check before: 2027-01-31
Product:
Defender, Defender for Endpoint, Defender XDR, Microsoft Graph
Platform:
Developer, Online, World tenant
Change type:
Admin impact, Retirement, Updated message, User impact
Details:
Summary:
Microsoft is retiring the Microsoft Defender for Endpoint and Defender XDR Advanced Hunting APIs by February 1, 2027. Organizations must manually migrate workflows to the Microsoft Graph Security API by January 31, 2027, to ensure continued functionality and improved security integration.
Details:
Updated January 26, 2026: We have updated the content. Thank you for your patience.
[Introduction]
We're retiring the Microsoft Defender for Endpoint (MDE) Advanced Hunting API and Microsoft Defender XDR Advanced Hunting API and transitioning customers to the Microsoft Graph Security API. This update aligns our security integrations with a unified interface and schema across Microsoft Defender products. The Microsoft Graph Security API provides broader data coverage, improved consistency, and better scalability for automation and security workflows.
[When this will happen]
Retirement start: February 6, 2026
Full retirement: February 1, 2027
After February 1, 2027, the MDE and XDR APIs will no longer function.
Created:
2026-01-22
updated:
2026-01-29
summary for non-techies**
Microsoft plans to retire the Microsoft Defender for Endpoint (MDE) Advanced Hunting API and Microsoft Defender XDR Advanced Hunting API by February 1, 2027, urging organizations to transition to the Microsoft Graph Security API for improved data coverage and scalability.
Direct effects for Operations**
API Functionality Loss
Existing scripts, automations, and workflows relying on the MDE and XDR Advanced Hunting APIs will fail after February 1, 2027, leading to disruptions in security operations.
- roles: Security Operations Team, Development Team
- references: https://learn.microsoft.com/defender-endpoint/api/run-advanced-query-api, https://learn.microsoft.com/defender-xdr/api-advanced-hunting
Increased Workload for Migration
Manual migration of workflows to the Microsoft Graph Security API will require significant time and resources, potentially leading to delays in other projects.
- roles: IT Operations Team, Engineering Team
- references: https://learn.microsoft.com/graph/api/resources/security-api-overview?view=graph-rest-1.0, https://learn.microsoft.com/graph/api/resources/security-api-overview?view=graph-rest-1.0#migrate-from-the-older-apis
User Experience Degradation
Failure to migrate may result in users experiencing delays or unavailability of security data, impacting incident response times and overall security posture.
- roles: End Users, Security Analysts
- references: https://learn.microsoft.com/graph/api/resources/security-api-overview?view=graph-rest-1.0, https://learn.microsoft.com/defender-xdr/api-advanced-hunting
Documentation and Training Gaps
Internal documentation and training materials will need to be updated to reflect the new API, which may lead to confusion and errors if not properly managed.
- roles: Training Team, Documentation Team
- references: https://learn.microsoft.com/graph/api/resources/security-api-overview?view=graph-rest-1.0, https://learn.microsoft.com/defender-endpoint/api/run-advanced-query-api
Integration Endpoint Failures
Integration endpoints that are not updated to the Microsoft Graph Security API will cease to function, leading to potential data loss and integration issues.
- roles: Integration Team, IT Support Team
- references: https://learn.microsoft.com/defender-xdr/api-advanced-hunting, https://learn.microsoft.com/graph/api/resources/security-api-overview?view=graph-rest-1.0
** AI generated content. This information must be reviewed before use.
change history
| Date | Property | old | new |
| 2026-01-29 | MC Messages | Updated January 26, 2026: We have updated the content. Thank you for your patience. [Introduction] We're retiring the Microsoft Defender for Endpoint (MDE) API and XDR Advanced Hunting API and transitioning customers to the Microsoft Graph Security API. This update aligns our security integrations with a unified interface and schema across Microsoft Defender products. The Microsoft Graph Security API provides broader data coverage, improved consistency, and better scalability for automation and security workflows. [When this will happen] Retirement start: February 6, 2026 Full retirement: February 1, 2027 After February 1, 2027, the MDE and XDR APIs will no longer function. | Updated January 26, 2026: We have updated the content. Thank you for your patience. [Introduction] We're retiring the Microsoft Defender for Endpoint (MDE) Advanced Hunting API and Microsoft Defender XDR Advanced Hunting API and transitioning customers to the Microsoft Graph Security API. This update aligns our security integrations with a unified interface and schema across Microsoft Defender products. The Microsoft Graph Security API provides broader data coverage, improved consistency, and better scalability for automation and security workflows. [When this will happen] Retirement start: February 6, 2026 Full retirement: February 1, 2027 After February 1, 2027, the MDE and XDR APIs will no longer function. |
| 2026-01-29 | MC Last Updated | 01/26/2026 21:42:25 | 2026-01-28T18:09:23Z |
| 2026-01-29 | MC Summary | Microsoft Defender for Endpoint (MDE) and XDR Advanced Hunting APIs will retire by February 1, 2027. Organizations must manually migrate workflows to the Microsoft Graph Security API by January 31, 2027, to ensure continued functionality and improved security integration. No automatic migration will occur. | Microsoft is retiring the Microsoft Defender for Endpoint and Defender XDR Advanced Hunting APIs by February 1, 2027. Organizations must manually migrate workflows to the Microsoft Graph Security API by January 31, 2027, to ensure continued functionality and improved security integration. |
