Merge branch 'main' into AdvHunt-chrisda

Author: chrisda

ATPDocs/deploy/remote-calls-sam.md

@@ -9,8 +9,8 @@ ms.reviewer: rlitinsky
 # Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity
 
 > [!IMPORTANT]
-> The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. The change will occur automatically by the specified date, and no administrative action is required.
-> 
+> As of mid-May 2025, Microsoft Defender for Identity no longer collects local administrators group members from endpoints using SAM-R queries. This data is used to build potential lateral movement path maps, which are no longer being updated. The change was applied automatically—no administrative action or configuration changes were required.
+>
 
 Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.
 

ATPDocs/investigate-security-alerts.md

@@ -11,9 +11,7 @@ Investigate alerts that are affecting your environment, understand what they mea
 
 Begin your investigation by selecting an alert from the **Alerts** page in the Microsoft Defender portal. The alerts page displays a list of all security alerts generated by Defender for Identity, including their severity, status, and impacted assets. Selecting an alert opens the alert page, which contains the alert title, the affected assets, the details side pane, and in some cases, an alert story.
 
-> [!NOTE]
-> The **alert story** and **export to Excel** options are only available for alerts that use the original Defender for Identity structure.  
-> For more information about differences in how alerts are presented in the Defender portal, see [View and manage alerts](understanding-security-alerts.md).
+
 
 ## Investigate using the alert story
 
@@ -25,6 +23,10 @@ The Important information section includes additional technical details that sup
 
 Together, the alert story, alert graph, and Important information give you a complete picture of the alert. They help you understand what triggered the alert, which entities were involved, and whether the activity requires further investigation or action.
 
+> [!NOTE]
+> The **alert story** is only visible for alerts that use the classic Defender for Identity structure. 
+> For more information about differences in how alerts are presented in the Defender portal, see [View and manage alerts](understanding-security-alerts.md).
+
 ## Take action from the details pane
 Once you've selected an alert of interest, the details pane changes to display information about the selected alert, historic information when it's available, and offer recommended actions to take action on this alert.
 
@@ -35,6 +37,10 @@ Once you're done investigating, go back to the alert you started with, mark the
 
 To get more details on a security alert, select **Export** on an alert details page to download the detailed Excel alert report.
 
+> [!NOTE]
+> The **export to Excel** option is also only available for alerts that use the classic Defender for Identity structure.
+> For more information about differences in how alerts are presented in the Defender portal, see [View and manage alerts](understanding-security-alerts.md).
+
 
 The downloaded file includes summary details about the alert on the first tab, including:
 

ATPDocs/media/remove-replication-permissions-microsoft-entra-connect/image.png

@@ -6,7 +6,7 @@ ms.topic: how-to
 ms. reviewer: izauer-bit 
 ---
 
-# Integrate Okta with Microsoft Defender for Identity
+# Integrate Okta with Microsoft Defender for Identity (Preview)
 
 Okta manages how users and customers sign in and get access to key systems. Since it plays a central role in identity and access management, any compromise whether accidental or intentional can lead to serious security risks. By integrating Microsoft Defender for Identity with Okta, you gain stronger identity protection. Defender for Identity monitors sign-in activity, detects unusual behavior, and highlights threats related to compromised or misused identities. It also identifies risks like suspicious role assignments or unused high-privilege accounts, using Okta data to deliver clear, actionable insights that help keep your organization secure.
 
@@ -23,6 +23,11 @@ Before connecting your Okta account to Microsoft Defender for Identity, make sur
 > [!NOTE]
 > The Super Admin role is required only to create the API token. Once the token is created, remove the role and assign the Read-Only Administrator and Defender for Identity custom roles for ongoing API access.
 
+
+> [!NOTE]
+> If your Okta environment is already integrated with [Microsoft Defender for Cloud Apps](/defender-cloud-apps/protect-okta), connecting it to Microsoft Defender for Identity might cause duplicate Okta data, such as user activity, to appear in the Defender portal.
+
+
 ### Connect Okta to Microsoft Defender for Identity
 
 This section provides instructions for connecting Microsoft Defender for Identity to your dedicated Okta account using the connector APIs. This connection gives you visibility into and control over Okta use.
@@ -142,7 +147,7 @@ To complete the configuration in Okta, assign the custom role and resource set t
 1. Paste the API token you copied from your Okta account.
 1. Select **Save**.
 
