After installing the Defender for Identity sensor onto an AD FS server, you may find that the sensor service never enters the running state.
In the Microsoft Defender for Identity portal the sensor is reported as “Not Configured”.
Lab Starting Reference Point
Since the AD FS sensor is new (January 2021), you initially installed sensors onto all of your AD domain controllers.
The below shows that all of the sensors installed on the DCs are healthy and running.
Installing Sensor Onto First AD FS Server
Then we install the sensor onto the first AD FS server. The install completes with no issues, as all of the prerequisites were met (they were done in a prior change window to enable AD FS auditing).
Once the AD FS sensor contacts Defender for Identity, the picture is less rosy. Note that the status is stuck at “starting” and the sensor is marked as “Not Configured”.
What the AD FS Server Saw
Locally on the AD FS server, the Azure Advanced Threat Protection Sensor service is stuck in a Starting state.
Eventually the service terminates.
In the Windows System event log you will see that the service fails to start and is being restarted continuously. Each termination is recorded by Service Control Manager as the generic Event ID 7031 (“The … service terminated unexpectedly”), followed by the restart action SCM takes.
Even after rebooting the server, the service fails to start.
Defender For Identity Error Log
Look in the sensor’s local log file on the AD FS server, under:
%programfiles%\Azure Advanced Threat Protection Sensor\<version>\Logs\
The following is logged multiple times:
2021-02-09 00:39:47.6405 Error Enumerable System.InvalidOperationException: Sequence contains no elements
at TSource System.Linq.Enumerable.First<TSource>(IEnumerable<TSource> source)
at void Microsoft.Tri.Sensor.DomainNetworkCredentialsManager.UpdateConfigurations(ConfigurationCollection configurations)
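The three local checks above (service state, SCM Event ID 7031, the sensor log) can be run together from an elevated PowerShell prompt on the AD FS server. The script below is an added example and is not part of the original post or of Microsoft’s tooling. It assumes the sensor’s default install path and the service display name shown above; the log-file glob (*.log) and the 24-hour event window are assumptions.

```powershell
# Added triage script (not from the original post). Assumes the default
# install path and the service display name seen in services.msc; the
# '*.log' filter and the 24-hour window are assumptions.
$displayName = 'Azure Advanced Threat Protection Sensor'
$installRoot = Join-Path $env:ProgramFiles 'Azure Advanced Threat Protection Sensor'

# 1. Service state. A healthy sensor is Running; the symptom described in the
#    post is StartPending that eventually drops back to Stopped.
$svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$displayName' is not installed on this host."
    return
}
"{0}: {1}" -f $svc.Name, $svc.Status

# 2. Crash-loop evidence from Service Control Manager. Event ID 7031 records
#    an unexpected termination plus the restart action SCM will take.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$displayName*" } |
    Select-Object -First 5 -Property TimeCreated, Id,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 3. Sensor log. Each sensor version keeps its own <version>\Logs folder, so
#    walk all of them and pull the lines that match the exception in the post.
Get-ChildItem -Path $installRoot -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'Logs' } |
    Where-Object { Test-Path $_ } |
    ForEach-Object {
        Get-ChildItem -Path $_ -Filter '*.log' -File |
            Select-String -Pattern 'Sequence contains no elements',
                                   'DomainNetworkCredentialsManager.UpdateConfigurations' |
            Select-Object -Last 10 |
            ForEach-Object { "{0}:{1}: {2}" -f $_.Filename, $_.LineNumber, $_.Line.Trim() }
    }
```

If step 1 shows StartPending or Stopped, step 2 shows repeating 7031 events for the sensor, and step 3 returns the InvalidOperationException lines, the problem is not local to the server: the sensor is rejecting the configuration it receives from the portal, which is where the fix described below is made.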
The “contains no elements” error is cryptic, but the stack trace explains it: .NET’s Enumerable.First() throws InvalidOperationException when the sequence it is handed is empty, and here it is being called from DomainNetworkCredentialsManager.UpdateConfigurations, i.e. while the sensor processes the list of domain controllers it has been given. The answer is actually in the second image in this post.
In the copy of that image below a couple of sections have been highlighted. Of note, the Domain Controller element is empty. It has no elements.
If we click on the AD FS server’s entry, the below window pops up. This allows us to configure the DCs.
We add the relevant DCs to the configuration, then click save.
After a couple of minutes the sensor picks up the updated configuration, the service starts, and the sensor is reported as healthy in the portal.
Now you can install sensors onto the other AD FS servers and get the job done!