SOC Weekly Brief The week in the Microsoft security stack, distilled

← Home

Week 22 · 6 min read

May 25 – June 1, 2026

Act by

  • 1 Jun 2026 — Microsoft Entra ID begins blocking Entra Connect Sync and Cloud Sync from hard-matching a newly synced on-premises Active Directory user onto an existing cloud-managed Entra user that holds an Entra role. It closes a Source-of-Authority takeover path where an on-prem foothold manipulates AD attributes to seize a privileged cloud account. Soft match, and hard match for non-role-holding users, are unaffected. If you run hybrid sync, confirm no privileged cloud accounts still depend on hard-match behavior before today, or legitimate syncs will start throwing hard-match errors. (Microsoft Entra: What's new)

What changed

Tenant Groups entered public preview in the Microsoft Defender multitenant (MTO) portal on 27 May, letting you organize the tenants you manage into logical groups (by customer segment, geography, criticality, or onboarding stage) and switch the whole Defender view to just that set of tenants with one click. The view is permissions-aware — a group can list tenants you lack access to, but you only ever see the ones where you hold B2B/GDAP rights — so existing access controls stay in charge. Note the naming change: the old "Tenant groups" feature used for content distribution is now called Deployment profiles, and "Tenant Groups" refers to this new grouping experience. For MSSP and multi-tenant SOC teams, this cuts cross-tenant noise when investigating incidents or hunting against a specific customer tier or region. (Microsoft Defender XDR Blog)

Sentinel RBAC and row-level scoping reached general availability, per the May Sentinel recap, giving security teams a single, granular permissions model that spans Microsoft Sentinel and the Defender portal. Scoping lets you tag data at ingestion, define logical scopes, and assign users or groups to those scopes through Unified RBAC — so multiple teams can work inside one shared workspace without spinning up separate workspaces to enforce data boundaries. For a SOC that runs tiered analysts, regional teams, or MSSP-style separation, this is the mechanism to keep each group to the rows it should see while keeping detections and hunting in one place. (What's new in Microsoft Sentinel: May 2026)

Generate playbooks using AI in Microsoft Sentinel became generally available this month. The SOAR playbook generator builds Python-based automation workflows through a conversational experience with Cline, an AI coding agent, so responders can describe the response they want and get a working playbook instead of hand-authoring Logic Apps from scratch. For teams short on SOAR-engineering hours, it lowers the bar to automating routine containment and enrichment steps. (What's new in Microsoft Sentinel)

Sentinel UEBA gained three enhancements. A new UEBA tab in the Sentinel settings page consolidates UEBA and Behaviors settings behind one entry point; Okta anomalies now read the newer OktaV2_CL table alongside the legacy Okta_CL, extending the existing Anomalous Activity and Anomalous MFA Failures detections to tenants on the V2 Okta connector (no new anomaly types, just wider coverage); and UEBA added five new GCP Audit Logs anomaly detections covering unusual logins, privileged actions, resource deployments, secret/KMS key access, and infrastructure usage. For analysts, the practical wins are cleaner UEBA administration and anomaly coverage that now reaches Okta-V2 and GCP identity activity. (What's new in Microsoft Sentinel)

Automatic attack disruption can now isolate a compromised device from the network (preview) when high-confidence incident analysis shows the device is being used as an active foothold. Isolation blocks attacker communication and lateral movement while keeping the device reachable by security services; the action is time-limited, scoped to devices involved in the incident, and releasable by an operator at any time. This extends attack disruption beyond user containment and account/token actions to cutting off the machine itself, buying a SOC time on an active intrusion without waiting for a human to pull the device. (What's new in Microsoft Defender XDR)

The advanced-hunting Take action wizard added email-scoped blocking. From query results, analysts can now allow or block top-level domains and file-attachment hashes in email, turning a hunting query straight into a containment control for a phishing or malware-delivery campaign. It shortens the loop between finding a malicious sender pattern or attachment in hunting and blocking it across mail flow. (What's new in Microsoft Defender XDR)

The advanced-hunting graph added identity-focused predefined scenarios that map attack paths, privilege-escalation routes, and credential-access risks across on-premises and cloud. The new scenarios include Kerberoast and AS-REP roast paths, domain-compromise routes, OAuth application risks, and guest-user access to cloud resources. Instead of hand-building queries to trace how a credential-theft technique could pivot through the environment, an analyst gets a ready graph to walk the exposure — useful for both incident scoping and proactive identity hunting. (What's new in Microsoft Defender XDR)

Defender Chat entered preview — an open-prompt chat assistant built into the Microsoft Defender portal that lets analysts investigate threats, explore incidents, and answer security questions in plain language without navigating multiple screens or writing KQL. It sits alongside the more scoped Security Copilot agents as a general-purpose, in-portal way to ask questions of your Defender data during triage. (What's new in Microsoft Defender XDR)

On-demand malware scanning of Azure Files reached general availability in Microsoft Defender for Storage on 26 May. On-demand scanning now covers storage accounts that hold both blobs and files, and scans can be started from the Azure portal or the REST API and automated with Logic Apps, Automation runbooks, or PowerShell. For a SOC, this gives an analyst a way to scan a suspect file share on demand during an investigation rather than waiting on upload-triggered scans only. (Microsoft Learn)

Defender for Containers extended sensor-based protection to private clusters in public preview on 31 May, adding gated deployment, binary drift detection, and malware detection for cluster scenarios that were previously uncovered. This closes a visibility gap for Kubernetes estates that run private (non-public-endpoint) clusters, so drift and malware on those workloads now surface in the same Defender experience as the rest of your container fleet. (Microsoft Learn)

Worth knowing

This was the last quiet week before Microsoft Build 2026 (June 2–3, San Francisco), where the larger Sentinel, Defender, and identity wave lands — expect next week's brief to carry it. The AI-agent-security thread running through this month's releases is the tell: the May Sentinel recap headlines an Agent 365 connector (preview) that pulls AI-agent telemetry into the data lake as first-class signals, and Defender's local-AI-agent discovery and runtime protection arrive right after Build. If your org is starting to run coding agents and MCP servers on endpoints, that is the coverage gap to watch fill over the next fortnight.

Also on 31 May, Defender for Cloud extended Kubernetes node malware detection beyond AKS to EKS and GKE nodes; that is multicloud-only and out of scope here, but it is part of the same containers push as the private-clusters preview above. On the patching cadence, there was no Patch Tuesday in this window — May's shipped on the 12th (covered last issue) and the next drops 9 June, so the near-term identity deadline to plan around is today's Entra Connect hard-match enforcement, not a new CVE batch. (Microsoft Learn)