Microsoft Defender for Identity Reviews

Our use case is endpoint detection and response (EDR). 

You can integrate Microsoft Defender with other solutions. 

It gives you a holistic view of everything happening in your organization.

You can use it to do a lot of monitoring.

The most valuable features are ETL, lab, and monitoring.

I would like to be able to do remediation from the platform because it is just a scanner right now. If you onboard a device, it shows you what is happening, but you can't use it to fix things. You need to go into the system to fix it instead.

I have been using it for three years.

It is quite stable. There are incidents from time to time, which can affect any platform. This affects in different regions or locations within Canada or even Africa. Sometimes users complain and we get a service request that we check to determine if there is an incident. 

When there are issues, sometimes the issue is clear by itself, and other times, I contact Microsoft technical support. Most times, the technical support provides a workaround. My experience with their technical support has been excellent.

Positive

We also use Kaspersky and other solutions, but all these solutions integrate with Azure, Microsoft Defender, or Microsoft 365. They don't really work on their own.

It is easy to set up. Based on the number of devices you would like to set up, you can use scripts, Group Policy, etc.

It takes five minutes to set up.

You won't be able to change your tenants from where you deploy them. For example, if you select Canada, they will charge you based on Canadian pricing. If you are also in London, when you deploy in Canada, the pound is higher than Canadian dollars, but your platform resources are billable in Canadian dollars. Using your pounds to pay for any of these things will be cheaper. Or, if you deploy in London, they will charge you based on your local currency.

The package has a lot of features. We just want email and calendar only. This is the standard plan. However, if you want something which extends the product's features, you can get Microsoft business.

I would rate the solution as nine out of 10.

The solution provides alerts when malicious actors are active and that's something most companies are missing. Quite often, malicious actors do reconnaissance for weeks, months, and on their checkout. They get a sense of the whole environment before they execute a ransomware attack. This sensor will alert users if something like that happens and it gives you time to mitigate the issues or block the attacker.

It gives companies a lot of insights that they didn't have before. It has increased the security posture significantly.

The feature that I most like is that it integrates with the other Defender components. Defender Identity is part of Microsoft 365, and there is Defender for Office 365, Defender for endpoints, and cloud edge security. These tools integrate really well together. The integration with the other tools makes it a comprehensive tool that I would recommend to any company.

It measures your identity security. For example, let's say a lot of companies don't have a proper decommissioning process for global admins or domain admins. And so, when an administrator who has built many privileges leaves the company, the account gets disabled and it still has members of domain admin groups or sensitive groups. This will highlight them and alert users to say, in a sense, "hey, these users or to these user accounts of sensitive privileges, but haven't been used for a long period of time". The few times I've created this report and showed this to customers, they're shocked due to the fact that it's an easy entry for malicious actors that they weren't aware of. That's one of the cool features.

Defender for Identity has not affected the end-user experience.

The solution could be better at using group-managed access and they could replace it with broad-based access controls.

I've worked with the solution since June of last year. I've worked with it across three organizations so far.

I have never seen any issues. The solution appears to be stable. 

Scalability is not applicable in this case.

In terms of users, there will be cloud engineers or security analysts, security engineers, and those types of people.

Normally the tech support is pretty responsive and they understand the tool.

Our organization did not previously use a different solution.

I've used the solution within three organizations. Two I have implemented myself and the third was implemented by someone else entirely.

The initial setup is straightforward, however, because it needs to communicate between the domain controller and Microsoft cloud, which can cause issues if there are firewalls. Normally, domain controllers don't have access to the internet, or at least, that's what's recommended. Installing the tool itself is not hard, however, the firewalls make the process harder.

There are a bunch of URLs that you have to whitelist on the firewalls and you could set up a transparent proxy.

Installing one takes five minutes at a maximum and you need to times that by the number of domain controllers you have. I recall that, in our case, some domain controllers were not up to speed. Their memory CPU utilization was not big enough to handle the load of the network traffic scanning. Therefore, before you install it on the domain controller, the recommendation is to run a tool to see if your domain controllers are capable to handle the sensors. That's something to note for other users considering an installation.

I didn't create an implementation strategy. It's a pretty straightforward tool. You just install it on all the main controllers and then integrate it with all the other Defender components. It's not really a strategy. The only thing to note is if you deal with a security team, they always say that there's already an endpoint protection solution on the domain controller. However, this is different, and this works side-by-side with whatever already exists. Other than that, there's not really a strategy.

For deployment and maintenance, one person would be enough and they would not even have to be full-time as it's a cloud solution. Microsoft does all the maintenance of the backend of the infrastructure and the only thing you have to make sure of is that the sensors are healthy on the domain controllers. That's the only thing you have to do. It's not too much effort.

