Merge branch 'main' into patch-13

Author: chrisda

ATPDocs/change-password-krbtgt-account.md

@@ -29,7 +29,9 @@ If the KRBTGT account's password is compromised, an attacker can use its hash to
 1. Take appropriate action on those accounts by resetting their password **twice** to invalidate the Golden Ticket attack. 
 
 > [!NOTE]
-> The krbtgt Kerberos account in all Active Directory domains supports key storage in all Kerberos Key Distribution Centers (KDC). To renew the Kerberos keys for TGT encryption, periodically change the krbtgt account password. It is recommended to use the [Microsoft-provided script.](https://github.com/microsoft/New-KrbtgtKeys.ps1)
+> The krbtgt Kerberos account in all Active Directory domains supports key storage in all Kerberos Key Distribution Centers (KDC). To renew the Kerberos keys for TGT encryption, periodically change the krbtgt account password. It is recommended to use the [Microsoft-provided script.](https://github.com/microsoft/New-KrbtgtKeys.ps1)  
+> When resetting the password twice, wait at least 10 hours between resets to avoid Kerberos authentication issues. This wait time is enforced by the script and aligns with best practices.
+
 ### Next steps
 
 [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)

CloudAppSecurityDocs/app-governance-app-policies-get-started.md

@@ -1,8 +1,9 @@
 ---
 title: Get started with app governance policies | Microsoft Defender for Cloud Apps
-ms.date: 05/28/2023
+ms.date: 08/31/2025
 ms.topic: how-to
 description: Get started learning about app governance policies with Microsoft Defender for Cloud Apps in Microsoft Defender XDR
+ms.reviewer: shragar456
 ---
 
 # Get started with app policies
@@ -23,22 +24,21 @@ To see your list of current app policies, go to the **Microsoft Defender XDR > A
 
 For example:
 
-![Screenshot of the app governance policies summary page in Microsoft Defender XDR.](media/app-governance-app-policies-get-started/azure-ad-policies.jpg)
+:::image type="content" source="media/app-governance-app-policies-get-started/app-governance-app-policies.png" alt-text="Screenshot that shows the app governance app polcies." lightbox="media/app-governance-app-policies-get-started/app-governance-app-policies.png":::
 
 > [!NOTE]
 > Built-in threat detection policies aren't listed on the **Policies** tab. For more information, see [Investigate threat detection alerts](app-governance-anomaly-detection-alerts.md).
 > 
 
 ## What’s available on the app policies dashboard
 
-The **App governance** > **Policies** tab shows the number of active, inactive, and audit mode policies, and the following information for each policy:
+The **App governance** > **Policies** tab shows the number of active and disabled policies, and the following information for each policy:
 
 - **Policy name**
 - **Status**
 
   - **Active**:  All policy evaluation and actions are active.
-  - **Inactive**: All policy evaluation and actions are disabled.
-  - **Audit mode**: Policy evaluation is active (alerts will trigger) but policy actions are disabled.
+  - **Disabled**: All policy evaluation and actions are disabled.
 
 - **Severity**: Severity level set on any alerts triggered because of this policy being evaluated as true, which is part of the configuration of the policy.
 - **Active alerts**: Number of alerts generated by the policy that have an **In Progress** or **New** status.
@@ -74,22 +74,24 @@ You can also:
 
 1. Select **Edit**.
 
-    While you can't change the name of the policy once created, but you can change the description and policy severity as needed. When you're done, select **Next**.
+    While you can't change the name of the policy once created, you can change the description and policy severity as needed. When you're done, select **Next**.
 
 1. Choose whether you want to continue with the existing policy settings or customize them. Select **No, I'll customize the policy** to make changes, and then select **Next**.
 
-1. Choose whether this policy applies to all apps, specific apps, or all apps except the apps you select. Select **Choose apps** to select which apps to apply the policy to, and then select **Next**.
+1. Choose whether this policy applies to all apps, specific apps, or all apps except the apps you select. 
+
+1. Select **Choose apps** to select which apps to apply the policy to, and then select **Next**.
 
 1. Choose whether to modify the existing conditions of the policy. 
 
     - If you choose to modify the conditions, select **Edit or modify existing conditions for the policy** and choose which policy conditions to apply. 
     - Otherwise, select **Use existing conditions of the policy**. 
 
-    When you're done, select **Next**.
+1. When you're done, select **Next**.
 
 1. Choose whether to disable the app if it triggers the policy conditions and then select **Next**.
 
-1. Set the policy status to **Audit** mode, **Active**, or **Inactive**, as needed, and then select **Next**.
+1. Set the policy status to **Active**, or **Disabled**, as needed, and then select **Next**.
 
