Microsoft Defender for Identity in Depth: An exhaustive guide to ITDR, breach prevention, and cyberattack response
Ebook, 938 pages, 5 hours

Language: English
Publisher: Packt Publishing
Release date: Dec 20, 2024
ISBN: 9781835884492
    Book preview

    Microsoft Defender for Identity in Depth - Pierre Thoor

    Microsoft Defender for Identity in Depth

    Copyright © 2024 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    The author acknowledges the use of cutting-edge AI, such as ChatGPT/Claude/Grammarly, with the sole aim of enhancing the language and clarity within the book, thereby ensuring a smooth reading experience for readers. It’s important to note that the content itself has been crafted by the author and edited by a professional publishing team.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    Group Product Manager: Dhruv Jagdish Kataria

    Publishing Product Manager: Prachi Sawant

    Book Project Manager: Ashwin Kharwa

    Senior Editor: Sarada Biswas

    Technical Editor: Rajat Sharma

    Copy Editor: Safis Editing

    Proofreader: Sarada Biswas

    Indexer: Pratik Shirodkar

    Production Designer: Jyoti Kadam

    Senior DevRel Marketing Executive: Marylou De Mello

    First published: December 2024

    Production reference: 1251124

    Published by Packt Publishing Ltd.

    Grosvenor House

    11 St Paul’s Square

    Birmingham

    B3 1RB, UK.

    ISBN 978-1-83588-448-5

    www.packtpub.com

    For Carina, the love of my life, and our amazing children – your support and love mean the world to me.

    – Pierre Thoor

    Foreword

    A well-known phrase in cyber security is "hackers don’t break in, they log in." Anyone who has worked in incident response, in a security operations center, or in any kind of threat-hunting role can attest to the truth of this statement. Despite being with us for many years, and despite the evolution of cloud identity platforms such as Microsoft Entra ID, in many organizations, Microsoft Active Directory is still at the heart of the corporate identity landscape. Identities, from our regular users to our most privileged administrators, are key to maintaining the security of our environments or limiting the impact of compromise. I have been fortunate to be involved in some of the largest and most complex cybersecurity breaches in the world and have seen defenders struggle to protect Active Directory effectively. It is understandable that defenders would struggle; modern identity systems are complex and ever-changing to suit the evolving needs of modern companies. The advent of the work-from-home era has increased this complexity significantly and further highlighted the importance of securing our identities. This evolving complexity presents a unique challenge to defenders. It is difficult to collect the logs and telemetry from all these services manually and build custom detection rules across them all to effectively secure your identity plane. Microsoft Defender for Identity (MDI) looks to solve this problem by reducing the barrier to entry to be able to effectively monitor Active Directory. The out-of-the-box telemetry and detection logic has been tuned over years of understanding how adversaries compromise Active Directory, taken from the lessons from real-world compromises. As new techniques are discovered, they are built and deployed into the product, ensuring protection against the most novel of attacks.

    MDI is one of the pillars of the Microsoft Defender security stack. It provides unique visibility and insights into not only Active Directory, but also other supporting components, such as Active Directory Federation Services, Active Directory Certificate Services, and Microsoft Entra Connect. My personal belief is there is no product available that comes close to providing the out-of-the-box insights that MDI does. I have often joked that if I could spend someone else’s money on a security product, then MDI would be it. In this book, you will learn from Pierre, an expert in the deployment and operationalization of MDI. Importantly, he will arm you with the knowledge to not only configure and deploy MDI but also to empower you with the skills to effectively hunt for and prevent identity compromise. This book covers not only reactive investigations but, crucially for defenders, how to use MDI to proactively address misconfigurations or weaknesses in Active Directory. The goal of any threat actor is to obtain an identity with enough privilege to complete their objectives, from data exfiltration to ransomware and everything in between. This book will arm you with the skills to hopefully prevent, disrupt, or understand that activity in your environment.

    Matthew Zorich

    Principal Security Research Manager

    Microsoft GHOST

    Contributors

    About the author

    Pierre Thoor is a Microsoft MVP in security and a dedicated cybersecurity expert with a focus on identity protection and threat detection. As a first-time author, he shares his extensive knowledge in this book. Pierre hosts the Security Dojo Podcast and blogs at thoor.tech, where he explores Microsoft security topics. As an international speaker, he makes complex security subjects accessible to audiences worldwide.

