Starting December 11, 2025, Microsoft Defender XDR will offer enhanced alert configuration for Entra ID Protection, allowing admins to filter alerts by risk level (High only, High + Medium, or All). The default will change to High risk only, reducing alert volume and improving clarity.
[Introduction]
To improve alert clarity and reduce fatigue, Microsoft Defender XDR is introducing enhanced configuration options for identity-related alerts from Entra ID Protection. These updates are based on customer feedback requesting more granular control over risk-based alerting.
[When this will happen]
This change will begin rolling out as a public preview starting December 11, 2025.
[How this affects your organization]
- Who is affected:
  - Admins using Microsoft Defender XDR with Entra ID Protection.
- What will happen:
  - New alert configuration options will be available in the Defender XDR portal.
  - Alert ingestion logic will now be explicitly tied to Entra ID Protection risk levels.
  - Admins can choose which alerts to ingest into Defender XDR based on:
    - High risk detections only
    - High + Medium risk detections
    - All detections
  - Updated UI strings and visuals will improve clarity and usability.
  - The default setting is changing from ingesting alerts of all severities to ingesting only alerts with severity = High. As a result, you may notice a reduction in alert volume, and some alert types will no longer be ingested into Defender XDR. You can always change the default setting to any of the other options - High + Medium or All detections, according to your organization’s needs.
- No immediate action is required.
- If you wish to explore the new configuration options:
  - Visit the Microsoft Defender XDR portal after December 11, 2025.
  - Review and adjust alert settings based on your organization’s risk tolerance.
- Share this update with your security operations team.
- Learn more: Microsoft Defender XDR alert settings
No compliance considerations identified; review as appropriate for your organization.
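To gauge what the High-only default will stop sending to Defender XDR, the sketch below (an added example, not Microsoft's code) models the three options as a filter on risk level and reports which detection types would disappear entirely under each one. It assumes records shaped like an export of Entra ID Protection risk detections with `riskEventType` and `riskLevel` fields; the setting names and the sample records are constructed for illustration.

```python
from collections import Counter

# The three options from the announcement, modelled as allowed risk levels.
# The key names are ours (assumption); None means "no filtering".
SETTINGS = {
    "high_only": {"high"},
    "high_medium": {"high", "medium"},
    "all": None,
}

# Constructed sample, shaped like exported risk detection records.
SAMPLE = [
    {"riskEventType": "leakedCredentials", "riskLevel": "high"},
    {"riskEventType": "unfamiliarFeatures", "riskLevel": "high"},
    {"riskEventType": "unfamiliarFeatures", "riskLevel": "medium"},
    {"riskEventType": "unfamiliarFeatures", "riskLevel": "low"},
    {"riskEventType": "anonymizedIPAddress", "riskLevel": "medium"},
    {"riskEventType": "anonymizedIPAddress", "riskLevel": "medium"},
    {"riskEventType": "unlikelyTravel", "riskLevel": "low"},
]


def coverage(detections, setting):
    """Summarise what a given ingestion setting keeps and what it loses."""
    allowed = SETTINGS[setting]
    kept = [
        d for d in detections
        if allowed is None or d["riskLevel"].lower() in allowed
    ]
    seen_types = Counter(d["riskEventType"] for d in detections)
    kept_types = Counter(d["riskEventType"] for d in kept)
    return {
        "ingested": len(kept),
        "dropped": len(detections) - len(kept),
        # Detection types that would no longer reach Defender XDR at all.
        "types_lost": sorted(t for t in seen_types if t not in kept_types),
    }


if __name__ == "__main__":
    for name in SETTINGS:
        print(name, coverage(SAMPLE, name))
```

Run against a recent export from your own tenant, the `types_lost` list shows which detection types need another review path if you keep the new default.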
