Microsoft Defender for Identity offers real-time threat detection and protection for hybrid Active Directory environments. It integrates with Microsoft 365 components for seamless security and monitors advanced behaviors, enhancing identity protection across cloud and on-premises environments.
| Product | Mindshare (%) |
|---|---|
| Microsoft Defender for Identity | 8.9% |
| CrowdStrike Falcon | 12.2% |
| Huntress Managed ITDR | 6.3% |
| Other | 72.6% |
| Type | Title | Date | |
|---|---|---|---|
| Category | Identity Threat Detection and Response (ITDR) | Jun 21, 2026 | Download |
| Product | Reviews, tips, and advice from real users | Jun 21, 2026 | Download |
| Comparison | Microsoft Defender for Identity vs CrowdStrike Falcon | Jun 21, 2026 | Download |
| Comparison | Microsoft Defender for Identity vs Microsoft Entra ID Protection | Jun 21, 2026 | Download |
| Comparison | Microsoft Defender for Identity vs Huntress Managed ITDR | Jun 21, 2026 | Download |
| Title | Rating | Mindshare | Recommending | |
|---|---|---|---|---|
| CrowdStrike Falcon | 4.3 | 12.2% | 97% | 140 interviewsAdd to research |
| Microsoft Intune | 4.1 | N/A | 95% | 378 interviewsAdd to research |
| Company Size | Count |
|---|---|
| Small Business | 7 |
| Midsize Enterprise | 3 |
| Large Enterprise | 15 |
| Company Size | Count |
|---|---|
| Small Business | 303 |
| Midsize Enterprise | 129 |
| Large Enterprise | 431 |
Microsoft Defender for Identity provides detailed threat insights and user behavior analytics to detect unauthorized access and notify anomalies. It allows setting custom detection rules, enhancing threat response automation. While it needs improvements in cloud security, SIEM integration, and access controls, users leverage its ability to mitigate identity threats like suspicious logins and ransomware. Enhanced integration with Microsoft security products ensures a coordinated threat response for identity control and privilege management.
What are the key features of Microsoft Defender for Identity?In specific industries, organizations implement Microsoft Defender for Identity to secure on-premises and hybrid Active Directory environments through user and entity behavior analytics, malicious activity detection, and integration with Microsoft security tools. This approach enhances security posture assessment and helps mitigate identity threats like identity harvesting and unauthorized access.
Microsoft Defender for Identity was previously known as Azure Advanced Threat Protection, Azure ATP, MS Defender for Identity.
Microsoft Defender for Identity is trusted by companies such as St. Luke’s University Health Network, Ansell, and more.
| Author info | Rating | Review Summary |
|---|---|---|
| Security Engineer at Fidelity Bank Plc | 4.0 | I've used Microsoft Defender for Identity in a hybrid setup with Azure AD for over five years; it's effective but costly, has occasional latency, limited third-party integration, and setup requires ongoing optimization despite responsive technical support. |
| Technology Coordinator at a educational organization with 501-1,000 employees | 4.0 | I've used Microsoft Defender for Identity for years; it saves me time, improves threat visibility, and supports faster responses, though I don’t use it much lately. It's stable, effective, and customer support has been knowledgeable and efficient. |
| Manager, Collaboration Bds at C3ntro | 5.0 | I've used Microsoft Defender for Identity for four years; it's stable, helps secure data, and fits our financial clients well. While not time- or cost-saving for me, it's essential to our enterprise security services. |
| Cloud Security & Governance at a financial services firm with 10,001+ employees | 4.0 | We use Microsoft Defender for Identity to protect our on-premises and hybrid Active Directory, focusing on advanced threat detection and security posture assessment. Despite its strengths, reducing alert fatigue remains necessary as we enhance integration with Azure AD. |
| Deputy Manager at Servion Global Solutions | 5.0 | I’ve used Microsoft Defender for Identity for over four years, and it’s stable, scalable, and effective with valuable threat analytics and reporting. Setup was smooth with support from Microsoft's fast track team, and I have no complaints. |
| CyberSecurity Engineer | Information Security Management at Self Employed | 5.0 | I find Microsoft Defender for Identity valuable for its conditional access and role-based permissions. It saves time but could improve in automation for impossible travel detection, particularly with VPNs, to reduce unnecessary disruptions and enhance security. |
| Instrumentation Engineer at Toyo Engineering Corp | 4.0 | We're testing Microsoft Defender for Identity, which auto-remediates incidents, saving investigation time and offering preemptive security. It identifies and mitigates threats from different IPs efficiently. We're in the initial phase, using it alongside Microsoft Azure. |
| Principle Architect at LiveRoute | 4.0 | I've used Microsoft Defender for Identity for three years and find it essential for deep analytics in hybrid environments, though setup is manual and time-consuming. Its integration, scalability, and reporting are impressive, and I recommend it frequently. |
| CTO at a tech vendor with 10,001+ employees | 4.0 | I use Microsoft Defender for Identity as part of the Defender suite to manage identities. Its seamless integration with other tools is valuable, though it’s expensive with Sentinel and could improve integration with non-Microsoft systems. No ROI seen yet. |
| Information Technology Security Manager at a security firm with 51-200 employees | 4.5 | We use Microsoft Defender for Identity to manage organizational privileges and enhance security, appreciating its automatic remedies and threat visibility, especially with Sentinel. While its features are valuable, better documentation for technical users is needed for optimal application. |
I've used Microsoft Defender for Identity primarily for provisioning users on Azure AD and Microsoft authentication. For hybrid scenarios, I integrate on-premises AD to Azure AD.