    At Onevinn, Pierre delivers advanced security solutions that strengthen organizations’ defenses against cyber threats. He specializes in Microsoft Sentinel and Microsoft Defender XDR. Pierre is also an expert in Azure Governance, including the Cloud Adoption Framework and enterprise-scale landing zones, ensuring that security is integrated into every aspect of cloud adoption. With skills in DevOps practices, Kusto Query Language (KQL), and developing solutions with Bicep and PowerShell, he implements automation and infrastructure as code to enhance security operations.

    Pierre assists organizations in navigating the complexities of modern cybersecurity challenges.

    I want to deeply thank my wife, Carina, for her constant support and belief in me. To my children, whose curiosity and questions inspired me – thank you. Big thanks to the technical reviewers, Stefan Schörling and Konrad Sagala, for your helpful support and comments that made this book better. Thank you, Matthew Zorich, for your endless inspiration and for writing the foreword. Lastly, thank you to my employer, Onevinn, for your support during this journey.

    About the reviewers

    Stefan Schörling is a renowned security expert with more than 25 years of experience in the cybersecurity field. He has served various roles within the cybersecurity area. Today, he is supporting customers to be better protected against adversaries, but also helping those who have been hit by cyber incidents. In his spare time, he conducts security research and also speaks at various international conferences (SANS, Live 360, TechED, Ignite, and various user groups). Stefan has been awarded a Microsoft MVP award every year for 17 years for his efforts and passion for sharing his knowledge in tech communities.

    I’d like to thank my wife and family for the time and commitment it takes for me to follow my dream and do the things I do. Without their support, this would not be possible. I would also like to thank my first manager, Mathias, for believing in me even if I had no formal IT education and for the fun times we had over the years working together. I would simply not be where I am today without them.

    Konrad Sagala has been involved in designing and deploying server systems since 1993. From 1996, he focused on Windows Server Systems: Security, Exchange and Active Directory. For the last 10 years, he has focused on cloud platforms. He has been an active Microsoft Certified Trainer since 2007, delivering Identity, Microsoft 365, Exchange, Security, and Server Platform courses, and has been a Microsoft Most Valuable Professional for 18 years in the Microsoft 365 category.

    Table of Contents

    Preface

    Part 1: Mastering the Fundamentals of Microsoft Defender for Identity

    Chapter 1: Introduction to Microsoft Defender for Identity

    The growing threat landscape and the role of MDI in ITDR

    Modern identity threats and strategic defense frameworks

    The Cyber Kill Chain

    MITRE ATT&CK framework

    The Unified Kill Chain

    MDI’s strategic position in the cybersecurity ecosystem

    Unpacking key features and benefits of MDI

    Summary

    Chapter 2: Setting up Microsoft Defender for Identity

    Technical requirements

    Pre-installation and planning checklist: laying the groundwork

    Licensing

    What permissions do you need?

    What are the operating system requirements?

