Hey guys good morning! Is a rainy day today, just brings the relax mood on.
Here is another topic on Microsoft Defender for Identity, is the troubleshooting on sensors.
When you notice that your sensor keeps disconnecting, while it was fine during the first 2 weeks of the deployment.
There are many possibilities that causes this issue, so I’m glad that there is this Sizing tool that you can use to identify the traffic on the domain controllers and it will provide you recommendation of the hardware requirements that needs increasing or look into it.
Sometimes this is not due to domain controllers or the sensor issue, it could meant that the environment is growing and numbers of applications required the LDAP authentications with the closest domain controllers or the FSMO holder domain controller.
This is how the alert looks like on the ATP portal;
To proof that whether the domain controller needs increment of the hardware resources
Hi and good weekend to you. I haven’t been writing blog post for 1 week due to Chinese New Year holiday, 1 week off from doing YouTube videos and writing blog post, and spending quality time with my family. This is the first Chinese New Year celebration without visiting friends or other family members. E-angpao has become our replacement of physical AngPao. Seeing how this pandemic pushes technology forward and forcing people from all different generation to use technology, is amazing.
Anyway, this blog post I’m going to be talking about how you as administrator you can exclude certain situation from the Azure ATP detection. Azure ATP stands for Microsoft Defender for Identity. There are few situation you can exclude from Azure ATP detection such as Backup accounts and replication accounts. Take note this is only based on my experience or Microsoft recommendation but is not a MUST to exclude them.
How the alerts works in Azure ATP, is that when ever the account is behaving one of the detection it will notify an alert to the Azure ATP portal and to administrator’s email. So imagine if you have Azure AD Connect in your environment, your Azure AD Connect service account is notifying your administrator every 30 minutes, because the default replication time is every 30 minutes. Annoying right? Once you confirmed that this is the service account used only for replication, here is how you could whitelist it from the Azure ATP detection;
*This is for replication account, for others situation the exclude value may differ, these steps below is mainly to gain understanding how to exclude and where to locate the exclude.
Good afternoon everyone, and Happy Holiday to you all. Today’s blog post is another Azure ATP, or you could say Microsoft Identity Defender or MDI for short.
As you might know that gMSA is a type of service account for Windows Server 2012 and above. For some reason it failed to establish authentication between a Windows Server 2016 and Azure ATP portal for this particular environment. This environment is running single label domain on a Windows Server 2016. It was migrate from Widows Server 2008 R2 to Windows Server 2016.
To locate the logs in the server that you installed the sensor to further identify the cause and issue,
In the server where your sensor installed, if you notice the Azure ATP services keeps stopping and starting, from the services.msc, then it means there is problem with the sensor trying to establish the connection to the Azure ATP.
There wasn’t much article found to prove that gMSA limitation with single label domain, so I go ahead and proceed a testing. I created a managed service account with no special permission included, and add the credential to the Azure ATP > Directory Service. Upon monitoring, there wasn’t any alert prompt from Azure ATP, Azure ATP alert is pretty instant when detected failure on authentication.
So the resolution was to use managed service account instead of the gMSA account for this situation. The sensor start to working well with managed service account.
Hey guys hope you all are staying indoors and cautions about your health. Today’s blog post is to understand what is gMSA account, how to create them and why does it required for setting up Azure ATP (a.k.a Microsoft Identity Defender ATP).
gMSA stands for group managed service account, below reference that you can refer to understand details about it. You only need to setup a gMSA account for Windows Server version 2012 and above, it is recommended to use gMSA account for you Azure ATP deployment if your Domain controller fall on the versions 2012 and above.
Why gMSA and not usually service account (user object)? It improves the security and automatic password management. It works similar as a managed service account functionality and with extended capabilities, such as password is being managed by your Active Directory and every 30 days a new password is assigned to this service account automatically. If you have mix of legacy domain controllers and newer version of domain controllers, you would need both type of service accounts.
Azure ATP directory service connection, doesn’t required a gMSA account, to be a member of domain admin
If your server doesn’t have the root key created, then run the Add-KdsRootKey command with following parameter “-EffectiveTime“, with value immediately or scheduled.
For this Azure ATP case, all domain controllers with sensor must have managed password permission/right on the gMSA account. Make sure your account has a domain admins right to be able to perform the following setup below;
How to setup a gMSA account?
On your domain controller
Open/Launch PowerShell cmdlet
Type the following command New-ADServiceAccount -Name <ATP service account name> -DNSHostName <FQDN of 1 of your domain controller> -PrincipalsAllowedToRetrieveManagedPassword <domain controller hostname01$>,<domain controller hostname02$>
Sample of the command New-ADServiceAccount -Name AzATPSvc -DNSHostName DC01.contoso.com -PrincipalsAllowedToRetrieveManagedPassword DC01$, DC02$
Retrieve your change result command Get-ADServiceAccount -Identity AzATPSvc -Properties PrincipalsAllowedToRetrieveManagedPassword
Testing the service account command Test-ADServiceAccount -Identity AzATPSvc
If your customer is highly concerns about what sort of permission this account is assigned you may run the command below;
Hey fellow humans, how are you guys doing? With this covid-19 happening around us, hope that you are cautions about your health and safety of yourself and others too. I still can not believe that there are people still thinks that this virus is a myth. It really hurts to see the increases of cases in Malaysia has reach 4 thousand covid-19 cases yesterday in a day.
This blog post would be about onboarding methods Endpoint to Microsoft Endpoint Defender ATP, if you haven’t notice Microsoft has launch 1 new onboarding methods that you can enroll for your lab environment or customers.
If you are new to the ATP here are the steps to get these methods;
At the side bar you can see “Endpoint security” > Setup > Microsoft Defender ATP
There you would need to start setup of the Microsoft Defender ATP, it only takes 5 mins to setup, yes from the setup page here you may able to view the onboarding methods too but is only one-time setup page, so the actual location of this onboarding is at their Microsoft Defender ATP Admin portal.
At the side bar > Select Settings icon > Device Management > Onboarding
As you can see the above image, these are the following onboarding methods that you can use to onboard your endpoint devices.
Has limitation, per script only for 10 devices. Meaning that Script 1 has been used for 10 devices and to enroll the number 11 device you would need to re-download the new script package from the onboarding method.
If you are doing a quick lab this would be the best method to test the onboarding
Microsoft Endpoint Configuration Manager current branch and later
System Center Configuration Manager 2021 /2012 R2/1511/1602
VDI onboarding scripts for non-persistent devices
Onboarding are run at the backend of your endpoint, and it dependent on the licenses that you purchase and also the environment type. Meaning if your environment has SCCM then you would need to use the SCCM onboarding method to enroll the devices to Microsoft Defender ATP.
Microsoft has really ease quite a lot for administrators work in enroll their devices to ATP services and having integration between ATP and other security features inside. I will write more about it on the next blog post. Have a nice weekend!