MC1194061 – M365 Change Digest

One-line summary

Defender for Identity v2.x sensors will use new IPs from the AzureAdvancedThreatProtection range starting mid-December 2025; update firewall rules if restricting outbound traffic.

Similar updates

Details

Summary

Microsoft Defender for Identity v2.x sensors will start using new IP addresses from the AzureAdvancedThreatProtection service tag range beginning mid-December 2025. Organizations restricting outbound IPs must update firewall rules to allow this range to avoid connectivity loss; no action is needed if the full range is already allowed.

Body (from Message Center)

[Introduction]

As part of ongoing infrastructure and security improvements, Microsoft Defender for Identity (MDI) v2.x sensors will begin using new IP addresses to communicate with the MDI cloud. These IPs will come exclusively from the published range associated with the service tag AzureAdvancedThreatProtection. This change improves reliability and aligns with Azure networking standards.

[When this will happen:]

General Availability (Worldwide, GCC, GCCH, DoD): Gradual rollout begins mid-December 2025.

[How this affects your organization:]

Who is affected: Organizations using Microsoft Defender for Identity v2.x sensors and restricting outbound traffic by IP address.
What will happen:
- MDI sensors will start using new IP addresses from the published AzureAdvancedThreatProtection range.
- No addresses outside the published range will be used.
- Organizations that already allow the full published range will not experience any disruption.
- If IP restrictions exist and are not updated, sensors may lose connectivity to the MDI cloud.

[What you can do to prepare:]

If your organization already allows the full published range, no action is needed.
Otherwise:
- Review any firewall or network policies that restrict traffic to MDI by IP address.
- Update policies to allow the full published IP range for the service tag AzureAdvancedThreatProtection. Learn more: Azure IP Ranges and Service Tags.

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

Raw JSON (for debugging)

Expand/collapse the full payload below.

Show/hide raw

{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": null,
    "ai_actions": [
      "Review firewall/network policies for MDI",
      "Update rules to allow AzureAdvancedThreatProtection IP range"
    ],
    "ai_master_tags": [
      "Security",
      "Network"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Defender for Identity v2.x sensors will use new IPs from the AzureAdvancedThreatProtection range starting mid-December 2025; update firewall rules if restricting outbound traffic.",
    "ai_topics": [
      "Defender"
    ],
    "category": "stayInformed",
    "details_map": {
      "Summary": "Microsoft Defender for Identity v2.x sensors will start using new IP addresses from the AzureAdvancedThreatProtection service tag range beginning mid-December 2025. Organizations restricting outbound IPs must update firewall rules to allow this range to avoid connectivity loss; no action is needed if the full range is already allowed."
    },
    "id": "MC1194061",
    "importance": 0,
    "is_major_change": false,
    "last_modified": "2025-12-10T23:23:25Z",
    "ms_products": [
      "Defender"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Microsoft Defender XDR"
    ],
    "severity": "normal",
    "tags": [
      "Feature update",
      "User impact",
      "Admin impact"
    ],
    "title": "IP address changes in Defender for Identity v2.x sensor communication"
  }
}