Merge branch 'main' into batamig-patch-4

Author: batamig

ATPDocs/deploy/capacity-planning.md

@@ -12,7 +12,7 @@ This article describes how to use the Microsoft Defender for Identity sizing too
 
 While domain controller performance may not be affected if the server doesn't have required resources, the Defender for Identity sensor may not operate as expected. For more information, see [Microsoft Defender for Identity prerequisites](prerequisites-sensor-version-2.md).
 
-The sizing tool measures the capacity needed for domain controllers only. There is no need to run it against AD FS / AD CS / Entra Connect servers, as the performance impact on these servers is extremely minimal to not existent.
+The sizing tool measures the capacity needed for domain controllers only. There is no need to run it against servers that are only AD FS, AD CS, or Entra Connect (unless those servers also function as a domain controller), as the performance impact on these servers is extremely minimal to not existent.
 
 > [!TIP]
 > By default, Defender for Identity supports up to 350 sensors. To install more sensors, contact Defender for Identity support.
@@ -120,6 +120,10 @@ Various tools can help you discover the average packet/second counter for your d
 > [!NOTE]
 > By default, Defender for Identity supports up to 350 sensors. If you want to install more sensors, contact Defender for Identity support.
 
+> [!IMPORTANT]
+> If your domain controller runs low on available memory, a corresponding health issue will appear in the Defender for Identity portal to alert you of this condition. Learn more about [health issues](../health-alerts.md).
+
+
 ## Next step
 
 

ATPDocs/health-alerts.md

@@ -199,6 +199,12 @@ items:
          href: security-assessment-remove-local-admins.md   
        - name: Unmonitored domain controllers
          href: security-assessment-unmonitored-domain-controller.md
+       - name: Unmonitored ADCS servers
+         href: unmonitored-active-directory-certificate-services-server.md
+       - name: Unmonitored ADFS servers
+         href: unmonitored-active-directory-federation-services-servers.md
+       - name: Unmonitored Entra Connect servers
+         href: unmonitored-entra-connect-servers.md
        - name: Unsecure domain configurations
          href: security-assessment-unsecure-domain-configurations.md
      - name: Certificates

ATPDocs/media/unmonitored-adcs-servers/recommended-actions-unmonitored-active-directory-certificate-services-servers.png

@@ -0,0 +1,38 @@
+---
+title: 'Security Assessment: Unmonitored ADCS servers'
+description: 'Detect unmonitored ADCS servers and deploy Defender for Identity sensors to help prevent unauthorized certificate issuance and privilege escalation.'
+author: LiorShapiraa # GitHub alias
+ms.author: liorshapira
+ms.service: microsoft-defender-for-identity
+ms.topic: article
+ms.date:     07/06/2025
+ms.reviewer: LiorShapiraa
+---
+
+# Security Assessment: Unmonitored ADCS servers
+
+This article describes the security posture assessment report for unmonitored Active Directory Certificate Services (AD CS) servers by Microsoft Defender for Identity.
+
+
+## What risk do unmonitored ADCS servers pose to an organization?
+
+Unmonitored Active Directory Certificate Services (AD CS) servers pose a significant risk to your organization’s identity infrastructure. AD CS, the backbone of certificate issuance and trust, is a high-value target for attackers aiming to escalate privileges or forge credentials. Without proper monitoring, attackers can exploit these servers to issue unauthorized certificates, enabling stealthy lateral movement and persistent access. Deploy Microsoft Defender for Identity version 2.0 sensors on all AD CS servers to mitigate this risk. These sensors provide real-time visibility into suspicious activity, detect advanced threats, and generate actionable alerts based on security events and network behavior.
+
+> [!NOTE]
+>  This security assessment is available only if Microsoft Defender for Endpoint detects an eligible AD CS server in the environment.
+
+## How do I use this security assessment?
+
+1. Review the recommended action at https://security.microsoft.com/securescore?viewid=actions to discover which of your AD CS servers are unmonitored.
+
+    :::image type="content" source="media/unmonitored-adcs-servers/recommended-actions-unmonitored-active-directory-certificate-services-servers.png" alt-text="Screenshot that shows the recommended actions for an unmonitored AD CS server." lightbox="media/unmonitored-adcs-servers/recommended-actions-unmonitored-active-directory-certificate-services-servers.png":::
+
+1. Go to the **Microsoft Defender portal > Settings > Identities > Sensors**. You can view the already installed sensors in your environment and download the install package to deploy them on your remaining servers.
+1. Take appropriate action on those servers by [configuring monitoring sensors](/defender-for-identity/deploy/active-directory-federation-services).
+
+> [!NOTE]
+> Assessment details update in near real time. However, scores and statuses refresh every 24 hours. The list of impacted entities updates within a few minutes of implementing recommendations, but the overall status might take longer to show as Completed.
+
+## Next steps
+
+Learn more about [Microsoft Secure Score](/defender-xdr/microsoft-secure-score).

