Monthly Microsoft Security Feature Updates - June 2025

In this monthly post I give an overview of all the features that reached General Availability (GA), became available in Public Preview (PP) or were Deprecated (DEP), together (where possible) with hands-on links to the Microsoft Learn page that explains how to implement them. Happy learning and stay tuned for more Security News!


Microsoft Defender XDR


Microsoft Sentinel

  • [GA] Codeless Connector Platform (CCP) renamed to Codeless Connector Framework (CCF)
    The Microsoft Sentinel Codeless Connector Platform (CCP) has been renamed to Codeless Connector Framework (CCF). The new name reflects the platform's evolution and avoids confusion with other platform-oriented services, while still providing the same ease of use and flexibility that users have come to expect. For more information, click here.
  • [GA] Consolidated Microsoft Sentinel data connector reference
    Microsoft consolidated the connector reference documentation, merging the separate connector articles into a single, comprehensive reference table. You can find the new connector reference at Microsoft Sentinel data connectors. For more information, click here.
  • [PP] Summary rule templates
    You can now use summary rule templates to deploy pre-built summary rules tailored to common security scenarios. A summary rule aggregates a large data set on a schedule into a small custom table, so later queries and analytics rules run against the aggregate instead of the raw logs. The templates let you do this without deep KQL expertise, reduce setup time and follow Microsoft's recommended practices. For more information, click here.
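    To make concrete what a summary rule is, here is an added example that is not one of Microsoft's templates and not code from the original post. It assumes Palo Alto PAN-OS logs arriving in CommonSecurityLog and a destination table named FirewallDenySummary_CL (both assumptions); the second query shows the cheap detection you can then run over the summary instead of the raw logs.

```kql
// Added example (not from the original post). Summary rule query:
// hourly roll-up of firewall deny events per source/destination pair.
// Assumption: PAN-OS logs reach CommonSecurityLog via the CEF connector.
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks" and DeviceProduct == "PAN-OS"
| where DeviceAction in~ ("deny", "drop", "reset-both")
| summarize
    EventCount    = count(),
    DistinctPorts = dcount(DestinationPort),
    Ports         = make_set(DestinationPort, 50),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
  by WindowStart = bin(TimeGenerated, 1h), SourceIP, DestinationIP, DeviceAction

// Detection query over the summary table instead of the raw logs.
// Assumption: the rule above writes to a custom table called FirewallDenySummary_CL.
FirewallDenySummary_CL
| where WindowStart > ago(1d)
| where DistinctPorts >= 20            // one source probing many ports on one host
| project WindowStart, SourceIP, DestinationIP, DeviceAction, DistinctPorts, EventCount, Ports
| order by DistinctPorts desc
```

    Set the summary rule's frequency to the same size as the bin (here one hour) so that each run covers exactly one window and no window is aggregated twice.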

Azure Firewall

  • [GA] Azure Firewall now supports FQDNs in DNAT rules
    Azure Firewall supports the use of Fully Qualified Domain Names (FQDNs) in DNAT (Destination Network Address Translation) rules, allowing inbound traffic to be forwarded to backend resources using a domain name instead of a static IP address. This is especially useful where backend IP addresses are dynamic or centrally managed via DNS. Because the firewall has to resolve the name itself, DNS proxy must be enabled on the firewall (as for FQDN filtering in network rules), and the DNS servers it uses must be able to resolve the backend name.
  • [PP] Draft & Deploy for Azure Firewall Policy
    The new Draft & Deploy feature for Azure Firewall Policy introduces a two-phase approach to managing firewall policies that significantly reduces deployment time and disruption. Until now, every policy update triggered a full deployment of both the policy and the attached firewall, taking 2–4 minutes per change.
    With Draft & Deploy, users can collaboratively make multiple changes in a draft version cloned from the current policy without affecting the live environment. Once finalized, all changes are deployed at once and the draft replaces the existing policy. Because the deployment replaces the policy as a whole, avoid editing the live policy directly while a draft is open; anything changed there after the clone was taken would not be in the draft.

Azure Front Door

  • [GA] Azure Front Door | Managed wildcard certificate support
    Azure Front Door Standard and Premium profiles now support managed certificates for wildcard domains. Previously, you could only bring your own certificate for wildcard domains on Azure Front Door. This lets customers secure multiple subdomains with a single certificate, which is ideal for SaaS providers and large-scale multi-tenant applications. Advantages:
    • customers no longer need to manage individual certificates for each subdomain;
    • wildcard support reduces configuration overhead and accelerates onboarding;
    • managed certificates are renewed automatically.
  • [PP] Azure Front Door | WAF Profile and Route Based Policies
    Azure's Web Application Firewall (WAF) running on Azure Front Door is now previewing the ability to attach WAF policies at the Front Door profile level and at the route level, in addition to the existing domain level. Attaching a WAF policy at the route level lets you apply and tune WAF policies at a more granular level without the changes affecting all routes under a domain. Attaching a WAF policy at the profile level lets you ensure that all traffic flowing through your Azure Front Door is protected by a WAF policy.

Application Gateway

  • None (for this month).

Microsoft Defender for Endpoint

  • None (for this month).

Microsoft Defender for Office 365

  • [GA] Mail Bombing Detection technology in Microsoft Defender for Office 365
    Microsoft Defender for Office 365 is introducing Mail Bombing Detection to protect against email bombing attacks, in which a mailbox is flooded with a high volume of messages (often sign-up and newsletter confirmations from many legitimate services) to bury legitimate mail or to set up a follow-on "help desk" social-engineering call. The feature rolls out worldwide from late June to early July 2025. It automatically identifies such messages and delivers them to the Junk folder, without any manual configuration. Inform your security team and update documentation accordingly. Mail bombing is now an available Detection technology value in Threat Explorer, the Email entity page and the Email summary panel, and an available DetectionMethods value in Advanced Hunting.
  • [GA] Generative AI explanations for admin email submissions
    AI-powered Submissions Response introduces generative AI explanations for the emails admins submit to Microsoft for analysis, so the verdict comes with an explanation rather than a bare result.
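    The mail bombing item above says the verdict is exposed as a DetectionMethods value in Advanced Hunting; the following is an added hunting query (not from the original post, not a Microsoft template) that shows how to use it. It assumes the value is spelled "Mail bombing" exactly as the release note states and that junk placement shows up in LatestDeliveryLocation as a string containing "Junk" (both assumptions).

```kql
// Added example (not from the original post): hunt for mail-bombing verdicts.
// DetectionMethods is a dynamic column; tostring() lets `has` match the value.
EmailEvents
| where Timestamp > ago(7d)
| where tostring(DetectionMethods) has "Mail bombing"
| summarize
    Messages      = count(),
    UniqueSenders = dcount(SenderFromAddress),
    SenderDomains = make_set(SenderFromDomain, 20),
    // Assumption: Junk placement reads "Junk folder"; anything else needs a look
    NotInJunk     = countif(LatestDeliveryLocation !has "Junk"),
    FirstSeen     = min(Timestamp),
    LastSeen      = max(Timestamp)
  by RecipientEmailAddress, Hour = bin(Timestamp, 1h)
| order by Messages desc
```

    A recipient with hundreds of messages in one hour is the user to warn about a follow-up phone call or Teams message from someone posing as IT support, which is how these floods are typically monetised; NotInJunk highlights messages that were detected but ended up somewhere other than Junk.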

Microsoft Defender for Identity

  • [GA] Service account classification rules now available
    You can now create custom classification rules to identify service accounts based on your organization’s specific criteria. This complements automatic discovery, enabling more accurate identification of service accounts.
  • [GA] PowerShell module updates (version 1.0.0.4)
    New features and improvements:
    • Added remote domain functionality;
    • Added a SensorType parameter to Test-MDISensorApiConnection so the cmdlet tests the endpoint URL that applies to that sensor type;
    • Added the ability to Get/Set/Test the Deleted Objects container permissions;
    • Added auditing for Delegated Managed Service Accounts (dMSA) to the DomainObjectAuditing configuration.
  • [PP] Okta integration is now available in Microsoft Defender for Identity
    Microsoft Defender for Identity now supports integration with Okta, enabling detection of identity-based threats across cloud and on-premises environments. This integration helps identify suspicious sign-ins, risky role assignments, and potential privilege misuse within your Okta environment.
  • [PP] Scoped access by Active Directory domain now supported
    MDI scoping is now available as part of XDR User Role-Based Access Control (URBAC). Organizations can now define and refine the scope of MDI monitoring, providing granular control over which entities and resources are included in security analysis. Scoping by Active Directory domains helps:
    • Optimize performance: Focus monitoring on critical assets and reduce noise from non-essential data;
    • Enhance visibility control: Tailor MDI coverage to specific domains and user groups;
    • Support operational boundaries: Align access for SOC analysts, identity administrators, and regional teams.

Microsoft Defender for Cloud Apps

  • [GA] “Behaviors” data type in Microsoft Defender for Cloud Apps
    The Behaviors data type enhances overall threat detection accuracy by reducing alerts on generic anomalies and surfacing alerts only when observed patterns align with real security scenarios. You can now use Behaviors to conduct investigations in Advanced Hunting, build better custom detections based on behavioral signals, and benefit from automatic inclusion of context-related behaviors into incidents. This provides clearer context and helps security operations teams to reduce alert fatigue, prioritize, and respond more efficiently.
  • [GA] New Dynamic Threat Detection model
    Microsoft Defender for Cloud Apps' new dynamic threat detection model continuously adapts to the ever-changing SaaS threat landscape. This keeps your organization protected with up-to-date detection logic without manual policy updates or reconfiguration. Several legacy anomaly detection policies have already been transitioned to this adaptive model.
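    The Behaviors item above mentions investigating behaviors in Advanced Hunting and building custom detections on them; here is an added query (not from the original post, not a Microsoft template) over the BehaviorInfo and BehaviorEntities tables that finds users whose Cloud Apps behaviors span two or more attack categories on the same day. Assumptions: the ServiceSource string used for the filter, and that BehaviorEntities.Application carries the cloud app name.

```kql
// Added example (not from the original post): users whose Defender for Cloud Apps
// behaviors span two or more attack categories on the same day, joined with the
// cloud apps those behaviors touched. Assumptions: the ServiceSource string and
// BehaviorEntities.Application as the app name.
let lookback = 7d;
let appsPerBehavior =
    BehaviorEntities
    | where Timestamp > ago(lookback)
    | where isnotempty(Application)
    | distinct BehaviorId, Application;
BehaviorInfo
| where Timestamp > ago(lookback)
| where ServiceSource == "Microsoft Defender for Cloud Apps"
| where isnotempty(AccountUpn)
| join kind=leftouter appsPerBehavior on BehaviorId
| mv-expand Category = Categories to typeof(string)
// Only dcount/make_set/min/max below: the join and mv-expand multiply rows,
// so a plain count() here would be inflated.
| summarize
    CategoryCount = dcount(Category),
    CategorySet   = make_set(Category, 10),
    Behaviors     = make_set(ActionType, 20),
    Apps          = make_set(Application, 20),
    BehaviorIds   = make_set(BehaviorId, 50),
    FirstSeen     = min(Timestamp),
    LastSeen      = max(Timestamp)
  by AccountUpn, Day = bin(Timestamp, 1d)
| where CategoryCount >= 2
| order by CategoryCount desc, LastSeen desc
```

    The BehaviorIds column is there so you can pivot back to the individual behaviors (and the incidents they were attached to) from the aggregated row. For a custom detection rule you would drop the summarize and alert on the row level, keeping Timestamp and AccountUpn in the output.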

Microsoft Defender for IoT

  • None (for this month).

Microsoft Security Copilot

  • [GA] Azure Web Application Firewall (WAF) integration
    This integration supports both Azure Front Door WAF and Azure Application Gateway WAF. By integrating Azure WAF with the Security Copilot, organizations can streamline security operations, and accelerate investigations, helping security teams stay ahead of increasingly sophisticated threats. Key features:
    • SQL Injection (SQLi) Attack Analysis;
    • Cross-Site Scripting (XSS) Attack Analysis;
    • Top Offending IP Analysis;
    • Top Azure WAF Rules Analysis.
  • [GA] Azure Firewall integration
    The Azure Firewall integration in Security Copilot helps analysts perform detailed investigations of the malicious traffic intercepted by the IDPS feature of their firewalls across their entire fleet using natural language questions. Key features:
    • Retrieve the top IDPS signature hits for an Azure Firewall: Get log information about the traffic intercepted by the IDPS feature instead of constructing KQL queries manually.
    • Enrich the threat profile of an IDPS signature beyond log information: Get additional details to enrich the threat information/profile of an IDPS signature instead of compiling it yourself manually.
    • Look for a given IDPS signature across your tenant, subscription, or resource group: Perform a fleet-wide search (over any scope) for a threat across all your Firewalls instead of searching for the threat manually.
    • Generate recommendations to secure your environment using Azure Firewall's IDPS feature: Get information from documentation about using Azure Firewall's IDPS feature to secure your environment instead of having to look up this information manually.

GitHub Advanced Security

  • None (for this month).
    Check out the GitHub Roadmap for the latest news.

Those are all the updates! Till next time, take care!