Microsoft Solutions Partner — Security · 11,000+ engagements

Microsoft Defender for Identity (ITDR) Enterprise 2026

Behavior-based identity threat detection across hybrid Active Directory and Entra ID — sensors on every DC, AD FS, and AD CS, fused into Microsoft Defender XDR. Deployed end-to-end by a senior-architect-led 29-year Microsoft Solutions Partner.

Book an ITDR briefing Call 888-381-9725

What is Microsoft Defender for Identity (MDI) and how does ITDR protect hybrid Active Directory and Entra ID? Microsoft Defender for Identity is the Microsoft Identity Threat Detection and Response (ITDR) product. It deploys lightweight sensors directly on writable domain controllers, AD FS federation servers, and AD CS certificate authorities to detect behavior-based identity attacks — Pass-the-Hash, Pass-the-Ticket, Golden Ticket, Silver Ticket, Kerberoasting, DCSync, DCShadow, lateral movement, and certificate template (ESC1-ESC11) abuse. MDI signal fuses with Entra ID Identity Protection and the wider Microsoft Defender XDR platform — Endpoint, Cloud Apps, Office 365, and Cloud — to produce a unified hybrid identity incident graph that traditional log-based detection cannot match.

Microsoft Defender for Identity (MDI) is the Microsoft ITDR product for hybrid Active Directory and Entra ID. It runs lightweight sensors on every DC, AD FS, and AD CS server, detects credential-theft and lateral movement attacks in real time, and fuses with the Defender XDR incident graph. EPC Group delivers full MDI activation, Tier 0 hardening, and managed ITDR under a fixed-fee five-phase Accelerator.

Key Facts

MDI is the Microsoft Identity Threat Detection and Response (ITDR) product, formerly Azure ATP
Sensors deploy directly on writable DCs, AD FS servers, and AD CS certificate authorities — no standalone sensor or port mirroring required
Detects Pass-the-Hash, Pass-the-Ticket, Golden Ticket, Silver Ticket, Kerberoasting, DCSync, DCShadow, and AD CS template abuse (ESC1-ESC11)
Included in Microsoft 365 E5, E5 Security, and F5 Security — Entra ID P2 required for full Identity Protection correlation
Fuses with Defender XDR — alerts and entities flow into one cross-domain incident graph with Endpoint, Cloud Apps, Office 365, and Cloud
Entra ID Identity Secure Score and Identity Security Posture surface the AD hardening backlog by attack-path criticality
EPC Group ITDR Accelerator is fixed-fee $150K to $500K depending on directory complexity and Tier 0 hardening scope
29-year Microsoft Solutions Partner — Security; 70+ Fortune 500 clients

What ITDR is, and why identity is now the primary attack surface

Identity Threat Detection and Response (ITDR) is the security category that emerged once the industry realized endpoint detection alone could not see the most damaging part of the attack chain. Modern attackers compromise an endpoint, steal credentials, and then spend days or weeks moving laterally through the identity plane — Kerberos tickets, NTLM hashes, federation tokens, OAuth grants, certificate-template abuse — before staging the final objective. None of that lateral movement is visible to a traditional EDR; it is identity-layer behavior that requires identity-aware sensors and identity-aware detection logic.

Microsoft Defender for Identity is the ITDR product inside the Microsoft Defender XDR platform. It sensors the actual Kerberos, NTLM, Netlogon, LDAP, DNS, and replication traffic on every writable domain controller, the WS-Federation token issuance on every AD FS server, and the certificate issuance and template state on every AD CS certificate authority. The output is behavior-based detection of every major attack class against on-premises Active Directory, fused with Microsoft Entra ID Identity Protection so the hybrid identity attack chain is a single investigation rather than two disconnected consoles.

Every Microsoft 365 E5 customer already owns MDI. The question EPC Group sees across 70+ Fortune 500 assessments is not whether to buy it but whether the sensors are deployed, the integrations are wired, and the Tier 0 hardening backlog has been worked. The platform is paid for; activation is the consulting problem we solve.

MDI architecture — sensors, signal, and Defender XDR fusion

The MDI architecture has four moving parts — sensors on writable domain controllers, sensors on AD FS, sensors on AD CS, and the Defender XDR fusion layer that joins identity signal with the rest of the Microsoft security stack.