This tool I install for customers as I am a consultant. When I say, I've got experience, it's not purely for our company as we are an IT company and we consult with customers. I didn't use a third party. I'll typically do it with one of my colleagues.

We have not looked at the ROI of Defender.

In terms of the pricing, I don't know off the top of my head the cost, however, it's part of Microsoft 365. It is an EMS-5, an Enterprise Mobility and Security Suite.

It's my understanding that there are no extra costs beyond the standard licensing fee.

I do not recall looking at other options before implementing Defender. 

I'm an integrator and consultant.

With the current versions I'm working on, I clarified today that it was up to date. Whatever the latest version is, is the one I am working on. I don't keep track of the version numbers.

It's a cloud-based solution. No on-premise components are required.

I'd rate the solution at a nine out of ten.

I'd advise new users to check their firewalls and make sure they whitelist them, alongside the appropriate URLs. Make sure to enlist a tool to measure if the center can run on your domain controller as well.

Any company should have this tool or a similar tool to it. It's very important to understand if there is a malicious actor in the environment. You can't live without this tool like this in this day and age.

We are looking at this solution as a trusted tenant for our network.

This way, all of the data that goes through is trusted and the communication between our on-prem system and the Azure Cloud remains protected. Our only concern is when the data leaves the Azure Cloud and goes to another third-party tenant.

Azure is our trusted tenant — we trust it. We're just concerned about the data when it leaves Azure and goes to another third-party tenant. For example, if you have a SaaS solution, like Salesforce, sometimes they send data to customers. In order to do this, the data has to leave the trusted cloud tenant. 

We like the Active Directory Federation feature. We use it a lot with the Microsoft Azure Cloud.

When the data leaves the cloud, there are security issues. 

The cloud security services and the integration with on-prem applications like SIEM, needs to be improved.

We have been using this solution for roughly two years.

Microsoft Defender for Identity is very stable.

As it's a cloud application, there are no issues with scalability.

I've never had to deal with support regarding this solution; however, overall, Microsoft's support is quite good.

I was not involved in the initial setup, but I think Microsoft has a good team that can help you set it up. I believe the initial setup went very well.

Microsoft is a big company. They have put a lot of effort into their cloud solutions. They're the way of the future. They have done a lot to catch up with what Amazon did.

This solution has advanced a lot over the last few years. It integrates very well with Office 365. For this reason, I think it's the way of the future.

Overall, on a scale from one to ten, I would give this solution a rating of eight.

Microsoft uses machine learning to analyze data over longer periods and identify anomalies. This approach is beneficial because it helps us understand user behavior over time rather than just focusing on immediate actions.

We handle alerts by investigating them using Defender Advanced Hunting, which provides more data to help us understand the issues. Additionally, we can use the incident page associated with the alert to access detailed information about the problem.

There are issues with the alerts in Microsoft Defender for identity-related intra-protection detection anomalies. The alerts are missing some data, which makes it difficult to determine the exact sign-in event associated with the alert. For instance, if we see a sign-in from a different country, we want to correlate this with the sign-in events recorded in our system and Microsoft. The alert in Defender does not provide the necessary details to match it directly with the corresponding sign-in event. To address this, we need to refer to Defender Protection events, where we can find the IP and sign-in ID associated with the event.

It would be beneficial if Microsoft developed the Microsoft Graph API for Advanced Hunting to facilitate more automation. Currently, the schema is not very well-defined, which limits automation possibilities. Additionally, improvements could be made to enhance queries, such as obtaining the full path of a process, which is available in EDR. Addressing these areas would significantly improve functionality and integration.

Occasionally, we've encountered issues with the API, such as when we cannot access the data and receive a 500 Internal Server Error. This has happened several times over the past few days.

I rate the solution’s stability an eight out of ten.

We experienced issues with Defender not responding about a year ago during a weekend. I’ve heard similar reports from other companies as well. Despite reaching out to Microsoft through forums and support tickets, it took a long time to get answers, and the response did not address the problem.

Neutral

Microsoft Defender consolidates various functionalities on a single dashboard, including incidents, alerts, Advanced Hunting, and PC onboarding details. This integration is very helpful, allowing us to view all relevant information in one place. Previously, managing these tasks required navigating multiple pages, which was less efficient. The current setup streamlines the workflow and makes it easier to work with the platform.

It’s a good product. I appreciate having all the necessary services for my company in one place. Defender provides various security services, including Identity services, which is very valuable.

Overall, I rate the solution an eight out of ten.