Microsoft Defender for Identity vs Defender for Endpoint: Key Differences
Defender for Identity and Defender for Endpoint are both part of Microsoft Defender XDR but protect completely different attack surfaces. This guide explains what each product does, where they overlap, and when you need both.

Two Products, One Common Confusion
Microsoft Defender for Identity and Microsoft Defender for Endpoint share a brand, a console, and even some alert types. Both are part of Microsoft Defender XDR. Both detect lateral movement. Both generate incidents that land in the same queue.
So what is the difference, and do you actually need both?
The short answer: they protect fundamentally different things. Defender for Identity watches your identity infrastructure (Active Directory, Entra ID, domain controllers). Defender for Endpoint watches your devices (Windows, macOS, Linux, servers, mobile). An attacker moving through your environment will almost always touch both — which is exactly why they are designed to work together.
---
Microsoft Defender for Identity (MDI)
What It Protects
Defender for Identity monitors Active Directory Domain Services (AD DS) and Microsoft Entra ID for identity-based attacks. It reads events from domain controllers, Entra ID sign-in logs, and AD FS servers to detect:
- Reconnaissance (LDAP enumeration, DNS reconnaissance, user and group enumeration)
- Credential attacks (Pass-the-Hash, Pass-the-Ticket, Kerberoasting, AS-REP Roasting, brute force)
- Lateral movement techniques (Overpass-the-Hash, Remote Code Execution via SMB, DCSync)
- Domain dominance (Golden Ticket attacks, Skeleton Key, DCShadow, AdminSDHolder abuse)
- Exfiltration (unusual LDAP data export, suspicious data access patterns)
How It Works
MDI deploys a lightweight sensor on each domain controller that reads Windows Event Logs and ETW traces and parses the DC's own network traffic (Kerberos, NTLM, LDAP, DNS, SMB, RPC). The sensor ships this telemetry to the MDI cloud service, which correlates it with Entra ID signals and threat intelligence to generate alerts. Sensors can also be installed on AD FS, AD CS and Entra Connect servers to cover the hybrid identity path.
For Entra ID-only environments with no on-premises AD DS there are no domain controllers to monitor, so MDI has little to observe. Cloud sign-in risk detections such as impossible travel, anomalous token use and risky sign-ins come from Entra ID Identity Protection, which surfaces in the same Defender XDR portal and is covered separately below.
Key Alert Types
The alerts that MDI is uniquely good at detecting include:
Kerberoasting: An attacker requests service tickets (TGS) for SPNs registered on user accounts and cracks the service account's password offline from the ticket's encrypted portion. MDI raises "Suspected Kerberos SPN exposure" when a single account enumerates and requests tickets for an unusual number of SPNs, especially with the RC4 encryption that makes offline cracking practical.
DCSync: An attacker holding domain replication rights uses the directory replication protocol (MS-DRSR) to ask a domain controller for password hashes, without touching the DC file system. MDI raises "Suspected DCSync attack (replication of directory services)" when the replication request comes from a machine that is not a domain controller.
Golden Ticket: An attacker forges a Kerberos TGT encrypted with the krbtgt account's key and can impersonate any user for as long as that key stays valid. MDI flags forged tickets through anomalies such as encryption downgrades, abnormal ticket lifetimes, and tickets issued for non-existent accounts.
Pass-the-Hash / Pass-the-Ticket: Credential theft-and-reuse attacks in which NTLM hashes or Kerberos tickets are taken from one machine and replayed from another. MDI detects the same hash or ticket being used from a computer other than the one it was originally observed on.
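The Kerberoasting and DCSync patterns above can also be hunted from raw domain-controller audit events, which is a practical way to confirm MDI is firing during a purple-team exercise or to cover a DC that has no sensor yet. The KQL below is an added example written for this article; it is not MDI's own detection logic and not a Microsoft-published query. It assumes the DC security logs are forwarded to a Sentinel SecurityEvent table (Windows Security Events connector), that "Audit Kerberos Service Ticket Operations" and "Audit Directory Service Access" are enabled on the DCs, and that the DC computer-account list, the allow-listed replicator account and the thresholds are placeholders to replace. The two queries are independent; run them separately.

```kql
// ---- Query 1: Kerberoasting pattern (event 4769) ----
// One account pulling RC4-encrypted service tickets for many distinct SPNs in
// a short window. TargetUserName arrives as user@REALM, so a computer account
// shows up as host$@REALM.
let window = 10m;
let spn_threshold = 5;                          // assumption: tune to your environment
SecurityEvent
| where EventID == 4769
| where Status == "0x0"                         // ticket was actually issued
| where TicketEncryptionType == "0x17"          // RC4-HMAC: crackable offline
| where ServiceName !endswith "$"               // service runs under a user account, not a machine
| where ServiceName != "krbtgt"                 // TGT renewals are not Kerberoasting
| where TargetUserName !contains "$"            // requester is a user, not a computer account
| summarize DistinctSPNs = dcount(ServiceName),
            SPNs = make_set(ServiceName, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by TargetUserName, IpAddress, bin(TimeGenerated, window)
| where DistinctSPNs >= spn_threshold
| project FirstSeen, LastSeen, TargetUserName, IpAddress, DistinctSPNs, SPNs

// ---- Query 2: DCSync pattern (event 4662) ----
// A replication control-access right exercised on the domain object by a
// principal that is not a domain controller. Legitimate replicators such as
// the Entra Connect sync account will also match, so allow-list them.
let dc_accounts = dynamic(["DC01$", "DC02$"]);             // assumption: your DC computer accounts
let allowed_replicators = dynamic(["MSOL_a1b2c3d4e5f6"]);  // assumption: e.g. Entra Connect account
let replication_rights = dynamic([
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   // DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",   // DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c"]); // DS-Replication-Get-Changes-In-Filtered-Set
SecurityEvent
| where EventID == 4662
| where AccessMask == "0x100"                   // Control Access (extended right)
| where Properties has_any (replication_rights)
| where SubjectUserName !in (dc_accounts)
| where SubjectUserName !in (allowed_replicators)
| project TimeGenerated, Computer, SubjectDomainName, SubjectUserName, ObjectName, Properties
| order by TimeGenerated desc
```

Expect the second query to be noisy until the allow-list is right: any account that legitimately pulls directory changes (Entra Connect, some backup and password-filter products) will show up, and those accounts are exactly the ones worth inventorying, because their credentials are DCSync-capable by design.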
Licensing
Defender for Identity requires Microsoft Defender for Identity standalone licensing or is included in:
- Microsoft 365 E5
- Microsoft 365 E5 Security
- Enterprise Mobility + Security E5
It is licensed per user (every user in the directory, not just protected users). As of 2026, pricing is approximately $5.50/user/month for the standalone product.
---
Microsoft Defender for Endpoint (MDE)
What It Protects
Defender for Endpoint protects devices — Windows, macOS, Linux, iOS, Android, Windows Server. It installs an endpoint detection and response (EDR) agent that monitors process activity, file system changes, network connections, registry modifications, and memory, then correlates this into alerts and incidents.
MDE detects:
- Malware execution (fileless, script-based, and binary)
- Exploit techniques (memory injection, process hollowing, UAC bypass)
- Persistence mechanisms (scheduled tasks, registry run keys, WMI subscriptions)
- Lateral movement from the endpoint's perspective (remote service creation, SMB connections, RDP sessions)
- Data exfiltration (large uploads, USB activity, cloud sync anomalies)
- Ransomware behavior (mass file encryption, shadow copy deletion)
How It Works
MDE uses a kernel-level sensor that monitors process, file, network, and registry events and streams a rich telemetry dataset to the cloud. Machine learning models run continuously against this telemetry to surface behavioral detections that go well beyond signature-based antivirus. Attack Surface Reduction (ASR) rules and Controlled Folder Access are enforced locally by the Microsoft Defender Antivirus engine and report into the same portal.
MDE includes two plans:
Plan 1: Core endpoint protection — next-gen AV, ASR rules, device control. Suitable for workstations without EDR requirements.
Plan 2: Full EDR capability — behavioral detection, threat hunting, live response, device timeline, automated investigation and remediation. This is the plan most enterprises use.
Key Capabilities
Device timeline: A chronological record of every event on a device — every process, network connection, file write, registry change, and logon. Invaluable for incident investigation.
Live response: Remote shell access to an endpoint for investigation and remediation without disrupting the user. Run commands, collect memory dumps, isolate the device, all from the Defender portal.
Automated Investigation and Remediation (AIR): MDE automatically investigates triggered alerts, determines if they are genuine threats, and remediates (quarantines files, terminates processes) without analyst intervention. Tunable to semi-automatic or full automatic mode.
Threat and Vulnerability Management (TVM), now branded Microsoft Defender Vulnerability Management (MDVM): Continuous discovery of CVEs and misconfigurations with risk scoring for every device. Shows which vulnerabilities are actively exploited and prioritizes remediation by actual exposure.
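The device timeline is a portal view over the same tables that Advanced Hunting exposes, so when you need to pivot, export, or run the investigation from Sentinel you can rebuild a slice of it as a query. The KQL below is an added example for this article, not a Microsoft query; the device name and time window are constructed placeholders, and it assumes the Defender XDR device tables are available (natively in Advanced Hunting, or in Sentinel via the Microsoft Defender XDR connector).

```kql
// Rebuild 30 minutes of one device's timeline by stitching the per-category
// tables into a single ordered stream, the way the portal's Timeline tab does.
let target = "ws-finance-07";                       // assumption: device to reconstruct
let start_time = datetime(2024-05-14T09:00:00Z);    // assumption: investigation window
let end_time = start_time + 30m;
union
  (DeviceProcessEvents
   | project Timestamp, DeviceName, Source = "Process",
             Detail = strcat(InitiatingProcessFileName, " started ", FileName, ": ", ProcessCommandLine)),
  (DeviceNetworkEvents
   | project Timestamp, DeviceName, Source = "Network",
             Detail = strcat(InitiatingProcessFileName, " ", ActionType, " ", RemoteIP, ":", RemotePort)),
  (DeviceFileEvents
   | project Timestamp, DeviceName, Source = "File",
             Detail = strcat(InitiatingProcessFileName, " ", ActionType, " ", FolderPath)),
  (DeviceRegistryEvents
   | project Timestamp, DeviceName, Source = "Registry",
             Detail = strcat(InitiatingProcessFileName, " ", ActionType, " ", RegistryKey, @"\", RegistryValueName)),
  (DeviceLogonEvents
   | project Timestamp, DeviceName, Source = "Logon",
             Detail = strcat(ActionType, " ", LogonType, " ", AccountDomain, @"\", AccountName, " from ", RemoteIP))
| where DeviceName startswith target                 // DeviceName is usually the FQDN
| where Timestamp between (start_time .. end_time)
| order by Timestamp asc
| project Timestamp, Source, Detail
```

Reading the result top to bottom gives the same story the Timeline tab tells (which process spawned what, which connections it opened, which files and keys it touched, who logged on in between), but as a table you can join against MDI identity events or hand to another analyst.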
Licensing
MDE is included in:
- Microsoft 365 E5
- Microsoft 365 E3 + Microsoft 365 E5 Security add-on
- Microsoft Defender for Endpoint Plan 2 standalone (~$5.20/user/month; each licensed user may enroll up to five devices)
- Microsoft Defender for Business (SMB tier, up to 300 users)
Server licensing requires Defender for Servers (Plan 1 or Plan 2) through Microsoft Defender for Cloud.
---
Side-by-Side Comparison
| | Defender for Identity | Defender for Endpoint |
|---|---|---|
| **Protects** | Active Directory, Entra ID, domain controllers | Windows, macOS, Linux, iOS, Android devices and Windows Server |
| **Primary threat category** | Identity attacks, lateral movement via AD | Malware, ransomware, exploit techniques |
| **Sensor location** | Domain controllers (plus AD FS, AD CS and Entra Connect servers); agentless for Entra ID | Device agent (kernel-level sensor) |
| **Key unique detections** | Kerberoasting, DCSync, Golden Ticket, Pass-the-Hash | Fileless malware, ransomware, memory injection |
| **Lateral movement coverage** | AD protocol level (Kerberos, NTLM, LDAP, SMB authentication) | Device process level (SMB connections, remote services, logons) |
| **Threat hunting capability** | Advanced Hunting identity tables (IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents) in the Defender portal or Sentinel | Device timeline plus Advanced Hunting device tables |
| **Automated remediation** | Disable user in AD, force password reset | Isolate device, quarantine file, terminate process |
| **License included in** | M365 E5, M365 E5 Security, EMS E5 | M365 E5, M365 E3 + E5 Security |
| **Standalone price (approx.)** | ~$5.50/user/month | ~$5.20/user/month (up to five devices per user) |
---
Where They Overlap
Lateral Movement Detection
Both products detect lateral movement, but from different vantage points. MDI sees the Kerberos tickets and LDAP queries that represent the attacker's identity-level movement. MDE sees the SMB connections, remote service creations, and process executions on the target device.
In a real attack, both generate alerts that correlate into a single Defender XDR incident. The combined signal is much stronger than either alone: MDI tells you the credential was abused, MDE tells you which device was compromised and what the attacker ran on it.
Pass-the-Hash
This is the most commonly cited overlap. MDI detects Pass-the-Hash at the domain controller level (authentication from an unexpected machine for a given hash). MDE detects LSASS credential access on the source device (the tool that dumped the hash). Both are needed for the full picture: MDE shows where the hash was stolen, MDI shows where it was used.
Unified XDR Incidents
When MDI and MDE alerts correlate, Defender XDR fuses them into a single incident with a combined attack story. An analyst sees: "MDI detected DCSync from server X → MDE detected process injection on server X → MDI detected lateral movement using stolen credentials to workstation Y → MDE detected ransomware execution on workstation Y." This correlation is only possible because both sensors feed the same XDR engine.
---
Do You Need Both?
Yes, if you have Active Directory. Any environment with on-premises AD or hybrid AD is exposed to Kerberos-based attacks that MDE alone cannot detect. MDI is the only Microsoft product that ships protocol-aware, domain-controller-level detections for AD attack techniques like Kerberoasting and DCSync out of the box; you can approximate some of them yourself from forwarded DC audit events in Sentinel, but you then own the detection logic and its tuning.
MDE alone if you are Entra ID-only. If your organization is fully cloud-native with no AD DS, MDE provides complete endpoint protection. Entra ID Identity Protection covers the identity-based detections for cloud-only environments (risky sign-ins, impossible travel, anomalous token usage).
MDI adds significant value even for small organizations. Most of the publicly documented ransomware intrusions of the last three years involved AD compromise before encryption. Kerberoasting a service account, then using that account to deploy ransomware via Group Policy, is a documented playbook. MDI detects this chain; MDE alone does not.
---
Integration Best Practices
Enable Both in Defender XDR
Both products feed the unified Microsoft Defender portal. Once both are onboarded, Defender XDR correlates MDI identity alerts and MDE endpoint alerts into connected incidents automatically; confirm it is working by opening a recent incident and checking that it lists alerts from both service sources rather than appearing as two isolated incidents.
Configure MDI Sensor on All Domain Controllers
Deploy the MDI sensor on every domain controller in your environment, not just the PDC emulator. An attacker can authenticate, query LDAP, or request replication from whichever DC is unmonitored, so partial coverage is a blind spot. The sensor is lightweight (under 5% CPU impact in most environments) and, because it runs on the DC itself, captures that DC's own network traffic and event logs locally; no port mirroring is required (mirroring was only needed for the legacy standalone sensor).
Tune MDE Automated Remediation
Set MDE automated investigation to "Semi - require approval for core folders remediation" in production environments. Full automation is appropriate for isolated workstation fleets; for servers and domain controllers, require analyst approval before automated remediation to avoid accidental disruption.
Connect Both to Microsoft Sentinel
Stream both MDI and MDE alerts to Microsoft Sentinel using the native data connectors. This enables cross-product KQL hunting and lets you build detection rules that span identity and endpoint telemetry in a single query — for example, hunting for DCSync followed by lateral movement to a high-value target within the same hour.
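The cross-product hunt described here, and the DCSync-then-lateral-movement attack story in the Unified XDR Incidents section above, can be expressed as one query over the XDR alert tables and the MDE logon table. The KQL below is an added example for this article, not a Microsoft query or a shipped analytics rule. It assumes AlertInfo, AlertEvidence and DeviceLogonEvents are available (natively in Advanced Hunting, or in Sentinel via the Microsoft Defender XDR connector), and the list of high-value hostnames is a constructed placeholder.

```kql
// MDI "Suspected DCSync attack" from host X, followed within an hour by an
// MDE-observed network or RDP logon from host X to a high-value device.
let lookahead = 1h;
// Assumption: short hostnames you treat as high-value (tier-0, backup, PKI, PAWs).
let high_value = dynamic(["dc01", "dc02", "backup01", "pki01"]);
// Normalise FQDN vs short name so the join key matches on both sides.
let short = (n:string) { tolower(tostring(split(n, ".")[0])) };
// Step 1: MDI DCSync alerts, with the machine the replication request came from.
let dcsync_sources =
    AlertInfo
    | where ServiceSource == "Microsoft Defender for Identity"
    | where Title has "DCSync"
    | join kind=inner (
        AlertEvidence
        | where EntityType == "Machine"
        | where isnotempty(DeviceName)
        | project AlertId, SourceHost = short(DeviceName)
      ) on AlertId
    | project DcsyncTime = Timestamp, AlertId, Title, SourceHost;
// Step 2: MDE logons to a high-value device that came from that host within the window.
dcsync_sources
| join kind=inner (
    DeviceLogonEvents
    | where ActionType == "LogonSuccess"
    | where LogonType in ("Network", "RemoteInteractive")
    | where short(DeviceName) in (high_value)
    | project LogonTime = Timestamp, TargetDevice = DeviceName, LogonType,
              AccountDomain, AccountName, RemoteIP, SourceHost = short(RemoteDeviceName)
  ) on SourceHost
| where LogonTime between (DcsyncTime .. (DcsyncTime + lookahead))
| project DcsyncTime, LogonTime, AlertId, SourceHost, TargetDevice, LogonType,
          Account = strcat(AccountDomain, @"\", AccountName), RemoteIP
| order by DcsyncTime asc, LogonTime asc
```

Two practical caveats: RemoteDeviceName is sometimes empty for RDP logons, in which case you need to resolve RemoteIP against DeviceNetworkInfo for the same time bucket; and a hit here is high-confidence enough that the logical response action is the combination the two products give you, disabling the account through MDI and isolating the source host through MDE, rather than either alone.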
---
Bottom Line
Defender for Identity protects the identity plane. Defender for Endpoint protects the device plane. In a real attack, adversaries move through both — and the combination of MDI and MDE in Defender XDR gives you the most complete picture of that movement available in the Microsoft stack.
If you have Active Directory in your environment, both are essential. If you are Entra ID-only, MDE covers the endpoint and Entra ID Identity Protection covers the identity side. The licensing for both is included in Microsoft 365 E5, which is the primary reason most enterprise Microsoft shops deploy them together.
Microsoft Cloud Solution Architect
Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.