Microsoft Retires Defender Endpoint Data Alerting, Forces Shift to Purview DLP
Microsoft is continuing to phase out legacy security features, and the company has now retired another capability alongside the previously announced Access Database Compare Tool removal. This time, the change impacts endpoint sensitive data alerting in the Microsoft Defender portal.
Defender alerting feature officially retired
According to the Microsoft 365 Admin Center (Message ID MC1217649), endpoint sensitive data alerting in Defender has officially reached its end of life. Organizations must now transition to Microsoft Purview Data Loss Prevention (DLP) for alerting and enforcement going forward.
The update directly affects endpoint DLP monitoring workflows. Existing alert policies configured in Microsoft Defender will no longer generate alerts, effectively disabling a key layer of visibility for organizations that relied on these controls.
The retirement process rolled out in stages. Microsoft first removed the ability to create new policies on February 16, signaling the beginning of the transition. As of today, the process is complete, and all existing policies have been fully disabled.
This change primarily impacts organizations that used Defender XDR for monitoring sensitive data on endpoints, as well as administrators responsible for managing alert policies within the Defender portal. Without migration, these environments may lose critical monitoring coverage.
Microsoft pushes organizations to adopt Purview DLP
Microsoft says the move is part of a broader effort to consolidate data loss prevention capabilities under Microsoft Purview. By centralizing DLP, the company aims to deliver a more consistent experience, improved enforcement options, and deeper investigation tools that integrate with Defender XDR.
To avoid disruptions, Microsoft recommends that organizations take immediate action. Admins should review their existing Defender alert policies, recreate necessary configurations in Purview DLP, and notify security operations and helpdesk teams about the transition. Internal documentation should also be updated to reflect the new workflow.
Failure to act quickly could result in gaps in data protection and reduced visibility into sensitive data activity across endpoints.
In other cybersecurity developments, Azure Monitor has recently been abused in phishing campaigns that leverage legitimate Microsoft infrastructure, while CISA has warned of potential risks involving Microsoft Intune following the Stryker breach.
Via Neowin