2026-04

This release tracker is LLM-curated and based on the official Microsoft product sources listed below. It provides an architect-grade summary of recent features, changes, and announcements. Always verify critical details against the official documentation. List of all raw markdown files for the releases are at https://github.com/pisinger/pisinger.github.io/tree/main/_ms_release_radar

Microsoft Security Release Radar - April 2026

---

📦 Azure Container Apps

Indicator	Feature	Type	Description
🟡	Defender for Cloud support for Azure Container Apps (Serverless Containers Posture)	Preview	Extends posture management to Azure Container Apps environments from a single Defender for Cloud workflow.
🟢	Confidential Compute support on Azure Container Apps	GA	Run regulated/sensitive containerized workloads with hardware-level isolation for data in use.
🟢	Monitor HTTP traffic in Azure Container Apps	GA	New ContainerAppHTTPLogs diagnostic setting category exposes detailed HTTP access logs for high-volume request data via Azure Monitor.
🟢	Additional OpenTelemetry destinations (New Relic, Dynatrace, Elastic)	GA	Expands OTel third-party observability platform support with new endpoint options.
🟢	Override Scale Rules in Azure Functions on Azure Container Apps	GA	New allowScalingRuleOverride property lets customers override platform-managed KEDA scale rules.
🟡	Azure Container Apps Sandboxes	Preview	Run untrusted code safely with session-level isolation, state preservation, and burst handling for agentic/multi-tenant/CI-CD workloads.
🔵	AI & Serverless GPU Workloads (ComfyUI, Gemma 4 + Ollama)	Update	New blog patterns for running multimedia AI and self-hosted LLMs on ACA with serverless GPUs (T4/A100), scale-to-zero, and per-second billing.

