Latest Discussions
Very High Increase in CPU activity after Update Microsoft Defender for Identity sensor
All our servers that are running this sensor (DCs, certificate servers, AD Connect servers) showed a massive increase in average CPU utilization from virtually straight after the sensor was automatically updated to version 2.254.19112.470 (late night UK time). Two of our DCs are sitting on 100% CPU today and we can't find anything to resolve it. Has anyone else seen this since running this version, and if so, what actions did you take? How would we go about rolling back to the previous version when it appears it will just be automatically updated again soon after? This is our monitoring of CPU utilization from one of the majorly affected DCs, but every server with the sensor had the exact same graph showing a major increase in CPU at the same date and time, i.e. just after the sensor was updated.
Solved. Posted by TomHaz, Jan 19, 2026 (Copper Contributor).

MDI AD CS sensor not switching from removed DC
We are in the process of replacing our Domain Controllers. What I found is that the MDI sensor on our PKI server is still stuck with a domain controller which has been demoted and removed from the domain (sensor version: 2.250.18972.18405). I guess that if I reinstall the sensor it will find a new domain controller, but what if it finds a DC that is to be decommissioned? Should I reinstall the sensor until it chooses a "new" DC? Thank you in advance, Daniel
Solved. Posted by kuglidani, Nov 07, 2025 (Copper Contributor).

Incorrect Secure Score recommendation - Remove unnecessary replication permissions
Hi, in our environment we got the "Remove unnecessary replication permissions for Entra Connect AD DS Connector Account" Secure Score recommendation. Based on https://learn.microsoft.com/en-us/defender-for-identity/remove-replication-permissions-microsoft-entra-connect, the replication permission is needed when PHS is in use. We are using PTA, but PHS is also enabled as a fallback. On the Entra Connect server I ran the following:
    Import-Module ADSyncDiagnostics
    Invoke-ADSyncDiagnostics -PasswordSync
The result is: "Password Hash Synchronization cloud configuration is enabled". If I remove the replication permission, we soon receive an alert that password hash sync did not occur. Is this normal? I would say that the sensor should be able to detect PHS usage and hence not recommend removing the permissions. Thank you in advance, Daniel
Solved.

MDI Activation vs. Manual/Scripted Install.
Hi, we recently noticed the new 'Activation' feature MDI added with MDE in our portal (https://learn.microsoft.com/en-us/defender-for-identity/deploy/activate-capabilities), and we're very interested in the capabilities, but concerned about one thing the documentation states. In the documentation it says that the activation is just the 'core' protections, while the installer package is a more robust defense. I was wondering if there were key differences, like losing out on some stuff, or if both installations would cover the same activities, etc., before we go through with preferring one method to the other. Thanks!
Solved. Posted by dhorne25, Mar 12, 2025 (Copper Contributor).

Easiest way to view remediated risk detections?
I'm looking in Lighthouse at a series of risky logins that are remediated. The thing is, this tenant previously experienced a breach that got remediated, so I'm trying to be extra cautious. When I click "View in Entra", it brings up no risk detections. If I navigate to Protection > Risky Activities > Risky Sign-Ins I get nothing. Switching to all statuses, I still get nothing. The same thing happens if I go to Risk Detections: nothing. Short of bringing up each user and checking every single login to try to find what was risky, is there a way I can see these once the statuses are remediated? It seems like I SHOULD be able to... But here are the different ways I've tried filtering Risk Detections: Risky Sign-Ins. Trying to understand the users popping up in Lighthouse, but they don't appear with any of these filters (or the defaults).... Anyone able to advise? Thanks
Solved. Posted by underQualifried, Jan 28, 2025 (Brass Contributor).

Unable to access Update 3 for Microsoft Advanced Threat Analytics 1.9
Hi, Microsoft Tech Community and Ricky Simpson from Microsoft, I cannot download Update 3 for Microsoft Advanced Threat Analytics 1.9. Whenever I tried to access the download from https://support.microsoft.com/en-us/topic/description-of-update-3-for-microsoft-advanced-threat-analytics-1-9-954cb9b7-9646-78ce-2000-2a257b64df7c, it seemed the ID number 56725 was missing, and an error code of 404 was returned. Tried URL: https://www.microsoft.com/download/details.aspx?id=56725 Hope you can fix this problem as soon as possible, because Microsoft ATA still plays an important role in most enterprise networks, including my company's network. Best regards to all people in the community
Solved. Posted by shiroinekotfs, Oct 15, 2024 (Brass Contributor).

Missing remediation actions
Hi everyone, remediation actions such as Disable/Enable user in AD and Force password reset are currently not available through the Defender portal (user page, advanced hunting). Is anyone aware of this change? https://learn.microsoft.com/en-us/defender-for-identity/remediation-actions#supported-actions
Solved. Posted by koroioan, Sep 25, 2024 (Copper Contributor).

MDI & gMSA config
Hi, we have followed the MDI deployment guide from Microsoft: https://learn.microsoft.com/en-us/defender-for-identity/deploy/deploy-defender-identity We have also cross-referenced this guide: https://jeffreyappel.nl/how-to-implement-defender-for-identity-and-configure-all-prerequisites/ The MDI portal shows the gMSA account. The MDI agents are running fine and reporting to the MDI portal. However, when we look at Services.msc on the Domain Controllers, the MDI agent runs under the security context of "Local Service" and not the gMSA account. Can anyone advise us on whether this is correct, or should we see the gMSA account in the Services.msc console? And what other config may be required to make it run under the gMSA account? Thank you, SK (screenshot below)
Solved. Posted by ShimKwan, Jul 07, 2024 (Brass Contributor).

MDI Sensor Windows-Service issue Version 2.235.17900.47908
Hello all, we have successfully installed the MDI sensor with version 2.235.17900.47908 on a Windows Server 2022. After installation, the MDI sensor does not start. According to the readiness tool, everything is in place. We also added the MDI service account to the "Log on as a service" group. The MDI sensor then tries to start the sensor service over and over again, but without success. We receive the following errors:
Microsoft.Tri.Sensor-Errors.log
    2024-05-23 13:40:20.4944 Error HttpResponseMessageExtension Microsoft.Tri.Infrastructure.ExtendedHttpRequestException: Response status code does not indicate success: 400 (Bad Request). ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
Microsoft.Tri.Sensor.Updater-Errors.log
    2024-05-23 13:41:02.8043 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
       at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
       at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
I can't find anything about this behaviour in any other discussion. That's why I started this one. Thanks for all the inputs.
Solved. Posted by lorisAmbrozzo, May 27, 2024 (Copper Contributor).

Lateral Movement Alert Documentation
On the page https://learn.microsoft.com/en-us/defender-for-identity/lateral-movement-alerts, the "Suspected identity theft (pass-the-ticket)" section (https://learn.microsoft.com/en-us/defender-for-identity/lateral-movement-alerts#suspected-identity-theft-pass-the-ticket-external-id-2018) MITRE sub-technique points to the wrong technique: it points to Pass-the-Hash, not Pass-the-Ticket. As the GitHub documentation is no longer used, I'm not sure if this is the right place to be raising this.
Solved. Posted by JayK_13, May 10, 2024 (Copper Contributor).
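Worked check for the "Incorrect Secure Score recommendation - Remove unnecessary replication permissions" discussion above. This is an added example, not code from that thread or from Microsoft. It enumerates every principal that holds the directory-replication extended rights on the domain naming context: those are the rights the recommendation is about, the rights password hash sync needs on the Entra Connect connector account (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), and the same rights a DCSync attack abuses. The MSOL_ naming pattern for the connector account and the current-domain default are assumptions; the GUIDs are the fixed schema constants.

```powershell
# Added example, not from the thread: enumerate holders of the replication
# extended rights on the domain naming context. Run on a domain-joined host with
# RSAT (ActiveDirectory module) as a user who can read the domain head's ACL.
Import-Module ActiveDirectory

# Well-known schema GUIDs of the replication extended rights (fixed across all
# forests). The empty GUID on an ExtendedRight ACE means "all extended rights",
# which includes these three, so it is reported as well.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights (includes replication)'
}

function Get-ReplicationRightHolders {
    param(
        # Domain distinguished name; defaults to the domain this host belongs to.
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs carrying the ExtendedRight bit matter (GenericAll includes it).
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $hasExtended = ($ace.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if (-not $hasExtended) { continue }
        $guid = $ace.ObjectType.ToString().ToLower()
        if ($ReplicationRights.ContainsKey($guid)) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Right     = $ReplicationRights[$guid]
                Inherited = $ace.IsInherited
            }
        }
    }
}

$domainDN = (Get-ADDomain).DistinguishedName
$holders  = @(Get-ReplicationRightHolders -DomainDN $domainDN)

# Full picture first: anyone on this list can pull password hashes via replication.
$holders | Sort-Object Identity, Right | Format-Table -AutoSize

# Then the account the Secure Score recommendation is about. Default Entra Connect
# connector accounts are named MSOL_<hex>; adjust the pattern if yours differs (assumption).
$connector = $holders | Where-Object { $_.Identity -like '*\MSOL_*' }
if ($connector) {
    $rights = ($connector.Right | Sort-Object -Unique) -join ', '
    "Connector account(s) holding replication rights on ${domainDN}: $rights"
} else {
    "No MSOL_* account holds replication rights on $domainDN"
}
```

Read the full list, not just the connector line: Domain Controllers, Enterprise Domain Controllers and Administrators are expected there, and anything else is a DCSync path worth explaining. With PHS enabled, as in the thread, the connector account holding Get-Changes and Get-Changes-All is required, so removing them breaks password hash sync exactly as the poster observed; the recommendation applies only to tenants that never sync password hashes.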
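Worked check for the "Easiest way to view remediated risk detections?" discussion above. This is an added example, not code from that thread or from Microsoft. It queries Entra ID Protection risk detections through the Microsoft Graph PowerShell SDK in every risk state, so detections already marked remediated or dismissed, which the portal's default views drop, are included. The 90-day lookback and the availability of a server-side filter on activityDateTime are assumptions; the required scopes are the documented ones for riskDetections and riskyUsers.

```powershell
# Added example, not from the thread: list Entra ID Protection risk detections in
# every state, including 'remediated', which the default portal views hide.
# Requires the Microsoft.Graph PowerShell SDK; the 90-day window is an assumption.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'IdentityRiskEvent.Read.All', 'IdentityRiskyUser.Read.All'

function Get-RiskDetectionHistory {
    param(
        [datetime]$Since = (Get-Date).AddDays(-90),
        [string]$UserPrincipalName          # optional: narrow to one user
    )
    # Graph wants ISO 8601 UTC; the date filter on activityDateTime is an assumption.
    $sinceUtc = $Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "activityDateTime ge $sinceUtc"
    if ($UserPrincipalName) { $filter += " and userPrincipalName eq '$UserPrincipalName'" }

    Get-MgRiskDetection -Filter $filter -All |
        Select-Object UserPrincipalName, RiskEventType, RiskLevel, RiskState, RiskDetail,
                      ActivityDateTime, IPAddress,
                      @{ n = 'Location'; e = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } }
}

$detections = @(Get-RiskDetectionHistory)

# Count per state: 'remediated' and 'dismissed' entries are exactly what the
# portal's default filters leave out.
$detections | Group-Object RiskState | Select-Object Name, Count

# The remediated ones, newest first, so they can be matched against Lighthouse.
$detections | Where-Object RiskState -eq 'remediated' |
    Sort-Object ActivityDateTime -Descending |
    Format-Table UserPrincipalName, RiskEventType, RiskLevel, ActivityDateTime, IPAddress, Location -AutoSize

# User-level view: risky users whose state is already remediated.
Get-MgRiskyUser -Filter "riskState eq 'remediated'" -All |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime
```

RiskDetail tells you how a detection was closed (for example a password change or an admin action), which is the field to read when deciding whether an old "remediated" entry was a genuine compromise or a false positive cleared by the user.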
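Worked check for the "MDI & gMSA config" discussion above. This is an added example, not code from that thread, from Microsoft or from the linked guide. The MDI documentation describes the sensor services running as LocalService and using the Directory Service gMSA for their directory queries rather than as the service logon account, so the question to answer on each DC is not which account Services.msc shows but whether that DC can actually retrieve the gMSA's password. The script below checks that from a domain controller running the sensor; the gMSA name is an assumption, and only one level of group nesting is inspected.

```powershell
# Added example, not from the thread: check the MDI Directory Service gMSA
# from a domain controller that runs the sensor. The gMSA name is an assumption.
Import-Module ActiveDirectory

$GmsaName = 'mdiSvc01'   # assumption: sAMAccountName without the trailing '$'

function Test-MdiGmsa {
    param([Parameter(Mandatory)][string]$Name)
    $r = [ordered]@{}

    # 1. Can this host retrieve the managed password? Test-ADServiceAccount
    #    returns $false when the host is not permitted to, or the KDS root key is missing.
    $r.PasswordRetrievableHere = [bool](Test-ADServiceAccount -Identity $Name -ErrorAction SilentlyContinue)

    # 2. Who may retrieve the password, and is this computer in that list
    #    (directly, or via one of its direct group memberships)?
    $acct    = Get-ADServiceAccount -Identity $Name -Properties PrincipalsAllowedToRetrieveManagedPassword
    $allowed = @($acct.PrincipalsAllowedToRetrieveManagedPassword)
    $me      = Get-ADComputer -Filter "Name -eq '$env:COMPUTERNAME'" -Properties MemberOf
    $r.AllowedPrincipals = $allowed
    $r.ThisHostListed    = [bool](($allowed -contains $me.DistinguishedName) -or
                                  (@($me.MemberOf | Where-Object { $allowed -contains $_ }).Count -gt 0))

    # 3. The sensor services and the account each is configured to start under.
    $svcs = Get-CimInstance Win32_Service -Filter "Name='AATPSensor' OR Name='AATPSensorUpdater'"
    $r.Services = $svcs | Select-Object Name, State, StartName

    [pscustomobject]$r
}

$check = Test-MdiGmsa -Name $GmsaName
$check | Select-Object PasswordRetrievableHere, ThisHostListed, AllowedPrincipals | Format-List
$check.Services | Format-Table -AutoSize

if (-not $check.PasswordRetrievableHere) {
    Write-Warning "This DC cannot retrieve the password for $GmsaName; the sensor cannot use it as its Directory Service account."
}
```

A DC that is allowed to retrieve the password but still fails Test-ADServiceAccount usually needs its Kerberos ticket refreshed (the group membership was added after the last logon) or a KDS root key that has not become effective yet; the StartName column is reported only so it can be compared with what the portal shows, not because it is expected to be the gMSA.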