Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community
Microsoft Defender for Identity expands support to AD FS servers
Published Jan 13 2021 01:49 PM 25.6K Views

We are happy to announce the availability of the Microsoft Defender for Identity sensor for Active Directory Federation Services (AD FS) after successfully piloting the feature with customers in Private Preview over the last few months.


Advanced identity protection can help prevent lateral movement by attackers

Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Until now, Microsoft Defender for Identity has protected domain controllers in either on-premises or hybrid environments. By installing the sensor on the domain controller, you are gaining access to the core value from our product:


  • Attack surface reduction – Increases on-premises identity resiliency against malicious intent – both internal and external.
  • Detect malicious attempts to compromise on-premises identities, move laterally within your organizations and gain persistency in your Active Directory environment.
  • Investigate the activities of identities and gain further insights into their behaviors to respond to compromised identities in order to stop further expansion across domains (when you use Microsoft Defender for Identity through the Microsoft Cloud App Security or Microsoft 365 Security Center console experiences)  

While Active Directory continues to play a major role in most organizations, we must always look to how we can enhance our identity protection capabilities through the power of the cloud. Our products have constantly evolving roadmaps that are built from the fantastic work our security research teams carry out. Continuous improvement based on customer feedback and the evolving threat landscape are a key part of helping to keep our customers secure and protected.


AD FS enables federated Identity and access management by securely sharing digital identity and access rights across security and enterprise boundaries. While we recommend customers upgrade their existing on-premises AD FS systems to Azure AD to gain the protections that a cloud identity solution can provide, we understand that some customers are on different journeys – which is why we are introducing today new capabilities from Microsoft Defender for Identity to protect your AD FS environment.


Best practices to reduce your attack surface from Solorigate with AD FS

As we have seen in recent events related to Solorigate, on-premises compromise can propagate to the cloud. We plan our security with an “assume breach” philosophy and layer in defense-in-depth protections and controls to stop attackers sooner when they do gain access. To protect privileged accounts, we recommend best practices such as those outlined here, and implementing Privileged Access Workstations (PAW).


With credential compromise still being one of the most common entry methods for a potential attacker, services like AD FS are often a target for bad actors given that it’s a critical element of identity and access management infrastructure. We encourage customers to adopt best practices like enabling MFA and general credential hygiene because credential theft is a common entry point. 


Additional information on Solorigate and guidance for security admins, operations and hunters can be found at our Solorigate resource center.


Given what we know about the importance of AD FS, let’s explore the impact of introducing an AD FS sensor as part of Microsoft Defender for Identity’s capabilities:


Protect AD FS from on-premises attacks

Much like the existing domain controller sensor, Microsoft Defender for Identity’s new capability for AD FS provides visibility into advanced persistent threats, detecting attempts to compromise the AD FS server through techniques such as remote code execution or attempts to install malicious services.




(figure 1. Remote code execution attempt against AD FS server)


Microsoft Defender for Identity detections are better with AD FS

With the new sensor, there are two detections that immediately take advantage of the information and signals being captured from AD FS. These are:

  • Suspected Brute Force attack (LDAP) and
  • Account enumeration reconnaissance



(figure 2. Brute force attack with failed logons from DC and AD FS)


Microsoft Defender for Identity activities are better with AD FS

Correlating login data from both AD FS sensor and Active Directory sensors enables Microsoft Defender for Identity to analyze further user behavior. For example, some authentication activities, such as failed logins, are visible only to the AD FS server. On other successful logins, Microsoft Defender for Identity can now correlate login information from Active Directory with data from the AD FS server, including whether multi factor authentication occurred when the request was made, the user context, and more.

Here is an example of the enrichment mentioned above in user activity log in Microsoft Defender for Identity before and after the AD FS sensor is installed:




(figure 3. User activity log before and after AD FS sensor has been installed)


The new benefit we are adding enhances Microsoft Defender for Identity by introducing the ability to see the actual device the account was logged into with additional context. This will provide further enrichment in a similar way that RADIUS information provides to Microsoft Defender for Identity when contributing VPN login activities. More information from identity sources makes for more context and as a result, better detections.


Tag the AD FS as a sensitive entity further enhances protection

After installing an AD FS sensor, the AD FS servers in the Microsoft Defender for Identity portal will be automatically tagged as sensitive. This extends functionality that already marks other high value asset servers as sensitive, such as DHCP servers, DNS servers, Microsoft Exchange servers and Certificate Authority servers.  




(figure 4. AD FS asset tagged as sensitive)


What’s next?

The requirements for installing the AD FS sensor are:

  • Windows Server 2016 or later (required for the appropriate audit logs)
  • Domain controller is not installed on the same server as AD FS
  • Audit logs enabled on the AD FS server

If you meet these requirements, download the latest deployment package from the sensor configuration page.

To learn more about the requirements and how to enable audit logs, click here.


Get started today

Are you just starting your Microsoft Defender for Identity journey? Begin a trial of Microsoft 365 Defender to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for your organization.


Join the Microsoft Defender for Identity community for the latest updates and news about Identity Security Posture Management assessments, detections and other updates.


Once again, further information and information for security admins, operations and hunters on Solorigate can be found at our Solorigate resource center

Version history
Last update:
‎May 11 2021 01:59 PM
Updated by: