As part of our ongoing efforts to enhance performance and scalability, Microsoft Defender for Office 365 investigation and hunting experiences are undergoing a data platform migration to establish a more robust, efficient, and scalable data storage system. This migration aims to improve data consistency and reliability, particularly in investigation and threat-hunting experiences.
When this will happen:
General Availability (Worldwide, GCC, GCC High, DoD): We began rolling out this migration in early November 2024 and expect to complete it by late June 2025.
How this will affect your organization:
Key benefits
- Ensures data consistency across multiple user experiences: By consolidating data management under a unified platform, this migration will eliminate discrepancies between different workflows, ensuring that security analysts have access to consistent and reliable data across various investigation and hunting experiences.
- Establishes data parity between Threat Explorer and Advanced Hunting: By leveraging a single, unified data source, the migration will ensure that data retrieved in Threat Explorer and Advanced Hunting remains synchronized. This reduces the chances of data disparity between different tools and allows security teams to conduct investigations with better accuracy.
- Enhances the data pipeline for Advanced Hunting, resulting in improved performance and accuracy: The migration will optimize the data ingestion pipeline and proactive monitoring system of Advanced Hunting. This will improve data freshness and reduce the chance of data quality issues in the data pipeline.
- Accelerates development cycles for new features built on the new data platform: The modernized data architecture will enable faster iteration and deployment of new features. By reducing dependencies on legacy systems and adopting a scalable infrastructure, Microsoft can introduce feature enhancements more rapidly, bringing greater value to security analysts.
- Strengthens proactive monitoring capabilities to minimize potential impact on customer workflows: The new platform will enhance real-time monitoring and alerting mechanisms, allowing for proactive detection and resolution of issues before they impact user workflows. Improved observability will ensure that any latency or disruptions are identified early, reducing downtime and improving system reliability.
Potential impact
- No direct impact on customer data.
- While the new platform brings significant improvements, users may experience slight delays in data availability (such as email metadata and post-delivery actions like quarantine release and manual remediation) in certain experiences, including Threat Explorer, Email Entity, and the Email Summary Panel.
- In some cases, users may encounter intermittent failures for a brief moment when loading the Email Summary Panel from experiences such as Quarantine and Submission immediately after an email is delivered. However, this will automatically resolve once the necessary data has been processed and stored.
Resolution plan
While our team works on the migration, we are also actively working on optimizing the performance of the new data platform to align as closely as possible with the data freshness rate of Threat Explorer before the data platform migration. Also, efforts are underway to minimize failure rates across user experiences caused by temporary data unavailability.
The phase 1 performance improvement work is expected to be completed by late June 2025. After that, our teams will continuously monitor latencies and invest in further improvements to ensure a seamless security operations experience for end users.
This change will be available by default.
What you need to do to prepare:
This migration will happen automatically by the specified dates with no admin action required before the rollout. Review your current configuration to assess the impact on your organization. You may want to notify your users about this change and update any relevant documentation.