    Other sensor requirements

    Networking

    PowerShell

    Data collection

    User profiling

    Sizing

    Prerequisites for AD FS and AD CS

    Active Directory service accounts

    Deployment of MDI – a step-by-step guide

    Following with your own lab environment

    Getting the MDI installation package and access key

    Navigating step-by-step proxy configuration for MDI

    Installing TinyProxy

    Configuring TinyProxy

    Ensuring success with post-installation activities

    DSAs

    Configuring SAM-R

    Setting the gMSA in the Defender XDR portal

    Verifying the DSA

    Defender XDR unified RBAC

    Summary

    Chapter 3: Leveraging MDI PowerShell for Automation and Management

    Technical requirements

    Primer on the MDI PowerShell module

    Installing the MDI PowerShell module

    Module file overview

    Understanding the module and its functions

    Crafting advanced PowerShell scripts for MDI management

    Health issues API

    Automation in action – case studies and scripting scenarios

    Monitoring the MDI service via Azure Monitor

    Monitoring the MDI configuration with Azure Monitor and custom alert rules

    Sending health issues and security alerts via syslog to Microsoft Sentinel

    Summary

    Part 2: Advanced Configuration, Integration, and Threat Detection

    Chapter 4: Integrating MDI with AD FS, AD CS, and Entra Connect

    Technical requirements

    Integrating MDI with AD FS

    How AD FS authentication works

    Configuring AD FS for MDI sensor installation

    Validating the AD FS integration

    Integrating MDI with AD CS

    How AD CS works

    Importance of MDI on Certificate Servers

    Configuring AD CS for MDI sensor installation

    Validating the AD CS integration

    Integrating MDI with Entra Connect

    How Entra Connect works

    Configuring Entra Connect for the MDI sensor

    Validating the Entra Connect integration

    Expanding MDI across multiple Active Directory forests

    The concept of multiple forests

    Types of trusts in multi-forest environments

    Prerequisites for MDI in a multi-forest environment

    VPN integration – securing remote activities and data flow

    Understanding RRAS and RADIUS

    Configuring Microsoft RRAS

    Summary

    Chapter 5: Extending MDI Capabilities Through APIs

    Technical requirements

    Introduction to the MDI API

    Getting started with Microsoft Graph API

    Building custom integrations and automations

    Identifying integration opportunities

    Type of use cases

    Summary

    Chapter 6: Mastering KQL for Advanced Threat Detection in MDI

    Technical requirements

    KQL for beginners – querying MDI data

    The history of KQL and its ecosystem

    Understanding your MDI data

    Getting started with KQL

    Practical tips for effective queries

    Hunting tables in MDI

    Practical use of hunting tables

    Advanced KQL techniques for deep threat detection

    Understanding attack paths in AD

    MDI and the attacker’s kill chain

    Crafting KQL queries for threat detection

    Real-world case studies – detecting advanced attacks with KQL

    Prerequisites

    PtH attack

    Kerberoasting

    DCShadow attack

    Summary

    Further reading

    Part 3: Operational Excellence with Microsoft Defender for Identity

    Chapter 7: Investigating and Responding to Security Alerts

    Developing a methodical approach to alert investigation

    Understanding the MDI alert system

    User Entity

    Lateral movement paths (LMPs)

    Initial triage and categorization

    Root cause analysis

    Real-world playbook – responding to advanced threats

    Defining advanced threats

    Pre-incident preparation

    Incident detection and validation

    Response strategy and execution

    Incident response – an action plan for high-stakes situations

    Building an incident response team

    Incident Response Plan (IRP)

    Summary

    Chapter 8: Utilizing MDI Action Accounts Effectively

    Technical requirements

    Configuring and securing action accounts

    Understanding action accounts – what are they and why do they matter?

    Best practices for action account configuration – getting it right the first time

    Security measures – protecting your action accounts from compromise

    Real-world scenarios and use cases

    Automated threat response – leveraging action accounts for quick reactions

    Case study – detecting and responding to credential theft and lateral movement

    Operational efficiency – how action accounts streamline security processes

    Summary

    Chapter 9: Building a Resilient Identity Threat Detection and Response Framework

    Technical requirements

    Designing proactive threat-hunting strategies with MDI

    Understanding the threat-hunting methodology

    The importance of logging and accurate detection

    Developing security use cases

    Leveraging behavioral analytics and MDI in hypothesis-driven hunting

    Elevating your ITDR posture – Continuous improvement with MDI

    Learning from total identity compromise incidents

    Implementing identity-hardening strategies

    Disaster recovery and incident response – preparing for the inevitable

    Establishing an incident response plan

    Automating responses to identity-based incidents with SOAR

    Disaster recovery for identity systems

    Summary

    Chapter 10: Navigating Challenges: MDI Troubleshooting and Optimization

    Diagnosing common MDI issues

    Spotting the signs of trouble

    Using tools and logs to find problems

    Configuration and connectivity fixes

    Checking key configuration settings

    Removing a malfunctioning MDI sensor manually

    Network connectivity troubleshooting

    Resolving security alert misfires

    Customizing detection rules and applying filtering techniques

    Adjusting alert settings for better accuracy

    Operational guide

    Daily tasks

    Weekly tasks

    Monthly tasks

    Quarterly/ad-hoc tasks

    Summary

    Further reading

    Index

    Other Books You May Enjoy

    Preface

    Welcome to a journey where we turn the tables on cyber adversaries using Microsoft Defender for Identity!

    In today’s digital landscape, cyber threats are becoming more sophisticated, targeting the very identities that form the backbone of our organizations. Microsoft Defender for Identity (MDI) is a powerful tool designed to help you protect your Active Directory environments from these advanced attacks. By providing deep insights into user activities and behaviors, MDI enables you to detect, investigate, and respond to threats effectively.

