Technology Coordinator at a educational organization with 501-1,000 employees
Real User
Top 20
Nov 20, 2025
I really would have to sit down to think about how Microsoft Defender for Identity can be improved. I didn't take stock in what needs to be improved because I appreciated having the tools right there when I needed them, so I didn't really think about what else it needs.
In our company, Microsoft Defender for Identity does not help me automate routine tasks and automate finding high-value alerts, but it does for our clients.Microsoft Defender for Identity does not save me time, but I think it is the way that I secure the data. It does not save me money either.
The only challenge I have with Microsoft Defender for Identity is the latency. I may not put that entirely on Microsoft, because latency could be network related. At times when trying to authenticate, the prompt is delayed. We tried implementing passwordless authentication, especially for on-premises workloads, but we haven't been able to achieve that. Passwordless authentication is part of the identity functionalities, particularly when it comes to enforcing passwordless for on-premises workloads. In terms of improvements, you can't create OUs on Azure AD. Regarding giving users privileges on what they can do across different OUs, I haven't seen that feature on Microsoft Defender for Identity. Microsoft Defender for Identity needs to be able to plug into third-party applications that are not Microsoft. For instance, with a human resource application used to manage users and leave requests, when staff leaves the organization, they are first exited from that application before AD. Integration between Azure AD and third-party applications would allow automatic syncing when removing staff. The initial setup of Microsoft Defender for Identity is not hard. However, setup is one thing, and getting value from the application end-to-end is another. It can be set up and running from the first day but not functioning optimally. Initially, when we did the setup, it wasn't optimal. Over time, with continuous improvement, which we're still doing, we've gotten to a comfortable level, but there's still room for improvement.
Microsoft can improve Microsoft Defender for Identity by ensuring that installation prerequisites are included in the setup process. Installing the solution presents challenges as numerous logs and events must be enabled manually on all domain controllers. These manual processes should be integrated into the setup. The configuration process is time-consuming, with installation taking two minutes but prerequisites requiring two hours. Additionally, the prerequisites PowerShell script from Microsoft that must be run before installing the sensor should be integrated into the setup. Currently, users must download this script from the internet to determine sizing and compatibility requirements. The setup should automatically indicate whether a server is compatible or meets minimum requirements without requiring external tools.
I do not see anything regarding the best features of Microsoft Defender for Identity that needs improvement. We have not received such requirements. The out-of-the-box features are fulfilling the solutions we require. Currently, I do not see anything to improve in Microsoft Defender for Identity. I currently do not have anything in mind regarding design, setup, or pricing. I think we can cover the third-party identity to be managed through an identity.
For improvement, I need to complete the testing. We are currently in the initial phase. Improvement insights will be shared post the thorough testing phase. We have just started using it a month ago, and we are in a continual process of establishing it completely.
Learn what your peers think about Microsoft Defender for Identity. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
CyberSecurity Engineer | Information Security Management at Self Employed
Real User
Top 10
May 26, 2025
In Microsoft Defender for Identity, I would appreciate improvements in providing information on conditional access. They have added more control that can be put in place, which was not present years ago. They have also integrated Azure Information Protection where policies can be configured. The Self-Service Password Reset (SSPR) allows users to reset their passwords, which is a valuable tool for remote workers. They have added more features into conditional access that integrate with other components, including SSPR and Identity Information Protection, trusted IPs, and locations. These configurations in trusted IP addresses are integrated into conditional access and control the applications I want to secure. Regarding impossible travel scenarios, I can either block the user or grant access while requesting multi-factor authentication. They should improve the automation for impossible travel detection. When connected to Wi-Fi and then to VPN, the system sometimes interprets the IP address change as impossible travel. If Microsoft could develop a feature that indicates when impossible travel is caused by VPN connections, it would prevent unnecessary password resets and session disruptions, especially for VIP users in organizations.
Information Technology Security Manager at a security firm with 51-200 employees
Real User
Top 10
Mar 31, 2025
There is room for improvement in delivering knowledge to technical users, especially regarding what we can gain from the solution and how to apply it. The documentation provided by Microsoft is often seen as a waste of time. We had no specific complaints about technical support, as it was rarely used due to the availability of materials online.
