MC1124559 - Microsoft Defender for Identity: Expiration required for Recommended test mode

Service

Microsoft Defender XDR

Published

Jul 29, 2025

Tag

Feature update
User impact
Admin impact

Summary

Microsoft Defender for Identity will require a 60-day expiration period when enabling Recommended test mode starting late July 2025. Admins must manually set this expiration, which limits test duration and restores original alert thresholds after expiry, affecting alerting and integrations but not users directly.

More information

Introduction

To help organizations better manage testing efforts and reduce the risk of prolonged exposure to test configurations, Microsoft Defender for Identity (MDI) now requires an expiration period (up to 60 days) when enabling Recommended test mode. This update ensures test settings are time-bound, improving operational clarity and reducing potential security gaps.

When this will happen

General Availability (Worldwide): Rollout will begin in late July 2025 and is expected to complete by mid-August 2025.

How this affects your organization

This feature is not enabled by default. Admins must manually enable Recommended test mode, and starting with this update, they will also be required to define an expiration period of up to 60 days. The selected expiration date will be clearly displayed next to the toggle in the Microsoft Defender for Identity portal.

Expiration date displayed next to the Recommended test mode toggle in the Microsoft Defender for Identity portal:

user settings

For tenants that had Recommended test mode enabled prior to this change, a default 60-day expiration period will be automatically applied starting from the rollout date. Once the expiration period ends, test mode will be turned off and original alert thresholds will be restored.

This change:

  • Applies to all tenants with Microsoft Defender for Identity (MDI) installed, regardless of licensing (e.g., E5, Defender for Identity).
  • Requires Security administrator permissions (or higher) to make changes on the Adjust alerts thresholds page.
  • Does not impact users directly but may affect alerting behavior and integrations with other Microsoft security products once test mode expires.

What you can do to prepare

No admin action is required for this change to take effect. However, we recommend:

  • Reviewing your current use of Recommended test mode.
  • Planning for the expiration behavior and any downstream effects on alerting or integrations.
  • Ensuring appropriate admin roles (e.g., Security administrator) are assigned to those managing alert thresholds.

Learn more: 

Compliance considerations

No compliance considerations identified, review as appropriate for your organization.