    This book, Microsoft Defender for Identity in Depth, is your comprehensive guide to mastering MDI. It brings together everything you need in one place, from setting up and configuring MDI to exploring advanced features and integrations. Through hands-on examples and real-world scenarios, you’ll learn how to secure identities, hunt for adversaries, and optimize your defenses against evolving cyber threats.

    By diving deep into MDI, you’ll enhance your ability to detect and catch adversaries, accelerate your learning curve, and position yourself to work confidently with other Microsoft security products. Whether you’re starting from scratch or looking to refine your existing knowledge, this book will inspire you to elevate your cybersecurity skills to new heights.

    Who this book is for

    This book is designed for IT and security professionals eager to elevate their expertise in identity protection and threat management using Microsoft Defender for Identity. It is particularly valuable for the following:

    System administrators aiming to secure Active Directory environments

    Cybersecurity analysts seeking to enhance their detection and response capabilities

    Identity and access management specialists focused on safeguarding user identities

    Incident response team members who require effective tools for investigating security incidents

    Threat hunters interested in proactively identifying and mitigating risks

    Cloud security engineers looking to integrate MDI within broader security strategies

    What this book covers

    Chapter 1, Introduction to Microsoft Defender for Identity, begins our journey by exploring the why behind MDI before diving into technical details. We examine its critical role within the evolving threat landscape and its place in Identity Threat Detection and Response (ITDR). By understanding modern identity threats, MDI’s strategic importance in cybersecurity, and unpacking its key features and benefits, you’ll gain a solid foundation on how MDI fortifies defenses against identity-centric attacks.

    Chapter 2, Setting up Microsoft Defender for Identity, guides you through securely deploying MDI. It includes a pre-installation checklist, step-by-step installation with proxy configurations, and post-installation verification to ensure MDI operates correctly.

    Chapter 3, Leveraging MDI PowerShell for Automation and Management, teaches you how to use the MDI PowerShell module to automate and manage Microsoft Defender for Identity. You’ll learn about key commands and automation techniques to streamline MDI administration.

    Chapter 4, Integrating MDI with AD FS, AD CS, and Entra Connect, teaches you how to integrate Microsoft Defender for Identity with key Active Directory services: Active Directory Federation Services (AD FS), Active Directory Certificate Services (AD CS), and Entra Connect. You’ll learn how to expand MDI’s coverage across multiple Active Directory forests and integrate with VPNs to secure remote activities.

    Chapter 5, Extending MDI Capabilities Through APIs, explores how to extend Microsoft Defender for Identity using the Microsoft Graph API. You’ll focus on key APIs that allow you to monitor and manage alerts, incidents, and health issues within your MDI environment.

    Chapter 6, Mastering KQL for Advanced Threat Detection in MDI, teaches you how to use Kusto Query Language (KQL) within Microsoft Defender for Identity to enhance your threat detection capabilities. You’ll start with the basics of querying and filtering MDI data, then progress to advanced techniques for identifying hidden patterns and anomalies. Through real-world case studies, you’ll learn how to detect advanced attacks, empowering you to improve your organization’s security defenses.

    Chapter 7, Investigating and Responding to Security Alerts, teaches you how to effectively investigate and respond to security alerts in Microsoft Defender for Identity. You’ll establish a methodical approach for accurate threat identification and assessment. The chapter presents a real-world playbook for responding to advanced threats with swift action strategies. It also outlines a comprehensive incident response plan for high-stakes situations, preparing you to manage and mitigate security incidents effectively.

    Chapter 8, Utilizing MDI Action Accounts Effectively, delves into the strategic use of MDI action accounts. You’ll learn how to configure them securely, following best practices to strengthen your security posture without introducing vulnerabilities. The chapter explores real-world scenarios and use cases, demonstrating how effectively managed action accounts play a pivotal role in automated threat response and operational efficiency within Microsoft Defender for Identity environments.

    Chapter 9, Building a Resilient Identity Threat Detection and Response Framework, focuses on constructing a robust ITDR framework using Microsoft Defender for Identity. You’ll learn how to design proactive threat-hunting strategies with MDI, leveraging KQL to detect early indicators of compromise. The chapter discusses elevating your ITDR posture through continuous improvement and covers disaster recovery and incident response planning, preparing you for the inevitable challenges of security breaches.

