Defender for Identity PowerShell module update

Hi everyone! I'm excited to announce an update to the PowerShell module we released for Microsoft Defender for Identity earlier this year. These enhancements are designed to add some new functionality and address some of the feedback you provided in the comments. As always, we really appreciate your feedback and engagement with this module!

 

Now let's dive into the what and why with this new release:

 

New MDI Service Account cmdlet:

The service account will be used for remote Security Account Manager (SAM) access and is provisioned in the portal for Defender for Identity Active Directory operations. This account will also used to access the Deleted Objects container in Active Directory, used to query remote forests if configured, and needed for some of the Active Directory Federation Services and Certificate Services configurations.

To create a new GMSA use the following syntax, where you define the name of the service account and the password retrieval group.

This new group, and the Domain Controllers group are added to the PrincipalsAllowedToRetrieveManagedPassword attribute of the GMSA.

New-MDIDSA -Identity my-mdisvc -GmsaGroupName my-mdiGMSAgroup

To create a standard account use the ForceStandardAccount switch

New-MDIDSA -Identity my-mdisvc -ForceStandardAccount

 

New automatic PDCe detection and usage:

To help further streamline any necessary updates and make the creation of group policy objects (GPO) even easier we have added a new Primary Domain Controller Emulator (PDCe) role detection feature. This feature requires no intervention and means that most Active Directory operations will automatically target the PDCe, which will increase the reliability of Group Policy Object creation, as well as account creation. This is mostly for reliability purposes to ensure that detection of changes won’t fail due to Active Directory replication delays.

 

Manual Domain Controller Targeting:

If PDC detection fails, or you're like me and want   over everything, we've also added a Server parameter to the Get/Set/Test MDIConfiguration cmdlets that will allow you to specify a domain controller to be used for any Active Directory cmdlet.

Get-MDIConfiguration -Mode Domain -Configuration All -Server test-cdc1

Note that this is optional, and things work best when you use the automatic PDCe detection.

 

User experience enhancements: 

• The GPOPrefix parameter is now dynamic for the Get/Set/Test MDIConfiguration cmdlets and will only appear if you specify the Domain option for the Mode parameter. This changes nothing in terms of how it works, it just makes the parameter auto complete a little cleaner. The strings files have been updated for accuracy and we added support for Danish language. Please do report any inaccuracies to us! I am a huge believer that words matter and, because of that, I strive to be precise. The portal communication check now uses basic parsing. This should change nothing from a functionality perspective but should make things run a little smoother.
• There are also some changes and updates to GPO content setting. This change goes hand in hand with the Server parameter to target the distinct Domain Controller for writes and it should work around some of the issues we were seeing with blank GPO's.

For more information on this module check out the PowerShell Gallery and reference documentation. That's it for this release! Thank you all for your continued usage and feedback and please do let us know with any priority changes you want. We're working on the next version now and can't wait to get that out.