Microsoft Defender for Identity (MDI) is a cloud-based security solution designed to shield organizations from advanced threats targeting Active Directory (AD) environments. The MDI sensor, a lightweight agent deployed on domain controllers, monitors user and device activity within your AD infrastructure. This blog explores the installation process for the MDI sensor, highlighting its purpose, functionalities, and relevant use cases.
Purpose and functionalities of the MDI sensor
The MDI sensor acts as the ‘eyes and ears’ for MDI within your on-premises AD environment. Its core functionalities include:
- Real-time monitoring: The sensor continuously monitors user sign-in attempts, privilege escalations, suspicious activities, and other events within your AD domain.
- Detection and analysis: Advanced analytics in the sensor detect suspicious behavior patterns indicative of potential security threats.
- Threat intelligence integration: The sensor uses threat intelligence feeds from Microsoft to recognize and respond to known attack vectors and malicious activities.
- Communication with MDI cloud service: The sensor securely communicates with the MDI cloud service, relaying collected data for further analysis and threat detection.
Why install the MDI sensor?
Deploying the MDI sensor offers several benefits:
- Enhanced threat detection: MDI proactively detects attacks targeting user credentials, privileged access, and lateral movement within the AD environment.
- Improved security posture: Organizations can reduce risks and prevent security incidents by identifying suspicious activities and potential breaches promptly.
- Reduced attack surface: MDI minimizes the impact of compromised credentials or unauthorized access attempts by implementing ‘least privilege access principles’.
- Streamlined security operations: MDI’s automated threat detection and response capabilities allow security teams to focus on more strategic tasks.
- Compliance support: MDI helps organizations meet regulatory compliance requirements by monitoring user activity and data security.
When to install the MDI sensor?
Here are some key scenarios where installing the MDI sensor is crucial:
- Hybrid environments: Domain controllers with MDI sensors provide comprehensive insight into user activity across both on-premises and Azure AD environments.
- Security concerns: In organizations with frequent security incidents or compromised credentials, MDI detects anomalous behavior and strengthens defenses.
- Compliance requirements: MDI sensors help you comply with regulations that mandate monitoring user activity or detecting data breaches.
Installation scope
Install the MDI sensor on every domain controller in your AD environment to ensure comprehensive monitoring and detection capabilities. You can also deploy MDI sensors on:
- Read-only domain controllers (RODCs): Gain more insight into user behavior in remote network segments.
- Domain member servers: Monitor particular domain member servers hosting important applications or resources for better security.
How to install the MDI sensor
The MDI sensor installation process is straightforward and can be accomplished using two primary methods:
1. Microsoft Defender for Identity portal:
Steps:
- Navigate to the “Sensors” section in the MDI portal.
- Click on “Add Sensor” and choose “Download installer.”
- Download the installer package and copy the provided access key.
- Transfer the installer package to the target domain controller and run it with administrative privileges.
- Enter the copied access key during installation to establish communication with the MDI cloud service.
2. Manual installation:
Steps:
- Download the MDI sensor installer package from the MDI portal.
- Ensure the target domain controller meets the minimum system requirements specified by Microsoft.
- Run the downloaded installer on the domain controller with administrative privileges.
- Provide the access key obtained from the MDI portal during installation.
Additional considerations
- Network connectivity: Ensure domain controllers with MDI sensors can transmit data to the MDI cloud service through a working network connection.
- .NET framework: The MDI sensor requires the target domain controllers to have Microsoft .NET Framework 4.7 or a newer version installed. If not installed, the installer will automatically install the necessary version.
- Permissions: The user installing the MDI sensor must have local administrator privileges on the target domain controller.
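As an added example (not from the original post and not Microsoft's tooling), a PowerShell pre-flight script that verifies the three considerations above on a target domain controller before the installer is run; the MDI cloud endpoint hostname is an assumed parameter you supply from your tenant's portal, and the .NET threshold is the 'Release' registry value Microsoft publishes for 4.7.

```powershell
# Pre-installation check for the MDI sensor on a target domain controller.
# Constructed example; run in an elevated PowerShell session on the DC.
# $SensorApiHost is an assumption: supply the MDI cloud endpoint for your tenant
# (shown in the MDI portal); the value below is a placeholder, not a real host.
param(
    [string]$SensorApiHost = "REPLACE-WITH-YOUR-TENANT-SENSOR-ENDPOINT"
)

$results = [ordered]@{}

# 1. Permissions: the installer must run with local administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$results['LocalAdmin'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Role: DomainRole 4 = backup DC, 5 = primary DC; anything else is a member server.
$domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$results['IsDomainController'] = $domainRole -in 4, 5

# 3. .NET Framework 4.7 or newer. The 'Release' value 460798 marks 4.7; later 4.x
#    releases carry higher values. A FAIL here is not fatal: the installer adds it.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['DotNet47OrNewer'] = ($null -ne $ndp) -and ($ndp.Release -ge 460798)

# 4. Network connectivity: the sensor reaches the MDI cloud service over HTTPS (443).
$tnc = Test-NetConnection -ComputerName $SensorApiHost -Port 443 -WarningAction SilentlyContinue
$results['CloudServiceReachable'] = $tnc.TcpTestSucceeded

# Report each check and exit non-zero if anything is missing, so the result can
# gate an automated deployment pipeline.
$failed = @()
foreach ($check in $results.Keys) {
    if ($results[$check]) { $status = 'PASS' } else { $status = 'FAIL'; $failed += $check }
    Write-Host ("{0,-22} {1}" -f $check, $status)
}
if ($failed.Count -gt 0) {
    Write-Warning ("Prerequisites not met: " + ($failed -join ', '))
    exit 1
}
Write-Host "All prerequisite checks passed; proceed with the sensor installer and access key."
```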
By strategically deploying MDI sensors within their AD environment, organizations can gain important insights into user behavior, enhance security, and ensure compliance with regulatory requirements.