What's Microsoft Defender for identity?

Microsoft Defender for Identity is designed to protect your on-premises Active Directory (AD) and Active Directory Federation Services (ADFS). Microsoft Defender for Identity can perform the following:

  • Monitor user and entity behavior/activities with intelligent analytics.
  • Protect user identities and reduces the attack surface.
  • Identify and investigate suspicious user activities to find advanced attacks throughout your environment.
  • Use the Microsoft 365 portal to monitor and respond to investigate alerts and user activity.

How does Microsoft Defender for Identity work?

Microsoft Defender for Identity monitors your domain controllers' network traffic and event logs. It then uses this information to detect attacks and threats. Microsoft Defender for Identity gathers the information and analyzes it based on user and device behavior. But what's the flow?

In short, you install a sensor on your AD FS servers and domain controllers. The sensor will send the network traffic, Windows events and traces back to Microsoft Defender for Identity that's in the Microsoft 365 cloud. Microsoft Defender for Identity will send the information to the Microsoft Defender for Cloud Apps portal and show you the activities, and alerts.

But don't worry. Microsoft won't use your data for advertising or anything else other than providing you the defense your organization needs.

What licenses will give us Microsoft Defender for Identity?

Microsoft Defender for Identity is part of the Enterprise Mobility + Security 5 (EMS E5) and as a standalone license.

How do you set up Microsoft Defender for Identity?

There are a couple of steps to set up the Microsoft Defender for Identity. In short, we'll need to configure Defender for Identity and then install the sensor on your AD servers. After that, we'll need to configure the account for automatic actions. Then we'll need to set up the sensitive accounts and honey token accounts. Next, we'll enable the integration between Defender for Identity and Defender for Cloud Apps, as well as, Defender for Endpoint. Then you'll need to review the reports and secure score to improve the security of your environment. Finally, you'll need to monitor the alerts.

How to configure Microsoft Defender for Identity

1. Go to the Microsoft 365 Defender portal > More resources > Click Open located under Azure Advanced Threat Protection.

How to open the Microsoft Defender for Identity Portal

How to open Microsoft Defender for Identity
2. If you receive the Welcome screen click Create.

Create the Defender for Identity instance

3. Click configuration > Directory services.

4. Open PowerShell on your domain controller. Run the following script:

Import-Module ActiveDirectory
if ((Get-KdsRootKey) -eq $null) {
Add-KdsRootKey -EffectiveImmediately
Write-Host "Please wait 10 hours and then run this script again"
} else {
$DomainControllers = Get-ADDomainController
$Dcs = @()
foreach ($DomainController in $DomainControllers) {
$Dcs += "$($DomainController.Name)$"
}
new-adserviceaccount -name gMSA01 -dnshostname ((Get-DnsServer).ServerSetting.ComputerName) -PrincipalsAllowedToRetrieveManagedPassword $Dcs
}

5. If you receive the message "Please wait 10 hours and then run this script again" wait 10 hours then run the script again.

6. Enter the username of gMSA01. Click the Group managed service account. Enter your domain name in the space provided. Click Save.

Setup directory services with Defender for Identity

How to
Microsoft Defender for Identity creation
install the sensor on your AD servers

1. Open the Microsoft Defender for Identity admin center.

2. Click Configuration > Sensors.

Microsoft Defender for identity sensors

3. Click Download. Save the zip to your computer.

4. Copy the zip file to one of your domain controllers.

5. Extract the zip.

6. Run Azure ATP Sensor Setup.exe

7. On the Install Microsoft Defender for Identity Sensor page click Next.

Microsoft Defender for Identity Sensor Install Choose Language

8. On the Sensor deployment type page click Next.

Microsoft Defender for Identity Sensor Install Deployment Type

9. Go back to the Defender for Identity admin center sensory web page and copy the Access key. Paste the access key into the Configure the Sensor page. Click Install.

Microsoft Defender for Identity Sensor Install Configure the Sensor

10. Click Finish.

11. Repeat steps 4-10 on each domain controller.

12. Once the sensor is installed on all of your domain controllers refresh the Defender for Identity Sensors web page and verify the DCs appear in the list with the status of Running.

Defender for Identity DCs with Sensor installed

Configure Automatic Actions

In these steps, we'll set up the group account we created earlier to perform automatic actions in our AD domain.

