MC1187386 – M365 Change Digest

One-line summary

Defender for Identity classic alerts will shift to the XDR detection platform starting mid-December 2025; update workflows and alert exclusions to use new XDR Detector IDs.

Similar updates

Details

Summary

Microsoft Defender for Identity classic alerts will transition to the XDR detection platform starting mid-December 2025, improving detection accuracy. Admins must update workflows, use new Detector IDs, and reconfigure alert exclusions with XDR Alert Tuning rules. The rollout completes by early January 2026.

Body (from Message Center)

[Introduction]

Microsoft Defender for Identity classic alerts will transition to the XDR detection platform in mid-December 2025. This change improves detection accuracy and performance and aligns with our efforts to enhance security across environments.

[When this will happen:]

General availability (Production, GCC, and DoD): Rollout will begin in mid-December 2025 and is expected to complete early January.

[How this affects your organization:]

Who is affected: Admins managing Microsoft Defender for Identity alerts and workflows.

What will happen:

Classic MDI alerts will move to the XDR detection platform.
Detector IDs will change for specific alerts.
Alert exclusions configured in MDI must be reconfigured using XDR Alert Tuning rules.

Affected alerts and new Detector IDs:

Alert Title	Detector ID
Suspected brute-force attack (Kerberos, NTLM)	xdr_OnPremBruteforce
Suspected password spray attack (Kerberos, NTLM)	xdr_OnPremPasswordSpray
Anomalous SAMR activity	xdr_SamrReconnaissanceSecurityAlert

[What you can do to prepare:]

Action required:

Update workflows and automation to use the new XDR Detector IDs.
Reconfigure any alert exclusions using XDR Alert Tuning rules.
Communicate this change to your security and operations teams.
Review Microsoft documentation for XDR Alert Tuning configuration.

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

Raw JSON (for debugging)

Expand/collapse the full payload below.

Show/hide raw

{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": null,
    "ai_actions": [
      "Update workflows for new XDR Detector IDs",
      "Reconfigure alert exclusions using XDR Alert Tuning",
      "Inform security and operations teams",
      "Review XDR Alert Tuning documentation"
    ],
    "ai_master_tags": [
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Defender for Identity classic alerts will shift to the XDR detection platform starting mid-December 2025; update workflows and alert exclusions to use new XDR Detector IDs.",
    "ai_topics": [
      "Defender"
    ],
    "category": "stayInformed",
    "details_map": {
      "Summary": "Microsoft Defender for Identity classic alerts will transition to the XDR detection platform starting mid-December 2025, improving detection accuracy. Admins must update workflows, use new Detector IDs, and reconfigure alert exclusions with XDR Alert Tuning rules. The rollout completes by early January 2026."
    },
    "id": "MC1187386",
    "importance": 0,
    "is_major_change": false,
    "last_modified": "2025-11-17T23:46:18Z",
    "ms_products": [
      "Defender"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Microsoft Defender XDR"
    ],
    "severity": "normal",
    "tags": [
      "Feature update",
      "Admin impact"
    ],
    "title": "Microsoft Defender for Identity alerts transitioning to XDR-based detection platform"
  }
}