Important upcoming changes to Microsoft Defender for Cloud

Note

Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage. Learn more about the recent renaming of Microsoft security services.

Important

The information on this page relates to pre-release products or features, which may be substantially modified before they are commercially released, if ever. Microsoft makes no commitments or warranties, express or implied, with respect to the information provided here.

On this page, you'll learn about changes that are planned for Defender for Cloud. It describes planned modifications to the product that might impact things like your secure score or workflows.

If you're looking for the latest release notes, you'll find them in What's new in Microsoft Defender for Cloud.

Planned changes

| Planned change | Estimated date for change |
|---|---|
| Deprecating a preview alert: ARM.MCAS_ActivityFromAnonymousIPAddresses | January 2022 |
| Legacy implementation of ISO 27001 is being replaced with new ISO 27001:2013 | January 2022 |
| Multiple changes to identity recommendations | February 2022 |
| Deprecating the recommendation to use service principals to protect your subscriptions | February 2022 |
| Deprecating the recommendations to install the network traffic data collection agent | February 2022 |
| Changes to recommendations for managing endpoint protection solutions | March 2022 |

Deprecating a preview alert: ARM.MCAS_ActivityFromAnonymousIPAddresses

Estimated date for change: January 2022

We'll be deprecating the following preview alert:

| Alert name | Description |
|---|---|
| PREVIEW - Activity from a risky IP address (ARM.MCAS_ActivityFromAnonymousIPAddresses) | User activity from an IP address that has been identified as an anonymous proxy IP address has been detected. These proxies are used by people who want to hide their device's IP address, and can be used for malicious intent. This detection uses a machine learning algorithm that reduces false positives, such as mis-tagged IP addresses that are widely used by users in the organization. Requires an active Microsoft Defender for Cloud Apps license. |

We've created new alerts that provide this information and add to it. In addition, the newer alerts (ARM_OperationFromSuspiciousIP, ARM_OperationFromSuspiciousProxyIP) don't require a license for Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security).

Legacy implementation of ISO 27001 is being replaced with new ISO 27001:2013

Estimated date for change: January 2022

The legacy implementation of ISO 27001 will be removed from Defender for Cloud's regulatory compliance dashboard. If you're tracking your ISO 27001 compliance with Defender for Cloud, onboard the new ISO 27001:2013 standard for all relevant management groups or subscriptions. The current legacy ISO 27001 will soon be removed from the dashboard.

Figure: Defender for Cloud's regulatory compliance dashboard showing the message about the removal of the legacy implementation of ISO 27001.

Multiple changes to identity recommendations

Estimated date for change: February 2022

Defender for Cloud includes multiple recommendations for improving the management of users and accounts. In December, we'll be making the changes outlined below.

Deprecating the recommendation to use service principals to protect your subscriptions

Estimated date for change: February 2022

As organizations move away from using management certificates to manage their subscriptions, and following our recent announcement that we're retiring the Cloud Services (classic) deployment model, we'll be deprecating the following Defender for Cloud recommendation and its related policy:

| Recommendation | Description | Severity |
|---|---|---|
| Service principals should be used to protect your subscriptions instead of Management Certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. (Related policy: Service principals should be used to protect your subscriptions instead of management certificates) | Medium |

Deprecating the recommendations to install the network traffic data collection agent

Estimated date for change: February 2022

Changes in our roadmap and priorities have removed the need for the network traffic data collection agent. Consequently, we'll be deprecating the following two recommendations and their related policies.

| Recommendation | Description | Severity |
|---|---|---|
| Network traffic data collection agent should be installed on Linux virtual machines | Defender for Cloud uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. (Related policy: Network traffic data collection agent should be installed on Linux virtual machines) | Medium |
| Network traffic data collection agent should be installed on Windows virtual machines | Defender for Cloud uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations, and specific network threats. (Related policy: Network traffic data collection agent should be installed on Windows virtual machines) | Medium |

Changes to recommendations for managing endpoint protection solutions

Estimated date for change: March 2022

In August 2021, we added two new preview recommendations to deploy and maintain the endpoint protection solutions on your machines. For full details, see the release note.

When the recommendations are released to general availability, they will replace the following existing recommendations:

Next steps

For all recent changes to Defender for Cloud, see What's new in Microsoft Defender for Cloud?