MicrosoftGood stuff! The powershell module is a real banger when it comes to setting up this correctly.
I have some followup questions:
1. In your post above there is no mention about Action account. Previously Microsoft recommended seperating the DSA and Action account, the powershell module seems to not have any support for this.
2. Licensing Licensing Licensing, ive had many cases with DFI team and they always come back with the same info, there is no technical way to exclude unlicensed users, none. So by default DFI coverers all user, computer and ou objects in your tenant no matter what. So, having 500 E5 licenses and 1500 user objects (even if old service accounts and inactive accounts saved for traceability) it meens we are not compliant untill we get 1.500 E5 licenses, even tho only 1-500 active users are working in my tenant, right ?
3. Activating the gMSA accounts on the domaincontrollers, that step is not mentioned anywhere, is the new-mdidsa powershell module solving that ?
Thank you!
Microsoft1) I probably should have brought the discussion up on "Action Account", but we recommend "Using a dedicated gMSA as an action account is optional. We recommend that you use the default settings for the LocalSystem account." So there is nothing to do from an admin user install prespective.
Manage action accounts - Microsoft Defender for Identity | Microsoft Learn
2) I can't comment on license questions, please work with the team you purchased your licensing from.
3) Once the gMSA is created (Using the MDI PoSh cmdlet(s)) there should be no activation required. I verified this by bringing up another DC in my lab to ensure that this worked without any effort on my part. Please see the notification on using any of my PowerShell scripts within the blog itself.
Thanks!
1. Good stuff, the wording has been changed! great to see (in my own scripts i always deploy two, i can now modify to streamline for 1). <3
2. Thanks! Understandable. There are so many uncompliant instances as its not well known that all objects (even if 15.000 inactive or frontlineworker accounts are present that do not use devices, laptops or pc's - but have an userobject in AD) needs to be covered with a license. Many companies buys 500 E5's for their officeworkers but forget the rest.
3. So, localsystem, is there any configuration needed for this account like you do with a separate gMSA action account? to me it seems kinda weird that system account has the access needed to become 'action account' in my Active Directory. But perhaps clicking the 'automaticly use the local system account' in XDR-portal does something in the background configures its access in AD to reset pw and disable accounts (im trying to understand how its granted these rights).
(For anyone reading this, the activation mentioned earlier is: Install-ADServiceAccount -Identity gMSA-Account, which was needed for each DC where gMSA account would be active on)
Keep up the great work :) !
Would love to see how you could bring the powershell module with you to an envoirment that has no internetconnection!
