Microsoft Defender for Identity Tutorial | Adding a sensor, policy management, account setup, config

  • Published: 16 Sep 2024

Comments • 7

  • @quanghuy147 1 year ago

    Thank you for your tutorial!

  • @TonyJuby 2 years ago +4

    This video was very helpful in configuring MDI. One minor note: if you have never created a gMSA service account, you need to run this command to create a root key. Thanks for posting this video.
    Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
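
The root-key step from the comment above, placed in the sequence it belongs to. This is an added example, not code from the commenter or the video; the gMSA name and DNS host name are assumed placeholders, and it assumes the ActiveDirectory module on a domain controller.

```powershell
# Added example. Values marked "assumed" are placeholders, not from the video.
Import-Module ActiveDirectory

$gmsaName = 'mdiSvc01'                   # assumed gMSA name
$dnsName  = 'mdiSvc01.contoso.example'   # assumed DNS host name
$allowed  = 'Domain Controllers'         # hosts allowed to retrieve the managed password

# 1. A KDS root key must exist in the forest before any gMSA can be created.
$rootKeys = @(Get-KdsRootKey)
if ($rootKeys.Count -eq 0) {
    # Backdating by 10 hours makes the key usable at once. That is fine for a lab
    # or a single-DC domain. With several DCs, prefer
    #   Add-KdsRootKey -EffectiveImmediately
    # and allow the built-in 10-hour window so the key replicates everywhere.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}
else {
    # Reuse the existing key; creating a second one is unnecessary.
    $rootKeys | Select-Object KeyId, EffectiveTime
}

# 2. Create the gMSA only if it is not already present.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName -DNSHostName $dnsName `
        -PrincipalsAllowedToRetrieveManagedPassword $allowed
}

# 3. Run on each DC that hosts a sensor: returns True when this host
#    can retrieve the gMSA password.
Test-ADServiceAccount -Identity $gmsaName
```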

  • @getoutmore 1 year ago

    My sensors show as Running on both DCs and I've set up the gMSA account, but I'm not getting any alerts, even when flooding the security log with RDP brute force. Any idea what it could be?

  • @titamun 2 years ago +1

    Hi, I do not have the Identities option in settings. Do you know what it could be?

    • @AltaroSoftware 2 years ago +1

      Hi! Make sure you have the proper permissions added to the M365 account you're using to access these settings. Without them, you won't see the option as you've mentioned. Info on the needed permissions can be found here > docs.microsoft.com/en-us/defender-for-identity/role-groups#required-permissions-for-the-microsoft-365-defender-experience

  • @sergiomorante4743 2 years ago

    Is a directory service account (as you create at min 3:01) needed for receiving alerts in MDI?
    I've tried everything but alerts are not showing; between this and the connection with MEM it has to be, I guess.

    • @AltaroSoftware 2 years ago +1

      Hi Sergio, the account created at 3:01 in the video is a managed service account, which is the recommended approach today, but it can be just an ordinary user account (should not be Domain Admin); it's only there to read information from the directory. There's no relationship or reliance on MEM in MDI. I suspect that your MDI installation is working as expected (especially if the sensors tab in settings is listing your installed agents) - it should be quiet, unless you've got bad guys in your AD domain. You can test it though by doing your own fake attacks - see docs.microsoft.com/en-us/defender-for-identity/playbook-lab-overview. There are four playbooks you can use to test your detections. Good luck!