ATPDocs/media/unmonitored-adfs-server/recommended-actions-unmonitored-active-directory-federation-services-server.png

@@ -0,0 +1,38 @@
+---
+title: 'Security Assessment: Unmonitored ADFS servers'
+description: 'Identify unmonitored ADFS servers and deploy Defender for Identity sensors to reduce risk.'
+author: LiorShapiraa # GitHub alias
+ms.author: liorshapira
+ms.service: microsoft-defender-for-identity
+ms.topic: article
+ms.date:     07/06/2025
+ms.reviewer: LiorShapiraa
+---
+
+# Security Assessment: Unmonitored ADFS servers
+
+This article describes the Microsoft Defender for Identity's unmonitored Active Directory Federation Services (ADFS) servers security posture assessment report.
+
+## What risk do unmonitored ADFS servers pose to an organization?
+
+Unmonitored Active Directory Federation Services (ADFS) servers are a significant security risk to organizations. ADFS controls access to both cloud and on-premises resources as the gateway for federated authentication and single sign-on. If attackers compromise an ADFS server, they can issue forged tokens and impersonate any user, including privileged accounts. Such attacks might bypass multi-factor authentication (MFA), conditional access, and other downstream security controls, making them particularly dangerous. Without proper monitoring, suspicious activity on ADFS servers might go undetected for extended periods. Deploying Microsoft Defender for Identity version 2.0 sensors on ADFS servers is essential. These sensors enable real-time detection of suspicious behavior and help prevent token forgery, abuse of trust relationships, and stealthy lateral movement within the environment.
+
+> [!NOTE]
+> This security assessment is only available if Microsoft Defender for Endpoint detects an eligible ADFS server in the environment.
+
+
+## How do I use this security assessment?
+
+1. Review the recommended action at https://security.microsoft.com/securescore?viewid=actions to discover which of your ADFS servers are unmonitored.
+
+    :::image type="content" source="media/unmonitored-adfs-server/recommended-actions-unmonitored-active-directory-federation-services-server.png" alt-text="Screenshot that shows the recommended actions for an unmonitored ADFS server." lightbox="media/unmonitored-adfs-server/recommended-actions-unmonitored-active-directory-federation-services-server.png":::
+
+1. Go to the **Microsoft Defender portal > Settings > Identities > Sensors**. You can view the already installed sensors in your environment and download the install package to deploy them on your remaining servers.
+1. Take appropriate action on those servers by [configuring monitoring sensors](/defender-for-identity/deploy/active-directory-federation-services).
+
+> [!NOTE]
+> Assessment details are updated in near real time. However, scores and statuses are refreshed every 24 hours. The list of impacted entities is updated within a few minutes of implementing recommendations, but the overall status might take longer to show as Completed.
+
+## Next steps
+
+Learn more about [Microsoft Secure Score](/defender-xdr/microsoft-secure-score).

