Reading through the MDI documentation there are two tasks that need to be done for the MDI sensor on an Entra Connect server to work:
- Audit Events 4624 (https://learn.microsoft.com/en-us/defender-for-identity/deploy/configure-windows-event-collection#configure-auditing-for-entra-connect)
- Add directory service account (e.g. gMSA) to Log on as a Service policy on Entra Connect server (https://learn.microsoft.com/en-us/defender-for-identity/deploy/active-directory-federation-services#prerequisites).
The interesting thing is that if neither of the prerequisites is set, both services (AATPSensor, AATPSensorUpdater) are running. There are no errors in the local MDI logs, nor are there sensor health alerts in the MDI section of the Defender XDR portal.
Will these checks be added in a future version of the MDI sensor, or is the gMSA not needed as the directory service account for the Entra Connect server?
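Since the sensor itself does not flag either prerequisite, a practitioner will want a local check. The following PowerShell script is an added example (not part of the question above and not taken from the Microsoft docs or the MDI sensor) that verifies both prerequisites on the Entra Connect server: whether the Logon audit subcategory is producing 4624 events, whether 4624 events actually exist in the Security log, and whether the directory service account holds the "Log on as a service" right (SeServiceLogonRight). The gMSA name `CONTOSO\mdiSvc01$` is an assumed placeholder; the two service names come from the question. Run it from an elevated PowerShell prompt on the Entra Connect server.

```powershell
# Added check script for the two MDI prerequisites on an Entra Connect server.
# Not from the original post or from Microsoft; the gMSA name is an assumption.
param(
    # Assumed directory service account (gMSA sAMAccountName ends with '$').
    [string]$DsaAccount = 'CONTOSO\mdiSvc01$'
)

$results = [ordered]@{}

# 1. Advanced audit policy: the "Logon" subcategory must be set to at least
#    Success, otherwise no 4624 events are written for the sensor to read.
$auditRow = auditpol /get /subcategory:"Logon" /r |
    Where-Object { $_ } |            # drop the blank line auditpol prints first
    ConvertFrom-Csv |
    Where-Object { $_.Subcategory -eq 'Logon' }
$logonSetting = if ($auditRow) { $auditRow.'Inclusion Setting' } else { 'No Auditing' }
$results['Audit Logon (4624) enabled'] = $logonSetting -match 'Success'
$results['Audit Logon current value']  = $logonSetting

# 2. Sanity check: is at least one 4624 actually present in the Security log?
$latest4624 = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue
$results['4624 present in Security log'] = [bool]$latest4624
$results['Most recent 4624'] = if ($latest4624) { $latest4624.TimeCreated } else { 'none' }

# 3. User right: the DSA must be granted SeServiceLogonRight ("Log on as a service").
#    secedit exports the right as a comma-separated list of *SIDs and/or names.
$cfg = Join-Path $env:TEMP 'mdi-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
$grantees = @()
if ($rightLine) {
    $grantees = ($rightLine.Line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Resolve the account to a SID so the comparison works whichever form secedit used.
$dsaSid = $null
try {
    $dsaSid = (New-Object System.Security.Principal.NTAccount($DsaAccount)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    Write-Warning "Could not resolve $DsaAccount to a SID: $($_.Exception.Message)"
}
$results['DSA has Log on as a service'] =
    ($dsaSid -and $grantees -contains $dsaSid) -or ($grantees -contains $DsaAccount)
$results['SeServiceLogonRight grantees'] = ($grantees -join ', ')

# 4. For context: the sensor services run even when the checks above fail.
foreach ($svc in 'AATPSensor', 'AATPSensorUpdater') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $results["Service $svc"] = if ($s) { $s.Status } else { 'not installed' }
}

# Print one line per check; $false on the two prerequisite lines means the
# documented requirement is not met on this server.
$results.GetEnumerator() | ForEach-Object { '{0,-32}: {1}' -f $_.Key, $_.Value }
```

The exact audit settings Microsoft requires (Success and/or Failure) are in the linked "Configure auditing for Entra Connect" page; the script only tests that Success is enabled, which is the part that produces 4624. If the right is granted through a domain GPO rather than locally, `secedit /export` still reflects the effective setting, but a freshly linked GPO will not show up until `gpupdate /force` has run.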