Integrate with other Microsoft tools

Architecture and integration of Microsoft Defender XDR components.

Microsoft Defender for Identity is a cloud-based security solution fully integrated with Microsoft Defender XDR. As a native component of the Microsoft Defender XDR platform, Defender for Identity contributes identity intelligence — including on-premises AD signals and Microsoft Entra ID signals — to correlated alerts and incidents shared across all Defender workloads in the unified Microsoft Defender portal.

This unified experience means that on-premises identity activities and cloud application activities appear together in the same alert queue and incident graph. Alerts from Defender for Identity, Microsoft Defender for Cloud Apps, and Defender for Endpoint are automatically correlated into incidents, giving you combined insights across your cloud and on-premises environments without any separate integration steps. The following screenshot shows Microsoft Defender for Identity reporting within the Microsoft Defender portal.

Screen capture of Microsoft Defender for Identity reporting within the Microsoft Defender portal.

Microsoft Defender for Identity also works alongside Microsoft Defender for Endpoint within the unified platform. While Defender for Identity monitors the traffic on your domain controllers, Defender for Endpoint monitors your endpoints — together contributing their signals to the shared incident and alert queue in the Microsoft Defender portal. You can select any endpoint in the portal to view Defender for Identity alerts associated with that device.

Screenshot of Microsoft Defender portal showing Defender for Identity alerts on an endpoint.
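The shared-entity correlation described above, as an added Python example that is not part of this page or of any Microsoft product code: it groups constructed alerts from the three workloads into incidents whenever they share a device or account entity, filters one device's alerts down to those raised by Defender for Identity, and produces the incident timeline. The alert ids, titles, device and account names are constructed for illustration, and "shares an entity" is a deliberate simplification of the portal's own correlation logic.

```python
from collections import defaultdict

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample alerts from three Defender workloads (illustrative, not real
# portal data). Each alert lists the entities (device / account) it was raised on.
ALERTS = [
    {"alert_id": "da-001", "time": "2024-05-01T08:02:00",
     "source": "Microsoft Defender for Endpoint", "severity": "High",
     "title": "Malware was detected on the device",
     "entities": {("device", "ws01")}},
    {"alert_id": "da-002", "time": "2024-05-01T08:05:00",
     "source": "Microsoft Defender for Identity", "severity": "High",
     "title": "Suspected identity theft (pass-the-hash)",
     "entities": {("device", "ws01"), ("account", "contoso\\jdoe")}},
    {"alert_id": "da-003", "time": "2024-05-01T08:09:00",
     "source": "Microsoft Defender for Cloud Apps", "severity": "Medium",
     "title": "Impossible travel activity",
     "entities": {("account", "contoso\\jdoe")}},
    {"alert_id": "da-004", "time": "2024-05-01T09:30:00",
     "source": "Microsoft Defender for Endpoint", "severity": "Low",
     "title": "Suspicious PowerShell command line",
     "entities": {("device", "srv07")}},
]


def _find(parent, x):
    # Path-compressing find for the union-find over alert ids.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def correlate(alerts):
    """Group alerts into incidents: two alerts land in the same incident when
    they share at least one entity, directly or through a chain of alerts."""
    parent = {a["alert_id"]: a["alert_id"] for a in alerts}
    first_alert_for_entity = {}
    for a in alerts:
        for ent in a["entities"]:
            if ent in first_alert_for_entity:
                ra = _find(parent, a["alert_id"])
                rb = _find(parent, first_alert_for_entity[ent])
                if ra != rb:
                    parent[ra] = rb
            else:
                first_alert_for_entity[ent] = a["alert_id"]
    groups = defaultdict(list)
    for a in alerts:
        groups[_find(parent, a["alert_id"])].append(a)
    incidents = []
    for members in groups.values():
        members.sort(key=lambda a: a["time"])  # ISO timestamps sort lexically
        incidents.append({
            "alerts": members,
            "entities": set().union(*(a["entities"] for a in members)),
            "sources": sorted({a["source"] for a in members}),
            "severity": max((a["severity"] for a in members),
                            key=SEVERITY_RANK.__getitem__),
        })
    incidents.sort(key=lambda inc: inc["alerts"][0]["time"])
    return incidents


def alerts_for_device(alerts, device, source=None):
    """Alerts raised on a device, optionally restricted to one workload
    (mirrors selecting an endpoint in the portal and viewing its identity alerts)."""
    return [a for a in alerts
            if ("device", device) in a["entities"]
            and (source is None or a["source"] == source)]


def timeline(incident):
    """Chronological (time, source, title) rows for an incident."""
    return [(a["time"], a["source"], a["title"]) for a in incident["alerts"]]


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc["severity"], inc["sources"])
        for row in timeline(inc):
            print("   ", *row)
```

Running the block prints two incidents: one High-severity incident that chains the endpoint malware alert, the Defender for Identity pass-the-hash alert and the Cloud Apps alert through the shared device `ws01` and account `contoso\jdoe`, and a second, unrelated Low-severity incident on `srv07`.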

Having this level of insight into the processes running on a system allows an analyst to locate the sequence of events that led to a compromise of the network. In the screenshot below, there are high severity alerts pointing to malware being installed on the system.

High severity malware alert.

Clicking into the alert verifies that a Pass-the-Hash (PtH) attack occurred using the tool Mimikatz. Under the actions for the alert, we can also review a timeline of events surrounding the credential theft.

Review a timeline of events surrounding the credential theft.

Other integrations

Microsoft Defender for Identity extends its protection to other identity sources and security platforms:

  • Privileged Access Management (PAM) platforms — Defender for Identity integrates with CyberArk, Delinea, and BeyondTrust to detect threats targeting privileged accounts managed by those platforms.
  • Okta — Defender for Identity can monitor Okta sign-ins and activity, enabling detection of suspicious identity events in hybrid environments that include cloud identity providers.
  • Microsoft Security Copilot — Identity insights from Defender for Identity flow into Microsoft Security Copilot, helping analysts triage and investigate incidents faster using natural language.