Principal Architect at LiveRoute
MSP
Top 20
Empowered with comprehensive insights for hybrid environments by seamlessly bridging knowledge gaps

What is our primary use case?

My personal use case for Microsoft Defender for Identity is that it is amazing. It provides very good and deep analytics about whatever is happening in the on-premises Active Directory. The sensors are very lightweight. It is used in almost every deployment that we are doing for Azure or virtual machines on Azure or even migration of M365 Modern Workplace. We always include Microsoft Defender for Identity for all customers, whether for on-premises or infrastructure as a service.

What is most valuable?

The most valuable features of Microsoft Defender for Identity are the simulations. Whenever something happens, it provides complete step-by-step process details, including the hierarchy, how it happens in the environment, and the lateral movement, which is amazing.

The main benefits Microsoft Defender for Identity provides to users are comprehensive insights. When customers have Azure AD, they have all the insights by default, using Azure Monitor sign-in logs and everything. However, when they have on-premises Active Directory, they typically have no visibility into user lockouts, wrong attempt patterns, and other issues. Microsoft Defender for Identity fills this gap by providing deep insights for hybrid users in the on-premises Active Directory.

The integration of Microsoft Defender for Identity with MS 365 is exceptional. While we have not tested it along with Sentinel, the security.microsoft.com site provides valuable insights through the portal. The integration process is simple and straightforward.

The reporting and intelligent threat analytics provided by Microsoft Defender for Identity are effective and comprehensive.

What needs improvement?

Microsoft can improve Microsoft Defender for Identity by ensuring that installation prerequisites are included in the setup process. Installing the solution presents challenges as numerous logs and events must be enabled manually on all domain controllers. These manual processes should be integrated into the setup.

The configuration process is time-consuming, with installation taking two minutes but prerequisites requiring two hours.

Additionally, the prerequisites PowerShell script from Microsoft that must be run before installing the sensor should be integrated into the setup. Currently, users must download this script from the internet to determine sizing and compatibility requirements. The setup should automatically indicate whether a server is compatible or meets minimum requirements without requiring external tools.

For how long have I used the solution?

I have been working with Microsoft Defender for Identity for almost three years now.

Buyer's Guide
Microsoft Defender for Identity
October 2025
Learn what your peers think about Microsoft Defender for Identity. Get advice and tips from experienced pros sharing their opinions. Updated: October 2025.
872,778 professionals have used our research since 2012.

What was my experience with deployment of the solution?

I do not have any experience with capabilities to detect insider threats.

What do I think about the stability of the solution?

For stability, Microsoft Defender for Identity rates as an eight out of ten.

What do I think about the scalability of the solution?

Microsoft Defender for Identity is very lightweight and can accommodate as many instances as needed, earning a ten out of ten for scalability.

How are customer service and support?

The main complexity with support is that products from Microsoft should be thoroughly tested from all possible scenarios from an end user perspective. As a system architect or system admin, it should be possible to tell customers about the product's capabilities and quick installation time without having to explain the lengthy prerequisites process.

How would you rate customer service and support?

Positive

Which other solutions did I evaluate?

Microsoft Defender for Identity can be compared with Quest's Active Administrator, which is popular for handling similar functions. While it tracks all environmental changes, it is not GUI based. ManageEngine's Active Directory Auditor is another good solution that monitors all attempts, logs, and movements, though its agent is not lightweight.

What other advice do I have?

I am satisfied with Microsoft Defender for Identity's functionality.

We have deployed Microsoft Defender for Identity in both on-premises and hybrid models. We have implemented it on-premises as well as with additional domain controllers on Azure and AWS. For customers with multiple domain controllers across different multi-cloud environments, we deploy Microsoft Defender for Identity everywhere.

Technical support from Microsoft rates as a seven out of ten.

The pricing for Microsoft Defender for Identity is reasonable, especially since the majority of our customers are government and semi-government entities with E5 or E3 access.

I would give Microsoft Defender for Identity a final rating of eight out of ten.

I would recommend Microsoft Defender for Identity to other users. In fact, I implement it in 90% of my projects, which amounts to 40 or 50 projects annually.

Which deployment model are you using for this solution?

Hybrid Cloud

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
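The prerequisites this reviewer describes, audit settings that have to be enabled by hand on every domain controller before the sensor produces useful data, are worth scripting rather than clicking through. The PowerShell below is an added example, not code from the review, from Microsoft, or from the readiness script the reviewer mentions. It assumes the ActiveDirectory module and WinRM access to the DCs, and its list of advanced-audit subcategories and NTLM registry values is an assumption to be checked against the current Defender for Identity prerequisites documentation before use.

```powershell
# Added example (not from the review or from Microsoft): report, and optionally enable,
# the advanced audit subcategories and NTLM auditing the Defender for Identity sensor
# depends on, across every DC in the domain.
# ASSUMPTION: the subcategory list and registry values below match Microsoft's current
# prerequisites page; verify them there before running with -Fix on production DCs.
#Requires -Modules ActiveDirectory
param(
    [switch]$Fix   # when set, enable Success+Failure locally for anything missing
)

# Advanced audit subcategories (assumption: confirm against current docs).
$RequiredSubcategories = @(
    'Credential Validation',          # 4776: NTLM validation on the DC
    'Computer Account Management',    # 4741/4742/4743
    'Distribution Group Management',
    'Security Group Management',      # 4728/4729/4732/4733/4756/4757
    'User Account Management',        # 4720/4726/4740 ...
    'Directory Service Access',       # 4662; also needs SACLs on directory objects
    'Directory Service Changes',      # 5136/5137/5141; also needs SACLs
    'Security System Extension'       # service installation auditing
)

# NTLM auditing (event 8004 in Microsoft-Windows-NTLM/Operational). These are the
# registry values behind the "Network security: Restrict NTLM" policies.
$NtlmValues = @{
    'AuditReceivingNTLMTraffic'  = 2   # Audit Incoming NTLM Traffic: all accounts
    'RestrictSendingNTLMTraffic' = 1   # Outgoing NTLM traffic to remote servers: audit all
    'AuditNTLMInDomain'          = 7   # Audit NTLM authentication in this domain: enable all
}

$ScriptBlock = {
    param($Subcats, $Ntlm, $DoFix)
    $result = [ordered]@{ Computer = $env:COMPUTERNAME; MissingAudit = @(); MissingNtlm = @() }

    foreach ($name in $Subcats) {
        # /r gives CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,
        # Inclusion Setting,Exclusion Setting. Drop blank lines before parsing.
        $row = (auditpol /get /subcategory:"$name" /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv)[0]
        if ($row.'Inclusion Setting' -ne 'Success and Failure') {
            $result.MissingAudit += "$name ($($row.'Inclusion Setting'))"
            if ($DoFix) {
                auditpol /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
            }
        }
    }

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    foreach ($kv in $Ntlm.GetEnumerator()) {
        $current = (Get-ItemProperty -Path $lsaKey -Name $kv.Key -ErrorAction SilentlyContinue).($kv.Key)
        if ($current -ne $kv.Value) {
            $result.MissingNtlm += "$($kv.Key)=$current (want $($kv.Value))"
            if ($DoFix) {
                Set-ItemProperty -Path $lsaKey -Name $kv.Key -Value $kv.Value -Type DWord
            }
        }
    }
    [pscustomobject]$result
}

# Fan out to every DC in the domain and print one row per DC.
$dcs = (Get-ADDomainController -Filter *).HostName
$report = Invoke-Command -ComputerName $dcs -ScriptBlock $ScriptBlock `
    -ArgumentList $RequiredSubcategories, $NtlmValues, $Fix.IsPresent

$report | Select-Object Computer,
    @{ n = 'MissingAudit'; e = { $_.MissingAudit -join '; ' } },
    @{ n = 'MissingNtlm';  e = { $_.MissingNtlm  -join '; ' } } |
    Format-Table -AutoSize
```

Run it without `-Fix` first to see where each DC stands. `-Fix` changes the local audit policy and registry only; a domain GPO overrides local advanced-audit settings on the next refresh, so use it for a lab check and put the permanent configuration in the Default Domain Controllers Policy. Object-level auditing (the SACLs that actually make 4662 and 5136 fire) is a separate step that this script does not configure.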
Dumebi Chukwuemeka
Cloud Security Engineer at a non-tech company with 10,001+ employees
Real User
Top 5
Flexible and adaptable to different security postures and business requirements
Pros and Cons
  • "Microsoft Defender for Identity provides excellent visibility into threats by leveraging real-time analytics and data intelligence."
  • "One potential area for improvement could be exploring flexibility in the installation of Microsoft Defender for Identity agents."

What is our primary use case?

Microsoft Defender for Identity is like a personal security guard for our organization's identity. It keeps a close eye on how we use our identities across both on-premises and Azure Active Directory. If there is anything suspicious or unusual happening with our user accounts, it raises the alarm. It is a vital tool for ensuring the safety of our identity in a hybrid setup.

How has it helped my organization?

Using Microsoft Defender for Identity has saved our organization a significant amount of time. I would estimate it to be around 80%, making monitoring and security management much more efficient.

What is most valuable?

Microsoft Defender for Identity provides excellent visibility into threats by leveraging real-time analytics and data intelligence. With features like SecureScore and SecureScan, it offers a holistic view of security across both on-premises and cloud environments. A high SecureScore indicates strong security, while a low score signals potential threats. This makes it easy to detect and address security issues promptly.

What needs improvement?

One potential area for improvement could be exploring flexibility in the installation of Microsoft Defender for Identity agents. Currently, it is mandatory to install the agent on the on-premises environment, and considering if there could be more flexibility in deployment might be worth exploring.

For how long have I used the solution?

I have been using Microsoft Defender for Identity for over two months.

How are customer service and support?

I would rate Microsoft's technical support as a nine out of ten.

How would you rate customer service and support?

Positive

How was the initial setup?

I have found the installation process of Microsoft Defender for Identity to be incredibly straightforward. You just download the agents from the Defender portal, move them to your domain controller, and install – simple as that. Once it is up and running, checking reports on our on-premises environment is a breeze. Everything I need is neatly aggregated on the Microsoft Defender portal, making it easy to monitor and manage our identity security. However, there is room for improvement, especially for organizations using proxy servers. Enhancements in this area could streamline the configuration process and make it more seamless, irrespective of the proxy settings in the environment.

What other advice do I have?

Microsoft Defender for Identity helps us prioritize threats effectively, especially concerning lateral movements within our network. In the context of hybrid identity, where we synchronize users from the local Active Directory to the cloud, the solution prevents unauthorized lateral movements by detecting and addressing breaches. It is particularly crucial in safeguarding our on-premises environment, ensuring that any suspicious activities or attempts to move laterally are promptly identified and mitigated.

I have integrated multiple Microsoft security products, and the recent move to the Microsoft Defender portal has made it much more seamless. Formerly, each product had its portal, but now I can view everything in one place. This integration, including products like Microsoft Defender for Identity, cloud apps, and endpoints, provides a more comprehensive and efficient approach to security monitoring. To ensure a watertight security posture, integrating all these solutions is crucial for a holistic and superior defense against threats.

Microsoft Defender for Identity is designed to automate responses and remediation for high-security threats. The system can be configured based on organizational policies. Some choose automatic responses, while others prefer manual intervention for investigation and approval before remediation. It is flexible and adaptable to different security postures and business requirements.

Using Microsoft Defender for Identity has not only helped in detecting threats but also in preventing them proactively. The system is designed to not just respond but to actively block known and unknown threats. When encountering a new threat, it takes note of it and stores the information in the Threat Intelligence Workspace, ensuring continuous updates and preparedness for evolving threat landscapes.

Microsoft Defender for Identity has eliminated the need to juggle multiple dashboards. The unified Microsoft Defender portal consolidates all dashboards for endpoints, Office 365, and cloud apps into one place, simplifying and streamlining monitoring efforts.

Using Microsoft Defender for Identity not only saves our company money but also safeguards our reputation and valuable data. It is a significant cost-saving measure in the broader context of security and risk management.

Microsoft Defender for Identity has decreased the time to detect and increased the time to respond, contributing to a more efficient and responsive security posture.

Overall, I would rate Microsoft Defender for Identity a solid ten out of ten. Microsoft has invested significantly in security, and the product continually improves. The commitment to innovation and enhancements makes it an excellent choice for securing identity and maintaining a robust security posture. Microsoft's commitment to security and innovation makes it a compelling choice, even in the context of considering best-of-breed solutions.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sachin Vinay
Assistant Manager-Networks at Amrita
Real User
Top 5, Leaderboard
Easily detects advanced attacks based on user behavior
Pros and Cons
  • "The best feature is security monitoring, which detects and investigates suspicious user activities. It can easily detect advanced attacks based on the behavior. The credentials are securely stored, so it reduces the risk of compromise. It will monitor user behavior based on artificial intelligence to protect the identities in your organization. It will even help secure the on-premise Active Directory. It syncs from the cloud to on-premise, and on-premise modifications will be reflected in the cloud."
  • "There is no option to remedy an issue directly from the console. If we see an alert, we can't fix it from the console. Instead, we must depend on other Microsoft products, such as MDE. That is a significant drawback. It simply works as a scanner, which can sometimes put enough load on the sensors. Immediate actions should be possible from the dashboard because it can prevent issues from spreading further."

What is our primary use case?

I work for a university, and we use Defender for Identity for students, faculty members, researchers, etc. It's around 4,000 end-users. We have a completely Azure-based environment, and all of our users have migrated to the cloud. While we still have some on-premise users, we have synced our user base to the Azure Active Directory in the cloud. 

We require identity protection because most cybersecurity cases today involve identity harvesting. Microsoft Defender for Identity proved to be the best solution for providing support for malicious identity-related issues. Our entire cloud setup is protected. 

How has it helped my organization?

Our enterprise usage entirely depends on identity-based users. Any identity issue or attack could lead to massive data leakage in our environment. Defender for Identity is easy to use and provides precise details on the timeline to facilitate quick transfers.

Microsoft creates a database of critical vulnerabilities that they are constantly updating. Whether it's an old-fashioned or novel attack, it promptly notifies us. It may take some time to identify if it is a brand-new threat. Once it is located, it will tell us what the issue is.

We need to analyze the security features monthly and validate them. Microsoft Defender provides the correct solution for this. It will give you the proper security progressions that happen in Microsoft. We can define levels of security and prioritize security concerns, so we take action on the high-priority problems first. Regarding password resets, etc., there are less-complicated issues that don't pose a risk of data leakage, so we assign a lower priority.

It helps us be proactive because it will notify us about the preventive measures we can take. Once it flags a vulnerability, we can investigate the root cause. So that way, we can mitigate the most critical threats with this set of notifications from Defender.

Defender for Identity has affected our on-premise security because we need less identity management. Everything can be handled on the cloud. We require fewer devices for identity management, so it has reduced our hardware shortage.

It has saved us time by providing prompt notifications. We don't need to spend more time on SIEM solutions. Usually, we would require SIEM solutions or advanced log-based analysis solutions to find all the identity compromises or any identity-hijacking issues. We needed a designated person to check all these aspects with advanced threat-detection programs. We can eliminate all these challenges with the help of Microsoft Defender for Identity. It has cut the time spent on these tasks by 50 percent. 

Defender has also saved us money because we don't require traditional identity-based solutions in the firewall. We needed different identity-based solutions for the cloud, virtual machines, etc. Microsoft has this legacy proprietary feature, so we don't need other solutions. It has considerably reduced our budget by around 30 percent. It has sped up our detection and response time by about 10 percent. 

What is most valuable?

The best feature is security monitoring, which detects and investigates suspicious user activities. It can easily detect advanced attacks based on the behavior. The credentials are securely stored, so it reduces the risk of compromise. It will monitor user behavior based on artificial intelligence to protect the identities in your organization. It will even help secure the on-premise Active Directory. It syncs from the cloud to on-premise, and on-premise modifications will be reflected in the cloud.

Identity harvesting is the most common threat. Legacy Microsoft solutions and Amazon face the same issues in the cloud. Users don't implement other security mechanisms in the cloud. In an on-premise environment, we would have multiple security devices like firewalls and several layers of security. Cloud users are less bothered because cloud features are there and only need to be configured.

Microsoft Defender for Cloud is the best solution because all threats are completely visible, and it has a great dashboard. The dashboard displays each threat and score, so we can identify the threat rating and act efficiently to avoid compromising user identities.

We have a single sign-on feature on the cloud. If we lose a single set of identities, it can compromise the entire organization, including cloud and on-premise. The same identities are being used everywhere. The user activity has to be completely visible on the dashboard, and it has to generate a pattern. It will notify us if there is any security breach.

It is a complete monitoring set. Minor changes in the user identity can lead to data leakage. If a password is changed in the cloud, it will be reflected automatically in the on-premise. This minor change will trigger an alert in Microsoft Defender for Identity. It ensures that each cloud identity is well protected from spoofing. It has a comprehensive database of well-known spoofing techniques, enabling us to provide cloud identity protection completely. 

It has a vast scope because it is completely single sign-on. In the emerging industry, we use single sign-on because users need to authenticate, but it's challenging to remember multiple passwords. Once your user signs in, you can access all the data. An identity compromise would lead to various issues and affect the data on-premises. Defender maintains a constantly updated database with the latest signatures, attack models, and threats. If it detects one threat, it will monitor the suspicious event and give us frequent alerts.

Identity protection is vital because we use an identity mechanism for everything, including firewall-related activities. The exact identity used in the cloud is used in the most complex firewalls. We require an excellent migration technique to regain this user credential if something gets compromised. Blocking this requires a massive set of procedures. Microsoft Defender comprehensively monitors identity and provides frequent alerts regarding any issue, so we don't need to think of anything else.

Defender's bidirectional sync capabilities are helpful because we need to sync data from multiple directions, including tenant-to-tenant, on-premise-to-cloud, and cloud-to-cloud syncing. As a university, we have multiple tenants, so we need to sync or access data across platforms. That way, everything is more secure, and Microsoft Defender for Cloud also provides ample security for cloud transfers.

The bidirectional sync capabilities are flawless—10 out of 10. Our on-premise Active Directory is perfectly synced with the Azure AD. Everything is synced with on-premise, and changes are reflected in minutes. If a problem with identity is addressed on the cloud, the fix will be mirrored on-premise and vice versa.

Microsoft Defender for Cloud and Identity are bundled. If we have these two solutions, we don't need to worry about anything else or third-party antivirus. Microsoft Defender for Identity acts as a link to all the Microsoft security features that require identity-based validation. Microsoft Defender instantly provides identity security for all our applications, and users need not worry about typing their passwords. Even in situations with less complex encryption mechanisms, users don't need to worry about typing in their passwords. Defender will check and monitor if there are any flaws in that, and it will let us know if there are any issues.

We're a Microsoft shop, so everything works together. If one feature isn't working, everything will be affected. If Defender isn't working, half of our Microsoft security features will be dead. Without identity security, user data can easily be compromised, and data can fall into the hands of intruders or other hackers. The solutions have to complement each other. If anything went wrong, the entire setup would have flaws.

Microsoft security has a legacy security mechanism. A while back, we might have gone with Defender for Endpoint, but Microsoft has also grown into the face of the cloud. The same Defender solution is completely maintaining cloud security. We can imagine Microsoft's vast scale and how Defender can protect the cloud environment from vulnerabilities and attacks. We are definitely delighted with Microsoft products.

The dashboard features are fantastic because it provides a comprehensive overview. It has a great alert mechanism and log inspector that tracks when users access various servers. With this kind of identity validation, we can control which servers the users can access. We have total visibility from the dashboard. We can track identity usage even if there are no issues. That is an essential advantage.

What needs improvement?

There is no option to remedy an issue directly from the console. If we see an alert, we can't fix it from the console. Instead, we must depend on other Microsoft products, such as MDE. That is a significant drawback. It simply works as a scanner, which can sometimes put enough load on the sensors. Immediate actions should be possible from the dashboard because it can prevent issues from spreading further.

For how long have I used the solution?

I have used Defender for Identity for six years.

What do I think about the stability of the solution?

Defender for Identity is extremely stable. We don't experience any bugs because Microsoft has a three-tier system for checking everything. 

What do I think about the scalability of the solution?

Defender for Identity is completely scalable.

How are customer service and support?

I rate Microsoft support 10 out of 10. The technical support is good, but we don't need it for Defender because everything is pretty straightforward.

How would you rate customer service and support?

Positive

How was the initial setup?

Setting up Defender is straightforward and took two days. We require system admins to check for data mismatches. Once we implement the security, the cloud and on-premise data have to be perfectly synced. We need to ensure the on-premise data can be secured from Defender. It doesn't need maintenance after deployment. Everything happens automatically.

What was our ROI?

The return on investment is there because we don't need to add complicated security managers in the cloud where we need security-based virtual machines running Azure or other cloud platforms. It considerably reduces the time system admins spend on management. The subscription cost is cheaper than deploying a complete hardware setup. It is budget-friendly.

What's my experience with pricing, setup cost, and licensing?

Defender for Identity is a little more expensive than other Microsoft products. Identity and Microsoft Defender for Cloud are both a bit costly.

What other advice do I have?

I rate Defender for Identity nine out of 10. I would give it a perfect 10, except for the inability to remedy issues directly from the console. Defender for Identity is a popular product because most endpoint users already use Defender, so they will be familiar.

When dealing with single sign-on, an identity-based cloud solution is essential for all enterprises because most security concerns are related to identity. It's easy for hackers to hack into servers with compromised identities. We need a legacy enterprise product like Microsoft Defender or a close competitor like Kaspersky. If user identities are compromised, your entire infrastructure will be in danger. Even if the cost is high, you need an enterprise product like Microsoft Defender for Identity.

It's challenging to integrate solutions from multiple vendors. If we used several vendors, we would need to spend a lot of time checking to ensure they integrate correctly. We must also establish an adequate surveillance solution to monitor these different products. It's a headache for the system admins. System administrators have fewer security concerns with an all-Microsoft setup because the elements work in sync. It's easy to monitor the data from any instance, so the data is more secure and accessible. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Nagendra Nekkala
Senior Manager ICT & at Bangalore International Airport Limited
Real User
Top 5, Leaderboard
Increases visibility, integrates well with other solutions, and helps eliminate threats
Pros and Cons
  • "It automates routine testing and helps automate the finding of high-value alerts."
  • "The tracking instance needs to be configured appropriately."

What is our primary use case?

We mainly use the solution to ensure our security and to increase our security score. We want to understand the threats or attacks to help prevent them. 

How has it helped my organization?

The product has given our security posture a very big score. It is very easy to integrate with other applications, other packages, and what we have. It helps to measure and block events. 

What is most valuable?

It gives us visibility into advanced behavior activities. It’ll show a history of logins or events.

It’s efficient, and it provides all of the investigation reports, which is an advantage for us. It also helps us prioritize threats across the company. It helps us detect the exact timing of incidents, and we’ll see them when they happen. It helps us adhere to our SLAs. We can see threats and if they are of higher or lower severity. We can find the types of malicious events, see what’s happening, see what actions are taken, and understand what is happening.

It integrates with other products, and these solutions work natively together to deliver coordinated detection and response across the environment. These all work through Jira.

The comprehensiveness of the threat protection provided by Microsoft security products is good. It is giving better visibility to us. We can understand what the false positives are. That gives us more confidence in the security posture of the environment.

We use Microsoft Defender for the cloud, and we use its directional sync capabilities. It’s important to be able to see both in and outbound reporting. 

It automates routine testing and helps automate the finding of high-value alerts.

As we define policies and rules, automation makes it easier to do so.

The product helped eliminate having to look at multiple dashboards. It has a free single dashboard for us.

We’ve found that threat intelligence helps us prepare for potential threats before they even hit and we can take preventative steps. That is the beauty of it. It has good threat intelligence within the platform. We can prepare ourselves before we have an issue.

It continues to scan for threats on our devices. We’re always scanning.

We’ve been able to save time on security-related tasks. Right now, we’re saving two to three hours a day.

Microsoft Defender for Identity decreased our time to detect or our time to respond overall.

What needs improvement?

The tracking instance needs to be configured appropriately. They need to be able to identify more vulnerabilities in order to increase the efficiency of the solution. 

For how long have I used the solution?

I've been using the solution for almost five years. 

What do I think about the stability of the solution?

The solution is stable. 

What do I think about the scalability of the solution?

We have 600 people using the solution. It's in one location. 

It's a scalable solution. 

Which solution did I use previously and why did I switch?

We did not previously use a different solution. 

How was the initial setup?

The initial setup was very easy. I found it to be straightforward. The deployment only takes one day. Our implementation strategy was to ensure all threats and vulnerabilities were covered. 

We have two admins that cover the solution. However, it doesn't require maintenance. 

What's my experience with pricing, setup cost, and licensing?

The enterprise pricing is reasonable. Our company has a good deal. 

Which other solutions did I evaluate?

We did look at another solution before choosing this product. It was a filter scanner. However, we have other Microsoft products, so we went with this solution. 

What other advice do I have?

I'm a customer. 

I'd rate the solution nine out of ten. 

It's covering all of our major vulnerabilities and threats without giving an inch. It's a one-stop solution. It can detect any type of suspicious activity, whether internal or external, and provides historical logs. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Manager at vTech4U
Real User
Offers robust protection from insider threats, but the customer support is poor
Pros and Cons
  • "The solution offers excellent visibility into threats."
  • "The technical support needs significant improvement. Documentation for more minor issues in the form of guides or walkthroughs could help to resolve this issue. The number of tickets raised would decrease, removing some pressure from the support team and making it easier to clear the remaining tickets."

What is our primary use case?

Our primary use for the solution is for user and entity behavior analytics. 

We use multiple Microsoft security products including Defender for Endpoint and Defender for Cloud.  

We use Defender for Cloud for our Azure VMs, but not for the multi-cloud environment, and we don't make use of its bi-directional sync capabilities.

We have integrated these products, and the integration was straightforward. 

These solutions work natively together to deliver coordinated detection and response across our environment, which is not the case for non-Microsoft tools. 

These multiple Microsoft security products provide comprehensive threat protection. 

How has it helped my organization?

Defender for Identity improved our organization; a major part of that is threat analytics. The user entity and behavior analytics, in particular, helps us a lot right now, as compromised user scenarios, such as phishing emails, are significant threats.

The solution reduced our time to detection and response. 

What is most valuable?

Almost all the features are valuable. 

The solution offers excellent visibility into threats. 

Defender for Identity helps prioritize threats across our enterprise, which is essential for any identity and access management product. 

The solution's threat intelligence helps us prepare for potential threats and take proactive steps before they hit. We've tested various scenarios over the past months, including our major security concerns, a valuable exercise that helps us to protect our system.   

What needs improvement?

Although the threat protection is comprehensive, the solution needs to be reevaluated when it comes to complex scenarios.

There is no publicly available roadmap regarding upcoming features and improvements to the product. 

The product has significant limitations around acquiring device vulnerabilities, primarily because hunting queries are limited. 

The technical support needs significant improvement. Documentation for more minor issues in the form of guides or walkthroughs could help to resolve this issue. The number of tickets raised would decrease, removing some pressure from the support team and making it easier to clear the remaining tickets.

For how long have I used the solution?

We've been using the solution for almost eight years.

What do I think about the scalability of the solution?

We have around 16,000 end users and expect that to increase by 20% in the coming year.

How are customer service and support?

The customer support is inferior as they lack technical ability; I rate them two out of ten.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

In place of Sentinel, we previously used QRadar for reporting purposes, but it's a SIEM product, not SOAR. However, when we evaluate SOAR solutions like Sentinel, we find them expensive.

How was the initial setup?

The complexity of the initial deployment depends on the scenario; it can be straightforward, but it can also be complex, especially if it involves removing the agents from a previous solution.

The setup typically takes 45 minutes to an hour if there are no issues, but if you run into problems, it can take a day or two. We implemented the solution using a team of five staff. We have another team of 15-20 employees working on customer projects.

It took six to eight months from the time of deployment to realize the benefits of the solution. From an endpoint and identity perspective, it took that long because the data needed to be recorded and captured.

What was our ROI?

We have seen an ROI with the solution. 

What's my experience with pricing, setup cost, and licensing?

The product is costly, and we had multiple discussions with accounting to receive a discounted rate. However, on the open market, the tool is expensive.

You can purchase Defender for Identity as an add-on to an E3 license, and it comes included with an E5 license. I think those with the E3 and add-on aren't benefitting, and it's a better deal for those with E5 licenses; however, the price difference between E3 and E5 is significant. If we can get E5 at a discounted price, that's likely the most cost-effective way of accessing the product. We use a mix of E3 licenses and E5s for high-profile users.

What other advice do I have?

I rate the solution seven out of ten. 

My advice to those considering the product is that it's great. We have yet to test complex scenarios in an open-source environment, but our findings and results have been promising so far. At the same time, the customer support is very poor, and the tool is expensive.

Whether Defender for Identity saves us time is still an open question. We need to conduct more testing, especially around complex scenarios, though I believe it will save us time. There was a greater level of complexity involved in the products we previously used. Our team members were less familiar with them, creating a need for education, training, and experience. However, many staff are already familiar with Microsoft and Windows, so for those people to work with Defender is a much simpler proposition.

We have yet to onboard services such as Salesforce running in different clouds, primarily GCP and AWS. When we onboard them into Defender for Cloud and Defender for Identity, we may discover some vulnerabilities or weaknesses there, but as of now, that is unclear. We intend to run tests and find any weaknesses if they are there.

We currently don't use the solution's automation. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Matthew Bouwer - PeerSpot reviewer
Cyber Security Analyst at a tech services company with 1,001-5,000 employees
Real User
With all the information we need in one place, we are more efficient with a faster time to respond
Pros and Cons
  • "The most valuable aspect is its connection to Microsoft Sentinel and Defender for Endpoint, and giving exact timelines for incidents and when certain events occurred during an incident."
  • "Defender for Identity gives us visibility, but we often get false positives from Azure that take us down the garden path. We go through 30 incidents each day and most of those are false positives or benign positive alerts. Occasionally, we get true positive alerts."

What is our primary use case?

The use cases are for dealing with situations where a user signs on with MFA from unusual locations or malicious files are detected.

How has it helped my organization?

The way it has improved our organization is that we're able to get the information across and easily pull it all together in one place, to help us be secure.

It is very good to have all the threat locations that the threat actors are coming from on one dashboard. That has enabled us to run a lot more efficiently. We're able to put more time into taking action on alerts instead of setting up dashboards and having to find the relevant information.

Our Microsoft solution has saved us time because we have been able to field the alerts and see what level of urgency they have, with all the information in one spot. It has made it a lot easier to find relevant alerts and threats and take action. It has decreased our time to respond, allowing us to provide a five- to 10-minute response time for most alerts.

And with the playbooks, we're able to find additional alerts, like unfamiliar sign-ons, and automate the closing of sign-ons from certain locations so that we don't get a full feed of useless data.

What is most valuable?

The most valuable aspect is its connection to Microsoft Sentinel and Defender for Endpoint, and giving exact timelines for incidents and when certain events occurred during an incident. It's good to know when a sign-on occurred, especially if it was outside the usual time, and whether the sign-on was from Australia, because our users don't usually sign on from outside Australia.

And for prioritizing threats, we get alerts that are low or high severity and that tells us what we need to do within our SLA, and what we prioritize in terms of further escalation down the pipeline. We get the alerts in real time, thanks to Sentinel. That's very important because when we get an alert from Sentinel, we can click through on the link to find out what happened, see further details about the user and the malicious event, and what files were there. It has all those details and actions.

Sentinel enables us to ingest data from our client's ecosystem so that all the endpoints and users are in Sentinel. That is critical for operational success. When alerts come in you need all those details. If you don't have those details it's hard to follow up with further investigations and you can't tell whether it was a legitimate threat or not, which isn't good.

And with Sentinel, we have one spot to respond across the board. That's another very important factor because you don't want to spend all your time trying to figure out where the data and information are, which is very difficult to do. Being able to run KQL queries within Sentinel and get the details from Defender for Identity, and the other solutions, is pretty cool.

In addition to Defender for Identity, we use Defender for Endpoint, Defender for Cloud Apps, Sentinel, and Azure AD. They're all integrated because we run it as an MSP for a client and we get their endpoints connected to Azure to get the alerts feed. They all work very well together. It's good to be able to investigate across the different products. They work seamlessly. That integration has been a very important factor, considering that we have a set timeline for alerts. Being able to switch seamlessly from one solution to the other solution to further investigate is very important for the job.

What needs improvement?

Defender for Identity gives us visibility, but we often get false positives from Azure that take us down the garden path. We go through 30 incidents each day and most of those are false positives or benign positive alerts. Occasionally, we get true positive alerts.

Also, while the threat protection from Microsoft is very comprehensive for certain threat alerts, for new things we sometimes have to create new alerts to try to get them into the pipeline and we've had mixed results with that.

There is also room for improvement in how the threat intelligence comes through. Sometimes, the user data is not all there and we have to confirm things across multiple solutions to get the full data for one alert.

For how long have I used the solution?

I've been using Microsoft Defender for Identity for one year and seven months.

What do I think about the stability of the solution?

I rate the stability at a six or seven out of 10. Sometimes there is downtime with the system.

What do I think about the scalability of the solution?

It's very scalable. We've had it across a small environment and a large environment. Our client has about 10,000 endpoints connected. They have a total of about 100,000 endpoints but we're having some issues with connectivity, so the number is fluctuating. We've deployed it both across our company and our client's base. We ingest their data and manage our company's data.

How are customer service and support?

The technical support has been very good. Whenever we have had issues they have been resolved very quickly.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We didn't have a previous solution. Because we're mostly using Microsoft software and applications, it makes more sense to stick with a Microsoft solution.

What was our ROI?

We've been able to better satisfy our client's needs.

What's my experience with pricing, setup cost, and licensing?

It is very affordable considering that other SIEM solutions are much more expensive and have many more licensing restrictions and fees.

What other advice do I have?

There isn't really any maintenance involved on our side. It's on the client to keep the endpoints connected. Sometimes they don't get updated and sometimes they don't have it set up on their devices to connect.

I would recommend a single-vendor suite because if you run into issues across multiple solutions, it's going to be quite a headache for the engineering and DevOps teams to sort out all those issues, communicate with each other, and provide data to each other.

Give Defender for Identity a shot if you're running a very Microsoft-centric environment. Test it out and see how you find it. It's very efficient at picking up alerts from endpoints and ingests all the information efficiently without too many hang-ups.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
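The kind of KQL hunting query this review describes (sign-ons outside the usual hours or from outside Australia, with Defender for Identity details pulled into Sentinel), written here as an added example that is not part of the review. Table and column names follow the Defender XDR advanced hunting schema for IdentityLogonEvents and IdentityInfo, which Sentinel receives through the Microsoft 365 Defender connector; the expected country, the business hours, the UTC offset and the assumption that Location carries a country or region name are all assumptions to adjust for your tenant.

```kql
// Added example, not from the review or from Microsoft's documentation.
// Flags successful on-premises logons seen by the Defender for Identity sensor that
// happened outside business hours or outside the expected country, then enriches each
// hit with the MDI entity tags (Sensitive, Honeytoken) and department from IdentityInfo.
let ExpectedCountry = "Australia";   // assumption: where the workforce normally signs on
let LocalOffset = 10h;               // assumption: Australian Eastern Standard Time
let BusinessStart = 7;               // assumption: 07:00 local
let BusinessEnd = 19;                // assumption: 19:00 local
let Lookback = 1d;
IdentityLogonEvents
| where Timestamp > ago(Lookback)
| where ActionType == "LogonSuccess"         // failures are noisy; hunt successes first
| where isnotempty(AccountUpn)
| extend LocalTime = Timestamp + LocalOffset
| extend LocalHour = hourofday(LocalTime)
| extend OutsideHours = LocalHour < BusinessStart or LocalHour >= BusinessEnd
// assumption: Location holds a country/region name; an empty Location (private
// address space, no geo data) is not treated as foreign
| extend OutsideCountry = isnotempty(Location) and Location !has ExpectedCountry
| where OutsideHours or OutsideCountry
| join kind=leftouter (
    IdentityInfo
    | summarize arg_max(Timestamp, *) by AccountUpn   // latest record per account
    | project AccountUpn, Tags, Department
  ) on AccountUpn
| project Timestamp, LocalTime, AccountUpn, Department, Tags, DeviceName, IPAddress,
          Location, Protocol, LogonType, OutsideHours, OutsideCountry
| order by Timestamp desc
```

Run it in Advanced hunting in the Microsoft Defender portal or in Sentinel Logs. Used as the query of a scheduled analytics rule, the OutsideCountry and OutsideHours columns give an automation rule or playbook something concrete to branch on, which is how the "close sign-ons from certain locations automatically" behaviour in the review can be expressed without suppressing everything from that source. Treat an empty Location as unknown rather than foreign, or the rule will fire on every domain-controller logon from an internal address.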
Reynaldo Ruiz Flores - PeerSpot reviewer
Self Employed, Freelance, Consultant, Sales - Learning Time at SpectralByte
Real User
The solution is easy to implement and helps us identify issues like weak or reused passwords
Pros and Cons
  • "One of our users had the same password for every personal and company account. That was a problem because she started receiving phishing emails that could compromise all of her accounts. Defender told us that the user was not changing their password."
  • "Microsoft should look at what competing vendors like CrowdStrike and Broadcom are doing and incorporate those features into Sentinel and Defender. At the same time, I think the intelligence inside the product is improving fast. They should incorporate more zero-trust and hybrid trust approaches. They need to build up threat intelligence based on threats and methods used in attacks on other companies."

What is our primary use case?

Defender for Identity provides intelligent authentication through conditional access policies and monitors user behavior. Defender looks at things like password changes and application use.

How has it helped my organization?

One of our users had the same password for every personal and company account. That was a problem because she started receiving phishing emails that could compromise all of her accounts. Defender told us that the user was not changing their password.

What needs improvement?

Microsoft should look at what competing vendors like CrowdStrike and Broadcom are doing and incorporate those features into Sentinel and Defender. At the same time, I think the intelligence inside the product is improving fast. They should incorporate more zero-trust and hybrid trust approaches. They need to build up threat intelligence based on threats and methods used in attacks on other companies.

For how long have I used the solution?

I have used Defender for two years.

What do I think about the stability of the solution?

I rate Defender for Identity nine out of 10 for stability.

What do I think about the scalability of the solution?

I rate Defender for Identity 10 out of 10 for scalability.

How are customer service and support?

Defender is pretty solid, so we rarely call support. 

How was the initial setup?

The implementation is fast and easy. You only need to buy a license and assign it to a user. 

What was our ROI?

We have seen a return on our investment.

What other advice do I have?

I rate Microsoft Defender for Identity nine out of 10. My advice to new users is to learn the product. Microsoft has courses you can take. They offer one that covers all their security solutions. It only takes a day and is the best way to learn how to use the product. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cloud Solutions Architect at a tech services company with 201-500 employees
Real User
Integration with other Microsoft products is simple, providing a holistic security solution
Pros and Cons
  • "The feature I like the most about Defender for Identity is the entity tags. They give you the ability to identify sensitive accounts, devices, and groups. You also have honeytoken entities, which are devices that are identified as "bait" for fraudulent actors."
  • "An area for improvement is the administrative interface. It's basic compared to other administrative centers. They could make it more user-friendly and easier to navigate."

What is our primary use case?

The use case is securing identity on your on-premises Active Directory.

How has it helped my organization?

It helps identify insider leaks. If any of your users want to use their permissions to implement leaks or perform malicious actions, it alerts you. 

It also performs reconnaissance. If someone has succeeded in gaining access to your Active Directory, it monitors anomalous behaviors, such as moving laterally.

Microsoft has also identified vulnerabilities globally and Defender for Identity prevents such security incidents from occurring in your domain controllers.

Another benefit is that Defender for Identity saves us time because it is automated and proactive. I don't have to monitor the environment, just the feedback and alerts from the solution. It also helps save us money because it prevents potential breaches that would cost money.

In addition, the solution has decreased our time to detection.

What is most valuable?

The feature I like the most about Defender for Identity is the entity tags. They give you the ability to identify sensitive accounts, devices, and groups. You also have honeytoken entities, which are devices that are identified as "bait" for fraudulent actors. Once these devices have been tagged, they give you alerts about when a malicious actor tries to explore the vulnerability that you created. You can monitor what the attacker is going after. Entity tagging is a big win for Defender for Identity.

There is a connection between the cloud, Defender for Endpoint, and Defender for Cloud Apps, in addition to Defender for Identity, so that you get feedback about activity on the cloud regarding a user if he tries to move laterally in the on-premises Active Directory.

It gives you visibility into threats. On the cloud, you already have Azure AD Identity Protection to secure your cloud identity. But the security of Defender for Endpoints requires certain protections for your on-premises identity. It's helpful for organizations that have quite a few on-premises entities. There aren't a lot of organizations like that now, as quite a few have already moved to the cloud, but those that are still on-prem need that security.

We also use Microsoft Defender for Endpoint and Intune. The beauty of Microsoft is that, with just a few clicks, it integrates all the security features. Signals from Defender for Identity can move to Defender for Endpoint, Defender for Cloud Apps, and Intune. That ensures that it eliminates false positives and gives you a comprehensive overview, like a map, of what a malicious actor has done. It tells you how a user moved from this device to that device, which is very good.

When it comes to comprehensiveness, Microsoft has done a good job of making Defender for Identity pretty straightforward and easy to use. There are detection rules that help you identify potential attacks. Your role, as a security professional using Defender for Identity, is basically to monitor and implement a few configurations, after the initial deployment.

Defender for Identity is automated, in that you can specify specific alerts or incidents to defend against.

Defender for Identity, Defender for Endpoint, Defender for Office 365, and Defender for Cloud Apps all point to the Microsoft Defender Security Center. That gives you a one-stop-shop dashboard where you can see the activity for these four solutions.

What needs improvement?

An area for improvement is the administrative interface. It's basic compared to other administrative centers. They could make it more user-friendly and easier to navigate.

For how long have I used the solution?

I have been using Microsoft Defender for Identity for over a year.

What do I think about the stability of the solution?

So far, so good, when it comes to stability.

What do I think about the scalability of the solution?

You can add it to more servers. It has been developed in such a way that, if you have 20 servers in an enterprise, you can install it on all the servers in your environment, and it has a dashboard that tells you if the Defender for Identity sensor has stopped.

Our environment has about 700 end-users.

How are customer service and support?

I haven't had to contact their technical support.

Which solution did I use previously and why did I switch?

We did not have a solution before using Defender for Identity.

How was the initial setup?

The initial deployment of the solution, overall, is pretty straightforward. You install the sensor on-premises, on the virtual machine that is running Active Directory.

What about the implementation team?

I did it myself. I'm a security expert, working for a Microsoft managed-services provider. There were three to four people involved.

What was our ROI?

It's very tricky to identify a return on investment. A return on investment for a solution like this can only be quantified when you can measure its effects. Of course, it identifies and eliminates breaches, and since we have not had any breaches, the return on investment has been good. It's protecting the environment.

What other advice do I have?

I would always recommend a single-vendor security suite over multiple suppliers because you get a comprehensive overview of the handshake between all the security offerings in the Microsoft solution. In this case, they include Defender for Identity, which is integrated with Defender for Endpoint, Defender for Cloud Apps, and Defender for Office 365. A holistic, single security solution is better than having multiple solutions where you have to monitor different platforms, and where you can get conflicting reports.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner.
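A query that makes use of the entity tags this review singles out, added here as an example that is not part of the review. It is written for Defender XDR advanced hunting (IdentityInfo, IdentityLogonEvents, AlertInfo and AlertEvidence); Sentinel's own IdentityInfo table has a different schema, so adjust before pasting it there. The seven-day window and the alert title "Honeytoken activity" are assumptions to check against your tenant.

```kql
// Added example, not from the review or from Microsoft's documentation.
// Lists every authentication by an account that Defender for Identity has tagged
// Honeytoken or Sensitive, and sets the MDI alerts raised for that account beside it.
// A honeytoken account has no legitimate user, so any logon by it is worth a look;
// for Sensitive accounts the query gives a baseline of where they authenticate from.
let Lookback = 7d;   // assumption: matches the SLA window you investigate within
// latest IdentityInfo record per account, keeping only tagged identities
let TaggedAccounts =
    IdentityInfo
    | where Timestamp > ago(Lookback)
    | summarize arg_max(Timestamp, *) by AccountUpn
    | where Tags has_any ("Honeytoken", "Sensitive")
    | project AccountUpn, Tags;
// successful and failed logons seen by the MDI sensor for those accounts
let TaggedLogons =
    IdentityLogonEvents
    | where Timestamp > ago(Lookback)
    | join kind=inner TaggedAccounts on AccountUpn
    | project Timestamp, AccountUpn, Tags, ActionType, LogonType, Protocol,
              DeviceName, IPAddress, FailureReason;
// MDI alerts tied to the same accounts; "Honeytoken activity" is the alert MDI raises
// when a honeytoken account authenticates (assumption: title unchanged in your tenant)
let TaggedAlerts =
    AlertInfo
    | where Timestamp > ago(Lookback)
    | where ServiceSource == "Microsoft Defender for Identity"
    | join kind=inner (
        AlertEvidence
        | where EntityType == "User"
        | project AlertId, AccountUpn
      ) on AlertId
    | summarize Alerts = make_set(Title), AlertCount = dcount(AlertId) by AccountUpn;
// aggregate the logons first so the alert join cannot multiply the row count
TaggedLogons
| summarize Logons = count(),
            Failed = countif(ActionType == "LogonFailed"),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Sources = make_set(DeviceName), SourceIPs = make_set(IPAddress)
          by AccountUpn, Tags
| join kind=leftouter TaggedAlerts on AccountUpn
| project-away AccountUpn1
| extend AlertCount = coalesce(AlertCount, 0)
| order by Logons desc
```

Any row where Tags contains Honeytoken and Logons is greater than zero is an incident by definition, whether or not AlertCount is also non-zero: the alert tells you MDI noticed, the logon rows tell you from which host and over which protocol, which is the "what the attacker is going after" detail the review values. Tags are only as good as the tagging, so pair this with a periodic check that the sensitive groups and bait accounts you expect are actually tagged in the portal.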
Buyer's Guide
Download our free Microsoft Defender for Identity Report and get advice and tips from experienced pros sharing their opinions.
Updated: October 2025