Quest Software announced on July 8, 2026, that its Identity Defense and Identity Recovery tools for Microsoft Entra ID have received FedRAMP High authorization, making them available in the Azure Government cloud—a move that gives federal agencies and critical infrastructure operators access to advanced identity threat detection and response (ITDR) capabilities.
This authorization isn't just another compliance checkbox. With identity attacks now the leading breach vector—and nation-state threat actors increasingly targeting federated identity systems—having a vetted, high-assurance ITDR solution inside the government's dedicated cloud enclave closes a critical security gap for agencies struggling to balance stringent compliance requirements with modern hybrid identity architectures.
The authorization covers two SaaS offerings: Quest Identity Defense, which continuously monitors Entra ID and Active Directory for compromise indicators, and Quest Identity Recovery, an automated rollback engine that can unwind malicious changes to Active Directory in minutes rather than days. Both are now listed on the FedRAMP Marketplace as High Impact Level authorized services for Azure Government users.
In the Azure Government environment, these tools operate entirely within the Microsoft-validated boundary, meaning agency security teams can deploy them without breaking their existing Authority to Operate (ATO) documents. Quest has packaged the services as a native Azure Government offering, with data residency and encryption controls that meet the Department of Defense's Cloud Computing Security Requirements Guide (SRG) Impact Level 5, suitable for Controlled Unclassified Information (CUI) and mission-critical federal workloads.
For chief information security officers at civilian agencies, the authorization solves a jarring contradiction: Microsoft Entra ID has been FedRAMP High-authorized for years, but the identity defense layer that detects lateral movement, privilege escalation, and persistence mechanisms across hybrid environments has been largely absent from the authorized marketplace. "We've had to rely on SIEM rules and manual playbooks to spot Entra ID anomalies," said one federal security architect who has tested the Quest tools. "Getting a purpose-built identity threat detection platform inside the boundary is a game-changer."
The authorization also triggers a ripple effect across the broader regulated sector. Defense contractors, financial services firms, and healthcare organizations that mirror FedRAMP controls often look to the FedRAMP Marketplace as a shortcut for their own third-party risk assessments. Quest can now provide these customers with a standard authorization package, potentially shortening procurement cycles by months.
A Closer Look at What Changed
FedRAMP High authorization demands more than a vulnerability scan. Service providers must prove continuous monitoring, robust incident response, and tight access controls—all of which are independently audited by a Third-Party Assessment Organization (3PAO). The process typically takes 18 to 24 months, even for SaaS vendors with mature security programs.
For the Azure Government offering, Quest built a dedicated management plane within the government's instance of Azure, segmented from the commercial cloud. This ensures that all metadata, telemetry, and customer configuration data stay within the continental United States, addressed by cleared U.S. personnel. The architecture also hooks into the Azure Government's native logging pipeline, allowing agencies to forward alerts to existing security information and event management (SIEM) tools without additional connectors.
Crucially, the Identity Defense engine now taps into Microsoft Graph API endpoints available only within the Azure Government sovereign cloud. In the past, some anomaly detection tools couldn't achieve full visibility into Entra ID audit logs hosted in government-only regions because the APIs weren't fully exposed to third parties. Quest worked closely with Microsoft's Azure Government engineering team to bring those endpoints online for this authorization.
The Real-World Impact for Federal IT Teams
For the CIO shop at a mid-sized federal agency, the operational benefits break down into three areas:
Faster incident response. Quest Identity Recovery's rollback capability can revert Active Directory objects, group memberships, or Group Policy modifications to a known-good state using snapshots taken at configurable intervals. In a ransomware scenario where an attacker has compromised a Domain Admin account and started mass-deleting objects, having that recovery tool within the authorized ecosystem means the agency can restore services without calling in a commercial incident response team that lacks the necessary clearance documentation.
Reduced compliance overhead. Because the FedRAMP authorization package includes the System Security Plan (SSP), agencies can inherit controls directly into their own ATO packages rather than performing their own full security assessments. The Shared Responsibility Matrix for Quest Identity Defense already maps to NIST SP 800-53 Rev. 5 controls, including those specific to identity management (e.g., IA-2, IA-5, AC-2).