-:::image type="content" source="media/okta-integration/connect-okta-instance.png" alt-text="Screenshot that shows how to connect your Okta instance.":::
+    :::image type="content" source="media/okta-integration/connect-okta-instance.png" alt-text="Screenshot that shows how to connect your Okta instance.":::
 
 1. Verify that your Okta environment appears in the table as enabled.
 
@@ -151,3 +156,4 @@ To complete the configuration in Okta, assign the custom role and resource set t
 ## Related articles
 
 - [Defender for Identity VPN integration in Microsoft Defender XDR](vpn-integration.md)
+- [Microsoft Defender for Identity extends ITDR capabilities to Okta identities](https://techcommunity.microsoft.com/blog/MicrosoftThreatProtectionBlog/microsoft-defender-for-identity-extends-itdr-capabilities-to-okta-identities/4418955)

ATPDocs/media/remove-replication-permissions-microsoft-entra-connect/replicationconfig.png

@@ -30,7 +30,11 @@ Smart attackers are likely to target Microsoft Entra Connect in on-premises envi
 
 1. Take appropriate action on those accounts and remove their 'Replication Directory Changes' and 'Replication Directory Changes All' permissions by unchecking the following permissions:  
 
-![Screenshot of the replication permissions.](media/remove-replication-permissions-microsoft-entra-connect/permissions.png)
+[![Screenshot that shows Replicationconfiguration](media/remove-replication-permissions-microsoft-entra-connect/replicationconfiguration.png)](media/remove-replication-permissions-microsoft-entra-connect/replicationconfiguration.png#lightbox)
+
+
+
+
 
 > [!IMPORTANT]
 > For environments with multiple Microsoft Entra Connect servers, it’s crucial to install sensors on each server to ensure Microsoft Defender for Identity can fully monitor your setup. It has been detected that your Microsoft Entra Connect configuration does not utilize Password Hash Sync, which means that replication permissions are not necessary for the accounts in the Exposed Entities list. Additionally, it’s important to ensure that each exposed MSOL account is not required for Replication Permissions by any other applications.

ATPDocs/media/remove-replication-permissions-microsoft-entra-connect/replicationconfiguration.png

@@ -85,13 +85,13 @@ items:
       - name: Listen for SIEM events
         href: deploy/configure-event-collection.md
         displayName: standalone
-    - name: Activate Defender for Identity capabilities on your domain controller
+    - name: Activate Defender for Identity capabilities on your domain controller (Preview)
       href: deploy/activate-capabilities.md
 - name: Integrate with identity services
   items:
     - name: Integrate Defender for Identity with PAM services
       href: integrate-microsoft-and-pam-services.md
-    - name: Integrate Defender for Identity with Okta
+    - name: Integrate Defender for Identity with Okta (Preview)
       href: okta-integration.md
 - name: Manage
   items:

ATPDocs/okta-integration.md

@@ -560,11 +560,14 @@
     items:
     - name: Migration guides overview
       href: migration-guides.md
+    - name: Considerations for side-by-side deployment
+      href: mde-side-by-side.md
     - name: Migrate servers to Defender for Cloud
       href: migrating-mde-server-to-cloud.md
     - name: Migrate to Defender for Endpoint
-      href: switch-to-mde-overview.md
       items:
+      - name: Overview
+        href: switch-to-mde-overview.md
       - name: Phase 1 - Prepare
         href: switch-to-mde-phase-1.md
       - name: Phase 2 - Setup

ATPDocs/remove-replication-permissions-microsoft-entra-connect.md

@@ -0,0 +1,11 @@
+---
+author: denisebmsft
+ms.author: deniseb
+ms.date: 06/13/2025
+ms.topic: include
+ms.service: defender-endpoint
+---
+
+If you want to run multiple security solutions side by side, see [Considerations for performance, configuration, and support](/defender-endpoint/mde-side-by-side).
+
+You might have already configured mutual security exclusions for devices onboarded to Microsoft Defender for Endpoint. If you still need to set mutual exclusions to avoid conflicts, see [Add Microsoft Defender for Endpoint to the exclusion list for your existing solution](/defender-endpoint/switch-to-mde-phase-2#step-3-add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution).