Add windows auditing config (#28525)

* Add windows auditing config

* Fix comment

* Fix comments

---------

Co-authored-by: SamuelBenichou <sbenichou@microsoft.com>

Author: samuelbenichou

api-reference/v1.0/api/security-autoauditingconfiguration-get.md

@@ -0,0 +1,95 @@
+---
+title: "Get autoAuditingConfiguration"
+description: "Read the properties and relationships of microsoft.graph.security.autoAuditingConfiguration object."
+author: "SamuelBenichou"
+ms.date: 03/26/2026
+ms.localizationpriority: medium
+ms.subservice: "security"
+doc_type: apiPageType
+---
+
+# Get autoAuditingConfiguration
+
+Namespace: microsoft.graph.security
+
+
+Get the properties and relationships of [microsoft.graph.security.autoAuditingConfiguration](../resources/security-autoauditingconfiguration.md) object.
+
+## Permissions
+
+Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference).
+
+<!-- {
+  "blockType": "permissions",
+  "name": "security-autoauditingconfiguration-get-permissions"
+}
+-->
+[!INCLUDE [permissions-table](../includes/permissions/security-autoauditingconfiguration-get-permissions.md)]
+
+[!INCLUDE [rbac-mdi-apis](../includes/rbac-for-apis/rbac-mdi-apis.md)]
+
+## HTTP request
+
+<!-- {
+  "blockType": "ignored"
+}
+-->
+``` http
+GET /security/identities/settings/autoAuditingConfiguration
+```
+
+## Optional query parameters
+
+Not supported.
+
+## Request headers
+
+|Name|Description|
+|:---|:---|
+|Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).|
+
+## Request body
+
+Don't supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a [microsoft.graph.security.autoAuditingConfiguration](../resources/security-autoauditingconfiguration.md) object in the response body.
+
+## Examples
+
+### Request
+
+The following example shows a request.
+<!-- {
+  "blockType": "request",
+  "name": "get_autoauditingconfiguration"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/security/identities/settings/autoAuditingConfiguration
+```
+
+
+### Response
+
+The following example shows the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+  "blockType": "response",
+  "truncated": true,
+  "@odata.type": "microsoft.graph.security.autoAuditingConfiguration"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+  "value": {
+    "@odata.type": "#microsoft.graph.security.autoAuditingConfiguration",
+    "isAutomatic": true
+  }
+}
+```
+

api-reference/v1.0/api/security-autoauditingconfiguration-update.md

@@ -0,0 +1,92 @@
+---
+title: "Update autoAuditingConfiguration"
+description: "Update the properties of a autoAuditingConfiguration object."
+author: "SamuelBenichou"
+ms.date: 03/26/2026
+ms.localizationpriority: medium
+ms.subservice: "security"
+doc_type: apiPageType
+---
+
+# Update autoAuditingConfiguration
+
+Namespace: microsoft.graph.security
+
+Update the properties of an [autoAuditingConfiguration](../resources/security-autoauditingconfiguration.md) object.
+
+## Permissions
+
+Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference).
+
+<!-- {
+  "blockType": "permissions",
+  "name": "security-autoauditingconfiguration-update-permissions"
+}
+-->
+[!INCLUDE [permissions-table](../includes/permissions/security-autoauditingconfiguration-update-permissions.md)]
+
+[!INCLUDE [rbac-mdi-apis](../includes/rbac-for-apis/rbac-mdi-apis.md)]
+
+## HTTP request
+
+<!-- {
+  "blockType": "ignored"
+}
+-->
+``` http
+PATCH /security/identities/settings/autoAuditingConfiguration
+```
+
+## Request headers
+
+|Name|Description|
+|:---|:---|
+|Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).|
+|Content-Type|application/json. Required.|
+
+## Request body
+
+
+|Property|Type|Description|
+|:---|:---|:---|
+|isAutomatic|Boolean| Required.|
+
+
+
+## Response
+
+If successful, this method returns a `200 OK` response code.
+
+## Examples
+
+### Request
+
+The following example shows a request.
+<!-- {
+  "blockType": "request",
+  "name": "update_autoauditingconfiguration"
+}
+-->
+``` http
+PATCH https://graph.microsoft.com/v1.0/security/identities/settings/autoAuditingConfiguration
+Content-Type: application/json
+
+{
+  "@odata.type": "#microsoft.graph.security.autoAuditingConfiguration",
+  "isAutomatic": true
+}
+```
+
+
+### Response
+
+The following example shows the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+  "blockType": "response",
+  "truncated": true
+}
+-->
+``` http
+HTTP/1.1 200 OK
+```

api-reference/v1.0/includes/permissions/security-autoauditingconfiguration-get-permissions.md

