Microsoft Defender for Identity mapping for potential lateral movement paths relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity Directory Service account you configured.