Last Updated on August 11, 2025 by Arnav Sharma
What is Microsoft Defender for Identity?
Microsoft Defender for Identity, also known as MDI, is a cloud-based solution from Microsoft designed to protect an organization’s Active Directory environment. Previously, Microsoft Defender for Identity was known as Azure Advanced Threat Protection and was commonly referred to as Azure ATP.
MDI uses signals from on-premises Active Directory (domain controller network traffic and Windows events) to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at an organization.
Why MDI?
It enables SecOps analysts and security professionals to detect advanced attacks in hybrid environments, so that they can:
- Monitor users, entity behaviour, and activities with learning-based analytics
- Protect user identities and credentials stored in Active Directory
- Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
- Provide clear incident information on a simple timeline for fast triage
MDI Integration with other services:
- Defender for Identity integrates into Microsoft 365 Defender (now Microsoft Defender XDR), where its alerts are correlated with endpoint, email and cloud-app signals into incidents
- Defender for Identity integrates into Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security)
- Microsoft Sentinel has a data connector available for Defender for Identity.
Onboarding Defender for Identity
Prerequisites
- Licensing: EMS E5/A5/G5, M365 E5/A5/G5
- MDI is a cloud service that works against on-premises Active Directory; multi-forest and multi-domain environments are supported
- The MDI sensor requires a service account to run, and the recommendation is to use a group managed service account, also known as a gMSA, so that no password has to be managed or stored on the sensor hosts
- Advanced audit policy and Windows event logging enabled on the domain controllers, so that the sensor can read the security events it depends on
Steps:
- Go to https://portal.atp.azure.com (the classic Defender for Identity portal; it now redirects to the Microsoft Defender portal at https://security.microsoft.com, where the same settings live under Settings > Identities)
- Create the MDI service account in Active Directory (script below)
- Input the service account information (the gMSA name and domain) into the MDI portal
- Download the MDI sensor installation files and copy the access key; the key ties each sensor to your workspace, so treat it as a secret
- Deploy the sensor to all domain controllers and/or AD FS servers
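The steps above, as an added example that is not from the original post and not Microsoft's own code: a pre-flight script to run in an elevated session on each domain controller before deploying the sensor. It checks the advanced audit policy subcategories the sensor reads from, that the host can retrieve the gMSA password, and that the workspace sensor API endpoint is reachable, then performs the documented silent install. The workspace name 'contoso', the installer path and the environment variable holding the access key are assumptions; the gMSA name mdiSvc01 matches the creation script later on this page.

```powershell
# Added example (not from the original post, not Microsoft's code): MDI sensor pre-flight
# checks and silent install on a domain controller.
# Assumptions: gMSA 'mdiSvc01' already exists, workspace name 'contoso', installer extracted
# to C:\Temp, access key supplied via the MDI_ACCESS_KEY environment variable (never hard-code it).
Import-Module ActiveDirectory

$gMSA_AccountName = 'mdiSvc01'
$WorkspaceName    = 'contoso'                                  # assumption
$SensorSetup      = 'C:\Temp\Azure ATP sensor Setup.exe'       # assumption
$AccessKey        = $env:MDI_ACCESS_KEY                        # assumption: set out of band

function Test-MdiAuditPolicy {
    # Advanced Audit Policy subcategories (auditpol names) the sensor depends on and the minimum
    # setting each needs; the Security log events they produce are noted in the comments.
    $required = @{
        'Credential Validation'         = 'Success and Failure'   # 4776 (NTLM authentication)
        'Security Group Management'     = 'Success and Failure'   # 4728/4732/4756 (member added)
        'Distribution Group Management' = 'Success and Failure'
        'Computer Account Management'   = 'Success and Failure'   # 4741/4742/4743
        'User Account Management'       = 'Success and Failure'   # 4720/4726
        'Security System Extension'     = 'Success and Failure'   # 4697 (service installed)
        'Directory Service Changes'     = 'Success and Failure'   # 5136/5141 (needs object SACLs)
        'Directory Service Access'      = 'Success and Failure'   # 4662 (needs object SACLs)
    }
    # /r prints CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,...
    $current = auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    $failures = foreach ($name in $required.Keys) {
        $row = $current | Where-Object { "$($_.Subcategory)".Trim() -eq $name } | Select-Object -First 1
        $actual = if ($row) { "$($row.'Inclusion Setting')".Trim() } else { 'No Auditing' }
        # 'Success and Failure' satisfies every requirement; anything else must match exactly
        if ($actual -ne 'Success and Failure' -and $actual -ne $required[$name]) {
            "[audit] '$name' is '$actual', needs '$($required[$name])'"
        }
    }
    return @($failures)
}

function Test-MdiGmsa {
    # This host must be allowed to retrieve the gMSA password (membership of the hosts group).
    # False right after the group change usually means the DC needs a reboot for a fresh ticket.
    if (-not (Test-ADServiceAccount -Identity $gMSA_AccountName)) {
        "[gmsa] this host cannot retrieve the managed password of $gMSA_AccountName"
    }
}

function Test-MdiConnectivity {
    # The sensor registers with and streams to <workspace>sensorapi.atp.azure.com over TCP 443.
    $endpoint = "${WorkspaceName}sensorapi.atp.azure.com"
    $tnc = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
    if (-not $tnc.TcpTestSucceeded) { "[net] cannot reach ${endpoint}:443 (check proxy/firewall)" }
}

$problems = @(Test-MdiAuditPolicy) + @(Test-MdiGmsa) + @(Test-MdiConnectivity)
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Fix the items above before installing the sensor.'
}
if (-not $AccessKey) { throw 'MDI_ACCESS_KEY is not set.' }

# Documented unattended install syntax; Start-Process passes the quoted arguments through verbatim.
$installArgs = "/quiet NetFrameworkCommandLineArguments=`"/q`" AccessKey=`"$AccessKey`""
Start-Process -FilePath $SensorSetup -ArgumentList $installArgs -Wait

# The installer registers two services; both should reach Running within a few minutes.
Get-Service -Name AATPSensor, AATPSensorUpdater
```

Microsoft also publishes a DefenderForIdentity PowerShell module whose Test-MDIConfiguration and Set-MDIConfiguration cmdlets cover the audit-policy part of this; the hand-rolled check above is useful when you want to see exactly which subcategory is missing before you change anything on a domain controller.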
gMSA:

Alerts & Monitoring:
- Reconnaissance alerts: unusual directory enumeration (for example account, group-membership or network-mapping queries) that typically precedes an attack.
- Compromised credential alerts: account compromise and attempts to obtain credentials, such as brute-force and password-spray attempts against LDAP, Kerberos or SMB.
- Lateral movement alerts: common lateral movement mechanisms, such as pass-the-hash and pass-the-ticket.
- Domain dominance alerts: evidence that a malicious actor has gained privileged access to Active Directory, such as DCSync replication requests, golden ticket usage or a skeleton key.
- Exfiltration alerts: attempts to exfiltrate data from domain controllers or to compromise DNS.

PS script to create the gMSA and grant it the access the sensor needs. Run it in an elevated PowerShell session on the domain controller that will host the sensor. If the final Test-ADServiceAccount returns False, reboot the DC and rerun: the DC's computer account only picks up its new group membership (and with it the right to retrieve the gMSA password) when it gets a fresh Kerberos ticket.
# Set the variables:
# Name of the gMSA that the sensor service will run as
$gMSA_AccountName = 'mdiSvc01'
# Security group whose members (the sensor hosts) may retrieve the gMSA password; can be any name
$gMSA_HostsGroupName = 'mdiSvc01'
# Names of the domain controllers / AD FS servers that will run the sensor
$gMSA_HostNames = 'WIN-TE2RL78F23R'
# Security group that is granted read access to the Deleted Objects container.
# Per Microsoft's guidance, permissions cannot be granted to a gMSA directly with dsacls, so the gMSA
# is added to this group and the group (as NetBIOS domain\name) is used as the identity below.
$gMSA_DeletedObjectsGroupName = 'mdiSvc01-DeletedObjects'
$Identity = 'arnavsharma\' + $gMSA_DeletedObjectsGroupName
# Import the required PowerShell module:
Import-Module ActiveDirectory
# Add a KDS root key if the forest does not have one yet. Back-dating the effective time by 10 hours
# makes it usable immediately (in production, omit -EffectiveTime and wait the default 10 hours so
# every DC has replicated the key).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    Start-Sleep -Seconds 10
}
# Create the hosts group and add the sensor hosts to it
$gMSA_HostsGroup = New-ADGroup -Name $gMSA_HostsGroupName -GroupScope Global -PassThru
$gMSA_HostNames | ForEach-Object { Get-ADComputer -Identity $_ } |
    ForEach-Object { Add-ADGroupMember -Identity $gMSA_HostsGroup -Members $_ }
# Or, use the built-in 'Domain Controllers' group if the environment is a single forest and will
# contain only domain controller sensors:
# $gMSA_HostsGroup = Get-ADGroup -Identity 'Domain Controllers'
# Create the gMSA; only members of the hosts group can retrieve its password
New-ADServiceAccount -Name $gMSA_AccountName -DNSHostName "$gMSA_AccountName.$env:USERDNSDOMAIN" `
    -PrincipalsAllowedToRetrieveManagedPassword $gMSA_HostsGroup
Start-Sleep -Seconds 10
# Create the Deleted Objects group and add the gMSA to it
$gMSA_DeletedObjectsGroup = New-ADGroup -Name $gMSA_DeletedObjectsGroupName -GroupScope Global -PassThru
Add-ADGroupMember -Identity $gMSA_DeletedObjectsGroup -Members (Get-ADServiceAccount -Identity $gMSA_AccountName)
# Get the deleted objects container's distinguished name:
$distinguishedName = ([adsi]'').distinguishedName.Value
$deletedObjectsDN = 'CN=Deleted Objects,{0}' -f $distinguishedName
# Take ownership of the deleted objects container so that its ACL can be edited:
$params = @("$deletedObjectsDN", '/takeOwnership')
C:\Windows\System32\dsacls.exe $params
# Grant the 'List Contents' (LC) and 'Read Property' (RP) permissions to the group:
$params = @("$deletedObjectsDN", '/G', "$($Identity):LCRP")
C:\Windows\System32\dsacls.exe $params
Start-Sleep -Seconds 10
# Install the gMSA on this host and verify that it can retrieve the managed password (expect True)
Install-ADServiceAccount -Identity $gMSA_AccountName
Start-Sleep -Seconds 10
Test-ADServiceAccount -Identity $gMSA_AccountName