Microsoft is retiring alerting for sensitive data activities on endpoints in the Microsoft Defender portal today. From today, organizations must switch to Microsoft Purview DLP for alerting, enforcement, and investigation of sensitive data activities on endpoints. After today, existing Defender alert policies that use these activities will stop generating alerts, so it is important to take action.
In its announcement in the Microsoft 365 Admin Center, the Windows maker says:
“We’re retiring the ability to create alert policies and generate DLP alerts for sensitive data activities on endpoints in the Microsoft Defender portal. This change unifies endpoint data loss prevention (DLP) detection and alerting under Microsoft Purview DLP, giving organizations a more consistent experience and access to advanced enforcement and investigation capabilities in Microsoft Defender XDR.”
Today marks the very end of DLP alerting for sensitive data activities on endpoints via Defender, but the retirement began on February 16th, when the sensitive data activity options were removed from new policy creation in the Microsoft Defender portal. As of today, existing policies using these activities will stop generating alerts as well.
Organizations that use alert policies in Microsoft Defender XDR to monitor sensitive data activities on endpoints and admins who create or manage alert policies in the Microsoft Defender portal are affected by this change.
To prepare, you should review existing Microsoft Defender alert policies to identify any that use the retiring activities. You should then re-create the required alerts using Microsoft Purview DLP policies. You can also notify SecOps and helpdesk teams about the changes and update any internal documentation that references these Defender alert policies.
You can learn more about this change in the Microsoft 365 Admin Center under Message ID MC1217649. Be sure to act quickly, as today is the retirement date.