{"id":4897,"date":"2023-10-11T15:21:54","date_gmt":"2023-10-11T22:21:54","guid":{"rendered":"https:\/\/SUMMALAI.COM\/?p=4897"},"modified":"2023-10-11T15:21:56","modified_gmt":"2023-10-11T22:21:56","slug":"how-to-deploy-microsoft-defender-for-identity","status":"publish","type":"post","link":"https:\/\/SUMMALAI.COM\/?p=4897","title":{"rendered":"How to Deploy Microsoft Defender for Identity"},"content":{"rendered":"\n<p>Are you planning on deploying Microsoft Defender for Identity (MDI), but you are not sure how to? No worries, this blog will walk you through the deployment steps.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is Microsoft Defender for Identity<\/h2>\n\n\n\n<p>MDI leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Now that we have that out of the way, let\u2019s move on to the fun stuff.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/prerequisites\">Prerequisites<\/a><\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><strong><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/prerequisites#licensing\">Licensing<\/a><\/strong><ul><li>One of the following licenses is required.<ul><li>Enterprise Mobility + Security E5\/A5<\/li><li>Microsoft 365 E5\/A5\/G5<\/li><li>Microsoft 365 E5\/A5\/G5 Security<\/li><\/ul><\/li><\/ul><\/li><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/directory-service-accounts\"><strong>Directory Service Account (DSA)<\/strong><\/a><br>When creating the DSA, you have three options. 
For more info click&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/directory-service-accounts\">here<\/a><ul><li><strong>Group Managed Service Account<\/strong>&nbsp;(gMSA) (recommended) \u2013 This is the recommended DSA option due to its more secure deployment and management of passwords.<\/li><li><strong>Regular user account in Active Directory<\/strong>&nbsp;\u2013 This option is easy to get started with but requires additional management overhead of passwords.<\/li><li><strong>Local service account&nbsp;<\/strong>\u2013 This option is used out-of-the-box and deployed by default with the sensor, no additional configuration steps are required. This option has limitations such as no support for SAM-R queries and multi-forest scenarios.<\/li><\/ul><\/li><li><strong>Permissions<\/strong><ul><li>To create your Defender for Identity instance, you\u2019ll need an Azure AD tenant with at least one&nbsp;<strong>global\/security administrator<\/strong><\/li><li>You need to be a&nbsp;<strong>global administrator<\/strong>&nbsp;or&nbsp;<strong>security administrator&nbsp;<\/strong>on the tenant to access the Identity section on the Microsoft 365 Defender portal and be able to create the workspace.<\/li><\/ul><\/li><li><strong>Browser<\/strong><ul><li>Access Defender for Identity using Microsoft Edge or any HTML 5 compliant web browser.<\/li><\/ul><\/li><li><strong>Firewall<\/strong><ul><li>Verify access to the Defender for Identity Cloud Service from the servers you plan to install the sensor on. Servers should be able to access&nbsp;<a href=\"https:\/\/%2Ayour-instancename%2Asensorapi.atp.azure.com\/\">https:\/\/*your-instancename*sensorapi.atp.azure.com<\/a>. 
