Defender for Identity PowerShell module update

by info.odysseyx@gmail.com, August 21, 2024

Hello everyone! We are excited to announce an update to the PowerShell module released for Microsoft Defender for Identity earlier this year. These improvements are designed to add new features and address some of the feedback you've provided in the comments. As always, we really appreciate your feedback and participation in this module! Now let's take a closer look at what's in this new release and why.

New MDI Service Account cmdlets:

The service account is used for remote Security Account Manager (SAM) access and is provisioned to the portal for Defender for Identity Active Directory operations. This account is also used to access the Deleted Objects container in Active Directory, query remote forests if configured, and is required for some Active Directory Federation Services and Certificate Services configurations.

To create a new GMSA, use the following syntax, where you define the service account name and password retrieval group. This new group and the domain controller group are added to the PrincipalsAllowedToRetrieveManagedPassword attribute of the GMSA.

    New-MDIDSA -Identity my-mdisvc -GmsaGroupName my-mdiGMSAgroup

To create a standard account, use the ForceStandardAccount switch.

    New-MDIDSA -Identity my-mdisvc -ForceStandardAccount

New automatic PDCe detection and usage:

To further streamline required updates and make Group Policy Object (GPO) creation easier, we have added a new Primary Domain Controller Emulator (PDCe) role detection feature. This feature requires no intervention, and most Active Directory operations automatically target the PDCe, improving the reliability of Group Policy Object creation and account creation. This is primarily to ensure reliability, avoiding cases where changes are not detected due to Active Directory replication delays.

Manual domain controller targeting:

In case detection of the PDC fails or you want full control like me, I added a Server parameter to the Get/Set/Test MDIConfiguration cmdlets. This parameter allows you to specify the domain controller to use for all Active Directory cmdlets.

    Get-MDIConfiguration -Mode Domain -Configuration All -Server test-cdc1

This is optional, and using the automatic PDCe detection feature will give you the best results.

Improved user experience:

The GPOPrefix parameter is now applied dynamically to the Get/Set/Test MDIConfiguration cmdlets and only appears when you specify the Domain option for the Mode parameter. There is no change in behavior, but parameter autocompletion is a bit cleaner.

The strings file has been updated for accuracy, and support for Danish has been added. Please let me know if there are any inaccuracies! I believe words matter, so I try to be accurate.

Portal communication checks now use basic parsing. There is no change in functionality, but everything should run a bit more smoothly.

There are also some changes and updates to the GPO content settings. These changes go along with the Server parameter targeting a unique domain controller for writing, and should address some issues we were seeing with empty GPOs.

For more information about this module, see: PowerShell Gallery and Reference Documents.

That's it for this release! Thanks for your continued use and feedback, and let me know if there's anything you'd like to see changed first. We're currently working on the next version and looking forward to its release.
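
The gMSA creation and Server targeting described in this post can be checked after the fact. The script below is an added example, not code from the module or its authors: it pins every query to the PDCe, lists who may retrieve the gMSA password, flags anything beyond the two groups the post says New-MDIDSA adds, and then validates the domain configuration against the same domain controller. The account and group names are assumptions reused from the post's commands, and the gMSA is assumed to exist already.

```powershell
#Requires -Modules ActiveDirectory, DefenderForIdentity

# Assumed names, reused from the commands in the post; change them for your environment.
$dsaName   = 'my-mdisvc'
$gmsaGroup = 'my-mdiGMSAgroup'

# Resolve the PDC emulator once and pin every query to it, so the results
# do not depend on replication having reached some other domain controller.
$domain = Get-ADDomain
$pdce   = $domain.PDCEmulator

# Principals the post says New-MDIDSA puts on the gMSA: the retrieval group
# and the domain controllers group (well-known RID 516, independent of its display name).
$expectedSids = @(
    (Get-ADGroup -Identity $gmsaGroup -Server $pdce).SID.Value
    "$($domain.DomainSID.Value)-516"
)

$gmsa = Get-ADServiceAccount -Identity $dsaName -Server $pdce `
    -Properties PrincipalsAllowedToRetrieveManagedPassword

# Resolve each allowed principal and mark whether it belongs to the expected set.
$report = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $dn -Server $pdce -Properties objectSid
    [pscustomobject]@{
        Name     = $obj.Name
        Class    = $obj.ObjectClass
        Expected = $expectedSids -contains $obj.objectSid.Value
    }
}
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Expected }) {
    Write-Warning "Unexpected principals can retrieve the password of $dsaName."
}

# Validate the domain configuration against the same DC; on failure, show the details.
if (-not (Test-MDIConfiguration -Mode Domain -Configuration All -Server $pdce)) {
    Get-MDIConfiguration -Mode Domain -Configuration All -Server $pdce | Format-List
}
```

The script only reads from Active Directory, so it can be run repeatedly as a periodic least-privilege check on the service account.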