check before: 2025-01-01
Product:
Defender, Defender for Cloud Apps, Defender for Identity, Defender XDR, Stream
Platform:
Online, US Instances, World tenant
Status:
Change type:
Admin impact, Retirement, Updated message
Links:

Details:
Summary:
Defender for Identity activities and alerts will retire from Defender for Cloud Apps and move to Microsoft Defender XDR services. This change starts in late January 2025 and completes in early March 2025. Users must prepare by creating new custom detections and updating resources accordingly.
Details:
Updated December 31, 2024: We have updated the content. Thank you for your patience.
As part of the convergence of both Microsoft Defender for Identity and Microsoft Defender for Cloud Apps into Microsoft Defender XDR services, we are continuing to move away from legacy experiences and enhancing the unified experiences.
Therefore, we will gradually retire Defender for Identity's Active Directory and alerts data from Defender for Cloud Apps dedicated experiences. All data, as well as all functionality of the affected experiences, remain available through Microsoft Defender XDR unified experiences, where we will continue to invest our development resources.
[When this will happen:]
General Availability (Worldwide, GCC, GCC High, DoD): This retirement will begin rolling out in late January 2025 and is expected to complete in early March 2025.
Release Phase:
Created:
2024-11-23
updated:
2025-01-01
summary for non-techies**
Microsoft is consolidating Defender for Identity activities and alerts into Microsoft Defender XDR services, moving them from Defender for Cloud Apps, with the transition starting in late January 2025 and completing by early March 2025, requiring organizations to update their systems and set up new custom detections.
Direct effects for Operations**
Loss of Active Directory Data in Defender for Cloud Apps
Active Directory activities will no longer be available in Defender for Cloud Apps, impacting the ability to monitor and respond to security incidents effectively.
- roles: Security Analyst, IT Administrator
- references: https://learn.microsoft.com/defender-xdr/advanced-hunting-overview
Disruption in Activity Policies
Defender for Cloud Apps activity policies will cease triggering based on Active Directory data, potentially leading to unmonitored security events.
- roles: Security Analyst, Compliance Officer
- references: https://learn.microsoft.com/defender-xdr/advanced-hunting-schema-tables
Need for Custom Detections
Organizations must create new custom detections for activity policies based on Active Directory data, requiring additional time and resources.
- roles: Security Analyst, IT Administrator
- references: https://learn.microsoft.com/defender-xdr/custom-detection-rules
Changes in User Experience in XDR Portal
The Identities page will be updated, and the 'View related activity' action will no longer be available, potentially hindering user navigation and efficiency.
- roles: Security Analyst, End User
- references: https://learn.microsoft.com/defender-xdr/microsoft-365-security-center-mdi
Integration Challenges with SIEM Tools
Existing integrations with Defender for Cloud Apps dedicated API and SIEM agents will need to be updated, which may lead to temporary data gaps.
- roles: IT Administrator, Security Engineer
- references: https://learn.microsoft.com/defender-xdr/configure-siem-defender#ingesting-streaming-event-data-via-event-hubs
** AI generated content. This information must be reviewed before use.

change history
Date | Property | old | new |
2025-01-01 | MC Messages | As part of the convergence of both Microsoft Defender for Identity and Microsoft Defender for Cloud Apps into Microsoft Defender XDR services, we are continuing to move away from legacy experiences and enhancing the unified experiences.
Therefore, we will gradually retire Defender for Identity's Active Directory and alerts data from Defender for Cloud Apps dedicated experiences. All data, as well as all functionality of the affected experiences, remain available through Microsoft Defender XDR unified experiences, where we will continue to invest our development resources. [When this will happen:] General Availability (Worldwide, GCC, GCC High, DoD): This retirement will begin rolling out in late January 2025 and is expected to complete in early March 2025. | Updated December 31, 2024: We have updated the content. Thank you for your patience.
As part of the convergence of both Microsoft Defender for Identity and Microsoft Defender for Cloud Apps into Microsoft Defender XDR services, we are continuing to move away from legacy experiences and enhancing the unified experiences. Therefore, we will gradually retire Defender for Identity's Active Directory and alerts data from Defender for Cloud Apps dedicated experiences. All data, as well as all functionality of the affected experiences, remain available through Microsoft Defender XDR unified experiences, where we will continue to invest our development resources. [When this will happen:] General Availability (Worldwide, GCC, GCC High, DoD): This retirement will begin rolling out in late January 2025 and is expected to complete in early March 2025. |
2025-01-01 | MC MessageTagNames | Admin impact, Retirement | Updated message, Admin impact, Retirement |
2025-01-01 | MC How Affect | You are receiving this message because the following changes may affect your organization:
Active directory activities coming from Defender for Identity will no longer be available in Defender for Cloud Apps activity logs. Consequently, Defender for Cloud Apps activity policies will cease from triggering based on Active Directory data. All Active Directory activities data remains available through Advanced Hunting, in the following tables: IdentityLogonEvents IdentityDirectoryEvents IdentityQueryEvents To learn more about Advanced Hunting and the Data Schema, visit Proactively hunt for threats with advanced hunting in Microsoft Defender and Understand the advanced hunting schema. New Active Directory activities, as well as Defender for Identity's alerts data, will no longer be available through Defender for Cloud Apps Activities API, Alerts API, or dedicated SIEM agents. All activities and alerts data remains available through Defender XDR Streaming API and Event Hubs. Learn more about Streaming API. For more information about how to integrate your SIEM tools with Microsoft Defender XDR, visit Ingesting streaming event data via Event Hubs. The Identities page under 'Assets' in the XDR portal will be updated to better support the new experiences. The page will be divided into two distinct tabs: First-party identities and Third-party accounts. To learn more about Defender for Identity's experiences in the XDR portal, visit Microsoft Defender for Identity in the Microsoft Defender portal. | You are receiving this message because the following changes may affect your organization:
Active directory activities coming from Defender for Identity will no longer be available in Defender for Cloud Apps activity logs. Consequently, Defender for Cloud Apps activity policies will cease from triggering based on Active Directory data. All Active Directory activities data remains available through Advanced Hunting, in the following tables: IdentityLogonEvents IdentityDirectoryEvents IdentityQueryEvents To learn more about Advanced Hunting and the Data Schema, visit Proactively hunt for threats with advanced hunting in Microsoft Defender and Understand the advanced hunting schema. New Active Directory activities, as well as Defender for Identity's alerts data, will no longer be available through Defender for Cloud Apps Activities API, Alerts API, or dedicated SIEM agents. All activities and alerts data remains available through Defender XDR Streaming API and Event Hubs. Learn more about Streaming API. For more information about how to integrate your SIEM tools with Microsoft Defender XDR, visit Ingesting streaming event data via Event Hubs. The Identities page under 'Assets' in the XDR portal will be updated to better support the new experiences. The page will be divided into two distinct tabs: First-party identities and Third-party accounts. In the User page, "View related activity" action will no longer be available. To learn more about Defender for Identity's experiences in the XDR portal, visit Microsoft Defender for Identity in the Microsoft Defender portal. |
2025-01-01 | MC Last Updated | 11/22/2024 23:28:23 | 2024-12-31T18:55:49Z |
2025-01-01 | MC Summary | Defender for Identity activities and alerts will retire from Defender for Cloud Apps and move to Microsoft Defender XDR services. This change starts in late January 2025 and completes in early March 2025. Users must prepare by creating new custom detections and updating resources accordingly. |
Last updated 1 month ago