| 2026-01-27 | MC prepare | Migrate all existing API workflows to the Microsoft Graph Security API by January 31, 2027. Update internal documentation, automation scripts, and integration endpoints to use the Microsoft Graph Security API. Communicate these changes to your security operations, engineering, and development teams. Review Microsoft documentation to plan your migration: Use the Microsoft Graph security API. If your organization uses custom solutions, validate that new queries and response schemas work as expected before the retirement date. Learn more: Advanced hunting - Use the Microsoft Graph security API | Microsoft Graph | Microsoft Learn Migrate from the older APIs - Use the Microsoft Graph security API | Microsoft Graph | Microsoft Learn (to be retired) Microsoft Defender for Endpoint (MDE) API (to be retired) Microsoft Defender XDR API [Compliance considerations] No compliance considerations identified. Review as appropriate for your organization. https://learn.microsoft.com/defender-endpoint/api/run-advanced-query-api https://learn.microsoft.com/defender-xdr/api-overview https://learn.microsoft.com/graph/api/resources/security-api-overview?view=graph-rest-1.0 https://learn.microsoft.com/graph/api/resources/security-api-overview?view=graph-rest-1.0#advanced-hunting https://learn.microsoft.com/graph/api/resources/security-api-overview?view=graph-rest-1.0#migrate-from-the-older-apis | Migrate all existing API workflows to the Microsoft Graph Security API by January 31, 2027. Update internal documentation, automation scripts, and integration endpoints to use the Microsoft Graph Security API. Communicate these changes to your security operations, engineering, and development teams. Review Microsoft documentation to plan your migration: Use the Microsoft Graph security API. If your organization uses custom solutions, validate that new queries and response schemas work as expected before the retirement date. Learn more: Advanced hunting - Use the Microsoft Graph security API | Microsoft Graph | Microsoft Learn Migrate from the older APIs - Use the Microsoft Graph security API | Microsoft Graph | Microsoft Learn (to be retired) Advanced Hunting API - Microsoft Defender for Endpoint | Microsoft Learn (to be retired) Microsoft Defender XDR advanced hunting API - Microsoft Defender XDR | Microsoft Learn [Compliance considerations] No compliance considerations identified. Review as appropriate for your organization. https://learn.microsoft.com/defender-endpoint/api/run-advanced-query-api https://learn.microsoft.com/defender-xdr/api-advanced-hunting https://learn.microsoft.com/graph/api/resources/security-api-overview?view=graph-rest-1.0 https://learn.microsoft.com/graph/api/resources/security-api-overview?view=graph-rest-1.0#advanced-hunting https://learn.microsoft.com/graph/api/resources/security-api-overview?view=graph-rest-1.0#migrate-from-the-older-apis |
| 2026-01-27 | MC MessageTagNames | User impact, Admin impact, Retirement | Updated message, User impact, Admin impact, Retirement |
| 2026-01-27 | MC Summary | Microsoft Defender for Endpoint (MDE) and XDR Advanced Hunting APIs will retire by February 1, 2027. Organizations must manually migrate workflows to the Microsoft Graph Security API by January 31, 2027, to ensure continued functionality and improved security integration. No automatic migration will occur. | |
| 2026-01-27 | MC Last Updated | 01/22/2026 01:47:21 | 2026-01-26T21:42:25Z |
| 2026-01-27 | MC Messages | [Introduction] We're retiring the Microsoft Defender for Endpoint (MDE) API and XDR API and transitioning customers to the Microsoft Graph Security API. This update aligns our security integrations with a unified interface and schema across Microsoft Defender products. The Microsoft Graph Security API provides broader data coverage, improved consistency, and better scalability for automation and security workflows. [When this will happen] Retirement start: February 6, 2026 Full retirement: February 1, 2027 After February 1, 2027, the MDE and XDR APIs will no longer function. | Updated January 26, 2026: We have updated the content. Thank you for your patience. [Introduction] We're retiring the Microsoft Defender for Endpoint (MDE) API and XDR Advanced Hunting API and transitioning customers to the Microsoft Graph Security API. This update aligns our security integrations with a unified interface and schema across Microsoft Defender products. The Microsoft Graph Security API provides broader data coverage, improved consistency, and better scalability for automation and security workflows. [When this will happen] Retirement start: February 6, 2026 Full retirement: February 1, 2027 After February 1, 2027, the MDE and XDR APIs will no longer function. |
| 2026-01-27 | MC Title | Retirement notice: MDE and XDR APIs retiring; migrate to Microsoft Graph Security API | (Updated) Retirement notice: MDE and XDR Advanced Hunting APIs retiring; migrate to Microsoft Graph Security API |
| 2026-01-27 | MC How Affect | Who is affected: Organizations using the MDE API or XDR API for automation, integration, or custom workflows. You are receiving this message because our reporting indicates your organization may be using these APIs. What will happen: The MDE and XDR APIs will stop functioning after February 1, 2027. Existing scripts, automations, and workflows that rely on these APIs will fail if not updated. The Microsoft Graph Security API will be the supported API for accessing Microsoft security data. No automatic migration will occur; manual updates will be required. | Who is affected: Organizations using the MDE or XDR Advanced Hunting API for automation, integration, or custom workflows. You are receiving this message because our reporting indicates your organization may be using these APIs. What will happen: The MDE and XDR Advanced Hunting APIs will stop functioning after February 1, 2027. Existing scripts, automations, and workflows that rely on these APIs will fail if not updated. The Microsoft Graph Security API will be the supported API for accessing Microsoft security data. No automatic migration will occur; manual updates will be required. |
Last updated 4 weeks ago