Merge branch 'public' into patch-1

Author: denisebmsft

.openpublishing.redirection.defender-office-365.json

@@ -49,6 +49,16 @@
       "source_path": "defender-office-365/pilot-deploy-defender-office-365.md",
       "redirect_url": "/defender-xdr/pilot-deploy-defender-office-365",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-office-365/submissions-error-messages.md",
+      "redirect_url": "/defender-office-365/submissions-result-definitions",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-office-365/step-by-step-guides/deploy-and-configure-the-report-message-add-in.md",
+      "redirect_url": "/defender-office-365/submissions-outlook-report-messages",
+      "redirect_document_id": false
     }
   ]
 }

ATPDocs/deploy/activate-capabilities.md

@@ -7,20 +7,20 @@ ms.topic: how-to
 
 # Activate Microsoft Defender for Identity capabilities directly on a domain controller
 
-Microsoft Defender for Endpoint customers, who have already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using a [Microsoft Defender for Identity sensor](deploy-defender-identity.md).
+Microsoft Defender for Endpoint customers, who have already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using [Microsoft Defender for Identity classic sensor](deploy-defender-identity.md).
 
 This article describes how to activate and test Microsoft Defender for Identity capabilities on your domain controller.
 
 > [!IMPORTANT]
-> The new sensor is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor [here](https://learn.microsoft.com/defender-for-identity/deploy/quick-installation-guide)
+> The new Defender for Identity sensor (version 3.x) is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor [here](quick-installation-guide.md).
 
 ## Prerequisites
 
 Before activating the Defender for Identity capabilities on your domain controller, make sure that your environment complies with the prerequisites in this section.
 
 ### Defender for Identity sensor conflicts
 
-The configuration described in this article doesn't support side-by-side installation with an existing Defender for Identity sensor, and isn't recommended as a replacement for the Defender for Identity sensor.
+The configuration described in this article doesn't support side-by-side installation with an existing Defender for Identity sensor, and isn't recommended as a replacement for the Defender for Identity classic sensor.
 
 Make sure that the domain controller where you're planning to activate Defender for Identity capabilities doesn't have a [Defender for Identity sensor](deploy-defender-identity.md) deployed.
 
@@ -43,7 +43,7 @@ Your domain controller must be onboarded to Microsoft Defender for Endpoint.
 
 For more information, see [Onboard a Windows server](/microsoft-365/security/defender-endpoint/onboard-windows-server).
 
-### Required permissions
+### Permissions requirements 
 
 To access the Defender for Identity **Activation** page, you must either be a [Security Administrator](/entra/identity/role-based-access-control/permissions-reference), or have the following Unified RBAC permissions:
 
@@ -80,15 +80,31 @@ Set-MDIConfiguration -Mode Domain -Configuration All
 
 ## Activate Defender for Identity capabilities
 
-After ensuring that your environment is completely configured, activate the  Microsoft Defender for Identity capabilities on your domain controller.
+After ensuring that your environment is completely configured, activate the Microsoft Defender for Identity capabilities on your domain controller.
 
-1. In the [Defender portal](https://security.microsoft.com), select **Settings > Identities > [Activation](https://security.microsoft.com/settings/identities?tabid=onboarding)**.
+Activate the Defender for Identity from the [Microsoft Defender portal](https://security.microsoft.com).
 
-    The **Activation** page lists any detected and eligible domain controllers.
+1. Navigate to **System** > **Settings** > **Identities** > **Activation**.
 
-1. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted.
+   The Activation page lists servers discovered in Device Inventory and identified as eligible domain controllers. 
 
-When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.
+2. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
+
+    > [!NOTE]
+    > You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they're discovered, or manually, where you select specific domain controllers from the list of eligible servers.
+
+3. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.
+
+## Onboarding Confirmation 
+
+To confirm the sensor has been onboarded: 
+
+1. Navigate to **System** > **Settings** > **Identities** > **Sensors**. 
+
+2. Check that the onboarded domain controller is listed. 
+
+> [!NOTE]
+>  The activation doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
 
 ## Test activated capabilities
 
@@ -106,9 +122,9 @@ Use the following procedures to test your environment for Defender for Identity
 
 ### Check the ITDR dashboard
 
-In the Defender portal, select **Identities > Dashboard** and review the details shown, checking for expected results from your environment.
+In the Defender portal, select **Identities** > **Dashboard**, and review the details shown, checking for expected results from your environment.
 
-For more information, see [Work with Defender for Identity's ITDR dashboard (Preview)](../dashboard.md).
+For more information, see [Work with Defender for Identity's ITDR dashboard](../dashboard.md).
 
 
 ### Confirm entity page details
@@ -193,10 +209,6 @@ Test remediation actions on a test user. For example:
 
 1. Check Active Directory for the expected activity.
 
-> [!NOTE]
-> The current version doesn't collect the User Account Control (UAC) flags correctly. So disabled users, would still appear as Enabled in the portal.
-
-
 For more information, see [Remediation actions in Microsoft Defender for Identity](../remediation-actions.md).
 
