M365 Message Center by Cengiz YILMAZ


Data sourced from Microsoft 365 Message Center • Not affiliated with Microsoft


Microsoft Defender for Office 365: Alert experience enhancements for faster triage

Informational

Message ID

MC1147387

Services

Microsoft Defender XDR

Summary

Microsoft Defender for Office 365 will enhance the alert experience by consolidating related signals into richer alerts, reducing alert fatigue while preserving detection and workflows. Rollout starts mid-September 2025, requires no configuration changes, and may affect automation and alert metrics tracking. No compliance issues identified.

Details

Introduction

We’re improving the alert experience in Microsoft Defender for Office 365 (MDO) to help security teams triage alerts more efficiently. These updates reduce alert fatigue by consolidating related signals into single, richer alerts—without compromising detection fidelity or coverage.

When this will happen

General Availability (Worldwide, GCC, GCC High, DoD): Rollout begins mid-September 2025 and will complete by late November 2025. Updates will be delivered incrementally during this period.

How this affects your organization
  • Fewer near-duplicate alerts: Closely related signals will be grouped, reducing clutter in the alert list.
  • Richer alert detail: Alerts will include impacted entities (e.g., users, recipients), key identifiers (e.g., message/network IDs), and timelines. Evidence such as URLs, attachments, and IPs remains accessible.
  • Preserved triage workflows: Existing pivots like Open message in Explorer, View timeline, and List impacted entities remain unchanged. Severity and categorization are unaffected.
  • Incident correlation: Incidents may contain fewer child alerts but with denser evidence per alert.
  • APIs and reporting: No schema changes. You may observe lower raw alert counts with higher per-alert density. Dashboards and automation referencing alert IDs will continue to function.

This feature is on by default and requires no configuration changes.

What you can do to prepare
  • Review automation logic: Ensure playbooks and scripts can handle alerts with multiple entities and richer context.
  • Review alert metrics: If you track alert counts, consider also measuring how many users or messages are included in each alert, what actions are taken, and how long it takes to respond and resolve (mean time to acknowledge and mean time to resolve).
  • Communicate with SecOps teams: Set expectations around reduced alert volume with maintained evidence depth.

No policy or configuration changes are required before rollout.
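
The two review items above can be checked together with a small metrics script. This is an added example, not Microsoft's code or part of the original message; the record layout and field names (`created`, `acked`, `resolved`, `users`, `messages`) are hypothetical stand-ins for whatever your alert export provides, and the sample data is constructed. It shows the same four signals before and after consolidation: the raw alert count halves while the impacted users and messages stay the same.

```python
from datetime import datetime
from statistics import mean

def rec(created, acked, resolved, users, messages):
    # Field names are hypothetical, not the Defender alert schema.
    return {"created": created, "acked": acked, "resolved": resolved,
            "users": users, "messages": messages}

D = "2025-09-01T"
# Constructed sample: the same four signals, before and after consolidation.
BEFORE = [
    rec(D + "10:00", D + "10:10", D + "11:00", ["u1"], ["m1"]),
    rec(D + "10:01", D + "10:31", D + "11:01", ["u2"], ["m2"]),
    rec(D + "10:02", D + "10:22", D + "11:02", ["u3"], ["m3"]),
    rec(D + "12:00", None, None, ["u4"], ["m4"]),  # still open
]
AFTER = [
    rec(D + "10:00", D + "10:10", D + "11:00",
        ["u1", "u2", "u3"], ["m1", "m2", "m3"]),
    rec(D + "12:00", None, None, ["u4"], ["m4"]),  # still open
]

def _mean_minutes(alerts, end_field):
    """Mean minutes from creation to end_field, skipping alerts that lack it."""
    spans = [(datetime.fromisoformat(a[end_field])
              - datetime.fromisoformat(a["created"])).total_seconds() / 60
             for a in alerts if a.get(end_field)]
    return mean(spans) if spans else None

def alert_metrics(alerts):
    """Count alerts alongside the density and response-time measures."""
    users = {u for a in alerts for u in a["users"]}
    messages = {m for a in alerts for m in a["messages"]}
    return {
        "alerts": len(alerts),
        "distinct_users": len(users),
        "distinct_messages": len(messages),
        "users_per_alert": mean(len(set(a["users"])) for a in alerts) if alerts else 0,
        "mtta_min": _mean_minutes(alerts, "acked"),
        "mttr_min": _mean_minutes(alerts, "resolved"),
    }

def users_to_act_on(alert):
    """Playbook step: return every impacted user, not only the first one."""
    return sorted(set(alert["users"]))

if __name__ == "__main__":
    for label, data in (("before", BEFORE), ("after", AFTER)):
        print(label, alert_metrics(data))
```
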

Compliance considerations

No compliance considerations identified; review as appropriate for your organization.

Timeline

  • Published: Sep 3, 2025 (message published to Message Center)
  • Updated: Sep 3, 2025 (message content updated)
  • End Date: Jan 31, 2026 (message timeline ends)

Tags

#Feature update #Admin impact

Category

Stay Informed

Related Messages

Similar updates

  • MC1155429 (Sep 18, 2025): Microsoft Defender for Identity: New recommendations added to Microsoft Secure Score
  • MC1152320 (Sep 12, 2025): Microsoft Defender for Office 365: Enhanced email entity page experience
  • MC1151683 (Sep 11, 2025): Microsoft Defender for Identity | Detections improvements to reduce noise and improve accuracy
  • MC1166867 (Oct 6, 2025): Microsoft Defender for Office 365: Enhancing the quarantine email preview experience
  • MC1163754 (Oct 1, 2025): Enhancements to the Deep Analysis tab of Email Entity page by Microsoft Defender for Office 365