Merge branch 'main' into patch-2

Author: austinmccollum

ATPDocs/deploy/activate-sensor.md

@@ -25,7 +25,7 @@ You can choose to activate eligible domain controllers either automatically, whe
 |---------|---------|
 |Activate new sensor |The domain controller is already onboarded to Defender for Endpoint. [Activate the sensor](#activate-the-defender-for-identity-sensor).|
 |Install classic sensor|[Deploy the classic Defender for Identity sensor](install-sensor.md) from the **Sensors page**.|
-|OS update is required     |This domain controller is running an unsupported operating system version for the new sensor. Update the server to Windows Server 2019 or later to use the new sensor. |
+|OS upgrade is required     |This domain controller is running an unsupported operating system version for the new sensor. Upgrade the OS version to the latest version. |
 
 <!--|Download onboarding package     |[Onboard the domain controller to Defender for Endpoint](#onboard-the-domain-controller).|-->
 

CloudAppSecurityDocs/caac-known-issues.md

@@ -114,6 +114,35 @@ A user who starts a session in Edge with a profile other than his work profile,
 
 If the URL points to a resource within the secured application, the user will be directed to the application's homepage in Edge.
 
+### Outdated session policy enforcement with Edge
+When a session policy is enforced using Edge in-browser protection and the user is later removed from the corresponding Conditional Access (CA) policy, the original session enforcement may still persist.
+
+Example Scenario:
+
+A user was originally assigned a CA policy for the Salesforce application, along with an Defender for Cloud apps session policy that blocked file downloads. As a result, downloads were blocked when the user accessed Salesforce in Edge.
+
+Although the admin later removed the CA policy, the user still experiences the download block in Edge due to cached policy data.
+
+Mitigation Options:
+
+Option 1: Automatic cleanup
+1.	Reassign the user/app to the CA policy.
+2.	Remove the corresponding Defender for Cloud Apps session policy.
+3.	Have the user access the application using Edge, this will trigger the policy removal automatically.
+4.	Remove the CA policy again.
+   
+Option 2: Manual cleanup
+1.	Delete the cached policy file
+     - Go to: C:\Users\<username>\AppData\Local\Microsoft\Edge\
+     - Delete the file: mda_store.txt
+
+2.	Remove the work profile in Edge
+    - Open Microsoft Edge.
+    - Navigate to Profile Settings.
+    - Delete the work profile associated with the outdated session policy.
+  
+These steps will force a policy refresh and resolve enforcement issues related to outdated session policies.
+
 ## Related content
 
 - [Conditional Access app control in Microsoft Defender for Cloud Apps](proxy-intro-aad.md)

defender-office-365/media/email-collab-overview-insights-m365-secure-email-gateway.png

@@ -18,7 +18,7 @@ ms.collection:
 description: Admins can learn about the information on the Microsoft Defender for Office 365 Overview dashboard in the Microsoft Defender portal.
 ms.custom:
 ms.service: defender-office-365
-ms.date: 6/27/2025
+ms.date: 07/14/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
   - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
@@ -38,7 +38,7 @@ The information on the **Overview** page is organized into the following areas:
 
 For the permissions required to view the dashboard and reports, see [What permissions are needed to view these reports?](reports-email-security.md#what-permissions-are-needed-to-view-these-reports).
 
-By default, the data on the page is shown for the last 30 days. But, you can show data for the last 60 days or the last 90 days by selecting the **Last 30 days** drop down at the top of the page.
+By default, the data on the page is shown for the last 30 days.
 
 :::image type="content" source="media/email-collab-overview.png" alt-text="Screenshot of the Email and collaboration overview report page in the Microsoft Defender portal." lightbox="media/email-collab-overview.png":::
 
@@ -56,17 +56,17 @@ The graph on the **Phish / Malware Efficacy** card visually represents the prote
 
 - **Pre-delivery**: Items detected before they reach the recipient's mailbox.
 - **Post-delivery**: Items removed after the item was delivered to the recipient's mailbox via [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md).
-- **Uncaught**: Delivered items that ZAP identified but couldn't remove. For example:
+- **Uncaught**: Delivered items that ZAP identified but didn't remove due to them already being remediated. For example:
   - Admin deletions or remediations.
   - [Admin submissions](submissions-admin.md) to Microsoft identifying the message as malware or phishing.
   - User deletions.
   - Non-Microsoft security provider deletions.
 
-The percentage value is the number of messages in each category divided by the total number of malicious malware and phishing email during the review period you selected at the top of the page (30 days (default), 60 days, or 90 days).
+The percentage value is the number of messages in each category divided by the total number of malicious malware and phishing email during the review period selected.
 
