How To Block Malware Attacks With Azure Advanced Threat Protection
Azure Advanced Threat Protection — now called Microsoft Defender for Identity — detects and blocks malware, lateral movement, and credential attacks on enterprise networks. This guide covers ATP policy setup, threat detection rules, and automated response for organizations running Azure and Microsoft 365.
Key facts
- Azure ATP is now Microsoft Defender for Identity — same product, rebranded in 2021.
- Defender for Identity monitors Active Directory, Azure AD, and on-premises DCs for suspicious behavior.
- It detects pass-the-hash, pass-the-ticket, golden ticket, and lateral movement attacks in real time.
- Integrates with Microsoft Sentinel for centralized SIEM alerting and automated response playbooks.
- HIPAA, SOC 2, FedRAMP, and CMMC all require identity threat detection controls — Defender for Identity satisfies each.
- EPC Group has 29 years of Microsoft security consulting. We hold core Microsoft Solutions Partner designations.
What is Microsoft Defender for Identity?
Microsoft Defender for Identity (formerly Azure ATP) is a cloud-powered security service. It analyzes signals from on-premises Active Directory and Azure AD to detect attacks before they spread.
The sensor deploys on domain controllers. It watches authentication events, DNS queries, and LDAP traffic. When it spots anomalous behavior, it triggers an alert and can block the account automatically.
- Behavioral baselines — learns normal user and device patterns over 30 days.
- Attack detection — flags credential harvesting, brute force, and privilege escalation.
- Lateral movement paths — maps how an attacker could move from a compromised account to a domain admin.
- Integration — feeds alerts to Microsoft Defender XDR and Microsoft Sentinel.
How to configure ATP policies
Defender for Identity policy setup has four main steps.
- Deploy sensors — install the lightweight sensor on every domain controller. The sensor captures traffic locally and forwards it to the Defender for Identity cloud service.
- Connect to Microsoft 365 Defender — link the Defender for Identity workspace to the Microsoft Defender portal for unified incident management.
- Configure detection policies — enable built-in detections for lateral movement, reconnaissance, and persistence. Review sensitivity levels for your environment.
- Set automated response actions — configure policies to disable accounts or require MFA on high-confidence alerts. Pair with Microsoft Sentinel playbooks for ticket creation.
Threat detection: what it catches
Defender for Identity covers four attack categories.
- Reconnaissance — LDAP enumeration, DNS recon, account enumeration using SAMR.
- Credential attacks — brute force, password spray, pass-the-hash, pass-the-ticket.
- Privilege escalation — golden ticket forgery, skeleton key malware, DCSync.
- Lateral movement — over-pass-the-hash, remote code execution via WMI or PsExec.
Each alert includes a kill chain stage, confidence rating, and a full evidence timeline. Your SOC team can act without pivoting to a separate console.
Automated response options
Manual review is too slow for credential attacks. Defender for Identity gives you three automation paths.
- Account suspension — automatically disable an account when a high-confidence alert fires.
- Conditional Access integration — trigger step-up MFA for risky sign-ins detected by Entra ID Identity Protection.
- Sentinel playbooks — run Logic Apps workflows to isolate endpoints, notify the SOC, and create ServiceNow tickets.
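The detection categories above and the three automation paths map naturally onto a small detection-to-response pipeline. The block below is an added example written for this page; it is not code from the article, from EPC Group, or from Microsoft. It scores a stream of constructed logon events for brute force and password spray, emits alerts that carry a kill chain stage, a confidence rating and an evidence timeline, and then maps each alert to an automation path. The event shape, thresholds, alert names, window size and the policy table are all assumptions chosen for illustration; real Defender for Identity alerts are produced by the service itself and surfaced through the Defender portal and Sentinel.

```python
"""Toy detection-to-response flow (added example, not the product's logic).

Demonstrates the shape of what the article describes: behavioural detection
over authentication events, alerts with stage/confidence/evidence, and a
policy that picks a containment action. All thresholds and names are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

WINDOW_MINUTES = 10           # assumed: failures counted within 10 minutes
BRUTE_FORCE_FAILURES = 5      # assumed: failures against one account
SPRAY_DISTINCT_ACCOUNTS = 5   # assumed: distinct accounts hit from one source

# Constructed sample events, loosely shaped like logon telemetry:
# (minute, source_host, account, result). None of this is real data.
SAMPLE_EVENTS = [
    (0, "WS-0042", "alice", "Failure"),
    (1, "WS-0042", "alice", "Failure"),
    (2, "WS-0042", "alice", "Failure"),
    (3, "WS-0042", "alice", "Failure"),
    (4, "WS-0042", "alice", "Failure"),
    (5, "WS-0042", "alice", "Success"),   # brute force that eventually worked
    (7, "WS-0190", "bob", "Failure"),
    (7, "WS-0190", "carol", "Failure"),
    (8, "WS-0190", "dave", "Failure"),
    (8, "WS-0190", "erin", "Failure"),
    (9, "WS-0190", "frank", "Failure"),   # one failure each: password spray
    (12, "WS-0007", "grace", "Failure"),
    (30, "WS-0007", "grace", "Success"),  # a single mistyped password: no alert
]


@dataclass
class Alert:
    name: str            # illustrative alert title
    stage: str           # kill chain stage the alert is placed in
    confidence: str      # "High" or "Medium"
    source: str          # host the activity came from
    accounts: list       # accounts involved
    evidence: list = field(default_factory=list)  # events backing the alert


def detect(events, window=WINDOW_MINUTES):
    """Return brute-force and password-spray alerts for a list of events."""
    by_source = defaultdict(list)
    for ev in sorted(events):
        by_source[ev[1]].append(ev)

    alerts = []
    for source, evs in by_source.items():
        failures = [e for e in evs if e[3] == "Failure"]
        if not failures:
            continue
        # Simplification: only the window starting at the first failure.
        start = failures[0][0]
        windowed = [e for e in failures if e[0] - start <= window]
        per_account = defaultdict(list)
        for e in windowed:
            per_account[e[2]].append(e)
        # A later success for a targeted account raises confidence.
        successes = {e[2] for e in evs if e[3] == "Success" and e[0] >= start}

        for account, fails in per_account.items():
            if len(fails) >= BRUTE_FORCE_FAILURES:
                conf = "High" if account in successes else "Medium"
                alerts.append(Alert("Suspected brute-force attack",
                                    "Credential Access", conf, source,
                                    [account], fails))
        many_accounts = len(per_account) >= SPRAY_DISTINCT_ACCOUNTS
        few_each = all(len(f) < BRUTE_FORCE_FAILURES
                       for f in per_account.values())
        if many_accounts and few_each:
            hit = sorted(per_account)
            conf = "High" if successes & set(hit) else "Medium"
            alerts.append(Alert("Suspected password spray",
                                "Credential Access", conf, source,
                                hit, windowed))
    return alerts


def evidence_timeline(alert):
    """Render the alert's evidence as an ordered, human-readable timeline."""
    return [f"t+{m}m {acct} {result} from {host}"
            for (m, host, acct, result) in alert.evidence]


def choose_response(alert):
    """Map an alert to the automation paths named in the article (assumed policy).

    High confidence: disable the account and open a ticket.
    Medium confidence on a credential attack: require step-up MFA and ticket.
    Anything else: ticket for SOC review only.
    """
    if alert.confidence == "High":
        actions = ["disable_account", "open_ticket"]
    elif alert.stage == "Credential Access":
        actions = ["require_mfa", "open_ticket"]
    else:
        actions = ["open_ticket"]
    return {"actions": actions, "targets": alert.accounts, "source": alert.source}


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.name} [{a.stage}, {a.confidence}] from {a.source}")
        for line in evidence_timeline(a):
            print("   ", line)
        print("    response:", choose_response(a))
```

Running the block produces two alerts from the constructed events: a High-confidence brute force against `alice` from `WS-0042` (disable and ticket) and a Medium-confidence spray from `WS-0190` across five accounts (step-up MFA and ticket); `grace` on `WS-0007` produces nothing. The point of the policy table is the one the article makes: containment strength should follow confidence, so a Medium alert gets a reversible control such as MFA rather than an outright disable.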
Compliance alignment
Regulated industries must log identity threat events and show evidence of active detection. Defender for Identity helps satisfy these requirements.
- HIPAA — access control (§164.312(a)) and audit controls (§164.312(b)) for PHI systems.
- FedRAMP / CMMC — continuous monitoring (AC-17, SI-4) across on-premises and cloud identity stores.
- SOC 2 — threat detection evidence for the Security category of the Trust Services Criteria.
- GDPR — breach detection and notification support under Article 33.
Frequently asked questions
Is Azure ATP the same as Microsoft Defender for Identity?
Yes. Microsoft renamed Azure Advanced Threat Protection to Microsoft Defender for Identity in 2021. The underlying technology is the same. It now appears in the Microsoft Defender XDR portal.
Do I need a domain controller to use Defender for Identity?
Yes. The sensor installs on Active Directory domain controllers. It can also work with AD FS servers. Azure AD-only environments use Entra ID Identity Protection instead.
What licenses include Defender for Identity?
Defender for Identity is included in Microsoft 365 E5, Microsoft 365 E5 Security, and Enterprise Mobility + Security E5. It is also available as a standalone subscription.
How long does deployment take?
Sensor deployment in a standard enterprise with 5–20 domain controllers takes 1–3 days. Full behavioral baseline learning takes 30 days. Initial alerts appear within hours of sensor activation.
Can it block attacks automatically?
Yes. You can configure automated account disabling on high-confidence alerts. Combined with Microsoft Sentinel playbooks, you can isolate endpoints and revoke sessions within minutes of detection.
Does it work in hybrid environments?
Yes. Defender for Identity covers on-premises Active Directory, Azure AD, and hybrid configurations. It correlates signals across both environments in a single incident view.
Talk to a Microsoft security architect
EPC Group has deployed Defender for Identity across healthcare, federal, and Fortune 500 environments. Call (888) 381-9725 or request a 30-minute discovery call to discuss your threat protection requirements.
Why Organizations Choose EPC Group
EPC Group is a Houston-based Microsoft consulting firm with 29 years of enterprise implementation experience and over 10,000 successful deployments across Power BI, Microsoft Fabric, SharePoint, Azure, Microsoft 365, and Copilot. We serve organizations across all industries including Fortune 500, federal agencies, healthcare, financial services, government, manufacturing, energy, education, retail, technology, and global enterprises.
What sets EPC Group apart is our governance-first approach. Every engagement begins with a security and compliance assessment. Our team of senior architects brings hands-on delivery experience across HIPAA, SOC 2, FedRAMP, and CMMC environments. We own outcomes, not hours.
- Fixed-fee accelerators with predictable pricing and defined deliverables
- Senior architect engagement on every project, not rotating juniors
- Compliance-native delivery for regulated industries
- End-to-end coverage from strategy through 24/7 managed services
- 11,000+ enterprise engagements refined into repeatable, risk-controlled patterns
Call (888) 381-9725 or email contact@epcgroup.net for a free assessment.
