Microsoft 365 Message Center Archive

MC1254554 - Upcoming retirement of select threat detections in Microsoft Defender for Cloud Apps

Message ID

MC1254554

View in Message Center

Service

Microsoft Defender XDR

Published

Mar 17, 2026

Tag

Major change
Admin impact
Retirement

Summary

Microsoft Defender for Cloud Apps will retire select IaaS and PaaS threat detections by mid-May 2026 due to low impact, focusing on identity-related threats. Affected alerts and policies will be removed, but historical data remains accessible. No admin action is required, though updating related processes is recommended.

More information

Introduction

Microsoft Defender for Cloud Apps is retiring a small set of Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) threat detections. These detections no longer align with the current threat protection scope of Defender for Cloud Apps, which is focused on identity-related threats across Entra, on‑premises, and SaaS environments.

Following internal review, these detections are being retired due to low prevalence and low customer impact, allowing us to focus engineering investment on higher-value and more common threat scenarios.

When this will happen:

General Availability (Worldwide, GCC, GCC High, DoD): Retirement begins early May 2026 and is expected to complete by mid‑May 2026.

How this affects your organization:

Who is affected:

  • Administrators using Microsoft Defender for Cloud Apps
  • Organizations that rely on the affected IaaS and PaaS detections

What will happen:

Alerts

  • Suspicious creation activity for cloud region
  • Suspicious change of CloudTrail logging service
  • Multiple storage deletion activities

Behaviors

  • Multiple virtual machine (VM) creation activities
  • Multiple delete VM activities

After the phase‑out

  • These detections will no longer generate alerts or behaviors.
  • The related built‑in policies will be removed from the Policy management page.
  • Alerts and behaviors already generated will not be deleted and will remain available in:
    • Alerts and Incidents pages
    • Advanced Hunting tables (for historical investigation and auditing)
  • Any existing alert links that previously pointed to these policies will indicate that the policy has been deleted.

What you can do to prepare:

  • No admin action is required.
  • If you currently reference these detections in operational processes, playbooks, or documentation, we recommend reviewing and updating those materials ahead of the removal date.

Compliance considerations:

This change modifies how admins can monitor and report on specific Defender for Cloud Apps detections. Historical alert and hunting data remains available for auditing.