For example,&nbsp;<a href=\"https:\/\/contososensorapi.atp.azure.com\/\">https:\/\/contososensorapi.atp.azure.com<\/a>&nbsp;for commercial and&nbsp;<a href=\"https:\/\/contososensorapi.gcc.atp.azure.com\/\">https:\/\/contososensorapi.gcc.atp.azure.com<\/a>&nbsp;for GCC.<\/li><\/ul><\/li><li>Ports, Network Name Resolution, Sensor requirements, Server specifications, Time synchronization, Network adapter and Windows Event logs requirements are found&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/prerequisites#ports\">here<\/a>.<\/li><\/ul>\n\n\n\n<p>Before we move forward, we need to create the Defender for Identity workspace.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Create the Defender for Identity workspace<\/h2>\n\n\n\n<p>To create a Defender for Identity workspace, navigate to&nbsp;<a href=\"https:\/\/security.microsoft.com\/\">https:\/\/security.microsoft.com\/<\/a>&nbsp;and in the left menu, select Settings &gt; Identities, and wait for the process to complete.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Validate access to the Defender cloud service<\/h2>\n\n\n\n<p>Before installing the sensor, confirm access to the Defender cloud service from the domain controller. We will use PowerShell to validate access to the service URL. For commercial, use&nbsp;<a href=\"https:\/\/%2Ayour-instance-name%2Asensorapi.atp.azure.com\/\">https:\/\/*your-instance-name*sensorapi.atp.azure.com<\/a>&nbsp;and for GCC, use&nbsp;<a href=\"https:\/\/%2Ayour-instance-name%2Asensorapi.gcc.atp.azure.com\/\">https:\/\/*your-instance-name*sensorapi.gcc.atp.azure.com<\/a>. We will need the workspace name.<br><br>Navigate to&nbsp;<a href=\"https:\/\/security.microsoft.com\/\">https:\/\/security.microsoft.com\/<\/a>&nbsp;&gt;&nbsp;<strong>Settings<\/strong>&nbsp;&gt;&nbsp;<strong>Identities<\/strong>&nbsp;&gt; under&nbsp;<strong>General<\/strong>&nbsp;click on&nbsp;<strong>About<\/strong>&nbsp;&gt; then copy the Workspace Name. 
In my lab, the workspace name is&nbsp;<strong>Contoso<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image.png?resize=807%2C563&amp;ssl=1\" alt=\"\" class=\"wp-image-76846\"\/><\/figure>\n\n\n\n<p>Your cloud service URL for GCC would look like&nbsp;<a href=\"https:\/\/contososensorapi.gcc.atp.azure.com\/\">https:\/\/Contososensorapi.gcc.atp.azure.com<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/contososensorapi.atp.azure.com\/\">https:\/\/Contososensorapi.atp.azure.com<\/a>&nbsp;for commercial. Since it is not best practice to browse on a domain controller, we will use a short PowerShell command to validate access. Run the command below.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><code># Replace Contoso with your workspace name; a 503 response confirms the endpoint is reachable<\/code><br><code>$HTTP_Request = [System.Net.WebRequest]::Create('https:\/\/Contososensorapi.atp.azure.com')<\/code><br><code>$HTTP_Request.GetResponse()<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-1.png?resize=1024%2C255&amp;ssl=1\" alt=\"\" class=\"wp-image-76848\"\/><\/figure>\n\n\n\n<p>A 503 error confirms access. If you get a different error, or are prompted for a certificate, then there are issues accessing the service. Check the firewall or proxy settings.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Create the gMSA account<\/h2>\n\n\n\n<p>It requires a little more effort to use a gMSA account, so we will go through the steps to create the account. 
Adding the account after creation is the same as adding a regular Active Directory account.<\/p>\n\n\n\n<p>Confirm the following before creating a gMSA account.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The forest schema needs to be at least Windows Server 2012<\/li><li>The master root key for AD has been deployed<\/li><li>And there is at least one Windows Server 2012 DC.<\/li><\/ul>\n\n\n\n<p>The Domain Controllers require a root key to begin generating gMSA passwords. The KDS root key creation requires domain admin or enterprise admin rights. For more information click&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/group-managed-service-accounts\/create-the-key-distribution-services-kds-root-key\">here<\/a>. Before creating a root key, check if one exists already.<\/p>\n\n\n\n<p>To check, open PowerShell and run the command below:<br><em><mark>Get-KdsRootKey<\/mark><\/em><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-5.png?resize=925%2C240&amp;ssl=1\" alt=\"\" class=\"wp-image-76857\"\/><\/figure>\n\n\n\n<p>The results from the screenshot above confirm the existence of the root key. No result means the key does not exist. Run one of the commands below to create the root key if it does not exist.<\/p>\n\n\n\n<p><strong>If only one DC, use this command to create the root key and set start time in the past:<\/strong><br><em>Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))<\/em><br><strong>For multiple DCs, use the command below and allow time for replication:<\/strong><br><em>Add-KdsRootKey -EffectiveImmediately<\/em><\/p>\n\n\n\n<p>Run the PowerShell script below to create the gMSA account. The script creates an Active Directory group and all domain controllers are added to it. As a result, any DC can retrieve the account password. 
