SC-200 Study Guide

Domain 1: Manage a Security Operations Environment

  • Sentinel Workspace: Roles & Retention
  • Get Windows Events Into Sentinel
  • Syslog, CEF & Azure Data Ingestion
  • Defender for Endpoint: Core Setup
  • Attack Surface Reduction & Security Policies
  • Defender XDR: Tune Your Alerts
  • Automated Investigation & Attack Disruption
  • Sentinel Automation: Rules & Playbooks
  • Custom Detections in Defender XDR
  • Sentinel Analytics & Threat Intelligence
  • MITRE ATT&CK & Anomaly Detection
  • Detection Engineering: Putting It All Together

Domain 2: Respond to Security Incidents

  • Incident Triage: From Alert to Verdict
  • Purview & Defender for Cloud Threats
  • Identity Threats: Entra & Defender for Identity
  • Cloud App Security: Investigate Shadow IT
  • Sentinel Incident Response
  • Copilot for Security: Your AI Analyst
  • Complex Attacks & Lateral Movement
  • Endpoint: Timeline & Live Response
  • Endpoint: Evidence & Entity Investigation
  • M365 Investigations: Audit, Search & Graph

Domain 3: Perform Threat Hunting

  • KQL Foundations for Threat Hunters
  • Advanced Hunting in Defender XDR
  • Sentinel Hunting: Build & Monitor Queries
  • Threat Analytics & Hunting Graphs
  • Data Lake: KQL Jobs & Summary Rules
  • Notebooks & the Sentinel MCP Server

Domain 2: Respond to Security Incidents (~12 min read)

Identity Threats: Entra & Defender for Identity

Compromised identities are behind most breaches. Learn how to investigate and remediate compromised accounts from Microsoft Entra ID and lateral movement alerts from Defender for Identity.

Why identity is the new perimeter

☕ Simple explanation

Firewalls protect the building. Identity protects the person.

In a world where employees work from home, coffee shops, and airports, the network perimeter is meaningless. What matters is: who is logging in, from where, and is it really them?

Entra ID (Microsoft’s cloud identity service) detects compromised cloud accounts — impossible travel, password spray, token theft. Defender for Identity watches your on-premises Active Directory for lateral movement, credential theft, and reconnaissance.

Together, they cover the full identity attack surface: cloud + on-premises.

Microsoft Entra ID Protection uses machine learning to detect identity-based threats: risky sign-ins (unfamiliar locations, impossible travel, anonymous IP), risky users (leaked credentials, anomalous activity), and compromised accounts requiring remediation.

Microsoft Defender for Identity (MDI) monitors on-premises Active Directory by analysing domain controller traffic. It detects reconnaissance (LDAP enumeration, DNS queries), credential theft (pass-the-hash, pass-the-ticket, Kerberoasting), and lateral movement (overpass-the-hash, suspicious service creation).

Both products feed alerts into Defender XDR’s unified incident queue, enabling cross-domain investigation that traces an attack from cloud sign-in through on-prem lateral movement.

Entra ID: cloud identity threats

Common Entra ID risk detections

| Detection | What It Means | Risk Level |
|---|---|---|
| Impossible travel | User signs in from New Zealand, then Germany 30 minutes later | High |
| Password spray | Multiple accounts targeted with common passwords | High |
| Unfamiliar sign-in properties | New device, new browser, new location | Medium |
| Anonymous IP | Sign-in from Tor, VPN, or anonymous proxy | Medium |
| Leaked credentials | User’s credentials found in a public breach database | High |
| Token theft | Adversary-in-the-middle attack stealing session tokens | High |
| Malicious IP | Sign-in from an IP associated with known attacks | High |

Investigation workflow for compromised Entra ID accounts

  1. Review the risk detection — what triggered it? (impossible travel, password spray, etc.)
  2. Check sign-in logs — when, where, what device, what app
  3. Check audit logs — did the attacker change anything? (MFA methods, email forwarding rules, app consent)
  4. Check for lateral activity — did the account access other resources, send emails, or create apps?
  5. Remediate:
    • Reset password
    • Revoke all refresh tokens and sessions
    • Re-register MFA (if MFA methods were modified)
    • Review and remove suspicious app consents
    • Check for inbox rules and mailbox forwarding

💡 Scenario: James investigates impossible travel

James at Pacific Meridian sees a High-risk alert: “Impossible travel — user signed in from Auckland NZ at 9:00 AM, then from Moscow at 9:15 AM.”

Investigation:

  • Sign-in logs show the Moscow sign-in used a different device and browser
  • The Auckland sign-in was the user’s normal work device
  • Audit logs show the Moscow session changed the user’s MFA phone number and created a mail forwarding rule to an external address

This is a confirmed account compromise.

Remediation:

  • Reset password immediately
  • Revoke all sessions
  • Remove the malicious MFA phone number and re-register the legitimate one
  • Delete the forwarding rule
  • Check if any sensitive emails were forwarded before detection
  • Block the Moscow IP as an indicator
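The workflow and scenario above as an added example, not code from the study guide or from Microsoft: a small Python triage script that flags impossible travel between two constructed sign-ins (using the Auckland/Moscow timings from the scenario), then checks constructed audit records for the MFA change and forwarding rule that turn a risky sign-in into a confirmed compromise. The speed threshold, the audit operation names and the record layout are assumptions made for the demo.

```python
# Added example, not code from the study guide: the Entra ID triage workflow run
# over constructed records whose fields are simplified sign-in / audit log columns.
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000  # assumption: faster than any commercial flight
SUSPICIOUS_OPS = {        # audit operations that indicate attacker persistence
    "User registered security info": "MFA method changed",
    "New-InboxRule": "Mail forwarding rule created",
}

def km_between(a, b):  # haversine great-circle distance between (lat, lon) points
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def triage(signins, audits, window_hours=24):
    """Steps 1-4 of the workflow; returns (verdict, list of findings)."""
    findings = []
    signins = sorted(signins, key=lambda s: s["time"])
    for prev, cur in zip(signins, signins[1:]):
        km = km_between(prev["geo"], cur["geo"])
        hours = (cur["time"] - prev["time"]).total_seconds() / 3600
        speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
        if speed <= MAX_PLAUSIBLE_KMH:
            continue
        findings.append(f"Impossible travel: {prev['city']} -> {cur['city']} at {speed:.0f} km/h")
        if cur["device"] != prev["device"]:
            findings.append(f"New device in {cur['city']}: {cur['device']}")
        end = cur["time"] + timedelta(hours=window_hours)  # did the session change anything after?
        for ev in audits:
            if cur["time"] <= ev["time"] <= end and ev["operation"] in SUSPICIOUS_OPS:
                findings.append(f"{SUSPICIOUS_OPS[ev['operation']]} ({ev['detail']})")
    persisted = any(f.startswith(("MFA", "Mail")) for f in findings)
    verdict = "confirmed compromise" if persisted else "investigate" if findings else "benign"
    return verdict, findings

# Constructed records mirroring the scenario in the text.
T = datetime(2026, 1, 20, 9, 0)
SIGNINS = [
    {"time": T, "city": "Auckland", "geo": (-36.85, 174.76), "device": "LAPTOP-USER01"},
    {"time": T + timedelta(minutes=15), "city": "Moscow", "geo": (55.76, 37.62), "device": "unknown-linux"},
]
AUDITS = [
    {"time": T + timedelta(minutes=20), "operation": "User registered security info", "detail": "new phone"},
    {"time": T + timedelta(minutes=25), "operation": "New-InboxRule", "detail": "forward to external address"},
]

if __name__ == "__main__":
    print(*triage(SIGNINS, AUDITS), sep="\n")
```

Without the audit hits the same sign-in pair only rates "investigate"; it is the persistence changes after the suspicious session that make the verdict a confirmed compromise.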

Defender for Identity: on-premises threats

Common MDI detections

| Detection | Attack Technique | MITRE ATT&CK |
|---|---|---|
| LDAP reconnaissance | Attacker queries AD to map users, groups, and permissions | Discovery (T1087) |
| Kerberoasting | Request TGS tickets for service accounts to crack offline | Credential Access (T1558) |
| Pass-the-hash | Use stolen NTLM hash to authenticate without password | Lateral Movement (T1550) |
| Pass-the-ticket | Use stolen Kerberos ticket to impersonate a user | Lateral Movement (T1550) |
| DCSync | Impersonate a domain controller to replicate password hashes | Credential Access (T1003) |
| Suspicious service creation | Create a service on a remote machine for persistence | Persistence (T1543) |
| Honeytoken activity | Access to a decoy account designed to detect attackers | Early warning |

Investigation workflow for MDI alerts

  1. Review the MDI alert — what technique was detected? What accounts and devices are involved?
  2. Check the attack timeline — MDI shows the sequence of activities on the entity page
  3. Correlate with Entra ID — did the same user trigger cloud-side risk detections?
  4. Check lateral movement paths — MDI maps potential lateral movement paths through the organisation
  5. Remediate:
    • Reset the compromised account’s password
    • Rotate credentials for any service accounts involved
    • Check for persistence mechanisms (scheduled tasks, services, registry keys)
    • Review Group Policy for unauthorised changes
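An added example, not MDI's own code: the "abnormal TGS request pattern" behind a Kerberoasting alert, written as detection logic over constructed events shaped like Windows Security event 4769 (Kerberos service ticket requested), so you can see which pattern is abnormal and why a busy workstation using AES tickets is not. The time window, the SPN count and the encryption-type heuristic are assumptions chosen for the demo.

```python
# Added example, not MDI's own code: scores constructed events shaped like
# Windows Security event 4769 (Kerberos service ticket requested) for the
# "abnormal TGS request pattern" MDI reports as Kerberoasting.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)      # assumption: short burst, chosen for the demo
MIN_DISTINCT_SPNS = 5               # one account requesting tickets to many services
WEAK_ENC_TYPES = {"0x17", "0x18"}   # RC4-HMAC ticket encryption, crackable offline

def detect_kerberoasting(events):
    """Return one alert per account whose TGS requests exceed the thresholds."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_account[ev["account"]].append(ev)
    alerts = []
    for account, evs in by_account.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev["time"] - evs[start]["time"] > WINDOW:   # slide the window
                start += 1
            window = evs[start:end + 1]
            spns = {e["service"] for e in window}
            weak = sum(e["enc_type"] in WEAK_ENC_TYPES for e in window)
            # Many distinct SPNs *and* mostly RC4 tickets; AES-only bursts do not trip it.
            if len(spns) >= MIN_DISTINCT_SPNS and weak >= 0.8 * len(window):
                alerts.append({"account": account, "client_ip": ev["client_ip"],
                               "distinct_spns": len(spns), "rc4_requests": weak})
                break
    return alerts

def make_events(account, ip, services, enc_type, start, step_s):
    """Constructed 4769-style events, one per service, spaced step_s seconds apart."""
    return [{"time": start + timedelta(seconds=i * step_s), "account": account,
             "client_ip": ip, "service": svc, "enc_type": enc_type}
            for i, svc in enumerate(services)]

T = datetime(2026, 1, 20, 14, 0)
SPNS = ["MSSQLSvc/db01", "HTTP/intranet", "MSSQLSvc/db02", "CIFS/files01",
        "HTTP/reports", "exchangeMDB/mail01"]
EVENTS = (
    make_events("contractor1", "10.1.2.3", SPNS, "0x17", T, 5)          # burst, RC4
    + make_events("analyst2", "10.1.2.9", SPNS, "0x12", T, 60)         # AES, normal use
    + make_events("analyst2", "10.1.2.9", SPNS[:2], "0x17", T + timedelta(hours=2), 300)
)

if __name__ == "__main__":
    for alert in detect_kerberoasting(EVENTS):
        print(alert)
```

The alert carries the account and client IP because those are the two entities the MDI workflow above starts from: the account's password is reset and the device is checked for persistence.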

Entra ID covers cloud identity; MDI covers on-premises AD. Use both for full coverage.

| Feature | Entra ID Protection | Defender for Identity |
|---|---|---|
| Environment | Cloud (Entra ID / Azure AD) | On-premises (Active Directory) |
| Detection method | Machine learning on sign-in telemetry | Network traffic analysis on domain controllers |
| Threats detected | Impossible travel, password spray, token theft, leaked creds | Kerberoasting, pass-the-hash, DCSync, LDAP recon, lateral movement |
| Data source | Sign-in logs, audit logs | Domain controller traffic (port mirroring or ADFS) |
| Remediation | Reset password, revoke tokens, re-register MFA | Reset passwords, rotate service account creds, check persistence |
| Integration | Feeds into Defender XDR incidents + Conditional Access | Feeds into Defender XDR incidents + Sentinel |

💡 Exam tip: Entra ID Protection vs Defender for Identity

The exam tests whether you know which product handles which scenario:

  • “User signs in from impossible location” → Entra ID Protection
  • “Attacker performs pass-the-hash on domain controller” → Defender for Identity
  • “Kerberoasting detected” → Defender for Identity
  • “Leaked credentials found in public breach” → Entra ID Protection
  • “Suspicious LDAP queries from a workstation” → Defender for Identity

Rule of thumb: if it involves sign-in behaviour or cloud tokens, it is Entra ID. If it involves AD protocols or domain controller traffic, it is MDI.

Question

What are the key remediation steps for a compromised Entra ID account?

Answer

1. Reset password. 2. Revoke all refresh tokens and sessions. 3. Re-register MFA if methods were changed. 4. Remove suspicious app consents. 5. Delete malicious inbox rules and forwarding. 6. Check for data access or email forwarding during the compromise window.

Question

What is Kerberoasting and which product detects it?

Answer

Kerberoasting is an attack where an attacker requests Kerberos TGS tickets for service accounts and cracks them offline to obtain passwords. Microsoft Defender for Identity (MDI) detects this by monitoring abnormal TGS request patterns on domain controllers.

Question

What is the difference between Entra ID Protection and Defender for Identity?

Answer

Entra ID Protection monitors cloud sign-in behaviour (impossible travel, password spray, token theft). Defender for Identity monitors on-premises Active Directory traffic (pass-the-hash, Kerberoasting, LDAP recon, lateral movement). Use both for full identity coverage.

Knowledge Check

An Entra ID alert shows a user signed in from Auckland at 9:00 AM and from Moscow at 9:15 AM. The Moscow session changed the user's MFA phone number. What is the priority remediation action?

Knowledge Check

Defender for Identity detects Kerberoasting activity targeting a service account on Pacific Meridian's domain. What should James do?

Next up: Identity threats are handled. Now let’s investigate shadow IT and risky cloud apps with Defender for Cloud Apps.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.