Deploy Microsoft Defender for Identity with Microsoft 365 Defender
The deployment of Microsoft Defender for Identity with Microsoft 365 Defender has two phases: preparation and deployment.
This article outlines the steps in each phase and provides instructions for special scenarios.
Start using Microsoft 365 Defender
To begin the deployment of Defender for Identity, sign in to the Microsoft 365 Defender portal. From the navigation menu, select any item, such as Incidents & alerts, Hunting, Action center, or Threat analytics to initiate the onboarding process.
You'll then be given the option to deploy supported services, including Microsoft Defender for Identity. When you go to the Defender for Identity settings, the required cloud components will be auto-provisioned.
For more information about these steps, see the following articles:
- Microsoft Defender for Identity in Microsoft 365 Defender
- Get started with Microsoft 365 Defender
- Turn on Microsoft 365 Defender
- Deploy supported services
- Frequently asked questions when turning on Microsoft 365 Defender
Currently, Defender for Identity data centers are deployed in Europe, UK, North America/Central America/Caribbean, Australia East, and Asia. Your workspace is created automatically in the Azure region closest to the geographical location of your Microsoft Entra tenant. Once created, Defender for Identity workspaces aren't movable.
- Defender for Identity prerequisites.
- Plan your Defender for Identity capacity.
- Configure Windows Event collection.
- Directory Service accounts.
- Role groups.
- Configure remote calls to SAM.
To check whether your environment meets the necessary prerequisites, you can run the Test-MdiReadiness.ps1 script. For more information, see the script's page.
- Download the Defender for Identity sensor.
- Proxy configuration.
- Install the Defender for Identity sensor.
- Manage action accounts.
- Configure the Defender for Identity sensor to start receiving data.
- Installing on Active Directory Federation Services
- Multi-forest support
- Migrate from Advanced Threat Analytics (ATA)
If you deploy Defender for Identity standalone sensors, you'll need to complete the following steps:
- Configure port mirroring
- Validate Port Mirroring
- Configure event collection
- Configuring Windows Event Forwarding