Microsoft Defender for Identity (MDI): Detecting AD Attacks for Small Business in Berlin
Active Directory is still the backbone of identity for most small businesses in Berlin — on-premises, hybrid, or fully cloud-joined. Microsoft Defender for Identity (MDI) is the purpose-built sensor layer that watches every authentication event, service account behaviour, and lateral movement attempt inside that AD environment and surfaces attacks before credentials are weaponised. For a business running an on-premises AD or Entra ID hybrid join, MDI is not optional security hygiene — it is the detection engine that turns your domain controller logs into actionable threat intelligence.
What MDI Actually Does
MDI installs a lightweight sensor directly on every domain controller (DC). The sensor reads AD logs and network traffic in real time without requiring port mirroring or an inline proxy. Every Kerberos ticket request, NTLM authentication, LDAP query, and SAM-R enumeration passes through the sensor. MDI correlates these events against a baseline of normal behaviour for each user and machine, then flags deviations as security alerts. The cloud-backed analytics continuously update attack pattern signatures without requiring on-premises signature updates.
Detected Attack Techniques
| Technique | What MDI Detects |
|---|---|
| Pass-the-Hash (PtH) | NTLM authentication using a harvested hash without plaintext password |
| Pass-the-Ticket (PtT) | Stolen Kerberos TGT or service ticket replayed on another host |
| Kerberoasting | Service account Kerberos ticket requests targeting high-privilege SPNs for offline cracking |
| AS-REP Roasting | Accounts with Kerberos pre-auth disabled — hash extracted without credentials |
| DCSync | Replication API abuse to extract all password hashes from a DC |
| Golden Ticket | Forged TGT signed with the KRBTGT hash — persistent AD compromise |
| LDAP Enumeration | Bulk user, group, and ACL enumeration patterns indicative of reconnaissance |
| Lateral Movement | Pass-through authentication paths, remote execution service abuse (PsExec, WMI) |
| Privilege Escalation | AdminSDHolder abuse, ACE modification on sensitive objects |
| Honey Token Alerts | Any authentication attempt using a designated decoy account |
Architecture: Sensor Placement and Data Flow
MDI operates on a cloud-connected sensor model. The sensor on each DC forwards events to the MDI cloud service (hosted in the EU data centre for GDPR compliance). No raw AD data is stored in the cloud — only security-relevant events and alert metadata. The sensor footprint is minimal: CPU impact under 5% at steady state, memory around 450 MB. Installation takes under 15 minutes per DC and requires no reboot.
For hybrid environments with Entra ID Connect, MDI complements Entra ID Protection by covering the on-premises AD tier. Entra ID Protection watches cloud sign-in risk; MDI watches on-premises Kerberos and NTLM flows. Together they give full identity coverage across hybrid AD.
Required Licences
MDI is included in Microsoft 365 Business Premium and Microsoft Defender for Identity standalone licences. It is also part of the Microsoft 365 E5 Security and Microsoft Defender for Identity P2 bundles. For Berlin small businesses already on Microsoft 365 Business Premium, MDI is already in the subscription — the sensor just needs to be deployed.
Deploying MDI: Step-by-Step
- Create the MDI workspace: In the Microsoft 365 Defender portal (security.microsoft.com) under Settings → Identities, provision the MDI workspace. Select the EU region to keep data within GDPR boundaries.
- Configure the Directory Service account (DSA): Create a dedicated low-privilege AD service account (read-only access to all objects) or use a Group Managed Service Account (gMSA) so that credential rotation is automated. MDI uses this account for its LDAP queries.
- Download and deploy the sensor: Download the sensor installer from the MDI portal. Run it on each DC — primary and read-only. The installer registers the sensor with the workspace automatically. No inbound firewall rules are required; the sensor-to-cloud channel is HTTPS outbound only.
- Validate sensor health: In the MDI settings, open the Sensors page and confirm every DC shows Status: Running and Connectivity: Connected. Sensor delay (time since last update) should be under 1 minute.
- Configure Honeytoken accounts: Designate one or more decoy AD accounts as honey tokens. Any authentication attempt against these accounts triggers an immediate Critical alert — a reliable early-warning tripwire for credential stuffing or internal threat actors.
- Integrate with Microsoft Sentinel: Connect MDI alerts to Microsoft Sentinel via the Microsoft Defender XDR data connector. MDI identity alerts enrich Sentinel incidents with on-premises AD context.
- Review and tune alert policies: In the first two weeks, review noisy alerts for known administrative patterns (scheduled tasks running as service accounts, legacy NTLM from printers) and suppress them with entity exclusions to reduce alert fatigue.
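The gMSA variant of the Directory Service account step, as an added example that is not part of the original post: it creates the gMSA, restricts password retrieval to the domain controllers that host the sensor, and grants the read access on the Deleted Objects container that Microsoft's DSA guidance calls for. The gMSA name mdiSvc01 and the use of the built-in Domain Controllers group are assumptions; replace them with your own values.

```powershell
# Added example, not from the original post: create a gMSA to serve as the MDI
# Directory Service account. The gMSA name and the DC group are assumptions.
Import-Module ActiveDirectory

$gmsaName = 'mdiSvc01'              # assumed gMSA name
$domain   = Get-ADDomain
$dcGroup  = 'Domain Controllers'    # DCs run the sensor, so only they may fetch the password

# One-time prerequisite: a KDS root key must exist before any gMSA can be created.
# -EffectiveImmediately is for labs; in production, allow the default replication delay.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Create the gMSA, restricting managed-password retrieval to the domain controllers
# and allowing only AES Kerberos encryption types.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$($domain.DNSRoot)" `
    -PrincipalsAllowedToRetrieveManagedPassword $dcGroup `
    -KerberosEncryptionType AES128, AES256

# MDI needs read access to the Deleted Objects container so the sensor can track
# deleted accounts. Run from an elevated prompt on a DC.
$deletedObjects = "CN=Deleted Objects,$($domain.DistinguishedName)"
dsacls $deletedObjects /takeownership
dsacls $deletedObjects /G "$($domain.NetBIOSName)\$gmsaName`$:LCRP"

# Confirm this DC can retrieve the managed password; returns True on success.
# Run on every DC before installing the sensor there.
Test-ADServiceAccount -Identity $gmsaName
```

After the gMSA is created, enter it as the Directory Service account in the MDI settings; the sensor on each DC retrieves the password itself, so no password is ever typed into the portal.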
MDI and the Unified Microsoft 365 Defender Portal
MDI alerts surface directly in the Microsoft 365 Defender portal alongside Microsoft Defender for Endpoint (MDE) alerts, Defender for Office 365 email alerts, and Entra ID Protection risk events. A single incident in Defender XDR can correlate an MDI Kerberoasting alert with the MDE process execution alert on the compromised host and the Entra ID sign-in risk event for the same user — presenting the full attack chain without switching consoles. This unified investigation view is the primary operational reason to deploy MDI even in smaller environments: the cross-signal correlation dramatically compresses mean time to detect (MTTD).
Practical Value for Berlin Small Businesses
The most common attack paths against small businesses with AD environments are credential attacks: phishing to harvest a password, NTLM relay to harvest a hash, or Kerberoasting to crack a service account offline. MDI detects all three in real time. For a Berlin business subject to GDPR, the ability to demonstrate that an unauthorised access attempt was detected and contained within hours (rather than discovered weeks later during a breach investigation) is directly relevant to Article 33 notification timelines and data protection accountability requirements.
IT Experts Berlin deploys and manages MDI as part of a layered identity security architecture. If your business runs Active Directory on-premises or in a hybrid configuration and does not have MDI sensors on your domain controllers, your identity attack surface is unmonitored. Request a free IT assessment to evaluate your current identity protection posture.
