MC1169078 – Microsoft Defender for Cloud Apps: Improvements to threat protection capabilities

check before: 2025-11-01

Product:

Defender, Defender for Cloud Apps, Defender XDR, SharePoint

Platform:

Online, US Instances, World tenant

Status:

Scheduled

Change type:

Feature update, User impact, Admin impact

Links:

MC1061724

Details:

Summary:
Microsoft Defender for Cloud Apps will expand its dynamic threat detection model in November 2025, replacing legacy policies with more accurate, research-driven detections. This update improves threat detection accuracy and responsiveness, requires no admin action before rollout, and includes new detections enabled by default.

Details:
[Introduction:]
To improve threat detection accuracy and responsiveness, Microsoft Defender for Cloud Apps is expanding its dynamic model for threat protection. This update enhances the signal-to-noise ratio (SNR) of detections and enables faster adaptation to emerging threats, helping security teams stay ahead of evolving risks.
This rollout continues the migration of legacy threat detection policies, following the first batch announced in Message center post MC1061724. The second batch introduces new detections that replace several legacy policies, further aligning with our goal of delivering more precise, research-driven protection.
[When this will happen:]
General Availability (Worldwide, GCC, GCC High, DoD): Rollout begins early November 2025 and is expected to complete by the end of November 2025.

Release Phase:

Created:
2025-10-10

updated:
2025-10-10

Direct effects for Operations**

Legacy Policy Migration
The migration of legacy policies to new dynamic detections may lead to temporary gaps in threat detection capabilities, potentially exposing the organization to undetected threats during the transition period.
   - roles: Security Operations Center (SOC) Analyst, IT Administrator
   - references: https://learn.microsoft.com/defender-cloud-apps/anomaly-detection-policy

Governance Actions
Governance actions configured on legacy policies will be disabled, which may result in a lack of automated responses to certain threats until policies are re-enabled manually.
   - roles: Security Operations Center (SOC) Analyst, Compliance Officer
   - references: https://learn.microsoft.com/defender-cloud-apps/anomaly-detection-policy

User Experience
Users may experience increased alerts or notifications due to the new dynamic detections, which could lead to confusion or alert fatigue if not properly communicated.
   - roles: End User, Helpdesk Support
   - references: https://learn.microsoft.com/defender-cloud-apps/anomaly-detection-policy

explanation for non-techies**

Imagine you're in charge of security at a large event, like a concert. You have a team of security personnel who are trained to spot and respond to any potential threats. Over time, you've noticed that some of the security protocols you've been using are outdated and not as effective as they could be. So, you decide to upgrade your security measures to be more responsive and accurate in identifying real threats.

This is similar to what Microsoft is doing with its Defender for Cloud Apps. They are updating their threat detection system to be more dynamic and research-driven. Think of it as replacing older security measures with smarter, more adaptable ones that can quickly identify and respond to new types of threats, much like how a security team might use new technology to spot suspicious behavior at a concert.

The good news is that these changes are being implemented automatically, so there's no need for IT administrators to do anything before the rollout. It's like having a new security system installed at your event venue without needing to close down or disrupt operations. Once the new system is in place, it will work more efficiently to keep everything secure.

For those involved in managing security or IT, it's important to inform your teams about these updates. This way, everyone is aware of the new protocols and can adjust their practices accordingly. It's like briefing your security team on the new measures so they know what to look out for and how to respond.

Overall, these updates aim to enhance security by making threat detection more precise and timely, ensuring that your organization's digital environment is as safe as possible.

** AI generated content. This information must be reviewed before use.