 ## Deactivate Defender for Identity capabilities on your domain controller

ATPDocs/deploy/media/activate-capabilities/1.png

@@ -22,6 +22,13 @@ For more information, see also:
 
 For updates about versions and features released six months ago or earlier, see the [What's new archive for Microsoft Defender for Identity](whats-new-archive.md).
 
+## March 2025
+
+### New LDAP query events added to the IdentityQueryEvents table in Advanced Hunting
+New LDAP query events will be added by March 6th to the `IdentityQueryEvents` table in Advanced Hunting to provide more visibility into additional LDAP search queries running in the customer environment.
+This update may lead to an increase in activity within the Advanced Hunting IdentityQueryEvents table for LDAP queries. If you have custom detections related to these queries, you may see a higher number of triggered alerts.
+We recommend that you review your existing custom detections to ensure they align with your objectives. If needed, you can adjust your query accordingly.
+
 ## February 2025
 
 ### DefenderForIdentity PowerShell module updates (version 1.0.0.3)
@@ -67,6 +74,12 @@ We have added and updated the following events in the `IdentityDirectoryEvents`
 
 Additionally, the **built-in schema reference** for Advanced Hunting in Microsoft Defender XDR has been updated to include detailed information on all supported event types (**`ActionType`** values) in identity-related tables, ensuring complete visibility into available events. For more information, see [Advanced hunting schema details](/defender-xdr/advanced-hunting-schema-tables).
 
+## January 2025
+
+### New Identity guide tour
+
+Explore key MDI features with the new **Identities Tour** in the M365 portal. Navigate Incidents, Hunting, and Settings to enhance identity security and threat investigation.
+
 ## December 2024
 
 ### New security posture assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)

ATPDocs/deploy/media/activate-capabilities/2.png

@@ -25,10 +25,10 @@ Microsoft Defender for Cloud Apps is a security tool and therefore doesn't requi
 
 Microsoft Defender for Cloud Apps depends on the following Microsoft Entra ID applications to function properly. Do not disable these applications in Microsoft Entra ID:
 
-- Microsoft Defender for Cloud Apps - APIs
-- Microsoft Defender for Cloud Apps - Customer Experience
-- Microsoft Defender for Cloud Apps - Information Protection
-- Microsoft Defender for Cloud Apps - MIP Server
+- Microsoft Defender for Cloud Apps - APIs (ID: 972bb84a-1d27-4bd3-8306-6b8e57679e8c)
+- Microsoft Defender for Cloud Apps - Customer Experience (ID: 9ba4f733-be8f-4112-9c4a-e3b417c44e7d)
+- Microsoft Defender for Cloud Apps - Information Protection (ID: ac6dbf5e-1087-4434-beb2-0ebf7bd1b883)
+- Microsoft Defender for Cloud Apps - MIP Server (ID: 0858ddce-8fca-4479-929b-4504feeed95e)
 
 ## Access Defender for Cloud Apps
 

ATPDocs/deploy/media/activate-capabilities/3.png

@@ -11,8 +11,6 @@ ms.topic: how-to
 
 Zoom is an online video conferencing and collaboration tool. Zoom holds critical data of your organization, and this makes it a target for malicious actors.
 
-Connecting Zoom to Defender for Cloud Apps gives you improved insights into your users' activities and provides threat detection using machine learning based anomaly detections.
-
 [!INCLUDE [security-posture-management-connector](includes/security-posture-management-connector.md)]
 
 ## SaaS security posture management

ATPDocs/whats-new.md

@@ -21,6 +21,18 @@ For news about earlier releases, see [Archive of past updates for Microsoft Defe
 
 ## February 2025
 
+### Enhanced Visibility into OAuth Apps Connected to Microsoft 365 - General Availability
+
+Defender for Cloud Apps users who use app governance will be able to gain visibility into the origin of OAuth apps connected to Microsoft 365. You can filter and monitor apps that have external origins, to proactively review such apps and improve the security posture of the organization. 
+
+The new *Permissions filter and export capabilities allow you to quickly identify apps with specific permissions to access Microsoft 365.
+
+You can now get granular insights into data accessed by apps using legacy EWS API alongside Microsoft Graph. The enhanced coverage of data usage insights enable you to get deeper visibility into apps accessing emails using legacy EWS API.
+
+We're also expanding the coverage of privilege level feature for all popular Microsoft first-party API permissions. The enhanced coverage of privilege level classification enables you to view and monitor apps with powerful permissions into legacy and other non-Graph APIs that have access to Microsoft 365. 
+
+For more information, see [detailed insights into OAuth apps](/defender-cloud-apps/app-governance-visibility-insights-view-apps#getting-detailed-information-on-an-app).
+
 ### Enhanced alert source accuracy
 
