HOWTO: Programmatically add a Microsoft Defender for Identity Action Account to Active Directory


Microsoft provides guidance for Managing action accounts for Microsoft Defender for Identity, but this documentation is severely lacking from my point of view:

  1. It lacks the information on creating the group Managed Service Account (gMSA) for the action account itself.
  2. It provides guidance on delegating permissions in Active Directory to an individual account instead of to a group. This does not follow Microsoft’s own recommended practices and may lead to orphaned delegations in the long term.
  3. It provides guidance to delegate permissions in the graphical user interface of Active Directory Users and Computers (dsa.msc). This method is not only laborious and error-prone, but also tedious when you want to deploy action accounts in all Active Directory domains in scope for Microsoft Defender for Identity.
  4. It provides guidance to delegate permissions at the domain’s top level for resetting passwords and writing attributes, including objects that may be sensitive and that the organization may not want to be included (beyond the sensitive accounts that are protected by the AdminSDHolder process).

Therefore, I’ve decided to write down the method I settled on myself for creating Microsoft Defender for Identity action accounts in Active Directory.

Note:
Although I’ve automated much of the steps to configure the accounts and delegations in Active Directory, you’re still required to add action accounts manually in the Microsoft 365 Portal to the Microsoft Defender for Identity settings.

Note:
Although I don’t agree with delegating the required permissions on the domain level, it seems Defender for Identity checks the permissions at this level. Currently, the attribute-specific permissions can’t be delegated at the OU level.

 

Creating Microsoft Defender for Identity Action Accounts programmatically

Creating Microsoft Defender for Identity Action Accounts programmatically consists of three steps:

  1. Creating the group Managed Service Account (gMSA)
  2. Creating the Microsoft Defender for Identity Action Accounts group and adding the Action Account to it
  3. Delegating the Active Directory permissions to the group

 

Getting Ready

Sign into a domain-joined device with the Active Directory Module for Windows PowerShell and the AD DS and AD LDS Tools installed. This can be a domain controller, or a Windows or Windows Server installation with the Remote Server Administration Tools (RSAT) installed. When using Windows Server, the operating system needs to be at least Windows Server 2012.

Use these tools with an Active Directory account that is a member of the Domain Admins group.

Make sure the Active Directory environment for which you want to create an Action Account runs the Windows Server 2008 R2 Domain Functional Level (DFL) or a newer version of the DFL and that a sufficient number of domain controllers run Windows Server 2012, or a newer version of Windows Server.

 

Creating the group Managed Service Account (gMSA)

If this is the first time you’re creating a group Managed Service Account (gMSA), you’ll need to check whether the service is configured correctly on your Windows Server 2012-based Domain Controllers. For this, open Active Directory Sites and Services (dssite.msc) and in the View menu check the Show Services Node option.

Then in the left pane, expand the Services node, then the Group Key Distribution Service node and finally the Server Configuration node. Here you should see the Group Key Distribution Service Server Configuration object. When it exists, the service has been correctly registered.

In order for the Group Key Distribution Service to work, however, it needs root keys. In the Master Root Keys node under the Group Key Distribution Service node in Active Directory Sites and Services, check whether at least one exists. If not, use the following line of Windows PowerShell to create them:

Add-KdsRootKey -EffectiveImmediately

 

Note:
Although the command specifies the Root Key to be effective immediately, you will actually have to wait 10 hours for it to become active. This ensures there is ample time to replicate the information to other Domain Controllers.

You can create the group Managed Service Account (gMSA) for the Microsoft Defender for Identity Action Account using the following line of Windows PowerShell:

New-ADServiceAccount MDIgMSA -Description "Microsoft Defender for Identity Action Account" -DNSHostName MDIgMSA.domain.tld

 

In the previous line of Windows PowerShell, replace the values for the gMSA’s name (MDIgMSA) and the Active Directory domain (domain.tld) with values that represent your naming convention and Active Directory domain.

 

Creating the Microsoft Defender for Identity Action Accounts group and adding the Action Account to it

As it is a poor practice to delegate Active Directory permissions to an individual user, MSA, gMSA or computer object, we’ll create a group.

Use the following lines of Windows PowerShell to create the group, configure the group with the Protected from accidental deletion option and add the previously created gMSA to it:

New-ADGroup -GroupCategory Security -GroupScope DomainLocal -Name "MDIActionAccounts" -Path "OU=Groups,DC=domain,DC=tld" -SamAccountName "MDIActionAccounts"

Set-ADObject -Identity "CN=MDIActionAccounts,OU=Groups,DC=domain,DC=tld" -ProtectedFromAccidentalDeletion $true

Set-ADGroup -Add:@{'Member'="CN=MDIgMSA,CN=Managed Service Accounts,DC=domain,DC=tld"} -Identity "CN=MDIActionAccounts,OU=Groups,DC=domain,DC=tld"

 

In the previous lines of Windows PowerShell, replace the values for the gMSA’s name (MDIgMSA), the group’s name (MDIActionAccounts) and location (OU=Groups) and the Active Directory domain (both domain.tld and DC=domain,DC=tld) with values that represent your naming convention and Active Directory domain.


Delegating the Active Directory permissions to the group

Now, we can delegate the Active Directory permissions to the group that contains the Microsoft Defender for Identity action account. Use the following lines in a command prompt to do so:

dsacls.exe "dc=domain,dc=tld" /I:S /G "DOMAIN\MDIActionAccounts:WP;pwdLastSet;user" "DOMAIN\MDIActionAccounts:WP;userAccountControl;user" "DOMAIN\MDIActionAccounts:CA;Reset Password;user" "DOMAIN\MDIActionAccounts:WP;member;group"

Replace the values for your domain (dc=domain,dc=tld), the NetBIOS name of the domain (DOMAIN), the group name (MDIActionAccounts) and the group’s location (OU=Groups).
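The three steps above, combined into one parameterized script (an added example, not the author's own script): it checks for a KDS root key, creates the gMSA and the group only if they do not already exist, uses Add-ADGroupMember instead of Set-ADGroup -Add for the membership, runs the same dsacls.exe delegation, and then reads the domain ACL back so the resulting ACEs can be reviewed. The names MDIgMSA, MDIActionAccounts and OU=Groups are placeholders; it assumes a Domain Admin session on a host with the ActiveDirectory module and dsacls.exe.

```powershell
# Added example: end-to-end MDI action account setup with a read-back of the delegation.
# Assumes: Domain Admin session, ActiveDirectory module, dsacls.exe; placeholder names below.
param(
    [string]$GmsaName  = 'MDIgMSA',
    [string]$GroupName = 'MDIActionAccounts',
    [string]$GroupOU   = 'OU=Groups,DC=domain,DC=tld'
)
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$netbios  = $domain.NetBIOSName
$dnsRoot  = $domain.DNSRoot

# 1. A KDS root key must exist (and be about 10 hours old) before a gMSA can be created.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found. Run Add-KdsRootKey -EffectiveImmediately and wait 10 hours.'
}

# 2. Create the gMSA only when it does not exist yet, so the script can be re-run safely.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.$dnsRoot" `
        -Description 'Microsoft Defender for Identity Action Account'
}

# 3. Create the domain-local group, protect it from accidental deletion and add the gMSA.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName -GroupCategory Security `
        -GroupScope DomainLocal -Path $GroupOU
}
$group = Get-ADGroup -Identity $GroupName
Set-ADObject -Identity $group.DistinguishedName -ProtectedFromAccidentalDeletion $true
Add-ADGroupMember -Identity $group -Members (Get-ADServiceAccount -Identity $GmsaName)

# 4. Delegate the four rights at the domain root, inherited to child objects only (/I:S).
$grantee = "$netbios\$GroupName"
& dsacls.exe $domainDN /I:S /G "${grantee}:WP;pwdLastSet;user" `
    "${grantee}:WP;userAccountControl;user" `
    "${grantee}:CA;Reset Password;user" `
    "${grantee}:WP;member;group" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls.exe failed with exit code $LASTEXITCODE" }

# 5. Read the domain ACL back and list the ACEs granted to the group for review.
$acl = Get-Acl -Path "AD:\$domainDN"
$acl.Access | Where-Object { $_.IdentityReference.Value -eq $grantee } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The ObjectType column shows the schema GUID of each delegated attribute or control access right rather than its name; keeping this output with your change record gives a concrete baseline to compare against if the delegation is later audited.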

 

Concluding

Creating Microsoft Defender for Identity action accounts in Active Directory programmatically has led to surprisingly fast, reliable and repeatable Action Accounts for the organizations for which I’ve implemented Microsoft Defender for Identity.
