Microsoft Defender April 2026: AI Agents, Identity Security, and Enhanced XDR Capabilities
#Security

Cloud Reporter
7 min read

Microsoft Defender's April 2026 update brings major advancements in autonomous AI agents, expanded identity security features, and deeper XDR integration across the security portfolio.

Microsoft Defender has delivered a comprehensive set of updates in April 2026, marking a significant evolution in autonomous security operations and identity protection capabilities. The monthly release demonstrates Microsoft's continued investment in AI-driven security and expanded XDR functionality across its Defender portfolio.

AI-Powered Security Operations Take Center Stage

New Virtual Ninja Show Episode Highlights

The latest Virtual Ninja Show episode explores cutting-edge developments in Microsoft Defender's autonomous AI agents, showcasing how these capabilities are transforming security operations center (SOC) workflows. The episode demonstrates practical applications of AI agents in real-world security scenarios.

Beyond KQL: Sentinel Data Lake Jupyter Notebooks

Microsoft has expanded its analytics capabilities beyond traditional KQL queries by introducing Jupyter Notebooks integration with the Sentinel data lake. This enhancement enables security analysts to perform complex data analysis using Python, opening new possibilities for advanced threat hunting and investigation techniques.

Extending Attack Disruption Beyond Microsoft

A significant advancement is the ability to incorporate third-party signals into attack disruption workflows. This cross-platform capability allows organizations to leverage threat intelligence and security signals from non-Microsoft sources, creating a more comprehensive defense strategy.

Enhanced Security Copilot Integration

Microsoft is introducing a conversational chat experience for Security Copilot directly within Microsoft Defender. This represents a major shift from the current embedded Copilot experiences to a more interactive, two-way conversation model. Security teams can now:

  • Ask contextual questions about incidents and alerts
  • Explore security hypotheses through natural dialogue
  • Follow investigation threads across multiple evidence types
  • Query identities, devices, IPs, and other security artifacts

This conversational approach aims to make advanced security analytics more accessible to analysts of varying skill levels while accelerating investigation workflows.

Agentic Triage Revolutionizes Alert Management

Microsoft is expanding agentic triage capabilities to cover identity and cloud alerts, unifying phish, identity, and cloud triage within a single autonomous agent. The Security Alert Triage Agent can now:

  • Determine whether alerts represent real threats or false positives
  • Provide natural language findings for human review
  • Deliver transparent, step-by-step decision analysis
  • Reduce alert fatigue and improve SOC efficiency

The unified approach to triage represents a significant advancement in automated security operations, potentially reducing the time analysts spend on routine alert validation.

Comprehensive Identity Security Overhaul

Identity Security Dashboard (Public Preview)

A new centralized dashboard provides summary cards for multiple identity providers, including:

  • On-premises identities
  • SaaS identities
  • PAM and IGA integrations
  • Non-human identities

The dashboard includes widgets showing deployment status, highly privileged identities, users at risk, and domains with unsecured configurations.

Coverage and Maturity Page (Public Preview)

Organizations can now assess their identity security posture through maturity levels:

  • Connected
  • Protected
  • Fortified
  • Resilient

Each level includes identity counts, coverage scores, and prioritized setup tasks to guide security improvements.

Enhanced Identity Inventory

The Identity inventory page now separates human and non-human identities into distinct tabs, with insight cards that help classify critical assets, view highly privileged identities, identify critical Active Directory service accounts, and monitor cloud application accounts.

Non-Human Identity Management (Preview)

The new Non-human identities tab provides visibility into:

  • Microsoft Entra ID apps
  • Active Directory service accounts
  • Google Workspace apps
  • Salesforce apps

Statistics cover risky, highly privileged, overprivileged, unused, and externally published identities, with dedicated investigation pages for detailed analysis.

Identity Risk Score (Public Preview)

A new risk scoring system (0-100) indicates the likelihood of identity compromise based on:

  • Criticality of roles
  • Privileged access levels
  • Historical behavior patterns
  • Exposure indicators

The score integrates with Microsoft Entra ID for conditional access policies and identity protection workflows, with detailed breakdowns including percentile comparisons and risk trends.

Domain Investigation Page (Public Preview)

Security teams gain comprehensive visibility into Active Directory domain security, including:

  • Domain properties and deployment health
  • Identity summaries and service account breakdowns
  • Sensitive entities and active recommendations
  • Group policies and trust relationships

Identity Security Recommendations

The expanded recommendation system now covers:

  • Active Directory configurations
  • Microsoft Entra ID settings
  • SaaS applications (Microsoft, Atlassian, GitHub, Google Workspace, Salesforce, ServiceNow)
  • Non-Microsoft identity providers (Okta, PingOne, CyberArk, SailPoint)

Advanced Hunting and Detection Capabilities

New Schema Tables (Public Preview)

Two new advanced hunting tables enhance threat detection capabilities:

  • CloudDnsEvents: Contains DNS activity events from cloud infrastructure environments
  • CloudPolicyEnforcementEvents: Includes policy enforcement evaluation decisions and metadata for security gating events across cloud platforms

Secure Score Updates

Microsoft has reorganized security recommendations to improve accuracy:

  • Cloud apps recommendations now categorized under Identity
  • Total Secure Score remains unchanged
  • Individual identity and app scores may vary

Enhanced Incident Management

Customers can now use filters on very large incidents with many alerts and entities, or hide specific entities to simplify complex incident graphs. This feature helps security teams focus investigations on the most critical elements.

Proactive User Containment (Generally Available)

The predictive shielding feature's user containment action is now generally available. It identifies exposed credentials at risk of compromise by analyzing activity data combined with exposure data, enabling proactive threat mitigation.

Microsoft Defender for Endpoint Enhancements

Library Management for Live Response (GA)

Centralized file and script management for live response sessions is now generally available, providing better control and organization of response tools.

New Secure Score Recommendations

Three new recommendations enhance security posture:

  1. Block outbound network connections from mshta.exe: Mitigates ClickFix and similar campaigns that abuse legitimate Windows binaries
  2. Block file transfer over RDP: Prevents malicious file transfers and data exfiltration through Remote Desktop Protocol
  3. SMB server security hardening against authentication relay attacks: Strengthens Server Message Block authentication protections
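As an added illustration (not Microsoft's own code or the Secure Score remediation itself), the following PowerShell applies the three recommendations above on a Windows host and reports the resulting state; the concrete mechanisms chosen here (a per-program outbound firewall rule, the Terminal Services policy values for drive and clipboard redirection, and required SMB signing) are this example's assumptions about how to implement each recommendation.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell session.
# The mechanisms below are assumptions about how each Secure Score recommendation
# can be implemented; confirm against the remediation text shown in the Defender portal.

# 1. Block outbound network connections from mshta.exe (ClickFix-style abuse of a
#    legitimate Windows binary). Cover both the 64-bit and 32-bit copies.
$mshtaPaths = @(
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\SysWOW64\mshta.exe"
)
foreach ($path in $mshtaPaths) {
    $ruleName = "Block outbound - $path"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
            -Program $path -Action Block -Profile Any | Out-Null
    }
}

# 2. Block file transfer over RDP: disable client drive mapping (fDisableCdm) and
#    clipboard redirection (fDisableClip) through the Terminal Services policy key.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $tsPolicy)) { New-Item -Path $tsPolicy -Force | Out-Null }
Set-ItemProperty -Path $tsPolicy -Name 'fDisableCdm'  -Value 1 -Type DWord
Set-ItemProperty -Path $tsPolicy -Name 'fDisableClip' -Value 1 -Type DWord

# 3. SMB server hardening against authentication relay: require SMB signing so a
#    relayed session cannot be completed without the client's session key.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# Verify: each value should read True after the changes above.
function Get-HardeningState {
    $tsValues = Get-ItemProperty -Path $tsPolicy
    $blockedRules = Get-NetFirewallRule -DisplayName 'Block outbound - *' -ErrorAction SilentlyContinue |
        Where-Object { $_.Action -eq 'Block' -and $_.Enabled -eq 'True' }
    [ordered]@{
        MshtaOutboundBlocked        = ($blockedRules | Measure-Object).Count -eq $mshtaPaths.Count
        RdpDriveRedirectionDisabled = $tsValues.fDisableCdm -eq 1
        RdpClipboardDisabled        = $tsValues.fDisableClip -eq 1
        SmbSigningRequired          = [bool](Get-SmbServerConfiguration).RequireSecuritySignature
    }
}

Get-HardeningState
```

Signing is enforced per SMB server, so the same setting must be applied to every host the recommendation flags, not only the one where the script runs.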

Microsoft Defender for Identity Updates

The identity security enhancements in Defender for Identity mirror those in the broader Defender portfolio, including the Identity Security dashboard, Coverage and maturity page, enhanced Identity inventory, Non-human identity management, Identity risk score, Domain investigation page, and Password protection page.

New Security Alerts

Several new alerts have been added to enhance threat detection:

Entra ID-related alerts:

  • Attempt to disable Defender for Identity service principal observed
  • Suspicious Entra account enablement after disruption
  • Suspicious Intune device registration activity
  • Suspicious OS switch sign-in
  • Suspicious shared client infrastructure activity
  • Suspicious sign-in from unusual user agent and IP address using PowerShell
  • Suspicious sign-in from unusual user agent and IP address using device code flow

Active Directory-related alerts:

  • Suspicious on-premises account enablement after disruption
  • Suspicious resource-based constrained delegation (RBCD) attribute change
  • Suspicious resource-based constrained delegation (RBCD) authentication

General availability:

  • Suspected pass-the-ticket attack alert (formerly Pass-the-Ticket attack in public preview)

Microsoft Defender for Office 365 Improvements

Expanded User Reporting in Teams

User reporting capabilities now include Teams calls, allowing users to report completed or missed one-to-one calls as malicious (scam) or non-malicious (non-scam) to specified reporting mailboxes or directly to Microsoft.

Contextual Teams Messages

When users report Teams messages as security risks, up to fifteen messages before and after the reported message are shared for analysis, providing valuable context for threat investigation.

Microsoft Defender for Cloud Apps

Identity security enhancements extend to Cloud Apps: cloud apps recommendations are now listed under the Identity category, which improves the accuracy of the scoring and of the protection guidance.

Critical Call to Action

Microsoft has issued an important deadline for customers using Sentinel repositories:

Update older Microsoft Sentinel content as code (Sentinel repositories) API versions before June 15, 2026

This update is required to maintain compatibility and ensure continued functionality of Sentinel content.

Strategic Implications

These April 2026 updates represent a significant evolution in Microsoft's security strategy, emphasizing:

  1. Autonomous operations: AI agents that can triage alerts and conduct investigations with minimal human intervention
  2. Unified identity security: Comprehensive coverage across human and non-human identities across multiple platforms
  3. Conversational analytics: Natural language interfaces that democratize advanced security capabilities
  4. Cross-platform integration: Third-party signal incorporation and unified security experiences

The focus on identity security reflects the growing recognition that identity compromise remains one of the most common attack vectors. By providing comprehensive visibility, risk scoring, and automated protection across human and non-human identities, Microsoft is addressing a critical security challenge.

The expansion of AI capabilities through conversational interfaces and autonomous agents suggests Microsoft's vision for the future of security operations: reducing manual workload while improving detection and response capabilities through intelligent automation.

These updates position Microsoft Defender as a more comprehensive and intelligent XDR solution, capable of protecting organizations across endpoints, identities, cloud applications, and collaboration platforms with increasingly autonomous capabilities.

For organizations using Microsoft Defender, these updates offer opportunities to enhance security posture through automation and improved visibility, but also require attention to implementation details and potential workflow changes as AI-driven capabilities become more prevalent in security operations.
