Step-by-Step Guide to Setting Up Advanced Auditing for Directory Services Using Defender for Identity
If you want Microsoft Defender for Identity to see what happens in your directory, the domain controllers have to produce the right events first. This guide walks through turning on Directory Services Advanced Auditing for Defender for Identity the way Microsoft's published guidance describes it: the audit subcategories to enable, how to lay out the Group Policy Objects (including the GPO names the DefenderForIdentity PowerShell module creates and checks), the object-level SACLs, and the sensor health checks that tell you when something is missing. Done properly, this closes the gap between what attackers do in Active Directory and what your monitoring can observe.
Key Takeaways
Enable Advanced Audit Policy on every domain controller. The subcategory-level events it produces are what Defender for Identity correlates into detections.
Keep the GPO name 'Microsoft Defender for Identity - Advanced Audit Policy for DCs' if you use the DefenderForIdentity PowerShell module: Set-MDIConfiguration creates GPOs with that name and Test-MDIConfiguration looks for them. The sensor itself checks the effective audit policy on the domain controller, not the GPO name.
Configure NTLM auditing and object (SACL) auditing deliberately. Together they expose credential validation, account and group changes, and changes to directory objects.
Deploy a sensor on every domain controller and on AD FS, AD CS and Entra Connect servers, and review sensor health and audit coverage on a schedule.
Use PowerShell (auditpol, the ActiveDirectory and DefenderForIdentity modules) alongside the Group Policy Management Console to apply, verify and repair audit policy quickly and consistently.
Overview
What Is Advanced Auditing?
Advanced Auditing is the subcategory-level audit policy in Windows Server. It records who logged on, who changed a password, who modified a group, and so on. Basic (legacy) auditing exposes nine broad categories; Advanced Audit Policy Configuration breaks those into more than fifty subcategories, so you can record, for example, directory service changes without also recording every replication event. The settings are applied with Group Policy at domain, site or OU scope; for domain controllers they are normally linked to the Domain Controllers OU.
Here are some important features of Advanced Auditing:
You can watch things like Account Logon, Account Management, Directory Service Access, Logon/Logoff, and Object Access.
You can track changes to user accounts, groups, permissions, and policies closely.
You can use tools like auditpol.exe and Group Policy to set up and check audit rules.
Advanced Auditing helps you see only the events you care about.
Tip: Because Advanced Auditing splits each of the nine categories into subcategories, you can enable only the subcategories that produce useful security events and leave the noisy ones off.
Why It Matters for Defender for Identity
With Advanced Auditing on, the Defender for Identity sensor on each domain controller reads the Windows event log in addition to capturing network traffic. The events cover credential validation (including NTLM logons), account and group management, and directory service access and changes; the sensor correlates them with the traffic it sees and raises alerts on suspicious activity.
This improves detection of attacks such as DCShadow, of suspicious account changes, and of privilege escalation, and it lets you trace deleted or modified directory objects and logon events. If the required audit settings are missing, the sensor has less to work with and some detections degrade.
Note: The sensor reports missing audit settings as health issues in the Defender portal (for example, "Directory Services Advanced Auditing is not enabled"), so a misconfiguration is visible rather than silent.
Prerequisites
Licensing and Permissions
Before you start, make sure you have a license that includes Defender for Identity and the rights to change audit policy. The main licensing options are:
Microsoft 365 E5 (E5/A5/G5)
Microsoft 365 E5/A5/G5 Security
Standalone Defender for Identity license
Licenses are assigned to users in Microsoft Entra ID; there is no separate license for advanced auditing. For the domain-side work you need rights to create and link GPOs on the Domain Controllers OU and to edit SACLs on directory objects, which in practice means membership in Domain Admins (in the forest root domain when you also audit the Configuration container).
Note: Always check your company’s licensing portal to see your license status.
Required Tools and Modules
You need some tools to set up and manage advanced auditing. These tools help you make policies and check your directory services.
Microsoft Remote Server Administration Tools (RSAT): Lets you use Active Directory consoles and PowerShell modules.
Active Directory Users and Computers (ADUC): Lets you manage users, groups, and computers.
Group Policy Management Console (GPMC): Used to make and manage Group Policy Objects (GPOs).
Windows PowerShell: Lets you automate tasks and run scripts for Active Directory.
Active Directory PowerShell module: Cmdlets such as Get-ADUser, Get-ADComputer and Get-ADDomainController, plus the AD: drive that Get-Acl and Set-Acl use to read and write directory ACLs.
AzureAD and MSOnline PowerShell modules: Historically used for hybrid tenants. Both are deprecated and Microsoft Graph PowerShell replaces them, so prefer Graph for any new scripts.
PowerShell Desired State Configuration (DSC): Helps keep your directory settings the same.
Tip: Put RSAT on your computer so you can use all these tools and modules.
GPO Naming Best Practices
When you make Group Policy Objects for auditing, use names that are clear and easy to understand. This helps you find and manage policies later. Here are some tips:
Use names that show what the policy does and who it is for.
Add prefixes like "U" for user policies or "C" for computer policies.
Make names short but still clear.
This way, you will not get confused and your environment stays neat.
Configuration Steps
Set Advanced Audit Policy via GPO
You can use Group Policy Management Console to set Advanced Audit Policy. This helps you pick what Windows Server logs on your domain controllers.
Log in as a domain admin on a computer with GPMC.
Open Group Policy Management from the Start menu.
Right-click the GPO you want to edit. You can use the Default Domain Controllers Policy, but a dedicated GPO linked to the Domain Controllers OU with a descriptive Defender for Identity name is easier to manage and to roll back.
Click "Edit" to open Group Policy Management Editor.
Go to Computer Configuration, then Policies, then Windows Settings, then Security Settings, then Advanced Audit Policy Configuration, then Audit Policies.
Under the Account Logon, Account Management, DS Access, Logon/Logoff, Policy Change and System categories, enable the subcategories Microsoft's Defender for Identity reference table lists, with both Success and Failure. Work at the subcategory level rather than switching on whole categories: DS Access, for example, also contains Directory Service Replication, which is noisy on a domain controller and not needed here.
In Security Options, enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings". Without it, a legacy category-level setting applied elsewhere can silently override your subcategory settings.
Save your changes.
Run gpupdate /force on your domain controllers (or wait for the next Group Policy refresh) to apply the new settings.
Tip: Use a GPO with a clear name like "Microsoft Defender for Identity - Advanced Audit Policy for DCs." This makes it easier to find and fix problems.
Keep user rights assignment policies in the Default Domain Controllers Policy.
Put the audit settings in a separate GPO linked to the Domain Controllers OU, or add them to the Default Domain Controllers Policy; either works, but a separate GPO is easier to test, compare and remove.
Test your audit policies before using them for real.
Configure with PowerShell
PowerShell is the quicker route, and the only one that configures every domain controller consistently. The DefenderForIdentity module from the PowerShell Gallery wraps the whole configuration (audit policy, NTLM auditing, object auditing and more) in three cmdlets.
To set audit policies with PowerShell:
Set-MDIConfiguration -Mode Domain -Configuration All
You can check your settings with:
Get-MDIConfiguration -Mode Domain -Configuration All
To test if your audit policies work:
Test-MDIConfiguration -Mode Domain -Configuration All
Note: In -Mode Domain these cmdlets create, read and test GPOs using the module's standard names; -Mode LocalMachine works on the local machine's effective settings instead. You need the GroupPolicy and ActiveDirectory RSAT modules on the machine where you run them.
Enable NTLM Auditing
NTLM auditing lets you watch authentication events and find strange activity. You need to set up NTLM audit policies for Microsoft Defender for Identity to work well.
Steps to enable NTLM auditing:
Open Group Policy Management Console and go to Domain Controllers.
Make or edit a GPO for security settings.
Under Computer Configuration, then Policies, then Windows Settings, then Security Settings, then Local Policies, then Security Options, set these:
Network security: Restrict NTLM: Audit Incoming NTLM Traffic — Turn on auditing for all accounts.
Network security: Restrict NTLM: Audit NTLM authentication in this domain — Turn on all.
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers — Audit all.
Apply the GPO and run gpupdate /force on your domain controllers. Then open Local Security Policy (secpol.msc) on a domain controller and confirm that all three settings show as applied.
Note: NTLM auditing is what lets the sensor attribute NTLM authentications to their source computers. Once it is enabled, domain controllers log event ID 8004 in the Microsoft-Windows-NTLM/Operational log; that is the event to look for when validating.
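The following is an added example, not code from the original guide or from Microsoft: it verifies the three Restrict NTLM settings above on every domain controller by reading the registry values the GPO writes, and then counts recent 8004 events. The registry value meanings follow the Restrict NTLM policy documentation (2 = audit all accounts for incoming traffic, 7 = enable all for in-domain auditing, 1 = audit all outgoing traffic); re-check them against your Windows version before trusting the result.

```powershell
# Added example (not Microsoft's code): check NTLM audit settings and 8004 events on all DCs.
Import-Module ActiveDirectory

# Expected values per the Restrict NTLM policy documentation (assumption; verify for your OS version).
$expected = @{
    AuditReceivingNTLMTraffic  = 2   # Audit Incoming NTLM Traffic: enable auditing for all accounts
    AuditNTLMInDomain          = 7   # Audit NTLM authentication in this domain: enable all
    RestrictSendingNTLMTraffic = 1   # Outgoing NTLM traffic to remote servers: audit all
}

$check = {
    param([hashtable]$expected)
    # The GPO writes the three settings under the MSV1_0 key.
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $props  = Get-ItemProperty -Path $key
    $result = [ordered]@{ Computer = $env:COMPUTERNAME }
    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        $result[$name] = if ($null -eq $actual) { 'missing' }
                         elseif ($actual -eq $expected[$name]) { 'ok' }
                         else { "wrong ($actual)" }
    }
    # The operational log must be enabled, and 8004 events should start to appear once the policy is on.
    $log = Get-WinEvent -ListLog 'Microsoft-Windows-NTLM/Operational' -ErrorAction SilentlyContinue
    $result.NtlmLogEnabled = [bool]$log.IsEnabled
    $since  = (Get-Date).AddHours(-1)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = $since } `
              -ErrorAction SilentlyContinue
    $result.Events8004LastHour = @($events).Count
    [pscustomobject]$result
}

function Get-DcNtlmAuditStatus {
    param([string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $check -ArgumentList $expected
}

Get-DcNtlmAuditStatus | Format-Table PSComputerName, AuditReceivingNTLMTraffic, AuditNTLMInDomain,
    RestrictSendingNTLMTraffic, NtlmLogEnabled, Events8004LastHour -AutoSize
```

A domain controller that shows 'ok' for all three values but zero 8004 events in the last hour may simply have had no NTLM traffic; a DC that shows 'missing' or 'wrong' has not received the GPO, which is the case to chase first.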
Set Object Auditing
Object auditing lets you see changes to important Active Directory objects. You need to set up auditing for users, groups, computers, and managed service accounts.
How to set object auditing:
Open Active Directory Users and Computers.
Click "View" and turn on "Advanced Features."
Right-click your domain and choose "Properties."
Go to the Security tab, then click "Advanced."
On the Auditing tab, click "Add."
Pick "Everyone" as the principal.
Set Type to "Success."
For "Applies to," pick descendant user objects.
In Permissions, clear everything, then select "Full Control"; afterwards clear "List contents," "Read all properties," and "Read permissions." This audits writes, deletes and permission changes on the objects without logging every read.
Do the same for descendant group objects, computer objects, msDS-GroupManagedServiceAccount objects, and msDS-ManagedServiceAccount objects.
Tip: Auditing these objects helps Microsoft Defender for Identity find changes you did not allow and privilege increases.
You should also audit important containers like the Schema Directory Partition, Configuration Container, Sites, and DirectoryService objects. This helps you see changes that affect your whole forest.
Audit AD FS, AD CS, and Configuration Container
You need to audit special containers and services to cover everything for Microsoft Defender for Identity.
AD FS Auditing:
Open Active Directory Users and Computers.
Go to Program Data, then Microsoft, then ADFS.
Right-click ADFS and pick "Properties."
Go to the Security tab, click "Advanced," then go to the Auditing tab.
Add "Everyone" as principal.
Set Type to "All" and Applies to "This object and all descendant objects."
In Permissions, clear all, then pick "Read all properties" and "Write all properties."
AD CS Auditing:
Make a GPO for your AD CS server.
Go to Computer Configuration, then Policies, then Windows Settings, then Security Settings, then Advanced Audit Policy Configuration, then Audit Policies, then Object Access, then Audit Certification Services.
Turn on Success and Failure events.
On the CA server, open Certification Authority, right-click your CA, and pick "Properties."
Go to the Auditing tab and select all of the listed events (the equivalent of a CA AuditFilter of 127), then restart the Active Directory Certificate Services service so the change takes effect.
Configuration Container Auditing:
Open ADSI Edit (Start, then Run, then ADSIEdit.msc).
Connect to the Configuration naming context.
Right-click the Configuration node and pick "Properties."
Go to the Security tab, click "Advanced," then go to the Auditing tab.
Add "Everyone" as principal.
Set Type to "All" and Applies to "This object and all descendant objects."
In Permissions, clear all, then pick "Write all properties."
Note: Auditing these containers and services helps Microsoft Defender for Identity sensors get all the security events they need. This helps you find threats and keep your directory safe.
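The block below is an added example, not code from the original guide or from Microsoft. It applies the SACL entries described in "Set Object Auditing" and "Audit AD FS, AD CS, and Configuration Container" with PowerShell instead of clicking through ADUC and ADSI Edit, which makes the result repeatable and reviewable. It assumes the AD FS container is at its default location (CN=ADFS,CN=Microsoft,CN=Program Data under the domain head) and that the AD CS step is done separately on the CA host; the helper names are ours.

```powershell
# Added example (not Microsoft's code): apply the Defender for Identity object-auditing SACLs with PowerShell.
# Run as a Domain Admin (SeSecurityPrivilege is required to write SACLs) on a host with the RSAT AD module.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$configDN = $rootDse.configurationNamingContext
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'     # "Everyone"
$R        = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Flags    = [System.Security.AccessControl.AuditFlags]

function Get-SchemaClassGuid {
    # Look the class schemaIDGUID up at run time instead of hard-coding well-known GUIDs.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $cls = Get-ADObject -SearchBase $rootDse.schemaNamingContext -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $cls) { throw "Schema class '$LdapDisplayName' not found" }
    [Guid]$cls.schemaIDGUID
}

function Add-EveryoneAuditRule {
    # Adds one SACL entry for Everyone on the object, unless an identical entry is already there.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Parameter(Mandatory)][System.Security.AccessControl.AuditFlags]$AuditFlags,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [Guid]$InheritedObjectType = [Guid]::Empty     # Empty = applies to all descendant object classes
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path -Audit
    $dup  = $acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $everyone -and $_.ActiveDirectoryRights -eq $Rights -and
            $_.AuditFlags -eq $AuditFlags -and $_.InheritanceType -eq $Inheritance -and
            $_.InheritedObjectType -eq $InheritedObjectType
        }
    if ($dup) { Write-Host "Already present on $DistinguishedName"; return }
    $rule = if ($InheritedObjectType -eq [Guid]::Empty) {
        [System.DirectoryServices.ActiveDirectoryAuditRule]::new($everyone, $Rights, $AuditFlags, $Inheritance)
    } else {
        [System.DirectoryServices.ActiveDirectoryAuditRule]::new($everyone, $Rights, $AuditFlags, $Inheritance, $InheritedObjectType)
    }
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Added audit entry on $DistinguishedName"
}

# 1. Domain head: Success auditing of Full Control minus List contents, Read all properties and
#    Read permissions, inherited by descendant user, group, computer, gMSA and MSA objects.
$objectRights = [System.DirectoryServices.ActiveDirectoryRights](
    [int]$R::GenericAll -band (-bnot ([int]$R::ListChildren -bor [int]$R::ReadProperty -bor [int]$R::ReadControl)))
foreach ($class in 'user', 'group', 'computer', 'msDS-GroupManagedServiceAccount', 'msDS-ManagedServiceAccount') {
    Add-EveryoneAuditRule -DistinguishedName $domainDN -Rights $objectRights -AuditFlags $Flags::Success `
        -Inheritance $Inherit::Descendents -InheritedObjectType (Get-SchemaClassGuid $class)
}

# 2. AD FS container (assumed default location): Success and Failure on Read/Write all properties,
#    this object and all descendants.
$adfsDN = "CN=ADFS,CN=Microsoft,CN=Program Data,$domainDN"
$adfsExists = try { [bool](Get-ADObject -Identity $adfsDN) } catch { $false }
if ($adfsExists) {
    Add-EveryoneAuditRule -DistinguishedName $adfsDN -Rights ($R::ReadProperty -bor $R::WriteProperty) `
        -AuditFlags ($Flags::Success -bor $Flags::Failure) -Inheritance $Inherit::All
} else { Write-Warning "No AD FS container at $adfsDN; skipping (expected when AD FS is not deployed)" }

# 3. Configuration container: Success and Failure on Write all properties, this object and all descendants.
Add-EveryoneAuditRule -DistinguishedName $configDN -Rights $R::WriteProperty `
    -AuditFlags ($Flags::Success -bor $Flags::Failure) -Inheritance $Inherit::All

# 4. AD CS is configured on the CA host, not in the directory: after the GPO enables
#    "Audit Certification Services", run  certutil -setreg CA\AuditFilter 127  there and restart certsvc.
```

The rights mask in step 1 is exactly what the ADUC dialog produces when you tick Full Control and then clear the three read-type boxes; comparing against existing entries before adding keeps the script idempotent, so it can be re-run as a drift check.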
Integrate with Microsoft Defender for Identity
Sensor Deployment
Sensors do the actual monitoring. Each one captures network traffic on the host it runs on and reads that host's event logs, then sends the results to the Defender for Identity service. Install a sensor on every domain controller, and also on AD FS, AD CS and Entra Connect servers, because those hosts see authentication and certificate activity the domain controllers do not.
Here is how you set up sensors:
Create a directory service account (DSA). A group Managed Service Account is the recommended choice; specify it with the fully qualified domain name.
Download the sensor installer. Get your access key.
Run the sensor setup on each server. The installer requires .NET Framework 4.7 or later and installs it if it is missing, which can require a restart.
The Npcap driver is needed. The installer puts it on for you.
Make sure the sensor hosts can reach the Defender for Identity service endpoints, directly or through the proxy you configure; a sensor that cannot reach the service installs fine but never reports.
After you finish, check that the sensor services are running.
You can set options like delayed updates. You can also pick which network adapters to use.
Open the Defender for Identity portal. Check that the sensor is healthy.
Tip: Always use DNS names for service URLs. This helps if IP addresses change.
Health Checks and Troubleshooting
After you install sensors, you need to check if they work well. Sensors must capture traffic and log events without errors. If you see alerts, you can fix most problems by doing these steps:
Check network settings. Disable Large Send Offload (LSO) on the adapters the sensor captures on, and make sure every adapter it uses is enabled and connected.
Test domain controller connections. Try LDAP connections. Make sure the directory service account has the right permissions.
Make sure the Npcap driver is up to date. Old drivers can block packet capture.
Confirm the audit policies are in effect. Missing NTLM or directory service auditing does not stop the sensor from running, but it does stop the events the detections depend on, and the portal reports it as a health issue.
Set power options to High Performance. This keeps sensors working well.
If the sensor cannot write logs, stop the service. Fix the log path. Then restart the service.
For certificate-related connection errors, make sure the sensor host trusts the DigiCert root certificates Microsoft's service endpoints use; Microsoft's guide shows how to download and install them with PowerShell.
If you use VMware, turn off IPv4 TSO Offload and Large Send Offload in NIC settings.
Note: You can watch sensor health and alerts in the Defender for Identity portal. If you see errors, check logs and follow Microsoft’s troubleshooting steps.
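As an added example (not Microsoft's code and not from the original guide), here is a read-only check that covers the items in the troubleshooting list above, meant to be run on each sensor host. It assumes the service names AATPSensor, AATPSensorUpdater and npcap, which are what the sensor installs at the time of writing, the standard NDIS registry keywords for Large Send Offload, Npcap's default install path, and the built-in High Performance power plan GUID.

```powershell
# Added example (not Microsoft's code): local health check for a Defender for Identity sensor host.
function Test-MdiSensorHost {
    $result = [ordered]@{ Computer = $env:COMPUTERNAME }

    # Sensor services and the Npcap capture driver (names are assumptions; see lead-in).
    foreach ($svc in 'AATPSensor', 'AATPSensorUpdater', 'npcap') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $result["Service_$svc"] = if ($s) { $s.Status.ToString() } else { 'not installed' }
    }

    # Npcap version (old drivers can block capture); path is Npcap's default install location.
    $wpcap = Get-Item "$env:SystemRoot\System32\Npcap\wpcap.dll" -ErrorAction SilentlyContinue
    $result.NpcapVersion = if ($wpcap) { $wpcap.VersionInfo.ProductVersion } else { 'not found' }

    # Large Send Offload must be off on every adapter the sensor captures on.
    $lsoOn = Get-NetAdapterAdvancedProperty -RegistryKeyword '*LsoV2IPv4', '*LsoV2IPv6' -ErrorAction SilentlyContinue |
        Where-Object { $_.RegistryValue -ne '0' }
    $result.LsoStillEnabledOn = @($lsoOn | ForEach-Object { "$($_.Name) ($($_.RegistryKeyword))" }) -join ', '

    # Disabled or disconnected adapters are a common cause of capture alerts.
    $result.AdaptersNotUp = @(Get-NetAdapter | Where-Object { $_.Status -ne 'Up' } | ForEach-Object Name) -join ', '

    # The sensor should run under the High Performance plan (built-in GUID).
    $m = [regex]::Match(((powercfg /getactivescheme) -join ' '),
                        '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}')
    $result.HighPerformancePlan = ($m.Success -and $m.Value -eq '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c')

    [pscustomobject]$result
}

Test-MdiSensorHost | Format-List
```

Empty LsoStillEnabledOn and AdaptersNotUp values are the healthy case; anything listed there maps directly to the "Disable LSO" and "adapter disconnected" items above. The check changes nothing, so it is safe to schedule.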
Validation
Verify Audit Policy Application
Check that the audit policy is actually in effect on every domain controller, not just present in a GPO. On the domain controller, run auditpol /get /category:* from an elevated Command Prompt; it lists the effective setting for every subcategory. If a subcategory you enabled shows "No Auditing", look at the policy file at %systemroot%\security\audit\audit.csv: its timestamp tells you whether Group Policy has refreshed it, and if the file is marked Read-Only, clear that attribute so it can be updated. Also confirm in Group Policy Management Console, using your Domain Admin account, that "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled in the Default Domain Controllers Policy or your own Domain Controllers GPO (Computer Configuration, then Policies, then Windows Settings, then Security Settings, then Local Policies, then Security Options). After any change, run gpupdate /force and check again.
Tip: Re-run auditpol /get /category:* after every change. It reports effective settings, which is what the sensor sees.
Confirm Event Log Generation
Next, confirm that events are actually being written. Open Event Viewer on a domain controller and go to Windows Logs, then Security. Running a command such as whoami creates a process, but the resulting event ID 4688 only appears if Detailed Tracking, Audit Process Creation is enabled (Success and Failure) in Group Policy; Defender for Identity does not require that subcategory, so 4688 proves Group Policy applied, not that the right subcategories are on. Look instead for the events your policy should produce, such as 4776 (credential validation), 4728 (member added to a security-enabled global group), 4662 (operation on a directory object) and 5136 (directory object modified). The table below shows important audit settings you should check:
These settings produce the security events Defender for Identity relies on.
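The block below is an added example; it is not Microsoft's code and was not part of the original guide. It runs the checks from "Verify Audit Policy Application" and "Confirm Event Log Generation" against every domain controller at once: the effective setting of each required subcategory (auditpol /r emits CSV that PowerShell can parse) and how many of a representative event ID arrived in the last 24 hours. The subcategory list is the one Microsoft's reference table gave when this was written, so verify it against the current documentation; the subcategory-to-event-ID mapping is our choice for the report.

```powershell
# Added example (not Microsoft's code): effective audit policy and recent events on all DCs.
Import-Module ActiveDirectory

# Subcategory -> one representative event ID it produces (mapping chosen for this report).
$required = @{
    'Credential Validation'         = 4776   # NTLM credential validation
    'Computer Account Management'   = 4741   # computer account created
    'Distribution Group Management' = 4749   # security-disabled global group created
    'Security Group Management'     = 4728   # member added to security-enabled global group
    'User Account Management'       = 4720   # user account created
    'Directory Service Access'      = 4662   # operation performed on a directory object
    'Directory Service Changes'     = 5136   # directory object modified
    'Security System Extension'     = 4697   # service installed on the system
}

$check = {
    param([hashtable]$required, [datetime]$since)
    # /r columns: Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting
    $policy = auditpol /get /category:* /r | ConvertFrom-Csv
    foreach ($sub in $required.Keys) {
        $row     = $policy | Where-Object { $_.Subcategory -eq $sub }
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'unknown' }
        $count   = 0
        try {
            # Get-WinEvent raises an error, rather than returning nothing, when no event matches.
            $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $required[$sub]; StartTime = $since } `
                      -ErrorAction Stop
            $count  = @($events).Count
        } catch { }
        [pscustomobject]@{
            Subcategory = $sub
            Effective   = $setting
            PolicyOk    = ($setting -eq 'Success and Failure')
            SampleId    = $required[$sub]
            Last24h     = $count
        }
    }
}

function Get-DcAuditStatus {
    param([string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $check `
        -ArgumentList $required, (Get-Date).AddHours(-24)
}

Get-DcAuditStatus | Sort-Object PSComputerName, Subcategory |
    Format-Table PSComputerName, Subcategory, Effective, PolicyOk, SampleId, Last24h -AutoSize
```

PolicyOk is the column that matters: a False there means the GPO did not reach that domain controller or was overridden. A zero in Last24h for a rare event such as 4749 or 4697 is normal on a quiet domain and is not by itself a misconfiguration.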
Use PowerShell for Readiness Checks
PowerShell makes the readiness check repeatable. Install and import the DefenderForIdentity module, then run New-MDIConfigurationReport -Path C:\Temp -OpenHtmlReport to produce an HTML report of the audit policy status. Use Set-MDIConfiguration -Mode Domain -Configuration All to apply every required setting and Test-MDIConfiguration -Mode Domain -Configuration All to verify it; the test returns True only when everything matches. Check that a sensor host can reach the service with Test-MDISensorApiConnection -Verbose -SensorApiUrl <URL> -BypassConfiguration. Run the report again afterwards to confirm the changes took effect.
Note: Checking often makes sure your audit policies stay on and your security monitoring works well.
You now have Directory Services Advanced Auditing configured for Microsoft Defender for Identity. Stick to the settings Microsoft documents (and to the module's GPO names if you use Set-MDIConfiguration), review the audit policy and event logs on a schedule so sensors keep receiving the events they need, and check Microsoft's guide periodically for changes to the required settings.
Watching and checking your setup helps you:
Make sure audit logs are complete for security tools.
Save logs longer so you can look back if needed.
Keep logs safe and ready for rules you must follow.
Find strange activity faster with better audit data.
Make your security stronger by spotting issues early.
Checking your setup often helps you get ready for audits and keeps your system safe.
FAQ
What should you do if Defender for Identity reports "Directory Services Advanced Auditing is not enabled"?
Start on the domain controller itself: the health issue is raised from the effective audit policy the sensor sees locally, not from GPO names. Run auditpol /get /category:* and confirm the required subcategories show Success and Failure, that "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, and that no higher-precedence GPO overrides yours. If you manage the settings with the DefenderForIdentity module, run Test-MDIConfiguration -Mode Domain -Configuration All; it expects a GPO named Microsoft Defender for Identity - Advanced Audit Policy for DCs and reports which settings are missing. Apply the fix, run gpupdate /force, and give the sensor time to re-evaluate before expecting the health issue to clear.
Can you use your own naming convention for audit GPOs?
Yes, as far as the sensor is concerned: it evaluates the effective audit policy on the domain controller and does not read GPO names. The DefenderForIdentity PowerShell module is the exception. Set-MDIConfiguration creates, and Test-MDIConfiguration checks, GPOs with fixed names such as:
Microsoft Defender for Identity - Advanced Audit Policy for DCs
If you rely on those cmdlets, keep the module's names so they can find and validate the GPOs.
How do you confirm audit events are being collected?
Open Event Viewer on a domain controller, go to Windows Logs, then Security, and filter for event IDs such as 4662, 4728 or 4776. Seeing them confirms the corresponding subcategories are active. To see the effective settings themselves, run auditpol /get /category:* from an elevated Command Prompt.
What PowerShell command checks if your configuration is correct?
Use this command to test your setup:
Test-MDIConfiguration -Mode Domain -Configuration All
It returns True when the domain configuration matches what Defender for Identity expects, and False otherwise.
Do you need to restart domain controllers after changing audit policies?
Usually no. Audit policy and the NTLM settings take effect after gpupdate /force or the next Group Policy refresh. If a change does not show up in auditpol, look for a higher-precedence GPO overriding it, a replication delay, or a stale or read-only audit.csv.