 Hover over a category in the chart to see the number of messages in each category for the review period. Hover over the percentage to see the total number of messages
 
-:::image type="content" source="media/email-collab-overview-mdo-efficacy.png" alt-text="Screenshot of the Efficacy card in the Defender for Office 365 section of the Email & collaboration overview report page." lightbox="media/email-collab-overview-mdo-efficacy.png":::
+:::image type="content" source="media/email-collab-overview-mdo-efficacy.png" alt-text="Screenshot of the Phish / Malware Efficacy card in the Defender for Office 365 section of the Email & collaboration overview report page." lightbox="media/email-collab-overview-mdo-efficacy.png":::
 
 > [!TIP]
 >
@@ -80,7 +80,7 @@ Hover over a category in the chart to see the number of messages in each categor
 
 <!--- https://go.microsoft.com/fwlink/?linkid=2323912 --->
 
-The graph on the **Threat detections** card shows the number of messages detected by the following technologies during the review period you selected at the top of the page (30 days (default), 60 days, or 90 days):
+The graph on the **Threat detections** card shows the number of messages detected by the following technologies during the review period selected.
 
 - **Malware**: The breakdown of detection technologies is available in the **Threat protection status** report under [View data by Email \> Malware and Chart breakdown by Detection Technology](reports-email-security.md#view-data-by-email--malware-and-chart-breakdown-by-detection-technology).
 
@@ -131,12 +131,8 @@ Hover over a category in the chart to see the number of **Onboarded** priority a
 
 The graph on the **Policy recommendations** card shows the number of users directly protected by [Safe Links](safe-links-about.md) and [Safe Attachments](safe-attachments-about.md) policies as a percentage of the total number of users (the value 100% means everyone is protected). The numbers are taken from whether the following recommended actions in [Microsoft Secure Score](/defender-xdr/microsoft-secure-score) have the **Status** value `Completed`:
 
-- <u>Safe Links</u>:
-  - **Ensure Safe Links for Office applications is enabled**
-  - **Create Safe Links policies for email messages**
-- <u>Safe Attachments</u>:
-  - **Turn on Safe Attachments in block mode**
-  - **Ensure Safe Attachments policy is enabled**
+- <u>Safe Links</u>: **Create Safe Links policies for email messages**
+- <u>Safe Attachments</u>: **Ensure Safe Attachments policy is enabled**
 
 Hover over a category in the chart to see the number of **Impacted users** (the total number of users in the organization) and **Protected users** (users protected by Safe Links or Safe Attachment policies as defined by the recommended actions in Microsoft Secure Score).
 
@@ -173,7 +169,7 @@ The **Tenant allow types** card shows a table with the types of allow entries in
   - [File hash](tenant-allow-block-list-files-configure.md#create-allow-entries-for-files)
   - [Sender](tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-domains-and-email-addresses)
   - [IP allow](tenant-allow-block-list-ip-addresses-configure.md#create-allow-entries-for-ipv6-addresses)
-- **Messages allowed** column: The number of messages allowed for the review period you selected at the top of the page (30 days (default), 60 days, or 90 days).
+- **Messages allowed** column: The number of messages allowed for the review period selected.
 
 :::image type="content" source="media/email-collab-overview-risky-allows-tenant-allow-types.png" alt-text="Screenshot of the Tenant allow types card in the Risky allows section of the Email & collaboration overview report page." lightbox="media/email-collab-overview-risky-allows-tenant-allow-types.png":::
 
@@ -184,7 +180,7 @@ The **Tenant allow types** card shows a table with the types of allow entries in
 The **Exchange transport rules** card shows the mail flow rules (also known as transport rules) that allowed messages that would otherwise be blocked:
 
 - **Rule ID**
-- **Messages allowed**: The number of messages allowed during the review period you selected at the top of the page (30 days (default), 60 days, or 90 days).
+- **Messages allowed**: The number of messages allowed during the review period selected.
 
 Select **Review rules** to go to the **Rules** page in the Exchange admin center (EAC) at <https://admin.cloud.microsoft/exchange#/transportrules>.
 
@@ -205,7 +201,7 @@ The graph on the **Email detections** shows Microsoft and non-Microsoft detectio
 - **Non-Microsoft post-delivery detections**
 - **Duplicate detections Duplicate post-delivery detections**
 
-Hover over a category in the chart to see the number of messages in each category for the review period you selected at the top of the page (30 days (default), 60 days, or 90 days).
+Hover over a category in the chart to see the number of messages in each category for the review period selected.
 
 :::image type="content" source="media/email-collab-overview-compare-solutions-email-detections.png" alt-text="Screenshot of the Email detections card in the Compare solutions section of the Email & collaboration overview report page." lightbox="media/email-collab-overview-compare-solutions-email-detections.png":::
 
@@ -220,7 +216,7 @@ The graphs on the **Non-Microsoft detections** show the following information fo
   - **Phish**
   - **Spam**
 
-  Hover over a category in the chart to see the number of messages in each category for the review period you selected at the top of the page (30 days (default), 60 days, or 90 days).
+  Hover over a category in the chart to see the number of messages in each category for the review selected.
 
 - **Efficacy** graph: Shows the unique detections by the non-Microsoft service as a percentage of the total detections by Defender for Office 365.
 
@@ -232,7 +228,7 @@ The information in the **Insights** section is described in the following subsec
 
 ### Top trending attacks card
 
-The graph on the **Top trending attacks** card shows the most encountered phishing attack types by volume for the review period you selected at the top of the page (30 days (default), 60 days, or 90 days).
+The graph on the **Top trending attacks** card shows the most encountered phishing attack types by volume for the review period selected.
 