---

⛵ AKS

Indicator	Feature	Type	Description
🔴	CVE-2026-31431: Linux kernel algif_aead local privilege escalation	Security	Lets a pod escalate to root on the underlying node. Affects Ubuntu 20.04 FIPS, 22.04, 24.04, and Azure Linux 3.0. Mitigation in node images 202604.13.0 and 202604.24.0.
🔴	Ingress NGINX project retirement — migrate to Gateway API	Security	Upstream Ingress NGINX maintenance ended March 2026. Production workloads supported through Nov 2026 on application routing add-on. Migrate to Gateway API implementation.
⚫	AKS Kubernetes LTS version 1.29 deprecated	Deprecation	Upgrade clusters to a supported version.
⚫	AKS Kubernetes version 1.32 moved to LTS-only	Deprecation	Use LTS support plan or upgrade to standard-support version.
⚫	AKS Automatic clusters to preconfigure with Gateway API (starting 1.36)	Deprecation	Managed NGINX ingress replaced by Kubernetes Gateway API due to upstream Ingress NGINX retirement.
⚫	Istio add-on revision asm-1-26 deprecated	Deprecation	Upgrade to asm-1-27, asm-1-28, or asm-1-29.
🟡	AKS-managed NAT Gateway V2 outbound type	Preview	Preview support for StandardV2 NAT Gateway in supported public Azure regions.
🟡	Custom kube-reserved and hard eviction kubelet configuration	Preview	Customize default kubelet configuration through custom node preview feature registration.
🟡	AKS List Available VM SKUs API	Preview	View VM SKUs supported on AKS and available in subscription.
🟡	AKS-managed GPU metrics in Azure Managed Prometheus	Preview	GPU metrics supported by default in Azure Managed Prometheus and Grafana dashboards.
🟡	Capacity Based Surge for node pool upgrades	Preview	Set MaxUnavailable and MaxSurge values; falls back to in-place upgrade if surge capacity unavailable.
🟢	Gateway API-based ingress for application routing add-on	GA	Generally available; replaces Ingress NGINX for new AKS Automatic clusters on 1.36+.
🟢	AKS Automatic clusters can migrate to Standard in additional regions	GA	Managed system node pools can now migrate to AKS Standard clusters.
🟢	spec.minReadySeconds in Application Routing Gateway ConfigMap	GA	Helps applications needing extra initialization time after health check.
🔴	Istio CRD installer busybox registry fix	Security/Fix	Fixed issue where CRD installer could pull busybox from unintended registry in AGC environments.
🔴	ClusterRoleBinding protection for AKS Automatic managed system node pools	Security/Fix	Blocks ClusterRoleBinding create/update when roleRef targets privileged ClusterRoles, reducing privilege escalation risk.
🔵	New Kubernetes patch versions: 1.35.2, 1.35.3, 1.34.5, 1.34.6, 1.33.9, 1.33.10	Update	New patch versions available for standard support.
🔵	Azure Policy add-on updated to 1.16.1 (Gatekeeper 3.20.1-8)	Update	Includes CVE fixes.
🔵	Istio add-on revisions updated (asm-1-27 to 1.27.9-2, asm-1-28 to 1.28.6-1, asm-1-29 to 1.29.2-1)	Update	Patch version upgrades for Istio service mesh.
🔵	Azure Monitor Container Insights updated to 3.3.0	Update	Updated container monitoring agent.
🔵	Node Auto Provisioning updated to Karpenter Azure v1.10.2	Update	Artifact Streaming uniformly disabled by default.
🔵	Application Routing NGINX updated to 1.13.9	Update	NGINX image version update.
🔵	Azure Disk CSI driver updated (v1.34.3 / v1.33.9)	Update	CSI driver updates per AKS version.
🔵	Azure File CSI driver updated (v1.35.2 / v1.34.5 / v1.33.9)	Update	CSI driver updates per AKS version.
🔵	Azure Blob CSI driver updated (v1.27.4 / v1.26.11)	Update	CSI driver updates per AKS version.
🔵	Cloud-provider-azure components updated (v1.32.16, v1.33.11, v1.34.8, v1.35.3)	Update	April 2026 releases for cloud-controller-manager, cloud-node-manager, health-probe-proxy.
🔵	Cilium updated to v1.17.10	Update	Updated for Kubernetes 1.32 and 1.33 to support Gateway API scenarios.
🔵	kube-proxy reduced privileges (K8s 1.30+)	Update	Uses NET_ADMIN and SYS_RESOURCE capabilities instead of privileged: true.
🔵	Fleet-managed resources via ClusterResourcePlacement	Update	Managed namespace selection for separate rollout from customer workloads.
🔵	HTTP Proxy: max 20 Trusted CA certificates	Update	New limitation enforced.
🔵	Mesh Membership requires Managed Gateway API add-on	Update	Required for joining Azure Kubernetes Application Network.

---

📊 Azure Monitor

Indicator	Feature	Type	Description
🟡	OTLP ingestion options for container monitoring	Preview	Published documentation for ingesting OTLP data with AMA, AKS autoinstrumentation for Python/.NET, and OpenTelemetry protocol ingestion.
🟡	Service Level Indicators (SLIs)	Preview	New article for creating and managing SLIs in Azure Monitor.
🟡	Performance Diagnostics configurable threshold values	Preview	New configurable threshold feature for VM Performance Diagnostics.
🟢	Azure Monitor pipeline GA updates	GA	TLS setup, transformations, sizing, troubleshooting, and Kubernetes gateway guidance published.
🟢	Reliability guide for Azure Monitor Logs	GA	Comprehensive guide covering AZ protection, workspace replication, data export, and DR recommendations.
⚫	HTTP Data Collector API deprecation notices	Deprecation	Logs Ingestion API overview updated with deprecation notices and migration guidance for the replacement API.
⚫	Application Insights Classic API retirement dates	Deprecation	Updated with explicit retirement dates for Node.js and .NET SDKs; migration to OpenTelemetry recommended.
🔵	Observability agent documentation rewritten	Update	Four Azure Copilot observability agent articles reorganized around common scenarios.
🔵	Syslog troubleshooting for Linux AMA	Update	New diagnostic section for syslog upload failures on Linux.
🔵	App Center migration guidance updated	Update	Clearer support-request steps and revised retirement timeline.
🔵	OpenTelemetry guidance reorganized	Update	Application Insights OTel guidance restructured into task-based articles.
🔵	Java configuration consolidated	Update	JMX metrics, sampling overrides, and telemetry processors in one article.
🔵	Summary rules updated	Update	Thresholds corrected, parameter naming fixed, PowerShell syntax errors fixed.
🔵	Logs Ingestion API prerequisites updated	Update	Get-AzAccessToken code sample updated for SecureString breaking change.

