Tag the AD FS as a sensitive


Problem: my ADFS servers are not tagged as "sensitive", as opposed to the announcement made in "Tag the AD FS as a sensitive entity further enhances protection" on https://techcommunity.microsoft.com/t5/microsoft-security-and/microsoft-defender-for-identity-expands-support-to-ad-fs-servers/ba-p/2058511

Any idea, why the AD FS servers in the Microsoft Defender for Identity portal are not automatically tagged as sensitive?

Hi Adrian.
Once the MDI sensor is installed on the AD FS server, all of the AD FS servers in the AD FS farm should be marked as sensitive.
Please make sure that you meet all of the installation prerequisites,
with emphasis on granting read/select access to the directory services user on the AD FS DB.

Instructions can be found here:
https://docs.microsoft.com/en-us/defender-for-identity/install-step4

This step should resolve the issue.

> For sensor installations on AD FS servers, if you are using an external SQL server,
> configure the SQL server to allow the Directory service account (Configuration >
> Directory services > Username) connect, log in, read, and select permissions to the
> AdfsConfiguration database.

I read the instructions you're referring to, but as we use WID and not an external SQL server, I expected that it should work without additional steps.
Can you/anyone confirm that this step is a prerequisite for ADFS using WID (+ gMSA) too?

This should be done for WID as well.
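The permission step described in the replies above, worked through for a WID farm, as an added example that is not part of this thread and not Microsoft's own script. It assumes it is run in an elevated PowerShell session on an AD FS server, as an account with sysadmin rights on the local WID instance, and it uses the placeholder gMSA name CONTOSO\mdiSvc$ (a gMSA SAM account name ends with "$"). Instead of hard-coding the database name, which depends on the AD FS version (AdfsConfiguration, AdfsConfigurationV3, AdfsConfigurationV4 ...), it reads the configuration-database connection string that AD FS publishes in the root/ADFS WMI namespace; on a WID farm that string points at the local MICROSOFT##WID named pipe.

```powershell
# Added example (not from the thread or from Microsoft's documentation).
# Grants the MDI Directory Services account connect/read/select on the AD FS
# configuration database hosted in WID, then verifies the grant.
# Assumptions: elevated session on an AD FS farm member, current user has
# sysadmin on the local WID instance, placeholder gMSA name below.

$AccountName = 'CONTOSO\mdiSvc$'   # placeholder; replace with your Directory Services gMSA

# The name is spliced into DDL (no parameters for DDL), so reject anything
# that is not a plain DOMAIN\name before bracket-quoting it.
if ($AccountName -notmatch "^[^\\\[\]']+\\[^\\\[\]']+$") {
    throw "Expected DOMAIN\name, got '$AccountName'"
}
$quoted = "[$AccountName]"

# AD FS stores its configuration-DB connection string in WMI (root/ADFS,
# class SecurityTokenService). For WID it looks like:
#   Data Source=np:\\.\pipe\MICROSOFT##WID\tsql\query;Initial Catalog=AdfsConfigurationV4;Integrated Security=True
$sts = Get-CimInstance -Namespace 'root/ADFS' -ClassName 'SecurityTokenService'
$builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder -ArgumentList $sts.ConfigurationDatabaseConnectionString
$database = $builder.InitialCatalog
if (-not $database) { throw 'Could not determine the AD FS configuration database name' }
$builder.IntegratedSecurity = $true    # connect as the current (admin) Windows user

# Server-level login, database user, db_datareader membership, explicit
# CONNECT and SELECT: the set of rights the MDI prerequisites list.
# The connection opens directly in the configuration DB, so CREATE USER /
# ALTER ROLE / GRANT apply there; CREATE LOGIN is server-scoped anyway.
$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$AccountName')
    CREATE LOGIN $quoted FROM WINDOWS WITH DEFAULT_DATABASE = [master];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$AccountName')
    CREATE USER $quoted FOR LOGIN $quoted;
ALTER ROLE [db_datareader] ADD MEMBER $quoted;
GRANT CONNECT TO $quoted;
GRANT SELECT TO $quoted;
"@

# Read back the role membership so the script proves the grant took effect.
$verify = @"
SELECT r.name AS role_name
FROM sys.database_principals u
JOIN sys.database_role_members rm ON rm.member_principal_id = u.principal_id
JOIN sys.database_principals r  ON r.principal_id = rm.role_principal_id
WHERE u.name = N'$AccountName';
"@

$roles = @()
$conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $builder.ConnectionString
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $grant
    [void]$cmd.ExecuteNonQuery()

    $cmd.CommandText = $verify
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) { $roles += [string]$reader['role_name'] }
    $reader.Close()
}
finally {
    $conn.Close()
}

if ($roles -contains 'db_datareader') {
    Write-Host "$AccountName is db_datareader on $database (WID instance on $env:COMPUTERNAME)"
} else {
    Write-Warning "$AccountName is NOT a member of db_datareader on $database; check the WID grants"
}
```

On a WID farm every node keeps its own local copy of the configuration database, so the script has to be run on each AD FS server that carries a sensor, not only on the primary; the `IF NOT EXISTS` guards make it safe to re-run. If the WMI query returns nothing, the session is probably not elevated or the host is a WAP proxy rather than a federation server.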

@ophir_grinstein thank you for your answers so far!


Now we have
- granted read/select permissions to the Directory Service account (gMSA) on the AD FS database (WID)
- uninstalled and reinstalled the MDI sensor on both AD FS servers
but unfortunately this has not resulted in any change; the servers are still not automatically tagged as sensitive.
Is there something else we can check or adapt?


In the log file "C:\Program Files\Azure Advanced Threat Protection Sensor\2.143.13969.43847\Logs\Microsoft.Tri.Sensor.log" we see some warnings:

2021-03-26 14:25:37.9381 Warn JsonSerializerSettingsExtension+JsonSerializationBinder GetTypeFromName [typeName=GetSensorComputerIpAddressAssertionsResponse]
2021-03-26 14:25:37.9538 Warn DirectoryServicesResolver SynchronizeAdfsServerDnsNamesAsync DomainId= CoveredDomainCount=1
2021-03-26 14:25:38.0164 Warn DirectoryServicesResolver UpdateSensitiveServersAsync [identifier=queriedAdfsServerDnsNames serverDnsNames=ADFS-SERVER-1;ADFS-SERVER-2]