Favorite your Message Center and Roadmap items. Access them anytime via your Profile. Export and share with your team or your LLM.

(Updated) Microsoft Defender for Cloud Apps: SIEM agents will retire

Message ID
MC1077861
View in Message Center
Service
Microsoft Defender XDR
Category
Plan for Change
Tags
Major Change Admin impactRetirement
Act By
June 18, 2025
Rollout
June 2025November 2025December 2025January 2026

Summary

Microsoft Defender for Cloud Apps will retire SIEM agents, with no new agents configurable after June 19, 2025. The rollout is paused, and users are advised to transition to unified APIs and SIEM solutions for alerts and activity data to ensure continuity and enhanced capabilities.

Details

Updated December 23, 2025: We have paused rollout of this feature. We will announce via Message center when we are ready to proceed. Thank you for your patience. 

As part of our ongoing convergence process for all Microsoft Defender workloads, we planned to retire SIEM (Security Information and Event Management) agents from Microsoft Defender for Cloud Apps in late December 2025 (previously mid-November) and ending early January 2026 (previously late November 2025). We have puased this release and will communicate via Message center when we are ready to proceed.

We recommend you transition to APIs that support the management of activities and alerts data from multiple workloads.

[How this will affect your organization:]

Existing Microsoft Defender for Cloud Apps SIEM agents will function as is until the SIEM agents retire, but no new SIEM agents can be configured starting June 19, 2025. Microsoft Sentinel agents will remain supported and can still be added.

Defender for Cloud Apps alerts and activities data currently supported in the SIEM agents are also available in the unified API and SIEM solutions that provide access to alerts and activity data for all Microsoft security products, for cross-workload visibility:

These APIs enhance security monitoring and management and offer additional supported capabilities that utilize data from multiple Microsoft Defender workloads.

[What you need to do to prepare:]

To ensure continuity and access to the same data available before this retirement through Microsoft Defender for Cloud Apps SIEM agents, we recommend transitioning to the supported unified API and SIEM solutions. We encourage you to begin planning your migration to these solutions to take advantage of their enhanced capabilities.

Learn more: Generic SIEM integration - Microsoft Defender for Cloud Apps | Microsoft Learn

