Article 2 – Tips & Tricks #Deploy Microsoft Defender for Identity (gMSA Accounts)



With my friend of many years and best colleague Daniel Pasquier, in our Article 1 – Tips & Tricks #Investigate with Microsoft Defender for Identity | LinkedIn, we started to share our tips and advice on using, deploying and managing MDI in your organization.

In this second article, with Daniel & Christophe Guerre (another great colleague of many years), we will share our experience on connecting MDI Sensors to your Active Directory and on starting the MDI deployment while respecting Microsoft Security Best Practices.

Deploying MDI is easy and straightforward. From our experience in the field with large French and EMEA customers, we can say that deploying MDI on a few hundred Domain Controllers can be done in a few days.

You will be successful in your deployment if you respect some guidance and Microsoft Best Practices.

The first best practice is to use a gMSA (Group Managed Service Account) for connecting the MDI solution to your Active Directory Forests.

Note: A gMSA account is not mandatory for installing MDI; you can use a standard AD user account and password. But if your Domain Controllers are running Windows Server 2012 or above, we strongly recommend using a gMSA.

Tips 1: Why are we recommending a gMSA account? It's all about Security Best Practices! A gMSA account includes automatic password management, so no human ever knows or rotates the password. Your security team will be happier seeing you respect service account best practices. Group Managed Service Accounts Overview | Microsoft Docs

Tips 2: A gMSA account requires Windows Server 2012 or above. However, if you are not able to set up a gMSA for some specific DCs, you can use a standard AD user account. You can mix standard and gMSA accounts across different DCs.

Tips 3: Do not worry about the number of domains or forests you will need to monitor with MDI: the solution supports up to 30 credentials, and if you need to add more you can contact the Microsoft Support Team to increase this number.

Tips 4: You need to decide whether you are planning to deploy MDI on one Domain or on the whole Forest. Why? Because you need to create a new security group containing all the domain controllers that will run the sensors (running Windows Server 2012 or above). If you're planning to use one gMSA for the whole Active Directory Forest, we recommend you create a universal group, add all the domain controllers to it, and give the "retrieve gMSA password" permission to that group. We have seen too many times errors where Domain Controllers were not able to retrieve the gMSA account password and failed during the installation or when trying to start. If you plan to deploy to only one Active Directory Domain, you can use the built-in Domain Controllers group. Connect Microsoft Defender for Identity to Active Directory quickstart | Microsoft Docs

Let's now create a gMSA account together. Here is a sample:

Step 1 - Create the group Managed Service Account (gMSA) in PowerShell:

New-ADServiceAccount -Name MDI-gMSA -DNSHostName MDI-gMSA.<Yourdomain.com> -KerberosEncryptionType AES256

Step 2 - Run the following PowerShell command to check who is allowed to retrieve the managed password:

Get-ADServiceAccount -Identity MDI-gMSA -Properties PrincipalsAllowedToRetrieveManagedPassword

Check the line "PrincipalsAllowedToRetrieveManagedPassword"; at this point it should be empty.

Step 3 - Run the following PowerShell command to grant the permission to retrieve the managed password:

Set-ADServiceAccount -Identity MDI-gMSA -PrincipalsAllowedToRetrieveManagedPassword 'Domain Controllers'

Note: you can also use the Distinguished Name: Set-ADServiceAccount -Identity MDI-gMSA -PrincipalsAllowedToRetrieveManagedPassword 'CN=Domain Controllers,CN=Users,DC=<YourDomain>'

Important note: if you have decided to use a Universal Group, replace the "Domain Controllers" group name above with the name of the Universal Group you have created.

Step 4 - Run the following PowerShell command again to verify who can retrieve the managed password:

Get-ADServiceAccount -Identity MDI-gMSA -Properties PrincipalsAllowedToRetrieveManagedPassword

Check the value of the line "PrincipalsAllowedToRetrieveManagedPassword": it should now contain the group you set in Step 3.
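As an added, end-to-end example (not from the original article), here is the forest-wide variant from Tips 4 scripted: it creates the universal group, adds every domain controller in the forest to it, creates the gMSA with that group as the only principal allowed to retrieve its password, and then performs the Step 4 verification. The group name MDI-DCs and the use of the current domain's DNS root for the DNSHostName are assumptions.

```powershell
# Added example, not the article's own script. Assumed names: gMSA 'MDI-gMSA',
# universal group 'MDI-DCs'; the DNSHostName uses the DNS root of the domain
# you run this in. Run as a Domain Admin on a host with RSAT-AD-PowerShell.
Import-Module ActiveDirectory

$GmsaName  = 'MDI-gMSA'
$GroupName = 'MDI-DCs'
$Domain    = (Get-ADDomain).DNSRoot

# Prerequisite: gMSA passwords are derived from a KDS root key. Without one,
# New-ADServiceAccount fails (Add-KdsRootKey creates it; it is usable 10 hours later).
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key exists in this forest. Create one with Add-KdsRootKey first.'
}

# Tips 4: one universal security group holding every DC that will run the sensor
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security `
        -Description 'Domain controllers allowed to retrieve the MDI gMSA password'
}
$existing = @((Get-ADGroup -Identity $GroupName -Properties member).member)
foreach ($d in (Get-ADForest).Domains) {
    # Fetch each DC's computer object from its own domain so that cross-domain
    # members resolve correctly when added to the universal group.
    Get-ADDomainController -Filter * -Server $d | ForEach-Object {
        if ($existing -notcontains $_.ComputerObjectDN) {
            $dc = Get-ADComputer -Identity $_.ComputerObjectDN -Server $d
            Add-ADGroupMember -Identity $GroupName -Members $dc
        }
    }
}

# Steps 1 and 3 in one go: create the gMSA (AES256 only, as in the article) and
# grant the group the right to retrieve the managed password.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.$Domain" `
        -KerberosEncryptionType AES256 `
        -PrincipalsAllowedToRetrieveManagedPassword $GroupName
} else {
    Set-ADServiceAccount -Identity $GmsaName -PrincipalsAllowedToRetrieveManagedPassword $GroupName
}

# Step 4: verify. The attribute should contain the group's DN (and nothing else).
$principals = @((Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword)
$groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
if ($principals -contains $groupDn) {
    "OK: $GroupName may retrieve the password of $GmsaName"
} else {
    Write-Warning "Expected $groupDn in PrincipalsAllowedToRetrieveManagedPassword, got: $($principals -join '; ')"
}
```

Newly added DCs still need a fresh Kerberos ticket before the membership takes effect on them (see Tips 7).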

Here is a sample from our Lab Environment showing what the output looks like:

[Screenshot: Get-ADServiceAccount output with the PrincipalsAllowedToRetrieveManagedPassword value, not reproduced here]


Tips 5: Be careful and verify that your gMSA account will be able to Log on as a service on all Domain Controllers that will be running MDI. The gMSA account must be granted the "Log on as a service" right; if not, the impersonation will fail, and the domain controller will not be able to retrieve the gMSA account password and install properly.

Modify your GPOs (especially hardening/security GPOs) to add this account to the URA (User Rights Assignment) "Log on as a service".

Tips 6: If your sensor is failing to install and you are not sure that the domain controller has been given the right to access the password, run the following command lines to verify:

Get-ADServiceAccount <YourServiceAccountName> -Properties PrincipalsAllowedToRetrieveManagedPassword

(Get-ADPrincipalGroupMembership (Get-ADComputer <YourDCName>).DistinguishedName).distinguishedName

Note: you must find the same group in PrincipalsAllowedToRetrieveManagedPassword (first command) and in the list of groups returned by the second command.

Tips 7: If you think that you have done all the steps properly and still have an error retrieving the gMSA account password, it might be that the Kerberos tickets have not been refreshed yet. If the domain controller's Kerberos ticket was issued before the domain controller was added to the security group with the proper permission, that group won't be part of the Kerberos ticket. As such, the domain controller won't be able to retrieve the password of the gMSA account.

To try to solve this:

  1. Reboot the domain controller.
  2. Purge the Kerberos tickets, forcing the domain controller to request a new Kerberos ticket. From an administrator command prompt on the domain controller, run the following command: klist -li 0:0x3e7 purge

Tips 8: If you want to test that your gMSA is properly configured and that the domain controller has been given the right to access the password, try to install it on the Domain Controller:

  1. Stop AATPSensor and AATPSensorUpdater
  2. Cache the service account on the server: Install-ADServiceAccount

In our example the command will be: Install-ADServiceAccount MDI-gMSA

  3. Start AATPSensor

Note: If you get an error at this point:

[Screenshot of the Install-ADServiceAccount error, not reproduced here]

Re-check Tips 5, 6 and 7.
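As an added diagnostic (not part of the original article), here is a script that folds Tips 6 and Tips 8 together. Run it in an elevated PowerShell on the domain controller whose sensor will not start: it first checks whether that DC sits in one of the principals allowed to retrieve the password, then runs the Tips 8 sequence (stop the sensor, Install-ADServiceAccount, Test-ADServiceAccount, start the sensor) and stops with a pointer to the relevant tip as soon as one step fails. The gMSA name MDI-gMSA is an assumption.

```powershell
# Added diagnostic, not the article's own script. Run elevated on the DC whose
# sensor fails to start. Assumed gMSA name: MDI-gMSA.
Import-Module ActiveDirectory

$GmsaName = 'MDI-gMSA'
$me       = Get-ADComputer -Identity $env:COMPUTERNAME

# Tips 6: which principals may retrieve the password, and which groups is this DC in?
# Get-ADPrincipalGroupMembership lists direct memberships only (including the
# primary group 'Domain Controllers'); nested membership is not shown.
$allowed  = @((Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword)
$myGroups = @((Get-ADPrincipalGroupMembership -Identity $me.DistinguishedName).DistinguishedName)
$overlap  = @($allowed | Where-Object { $_ -eq $me.DistinguishedName -or $myGroups -contains $_ })

if ($overlap.Count -eq 0) {
    Write-Warning "$($me.Name) is not (directly) in any principal allowed to retrieve the password of $GmsaName."
    Write-Warning "Allowed principals: $($allowed -join '; ')"
    Write-Warning 'Fix the group membership (Tips 4/6), then purge this DC''s tickets: klist -li 0:0x3e7 purge (Tips 7).'
    return
}
"Membership OK via: $($overlap -join '; ')"

# Tips 8: stop the sensor, cache the account (this is where a DC that cannot
# retrieve the password fails), then confirm with Test-ADServiceAccount.
Stop-Service -Name AATPSensor, AATPSensorUpdater -ErrorAction SilentlyContinue
try {
    Install-ADServiceAccount -Identity $GmsaName -ErrorAction Stop
} catch {
    Write-Warning "Install-ADServiceAccount failed: $($_.Exception.Message)"
    Write-Warning 'Usual causes: a stale Kerberos ticket (Tips 7) or a missing "Log on as a service" right (Tips 5).'
    return
}
if (Test-ADServiceAccount -Identity $GmsaName) {
    Start-Service -Name AATPSensor
    "Sensor started using $GmsaName"
} else {
    Write-Warning "Test-ADServiceAccount returned False for $GmsaName; do not start the sensor yet."
}
```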

Tips 9: Investigate the logs. There are two types of logs for MDI: deployment logs and MDI Sensor logs.

If the service is not able to start, investigate the MDI Sensor logs in the following folder on the Domain Controller: C:\Program Files\Azure Advanced Threat Protection Sensor\<version number>\Logs

If the error concerns the gMSA account, based on our experience you will see this type of error:

2021-12-1 14:02:19.6258 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync failed GMSA password could not be retrieved [errorCode=AccessDenied AccountName=account_name DomainDnsName=domain1.test.local]

This means the sensor failed to retrieve the password of the gMSA account (re-check Tips 5, 6, 7 and 8).

Tips 10: Summary of the steps not to forget:

  1. Create a universal group and add all Domain Controllers that will be running MDI in the Active Directory Forest (if the scope of the MDI deployment is a single Domain, the built-in "Domain Controllers" group should be enough)
  2. If you have created a Universal group, ensure all your DCs have been restarted or their Kerberos tickets purged using klist
  3. Ensure the gMSA account is given the "Log on as a service" right on the Domain Controllers
  4. Try to install the gMSA account using the PowerShell command line, just to see if the Domain Controller can retrieve the password
  5. Important step: when your gMSA account is ready, use it to connect to your Active Directory Forest in the MDI Portal: Connect Microsoft Defender for Identity to Active Directory quickstart | Microsoft Docs
  6. If all the steps above have been done properly, you can proceed to the MDI installation.

Your MDI deployment is not finished yet, but you have completed an important part of the actions that ensure its success. Do not forget that the Microsoft Support Team will be there to help you if needed.

We hope you have enjoyed our tips and that they will be helpful. In upcoming articles we will share more tips on configuring and using the MDI solution... stay tuned!

Thank you.

Muhammad Nasr

Application Design Engineer @ Schneider Electric | CSI AVEVA PI Specialist

2 years

Thanks a lot. This great article has helped me after many searches.

Loïc Michel

Cloud support engineer at Microsoft

2 years

Hello thank you. I struggle to get the ADFS extended information would you mind create some guidance on that topic please?

Robin Granberg

Senior Incident Response Consultant |CISSP|CCSP|GPCS|GMON| at Semperis

2 years

Great write up on MDI service account!

Mohamed A.

M365 & CyberSecurity / Copilot / Compliance Architect

2 years

Hello Jugoslav STEVIC. Thanks for your documentation. I think you can add the cmdlet to test if the domain controllers are able to use the gMSA account (Test-ADServiceAccount). While the value is not equal to true you cannot use the gMSA for MDI. Moreover, you can add steps to describe how to configure read-only permissions for the gMSA account on the Deleted Objects container, which is a prerequisite for MDI to detect user deletions from Active Directory.
