Response Actions in Microsoft Defender for Identity

What does the feature do?

In the past, MDI has been more of a watcher in Active Directory: mainly logs from the domain controllers and traffic from the network cards are analyzed, and information from AD and the member servers (via SAM-R) is collected and analyzed. Even when an attack is detected, MDI does not intervene.

What problem does this feature solve?

With Microsoft Defender, Microsoft provides us with an extended detection and response solution which, among other things, has the idea (together with Microsoft Sentinel) of providing a central portal for the security operations teams.

Example: Credential Phishing

A practical example is credential phishing attacks. Although there are various very effective countermeasures (MFA, Safe Links, Windows Hello, …), it happens again and again that we are alerted, e.g. by alarms in Defender, that a user has clicked on a link that may have led to the user’s credentials being compromised.

Implementation

Microsoft has published a guide for the implementation which is a good foundation. If you have already used MDI, you should meet all the requirements for this feature. The only change is that Group Managed Service Accounts (gMSA) are now mandatory for this feature.

How can I use the feature?

As announced by MS, the new features can only be used in the Security Portal (that means not in the MCAS or MDI Portal).

  • Ernie is an AD only user
  • Big Bird is an AAD only user
  • Bert is a synchronized hybrid user
  • Google Guest is a guest user

What happens if I disable a user?

After clicking Disable Users, a warning is followed by a confirmation. But be careful: this confirmation only says that the process has been initiated — not that it has been performed successfully.

Active Directory and Hybrid User:

If the user originates in AD, MDI will take action and try to disable the user account. If successful, this will result in event 4725 (A user account was disabled) and event 4738 (A user account was changed).

Azure Active Directory and Guest User:

If the user originates in AAD or is a Guest User, MDCA will take action and try to disable the user account. This results in two entries in the AAD Audit Log:

What happens if I force a password reset?

Currently the Force Password Reset Action is only available for AD and Hybrid users in the Security Portal. A reset also results in an event 4738 which can be displayed with the above filter:

Anything else I need to know?

Be careful with Password Never Expires!

During testing I noticed that the password reset did not work for all users. The reason was the flag “Password never expires”, which prevents the flag “User must change password at next logon” from being set. If you try to set the flag via PowerShell you will get an appropriate error message:
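As an added example that is not part of the original post, the following PowerShell covers both points above from the defender's side: it lists the enabled AD accounts on which “Password never expires” would block the forced reset, and it pulls the 4725/4738 events a successful disable or reset leaves on a domain controller, since the portal only confirms that the action was initiated. The domain controller name, the lookback window and the sample user name are placeholders.

```powershell
# Added example (not from the original post): audit the "Password never expires"
# pitfall and verify disable / reset actions via domain controller security events.
# Assumes the RSAT ActiveDirectory module; DC name and lookback window are placeholders.
Import-Module ActiveDirectory

# Enabled accounts where "User must change password at next logon" cannot be set,
# so the MDI force-password-reset action will not take effect on them.
function Get-ResetBlockedUsers {
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
               -Properties PasswordNeverExpires, PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet
}

# Read TargetUserName from the event XML so 4725 and 4738 are handled alike,
# without relying on the positional order of their Properties.
function Get-EventTargetUser {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
}

# 4725 = account disabled, 4738 = account changed (a forced reset changes the
# "must change password" flag). These events are the proof that the action
# actually happened on the DC, as opposed to merely being initiated in the portal.
function Get-ResponseActionEvents {
    param(
        [string]$DomainController = 'DC01.contoso.local',   # placeholder
        [string]$TargetUser,                                 # e.g. 'ernie'
        [int]$LookbackHours = 1
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4725, 4738
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Target      = Get-EventTargetUser -Event $_
                Action      = if ($_.Id -eq 4725) { 'Account disabled' } else { 'Account changed' }
            }
        } |
        Where-Object { -not $TargetUser -or $_.Target -eq $TargetUser }
}

# Usage: check the pitfall first, then confirm that the action you triggered landed.
Get-ResetBlockedUsers
Get-ResponseActionEvents -TargetUser 'ernie' -LookbackHours 2
```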

Which Permissions do I need to use this feature?

I have not yet found any documentation on the permissions required — so here are my observations:

  • With the Security Admin role, the described feature is fully usable.
  • With the Security Operator role (and MDE RBAC enabled) you can see the users from AAD but not the AD-only users.
  • As a Security Operator, Disable User is displayed, but clicking it results in an error message.

Are there automation options?

In Defender you can use both described methods as actions in your custom detections.

Christopher Brumm

ITSec Pro focussed on MS Cloud Stuff