MC1077861 – (Updated) Microsoft Defender for Cloud Apps: SIEM agents will retire

check before: 2025-06-18

Product:

Defender, Defender for Cloud Apps, Defender XDR, Entra, Microsoft Graph, Stream

Platform:

Developer, Online, World tenant

Change type:

Admin impact, Retirement, Updated message

Summary:
Microsoft Defender for Cloud Apps will retire SIEM agents between late December 2025 and early January 2026. No new SIEM agents can be configured after June 19, 2025. Users should transition to unified APIs and SIEM solutions for alerts and activity data to ensure continuity and enhanced capabilities.

Details:
Updated December 1, 2025: We have updated the timeline. Thank you for your patience.
As part of our ongoing convergence process for all Microsoft Defender workloads, we will retire SIEM (Security Information and Event Management) agents from Microsoft Defender for Cloud Apps starting in late December 2025 (previously mid-November) and ending in early January 2026 (previously late November 2025). We recommend you transition to APIs that support the management of activities and alerts data from multiple workloads.

Created:
2025-05-20

updated:
2025-12-03

Direct effects for Operations**

Retirement of SIEM Agents
Without proper transition planning, users may lose access to critical security alerts and activity data, leading to potential security vulnerabilities.
   - roles: Security Administrators, IT Managers
   - references: https://learn.microsoft.com/defender-cloud-apps/siem

Increased Security Risks
Failure to migrate to unified APIs may result in gaps in security monitoring, increasing the risk of undetected security incidents.
   - roles: Security Analysts, Compliance Officers
   - references: https://learn.microsoft.com/defender-xdr/advanced-hunting-identitylogonevents-table

Operational Disruption
The abrupt discontinuation of SIEM agents could disrupt ongoing security operations, affecting incident response times and overall security posture.
   - roles: Incident Response Teams, System Administrators
   - references: https://learn.microsoft.com/defender-xdr/api-incident

User Experience Degradation
Users may experience delays or lack of visibility into security events, leading to frustration and decreased trust in IT systems.
   - roles: End Users, Help Desk Support
   - references: https://learn.microsoft.com/defender-xdr/streaming-api

Training and Adaptation Needs
Users will require training on new APIs and SIEM solutions, which may not be feasible without adequate preparation, leading to a steep learning curve.
   - roles: Training Coordinators, IT Support Staff
   - references: https://learn.microsoft.com/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http

** AI generated content. This information must be reviewed before use.

change history

| Date | Property | old | new |
| --- | --- | --- | --- |
| 2025-12-03 | MC MessageTagNames | Admin impact, Retirement | Updated message, Admin impact, Retirement |
| 2025-12-03 | MC Summary | Microsoft Defender for Cloud Apps will retire SIEM agents between mid-November 2025 and late November 2025. No new SIEM agents can be configured after June 19, 2025. Transition to APIs for managing activities and alerts data from multiple workloads is recommended. Microsoft Sentinel agents remain supported. | Microsoft Defender for Cloud Apps will retire SIEM agents between late December 2025 and early January 2026. No new SIEM agents can be configured after June 19, 2025. Users should transition to unified APIs and SIEM solutions for alerts and activity data to ensure continuity and enhanced capabilities. |
| 2025-12-03 | MC Last Updated | 05/20/2025 01:43:41 | 2025-12-02T18:23:07Z |
| 2025-12-03 | MC Messages | As part of our ongoing convergence process for all Microsoft Defender workloads, we will retire SIEM (Security Information and Event Management) agents from Microsoft Defender for Cloud Apps in starting mid-November 2025 and ending late November 2025. We recommend you transition to APIs that support the management of activities and alerts data from multiple workloads. | Updated December 1, 2025: We have updated the timeline. Thank you for your patience. As part of our ongoing convergence process for all Microsoft Defender workloads, we will retire SIEM (Security Information and Event Management) agents from Microsoft Defender for Cloud Apps in starting late December 2025 (previously mid-November) and ending early January 2026 (previously late November 2025). We recommend you transition to APIs that support the management of activities and alerts data from multiple workloads. |
| 2025-12-03 | MC Title | Microsoft Defender for Cloud Apps: SIEM agents will retire | (Updated) Microsoft Defender for Cloud Apps: SIEM agents will retire |
| 2025-12-03 | MC End Time | 01/09/2026 09:00:00 | 2026-02-16T09:00:00Z |
