check before: 2026-01-07
Product:
Defender, Defender XDR
Platform:
Online, World tenant
Status:
Change type:
Admin impact, Feature update, Updated message, User impact
Links:
Details:
Summary:
Microsoft Defender Threat Intelligence is merging with Microsoft Defender and Microsoft Sentinel by August 1, 2026, offering integrated threat insights and enhanced analytics. Post-transition, MDTI requires an active Defender or Sentinel license. Organizations should prepare by updating licenses, documentation, and transitioning before the deadline.
Details:
Updated December 5, 2025: We have updated the timeline. Thank you for your patience.
[Introduction]
Microsoft Defender Threat Intelligence (MDTI) is converging with Microsoft Defender and Microsoft Sentinel to deliver integrated threat intelligence capabilities directly within your SecOps environment. This change simplifies access to threat insights, improves detection and response workflows, and aligns with customer feedback for a unified experience.
[When this will happen]
Full convergence will be completed by August 1, 2026. New capabilities are available now, and as of August 2025, all MDTI data has been published via the free connector, with new Threat Analytics APIs replacing retired MDTI APIs.
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2025-12-05
updated:
2025-12-06
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
summary for non-techies**
XXXXXXX ... free basic plan only
Direct effects for Operations**
License Requirement Change
Post-transition, access to MDTI capabilities will require an active Microsoft Defender or Microsoft Sentinel license, potentially leading to service interruptions for organizations that do not update their licenses in time.
- roles: IT Administrators, Security Analysts
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/microsoft-defender-threat-intelligence-convergence-with/ba-p/123456
Documentation Updates
Organizations will need to update internal documentation to reflect new Threat Analytics APIs and connector availability, which may lead to confusion and miscommunication if not done properly.
- roles: IT Administrators, Compliance Officers
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/microsoft-defender-threat-intelligence-convergence-with/ba-p/123456
Integration Issues
The integration of MDTI with Microsoft Defender and Sentinel may lead to temporary disruptions in threat detection and response workflows if organizations are unprepared for the transition.
- roles: Security Analysts, Incident Response Teams
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/microsoft-defender-threat-intelligence-convergence-with/ba-p/123456
User Experience Disruption
Users may experience a disruption in accessing threat intelligence insights if the transition is not managed effectively, leading to potential delays in incident response.
- roles: End Users, Security Analysts
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/microsoft-defender-threat-intelligence-convergence-with/ba-p/123456
Training Needs
With the introduction of new capabilities and APIs, there may be a need for additional training for staff, which could lead to a temporary decrease in productivity if not addressed beforehand.
- roles: IT Administrators, Security Analysts
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/microsoft-defender-threat-intelligence-convergence-with/ba-p/123456
Configutation Options**
XXXXXXX ... paid membership only
Opportunities**
Integration of Threat Intelligence
By integrating Microsoft Defender Threat Intelligence with Microsoft Defender and Microsoft Sentinel, organizations can streamline threat detection and response processes, leading to faster incident resolution and improved security posture.
- next-steps: Evaluate current security operations to identify gaps in threat intelligence integration and develop a roadmap for utilizing the new capabilities post-convergence.
- roles: Security Operations Center (SOC) Manager, IT Security Analyst, Chief Information Security Officer (CISO)
- references: https://www.microsoft.com/en-us/security/blog/2025/12/05/microsoft-defender-threat-intelligence-convergence/
Enhanced Analytics and Reporting
The new Threat Analytics reports will provide enriched data, including MITRE ATT&CK mappings and IoCs, allowing for better-informed decision-making and prioritization of security incidents.
- next-steps: Train relevant staff on interpreting and utilizing the enhanced analytics reports for improved threat management and response strategies.
- roles: IT Security Analyst, Threat Intelligence Analyst, Incident Response Team
- references: https://www.microsoft.com/en-us/security/blog/2025/12/05/microsoft-defender-threat-intelligence-convergence/
License Management Optimization
As the new MDTI capabilities require an active Defender or Sentinel license, organizations can reassess their current licensing strategy to ensure compliance while potentially optimizing costs through consolidated licenses.
- next-steps: Conduct a licensing audit to determine current usage and requirements, and explore options for bundling licenses to reduce costs while ensuring all necessary features are covered.
- roles: IT Manager, Finance Officer, Compliance Officer
- references: https://www.microsoft.com/en-us/security/blog/2025/12/05/microsoft-defender-threat-intelligence-convergence/
Potentional Risks**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
XXXXXXX ... free basic plan only
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
change history
| Date | Property | old | new |
| 2025-12-06 | MC prepare | Plan your transition to Microsoft Defender or Microsoft Sentinel before January 8, 2026, to maintain uninterrupted access.
