Microsoft Defender for Identity | Microsoft Community Hub

Forum Widgets

Latest Discussions

Change password for krbtgt account
What is the criteria that MDI uses to determine whether the https://learn.microsoft.com/en-us/defender-for-identity/security-posture-assessments/accounts#change-password-for-krbtgt-account recommendation has been completed? I'm working with an org where the passwordLastSet attribute on the krbtgt account says "never", yet this recommendation is showing "Completed".
rgsteele
Copper Contributor
Nov 16, 2025
19Views
0likes
0Comments
sensor service fails to start
Hello, i've installed MDI on all of our domain controllers and everything went fine. I am trying to install MDI our Entra connect server and our certificate authority server (which are not domain controllers) and the service is continually failing to start. Could someone please point me in the right direction on how to rectify this? I've tried: recreating the service account (3x), checking the service account with Test-ADServiceAccount (works fine from both member servers) verified the service account is given the right to log on as service. The error log is very vague: 2025-11-13 19:05:30.0968 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__49 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName={FQDN of DC}] at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing) at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing) 2025-11-13 19:05:30.1124 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers [ _domainControllerConnectionDatas={FQDN of DC}] at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDirectoryServicesDomainNetworkCredentialsManager domainNetworkCredentialsManager, IDomainTrustMappingManager domainTrustMappingManager, IRemoteImpersonationManager remoteImpersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy) at object lambda_method(Closure, object[]) at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate() at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes) at new Microsoft.Tri.Sensor.SensorModuleManager() at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager() at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync() at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task) at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
tandersn
Copper Contributor
Nov 13, 2025
56Views
0likes
0Comments
MDI AD CS sensor not switching from removed DC
We are in the process of replacing our Domain Controllers. What I found is that the MDI sensor on our PKI server is still stuck with a domain controller which has been demoted and removed from the domain. (Sensor version: 2.250.18972.18405) I guess, if I reinstall the sensor, it will find a new domain controller - but what if it finds a DC that is to be decommissioned? Should I reinstall the sensor until it choses a "new" DC? Thank you in advance, Daniel
Solved
kuglidani
Copper Contributor
Nov 10, 2025
Sensor
65Views
0likes
2Comments
Sizing tool for v3 sensor
Hi, I'm looking at the Defender for Identity v3 sensor. With the v2 sensor we have the sizing tool. Is the existing sizing tool applicable / needed for the v3 sensor? Thanks, Alastair.
AlastairCain
Brass Contributor
Nov 07, 2025
17Views
0likes
0Comments
Incorrect Secure Score recommendation - Remove unnecessary replication permissions
Hi, In our environment, we got the "Remove unnecessary replication permissions for Entra Connect AD DS Connector Account" secure score recommendation. Based on the https://learn.microsoft.com/en-us/defender-for-identity/remove-replication-permissions-microsoft-entra-connect replication permission is needed when PHS is in use. We are using PTA, but PHS is also enabled as a fallback. On the Entra Connect server I ran the following: Import-Module ADSyncDiagnostics Invoke-ADSyncDiagnostics -PasswordSync The result is: Password Hash Synchronization cloud configuration is enabled If I remove the replication permission, we soon receive an alert that password hash sync did not occour. Is it normal? I would say that the sensor should be able to detect PHS usage hence not recommending to remove the permissions. Thank you in advance, Daniel
Solved
kuglidani
Copper Contributor
Oct 27, 2025
identity protection
microsoft 365 defender
security posture
77Views
0likes
2Comments
Activity logs not showing in cloud apps
Hi folks, MDI activity logs not showing in cloud apps, the last log was on May 13, 2025, It is showing for multiple tenants. Anybody experiencing similar issue?
prasanthpro7
Copper Contributor
Sep 11, 2025
313Views
0likes
3Comments
Entra ID Sensitive Groups
We have our AD sensitive groups programmed into the identity module but we don't know how to add Entra security groups to the sensitive groups list. Has anyone done this before?
beikjrir
Copper Contributor
Aug 22, 2025
92Views
0likes
1Comment
Alert Not Found
We are receiving the following the follow alert from Defender; 2025-08-15T09:26:42-07:00 {SERVERNAME} CEF[6208]0|Microsoft|Azure ATP|##########|AccountEnumerationSecurityAlert|Account enumeration reconnaissance|5|start=2025-08-15T16:23:14.5550516Z app=Ntlm shost=NULL shostfqdn= msg=An actor on NULL performed suspicious account enumeration, exposing 6 existing account names. externalId=2003 cs1Label=url cs1=https://security.microsoft.com/alerts/xx###xxxx-#xx#-####-#x##-##x##x#x#x#x cs2Label=trigger cs2=update But when we go to the URL listed, we get an error that it can't be found. We are able to see other alerts that come in. How do I go about finding the details on this error?
edhealea
Copper Contributor
Aug 20, 2025
109Views
0likes
2Comments
Agent install error
Hi Everyone, One of the servers running the agent was failing to update so I attempted a reinstall. During install it fails / rollsback with an error in the log stating "failed connecting to service. The issue can be caused by a transparent proxy configuration". The device does use a proxy set via netsh, and I've tried specifying it on the command line of the install. I have read elsewhere that this can be related to SSL inspection or an issue with Root CAs on the device. I know there is no inspection going on in this case. I have compared the Root CA list on this device to working devices and don't see anything related to Microsoft that is different. Any ideas?
Bobbers
Copper Contributor
Aug 05, 2025
Sensor
145Views
0likes
1Comment
Low success rate of active name resolution NetBIOS (failed rates 80%) andRdpTls (failed rate 90%).
Low success rate of active name resolution Three Domain controllers are failing name resolution using NetBIOS (failed rates 80%), NetworkNameResolverMethod RdpTls (failed rate 90%) however RPC over NTLM and reverse DNS working confirmed by Microsoft support.The three domain controllers are runing windows server 2016 with the installed Azure ATP Sensor on the DCs is version is 2.243 I need assistance how to get this issue resoves on the failing three dc please.
paddypowers
Copper Contributor
Aug 01, 2025
132Views
0likes
2Comments

Resources

Tags

Sensor49 Topics
microsoft 365 defender43 Topics
identity protection36 Topics
alerts17 Topics
security posture17 Topics
logging13 Topics
azure active directory11 Topics
updates10 Topics
requirements8 Topics
Investigations8 Topics