---

☁️ Microsoft Defender Cloud Apps

No April 2026 updates found.

---

🧠 Microsoft Copilot Studio

Indicator	Feature	Type	Description
🟢	Agent-to-agent (A2A) protocol	GA	Connect agents to other agents using the A2A protocol.
🟡	Real-time voice agents	Preview	Build and deploy real-time voice agents with NLU, multilingual support, knowledge integration, and voice tuning.
🟡	Automated agent evaluations from REST API	Preview	Run evaluations via Power Platform API for CI/CD and custom automation pipelines.
🟡	Custom metrics for agent analytics	Preview	Define custom analytics categories and visualize alongside built-in analytics.
🟡	Display name suffix for agents	Preview	Identify agents across environments in Teams and M365 Copilot using environment variables.
🟡	GPT-5.5 Reasoning (Deep) experimental model	Preview	Experimental model for agents requiring deep analytical reasoning.
🟡	Analytics Viewer role	Preview	Share analytics access without granting broader maker permissions.
🔵	Hold and resume for voice-enabled agents	Update	Pause mid-conversation and resume where left off for natural calling experience.
🔵	Trigger agent evaluations with Power Automate connector	Update	Automate evaluations using Copilot Studio connector, reducing manual effort.
🔵	Agent usage estimator	Update	Forecast Copilot credit consumption before deploying at scale.

---

🔬 Defender Container Sensor

Indicator	Feature	Type	Description
🟡	Sensor v0.10.4 — Go dependency upgrades	Preview	Upgraded Go and related dependencies to address security vulnerabilities and improve runtime stability.
🟡	Sensor v0.9.53 — Go dependency upgrades	Preview	Upgraded Go and related dependencies to address security vulnerabilities and improve runtime stability.
🟢	Sensor v0.8.50 — Go dependency upgrades	GA	Upgraded Go and related dependencies to address security vulnerabilities and improve runtime stability.

---

🚨 Microsoft Defender XSPM (Exposure Management)

Indicator	Feature	Type	Description
🔵	New predefined classification: APIs with Sensitive Data	Update	New Cloud resource classification rule added to critical assets list for APIs containing sensitive data.

---

🛡️ Microsoft Defender Cloud

Indicator	Feature	Type	Description
🟢	Defender for Containers runtime protection on EKS Bottlerocket	GA	Runtime protection now supports AWS Bottlerocket OS on EKS.
🟢	Anti-malware detection and blocking	GA	Anti-malware detection and blocking is now generally available.
🟢	DNS Detection for Kubernetes	GA	DNS-based threat detection for Kubernetes is now generally available.
🟢	Defender for Storage integration in Azure portal Storage Center	GA	Integrated storage security in Azure portal Storage Center.
🟢	Container security capabilities in Azure Government cloud	GA	Container security now available in Azure Government cloud.
🔵	Defender for SQL servers on machines plan update for Fairfax	Update	Updated plan for Fairfax (US Government) customers.

---

🛡️ Microsoft Defender Unified SecOps

No April 2026 updates found.

---

🎯 Microsoft Defender XDR

Indicator	Feature	Type	Description
🟡	View action status in Activities tab (Preview)	Preview	Track automatic attack disruption and predictive shielding action status per incident.
🟡	AIAgentsInfo table expanded columns	Preview	Deeper visibility into AI agents (Copilot Studio, Foundry, third-party, custom LOB agents) in advanced hunting.
🟢	Built-in alert tuning rules	GA	Suppress alerts from common benign activity in Defender for Endpoint and Defender for Office 365 without affecting AIR investigations.
🟢	Defender Experts in navigation menu	GA	Defender Experts for XDR now appears as a distinct entry in the Defender portal navigation menu.

