Important upcoming changes to Microsoft Defender for Cloud
Important
The information on this page relates to pre-release products or features, which may be substantially modified before they are commercially released, if ever. Microsoft makes no commitments or warranties, express or implied, with respect to the information provided here.
On this page, you'll learn about changes that are planned for Defender for Cloud. It describes planned modifications to the product that might affect things like your secure score or workflows.
If you're looking for the latest release notes, you'll find them in the What's new in Microsoft Defender for Cloud.
Planned changes
Changes in the recommendation "Machines should be configured securely"
Estimated date for change: March 2023
The recommendation Machines should be configured securely will be updated. The update will improve the performance and stability of the recommendation and align its experience with the generic behavior of Defender for Cloud's recommendations.
As part of this update, the recommendation's ID will be changed from 181ac480-f7c4-544b-9865-11b8ffe87f47 to c476dc48-8110-4139-91af-c8d940896b98.
No action is required on the customer side, and there's no expected downtime nor impact on the secure score.
Three alerts in the Defender for Resource Manager plan will be deprecated
Estimated date for change: March 2023
As we continue to improve the quality of our alerts, the following three alerts from the Defender for Resource Manager plan will be deprecated:
Activity from a risky IP address (ARM.MCAS_ActivityFromAnonymousIPAddresses)Activity from infrequent country (ARM.MCAS_ActivityFromInfrequentCountry)Impossible travel activity (ARM.MCAS_ImpossibleTravelActivity)
You can learn more details about each of these alerts from the alerts reference list.
In the scenario where an activity from a suspicious IP address is detected, one of the following Defenders for Resource Manager plan alerts Azure Resource Manager operation from suspicious IP address or Azure Resource Manager operation from suspicious proxy IP address will be present.
Alerts automatic export to Log Analytics workspace will be deprecated
Estimated date for change: March 2023
Currently, Defender for Cloud security alerts are automatically exported to a default Log Analytics workspace on the resource level. This causes an indeterministic behavior and therefore, this feature is set to be deprecated.
You can export your security alerts to a dedicated Log Analytics workspace with the Continuous Export feature. If you have already configured continuous export of your alerts to a Log Analytics workspace, no further action is required.
Deprecation and improvement of selected alerts for Windows and Linux Servers
Estimated date for change: April 2023
The security alert quality improvement process for Defender for Servers includes the deprecation of some alerts for both Windows and Linux servers. The deprecated alerts will now be sourced from and covered by Defender for Endpoint threat alerts.
If you already have the Defender for Endpoint integration enabled, no further action is required. You may experience a decrease in your alerts volume in April 2023.
If you don't have the Defender for Endpoint integration enabled in Defender for Servers, you'll need to enable the Defender for Endpoint integration to maintain and improve your alert coverage.
All Defender for Servers customers, have full access to the Defender for Endpoint’s integration as a part of the Defender for Servers plan.
You can learn more about Microsoft Defender for Endpoint onboarding options.
You can also view the full list of alerts that are set to be deprecated.
Read the Microsoft Defender for Cloud blog.
Deprecation of App Service language monitoring policies
The following App Service language monitoring policies are set to be deprecated because they generate false negatives and they don't necessarily provide better security. Instead, you should always ensure you're using a language version without any known vulnerabilities.
| Policy name | Policy ID |
|---|---|
| App Service apps that use Java should use the latest 'Java version' | 496223c3-ad65-4ecd-878a-bae78737e9ed |
| App Service apps that use Python should use the latest 'Python version' | 7008174a-fd10-4ef0-817e-fc820a951d73 |
| Function apps that use Java should use the latest 'Java version' | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc |
| Function apps that use Python should use the latest 'Python version' | 7238174a-fd10-4ef0-817e-fc820a951d73 |
| App Service apps that use PHP should use the latest 'PHP version' | 7261b898-8a84-4db8-9e04-18527132abb3 |
Customers can use alternative built-in policies to monitor any specified language version for their App Services.
These will no longer be in Defender for Cloud's built-in recommendations. You can add them as custom recommendations to have Defender for Cloud monitor them.
Deprecation of legacy compliance standards across cloud environments
Estimated date for change: April 2023
We are announcing the full deprecation of support of PCI DSS standard/initiative in Azure China 21Vianet.
Legacy PCI DSS v3.2.1 and legacy SOC TSP are set to be fully deprecated and replaced by SOC 2 Type 2 initiative and PCI DSS v4 initiative. Learn how to Customize the set of standards in your regulatory compliance dashboard.
Multiple changes to identity recommendations
Estimated date for change: May 2023
We announced previously the availability of identity recommendations V2 (preview), which included enhanced capabilities.
As part of these changes, the following recommendations will be released as General Availability (GA) and replace the V1 recommendations that are set to be deprecated.
