โ† Back
(Updated) Microsoft Defender for Cloud Apps: SIEM agents will retire
MC1077861 ยท build prod-20251231-200323
Category
planForChange
Severity
normal
Major change
True
Last modified
2025-12-23 17:49:04
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
2025-06-18 07:00:00
Action by (AI)
โ€”
Services
Microsoft Defender XDR
Tags
Updated message, Admin impact, Retirement
Master tags
Admin, Security
Roadmap IDs

One-line summary

Retirement of SIEM agents for Microsoft Defender for Cloud Apps is paused; no new SIEM agents can be configured after June 19, 2025. Transition to supported APIs for continued access.

Similar updates

More like this

Details

Summary
Microsoft Defender for Cloud Apps will retire SIEM agents, with no new agents configurable after June 19, 2025. The rollout is paused, and users are advised to transition to unified APIs and SIEM solutions for alerts and activity data to ensure continuity and enhanced capabilities.

Body (from Message Center)

Updated December 23, 2025: We have paused rollout of this feature. We will announce via Message center when we are ready to proceed. Thank you for your patience. 

As part of our ongoing convergence process for all Microsoft Defender workloads, we planned to retire SIEM (Security Information and Event Management) agents from Microsoft Defender for Cloud Apps in late December 2025 (previously mid-November) and ending early January 2026 (previously late November 2025). We have puased this release and will communicate via Message center when we are ready to proceed.

We recommend you transition to APIs that support the management of activities and alerts data from multiple workloads.

[How this will affect your organization:]

Existing Microsoft Defender for Cloud Apps SIEM agents will function as is until the SIEM agents retire, but no new SIEM agents can be configured starting June 19, 2025. Microsoft Sentinel agents will remain supported and can still be added.

Defender for Cloud Apps alerts and activities data currently supported in the SIEM agents are also available in the unified API and SIEM solutions that provide access to alerts and activity data for all Microsoft security products, for cross-workload visibility:

These APIs enhance security monitoring and management and offer additional supported capabilities that utilize data from multiple Microsoft Defender workloads.

[What you need to do to prepare:]

To ensure continuity and access to the same data available before this retirement through Microsoft Defender for Cloud Apps SIEM agents, we recommend transitioning to the supported unified API and SIEM solutions. We encourage you to begin planning your migration to these solutions to take advantage of their enhanced capabilities.

Learn more: Generic SIEM integration - Microsoft Defender for Cloud Apps | Microsoft Learn

Raw JSON (for debugging)

Expand/collapse the full payload below.
Show/hide raw
{
  "snapshot_item": {
    "action_required_by": "2025-06-18T07:00:00Z",
    "ai_action_required_by": null,
    "ai_actions": [
      "Plan migration from SIEM agents to supported APIs",
      "Stop configuring new SIEM agents after June 19, 2025"
    ],
    "ai_master_tags": [
      "Admin",
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Retirement of SIEM agents for Microsoft Defender for Cloud Apps is paused; no new SIEM agents can be configured after June 19, 2025. Transition to supported APIs for continued access.",
    "ai_topics": [
      "Defender",
      "Entra"
    ],
    "category": "planForChange",
    "details_map": {
      "Summary": "Microsoft Defender for Cloud Apps will retire SIEM agents, with no new agents configurable after June 19, 2025. The rollout is paused, and users are advised to transition to unified APIs and SIEM solutions for alerts and activity data to ensure continuity and enhanced capabilities."
    },
    "id": "MC1077861",
    "importance": 5,
    "is_major_change": true,
    "last_modified": "2025-12-23T17:49:04Z",
    "ms_products": [
      "Defender"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Microsoft Defender XDR"
    ],
    "severity": "normal",
    "tags": [
      "Updated message",
      "Admin impact",
      "Retirement"
    ],
    "title": "(Updated) Microsoft Defender for Cloud Apps: SIEM agents will retire"
  }
}