@@ -0,0 +1,11 @@
+---
+description: Automatically generated file. DO NOT MODIFY
+ms.topic: include
+ms.localizationpriority: medium
+---
+
+|Permission type|Least privileged permissions|Higher privileged permissions|
+|:---|:---|:---|
+|Delegated (work or school account)| SecurityIdentitiesAutoConfig.Read.All | Not available.  |
+|Delegated (personal Microsoft account)| Not supported.  | Not supported. |
+|Application| SecurityIdentitiesAutoConfig.Read.All |  Not available. |

api-reference/v1.0/includes/permissions/security-autoauditingconfiguration-update-permissions.md

@@ -0,0 +1,11 @@
+---
+description: Automatically generated file. DO NOT MODIFY
+ms.topic: include
+ms.localizationpriority: medium
+---
+
+|Permission type|Least privileged permission|Higher privileged permissions|
+|:---|:---|:---|
+|Delegated (work or school account)|SecurityIdentitiesAutoConfig.ReadWrite.All|Not available.|
+|Delegated (personal Microsoft account)|Not supported.|Not supported.|
+|Application|SecurityIdentitiesAutoConfig.ReadWrite.All|Not available.|

api-reference/v1.0/resources/security-api-overview.md

@@ -141,6 +141,11 @@ The Defender for Identity sensors management APIs allows you to:
 - Manage sensor settings, such as adding descriptions, enabling or disabling delayed updates, and specifying the domain controller that the sensor connects to for querying Entra ID.
 - Identify sensors that are ready to be activated.
 - Define whether the sensors in your infrastructure are to be activated automatically or manually.
+- Identify servers that are ready to be activated with the unified agent.
+- Enable or disable the automatic activation of eligible servers for the unified agent.
+- Activate or deactivate the unified agent on eligible servers.
+- Enable or disable the automatic enabling of the required events auditing configuration during the sensor’s activation.
+
 
 ### identityAccounts
 The [identityAccounts resource and related APIs](../resources/security-identityaccounts.md) allows you to retrieve details of users that are flagged by Microsoft Defender for Identity alerts, and apply actions such as disabling accounts and resetting the user password for the compromised user.

api-reference/v1.0/resources/security-autoauditingconfiguration.md

@@ -0,0 +1,49 @@
+---
+title: "autoAuditingConfiguration resource type"
+description: "Represents the configuration settings for automatic auditing in Microsoft Defender for Identity."
+author: "SamuelBenichou"
+ms.date: 03/26/2026
+ms.localizationpriority: medium
+ms.subservice: "security"
+doc_type: resourcePageType
+---
+
+# autoAuditingConfiguration resource type
+
+Namespace: microsoft.graph.security
+
+Represents the configuration settings for automatic auditing in Microsoft Defender for Identity. The config activates predefined audit policies that automatically log critical security events in Windows Event Viewer. For more information, see [Configure audit policies for Windows event logs](/defender-for-identity/deploy/configure-windows-event-collection).
+
+Inherits from [microsoft.graph.entity](../resources/entity.md).
+
+
+## Methods
+|Method|Return type|Description|
+|:---|:---|:---|
+|[Get](../api/security-autoauditingconfiguration-get.md)|[microsoft.graph.security.autoAuditingConfiguration](../resources/security-autoauditingconfiguration.md)| Read the properties and relationships of [microsoft.graph.security.autoAuditingConfiguration](../resources/security-autoauditingconfiguration.md) object.|
+|[Update](../api/security-autoauditingconfiguration-update.md)|[microsoft.graph.security.autoAuditingConfiguration](../resources/security-autoauditingconfiguration.md)| Update the properties of an autoAuditingConfiguration object.                                                                                           |
+
+## Properties
+|Property|Type|Description|
+|:---|:---|:---|
+|isAutomatic|Boolean|Indicates whether automatic auditing is enabled for Defender for Identity monitoring.|
+
+## Relationships
+None.
+
+## JSON representation
+The following JSON representation shows the resource type.
+<!-- {
+  "blockType": "resource",
+  "keyProperty": "id",
+  "@odata.type": "microsoft.graph.security.autoAuditingConfiguration",
+  "baseType": "microsoft.graph.entity",
+  "openType": false
+}
+-->
+``` json
+{
+  "@odata.type": "#microsoft.graph.security.autoAuditingConfiguration",
+  "isAutomatic": "Boolean"
+}
+```

api-reference/v1.0/resources/security-identitycontainer.md

@@ -24,13 +24,14 @@ None.
 
