Microsoft Defender for Identity Reviews

Defender for Identity provides intelligent authentication through conditional access policies and monitors user behavior. Defender looks at things like password changes and application use.

One of our users had the same password for every personal and company account. That was a problem because she started receiving phishing emails that could compromise all of her accounts. Defender told us that the user was not changing their password.

Microsoft should look at what competing vendors like CrowdStrike and Broadcom are doing and incorporate those features into Sentinel and Defender. At the same time, I think the intelligence inside the product is improving fast. They should incorporate more zero-trust and hybrid trust approaches. They need to build up threat intelligence based on threats and methods used in attacks on other companies.

I have used Defender for two years.

I rate Defender for Identity nine out of 10 for stability.

I rate Defender for Identity 10 out of 10 for scalability.

Defender is pretty solid, so we rarely call support. 

The implementation is fast and easy. You only need to buy a license and assign it to a user. 

We have seen a return on our investment.

I rate Microsoft Defender for Identity nine out of 10. My advice to new users is to learn the product. Microsft has courses you can take. They offer one that covers all their security solutions. It only takes a day and is the best way to learn how to use the product. 

The use case is securing identity on your on-premises Active Directory.

It helps identify insider leaks. If any of your users want to use their permissions to implement leaks or perform malicious actions, it alerts you. 

It also performs reconnaissance. If someone has succeeded in gaining access to your Active Directory, it monitors anomalous behaviors, such as moving laterally.

Microsoft has also identified vulnerabilities globally and Defender for Identity prevents such security incidents from occurring in your domain controllers.

Another benefit is that Defender for Identity saves us time because it is automated and proactive. I don't have to monitor the environment, just the feedback and alerts from the solution. It also helps save us money because it prevents potential breaches that would cost money.

In addition, the solution has decreased our time to detection.

The feature I like the most about Defender for Identity is the entity tags. They give you the ability to identify sensitive accounts, devices, and groups. You also have honeytoken entities, which are devices that are identified as "bait" for fraudulent actors. Once these devices have been tagged, they give you alerts about when a malicious actor tries to explore the vulnerability that you created. You can monitor what the attacker is going after. Entity tagging is a big win for Defender for Identity.

There is a connection between the cloud, Defender for Endpoint, and Defender for Cloud Apps, in addition to Defender for Identity, so that you get feedback about activity on the cloud regarding a user if he tries to move laterally in the on-premises Active Directory.

It gives you visibility into threats. On the cloud, you already have Azure AD Identity Protection to secure your cloud identity. But the security of Defender for Endpoints requires certain protections for your on-premises identity. It's helpful for organizations that have quite a few on-premises entities. There aren't a lot of organizations like that now, as quite a few have already moved to the cloud, but for those that are still on-prem need that security.

We also use Microsoft Defender for Endpoint and Intune. The beauty of Microsoft is that, with just a few clicks, it integrates all the security features. Signals from Defender for Identity can move to Defender for Endpoint, Defender for Cloud Apps, and Intune. That ensures that it eliminates false positives and gives you a comprehensive overview, like a map, of what a malicious actor has done. It tells you how a user moved from this device to that device, which is very good.

When it comes to comprehensiveness, Microsoft has done a good job of making Defender for Identity pretty straightforward and easy to use. There are detection rules that help you identify potential attacks. Your role, as a security professional using Defender for Identity, is basically to monitor and implement a few configurations, after the initial deployment.

Defender for Identity is automated, in that you can specify specific alerts or incidents to defend against.

Defender for Identity, Defender for Endpoints, Defender for Office 365, and Defender for Cloud Apps all point to the Microsoft Defender Security Center. That gives you a one-stop-shop dashboard where you can see the activity for these four solutions.

An area for improvement is the administrative interface. It's basic compared to other administrative centers. They could make it more user-friendly and easier to navigate.

I have been using Microsoft Defender for Identity for over a year.

So far, so good, when it comes to stability.

You can add it to more servers. It has been developed in such a way that, if you have 20 servers in an enterprise, you can install it on all the servers in your environment, and it has a dashboard that tells you if the Defender for Identity sensor has stopped.

