From 68dd57c610bf1261998fad40a2b9f6ac1ce3771b Mon Sep 17 00:00:00 2001 From: anunesms <136581744+anunesms@users.noreply.github.com> Date: Fri, 17 Apr 2026 11:44:41 +0100 Subject: [PATCH] Document sensitive roles for Defender for Identity integrations Added sensitive roles for Okta, CyberArk, and SailPoint under Defender for Identity integrations and directory Services Replications addition --- defender-for-identity/entity-tags.md | 55 ++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/defender-for-identity/entity-tags.md b/defender-for-identity/entity-tags.md index ae357f52f2..c953245b35 100644 --- a/defender-for-identity/entity-tags.md +++ b/defender-for-identity/entity-tags.md 
@@ -76,6 +76,61 @@ In addition to these groups, Defender for Identity identifies the following high - DHCP Server - DNS Server - Microsoft Exchange Server +- Replicating Directory Changes Permissions + +## Defender for Identity Integrations + +The following roles are designated as Sensitive by Microsoft Defender for Identity. Any entity assigned membership in these roles is automatically classified as sensitive. + +### Okta + +- Super Administrator +- Application Administrator +- Group Administrator +- API Access Management Administrator +- Group Membership Administrator +- Help Desk Administrator +- Mobile Administrator +- Organization Administrator +- Read-only Administrator +- Report Administrator + +### CyberArk + +- Administration Role +- Cloud Onboarding Admin +- Connector Management Admin +- Flows Admin +- Privilege Cloud Administrators +- Privilege Cloud Administrators Basic +- Privilege Cloud Administrators Lite +- Privilege Cloud Safe Managers +- Privilege Cloud Safe Managers Basic +- Privilege Cloud Safe Managers Lite +- Privilege Cloud Session Admin +- Privilege Cloud Session Risk Managers +- System Administrator + +### SailPoint + +#### Entra Id Roles +- Global Administrator +- User Administrator +- Authentication Administrator +- Privileged Authentication Administrator +- Helpdesk Administrator +- Agent ID Administrator +- Application Administrator +- Directory Writers +- Domain Name Administrator +- Password Administrator +- Privileged Role Administrator +- Hybrid Identity Administrator +- Cloud Application Administrator + +#### SailPoint Roles + +- IdentityNow Administrator ## Related content
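Review bot: Under `### SailPoint`, the `#### Entra Id Roles` list has no sentence explaining why Microsoft Entra roles appear in the SailPoint section, so a reader cannot tell how these roles relate to the SailPoint integration. Add one line under the heading stating that relationship, spell the heading "Entra ID", and put a blank line between the heading and its list, as every other heading in this hunk has. The first added line, `- Replicating Directory Changes Permissions`, is a permission appended to a list whose neighbouring entries (DHCP Server, DNS Server, Microsoft Exchange Server) are server types. Reword it to name what actually gets tagged, for example accounts granted that permission, if that is what is meant. In the intro sentence, "Sensitive" is capitalised mid-sentence, and "assigned membership in these roles" would read more clearly as "assigned one of these roles". The new `## Defender for Identity Integrations` heading is in title case while the following `## Related content` heading is in sentence case, so align the two.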