Microsoft 365 Message Center Archive

MC1192257 - Microsoft Defender Threat Intelligence: Convergence with Microsoft Defender and Microsoft Sentinel

Message ID

MC1192257

View in Message Center

Service

Microsoft Defender XDR

Published

Dec 5, 2025

Tag

Major change
Updated message
Feature update
User impact
Admin impact

Act by

Jan 7, 2026

Summary

Microsoft Defender Threat Intelligence is merging with Microsoft Defender and Microsoft Sentinel by August 1, 2026, offering integrated threat insights and enhanced analytics. Post-transition, MDTI requires an active Defender or Sentinel license. Organizations should prepare by updating licenses, documentation, and transitioning before the deadline.

More information

Updated December 5, 2025: We have updated the timeline. Thank you for your patience. 

Introduction

Microsoft Defender Threat Intelligence (MDTI) is converging with Microsoft Defender and Microsoft Sentinel to deliver integrated threat intelligence capabilities directly within your SecOps environment. This change simplifies access to threat insights, improves detection and response workflows, and aligns with customer feedback for a unified experience.

When this will happen

Full convergence will be completed by August 1, 2026. New capabilities are available now, and as of August 2025, all MDTI data has been published via the free connector, with new Threat Analytics APIs replacing retired MDTI APIs.

How this affects your organization

Who is affected: Organizations using Microsoft Defender Threat Intelligence, Microsoft Defender, or Microsoft Sentinel.

What will happen:

  • Threat Intelligence Library will be accessible via the Microsoft Defender portal, including exclusive threat reports, intel profiles, and Indicators of Compromise (IoCs) integrated into Threat Analytics.
  • Enhanced Threat Analytics reports will include:
    • Indicators of Compromise (IoCs) embedded in reports.
    • MITRE ATT&CK mapping for tactics, techniques, and procedures.
    • Insights on targeted industries and actor origins.
    • Related intelligence and aliases for cross-referencing.
  • IoCs will be linked to cases for Sentinel customers.
  • After August 1, 2026, MDTI capabilities will require an active Microsoft Defender or Microsoft Sentinel license.

What you can do to prepare

  • Plan your transition to Microsoft Defender or Microsoft Sentinel before August 1, 2026, to maintain uninterrupted access.
  • Review licensing requirements for MDTI capabilities.
  • Update internal documentation to reflect new Threat Analytics APIs and connector availability.

Compliance considerations

No compliance considerations identified, review as appropriate for your organization.