Merge pull request #861 from MicrosoftDocs/deniseb-global-admin

denisebmsft · web-flow · commit 071f8b5a9133 · 2024-06-28T16:08:22.000-07:00
Global Admin
diff --git a/defender-xdr/portal-submission-troubleshooting.md b/defender-xdr/portal-submission-troubleshooting.md
@@ -13,7 +13,7 @@ ms.collection:
 - tier2
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 03/18/2022
+ms.date: 06/28/2024
 ---
 
 # Troubleshooting Microsoft Security intelligence malware submission errors caused by administrator block
@@ -24,16 +24,21 @@ In some instances, an administrator block might cause submission issues when you
 
 Open your Azure [Enterprise application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). Under **Enterprise Applications** >  **Users can consent to apps accessing company data on their behalf**, check whether Yes or No is selected.
 
-- If **No** is selected, a Microsoft Entra administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with Microsoft Entra ID, users might be able to submit a request right from the same dialog box. If there's no option to ask for admin consent,  users need to request for these permissions to be added to their Microsoft Entra admin. Go to the following section for more information.
+- If **No** is selected, a Microsoft Entra administrator for the customer tenant needs to provide consent for the organization. Depending on the configuration with Microsoft Entra ID, users might be able to submit a request right from the same dialog box. If there's no option to ask for admin consent,  users need to request for these permissions to be added to their Microsoft Entra admin. Go to the following section for more information.
 
-- If **Yes** is selected, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If **No** is selected, you'll need to request a Microsoft Entra admin enable it.
+- If **Yes** is selected, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If **No** is selected, you need to request a Microsoft Entra admin enable it.
 
 ## Implement Required Enterprise Application permissions
 
-This process requires a global or application admin in the tenant.
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
+This process requires a Global Administrator or Application Administrator in the tenant.
 
 1. Open [Enterprise Application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d).
+
 2. Select **Grant admin consent for organization**.
+
 3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant.
 
     ![grant consent image.](/defender/media/security-intelligence-images/msi-grant-admin-consent.jpg)
@@ -42,10 +47,7 @@ This process requires a global or application admin in the tenant.
 
 ## Option 1 Approve enterprise application permissions by user request
 
-> [!NOTE]
-> This is currently a preview feature.
-
-Microsoft Entra admins will need to allow for users to request admin consent to apps. Verify the setting is configured to **Yes** in [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/).
+Microsoft Entra Administrators need to allow for users to request admin consent to apps. Verify the setting is configured to **Yes** in [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/).
 
 ![Enterprise applications user settings.](/defender/media/security-intelligence-images/msi-enterprise-app-user-setting.jpg)
 
@@ -55,19 +57,19 @@ Once this setting is verified, users can go through the enterprise customer sign
 
 ![Contoso sign in flow.](/defender/media/security-intelligence-images/msi-contoso-approval-required.png)
 
-Admin will be able to review and approve the application permissions [Azure admin consent requests](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AccessRequests/menuId/).
+Administrators can review and approve the application permissions [Azure admin consent requests](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AccessRequests/menuId/).
 
 After providing consent, all users in the tenant will be able to use the application.
 
 ## Option 2 Provide admin consent by authenticating the application as an admin
 
-This process requires that global admins go through the Enterprise customer sign-in flow at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission).
+This process requires that Global Administrators go through the Enterprise customer sign-in flow at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission).
 
 ![Consent sign in flow.](/defender/media/security-intelligence-images/msi-microsoft-permission-required.jpg)
 
 Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and then select **Accept**.
 
-All users in the tenant will now be able to use this application.
+All users in the tenant can now use this application.
 
 ## Option 3: Delete and readd app permissions
 
@@ -78,10 +80,11 @@ and select **delete**.
 
