Microsoft Defender for Identity extends ITDR capabilities to Okta identities
Identities are the organization’s new security perimeter and are a prime target for cyber-criminals. However, with today’s ever-evolving digital landscape, security leaders often wrestle with a tapestry of different identity solutions spanning multiple environments and vendors, making identity protection more challenging than ever. Because of this, security professionals understand that identity threat detection and response (ITDR) is a fundamental piece of their security practice that helps them to comprehensively secure their unique identity fabric across identity solutions, environments, and vendors. What is changing? Today, I am excited to announce that Microsoft Defender for Identity is extending its identity protection to protect Okta identities, that’s in addition to the already robust protection for on-premises Active Directory and Entra ID identities. As a leader in both Identity (IAM) and security, Microsoft provides comprehensive visibility, posture recommendations, and detection and response capabilities for our customer’s unique identity fabric - now including Okta. With these new protections from Defender, our customers will benefit from enhanced visibility and control for their Okta environments, including: Holistic identity visibility – A unified identity inventory with correlated view of accounts across Active Directory, Entra ID, and Okta. For instance, a user with an Entra ID and an Okta account would appear as one entity - meaning SOC professionals can easily zoom into a specific identity to see all their related accounts, their privileges, and any related security alerts. This holistic perspective is crucial for maintaining robust security postures and allows IT and security teams to identify potential vulnerabilities across different platforms seamlessly. Identity Threat Detection and Response (ITDR) – Alert on identity threats in Okta and trigger corresponding response actions, including detection of lateral movement between on-premises and cloud environments. This capability is crucial for mitigating sophisticated attacks that seek to exploit the transition between different identity platforms. The integration will also surface Okta logs and data within the Advanced Hunting like we already do for Active Directory and Entra ID, allowing security teams to delve into threats across the different platforms in a single place. Identity-specific posture recommendations (ISPM) - Expand the already robust set of identity security posture recommendations to include recommendations for Okta identities (e.g. dormant Okta accounts), and map how those posture gaps can be leveraged into attack paths. Adhering to these posture recommendations enables organizations to proactively prevent threats, rather than responding reactively. How can I take advantage of these new capabilities? Defender for Identity customers looking to take advantage of these new capabilities can read more here. Be advised that to get the full potential of enhanced integration, make sure your organization has Okta for Workforce with Identity Enterprise license.NEW: Scope Identity Protection with Defender for Identity
I am excited to announce the public preview of domain-based scoping for Active Directory within Microsoft Defender for Identity. This is a foundational step in extending role-based access control (RBAC) as part of the broader XDR URBAC initiative. This new capability enables SOC analysts to define and refine the scope of Microsoft Defender for Identity monitoring, providing more granular control over which entities and resources are included in security analysis. What is “scoping” and why does it matter? As organizations grow, so does their identity fabric and as security professionals look to manage these increasingly complex identity environments, the ability to control who can access what -and where- is critical. Whether for legal or efficiency reasons many organizations need a way to delegate access based on responsibility or ownership. The new scoping capability is part of Microsoft Defender's unified role-based access control (URBAC) model which allows customers to refine investigation and administration experiences by Active Directory domains, providing: Optimize performance - improve efficiency by focusing analysts on critical assets without the noise of other non-essential alerts and data outside their purview. Enhance visibility control - visibility on specific Active Directory domains. Support operational boundaries - align access and responsibility across SOC analysts, identity admins, and regional teams. This enhancement is part of Microsoft Defender XDR’s unified role-based access control (URBAC) model and sets the foundation for even more granular controls in the future. What can be scoped? Users assigned to scoped roles will only see data, such as alerts, identities, and activities, related to the Active Directory domains included in the assignment in the XDR role. This ensures that security teams can focus on the assets they are responsible for, without being exposed to information from outside their organizational boundaries. Today this includes: Alerts and incidents: Analysts will only see alerts and incidents related to identities within the scoped Active Directory domains within their queue. Entity pages: Users can only access the account details of identities within the Active Directory domains they are scoped for. Advanced hunting and investigations: Data is automatically filtered to include only scoped data. For the full list of supported experiences, see our documentation. How to configure scoping rules: This release is part of our ongoing XDR URBAC effort, bringing consistent and unified role-based access control across Microsoft Defender products. Domain-based