Services
Summary
Microsoft Defender for Identity classic alerts will transition to the XDR detection platform starting mid-December 2025, improving detection accuracy. Admins must update workflows, use new Detector IDs, and reconfigure alert exclusions with XDR Alert Tuning rules. The rollout completes by early January 2026.
Details
Introduction
Microsoft Defender for Identity classic alerts will transition to the XDR detection platform in mid-December 2025. This change improves detection accuracy and performance and aligns with our efforts to enhance security across environments.
When this will happen:
General availability (Production, GCC, and DoD): Rollout will begin in mid-December 2025 and is expected to complete early January.
How this affects your organization:
Who is affected: Admins managing Microsoft Defender for Identity alerts and workflows.
What will happen:
- Classic MDI alerts will move to the XDR detection platform.
- Detector IDs will change for specific alerts.
- Alert exclusions configured in MDI must be reconfigured using XDR Alert Tuning rules.
Affected alerts and new Detector IDs:
| Alert Title | Detector ID |
|---|---|
| Suspected brute-force attack (Kerberos, NTLM) | xdr_OnPremBruteforce |
| Suspected password spray attack (Kerberos, NTLM) | xdr_OnPremPasswordSpray |
| Anomalous SAMR activity | xdr_SamrReconnaissanceSecurityAlert |
What you can do to prepare:
Action required:
- Update workflows and automation to use the new XDR Detector IDs.
- Reconfigure any alert exclusions using XDR Alert Tuning rules.
- Communicate this change to your security and operations teams.
- Review Microsoft documentation for XDR Alert Tuning configuration.
Compliance considerations:
No compliance considerations identified, review as appropriate for your organization.