Setup instructions for Microsoft Defender for Identity - mattnovitsch/M365 GitHub Wiki

Looking to deploy Microsoft Defender for Identity? Follow these quick steps to get deployed. If you still have trouble, put in a request for assistance at Fast Track. Fast Track can walk you through the process.

Setup instructions for Microsoft Defender for Identity

  1. Run the sizing tool for 24 hours on a machine with a user that has access to all the domain controllers and/or ADFS servers: Plan capacity for deployment - Microsoft Defender for Identity | Microsoft Learn
  2. Configure Audit Policies via GPO for all DCs, AD CS, and/or ADFS servers. You can use the Domain Controller Default Domain Policy or create a new one: Configure Advanced Audit Policy settings
  3. Configure NTLM Auditing: Configure NTLM auditing
  4. Configure ADFS Auditing: Configure auditing on an Active Directory Federation Services (AD FS) | Microsoft Learn
  5. Configure Certificate Services Auditing: Configure auditing for Active Directory Certificate Services (AD CS)
  6. Configure auditing on the Configuration container: Configure auditing on the configuration container
  7. Set up an account for Directory Services in MDI: Directory Service account recommendations - Microsoft Defender for Identity | Microsoft Learn
  8. If you plan on using a Managed Action Account to resolve situations in your environment: Manage action accounts - Microsoft Defender for Identity | Microsoft Learn
  9. Configure any proxy settings: Configure endpoint proxy and Internet connectivity settings - Microsoft Defender for Identity | Microsoft Learn
  10. Make sure firewall/proxies allow access to your tenant: Prerequisites - Microsoft Defender for Identity | Microsoft Learn
  11. Run the MDI Readiness script to confirm all settings are applied correctly: Microsoft-Defender-for-Identity/Test-MdiReadiness at main · microsoft/Microsoft-Defender-for-Identity (github.com)
  12. Install Sensor: Install the sensor - Microsoft Defender for Identity | Microsoft Learn

        a. If you have NPCAP from another installation like Wireshark follow these instructions: Microsoft Defender for Identity frequently asked questions - Microsoft Defender for Identity | Microsoft Learn
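As an added pre-check (not part of this wiki or of Microsoft's tooling), the PowerShell below reads the local DC's effective audit policy and the NTLM auditing registry values and flags what steps 2 and 3 would still need to change. The required subcategories and expected NTLM values are my reading of the articles linked in steps 2 and 3, so verify them against those links; the Test-MdiReadiness script in step 11 remains the authoritative check.

```powershell
# Added example: quick audit-setting pre-check on a domain controller.
# Run in an elevated PowerShell on the DC. Expected values below are assumptions
# taken from the MDI audit policy and NTLM auditing articles; confirm against them.

# Advanced audit policy subcategories MDI needs (event IDs they generate in comments).
$RequiredSubcategories = @(
    'Credential Validation',            # 4776
    'Computer Account Management',      # 4741-4743
    'Distribution Group Management',    # 4753, 4763
    'Security Group Management',        # 4728-4758 group membership changes
    'User Account Management',          # 4726
    'Directory Service Access',         # 4662 (also needs SACLs, see steps 5 and 6)
    'Directory Service Changes',        # 5136
    'Security System Extension'         # 7045
)

# auditpol /r prints CSV; the 'Inclusion Setting' column holds e.g. "Success and Failure".
$Effective = auditpol /get /category:* /r | ConvertFrom-Csv

$Findings = @(foreach ($Name in $RequiredSubcategories) {
    $Row = $Effective | Where-Object { $_.Subcategory -eq $Name }
    $Setting = if ($Row) { $Row.'Inclusion Setting' } else { 'Not found' }
    [pscustomobject]@{
        Check  = "Audit: $Name"
        Value  = $Setting
        Status = if ($Setting -eq 'Success and Failure') { 'OK' } else { 'FIX' }
    }
})

# Step 3 (NTLM auditing): registry values written by the three NTLM audit GPO settings.
$NtlmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$NtlmExpected = @{
    AuditReceivingNTLMTraffic  = 2   # Audit Incoming NTLM Traffic: enable for all accounts
    RestrictSendingNTLMTraffic = 1   # Outgoing NTLM traffic to remote servers: Audit all
    AuditNTLMInDomain          = 7   # Audit NTLM authentication in this domain: Enable all
}
$Findings += @(foreach ($ValueName in $NtlmExpected.Keys) {
    $Actual = (Get-ItemProperty -Path $NtlmKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        Check  = "NTLM: $ValueName"
        Value  = if ($null -eq $Actual) { 'Not set' } else { $Actual }
        Status = if ($Actual -eq $NtlmExpected[$ValueName]) { 'OK' } else { 'FIX' }
    }
})

$Findings | Format-Table -AutoSize
# Non-zero exit lets you gate the sensor install (step 12) on a clean result.
if ($Findings.Status -contains 'FIX') { exit 1 }
```

Subcategory names come from `auditpol` and are locale-specific; on a non-English DC match on the 'Subcategory GUID' column instead.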

NOTE: If you go to Settings, try to deploy the sensor, and get an error when provisioning your instance, go into Azure Active Directory and find the groups below. If they are present, make sure there are no users assigned to them; if there are, make a note of those users first. Delete the groups and then try to provision your instance again.

Note for VMware users: If you have a Defender for Identity sensor on VMware virtual machines, you might receive the health alert "Some network traffic is not being analyzed": VMware virtual machine sensor issue