check before: 2026-05-01
Product:
Defender, Defender for Cloud Apps, Defender XDR
Platform:
Online, US Instances, World tenant
Status:
Change type:
Admin impact, Retirement
Links:
Details:
Summary:
Microsoft Defender for Cloud Apps will retire select IaaS and PaaS threat detections by mid-May 2026 due to low impact, focusing on identity-related threats. Affected alerts and policies will be removed, but historical data remains accessible. No admin action is required, though updating related processes is recommended.
Details:
[Introduction]
Microsoft Defender for Cloud Apps is retiring a small set of Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) threat detections. These detections no longer align with the current threat protection scope of Defender for Cloud Apps, which is focused on identity-related threats across Entra, on‑premises, and SaaS environments.
Following internal review, these detections are being retired due to low prevalence and low customer impact, allowing us to focus engineering investment on higher-value and more common threat scenarios.
[When this will happen:]
General Availability (Worldwide, GCC, GCC High, DoD): Retirement begins early May 2026 and is expected to complete by mid‑May 2026.
Release Phase:
Created:
2026-03-18
updated:
2026-03-18
Direct effects for Operations**
Loss of Threat Detection Alerts
Retirement of IaaS and PaaS threat detections will result in the absence of alerts for suspicious activities, potentially leading to undetected security incidents.
- roles: Security Administrators, Compliance Officers
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/announcing-the-retirement-of-select-threat-detections-in/ba-p/3851230
Increased Risk of Security Incidents
Without alerts for certain threat detections, organizations may face increased risk of security breaches due to lack of monitoring for specific activities.
- roles: Security Administrators, IT Operations Managers
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/announcing-the-retirement-of-select-threat-detections-in/ba-p/3851230
Operational Process Disruption
Existing operational processes and playbooks referencing the retired detections may become outdated, leading to confusion and inefficiencies in incident response.
- roles: Security Administrators, IT Support Staff
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/announcing-the-retirement-of-select-threat-detections-in/ba-p/3851230
Compliance Reporting Challenges
Changes in detection capabilities may complicate compliance reporting and monitoring, as certain alerts will no longer be available for review.
- roles: Compliance Officers, Security Auditors
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/announcing-the-retirement-of-select-threat-detections-in/ba-p/3851230
User Experience Impact
Users may experience delays in incident response due to the lack of alerts for specific activities, potentially affecting their trust in IT security measures.
- roles: End Users, IT Support Staff
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/announcing-the-retirement-of-select-threat-detections-in/ba-p/3851230
** AI generated content. This information must be reviewed before use.
Last updated 3 weeks ago