What's new in Defender for Cloud features
This article summarizes what's new in Microsoft Defender for Cloud. It includes information about new features in preview or in general availability (GA), feature updates, upcoming feature plans, and deprecated functionality.
This page is updated frequently with the latest updates in Defender for Cloud.
Find the latest information about security recommendations and alerts in What's new in recommendations and alerts.
Tip
Get notified when this page is updated by copying and pasting the following URL into your feed reader:
https://aka.ms/mdc/rss
October 2024
| Date | Category | Update |
|---|---|---|
| October 6 | Preview | Kubernetes Identity and Access information in the security graph |
Kubernetes Identity and Access information in the security graph (preview)
October 6, 2024
Kubernetes Identity and Access information is added to the security graph, including nodes that represent all Kubernetes Role Based Access Control (RBAC) related entitles (service accounts, roles, role bindings, etc.), and edges that represent the permissions between Kubernetes objects. Customers can now query the security graph for their Kubernetes RBAC, and related relationships between Kubernetes entities (Can Authenticate As, Can Impersonate As, Grants Role, Access Defined By, Grants Access To, Has Permission To, etc.)
Full discovery of container images in supported registries
October 6, 2024
Defender for Cloud now collects inventory data for all container images in supported registries, providing full visibility within the security graph to all images in your cloud environments, including images that currently don't have any posture recommendations.
Querying capabilities through the Cloud Security Explorer are improved so users can now search for container images based on their metadata (digest, repository, OS, tag, and etc.)
September 2024
| Date | Category | Update |
|---|---|---|
| September 22 | Upcoming change | Cloud security explorer experience improvements |
| September 18 | Deprecation | Deprecation of MMA auto-provisioning capability |
| September 15 | GA | Integration with Power BI |
| September 9 | Deprecation | Defender for Servers feature deprecation |
Cloud security explorer experience improvements
September 22, 2024
Estimated date for change: October 2024
The Cloud Security Explorer is set to improve performance and grid functionality, provide more data enrichment on each cloud asset, improve search categories, and improve CSV export report with more insights on the exported cloud assets.
Deprecation of MMA auto-provisioning capability
September 18, 2024 As part of the MMA agent retirement, the auto provisioning capability that provides the installation and configuration of the agent for MDC customers, will be deprecated as well in 2 stages:
By the end of September 2024- auto provisioning of MMA will be disabled for customers that are no longer using the capability, as well as for newly created subscriptions. After end of September, the capability will no longer be able to be re-enable on those subscriptions.
End of November 2024- auto provisioning of MMA will be disabled on subscriptions that have not yet switched it off. From that point forward, it can no longer be possible to enable the capability on existing subscriptions.
Integration with Power BI
September 15, 2024
Defender for Cloud can now integrate with Power BI. This integration allows you to create custom reports and dashboards using the data from Defender for Cloud. You can use Power BI to visualize and analyze your security posture, compliance, and security recommendations.
Learn more about the new integration with Power BI.
Defender for Servers feature deprecation
September 9, 2024
Both Adaptive application controls, and Adaptive network hardening are now deprecated.
August 2024
| Date | Category | Update |
|---|---|---|
| August 1 | GA | Enable Microsoft Defender for SQL servers on machines at scale |
Enable Microsoft Defender for SQL servers on machines at scale
August 1, 2024
You can now enable Microsoft Defender for SQL servers on machines at scale. This feature allows you to enable Microsoft Defender for SQL on multiple servers at once, saving time and effort.
Learn how to enable Microsoft Defender for SQL servers on machines at scale.
July 2024
| Date | Category | Update |
|---|---|---|
| July 18 | Upcoming update | Deprecation of MMA-related features as part of agent retirement |
| July 15 | Preview | Binary Drift Public Preview in Defender for Containers |
| July 11 | Upcoming update | GitHub application permissions update |
| July 10 | GA | Compliance standards are now GA |
| July 9 | Upcoming update | Inventory experience improvement |
| July 8 | Upcoming update | Container mapping tool to run by default in GitHub |
Deprecation of MMA-related features as part of agent retirement
July 18, 2024
Estimated date for change: August 2024
As part of the deprecation of the Microsoft Monitoring Agent (MMA) and the updated Defender for Servers deployment strategy, all security features for Defender for Servers will now be provided through a single agent, or via agentless scanning capabilities. This won't require dependence on either the MMA or Azure Monitoring Agent (AMA).
As we approach the agent's retirement in August 2024, the following MMA-related features will be removed from the Defender for Cloud portal:
- Display of MMA installation status on the Inventory and Resource Health blades.
- The capability to onboard new non-Azure servers to Defender for Servers via Log Analytics workspaces will be removed from both the Inventory and Getting Started blades.