scoping is now available for public preview in Microsoft Defender for Identity and aligns with the same RBAC principles used across the XDR platform. To enable the feature, follow these steps: Navigate to XDR permissions page --> Microsoft Defender XDR --> Roles. You can edit existing roles or create a new custom role Add an assignment and create a scoping role with the same set of permissions Define Entra ID user or groups to be assigned to the role Choose Microsoft Defender for Identity as a data source and select User groups (AD domains) that will be scoped to the assignment. Once configured, customers can restrict SOC analysts to viewing only specific entities, ensuring they have access only to the data relevant to their responsibilities and improving security control. Before enabling scoping, ensure that: You have Microsoft Defender for Identity sensor installed. The Identity workload for URBAC is activated. To manage roles without Global Administrator or Security Administrator privileges, customers must configure Authorization permissions through URBAC. Learn more here. What’s next As this feature is in Public Preview, some experiences are still in progress and will be expanded over time. For setup guidance and more details, visit the Defender for Identity documentation. To stay informed about upcoming enhancements and expanded support for scoping experiences, follow our What’s New documentation page.Monthly news - June 2025
Microsoft Defender XDR Monthly news - June 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from May 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel From on-premises to cloud: Graph-powered detection of hybrid attacks with Microsoft exposure graph. In this blog, we explain how the exposure graph, an integral part of our pre-breach security exposure solution, supercharges our post-breach threat protection capabilities to detect and respond to such multi-faceted threats. (Public Preview) Unified detections rules list that includes both analytics rules and custom detections is in public preview. Learn more in our docs. The Best of Microsoft Sentinel — Now in Microsoft Defender. We are proud to share that the most advanced and integrated SIEM experience from Microsoft Sentinel is now fully available within the Microsoft Defender portal as one unified experience. (General Available) Multi workspace for single and multi tenant is now in General Available. (Public Preview) Case management now available for the Defender multitenant portal. For more information, see View and manage cases across multiple tenants in the Microsoft Defender multitenant portal. (Public Preview) You can now highlight your security operations achievements and the impact of Microsoft Defender using the unified security summary. For more information, see Visualize security impact with the unified security summary. (Public Preview) New Microsoft Teams table: The MessageEvents table contains details about messages sent and received within your organization at the time of delivery (Public Preview) New Microsoft Teams table: The MessagePostDeliveryEvents table contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization (Public Preview) New Microsoft Teams table: The MessageUrlInfo table contains information about URLs sent through Microsoft Teams messages in your organization Unified IdentityInfo table in advanced hunting now includes the largest possible set of fields common to both Defender and Azure portals. Microsoft Defender for Endpoint (Webinar - YouTube Link) Secure Your Servers with Microsoft's Server Protection Solution- This webinar offers an in-depth exploration of Microsoft Defender for Endpoint on Linux. Defender for Endpoint successfully passes the AV-Comparatives 2025 Anti-Tampering Test. Discover how automatic attack disruption protects critical assets while ensuring business continuity. Microsoft Defender for Office 365 Part 2: Build custom email security reports and dashboards with workbooks in Microsoft Sentinel New deployment guide: Quickly configure Microsoft Teams protection in Defender for Office 365 Plan 2 New SecOps guide: Security Operations Guide for Teams protection in Defender for Office 365 Video - Ninja Show: Advanced Threat Detection with Defender XDR Community Queries Video- Mastering Microsoft Defender for Office 365: Configuration Best Practices Video - Ninja Show: Protecting Microsoft Teams with Defender for Office 365 This blog discussed the new Defender for Office 365 Language AI for Phish Model. SafeLinks Protection for Links Generated by M365 Copilot Chat and Office Apps. Microsoft Defender for Cloud Apps New Applications inventory page now available in Defender XDR. The new Applications page in Microsoft Defender XDR provides a unified inventory of all SaaS and connected OAuth applications across your environment. For more information, see Application inventory overview. The Cloud app catalog page has been revamped to meet security standards. The new design includes improved navigation, making it easier for you to discover and manage your cloud applications. Note: As part of our ongoing convergence process across Defender workloads, Defender for Cloud Apps SIEM agents will be deprecated starting November 2025. Learn more. Microsoft Defender for Identity (Public Preview) Expanded New Sensor Deployment Support for Domain Controllers. Learn more. Active Directory Service Accounts Discovery Dashboard. Learn more. Improved Visibility into Defender for Identity New Sensor Eligibility in the Activation page. The Activation Page now displays all servers from your device inventory, including those not currently eligible for the new Defender for Identity sensor. Note: Local administrators collection (using SAM-R queries) feature will be disabled. Microsoft Security Blogs Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape Marbled Dust leverages zero-day in Output Messenger for regional espionage Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer New Russia-affiliated actor Void Blizzard targets critical sectors for espionage Defending against evolving identity attack techniques Threat Analytics (Access to the Defender Portal needed) Activity profile - AITM campaign with brand impersonated OAUTH applications Threat overview: SharePoint Server and Exchange Server threats Vulnerability profile: CVE-2025-24813 – Apache Tomcat Path Equivalence Vulnerability Actor profile: Storm-0593 [TA update] Actor profile: Storm-0287 Activity Profile: Marbled Dust leverages zero-day to conduct regional espionage [TA update] Technique profile: ClickFix technique leverages clipboard to run malicious commands Technique profile: LNK file UI feature abuse Technique profile: Azure Blob Storage threats Activity profile: Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer Vulnerability profile - CVE-2025-30397 Activity profile: Recent OSINT trends in information stealers
Expanding the Identity perimeter: the rise of non-human identities
Expanding the Identity perimeter With the rise of cloud applications and AI, machine-to-machine access and authentication has become even more prevalent. From automating workflows, integrating applications, managing cloud services and even powering AI agents, non-human identity (NHI) has become vital to modern work. These digital constructs come in many different varieties, each with their own unique characteristics, but because they are foundational elements of many critical business processes, they represent a prime target for cyber-criminals. Not only do NHI greatly outnumber their human counterparts but they are also often highly privileged, eliminating the need for the attacker to elevate this status themselves. AI agents are expected to drive even faster growth machine identities. Copilot Studio alone has more than 230,000 organizations — including 90% of the Fortune 500- already using it to build AI agents and automations. What are non-human Identities? Non-human identities or machine identities like service accounts in Active Directory, Entra registered service principals and third-party OAuth apps, cloud workload identities, AI agents and Secrets each have their own unique roles, responsibilities and vulnerabilities. Despite their importance, there is no team dedicated to securing them holistically, leading to a lack of: Visibility: Different teams are often responsible for the creation of the various types of NHI. Due to this, organizations are often blind to what accounts exist, where, and who owns them. Governance and Management: Limited policies and regulations on how these accounts should be set up, used and managed can create situations where accounts are overprivileged or shared across multiple applications and even where their credentials are stored in plain text or their passwords become stale and susceptible to exploitation. Gaps like these in policy and the lifecycle management of NHI expose organizations to increased risk. Protection: Without dedicated security controls, non-human identities (NHIs) are often left exposed to threats such as credential theft, misuse, or unauthorized access. Many of these identities operate with elevated privileges, making them attractive targets for attackers. A lack of consistent monitoring, anomaly detection, and automated response mechanisms further increases the risk. Effective protection requires implementing least privilege access, rotating credentials regularly, encrypting secrets, and integrating NHIs into a broader identity threat detection and response strategy. How can Microsoft help protect your NHI? While NHIs are a recent term, they have been a critical focus area within Microsoft Security for a long time. Today, Microsoft Security delivers an end-to-end solution for monitoring, securing, and managing non-human identities across their entire lifecycle. Organizations benefit from a comprehensive set of unified capabilities, including: Full-spectrum discovery and visibility: Identify all non-human identities and secrets - including service principals, tokens, keys, and application credentials, across hybrid and multi-cloud environments. Enrichment and risk analysis: Gain deep insights into each identity’s privileges, activity patterns, ownership, and authentication methods to prioritize risks and streamline remediation. Secrets management: Detect secrets in insecure or inappropriate locations, validate their usage, and provide actionable recommendations for protection and remediation. Lifecycle and access governance: Monitor for stale or orphaned accounts, govern OAuth enabled and third-party connections, enforce credential rotation, manage ownership transfer, and ensure secure decommissioning of machine identities. Threat detection and response: Get alerts on suspicious activity or policy deviations, such as unusual privilege escalation, excessive app permissions, or risky machine-to-machine communications. Together, these integrated capabilities empower organizations to proactively identify and mitigate NHI risks, reduce attack surfaces, and strengthen access controls, no matter where identities live or how fast they change. Microsoft brings these protections together, so you can secure every identity -– human and non-human -– across your digital estate. For example, automatic classification rules help organizations quickly find and secure Service Accounts within their organization. 1: Service Account classification capabilities from Defender for Identity And the Microsoft's "Attack Paths" capabilities allow users to see all their NHIs, their connections, associated risks and context, as well as potential lateral movement paths. 