
MC1169078 Microsoft Defender for Cloud Apps: Improvements to threat protection capabilities

Summary

  • Microsoft Defender for Cloud Apps is expanding its dynamic threat detection model to enhance threat protection accuracy.
  • New detections will replace several legacy policies, including “Unusual ISP for an OAuth App” and “Suspicious file access activity (by user)”.
  • Governance actions configured on the migrated legacy policies will be disabled; admins who want to keep them must re-enable them manually, no earlier than 24 hours after disablement.
  • No admin action is required before the rollout, but it’s advised to review policy configurations and notify relevant teams.
  • All legacy policies will eventually be migrated to the dynamic model, with further updates to be communicated.

Admin Impact: Medium
User Impact: Low
Release Start: 01 Nov 2025
Release End: 30 Nov 2025
Services: Defender XDR
Category: Plan for change
Tags: Feature Update, User Adoption, Admin Action

History

10/9/2025: Item Added to Message Center

Microsoft Message

Introduction

To improve threat detection accuracy and responsiveness, Microsoft Defender for Cloud Apps is expanding its dynamic model for threat protection. This update enhances the signal-to-noise ratio (SNR) of detections and enables faster adaptation to emerging threats, helping security teams stay ahead of evolving risks.

This rollout continues the migration of legacy threat detection policies, following the first batch announced in Message center post MC1061724. The second batch introduces new detections that replace several legacy policies, further aligning with our goal of delivering more precise, research-driven protection.

When this will happen

General Availability (Worldwide, GCC, GCC High, DoD): Rollout begins early November 2025 and is expected to complete by the end of November 2025.

How this affects your organization

Who is affected

Organizations using Microsoft Defender for Cloud Apps, including tenants in Worldwide, GCC, GCC High, and DoD environments.

What will happen

The dynamic model will be expanded to include additional research-driven detections.

These detections are continuously updated by Microsoft security researchers to reflect the evolving threat landscape.

  • Detections may be added, removed, or modified dynamically to ensure optimal protection.
  • These are research-driven and enabled by default, requiring no manual configuration.

The second batch of legacy policies being migrated includes:

  • “Unusual ISP for an OAuth App”
  • “Suspicious file access activity (by user)”

These will be replaced with the following detections:

  • Replacing “Unusual ISP for an OAuth App”:
    • “OAuth application activity from an unknown ISP (Preview)”
  • Replacing “Suspicious file access activity (by user)”:
    • “Suspicious file access from untrusted ISP and user agent with malicious IP indicator (Preview)”
    • “Suspicious file access indicative of lateral movement (Preview)”
  • Adding new detection “Activity from a password-spray associated IP address (Preview)”

These new detections are already available to you in Preview; the “(Preview)” suffix will be removed once legacy policies are disabled.

Governance actions configured on legacy policies will be disabled. Admins can re-enable them manually after 24 hours.

Migrated policies will be listed in Create Defender for Cloud Apps anomaly detection policies | Microsoft Learn.

Eventually, all other out-of-the-box (OOTB) activity-based policies will be migrated to the new dynamic model. Future Message center posts will provide details as additional policies are transitioned.

By applying the new dynamic model, we aim to deliver more accurate and timely threat detections, enhancing your organization’s overall security posture.

In some cases, legacy policies may be split into multiple detections and alerts to provide deeper visibility and context for SOC teams.

During the gradual migration of OOTB policies, disabled policies will remain temporarily visible in Defender for Cloud Apps. Once migration is complete, these legacy policies will be removed from the legacy policies page. A separate Message center post will be published to confirm their removal.

What you can do to prepare

No admin action is required before rollout.

To prepare:

  1. Review your current policy configurations to assess impact.
  2. Notify SOC and helpdesk teams about the updated detections.
  3. Update internal documentation if referencing legacy policies.
  4. If you wish to retain governance actions:
    • Wait 24 hours after disablement.
    • Re-enable policies from the legacy policies page at: Defender portal > Cloud apps > Policy management.
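As an added check for step 1 (this query is not part of the Microsoft post), the following advanced hunting query counts alerts raised by the four new detections over the last 30 days, so the SOC can see their volume and severity mix while they are still in Preview and before the legacy policies are disabled. The AlertInfo table and its Timestamp, Title, Severity and ServiceSource columns are the standard Defender XDR advanced hunting schema; the assumptions are that these alerts carry a Title equal to the detection names listed above (with or without the "(Preview)" suffix) and a ServiceSource of "Microsoft Defender for Cloud Apps".

```kql
// Added example, not from the Microsoft post. Assumes the new detections surface in
// AlertInfo with Title equal to the names in the post (optionally suffixed "(Preview)")
// and ServiceSource == "Microsoft Defender for Cloud Apps".
let NewDetections = dynamic([
    "OAuth application activity from an unknown ISP",
    "Suspicious file access from untrusted ISP and user agent with malicious IP indicator",
    "Suspicious file access indicative of lateral movement",
    "Activity from a password-spray associated IP address"
]);
AlertInfo
| where Timestamp > ago(30d)
| where ServiceSource == "Microsoft Defender for Cloud Apps"
// Strip the "(Preview)" suffix so the same query keeps working after the suffix is removed.
| extend BaseTitle = trim_end(@"\s*\(Preview\)$", Title)
| where BaseTitle in~ (NewDetections)
| summarize Alerts = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by BaseTitle, Severity
| order by Alerts desc
```

Run it from Defender portal > Advanced hunting. A detection that returns no rows simply has not fired in the window; to compare noise levels with the policies being retired, add the two legacy policy names from this post to the NewDetections list and rerun before and after the migration date.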


Compliance considerations

No compliance considerations have been identified; review as appropriate for your organization.