SOLVED

Implementation Defender for Identity

Hey all, who has recently implemented Defender for Identity? Anyone care to share their experience, do's, don'ts, what went well and what went wrong? A project plan to share? I am about to embark on this shortly. Yes, I'm currently reading all the MS documentation, but it would be good to have a real-world example of how it went. Thank you.

best response confirmed by clcurtis777 (Occasional Contributor)

@clcurtis777 I've attached a simple deployment guide we put together last year. Hope it helps!

Please note, since this was put together, we stopped supporting Windows Server 2008 R2. Make sure you take this into consideration when you're planning.
This is awesome, thanks for the checklist and advice.

Just wondered if you had the full checklist also, please? The light one was a great start; I just want to ensure I have everything in place in my complex environment. Cheers

@clcurtis777 

If you follow the instructions starting at the Microsoft Defender for Identity prerequisites page, it will help you cover everything.

There's also a great walkthrough by Jeffrey Appel here: How to implement Defender for Identity and configure all prerequisites (jeffreyappel.nl)

I could share a couple of best practices to consider when deploying the MDI sensors:

- Deploy the MDI sensors directly on the Domain Controllers instead of using the standalone sensors, which would require additional port mirroring configuration and a gateway server to communicate with the respective DCs. You will miss some log types and events when using standalone sensors; the Defender for Identity standalone sensor does not support the collection of Event Tracing for Windows logs, for example.

- Don't use real users as honey token accounts. Instead, create a few user objects in AD with a naming convention such as "Backup SQL Admin", "Domain Admin User", or a random first name and surname, with no permissions or access assigned at all. I see a lot of clients sync the honey token accounts to AAD and give them explicit permissions to web apps. And please do not re-use orphaned/disabled users as honey tokens, since there is a lot of historical log data attached to a disabled user (such as security group memberships, etc.).

- Create a scheduled task that handles the sign-in activity frequency for the honey token accounts so that each one is identified as a live and active user in your Active Directory (this can be done through PowerShell).

Cheers,

Rojan Koc
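As an added illustration of the honey token points in the reply above (example code written for this thread, not Rojan's or Microsoft's), the PowerShell below vets a candidate account against those rules and registers the keep-alive scheduled task. It assumes the RSAT ActiveDirectory module on a domain-joined host; the account names and the script path are placeholders.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and
# a domain-joined host; the names and the script path below are placeholders.
Import-Module ActiveDirectory

# Constructed names that follow the naming convention suggested in the reply.
$HoneytokenNames = @('backup-sql-admin', 'domain-admin-user', 'j.whitfield')

# Check one candidate against the reply's rules: enabled, no group memberships
# beyond the primary group, never privileged, and not a re-used old object.
function Test-HoneytokenCandidate {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName `
        -Properties MemberOf, whenCreated, Enabled, adminCount
    $issues = @()
    if (-not $u.Enabled) {
        $issues += 'disabled: a honey token should look like a live account'
    }
    if ($u.MemberOf.Count -gt 0) {
        $issues += "member of $($u.MemberOf.Count) group(s) beyond the primary group"
    }
    if ($u.adminCount -eq 1) {
        $issues += 'adminCount=1: object was once privileged, history attached'
    }
    # Heuristic: an object older than 30 days is probably a re-used real or orphaned user.
    if ($u.whenCreated -lt (Get-Date).AddDays(-30)) {
        $issues += "created $($u.whenCreated.ToShortDateString()): looks like a re-used object"
    }
    [pscustomobject]@{ Account = $SamAccountName; Ok = ($issues.Count -eq 0); Issues = $issues }
}

$HoneytokenNames | ForEach-Object { Test-HoneytokenCandidate -SamAccountName $_ } |
    Format-Table Account, Ok, Issues -AutoSize

# Daily task with a random start delay (so the activity does not look scripted)
# that runs the keep-alive script. The script that performs the sign-in as the
# honey token is deployment-specific, so only its placeholder path is given here.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -File C:\Scripts\Invoke-HoneytokenLogon.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At '07:30' -RandomDelay (New-TimeSpan -Hours 4)
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Honeytoken-KeepAlive' -Action $action `
    -Trigger $trigger -Principal $principal -Force
```

Run the vetting part before you add any account to the MDI honeytoken list; an account that fails a check is one the reply advises against using.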

Excellent advice and tips. Really appreciate that. Thanks.