ATPDocs/media/unmonitored-entra-connect-servers/recommended-actions-unmonitored-entra-connect-server.png

@@ -0,0 +1,42 @@
+---
+title: 'Security Assessment: Unmonitored Microsoft Entra Connect servers'
+description: 'Detect unmonitored Microsoft Entra Connect servers and deploy Defender for Identity sensors to protect your hybrid identity infrastructure from privilege escalation.'
+author: LiorShapiraa # GitHub alias
+ms.author: liorshapira
+ms.service: microsoft-defender-for-identity
+ms.topic: article
+ms.date:     07/06/2025
+ms.reviewer: LiorShapiraa
+---
+
+
+# Security Assessment: Unmonitored Microsoft Entra Connect servers
+
+This article describes the Microsoft Defender for Identity's unmonitored Microsoft Entra Connect servers security posture assessment report.
+
+## What risk do unmonitored Microsoft Entra Connect servers pose to an organization? 
+
+Unmonitored Microsoft Entra Connect servers (formerly Azure AD Connect) pose a significant security risk in hybrid identity environments. These servers synchronize identities between on-premises Active Directory and Entra ID. They can introduce, modify, or remove accounts and attributes that directly affect cloud access.
+
+If an attacker compromises a Microsoft Entra Connect server, they can inject shadow admins, manipulate group memberships, or sync malicious changes into the cloud without triggering traditional alerts.
+
+These servers operate at the intersection of on-premises and cloud identity, making them a prime target for privilege escalation and stealthy persistence. Without monitoring, such attacks can go undetected. Deploying Microsoft Defender for Identity version 2.0 sensors on Microsoft Entra Connect servers is critical. These sensors help detect suspicious activity in real time, protect the integrity of your hybrid identity bridge, and prevent full-domain compromise from a single point of failure.
+
+> [!NOTE]
+> This security assessment is only available if Microsoft Defender for Endpoint detects eligible Microsoft Entra Connect servers in the environment.
+
+## How do I use this security assessment? 
+
+1. Review the recommended action at https://security.microsoft.com/securescore?viewid=actions to discover which of your Microsoft Entra Connect servers are unmonitored.
+
+    :::image type="content" source="media/unmonitored-entra-connect-servers/recommended-actions-unmonitored-entra-connect-server.png" alt-text="Screenshot that shows the recommended actions for an unmonitored Entra Connect server." lightbox="media/unmonitored-entra-connect-servers/recommended-actions-unmonitored-entra-connect-server.png":::
+
+1. Go to the **Microsoft Defender portal > Settings > Identities > Sensors**. You can view the already installed sensors in your environment and download the install package to deploy them on your remaining servers.
+1. Take appropriate action on those servers by [configuring monitoring sensors](/defender-for-identity/deploy/active-directory-federation-services).
+
+> [!NOTE]
+> Assessment details are updated in near real time. However, scores and statuses are refreshed every 24 hours. The list of impacted entities is updated within a few minutes of implementing recommendations, but the overall status might take longer to show as completed.
+
+## Next steps
+
+Learn more about [Microsoft Secure Score](/defender-xdr/microsoft-secure-score).

ATPDocs/toc.yml

@@ -23,8 +23,26 @@ For more information, see also:
 
 For updates about versions and features released six months ago or earlier, see the [What's new archive for Microsoft Defender for Identity](whats-new-archive.md).
 
-## June 2025
 
+## July 2025
+
+### New security posture assessments for unmonitored identity servers
+
+Microsoft Defender for Identity now includes three security posture assessments that detect when Microsoft Entra Connect, Active Directory Federation Services (ADFS), or Active Directory Certificate Services (ADCS) servers are present in your environment but aren't monitored.
+
+Use these assessments to improve monitoring coverage and strengthen your hybrid identity security posture.
+
+For more details, see:
+
+[Security Assessment: Unmonitored ADCS servers](unmonitored-active-directory-certificate-services-server.md)
+
+[Security Assessment: Unmonitored ADFS servers](unmonitored-active-directory-federation-services-servers.md)
+
+[Security Assessment: Unmonitored Entra Connect servers](unmonitored-entra-connect-servers.md)
+
+
+
+## June 2025
 
 ### Scoped access by Active Directory domain now supported (Preview)