Manage sensitive or honeytoken accounts

Note

The experience described in this page can also be accessed at https://security.microsoft.com as part of Microsoft 365 Defender. The supporting documents for the new experience can be found here. For more information about Microsoft Defender for Identity and when other features will be available in Microsoft 365 Defender, see Microsoft Defender for Identity in Microsoft 365 Defender.

This article explains how to apply entity tags to sensitive accounts. This matters because several Defender for Identity detections, such as sensitive group modification detection and lateral movement paths, rely on an entity's sensitivity status.

Defender for Identity also lets you configure honeytoken accounts, which act as traps for malicious actors: any authentication involving one of these normally dormant accounts triggers an alert. Because every authentication fires the alert, choose accounts that have no legitimate use; a sign-in by an administrator or a scheduled task raises the same alert as an attacker's.

Sensitive entities

The following list of groups are considered Sensitive by Defender for Identity. Any entity that is a member of one of these Active Directory groups (including nested groups and their members) is automatically considered sensitive:

  • Administrators

  • Power Users

  • Account Operators

  • Server Operators

  • Print Operators

  • Backup Operators

  • Replicators

  • Network Configuration Operators

  • Incoming Forest Trust Builders

  • Domain Admins

  • Domain Controllers

  • Group Policy Creator Owners

  • Read-only Domain Controllers

  • Enterprise Read-only Domain Controllers

  • Schema Admins

  • Enterprise Admins

  • Microsoft Exchange Servers

Note

Until September 2018, the Remote Desktop Users group was also automatically considered sensitive by Defender for Identity. Remote Desktop entities or groups added after that date are no longer automatically marked as sensitive, while those added before it may remain marked as sensitive. This sensitivity setting can now be changed manually.

In addition to these groups, Defender for Identity identifies the following high value asset servers and automatically tags them as Sensitive:

  • Certificate Authority Server
  • DHCP Server
  • DNS Server
  • Microsoft Exchange Server
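The group list above is the rule Defender for Identity applies; the script below, an added example that is not part of the Defender for Identity documentation, applies the same rule against your own domain so you can see which accounts will carry the Sensitive tag before you start tagging manually. It assumes the ActiveDirectory RSAT module on a domain-joined host with read access to Active Directory; the group names are the ones listed above.

```powershell
# Added example (not from the Defender for Identity documentation): enumerate the accounts that
# Defender for Identity will treat as sensitive because of group membership, expanding nested groups.
# Assumes the ActiveDirectory RSAT module and a domain-joined host with read access to AD.
Import-Module ActiveDirectory

# Built-in groups that Defender for Identity treats as sensitive (the list above).
$sensitiveGroups = @(
    'Administrators', 'Power Users', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Replicators', 'Network Configuration Operators',
    'Incoming Forest Trust Builders', 'Domain Admins', 'Domain Controllers',
    'Group Policy Creator Owners', 'Read-only Domain Controllers',
    'Enterprise Read-only Domain Controllers', 'Schema Admins', 'Enterprise Admins',
    'Microsoft Exchange Servers'
)

$results = foreach ($groupName in $sensitiveGroups) {
    # Enterprise Admins, Schema Admins and Enterprise Read-only Domain Controllers exist only in
    # the forest root domain, and Microsoft Exchange Servers only when Exchange is installed,
    # so groups that are absent from the current domain are skipped rather than treated as errors.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) { continue }

    # -Recursive expands nested groups, matching the "including nested groups and their members" rule.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -in 'user', 'computer' } |
        ForEach-Object {
            [pscustomobject]@{
                Account        = $_.SamAccountName
                ObjectClass    = $_.objectClass
                SensitiveGroup = $groupName
            }
        }
}

# Collapse to one row per account, listing every sensitive group that grants it the tag
# (Domain Admins is nested in Administrators, so many accounts appear under both).
$results |
    Group-Object Account |
    ForEach-Object {
        [pscustomobject]@{
            Account     = $_.Name
            ObjectClass = $_.Group[0].ObjectClass
            Groups      = ($_.Group.SensitiveGroup | Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object Account |
    Format-Table -AutoSize
```

Run it in each domain of the forest, since the forest-root-only groups will not show up from a child domain. Get-ADGroupMember can fail on groups such as Administrators that contain foreign security principals from trusted domains; if that happens, read the group's member attribute directly and resolve the entries yourself. Members of Remote Desktop Users are deliberately not included, because that group is no longer tagged automatically (see the note above).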

Manually tagging entities

You can also manually tag entities as sensitive or honeytoken accounts. If you manually tag additional users or groups, such as board members, company executives, and sales directors, Defender for Identity will consider them sensitive.

To manually tag entities


  1. In the Defender for Identity portal, select Configuration.

  2. Under Detection, select Entity tags.

  3. For each account that you want to configure, do the following:

    1. Under Honeytoken accounts or Sensitive, enter the account name.
    2. Click the plus icon (+) to add it to the list.

    Tip

    The sensitive or honeytoken account field is searchable and will autofill with entities in your network.

  4. Click Save.
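A honeytoken account only works as a trap if nobody uses it legitimately, so it is worth checking a candidate's logon history before entering its name in step 3. The script below is an added example, not part of the Defender for Identity documentation; it assumes the ActiveDirectory RSAT module, and the account names in $candidates are hypothetical placeholders.

```powershell
# Added example (not from the Defender for Identity documentation): sanity-check candidate honeytoken
# accounts before tagging them. Any recent sign-in means the account is in legitimate use and will
# produce noise rather than a high-confidence alert.
# Assumes the ActiveDirectory RSAT module; the account names below are hypothetical placeholders.
Import-Module ActiveDirectory

$candidates = @('svc-backup-admin', 'helpdesk-ro')   # hypothetical names, replace with your own

# lastLogonTimestamp is replicated but only updated when the previous value is more than
# 9-14 days old, so a tolerated quiet period shorter than that window would be meaningless.
$quietDays = 30
$cutoff = (Get-Date).AddDays(-$quietDays)

foreach ($name in $candidates) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'" `
        -Properties lastLogonTimestamp, PasswordLastSet, whenCreated, Enabled, MemberOf
    if (-not $user) {
        Write-Warning "$name does not exist in this domain; create it before tagging it as a honeytoken"
        continue
    }

    # lastLogonTimestamp is stored as a Windows FILETIME; $null means the account has never logged on.
    $lastLogon = if ($user.lastLogonTimestamp) { [DateTime]::FromFileTime($user.lastLogonTimestamp) } else { $null }
    $recentlyUsed = ($null -ne $lastLogon) -and ($lastLogon -gt $cutoff)

    [pscustomobject]@{
        Account         = $user.SamAccountName
        Enabled         = $user.Enabled
        Created         = $user.whenCreated
        LastLogon       = $lastLogon
        PasswordLastSet = $user.PasswordLastSet
        GroupCount      = @($user.MemberOf).Count
        Verdict         = if ($recentlyUsed) { "Used within $quietDays days; not dormant" } else { 'Dormant; suitable honeytoken' }
    }
}
```

lastLogonTimestamp lags behind real logon activity, so for a definitive answer query the non-replicated lastLogon attribute on every domain controller (Get-ADDomainController -Filter * and Get-ADUser -Server per DC) and take the latest value. The GroupCount column is there so you notice when a candidate already holds real group memberships: an account that an attacker could use to do damage is not a trap, it is a target.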

See also