    ![Delete app permissions.](/defender/media/security-intelligence-images/msi-properties.png)
 
-2. Capture TenantID from [Properties](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties).
+2. Capture `TenantID` from [Properties](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties).
+
+3. Replace `{tenant-id}` with the specific tenant that needs to grant consent to this application in the URL below. Copy the following URL into browser: `https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent?client_id=f0cf43e5-8a9b-451c-b2d5-7285c785684d&state=12345&redirect_uri=https%3a%2f%2fwww.microsoft.com%2fwdsi%2ffilesubmission&scope=openid+profile+email+offline_access`
 
-3. Replace {tenant-id} with the specific tenant that needs to grant consent to this application in the URL below. Copy this URL into browser. The rest of the parameters are already completed.
-``https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent?client_id=f0cf43e5-8a9b-451c-b2d5-7285c785684d&state=12345&redirect_uri=https%3a%2f%2fwww.microsoft.com%2fwdsi%2ffilesubmission&scope=openid+profile+email+offline_access``
+   The rest of the parameters are already completed.
 
    ![Permissions needed.](/defender/media/security-intelligence-images/msi-microsoft-permission-requested-your-organization.png)
 
@@ -93,4 +96,4 @@ and select **delete**.
 
 6. Sign in to [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission) as an enterprise user with a non-admin account to see if you have access.
 
- If the warning is not resolved after following these troubleshooting steps, call Microsoft support.
+ If the warning isn't resolved after following these troubleshooting steps, call Microsoft support.
diff --git a/defender-xdr/setup-m365deval.md b/defender-xdr/setup-m365deval.md
@@ -15,7 +15,7 @@ ms.collection:
   - highpri
   - tier1
 ms.topic: conceptual
-ms.date: 02/17/2021
+ms.date: 06/28/2024
 ---
 
 # Set up your Microsoft Defender XDR trial in a lab environment
@@ -25,113 +25,74 @@ ms.date: 02/17/2021
 **Applies to:**
 - Microsoft Defender XDR
 
-This topic guides you to set up a dedicated lab environment. For information on setting up a trial in production, see the new [Pilot and deploy Microsoft Defender XDR](pilot-deploy-overview.md) guide.
+This article guides you to set up a dedicated lab environment. For information on setting up a trial in production, see the new [Pilot and deploy Microsoft Defender XDR](pilot-deploy-overview.md) guide.
 
-## Create an Office 365 E5 trial tenant
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
-> [!NOTE]
-> If you already have an existing Office 365 or Microsoft Entra subscription, you can skip the Office 365 E5 trial tenant creation steps.
-
-1. Go to the [Office 365 E5 product portal](https://www.microsoft.com/microsoft-365/business/office-365-enterprise-e5-business-software?activetab=pivot%3aoverviewtab) and select **Free trial**.
+## Create a Microsoft 365 E5 trial tenant
 
-   :::image type="content" source="/defender/media/mtp-eval-9.png" alt-text="The Office 365 E5 free trial page" lightbox="/defender/media/mtp-eval-9.png":::
+> [!NOTE]
+> If you already have an existing Microsoft 365 or Microsoft Entra subscription, you can skip the Microsoft 365 E5 trial tenant creation steps.
 
-2. Complete the trial registration by entering your email address (personal or corporate). Click **Set up account**.
+1. Go to the [Microsoft 365 E5 product portal](https://www.microsoft.com/microsoft-365/business/office-365-enterprise-e5-business-software?activetab=pivot%3aoverviewtab) and select **Free trial**.
 
-   :::image type="content" source="/defender/media/mtp-eval-10.png" alt-text="The Office 365 E5 trial registration setup page" lightbox="/defender/media/mtp-eval-10.png":::
+2. Complete the trial registration by entering your email address (personal or corporate). Select **Set up account**.
 
 3. Fill in your first name, last name, business phone number, company name, company size, and country or region.
 
-   :::image type="content" source="/defender/media/mtp-eval-11.png" alt-text="The Office 365 E5 trial registration setup page asking for name, phone, and company details" lightbox="/defender/media/mtp-eval-11.png":::
-
    > [!NOTE]
-   > The country or region you set here determines the data center region your Office 365 will be hosted.
-
-4. Choose your verification preference: through a text message or call. Click **Send Verification Code**.
-
-   :::image type="content" source="/defender/media/mtp-eval-12.png" alt-text="The Office 365 E5 trial registration setup page asking for verification preference" lightbox="/defender/media/mtp-eval-12.png":::
-
-5. Set the custom domain name for your tenant, then click **Next**.
+   > The country or region you set here determines the data center region your Microsoft 365 will be hosted.
 
