Merge branch 'main' into Add-preview-brackets-to-release-note

Author: DeCohen

.openpublishing.redirection.defender-cloud-apps.json

@@ -1004,6 +1004,11 @@
       "source_path": "CloudAppSecurityDocs/file-filters.md",
       "redirect_url": "/defender-cloud-apps/data-protection-policies",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "CloudAppSecurityDocs/troubleshooting-api-connectors-using-error-messages.md",
+      "redirect_url": "/defender-cloud-apps/troubleshooting-api-connectors-errors",
+      "redirect_document_id": true
     }
   ]
 }

CloudAppSecurityDocs/applications-inventory.md

@@ -0,0 +1,115 @@
+---
+title: Application inventory
+ms.date: 03/20/2025
+ms.topic: overview
+description: The new Applications page located under Assets in Microsoft Defender XDR portal provides a centralized location for users to view and manage SaaS and SaaS connected OAuth apps information across their environment, ensuring optimal visibility and a comprehensive experience
+#customer intent: As a security administrator, I want to discover, monitor, and manage all SaaS and OAuth connected apps in my organization so that I can ensure security and compliance.
+---
+# Applications inventory (Preview)
+
+Protecting your SaaS ecosystem requires taking inventory of all SaaS and OAuth connected apps that are in your environment. With the increasing number of applications, having a comprehensive inventory is crucial to ensure security and compliance. The Defender for Cloud apps Applications page provides a centralized view of all SaaS and connected OAuth apps in your organization, enabling efficient monitoring and management.
+At a glance you can see information such as app name, risk score, privilege level, publisher information, and other details for easy identification of SaaS and OAuth apps most at risk.
+
+The Application page includes the following tabs:
+
+* SaaS apps: A consolidated view of all SaaS applications in your network. This tab highlights key details, including app name, status (unprotected/protected app) and whether the app is marked as sanctioned or unsanctioned.
+* OAuth apps: Displays a list of OAuth apps such as Microsoft Entra ID, Google workspace and Salesforce.
+
+## Navigate to the Applications page
+
+In the Defender portal at <https://security.microsoft.com>, go to **Assets** \> **Applications**. Or, to go directly to the **Applications** page, by clicking on the banner links on the existing Cloud discovery and App governance pages.
+
+:::image type="content" source="media/banner-on-cloud-discovery-pages.png" alt-text="Screenshot of the Cloud Discovery page with a banner about the new unified application inventory experience" lightbox="media/banner-on-cloud-discovery-pages.png":::
+
+:::image type="content" source="media/banner-message-on-app-governance-pages.png" alt-text="Screenshot of the App Governance page with a banner about the new unified application inventory experience for managing OAuth and SaaS apps" lightbox="media/banner-message-on-app-governance-pages.png":::
+
+There are several options you can choose from to customize the SaaS apps and OAuth apps list view. In the top navigation panel you can:
+
+* Add or remove columns.
+* Export the entire list in CSV format.
+* Select the number of items to show per page.
+* Apply filters
+
+> [!NOTE]
+>When exporting the applications list to a CSV file, a maximum of 1000 SaaS or OAuth apps are displayed.
+
+The following image depicts the SaaS apps list:
+:::image type="content" source="media/applications-tab-in-the-defender-portal.png" alt-text="Screenshot of the applications tab in the Defender portal" lightbox="media/applications-tab-in-the-defender-portal.png"
+
+
+## SaaS app details
+
+At the top of Saas app tab, you can find actionable insights that allow you to quickly identify apps that need your attention and focus. The following details are displayed:
+
+* **Untagged high risk apps** – Shows apps that aren't tagged and have a high-risk.
+* **Untagged high traffic apps** – Shows apps that aren't tagged and have a high usage traffic (greater than 1 GB of data traffic).
+* **Untagged GenAI apps** – Shows apps that aren't tagged and are Gen-AI based.
+
+## Sort and filter the SaaS apps list
+
+You can use the sort and filter functionality to get a more focused view. These controls also help you assess and manage the SaaS applications in your organization.
