Microsoft Defender for Identity Reviews

Defender for Identity provides intelligent authentication through conditional access policies and monitors user behavior. Defender looks at things like password changes and application use.

One of our users had the same password for every personal and company account. That was a problem because she started receiving phishing emails that could compromise all of her accounts. Defender told us that the user was not changing their password.

Microsoft should look at what competing vendors like CrowdStrike and Broadcom are doing and incorporate those features into Sentinel and Defender. At the same time, I think the intelligence inside the product is improving fast. They should incorporate more zero-trust and hybrid trust approaches. They need to build up threat intelligence based on threats and methods used in attacks on other companies.

I have used Defender for two years.

I rate Defender for Identity nine out of 10 for stability.

I rate Defender for Identity 10 out of 10 for scalability.

Defender is pretty solid, so we rarely call support. 

The implementation is fast and easy. You only need to buy a license and assign it to a user. 

We have seen a return on our investment.

I rate Microsoft Defender for Identity nine out of 10. My advice to new users is to learn the product. Microsft has courses you can take. They offer one that covers all their security solutions. It only takes a day and is the best way to learn how to use the product. 

The use case is securing identity on your on-premises Active Directory.

It helps identify insider leaks. If any of your users want to use their permissions to implement leaks or perform malicious actions, it alerts you. 

It also performs reconnaissance. If someone has succeeded in gaining access to your Active Directory, it monitors anomalous behaviors, such as moving laterally.

Microsoft has also identified vulnerabilities globally and Defender for Identity prevents such security incidents from occurring in your domain controllers.

Another benefit is that Defender for Identity saves us time because it is automated and proactive. I don't have to monitor the environment, just the feedback and alerts from the solution. It also helps save us money because it prevents potential breaches that would cost money.

In addition, the solution has decreased our time to detection.

The feature I like the most about Defender for Identity is the entity tags. They give you the ability to identify sensitive accounts, devices, and groups. You also have honeytoken entities, which are devices that are identified as "bait" for fraudulent actors. Once these devices have been tagged, they give you alerts about when a malicious actor tries to explore the vulnerability that you created. You can monitor what the attacker is going after. Entity tagging is a big win for Defender for Identity.

There is a connection between the cloud, Defender for Endpoint, and Defender for Cloud Apps, in addition to Defender for Identity, so that you get feedback about activity on the cloud regarding a user if he tries to move laterally in the on-premises Active Directory.

It gives you visibility into threats. On the cloud, you already have Azure AD Identity Protection to secure your cloud identity. But the security of Defender for Endpoints requires certain protections for your on-premises identity. It's helpful for organizations that have quite a few on-premises entities. There aren't a lot of organizations like that now, as quite a few have already moved to the cloud, but for those that are still on-prem need that security.

We also use Microsoft Defender for Endpoint and Intune. The beauty of Microsoft is that, with just a few clicks, it integrates all the security features. Signals from Defender for Identity can move to Defender for Endpoint, Defender for Cloud Apps, and Intune. That ensures that it eliminates false positives and gives you a comprehensive overview, like a map, of what a malicious actor has done. It tells you how a user moved from this device to that device, which is very good.

When it comes to comprehensiveness, Microsoft has done a good job of making Defender for Identity pretty straightforward and easy to use. There are detection rules that help you identify potential attacks. Your role, as a security professional using Defender for Identity, is basically to monitor and implement a few configurations, after the initial deployment.

Defender for Identity is automated, in that you can specify specific alerts or incidents to defend against.

Defender for Identity, Defender for Endpoints, Defender for Office 365, and Defender for Cloud Apps all point to the Microsoft Defender Security Center. That gives you a one-stop-shop dashboard where you can see the activity for these four solutions.

An area for improvement is the administrative interface. It's basic compared to other administrative centers. They could make it more user-friendly and easier to navigate.

I have been using Microsoft Defender for Identity for over a year.

So far, so good, when it comes to stability.

You can add it to more servers. It has been developed in such a way that, if you have 20 servers in an enterprise, you can install it on all the servers in your environment, and it has a dashboard that tells you if the Defender for Identity sensor has stopped.

Our environment has about 700 end-users.

I haven't had to contact their technical support.

We did not have a solution before using Defender for Identity.

The initial deployment of the solution, overall, is pretty straightforward. You install the sensor on-premises, on the virtual machine that is running Active Directory.

I did it myself. I'm a security expert, working for a Microsoft managed-services provider. There were three to four people involved.

