Microsoft Defender for Identity prerequisites

This article describes the requirements for a successful Microsoft Defender for Identity deployment.

Licensing requirements

Deploying Defender for Identity requires one of the following Microsoft 365 licenses:

  • Enterprise Mobility + Security E5 (EMS E5/A5)
  • Microsoft 365 E5 (Microsoft E5/A5/G5)
  • Microsoft 365 E5/A5/G5 Security
  • A standalone Defender for Identity license

Acquire licenses directly via the Microsoft 365 portal or use the Cloud Solution Partner (CSP) licensing model.

For more information, see Licensing and privacy FAQs.

Required permissions

Connectivity requirements

The Defender for Identity sensor must be able to communicate with the Defender for Identity cloud service, using one of the following methods:

Method Description Considerations Learn more
Set up a proxy Customers who have a forward proxy deployed can take advantage of the proxy to provide connectivity to the MDI cloud service.

If you choose this option, you'll configure your proxy later in the deployment process.
Allows access to the internet for a single URL

SSL inspection isn't supported
Configure endpoint proxy and internet connectivity settings

Run a silent installation with a proxy configuration
ExpressRoute ExpressRoute can be configured to forward MDI sensor traffic over customer’s express route.

To route network traffic destined to the Defender for Identity cloud servers use ExpressRoute Microsoft peering and add the Microsoft Defender for Identity (12076:5220) service BGP community to your route filter.
Requires ExpressRoute Service to BGP community value
Firewall, using the Defender for Identity Azure IP addresses Customers who don’t have a proxy or ExpressRoute can configure their firewall with the IP addresses assigned to the MDI cloud service. This requires that the customer monitor the Azure IP address list for any changes in the IP addresses used by the MDI cloud service.

If you chose this option, we recommend that you download the Azure IP Ranges and Service Tags – Public Cloud file and use the AzureAdvancedThreatProtection service tag to add the relevant IP addresses.
Customer must monitor Azure IP assignments Virtual network service tags

For more information, see Microsoft Defender for Identity architecture.

Sensor requirements and recommendations

The following table summarizes requirements and recommendations for the domain controller, AD FS, or AD CS server where you'll install the Defender for Identity sensor.

Prerequisite / Recommendation Description
Specifications Make sure to install Defender for Identity on Windows version 2016 or higher, on a domain controller server with a minimum of:

- 2 cores
- 6 GB of RAM
- 6 GB of disk space required, 10 GB recommended, including space for Defender for Identity binaries and logs

Defender for Identity supports read-only domain controllers (RODC).
Performance For optimal performance, set the Power Option of the machine running the Defender for Identity sensor to High Performance.
Maintenance window We recommend scheduling a maintenance window for your domain controllers, as a restart might be required if the installation runs and a restart is already pending, or if .NET Framework needs to be installed.

If .NET Framework version 4.7 or later isn't already found on the system, .NET Framework version 4.7 is installed, and may require a restart.

Minimum operating system requirements

Defender for Identity sensors can be installed on the following operating systems:

  • Windows Server 2016
  • Windows Server 2019. Requires KB4487044 or a newer cumulative update. Sensors installed on Server 2019 without this update will be automatically stopped if the ntdsai.dll file version found in the system directory is older than 10.0.17763.316
  • Windows Server 2022

For all operating systems:

  • Both servers with desktop experience and server cores are supported.
  • Nano servers are not supported.
  • Installations are supported for domain controllers, AD FS, and AD CS servers.

Legacy operating systems

Windows Server 2012 and Windows Server 2012 R2 reached extended end of support on October 10, 2023.

We recommend that you plan to upgrade those servers as Microsoft no longer supports the Defender for Identity sensor on devices running Windows Server 2012 and Windows Server 2012 R2.

Sensors running on these operating systems will continue to report to Defender for Identity and even receive the sensor updates, but some of the new functionalities will not be available as they might rely on operating system capabilities.

Required ports

Protocol Transport Port From To
Internet ports
SSL (*.atp.azure.com)

Alternately, configure access through a proxy.
TCP 443 Defender for Identity sensor Defender for Identity cloud service
Internal ports
DNS TCP and UDP 53 Defender for Identity sensor DNS Servers
Netlogon
(SMB, CIFS, SAM-R)
TCP/UDP 445 Defender for Identity sensor All devices on the network
RADIUS UDP 1813 RADIUS Defender for Identity sensor
Localhost ports: Required for the sensor service updater

By default, localhost to localhost traffic is allowed unless a custom firewall policy blocks it.
SSL TCP 444 Sensor service Sensor updater service
Network Name Resolution (NNR) ports

To resolve IP addresses to computer names, we recommend opening all ports listed. However, only one port is required.
NTLM over RPC TCP Port 135 Defender for Identity sensor All devices on network
NetBIOS UDP 137 Defender for Identity sensor All devices on network
RDP

Only the first packet of Client hello queries the DNS server using reverse DNS lookup of the IP address (UDP 53)
TCP 3389 Defender for Identity sensor All devices on network

If you're working with multiple forests, make sure that the following ports are opened on any machine where a Defender for Identity sensor is installed:

Protocol Transport Port To/From Direction
Internet ports
SSL (*.atp.azure.com) TCP 443 Defender for Identity cloud service Outbound
Internal ports
LDAP TCP and UDP 389 Domain controllers Outbound
Secure LDAP (LDAPS) TCP 636 Domain controllers Outbound
LDAP to Global Catalog TCP 3268 Domain controllers Outbound
LDAPS to Global Catalog TCP 3269 Domain controllers Outbound

Dynamic memory requirements

The following table describes memory requirements on the server used for the Defender for Identity sensor, depending on the type of virtualization you're using:

VM running on Description
Hyper-V Ensure that Enable Dynamic Memory isn't enabled for the VM.
VMware Ensure that the amount of memory configured and the reserved memory are the same, or select the Reserve all guest memory (All locked) option in the VM settings.
Other virtualization host Refer to the vendor supplied documentation on how to ensure that memory is fully allocated to the VM at all times.

Important

When running as a virtual machine, all memory must be allocated to the virtual machine at all times.

Time synchronization

The servers and domain controllers onto which the sensor is installed must have time synchronized to within five minutes of each other.

Test your prerequisites

We recommend running the Test-MdiReadiness.ps1 script to test and see if your environment has the necessary prerequisites.

The link to the Test-MdiReadiness.ps1 script is also available from Microsoft Defender XDR, on the Identities > Tools page (Preview).

This article lists prerequisites required for a basic installation. Additional prerequisites are required when installing on an AD FS / AD CS server, to support multiple Active Directory forests, or when you're installing a standalone Defender for Identity sensor.

For more information, see:

Next step