Microsoft Defender for Identity for Small Businesses in Berlin
Most endpoint security tools protect the device. Microsoft Defender for Identity (MDI) protects the identity infrastructure itself, specifically on-premises Active Directory. It monitors domain controller traffic and security events in near real time to detect attacks such as pass-the-hash, pass-the-ticket, Kerberoasting, DCSync and Golden Ticket. These attacks use valid credentials and legitimate protocols, so they typically drop no malware and leave little for endpoint controls to catch.
Why Active Directory Is a High-Value Target
On-premises Active Directory remains the authentication backbone for most hybrid environments. If an attacker compromises a domain account — especially a privileged one — they can move laterally across the network without triggering traditional security alerts. Many ransomware groups spend days or weeks in an environment doing exactly this before deploying their payload.
Defender for Endpoint protects the workstation layer. MDI protects the identity layer. Without MDI, the authentication traffic that passes through the domain controller is largely a blind spot in your detection coverage.
How MDI Works
MDI deploys a sensor directly on each domain controller (current sensor versions can also be installed on AD FS, AD CS and Microsoft Entra Connect servers). The sensor captures Kerberos, NTLM, DNS and LDAP traffic on the DC’s own network interface, reads the relevant Windows security events and ETW traces, parses everything locally and sends only the parsed metadata to Microsoft’s cloud-based analysis engine; raw packets never leave the DC. No traffic mirroring or SPAN ports are required.
The analysis engine applies behavioral baselines and known attack signatures to detect:
- Pass-the-Hash / Pass-the-Ticket: Reuse of a stolen NTLM hash or Kerberos ticket to authenticate as another user without knowing the password (credential theft and replay, not an NTLM relay attack)
- Kerberoasting: Requesting Kerberos service tickets for accounts that have an SPN; each ticket is encrypted with the service account’s password hash and can be cracked offline
- DCSync: Abusing directory replication permissions (DS-Replication-Get-Changes and -Get-Changes-All) to pull password hashes from AD as if the attacker were a domain controller
- Golden Ticket / Silver Ticket: Kerberos tickets forged with the krbtgt account hash (golden) or a service account hash (silver). A golden ticket survives ordinary user password resets and is only invalidated by resetting the krbtgt password twice
In addition to these detections, MDI provides a posture view of lateral movement paths: maps of how an attacker could escalate from a compromised account to domain admin.
MDI and Microsoft Sentinel Integration
MDI alerts feed into Microsoft Sentinel through the Microsoft Defender XDR data connector (a dedicated Defender for Identity connector also exists). This means identity-based attack signals from Active Directory are correlated with endpoint signals from Defender for Endpoint, email signals from Defender for Office 365 and cloud signals from Defender for Cloud Apps, all in one SIEM. Multi-stage attacks that span the identity and endpoint layers become visible as a single incident rather than as isolated alerts.
Lateral Movement Path Visualisation
One of MDI’s most useful features is the lateral movement path map. It shows which accounts, if compromised, provide a path to domain admin. A standard user account that has local administrator access on a server where a domain admin has an active session is a lateral movement risk: with local admin rights the attacker can dump the domain admin’s credentials or impersonate the session from that server’s memory. MDI surfaces these paths before an attacker can exploit them.
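To make the path logic concrete, here is an added example (not MDI’s own code) that walks the same two relationships MDI uses, local admin rights and active sessions, over a small constructed dataset. The account and host names are hypothetical; in a real environment you would populate the two edge lists from local group membership and logon session data.

```powershell
# Added example: breadth-first search for lateral movement paths on constructed data.
# Edge types, as MDI models them:
#   AdminTo    - the account holds local administrator rights on the host
#   HasSession - the account is currently logged on to the host
# An attacker who controls account A can take over any account that has a session on a
# host where A is local admin, and then repeat from the new account.

$AdminTo = @(
    [pscustomobject]@{ Account = 'CONTOSO\j.schmidt';  Host = 'FS01'    }  # standard user, local admin on file server
    [pscustomobject]@{ Account = 'CONTOSO\j.schmidt';  Host = 'WS-0117' }
    [pscustomobject]@{ Account = 'CONTOSO\svc-backup'; Host = 'APP02'   }
)
$HasSession = @(
    [pscustomobject]@{ Account = 'CONTOSO\da-mueller'; Host = 'FS01'    }  # domain admin logged on to FS01
    [pscustomobject]@{ Account = 'CONTOSO\svc-backup'; Host = 'WS-0117' }
    [pscustomobject]@{ Account = 'CONTOSO\j.schmidt';  Host = 'WS-0117' }
)
$SensitiveAccounts = @('CONTOSO\da-mueller')

function Find-LateralMovementPaths {
    param(
        [string]$StartAccount,
        [object[]]$AdminTo,
        [object[]]$HasSession,
        [string[]]$Sensitive
    )
    $queue = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue(@{ Account = $StartAccount; Path = @($StartAccount) })
    $seen = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    [void]$seen.Add($StartAccount)
    $paths = @()

    while ($queue.Count -gt 0) {
        $cur = $queue.Dequeue()
        # Hosts where the current account is local admin
        $hosts = $AdminTo | Where-Object { $_.Account -eq $cur.Account } | ForEach-Object { $_.Host }
        foreach ($h in $hosts) {
            # Every account with a session on that host is exposed to credential theft
            $victims = $HasSession | Where-Object { $_.Host -eq $h } | ForEach-Object { $_.Account }
            foreach ($victim in $victims) {
                if ($seen.Contains($victim)) { continue }
                $path = $cur.Path + "[$h]" + $victim
                if ($Sensitive -contains $victim) { $paths += ($path -join ' -> ') }
                [void]$seen.Add($victim)
                $queue.Enqueue(@{ Account = $victim; Path = $path })
            }
        }
    }
    return $paths
}

Find-LateralMovementPaths -StartAccount 'CONTOSO\j.schmidt' `
    -AdminTo $AdminTo -HasSession $HasSession -Sensitive $SensitiveAccounts
```

With the constructed data above, the search reports one path, `CONTOSO\j.schmidt -> [FS01] -> CONTOSO\da-mueller`; the hop via WS-0117 to svc-backup is a dead end because nobody sensitive has a session on APP02. The remediation MDI suggests is the same as what the graph shows: remove the standard user’s local admin rights on FS01, or stop domain admins from logging on to member servers.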
Deployment Requirements
- MDI sensor installed on each on-premises domain controller (and on any AD FS, AD CS or Microsoft Entra Connect servers)
- Directory Service Account with read-only access to AD; a group Managed Service Account (gMSA) is the recommended form, and no admin rights are required
- Microsoft Defender for Identity licence: included in Microsoft 365 E5, Microsoft 365 E5 Security and EMS E5. Microsoft 365 Business Premium does not include MDI on its own; it needs an add-on such as Microsoft 365 E5 Security. A standalone MDI licence is also available
- Outbound HTTPS (TCP 443) connectivity from each DC to *.atp.azure.com, directly or through a proxy
Deployment Steps for Berlin SMBs
- Open the Microsoft Defender portal → Settings → Identities → Sensors.
- Download the MDI sensor installer package.
- Run the installer on each domain controller with the access key shown in the portal.
- Configure the Directory Service Account in the portal (Settings → Identities → Directory Service accounts).
- Validate that sensor status shows “Running” and health shows “Healthy” for all DCs within 5–10 minutes.
- Within 24 hours, review lateral movement paths (shown on each user’s page in the Defender portal and surfaced as Secure Score recommendations).
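The portal steps above have a command-line counterpart for everything that happens on the domain itself. The following is an added example, not Microsoft’s own deployment script: it creates the gMSA for the Directory Service Account, checks connectivity, installs the sensor silently and confirms the services are up. The names `mdiSvc01`, `contoso.local`, `<workspace>` and `<access key>` are placeholders you must replace; the `Azure ATP sensor Setup.exe` file name is the package downloaded from the portal.

```powershell
# Added example: MDI prerequisites and silent sensor install for a small single-domain environment.
# Run in an elevated PowerShell session with the ActiveDirectory module available.

# 1. One-time per forest: a KDS root key is required before any gMSA can be created.
#    Backdating the effective time is for lab / single-DC domains only; in production use
#    -EffectiveImmediately and wait ~10 hours for replication before creating the gMSA.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Create the Directory Service Account as a gMSA whose password only DCs may retrieve.
#    It is an ordinary, unprivileged account; MDI uses it for LDAP reads only.
New-ADServiceAccount -Name 'mdiSvc01' `
    -DNSHostName 'mdiSvc01.contoso.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'Domain Controllers' `
    -KerberosEncryptionType AES256 `
    -Description 'Microsoft Defender for Identity DSA'

# ---- Everything below runs on each domain controller ----

# 3. Check the sensor can reach the workspace endpoint over TCP 443
#    (replace <workspace> with the name shown under Settings > Identities > Sensors).
$endpoint = '<workspace>sensorapi.atp.azure.com'
$reachable = Test-NetConnection -ComputerName $endpoint -Port 443 -InformationLevel Quiet
if (-not $reachable) {
    throw "No HTTPS path from $env:COMPUTERNAME to $endpoint; fix firewall/proxy rules first."
}

# 4. Install the gMSA locally and confirm this DC can retrieve its managed password.
Install-ADServiceAccount -Identity 'mdiSvc01'
if (-not (Test-ADServiceAccount -Identity 'mdiSvc01')) {
    throw "gMSA password retrieval failed on $env:COMPUTERNAME; check group membership and replication."
}

# 5. Silent install with the access key copied from the portal. The arguments are passed
#    as separate strings so PowerShell does not strip the inner quotes.
$AccessKey   = '<access key>'
$installArgs = @('/quiet', 'NetFrameworkCommandLineArguments="/q"', "AccessKey=$AccessKey")
Start-Process -FilePath '.\Azure ATP sensor Setup.exe' -ArgumentList $installArgs -Wait

# 6. Verify the sensor services before checking the portal.
Get-Service -Name 'AATPSensor', 'AATPSensorUpdater' | Select-Object Name, Status
```

After the install, register `mdiSvc01$` under Settings → Identities → Directory Service accounts; the sensor only starts using the gMSA once it is listed there. If your DCs sit behind an explicit proxy, pass it to the installer with the documented `ProxyUrl` argument alongside the access key.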
Need help deploying Defender for Identity in your Berlin office environment? Contact us for a free consultation.