Microsoft Defender XDR Blog
Monthly news - February 2026

HeikeRitter, Microsoft
Feb 03, 2026

Microsoft Defender
Monthly news - February 2026 Edition

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from January 2026. Defender for Cloud has its own monthly news post; have a look here.

🚀 New Virtual Ninja Show episode:

Microsoft Defender

  • (Public Preview) Microsoft Defender now supports Entra Agent IDs! Microsoft Entra Agent ID extends the comprehensive security capabilities of Microsoft Entra to agents, enabling organizations to build, discover, govern, and protect agent identities. Until now, agents acted under a user's identity via on-behalf-of (OBO) flows; now you can assign an Entra Agent ID, a dedicated identity for your agents. Learn more about Entra Agent IDs here.
  • (Public Preview) The BehaviorInfo and BehaviorEntities tables in advanced hunting now include additional columns and information about behavior data types and alerts from User and Entity Behavior Analytics (UEBA), providing more insight into the relationships between identified behaviors and entities. Learn more about UEBA behaviors.

  • (Public Preview) Streamline Incident Management with Microsoft Defender’s New Built-In Alert Tuning Rules. Built‑in alert tuning rules help SOC teams focus on high‑quality, actionable incidents that reflect real threats - while automatically handling informational and low‑severity alerts in the background.
  • At Microsoft Ignite last November, we announced a new capability in Microsoft Defender designed to address SOC alert overload: AI-powered incident prioritization. Today, we're excited to share that AI-powered incident prioritization is now available in public preview for all Microsoft Defender customers! This is about helping SOC teams cut through noise, focus on what matters most, and move faster with confidence. Read more details in this blog post.
  • (Public Preview) In advanced hunting, if the query result exceeds the 64-MB size limit, the portal now returns the maximum number of records it can within this limit and displays a message indicating that the displayed results are partial due to size constraints. Learn more.
  • (Public Preview) The "set as behavior" alert tuning action reclassifies certain alerts as behaviors so they don't appear in the open alerts queue or generate incidents, yet remain available for investigation and hunting when needed.

  • Recording: Spotlight the latest innovations and enhancements, including improvements to the Microsoft Defender portal that deepen its integration with Microsoft Sentinel. Watch it on YouTube

  • Updated date: Microsoft Sentinel in the Azure portal to be retired March 2027. Microsoft Sentinel is generally available in the Microsoft Defender portal, including for customers without Microsoft Defender XDR or an E5 license. This means that you can use Microsoft Sentinel in the Defender portal even if you aren't using other Microsoft Defender services. After March 31, 2027, Microsoft Sentinel will no longer be supported in the Azure portal and will be available only in the Microsoft Defender portal. Learn more in this blog post and get useful resources.
  • Two-part webinar: a walk through a day in the life of a SOC, showing how integration and simplicity make security operations smoother in the unified portal.

  • (General Availability) The option to disable incident correlation for analytics rules is now generally available. Learn more about it here.

  • (Public Preview) Content distribution in Defender's multi-tenant management now supports the distribution of Analytics Rules, Automation Rules, and Workbooks. This allows multi-tenant customers to quickly onboard new tenants and maintain a consistent security baseline. Read the blog to learn more.
  • Blog post: Accelerate your move to Microsoft Sentinel with the new AI Powered SIEM migration experience.
  • (Public Preview) You can now enable UEBA for supported data sources directly from the data connector configuration page, reducing management time and preventing coverage gaps. 
  • (Public Preview) UEBA behaviors layer aggregates actionable insights from raw logs in near-real time. Microsoft Sentinel introduces a UEBA behaviors layer that transforms high-volume, low-level security logs into clear, human-readable behavioral insights in the Defender portal. This AI-powered capability aggregates and sequences raw events from supported data sources into normalized behaviors that explain "who did what to whom" with MITRE ATT&CK context. Learn more here.
  • (Public Preview) The Triage MCP is a collection (server) on the Sentinel MCP platform and provides access to a set of APIs that enable incident and alert triage. You can use these tools to carry out autonomous triage and investigation, or build your own agentic workflows, on top of Microsoft Defender and Microsoft Sentinel alerts and incidents.

  • New detections for Sentinel solution for SAP BTP. This update expands detection coverage for SAP BTP, strengthening visibility into high‑risk control plane, integration, and identity activities.

Microsoft Defender Vulnerability Management

  • (General Availability) New Microsoft Secure Score recommendations:
    • Disable Remote Registry service on Windows: Prevents remote access to the Windows registry, reducing attack surface and blocking unauthorized configuration changes, privilege escalation, and lateral movement.
    • Disable NTLM authentication for Windows workstations: Helps prevent credential theft and lateral movement attacks by removing support for an outdated and insecure protocol. New Technology LAN Manager (NTLM) can be exploited with techniques like Pass-the-Hash and NTLM relay, allowing attackers to bypass password complexity and compromise domains.
  • (Public Preview) To simplify and streamline the Device vulnerabilities report experience, the Vulnerable devices report now includes the following changes and enhancements (These changes are not yet visible to government cloud customers. The changes will be visible in late January 2026):

    • The Vulnerable devices by Windows 10/11 version over time section has been removed.
    • The report’s filters have been simplified to only include the Device group filter.
    • The report’s history is now limited to the last 30 days.
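As an added example (not code from the blog post or from Microsoft), the following PowerShell script audits a local Windows workstation against the two new Secure Score recommendations above, the Remote Registry service and NTLM authentication, and applies the hardened values only when run with -Remediate. It assumes an elevated session. The registry values it checks are the standard ones behind the "Network security: LAN Manager authentication level" and "Network security: Restrict NTLM" policies; the post does not say exactly which settings Secure Score evaluates, so that mapping is an assumption.

```powershell
# Added example (not from the blog post): audit, and optionally remediate, the
# "Disable Remote Registry service" and "Disable NTLM authentication" recommendations
# on the local workstation. Assumption: run elevated; the values below are the standard
# policy-backed registry settings, not necessarily the exact ones Secure Score inspects.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Without -Remediate the script only reports; with it, non-compliant settings are fixed.
    [switch]$Remediate
)

$lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Desired NTLM-related values for a workstation:
#   LmCompatibilityLevel 5         -> send NTLMv2 only, refuse LM and NTLM
#   RestrictSendingNTLMTraffic 2   -> deny all outgoing NTLM to remote servers
#   RestrictReceivingNTLMTraffic 2 -> deny all incoming NTLM
$desired = @(
    @{ Path = $lsaPath;  Name = 'LmCompatibilityLevel';         Value = 5 },
    @{ Path = $msv1Path; Name = 'RestrictSendingNTLMTraffic';   Value = 2 },
    @{ Path = $msv1Path; Name = 'RestrictReceivingNTLMTraffic'; Value = 2 }
)

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = @()

# 1. Remote Registry service: should be disabled and not running.
$svc = Get-Service -Name 'RemoteRegistry' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += [pscustomobject]@{ Check = 'RemoteRegistry service'; Current = 'not present'; Desired = 'Disabled/Stopped'; Compliant = $true }
} else {
    $ok = ($svc.StartType -eq 'Disabled') -and ($svc.Status -eq 'Stopped')
    $findings += [pscustomobject]@{ Check = 'RemoteRegistry service'; Current = "$($svc.StartType)/$($svc.Status)"; Desired = 'Disabled/Stopped'; Compliant = $ok }
    if (-not $ok -and $Remediate -and $PSCmdlet.ShouldProcess('RemoteRegistry', 'Stop and disable service')) {
        Stop-Service -Name 'RemoteRegistry' -Force -ErrorAction SilentlyContinue
        Set-Service  -Name 'RemoteRegistry' -StartupType Disabled
    }
}

# 2. NTLM settings: compare each registry value with the desired hardened value.
foreach ($d in $desired) {
    $cur = Get-RegValueOrNull -Path $d.Path -Name $d.Name
    $ok  = ($cur -eq $d.Value)
    $findings += [pscustomobject]@{
        Check     = $d.Name
        Current   = $(if ($null -eq $cur) { 'not set' } else { $cur })
        Desired   = $d.Value
        Compliant = $ok
    }
    if (-not $ok -and $Remediate -and $PSCmdlet.ShouldProcess("$($d.Path)\$($d.Name)", "Set to $($d.Value)")) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        Set-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -Type DWord
    }
}

# Report one row per check; a $false in Compliant is what the Secure Score item is flagging.
$findings | Format-Table -AutoSize
```

Run it without parameters to get a report, and with `-Remediate -WhatIf` to see what would change before committing. Denying NTLM breaks any remaining legacy dependency, so in practice set AuditReceivingNTLMTraffic (same MSV1_0 key, value 2) first and review the NTLM Operational event log for a few weeks before switching RestrictReceivingNTLMTraffic and RestrictSendingNTLMTraffic to deny.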

Microsoft Defender for Office 365

Microsoft Defender for Cloud Apps

  • The Workday connector now requires only “View” permissions to function. We have removed the “Modify” permission requirement to better align with the principle of least privilege. While existing configurations will continue to work, admins are encouraged to update the Workday account settings to remove these unnecessary rights as a security best practice. For more information see: How Defender for Cloud Apps helps protect your Workday environment.

Microsoft Defender for Identity

  • (General Availability) The following Identity inventory enhancements are now generally available:
    • Accounts tab in Identity Inventory: The new Accounts tab provides a consolidated view of all accounts associated with an identity, including accounts from Active Directory, Microsoft Entra ID, and supported non-Microsoft identity providers. For more information, see Manage related identities and accounts.
    • Manually link and unlink accounts: Manually link or unlink accounts from an identity directly in the Accounts tab. This capability helps you correlate identity components from different directory sources and provides a complete identity context during investigations. For more information, see Manage related identities and accounts.
    • Identity-level remediation actions: You can now perform remediation actions such as disabling accounts or resetting passwords on one or more accounts linked to an identity. For more information, see Remediation actions.
    • New advanced hunting table: Advanced hunting in Microsoft Defender now includes the IdentityAccountInfo table. This table provides account information from various sources, including Microsoft Entra ID, and links to the identity that owns the account.
  • As part of the ongoing transition to a unified alerting experience across Microsoft Defender products, some alerts were converted from the Microsoft Defender for Identity classic format to the Microsoft Defender XDR alert format. Keep in mind that all alerts are based on detections from Defender for Identity sensors. See Microsoft Defender for Identity XDR security alerts for the full list of XDR alerts. Alert names in the XDR structure are different from the alert names in the classic structure, but alert IDs stay consistent between the two alert structures.
  • Enhanced RPC auditing is required for some Microsoft Defender for Identity advanced identity detections. A new health alert helps identify v3.x sensors where this configuration is either missing or incorrectly applied. The alert is being rolled out gradually to customers. For more information, see Configure RPC on sensors v3.x.
  • (Public Preview) We’re gradually rolling out automatic Windows event-auditing configuration for sensors v3.x, along with related health alerts. This update streamlines deployment by automatically applying the required auditing settings to new sensors and correcting misconfigurations on existing ones. For more information, see Configure automatic windows auditing.
Updated Feb 03, 2026
Version 1.0