Quickstart: Connect to your Active Directory Forest
The experience described in this page can also be accessed at https://security.microsoft.com as part of Microsoft 365 Defender. The supporting documents for the new experience can be found here. For more information about Microsoft Defender for Identity and when other features will be available in Microsoft 365 Defender, see Microsoft Defender for Identity in Microsoft 365 Defender.
In this quickstart, you'll connect Microsoft Defender for Identity to Active Directory (AD) to retrieve data about users and computers. If you're connecting multiple forests, see the Multi-forest support article.
- A Defender for Identity instance.
- Review the Defender for Identity prerequisites article.
- At least one of the following directory services accounts with read access to all objects in the monitored domains:
  - A standard AD user account and password. Required for sensors running Windows Server 2008 R2 SP1.
  - A group Managed Service Account (gMSA). Requires Windows Server 2012 or above. All sensors must have permissions to retrieve the gMSA account's password. For information about creating a gMSA account, see Set up a gMSA account.
- For sensor machines running Windows Server 2012 and above, we recommend using a gMSA account for its improved security and automatic password management.
- If you have multiple sensors, some running Windows Server 2008 and others running Windows Server 2012 or above, in addition to the recommendation to use a gMSA account, you must also use at least one standard AD user account.
- By default, Defender for Identity supports up to 30 credentials. If you want to add more credentials, contact Defender for Identity support.
How to set up a gMSA account
1. Read the group managed service accounts prerequisites carefully.
2. Create a new security group containing all the domain controllers that will run the sensors (running Windows Server 2012 or above).
   - If you're planning to use one gMSA for the whole forest, you can add all the domain controllers to a universal group.
   - If all the domain controllers are Windows 2012 and above, you can use the built-in Domain Controllers group.
3. Create the gMSA account using the cmdlet as explained in this article. For the PrincipalsAllowedToRetrieveManagedPassword parameter, enter the name of the security group you created in the previous step. This will grant the group permissions to retrieve the gMSA's password.
4. If the user rights assignment policy Log on as a service is configured for this domain controller, impersonation will fail unless the gMSA account is granted the Log on as a service permission. For more information, see Sensor failed to retrieve group Managed Service Account (gMSA) credentials.
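The steps above, as an added PowerShell example (not from the original article or from Microsoft). The group name MDI-Sensor-DCs, the gMSA name mdiSvc01, the domain contoso.com and the operating-system filter are assumptions; run it as a Domain Admin on a host with the ActiveDirectory module.

```powershell
# Added example, not part of the original article. Assumed values:
$GroupName = 'MDI-Sensor-DCs'   # assumed: group of DCs that will run sensors
$GmsaName  = 'mdiSvc01'         # assumed: gMSA name (SAM name is limited to 15 chars)
$Domain    = 'contoso.com'      # assumed: domain FQDN
Import-Module ActiveDirectory

# A KDS root key must exist before any gMSA can be created.
# -EffectiveImmediately is a lab shortcut; in production wait ~10 hours
# for replication before creating the account.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Step 2: a universal security group, so DCs from any domain in the
# forest can be members. Only this group may read the gMSA password.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Universal `
        -GroupCategory Security -PassThru
}

# Add every DC running Windows Server 2012 or later (assumed OS filter).
Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -match 'Windows Server (2012|2016|2019|2022)' } |
    ForEach-Object { Add-ADGroupMember -Identity $group -Members $_.ComputerObjectDN }

# Step 3: create the gMSA; PrincipalsAllowedToRetrieveManagedPassword is
# the least-privilege boundary: hosts outside $group cannot fetch the key.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$Domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $group

# Check, run on each sensor DC after its Kerberos ticket reflects the new
# group membership (reboot or purge the machine ticket): expect True.
Install-ADServiceAccount -Identity $GmsaName
Test-ADServiceAccount -Identity $GmsaName
```

If Test-ADServiceAccount returns False on a DC, the usual cause is that the DC's machine ticket was issued before it was added to the group, or that the Log on as a service policy from step 4 excludes the gMSA.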
Provide a username and password to connect to your Active Directory Forest
The first time you open the Defender for Identity portal, the following screen appears:
Enter the following information and select Save:
| Field | Comments |
| --- | --- |
| Username (required) | Enter the read-only AD username. For example: DefenderForIdentityUser. You must use a standard AD user or gMSA account. Don't use the UPN format for your username. NOTE: We recommend that you avoid using accounts assigned to specific users. |
| Password (required for standard AD user account) | For AD user account only, enter the password for the read-only user. For example: Pencil1. |
| Group managed service account (required for gMSA account) | For gMSA account only, select Group managed service account. |
| Domain (required) | Enter the domain for the read-only user. For example: contoso.com. It's important that you enter the complete FQDN of the domain where the user is located. For example, if the user's account is in domain corp.contoso.com, you need to enter |
In the Defender for Identity portal, click Download sensor setup and install the first sensor to continue.
Join the Community
Have more questions, or an interest in discussing Defender for Identity and related security with others? Join the Defender for Identity Community today!