2: Attack path mapping in Microsoft Defender illustrates a scenario where a resource contains a service principal certificate that can authenticate asa service principal with permissions to a sensitive database. This represents a risky lateral movement path — one that is now visible and can be proactively secured. What does this mean for you? Non-human identities (NHI) have become a critical yet overlooked component of modern security practices. While each type of NHI poses distinct challenges, they are tightly interconnected and require expertise across the security landscape. This is what makes Microsoft such a powerful partner. Our leadership in identity, security and now AI make us uniquely qualified to help your organization, and your machine identities, stay protected against threats. Our unified approach: consolidating visibility, control, and protection across AI, cloud, apps, data, devices and identities helps comprehensively secure all NHI and your organization. And this is only the beginning. Our team is already hard at work building the cohesive, intelligent defense layer our customers will need to remain protected today and, in the future, including leveraging our leadership in AI to help our customers secure their organizations, and their AI agents, against attacks.Monthly news - May 2025
Microsoft Defender XDR Monthly news May 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from April 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel What’s new in Microsoft Defender XDR at Secure 2025 New blog post: Empowering SOC Analysts: Investigating Identity Threats with Microsoft Defender XDR. (GA) Multi Tenant Organizations (MTO) expanded support for up to 100 tenants per view per user is now generally available! We are delighted to announce that Microsoft Defender MTO now supports the ability, for each user, to add up to 100 tenants to their view. We extended the number of tenants you can see in one single pane of glass – from 50 to 100. You can now view incidents, investigate, view device inventory and vulnerabilities on a larger number of tenants at the same time. Expanding Cross Cloud Multitenant Security Operations for Government Customers. This blog post summarizes a new capability that enhances multitenant security operations for government cloud customers, enabling cross-cloud visibility and centralized security management. We invite you to give this new capability a try! (Public Preview) The OAuthAppInfo table is now available for preview in advanced hunting. The table contains information about Microsoft 365-connected OAuth applications registered with Microsoft Entra ID and available in the Defender for Cloud Apps app governance capability. The OnboardingStatus and NetworkAdapterDnsSuffix columns are now available in the DeviceNetworkInfo table in advanced hunting. Automatic attack disruption: Enhanced containment for critical assets and shadow IT. This blog post introduces new, extended capabilities in automatic attack disruption. Announcing Rich Text for Case Management. In the dynamic world of SecOps, managing and communicating information efficiently is vital. Rich Text for Case Management introduces capabilities that allow you to enrich your case documentation with various formatting options, including bold, italics, underlining, code blocks, links, tables, and more. (Public Preview) You can now create data security investigations in the Microsoft Defender portal with the integration of Microsoft Purview Data Security Investigations (preview) and Microsoft Defender XDR. This integration allows security operations center (SOC) teams to enhance their investigation and response to potential data security incidents like data breaches or data leaks. Learn more in our docs. (Public Preview) Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. Learn more in our docs. Microsoft Defender for Endpoint Updated documentation Schedule antivirus scans using Group Policy Schedule antivirus scans using PowerShell Two new ASR rules are now generally available: Block rebooting machine in Safe Mode: This rule prevents the execution of commands to restart machines in Safe Mode. Block use of copied or impersonated system tools: This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools. (General Available) Defender for Endpoint supports ARM64-based Linux servers across various Linux distributions, including Ubuntu, RHEL, Debian, SUSE Linux, Amazon Linux, and Oracle Linux. All product capabilities that are supported on AMD64 devices are now supported on ARM64-based Linux servers. For more information, see the following articles: Tech Community Blog: Defender for Endpoint extends support to ARM-based Linux servers Microsoft Defender for Endpoint on Linux Microsoft Defender for Office 365 Announcing the Public Preview of Auto-Remediation of Malicious Entity Clusters Identified in Automated Investigation and Response (AIR). Defender for Office 365 automated investigation and response is being enhanced to enable AIR to automatically remediate malicious entity clusters. AIR currently recommends actions for SecOps to approve or decline and this enhancement will allow customers the option to configure auto-remediation for AIR to automatically execute the soft deletion of messages included in malicious URL or malicious file clusters. Options to "tune" controls within Defender for Office 365 for an organization to maximize protection and efficacy. We are pleased to announce that if you are using third-party report message solutions in Microsoft Outlook, such as Knowbe4, Hoxhunt, and Cofense, you can now configure Defender for Office 365 to automatically forward these suspicious messages to Microsoft for analysis. The Outlook.com consumer email service will require compliance with SPF, DKIM, and DMARC email authentication standards for domains sending more than 5000 messages to outlook.com, hotmail.com, and