Safeguarding networks from cyber threats demands a proactive approach. Microsoft Defender for Identity provides a robust solution to strengthen organizational security. However, before leveraging this powerful tool, meeting specific requirements is vital. Let’s explore the key prerequisites for implementing Microsoft Defender for Identity, ensuring your network is ready for optimal protection.
What is Microsoft Defender for Identity?
Microsoft Defender for Identity is a cloud-based security solution that uses user behavior analytics and traffic analytics in Active Directory to prevent, detect, and understand identity-based threats. It allows organizations to protect their identities by monitoring and analyzing network traffic, Windows events, and user data to detect suspicious activity. Additionally, Microsoft Defender for Identity uses Network Name Resolution (NNR) to correlate activity based on network traffic, Windows events, and Windows event traces, allowing you to profile objects and generate security alerts for suspicious activity.
Prerequisites and Licensing
To implement Microsoft Defender for Identity, ensure the following prerequisites are met:
- Licensing: Microsoft Entra ID customers must have one of the designated Microsoft 365 licenses, such as Enterprise Mobility + Security E5 or Microsoft 365 E5. Additionally, at least one security administrator must create a Defender for Identity workspace.
- Connectivity requirements: Depending on your network setup, the Defender for Identity sensor must be able to reach the cloud service, whether through a configured proxy, over ExpressRoute, or through firewall rules that allow the IP addresses published for the Defender for Identity cloud service.
- Supported Windows versions: The minimum Windows versions required to install Microsoft Defender for Identity sensors are:
  - Windows Server 2016
  - Windows Server 2019 (requires KB4487044 or a newer cumulative update)
  - Windows Server 2022
Network requirements
For Microsoft Defender for Identity to function effectively, specific network protocols and ports must be enabled for communication between the Defender for Identity sensor and other components:
- SSL: Communication between the Defender for Identity sensor and the Defender for Identity Cloud service requires TCP port 443.
- DNS: Communication between the Defender for Identity sensor and the DNS server requires TCP and UDP port 53.
- Network login: TCP/UDP port 445 is required for communication between the Defender for Identity sensor and all devices on the network.
- RADIUS: Communication between the RADIUS server and the Defender for Identity sensor requires UDP port 1813 (RADIUS accounting).
Troubleshooting network connectivity issues
To troubleshoot Microsoft Defender for Identity network connectivity issues, you can use the following procedures:
- If communication problems stem from a sensor failure, ensure that communication to localhost on TCP port 444 is not blocked.
- If you encounter proxy authentication issues that appear as licensing errors when installing a sensor, verify that the sensor can connect to *.atp.azure.com through the configured proxy without authentication.
- If you encounter connection errors during sensor installation, make sure the Trusted Root Certification Authorities certificate that Defender for Identity requires is installed. Use PowerShell to verify that the certificate is present in the machine's Trusted Root store.
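The port requirements above and the three troubleshooting checks can be exercised from the sensor host with one readiness script. This is an added example, not Microsoft's tooling or the sensor's own diagnostics; the domain controller, DNS server, proxy URL, cloud host under *.atp.azure.com and the root CA name are placeholder parameters you must replace, and the CA name in particular is an assumption you should take from Microsoft's sensor documentation.

```powershell
# Added readiness check (not Microsoft code). All defaults below are placeholders.
param(
    [string]$DomainController = "dc01.corp.example",                # placeholder DC
    [string]$DnsServer        = "10.0.0.10",                        # placeholder DNS server
    [string]$CloudHost        = "yourworkspacesensorapi.atp.azure.com",  # placeholder host under *.atp.azure.com
    [string]$ProxyUrl         = "",                                 # e.g. http://proxy.corp.example:8080; empty = direct
    [string]$RootCaName       = "PLACEHOLDER Root CA"               # assumption: CA name from Microsoft's docs
)

$results = @()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Check; Passed = $Ok; Detail = $Detail }
}
function Test-Tcp([string]$Target, [int]$Port) {
    # Test-NetConnection probes TCP only; UDP/53 and UDP/1813 (RADIUS accounting) cannot be
    # verified this way and need a server-side log or packet capture check instead.
    return (Test-NetConnection -ComputerName $Target -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue)
}

# Sensor <-> cloud service: TCP/443
Add-Result "TCP/443 to $CloudHost" (Test-Tcp $CloudHost 443) "Defender for Identity cloud service"
# Sensor <-> DNS: TCP/53, plus a real resolution against the same server
Add-Result "TCP/53 to $DnsServer" (Test-Tcp $DnsServer 53) "DNS"
$dnsOk = $null -ne (Resolve-DnsName -Name $DomainController -Server $DnsServer -Type A -ErrorAction SilentlyContinue)
Add-Result "DNS resolution via $DnsServer" $dnsOk "Resolve-DnsName for $DomainController"
# Sensor <-> devices on the network: TCP/445 (network logon)
Add-Result "TCP/445 to $DomainController" (Test-Tcp $DomainController 445) "Network logon"
# Sensor-local: TCP/444 on localhost must not be blocked
Add-Result "TCP/444 on localhost" (Test-Tcp "localhost" 444) "Local sensor communication"

# Proxy check: an HTTP 407 from the proxy is the authentication problem that surfaces as a licensing error
if ($ProxyUrl) {
    try {
        Invoke-WebRequest -Uri "https://$CloudHost" -Proxy $ProxyUrl -Method Head -UseBasicParsing -TimeoutSec 15 | Out-Null
        Add-Result "Proxy to $CloudHost" $true "Reached via $ProxyUrl without authentication"
    } catch {
        $code = [int]$_.Exception.Response.StatusCode   # 0 when no HTTP response came back at all
        Add-Result "Proxy to $CloudHost" ($code -gt 0 -and $code -ne 407) "HTTP $code via $ProxyUrl"
    }
}

# Root CA presence in the machine's Trusted Root Certification Authorities store
$certOk = $null -ne (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$RootCaName*" })
Add-Result "Root CA in Trusted Root store" $certOk $RootCaName

$results | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the sensor host; any row with Passed = False maps directly to one of the port or troubleshooting items listed above.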
Key features of Microsoft Defender for Identity
Microsoft Defender for Identity includes several key features:
- Analytics: Gain visibility through an accurate inventory of cloud and on-premises identities to understand your identity environment and mitigate identity threats.
- Risk identification: By reviewing each user's complete activity profile, recent alerts, and overall risk assessment, you can identify the users most at risk and prioritize your response effectively.
Why are network requirements necessary?
Providing connectivity to cloud services is crucial for real-time monitoring and response to security threats. Network requirements enable secure transmission of data from sensors to cloud services. This data includes network traffic information, Windows events, and user data analyzed to identify unusual activity and potential security threats.
Organizations can maintain data security and privacy standards by complying with these network requirements. Sensors and the cloud backend authenticate each other with certificates, so sensor traffic is transmitted securely as long as it is kept free of SSL inspection and interception, which would interfere with that mutual authentication. Following these network rules helps businesses limit the risk of unwanted access or data leaks.
Organizations that follow these network prerequisites can ensure seamless communication between Defender for Identity sensors and cloud services, meet the port requirements for efficient data collection and monitoring, and configure standalone sensors for optimal performance and security. By adhering to these guidelines, you can strengthen your network security and protect effectively against identity-based threats.