Microsoft Defender for Identity Primary Use Case

BK
IT Manager at vTech4U

Our primary use for the solution is for user and entity behavior analytics. 

We use multiple Microsoft security products including Defender for Endpoint and Defender for Cloud.  

We use Defender for Cloud for our Azure VMs, but not for the multi-cloud environment, and we don't make use of its bi-directional sync capabilities.

We have integrated these products, and the integration was straightforward. 

These solutions work natively together to deliver coordinated detection and response across our environment, which is not the case for non-Microsoft tools. 

These multiple Microsoft security products provide comprehensive threat protection. 

Sachin Vinay - PeerSpot reviewer
Network Administrator at Amrita

I work for a university, and we use Defender for Identity for students, faculty members, researchers, etc. It's around 4,000 end-users. We have a completely Azure-based environment, and all of our users have migrated to the cloud. While we still have some on-premise users, we have synced our user base to the Azure Active Directory in the cloud. 

We require identity protection because most cybersecurity cases today involve identity harvesting. Microsoft Defender for Identity proved to be the best solution for providing support for malicious identity-related issues. Our entire cloud setup is protected. 

Dumebi Chukwuemeka - PeerSpot reviewer
Cloud Security Engineer at a non-tech company with 10,001+ employees

Microsoft Defender for Identity is like a personal security guard for our organization's identity. It keeps a close eye on how we use our identities across both on-premises and Azure Active Directory. If there is anything suspicious or unusual happening with our user accounts, it raises the alarm. It is a vital tool for ensuring the safety of our identity in a hybrid setup.

Buyer's Guide
Microsoft Defender for Identity
April 2024
Learn what your peers think about Microsoft Defender for Identity. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
770,292 professionals have used our research since 2012.
Nagendra Nekkala. - PeerSpot reviewer
Senior Manager ICT & Innovations at Bangalore International Airport Limited

We mainly use the solution to ensure our security and to increase our security score. We want to understand the threats or attacks to help prevent them. 

Reynaldo Ruiz Flores - PeerSpot reviewer
Self Employed, Freelance, Consultor, Sales - Learning Time at SpectralByte

Defender for Identity provides intelligent authentication through conditional access policies and monitors user behavior. Defender looks at things like password changes and application use.

Matthew Bouwer - PeerSpot reviewer
Cyber Security Analyst at a tech services company with 1,001-5,000 employees

The use cases are for dealing with situations where a user signs on with MFA from unusual locations or malicious files are detected.

Iñaki Martinez Urricelqui - PeerSpot reviewer
Threat Analysis Technology Risk & Cybersecurity Analyst II at a consultancy with 5,001-10,000 employees

I work for a bank and use it to see if users are doing something illegal or are taking some kind of risk. We receive alerts from it and we follow up on the issues.

EN
Cloud Solutions Architect at a tech services company with 201-500 employees

The use case is securing identity on your on-premises Active Directory.

BS
Lead Security Analyst at a tech vendor with 10,001+ employees

Defender for Identity is mainly a monitoring tool for Active Directory activity. Active Directory logs are fixed into Defender for Identity and it has its own core rules. Based on those rules, it gives us an alert if any suspicious activity is going on in Active Directory.

Many organizations are using the Microsoft Windows operating system. Whenever users log in to their systems, all the login activity, the credentials et cetera, are managed by Active Directory. If suspicious login activity happens in that system, everything is logged and the logs are saved by Defender for Identity. Based on the correlation rules and AI technology, it gives us alerts, such as brute-force and honey-token-related alerts, or login activity after office hours, or successful login after three consecutive login failures.

MK
Cyber Security BA/BSA at an insurance company with 10,001+ employees

We are looking at this solution as a trusted tenant for our network.

This way, all of the data that goes through is trusted and the communication between our on-prem system and the Azure Cloud remains protected. Our only concern is when the data leaves the Azure Cloud and goes to another third-party tenant.

Azure is our trusted tenant — we trust it. We're just concerned about the data when it leaves Azure and goes to another third-party tenant. For example, if you have a SaaS solution, like Salesforce, sometimes they send data to customers. In order to do this, the data has to leave the trusted cloud tenant. 

DS
Enterprise Architect at NTT New Zealand Ltd.

The solution provides alerts when malicious actors are active and that's something most companies are missing. Quite often, malicious actors do reconnaissance for weeks, months, and on their checkout. They get a sense of the whole environment before they execute a ransomware attack. This sensor will alert users if something like that happens and it gives you time to mitigate the issues or block the attacker.

LS
Security specialist at a manufacturing company with 10,001+ employees

Our use case is for the securing of the on-premise Active Directory, but also to correlate the on-premise Active Directory security information with the Defender for Endpoint ADP integration. That's most of my use cases, the protection of online AD, but the additional information that it gives regarding the incidents as they occur and possible lateral escalation of privileges for the workstation are also use cases.

We're using Azure AD in combination with on-premise AD. 

OA
Senior Infrastructure Security Engineer at a tech services company with 51-200 employees

Our use case is endpoint detection and response (EDR). 

You can integrate Microsoft Defender with other solutions. 
