Microsoft Q2 2025 Roadmap

The first quarter of 2025 is complete, let's review the past quarter and what we might see exciting in security for the next quarter. Everything here is publicly available on the roadmap or my opinion based on some groundwork Microsoft has been laying in 2024.

Changes we saw in Q1

Looking back at features we were excited for in Q1 we unfortunately did not see everything make it to GA and you will notice some repeats in our exciting features for Q2. Of the items that did make it to production are these:

• MDO
  • Jan 2025 - Allows in Tenant Allow/Block list
  • Feb 2025 - Microsoft Analysis of Third-party reported phish
    • This has been announced however I have seen some issues with actually implementing this.

Exciting Q2 Features!

• MDO
  • May 2025 - AIR automatic remediation
  • May 2025 - Advanced hunting Teams messages
• Entra
  • Dec 2024 - Conditional Access What If API
• General
  • Mar 2025 - EWS Usage Report

Thoughts on MDO features

Of the two items we are anticipating for Q2 here we expected one to arrive in Q1 and it did not. But we did see two other major features get implemented so the MDO team was busy. The new feature is some advanced hunting tables in Defender for Teams messages. Any Microsoft admin should be aware no message is private but it will be interesting to see what's available in these logs. If there is message data I would hope there is a "message preview" permission required to view that particular information.

Expectation for remainder of 2025

The below list contains my expectation for 2025 in my last post.

• Required MFA for administrators
• Entra ID authentication setting changes
• Push for use of passkeys
• Increased passkey compatibility

I still expect to see these items this year, only time will tell. One item I did not have that I believe we will see more of in the future, maybe not 2025 but early 2026 is new DMARC requirements. Microsoft is setting some DMARC restrictions for their personal email services in May. You can read some more about that announcement here. This really lines up with what Google and Yahoo have enforced last year. I suspect all of these service will require a reject or quarantine in the DMARC policy at some point in the near future.

Ending note

I have no significant notes for Microsoft's Q1 or what I am expecting for Q2. I am excited for what the future holds and believe Microsoft's Defender stack remains important to a good security posture, especially for customers who primarily use Microsoft services. Sentinel remains an important tool in the security arsenal if you are a mixed service and not purely Microsoft.