Merge branch 'main' into WI408602-reshuffle-connector-articles-in-mda-toc

Author: DeCohen

.github/workflows/StaleBranch.yml

@@ -0,0 +1,25 @@
+name: (Scheduled) Stale branch removal
+
+permissions:
+  contents: write
+      
+on:
+  schedule:
+    - cron: "0 */12 * * *"
+
+  workflow_dispatch:
+  
+
+jobs:
+
+  stale-branch:
+    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-StaleBranch.yml@workflows-prod
+    with:
+        PayloadJson: ${{ toJSON(github) }}
+        RepoBranchSkipList: '[
+                              "ExampleBranch1",
+                              "ExampleBranch2"
+                             ]'
+        ReportOnly: true
+    secrets:
+        AccessToken: ${{ secrets.GITHUB_TOKEN }}

.openpublishing.redirection.defender-endpoint.json

@@ -94,6 +94,21 @@
       "source_path": "defender-endpoint/monthly-security-summary-report.md",
       "redirect_url": "/defender-endpoint/threat-protection-reports#monthly-security-summary",
       "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-endpoint/run-analyzer-macos-linux.md",
+      "redirect_url": "/defender-endpoint/overview-client-analyzer",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-endpoint/download-client-analyzer.md",
+      "redirect_url": "/defender-endpoint/overview-client-analyzer",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-endpoint/comprehensive-guidance-on-linux-deployment.md",
+      "redirect_url": "/defender-endpoint/linux-installer-script",
+      "redirect_document_id": true
     }    
   ]
 }

.openpublishing.redirection.defender-xdr.json

@@ -309,6 +309,11 @@
       "source_path": "defender-xdr/microsoft-365-defender-integration-with-azure-sentinel.md",
       "redirect_url": "/azure/sentinel/microsoft-365-defender-sentinel-integration",
       "redirect_document_id": false
-    }                                            
+    },
+    {
+      "source_path": "defender-xdr/microsoft-365-security-center-defender-cloud.md",
+      "redirect_url": "/azure/defender-for-cloud/concept-integration-365",
+      "redirect_document_id": false
+    }                                                
   ]
 }

