For orgs that have integrated MCAS and Defender for Identity , what scenarios require Defender for Identity to be used monitor incidents instead of MCAS. My client is trying to simplify operations and would like to use as few portals as possible.
If the integration between MCAS and Defender for Identity is in place, then the Operations Team can monitor the incidents on just one portal (MCAS). MCAS will contain all the incidents from Defender for Identity.
However an analyst would need to go the DfI portal in case he need to drill down and investigate in depth on the events.
Better to go with Azure Sentinel as it can act as single pane of monitoring for incidents from all Microsoft Security Solutions.