Forum Discussion
Defender for Identity health issues - Not Closing
We have old issues and they're not being "Closed" as reported.
Are we missing something or is this "Microsoft Defender for Identity" Health Issues process broken? Thanks!
Closed: A health issue is automatically marked as Closed when Microsoft Defender for Identity detects that the underlying issue is resolved. If you have the Azure ATP (workspace name) Administrator role, you can also manually close a health issue.
2 Replies
This behavior is usually not a bug, but related to how Defender for Identity evaluates health signals.
Health issues are marked as “Closed” only after the sensor reports back and Defender confirms that the underlying condition is fully resolved. If the sensor does not successfully revalidate the condition, the issue will remain open even if you believe it has been fixed.
A few things to verify:
- Sensor communication
  Ensure the Defender for Identity sensor is actively communicating with the service. If the sensor is offline, misconfigured, or unable to report telemetry, health state will not update.
- Replication latency
  Some health checks rely on directory replication or service re-evaluation cycles. It may take time before the backend confirms the issue is resolved.
- Service account or permissions issues
  If the health issue relates to directory permissions, event collection, or domain controller access, confirm that the sensor account has the required permissions and that no recent GPO or security hardening changed those settings.
- Manual close vs automatic close
  Even though documentation states that issues close automatically once resolved, in practice some legacy Azure ATP-related health items may require manual closure if the state does not re-trigger a validation event.
- Workspace role
  Make sure the account attempting manual closure has the appropriate role assigned (Defender for Identity Administrator).
If the issue persists after confirming sensor health and communication, review the Defender for Identity sensor logs on the affected domain controller. The logs often show whether the health test is still failing silently.
Also confirm that the issue is not related to a retired or decommissioned domain controller. If the sensor still references a removed DC, the health item may remain open until the sensor is properly removed from the portal.
In short, the health issue process is not broken, but it depends entirely on successful telemetry validation from the sensor. If that validation does not occur, the issue will not transition to Closed automatically.
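The reply above tells you to confirm sensor communication and then read the sensor logs on the affected domain controller. The following PowerShell script is an added example of that triage, not code from this thread or from Microsoft. It assumes the sensor service names AATPSensor and AATPSensorUpdater, the default log folder under "Azure Advanced Threat Protection Sensor\<version>\Logs", the error log file name Microsoft.Tri.Sensor-Errors.log, and the sensor API host pattern <workspace>sensorapi.atp.azure.com; verify each of these against your own installation and the workspace name shown in your portal before relying on the output.

```powershell
# Added example (not from the thread): local triage of an MDI sensor on a domain controller.
# Assumptions, verify on your own install: service names AATPSensor / AATPSensorUpdater,
# log folder "$env:ProgramFiles\Azure Advanced Threat Protection Sensor\<version>\Logs",
# error log file Microsoft.Tri.Sensor-Errors.log, and the sensor API host pattern
# <workspace>sensorapi.atp.azure.com. Run in an elevated PowerShell session on the DC.

param(
    [string]$WorkspaceName = 'YOUR-WORKSPACE-NAME',   # placeholder: copy the workspace name from the MDI portal
    [int]$LogTailLines = 40                            # how many trailing lines of the error log to show
)

# 1. Sensor services. If either service is not Running, the sensor cannot report telemetry,
#    so the health item can never be revalidated and will stay open.
Write-Host "== Sensor services =="
foreach ($svc in 'AATPSensor', 'AATPSensorUpdater') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) { Write-Warning "$svc is not installed on this host"; continue }
    Write-Host ("{0,-20} {1}" -f $svc, $s.Status)
}

# 2. Outbound connectivity to the sensor API on TCP 443 (assumed host pattern, see above).
#    A failed TCP test usually points at a proxy, firewall or DNS problem on the DC.
Write-Host "`n== Sensor API connectivity =="
$endpoint = "{0}sensorapi.atp.azure.com" -f $WorkspaceName.ToLower()
$tnc = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
Write-Host ("{0}:443  TcpTestSucceeded={1}" -f $endpoint, $tnc.TcpTestSucceeded)

# 3. Most recently written error log. A health test that is still failing silently
#    typically leaves repeated entries here; read the tail before opening a ticket.
Write-Host "`n== Recent sensor errors =="
$base   = Join-Path $env:ProgramFiles 'Azure Advanced Threat Protection Sensor'
$errLog = Get-ChildItem -Path $base -Recurse -Filter 'Microsoft.Tri.Sensor-Errors.log' -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($errLog) {
    Write-Host "Reading $($errLog.FullName) (last write: $($errLog.LastWriteTime))"
    Get-Content -Path $errLog.FullName -Tail $LogTailLines
} else {
    Write-Warning "No Microsoft.Tri.Sensor-Errors.log found under $base"
}
```

Run it once per domain controller that the open health issue names. A sensor whose services are running and whose TCP test succeeds, but whose error log keeps repeating the same failure, is the case the reply describes: the condition has not actually been revalidated, so the item will not transition to Closed until the logged error stops.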
- JunaidHanief
Microsoft
Hi MPH2
A health issue is automatically marked as Closed when Microsoft Defender for Identity detects that the underlying issue is resolved. Yes - provided that you have correctly followed the recommended action and implemented the configuration attached to that health alert.
If you have the Azure ATP (workspace name) Administrator role, you can also manually close a health issue. You can close the health issue manually, but it will come back after 1 minute to 24 hours due to continuous scanning for health issues.
The best approach is:
1. Check the health alert description and understand it properly.
2. Make the required changes.
3. Close the health alert manually if you are confident about the changes being in line with what was recommended and if it is still showing up after you made the changes.
4. If it comes back - create a support ticket with Defender for Identity support. Provide the health alert export + screenshots and the documentation or steps followed to resolve the health issue.
MDI support will validate the settings and escalate if needed.