Important upcoming changes to Microsoft Defender for Cloud

Important

The information on this page relates to pre-release products or features, which might be substantially modified before they are commercially released, if ever. Microsoft makes no commitments or warranties, express or implied, with respect to the information provided here.

On this page, you can learn about changes that are planned for Defender for Cloud. It describes planned modifications to the product that might affect things like your secure score or workflows.

Planned changes

| Planned change | Announcement date | Estimated date for change |
|---|---|---|
| SQL vulnerability assessment automatic enablement using express configuration on unconfigured servers | June 10, 2024 | July 10, 2024 |
| Changes to identity recommendations | June 3, 2024 | July 2024 |
| Deprecation of system update recommendations | May 1, 2024 | July 2024 |
| Deprecation of MMA related recommendations | May 1, 2024 | July 2024 |
| Change in CIEM assessment IDs | April 16, 2024 | May 2024 |
| Deprecation of virtual machine recommendation | April 2, 2024 | July 2024 |
| Changes in where you access Compliance offerings and Microsoft Actions | March 3, 2024 | September 30, 2025 |
| Changes to how Microsoft Defender for Cloud's costs are presented in Microsoft Cost Management | October 25, 2023 | November 2023 |
| Replacing the "Key Vaults should have purge protection enabled" recommendation with combined recommendation "Key Vaults should have deletion protection enabled" | | June 2023 |
| Deprecating two security incidents | | November 2023 |
| Defender for Cloud plan and strategy for the Log Analytics agent deprecation | | August 2024 |

SQL vulnerability assessment automatic enablement using express configuration on unconfigured servers

Announcement date: June 10, 2024

Estimated date for change: July 10, 2024

Originally, SQL Vulnerability Assessment (VA) with Express Configuration was only automatically enabled on servers where Microsoft Defender for SQL was activated after the introduction of Express Configuration in December 2022.

We will be updating all Azure SQL Servers that had Microsoft Defender for SQL activated before December 2022 and had no existing SQL VA policy in place, to have SQL Vulnerability Assessment (SQL VA) automatically enabled with Express Configuration.

The implementation of this change will be gradual, spanning several weeks, and does not require any action on the user’s part.

Note

This change applies to Azure SQL Servers where Microsoft Defender for SQL was activated either at the Azure subscription level or at the individual server level.

Servers with an existing classic configuration (whether valid or invalid) will not be affected by this change.

Upon activation, the recommendation ‘SQL databases should have vulnerability findings resolved’ may appear and could affect your secure score.

Changes to identity recommendations

Announcement date: June 3, 2024

Estimated date for change: July 2024

The following changes:

  • The assessed resource will become the identity instead of the subscription
  • The recommendations won't have 'sub-recommendations' anymore
  • The value of the 'assessmentKey' field in the API will be changed for those recommendations

will be applied to these recommendations:

  • Accounts with owner permissions on Azure resources should be MFA enabled
  • Accounts with write permissions on Azure resources should be MFA enabled
  • Accounts with read permissions on Azure resources should be MFA enabled
  • Guest accounts with owner permissions on Azure resources should be removed
  • Guest accounts with write permissions on Azure resources should be removed
  • Guest accounts with read permissions on Azure resources should be removed
  • Blocked accounts with owner permissions on Azure resources should be removed
  • Blocked accounts with read and write permissions on Azure resources should be removed
  • A maximum of 3 owners should be designated for your subscription
  • There should be more than one owner assigned to your subscription

Deprecation of system update recommendations

Announcement date: May 1, 2024

Estimated date for change: July 2024

As use of the Azure Monitor Agent (AMA) and the Log Analytics agent (also known as the Microsoft Monitoring Agent (MMA)) is phased out in Defender for Servers, the following recommendations that rely on those agents are set for deprecation:

Deprecation of MMA related recommendations

Announcement date: May 1, 2024

Estimated date for change: July 2024

As part of the MMA deprecation and the updated Defender for Servers deployment strategy, all Defender for Servers security features will be provided via a single agent (MDE) or via agentless scanning capabilities, without dependency on either the Log Analytics agent (MMA) or the Azure Monitor Agent (AMA).