-   :::image type="content" source="/defender/media/mtp-eval-13.png" alt-text="The Office 365 E5 trial registration setup page where you can set up your custom domain name" lightbox="/defender/media/mtp-eval-13.png":::
+4. Choose your verification preference: through a text message or call. Select **Send Verification Code**.
 
-6. Set up the first identity, which will be a Global Administrator for the tenant. Fill in **Name** and **Password**. Click **Sign up**.
+5. Set the custom domain name for your tenant, then select **Next**.
 
-   :::image type="content" source="/defender/media/mtp-eval-14.png" alt-text="The Office 365 E5 trial registration setup page where you can set your business identity" lightbox="/defender/media/mtp-eval-14.png":::
+6. Set up the first identity, which is a Global Administrator for the tenant. Fill in **Name** and **Password**. Select **Sign up**.
 
-7. Click **Go to Setup** to complete the Office 365 E5 trial tenant provisioning.
+7. Select **Go to Setup** to complete the Microsoft 365 E5 trial tenant provisioning.
 
-   :::image type="content" source="/defender/media/mtp-eval-15.png" alt-text="The Office 365 E5 trial registration setup page prompting to click Go to Setup button" lightbox="/defender/media/mtp-eval-15.png":::
-
-8. Connect your corporate domain to the Office 365 tenant. [Optional] Choose **Connect a domain you already own** and type in your domain name. Click **Next**.
-
-   :::image type="content" source="/defender/media/mtp-eval-16.png" alt-text="The Office 365 E5 Setup page where you should personalize your sign-in and email" lightbox="/defender/media/mtp-eval-16.png":::
+8. Connect your corporate domain to the Microsoft 365 tenant. [Optional] Choose **Connect a domain you already own** and type in your domain name. Select **Next**.
 
 9. Add a TXT or MX record to validate the domain ownership. Once you've added the TXT or MX record to your domain, select **Verify**.
 
-   :::image type="content" source="/defender/media/mtp-eval-17.png" alt-text="The Office 365 E5 setup page where you should add a TXT of MX record to verify your domain" lightbox="/defender/media/mtp-eval-17.png":::
-
 10. [Optional] Create more user accounts for your tenant. You can skip this step by clicking **Next**.
 
-    :::image type="content" source="/defender/media/mtp-eval-18.png" alt-text="The Office 365 E5 setup page where you can add more users" lightbox="/defender/media/mtp-eval-18.png":::
-
-11. [Optional] Download Office apps. Click **Next** to skip this step.
-
-    :::image type="content" source="/defender/media/mtp-eval-19.png" alt-text="The Office 365 E5 page where you can install your Office apps" lightbox="/defender/media/mtp-eval-19.png":::
+11. [Optional] Download Office apps. Select **Next** to skip this step.
 
 12. [Optional] Migrate email messages. Again, you can skip this step.
 
-    :::image type="content" source="/defender/media/mtp-eval-20.png" alt-text="The Office 365 E5 where you can set whether to migrate email messages or not" lightbox="/defender/media/mtp-eval-20.png":::
-
-13. Choose online services. Select **Exchange** and click **Next**.
-
-    :::image type="content" source="/defender/media/mtp-eval-21.png" alt-text="The Office 365 E5 where you can choose your online services" lightbox="/defender/media/mtp-eval-21.png":::
+13. Choose online services. Select **Exchange** and select **Next**.
 
 14. Add MX, CNAME, and TXT records to your domain. When completed, select **Verify**.
 
-    :::image type="content" source="/defender/media/mtp-eval-22.png" alt-text="The Office 365 E5 here you can add your DNS records" lightbox="/defender/media/mtp-eval-22.png":::
-
-15. Congratulations, you have completed the provisioning of your Office 365 tenant.
-
-    :::image type="content" source="/defender/media/mtp-eval-23.png" alt-text="The Office 365 E5 setup completion confirmation page" lightbox="/defender/media/mtp-eval-23.png":::
+Congratulations! You have completed the provisioning of your Microsoft 365 tenant.
 