Our environment has about 700 end-users.

I haven't had to contact their technical support.

We did not have a solution before using Defender for Identity.

The initial deployment of the solution, overall, is pretty straightforward. You install the sensor on-premises, on the virtual machine that is running Active Directory.

I did it myself. I'm a security expert, working for a Microsoft managed-services provider. There were three to four people involved.

It's very tricky to identify a return on investment. A return on investment for a solution like this can only be quantified when you can measure its effects. Of course, it identifies and eliminates breaches, and since we have not had any breaches, the return on investment has been good. It's protecting the environment.

I would always recommend a single-vendor security suite over multiple suppliers because you get a comprehensive overview of the handshake between all the security offerings in the Microsoft solution. In this case, they include Defender for Identity, which is integrated with Defender for Endpoint, Defender for Cloud Apps, and Defender for Office 365. A holistic, single security solution is better than having multiple solutions where you have to monitor different platforms, and where you can get conflicting reports.

I work for a bank and use it to see if users are doing something illegal or are taking some kind of risk. We receive alerts from it and we follow up on the issues.

It gives us control over all our users and everything they are working on. Defender for Identity is good to have because there are some types of alerts that, without them, it would be very difficult to know what is happening. All the integration it has with different Microsoft packages, like Teams and Office, is good.

When there are potentially risky users, the solution automatically blocks them. That helps prevent security incidents, and it's also good because we don't have to block them manually.

It also helps us be prepared for threats before they hit. And it has decreased our time to respond because the analytics make it easier.

You can block users very easily, with just one click. And the information about the tokens is useful.

The logs are not too clear when you search in Azure Identity. 

And when you are working in a priority IP address, Identity is not able to know that those IPs are from the company. It sees that the IPs are from Taiwan or Hong Kong or India, even though they are internal IPs, resulting in a lot of false positives.

I have been using Microsoft Defender for Identity for one year.

It hasn't crashed and there hasn't been any downtime. The stability is good. It's in the cloud and it works.

The scalability is good. We have about 50,000 users in several locations.

The visibility into threats with Defender for Identity is good, but I now use another identity tool, CrowdStrike Falcon Identity Protection and it may be better in certain ways. Still, the visibility with Defender for Identity is good and CrowdStrike is more difficult to implement.

We also use Microsoft Sentinel, but we have a lot of SIEMs, including CrowdStrike and Splunk. The problem with Sentinel is that it doesn't have specific rules. You can't change anything. It's difficult to work with it because the logs are not good enough. For investigations, it's more useful if you have another SIEM like Splunk. But when Microsoft Defender for Identity creates an alert, it's better. It gives you the user and the host, and it's easier to work with.

What makes Sentinel good is the description it provides. It's useful for knowing what is happening. But if you are going to do something deeper, it becomes more difficult. We don't have good queries because they are difficult to write. It's difficult to work with it. 

In the past, we had a dashboard for Defender for Identity that was really good, with a lot of views and information. But I think our company has changed things to SharePoint and, in SharePoint, the Identity information is not as clear. The old dashboard was better.

In the discussion about using one vendor's security suite versus products from various vendors, Microsoft is good but perhaps it would be good to have other products, such as internal solutions. Because with Microsoft, you can't change the rules or make your own rules, and that makes it difficult to get 100 percent protection. But Microsoft Defender for Identity is a good product.

It works well, but you have to work with the tool a lot to know when detections are false positives. If you put in an identity that was a false positive, sometimes you get an alert again. Sometimes, it doesn't learn.

The solution is primarily used for detecting user anomalies, sign-in anomalies, user behavior analytics, and identifying business compromises.

The solution’s alerting is fairly efficient.

The solution should provide more detailed data regarding anomaly detections. You get information occasionally, but it doesn't always correlate the different anomalies accurately. It takes quite a lot of effort to look at sign-in logs and security alert logs.

It would be nice to consolidate all that information into a more centralized view instead of going through different platforms in the Azure Stack to investigate.

I have been using the solution for two to three years.