Better visibility into hybrid attacks. Most federal agencies run a mix of on-premises Active Directory and Entra ID in hybrid sync. Attackers frequently exploit that bridge by compromising an on-premises account and then moving laterally to the cloud via pass-the-hash or Golden Ticket attacks. Quest's ITDR platform runs analytics across both environments, correlating signals that would look benign in isolation. One early adopter at a Department of Energy lab told reporters that the tool flagged a pass-the-cookie token replay that slipped past the lab's existing endpoint detection and response (EDR) tools.
How We Got Here: The Identity Threat Evolution
Quest's path to this authorization follows a longer arc of identity security maturation. Five years ago, identity threat detection and response was a niche category. Analysts at Gartner only formalized the ITDR term in 2022, and the market comprised mostly startups. Quest, a decades-old infrastructure management vendor, entered the space in 2024 through its acquisition of SpecterOps' identity attack path management technology and subsequent internal development. By 2025, Quest had a unified platform that could assess Active Directory and Entra ID attack paths, simulate Tier 0 compromise scenarios, and recommend remediation.
The move to FedRAMP High responded to a tangible demand spike. After the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 23-01 in early 2023, which required agencies to improve their logging and monitoring of identity systems, procurement officers began scanning the market for FedRAMP-authorized identity security tools. Until now, the pickings were slim: only one other ITDR vendor had achieved Moderate-level authorization, and none had reached High.
Simultaneously, Microsoft's push to Entra ID and its broader defense for Azure, including the rollout of Entra Permissions Management and Entra Workload ID, expanded the attack surface that agencies needed to protect. The Quest authorization reflects a pragmatic realization: even the most secure identity provider needs a third-party watchdog that can detect misconfigurations, over-permissioned service principals, and anomalous token usage—activities that might not trigger Microsoft's own security alerts.
What Organizations Should Do Now
If your agency or regulated business operates in Azure Government, start with these steps:
-
Check your ATO's dependency map. Identify where identity management controls are currently satisfied through inherited or system-specific implementations. Quest's FedRAMP package can replace custom-built controls for AU-2 (Audit Events), CA-7 (Continuous Monitoring), and IR-4 (Incident Handling) if you choose to inherit.
-
Run a gap analysis of your current identity threat detection. Most federal environments still rely on native log analytics—that is, querying Entra ID sign-in logs in Microsoft Sentinel or Splunk. Compare that approach against Quest's dedicated analytics that use behavior-based detection on top of the same logs. The difference often surfaces in detection of token replay, OAuth consent grant anomalies, and stale group memberships.
-
Engage your Microsoft account team. Quest Identity Defense is deployed alongside your existing Entra ID tenant, but you'll need to confirm that the required Microsoft Graph permissions (Directory.Read.All, AuditLog.Read.All, etc.) are compatible with your agency's conditional access policies. Microsoft has published a joint architecture guide with Quest for Azure Government deployments; request that document.
-
Plan for the deployment model. The service is SaaS, meaning no on-premises footprint. However, if you need the full hybrid ITDR experience that includes on-prem Active Directory, you'll deploy a lightweight sensor (a domain-joined VM) within your Azure Government virtual network. Quest's documentation includes a FedRAMP-compliant network diagram that keeps sensor communication within the Azure Government boundary.
-
Validate the rollback feature in a test environment. Quest Identity Recovery is potent—it can undo hours of change in seconds. That power demands careful testing. Federal customers are advised to run tabletop exercises with the tool against a replica domain controller to build muscle memory before a real incident.
For private-sector organizations that follow FedRAMP as a benchmark, the authorization provides a transferable assessment package. If you're pursuing CMMC Level 2 or higher, referencing an already-authorized identity security tool can shortcut your own assessment.
The Outlook
Quest's achievement may signal the start of a broader trend: purpose-built identity security tools moving from the commercial cloud into the government's highly regulated enclaves. Analysts expect other ITDR vendors to follow, but the 18-to-24-month authorization timeline means that Quest will enjoy a first-mover advantage well into 2028.
Microsoft, for its part, may increase its own investment in native identity protection within Azure Government—but for now, agencies get a choice. With nation-state attacks on federal identity systems showing no sign of slowing, that choice could not come soon enough.