Microsoft Defender for Cloud Apps: Improvements to threat protection capabilities
MC1169078 · build prod-20251231-200323
Category
planForChange
Severity
normal
Major change
False
Last modified
2025-10-09 23:33:51
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
Action by (AI)
Services
Microsoft Defender XDR
Tags
Feature update, User impact, Admin impact
Master tags
Security
Roadmap IDs

One-line summary

Defender for Cloud Apps expands dynamic threat detection, replacing legacy policies with new, research-driven detections; rollout starts early November 2025 and completes by end of November.


Details

Summary
Microsoft Defender for Cloud Apps will expand its dynamic threat detection model in November 2025, replacing legacy policies with more accurate, research-driven detections. This update improves threat detection accuracy and responsiveness, requires no admin action before rollout, and includes new detections enabled by default.

Body (from Message Center)

[Introduction:]

To improve threat detection accuracy and responsiveness, Microsoft Defender for Cloud Apps is expanding its dynamic model for threat protection. This update enhances the signal-to-noise ratio (SNR) of detections and enables faster adaptation to emerging threats, helping security teams stay ahead of evolving risks.

This rollout continues the migration of legacy threat detection policies, following the first batch announced in Message center post MC1061724. The second batch introduces new detections that replace several legacy policies, further aligning with our goal of delivering more precise, research-driven protection.

[When this will happen:]

General Availability (Worldwide, GCC, GCC High, DoD): Rollout begins early November 2025 and is expected to complete by the end of November 2025.

[How this affects your organization:]

Who is affected:

Organizations using Microsoft Defender for Cloud Apps, including tenants in Worldwide, GCC, GCC High, and DoD environments.

What will happen:

  • The dynamic model will be expanded to include additional research-driven detections.
  • These detections are continuously updated by Microsoft security researchers to reflect the evolving threat landscape.
    • Detections may be added, removed, or modified dynamically to ensure optimal protection.
    • These are research-driven and enabled by default, requiring no manual configuration.
  • The second batch of legacy policies being migrated includes:
    • Unusual ISP for an OAuth App
    • Suspicious file access activity (by user)
  • These will be replaced with the following detections:
    • Replacing “Unusual ISP for an OAuth App”:
      • OAuth application activity from an unknown ISP (Preview)
    • Replacing “Suspicious file access activity (by user)”:
      • Suspicious file access from untrusted ISP and user agent with malicious IP indicator (Preview)
      • Suspicious file access indicative of lateral movement (Preview)
  • A new detection is also being added: “Activity from a password-spray associated IP address (Preview)”

  • These new detections are already available to you in Preview; the "(Preview)" suffix will be removed once legacy policies are disabled.
  • Governance actions configured on legacy policies will be disabled. Admins can re-enable them manually after 24 hours.
  • Migrated policies will be listed in the Microsoft Learn article “Create Defender for Cloud Apps anomaly detection policies”.
  • Eventually, all other out-of-the-box (OOTB) activity-based policies will be migrated to the new dynamic model. Future Message center posts will provide details as additional policies are transitioned.

By applying the new dynamic model, we aim to deliver more accurate and timely threat detections, enhancing your organization’s overall security posture.

In some cases, legacy policies may be split into multiple detections and alerts to provide deeper visibility and context for SOC teams.

During the gradual migration of OOTB policies, disabled policies will remain temporarily visible in Defender for Cloud Apps. Once migration is complete, these legacy policies will be removed from the legacy policies page. A separate Message center post will be published to confirm their removal.

[What you can do to prepare:]

No admin action is required before rollout.

To prepare:

  • Review your current policy configurations to assess impact.
  • Notify SOC and helpdesk teams about the updated detections.
  • Update internal documentation if referencing legacy policies.
  • If you wish to retain governance actions:
    • Wait 24 hours after disablement.
    • Re-enable policies from the legacy policies page at: Defender portal > Cloud apps > Policy management.
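
One way to assess the impact before the legacy policies are switched off is to measure how often the new detections already fire in your tenant and compare that with the legacy policies they replace. The Advanced Hunting query below is an added example for this page, not part of the Message Center post. It assumes the AlertInfo and AlertEvidence tables in Microsoft Defender XDR, that alert titles match the detection and policy names listed above, and that the ServiceSource value for Cloud Apps alerts contains “Cloud App” (matched loosely because older alerts may carry the earlier source name); the 30-day window is an arbitrary choice.

```kql
// Added example (not from the Message Center post): compare alert volume from the
// new dynamic detections with the legacy policies they replace, so the SOC can see
// what the migrated policies will produce before the legacy ones are disabled.
// Assumptions: Defender XDR Advanced Hunting; alert Title equals the detection or
// policy name; ServiceSource for Cloud Apps alerts contains "Cloud App".
let newDetections = dynamic([
    "OAuth application activity from an unknown ISP",
    "Suspicious file access from untrusted ISP and user agent with malicious IP indicator",
    "Suspicious file access indicative of lateral movement",
    "Activity from a password-spray associated IP address"
]);
let legacyPolicies = dynamic([
    "Unusual ISP for an OAuth App",
    "Suspicious file access activity (by user)"
]);
AlertInfo
| where Timestamp > ago(30d)
| where ServiceSource has "Cloud App"
// Match with or without the "(Preview)" suffix, which is removed once the legacy
// policies are disabled, so the query keeps working across the migration.
| extend BaseTitle = trim_end(@"\s*\(Preview\)\s*$", Title)
| where BaseTitle in~ (newDetections) or BaseTitle in~ (legacyPolicies)
| extend Generation = iff(BaseTitle in~ (newDetections), "new dynamic detection", "legacy policy")
// Pull the user entity so the SOC can see how many distinct accounts each detection touches.
| join kind=leftouter (
    AlertEvidence
    | where EntityType == "User"
    | project AlertId, AccountUpn
  ) on AlertId
| summarize
    Alerts = dcount(AlertId),
    Users = dcount(AccountUpn),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
  by Generation, BaseTitle, Severity
| order by Generation asc, Alerts desc
```

Because the “(Preview)” suffix is dropped once the legacy policies are disabled, any custom detection, suppression rule or SOAR playbook keyed on the alert title should match with and without the suffix, as the trim_end step does here; a row that shows a legacy policy firing while its replacement is silent is the case to investigate before the legacy policy goes away.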


[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.
