Extended RPC auditing capabilities (Preview)

May 2026
Extended RPC auditing capabilities (Preview)
Defender for Identity now supports extended RPC auditing capabilities for advanced identity detections. To enable these capabilities, apply the new Extended Sensor Audit tag to your devices and install the latest cumulative update. A new health alert, Sensor v3.x Extended RPC Audit Misconfigured (Preview), notifies you when the tag is missing or incorrectly applied. For more information, see Configure RPC on sensors v3.x.

Increased sensor capacity
Defender for Identity now supports up to 1,000 sensors per workspace, increased from the previous limit of 350. To add more than 1,000 sensors, contact Defender for Identity support.

New Defender for Identity security alerts
These new alerts were added to the Defender for Identity security alerts:

New alerts related to Entra ID:

• Guest user account promoted to member
• Failed credential abuse attempt in Entra ID authentication
• Malicious sign in from a randomized user agent
• Possible use of a stolen session cookie
• Stolen session cookie replay detected
• Suspected Conditional Access bypass via non-compliant device
• Suspicious addition of default third‑party MFA method to user account