Active Directory Service Accounts Inventory & Service Account Page in Defender XDR


Microsoft has introduced a new feature in Defender XDR that provides an inventory of Active Directory Service Accounts, including detailed information about each account and a dedicated page for gMSA (Group Managed Service Accounts). This feature is particularly useful for organizations that have deployed Defender for Identity.

You Should Know:

To use this feature, make sure the prerequisite below is met; the commands that follow verify the deployment and manage the accounts that the inventory shows.

1. Prerequisite:

  • Deploy Microsoft Defender for Identity in your environment.

2. Commands to Verify Deployment:

  • Check that a sensor host can reach the Defender for Identity cloud service (cmdlet from the DefenderForIdentity PowerShell module):
    Test-MDISensorApiConnection
    
  • Verify that the Directory Service Account (DSA) the sensors use is configured correctly (replace the placeholder with your DSA's account name):
    Test-MDIDSA -Identity "<DSA account name>"
    

3. Accessing the Service Accounts Inventory:

  • Navigate to the Defender XDR portal and access the new Service Accounts Inventory page.
  • Use PowerShell to list service accounts:
    Get-ADServiceAccount -Filter *
    

4. Managing gMSA Accounts:

  • Create a new gMSA account (a KDS root key must exist in the forest first, created with Add-KdsRootKey; note that allowing "Domain Computers" lets every domain-joined machine retrieve the password, so a dedicated group of the hosts that run the service is the tighter choice):
    New-ADServiceAccount -Name "gMSA_Account" -DNSHostName "gmsa.domain.com" -PrincipalsAllowedToRetrieveManagedPassword "Domain Computers"
    
  • Read the managed-password attribute of a gMSA (only a principal listed in PrincipalsAllowedToRetrieveManagedPassword can read it, and the value is the raw msDS-ManagedPassword blob, not a plaintext string):
    Get-ADServiceAccount -Identity "gMSA_Account" -Properties ManagedPassword
    

5. Monitoring and Auditing:

  • Review service account activity in the Defender XDR portal: the service account page, and Advanced Hunting over the Defender for Identity tables, are where this data is surfaced; the DefenderForIdentity PowerShell module does not expose activity queries.
  • Alerts on unusual service account behaviour come from Defender for Identity's built-in detections and from custom detection rules defined in the portal, not from a PowerShell cmdlet.

What Undercode Say:

The introduction of the Service Accounts Inventory in Defender XDR is a significant enhancement for organizations managing Active Directory environments. It simplifies the tracking and management of service accounts, particularly gMSA accounts, which are crucial for secure service operations. By combining the PowerShell commands above with Defender XDR's monitoring capabilities, administrators can keep service accounts under control and demonstrate compliance. For more detailed information, refer to the official Microsoft Defender XDR documentation.

Additional Commands:

  • To list all service accounts in Active Directory:
    Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName
    
  • To check the last logon time of a service account:
    Get-ADUser -Identity "ServiceAccountName" -Properties LastLogonDate
    
  • To disable a compromised service account:
    Disable-ADAccount -Identity "ServiceAccountName"
    
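As an added example that is not part of the post, the following PowerShell script pulls the same objects that the commands in sections 3 and 4 and the Additional Commands list query one at a time, and flags the conditions a reviewer of the Defender XDR inventory would want to cross-check locally: gMSAs whose managed password is retrievable by a broad group (as the New-ADServiceAccount example above grants to Domain Computers), accounts with no recent logon, and SPN-bearing user accounts with non-expiring passwords. The 90-day threshold and the list of "broad" groups are assumptions.

```powershell
# Added example (not from the post): build a service-account inventory with the
# ActiveDirectory module and flag conditions the post's commands check one by one.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$staleDays   = 90                                # assumed threshold for "no recent logon"
$cutoff      = (Get-Date).AddDays(-$staleDays)
$broadGroups = @('Domain Computers', 'Domain Users', 'Authenticated Users')  # assumed list
$findings    = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Account, $Type, $Issue) {
    $findings.Add([pscustomobject]@{ Account = $Account; Type = $Type; Issue = $Issue })
}

# 1. gMSA / sMSA objects: who may retrieve the managed password, and are they still used?
$msas = Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword, LastLogonDate
foreach ($msa in $msas) {
    # The attribute holds distinguished names; resolve each to its object name.
    $allowed = @($msa.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { (Get-ADObject -Identity $_).Name })
    $broad = $allowed | Where-Object { $_ -in $broadGroups }
    if ($broad) {
        Add-Finding $msa.SamAccountName 'gMSA' "Managed password retrievable by $($broad -join ', ')"
    }
    if ($msa.LastLogonDate -and $msa.LastLogonDate -lt $cutoff) {
        Add-Finding $msa.SamAccountName 'gMSA' "No logon since $($msa.LastLogonDate.ToString('yyyy-MM-dd'))"
    }
}

# 2. Classic service accounts: user objects that carry an SPN.
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, LastLogonDate, PasswordNeverExpires, PasswordLastSet
foreach ($u in $spnUsers) {
    if ($u.PasswordNeverExpires) {
        Add-Finding $u.SamAccountName 'User+SPN' "Password never expires (last set $($u.PasswordLastSet))"
    }
    if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt $cutoff) {
        Add-Finding $u.SamAccountName 'User+SPN' "Enabled but no logon since $($u.LastLogonDate.ToString('yyyy-MM-dd'))"
    }
}

# Print the findings; pipe to Export-Csv to keep a record beside the Defender XDR inventory.
$findings | Sort-Object Account, Issue | Format-Table -AutoSize
```

Run it as a domain user with read access; accounts it flags are the ones to compare against the Defender XDR service account page before disabling or re-scoping anything.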

This feature is a game-changer for IT security professionals, providing enhanced visibility and control over service accounts, which are often targeted in cyber attacks.

References:

Reported By: Thomasvrhydn Look – Hackers Feeds