In Microsoft’s Security, Compliance, and Identity guidance, Microsoft Defender for Identity (formerly Azure ATP) is explicitly described as “a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats.” The service deploys lightweight sensors on domain controllers to collect and analyze Active Directory (AD) authentication and activity data. Using behavioral analytics and built-in detections, it helps security teams surface indicators of compromised identities, lateral movement, pass-the-ticket/NTLM relay, and other identity-driven attack techniques. Documentation further explains that Defender for Identity “profiles and learns entity behavior,” correlates events, and raises security alerts with investigation timelines and evidence to accelerate incident response in hybrid environments.
This precisely matches the sentence in the prompt: the only Microsoft security product whose core purpose is to use on-premises AD signals to identify, detect, and investigate advanced threats is Defender for Identity. By contrast, Microsoft Defender for Endpoint focuses on endpoint prevention and EDR; Microsoft Defender for Office 365 protects email and collaboration workloads from phishing and malware; and Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps) operates as a CASB for app discovery, control, and session monitoring. Therefore, aligning with SCI study guides and product descriptions, the correct completion is Microsoft Defender for Identity.
