Blog Post

Microsoft Defender XDR Blog

5 MIN READ

Protect and Detect: Microsoft Defender for Identity Expands to Entra Connect Server

Microsoft

Aug 28, 2024

We are excited to announce a new Microsoft Defender for Identity sensor for Entra Connect servers. This addition is a significant step in our ongoing commitment to expanding Defender for Identity’s c...

Updated Sep 19, 2024

Version 4.0

microsoft defender for identity

LiorShapira

Microsoft

Joined May 25, 2022

View Profile

Microsoft Defender XDR Blog

Follow this blog board to get notified when there's new activity

am1357

Brass Contributor

Sep 02, 2024

Reading through the MDI documentation there are two tasks that need to be done for the MDI sensor on a Entra Connect server to work:

Audit Events 4624 (https://learn.microsoft.com/en-us/defender-for-identity/deploy/configure-windows-event-collection#configure-auditing-for-entra-connect)
Add directory service account (e.g. gMSA) to Log on as a Service policy on Entra Connect server (https://learn.microsoft.com/en-us/defender-for-identity/deploy/active-directory-federation-services#prerequisites).

The interesting thing is that if neither of the prerequisites are set both services (AATPSensor, AATPSensorUpdater) are running. There are no errors in the local MDI logs nor are there sensor health alerts in the MDI section of the Defender XDR portal.

Will these checks be added in a future version of the MDI sensor or is the gMSA not needed as directory service account for the Entra Connect server?