MC940078 – (Updated) Upcoming changes to Defender for Identity activities and alerts in Defender for Cloud Apps experiences

check before: 2025-01-01

Product:

Defender, Defender for Cloud Apps, Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender XDR, Entra, Stream

Platform:

Online, US Instances, World tenant

Status:

Rolling out

Change type:

Admin impact, Retirement, Updated message

Links:

MC1024406

Details:

Summary:
Defender for Identity activities and alerts will be retired from Defender for Cloud Apps by late May 2025. All data and functionality will be available through Microsoft Defender XDR. Organizations should update their resources and create new custom detections in Advanced Hunting.

Details:
Updated May 13, 2025: We have updated the timeline below. Thank you for your patience.
As part of the convergence of both Microsoft Defender for Identity and Microsoft Defender for Cloud Apps into Microsoft Defender XDR services, we are continuing to move away from legacy experiences and enhancing the unified experiences.
Therefore, we will gradually retire Defender for Identity's Active Directory and alerts data from Defender for Cloud Apps dedicated experiences. All data, as well as all functionality of the affected experiences, remain available through Microsoft Defender XDR unified experiences, where we will continue to invest our development resources.
[When this will happen:]
General Availability (Worldwide, GCC, GCC High, DoD): This retirement will begin rolling out in late January 2025 and is expected to complete in late May 2025 (previously early May).

Created:
2024-11-23

updated:
2025-05-14

summary for non-techies**

Microsoft is consolidating its security tools, such as Defender for Identity and Defender for Cloud Apps, into a unified platform called Microsoft Defender XDR. Organizations need to adapt by updating systems and creating new custom detections in Advanced Hunting, and by integrating alerts from Microsoft Entra ID Protection into the new system.

Direct effects for Operations**

Loss of Active Directory Data Access
Active Directory activities will no longer be available in Defender for Cloud Apps, impacting the ability to monitor and respond to security incidents based on this data.
   - roles: Security Analyst, IT Administrator
   - references: https://learn.microsoft.com/defender-xdr/advanced-hunting-overview, https://learn.microsoft.com/defender-xdr/configure-siem-defender#ingesting-streaming-event-data-via-event-hubs

Disruption in Alert Management
Defender for Cloud Apps activity policies will cease triggering based on Active Directory data, leading to potential gaps in alert management and incident response.
   - roles: Security Analyst, Compliance Officer
   - references: https://learn.microsoft.com/defender-xdr/advanced-hunting-schema-tables, https://learn.microsoft.com/defender-xdr/custom-detection-rules

Need for Custom Detections
Organizations will need to create new custom detections in Advanced Hunting to replace the lost functionality, which may require additional time and resources.
   - roles: Security Analyst, IT Administrator
   - references: https://learn.microsoft.com/defender-xdr/custom-detection-rules, https://learn.microsoft.com/defender-xdr/advanced-hunting-shared-queries

Integration Challenges
Transitioning to Microsoft Defender XDR may present integration challenges with existing SIEM tools, potentially leading to delays in threat detection.
   - roles: IT Administrator, Security Engineer
   - references: https://learn.microsoft.com/defender-xdr/streaming-api, https://learn.microsoft.com/defender-xdr/configure-siem-defender#ingesting-streaming-event-data-via-event-hubs

User Experience Impact
Users may experience confusion or disruption due to the changes in alert visibility and management processes, affecting their ability to respond to security incidents.
   - roles: End User, IT Support
   - references: https://learn.microsoft.com/defender-xdr/microsoft-365-security-center-mdi, https://learn.microsoft.com/defender-xdr/advanced-hunting-overview

