check before: 2025-05-15
Product:
Defender, Defender for Cloud Apps, Defender XDR, Microsoft 365 Apps
Platform:
Online, US Instances, World tenant
Status:
Change type:
Admin impact, Feature update, Updated message
Links:

Details:
Summary:
Microsoft Defender for Cloud Apps will disable three pre-defined policies by default to improve alert accuracy. The rollout starts mid-May 2025 (worldwide) and early June 2025 (GCC, GCC High). Users can re-enable these policies if desired. No immediate action is required. More details are available in the documentation.
Details:
Updated May 29, 2025: We have updated the timeline below. Thank you for your patience.
Microsoft Defender for Cloud Apps is continuously working to ensure that our out-of-the-box (OOTB) threat protection capabilities within App Governance are as accurate and effective as possible.
As part of this effort, we will be disabling by default three specific pre-defined policies that have been found to mostly trigger on legitimate activities, rather than alerting on malicious ones. This change is aimed at improving the overall accuracy of our alerts by relying on more accurate sources that provide a comprehensive view of potential attacks, rather than focusing on isolated anomalous activities.
If you prefer to continue receiving these alerts, the option to re-enable them remains available.
[When this will happen:]
General Availability (Worldwide): We will begin rolling out mid-May (previously late April) and expect to complete by late May 2025.
General Availability (GCC, GCC High): We will begin rolling out early June 2025 (previously late May) and expect to complete by mid-June 2025 (previously late May).
Release Phase:
Created:
2025-03-20
updated:
2025-05-30
summary for non-techies**
Microsoft is improving alert accuracy in Defender for Cloud Apps by disabling three default alert policies to reduce false alarms. The changes roll out in May 2025, and users can re-enable these alerts or create custom alerts if desired.
Direct effects for Operations**
Alert Management
Disabling pre-defined policies may lead to a lack of alerts for potential security threats, resulting in delayed response to actual incidents.
- roles: Security Analyst, IT Administrator
- references: https://learn.microsoft.com/defender-cloud-apps/app-governance-app-policies-get-started
User Experience
Users may experience a false sense of security due to fewer alerts, potentially leading to complacency in monitoring app activities.
- roles: End User, Compliance Officer
- references: https://learn.microsoft.com/defender-cloud-apps/app-governance-app-policies-get-started
Policy Customization
Organizations that rely on the disabled policies for compliance may face challenges in meeting regulatory requirements without prior adjustments.
- roles: Compliance Officer, IT Administrator
- references: https://learn.microsoft.com/defender-cloud-apps/app-governance-app-policies-get-started
Opportunities**
Improved Alert Management
With the disabling of less relevant alerts, IT teams can focus on more critical security notifications, improving incident response times and reducing alert fatigue. This enhances the overall security posture of the organization.
- next-steps: Review the new alert configurations post-rollout and adjust monitoring strategies to align with the updated policies. Train IT staff on how to prioritize alerts effectively.
- roles: Security Analysts, IT Administrators, Compliance Officers
- references: https://learn.microsoft.com/defender-cloud-apps/app-governance-app-policies-get-started
Customization of Policies
Organizations can create custom policies tailored to their specific needs, allowing for a more granular approach to security that aligns with unique business requirements and compliance mandates.
- next-steps: Engage with stakeholders to identify specific security needs and develop a plan for creating and implementing custom policies. Provide training on how to create and manage these policies effectively.
- roles: Security Analysts, IT Administrators, Compliance Officers
- references: https://learn.microsoft.com/defender-cloud-apps/app-governance-app-policies-get-started
Enhanced User Experience
By reducing unnecessary alerts, users can experience less disruption and confusion, leading to improved satisfaction and productivity. This also allows IT to allocate resources more effectively to support user needs.
- next-steps: Gather feedback from users regarding their experiences with alerts and adjust IT support processes accordingly. Communicate changes to ensure users understand the new alert management system.
- roles: End Users, IT Support Staff, IT Managers
- references: https://learn.microsoft.com/defender-cloud-apps/app-governance-app-policies-get-started
** AI generated content. This information must be reviewed before use.

change history
Date | Property | old | new |
2025-05-30 | MC Last Updated | 04/10/2025 17:05:36 | 2025-05-29T16:39:34Z |
2025-05-30 | MC Messages | Updated April 10, 2025: We have updated the rollout timeline below. Thank you for your patience.
Microsoft Defender for Cloud Apps is continuously working to ensure that our out-of-the-box (OOTB) threat protection capabilities within App Governance are as accurate and effective as possible. As part of this effort, we will be disabling by default three specific pre-defined policies that have been found to mostly trigger on legitimate activities, rather than alerting on malicious ones. This change is aimed at improving the overall accuracy of our alerts by relying on more accurate sources that provide a comprehensive view of potential attacks, rather than focusing on isolated anomalous activities. If you prefer to continue receiving these alerts, the option to re-enable them remains available. [When this will happen:] General Availability (Worldwide): We will begin rolling out mid-May (previously late April) and expect to complete by late May 2025. General Availability (GCC, GCC High): We will begin rolling out late May 2025 (previously late April) and expect to complete by late May 2025. | Updated May 29, 2025: We have updated the timeline below. Thank you for your patience.