Change History

Show
December 23, 2025 at 6:30 PM Updated
Summary
Previous
Microsoft Defender for Cloud Apps will retire SIEM agents between late December 2025 and early January 2026. No new SIEM agents can be configured after June 19, 2025. Users should transition to unified APIs and SIEM solutions for alerts and activity data to ensure continuity and enhanced capabilities.
New
Microsoft Defender for Cloud Apps will retire SIEM agents, with no new agents configurable after June 19, 2025. The rollout is paused, and users are advised to transition to unified APIs and SIEM solutions for alerts and activity data to ensure continuity and enhanced capabilities.
Last Updated Date
Previous
2025-12-02T17:23:07.610Z
New
2025-12-23T17:49:04.747Z
Body Content
Previous
<p>Updated December 1, 2025: We have updated the timeline. Thank you for your patience.&nbsp;</p><p>As part of our ongoing convergence process for all Microsoft Defender workloads, we will retire SIEM (Security Information and Event Management) agents from Microsoft Defender for Cloud Apps in starting late December 2025 (previously mid-November) and ending early January 2026 (previously late November 2025). We recommend you transition to APIs that support the management of activities and alerts data from multiple workloads. </p><p>[How this will affect your organization:] </p><p>Existing Microsoft Defender for Cloud Apps SIEM agents will function as is until the SIEM agents retire, but no new SIEM agents can be configured starting June 19, 2025. Microsoft Sentinel agents will remain supported and can still be added.</p><p>Defender for Cloud Apps alerts and activities data currently supported in the SIEM agents are also available in the unified API and SIEM solutions that provide access to alerts and activity data for all Microsoft security products, for cross-workload visibility:</p><ul><li>For alerts and activities, Defender XDR streaming API: <a href="https://learn.microsoft.com/defender-xdr/streaming-api" target="_blank">Stream Microsoft Defender XDR events - Microsoft Defender XDR | Microsoft Learn</a> </li><li>For Microsoft Entra ID Protection login events: <a href="https://learn.microsoft.com/defender-xdr/advanced-hunting-identitylogonevents-table" target="_blank">IdentityLogonEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn</a> </li><li>For alerts, Microsoft Graph security alerts API (v2): <a href="https://learn.microsoft.com/graph/api/security-list-alerts_v2?view=graph-rest-1.0&amp;tabs=http" target="_blank">List alerts_v2 - Microsoft Graph v1.0 | Microsoft Learn</a> </li><li>We also recommend viewing Defender for Cloud Apps alerts data in the Microsoft Defender XDR incidents API. Learn more: <a href="https://learn.microsoft.com/defender-xdr/api-incident" target="_blank">Microsoft Defender XDR incidents APIs and the incidents resource type - Microsoft Defender XDR | Microsoft Learn</a> </li></ul><p>These APIs enhance security monitoring and management and offer additional supported capabilities that utilize data from multiple Microsoft Defender workloads.</p><p>[What you need to do to prepare:]</p><p>To ensure continuity and access to the same data available before this retirement through Microsoft Defender for Cloud Apps SIEM agents, we recommend transitioning to the supported unified API and SIEM solutions. We encourage you to begin planning your migration to these solutions to take advantage of their enhanced capabilities. </p><p>Learn more: <a href="https://learn.microsoft.com/defender-cloud-apps/siem" target="_blank" style="font-family: sans-serif; font-weight: 400; background-color: rgb(255, 255, 255);">Generic SIEM integration - Microsoft Defender for Cloud Apps | Microsoft Learn</a></p>
New
<p>Updated December 23, 2025: We have paused rollout of this feature. We will announce via Message center when we are ready to proceed. Thank you for your patience.&nbsp;</p><p>As part of our ongoing convergence process for all Microsoft Defender workloads, we planned to retire SIEM (Security Information and Event Management) agents from Microsoft Defender for Cloud Apps in late December 2025 (previously mid-November) and ending early January 2026 (previously late November 2025). We have puased this release and will communicate via Message center when we are ready to proceed. <br><br>We recommend you transition to APIs that support the management of activities and alerts data from multiple workloads. </p><p>[How this will affect your organization:] </p><p>Existing Microsoft Defender for Cloud Apps SIEM agents will function as is until the SIEM agents retire, but no new SIEM agents can be configured starting June 19, 2025. Microsoft Sentinel agents will remain supported and can still be added.</p><p>Defender for Cloud Apps alerts and activities data currently supported in the SIEM agents are also available in the unified API and SIEM solutions that provide access to alerts and activity data for all Microsoft security products, for cross-workload visibility:</p><ul><li>For alerts and activities, Defender XDR streaming API: <a href="https://learn.microsoft.com/defender-xdr/streaming-api" target="_blank">Stream Microsoft Defender XDR events - Microsoft Defender XDR | Microsoft Learn</a> </li><li>For Microsoft Entra ID Protection login events: <a href="https://learn.microsoft.com/defender-xdr/advanced-hunting-identitylogonevents-table" target="_blank">IdentityLogonEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn</a> </li><li>For alerts, Microsoft Graph security alerts API (v2): <a href="https://learn.microsoft.com/graph/api/security-list-alerts_v2?view=graph-rest-1.0&amp;tabs=http" target="_blank">List alerts_v2 - Microsoft Graph v1.0 | Microsoft Learn</a> </li><li>We also recommend viewing Defender for Cloud Apps alerts data in the Microsoft Defender XDR incidents API. Learn more: <a href="https://learn.microsoft.com/defender-xdr/api-incident" target="_blank">Microsoft Defender XDR incidents APIs and the incidents resource type - Microsoft Defender XDR | Microsoft Learn</a> </li></ul><p>These APIs enhance security monitoring and management and offer additional supported capabilities that utilize data from multiple Microsoft Defender workloads.</p><p>[What you need to do to prepare:]</p><p>To ensure continuity and access to the same data available before this retirement through Microsoft Defender for Cloud Apps SIEM agents, we recommend transitioning to the supported unified API and SIEM solutions. We encourage you to begin planning your migration to these solutions to take advantage of their enhanced capabilities. </p><p>Learn more: <a href="https://learn.microsoft.com/defender-cloud-apps/siem" target="_blank" style="font-family: sans-serif; font-weight: 400; background-color: rgb(255, 255, 255);">Generic SIEM integration - Microsoft Defender for Cloud Apps | Microsoft Learn</a></p>