ATPDocs/identity-inventory.md

@@ -0,0 +1,133 @@
+---
+# Required metadata
+# For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main
+# For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main
+
+title: Identity inventory
+description: The Identity Inventory provides a centralized location for customers to view and manage identity information across their environment, ensuring optimal visibility and a comprehensive experience. The updated Identities Inventory page, located under Assets in Defender XDR portal
+author:      LiorShapiraa # GitHub alias
+ms.author: liorshapira
+ms.service: microsoft-defender-for-identity
+ms.topic: article
+ms.date:     03/13/2025
+---
+
+# Identity inventory
+
+__Applies to:__
+
+- [Microsoft Defender for Identity](https://aka.ms/aatp/docs)
+
+- [Microsoft Defender for Cloud Apps](/defender-cloud-apps/)
+
+- [Microsoft Defender XDR](/defender-xdr)
+
+The __Identity inventory__ provides a centralized view of all identities in your organization, enabling you to monitor and manage them efficiently. At a glance, you can see key details such as Domain, Tags, Type, and other attributes, helping you quickly identify and manage identities that require attention.
+
+The Identities inventory page includes the following tabs:
+
+- **Identities**: A consolidated view of identities across Active Directory, Entra ID. This Identities tab highlights key details, including identity types, and user's information.
+
+- **Cloud application accounts:** Displays a list of cloud application accounts, including those from application connectors and third-party sources (original available in the previous version based on Microsoft Defender for Cloud Apps). Learn more about [Cloud application accounts from connected apps.](/defender-cloud-apps/accounts) 
+
+There are several options you can choose from to customize the identities list view. On the top navigation you can:
+
+- Add or remove columns.
+
+- Apply filters.
+
+- Search for an identity by name or full UPN, Sid and Object ID. 
+
+- Export the list to a CSV file.
+
+- Copy list link with the included filters configured. 
+
+## ![A screenshot of identity inventory page.](media/identity-inventory/inventory11.png)  
+
+### Identity details 
+
+The **Identities** list offers a consolidated view of identities across Active Directory and Entra ID. It highlights key details, including the following columns by default:
+
+- __Display name__ – The full name of the identity as shown in the directory.
+
+- __SID__ – The Security Identifier, a unique value used to identify the identity in Active Directory.
+
+- __Domain__ – The Active Directory domain to which the identity belongs.
+
+- __Object ID__ – A unique identifier for the identity in Entra ID.
+
+- __Source__ – Indicates whether the identity is on-premises (originate from Active Directory), Cloud only (Entra ID) or Hybrid (synced from AD to Entra ID).
+
+- __Type__ – Specifies if the identity is a user account or service account.
+
+- __UPN (User Principal Name)__ – The unique login name of the identity in an email-like format.
+
+- __Tags__ – Custom labels that help categorize or classify identities: Sensitive and Honeytoken.
+
+- __Created time__ – The timestamp when the identity was first created.
+
+- __Criticality level__ – Indicates the critical level of the identity.
+
+- __Account status__ – Shows whether the identity is enabled or disabled.
+
+- __Last updated__ – The timestamp of the most recent update to the identity's attributes in Active Directory.
+
+Non-default columns: Email and Entra ID risk level.  
+
+> [!TIP]
+> To see all columns, you likely need to do one or more of the following steps:
+> - Horizontally scroll in your web browser.
+> - Narrow the width of appropriate columns.
+> - Zoom out in your web browser.
+
+### Sort and filter the Identities list
+
+You can apply the following filters to limit the list of identities and get a more focused view:
+
+- Domain
+
+- Type
+
+- Source
+
+- Tags
+
+- Criticality level
+
+- Account status
+
+Sort option applies to Display name, Domain and Created time columns.
+
+### Identity inventory insights 
+
+- The __Classify critical assets__ card allows you to define identity groups as business critical. For more information, see [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management). 
+
+- **Highly privileged identities** card helps you investigate in Advanced hunting all sensitive accounts in your organization, including Entra ID security administrators and Global admin users.
+
+- **Critical Active Directory service accounts** card helps you quickly identify all Active Directory accounts designated as critical, making it easier to focus on identities most at risk.
+
+At the top of each device inventory tab, the following device counts are available:
+
+- __Total__: The total number of identities. 
+
+- __Critical:__ The number of your critical assets. 
+
+- **Disabled:** The number of all disabled identities in your organization. 
+
+- **Services:** The number of all service accounts both on-premises and cloud.
+
+You can use this information to help you prioritize devices for security posture improvements.
+
+### Navigate to the Identity inventory page
+
+Use relative links instead of absolute links. 
+In the Defender XDR portal at [https://security.microsoft.com](https://security.microsoft.com), go to Assets > Identities. Or, to navigate directly to the [identity inventory](/defender-for-identity/identity-inventory) page.
+
+### Related Articles
+
+- [Investigate cloud application accounts](/defender-cloud-apps/accounts)
+
+- [Investigate users in Microsoft Defender XDR](/defender-xdr/investigate-users) 
+
+- [Investigate assets in Microsoft Defender for Identity](/defender-for-identity/investigate-assets)
+

ATPDocs/manage-security-alerts.md

@@ -8,7 +8,7 @@ ms.topic: how-to
 # Investigate Defender for Identity security alerts in Microsoft Defender XDR
 
 > [!NOTE]
-> Defender for Identity is not designed to serve as an auditing or logging solution that captures every single operation or activity on the servers where the sensor is installed. It only captures the data required for its detection and recommendation mechanisms.
+> Defender for Identity isn't designed to serve as an auditing or logging solution that captures every single operation or activity on the servers where the sensor is installed. It only captures the data required for its detection and recommendation mechanisms.
 
 This article explains the basics of how to work with Microsoft Defender for Identity security alerts in [Microsoft Defender XDR](/microsoft-365/security/defender/overview-security-center).
 
@@ -87,7 +87,7 @@ On the right pane, you'll see the **Alert details**. Here you can see more detai
     You can also export the alert to an Excel file. To do this, select **Export.**
 
     > [!NOTE]
-    > In the Excel file, you now have two links available: **View in Microsoft Defender for Identity** and **View in Microsoft Defender XDR**. Each link will bring you to the relevant portal, and provide information about the alert there.
+    > Alert export option is limited to Microsoft Defender for Identity Alerts with the "aa" prefix, for more information refer to [XDR Alert Sources](https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources).
 
