โ† Back
(Updated) Microsoft Defender Threat Intelligence: Convergence with Microsoft Defender and Microsoft Sentinel
MC1192257 ยท build prod-20251231-200323
Category
planForChange
Severity
normal
Major change
True
Last modified
2025-12-22 17:04:56
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
2026-08-01 08:00:00
Action by (AI)
โ€”
Services
Microsoft Defender XDR
Tags
Updated message, Feature update, User impact, Admin impact
Master tags
Security
Roadmap IDs

One-line summary

MDTI is merging with Defender and Sentinel; by Aug 1, 2026, MDTI features will need Defender or Sentinel licenses and new APIs will replace old MDTI APIs.

Similar updates

More like this
MC1077861 (Updated) Microsoft Defender for Cloud Apps: SIEM agents will retire
(Updated) Microsoft Defender for Cloud Apps: SIEM agents will retire Retirement of SIEM agents for Microsoft Defender for Cloud Apps is paused; no new SIEM agents can be configured after June 19, 2025As part of our ongoing convergence process for all Microsoft Defender workloads, we planned to retire SIEM (Security Information and Event.
MC992217 (Updated) Microsoft Defender: Changes to Defender for Cloud Apps alerts
(Updated) Microsoft Defender: Changes to Defender for Cloud Apps alerts Defender for Cloud Apps alerts in Defender XDR will update alert source fields and alert ID prefixes for new alerts, affecting APIs, SIEM, and custom automations; rollout completes by late June 2025. Coming soon for Microsoft Defender for Cloud Apps: A change to alerts.
MC1187386 Microsoft Defender for Identity alerts transitioning to XDR-based detection platform
Microsoft Defender for Identity alerts transitioning to XDR-based detection platform Defender for Identity classic alerts will shift to the XDR detection platform starting mid-December 2025; update workflows and alert exclusions to use new XDR Detector IDs. [Introduction] Microsoft Defender for Identity classic alerts will transition to the XDR.
MC1169078 Microsoft Defender for Cloud Apps: Improvements to threat protection capabilities
Microsoft Defender for Cloud Apps: Improvements to threat protection capabilities Defender for Cloud Apps expands dynamic threat detection, replacing legacy policies with new, research-driven detections; rollout starts early November 2025 and completes by end of November. [Introduction:] To improve threat detection accuracy and responsiveness,.
MC1180712 Microsoft Copilot Studio - Strengthen security of Copilot Studio agents with additional threat protection
Microsoft Copilot Studio - Strengthen security of Copilot Studio agents with additional threat protection Copilot Studio agents gain enhanced security with external threat detection, available December 10, 2025; admins can integrate Microsoft Defender or other providers via Entra and Power Platform. Update: Release of this feature has been.
MC1194061 IP address changes in Defender for Identity v2.x sensor communication
IP address changes in Defender for Identity v2.x sensor communication Defender for Identity v2.x sensors will use new IPs from the AzureAdvancedThreatProtection range starting mid-December 2025; update firewall rules if restricting outbound IPs. [Introduction] As part of ongoing infrastructure and security improvements, Microsoft Defender for.

Details

Summary
Microsoft Defender Threat Intelligence is merging with Microsoft Defender and Microsoft Sentinel by August 1, 2026, offering integrated threat insights and enhanced analytics. Post-transition, MDTI requires an active Defender or Sentinel license. Organizations should prepare by updating licenses, documentation, and transitioning before the deadline.

Body (from Message Center)

Updated December 5, 2025: We have updated the timeline. Thank you for your patience. 

[Introduction]

Microsoft Defender Threat Intelligence (MDTI) is converging with Microsoft Defender and Microsoft Sentinel to deliver integrated threat intelligence capabilities directly within your SecOps environment. This change simplifies access to threat insights, improves detection and response workflows, and aligns with customer feedback for a unified experience.

[When this will happen]

Full convergence will be completed by August 1, 2026. New capabilities are available now, and as of August 2025, all MDTI data has been published via the free connector, with new Threat Analytics APIs replacing retired MDTI APIs.

[How this affects your organization]

Who is affected: Organizations using Microsoft Defender Threat Intelligence, Microsoft Defender, or Microsoft Sentinel.

What will happen:

  • Threat Intelligence Library will be accessible via the Microsoft Defender portal, including exclusive threat reports, intel profiles, and Indicators of Compromise (IoCs) integrated into Threat Analytics.
  • Enhanced Threat Analytics reports will include:
    • Indicators of Compromise (IoCs) embedded in reports.
    • MITRE ATT&CK mapping for tactics, techniques, and procedures.
    • Insights on targeted industries and actor origins.
    • Related intelligence and aliases for cross-referencing.
  • IoCs will be linked to cases for Sentinel customers.
  • After August 1, 2026, MDTI capabilities will require an active Microsoft Defender or Microsoft Sentinel license.

[What you can do to prepare]

  • Plan your transition to Microsoft Defender or Microsoft Sentinel before August 1, 2026, to maintain uninterrupted access.
  • Review licensing requirements for MDTI capabilities.
  • Update internal documentation to reflect new Threat Analytics APIs and connector availability.

[Compliance considerations]

No compliance considerations identified, review as appropriate for your organization.

Raw JSON (for debugging)

Expand/collapse the full payload below.
Show/hide raw 
{
  "snapshot_item": {
    "action_required_by": "2026-08-01T08:00:00Z",
    "ai_action_required_by": null,
    "ai_actions": [
      "Plan transition to Defender or Sentinel",
      "Review MDTI licensing needs",
      "Update documentation for new APIs"
    ],
    "ai_master_tags": [
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "MDTI is merging with Defender and Sentinel; by Aug 1, 2026, MDTI features will need Defender or Sentinel licenses and new APIs will replace old MDTI APIs.",
    "ai_topics": [
      "Defender",
      "Sentinel"
    ],
    "category": "planForChange",
    "details_map": {
      "Summary": "Microsoft Defender Threat Intelligence is merging with Microsoft Defender and Microsoft Sentinel by August 1, 2026, offering integrated threat insights and enhanced analytics. Post-transition, MDTI requires an active Defender or Sentinel license. Organizations should prepare by updating licenses, documentation, and transitioning before the deadline."
    },
    "id": "MC1192257",
    "importance": 4,
    "is_major_change": true,
    "last_modified": "2025-12-22T17:04:56Z",
    "ms_products": [
      "Defender"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Microsoft Defender XDR"
    ],
    "severity": "normal",
    "tags": [
      "Updated message",
      "Feature update",
      "User impact",
      "Admin impact"
    ],
    "title": "(Updated) Microsoft Defender Threat Intelligence: Convergence with Microsoft Defender and Microsoft Sentinel"
  }
}