Category
stayInformed
Severity
normal
Major change
False
Last modified
2025-12-10 23:23:25
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
—
Action by (AI)
—
Services
Microsoft Defender XDR
Tags
Feature update, User impact, Admin impact
Master tags
Admin, Security, Network
Roadmap IDs
One-line summary
Defender for Identity v2.x sensors will use new IPs from the AzureAdvancedThreatProtection range starting mid-December 2025; update firewall rules if restricting outbound traffic.
Similar updates
More like thisMC1192257 (Updated) Microsoft Defender Threat Intelligence: Convergence with Microsoft Defender and Microsoft Sentinel
MC1191616 Microsoft Secure Score: New recommendations for Microsoft Defender for Endpoint
MC1187390 Unified sensor (v3.x) – new Remote Procedure Call (RPC) configuration health alert for Microsoft Defender for Identity
MC1192254 Microsoft Defender for Endpoint: New Microsoft Secure Score recommendations
MC1200058 Microsoft Defender for Office 365: Admins can block external users in Microsoft Teams from Defender Portal
MC1077861 (Updated) Microsoft Defender for Cloud Apps: SIEM agents will retire
Details
Summary
Microsoft Defender for Identity v2.x sensors will start using new IP addresses from the AzureAdvancedThreatProtection service tag range beginning mid-December 2025. Organizations restricting outbound IPs must update firewall rules to allow this range to avoid connectivity loss; no action is needed if the full range is already allowed.
Body (from Message Center)
[Introduction]
As part of ongoing infrastructure and security improvements, Microsoft Defender for Identity (MDI) v2.x sensors will begin using new IP addresses to communicate with the MDI cloud. These IPs will come exclusively from the published range associated with the service tag AzureAdvancedThreatProtection. This change improves reliability and aligns with Azure networking standards.
[When this will happen:]
General Availability (Worldwide, GCC, GCCH, DoD): Gradual rollout begins mid-December 2025.
[How this affects your organization:]
- Who is affected: Organizations using Microsoft Defender for Identity v2.x sensors and restricting outbound traffic by IP address.
- What will happen:
- MDI sensors will start using new IP addresses from the published AzureAdvancedThreatProtection range.
- No addresses outside the published range will be used.
- Organizations that already allow the full published range will not experience any disruption.
- If IP restrictions exist and are not updated, sensors may lose connectivity to the MDI cloud.
[What you can do to prepare:]
- If your organization already allows the full published range, no action is needed.
- Otherwise:
- Review any firewall or network policies that restrict traffic to MDI by IP address.
- Update policies to allow the full published IP range for the service tag AzureAdvancedThreatProtection. Learn more: Azure IP Ranges and Service Tags.
[Compliance considerations:]
No compliance considerations identified, review as appropriate for your organization.
Raw JSON (for debugging)
Expand/collapse the full payload below.
Show/hide raw
{
"snapshot_item": {
"action_required_by": null,
"ai_action_required_by": null,
"ai_actions": [
"Review firewall/network policies for MDI",
"Update rules to allow AzureAdvancedThreatProtection IP range"
],
"ai_master_tags": [
"Admin",
"Security",
"Network"
],
"ai_model": "gpt-4.1",
"ai_summary": "Defender for Identity v2.x sensors will use new IPs from the AzureAdvancedThreatProtection range starting mid-December 2025; update firewall rules if restricting outbound traffic.",
"ai_topics": [
"Defender"
],
"category": "stayInformed",
"details_map": {
"Summary": "Microsoft Defender for Identity v2.x sensors will start using new IP addresses from the AzureAdvancedThreatProtection service tag range beginning mid-December 2025. Organizations restricting outbound IPs must update firewall rules to allow this range to avoid connectivity loss; no action is needed if the full range is already allowed."
},
"id": "MC1194061",
"importance": 0,
"is_major_change": false,
"last_modified": "2025-12-10T23:23:25Z",
"ms_products": [
"Defender"
],
"platforms": null,
"roadmap_ids": [],
"services": [
"Microsoft Defender XDR"
],
"severity": "normal",
"tags": [
"Feature update",
"User impact",
"Admin impact"
],
"title": "IP address changes in Defender for Identity v2.x sensor communication"
}
}