How to configure Entra ID for the MDI monitoring and alerting?

Hi EnterpriseArchitect,

The article Connect Azure Active Directory to Microsoft Sentinel is specific to SIEM integration for log ingestion into Sentinel. For MDI, you do not need Sentinel unless you want to forward alerts to a SIEM. MDI natively integrates with Microsoft Defender XDR and Entra ID Protection for identity threat detection.

Below are some guidance steps and documentation on Entra ID for MDI Monitoring

1. Install MDI Sensors
   • Sensors should be installed on all AD Domain Controllers, AD FS, AD CS, and Microsoft Entra Connect servers.
   • You already have sensors installed under C:\Program Files\Azure Advanced Threat Protection Sensor\..., which is correct.
   • Reference: Configure sensors for AD FS, AD CS, and Microsoft Entra Connect [Configure...soft Learn | v4.hkg1.meaqua.org]
2. Enable Event Collection
   • MDI relies on Windows Event Logs and network traffic from domain controllers.
   • For Entra Connect servers, ensure auditing is configured for required events (e.g., 4624 logon events).
   • Reference: Event collection overview [v4.hkg1.meaqua.org]
3. Integrate with Entra ID Protection
   • Enable Microsoft Entra ID Protection in your tenant for risk-based detections.
   • Configure risk policies and Conditional Access to respond to suspicious sign-ins.
   • Reference: Secure your Microsoft Entra identity infrastructure [Secure you...soft Learn | v4.hkg1.meaqua.org]
4. Monitor and Alert
   • Use the Microsoft Defender portal for unified incidents and alerts across identities, endpoints, and cloud apps.
   • MDI alerts appear in the Defender portal and can be correlated with Entra ID signals.
   • Reference: Microsoft Defender for Identity in the Microsoft Defender portal

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.