We use AD Connect to sync on-premises AD to Azure AD, and so far, it has been effective. I think it's fine and don't have any issues.
The only challenge I have with Microsoft Defender for Identity is the latency. I may not put that entirely on Microsoft, because latency could be network related. At times when trying to authenticate, the prompt is delayed.
We tried implementing passwordless authentication, especially for on-premises workloads, but we haven't been able to achieve that. Passwordless authentication is part of the identity functionalities, particularly when it comes to enforcing passwordless for on-premises workloads.
In terms of improvements, you can't create OUs on Azure AD. Regarding giving users privileges on what they can do across different OUs, I haven't seen that feature on Microsoft Defender for Identity.
Microsoft Defender for Identity needs to be able to plug into third-party applications that are not Microsoft. For instance, with a human resource application used to manage users and leave requests, when staff leaves the organization, they are first exited from that application before AD. Integration between Azure AD and third-party applications would allow automatic syncing when removing staff.
The initial setup of Microsoft Defender for Identity is not hard. However, setup is one thing, and getting value from the application end-to-end is another. It can be set up and running from the first day but not functioning optimally. Initially, when we did the setup, it wasn't optimal. Over time, with continuous improvement, which we're still doing, we've gotten to a comfortable level, but there's still room for improvement.
I have been using Microsoft Defender for Identity for over five years.
Technical support from Microsoft rates an eight on a scale of 1 to 10 for response time. When opening a ticket with Microsoft, problems are rarely fixed immediately. The process involves going back and forth, checking logs, and continuous analysis. They respond and react to needs, but fixing issues isn't what I would expect. For fixing, I would rate them five. For response, I would rate them eight. Fixing the solution isn't very seamless.
Positive
I don't use the threat hunting feature in Microsoft Defender for Identity.
My experience with the pricing of Microsoft Defender for Identity is that it's very expensive. The cost is particularly high due to currency conversion from Naira to dollars. The cost of renewal is really on the high side because of the FX conversion, which unfortunately isn't favorable for my country as the Naira has highly depreciated against the dollar. Microsoft should reduce their pricing to make it more accommodating.
The deployment model I am using for Microsoft Defender for Identity is cloud. We are running hybrid with on-premises AD and Azure AD.
I rate Microsoft Defender for Identity an eight out of ten.
My main use cases for Microsoft Defender for Identity include Conditional Access, checking risky users, remediating risky users, and user sign-ins. I can easily remediate or determine what the user is trying to log in for or not trying to log in for.
My impression of the visibility into threats that Microsoft Defender for Identity provides is good. It works.
The feature I value most about Microsoft Defender for Identity is the ability to see where people are attempting to log in from.
Microsoft Defender for Identity helps me automate routine tasks and find alerts that I set up to receive, so it helps me get where I'm trying to go easier and faster. I can see where everything is at.
Microsoft Defender for Identity helps me prioritize important tasks.
If I get an alert for a user who downloaded an application that is not sanctioned, I normally go straight to that user's computer device to find the device name and the user. Now I can get to them much faster.
Microsoft Defender for Identity saves me time overall.
I can quantify the time saved by Microsoft Defender for Identity as maybe 25 minutes, or if expressed as a percentage, maybe 20 to 25%. Some of the learning curve and actually learning what these products do takes time to figure out.
