near real time updates for Entra ID Risk Level

Author: DeCohen

ATPDocs/whats-new.md

@@ -25,6 +25,14 @@ For updates about versions and features released six months ago or earlier, see
 
 ## August 2025
 
+### Microsoft Entra ID risk level near-real-time (NRT) visibility in Defender for Identity (Preview)
+
+Microsoft Entra ID Risk Level extends identity visibility in Identity Inventory assets page, the Identity page, and the Identity Info Table in Advanced Hunting to include the Entra ID risk score. It lets SOC analysts correlate risky users and sensitive and high-privileged users, and create custom detections based on current or historical user risk to enhance investigation context.
+
+Previously, Microsoft Defender for Identity tenants received Entra ID Risk Level attributes in the Identity Info Table through UEBA. With this update, these attributes will now be synchronized in near real time via Defender for Identity.
+
+For UEBA tenants without a Microsoft Defender for Identity license, the Entra ID Risk Level sync to the Identity Info table remains unchanged.
+
 
 ## New security posture assessment: Remove discoverable passwords in Active Directory account attributes (Preview)
 

defender-xdr/advanced-hunting-identityinfo-table.md

@@ -102,10 +102,14 @@ If you're using the Microsoft Defender portal but haven't onboarded a Microsoft
 - `DeletedDateTime`
 - `EmployeeId`
 - `OtherMailAddresses`
+- `Tags`
+
+The following columns are available in near real time for tenants with Microsoft Defender for Identity:
+
 - `RiskLevel`
 - `RiskLevelDetails`
 - `State`
-- `Tags`
+
 
 For more information about UEBA, read [Advanced threat detection with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](/azure/sentinel/identify-threats-with-entity-behavior-analytics). For more information about the different data sources in UEBA, read [Microsoft Sentinel UEBA reference](/azure/sentinel/ueba-reference).