Defender for Identity uses sensors to collect signals from your on-premises identity infrastructure to detect threats.
Defender for Identity detects threats like privilege escalation or high-risk lateral movement, and reports on easily exploited identity issues like unconstrained Kerberos delegation for correction by the security team.
Install Defender for Identity sensors on all domain controllers, including read-only domain controllers (RODCs). If you have AD FS, AD CS, or Microsoft Entra Connect servers in your environment that aren't domain controllers, install the v2.x sensor on each of those servers as well.
Select your deployment method
The sensor version you deploy depends on the server role and operating system. Use the following table to select the appropriate deployment for each server in your environment.
| Server configuration | Server Operating System | Recommended deployment |
|---|---|---|
| Domain controller | Windows Server 2019 or later with at least the March 2026 Cumulative Update | Defender for Identity sensor v3.x |
| Domain controller with AD FS, AD CS, or Microsoft Entra Connect identity roles | Windows Server 2019 or later with at least the March 2026 Cumulative Update | Defender for Identity sensor v3.x |
| Domain controller | Windows Server 2016 or later | Defender for Identity sensor v2.x |
| AD FS server that isn't a domain controller | Windows Server 2016 or later | Defender for Identity sensor v2.x |
| AD CS server that isn't a domain controller | Windows Server 2016 or later | Defender for Identity sensor v2.x |
| Microsoft Entra Connect server that isn't a domain controller | Windows Server 2016 or later | Defender for Identity sensor v2.x |
Defender for Identity supports mixed environments with both v3.x and v2.x sensors. For example, you might deploy v3.x on domain controllers running Windows Server 2019 or later, and v2.x on older domain controllers or on AD FS, AD CS, and Microsoft Entra Connect servers that aren't domain controllers. Both sensor versions work together and report to the same Defender for Identity workspace.
Before you activate the Defender for Identity sensor v3.x, note that v3.x:
- Requires Defender for Endpoint on the server. Deploying the Defender for Endpoint agent alone doesn't satisfy this prerequisite; the server where the sensor runs must be onboarded to Defender for Endpoint.
- Doesn't support VPN integration.
- Doesn't support syslog notifications.
- Has limitations working with Azure ExpressRoute. For more information, see Azure ExpressRoute for Microsoft 365.
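The following PowerShell function is an added example, not part of the Defender for Identity documentation or product. It classifies the local server against the deployment table above and checks the Defender for Endpoint onboarding prerequisite for sensor v3.x; the service names used to infer AD FS, AD CS and Microsoft Entra Connect roles, the registry path used for onboarding state, and the RODC DomainRole value are assumptions noted inline, and the March 2026 Cumulative Update level is not verified by the script.

```powershell
# Added example: map the local server to the sensor deployment table and
# check the Defender for Endpoint onboarding prerequisite for sensor v3.x.
function Get-MdiSensorRecommendation {
    $cs    = Get-CimInstance Win32_ComputerSystem
    $os    = Get-CimInstance Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    # Assumption: read-only domain controllers also report 4.
    $isDc = $cs.DomainRole -in 4, 5

    # Identity roles inferred from their Windows services (assumed names):
    # adfssrv = AD FS, CertSvc = AD CS, ADSync = Microsoft Entra Connect.
    $roleServices = @{ 'AD FS' = 'adfssrv'; 'AD CS' = 'CertSvc'; 'Microsoft Entra Connect' = 'ADSync' }
    $roles = @($roleServices.GetEnumerator() |
        Where-Object { Get-Service -Name $_.Value -ErrorAction SilentlyContinue } |
        ForEach-Object { $_.Key })

    # Windows Server 2016 is build 14393; Windows Server 2019 is build 17763.
    if ($build -lt 14393) {
        $sensor = 'Unsupported OS (Windows Server 2016 or later required)'
    } elseif ($isDc -and $build -ge 17763) {
        # Table rows 1-2: DC on 2019+ -> v3.x, provided the March 2026 CU is installed.
        $sensor = 'v3.x (confirm the March 2026 Cumulative Update is installed)'
    } elseif ($isDc -or $roles.Count -gt 0) {
        # Table rows 3-6: older DCs, or AD FS / AD CS / Entra Connect servers that aren't DCs.
        $sensor = 'v2.x'
    } else {
        $sensor = 'None (not a domain controller or identity-role server)'
    }

    # v3.x prerequisite: Defender for Endpoint must be onboarded, not merely installed.
    # Assumed registry path; OnboardingState = 1 once onboarding has completed.
    $mdeKey    = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = (Get-ItemProperty -Path $mdeKey -ErrorAction SilentlyContinue).OnboardingState -eq 1

    [pscustomobject]@{
        ComputerName       = $cs.Name
        OSBuild            = $build
        IsDomainController = $isDc
        IdentityRoles      = ($roles -join ', ')
        RecommendedSensor  = $sensor
        MdeOnboarded       = $onboarded
        V3Blocked          = ($sensor -like 'v3.x*' -and -not $onboarded)
    }
}

Get-MdiSensorRecommendation | Format-List
```

Run it in an elevated session on each candidate server; a result with V3Blocked set to True means the server lands on the v3.x rows of the table but is not yet onboarded to Defender for Endpoint, so activation would fail until onboarding is completed.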
Deployment steps for sensor v3.x
Follow these steps to deploy the sensor v3.x on domain controllers running Windows Server 2019 or later, including domain controllers that also run AD FS, AD CS, or Microsoft Entra Connect roles:
- Verify prerequisites
- Activate the sensor
- Configure Windows event auditing
- Configure RPC auditing
- Validate deployment
Deployment steps for sensor v2.x
Follow these steps to deploy the sensor v2.x on domain controllers running Windows Server 2016 or later, or on AD FS, AD CS, and Microsoft Entra Connect servers that aren't domain controllers:
- Verify prerequisites
- Plan capacity
- Configure connectivity
- Install the sensor
- Configure the sensor
- Configure Windows event auditing
- Configure Directory Service accounts
- Configure for AD FS, AD CS, or Entra Connect (if applicable)
- Validate deployment