Every breach has one thing in common: an identity was exploited. Attackers have learned that identity is the fastest path to lateral movement and escalation. The challenge for defenders is that today's identity landscape is vast and fragmented — spanning hybrid environments, SaaS apps, cloud platforms, and autonomous agents. Protecting it demands more than point solutions. It requires continuous visibility, proactive posture reduction, and the ability to detect and disrupt identity threats across the full attack lifecycle.
Leveraging our expertise as a leader in both Identity and Access Management (IAM) and Security, our focus has been to deliver a fast, comprehensive, and increasingly autonomous approach to identity security. It is designed to continuously strengthen identity posture and help SOC teams act faster with less manual effort. Today, I am excited to announce the next set of innovations, including:
- Reimagined Identity Security dashboard and experiences to surface identity insights.
- Expanded protection for more elements of modern identity fabrics, including non-human identities.
- Streamlined detections, including a new identity-level risk score that can be applied directly within risk-based conditional access policies.
- Unified identity view and protection across Active Directory, Entra ID, IAM solutions, SaaS and cloud, with improved at-scale identity correlations.
- New autonomous response capabilities to further speed identity threat triage, disruption and response.
Below is a deeper look at what’s new.
Turning identity sprawl into clarity
Security teams don’t suffer from a lack of identity data — they suffer from a lack of insight across that data. Without context, the flood of activity from various directories, SaaS platforms, cloud services, and on‑premises infrastructure simply becomes noise. Disconnected alerts, isolated accounts, and fragmented investigations make it harder, not easier, to determine what actually matters.
The updated Identity Security dashboard is one of the new experiences designed to help with just that. It serves as the starting point for the SOC to gain a bird's-eye view of their entire identity security status, surfacing critical information on the human and non-human identities from across on-premises, SaaS and cloud environments.
Fueling this, and other identity security experiences within Defender, are the advancements we have made in unifying the identity inventories. First, for human users we have expanded the account correlation capabilities we released at Ignite to include SaaS and cloud accounts. This means that security professionals will have an even more comprehensive view of related accounts, their holistic posture and identity risk. Additionally, we are introducing new, policy-based linkage to help organizations customize these connections at scale.
But modern identity fabrics extend far beyond human users. To address this shift, we are also expanding identity security coverage to include a greater focus on non‑human identities. The new non‑human identity inventory helps security teams to discover, understand, and protect these critical identities within the same identity‑centric view as human accounts.
Defender helps teams see the full identity fabric — not as disconnected components, but as an interconnected system — so they can reduce blind spots, prioritize exposure, and apply consistent protection across the identities attackers increasingly rely on.
Expanded coverage across the modern identity fabric
Staying one step ahead of attackers starts with having a better understanding of what makes you vulnerable and closing those gaps before they can be exploited. With this mission in mind, I am excited to announce a new coverage and maturity view that shows how identity infrastructure, protections, and risk actually connect across your environment. This view serves as a snapshot revealing which access paths are protected, which are exposed, and what to fix next to meaningfully reduce blast radius.
Rather than treating coverage as a static checklist, this experience surfaces actionable insights that show both current status and prioritized next steps, helping teams understand not only what needs to be protected, but also how to systematically improve identity security posture over time. With this clear guidance Defender empowers SOC teams to move from fragmented awareness to confident, identity‑centric protection.
This new view is powered by the native integration available out-of-the-box with Microsoft Entra ID and the dedicated sensors and connectors available for other identity components like Privileged Access Management (PAM) solutions and other identity providers. Building on this, I am pleased to share that we are adding new integrations with solutions like SailPoint and CyberArk that further our commitment to bringing additional depth and coverage for more elements of modern identity landscapes within Defender.
In this same vein, we're making it easier for customers to activate protections across their on-premises identity infrastructure. Today we are excited to share that the unified identity and endpoint agent is extending support for more identity infrastructure and releasing a streamlined experience for existing customers looking to migrate to the new sensor.
In addition to all this we are also adding a new identity explorer experience that is designed to help security professionals uncover identity-based exposures and lateral movement paths within their organization. Leveraging the graph capabilities within Defender and a robust set of pre-defined queries, SOC teams gain new visibility into potential exposure scenarios and end-to-end attack paths.
Streamlined protections and workflows across Defender and Entra
Security teams need to understand how the role, privilege, activity and alerts for each individual account relate to the risk of the identity as a whole. To address this, we’re introducing a new unified risk score that aggregates signals across all linked accounts to calculate a single risk score for the identity.
As you can see in the image above, the score considers the observed activity, criticality, privilege and likelihood of compromise for each linked account and produces a single, actionable view of risk. This means analysts no longer need to decipher various alerts themselves; they can quickly prioritize investigations based on the potential impact and urgency of identity‑driven threats.
But the value of this new unified risk score doesn’t stop at investigation. Entra ID customers can now leverage these new risk signals directly within their risk-based conditional access policies. This gives admins a stronger signal for access decisions, resulting in earlier prevention, detection, and response across the identity control plane. It closes the feedback loop between identity and SOC teams, ensuring that insights gained in the SOC can immediately reduce exposure across the identity fabric.
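To make the two ideas above concrete, policy-based linkage of accounts into one identity and an identity-level score aggregated from per-account signals, here is an added example in Python. It is not Defender's code or scoring model: the linkage policy (case-insensitive UPN match), the privilege and criticality weights, the "riskiest account plus breadth" aggregation, and the field names and sample accounts are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Weights are assumptions for this example, not Defender's actual model.
PRIVILEGE_WEIGHT = {"standard": 1.0, "admin": 1.5, "global_admin": 2.0}
CRITICALITY_WEIGHT = {"low": 0.8, "medium": 1.0, "high": 1.3}


@dataclass
class Account:
    """One account in one directory or app (field names are hypothetical)."""
    source: str                    # "ad", "entra", "saas:salesforce", ...
    name: str                      # account name as the source sees it
    upn: str                       # attribute the linkage policy matches on
    privilege: str = "standard"
    criticality: str = "medium"
    compromise_likelihood: float = 0.0   # 0..1, from risk detections/alerts
    anomalous_activity: float = 0.0      # 0..1, behavioural anomaly score


def by_upn(acct):
    """Default linkage policy: case-insensitive match on UPN / e-mail."""
    return acct.upn.lower()


def link_accounts(accounts, policy=by_upn):
    """Group accounts into identities; `policy` maps an account to the key
    that decides which accounts belong to the same person or workload."""
    identities = defaultdict(list)
    for acct in accounts:
        identities[policy(acct)].append(acct)
    return dict(identities)


def account_risk(acct):
    """Per-account risk in [0, 100]: the stronger of the compromise and
    activity signals, scaled up for privilege and asset criticality."""
    likelihood = max(acct.compromise_likelihood, acct.anomalous_activity)
    score = (100 * likelihood * PRIVILEGE_WEIGHT[acct.privilege]
             * CRITICALITY_WEIGHT[acct.criticality])
    return min(round(score, 1), 100.0)


def identity_risk(accounts):
    """Aggregate linked accounts: start from the riskiest account and add a
    small increment for every other account that is itself risky, so an
    identity exposed in several places ranks above one exposed in one."""
    scores = sorted((account_risk(a) for a in accounts), reverse=True)
    if not scores:
        return 0.0
    top, rest = scores[0], scores[1:]
    breadth = sum(0.1 * s for s in rest if s >= 20)
    return min(round(top + breadth, 1), 100.0)


def score_identities(accounts, policy=by_upn):
    """Return {identity key: unified risk score}, highest first."""
    scored = {key: identity_risk(group)
              for key, group in link_accounts(accounts, policy).items()}
    return dict(sorted(scored.items(), key=lambda kv: kv[1], reverse=True))


def sample_accounts():
    """Constructed inventory: one person with AD, Entra and SaaS accounts,
    plus an unrelated service account (all values made up)."""
    return [
        Account("ad", "CONTOSO\\jdoe", "jdoe@contoso.com",
                compromise_likelihood=0.2, anomalous_activity=0.1),
        Account("entra", "jdoe@contoso.com", "jdoe@contoso.com",
                privilege="global_admin", criticality="high",
                compromise_likelihood=0.3),
        Account("saas:salesforce", "j.doe", "JDoe@contoso.com",
                anomalous_activity=0.4),
        Account("entra", "svc-backup", "svc-backup@contoso.com",
                privilege="admin", compromise_likelihood=0.1),
    ]


if __name__ == "__main__":
    # jdoe's three accounts collapse into one identity scored 84.0;
    # the lone service account scores 15.0.
    for key, score in score_identities(sample_accounts()).items():
        print(f"{key:28s} {score:5.1f}")
```

The design choice worth noting is that aggregation is not a plain average: averaging a high-privilege Entra account with two quiet accounts would dilute exactly the signal a conditional access policy should act on, so the identity inherits its riskiest account's score and then gains a little for each additional exposed account. Swapping `by_upn` for another callable (for example a key built from an employee ID attribute) is how a policy-based linkage rule would be customised in this model.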
Together, these advances transform identity sprawl into clarity. By automatically connecting the dots and surfacing insights instead of raw data Defender is elevating what matters most, helping security teams cut through noise, focus on true risk, and respond to identity‑based threats with greater speed and confidence.
New Identity detections using novel and unique sensor capabilities
Detection opportunities start with visibility and sensor capabilities, and we are excited to share a new capability that significantly improves how we see identity-based attacks on Domain Controllers. We work closely with the Windows team within Microsoft and are introducing new Event Tracing for Windows (ETW) telemetry that gives us richer insight into Kerberos activity. This allows us to safely access important ticket details that were previously hidden while the ticket was in use, without needing to break or decrypt the ticket itself.
With this additional context, we can spot unusual behavior that points to forged or tampered Kerberos tickets more accurately than before. By connecting this new operating system signal directly into our identity threat detection capabilities, we unlock a unique level of protection. It also opens up new investigation and hunting scenarios for SOC analysts who want deeper visibility into Kerberos related activity.
Our first detection using this new sensor capability (“Possible golden ticket attack (suspicious ticket)”) is now generally available, and further exemplifies why our strategy is so revolutionary. Previously, detecting these types of attacks would require decrypting the ticket/token itself, introducing even more potential for exposure. With this ETW telemetry, however, we have the same visibility without the risk.
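The post does not describe the ETW schema or the detection's internals, so the following is an added example of the kind of consistency check a defender can run once ticket metadata is visible without decrypting the ticket. It is not Defender's detection logic: the record fields, the directory snapshot, the SIDs and the sample observations are constructed, and the three indicators it applies (ticket lifetime beyond domain policy, a client account or SID that does not match the directory, and an RC4 ticket for an AES-enabled account) are long-standing, publicly documented signs of a forged TGT rather than anything taken from the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed directory snapshot with hypothetical SIDs: account -> attributes.
DOMAIN_SID = "S-1-5-21-1000-2000-3000"
DIRECTORY = {
    "alice": {"sid": DOMAIN_SID + "-1104", "aes_enabled": True},
    "bob":   {"sid": DOMAIN_SID + "-1105", "aes_enabled": False},
}
MAX_TGT_LIFETIME = timedelta(hours=10)   # assumed domain Kerberos policy
RC4_HMAC = 23                            # etype numbers per RFC 4757 / RFC 3962
AES128, AES256 = 17, 18


@dataclass
class TicketUse:
    """Metadata observed when a TGT is presented (hypothetical field names)."""
    client: str
    client_sid: str
    etype: int
    start: datetime
    end: datetime
    issuing_dc: str


def suspicious_reasons(t):
    """Return the list of indicators that make this ticket look forged or
    tampered; an empty list means the ticket is consistent with policy."""
    reasons = []
    account = DIRECTORY.get(t.client.lower())
    if account is None:
        reasons.append("client account does not exist in the directory")
    elif account["sid"] != t.client_sid:
        reasons.append("client SID in ticket does not match directory SID")
    lifetime = t.end - t.start
    if lifetime > MAX_TGT_LIFETIME:
        reasons.append(f"lifetime {lifetime} exceeds policy maximum {MAX_TGT_LIFETIME}")
    if t.etype == RC4_HMAC and account is not None and account["aes_enabled"]:
        reasons.append("RC4 ticket for an AES-enabled account (encryption downgrade)")
    return reasons


def scan(events):
    """Return [(client, reasons)] for every ticket with at least one indicator."""
    flagged = []
    for t in events:
        reasons = suspicious_reasons(t)
        if reasons:
            flagged.append((t.client, reasons))
    return flagged


def sample_events():
    """Constructed ticket observations: one benign, three anomalous."""
    t0 = datetime(2025, 1, 6, 8, 0, 0)
    ten_hours = timedelta(hours=10)
    return [
        # Benign: AES256, 10h lifetime, SID matches the directory
        TicketUse("alice", DOMAIN_SID + "-1104", AES256, t0, t0 + ten_hours, "DC01"),
        # Forged-looking: RC4 for an AES account and a ten-year lifetime
        TicketUse("alice", DOMAIN_SID + "-1104", RC4_HMAC, t0,
                  t0 + timedelta(days=3650), "DC01"),
        # Ticket for an account that does not exist in the directory
        TicketUse("ghost", DOMAIN_SID + "-9999", AES256, t0, t0 + ten_hours, "DC01"),
        # Tampered identity: bob's name carrying alice's RID (RC4 is allowed for bob)
        TicketUse("bob", DOMAIN_SID + "-1104", RC4_HMAC, t0, t0 + ten_hours, "DC02"),
    ]


if __name__ == "__main__":
    for client, reasons in scan(sample_events()):
        print(client, "->", "; ".join(reasons))
```

Each indicator here is derived only from the ticket's cleartext-visible attributes compared against directory state and policy, which is the point the post makes: with the right telemetry the question "is this ticket plausible?" can be answered without ever handling the ticket's key material. In production the directory snapshot and policy values would of course be read from the domain rather than hard-coded.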
We know that identity attacks no longer stop at the perimeter. Recognizing that modern adversaries target on‑premises, hybrid, and cloud identities alike, we also invested heavily in expanding our detection capabilities across this full spectrum. In particular, we introduced new detections for emerging attack techniques targeting Entra ID as a platform. While Entra ID Protection continues to deliver broad, native protection for Entra users and identities, the core mission of Identity Threat Protection products is to go further, also detecting sophisticated post‑breach activity and lateral movement where attackers directly target the identity provider itself, often by exploiting the hybrid trust and linkage between on‑premises and cloud environments. We are excited to announce the availability of the following new detections:
- 4 new detections for anomalies and attacks targeting the Entra ID sync application in hybrid environments
- 2 new detections for suspicious device registration/join across Entra and Intune
- 1 new detection for techniques abusing the OAuth authorization flow for browser-based attacks, as observed in the wild recently (“ConsentFix”)
Powering autonomous Identity Threat Protection
When a security incident is unfolding, every second matters. Attackers are already operating at machine speed, and human response alone can’t keep up, which is why AI-powered capabilities are essential for detecting, triaging and remediating identity threats in time.
As part of our push toward autonomous Identity Threat Protection, we’re extending Security Copilot’s agentic triage capabilities to identity. We’ve already seen the impact of outcome-driven autonomous workflows in phishing, where our agent identifies 6.5 times more malicious alerts than human analysts working alone. Today, that same capability is extending beyond phishing to include identity alerts.
The new Security Alert Triage Agent autonomously evaluates high‑volume identity alerts, distinguishing true threats from noise, and surfacing clear, explainable verdicts so analysts can focus immediately on what requires action. At Public Preview, it supports triage of alert types involving password spray attempts, suspicious inbox rules associated with business email compromise (BEC), and accounts potentially compromised following a password spray attack. Learn more about Security Copilot in Defender announcements here.
In parallel, we’re expanding identity takeover predictive shielding, using real‑time exposure and attack path insights to proactively harden the identity attack surface during an active incident—blocking attacker progression before high‑value identities can be compromised. Together, these capabilities shift identity defense from reactive investigation to real‑time disruption, helping security teams contain attacks faster, reduce blast radius, and stay ahead of adversaries when it matters most.
At Ignite, we introduced predictive shielding, an AI-powered capability in automatic attack disruption that predicts an attacker’s next move in an active attack and applies targeted, just-in-time hardening to block them before they can pivot. Today, predictive shielding proactively hardens many of the controls attackers most often rely on to regain access, such as SafeBoot abuse and Group Policy Objects. We’ve already seen tremendous impact across our customers, including a large public university:
“During a ransomware incident, Microsoft Defender’s attack disruption stopped the attack before it could progress. In parallel, predictive shielding applied Safe Boot hardening across key devices, helping protect against a common evasion tactic—rebooting endpoints into Safe Mode to try and bypass protections like disruption. Together, these layers increased our confidence and resilience during the incident.”
This speed and accuracy matter because identity-based attacks now operate at massive scale, with each user tied to many accounts across the environment, making it increasingly difficult to protect every identity.
We are excited to share that we’re expanding this set of just-in-time hardening actions tailored for identity-based attacks. This includes:
- RemoteOps hardening: restricts high-risk remote administrative operations such as RPC-based actions that attackers rely on for lateral movement and hands-on-keyboard control.
- Remote Registry hardening: prevents attackers from remotely modifying sensitive registry settings often used to weaken security controls or enable credential theft.
What makes these controls unique is their precision: Defender shields only the specific assets at risk, rather than applying broad, organization-wide restrictions, maximizing security while minimizing business impact.
Looking ahead
Identity has become the foundation of access, trust, and control in modern enterprises—and the primary target for attackers. The announcements detailed throughout this blog reflect our continued commitment to advancing identity security and to helping customers stay ahead of rapidly evolving identity-based threats.
We’re excited to share more throughout the week at RSA, and we look forward to partnering with customers as they continue their journey toward comprehensive, identity-centric security.