Microsoft Defender for Identity prerequisites
This article describes the requirements for a successful Microsoft Defender for Identity deployment.
Licensing requirements
Deploying Defender for Identity requires one of the following Microsoft 365 licenses:
- Enterprise Mobility + Security E5 (EMS E5/A5)
- Microsoft 365 E5 (Microsoft E5/A5/G5)
- Microsoft 365 E5/A5/G5/F5* Security
- Microsoft 365 F5 Security + Compliance*
- A standalone Defender for Identity license
* Both F5 licenses require Microsoft 365 F1/F3 or Office 365 F3 and Enterprise Mobility + Security E3.
Acquire licenses directly via the Microsoft 365 portal or use the Cloud Solution Partner (CSP) licensing model.
For more information, see Licensing and privacy FAQs.
Required permissions
To create your Defender for Identity workspace, you need a Microsoft Entra ID tenant with at least one Security administrator.
You need at least Security administrator access on your tenant to access the Identity section of the Microsoft Defender XDR Settings area and create the workspace.
For more information, see Microsoft Defender for Identity role groups.
We recommend using at least one Directory Service account, with read access to all objects in the monitored domains. For more information, see Configure a Directory Service account for Microsoft Defender for Identity.
Connectivity requirements
The Defender for Identity sensor must be able to communicate with the Defender for Identity cloud service, using one of the following methods:
Method | Description | Considerations | Learn more |
---|---|---|---|
Set up a proxy | Customers who have a forward proxy deployed can use it to provide connectivity to the Defender for Identity cloud service. If you choose this option, you'll configure the proxy later in the deployment process. Proxy configuration includes allowing traffic to the sensor URL and adding the Defender for Identity URLs to any explicit allowlists used by your proxy or firewall. | Allows internet access for a single URL. SSL (TLS) inspection isn't supported, so the sensor URL must be excluded from any intercepting proxy. | Configure endpoint proxy and internet connectivity settings; Run a silent installation with a proxy configuration |
ExpressRoute | ExpressRoute can be configured to forward Defender for Identity sensor traffic over the customer's ExpressRoute circuit. To route network traffic destined for the Defender for Identity cloud servers, use ExpressRoute Microsoft peering and add the Microsoft Defender for Identity (12076:5220) service BGP community to your route filter. | Requires ExpressRoute | Service to BGP community value |
Firewall, using the Defender for Identity Azure IP addresses | Customers who don't have a proxy or ExpressRoute can configure their firewall with the IP addresses assigned to the Defender for Identity cloud service. This requires that the customer monitor the Azure IP address list for any changes in the IP addresses used by the service. If you choose this option, we recommend that you download the Azure IP Ranges and Service Tags – Public Cloud file and use the AzureAdvancedThreatProtection service tag to add the relevant IP addresses. | Customer must monitor Azure IP assignments | Virtual network service tags |
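The firewall option only stays secure if someone actually tracks the service tag. The following PowerShell script is an added example, not part of the Defender for Identity documentation or of any Microsoft tool: it reads the Azure IP Ranges and Service Tags – Public Cloud JSON file that you download yourself, pulls out the prefixes behind the AzureAdvancedThreatProtection tag, and reports what changed since the last run so the firewall allowlist can be updated. The file name pattern (ServiceTags_Public_<date>.json), the baseline file location, and the output file name are assumptions of this example.

```powershell
# Added example (not from the Defender for Identity docs): extract the prefixes behind the
# AzureAdvancedThreatProtection service tag from a downloaded "Azure IP Ranges and Service
# Tags - Public Cloud" JSON file and diff them against the previous run.
# Assumptions: $ServiceTagFile is the downloaded file (ServiceTags_Public_<date>.json);
# $BaselineFile is a path of our choosing where the last run's prefixes are kept.
param(
    [Parameter(Mandatory)] [string] $ServiceTagFile,
    [string] $BaselineFile = '.\mdi-prefixes-baseline.json',
    [string] $OutputFile   = '.\mdi-prefixes-current.txt',
    [string] $ServiceTag   = 'AzureAdvancedThreatProtection'
)

$doc = Get-Content -Path $ServiceTagFile -Raw | ConvertFrom-Json

# The file carries one entry per service tag (plus regional variants named "Tag.Region").
# Defender for Identity is covered by the global tag, so match the name exactly.
$entry = $doc.values | Where-Object { $_.name -eq $ServiceTag }
if (-not $entry) {
    throw "Service tag '$ServiceTag' not found in $ServiceTagFile (file changeNumber $($doc.changeNumber))"
}

$current  = @($entry.properties.addressPrefixes | Sort-Object -Unique)
$previous = @()
if (Test-Path $BaselineFile) {
    $previous = @((Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json) | Sort-Object -Unique)
}

$added   = @($current  | Where-Object { $_ -notin $previous })
$removed = @($previous | Where-Object { $_ -notin $current })

[pscustomobject]@{
    ServiceTag   = $ServiceTag
    ChangeNumber = $entry.properties.changeNumber   # per-tag change counter in the file
    PrefixCount  = $current.Count
    Added        = $added
    Removed      = $removed
}

if ($added -or $removed) {
    # Write the firewall-ready list (one CIDR per line) and move the baseline forward.
    $current | Set-Content -Path $OutputFile
    $current | ConvertTo-Json | Set-Content -Path $BaselineFile
    Write-Warning "'$ServiceTag' changed: $($added.Count) added, $($removed.Count) removed. Update the firewall allowlist from $OutputFile."
}
```

Run it on a schedule against each newly published file; the first run seeds the baseline and reports every prefix as added. Removed prefixes matter as much as added ones, because leaving stale ranges in an outbound allowlist widens what the domain controller is permitted to talk to.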
For more information, see Microsoft Defender for Identity architecture.
Sensor requirements and recommendations
The following table summarizes requirements and recommendations for the domain controller, AD FS server, AD CS server, or Microsoft Entra Connect server where you'll install the Defender for Identity sensor.
Prerequisite / Recommendation | Description |
---|---|
Specifications | Install the Defender for Identity sensor on Windows Server 2016 or later, on a server with a minimum of 2 cores, 6 GB of RAM, and 6 GB of disk space (10 GB recommended), including space for the Defender for Identity binaries and logs. Defender for Identity supports read-only domain controllers (RODCs). |
Performance | For optimal performance, set the Power Option of the machine running the Defender for Identity sensor to High Performance. |
Network interface configuration | If you are using VMware virtual machines, make sure the virtual machine's NIC configuration has Large Send Offload (LSO) disabled. See VMware virtual machine sensor issue for more details. |
Maintenance window | We recommend scheduling a maintenance window for your domain controllers, as a restart might be required if the installation runs and a restart is already pending, or if .NET Framework needs to be installed. If .NET Framework version 4.7 or later isn't already found on the system, .NET Framework version 4.7 is installed, and may require a restart. |
Minimum operating system requirements
Defender for Identity sensors can be installed on the following operating systems:
- Windows Server 2016
- Windows Server 2019. Requires KB4487044 or a newer cumulative update. Sensors installed on Server 2019 without this update will be automatically stopped if the ntdsai.dll file version found in the system directory is older than 10.0.17763.316
- Windows Server 2022
For all operating systems:
- Both Server with Desktop Experience and Server Core installations are supported.
- Nano Server is not supported.
- Installations are supported on domain controllers, AD FS servers, AD CS servers, and Microsoft Entra Connect servers.
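The specification, performance, maintenance window, and operating system requirements above are all things you can verify on the host before running setup. The following PowerShell script is an added example, not part of the Defender for Identity documentation and not the Test-MdiReadiness.ps1 script mentioned later on this page: run elevated on the prospective sensor host, it checks the OS version, cores, RAM, free disk, the ntdsai.dll version on Server 2019, the .NET Framework version, a pending restart, the power plan, and (on VMware guests) Large Send Offload. The build numbers, registry locations, and the .NET release key threshold it uses are well-known Windows values; the Server 2019 ntdsai.dll threshold comes from the list above.

```powershell
# Added example, not from the Defender for Identity docs: pre-install readiness check
# of a sensor host against the requirements listed on this page. Run elevated, locally.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

$os    = Get-CimInstance Win32_OperatingSystem
$osVer = [version]$os.Version
# ProductType 1 = workstation. Build 14393 = Server 2016, 17763 = Server 2019, 20348 = Server 2022.
Add-Check 'OS is Windows Server 2016 or later' ($os.ProductType -ne 1 -and $osVer -ge [version]'10.0.14393') $os.Caption

$cores = (Get-CimInstance Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
Add-Check 'At least 2 cores' ($cores -ge 2) "$cores cores"

$ramGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)   # TotalVisibleMemorySize is in KB
Add-Check 'At least 6 GB of RAM' ($ramGB -ge 6) "$ramGB GB"

$drive  = $env:SystemDrive.TrimEnd(':')
$freeGB = [math]::Round((Get-PSDrive -Name $drive).Free / 1GB, 1)
Add-Check 'At least 6 GB free (10 GB recommended)' ($freeGB -ge 6) "$freeGB GB free on $env:SystemDrive"

# Server 2019 only: the sensor stops itself if ntdsai.dll is older than 10.0.17763.316 (KB4487044).
# ntdsai.dll only exists on domain controllers, so the check is skipped on AD FS / AD CS / Entra Connect hosts.
$ntds = Get-Item "$env:SystemRoot\System32\ntdsai.dll" -ErrorAction SilentlyContinue
if ($osVer.Build -eq 17763 -and $ntds) {
    $v = [version]($ntds.VersionInfo.FileVersion.Split(' ')[0])   # "10.0.17763.xxx (WinBuild...)" -> version part
    Add-Check 'Server 2019: ntdsai.dll 10.0.17763.316 or later' ($v -ge [version]'10.0.17763.316') "ntdsai.dll $v"
}

# .NET Framework: Release >= 460798 means 4.7 or later. If absent, setup installs 4.7 and may restart.
$rel = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
Add-Check '.NET Framework 4.7 or later already present' ([int]$rel -ge 460798) "Release=$rel"

# A restart that is already pending turns a sensor install into a DC reboot; plan the window accordingly.
$pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
           (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
           ($null -ne (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue).PendingFileRenameOperations)
Add-Check 'No restart pending' (-not $pending) ''

# High performance power plan (built-in scheme GUID; a custom plan derived from it will not match).
$scheme = (powercfg /getactivescheme) -join ' '
Add-Check 'Power plan is High performance' ($scheme -match '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c') $scheme.Trim()

# VMware guests: Large Send Offload must be off on every NIC (Disable-NetAdapterLso -Name '*' -IPv4 -IPv6 to fix).
if ((Get-CimInstance Win32_ComputerSystem).Manufacturer -like 'VMware*') {
    $lsoOn = Get-NetAdapterLso | Where-Object { $_.IPv4Enabled -or $_.IPv6Enabled -or $_.V1IPv4Enabled }
    Add-Check 'VMware: LSO disabled on all NICs' (-not $lsoOn) (@($lsoOn.Name) -join ', ')
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { Write-Warning 'One or more prerequisites are not met; see the table above.' }
```

The checks are deliberately read-only; the remediations (installing .NET, changing the power plan, disabling LSO) are left to the maintenance window the page recommends, because several of them can themselves require a restart of a domain controller.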
Legacy operating systems
Windows Server 2012 and Windows Server 2012 R2 reached extended end of support on October 10, 2023.
We recommend that you plan to upgrade those servers, as Microsoft no longer supports the Defender for Identity sensor on devices running Windows Server 2012 or Windows Server 2012 R2.
Sensors running on these operating systems continue to report to Defender for Identity and still receive sensor updates, but some new functionality won't be available because it relies on operating system capabilities these versions lack.
Required ports
Protocol | Transport | Port | From | To |
---|---|---|---|---|
Internet ports | ||||
SSL (*.atp.azure.com). Alternately, configure access through a proxy. | TCP | 443 | Defender for Identity sensor | Defender for Identity cloud service |
Internal ports | ||||
DNS | TCP and UDP | 53 | Defender for Identity sensor | DNS servers |
Netlogon (SMB, CIFS, SAM-R) | TCP/UDP | 445 | Defender for Identity sensor | All devices on the network |
RADIUS | UDP | 1813 | RADIUS | Defender for Identity sensor |
Localhost ports: required for the sensor service updater. By default, localhost to localhost traffic is allowed unless a custom firewall policy blocks it. | ||||
SSL | TCP | 444 | Sensor service | Sensor updater service |
Network Name Resolution (NNR) ports: to resolve IP addresses to computer names, we recommend opening all of the ports listed. However, only one of them is required. | ||||
NTLM over RPC | TCP | 135 | Defender for Identity sensor | All devices on the network |
NetBIOS | UDP | 137 | Defender for Identity sensor | All devices on the network |
RDP | TCP | 3389, only the first packet of the Client Hello | Defender for Identity sensor | All devices on the network |
Reverse DNS lookup of the IP address | UDP | 53 | Defender for Identity sensor | DNS servers |
If you're working with multiple forests, make sure that the following ports are opened on any machine where a Defender for Identity sensor is installed:
Protocol | Transport | Port | To/From | Direction |
---|---|---|---|---|
Internet ports | ||||
SSL (*.atp.azure.com) | TCP | 443 | Defender for Identity cloud service | Outbound |
Internal ports | ||||
LDAP | TCP and UDP | 389 | Domain controllers | Outbound |
Secure LDAP (LDAPS) | TCP | 636 | Domain controllers | Outbound |
LDAP to Global Catalog | TCP | 3268 | Domain controllers | Outbound |
LDAPS to Global Catalog | TCP | 3269 | Domain controllers | Outbound |
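The two port tables above can be exercised from the sensor host before the sensor is installed. The following PowerShell script is an added example, not part of the Defender for Identity documentation: it discovers the domain controllers of each monitored domain through the `_ldap._tcp.dc._msdcs` SRV records and attempts a TCP connect to every TCP port in the tables (DNS, Netlogon, the NNR ports, and the multi-forest LDAP/LDAPS and Global Catalog ports). Domain controllers are used only as convenient targets; the NNR ports must really be reachable on all devices on the network, and the UDP ports (53, 137, 1813 inbound) cannot be verified with a connect, so they are listed but not probed. The `$Domains` list is an assumption you supply.

```powershell
# Added example, not from the Defender for Identity docs: probe the TCP ports listed on this
# page from the sensor host against the domain controllers of each monitored domain.
# Assumption: $Domains is our own list of the forests' domains; the host can resolve them.
param([string[]] $Domains = @($env:USERDNSDOMAIN))

$tcpPorts = @(
    @{ Port = 53;   Use = 'DNS' },
    @{ Port = 445;  Use = 'Netlogon (SMB, CIFS, SAM-R)' },
    @{ Port = 135;  Use = 'NNR: NTLM over RPC' },
    @{ Port = 3389; Use = 'NNR: RDP (client hello only)' },
    @{ Port = 389;  Use = 'LDAP (multi-forest)' },
    @{ Port = 636;  Use = 'LDAPS (multi-forest)' },
    @{ Port = 3268; Use = 'LDAP to Global Catalog (multi-forest)' },
    @{ Port = 3269; Use = 'LDAPS to Global Catalog (multi-forest)' }
)
# Not probed: UDP 53 (DNS / reverse DNS), UDP 137 (NetBIOS), UDP 1813 inbound (RADIUS accounting),
# and TCP 444 localhost, which only exists once the sensor updater service is installed.

$report = foreach ($domain in $Domains) {
    # DC discovery via the SRV record, so the check does not depend on the ActiveDirectory module.
    $dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' } |
           Select-Object -ExpandProperty NameTarget -Unique
    foreach ($dc in $dcs) {
        foreach ($p in $tcpPorts) {
            $open = Test-NetConnection -ComputerName $dc -Port $p.Port -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Domain = $domain; DC = $dc; Port = $p.Port; Use = $p.Use; Open = $open }
        }
    }
}

$report | Sort-Object Domain, DC, Port | Format-Table -AutoSize

# NNR needs only one of its ports per target, so fail a DC only when none of the probed NNR ports answered.
foreach ($dc in ($report.DC | Select-Object -Unique)) {
    $nnr = $report | Where-Object { $_.DC -eq $dc -and $_.Use -like 'NNR:*' -and $_.Open }
    if (-not $nnr) {
        Write-Warning "$dc : neither TCP 135 nor TCP 3389 reachable; NNR would have to rely on NetBIOS (UDP 137) or reverse DNS (UDP 53), which this script does not probe."
    }
}
```

A closed LDAPS or Global Catalog port only matters in a multi-forest deployment, so treat those rows as informational in a single-forest environment. Note that the RDP probe is a full TCP connect that is immediately closed, which is more than the sensor itself sends; if your RDP endpoints log failed connections, expect one entry per domain controller from this host.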
Dynamic memory requirements
The following table describes memory requirements on the server used for the Defender for Identity sensor, depending on the type of virtualization you're using:
VM running on | Description |
---|---|
Hyper-V | Ensure that Enable Dynamic Memory isn't enabled for the VM. |
VMware | Ensure that the amount of memory configured and the reserved memory are the same, or select the Reserve all guest memory (All locked) option in the VM settings. |
Other virtualization host | Refer to the vendor supplied documentation on how to ensure that memory is fully allocated to the VM at all times. |
Important
When running as a virtual machine, all memory must be allocated to the virtual machine at all times.
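For Hyper-V, the setting above can be audited and fixed from the host. The following PowerShell script is an added example, not part of the Defender for Identity documentation: it runs on the Hyper-V host, reports which of the named sensor VMs still have Dynamic Memory enabled, and switches them to a fixed allocation of at least the 6 GB minimum from the specifications table. The VM names in `$SensorVMs` are an assumption; Hyper-V only allows this change while the VM is off, which is why a running VM is reported rather than modified.

```powershell
# Added example, not from the Defender for Identity docs: on the Hyper-V host, find sensor VMs
# with Dynamic Memory enabled and pin their memory. Assumes $SensorVMs is our own list of
# host-side VM names. Requires the Hyper-V PowerShell module and a VM that is powered off.
param([string[]] $SensorVMs = @('DC01', 'DC02'))

foreach ($name in $SensorVMs) {
    $mem = Get-VMMemory -VMName $name
    $startupGB = [math]::Round($mem.Startup / 1GB, 1)

    if (-not $mem.DynamicMemoryEnabled) {
        "$name : static memory, $startupGB GB allocated"
        continue
    }

    if ((Get-VM -Name $name).State -ne 'Off') {
        Write-Warning "$name : Dynamic Memory is enabled ($startupGB GB startup, $([math]::Round($mem.Maximum / 1GB, 1)) GB max). Shut the VM down in the maintenance window, then re-run."
        continue
    }

    # Disable Dynamic Memory and fix the allocation; never drop below the 6 GB minimum from the sensor specs.
    $fixed = [math]::Max($mem.Startup, 6GB)
    Set-VMMemory -VMName $name -DynamicMemoryEnabled $false -StartupBytes $fixed
    "$name : Dynamic Memory disabled, $([math]::Round($fixed / 1GB, 1)) GB allocated"
}
```

For VMware, the equivalent check is that the VM's memory reservation equals its configured memory (or that the "Reserve all guest memory (All locked)" option is set), as the table above describes; the vSphere property names are not covered by this page, so they are not shown here.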
Time synchronization
The servers and domain controllers onto which the sensor is installed must have time synchronized to within five minutes of each other.
Test your prerequisites
We recommend running the Test-MdiReadiness.ps1 script to test and see if your environment has the necessary prerequisites.
The link to the Test-MdiReadiness.ps1 script is also available from Microsoft Defender XDR, on the Identities > Tools page (Preview).
Related content
This article lists the prerequisites for a basic installation. Additional prerequisites apply when installing on an AD FS server, an AD CS server, or Microsoft Entra Connect, when supporting multiple Active Directory forests, or when installing a standalone Defender for Identity sensor.
For more information, see:
- Deploying Microsoft Defender for Identity on AD FS and AD CS servers
- Microsoft Defender for Identity multi-forest support
- Microsoft Defender for Identity standalone sensor prerequisites
- Defender for Identity architecture