File changed: defender-for-identity/whats-new.md (22 additions & 17 deletions)
@@ -1,7 +1,7 @@
1
1
---
2
2
title: What's new | Microsoft Defender for Identity
3
3
description: This article is updated frequently to let you know what's new in the latest release of Microsoft Defender for Identity.
4
-
ms.date: 11/12/2025
4
+
ms.date: 10/23/2025
5
5
ms.topic: overview
6
6
#CustomerIntent: As a Defender for Identity customer, I want to know what's new in the latest release of Defender for Identity, so that I can take advantage of new features and functionality.
7
7
ms.reviewer: AbbyMSFT
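Review bot: ms.date in the front matter moves backwards, from 11/12/2025 to 10/23/2025, even though this change adds a new entry under the "## November 2025" heading. Keep the existing 11/12/2025 value or set it to the date of this edit, so the freshness date does not predate the content it describes.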
@@ -25,6 +25,7 @@ For updates about versions and features released six months ago or earlier, see
25
25
26
26
## November 2025
27
27
28
+
28
29
### Identity Inventory enhancements: Accounts tab, manual account linking and unlinking, and expanded remediation actions
29
30
30
31
The following new features are now available in Microsoft Defender for Identity:
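Review bot: The added line 28 puts a second blank line between "## November 2025" and the "### Identity Inventory enhancements" heading, which already had one blank line (old line 27). Drop the added blank line; it changes nothing in the rendered output and is unrelated to the rest of the change.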
@@ -42,7 +43,11 @@ For more information, see: [Link or Unlink an Account to an Identity (Preview)](
42
43
43
44
You can now perform remediation actions such as disabling accounts or resetting passwords on one or more accounts linked to an identity. For more information, see: [Remediation actions](remediation-actions.md#roles-and-permissions).
44
45
45
-
### Expansion of identity scoping - support for Organizational units (preview)
46
+
### New security posture assessment: Change password for on-prem account with potentially leaked credentials (Preview)
47
+
48
+
The new security posture assessment lists users whose valid credentials have been leaked. For more information, see: [Change password for on-prem account with potentially leaked credentials(Preview)](/defender-for-identity/security-posture-assessments/accounts#change-password-for-on-prem-account-with-potentially-leaked-credentials-preview)
49
+
50
+
### Expansion of identity scoping - support for Organizational units (Preview)
46
51
47
52
In addition to the GA release of scoping by Active Directory domains a few months ago, you can now scope by **Organizational Units (OUs)** as part of XDR User Role-Based Access Control (URBAC). This enhancement provides even more granular control over which entities and resources are included in security analysis.
48
53
For more information, see [Configure scoped access for Microsoft Defender for Identity](configure-scoped-access.md).
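Review bot: In the added paragraph for the leaked-credentials assessment, the link text reads "credentials(Preview)" with no space before the parenthesis, and the sentence ends without a period, unlike the heading above it and the neighbouring "For more information" lines. Change the link text to "... potentially leaked credentials (Preview)" and close the sentence. The description "lists users whose valid credentials have been leaked" also leaves out the recommended action that the heading names (changing the password); one clause stating it would make the entry self-contained.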
@@ -172,7 +177,7 @@ For more information, see [Configure scoped access for Microsoft Defender for Id
172
177
173
178
The new security posture assessment highlights unsecured Active Directory attributes that contain passwords or credential clues and recommends steps to remove them, helping reduce the risk of identity compromise.
174
179
175
-
For more information, see: [Security Assessment: Remove discoverable passwords in Active Directory account attributes (Preview)](/security-posture-assessments/accounts.md#remove-discoverable-passwords-in-active-directory-account-attributes-preview)
180
+
For more information, see: [Security Assessment: Remove discoverable passwords in Active Directory account attributes (Preview)](/defender-for-identity/security-posture-assessments/accounts#remove-discoverable-passwords-in-active-directory-account-attributes-preview)
176
181
177
182
### Microsoft Defender for Identity sensor version updates
178
183
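Review bot: The corrected link on new line 180 uses a site-absolute path with no extension (/defender-for-identity/security-posture-assessments/accounts#...), while other same-docset links in this file, such as configure-scoped-access.md and remediation-actions.md#roles-and-permissions, remain relative with the .md extension. Say in the commit description which form is intended for these assessment links, so a later edit does not bring back the old /security-posture-assessments/accounts.md form that lacked the /defender-for-identity prefix.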
@@ -210,11 +215,11 @@ Use these assessments to improve monitoring coverage and strengthen your hybrid
[Security Assessment: Unmonitored Microsoft Entra Connect servers](/defender-for-identity/security-posture-assessments/identity-infrastructure.md#unmonitored-microsoft-entra-connect-servers)
222
+
[Security Assessment: Unmonitored Microsoft Entra Connect servers](/defender-for-identity/security-posture-assessments/identity-infrastructure#unmonitored-microsoft-entra-connect-servers)
218
223
219
224
220
225
@@ -434,9 +439,9 @@ As part of our ongoing effort to enhance Microsoft Defender for Identity coverag
434
439
***Rotate password for Microsoft Entra Connect connector account**
435
440
* A compromised Microsoft Entra Connect connector account (AD DS connector account, commonly shown as MSOL_XXXXXXXX) can grant access to high-privilege functions like replication and password resets, allowing attackers to modify synchronization settings and compromise security in both cloud and on-premises environments as well as offering several paths for compromising the entire domain. In this assessment, we recommend customers change the password of MSOL accounts with the password last set over 90 days ago. For more information, select [Rotate password for Microsoft Entra Connect connector account](../defender-for-identity/security-posture-assessments/hybrid-security.md#rotate-password-for-microsoft-entra-connect-ad-ds-connector-account).
436
441
***Remove unnecessary replication permissions for Microsoft Entra Connect Account**
437
-
* By default, the Microsoft Entra Connect connector account has extensive permissions to ensure proper synchronization (even if they aren't required). If Password Hash Sync isn't configured, it’s important to remove unnecessary permissions to reduce the potential attack surface. For more information, see [Remove replication permissions for Microsoft Entra account](/defender-for-identity/security-posture-assessments/hybrid-security.md#remove-unnecessary-replication-permissions-for-microsoft-entra-connect-ad-ds-connector-account).
442
+
* By default, the Microsoft Entra Connect connector account has extensive permissions to ensure proper synchronization (even if they aren't required). If Password Hash Sync isn't configured, it’s important to remove unnecessary permissions to reduce the potential attack surface. For more information, see [Remove replication permissions for Microsoft Entra account](/defender-for-identity/security-posture-assessments/hybrid-security#remove-unnecessary-replication-permissions-for-microsoft-entra-connect-ad-ds-connector-account).
438
443
***Change password for Microsoft Entra seamless SSO account configuration**
439
-
* This report lists all [Microsoft Entra seamless SSO](/entra/identity/hybrid/connect/how-to-connect-sso) computer accounts with password last set over 90 days ago. The password for the Azure SSO computer account isn't automatically changed every 30 days. If an attacker compromises this account, they can generate service tickets for the AZUREADSSOACC account on behalf of any user and impersonate any user in the Microsoft Entra tenant that is synchronized from Active Directory. An attacker can use this to move laterally from Active Directory into Microsoft Entra ID. For more information, see: [Change password for Microsoft Entra seamless SSO account configuration](/defender-for-identity/security-posture-assessments/hybrid-security.md#change-password-for-microsoft-entra-seamless-sso-account).
444
+
* This report lists all [Microsoft Entra seamless SSO](/entra/identity/hybrid/connect/how-to-connect-sso) computer accounts with password last set over 90 days ago. The password for the Azure SSO computer account isn't automatically changed every 30 days. If an attacker compromises this account, they can generate service tickets for the AZUREADSSOACC account on behalf of any user and impersonate any user in the Microsoft Entra tenant that is synchronized from Active Directory. An attacker can use this to move laterally from Active Directory into Microsoft Entra ID. For more information, see: [Change password for Microsoft Entra seamless SSO account configuration](/defender-for-identity/security-posture-assessments/hybrid-security#change-password-for-microsoft-entra-seamless-sso-account).
440
445
441
446
**New Microsoft Entra Connect detections:**
442
447
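Review bot: The first bullet in this list, "Rotate password for Microsoft Entra Connect connector account", is left as unchanged context and still links to ../defender-for-identity/security-posture-assessments/hybrid-security.md#rotate-password-..., while the two bullets below it are converted to /defender-for-identity/security-posture-assessments/hybrid-security#.... Convert that link in the same change so all three hybrid-security links in the list use one form.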
@@ -588,7 +593,7 @@ The new **Edit insecure ADCS certificate enrollment IIS endpoints (ESC8)** recom
-[Security posture assessments for AD CS sensors](#security-posture-assessments-for-ad-cs-sensors-preview)
593
598
-[Microsoft Defender for Identity's security posture assessments](security-assessment.md)
594
599
@@ -724,17 +729,17 @@ Recommended actions now include the following new security posture assessments,
724
729
725
730
-**Certificate templates recommended actions**:
726
731
727
-
-[Prevent users to request a certificate valid for arbitrary users based on the certificate template (ESC1)](/defender-for-identity/security-posture-assessments/certificates.md#prevent-users-to-request-a-certificate-valid-for-arbitrary-users-based-on-the-certificate-template-esc1--preview)
728
-
-[Edit overly permissive certificate template with privileged EKU (Any purpose EKU or No EKU) (ESC2)](/defender-for-identity/security-posture-assessments/certificates.md#edit-overly-permissive-certificate-template-with-privileged-eku-any-purpose-eku-or-no-eku-esc2)
-[Prevent users to request a certificate valid for arbitrary users based on the certificate template (ESC1)](/defender-for-identity/security-posture-assessments/certificates#prevent-users-to-request-a-certificate-valid-for-arbitrary-users-based-on-the-certificate-template-esc1--preview)
733
+
-[Edit overly permissive certificate template with privileged EKU (Any purpose EKU or No EKU) (ESC2)](/defender-for-identity/security-posture-assessments/certificates#edit-overly-permissive-certificate-template-with-privileged-eku-any-purpose-eku-or-no-eku-esc2)
-[Enforce encryption for RPC certificate enrollment interface (ESC11)](/defender-for-identity/security-posture-assessments/certificates#security-assessment-enforce-encryption-rpc)
738
743
739
744
The new assessments are available in Microsoft Secure Score, surfacing security issues, and severe misconfigurations that pose risks to the entire organization, alongside detections. Your score is updated accordingly.
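Review bot: Only the path part of the certificate links changes here; the fragments are carried over as they were, including "...-esc1--preview" with a double hyphen on the ESC1 link and the differently styled "#security-assessment-enforce-encryption-rpc" on the ESC11 link. Confirm each fragment matches a heading on the certificates page before merging, because a fragment that does not match drops the reader at the top of the page instead of the intended assessment.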