MC1187386: Microsoft Defender for Identity alerts transitioning to XDR-based detection platform
Microsoft Defender for Identity classic alerts will transition to the XDR detection platform starting mid-December 2025, improving detection accuracy. Admins must update workflows, use new Detector IDs, and reconfigure alert exclusions with XDR Alert Tuning rules. The rollout completes by early J...
[Introduction]
Microsoft Defender for Identity classic alerts will transition to the XDR detection platform in mid-December 2025. This change improves detection accuracy and performance and aligns with our efforts to enhance security across environments.
[When this will happen:]
General availability (Production, GCC, and DoD): Rollout will begin in mid-December 2025 and is expected to complete in early January.
[How this affects your organization:]
Who is affected: Admins managing Microsoft Defender for Identity alerts and workflows.
What will happen:
- Classic MDI alerts will move to the XDR detection platform.
- Detector IDs will change for specific alerts.
- Alert exclusions configured in MDI must be reconfigured using XDR Alert Tuning rules.
Affected alerts and new Detector IDs:
| Alert Title | Detector ID |
|---|---|
| Suspected brute-force attack (Kerberos, NTLM) | xdr_OnPremBruteforce |
| Suspected password spray attack (Kerberos, NTLM) | xdr_OnPremPasswordSpray |
| Anomalous SAMR activity | xdr_SamrReconnaissanceSecurityAlert |
[What you can do to prepare:]
Action required:
- Update workflows and automation to use the new XDR Detector IDs.
- Reconfigure any alert exclusions using XDR Alert Tuning rules.
- Communicate this change to your security and operations teams.
- Review Microsoft documentation for XDR Alert Tuning configuration.
[Compliance considerations:]
No compliance considerations have been identified; review as appropriate for your organization.