Microsoft Defender for Identity prerequisites

This article describes the requirements for a successful deployment of Microsoft Defender for Identity in your environment.

Note

For information on how to plan resources and capacity, see Defender for Identity capacity planning.

Defender for Identity is made up of two components: the Defender for Identity cloud service, which provides the Defender for Identity portal, and the Defender for Identity sensor, which runs on your domain controllers (or, for the standalone sensor, on a dedicated server). For more information about each Defender for Identity component, see Defender for Identity architecture.

Defender for Identity protects your on-premises Active Directory users and users synced to your Azure Active Directory (AAD). To protect an environment made up of only AAD users, see AAD Identity Protection.

To create your Defender for Identity instance, you need an AAD tenant with at least one global administrator or security administrator. Each Defender for Identity instance supports multiple Active Directory forests and a Forest Functional Level (FFL) of Windows 2003 and above.

This prerequisite guide is divided into the following sections to ensure you have everything you need to successfully deploy Defender for Identity.

Before you start: Lists information to gather and accounts and network entities you'll need to have before starting to install.

Defender for Identity portal: Describes Defender for Identity portal browser requirements.

Defender for Identity sensor: Lists Defender for Identity sensor hardware, and software requirements.

Defender for Identity standalone sensor: Lists the requirements for the Defender for Identity standalone sensor, which is installed on a dedicated server and requires port mirroring to be configured on the domain controller so that the sensor receives the domain controller's network traffic.

Note

Defender for Identity standalone sensors do not support the collection of Event Tracing for Windows (ETW) log entries that provide the data for multiple detections. For full coverage of your environment, we recommend deploying the Defender for Identity sensor.

Before you start

This section lists information you should gather as well as accounts and network entity information you should have before starting Defender for Identity installation.

  • Acquire a license for Enterprise Mobility + Security E5 (EMS E5) directly via the Microsoft 365 portal or use the Cloud Solution Partner (CSP) licensing model. Standalone Defender for Identity licenses are also available.

  • Verify the domain controller(s) you intend to install Defender for Identity sensors on have internet connectivity to the Defender for Identity Cloud Service. The Defender for Identity sensor supports the use of a proxy. For more information on proxy configuration, see Configuring a proxy for Defender for Identity.

  • At least one of the following directory services accounts with read access to all objects in the monitored domains:

    • A standard AD user account and password. Required for sensors running Windows Server 2008 R2 SP1.

    • A group Managed Service Account (gMSA). Requires Windows Server 2012 or above.
      All sensors must have permissions to retrieve the gMSA account's password.
      To learn about gMSA accounts, see Getting Started with Group Managed Service Accounts.

      The following table shows which AD user accounts can be used with which server versions:

      Account type               Windows Server 2008 R2 SP1   Windows Server 2012 or above
      Standard AD user account   Yes                          Yes
      gMSA account               No                           Yes

      Note

      • For sensor machines running Windows Server 2012 and above, we recommend using a gMSA account for its improved security and automatic password management.
      • If you have multiple sensors, some running Windows Server 2008 R2 SP1 and others running Windows Server 2012 or above, then in addition to the recommended gMSA account you must also configure at least one standard AD user account, because the 2008 R2 sensors cannot use the gMSA.
      • If you have set custom ACLs on various Organizational Units (OU) in your domain, make sure that the selected user has read permissions to those OUs.
  • If you run Wireshark on a Defender for Identity standalone sensor, restart the Defender for Identity sensor service after you stop the Wireshark capture. If you don't restart the sensor service, the sensor stops capturing traffic.

  • If you attempt to install the Defender for Identity sensor on a machine configured with a NIC Teaming adapter, you'll receive an installation error. If you want to install the Defender for Identity sensor on a machine configured with NIC teaming, see Defender for Identity sensor NIC teaming issue.

  • Deleted Objects container Recommendation: User should have read-only permissions on the Deleted Objects container. Read-only permissions on this container allows Defender for Identity to detect user deletions from your Active Directory. For information about configuring read-only permissions on the Deleted Objects container, see the Changing permissions on a deleted object container section of the View or Set Permissions on a Directory Object article.

  • Optional Honeytoken: A user account of a user who has no network activities. This account is configured as a Defender for Identity Honeytoken user. For more information about using Honeytokens, see Configure exclusions and Honeytoken user.

  • Optional (standalone sensor only): Forward Windows events to Defender for Identity to enhance the authentication-based detections, the additions-to-sensitive-groups detections and the suspicious service creation detections. The Defender for Identity sensor installed on a domain controller receives these events automatically. A standalone sensor can receive them either from your SIEM or through Windows Event Forwarding from your domain controllers. The collected events give Defender for Identity information that is not available from the domain controller network traffic alone.
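The following script is an added example, not code from the Microsoft documentation. It shows how the directory service account requirements above fit together on Windows Server 2012 or later: a gMSA whose password every sensor host can retrieve (the group of domain controllers is the principal allowed to retrieve it), plus the recommended read-only permission on the Deleted Objects container. The account name mdiSvc01, the group name MDI-Sensors and the domain contoso.com are assumptions for illustration; replace them with your own. It runs in an elevated PowerShell session with the ActiveDirectory module, as a domain administrator.

```powershell
# Added example (not from the Microsoft documentation). Assumed names:
# gMSA 'mdiSvc01', security group 'MDI-Sensors', domain 'contoso.com'.
Import-Module ActiveDirectory

# 1. gMSAs need a KDS root key in the forest (one-time step).
if (-not (Get-KdsRootKey)) {
    # Production: Add-KdsRootKey -EffectiveImmediately, then wait ~10 hours for replication.
    # Lab shortcut: backdate the key so it is usable right away on a single DC.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Every host that runs a sensor must be able to retrieve the gMSA password.
#    Put all domain controllers in one group and make that group the allowed principal.
$sensorGroup = New-ADGroup -Name 'MDI-Sensors' -GroupScope Global -GroupCategory Security -PassThru
Get-ADDomainController -Filter * | ForEach-Object {
    Add-ADGroupMember -Identity $sensorGroup -Members $_.ComputerObjectDN
}

# 3. The gMSA itself. Default domain-user read access is all it needs for the directory;
#    AES-only Kerberos avoids RC4 tickets for the service account.
New-ADServiceAccount -Name 'mdiSvc01' `
    -DNSHostName 'mdiSvc01.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $sensorGroup `
    -KerberosEncryptionType AES256

# 4. Read-only access on the Deleted Objects container so deletions are visible to the sensor.
#    Even Domain Admins cannot modify this container's ACL until they take ownership.
$deletedObjects = "CN=Deleted Objects,$((Get-ADDomain).DistinguishedName)"
dsacls $deletedObjects /takeownership
dsacls $deletedObjects /G 'contoso\mdiSvc01$:LCRP'   # List Contents + Read Property

# 5. Verify on a domain controller that will host a sensor: True means the DC can
#    retrieve the gMSA password, which is what the sensor needs at startup.
Test-ADServiceAccount -Identity 'mdiSvc01'
```

If you also have Windows Server 2008 R2 SP1 sensors, create a standard AD user for them in addition to the gMSA; the standard user needs the same read access, including the Deleted Objects permission granted in step 4.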

Defender for Identity portal requirements

Access to the Defender for Identity portal is via a browser, supporting the following browsers and settings:

  • A browser that supports TLS 1.2, such as:

    • Microsoft Edge
    • Internet Explorer version 11 and above
    • Google Chrome 30.0 and above
  • Minimum screen width resolution of 1700 pixels

  • Firewall/proxy open - To communicate with the Defender for Identity cloud service, *.atp.azure.com port 443 must be open in your firewall/proxy.

    Note

    You can also use our Azure service tag (AzureAdvancedThreatProtection) to enable access to Defender for Identity. For more information about service tags, see Virtual network service tags or download the service tags file.

[Figure: Defender for Identity architecture diagram]

Note

By default, Defender for Identity supports up to 200 sensors. If you want to install more sensors, contact Defender for Identity support.

Defender for Identity Network Name Resolution (NNR) requirements

Network Name Resolution (NNR) is a main component of Defender for Identity functionality. To resolve IP addresses to computer names, Defender for Identity sensors look up the IP addresses using the following methods:

  • NTLM over RPC (TCP Port 135)
  • NetBIOS (UDP port 137)
  • RDP (TCP port 3389) - only the first packet of Client hello
  • Queries the DNS server using reverse DNS lookup of the IP address (UDP 53)

For the first three methods to work, the devices on the network must accept inbound connections on the relevant ports from the Defender for Identity sensors; that is, the ports must be open from the sensors to the devices. To learn more about Defender for Identity and NNR, see Defender for Identity NNR policy.

For the best results, we recommend using all of the methods. If this is not possible, you should use the DNS lookup method and at least one of the other methods.
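The function below is an added example, not part of the Microsoft documentation, for checking from a sensor host which of the four NNR methods would succeed against a given set of IP addresses. The reverse DNS lookup and the two TCP checks (RPC 135, RDP 3389) use only reachability; the NetBIOS check sends a real node status request (the same NBSTAT query that nbtstat -A sends) and reads the first returned name. The sample addresses in the usage line are constructed; substitute hosts from your own network.

```powershell
# Added example (not from the Microsoft documentation). Run on a DC or standalone sensor host.
function Test-MdiNnr {
    param(
        [Parameter(Mandatory)][string[]]$IPAddress,
        [int]$TimeoutMs = 2000
    )

    # NetBIOS node status request: header (12 bytes), then the encoded name "*" (0x2A -> 'CK',
    # padded with 0x00 -> 'AA' to 32 characters), terminating 0x00, type NBSTAT (0x0021), class IN.
    $hdr   = [byte[]](0xAB, 0xCD, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20)
    $name  = [System.Text.Encoding]::ASCII.GetBytes('CK' + ('A' * 30))
    $tail  = [byte[]](0x00, 0x00, 0x21, 0x00, 0x01)
    $query = [byte[]]($hdr + $name + $tail)

    foreach ($ip in $IPAddress) {
        $r = [ordered]@{ IP = $ip; ReverseDns = $null; Rpc135 = $false; Rdp3389 = $false; NetBios137 = $false; NetBiosName = $null }

        # Method 4: reverse DNS through the configured DNS servers (port 53)
        try {
            $r.ReverseDns = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop | Select-Object -First 1).NameHost
        } catch { }

        # Methods 1 and 3: the sensor only needs the TCP handshake (and, for RDP, the first Client hello packet)
        foreach ($port in 135, 3389) {
            $tcp = New-Object System.Net.Sockets.TcpClient
            try   { $ok = $tcp.ConnectAsync($ip, $port).Wait($TimeoutMs) -and $tcp.Connected }
            catch { $ok = $false }
            finally { $tcp.Dispose() }
            if ($port -eq 135) { $r.Rpc135 = $ok } else { $r.Rdp3389 = $ok }
        }

        # Method 2: NetBIOS node status over UDP 137. In the response, byte 56 holds the number of
        # names and each 18-byte entry that follows starts with a 15-character name.
        $udp = New-Object System.Net.Sockets.UdpClient
        $udp.Client.ReceiveTimeout = $TimeoutMs
        try {
            [void]$udp.Send($query, $query.Length, $ip, 137)
            $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
            $resp = $udp.Receive([ref]$from)
            $r.NetBios137 = $resp.Length -gt 56
            if ($resp.Length -gt 74 -and $resp[56] -gt 0) {
                $r.NetBiosName = [System.Text.Encoding]::ASCII.GetString($resp, 57, 15).Trim()
            }
        } catch { } finally { $udp.Dispose() }

        [pscustomobject]$r
    }
}

# Constructed sample input; replace with workstations and servers the sensor must resolve.
Test-MdiNnr -IPAddress 10.1.20.101, 10.1.20.102 | Format-Table -AutoSize
```

A row where ReverseDns is empty and all three flags are false is a host the sensor will not be able to name, which shows up in the portal as alerts that reference raw IP addresses. As the section says, at least the DNS method plus one other should succeed for every subnet the domain controllers talk to.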

Defender for Identity sensor requirements

This section lists the requirements for the Defender for Identity sensor.

General

The Defender for Identity sensor supports installation on a domain controller running Windows Server 2008 R2 SP1 (not including Server Core), Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 (including Server Core but not Nano Server), Windows Server 2019* (including Server Core but not Nano Server) as shown in the following table.

Operating system version     Server with Desktop Experience   Server Core     Nano Server
Windows Server 2008 R2 SP1   Supported                        Not supported   Not applicable
Windows Server 2012          Supported                        Not supported   Not applicable
Windows Server 2012 R2       Supported                        Not supported   Not applicable
Windows Server 2016          Supported                        Supported       Not supported
Windows Server 2019*         Supported                        Supported       Not supported

* Requires KB4487044 or newer cumulative update. Sensors installed on Server 2019 without this update will be automatically stopped if the file version of the ntdsai.dll file in the system directory is older than 10.0.17763.316.

The domain controller can be a read-only domain controller (RODC).

For your domain controllers to communicate with the cloud service, you must open port 443 in your firewalls and proxies to *.atp.azure.com.

During installation, if .NET Framework 4.7 or later is not installed, the installer installs .NET Framework 4.7, which might require a reboot of the domain controller. A reboot might also be required if a restart is already pending.

Note

A minimum of 5 GB of disk space is required and 10 GB is recommended. This includes space needed for the Defender for Identity binaries, Defender for Identity logs, and performance logs.

Server specifications

The Defender for Identity sensor requires a minimum of 2 cores and 6 GB of RAM installed on the domain controller. For optimal performance, set the Power Option of the machine running the Defender for Identity sensor to High Performance.

Defender for Identity sensors can be deployed on domain controllers of various loads and sizes, depending on the amount of network traffic to and from the domain controllers, and the amount of resources installed.

On Windows Server 2008 R2 and Windows Server 2012, the Defender for Identity sensor is not supported on machines running in multi-processor group mode. For more information about multi-processor group mode, see troubleshooting.

Note

When running as a virtual machine, dynamic memory or any other memory ballooning feature is not supported.

For more information about the Defender for Identity sensor hardware requirements, see Defender for Identity capacity planning.

Time synchronization

The servers and domain controllers onto which the sensor is installed must have time synchronized to within five minutes of each other.

Network adapters

The Defender for Identity sensor monitors the local traffic on all of the domain controller's network adapters.
After deployment, use the Defender for Identity portal to modify which network adapters are monitored.

The sensor is not supported on domain controllers running Windows 2008 R2 with Broadcom Network Adapter Teaming enabled.
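The following pre-flight check is an added example, not part of the Microsoft documentation. It covers the sensor requirements from the General, Server specifications, Time synchronization and Network adapters sections above and is meant to run in an elevated PowerShell 3.0 or later session on the domain controller before you start the installer. The thresholds are the ones stated above; the .NET 4.7 Release value (460798), the High performance power scheme GUID and the pending-reboot registry keys are standard Windows values rather than Defender for Identity documentation. The -CloudEndpoint parameter is an assumption: pass the instance-specific *.atp.azure.com host name shown in your portal, which this example cannot know.

```powershell
# Added example (not from the Microsoft documentation). Run elevated on the domain controller.
function Test-MdiSensorPrereqs {
    param([string]$CloudEndpoint)   # assumed: your instance's *.atp.azure.com host name

    $results = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" }) }

    # Must be a domain controller (ProductType 2) on Windows Server 2008 R2 SP1 (build 7601) or later
    $os    = Get-CimInstance Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    & $add 'Domain controller on supported OS' ($os.ProductType -eq 2 -and $build -ge 7601) "$($os.Caption) build $build"

    # Server 2019 (build 17763) needs KB4487044 or newer; otherwise the sensor stops itself.
    if ($build -eq 17763) {
        $dll = (Get-Item "$env:SystemRoot\System32\ntdsai.dll").VersionInfo.FileVersion.Split(' ')[0]
        & $add 'ntdsai.dll >= 10.0.17763.316' ([version]$dll -ge [version]'10.0.17763.316') $dll
    }

    # .NET Framework 4.7 or later, else setup installs it and may reboot the DC
    $rel = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
    & $add '.NET Framework 4.7 or later' ($rel -ge 460798) "Release=$rel"

    # A pending restart also forces a reboot during installation
    $pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
               (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
    & $add 'No reboot pending' (-not $pending) $pending

    # Disk: 5 GB required, 10 GB recommended (binaries, sensor logs, performance logs)
    $freeGb = (Get-PSDrive ($env:SystemDrive.TrimEnd(':'))).Free / 1GB
    & $add 'Free disk >= 10 GB (5 GB minimum)' ($freeGb -ge 10) ('{0:N1} GB free' -f $freeGb)

    # CPU and memory: 2 cores and 6 GB RAM minimum
    $cores = (Get-CimInstance Win32_Processor | Measure-Object NumberOfCores -Sum).Sum
    $ramGb = $os.TotalVisibleMemorySize / 1MB
    & $add 'CPU cores >= 2' ($cores -ge 2) $cores
    & $add 'RAM >= 6 GB' ($ramGb -ge 6) ('{0:N1} GB' -f $ramGb)

    # Power plan: High performance (scheme GUID 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c)
    $scheme = (powercfg /getactivescheme) -join ' '
    & $add 'Power plan is High performance' ($scheme -match '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c') $scheme

    # NIC teaming makes the sensor installer fail
    $teams = @(Get-NetLbfoTeam -ErrorAction SilentlyContinue)
    & $add 'No NIC teaming' ($teams.Count -eq 0) ($teams.Name -join ',')

    # Clock within five minutes of the PDC emulator
    $pdc    = (Get-ADDomain).PDCEmulator
    $sample = (w32tm /stripchart "/computer:$pdc" /samples:1 /dataonly) -join ' '
    $offset = if ($sample -match '([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) } else { $null }
    & $add 'Clock offset to PDC < 300 s' ($null -ne $offset -and $offset -lt 300) "$offset s vs $pdc"

    # Outbound TCP 443 to the instance endpoint (goes through the proxy if one is configured)
    if ($CloudEndpoint) {
        $tnc = Test-NetConnection -ComputerName $CloudEndpoint -Port 443 -WarningAction SilentlyContinue
        & $add "TCP 443 to $CloudEndpoint" $tnc.TcpTestSucceeded $tnc.RemoteAddress
    }

    return $results
}

Test-MdiSensorPrereqs | Format-Table Check, Pass, Detail -AutoSize
```

Any row with Pass equal to False should be fixed before running the installer; the NIC teaming and power plan rows are the ones most often missed because neither produces an obvious error until the sensor is already running.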

Ports

The following table lists the minimum ports that the Defender for Identity sensor requires:

Internet ports
  Protocol                      Transport     Port   From                           To
  SSL (*.atp.azure.com)         TCP           443    Defender for Identity sensor   Defender for Identity cloud service
  SSL (localhost)               TCP           444    Defender for Identity sensor   localhost

Internal ports
  Protocol                      Transport     Port   From                           To
  DNS                           TCP and UDP   53     Defender for Identity sensor   DNS servers
  Netlogon (SMB, CIFS, SAM-R)   TCP and UDP   445    Defender for Identity sensor   All devices on network
  RADIUS                        UDP           1813   RADIUS                         Defender for Identity sensor

NNR ports*
  Protocol                      Transport     Port   From                           To
  NTLM over RPC                 TCP           135    Defender for Identity sensor   All devices on network
  NetBIOS                       UDP           137    Defender for Identity sensor   All devices on network
  RDP                           TCP           3389   Defender for Identity sensor   All devices on network
                                (only the first packet of Client hello)

* One of these ports is required, but we recommend opening all of them.

Windows Event logs

Defender for Identity detection relies on specific Windows Event logs that the sensor parses from your domain controllers. For the correct events to be audited and included in the Windows Event log, your domain controllers require accurate Advanced Audit Policy settings. For more information about setting the correct policies, see Advanced audit policy check. To make sure Windows Event 8004 is audited as needed by the service, review your NTLM audit settings.
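The function below is an added example, not part of the Microsoft documentation, for reviewing the NTLM audit settings and the effective advanced audit policy on a domain controller. The registry values under MSV1_0 are the standard storage of the "Network security: Restrict NTLM" policies (AuditReceivingNTLMTraffic 2 = audit all incoming, RestrictSendingNTLMTraffic 1 = audit outgoing, AuditNTLMInDomain 7 = audit all in this domain), and event 8004 is written to the Microsoft-Windows-NTLM/Operational log. The list of audit subcategories is my own choice of the ones an identity sensor depends on; the authoritative list is in the Advanced audit policy check article the paragraph refers to.

```powershell
# Added example (not from the Microsoft documentation). Run elevated on a domain controller.
function Test-MdiAuditSettings {
    # NTLM auditing as stored by the "Network security: Restrict NTLM" policies
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $ntlm = [pscustomobject]@{
        AuditReceivingNTLMTraffic  = $lsa.AuditReceivingNTLMTraffic    # want 2 (all accounts)
        RestrictSendingNTLMTraffic = $lsa.RestrictSendingNTLMTraffic   # want 1 (audit) or 2 (deny)
        AuditNTLMInDomain          = $lsa.AuditNTLMInDomain            # want 7 (enable all)
    }
    $ntlmOk = ($ntlm.AuditReceivingNTLMTraffic -eq 2) -and
              ($ntlm.RestrictSendingNTLMTraffic -ge 1) -and
              ($ntlm.AuditNTLMInDomain -eq 7)

    # Event 8004 only appears if the NTLM operational log is enabled and auditing is on
    $ntlmLog = Get-WinEvent -ListLog 'Microsoft-Windows-NTLM/Operational'
    $recent8004 = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = (Get-Date).AddDays(-1)
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    # Effective advanced audit policy; auditpol /r prints CSV with a Subcategory and an
    # "Inclusion Setting" column ("Success and Failure", "Success", "Failure", "No Auditing").
    # Assumed list of subcategories to check; confirm against the Advanced audit policy check article.
    $wanted = 'Credential Validation', 'Computer Account Management', 'Security Group Management',
              'Distribution Group Management', 'User Account Management',
              'Directory Service Access', 'Directory Service Changes', 'Security System Extension'
    $policy = auditpol /get /category:* /r | ConvertFrom-Csv
    $audit = foreach ($sub in $wanted) {
        $row = $policy | Where-Object { $_.Subcategory -eq $sub }
        [pscustomobject]@{
            Subcategory = $sub
            Setting     = $row.'Inclusion Setting'
            Ok          = [bool]($row -and $row.'Inclusion Setting' -ne 'No Auditing')
        }
    }

    [pscustomobject]@{
        Ntlm            = $ntlm
        NtlmAuditOk     = $ntlmOk
        NtlmLogEnabled  = $ntlmLog.IsEnabled
        Event8004Seen   = [bool]$recent8004
        AuditPolicy     = $audit
        AuditPolicyOk   = -not ($audit | Where-Object { -not $_.Ok })
    }
}

$check = Test-MdiAuditSettings
$check | Select-Object NtlmAuditOk, NtlmLogEnabled, Event8004Seen, AuditPolicyOk
$check.AuditPolicy | Format-Table -AutoSize
```

If NtlmAuditOk is False, set the three Restrict NTLM policies through Group Policy rather than by writing the registry directly, so the change survives policy refresh; if Event8004Seen stays False after the policy is applied and NTLM is actually in use, the operational log is the first place to look.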

Note

Using the Directory service user account, the sensor queries endpoints in your organization for local admins using SAM-R (network logon) in order to build the lateral movement path graph. For more information, see Configure SAM-R required permissions.

Defender for Identity standalone sensor requirements

This section lists the requirements for the Defender for Identity standalone sensor.

Note

Defender for Identity standalone sensors do not support the collection of Event Tracing for Windows (ETW) log entries that provide the data for multiple detections. For full coverage of your environment, we recommend deploying the Defender for Identity sensor.

General

The Defender for Identity standalone sensor supports installation on a server running Windows Server 2012 R2 or Windows Server 2016 (including Server Core). The Defender for Identity standalone sensor can be installed on a server that is a member of a domain or of a workgroup. The Defender for Identity standalone sensor can be used to monitor domain controllers with a Domain Functional Level of Windows 2003 and above.

For your standalone sensor to communicate with the cloud service, port 443 in your firewalls and proxies to *.atp.azure.com must be open.

For information on using virtual machines with the Defender for Identity standalone sensor, see Configure port mirroring.

Note

A minimum of 5 GB of disk space is required and 10 GB is recommended. This includes space needed for the Defender for Identity binaries, Defender for Identity logs, and performance logs.

Server specifications

For optimal performance, set the Power Option of the machine running the Defender for Identity standalone sensor to High Performance.

Defender for Identity standalone sensors can support monitoring multiple domain controllers, depending on the amount of network traffic to and from the domain controllers.

Note

When running as a virtual machine, dynamic memory or any other memory ballooning feature is not supported.

For more information about the Defender for Identity standalone sensor hardware requirements, see Defender for Identity capacity planning.

Time synchronization

The servers and domain controllers onto which the sensor is installed must have time synchronized to within five minutes of each other.

Network adapters

The Defender for Identity standalone sensor requires at least one Management adapter and at least one Capture adapter:

  • Management adapter - used for communications on your corporate network. The sensor will use this adapter to query the DC it's protecting and performing resolution to machine accounts.

    This adapter should be configured with the following settings:

    • Static IP address including default gateway

    • Preferred and alternate DNS servers

    • The DNS suffix for this connection should be the DNS name of the domain for each domain being monitored.

      [Figure: Configure the DNS suffix in advanced TCP/IP settings]

      Note

      If the Defender for Identity standalone sensor is a member of the domain, this may be configured automatically.

  • Capture adapter - used to capture traffic to and from the domain controllers.

    Important

    • Configure port mirroring for the capture adapter as the destination of the domain controller network traffic. For more information, see Configure port mirroring. Typically, you need to work with the networking or virtualization team to configure port mirroring.
    • Configure a static non-routable IP address (with /32 mask) for your environment, with no default gateway and no DNS server addresses. For example, 10.10.0.10/32. This ensures that the capture network adapter captures the maximum amount of traffic and that the management network adapter is used to send and receive the required network traffic.
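The following script is an added example, not part of the Microsoft documentation, showing the two adapters of a standalone sensor configured as the list above describes. The adapter aliases Management and Capture, the addresses (10.1.20.50/24 with gateway 10.1.20.1, DNS servers 10.1.20.10 and 10.1.20.11, capture address 10.10.0.10/32) and the domains contoso.com and fabrikam.com are assumptions for illustration. Port mirroring itself is configured on the switch or hypervisor, not on the sensor, so it is not part of this script.

```powershell
# Added example (not from the Microsoft documentation). Adapter names and addresses are assumed.
# Run elevated on the standalone sensor host.

# --- Management adapter: normal corporate connectivity -------------------------------
Set-NetIPInterface -InterfaceAlias 'Management' -Dhcp Disabled
New-NetIPAddress   -InterfaceAlias 'Management' -IPAddress 10.1.20.50 -PrefixLength 24 -DefaultGateway 10.1.20.1
# Preferred and alternate DNS servers
Set-DnsClientServerAddress -InterfaceAlias 'Management' -ServerAddresses 10.1.20.10, 10.1.20.11
# Connection-specific DNS suffix = DNS name of the monitored domain
Set-DnsClient -InterfaceAlias 'Management' -ConnectionSpecificSuffix 'contoso.com'
# When more than one domain is monitored, make every domain resolvable by short name too
Set-DnsClientGlobalSetting -SuffixSearchList 'contoso.com', 'fabrikam.com'

# --- Capture adapter: receives mirrored DC traffic only -------------------------------
Set-NetIPInterface -InterfaceAlias 'Capture' -Dhcp Disabled
# Clear anything DHCP or a previous admin left behind, including routes and a default gateway
Remove-NetIPAddress -InterfaceAlias 'Capture' -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute     -InterfaceAlias 'Capture' -Confirm:$false -ErrorAction SilentlyContinue
# Non-routable /32, no gateway, no DNS servers
New-NetIPAddress -InterfaceAlias 'Capture' -IPAddress 10.10.0.10 -PrefixLength 32
Set-DnsClientServerAddress -InterfaceAlias 'Capture' -ResetServerAddresses
# Keep the capture address out of AD DNS and out of the client/server bindings it never uses
Set-DnsClient -InterfaceAlias 'Capture' -RegisterThisConnectionsAddress $false
Disable-NetAdapterBinding -Name 'Capture' -ComponentID ms_tcpip6, ms_msclient, ms_server

# --- Verify: Capture must show no gateway and no DNS servers; Management must show both --
Get-NetIPConfiguration -InterfaceAlias 'Management', 'Capture' |
    Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer
```

Disabling the IPv6, client and server bindings on the capture adapter is not in the requirement list above; it is a common hardening step for a sniffing interface so the host never originates traffic on it, and it is safe to leave out if your environment does not allow it.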

Ports

The following table lists the minimum ports that the Defender for Identity standalone sensor requires, configured on the management adapter:

Internet ports
  Protocol                      Transport     Port   From                           To
  SSL (*.atp.azure.com)         TCP           443    Defender for Identity sensor   Defender for Identity cloud service
  SSL (localhost)               TCP           444    Defender for Identity sensor   localhost

Internal ports
  Protocol                      Transport     Port   From                           To
  LDAP                          TCP and UDP   389    Defender for Identity sensor   Domain controllers
  Secure LDAP (LDAPS)           TCP           636    Defender for Identity sensor   Domain controllers
  LDAP to Global Catalog        TCP           3268   Defender for Identity sensor   Domain controllers
  LDAPS to Global Catalog       TCP           3269   Defender for Identity sensor   Domain controllers
  Kerberos                      TCP and UDP   88     Defender for Identity sensor   Domain controllers
  Netlogon (SMB, CIFS, SAM-R)   TCP and UDP   445    Defender for Identity sensor   All devices on network
  Windows Time                  UDP           123    Defender for Identity sensor   Domain controllers
  DNS                           TCP and UDP   53     Defender for Identity sensor   DNS servers
  Syslog (optional)             TCP or UDP    514    SIEM server                    Defender for Identity sensor
                                (transport depends on configuration)
  RADIUS                        UDP           1813   RADIUS                         Defender for Identity sensor

NNR ports*
  Protocol                      Transport     Port   From                           To
  NTLM over RPC                 TCP           135    Defender for Identity sensor   All devices on network
  NetBIOS                       UDP           137    Defender for Identity sensor   All devices on network
  RDP                           TCP           3389   Defender for Identity sensor   All devices on network
                                (only the first packet of Client hello)

* One of these ports is required, but we recommend opening all of them.
