Managing Microsoft Defender for Identities from Microsoft Cloud App Security

Microsoft Defender for Identities (MDI, formerly Azure Advanced Threat Protection) is a solution to extend cloud behavior analytics and machine learning to activities that are occurring within your on-premises Active Directory and manage them entirely in the cloud. These insights can be shared within several other features within Microsoft Threat Protection to increase insights and speed of forensic investigations. 

However, a common problem is occurring as these features continue to develop…Too many portals to manage. Microsoft has acknowledged this issue by providing several consolidations and integrations within Microsoft Threat Protection.

Microsoft Cloud App Security (MCAS) integrates with MDI to provide machine learning and user entity behavioral analytics (UEBA) across a hybrid environment - both cloud app and on-premises. These insights can be shared to other areas as well including Microsoft Defender for Endpoints (MDE) and Azure Sentinel. 

Initial Integration with MCAS

While you still have to configure the initial setup of MDI, once complete, you almost never need to visit the MDI admin portal again once integrated with MCAS. While you can still choose to manage MDI alerts from the MDI portal, integration with MCAS provides additional insights and reduces the number of administrative portals required for administration. There are no settings required within MDI portal to turn on the integration with MCAS. There is a single switch within MCAS to enable. 

In MCAS, under the settings cog, select Settings. Under Threat Protection, select MDI.


Within 12 hours, MDI data and alerts will be processed by MCAS. 

MDI Features within MCAS

Once MDI integration with MCAS is enabled, you can take advantage of several additional features including: 

Identity Security Posture provides proactive recommendations to improve your on-premises Active Directory Configurations. Data analyzed includes detections and data on known exploits and misconfigured components. These actions are monitored and updated continuously to provide ongoing reports of your Active Directory environment. 

In addition, MDI integration improves upon the Investigation Priority Score by providing context for each user identity from its integration with Active Directory.


MDI alerts are created as unmodifiable MCAS policies. These policies are managed by Microsoft and are constantly updated. You can still configure exclusions from the MDI portal, but the only options within MCAS is to disable the policy from generating any alerts. Any alerts generated can be viewed and managed from the MCAS alerts queue.


Active Directory activities can now be selected within MCAS queries and used to create custom policies and alerts.


Additional Integration Options

If you are not using MCAS, there are still other ways to integrate MDI including Microsoft Defender for Endpoints, Microsoft Threat Protection, and Azure Sentinel. 

By integrating MDE, you combine the threat intelligence and analytics of both platforms for detections from endpoints and on-premises infrastructure to provide a much greater knowledge base and faster forensic investigation of malicious events. You need to enable this integration in both MDI and MDE administrative portals: 

In the MDI portal, open Configuration. Select Windows Defender ATP and set to On

MB blog5

In the Microsoft Defender for Endpoints portal, go to SettingsAdvanced features and set MDI integration to ON.


Microsoft Threat Protection Hunting for MDI events is currently in preview. This allows administrators to use the Microsoft 365 Security Center Advanced Hunting capabilities to find and detect MDI events without going to either MDI or MCAS portals. These events are stored in the IdentityDirectoryEvents table. A sample query to see the top 100 events is below. Additional filters can be added for specific users, devices, or actions. 


| limit 100


Azure Sentinel provides a seamless service to service connector for MDI (currently still in preview). This integration requires MDI and MCAS to also be integrated. Azure Sentinel can be used to hunt for and create incidents related to MDI. These events are stored in the SecurityAlert table and can be filtered by ProductName along with additional KQL filters, as necessary.



| where ProductName == "Azure Advanced Threat Protection" 


A single pane of glass is the goal of any cybersecurity platform. Too much data and too many locations to hunt creates an unmanageable environment that is bound to be in a never-ending reactive mode. Using Microsoft Threat Protection, you are provided with a seamless integrated platform that can provide a method to stop attacks at all levels an attack kill chain. Combining features, such as MCAS and MDI, provides increased efficiencies to become more proactive in identifying threats within your environment.

For more information about protecting your organization attend our upcoming webinar: FORTIFYING YOUR LAST LAYER OF SECURITY | OCT 13 | 2PM EST

Register Today

Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.