One area that needs improvement is the number of alerts generated, leading to alert fatigue. Reducing false positives is something we've been working on with Microsoft.
One improvement I would recommend is the integration of an admin application within Teams, allowing easy access to attack information on a mobile platform to promptly alert affected users and their friends.
The solution could improve how it handles on-premises Android-related attacks. Without Microsoft Defender, it can be challenging to check which accounts are compromised and to analyze activities on on-premises servers. Enhancing this capability would make it even more effective.
Security Specialist at a construction company with 1,001-5,000 employees
Real User
Top 10
Sep 10, 2024
The solution should provide more detailed data regarding anomaly detections. You get information occasionally, but it doesn't always correlate the different anomalies accurately. It takes quite a lot of effort to look at sign-in logs and security alert logs. It would be nice to consolidate all that information into a more centralized view instead of going through different platforms in the Azure Stack to investigate.
Software Engineer at a computer software company with 201-500 employees
Real User
Top 20
Sep 2, 2024
There are issues with the alerts in Microsoft Defender for identity-related intra-protection detection anomalies. The alerts are missing some data, which makes it difficult to determine the exact sign-in event associated with the alert. For instance, if we see a sign-in from a different country, we want to correlate this with the sign-in events recorded in our system and Microsoft. The alert in Defender does not provide the necessary details to match it directly with the corresponding sign-in event. To address this, we need to refer to Defender Protection events, where we can find the IP and sign-in ID associated with the event. It would be beneficial if Microsoft developed the Microsoft Graph API for Advanced Hunting to facilitate more automation. Currently, the schema is not very well-defined, which limits automation possibilities. Additionally, improvements could be made to enhance queries, such as obtaining the full path of a process, which is available in EDR. Addressing these areas would significantly improve functionality and integration. Occasionally, we've encountered issues with the API, such as when we cannot access the data and receive a 500 Internal Server Error. This has happened several times over the past few days.
Owner at a tech services company with 51-200 employees
Real User
Top 10
Aug 8, 2024
It integrates with on-premises Active Directory environments. It is designed to enhance security by providing advanced threat detection and response capabilities for both Azure Active Directory and on-premises Active Directory. This integration allows for comprehensive monitoring and protection of identity-related activities across both environments. It focuses on protecting the on-premises Active Directory infrastructure and does not directly link both identity repositories. For users operating in mixed environments, while Defender for Identity offers robust protection for on-premises AD, additional solutions or configurations might be necessary to ensure seamless security management across Azure and on-premises AD systems.
Cloud Security Engineer at a non-tech company with 10,001+ employees
Real User
Dec 21, 2023
One potential area for improvement could be exploring flexibility in the installation of Microsoft Defender for Identity agents. Currently, it is mandatory to install the agent on the on-premises environment, and considering if there could be more flexibility in deployment might be worth exploring.
The tracking instance needs to be configured appropriately. They need to be able to identify more vulnerabilities in order to increase the efficiency of the solution.
Self Employed, Freelance, Consultor, Sales - Learning Time at SpectralByte
Real User
Top 20
Jun 1, 2023
Microsoft should look at what competing vendors like CrowdStrike and Broadcom are doing and incorporate those features into Sentinel and Defender. At the same time, I think the intelligence inside the product is improving fast. They should incorporate more zero-trust and hybrid trust approaches. They need to build up threat intelligence based on threats and methods used in attacks on other companies.
Although the threat protection is comprehensive, the solution needs to be reevaluated when it comes to complex scenarios. There is no publicly available roadmap regarding upcoming features and improvements to the product. The product has significant limitations around acquiring device vulnerabilities, primarily because hunting queries are limited. The technical support needs significant improvement. Documentation for more minor issues in the form of guides or walkthroughs could help to resolve this issue. The number of tickets raised would decrease, removing some pressure from the support team and making it easier to clear the remaining tickets.
There is no option to remedy an issue directly from the console. If we see an alert, we can't fix it from the console. Instead, we must depend on other Microsoft products, such as MDE. That is a significant drawback. It simply works as a scanner, which can sometimes put enough load on the sensors. Immediate actions should be possible from the dashboard because. It can prevent issues from spreading further.
