Audit logs, Defender SIEM & DLP notifications in June 2025
Microsoft is once again tightening the screws around Security & Compliance. In the current month, administrators are affected by three changes in Exchange Online, Microsoft Defender and the Purview DLP workloads of SharePoint and OneDrive. All of them affect either classic cmdlets or integrations that many environments still use productively. In this article, you'll learn what exactly is changing, why Microsoft is doing this, and how to adjust your tenant in time.

- Mailbox audit becomes static: The cmdlets Search-MailboxAuditLog and New-MailboxAuditLogSearch can only be used read-only from the end of June.
- Defender SIEM agent on the verge of extinction: New SIEM agents can no longer be created from June 19; in the future, streaming and graph APIs will provide the data.
- DLP signaling becomes more flexible: Email notifications and policy tips can finally be controlled separately in SharePoint/OneDrive DLP.
- Pressure to act: Scripts, playbooks and dashboards that still rely on the old mechanisms should now be rewritten.
- More Purview, less legacy: Behind all the changes is Microsoft's goal of consolidating audit and security data into Purview or the Defender APIs.
Exchange Online | Mailbox audit logs
Historical audit data will remain in the mailboxes, but from the end of June 2025 it will become read-only. The two cmdlets Search-MailboxAuditLog and New-MailboxAuditLogSearch then no longer accept changes or exports. Microsoft had already stopped writing new audit entries in mailboxes on March 1, 2025. By the end of 2025 at the latest, the cmdlets will disappear completely from Exchange Online.
Microsoft consolidates audit information in the Purview Unified Audit Log. Events from all M365 workloads already end up there, and it offers longer retention periods (even over a year with E5 or Audit Premium) and a wide range of filter options. Separate storage in individual mailboxes costs performance and maintenance effort and creates inconsistencies.
Impact on your business
- Check PowerShell scripts: All reports or automations that are still based on Search-MailboxAuditLog must switch to Search-UnifiedAuditLog.
- Adjust permissions: For the Unified Audit Log, you need at least the View-Only Audit Logs or Audit Logs role in Purview.
- Evaluate retention strategy: If you use extended retention in your mailbox today, you will have to migrate to Audit Premium with Extended Retention (Purview).
- Schedule a migration tool: Microsoft will provide a script later this year that will move historical audit entries to the unified log.
From now on, you can only rely on the Unified Audit Log cmdlet for Exchange audits. Test filters such as -RecordType ExchangeMailbox and use parameters such as -HighCompleteness or -ResultSize for fine control. In this way, you and your team get used to the future standard at an early stage.
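As an added example (not code from the original article), the following sketch shows how a typical Search-MailboxAuditLog report on non-owner access can be rebuilt on Search-UnifiedAuditLog, including paging and parsing of the AuditData JSON. The function name Get-NonOwnerMailboxAccess, the mailbox address and the choice of the ExchangeItem record type are assumptions for illustration.

```powershell
# Added example. Assumes an active Connect-ExchangeOnline session and the
# View-Only Audit Logs or Audit Logs role. The function name is hypothetical.
function Get-NonOwnerMailboxAccess {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,   # UPN of the mailbox under review
        [datetime] $StartDate = (Get-Date).AddDays(-7),
        [datetime] $EndDate   = (Get-Date)
    )

    # One SessionId ties the pages of a ReturnLargeSet search together.
    $sessionId = "MbxAudit-" + [guid]::NewGuid()

    do {
        # -RecordType takes a single value; run again with ExchangeItemGroup or
        # ExchangeItemAggregated if you also need those operations.
        $page = @(Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                -RecordType ExchangeItem -SessionId $sessionId `
                -SessionCommand ReturnLargeSet -ResultSize 5000)

        foreach ($record in $page) {
            # AuditData is a JSON string; the mailbox-specific fields live inside it.
            $data = $record.AuditData | ConvertFrom-Json

            # -UserIds would filter on the actor, so the target mailbox is matched here.
            if ($data.MailboxOwnerUPN -ne $Mailbox) { continue }
            # LogonType 0 = owner, 1 = admin, 2 = delegate. Keep non-owner access only.
            if ($data.LogonType -eq 0) { continue }

            [pscustomobject]@{
                TimeUtc   = $record.CreationDate
                Operation = $record.Operations
                Actor     = $record.UserIds
                LogonType = $data.LogonType
                ClientIP  = $data.ClientIPAddress
                Result    = $data.ResultStatus
            }
        }
    } while ($page.Count -gt 0)   # an empty page means the session is exhausted
}

# Constructed mailbox address; replace it with a mailbox from your tenant.
Get-NonOwnerMailboxAccess -Mailbox "shared@contoso.example" |
    Export-Csv -Path .\nonowner-access.csv -NoTypeInformation
```

ReturnLargeSet returns records unsorted, so sort the exported rows by TimeUtc before comparing them with an older Search-MailboxAuditLog report.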
Microsoft Defender for Cloud Apps | Farewell to the SIEM Agent
As of June 19, 2025, new Defender SIEM agents will no longer be registered. Existing agents will continue to send logs until November 2025, but will not receive feature or security support. The XDR Streaming API, the Graph Security Alerts API or the native integration with Microsoft Sentinel offer replacements.
The local Java agent was intended as a temporary solution. Today, the Defender backend delivers all telemetry centrally from the cloud – an additional pull mechanism via agent is superfluous. APIs are more easily scalable, offer more data types (e.g., Entra ID Protection Events), and save the administration overhead of an on-prem component.
Impact on your business
- Relieve on-prem servers: Elimination of the agent service reduces maintenance, patch management, and Java dependencies.
- Customize SIEM playbooks: Syslog parsers, CEF mappers, and normalization rules will have to process API payloads instead of agent CSV.
- License check: The XDR streaming API requires at least Microsoft 365 E5 or Defender XDR license.
Migration path
- Use-Case Analysis | Which alerts and activities really end up in the SIEM today?
- API Mapping | Correlate agent fields to the streaming API schema (incidents, alerts, rawEvents).
- Event Hub / Sentinel Connector | For Sentinel, it is usually sufficient to activate the integrated connector.
- Plan cut-over | Parallel operation for two to four weeks, then switch off the agent.
SharePoint / OneDrive DLP – Decouple notifications
Until now, a SharePoint or OneDrive DLP rule inevitably coupled email notification and policy tip: If you activated one, you got the other. From the end of June 2025, you will be able to configure both signals independently. Four variants per rule are now possible:
| Variant | Policy Tip | |
|---|---|---|
| Silent | – | – |
| Discreet | ✔ | – |
| Visual | – | ✔ |
| Combined | ✔ | ✔ |
Added value for admins
- Granularity: Different target groups – e.g. legal department by e-mail, end users only by policy tip.
- User acceptance: Fewer pop-ups in Word & Co. if only a silent e-mail is enough.
- Harmonization: Alignment with Exchange DLP, where this separation has been in place for some time.
Steps to Implementation
- Open the Purview portal > Data Loss Prevention > Policies.
- Edit existing SharePoint/OneDrive rule.
- In the User notifications section, check either Send email or Show policy tip (or both).
- If necessary, you can store your own HTML templates for mails and use tokens such as %%ContentURL%% or %%PolicyName%%.
- Test with the Test-DlpPolicies cmdlet or a pilot site.
Time for spring cleaning in scripts and integrations
The June changes are clearly aimed at consolidation: old cmdlets, agents or couplings give way to central APIs and more flexible configurations. For you as an admin, this means one-time work, but in the long run less maintenance and better data quality. Start now with tests and updates - then at the end of June there will only be a calendar entry and no fire brigade operation.
Further links
| Exchange Online: Roadmap for decommissioning | techcommunity.microsoft.com |
| Defender for Cloud Apps: Deprecation Notice for SIEM agents | learn.microsoft.com |
| Purview DLP: Email Notifications and Policy Tips | learn.microsoft.com |