Microsoft Defender for O365: New email actions available in Advanced Hunting

Informational

Message ID

MC1184997

Services

Microsoft Defender XDR

Summary

Microsoft Defender for O365 now allows triggering new remediation actions—Submit to Microsoft, add to allow/block list, and initiate automated investigation—directly from the Advanced Hunting interface. This feature, which began rolling out on November 10, 2025, is enabled by default and supports improved threat response without policy changes.

Details

Introduction:

This update introduces new remediation actions in Microsoft Defender for O365 that can be triggered directly from the Advanced Hunting interface. These actions—previously only available in Threat Explorer—include “Submit to Microsoft” and “Initiate automated investigation.” This enhancement enables security teams to respond to threats more efficiently and programmatically using custom queries, aligning with customer feedback to streamline incident response workflows.

When this will happen:

General Availability (Worldwide): We began rolling out this feature on November 10, 2025.

How this affects your organization:

Who is affected:

  • Admins and Security Analysts using Microsoft Defender XDR and Advanced Hunting.

What will happen:

  • New actions will be available directly from Advanced Hunting results:
    • Submit to Microsoft
    • Add entries to Tenant allow/block list
    • Initiate automated investigation
  • These actions are enabled automatically and available by default; they cannot be removed from the user interface.
  • Existing admin policies are respected; no policy changes are required.
  • Threat Explorer will continue to be available; both interfaces will coexist.

What you can do to prepare:

  • Review and update existing hunting queries and playbooks to incorporate new actions.
  • Communicate the change to SOC teams and relevant stakeholders.
  • Provide training or documentation as needed.
  • If you want to scope access to these actions, use role-based access control (RBAC) in Microsoft Defender XDR.
    • Click path: Microsoft 365 Defender portal > Settings > Permissions > Roles

Learn more: Take action on advanced hunting query results in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn

Compliance considerations:

No compliance considerations identified; review as appropriate for your organization.

Timeline

Published
Nov 12, 2025
Updated
Nov 12, 2025
End Date
Dec 10, 2025

Tags

Feature update, User impact, Admin impact

Category

Stay Informed