This article outlines the steps required when installing Microsoft Defender for Identity sensors on Active Directory, Active Directory Federation Services (AD FS), or Active Directory Certificate Services (AD CS) servers. For more detailed instructions, see Deploy Microsoft Defender for Identity with Microsoft Defender XDR.
Watch the following video for a step-by-step demo and to learn about:
The importance of installing Defender for Identity sensors to protect your organization against identity-based attacks
Downloading and installing the sensor
Finding potential sensor and configuration health issues
Viewing identity-related posture assessments in Microsoft Secure Score
Prerequisites
This section lists the prerequisites required before installing the Defender for Identity sensor, including:
Licensing
Permissions
System requirements
Recommendations for best practices
Each Defender for Identity workspace supports multiple Active Directory forests, with a Forest Functional Level (FFL) of Windows Server 2003 or above.
Licensing requirements
Make sure that you have one of the following licenses:
To create your Defender for Identity workspace, you need a Microsoft Entra ID tenant with at least one Security administrator.
You need at least Security administrator access on your tenant to access the Identity section of the Microsoft Defender XDR Settings area and create the workspace.
This section describes the operating systems supported for Defender for Identity sensor installations. Installing a Defender for Identity sensor requires a minimum of 2 cores, 6 GB of RAM, and 6 GB of disk space installed on your domain controller.
Defender for Identity sensors can be installed on the following operating systems:
Windows Server 2016
Windows Server 2019. Requires KB4487044 or a newer cumulative update. Sensors installed on Windows Server 2019 without this update are automatically stopped if the ntdsai.dll file version found in the system directory is older than 10.0.17763.316.
Windows Server 2022
Windows Server 2025
For all operating systems:
Both Server with Desktop Experience and Server Core installations are supported.
Nano servers aren't supported.
Installations are supported for domain controllers, AD FS, and AD CS servers.
Check network connectivity
Verify that the servers you intend to install Defender for Identity sensors on can reach the Defender for Identity cloud service. From each server, try accessing: https://<your-workspace-name>sensorapi.atp.azure.com.
To get your workspace name, see the About page in the portal.
During installation, if .NET Framework 4.7 or later isn't installed, the .NET Framework 4.7 will be installed and might require a reboot of the server. A reboot might also be required if there's a restart already pending.
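The following PowerShell preflight script is an added example, not part of the original article or of the Defender for Identity installer. It checks the prerequisites listed above on a candidate server in one pass: the 2-core / 6 GB RAM / 6 GB disk minimums, the OS build, the ntdsai.dll version on Windows Server 2019, the .NET Framework 4.7 release key, a pending reboot, and TCP 443 reachability of the sensor API endpoint. The workspace name is a placeholder; the registry locations and the .NET release value 460798 (.NET Framework 4.7) are standard Windows values rather than anything the article states.

```powershell
# Added preflight check for a prospective Defender for Identity sensor host (example code).
# Run in an elevated PowerShell session on the domain controller / AD FS / AD CS server.
$WorkspaceName = 'contoso'                                    # placeholder; see the portal's About page
$SensorApiHost = '{0}sensorapi.atp.azure.com' -f $WorkspaceName

$results = [ordered]@{}

# --- Hardware minimums from the prerequisites: 2 cores, 6 GB RAM, 6 GB free disk ---
$cs = Get-CimInstance Win32_ComputerSystem
$results['Cores (>= 2)']  = $cs.NumberOfLogicalProcessors -ge 2
# Firmware and the OS reserve a little memory, so allow a small margin below 6 GB
$results['RAM (>= 6 GB)'] = $cs.TotalPhysicalMemory -ge (6GB - 512MB)
$sysDisk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
$results['System drive free (>= 6 GB)'] = $sysDisk.FreeSpace -ge 6GB

# --- Operating system: Windows Server 2016 (build 14393) or later ---
$os = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
$results["OS build $build (>= 14393)"] = $build -ge 14393

# --- Windows Server 2019 only (build 17763): ntdsai.dll must be 10.0.17763.316 or newer.
#     ntdsai.dll is present only on domain controllers; AD FS / AD CS hosts skip this check.
$ntdsai = Join-Path $env:SystemRoot 'System32\ntdsai.dll'
if ($build -eq 17763 -and (Test-Path $ntdsai)) {
    $fi  = (Get-Item $ntdsai).VersionInfo
    $ver = [version]::new($fi.FileMajorPart, $fi.FileMinorPart, $fi.FileBuildPart, $fi.FilePrivatePart)
    $results["ntdsai.dll $ver (>= 10.0.17763.316)"] = $ver -ge [version]'10.0.17763.316'
}

# --- .NET Framework 4.7 or later (Release >= 460798). If missing, setup installs it and may reboot.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET Framework >= 4.7'] = ($null -ne $ndp) -and ($ndp.Release -ge 460798)

# --- Pending reboot: setup may restart the server if a reboot is already pending ---
$rebootPending =
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
    ($null -ne (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                 -Name PendingFileRenameOperations -ErrorAction SilentlyContinue))
$results['No reboot pending'] = -not $rebootPending

# --- Cloud reachability: direct TCP 443 to the sensor API host.
#     On a proxy-only network this test fails by design; test the proxy path instead.
$results["TCP 443 to $SensorApiHost"] =
    Test-NetConnection -ComputerName $SensorApiHost -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue

$results.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```

Run it on every server you plan to enrol, before the maintenance window, so that a missing update or a blocked outbound path is found while there is still time to fix it rather than during the install.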
When installing your sensors, consider scheduling a maintenance window for your domain controllers.
Important
The new sensor is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor. Learn more about the new sensor
Install Defender for Identity classic sensor
This procedure describes how to install the Defender for Identity sensor on Windows Server 2016 or later. Make sure that your server meets the minimum system requirements.
Note
Defender for Identity sensors should be installed on all domain controllers, including read-only domain controllers (RODC). If you're installing on an AD FS / AD CS / Entra Connect farm or cluster, we recommend installing the sensor on each AD FS / AD CS / Entra Connect server.
Browse to System > Settings > Identities > Sensors > Add sensor
Select Download installer and save the file in a location you can access from your domain controller.
Copy the Access key value, which you'll need for the installation.
Tip
You only need to download the installer once, as it can be used for every server in the tenant. Make sure that no pop-up blocker is blocking the download.
From the domain controller, run the installer you downloaded from Microsoft Defender XDR and follow the instructions on the screen.
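For servers where an interactive wizard is impractical (Server Core, or many domain controllers in one maintenance window), the following PowerShell script is an added example, not part of the original article, that runs the downloaded setup silently with the Access key copied in the previous step and then confirms that the two sensor services (AATPSensor and AATPSensorUpdater) are running. The extraction directory and access key are placeholders; the `/quiet`, `NetFrameworkCommandLineArguments` and `AccessKey` switches are the sensor installer's silent-installation parameters, and exit code 3010 is the standard Windows Installer "reboot required" code.

```powershell
# Added example: silent sensor installation plus service verification (not the article's own steps).
$InstallerDir = 'C:\Temp\MDI'                          # placeholder: folder where the downloaded zip was extracted
$AccessKey    = '<paste the Access key from the portal>' # placeholder; this is a secret, do not commit it to scripts
$Setup        = Join-Path $InstallerDir 'Azure ATP sensor Setup.exe'

if (-not (Test-Path $Setup)) { throw "Installer not found at $Setup" }

$setupArgs = @(
    '/quiet',
    'NetFrameworkCommandLineArguments="/q"',   # installs .NET Framework 4.7 silently if it is missing
    "AccessKey=`"$AccessKey`""
    # ,'ProxyUrl="http://proxy.contoso.com:8080"'   # add only when the server reaches the cloud via a proxy
)

$proc = Start-Process -FilePath $Setup -ArgumentList $setupArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0    { 'Sensor setup completed.' }
    3010 { Write-Warning 'Sensor setup completed; a reboot is required before the sensor is fully active.' }
    default { throw "Sensor setup failed with exit code $($proc.ExitCode); check the installer logs." }
}

# Verify: both sensor services exist and are running. The updater is responsible for keeping the
# sensor current, so a missing or stopped updater is a health issue even when AATPSensor runs.
foreach ($svcName in 'AATPSensorUpdater', 'AATPSensor') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Warning "$svcName service not found"; continue }
    if ($svc.Status -ne 'Running') { Start-Service -Name $svcName }
    '{0,-18} {1}' -f $svcName, (Get-Service -Name $svcName).Status
}
```

After the services report Running, the server should appear under Settings > Identities > Sensors within a few minutes; if it does not, or shows a health issue, re-check the outbound connectivity to the sensor API host from that server.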