Microsoft Defender for Identity Sensor v3.x Reduces Complexity, Boosts Threat Detection

Microsoft’s latest update unifies endpoint and identity protection for faster, stronger security.

Key Takeaways:

  • Microsoft rolls out a unified Defender for Identity sensor with simplified deployment and management.
  • The new version integrates directly into Windows Server 2019 and newer, removing complex setup steps.
  • Enhanced features improve visibility into network activity and strengthen identity threat detection.

Microsoft has launched version 3.x of its Defender for Identity sensor, bringing endpoint and identity protection together under one unified solution. This upgraded sensor simplifies deployment, streamlines management, and enhances security visibility across enterprise environments.

The Microsoft Defender for Identity sensor is a lightweight agent installed on domain controllers that monitors and analyzes network traffic and user activities to detect identity-based threats. It works by collecting data (such as authentication events, lateral movement patterns, and suspicious behaviors) and then correlating this information with threat intelligence to identify potential attacks. The sensor is integrated with Microsoft Defender for Endpoint and provides a unified view of identity and endpoint security.

“New customers can now easily activate identity protections on critical on-premises identity infrastructure by deploying v3.x to eligible Domain Controllers in a matter of clicks. This streamlined approach reduces deployment complexity, minimizes configuration errors, and accelerates time-to-protection. It also allows security teams to focus on threat detection and response instead of managing infrastructure prerequisites,” Microsoft explained.

Integrated support for Windows Server 2019 and newer

Microsoft highlighted that the updated Defender for Identity sensor is now integrated directly into Windows Server 2019 and newer versions. This integration eliminates the need for separate installations and complex setup steps such as .NET dependencies or Npcap configuration. Once a domain controller is onboarded to Defender for Endpoint, IT admins can enable identity protection with a few clicks in the Defender portal. Organizations can also opt for automatic activation across all eligible domain controllers to ensure seamless and continuous protection.

The enhanced capabilities of the unified Microsoft Defender for Identity sensor include support for Remote Procedure Call (RPC) audit tags. This feature allows for more precise tracking and analysis of identity-related activities across the network. Moreover, it utilizes the Windows Filtering Platform (WFP) to gain deeper insights into network traffic and user behavior.

Licensing requirements

To deploy Microsoft Defender for Identity sensor version 3.x, organizations must have a qualifying Microsoft 365 license, including Enterprise Mobility + Security E5 (EMS E5/A5), Microsoft 365 E5 (E5/A5/G5), Microsoft 365 E5/A5/G5/F5 Security, Microsoft 365 F5 Security + Compliance, or a standalone Defender for Identity license.

For those using F5 licenses, additional prerequisites apply, such as having Microsoft 365 F1/F3 or Office 365 F3 along with Enterprise Mobility + Security E3. Licenses can be purchased directly through the Microsoft 365 portal or via a Cloud Solution Partner (CSP) model.