In plain English
Defender for Identity watches what is happening in your Active Directory environment and flags suspicious behaviour: an account that suddenly starts querying every computer on the network, a user performing a pass-the-hash attack, or credentials being dumped from memory. It is built to catch attackers who are already inside and moving laterally through your network, after the perimeter and endpoint controls have been bypassed.
Full definition
Defender for Identity installs a sensor directly on domain controllers (a standalone sensor fed by mirrored network traffic and forwarded Windows events is the alternative when nothing can be installed on the DC) to monitor Kerberos, NTLM, DNS and LDAP traffic together with security events. It builds a behavioural baseline for every user and device, then raises alerts when activity deviates from that baseline, such as network or account reconnaissance, over-pass-the-hash attacks (using a stolen NTLM hash to obtain Kerberos tickets), or domain dominance techniques.
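The two ideas in that paragraph, a per-account baseline and an alert on deviation, can be shown on a handful of constructed Windows security events. The following is an added example written for this page, not Defender for Identity's own logic: it reduces Kerberos service-ticket requests (event 4769) and TGT requests (event 4768) to a few fields, learns each account's normal number of distinct hosts per day, and flags a day that is far above that account's own norm (reconnaissance) as well as a TGT obtained with RC4-HMAC for an account that normally uses AES, which is the signal behind an over-pass-the-hash detection. The event data, host names, IP addresses and thresholds are all invented for the demonstration.

```python
"""Toy behavioural-baseline detector over constructed Windows security events.

Added illustration; not Defender for Identity code. The records below are
constructed to resemble fields from Security event IDs 4769 (Kerberos service
ticket request) and 4768 (Kerberos TGT request), reduced to what the detectors
need: (day, account, event_id, target_host_or_client_ip, ticket_etype).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Kerberos ticket encryption type values as logged in event 4768.
RC4_HMAC = 0x17
AES256 = 0x12

# Constructed sample data (hypothetical accounts, hosts and addresses).
EVENTS = []
# Baseline: alice asks for tickets to 2-3 hosts a day and always gets AES TGTs.
for day in range(1, 8):
    for host in ["FS01", "PRINT01"] + (["SQL01"] if day % 2 else []):
        EVENTS.append((day, "alice", 4769, host, None))
    EVENTS.append((day, "alice", 4768, "10.0.0.21", AES256))
# Day 8: alice suddenly requests tickets for 40 workstations, and her TGT was
# obtained with RC4 from a host she has never used before.
for i in range(40):
    EVENTS.append((8, "alice", 4769, f"WS{i:03d}", None))
EVENTS.append((8, "alice", 4768, "10.0.0.99", RC4_HMAC))
# bob is a noisy admin who touches ~30 servers every day; he must not fire.
for day in range(1, 9):
    for i in range(30 + (day % 3)):
        EVENTS.append((day, "bob", 4769, f"SRV{i:02d}", None))
    EVENTS.append((day, "bob", 4768, "10.0.0.50", AES256))


def distinct_targets_per_day(events):
    """Map account -> day -> number of distinct hosts it requested tickets for."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, account, event_id, target, _ in events:
        if event_id == 4769:
            seen[account][day].add(target)
    return {acct: {d: len(s) for d, s in days.items()} for acct, days in seen.items()}


def detect_recon(events, baseline_days, k=3.0, min_delta=10):
    """Flag (account, day, count, threshold) where the distinct-host count is far
    above that account's own baseline. The absolute floor min_delta stops quiet
    accounts with near-zero variance from alerting on a one-host increase."""
    alerts = []
    for account, per_day in distinct_targets_per_day(events).items():
        base = [n for d, n in per_day.items() if d in baseline_days]
        if len(base) < 3:          # not enough history to learn a baseline
            continue
        mu, sigma = mean(base), pstdev(base)
        threshold = max(mu + k * sigma, mu + min_delta)
        for day, n in sorted(per_day.items()):
            if day not in baseline_days and n > threshold:
                alerts.append((account, day, n, round(threshold, 1)))
    return alerts


def detect_etype_downgrade(events, baseline_days):
    """Flag (account, day, client) for an RC4-HMAC TGT issued to an account whose
    baseline TGTs never used RC4. An attacker holding only the NTLM hash can
    request a TGT only with RC4-HMAC, so this downgrade is the classic
    over-pass-the-hash signal."""
    baseline_etypes = defaultdict(set)
    for day, account, event_id, _, etype in events:
        if event_id == 4768 and day in baseline_days:
            baseline_etypes[account].add(etype)
    alerts = []
    for day, account, event_id, client, etype in events:
        if event_id != 4768 or day in baseline_days:
            continue
        known = baseline_etypes.get(account)
        if etype == RC4_HMAC and known and RC4_HMAC not in known:
            alerts.append((account, day, client))
    return alerts


def run(events=EVENTS, baseline_days=range(1, 8)):
    """Run both detectors with days 1-7 as the learning window."""
    days = set(baseline_days)
    return {"recon": detect_recon(events, days),
            "downgrade": detect_etype_downgrade(events, days)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

Both detectors key on the account's own history rather than a global threshold: bob's 32 hosts on day 8 is normal for bob and stays silent, while alice's 40 is more than ten times her norm and fires. The real product learns over weeks and across many more signals, but the shape of the decision is the same.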
As part of the Microsoft Defender suite, Defender for Identity alerts are correlated with Defender for Endpoint and Defender for Office 365 alerts in the unified Microsoft Defender portal. This lets analysts see a single attack chain spanning email delivery, endpoint compromise, and identity abuse such as credential theft and lateral movement in one investigation timeline.
