Microsoft Defender for Cloud Apps: Improvements to threat protection capabilities

Message ID: MC1402307
Service: Microsoft Defender XDR
Category: Plan for Change
Tags: Feature update, User impact, Admin impact
Rollout: June 2026, July 2026

Summary

Microsoft Defender for Cloud Apps is replacing the legacy “Activity performed by terminated user” alert with a dynamic detection model called "Activity by a deprovisioned user (preview)" starting late June 2026. This improves detection accuracy, adapts to threats, requires no manual setup, and may change alert behavior over time.

Details

[What and Why]

Microsoft Defender for Cloud Apps is enhancing its threat protection capabilities by migrating legacy detection policies to a new dynamic detection model. This update improves detection accuracy, reduces false positives, and enables faster response to evolving threats by using research-driven detections maintained by Microsoft security experts.

As part of this change, the legacy alert “Activity performed by terminated user” is being replaced by a detection built on the new dynamic detection model. This updated detection is designed to more precisely identify risky activity associated with users who have left the organization while continuously adapting to changes in the threat landscape.

This change also introduces a shift from static detection logic to continuously updated detection logic, which may evolve over time to improve signal quality and accuracy.

[Rollout Schedule]

General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out in late June 2026 and expect to complete by early July 2026.

[Impact on your organization]

Who is affected

  • Organizations using Microsoft Defender for Cloud Apps threat protection capabilities
  • Security operations center and IT security teams

Platforms and services

  • Microsoft Defender for Cloud Apps, part of Microsoft Defender XDR

What will happen

  • The legacy alert “Activity performed by terminated user” will be replaced by a detection built on the new dynamic detection model, titled "Activity by a deprovisioned user (preview)." The "(preview)" suffix will be removed next month.
  • The updated detection will:
    • Be enabled by default
    • Be automatically maintained and updated by Microsoft
    • Continuously evolve to improve detection accuracy and adapt to emerging threats
  • Detection behavior, alert patterns, or alert volume may change over time as the model adapts.
  • No manual configuration is required.
  • During rollout:
    • Disabled legacy policies may remain temporarily visible, and 
    • Legacy policies will be removed after migration completes as part of the retirement of the legacy detection model.

[Action Required/Recommendations]

No action is required.

Recommended steps:

  • Notify SOC and helpdesk teams about this change.
  • Update internal documentation that references the legacy alert “Activity performed by terminated user” and the new alert "Activity by a deprovisioned user (preview)".
  • Review and validate any alert-based automation, workflows, or incident response processes after rollout.
  • Monitor alerts after rollout to understand updated detection behavior and tuning needs.

Learn more: (To be updated closer to rollout.) Create Defender for Cloud Apps anomaly detection policies | Microsoft Defender for Cloud Apps | Microsoft Learn

[Compliance considerations]

Question: Does the change alter how existing customer data is processed, stored, or accessed?
Answer: Yes. The change updates the detection logic used to analyze existing activity data in Microsoft Defender for Cloud Apps to identify potential threats.

Question: Does the change alter how admins can monitor, report on, or demonstrate compliance activities?
Answer: Yes. Alerts will be generated using a dynamic detection model, which may affect how administrators monitor, interpret, and report on threat-related activity.
