MicrosoftDocs
diff --git a/‎ATPDocs/deploy/deploy-defender-identity.md‎
Lines changed: 2 additions & 2 deletions b/‎ATPDocs/deploy/deploy-defender-identity.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎ATPDocs/deploy/prerequisites-sensor-version-3.md‎
Lines changed: 2 additions & 2 deletions b/‎ATPDocs/deploy/prerequisites-sensor-version-3.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎ATPDocs/health-alerts.md‎
Lines changed: 32 additions & 32 deletions b/‎ATPDocs/health-alerts.md‎
Lines changed: 32 additions & 32 deletions
diff --git a/‎ATPDocs/notifications.md‎
Lines changed: 4 additions & 1 deletion b/‎ATPDocs/notifications.md‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎ATPDocs/sensor-settings.md‎
Lines changed: 6 additions & 1 deletion b/‎ATPDocs/sensor-settings.md‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎ATPDocs/uninstall-sensor.md‎
Lines changed: 12 additions & 9 deletions b/‎ATPDocs/uninstall-sensor.md‎
Lines changed: 12 additions & 9 deletions
diff --git a/‎ATPDocs/vpn-integration.md‎
Lines changed: 4 additions & 1 deletion b/‎ATPDocs/vpn-integration.md‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎CloudAppSecurityDocs/anomaly-detection-policy.md‎
Lines changed: 0 additions & 7 deletions b/‎CloudAppSecurityDocs/anomaly-detection-policy.md‎
Lines changed: 0 additions & 7 deletions
diff --git a/‎CloudAppSecurityDocs/network-requirements.md‎
Lines changed: 22 additions & 7 deletions b/‎CloudAppSecurityDocs/network-requirements.md‎
Lines changed: 22 additions & 7 deletions
@@ -31,10 +31,10 @@ Identify your architecture and your requirements, and then use the table below t
 > [!NOTE]
 > The Defender for Identity sensor version 3.x is still in preview and has some limited functionality compared to version 2.x. Keep these limitations in mind before activating the sensor.
 > The Defender for Identity sensor v3.x:
-> - Requires that Defender for Endpoint is deployed on your endpoints
+> - Requires that Defender for Endpoint is deployed
 > - Doesn't currently support VPN integration
 > - Doesn't currently support ExpressRoute
-> - Doesn't currently offer full functionality of health alerts, posture recommendations or security alerts
+> - Doesn't currently offer full functionality of health alerts, posture recommendations, security alerts or advanced hunting data.
 
 Once you've evaluated your infrastructure and requirements, follow the instructions for deploying the sensor based on the version you need.
 
 
@@ -14,10 +14,10 @@ This article describes the requirements for installing the Microsoft Defender fo
 
 Before activating the Defender for Identity sensor v3.x, note that this version of the sensor is still in preview and has some limited functionality compared to version 2.x. Keep these limitations in mind before activating the sensor.
 The Defender for Identity sensor v3.x:
- - Requires that Defender for Endpoint is deployed on your endpoints
+ - Requires that Defender for Endpoint is deployed
  - Doesn't currently support VPN integration
  - Doesn't currently support ExpressRoute
- - Doesn't currently offer full functionality of health alerts, posture recommendations or security alerts
+ - Doesn't currently offer full functionality of health alerts, posture recommendations, security alerts or advanced hunting data.
 
 ## Licensing requirements
 
 
@@ -1,14 +1,17 @@
 ---
 title: Microsoft Defender for Identity notifications
 description: Learn how to use and configure Microsoft Defender for Identity notifications in Microsoft Defender XDR.
-ms.date: 09/03/2023
+ms.date: 07/10/2025
 ms.topic: how-to
 #CustomerIntent: As a Defender for Identity user, I want to learn how to work with Defender for Identity notifications to make sure I'm up to date about events detected by Defender for Identity.
 ms.reviewer: LiorShapiraa
 ---
 
 # Defender for Identity notifications in Microsoft Defender XDR
 
+>[!NOTE]
+>This feature is currently supported only by the Defender for Identity sensor version 2.x.
+
 Microsoft Defender for Identity provides notifications for health issues and security alerts, either via email notifications or to a Syslog server.
 
 This article describes how to configure Defender for Identity notifications so that you're aware of any health issues or security alerts detected.
 
@@ -1,7 +1,7 @@
 ---
 title: Manage and update sensors
 description: Learn how to manage and update your Microsoft Defender for Identity sensors.
-ms.date: 01/29/2023
+ms.date: 07/10/2025
 ms.topic: how-to
 ms.reviewer: rlitinsky
 ---
@@ -104,6 +104,9 @@ The sensors page provides the following information about each sensor:
 
   * Disabled
 
+    >[!NOTE]
+    >This feature is supported only by the Defender for Identity sensor version 2.x.
+
 * **Health status**: Displays the overall health status of the sensor with a colored icon representing the highest severity open health alert. Possible values are:
 
   * **Healthy (green icon)**: No opened health issues
@@ -143,6 +146,8 @@ Defender for Identity sensors support two kinds of updates:
 > * Defender for Identity sensors always reserve at least 15% of the available memory and CPU available on the domain controller where it is installed. If the Defender for Identity service consumes too much memory, the service is automatically stopped and restarted by the Defender for Identity sensor updater service.
 
 ### Delayed sensor update
+>[!NOTE]
+>This feature is supported only by the Defender for Identity sensor version 2.x.
 
 Given the rapid speed of ongoing Defender for Identity development and release updates, you may decide to define a subset group of your sensors as a delayed update ring, allowing for a gradual sensor update process. Defender for Identity enables you to choose how your sensors are updated and set each sensor as a **Delayed update** candidate.
 
 
@@ -1,7 +1,7 @@
 ---
 title: Uninstall the sensor
 description: This article describes how to uninstall the Microsoft Defender for Identity sensor from domain controllers.
-ms.date: 07/02/2025
+ms.date: 07/07/2025
 ms.topic: how-to
 ms.reviewer: rlitinsky
 ---
@@ -22,21 +22,24 @@ Deactivating Defender for Identity capabilities from your domain controller does
 
 ## Delete a sensor
 
+### For sensor v3.x
 1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Identities** > **Sensors**.
-1. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
+2. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
 
-    ![Screenshot that shows how to delete a sensor.](media/screenshot-that-shows-how-to-delete-a-sensor.png)
+   :::image type="content" source="media/screenshot-that-shows-how-to-delete-a-sensor.png" alt-text="Screenshot that shows how to delete a sensor." lightbox="media/screenshot-that-shows-how-to-delete-a-sensor.png":::
 
-## Uninstall a sensor v2.x from a domain controller
+    >[!NOTE]
+    >This action removes the v3.x sensor and stops monitoring on that domain controller.   
 
-The following steps describe how to uninstall a sensor v2.x from a domain controller.
-
-1. Sign in to the domain controller with administrative privileges.
-1. From the Windows **Start** menu, select **Settings** > **Control Panel** > **Add/ Remove Programs**.
-1. Select the sensor installation, select **Uninstall**, and follow the instructions to remove the sensor.
+## Delete and uninstall a sensor v2.x from a domain controller
 
 > [!IMPORTANT]
 > We recommend removing the sensor from the domain controller before demoting the domain controller.
+> 
+1. Sign in to the domain controller with administrative privileges.
+2. From the Windows **Start** menu, select **Settings** > **Control Panel** > **Add/ Remove Programs**.
+3. Select the sensor installation, select **Uninstall**, and follow the instructions to remove the sensor.
+4. After uninstallation is complete, go to the Microsoft Defender portal > Settings > Identities > Sensors, select the domain controller, and choose Delete.
 
 ## Remove an orphaned sensor
 
 
@@ -1,14 +1,17 @@
 ---
 title: VPN integration | Microsoft Defender for Identity
 description: Learn how to collect accounting information by integrating a VPN for Microsoft Defender for Identity in Microsoft Defender XDR.
-ms.date: 08/31/2023
+ms.date: 07/10/2025
 ms.topic: how-to
 #CustomerIntent: As a Defender for Identity user, I want to learn how to collect accounting information from VPN solutions. 
 ms.reviewer: martin77s
 ---
 
 # Defender for Identity VPN integration in Microsoft Defender XDR
 
+>[!NOTE]
+>This feature is currently supported only by the Defender for Identity sensor version 2.x.
+
 Microsoft Defender for Identity can integrate with your VPN solution by listening to RADIUS accounting events forwarded to Defender for Identity sensors, such as the IP addresses and locations where connections originated. VPN accounting data can help your investigations by providing more information about user activity, such as the locations from where computers are connecting to the network, and an extra detection for abnormal VPN connections.
 
 Defender for Identity's VPN integration is based on standard RADIUS Accounting ([RFC 2866](https://tools.ietf.org/html/rfc2866)), and supports the following VPN vendors:
 
@@ -25,13 +25,6 @@ Anomalies are detected by scanning user activity. The risk is evaluated by looki
 
 Based on the policy results, security alerts are triggered. Defender for Cloud Apps looks at every user session on your cloud and alerts you when something happens that is different from the baseline of your organization or from the user's regular activity.
 
-In addition to native Defender for Cloud Apps alerts, you'll also get the following detection alerts based on information received from Microsoft Entra ID Protection:
-
-* Leaked credentials: Triggered when a user's valid credentials have been leaked. For more information, see [Microsoft Entra ID's Leaked credentials detection](/azure/active-directory/identity-protection/concept-identity-protection-risks#user-risk).
-* Risky sign-in: Combines a number of Microsoft Entra ID Protection sign-in detections into a single detection. For more information, see [Microsoft Entra ID's Sign-in risk detections](/azure/active-directory/identity-protection/concept-identity-protection-risks#sign-in-risk).
-
-These policies appear on the Defender for Cloud Apps policies page and can be enabled or disabled.
-
 > [!IMPORTANT]
 > Starting June 2025, Microsoft Defender for Cloud Apps began transitioning anomaly detection policies to a dynamic threat detection model. This model automatically adapts detection logic to the evolving threat landscape, keeping detections current without manual configuration or policy updates. As part of these improvements to overall security, and to provide more accurate and timely alerts, several legacy policies have been disabled:
 > 
 
@@ -8,9 +8,23 @@ ms.topic: reference
 # Network requirements
 
 >[!IMPORTANT]
+> **Important notice for GCC and Gov customers**
 >
-> **Take Immediate Action by April, 29 2025**, to ensure optimal service quality and prevent the interruption of some services. Update your firewall rules to allow outbound traffic on port 443 for the following IP addresses: 13.107.228.0/24, 13.107.229.0/24, 13.107.219.0/24, 13.107.227.0/24, 150.171.97.0/24. Alternatively, if you currently allow outbound traffic based on Azure service tags, please add the new Azure service tag, ‘AzureFrontDoor.MicrosoftSecurity’ to your allowlist. This tag  will be adjusted to reflect the above range by April 28, 2025.
-> This change only affects commercial customers of Microsoft Defender for Cloud Apps. Customers connected to the Gov US1 or GCC datacenters won't be affected.
+> To prevent service disruption in Microsoft Defender for Cloud Apps, take immediate action by August 25, 2025.
+> Update your firewall configuration as follows:
+>
+> Allow outbound traffic on port 443 to the following IP ranges:
+>
+> - `51.54.53.136/29`
+> - `51.54.114.160/29`
+> - `62.11.173.176/29`
+>
+> If you use Azure service tags for outbound traffic, add the Azure Gov service tag `AzureFrontDoor.MicrosoftSecurity` tag to your firewall allowlist.
+>
+> Add the following endpoint to your firewall allowlist on port 443:
+> - `discoveryresources-cdn-prod.cloudappsecurity.com`
+>
+> For the full list of required IP addresses and DNS names, see [Portal access](network-requirements.md#portal-access).
 
 This article provides a list of ports and IP addresses you need to allow and allowlist to work with Microsoft Defender for Cloud Apps.
 
@@ -35,6 +49,8 @@ To see which data center you're connecting to, do the following steps:
 1. In the **About** screen, you can see the region and the data center.
 
