The solution is primarily used for detecting user anomalies, sign-in anomalies, user behavior analytics, and identifying business compromises.
Security Specialist at a construction company with 1,001-5,000 employees
Used for detecting user anomalies, sign-in anomalies, and user behavior analytics
Pros and Cons
- "The solution’s alerting is fairly efficient."
- "The solution should provide more detailed data regarding anomaly detections."
What is our primary use case?
What is most valuable?
The solution’s alerting is fairly efficient.
What needs improvement?
The solution should provide more detailed data regarding anomaly detections. You get information occasionally, but it doesn't always correlate the different anomalies accurately. It takes quite a lot of effort to look at sign-in logs and security alert logs.
It would be nice to consolidate all that information into a more centralized view instead of going through different platforms in the Azure Stack to investigate.
For how long have I used the solution?
I have been using the solution for two to three years.
Buyer's Guide
Microsoft Defender for Identity
November 2024
Learn what your peers think about Microsoft Defender for Identity. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
What do I think about the stability of the solution?
The agent deployed on domain controllers and servers isn't very stable. In some instances, agents needed to be redeployed. In other cases, we had to involve Microsoft engineers to fix the issues.
How are customer service and support?
Microsoft's first-level support is extremely pathetic. They take an extremely long time to escalate a call to a tier two or tier three analyst for extra in-depth investigations. We've had calls open for a month that weren't escalated to the correct people to solve them.
We have different channels to contact Microsoft support instead of the normal help center channels.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We haven't used anything besides Cisco Identity Services Engine (ISE), but that's just for identity protection for your on-premise networks. It's not cloud-integrated. In contrast, Microsoft Defender for Identity works for both on-premise and cloud environments.
How was the initial setup?
The solution’s initial setup was fairly straightforward. It probably took about a month to get it fully implemented.
What about the implementation team?
The solution was implemented through an in-house team.
What's my experience with pricing, setup cost, and licensing?
Microsoft's licensing model is very complex to understand. Microsoft Defender for Identity comes as part of the Microsoft E5 licensing stack. We do not have to pay additional costs for technical support.
What other advice do I have?
The solution uses machine learning to detect if a user has never used a certain service provider or public IP address. The tool picks that up as an anomaly. Then, the user gets flagged that it's a potentially risky sign-in. You get alerted about that, and then you need to investigate.
From a business perspective and brand image, the solution helps quite a lot by responding to incidents quickly. The solution’s alerting is fairly efficient. The solution has built-in automation that can automatically disrupt attacks and block or disable accounts. The solution's cost savings are probably hard to gauge as we haven't used another product in the past.
The solution integrates seamlessly with the other Microsoft tools we have. Microsoft Copilot for Security is an additional product that Microsoft has released for enhanced AI capabilities over the Microsoft Defender stack. It comes with additional licensing. I would recommend the solution to other users.
Overall, I rate the solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Sep 11, 2024
Flag as inappropriateThreat Analysis Technology Risk & Cybersecurity Analyst II at a consultancy with 5,001-10,000 employees
Without some of the alerts we get, it would be very difficult to know what is happening
Pros and Cons
- "All the integration it has with different Microsoft packages, like Teams and Office, is good."
- "And when you are working in a priority IP address, Identity is not able to know that those IPs are from the company. It sees that the IPs are from Taiwan or from Hong Kong or from India, even though they are internal IPs, resulting in a lot of false positives."
What is our primary use case?
I work for a bank and use it to see if users are doing something illegal or are taking some kind of risk. We receive alerts from it and we follow up on the issues.
How has it helped my organization?
It gives us control over all our users and everything they are working on. Defender for Identity is good to have because there are some types of alerts that, without them, it would be very difficult to know what is happening. All the integration it has with different Microsoft packages, like Teams and Office, is good.
When there are potentially risky users, the solution automatically blocks them. That helps prevent security incidents, and it's also good because we don't have to block them manually.
It also helps us be prepared for threats before they hit. And it has decreased our time to respond because the analytics make it easier.
What is most valuable?
You can block users very easily, with just one click. And the information about the tokens is useful.
What needs improvement?
The logs are not too clear when you search in Azure Identity.
And when you are working in a priority IP address, Identity is not able to know that those IPs are from the company. It sees that the IPs are from Taiwan or Hong Kong or India, even though they are internal IPs, resulting in a lot of false positives.
For how long have I used the solution?
I have been using Microsoft Defender for Identity for one year.
What do I think about the stability of the solution?
It hasn't crashed and there hasn't been any downtime. The stability is good. It's in the cloud and it works.
What do I think about the scalability of the solution?
The scalability is good. We have about 50,000 users in several locations.
Which other solutions did I evaluate?
The visibility into threats with Defender for Identity is good, but I now use another identity tool, CrowdStrike Falcon Identity Protection and it may be better in certain ways. Still, the visibility with Defender for Identity is good and CrowdStrike is more difficult to implement.
We also use Microsoft Sentinel, but we have a lot of SIEMs, including CrowdStrike and Splunk. The problem with Sentinel is that it doesn't have specific rules. You can't change anything. It's difficult to work with it because the logs are not good enough. For investigations, it's more useful if you have another SIEM like Splunk. But when Microsoft Defender for Identity creates an alert, it's better. It gives you the user and the host, and it's easier to work with.
What makes Sentinel good is the description it provides. It's useful for knowing what is happening. But if you are going to do something deeper, it becomes more difficult. We don't have good queries because they are difficult to write. It's difficult to work with it.
What other advice do I have?
In the past, we had a dashboard for Defender for Identity that was really good, with a lot of views and information. But I think our company has changed things to SharePoint and, in SharePoint, the Identity information is not as clear. The old dashboard was better.
In the discussion about using one vendor's security suite versus products from various vendors, Microsoft is good but perhaps it would be good to have other products, such as internal solutions. Because with Microsoft, you can't change the rules or make your own rules, and that makes it difficult to get 100 percent protection. But Microsoft Defender for Identity is a good product.
It works well, but you have to work with the tool a lot to know when detections are false positives. If you put in an identity that was a false positive, sometimes you get an alert again. Sometimes, it doesn't learn.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Microsoft Defender for Identity
November 2024
Learn what your peers think about Microsoft Defender for Identity. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
Cloud Solutions Architect at a tech services company with 201-500 employees
Integration with other Microsoft products is simple, providing a holistic security solution
Pros and Cons
- "The feature I like the most about Defender for Identity is the entity tags. They give you the ability to identify sensitive accounts, devices, and groups. You also have honeytoken entities, which are devices that are identified as "bait" for fraudulent actors."
- "An area for improvement is the administrative interface. It's basic compared to other administrative centers. They could make it more user-friendly and easier to navigate."
What is our primary use case?
The use case is securing identity on your on-premises Active Directory.
How has it helped my organization?
It helps identify insider leaks. If any of your users want to use their permissions to implement leaks or perform malicious actions, it alerts you.
It also performs reconnaissance. If someone has succeeded in gaining access to your Active Directory, it monitors anomalous behaviors, such as moving laterally.
Microsoft has also identified vulnerabilities globally and Defender for Identity prevents such security incidents from occurring in your domain controllers.
Another benefit is that Defender for Identity saves us time because it is automated and proactive. I don't have to monitor the environment, just the feedback and alerts from the solution. It also helps save us money because it prevents potential breaches that would cost money.
In addition, the solution has decreased our time to detection.
What is most valuable?
The feature I like the most about Defender for Identity is the entity tags. They give you the ability to identify sensitive accounts, devices, and groups. You also have honeytoken entities, which are devices that are identified as "bait" for fraudulent actors. Once these devices have been tagged, they give you alerts about when a malicious actor tries to explore the vulnerability that you created. You can monitor what the attacker is going after. Entity tagging is a big win for Defender for Identity.
There is a connection between the cloud, Defender for Endpoint, and Defender for Cloud Apps, in addition to Defender for Identity, so that you get feedback about activity on the cloud regarding a user if he tries to move laterally in the on-premises Active Directory.
It gives you visibility into threats. On the cloud, you already have Azure AD Identity Protection to secure your cloud identity. But the security of Defender for Endpoints requires certain protections for your on-premises identity. It's helpful for organizations that have quite a few on-premises entities. There aren't a lot of organizations like that now, as quite a few have already moved to the cloud, but for those that are still on-prem need that security.
We also use Microsoft Defender for Endpoint and Intune. The beauty of Microsoft is that, with just a few clicks, it integrates all the security features. Signals from Defender for Identity can move to Defender for Endpoint, Defender for Cloud Apps, and Intune. That ensures that it eliminates false positives and gives you a comprehensive overview, like a map, of what a malicious actor has done. It tells you how a user moved from this device to that device, which is very good.
When it comes to comprehensiveness, Microsoft has done a good job of making Defender for Identity pretty straightforward and easy to use. There are detection rules that help you identify potential attacks. Your role, as a security professional using Defender for Identity, is basically to monitor and implement a few configurations, after the initial deployment.
Defender for Identity is automated, in that you can specify specific alerts or incidents to defend against.
Defender for Identity, Defender for Endpoints, Defender for Office 365, and Defender for Cloud Apps all point to the Microsoft Defender Security Center. That gives you a one-stop-shop dashboard where you can see the activity for these four solutions.
What needs improvement?
An area for improvement is the administrative interface. It's basic compared to other administrative centers. They could make it more user-friendly and easier to navigate.
For how long have I used the solution?
I have been using Microsoft Defender for Identity for over a year.
What do I think about the stability of the solution?
So far, so good, when it comes to stability.
What do I think about the scalability of the solution?
You can add it to more servers. It has been developed in such a way that, if you have 20 servers in an enterprise, you can install it on all the servers in your environment, and it has a dashboard that tells you if the Defender for Identity sensor has stopped.
Our environment has about 700 end-users.
How are customer service and support?
I haven't had to contact their technical support.
Which solution did I use previously and why did I switch?
We did not have a solution before using Defender for Identity.
How was the initial setup?
The initial deployment of the solution, overall, is pretty straightforward. You install the sensor on-premises, on the virtual machine that is running Active Directory.
What about the implementation team?
I did it myself. I'm a security expert, working for a Microsoft managed-services provider. There were three to four people involved.
What was our ROI?
It's very tricky to identify a return on investment. A return on investment for a solution like this can only be quantified when you can measure its effects. Of course, it identifies and eliminates breaches, and since we have not had any breaches, the return on investment has been good. It's protecting the environment.
What other advice do I have?
I would always recommend a single-vendor security suite over multiple suppliers because you get a comprehensive overview of the handshake between all the security offerings in the Microsoft solution. In this case, they include Defender for Identity, which is integrated with Defender for Endpoint, Defender for Cloud Apps, and Defender for Office 365. A holistic, single security solution is better than having multiple solutions where you have to monitor different platforms, and where you can get conflicting reports.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner.
Cyber Security BA/BSA at a insurance company with 10,001+ employees
Identifies, detects, and investigates advanced threats
Pros and Cons
- "This solution has advanced a lot over the last few years."
- "When the data leaves the cloud, there are security issues."
What is our primary use case?
We are looking at this solution as a trusted tenant for our network.
This way, all of the data that goes through is trusted and the communication between our on-prem system and the Azure Cloud remains protected. Our only concern is when the data leaves the Azure Cloud and goes to another third-party tenant.
Azure is our trusted tenant — we trust it. We're just concerned about the data when it leaves Azure and goes to another third-party tenant. For example, if you have a SaaS solution, like Salesforce, sometimes they send data to customers. In order to do this, the data has to leave the trusted cloud tenant.
What is most valuable?
We like the Active Directory Federation feature. We use it a lot with the Microsoft Azure Cloud.
What needs improvement?
When the data leaves the cloud, there are security issues.
The cloud security services and the integration with on-prem applications like SIEM, needs to be improved.
For how long have I used the solution?
We have been using this solution for roughly two years.
What do I think about the stability of the solution?
Microsoft Defender for Identity is very stable.
What do I think about the scalability of the solution?
As it's a cloud application, there are no issues with scalability.
How are customer service and technical support?
I've never had to deal with support regarding this solution; however, overall, Microsoft's support is quite good.
How was the initial setup?
I was not involved in the initial setup, but I think Microsoft has a good team that can help you set it up. I believe the initial setup went very well.
What other advice do I have?
Microsoft is a big company. They have put a lot of effort into their cloud solutions. They're the way of the future. They have done a lot to catch up with what Amazon did.
