What’s new in DefenderXDR? 02/26

Status: Announced

Summary

Microsoft will retire the MDE and Defender XDR Advanced Hunting APIs and migrate all customers to the Microsoft Graph Security API. After February 1, 2027, the legacy APIs will stop functioning.

Key Details

• Timeline

  • Retirement start: Feb 6, 2026

  • Full retirement: Feb 1, 2027 (APIs cease to work)

• Impact

  • All scripts, automations, and integrations using the old hunting APIs will fail.

  • No automatic migration; manual rewrite required.

  • Graph Security API becomes the single supported interface.

• Who’s affected

  • Any organization consuming MDE/XDR hunting APIs for SIEM/SOAR, dashboards, custom tooling, or KQL-based automation.

Required Actions

• Migrate all workflows to the Microsoft Graph Security API before Jan 31, 2027.

Learn more:
MC1220762

Status: GA rollout planned

Summary

With platform release 4.18.25110.6, devices managed via MDE configuration management will no longer store readable antivirus exclusion values in the local registry. Exclusions must be retrieved using supported Microsoft Defender PowerShell cmdlets like Get-MpPreference.

Key Details

• Timeline

  • Rollout: Early March 2026

  • Completion: Late March 2026

• Impact

  • Registry-based reading of AV exclusions will no longer work.

  • Monitoring tools or scripts querying registry paths will return incomplete data.

  • Supported cmdlets (Get-MpPreference, Get-MpComputerStatus) become the required retrieval method.

  • Devices not using MDE configuration management remain unaffected.

  • Feature is enabled by default for all tenants using MDE config management.

Who’s affected

• • Organizations using Defender for Endpoint configuration management.

  • Admins relying on registry-based monitoring of AV configuration settings.

Required Actions

• Update monitoring workflows to use supported PowerShell cmdlets.

Learn more:

MC1227621

Status: Public Preview

Summary

Microsoft Defender XDR introduces six new Microsoft‑curated alert tuning rules for Defender for Endpoint (MDE). The goal: reduce low‑priority or informational endpoint alerts hitting SOC queues.

Key Details

• Timeline

  • Feb 8, 2026: Rules become visible in Preview

  • Feb 8–18, 2026: Visible, inactive — review/opt‑out window

  • Feb 18, 2026: Rules activate by default

• Impact

  • Fewer low‑value endpoint alerts in alert/incident queues.

  • Alerts can be automatically Resolved or re‑classified as Behavior (no incident creation, but still available for investigation/hunting).

  • All rules remain fully transparent and manageable in:
    Settings → Microsoft Defender XDR → Alert Tuning

Required Actions

• No changes needed if you want the default behavior.

• To opt out, review and disable the new rules between Feb 8–18 (or any time afterward).

Learn more

MC1228325

Status: General Availability

Summary

Defender for Identity expands its identity inventory with new capabilities that improve correlation across directories and simplify investigations. The update introduces a consolidated accounts view, manual account linking, identity‑level remediation, and a new Advanced Hunting table.

Key Details

• Accounts Tab (New)

  • Consolidated view of all accounts tied to an identity.

  • Covers Active Directory, Microsoft Entra ID, and supported non‑Microsoft IDPs.

  • Useful for building full identity context across hybrid environments.

• Manual Link/Unlink

  • Administrators can manually link or unlink accounts directly in the Accounts tab.

  • Helps align identity objects across different directory sources.

  • Supports more accurate entity resolution during investigations.

• Identity‑Level Remediation Actions

  • Perform remediation directly at the identity level, including:

    • Disable accounts

    • Reset passwords

  • Applies to one or multiple linked accounts in a single action.

• New Advanced Hunting Table: IdentityAccountInfo

  • Provides account metadata from multiple sources.

  • Includes relationships to the underlying identity entity.

  • Supports correlation across MDI, Entra ID, and endpoint signals.

Learn more:
MSLearn

Status: Preview

Summary

Defender for Identity adds two new posture assessments that surface identity‑related risks in hybrid environments: stale AD accounts and dual‑privileged Entra ID/AD identities.

Key Details

• Stale Active Directory Accounts

  • Flags AD user accounts that have not logged in for 90+ days.

  • Helps identify unused or abandoned accounts that increase lateral‑movement risk.

  • Useful for cleanup workflows and conditional access refinement.

  • More info: Security posture assessment: Remove stale Active Directory accounts

• Privileged Accounts in Both Entra ID and Active Directory

  • Identifies users who hold privileged roles in Entra ID and privileged roles in AD.

  • Highlights risky dual‑admin configurations common in hybrid identity setups.

  • Supports investigations and privilege reduction efforts.

