Microsoft Defender for Office 365: Modernization of AIR platform for user submission investigation playbook

Microsoft Defender for Office 365 Plan 2+ is upgrading its Automated Investigations and Response (AIR) platform, starting with the user submission playbook, to improve speed and scalability. Rollout begins October 2025, with faster investigations, no downtime, unchanged workflows, and no admin action required.

Applies to Defender for Office 365 Plan 2 or above customers:

We’re rolling out a major upgrade to the Automated Investigations and Response (AIR) capability in Microsoft Defender for Office 365. One of the key areas of feedback from customers has been latency in AIR’s automated investigations—particularly in the user submission investigation playbook, where fast and reliable automation is essential to reducing Security Operations Center (SOC) workload and enabling focus on higher-severity incidents.

In response to this feedback and as part of ongoing efforts to improve the end-to-end email submission response workflow in Defender for Office 365, AIR is being migrated from a legacy platform to a modernized infrastructure to improve performance, scalability, and speed. In this first phase, the user submission playbook (triggered by the alert policy “Email reported by user as malware or phish”) will be migrated. A separate communication will follow for the migration of other playbooks.

This message is associated with Microsoft 365 Roadmap ID 503108.

When this will happen:

General Availability (Worldwide, GCC, GCCH, and DoD): Rollout begins in early October 2025 and completes by late December 2025.

How this affects your organization:

Who is affected:

Organizations using Microsoft Defender for Office 365 with Automated Investigations and Response (AIR) enabled, specifically those leveraging the user submission investigation playbook.

What will happen:

  • AIR investigations for user submissions will complete in minutes instead of hours, even during surge loads.
  • AIR is rebuilt on Microsoft Azure for flexibility and improved tenant-level isolation and load distribution.
  • The modernized platform enables faster development and deployment of new AIR features.
  • No disruptions or downtime during rollout.
  • User workflows remain unchanged.
  • This change is enabled by default.

What you can do to prepare:

  • No admin action is required before rollout.
  • Review your current AIR configuration to assess impact.
  • Notify users and update internal documentation if needed.

Learn more:

Compliance considerations:

No compliance considerations identified; review as appropriate for your organization.

Message ID: MC1165053

