Updates to App Governance Pre-Defined Policies in Defender for Cloud Apps

Message Information

Severity normal
Timeline
Start Date March 19, 2025
End Date June 30, 2025
Last Modified March 19, 2025
Services
Microsoft Defender XDR
Category PlanForChange

Message Details

Microsoft Defender for Cloud Apps is continuously working to ensure that our out-of-the-box (OOTB) threat protection capabilities within App Governance are as accurate and effective as possible.

As part of this effort, we will be disabling by default three specific pre-defined policies that have been found to mostly trigger on legitimate activities, rather than alerting on malicious ones. This change is aimed at improving the overall accuracy of our alerts by relying on more accurate sources that provide a comprehensive view of potential attacks, rather than focusing on isolated anomalous activities.

If you prefer to continue receiving these alerts, the option to re-enable them remains available.

When this will happen:

General Availability (Worldwide, GCC, GCC High): The rollout will happen simultaneously for all tenants on April 21, 2025.

How this will affect your organization:

These specific pre-defined policies within App Governance will be switched off for all customers by default. The policies being disabled are:

  • Increase in data usage by an overprivileged or highly privileged app
  • Unusual activity from an app with priority account consent
  • Access to sensitive data

This change will reduce the number of alerts triggered by legitimate activities, allowing you to focus on more accurate and relevant security notifications. The remaining policies and our advanced threat detection engines, which are always enabled and running behind the scenes, will continue to provide robust protection by correlating multiple pieces of evidence to identify potential attacks with higher confidence.

If for any reason you prefer to continue receiving these alerts, you can re-enable the policies via the policy management interface. Additionally, we provide tools for customers to create custom policies tailored to their specific needs.

For more details, please refer to the relevant documentation: Get started with app policies

What you need to do to prepare:

No immediate action is required. However, if you wish to re-enable any of the disabled policies, you can do so through the policy management interface. This will allow you to utilize the full functionality of the policies as you have been up to this point.