Click&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/directory-service-accounts\">here&nbsp;<\/a>to learn more.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><code># Set the variables:<\/code><br><code>$gMSA_AccountName = 'service1'<\/code><br><code>$gMSA_HostsGroupName = 'gMSAGroup'<\/code><br><code>$gMSA_HostNames = 'srvEl4HDC' #, 'DC2', 'DC3', 'DC4', 'DC5', 'DC6', 'ADFS1', 'ADFS2'<\/code><br><br><code># Import the required PowerShell module:<\/code><br><code>Import-Module ActiveDirectory<\/code><br><br><code># Create the group and add the members<\/code><br><code>$gMSA_HostsGroup = New-ADGroup -Name $gMSA_HostsGroupName -GroupScope Global -PassThru -Verbose<\/code><br><code>$gMSA_HostNames | ForEach-Object { Get-ADComputer -Identity $_ } |<\/code><br><code>&nbsp;&nbsp;&nbsp;&nbsp;ForEach-Object { Add-ADGroupMember -Identity $gMSA_HostsGroupName -Members $_ }<\/code><br><br><code># Or, use the built-in 'Domain Controllers' group if the environment is a single forest, and will contain only domain controller sensors<\/code><br><code># $gMSA_HostsGroup = Get-ADGroup -Identity 'Domain Controllers'<\/code><br><br><code># Create the gMSA; members of the hosts group may retrieve its password:<\/code><br><code>New-ADServiceAccount -Name $gMSA_AccountName -DNSHostName \"$gMSA_AccountName.$env:USERDNSDOMAIN\" `<\/code><br><code>&nbsp;&nbsp;&nbsp;&nbsp;-PrincipalsAllowedToRetrieveManagedPassword $gMSA_HostsGroup<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>To confirm the creation of the gMSA account, open 
PowerShell and run this command.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><code>Get-ADServiceAccount -Identity service1&nbsp;&nbsp;# service1 is the name of the gMSA account.<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-6.png?resize=556%2C202&amp;ssl=1\" alt=\"\" class=\"wp-image-76860\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Install the gMSA account on each DC<\/h2>\n\n\n\n<p>Like I said, the gMSA account takes a little more effort than the Active Directory user account. After creating the gMSA account, we need to install it on each DC. Run the command below to install, then wait 10 hours for the DC to request a new Kerberos ticket and register its group membership.&nbsp; If you do not want to wait, restart the DC.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><code>Install-ADServiceAccount -Identity 'Service1'<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Add the directory service account in Microsoft 365 Defender<\/h2>\n\n\n\n<p>To connect your sensors with your Active Directory domains, you\u2019ll need to configure the Directory Service account in Microsoft 365 Defender.&nbsp; You can use a group managed service account (gMSA) or a regular Active Directory service account.&nbsp; For this example, we will use a standard read-only AD service account. The steps to add a gMSA account are identical to the steps below.<\/p>\n\n\n\n<p>When using a regular AD account, it is recommended to use a service account instead of a user account. 