 ## Tuning alerts
 

ATPDocs/media/identity-inventory/inventory.png

@@ -0,0 +1,44 @@
+---
+title:       'Security assessment: Replace Enterprise or Domain Admin account for Entra Connect AD DS Connector account'
+description: 'This report lists any Entra Connect AD DS Connector account that is an Enterprise Administrator or Domain Administrator.'
+author:      LiorShapiraa # GitHub alias
+ms.author:   Liorshapira # Microsoft alias
+# ms.prod:   microsoft-defender-for-identity
+ms.topic:    article
+ms.date:     03/16/2025
+---
+
+# Security assessment: Replace Enterprise or Domain Admin account for Entra Connect AD DS Connector account
+
+This article describes Microsoft Defender for Identity's Microsoft Entra Connect AD DS Connector account default admin security posture assessment report.
+
+> [!NOTE]
+> This security assessment will be available only if Microsoft Defender for Identity sensor is installed on servers running Microsoft Entra Connect services.
+
+## Why might using an Enterprise or Domain Admin account for the Microsoft Entra Connect AD DS Connector be a risk?
+
+Smart attackers often target Microsoft Entra Connect in on-premises environments due to the elevated privileges associated with its AD DS Connector account (typically created in Active Directory with the MSOL_ prefix). Using an **Enterprise Admin** or **Domain Admin** account for this purpose significantly increases the attack surface, as these accounts have broad control over the directory.
+
+Starting with [Entra Connect build 1.4.###.#](/entra/identity/hybrid/connect/reference-connect-accounts-permissions), Enterprise Admin and Domain Admin accounts can no longer be used as the AD DS Connector account. This best practice prevents over-privileging the connector account, reducing the risk of domain-wide compromise if the account is targeted by attackers. Organizations must now create or assign a lower-privileged account specifically for directory synchronization, ensuring better adherence to the principle of least privilege and protecting critical admin accounts.
+
+## How do I use this security assessment to improve my hybrid organizational security posture?
+
+1. Review the recommended action at[ https://security.microsoft.com/securescore?viewid=actions](https://security.microsoft.com/securescore?viewid=actions) for Replace Enterprise or Domain Admin account for Entra Connect AD DS Connector account.
+
+1. Review the exposed accounts and their group memberships. The list contains members of Domain/Enterprise Admins through direct and recursive membership.
+
+1. Perform one of the following actions:
+
+   - Remove MSOL_ user account user from privileged groups, ensuring it retains the necessary permissions to function as the Entra Connect Connector account.
+   
+   - Change the Entra Connect AD DS Connector account (MSOL_) to a lower-privileged account. 
+   
+> [!NOTE]
+> While assessments are updated in near real time, scores and statuses are updated every 24 hours. While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as **Completed**.
+
+## Next steps
+
+- Learn more about [Microsoft Secure score]().
+
+- Learn more about [Defender for Identity Sensor for Microsoft Entra Connect](https://aka.ms/MdiSensorForMicrosoftEntraConnectInstallation)
+

ATPDocs/media/identity-inventory/inventory11.png

@@ -38,24 +38,30 @@ Defender for Identity security posture assessments have five key categories. Eac
 ## Access Defender for Identity security posture assessments
 
 > [!NOTE]
-You must have a Defender for Identity license to view Defender for Identity security posture assessments in Microsoft Secure Score.
-While *certificate template* assessments are available to all customers with AD CS installed in their environment, *certificate authority* assessments are available only to customers who have installed a sensor on an AD CS server. For more information, see [Configuring sensors for AD FS and AD CS](deploy/active-directory-federation-services.md).
+> You must have a Defender for Identity license to view Defender for Identity security posture assessments in Microsoft Secure Score.
+> 
+> Additionally, while *certificate template* assessments are available to all customers with AD CS installed in their environment, *certificate authority* assessments are available only to customers who have installed a sensor on an AD CS server.   
+>
+> Hybrid security recommendations will be available only if Microsoft Defender for Identity sensor is installed on servers running Microsoft Entra Connect services.  
+>
+> For more information, see [Configuring sensors for AD FS, AD CS and Entra Connect.](https://aka.ms/DeployMdiSensorOnYourIdentityInfrastructure)
 
 **To access identity security posture assessments**:
 
 1. Open the [Microsoft Secure Score dashboard](https://security.microsoft.com/securescore).
 1. Select the **Recommended actions** tab. You can search for a particular recommended action, or filter the results (for example, by the category **Identity**).
 
