Enable the evaluation environment for Microsoft Defender for Identity

Applies to:

  • Microsoft Defender XDR

This article is Step 2 of 2 in the process of setting up the evaluation environment for Microsoft Defender for Identity. For more information about this process, see the overview article.

Use the following steps to set up your Microsoft Defender for Identity environment.

[Figure: The steps to enable Microsoft Defender for Identity in the Microsoft Defender evaluation environment]

Step 1: Set up the Defender for Identity Instance

Sign in to the Defender for Identity portal to create your instance and then connect this instance to your Active Directory environment.

Step | Description | More information
1 | Create the Defender for Identity instance | Quickstart: Create your Microsoft Defender for Identity instance
2 | Connect the Defender for Identity instance to your Active Directory forest | Quickstart: Connect to your Active Directory Forest

Step 2: Install and configure the sensor

Next, download, install, and configure the Defender for Identity sensor on the domain controllers and AD FS servers in your on-premises environment.

Step | Description | More information
1 | Determine how many Microsoft Defender for Identity sensors you need. | Plan capacity for Microsoft Defender for Identity
2 | Download the sensor setup package | Quickstart: Download the Microsoft Defender for Identity sensor setup package
3 | Install the Defender for Identity sensor | Quickstart: Install the Microsoft Defender for Identity sensor
4 | Configure the sensor | Configure Microsoft Defender for Identity sensor settings

Step 3: Configure event log and proxy settings on machines with the sensor

On the machines that you installed the sensor on, configure Windows event log collection and Internet proxy settings to enable and enhance detection capabilities.

Step | Description | More information
1 | Configure Windows event log collection | Configure Windows Event collection
2 | Configure Internet proxy settings | Configure endpoint proxy and Internet connectivity settings for your Microsoft Defender for Identity Sensor

Step 4: Allow Defender for Identity to identify local admins on other computers

Microsoft Defender for Identity lateral movement path detection relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity service account.

To ensure that Windows clients and servers allow your Defender for Identity service account to perform SAM-R queries, modify Group Policy to add the Defender for Identity service account to the accounts already listed in the Network access policy. Apply the group policies to all computers except domain controllers.

For instructions on how to do this, see Configure Microsoft Defender for Identity to make remote calls to SAM.
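
The following added example (not part of the original article and not Microsoft's tooling) checks, on a Windows client or member server, whether the policy's security descriptor grants an account remote SAM access. It assumes the policy is stored as an SDDL string in the RestrictRemoteSam value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and grants access through the RC (READ_CONTROL) right; the function name and the SID are hypothetical, and the sample SDDL strings are constructed.

```powershell
# Added example. Test-SamrAccessAllowed and the SID below are hypothetical.
function Test-SamrAccessAllowed {
    param(
        [Parameter(Mandatory)] [string]   $Sddl,  # policy value in SDDL form
        [Parameter(Mandatory)] [string[]] $Sids   # account SID plus SIDs of its groups
    )
    $READ_CONTROL = 0x00020000   # "RC" in SDDL (assumed to be the right this policy grants)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $allowed = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($Sids -notcontains $ace.SecurityIdentifier.Value)      { continue }
        if (($ace.AccessMask -band $READ_CONTROL) -eq 0)           { continue }
        # Conservative simplification: any matching deny ACE counts as blocked.
        if ($ace.AceQualifier -eq 'AccessDenied')  { return $false }
        if ($ace.AceQualifier -eq 'AccessAllowed') { $allowed = $true }
    }
    return $allowed
}

# Constructed sample values (not taken from a real environment).
$svcSid      = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$adminsOnly  = 'O:BAG:BAD:(A;;RC;;;BA)'                   # only local Administrators listed
$withService = "O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;$svcSid)"  # service account added to the list

# The first descriptor lacks an ACE for the service account; the second has one.
Test-SamrAccessAllowed -Sddl $adminsOnly  -Sids $svcSid
Test-SamrAccessAllowed -Sddl $withService -Sids $svcSid

# On a machine that received the Group Policy, evaluate the applied value instead.
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$live = (Get-ItemProperty -Path $lsa -ErrorAction Stop).RestrictRemoteSam
if ($live) {
    Test-SamrAccessAllowed -Sddl $live -Sids $svcSid
} else {
    Write-Output 'RestrictRemoteSam is not set; the operating system default applies.'
}
```

If the service account is granted access through a group, pass the group's SID in -Sids along with the account's own SID.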

Next steps

Step 3 of 3: Pilot Microsoft Defender for Identity

Return to the overview for Evaluate Microsoft Defender for Identity

Return to the overview for Evaluate and pilot Microsoft Defender XDR
