Oct 02 2022 06:49 PM
Hey all, who has recently implemented Defender for Identity? Anyone care to share their experience, do's, don'ts, what went well and wrong? A project plan to share? I am about to embark on this shortly. Yes, I'm currently reading all the MS documentation, but it would be good to have a real-world example of how it went. Thank you.
Oct 03 2022 11:54 AM
Oct 09 2022 02:54 PM
Oct 10 2022 07:24 AM
If you follow the instructions starting at the Microsoft Defender for Identity prerequisites page, it will help you cover everything.
There's also a great walkthrough by Jeffrey Appel here: How to implement Defender for Identity and configure all prerequisites (jeffreyappel.nl)
Oct 19 2022 03:36 AM - edited Oct 19 2022 03:37 AM
I could share a couple of best practices to consider when deploying the MDI sensors:
- Deploy the MDI sensors directly to the domain controllers instead of using the standalone sensors, which require additional port mirroring configuration and a gateway server to communicate with the respective DCs. You will miss some log types and events when using standalone sensors; the Defender for Identity standalone sensor does not support collection of Event Tracing for Windows logs, for example.
- Don't use real users as honeytoken accounts; instead, create a few user objects in AD following a naming convention such as "Backup SQL Admin", "Domain Admin User" and a random first name and surname, with no permissions or access assigned at all. I see a lot of clients sync the honeytoken accounts to AAD and give them explicit permissions to web apps. And please do not re-use orphaned/disabled users as honeytokens, since there is a lot of historical log data attached to a disabled user (such as security group memberships, etc.).
- Create a scheduled task that handles the sign-in activity frequency for the honeytoken accounts so that they are identified as live and active users in your Active Directory (this can be done through PowerShell).
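As an added, worked example of the last two points (this is not code from the post above), the PowerShell below creates decoy accounts with the suggested naming convention, refuses to recycle an existing object, checks that each decoy has no group memberships and no adminCount, and registers a scheduled task that performs one logon per decoy each day. The domain, OU, DC name, script directory, task account and decoy names are assumptions; adjust them for your environment. One caveat a practitioner should weigh first: MDI raises its Honeytoken activity alert on authentication by an account tagged as a honeytoken, so the keep-alive logons from this host will themselves show up as alerts. Decide how you will recognise them (source host and schedule) before tagging the accounts in the portal, and run the task from a member server, not a domain controller.

```powershell
# Added example, not from the original thread: decoy honeytoken accounts plus a
# keep-alive scheduled task. Domain, OU, DC, paths and task account are assumptions.
#Requires -Modules ActiveDirectory, ScheduledTasks
Import-Module ActiveDirectory

$Domain      = 'corp.example.com'                               # assumption
$TargetOU    = 'OU=Service Accounts,DC=corp,DC=example,DC=com'  # assumption
$DomainCtrl  = 'dc01.corp.example.com'                          # assumption
$ScriptDir   = 'C:\Scripts'                                     # assumption
$TaskAccount = 'CORP\svc_keepalive'                             # assumption: low-privilege account

# Decoy names following the convention suggested in the post (constructed values).
$Honeytokens = @(
    @{ Sam = 'svc_sqlbackup'; Display = 'Backup SQL Admin';  Desc = 'SQL backup service account' },
    @{ Sam = 'da_admin';      Display = 'Domain Admin User'; Desc = 'Domain administration' },
    @{ Sam = 'mhowell';       Display = 'Margaret Howell';   Desc = 'Finance' }
)

function New-RandomPassword {
    # 32 bytes from the CSPRNG, base64-encoded: long, and never typed by a human.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

function New-Honeytoken {
    param([string]$Sam, [string]$Display, [string]$Desc)
    # Never recycle an existing (possibly disabled or orphaned) object: it carries
    # historical group memberships and log data that a fresh decoy should not have.
    if (Get-ADUser -Filter "SamAccountName -eq '$Sam'") {
        Write-Warning "$Sam already exists; not reusing an existing object"
        return
    }
    $password = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    New-ADUser -Name $Display -SamAccountName $Sam -UserPrincipalName "$Sam@$Domain" `
        -DisplayName $Display -Description $Desc -Path $TargetOU `
        -AccountPassword $password -Enabled $true -PasswordNeverExpires $true
}

function Test-HoneytokenUnprivileged {
    # $true when the decoy has no memberships beyond its primary group and has
    # never been under AdminSDHolder protection (adminCount left behind).
    param([string]$Sam)
    $u = Get-ADUser $Sam -Properties MemberOf, AdminCount
    $problems = @()
    if ($u.MemberOf.Count -gt 0) { $problems += "member of: $($u.MemberOf -join '; ')" }
    if ($u.AdminCount)           { $problems += 'adminCount is set' }
    foreach ($p in $problems) { Write-Warning "$Sam`: $p" }
    return ($problems.Count -eq 0)
}

foreach ($ht in $Honeytokens) {
    New-Honeytoken @ht
    $null = Test-HoneytokenUnprivileged -Sam $ht.Sam
}

# Keep-alive script written to disk. It binds to the DC over LDAP with each decoy's
# credentials, which the DC records as a logon by that account. The credentials are
# read from a DPAPI-protected file that must be created ONCE on this host while
# running as $TaskAccount (only that account on this host can decrypt it):
#   @((Get-Credential 'CORP\svc_sqlbackup'), (Get-Credential 'CORP\da_admin')) |
#       Export-Clixml -Path C:\Scripts\honeytokens.xml
$credFile      = Join-Path $ScriptDir 'honeytokens.xml'
$keepAlivePath = Join-Path $ScriptDir 'Touch-Honeytoken.ps1'
$keepAliveBody = @'
# Touch-Honeytoken.ps1 (generated by the setup script): one logon per decoy account.
$dc = '__DC__'
foreach ($cred in Import-Clixml -Path '__XML__') {
    $entry = [System.DirectoryServices.DirectoryEntry]::new("LDAP://$dc", $cred.UserName, $cred.GetNetworkCredential().Password)
    try     { $null = $entry.NativeObject; "$(Get-Date -Format s) ok   $($cred.UserName)" }
    catch   { "$(Get-Date -Format s) FAIL $($cred.UserName): $($_.Exception.Message)" }
    finally { $entry.Dispose() }
}
'@
Set-Content -Path $keepAlivePath -Value $keepAliveBody.Replace('__DC__', $DomainCtrl).Replace('__XML__', $credFile)

# Daily task under the low-privilege maintenance account; it only needs to read the
# credential file and reach the DC over LDAP, so it runs with a limited token.
$action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$keepAlivePath`""
$trigger  = New-ScheduledTaskTrigger -Daily -At '08:17'
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -RunOnlyIfNetworkAvailable
Register-ScheduledTask -TaskName 'Honeytoken keep-alive' -Action $action -Trigger $trigger `
    -Settings $settings -User $TaskAccount -Password (Read-Host "Password for $TaskAccount") -RunLevel Limited
```

The decoy passwords exist only in the DPAPI-protected file on the keep-alive host; nothing else in the environment needs them, which is the point of a honeytoken. Test-HoneytokenUnprivileged is worth re-running periodically, since a decoy silently added to a group or synced to AAD with application permissions stops being a safe decoy.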