Microsoft Defender for Identity sensor v3.x prerequisites (Preview)

This article describes the requirements for installing the Microsoft Defender for Identity sensor v3.x.

Sensor version limitations

Before activating the Defender for Identity sensor v3.x, note that this version of the sensor is still in preview and offers reduced functionality compared to version 2.x. Keep the following limitations in mind before activating the sensor. The Defender for Identity sensor v3.x:

  • Requires that Defender for Endpoint is deployed
  • Can't be activated on a server that has a Defender for Identity sensor V2.x already deployed
  • Doesn't currently support VPN integration
  • Doesn't currently support ExpressRoute
  • Doesn't currently offer full functionality of health alerts, posture recommendations, security alerts or advanced hunting data.

Licensing requirements

Deploying Defender for Identity requires one of the following Microsoft 365 licenses:

  • Enterprise Mobility + Security E5 (EMS E5/A5)
  • Microsoft 365 E5 (Microsoft E5/A5/G5)
  • Microsoft 365 E5/A5/G5/F5* Security
  • Microsoft 365 F5 Security + Compliance*
  • A standalone Defender for Identity license

* Both F5 licenses require Microsoft 365 F1/F3 or Office 365 F3 and Enterprise Mobility + Security E3.

Acquire licenses directly via the Microsoft 365 portal or use the Cloud Solution Partner (CSP) licensing model.

For more information, see Licensing and privacy FAQs.

Roles and permissions

  • To create your Defender for Identity workspace, you need a Microsoft Entra ID tenant.
  • You must either be a Security Administrator, or have the following Unified RBAC permissions:
    • System settings (Read and manage)
    • Security settings (All permissions)

Sensor requirements and recommendations

The following table summarizes the server requirements and recommendations for the Defender for Identity sensor.

  • Operating System: The ___domain controller must have both:
    - Windows Server 2019 or later
    - June 2025 Cumulative Update or later
  • Previous installations: Before activating the sensor on a ___domain controller, make sure that the ___domain controller doesn't have Defender for Identity sensor V2.x already deployed.
  • Specifications: A ___domain controller server with a minimum of:
    - two cores
    - 6 GB of RAM
  • Performance: For optimal performance, set the Power Option of the machine running the Defender for Identity sensor to High Performance.
  • Connectivity: Requires a Microsoft Defender for Endpoint deployment. If Microsoft Defender for Endpoint is installed on the ___domain controller, there are no additional connectivity requirements.
  • Server time synchronization: The servers and ___domain controllers onto which the sensor is installed must have time synchronized to within five minutes of each other.
  • ExpressRoute: This version of the sensor doesn't support ExpressRoute. If your environment uses ExpressRoute, we recommend deploying the Defender for Identity sensor v2.x.
  • Identity and response actions: The sensor doesn't require credentials to be provided in the portal. Even if credentials are entered, the sensor uses the Local System identity on the server to query Active Directory and perform response actions. If a Group Managed Service Account (gMSA) is configured for response actions, the response actions are disabled.
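The following PowerShell script is an added example, not part of the Microsoft documentation, that checks the host requirements from the table above on the local ___domain controller. It assumes the Active Directory module is present (as it is on a ___domain controller), that the v2.x sensor registers the AATPSensor service and Defender for Endpoint the Sense service, and it approximates the June 2025 cumulative update requirement by the install date of the newest update.

```powershell
# Added example: pre-activation checks for the Defender for Identity sensor v3.x host.
# Assumptions (not stated on the page): v2.x sensor service name 'AATPSensor',
# Defender for Endpoint service name 'Sense', CU check based on newest hotfix date.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Operating system: Windows Server 2019 (build 17763) or later
$os = Get-CimInstance Win32_OperatingSystem
Add-Check 'Windows Server 2019 or later' ([int]$os.BuildNumber -ge 17763) "$($os.Caption) build $($os.BuildNumber)"

# Cumulative update: newest installed update must be from June 2025 or later
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$cuOk = [bool]($latest -and $latest.InstalledOn -ge [datetime]'2025-06-01')
Add-Check 'June 2025 CU or later' $cuOk ("Latest update: {0} on {1:yyyy-MM-dd}" -f $latest.HotFixID, $latest.InstalledOn)

# Role and specifications: ___domain controller (DomainRole 4 or 5), >= 2 cores, >= 6 GB RAM
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Server is a ___domain controller' ($cs.DomainRole -ge 4) "DomainRole=$($cs.DomainRole)"
$cores = (Get-CimInstance Win32_Processor | Measure-Object NumberOfCores -Sum).Sum
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
Add-Check 'At least 2 cores' ($cores -ge 2) "$cores cores"
Add-Check 'At least 6 GB RAM' ($ramGB -ge 6) "$ramGB GB"

# Performance: active power plan should be High Performance (well-known scheme GUID)
$scheme = (powercfg /getactivescheme) -join ' '
Add-Check 'High Performance power plan' ($scheme -match '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c') $scheme.Trim()

# Connectivity: Defender for Endpoint must be deployed (Sense service running)
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
Add-Check 'Defender for Endpoint (Sense) running' ($sense.Status -eq 'Running') "Status: $($sense.Status)"

# Previous installations: no v2.x sensor (AATPSensor service) on this DC
$v2 = Get-Service -Name AATPSensor -ErrorAction SilentlyContinue
Add-Check 'No v2.x sensor installed' (-not $v2) $(if ($v2) { 'AATPSensor service present' } else { 'not found' })

# Time synchronization: clock offset against the PDC emulator must be under five minutes
$pdc = (Get-ADDomain).PDCEmulator
$line = (w32tm /stripchart /computer:$pdc /samples:1 /dataonly) | Select-Object -Last 1
$offset = if ($line -match '([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) } else { [double]::NaN }
Add-Check 'Clock within 5 minutes of PDC' ($offset -lt 300) "Offset ${offset}s vs $pdc"

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { Write-Warning 'One or more sensor prerequisites are not met.' }
```

Run it in an elevated PowerShell session on each ___domain controller before activating the sensor; a failed row points at the table entry that still needs attention.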

Dynamic memory requirements

The following table describes memory requirements on the server used for the Defender for Identity sensor, depending on the type of virtualization you're using:

  • Hyper-V: Ensure that Enable Dynamic Memory isn't enabled for the VM.
  • VMware: Ensure that the amount of memory configured and the reserved memory are the same, or select the Reserve all guest memory (All locked) option in the VM settings.
  • Other virtualization host: Refer to the vendor supplied documentation on how to ensure that memory is fully allocated to the VM at all times.

Important

When running as a virtual machine, all memory must be allocated to the virtual machine at all times.

Configure Unified Sensor to support advanced identity detections (Preview)

Applying the Unified Sensor RPC Audit tag enables a new, tested capability on the machine, improving security visibility and unlocking additional identity detections. Once applied, the configuration is enforced on existing and future devices that match the rule criteria. The tag itself is visible in the Device Inventory, providing admins with transparency and auditing capabilities.

Steps to apply the configuration:

  1. In the Microsoft Defender portal, navigate to: System > Settings > Microsoft Defender XDR > Asset Rule Management.
  2. Select Create a new rule.

Screenshot that shows how to add a new rule.

  3. In the side panel:
    1. Enter a Rule name and Description.
    2. Set rule conditions using Device name, Domain, or Device tag to target the desired machines.
    3. Ensure that the Defender for Identity V3.x sensor is already deployed on the selected devices.
    4. Matching should primarily target ___domain controllers with the V3.x sensor installed.
  4. Add the tag Unified Sensor RPC Audit to the selected devices.

Screenshot that shows the config tag.

  5. Select Next to review and finish creating the rule, and then select Submit.

Updating rules

Offboarding a device from this configuration can be done only by deleting the asset rule or by modifying the rule conditions so that the device no longer matches.

Note

It may take up to 1 hour for changes to be reflected in the portal.

For more information, see the Asset Rule Management documentation.

Configure Windows auditing

Defender for Identity detections rely on specific Windows Event Log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications.

Configure Windows event collection on your ___domain controller to support Defender for Identity detections. For more information, see Event collection with Microsoft Defender for Identity and Configure audit policies for Windows event logs.

You might want to use the Defender for Identity PowerShell module to configure the required settings. For example, the following command defines all settings for the ___domain, creates group policy objects, and links them.

Set-MDIConfiguration -Mode Domain -Configuration All

For more information, see:

Test your prerequisites

We recommend running the Test-MdiReadiness.ps1 script to test and see if your environment has the necessary prerequisites.

The Test-MdiReadiness.ps1 script is also available from Microsoft Defender XDR, on the Identities > Tools page (Preview).

Next step

Plan capacity for Microsoft Defender for Identity