Merge pull request #4802 from MicrosoftDocs/main

m365-skilling-repo-management[bot] · web-flow · commit 189c86c4549d · 2025-08-21T11:30:05.000Z
[AutoPublish] main to live - 08/21 04:28 PDT | 08/21 16:58 IST
diff --git a/ATPDocs/remediation-actions.md b/ATPDocs/remediation-actions.md
@@ -35,34 +35,30 @@ To perform any of the [supported actions](#supported-actions), you need to:
 
 The following Defender for Identity actions can be performed on Identities:
 
-- **Disable user in Active Directory** - This temporarily prevents a user from signing in to the on-premises network. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network.
+| Remediation Action  | Description     |          Scope                        | 
+| ------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
+|Disable user                 | This temporarily prevents a user from signing in. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network. | Active Directory, Entra ID and Okta
+|Enable user              | Enable a user to sign in. | Active Directory, Entra ID and Okta
+|Revoke all Users' sessions       | Revoke a user's active sessions. | Entra ID and Okta
+|Confirm user compromised      | The user's risk level is set to High | Entra ID
+| Reset user password| This prompts the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts| Active Directory
+|Deactivate user in Okta | This action can be used when a non-legit malicious account was detected, to deactivate the account permanently | Okta
+| Set user risk to High/Medium/Low |Set one user risk scoring to one of the defined levels. This action will only be available if [Risk Scoring](https://help.okta.com/en-us/Content/Topics/Security/Security_Risk_Scoring.htm) feature is enabled | Okta
 
-- **Reset user password** - This prompts the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts.
-
-- **Mark User Compromised** - The user's risk level is set to High.
-
-- **Suspend User in Entra ID** - Block new sign-ins and access to cloud resources.
-
-- **Require User to Sign In Again** - Revoke a user's active sessions.
-
-- **Suspend User in Okta** - Temporarily disables a user account. This action can be used when a legit user account was found to be compromised and needed to be disabled.
-
-- **Deactivate User in Okta** - This action can be used when a non-legit malicious account was detected, to deactivate the account permanently.
 
 Depending on your Microsoft Entra ID roles, you might see additional Microsoft Entra ID actions, such as requiring users to sign in again and confirming a user as compromised. For more information, see [Remediate risks and unblock users](/entra/id-protection/howto-identity-protection-remediate-unblock).
 
 ## Roles and Permissions
 
-| Action | XDR RBAC permissions      |
-| ------------------------------------- | ------------------------------------------------------------ |
-|Mark User Compromised                  | - Global Administrator <br> - Security Administrator|
-|Suspend User in Entra ID               | - Global Administrator |
-|Require User to Sign In Again          | - Global Administrator <br>|
-| Disable/Enable User in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
-| Force Password Reset in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
-| Suspend User in Okta | A custom role defined with permissions for Response (manage) Or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator|
-| Deactivate User in Okta | A custom role defined with permissions for Response (manage) Or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator|
-
+| Remediation Action | Active Directory  |Entra ID   | Okta  |
+|--|--|--|--|
+| Disable user | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr) | - Global Administrator <br> - Security Administrator  | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
+| Enable user | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr) | Global Administrator | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
+| Revoke all Users' sessions |N\A  | Global Administrator | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
+| Confirm user compromised |N\A  |  - Global Administrator <br> -Security Administrator | N/A|
+| Reset user password | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr) | N\A | N\A
+| Deactivate user in Okta  | N\A | N\A | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator
+|  Set User risk to High/Medium/Low  | N\A | N\A | A custom role defined with permissions for Response (manage) or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator
 
 ## Related videos
 
diff --git a/ATPDocs/whats-new.md b/ATPDocs/whats-new.md
@@ -25,6 +25,14 @@ For updates about versions and features released six months ago or earlier, see
 
 ## August 2025
 
+### Microsoft Entra ID risk level is now available in near real time in Microsoft Defender for Identity (Preview)
+
+Entra ID risk level is now available on the Identity Inventory assets page, the identity details page, and in the IdentityInfo table in Advanced Hunting, and includes the Entra ID risk score. SOC analysts can use this data to correlate risky users with sensitive or highly privileged users, create custom detections based on current or historical user risk, and improve investigation context.
+
+Previously, Defender for Identity tenants received Entra ID risk level in the IdentityInfo table through user and entity behavior analytics (UEBA). With this update, the Entra ID risk level is now updated in near real time through Microsoft Defender for Identity.
+
+For UEBA tenants without a Microsoft Defender for Identity license, synchronization of Entra ID risk level to the IdentityInfo table remains unchanged.
+
 
 ### New security assessment: Remove inactive service accounts (Preview)
 
diff --git a/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md b/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md
@@ -36,11 +36,11 @@ Learn more:
 
 ## August 2025
 
-**Microsoft Defender for Endpoint on macOS**
-
-- (Preview) **Configure offline security intelligence updates for Microsoft Defender for Endpoint on macOS**: This feature enables organizations to update security intelligence (antivirus definitions/signatures) on macOS endpoints offline from a local mirror server. For more information, see [Configure offline security intelligence updates for Microsoft Defender for Endpoint on macOS (preview)](./mac-support-offline-security-intelligence-update.md).
+|Feature  |Preview/GA  |Description  |
+|---------|------------|-------------|
+|[Configure offline security intelligence updates for Microsoft Defender for Endpoint on macOS](./mac-support-offline-security-intelligence-update.md) |Preview |Enables organizations to update security intelligence (antivirus definitions/signatures) on macOS endpoints offline from a local mirror server. |
 
-- ## July 2025
+## July 2025
 
 |Feature  |Preview/GA  |Description  |
 |---------|------------|-------------|
diff --git a/defender-xdr/advanced-hunting-identityinfo-table.md b/defender-xdr/advanced-hunting-identityinfo-table.md
@@ -102,10 +102,9 @@ If you're using the Microsoft Defender portal but haven't onboarded a Microsoft
 - `DeletedDateTime`
 - `EmployeeId`
 - `OtherMailAddresses`
-- `RiskLevel`
-- `RiskLevelDetails`
-- `State`
 - `Tags`
+- `State`
+
 
 For more information about UEBA, read [Advanced threat detection with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](/azure/sentinel/identify-threats-with-entity-behavior-analytics). For more information about the different data sources in UEBA, read [Microsoft Sentinel UEBA reference](/azure/sentinel/ueba-reference).
 