It's very tricky to identify a return on investment. A return on investment for a solution like this can only be quantified when you can measure its effects. Of course, it identifies and eliminates breaches, and since we have not had any breaches, the return on investment has been good. It's protecting the environment.

I would always recommend a single-vendor security suite over multiple suppliers because you get a comprehensive overview of the handshake between all the security offerings in the Microsoft solution. In this case, they include Defender for Identity, which is integrated with Defender for Endpoint, Defender for Cloud Apps, and Defender for Office 365. A holistic, single security solution is better than having multiple solutions where you have to monitor different platforms, and where you can get conflicting reports.

I work for a bank and use it to see if users are doing something illegal or are taking some kind of risk. We receive alerts from it and we follow up on the issues.

It gives us control over all our users and everything they are working on. Defender for Identity is good to have because there are some types of alerts that, without them, it would be very difficult to know what is happening. All the integration it has with different Microsoft packages, like Teams and Office, is good.

When there are potentially risky users, the solution automatically blocks them. That helps prevent security incidents, and it's also good because we don't have to block them manually.

It also helps us be prepared for threats before they hit. And it has decreased our time to respond because the analytics make it easier.

You can block users very easily, with just one click. And the information about the tokens is useful.

The logs are not too clear when you search in Azure Identity. 

And when you are working in a priority IP address, Identity is not able to know that those IPs are from the company. It sees that the IPs are from Taiwan or Hong Kong or India, even though they are internal IPs, resulting in a lot of false positives.

I have been using Microsoft Defender for Identity for one year.

It hasn't crashed and there hasn't been any downtime. The stability is good. It's in the cloud and it works.

The scalability is good. We have about 50,000 users in several locations.

The visibility into threats with Defender for Identity is good, but I now use another identity tool, CrowdStrike Falcon Identity Protection and it may be better in certain ways. Still, the visibility with Defender for Identity is good and CrowdStrike is more difficult to implement.

We also use Microsoft Sentinel, but we have a lot of SIEMs, including CrowdStrike and Splunk. The problem with Sentinel is that it doesn't have specific rules. You can't change anything. It's difficult to work with it because the logs are not good enough. For investigations, it's more useful if you have another SIEM like Splunk. But when Microsoft Defender for Identity creates an alert, it's better. It gives you the user and the host, and it's easier to work with.

What makes Sentinel good is the description it provides. It's useful for knowing what is happening. But if you are going to do something deeper, it becomes more difficult. We don't have good queries because they are difficult to write. It's difficult to work with it. 

In the past, we had a dashboard for Defender for Identity that was really good, with a lot of views and information. But I think our company has changed things to SharePoint and, in SharePoint, the Identity information is not as clear. The old dashboard was better.

In the discussion about using one vendor's security suite versus products from various vendors, Microsoft is good but perhaps it would be good to have other products, such as internal solutions. Because with Microsoft, you can't change the rules or make your own rules, and that makes it difficult to get 100 percent protection. But Microsoft Defender for Identity is a good product.

It works well, but you have to work with the tool a lot to know when detections are false positives. If you put in an identity that was a false positive, sometimes you get an alert again. Sometimes, it doesn't learn.

Defender for Identity is mainly a monitoring tool for Active Directory activity. Active Directory logs are fixed into Defender for Identity and it has its own core rules. Based on those rules, it gives us an alert if any suspicious activity is going on in Active Directory.

Many organizations are using the Microsoft Windows operating system. Whenever users log in to their systems, all the login activity, the credentials et cetera, are managed by Active Directory. If suspicious login activity happens in that system, everything is logged and the logs are saved by the Defender for Identity. Based on the correlation rules and AI technology, it gives us alerts, such as brute-force and honey-token-related alerts, or login activity after office hours, or successful login after three consecutive login failures.

It helps our organization protect employee access and prevent anyone from outside of the organization from accessing our systems. It is very important for securing our organization's endpoints, our laptops and servers. No unauthorized person can access an endpoint or enter our assets. It is also very helpful for preventing DDoS alerts, brute-force alerts, and other Active Directory-related threats.

The feature I like most is that you can create your own customized detection rules. It has a lot of default alerts and rules, but you can customize them according to your business needs. For example, we have a prevention mechanism through a policy where, if anyone tries to access something and gives the wrong credentials three times, that account will automatically be deactivated for the next half hour.

Also, you can integrate Defender for Identity with any SIEM platform, like Splunk, QRadar, and all top SIEMs, and create your own dashboards and reports to identify any suspicious activity. It's also very user-friendly, UI-wise. Anyone can understand it. We integrated it with Splunk, which is a big analytics tool.

