check before: 2025-05-15
Product:
Defender, Defender for Cloud Apps, Defender XDR, Microsoft 365 Apps
Platform:
Online, US Instances, World tenant
Status:
Change type:
Admin impact, Feature update, Updated message
Links:
Details:
Summary:
Microsoft Defender for Cloud Apps will disable three pre-defined policies by default by mid-May, 2025, to improve alert accuracy. The policies affected are related to data usage, unusual activity, and access to sensitive data. Users can re-enable these policies if desired. No immediate action is required.
Details:
Updated April 10, 2025: We have updated the rollout timeline below. Thank you for your patience.
Microsoft Defender for Cloud Apps is continuously working to ensure that our out-of-the-box (OOTB) threat protection capabilities within App Governance are as accurate and effective as possible.
As part of this effort, we will be disabling by default three specific pre-defined policies that have been found to mostly trigger on legitimate activities, rather than alerting on malicious ones. This change is aimed at improving the overall accuracy of our alerts by relying on more accurate sources that provide a comprehensive view of potential attacks, rather than focusing on isolated anomalous activities.
If you prefer to continue receiving these alerts, the option to re-enable them remains available.
[When this will happen:]
General Availability (Worldwide): We will begin rolling out mid-May (previously late April) and expect to complete by late May 2025.
General Availability (GCC, GCC High): We will begin rolling out late May 2025 (previously late April) and expect to complete by late May 2025.
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2025-03-20
updated:
2025-04-11
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
summary for non-techies**
Microsoft Defender for Cloud Apps will disable three specific policies related to data usage, unusual activity, and access to sensitive data by default to reduce false alerts, with changes rolling out in May 2025, but users can re-enable them if desired.
Direct effects for Operations**
Alert Management
Disabling pre-defined policies may lead to a lack of alerts for unusual activities, potentially allowing malicious actions to go unnoticed.
- roles: Security Analyst, IT Administrator
- references: https://learn.microsoft.com/defender-cloud-apps/app-governance-app-policies-get-started
User Experience
Users may experience a false sense of security due to fewer alerts, which could lead to complacency in monitoring app activities.
- roles: End User, Compliance Officer
- references: https://learn.microsoft.com/defender-cloud-apps/app-governance-app-policies-get-started
Policy Customization
Organizations that rely on the disabled policies for compliance may face challenges in meeting regulatory requirements without prior adjustments.
- roles: Compliance Officer, IT Administrator
- references: https://learn.microsoft.com/defender-cloud-apps/app-governance-app-policies-get-started
Configutation Options**
XXXXXXX ... paid membership only
Opportunities**
XXXXXXX ... free basic plan only
Potentional Risks**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
XXXXXXX ... free basic plan only
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
change history
| Date | Property | old | new |
| 2025-04-11 | MC MessageTagNames | Feature update, Admin impact | Updated message, Feature update, Admin impact |
| 2025-04-11 | MC Summary | Microsoft Defender for Cloud Apps will disable three pre-defined policies by default on April 21, 2025, to improve alert accuracy. The policies affected are related to data usage, unusual activity, and access to sensitive data. Users can re-enable these policies if desired. No immediate action is required. | Microsoft Defender for Cloud Apps will disable three pre-defined policies by default by mid-May, 2025, to improve alert accuracy. The policies affected are related to data usage, unusual activity, and access to sensitive data. Users can re-enable these policies if desired. No immediate action is required. |
| 2025-04-11 | MC Last Updated | 03/20/2025 00:04:08 | 2025-04-10T17:05:36Z |
| 2025-04-11 | MC Messages | Microsoft Defender for Cloud Apps is continuously working to ensure that our out-of-the-box (OOTB) threat protection capabilities within App Governance are as accurate and effective as possible.
As part of this effort, we will be disabling by default three specific pre-defined policies that have been found to mostly trigger on legitimate activities, rather than alerting on malicious ones. This change is aimed at improving the overall accuracy of our alerts by relying on more accurate sources that provide a comprehensive view of potential attacks, rather than focusing on isolated anomalous activities. If you prefer to continue receiving these alerts, the option to re-enable them remains available. [When this will happen:] General Availability (Worldwide, GCC, GCC High): Rollout is simultaneous to all tenants and will happen on April 21, 2025 | Updated April 10, 2025: We have updated the rollout timeline below. Thank you for your patience.
Microsoft Defender for Cloud Apps is continuously working to ensure that our out-of-the-box (OOTB) threat protection capabilities within App Governance are as accurate and effective as possible. As part of this effort, we will be disabling by default three specific pre-defined policies that have been found to mostly trigger on legitimate activities, rather than alerting on malicious ones. This change is aimed at improving the overall accuracy of our alerts by relying on more accurate sources that provide a comprehensive view of potential attacks, rather than focusing on isolated anomalous activities. If you prefer to continue receiving these alerts, the option to re-enable them remains available. [When this will happen:] General Availability (Worldwide): We will begin rolling out mid-May (previously late April) and expect to complete by late May 2025. General Availability (GCC, GCC High): We will begin rolling out late May 2025 (previously late April) and expect to complete by late May 2025. |
| 2025-04-11 | MC Title | Updates to App Governance Pre-Defined Policies in Defender for Cloud Apps | (Updated) Updates to App Governance Pre-Defined Policies in Defender for Cloud Apps |
| 2025-04-11 | MC How Affect | These specific pre-defined policies within App Governance will be switched off for all customers by default. The policies being disabled are:
Increase in data usage by an overprivileged or highly privileged app Unusual activity from an app with priority account consent Access to sensitive data This change will reduce the number of alerts triggered by legitimate activities, allowing you to focus on more accurate and relevant security notifications. The remaining policies and our advanced threat detection engines, which are always enabled and running behind the scenes, will continue to provide robust protection by correlating multiple pieces of evidence to identify potential attacks with higher confidence. If for any reason you prefer to continue receiving these alerts can re-enable the policies via the policy management interface. Additionally, we provide tools for customers to create custom policies tailored to their specific needs. For more details, please refer to the relevant documentation. For more details, please refer to the relevant documentation: Get started with app policies | These specific pre-defined policies within App Governance will be switched off for all customers by default. The policies being disabled are:
Increase in data usage by an overprivileged or highly privileged app Unusual activity from an app with priority account consent Access to sensitive data This change will reduce the number of alerts triggered by legitimate activities, allowing you to focus on more accurate and relevant security notifications. The remaining policies and our advanced threat detection engines, which are always enabled and running behind the scenes, will continue to provide robust protection by correlating multiple pieces of evidence to identify potential attacks with higher confidence. If you have made any changes to customize the existing pre-defined policy template, they will not be disabled as part of this change. If for any reason you prefer to continue receiving these alerts, you can re-enable the policies via the policy management interface. Additionally, we provide tools for customers to create custom policies tailored to their specific needs. For more details, please refer to the relevant documentation. For more details, please refer to the relevant documentation: Get started with app policies |
Last updated 2 weeks ago
