Latest Discussions
Incorrect Secure Score recommendation - Remove unnecessary replication permissions
Hi,

In our environment, we got the "Remove unnecessary replication permissions for Entra Connect AD DS Connector Account" Secure Score recommendation. Based on https://learn.microsoft.com/en-us/defender-for-identity/remove-replication-permissions-microsoft-entra-connect, the replication permission is needed when PHS is in use. We are using PTA, but PHS is also enabled as a fallback. On the Entra Connect server I ran the following:

    Import-Module ADSyncDiagnostics
    Invoke-ADSyncDiagnostics -PasswordSync

The result is:

    Password Hash Synchronization cloud configuration is enabled

If I remove the replication permission, we soon receive an alert that password hash sync did not occur. Is it normal? I would say that the sensor should be able to detect PHS usage and hence not recommend removing the permissions.

Thank you in advance,
Daniel

Solved

MDI Activation vs. Manual/Scripted Install.
Hi, we recently noticed the new 'Activation' feature MDI added with MDE in our portal (https://learn.microsoft.com/en-us/defender-for-identity/deploy/activate-capabilities), and we're very interested in the capabilities, but concerned about one thing the documentation states. In the documentation, it says that the activation is just the 'core' protections, while the installer package is a more robust defense. I was wondering if there were key differences, like losing out on some stuff, or if both installations would cover the same activities, etc., before we go through with preferring one method to the other. Thanks!

Solved | dhorne25 | Mar 12, 2025

Easiest way to view remediated risk detections?
I'm looking in Lighthouse at a series of risky logins that are remediated. The thing is, this tenant previously experienced a breach that got remediated, so I'm trying to be extra cautious. When I click "View in Entra", it brings up no risk detections. If I navigate to Protection > Risky Activities > Risky Sign-Ins I get nothing. Switching to all statuses, I still get nothing. Same thing happens if I go to Risk Detections: nothing. Short of bringing up each user and checking every single login to try to find what was risky, is there a way I can see these once the statuses are remediated? It seems like I SHOULD be able to...

But here are the different ways I've tried filtering:

Risk detections

Risky Sign-Ins

Trying to understand the users popping up in Lighthouse, but they don't appear with any of these filters (or the defaults)....

Anyone able to advise? Thanks

Solved | underQualifried | Jan 28, 2025

Unable to access Update 3 for Microsoft Advanced Threat Analytics 1.9
Hi, Microsoft Tech Community and Ricky Simpson from Microsoft,

I cannot download Update 3 for Microsoft Advanced Threat Analytics 1.9. Whenever I tried to access the download update from https://support.microsoft.com/en-us/topic/description-of-update-3-for-microsoft-advanced-threat-analytics-1-9-954cb9b7-9646-78ce-2000-2a257b64df7c, it seemed the ID number 56725 was missing, and an error code of 404 was returned.

Tried URL: https://www.microsoft.com/download/details.aspx?id=56725

Hope you can fix this problem as soon as possible, because Microsoft ATA still plays an important role in most enterprise networks, including my company's network.

Best regards to all people in the community

Solved | shiroinekotfs | Oct 16, 2024

Missing remediation actions
Hi everyone,

Remediation actions such as Disable/Enable user in AD and Force password reset are currently not available through the Defender portal (user page, advanced hunting). Anyone aware of this change?

https://learn.microsoft.com/en-us/defender-for-identity/remediation-actions#supported-actions

Solved | koroioan | Sep 25, 2024

MDI & gMSA config
Hi,

We have followed the MDI Deployment guide from Microsoft: https://learn.microsoft.com/en-us/defender-for-identity/deploy/deploy-defender-identity

We have also cross-referenced this guide: https://jeffreyappel.nl/how-to-implement-defender-for-identity-and-configure-all-prerequisites/

The MDI Portal shows the gMSA account. The MDI agents are running fine and reporting to the MDI Portal. However, when we look at Services.msc on the Domain Controllers, the MDI agent runs under the security context of "Local Service" and not the gMSA account.

Can anyone advise us on whether this is correct, or should we see the gMSA account in the Services.msc console? And what other config may be required to make it run under the gMSA account?

Thank you
SK (screenshot below)

Solved | ShimKwan | Jul 08, 2024

MDI Sensor Windows-Service issue Version 2.235.17900.47908
Hello all,

We have successfully installed the MDI sensor with version 2.235.17900.47908 on a Windows Server 2022. After installation, the MDI sensor does not start. According to the readiness tool, everything is in place. We also added the MDI service account to the Logon as service group. The MDI sensor then tries to start the sensor service over and over again, but without success. We receive the following errors:

Microsoft.Tri.Sensor-Errors.log

    2024-05-23 13:40:20.4944 Error HttpResponseMessageExtension Microsoft.Tri.Infrastructure.ExtendedHttpRequestException: Response status code does not indicate success: 400 (Bad Request). ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).

Microsoft.Tri.Sensor.Updater-Errors.logs

    2024-05-23 13:41:02.8043 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
       at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
       at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]

I can't find anything about this behaviour in any other discussion. That's why I started this one.

Thanks for all the inputs.

Solved | lorisAmbrozzo | May 27, 2024

Lateral Movement Alert Documentation
On page https://learn.microsoft.com/en-us/defender-for-identity/lateral-movement-alerts, the MITRE sub-technique in the Suspected identity theft (pass-the-ticket) section (https://learn.microsoft.com/en-us/defender-for-identity/lateral-movement-alerts#suspected-identity-theft-pass-the-ticket-external-id-2018) points to the wrong technique: it points to Pass-the-Hash, not Pass-the-Ticket.

As the GitHub documentation is no longer used, I'm not sure if this is the right place to be raising this.

Solved | JayK_13 | May 10, 2024

Microsoft Defender for Windows/iOS/Android
Hey all,

Microsoft Defender for Windows/iOS/Android fails after I try to add the 5th email address to be monitored on the dark web. It says there was an error and to try again later. Below the box where the 2FA number gets filled in there is a blue link 'send again', but clicking that link gets the same error message; it is always repeated. I will have a total of no more than 8 emails ever. Is 4 emails to monitor the limit? This is a personal Office 365 subscription.

I am happy Microsoft Defender has been added to the benefits of the subscription, as I have had my SS number stolen before and it's on the dark web associated with a complete stranger's name & address in another state according to Defender/Experian. I would like clarification on the number of allowed emails though. I guess I could start consolidating them now that I have Microsoft Defender with a reasonable scope of dark web and other computer/personal/finance attack protection, but it's kind of a hassle as I've been using these addresses for 10 years now.

Thanks. Ciao

Solved | Andy_Grogan | Mar 15, 2024

MDI on RODC only
Hi all,

I'm going through the implementation guide for Defender for Identity, but on this page https://learn.microsoft.com/en-us/defender-for-identity/deploy/quick-installation-guide#install-defender-for-identity it is stated that "Defender for Identity sensors should be installed on read-only domain controllers (RODC)". Is it correct? It's not clear to me whether the phrase means "the MDI sensor is compatible with RODCs too" or "the MDI sensor must only be installed on RODCs", which seems to be quite limiting.

Thank you in advance!

Solved | MarkPnt | Mar 14, 2024