As part of this, and with the goal of reducing complexity, the following recommendations are going to be deprecated:

| Display name | Related feature |
|---|---|
| Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines | MMA enablement |
| Log Analytics agent should be installed on virtual machine scale sets | MMA enablement |
| Auto provisioning of the Log Analytics agent should be enabled on subscriptions | MMA enablement |
| Log Analytics agent should be installed on virtual machines | MMA enablement |
| Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines | MMA enablement |
| Adaptive application controls for defining safe applications should be enabled on your machines | AAC |

Change in CIEM assessment IDs

Announcement date: April 16, 2024

Estimated date for change: May 2024

The following recommendations are scheduled for remodeling, which will result in changes to their assessment IDs:

  • Azure overprovisioned identities should have only the necessary permissions
  • AWS overprovisioned identities should have only the necessary permissions
  • GCP overprovisioned identities should have only the necessary permissions
  • Super identities in your Azure environment should be removed
  • Unused identities in your Azure environment should be removed

Deprecation of virtual machine recommendation

Announcement date: April 2, 2024

Estimated date for change: July 30, 2024

The recommendation ‘Virtual machines should be migrated to new Azure Resource Manager resources’ is set to be deprecated. There should be no effect on customers, as the classic resources it targets no longer exist.

Changes in where you access Compliance offerings and Microsoft Actions

Announcement date: March 3, 2024

Estimated date for change: September 30, 2025

On September 30, 2025, the locations where you access two preview features, Compliance offering and Microsoft Actions, will change.

Compliance offerings is a table that lists the compliance status of Microsoft's products, accessed from the Compliance offerings button in the toolbar of Defender's regulatory compliance dashboard. After this button is removed from Defender for Cloud, you'll still be able to access this information using the Service Trust Portal.

For a subset of controls, Microsoft Actions is accessible from the Microsoft Actions (Preview) button in the control details pane. After this button is removed, you can view Microsoft Actions by visiting Microsoft’s Service Trust Portal for FedRAMP and opening the Azure System Security Plan document.

Changes to how Microsoft Defender for Cloud's costs are presented in Microsoft Cost Management

Announcement date: October 26, 2023

Estimated date for change: November 2023

In November, the way Microsoft Defender for Cloud's costs are presented in Cost Management and on subscription invoices will change.

Costs will be presented for each protected resource instead of as an aggregation of all resources on the subscription.

If a resource has tags applied (organizations often use tags for financial chargeback processes), those tags will be added to the appropriate billing lines.

Replacing the "Key Vaults should have purge protection enabled" recommendation with combined recommendation "Key Vaults should have deletion protection enabled"

Estimated date for change: June 2023

The ‘Key Vaults should have purge protection enabled’ recommendation is deprecated from the regulatory compliance dashboard and the Azure security benchmark initiative, and replaced with a new combined recommendation, ‘Key Vaults should have deletion protection enabled’.

| Recommendation name | Description | Effect(s) | Version |
|---|---|---|---|
| Key vaults should have deletion protection enabled | A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | audit, deny, disabled | 2.0.0 |

See the full index of Azure Policy built-in policy definitions for Key Vault.

Defender for Cloud plan and strategy for the Log Analytics agent deprecation

Estimated date for change: August 2024

The Azure Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA), will be retired in August 2024. As a result, features of two Defender for Cloud plans that rely on the Log Analytics agent, Defender for Servers and Defender for SQL Server on machines, are affected and have updated strategies.

Key strategy points

  • The Azure Monitor Agent (AMA) won’t be a requirement of the Defender for Servers offering, but will remain required as part of Defender for SQL.
  • Defender for Servers MMA-based features and capabilities will be deprecated in their Log Analytics version in August 2024, and delivered over alternative infrastructures, before the MMA deprecation date.
  • In addition, the currently shared autoprovisioning process that installs and configures both agents (MMA/AMA) will be adjusted accordingly.