This solution has advanced a lot over the last few years. It integrates very well with Office 365. For this reason, I think it's the way of the future.
Overall, on a scale from one to ten, I would give this solution a rating of eight.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Real-time threat detection, good behavioral analytics, and enhanced security
Pros and Cons
- "The most valuable features of Microsoft Defender for Identity include real-time information for threat detection, its inclusion of behavioral analytics, and vulnerability management."
- "The solution could improve how it handles on-premises Android-related attacks."
What is our primary use case?
We use Microsoft Defender for Identity to prevent user account-level attacks such as lateral move attacks and pass-the-hash attacks on our on-premises servers. We leverage its features to mitigate identity-related threats and monitor activities on Active Directory Domain Services and other servers.
How has it helped my organization?
Microsoft Defender for Identity has significantly improved our environment's security by preventing identity-related attacks. We don't face financial losses from security breaches because the product provides robust protection.
What is most valuable?
The most valuable features of Microsoft Defender for Identity include real-time information for threat detection, its inclusion of behavioral analytics, and vulnerability management. These features help prevent various attacks and monitor user account activities effectively.
What needs improvement?
The solution could improve how it handles on-premises Android-related attacks. Without Microsoft Defender, it can be challenging to check which accounts are compromised and to analyze activities on on-premises servers. Enhancing this capability would make it even more effective.
For how long have I used the solution?
I have been using Microsoft Defender for Identity for the past three years.
What do I think about the stability of the solution?
With three years of experience, I have never faced any issues or errors with Microsoft Defender for Identity. It is very stable and has performed exceptionally well in our environment.
What do I think about the scalability of the solution?
I would rate the scalability of Microsoft Defender for Identity as a ten because it is robust and suitable for various environments, including small, medium, and enterprise businesses.
How are customer service and support?
The technical support from Microsoft is excellent. I would rate it a ten because the support engineers are very knowledgeable and provide solutions promptly, ensuring that issues are resolved in a timely manner.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup is easy, especially with Microsoft's continuous improvements in the reporting feature. It is user-friendly and efficient.
What's my experience with pricing, setup cost, and licensing?
The pricing of Microsoft Defender for Identity is affordable and competitive compared to other security products. The option to purchase specific features rather than a full license makes it convenient and cost-effective.
What other advice do I have?
I'd rate the solution ten out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Last updated: Sep 16, 2024
Flag as inappropriateEnterprise Architect at NTT New Zealand Ltd.
Stable, integrates with other Defender components, and effectively measures identity security
Pros and Cons
- "Defender for Identity has not affected the end-user experience."
- "The solution could be better at using group-managed access and they could replace it with broad-based access controls."
What is our primary use case?
The solution provides alerts when malicious actors are active and that's something most companies are missing. Quite often, malicious actors do reconnaissance for weeks, months, and on their checkout. They get a sense of the whole environment before they execute a ransomware attack. This sensor will alert users if something like that happens and it gives you time to mitigate the issues or block the attacker.
How has it helped my organization?
It gives companies a lot of insights that they didn't have before. It has increased the security posture significantly.
What is most valuable?
The feature that I most like is that it integrates with the other Defender components. Defender Identity is part of Microsoft 365, and there is Defender for Office 365, Defender for endpoints, and cloud edge security. These tools integrate really well together. The integration with the other tools makes it a comprehensive tool that I would recommend to any company.
It measures your identity security. For example, let's say a lot of companies don't have a proper decommissioning process for global admins or domain admins. And so, when an administrator who has built many privileges leaves the company, the account gets disabled and it still has members of domain admin groups or sensitive groups. This will highlight them and alert users to say, in a sense, "hey, these users or to these user accounts of sensitive privileges, but haven't been used for a long period of time". The few times I've created this report and showed this to customers, they're shocked due to the fact that it's an easy entry for malicious actors that they weren't aware of. That's one of the cool features.
Defender for Identity has not affected the end-user experience.
What needs improvement?
The solution could be better at using group-managed access and they could replace it with broad-based access controls.
For how long have I used the solution?
I've worked with the solution since June of last year. I've worked with it across three organizations so far.
What do I think about the stability of the solution?
I have never seen any issues. The solution appears to be stable.