 1. Review your setting choices for the policy and if everything is the way you want it, select **Submit**.
 

CloudAppSecurityDocs/app-governance-app-policies-manage.md

@@ -1,8 +1,9 @@
 ---
 title: Manage app policies
-ms.date: 05/21/2023
+ms.date: 09/08/2025
 ms.topic: how-to
 description: Manage your app governance policies.
+ms.reviewer: shragar456
 ---
 
 # Manage app policies
@@ -12,55 +13,35 @@ Use app governance to manage OAuth policies for Microsoft 365, Google Workspace,
 You might need to manage your app policies as follows to keep up-to-date with your organization's apps, respond to new app-based attacks, and for ongoing changes to your app compliance needs:
 
 - Create new policies targeted at new apps
-- Change the status of an existing policy (active, inactive, audit mode)
+- Change the status of an existing policy (active or disable)
 - Change the conditions of an existing policy
 - Change the actions of an existing policy for auto-remediation of alerts
 
-<a name='manage-oauth-app-policies-for-azure-ad'></a>
 
-## Manage OAuth app policies for Microsoft Entra ID
-
-Here's an example of a process for managing an existing policy for Microsoft Entra apps:
-
-1. Edit the policy:
-
-    - Change the settings of the policy.
-    - If needed, change the status to **Audit mode** for testing.
-
-1. Check for expected behavior, such as alerts generated.
-1. If the behavior isn't expected, go back to step 1.
-1. If the behavior is expected, edit the policy and change its status to active (if needed).
-
-For example:
-
-:::image type="content" source="media/app-governance/mapg-manage-policy-process.png" alt-text="Diagram of the manage app policy workflow." lightbox="media/app-governance/mapg-manage-policy-process.png" border="false":::
+## Editing an app policy configuration
 
-> [!NOTE]
-> Following the change in the **Activity type** filter, policies with the previous filter will have a "LEGACY" label attached to the filter and if the policies are edited or deleted the filter can't be restored.
+To change the configuration of a user defined app policy:
 
-## Editing an app policy configuration
+1. Select the policy in the policy list, and then select **Edit** on the app policy pane.
 
-To change the configuration of an existing app policy:
+1. In the **Edit policy** page, you can make the following changes:
 
-- Select the policy in the policy list, and then select **Edit** on the app policy pane.
-- Select the vertical ellipses for the policy in the list, and then select **Edit**.
+    - **Description**: Change the description to make it easier to understand the policy's purpose.
+    - **Severity** : Change the severity for your app policy to low, medium, or high. 
+    - **Policy settings**: Change the set of apps to which the policy applies. You can also choose to use the existing conditions or modify the conditions
+    - **Actions**: Change the autoremediation action for alerts generated by the policy.
+    - **Status**: Change the policy status.
 
-For the **Edit policy** page, step through the pages and make the appropriate changes:
+:::image type="content" source="media/app-governance-app-policies-manage/edit-user-defined-policy.png" alt-text="Screenshot that shows how to edit a user defined policy in the Defender portal. " lightbox="media/app-governance-app-policies-manage/edit-user-defined-policy.png":::
 
-- **Description**: Change the description to make it easier to understand the policy's purpose.
-- **Severity**
-- **Policy settings**: Change the set of apps to which the policy applies. You can also choose to use the existing conditions or modify the conditions
-- **Actions**: Change the autoremediation action for alerts generated by the policy.
-- **Status**: Change the policy status.
 
 ## Deleting an app policy
 
 To delete an app policy, you can:
 
 - Select the policy in the policy list, and then select **Delete** on the app policy pane.
-- Select the vertical ellipses for the policy in the list, and then select **Delete**.
 
-An alternative to deleting an app policy is to change its status to inactive. Once inactive, the policy doesn't generate alerts. For example, rather than deleting an app policy for an app with a specific set of conditions that are useful for a future policy, rename the app policy to indicate its usefulness and set its status to inactive. You can later return to the policy and modify it for a similar app and set its status to audit mode or inactive.
+An alternative to deleting an app policy is to change its status to disabled. Once disabled, the policy doesn't generate alerts. For example, rather than deleting an app policy for an app with a specific set of conditions that are useful for a future policy, rename the app policy to indicate its usefulness and set its status to disabled. 
 
