Microsoft Defender for Identity action accounts

Defender for Identity allows you to take remediation actions targeting on-premises Active Directory accounts in the event that an identity is compromised. To take these actions, Microsoft Defender for Identity needs to have the required permissions to do so.

By default, the Microsoft Defender for Identity sensor installed on a domain controller will impersonate the LocalSystem account of the domain controller and perform the actions. However, you can change this default behavior by setting up a gMSA account and scope the permissions as you need.

Configure management accounts.

Create and configure a specific action account

  1. On a domain controller in your domain, create a new gMSA account, following the instructions in Getting started with Group Managed Service Accounts.

  2. Assign the "Log on as a service" right to the gMSA account on each domain controller that runs the Defender for Identity sensor.

  3. Grant the required permissions to the gMSA account.

    1. Open Active Directory Users and Computers.

    2. Right-click the relevant domain or OU, and select Properties.

      Select properties of domain or OU.

    3. Go the Security tab and select Advanced.

      Advanced security settings.

    4. Select Add.

    5. Choose Select a principal. Choose select a principal.

    6. Make sure Service accounts is marked in Object types. Select service accounts as object types.

    7. Enter the name of the gMSA account in the Enter the object name to select box and select OK.

    8. Select Descendant User objects in the Applies to field, leave the existing settings, and add the following permissions and properties: Set permissions and properties.

      • To enable force password reset:
        • Permissions:
          • Reset password
        • Properties:
          • Read pwdLastSet
          • Write pwdLastSet
      • To disable user:
        • Properties:
          • Read userAccountControl
          • Write userAccountControl
    9. Select Descendant Group objects in the Applies to field and set the following properties:

      • Read members
      • Write members
    10. Select OK.

Note

  • It's not recommended to use the same gMSA account you configured for Defender for Identity managed actions on servers other than domain controllers. If the server is compromised, an attacker could retrieve the password for the account and gain the ability to change passwords and disable accounts.

  • We don't recommend using the same account as the Directory Service account and the Manage Action account. This is because the Directory Service account requires only read-only permissions to Active Directory, and the Manage Action accounts needs write permissions on user accounts.

Add the gMSA account in the Microsoft 365 Defender portal

  1. Go to the Microsoft 365 Defender portal.

  2. Go to Settings -> Identities.

  3. Under Microsoft Defender for Identity, select Manage action accounts.

  4. Select +Create new account to add your gMSA account.

  5. Provide the account name and domain, and select Save.

  6. Your action account will be listed on the Manage action accounts page.

    Create action account.

Remediation actions in Defender for Identity

Next steps