Forum Discussion
Implementation Defender for Identity
- Oct 03, 2022
clcurtis777 I've attached a simple deployment guide we put together last year. Hope it helps!
I could share a couple of best practices when considering deploying the MDI sensors
- Deploy the MDI sensors directly on the Domain Controllers instead of using the standalone sensors, which would require additional port-mirroring configuration and a gateway server to communicate with the respective DCs. You will miss some log types and events when using standalone sensors; the Defender for Identity standalone sensor does not support collection of Event Tracing for Windows (ETW) logs, for example.
- Don't use real users as honey token accounts; instead create a few user objects in AD with a naming convention such as "Backup SQL Admin", "Domain Admin User", or a random first name and surname, with no permissions or access assigned at all. I see a lot of clients sync the honey token accounts to AAD and give them explicit permissions to web apps. And please do not re-use orphaned/disabled users as honey tokens, since there is a lot of historical log data attached to a disabled user (such as security group memberships, etc.).
- Create a scheduled task that handles the sign-in activity frequency for the honey token accounts so that they are identified as live, active users in your Active Directory (this can be done through PowerShell).
Cheers,
Rojan Koc
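The two honey-token tips above (create clean decoy accounts with no group memberships, then keep them looking alive via a scheduled task), put together as an added PowerShell example. This is not the poster's script; the OU path, sAMAccountNames, the management host the task is registered on, and the schedule are all assumptions, and the account names follow the naming convention suggested in the post.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory module,
# a domain-joined admin session, and that the OU below already exists (assumed path).
Import-Module ActiveDirectory

$HoneyOU  = "OU=HoneyTokens,DC=corp,DC=example"          # assumption
$Accounts = @(                                           # names per the post's convention
    @{ Sam = "svc-sqlbackup"; Display = "Backup SQL Admin";  Description = "SQL backup service" },
    @{ Sam = "da-user";       Display = "Domain Admin User"; Description = "Domain administration" },
    @{ Sam = "jdoe2";         Display = "Jane Doe";          Description = "Finance" }
)

foreach ($a in $Accounts) {
    # Skip accounts that already exist; never reuse a disabled/orphaned user as a decoy.
    if (Get-ADUser -Filter "SamAccountName -eq '$($a.Sam)'") { continue }

    # Long random password. Nobody types it, so it only needs to exist and to be strong.
    $pw = -join ((33..126) | Get-Random -Count 40 | ForEach-Object { [char]$_ })
    $secure = ConvertTo-SecureString $pw -AsPlainText -Force

    New-ADUser -Name $a.Display -SamAccountName $a.Sam -DisplayName $a.Display `
        -Description $a.Description -Path $HoneyOU -Enabled $true `
        -AccountPassword $secure -PasswordNeverExpires $true -ChangePasswordAtLogon $false

    # "Sign-in activity" task: runs as the honey account on this host every 3 days at a
    # randomised morning minute, so the account shows a recent logon without anyone
    # using it interactively. Host, interval and time are assumptions.
    $action  = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c whoami"
    $trigger = New-ScheduledTaskTrigger -Daily -DaysInterval 3 `
                   -At (Get-Date -Hour 9 -Minute (Get-Random -Maximum 59) -Second 0)
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

    Register-ScheduledTask -TaskName "HoneyToken-Heartbeat-$($a.Sam)" `
        -Action $action -Trigger $trigger -Settings $settings `
        -User "$((Get-ADDomain).NetBIOSName)\$($a.Sam)" -Password $pw -RunLevel Limited | Out-Null
}

# Check: a fresh honey token must have no group memberships beyond its primary group
# (Domain Users). Any extra membership or synced app permission means it's not a clean decoy.
foreach ($a in $Accounts) {
    $u = Get-ADUser $a.Sam -Properties MemberOf, LastLogonDate
    if ($u.MemberOf.Count -gt 0) {
        Write-Warning "$($a.Sam) is a member of: $($u.MemberOf -join ', ') - remove before tagging it as a honey token"
    } else {
        Write-Output "$($a.Sam): no group memberships; last logon $($u.LastLogonDate)"
    }
}
```

Running a task under the honey account requires that account to hold the "Log on as a batch job" right on the chosen host, so grant that on one hardened management host only and nothing else. Also bear in mind that Defender for Identity raises a honeytoken alert on authentication by these accounts, so the heartbeat host and schedule should be documented in the SOC runbook so those expected sign-ins are recognised and anything from any other source is treated as a real hit.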
- clcurtis777, Oct 19, 2022 (Copper Contributor): Excellent advice and tips. Really appreciate that. Thanks