Microsoft 365 Updates - February Picks

Overview

As Microsoft continues to roll out hundreds of updates each month, keeping up with the latest changes can feel overwhelming. That’s where we come in. In this month’s M365 Update Series, Head of Managed Services, Salim Othman, dives into some of his top updates released in February 2025 that you should be aware of.

From changes to Microsoft Purview’s alert capabilities to updates in Windows Autopatch policies and a shift in how Microsoft Defender handles identity alerts, these changes will impact how IT teams manage their environments.

In this blog, we’ll cover:

  • The retirement of event alerts in Microsoft Purview and how to prepare.
  • Changes to diagnostic data policies in Windows Autopatch.
  • The migration of Defender for Identity alerts to Defender XDR.

Read on for everything you need to know to ensure a smooth transition and keep your organisation ahead of the curve.

 

Update 1: Retirement of Alerts Policy cmdlets in Microsoft Purview Audit

Microsoft Purview previously offered the flexibility to create event alert policies through the Purview Audit solution (in addition to the more commonly used Data Loss Prevention alerts). On March 24, 2025, Microsoft will be retiring the event alerts capability within the Purview Audit solution. With this change, any existing alert policies which had been created through the Audit solution will no longer generate alerts and customers will no longer be able to create new alert policies through the Audit solution. This functionality had already been removed from the Purview Portal’s Audit UI in 2023. Starting March 24, 2025, support for the following cmdlets will also be retired: 

Please note that the event alerts capability within Purview DLP will remain unaffected by this change. Any alert policies created through Purview DLP will continue to generate alerts as expected. Microsoft recommend that you use the alerts functionality within DLP, which is where Microsoft will continue to invest its development resources.

How this will affect your organisation:

Any existing alert policies which you may have created through the Purview Audit solution will no longer generate alerts. Policies created through Purview DLP will remain unaffected. 

What you need to do to prepare:

If you have any alert policies created using Purview Audit which you wish to retain, please re-create these alert policies through Purview DLP. To view a list of all alert policies created through audit, please use the Get-AuditConfigurationRule cmdlet, as illustrated below. This will be available to use until March 24, 2025. 

Get-AuditConfigurationRule | Format-List Name,Workload,AuditOperation,Policy
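To turn that listing into a migration checklist, the following added example (not from Microsoft or the original post) exports the Audit-based alert policies to CSV so each one can be ticked off as it is re-created in DLP. It assumes the ExchangeOnlineManagement module is installed; the output path and the RecreatedInDlp column are hypothetical.

```powershell
# Added example: inventory Purview Audit alert policies before the retirement date.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in account
# can read audit configuration. $OutFile is a placeholder path.
#Requires -Modules ExchangeOnlineManagement

$OutFile = Join-Path $PWD 'purview-audit-alert-policies.csv'

# Security & Compliance PowerShell session (interactive sign-in).
Connect-IPPSSession

# Wrap in @() so a single rule is still treated as a collection.
$rules = @(Get-AuditConfigurationRule)

if ($rules.Count -eq 0) {
    Write-Host 'No Audit-based alert policies found; nothing to re-create in DLP.'
    return
}

# Flatten multi-valued properties so each rule fits on one CSV row.
$inventory = $rules | ForEach-Object {
    [pscustomobject]@{
        Name           = $_.Name
        Policy         = $_.Policy
        Workload       = ($_.Workload -join ';')
        AuditOperation = ($_.AuditOperation -join ';')
        RecreatedInDlp = $false   # hypothetical tracking column, updated by hand
    }
}

$inventory |
    Sort-Object Workload, Name |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Per-workload summary shows where most of the re-creation work sits.
$inventory |
    Group-Object Workload |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

Write-Host "Exported $($inventory.Count) alert policies to $OutFile"
```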

For any new alerting requirements, Microsoft recommend that you use the alerts functionality within Purview DLP.

Learn more about DLP Alert Policies here: Get started with data loss prevention alerts | Microsoft Learn 

Update 2: Update to Windows Autopatch diagnostic data collection levels and removal of Windows Autopatch data collection policy

Windows Diagnostics data settings must be configured for Windows Autopatch reports to accurately include devices and update status. Devices registered to Autopatch must be configured with at least the following diagnostic data collection level: Windows 10 and Windows 11 - Required.

With this change:

  • Windows Autopatch will cease to deploy and configure the Windows Data Diagnostics policy. Previously, as part of the Autopatch feature activation process, Windows Autopatch deployed a policy named Windows Autopatch - Data collection which set the Windows diagnostics data collection level to Optional (previously labeled as Full) for managed devices. You will be able to configure and maintain the Windows Diagnostics Data level policy in your environment. 
  • As part of the ongoing service maintenance Windows Autopatch will remove the Windows Autopatch - Data collection policy from tenants starting March 03, 2025, Pacific Standard Time. This change will be completed in 2 weeks. 

Action required:

Create and deploy a Windows Diagnostic data collection policy with at least the recommended minimum setting to all Autopatch devices prior to this change. You may see missing Client State and Client Substate values if your devices are not configured with the recommended Windows Diagnostics settings and level. Alternatively, you may already be covered with existing data collection policies in your environment.

TIP: You may want to consider using the Windows Autopatch - Devices All group which contains all of the active, registered devices presently in your Autopatch implementation across any and all Autopatch Groups. This is a service-managed group (subject to changes at any time). Not Registered devices will not appear in this Entra group.  


Update 3: (Updated) Upcoming changes to Defender for Identity activities and alerts in Defender for Cloud Apps experiences

Defender for Identity activities and alerts will retire from Defender for Cloud Apps and move to Microsoft Defender XDR services. This change starts in late January 2025 and completes in early May 2025. Users must prepare by creating new custom detections and updating resources accordingly. 

Updated February 10, 2025: Microsoft have updated the rollout timeline below. Thank you for your patience. 

As part of the convergence of both Microsoft Defender for Identity and Microsoft Defender for Cloud Apps into Microsoft Defender XDR services, Microsoft are continuing to move away from legacy experiences and enhancing the unified experiences. 

Therefore, Microsoft will gradually retire Defender for Identity's Active Directory and alerts data from Defender for Cloud Apps dedicated experiences. All data, as well as all functionality of the affected experiences, remain available through Microsoft Defender XDR unified experiences, where Microsoft will continue to invest its development resources.

When this will happen:  

General Availability (Worldwide, GCC, GCC High, DoD): This retirement will begin rolling out in late January 2025 and is expected to complete in early May 2025 (previously early March 2025). 

How this will affect your organization: 

The following changes may affect your organization:

Active Directory activities coming from Defender for Identity will no longer be available in Defender for Cloud Apps activity logs. Consequently, Defender for Cloud Apps activity policies will stop triggering based on Active Directory data.

All Active Directory activities data remains available through Advanced Hunting, in the following tables: 

  • IdentityLogonEvents 
  • IdentityDirectoryEvents 
  • IdentityQueryEvents 

To learn more about Advanced Hunting and the Data Schema, visit Proactively hunt for threats with advanced hunting in Microsoft Defender and Understand the advanced hunting schema.

New Active Directory activities, as well as Defender for Identity's alerts data, will no longer be available through Defender for Cloud Apps Activities API, Alerts API, or dedicated SIEM agents. 

All activities and alerts data remains available through Defender XDR Streaming API and Event Hubs. 

Learn more about Streaming API

For more information about how to integrate your SIEM tools with Microsoft Defender XDR, visit Ingesting streaming event data via Event Hubs

The Identities page under 'Assets' in the XDR portal will be updated to better support the new experiences. The page will be divided into two distinct tabs: First-party identities and Third-party accounts. On the User page, the "View related activity" action will no longer be available. To learn more about Defender for Identity's experiences in the XDR portal, visit Microsoft Defender for Identity in the Microsoft Defender portal.

What you need to do to prepare: 

To ensure a seamless experience, use Advanced Hunting to create new custom detections that replace any activity policies based on Active Directory data. To learn more about how to create custom detections, visit Create and manage custom detections rules. Suggested queries related to Active Directory activities are available through the portal under Advanced Hunting > Community Queries. For more information, see Use shared queries in Advanced Hunting.
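Before saving a replacement query as a custom detection rule, it helps to dry-run it and confirm it returns the columns a rule needs. The following is an added example, not Microsoft's code or part of the original post: it assumes the Microsoft.Graph.Authentication module and an account granted ThreatHunting.Read.All, and the failed-logon scenario and its thresholds are illustrative stand-ins for whatever your retired activity policy matched.

```powershell
# Added example: dry-run a candidate custom-detection query on IdentityLogonEvents.
# Assumes Microsoft.Graph.Authentication is installed and the signed-in account
# has ThreatHunting.Read.All. Scenario and thresholds are illustrative.

# Candidate replacement for an activity policy on failed Active Directory logons:
# one source IP failing against 10 or more distinct accounts in the last hour.
$kql = @'
IdentityLogonEvents
| where Timestamp > ago(1h)
| where Application == "Active Directory" and ActionType == "LogonFailed"
| summarize arg_max(Timestamp, ReportId, AccountSid, AccountUpn),
            FailedAccounts = dcount(AccountUpn),
            Attempts = count()
          by IPAddress, DeviceName
| where FailedAccounts >= 10
'@

Connect-MgGraph -Scopes 'ThreatHunting.Read.All'

# Microsoft Graph security API: run an advanced hunting query.
$response = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
    -Body (@{ Query = $kql } | ConvertTo-Json) `
    -ContentType 'application/json' `
    -OutputType PSObject

# Column names the query actually returned.
$returned = @($response.schema.name)

# A custom detection rule needs Timestamp, ReportId and a column identifying the
# impacted entity (the list here is the subset relevant to the identity tables).
$missing   = @('Timestamp', 'ReportId' | Where-Object { $_ -notin $returned })
$entityHit = @('AccountSid', 'AccountObjectId', 'AccountUpn', 'DeviceName' |
               Where-Object { $_ -in $returned })

[pscustomobject]@{
    RowsReturned    = @($response.results).Count
    MissingRequired = $missing -join ', '
    EntityColumns   = $entityHit -join ', '
    ReadyForRule    = ($missing.Count -eq 0 -and $entityHit.Count -gt 0)
}
```

The `arg_max(Timestamp, ReportId, ...)` term is what keeps `Timestamp` and `ReportId` in the output after aggregation; a plain `summarize count()` drops them, and the rule then cannot be saved.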

If you are still using Defender for Cloud Apps dedicated API and SIEM agents to consume Defender for Identity activities or alerts, make sure to update your resources according to the above information. 

 
