MC1217649 – Endpoint DLP-sensitive data alerting retiring in Defender; use Purview DLP

check before: 2026-02-15

Product:

Defender, Defender XDR, Microsoft 365 Apps, Purview, Purview Communication Compliance

Platform:

Online, World tenant

Change type:

User impact, Admin impact, Retirement

Summary:
Microsoft is retiring endpoint-sensitive data alerting in the Microsoft Defender portal by March 23, 2026. Organizations must switch to Microsoft Purview DLP for alerting, enforcement, and investigation of sensitive data activities on endpoints. Existing Defender alert policies will stop generating alerts after this date.

Details:
[Introduction]
We're retiring the ability to create alert policies and generate DLP alerts for sensitive data activities on endpoints in the Microsoft Defender portal. This change unifies endpoint data loss prevention (DLP) detection and alerting under Microsoft Purview DLP, giving organizations a more consistent experience and access to advanced enforcement and investigation capabilities in Microsoft Defender XDR.
[When this will happen]
- February 16, 2026: Sensitive data activity options will be removed from new alert policy creation in the Microsoft Defender portal.
- March 23, 2026: Existing alert policies using these activities will stop generating alerts.

Created:
2026-01-14

updated:
2026-01-14

Direct effects for Operations**

Loss of Alerting Capabilities
Existing alert policies in Microsoft Defender will stop generating alerts for sensitive data activities, leading to potential undetected data breaches.
   - roles: Security Admin, Compliance Officer
   - references: https://learn.microsoft.com/purview/endpoint-dlp-getting-started

Increased Risk of Data Loss
Without alerting, sensitive data activities may go unnoticed, increasing the risk of data loss or leakage.
   - roles: Security Admin, IT Support
   - references: https://learn.microsoft.com/purview/endpoint-dlp-getting-started

Operational Disruption
Admins will need to recreate alerting policies in Microsoft Purview DLP, which may lead to temporary gaps in monitoring.
   - roles: Security Admin, IT Manager
   - references: https://learn.microsoft.com/purview/endpoint-dlp-getting-started

User Experience Degradation
Users may not receive timely notifications or alerts about sensitive data activities, leading to confusion and potential policy violations.
   - roles: End User, Helpdesk Staff
   - references: https://learn.microsoft.com/purview/endpoint-dlp-getting-started

Documentation and Training Needs
Internal documentation will need updates, and staff may require training on the new Purview DLP system, impacting productivity.
   - roles: Training Coordinator, IT Support
   - references: https://learn.microsoft.com/purview/endpoint-dlp-getting-started

explanation for non-techies**

Microsoft is making a change to how organizations handle alerts for sensitive data activities on their devices. Imagine if you had a security guard who used to watch over a specific area of your office, but now you're moving that responsibility to a more advanced security system that covers the entire building. That's what's happening here.

Previously, Microsoft Defender was like that security guard, focusing on specific tasks like alerting you when sensitive data was copied to a USB drive or uploaded to a third-party app. However, by March 23, 2026, this function will be retired, and organizations will need to use Microsoft Purview DLP for these alerts.

Think of Microsoft Purview DLP as the new, comprehensive security system. It not only watches over the same areas but also offers additional features like blocking certain activities and providing more detailed investigations. This change aims to provide a more unified and robust approach to data protection.

For those managing these systems, it means reviewing current alert policies in Microsoft Defender and transitioning them to Microsoft Purview DLP. It's like updating your security protocols to ensure the new system is fully operational and your team is informed about the changes. If your current setup doesn't rely on these specific alerts, then no immediate action is needed. However, it's always a good idea to update any internal documentation and inform relevant teams about the shift to ensure a smooth transition.

** AI generated content. This information must be reviewed before use.