MDI sensor on every writable domain controller

Role: Primary signal capture for Kerberos, NTLM, LDAP, DNS, and Netlogon traffic

Lightweight Windows service installed directly on the DC — no port mirroring or dedicated standalone sensor in the modern architecture
Parses Kerberos AS-REQ, TGS-REQ, and Netlogon RPC traffic in real time to detect ticket forgery, Kerberoasting, and replay attacks
Reads the directory service replication stream to detect DCSync, DCShadow, and replication permission abuse
Performance budget under 1 percent CPU and under 350 MB memory on a properly sized DC — validated by Microsoft for production deployment

MDI sensor on AD FS federation servers

Role: Federation token signal — the path attackers take after compromising a federated identity

Captures WS-Trust and WS-Federation token issuance events to detect Golden SAML and federation abuse
Detects suspicious federation trust modification and certificate rollover events that precede token forgery attacks
Correlates with Entra ID sign-in logs through Defender XDR to expose the full federated attack chain
Required when AD FS is in the federation path between on-premises identity and Microsoft 365 — and still common across regulated industries

MDI sensor on AD CS certificate authorities

Role: PKI signal — detection of the ESC1 through ESC11 certificate-template abuse classes

Monitors certificate issuance and template modification on enterprise CAs to detect ESC1 (enrollee-supplied SAN), ESC2 (any-purpose EKU), and ESC4 through ESC11 abuse patterns
Surfaces vulnerable certificate templates and unsafe template ACLs as Identity Security Posture recommendations
Detects when an attacker requests a certificate that maps to a high-privilege account through templated abuse — the modern AD CS attack vector pioneered by SpecterOps
Integrates with the Defender for Endpoint sensor on the same CA to correlate certificate issuance with the binary behavior that requested it

Microsoft Defender XDR data fusion

Role: Cross-domain correlation that turns identity signal into a full attack story

MDI alerts and entities flow into the Defender XDR incident graph alongside Endpoint, Cloud Apps, Office 365, and Cloud signal
Identity-centric incident view shows the user, the device used, the cloud app touched, and the on-premises directory action in a single timeline
Attack disruption can automatically disable a compromised on-premises account, force a Kerberos TGT reset, and revoke Entra ID sessions within minutes
Advanced hunting tables (IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents) join with DeviceEvents and CloudAppEvents for KQL hunting

Six enterprise ITDR detection patterns

Every MDI deployment composes from six detection-and-hardening patterns. They are not optional — they are the minimum coverage an enterprise ITDR program needs against the dominant on-premises Active Directory and hybrid identity attack classes.

Pattern 1 — Lateral movement detection across the Tier 0 plane

Lateral movement is the phase between initial endpoint compromise and full directory takeover, and it is where MDI earns its keep. The sensor on every domain controller correlates Kerberos and Netlogon traffic against the directory service replication stream to detect suspicious authentication chains — a workstation authenticating to a DC using a service account, a help-desk account suddenly enumerating Tier 0 group membership, a previously dormant account performing remote service control across the server estate. EPC Group ships a lateral movement path enrichment that joins MDI signal with Defender for Endpoint device telemetry, so the analyst sees not just the directory anomaly but the binary and command line on the source endpoint that produced it. The result is an investigation queue where the most dangerous attack — quiet horizontal movement under stolen credentials — is detected in minutes rather than the months that traditional log analysis takes.

Pattern 2 — Golden Ticket and Silver Ticket detection

Golden Ticket and Silver Ticket attacks are the canonical post-exploitation Kerberos forgeries — Golden Ticket using a stolen krbtgt hash to forge a TGT for any user, Silver Ticket forging a TGS for a specific service. MDI detects both by sensoring the actual TGS-REQ traffic at the DC and comparing the ticket properties against what a legitimately issued ticket from the KDC would look like — Time-to-Live anomalies, encryption type mismatches, RC4 downgrade in an AES environment, and PAC validation failures. EPC Group pairs MDI Golden Ticket detection with a krbtgt rotation playbook — twice-rotating the krbtgt password under controlled change, validating ticket revocation across the directory, and documenting the rotation evidence for SOC 2 and HIPAA auditors. Many enterprises have never rotated krbtgt in production; EPC Group treats it as a quarterly exercise for Tier 0 directories.