yahoo.com recipients as of 5 May, 2025. Learn more in this blog post.. Microsoft Defender for Cloud Apps Enhanced alert source accuracy. This update, applicable to new alerts only, are reflected across various experiences and APIs, including the Defender XDR portal, Advanced hunting, and Graph API. (Public Preview) Investigate OAuth application attack paths in Defender for Cloud Apps Microsoft Defender for Identity (General available) Identities guided tour New attack paths tab on the Identity profile page New and updated events in the Advanced hunting IdentityDirectoryEvents table Identity page enhancements such as user timeline side panel, password last change field on the UI, devices tab filters and others. Deprecation of Defender for Identity alert email notifications (Public Preview) Defender for Identity integration with Entra Privileged Identity Management (PIM) Privileged Access Management (PAM) vendors integration with Defender for Identity – CyberArk, Delinea and BeyondTrust Microsoft Security Blogs Threat actors leverage tax season to deploy tax-themed phishing campaigns As Tax Day approaches in the United States on April 15, Microsoft has detected several tax-themed phishing campaigns employing various tactics. These campaigns use malicious hyperlinks and attachments to deliver credential phishing and malware including RaccoonO365, AHKBot, Latrodectus, BruteRatel C4 (BRc4), and Remcos. Exploitation of CLFS zero-day leads to ransomware activity Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets. Microsoft released security updates to address the vulnerability, tracked as CVE 2025-29824, on April 8, 2025. Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI Exchange Server and SharePoint Server are business-critical assets and considered crown-jewels for many organizations, making them attractive targets for attacks. Threat actors misuse Node.js to deliver malware and other malicious payloads Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration. Understanding the threat landscape for Kubernetes and containerized assets The dynamic nature of containers can make it challenging for security teams to detect runtime anomalies or pinpoint the source of a security incident, presenting an opportunity for attackers to stay undetected. Microsoft Threat Intelligence has observed threat actors taking advantage of unsecured workload identities to gain access to resources, including containerized environments. Threat Analytics (Access to the Defender Portal needed) Activity profile: Tax and IRS-themed phishing campaigns [TA update] Tool profile: Grandoreiro banking trojan Activity profile - Threat actors using fake Chrome updates to deliver Lumma Stealer Actor profile: Storm-2256 Actor Profile - Storm-1877 [TA update] Vulnerability profile: CVE-2025-26633 Vulnerability profile - CVE-2025-29824 Activity profile: Cryptomining infection by malicious AutoIT scripts uses masqueraded Ncat for C2 communications Technique profile: ClickFix technique leverages clipboard to run malicious commands [TA update] Actor profile: Storm-1249 Tool profile - XCSSET Tool profile: ReedBed Quarterly cyber threat report: MITRE ATT&CK framework trends in OSINT (January to March 2025) Actor Profile - Storm-1125 Activity profile: Sapphire Sleet using GoLang files to download malware Technique Profile: Device Code PhishingProtect and Detect: Microsoft Defender for Identity Expands to Entra Connect Server
We are excited to announce a new Microsoft Defender for Identity sensor for Entra Connect servers. This addition is a significant step in our ongoing commitment to expanding Defender for Identity’s coverage across hybrid identity environments. It reinforces our vision of overseeing and protecting the entire identity fabric, greatly enhancing the SOC’s visibility and protections for these complex environments.Empowering SOC Analysts: Investigating Identity Threats with Microsoft Defender XDR
Identities have been a top threat vector forever. However, the rise of cloud identity attacks and an ever increasingly complex digital estate has made a tough problem even harder. Securing identities has always required a close partnership between two different functional teams – the identity and access management teams that are responsible for managing, authenticating, and authorizing user access to protected systems and data; and the security teams that detect and respond to threats across the entire digital estate. Nowhere is this more apparent than during a security incident. Let’s take a look at a common attack type like this phishing email example below: While this is a straightforward scenario, it’s still extremely effective as many organizations aren’t equipped to protect against it. The 2024 Verizon Data Breach Investigation report detailed how the median time for an attacker to access data from phishing is now just 60 seconds, giving the security team little time to triage alerts across email, identity, and endpoints, coordinate with the IAM team to disable the user and reset the password, and clean up any affected devices and inboxes. This is where implementing an integrated Identity Threat Detection and Response (ITDR) solution comes in. Our solution breaks down the existing silos between your identity and security teams by natively integrating our IAM solution, Microsoft Entra ID, and our identity threat protection solution, Microsoft Defender for Identity into our Extended Detection and Response (XDR) platform. Our ITDR offering is unique in that it delivers robust ITDR capabilities where your teams already work today. This means empowering the SOC to investigate identity alerts directly within Defender while also surfacing necessary insights from those investigations for Identity Admins directly within the Entra experience. Enhancing XDR with ITDR Identity is a