1. Open Active Directory Users and Computers. Right-click the domain and click Properties.

Open domain properties

2. Click the Security tab > Advanced > Add.

Add advanced permissions

3. Click Select a principal. Click Object Types > Service Accounts > OK. Enter gMSA01 in the object name to select box. Click OK.

Select a principal

4. Click the Applies to drop down. Select Descendant User object.

Applies to

5. To enable force password reset click Permissions: Reset password. Then click Properties: Read pwdLastSet & Properties: Write pwdLastSet

6. To grant the account the ability to disable users click Properties: Read userAccountControl & Properties: Write userAccountControl

User Permissions

8. Click OK.

7. Click Add > Select a principal. Enter GMSA01 in the name field again and click OK. Click the Applies to dropdown. Then click Descendant Group objects.

Group objects

8. Click Properties: Read Members & Properties: Write Members.

Group permissions

9. Click OK. Click Apply > OK.

10. Go back to the Microsoft Defender admin center web page again. Click Settings > Identities > Manage action accounts

11. Click Add credentials. Set the account name to gMSA01. Set the domain to your internal domain name. Click Save.

Add credentials for action accounts

How to set up the sensitive accounts

Sensitive accounts are typically C-level executives and administrator accounts. Administrator accounts and domain controllers are automatically added as sensitive accounts but we'll add them manually anyway. These accounts will require extra alerts and management by Defender for Identity.

1. Go to Microsoft Defender admin center > Settings > Identitites > Sensitive.

2. Click Tag users. Click the check box next to the accounts you want to add. Click Add selection.

Tag sensitive accounts

How to set up honey token accounts

Honey token accounts are accounts that are never used. They should never be logged into by anyone. When a malicious user accesses your environment and then uses that account in an attempt to gain elevated permissions then Defender for Identity will trigger alerts.

1. Create an account in your on-premises Active Directory Users and Computers. Name the account something like "Gruber Admin" that a malicious user would find and attempt to access.

Honeytoken account creation

2. Wait until your on-premises AD syncs to Microsoft 365. Typically it takes about 1 hour.

3. Go to Microsoft Defender admin center > Settings > Identities > Honeytoken.

4. Click Tag users. Select the honeytoken account you created in step 1. Click Add selection.

Honeytoken account setup

Enable Microsoft Defender for Identity data integration into Microsoft Defender for Cloud Apps

1. Open Microsoft Defender portal > More resources > Microsoft Defender for Cloud Apps.

Open Microsoft Defender for Cloud Apps

2. Click the gear in the top right corner > Settings > Microsoft Defender for Identity. Check the Enable Microsoft Defender for Identity integration. Click Save.

Integrate Defender for Cloud Apps with Defender for Identity

Enable Microsoft Defender for Identity data integration into Microsoft Defender for Endpoint

1. Go to Microsoft Defender for Identity admin center > Configuration > Microsoft Defender for Endpoint.

2. Click On next to Integration with Microsoft Defender for Endpoint. Click Save.

Enable Integration Between Defender for Endpoint and Defender for Identity

3. Go to the Microsoft 365 Defender admin center > Settings > Endpoints > Advanced Features.

4. Enable the Microsoft Defender for Identity integration setting. Click Save preferences.

Enable Defender for Identity and endpoint integration

How to monitor alerts

The alerts will show up in a couple of different places. First, they'll show up in the Microsoft Defender for Identity Timeline. Next, they'll show up in the Microsoft Defender admin center Alerts & Investigation pages. Finally, they'll show up on the Microsoft Defender for Cloud Apps Alerts page.

How to view alerts in the Microsoft Defender for Identity Timeline

Defender for Identity timeline

1. Go to Microsoft Defender for Identity admin center > Timeline.

From there you'll see the suspicious activity in a timeline. You can click an alert to review more details about the issue. You can also click the ellipsis (...) next to an alert and close, suppress, or delete an alert.

How to view alerts in the Microsoft Defender admin center

Honeytoken breach in Microsoft defender admin center

1. Open the Microsoft Defender admin center > Incidents & alerts > Incidents.

From there you can see the incidents. By clicking an incident name you can view more information, for example, the user and device that was used.

How to view alerts in the Microsoft Defender for Cloud Apps admin center

Defender for Cloud Apps alerts

1. Open the Microsoft Defender for Cloud Apps admin center > Alerts.