
Commit 00f43fa

doctoring images
1 parent 1b0b63c commit 00f43fa


8 files changed

+36
-56
lines changed

Binary image files removed (5 files): -37.6 KB, -102 KB, -46.8 KB, -35.5 KB, -93.9 KB
Lines changed: 30 additions & 39 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
22
title: Endpoint security policies in multitenant management
3-
description: Learn how to manage endpoint security policies in multi-tenant management in Microsoft Defender XDR.
3+
description: Learn how to manage endpoint security policies for Defender XDR multi-tenant management in the Microsoft Defender portal.
44
ms.service: unified-secops-platform
55
ms.author: bagol
66
author: batamig
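Review bot: the new description keeps the hyphenated "multi-tenant management" while the title two lines above it and the body of the article use "multitenant management"; settle on one spelling across the file. Suggested: `description: Learn how to manage endpoint security policies for Defender XDR multitenant management in the Microsoft Defender portal.`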
@@ -11,7 +11,7 @@ ms.collection:
1111
- m365-security
1212
- highpri
1313
- tier1
14-
ms.topic: concept-article
14+
ms.topic: how-to
1515
ms.date: 07/28/2025
1616
appliesto:
1717
- Microsoft Defender XDR
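Review bot: `ms.date: 07/28/2025` is left untouched even though this hunk switches `ms.topic` from `concept-article` to `how-to` and the rest of the commit rewrites the body; bump ms.date so the freshness stamp reflects this revision. Also confirm `how-to` is the intended topic type, since the body rewrite replaces the numbered create/edit procedures with a pointer to the single-tenant article.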
@@ -21,59 +21,42 @@ appliesto:
2121

2222
# Endpoint security policies in multitenant management
2323

24-
An aggregated view of all security policies from all tenants is available through the **Endpoint security policies** page in multitenant management. The page gives you access to manage security settings on your tenants' devices, allowing you to create, edit, or delete security policies. Navigate to the page through **Endpoint > Configuration management > Endpoint security policies**.
24+
Microsoft Defender for Endpoint security policies help you manage security settings across your devices. In the Microsoft Defender multitenant management portal, the **Endpoints > Configuration management > Endpoint security policies** page allows you to manage security settings on your tenants' devices across multiple tenants.
2525

26-
> [!IMPORTANT]
27-
> The Endpoint security policies page is available only for [users with the security administrator role in Microsoft Defender XDR](/defender-endpoint/assign-portal-access). Any other user role like Security Reader cannot access the endpoint security policies page. When a user has the required permissions to view policies in the Microsoft Defender portal, the data is presented based on Intune permissions. If the user is in scope for Intune role-based access control, it applies to the list of policies presented in the Microsoft Defender portal. We recommend granting security administrators with the [Intune built-in role "Endpoint Security Manager"](/mem/intune/fundamentals/role-based-access-control#built-in-roles) to effectively align the level of permissions between Intune and Microsoft Defender XDR.
26+
For more information, see [Manage endpoint security policies in Microsoft Defender for Endpoint](/defender-endpoint/manage-security-policies).
2827

29-
To know more about endpoint security policy types, see [Manage endpoint security policies in Microsoft Defender for Endpoint](/defender-endpoint/manage-security-policies).
28+
## Prerequisites
3029

31-
As a Preview feature, distributed policies appear in a hierarchical view, with the original policy serving as the parent. You can find the policies that were distributed from your tenant under the original policy.
30+
- You must have Microsoft Defender for Endpoint to use endpoint security policies in multitenant management.
3231

33-
:::image type="content" source="media/mto-endpoint-security-policy/mto-distributed.png" alt-text="Screenshot of the endpoint security policies page in multitenant management highlighting distributed policies" lightbox="media/mto-endpoint-security-policy/mto-distributed.png":::
34-
35-
The **Last Distribution Status** for the original policy reflects the overall status of its distributed copies, and the **Tenants** and **Tenant Groups** sections indicate the recipients of the policy.
36-
37-
> [!TIP]
38-
> Security administrators must have permissions in each tenant to access the endpoint security policies page in multitenant management.
39-
40-
From the page, you can search for a specific policy by using the **Search** function. You can also **Filter** the policies according to tenant name, policy category, policy type, and targets. You can view, create, edit, or delete a security policy on a single tenant only through the page.
32+
- Security administrators must have permissions in each tenant to access the endpoint security policies page in multitenant management.
4133

34+
- The **Endpoint security policies** page is available only for [users with the security administrator role in Microsoft Defender XDR](/defender-endpoint/assign-portal-access). Other user roles, like Security Reader, don't provide access to the **Endpoint security policies** page.
4235

43-
## Create a new security policy
36+
When a user has the required permissions to view policies in the Microsoft Defender portal, the data is presented based on Intune permissions. If the user is in scope for Intune role-based access control, it applies to the list of policies presented in the Microsoft Defender portal.
4437

45-
> [!NOTE]
46-
> Creating one policy for multiple tenants is not yet supported.
38+
We recommend granting security administrators with the [Intune built-in role "Endpoint Security Manager"](/mem/intune/fundamentals/role-based-access-control#built-in-roles) to effectively align the level of permissions between Intune and Microsoft Defender XDR.
4739

48-
To create a new security policy, perform the following steps:
40+
## Create a new or edit an existing security policy
4941

50-
1. Sign in to the Microsoft Defender portal using a security administrator role.
51-
2. From the main menu, select **Configuration management > Endpoint security policies**, then select **Create new Policy**.
52-
3. Select a tenant, platform, and a template in the dropdown menus. Then select Create policy.
53-
:::image type="content" source="media/mto-endpoint-security-policy/mto-create-policy-small.png" alt-text="Screenshot of the policy creation page in endpoints security policy page in multitenant management." lightbox="media/mto-endpoint-security-policy/mto-create-policy.png":::
54-
4. On the **Basics** page, enter a name and description for the new policy, then choose **Next**.
55-
5. On the **Configuration settings** page, expand a group of settings and configure the settings you need to manage the endpoints in the tenant. Select **Next** once you're done with the configuration.
56-
6. On the **Assignments** page, select the Microsoft Entra ID groups where the policy will apply, then select **Next**.
57-
7. Review your new policy's settings on the **Review + create** page, then select **Save** when you're done.
42+
Use the same procedure to create a new endpoint security policy in the multitenant management portal as you would in the single tenant portal. Differences include:
5843

59-
After creating, the Microsoft Defender portal opens a new window showing the new policy's details.
44+
- Before you start, select the tenant for which you want to create the policy. Each policy is created for a specific tenant, and you can only create policies for one tenant at a time.
6045

61-
> [!NOTE]
62-
> To edit the scope tags, you'll need to go to the [Microsoft Intune admin center](https://intune.microsoft.com/). Editing scope tags must be done in the single tenant portal as multitenant management is not yet supported in the Intune admin center.
46+
For example:
47+
48+
:::image type="content" source="media/mto-endpoint-security-policy/mto-create-policy-small.png" alt-text="Screenshot of the policy creation page in endpoints security policy page in multitenant management." lightbox="media/mto-endpoint-security-policy/mto-create-policy.png":::
6349

64-
## Edit a security policy
50+
- To edit the scope tags, you'll need to go to the [Microsoft Intune admin center](https://intune.microsoft.com/). Editing scope tags must be done in the single tenant portal as multitenant management is not yet supported in the Intune admin center.
6551

66-
To edit an existing security policy, perform the following steps:
67-
68-
1. In the **Endpoint security policies** page, select the policy you want to edit and then select **Edit**.
69-
2. In the side panel, select **Edit** to edit the policy.
70-
3. Modify the policy's settings and configuration in the next pages.
71-
4. After you've made changes, select **Save** to save your edits.
52+
From the page, you can search for a specific policy by using the **Search** function. You can also **Filter** the policies according to tenant name, policy category, policy type, and targets. You can view, create, edit, or delete a security policy on a single tenant only through the page.
7253

73-
You can delete a security policy by selecting the policy in the Endpoint security policies page, then selecting **Delete**.
54+
Edit or delete a security policy by selecting the policy in the Endpoint security policies page, then selecting **Edit** or **Delete**. For example:
7455

7556
:::image type="content" source="media/mto-endpoint-security-policy/mto-edit-policy-small.png" alt-text="Screenshot of the editing pane for endpoint security policies page in multitenant management in Microsoft Defender XDR." lightbox="media/mto-endpoint-security-policy/mto-edit-policy.png":::
7657

58+
For more information, see [Create an endpoint security policy](//defender-endpoint/manage-security-policies#create-an-endpoint-security-policy).
59+
7760
## Verify endpoint security policy status
7861

7962
To verify that you have successfully created a policy, select the policy from the list and click on the policy name to open the policy page. You can also view the policy page through **Edit > Open policy page**. The policy page opens in a new tab.
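Review bot: the new link `[Create an endpoint security policy](//defender-endpoint/manage-security-policies#create-an-endpoint-security-policy)` starts with two slashes, which browsers treat as a protocol-relative URL to a host named `defender-endpoint` rather than the docs path; use the single-slash form already used earlier in this hunk, `/defender-endpoint/manage-security-policies#create-an-endpoint-security-policy`. Secondary: the "Differences include:" list is interrupted by the "For example:" line and the screenshot placed between its first and second bullets, so the scope-tags bullet renders as a separate list; either indent the screenshot under the first bullet or move it after the second.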
@@ -84,4 +67,12 @@ The policy page displays details of an endpoint security policy, including the s
8467

8568
You can also view the policy in the Microsoft Intune admin center. To do so, select the More actions ellipsis (…) in the policy page, then select **View in Intune**.
8669

87-
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
70+
## View distributed policies (Preview)
71+
72+
Endpoint security policies that are distributed across tenants with the multitenant management portal appear in a hierarchical view, with the original policy serving as the parent. You can find the policies that were distributed from your tenant under the original policy. For example:
73+
74+
:::image type="content" source="media/mto-endpoint-security-policy/mto-distributed.png" alt-text="Screenshot of the endpoint security policies page in multitenant management highlighting distributed policies" lightbox="media/mto-endpoint-security-policy/mto-distributed.png":::
75+
76+
The **Last Distribution Status** for the original policy reflects the overall status of its distributed copies, and the **Tenants** and **Tenant Groups** sections indicate the recipients of the policy.
77+
78+
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
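Review bot: the new "View distributed policies (Preview)" section describes the hierarchical view but never says how a policy gets distributed in the first place; the whats-new entry in this same commit links both this article and [Content distribution in multitenant management](mto-tenantgroups.md), so add the same cross-link here (for example, a sentence after the first paragraph) so readers can get from the parent/child view to the tenant-group wizard that produces it.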

unified-secops-platform/mto-tenantgroups.md

Lines changed: 3 additions & 11 deletions
@@ -46,28 +46,20 @@ The following table lists the requirements for content distribution in multitena
4646
To create a new tenant group:
4747

4848
1. Go to the [Tenant groups page](https://mto.security.microsoft.com/tenantgroups) in multitenant management in Microsoft Defender XDR.
49-
1. Select **Create tenant group**. In the **Tenants** page, select **Add tenant** to see a list of available tenants that you can add to your tenant group. Choose the tenants you want to add to the tenant group, then select **Add**.
5049

51-
:::image type="content" source="media/mto-tenantgroups/mto-add-tenants-small.png" alt-text="Screenshot of the tenant group creation wizard." lightbox="media/mto-tenantgroups/mto-add-tenants.png":::
50+
1. Select **Create tenant group**. In the **Tenants** page, select **Add tenant** to see a list of available tenants that you can add to your tenant group. Choose the tenants you want to add to the tenant group, then select **Add**.
5251

5352
1. In the **Content selection** page, select the content to be distributed across all tenants in your tenant group, then select **Next**.
5453

55-
1. In the **Custom detection rules** page, select **Add content** to add specific detection rules to your tenant group.
56-
57-
:::image type="content" source="media/mto-tenantgroups/mto-add-custom-small.png" alt-text="Screenshot of custom detection rules addition wizard." lightbox="media/mto-tenantgroups/mto-add-custom.png":::
54+
1. In the **Custom detection rules** page, select **Add content** to add content to your tenant group.
5855

5956
1. In the **Select detection rules** page, filter the source tenant of the content, then select **Apply**. Choose the content you want to add to your tenant group from the list.
6057

61-
:::image type="content" source="media/mto-tenantgroups/mto-select-content-small.png" alt-text="Screenshot of the detection rules selection pane." lightbox="media/mto-tenantgroups/mto-select-content.png":::
62-
6358
1. In the **Device groups** page, select the devices or specific device groups that need to be in your tenant's scope.
6459

65-
:::image type="content" source="media/mto-tenantgroups/mto-select-device-small.png" alt-text="Screenshot of the device selection pane." lightbox="media/mto-tenantgroups/mto-select-device.png":::
66-
6760
1. Add a tenant group name and description about your tenant group in the Details page.
68-
1. Review the details of the tenant group you created in the **Summary** page. Leave the **Sync all authorized tenants** option checked if content needs to be synchronized now or uncheck it if the sync is planned for a later time.
6961

70-
:::image type="content" source="media/mto-tenantgroups/mto-summary-tenantgroups-small.png" alt-text="Screenshot of summary of tenant groups with the checkbox highlighted." lightbox="media/mto-tenantgroups/mto-summary-tenantgroups.png":::
62+
1. Review the details of the tenant group you created in the **Summary** page. Leave the **Sync all authorized tenants** option checked if content needs to be synchronized now or uncheck it if the sync is planned for a later time.
7163

7264
1. Select **Submit** to finish your tenant group creation.
7365

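Review bot: the "Custom detection rules" step is generalized from "add specific detection rules" to "add content to your tenant group", but the very next step still reads "In the **Select detection rules** page, filter the source tenant of the content"; if that wizard page now carries endpoint security policies as well as detection rules, rename both steps consistently, otherwise restore "detection rules" in the earlier one. Minor: "Review the details of the tenant group you created" precedes the **Submit** step, so "the tenant group you're creating" is more accurate.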
unified-secops-platform/whats-new.md

Lines changed: 3 additions & 6 deletions
@@ -29,15 +29,12 @@ This article lists recent features added for unified security operations in the
2929

3030
### Distribute Microsoft Defender for Endpoint security policies with multitenant management
3131

32-
Microsoft Defender for Endpoint security policies can now be distributed across multiple tenants from the Defender multi-tenant portal. This capability empowers security teams to manage policies at scale, ensuring consistency and saving valuable time.
33-
34-
- Endpoint security policies now display distributed policies in a hierarchical view, making it easier to identify parent policies and their distributed copies across tenants.
35-
- The original policy’s page now shows the overall distribution status and clearly lists recipient tenants and tenant groups.
36-
37-
For example:
32+
Microsoft Defender for Endpoint security policies can now be distributed as content across multiple tenants using the Defender multitenant portal, empowering security teams to manage endpoint security policies at scale. Disributed policies are shown in the **Configuration management > Endpoint security policies** page in a hierarchical view so that you can identify parent policies and their distributed copies across tenants.
3833

3934
:::image type="content" source="media/mto-endpoint-security-policy/mto-distributed.png" alt-text="Screenshot of an expanded, distributed policy." lightbox="media/mto-endpoint-security-policy/mto-distributed.png":::
4035

36+
The original policy’s page also shows the overall distribution status and lists recipient tenants and tenant groups.
37+
4138
For more information, see [Endpoint security policies in multitenant management](mto-endpoint-security-policy.md) and [Content distribution in multitenant management](mto-tenantgroups.md).
4239

4340
### For new customers only: Automatic onboarding and redirection to the Microsoft Defender portal
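Review bot: typo in the new paragraph: "Disributed policies are shown in the **Configuration management > Endpoint security policies** page" should read "Distributed policies are shown ...". The same sentence correctly switches "multi-tenant portal" to "multitenant portal", matching the article it links to, so only the spelling needs fixing before merge.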
