Domain 2: Respond to Security Incidents (Module 3 of 10)

Identity Threats: Entra & Defender for Identity

Compromised identities are behind most breaches. Learn how to investigate and remediate compromised accounts from Microsoft Entra ID and lateral movement alerts from Defender for Identity.

Why identity is the new perimeter

Simple explanation

Firewalls protect the building. Identity protects the person.

In a world where employees work from home, coffee shops, and airports, the network perimeter is meaningless. What matters is: who is logging in, from where, and is it really them?

Entra ID Protection (the risk-detection feature of Entra ID, Microsoft’s cloud identity service) detects compromised cloud accounts — impossible travel, password spray, token theft. Defender for Identity (MDI) watches your on-premises Active Directory for lateral movement, credential theft, and reconnaissance.

Together, they cover the full identity attack surface: cloud + on-premises.

Entra ID: cloud identity threats

Common Entra ID risk detections

Detection | What It Means | Risk Level
--------- | ------------- | ----------
Impossible travel | User signs in from New Zealand, then Germany 30 minutes later | High
Password spray | Multiple accounts targeted with common passwords | High
Unfamiliar sign-in properties | New device, new browser, new location | Medium
Anonymous IP | Sign-in from Tor, VPN, or anonymous proxy | Medium
Leaked credentials | User’s credentials found in a public breach database | High
Token theft | Adversary-in-the-middle attack stealing session tokens | High
Malicious IP | Sign-in from an IP associated with known attacks | High

Investigation workflow for compromised Entra ID accounts

  1. Review the risk detection — what triggered it? (impossible travel, password spray, etc.)
  2. Check sign-in logs — when, where, what device, what app
  3. Check audit logs — did the attacker change anything? (MFA methods, email forwarding rules, app consent)
  4. Check for lateral activity — did the account access other resources, send emails, or create apps?
  5. Remediate:
    • Reset password
    • Revoke all refresh tokens and sessions
    • Re-register MFA (if MFA methods were modified)
    • Review and remove suspicious app consents
    • Check for inbox rules and mailbox forwarding

Scenario: James investigates impossible travel

James at Pacific Meridian sees a High-risk alert: “Impossible travel — user signed in from Auckland NZ at 9:00 AM, then from Moscow at 9:15 AM.”

Investigation:

  • Sign-in logs show the Moscow sign-in used a different device and browser
  • The Auckland sign-in was the user’s normal work device
  • Audit logs show the Moscow session changed the user’s MFA phone number and created a mail forwarding rule to an external address

This is a confirmed account compromise.

Remediation:

  • Reset password immediately
  • Revoke all sessions
  • Remove the malicious MFA phone number and re-register the legitimate one
  • Delete the forwarding rule
  • Check if any sensitive emails were forwarded before detection
  • Block the Moscow IP as an indicator
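The five-step investigation workflow above and James's scenario, worked through as code. This is an added example, not code from the page or from Microsoft: the record field names are simplified stand-ins for Entra ID sign-in and audit log entries, and the user names, IPs, coordinates, audit activity strings and the 900 km/h speed threshold are constructed assumptions. It flags the Auckland-to-Moscow pair as impossible travel, pulls the audit events that followed the suspect sign-in, and turns them into the remediation list the scenario arrives at.

```python
"""Worked triage of an impossible-travel detection (added example; not code from
the page or from Microsoft). Field names below are simplified stand-ins for Entra
ID sign-in and audit log entries, and the coordinates, IPs and the 900 km/h
speed threshold are constructed/illustrative assumptions."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in records mirroring the scenario (Auckland 09:00, Moscow 09:15).
SIGNINS = [
    {"user": "j.smith@example.com", "time": "2024-05-01T09:00:00", "city": "Auckland",
     "lat": -36.85, "lon": 174.76, "device": "LAPTOP-JS01", "browser": "Edge", "ip": "203.0.113.10"},
    {"user": "j.smith@example.com", "time": "2024-05-01T09:15:00", "city": "Moscow",
     "lat": 55.75, "lon": 37.62, "device": "Unknown", "browser": "Chrome", "ip": "198.51.100.7"},
    {"user": "a.lee@example.com", "time": "2024-05-01T09:05:00", "city": "Auckland",
     "lat": -36.85, "lon": 174.76, "device": "LAPTOP-AL02", "browser": "Edge", "ip": "203.0.113.11"},
]
# Constructed audit records; "activity" strings imitate Entra / Exchange audit names.
AUDITS = [
    {"user": "j.smith@example.com", "time": "2024-05-01T09:18:00", "ip": "198.51.100.7",
     "activity": "User registered security info", "detail": "phone +7-000-0000 (constructed)"},
    {"user": "j.smith@example.com", "time": "2024-05-01T09:20:00", "ip": "198.51.100.7",
     "activity": "New-InboxRule", "detail": "ForwardTo ext-relay@example.net"},
    {"user": "a.lee@example.com", "time": "2024-05-01T10:00:00", "ip": "203.0.113.11",
     "activity": "Update user", "detail": "jobTitle"},
]
# Audit activities that indicate the attacker changed something for persistence.
SUSPICIOUS_ACTIVITIES = {
    "User registered security info": "MFA method changed",
    "New-InboxRule": "inbox rule created",
    "Set-Mailbox": "mailbox forwarding changed",
    "Consent to application": "app consent granted",
}

def parse(ts):
    return datetime.fromisoformat(ts)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    h = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def find_impossible_travel(signins, max_speed_kmh=900.0):
    """Step 1: flag consecutive sign-ins by one user whose implied speed beats an airliner."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s["time"]):
        by_user.setdefault(s["user"], []).append(s)
    findings = []
    for user, events in by_user.items():
        for a, b in zip(events, events[1:]):
            dist = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = max((parse(b["time"]) - parse(a["time"])).total_seconds(), 1) / 3600
            speed = dist / hours
            if speed > max_speed_kmh:
                findings.append({"user": user, "from": a, "to": b,
                                 "distance_km": round(dist), "speed_kmh": round(speed)})
    return findings

def correlate_audit(finding, audits, window_hours=24):
    """Step 3: audit events for the user after the suspect sign-in that indicate tampering."""
    start = parse(finding["to"]["time"])
    end = start + timedelta(hours=window_hours)
    hits = []
    for e in audits:
        if e["user"] == finding["user"] and start <= parse(e["time"]) <= end \
                and e["activity"] in SUSPICIOUS_ACTIVITIES:
            hits.append({**e, "why": SUSPICIOUS_ACTIVITIES[e["activity"]],
                         "same_ip_as_suspect": e["ip"] == finding["to"]["ip"]})
    return hits

def triage(signins, audits):
    """Steps 1-5: detection, sign-in context, audit correlation, verdict, remediation list."""
    report = []
    for f in find_impossible_travel(signins):
        hits = correlate_audit(f, audits)
        new_device = f["to"]["device"] != f["from"]["device"]   # step 2: sign-in context
        steps = ["Reset password", "Revoke all refresh tokens and sessions"]
        for h in hits:
            if h["why"] == "MFA method changed":
                steps.append("Re-register MFA; remove " + h["detail"])
            elif h["why"] in ("inbox rule created", "mailbox forwarding changed"):
                steps.append("Delete rule/forwarding: " + h["detail"])
                steps.append("Check what mail left before detection")
            elif h["why"] == "app consent granted":
                steps.append("Remove app consent: " + h["detail"])
        steps.append("Block indicator IP " + f["to"]["ip"])
        report.append({"user": f["user"], "speed_kmh": f["speed_kmh"], "new_device": new_device,
                       "audit_hits": len(hits),
                       "verdict": "confirmed compromise" if hits and new_device else "needs analyst review",
                       "remediation": steps})
    return report

if __name__ == "__main__":
    for r in triage(SIGNINS, AUDITS):
        print(r["user"], r["verdict"], f"{r['speed_kmh']} km/h")
        for step in r["remediation"]:
            print("  -", step)
```

The verdict is only "confirmed" when both a new device and a tampering audit event line up; an impossible-travel hit on its own (a VPN egress change, for example) stays at "needs analyst review", which is the caveat the Medium-risk rows in the table above are really about.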

Defender for Identity: on-premises threats

Common MDI detections

Detection | Attack Technique | MITRE ATT&CK
--------- | ---------------- | ------------
LDAP reconnaissance | Attacker queries AD to map users, groups, and permissions | Discovery (T1087)
Kerberoasting | Request TGS tickets for service accounts to crack offline | Credential Access (T1558)
Pass-the-hash | Use stolen NTLM hash to authenticate without password | Lateral Movement (T1550)
Pass-the-ticket | Use stolen Kerberos ticket to impersonate a user | Lateral Movement (T1550)
DCSync | Impersonate a domain controller to replicate password hashes | Credential Access (T1003)
Suspicious service creation | Create a service on a remote machine for persistence | Persistence (T1543)
Honeytoken activity | Access to a decoy account designed to detect attackers | Early warning

Investigation workflow for MDI alerts

  1. Review the MDI alert — what technique was detected? What accounts and devices are involved?
  2. Check the attack timeline — MDI shows the sequence of activities on the entity page
  3. Correlate with Entra ID — did the same user trigger cloud-side risk detections?
  4. Check lateral movement paths — MDI maps potential lateral movement paths through the organisation
  5. Remediate:
    • Reset the compromised account’s password
    • Rotate credentials for any service accounts involved
    • Check for persistence mechanisms (scheduled tasks, services, registry keys)
    • Review Group Policy for unauthorised changes
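
The MDI detection table and the MDI investigation workflow above, worked through as detection logic over sample events. This is an added example and not Defender for Identity's own logic (MDI analyses domain-controller network traffic; this code uses the host-side analogue, Windows Security event 4769 "A Kerberos service ticket was requested"). The account, host, SPN and decoy names, the 4769 field subset, and the 3-services-in-10-minutes threshold are constructed assumptions. It flags the Kerberoasting pattern (one account pulling RC4-encrypted service tickets for many service accounts in quick succession), raises a honeytoken hit for the decoy account, and emits the step-5 remediation list for the finding.

```python
"""Kerberoasting and honeytoken detection over constructed Windows Security
event 4769 records (added example; not Defender for Identity's own logic, which
analyses domain-controller network traffic). Assumptions: 4769 = 'A Kerberos
service ticket was requested'; TicketEncryptionType 0x17 = RC4-HMAC, 0x12 =
AES256; account, host and SPN names are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
HONEYTOKEN_SERVICES = {"svc-legacy-backup"}   # constructed decoy account, never used legitimately

def ev(t, account, service, etype, ip):
    return {"EventID": 4769, "TimeCreated": t, "TargetUserName": account,
            "ServiceName": service, "TicketEncryptionType": etype, "IpAddress": ip}

# Constructed events: j.smith pulls RC4 tickets for many service accounts in seconds
# (and touches the decoy); a.lee and b.kim show ordinary, low-volume behaviour.
EVENTS = [
    ev("2024-05-02T10:00:05", "j.smith", "svc-sql", RC4_HMAC, "10.0.0.25"),
    ev("2024-05-02T10:00:07", "j.smith", "svc-web", RC4_HMAC, "10.0.0.25"),
    ev("2024-05-02T10:00:09", "j.smith", "svc-backup", RC4_HMAC, "10.0.0.25"),
    ev("2024-05-02T10:00:11", "j.smith", "svc-sharepoint", RC4_HMAC, "10.0.0.25"),
    ev("2024-05-02T10:03:00", "j.smith", "svc-legacy-backup", RC4_HMAC, "10.0.0.25"),
    ev("2024-05-02T10:05:00", "a.lee", "svc-sql", "0x12", "10.0.0.31"),
    ev("2024-05-02T10:06:00", "a.lee", "WS01$", RC4_HMAC, "10.0.0.31"),
    ev("2024-05-02T10:30:00", "b.kim", "svc-legacyapp", RC4_HMAC, "10.0.0.40"),
]

def is_roastable(e):
    """Only user-style service accounts matter: computer accounts ($) and krbtgt have
    long random keys that offline cracking will not recover."""
    svc = e["ServiceName"]
    return not svc.endswith("$") and svc.lower() != "krbtgt"

def detect_kerberoasting(events, min_distinct=3, window=timedelta(minutes=10)):
    """One account requesting RC4 service tickets for >= min_distinct service
    accounts within `window` is the classic Kerberoasting pattern."""
    by_account = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC and is_roastable(e):
            by_account[e["TargetUserName"]].append(e)
    findings = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, first in enumerate(evs):
            start = datetime.fromisoformat(first["TimeCreated"])
            in_window = [e for e in evs[i:]
                         if datetime.fromisoformat(e["TimeCreated"]) - start <= window]
            services = sorted({e["ServiceName"] for e in in_window})
            if len(services) >= min_distinct:
                findings.append({"account": account, "source_ip": first["IpAddress"],
                                 "window_start": first["TimeCreated"], "services": services,
                                 "technique": "Credential Access (T1558)"})
                break   # one finding per account is enough to open an investigation
    return findings

def detect_honeytoken(events):
    """Any ticket request naming a decoy account is an immediate early-warning hit."""
    return [{"account": e["TargetUserName"], "source_ip": e["IpAddress"],
             "service": e["ServiceName"], "time": e["TimeCreated"]}
            for e in events if e["ServiceName"] in HONEYTOKEN_SERVICES]

def remediation_plan(finding):
    """Remediation list following the MDI workflow (step 5) plus Entra correlation (step 3)."""
    steps = [f"Reset password for {finding['account']} and revoke its sessions",
             f"Check {finding['source_ip']} for persistence (services, scheduled tasks, registry keys)"]
    steps += [f"Rotate credentials for service account {s}" for s in finding["services"]]
    steps.append(f"Correlate {finding['account']} with Entra ID risk detections")
    steps.append("Review Group Policy for unauthorised changes")
    return steps

if __name__ == "__main__":
    for f in detect_kerberoasting(EVENTS):
        print(f["account"], "from", f["source_ip"], "->", f["services"])
        for step in remediation_plan(f):
            print("  -", step)
    for h in detect_honeytoken(EVENTS):
        print("HONEYTOKEN:", h["account"], "requested", h["service"], "from", h["source_ip"])
```

Two design points a practitioner would check: a single RC4 request (b.kim's legacy application) stays below the threshold, so the rule keys on breadth across service accounts rather than on RC4 alone; and the honeytoken check has no threshold at all, which is exactly why the table lists it as "Early warning" rather than mapping it to a technique.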

Entra ID covers cloud identity; MDI covers on-premises AD — use both for full coverage

Feature | Entra ID Protection | Defender for Identity
------- | ------------------- | ---------------------
Environment | Cloud (Entra ID / Azure AD) | On-premises (Active Directory)
Detection method | Machine learning on sign-in telemetry | Network traffic analysis on domain controllers
Threats detected | Impossible travel, password spray, token theft, leaked creds | Kerberoasting, pass-the-hash, DCSync, LDAP recon, lateral movement
Data source | Sign-in logs, audit logs | Domain controller traffic (port mirroring or ADFS)
Remediation | Reset password, revoke tokens, re-register MFA | Reset passwords, rotate service account creds, check persistence
Integration | Feeds into Defender XDR incidents + Conditional Access | Feeds into Defender XDR incidents + Sentinel

Exam tip: Entra ID Protection vs Defender for Identity

The exam tests whether you know which product handles which scenario:

  • “User signs in from impossible location” → Entra ID Protection
  • “Attacker performs pass-the-hash on domain controller” → Defender for Identity
  • “Kerberoasting detected” → Defender for Identity
  • “Leaked credentials found in public breach” → Entra ID Protection
  • “Suspicious LDAP queries from a workstation” → Defender for Identity

Rule of thumb: if it involves sign-in behaviour or cloud tokens, it is Entra ID. If it involves AD protocols or domain controller traffic, it is MDI.

Question

What are the key remediation steps for a compromised Entra ID account?

Answer

1. Reset password. 2. Revoke all refresh tokens and sessions. 3. Re-register MFA if methods were changed. 4. Remove suspicious app consents. 5. Delete malicious inbox rules and forwarding. 6. Check for data access or email forwarding during the compromise window.

Question

What is Kerberoasting and which product detects it?

Answer

Kerberoasting is an attack where an attacker requests Kerberos TGS tickets for service accounts and cracks them offline to obtain passwords. Microsoft Defender for Identity (MDI) detects this by monitoring abnormal TGS request patterns on domain controllers.

Question

What is the difference between Entra ID Protection and Defender for Identity?

Answer

Entra ID Protection monitors cloud sign-in behaviour (impossible travel, password spray, token theft). Defender for Identity monitors on-premises Active Directory traffic (pass-the-hash, Kerberoasting, LDAP recon, lateral movement). Use both for full identity coverage.

Knowledge Check

An Entra ID alert shows a user signed in from Auckland at 9:00 AM and from Moscow at 9:15 AM. The Moscow session changed the user's MFA phone number. What is the priority remediation action?

Knowledge Check

Defender for Identity detects Kerberoasting activity targeting a service account on Pacific Meridian's domain. What should James do?

Next up: Identity threats are handled. Now let’s investigate shadow IT and risky cloud apps with Defender for Cloud Apps.