MC1151683 - Microsoft Defender for Identity | Detections improvements to reduce noise and improve accuracy

Introduction:

The Microsoft Defender for Identity team is rolling out improvements to several detections based on customer feedback and internal analysis. These updates are designed to reduce alert noise and improve detection accuracy, helping security teams focus on the most actionable threats. An active Microsoft Defender for Identity (MDI) license is required to benefit from these improvements.

When this will happen:

These improvements will begin rolling out gradually starting in late September 2025 and will complete by mid-October 2025.

How this affects your organization:

Who is affected: Admins managing Microsoft Defender for Identity in commercial tenants.

What will happen:

• Several existing detections will be updated to reduce false positives and improve precision.
• You may observe a decrease in the number of alerts raised for the following detections:
  • Suspicious communication over DNS     
  • Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)
  • Honeytoken authentication activity
  • Remote code execution attempt over DNS
  • Suspicious password reset by Entra Connect account
  • Data exfiltration over SMB
  • Suspected skeleton key attack (encryption downgrade)
  • Suspicious modification of the Resource-Based Constrained Delegation attribute by a machine account
  • Remote code execution attempt

No changes to configuration or policy settings are required.

What you can do to prepare:

•  No action is required at this time.
•  Review alert volumes and detection behavior after rollout to assess impact.
•  Communicate this change to your security operations team.
•  Update internal documentation if you track detection logic or alert thresholds.

Learn more: Security alerts - Microsoft Defender for Identity | Microsoft Learn

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.