What do I think about the scalability of the solution?
Scalability is not applicable in this case.
In terms of users, there will be cloud engineers or security analysts, security engineers, and those types of people.
How are customer service and support?
Normally the tech support is pretty responsive and they understand the tool.
Which solution did I use previously and why did I switch?
Our organization did not previously use a different solution.
How was the initial setup?
I've used the solution within three organizations. Two I have implemented myself and the third was implemented by someone else entirely.
The initial setup is straightforward, however, because it needs to communicate between the domain controller and Microsoft cloud, which can cause issues if there are firewalls. Normally, domain controllers don't have access to the internet, or at least, that's what's recommended. Installing the tool itself is not hard, however, the firewalls make the process harder.
There are a bunch of URLs that you have to whitelist on the firewalls and you could set up a transparent proxy.
Installing one takes five minutes at a maximum and you need to times that by the number of domain controllers you have. I recall that, in our case, some domain controllers were not up to speed. Their memory CPU utilization was not big enough to handle the load of the network traffic scanning. Therefore, before you install it on the domain controller, the recommendation is to run a tool to see if your domain controllers are capable to handle the sensors. That's something to note for other users considering an installation.
I didn't create an implementation strategy. It's a pretty straightforward tool. You just install it on all the main controllers and then integrate it with all the other Defender components. It's not really a strategy. The only thing to note is if you deal with a security team, they always say that there's already an endpoint protection solution on the domain controller. However, this is different, and this works side-by-side with whatever already exists. Other than that, there's not really a strategy.
For deployment and maintenance, one person would be enough and they would not even have to be full-time as it's a cloud solution. Microsoft does all the maintenance of the backend of the infrastructure and the only thing you have to make sure of is that the sensors are healthy on the domain controllers. That's the only thing you have to do. It's not too much effort.
What about the implementation team?
This tool I install for customers as I am a consultant. When I say, I've got experience, it's not purely for our company as we are an IT company and we consult with customers. I didn't use a third party. I'll typically do it with one of my colleagues.
What was our ROI?
We have not looked at the ROI of Defender.
What's my experience with pricing, setup cost, and licensing?
In terms of the pricing, I don't know off the top of my head the cost, however, it's part of Microsoft 365. It is an EMS-5, an Enterprise Mobility and Security Suite.
It's my understanding that there are no extra costs beyond the standard licensing fee.
Which other solutions did I evaluate?
I do not recall looking at other options before implementing Defender.
What other advice do I have?
I'm an integrator and consultant.
With the current versions I'm working on, I clarified today that it was up to date. Whatever the latest version is, is the one I am working on. I don't keep track of the version numbers.
It's a cloud-based solution. No on-premise components are required.
I'd rate the solution at a nine out of ten.
I'd advise new users to check their firewalls and make sure they whitelist them, alongside the appropriate URLs. Make sure to enlist a tool to measure if the center can run on your domain controller as well.
Any company should have this tool or a similar tool to it. It's very important to understand if there is a malicious actor in the environment. You can't live without this tool like this in this day and age.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Software Engineer at a computer software company with 201-500 employees
Uses machine learning to analyze data over longer periods and identify anomalies
What is most valuable?
Microsoft uses machine learning to analyze data over longer periods and identify anomalies. This approach is beneficial because it helps us understand user behavior over time rather than just focusing on immediate actions.
We handle alerts by investigating them using Defender Advanced Hunting, which provides more data to help us understand the issues. Additionally, we can use the incident page associated with the alert to access detailed information about the problem.
What needs improvement?
There are issues with the alerts in Microsoft Defender for identity-related intra-protection detection anomalies. The alerts are missing some data, which makes it difficult to determine the exact sign-in event associated with the alert. For instance, if we see a sign-in from a different country, we want to correlate this with the sign-in events recorded in our system and Microsoft. The alert in Defender does not provide the necessary details to match it directly with the corresponding sign-in event. To address this, we need to refer to Defender Protection events, where we can find the IP and sign-in ID associated with the event.
It would be beneficial if Microsoft developed the Microsoft Graph API for Advanced Hunting to facilitate more automation. Currently, the schema is not very well-defined, which limits automation possibilities. Additionally, improvements could be made to enhance queries, such as obtaining the full path of a process, which is available in EDR. Addressing these areas would significantly improve functionality and integration.