Pattern 3 — Kerberoasting and AS-REP roasting detection

Kerberoasting is the attack where a low-privilege user requests TGS tickets for service accounts (any account with a Service Principal Name) and then cracks the RC4 ticket offline to recover the service account password. AS-REP roasting attacks accounts with the do-not-require-preauthentication flag set. MDI detects Kerberoasting by watching for unusual TGS-REQ volume, downgraded encryption requests in an AES-required environment, and atypical request patterns against service accounts. EPC Group ships an Identity Security Posture remediation backlog that finds and fixes the precursors — service accounts with weak passwords, accounts with unconstrained delegation, accounts with the preauth flag disabled, and SPN-mapped users with privileged group membership. The detection is necessary; the hardening is what eliminates the attack class.

Pattern 4 — Pass-the-Hash and Pass-the-Ticket detection

Pass-the-Hash (NTLM) and Pass-the-Ticket (Kerberos) are the foundational credential-theft attacks against legacy Active Directory. MDI detects them through behavioral anomaly — an account authenticating from a device it has never used before, NTLM authentication where Kerberos would be expected, ticket reuse from a different source IP, and overlapping concurrent sessions from different geographies. EPC Group hardens against PtH by deploying Local Administrator Password Solution (LAPS) so every endpoint local admin has a unique randomly rotated password, enabling Credential Guard on every supported endpoint, and deploying Protected Users group membership for every Tier 0 account so cached credentials are no longer available for theft. The detection catches what the hardening misses; the hardening reduces the attack surface to the point where detection is high-fidelity.

Pattern 5 — DCSync, DCShadow, and replication abuse detection

DCSync is the attack where an account with directory replication permissions (Replicate Directory Changes plus Replicate Directory Changes All) impersonates a domain controller and pulls the full krbtgt hash and every user NT hash directly from the directory. DCShadow goes further — an attacker registers a rogue DC and pushes malicious changes back into the replication stream. MDI detects both by sensoring the directory replication traffic at the DC. EPC Group runs a quarterly directory permissions audit that finds and removes the unnecessary Replicate Directory Changes grants — most enterprises discover service accounts, legacy monitoring tools, and decommissioned migration accounts still holding the permission. The audit plus the detection eliminates the dominant on-premises credential theft path attackers use after initial compromise.

Pattern 6 — Suspicious group membership changes and privilege escalation

The single most common post-exploitation step on a compromised directory is adding an attacker-controlled account to a high-privilege group — Domain Admins, Enterprise Admins, Schema Admins, the local Administrators group on a Tier 0 server, or any group with delegated rights over Tier 0 OUs. MDI detects this through directory event monitoring and through Identity Security Posture analysis of the resulting graph — when did the group change, who made the change, was the source account previously associated with privileged operations, and what was the lateral movement path that led to the change. EPC Group pairs MDI group monitoring with Privileged Access Management (PAM) and Privileged Identity Management (PIM) — PAM for on-premises Tier 0 just-in-time access, PIM for Entra ID role activation — so the legitimate-administrator path is fully audited and the illegitimate path stands out clearly.

Defender XDR + Sentinel

MDI inside Defender XDR and Microsoft Sentinel

MDI is one of five modules inside Microsoft Defender XDR, the unified XDR platform. The value of MDI multiplies when its signal joins the wider Defender XDR incident graph and flows downstream into Microsoft Sentinel for cross-source SIEM correlation. EPC Group wires both integrations in every deployment because identity signal alone, without the fusion layer, leaves the SOC chasing partial stories.

Defender XDR incident graph

MDI entities — users, devices, ticket events — merge into the cross-domain Defender XDR incident with Endpoint, Cloud Apps, Office 365, and Cloud signal. One timeline, one queue, one investigation per attack story. Defender XDR hub.

Sentinel SIEM data connector

MDI alerts and the IdentityLogonEvents, IdentityQueryEvents, and IdentityDirectoryEvents advanced-hunting tables flow into Microsoft Sentinel for cross-source correlation with firewall, VPN, MFA, and IdP logs. Sentinel hub.

Attack disruption automation

Defender XDR attack disruption automatically disables compromised accounts, forces Kerberos TGT reset, and revokes Entra ID sessions within minutes of high-confidence MDI detection — turning detection into containment without analyst latency.