---

🆔 Microsoft Defender Identity

Indicator	Feature	Type	Description
🟡	Identity Explorer (Preview)	Preview	Visualize identity attack paths and exposure scenarios as interactive graphs using hunting graph. Requires Sentinel Data Lake license.
🟡	Custom account correlation rules (Preview)	Preview	Link accounts belonging to the same identity using UPN prefix, suffix, or domain rules.
🟢	Automatic Windows event auditing configuration for sensors v3.x	GA	Automatically applies required auditing settings to new sensors and corrects misconfigurations on existing ones.

---

📧 Microsoft Defender Office 365

Indicator	Feature	Type	Description
🟡	Promotions folder for bulk email	Preview	Configure anti-spam policies to deliver bulk mail below BCL threshold to Promotions folder in supported Outlook versions.
🟢	Security Copilot email summary on Email entity page	GA	Generate AI summary of email entity data from the Email entity page.
🟢	Remove users from Teams chats	GA	Remove internal users from Teams chats in the Teams message entity panel.
🟢	New RBAC permission for email content associated with alerts	GA	Granular Unified RBAC permission to preview/download email messages associated with security alerts.

---

🏢 Microsoft Entra ID

Indicator	Feature	Type	Description
🟢	Microsoft Entra Agent ID platform	GA	Identity and authorization framework for AI agents with OAuth 2.0, MCP, and A2A protocol support.
🟡	Account Discovery for connected applications	Preview	Visibility into all accounts in connected applications including orphan accounts; requires ID Governance or Entra Suite license.
🟡	Entra ID federation with External ID (EEID)	Preview	Standards-based federation for workforce-to-customer sign-in scenarios.
🟡	App-based branding via Branding themes	Preview	Create different branding experiences for specific applications.
🟡	$count filtering in sign-ins API	Preview	Perform count computations directly in Microsoft Graph sign-ins API requests.
🔵	Migrate from Entra Connect Sync to Entra Cloud Sync	Update	Transition beginning July 2026; phased rollout with tailored guidance. Cloud Sync replaces Connect Sync for identity synchronization.
🔵	SCIM provisioning apps to use modern authentication	Update	OAuth 2.0 Authorization Code grant replaced with Client Credentials and workload identity federation.
🔵	SAP SuccessFactors: switch from basic auth to workload identity	Update	New authentication option available May 2026; SAP plans to deprecate basic auth by November 2026.

---

📊 Microsoft Fabric

Indicator	Feature	Type	Description
🟡	Stream Mirrored Database change feeds into Eventstreams	Preview	Stream Delta CDF row-level changes from mirrored databases into Fabric Eventstream for low-latency event-driven processing.
🟡	Custom CA and mTLS support in Eventstream connectors	Preview	Specify custom CA and client certificates from Azure Key Vault for Kafka-based sources and Confluent Schema Registry.
🟡	Customer Managed Keys (CMK) for Eventhouse	Preview	Bring your own Azure Key Vault key to encrypt Eventhouse data at rest.
🟡	Eventstream workspace monitoring	Preview	Automatic creation of Eventhouse tables for per-minute data volume, watermark delay, backlog, and error metrics.
🟢	Eventstream SQL operator	GA	Production-ready code-first transformation operator with multiple destinations and event-time processing.
🔵	Stream SQL Change Events to Fabric Eventstream	Update	SQL Server 2025, Azure SQL DB, and Azure SQL MI push CloudEvents-formatted changes directly into Eventstream.

