Introduction
Microsoft Defender for Identity classic alerts will transition to the XDR detection platform in mid-December 2025. This change improves detection accuracy and performance and aligns with our efforts to enhance security across environments.
When this will happen:
General availability (Production, GCC, and DoD): Rollout will begin in mid-December 2025 and is expected to complete in early January.
How this affects your organization:
Who is affected: Admins managing Microsoft Defender for Identity alerts and workflows.
What will happen:
- Classic MDI alerts will move to the XDR detection platform.
- Detector IDs will change for specific alerts.
- Alert exclusions configured in MDI must be reconfigured using XDR Alert Tuning rules.
Affected alerts and new Detector IDs:
| Alert Title | Detector ID |
| --- | --- |
| Suspected brute-force attack (Kerberos, NTLM) | xdr_OnPremBruteforce |
| Suspected password spray attack (Kerberos, NTLM) | xdr_OnPremPasswordSpray |
| Anomalous SAMR activity | xdr_SamrReconnaissanceSecurityAlert |
What you can do to prepare:
Action required:
- Update workflows and automation to use the new XDR Detector IDs.
- Reconfigure any alert exclusions using XDR Alert Tuning rules.
- Communicate this change to your security and operations teams.
- Review Microsoft documentation for XDR Alert Tuning configuration.
Compliance considerations:
No compliance considerations identified; review as appropriate for your organization.