Merge pull request #279871 from ElazarK/WI274814-AWS-onboarding-faq

v-dirichards · web-flow · commit 34b5b0083995 · 2024-07-03T09:32:02.000-05:00
added new FAQ
diff --git a/articles/defender-for-cloud/faq-general.yml b/articles/defender-for-cloud/faq-general.yml
@@ -7,7 +7,7 @@ metadata:
   ms.author: dacurwin
   manager: raynew
   ms.topic: faq
-  ms.date: 05/22/2024
+  ms.date: 07/03/2024
 title: Common questions - General questions
 summary: |
 
@@ -368,6 +368,19 @@ sections:
         answer: |
           No, if the region or scan interval is changed, there is no need to re-run the CloudFormation template or Cloud Shell script. The changes will be applied automatically.
 
+      - question: |
+          How does onboarding an AWS organization or management account to Microsoft Defender for Cloud work?
+        answer: |
+          Onboarding an organization or a management account to Microsoft Defender for Cloud initiates the process of [deploying a StackSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html). The SteckSet includes the necessary roles and permissions. The StackSet also propagates the required permissions across all accounts within the organization. 
+          
+          The included permissions allow Microsoft Defender for Cloud to deliver the selected security features through the created connector in Defender for Cloud. The permissions also allow Defender for Cloud to continuously monitor all accounts that might be added using the auto-provisioning service.
+          
+          Defender for Cloud is capable of identifying the creation of new management accounts and can leverage the granted permissions to automatically provision an equivalent member security connector for each member account.
+          
+          This feature is available for organizational onboarding only and allows Defender for Cloud to create connectors for newly added accounts. The feature also allows Defender for Cloud to edit all member connectors when the management account is edited, delete all member accounts when the management account is deleted, and remove specific member account if the corresponding account is removed.
+
+          A separate stack must be deployed specifically for the management account.
+                
 additionalContent: |
 
   ## Next steps