---

🏗️ Microsoft Foundry

Indicator	Feature	Type	Description
🟢	Foundry Local	GA	Local model inference production-ready on Windows, macOS (Apple Silicon), and Linux x64.
🟢	Microsoft Agent Framework 1.0	GA	Unified multi-agent orchestration SDK for .NET and Python.
🟢	Microsoft Foundry Toolkit for VS Code	GA	Model playground, agent builder, and one-click deploy.
🟢	Notification center	GA	Tenant-level notifications with email delivery for critical alerts.
🟢	Claude Opus 4.7	GA	Anthropic’s most capable model available in Foundry.
🟡	Agent Framework tracing (OpenTelemetry)	Preview	Agent Framework agents emit OpenTelemetry traces into Foundry for debugging and production observability.
🟡	Hosted-agent tracing	Preview	Hosted-agent sessions, tool calls, and run steps surface in Foundry traces.
🟡	CodeAct with Hyperlight (alpha)	Preview	Sandboxed Python code execution in Hyperlight micro-VMs for low-risk tool chains.
🟡	Continuous evaluation custom evaluators	Preview	Bring code-based or prompt-based evaluators into continuous evaluation.
🟡	Agent Monitoring Dashboard	Preview	Track operational metrics and evaluation results (token usage, latency, success rate, evaluator scores).
🟡	GPT-image-2	Preview	OpenAI’s latest image generation model with 4K resolution, editing, and up to 10 images per request.
🟡	Microsoft first-party AI models (MAI-Image-2, MAI-Voice-1, MAI-Transcribe-1)	Preview	Image generation, text-to-speech, and speech recognition models.
🟡	Batch evaluations for third-party agents	Preview	Cloud-based batch evaluations against agents built on any framework.
🟡	Audio and image input in score model grader	Preview	Evaluation graders accept audio and image content alongside text.
🟢	GPT-5.5	GA	Latest GPT-5 family model with default quota for Tier 5 and Tier 6 subscriptions.
🟢	Gemma 4	GA	Google DeepMind’s open-weight models with multimodal input and up to 256K context.
🟢	Agent inventory in Foundry Control Plane	GA	Find supported agents across subscription from Operate view.

---

🔎 Microsoft Purview

Indicator	Feature	Type	Description
🟡	Collection policies: sensitivity labels as condition	Preview	Scope detection to items with specific sensitivity labels for browser and network cloud apps detection.
🟡	Glossary migration and asset enablement	Preview	One-time migration of glossary terms into Unified Catalog for centralized management.
🟡	Bulk import/edit/move in Unified Catalog	Preview	Bulk create data products, critical data elements, glossary terms; bulk edit and move between governance domains.
🟡	Data quality: on-premises Oracle and SQL Server support	Preview	On-premises database scanning via Kubernetes-hosted runtime; data stays on premises.
🟡	Data quality thresholds with alerts	Preview	Configure alerts for rule-level and data asset-level thresholds.
🟡	Unsaved file protection (JIT)	Preview	Extends just-in-time DLP protection to brand-new files and files with unsaved modifications.
🟡	DLP: URL contains text condition for unmanaged cloud apps	Preview	Scope DLP rules to specific URLs or exclude URLs from policy enforcement.
🟡	Email notifications for browser and network DLP	Preview	Notify end users via email when activity is blocked; 10-minute batching window.
🟡	DLP policy tip reference for Outlook mobile/macOS	Preview	New reference article for DLP policy tips on Android, iOS, and macOS Outlook.
🟡	Proactive AI insights from DSPM	Preview	Automatic 24-hour investigation refresh with DSPM exfiltration objective card across five risk categories.
🟡	Customer-managed key encryption for eDiscovery exports	Preview	CMK encryption for direct export packages in eDiscovery.
🟡	Advanced review set explorer with left navigation	Preview	Browse review set schema, insert KQL operators, run sample queries with new Getting Started tab.
🟡	Preview content while triaging Insider Risk alerts	Preview	Preview content to identify false positives and confirm sensitive data before escalation.
🟢	Advanced resource sets	GA	Available to all customers with consistent pricing.
🟢	Auto-labeling policies: override lower-priority labels	GA	Option to always override existing lower-priority labels for SharePoint/OneDrive files.
🟢	Export policy configuration as ZIP	GA	Point-in-time snapshot of DLP and sensitivity label publishing policies in XML format.
🔵	Teams call logs retention policies	Update	New PowerShell-based retention policies for Teams call data records, separate from chat retention.
🔵	Sensitivity labels for user-defined permissions in Office for web	Update	Users can apply labels configured for user-defined permissions in Office for the web (requires co-authoring).
🔵	Export policies option on Label policies page	Update	Export to CSV or ZIP with detailed policy and label information.
🔵	Data Security Investigation Contributor role	Update	Automatic access for Compliance Administrator, Organization Management, Data Security Management, and Insider Risk Management role groups.
🔵	Microsoft Sentinel with Varonis for Salesforce data insights	Update	Partner solution integration for holistic data insights.
🔵	eDiscovery: max review sets per case increased to 100	Update	Increased from 20 to 100 for eDiscovery with premium feature support.

