Merge branch 'main' into mdav-release

Author: emmwalshh

CloudAppSecurityDocs/governance-actions.md

@@ -34,11 +34,11 @@ The following governance actions can be taken for connected apps either on a spe
     - **Apply label** - Ability to add a Microsoft Purview Information Protection sensitivity label.
     - **Remove label** - Ability to remove a Microsoft Purview Information Protection sensitivity label.
   - **Change sharing**
-
+  
     - **Remove public sharing** – Allow access only to named collaborators, for example: *Remove public access* for Google Workspace, and *Remove direct shared link* for Box and Dropbox.
 
-    - **Remove external users** – Allow access only to company users.
-
+    - **Remove external users** – Allow access only to company users. When a group, containing both internal and external members, is added as a collaborator, the action removes members at the group level instead of individually. 
+        
     - **Make private** – Only Site Admins can access the file, all shares are removed.
 
     - **Remove a collaborator** – Remove a specific collaborator from the file.
@@ -60,7 +60,7 @@ The following governance actions can be taken for connected apps either on a spe
   - **Trash** – Move the file to the trash folder. (Box, Dropbox, Google Drive, OneDrive, SharePoint, Cisco Webex)
 
    ![policy_create alerts.](media/policy_create-alerts.png)
-
+  
 ## Malware governance actions (Preview)
 
 The following governance actions can be taken for connected apps either on a specific file, user or from a specific policy. For security reasons, this list is limited only to malware related actions that don't imply risk for the user or the tenant.
@@ -104,7 +104,7 @@ The following governance actions can be taken for connected apps either on a spe
 
 - **Governance actions in apps** - Granular actions can be enforced per app, specific actions vary depending on app terminology.
 
-  - **Suspend user** – Suspend the user from the application.
+- **Suspend user** – Suspend the user from the application.
     > [!NOTE]
     > If your Microsoft Entra ID is set to automatically sync with the users in your Active Directory on-premises environment the settings in the on-premises environment will override the Microsoft Entra settings and this governance action will be reverted.
 
@@ -113,7 +113,7 @@ The following governance actions can be taken for connected apps either on a spe
   - **Confirm user compromised** - Set the user's risk level to high. This causes the relevant policy actions defined in Microsoft Entra ID to be enforced. For more information How Microsoft Entra ID works with risk levels, see [How does Microsoft Entra ID use my risk feedback](/azure/active-directory/identity-protection/howto-identity-protection-risk-feedback#how-does-azure-ad-use-my-risk-feedback).
 
   ![Defender for Cloud Apps activity policy governance actions.](media/activity-policy-ref6.png)
-
+  
 ## Revoke an OAuth app and notify user
 
 For Google Workspace and Salesforce, it's possible to revoke permission to an OAuth app or to notify the user that they should change the permission. When you revoke permission it removes all permissions that were granted to the application under "Enterprise Applications" in Microsoft Entra ID.

defender-xdr/before-you-begin-xdr.md

@@ -17,7 +17,7 @@ ms.custom:
 - cx-ti
 - cx-dex
 search.appverid: met150
-ms.date: 10/31/2024
+ms.date: 02/05/2025
 ---
 
 # Before you begin
@@ -55,7 +55,9 @@ Defender Experts for XDR also covers servers—whether on premises or on a hyper
 
 ### Ask Defender Experts
 
-As part of the service's built-in [Microsoft Defender Experts for Hunting](defender-experts-for-hunting.md), you're also assigned 10 **Ask Defender Experts** credits, which you can use to submit questions, at the start of each calendar quarter. Unused credits from the current quarter roll up to the next one. You can use up to 20 credits only per quarter. All unused credits expire by the end of the calendar year or at the end of your subscription term, whichever comes first.
+[Ask Defender Experts](experts-on-demand.md) is intended to provide a better understanding of complex threats affecting your organization. It focuses on products included in Microsoft Defender XDR (Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity). [See sample questions you can ask Defender Experts](experts-on-demand.md#sample-questions-you-can-ask-from-defender-experts).
+
+As part of the service's built-in [Microsoft Defender Experts for Hunting](defender-experts-for-hunting.md), customers are assigned 10 **Ask Defender Experts** credits, which you can use to submit questions, at the start of each calendar quarter. Unused credits from the current quarter roll up to the next one. You can use up to 20 credits only per quarter. All unused credits expire by the end of the calendar year or at the end of your subscription term, whichever comes first.
 
 [Learn more about Microsoft's commercial licensing terms](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA).
 

defender-xdr/dex-xdr-overview.md

@@ -17,7 +17,7 @@ ms.custom:
 - cx-ti
 - cx-dex
 search.appverid: met150
-ms.date: 10/30/2024
+ms.date: 02/05/2025
 ---
 
 # Microsoft Defender Experts for XDR
@@ -44,6 +44,7 @@ Apart from the constantly updated research and intelligence tailored for the thr
 
 - **Managed detection and response** - Expert analysts manage your Microsoft Defender XDR incident queue and handle triage and investigation on your behalf; they partner with you and your team to take action or guide you to respond to incidents
 - **Proactive threat hunting** - [Microsoft Defender Experts for Hunting](defender-experts-for-hunting.md) is built in to extend your team's threat hunting capabilities and prioritize significant threats
+- **Ask Defender Experts** - Select [Ask Defender Experts](experts-on-demand.md) in the Microsoft Defender portal to get expert advice about threats your organization is facing. You can ask for help on a specific incident, nation-state actor, or attack vector-related notifications
 - **Live dashboards and reports** - Transparent view of our operations on your behalf and noise free, actionable view into what matters for you coupled with detailed analytics
 - **Proactive check-ins for continuous security improvements** - Periodic check-ins with your named service delivery team to guide your Defender Experts for XDR experience and improve your security posture
 

exposure-management/initiatives-list.md

@@ -43,7 +43,11 @@ IoT devices are often connected to endpoints, to one another or to the internet,
 
 ## External Attack Surface Protection
 
-Microsoft Defender External Attack Surface Management (Defender EASM) continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. This visibility enables security and IT teams to identify unknowns, prioritize risk, eliminate threats, and extend vulnerability and exposure control beyond the firewall. Attack Surface Insights are generated by leveraging vulnerability and infrastructure data to showcase the key areas of concern for your organization. This initiative requires no license and is complementary.
+The External Attack Surface Initiative in Microsoft Security Exposure Management uses Defender EASM to continuously discover and map your digital attack surface, providing an external view of your online infrastructure. This helps security and IT teams identify unknown assets, prioritize risks, eliminate threats, and extend control beyond the firewall.
+
+> [!NOTE]
+>
+> This initiative provides high-level insights without a full connection to the MDEASM subscription and supports pre-built footprints only.
 
 [Learn more here.](https://aka.ms/xspm/EasmLearnMore)