Defender for Servers

The following table explains how each capability will be provided after the Log Analytics agent retirement:

| Feature | Deprecation plan | Alternative |
|---|---|---|
| Defender for Endpoint/Defender for Cloud integration for down level machines (Windows Server 2012 R2, 2016) | Defender for Endpoint integration that uses the legacy Defender for Endpoint sensor and the Log Analytics agent (for Windows Server 2016 and Windows Server 2012 R2 machines) won’t be supported after August 2024. | Enable the GA unified agent integration to maintain support for machines, and receive the full extended feature set. |
| OS-level threat detection (agent-based) | OS-level threat detection based on the Log Analytics agent won’t be available after August 2024. A full list of deprecated detections will be provided soon. | OS-level detections are provided by Defender for Endpoint integration and are already GA. |
| Adaptive application controls | The current GA version based on the Log Analytics agent will be deprecated in August 2024, along with the preview version based on the Azure Monitor agent. | The Adaptive Application Controls feature as it is today will be discontinued, and new capabilities in the application control space (on top of what Defender for Endpoint and Windows Defender Application Control offer today) will be considered as part of the future Defender for Servers roadmap. |
| Missing OS patches (system updates) | Recommendations to apply system updates based on the Log Analytics agent won’t be available after August 2024. The preview version available today over the Guest Configuration agent will be deprecated when the alternative is provided over Microsoft Defender Vulnerability Management premium capabilities. Support of this feature for Docker-hub and VMSS will be deprecated in August 2024 and will be considered as part of the future Defender for Servers roadmap. | New recommendations, based on integration with Update Manager, are already in GA, with no agent dependencies. |
| OS misconfigurations (Azure Security Benchmark recommendations) | The current GA version based on the Log Analytics agent won’t be available after August 2024. The current preview version that uses the Guest Configuration agent will be deprecated as the Microsoft Defender Vulnerability Management integration becomes available. | A new version, based on integration with Premium Microsoft Defender Vulnerability Management, will be available early in 2024, as part of Defender for Servers plan 2. |
| File integrity monitoring | The current GA version based on the Log Analytics agent won’t be available after August 2024. | A new version of this feature will be provided based on Microsoft Defender for Endpoint integration by April 2024. |
| The 500-MB benefit for data ingestion | The 500-MB benefit for data ingestion over the defined tables will remain supported via the AMA agent for the machines under subscriptions covered by Defender for Servers P2. | Every machine is eligible for the benefit only once, even if both the Log Analytics agent and the Azure Monitor agent are installed on it. |

Defender for SQL Server on machines

The Defender for SQL Server on machines plan relies on the Log Analytics agent (MMA) / Azure Monitor agent (AMA) to provide Vulnerability Assessment and Advanced Threat Protection to IaaS SQL Server instances. The plan supports Log Analytics agent autoprovisioning in GA, and Azure Monitor agent autoprovisioning in Public Preview.

The following section describes the planned introduction of a new and improved SQL Server-targeted Azure Monitor agent (AMA) autoprovisioning process and the deprecation procedure for the Log Analytics agent (MMA). On-premises SQL servers using MMA will require the Azure Arc agent when migrating to the new process, because AMA requires it. Customers who use the new autoprovisioning process will benefit from a simple and seamless agent configuration, reducing onboarding errors and providing broader protection coverage.

| Milestone | Date | More information |
|---|---|---|
| SQL-targeted AMA autoprovisioning Public Preview release | October 2023 | The new autoprovisioning process will only target Azure registered SQL servers (SQL Server on Azure VM/ Arc-enabled SQL Server). The current AMA autoprovisioning process and its related policy initiative will be deprecated. It can still be used by customers, but they won't be eligible for support. |
| SQL-targeted AMA autoprovisioning GA release | December 2023 | GA release of a SQL-targeted AMA autoprovisioning process. Following the release, it will be defined as the default option for all new customers. |
| MMA deprecation | August 2024 | The current MMA autoprovisioning process and its related policy initiative will be deprecated. It can still be used by customers, but they won't be eligible for support. |

Deprecating two security incidents

Estimated date for change: November 2023

Following a quality improvement process, the following security incidents are set to be deprecated: ‘Security incident detected suspicious virtual machines activity’ and ‘Security incident detected on multiple machines’.