Microsoft Defender for Identity Unlocks Unified Active Directory Domain Investigation—Now Generally Available + Video

Listen to this Post

Featured Image

Introduction:

Active Directory (AD) remains the primary authentication backbone for most enterprises, making it a prime target for identity-based attacks. Configuration issues such as unhealthy sensors, weak security policies, or risky trust relationships can expose an environment, yet the information needed to assess a domain’s security has historically been scattered across different tools and views. Microsoft has now announced the General Availability (GA) of the “Investigate an Active Directory domain” feature within Microsoft Defender for Identity (MDI), consolidating domain health, sensor coverage, security policies, trust relationships, and prioritized recommendations into a single, unified pane of glass.

Learning Objectives:

  • Understand the core capabilities of the new Active Directory domain investigation page in Microsoft Defender for Identity.
  • Learn how to access the domain page, interpret the Overview dashboard, and leverage incident data for proactive threat hunting.
  • Master the practical commands and step-by-step procedures to validate MDI configurations, audit domain health, and harden Active Directory security postures.

You Should Know:

  1. The Unified Domain Dashboard: A Single Source of Truth for AD Security

The Active Directory domain page in Microsoft Defender brings together previously fragmented data points into one comprehensive view. This centralized approach allows security administrators to determine whether a domain is healthy and fully monitored, identify configuration or policy issues that increase risk, review trust relationships, and act on prioritized recommendations.

The Overview tab provides a detailed domain summary, including:

  • Domain Details: Key attributes such as provider, domain name, functional level, creation date, and counts of identities, service accounts, group accounts, and computer accounts.
  • Properties: The domain’s Canonical Name, SID (Security Identifier), and unique ID.
  • Deployment Health: Sensor deployment coverage and health status. A 100% coverage score indicates that all domain controllers have sensors deployed, ensuring comprehensive monitoring.
  • Health Score: An overall health score (Low, Medium, or High) based on identity infrastructure coverage, sensor health, and active recommendations.
  • Service Accounts: A donut chart breaking down service accounts by type—sMSA (standalone Managed Service Account), gMSA (group Managed Service Account), and standard User accounts.
  • Sensitive Entities: Counts of sensitive identities, groups, and computers that require heightened protection.
  • Active Recommendations: A list of security recommendations affecting the health score, with direct links to remediation guidance.
  • Group Policies: A listing of Group Policy Objects (GPOs) applied in the domain, allowing administrators to verify active policies and identify domains with no GPOs configured.

Step‑by‑step guide: Accessing and Navigating the Domain Page

  1. Prerequisites: Ensure you have a Microsoft Defender for Identity license (or an E5 license that includes MDI) and a user role with at least Security Reader permissions.
  2. Access the Page: Navigate to the Active Directory domain page through multiple entry points:

– Select a domain name from the Domain column in the identity inventory.
– Select a domain from a domain-related security alert or incident.
– Search for a domain by name using the global search bar.
3. Switch Between Domains: Use the domain selector at the top right of the page to switch between different domains when investigating multiple environments.
4. Analyze the Overview: Review each section of the Overview tab to assess the domain’s overall security posture, paying close attention to the Health Score, Deployment Health, and Active Recommendations.
5. Investigate Incidents and Alerts: Switch to the Incidents and alerts tab to view all incidents and alerts connected to the domain. Data on this tab includes only incidents and alerts created on or after February 1, 2026. Use the default filters for Status (New, In progress) and Alert severity (High, Medium, Low) to prioritize your investigation.

2. Validating MDI Configuration via PowerShell

To ensure that your domain controllers are properly configured for MDI monitoring, Microsoft recommends periodically running the `Test-MDIConfiguration` PowerShell command. This cmdlet validates the Defender for Identity configuration for various post-deployment required settings, including Advanced Audit Policy settings. Misconfigured Advanced Audit Policy settings can cause gaps in the Event Log and incomplete Defender for Identity coverage.

Step‑by‑step guide: Running Test-MDIConfiguration

  1. Open PowerShell: Launch PowerShell on a Defender for Identity sensor machine with administrative privileges.

2. Validate Local Machine NTLM Auditing:

Test-MDIConfiguration -Mode LocalMachine -Configuration NTLMAuditing

This example validates the NTLM auditing configuration for the local machine.

3. Validate Domain NTLM Auditing with GPO Prefix:

Test-MDIConfiguration -Mode Domain -Configuration NTLMAuditing -GpoNamePrefix 'CONTOSO'

This validates the NTLM auditing configurations for the domain, specifically targeting a GPO with the prefix ‘CONTOSO’ in its name.

4. Validate All Domain Configurations:

Test-MDIConfiguration -Mode Domain -Configuration All

This validates all configurations for the domain, including SACLs (System Access Control Lists) and GPOs.
5. Review Output: Examine the output to identify any configuration gaps or misconfigurations and remediate them accordingly.

  1. Auditing and Hardening Active Directory Security with PowerShell

Beyond MDI-specific validation, a comprehensive AD security strategy involves regular auditing and hardening using native PowerShell commands. Here are some essential commands to incorporate into your quarterly operational reviews.

