Activate Microsoft Defender for Identity capabilities directly on a domain controller

Microsoft Defender for Endpoint customers, who have already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using Microsoft Defender for Identity classic sensor.

This article describes how to activate and test Microsoft Defender for Identity capabilities on your domain controller.

Important

The new Defender for Identity sensor (version 3.x) is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor.

Prerequisites

Before activating the Defender for Identity capabilities on your domain controller, make sure that your environment complies with the prerequisites in this section.

Defender for Identity sensor conflicts

The configuration described in this article doesn't support side-by-side installation with an existing Defender for Identity sensor, and isn't recommended as a replacement for the Defender for Identity classic sensor.

Make sure that the domain controller where you're planning to activate Defender for Identity capabilities doesn't have a Defender for Identity sensor deployed.

System requirements

Direct Defender for Identity capabilities are supported on domain controllers only, running one of the following operating systems:

Important

After installing the March 2024 Cumulative Update, LSASS might experience a memory leak on domain controllers when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests.

This issue is addressed in the out-of-band update KB5037422.

Defender for Endpoint onboarding

Your domain controller must be onboarded to Microsoft Defender for Endpoint.

For more information, see Onboard a Windows server.

Permissions requirements

To access the Defender for Identity Activation page, you must either be a Security Administrator, or have the following Unified RBAC permissions:

  • Authorization and settings / System settings (Read and manage)
  • Authorization and settings / Security setting (All permissions)

For more information, see:

Connectivity requirements

Defender for Identity capabilities directly on domain controllers use Defender for Endpoint URL endpoints for communication, including simplified URLs.

For more information, see Configure your network environment to ensure connectivity with Defender for Endpoint.

Configure Windows auditing

Defender for Identity detections rely on specific Windows Event Log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications.

Configure Windows event collection on your domain controller to support Defender for Identity detections. For more information, see Event collection with Microsoft Defender for Identity and Configure audit policies for Windows event logs.

You might want to use the Defender for Identity PowerShell module to configure the required settings. For more information, see:

For example, the following command defines all settings for the domain, creates group policy objects, and links them.

PowerShell
Set-MDIConfiguration -Mode Domain -Configuration All
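Set-MDIConfiguration writes the settings into group policy, but the sensor only benefits once that policy has actually applied on each domain controller. The following script is an added example, not part of the Microsoft article or the DefenderForIdentity module: run it in an elevated PowerShell session on the domain controller to read the effective advanced audit policy with auditpol and the NTLM auditing registry values, and report anything still out of line. The subcategory list, the event IDs in the comments and the registry values are this editor's reading of the event-collection documentation the article links to; confirm them against that documentation before treating the output as authoritative.

```powershell
# Added example (not Microsoft's code): verify the local audit settings that
# Defender for Identity event collection depends on, after GPO has applied.
# Run elevated on the domain controller. The -Fix switch applies the missing
# auditpol subcategories locally; GPO remains the supported way to manage them.

# Required advanced audit subcategories (assumed from the event-collection docs).
$requiredAudit = [ordered]@{
    'Credential Validation'         = 'Success and Failure'   # 4776 (NTLM sign-ins)
    'Computer Account Management'   = 'Success and Failure'   # 4741, 4743
    'Distribution Group Management' = 'Success and Failure'   # 4753, 4763
    'Security Group Management'     = 'Success and Failure'   # 4728, 4729, 4732, 4733, 4756, 4757
    'User Account Management'       = 'Success and Failure'   # 4726
    'Directory Service Access'      = 'Success and Failure'   # 4662
    'Directory Service Changes'     = 'Success and Failure'   # 5136
    'Security System Extension'     = 'Success and Failure'   # 7045 (service installs)
}

# NTLM auditing policy as stored in the registry (assumed mappings):
#   AuditNTLMInDomain 7       = "Audit NTLM authentication in this domain: Enable all"
#   AuditReceivingNTLMTraffic = "Audit incoming NTLM traffic: Enable auditing for all accounts"
#   RestrictSendingNTLMTraffic= "Outgoing NTLM traffic to remote servers: Audit all"
$requiredNtlm = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'AuditNTLMInDomain';          Value = 7 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';           Name = 'AuditReceivingNTLMTraffic';  Value = 2 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';           Name = 'RestrictSendingNTLMTraffic'; Value = 1 }
)

function Get-AuditInclusionSetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    # auditpol /r prints CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,
    # Inclusion Setting,Exclusion Setting. Blank lines are dropped before parsing.
    $rows = auditpol.exe /get /subcategory:"$Subcategory" /r | Where-Object { $_.Trim() -ne '' }
    ($rows | ConvertFrom-Csv).'Inclusion Setting'
}

function Test-MdiAuditPrerequisites {
    param([switch]$Fix)
    $results = foreach ($sub in $requiredAudit.Keys) {
        $actual = Get-AuditInclusionSetting -Subcategory $sub
        $ok = ($actual -eq $requiredAudit[$sub])
        if (-not $ok -and $Fix) {
            # Local remediation; in production let the GPO from Set-MDIConfiguration carry this.
            auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
            $actual = Get-AuditInclusionSetting -Subcategory $sub
            $ok = ($actual -eq $requiredAudit[$sub])
        }
        [pscustomobject]@{ Check = "Audit: $sub"; Expected = $requiredAudit[$sub]; Actual = $actual; Compliant = $ok }
    }
    $results += foreach ($reg in $requiredNtlm) {
        $actual = (Get-ItemProperty -Path $reg.Path -Name $reg.Name -ErrorAction SilentlyContinue).($reg.Name)
        [pscustomobject]@{
            Check     = "NTLM: $($reg.Name)"
            Expected  = $reg.Value
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = ($actual -eq $reg.Value)
        }
    }
    $results
}

$report = Test-MdiAuditPrerequisites
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more Defender for Identity audit prerequisites are not in effect on this domain controller.'
}
```

If the report shows gaps immediately after running Set-MDIConfiguration, run gpupdate /force on the domain controller and re-check before assuming the GPO itself is wrong; the NTLM registry values in particular come from a separate policy setting path and are easy to miss when auditing is configured by hand.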

Activate Defender for Identity capabilities

After ensuring that your environment is completely configured, activate the Microsoft Defender for Identity capabilities on your domain controller.

Activate Defender for Identity from the Microsoft Defender portal:

  1. Navigate to System > Settings > Identities > Activation.

    The Activation page lists servers discovered in Device Inventory and identified as eligible domain controllers.

  2. Select the domain controller where you want to activate the Defender for Identity capabilities and then select Activate. Confirm your selection when prompted.

    Note

    You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they're discovered, or manually, where you select specific domain controllers from the list of eligible servers.

  3. When the activation is complete, a green success banner shows. In the banner, select Click here to see the onboarded servers to jump to the Settings > Identities > Sensors page, where you can check your sensor health.

Onboarding Confirmation

To confirm the sensor has been onboarded:

  1. Navigate to System > Settings > Identities > Sensors.

  2. Check that the onboarded domain controller is listed.

Note

The activation doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as Running on the Sensors page. Subsequent activations are shown within five minutes.

Test activated capabilities

Defender for Identity capabilities on domain controllers currently support the following Defender for Identity functionality:

Use the following procedures to test your environment for Defender for Identity capabilities on a domain controller.

Check the ITDR dashboard

In the Defender portal, select Identities > Dashboard, and review the details shown, checking for expected results from your environment.

For more information, see Work with Defender for Identity's ITDR dashboard.

Confirm entity page details

Confirm that entities, such as domain controllers, users, and groups, are populated as expected.

In the Defender portal, check for the following details:

  • Device entities: Select Assets > Devices, and select the machine for your new sensor. Defender for Identity events are shown on the device timeline.

  • User entities: Select Assets > Users and check for users from a newly onboarded domain. Alternately, use the global search option to search for specific users. User details pages should include Overview, Observed in organization, and Timeline data.

  • Group entities: Use the global search to find a user group, or pivot from a user or device details page where group details are shown. Check for details of group membership, view group users, and group timeline data.

    If no event data is found on the group timeline, you may need to create some manually. For example, do this by adding and removing users from the group in Active Directory.

For more information, see Investigate assets.

Test advanced hunting tables

In the Defender portal's Advanced hunting page, use the following sample queries to check that data appears in relevant tables as expected for your environment:

Kusto
IdentityDirectoryEvents
| where TargetDeviceName contains "DC_FQDN" // insert domain controller FQDN

IdentityInfo 
| where AccountDomain contains "domain" // insert domain

IdentityQueryEvents 
| where DeviceName contains "DC_FQDN" // insert domain controller FQDN

For more information, see Advanced hunting in the Microsoft Defender portal.

Test Identity Security Posture Management (ISPM) recommendations

We recommend simulating risky behavior in a test environment to trigger supported assessments and verify that they appear as expected. For example:

  1. Trigger a new Resolve unsecure domain configurations recommendation by setting your Active Directory configuration to a non-compliant state, and then returning it to a compliant state. For example, run the following commands:

    To set a non-compliant state

    PowerShell
    Set-ADObject -Identity ((Get-ADDomain).distinguishedname) -Replace @{"ms-DS-MachineAccountQuota"="10"}
    

    To return it to a compliant state:

    PowerShell
    Set-ADObject -Identity ((Get-ADDomain).distinguishedname) -Replace @{"ms-DS-MachineAccountQuota"="0"}
    

    To check your local configuration:

    PowerShell
    Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota
    
  2. In Microsoft Secure Score, select Recommended Actions to check for a new Resolve unsecure domain configurations recommendation. You might want to filter recommendations by the Defender for Identity product.

For more information, see Microsoft Defender for Identity's security posture assessments.

Test alert functionality

Test alert functionality by simulating risky activity in a test environment. For example:

  • Tag an account as a honeytoken account, and then try signing in to the honeytoken account against the activated domain controller.
  • Create a suspicious service on your domain controller.
  • Run a remote command on your domain controller as an administrator signed in from your workstation.
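The three bullets above can be driven from a single script so that the test is repeatable and cleans up after itself. What follows is an added example, not part of the Microsoft article: from an administrator's workstation in a test environment it performs an LDAP bind as the honeytoken account against the activated domain controller (with a deliberately wrong password, so no real secret is needed), runs a remote command on the domain controller over PowerShell remoting, creates and then deletes a throwaway service there, and confirms locally that the 7045 service-install event was written. The domain controller name, honeytoken account and service name are placeholders. Do not run this against production; it is intentionally noisy.

```powershell
# Added example (not Microsoft's code): generate the lab signals the article
# suggests for alert testing, then clean up. Placeholders below are assumptions.
param(
    [string]$DomainController = 'DC01.contoso.test',          # placeholder FQDN
    [string]$HoneytokenUser   = 'CONTOSO\svc-honeytoken',      # placeholder, tagged as honeytoken in the portal
    [string]$ServiceName      = 'MdiAlertTestSvc'              # placeholder service name
)

# 1. Honeytoken authentication: a simple LDAP bind with a bad password is still an
#    authentication attempt against the DC, which is what the honeytoken alert keys on.
try {
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$DomainController", $HoneytokenUser, 'intentionally-wrong-password')
    $null = $entry.NativeObject   # forces the bind
} catch {
    Write-Host "Honeytoken bind failed as expected: $($_.Exception.Message)"
}

# 2. Remote command execution on the DC over WinRM from this admin workstation.
$session = New-PSSession -ComputerName $DomainController
Invoke-Command -Session $session -ScriptBlock { whoami.exe /groups | Select-Object -First 5 }

# 3. Service creation on the DC. sc.exe create logs event 7045 in the System log,
#    which the "Security System Extension" audit setting makes available to the sensor.
Invoke-Command -Session $session -ArgumentList $ServiceName -ScriptBlock {
    param($Name)
    sc.exe create $Name binPath= "cmd.exe /c echo Defender for Identity alert test" start= demand | Out-Null
    # Self-check: the 7045 event for our service should now exist.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddMinutes(-5) } |
        Where-Object { $_.Message -match [regex]::Escape($Name) } |
        Select-Object TimeCreated, Id, MachineName
}

# 4. Cleanup: remove the test service and close the session.
Invoke-Command -Session $session -ArgumentList $ServiceName -ScriptBlock {
    param($Name)
    sc.exe delete $Name | Out-Null
}
Remove-PSSession $session
```

Give the portal a few minutes after running this, then check Incidents & alerts for honeytoken authentication, remote code execution attempt and suspicious service creation alerts tied to the domain controller; if the service alert is missing but the 7045 event printed, the sensor is not receiving System log events and the audit configuration is the first thing to recheck.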

For more information, see Investigate Defender for Identity security alerts in Microsoft Defender XDR.

Test remediation actions

Test remediation actions on a test user. For example:

  1. In the Defender portal, go to the user details page for a test user.

  2. From the Options menu, select any of the available remediation actions.

  3. Check Active Directory for the expected activity.

For more information, see Remediation actions in Microsoft Defender for Identity.

Deactivate Defender for Identity capabilities on your domain controller

If you want to deactivate Defender for Identity capabilities on your domain controller, delete it from the Sensors page:

  1. In the Defender portal, select Settings > Identities > Sensors.
  2. Select the domain controller where you want to deactivate Defender for Identity capabilities, select Delete, and confirm your selection.

Deactivating Defender for Identity capabilities from your domain controller doesn't remove the domain controller from Defender for Endpoint. For more information, see Defender for Endpoint documentation.

Next steps

For more information, see Manage and update Microsoft Defender for Identity sensors.