     ![View your data center.](media/data-center.png)
+
+
 
 ## Portal access
 
@@ -53,7 +69,6 @@ To use Defender for Cloud Apps in the Microsoft Defender Portal:
     static2.sharepointonline.com
     *.blob.core.windows.net
     discoveryresources-cdn-prod.cloudappsecurity.com
-    discoveryresources-cdn-gov.cloudappsecurity.us    
     ```
 
 1. Allow the following items based on your data center:
@@ -65,8 +80,8 @@ To use Defender for Cloud Apps in the Microsoft Defender Portal:
       |US3|13.107.219.0/24, 13.107.227.0/24, 13.107.228.0/24, 13.107.229.0/24,  150.171.97.0/24, 13.80.125.22, 40.74.1.235, 40.74.6.204, 40.90.218.196, 40.90.218.198, 51.143.58.207, 52.137.89.147, 52.183.75.62, 20.3.226.231, 4.255.218.227|*.us3.portal.cloudappsecurity.com|
       |EU1|13.107.219.0/24, 13.107.227.0/24, 13.107.228.0/24, 13.107.229.0/24,  150.171.97.0/24, 13.80.125.22, 40.74.1.235, 40.74.6.204, 40.119.154.72, 51.143.58.207, 52.137.89.147, 52.157.238.58, 52.174.56.180, 52.183.75.62, 20.71.203.39, 137.116.224.49|\*.eu.portal.cloudappsecurity.com|
       |EU2|13.107.219.0/24, 13.107.227.0/24, 13.107.228.0/24, 13.107.229.0/24,  150.171.97.0/24, 13.80.125.22, 40.74.1.235, 40.74.6.204, 40.81.156.154, 40.81.156.156, 51.143.58.207, 52.137.89.147, 52.183.75.62, 20.0.210.84, 20.90.9.64|*.eu2.portal.cloudappsecurity.com|
-      |Gov US1|13.72.19.4, 52.227.143.223|*.us1.portal.cloudappsecurity.us|
-      |GCC| 52.227.23.181, 52.227.180.126| *.us1.portal.cloudappsecuritygov.com |
+      |Gov US1|13.72.19.4, 52.227.143.223, 51.54.53.136/29, 51.54.114.160/29, 62.11.173.176/29|*.us1.portal.cloudappsecurity.us|
+      |GCC| 52.227.23.181, 52.227.180.126, 51.54.53.136/29, 51.54.114.160/29, 62.11.173.176/29|*.us1.portal.cloudappsecuritygov.com|
 
       > [!NOTE]
       > For portal access, instead of a wildcard (\*), you can choose to open only your specific tenant URL. For example, based on the screenshot above you can open: `contoso.us.portal.cloudappsecurity.com`. To determine your tenant URL, see the earlier section [View your data center](#view-your-data-center), and look for **API URL**.
@@ -151,8 +166,8 @@ To enable Defender for Cloud Apps to connect to your SIEM, add **outbound port 4
 |US3|13.107.219.0/24, 13.107.227.0/24, 13.107.228.0/24, 13.107.229.0/24,  150.171.97.0/24, 13.80.125.22, 40.74.1.235, 40.74.6.204, 40.90.218.196, 40.90.218.198, 51.143.58.207, 52.137.89.147, 52.183.75.62, 20.3.226.231, 4.255.218.227|
 |EU1|13.107.219.0/24, 13.107.227.0/24, 13.107.228.0/24, 13.107.229.0/24,  150.171.97.0/24, 13.80.125.22, 40.74.1.235, 40.74.6.204, 40.119.154.72, 51.143.58.207, 52.137.89.147, 52.157.238.58, 52.174.56.180, 52.183.75.62, 20.71.203.39, 137.116.224.49|
 |EU2|13.107.219.0/24, 13.107.227.0/24, 13.107.228.0/24, 13.107.229.0/24,  150.171.97.0/24, 13.80.125.22, 40.74.1.235, 40.74.6.204, 40.81.156.154, 40.81.156.156, 51.143.58.207, 52.137.89.147, 52.183.75.62, 20.0.210.84, 20.90.9.64|
-|Gov US1|13.72.19.4, 52.227.143.223|
-|GCC| 52.227.23.181, 52.227.180.126|
+|Gov US1|13.72.19.4, 52.227.143.223, 51.54.53.136/29, 51.54.114.160/29, 62.11.173.176/29 |
+|GCC| 52.227.23.181, 52.227.180.126, 51.54.53.136/29, 51.54.114.160/29, 62.11.173.176/29|
 
 > [!NOTE]
 >