Learn more:

MSLearn

Status: Rollout (January 2026)

Summary

Defender for Cloud Apps updates the Microsoft 365 connector configuration page, introducing revised default values and a clearer layout for newly created connectors. The changes help ensure required Microsoft Entra signals are enabled so SaaS Identity related features (Discovery, Threat Protection, Response, Posture insights) receive the data they depend on.

Key Details

• Timeline

  • Rollout starts mid‑January 2026

  • Completion expected late January 2026

• Impact

  • Existing connectors remain unchanged (for privacy/compliance reasons).

  • Only new Microsoft 365 connectors receive the updated defaults.

  • Revised UI provides better visibility into required Entra permissions.

  • Restrictive connector settings may reduce detection coverage and posture accuracy.

Who’s affected

• • Admins configuring or managing Microsoft 365 connectors in Defender for Cloud Apps.

Required Actions

• Review existing Microsoft 365 connector settings:

  • Go to: Microsoft Security platform → Settings → Cloud apps → App connectors → Microsoft 365 → Edit settings

  • Ensure all required checkboxes are enabled (all except “Microsoft 365 files”).

Learn more:
MC1217650

Status: Preview

Summary

Microsoft Defender XDR introduces a new built‑in alert tuning experience for Defender for Office 365 (MDO). The feature becomes visible on January 25, 2026, with tuning rules activating on February 5, 2026. The goal is to reduce low‑value MDO alerts and streamline SOC queues through automated triage.

Key Details

• Timeline

  • Feb 5, 2026: Built‑in tuning becomes active

• What goes live on Feb 5

  • Initial rule set: 12 built‑in rules targeting informational/low‑severity MDO alerts

  • Automated investigation: Selected alerts trigger AIR playbooks automatically

  • Reopen logic: If AIR determines analyst review is needed, the alert reopens as New

• Included MDO Alert Types (12 Rules)

  • User submitted junk / not junk / malware / phish

  • User requested to release a quarantined message

  • Tenant Allow/Block List expiry or removal events

  • Email messages removed post‑delivery (standard, campaign, malicious file, malicious URL)

  • Admin Submission completed

  • Admin-triggered manual email investigation

• Impact

  • SOC queues become less cluttered with low‑severity events.

  • Alerts handled automatically still remain available for investigation/hunting.

  • Full control retained — rules visible and manageable under Alert Tuning.

Required Actions

• No action required if you want to use the streamlined default experience.

Learn more:
MC1222979

Status: Available

Summary

Zero‑hour auto‑purge (ZAP) and Teams admin‑managed quarantine are now included in Microsoft Defender for Plan 1. This brings post‑delivery protection capabilities—previously limited to higher licensing tiers—to customers using Plan 1.

Key Details

• ZAP for Plan 1

  • Automatically removes malicious emails after delivery if they become classified as malware, phishing, or spam.

  • Helps close gaps where messages evade initial detection.

• Teams Admin Quarantine

  • Admins can review and manage quarantined Teams messages.

  • Supports response workflows when suspicious or harmful content is detected post‑delivery.

• Impact

  • Plan 1 tenants gain automatic post‑delivery cleanup across email and Teams.

  • SOC teams get more consistent remediation capabilities regardless of licensing tier.

• Who’s affected

  • Organizations using Microsoft Defender for Office 365 Plan 1.

Learn more:
MSLearn

Status: Announced

Summary

Microsoft Defender for Android is aligning with the Android platform lifecycle and its enterprise‑first strategy. Two changes take effect in March 2026: end of support for Android 10, and retirement of Defender protection in personal profiles on enrolled devices. Work‑profile and MAM‑based protection remain fully supported.

Key Details

• Timeline

  • Android 10 support ends: March 31, 2026

  • Personal‑profile protection retirement: Mid → late March 2026 rollout

• Impact

  • Android 10 devices

    • Defender continues to run but receives no new features, no security fixes, no technical support.

    • New installations on Android 10 will no longer be available.

    • Devices upgraded to Android 11+ continue to be fully supported.

  • Personal profile on enrolled devices

    • Defender will no longer support, monitor, or manage personal profiles configured via MDM.

    • Defender will continue to protect the work profile and unenrolled MAM‑enabled devices.

    • Goal is to strengthen enterprise data protection while preserving user privacy through Android’s profile isolation.

• Who’s affected

  • Organizations with devices still running Android 10.

  • Tenants using MDE on Android with Defender deployed in personal profiles via MDM policies.

Required Actions

• For Android 10

  • Identify Android 10 devices via your management tooling.

  • Encourage OS upgrades to Android 11+ or replace unsupported devices.

• For Personal‑Profile Retirement

  • No action required

Learn more:
MC1222977
MC1221927