Cyber Security BA/BSA at a insurance company with 10,001+ employees
Real User
Mar 13, 2021
When the data leaves the cloud, there are security issues. The cloud security services and the integration with on-prem applications like SIEM, needs to be improved.
Microsoft Defender for Identity offers real-time threat detection and protection for hybrid Active Directory environments. It integrates with Microsoft 365 components for seamless security and monitors advanced behaviors, enhancing identity protection across cloud and on-premises environments.Microsoft Defender for Identity provides detailed threat insights and user behavior analytics to detect unauthorized access and notify anomalies. It allows setting custom detection rules, enhancing...
I really would have to sit down to think about how Microsoft Defender for Identity can be improved. I didn't take stock in what needs to be improved because I appreciated having the tools right there when I needed them, so I didn't really think about what else it needs.
In our company, Microsoft Defender for Identity does not help me automate routine tasks and automate finding high-value alerts, but it does for our clients.Microsoft Defender for Identity does not save me time, but I think it is the way that I secure the data. It does not save me money either.
The only challenge I have with Microsoft Defender for Identity is the latency. I may not put that entirely on Microsoft, because latency could be network related. At times when trying to authenticate, the prompt is delayed. We tried implementing passwordless authentication, especially for on-premises workloads, but we haven't been able to achieve that. Passwordless authentication is part of the identity functionalities, particularly when it comes to enforcing passwordless for on-premises workloads. In terms of improvements, you can't create OUs on Azure AD. Regarding giving users privileges on what they can do across different OUs, I haven't seen that feature on Microsoft Defender for Identity. Microsoft Defender for Identity needs to be able to plug into third-party applications that are not Microsoft. For instance, with a human resource application used to manage users and leave requests, when staff leaves the organization, they are first exited from that application before AD. Integration between Azure AD and third-party applications would allow automatic syncing when removing staff. The initial setup of Microsoft Defender for Identity is not hard. However, setup is one thing, and getting value from the application end-to-end is another. It can be set up and running from the first day but not functioning optimally. Initially, when we did the setup, it wasn't optimal. Over time, with continuous improvement, which we're still doing, we've gotten to a comfortable level, but there's still room for improvement.
Microsoft can improve Microsoft Defender for Identity by ensuring that installation prerequisites are included in the setup process. Installing the solution presents challenges as numerous logs and events must be enabled manually on all domain controllers. These manual processes should be integrated into the setup. The configuration process is time-consuming, with installation taking two minutes but prerequisites requiring two hours. Additionally, the prerequisites PowerShell script from Microsoft that must be run before installing the sensor should be integrated into the setup. Currently, users must download this script from the internet to determine sizing and compatibility requirements. The setup should automatically indicate whether a server is compatible or meets minimum requirements without requiring external tools.
I do not see anything regarding the best features of Microsoft Defender for Identity that needs improvement. We have not received such requirements. The out-of-the-box features are fulfilling the solutions we require. Currently, I do not see anything to improve in Microsoft Defender for Identity. I currently do not have anything in mind regarding design, setup, or pricing. I think we can cover the third-party identity to be managed through an identity.
For improvement, I need to complete the testing. We are currently in the initial phase. Improvement insights will be shared post the thorough testing phase. We have just started using it a month ago, and we are in a continual process of establishing it completely.
In Microsoft Defender for Identity, I would appreciate improvements in providing information on conditional access. They have added more control that can be put in place, which was not present years ago. They have also integrated Azure Information Protection where policies can be configured. The Self-Service Password Reset (SSPR) allows users to reset their passwords, which is a valuable tool for remote workers. They have added more features into conditional access that integrate with other components, including SSPR and Identity Information Protection, trusted IPs, and locations. These configurations in trusted IP addresses are integrated into conditional access and control the applications I want to secure. Regarding impossible travel scenarios, I can either block the user or grant access while requesting multi-factor authentication. They should improve the automation for impossible travel detection. When connected to Wi-Fi and then to VPN, the system sometimes interprets the IP address change as impossible travel. If Microsoft could develop a feature that indicates when impossible travel is caused by VPN connections, it would prevent unnecessary password resets and session disruptions, especially for VIP users in organizations.
