Categories Microsoft 365
Created by Lamont Largie
Created on Oct 2, 2024

Microsoft 365: Defender for Identity Enabled

Metric Name: Microsoft 365: Defender for Identity Enabled

Category: Security

Description: This metric checks if Microsoft Defender for Identity is enabled. Defender for Identity (formerly Azure Advanced Threat Protection) provides protection for on-premises Active Directory identities by monitoring, detecting, and responding to advanced threats and identity theft activities.

Purpose: The purpose of this metric is to ensure that Defender for Identity is enabled and active, which is crucial for monitoring and safeguarding on-premises and hybrid environments against identity-based threats and intrusions.

How it works:

  • The metric uses a query (SecureScores.controlScores[?controlName=='AATP_DefenderForIdentityIsNotInstalled'].on) to check if the Defender for Identity control is marked as "on" in Microsoft 365's Secure Score.

  • This ensures that identity monitoring features are active, helping to protect against identity breaches and lateral movement within the network.

Beneficiaries:

  • Security Teams: Can monitor and verify that Defender for Identity is enabled, ensuring that Active Directory environments are being actively protected.

  • IT Administrators: Gain insights into the security posture of hybrid identity infrastructures, making it easier to detect misconfigurations or missing installations.

  • Organizations with Hybrid Networks: Benefit from continuous identity monitoring, reducing the risk of attacks targeting on-premises identities and Active Directory services.

Additional Notes:

  • Customization: The query can be modified to track the status of other Defender products or integrate the findings into a broader security assessment. Additionally, it can be paired with metrics that monitor cloud-based identity protection features for a holistic view of identity security.

  • Why this is valuable: Having Defender for Identity enabled is crucial for detecting advanced identity threats, especially in hybrid environments where both on-premises and cloud-based identities need protection.

  • How Defender for Identity Works in the Hybrid Environment:

    • On-Premises Active Directory Monitoring: Defender for Identity is designed to monitor on-premises Active Directory (AD). It looks at traffic, events, and behavior on on-prem domain controllers, detecting potential security threats like compromised credentials, lateral movement, and privilege escalation.

    • Cloud Integration with Microsoft 365: Even though it focuses on on-prem AD, the configuration, deployment, and management of Defender for Identity are handled through Microsoft 365 (cloud). The insights and threat data from on-prem AD environments are sent to the Microsoft 365 Defender portal, where they can be viewed and analyzed alongside cloud-based security signals.

      • Why the Data Comes from Microsoft 365: Although Defender for Identity collects data from on-prem AD, it reports and integrates with cloud-based security dashboards in Microsoft 365, such as the Secure Score and Microsoft 365 Security Center. This allows organizations to have a unified security view, including their on-prem AD and cloud environments.

Query

SecureScores.controlScores[?controlName=='AATP_DefenderForIdentityIsNotInstalled'].on
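As an added illustration (not code from this Library entry or from Liongard), the Python below reproduces what the JMESPath expression above evaluates to over a constructed sample of the SecureScores data, and generalizes it to any controlName as the Customization note suggests. The evaluator is hand-written rather than the jmespath library; the sample values and the EXAMPLE_OtherControl name are made up.

```python
# Constructed sample shaped like the SecureScores.controlScores data the
# metric queries; field names come from the page, values are made up.
SAMPLE_ENABLED = {
    "SecureScores": {
        "controlScores": [
            {"controlName": "AATP_DefenderForIdentityIsNotInstalled", "on": True},
            {"controlName": "EXAMPLE_OtherControl", "on": False},  # placeholder name
        ]
    }
}

# Constructed sample for a tenant where the control is absent altogether.
SAMPLE_MISSING = {
    "SecureScores": {
        "controlScores": [
            {"controlName": "EXAMPLE_OtherControl", "on": False},  # placeholder name
        ]
    }
}


def control_on_values(data, control_name):
    """Hand-written equivalent of the JMESPath expression
    SecureScores.controlScores[?controlName=='<control_name>'].on

    The filter [?controlName=='...'] keeps the matching entries and the
    trailing .on projects their 'on' field, so the result is always a list:
    one value per matching entry, or [] when nothing matches.
    """
    scores = data.get("SecureScores", {}).get("controlScores") or []
    return [c.get("on") for c in scores if c.get("controlName") == control_name]


def defender_for_identity_enabled(data):
    """Reduce the page's query to a single metric verdict.

    Returns True or False when the control is present. When the control is
    missing from Secure Score the query yields [], which is not the same as
    'off'; returning None keeps that case visible instead of reporting it
    as disabled.
    """
    values = control_on_values(data, "AATP_DefenderForIdentityIsNotInstalled")
    if not values:
        return None
    return all(bool(v) for v in values)
```

With the jmespath package installed, `jmespath.search(query, data)` returns the same list as `control_on_values` for the query string shown above.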