 Microsoft Defender for Cloud Apps is enhancing its alert sources to deliver more precise information. This update, applicable to new alerts only, will be reflected across various experiences and APIs, including the Defender XDR portal, Advanced hunting, and Graph API.   
@@ -32,7 +44,11 @@ To learn more about the Graph API alert resource: [alert resource type - Microso
 
 ### Network requirement updates
 
-Microsoft Defender for Cloud Apps has improved its security and performance. Network information in firewalls and additional third-party services must be updated to comply with the new standards. To ensure uninterrupted access to our services you must apply these changes by March 16, 2025.
+Microsoft Defender for Cloud Apps has improved its security and performance. Network information in firewalls and additional third-party services must be updated to comply with the new standards. To ensure uninterrupted access to our portals and services you must apply these changes by March 27, 2025.
+
+New CDN domains have been added and must be included in firewall rules to allow outbound traffic on port 443:
+- cdn.cloudappsecurity.com
+- cdn-discovery.cloudappsecurity.com
 
 To connect to third-party apps and enable Defender for Cloud Apps, use the following IP addresses:
 

CloudAppSecurityDocs/get-started.md

@@ -9,7 +9,7 @@ audience: Admin
 ms.topic: overview
 ms.service: defender-business
 ms.localizationpriority: medium
-ms.date: 06/07/2024
+ms.date: 02/28/2025
 ms.reviewer: efratka
 f1.keywords: NOCSH
 ms.collection:
@@ -35,12 +35,30 @@ Sections include:
 
 To get Defender for Business, you can choose from several options:
 
+- Work with a Microsoft partner who can help you get everything set up and configured.
 - Try or buy the standalone version of Defender for Business.
 - Get Microsoft 365 Business Premium, which includes Defender for Business.
-- Work with a Microsoft partner who can help you get everything set up and configured.
 
 Use the following tabs to learn more about each option.
 
+## [Work with a Microsoft partner](#tab/findpartner)
+
+Microsoft has a list of solution providers who are authorized to sell offerings, including Microsoft 365 Business Premium and Microsoft Defender for Business. If you'd prefer to work with a Microsoft partner, you can follow these steps to find a solution provider in your area:
+
+1. Go to [Browse Partners](https://appsource.microsoft.com/en-us/marketplace/partner-dir).
+
+2. In the **Filters** pane, specify search criteria, such as:
+
+   - Your location
+   - Your organization's size
+   - **Focus areas**, such as **Security** and/or **Threat Protection**
+
+   - **Services**, such as **Licensing** or **Managed Services (MSP)**
+
+   As soon as you select one or more criteria, the list of partners updates.
+
+3. Review the list of results. Select a provider to learn more about their expertise and the services they provide.
+
 ## [Get Defender for Business (standalone)](#tab/getmdb)
 
 Defender for Business provides advanced security protection for your company's devices. For more information, see [What is Microsoft Defender for Business](mdb-overview.md)?
@@ -77,24 +95,6 @@ Microsoft 365 Business Premium includes Defender for Business, Microsoft Defende
 > [!IMPORTANT]
 > Make sure to complete all the steps described in [Microsoft 365 Business Premium – productivity and cybersecurity for small business](/Microsoft-365/business-premium/m365bp-overview).
 
-## [Work with a Microsoft partner](#tab/findpartner)
-
-Microsoft has a list of solution providers who are authorized to sell offerings, including Microsoft 365 Business Premium and Microsoft Defender for Business. If you'd prefer to work with a Microsoft partner, you can follow these steps to find a solution provider in your area:
-
-1. Go to the [Browse Partners](https://appsource.microsoft.com/en-us/marketplace/partner-dir).
-
-2. In the **Filters** pane, specify search criteria, such as:
-
-   - Your location
-   - Your organization's size
-   - **Focus areas**, such as **Security** and/or **Threat Protection**
-
-   - **Services**, such as **Licensing** or **Managed Services (MSP)**
-
-   As soon as you select one or more criteria, the list of partners updates.
-
-3. Review the list of results. Select a provider to learn more about their expertise and the services they provide.
-
 ---
 
 ## How to get Microsoft Defender for Business servers
@@ -113,7 +113,7 @@ Microsoft Defender for Business servers is an add-on to Defender for Business th
 >
 > - In order to add on Microsoft Defender for Business servers, you'll need at least one paid license for [Defender for Business](mdb-overview.md) (standalone) or [Microsoft 365 Business Premium](/Microsoft-365/business-premium/m365bp-overview).
 > - There's a limit of 60 Microsoft Defender for Business servers licenses per subscription to Microsoft 365 Business Premium or Defender for Business.
-> - If preferred, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers) instead to onboard your servers. To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions)?
+> - If preferred, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers) instead to onboard your servers. 
 
 ## Portals you use for setup and management