This post is a short overview of how you can use Microsoft Defender for Identity to investigate high-alert users in your environment.

If your active directory is a little bit spread out, using Microsoft Defender for Identity will allow you to track user access to files and folders. Defender has powerful capabilities to let you know which users are high-alert, investigate them and, if necessary, change their privileges to maintain security in your environment. This will ensure that sensitive data is protected by verifying that users only have the access that they need and nothing more.

This ability to investigate high-alert users is what we’re going to cover in today’s post. Let’s dig in.

Using Defender for Identity to Track and Investigate User Access

There are several ways to access Defender for Identity and investigate users. The most common way is to go through the In the example below, you can see that there are 15 users to investigate. This information is based on any investigation priority that Microsoft has analyzed and collected over the past week.

If you expand the menu on the left, you can then go to investigate and select users in accounts.

microsoft defender

Now click on investigation priority to sort. The higher the number, the more at risk a potential user.


The action menu over to the right allows us to do a number of things, including view the user page and any related activity or alerts that may have been generated by any user action.

endpoint security

Here is an example of an alert generated by a user account.

unified endpoint managment

Alerts can be marked as a false positive, benign, or true positive.

Identify Infrastructure Security Holes and Growth Opportunities

How mature is your infrastructure? Have your infrastructure assessed by Model Technology engineers, and identify exactly where and how Unified Endpoint Management could improve your security, compliance, and efficiency.

Before selecting an action, it’s best to dig into the alert a little more.

microsoft defender

By clicking on the alert, you can see that it was generated as the user was attempting to connect Azure active directory to ServiceNow for single sign-on.

Going back to users and accounts and view the user page.

unified endpoint management

Here, you can see exactly why the investigation priority score is much higher than the rest of the organization, as the weight given to the unusual addition of credentials to an O off app is 35, which is very high.


In this example, since there is an unusual addition of credentials to the O off app, you could confirm the user compromised…

endpoint security

…or go to the account settings in Azure active directory and revoke all current sessions, forcing this user to have to log in again.

microsoft defender

But because this was not a malicious activity, this particular alert can be closed as benign under alert actions.

endpoint security

And that’s it! For further information about how to use Microsoft Defender for Identity, you can visit the Microsoft Documentation about this software. Or for more information on how you can track your identity profiles and limit access to sensitive information, we can help as well. Feel free to reach out to us at

About the Author: Jesse Walter

Jesse Walter is a Partner with Model Technology Solutions and the Vice President of Research and Development. He has an extensive background in Microsoft endpoint management tools, such as Microsoft Endpoint Configuration Manager and Intune, as well as a strong foundation in the Microsoft 365 Defender stack. Additionally, he enjoys automating repeatable operational tasks using PowerShell, and has developed several security tools using C#.

Three Minutes For A More Secure & Efficient Infrastructure

Short and to the point, Steve’s Email Blasts give you endpoint management tips, tricks, and news in three minutes or less email read-time, guaranteed.

Model says no to spam. Privacy Policy

Model Technology Solutions

Model Technology Solutions is a small but mighty band of infrastructure experts. We’ve helped companies in diverse industries to modernize and automate their infrastructures through effectively managing their Microsoft endpoint suite.

With us on your team, you’ll watch your security and compliance go up and your IT team’s costs (and headaches) go down. You’ll relax in knowing that your endpoints will be secure and online when your users need them most. And you’ll finally get back to your most-important tasks.

Model Technology Solutions
12125 Woodcrest Executive Drive, Ste. 204 Creve Coeur, MO 63141

Phone: (314) 254-4138
General Inquiries:
Sales and Quotes: