MC1190195: Upcoming Changes to Entra Identity Protection Alert Settings in Defender XDR

[Introduction]

To improve alert clarity and reduce fatigue, Microsoft Defender XDR is introducing enhanced configuration options for identity-related alerts from Entra ID Protection. These updates are based on customer feedback requesting more granular control over risk-based alerting.

[When this will happen]

This change will begin rolling out as a public preview starting December 11, 2025.

[How this affects your organization]

• Who is affected:
  • Admins using Microsoft Defender XDR with Entra ID Protection.
• What will happen:
  • New alert configuration options will be available in the Defender XDR portal.
  • Alert ingestion logic will now be explicitly tied to Entra ID Protection risk levels.
  • Admins can choose which alerts to ingest into Defender XDR based on:
    • High risk detections only
    • High + Medium risk detections
    • All detections
  • Updated UI strings and visuals will improve clarity and usability.
  • The default setting is changing from ingesting alerts of all severities to ingesting only alerts with severity = High. As a result, you may notice a reduction in alert volume, and some alert types will no longer be ingested into Defender XDR. You can always change the default setting to any of the other options - High + Medium or All detections, according to your organization’s needs.

[What you can do to prepare]

• No immediate action is required.
• If you wish to explore the new configuration options:
  • Visit the Microsoft Defender XDR portal after December 11, 2025.
  • Review and adjust alert settings based on your organization’s risk tolerance.
  • Share this update with your security operations team.
  • Learn more: Microsoft Defender XDR alert settings

[Compliance considerations]

No compliance considerations identified, review as appropriate for your organization.