Identity inventory enhancements are now generally available

January 2026

Identity inventory enhancements are now generally available
- Accounts tab in Identity Inventory: The new Accounts tab provides a consolidated view of all accounts associated with an identity, including accounts from Active Directory, Microsoft Entra ID, and supported non-Microsoft identity providers. For more information, see Manage related identities and accounts.

• Manually link and unlink accounts: Manually link or unlink accounts from an identity directly in the Accounts tab. This capability helps you correlate identity components from different directory sources and provides a complete identity context during investigations. For more information, see Manage related identities and accounts.
  - Identity-level remediation actions: You can now perform remediation actions such as disabling accounts or resetting passwords on one or more accounts linked to an identity. For more information, see Remediation actions.
  - New advanced hunting table: Advanced hunting in Microsoft Defender now includes the IdentityAccountInfo table. This table provides account information from various sources, including Microsoft Entra ID, and links to the identity that owns the account.

MDI alerts migrated to the unified Defender alerting experience
As part of the ongoing transition to a unified alerting experience across Microsoft Defender products, some alerts were converted from the Microsoft Defender for Identity classic format to the MDI XDR alert format. Keep in mind that all alerts are based on detections from Defender for Identity sensors. See Microsoft Defender for Identity XDR security alerts for the full list of XDR alerts.

New Health Alert: Sensor v3.x RPC Audit Misconfigured
Enhanced RPC auditing is required for some Microsoft Defender for Identity advanced identity detections. A new health alert helps identify v3.x sensors where this configuration is either missing or incorrectly applied. The alert is being rolled out gradually to customers. For more information, see Configure RPC on sensors v3.x.

Automatic Windows event auditing configuration for Defender for Identity sensors v3.x (preview)
We’re gradually rolling out automatic Windows event-auditing configuration for sensors v3.x, along with related health alerts. This update streamlines deployment by automatically applying the required auditing settings to new sensors and correcting misconfigurations on existing ones.

New security posture assessment: Identify service accounts in privileged groups
This identity security posture assessment lists Active Directory service accounts with direct or nested membership in privileged groups.

You can use this assessment to identify service accounts with elevated permissions and take action when privileged access isn’t required.

For more information, see:Security posture assessment: Identify service accounts in privileged groups

New security posture assessment: Locate accounts in built-in Operator Groups
This identity security posture assessment lists Active Directory accounts that are members of built-in Operator Groups, including direct and indirect membership.

You can use this assessment to review legacy or unnecessary operator access and take action when elevated access isn’t required.