Hybrid identity posture

Entra ID Identity Protection, Identity Secure Score, and MDI together

MDI does not stop at the on-premises directory. The product fuses with Microsoft Entra ID Identity Protection so cloud and on-premises identity risk correlate in a single user-risk score that Conditional Access can act on. The Entra ID enterprise hub covers the cloud identity story in depth; the table below shows where MDI fits.

Identity Secure Score (Entra ID)

Tenant-level posture score covering MFA coverage, Conditional Access policies, privileged role configuration, and legacy authentication state. EPC Group runs a monthly score campaign with documented remediation evidence for SOC 2 auditors.

Identity Security Posture (MDI)

On-premises directory posture — dormant credentials, exposed Kerberos delegation, unsafe certificate templates, weak service-account passwords, and the lateral movement paths that connect them. Sequenced by attack-path criticality.

Conditional Access enforcement

Risk-based policies act on the combined MDI + Identity Protection signal — force MFA, block sign-in, require password reset, force compliant device. The signal is what makes risk-based Conditional Access effective at containment.

Privileged Identity Management (PIM)

Just-in-time activation of Entra ID roles with approval workflows and MFA requirements. EPC Group pairs PIM (cloud) with on-premises PAM and tiered admin workstations so the legitimate admin path is fully auditable.

Hardening posture

Detection without hardening is a fire alarm with no extinguishers

MDI detects the attack; the hardening reduces the attack surface so detection is high-fidelity and containment is fast. Every EPC Group MDI engagement ships with a hardening backlog that auditors will accept and that meaningfully closes the on-premises and hybrid identity attack surface.

Disable legacy authentication

Block POP, IMAP, SMTP AUTH, and basic-auth Exchange protocols through Conditional Access. Legacy auth bypasses MFA and is the most common Entra ID compromise vector that MDI hardening removes.

Enforce MFA for every admin role

Conditional Access policies require MFA for every Entra ID directory role — Global Admin, Security Admin, Exchange Admin, and the rest. Phishing-resistant FIDO2 keys or Windows Hello for Business for Tier 0.

Tier 0 administrative model

Protected Users group membership, Authentication Policy Silos, dedicated PAWs (Privileged Access Workstations), and separation of duties so a Tier 1 admin cannot escalate into Tier 0 without explicit just-in-time activation.

krbtgt rotation and LAPS

Quarterly krbtgt rotation under change control (twice with the appropriate gap), and Local Administrator Password Solution (LAPS) so every endpoint local admin has a unique randomly rotated password — eliminating Pass-the-Hash lateral movement at its source.

AD CS template remediation

Audit every certificate template for ESC1 through ESC11 conditions, remove enrollee-supplied SAN, disable any-purpose EKU on standard user templates, and lock down certificate-template ACLs so only intended principals can enroll.

Replicate Directory Changes audit

Find and remove unnecessary Replicate Directory Changes and Replicate Directory Changes All grants. Most enterprises discover dormant service accounts and decommissioned migration tools still holding the permission that enables DCSync.

The EPC Group ITDR Accelerator — five phases, fixed fee

The accelerator anchors on The EPC Group Lifecycle — Assess, Activate, Harden, Hunt, Operate. Fixed-scope between $150,000 and $500,000 depending on directory complexity, AD FS and AD CS footprint, Tier 0 hardening scope, regulatory requirements, and managed-service tail. Senior-architect led, no offshore handoff.

Phase 1 — Assess

Identity threat surface assessment in three weeks

Phase one inventories every domain controller, every AD FS server, every AD CS certificate authority, every Entra ID sign-in path, every privileged account, and every directory permission that touches Tier 0. EPC Group ships a costed ITDR roadmap, a risk-weighted backlog of identity attack paths, and a Tier 0 cleanup plan auditors will accept.

Active Directory forest and domain inventory — DCs, AD FS, AD CS, RODCs, trust relationships, replication topology
Entra ID tenant inventory — federation paths, hybrid join, password hash sync, pass-through auth, seamless SSO
Privileged account discovery — Tier 0 admins, shadow admins, service principals with delegation, dormant credentials
Identity Secure Score baseline and Identity Security Posture recommendations sequenced by attack-path criticality

Phase 2 — Activate

MDI sensors live across DCs, AD FS, and AD CS

Phase two deploys MDI sensors on every writable domain controller, every AD FS server, and every AD CS certificate authority. EPC Group sequences the rollout starting with a pilot domain controller pair, then broad rollout under change control with sensor health monitoring at each stage. AD CS sensor enablement is paired with the ESC1 through ESC11 template audit so detection and hardening land together.