Step‑by‑step guide: Essential AD Auditing and Hardening Commands

1. Check Default Domain Password Policy:

Get-ADDefaultDomainPasswordPolicy

This command retrieves the default password policy settings for the domain, including password length, complexity requirements, and lockout thresholds.

2. Check Fine-Grained Password Policies:

Get-ADFineGrainedPasswordPolicy -Filter 

This retrieves all fine-grained password policies (FGPPs) applied to specific users or groups in the domain.

3. List All Domain Admins:

Get-ADGroupMember -Identity "Domain Admins"

This command lists all members of the Domain Admins group, helping you identify and review privileged accounts.

4. Identify Stale User Accounts:

Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | Where-Object {$_.Enabled -eq $true}

This finds user accounts that have been inactive for 90 days but are still enabled, representing potential security risks.

5. List All Service Accounts:

Get-ADUser -Filter {ServicePrincipalName -like ""} -Properties ServicePrincipalName

This identifies accounts with Service Principal Names (SPNs) configured, which are often used as service accounts and are prime targets for Kerberoasting attacks.

6. Review Trust Relationships:

Get-ADTrust -Filter 

This command lists all trust relationships configured in the domain, allowing you to review and validate their necessity and security posture.

  1. Integrating MDI with Broader ITDR and XDR Strategies

The “Investigate an Active Directory domain” feature is not an isolated tool; it is a critical component of a comprehensive Identity Threat Detection and Response (ITDR) strategy. As identity becomes the primary attack surface, expectations for ITDR are expanding. Leading industry frameworks like the NIST Cybersecurity Framework now align ITDR more closely with a lifecycle-based approach that extends beyond prevention and detection to include response and recovery.

Step‑by‑step guide: Building an Automated ITDR Program

  1. Map Your Identity Attack Surface: Start with Active Directory attack patterns that have well-defined signatures and near-zero false-positive rates, such as Kerberoasting, DCSync, pass-the-hash, and golden ticket creation.
  2. Establish Continuous Discovery: Maintain a complete, up-to-date view of both human and non-human identities across hybrid Active Directory and Entra ID environments.
  3. Classify Tier 0 Assets: Identify and formally classify Tier 0 identities (domain controllers, administrators, and other critical assets), then apply focused protections, auditing, and alerting.
  4. Automate Response Actions: Implement pre-built playbooks tied to high-confidence detection rules. According to the ReliaQuest 2025 Annual Threat Report, attackers achieved lateral movement in as little as 27 minutes in 2024. Automation closes the gap between detection and containment by executing response actions at machine speed without waiting for human triage.
  5. Correlate Identity Signals: Continuously monitor identity activity across hybrid environments and use AI to surface suspicious behavior, reduce alert noise, and prioritize high-risk events.

5. Cloud and API Security Considerations for MDI

To ensure maximal security and data privacy, Defender for Identity uses certificate-based, mutual authentication between each sensor and the MDI cloud back-end. When integrating MDI with other services or automating tasks via APIs, proper permission management is crucial.

Step‑by‑step guide: Securing MDI API Access

  1. Configure API Permissions: In the Microsoft Defender portal, navigate to Settings → Endpoints → Roles to assign appropriate roles (e.g., Security Operator) to managed identities or applications.
  2. Use Application Permissions: The Defender API requires Application permissions (not delegated permissions) when using Managed Identity.
  3. Allow Sensor Traffic: Ensure that your network allows traffic to the sensor URL using the syntax: <your-workspace-1ame>sensorapi.atp.azure.com.
  4. Avoid Hard-Coded Secrets: Use Workload Identity Federation or Managed Identities instead of App Registration secrets for obtaining access tokens to the Defender API.

What Undercode Say:

  • Key Takeaway 1: The new Active Directory domain investigation page in Microsoft Defender for Identity represents a significant leap forward in operationalizing AD security. By consolidating fragmented data into a single view, it empowers security teams to rapidly assess domain health, identify misconfigurations, and act on prioritized recommendations—turning reactive troubleshooting into proactive defense.
  • Key Takeaway 2: Security administrators must complement this powerful UI with regular, automated validation using PowerShell cmdlets like Test-MDIConfiguration. This ensures that the underlying Advanced Audit Policies and configurations are correctly set, preventing gaps in coverage that could allow attackers to evade detection.

Prediction:

  • +1 The unification of AD domain investigation within Microsoft Defender XDR will drive broader adoption of ITDR practices, as organizations can now leverage a single platform for identity monitoring, detection, and response.
  • +1 As AI-driven analysis becomes more integrated into MDI, the platform will increasingly surface actionable insights and automated remediation paths, reducing the mean time to respond (MTTR) to identity-based threats.
  • -1 The consolidation of security data into a single pane of glass also creates a single point of failure. If an attacker compromises the Microsoft Defender portal or the underlying MDI infrastructure, they could potentially gain a comprehensive view of an organization’s AD security posture, turning the defender’s tool into an attacker’s reconnaissance map.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Markolauren Ga – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky