
Microsoft Defender for Identity alerts transitioning to XDR-based detection platform

Message ID: MC1187386
Service: Microsoft Defender XDR
Category: Stay Informed
Tags: Feature update, Admin impact
Rollout: December 2025, January 2026

Summary

Microsoft Defender for Identity classic alerts will transition to the XDR detection platform starting mid-December 2025, improving detection accuracy. Admins must update workflows, use new Detector IDs, and reconfigure alert exclusions with XDR Alert Tuning rules. The rollout completes by early January 2026.

Details

[Introduction]

Microsoft Defender for Identity classic alerts will transition to the XDR detection platform in mid-December 2025. This change improves detection accuracy and performance and aligns with our efforts to enhance security across environments.

[When this will happen:]

General availability (Production, GCC, and DoD): Rollout will begin in mid-December 2025 and is expected to complete in early January 2026.

[How this affects your organization:]

Who is affected: Admins managing Microsoft Defender for Identity alerts and workflows.

What will happen:

  • Classic MDI alerts will move to the XDR detection platform.
  • Detector IDs will change for specific alerts.
  • Alert exclusions configured in MDI must be reconfigured using XDR Alert Tuning rules.

Affected alerts and new Detector IDs:

Alert Title                                         Detector ID
Suspected brute-force attack (Kerberos, NTLM)       xdr_OnPremBruteforce
Suspected password spray attack (Kerberos, NTLM)    xdr_OnPremPasswordSpray
Anomalous SAMR activity                             xdr_SamrReconnaissanceSecurityAlert

[What you can do to prepare:]

Action required:

  • Update workflows and automation to use the new XDR Detector IDs.
  • Reconfigure any alert exclusions using XDR Alert Tuning rules.
  • Communicate this change to your security and operations teams.
  • Review Microsoft documentation for XDR Alert Tuning configuration.
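
One way to check exported workflow or automation rules against the table above, as an added example that is not part of the original message or any Microsoft tooling: it flags rules that reference an affected alert only by title and have no condition on the new Detector ID. The rule layout and field names in the sample are hypothetical and constructed for illustration.

```python
# Alert titles and new Detector IDs, copied from the table in this message.
NEW_DETECTOR_IDS = {
    "Suspected brute-force attack (Kerberos, NTLM)": "xdr_OnPremBruteforce",
    "Suspected password spray attack (Kerberos, NTLM)": "xdr_OnPremPasswordSpray",
    "Anomalous SAMR activity": "xdr_SamrReconnaissanceSecurityAlert",
}

def strings_in(node):
    """Yield every string (keys and values) found anywhere in a parsed JSON value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from strings_in(value)
    elif isinstance(node, list):
        for item in node:
            yield from strings_in(item)

def audit_rules(rules):
    """Return (rule name, alert title, status) for each rule touching an affected alert."""
    findings = []
    for rule in rules:
        text = [s.lower() for s in strings_in(rule)]
        name = rule.get("name", "<unnamed>")
        for title, detector_id in NEW_DETECTOR_IDS.items():
            by_title = any(title.lower() in s for s in text)
            by_new_id = any(detector_id.lower() in s for s in text)
            if by_new_id:
                findings.append((name, title, "uses new Detector ID"))
            elif by_title:
                findings.append((name, title, "title only: add new Detector ID"))
    return findings

# Constructed sample export; the field names ("name", "conditions", ...) are hypothetical.
SAMPLE_RULES = [
    {"name": "page-oncall-bruteforce",
     "conditions": [{"field": "title",
                     "contains": "Suspected brute-force attack (Kerberos, NTLM)"}]},
    {"name": "ticket-password-spray",
     "conditions": [{"field": "detectorId", "equals": "xdr_OnPremPasswordSpray"}]},
    {"name": "unrelated-rule",
     "conditions": [{"field": "severity", "equals": "high"}]},
]

if __name__ == "__main__":
    for name, title, status in audit_rules(SAMPLE_RULES):
        print(f"{name}: {title} -> {status}")
```

Rules that do not mention an affected alert at all are left out of the report.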

[Compliance considerations:]

No compliance considerations identified; review as appropriate for your organization.
