Microsoft Defender XDR April 2026 Update Supercharges SOCs with Copilot Chat, Identity Risk Scoring, and New Threat Defenses


Written by Dave W. Shanahan

April 10, 2026

Microsoft is rolling out a major wave of security enhancements in its April 2026 Microsoft Defender XDR update, with a clear focus on deeper AI assistance for SOC teams, richer identity protection, and new guidance to harden enterprise attack surfaces. The latest monthly “What’s new” roundup covers features shipped in March, spanning Security Copilot, Defender for Identity, Defender for Endpoint, Defender for Office 365, and more.

In the “Monthly news – April 2026 Edition” post on the Microsoft Defender XDR blog, Microsoft highlights a new Copilot chat experience inside the Defender portal, expanded “agentic” triage, a refreshed identity security experience with risk scoring, and fresh threat research on AI-enabled phishing, Medusa ransomware, PHP webshells, and the Axios npm supply-chain compromise.


Security Copilot gets embedded chat and broader agentic triage


The headline change this month is a new chat experience for Microsoft Security Copilot directly inside Microsoft Defender, designed to give SOC analysts a two-way, conversational interface that’s fully aware of their investigation context. Instead of jumping between tools, analysts can ask questions, explore hypotheses, and follow alerts, identities, devices, IPs, and other evidence from one place, with Copilot grounding responses in Defender’s telemetry.

Microsoft is also expanding “agentic triage” to identity and cloud alerts, unifying triage for phishing, identity, and cloud signals in a single Security Alert Triage Agent. That agent helps determine whether alerts represent real threats or false positives, returning natural language findings and transparent, step-by-step reasoning—a move aimed at cutting noise and speeding up SOC decision-making.

Complementing the product updates, the April post surfaces new Virtual Ninja Show episodes covering topics like autonomous AI agents in Defender, extending attack disruption with third-party signals, and a “new home” experience for Defender for Cloud in the Defender portal. Microsoft also points to fresh RSA 2026 blog content on how Security Copilot in Defender is meant to empower SOCs with both assistive and autonomous AI.


Deeper identity security: dashboards, risk scoring, and non-human identities

Identity protection is another big theme in this update. Microsoft is introducing a series of public preview capabilities intended to give security teams a more complete view of both human and non-human identities across hybrid environments.

Key additions include:

  • Identity Security dashboard (Public Preview) – A new dashboard with summary cards for identity providers, on-prem identities, SaaS identities, privileged access management (PAM) and identity governance and administration (IGA) integrations, and non-human identities, plus widgets for deployment status, privileged identities, risky users, and domains with weak configurations.

  • Coverage and maturity page (Public Preview) – A view that shows identity security coverage across identity sources, mapped to maturity stages like Connected, Protected, Fortified, and Resilient, along with coverage scores and prioritized setup tasks.

  • Identity inventory enhancements – The Identity inventory page now separates human and non-human identities into different tabs, with insight cards to classify critical assets, identify highly privileged accounts, spot critical AD service accounts, and view cloud app accounts.

  • Non-human identities tab (Preview) – A focused view of non-human identities such as Microsoft Entra ID apps, AD service accounts, Google Workspace apps, and Salesforce apps, including statistics on risky, overprivileged, unused, and externally published identities and a dedicated investigation page.

Microsoft is also adding a new identity risk score, ranging from 0–100, that reflects the likelihood of compromise and potential impact based on criticality and privileged roles. The score appears in Microsoft Entra ID and can feed into conditional access and identity protection workflows, while a new Risk score tab in Defender provides trend views, percentile comparisons, and factor breakdowns for each identity.

To support domain-level analysis, a Domain investigation page (Public Preview) now shows Active Directory domain properties, deployment health, identity summaries, service account breakdowns, sensitive entities, active recommendations, GPOs, and trust relationships. There’s also a Password protection page (Public Preview) that aggregates password hygiene risks across AD, Entra ID, and Okta, including leaked credentials and exposed passwords.

As part of these changes, Secure Score category calculations are being updated so some recommendations that previously appeared under “Cloud apps” are now treated as identity-related and grouped in the Identity category. While the overall Secure Score stays the same, individual app and identity scores may shift.


New identity alerts and lateral movement detections

On the detection side, the “Suspected pass-the-ticket attack” alert is now generally available; it was previously in preview under the Pass-the-Ticket (PtT) name. The alert targets lateral movement in which an attacker takes Kerberos tickets from a compromised host and replays them from another machine to authenticate as the ticket’s owner, without ever needing that user’s password.

The April update also introduces a slate of new Defender for Identity alerts tied to both Microsoft Entra ID and Active Directory:

  • Entra ID–focused alerts like:

    • Attempt to disable Defender for Identity service principal

    • Suspicious Entra account enablement after disruption

    • Suspicious Intune device registration activity

    • Suspicious OS switch sign-in

    • Suspicious shared client infrastructure activity

    • Suspicious sign-in from unusual user agent and IP using PowerShell

    • Suspicious sign-in from unusual user agent and IP using device code flow

  • Active Directory alerts including:

    • Suspicious on-premises account enablement after disruption

    • Suspicious resource-based constrained delegation (RBCD) attribute change

    • Suspicious RBCD authentication attempts

These additions are designed to improve visibility into accounts that get re-enabled after a containment action such as attack disruption, and to flag dangerous delegation changes (a write to a computer’s resource-based constrained delegation attribute is a classic step toward impersonating any user against that host) before attackers exploit them.
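To show what the RBCD attribute-change alert is keying on, here is an added example (my own code, not Microsoft’s detection logic) that runs the equivalent check over Windows Security event 5136 (“A directory service object was modified”). It assumes the “Audit Directory Service Changes” subcategory is enabled and that a SACL on computer objects audits writes; the two sample events and the `CORP\svc-provisioning` allowlist are constructed for the demo.

```powershell
# Added example, not Defender for Identity's own detection. Event 5136 reports the
# attribute that changed (AttributeLDAPDisplayName), whether a value was added or
# removed (OperationType %%14674 / %%14675), the object DN, the subject, and the new
# value. For msDS-AllowedToActOnBehalfOfOtherIdentity the value is a security
# descriptor whose trustee SIDs are the accounts now allowed to delegate to the host.
$rbcdAttribute  = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
$approvedAdmins = @('CORP\svc-provisioning')   # assumed allowlist of legitimate writers

# Converts a live Get-WinEvent record into the flat shape used below.
function ConvertFrom-Event5136 {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{ TimeCreated = $Record.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

# Constructed sample events (same fields a real 5136 carries): a benign
# description edit and a suspicious RBCD write against a domain controller.
$sampleEvents = @(
  @{ TimeCreated = '2026-04-02T10:14:03Z'; SubjectUserName = 'svc-provisioning'; SubjectDomainName = 'CORP'
     ObjectDN = 'CN=FS01,OU=Servers,DC=corp,DC=local'; ObjectClass = 'computer'
     AttributeLDAPDisplayName = 'description'; OperationType = '%%14674'; AttributeValue = 'File server' },
  @{ TimeCreated = '2026-04-02T10:22:51Z'; SubjectUserName = 'jdoe'; SubjectDomainName = 'CORP'
     ObjectDN = 'CN=DC01,OU=Domain Controllers,DC=corp,DC=local'; ObjectClass = 'computer'
     AttributeLDAPDisplayName = $rbcdAttribute; OperationType = '%%14674'
     AttributeValue = 'O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1140)' }
)

function Find-RbcdChange {
    param([object[]]$Events, [string[]]$Allowlist)
    foreach ($e in $Events) {
        if ($e.AttributeLDAPDisplayName -ne $rbcdAttribute) { continue }
        $subject = "$($e.SubjectDomainName)\$($e.SubjectUserName)"
        $opType  = switch ($e.OperationType) {
            '%%14674' { 'value added' }
            '%%14675' { 'value deleted' }
            default   { $e.OperationType }
        }
        # Pull the trustee SIDs out of the SDDL: these are the accounts that can now
        # request service tickets to this computer on behalf of arbitrary users.
        $trustees = [regex]::Matches($e.AttributeValue, 'S-1-5-21-[\d-]+') |
                    ForEach-Object { $_.Value } | Select-Object -Unique
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Subject   = $subject
            Target    = $e.ObjectDN
            Operation = $opType
            Trustees  = ($trustees -join ',')
            Severity  = if ($Allowlist -contains $subject) { 'Low' }
                        elseif ($e.ObjectDN -like '*OU=Domain Controllers*') { 'High' }
                        else { 'Medium' }
        }
    }
}

# Demo over the constructed events; against a real DC replace $sampleEvents with
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} | ForEach-Object { ConvertFrom-Event5136 $_ }
Find-RbcdChange -Events $sampleEvents -Allowlist $approvedAdmins | Format-Table -AutoSize
```

Two caveats a practitioner would want: this log-based approach only sees changes on domain controllers where the SACL and audit policy are in place, whereas the Defender for Identity sensor observes the LDAP write itself; and a legitimate allowlisted writer can still be a compromised account, so the “Low” rating is a triage hint, not a dismissal.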


Defender for Endpoint and Secure Score: new controls for real-world attack chains

In Microsoft Defender for Endpoint and Defender Vulnerability Management, Microsoft is making several changes geared toward live response and hardening against “living off the land” techniques.

  • Library management for live response (GA) – Security teams now get a centralized view for managing the files and scripts they use in live response sessions, simplifying operational hygiene and script reuse.

  • New Microsoft Secure Score recommendations target real-world abuse patterns:

    • Block outbound network connections from mshta.exe – Reduces risk from attacks that abuse Microsoft HTML Application Host to execute malicious scripts and call out to C2 infrastructure, including campaigns like ClickFix that leverage legitimate binaries.

    • Block file transfer over RDP – Prevents attackers from using Remote Desktop sessions to move malware into an environment or exfiltrate data.

    • SMB server security hardening – Encourages enforcing Extended Protection for Authentication (EPA), SMB signing, and SMB encryption to protect against NTLM relay and traffic tampering on SMB servers.
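The three recommendations above map onto ordinary Windows controls. The following is an added example, written for this page rather than taken from Microsoft’s post, that audits a Windows Server against them and remediates on request. Two things in it are my assumptions: that “Block file transfer over RDP” is satisfied by disabling drive and clipboard redirection, and the `-Enforce` switch, which belongs to this script and is not a Defender or Secure Score API.

```powershell
# Added example (not Microsoft's code): audit-then-enforce for the three Secure Score
# items. Run elevated; run without -Enforce first and read the [FAIL] lines.
[CmdletBinding()]
param([switch]$Enforce)

function Test-Control {
    param([string]$Name, [bool]$Compliant, [scriptblock]$Fix)
    if ($Compliant) { Write-Host "[OK]     $Name"; return }
    if ($Enforce)   { & $Fix; Write-Host "[FIXED]  $Name" }
    else            { Write-Host "[FAIL]   $Name  (rerun with -Enforce)" }
}

# 1. Block outbound network connections from mshta.exe (native and WOW64 copies).
#    Complements the ASR rules; a firewall rule still bites if mshta runs outside them.
foreach ($exe in "$env:SystemRoot\System32\mshta.exe", "$env:SystemRoot\SysWOW64\mshta.exe") {
    if (-not (Test-Path $exe)) { continue }
    $ruleName = "Block outbound - $exe"
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    Test-Control -Name $ruleName `
        -Compliant ($null -ne $rule -and "$($rule.Enabled)" -eq 'True' -and "$($rule.Action)" -eq 'Block') `
        -Fix { New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Program $exe `
                                   -Action Block -Profile Any | Out-Null }
}

# 2. Block file transfer over RDP (assumed mapping): turn off drive and clipboard
#    redirection via the same policy keys the RDS Group Policy settings write.
$tsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
foreach ($value in 'fDisableCdm', 'fDisableClip') {
    $current = (Get-ItemProperty -Path $tsKey -Name $value -ErrorAction SilentlyContinue).$value
    Test-Control -Name "RDP $value = 1" -Compliant ($current -eq 1) -Fix {
        if (-not (Test-Path $tsKey)) { New-Item -Path $tsKey -Force | Out-Null }
        Set-ItemProperty -Path $tsKey -Name $value -Value 1 -Type DWord
    }
}

# 3. SMB server hardening: signing, encryption, and SPN target-name validation
#    (the SMB form of Extended Protection for Authentication), plus no SMB1.
$smb = Get-SmbServerConfiguration
Test-Control -Name 'SMB signing required' -Compliant $smb.RequireSecuritySignature `
    -Fix { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
Test-Control -Name 'SMB encryption on and unencrypted access rejected' `
    -Compliant ($smb.EncryptData -and $smb.RejectUnencryptedAccess) `
    -Fix { Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force }
Test-Control -Name 'SMB SPN target name validation (level >= 1)' `
    -Compliant ($smb.SmbServerNameHardeningLevel -ge 1) `
    -Fix { Set-SmbServerConfiguration -SmbServerNameHardeningLevel 1 -Force }
Test-Control -Name 'SMB1 disabled' -Compliant (-not $smb.EnableSMB1Protocol) `
    -Fix { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
```

Before enforcing, check the blast radius: `RejectUnencryptedAccess` cuts off any client that cannot negotiate SMB 3 encryption, and SPN validation level 2 (rather than the 1 used here) breaks access through DNS aliases unless those names are registered as SPNs. In a domain, put the same settings in Group Policy so they survive a rebuild rather than relying on a one-off script.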

The post also confirms that proactive user containment is now generally available. This predictive shielding feature uses exposure data to identify users at high risk of credential compromise and temporarily contains them before an attacker can act, and Microsoft singles it out as a key mitigation for identity-driven attack chains.


Advanced hunting, Sentinel content updates, and incident graph improvements

For customers investing in threat hunting, Microsoft is previewing two new advanced hunting tables in Defender XDR:

  • CloudDnsEvents – Captures DNS activity events from cloud infrastructure environments.

  • CloudPolicyEnforcementEvents – Stores policy enforcement decisions and metadata for security gating events across cloud platforms protected by Defender for Cloud.

There’s also an important call to action for Microsoft Sentinel users: organizations need to update older “content as code” (Sentinel repositories) API versions before June 15, 2026, to stay supported.

On the incident side, a new preview capability adds filters for very large incidents with many alerts and entities, letting analysts hide specific entities and reduce graph complexity so they can focus on what matters most.


Defender for Office 365 and Cloud Apps: Teams reporting and Secure Score refinements

In Microsoft Defender for Office 365, Microsoft is extending its coverage to more of the Teams experience:

  • User reporting for Teams calls now includes one-to-one calls—completed or missed—which users can mark as malicious (scam) or benign, sending reports to a designated mailbox and/or Microsoft via user-reported settings.

  • When users report Teams messages from chats, channels, or meetings, up to fifteen messages before and after the flagged item are now included for contextual analysis, helping security teams understand the full conversation.

For Defender for Cloud Apps, Secure Score category updates mirror the identity-focused changes noted earlier: certain Cloud apps recommendations are now classified as identity-related to better reflect how attackers blend cloud and identity abuse.


Why it matters for Microsoft Defender XDR security customers


Taken together, the April 2026 updates clearly push Microsoft Defender XDR further toward AI-driven operations, unified identity security, and practical hardening against current attack techniques. Security Copilot’s embedded chat and expanded agentic triage are aimed squarely at SOC productivity, while the richer identity dashboards, risk scoring, and non-human identity coverage respond to the reality that identities—not just endpoints—are now the primary perimeter.

For customers, the key action items are to evaluate the new Copilot chat and triage experience, onboard identity security previews where possible, review new Secure Score recommendations, and ensure Sentinel content is updated before the June 2026 deadline.


I'm Dave W. Shanahan, a Microsoft enthusiast with a passion for Windows, Xbox, Microsoft 365 Copilot, Azure, and more. I started MSFTNewsNow.com to keep the world updated on Microsoft news. Based in Massachusetts, you can email me at davewshanahan@gmail.com.