Deploy Microsoft Defender for Identity with Microsoft Defender XDR

Article
12/08/2023

This article provides an overview of the full deployment process for Microsoft Defender for Identity, including steps for preparation, deployment, and extra steps for specific scenarios.

Defender for Identity is a primary component of a Zero Trust strategy and your identity threat detection and response (ITDR) or extended detection and response (XDR) deployment with Microsoft Defender XDR. Defender for Identity uses Active Directory signals to detect sudden account changes like privilege escalation or high-risk lateral movement, and reports on easily exploited identity issues like unconstrained Kerberos delegation, for correction by the security team.

For a quick set of deployment highlights, see Quick installation guide.

Prerequisites

Before you start, make sure that you have access to Microsoft Defender XDR at least as a Security administrator, and you have one of the following licenses:

Enterprise Mobility + Security E5 (EMS E5/A5)
Microsoft 365 E5 (Microsoft E5/A5/G5)
Microsoft 365 E5/A5/G5 Security
A standalone Defender for Identity license

Acquire licenses directly via the Microsoft 365 portal or use the Cloud Solution Partner (CSP) licensing model.

For more information, see Licensing and privacy FAQs and What are Defender for Identity roles and permissions?

Start using Microsoft Defender XDR

This section describes how to start onboarding to Defender for Identity.

Sign in to the Microsoft Defender portal.
From the navigation menu, select any item, such as Incidents & alerts, Hunting, Action center, or Threat analytics to initiate the onboarding process.

You'll then be given the option to deploy supported services, including Microsoft Defender for Identity. Cloud components required for Defender for Identity are automatically added when you open the Defender for Identity settings page.

For more information, see:

Important

Currently, Defender for Identity data centers are deployed in Europe, UK, North America/Central America/Caribbean, Australia East, and Asia. Your workspace (instance) is created automatically in the Azure region closest to the geographical location of your Microsoft Entra tenant. Once created, Defender for Identity workspaces aren't movable.

Plan and prepare

Use the following steps to prepare for deploying Defender for Identity:

Make sure that you have all prerequisites required.
Plan your Defender for Identity capacity.

Tip

We recommend running the Test-MdiReadiness.ps1 script to test and see if your environment has the necessary prerequisites.

Deploy Defender for Identity

After you've prepared your system, use the following steps to deploy Defender for Identity:

Verify connectivity to the Defender for Identity service.
Download the Defender for Identity sensor.
Install the Defender for Identity sensor.
Configure the Defender for Identity sensor to start receiving data.

Post-deployment configuration

The following procedures help you complete the deployment process:

Configure Windows event collection. For more information, see Event collection with Microsoft Defender for Identity and Configure audit policies for Windows event logs.
Enable and configure unified role-based access control (RBAC) for Defender for Identity.
Configure a Directory Service account (DSA) for use with Defender for Identity. While a DSA is optional in some scenarios, we recommend that you configure a DSA for Defender for Identity for full security coverage.
Configure remote calls to SAM as needed. While this step is optional, we recommend that you configure remote calls to SAM-R for lateral movement path detection with Defender for Identity.

Important

Installing a Defender for Identity sensor on an AD FS / AD CS server requires extra steps. For more information, see Configuring sensors for AD FS and AD CS.

Next step

Defender for Identity prerequisites »