Microsoft Defender for Identity topics

Defender for Identity health issues - Not Closing

MPH2 — Mon, 08 Dec 2025 15:09:42 GMT

We have old issues and they're not being "Closed" as reported.

Are we missing something or is this "Microsoft Defender for Identity" Health Issues process broken? Thanks!

Closed: A health issue is automatically marked as Closed when Microsoft Defender for Identity detects that the underlying issue is resolved. If you have the Azure ATP (workspace name) Administrator role, you can also manually close a health issue.

IdentityLogonEvents - IsNtlmV1

kuglidani — Fri, 28 Nov 2025 22:43:06 GMT

Hi,

I cannot find documentation on how the IdentityLogonEvents table's AdditionalFields.IsNtlmV1 populated.

In a demo environment, I intentionally "enforced" NTLMv1 and made an NTLMv1 connection to a domain controller.

On the DC's Security log, event ID 4624 shows correct info:

Detailed Authentication Information:

Logon Process: NtLmSsp

Authentication Package: NTLM

Transited Services: -

Package Name (NTLM only): NTLM V1

Key Length: 128

On MDI side however it looks like this:
(using the following KQL to display relevant info here:

IdentityLogonEvents
| where ReportId == @"f70dbd37-af8e-4e4e-a77d-b4250f9e0d0b"

| extend todynamic(AdditionalFields)

| project TimeGenerated, ActionType, Application, LogonType, Protocol,IsNtlmV1 = AdditionalFields.IsNtlmV1

)

TimeGenerated	ActionType	Application	LogonType	Protocol	IsNtlmV1
Nov 28, 2025 10:43:05 PM	LogonSuccess	Active Directory	Credentials validation	Ntlm	false

Can someone please explain, under which circumstances will the IsNtlmV1 property become "true"?

Thank you in advance

sensor service fails to start

tandersn — Thu, 13 Nov 2025 19:46:40 GMT

Hello, i've installed MDI on all of our domain controllers and everything went fine. I am trying to install MDI our Entra connect server and our certificate authority server (which are not domain controllers) and the service is continually failing to start. Could someone please point me in the right direction on how to rectify this? I've tried:

recreating the service account (3x),
checking the service account with Test-ADServiceAccount (works fine from both member servers)
verified the service account is given the right to log on as service.

The error log is very vague:

2025-11-13 19:05:30.0968 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__49 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName={FQDN of DC}] at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing) at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing) 2025-11-13 19:05:30.1124 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers [ _domainControllerConnectionDatas={FQDN of DC}] at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDirectoryServicesDomainNetworkCredentialsManager domainNetworkCredentialsManager, IDomainTrustMappingManager domainTrustMappingManager, IRemoteImpersonationManager remoteImpersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy) at object lambda_method(Closure, object[]) at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate() at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes) at new Microsoft.Tri.Sensor.SensorModuleManager() at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager() at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync() at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task) at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

MDI AD CS sensor not switching from removed DC

kuglidani — Fri, 07 Nov 2025 14:15:57 GMT

We are in the process of replacing our Domain Controllers.

What I found is that the MDI sensor on our PKI server is still stuck with a domain controller which has been demoted and removed from the domain.

(Sensor version: 2.250.18972.18405)

I guess, if I reinstall the sensor, it will find a new domain controller - but what if it finds a DC that is to be decommissioned? Should I reinstall the sensor until it choses a "new" DC?

Thank you in advance,

Daniel

Sizing tool for v3 sensor

AlastairCain — Fri, 07 Nov 2025 10:46:16 GMT

Hi,

I'm looking at the Defender for Identity v3 sensor. With the v2 sensor we have the sizing tool.

Is the existing sizing tool applicable / needed for the v3 sensor?

Thanks,

Alastair.

Incorrect Secure Score recommendation - Remove unnecessary replication permissions

kuglidani — Thu, 02 Oct 2025 12:54:58 GMT

Hi,

In our environment, we got the "Remove unnecessary replication permissions for Entra Connect AD DS Connector Account" secure score recommendation.