MDI sensor installation on every writable DC, validated under change control with sensor health dashboards
AD FS sensor deployment with WS-Federation token issuance monitoring enabled
AD CS sensor deployment with certificate template audit and ESC1 through ESC11 remediation
Entra ID Identity Protection integration so cloud and on-premises identity risk correlate in one signal

Phase 3 — Harden

Directory posture aligned to Tier 0 and Zero Trust

Phase three is the hardening that turns a detection platform into a defense platform. EPC Group disables legacy authentication protocols across the tenant, enforces multi-factor authentication through Conditional Access for every privileged role, deploys Protected Users group membership for Tier 0, rotates krbtgt twice under controlled change, deploys LAPS for local administrator credential isolation, and removes unnecessary directory replication permissions.

Conditional Access — legacy auth block, MFA required for all admin roles, sign-in risk-based session controls
Tier 0 administrative model — Protected Users, Authentication Policy Silos, separate admin workstations (PAWs)
krbtgt rotation playbook executed twice under change control with documented validation evidence
LAPS deployment, Credential Guard enforcement, removal of unnecessary Replicate Directory Changes grants

Phase 4 — Hunt

ITDR threat hunting with Defender XDR and Sentinel

Phase four stands up the threat hunting program for identity. EPC Group authors KQL hunting queries against the IdentityLogonEvents, IdentityQueryEvents, and IdentityDirectoryEvents tables in Defender XDR advanced hunting, builds saved query libraries for the MITRE ATT&CK Credential Access and Lateral Movement tactics, and configures Microsoft Sentinel to ingest MDI signal for cross-source correlation with firewall, VPN, and SaaS logs.

Advanced hunting query library covering Credential Access, Lateral Movement, and Defense Evasion ATT&CK tactics
Microsoft Sentinel data connector enabled with bi-directional incident sync
Custom analytics rules correlating MDI signal with non-Microsoft identity sources (VPN, MFA, IdP)
SOAR playbooks for the top fifteen identity incident scenarios — account disable, session revoke, password reset

Phase 5 — Operate

24/7 managed ITDR with senior-architect escalation

Phase five is steady-state ITDR operation. EPC Group provides managed identity threat detection and response — twenty-four-by-seven monitoring, incident response, quarterly krbtgt rotation, sensor health monitoring, Identity Secure Score campaign management, and content engineering. Senior-architect escalation is the differentiator; tier one analysts triage, but every customer has named senior architects on call for Tier 0 incidents.

24/7 SOC monitoring of MDI alerts inside the Defender XDR incident queue
Quarterly krbtgt rotation and directory permissions audit under change control
Identity Secure Score campaign management — monthly delta tracking, posture improvement work
Sensor health monitoring across every DC, AD FS, and AD CS server with automated alerting on coverage gaps

Why EPC Group leads enterprise ITDR deployments

Years Microsoft consulting

70+

Fortune 500 clients

216+

M&A tenant consolidations

1.83 million

Users migrated

Microsoft Solutions Partner — Security

Microsoft Solutions Partner with the Security designation plus five additional designations covering Modern Work, Infrastructure, Data & AI, Digital & App Innovation, and Business Applications. Senior identity architects average two decades of Active Directory and Entra ID delivery experience.

Four-time Microsoft Press author

Founder Errin O’Connor has nearly three decades of Microsoft consulting leadership and is a four-time Microsoft Press author across Power BI, SharePoint, Azure, and large-scale migrations.

Fixed-fee accelerators

Every ITDR engagement is fixed-fee with a costed roadmap and named senior identity architect on-record from kickoff through go-live. No T&M overruns, no offshore handoff, no junior-analyst-led Tier 0 cutover.

Compliance-native

EPC Group is compliance-native across HIPAA, SOC 2, FedRAMP, FINRA, CMMC, and GxP. MDI deployments ship with auditor-ready Tier 0 control matrices, krbtgt rotation evidence, and Identity Security Posture remediation logs.

