Attackers don’t move in straight lines or follow predictable, sequential steps. Instead, they think in graphs, seeking the path of least resistance, surveying your environment for weak spots and then leveraging legitimate connections and permissions to quietly traverse your IT landscape. A single compromised account can be a powerful foothold, helping an attacker bypass your other security protocols.
To put this simply, while your account may not be what the attacker is looking for, it’s one step on the path to their ultimate goal. It’s estimated that less than 1% of your organizational footprint is actually of interest to attackers, but 80% of organizations have at least one open attack path to these critical assets. This is why it is so critical to have a deep understanding of the connected identities, accounts and applications that make up your identity fabric.
Layered identity security for the modern enterprise
Identity Threat Detection and Response (ITDR) has to combine modern identity and access management (IAM) and security operations (SOC) through an integrated partnership between identity and security teams. Because of this, our vision remains focused on streamlining how these groups collaborate, breaking down silos to unite these teams, their tools and processes.
Today, I am excited to announce new enhancements to the identity security experience within Defender that will help enrich your security team’s visibility into, and understanding of, your unique identity fabric. These new capabilities include:
- Account correlation links related accounts and corresponding insights to provide identity-level visibility and insights to the SOC.
- Coordinated response allows defenders to take action comprehensively across connected accounts, accelerating response and minimizing the potential for lateral movement.
Account correlation: Mapping the identity fabric, one account at a time
Modern identity fabrics are often complex, reflecting the reality of today’s hybrid and multi-cloud enterprise environments. To understand vulnerabilities and map potential attack paths, security teams must first decipher the relationships between identities, accounts, infrastructure, and a myriad of identity-related apps and tools.
But the complexity doesn’t end with the fabric itself: each identity typically consists of several related accounts.
Figure 1: Example identity footprint showing an interconnected set of accounts related to that single individual
Take the identity footprint in Figure 1 above: here we see a visual representation of the accounts associated with a single user. At the top you’ll see an on-premises Active Directory (AD) account that is synced with a corresponding Entra ID account. This type of hybrid scenario is found in more than 90% of our customers as a way to allow their users to authenticate seamlessly to both legacy on-premises environments and cloud services like Microsoft 365.
In this example the user also has two other accounts: an administrator account with elevated privileges and a misconfigured cloud account. As I mentioned earlier, attackers will use whatever connections they can to move laterally towards their target, and in this case the misconfigured cloud account puts the identity and all its accounts at risk, including the privileged admin.
Defender now links accounts, privileges, and activity patterns across the components of your unique identity fabric, augmenting the powerful graph capabilities within Microsoft Sentinel to provide defenders with one trusted view into the identity’s entire footprint.
Figure 2: Identity page in Microsoft Defender showing related accounts
The detailed understanding of how accounts are connected helps Defender better showcase these risks at the identity level. Posture alerts and recommendations for every related account are now surfaced within a single view.
Figure 3: Identity page within Microsoft Defender showing posture recommendations for the related accounts
But we don’t stop there: with a relational understanding of your unique identity fabric, Defender maps potential attack paths, showing how an attacker could leverage these vulnerabilities on their way to access critical assets.
The easiest way to bring this value to life is using a scenario involving leaked credentials. Earlier this year we unveiled a new leaked credentials alert that extends the powerful detection from Entra to on-premises identities.
Figure 4: A sample attack path showing leaked credentials as an entry point
To do this Microsoft continuously scans public and private breach resources to identify leaked credentials. If a match is found, Microsoft Security Exposure Management automatically identifies the affected user and surfaces the exposure with clear severity and context.
Defender then further validates and correlates that exposure, linking that account to other cross-domain security signals to detect unusual authentications or privilege escalations. These attack path maps are now expanded to show how that compromised account could be leveraged to reach other accounts and ultimately critical assets. One leaked password doesn’t have to become a breach. With Microsoft’s identity security stack, it becomes a closed path and a measurable step toward resilience, showing exactly which routes an attacker could take and what controls will break that path.
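The account-correlation argument above (a misconfigured account putting the whole identity, including its admin account, at risk, and an attack path map from a leaked credential to a critical asset) as an added Python example; this is not Microsoft's or Defender's code. The account names, edge labels and asset names are constructed, and the "same identity" edges encode the post's premise that a compromised account puts its related accounts at risk, not any specific technique. It shows that the path from the leaked low-privilege account to the critical asset only appears once related accounts are correlated, which node every path runs through, and that disabling the identity's accounts together closes the path.

```python
from collections import defaultdict

# Constructed identity fabric for one user, loosely following Figure 1 of the post.
# Edge A -> B means "control of A gives a route to B"; labels are illustrative.
ACCESS_EDGES = {
    "alice@corp.local (AD)": {"alice@contoso.com (Entra)": "synced"},
    "alice@contoso.com (Entra)": {"m365-mailbox": "owner"},
    "alice-admin@corp.local": {"file-server-01": "local admin"},
    "alice-cloud (misconfigured)": {"storage-dev": "contributor"},
}
# Account correlation: the accounts that belong to the same human identity.
IDENTITIES = {"alice": ["alice@corp.local (AD)", "alice@contoso.com (Entra)",
                        "alice-admin@corp.local", "alice-cloud (misconfigured)"]}
CRITICAL_ASSETS = {"file-server-01"}

def build_graph(edges, identities=None):
    """Adjacency map. With identities, add 'same identity' edges, following the post's
    premise that one compromised account puts every related account at risk."""
    graph = defaultdict(dict)
    for src, dsts in edges.items():
        graph[src].update(dsts)
    for accounts in (identities or {}).values():
        for a in accounts:
            for b in accounts:
                if a != b:
                    graph[a].setdefault(b, "same identity")
    return graph

def attack_paths(graph, entry, targets):
    """Every simple path from a compromised entry account to a critical asset."""
    found, stack = [], [[entry]]
    while stack:
        path = stack.pop()
        if path[-1] in targets:
            found.append(path)
            continue
        for nxt in graph.get(path[-1], {}):
            if nxt not in path:          # simple paths only
                stack.append(path + [nxt])
    return sorted(found)

def choke_points(paths):
    """Intermediate nodes shared by all paths: one control there closes every route."""
    return set.intersection(*(set(p[1:-1]) for p in paths)) if paths else set()

def disable_identity(graph, identities, name):
    """Coordinated response: remove every account of the identity, not only the leaked one."""
    dead = set(identities[name])
    return {n: {d: l for d, l in out.items() if d not in dead}
            for n, out in graph.items() if n not in dead}
```

Run `attack_paths` on `build_graph(ACCESS_EDGES)` and on `build_graph(ACCESS_EDGES, IDENTITIES)` from the misconfigured cloud account to see the difference correlation makes; `choke_points` on the correlated result names the admin account as the node every route depends on.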
Turning visibility into coordinated response
Just as security professionals can now see all the related alerts and posture recommendations across the accounts associated with an identity, they can also take direct action across all accounts with one action.
Figure 5: Screenshot of the new "Disable user" experience in Defender
Once analysts confirm that an identity is compromised, they can disable compromised identities comprehensively across providers and applications, turning a previously complex, multi-portal process into a coordinated, identity-wide response.
Get started today
Microsoft Defender’s latest identity security enhancements empower organizations to see and understand their entire identity fabric with unprecedented clarity. By surfacing connected accounts and posture recommendations in a single view, and coordinating response actions, Defender enables security teams to better remediate identities before, during and after a breach. This holistic approach not only strengthens identity posture but also transforms response actions from isolated steps into coordinated, organization-wide defenses. With these innovations, organizations are better equipped to outpace attackers, close open paths, and build lasting resilience in an ever-evolving threat landscape.
Learn more about these capabilities here and join us in San Francisco, November 17–21, or online, November 18–20, for deep dives and practical labs to help you maximize your Microsoft Defender investments and to get more from the Microsoft capabilities you already use.
Featured sessions:
- Microsoft Defender: Building the agentic SOC with guest Allie Mellen
- Blueprint for building the SOC of the future
- Empowering the SOC: Security Copilot and the rise of agentic defense
- Identity Under Siege: Modern ITDR from Microsoft
- AI vs AI: Protect email and collaboration tools with Microsoft Defender
- AI-powered defense for cloud workloads