Monthly Microsoft Security Feature Updates - July 2025

Within this blog, I want to give you each month an overview of all the features that reached General Availability (GA), became available in Public Preview (PP) or were Deprecated (DEP), together (where possible) with hands-on links to the Microsoft Learn page on how to implement them. Happy learning and stay tuned for more Security News!


Microsoft Defender XDR

  • [PP] GraphApiAuditEvents table is now available in the advanced hunting schema
    This table contains information about Microsoft Entra ID API requests made to the Microsoft Graph API for resources in the tenant. For more information about this table, click here; for the advanced hunting schema, click here.
  • [PP] DisruptionAndResponseEvents table is now available in the advanced hunting schema
    The DisruptionAndResponseEvents table contains information about automatic attack disruption events in Microsoft Defender XDR. These events include both block and policy application events related to triggered attack disruption policies, and the automatic actions taken across related workloads. Use it to increase visibility into active, complex attacks that attack disruption has contained and to understand their scope, context, impact, and the actions taken. For more information about this table, click here; for the advanced hunting schema, click here.
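As an added example (not from the original post), a hunting query over GraphApiAuditEvents that flags a single principal reading many distinct directory endpoints within a short window, the pattern left behind by tenant reconnaissance tooling. The column names used (Timestamp, AccountObjectId, ApplicationId, IPAddress, RequestMethod, RequestUri, ResponseStatusCode) are assumed from the table's documented schema and the thresholds are illustrative; verify both against the schema reference before relying on the query.

```kql
// Added example, not from the original post. Hunts GraphApiAuditEvents for
// directory enumeration: one principal issuing many distinct GET requests
// against user/group/app/role endpoints in a short time window.
// Column names are assumed from the documented schema; thresholds are illustrative.
let lookback = 1d;
let maxWindowMinutes = 30;          // how compressed the burst has to be
let minDistinctUris = 50;           // how many distinct objects/endpoints were read
// Directory resources that recon tooling (e.g. BloodHound-style collectors) walks
let reconPaths = dynamic(["/users", "/groups", "/applications",
                          "/servicePrincipals", "/directoryRoles",
                          "/roleManagement"]);
GraphApiAuditEvents
| where Timestamp > ago(lookback)
| where RequestMethod == "GET"
| where RequestUri has_any (reconPaths)
| summarize
    Requests     = count(),
    DistinctUris = dcount(RequestUri),
    Failures     = countif(ResponseStatusCode >= 400),   // throttling / denied reads
    SourceIPs    = make_set(IPAddress, 10),
    FirstSeen    = min(Timestamp),
    LastSeen     = max(Timestamp)
  by AccountObjectId, ApplicationId
// A wide spread of distinct reads in a narrow window is the signal,
// not the raw request count (legitimate sync apps are high-volume but repetitive).
| where DistinctUris >= minDistinctUris
    and datetime_diff("minute", LastSeen, FirstSeen) <= maxWindowMinutes
| extend FailureRatio = round(1.0 * Failures / Requests, 2)
| project FirstSeen, LastSeen, AccountObjectId, ApplicationId,
          Requests, DistinctUris, FailureRatio, SourceIPs
| order by DistinctUris desc
```

Run it from Advanced hunting in the Defender portal; the `ApplicationId` dimension matters because the same pattern coming from a service principal with a freshly added credential is a different (and usually worse) story than an interactive user running a PowerShell module.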

Microsoft Sentinel

  • [GA] Table management and retention settings in the Microsoft Defender portal
    Table management and retention settings are now available in the Microsoft Defender portal. You can view and manage table settings there, including retention settings for Microsoft Sentinel and Defender XDR tables, and switch tables between the analytics and data lake tiers.
  • [GA] For new customers only: Automatic onboarding and redirection to the Microsoft Defender portal
    For this update, new Microsoft Sentinel customers are customers who onboard the first workspace in their tenant to Microsoft Sentinel on or after July 1, 2025. Starting July 1, 2025, such new customers who have the permissions of a subscription Owner or a User Access Administrator, and who are not Azure Lighthouse-delegated users, have their workspaces automatically onboarded to the Defender portal together with onboarding to Microsoft Sentinel. Users of such workspaces, who also aren't Azure Lighthouse-delegated users, see links in Microsoft Sentinel in the Azure portal that redirect them to the Defender portal, and use Microsoft Sentinel in the Defender portal only. New customers who don't have the relevant permissions aren't automatically onboarded to the Defender portal, but they still see redirection links in the Azure portal, together with prompts to have a user with the relevant permissions manually onboard the workspace to the Defender portal. This change streamlines onboarding and ensures that new customers can immediately take advantage of the unified security operations capabilities without the extra step of manually onboarding their workspaces.
  • [GA] No limit on the number of workspaces you can onboard to the Defender portal
    There is no longer any limit to the number of workspaces you can onboard to the Defender portal. Limitations still apply to the number of workspaces you can include in a Log Analytics query, and in the number of workspaces you can or should include in a scheduled analytics rule.
  • [PP] Data lake support
    Microsoft Sentinel is now enhanced with a modern data lake, purpose-built to streamline data management, reduce costs, and accelerate AI adoption for security operations teams. The new Microsoft Sentinel data lake offers cost-effective, long-term storage, eliminating the need to choose between affordability and robust security. Security teams gain deeper visibility and faster incident resolution, all within the familiar Sentinel experience, enriched through seamless integration with advanced data analytics tools.
  • [PP] Microsoft Sentinel data lake permissions integrated with Microsoft Defender XDR unified RBAC
    Starting in July 2025, Microsoft Sentinel data lake permissions are provided through Microsoft Defender XDR unified RBAC. Support for unified RBAC is available in addition to the support already provided by the global Microsoft Entra ID roles.
  • [DEP] Microsoft Sentinel in the Azure portal to be retired July 2026
    Microsoft Sentinel is generally available in the Microsoft Defender portal, including for customers without Microsoft Defender XDR or an E5 license. This means that you can use Microsoft Sentinel in the Defender portal even if you aren't using other Microsoft Defender services. Starting in July 2026, Microsoft Sentinel will be supported in the Defender portal only, and any remaining customers using the Azure portal will be automatically redirected. If you're currently using Microsoft Sentinel in the Azure portal, we recommend that you start planning your transition to the Defender portal now to ensure a smooth transition and take full advantage of the unified security operations experience offered by Microsoft Defender.

Azure Firewall

  • [GA] Customer-controlled maintenance
    Azure Firewall enables users to set a maintenance window with a minimum duration of 5 hours, recurring daily, to best accommodate their requirements and minimize unexpected downtime. Firewalls with an associated maintenance configuration will not undergo upgrades outside the designated maintenance period.
  • [GA] Ingestion-time transformation of logs in Log Analytics, enabling selective logging and advanced filtering
    For customers using Log Analytics to analyse firewall logs, the cost of log ingestion and storage itself can be significant. This feature lets you filter and transform logs with a data collection rule (DCR) before they are ingested, helping reduce costs while retaining the critical data. Advantages:
    • Security monitoring: Log only suspicious traffic for better threat detection;
    • Cost savings: Avoid ingesting and storing unnecessary logs;
    • Compliance: Use DCRs to route logs for audit/reporting;
    • Incident response: Faster access to relevant logs;
    • Custom alerts: Build dashboards and alerts in Azure Monitor.
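As an added example (not from the original post), the transformation query such a DCR would carry. A workspace transformation DCR (kind WorkspaceTransforms) attached to the Log Analytics workspace applies one transformKql per table stream; for Azure Firewall's resource-specific network rule log the stream is Microsoft-Table-AZFWNetworkRule, and the query below is its transformKql. The column names Action, Protocol and DestinationPort are assumed from the documented AZFWNetworkRule schema, and the port list is illustrative; confirm both before deploying.

```kql
// Added example, not from the original post. transformKql for the
// Microsoft-Table-AZFWNetworkRule stream of a WorkspaceTransforms DCR.
// "source" is the incoming batch of AZFWNetworkRule records; whatever this
// query does not emit is never ingested (and is therefore never billed).
// Column names Action, Protocol, DestinationPort are assumed from the schema.
source
// 1. Keep every denied flow: that is the traffic you hunt and alert over.
| where Action == "Deny"
    // 2. ...and allowed flows to administrative ports, which are worth keeping for IR.
    or (Action == "Allow" and DestinationPort in (22, 3389, 5985, 5986))
// 3. Drop allowed DNS chatter even if it matched above; it is high-volume, low-signal.
| where not (Action == "Allow" and Protocol == "UDP" and DestinationPort == 53)
// 4. Tag the rows so analysts can see a transform shaped this table.
| extend IngestionFilter = "azfw-netrule-selective-v1"
```

Two caveats before putting this in production: anything the transform drops is gone for good, so an "allowed" flow you later need for an incident cannot be recovered from the workspace, and transformations only support a subset of KQL (filtering and projection operators; no joins or summaries). If you need the full flow history for compliance or forensics, consider keeping the complete log in the data lake tier mentioned above and using the transform only to shape what lands in the analytics tier.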

Azure Front Door

  • None (for this month).

Application Gateway

  • None (for this month).

Microsoft Defender for Endpoint

  • None (for this month).

Microsoft Defender for Office 365

  • None (for this month).

Microsoft Defender for Identity

  • None (for this month).

Microsoft Defender for Cloud Apps

  • [GA] App Governance available in 8 new regions
    App Governance is now also available in Brazil, Sweden, Norway, Switzerland, South Africa, South Korea, the United Arab Emirates and Asia Pacific.
  • [GA] Updated network requirements for GCC and Gov customers
    To support ongoing security enhancements and maintain service availability, Microsoft Defender for Cloud Apps now requires updated firewall configurations for customers in GCC and Gov environments. To avoid service disruption, take action by August 25, 2025, and update your firewall configuration. Allow outbound traffic on TCP port 443 to the following IP ranges: 51.54.53.136/29, 51.54.114.160/29 and 62.11.173.176/29. If you're using Azure service tags, add AzureFrontDoor.MicrosoftSecurity to your firewall allowlist.

Microsoft Defender for IoT

  • None (for this month).

Microsoft Security Copilot

  • [GA] Azure Web Application Firewall (WAF) integration
    This integration supports both Azure Front Door WAF and Azure Application Gateway WAF. By integrating Azure WAF with Security Copilot, organizations can streamline security operations and accelerate investigations, helping security teams stay ahead of increasingly sophisticated threats. Key features:
    • SQL Injection (SQLi) Attack Analysis;
    • Cross-Site Scripting (XSS) Attack Analysis;
    • Top Offending IP Analysis;
    • Top Azure WAF Rules Analysis.
  • [GA] Azure Firewall integration
    The Azure Firewall integration in Security Copilot helps analysts perform detailed investigations of the malicious traffic intercepted by the IDPS feature of their firewalls across their entire fleet using natural language questions. Key features:
    • Retrieve the top IDPS signature hits for an Azure Firewall: Get log information about the traffic intercepted by the IDPS feature instead of constructing KQL queries manually.
    • Enrich the threat profile of an IDPS signature beyond log information: Get additional details to enrich the threat information/profile of an IDPS signature instead of compiling it yourself manually.
    • Look for a given IDPS signature across your tenant, subscription, or resource group: Perform a fleet-wide search (over any scope) for a threat across all your Firewalls instead of searching for the threat manually.
    • Generate recommendations to secure your environment using Azure Firewall's IDPS feature: Get information from documentation about using Azure Firewall's IDPS feature to secure your environment instead of having to look up this information manually.

GitHub Advanced Security

  • None (for this month).
    Check out the GitHub Roadmap for the latest news.

Those are all the updates! Till next time, take care!