This article describes the requirements for installing the Microsoft Defender for Identity sensor v3.x.
Sensor version limitations
The Defender for Identity sensor v3.x is still in preview and offers limited functionality compared with version 2.x. Keep the following limitations in mind before activating it. The Defender for Identity sensor v3.x:
- Requires that Defender for Endpoint is deployed
- Doesn't currently support VPN integration
- Doesn't currently support ExpressRoute
- Doesn't currently offer full functionality of health alerts, posture recommendations, security alerts or advanced hunting data.
Licensing requirements
Deploying Defender for Identity requires one of the following Microsoft 365 licenses:
- Enterprise Mobility + Security E5 (EMS E5/A5)
- Microsoft 365 E5 (Microsoft E5/A5/G5)
- Microsoft 365 E5/A5/G5/F5* Security
- Microsoft 365 F5 Security + Compliance*
- A standalone Defender for Identity license
* Both F5 licenses require Microsoft 365 F1/F3 or Office 365 F3 and Enterprise Mobility + Security E3.
Acquire licenses directly via the Microsoft 365 portal or use the Cloud Solution Partner (CSP) licensing model.
For more information, see Licensing and privacy FAQs.
Roles and permissions
- To create your Defender for Identity workspace, you need a Microsoft Entra ID tenant.
- You must either be a Security Administrator, or have the following Unified RBAC permissions:
  - System settings (Read and manage)
  - Security setting (All permissions)
- We recommend using at least one Directory Service account, with read access to all objects in the monitored domains. For more information, see Configure a Directory Service account for Microsoft Defender for Identity.
Sensor requirements and recommendations
The following table summarizes the server requirements and recommendations for the Defender for Identity sensor.
| Prerequisite / Recommendation | Description |
|---|---|
| Operating System | The domain controller must run Windows Server 2019 or later, with the March 2024 Cumulative Update or later installed. |
| Specifications | A domain controller server with a minimum of two cores and 6 GB of RAM. |
| Performance | For optimal performance, set the Power Option of the machine running the Defender for Identity sensor to High Performance. |
| Connectivity | Requires a Microsoft Defender for Endpoint deployment. If Microsoft Defender for Endpoint is installed on the domain controller, there are no additional connectivity requirements. |
| Previous installations | Before activating the sensor on a domain controller, make sure that the domain controller doesn't have another Defender for Identity sensor already deployed. |
| Server time synchronization | The servers and domain controllers onto which the sensor is installed must have time synchronized to within five minutes of each other. |
| ExpressRoute | This version of the sensor doesn't support ExpressRoute. If your environment uses ExpressRoute, we recommend deploying the Defender for Identity sensor v2.x. |
Note
After the March 2024 Cumulative Update is installed, LSASS might experience a memory leak on on-premises and cloud-based Active Directory domain controllers while servicing Kerberos authentication requests. The out-of-band update KB5037422 addresses this issue.
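The following script is an added example, not the page's Test-MdiReadiness.ps1, that checks the requirements from the table above on a domain controller before the sensor is activated. It assumes an elevated session on the domain controller with the ActiveDirectory module available; the service names `Sense` (Defender for Endpoint) and `AATPSensor` (existing v2.x sensor) are assumptions noted inline, and the cumulative-update check uses KB5037422 from the note above as its minimum.

```powershell
# Added prerequisite check for the Defender for Identity sensor v3.x (not from the page).
# Thresholds come from the requirements table; service names and the KB are assumptions.
$results = [ordered]@{}
$os = Get-CimInstance Win32_OperatingSystem

# Operating System: Windows Server 2019 (build 17763) or later.
$results['Windows Server 2019 or later'] = ([version]$os.Version).Build -ge 17763

# Cumulative updates: assumption that KB5037422 (out-of-band, supersedes the March 2024 CU) is present.
$results['KB5037422 installed'] = [bool](Get-HotFix -Id KB5037422 -ErrorAction SilentlyContinue)

# Specifications: at least two cores and 6 GB of RAM (TotalVisibleMemorySize is in KB; round to GB).
$cores = (Get-CimInstance Win32_Processor | Measure-Object NumberOfCores -Sum).Sum
$results['At least 2 cores'] = $cores -ge 2
$results['At least 6 GB RAM'] = [math]::Round($os.TotalVisibleMemorySize / 1MB) -ge 6

# Performance: the active power plan should be High Performance (matched by its well-known GUID,
# so localized plan names do not matter).
$plan = Get-CimInstance -Namespace root\cimv2\power -ClassName Win32_PowerPlan -Filter 'IsActive = True'
$results['High Performance power plan'] = $plan.InstanceID -like '*8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c*'

# Connectivity: Defender for Endpoint must be deployed. Assumption: its sensor runs as the 'Sense' service.
$results['Defender for Endpoint present'] = [bool](Get-Service -Name Sense -ErrorAction SilentlyContinue)

# Previous installations: no existing sensor. Assumption: the v2.x sensor runs as 'AATPSensor'.
$results['No existing MDI sensor'] = -not (Get-Service -Name AATPSensor -ErrorAction SilentlyContinue)

# Server time synchronization: offset to the PDC emulator must be within five minutes (300 s).
$pdc = (Get-ADDomain).PDCEmulator
$sample = w32tm /stripchart /computer:$pdc /samples:1 /dataonly | Select-Object -Last 1
$offsetSeconds = if ($sample -match '([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) } else { [double]::NaN }
$results['Time within 5 minutes of PDC'] = $offsetSeconds -le 300

# Report and return a non-zero exit code if any check failed.
$results.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($results.Values -contains $false) { exit 1 }
```

The dynamic-memory requirement in the next section is a host-side setting and cannot be confirmed from inside the guest, so it is not covered here.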
Dynamic memory requirements
The following table describes memory requirements on the server used for the Defender for Identity sensor, depending on the type of virtualization you're using:
| VM running on | Description |
|---|---|
| Hyper-V | Ensure that Enable Dynamic Memory isn't enabled for the VM. |
| VMware | Ensure that the amount of memory configured and the reserved memory are the same, or select the Reserve all guest memory (All locked) option in the VM settings. |
| Other virtualization host | Refer to the vendor-supplied documentation on how to ensure that memory is fully allocated to the VM at all times. |
Important
When running as a virtual machine, all memory must be allocated to the virtual machine at all times.
Configure Windows auditing
Defender for Identity detections rely on specific Windows Event Log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications.
Configure Windows event collection on your domain controller to support Defender for Identity detections. For more information, see Event collection with Microsoft Defender for Identity and Configure audit policies for Windows event logs.
You might want to use the Defender for Identity PowerShell module to configure the required settings. For example, the following command defines all settings for the domain, creates group policy objects, and links them.
```powershell
Set-MDIConfiguration -Mode Domain -Configuration All
```
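As an added example (not from the page), the command above wrapped in a test-apply-verify workflow. It assumes the DefenderForIdentity PowerShell module is installed and the session can create and link domain GPOs; the `Configuration` and `Status` property names on the Test-MDIConfiguration output are assumptions to adjust to what the module returns in your environment.

```powershell
# Added workflow around Set-MDIConfiguration (not from the page).
# Assumptions: DefenderForIdentity module installed; session can create and link GPOs;
# Test-MDIConfiguration returns one object per setting with Configuration and Status properties.
Import-Module DefenderForIdentity

# Record which required audit settings are already compliant before changing anything.
$before = @(Test-MDIConfiguration -Mode Domain -Configuration All)
$compliantBefore = @($before | Where-Object { $_.Status }).Count
"Compliant before change: $compliantBefore of $($before.Count)"

# Define all settings for the domain, create the GPOs, and link them (the page's command).
Set-MDIConfiguration -Mode Domain -Configuration All

# GPOs take effect on the next policy refresh; force one on this DC so the re-test sees the new state.
gpupdate /target:computer /force | Out-Null

# Anything still failing after the refresh needs manual investigation (for example a conflicting GPO).
$after = @(Test-MDIConfiguration -Mode Domain -Configuration All)
$after | Where-Object { -not $_.Status } | Format-Table Configuration, Status -AutoSize

# Spot-check one of the settings the section names: auditing of security group modifications.
auditpol /get /subcategory:"Security Group Management"
```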
For more information, see:
Test your prerequisites
We recommend running the Test-MdiReadiness.ps1 script to check whether your environment meets the necessary prerequisites.
The Test-MdiReadiness.ps1 script is also available from Microsoft Defender XDR, on the Identities > Tools page (Preview).