Visibility-wise, it's also quite useful. And if you want to enhance something based on your requirements, you can raise a ticket with the Microsoft team and they will review and implement it. That flexibility makes Microsoft very helpful to its clients.

In addition, there is only one dashboard where we get the alerts. They come in as low, medium, or high priority.

We observe a lot of false positives. Sometimes, when we go for a coffee break, we lock our screens. Locking the screen has a separate Windows event ID and sometimes I see it is detected as a failed login. The number of false positives needs to be improved. With the separate event ID for a locked screen, we have to segregate the event ID and correlate everything properly so that we can identify it as a false positive.

I have been working with Microsoft Defender for Identity for the last four years.

It has never failed and it's never down. It's very stable.

The scalability is very good. In our organization we have almost 10,000 associates and that means we have about 10,000 endpoints, including 3,000 servers.

We have contacted their support several times, not only for Defender for Identity, due to false positives, but also for some other solutions. There is some delay in response, it's not an immediate reply. They will take one or two days to reply, based on the priority.

Neutral

It's not very complicated to deploy, although we were not involved. It was deployed by Microsoft. We just provided the Active Directory server details and they integrated it. It took about one week to fully deploy it, and there were three people involved.

There is no maintenance required on our side. Everything is done by the vendor, including all the security patches. It is a cloud-based security solution, it's not on-premises, so we don't need to manage anything on our side. Everything, all the patches and all the application upgrades, happen automatically.

You need to understand why this product is important and why it is required in your organization. What are the benefits? You have to identify that first. If you don't understand the requirements or the benefits, you will not get the proper answers. You have to evaluate your security design and identify the importance of Active Directory logs and Active Directory protection.

You also have to ensure your Active Directory policies are well maintained and monitor your Active Directory logs as well.

If I could choose between a single security vendor or having multiple vendors, I would always prefer a multi-vendor approach. A single vendor only has a single source of threat intelligence, but if you want to protect your organization, and the budget permits, you should have multiple security sources.

No one can say they are 100 percent secure, even after you put a lot of security devices in place and have done everything. Security devices are based on predefined rules or behavioral-based analysis or IOC-based. They have the intelligence to detect possible threats, but there are limitations. There are known and unknown threats. But with Defender for Identity, over the last five years, I have not observed any vulnerabilities. Several breaches have happened in our organization, but there have been no major breaches. There have been no ransomware or security events in that time. Everything has been detected. Sometimes we get false positives, but we notify Microsoft that those are not malicious files and they can be whitelisted. Defender is very good at detecting any abnormal behavior or malicious files.

The solution is primarily used for detecting user anomalies, sign-in anomalies, user behavior analytics, and identifying business compromises.

The solution’s alerting is fairly efficient.

The solution should provide more detailed data regarding anomaly detections. You get information occasionally, but it doesn't always correlate the different anomalies accurately. It takes quite a lot of effort to look at sign-in logs and security alert logs.

It would be nice to consolidate all that information into a more centralized view instead of going through different platforms in the Azure Stack to investigate.

I have been using the solution for two to three years.

The agent deployed on domain controllers and servers isn't very stable. In some instances, agents needed to be redeployed. In other cases, we had to involve Microsoft engineers to fix the issues.

Microsoft's first-level support is extremely pathetic. They take an extremely long time to escalate a call to a tier two or tier three analyst for extra in-depth investigations. We've had calls open for a month that weren't escalated to the correct people to solve them.

We have different channels to contact Microsoft support instead of the normal help center channels.

Neutral

We haven't used anything besides Cisco Identity Services Engine (ISE), but that's just for identity protection for your on-premise networks. It's not cloud-integrated. In contrast, Microsoft Defender for Identity works for both on-premise and cloud environments.

The solution’s initial setup was fairly straightforward. It probably took about a month to get it fully implemented.

The solution was implemented through an in-house team.

Microsoft's licensing model is very complex to understand. Microsoft Defender for Identity comes as part of the Microsoft E5 licensing stack. We do not have to pay additional costs for technical support.

The solution uses machine learning to detect if a user has never used a certain service provider or public IP address. The tool picks that up as an anomaly. Then, the user gets flagged that it's a potentially risky sign-in. You get alerted about that, and then you need to investigate.

From a business perspective and brand image, the solution helps quite a lot by responding to incidents quickly. The solution’s alerting is fairly efficient. The solution has built-in automation that can automatically disrupt attacks and block or disable accounts. The solution's cost savings are probably hard to gauge as we haven't used another product in the past.