Microsoft Defender for Cloud Apps is continuously working to ensure that our out-of-the-box (OOTB) threat protection capabilities within App Governance are as accurate and effective as possible. As part of this effort, we will be disabling by default three specific pre-defined policies that have been found to mostly trigger on legitimate activities, rather than alerting on malicious ones. This change is aimed at improving the overall accuracy of our alerts by relying on more accurate sources that provide a comprehensive view of potential attacks, rather than focusing on isolated anomalous activities. If you prefer to continue receiving these alerts, the option to re-enable them remains available. [When this will happen:] General Availability (Worldwide): We will begin rolling out mid-May (previously late April) and expect to complete by late May 2025. General Availability (GCC, GCC High): We will begin rolling out early June 2025 (previously late May) and expect to complete by mid-June 2025 (previously late May). |
2025-05-30 | MC End Time | 06/30/2025 09:00:00 | 2025-07-21T09:00:00Z |
2025-05-30 | MC Summary | Microsoft Defender for Cloud Apps will disable three pre-defined policies by default by mid-May, 2025, to improve alert accuracy. The policies affected are related to data usage, unusual activity, and access to sensitive data. Users can re-enable these policies if desired. No immediate action is required. | Microsoft Defender for Cloud Apps will disable three pre-defined policies by default to improve alert accuracy. The rollout starts mid-May 2025 (worldwide) and early June 2025 (GCC, GCC High). Users can re-enable these policies if desired. No immediate action is required. More details are available in the documentation. |
2025-04-11 | MC MessageTagNames | Feature update, Admin impact | Updated message, Feature update, Admin impact |
2025-04-11 | MC Summary | Microsoft Defender for Cloud Apps will disable three pre-defined policies by default on April 21, 2025, to improve alert accuracy. The policies affected are related to data usage, unusual activity, and access to sensitive data. Users can re-enable these policies if desired. No immediate action is required. | Microsoft Defender for Cloud Apps will disable three pre-defined policies by default by mid-May, 2025, to improve alert accuracy. The policies affected are related to data usage, unusual activity, and access to sensitive data. Users can re-enable these policies if desired. No immediate action is required. |
2025-04-11 | MC Last Updated | 03/20/2025 00:04:08 | 2025-04-10T17:05:36Z |
2025-04-11 | MC Messages | Microsoft Defender for Cloud Apps is continuously working to ensure that our out-of-the-box (OOTB) threat protection capabilities within App Governance are as accurate and effective as possible.
As part of this effort, we will be disabling by default three specific pre-defined policies that have been found to mostly trigger on legitimate activities, rather than alerting on malicious ones. This change is aimed at improving the overall accuracy of our alerts by relying on more accurate sources that provide a comprehensive view of potential attacks, rather than focusing on isolated anomalous activities. If you prefer to continue receiving these alerts, the option to re-enable them remains available. [When this will happen:] General Availability (Worldwide, GCC, GCC High): Rollout is simultaneous to all tenants and will happen on April 21, 2025 | Updated April 10, 2025: We have updated the rollout timeline below. Thank you for your patience.
Microsoft Defender for Cloud Apps is continuously working to ensure that our out-of-the-box (OOTB) threat protection capabilities within App Governance are as accurate and effective as possible. As part of this effort, we will be disabling by default three specific pre-defined policies that have been found to mostly trigger on legitimate activities, rather than alerting on malicious ones. This change is aimed at improving the overall accuracy of our alerts by relying on more accurate sources that provide a comprehensive view of potential attacks, rather than focusing on isolated anomalous activities. If you prefer to continue receiving these alerts, the option to re-enable them remains available. [When this will happen:] General Availability (Worldwide): We will begin rolling out mid-May (previously late April) and expect to complete by late May 2025. General Availability (GCC, GCC High): We will begin rolling out late May 2025 (previously late April) and expect to complete by late May 2025. |
2025-04-11 | MC Title | Updates to App Governance Pre-Defined Policies in Defender for Cloud Apps | (Updated) Updates to App Governance Pre-Defined Policies in Defender for Cloud Apps |
2025-04-11 | MC How Affect | These specific pre-defined policies within App Governance will be switched off for all customers by default. The policies being disabled are:
Increase in data usage by an overprivileged or highly privileged app; Unusual activity from an app with priority account consent; Access to sensitive data. This change will reduce the number of alerts triggered by legitimate activities, allowing you to focus on more accurate and relevant security notifications. The remaining policies and our advanced threat detection engines, which are always enabled and running behind the scenes, will continue to provide robust protection by correlating multiple pieces of evidence to identify potential attacks with higher confidence. If for any reason you prefer to continue receiving these alerts can re-enable the policies via the policy management interface. Additionally, we provide tools for customers to create custom policies tailored to their specific needs. For more details, please refer to the relevant documentation. For more details, please refer to the relevant documentation: Get started with app policies | These specific pre-defined policies within App Governance will be switched off for all customers by default. The policies being disabled are:
Increase in data usage by an overprivileged or highly privileged app; Unusual activity from an app with priority account consent; Access to sensitive data. This change will reduce the number of alerts triggered by legitimate activities, allowing you to focus on more accurate and relevant security notifications. The remaining policies and our advanced threat detection engines, which are always enabled and running behind the scenes, will continue to provide robust protection by correlating multiple pieces of evidence to identify potential attacks with higher confidence. If you have made any changes to customize the existing pre-defined policy template, they will not be disabled as part of this change. If for any reason you prefer to continue receiving these alerts, you can re-enable the policies via the policy management interface. Additionally, we provide tools for customers to create custom policies tailored to their specific needs. For more details, please refer to the relevant documentation. For more details, please refer to the relevant documentation: Get started with app policies |
Last updated 3 weeks ago