Implementation Defender for Identity

clcurtis777 · ‎Oct 02 2022

Hey all, who has recently implemented defender for identity. Anyone care to share their experience, do's, dont do, what went well and wrong? A project plan to share? I am about to embark on this shortly. Yes, I'm currently reading all the MS documentation but be good to have a real-world example of how it went. Thank you.

clcurtis777 · ‎Oct 03 2022

@clcurtis777 I've attached a simple deployment guide we put together last year. Hope it helps!

Ricky Simpson · ‎Oct 03 2022

Please note, since this was put together, we stopped supporting Windows Server 2008 R2. Make sure you take this into consideration when you're planning.

clcurtis777 · ‎Oct 03 2022

This is awesome, thanks for the checklist and advice

clcurtis777 · ‎Oct 09 2022

Just wondered if you had the full checklist also please? Light one was a great start, just want to ensure I have everything in place in my complex environment. Cheers

Martin_Schvartzman · ‎Oct 10 2022

@clcurtis777

If you follow the instructions starting at the Microsoft Defender for Identity prerequisites page, it will help you cover everything.

There's also a great walkthrough by Jeffrey Appel here: How to implement Defender for Identity and configure all prerequisites (jeffreyappel.nl)

MyIdentity · ‎Oct 19 2022

I could share a couple of best practices when considering deploying the MDI sensors

- Deploy the MDI's directly to the Domain Controller instead of using the standalone sensors which would require additional port mirroring configuration and a gateway server to communicate with the respective DC's. You will miss some log types and events when using Standalone sensors. The Defender for Identity standalone sensor does not support the collection of Event Tracing for Windows log for example.

- Don't use real users as honey token accounts, instead create few user objects in the AD with the following naming convention such as "Backup SQL Admin, Domain Admin User and a random First name and Surname with no permissions or accesses assigned at all). I do see alot of clients sync the honey token accounts to AAD and giving them explicit permissions to web apps. And please do not re-use orphan/disabled users as honey tokens since there are a lot of historical logs/data attached to the disabled user (Such as security group memberships and etc).

- Create a scheduled task that handles the sign-in activity frequency for the honey token accounts so that it is identified as a live and active user in your Active Directory (This can be done through PowerShell).

Cheers,

Rojan Koc

clcurtis777 · ‎Oct 19 2022

Excellent advice and tips. Really appreciate that. Thanks

clcurtis777 · ‎Oct 03 2022

@clcurtis777 I've attached a simple deployment guide we put together last year. Hope it helps!

View solution in original post

Implementation Defender for Identity

Implementation Defender for Identity

Re: Implementation Defender for Identity

Re: Implementation Defender for Identity

Re: Implementation Defender for Identity

Re: Implementation Defender for Identity

Re: Implementation Defender for Identity

Re: Implementation Defender for Identity

Re: Implementation Defender for Identity

Re: Implementation Defender for Identity

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Implementation Defender for Identity