    Chapter 10, Navigating Challenges: MDI Troubleshooting and Optimization, serves as a practical guide for IT professionals to troubleshoot and resolve common challenges with Microsoft Defender for Identity. You’ll learn essential techniques for diagnosing and fixing frequent issues, including configuration and connectivity problems. The chapter delves into strategies for tuning performance and optimizing MDI operations to ensure a smooth and efficient security framework. It also provides insights into resolving false positives and alert misfires, enhancing the accuracy and reliability of your security measures.

    Note

    News from Microsoft Ignite 2024: Unified agent

    Microsoft has introduced a unified agent that integrates Microsoft Defender for Endpoint (MDE) with Microsoft Defender for Identity (MDI), extending protection across endpoints, operational technology (OT) devices, identities, and Data Loss Prevention (DLP). This consolidation simplifies deployment and maintenance by eliminating the need for separate agents, thereby reducing system overhead and enhancing efficiency. Organizations can now enable MDI directly from the Defender portal, streamlining the process of securing on-premises identities.

    News from Microsoft Ignite 2024: Sensor Management API for Automated Operations

    To further enhance operational efficiency, Microsoft has launched a Sensor Management API. This API allows for the automation of tasks such as deployment, configuration, and monitoring of sensors within an organization's environment. By providing programmatic access, it enables security teams to maintain up-to-date sensor deployments and monitor their health status effectively, ensuring continuous and robust protection.

    To get the most out of this book

    This book assumes readers have foundational knowledge of Microsoft Defender for Identity, Kusto Query Language (KQL), Active Directory, and basic networking principles. Familiarity with the Microsoft 365 or Azure portals and experience with PowerShell will support you in following the labs and step-by-step instructions. For setup, ensure access to the specified software and environments in the following table.

    If you’re familiar with infrastructure-as-code, you can use the Bicep templates provided in the GitHub repository to automate the deployment of the lab setup in your Azure environment.

    If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book’s GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.

    Download the example code files

    You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Microsoft-Defender-for-Identity-in-Depth. If there’s an update to the code, it will be updated in the GitHub repository.

    We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

    Conventions used

    There are a number of text conventions used throughout this book.

    Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: A .json configuration setting file with connection information to your MDI instance.

    A block of code is set as follows:

    $AccessKey = <>

    Set-Location $PathForDestinationFiles

    # The installer name contains spaces, so call it with the call operator and a quoted path
    & ".\Azure ATP sensor Setup.exe" /quiet NetFrameworkCommandLineArguments=/q AccessKey=$AccessKey

    When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

    Connect-MgGraph -Scopes Application.ReadWrite.All

    New-MgServicePrincipal -AppId

    Any command-line input or output is written as follows:

    sudo nano /etc/tinyproxy/tinyproxy.conf

    Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: Navigate to the Sensor Installation Page. You have two options to reach the Add Sensor page.

    Tips or important notes

    Appear like this.

    Get in touch

    Feedback from our readers is always welcome.

    General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

    Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

    Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

    If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

    Share Your Thoughts

    Once you’ve read Microsoft Defender for Identity in Depth, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

    Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

    Download a free PDF copy of this book

    Thanks for purchasing this book!

    Do you like to read on the go but are unable to carry your print books everywhere?

    Is your eBook purchase not compatible with the device of your choice?

    Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

    Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

    The perks don’t stop there: you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

    Follow these simple steps to get the benefits:

    Scan the QR code or visit the link below

    https://packt.link/free-ebook/9781835884485

    Submit your proof of purchase

    That’s it! We’ll send your free PDF and other benefits to your email directly

    Part 1: Mastering the Fundamentals of Microsoft Defender for Identity

    This part provides an essential foundation for understanding Microsoft Defender for Identity (MDI). You’ll be introduced to MDI’s critical role in protecting against identity-based threats, guided through the deployment process, and equipped with automation techniques using PowerShell for streamlined management. This section is designed to give you a strong grasp of MDI’s functionality and how to integrate it into your broader security strategy.

    This part includes the following chapters:

    Chapter 1, Introduction to Microsoft Defender for Identity

    Chapter 2, Setting up Microsoft Defender for Identity

    Chapter 3, Leveraging MDI PowerShell for Automation and Management

    Chapter 1: Introduction to Microsoft Defender for Identity

    In this opening chapter, we set out on the journey of Microsoft Defender for Identity (MDI) and its critical role within the evolving threat landscape. We’ll gain insight into the strategic importance of MDI within the broader cybersecurity ecosystem, learning how it serves as a fundamental tool in Identity Threat Detection and Response (ITDR), a term coined by Gartner. This chapter explores how MDI fits into that ecosystem, providing vital tools for protecting against identity-based threats.