Creating a service account in AD is super easy, so we will move on to adding the account.<\/p>\n\n\n\n<p>Navigate to&nbsp;<a href=\"https:\/\/security.microsoft.com\/\">https:\/\/security.microsoft.com\/<\/a>&nbsp;&gt;&nbsp;<strong>Settings<\/strong>&nbsp;&gt;&nbsp;<strong>Identities<\/strong>&nbsp;&gt; under&nbsp;<strong>General<\/strong>&nbsp;click on&nbsp;<strong>Directory service accounts<\/strong>&nbsp;then&nbsp;<strong>Add credentials<\/strong>. In my example, the account name is Blake and the domain name is Contoso.com<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-2.png?resize=1024%2C451&amp;ssl=1\" alt=\"\" class=\"wp-image-76852\"\/><\/figure>\n\n\n\n<p>Click&nbsp;<strong>Add credentials<\/strong>&nbsp;to add a directory service account.&nbsp; Enter the&nbsp;<strong>Account name<\/strong>,&nbsp;<strong>Domain<\/strong>&nbsp;and&nbsp;<strong>Password<\/strong>, then click&nbsp;<strong>Save<\/strong>. Simple and straightforward.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-3.png?resize=917%2C432&amp;ssl=1\" alt=\"\" class=\"wp-image-76854\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Download and install the sizing tool<\/h2>\n\n\n\n<p>Run the sizing tool before installing the sensor. The Sizing Tool measures the capacity needed for domain controllers, not ADFS servers. 
The following CPU and Random Access Memory (RAM) capacity refers to the<em>&nbsp;sensor\u2019s own consumption<\/em>, not the domain controller capacity.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-21.png?resize=862%2C309&amp;ssl=1\" alt=\"\" class=\"wp-image-76916\"\/><\/figure>\n\n\n\n<p><strong>Download the sizing tool:<\/strong><br>Click&nbsp;<a href=\"https:\/\/github.com\/microsoft\/Microsoft-Defender-for-Identity-Sizing-Tool\/releases\">here<\/a>&nbsp;to download the sizing tool. When the page opens, click on the highlighted link as shown in the image below.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-22.png?resize=552%2C324&amp;ssl=1\" alt=\"\" class=\"wp-image-76918\"\/><\/figure>\n\n\n\n<p><strong>Install the sizing tool:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Use your enterprise admin account to run the tool.<\/li><li>If possible, run the tool on a Privileged Access Workstation (PAW). If a PAW is not available, run the tool on a member server or workstation.<\/li><li>The sizing tool will collect counters from each domain controller. Allow the tool to run for 24 hours.<\/li><li>Extract the files from Tri_Sizing_Tool_ZIP. Open a command prompt as administrator and run TriSizingTool.exe.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-23.png?resize=880%2C493&amp;ssl=1\" alt=\"\" class=\"wp-image-76920\"\/><\/figure>\n\n\n\n<p>The sizing tool will create an Excel file in the folder you ran the tool from. 
Locate and select the \u201cAzure ATP Summary\u201d sheet for any domain controller capacity recommendations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Download the sensor<\/h2>\n\n\n\n<p>Navigate to&nbsp;<a href=\"https:\/\/security.microsoft.com\/\">https:\/\/security.microsoft.com\/<\/a>&nbsp;&gt;&nbsp;<strong>Settings<\/strong>&nbsp;&gt;&nbsp;<strong>Identities<\/strong>&nbsp;&gt; under&nbsp;<strong>General<\/strong>&nbsp;click on&nbsp;<strong>Sensors<\/strong>&nbsp;&gt; then to the right, click on&nbsp;<strong>Add sensor<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-7.png?resize=772%2C339&amp;ssl=1\" alt=\"\" class=\"wp-image-76863\"\/><\/figure>\n\n\n\n<p>On the Add a new sensor page, copy the Access key.&nbsp; The key is only used to install the sensor.&nbsp; All communication after the sensor is installed will use certificates for authentication.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-11.png?resize=460%2C270&amp;ssl=1\" alt=\"\" class=\"wp-image-76868\"\/><\/figure>\n\n\n\n<p>The download will start immediately after clicking on&nbsp;<strong>Download installer<\/strong>.&nbsp; The name of the file is Azure ATP Sensor Setup.zip. It is not best practice to open a browser and download files on a domain controller.&nbsp; Download the installer on a workstation, then copy the installer to the domain controller. 
