MC1194061 - IP address changes in Defender for Identity v2.x sensor communication

Introduction

As part of ongoing infrastructure and security improvements, Microsoft Defender for Identity (MDI) v2.x sensors will begin using new IP addresses to communicate with the MDI cloud. These IPs will come exclusively from the published range associated with the service tag AzureAdvancedThreatProtection. This change improves reliability and aligns with Azure networking standards.

When this will happen:

General Availability (Worldwide, GCC, GCCH, DoD): Gradual rollout begins mid-December 2025.

How this affects your organization:

• Who is affected: Organizations using Microsoft Defender for Identity v2.x sensors and restricting outbound traffic by IP address.
• What will happen:
  • MDI sensors will start using new IP addresses from the published AzureAdvancedThreatProtection range.
  • No addresses outside the published range will be used.
  • Organizations that already allow the full published range will not experience any disruption.
  • If IP restrictions exist and are not updated, sensors may lose connectivity to the MDI cloud.

What you can do to prepare:

• If your organization already allows the full published range, no action is needed.
• Otherwise:
  • Review any firewall or network policies that restrict traffic to MDI by IP address.
  • Update policies to allow the full published IP range for the service tag AzureAdvancedThreatProtection. Learn more: Azure IP Ranges and Service Tags.

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.