Connect Microsoft Defender for Identity to Active Directory
Start course

Microsoft Defender for Identity is a cloud-based security solution that leverages on-prem Active Directory to identify, detect, and investigate things like threats and compromised identities. It also helps identify malicious insider attacks.

For any feedback relating to this course, please contact us at

Learning Objectives

  • Learn what Defender for Identity is
  • Learn how to create a Defender for Identity instance
  • Learn how to connect Defender for Identity to an on-prem Active Directory forest
  • Learn how to install the Defender for Identity sensor

Intended Audience

This quick-hitting course is intended for those who want to learn how to deploy Defender for Identity.


To get the most from this course, you should have a basic understanding of Microsoft Azure and Microsoft 365.


Welcome back. So now that we have our Microsoft Defender for Identity instance created, what we'll do here in this demonstration is complete the deployment by attaching it to our active directory forest. This is going to entail providing a username and password for the forest, downloading the sensor and installing it on the domain controller, and configuring that sensor. So from this portal here, what we'll do is click on provide a username and password. And what I'm going to do for this demonstration is just use the domain admin for the on-prem active directory. We could use a group managed service account. If we highlight it here, we could see that services that get configured with a group managed service account don't require a password, and they're considered more secure. In this demonstration here, I'm not entirely worried about security. It's a throwaway domain. So we're just going to use the domain admin account for our on-prem active directory. So we'll go ahead. Go with VM admin. We'll provide the password here. And the domain name is And we'll go ahead and save this information. And now what we need to do is download the sensor setup. So we'll go ahead and download it. Now, you'll notice here we have the download button, but we also have an access key here that we need to copy because we'll need that when we install the actual sensor. So we'll copy the access key and then we'll download the sensor. Now I'm downloading this sensor to my workstation here, my local laptop. Once this downloads we'll copy it over to our domain controller. So we'll show this in the folder. We'll copy this. And then we'll bounce over to our domain controller where we'll paste it. So this guy here, this server you're looking at is called DCO1 It's the only domain controller for the on-prem active directory that I spun up in a lab environment in Azure. So we're just mocking an on-prem environment, right within Azure here. So what we'll do is we'll copy this over and then we'll run this sensor setup on this machine. Okay, so we have it copied over. So what we'll do is extract it and then we'll begin the setup. And this process is actually pretty straightforward. What we first have to do is select our language. So we'll use English. Now in this sensor deployment site, we have a couple different options. We have sensor, standalone sensor, or ADFS sensor. We don't have any ADFS in our environment, so this isn't an option. The standalone sensor is not an option we're using. That allows you to install on dedicated servers, but then you had to configure port mirroring and the like from the domain controllers. What we're doing here is the basic sensor installation. This is where the sensor's installed directly on domain controllers and then monitors the local traffic on those DCs. It also performs, as you can see here, dynamic resource limitation based on the domain controller's load. So basically that means that the sensor isn't going to overpower whatever the domain control is doing. So we'll go ahead and click next here. And we can accept the fault installation path. There's no real need to change it. And then this is where we paste in the access key, which I have to go back and copy. Copy him, go back over, and paste. There we go. So we'll go ahead and install. And this just takes a few minutes here. It's nothing, nothing crazy. And this sensor is what's going to read all the information from the domain controller, which in turn is providing information for the forest to Microsoft Defender for Identity. And we can see installation has completed successfully. And we'll finish. Now I do want to note that since this sensor is going to communicate with the Defender for Identity service, you need to have internet access from this machine. In most environments, that's not too big a deal. Even if you have a proxy in place for internet access, this will work with a proxy. So now that we have the sensor installed we'll bounce back over here and we can see DCO1 has now shown up and we can see the service status is running and that's pretty much it. We now have Defender for Identity created. We have the instance created and we have it connected with our on-prem active directory. Under data sources here, we can look at the directory services we're connected to, and you can add additional ones here. If we hover over the icon here, we can add another set of credentials to support sensors in an untrusted forest. So you can monitor multiple forests with a single instance of Defender for Identity. We can also choose VPN as a data source. We can actually monitor RADIUS accounting. If we hover over the icon here, we can see that enabling this switch here enables the RADIUS listener for all sensors on port 1813, using the UDP protocol. We can also, if we go into Microsoft Defender for Endpoint, we can integrate with Microsoft Defender for Endpoint in our environment. I'm not using Defender for Endpoint, so we're not going to turn this on. And then of course we can look at entity tags, exclusions, and do all of our management, right from Microsoft Defender for Identity. We can even delete the instance. So that's it. That's how you deploy Microsoft Defender for Identity. And it's how you connect it to your on-prem traditional active directory forest.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.