You have the following environment:Azure SentinelA Microsoft 365 subscriptionMicrosoft Defender for IdentityAn Azure Active Directory...

Microsoft Defender for Identity (MDI) detects sensitive group modifications—such as changes to Domain Admins, Enterprise Admins, or Schema Admins—by analyzing Windows security events from domain controllers. For MDI sensors to detect such changes, advanced audit policies must be configured to log these activities (specifically Directory Service Changes and Account Management events).

Microsoft documentation specifies that “Defender for Identity requires auditing to be enabled on domain controllers for security events like group membership changes.” This is done under Advanced Audit Policy Configuration → Directory Service Changes.

Additionally, Windows Event Forwarding (WEF) is required or beneficial when Azure Sentinel needs to centralize those events from multiple domain controllers into a Log Analytics workspace. WEF minimizes administrative effort by automatically collecting logs without manual export or per-server log pulling.

Thus, configuring Advanced Audit Policy ensures the right events are generated, and Windows Event Forwarding ensures those events reach Sentinel for correlation with MDI alerts.

✅ Correct Answers: A and D