Defender for Identity

Microsoft Defender for Identity lets you monitor your Azure Active Directory and on-premises Active Directory infrastructure and analyse the collected data for signs of attack. A Defender for Identity sensor is installed on domain controllers or AD FS servers, where it reads the event logs of those servers. The sensor analyses the logs and network traffic locally and sends only the information Microsoft Defender for Identity needs to the Defender for Identity cloud service.

Defender for Identity components

The Defender for Identity portal displays the data received from the sensors and lets you monitor, manage and investigate threats. The Defender for Identity sensor monitors domain controller traffic directly; it does not require a dedicated server or port-mirroring configuration. On an AD FS server, the sensor monitors network traffic and authentication events. The Defender for Identity cloud service runs on Azure infrastructure and is deployed in the US, Europe and Asia regions.

The sensor automatically reads the following Windows events:

  • 4776
  • 4732
  • 4733
  • 4728
  • 4729
  • 4756
  • 4757
  • 7045
  • 8004


Microsoft Defender for Identity requires an Enterprise Mobility + Security E5 (EMS E5), Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Security or standalone Microsoft Defender for Identity licence.

If your server uses a proxy server to reach the Internet, use this link to configure Microsoft Defender for Identity for the proxy.

If your server is configured with a NIC Teaming adapter, an error appears during installation. Use this link to install the sensor with a NIC Teaming adapter.

The Defender for Identity portal requires a browser that supports TLS 1.2, such as Microsoft Edge, Internet Explorer 11 or Google Chrome 30.0. To communicate with the Defender for Identity cloud service, the following URLs must be allowed through the firewall/proxy.

  • *

The Microsoft Defender for Identity sensor can be installed on a domain controller or an RODC (Read Only Domain Controller). If .NET Framework 4.7 is not installed on the server, setup installs it, which might require a reboot of the server.

The sensor requires two cores and 6 GB of RAM on the domain controller. Be careful! If your domain controller runs Windows Server 2008 R2 with Broadcom Network Adapter Teaming enabled, installing the sensor on that domain controller is not supported.

Create ATP instance

To create an ATP instance, the user must have a Microsoft Defender for Identity licence (Microsoft 365 E5 or EMS E5). Go to the Microsoft Defender for Identity portal, sign in with a global administrator or security administrator account and click on Create.

Defender for Identity - Create Microsoft Defender for Identity instance

The Microsoft Defender for Identity instance has been created.

Defender for Identity - Instance of Microsoft Defender for Identity has been created

Configure Microsoft Defender for Identity

Click on Provide a username and password, then on Add credentials. My user account does not have administrative rights. This credential is used to connect to your Active Directory forest.

Defender for Identity - Configure Active Directory credential

You can now download the sensor and install it on your domain controller.

Download Microsoft Defender sensor

Click on Download Sensor Setup. Download the file with the Download button and copy the Access Key.

Download Sensor Setup and copy Access Key

Run Azure ATP Sensor Setup on your domain controller.

Launch Microsoft Identity setup

A wizard appears; select the desired language and click on Next.

Select the setup language

If a known issue is detected, a link appears; click on it to resolve the problem. Click on Next once the problem is fixed.

Sensor deployment type

Paste the Access Key and click on Install.

Install Defender for Identity sensor

Click on Finish when the installation is complete. The sensor appears in the configuration.

The sensor appears in the console

Manually tagging entities

If you have sensitive accounts or sensitive groups (CIO, CTO, etc.), you can mark them as sensitive so that Defender for Identity treats them accordingly. I will add my service accounts as sensitive.

From the Defender for Identity portal, click on Configuration.

Open Configuration tab

Click on Entity tags, then add the desired accounts or groups under Sensitive accounts or Sensitive groups.

Add account and groups

Click on Save. Reporting can take up to 30 days.

Configure SAM-R permissions

To allow Windows clients and servers to perform SAM-R calls, a group policy must be modified. The group policy must be applied to all computers except domain controllers. From Group Policy Management, right-click on Group Policy Objects and click on New.

Create new group policy

Enter the desired name and click on OK.

Enter the name of the GPO

Edit the group policy and expand the following nodes:

Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options

Open parameter

Open the Network access: Restrict clients allowed to make remote calls to SAM parameter.

Configure parameter

Tick Define this policy setting and click on Edit Security.

Configure parameter

Click on the Add button.

Click on Add button

Enter the user account used for Directory Services.

Configure SAMR

Link the GPO to all computers and servers except domain controllers.
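Once the GPO has applied, you can check on a member computer that the Directory Services account really has the right to make remote SAM calls. The following PowerShell script is an added example, not part of the original post: it reads the SDDL string that the "Restrict clients allowed to make remote calls to SAM" setting stores in the RestrictRemoteSAM value under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa (location per Microsoft's security policy reference, not this post) and verifies that the account's SID is among the allowed trustees. The account name CONTOSO\svc-mdi is a placeholder for the account you entered in the portal.

```powershell
# Added example, not part of the original post: on a member computer, verify that
# the "Network access: Restrict clients allowed to make remote calls to SAM" GPO
# grants remote SAM access to the Defender for Identity directory services account.
# The policy is stored as an SDDL string in the RestrictRemoteSAM value under
# HKLM:\SYSTEM\CurrentControlSet\Control\Lsa (per Microsoft's policy reference,
# not this post). Replace the placeholder account below with your own.
$ServiceAccount = 'CONTOSO\svc-mdi'   # placeholder: the account entered in the portal

# Resolve the account to its SID, because the SDDL references accounts by SID.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name 'RestrictRemoteSAM' -ErrorAction SilentlyContinue

if (-not $lsa) {
    Write-Output 'RestrictRemoteSAM is not set: the GPO has not applied here (or this is a DC).'
    return
}

$sddl = $lsa.RestrictRemoteSAM
Write-Output "Current SDDL: $sddl"

# Each allow ACE looks like (A;;RC;;;<SID or alias>); RC (READ_CONTROL) is the
# right needed for remote SAM calls. Collect the trustees of the allow ACEs.
$allowed = [regex]::Matches($sddl, '\(A;;RC;;;([^)]+)\)') |
           ForEach-Object { $_.Groups[1].Value }

if ($allowed -contains $sid) {
    Write-Output "OK: $ServiceAccount ($sid) is allowed to make remote SAM calls."
} else {
    Write-Output "MISSING: $ServiceAccount ($sid) is not in the allow list. Trustees found: $($allowed -join ', ')"
}
```

The default value written by the Edit Security dialog also contains the alias BA (local Administrators), which is why the script keeps the full trustee list in its output instead of expecting the service account to be the only entry.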

Configure Group policy for SAMR

Configure Audit Parameter policy

Audit parameters must be configured for domain controllers. From Group Policy Management, create a new Group Policy. Expand Computer Configuration, Policies, Windows Settings, then Security Settings.

Configure Audit

Expand Advanced Audit Policy Configuration then Audit Policies.

Configure Audit parameter

Configure the following parameters:

  • Account Logon – Audit Credential Validation: Success and Failure
  • Account Management – Audit Computer Account Management: Success and Failure
  • Account Management – Audit Distribution Group Management: Success and Failure
  • Account Management – Audit User Account Management: Success and Failure
  • System – Audit Security System Extension: Success and Failure

Configure Audit Parameter

From Local Policies, select Security Options.

Configure Audit parameter

Double-click on the Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers parameter and select Audit all.

Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers

Double-click on the Network security: Restrict NTLM: Audit Incoming NTLM Traffic parameter and select Enable auditing for all accounts.

Network security: Restrict NTLM: Audit Incoming NTLM Traffic

Link the Group Policy to the Domain Controllers OU and restart the domain controller.
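After the restart (or a gpupdate /force), the audit subcategories and the two Restrict NTLM settings from this section can be verified on the domain controller rather than assumed. The following PowerShell script is an added example, not part of the original post: it reads the effective audit policy with auditpol in CSV mode and compares each subcategory listed above with the expected "Success and Failure", then reads the two NTLM settings from their registry values under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 (value names and their numeric meanings are taken from Microsoft's security policy reference, not from this post).

```powershell
# Added example, not part of the original post: run on a domain controller after
# the GPO has applied to confirm the audit subcategories and the two Restrict NTLM
# settings from this post are in effect. Registry value names and meanings come
# from Microsoft's security policy reference, not from this post.

# Subcategories listed in the post, all expected as "Success and Failure".
$RequiredSubcategories = @(
    'Credential Validation'
    'Computer Account Management'
    'Distribution Group Management'
    'User Account Management'
    'Security System Extension'
)

# auditpol /r prints CSV; ConvertFrom-Csv turns it into objects with a
# "Subcategory" and an "Inclusion Setting" column.
$policy = auditpol /get /category:* /r | ConvertFrom-Csv

foreach ($name in $RequiredSubcategories) {
    $row = $policy | Where-Object { $_.Subcategory -eq $name }
    $setting = if ($row) { $row.'Inclusion Setting' } else { '(not found)' }
    [pscustomobject]@{
        Check    = "Audit $name"
        Expected = 'Success and Failure'
        Actual   = $setting
        Status   = if ($setting -eq 'Success and Failure') { 'OK' } else { 'FIX' }
    }
}

# Both "Restrict NTLM" settings live under the MSV1_0 key.
$ntlm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
                         -ErrorAction SilentlyContinue

# RestrictSendingNTLMTraffic: 0 = Allow all, 1 = Audit all, 2 = Deny all.
# AuditReceivingNTLMTraffic: 0 = Disable, 1 = domain accounts only, 2 = all accounts.
$NtlmChecks = @(
    @{ Name = 'RestrictSendingNTLMTraffic'; Expected = 1
       Meaning = 'Outgoing NTLM traffic to remote servers = Audit all' }
    @{ Name = 'AuditReceivingNTLMTraffic';  Expected = 2
       Meaning = 'Audit Incoming NTLM Traffic = Enable auditing for all accounts' }
)

foreach ($n in $NtlmChecks) {
    # A missing value means the setting is "Not Defined" and the default applies.
    $actual = if ($ntlm -and $null -ne $ntlm.($n.Name)) { $ntlm.($n.Name) } else { '(not set)' }
    [pscustomobject]@{
        Check    = $n.Meaning
        Expected = $n.Expected
        Actual   = $actual
        Status   = if ($actual -eq $n.Expected) { 'OK' } else { 'FIX' }
    }
}
```

Any row marked FIX means the setting has not reached the domain controller yet (wrong OU link, precedence of another GPO, or the GPO simply not refreshed), and until it is fixed the corresponding events the sensor depends on, in particular the NTLM 8004 audit events, will not be generated.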
