Week 15 · 7 min read
April 6 – April 13, 2026
Act by
-
15 Jun 2026 — Older Microsoft Sentinel repositories (content-as-code) API versions stop being supported. If you deploy analytics rules, hunting queries, or automation to Sentinel through a Git-connected repository, move the repository connection / deployment pipeline to API version 2025-09-01, 2025-06-01, or 2025-07-01-preview before this date, or Source Control API calls on the retired versions will fail. Existing connections keep operating; only API calls on the old versions break. (Microsoft Learn)
-
1 Jul 2026 — Sentinel is standardizing the account entity's Account Name for analytics-rule alerts: when a full UPN (
user@domain.com) is mapped to Account Name, the value will always be the UPN prefix only (user), and newUserPrincipalName/UPNSuffixfields are added to theSecurityAlerttable. Automation rules or Logic Apps playbooks that do a strict equality check against the full UPN will break. Replace equality checks with Contains / Starts with on the prefix plus a separateUPNSuffixcomparison before this date. (Microsoft Sentinel Blog) -
1 Jun 2026 — Microsoft Entra ID will block Connect Sync / Cloud Sync from hard-matching a new Active Directory user object to an existing cloud-managed Entra user that holds Entra roles. This closes a Source-of-Authority takeover path where a synced on-prem object could seize control of a privileged cloud account. If you run hybrid sync, confirm no privileged cloud accounts depend on hard-match behavior before the enforcement date. (Microsoft Learn)
What changed
Microsoft posted its Defender monthly roundup for 7 April 2026, consolidating the changes that shipped across March and the RSAC 2026 wave. The items worth an intern's attention are mostly things you can use on shift now: proactive user containment (contain user) reached GA as part of predictive shielding — it correlates activity data with exposure data to spot exposed credentials at risk of reuse and lets you contain the user before the account spreads; library management for live response went GA, giving a central place to manage the scripts and files you push during a live-response session; a chat experience for Security Copilot inside the Defender portal entered preview, so you can hold an ongoing, two-way conversation across an incident's alerts, identities, devices, and IPs instead of firing one-shot prompts; and agentic triage expanded to identity and cloud alerts, so the Security Alert Triage Agent now autonomously works phishing, identity, and cloud alerts in one place. The roundup also flags two new advanced-hunting tables in preview — CloudDnsEvents (cloud DNS activity) and CloudPolicyEnforcementEvents (cloud security-gating decisions) — that are useful when a hunt crosses into Defender for Cloud territory. (Microsoft Defender XDR Blog)
Built-in alert tuning rules reached general availability in Defender XDR. These first-party tuning rules suppress alerts from common benign activity in Defender for Endpoint and Defender for Office 365 without touching Automated Investigation and Response (AIR) investigations or email notifications — so the noise drops out of the queue but the underlying automation and audit trail stay intact. For an analyst drowning in known-good detections, this is queue hygiene you get without hand-writing suppression logic. (Microsoft Learn)
Defender XDR added an action-status view for automatic attack disruption and predictive shielding (preview): the incident page's Activities tab now shows the current status of the automated containment actions taken on that incident. When disruption isolates a device or contains a user mid-attack, you no longer have to reconstruct what the platform did — the tab tells you which actions fired and where they stand, which matters when you're deciding whether to release a containment or escalate. (Microsoft Learn)
Sentinel added native filter and split data transformation (preview) in the Defender portal. You can now drop noise before ingestion and route data between the analytics and data-lake tiers — keeping high-value telemetry hot for detections while sending bulk or low-signal logs to cheaper data-lake retention. For a SOC watching ingestion cost, this is a lever to cut spend without losing the data outright, applied at the pipeline instead of after the bill lands. (Microsoft Learn)
Sentinel scoping (row-level RBAC) entered public preview, letting you control access to specific subsets of Sentinel data without splitting into separate workspaces. Administrators define logical scopes, tag data at ingestion time, and assign users or groups to scopes through Unified RBAC, so multiple teams — or multiple tenants under an MSSP — can work inside one shared Sentinel environment while each sees only its slice. It's configured in the Defender portal and removes a common reason teams used to stand up extra workspaces just for data isolation. (Microsoft Learn)
AI-agent governance picked up surface on both sides of the stack. On the identity side, the Microsoft Entra Agent ID platform reached GA — an identity and authorization framework purpose-built for AI agents in the enterprise, so agents get first-class identities with real authentication, authorization, and governance over OAuth 2.0, MCP, and A2A rather than borrowing a service account. On the hunting side, the Defender AIAgentsInfo advanced-hunting table gained additional columns (preview) that extend visibility beyond Copilot Studio to all agent types, including Microsoft Foundry, third-party marketplace, and custom line-of-business agents. Together they mean the AI agents running in your tenant are becoming inventoried, queryable assets instead of a blind spot. (Microsoft Learn) (Microsoft Learn)
Sentinel also shipped a VS Code connector builder agent (preview) — an AI-powered, low-code helper that builds Sentinel data connectors in minutes instead of hand-authoring the connector definition. For detection engineers, it lowers the effort to bring a new data source online, which is usually the slow step before any new coverage can be written against it. (Microsoft Learn)
Worth knowing
Microsoft Threat Intelligence published "Investigating Storm-2755: 'Payroll pirate' attacks targeting Canadian employees" on 9 April. The financially motivated actor uses malvertising and search-poisoning to land victims on a fake Microsoft 365 login, then runs an adversary-in-the-middle (AiTM) proxy to capture the session cookie and OAuth token — bypassing legacy MFA that was never designed to be phishing-resistant. What makes this one instructive for a SOC is the post-compromise tradecraft: the group replays the stolen token roughly every 30 minutes using the Axios HTTP client (1.7.9) as the user-agent, refreshes tokens around 5:00 AM local time to dodge business-hours eyes, searches mailboxes for "payroll"/"finance"/"admin," and plants inbox rules that auto-hide "direct deposit" and "bank" emails so the victim never sees the change-of-deposit request. The defensive takeaways map straight to detections you can build: hunt for anomalous user-agents like Axios in sign-in logs, alert on inbox rules that hide payroll keywords, deploy phishing-resistant MFA (FIDO2/WebAuthn) and Continuous Access Evaluation to kill replayed tokens fast. (Microsoft Security Blog)
The April Defender roundup also notes a Secure Score category recalculation: some recommendations previously counted as Cloud apps are now treated as Identity recommendations. The total Secure Score is unchanged, but individual Identity and Cloud-apps sub-scores will shift — so if a dashboard or a scheduled score-trend report moves this month, it's the reclassification, not a real posture change. Worth a heads-up to anyone who tracks Secure Score deltas. (Microsoft Defender XDR Blog)
On the hybrid-identity front, the April Entra release notes open the transition from Entra Connect Sync to the cloud-native Entra Cloud Sync. Nothing forces action this week — customer-specific transition windows won't be announced until July 2026 (via Message Center, Connect Health, and email), and early waves target tenants whose sync needs Cloud Sync already fully covers. But it's the direction of travel: if you still run on-prem Connect Sync, this is the cue to start reviewing your configuration against Cloud Sync's capabilities so you're in the "straightforward" bucket rather than the deferred one. It sits alongside the broader Defender-portal consolidation push, with Sentinel in the Azure portal retiring after 31 March 2027. (Microsoft Learn)