August 30, 2025
Blog
Defender for Identity - Remove Inactive Service Accounts (Preview)
A new preview feature has landed: Defender for Identity now identifies service accounts that have gone inactive in the monitored Active Directory environment and surfaces them for removal. Dormant service accounts are a classic foothold, since they tend to keep their privileges while nobody watches them, so getting rid of them shrinks the attack surface. We dive into the details below.
Microsoft Defender for Identity (MDI, not to be confused with Microsoft Entra ID Protection) is a cloud-based security solution that uses on-premises Active Directory signals to detect identity-based threats. The product installs lightweight sensors directly on domain controllers, Active Directory Federation Services (AD FS) servers and Microsoft Entra Connect servers. From there, it continuously monitors authentication traffic and security events and reports to the Defender for Identity cloud service.
TL;DR:
Remove Inactive Service Accounts: New preview feature that flags unused service accounts so they can be disabled and removed, cutting attack surface and cleanup effort.
Architecture: Sensors on DCs and AD FS send data to the cloud.
Risks Covered: Detects reconnaissance, credential theft, lateral movement, privilege escalation, and domain dominance.
Key architectural points:
Sensors run on each domain controller, AD FS server and Entra Connect server
Authentication traffic and security events are inspected in real time on the sensor host
Alerts and insights are sent to the Defender for Identity service and shown in the Microsoft Defender portal
Integration with Microsoft Defender XDR (formerly Microsoft 365 Defender) enables correlation with endpoint, email and cloud signals
Supports detection of identity-based attacks like pass-the-ticket, reconnaissance, and lateral movement
Before discussing the new feature, a bit about the Defender for Identity architecture:
From an architectural standpoint, Defender for Identity is deployed using sensors installed directly on domain controllers, AD FS servers and Entra Connect servers. These sensors capture and parse network traffic such as Kerberos and NTLM authentication, LDAP queries and replication (DRS) requests, and they also read Windows security events, which is why the documented advanced audit policies must be enabled on the sensor hosts. The collected data is forwarded over TLS to the Defender for Identity cloud service, where it is processed and enriched by the detection logic. Because the sensor sits on the host that terminates the traffic, all identity-related activity within Active Directory is visible without port mirroring or additional collection infrastructure. The cloud component provides a centralized console for alerts, investigations and identity posture, and its integration into Microsoft Defender XDR (formerly Microsoft 365 Defender) lets security teams correlate identity signals with endpoint, email and cloud activity.
Deep Dive into Remove Inactive Service Accounts (Preview)
The newly released feature focuses on service accounts in the monitored Active Directory environment, the ones Defender for Identity discovers based on how they authenticate, and flags the ones that have shown no activity for a prolonged period so they can be disabled and removed. Organizations create these accounts for specific integrations (a backup job, an application pool, a scheduled task) and rarely revisit them when the integration is retired. An account that is no longer used but still exists is pure liability: it often retains privileges, usually has a password that never expires, and its activity is not baselined by anyone, so an attacker who obtains its credentials (for example by kerberoasting its SPN) can use it without tripping the "unusual for this account" alarms that a busy account would.
By identifying these inactive accounts and driving their removal, Defender for Identity reduces exposure while simplifying account hygiene.
The motivation behind this change is:
Improve security posture by eliminating unused, often privileged accounts
Reduce administrative overhead in account lifecycle management
The capability runs natively within the service, so there is no new collector to deploy. A few practical caveats before acting on the recommendation: disable first and delete only after a grace period, because a "dead" service account sometimes turns out to back a quarterly job; check what references the account (SPNs, scheduled tasks, Windows services, IIS application pools, connection strings) before disabling it; and remember that Defender for Identity's notion of activity is based on the authentication traffic its sensors observe, so cross-check it against the directory's own lastLogonTimestamp before you trust either number alone.
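To make that cross-check concrete, here is an added example of building your own inactive-service-account candidate list from Active Directory and disabling (not deleting) the hits. This is illustrative code written for this post, not Microsoft's tooling and not what the Defender for Identity feature runs; the 180-day threshold, the `OU=Service Accounts` heuristic and the `contoso.com` domain are assumptions to adjust for your environment. It needs the RSAT ActiveDirectory PowerShell module and is report-only unless you pass `-Disable`, and even then it runs with `-WhatIf` until you remove that switch.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post or from Microsoft): list service
# accounts that look inactive in AD so the MDI recommendation can be verified
# against directory data before anything is disabled.
param(
    [int]$InactiveDays = 180,                    # assumed threshold
    [string]$SearchBase = 'DC=contoso,DC=com',   # hypothetical domain
    [switch]$Disable                             # default is report-only
)

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# lastLogonTimestamp is replicated to every DC, but it is only rewritten when the
# stored value is older than msDS-LogonTimeSyncInterval (14 days by default, minus
# a random 0-5 days). Treat it as "last logon, give or take two weeks".
$props = 'lastLogonTimestamp', 'pwdLastSet', 'whenCreated',
         'servicePrincipalName', 'Description'

# Heuristic for "service account": it carries an SPN (so it is kerberoastable)
# or it lives under the assumed service-account OU. gMSAs are out of scope here;
# they are managed with Get-ADServiceAccount and rotate their own passwords.
$users = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase -Properties $props |
    Where-Object {
        $_.servicePrincipalName.Count -gt 0 -or
        $_.DistinguishedName -like '*OU=Service Accounts,*'
    }

$report = foreach ($u in $users) {
    $lastLogon = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
    $pwdSet    = if ($u.pwdLastSet)         { [DateTime]::FromFileTime($u.pwdLastSet) }         else { $null }

    # An account with no logon on record is only "inactive" if it is old enough
    # to have been used; a freshly created account is just not in service yet.
    $stale           = $lastLogon -and ($lastLogon -lt $cutoff)
    $neverUsedButOld = (-not $lastLogon) -and ($u.whenCreated -lt $cutoff)

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        LastLogon       = $lastLogon
        PasswordLastSet = $pwdSet
        SPNs            = ($u.servicePrincipalName -join ';')
        Inactive        = [bool]($stale -or $neverUsedButOld)
    }
}

$candidates = $report | Where-Object Inactive
$candidates | Sort-Object LastLogon | Format-Table -AutoSize

if ($Disable) {
    foreach ($c in $candidates) {
        # Disable, which is reversible, rather than delete, and record why and when
        # in the description so the next admin understands the state. Drop -WhatIf
        # once the candidate list has been reviewed with the application owners.
        Set-ADUser -Identity $c.SamAccountName -Enabled $false `
            -Description ('Disabled {0:yyyy-MM-dd}: no logon for >{1} days' -f (Get-Date), $InactiveDays) `
            -WhatIf
    }
}
```

Run it first without switches and compare the `LastLogon` column with what the Defender portal reports for the same accounts: an account that MDI calls inactive but that AD shows logging on recently (or vice versa) deserves a closer look before it is touched, and an entry with `PasswordLastSet` years in the past and an SPN is worth rotating even if it stays in use.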
Other Risks and Threats Covered by MDI:
Defender for Identity does not just monitor authentication events — it provides broad security assessments and detection capabilities across multiple attack vectors. The platform helps identify misconfigurations, risky behaviors, and ongoing attack techniques. It continuously evaluates:
Reconnaissance activities such as LDAP enumeration or mapping of sensitive accounts and groups
Credential theft attempts like pass-the-hash, pass-the-ticket, overpass-the-hash, and brute-force logons
Lateral movement using compromised accounts or remote code execution
Privilege escalation scenarios, including abnormal use of sensitive accounts and permissions
Domain dominance attacks like DCSync, Golden Ticket creation, or malicious replication requests
In addition, the security assessment feature provides visibility into the overall identity posture of the organization. This includes identifying legacy and weak protocols (e.g., NTLMv1 usage, clear-text LDAP simple binds), accounts and computers configured with unconstrained Kerberos delegation, and administrative accounts with excessive permissions or a stale password. By covering these categories, Defender for Identity not only detects active threats but also proactively highlights weaknesses that adversaries could exploit.
Resources:
https://learn.microsoft.com/en-us/defender-for-identity/remove-inactive-service-account
https://learn.microsoft.com/en-us/defender-for-identity/architecture