(Updated) Automatic Windows event auditing configuration now available for unified sensors (V3.x)

Message Center ID: MC1187403
Microsoft Defender XDR
Stay Informed
New feature, Admin impact
December 2025 January 2026

Summary

An opt-in feature for automatic Windows event-auditing configuration in Defender for Identity unified sensors (V3.x) will be available mid-December 2025. It simplifies deployment by auto-applying required settings, affects all sensors in a tenant, requires admin activation, and addresses specific auditing health issues.

Details

Updated November 19, 2025: We have updated the timeline. Thank you for your patience.

[Introduction]

We’re introducing a new opt-in feature for automatic event-auditing configuration in Defender for Identity unified sensors (V3.x). This enhancement simplifies deployment by allowing admins to automatically apply the required Windows event-auditing settings on their sensors. It reduces manual post-deployment steps and ensures consistent policy enforcement across all onboarded sensors.

[When this will happen:]

General Availability (Worldwide, GCC, GCCH, and DoD): The auditing opt-in feature will be available starting mid-December 2025 (previously mid-November), with rollout expected to complete within the same timeframe.

General Availability (Worldwide, GCC, GCCH, and DoD): The related auditing health alerts will be released gradually by mid-January 2026 (previously mid-December).

[How this affects your organization:]

Who is affected:
Admins managing Defender for Identity unified sensors (V3.x) in Microsoft 365 tenants.

What will happen:

  • A new opt-in setting will be available in both the UI and via Graph API.
  • In the UI, this option will appear under Defender for Identity Settings → Advanced features.
  • Once enabled, the automatic configuration feature will:
    • For new sensor activations: automatically apply all required Windows event-auditing settings during activation.
    • For existing onboarded sensors: automatically apply auditing settings only if misconfigured, and dismiss the related health issues.
  • The opt-in applies to all unified sensors in the tenant.
  • This feature is not enabled by default and requires admin action.
  • No changes will occur unless admins choose to enable the feature.

Relevant auditing configuration health issues covered:

  • NTLM auditing is not enabled
  • Directory Services Advanced Auditing is not enabled as required
  • Directory Services Object Auditing is not enabled as required
  • Auditing on the Configuration container is not enabled as required
  • Auditing on the ADFS container is not enabled as required

[What you can do to prepare:]

No action is required unless you choose to enable the feature.

If you plan to opt in:

  • Review your unified sensor deployment strategy.
  • Enable the opt-in setting via the UI or Graph API.
  • Communicate the change to relevant IT and security teams.
  • Update internal documentation if you track auditing configurations.

To review the required auditing configurations for Defender for Identity unified sensors (V3.x)

For details about the relevant auditing health issues

[Compliance considerations:]

No compliance considerations identified; review as appropriate for your organization.

Change History

November 19, 2025 at 6:30 PM Updated
Title
Previous
Automatic Windows event auditing configuration now available for unified sensors (V3.x)
New
(Updated) Automatic Windows event auditing configuration now available for unified sensors (V3.x)
Summary
Previous
Defender for Identity unified sensors (V3.x) will offer an opt-in feature from mid-Nov 2025 to automatically configure Windows event-auditing settings, simplifying deployment and ensuring consistent policies. Admins must enable this feature manually; it applies to all sensors and addresses specific auditing health issues.
New
An opt-in feature for automatic Windows event-auditing configuration in Defender for Identity unified sensors (V3.x) will be available mid-December 2025. It simplifies deployment by auto-applying required settings, affects all sensors in a tenant, requires admin activation, and addresses specific auditing health issues.
Last Updated Date
Previous
2025-11-17T23:56:49.957Z
New
2025-11-19T17:36:40.680Z
Tags
Previous
New feature, Admin impact
New
Updated message, New feature, Admin impact