---

🤖 Microsoft Security Copilot

Indicator	Feature	Type	Description
🟡	Security Analyst Agent	Preview	Deep multi-step investigations across Defender and Sentinel telemetry; surfaces prioritized risks with reasoning and evidence. Supports flexible analysis, data integration, interactive exploration, and conversation assistance.

---

🔐 Microsoft Sentinel

Indicator	Feature	Type	Description
🟡	Data federation (powered by Microsoft Fabric)	Preview	Analyze security data in-place from Fabric, ADLS, and Azure Databricks without copying; use KQL, notebooks, and custom graphs across federated and native data.
🟡	Transform data with filter and split features	Preview	Reduce noise before ingestion, control costs, and route data between analytics and data lake tiers.
🟡	VS Code connector builder agent (AI-powered)	Preview	Low-code agent builds custom Microsoft Sentinel connectors in minutes.
🟡	Build custom security graphs	Preview	Build tailored security graphs across Sentinel data lake and third-party data to uncover attack paths and blast radius.
🟡	Cost estimation tool with three-year projections	Preview	Guided, meter-level cost estimator for modeling data growth and predicting spend.
🟡	Configure row-level access using scoping (row-level RBAC)	Preview	Define logical scopes, tag data at ingestion, assign users via Unified RBAC — no workspace separation needed.
🟢	Entity analyzer	GA	Out-of-the-box, explainable entity risk assessments for URLs and identities using threat intelligence, prevalence, and organizational context. Billed via SCUs starting April 1, 2026.
🟢	AI-powered SIEM migration tool	GA	AI-assisted migration from Splunk and QRadar to Microsoft Sentinel.
🔵	Account Name UPN prefix consistency change	Update	Account Name now consistently UPN prefix only. Update automation rules and Logic Apps by July 1, 2026.

---

🔍 Microsoft Defender Endpoint

Indicator	Feature	Type	Description
🟡	Secure Boot 2023 certificate recommendation in Microsoft Secure Score	Preview	Identifies devices that haven’t transitioned to new Secure Boot 2023 certificates ahead of June 2026 expiration.
🟡	View action status in Activities tab	Preview	Track automatic attack disruption and predictive shielding action status (Contain user, GPO hardening, Safeboot hardening).
🟢	Linux build 101.26032.0000	GA	Expanded kernel module visibility, offline security intelligence update optimization, SELinux policy cleanup fix.
🟢	macOS build 101.26032.0016	GA	Bug and performance fixes.
🟢	macOS build 4.18.25040.1	GA	Native root detection GA; performance improvements and bug fixes.
🟢	macOS build 101.26022.0020	GA	Resolved performance regression under high load.
🟢	macOS build 101.26022.0018	GA	macOS >= 14 only; CVE-2025-68664/5 LangGrinch fix; bug and performance fixes.