General Availability (GA) release of identity recommendations V2
The following security recommendations will be released as GA and replace the V1 recommendations:
| Recommendation | Assessment Key |
|---|---|
| Accounts with owner permissions on Azure resources should be MFA enabled | 6240402e-f77c-46fa-9060-a7ce53997754 |
| Accounts with write permissions on Azure resources should be MFA enabled | c0cb17b2-0607-48a7-b0e0-903ed22de39b |
| Accounts with read permissions on Azure resources should be MFA enabled | dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c |
| Guest accounts with owner permissions on Azure resources should be removed | 20606e75-05c4-48c0-9d97-add6daa2109a |
| Guest accounts with write permissions on Azure resources should be removed | 0354476c-a12a-4fcc-a79d-f0ab7ffffdbb |
| Guest accounts with read permissions on Azure resources should be removed | fde1c0c9-0fd2-4ecc-87b5-98956cbc1095 |
| Blocked accounts with owner permissions on Azure resources should be removed | 050ac097-3dda-4d24-ab6d-82568e7a50cf |
| Blocked accounts with read and write permissions on Azure resources should be removed | 1ff0b4c9-ed56-4de6-be9c-d7ab39645926 |
Deprecation of identity recommendations V1
The following security recommendations will be deprecated as part of this change:
| Recommendation | Assessment Key |
|---|---|
| MFA should be enabled on accounts with owner permissions on subscriptions | 94290b00-4d0c-d7b4-7cea-064a9554e681 |
| MFA should be enabled on accounts with write permissions on subscriptions | 57e98606-6b1e-6193-0e3d-fe621387c16b |
| MFA should be enabled on accounts with read permissions on subscriptions | 151e82c5-5341-a74b-1eb0-bc38d2c84bb5 |
| External accounts with owner permissions should be removed from subscriptions | c3b6ae71-f1f0-31b4-e6c1-d5951285d03d |
| External accounts with write permissions should be removed from subscriptions | 04e7147b-0deb-9796-2e5c-0336343ceb3d |
| External accounts with read permissions should be removed from subscriptions | a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b |
| Deprecated accounts with owner permissions should be removed from subscriptions | e52064aa-6853-e252-a11e-dffc675689c2 |
| Deprecated accounts should be removed from subscriptions | 00c6d40b-e990-6acf-d4f3-471e747a27c4 |
We recommend updating custom scripts, workflows, and governance rules to correspond with the V2 recommendations.
We've improved the coverage of the V2 identity recommendations by scanning all Azure resources (rather than just subscriptions) which allows security administrators to view role assignments per account. These changes may result in changes to your Secure Score throughout the GA process.
Deprecation of legacy compliance standards across cloud environments
Estimated date for change: April 2023
We are announcing the full deprecation of support of PCI DSS standard/initiative in Azure China 21Vianet.
Legacy PCI DSS v3.2.1 and legacy SOC TSP are set to be fully deprecated and replaced by SOC 2 Type 2 initiative and PCI DSS v4 initiative.
Learn how to Customize the set of standards in your regulatory compliance dashboard.
New Azure Active Directory authentication-related recommendations for Azure Data Services
Estimated date for change: April 2023
| Recommendation Name | Recommendation Description | Policy |
|---|---|---|
| Azure SQL Managed Instance authentication mode should be Azure Active Directory Only | Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Managed Instances can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate | Azure SQL Managed Instance should have Azure Active Directory Only Authentication enabled |
| Azure Synapse Workspace authentication mode should be Azure Active Directory Only | Azure Active Directory (AAD) only authentication methods improves security by ensuring that Synapse Workspaces exclusively require AAD identities for authentication. Learn more at: https://aka.ms/Synapse | Synapse Workspaces should use only Azure Active Directory identities for authentication |
| Azure Database for MySQL should have an Azure Active Directory administrator provisioned | Provision an Azure AD administrator for your Azure Database for MySQL to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Based on policy: An Azure Active Directory administrator should be provisioned for MySQL servers |
| Azure Database for PostgreSQL should have an Azure Active Directory administrator provisioned | Provision an Azure AD administrator for your Azure Database for PostgreSQL to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Based on policy: An Azure Active Directory administrator should be provisioned for PostgreSQL servers |
DevOps Resource Deduplication for Defender for DevOps
Estimated date for change: June 2023
To improve the Defender for DevOps user experience and enable further integration with Defender for Coud's rich set of capabilities, Defender for DevOps will no longer support duplicate instances of a DevOps organization to be onboarded to an Azure tenant.
If you do not have an instance of a DevOps organization onboarded more than once to your organization, no further action is required. If you do have more than one instance of a DevOps organization onboarded to your tenant, the subscription owner will be notified and will need to delete the DevOps Connector(s) they do not want to keep by navigating to Defender for Cloud Environment Settings.
Customers will have until June 30, 2023 to resolve this issue. After this date, only the most recent DevOps Connector created where an instance of the DevOps organization exists will remain onboarded to Defender for DevOps.
Next steps
For all recent changes to Defender for Cloud, see What's new in Microsoft Defender for Cloud?.
Feedback
Submit and view feedback for