The solution integrates seamlessly with the other Microsoft tools we have. Microsoft Copilot for Security is an additional product that Microsoft has released for enhanced AI capabilities over the Microsoft Defender stack. It comes with additional licensing. I would recommend the solution to other users.

Overall, I rate the solution an eight out of ten.

We use the solution for PIM management, access detection, and synchronization with Intra.

It has the ability to block access, monitor, and log in.

It integrates with on-premises Active Directory environments. It is designed to enhance security by providing advanced threat detection and response capabilities for both Azure Active Directory and on-premises Active Directory. This integration allows for comprehensive monitoring and protection of identity-related activities across both environments.

It focuses on protecting the on-premises Active Directory infrastructure and does not directly link both identity repositories. For users operating in mixed environments, while Defender for Identity offers robust protection for on-premises AD, additional solutions or configurations might be necessary to ensure seamless security management across Azure and on-premises AD systems.

It is stable. 

I rate the solution’s stability a nine out of ten.

It is scalable. It is suitable for large enterprises.

I rate the solution’s scalability a ten out of ten.

Support varies depending on your subscription level. For corporate enterprise and premium plans, you can expect more comprehensive support. However, if you have a basic or standard subscription, you might experience lower-priority support. Generally, the support provided is good, but response times may be longer for lower-tier plans. The support team is often overwhelmed due to high demand.

Positive

The initial setup is not very complex, but it could be easier. They are very easy to configure and set up.  Two people—one a security consultant and another infra—are required for deployment.

I rate the initial setup an eight-point five out of ten, where one is difficult, and ten is easy.

It provides time-saving. 

It has a fair price.

I recommend the solution.

Overall, I rate the solution an eight out of ten.

Our use case is for the securing of the on-premise active directory, but also to correlate the on-premise active directory security information with the Defender for Endpoint ADP integration. That's most of my use cases, the protection of online AD, but the additional information that it gives regarding the incidents as they occur and possible lateral escalation of privileges for the workstation are also use cases. 

We're using Azure AD in combination with on-premise AD. 

The basic security monitoring at its core feature is the most valuable aspect. But also the investigative parts, the historical logging of events over the network are extremely interesting because it gives an in-depth insight into the history of account activity that is really easy to read, easy to follow, and easy to export.

It's provided a simple identification of issues of account abuse. It showed some configuration mistakes. One of the features that it also has is privilege escalation. So it has a feature where you can look into lateral movement parts, and it has a great graphing feature that shows you what kind of lateral movement risks are associated with certain accounts.

Integrating with the Microsoft Cloud Application Security, you get a tab called Identity Security Posture, where it provides a list of best practices, improvements, things that it has found based on the actual data that it received. One of the things that was interesting, is that two to three months ago, Microsoft had a massive issue with their print spoolers and suddenly the advice came worldwide. The first thing you did was disable the print spooler on the main controllers. This has always been a best practice for Microsoft services, just never clearly communicated. But this feature, this best practice was already clearly visible within the Identity Security Posture from MDI. So we already mitigated this weakness because of the recommendations that the application gave.

It displays, for instance, a clear tax credential exposure. One of the things that you have a lot within enterprise applications is that a lot of third-party applications communicate via LDAP to active directory. Currently one of the weak points there is that the typical LDAP communication is communicating over LDAP and not over LDAP secure. So it's unencrypted, which means that you get plain text passwords over your networks. And this MDI is able to identify those applications as well and say that the endpoints communicating with MDI need to be secure. They should be secured.

It would be good if Defender for Identity would further align the Azure ID with the on-premise experience. Because those still seem to be two different worlds. 

The impact of the sensors on the domain controllers can be quite high depending on your loads. I don't know if there's any room for improvement there, but that's one of the things that might be improved.

I have been using Microsoft Defender since its inception. I've been using it before it was called MDI, around three years ago. 

Stability is great, it's been improved quite a bit. In the beginning, we had some occasional restarts of sensors on the domain controllers, but stability itself right now is great. We adjusted some performance on the main controllers, made sure that we have enough CPU and memory, especially taking a good look at the exact memory requirements. That's definitely something not to underestimate. If you go under memory requirements, you might hit upon an issue where the sensor tends to restart occasionally.

Scalability is great. In an enterprise network with 22,500 workstations, 15 domain controllers, give a give or take, it's easily scaling out. Especially since you deploy it, it's really scaling out on a per sensor basis. So if you ever added a main controller, you just need to factor a sensor in and that's it.

I have it currently deployed in Europe and in the short term, I have plans to deploy it in several other of our areas, such as the United States and South America, and I am also advising our Japanese headquarters to follow the same.

