Update

MDI alerts migrated to the unified Defender alerting experience

January 2026

MDI alerts migrated to the unified Defender alerting experience
As part of the ongoing transition to a unified alerting experience across Microsoft Defender products, some alerts were converted from the Microsoft Defender for Identity classic format to the MDI XDR alert format. Keep in mind that all alerts are based on detections from Defender for Identity sensors. See Microsoft Defender for Identity XDR security alerts for the full list of XDR alerts.

New Health Alert: Sensor v3.x RPC Audit Misconfigured
Enhanced RPC auditing is required for some Microsoft Defender for Identity advanced identity detections. A new health alert helps identify v3.x sensors where this configuration is either missing or incorrectly applied. The alert is being rolled out gradually to customers. For more information, see Configure RPC on sensors v3.x.

Automatic Windows event auditing configuration for Defender for Identity sensors v3.x (preview)
We’re gradually rolling out automatic Windows event-auditing configuration for sensors v3.x, along with related health alerts. This update streamlines deployment by automatically applying the required auditing settings to new sensors and correcting misconfigurations on existing ones.

New security posture assessment: Identify service accounts in privileged groups
This identity security posture assessment lists Active Directory service accounts with direct or nested membership in privileged groups.

You can use this assessment to identify service accounts with elevated permissions and take action when privileged access isn’t required.

For more information, see: Security posture assessment: Identify service accounts in privileged groups

New security posture assessment: Locate accounts in built-in Operator Groups
This identity security posture assessment lists Active Directory accounts that are members of built-in Operator Groups, including direct and indirect membership.

You can use this assessment to review legacy or unnecessary operator access and take action when elevated access isn’t required.
