Services
Summary
Microsoft Defender for Cloud Apps will disable three pre-defined policies by default to improve alert accuracy. The rollout starts mid-May 2025 (worldwide) and early June 2025 (GCC, GCC High). Users can re-enable these policies if desired. No immediate action is required. More details are available in the documentation.
Details
Updated May 29, 2025: We have updated the timeline below. Thank you for your patience.
Microsoft Defender for Cloud Apps is continuously working to ensure that our out-of-the-box (OOTB) threat protection capabilities within App Governance are as accurate and effective as possible.
As part of this effort, we will be disabling by default three specific pre-defined policies that have been found to mostly trigger on legitimate activities, rather than alerting on malicious ones. This change is aimed at improving the overall accuracy of our alerts by relying on more accurate sources that provide a comprehensive view of potential attacks, rather than focusing on isolated anomalous activities.
If you prefer to continue receiving these alerts, the option to re-enable them remains available.
When this will happen:
General Availability (Worldwide): We will begin rolling out mid-May (previously late April) and expect to complete by late May 2025.
General Availability (GCC, GCC High): We will begin rolling out early June 2025 (previously late May) and expect to complete by mid-June 2025 (previously late May).
How this will affect your organization:
These specific pre-defined policies within App Governance will be switched off for all customers by default. The policies being disabled are:
- Increase in data usage by an overprivileged or highly privileged app
- Unusual activity from an app with priority account consent
- Access to sensitive data
This change will reduce the number of alerts triggered by legitimate activities, allowing you to focus on more accurate and relevant security notifications. The remaining policies and our advanced threat detection engines, which are always enabled and running behind the scenes, will continue to provide robust protection by correlating multiple pieces of evidence to identify potential attacks with higher confidence.
If you have made any changes to customize the existing pre-defined policy template, they will not be disabled as part of this change.
If for any reason you prefer to continue receiving these alerts, you can re-enable the policies via the policy management interface. Additionally, we provide tools for customers to create custom policies tailored to their specific needs. For more details, please refer to the relevant documentation.
For more details, please refer to the relevant documentation: Get started with app policies
What you need to do to prepare:
No immediate action is required. However, if you wish to re-enable any of the disabled policies, you can do so through the policy management interface. This will allow you to utilize the full functionality of the policies as you have been up to this point.