
Most successful cyberattacks do not begin with a spectacular exploit, but with a stolen account that moves undetected through Active Directory. Microsoft Defender for Identity places sensors on your domain controllers and shows exactly which attack paths lead to your most sensitive accounts — before an attacker walks them.
Ninety percent of successful cyberattacks on organisations do not begin with an advanced zero-day exploit, but with a stolen or guessed password. Once inside, attackers move laterally through the network, accumulate permissions, and work systematically towards the most valuable systems. Active Directory is almost always the end target: whoever controls AD holds the keys to the entire Windows environment.
Microsoft Defender for Identity (MDI) is Microsoft's product for exactly this attack path. It places a lightweight sensor on your domain controllers that continuously analyses Kerberos, NTLM, and DNS protocol traffic, detects anomalous behaviour, and visualises attack paths — before an attacker can walk them. This article explains how MDI works, what it detects, and how to approach the implementation.
MDI works with a lightweight sensor that you install on your domain controllers, AD FS servers, and AD CS servers. The sensor reads network traffic locally and sends encrypted metadata to the MDI cloud service for analysis. No passwords or content are transmitted — only behavioural data derived from authentication events and protocols. The sensor has minimal impact on domain controller performance and requires no additional proxy configuration.
This design means MDI sees virtually all relevant authentication events: who tries to log on to which machine, with which permissions, via which protocol, and at what time. That continuous stream of events forms the behavioural baseline the cloud service uses to recognise anomalies.
MDI recognises a broad range of techniques that attackers employ after an initial breach. In the reconnaissance phase, it detects queries used to map the AD structure: users, groups, machine accounts, and trust relationships. Well-known techniques such as LDAP reconnaissance and SAMR enumeration are picked up and attributed to the source account.
Lateral movement techniques form the core of what MDI monitors. Pass-the-hash and pass-the-ticket, where attackers reuse stolen authentication material to impersonate another user without knowing their password, are recognised by characteristic patterns in Kerberos and NTLM traffic. Overpass-the-hash, where a stolen NTLM hash is used to obtain a Kerberos ticket, and Kerberoasting, where attackers request service tickets in order to crack the underlying service-account password offline, are also in scope.
The most severe attacks — golden ticket attacks in which an attacker forges completely fake Kerberos tickets, skeleton key malware that installs a backdoor in AD, and DCSync attacks in which the attacker attempts to replicate the full AD database — are detected as well. All these alerts appear in the Microsoft Defender portal with a structured explanation: which technique, which accounts, which mitigation step.
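As an added illustration of the kind of pattern described above (this is example code written for this article, not MDI's own detection logic, which is not public), the following Python flags the Kerberoasting signature over a constructed sample of Windows Security event 4769 fields: one account requesting RC4-encrypted service tickets for many distinct SPNs within a short window. The field names, the five-minute window and the SPN threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(t, account, spn, etype, ip):
    """Build one constructed 4769-style record (service ticket requested)."""
    return {"time": datetime.fromisoformat(t), "account": account, "spn": spn, "etype": etype, "ip": ip}

# Constructed sample data, not real logs. etype 0x12 = AES256-CTS, 0x17 = RC4-HMAC.
EVENTS = [
    ev("2024-03-01T09:00:01", "jdoe", "MSSQLSvc/db01.corp.example", "0x12", "10.0.0.5"),
    ev("2024-03-01T09:00:02", "jdoe", "HTTP/web01.corp.example", "0x12", "10.0.0.5"),
    ev("2024-03-01T09:05:00", "svc-backup", "CIFS/fs01.corp.example", "0x17", "10.0.0.9"),
    ev("2024-03-01T11:30:00", "contractor-tmp", "MSSQLSvc/db01.corp.example", "0x17", "10.0.0.77"),
    ev("2024-03-01T11:30:01", "contractor-tmp", "MSSQLSvc/db02.corp.example", "0x17", "10.0.0.77"),
    ev("2024-03-01T11:30:01", "contractor-tmp", "HTTP/web01.corp.example", "0x17", "10.0.0.77"),
    ev("2024-03-01T11:30:02", "contractor-tmp", "HTTP/intranet.corp.example", "0x17", "10.0.0.77"),
    ev("2024-03-01T11:30:03", "contractor-tmp", "CIFS/fs01.corp.example", "0x17", "10.0.0.77"),
    ev("2024-03-01T11:30:04", "contractor-tmp", "exchangeMDB/mail01.corp.example", "0x17", "10.0.0.77"),
]

def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=5):
    """Alert on an account that requests RC4 service tickets for at least
    `min_spns` distinct SPNs inside `window`: the trace left behind when
    ticket hashes are being collected for offline cracking."""
    rc4_by_account = defaultdict(list)
    for e in events:
        if e["etype"] == "0x17":          # RC4 tickets are the cheap-to-crack ones
            rc4_by_account[e["account"]].append(e)
    alerts = []
    for account, reqs in rc4_by_account.items():
        reqs.sort(key=lambda e: e["time"])
        start, best = 0, None
        for end in range(len(reqs)):
            # slide the window so reqs[start:end+1] spans at most `window`
            while reqs[end]["time"] - reqs[start]["time"] > window:
                start += 1
            burst = reqs[start:end + 1]
            spns = {e["spn"] for e in burst}
            if len(spns) >= min_spns and (best is None or len(spns) > best[0]):
                best = (len(spns), burst)     # keep the widest burst per account
        if best:
            n, burst = best
            alerts.append({"account": account, "distinct_spns": n,
                           "source_ips": sorted({e["ip"] for e in burst}),
                           "first": burst[0]["time"], "last": burst[-1]["time"]})
    return alerts

if __name__ == "__main__":
    for a in detect_kerberoasting(EVENTS):
        print(f"{a['account']}: {a['distinct_spns']} SPNs from {a['source_ips']} between {a['first']} and {a['last']}")
```

A single RC4 request from a legitimate service account (svc-backup above) stays below the threshold, which is the kind of baseline calibration the rest of this article refers to.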
One of MDI's distinguishing features is attack path analysis. Every day, MDI calculates which routes an attacker could walk from a compromised low-privilege account towards a sensitive target, such as a Domain Admin, a Tier-0 server, or an account with access to critical business systems.
A typical attack path looks like this: account A has local administrator rights on server B. On server B, Domain Admin C has an active session. Anyone who compromises account A can intercept Domain Admin C's credentials via server B and take over the entire environment. This path exists in many organisations for years without anyone noticing, because no single configuration element appears as an error on its own.
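The path above, worked through in code as an added example (written for this article, not MDI's own analysis): a small constructed graph of AdminTo, HasSession and MemberOf relationships, the shortest route from each low-privilege account to Domain Admins ranked by hop count, and a count of which single relationship sits on the most paths, since that is the cheapest cut for a defender. The node names and relationship labels are assumptions.

```python
from collections import deque, Counter

# Constructed AD relationship graph (not real data): (source, relation, target).
# AdminTo: user has local admin on the computer; HasSession: that user is
# logged on there (credentials exposed); MemberOf: group membership.
EDGES = [
    ("alice", "AdminTo", "SRV-FILE01"),
    ("SRV-FILE01", "HasSession", "carol.da"),
    ("carol.da", "MemberOf", "Domain Admins"),
    ("bob", "AdminTo", "WS-042"),
    ("WS-042", "HasSession", "alice"),
    ("dave", "AdminTo", "WS-099"),
    ("WS-099", "HasSession", "erin"),
]

def shortest_path(edges, start, target):
    """BFS over the directed graph; returns the edges of the shortest path
    from start to target, or None when target is unreachable."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    parent = {start: None}            # node -> (previous node, relation)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node]:
                src, rel = parent[node]
                path.append((src, rel, node))
                node = src
            return path[::-1]
        for rel, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None

def rank_attack_paths(edges, starts, target="Domain Admins"):
    """One shortest path per starting account, fewest hops first: the fewer
    hops, the less an attacker holding that account has to do."""
    found = {s: shortest_path(edges, s, target) for s in starts}
    return sorted(((s, p) for s, p in found.items() if p), key=lambda sp: len(sp[1]))

def choke_points(ranked):
    """Edges sorted by how many ranked paths they occur in; removing a top
    entry (e.g. separating the admin session) breaks every path through it."""
    return Counter(edge for _, path in ranked for edge in path).most_common()

if __name__ == "__main__":
    ranked = rank_attack_paths(EDGES, ["alice", "bob", "dave"])
    for start, path in ranked:
        print(start, "->", " -> ".join(f"[{r}] {d}" for _, r, d in path))
    print("choke points:", choke_points(ranked)[:2])
```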
MDI visualises these paths and ranks them by risk. That enables targeted mitigation: reduce permissions, separate sessions, shield sensitive accounts with Entra PIM or a dedicated Privileged Access Workstation. Rather than blindly working through a hardening checklist, you address the specific weaknesses in your own environment that carry the greatest impact.
MDI is one of the pillars of Microsoft Defender XDR, the integrated security platform that combines endpoints (Defender for Endpoint), identities (MDI), email (Defender for Office 365), and cloud applications (Defender for Cloud Apps) into a single investigation interface. When an incident combines signals from multiple pillars — for example, a phishing email followed by a suspicious Kerberos authentication from the same account — XDR groups those signals into one incident with a reconstructed attack scenario.
For organisations that also use Microsoft Sentinel as their SIEM, MDI streams its alerts and raw events via a native connector. This enables longer retention periods for forensic investigation and correlation with data sources outside the Microsoft ecosystem, such as network logs, firewalls, or an on-premises SIEM you are planning to migrate.
Microsoft Defender for Identity is available as a standalone licence and is included in Microsoft 365 E5, Microsoft 365 E5 Security, and Enterprise Mobility + Security E5. Organisations already on one of these bundles can activate MDI without additional licence costs. Microsoft 365 Business Premium includes Defender for Business, but that product has a more limited identity-detection scope and does not place sensors on domain controllers.
MDI is most worthwhile for organisations with an on-premises or hybrid Active Directory, a domain controller central to business operations, and a heightened compliance obligation from NIS2, ISO 27001, or a cyber insurer. Many cyber insurers now explicitly ask during acceptance whether identity detection at the AD level is in place.
An MDI implementation is straightforward. Step one: create an MDI workspace in the Microsoft Defender portal and activate the licence for your tenant. Step two: download and install the MDI sensor on each domain controller. In most environments this takes less than an hour per server. The sensor requires a service account with limited read permissions on AD — not a domain administrator. Step three: calibration. MDI typically needs two weeks to build a behavioural baseline. During this period you may receive false-positive alerts; adjust thresholds based on your specific environment.
After the first two weeks, the combination of attack path analysis and active alerts pairs best with a targeted AD hardening session, in which you address the identified risks systematically. Want to know whether your environment is ready for MDI, which licence arrangement applies to you, or how to approach the implementation most efficiently? Contact Zarioh for a no-obligation conversation.