Extended RPC auditing capabilities (Preview)

May 2026

Extended RPC auditing capabilities (Preview)
Defender for Identity now supports extended RPC auditing capabilities for advanced identity detections. To enable these capabilities, apply the new Extended Sensor Audit tag to your devices and install the latest cumulative update. A new health alert, Sensor v3.x Extended RPC Audit Misconfigured (Preview), notifies you when the tag is missing or incorrectly applied. For more information, see Configure RPC on sensors v3.x.

Increased sensor capacity
Defender for Identity now supports up to 1,000 sensors per workspace, increased from the previous limit of 350. To add more than 1,000 sensors, contact Defender for Identity support.

New Defender for Identity security alerts
These new alerts were added to the Defender for Identity security alerts:

New alerts related to Entra ID:

• Guest user account promoted to member
• Failed credential abuse attempt in Entra ID authentication
• Malicious sign in from a randomized user agent
• Possible use of a stolen session cookie
• Stolen session cookie replay detected
• Suspected Conditional Access bypass via non-compliant device
• Suspicious addition of default third‑party MFA method to user account

Known limitation: Migration of domain controllers with Windows Server 2025 from sensor v2.x to sensor v3.x is not supported
Migrating domain controllers running Windows Server 2025 to sensor v3.x isn't currently supported. Continue using the v2.x sensor on Windows Server 2025 domain controllers should until support for migration to v3.x is available.