Definition
ITDR (Identity Threat Detection and Response) is a category that emerged as cyber-attack patterns shifted from endpoint compromise toward identity compromise. The modern attacker increasingly does not need to plant malware on a workstation — they need only to phish credentials, register a malicious OAuth app against an enterprise tenant, or exploit a misconfigured admin role. Once inside the identity system, they can read mail, exfiltrate files, and pivot to downstream resources without ever touching the endpoint.
ITDR responds to that shift by treating the identity layer as a first-class detection surface. The signals come from Microsoft 365, Microsoft Entra ID, Microsoft Azure, Google Workspace, Okta, Auth0, and similar identity providers, plus the email and file services they federate (Exchange Online, OneDrive, SharePoint, Teams, Gmail, Drive, Calendar, Meet). Detections cover suspicious mailbox-rule creation (auto-forward, auto-delete), OAuth-app grants to risky third parties, anomalous login patterns, impossible-travel logins with real distance and speed analysis, privileged role escalations, secret-write events on application registrations, unusual file download/deletion/sharing activity, and admin-abuse patterns (granting consent on behalf of users, modifying audit logging configuration, etc.).
For MSPs, ITDR adds a layer that endpoint AV and EDR cannot provide. An attacker who has phished credentials and never touched the workstation is invisible to endpoint protection — but visible to ITDR through the abnormal login pattern, the new mailbox rule, or the new OAuth grant.
Core components
- Authentication anomaly detection. Detection of unusual login patterns: new countries, new devices, new IP ranges, impossible travel (two logins whose separation in distance and time implies a speed no traveller could achieve), and brute-force or password-spray patterns.
- Mailbox rule monitoring. Detection of suspicious mailbox rules — auto-forwarding to external addresses, auto-deletion of security-warning emails, auto-archive of incident-response email threads.
- OAuth application monitoring. Detection of newly-granted OAuth applications, particularly ones with broad mailbox or file access scopes from publishers the tenant has no relationship with.
- Privileged role monitoring. Detection of changes to privileged role assignments (Global Administrator, Privileged Role Administrator, etc.) and of abuse patterns by accounts that already hold those roles.
- File activity anomalies. Detection of unusual download volumes, mass deletions, mass external-share grants, and similar activities that signal an account compromise.
- Endpoint correlation. Cross-referencing identity signals with endpoint telemetry. A login from a new country is much less suspicious if the user's registered workstation just connected from that country; with correlation, the ITDR system suppresses the false positive.
- Configuration assessment. Continuous evaluation of the tenant's identity-related configuration (MFA enforcement, conditional access policies, legacy auth, mailbox audit logging, retention) so detection results in remediation, not just alert volume.
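To make the mailbox-rule component concrete, here is an added example written for this page (it is not Lavawall® code) that runs the checks described above over a few constructed audit records shaped like Microsoft 365 unified-audit-log AuditData for New-InboxRule / Set-InboxRule. The tenant domain list, the security-keyword and hidden-folder lists, and every user, address and IP are assumptions made for the example.

```python
import json
import re

# Constructed sample records shaped like Microsoft 365 unified audit log
# AuditData for inbox-rule operations (Operation, UserId, Parameters as
# Name/Value pairs). The users, domains, addresses and IPs are invented.
SAMPLE_EVENTS = [
    json.dumps({
        "Operation": "New-InboxRule",
        "UserId": "alice@contoso.example",
        "ClientIP": "203.0.113.10",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "ForwardTo", "Value": "[SMTP:drop@mail-collector.example]"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    }),
    json.dumps({
        "Operation": "New-InboxRule",
        "UserId": "bob@contoso.example",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Hide security mail"},
            {"Name": "SubjectContainsWords", "Value": "password;security alert;unusual sign-in"},
            {"Name": "MoveToFolder", "Value": "RSS Feeds"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    }),
    json.dumps({
        "Operation": "Set-InboxRule",
        "UserId": "carol@contoso.example",
        "ClientIP": "198.51.100.8",
        "Parameters": [
            {"Name": "Identity", "Value": "Move invoices"},
            {"Name": "ForwardTo", "Value": "finance@contoso.example"},
        ],
    }),
]

TENANT_DOMAINS = {"contoso.example"}   # assumed: the tenant's own verified domains
SECURITY_WORDS = {"password", "security", "sign-in", "mfa", "alert", "phishing", "suspicious"}
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items",
                  "conversation history", "archive"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def rule_parameters(event):
    """Flatten the audit record's Name/Value parameter list into a dict."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def is_truthy(value):
    return str(value).strip().lower() in {"true", "$true", "1"}


def analyze_rule_event(raw):
    """Return (severity, reason) findings for one inbox-rule audit record."""
    event = json.loads(raw)
    if event.get("Operation") not in RULE_OPERATIONS:
        return []
    p = rule_parameters(event)
    findings = []

    # 1. Forwarding or redirecting mail to a domain the tenant does not own.
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in EMAIL_RE.findall(p.get(key, "")):
            if addr.rsplit("@", 1)[1].lower() not in TENANT_DOMAINS:
                findings.append(("high", f"{key} external address {addr}"))

    # 2. Silent deletion of matching mail.
    if is_truthy(p.get("DeleteMessage", "")):
        findings.append(("high", "rule deletes matching messages"))

    # 3. Security-related mail hidden: matched on security keywords and either
    #    moved to a folder nobody reads or auto-marked as read.
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w.strip()}
    hits = sorted(w for w in words if any(s in w for s in SECURITY_WORDS))
    folder = p.get("MoveToFolder", "")
    if hits and (folder.lower() in HIDDEN_FOLDERS or is_truthy(p.get("MarkAsRead", ""))):
        findings.append(("medium", f"security keywords {hits} routed to {folder!r}"))

    # 4. Near-empty rule names ("." or " ") make a malicious rule easy to
    #    overlook in the Outlook rule list.
    name = p.get("Name") or p.get("Identity") or ""
    if 0 < len(name.strip()) <= 2:
        findings.append(("low", f"rule name {name!r} is near-empty"))
    return findings


def scan(raw_events):
    """Run the analyzer over a batch; returns [(user, findings), ...]."""
    return [(json.loads(e)["UserId"], analyze_rule_event(e)) for e in raw_events]


if __name__ == "__main__":
    for user, findings in scan(SAMPLE_EVENTS):
        for severity, reason in findings:
            print(f"{severity:<6} {user}: {reason}")
```

Two design points worth keeping in a real detector: the check runs on Set-InboxRule as well as New-InboxRule, because attackers frequently repurpose an existing benign rule rather than create a new one; and carol's forward to an address inside the tenant's own domain produces no finding, which is the allow-list that keeps internal delegation rules from drowning the feed.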
Why it matters
Modern attack data shows identity compromise as a leading initial-access vector. Microsoft's Digital Defense Reports and Verizon's DBIR have repeatedly highlighted phishing and credential-based attacks as primary entry methods. Endpoint EDR — focused on what is happening on the workstation — does not catch the attacker who has phished credentials and never installed anything.
For MSPs, ITDR is also a multi-tenant problem at scale. An MSP supporting 30 client tenants that relies on Microsoft Entra "Risky Users" alerts alone will spend most of its time chasing false positives: IPv6 privacy-extension address rotation that makes one device look like many, VPN handoffs, and benign travel. The way out is an ITDR layer that correlates those signals with endpoint telemetry and drops the obvious false positives before a technician sees them.
Cyber-insurance assessments and CMMC 2.0 / NIST CSF audits increasingly ask about identity-protection controls (MFA enforcement, privileged-access management, anomaly detection). ITDR coverage is part of the answer.
How Lavawall® helps with ITDR (Identity Threat Detection and Response)
Lavawall® delivers comprehensive ITDR for Microsoft 365 / Microsoft Entra ID / Microsoft Azure and for Google Workspace from a single multi-tenant console. The platform connects in one click per tenant, correlates the cloud signals with the MSP's endpoint telemetry, and surfaces actionable incidents — not raw alerts.
False-positive reduction is a particular focus. Computers running the Lavawall® agent for Windows, macOS, or Linux are automatically excluded from login sequences that combine a failed login with a successful login from an unknown location. The platform also accounts for IPv6 privacy-extension address rotation and other noise sources that plague the built-in "Risky Users" feed. Impossible-travel detection displays the actual distance and speed, so the technician can see at a glance whether 800 km in 12 minutes (an implied 4,000 km/h) is real or a VPN handoff.
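The distance-and-speed check and the endpoint-correlation suppression described here and under Core components, as an added example written for this page; it is illustrative code, not Lavawall®'s implementation. It assumes sign-in records that carry geolocated coordinates and an endpoint agent that reports each managed device's public egress IP. The 900 km/h threshold, the 30-minute correlation window, and every user, coordinate and IP are constructed for the example.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class SignIn:
    """One identity-provider sign-in record (constructed shape, not a vendor schema)."""
    user: str
    time: datetime
    ip: str
    lat: float
    lon: float


@dataclass
class AgentReport:
    """Endpoint telemetry: a managed device reporting its public egress IP (constructed)."""
    device: str
    user: str
    egress_ip: str
    seen: datetime


@dataclass
class Finding:
    user: str
    verdict: str      # "alert" or "suppressed"
    km: float
    minutes: float
    kmh: float


# Constructed sample data. Coordinates are city centres; IPs are documentation ranges.
SAMPLE_SIGNINS = [
    SignIn("alice@contoso.example", datetime(2024, 5, 3, 9, 2, tzinfo=UTC), "203.0.113.10", 48.86, 2.35),     # Paris
    SignIn("alice@contoso.example", datetime(2024, 5, 3, 9, 14, tzinfo=UTC), "198.51.100.9", 52.52, 13.40),   # Berlin, 12 min later
    SignIn("bob@contoso.example", datetime(2024, 5, 3, 10, 0, tzinfo=UTC), "203.0.113.5", 51.51, -0.13),      # London
    SignIn("bob@contoso.example", datetime(2024, 5, 3, 10, 5, tzinfo=UTC), "198.51.100.77", 50.11, 8.68),     # Frankfurt VPN exit
    SignIn("carol@contoso.example", datetime(2024, 5, 3, 8, 0, tzinfo=UTC), "203.0.113.22", 41.88, -87.63),   # Chicago
    SignIn("carol@contoso.example", datetime(2024, 5, 3, 11, 0, tzinfo=UTC), "203.0.113.23", 40.71, -74.01),  # New York, 3 h later
]
SAMPLE_AGENT_REPORTS = [
    # bob's managed laptop reported the Frankfurt VPN exit as its egress address one minute earlier
    AgentReport("WS-BOB-02", "bob@contoso.example", "198.51.100.77", datetime(2024, 5, 3, 10, 4, tzinfo=UTC)),
]

MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold: about airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def implied_travel(prev, cur):
    """Distance, elapsed minutes and implied speed between two sign-ins.
    Two sign-ins in the same instant from different places yield infinite speed."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    minutes = (cur.time - prev.time).total_seconds() / 60
    kmh = km / (minutes / 60) if minutes > 0 else math.inf
    return km, minutes, kmh


def managed_device_explains(signin, reports, window_minutes=30):
    """True if one of the user's managed devices reported signin.ip as its egress
    address close to the sign-in time, i.e. the 'new location' is a VPN or proxy
    exit in front of a known device rather than a second actor."""
    for r in reports:
        if (r.user == signin.user and r.egress_ip == signin.ip
                and abs((signin.time - r.seen).total_seconds()) <= window_minutes * 60):
            return True
    return False


def detect_impossible_travel(signins, reports):
    """Compare each sign-in with the same user's previous one; flag impossible speeds,
    marking them suppressed when endpoint telemetry explains the new location."""
    findings = []
    last = {}
    for ev in sorted(signins, key=lambda s: s.time):
        prev = last.get(ev.user)
        last[ev.user] = ev
        if prev is None:
            continue
        km, minutes, kmh = implied_travel(prev, ev)
        if kmh <= MAX_PLAUSIBLE_KMH:
            continue
        verdict = "suppressed" if managed_device_explains(ev, reports) else "alert"
        findings.append(Finding(ev.user, verdict, km, minutes, kmh))
    return findings


if __name__ == "__main__":
    for f in detect_impossible_travel(SAMPLE_SIGNINS, SAMPLE_AGENT_REPORTS):
        print(f"{f.verdict:<10} {f.user}: {f.km:.0f} km in {f.minutes:.0f} min = {f.kmh:.0f} km/h")
```

Every finding carries the distance, the elapsed time and the implied speed, so a technician can audit the verdict rather than trust a "risky" label. The Frankfurt pair is suppressed only because a managed device for the same user reported that exact egress IP within the window; that is the correlation an identity-provider-only feed cannot perform, and it is what separates a VPN handoff from a genuine second actor. Carol's Chicago to New York pair implies roughly 380 km/h and is never flagged.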
Coverage spans mailbox forwarding rules and other suspicious mailbox rules, impossible-travel detection, newly-installed Entra / Azure apps and risky OAuth grants, unusual file download, deletion, and sharing activity, admin-abuse detection, and gaps between Intune-managed and Lavawall-managed devices. All of it flows automatically into compliance evidence (CMMC 2.0 IA, AC, AU; NIST CSF PR.AA, DE.CM; CIS Controls 5, 6, 8).
Frequently asked
- Is ITDR the same as IAM?
- No. IAM (Identity and Access Management) is the system that authenticates users and authorises access — products like Microsoft Entra ID, Okta, Auth0. ITDR is the detection-and-response layer that sits on top of IAM and watches for compromise. They are complementary.
- Is ITDR the same as EDR?
- No. EDR (Endpoint Detection and Response) watches the endpoint. ITDR watches the identity system. A modern security stack typically has both, plus integrations between them.
- Does Microsoft Entra ID Protection do this?
- Microsoft Entra ID Protection provides "Risky Users" and "Risky Sign-ins" feeds that contribute raw signals. They are useful inputs but produce significant false-positive volume for MSPs without endpoint correlation. A dedicated ITDR layer like Lavawall® consumes those signals and adds the correlation, multi-tenant console, and configuration-assessment context that makes them actionable.
- How quickly can I add a tenant to ITDR?
- With Lavawall®, roughly one click per tenant. The MSP technician logs into the client's Microsoft account, grants the read-only scopes Lavawall® requires, and ingestion begins within minutes. Google Workspace is similarly fast (three clicks).