MC1187386 - Microsoft Defender for Identity alerts transitioning to XDR-based detection platform

Message ID

MC1187386

View in Message Center

Service

Microsoft Defender XDR

Published

Nov 17, 2025

Tag

Feature update

Admin impact

Summary

Microsoft Defender for Identity classic alerts will transition to the XDR detection platform starting mid-December 2025, improving detection accuracy. Admins must update workflows, use new Detector IDs, and reconfigure alert exclusions with XDR Alert Tuning rules. The rollout completes by early January 2026.

More information

Introduction

Microsoft Defender for Identity classic alerts will transition to the XDR detection platform in mid-December 2025. This change improves detection accuracy and performance and aligns with our efforts to enhance security across environments.

When this will happen:

General availability (Production, GCC, and DoD): Rollout will begin in mid-December 2025 and is expected to complete early January.

How this affects your organization:

Who is affected: Admins managing Microsoft Defender for Identity alerts and workflows.

What will happen:

Classic MDI alerts will move to the XDR detection platform.
Detector IDs will change for specific alerts.
Alert exclusions configured in MDI must be reconfigured using XDR Alert Tuning rules.

Affected alerts and new Detector IDs:

Alert Title	Detector ID
Suspected brute-force attack (Kerberos, NTLM)	xdr_OnPremBruteforce
Suspected password spray attack (Kerberos, NTLM)	xdr_OnPremPasswordSpray
Anomalous SAMR activity	xdr_SamrReconnaissanceSecurityAlert

What you can do to prepare:

Action required:

Update workflows and automation to use the new XDR Detector IDs.
Reconfigure any alert exclusions using XDR Alert Tuning rules.
Communicate this change to your security and operations teams.
Review Microsoft documentation for XDR Alert Tuning configuration.

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.