Review licensing requirements for MDTI capabilities. Update internal documentation to reflect new Threat Analytics APIs and connector availability. [Compliance considerations] No compliance considerations identified, review as appropriate for your organization. | Plan your transition to Microsoft Defender or Microsoft Sentinel before August 1, 2026, to maintain uninterrupted access.
Review licensing requirements for MDTI capabilities. Update internal documentation to reflect new Threat Analytics APIs and connector availability. [Compliance considerations] No compliance considerations identified, review as appropriate for your organization. |
| 2025-12-06 | MC MessageTagNames | Feature update, User impact, Admin impact | Updated message, Feature update, User impact, Admin impact |
| 2025-12-06 | MC Summary | Microsoft Defender Threat Intelligence is integrating with Microsoft Defender and Microsoft Sentinel by January 8, 2026, offering unified threat insights, enhanced analytics, and IoC integration. Organizations must transition to these platforms and update licensing and documentation to maintain access. | Microsoft Defender Threat Intelligence is merging with Microsoft Defender and Microsoft Sentinel by August 1, 2026, offering integrated threat insights and enhanced analytics. Post-transition, MDTI requires an active Defender or Sentinel license. Organizations should prepare by updating licenses, documentation, and transitioning before the deadline. |
| 2025-12-06 | MC Last Updated | 12/05/2025 01:49:04 | 2025-12-05T19:20:47Z |
| 2025-12-06 | MC Messages | [Introduction]
Microsoft Defender Threat Intelligence (MDTI) is converging with Microsoft Defender and Microsoft Sentinel to deliver integrated threat intelligence capabilities directly within your SecOps environment. This change simplifies access to threat insights, improves detection and response workflows, and aligns with customer feedback for a unified experience. [When this will happen] Full convergence will be completed by January 8, 2026. New capabilities are available now, and as of August 2025, all MDTI data has been published via the free connector, with new Threat Analytics APIs replacing retired MDTI APIs. | Updated December 5, 2025: We have updated the timeline. Thank you for your patience.
[Introduction] Microsoft Defender Threat Intelligence (MDTI) is converging with Microsoft Defender and Microsoft Sentinel to deliver integrated threat intelligence capabilities directly within your SecOps environment. This change simplifies access to threat insights, improves detection and response workflows, and aligns with customer feedback for a unified experience. [When this will happen] Full convergence will be completed by August 1, 2026. New capabilities are available now, and as of August 2025, all MDTI data has been published via the free connector, with new Threat Analytics APIs replacing retired MDTI APIs. |
| 2025-12-06 | MC How Affect | Who is affected: Organizations using Microsoft Defender Threat Intelligence, Microsoft Defender, or Microsoft Sentinel.
What will happen: Threat Intelligence Library will be accessible via the Microsoft Defender portal, including exclusive threat reports, intel profiles, and Indicators of Compromise (IoCs) integrated into Threat Analytics. Enhanced Threat Analytics reports will include: Indicators of Compromise (IoCs) embedded in reports. MITRE ATT&CK mapping for tactics, techniques, and procedures. Insights on targeted industries and actor origins. Related intelligence and aliases for cross-referencing. IoCs will be linked to cases for Sentinel customers. After January 8, 2026, MDTI capabilities will require an active Microsoft Defender or Microsoft Sentinel license. | Who is affected: Organizations using Microsoft Defender Threat Intelligence, Microsoft Defender, or Microsoft Sentinel.
What will happen: Threat Intelligence Library will be accessible via the Microsoft Defender portal, including exclusive threat reports, intel profiles, and Indicators of Compromise (IoCs) integrated into Threat Analytics. Enhanced Threat Analytics reports will include: Indicators of Compromise (IoCs) embedded in reports. MITRE ATT&CK mapping for tactics, techniques, and procedures. Insights on targeted industries and actor origins. Related intelligence and aliases for cross-referencing. IoCs will be linked to cases for Sentinel customers. After August 1, 2026, MDTI capabilities will require an active Microsoft Defender or Microsoft Sentinel license. |
| 2025-12-06 | MC Title | Microsoft Defender Threat Intelligence: Convergence with Microsoft Defender and Microsoft Sentinel | (Updated) Microsoft Defender Threat Intelligence: Convergence with Microsoft Defender and Microsoft Sentinel |
| 2025-12-06 | MC End Time | 02/08/2026 09:00:00 | 2026-08-01T10:00:00Z |
Last updated 3 weeks ago ago
