Posted by: kurtsh | November 1, 2022

INFO: Key considerations for Microsoft Defender for Identity

(I stole this from Eric M.’s post because it was such a good reference.)

[Image: MDI Machine Learning Periods]

Microsoft’s Active Directory Monitoring solution started as Advanced Threat Analytics, migrated to the cloud as Azure Advanced Threat Protection, and then graduated into the Defender for Identity product that is deeply integrated with the other M365D products such as Defender for Endpoint, Defender for Cloud Apps, and Azure Active Directory Identity Protection.

It’s important to understand that configuring an AD service account and installing the MDI sensor MSI does not complete the deployment. If you stop there, your sensor will fail to detect malicious activity it otherwise could, because key installation steps were missed.

Key things to consider when deploying MDI:

  • Advanced Audit Policy that meets MDI’s auditing requirements is critical
  • Disable Large Send Offload (LSO) on VMware DCs that show health alerts
  • Allowlist/bypass TCP 443 traffic from SSL intercept/proxy
  • Make sure that communication isn’t blocked for localhost, TCP port 444
  • MDI takes 30 days to baseline the environment for behavioral alerts (pictured)
  • Never use the same gMSA for the monitoring & action accounts
  • Make sure that SAM-R required permissions are configured for Lateral Movement Path detections
  • You do not need to purchase Npcap licenses
  • You can use the Azure service tag AzureAdvancedThreatProtection in NSG/Azure Firewall rules
  • The monitoring gMSA account must be granted the Log on as a service permission
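To confirm several of these items on a domain controller before calling the deployment done, here is an added PowerShell check (not from the original post or from Microsoft’s tooling). It assumes a placeholder gMSA name CONTOSO\mdiSvc$ and takes the audit subcategories from Microsoft’s MDI event-collection documentation; verify that list against the current docs.

```powershell
# Added example (not part of the original post): read-only checks of four MDI
# prerequisites listed above. Run in an elevated session on the domain controller.
# Placeholder monitoring gMSA; replace with your own (DOMAIN\name$).
$gmsa = 'CONTOSO\mdiSvc$'

# 1. Advanced Audit Policy: subcategories MDI relies on (assumed from Microsoft's
#    MDI event-collection docs). auditpol /r emits CSV, which we parse directly.
$required = @(
    'Credential Validation', 'Computer Account Management',
    'Distribution Group Management', 'Security Group Management',
    'User Account Management', 'Directory Service Access', 'Directory Service Changes'
)
$policy = auditpol /get /category:* /r | ConvertFrom-Csv
foreach ($sub in $required) {
    $row = $policy | Where-Object { $_.Subcategory -eq $sub }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
    $state = if ($setting -eq 'Success and Failure') { 'OK' } else { "MISSING ($setting)" }
    '{0,-32} {1}' -f $sub, $state
}

# 2. 'Log on as a service' (SeServiceLogonRight) must include the monitoring gMSA.
#    secedit exports the right as a list of *SID entries; compare against the gMSA SID.
$cfg = Join-Path $env:TEMP 'mdi-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
Remove-Item $cfg -ErrorAction SilentlyContinue
try {
    $sid = (New-Object System.Security.Principal.NTAccount($gmsa)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $granted = [bool]($rightLine -match [regex]::Escape("*$sid"))
    "Log on as a service for $gmsa : " + $(if ($granted) { 'OK' } else { 'MISSING' })
} catch { "Could not resolve $gmsa to a SID: $($_.Exception.Message)" }

# 3. The sensor's local listener on TCP 444 must be reachable via localhost.
$tcp = Test-NetConnection -ComputerName localhost -Port 444 -WarningAction SilentlyContinue
"localhost:444 reachable: $($tcp.TcpTestSucceeded)"

# 4. Large Send Offload state per NIC (the VMware DC health alert above);
#    any adapter still reporting 'Enabled' here is a candidate for disabling LSO.
Get-NetAdapterAdvancedProperty -RegistryKeyword '*LsoV2IPv4', '*LsoV2IPv6' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, DisplayValue
```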