Deploy Microsoft Defender for Identity with Microsoft Defender XDR

This article provides an overview of the full deployment process for Microsoft Defender for Identity, including steps for preparation, deployment, and extra steps for specific scenarios.

Defender for Identity is a primary component of a Zero Trust strategy and your identity threat detection and response (ITDR) or extended detection and response (XDR) deployment with Microsoft Defender XDR. Defender for Identity uses Active Directory signals to detect sudden account changes like privilege escalation or high-risk lateral movement, and reports on easily exploited identity issues like unconstrained Kerberos delegation, for correction by the security team.

For a quick set of deployment highlights, see Quick installation guide.

Prerequisites

Before you start, make sure that you have access to Microsoft Defender XDR at least as a Security administrator, and you have one of the following licenses:

  • Enterprise Mobility + Security E5 (EMS E5/A5)
  • Microsoft 365 E5 (Microsoft E5/A5/G5)
  • Microsoft 365 E5/A5/G5 Security
  • A standalone Defender for Identity license

Acquire licenses directly via the Microsoft 365 portal or use the Cloud Solution Partner (CSP) licensing model.

For more information, see Licensing and privacy FAQs and What are Defender for Identity roles and permissions?

Start using Microsoft Defender XDR

This section describes how to start onboarding to Defender for Identity.

  1. Sign in to the Microsoft Defender portal.
  2. From the navigation menu, select any item, such as Incidents & alerts, Hunting, Action center, or Threat analytics to initiate the onboarding process.

You'll then be given the option to deploy supported services, including Microsoft Defender for Identity. Cloud components required for Defender for Identity are automatically added when you open the Defender for Identity settings page.

For more information, see:

Important

Currently, Defender for Identity data centers are deployed in Europe, UK, North America/Central America/Caribbean, Australia East, and Asia. Your workspace (instance) is created automatically in the Azure region closest to the geographical location of your Microsoft Entra tenant. Once created, Defender for Identity workspaces aren't movable.

Plan and prepare

Use the following steps to prepare for deploying Defender for Identity:

  1. Make sure that you have all prerequisites required.

  2. Plan your Defender for Identity capacity.

Tip

We recommend running the Test-MdiReadiness.ps1 script to test and see if your environment has the necessary prerequisites.

The link to the Test-MdiReadiness.ps1 script is also available from Microsoft Defender XDR, on the Identities > Tools page (Preview).

Deploy Defender for Identity

After you've prepared your system, use the following steps to deploy Defender for Identity:

  1. Verify connectivity to the Defender for Identity service.
  2. Download the Defender for Identity sensor.
  3. Install the Defender for Identity sensor.
  4. Configure the Defender for Identity sensor to start receiving data.

Post-deployment configuration

The following procedures help you complete the deployment process:

Important

Installing a Defender for Identity sensor on an AD FS / AD CS server requires extra steps. For more information, see Configuring sensors for AD FS and AD CS.

Next step