Microsoft Defender for Identity
Capability scores
- Authentication: 3.0
- SSO & Federation: 3.0
- Authorization: 3.5
- Lifecycle & Provisioning: 2.5
- MFA & Passwordless: 3.0
- Governance & Audit: 4.0
- Developer Experience: 3.0
- Deployment Flexibility: 3.5
- Pricing Transparency: 3.0
- Support & Ecosystem: 4.5
Scored 0–5 against a published rubric. Independent analysis, no vendor sponsorship.
Overview
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, Azure ATP) is Microsoft's identity threat detection and response (ITDR) offering for on-premises Active Directory and hybrid Entra ID environments. Sensors installed on domain controllers (and on AD FS, AD CS and Entra Connect servers) inspect directory traffic and events to detect reconnaissance, credential theft, lateral movement and domain dominance, and feed those signals into the Defender XDR ecosystem.
Capability deep-dive
The strength is integration and the price of entry. For organizations already on Microsoft 365 E5, the detection is included, and correlating identity signals with endpoint and email telemetry inside Defender XDR is hard to match without buying separate tools. Coverage of classic AD attack techniques (Kerberoasting, DCSync, pass-the-ticket, golden ticket and similar) is solid, and analyst workflows tie into Sentinel cleanly. The weaknesses: it is Microsoft-directory focused, so non-Microsoft identity providers fall outside its lens, and it leans toward detection over response and recovery. Built-in response actions stop at disabling an account or forcing a password reset; there is no automated forest rebuild or directory rollback. Specialist vendors often catch attacks earlier and offer deeper remediation. Sensor deployment and tuning across many domain controllers takes planning: every DC needs a sensor, sensors need outbound connectivity to the service, and noisy or unmonitored DCs become blind spots.
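Because a domain controller without a running sensor is a blind spot, the first planning step is an inventory of which DCs have the sensor and which do not. The script below is an added example, not code from the page or from Microsoft; it assumes the RSAT ActiveDirectory module, Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7), and rights to query services on each DC remotely. The service name AATPSensor is the name the Defender for Identity sensor registers on Windows.

```powershell
# Added example: report domain controllers across the forest that lack a running
# Defender for Identity sensor. Assumes RSAT and remote service-query rights.
Import-Module ActiveDirectory

$sensorService = 'AATPSensor'   # Windows service name of the MDI sensor
$forest = Get-ADForest

$report = foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $state = 'Unreachable'
        try {
            # Query all services so that "reachable but not installed" is
            # distinguishable from "could not connect".
            $svc = Get-Service -ComputerName $dc.HostName -ErrorAction Stop |
                   Where-Object Name -eq $sensorService
            $state = if ($null -eq $svc) { 'NotInstalled' } else { $svc.Status.ToString() }
        } catch {
            $state = 'Unreachable'
        }
        [pscustomobject]@{
            Domain = $domain
            DC     = $dc.HostName
            Site   = $dc.Site
            Sensor = $state          # Running, Stopped, NotInstalled or Unreachable
        }
    }
}

$report | Sort-Object Domain, DC | Format-Table -AutoSize

$gaps = @($report | Where-Object Sensor -ne 'Running')
Write-Output ("{0} of {1} domain controllers lack a running sensor" -f $gaps.Count, $report.Count)
$gaps | Export-Csv -Path .\mdi-sensor-gaps.csv -NoTypeInformation
```

Run it from a management host with line of sight to every DC and feed the CSV into the rollout plan; anything reported as Stopped or Unreachable deserves a ticket, because an installed but stopped sensor is the same blind spot as no sensor at all. The same check extends to AD FS, AD CS and Entra Connect servers, which also take a sensor, by replacing the Get-ADDomainController enumeration with your own list of those hosts.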
Pricing
Included in Microsoft 365 E5, Enterprise Mobility + Security E5 and the Microsoft 365 E5 Security add-on. A standalone per-user Defender for Identity license exists, but most customers obtain it through one of those bundles, which makes it effectively free if you already hold the license and a meaningful add-on cost if you do not. Model the full E5 commitment, not just this component.
Bottom line
A practical default for E5 customers running Active Directory who want identity detection inside Defender XDR; less suited to multi-IdP estates or to teams that need automated recovery rather than detection.