Microsoft Defender for Identity: The Licensing Summary

Microsoft Defender for Identity (MDI) — previously called Azure Advanced Threat Protection (Azure ATP) and before that Microsoft Advanced Threat Analytics (ATA) — is Microsoft's on-premises Active Directory monitoring product. It detects identity-based attacks: lateral movement, credential theft, pass-the-hash, pass-the-ticket, Kerberoasting, DC Shadow attacks, and the full range of Active Directory-based attack patterns used by sophisticated threat actors.

MDI is included in Microsoft 365 E5 and Microsoft 365 E5 Security. It is not included in E3. As a standalone add-on, it is priced per-user rather than per-domain controller, which creates a specific licensing model organisations need to understand before committing at scale.

This guide covers what MDI does, how it is licensed, when it justifies its cost, and how it compares with Entra ID Protection (its cloud identity counterpart) and third-party alternatives.

74% of successful enterprise breaches involve identity compromise — primarily through Active Directory credential theft and lateral movement. MDI's specific value is detecting these attack patterns that endpoint tools miss because they operate at the authentication layer, not the endpoint layer.

What MDI Actually Monitors

MDI deploys lightweight sensors directly on your domain controllers. These sensors monitor all Kerberos, NTLM, DNS, and LDAP traffic flowing through Active Directory in real time — without requiring network mirroring or separate SIEM infrastructure. The sensor's traffic analysis is uploaded to the Microsoft Defender portal for detection and investigation.

The attack patterns MDI detects fall into four categories:

Reconnaissance: LDAP enumeration, DNS reconnaissance, network mapping via SMB session enumeration, and user and group enumeration. Attackers who have gained a foothold in your environment systematically map AD to identify high-value targets.

Credential compromise: Pass-the-hash, pass-the-ticket, Kerberoasting (offline cracking of service account hashes), AS-REP Roasting, Golden Ticket attacks, Silver Ticket attacks, skeleton key attacks. These are the techniques that allow attackers to escalate from a single compromised workstation to Domain Admin.

Lateral movement: Pass-the-hash and pass-the-ticket again (in movement context), remote execution via PsExec/WMI/SMB, Overpass-the-Hash, DCSync (replicating domain controller data). This is how attackers move from one system to another without needing new credentials.

Domain dominance: DCShadow (rogue domain controller simulation), malicious replication, changes to sensitive AD groups, suspicious domain controller promotion. These indicate an attacker has, or is close to achieving, full domain control.

Crucially, these attacks are largely invisible to endpoint detection tools. Defender for Endpoint sees what happens on the endpoint; MDI sees what happens in the authentication layer. An attacker who steals a Kerberos ticket from one machine and uses it on another leaves almost no endpoint-visible footprint — but leaves a very clear trail in Active Directory traffic that MDI captures.

MDI Licensing: The Per-User Model

MDI is licensed per user in Active Directory — not per domain controller. Every enabled user account in your AD environment requires an MDI licence. This includes service accounts if they are user accounts, but Microsoft's Product Terms have specific guidance on service account counting that should be reviewed for your deployment.

As a standalone add-on, MDI is approximately £3.50–4.00/user/month (list price, EA discounts apply). For an organisation with 2,000 AD users, the standalone cost is approximately £84,000–96,000/year.

| Licence Path | MDI Included? | Effective Cost Basis |
|---|---|---|
| M365 E5 | Included | Part of E5 bundle |
| M365 E5 Security (add-on to E3) | Included | ~£10/user/month (5 security products) |
| M365 E3 | Not included | Add-on required |
| MDI Standalone Add-On | Yes | ~£3.50–4.00/user/month |
| Enterprise Mobility + Security E5 | Included | Legacy bundle (less common) |

MDI vs Entra ID Protection: Understanding the Distinction

This is the most common source of confusion in Microsoft identity security licensing. MDI and Entra ID Protection (formerly Azure AD Identity Protection) protect the same category of threat — identity compromise — but at different layers of your environment:

MDI: Monitors on-premises Active Directory. Detects attacks at the AD authentication layer — Kerberos, NTLM, LDAP. Requires sensor installation on domain controllers. Requires on-premises AD infrastructure to be relevant.

Entra ID Protection: Monitors Microsoft Entra ID (cloud identity / formerly Azure AD). Detects risky sign-ins, compromised credentials, suspicious behaviour patterns in cloud authentication. No on-premises deployment required.

For cloud-only organisations with no on-premises AD, MDI provides zero value — there is nothing for the sensors to monitor. For hybrid organisations with on-premises AD and Entra ID, both products are relevant to different parts of the attack surface. For on-premises-only organisations (no Entra ID), MDI is the primary identity monitoring tool and Entra ID Protection is irrelevant.

Architecture Test

Before purchasing MDI, answer: Does your organisation have on-premises domain controllers that users authenticate against? If no (cloud-only M365/Entra), MDI provides no value — you need Entra ID Protection (included in Entra P2/E5). If yes, MDI is the tool for that on-premises layer. Many organisations need both for full identity coverage.

The E5 Security Bundle: When MDI Is Better Value as Part of a Package

As a standalone product at £3.50–4.00/user/month, MDI is relatively modestly priced for the protection it provides. However, the more important commercial question is whether your security requirements justify Microsoft 365 E5 Security (approximately £10/user/month on E3), which includes MDI along with:

- Microsoft Defender for Endpoint Plan 2 (endpoint detection & response)

- Microsoft Defender for Office 365 Plan 2 (email threat protection)

- Microsoft Defender for Cloud Apps (CASB)

- Microsoft Entra ID Plan 2 (including Entra ID Protection, PIM, Access Reviews)

If you need MDI and any two of these other products, E5 Security typically has a better effective per-product cost than buying MDI standalone plus individual product add-ons. The standalone pricing for the five products combined is approximately £18–22/user/month at list price. E5 Security at £10/user/month represents a 45–55% cost reduction for the same coverage.

For a detailed analysis of the E5 Security bundle economics, see our guide to whether E5 Security is worth it.


MDI Deployment Architecture: Sensor Placement

MDI requires sensor installation on every domain controller in scope. This is a critical implementation consideration that affects both the technical deployment and the commercial justification.

Full deployment (all DCs): MDI sensors on all domain controllers provide complete visibility of all authentication traffic. Any gap — a DC without a sensor, typically a remote site or legacy DC that was never onboarded — creates a detection blind spot. Attackers specifically target domain controllers without sensors because authentication traffic there will not generate MDI alerts.

Partial deployment risks: Many organisations deploy MDI sensors on their "primary" DCs and skip remote site or legacy DCs. This creates exactly the blind spots that sophisticated attackers exploit. Partial MDI deployment is better than none, but it should not be treated as equivalent to full coverage.

The sensor is lightweight (typically 5–15% CPU overhead on a domain controller depending on AD authentication volume) and communicates with the Microsoft Defender cloud infrastructure for detection processing. There is no on-premises detection server — all analysis is cloud-based, which is relevant for organisations with data residency requirements.
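A practical way to find the blind spots described above is to walk every domain in the forest and check each DC, RODCs included, for the sensor service. The following is an added example (not code from the article or from Microsoft); it assumes Windows PowerShell with the RSAT ActiveDirectory module, CIM/WinRM access to the DCs, and that the sensor registers the Windows service name `AATPSensor`, which you should verify against your own deployment.

```powershell
# Added example: report which domain controllers in the forest have no running MDI sensor.
# Assumes RSAT ActiveDirectory, CIM access to each DC, and the sensor service name below.
Import-Module ActiveDirectory

$SensorServiceName = 'AATPSensor'   # assumed sensor service name; confirm on a known-good DC

$report = foreach ($domain in (Get-ADForest).Domains) {
    # -Filter * returns writable DCs and RODCs alike; RODCs still serve
    # authentication at remote sites, so a missing sensor there is still a gap.
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $state = 'Unreachable'
        try {
            $svc = Get-CimInstance -ClassName Win32_Service `
                                   -Filter "Name='$SensorServiceName'" `
                                   -ComputerName $dc.HostName -ErrorAction Stop
            $state = if ($null -eq $svc)           { 'NoSensor' }
                     elseif ($svc.State -eq 'Running') { 'Running' }
                     else                          { "Installed ($($svc.State))" }
        } catch {
            # Unreachable DCs are reported rather than silently skipped: a DC you
            # cannot query is also one whose sensor state you cannot trust.
        }
        [pscustomobject]@{
            Domain     = $domain
            DC         = $dc.HostName
            Site       = $dc.Site
            IsReadOnly = $dc.IsReadOnly
            Sensor     = $state
        }
    }
}

$report | Sort-Object Domain, Site | Format-Table -AutoSize

# Anything other than 'Running' means that DC's authentication traffic is not feeding MDI.
$gaps = @($report | Where-Object { $_.Sensor -ne 'Running' })
Write-Host ("{0} of {1} domain controllers lack a running sensor" -f $gaps.Count, @($report).Count)
```

Run it after each onboarding wave and before sign-off on a "full deployment" claim; the gap list is the set of DCs whose traffic currently generates no MDI alerts.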

MDI and the Active Directory Tier Model

MDI's value is highest for organisations that have implemented (or are implementing) an Active Directory administrative tier model — the security architecture that separates Tier 0 (domain controllers, PKI), Tier 1 (servers), and Tier 2 (workstations, users) to limit the blast radius of credential compromise.

MDI is effectively the monitoring layer for Tier 0 and Tier 1 activity. It detects when accounts that should only operate at Tier 2 are performing Tier 0 authentication (a clear indicator of credential theft or lateral movement) and when Tier 0 activity patterns indicate attack rather than legitimate administration.

Organisations without an AD tier model get some value from MDI, but unlock the full detection value only when the detection output is contextualized by an understanding of what authentication patterns are normal vs suspicious in their specific AD architecture.

Integration with Microsoft Defender XDR

MDI is one of five pillars of Microsoft Defender XDR — the unified security operations platform. When MDI is combined with Defender for Endpoint, Defender for Office 365, Defender for Cloud Apps, and Entra ID Protection (all included in E5), the XDR platform correlates signals across all five products to detect multi-stage attacks that span the kill chain.

An attack sequence that starts with a phishing email (MDO), establishes a foothold via a malicious attachment executed on an endpoint (MDE), harvests credentials from memory and reuses a stolen Kerberos ticket (MDI detects the pass-the-ticket), and moves laterally across the network (MDI + MDE correlation) generates a unified XDR incident — rather than five separate unrelated alerts in five different consoles. This correlated detection is the primary argument for acquiring the full E5 Security suite rather than individual products.

For more on the unified Defender XDR platform, see our guide to Defender XDR licensing.

MDI vs Third-Party Identity Threat Detection

| Dimension | MDI | CrowdStrike Falcon Identity | Varonis | Semperis DSP |
|---|---|---|---|---|
| On-premises AD monitoring | Yes | Yes | Yes | Yes |
| Cloud identity monitoring | Via Entra (separate) | Unified | Limited | Limited |
| Defender XDR integration | Native | Via SIEM | Via SIEM | Via SIEM |
| Attack pattern detection breadth | Comprehensive | Comprehensive | Data-centric focus | AD-specific depth |
| AD recovery capabilities | No | No | No | Yes |
| Effective cost (E5 Security bundle) | Included in E5 | ~£4–7/user/month | ~£6–10/user/month | ~£3–5/user/month |

MDI's primary commercial advantage is its inclusion in E5 Security — if you have acquired E5 Security for other reasons (Defender for Endpoint P2 being the most common), MDI comes along at no incremental cost. Against dedicated identity security tools like CrowdStrike Falcon Identity, MDI has slightly less sophisticated attack detection in some specific areas, but the native Defender XDR correlation provides a significant operational advantage for Microsoft-centric security operations.

Semperis DSP is worth noting specifically for organisations that want both AD attack detection AND AD forest recovery capability. MDI does not have an AD recovery component — it is detection only. Organisations for whom AD compromise recovery speed is a business priority may need Semperis or a comparable DR tool alongside MDI rather than instead of it.

When MDI is Right for Your Organisation

MDI is the right investment when your organisation meets all of the following criteria:

- You have on-premises Active Directory infrastructure that authenticates users and manages access to resources

- Your threat model includes sophisticated adversaries (nation-state, financially-motivated ransomware groups, targeted attackers) — not just commodity malware

- Your security team has the operational capability to act on MDI alerts (a SOC, an MSSP, or at minimum a security engineer reviewing the Defender portal regularly)

- You have or are moving toward E5 Security (making MDI an included benefit rather than an add-on purchase)

MDI is not the right investment when your AD infrastructure is primarily cloud (Entra-only), when your security team lacks the capacity to respond to identity alerts, or when you are a small organisation with limited attack surface and risk profile.

Negotiating MDI in Your EA

If you are considering MDI standalone (rather than as part of E5 Security), the negotiation principles are:

User count scope: Negotiate the user count carefully — service accounts, disabled accounts, and admin accounts should be reviewed against the Product Terms. Large AD environments often have 10–20% of their user count in accounts that may not require MDI coverage. Accurate scoping reduces the licence count.
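Before taking Microsoft's user count at face value, break the directory down into the categories the Product Terms review covers. This is an added example (not from the article); it assumes the RSAT ActiveDirectory module, queries only the current domain, and identifies service accounts by a hypothetical `svc-*` naming convention plus the presence of a service principal name, which you should adapt to your own conventions.

```powershell
# Added example: categorise AD user objects to scope an MDI licence count.
# Assumes RSAT ActiveDirectory; the 'svc-*' prefix is a hypothetical naming convention.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-180)   # inactivity window for the "stale" category (assumed)

$users = Get-ADUser -Filter * -Properties Enabled, ServicePrincipalName, adminCount, LastLogonDate

$disabled = @($users | Where-Object { -not $_.Enabled })
$enabled  = @($users | Where-Object { $_.Enabled })

# Service accounts that are ordinary user objects: by naming convention or because they carry an SPN.
$service = @($enabled | Where-Object {
    $_.SamAccountName -like 'svc-*' -or @($_.ServicePrincipalName).Count -gt 0
})

# adminCount=1 is set by AdminSDHolder on members of protected groups (Domain Admins etc.).
$admins = @($enabled | Where-Object { $_.adminCount -eq 1 })

# Enabled accounts that have never logged on, or not within the window.
$stale = @($enabled | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff })

# Managed service accounts (sMSA/gMSA) are a separate object class, not user accounts.
$msa = @(Get-ADServiceAccount -Filter *)

$reviewCandidates = @($service + $stale | Sort-Object DistinguishedName -Unique)

[pscustomobject]@{
    TotalUserObjects       = @($users).Count
    DisabledUsers          = $disabled.Count
    EnabledUsers           = $enabled.Count          # baseline the licence count starts from
    EnabledServiceAccounts = $service.Count
    EnabledAdminAccounts   = $admins.Count
    EnabledStale180d       = $stale.Count
    ManagedServiceAccounts = $msa.Count
    ReviewCandidates       = $reviewCandidates.Count
    ReviewCandidatePct     = if ($enabled.Count) { [math]::Round(100 * $reviewCandidates.Count / $enabled.Count, 1) } else { 0 }
} | Format-List
```

The `ReviewCandidatePct` figure is the share of enabled accounts to take into the Product Terms discussion; it is a scoping input, not a licence entitlement.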

Phased deployment aligned to AD scope: If your AD estate spans multiple forests or geographic regions, negotiate a phased deployment where MDI is deployed to high-priority forests first and expanded over the EA term. This allows you to start with a smaller commitment and grow into it based on proven operational value.

E5 Security vs standalone comparison: Before signing standalone MDI, require your Microsoft account team to model the E5 Security cost against what you currently pay for E3 + MDI add-on + whatever security products you already have. In many cases, the E5 Security upgrade produces better security coverage at lower total cost than E3 plus individual add-ons.

For the broader EA negotiation context, see our EA negotiation complete guide and the Microsoft security licensing guide.


Frequently Asked Questions

Is Microsoft Defender for Identity the same as Azure ATP?

Yes. Azure Advanced Threat Protection (Azure ATP) was rebranded as Microsoft Defender for Identity in 2020. Before that it was Microsoft Advanced Threat Analytics (ATA). The technology has evolved significantly but the product focus — on-premises Active Directory monitoring — has remained consistent across the rebranding history.

Does Defender for Identity work with Entra ID (cloud-only) environments?

No. MDI monitors on-premises Active Directory via sensors installed on domain controllers. In cloud-only Entra ID environments where there are no on-premises domain controllers, MDI has nothing to monitor and provides no value. Cloud identity monitoring for Entra-only environments is provided by Entra ID Protection (included in Entra P2 / E5 Security).

How many sensors do I need?

One sensor per domain controller is the standard deployment model. MDI sensors are lightweight and install directly on domain controllers (no additional server hardware required). Read-only domain controllers (RODCs) require a separate standalone sensor deployment. Missing any DC from the sensor deployment creates detection blind spots.

Can I deploy MDI in a tiered or partial way to manage cost?

Yes, though with trade-offs. Deploying MDI in the highest-risk domains first (head office, finance, IT admin domains) while deferring remote site coverage is a common phased approach. The Product Terms require licences for all users in the covered domains, not all users globally — allowing you to scope your initial deployment to high-priority forests or domains. However, domain controllers without sensors remain blind spots for lateral movement detection.