Forum Discussion
Disable Defender for Identity Automation
Hello everyone. I am looking to roll out Defender for Identity in my environment. I am running into concerns regarding the automatic attack disruption feature. Ideally, I would want to deploy the solution in a detect-only format. However, I am not seeing any way to disable all automated response, or to exclude users in a bulk format. Currently, all I was able to find is this exclusion list within the Defender portal: https://learn.microsoft.com/en-us/defender-for-identity/automated-response-exclusions#how-to-add-automated-response-exclusions
However, this list appears to only allow selecting individual users. Is anyone aware of a way to fully disable all automated actions for Defender for Identity, or of a way to bulk exclude users?
Thanks
1 Reply
- DylanInfosec (Iron Contributor)
Hi mtcsb,
I’ll start off by saying I get the apprehension about allowing an automatic response to be taken without understanding exactly what signals are being used to make the decision. Nevertheless, I personally have not heard any horror stories with Automatic Attack Disruption nor experienced any myself. Any time it did trigger, which was seldom, it was 100% justified. Furthermore, to reverse the remediation there is an Undo button: Undo completed action
Now, as far as how you can turn off automated responses, I believe the setting is tied to all automated actions, so there are implications in doing this, such as having to approve any automated remediation actions, even for the commodity malware removal, depending on your settings. See here on how to configure these settings per device group: Automation setting for your organizations devices
And please read and understand what each automation level means and how it could affect your overall security posture and workload: Automation levels in automated investigation and remediation capabilities
Best,
Dylan