core pillar of our XDR solution. Capitalizing on Microsoft’s leadership in both Identity and Access Management (IAM) and security, Defender correlates identity data and insights with Endpoint, Cloud, SaaS app and collaboration alerts to help security professionals better understand the full scope of security threats without spending hours triaging and correlating alerts. Customers benefit from the following within the Defender experience: 1. Enriched visibility across the identity fabric The ITDR dashboard provides the SOC with a single, prioritized view of Identity-specific security information and recommendations. Pulling relevant alerts and insights from across their identity footprint, this pane helps SOC teams better understand their identity posture and quickly manage potential identity-related security risks. Additionally, the recently updated identity inventory provides visibility into all the identities within their fabric including human and non-human, on-premises or in the cloud, from Microsoft or another provider. Each one of those identities also has a corresponding identity page which offers even more insights into the identity itself and allows the SOC to take action on that identity, right from the experience. 2. Proactive Identity posture and prevention The robust posture recommendations within Microsoft Security Exposure Management include Identity-specific posture recommendations (ISPM’s) that range from spotting common misconfigurations to helping customers address vulnerabilities across Active Directory, Entra ID and other common identity fabric elements, before they can be exploited. This is further enriched with attack path modeling, which provides a prioritized queue of possible attack paths that could be exploited by a threat actor. This helps the SOC and identity teams understand the entire scope of vulnerabilities—from initial access to reach critical data—and work together to prioritize the highest priority exposures. Again, because of the native integration between Entra ID and Defender the recommendations surfaced to identity admins and SOC professionals are consistent, helping the two teams work in unison to strengthen their overall identity. Defender for Identity provides dedicated sensors for Domain Controllers, Active Directory Federation Services (ADFS), Active Directory Certificate Services (AD CS) and Entra ID Connect to provide comprehensive visibility into on-premises identity environments while Entra ID does the same for cloud identities. 3. Incident-level visibility Microsoft Defender uses XDR-level detections to automatically correlate all related alerts into prioritized incidents – making it easy for analysts to see which alerts are tied to a broader incident and need to be addressed first. Incidents are automatically updated if new related alerts are triggered, so analysts can be confident they’re always looking at the latest info. Incidents are also automatically enriched with identity-related insights – like recently logged on users on an endpoint, recent activity, MFA type, open incidents, Entra ID risk level, and more—so the SOC team can quickly understand the full context of a user without needing to go hunting. All of this information is synced automatically with Microsoft Entra, ensuring both the identity and SOC teams are looking at the same data. This context is also showcased within the hunting experience. Customers can hunt for emerging threats across identity and other domains right from the same pane. 4. Automated Threats Response With attackers moving laterally in just minutes, even the best security teams will be challenged to respond in time with manual processes. Microsoft Defender utilizes AI to automatically take action on in-progress attacks and prevent lateral movement. This built-in, self-defense capability uses the correlated signals in XDR, the latest threat intelligence, and machine learning backed models to accurately predict the attack path used and block an attacker’s next move before it happens with above 99% confidence. Disruption attacks only take the minimum action necessary to stop the attacker – like disabling a compromise user or containing an affected endpoint – limiting the impact on the organization and leaving the SOC and identity teams in control to complete the investigation and bring assets back online. Security professionals can take direct action on identities right from the XDR experience through actions like “Confirm user as compromised” or “Disable user,” to mitigate an active threat. These updates are reflected automatically in the Entra portal, so they work in conjunction with Entra’s risk based conditional access. That way, when an identity is confirmed as compromised by the SOC, the risk level within Entra will automatically be raised and the relevant conditional access policies will be triggered at the next login to prevent future attacks. This signal loop protects customers both proactively through continuous monitoring and zero-trust policy engine , and reactively through real-time alerts and response from both Entra ID and Defender XDR. Conclusion In today's dynamic cyber landscape and with the complexity of modern identity environments, SOC analysts require a single pane of glass view into and the ability to effectively combat identity threats. Microsoft XDR, with its integration of Microsoft Defender for Identity and Microsoft Entra ID, provides a unified platform that enhances identity threat detection, investigation, and response capabilities, across on-prem and cloud. The seamless flow of data, alerts and workflows between IAM and Security teams created by this integration closes the loop between reactive and preventative identity protection helping organizations stay ahead of adversaries and ensure the security and integrity of their systems and data.