 ## Next steps
 

CloudAppSecurityDocs/app-governance-detect-remediate-get-started.md

@@ -1,8 +1,9 @@
 ---
 title: Get started with app governance threat detection and remediation | Microsoft Defender for Cloud Apps
-ms.date: 05/28/2023
+ms.date: 08/31/2025
 ms.topic: overview
 description: Get started with app governance threat detection and remediation in Microsoft Defender XDR with Microsoft Defender for Cloud Apps.
+ms.reviewer: shragar456
 ---
 
 # Get started with app threat detection and remediation
@@ -13,7 +14,8 @@ To view the latest incidents associated with these alerts, go to the **App gover
 
 For example:
 
-:::image type="content" source="media/app-governance/mapg-cc-overview-alerts.png" alt-text="Screenshot of the App governance > Overview tab with the Latest alerts section highlighted." lightbox="media/app-governance/mapg-cc-overview-alerts.png":::
+:::image type="content" source="media/app-governance/app-governance-overview.png" alt-text="Screenshot that shows the App Governance overview tab." lightbox="media/app-governance/app-governance-overview.png":::
+
 
 On the **Overview** tab, the **Latest alerts** section lists the most recent alerts. You can use these recent alerts to quickly see the current app alert activity for your tenant.
 

CloudAppSecurityDocs/media/app-governance-app-policies-get-started/app-governance-app-policies.png

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: install-set-up-deploy
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 04/16/2025
+ms.date: 09/07/2025
 ---
 
 # Onboard client devices running Windows or macOS to Microsoft Defender for Endpoint
@@ -37,15 +37,15 @@ To onboard client devices running Windows or macOS, follow this general process:
 
 1. Make sure to review the [Minimum requirements for Defender for Endpoint](minimum-requirements.md).
 
-2. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Endpoints**, and then, under **Device management**, select **Onboarding**.
+2. In the [Microsoft Defender portal](https://security.microsoft.com), go to **System** > **Settings** > **Endpoints**, and then, under **Device management**, select **Onboarding**.
 
-   :::image type="content" source="media/mde-device-onboarding-ui.png" alt-text="Screenshot showing device onboarding in the Microsoft Defender portal for Defender for Endpoint.":::
+   :::image type="content" source="media/mde-device-onboarding-ui.png" alt-text="Screenshot showing device onboarding in the Microsoft Defender portal for Defender for Endpoint." lightbox="media/mde-device-onboarding-ui.png":::
 
 3. Under **Select operating system to start onboarding process**, select the operating system for the device.
 
 4. Under **Connectivity type**, select either **Streamlined** or **Standard**. (See [prerequisites for streamlined connectivity](/defender-endpoint/configure-device-connectivity#prerequisites).)
 
-5. Under **Deployment method**, select an option. Then download the onboarding package (and installation package, if there is one available). Follow the instructions to onboard your devices. The following table lists available deployment methods:
+5. Under **Deployment method**, select an option. Then download the onboarding package (and installation package, if there's one available). Follow the instructions to onboard your devices. The following table lists available deployment methods:
 
    |Operating system | Deployment method |
    |---|---|

CloudAppSecurityDocs/media/app-governance-app-policies-manage/edit-user-defined-policy.png

@@ -16,40 +16,51 @@ ms.collection:
   - tier1
 description: Admins can learn about Microsoft Teams features in Microsoft Defender for Office 365.
 ms.service: defender-office-365
-ms.date: 08/18/2025
+ms.date: 09/03/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
   - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
 ---
 
 # Microsoft Defender for Office 365 support for Microsoft Teams
 
-[!include[Prerelease information](../includes/prerelease.md)]
+[!INCLUDE [Prerelease information](../includes/prerelease.md)]
 
 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
 
-With the increased use of collaboration tools like Microsoft Teams, the possibility of malicious attacks using chat messages has also increased. Microsoft Defender for Office 365 already provides the following Teams protection features:
+With the increased use of collaboration tools like Microsoft Teams, the possibility of malicious attacks using chat messages has also increased.
+
+All licenses of Microsoft Teams in Microsoft 365 include the following built-in protections:
+
+- [Built-in virus protection in SharePoint, SharePoint Embedded, OneDrive, and Microsoft Teams](anti-malware-protection-for-spo-odfb-teams-about.md)
+- **Near real-time URL protection in Teams messages (currently in Preview)**: Known, malicious URLs in Teams messages are delivered with a warning. Messages found to contain malicious URLs up to 48 hours after delivery also receive a warning. The warning is added to messages in internal and external chats and teams for all URL verdicts (not just malware or high confidence phishing).
+
+  :::image type="content" source="media/teams-message-url-warning.png" alt-text="Screenshot showing a Microsoft Teams message with a URL warning." lightbox="media/teams-message-url-warning.png":::
+
+  To turn this feature off or on, see [Verify warnings for unsafe links are shown in Microsoft Teams messages](mdo-support-teams-quick-configure.md#step-3-verify-warnings-for-unsafe-links-are-shown-in-microsoft-teams-messages).
+
+Microsoft Defender for Office 365 provides the following extra Teams protection features:
 