Based on the docs replication permission is needed when PHS is in use. We are using PTA, but PHS is also enabled as a fallback.

On the Entra Connect server I ran the following:

Import-Module ADSyncDiagnostics

Invoke-ADSyncDiagnostics -PasswordSync

The result is: Password Hash Synchronization cloud configuration is enabled

If I remove the replication permission, we soon receive an alert that password hash sync did not occour.

Is it normal? I would say that the sensor should be able to detect PHS usage hence not recommending to remove the permissions.

Thank you in advance,

Daniel

Entra ID Sensitive Groups

beikjrir — Thu, 21 Aug 2025 20:12:49 GMT

We have our AD sensitive groups programmed into the identity module but we don't know how to add Entra security groups to the sensitive groups list. Has anyone done this before?

Alert Not Found

edhealea — Fri, 15 Aug 2025 21:03:39 GMT

We are receiving the following the follow alert from Defender;
2025-08-15T09:26:42-07:00 {SERVERNAME} CEF[6208]0|Microsoft|Azure ATP|##########|AccountEnumerationSecurityAlert|Account enumeration reconnaissance|5|start=2025-08-15T16:23:14.5550516Z app=Ntlm shost=NULL shostfqdn= msg=An actor on NULL performed suspicious account enumeration, exposing 6 existing account names. externalId=2003 cs1Label=url cs1=https://security.microsoft.com/alerts/xx###xxxx-#xx#-####-#x##-##x##x#x#x#x cs2Label=trigger cs2=update
But when we go to the URL listed, we get an error that it can't be found. We are able to see other alerts that come in.
How do I go about finding the details on this error?

Low success rate of active name resolution NetBIOS (failed rates 80%) andRdpTls (failed rate 90%).

paddypowers — Mon, 28 Jul 2025 13:36:17 GMT

Low success rate of active name resolution
Three Domain controllers are failing name resolution using NetBIOS (failed rates 80%), NetworkNameResolverMethod RdpTls (failed rate 90%) however
RPC over NTLM and reverse DNS working confirmed by Microsoft support.The three domain controllers are runing windows server 2016 with the installed Azure ATP Sensor on the DCs is version is 2.243 I need assistance how to get this issue resoves on the failing three dc please.

Sensor install failing, error log indicates proxy issue

Bobbers — Tue, 01 Jul 2025 17:58:10 GMT

Hi Everyone,

I was re-installing a sensor that was stuck on updates and I get an error in the logs -

failed connecting to service. The issue can be caused by a transparent proxy configuration

From what I can find that's related to either missing certificates or SSL inspection. The proxy works fine for other sensors and I know it's not inspecting this traffic anyway. I found a troubleshooting page that calls out the specific Root CA - "DigiCert Global Root G2" which exists on this machine.

https://learn.microsoft.com/en-us/defender-for-identity/troubleshooting-known-issues#proxy-authentication-problem-presents-as-a-connection-error

I believe this sChannel error is related

The remote server has requested SSL client authentication, but no suitable client certificate could be found.

I am stumped at this point, any help is appreciated.

Agent install error

Bobbers — Tue, 01 Jul 2025 13:56:38 GMT

Hi Everyone,

One of the servers running the agent was failing to update so I attempted a reinstall. During install it fails / rollsback with an error in the log stating "failed connecting to service. The issue can be caused by a transparent proxy configuration".

The device does use a proxy set via netsh, and I've tried specifying it on the command line of the install. I have read elsewhere that this can be related to SSL inspection or an issue with Root CAs on the device. I know there is no inspection going on in this case. I have compared the Root CA list on this device to working devices and don't see anything related to Microsoft that is different.

Any ideas?

Capture DFS activity

Olivier Mangon — Thu, 12 Jun 2025 06:54:21 GMT

Hello, did you have a best pratice baseline to capture DFS activity specially the one done avia a remote console.

For example removing and DFS-N or DFS-Target or modify ACL on it ?

