Team: Huntress Managed Identity Threat Detection and Response (ITDR)
Summary: This guide covers how to scope, deploy, verify, and test your Huntress Managed Identity Threat Detection and Response (ITDR) environment. Following these steps ensures your core identity fabric is fully monitored and protected.
Before You Begin
Before starting your deployment, ensure you have the following prerequisites ready:
A complete list of all Microsoft 365 / Microsoft Entra and Google Workspace tenants in scope.
For hybrid environments, a list of all on-premises domain controllers.
Verified access to a Global Administrator account for your Microsoft tenants and a Super Admin account for Google Workspace.
Microsoft 365 / Microsoft Entra tenants require at least one Exchange Online (or greater) license.
Phase 1: Scope and Connect Your Tenants
First, identify your environment boundaries and connect your live user identities to the platform.
Log in to Huntress and go to the ITDR wizard to initiate a new connection.
For Microsoft 365 / Microsoft Entra tenants, log in with your Global Administrator credentials.
For Google Workspace tenants, authenticate using a Super Admin account.
For hybrid environments, install the Huntress Agent on all relevant domain controllers to maintain identity isolation capabilities across your on-premises infrastructure.
Phase 1 Result
Huntress is connected to the right tenants, and agents are installed on relevant domain controllers so ITDR can see the core identity fabric and maintain full identity disablement in hybrid environments.
Phase 2: Verify Your Coverage
After connecting your tenants, check that no gaps remain in your deployment fabric.
For all tenants
In the Huntress platform, navigate to your ITDR tenants page and list all active integrations.
Compare this list against your initial scoping documentation to ensure no Microsoft or Google Workspace tenants are missing.
Open a ticket with Huntress Support to resolve any identified tenant connectivity gaps.
For hybrid tenants (Microsoft only)
Verify that every hybrid identity environment has the Huntress Agent installed on at least one active domain controller.
Verify that each domain controller shows a recent check-in time in the platform.
Open a deployment ticket to resolve any domain controllers that are missing the agent or are not checking in.
Phase 2 Result
All intended Microsoft 365 / Microsoft Entra tenants and Google Workspace tenants appear as connected and healthy in Huntress.
All known domain controllers have the Huntress Agent installed and appear in the portal with a recent check-in time.
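The Phase 2 reconciliation above, as an added Python example that is not part of the Huntress documentation: it compares the scoping list against the connected tenants, then checks that every hybrid Microsoft tenant has at least one domain controller with a recent check-in. The tenant names, check-in times and the 24-hour staleness threshold are constructed sample values, not Huntress export formats or platform defaults.

```python
from datetime import datetime, timedelta

# Constructed sample data, not a Huntress export format: the scoping list from
# "Before You Begin", the tenants shown as connected on the ITDR tenants page,
# and the last check-in time of each domain controller running the Huntress Agent.
SCOPED_TENANTS = {
    "contoso.onmicrosoft.com": {"type": "microsoft", "hybrid": True},
    "fabrikam.onmicrosoft.com": {"type": "microsoft", "hybrid": False},
    "northwind.onmicrosoft.com": {"type": "microsoft", "hybrid": True},
    "example-workspace.test": {"type": "google", "hybrid": False},
}
CONNECTED_TENANTS = {
    "contoso.onmicrosoft.com",
    "northwind.onmicrosoft.com",
    "example-workspace.test",
}
DC_CHECKINS = {
    "contoso.onmicrosoft.com": {"DC01": "2024-05-01T08:00:00+00:00"},
    "northwind.onmicrosoft.com": {"DC02": "2024-04-20T08:00:00+00:00"},
}
STALE_AFTER = timedelta(hours=24)  # assumed threshold, not a Huntress value


def find_coverage_gaps(scoped, connected, dc_checkins, now, stale_after=STALE_AFTER):
    """Phase 2 reconciliation: tenants in scope but not connected, hybrid tenants
    with no domain controller that checked in recently, and every stale DC."""
    findings = {"missing_tenants": [], "no_active_dc": [], "stale_dcs": []}
    for name, meta in sorted(scoped.items()):
        if name not in connected:
            findings["missing_tenants"].append(name)
            continue  # nothing else to verify until the tenant is connected
        if not (meta["type"] == "microsoft" and meta["hybrid"]):
            continue  # domain controller checks apply to hybrid Microsoft tenants only
        fresh = 0
        for dc, last_seen in sorted(dc_checkins.get(name, {}).items()):
            if now - datetime.fromisoformat(last_seen) > stale_after:
                findings["stale_dcs"].append((name, dc))
            else:
                fresh += 1
        if fresh == 0:
            findings["no_active_dc"].append(name)
    return findings


def check_coverage(now_iso):
    """Run the reconciliation over the sample data at the given ISO 8601 time."""
    return find_coverage_gaps(SCOPED_TENANTS, CONNECTED_TENANTS, DC_CHECKINS,
                              datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for kind, items in check_coverage("2024-05-02T07:00:00+00:00").items():
        print(f"{kind}: {items or 'none'}")
```

Each non-empty finding maps to one of the tickets described above: a missing tenant is a connectivity gap for Huntress Support, and a tenant with no active domain controller is a deployment ticket.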
Phase 3: Perform a Function Check
Validate that your response automation, exclusions, and escalation policies are operating correctly.
Automated response and isolation
Identify non-isolation-tolerant identities, such as emergency break-glass or critical service accounts, that must never be automatically disabled.
In the platform, add exclusions for those specific identities or organizations only.
For all other identities or organizations, Identity Isolation should remain enabled (recommended).
Test with a non-critical user
Choose a low-risk test identity, such as a lab user or sandbox user account.
From the platform identities list, click the target account and use the Revoke Sessions and Disable the Account actions.
Re-enable the test account afterward to verify that you can successfully restore active user access.
Use the Simulate an Incident option to test the full isolation process with a sample incident report.
Unwanted Access and escalations
Create Unwanted Access rules and review any received ITDR escalations.
Review your baseline geofencing rules. Do not implement a global block on all virtual private networks (VPNs) or all countries during your first two weeks.
If a country is definitively unauthorized, create a targeted rule for that specific location.
When an Unexpected Country escalation triggers, click the More Actions (three dots) icon next to the user to either save an expected location rule or initiate an active incident workflow.
Phase 3 Result
Automated response and identity isolation are enabled, with clear exclusions for non-isolation-tolerant accounts.
You have tested revoke and disable on a non-critical identity and confirmed you can restore it.
You have handled at least one Unwanted Access-style escalation and know how to add expected-location or unauthorized-location rules.
Final Expectations
You have successfully deployed and validated your identity security baseline. Huntress Managed ITDR is now actively monitoring your identity fabric and protecting your environment against unapproved access patterns, and your automated isolation workflow has been verified.
Related Articles
Microsoft 365 troubleshooting
Google Workspace troubleshooting
Understanding the Differences between ITDR for Microsoft 365 and ITDR for Google Workspace
Billable Identities