What's Microsoft Defender for Identity?
Microsoft Defender for Identity is designed to protect your on-premises Active Directory (AD) and Active Directory Federation Services (ADFS). Microsoft Defender for Identity can perform the following:
- Monitor user and entity behavior and activities with learning-based analytics.
- Protect the user identities and credentials stored in Active Directory, and reduce the attack surface.
- Identify and investigate suspicious user activities to find advanced attacks throughout your environment.
- Use the Microsoft 365 Defender portal to monitor, investigate, and respond to alerts and user activity.
How does Microsoft Defender for Identity work?
Microsoft Defender for Identity monitors your domain controllers' network traffic and event logs. It then uses this information to detect attacks and threats. Microsoft Defender for Identity gathers the information and analyzes it based on user and device behavior. But what's the flow?
In short, you install a sensor on your domain controllers and AD FS servers. The sensor parses the network traffic, Windows events, and ETW traces locally and sends only the parsed, security-relevant data over HTTPS to the Microsoft Defender for Identity cloud service in Microsoft 365. The cloud service analyzes it and surfaces the activities and alerts in the Microsoft 365 Defender portal and the Microsoft Defender for Cloud Apps portal.
But don't worry. Microsoft won't use your data for advertising or anything else other than providing you the defense your organization needs.
What licenses will give us Microsoft Defender for Identity?
Microsoft Defender for Identity is included in Enterprise Mobility + Security E5 (EMS E5) and Microsoft 365 E5, and it's also available as a standalone license.
How do you set up Microsoft Defender for Identity?
There are a few steps to set up Microsoft Defender for Identity. In short:
1. Configure Defender for Identity (the directory services account it uses to query Active Directory).
2. Install the sensor on your domain controllers and AD FS servers.
3. Configure the account used for automatic (remediation) actions.
4. Tag your sensitive accounts and honeytoken accounts.
5. Enable the integrations with Defender for Cloud Apps and Defender for Endpoint.
6. Review the reports and Secure Score to improve the security of your environment.
7. Monitor the alerts.
How to configure Microsoft Defender for Identity
1. Go to the Microsoft 365 Defender portal > More resources > Click Open located under Azure Advanced Threat Protection.
2. If you receive the Welcome screen click Create.
3. Click Configuration > Directory services.
4. Open PowerShell on your domain controller. Run the following script:
Import-Module ActiveDirectory

# A gMSA needs a KDS root key in the forest. A new key takes up to 10 hours to replicate
# to every domain controller, which is why this script is run twice.
if ($null -eq (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
    Write-Host "Please wait 10 hours and then run this script again"
} else {
    # Get every domain controller. Without -Filter * the cmdlet returns only the DC
    # you're connected to, and the sensors on the other DCs couldn't retrieve the password.
    $DomainControllers = Get-ADDomainController -Filter *
    $Dcs = @()
    foreach ($DomainController in $DomainControllers) {
        $Dcs += "$($DomainController.Name)`$"   # computer account sAMAccountName, e.g. DC01$
    }
    # AD FS servers that will run a sensor must be added to $Dcs as well.
    # The DNS host name is a required gMSA attribute; <name>.<domain> is the usual choice.
    $DnsHostName = "gMSA01.$((Get-ADDomain).DNSRoot)"
    New-ADServiceAccount -Name gMSA01 -DNSHostName $DnsHostName -PrincipalsAllowedToRetrieveManagedPassword $Dcs
}
5. If you receive the message "Please wait 10 hours and then run this script again" wait 10 hours then run the script again.
6. Enter gMSA01 as the username, select Group managed service account, enter your domain name in the space provided, and click Save.
How to install the sensor on your AD servers
1. Open the Microsoft Defender for Identity admin center.
2. Click Configuration > Sensors.
3. Click Download. Save the zip to your computer.
4. Copy the zip file to one of your domain controllers.
5. Extract the zip.
6. Run Azure ATP Sensor Setup.exe
7. On the Install Microsoft Defender for Identity Sensor page click Next.
8. On the Sensor deployment type page click Next.
9. Go back to the Sensors page in the Defender for Identity admin center and copy the Access key. Paste the access key into the Configure the Sensor page. Click Install.
10. Click Finish.
11. Repeat steps 4-10 on each domain controller and AD FS server.
12. Once the sensor is installed on all of your domain controllers refresh the Defender for Identity Sensors web page and verify the DCs appear in the list with the status of Running.
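Rather than only eyeballing the Sensors page, you can check the installation from the domain controllers' side. The script below is an added example, not code from the page or from Microsoft: it queries the two sensor services on every domain controller and tests that each one can reach the cloud endpoint on TCP 443. It assumes WinRM is enabled on the domain controllers and that your Defender for Identity workspace is named "contoso" (the sensor talks to `<workspace>sensorapi.atp.azure.com`); replace that with your own workspace name.

```powershell
# Added example: verify the Defender for Identity sensor on every domain controller.
# Assumption: workspace name "contoso" -> endpoint contososensorapi.atp.azure.com (change this).
Import-Module ActiveDirectory

$SensorEndpoint = "contososensorapi.atp.azure.com"
$Dcs = (Get-ADDomainController -Filter *).HostName

$Report = Invoke-Command -ComputerName $Dcs -ArgumentList $SensorEndpoint -ScriptBlock {
    param($Endpoint)
    # AATPSensor is the sensor itself; AATPSensorUpdater downloads and applies sensor updates.
    $Svc = Get-Service -Name AATPSensor, AATPSensorUpdater -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC         = $env:COMPUTERNAME
        Sensor     = ($Svc | Where-Object Name -eq 'AATPSensor').Status
        Updater    = ($Svc | Where-Object Name -eq 'AATPSensorUpdater').Status
        # Outbound HTTPS to the cloud service is mandatory; a proxy that blocks it shows up here.
        CloudReach = Test-NetConnection -ComputerName $Endpoint -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    }
}

$Report | Sort-Object DC | Format-Table DC, Sensor, Updater, CloudReach -AutoSize

# Anything that is not Running / True needs fixing before you rely on the alerts.
$Report | Where-Object { $_.Sensor -ne 'Running' -or $_.Updater -ne 'Running' -or -not $_.CloudReach }
```

A DC whose services are Running but whose CloudReach is False will still appear in the portal, only with a stale "last seen" time, so it's worth re-running this check after any proxy or firewall change.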
Configure Delayed updates
Now that we have the software installed there's one configuration option you should know. Delayed updates give you the ability to set the Defender for Identity to delay installing updates by 72 hours. Typically, Microsoft will release updates for the sensor a couple of times a month. By setting the delay to 72 hours you may be a little bit behind but you'll be less likely to have a negative impact due to an update being misconfigured.
1. Go to the Microsoft 365 Defender portal > More resources > Click Open located under Azure Advanced Threat Protection.
2. Click Settings in the left nav > Updates. Click the Delayed update switch to On. Click Save.
Configure Automatic Actions
In these steps, we'll give the group managed service account we created earlier (gMSA01) the Active Directory permissions it needs to perform automatic actions in our AD domain: forcing a password reset, disabling a user, and removing a user from a group.
1. Open Active Directory Users and Computers. Right-click the domain and click Properties.
2. Click the Security tab > Advanced > Add.
3. Click Select a principal. Click Object Types > Service Accounts > OK. Enter gMSA01 in the object name to select box. Click OK.
4. Click the Applies to drop down. Select Descendant User object.
5. To allow forced password resets, tick Permissions: Reset password, Properties: Read pwdLastSet, and Properties: Write pwdLastSet.
6. To allow the account to disable users, tick Properties: Read userAccountControl and Properties: Write userAccountControl.
7. Click OK.
8. Click Add > Select a principal. Enter gMSA01 in the name field again and click OK. Click the Applies to dropdown and select Descendant Group objects.
9. To allow the account to remove users from groups, tick Properties: Read Members and Properties: Write Members.
10. Click OK. Click Apply > OK.
11. Go back to the Microsoft Defender admin center web page. Click Settings > Identities > Manage action accounts.
12. Click Add credentials. Set the account name to gMSA01. Set the domain to your internal domain name. Click Save.
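The same ACEs can be granted from the command line, which is easier to repeat, review, and put in source control than the Advanced Security Settings dialog. The script below is an added example (not from the page or from Microsoft) that uses dsacls, which ships with the AD DS tools; it assumes the gMSA is called gMSA01 and reads the domain's distinguished name and NetBIOS name from Active Directory.

```powershell
# Added example: grant the action-account gMSA the same rights as the GUI steps above.
# Assumption: the gMSA is named gMSA01 (a gMSA's sAMAccountName ends with $).
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName            # e.g. DC=contoso,DC=com
$Account  = "$($Domain.NetBIOSName)\gMSA01`$"   # e.g. CONTOSO\gMSA01$

# /I:S applies each ACE to descendant objects only, never to the domain object itself,
# and the trailing ";user" or ";group" limits it to that object class (the GUI's
# "Descendant User objects" / "Descendant Group objects").

# Force password reset: the "Reset Password" control-access right plus read/write pwdLastSet.
dsacls $DomainDN /I:S /G "${Account}:CA;Reset Password;user"
dsacls $DomainDN /I:S /G "${Account}:RPWP;pwdLastSet;user"

# Disable user: read/write userAccountControl on descendant user objects.
dsacls $DomainDN /I:S /G "${Account}:RPWP;userAccountControl;user"

# Remove user from group: read/write the member attribute on descendant group objects.
dsacls $DomainDN /I:S /G "${Account}:RPWP;member;group"

# Verify: list only the ACEs on the domain object that mention the gMSA.
dsacls $DomainDN | Select-String -Pattern 'gMSA01\$'
```

Deliberately nothing broader is granted here: the action account can reset passwords and disable or de-group users, but it cannot create objects, change group scopes, or touch computers, which keeps the blast radius small if the sensor host or the gMSA is ever compromised.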
How to set up the sensitive accounts
Sensitive accounts are typically C-level executives, administrator accounts, and service accounts with elevated rights. Members of the built-in administrative groups and the domain controllers are tagged as sensitive automatically, but we'll tag the remaining accounts manually. Defender for Identity applies extra detection logic to sensitive entities, and its lateral movement path reports are built around them.
1. Go to Microsoft Defender admin center > Settings > Identities > Sensitive.
2. Click Tag users. Click the check box next to the accounts you want to add. Click Add selection.
How to set up honey token accounts
Honeytoken accounts are decoy accounts that are never used for anything, and nobody should ever log into them. Any attempt to authenticate as a honeytoken account, for example by an attacker who has gained a foothold and is hunting for privileged accounts, triggers a honeytoken activity alert in Defender for Identity.
1. Create an account in your on-premises Active Directory Users and Computers. Name the account something like "Gruber Admin" that a malicious user would find and attempt to access.
2. Wait until the new account shows up in Defender for Identity. The sensor learns it from Active Directory, which typically takes about an hour.
3. Go to Microsoft Defender admin center > Settings > Identities > Honeytoken.
4. Click Tag users. Select the honeytoken account you created in step 1. Click Add selection.
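Creating the decoy from PowerShell lets you give it a convincing name and description, a password nobody knows, and a quick way to confirm it stays unused. The script below is an added example, not code from the page or from Microsoft. It assumes the domain contoso.com, an OU "OU=Admins,DC=contoso,DC=com", and the account name gruber.admin; adjust all three. The last query is a local cross-check on a domain controller's Security log and goes slightly beyond the page: it finds authentication attempts naming the honeytoken even before the Defender for Identity alert arrives.

```powershell
# Added example: create a honeytoken account and check it is never used.
# Assumptions: domain contoso.com, OU=Admins,DC=contoso,DC=com, account gruber.admin.
Import-Module ActiveDirectory

$Sam = "gruber.admin"

# A 32-byte random password nobody knows. The account must never be logged into; the password
# only exists so the account looks like a normal, enabled admin account to someone enumerating AD.
$Bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
$Password = ConvertTo-SecureString -String ([Convert]::ToBase64String($Bytes)) -AsPlainText -Force

# The name and description are the bait: they should read like something worth stealing.
New-ADUser -Name "Gruber Admin" -SamAccountName $Sam -UserPrincipalName "$Sam@contoso.com" `
    -Path "OU=Admins,DC=contoso,DC=com" `
    -Description "Legacy domain admin - used by backup jobs" `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true

# Sanity check now and on a schedule: LastLogonDate must stay empty. A value here means
# someone authenticated as the honeytoken, which is an incident on its own.
Get-ADUser -Identity $Sam -Properties LastLogonDate, BadPwdCount, PasswordLastSet |
    Select-Object SamAccountName, Enabled, LastLogonDate, BadPwdCount, PasswordLastSet

# Local cross-check on a domain controller: Kerberos TGT requests (4768), Kerberos pre-auth
# failures (4771) and NTLM validations (4776) that name the honeytoken, with the source.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4771, 4776 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "\b$([regex]::Escape($Sam))\b" } |
    Select-Object TimeCreated, Id, @{ Name = 'Source'; Expression = {
        ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Client Address|Source Workstation' }) -join ' ' } }
```

Leave the account enabled: Defender for Identity alerts on any authentication attempt against a honeytoken whether it succeeds or not, and an enabled account is a more believable target than a disabled one.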
Enable Microsoft Defender for Identity data integration into Microsoft Defender for Cloud Apps
1. Open Microsoft Defender portal > More resources > Microsoft Defender for Cloud Apps.
2. Click the gear in the top right corner > Settings > Microsoft Defender for Identity. Check the Enable Microsoft Defender for Identity integration. Click Save.
Enable Microsoft Defender for Identity data integration into Microsoft Defender for Endpoint
1. Go to Microsoft Defender for Identity admin center > Configuration > Microsoft Defender for Endpoint.
2. Click On next to Integration with Microsoft Defender for Endpoint. Click Save.
3. Go to the Microsoft 365 Defender admin center > Settings > Endpoints > Advanced Features.
4. Enable the Microsoft Defender for Identity integration setting. Click Save preferences.
How to configure monitoring for a server that cannot connect to the internet
The sensor normally runs on each domain controller and needs outbound HTTPS to the Defender for Identity cloud service. If a domain controller can't reach the internet (or you can't install software on it), you can still monitor it with a standalone sensor on a separate server that can reach the cloud. Because the standalone sensor doesn't sit on the domain controller, it has to be fed the domain controller's data in two ways: port mirroring, so it sees a copy of the domain controller's network traffic, and a Windows Event Forwarding subscription, so it receives the domain controller's Windows events.
Install the sensor in standalone mode
Here's a scenario you'll probably never see in real life, but it may be on the test. Let's say you have 2 servers: Server1 and Server2. Server1 is a domain controller and can't connect to the internet. Server2 is a member server that can communicate with Server1 and can connect to the internet. How do you monitor Server1 using the sensor?
1. Install the standalone sensor on Server2.
2. Set up an event subscription (Windows Event Forwarding) so Server1's Windows events are forwarded to Server2.
3. Set up port mirroring so Server2 receives a copy of Server1's network traffic.
How to monitor VPN
So now we're at another oddball. It's not very common, so I won't go into details, but you may see the question on the test. How do we integrate a VPN and Microsoft Defender for Identity?
Let's run through the scenario. Let's say you have a VPN server named VPN1 that runs Windows Server 2016 with the Remote Access role installed and configured. You have the Defender for Identity sensor installed on a Windows Server 2016 server named Server1. How do we integrate the VPN and Defender for Identity?
1. Configure RADIUS accounting on VPN1, pointing it at Server1 on UDP port 1813 with a shared secret.
2. Enable VPN / RADIUS accounting in the Defender for Identity settings and enter the same shared secret.
3. Open inbound UDP port 1813 on Server1's firewall so the sensor can receive the accounting messages.
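For completeness, the VPN-side and sensor-side steps as commands. This is an added example, not from the page or from Microsoft; it assumes VPN1 runs the Routing and Remote Access role with the RemoteAccess PowerShell module available (as on Windows Server 2016), that the sensor host is server1.contoso.com, and that you enter the same shared secret in the Defender for Identity VPN settings, which this script can't do for you.

```powershell
# Added example: RADIUS accounting from a Windows RRAS VPN to the Defender for Identity sensor.
# Assumptions: sensor host server1.contoso.com; the RemoteAccess module on VPN1.

# --- On Server1 (sensor): the sensor receives RADIUS accounting on UDP 1813 ---
New-NetFirewallRule -DisplayName "Defender for Identity RADIUS accounting" -Direction Inbound `
    -Protocol UDP -LocalPort 1813 -Action Allow -Profile Domain

# After RADIUS accounting is switched on in the portal, the sensor process should own the port.
Get-NetUDPEndpoint -LocalPort 1813 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } }

# --- On VPN1 (RRAS): send accounting (not authentication) to the sensor ---
# Prompt for the secret instead of hard-coding it; the cmdlet needs it as a plain string.
$Secret = Read-Host -Prompt "RADIUS shared secret" -AsSecureString
$Plain  = [System.Net.NetworkCredential]::new('', $Secret).Password

Set-RemoteAccessAccounting -EnableAccountingType ExternalRadius -RadiusServer "server1.contoso.com" `
    -SharedSecret $Plain -RadiusPort 1813
Get-RemoteAccessAccounting
```

Only accounting goes to the sensor: VPN authentication stays wherever it is today. The accounting records are what give Defender for Identity the external IP address behind a user's VPN session, which is then shown on the user's profile and used for its location-based detections.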
How to integrate SIEM and Defender for identity
Here's another oddball I won't go into detail on, but you may see it on the test. How and when do we integrate a third-party security information and event management (SIEM) solution and Defender for Identity?
Defender for Identity depends on certain Windows events from the domain controllers, for example the group-membership events that show a sensitive group being modified and event 7045 (a new service was installed) that shows a service being created. A sensor installed on a domain controller reads those events locally, as long as the audit policy generates them. The SIEM integration is for the case where the sensor can't read them itself, typically a standalone sensor: you configure the third-party SIEM, which already collects the domain controllers' logs, to forward those events to the sensor, which accepts them over syslog.
How do you integrate a SIEM solution and Defender for Identity? By configuring event forwarding, from the SIEM or directly from the domain controllers, to the sensor.
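The two feeds a standalone sensor needs, as commands. This is an added example, not from the page or from Microsoft, and it serves both the Server1/Server2 standalone-sensor scenario above and the "configure event forwarding" answer to the SIEM question. It assumes Server1 (the domain controller) and Server2 (the standalone sensor) are Hyper-V VMs named "Server1" and "Server2" on the same host, in the domain contoso.com; with physical switches the port-mirroring step becomes the switch vendor's SPAN/mirror configuration instead of the Hyper-V cmdlets. The forwarded event IDs are the NTLM, group-membership and service-creation events mentioned above.

```powershell
# Added example: feed a standalone sensor with the DC's traffic (port mirroring) and events (WEF).
# Assumptions: Hyper-V VMs "Server1" (DC) and "Server2" (sensor); domain contoso.com.

# --- 1. Port mirroring (run on the Hyper-V host): copy Server1's traffic to Server2's NIC ---
Set-VMNetworkAdapter -VMName Server1 -PortMirroring Source
Set-VMNetworkAdapter -VMName Server2 -PortMirroring Destination

# --- 2. Event collector (run on Server2): start the collector and define a source-initiated
#        subscription for the events the sensor needs: NTLM validation (4776), group membership
#        changes (4728/4729, 4732/4733, 4756/4757) and new service installs (7045). ---
wecutil qc /q
$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>MDI-DomainControllers</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward DC events to the standalone Defender for Identity sensor</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[(EventID=4776 or EventID=4728 or EventID=4729 or EventID=4732 or EventID=4733 or EventID=4756 or EventID=4757)]]</Select>
    <Select Path="System">*[System[(EventID=7045)]]</Select>
  </Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: only members of Domain Controllers (alias DD) may push events to this collector -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@
$Path = Join-Path $env:TEMP 'mdi-subscription.xml'
Set-Content -Path $Path -Value $SubscriptionXml -Encoding UTF8
wecutil cs $Path

# --- 3. Forwarder (run on Server1; in production deliver these via GPO to all DCs) ---
winrm quickconfig -q
# Policy "Configure target Subscription Manager": tell the DC which collector to push to.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name '1' `
    -Value 'Server=http://server2.contoso.com:5985/wsman/SubscriptionManager/WEC,Refresh=60'
# The forwarding runs as NETWORK SERVICE (SDDL alias NS), which by default cannot read the
# Security log: append a read ACE to the channel's access SDDL if it is not there yet.
$Sddl = ((wevtutil gl Security | Select-String '^channelAccess:').Line) -replace '^channelAccess:\s*', ''
if ($Sddl -notmatch '\(A;;0x1;;;NS\)') { wevtutil sl Security /ca:"${Sddl}(A;;0x1;;;NS)" }
gpupdate /force

# --- 4. Check (run on Server2): the subscription is active and events are arriving ---
wecutil gs MDI-DomainControllers
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 | Select-Object TimeCreated, Id, MachineName
```

Two caveats a practitioner will hit: the events only exist if the domain controllers' advanced audit policy generates them (Audit Credential Validation, Audit Security Group Management), and a mirrored port delivers packets that never would have been addressed to Server2, so the sensor's NIC must be able to receive them (Hyper-V handles this for a Destination adapter; on a physical NIC, check that the driver isn't filtering).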
How to monitor alerts
The alerts will show up in a couple of different places. First, they'll show up in the Microsoft Defender for Identity Timeline. Next, they'll show up in the Microsoft 365 Defender portal under Incidents & alerts. Finally, they'll show up on the Microsoft Defender for Cloud Apps Alerts page.
How to view alerts in the Microsoft Defender for Identity Timeline
1. Go to Microsoft Defender for Identity admin center > Timeline.
From there you'll see the suspicious activity in a timeline. You can click an alert to review more details about the issue. You can also click the ellipsis (...) next to an alert and close, suppress, or delete an alert.
How to view alerts in the Microsoft Defender admin center
1. Open the Microsoft Defender admin center > Incidents & alerts > Incidents.
From there you can see the incidents. By clicking an incident name you can view more information, for example, the user and device that was used.
How to view alerts in the Microsoft Defender for Cloud Apps admin center
1. Open the Microsoft Defender for Cloud Apps admin center > Alerts.