Note
We recommend that current customers, who have onboarded on-premises servers using the legacy approach, should now connect these machines via Azure Arc-enabled servers. We also recommend enabling the Defender for Servers Plan 2 on the Azure subscriptions to which these servers are connected.
These steps will ensure there is no loss of security coverage due to the retirement of the Log Analytics agent.
You can use this custom workbook to keep track of your Log Analytics Agent (MMA) estate and monitor the deployment status of Defender for Servers across Azure VMs and Azure Arc machines.
Binary Drift public preview now available in Defender for Containers
We are introducing the public preview of Binary Drift for Defender for Containers. This feature aids in identifying and mitigating potential security risks associated with unauthorized binaries in your containers. Binary Drift autonomously identifies and sends alerts about potentially harmful binary processes within your containers. Furthermore, it allows the implementation of a new Binary Drift Policy to control alert preferences, offering the ability to tailor notifications to specific security needs.
GitHub application permissions update
July 11, 2024
Estimated date for change: July 18, 2024
DevOps security in Defender for Cloud is constantly making updates that require customers with GitHub connectors in Defender for Cloud to update the permissions for the Microsoft Security DevOps application in GitHub.
As part of this update, the GitHub application will require GitHub Copilot Business read permissions. This permission will be used to help customers better secure their GitHub Copilot deployments. We suggest updating the application as soon as possible.
Permissions can be granted in two different ways:
In your GitHub organization, navigate to the Microsoft Security DevOps application within Settings > GitHub Apps and accept the permissions request.
In an automated email from GitHub Support, select Review permission request to accept or reject this change.
Inventory experience improvement
July 9, 2024
Estimated date for change: July 11, 2024
The inventory experience will be updated to improve performance, including improvements to the blade's 'Open query' query logic in Azure Resource Graph. Updates to the logic behind Azure resource calculation may result in additional resources counted and presented.
Container mapping tool to run by default in GitHub
July 8, 2024
Estimated date for change: August 12, 2024
With DevOps security capabilities in Microsoft Defender Cloud Security Posture Management (CSPM), you can map your cloud-native applications from code to cloud to easily kick off developer remediation workflows and reduce the time to remediation of vulnerabilities in your container images. Currently, you must manually configure the container image mapping tool to run in the Microsoft Security DevOps action in GitHub. With this change, container mapping will run by default as part of the Microsoft Security DevOps action. Learn more about the Microsoft Security DevOps action.
June 2024
| Date | Category | Update |
|---|---|---|
| June 10 | Upcoming update | SQL vulnerability assessment automatic enablement using express configuration on unconfigured servers. Estimated update: July 10, 2024. |
| June 3 | Upcoming update | Changes in identity recommendations behavior Estimated update: July 10 2024. |
Update: SQL vulnerability assessment automatic enablement
June 10, 2024
Estimated date for change: July 10, 2024
Originally, SQL Vulnerability Assessment (VA) with Express Configuration was only automatically enabled on servers where Microsoft Defender for SQL was activated after the introduction of Express Configuration in December 2022.
We will be updating all Azure SQL Servers that had Microsoft Defender for SQL activated before December 2022 and had no existing SQL VA policy in place, to have SQL Vulnerability Assessment (SQL VA) automatically enabled with Express Configuration.
- The implementation of this change will be gradual, spanning several weeks, and does not require any action on the user’s part.
- This change applies to Azure SQL Servers where Microsoft Defender for SQL was activated at the Azure subscription level.
- Servers with an existing classic configuration (whether valid or invalid) will not be affected by this change.
- Upon activation, the recommendation ‘SQL databases should have vulnerability findings resolved’ may appear and could potentially impact your secure score.
Update: Changes in identity recommendations behavior
June 3, 2024
Estimated date for change: July 2024
These changes:
- The assessed resource will become the identity instead of the subscription
- The recommendations won't have 'sub-recommendations' anymore
- The value of the 'assessmentKey' field in the API will be changed for those recommendations
Will be applied to the following recommendations:
- Accounts with owner permissions on Azure resources should be MFA enabled
- Accounts with write permissions on Azure resources should be MFA enabled
- Accounts with read permissions on Azure resources should be MFA enabled
- Guest accounts with owner permissions on Azure resources should be removed
- Guest accounts with write permissions on Azure resources should be removed
- Guest accounts with read permissions on Azure resources should be removed
- Blocked accounts with owner permissions on Azure resources should be removed
- Blocked accounts with read and write permissions on Azure resources should be removed
- A maximum of 3 owners should be designated for your subscription
- There should be more than one owner assigned to your subscription
May 2024
| Date | Category | Update |
|---|---|---|
| May 22 | Update | Configure email notifications for attack paths |
| May 21 | Update | Advanced hunting in Microsoft Defender XDR includes Defender for Cloud alerts and incidents |
| May 2 | Update | Security policy management. |
Update: Configure email notifications for attack paths
May 22, 2024
You can now configure email notifications when an attack path is detected with a specified risk level or higher. Learn how to configure email notifications.