The zip includes the following files.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-12.png?resize=316%2C133&amp;ssl=1\" alt=\"\" class=\"wp-image-76870\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/install-sensor\"><mark>Install the sensor<\/mark><\/a><\/h2>\n\n\n\n<p>Microsoft Defender for Identity supports up to 350 sensors. If you need more, contact support. Before installing the sensor, confirm Microsoft .Net 4.7 or later is installed.&nbsp; If not, the sensor package will install it, but the server might reboot.<\/p>\n\n\n\n<p>Extract the zip file that was downloaded in the previous section and run Azure ATP Sensor Setup.exe as administrator. On the first page select your language and click&nbsp;<strong>Next<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-13.png?resize=652%2C402&amp;ssl=1\" alt=\"\" class=\"wp-image-76873\"\/><\/figure>\n\n\n\n<p>The installer checks if the server is a DC.&nbsp; If not, it installs the standalone sensor.&nbsp; Click&nbsp;<strong>Next<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-14.png?resize=625%2C384&amp;ssl=1\" alt=\"\" class=\"wp-image-76875\"\/><\/figure>\n\n\n\n<p>On the&nbsp;<strong>Configure the sensor<\/strong>&nbsp;page, enter the installation path and access key, then click&nbsp;<strong>Install<\/strong>.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-15.png?resize=637%2C382&amp;ssl=1\" alt=\"\" class=\"wp-image-76877\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-16.png?resize=640%2C385&amp;ssl=1\" alt=\"\" class=\"wp-image-76878\"\/><\/figure>\n\n\n\n<p>If there are no errors or issues, the installer should report \u201cInstallation completed successfully\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-17.png?resize=643%2C394&amp;ssl=1\" alt=\"\" class=\"wp-image-76880\"\/><\/figure>\n\n\n\n<p>Open Services on the DC and confirm the MDI service is running.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-18.png?resize=780%2C174&amp;ssl=1\" alt=\"\" class=\"wp-image-76882\"\/><\/figure>\n\n\n\n<p>Navigate to the security portal and confirm the health of the sensor.&nbsp; Check the service status and the health status.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-19.png?resize=1015%2C217&amp;ssl=1\" alt=\"\" class=\"wp-image-76884\"\/><\/figure>\n\n\n\n<p>If the status is not healthy, check if NTLM auditing is enabled. For step-by-step instructions, click&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/configure-windows-event-collection#event-id-8004\">here<\/a>. 
After stepping through the instructions, the highlighted options below will be enabled.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/azurecloudai.blog\/wp-content\/uploads\/2023\/07\/image-20.png?resize=822%2C466&amp;ssl=1\" alt=\"\" class=\"wp-image-76886\"\/><\/figure>\n\n\n\n<p>Ref: <a href=\"https:\/\/azurecloudai.blog\/2023\/07\/14\/how-to-install-microsoft-defender-for-identity\/\">How to deploy Microsoft Defender for Identity &#8211; Azure Cloud &amp; AI Domain Blog (azurecloudai.blog)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Are you planning on deploying Microsoft Defender for Identity (MDI), but you are not sure how to? No worries, this blog will walk you through the deployment steps. What is Microsoft Defender for Identity MDI Leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed <a class=\"read-more\" href=\"https:\/\/SUMMALAI.COM\/?p=4897\">Read 
More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[238,239],"tags":[1614],"class_list":["post-4897","post","type-post","status-publish","format-standard","hentry","category-cloud","category-azure","tag-deploy-microsoft-defender-for-identity"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4897","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4897"}],"version-history":[{"count":1,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4897\/revisions"}],"predecessor-version":[{"id":4898,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4897\/revisions\/4898"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4897"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4897"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4897"}],"curies":[{"name":
"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}