Discover and protect Service Accounts with Microsoft Defender for Identity
When people think about “identities” many default to the human variety – a user with a username and password. But by most estimates, human identities are outnumbered more than 10:1 by their non-human counterparts. Non-human identities, which can encompass service accounts, cloud workload identities and even security “secrets”, are essential elements of the machine-to-machine communication that drives our digital world. Their critical nature also makes them prime targets for cyber-attacks. Today I am excited to announce the public preview of a new Service Account discovery module within Microsoft Defender for Identity. These capabilities extend the identity threat detection and response capabilities we provide our customers by helping quickly identify and protect service accounts within their identity fabric. What are Service Accounts? Service accounts are specialized identities within Active Directory that are used to run applications, services, and automated tasks. They can be broadly classified into several types, including: gMSA (Group Managed Service Accounts): gMSAs provide a single identity solution for multiple services that require mutual authentication across multiple servers, as they allow Windows to handle password management, reducing administrative overhead. sMSA (Managed Service Accounts): Like gMSA but are designed for individual services on a single server rather than groups. User Account: These standard user accounts are typically used for interactive logins but can also be configured to run services. These accounts often require elevated privileges to perform their designated job but because they cannot authenticate in the same way as human accounts, they typically do not benefit from the increased security of modern auth methods like MFA. Given their potential elevated privilege and the inherent limitations of the access policies that govern them, careful management and monitoring are crucial to ensure they do not become a security vulnerability. NEW: Service account discovery module Now available as part of Defender for Identity, the service account discovery module helps organizations proactively monitor and secure service accounts within their identity fabric. The auto discovery feature quickly identifies gMSA and sMSA accounts as well as user accounts within Active Directory that meet specific criteria and classifies them as service accounts. These accounts are then surfaced, along with relevant information including insights into recent authentications and the sources and destinations of those interactions, as part of a dedicated inventory within the Defender experience. This helps the SOC better understand what the accounts purpose so they can more easily spot anomalous activity and understand its implications. In addition to the inventory views, each of the accounts also has their own details page which is enriched with other data from across the Defender experience. Things like account creation date, last login, recent activities, privileges and criticality level provide valuable insights into the service accounts themselves. SOC professionals can also take direct action on these identities, like disabling a user, directly within this view. Within this page is a new Connections tab. Here security teams can explore the unique connections made by these accounts and see insights into which machines were involved, their potential risk level and identify abnormal interactions. Customers can also take advantage of Defender for Identity recent integrations with leading Privilege Access Management (PAM) vendors. Any service accounts managed by those PAM solutions will automatically have the “privileged” tag applied to them and the SOC will be able to enforce password rotation right from within the experience. As with all other Defender for Identity data, the service account tags are now exposed within the Identity Info table within Advanced Hunting. With this customer can now build custom detections and automations around their service accounts. By leveraging these features, organizations can reduce the risk of credential theft and unauthorized access. Get started today! These capabilities are now in public preview and are automatically enabled for Defender for Identity customers. To find the inventory simply navigate to the “Identities” section of the Defender experience and click on the “Service account” tab.