There is room for improvement in delivering knowledge to technical users, especially regarding what we can gain from the solution and how to apply it. The documentation provided by Microsoft is often seen as a waste of time. We had no specific complaints about technical support, as it was rarely used due to the availability of materials online.
One area that needs improvement is the number of alerts generated, leading to alert fatigue. Reducing false positives is something we've been working on with Microsoft.
One improvement I would recommend is the integration of an admin application within Teams, allowing easy access to attack information on a mobile platform to promptly alert affected users and their friends.
The solution could improve how it handles on-premises Android-related attacks. Without Microsoft Defender, it can be challenging to check which accounts are compromised and to analyze activities on on-premises servers. Enhancing this capability would make it even more effective.
The solution should provide more detailed data regarding anomaly detections. You get information occasionally, but it doesn't always correlate the different anomalies accurately. It takes quite a lot of effort to look at sign-in logs and security alert logs. It would be nice to consolidate all that information into a more centralized view instead of going through different platforms in the Azure Stack to investigate.
There are issues with the alerts in Microsoft Defender for identity-related intra-protection detection anomalies. The alerts are missing some data, which makes it difficult to determine the exact sign-in event associated with the alert. For instance, if we see a sign-in from a different country, we want to correlate this with the sign-in events recorded in our system and Microsoft. The alert in Defender does not provide the necessary details to match it directly with the corresponding sign-in event. To address this, we need to refer to Defender Protection events, where we can find the IP and sign-in ID associated with the event. It would be beneficial if Microsoft developed the Microsoft Graph API for Advanced Hunting to facilitate more automation. Currently, the schema is not very well-defined, which limits automation possibilities. Additionally, improvements could be made to enhance queries, such as obtaining the full path of a process, which is available in EDR. Addressing these areas would significantly improve functionality and integration. Occasionally, we've encountered issues with the API, such as when we cannot access the data and receive a 500 Internal Server Error. This has happened several times over the past few days.
It integrates with on-premises Active Directory environments. It is designed to enhance security by providing advanced threat detection and response capabilities for both Azure Active Directory and on-premises Active Directory. This integration allows for comprehensive monitoring and protection of identity-related activities across both environments. It focuses on protecting the on-premises Active Directory infrastructure and does not directly link both identity repositories. For users operating in mixed environments, while Defender for Identity offers robust protection for on-premises AD, additional solutions or configurations might be necessary to ensure seamless security management across Azure and on-premises AD systems.
One potential area for improvement could be exploring flexibility in the installation of Microsoft Defender for Identity agents. Currently, it is mandatory to install the agent on the on-premises environment, and considering if there could be more flexibility in deployment might be worth exploring.
The tracking instance needs to be configured appropriately. They need to be able to identify more vulnerabilities in order to increase the efficiency of the solution.
Microsoft should look at what competing vendors like CrowdStrike and Broadcom are doing and incorporate those features into Sentinel and Defender. At the same time, I think the intelligence inside the product is improving fast. They should incorporate more zero-trust and hybrid trust approaches. They need to build up threat intelligence based on threats and methods used in attacks on other companies.
Although the threat protection is comprehensive, the solution needs to be reevaluated when it comes to complex scenarios. There is no publicly available roadmap regarding upcoming features and improvements to the product. The product has significant limitations around acquiring device vulnerabilities, primarily because hunting queries are limited. The technical support needs significant improvement. Documentation for more minor issues in the form of guides or walkthroughs could help to resolve this issue. The number of tickets raised would decrease, removing some pressure from the support team and making it easier to clear the remaining tickets.
There is no option to remedy an issue directly from the console. If we see an alert, we can't fix it from the console. Instead, we must depend on other Microsoft products, such as MDE. That is a significant drawback. It simply works as a scanner, which can sometimes put enough load on the sensors. Immediate actions should be possible from the dashboard because. It can prevent issues from spreading further.
The solution could be better at using group-managed access and they could replace it with broad-based access controls.
When the data leaves the cloud, there are security issues. The cloud security services and the integration with on-prem applications like SIEM, needs to be improved.