     [![Recommended actions.](media/recommended-actions.png)](media/recommended-actions.png#lightbox)
-
+   
 1. For more details, select the assessment.
 
     [![Select the assessment.](media/select-assessment.png)](media/select-assessment.png#lightbox)
-
+   
 [!INCLUDE [secure-score-note](../includes/secure-score-note.md)]
 
 
 ## Next steps
 
 - [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
-- [Check out the Defender for Identity forum!](<https://aka.ms/MDIcommunity>)
+- [Check out the Defender for Identity forum!](https://aka.ms/MDIcommunity)
+

ATPDocs/replace-entra-connect-default-admin.md

@@ -124,6 +124,8 @@ items:
   items:
   - name: Assets
     items:
+    - name: Identity inventory
+      href: identity-inventory.md
     - name: Investigate assets
       href: investigate-assets.md
   - name: Lateral movement paths
@@ -170,6 +172,8 @@ items:
          displayName: Microsoft Entra Connect
        - name: Remove unnecessary replication permissions for Microsoft Entra Connect connector account
          href: remove-replication-permissions-microsoft-entra-connect.md
+       - name: Replace Enterprise or Domain Admin account for Entra Connect AD DS Connector account
+         href: replace-entra-connect-default-admin.md
      - name: Identity infrastructure
        items:
        - name: Built-in Active Directory Guest account is enabled
@@ -186,26 +190,26 @@ items:
          href: security-assessment-unsecure-domain-configurations.md
      - name: Certificates
        items: 
-        - name: Enforce encryption for RPC certificate enrollment interface  (ESC8)
-          href: security-assessment-enforce-encryption-rpc.md
-        - name: Insecure ADCS certificate enrollment IIS endpoints (ESC8)
-          href: security-assessment-insecure-adcs-certificate-enrollment.md
-        - name: Misconfigured certificate templates owner  (ESC4)
-          href: security-assessment-edit-misconfigured-owner.md
-        - name: Misconfigured Certificate Authority ACL  (ESC7)
-          href: security-assessment-edit-misconfigured-ca-acl.md
-        - name: Misconfigured certificate templates ACL (ESC4)
-          href: security-assessment-edit-misconfigured-acl.md
-        - name: Misconfigured enrollment agent certificate template  (ESC3)
-          href: security-assessment-edit-misconfigured-enrollment-agent.md    
-        - name: Overly permissive certificate template with privileged EKU (ESC2)
-          href: security-assessment-edit-overly-permissive-template.md
-        - name: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
-          href: prevent-certificate-enrollment-esc15.md
-        - name: Prevent requests for certificates valid for arbitrary users  (ESC1)
-          href: security-assessment-prevent-users-request-certificate.md
-        - name: Vulnerable Certificate Authority setting (ESC6)
-          href: security-assessment-edit-vulnerable-ca-setting.md
+       - name: Enforce encryption for RPC certificate enrollment interface  (ESC8)
+         href: security-assessment-enforce-encryption-rpc.md
+       - name: Insecure ADCS certificate enrollment IIS endpoints (ESC8)
+         href: security-assessment-insecure-adcs-certificate-enrollment.md
+       - name: Misconfigured certificate templates owner  (ESC4)
+         href: security-assessment-edit-misconfigured-owner.md
+       - name: Misconfigured Certificate Authority ACL  (ESC7)
+         href: security-assessment-edit-misconfigured-ca-acl.md
+       - name: Misconfigured certificate templates ACL (ESC4)
+         href: security-assessment-edit-misconfigured-acl.md
+       - name: Misconfigured enrollment agent certificate template  (ESC3)
+         href: security-assessment-edit-misconfigured-enrollment-agent.md    
+       - name: Overly permissive certificate template with privileged EKU (ESC2)
+         href: security-assessment-edit-overly-permissive-template.md
+       - name: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
+         href: prevent-certificate-enrollment-esc15.md
+       - name: Prevent requests for certificates valid for arbitrary users  (ESC1)
+         href: security-assessment-prevent-users-request-certificate.md
+       - name: Vulnerable Certificate Authority setting (ESC6)
+         href: security-assessment-edit-vulnerable-ca-setting.md
      - name: Group policy 
        items: 
         - name: GPO assigns unprivileged identities to local groups with elevated privileges