Enable the evaluation environment for Microsoft Defender for Identity
Applies to:
- Microsoft Defender XDR
This article is Step 2 of 2 in the process of setting up the evaluation environment for Microsoft Defender for Identity. For more information about this process, see the overview article.
Use the following steps to set up your Microsoft Defender for Identity environment.
- Step 1. Set up the Defender for Identity Instance
- Step 2. Install and configure the sensor
- Step 3. Configure event log and proxy settings on machines with the sensor
- Step 4. Allow Defender for Identity to identify local admins on other computers
Step 1: Set up the Defender for Identity Instance
Sign in to the Defender for Identity portal to create your instance and then connect this instance to your Active Directory environment.
Step | Description | More information |
---|---|---|
1 | Create the Defender for Identity instance | Quickstart: Create your Microsoft Defender for Identity instance |
2 | Connect the Defender for Identity instance to your Active Directory forest | Quickstart: Connect to your Active Directory Forest |
Step 2: Install and configure the sensor
Next, download, install, and configure the Defender for Identity sensor on the domain controllers and AD FS servers in your on-premises environment.
Step | Description | More information |
---|---|---|
1 | Determine how many Microsoft Defender for Identity sensors you need. | Plan capacity for Microsoft Defender for Identity |
2 | Download the sensor setup package | Quickstart: Download the Microsoft Defender for Identity sensor setup package |
3 | Install the Defender for Identity sensor | Quickstart: Install the Microsoft Defender for Identity sensor |
4 | Configure the sensor | Configure Microsoft Defender for Identity sensor settings |
Step 3: Configure event log and proxy settings on machines with the sensor
On each machine where you installed the sensor, configure Windows event log collection and Internet proxy settings to enable and enhance detection capabilities.
Step | Description | More information |
---|---|---|
1 | Configure Windows event log collection | Configure Windows Event collection |
2 | Configure Internet proxy settings | Configure endpoint proxy and Internet connectivity settings for your Microsoft Defender for Identity Sensor |
Step 4: Allow Defender for Identity to identify local admins on other computers
Microsoft Defender for Identity lateral movement path detection relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity service account.
To ensure that Windows clients and servers allow your Defender for Identity service account to perform SAM-R, modify Group Policy to add the service account in addition to the configured accounts already listed in the Network access policy. Apply the group policies to all computers except domain controllers.
For instructions on how to do this, see Configure Microsoft Defender for Identity to make remote calls to SAM.
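One way to verify the Step 4 change on a member computer, as an added example that is not Microsoft's code. It assumes the policy is stored as an SDDL string in the `RestrictRemoteSam` registry value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`; the account name `CONTOSO\svc-mdi` is hypothetical and the SID is constructed. It matches only the account's own SID, not groups the account belongs to.

```powershell
# Added example. Checks whether an SDDL from the remote-SAM restriction policy
# grants remote SAM access (READ_CONTROL, "RC" in SDDL) directly to one SID.
function Test-SamrRemoteAccess {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$SidValue
    )
    $readControl = 0x00020000
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $allowed = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.SecurityIdentifier.Value -ne $SidValue) { continue }
        if (($ace.AccessMask -band $readControl) -eq 0) { continue }
        # Simplification: any matching deny ACE overrides allow ACEs.
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) { return $false }
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) { $allowed = $true }
    }
    return $allowed
}

# Constructed sample input: an Administrators-only policy, and the same policy
# with an allow ACE added for a constructed service-account SID.
$sampleSid   = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$beforeSddl  = 'O:BAG:BAD:(A;;RC;;;BA)'
$afterSddl   = "O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;$sampleSid)"
"Before change, sample SID allowed: $(Test-SamrRemoteAccess $beforeSddl $sampleSid)"
"After change, sample SID allowed:  $(Test-SamrRemoteAccess $afterSddl $sampleSid)"

# Live check on this computer (skipped if the value or the account is missing).
$account = 'CONTOSO\svc-mdi'   # hypothetical; use your own service account
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.PSObject.Properties.Name -notcontains 'RestrictRemoteSam') {
    "RestrictRemoteSam is not set on $env:COMPUTERNAME; the OS default applies."
} else {
    try {
        $nt  = New-Object System.Security.Principal.NTAccount -ArgumentList $account
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        "$account allowed by local policy: $(Test-SamrRemoteAccess $lsa.RestrictRemoteSam $sid)"
    } catch {
        "Could not resolve $account to a SID: $($_.Exception.Message)"
    }
}
```

If the account is granted access through a group, the function reports False for the account's own SID; check the group's SID instead.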
Next steps
Step 3 of 3: Pilot Microsoft Defender for Identity
Return to the overview for Evaluate Microsoft Defender for Identity
Return to the overview for Evaluate and pilot Microsoft Defender XDR
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.