Microsoft Defender for Identity definitely helps decrease the time of detection and response.
I really would have to sit down to think about how Microsoft Defender for Identity can be improved. I didn't take stock in what needs to be improved because I appreciated having the tools right there when I needed them, so I didn't really think about what else it needs.
I have been using Microsoft Defender for Identity for maybe three or four years.
I did not have any downtime or crashes with Microsoft Defender for Identity. I had one of my sensors down, but it did not cause any major downtime.
We are considering another solution at this time, some XDR, as part of our efforts to broaden our security with Microsoft Defender for Identity and another solution.
I did use customer support for Microsoft Defender for Identity.
My experience with customer support is that they get right to the point. The people I normally use for support are very knowledgeable, especially when they help remote in and get to where I need to go and show me much faster and help me understand what I should be doing.
Positive
We chose the Microsoft solution at the beginning because we already had the product.
Since we already had everything, we just decided to invest more in tweaking it out and setting it up properly. A few of our third-party engineers told us that Microsoft Defender for Identity has been enhanced and has been working well, so we decided to beef it up and see what happens.
I can't say that I've seen a return on investment since we have Microsoft Defender for Identity because we also have another security solution in place. Between those two, we've never had a breach that we've known of.
I don't deal with the pricing, setup cost, and licensing of Microsoft Defender for Identity.
I don't really use Microsoft Defender for Identity a lot because my new role doesn't allow me to take time to do so. I don't really use the threat intelligence feature of Microsoft Defender for Identity. I would rate this product an 8.
Microsoft Defender for Identity is very useful in the financial industry. Most of our clients are banks. It is very easy to sell and most of our consultants have the certifications and knowledge to deploy a very good project.
Microsoft Defender for Identity helps me prioritize threats and identify the more important ones.
In the security portfolio that we manage, Microsoft Defender for Identity is very important because it is the professional service that we sell the most.
We connect the logs that Microsoft Defender for Identity allows to our SOC so we can see all the features that the logs provide for clients. We also sell managed services of a SOC.
Microsoft Defender for Identity does not save me time, but I think it is the way that I secure the data.
It does not save me money either.
I have experience with Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for IoT, including Microsoft Defender External Attack Surface Management.
We use Microsoft Defender for Identity with our EMS E5 license which comes with all these components.
We have been using Microsoft Defender for Identity for more than four years.
We are an end user and customer for them.
It is part of the product itself. It is bundled and the product we use internally is completely based on Microsoft solutions for managing a single identity.
We use the comprehensive reporting and intelligent threat analytics features.
Based on the detection of incidents, we can prevent issues, and if there are any identity-related alerts, they are prevented through a conditional access policy.
I do not see anything regarding the best features of Microsoft Defender for Identity that needs improvement.
We have not received such requirements. The out-of-the-box features are fulfilling the solutions we require.
Currently, I do not see anything to improve in Microsoft Defender for Identity.
I currently do not have anything in mind regarding design, setup, or pricing.
I think we can cover the third-party identity to be managed through an identity.
We have been using Microsoft Defender for Identity for more than four years.
We did not see any challenges, and Microsoft has a separate fast track team. When we onboard any new solution, a fast track team is assigned from their side to roll out the solutions. This was done a couple of years back. The Microsoft fast track team handled the implementation.
We do not see any issues with the stability of Microsoft Defender for Identity. I can say it is 100% stable.
We do not see any issues with the scalability of Microsoft Defender for Identity.
Technical support with respect to the identity product can be rated as nine because we have not faced many issues with respect to identity with Microsoft.
Positive
We did not use any solution before Microsoft Defender for Identity.
We have a hybrid setup.
The Microsoft fast track team was engaged to configure this solution.
We did not evaluate other options before choosing Microsoft Defender for Identity.
My company name is Servion Global Solutions, and my email address is loganathan@servion.com. I rate Microsoft Defender for Identity a 10 out of 10.
The main use cases for Microsoft Defender for Identity involve working with security and signing risk aspects. I work with conditional access, though I have not implemented this task yet.
I find the most valuable features in Microsoft Defender for Identity to be the conditional access and the rule-based access control to give users their actual role-based permission to work.
Microsoft security solutions have saved me time, which is why they call it Microsoft solution.
In Microsoft Defender for Identity, I would appreciate improvements in providing information on conditional access. They have added more control that can be put in place, which was not present years ago. They have also integrated Azure Information Protection where policies can be configured.
