Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into WI451232-okta-public-preview-unified-connector

Author: DeCohen

.openpublishing.redirection.defender-xdr.json

@@ -1,10 +1,5 @@
 {
   "redirections": [
-    {
-      "source_path": "microsoft-365/security/defender/advanced-hunting-IdentityEvents-table.md",
-      "redirect_url": "/defender-xdr/advanced-hunting-identityevents-table",
-      "redirect_document_id": false
-    },
     {
       "source_path": "defender-xdr/microsoft-365-security-center-defender-cloud-apps.md",
       "redirect_url": "/defender-cloud-apps/microsoft-365-security-center-defender-cloud-apps",

ATPDocs/media/okta-integration/remove-inactive-service-accounts.png

@@ -0,0 +1,46 @@
+---
+title: 'Security Assessment: Remove Inactive Service Account (Preview)'
+description: Learn how to identify and address inactive Active Directory service accounts to mitigate security risks and improve your organization's security posture.
+ms.date: 08/17/2025
+ms.topic: how-to
+#customer intent: As a security administrator, I want to improve security posture in my organization by removing inactive service accounts
+---
+
+# Security Assessment: Remove Inactive Service Accounts (Preview)
+
+This recommendation lists Active Directory service accounts detected as inactive (stale) within the past 180 days. 
+
+## Why do inactive service accounts pose a risk?
+
+Unused service accounts create significant security risks, as some of them can carry elevated privileges. If attackers gain access, the result can be substantial damage. Dormant service accounts might retain high or legacy permissions. When compromised, they provide attackers with discreet entry points into critical systems, granting far more access than a standard user account.
+
+This exposure creates several risks:
+
+- Unauthorized access to sensitive applications and data.
+
+- Lateral movement across the network without detection.
+
+
+## How do I use this security assessment to improve my organizational security posture? 
+
+To use this security assessment effectively, follow these steps:
+
+1. Review the recommended action at [https://security.microsoft.com/securescore?viewid=actions ](https://security.microsoft.com/securescore?viewid=actions ) for Remove inactive service account.
+1. Review the list of exposed entities to discover which of your service account is inactive.
+
+    :::image type="content" source="media/okta-integration/remove-inactive-service-accounts.png" alt-text="Screenshot that shows the recommendation action to remove inactive service accounts." lightbox="media/okta-integration/remove-inactive-service-accounts.png":::
+
+1. Take appropriate actions on those entities by removing the service account. For example:
+
+    - **Disable the account:** Prevent any usage by disabling the account identified as exposed.
+
+    - **Monitor for impact:** Wait several weeks and monitor for operational issues, such as service disruptions or errors.
+
+    - **Delete the account:** If no issues are observed, delete the account and fully remove its access.
+
+> [!NOTE]
+> Assessments are updated in near real time, and scores and statuses are updated every 24 hours. The list of impacted entities is updated within a few minutes of your implementing the recommendations. The status might take time until it's marked as **Completed**.
+
+## Related articles
+
+- [Learn more about Microsoft Secure Score](/defender-xdr/microsoft-secure-score)

ATPDocs/remove-inactive-service-account.md

@@ -255,10 +255,12 @@ items:
            href: security-assessment-clear-text.md
          - name: LAPS usage assessment
            href: security-assessment-laps.md
-         - name: Riskiest lateral movement paths
-           href: security-assessment-riskiest-lmp.md
          - name: Remove discoverable passwords in Active Directory account attributes
            href: remove-discoverable-passwords-active-directory-account-attributes.md
+         - name: Remove inactive service accounts
+           href: remove-inactive-service-account.md
+         - name: Riskiest lateral movement paths
+           href: security-assessment-riskiest-lmp.md
          - name: Unsecure Kerberos delegation assessment
            href: security-assessment-unconstrained-kerberos.md
          - name: Unsecure SID History attributes

ATPDocs/toc.yml

@@ -32,7 +32,27 @@ Microsoft Defender for Identity supports the [Unified connectors](/azure/sentine
 For more information see: [Connect Okta to Microsoft Defender for Identity (Preview)](okta-integration.md)
 
 
-## New security posture assessment: Remove discoverable passwords in Active Directory account attributes (Preview)
+### New security assessment: Remove inactive service accounts (Preview)
+
+Microsoft Defender for Identity now includes a new security assessment that helps you identify and remove inactive service accounts in your organization. This assessment lists Active Directory service accounts that have been inactive (stale) for the past 180 days, to help you mitigate security risks associated with unused accounts.
+
+For more information, see: [Security Assessment: Remove Inactive Service Accounts (Preview)](remove-inactive-service-account.md)
+
+### New Graph based API for response actions (preview) 
+
+We’re excited to announce a new Graph-based API for initiating and managing remediation actions in Microsoft Defender for Identity.
+
+This capability is currently in preview and available in API Beta version.
+
+For more information, see [Managing response actions through Graph API](/graph/api/resources/security-identityaccounts?view=graph-rest-beta&preserve-view=true).
+
+### Identity scoping is now generally available (GA)
+
+Identity scoping is now generally available across all environments. Organizations can now define and refine the scope of MDI monitoring and gain granular control over which entities and resources are included in security analysis.
+
+For more information, see [Configure scoped access for Microsoft Defender for Identity](configure-scoped-access.md).
+
+### New security posture assessment: Remove discoverable passwords in Active Directory account attributes (Preview)
 
 The new security posture assessment highlights unsecured Active Directory attributes that contain passwords or credential clues and recommends steps to remove them, helping reduce the risk of identity compromise.
 
