CyberSecurity Engineer | Information Security Management at Self Employed
Real User
Top 20
2025-05-26T14:19:59Z
May 26, 2025
In Microsoft Defender for Identity, I would appreciate improvements in providing information on conditional access. They have added more control that can be put in place, which was not present years ago. They have also integrated Azure Information Protection where policies can be configured. The Self-Service Password Reset (SSPR) allows users to reset their passwords, which is a valuable tool for remote workers. They have added more features into conditional access that integrate with other components, including SSPR and Identity Information Protection, trusted IPs, and locations. These configurations in trusted IP addresses are integrated into conditional access and control the applications I want to secure. Regarding impossible travel scenarios, I can either block the user or grant access while requesting multi-factor authentication. They should improve the automation for impossible travel detection. When connected to Wi-Fi and then to VPN, the system sometimes interprets the IP address change as impossible travel. If Microsoft could develop a feature that indicates when impossible travel is caused by VPN connections, it would prevent unnecessary password resets and session disruptions, especially for VIP users in organizations.
Information Technology Security Manager at a security firm with 51-200 employees
Real User
Top 5
2025-03-31T13:37:00Z
Mar 31, 2025
There is room for improvement in delivering knowledge to technical users, especially regarding what we can gain from the solution and how to apply it. The documentation provided by Microsoft is often seen as a waste of time. We had no specific complaints about technical support, as it was rarely used due to the availability of materials online.
One area that needs improvement is the number of alerts generated, leading to alert fatigue. Reducing false positives is something we've been working on with Microsoft.
One improvement I would recommend is the integration of an admin application within Teams, allowing easy access to attack information on a mobile platform to promptly alert affected users and their friends.
The solution could improve how it handles on-premises Android-related attacks. Without Microsoft Defender, it can be challenging to check which accounts are compromised and to analyze activities on on-premises servers. Enhancing this capability would make it even more effective.
Security Specialist at a construction company with 1,001-5,000 employees
Real User
Top 20
2024-09-10T11:45:00Z
Sep 10, 2024
The solution should provide more detailed data regarding anomaly detections. You get information occasionally, but it doesn't always correlate the different anomalies accurately. It takes quite a lot of effort to look at sign-in logs and security alert logs. It would be nice to consolidate all that information into a more centralized view instead of going through different platforms in the Azure Stack to investigate.
There are issues with the alerts in Microsoft Defender for identity-related intra-protection detection anomalies. The alerts are missing some data, which makes it difficult to determine the exact sign-in event associated with the alert. For instance, if we see a sign-in from a different country, we want to correlate this with the sign-in events recorded in our system and Microsoft. The alert in Defender does not provide the necessary details to match it directly with the corresponding sign-in event. To address this, we need to refer to Defender Protection events, where we can find the IP and sign-in ID associated with the event. It would be beneficial if Microsoft developed the Microsoft Graph API for Advanced Hunting to facilitate more automation. Currently, the schema is not very well-defined, which limits automation possibilities. Additionally, improvements could be made to enhance queries, such as obtaining the full path of a process, which is available in EDR. Addressing these areas would significantly improve functionality and integration. Occasionally, we've encountered issues with the API, such as when we cannot access the data and receive a 500 Internal Server Error. This has happened several times over the past few days.
Owner at a tech services company with 51-200 employees
Real User
Top 5
2024-08-08T17:23:00Z
Aug 8, 2024
It integrates with on-premises Active Directory environments. It is designed to enhance security by providing advanced threat detection and response capabilities for both Azure Active Directory and on-premises Active Directory. This integration allows for comprehensive monitoring and protection of identity-related activities across both environments. It focuses on protecting the on-premises Active Directory infrastructure and does not directly link both identity repositories. For users operating in mixed environments, while Defender for Identity offers robust protection for on-premises AD, additional solutions or configurations might be necessary to ensure seamless security management across Azure and on-premises AD systems.
Cloud Security Engineer at a non-tech company with 10,001+ employees
Real User
Top 5
2023-12-21T07:14:00Z
Dec 21, 2023
One potential area for improvement could be exploring flexibility in the installation of Microsoft Defender for Identity agents. Currently, it is mandatory to install the agent on the on-premises environment, and considering if there could be more flexibility in deployment might be worth exploring.
The tracking instance needs to be configured appropriately. They need to be able to identify more vulnerabilities in order to increase the efficiency of the solution.
Microsoft should look at what competing vendors like CrowdStrike and Broadcom are doing and incorporate those features into Sentinel and Defender. At the same time, I think the intelligence inside the product is improving fast. They should incorporate more zero-trust and hybrid trust approaches. They need to build up threat intelligence based on threats and methods used in attacks on other companies.
Although the threat protection is comprehensive, the solution needs to be reevaluated when it comes to complex scenarios. There is no publicly available roadmap regarding upcoming features and improvements to the product. The product has significant limitations around acquiring device vulnerabilities, primarily because hunting queries are limited. The technical support needs significant improvement. Documentation for more minor issues in the form of guides or walkthroughs could help to resolve this issue. The number of tickets raised would decrease, removing some pressure from the support team and making it easier to clear the remaining tickets.
There is no option to remedy an issue directly from the console. If we see an alert, we can't fix it from the console. Instead, we must depend on other Microsoft products, such as MDE. That is a significant drawback. It simply works as a scanner, which can sometimes put enough load on the sensors. Immediate actions should be possible from the dashboard because it can prevent issues from spreading further.
Cyber Security BA/BSA at an insurance company with 10,001+ employees
Real User
2021-03-13T00:30:29Z
Mar 13, 2021
When the data leaves the cloud, there are security issues. The cloud security services and the integration with on-prem applications like SIEM need to be improved.
Microsoft Defender for Identity integrates with Microsoft tools to monitor user activity, providing advanced threat detection and analysis using AI. It enhances proactive threat response and security visibility, making it essential for securing on-premises and cloud environments like Active Directory. Microsoft Defender for Identity offers comprehensive monitoring and AI-driven user behavior analysis. It detects threats through real-time alerts and identifies lateral movements and entity...
The solution could be better at using group-managed access and they could replace it with broad-based access controls.