Microsoft Defender for Identity – Install and Configure Sensors (Azure ATP Sensors)

I will cut to the chase. MDI, or Microsoft Defender for Identity, is a great tool for identifying identity threats in the on-premises AD environment. Once the sensor is set up, you can monitor the behaviour and configure the service so that bad actors aren't able to compromise your environment. In this article, I will demonstrate how to install and configure the sensors so that you receive the threat signals.

figure from Microsoft Docs

Licensing Requirement

To enable this feature, you need a license for both Defender for Identity and Defender for Endpoint.

Acquire a license for Enterprise Mobility + Security E5 (EMS E5/A5), Microsoft 365 E5 (M365 E5/A5/G5) or Microsoft 365 E5/A5/G5 Security directly via the Microsoft 365 portal or use the Cloud Solution Partner (CSP) licensing model. Standalone Defender for Identity licenses are also available.

RBAC Requirement

To set up the sensors and for further work, you should have the Global Administrator or Security Administrator role assigned.

Server Requirement

Please refer to this URL for all requirements for both Domain Controller and standalone servers:

https://docs.microsoft.com/en-us/defender-for-identity/prerequisites#defender-for-identity-sensor-requirements

Integrate the MDI with MDE (Microsoft Defender for Identity with Microsoft Defender for Endpoint)

As you may know, MDI monitors the traffic in and out of the Domain Controllers, but for a complete solution that can take the next steps when something is not right on the DC, you need MDE to provide all the threat remediation goodness. To make this happen, MDI and MDE must talk to each other. Let's see how this can be configured.

Configure the old Azure ATP portal

  • Login to the Azure ATP portal https://tenant_name.atp.azure.com/ (eg: https://contoso.atp.azure.com/)
  • Go to Configuration
  • Go to Microsoft Defender for Endpoint and switch on the option Integration with Microsoft Defender for Endpoint
  • Press Save

Configure the Defender Security portal

  • Go to https://security.microsoft.com
  • Go to Settings > Endpoints > Advanced Features
  • Switch on the option Microsoft Defender for Identity Integration

With this in place, MDI will start talking to MDE and will send its threat analytics data for further action.

Installing the Sensor

Now that the groundwork is done, we can start installing the sensor. There are two methods of installing the MDI sensor.

You can either install the sensor directly on the DC, which is more reliable, or install the sensor on a standalone server and let it talk to the DC to get the signals.

A few prerequisites first

  • Make sure Microsoft .NET Framework 4.7 or later is installed on the machine. If Microsoft .NET Framework 4.7 or later isn't installed, the Defender for Identity sensor setup package installs it, which may require a reboot of the server.
  • Verify that the servers you intend to install Defender for Identity sensors on are able to reach the Defender for Identity Cloud Service. They should be able to access https://<your-instance-name>sensorapi.atp.azure.com (port 443). For example, https://contoso-corpsensorapi.atp.azure.com.

Defender for Identity Network Name Resolution (NNR) requirements

Below is taken straight from the Microsoft documentation:

Network Name Resolution (NNR) is a main component of Defender for Identity functionality. To resolve IP addresses to computer names, Defender for Identity sensors look up the IP addresses using the following methods:

  • NTLM over RPC (TCP Port 135)
  • NetBIOS (UDP port 137)
  • RDP (TCP port 3389) – only the first packet of Client hello
  • Queries the DNS server using reverse DNS lookup of the IP address (UDP 53)

For the first three methods to work, the relevant ports must be opened inbound from the Defender for Identity sensors to devices on the network. To learn more about Defender for Identity and NNR, see Defender for Identity NNR policy.

For the best results, we recommend using all of the methods. If this isn’t possible, you should use the DNS lookup method and at least one of the other methods.
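The following PowerShell script is an added example (not from the original post) that checks the two prerequisites above and the NNR reachability from the prospective sensor host: the .NET Framework version, TCP 443 to the sensor API endpoint, and RPC/RDP/reverse-DNS resolution against sample devices. The instance name `contoso-corp` and the target `fs01.contoso.local` are placeholders; NetBIOS (UDP 137) is not probed because Test-NetConnection only tests TCP.

```powershell
# Added example: MDI sensor readiness check. Run on the DC or standalone server before installing the sensor.
param(
    [string]$InstanceName = 'contoso-corp',            # placeholder MDI instance name
    [string[]]$SampleTargets = @('fs01.contoso.local') # placeholder devices the sensor must resolve via NNR
)

$results = @()

# 1. .NET Framework 4.7 or later. The 'Release' value 460798 corresponds to 4.7; lower means the installer
#    will add it, which may trigger a reboot.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$detail = if ($ndp) { "Release=$($ndp.Release)" } else { 'v4 Full registry key missing' }
$results += [pscustomobject]@{ Check = '.NET Framework >= 4.7'; Result = ($null -ne $ndp -and $ndp.Release -ge 460798); Detail = $detail }

# 2. Outbound HTTPS (TCP 443) to the Defender for Identity cloud service endpoint.
$sensorApi = "${InstanceName}sensorapi.atp.azure.com"
$tnc = Test-NetConnection -ComputerName $sensorApi -Port 443 -WarningAction SilentlyContinue
$results += [pscustomobject]@{ Check = "TCP 443 to $sensorApi"; Result = $tnc.TcpTestSucceeded; Detail = "RemoteAddress=$($tnc.RemoteAddress)" }

# 3. NNR methods from this host to sample devices: NTLM over RPC (TCP 135), RDP (TCP 3389), reverse DNS (PTR).
foreach ($target in $SampleTargets) {
    foreach ($port in 135, 3389) {
        $t = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue
        $results += [pscustomobject]@{ Check = "NNR TCP $port to $target"; Result = $t.TcpTestSucceeded; Detail = "RemoteAddress=$($t.RemoteAddress)" }
    }
    # Reverse lookup: resolve the A record first, then ask for the PTR record of that IP (UDP 53).
    $ip  = (Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue | Select-Object -First 1).IPAddress
    $ptr = if ($ip) { Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue } else { $null }
    $detail = if ($ptr) { "PTR=$($ptr.NameHost)" } else { 'no PTR record / DNS unreachable' }
    $results += [pscustomobject]@{ Check = "NNR reverse DNS for $target"; Result = ($null -ne $ptr); Detail = $detail }
}

$results | Format-Table -AutoSize

# Microsoft's guidance: DNS lookup plus at least one other NNR method must work; flag hosts that fall short.
$dnsOk   = ($results | Where-Object { $_.Check -like 'NNR reverse DNS*' -and $_.Result }).Count -gt 0
$otherOk = ($results | Where-Object { $_.Check -like 'NNR TCP*' -and $_.Result }).Count -gt 0
if (-not ($dnsOk -and $otherOk)) { Write-Warning 'NNR requirement not met: need reverse DNS plus at least one of RPC/RDP/NetBIOS.' }
```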

Steps to install the sensor

The sensor installation will look like below

Go to your standalone server or to the Domain Controller, run the setup package you downloaded, and enter the Access Key copied earlier when prompted.

The service will register in the server as below.

Once the sensor is installed, the server will appear in the MDI console.

If you click on it, you will see more details about that instance.

Setup – Directory Services Accounts

This is required because the sensor installed on the local AD server reads the directory via this account.

It is best to make this account an AD read-only account. A standard user account must be used.
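As an added example (not from the original post), the PowerShell below creates a Directory Services Account with plain domain-user rights and then audits its group membership, so the account really is read-only and not accidentally privileged. The account name `svc-mdi-dsa`, the OU path and the privileged-group list are placeholders/assumptions to adjust for your domain.

```powershell
# Added example: create a least-privilege DSA for the MDI sensor and verify it holds no privileged membership.
Import-Module ActiveDirectory

$dsaName = 'svc-mdi-dsa'                              # placeholder account name
$ouPath  = 'OU=ServiceAccounts,DC=contoso,DC=local'   # placeholder OU for service accounts

# Prompt for the password so it is never stored in the script or shell history; enter the same value in the MDI portal.
$secure = Read-Host -Prompt "Password for $dsaName" -AsSecureString

New-ADUser -Name $dsaName -SamAccountName $dsaName -Path $ouPath `
    -AccountPassword $secure -Enabled $true `
    -Description 'MDI sensor Directory Services Account (read-only)'

# A DSA only needs default domain-user read access to the directory, so membership in any of these groups is a finding.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators', 'Backup Operators'

$groups     = Get-ADPrincipalGroupMembership -Identity $dsaName | Select-Object -ExpandProperty Name
$violations = $groups | Where-Object { $privileged -contains $_ }

if ($violations) {
    Write-Warning "DSA '$dsaName' is a member of privileged group(s): $($violations -join ', '). Remove it before using the account in MDI."
} else {
    Write-Output "DSA '$dsaName' created with standard user rights only. Groups: $($groups -join ', ')"
}
```

Re-run the audit part periodically; an account that is read-only today can be added to a privileged group later, which would turn a sensor credential into a high-value target.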

These are the basic steps of how to install the MDI sensor on to the Domain Controllers to start monitoring the traffic in and out of the server.

Setup – Manage Action Accounts

This account is used for actions the sensor can perform, such as disabling user accounts or resetting passwords, either manually or automatically.

For more reading, please refer to the link below:

https://docs.microsoft.com/en-us/defender-for-identity/what-is

In the next article on Microsoft Defender for Identity, I will drill down further in to the capabilities of the service and will showcase how you can effectively manage your Identity infrastructure.
