Deploy Microsoft Defender for Identity with Microsoft Defender XDR
This article provides an overview of the full deployment process for Microsoft Defender for Identity, including steps for preparation, deployment, and extra steps for specific scenarios.
Defender for Identity is a primary component of a Zero Trust strategy and your identity threat detection and response (ITDR) or extended detection and response (XDR) deployment with Microsoft Defender XDR. Defender for Identity uses Active Directory signals to detect sudden account changes like privilege escalation or high-risk lateral movement, and reports on easily exploited identity issues like unconstrained Kerberos delegation, for correction by the security team.
For a quick set of deployment highlights, see Quick installation guide.
Before you start, make sure that you have access to Microsoft Defender XDR at least as a Security administrator, and you have one of the following licenses:
- Enterprise Mobility + Security E5 (EMS E5/A5)
- Microsoft 365 E5 (Microsoft E5/A5/G5)
- Microsoft 365 E5/A5/G5 Security
- A standalone Defender for Identity license
Acquire licenses directly via the Microsoft 365 portal or use the Cloud Solution Partner (CSP) licensing model.
For more information, see Licensing and privacy FAQs and What are Defender for Identity roles and permissions?
Start using Microsoft Defender XDR
This section describes how to start onboarding to Defender for Identity.
- Sign in to the Microsoft Defender portal.
- From the navigation menu, select any item, such as Incidents & alerts, Hunting, Action center, or Threat analytics to initiate the onboarding process.
You'll then be given the option to deploy supported services, including Microsoft Defender for Identity. Cloud components required for Defender for Identity are automatically added when you open the Defender for Identity settings page.
For more information, see:
- Microsoft Defender for Identity in Microsoft Defender XDR
- Get started with Microsoft Defender XDR
- Turn on Microsoft Defender XDR
- Deploy supported services
- Frequently asked questions when turning on Microsoft Defender XDR
Currently, Defender for Identity data centers are deployed in Europe, UK, North America/Central America/Caribbean, Australia East, and Asia. Your workspace (instance) is created automatically in the Azure region closest to the geographical location of your Microsoft Entra tenant. Once created, Defender for Identity workspaces aren't movable.
Plan and prepare
Use the following steps to prepare for deploying Defender for Identity:
We recommend running the Test-MdiReadiness.ps1 script to test and see if your environment has the necessary prerequisites.
The link to the Test-MdiReadiness.ps1 script is also available from Microsoft Defender XDR, on the Identities > Tools page (Preview).
Deploy Defender for Identity
After you've prepared your system, use the following steps to deploy Defender for Identity:
- Verify connectivity to the Defender for Identity service.
- Download the Defender for Identity sensor.
- Install the Defender for Identity sensor.
- Configure the Defender for Identity sensor to start receiving data.
The following procedures help you complete the deployment process:
Configure Windows event collection. For more information, see Event collection with Microsoft Defender for Identity and Configure audit policies for Windows event logs.
Enable and configure unified role-based access control (RBAC) for Defender for Identity.
Configure a Directory Service account (DSA) for use with Defender for Identity. While a DSA is optional in some scenarios, we recommend that you configure a DSA for Defender for Identity for full security coverage.
Configure remote calls to SAM as needed. While this step is optional, we recommend that you configure remote calls to SAM-R for lateral movement path detection with Defender for Identity.
Installing a Defender for Identity sensor on an AD FS / AD CS server requires extra steps. For more information, see Configuring sensors for AD FS and AD CS.