This article is updated frequently to let you know what's new in the latest releases of Microsoft Defender for Identity.
What's new scope and references
Defender for Identity releases are deployed gradually across customer tenants. If there's a feature documented here that you don't see yet in your tenant, check back later for the update.
For more information, see also:
- What's new in Microsoft Defender XDR
- What's new in Microsoft Defender for Endpoint
- What's new in Microsoft Defender for Cloud Apps
For updates about versions and features released six months ago or earlier, see the What's new archive for Microsoft Defender for Identity.
March 2026
Continued rollout of new health alert: Sensor v3.x RPC Audit Misconfigured
The Sensor v3.x RPC Audit Misconfigured health alert is continuing to be rolled out gradually to customers. The new health alert helps identify v3.x sensors where Enhanced RPC auditing configuration is either missing or incorrectly applied. Enhanced RPC auditing is required for some Microsoft Defender for Identity advanced identity detections. For more information, see Configure RPC on sensors v3.x.
February 2026
Defender for Identity sensor updates
| Version number | Updates |
|---|---|
| 2.255 | This sensor update includes bug fixes. |
New Defender for Identity security alerts
These new alerts were added to the Defender for Identity security alerts:
New alerts related to Entra ID:
- Suspicious user configuration change activity from Entra ID sync application
- Anomalous OAuth device code authentication activity
- Suspicious Graph API request made from Entra ID sync application
- Suspicious sign-in observed from Entra ID sync application
- Suspicious sign in with CSRF speedbump trigger
New alerts related to Active Directory:
January 2026
New Defender for Identity security alerts
These new alerts were added to the Defender for Identity security alerts:
New alerts related to Entra ID:
- Suspicious sign-in observed from Entra ID sync application to an uncommon resource app
- Suspicious sign-in observed to Entra ID sync application using an uncommon user agent
- Possible OAuth code theft detected through consent abuse
- Possible adversary-in-the-middle (AiTM) attack detected (ConsentFix)
- Skipped MFA on remembered device from uncommon ISP sign-in
New alerts related to Active Directory:
- Pass-the-Ticket (PtT) attack (Preview)
- Possible Active Directory Certificate Services enumeration
- Possible Active Directory enumeration via ADWS
- Suspicious NTLM authentication
- Possible Kerberoasting attack using a stealthy LDAP search
- Suspicious Kerberos authentication (TGT request using TGS-REQ)
Identity inventory enhancements are now generally available
- Accounts tab in Identity Inventory: The new **Accounts** tab provides a consolidated view of all accounts associated with an identity, including accounts from Active Directory, Microsoft Entra ID, and supported non-Microsoft identity providers. For more information, see Manage related identities and accounts.
- Manually link and unlink accounts: Manually link or unlink accounts from an identity directly in the **Accounts** tab. This capability helps you correlate identity components from different directory sources and provides a complete identity context during investigations. For more information, see Manage related identities and accounts.
- Identity-level remediation actions: You can now perform remediation actions such as disabling accounts or resetting passwords on one or more accounts linked to an identity. For more information, see Remediation actions.
- New advanced hunting table: Advanced hunting in Microsoft Defender now includes the **IdentityAccountInfo** table. This table provides account information from various sources, including Microsoft Entra ID, and links to the identity that owns the account.
New security posture assessments
- Remove stale Active Directory accounts (Preview) lists any user accounts in Active Directory that are stale, meaning they haven't logged in at all during the past 90 days.
- Microsoft Entra ID privileged user accounts that are also privileged in Active Directory (Preview) lists Microsoft Entra ID privileged user accounts that also have privileged roles in Active Directory.
New Health Alert: Sensor v3.x RPC Audit Misconfigured
Enhanced RPC auditing is required for some Microsoft Defender for Identity advanced identity detections. A new health alert helps identify v3.x sensors where this configuration is either missing or incorrectly applied. The alert is being rolled out gradually to customers. For more information, see Configure RPC on sensors v3.x.
Automatic Windows event auditing configuration for Defender for Identity sensors v3.x (Preview)
We’re gradually rolling out automatic Windows event-auditing configuration for sensors v3.x, along with related health alerts. Automatic Windows event-auditing streamlines deployment by automatically applying the required auditing settings to new sensors and correcting misconfigurations on existing ones. This update might identify existing auditing configuration gaps that weren't previously detected. To ensure consistent protection, we recommend that you make sure all servers with the v3 sensors are configured with:
- The latest Windows cumulative update
- Automatic Windows event auditing enabled
For more information, see Configure automatic Windows auditing.
Sensor updates
| Version number | Updates |
|---|---|
| 2.254 | The sensor now supports a new DNS zone target for *.atp.gcc.azure.com. Make sure your sensors in GCC can access this zone with your sensor DNS prefix. |
New security posture assessment: Identify service accounts in privileged groups
This identity security posture assessment lists Active Directory service accounts with direct or nested membership in privileged groups.
You can use this assessment to identify service accounts with elevated permissions and take action when privileged access isn’t required.
For more information, see: Security posture assessment: Identify service accounts in privileged groups
New security posture assessment: Locate accounts in built-in Operator Groups
This identity security posture assessment lists Active Directory accounts that are members of built-in Operator Groups, including direct and indirect membership.
You can use this assessment to review legacy or unnecessary operator access and take action when elevated access isn’t required.
For more information, see: Security posture assessment: Locate accounts in built-in Operator Groups
December 2025
New properties for 'sensorCandidate' resource type in Graph-API (preview)
| Property | Type | Description |
|---|---|---|
| domainName | String | The domain name of the sensor. |
| senseClientVersion | String | The version of the Defender for Identity sensor client. |
This capability is currently in preview and available in API preview version. Learn more here
ADWS LDAP search in Advanced Hunting
New ADWS LDAP search activity is now available in the 'IdentityQueryEvents' table in Advanced Hunting. This provides visibility into directory queries performed through ADWS, helping customers track these operations and create custom detections based on this data.
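As an added example (not from this page or from Microsoft), the following advanced hunting query uses the 'IdentityQueryEvents' table to surface hosts that issue an unusually high number of distinct LDAP queries within a short window, which is the kind of custom detection the new ADWS visibility makes possible. The column names are those of the IdentityQueryEvents schema and the "LDAP query" action type is documented; the `Protocol` value used to isolate ADWS traffic, the thresholds, and the lookback window are assumptions and should be checked against what your tenant actually reports before the query is saved as a detection rule.

```kql
// Added hunting example: bulk directory enumeration over ADWS.
// Groups LDAP queries per source host in 10-minute bins and flags hosts
// that issue more than `threshold` distinct queries in one bin.
let lookback  = 1d;      // assumption: tune to your retention and noise level
let window    = 10m;     // assumption: bin size for the burst check
let threshold = 50;      // assumption: distinct queries per bin before alerting
IdentityQueryEvents
| where Timestamp > ago(lookback)
| where ActionType == "LDAP query"
// ASSUMPTION: the protocol label for ADWS queries. Run
//   IdentityQueryEvents | distinct Protocol
// first and substitute the value your tenant reports.
| where Protocol =~ "Adws"
| summarize
    DistinctQueries  = dcount(Query),
    SampleQueries    = make_set(Query, 5),          // up to five example filters
    QueryingAccounts = make_set(AccountUpn, 5),     // accounts seen from this host
    FirstSeen        = min(Timestamp),
    LastSeen         = max(Timestamp),
    ReportId         = max(ReportId)                // kept so the result can back a detection rule
  by DeviceName, IPAddress, Timestamp = bin(Timestamp, window)
| where DistinctQueries > threshold
| order by DistinctQueries desc
```

The query keeps `Timestamp`, `ReportId` and `DeviceName` in its output because custom detection rules require a timestamp, a report ID and an entity column to be present; review the `SampleQueries` set for legitimate inventory or monitoring tools and exclude their hosts before turning the query into a rule.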
| Version number | Updates |
|---|---|
| 2.253 | Includes bug fixes and stability improvements for the Microsoft Defender for Identity sensor. |
| 2.252 | Includes bug fixes and stability improvements for the Microsoft Defender for Identity sensor. |
November 2025
| Version number | Updates |
|---|---|
| 2.251 | The enhanced ADWS LDAP and legacy password-based LDAP query methods now capture a broader range of unique events at scale. As a result, you might notice an increase in recorded activity. |
Identity Inventory enhancements: Accounts tab, manual account linking and unlinking, and expanded remediation actions
The following new features are now available in Microsoft Defender for Identity:
Accounts tab in Identity Inventory:
A new Accounts tab provides a consolidated view of all accounts associated with an identity, including accounts from Active Directory, Microsoft Entra ID, and supported non-Microsoft identity providers. For more information, see: Manage related identities and accounts (Preview)
Manual link and unlink of accounts:
You can now manually link or unlink accounts from an identity directly in the Accounts tab. This capability helps you correlate identity components from different directory sources and provides a complete identity context during investigations. For more information, see: Manage related identities and accounts.
Identity-level remediation actions:
You can now perform remediation actions such as disabling accounts or resetting passwords on one or more accounts linked to an identity. For more information, see: Remediation actions.
New security posture assessment: Change password for on-premises account with potentially leaked credentials (Preview)
The new security posture assessment lists users whose valid credentials were leaked. For more information, see: Change password for on-premises account with potentially leaked credentials (Preview)
Microsoft Defender for Identity sensor version updates
| Version number | Updates |
|---|---|
| 2.250 | The improved event log query method captures a broader range of unique events at scale. As a result, you might notice an increase in captured activities. This update also includes security and performance improvements. |
Expansion of identity scoping: Support for Organizational units (Preview)
In addition to the GA release of scoping by Active Directory domains a few months ago, you can now scope by **Organizational Units (OUs)** as part of XDR user role-based access control (URBAC). This enhancement provides even more granular control over which entities and resources are included in security analysis.
For more information, see Configure scoped access for Microsoft Defender for Identity.
October 2025
We're excited to announce that the Microsoft Defender for Identity sensor v3.x is now generally available (GA). The Microsoft Defender for Identity sensor v3.x provides enhanced coverage and improved performance across your environment, and offers easier deployment and management for domain controllers.
Microsoft Defender for Identity sensor version updates
| Version number | Updates |
|---|---|
| 2.249 | The improved event log query method now captures a broader range of unique events at scale. As a result, you might notice an increase in captured activities. This update also delivers other security enhancements and performance improvements. |
September 2025
Defender for Identity alerts transitioned to the unified Defender alerting experience
As part of the ongoing transition to a unified alerting experience across Microsoft Defender products, the following alerts were converted from the Microsoft Defender for Identity classic format to the unified Defender alerting format. Keep in mind that all alerts are based on detections from Defender for Identity sensors.
| Classic Alert Title | External ID | XDR Alert Name | Detector ID |
|---|---|---|---|
| Active Directory attributes Reconnaissance using LDAP | 2210 | LDAP reconnaissance attributes in Active Directory | xdr_LdapSensitiveAttributeReconnaissance |
| User and IP address reconnaissance | 2012 | Suspicious Server Message Block (SMB) enumeration from untrusted host | xdr_SmbSessionEnumeration |
| Account enumeration reconnaissance | 2003 | Suspected account enumeration (Kerberos, NTLM, AD FS) | xdr_SuspectedAccountEnumeration |
| Suspected brute-force attack (LDAP) | 2004 | Suspected brute-force attack on Lightweight Directory Access Protocol (LDAP) authentication | xdr_LdapBindBruteforce |
| | | Suspected password spray attack on Lightweight Directory Access Protocol (LDAP) authentication | xdr_LdapBindBruteforce |
| Suspicious network connection over Encrypting File System Remote Protocol | 2416 | Suspicious network connection over Encrypting File System Remote Protocol | xdr_SuspiciousConnectionOverEFSRPC |
Additional security value in the Defender for Identity sensor v3.x
Apply the **Unified sensor RPC audit** tag to your Defender for Identity sensor v3.x in the **Asset rule management** page for enhanced protection. Learn more here.
Identity posture recommendations view on the identity page (preview)
A new tab on the Identity profile page contains all active identity-related identity security posture assessments (ISPMs). This page consolidates all identity-specific security posture assessments into a single contextual view, helping security teams quickly spot weaknesses and take targeted actions. For more information, see Investigate users in Microsoft Defender XDR.
New Regional Availability: United Arab Emirates
Defender for Identity data centers are now also deployed in the United Arab Emirates North and Central regions. For the most current list of regional deployments, see Defender for Identity data locations.
New API support for the Defender for Identity sensor v3.x (Preview)
We're excited to announce the availability of a new Graph-based API for managing the Defender for Identity sensor v3.x server actions. This capability is currently in preview and available in API Beta version.
This API allows customers to:
- Monitor the status of servers deployed with the Defender for Identity sensor v3.x.
- Enable or disable the automatic activation of eligible servers.
- Activate or deactivate the sensor on eligible servers.
For more information, see Managing the Defender for Identity sensor v3.x actions using Graph API.
Microsoft Defender for Identity sensor version updates
| Version number | Updates |
|---|---|
| 2.249 | Includes bug fixes and stability improvements for the Microsoft Defender for Identity sensor. |
Updates to multiple detections to reduce noise and improve alert accuracy
Several Defender for Identity detections are being updated to reduce noise and improve accuracy, making alerts more reliable and actionable. As the rollout continues, you might see a decrease in the number of alerts raised.
The improvements will gradually take effect across the following detections:
- Suspicious communication over DNS
- Suspected Netlogon privilege elevation attempt (CVE-2020-1472)
- Honeytoken authentication activity
- Remote code execution attempt over DNS
- Suspicious password reset by Microsoft Entra Connect account
- Data exfiltration over SMB
- Suspected skeleton key attack (encryption downgrade)
- Suspicious modification of Resource Based Constrained Delegation by a machine account
- Remote code execution attempt
Unified connectors are now available for the Okta single sign-on connector (Preview)
Microsoft Defender for Identity supports the Unified connectors experience, starting with the Okta single sign-on connector. The unified connector enables Defender for Identity to collect Okta system logs once and share them across supported Microsoft security products, reducing API usage and improving connector efficiency.
For more information, see: Connect Okta to Microsoft Defender for Identity (Preview)