ITDR mapped to the regulatory reality

MDI controls map directly to control families in NIST CSF 2.0 (Protect, Detect, Respond), ISO 27001 Annex A.9 (Access Control), HIPAA Security Rule §164.308 (Administrative Safeguards), FedRAMP AC and IA families, and CMMC 2.0 AC and IA practices. EPC Group extends the mapping into a documented control matrix that auditors will accept. See the standards alignment library for the full mapping.

HIPAA

SOC 2

FedRAMP

FINRA

CMMC

GxP

Frequently asked questions — Microsoft Defender for Identity

What is Microsoft Defender for Identity (MDI) and what does ITDR mean?

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) is the Microsoft Identity Threat Detection and Response (ITDR) product. ITDR is the security industry category for behavior-based detection of identity-layer attacks — credential theft, ticket forgery, lateral movement, privilege escalation, and federation abuse — across both on-premises Active Directory and cloud identity (Entra ID). MDI deploys lightweight sensors directly on writable domain controllers, AD FS federation servers, and AD CS certificate authorities, then correlates the captured signal with Entra ID Protection and the rest of the Microsoft Defender XDR platform. The result is identity-layer detection that complements endpoint-layer EDR with the directory-aware signal an EDR alone cannot produce.

How does Microsoft Defender for Identity compare to CrowdStrike Falcon Identity Protection?

MDI and CrowdStrike Falcon Identity Protection are the two leading ITDR products. MDI wins on bundled value (already paid for inside Microsoft 365 E5 and E5 Security), on tight integration with Entra ID Protection and Defender XDR, and on AD CS certificate-template abuse detection through the dedicated AD CS sensor. CrowdStrike wins on agent-based identity monitoring that does not require sensor placement on every DC, on the Falcon Identity Protection console for IdP-agnostic deployments, and on threat intelligence breadth from the CrowdStrike Intelligence team. For Microsoft-anchored enterprises that own E5, MDI is the rational choice because the activation cost is deployment services only. For multi-EDR environments or environments where CrowdStrike Falcon is already the endpoint platform of record, Falcon Identity Protection can simplify operations by consolidating on one vendor.

How does Microsoft Defender for Identity compare to Tenable Identity Exposure (formerly Tenable.ad)?

Tenable Identity Exposure is a posture and exposure management product for Active Directory and Entra ID, where MDI is a detection and response product. The two are complementary rather than competitive. Tenable Identity Exposure excels at continuous exposure assessment — finding misconfigurations, exposed credentials, weak ACLs, dangerous trust paths, and the BloodHound-style attack-path analysis that helps proactively close exposure before an attacker exploits it. MDI excels at runtime detection — observing the Kerberos and Netlogon traffic for actual attack behavior. EPC Group sees the strongest defensive posture from running both: Tenable Identity Exposure for continuous attack-path closure, MDI for runtime detection and Defender XDR fusion when an attack does occur.

What is the MDI sensor deployment model, and how does it affect domain controller performance?

The modern MDI deployment model uses a single sensor type installed directly as a Windows service on writable domain controllers, AD FS servers, and AD CS certificate authorities — the older standalone-sensor model with port mirroring is deprecated. The sensor reads ETW providers, the directory replication stream, and the relevant Kerberos and Netlogon traffic directly through the local network stack. Microsoft validates the sensor at under 1 percent CPU and under 350 MB memory on properly sized hardware, which is well within the headroom of any DC sized to handle the directory load. EPC Group runs a controlled rollout against a pilot DC pair first, captures baseline performance metrics, validates impact, and then broad-rolls under change control. We have never seen the sensor cause a production DC issue in any of the deployments we have led when the DC is properly sized to begin with.

What is the difference between Defender for Identity (MDI) and Defender for Office 365 (MDO)?

Defender for Identity (MDI) and Defender for Office 365 (MDO) are two of the five modules inside Microsoft Defender XDR and they protect different parts of the attack surface. MDI protects the identity plane — on-premises Active Directory through sensors on DCs, AD FS, and AD CS, and the hybrid path into Entra ID through Identity Protection correlation. MDO protects the email and collaboration plane — Exchange Online, SharePoint Online, OneDrive, and Microsoft Teams chat — with Safe Attachments, Safe Links, anti-phishing, and Threat Explorer. They share the Defender XDR incident graph, so an attack that starts as a phishing email (MDO detection) and pivots to credential theft and lateral movement (MDI detection) shows up as a single correlated incident with the full timeline.