 Threat classification in Defender for Office 365 uses advanced technologies such as large language models (LLMs), small language models (SLMs), and machine learning (ML) models to automatically detect and classify email-based threats.
 
@@ -248,7 +244,7 @@ The **Emerging threats** card shows any notable campaigns observed by Microsoft
 
 <!--- https://go.microsoft.com/fwlink/?linkid=2324014 --->
 
-The graph on the **Microsoft 365 Secure Email Gateway performance** card compares the effectiveness of Defender for Office 365 against other secure email gateways. To ensure fairness, the number of missed messages is normalized per 1,000 active users.
+The graph on the **Microsoft 365 Secure Email Gateway performance** card compares the effectiveness of Defender for Office 365 against other secure email gateways. To ensure fairness, the number of missed phish and malware messages is normalized per 1,000 active users.
 
 :::image type="content" source="media/email-collab-overview-insights-m365-secure-email-gateway.png" alt-text="Screenshot of the Microsoft 365 Secure Email Gateway performance card in the Insights section of the Email & collaboration overview report page." lightbox="media/email-collab-overview-insights-m365-secure-email-gateway.png":::
 

defender-office-365/media/email-collab-overview-mdo-efficacy.png

@@ -42,7 +42,7 @@ Admins can mark messages and notify users of review results only if the user [re
   - **Payload reputation/detonation**: Up-to-date examination of any URLs and attachments in the message.
   - **Grader analysis**: Review done by human graders to confirm whether or not messages are malicious.
 
-[Learn more how submissions are processed behind-the-scenes to generate the result](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/how-your-submissions-to-defender-for-office-365-are-processed-behind-the-scenes/4231551). 
+  For more information, see [Learn more how submissions are processed behind-the-scenes to generate the result](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/how-your-submissions-to-defender-for-office-365-are-processed-behind-the-scenes/4231551).
 
   So, submitting or resubmitting messages to Microsoft is useful to admins only for messages that have never been submitted to Microsoft, or when you disagree with the original verdict.
 

defender-office-365/media/email-collab-overview-optimize-posture-recommendations.png

@@ -824,12 +824,12 @@ The analysis results of the reported item are shown in the details flyout that o
 - Current detonation results to see if the URLs or files in the message were malicious or not.
 - Feedback from graders.
 
-[Learn more how submissions are processed behind-the-scenes to generate the result](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/how-your-submissions-to-defender-for-office-365-are-processed-behind-the-scenes/4231551). 
+For more information about how Microsoft processes submissions, see [Learn more how submissions are processed behind-the-scenes to generate the result](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/how-your-submissions-to-defender-for-office-365-are-processed-behind-the-scenes/4231551).
 
 If an override or policy configuration was found, the result should be available in several minutes. If there wasn't a problem in email authentication or delivery wasn't affected by an override or policy, the detonation and feedback from graders could take up to a day.
 
 > [!NOTE]
-> **Currently in Preview**, AI-powered Submissions Response capability introduces generative AI explanations for admin email submissions to Microsoft. For more information, see [Submission result definitions](submissions-result-definitions.md).
+> AI-powered Submissions Response capability introduces generative AI explanations for admin email submissions to Microsoft. For more information, see [Submission result definitions](submissions-result-definitions.md).
 
 ### Actions for admin submissions in Defender for Office 365
 

defender-office-365/media/email-collab-overview.png

@@ -34,12 +34,12 @@ When admins or users submit items to Microsoft for analysis, we do the following
 - **Payload reputation/detonation**: Up-to-date examination of any URLs and attachments in the message.
 - **Grader analysis**: Review done by human graders to confirm whether messages are malicious.
 
-[Learn more how submissions are processed behind-the-scenes to generate the result](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/how-your-submissions-to-defender-for-office-365-are-processed-behind-the-scenes/4231551). 
+For more information, see [Learn more how submissions are processed behind-the-scenes to generate the result](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/how-your-submissions-to-defender-for-office-365-are-processed-behind-the-scenes/4231551).
 
 > [!NOTE]
 >
 > - In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), admins can submit items to Microsoft for analysis, but the items are analyzed for email authentication and policy hits only. Payload reputation, detonation, and grader analysis aren't done for compliance reasons (data isn't allowed to leave the organization boundary).
-> - **Currently in Preview**, AI-powered Submissions Response capability introduces generative AI explanations for email submissions to Microsoft. These explanations aim to provide enterprise admins with clear, detailed, human-readable explanations for why messages were classified. Currently, this feature is scoped to email submissions only, and AI-generated explanations aren't used for the following types of submissions:
+> - AI-powered Submissions Response introduces generative AI explanations for email submissions to Microsoft. These explanations aim to provide enterprise admins with clear, detailed, human-readable explanations for why messages were classified. Currently, this feature is scoped to email submissions only, and AI-generated explanations aren't used for the following types of submissions:
 >   - Files
 >   - URLs
 >   - Microsoft Teams messages