
New Microsoft Defender Revelation Reopens Troubling Quality Questions

Defender for Cloud Apps and Entra ID Login Events.

Entra ID Login Events Fail to Get to Defender for Cloud Apps

Microsoft’s recent message center post MC1253510 is the kind of disclosure that deserves more attention than it’s likely to get. Microsoft has revealed that Entra ID login events from February 17, 2025, through November 17, 2025 — a nine-month period — were not being sent to Microsoft Defender for Cloud Applications (MDA – Figure 1). That’s nine months of missing security telemetry in a product that organizations pay for specifically because it provides visibility into user sign-in behavior.

Figure 1: Microsoft Defender for Cloud Apps

Microsoft sent notifications to affected tenants with the subject line “Data privacy notification available in Message Center.” Tenants who were not affected (e.g. because they don’t use MDA) won’t see this notification.

What Happened to Microsoft Defender for Cloud Apps

According to the message center post, a code issue introduced on February 17, 2025, caused a subset of Entra ID login events to stop flowing into the MDA portal. Microsoft deployed a fix on November 30, 2025, and says that the fix “restored processing for all affected Entra ID login events.”

The affected capabilities include activity viewing, activity alerts, advanced hunting, anomaly detection, Microsoft Sentinel integration (for MDA-sourced data paths), and file policy evaluation. In other words, the full range of things you’d use MDA for when investigating user sign-in activity.

Microsoft says the data itself was never lost — it remained on Microsoft’s servers and was always accessible through the Entra portal and through the EntraSignInEvents table in Advanced Hunting. The gap was specifically in the pipeline that feeds login events to MDA. I’m not sure that’s actually comforting.

Why This Is a Problem

Let’s be direct about what this means: organizations that were depending on Defender for Cloud Apps didn’t get the security protection they paid for. During that time, Defender for Cloud Apps didn’t correctly detect some number of anomalous sign-ins, trigger alerts on suspicious logins, or feed sign-in signals into Sentinel.

This is a security product. Incomplete telemetry in a security product isn’t just an inconvenience. It’s a fundamental failure, because it could allow attackers to work without triggering the alerts that MDA is supposed to generate.

A brief outage in a data pipeline is understandable; cloud services are complex, and things break. But a nine-month duration is unacceptable. The length of the gap suggests that either the data pipeline lacked adequate monitoring, or the monitoring existed but nobody acted on it.

Neither explanation is reassuring for a security product, especially given Microsoft’s loud public focus on improving product and platform security.

Microsoft’s Disclosure Timeline Raises Questions

The fix was deployed on November 30, 2025. The message center post disclosing the issue was published on March 16, 2026 — more than three and a half months after the fix. Microsoft frames the disclosure as “part of [their] commitment to transparency and service reliability.” That… sounds wrong.

On one hand, yes, transparency is welcome, so it’s good that Microsoft disclosed this issue.

On the other hand, a 14-week gap in making the actual disclosure is excessive. Microsoft had already fixed the problem at that point, so there was no issue of responsible disclosure. Meanwhile, customers that ran an investigation between February and November 2025 that depended on MDA sign-in data must now question the validity of the results they got.

The post says “no further action is required” from customers because Microsoft has resolved the underlying issue. That’s true in the narrow sense that the pipeline is fixed. But organizations that conducted security investigations, compliance reviews, or audit responses during the affected period using MDA data absolutely have follow-up work to do. They need to assess whether any conclusions drawn from MDA sign-in data during those nine months were affected by the gap.

If I were an MDA customer, I would also be assessing whether I wanted to switch products.

What You Should Do

If you’re using MDA as part of your infrastructure, there are a few things you should do to ensure that the pipeline issue didn’t affect you.

  1. Review investigations conducted during the affected period. If your security team or compliance team ran investigations between February 17 and November 17, 2025, that relied on Entra ID sign-in data from MDA, flag them for review.
  2. Cross-reference with Entra ID logs. Microsoft confirms that the sign-in data was always available through the Entra portal and the EntraSignInEvents table in Advanced Hunting. If you find gaps in your MDA-based investigation data, you can fill them from these sources — assuming your log retention policies still cover the affected period.
  3. Check your Sentinel integration. If you feed MDA data into Microsoft Sentinel, review whether your detection rules and hunting queries that depend on MDA-sourced sign-in events produced accurate results during the affected window. Sentinel queries that pull directly from Entra (rather than through MDA) would not have been affected.
  4. Review your anomaly detection baselines. MDA’s anomaly detection builds behavioral baselines from historical data. Nine months of incomplete sign-in data could have skewed those baselines. Monitor whether your anomaly detection produces an unusual number of false positives or negatives in the weeks following the fix as the models recalibrate.
  5. Document the gap for your auditors. If your organization is subject to compliance frameworks that require continuous monitoring of sign-in activity (SOC 2, ISO 27001, various regulatory requirements), document this gap and your remediation steps. Your auditors will want to see that you’ve assessed the impact.
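Steps 1 through 3 amount to one reconciliation exercise: take the sign-in records Microsoft says were always available (the Entra portal or the EntraSignInEvents table), compare them against what MDA actually holds for the affected window, and flag any investigation whose date range overlaps that window. The script below is an added example that is not part of the original post and not Microsoft tooling. The CSV layout of the two exports and the use of a correlation ID as the join key are constructed assumptions for the example; adapt the parser to whatever columns your real exports carry.

```python
# Added example (not from the original post or from Microsoft): reconcile an
# Entra ID sign-in export against an MDA activity export for the affected
# window, and flag investigations whose date range overlaps that window.
# The CSV layout and the use of a correlation ID as the join key are
# constructed assumptions for this example, not either product's real schema.
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Affected window as stated in MC1253510 (inclusive).
GAP_START = date(2025, 2, 17)
GAP_END = date(2025, 11, 17)


@dataclass(frozen=True)
class SignIn:
    correlation_id: str
    user: str
    ip: str
    when: datetime


def parse_export(text: str) -> list[SignIn]:
    """Parse a constructed CSV export: correlationId,user,ip,timestamp (ISO 8601, UTC)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        stamp = row["timestamp"].replace("Z", "+00:00")  # fromisoformat wants an explicit offset
        rows.append(SignIn(row["correlationId"], row["user"], row["ip"], datetime.fromisoformat(stamp)))
    return rows


def in_gap(when: datetime) -> bool:
    return GAP_START <= when.date() <= GAP_END


def missing_from_mda(entra: list[SignIn], mda: list[SignIn]) -> list[SignIn]:
    """Entra sign-ins inside the gap that never showed up in MDA, oldest first."""
    seen = {s.correlation_id for s in mda}
    return sorted((s for s in entra if in_gap(s.when) and s.correlation_id not in seen),
                  key=lambda s: s.when)


def daily_coverage(entra: list[SignIn], mda: list[SignIn]) -> dict[date, tuple[int, int]]:
    """Per gap day: (Entra sign-ins that day, how many of them MDA also has)."""
    seen = {s.correlation_id for s in mda}
    cov: dict[date, tuple[int, int]] = {}
    for s in entra:
        if not in_gap(s.when):
            continue
        total, matched = cov.get(s.when.date(), (0, 0))
        cov[s.when.date()] = (total + 1, matched + (s.correlation_id in seen))
    return cov


def investigation_needs_review(start: date, end: date) -> bool:
    """True when an investigation's date range overlaps the affected window."""
    return start <= GAP_END and end >= GAP_START


# Constructed sample exports: two sign-ins before the gap, three inside it, one after.
ENTRA_EXPORT = """correlationId,user,ip,timestamp
c-0001,alice@contoso.example,203.0.113.10,2025-02-01T08:00:00Z
c-0002,bob@contoso.example,203.0.113.11,2025-02-16T23:59:00Z
c-0003,alice@contoso.example,198.51.100.5,2025-02-17T09:15:00Z
c-0004,carol@contoso.example,198.51.100.7,2025-06-03T14:20:00Z
c-0005,bob@contoso.example,203.0.113.11,2025-06-03T15:00:00Z
c-0006,alice@contoso.example,203.0.113.10,2025-11-18T10:00:00Z
"""
# MDA is missing two of the three in-gap records (c-0003 and c-0005).
MDA_EXPORT = """correlationId,user,ip,timestamp
c-0001,alice@contoso.example,203.0.113.10,2025-02-01T08:00:00Z
c-0002,bob@contoso.example,203.0.113.11,2025-02-16T23:59:00Z
c-0004,carol@contoso.example,198.51.100.7,2025-06-03T14:20:00Z
c-0006,alice@contoso.example,203.0.113.10,2025-11-18T10:00:00Z
"""

if __name__ == "__main__":
    entra, mda = parse_export(ENTRA_EXPORT), parse_export(MDA_EXPORT)
    for s in missing_from_mda(entra, mda):
        print(f"missing in MDA: {s.when:%Y-%m-%d %H:%M} {s.user} from {s.ip} ({s.correlation_id})")
    for day, (total, matched) in sorted(daily_coverage(entra, mda).items()):
        print(f"{day}: {matched}/{total} Entra sign-ins present in MDA")
    print("review needed:", investigation_needs_review(date(2025, 11, 1), date(2025, 12, 1)))
```

The daily coverage ratio is the number worth keeping: a day where MDA holds a fraction of what Entra recorded tells you which alerts and Sentinel rules fed from MDA were operating on incomplete input, while a Sentinel rule reading the Entra table directly is unaffected. The `investigation_needs_review` check is the same overlap test you would run over a list of closed cases for step 1.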

The Bigger Picture

This incident is part of a pattern. Microsoft’s security products are powerful, but the company’s track record on timely disclosure of data pipeline issues and service gaps has been uneven. The Copilot DLP bug from earlier this year — where confidential email content leaked through Copilot Chat despite sensitivity labels — took weeks to acknowledge after customers first reported it. Now we have a nine-month data gap disclosed three and a half months after the fix.

Organizations building their security posture on Microsoft’s cloud security stack need to account for the possibility that these products occasionally fail silently. That means maintaining independent verification processes, cross-referencing data sources, and not assuming that the absence of alerts means the absence of threats. It also means treating “no action required” disclosures from Microsoft with a healthy dose of skepticism — because “no action required by Microsoft” and “no action required by your security team” are very different statements.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
