Microsoft Defender Exposure Management provides a wide range of recommendations across different areas, including identities. When Microsoft Defender for Identity is deployed, these recommendations become particularly valuable and actionable. They offer detailed insights for improving on-premises Active Directory hygiene, such as identifying stale users and objects, overprivileged accounts, and other identity risks.
Active Directory remains one of the primary attack vectors in many organizations, making ongoing hygiene and remediation activities increasingly critical.
In the Microsoft Defender portal, navigate to Exposure Management → Recommendations → Identities, and apply a filter for Defender for Identity. This filters the view to Active Directory–related tasks and recommendations. To see all Identity recommendations, just don’t apply the filter.

These example screenshots illustrate some key insights:
- All Active Directory hygiene recommendations
- A specific recommendation about “Remove dormant accounts from sensitive groups”
- All exposed entities for that recommendation (a closer look reveals that some accounts have not logged in for several years!)
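The dormant-accounts-in-sensitive-groups condition can also be checked directly against the domain, which is useful for validating the portal's findings or for domains not yet onboarded to Defender for Identity. The script below is an added example, not from the original post; it assumes the RSAT ActiveDirectory module and read access to the domain, and the group list and the 180-day threshold are assumed values to adjust to your own policy.

```powershell
# Added example (not part of the original post): list members of sensitive AD groups
# that have not logged on within the threshold, the same condition behind the
# Defender recommendation "Remove dormant accounts from sensitive groups".
# Assumptions: RSAT ActiveDirectory module available; group names and the
# 180-day threshold are placeholders for your own policy.
Import-Module ActiveDirectory

$SensitiveGroups  = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$DormantAfterDays = 180
$Cutoff           = (Get-Date).AddDays(-$DormantAfterDays)

$Findings = foreach ($Group in $SensitiveGroups) {
    # -Recursive expands nested groups so indirectly privileged users are not missed
    $Members = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($Member in $Members) {
        # LastLogonDate is derived from lastLogonTimestamp, which replicates with up to
        # ~14 days of lag, so read it as "last logon at least this recent", not exact.
        $User = Get-ADUser -Identity $Member.distinguishedName `
            -Properties LastLogonDate, PasswordLastSet, Enabled, whenCreated

        $LastLogon = $User.LastLogonDate
        # A null LastLogonDate means the account has never logged on since it was created
        $IsDormant = ($null -eq $LastLogon -and $User.whenCreated -lt $Cutoff) -or
                     ($null -ne $LastLogon -and $LastLogon -lt $Cutoff)

        if ($IsDormant) {
            [PSCustomObject]@{
                Group           = $Group
                SamAccountName  = $User.SamAccountName
                Enabled         = $User.Enabled
                LastLogonDate   = $LastLogon
                PasswordLastSet = $User.PasswordLastSet
                DaysSinceLogon  = if ($LastLogon) { [int]((Get-Date) - $LastLogon).TotalDays } else { $null }
            }
        }
    }
}

# Review before acting: disable the account first, then remove the group membership
# once the owner confirms it is no longer needed.
$Findings | Sort-Object Group, DaysSinceLogon -Descending | Format-Table -AutoSize
$Findings | Export-Csv -Path '.\dormant-sensitive-members.csv' -NoTypeInformation
```

Enabled accounts with a very old or null LastLogonDate are the ones to triage first; disabled ones still matter because membership in a privileged group survives re-enablement.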
Bringing Defender for Endpoint into the Game
Defender for Identity operates on Domain Controller telemetry: it sees authentication events, Kerberos anomalies, replication abuse, etc. But it can't see much further. Running Defender for Identity alongside Defender for Endpoint gives you correlated attack-chain visibility across the identity and the device layer. With Defender for Identity alone, you also lose the ability to isolate a compromised device. DFI can raise an alert, but it has no device-level response capability.
Together, these two Defender services provide a powerful solution to detect complex attacks, starting on the device or on the identity (or both).
