Microsoft Q1 2025 Roadmap
2024 has come to an end, which means 2025 is here! I thought now would be a great time to share the security features I am excited about for the next quarter, as well as my expectations for 2025. Everything here is either publicly available on the roadmap or my opinion based on some of the groundwork Microsoft has been laying in 2024.
Exciting Q1 Features!
- MDO
- Entra
- General
Thoughts on MDO features
MDO has a lot of exciting or interesting features coming in Q1. AIR in MDO has always been automated investigation only, not automated remediation. Even smaller tenants can have a ton of these investigations, so having basic, reversible actions like soft deleting a malicious or suspicious entity is enticing! Microsoft also allowed user message reports to go to third-party vendors this year; integrating those reports with Microsoft's analysis could prove handy depending on your environment's configuration. Lastly, MDO is going to let you add allow entries directly to the Tenant Allow/Block List. I am not excited for this, I personally prefer the submission method, and I suspect complaints from larger organizations played a role, where maybe you want to pre-allow a vendor or something along those lines.
Thoughts on Entra features
Opening up an API for Conditional Access "what if" evaluation is interesting to me. Larger organizations likely have the budget and setup to use Log Analytics and Sentinel to preview policies that are in report-only mode. In smaller orgs, I could see having a script that feeds in a bunch of "what if" scenarios to evaluate the impact before enabling a policy. I could also see that becoming a problem that might require throttling.
Thoughts on General features
EWS is still out there but is being deprecated in October 2026. In environments where app consent is not locked down, EWS seems to be a common culprit for sending phishing email. I think this report could be useful for finding suspicious apps; at the very least it will show you any apps you need to get upgraded!
Expectation for 2025
Based on all the features being pushed currently, and excluding AI/Copilot features, I think we will see a big push around Entra ID authentication and passwords. Some things we saw in 2024:
- Required MFA for administrators
- Entra ID authentication setting changes
- Push for use of passkeys
- Increased passkey compatibility
Microsoft is seeing cyberattacks increase substantially; my read on these changes is that they are not waiting for users to understand passkeys or for admins to enforce security for their users. They are forcing some changes and sharing their lessons learned so other companies can start pushing passkeys to their users. You may have some people who disagree with having MFA on their "personal phone", but everyone knows what MFA is today. Passkeys are not a concept people understand yet, but once they do, they can easily be converted on their Microsoft account.
I also think we will continue to see an increase in third-party support and flexibility from Microsoft. More changes we saw in 2024:
- Third-party phish reporting support
- Third-party MFA support
I believe Microsoft sees its product as the best when you consider all the features you get together. From a security standpoint I actually agree with this. If you compare, say, MDE to CrowdStrike or MDO to Proofpoint head to head, the third party may have the edge, but what happens when you consider all the products together? The "XDR" element, being able to see all of your products from one view, is a benefit that can't be ignored. There are certainly ways around this, but they will all likely cost more money on top of the Microsoft and third-party licensing you may already be paying for.
If you are the best, why not make it easy to integrate third-party apps? It gives Microsoft more data and more enrichment of incidents, and gives orgs a chance to see what Microsoft has to offer alongside their existing security stack.
Ending note
I hope to do this quarterly as more items hit the roadmap, and possibly blog to announce these and other exciting changes when they reach GA. If you work with Microsoft products regularly, I suggest thinking about what you think we will see in 2025 as well! What I notice and find exciting might not be the same for you; the security stack is big and constantly changing when you consider where it was only a year ago.