MDI set up on AD FS but no logs are coming
Hi everyone,
We are currently deploying Defender for Identity all around our infrastructure. We already covered all the DCs, however we are facing some configuration issue with the sensors installed on our AD FS farm.
In a nutshell, even if it seems that the sensors have been configured correctly (no health issues in the XDR console, service running), when running the KQL query to ensure authentication logs from AD FS are coming in, we get nothing:
IdentityLogonEvents | where Protocol contains 'Adfs'
No results found in the specified time frame.
Here’s a summary of the tasks we performed:
- We installed the sensor on the two servers in our AD FS farm and verified that they check in with the cloud console
- We enabled verbose logs and granted access to the AD FS database to the gMSA user we use with MDI
- We were unable to enable audit logs on the AD FS container because for some reason we can't find it (even enabling View > Advanced features in ADUC) – maybe this is the problem?
- We specified the FQDNs of the domain controllers on the two sensors, in the cloud console
After looking at the logs (Microsoft.Tri.Sensor.log), it seems that there is some issue indeed, since for every authentication we get the following two Warning messages:
Warn EventActivityEntityResolver ResolveLogonEventAsync logonEvent detected […]
Warn EventActivityEntityResolver ResolveLogonEventAsync logonEvent failed to resolve source computer […]
We cannot see more descriptive errors in the logs.
Did anyone have this issue? How is it possible that we don’t have the ADFS container in AD?
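A prerequisite check for the items the post walks through (sensor service state, AD FS audit level, the local "Application Generated" audit subcategory, gMSA password retrieval on the node, and whether the ADFS container exists and carries any auditing entries), added here as an example and not part of the original post or of the MDI product. The gMSA name is a placeholder to replace; the container DN is the default location under Program Data that the MDI setup guidance points to.

```powershell
# Run elevated on each AD FS node. Requires the ActiveDirectory and ADFS modules.
$mdiGmsa = 'mdiSvc$'   # placeholder: sAMAccountName of the gMSA used by the MDI sensor

Import-Module ActiveDirectory
Import-Module ADFS

$results = [ordered]@{}

# 1. Is the MDI sensor service actually running on this node?
$svc = Get-Service -Name 'AATPSensor' -ErrorAction SilentlyContinue
$results['SensorServiceRunning'] = [bool]($svc -and $svc.Status -eq 'Running')

# 2. AD FS must emit verbose audit events for MDI to build logon events from them.
$results['AdfsAuditLevel'] = ((Get-AdfsProperties).AuditLevel) -join ','

# 3. The "Application Generated" subcategory must audit Success and Failure.
$auditLine = (auditpol /get /subcategory:"Application Generated") |
    Where-Object { $_ -match 'Application Generated' }
$results['ApplicationGeneratedAudit'] =
    ("$auditLine" -replace '^\s*Application Generated\s+', '').Trim()

# 4. The sensor host must be able to retrieve the gMSA password.
$results['GmsaPasswordRetrievable'] = Test-ADServiceAccount -Identity $mdiGmsa

# 5. Does the ADFS container exist, and what auditing (SACL) entries does it carry?
$domainDn = (Get-ADDomain).DistinguishedName
$adfsDn   = "CN=ADFS,CN=Microsoft,CN=Program Data,$domainDn"
try {
    $null = Get-ADObject -Identity $adfsDn -ErrorAction Stop
    $results['AdfsContainerFound'] = $true
    $sacl = (Get-Acl -Path "AD:\$adfsDn" -Audit).Audit
    $results['AdfsContainerAuditEntries'] = if ($sacl) {
        ($sacl | ForEach-Object {
            '{0}: {1} ({2})' -f $_.IdentityReference, $_.ActiveDirectoryRights, $_.AuditFlags
        }) -join '; '
    } else { '<none>' }
} catch {
    $results['AdfsContainerFound'] = $false
    $results['AdfsContainerAuditEntries'] = '<container not found>'
}

[pscustomobject]$results | Format-List
```

An empty or missing container entry in the output points at the container auditing step rather than at the sensor itself; the warnings quoted in the post are consistent with events that arrive without the data needed to resolve them.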