    Instead of jumping straight into the technical setup, we’ll take time to explore the why behind MDI. Understanding these foundational aspects will give you a solid grasp of how MDI fits into a comprehensive security strategy. By the end of this chapter, you’ll not only appreciate the capabilities of MDI but also how it helps to fortify your defenses against identity-centric attacks.

    These insights are crucial for IT professionals and cybersecurity experts tasked with safeguarding Active Directory (AD) – a common target for adversaries. A successful attack on AD can lead to unauthorized access or even allow attackers to gain complete control over an environment, posing a severe threat to an organization’s security and stability.

    In this chapter, we will cover the following:

    The growing threat landscape and the role of MDI in ITDR

    Modern identity threats and strategic defense frameworks

    MDI’s strategic position in the cybersecurity ecosystem

    Unpacking key features and benefits of MDI

    Let’s get started!

    The growing threat landscape and the role of MDI in ITDR

    As we begin this journey through the area of cybersecurity, we find ourselves navigating an ever-expanding threat landscape. The digital age, while bringing unparalleled convenience and connectivity, also introduces complex challenges that demand sophisticated solutions.

    ITDR was identified by Gartner Inc., an IT research and advisory company (which also coined the term), as one of the top security and risk management trends that IT and security leaders need a strategy for. Adversaries, attackers, hackers, whatever we choose to call them, abuse access and identities, and their attacks focus on identity compromise, lateral movement, and privilege escalation. Therefore, we need tools and processes to detect, investigate, and respond to these types of threats to efficiently defend our organization. If we think of ITDR as a security discipline rather than just a product, one that gives us visibility into credential abuse, privilege escalation attempts, and entitlement exposure, my opinion is that we can then understand our environment better and take appropriate action on our security posture.

But what is ITDR? Before we answer that question, I want you to look at how much our attack surface has expanded in just a few years. Attackers are changing tactics, and the spotlight on protecting our identities has never been brighter than it is now. While firewalls once served as our primary security boundary, the current landscape suggests that identity management is becoming a central element of security strategies. I believe this shift is driven by the rising number of password spray attacks, fundamental security misconfigurations – especially in implementing multifactor authentication (MFA) – and a lack of visibility into our data, leaving us remarkably vulnerable. Just before I began to write this book, Microsoft experienced an interesting nation-state attack from the group known as Midnight Blizzard, also referred to as NOBELIUM. The group is known for its password-spray attacks during 2021 against Cloud Solution Providers (CSPs) and Managed Service Providers (MSPs), and in January 2024 for gaining initial access through a password-spray attack against a legacy test OAuth application that had elevated privileged access.

    Now, back to the question – what is ITDR? In this case, we are joining Identity and Access Management (IAM) together with Extended Detection and Response (XDR). Many times, organizations are divided in the same way, where the identity team handles the IAM solution and products and the SecOps team handles the XDR functionality. In Microsoft terminology, the identity team looks at Microsoft Entra ID (formerly Azure AD) and AD. SecOps then looks at Defender XDR and Microsoft Sentinel. Some organizations only use cloud identities in Microsoft Entra ID, and other organizations use hybrid identities with AD and other third-party identity providers (such as Okta). The goal of an ITDR solution is to get signals from all those areas, regardless of where the identity resides.

In short, we want the capability to prevent, detect, and respond to identity-related threats. Attacks typically start with phishing or other social engineering tactics, ranging up to more sophisticated attacks that target the IAM infrastructure itself to exploit vulnerabilities in that area. If the attacker is successful, this can lead to unauthorized access to sensitive information, data exfiltration, ransomware deployment, and more. IAM’s job is to ensure that the right people have the right access to files, systems, apps, and so on, so that they can do their jobs without exposing those resources to the risk of compromise.

    In this book, we will be focusing on AD and MDI as our ITDR product. Other ITDR products from Microsoft will then be, as we learned earlier, Microsoft Entra ID, Microsoft Entra ID Protection, and Microsoft Defender XDR, and if you are invested in the Microsoft security ecosystem, you will then have your entire ITDR solution in place.

It is highly recommended not to rely on MDI as the only protection for your AD deployment, but also to explore common entry points in order to reduce the attack surface. Such “close the gap” exercises or best practices could include implementing tiering, not using