** AI generated content. This information must be reviewed before use.

change history

Date | Property | old | new
2025-05-14 | MC Last Updated | old: 02/10/2025 16:18:15 | new: 2025-05-13T19:22:51Z
2025-05-14 | MC Messages
old:
Updated February 10, 2025: We have updated the rollout timeline below. Thank you for your patience.
As part of the convergence of both Microsoft Defender for Identity and Microsoft Defender for Cloud Apps into Microsoft Defender XDR services, we are continuing to move away from legacy experiences and enhancing the unified experiences.
Therefore, we will gradually retire Defender for Identity's Active Directory and alerts data from Defender for Cloud Apps dedicated experiences. All data, as well as all functionality of the affected experiences, remain available through Microsoft Defender XDR unified experiences, where we will continue to invest our development resources.
[When this will happen:]
General Availability (Worldwide, GCC, GCC High, DoD): This retirement will begin rolling out in late January 2025 and is expected to complete in early May 2025 (previously early March 2025).
new:
Updated May 13, 2025: We have updated the timeline below. Thank you for your patience.
As part of the convergence of both Microsoft Defender for Identity and Microsoft Defender for Cloud Apps into Microsoft Defender XDR services, we are continuing to move away from legacy experiences and enhancing the unified experiences.
Therefore, we will gradually retire Defender for Identity's Active Directory and alerts data from Defender for Cloud Apps dedicated experiences. All data, as well as all functionality of the affected experiences, remain available through Microsoft Defender XDR unified experiences, where we will continue to invest our development resources.
[When this will happen:]
General Availability (Worldwide, GCC, GCC High, DoD): This retirement will begin rolling out in late January 2025 and is expected to complete in late May 2025 (previously early May).
2025-05-14 | MC End Time | old: 04/07/2025 09:00:00 | new: 2025-07-07T09:00:00Z
2025-05-14 | MC Summary
old: Defender for Identity activities and alerts will retire from Defender for Cloud Apps and move to Microsoft Defender XDR services. This change starts in late January 2025 and completes in early May 2025. Users must prepare by creating new custom detections and updating resources accordingly.
new: Defender for Identity activities and alerts will be retired from Defender for Cloud Apps by late May 2025. All data and functionality will be available through Microsoft Defender XDR. Organizations should update their resources and create new custom detections in Advanced Hunting.
2025-02-11 | MC Messages
old:
Updated December 31, 2024: We have updated the content. Thank you for your patience.
As part of the convergence of both Microsoft Defender for Identity and Microsoft Defender for Cloud Apps into Microsoft Defender XDR services, we are continuing to move away from legacy experiences and enhancing the unified experiences.
Therefore, we will gradually retire Defender for Identity's Active Directory and alerts data from Defender for Cloud Apps dedicated experiences. All data, as well as all functionality of the affected experiences, remain available through Microsoft Defender XDR unified experiences, where we will continue to invest our development resources.
[When this will happen:]
General Availability (Worldwide, GCC, GCC High, DoD): This retirement will begin rolling out in late January 2025 and is expected to complete in early March 2025.
new:
Updated February 10, 2025: We have updated the rollout timeline below. Thank you for your patience.
As part of the convergence of both Microsoft Defender for Identity and Microsoft Defender for Cloud Apps into Microsoft Defender XDR services, we are continuing to move away from legacy experiences and enhancing the unified experiences.
Therefore, we will gradually retire Defender for Identity's Active Directory and alerts data from Defender for Cloud Apps dedicated experiences. All data, as well as all functionality of the affected experiences, remain available through Microsoft Defender XDR unified experiences, where we will continue to invest our development resources.
[When this will happen:]
General Availability (Worldwide, GCC, GCC High, DoD): This retirement will begin rolling out in late January 2025 and is expected to complete in early May 2025 (previously early March 2025).
2025-02-11 | MC Title
old: Upcoming changes to Defender for Identity activities and alerts in Defender for Cloud Apps experiences
new: (Updated) Upcoming changes to Defender for Identity activities and alerts in Defender for Cloud Apps experiences
2025-02-11 | MC Last Updated | old: 12/31/2024 18:55:49 | new: 2025-02-10T16:18:15Z
2025-02-11 | MC Summary
old: Defender for Identity activities and alerts will retire from Defender for Cloud Apps and move to Microsoft Defender XDR services. This change starts in late January 2025 and completes in early March 2025. Users must prepare by creating new custom detections and updating resources accordingly.
new: Defender for Identity activities and alerts will retire from Defender for Cloud Apps and move to Microsoft Defender XDR services. This change starts in late January 2025 and completes in early May 2025. Users must prepare by creating new custom detections and updating resources accordingly.
