March 2026
Migrate Defender for Identity sensors from v2.x to v3.x
You can now migrate Defender for Identity sensors from v2.x to v3.x directly from the Microsoft Defender portal. The v2.x sensor continues running during the migration until the v3.x sensor is ready, so there's no downtime. Eligible servers appear as Ready for migration on the Sensors page, and migration takes up to 20 minutes. For more information, see Migrate to Defender for Identity sensor v3.x.
Identity security enhancements
New identity security capabilities help you monitor and manage identity security for human and non-human identities:
- Identity Security dashboard (Preview): The Identity Security dashboard provides summary cards for identity providers, on-premises identities, SaaS identities, PAM and IGA integrations, and non-human identities. Widgets show deployment status, highly privileged identities, users at risk, and domains with unsecured configurations. For more information, see The Identity Security dashboard.
  - The Identity Security dashboard is being rolled out gradually to customers, and might not yet be available in your organization.
- Coverage and maturity page (Preview): The Coverage and maturity page shows your organization's identity security coverage for identity providers, on-premises identities, SaaS identities, and PAM and IGA integrations. Each source displays a maturity level, including Connected, Protected, Fortified, and Resilient, with identity counts, coverage scores, and prioritized setup tasks. For more information, see Coverage and maturity.
  - The Coverage and maturity page is being rolled out gradually to customers, and might not yet be available in your organization. If you don't see this feature in your environment yet, check back soon.
- Identity inventory: The Identity inventory page now shows human and non-human identities in separate tabs. Insight cards help you classify critical assets, view highly privileged identities, identify critical Active Directory service accounts, and view cloud application accounts. For more information, see View the Identity inventory.
- Non-human identities (Preview): The Non-human identities tab on the Identity inventory page shows non-human identities, including Microsoft Entra ID apps, Active Directory service accounts, Google Workspace apps, and Salesforce apps. The tab includes statistics for risky, highly privileged, overprivileged, unused, and externally published identities. A separate investigation page lets you view details for each identity. For more information, see Identity inventory and Investigate non-human identities.
- Identity risk score (Preview): A new risk score for identities, ranging from 0 to 100, indicates the likelihood of compromise and the potential impact based on criticality and privileged roles. The risk score is available in Microsoft Entra ID, where it can be used to inform conditional access policies and identity protection workflows. A new Risk score tab on the Identity page provides a detailed breakdown of the risk factors, including percentile comparison and risk trends. For more information, see Investigate an identity.
- Identity security recommendations (Preview): View recommendations for Active Directory, Microsoft Entra ID, and SaaS applications such as Microsoft, Atlassian, GitHub, Google Workspace, Salesforce, and ServiceNow. Recommendations are also available for non-Microsoft identity providers such as Okta, PingOne, CyberArk, and SailPoint. For more information, see Identity security recommendations.
- Domain investigation page (Preview): The Domain investigation page shows Active Directory domain security, including domain properties, deployment health, identity summary, service account breakdown, sensitive entities, active recommendations, group policies, and trust relationships. For more information, see Investigate a domain.
- Password protection page (Preview): The Password protection page shows identity password risk from Active Directory, Microsoft Entra ID, and Okta, with tabs for password hygiene, password policies, leaked credentials, and exposed passwords. For more information, see Password protection.
Defender for Identity sensor updates
Sensor versions now display the full version number (for example, 2.255.19201.14651) instead of only the major/minor version (for example, 2.255). This makes it easier to identify the exact update installed on each sensor.
When you validate upgrades or troubleshoot, the last two numbers in the version (for example, 19201.14651) show which update is installed.
New Defender for Identity security alerts
These new alerts were added to the Defender for Identity security alerts:
New alerts related to Entra ID:
- Attempt to disable Defender for Identity service principal observed
- Suspicious Entra account enablement after disruption
- Suspicious Intune device registration activity
- Suspicious OS switch sign-in
- Suspicious shared client infrastructure activity
- Suspicious sign-in from unusual user agent and IP address using PowerShell
- Suspicious sign-in from unusual user agent and IP address using device code flow
New alerts related to Active Directory:
- Suspicious on-premises account enablement after disruption
- Suspicious resource-based constrained delegation (RBCD) attribute change
- Suspicious resource-based constrained delegation (RBCD) authentication
Suspected pass-the-ticket attack alert is now generally available
The Suspected pass-the-ticket attack alert is now generally available. This alert was previously available in public preview as Pass-the-Ticket (PtT) attack. For more information, see Lateral movement alerts.
Updates to Secure Score category calculations for increased accuracy
To improve accuracy and better protect organizational identities, some security recommendations categorized as Cloud apps recommendations are now considered identity‑related and grouped under the Identity category. While the total Secure Score remains unchanged, individual identity and app scores may change.
Continued rollout of new health alert: Sensor v3.x RPC Audit Misconfigured
The Sensor v3.x RPC Audit Misconfigured health alert continues to roll out gradually to customers. The new health alert helps identify v3.x sensors where the Enhanced RPC auditing configuration is either missing or incorrectly applied. Enhanced RPC auditing is required for some Microsoft Defender for Identity advanced identity detections. For more information, see Configure RPC on sensors v3.x.