 ## Relationships
 
-| Relationship                           |Type|Description|
-|:---------------------------------------|:---|:---|
-| healthIssues                           |[microsoft.graph.security.healthIssue](security-healthissue.md) collection| Represents potential issues identified by Microsoft Defender for Identity within a customer's Microsoft Defender for Identity configuration. |
-| identityAccounts| [microsoft.graph.security.identityAccounts](security-identityaccounts.md) collection | Represents an identity's details in the context of Microsoft Defender for Identity. |
-| sensors                                |[microsoft.graph.security.sensor](security-sensor.md) collection| Represents a customer's Microsoft Defender for Identity sensors.|
-| sensorCandidates                       |[microsoft.graph.security.sensorCandidate](security-sensorcandidate.md) collection| Represents Microsoft Defender for Identity sensors that are ready to be activated.                                                             |
-| sensorCandidateActivationConfiguration |[microsoft.graph.security.sensorCandidateActivationConfiguration](security-sensorcandidateactivationconfiguration.md) collection| Represents the activation mode of a Microsoft Defender for Identity sensor.                                                                    |
+| Relationship                           | Type                                                                                                                             | Description                                                                                                                                    |
+|:---------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------|
+| healthIssues                           | [microsoft.graph.security.healthIssue](security-healthissue.md) collection                                                       | Represents potential issues identified by Microsoft Defender for Identity within a customer's Microsoft Defender for Identity configuration.   |
+| identityAccounts                       | [microsoft.graph.security.identityAccounts](security-identityaccounts.md) collection                                             | Represents an identity's details in the context of Microsoft Defender for Identity.                                                            |
+| sensors                                | [microsoft.graph.security.sensor](security-sensor.md) collection                                                                 | Represents a customer's Microsoft Defender for Identity sensors.                                                                               |
+| sensorCandidates                       | [microsoft.graph.security.sensorCandidate](security-sensorcandidate.md) collection                                               | Represents Microsoft Defender for Identity sensors that are ready to be activated.                                                             |
+| sensorCandidateActivationConfiguration | [microsoft.graph.security.sensorCandidateActivationConfiguration](security-sensorcandidateactivationconfiguration.md) collection | Represents the activation mode of a Microsoft Defender for Identity sensor.                                                                    |
+| settings                               | [microsoft.graph.security.settingsContainer](security-settingscontainer.md)                                                      | Represents a container for security identities settings APIs.                                                                                  |
 
 ## JSON representation
 

api-reference/v1.0/resources/security-settingscontainer.md

@@ -0,0 +1,44 @@
+---
+title: "settingsContainer resource type"
+description: "Represents a container for security settings APIs."
+author: "SamuelBenichou"
+ms.date: 03/26/2026
+ms.localizationpriority: medium
+ms.subservice: "security"
+doc_type: resourcePageType
+---
+
+# settingsContainer resource type
+
+Namespace: microsoft.graph.security
+
+Represents a container for security identities APIs that currently exposes the [autoAuditingConfiguration](security-autoauditingconfiguration.md) relationship.
+
+## Methods
+
+None
+
+## Properties
+
+None
+
+## Relationships
+|Relationship|Type|Description|
+|:---|:---|:---|
+|autoAuditingConfiguration|[microsoft.graph.security.autoAuditingConfiguration](../resources/security-autoauditingconfiguration.md)|Represents automatic configuration for collection of Windows event logs as needed for Defender for Identity sensors.|
+
+## JSON representation
+The following JSON representation shows the resource type.
+<!-- {
+  "blockType": "resource",
+  "keyProperty": "id",
+  "@odata.type": "microsoft.graph.security.settingsContainer",
+  "baseType": "microsoft.graph.entity",
+  "openType": false
+}
+-->
+``` json
+{
+  "@odata.type": "#microsoft.graph.security.settingsContainer"
+}
+```

api-reference/v1.0/toc/toc.mapping.json

@@ -1765,7 +1765,8 @@
             "microsoft.graph.security.sensor",
             "microsoft.graph.security.sensorCandidate",
             "microsoft.graph.security.sensorCandidateActivationConfiguration",
-            "microsoft.graph.security.identityAccounts"
+            "microsoft.graph.security.identityAccounts",
+            "microsoft.graph.security.autoAuditingConfiguration"
           ],
           "complexTypes": [
             "microsoft.graph.security.deploymentAccessKeyType",