---

💿 MDE Detailed Releases

Windows

Indicator	Feature	Type	Description
🔴	CVE-2026-41091: Microsoft Defender Elevation of Privilege Vulnerability	Security/Fix	Improper link resolution before file access (Important); fixed in Engine 1.1.26040.8.
🔴	CVE-2026-45584: Microsoft Defender Remote Code Execution Vulnerability	Security/Fix	Heap-based buffer overflow (Critical); fixed in Engine 1.1.26040.8.
🔴	CVE-2026-45498: Microsoft Defender Denial of Service Vulnerability	Security/Fix	(Low); fixed in Platform 4.18.26040.7.
🔵	Performance improvement for SFC cache build during engine reload	Update	Performance optimization for SFC cache build.
🔵	Reduced API calls for Device Control to prevent Entra throttling	Update	Reduced API calls and improved logging for Device Control.
🔵	Improved TVM Block logic handling	Update	Improved threat and vulnerability management block logic.
🔵	Fixed TVM Warn temporary paths exclusion issue	Update	Fixed exclusion issue when Tamper Protection Exclusions and DLAM are enabled.
🔵	Fixed Defender managed type when migrating from Co-management to Intune	Update	Migration fix for Defender managed type.

macOS

Indicator	Feature	Type	Description
🟢	Native root detection for Microsoft Defender	GA	Native root detection is now generally available.
🔵	Bug and performance fixes (101.26032.0016)	Update	General bug and performance fixes.
🔵	Performance improvement and bug fixes (4.18.25040.1)	Update	Performance improvements and general bug fixes.
🔵	Resolved performance regression under high load (101.26022.0020)	Update	Fixed degraded responsiveness and stability under high load conditions.
🔴	macOS >= 14 only (101.26022.0018)	Security	Packaging change: macOS 14+ only supported.
🔴	CVE-2025-68664/5 LangGrinch (langchain vulnerability) (101.26022.0018)	Security	Fixed langchain vulnerability.
🔵	Bug and performance fixes (101.26022.0018)	Update	General bug and performance fixes.

Linux

Indicator	Feature	Type	Description
🔵	Expanded visibility into Linux kernel module (.ko) file activity	Update	Creation, rename, and deletion visibility for kernel module files.
🔵	Offline security intelligence update optimization	Update	Offline updates now run at most once per configured interval, reducing redundant downloads.
🔵	Resolved SELinux policy cleanup issue on RHEL-based systems	Update	Safe removal of legacy SELinux modules while preserving customer-defined policies.

---

Top 5 Action Items

Priority	Action	Due	Affected Product(s)
🔴	Apply AKS node image updates (202604.13.0 / 202604.24.0) to mitigate CVE-2026-31431 (Linux kernel LPE)	Immediately	AKS
🔴	Migrate from Ingress NGINX to Gateway API-based application routing	November 2026	AKS
🔴	Update automation rules and Logic Apps for Sentinel Account Name UPN prefix change	July 1, 2026	Microsoft Sentinel
🔴	Apply Windows Defender Antivirus engine update (1.1.26040.8) to fix CVE-2026-45584 (RCE - Critical) and CVE-2026-41091 (EoP - Important)	Immediately	Microsoft Defender Endpoint
🔴	Plan migration from Entra Connect Sync to Entra Cloud Sync	Starting July 2026 (phased)	Microsoft Entra ID

---

Security Architect Observations

• AKS CVE-2026-31431 is critical: A Linux kernel LPE allowing pod-to-node root escalation affects Ubuntu 20.04 FIPS, 22.04, 24.04, and Azure Linux 3.0. Node image upgrade is required — existing nodes are not patched in place. The mitigation DaemonSet from the advisory should be applied immediately for pools already on 202604.24.0.
• Ingress NGINX retirement creates a major migration wave: With upstream maintenance ending March 2026 and production support through November 2026, all AKS clusters using the application routing add-on with NGINX must migrate to Gateway API. AKS Automatic clusters on 1.36+ will default to Gateway API. Plan the migration as a structured project with testing windows.
• Entra Connect Sync to Cloud Sync transition: Beginning July 2026, Microsoft will notify customers of phased transition windows. Cloud Sync does not yet support all advanced scenarios — organizations with complex sync configurations or large directories will be in later waves. Review the feature comparison and begin SOA (Source of Authority) planning now.
• Sentinel Account Name consistency change: The UPN prefix-only change (effective July 1, 2026) will break automation rules and Logic Apps that use strict equality on AccountName. Replace with Contains/Starts with operators and use the new UPNSuffix field. Audit all playbooks and automation before the deadline.
• Defender for Cloud container security expansion: GA of runtime protection on EKS Bottlerocket, DNS Detection for Kubernetes, and anti-malware detection/blocking significantly broadens container threat coverage. Evaluate enabling these for existing EKS and AKS clusters.
• Entra Agent ID platform GA: A new identity framework for AI agents using OAuth 2.0, MCP, and A2A protocols. Architects should evaluate this for governing agent identities in enterprise environments, especially as agent adoption grows across Copilot Studio, Foundry, and third-party platforms.

