Forum Discussion
Defender for Identity health issues - Not Closing
This behavior is usually not a bug, but related to how Defender for Identity evaluates health signals.
Health issues are marked as “Closed” only after the sensor reports back and Defender confirms that the underlying condition is fully resolved. If the sensor does not successfully revalidate the condition, the issue will remain open even if you believe it has been fixed.
A few things to verify:
- Sensor communication
Ensure the Defender for Identity sensor is actively communicating with the service. If the sensor is offline, misconfigured, or unable to report telemetry, health state will not update.
- Replication latency
Some health checks rely on directory replication or service re-evaluation cycles. It may take time before the backend confirms the issue is resolved.
- Service account or permissions issues
If the health issue relates to directory permissions, event collection, or domain controller access, confirm that the sensor account has the required permissions and that no recent GPO or security hardening changed those settings.
- Manual close vs automatic close
Even though documentation states that issues close automatically once resolved, in practice some legacy Azure ATP-related health items may require manual closure if the state does not re-trigger a validation event.
- Workspace role
Make sure the account attempting manual closure has the appropriate role assigned (Defender for Identity Administrator).
If the issue persists after confirming sensor health and communication, review the Defender for Identity sensor logs on the affected domain controller. The logs often show whether the health test is still failing silently.
Also confirm that the issue is not related to a retired or decommissioned domain controller. If the sensor still references a removed DC, the health item may remain open until the sensor is properly removed from the portal.
In short, the health issue process is not broken, but it depends entirely on successful telemetry validation from the sensor. If that validation does not occur, the issue will not transition to Closed automatically.
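The sensor-side checks from the reply above (services running, logs still being written, recent errors), as an added PowerShell example that is not part of the original post. It assumes the sensor's default install path and the service names `AATPSensor` and `AATPSensorUpdater`; the 24-hour window and the 200-line tail are arbitrary choices.

```powershell
# Added example: run in an elevated session on the affected domain controller.
# Assumptions: default install path and default service/log names.
$installRoot = 'C:\Program Files\Azure Advanced Threat Protection Sensor'
$lookback    = (Get-Date).AddHours(-24)

# 1. Sensor communication: both services must be running for health state to update.
$services = Get-Service -Name 'AATPSensor', 'AATPSensorUpdater' -ErrorAction SilentlyContinue
if (@($services).Count -lt 2) {
    Write-Warning 'One or both sensor services are not registered on this host.'
}
$services | Select-Object Name, Status, StartType | Format-Table -AutoSize

# 2. Locate the Logs folder of the most recently written version directory.
$logDir = Get-ChildItem -Path $installRoot -Directory -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object { Join-Path $_.FullName 'Logs' } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1

if (-not $logDir) {
    Write-Warning "No Logs folder found under $installRoot (sensor absent or non-default path)."
    return
}

# 3. Log freshness: a sensor that stopped writing logs is not revalidating anything.
Get-ChildItem -Path $logDir -Filter 'Microsoft.Tri.Sensor*.log' |
    Select-Object Name, LastWriteTime,
        @{ Name = 'Stale'; Expression = { $_.LastWriteTime -lt $lookback } } |
    Format-Table -AutoSize

# 4. Recent errors: shows whether a health test is still failing silently.
$errorLog = Join-Path $logDir 'Microsoft.Tri.Sensor-Errors.log'
if (Test-Path $errorLog) {
    Get-Content -Path $errorLog -Tail 200 |
        Select-String -Pattern 'Error|Warn' |
        Select-Object -Last 20 -ExpandProperty Line
} else {
    Write-Output "No error log at $errorLog."
}
```

A stopped service or a log marked `Stale` points to the sensor communication item in the checklist; fresh logs with repeating errors point to the permissions or access items.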