Thanks you

Clarification over "dormant" account status

jasonbourne5379 — Mon, 09 Jun 2025 11:34:23 GMT

I was looking today at our list of "Remove dormant accounts from sensitive groups" within Microsoft Defender for Identity, and one service account has caused a bit of discussion. The account would only be used on-premise and would never be carrying out authentications out of our estate. In this case would Defender for Identity still see the account as being "dormant", or is the reason because it's not carried out any of those off-estate authentications?

Apologies if this is a simple question, but it would be very helpful to know the answer.

Activity logs not showing in cloud apps

prasanthpro7 — Mon, 02 Jun 2025 08:23:27 GMT

Hi folks,

MDI activity logs not showing in cloud apps, the last log was on May 13, 2025, It is showing for multiple tenants.

Anybody experiencing similar issue?

Spurious health alerts with sensor 2.241.18721.18894

robmacf9108931 — Mon, 26 May 2025 13:30:05 GMT

We use delayed update on half of our sensors to help catch possible issues with new sensor versions.

Only on half of our DCs running the latest sensor 2.241.18721.18894, we are receiving alerts "The virtual machine that sensor [hostname.domain] is installed on has a network configuration mismatch. This issue may affect the performance and reliability of the sensor"

Looking at the alert in the portal, MDI alleges that the affected virtual machines virtual NICs have Large Send Offload (LSO) enabled. However, the virtual machines do NOT have LSO enabled.

We are not seeing these alerts from the other half of our sensors that are still running 2.241.18708.7989. The issue is only appearing on VM DCs running sensor 2.241.18721.18894.

Anyone else see this issue?

All the affected DCs are virtual machines. We do have some bare-metal DCs, but they are still running 2.241.18708.7989.

MDI port requisites - May 2025

Kikoooooo2 — Mon, 12 May 2025 15:24:48 GMT

Port 445 is not needed anymore from May 2025 forward. Microsoft disabled SAM-R queries for MDI. Update the documentation.

Melsan

Thirisanptt — Tue, 29 Apr 2025 12:35:14 GMT

Thank you

Defender for Identity Certificate Requirements

I_tried — Fri, 25 Apr 2025 13:40:38 GMT

One of the required certificates for the MDI sensor to run is this certificate:

Subject : CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer : CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Thumbprint : D4DE20D05E66FC53FE1A50882C78DB2852CAE474
FriendlyName : DigiCert Baltimore Root
NotBefore : 5/12/2000 11:46:00 AM
NotAfter : 5/12/2025 4:59:00 PM
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}

It expires in a little over 2 weeks. I still see it listed as required here:

https://learn.microsoft.com/en-us/defender-for-identity/troubleshooting-known-issues

Does anyone know if that requirement will be going away and/or will the certificate be updated before this one expires? I haven't been able to find anything related to its replacement through my various searches so I apologize if this has been covered already.

Thanks.

Segreation of views for different sub-companies

DunfieldMark — Fri, 25 Apr 2025 13:19:08 GMT

I am in a group of companies and due to various legal reasons they are not allowed to see each others data, but we are all part of the same azure tenant and active directories.

So i want to use the idnetity sensor, and it to feed data into dfi, but i want to give the it teams from the different companies access to ONLY their own data and also allow them to do investations on only their own users.

How can i do this segregation within defender?

ATP Sensor will not install on Windows 2016

ChristianT — Thu, 13 Mar 2025 12:11:46 GMT

Environment: Windows Server Standard 2016, vSphere 7x, Hardware requirements met, .Net Framework 4.8.

We have 4 Windows Server 2016 Domain Controllers that all experience the exact same error that prevents us from installing the download classic sensor. I have tried rebooting, run as admin, upgrading .Net framework (from 4.7 to 4.8), etc. This occurs on all 4 DCs that are 2016. We have successfully installed on the 2019 DCs. I have searched online for this error but all suggested fixes are Visual Studio related and I dont think it applies to our situation.

"Error DeploymentManager ShowErrorMessage System.IO.FileLoadException: Could not load file or assembly 'System.ValueTuple, Version=4.0.2.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)" error.