MDI and multi-tenancy

Question

Hi,&nbsp;We have the following setup:&nbsp;Developer Azure Tenant and developer on-prem domain (sync'ed via AADConnect)Production Azure Tenant and Production on-prem domain (sync'ed via AADConnect)&nbsp;We would now like to start using MS Defender for Identity.Can we install the MDI sensor on all domain controllers (in both Developer and Production on-prem domains) so that they all report to the same MDI Portal running in the Production Azure Tenant?&nbsp;Thank you,SK

skjivert · Answer

ShimKwan&nbsp;&nbsp;Should work fine i believe. As long as you have the licenses in your production tenant to cover both forests. You can read more here&nbsp;https://learn.microsoft.com/en-us/defender-for-identity/deploy/multi-forest

shimkwan · Answer

Hi skjivert,Thank you for the link - even though it mentions "Forests", you reckon it should therefore also apply to "Tenants"?Secondly, if a company has E5 licensing, they will have MDI - correct?Is there also a limit within this E5/MDI license on the amount of domain controllers for the sensor deployment? Or are there any additional costs (other than E5)?I thought E5 included MDI.ThxSK

esatyaman · Answer

Hi ShimKwan,

Yes, E5 licenses come with MDI.

MDI automatically onboards all users in the tenant (Reference below) and limit for DC Sensor should be 350.
https://learn.microsoft.com/en-us/defender-for-identity/deploy/capacity-planning#manual-sizing-estimation-for-domain-controllers

Regards,
Esat

Forum Discussion

MDI and multi-tenancy

3 Replies

Resources