Microsoft Defender for Identity Gets Domain-Based Scoping to Streamline SOC Monitoring

New domain-based scoping feature helps SOC teams streamline identity monitoring and enhance access control.


Key Takeaways:

  • Microsoft Defender for Identity now offers domain-based scoping for AD in public preview.
  • SOC analysts can customize access and visibility using Unified RBAC roles.
  • Scoped access improves efficiency by limiting alerts and data to relevant domains.

Microsoft Defender for Identity now supports domain-based scoping for Active Directory (AD) in public preview. This new feature allows SOC analysts to selectively define which AD domains fall within their monitoring scope to enhance focus and reduce noise.

As organizations expand, their identity environments become increasingly complex, making it harder for security teams to manage access. To reduce risk and maintain compliance, it’s important to limit access based on roles, locations, or responsibilities. In some cases, access restrictions are also required to meet data privacy regulations like GDPR or to streamline operations.

What are the benefits of scoping?

This new scoping feature is part of Microsoft Defender’s unified role-based access control (URBAC) model, allowing organizations to tailor investigation and management tasks based on specific Active Directory domains. This capability helps to enhance efficiency by reducing noise from nonessential data and focusing on critical assets.

SOC analysts can implement scoped access by creating a custom role using Microsoft Defender XDR Unified RBAC. They can define which users or groups have access to specific Active Directory domains or Microsoft Entra ID groups.

Currently, the scoping feature ensures that analysts only view alerts and incidents connected to identities within their assigned Active Directory domains. Moreover, access to account details is similarly restricted, allowing users to see only the entity pages relevant to their scoped domains. Advanced hunting and investigation tools also automatically filter data to include only information within the defined scope.

How do you configure scoping rules in Microsoft Defender for Identity?

To enable identity scoping, SOC analysts will need to follow the steps mentioned below:

  • Head over to Permissions > Microsoft Defender XDR > Roles.
  • Create a new custom role or edit existing roles.
  • Now, add an assignment and create a scoping role with the same set of permissions.
  • Define the Entra ID users or groups to be assigned to the role.
  • Select Microsoft Defender for Identity as a data source and choose User groups (AD domains) that will be scoped to the assignment.
  • Once configured, organizations can restrict SOC analysts to viewing only select entities.

Add assignment (Image Credit: Microsoft)

Keep in mind that the scoping feature requires the Microsoft Defender for Identity sensor to be installed and the Identity workload for URBAC to be activated. Customers should also make sure that Authorization permissions are configured through URBAC so that roles can be managed without Global Administrator or Security Administrator privileges.

Microsoft notes that scoped access is currently in public preview, and some features might not yet be available for Defender for Identity customers. These include Defender XDR incident email notifications, ISPMs and exposure management, downloading scheduled reports and the Graph API, device and group global search and entity pages, and alert tuning and critical asset management.