Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.
It is a cloud-based service, where sensors installed on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.
Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP), and is the cloud successor to the on-premises Advanced Threat Analytics (ATA).
In January 2022, four new versions of Microsoft Defender for Identity were released:
- Version 2.168, released on January 9th, 2022
- Version 2.169, released on January 17th, 2022
- Version 2.170, released on January 24th, 2022
- Version 2.171, released on January 31st, 2022
Action Account for Defender for Identity
With version 2.169, Microsoft released the ability to configure an action account for Microsoft Defender for Identity. From Microsoft's point of view, this is the first step towards taking response actions on user accounts directly from the product.
To start, Defender for Identity admins can define the group Managed Service Account (gMSA) that Microsoft Defender for Identity will use to take these actions.
Perform these steps:
- Create a group Managed Service Account (gMSA) in Active Directory.
- In Active Directory, delegate permissions to the gMSA at the domain level, scoped to descendant user objects: the Reset Password extended right, read and write of the pwdLastSet attribute, and read and write of the userAccountControl attribute.
- Add the gMSA in the Microsoft 365 Defender portal under Settings, Identities. Under Microsoft Defender for Identity, select Manage action accounts.
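The first two steps above, carried out from an elevated PowerShell session with the ActiveDirectory module, as an added example (it is not from the original post and not Microsoft's own script). The gMSA name mdiAction, the domain corp.contoso.com and the Domain Controllers group as the only principal allowed to retrieve the managed password are assumptions; the schema and extended-right GUIDs are resolved from the forest at runtime rather than hardcoded.

```powershell
# Added example: create the MDI action gMSA and delegate the documented
# permissions at the domain root, inherited by descendant user objects.
# Assumptions: gMSA name 'mdiAction', DNS suffix 'corp.contoso.com'.
Import-Module ActiveDirectory

$gmsaName = 'mdiAction'                                     # assumed name
$dnsHost  = "$gmsaName.corp.contoso.com"                    # assumed suffix

# 1. Create the gMSA. Only the Domain Controllers (where the MDI sensor
#    runs) may retrieve its managed password; keep this group minimal,
#    because whoever holds this password can reset user passwords.
#    A KDS root key must already exist (Get-KdsRootKey); in a lab only:
#    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
New-ADServiceAccount -Name $gmsaName -DNSHostName $dnsHost `
    -PrincipalsAllowedToRetrieveManagedPassword 'Domain Controllers' `
    -KerberosEncryptionType AES128, AES256 -Enabled $true

# 2. Resolve the GUIDs the ACEs need from the schema/configuration
#    partitions instead of trusting copied constants.
$rootDse = Get-ADRootDSE
$schemaGuid = @{}
foreach ($ldapName in 'user', 'pwdLastSet', 'userAccountControl') {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    $schemaGuid[$ldapName] = [guid]$obj.schemaIDGUID
}
$resetPwd = Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' `
    -Properties rightsGuid
$resetPwdGuid = [guid]$resetPwd.rightsGuid

# 3. Build the ACEs: apply at the domain root, inherit to user objects only.
$domainDn = (Get-ADDomain).DistinguishedName
$aclPath  = "AD:\$domainDn"
$sid      = (Get-ADServiceAccount -Identity $gmsaName).SID
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$userCls  = $schemaGuid['user']

$acl = Get-Acl -Path $aclPath

# Reset Password extended right on descendant user objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ExtendedRight', 'Allow', $resetPwdGuid, $inherit, $userCls)))

# Read + write pwdLastSet and userAccountControl on descendant user objects
foreach ($attr in 'pwdLastSet', 'userAccountControl') {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ReadProperty, WriteProperty', 'Allow', $schemaGuid[$attr], $inherit, $userCls)))
}
Set-Acl -Path $aclPath -AclObject $acl

# 4. Verify: list only the ACEs granted to the gMSA (account name ends in '$').
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference -like "*\$gmsaName`$" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Two caveats worth knowing before relying on this. First, ACEs inherited from the domain root never reach protected accounts (adminCount=1, such as members of Domain Admins): the SDProp process re-stamps their ACLs from AdminSDHolder, so the action account cannot reset those passwords unless AdminSDHolder itself is modified, which you should not do for this purpose. Second, the gMSA is only as safe as the set of principals allowed to retrieve its password; if that set grows beyond the Domain Controllers, every member gains the ability to reset and disable user accounts domain-wide.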
The actions Microsoft is working on for Defender for Identity are forcing a password reset and disabling user accounts.
Improvements and Bug Fixes
All four January 2022 Defender for Identity releases include improvements and bug fixes for the internal sensor infrastructure.