Not a user yet?
Log in Register for free Suggest a product
Update

Automatic Windows event auditing configuration for Defender for Identity sensors v3.x

Defender for IdentityDefender for Identity
Microsoft

November 2025

Automatic Windows event auditing configuration for Defender for Identity sensors v3.x
Defender for Identity now offers automatic Windows event-auditing configuration for Defender for Identity sensors v3.x. Automatic event auditing streamlines deployment by applying required Windows auditing settings to new sensors and fixing any misconfigurations on existing sensors. Admins can enable the option in the Defender portal or using Graph API.

Identity Inventory enhancements: Accounts tab, manual account linking and unlinking, and expanded remediation actions
The following new features are now available in Microsoft Defender for Identity:

Accounts tab in Identity Inventory
A new Accounts tab provides a consolidated view of all accounts associated with an identity, including accounts from Active Directory, Microsoft Entra ID, and supported third-party identity providers. For more information, see: Link or Unlink an Account to an Identity (Preview)

Manual link and unlink of accounts
You can now manually link or unlink accounts from an identity directly in the Accounts tab. This capability helps you correlate identity components from different directory sources and provides a complete identity context during investigations. For more information, see: Link or Unlink an Account to an Identity (Preview).

Identity-level remediation actions
You can now perform remediation actions such as disabling accounts or resetting passwords on one or more accounts linked to an identity. For more information, see: Remediation actions. Defender for Identity now offers an opt-in automatic event-auditing configuration for unified sensors (V3.x). This feature streamlines deployment by automatically applying required Windows auditing settings to new sensors and fixing misconfigurations on existing ones. Admins can enable the option in the Defender for Identity Settings -> Advanced Features or via Graph API. The capability and its related health alerts will roll out globally beginning mid-November 2025.

New security posture assessment: Change password for on-prem account with potentially leaked credentials (Preview)
The new security posture assessment lists users whose valid credentials have been leaked. For more information, see: Change password for on-prem account with potentially leaked credentials (Preview)

Microsoft Defender for Identity sensor version updates
Expansion of identity scoping: Support for Organizational units (Preview)
In addition to the GA release of scoping by Active Directory domains a few months ago, you can now scope by Organizational Units (OUs) as part of XDR User Role-Based Access Control (URBAC). This enhancement provides even more granular control over which entities and resources are included in security analysis.
For more information,

More updatesTo the product
Receive Important Update Messages Stay tuned for upcoming Microsoft updates

More from the Apps & Software section

Was the content helpful to you?

Advertisement Advertise here?
Banner Logitech