Occasionally, we've encountered issues with the API, such as when we cannot access the data and receive a 500 Internal Server Error. This has happened several times over the past few days.
For how long have I used the solution?
What do I think about the stability of the solution?
I rate the solution’s stability an eight out of ten.
How are customer service and support?
We experienced issues with Defender not responding about a year ago during a weekend. I’ve heard similar reports from other companies as well. Despite reaching out to Microsoft through forums and support tickets, it took a long time to get answers, and the response did not address the problem.
How would you rate customer service and support?
Neutral
What other advice do I have?
Microsoft Defender consolidates various functionalities on a single dashboard, including incidents, alerts, Advanced Hunting, and PC onboarding details. This integration is very helpful, allowing us to view all relevant information in one place. Previously, managing these tasks required navigating multiple pages, which was less efficient. The current setup streamlines the workflow and makes it easier to work with the platform.
It’s a good product. I appreciate having all the necessary services for my company in one place. Defender provides various security services, including Identity services, which is very valuable.
Overall, I rate the solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Sep 16, 2024
Flag as inappropriateSecurity specialist at a manufacturing company with 10,001+ employees
Gives most administrators absolutely amazing insight into what's happening in the network that they probably never had before
Pros and Cons
- "The basic security monitoring at its core feature is the most valuable aspect. But also the investigative parts, the historical logging of events over the network are extremely interesting because it gives an in-depth insight into the history of account activity that is really easy to read, easy to follow, and easy to export."
- "The impact of the sensors on the domain controllers can be quite high depending on your loads. I don't know if there's any room for improvement there, but that's one of the things that might be improved."
What is our primary use case?
Our use case is for the securing of the on-premise active directory, but also to correlate the on-premise active directory security information with the Defender for Endpoint ADP integration. That's most of my use cases, the protection of online AD, but the additional information that it gives regarding the incidents as they occur and possible lateral escalation of privileges for the workstation are also use cases.
We're using Azure AD in combination with on-premise AD.
What is most valuable?
The basic security monitoring at its core feature is the most valuable aspect. But also the investigative parts, the historical logging of events over the network are extremely interesting because it gives an in-depth insight into the history of account activity that is really easy to read, easy to follow, and easy to export.
It's provided a simple identification of issues of account abuse. It showed some configuration mistakes. One of the features that it also has is privilege escalation. So it has a feature where you can look into lateral movement parts, and it has a great graphing feature that shows you what kind of lateral movement risks are associated with certain accounts.
Integrating with the Microsoft Cloud Application Security, you get a tab called Identity Security Posture, where it provides a list of best practices, improvements, things that it has found based on the actual data that it received. One of the things that was interesting, is that two to three months ago, Microsoft had a massive issue with their print spoolers and suddenly the advice came worldwide. The first thing you did was disable the print spooler on the main controllers. This has always been a best practice for Microsoft services, just never clearly communicated. But this feature, this best practice was already clearly visible within the Identity Security Posture from MDI. So we already mitigated this weakness because of the recommendations that the application gave.
It displays, for instance, a clear tax credential exposure. One of the things that you have a lot within enterprise applications is that a lot of third-party applications communicate via LDAP to active directory. Currently one of the weak points there is that the typical LDAP communication is communicating over LDAP and not over LDAP secure. So it's unencrypted, which means that you get plain text passwords over your networks. And this MDI is able to identify those applications as well and say that the endpoints communicating with MDI need to be secure. They should be secured.
What needs improvement?
It would be good if Defender for Identity would further align the Azure ID with the on-premise experience. Because those still seem to be two different worlds.
The impact of the sensors on the domain controllers can be quite high depending on your loads. I don't know if there's any room for improvement there, but that's one of the things that might be improved.
For how long have I used the solution?
I have been using Microsoft Defender since its inception. I've been using it before it was called MDI, around three years ago.
What do I think about the stability of the solution?
Stability is great, it's been improved quite a bit. In the beginning, we had some occasional restarts of sensors on the domain controllers, but stability itself right now is great. We adjusted some performance on the main controllers, made sure that we have enough CPU and memory, especially taking a good look at the exact memory requirements. That's definitely something not to underestimate. If you go under memory requirements, you might hit upon an issue where the sensor tends to restart occasionally.