---

Security Operations Observations

• Three CVEs in Windows Defender Antivirus require immediate patching: CVE-2026-45584 (Critical RCE, heap-based buffer overflow) and CVE-2026-41091 (Important EoP) are fixed in Engine 1.1.26040.8. CVE-2026-45498 (Low DoS) is fixed in Platform 4.18.26040.7. Prioritize deployment via your endpoint management tooling.
• Security Analyst Agent in Security Copilot (Preview): Performs multi-step investigations across Defender and Sentinel telemetry without requiring query writing. SOC teams should pilot this to evaluate its effectiveness for triage and Tier-1 investigation workflows.
• Sentinel data federation and filter/split features: These reduce ingestion costs and enable in-place analysis of Fabric/ADLS/Databricks data. Operations teams should evaluate which data sources can be federated rather than ingested, and configure filter/split rules to route noise to the data lake tier.
• Defender XDR built-in alert tuning rules are now GA: Suppress alerts from common benign activity in Defender for Endpoint and Office 365 without affecting AIR. Review and enable these to reduce alert fatigue.
• Identity Explorer (Preview) in Defender Identity: Visualizes identity attack paths and lateral movement routes. SOC analysts should use this for proactive threat hunting and privilege escalation path discovery, especially for high-value identities.
• Purview DSPM proactive AI insights: Automatic 24-hour investigation refresh with exfiltration risk categorization. SOC teams monitoring data exfiltration should enable this and integrate findings into their incident response workflow.

---

References

Product	URL
Defender XDR	https://learn.microsoft.com/en-us/defender-xdr/whats-new
Unified SecOps	https://learn.microsoft.com/en-us/unified-secops/whats-new
Defender Endpoint	https://learn.microsoft.com/en-us/defender-endpoint/whats-new-in-microsoft-defender-endpoint
Defender Endpoint Releases	https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-releases
Defender Identity	https://learn.microsoft.com/en-us/defender-for-identity/whats-new
Microsoft Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/whats-new
Microsoft Entra ID	https://learn.microsoft.com/en-us/entra/fundamentals/whats-new
Defender Cloud Apps	https://learn.microsoft.com/en-us/defender-cloud-apps/release-notes
Defender Office 365	https://learn.microsoft.com/en-us/defender-office-365/defender-for-office-365-whats-new
Defender Cloud	https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes
AKS	https://github.com/Azure/AKS/releases
Azure Container Apps	https://learn.microsoft.com/en-us/azure/container-apps/whats-new
Azure Monitor	https://learn.microsoft.com/en-us/azure/azure-monitor/fundamentals/whats-new
Defender Container Sensor	https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-sensor-change-log
Security Copilot	https://learn.microsoft.com/en-us/copilot/security/whats-new-copilot-security
Defender Exposure Management	https://learn.microsoft.com/en-us/security-exposure-management/whats-new
Microsoft Purview	https://learn.microsoft.com/en-us/purview/whats-new
Microsoft Foundry	https://devblogs.microsoft.com/foundry/category/whats-new/
Microsoft Copilot Studio	https://learn.microsoft.com/en-us/microsoft-copilot-studio/whats-new
Microsoft Fabric	https://learn.microsoft.com/en-us/fabric/fundamentals/whats-new