I will cut to the chase. MDI, or Microsoft Defender for Identity, is a great tool for identifying identity threats in the on-premises AD environment. Once the sensor is set up, you can monitor for suspicious behaviour and configure the service so that bad actors aren’t able to compromise your environment. In this post, I will demonstrate how to install and configure the sensors so that you start receiving the threat signals.
To enable this feature, you need a license for both Defender for Identity and Defender for Endpoint.
Acquire a license for Enterprise Mobility + Security E5 (EMS E5/A5), Microsoft 365 E5 (M365 E5/A5/G5) or Microsoft 365 E5/A5/G5 Security directly via the Microsoft 365 portal or use the Cloud Solution Partner (CSP) licensing model. Standalone Defender for Identity licenses are also available.
To set up the sensors and carry out the steps that follow, you need the Global Administrator or Security Administrator role assigned.
Please refer to this URL for all requirements for both Domain Controller and standalone servers.
Integrate the MDI with MDE (Microsoft Defender for Identity with Microsoft Defender for Endpoint)
As you may know, MDI monitors the traffic in and out of the Domain Controllers, but to take the next step when something is not right on a DC, you need MDE to provide the threat remediation capabilities. To make this happen, MDI and MDE must talk to each other. Let’s see how this is configured.
Configure the old Azure ATP portal
- Log in to the Azure ATP portal https://tenant_name.atp.azure.com/ (eg: https://contoso.atp.azure.com/)
- Go to Configuration
- Go to Microsoft Defender for Endpoint and switch on the option Integration with Microsoft Defender for Endpoint
- Press Save
Configure the Defender Security portal
- Go to https://security.microsoft.com
- Go to Settings > Endpoints > Advanced Features
- Switch on the option Microsoft Defender for Identity Integration
With this done, MDI will start talking to MDE and will send its threat analytics data across for further action.
Installing the Sensor
Now that the groundwork is done, we can start installing the sensor. There are two methods of installing the MDI sensor.
You can either install the sensor directly on the DC, which is much more reliable, or install the sensor on a standalone server and let it talk to the DC to collect the signals from there.
A few prerequisites first
- Make sure Microsoft .NET Framework 4.7 or later is installed on the machine. If Microsoft .NET Framework 4.7 or later isn’t installed, the Defender for Identity sensor setup package installs it, which may require a reboot of the server.
- Verify that the servers you intend to install Defender for Identity sensors on are able to reach the Defender for Identity Cloud Service. They should be able to access https://your-instance-namesensorapi.atp.azure.com (port 443). For example, https://contoso-corpsensorapi.atp.azure.com.
Defender for Identity Network Name Resolution (NNR) requirements
The following is taken straight from the Microsoft documentation:
Network Name Resolution (NNR) is a main component of Defender for Identity functionality. To resolve IP addresses to computer names, Defender for Identity sensors look up the IP addresses using the following methods:
- NTLM over RPC (TCP Port 135)
- NetBIOS (UDP port 137)
- RDP (TCP port 3389) – only the first packet of Client hello
- Queries the DNS server using reverse DNS lookup of the IP address (UDP 53)
For the first three methods to work, the relevant ports must be opened inbound from the Defender for Identity sensors to devices on the network. To learn more about Defender for Identity and NNR, see Defender for Identity NNR policy.
For the best results, we recommend using all of the methods. If this isn’t possible, you should use the DNS lookup method and at least one of the other methods.
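The prerequisites above (.NET Framework 4.7 or later, outbound reach to the sensor API endpoint, and the four NNR methods) can be checked from the prospective sensor host before you run the installer. The following PowerShell is an added example, not code from the original post or from Microsoft; `$InstanceName` and `$SampleDevice` are placeholders for your own instance name and a device IP the sensor will need to resolve.

```powershell
# Added example, not from the original post: pre-install readiness check for a prospective MDI sensor host.
# Assumptions: $InstanceName and $SampleDevice are placeholders for your own instance name and a device IP.
param(
    [string]$InstanceName = 'contoso-corp',   # placeholder: your Defender for Identity instance name
    [string]$SampleDevice = '10.0.0.25'       # placeholder (constructed): IP of a device the sensor must resolve
)

$results = [ordered]@{}

# 1. .NET Framework 4.7 or later. The Release value under the NDP key is 460798 or higher for 4.7+.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET Framework 4.7+'] = ($null -ne $ndp -and $ndp.Release -ge 460798)

# 2. Outbound TCP 443 to the Defender for Identity cloud service (<instance-name>sensorapi.atp.azure.com)
$sensorApi = "${InstanceName}sensorapi.atp.azure.com"
$results["TCP 443 -> $sensorApi"] = Test-NetConnection -ComputerName $sensorApi -Port 443 `
    -InformationLevel Quiet -WarningAction SilentlyContinue

# 3. NNR methods the sensor uses to turn IPs into names. The TCP-based ones can be probed directly.
foreach ($port in 135, 3389) {   # RPC and RDP
    $results["TCP $port -> $SampleDevice"] = Test-NetConnection -ComputerName $SampleDevice -Port $port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
}

# NetBIOS runs over UDP 137, which Test-NetConnection cannot probe; nbtstat -A sends the same
# node-status query the sensor relies on and prints 'Host not found.' when nothing answers.
$nbt = & nbtstat.exe -A $SampleDevice 2>&1 | Out-String
$results["UDP 137 (NetBIOS) -> $SampleDevice"] = ($nbt -notmatch 'Host not found')

# Reverse DNS lookup (UDP 53): the one method that should always be in place.
$ptr = Resolve-DnsName -Name $SampleDevice -Type PTR -ErrorAction SilentlyContinue
$results["PTR lookup of $SampleDevice"] = [bool]($ptr -and $ptr.NameHost)

# Summarise. Per the guidance above, DNS plus at least one other method must work for NNR to function.
$results.GetEnumerator() | ForEach-Object {
    '{0,-6} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
$otherOk = @($results.Keys | Where-Object { $_ -match '^(TCP (135|3389)|UDP 137)' } | Where-Object { $results[$_] })
if (-not $results["PTR lookup of $SampleDevice"] -or $otherOk.Count -eq 0) {
    Write-Warning 'NNR will be degraded: reverse DNS plus at least one of RPC, NetBIOS or RDP is required'
}
```

Run it on each server you plan to install a sensor on, against a few representative workstation and server IPs, since a FAIL on the NNR rows usually means a host firewall rule rather than a sensor problem.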
Steps to install the sensor
- Go to https://security.microsoft.com/settings/identities
- Under General, go to Sensors and click Add Sensor
- Download the installer and keep a note of the Access Key
The sensor installation will look like below
Go to your standalone server or the Domain Controller, run the setup you downloaded, and enter the Access Key copied earlier when prompted.
The service will register on the server as shown below.
Once the sensor is installed, the server will appear in the MDI console.
Further, if you click on it, you will see more details about that instance.
Setup – Directory Services Accounts
This is required because the sensor service installed on the local AD server accesses the directory via this account.
It is best to make this an AD read-only account. A standard username must be used.
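As an added example (not the post’s own code), the following PowerShell creates the Directory Services Account as a plain domain user with a random password and then verifies that it has not picked up any privileged group membership; the account name `svc-mdi-dsa` and the OU path are placeholders for your own naming and OU layout.

```powershell
# Added example, not from the original post: create a least-privilege Directory Services Account
# and confirm it is a standard user with no privileged group membership.
# Assumptions: $Name and $OuPath are placeholders; requires the ActiveDirectory module and rights to create users.
Import-Module ActiveDirectory

$Name   = 'svc-mdi-dsa'                                   # placeholder account name
$OuPath = 'OU=Service Accounts,DC=contoso,DC=com'         # placeholder OU
$Domain = (Get-ADDomain).DNSRoot

# Long random password from the OS CSPRNG; the account only needs to read, so nothing below grants rights
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$Password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

New-ADUser -Name $Name -SamAccountName $Name -UserPrincipalName "$Name@$Domain" `
    -Path $OuPath -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $false -CannotChangePassword $false `
    -Description 'Defender for Identity Directory Services Account (read-only)'

# A read-only DSA must never sit in these groups; Domain Users should be its only membership
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
$membership = Get-ADPrincipalGroupMembership -Identity $Name | Select-Object -ExpandProperty Name
$violations = @($membership | Where-Object { $privileged -contains $_ })

if ($violations.Count -gt 0) {
    Write-Warning "DSA '$Name' is in privileged group(s): $($violations -join ', '); remove it before use"
} else {
    Write-Output "DSA '$Name' created; group membership: $($membership -join ', ')"
}
```

Re-run the membership check periodically, since the risk with a service account is not how it was created but what it is quietly added to later.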
These are the basic steps for installing the MDI sensor on the Domain Controllers so that it starts monitoring the traffic in and out of the server.
Setup – Manage Action Accounts
This account is used for actions the sensor can perform, such as disabling user accounts or resetting passwords, whether those actions are triggered manually or automatically.
For more reading, please refer below
In the next article on Microsoft Defender for Identity, I will drill down further into the capabilities of the service and showcase how you can effectively manage your identity infrastructure.