check before: 2025-06-18
Product:
Defender, Defender for Cloud Apps, Defender XDR, Entra, Microsoft Graph, Stream
Platform:
Developer, Online, World tenant
Status:
Change type:
Admin impact, Retirement, Updated message
Links:
Details:
Summary:
Microsoft Defender for Cloud Apps will retire SIEM agents, with no new agents configurable after June 19, 2025. The rollout is paused, and users are advised to transition to unified APIs and SIEM solutions for alerts and activity data to ensure continuity and enhanced capabilities.
Details:
Updated December 23, 2025: We have paused rollout of this feature. We will announce via Message center when we are ready to proceed. Thank you for your patience.
As part of our ongoing convergence process for all Microsoft Defender workloads, we planned to retire SIEM (Security Information and Event Management) agents from Microsoft Defender for Cloud Apps in late December 2025 (previously mid-November) and ending early January 2026 (previously late November 2025). We have paused this release and will communicate via Message center when we are ready to proceed.
We recommend you transition to APIs that support the management of activities and alerts data from multiple workloads.
Created:
2025-05-20
updated:
2025-12-24
Direct effects for Operations**
Retirement of SIEM Agents
Without preparation, the retirement of SIEM agents may lead to a lack of alerting and monitoring capabilities, resulting in undetected security incidents.
- roles: Security Administrators, IT Operations Managers
- references: https://learn.microsoft.com/defender-cloud-apps/siem
Transition to Unified APIs
Failure to transition to unified APIs may cause disruptions in data access and reporting, leading to potential security blind spots.
- roles: Data Analysts, Security Analysts
- references: https://learn.microsoft.com/defender-xdr/streaming-api
Increased Workload on IT Staff
The sudden need to migrate to new systems without preparation may overwhelm IT staff, leading to delays in incident response and support.
- roles: IT Support Technicians, System Administrators
- references: https://learn.microsoft.com/defender-xdr/api-incident
User Experience Degradation
Users may experience delays or unavailability of security alerts and data, impacting their ability to respond to security threats effectively.
- roles: End Users, Security Operations Center (SOC) Analysts
- references: https://learn.microsoft.com/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http
Compliance Risks
Not transitioning to new systems may result in non-compliance with security regulations, leading to potential legal and financial repercussions.
- roles: Compliance Officers, Risk Management Professionals
- references: https://learn.microsoft.com/defender-cloud-apps/siem
explanation for non-techies**
Microsoft is making a change to how its Defender for Cloud Apps interacts with SIEM (Security Information and Event Management) systems. Think of SIEM agents like the messengers in a large company. They gather important security information from different parts of the organization and deliver it to a central place where it can be analyzed. Microsoft has decided to retire these messengers, or SIEM agents, for their Defender for Cloud Apps. This means that after June 19, 2025, you won't be able to set up new messengers, although the existing ones will continue to work until early 2026.
Instead of using these messengers, Microsoft is encouraging users to switch to using APIs. APIs can be thought of as a more efficient and faster way to communicate. Imagine replacing a messenger on foot with a high-speed internet connection. This change allows for quicker and more comprehensive data sharing across different Microsoft security products. By using these APIs, you can access alerts and activity data from multiple sources, not just from the Cloud Apps, which enhances your ability to monitor and manage security.
For those concerned about continuity, Microsoft assures that the same data you used to get through the SIEM agents will still be available through these new methods. They recommend starting to plan your transition to these APIs to take advantage of their enhanced capabilities. This transition is akin to upgrading from an old, reliable car to a new, more efficient model. It might take some getting used to, but it offers more features and better performance in the long run.
** AI generated content. This information must be reviewed before use.
change history
| Date | Property | old | new |
| --- | --- | --- | --- |
| 2025-12-24 | MC Last Updated | 12/02/2025 18:23:07 | 2025-12-23T18:49:04Z |
| 2025-12-24 | MC Messages | Updated December 1, 2025: We have updated the timeline. Thank you for your patience. As part of our ongoing convergence process for all Microsoft Defender workloads, we will retire SIEM (Security Information and Event Management) agents from Microsoft Defender for Cloud Apps in starting late December 2025 (previously mid-November) and ending early January 2026 (previously late November 2025). We recommend you transition to APIs that support the management of activities and alerts data from multiple workloads. | Updated December 23, 2025: We have paused rollout of this feature. We will announce via Message center when we are ready to proceed. Thank you for your patience. As part of our ongoing convergence process for all Microsoft Defender workloads, we planned to retire SIEM (Security Information and Event Management) agents from Microsoft Defender for Cloud Apps in late December 2025 (previously mid-November) and ending early January 2026 (previously late November 2025). We have paused this release and will communicate via Message center when we are ready to proceed. We recommend you transition to APIs that support the management of activities and alerts data from multiple workloads. |
| 2025-12-24 | MC End Time | 02/16/2026 09:00:00 | 2026-03-31T10:00:00Z |
| 2025-12-24 | MC Summary | Microsoft Defender for Cloud Apps will retire SIEM agents between late December 2025 and early January 2026. No new SIEM agents can be configured after June 19, 2025. Users should transition to unified APIs and SIEM solutions for alerts and activity data to ensure continuity and enhanced capabilities. | Microsoft Defender for Cloud Apps will retire SIEM agents, with no new agents configurable after June 19, 2025. The rollout is paused, and users are advised to transition to unified APIs and SIEM solutions for alerts and activity data to ensure continuity and enhanced capabilities. |
| 2025-12-03 | MC MessageTagNames | Admin impact, Retirement | Updated message, Admin impact, Retirement |
| 2025-12-03 | MC Summary | Microsoft Defender for Cloud Apps will retire SIEM agents between mid-November 2025 and late November 2025. No new SIEM agents can be configured after June 19, 2025. Transition to APIs for managing activities and alerts data from multiple workloads is recommended. Microsoft Sentinel agents remain supported. | Microsoft Defender for Cloud Apps will retire SIEM agents between late December 2025 and early January 2026. No new SIEM agents can be configured after June 19, 2025. Users should transition to unified APIs and SIEM solutions for alerts and activity data to ensure continuity and enhanced capabilities. |
| 2025-12-03 | MC Last Updated | 05/20/2025 01:43:41 | 2025-12-02T18:23:07Z |
| 2025-12-03 | MC Messages | As part of our ongoing convergence process for all Microsoft Defender workloads, we will retire SIEM (Security Information and Event Management) agents from Microsoft Defender for Cloud Apps in starting mid-November 2025 and ending late November 2025. We recommend you transition to APIs that support the management of activities and alerts data from multiple workloads. | Updated December 1, 2025: We have updated the timeline. Thank you for your patience. As part of our ongoing convergence process for all Microsoft Defender workloads, we will retire SIEM (Security Information and Event Management) agents from Microsoft Defender for Cloud Apps in starting late December 2025 (previously mid-November) and ending early January 2026 (previously late November 2025). We recommend you transition to APIs that support the management of activities and alerts data from multiple workloads. |
| 2025-12-03 | MC Title | Microsoft Defender for Cloud Apps: SIEM agents will retire | (Updated) Microsoft Defender for Cloud Apps: SIEM agents will retire |
| 2025-12-03 | MC End Time | 01/09/2026 09:00:00 | 2026-02-16T09:00:00Z |
Last updated 2 months ago