MDI Access Key Generation

By | March 17, 2025

If you’ve ever had to deploy a new Microsoft Defender for Identity (MDI) Sensor on a Domain Controller, you’ll know that one of the required components is the Access Key that is used during installation. The Access Key is effectively a one-time password for use when deploying the sensor, after which communication is performed using certificates for authentication and TLS encryption. Something that gave me pause before deploying a new sensor recently was the wording in the portal.

“Regenerating the key will invalidate the existing key and installations using the previous key will fail.”

To me, the sentence above is ambiguous. It could be saying that existing installations using the previous key will just stop working! That would be really bad in an environment with lots of Domain Controllers.

Of course, what it really should say is, “Regenerating the key will invalidate the existing key and new installations using the previous key will fail.” In other words, it’s completely safe to regenerate the access key without impacting existing sensor deployments. This is corroborated by Microsoft’s own online documentation:

It is recommended to regenerate the access key using the Regenerate key button on a regular basis. It won’t affect any previously deployed sensors, because it’s only used for initial registration of the sensor.

Source: https://learn.microsoft.com/en-us/defender-for-identity/deploy/download-sensor

The importance of regenerating the access key after each deployment can’t be overstated given that there are known vulnerabilities, as described here:
https://thalpius.com/2024/07/18/microsoft-defender-for-identity-access-key-vulnerability/
