MC1194061 – IP address changes in Defender for Identity v2.x sensor communication

check before: 2025-12-15

Product:

Defender, Defender for Identity, Defender XDR

Platform:

Online, US Instances, World tenant

Change type:

Feature update, User impact, Admin impact

Summary:
Microsoft Defender for Identity v2.x sensors will start using new IP addresses from the AzureAdvancedThreatProtection service tag range beginning mid-December 2025. Organizations restricting outbound IPs must update firewall rules to allow this range to avoid connectivity loss; no action is needed if the full range is already allowed.

Details:
[Introduction]
As part of ongoing infrastructure and security improvements, Microsoft Defender for Identity (MDI) v2.x sensors will begin using new IP addresses to communicate with the MDI cloud. These IPs will come exclusively from the published range associated with the service tag AzureAdvancedThreatProtection. This change improves reliability and aligns with Azure networking standards.
[When this will happen:]
General Availability (Worldwide, GCC, GCCH, DoD): Gradual rollout begins mid-December 2025.
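
An added example (not part of the original notice and not Microsoft tooling): a check of whether an outbound allowlist covers every prefix of the AzureAdvancedThreatProtection service tag, which is the condition under which no action is needed. The JSON layout follows the downloadable Azure service tag file; the prefixes and the allowlist are constructed sample data using documentation ranges.

```python
import ipaddress
import json

TAG = "AzureAdvancedThreatProtection"

# Constructed sample shaped like the Azure service tag JSON download.
# All prefixes are documentation ranges, not real Microsoft addresses.
SAMPLE_SERVICE_TAGS = json.loads("""
{"values": [
  {"name": "AzureAdvancedThreatProtection", "properties": {"addressPrefixes":
    ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24",
     "203.0.113.64/26", "2001:db8:1::/48"]}},
  {"name": "Storage", "properties": {"addressPrefixes": ["203.0.113.0/26"]}}
]}
""")

# Constructed outbound allowlist as it might be exported from a firewall.
SAMPLE_ALLOWLIST = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8::/32"]


def tag_prefixes(doc, tag=TAG):
    """Return the address prefixes published for one service tag."""
    for entry in doc["values"]:
        if entry["name"] == tag:
            return entry["properties"]["addressPrefixes"]
    raise KeyError(f"service tag {tag!r} not found")


def uncovered(prefixes, allowlist):
    """Return the parts of the tag's prefixes that no allowlist entry covers."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    gaps = []
    for prefix in map(ipaddress.ip_network, prefixes):
        remaining = [prefix]
        for net in (a for a in allowed if a.version == prefix.version):
            pieces = []
            for part in remaining:
                if part.subnet_of(net):
                    continue  # this part is fully allowed
                if net.subnet_of(part):
                    pieces.extend(part.address_exclude(net))  # partly allowed
                else:
                    pieces.append(part)  # no overlap with this rule
            remaining = pieces
        gaps.extend(remaining)
    gaps.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in gaps]


if __name__ == "__main__":
    for gap in uncovered(tag_prefixes(SAMPLE_SERVICE_TAGS), SAMPLE_ALLOWLIST):
        print("not allowed outbound:", gap)
```

An empty result means the allowlist already covers the full tag range; any returned prefix is a range a sensor could be assigned that the firewall would still block.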

Created:
2025-12-11

updated:
2025-12-11

Direct effects for Operations**

Loss of Connectivity
If organizations do not update their firewall rules to allow the new IP addresses, MDI sensors may lose connectivity to the MDI cloud, leading to potential security gaps.
   - roles: Network Administrator, Security Analyst
   - references: https://learn.microsoft.com/azure/virtual-network/service-tags-overview

Increased Security Risks
Failure to allow the new IP addresses may result in unmonitored network activity, increasing the risk of security incidents due to lack of visibility from MDI sensors.
   - roles: Security Analyst, IT Manager
   - references: https://learn.microsoft.com/azure/virtual-network/service-tags-overview

User Experience Degradation
If MDI sensors lose connectivity, users may experience delays or failures in security alerts and monitoring, impacting overall user experience and trust in security measures.
   - roles: End User, IT Support
   - references: https://learn.microsoft.com/azure/virtual-network/service-tags-overview

Opportunities**

Firewall Policy Optimization
By reviewing and updating firewall rules to allow the new IP address range for Microsoft Defender for Identity, organizations can streamline their network security policies, reducing complexity and potential errors. This optimization can lead to improved security posture and easier management of firewall configurations.
   - next-steps: Conduct an audit of current firewall rules, identify necessary updates to accommodate the new IP range, and implement the changes in a test environment before rolling out organization-wide.
   - roles: Network Administrators, IT Security Teams, Compliance Officers
   - references: https://learn.microsoft.com/azure/virtual-network/service-tags-overview

Enhanced Monitoring and Alerting
Implementing enhanced monitoring tools that can automatically detect and alert IT teams about connectivity issues with Defender for Identity can improve incident response times and user experience. This proactive approach can minimize downtime and ensure that security measures are always operational.
   - next-steps: Evaluate existing monitoring tools, assess their compatibility with Defender for Identity, and consider integrating additional solutions that provide real-time alerts for connectivity issues.
   - roles: IT Operations, Network Administrators, Security Analysts
   - references: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-threat-protection?view=o365-worldwide

User Training and Awareness
Providing training for IT staff and end-users on the changes in IP address communication can enhance understanding and preparedness for potential connectivity issues. This training can lead to quicker troubleshooting and reduced frustration among users during the transition period.
   - next-steps: Develop a training program outlining the changes, potential impacts, and troubleshooting steps, and schedule sessions for relevant staff members.
   - roles: IT Training Coordinators, Help Desk Staff, End Users
   - references: https://learn.microsoft.com/en-us/microsoft-365/security/defender/identity/overview?view=o365-worldwide

explanation for non-techies**

Imagine you are in charge of a large office building, and you have a security system that only allows certain delivery trucks to enter the premises. These trucks have specific license plates that your security system recognizes. Now, let's say the delivery company decides to update their fleet with new trucks that have different license plates. To ensure that deliveries continue smoothly, you need to update your security system to recognize these new plates.

This is similar to what's happening with Microsoft Defender for Identity v2.x sensors. These sensors are like the delivery trucks, and the IP addresses they use to communicate with the MDI cloud are like the license plates. Microsoft is updating these IP addresses to improve reliability and security, much like the delivery company updating their fleet.

If your organization restricts outbound traffic by IP address, it's like having a security system that only allows certain license plates. You will need to update your firewall rules to recognize the new IP addresses, which are part of the AzureAdvancedThreatProtection service tag range. If you don't update these rules, it's like not updating your security system, and the new delivery trucks won't be able to enter, causing a disruption in service.

However, if your system already allows the full range of these new IP addresses, you won't need to make any changes, just like if your security system already recognizes all the new license plates. This change is scheduled to begin in mid-December 2025, so there's time to make the necessary updates to avoid any connectivity issues.

** AI generated content. This information must be reviewed before use.