Update: Advanced hunting in Microsoft Defender XDR includes Defender for Cloud alerts and incidents
May 21, 2024
Defender for Cloud's alerts and incidents are now integrated with Microsoft Defender XDR and can be accessed in the Microsoft Defender Portal. This integration provides richer context to investigations that span cloud resources, devices, and identities. Learn about advanced hunting in XDR integration.
GA: Security policy management
May 2, 2024
Security policy management is now generally available. This enables security teams to manage their security policies in a consistent way and with new features
Learn more about security policies in Microsoft Defender for Cloud.
April 2024
| Date | Category | Update |
|---|---|---|
| April 16 | Upcoming update | Change in CIEM assessment IDs. Estimated update: May 2024. |
| April 3 | Update | Defender for open-source relational databases updates. |
Update: Change in CIEM assessment IDs
April 16, 2024
Estimated date for change: May 2024
The following recommendations are scheduled for remodeling, which will result in changes to their assessment IDs:
Azure overprovisioned identities should have only the necessary permissionsSuper identities in your Azure environment should be removedUnused identities in your Azure environment should be removed
Update: Defender for Open-Source Relational Databases
April 3, 2024
- Defender for PostgreSQL Flexible Servers post-GA updates - The update enables customers to enforce protection for existing PostgreSQL flexible servers at the subscription level, allowing complete flexibility to enable protection on a per-resource basis or for automatic protection of all resources at the subscription level.
- Defender for MySQL Flexible Servers Availability and GA - Defender for Cloud expanded its support for Azure open-source relational databases by incorporating MySQL Flexible Servers.
This release includes:
- Alert compatibility with existing alerts for Defender for MySQL Single Servers.
- Enablement of individual resources.
- Enablement at the subscription level.
- Updates for Azure Database for MySQL flexible servers are rolling out over the next few weeks. If you see the error
The server <servername> is not compatible with Advanced Threat Protection, you can either wait for the update, or open a support ticket to update the server sooner to a supported version.
If you're already protecting your subscription with Defender for open-source relational databases, your flexible server resources are automatically enabled, protected, and billed. Specific billing notifications have been sent via email for affected subscriptions.
Learn more about Microsoft Defender for open-source relational databases.
March 2024
| Date | Category | Update |
|---|---|---|
| March 31 | GA | Windows container images scanning |
| March 25 | Update | Continuous export now includes attack path data |
| March 17 | Preview | Custom recommendations based on KQL for Azure. |
| March 13 | Update | Inclusion of DevOps recommendations in the Azure cloud security benchmark |
| March 6 | Preview | Compliance standards added to compliance dashboard |
| March 6 | Upcoming update | Defender for open-source relational databases updates Expected: April, 2024 |
| March 3 | Upcoming update | Changes in where you access Compliance offerings and Microsoft Actions Expected: September 2025 |
| March 3 | Deprecation | Defender for Cloud Containers Vulnerability Assessment powered by Qualys retirement |
| March 3 | Upcoming update | Changes in where you access Compliance offerings and Microsoft Actions. Estimated deprecation: September 30, 2025. |
GA: Windows container images scanning
March 31, 2024
We're announcing the general availability (GA) of the Windows container images support for scanning by Defender for Containers.
Update: Continuous export now includes attack path data
March 25, 2024
We're announcing that continuous export now includes attack path data. This feature allows you to stream security data to Log Analytics in Azure Monitor, to Azure Event Hubs, or to another Security Information and Event Management (SIEM), Security Orchestration Automated Response (SOAR), or IT classic deployment model solution.
Learn more about continuous export.
Preview: Custom recommendations based on KQL for Azure
March 17, 2024
Custom recommendations based on KQL for Azure are now in public preview, and supported for all clouds. For more information, see Create custom security standards and recommendations.
Preview: Compliance standards added to compliance dashboard
March 6, 2024
Based on customer feedback, we've added compliance standards in preview to Defender for Cloud.
Check out the full list of supported compliance standards
We are continuously working on adding and updating new standards for Azure environment.
Learn how to assign a security standard.
Update: Defender for open-source relational databases updates
March 6, 2024**
Estimated date for change: April, 2024
Defender for PostgreSQL Flexible Servers post-GA updates - The update enables customers to enforce protection for existing PostgreSQL flexible servers at the subscription level, allowing complete flexibility to enable protection on a per-resource basis or for automatic protection of all resources at the subscription level.