Technical support depends. If you get directly in contact with the core support team from the product, it is very, very good. But since it is from Microsoft's perspective, sometimes it seems like an additional, niche product that not everybody's even aware of. So sometimes it's hard to get in contact with the right support group. But once you have the right support group, then things generally work out very well.

It can take a bit, but once you get there, you get really excellent support.

Positive

I previously used several other solutions. Some of them are still actually in place because there are some differences in functionality and feature sets. 

The initial setup was extremely simple. You go to the portal, you download the clients, retrieve the key, you install the clients on the main controllers input key and things start working. The deployment is a matter of minutes to two hours, depending, of course, on the impact on the amount of the main control it needs to configure.

We had to investigate the impact on the main controllers. Of course, we started carefully, but after an evaluation period of two to three weeks, on a handful of the main controllers, it was within a month. It was deployed on all the main controllers.

We only needed two people, and several man-hours, for the initial setup. It starts to study the behavior of the activity on the network. So for the first 30 days, it doesn't do much. Then you start to get some alerts. It just really depends on your configuration, how active your environment is, based on what sort of threats you might have going on on the radar that you weren't aware of.

Once it is actually running and you focus on the core alert functionality, that is just part of the normal security operations procedure. It hardly ever gives false positives. So the moment you get something, you really should act on that sound. That of course depends on the nature of the threat. But I don't think that says anything about the maintenance that you need to do for MDI. That's more about the actual events that are going on. So MDI is very low maintenance. It can alert you on some very high maintenance incidents though.

Initially, we had an investigative call with Microsoft. They offered to use a third party to assist with the installation. But when we went over the whole configuration that was required, we decided just to do it on our own. No regards to getting help.

Our RPO is seen in its prevention of incidents and even faster resolution of security incidents mostly.

There are no additional costs to standard licensing. You get an infinite amount of the directory sensors that you can deploy. It integrates directly into the security portal from Microsoft and in the cloud application security, you get cloud login. 

I'm also a social security specialist. One of the things that we do is run our own sensors and our own logging on active directory controllers. And we analyze that in an elastic stack. Basically, you spend a lot of time getting dedicated to the monitoring configuration active directory. We capture a little bit more than what MDI is capturing, but that is only really for fringe cases that we ever need, to really see that in the eyes a very user-friendly application for people to see what is happening on your network. And you don't have to be escalating specialists to see that somebody accessed a server at one time and then logged on to the following computer. I think that for a defensive view, it can give most administrators absolutely amazing insight into what's happening in the network that they probably never had before.

There is much more going on that you're generally aware of. I'm really quite a fan of this tool because it gives such great insights, such great historical logging.

I would rate it a nine out of ten. 

It's sometimes represented in an over-complicated way because it's really just such a simple tool to use that it's also giving non-IT security experts such great insight. And it's not just for the alerts, but also just for the needs of the logging and all the typical configuration mistakes that you do. I think it's just a really great tool.

Our use case is endpoint detection and response (EDR). 

You can integrate Microsoft Defender with other solutions. 

It gives you a holistic view of everything happening in your organization.

You can use it to do a lot of monitoring.

The most valuable features are ETL, lab, and monitoring.

I would like to be able to do remediation from the platform because it is just a scanner right now. If you onboard a device, it shows you what is happening, but you can't use it to fix things. You need to go into the system to fix it instead.

I have been using it for three years.

It is quite stable. There are incidents from time to time, which can affect any platform. This affects in different regions or locations within Canada or even Africa. Sometimes users complain and we get a service request that we check to determine if there is an incident. 

When there are issues, sometimes the issue is clear by itself, and other times, I contact Microsoft technical support. Most times, the technical support provides a workaround. My experience with their technical support has been excellent.

Positive

We also use Kaspersky and other solutions, but all these solutions integrate with Azure, Microsoft Defender, or Microsoft 365. They don't really work on their own.

It is easy to set up. Based on the number of devices you would like to set up, you can use scripts, Group Policy, etc.

It takes five minutes to set up.

You won't be able to change your tenants from where you deploy them. For example, if you select Canada, they will charge you based on Canadian pricing. If you are also in London, when you deploy in Canada, the pound is higher than Canadian dollars, but your platform resources are billable in Canadian dollars. Using your pounds to pay for any of these things will be cheaper. Or, if you deploy in London, they will charge you based on your local currency.

The package has a lot of features. We just want email and calendar only. This is the standard plan. However, if you want something which extends the product's features, you can get Microsoft business.

I would rate the solution as nine out of 10.