Microsoft Defender for Identity Valuable Features

BK
IT Manager at vTech4U

Almost all the features are valuable. 

The solution offers excellent visibility into threats. 

Defender for Identity helps prioritize threats across our enterprise, which is essential for any identity and access management product. 

The solution's threat intelligence helps us prepare for potential threats and take proactive steps before they hit. We've tested various scenarios over the past months, including our major security concerns, a valuable exercise that helps us to protect our system.   

Sachin Vinay
Network Administrator at Amrita

The best feature is security monitoring, which detects and investigates suspicious user activities. It can easily detect advanced attacks based on the behavior. The credentials are securely stored, so it reduces the risk of compromise. It will monitor user behavior based on artificial intelligence to protect the identities in your organization. It will even help secure the on-premise Active Directory. It syncs from the cloud to on-premise, and on-premise modifications will be reflected in the cloud.

Identity harvesting is the most common threat. Legacy Microsoft solutions and Amazon face the same issues in the cloud. Users don't implement other security mechanisms in the cloud. In an on-premise environment, we would have multiple security devices like firewalls and several layers of security. Cloud users are less bothered because cloud features are there and only need to be configured.

Microsoft Defender for Cloud is the best solution because all threats are completely visible, and it has a great dashboard. The dashboard displays each threat and score, so we can identify the threat rating and act efficiently to avoid compromising user identities.

We have a single sign-on feature on the cloud. If we lose a single set of identities, it can compromise the entire organization, including cloud and on-premise. The same identities are being used everywhere. The user activity has to be completely visible on the dashboard, and it has to generate a pattern. It will notify us if there is any security breach.

It is a complete monitoring set. Minor changes in the user identity can lead to data leakage. If a password is changed in the cloud, it will be reflected automatically in the on-premise. This minor change will trigger an alert in Microsoft Defender for Identity. It ensures that each cloud identity is well protected from spoofing. It has a comprehensive database of well-known spoofing techniques, enabling us to provide cloud identity protection completely. 

It has a vast scope because it is completely single sign-on. In the emerging industry, we use single sign-on because users need to authenticate, but it's challenging to remember multiple passwords. Once your user signs in, you can access all the data. An identity compromise would lead to various issues and affect the data on-premises. Defender maintains a constantly updated database with the latest signatures, attack models, and threats. If it detects one threat, it will monitor the suspicious event and give us frequent alerts.

Identity protection is vital because we use an identity mechanism for everything, including firewall-related activities. The exact identity used in the cloud is used in the most complex firewalls. We require an excellent migration technique to regain this user credential if something gets compromised. Blocking this requires a massive set of procedures. Microsoft Defender comprehensively monitors identity and provides frequent alerts regarding any issue, so we don't need to think of anything else.

Defender's bidirectional sync capabilities are helpful because we need to sync data from multiple directions, including tenant-to-tenant, on-premise-to-cloud, and cloud-to-cloud syncing. As a university, we have multiple tenants, so we need to sync or access data across platforms. That way, everything is more secure, and Microsoft Defender for Cloud also provides ample security for cloud transfers.

The bidirectional sync capabilities are flawless—10 out of 10. Our on-premise Active Directory is perfectly synced with the Azure AD. Everything is synced with on-premise, and changes are reflected in minutes. If a problem with identity is addressed on the cloud, the fix will be mirrored on-premise and vice versa.

Microsoft Defender for Cloud and Identity are bundled. If we have these two solutions, we don't need to worry about anything else or third-party antivirus. Microsoft Defender for Identity acts as a link to all the Microsoft security features that require identity-based validation. Microsoft Defender instantly provides identity security for all our applications, and users need not worry about typing their passwords. Even in situations with less complex encryption mechanisms, users don't need to worry about typing in their passwords. Defender will check and monitor if there are any flaws in that, and it will let us know if there are any issues.

We're a Microsoft shop, so everything works together. If one feature isn't working, everything will be affected. If Defender isn't working, half of our Microsoft security features will be dead. Without identity security, user data can easily be compromised, and data can fall into the hands of intruders or other hackers. The solutions have to complement each other. If anything went wrong, the entire setup would have flaws.

Microsoft security has a legacy security mechanism. A while back, we might have gone with Defender for Endpoint, but Microsoft has also grown into the face of the cloud. The same Defender solution is completely maintaining cloud security. We can imagine Microsoft's vast scale and how Defender can protect the cloud environment from vulnerabilities and attacks. We are definitely delighted with Microsoft products.

The dashboard features are fantastic because it provides a comprehensive overview. It has a great alert mechanism and log inspector that tracks when users access various servers. With this kind of identity validation, we can control which servers the users can access. We have total visibility from the dashboard. We can track identity usage even if there are no issues. That is an essential advantage.

Dumebi Chukwuemeka
Cloud Security Engineer at a non-tech company with 10,001+ employees

Microsoft Defender for Identity provides excellent visibility into threats by leveraging real-time analytics and data intelligence. With features like SecureScore and SecureScan, it offers a holistic view of security across both on-premises and cloud environments. A high SecureScore indicates strong security, while a low score signals potential threats. This makes it easy to detect and address security issues promptly.

Buyer's Guide
Microsoft Defender for Identity
April 2024
Learn what your peers think about Microsoft Defender for Identity. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,578 professionals have used our research since 2012.
Nagendra Nekkala
Senior Manager ICT & Innovations at Bangalore International Airport Limited

It gives us visibility into advanced behavior activities. It’ll show a history of logins or events.

It’s efficient, and it provides all of the investigation reports, which is an advantage for us. It also helps us prioritize threats across the company. It helps us detect the exact timing of incidents, and we’ll see them when they happen. It helps us adhere to our SLAs. We can see threats and if they are of higher or lower severity. We can find the types of malicious events, see what’s happening, see what actions are taken, and understand what is happening.

It integrates with other products, and these solutions work natively together to deliver coordinated detection and response across the environment. These all work through Jira.

The comprehensiveness of the threat protection provided by Microsoft security products is good. It is giving better visibility to us. We can understand what the false positives are. That gives us more confidence in the security posture of the environment.

We use Microsoft Defender for the cloud, and we use its directional sync capabilities. It’s important to be able to see both in and outbound reporting. 

It automates routine testing and helps automate the finding of high-value alerts.

As we define policies and rules, automation makes it easier to do so.

The product helped eliminate having to look at multiple dashboards. It has a free single dashboard for us.

We’ve found that threat intelligence helps us prepare for potential threats before they even hit and we can take preventative steps. That is the beauty of it. It has good threat intelligence within the platform. We can prepare ourselves before we have an issue.

It continues to scan for threats on our devices. We’re always scanning.

We’ve been able to save time on security-related tasks. Right now, we’re saving two to three hours a day.

Microsoft Defender for Identity decreased our time to detect or our time to respond overall.

Matthew Bouwer
Cyber Security Analyst at a tech services company with 1,001-5,000 employees

The most valuable aspect is its connection to Microsoft Sentinel and Defender for Endpoint, and giving exact timelines for incidents and when certain events occurred during an incident. It's good to know when a sign-on occurred, especially if it was outside the usual time, and whether the sign-on was from Australia, because our users don't usually sign on from outside Australia.

And for prioritizing threats, we get alerts that are low or high severity and that tells us what we need to do within our SLA, and what we prioritize in terms of further escalation down the pipeline. We get the alerts in real time, thanks to Sentinel. That's very important because when we get an alert from Sentinel, we can click through on the link to find out what happened, see further details about the user and the malicious event, and what files were there. It has all those details and actions.

Sentinel enables us to ingest data from our client's ecosystem so that all the endpoints and users are in Sentinel. That is critical for operational success. When alerts come in you need all those details. If you don't have those details it's hard to follow up with further investigations and you can't tell whether it was a legitimate threat or not, which isn't good.

And with Sentinel, we have one spot to respond across the board. That's another very important factor because you don't want to spend all your time trying to figure out where the data and information are, which is very difficult to do. Being able to run KQL queries within Sentinel and get the details from Defender for Identity, and the other solutions, is pretty cool.

In addition to Defender for Identity, we use Defender for Endpoint, Defender for Cloud Apps, Sentinel, and Azure ID. They're all integrated because we run it as an MSP for a client and we get their endpoints connected to Azure to get the alerts feed. They all work very well together. It's good to be able to investigate across the different products. They work seamlessly. That integration has been a very important factor, considering that we have a set timeline for alerts. Being able to switch seamlessly from one solution to the other solution to further investigate is very important for the job.

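
The sign-on check the review describes (a sign-on from outside Australia, or outside the user's usual hours) is a single query over SigninLogs in Sentinel. As an added example, not part of the review above, here is the same check written in PowerShell against the Microsoft Graph sign-in log, for a team without Sentinel or for spot checks from a workstation. The expected country code, the business-hours window, the seven-day look-back and the Graph scopes are assumptions for this example.

```powershell
# Added example (not from the review): flag Entra ID sign-ins that came from outside the
# expected country or outside business hours, via the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph.Reports module is installed and the caller can consent to
# AuditLog.Read.All. Country, hours and look-back are assumptions; adjust for your tenant.
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' | Out-Null

$ExpectedCountry = 'AU'   # assumption: all staff normally sign on from Australia
$BusinessStart   = 7      # 07:00 local time
$BusinessEnd     = 19     # 19:00 local time
$Since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Successful sign-ins only (status/errorCode 0). Failures are noisy and belong to the
# password-spray / lockout detections rather than to this "who got in from where" check.
$signIns = Get-MgAuditLogSignIn -All `
    -Filter "createdDateTime ge $Since and status/errorCode eq 0"

$findings = foreach ($s in $signIns) {
    $local   = $s.CreatedDateTime.ToLocalTime()
    $reasons = @()

    if ($s.Location.CountryOrRegion -and $s.Location.CountryOrRegion -ne $ExpectedCountry) {
        $reasons += "country=$($s.Location.CountryOrRegion)"
    }
    if ($local.Hour -lt $BusinessStart -or $local.Hour -ge $BusinessEnd) {
        $reasons += "after-hours=$($local.ToString('ddd HH:mm'))"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            When    = $local
            User    = $s.UserPrincipalName
            App     = $s.AppDisplayName
            IP      = $s.IPAddress
            Country = $s.Location.CountryOrRegion
            Reasons = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object When -Descending | Format-Table -AutoSize
```

The country field comes from Microsoft's IP geolocation and is empty for some sign-ins (for example from a VPN egress Microsoft cannot place), which is why the check only fires when a country is present and differs; treat a blank country as "unknown", not as safe. A sign-on that trips both conditions at once is the one to look at first.
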
Iñaki Martinez Urricelqui
Threat Analysis Technology Risk & Cybersecurity Analyst II at a consultancy with 5,001-10,000 employees

You can block users very easily, with just one click. And the information about the tokens is useful.

EN
Cloud Solutions Architect at a tech services company with 201-500 employees

The feature I like the most about Defender for Identity is the entity tags. They give you the ability to identify sensitive accounts, devices, and groups. You also have honeytoken entities, which are devices that are identified as "bait" for fraudulent actors. Once these devices have been tagged, they give you alerts about when a malicious actor tries to explore the vulnerability that you created. You can monitor what the attacker is going after. Entity tagging is a big win for Defender for Identity.

There is a connection between the cloud, Defender for Endpoint, and Defender for Cloud Apps, in addition to Defender for Identity, so that you get feedback about activity on the cloud regarding a user if he tries to move laterally in the on-premises Active Directory.

It gives you visibility into threats. On the cloud, you already have Azure AD Identity Protection to secure your cloud identity. But the security of Defender for Endpoints requires certain protections for your on-premises identity. It's helpful for organizations that have quite a few on-premises entities. There aren't a lot of organizations like that now, as quite a few have already moved to the cloud, but those that are still on-prem need that security.

We also use Microsoft Defender for Endpoint and Intune. The beauty of Microsoft is that, with just a few clicks, it integrates all the security features. Signals from Defender for Identity can move to Defender for Endpoint, Defender for Cloud Apps, and Intune. That ensures that it eliminates false positives and gives you a comprehensive overview, like a map, of what a malicious actor has done. It tells you how a user moved from this device to that device, which is very good.

When it comes to comprehensiveness, Microsoft has done a good job of making Defender for Identity pretty straightforward and easy to use. There are detection rules that help you identify potential attacks. Your role, as a security professional using Defender for Identity, is basically to monitor and implement a few configurations, after the initial deployment.

Defender for Identity is automated, in that you can specify specific alerts or incidents to defend against.

Defender for Identity, Defender for Endpoints, Defender for Office 365, and Defender for Cloud Apps all point to the Microsoft Defender Security Center. That gives you a one-stop-shop dashboard where you can see the activity for these four solutions.

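
The honeytoken idea in the review above is only as good as the decoy: it has to look worth stealing, and it must never be used legitimately, so that any authentication against it is a signal. As an added example that is not part of the review, here is one way to stand up such a decoy user in on-premises Active Directory with PowerShell. Tagging the account as a honeytoken is done afterwards in the Microsoft Defender portal (Settings > Identities > Entity tags > Honeytoken); there is no cmdlet for that step. The account name, OU, description, SPN and UPN suffix are assumptions for this example.

```powershell
# Added example (not from the review): create a decoy ("honeytoken") account in AD.
# Assumes the ActiveDirectory module and rights to create users in the target OU.
# All names below are assumptions chosen to look like a neglected service account.
Import-Module ActiveDirectory

$Name = 'svc-backup-admin'
$OU   = 'OU=Service Accounts,DC=corp,DC=example'

# A long random password that is never recorded anywhere an attacker could read it.
# The account is bait; nobody, including us, needs to log on with it.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

New-ADUser -Name $Name -SamAccountName $Name -UserPrincipalName "$Name@corp.example" `
    -Path $OU -AccountPassword $password -Enabled $true -PasswordNeverExpires $true `
    -Description 'Legacy backup service account - do not remove' `
    -OtherAttributes @{ info = 'Owner: infrastructure team (legacy)' }

# Make it attractive without granting any real privilege: a Kerberos SPN makes the account
# show up when an attacker enumerates "roastable" accounts, and a TGS request for it is
# itself suspicious. The 32-byte random password means the ticket will never crack.
# The decoy is a member of nothing beyond Domain Users.
Set-ADUser -Identity $Name -ServicePrincipalNames @{ Add = 'MSSQLSvc/bkp-sql01.corp.example:1433' }

# Baseline check, to be repeated on a schedule: a decoy must never have logged on and must
# never gain group memberships. Anything other than an empty LastLogonDate/MemberOf here
# deserves the same attention as the MDI honeytoken alert.
Get-ADUser -Identity $Name -Properties LastLogonDate, BadPwdCount, MemberOf, ServicePrincipalNames |
    Select-Object SamAccountName, Enabled, LastLogonDate, BadPwdCount, MemberOf, ServicePrincipalNames
```

Keep the decoy out of any automation (backup jobs, vulnerability scanners doing credentialed scans, password-rotation scripts) or the alert will fire on your own tooling and be tuned out.
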
BS
Lead Security Analyst at a tech vendor with 10,001+ employees

The feature I like most is that you can create your own customized detection rules. It has a lot of default alerts and rules, but you can customize them according to your business needs. For example, we have a prevention mechanism through a policy where, if anyone tries to access something and gives the wrong credentials three times, that account will automatically be deactivated for the next half hour.

Also, you can integrate Defender for Identity with any SIEM platform, like Splunk, QRadar, and all top SIEMs, and create your own dashboards and reports to identify any suspicious activity. It's also very user-friendly, UI-wise. Anyone can understand it. We integrated it with Splunk, which is a big analytics tool.

Visibility-wise, it's also quite useful. And if you want to enhance something based on your requirements, you can raise a ticket with the Microsoft team and they will review and implement it. That flexibility makes Microsoft very helpful to its clients.

In addition, there is only one dashboard where we get the alerts. They come in as low, medium, or high priority.

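
The lockout the reviewer describes (three wrong passwords, then the account is unusable for half an hour) is, in on-premises Active Directory, a password-policy setting rather than a detection rule. As an added example that is not part of the review, here it is expressed as the AD-native policy, first on the domain default and then as a fine-grained policy that applies the strict threshold only to privileged groups. The domain name, policy name and group list are assumptions.

```powershell
# Added example (not from the review): three bad passwords -> 30-minute lockout, set as an
# AD password policy. Assumes the ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

# Domain-wide default, matching the reviewer's description.
# The observation window must be <= the lockout duration.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -LockoutThreshold 3 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Verify what actually applied.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Caveat: a threshold of 3 domain-wide hands a password-spray attacker a denial of service,
# since three guesses per user lock out the whole company. A fine-grained policy (PSO) keeps
# the tight threshold on the accounts that matter while the domain default can be relaxed
# (for example to 10). Lower Precedence wins when several PSOs apply to one account.
$psoName = 'PSO-PrivilegedLockout'   # assumption
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -LockoutThreshold 3 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins', 'Enterprise Admins'

# Who is locked out right now. Cross-check against MDI's alerts: a burst of lockouts across
# many users points at a spray, a single admin account at a targeted guess.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate, LockedOut
```
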
MK
Cyber Security BA/BSA at an insurance company with 10,001+ employees

We like the Active Directory Federation feature. We use it a lot with the Microsoft Azure Cloud.

DS
Enterprise Architect at NTT New Zealand Ltd.

The feature that I most like is that it integrates with the other Defender components. Defender Identity is part of Microsoft 365, and there is Defender for Office 365, Defender for endpoints, and cloud edge security. These tools integrate really well together. The integration with the other tools makes it a comprehensive tool that I would recommend to any company.

It measures your identity security. For example, let's say a lot of companies don't have a proper decommissioning process for global admins or domain admins. And so, when an administrator who has built many privileges leaves the company, the account gets disabled and it still has members of domain admin groups or sensitive groups. This will highlight them and alert users to say, in a sense, "hey, these user accounts have sensitive privileges, but haven't been used for a long period of time". The few times I've created this report and showed this to customers, they're shocked due to the fact that it's an easy entry for malicious actors that they weren't aware of. That's one of the cool features.

Defender for Identity has not affected the end-user experience.

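
The report the reviewer describes, disabled or long-unused accounts that are still members of sensitive groups, can also be produced directly from Active Directory, which is useful both to validate what MDI shows and to run in domains where MDI is not yet deployed. This is an added example, not part of the review; the list of sensitive groups, the 90-day staleness threshold and the one-year password age are assumptions.

```powershell
# Added example (not from the review): find "privileged but forgotten" accounts, i.e.
# members of sensitive AD groups that are disabled, have not logged on recently, or have
# a very old password. Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$SensitiveGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Administrators', 'Account Operators', 'Backup Operators'   # assumption
$StaleAfterDays  = 90                                                          # assumption
$cutoff          = (Get-Date).AddDays(-$StaleAfterDays)
$oldPassword     = (Get-Date).AddYears(-1)

$report = foreach ($g in $SensitiveGroups) {
    # -Recursive expands nested groups, so an account that inherits the privilege through
    # several levels of nesting is still caught. Only user objects are of interest here.
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
               Where-Object objectClass -eq 'user'

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName `
                        -Properties Enabled, LastLogonDate, PasswordLastSet, AdminCount
        $flags = @()
        if (-not $u.Enabled) { $flags += 'disabled' }
        if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) {
            $flags += "no logon since $($u.LastLogonDate)"
        }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $oldPassword) {
            $flags += 'password older than 1 year'
        }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Group           = $g
                Account         = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                Findings        = ($flags -join '; ')
            }
        }
    }
}

$report | Sort-Object Group, Account | Format-Table -AutoSize
```

Two caveats when reading the output. LastLogonDate is the replicated lastLogonTimestamp attribute and is only accurate to roughly 14 days; for a precise last logon you must query every domain controller's non-replicated lastLogon. And a disabled account in Domain Admins is not harmless: re-enabling it is a one-line change for anyone who gets Account Operator-level access, so the fix is to remove the membership (Remove-ADGroupMember), not just to leave it disabled.
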
LS
Security specialist at a manufacturing company with 10,001+ employees

The basic security monitoring at its core feature is the most valuable aspect. But also the investigative parts, the historical logging of events over the network are extremely interesting because it gives an in-depth insight into the history of account activity that is really easy to read, easy to follow, and easy to export.

It's provided a simple identification of issues of account abuse. It showed some configuration mistakes. One of the features that it also has is privilege escalation. So it has a feature where you can look into lateral movement parts, and it has a great graphing feature that shows you what kind of lateral movement risks are associated with certain accounts.

Integrating with the Microsoft Cloud Application Security, you get a tab called Identity Security Posture, where it provides a list of best practices, improvements, things that it has found based on the actual data that it received. One of the things that was interesting, is that two to three months ago, Microsoft had a massive issue with their print spoolers and suddenly the advice came worldwide. The first thing you did was disable the print spooler on the domain controllers. This has always been a best practice for Microsoft services, just never clearly communicated. But this feature, this best practice was already clearly visible within the Identity Security Posture from MDI. So we already mitigated this weakness because of the recommendations that the application gave.

It displays, for instance, clear-text credential exposure. One of the things that you have a lot within enterprise applications is that a lot of third-party applications communicate via LDAP to Active Directory. Currently one of the weak points there is that the typical LDAP communication is communicating over LDAP and not over LDAP secure. So it's unencrypted, which means that you get plain text passwords over your networks. And this MDI is able to identify those applications as well and say that the endpoints communicating with MDI need to be secure. They should be secured.

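
Two of the posture items in the review above, the print spooler running on domain controllers and applications binding to LDAP without signing or over clear text, can be acted on from PowerShell once MDI has pointed them out. The following is an added example, not part of the review: it disables the spooler on every DC, then turns on the LDAP interface diagnostics that make each DC log event 2889 for every unsigned or clear-text bind, and summarises the results by client and account. It assumes the ActiveDirectory module, WinRM access and administrator rights on the DCs; the one-day collection window is an assumption.

```powershell
# Added example (not from the review): (1) stop and disable Print Spooler on all DCs,
# (2) inventory clients that still perform unsigned or clear-text LDAP binds.
# Assumes the ActiveDirectory module, WinRM to every DC, and Domain Admin rights.
Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

# (1) A domain controller has no business running the spooler.
Invoke-Command -ComputerName $dcs -ScriptBlock {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($svc) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
        Set-Service -Name Spooler -StartupType Disabled
        $svc = Get-Service -Name Spooler
    }
    [pscustomobject]@{ DC = $env:COMPUTERNAME; Status = $svc.Status; StartType = $svc.StartType }
} | Format-Table -AutoSize

# (2) With "16 LDAP Interface Events" = 2, each DC logs event 2889 for every client that
# binds without signing (SASL) or does a simple bind on a non-TLS connection, which is the
# plain-text-password case the review describes. Level 2 is chatty: set it back to 0
# once the inventory is complete.
Invoke-Command -ComputerName $dcs -ScriptBlock {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

# Wait long enough for every application to bind (include a month-end if batch jobs do),
# then collect. One day here is an assumption.
$binds = Invoke-Command -ComputerName $dcs -ScriptBlock {
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-1)
    } | ForEach-Object {
        # Parse the three fields out of the message text rather than trusting property order.
        if ($_.Message -match 'Client IP address:\s*(?<ip>\S+)\s*Identity the client attempted to authenticate as:\s*(?<id>.+?)\s*Binding Type:\s*(?<type>\d)') {
            [pscustomobject]@{
                DC       = $env:COMPUTERNAME
                ClientIP = ($Matches.ip -split ':')[0]        # drop the source port
                Identity = $Matches.id.Trim()
                # 0 = SASL bind without signing, 1 = simple bind over clear text
                BindType = if ($Matches.type -eq '1') { 'simple/clear-text' } else { 'SASL unsigned' }
            }
        }
    }
}

$binds | Group-Object ClientIP, Identity, BindType |
    Select-Object Count,
        @{ n = 'ClientIP'; e = { $_.Group[0].ClientIP } },
        @{ n = 'Identity'; e = { $_.Group[0].Identity } },
        @{ n = 'BindType'; e = { $_.Group[0].BindType } } |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

The simple/clear-text rows are the ones sending passwords in the clear; fix each application to use LDAPS (636) or StartTLS, or at least SASL with signing, before you enforce LDAP signing and channel binding on the DCs, otherwise those applications stop working the day enforcement goes on.
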
OA
Senior Infrastructure Security Engineer at a tech services company with 51-200 employees

The most valuable features are ETL, lab, and monitoring.