The Self-Service Password Reset (SSPR) allows users to reset their passwords, which is a valuable tool for remote workers. They have added more features into conditional access that integrate with other components, including SSPR and Identity Information Protection, trusted IPs, and locations. These configurations in trusted IP addresses are integrated into conditional access and control the applications I want to secure.
Regarding impossible travel scenarios, I can either block the user or grant access while requesting multi-factor authentication. They should improve the automation for impossible travel detection. When connected to Wi-Fi and then to VPN, the system sometimes interprets the IP address change as impossible travel. If Microsoft could develop a feature that indicates when impossible travel is caused by VPN connections, it would prevent unnecessary password resets and session disruptions, especially for VIP users in organizations.
My experience with the pricing, setup costs, and licensing for Microsoft Defender for Identity is that the pricing is acceptable. If they can reduce the costs, organizations will be happy, and it will compensate for using the Azure environment, which is more expensive on the infrastructure as a service side. This would be beneficial if the price for the SaaS environment and platform as a service resources were reduced.
When features are configured in Microsoft Defender for Identity, impossible travels are detected when IP addresses show unexpected locations. User verification is required to determine if it is a false positive or a security threat.
Microsoft Defender for Identity provides a dashboard for threat visibility, allowing users to see and analyze all threats before responding. The dashboard and granular access help prioritize threats across the enterprise environment, particularly for critical systems or users.
The solution automates routine tasks and helps find high-value alerts by showing user location, attacker IP address, attack timelines, and attack type information. The threat intelligence helps prepare for potential threats proactively by sharing information from other organizations' experiences.
I recommend Microsoft Defender for Identity because it is easy to implement. The solution offers different types of license options that can reduce organizational spending. There are numerous engineers supporting it, and free learning materials are available on the Microsoft knowledge-based portal.
The migration from Google platform to Microsoft 365 was seamless in integration. On a scale of 1 to 10, I rate Microsoft Defender for Identity a 10.
We have deployed Microsoft Defender for Identity logs in our Sentinel. If there is a suspicious sign in, a wrong password, and if the MFA is not satisfied, the trigger gets alerted, and the user will be identified as a risky user. It will prompt the user to change the password. Auto remediation is enabled in Microsoft Defender for Identity, helping in identifying if the user identity is genuine.
Threats to the organization are mitigated instantly. If a user logs from a different IP or Tor Browser, we get notified, block that account, deactivate the user, and request a password change. We have the information about the risky users signed in from non-available IPs or locations displayed on our dashboard using Microsoft Defender for Identity.
We receive an advance report of risky users, allowing us to take preemptive action before an attack causes damage to organization details. This proactive measure offers an advanced security operation.
Neutral
I am not aware of the specific budget or costs related to pricing.
We are connecting different Microsoft connectors to our cloud, including Microsoft Defender for Identity and Microsoft Defender for Endpoint.
Currently, it is fully established as it is being used full-fledged in various use cases. The UI is easy to access and provides a comprehensive understanding.
On a scale of one to ten, this solution receives a rating of eight.
My personal use case for Microsoft Defender for Identity is that it is amazing. It provides very good and deep analytics about whatever is happening in the on-premises Active Directory. The sensors are very lightweight. It is used in almost every deployment that we are doing for Azure or virtual machines on Azure or even migration of M365 Modern Workplace. We always include Microsoft Defender for Identity for all customers, whether for on-premises or infrastructure as a service.
The most valuable features of Microsoft Defender for Identity are the simulations. Whenever something happens, it provides complete step-by-step process details, including the hierarchy, how it happens in the environment, and the lateral movement, which is amazing.
The main benefits Microsoft Defender for Identity provides to users are comprehensive insights. When customers have Azure AD, they have all the insights by default, using Azure Monitor sign-in logs and everything. However, when they have on-premises Active Directory, they typically have no visibility into user lockouts, wrong attempt patterns, and other issues. Microsoft Defender for Identity fills this gap by providing deep insights for hybrid users in the on-premises Active Directory.
The integration of Microsoft Defender for Identity with MS 365 is exceptional. While we have not tested it along with Sentinel, the security.microsoft.com site provides valuable insights through the portal. The integration process is simple and straightforward.
The reporting and intelligent threat analytics provided by Microsoft Defender for Identity are effective and comprehensive.
Microsoft can improve Microsoft Defender for Identity by ensuring that installation prerequisites are included in the setup process. Installing the solution presents challenges as numerous logs and events must be enabled manually on all domain controllers. These manual processes should be integrated into the setup.