2025-01-01 | MC Messages
old:
As part of the convergence of both Microsoft Defender for Identity and Microsoft Defender for Cloud Apps into Microsoft Defender XDR services, we are continuing to move away from legacy experiences and enhancing the unified experiences.
Therefore, we will gradually retire Defender for Identity's Active Directory and alerts data from Defender for Cloud Apps dedicated experiences. All data, as well as all functionality of the affected experiences, remain available through Microsoft Defender XDR unified experiences, where we will continue to invest our development resources.
[When this will happen:]
General Availability (Worldwide, GCC, GCC High, DoD): This retirement will begin rolling out in late January 2025 and is expected to complete in early March 2025.
new:
Updated December 31, 2024: We have updated the content. Thank you for your patience.
As part of the convergence of both Microsoft Defender for Identity and Microsoft Defender for Cloud Apps into Microsoft Defender XDR services, we are continuing to move away from legacy experiences and enhancing the unified experiences.
Therefore, we will gradually retire Defender for Identity's Active Directory and alerts data from Defender for Cloud Apps dedicated experiences. All data, as well as all functionality of the affected experiences, remain available through Microsoft Defender XDR unified experiences, where we will continue to invest our development resources.
[When this will happen:]
General Availability (Worldwide, GCC, GCC High, DoD): This retirement will begin rolling out in late January 2025 and is expected to complete in early March 2025.
2025-01-01 | MC MessageTagNames | old: Admin impact, Retirement | new: Updated message, Admin impact, Retirement
2025-01-01 | MC How Affect
old:
You are receiving this message because the following changes may affect your organization:
Active directory activities coming from Defender for Identity will no longer be available in Defender for Cloud Apps activity logs. Consequently, Defender for Cloud Apps activity policies will cease from triggering based on Active Directory data.
All Active Directory activities data remains available through Advanced Hunting, in the following tables:
IdentityLogonEvents
IdentityDirectoryEvents
IdentityQueryEvents
To learn more about Advanced Hunting and the Data Schema, visit Proactively hunt for threats with advanced hunting in Microsoft Defender and Understand the advanced hunting schema.
New Active Directory activities, as well as Defender for Identity's alerts data, will no longer be available through Defender for Cloud Apps Activities API, Alerts API, or dedicated SIEM agents.
All activities and alerts data remains available through Defender XDR Streaming API and Event Hubs.
Learn more about Streaming API.
For more information about how to integrate your SIEM tools with Microsoft Defender XDR, visit Ingesting streaming event data via Event Hubs.
The Identities page under 'Assets' in the XDR portal will be updated to better support the new experiences. The page will be divided into two distinct tabs: First-party identities and Third-party accounts. To learn more about Defender for Identity's experiences in the XDR portal, visit Microsoft Defender for Identity in the Microsoft Defender portal.
new:
You are receiving this message because the following changes may affect your organization:
Active directory activities coming from Defender for Identity will no longer be available in Defender for Cloud Apps activity logs. Consequently, Defender for Cloud Apps activity policies will cease from triggering based on Active Directory data.
All Active Directory activities data remains available through Advanced Hunting, in the following tables:
IdentityLogonEvents
IdentityDirectoryEvents
IdentityQueryEvents
To learn more about Advanced Hunting and the Data Schema, visit Proactively hunt for threats with advanced hunting in Microsoft Defender and Understand the advanced hunting schema.
New Active Directory activities, as well as Defender for Identity's alerts data, will no longer be available through Defender for Cloud Apps Activities API, Alerts API, or dedicated SIEM agents.
All activities and alerts data remains available through Defender XDR Streaming API and Event Hubs.
Learn more about Streaming API.
For more information about how to integrate your SIEM tools with Microsoft Defender XDR, visit Ingesting streaming event data via Event Hubs.
The Identities page under 'Assets' in the XDR portal will be updated to better support the new experiences. The page will be divided into two distinct tabs: First-party identities and Third-party accounts. In the User page, "View related activity" action will no longer be available. To learn more about Defender for Identity's experiences in the XDR portal, visit Microsoft Defender for Identity in the Microsoft Defender portal.
2025-01-01 | MC Last Updated | old: 11/22/2024 23:28:23 | new: 2024-12-31T18:55:49Z
2025-01-01 | MC Summary
Defender for Identity activities and alerts will retire from Defender for Cloud Apps and move to Microsoft Defender XDR services. This change starts in late January 2025 and completes in early March 2025. Users must prepare by creating new custom detections and updating resources accordingly.