December 2, 2025 at 6:31 PM Updated
Title
Previous
Microsoft Defender for Cloud Apps: SIEM agents will retire
New
(Updated) Microsoft Defender for Cloud Apps: SIEM agents will retire
Summary
Previous
Microsoft Defender for Cloud Apps will retire SIEM agents between mid-November 2025 and late November 2025. No new SIEM agents can be configured after June 19, 2025. Transition to APIs for managing activities and alerts data from multiple workloads is recommended. Microsoft Sentinel agents remain supported.
New
Microsoft Defender for Cloud Apps will retire SIEM agents between late December 2025 and early January 2026. No new SIEM agents can be configured after June 19, 2025. Users should transition to unified APIs and SIEM solutions for alerts and activity data to ensure continuity and enhanced capabilities.
Last Updated Date
Previous
2025-05-19T23:43:41.810Z
New
2025-12-02T17:23:07.610Z
Tags
Previous
Admin impact,Retirement
New
Updated message,Admin impact,Retirement
Body Content
Previous
<p>As part of our ongoing convergence process for all Microsoft Defender workloads, we will retire SIEM (Security Information and Event Management) agents from Microsoft Defender for Cloud Apps in starting mid-November 2025 and ending late November 2025. We recommend you transition to APIs that support the management of activities and alerts data from multiple workloads. </p><p>[How this will affect your organization:] </p><p>Existing Microsoft Defender for Cloud Apps SIEM agents will function as is until the SIEM agents retire, but no new SIEM agents can be configured starting June 19, 2025. Microsoft Sentinel agents will remain supported and can still be added.</p><p>Defender for Cloud Apps alerts and activities data currently supported in the SIEM agents are also available in the unified API and SIEM solutions that provide access to alerts and activity data for all Microsoft security products, for cross-workload visibility:</p><ul><li>For alerts and activities, Defender XDR streaming API: <a href="https://learn.microsoft.com/defender-xdr/streaming-api" target="_blank">Stream Microsoft Defender XDR events - Microsoft Defender XDR | Microsoft Learn</a> </li><li>For Microsoft Entra ID Protection login events: <a href="https://learn.microsoft.com/defender-xdr/advanced-hunting-identitylogonevents-table" target="_blank">IdentityLogonEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn</a> </li><li>For alerts, Microsoft Graph security alerts API (v2): <a href="https://learn.microsoft.com/graph/api/security-list-alerts_v2?view=graph-rest-1.0&amp;tabs=http" target="_blank">List alerts_v2 - Microsoft Graph v1.0 | Microsoft Learn</a> </li><li>We also recommend viewing Defender for Cloud Apps alerts data in the Microsoft Defender XDR incidents API. Learn more: <a href="https://learn.microsoft.com/defender-xdr/api-incident" target="_blank">Microsoft Defender XDR incidents APIs and the incidents resource type - Microsoft Defender XDR | Microsoft Learn</a> </li></ul><p>These APIs enhance security monitoring and management and offer additional supported capabilities that utilize data from multiple Microsoft Defender workloads.</p><p>[What you need to do to prepare:]</p><p>To ensure continuity and access to the same data available before this retirement through Microsoft Defender for Cloud Apps SIEM agents, we recommend transitioning to the supported unified API and SIEM solutions. We encourage you to begin planning your migration to these solutions to take advantage of their enhanced capabilities. </p><p>Learn more: <a href="https://learn.microsoft.com/defender-cloud-apps/siem" target="_blank">Generic SIEM integration - Microsoft Defender for Cloud Apps | Microsoft Learn</a></p>
New
<p>Updated December 1, 2025: We have updated the timeline. Thank you for your patience.&nbsp;</p><p>As part of our ongoing convergence process for all Microsoft Defender workloads, we will retire SIEM (Security Information and Event Management) agents from Microsoft Defender for Cloud Apps in starting late December 2025 (previously mid-November) and ending early January 2026 (previously late November 2025). We recommend you transition to APIs that support the management of activities and alerts data from multiple workloads. </p><p>[How this will affect your organization:] </p><p>Existing Microsoft Defender for Cloud Apps SIEM agents will function as is until the SIEM agents retire, but no new SIEM agents can be configured starting June 19, 2025. Microsoft Sentinel agents will remain supported and can still be added.</p><p>Defender for Cloud Apps alerts and activities data currently supported in the SIEM agents are also available in the unified API and SIEM solutions that provide access to alerts and activity data for all Microsoft security products, for cross-workload visibility:</p><ul><li>For alerts and activities, Defender XDR streaming API: <a href="https://learn.microsoft.com/defender-xdr/streaming-api" target="_blank">Stream Microsoft Defender XDR events - Microsoft Defender XDR | Microsoft Learn</a> </li><li>For Microsoft Entra ID Protection login events: <a href="https://learn.microsoft.com/defender-xdr/advanced-hunting-identitylogonevents-table" target="_blank">IdentityLogonEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn</a> </li><li>For alerts, Microsoft Graph security alerts API (v2): <a href="https://learn.microsoft.com/graph/api/security-list-alerts_v2?view=graph-rest-1.0&amp;tabs=http" target="_blank">List alerts_v2 - Microsoft Graph v1.0 | Microsoft Learn</a> </li><li>We also recommend viewing Defender for Cloud Apps alerts data in the Microsoft Defender XDR incidents API. Learn more: <a href="https://learn.microsoft.com/defender-xdr/api-incident" target="_blank">Microsoft Defender XDR incidents APIs and the incidents resource type - Microsoft Defender XDR | Microsoft Learn</a> </li></ul><p>These APIs enhance security monitoring and management and offer additional supported capabilities that utilize data from multiple Microsoft Defender workloads.</p><p>[What you need to do to prepare:]</p><p>To ensure continuity and access to the same data available before this retirement through Microsoft Defender for Cloud Apps SIEM agents, we recommend transitioning to the supported unified API and SIEM solutions. We encourage you to begin planning your migration to these solutions to take advantage of their enhanced capabilities. </p><p>Learn more: <a href="https://learn.microsoft.com/defender-cloud-apps/siem" target="_blank" style="font-family: sans-serif; font-weight: 400; background-color: rgb(255, 255, 255);">Generic SIEM integration - Microsoft Defender for Cloud Apps | Microsoft Learn</a></p>

Never Miss a Microsoft 365 Update

Join thousands of IT professionals who rely on DeltaPulse for real-time Microsoft 365 change intelligence, automated notifications, and community insights.