Back to Home

Disabling DLP alerts in Defender: migration to Purview

Microsoft has discontinued support for DLP alerts in Defender for endpoints starting March 23, 2026. Organizations must migrate to Purview DLP by checking and recreating policies. Changes affect SecOps and sensitive data monitoring.

Defender without DLP alerts: transition to Purview DLP is mandatory
Advertisement 728x90

Microsoft Discontinues Sensitive Data Alerts in Defender for Endpoint

Microsoft has completely disabled alerts for actions involving sensitive data on endpoints in the Microsoft Defender portal as of March 23, 2026. Organizations using Defender XDR to monitor such events must migrate to Microsoft Purview DLP. This change requires immediate review and updates to security policies.

Timeline of the Shutdown

The disabling process began on February 16, 2026: Microsoft removed the ability to create new alert policies in Defender for Endpoint. Full support cessation occurred on March 23. Now all notifications, policies, and investigations for sensitive data are available only through Purview DLP.

Affected components:

Google AdInline article slot
  • Defender XDR alerts for access and manipulation of sensitive information on physical devices.
  • Endpoint data loss prevention (DLP) monitoring settings.
  • Integrations with existing SecOps workflows.

Migration Steps

Organizations are advised to take the following actions without delay:

  • Review current policies in the Microsoft Defender portal for dependencies on the disabled alerts.
  • Export configurations and recreate them in Microsoft Purview DLP.
  • Notify SecOps teams and Microsoft support about the transition.
  • Update internal documentation on compliance and incident response.
  • Test new policies in Purview DLP for complete coverage.

Purview DLP offers advanced features: granular policies, automated remediation actions, and integration with the Microsoft 365 ecosystem.

Technical Impacts on Infrastructure

The shutdown affects endpoint detection and response (EDR) workflows, where Defender XDR was used for real-time alerting on PII, PHI, or financial data leaks. Without migration, organizations risk losing visibility into data exfiltration incidents.

Google AdInline article slot

Key differences between platforms:

| Aspect | Defender (pre-shutdown) | Purview DLP |

|--------|--------------------------|-------------|

Google AdInline article slot

| Alerts | Endpoint-focused | Cross-workload (endpoint + cloud) |

| Policies | Basic DLP rules | Advanced sensitivity labels |

| Investigations | XDR alerts | Unified audit logs + forensics |

| Integration | Defender portal | M365 compliance center |

After migration, enhanced features become available, such as adaptive protection and machine learning-based detection.

Key Points

  • Full Shutdown: As of March 23, 2026, alerts in Defender for endpoints are unavailable.
  • Mandatory Migration: Recreate policies in Purview DLP to maintain compliance.
  • Risks: Loss of sensitive data monitoring without action.
  • Support: Contact the M365 admin center (MC1217649) for details.
  • SecOps Impact: Update playbooks and notify teams.

— Editorial Team

Advertisement 728x90

Read Next