The agent deployed on domain controllers and servers isn't very stable. In some instances, agents needed to be redeployed. In other cases, we had to involve Microsoft engineers to fix the issues.

Microsoft's first-level support is extremely pathetic. They take an extremely long time to escalate a call to a tier two or tier three analyst for extra in-depth investigations. We've had calls open for a month that weren't escalated to the correct people to solve them.

We have different channels to contact Microsoft support instead of the normal help center channels.

Neutral

We haven't used anything besides Cisco Identity Services Engine (ISE), but that's just for identity protection for your on-premise networks. It's not cloud-integrated. In contrast, Microsoft Defender for Identity works for both on-premise and cloud environments.

The solution’s initial setup was fairly straightforward. It probably took about a month to get it fully implemented.

The solution was implemented through an in-house team.

Microsoft's licensing model is very complex to understand. Microsoft Defender for Identity comes as part of the Microsoft E5 licensing stack. We do not have to pay additional costs for technical support.

The solution uses machine learning to detect if a user has never used a certain service provider or public IP address. The tool picks that up as an anomaly. Then, the user gets flagged that it's a potentially risky sign-in. You get alerted about that, and then you need to investigate.

From a business perspective and brand image, the solution helps quite a lot by responding to incidents quickly. The solution’s alerting is fairly efficient. The solution has built-in automation that can automatically disrupt attacks and block or disable accounts. The solution's cost savings are probably hard to gauge as we haven't used another product in the past.

The solution integrates seamlessly with the other Microsoft tools we have. Microsoft Copilot for Security is an additional product that Microsoft has released for enhanced AI capabilities over the Microsoft Defender stack. It comes with additional licensing. I would recommend the solution to other users.

Overall, I rate the solution an eight out of ten.

We use the solution for PIM management, access detection, and synchronization with Intra.

It has the ability to block access, monitor, and log in.

It integrates with on-premises Active Directory environments. It is designed to enhance security by providing advanced threat detection and response capabilities for both Azure Active Directory and on-premises Active Directory. This integration allows for comprehensive monitoring and protection of identity-related activities across both environments.

It focuses on protecting the on-premises Active Directory infrastructure and does not directly link both identity repositories. For users operating in mixed environments, while Defender for Identity offers robust protection for on-premises AD, additional solutions or configurations might be necessary to ensure seamless security management across Azure and on-premises AD systems.

It is stable. 

I rate the solution’s stability a nine out of ten.

It is scalable. It is suitable for large enterprises.

I rate the solution’s scalability a ten out of ten.

Support varies depending on your subscription level. For corporate enterprise and premium plans, you can expect more comprehensive support. However, if you have a basic or standard subscription, you might experience lower-priority support. Generally, the support provided is good, but response times may be longer for lower-tier plans. The support team is often overwhelmed due to high demand.

Positive

The initial setup is not very complex, but it could be easier. They are very easy to configure and set up.  Two people—one a security consultant and another infra—are required for deployment.

I rate the initial setup an eight-point five out of ten, where one is difficult, and ten is easy.

It provides time-saving. 

It has a fair price.

I recommend the solution.

Overall, I rate the solution an eight out of ten.

We are looking at this solution as a trusted tenant for our network.

This way, all of the data that goes through is trusted and the communication between our on-prem system and the Azure Cloud remains protected. Our only concern is when the data leaves the Azure Cloud and goes to another third-party tenant.

Azure is our trusted tenant — we trust it. We're just concerned about the data when it leaves Azure and goes to another third-party tenant. For example, if you have a SaaS solution, like Salesforce, sometimes they send data to customers. In order to do this, the data has to leave the trusted cloud tenant. 

We like the Active Directory Federation feature. We use it a lot with the Microsoft Azure Cloud.

When the data leaves the cloud, there are security issues. 

The cloud security services and the integration with on-prem applications like SIEM, needs to be improved.

We have been using this solution for roughly two years.

Microsoft Defender for Identity is very stable.

As it's a cloud application, there are no issues with scalability.

I've never had to deal with support regarding this solution; however, overall, Microsoft's support is quite good.