How does MDI integrate with Microsoft Entra ID Identity Protection and Conditional Access?

MDI sends signal into the Entra ID Identity Protection risk engine — when MDI detects an on-premises Kerberos attack against a hybrid-joined account, the corresponding Entra ID user risk is elevated, which Conditional Access can act on through risk-based policies (force MFA, block sign-in, require password change). The reverse is true as well — Entra ID Protection signal (impossible travel, anonymous IP, leaked credentials) feeds back into MDI investigations through the Defender XDR fusion layer. EPC Group configures the bi-directional integration in every deployment because it is what turns two separate identity products into one unified hybrid identity protection plane. The integration requires Entra ID P2, which is included in Microsoft 365 E5 and E5 Security but not in E3.

What is the difference in scope between Defender XDR and Defender for Identity inside it?

Microsoft Defender XDR is the unified Extended Detection and Response platform that correlates signal across all five Defender modules and Entra ID Protection. Defender for Identity (MDI) is one of those five modules — the identity-layer detection module. Defender XDR is where MDI alerts are investigated, correlated with Endpoint, Cloud Apps, and Office 365 alerts, grouped into incidents, and acted on through attack disruption. MDI is where the actual detection of identity attacks happens — the sensor on the DC, the Kerberos traffic analysis, the directory replication monitoring. Most enterprises that buy Microsoft 365 E5 own both, and the EPC Group recommendation is to activate MDI early in the Defender XDR rollout because the identity plane is where attackers spend most of their time after initial endpoint compromise.

What does an MDI engagement cost, and how long does a full ITDR Accelerator take?

EPC Group delivers full MDI activation under a fixed-fee engagement between $150,000 and $500,000 depending on directory complexity, AD FS and AD CS footprint, Tier 0 hardening scope, regulatory requirements, and managed-service tail. A typical engagement runs eight to fourteen weeks across the five phases (Assess, Activate, Harden, Hunt, Operate). The mid-market engagements (single forest, no AD FS, modest AD CS) cluster near the $150K to $250K end. The complex engagements (multi-forest, federation across regulated subsidiaries, AD CS certificate template remediation, krbtgt rotation under regulatory change control) cluster near the $400K to $500K end. Managed ITDR services are a separate annual subscription priced per protected user with senior-architect escalation included.

Continue exploring the EPC Group enterprise Microsoft library

MDI sits inside the broader Microsoft Defender XDR and Entra ID story. These hubs cover the adjacent territory.

Microsoft Cloud Orchestrator

The end-to-end Microsoft cloud orchestration model under which MDI sits as the identity-detection plane.

Microsoft Defender XDR Enterprise Guide

The unified XDR platform that MDI fuses into — five modules, Sentinel integration, and the five-phase Defender accelerator.

Microsoft Sentinel SIEM Enterprise Guide

Cross-source SIEM correlation, regulatory log retention, SOAR playbooks, and the bi-directional MDI integration.

Microsoft Entra ID Enterprise Guide

Cloud identity, Conditional Access, Identity Protection, PIM, and the hybrid identity surface MDI defends.

Microsoft 365 Consulting

Enterprise Microsoft 365 strategy, E5 activation, and the security designation work MDI is part of.

Microsoft 365 GCC High & DoD Migration

Federal Microsoft 365 with FedRAMP and CMMC 2.0 alignment — MDI inside the GCC High security boundary.

Standards alignment library

NIST CSF 2.0, ISO 27001, HIPAA, FedRAMP, FINRA, CMMC, and GxP control mappings for Microsoft platforms.

Microsoft Defender 365 Enterprise Security Guide

The Defender 365 enterprise security narrative covering all five Defender modules and the security operating model.

Activate the ITDR you already own

Book a Defender for Identity briefing with an EPC Group senior identity architect. Two-hour working session — directory inventory, Tier 0 attack-path review, accelerator scoping. Zero obligation, board-ready output.

Book the briefing 888-381-9725

‌
‌
‌

‌
‌