Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

ATP sensor moved to another tenant is still showing in former tenant

Copper Contributor

We have uninstalled ATP sensor from Tenant1, then re-installed with ATP sensor package downloaded from Tenant2, this was done a few months ago, but they are still reporting under "Microsoft secure score" with recommended action "install defender for identity sensor on all domain controller". I have verified they are not listed under identities > sensors list. Do any one has similar issue? is there a fix to remove the moved sensors from former tenant's "Microsoft secure score"?

8 Replies
The score should be calculated every day. The process to do this starts at about 1AM pacific time but it will take a few hours to run.
Sorry, my bad, forgotten to add that it was done a few months ago, if you know any fix

@ggaurav79 did you deleted the sensor from the MDI settings? or the old sensor still appearing there ?

eliekarkafy_0-1697018033270.png

 

Yes, I have uninstalled them first and deleted as well from sensors list. I have verified they are not listed under settings > identities > sensors list (in tenant1)

@ggaurav79 I suggest you open a ticket with the MS team so they can check your tenant in the backend because secure score have a scheduled tasks that run in the background and it might be failing to update your secure score 

Thank you for good info, I'll create a ticket for MS support as i thought earlier but it was worth checking in this discussion board :).
Last thing, Do you know, if keeping the "Microsoft Azure recovery services agent" and "Microsoft monitoring agent" from/into same previous Tenant1 may causing this behavior?
If you have a sensor running in a domain reporting to tenant1, then this sensor will report that there are Domain Controllers without a sensor. So, it's not about where the sensor is installed, but if there is still a sensor running which reports to the cloud that there are Domain Controllers without a sensor.

Note: Even though there are still some references from "Azure ATP" in the product, the product is called Microsoft Defender for Identity for a long time :)

@thalpius Yes and agreed what you said ! I knew and understand that even one installed sensor will report if there are any other domain controllers missing the MIDI setup in same domain.
Though, the problem is, regardless that we have removed them from one tenant, they are still coming in Secure score report which they shouldn't. I have already reported a case to Microsoft.