What do I think about the scalability of the solution?
Scalability is great. In an enterprise network with 22,500 workstations, 15 domain controllers, give a give or take, it's easily scaling out. Especially since you deploy it, it's really scaling out on a per sensor basis. So if you ever added a main controller, you just need to factor a sensor in and that's it.
I have it currently deployed in Europe and in the short term, I have plans to deploy it in several other of our areas, such as the United States and South America, and I am also advising our Japanese headquarters to follow the same.
How are customer service and support?
Technical support depends. If you get directly in contact with the core support team from the product, it is very, very good. But since it is from Microsoft's perspective, sometimes it seems like an additional, niche product that not everybody's even aware of. So sometimes it's hard to get in contact with the right support group. But once you have the right support group, then things generally work out very well.
It can take a bit, but once you get there, you get really excellent support.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I previously used several other solutions. Some of them are still actually in place because there are some differences in functionality and feature sets.
How was the initial setup?
The initial setup was extremely simple. You go to the portal, you download the clients, retrieve the key, you install the clients on the main controllers input key and things start working. The deployment is a matter of minutes to two hours, depending, of course, on the impact on the amount of the main control it needs to configure.
We had to investigate the impact on the main controllers. Of course, we started carefully, but after an evaluation period of two to three weeks, on a handful of the main controllers, it was within a month. It was deployed on all the main controllers.
We only needed two people, and several man-hours, for the initial setup. It starts to study the behavior of the activity on the network. So for the first 30 days, it doesn't do much. Then you start to get some alerts. It just really depends on your configuration, how active your environment is, based on what sort of threats you might have going on on the radar that you weren't aware of.
Once it is actually running and you focus on the core alert functionality, that is just part of the normal security operations procedure. It hardly ever gives false positives. So the moment you get something, you really should act on that sound. That of course depends on the nature of the threat. But I don't think that says anything about the maintenance that you need to do for MDI. That's more about the actual events that are going on. So MDI is very low maintenance. It can alert you on some very high maintenance incidents though.
What about the implementation team?
Initially, we had an investigative call with Microsoft. They offered to use a third party to assist with the installation. But when we went over the whole configuration that was required, we decided just to do it on our own. No regards to getting help.
What was our ROI?
Our RPO is seen in its prevention of incidents and even faster resolution of security incidents mostly.
What's my experience with pricing, setup cost, and licensing?
There are no additional costs to standard licensing. You get an infinite amount of the directory sensors that you can deploy. It integrates directly into the security portal from Microsoft and in the cloud application security, you get cloud login.
What other advice do I have?
I'm also a social security specialist. One of the things that we do is run our own sensors and our own logging on active directory controllers. And we analyze that in an elastic stack. Basically, you spend a lot of time getting dedicated to the monitoring configuration active directory. We capture a little bit more than what MDI is capturing, but that is only really for fringe cases that we ever need, to really see that in the eyes a very user-friendly application for people to see what is happening on your network. And you don't have to be escalating specialists to see that somebody accessed a server at one time and then logged on to the following computer. I think that for a defensive view, it can give most administrators absolutely amazing insight into what's happening in the network that they probably never had before.
There is much more going on that you're generally aware of. I'm really quite a fan of this tool because it gives such great insights, such great historical logging.
I would rate it a nine out of ten.
It's sometimes represented in an over-complicated way because it's really just such a simple tool to use that it's also giving non-IT security experts such great insight. And it's not just for the alerts, but also just for the needs of the logging and all the typical configuration mistakes that you do. I think it's just a really great tool.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Microsoft Defender for Identity Report and get advice and tips from experienced pros
sharing their opinions.
Updated: November 2024
Product Categories
Identity Threat Detection and Response (ITDR) Advanced Threat Protection (ATP) Microsoft Security SuitePopular Comparisons
CrowdStrike Falcon
Varonis Platform
Securonix Next-Gen SIEM
Cortex XSIAM
Microsoft Entra ID Protection
SentinelOne Singularity Identity
BloodHound Enterprise
Proofpoint Identity Threat Defense
Buyer's Guide
Download our free Microsoft Defender for Identity Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions: