Defender for IoT sensor access
The Microsoft Defender for IoT | OT Sensor is a virtual or physical appliance connected to the OT network via a SPAN port or TAP device to collect information about devices, network communication, vulnerabilities and alerts.
The OT sensor has a local web interface for configuration, whether it is deployed air-gapped or cloud-connected. If the sensor is connected to the (Azure) cloud, the most used settings can also be configured in the Microsoft Defender for IoT portal in Azure (e.g. VLAN, subnet, NTP, Active Directory).
Access to the local web interface of the OT sensor can be configured via different access and authentication methods, each with their own pros and cons.
Stand-alone
Stand-alone access and authentication is the default method: a username (admin, cyber, cyberx or custom) and a (complex) password on the web portal [HTTPS].
By default the deployment is air-gapped, meaning the portal is only accessible from the (on-premises) OT network via the sensor's network interface.
Active Directory
Stand-alone access and Active Directory authentication provides centralized and ‘secured’ access via the OT Active Directory (security boundary).
At least one local account needs to exist on the sensor for local access.
Configure the following settings:
- Domain Controller FQDN (or IP-address if the sensor DNS cannot resolve the FQDN)
- Domain Controller port [389 LDAP | 636 LDAPS]
- Primary Domain
- Active Directory groups (lowercase only)
Use the plain username to log on, without the NetBIOS prefix or domain suffix.
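The Active Directory settings above are easy to get subtly wrong (an unresolvable domain controller name, plain LDAP on 389 instead of LDAPS, mixed-case group names, a NetBIOS-prefixed logon name). The following added example is not Microsoft's code or tooling; it is a small pre-flight validator that checks a configuration against the rules listed above and normalizes logon names. The field names of `ADConfig` are assumptions that mirror the settings in the text, and all values used are constructed.

```python
"""Validate an OT sensor Active Directory configuration and normalize logon names.

Added example (not Microsoft's code or tooling). ADConfig field names are
assumptions mirroring the settings listed in the text; values are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

LDAP_PORT, LDAPS_PORT = 389, 636

# Hostname with at least one dot and an alphabetic TLD (labels 1-63 chars, no leading/trailing '-').
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


@dataclass
class ADConfig:
    domain_controller: str  # FQDN, or IP address only if the sensor DNS cannot resolve the FQDN
    port: int               # 389 (LDAP) or 636 (LDAPS)
    primary_domain: str
    groups: list            # Active Directory groups, lowercase only


def validate_ad_config(cfg):
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []

    # Domain controller: FQDN preferred, IP address accepted only as the documented DNS fallback.
    try:
        ipaddress.ip_address(cfg.domain_controller)
        findings.append(
            "INFO: domain controller given as IP address; acceptable only if the sensor DNS cannot resolve the FQDN"
        )
    except ValueError:
        if not FQDN_RE.match(cfg.domain_controller):
            findings.append(
                f"ERROR: '{cfg.domain_controller}' is neither a valid FQDN nor an IP address"
            )

    # Port: only the two documented values; a plain LDAP bind carries the password without TLS.
    if cfg.port == LDAP_PORT:
        findings.append("WARN: port 389 (LDAP) sends the bind credentials without TLS; prefer 636 (LDAPS)")
    elif cfg.port != LDAPS_PORT:
        findings.append(f"ERROR: port {cfg.port} is not 389 (LDAP) or 636 (LDAPS)")

    if not cfg.primary_domain:
        findings.append("ERROR: primary domain is empty")

    # Group names are matched lowercase only.
    for group in cfg.groups:
        if group != group.lower():
            findings.append(f"ERROR: group '{group}' is not lowercase (use '{group.lower()}')")

    return findings


def normalize_logon_name(name):
    """Strip a NetBIOS prefix (DOMAIN\\user) or a UPN suffix (user@domain) from a logon name."""
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


if __name__ == "__main__":
    # Constructed sample configuration with several of the mistakes above.
    sample = ADConfig("dc01", LDAP_PORT, "ot.example.local", ["OT-Sensor-Admins"])
    for finding in validate_ad_config(sample):
        print(finding)
    print(normalize_logon_name("OTDOMAIN\\jdoe"), normalize_logon_name("jdoe@ot.example.local"))
```

Run it against your intended settings before entering them in the sensor; anything tagged ERROR will fail at logon time, and the WARN on port 389 is worth acting on because the sensor then sends the bind password in cleartext across the OT network.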
Entra ID | SSO
Entra ID access and authentication, SSO (Single Sign-On) from an Entra ID joined device, provides seamless (Entra ID device) access to the on-premises portal, protected via the Entra ID | Conditional Access framework.
Configure the following settings:
- Entra ID | App Registration
- Redirect URI <>
- Grant admin consent for <Directory Name>
Requires a public IP address or hostname and inbound port forwarding to the sensor on port 443 [HTTPS].
Outbound access can be restricted to the following destinations:
- iothub-prodweu-ad4iot.azure-devices.net
- eventhubprodweueiotNameSpace.servicebus.windows.net
- storprodweunotif.blob.core.windows.net
- storprodweusenasts.blob.core.windows.net
- westeurope.iot.security.azure.com
- pipe.skype.com
- api.mdiot.microsoft.com
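Once outbound access is restricted to the destinations above, the useful check is whether the sensor actually talks to anything else. The following added example is not Microsoft's code; it takes the hostnames from the list above as an allowlist and audits constructed firewall/proxy log lines, reporting every destination that is not on the list. The log line format (`<timestamp> src=<ip> dst=<host>:<port> action=<allow|deny>`) and the sample lines are constructed for the example.

```python
"""Audit OT sensor egress against the documented cloud endpoint allowlist.

Added example (not Microsoft's code). The allowlist is the set of hostnames
the text lists for a cloud-connected sensor; the log format and the sample
log lines are constructed.
"""
import re
from collections import Counter

# Destinations named in the text (West Europe region endpoints).
ALLOWED_EGRESS = {
    "iothub-prodweu-ad4iot.azure-devices.net",
    "eventhubprodweueiotNameSpace.servicebus.windows.net",
    "storprodweunotif.blob.core.windows.net",
    "storprodweusenasts.blob.core.windows.net",
    "westeurope.iot.security.azure.com",
    "pipe.skype.com",
    "api.mdiot.microsoft.com",
}

# Constructed log format: "<ts> src=<ip> dst=<host>:<port> action=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+) action=(?P<action>\w+)$"
)

# Constructed sample: sensor at 10.10.20.5 with two destinations that are not on the list.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.10.20.5 dst=iothub-prodweu-ad4iot.azure-devices.net:443 action=allow
2024-05-01T10:00:02Z src=10.10.20.5 dst=api.mdiot.microsoft.com:443 action=allow
2024-05-01T10:00:03Z src=10.10.20.5 dst=updates.example-vendor.com:443 action=allow
2024-05-01T10:00:04Z src=10.10.20.5 dst=PIPE.SKYPE.COM:443 action=allow
2024-05-01T10:00:05Z src=10.10.20.5 dst=198.51.100.23:8443 action=allow
this line is not in the expected format
"""


def audit_egress(lines, allowed=ALLOWED_EGRESS):
    """Classify log lines into allowed hits, unexpected destinations and unparsed lines.

    Returns a dict with:
      allowed:    Counter of allowlisted hosts seen
      unexpected: list of (ts, src, host, port, action) for hosts not on the allowlist
      unparsed:   list of lines that did not match LOG_RE
    """
    allowed_lower = {h.lower() for h in allowed}  # DNS names are case-insensitive
    result = {"allowed": Counter(), "unexpected": [], "unparsed": []}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            result["unparsed"].append(line)
            continue
        host = m["host"].lower()
        if host in allowed_lower:
            result["allowed"][host] += 1
        else:
            result["unexpected"].append(
                (m["ts"], m["src"], host, int(m["port"]), m["action"])
            )
    return result


def unexpected_hosts(lines, allowed=ALLOWED_EGRESS):
    """Convenience wrapper: the distinct set of non-allowlisted destination hosts."""
    return {entry[2] for entry in audit_egress(lines, allowed)["unexpected"]}


if __name__ == "__main__":
    report = audit_egress(SAMPLE_LOG.splitlines())
    for ts, src, host, port, action in report["unexpected"]:
        print(f"UNEXPECTED {ts} {src} -> {host}:{port} ({action})")
    print("allowed hits:", dict(report["allowed"]))
    print("unparsed lines:", len(report["unparsed"]))
```

Feed it the egress log of the firewall in front of the sensor; an `action=allow` to a destination outside the list means the restriction is not actually in place, and an `action=deny` to one of the listed hosts means the sensor's cloud connection is being broken by the rule set.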
Entra | Application Proxy
Microsoft Entra Application Proxy leverages Entra ID authentication and Conditional Access policies to secure access to on-premises web services on port 80/443 [HTTP(S)] without requiring a public IP-address and inbound port forwarding.
A public certificate for the OT sensor is required for Application Proxy; all other options above can use the self-signed certificate.
Configure the following settings:
- Download and deploy the Entra Private Network Connector on a Windows Server (2012 R2 or above) that has network access to the on-premises application.
- Create an Enterprise Application > Add an on-premises application
- <AppName>
- Internal URL (https://<OT sensor name>, the name included in the public certificate)
- External URL https://<AppName>-<tenant>.msappproxy.net/
Summary
The table below provides an overview of the pros and cons of the different authentication models for accessing the OT sensor.