Summary
Table of Contents
- Microsoft Graph Security API v1 is being retired, so organizations that read security alerts through v1 must move to the newer v2 alerts/incidents model.
- Affected integrations include SIEM connectors, dashboards, automation scripts, SOAR playbooks, and third-party security tools that call the legacy alerts endpoint.
- Microsoft Sentinel customers have an additional requirement: onboard Sentinel to the Microsoft Defender portal and update integrations to use API v2 to keep receiving alerts through Microsoft Graph.
- Admins should inventory all consumers of the legacy API, update endpoints and permissions, and adjust data models/queries for the new incidents-centric response format.
Primary Service: Defender XDR
Admin Impact: High
User Impact: Low
Release Start: 15 Oct 2026
Release End: 15 Oct 2026
Services: Defender XDR, Entra, Exchange, Purview, Security
Category: Plan for change
Tags: Admin Action, Retirement, User Adoption
History
7/15/2026 Item Added to Message Center
Microsoft Message
What and Why
Going forward, retrieve Microsoft security alerts and incidents through the Microsoft Graph Security API v2 — an incident-centric model that groups related alerts and adds richer investigation context across Microsoft Defender XDR.
Organizations that retrieve alerts through the Microsoft Graph Security API v1— including SIEM integrations, dashboards, automation workflows, SOAR playbooks, or third-party security tools — must move to API v2 by October 15, 2026. If you use Microsoft Sentinel, there’s one additional step: to continue receiving Sentinel alerts through Microsoft Graph, onboard Microsoft Sentinel to the Microsoft Defender portal and move to API v2. No additional licensing is required to connect Microsoft Sentinel to the Microsoft Defender portal.
API v2 brings real improvements: automatic correlation of identity, endpoint, email, and cloud signals into incidents; 40+ strongly typed evidence objects; expanded coverage including Microsoft Purview Data Loss Prevention and Insider Risk Management; and richer context such as MITRE ATT&CK techniques.
Rollout Schedule
Global: The legacy API retirement will be completed on October 15, 2026
Key dates:
- Early 2024: Change first announced in Microsoft Graph documentation.
- April 10, 2026: Initial retirement rollout began.
- April 29, 2026: Rollback completed to restore legacy v1 alert ingestion after customer feedback.
- October 15, 2026: Microsoft Graph Security API v1 will be retired.
Impact on Your Organization
Who is affected
- Organizations using Microsoft Graph Security API v1 to retrieve Microsoft Security alerts
- Any security team using the product alerts within the Security API v1 such as Microsoft Entra, Microsoft 365, Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Sentinel
Platforms/Services
- Microsoft Graph Security API
- Microsoft Defender portal
- Microsoft Sentinel
What will happen
- After October 15, 2026, calls to the legacy alerts endpoint will no longer return alerts.
- Between April 10 and April 29, 2026, calls to alerts may have stopped returning results. Ingestion has since been restored, and the endpoint is operational again until the final retirement on October 15, 2026. If you observed that disruption, your organization is affected.
- API v2 returns alerts grouped into incidents within Microsoft Defender XDR. Only alerts that are part of the Defender XDR ecosystem are returned.
- To continue retrieving Sentinel alerts through Microsoft Graph:
- Microsoft Sentinel must be onboarded to the Microsoft Defender portal.
- Integrations must use Microsoft Graph Security API v2.
- The following are not returned by API v2:
- Alerts from sources not integrated with Defender XDR
- Standalone alerts that aren’t promoted to an incident.
- Tuned or suppressed alerts (hidden by alert-tuning rules).
- Certain low-signal Exchange Online events — retrieve these through audit logs.
- For Microsoft Sentinel alerts specifically: the workspace must be onboarded to the Microsoft Defender portal, and integrations must use API v2. The Sentinel REST API can be used as a temporary option in the interim, but it will be retired in the future.
Action Required / Recommendations
Action is required by October 15, 2026, to avoid disruption in alert retrieval:
- Inventory every integration, script, connector, and downstream process that calls alerts (SIEM, dashboards, automation, SOAR playbooks, third-party tools).
- Update endpoints: Replace calls to /security/alerts with /security/alerts_v2, and use /security/incidents to retrieve incidents.
- Update permissions and consent: To read alerts and incidents, request SecurityAlert.Read.All and SecurityIncident.Read.All (use the SecurityAlert.ReadWrite.All / SecurityIncident.ReadWrite.All variants only if you write back alert or incident status). These replace the legacy SecurityEvents.Read.All / SecurityEvents.ReadWrite.All scopes. An administrator must grant consent before the app can use the new permissions.
- Update your data model and queries: replace the v1 state collections (userStates, hostStates, fileStates, networkConnections) with the new strongly typed evidence objects, and rewrite OData filters to the new property names.
Microsoft Sentinel customers — additionally: Onboard your Sentinel workspace to the Microsoft Defender portal (no additional licensing required). Use the Sentinel REST API only as an interim measure if onboarding can’t be completed immediately.
Learn more and take action:
- Migrate from legacy alerts to the alerts and incidents API | Microsoft Learn
- Alerts – Use the Microsoft Graph security API | Microsoft Graph | Microsoft Learn
- alert resource type | Microsoft Graph | Microsoft Learn
- incident resource type | Microsoft Graph | Microsoft Learn
- Microsoft Sentinel in the Microsoft Defender portal | Microsoft Sentinel | Security | Azure | Microsoft Learn
- Transition your Microsoft Sentinel environment to the Defender portal | Microsoft Sentinel | Security | Azure | Microsoft Learn
Compliance considerations
No compliance considerations identified. Review as appropriate for your organization.