{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreic5hs4ukudaprwkstwnl3xycousirdaneqfefus77lkdmzoqweyce",
"uri": "at://did:plc:xxrzfynfiasdpbxteqxi4jgq/app.bsky.feed.post/3mhcbxqi6iaj2"
},
"description": "Microsoft Defender for Cloud Apps will retire select IaaS and PaaS threat detections by mid-May 2026 due to low impact, focusing on identity-related threats. Affected alerts and policies will be removed, but historical data remains accessible. No admin action is required, though updating related ...",
"path": "/m365-message-center/message/mc1254554/",
"publishedAt": "2026-03-18T01:00:07.000Z",
"site": "https://blog.tophhie.cloud",
"textContent": "🚨\n\n**Major Update:** This post contains a significant change that may impact your organisation.\n\n**[Introduction]**\n\nMicrosoft Defender for Cloud Apps is retiring a small set of **Infrastructure as a Service (IaaS)** and **Platform as a Service (PaaS) threat detections**. These detections no longer align with the current threat protection scope of Defender for Cloud Apps, which is focused on **identity-related threats across Entra, on‑premises, and SaaS environments**.\n\nFollowing internal review, these detections are being retired due to low prevalence and low customer impact, allowing us to focus engineering investment on higher-value and more common threat scenarios.\n\n**[When this will happen:]**\n\nGeneral Availability (Worldwide, GCC, GCC High, DoD): Retirement begins **early May 2026** and is expected to complete by **mid‑May 2026**.\n\n**[How this affects your organization:]**\n\n**Who is affected:**\n\n * Administrators using **Microsoft Defender for Cloud Apps**\n * Organizations that rely on the affected IaaS and PaaS detections\n\n\n\n**What will happen:**\n\n**Alerts**\n\n * Suspicious creation activity for cloud region\n * Suspicious change of CloudTrail logging service\n * Multiple storage deletion activities\n\n\n\n**Behaviors**\n\n * Multiple virtual machine (VM) creation activities\n * Multiple delete VM activities\n\n\n\n**After the phase‑out**\n\n * These detections will no longer generate alerts or behaviors.\n * The related built‑in policies will be removed from the **Policy management** page.\n * Alerts and behaviors already generated will **not be deleted** and will remain available in:\n   * **Alerts** and **Incidents** pages\n   * **Advanced Hunting** tables (for historical investigation and auditing)\n * Any existing alert links that previously pointed to these policies will indicate that the policy has been deleted.\n\n\n\n**[What you can do to prepare:]**\n\n * No admin action is required.\n * If you currently reference these detections in operational processes, playbooks, or documentation, we recommend reviewing and updating those materials ahead of the removal date.\n\n\n\n**[Compliance considerations:]**\n\nThis change modifies how admins can monitor and report on specific Defender for Cloud Apps detections. Historical alert and hunting data remains available for auditing.",
"title": "MC1254554: Upcoming retirement of select threat detections in Microsoft Defender for Cloud Apps",
"updatedAt": "2026-03-18T01:00:07.442Z"
}