How to Deploy Microsoft Defender for Identity with Microsoft 365 Defender

The deployment of Microsoft Defender for Identity with Microsoft 365 Defender has two phases – preparation and deployment.

This article will outline the steps in each phase, and also provide instructions for special scenarios.

Start using Microsoft 365 Defender

To begin the deployment of Defender for Identity, sign in to the Microsoft 365 Defender portal. From the navigation menu, select any item, such as Incidents & alerts, Hunting, Action center, or Threat analytics to initiate the onboarding process.

You’ll then be given the option to deploy supported services, including Microsoft Defender for Identity. When you go to the Defender for Identity settings, the required cloud components will be auto-provisioned.

For more information about these steps, see the following articles:

• Get started with Microsoft 365 Defender
• Turn on Microsoft 365 Defender
• Deploy supported services
• Frequently asked questions when turning on Microsoft 365 Defender

 Important

Currently, Defender for Identity data centers are deployed in Europe, UK, North America/Central America/Caribbean, Australia East, and Asia. Your instance is created automatically in the Azure region closest to the geographical location of your Azure Active Directory tenant. Once created, Defender for Identity instances aren’t movable.

Preparation

1. Defender for Identity prerequisites.
2. Plan your Defender for Identity capacity.
3. Configure Windows Event collection.
4. Directory Service accounts.
5. Role groups.
6. Configure remote calls to SAM.

 Note

To test and see if your environment has the necessary prerequisites, you can run the Test-MdiReadiness.ps1 script. For more information, see the script’s page.

Deployment

1. Download the Defender for Identity sensor.
2. Proxy configuration.
3. Install the Defender for Identity sensor.
4. Manage action accounts.
5. Configure the Defender for Identity sensor to start receiving data.

Special scenarios

1. Installing on Active Directory Federation Services
2. Multi-forest support
3. Migrate from Advanced Threat Analytics (ATA)

Standalone sensor

If you deploy Defender for Identity standalone sensors, you’ll need to do the following steps:

1. Configure port mirroring
2. Validate Port Mirroring
3. Configure event collection
4. Configuring Windows Event Forwarding

Ref: Deploying with Microsoft 365 Defender – Microsoft Defender for Identity | Microsoft Learn