What's new in Defender for Cloud recommendations, alerts, and incidents

Important

Attention: All Microsoft Defender for Cloud features will be officially retired in Azure in China region on August 18, 2026 per the announcement posted by 21Vianet.

This article summarizes what's new in security recommendations, alerts, and incidents in Microsoft Defender for Cloud. It includes information about new, modified, and deprecated recommendations and alerts.

  • This page is updated frequently with the latest recommendations and alerts in Defender for Cloud.

  • Recommendations older than six months are found in the relevant recommendations reference list.

  • Find the latest information about new and updated Defender for Cloud features in What's new in Defender for Cloud features.

Tip

Get notified when this page is updated by copying and pasting the following URL into your feed reader: https://aka.ms/mdc/rss-recommendations-alerts

Recommendations, alerts, and incidents updates

New and updated recommendations, alerts, and incidents are added to the table in date order.

Date announced | Type | State | Name

March 04, 2026 | Recommendation | Upcoming deprecation
The following grouped container vulnerability recommendations are set for deprecation on April 13, 2026:

Container recommendations:
* [Preview] Containers running in Azure should have vulnerability findings resolved

Container image recommendations:
* [Preview] Container images in Azure registry should have vulnerability findings resolved

These grouped recommendations are being replaced by individual recommendations that provide more granular visibility, better prioritization, and improved governance. Learn more in Deprecation of preview of container and container images vulnerability recommendations.
February 24, 2026 | Recommendation | GA
The following data recommendations are GA:

- Storage accounts should restrict network access using virtual network rules.
- Storage account should use a private link connection.
- Storage accounts should prevent shared key access.
February 16, 2026 | Recommendation | Upcoming deprecation (March 19, 2026)
The preview recommendation Machines should be configured securely (powered by MDVM), which applied to Windows machines, is set for deprecation. It is set to be replaced by the following OS-specific recommendations, which add Linux support using Guest Configuration:

- Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)
- Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)

These replacement recommendations are already available in Defender for Cloud.

If you have governance rules, reports, or workflows that reference the deprecated recommendation, update them to use the replacement recommendations. To ensure the new recommendations can assess your machines, verify that the required prerequisites are in place:

- Azure machines should have the Azure Machine Configuration extension installed.
- Non-Azure machines should be onboarded via Azure Arc, which includes the Machine Configuration extension by default.
February 10, 2026 | Recommendation | Preview
The following recommendations are released in Preview:
* Execute permissions on xp_cmdshell from all users (except dbo) should be revoked for SQL Servers
* Latest updates should be installed for SQL Servers
* Database user GUEST should not be a member of any role in SQL databases
* Ad hoc distributed queries should be disabled for SQL Servers
* CLR should be disabled for SQL Servers
* Untracked trusted assemblies should be removed for SQL Servers
* Database ownership chaining should be disabled for all databases except for 'master', 'msdb' and 'tempdb' on SQL Servers
* Principal GUEST should not have access to any user SQL database
* Remote Admin Connections should be disabled unless specifically required for SQL databases
* Default trace should be enabled for SQL Servers
* CHECK_POLICY should be enabled for all SQL logins for SQL Servers
* Password expiration check should be enabled for all SQL logins on SQL Servers
* Database principals should not be mapped to the sa account in SQL databases
* AUTO_CLOSE should be disabled for SQL databases
* BUILTIN\Administrators should be removed as a server login for SQL Servers
* Account with default name 'sa' should be renamed and disabled on SQL Servers
* Excessive permissions should not be granted to PUBLIC role on objects or columns in SQL databases
* 'sa' login should be disabled for SQL Servers
* xp_cmdshell should be disabled for SQL Servers
* Unused service broker endpoints should be removed for SQL Servers
* Database Mail XPs should be disabled when it is not in use on SQL Servers
* Server permissions shouldn't be granted directly to principals for SQL Servers
* Database users shouldn't share the same name as a server login for Model SQL database
* 'Scan for startup stored procedures' option should be disabled for SQL Servers
* Authentication mode should be Windows Authentication for SQL Servers
* Auditing of both successful and failed login attempts (default trace) should be enabled when 'Login auditing' is set up to track logins for SQL Servers
* SQL Server instance shouldn't be advertised by the SQL Server Browser service for SQL Servers
* Maximum number of error logs should be 12 or more for SQL Servers
* Database permissions shouldn't be granted directly to principals for SQL Servers
* Excessive permissions should not be granted to PUBLIC role in SQL databases
* Principal GUEST should not be granted permissions in SQL databases
* Principal GUEST should not be granted permissions on objects or columns in SQL databases
* AES encryption should be required for any Existing Mirroring or SSB endpoint on SQL Databases
* GUEST user should not be granted permissions on SQL database securables
* The Trustworthy bit should be disabled on all databases except MSDB for SQL Databases
* 'dbo' user should not be used for normal service operation in SQL databases
* Only 'dbo' should have access to Model SQL database
* Transparent data encryption should be enabled for SQL databases
* Database communication using TDS should be protected through TLS for SQL Servers
* Database Encryption Symmetric Keys should use AES algorithm in SQL databases
* Cell-Level Encryption keys should use AES algorithm in SQL databases
* Certificate keys should use at least 2048 bits for SQL Databases
* Asymmetric keys' length should be at least 2048 bits in SQL databases
* Filestream should be disabled for SQL Servers
* Server configuration 'Replication XPs' should be disabled for SQL Servers
* Orphaned users should be removed from SQL server databases
* The database owner information in the database should match the respective database owner information in the master database for SQL databases
* Application roles should not be used in SQL databases
* There should be no SPs marked as auto-start for SQL Servers
* User-defined database roles should not be members of fixed roles in SQL databases
* User CLR assemblies should not be defined in SQL databases
* Database owners should be as expected for SQL databases
* Auditing of both successful and failed login attempts should be enabled for SQL Servers
* Auditing of both successful and failed login attempts for contained DB authentication should be enabled for SQL databases
* Contained users should use Windows Authentication in SQL Server databases
* Polybase network encryption should be enabled for SQL databases
* Create a baseline of External Key Management Providers for SQL Servers
* Force encryption should be enabled for TDS for SQL Servers
* Server Permissions granted to public should be minimized for SQL Servers
* All memberships for user-defined roles should be intended in SQL databases
* Orphan database roles should be removed from SQL databases
* There should be at least 1 active audit in the system for SQL Servers
* Minimal set of principals should be granted ALTER or ALTER ANY USER database-scoped permissions in SQL databases
* Minimal set of principals should be granted EXECUTE permission on objects or columns in SQL databases
* SQL Threat Detection should be enabled at the SQL server level
* Auditing should be enabled at the server level for SQL Servers
* Database-level firewall rules should not grant excessive access for SQL Servers
* Server-level firewall rules shouldn't grant excessive access for SQL Servers
* Database-level firewall rules should be tracked and maintained at a strict minimum for SQL Servers
* Server-level firewall rules should be tracked and maintained at a strict minimum on SQL Servers
* Unnecessary execute permissions on extended stored procedures should be revoked for SQL Servers
* Minimal set of principals should be members of fixed Azure SQL Database master database roles
* Minimal set of principals should be members of fixed high impact database roles in SQL databases
* Minimal set of principals should be members of fixed low impact database roles in SQL databases
* Execute permissions to access the registry should be restricted for SQL Servers
* Sample databases should be removed for SQL Servers
* Data Transformation Services (DTS) permissions should only be granted to SSIS roles in MSDB SQL database
* Minimal set of principals should be members of fixed server roles for SQL Servers
* Features that may affect security should be disabled for SQL Servers
* 'OLE Automation Procedures' feature should be disabled for SQL Servers
* 'User Options' feature should be disabled for SQL Servers
* Extensibility-features that may affect security should be disabled if not needed for SQL Servers
* Vulnerability Assessment should be configured on SQL Server 2012 and higher only
* Changes to signed modules should be authorized for SQL databases
* Track all users with access to the database for SQL Databases
* SQL logins with commonly used names should be disabled for SQL Servers
* See the full rules and recommendations mapping
December 11, 2025 | Alert | Deprecated
The following alerts are now deprecated:
* AppServices_AnomalousPageAccess
* AppServices_CurlToDisk
* AppServices_WpThemeInjection
* AppServices_SmartScreen
* AppServices_ScanSensitivePage
* AppServices_CommandlineSuspectDomain
* AzureDNS_ThreatIntelSuspectDomain
* AppServices_FilelessAttackBehaviorDetection
* AppServices_FilelessAttackTechniqueDetection
* AppServices_FilelessAttackToolkitDetection
* AppServices_PhishingContent
* AppServices_ProcessWithKnownSuspiciousExtension

These alerts are being retired as part of a quality improvement process and replaced by newer, more advanced alerts that provide greater accuracy and improved threat detection capabilities. This update ensures enhanced security coverage and reduced noise.
December 3, 2025 | Recommendation | Upcoming deprecation (30 day notice)
The following recommendation is set for deprecation 30 days from now: Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers, for the Defender for SQL Servers on Machines plan.
June 1, 2025 | Alert | Upcoming deprecation
The following alert will be deprecated because the method it detects is no longer supported in PowerZure:
* Usage of PowerZure function to maintain persistence in your Azure environment

May 15, 2025 | Alert | Upcoming deprecation
The following alerts will be deprecated and won't be available through the XDR integration:
* DDoS Attack detected for Public IP
* DDoS Attack mitigated for Public IP
Note: The alerts will remain available in the Defender for Cloud portal.
February 5, 2025 | Recommendation | Upcoming deprecation
The following recommendations will be deprecated:
* Configure Microsoft Defender for Storage (Classic) to be enabled
* Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only)
January 29, 2025 | Recommendation | GA
We have further hardened the Running containers as root user should be avoided recommendation.

What's changing?

We now require at least one range to be specified for the "Run as group" rule. This change was needed to ensure that containers don't get access to files owned by root, or by groups with the permissions of the root group.
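As an added illustration (not from the article or from Microsoft's policy definitions), a pod spec whose containers satisfy both parts of the hardened recommendation: a non-root user and a primary group inside a non-root range. The UID/GID values and the image name are assumed; align the values with the ranges your policy assignment allows.

```yaml
# Added example, not from the article: a Pod that runs as a non-root user
# AND a non-root group, so it has no access to files owned by root or the
# root group (GID 0). UID/GID values and the image are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: non-root-example
spec:
  securityContext:
    runAsNonRoot: true           # kubelet refuses to start a container that resolves to UID 0
    runAsUser: 10001             # must fall inside the allowed "Run as user" range
    runAsGroup: 10001            # primary GID; must fall inside the allowed "Run as group" range
    fsGroup: 10001               # group applied to mounted volumes
    supplementalGroups: [10001]  # no membership in GID 0
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false     # keep setuid binaries from regaining root
```

A pod that omits runAsGroup (or sets it to 0) inherits the image's group, which is often GID 0, and is flagged by the hardened rule even when runAsUser is non-root.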
November 19, 2024 | Deprecation | GA
MFA recommendations are deprecated because Azure now requires MFA.
The following recommendations are deprecated:
* Accounts with read permissions on Azure resources should be MFA enabled
* Accounts with write permissions on Azure resources should be MFA enabled
* Accounts with owner permissions on Azure resources should be MFA enabled

October 30, 2024 | Recommendation | Upcoming deprecation
MFA recommendations are deprecated because Azure now requires MFA.
The following recommendations will be deprecated:
* Accounts with read permissions on Azure resources should be MFA enabled
* Accounts with write permissions on Azure resources should be MFA enabled
* Accounts with owner permissions on Azure resources should be MFA enabled
September 5, 2024 | Recommendation | GA
System updates should be installed on your machines (powered by Azure Update Manager)

September 5, 2024 | Recommendation | GA
Machines should be configured to periodically check for missing system updates

For information about new features, see What's new in Defender for Cloud features.