I was not involved in the initial setup, but I think Microsoft has a good team that can help you set it up. I believe the initial setup went very well.

Microsoft is a big company. They have put a lot of effort into their cloud solutions. They're the way of the future. They have done a lot to catch up with what Amazon did.

This solution has advanced a lot over the last few years. It integrates very well with Office 365. For this reason, I think it's the way of the future.

Overall, on a scale from one to ten, I would give this solution a rating of eight.

We use Microsoft Defender for Identity to prevent user account-level attacks such as lateral move attacks and pass-the-hash attacks on our on-premises servers. We leverage its features to mitigate identity-related threats and monitor activities on Active Directory Domain Services and other servers.

Microsoft Defender for Identity has significantly improved our environment's security by preventing identity-related attacks. We don't face financial losses from security breaches because the product provides robust protection.

The most valuable features of Microsoft Defender for Identity include real-time information for threat detection, its inclusion of behavioral analytics, and vulnerability management. These features help prevent various attacks and monitor user account activities effectively.

The solution could improve how it handles on-premises Android-related attacks. Without Microsoft Defender, it can be challenging to check which accounts are compromised and to analyze activities on on-premises servers. Enhancing this capability would make it even more effective.

I have been using Microsoft Defender for Identity for the past three years.

With three years of experience, I have never faced any issues or errors with Microsoft Defender for Identity. It is very stable and has performed exceptionally well in our environment.

I would rate the scalability of Microsoft Defender for Identity as a ten because it is robust and suitable for various environments, including small, medium, and enterprise businesses.

The technical support from Microsoft is excellent. I would rate it a ten because the support engineers are very knowledgeable and provide solutions promptly, ensuring that issues are resolved in a timely manner.

Positive

The initial setup is easy, especially with Microsoft's continuous improvements in the reporting feature. It is user-friendly and efficient.

The pricing of Microsoft Defender for Identity is affordable and competitive compared to other security products. The option to purchase specific features rather than a full license makes it convenient and cost-effective.

I'd rate the solution ten out of ten. 

Microsoft uses machine learning to analyze data over longer periods and identify anomalies. This approach is beneficial because it helps us understand user behavior over time rather than just focusing on immediate actions.

We handle alerts by investigating them using Defender Advanced Hunting, which provides more data to help us understand the issues. Additionally, we can use the incident page associated with the alert to access detailed information about the problem.

There are issues with the alerts in Microsoft Defender for identity-related intra-protection detection anomalies. The alerts are missing some data, which makes it difficult to determine the exact sign-in event associated with the alert. For instance, if we see a sign-in from a different country, we want to correlate this with the sign-in events recorded in our system and Microsoft. The alert in Defender does not provide the necessary details to match it directly with the corresponding sign-in event. To address this, we need to refer to Defender Protection events, where we can find the IP and sign-in ID associated with the event.

It would be beneficial if Microsoft developed the Microsoft Graph API for Advanced Hunting to facilitate more automation. Currently, the schema is not very well-defined, which limits automation possibilities. Additionally, improvements could be made to enhance queries, such as obtaining the full path of a process, which is available in EDR. Addressing these areas would significantly improve functionality and integration.

Occasionally, we've encountered issues with the API, such as when we cannot access the data and receive a 500 Internal Server Error. This has happened several times over the past few days.

I rate the solution’s stability an eight out of ten.

We experienced issues with Defender not responding about a year ago during a weekend. I’ve heard similar reports from other companies as well. Despite reaching out to Microsoft through forums and support tickets, it took a long time to get answers, and the response did not address the problem.

Neutral

Microsoft Defender consolidates various functionalities on a single dashboard, including incidents, alerts, Advanced Hunting, and PC onboarding details. This integration is very helpful, allowing us to view all relevant information in one place. Previously, managing these tasks required navigating multiple pages, which was less efficient. The current setup streamlines the workflow and makes it easier to work with the platform.

It’s a good product. I appreciate having all the necessary services for my company in one place. Defender provides various security services, including Identity services, which is very valuable.

Overall, I rate the solution an eight out of ten.