 - Time of click protection for URLs and files in Teams messages through [Safe Links for Microsoft Teams](safe-links-about.md#safe-links-settings-for-microsoft-teams) and [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md).
 - Allow/block [domains](tenant-allow-block-list-teams-domains-configure.md), [URLs](tenant-allow-block-list-urls-configure.md) and [files](tenant-allow-block-list-files-configure.md) inside Teams using the Tenant Allow Block List.
 
-In Microsoft 365 E5 and Defender for Office 365 Plan 2, we've extended Teams protection with a set of capabilities that are designed to disrupt the attack chain:
+Microsoft 365 E5 and Defender for Office 365 Plan 2 extend Teams protection with a set of extra capabilities designed to disrupt the attack chain:
 
 - **Report suspicious Teams messages**: Users can report malicious Teams messages. Depending on the reported message settings in the organization, the reported messages go to the specified reporting mailbox, to Microsoft, or both. For more information, see [User reported settings in Teams](submissions-teams.md).
 
 - **Zero-hour auto protection (ZAP) for Teams**: ZAP is an existing email protection feature that detects and neutralizes spam, phishing, and malware messages after delivery by moving the messages to the Junk Email folder or quarantine.
 
-  ZAP for Teams quarantines messages in Teams chats or channels that are found to be malware or high confidence phishing. For more information, see [Zero-hour auto purge (ZAP) in Microsoft Teams](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-in-microsoft-teams).
+  ZAP for Teams quarantines messages in internal Teams chats or channels that are found to be malware or high confidence phishing. For more information, see [Zero-hour auto purge (ZAP) in Microsoft Teams](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-in-microsoft-teams).
 
   Instructions to configure ZAP for Teams protection are in the next section.
 
-- **Teams messages in quarantine**: As with email messages that are identified as malware or high confidence phishing, only admins are able to manage Teams messages that are quarantined by ZAP for Teams by default. For more information, see [Manage quarantined Teams messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages).
+- **Teams messages in quarantine**: By default, only admins are allowed to manage Teams messages quarantined by ZAP for Teams. This is the same default limitation for email messages identified as malware or high confidence phishing. For more information, see [Manage quarantined Teams messages](quarantine-admin-manage-messages-files.md#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages).
 
-- The **Teams message entity panel** is a single place to store all Teams message metadata for immediate SecOps review. Any threats coming from Teams chats, group chats, meeting chats, and other channels can be found in one place as soon as they're assessed. For more information, see [The Teams message entity panel in Microsoft Defender for Office 365 Plan 2](teams-message-entity-panel.md).
+- **Teams message entity panel**: A single place to store all Teams message metadata for immediate SecOps review. Any threats coming from Teams chats, group chats, meeting chats, and other channels can be found in one place as soon as they're assessed. For more information, see [The Teams message entity panel in Microsoft Defender for Office 365 Plan 2](teams-message-entity-panel.md).
 
 - **Attack simulation training using Teams messages**: To ensure users are resilient to phishing attacks in Microsoft Teams, admins can configure phishing simulations using Teams messages instead of email messages. For more information, see [Microsoft Teams in Attack simulation training](attack-simulation-training-teams.md).
 
-- **Hunting on Teams messages with URLs**: You can now hunt on Teams messages containing URL across three new advanced hunting tables: [MessageEvents](/defender-xdr/advanced-hunting-messageevents-table), [MessagePostDeliveryEvents](/defender-xdr/advanced-hunting-messagepostdeliveryevents-table), and [MessageURLInfo](/defender-xdr/advanced-hunting-messageurlinfo-table).
+- **Hunting on Teams messages with URLs**: You can hunt for Teams messages containing URL across three new advanced hunting tables: [MessageEvents](/defender-xdr/advanced-hunting-messageevents-table), [MessagePostDeliveryEvents](/defender-xdr/advanced-hunting-messagepostdeliveryevents-table), and [MessageURLInfo](/defender-xdr/advanced-hunting-messageurlinfo-table).
 
 ## Configure ZAP for Teams protection in Defender for Office 365 Plan 2