MC1431377Microsoft Defender for Office 365: AIR Investigation Experience Improvements
Summary
Microsoft Defender for Office 365's AIR experience will add a manual refresh button, replacing auto-refresh, and simplify investigation names by removing email subjects and UPNs. These changes improve performance, reduce network activity, and support data minimization. No admin action is required, but SOC workflows and documentation should be updated.
More information
What and Why:
Microsoft is enhancing the Automated Investigation and Response (AIR) experience in Microsoft Defender for Office 365 by introducing a manual refresh capability and simplifying investigation naming conventions. These changes improve portal performance, reduce unnecessary network activity, and support data minimization principles by removing email subjects and User Principal Names (UPNs) from investigation names.
Rollout Schedule:
- General Availability (Worldwide): Beginning in late July 2026 and expected to complete by late August 2026
Impact on Your Organization:
Who is affected:
- Security Operations Center (SOC) analysts
- Security administrators
- Incident responders
- Organizations using Microsoft Defender for Office 365 Plan 2 / E5 and AIR
Platforms/Services:
- Microsoft Defender portal
- Microsoft Defender for Office 365
- Automated Investigation and Response (AIR)
What will happen:
- Manual refresh replaces auto-refresh:
- The AIR Investigations page will no longer refresh automatically.
- A new Refresh button will be available on the Investigations page.
- Analysts must manually refresh the page to obtain the latest investigation status and details.
- This change is enabled by default as part of the service update.
- Improved page responsiveness and reduced background network calls are expected.
- Simplified investigation names:
- Investigation names for Manual and User-Reported will no longer include email subject lines
- Generic investigation names will be displayed instead, such as:
- Email investigation for 'Network message Id"
- User reported message as malicious "Network message Id"
- Existing investigation history and results remain unchanged.
- No changes to existing capabilities
- Investigation triggers remain unchanged.
- Detection logic remains unchanged.
- Automated remediation actions remain unchanged.
- Threat Explorer functionality remains unchanged.
- Email & Collaboration reports remain unchanged.
- Historical investigation records remain available.
Action Required/Recommendations:
No mandatory administrative configuration is required.
Recommended actions:
- Review SOC workflows that rely on automatic refresh behavior.
- Inform security analysts that investigation status updates now require use of the new Refresh button.
- Review automation, runbooks, scripts, dashboards, or integrations that may parse investigation names.
- Update internal SOPs, analyst guides, and training materials that reference investigation names containing email subjects.
- Communicate the naming convention change to help desk and security teams prior to rollout.
- Validate any custom reporting processes that may depend on previous investigation naming formats.
Learn more: Details and results of AIR in Defender for Office 365 Plan 2 - Microsoft Defender for Office 365 | Microsoft Learn (will be updated before rollout)
Compliance Considerations:
| Area | Explanation |
| Existing customer data processing/access | Investigation names will no longer expose email subjects, supporting data minimization and changing how investigation-related data is presented to administrators. |
| Admin monitoring and reporting | Organizations may need to update reporting, operational procedures, and investigation workflows that reference investigation names. |