M365 Message Center by Cengiz YILMAZ

Track the latest updates, features, and announcements for Microsoft 365 services. Comprehensive archive of service updates and important changes.


Data sourced from Microsoft 365 Message Center • Not affiliated with Microsoft


Upcoming retirement of select threat detections in Microsoft Defender for Cloud Apps

Plan for Change
Major Change

Message ID

MC1254554

Services

Microsoft Defender XDR

Summary

Microsoft Defender for Cloud Apps will retire select IaaS and PaaS threat detections by mid-May 2026 due to low impact, focusing on identity-related threats. Affected alerts and policies will be removed, but historical data remains accessible. No admin action is required, though updating related processes is recommended.

Details

Introduction

Microsoft Defender for Cloud Apps is retiring a small set of Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) threat detections. These detections no longer align with the current threat protection scope of Defender for Cloud Apps, which is focused on identity-related threats across Entra, on‑premises, and SaaS environments.

Following internal review, these detections are being retired due to low prevalence and low customer impact, allowing us to focus engineering investment on higher-value and more common threat scenarios.

When this will happen:

General Availability (Worldwide, GCC, GCC High, DoD): Retirement begins early May 2026 and is expected to complete by mid‑May 2026.

How this affects your organization:

Who is affected:

  • Administrators using Microsoft Defender for Cloud Apps
  • Organizations that rely on the affected IaaS and PaaS detections

What will happen:

Alerts

  • Suspicious creation activity for cloud region
  • Suspicious change of CloudTrail logging service
  • Multiple storage deletion activities

Behaviors

  • Multiple virtual machine (VM) creation activities
  • Multiple delete VM activities

After the phase‑out

  • These detections will no longer generate alerts or behaviors.
  • The related built‑in policies will be removed from the Policy management page.
  • Alerts and behaviors already generated will not be deleted and will remain available in:
    • Alerts and Incidents pages
    • Advanced Hunting tables (for historical investigation and auditing)
  • Any existing alert links that previously pointed to these policies will indicate that the policy has been deleted.

What you can do to prepare:

  • No admin action is required.
  • If you currently reference these detections in operational processes, playbooks, or documentation, we recommend reviewing and updating those materials ahead of the removal date.
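One way to carry out the review recommended above, as an added example that is not part of Microsoft's notice: a scanner that finds references to the five retired detection names in playbooks, runbooks and documentation. The file suffixes, the function names and the sample runbook text are assumptions made for illustration; the detection names are the ones listed under "Alerts" and "Behaviors" in this message.

```python
import re
from pathlib import Path

# Detection names copied from the "Alerts" and "Behaviors" lists in this notice.
RETIRED = {
    "Suspicious creation activity for cloud region": "alert",
    "Suspicious change of CloudTrail logging service": "alert",
    "Multiple storage deletion activities": "alert",
    "Multiple virtual machine (VM) creation activities": "behavior",
    "Multiple delete VM activities": "behavior",
}

def _pattern(name):
    # Case-insensitive, and any run of whitespace between words is accepted,
    # so names wrapped across lines in Markdown or folded YAML still match.
    return re.compile(r"\s+".join(re.escape(w) for w in name.split()), re.IGNORECASE)

PATTERNS = {name: _pattern(name) for name in RETIRED}

def find_references(text):
    """Return sorted (line_number, detection_name, kind) tuples found in text."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            line = text.count("\n", 0, m.start()) + 1  # line where the match starts
            hits.append((line, name, RETIRED[name]))
    return sorted(hits)

def scan_tree(root, suffixes=(".md", ".txt", ".json", ".yaml", ".yml", ".kql")):
    """Walk root and map each matching file path to its list of references."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_references(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample runbook text (not from a real tenant).
SAMPLE = """\
# Runbook: AWS triage (constructed sample)
trigger: alert title == "suspicious change of cloudtrail logging service"
notes: correlate with the behavior Multiple delete
  VM activities before escalating
trigger: alert title == "Impossible travel"
"""

if __name__ == "__main__":
    for line, name, kind in find_references(SAMPLE):
        print(f"line {line}: retired {kind} referenced: {name}")
```

Point `scan_tree` at the directory that holds your exported playbooks and SOC documentation; each hit is a reference to update before the removal date.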

Compliance considerations:

This change modifies how admins can monitor and report on specific Defender for Cloud Apps detections. Historical alert and hunting data remains available for auditing.

Timeline

  • Published: Mar 17, 2026 (Message published to Message Center)
  • Updated: Mar 17, 2026 (Message content updated)
  • End Date: Jun 17, 2026 (Message timeline ends)

Tags

#Admin impact #Retirement

Category

Plan for Change

Related Messages

Similar updates

MC1245219

Microsoft Defender for iOS: End of support for iOS 16 devices

Mar 5, 2026

MC1234542

Retirement of “Suspected identity theft (pass-the-ticket)” classic alert

Feb 18, 2026

MC1222977

Microsoft Defender for Android: End of support for Android 10 devices

Jan 28, 2026

MC1221927

Microsoft Defender for Android ending support for enrolled personal profiles

Jan 23, 2026

MC1220762

Retirement notice: MDE and XDR Advanced Hunting APIs retiring; migrate to Microsoft Graph Security API

Jan 22, 2026