Microsoft Defender for Identity Gets Action Accounts Support
Microsoft has added support for action accounts to its Microsoft Defender for Identity solution. The new action accounts feature was spotted by Twitter user @JimSycurity earlier this week, and it is now generally available for all enterprise customers worldwide.
The action accounts setting allows IT Admins to take actions on compromised accounts (such as resetting the password or disabling the account) directly from Microsoft Defender for Identity. This new capability should make it easier for security teams to prevent cyber-attacks targeting employees in their organization.
Just noticed something new in Microsoft Defender for Identity: Action Accounts. This appears to let us disable a user or reset their password in on-prem AD based on incident or alerts in M365 Security Center.
— Jim Sykora (@JimSycurity) March 7, 2022
Microsoft Defender for Identity is a cloud-based security solution that allows organizations to detect and investigate compromised identities, threats, and malicious attacks targeted at the on-premises Active Directory. Security teams can use the Defender for Identity portal to analyze the data received from the sensors and investigate potential threats in their network environment.
How to configure the action account in Microsoft Defender for Identity
To use this feature, IT Admins will need to define the group Managed Service Account (gMSA) that will be used to take actions by following these steps:
- First of all, create a new group Managed Service Account (gMSA) in Active Directory.
- Now, set the correct permissions for the gMSA account at the domain level to reset passwords, read the pwdLastSet attribute, write the pwdLastSet attribute, read the userAccountControl attribute and write the userAccountControl attribute.
- Go to the Microsoft 365 Defender portal and add the gMSA account under Settings >> Identities.
- Finally, select the Manage action accounts option available under the Microsoft Defender for Identity section.
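The first two steps can be scripted on a domain controller. The following is an added example, not code from the article or from Microsoft; the gMSA name `mdiAction` and the choice of the Domain Controllers group as the only principal allowed to retrieve the managed password are assumptions to adapt to your environment.

```powershell
# Added example: names below are assumptions, not values from the article.
Import-Module ActiveDirectory

$GmsaName  = 'mdiAction'                            # hypothetical gMSA name
$Domain    = Get-ADDomain
$DomainDN  = $Domain.DistinguishedName
$Principal = "$($Domain.NetBIOSName)\$GmsaName`$"   # gMSA sAMAccountName ends in $

# gMSAs need a KDS root key in the forest; stop if none exists.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found. Create one (Add-KdsRootKey) before creating a gMSA.'
}

# Step 1: create the gMSA. Assumption: the Defender for Identity sensors run on
# domain controllers, so only that group may retrieve the managed password.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$($Domain.DNSRoot)" `
    -PrincipalsAllowedToRetrieveManagedPassword 'Domain Controllers'

# Step 2: delegate only the rights listed in the steps above, at the domain
# level, inherited to descendant user objects (/I:S with object type "user").
$grants = @(
    'CA;Reset Password;user',       # control access right: reset password
    'RPWP;pwdLastSet;user',         # read + write pwdLastSet
    'RPWP;userAccountControl;user'  # read + write userAccountControl
)
foreach ($g in $grants) {
    & dsacls.exe $DomainDN /I:S /G "${Principal}:$g" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$g'" }
}

# Verify: list the ACEs that now reference the gMSA on the domain root.
(Get-Acl "AD:\$DomainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$GmsaName`$" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType
```

Review the verification output before registering the account in the portal: it should show only the three delegated rights, each scoped to user objects.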
It is important to note that Microsoft is dropping support for the Defender for Identity sensor on Windows Server 2008 R2 devices in June of this year. The company recommends that customers update their Domain Controllers and servers to a supported version of the OS as soon as possible.