Exam MS-500 topic 2 question 14 discussion

https://learn.microsoft.com/en-us/defender-for-identity/configure-port-mirroring

To monitor the domain using Microsoft Defender for Identity after installing the standalone sensor on Server1, you should: B. Install the Microsoft Monitoring Agent on DC1. Microsoft Defender for Identity requires the Microsoft Monitoring Agent to be installed on the domain controllers (DCs) in order to collect security-related events and data from the Active Directory environment. In this scenario, since Server1 is a member server, installing the Microsoft Monitoring Agent on Server1 (option C) would not fulfill the requirement of monitoring the domain. Configuring port mirroring for Server1 (option A) or configuring port mirroring for DC1 (option D) would not be the appropriate steps for monitoring the domain using Microsoft Defender for Identity. Port mirroring is typically used to capture network traffic and send it to a monitoring or security appliance for analysis, but it is not directly related to Microsoft Defender for Identity functionality. Therefore, the correct action to monitor the domain using Microsoft Defender for Identity after installing the standalone sensor on Server1 is to install the Microsoft Monitoring Agent on DC1 (option B)

D is correct. Taken from: https://learn.microsoft.com/en-us/defender-for-identity/prerequisites "The Defender for Identity standalone sensor is installed on a dedicated server and requires port mirroring to be configured on the domain controller to receive network traffic."

It's tricky though, because Microsoft recommends deploying the "Defender for Identity" sensor on DC's "For full coverage of your environment, we recommend deploying the Defender for Identity sensor." This is from the note at the reference link... Answer is D though, since question specifies the Standalone sensor...

D is correct!