Worth Reading – Microsoft Defender Revelation Poses Troubling Questions
I think Tony’s introduction says it all:
Microsoft disclosed that Entra ID login events were missing from Microsoft Defender for Cloud Applications for nine months — and waited more than three months after the fix to tell customers. Here’s why that matters and what you should do about it.
https://office365itpros.com/2026/03/25/defender-revelation-questions/
I get a lot of material from Microsoft, including recommendations on keeping our M365 tenant secure using the built-in tools. The built-in tools have one thing going for them: they’re already there and connected to everything going on in the tenant.
So, when it turns out they aren’t connected and missing key information needed to keep things secure, it’s easy to doubt whether the platform is safe at all, isn’t it?
A security tool that isn’t getting login events is a pretty significant oversight. The fact that it went unpatched for nine months tells me one of two things:
- They don’t have the resources to do this properly. No one saw it for nine months? Really? Or did it take nine months to prioritize fixing it?
- Customers also didn’t notice, which makes me wonder how few of us use Defender for Cloud Applications.
Here’s the secret: even many of us who have enabled Defender for Cloud have no idea what we’re doing with it. OK, maybe that’s hyperbole, but most of us trust that Microsoft’s own tools work the way they’re supposed to. Verifying that is important, yes, but it’s also time-consuming when so many other things are begging for our attention. We are waiting for the tools to alert us, not actively checking logs every day. It’s kind of a no news is good news situation most of the time. When the tool isn’t collecting information, that’s a pretty big blind spot that we’re left with.
If we can’t trust Microsoft’s own tools to work, people will look for other tools. The advantage of being the built-in tool disappears when we can’t trust it.
Share this post on social media.
