Services
Summary
Defender for Identity activities and alerts will be retired from Defender for Cloud Apps by late May 2025. All data and functionality will be available through Microsoft Defender XDR. Organizations should update their resources and create new custom detections in Advanced Hunting.
Details
Updated May 13, 2025: We have updated the timeline below. Thank you for your patience.
As part of the convergence of both Microsoft Defender for Identity and Microsoft Defender for Cloud Apps into Microsoft Defender XDR services, we are continuing to move away from legacy experiences and enhancing the unified experiences.
Therefore, we will gradually retire Defender for Identity's Active Directory and alerts data from Defender for Cloud Apps dedicated experiences. All data, as well as all functionality of the affected experiences, remain available through Microsoft Defender XDR unified experiences, where we will continue to invest our development resources.
When this will happen:
General Availability (Worldwide, GCC, GCC High, DoD): This retirement will begin rolling out in late January 2025 and is expected to complete in late May 2025 (previously early May).
How this will affect your organization:
You are receiving this message because the following changes may affect your organization:
Active directory activities coming from Defender for Identity will no longer be available in Defender for Cloud Apps activity logs. Consequently, Defender for Cloud Apps activity policies will cease from triggering based on Active Directory data.
All Active Directory activities data remains available through Advanced Hunting, in the following tables:
- IdentityLogonEvents
- IdentityDirectoryEvents
- IdentityQueryEvents
To learn more about Advanced Hunting and the Data Schema, visit Proactively hunt for threats with advanced hunting in Microsoft Defender and Understand the advanced hunting schema.
New Active Directory activities, as well as Defender for Identity's alerts data, will no longer be available through Defender for Cloud Apps Activities API, Alerts API, or dedicated SIEM agents.
All activities and alerts data remains available through Defender XDR Streaming API and Event Hubs.
Learn more about Streaming API.
For more information about how to integrate your SIEM tools with Microsoft Defender XDR, visit Ingesting streaming event data via Event Hubs.
The Identities page under 'Assets' in the XDR portal will be updated to better support the new experiences. The page will be divided into two distinct tabs: First-party identities and Third-party accounts. In the User page, "View related activity" action will no longer be available. To learn more about Defender for Identity's experiences in the XDR portal, visit Microsoft Defender for Identity in the Microsoft Defender portal.
What you need to do to prepare:
To ensure a seamless experience, create new custom detections for any activity policies based on active directory data in Advanced Hunting. To learn more about how to create custom detections, visit Create and manage custom detections rules. Suggested queries related to Active Directory activities are available through the portal under Advanced Hunting > Community Queries. For more information, see Use shared queries in Advanced Hunting.
If you are still using Defender for Cloud Apps dedicated API and SIEM agents to consume Defender for Identity activities or alerts, make sure to update your resources according to the above information.