Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

MDI Sensor vs Standalone Sensor - Updated Guidance

Copper Contributor

It appears that guidance on MDI Sensor vs Standalone Sensor has shifted towards discouraging Standalone sensors altogether. Standalone is now lacking functionality, while all the older materials highlighting its benefits had been removed. (E.g. higher stability/throughput; better security and separation of duties, especially when deployed as a member of a Workgroup etc.)


This begs the question - is Standalone on its way out? And what are the use cases you still believe it is best suited for?


Thank you!

5 Replies

Integrated is clearly superior to standalone because it has many more data sources we can use to do detection and add additional security.

Using a Workgroup standalone is better security wise only in theory, assuming that it will be maintained and patched in the same level of a domain joined machine. In most cases it is not...
There is no throughput change compared to integrated, but there is a possible scale issue if your DC is limited to scaling up, and your current spec will not allow the additional resources needed for the sensor (old physical machine for example).

As of today, only 3.19% of sensors we have are standalone. the number keeps dropping monthly.
For now there is no planned decision to remove this option, but in theory this can happen some time in the future once this umber will go down to a ridiculous number...

The Advice is clear - use Integrated whenever possible, use standalone as last option. 

Hey @EliOfek,


Do you have current data on the % sensors that are standalone? I am trying to discourage all customers from doing this, but some have concerns about allowing any internet traffic to DCs. It would be useful to get a steer about the roadmap of this, supportability, etc.




You don't need to allow any internet traffic from the DCs, you can use a proxy to allow only the specific url for the sensors API (as described on Configure your proxy or firewall to enable Microsoft Defender for Identity communication with the se...

As for the % of standalone sensors, we see less than 0.5% worldwide.

Total standalone sensors WW significantly reduced since the last update (and keeps shrinking).
There is no change as of now in supportability, but I can say that the product group focus is not on standalone. most of the features require the integrated version nowadays.

You don't need to directly connect the DC to the internet.
A common design would be to use an internet proxy, with authentication, which is limited only to MDI urls or service tag IP ranges.
When installing the sensor, use the silent option with proxy parameters, which means only the sensor processes on the machine can use the proxy, and only to connect to the MDI backend.

@EliOfek @Martin_Schvartzman 


Thanks both, useful info & appreciate the metric on usage.