-## Enable Microsoft 365 trial subscription
+## Enable your Microsoft 365 trial subscription
 
 > [!NOTE]
 > Signing up for a trial gives you 25 user licenses to use for a month. See [Try or buy a Microsoft 365 subscription](/microsoft-365/commerce/try-or-buy-microsoft-365) for details.
 
-1. From [Microsoft 365 Admin Center](https://admin.microsoft.com/), click **Billing** and then navigate to **Purchase services**.
+1. From [Microsoft 365 Admin Center](https://admin.microsoft.com/), select **Billing** and then navigate to **Purchase services**.
 
-2. Select **Microsoft 365 E5** and click **Start free trial**.
-
-   :::image type="content" source="/defender/media/mtp-eval-24.png" alt-text="The Microsoft 365 E5 Start free trial page" lightbox="/defender/media/mtp-eval-24.png":::
+2. Select **Microsoft 365 E5** and select **Start free trial**.
 
 3. Choose your verification preference: through a text message or call. Once you have decided, enter the phone number, select **Text me** or **Call me** depending on your selection.
 
-   :::image type="content" source="/defender/media/mtp-eval-25.png" alt-text="The Microsoft 365 E5 Start free trial page asking for contact details to send code to prove you are not a robot" lightbox="/defender/media/mtp-eval-25.png":::
-
-4. Enter the verification code and click **Start your free trial**.
-
-   :::image type="content" source="/defender/media/mtp-eval-26.png" alt-text="The Microsoft 365 E5 Start free trial page where you can fill out verification code the system sent to prove you are not a robot" lightbox="/defender/media/mtp-eval-26.png":::
+4. Enter the verification code and select **Start your free trial**.
 
-5. Click **Try now** to confirm your Microsoft 365 E5 trial.
+5. Select **Try now** to confirm your Microsoft 365 E5 trial.
 
-   :::image type="content" source="/defender/media/mtp-eval-27.png" alt-text="The Microsoft 365 E5 Start free trial page where you should clock the Try now button to start" lightbox="/defender/media/mtp-eval-27.png":::
+6. Go to the **Microsoft 365 Admin Center** > **Users** > **Active users**. Select your user account, select **Manage product licenses**, and then assign the Microsoft 365 E5 license. Then select **Save**.
 
-6. Go to the **Microsoft 365 Admin Center** > **Users** > **Active users**. Select your user account, select **Manage product licenses**, then swap the license from Office 365 E5 to **Microsoft 365 E5**. Click **Save**.
+7. Select the Global Administrator account again then select **Manage username**.
 
-   :::image type="content" source="/defender/media/mtp-eval-28.png" alt-text="The Microsoft 365 Admin Center page where you can select the Microsoft 365 E5 license" lightbox="/defender/media/mtp-eval-28.png":::
-
-7. Select the global administrator account again then click **Manage username**.
-
-   :::image type="content" source="/defender/media/mtp-eval-29.png" alt-text="The Microsoft 365 Admin Center page where you can select Account and Manage username" lightbox="/defender/media/mtp-eval-29.png":::
-
-8. [Optional] Change the domain from *onmicrosoft.com* to your own domain—depending on what you chose on the previous steps. Click **Save changes**.
-
-   :::image type="content" source="/defender/media/mtp-eval-30.png" alt-text="The Microsoft 365 Admin Center page where you can change your domain preference" lightbox="/defender/media/mtp-eval-30.png":::
+8. [Optional] Change the domain from *onmicrosoft.com* to your own domain—depending on what you chose on the previous steps. Select **Save changes**.
 
 ## Next step
 
 |[Phase 3: Configure & Onboard](pilot-deploy-overview.md) | Configure each Microsoft Defender XDR pillar for your Microsoft Defender XDR trial lab or pilot environment and onboard your endpoints.
 |:-------|:-----|
+
+
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
