MC1124559 – Microsoft Defender for Identity: Expiration required for Recommended test mode (archived)

Product:

Defender, Defender for Identity, Defender XDR

Platform:

Online, World tenant

Status:

Change type:

Feature update, User impact, Admin impact

Links:

Details:

Summary:
Microsoft Defender for Identity will require a 60-day expiration period when enabling Recommended test mode starting late July 2025. Admins must manually set this expiration, which limits test duration and restores original alert thresholds after expiry, affecting alerting and integrations but not users directly.

Details:
Introduction
To help organizations better manage testing efforts and reduce the risk of prolonged exposure to test configurations, Microsoft Defender for Identity (MDI) now requires an expiration period (up to 60 days) when enabling Recommended test mode. This update ensures test settings are time-bound, improving operational clarity and reducing potential security gaps.
When this will happen
General Availability (Worldwide): Rollout will begin in late July 2025 and is expected to complete by mid-August 2025.

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:

Created:
2025-07-30

updated:
2025-07-30

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS How does it affect me

XXXXXXX ... free basic plan only

MS Preperations

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

Pictures

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

Alerting Behavior Changes
Once the Recommended test mode expires, original alert thresholds will be restored, potentially leading to missed alerts or delayed responses to security incidents.
   - roles: Security Administrator, IT Operations Manager
   - references: https://learn.microsoft.com/defender-for-identity/advanced-settings, https://learn.microsoft.com/defender-for-identity/

Integration Disruptions
The expiration of test mode may disrupt integrations with other Microsoft security products, affecting overall security posture and incident response capabilities.
   - roles: Security Administrator, IT Operations Manager
   - references: https://learn.microsoft.com/defender-for-identity/advanced-settings, https://learn.microsoft.com/defender-for-identity/

Configutation Options**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

Microsoft Defender for Identity is introducing a new requirement for its Recommended test mode starting in late July 2025. Think of this like a trial period for a new software or service you might use. When you sign up for a trial, it usually has an end date, so you don't keep using it indefinitely without making a decision. Similarly, Microsoft is now requiring that when you enable the Recommended test mode, you set an expiration date of up to 60 days. This means that after 60 days, the test mode will automatically turn off, and everything will go back to the way it was before the test started.

This change is like setting a timer on your oven when you're baking cookies. You set it so you don't forget and end up with burnt cookies. In this case, the timer ensures that the test mode doesn't run indefinitely, which could lead to security issues if not monitored. Once the timer (or expiration period) ends, the system automatically reverts to its original settings, much like how the oven stops heating once the timer goes off.

For administrators, this means that when they turn on the test mode, they need to remember to set this expiration period. If the test mode was already on before this change, it will automatically get a 60-day expiration from the rollout date. This doesn't directly affect end users, but it might change how alerts and integrations with other Microsoft security products behave once the test mode expires.

To prepare, it's a good idea to review how you're currently using the test mode and plan for what happens when it expires. Make sure the right people have the necessary permissions to manage these settings. Just like you would check your calendar to ensure you have reminders set for important deadlines, reviewing these settings will help ensure everything runs smoothly.