The configuration process is time-consuming, with installation taking two minutes but prerequisites requiring two hours.
Additionally, the prerequisites PowerShell script from Microsoft that must be run before installing the sensor should be integrated into the setup. Currently, users must download this script from the internet to determine sizing and compatibility requirements. The setup should automatically indicate whether a server is compatible or meets minimum requirements without requiring external tools.
I have been working with Microsoft Defender for Identity for almost three years now.
I do not have any experience with capabilities to detect insider threats.
For stability, Microsoft Defender for Identity rates as an eight out of ten.
Microsoft Defender for Identity is very lightweight and can accommodate as many instances as needed, earning a ten out of ten for scalability.
The main complexity with support is that products from Microsoft should be thoroughly tested from all possible scenarios from an end user perspective. As a system architect or system admin, it should be possible to tell customers about the product's capabilities and quick installation time without having to explain the lengthy prerequisites process.
Positive
Microsoft Defender for Identity can be compared with Quest's Active Administrator, which is popular for handling similar functions. While it tracks all environmental changes, it is not GUI based. ManageEngine's Active Directory Auditor is another good solution that monitors all attempts, logs, and movements, though its agent is not lightweight.
I am satisfied with Microsoft Defender for Identity's functionality.
We have deployed Microsoft Defender for Identity in both on-premises and hybrid models. We have implemented it on-premises as well as with additional domain controllers on Azure and AWS. For customers with multiple domain controllers across different multi-cloud environments, we deploy Microsoft Defender for Identity everywhere.
Technical support from Microsoft rates as a seven out of ten.
The pricing for Microsoft Defender for Identity is reasonable, especially since the majority of our customers are government and semi-government entities with E5 or E3 access.
I would give Microsoft Defender for Identity a final rating of eight out of ten.
I would recommend Microsoft Defender for Identity to other users. In fact, I implement it in 90% of my projects, which amounts to 40 or 50 projects annually.
Microsoft Defender for Identity is used as part of an overall Microsoft Defender security suite. I use it to manage identities, both on-premises and in the cloud, in conjunction with an identity and access management tool, such as SailPoint or Guaranty.
The integration into the Microsoft Defender ecosystem is the most valuable feature of Microsoft Defender for Identity. It fits very nicely with all the other Defender tools, allowing for excellent collaboration among them. It also fits seamlessly into Microsoft Sentinel SIEM. Furthermore, Microsoft security solutions can save time as they allow the automation of numerous functionalities, and the reporting inside the Microsoft ecosystem is commendable.
The areas of Microsoft Defender for Identity that can be improved include its cost, which is quite expensive when integrated into Sentinel. Additionally, there is room for improvement in its integration with non-Microsoft applications and systems.
I have four years of experience working with Microsoft Defender for Identity.
I find Microsoft Defender for Identity to be a stable solution.
Microsoft Defender for Identity is a scalable solution.
The quality of customer service and technical support received from Microsoft is a seven out of ten.
Neutral
I have not seen a return on investment (ROI) from this tool.
As for pricing, the Microsoft Defender Suite is quite expensive, especially when integrated into Sentinel.
I must emphasize that the information provided is my personal opinion and not an official stance from my company. If anonymity is desired, it is essential to request that the company name remain anonymous. Overall, I rate Microsoft Defender for Identity an eight out of ten.
The primary use case for Microsoft Defender for Identity is to maintain control and privilege inside our organization and revoke rights when they are not needed. The solution is used to keep our organization relatively safe and is utilized extensively across its features available in E3 and E5.
The most valuable features of Microsoft Defender for Identity include its automatic remedies, possibilities for avoiding incidents, the privilege manager, and the generation of logs that facilitate a safer environment. It provides real issues directly to us without fake alerts. The visibility into threats is very good, especially with add-ons like Sentinel.
There is room for improvement in delivering knowledge to technical users, especially regarding what we can gain from the solution and how to apply it. The documentation provided by Microsoft is often seen as a waste of time. We had no specific complaints about technical support, as it was rarely used due to the availability of materials online.
I think the product is overall very stable.
I think the product is very scalable.
We rarely use technical support, and I have not formed an opinion about it. We rely on online resources available for support.
Positive
The initial setup was straightforward.
I would rate Microsoft Defender for Identity at nine out of ten. Although I could not provide a specific reason for not giving it a ten, the overall issues with Microsoft documentation and technical support are considerations. As of now, there are no suggestions for improvements because sometimes the ideas with the product surprise me.