@@ -53,11 +73,11 @@ Improved detection logic to include scenarios where accounts were locked during
 
 ## July 2025
 
-**Expanded coverage in ITDR deployment health widget**
+### Expanded coverage in ITDR deployment health widget
 
 The Identity Threat Detection and Response (ITDR) deployment health widget now provides visibility into the deployment status of additional server types. Previously, it only reflected the status for Active Directory domain controllers. With this update, the widget also includes deployment status for ADFS, ADCS, and Microsoft Entra Connect servers - making it easier to track and ensure full sensor coverage across all supported identity infrastructure.
 
-**Time limit added to Recommended test mode**
+### Time limit added to Recommended test mode
 
 Recommended test mode configuration on the [Adjust alert thresholds page](/defender-for-identity/advanced-settings), now requires you to set an expiration time (up to 60 days) when enabling it. The end time is shown next to the toggle while test mode is active. For customers who already have Recommended test mode enabled, a 60-day expiration is automatically applied.
 

ATPDocs/whats-new.md

@@ -8,7 +8,6 @@ ms.topic: how-to
 # How to investigate anomaly detection alerts
 
 
-
 Microsoft Defender for Cloud Apps provides security detections and alerts for malicious activities. The purpose of this guide is to provide you with general and practical information on each alert, to help with your investigation and remediation tasks. Included in this guide is general information about the conditions for triggering alerts. However, it's important to note that since anomaly detections are nondeterministic by nature, they're only triggered when there's behavior that deviates from the norm. Finally, some alerts might be in preview, so regularly review the official documentation for updated alert status.
 
 > [!IMPORTANT]

CloudAppSecurityDocs/investigate-anomaly-alerts.md

@@ -55,7 +55,7 @@ You can use the following built-in policy templates to detect and notify you abo
 
 | Type | Name |
 | ---- | ---- |
-| Built-in anomaly detection policy | [Activity from anonymous IP addresses](anomaly-detection-policy.md#activity-from-anonymous-ip-addresses)<br />[Activity from infrequent country](anomaly-detection-policy.md#activity-from-infrequent-country)<br />[Activity from suspicious IP addresses](anomaly-detection-policy.md#activity-from-suspicious-ip-addresses)<br />[Impossible travel](anomaly-detection-policy.md#impossible-travel)<br />[Activity performed by terminated user](anomaly-detection-policy.md#activity-performed-by-terminated-user) (requires Microsoft Entra ID as IdP)<br />[Multiple failed login attempts](anomaly-detection-policy.md#multiple-failed-login-attempts)<br />[Unusual administrative activities](anomaly-detection-policy.md#unusual-activities-by-user)<br />[Unusual file deletion activities](anomaly-detection-policy.md#unusual-activities-by-user)<br />[Unusual file share activities](anomaly-detection-policy.md#unusual-activities-by-user)<br />[Unusual impersonated activities](anomaly-detection-policy.md#unusual-activities-by-user)<br />[Unusual multiple file download activities](anomaly-detection-policy.md#unusual-activities-by-user) |
+| Built-in anomaly detection policy | [Activity from anonymous IP addresses](anomaly-detection-policy.md#activity-from-anonymous-ip-addresses)<br />[Activity from infrequent country](anomaly-detection-policy.md#activity-from-infrequent-country)<br />[Activity from suspicious IP addresses](anomaly-detection-policy.md#activity-from-suspicious-ip-addresses)<br />[Impossible travel](anomaly-detection-policy.md#impossible-travel)<br />[Activity performed by terminated user](anomaly-detection-policy.md#activity-performed-by-terminated-user) (requires Microsoft Entra ID as IdP)<br />[Multiple failed login attempts](anomaly-detection-policy.md#multiple-failed-login-attempts)<br />[Unusual administrative activities](anomaly-detection-policy.md#unusual-activities-by-user)<br />[Unusual file deletion activities](anomaly-detection-policy.md#unusual-activities-by-user) (Temporarily not supported due to limitation in Salesforce API)<br />[Unusual file share activities](anomaly-detection-policy.md#unusual-activities-by-user)<br />[Unusual impersonated activities](anomaly-detection-policy.md#unusual-activities-by-user)<br />[Unusual multiple file download activities](anomaly-detection-policy.md#unusual-activities-by-user) |
 | Activity policy template | Logon from a risky IP address<br />Mass download by a single user|
 | File policy template | Detect a file shared with an unauthorized domain<br />Detect a file shared with personal email addresses|
 

CloudAppSecurityDocs/protect-salesforce.md

@@ -267,6 +267,8 @@
               items:
               - name: Installer script based deployment
                 href: linux-installer-script.md
+              - name: Enabling deployment to a custom location
+                href: linux-custom-location-installation.md
               - name: Ansible based deployment
                 href: linux-install-with-ansible.md
               - name: Chef based deployment

defender-endpoint/TOC.yml

@@ -16,7 +16,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 12/18/2020
+ms.date: 08/18/2025
 ---
 
 # Advanced hunting API
@@ -105,13 +105,11 @@ POST https://api.securitycenter.microsoft.com/api/advancedqueries/run
 ```
 
 ```json
+
 {
-    "Query":"DeviceProcessEvents
-|where InitiatingProcessFileName =~ 'powershell.exe'
-|where ProcessCommandLine contains 'appdata'
-|project Timestamp, FileName, InitiatingProcessFileName, DeviceId
-|limit 2"
+    "Query":"DeviceProcessEvents |where InitiatingProcessFileName =~ 'powershell.exe' |where ProcessCommandLine contains 'appdata'|project Timestamp, FileName, InitiatingProcessFileName, DeviceId|limit 2"
 }
+
 ```
 
 ### Response example