Defender for MySQL Flexible Servers Availability and GA - Defender for Cloud is set to expand its support for Azure open-source relational databases by incorporating MySQL Flexible Servers. This release will include:
- Alert compatibility with existing alerts for Defender for MySQL Single Servers.
- Enablement of individual resources.
- Enablement at the subscription level.
If you're already protecting your subscription with Defender for open-source relational databases, your flexible server resources are automatically enabled, protected, and billed. Specific billing notifications have been sent via email for affected subscriptions.
Learn more about Microsoft Defender for open-source relational databases.
Update: Changes to Compliance Offerings and Microsoft Actions settings
March 3, 2024
Estimated date for change: September 30, 2025
On September 30, 2025, the locations where you access two preview features, Compliance offering and Microsoft Actions, will change.
The table that lists the compliance status of Microsoft's products (accessed from the Compliance offerings button in the toolbar of Defender's regulatory compliance dashboard). After this button is removed from Defender for Cloud, you'll still be able to access this information using the Service Trust Portal.
For a subset of controls, Microsoft Actions was accessible from the Microsoft Actions (Preview) button in the controls details pane. After this button is removed, you can view Microsoft Actions by visiting Microsoft’s Service Trust Portal for FedRAMP and accessing the Azure System Security Plan document.
Update: Changes in where you access Compliance offerings and Microsoft Actions
March 3, 2024**
Estimated date for change: September 2025
On September 30, 2025, the locations where you access two preview features, Compliance offering and Microsoft Actions, will change.
The table that lists the compliance status of Microsoft's products (accessed from the Compliance offerings button in the toolbar of Defender's regulatory compliance dashboard). After this button is removed from Defender for Cloud, you'll still be able to access this information using the Service Trust Portal.
For a subset of controls, Microsoft Actions was accessible from the Microsoft Actions (Preview) button in the controls details pane. After this button is removed, you can view Microsoft Actions by visiting Microsoft’s Service Trust Portal for FedRAMP and accessing the Azure System Security Plan document.
Deprecation: Defender for Cloud Containers Vulnerability Assessment powered by Qualys retirement
March 3, 2024
The Defender for Cloud Containers Vulnerability Assessment powered by Qualys is being retired. The retirement will be completed by March 6, and until that time partial results may still appear both in the Qualys recommendations, and Qualys results in the security graph. Any customers who were previously using this assessment should upgrade to Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management.
February 2024
| Date | Category | Update |
|---|---|---|
| February 26 | Update | Cloud support for Defender for Containers |
| February 20 | Update | New version of Defender sensor for Defender for Containers |
| February 18 | Update | Open Container Initiative (OCI) image format specification support |
| February 5 | Upcoming update | Decommissioning of Microsoft.SecurityDevOps resource provider Expected: March 6, 2024 |
Update: Cloud support for Defender for Containers
February 26, 2024
Azure Kubernetes Service (AKS) threat detection features in Defender for Containers are now fully supported in Azure China 21Vianet cloud. Review supported features.
Update: New version of Defender sensor for Defender for Containers
February 20, 2024
A new version of the Defender sensor for Defender for Containers is available. It includes performance and security improvements, support for both AMD64 and Arm64 arch nodes (Linux only), and uses Inspektor Gadget as the process collection agent instead of Sysdig. The new version is only supported on Linux kernel versions 5.4 and higher, so if you have older versions of the Linux kernel, you need to upgrade. Support for Arm64 is only available from AKS V1.29 and above. For more information, see Supported host operating systems.
Update: Open Container Initiative (OCI) image format specification support
February 18, 2024
The Open Container Initiative (OCI) image format specification is now supported by vulnerability assessment, powered by Microsoft Defender Vulnerability Management for Azure.
Update: Decommissioning of Microsoft.SecurityDevOps resource provider
February 5, 2024
Estimated date for change: March 6, 2024
Microsoft Defender for Cloud is decommissioning the resource provider Microsoft.SecurityDevOps that was used during public preview of DevOps security, having migrated to the existing Microsoft.Security provider. The reason for the change is to improve customer experiences by reducing the number of resource providers associated with DevOps connectors.
Customers that are still using the API version 2022-09-01-preview under Microsoft.SecurityDevOps to query Defender for Cloud DevOps security data will be impacted. To avoid disruption to their service, customer will need to update to the new API version 2023-09-01-preview under the Microsoft.Security provider.
Customers currently using Defender for Cloud DevOps security from Azure portal won't be impacted.
For details on the new API version, see Microsoft Defender for Cloud REST APIs.