+
+|Filter  |Description  |
+|---------|---------|
+|**App tags**     |    Select **Sanctioned**, **Unsanctioned**, or create custom tags to use in a customized filter.  |
+|**App**     |    Filter for specific SaaS apps.     |
+|**Categories**     |  Filter according to app categories.       |
+|**Compliance risk factor**     |   Filter for specific standards, certifications, and compliance your app might comply with. For example: HIPAA, ISO 27001, SOC 2, and PCI-DSS.      |
+| **Risk score**     |  Filter by a specific risk score, such as to view only risky apps.       |
+|**Security risk factor**     |   Filter based on specific security measures, such as encryption at rest, multifactor authentication, and others.
+|
+
+### OAuth Apps
+
+The OAuth apps tab provides visibility into Microsoft 365, Google workspace and Salesforce. Admins can review applications and decide to disable the apps or apply policies to monitor their behavior in their environment.
+
+* **New apps** – Shows apps added in the last 30 days (Available for Microsoft 365)
+
+* **Highly privileged apps** – Shows apps with powerful permissions that allow them to access data or change important settings. (Available for Microsoft 365 and Google)
+
+* **Overprivileged apps** – Shows apps with unused permissions. (Available for Microsoft 365)
+
+* **Apps from external unverified publishers** – Shows apps that originated from an external unverified publisher tenant. (Available for Microsoft 365)
+
+For more information on how to create app policies, see:[Create app policies in app governance](app-governance-app-policies-create.md)
+
+The following image depicts the OAuth apps list:
+
+:::image type="content" source="media/oauth-tab-in-the-applications-page.png" alt-text="Screenshot of a list of OAuth apps in the applications page in the Defender portal" lightbox="media/oauth-tab-in-the-applications-page.png":::
+
+## Sort and filter the OAuth apps list
+
+You can apply the following filters to get a more focused view:
+
+|Column name  |Description  |
+|---------|---------|
+| **App name** | The display name of the app as registered on Microsoft Entra ID. |
+| **App status** | Shows whether the app is enabled or disabled, and if disabled by whom. |
+| **Graph API access**| Shows whether the app has at least one Graph API permission. |
+| **Permission type**| Shows whether the app has application (app only), delegated, or mixed permissions. |
+| **App origin**| Shows whether the app originated within the tenant or was registered in an external tenant. |
+| **Consent type**| Shows whether the app consent has been given at the user or the admin level, and the number of users whose data is accessible to the app. |
+| **Publisher**| Publisher of the app and their verification status. |
+| **Last modified**| Date and time when registration information was last updated on Microsoft Entra ID |
+| **Added on**| Shows the date and time when the app was registered to Microsoft Entra ID and assigned a service principal. |
+| **Permission usage**| Shows whether the app has any unused Graph API permissions in the last 90 days. |
+| **Data usage**| Total data downloaded or uploaded by the app in the last 30 days. |
+| **Privilege level**  | The app's privilege level. |
+| **Certification**| Indicates if an app meets stringent security and compliance standards set by Microsoft 365 or if its publisher has publicly attested to its safety.  |
+| **Sensitivity label accessed**| Sensitivity labels on content accessed by the app  |
+| **Service accessed**| Microsoft 365 services accessed by the app  
+|
+
+
+> [!TIP]
+> To see all columns, you might need to do one or more of the following steps:
+> * Horizontally scroll in your web browser.
+> * Narrow the width of appropriate columns.
+> * Zoom out in your web browser.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Best practices for protecting your organization](best-practices.md)
+
+[!INCLUDE [Open support ticket](includes/support.md)]

CloudAppSecurityDocs/media/applications-tab-in-the-defender-portal.png

@@ -118,8 +118,6 @@ items:
         href: protect-zendesk.md
       - name: Zoom
         href: protect-zoom.md
-      - name: Troubleshooting API connectors using error messages
-        href: troubleshooting-api-connectors-using-error-messages.md
 - name: Cloud app discovery
   items:
   - name: Overview
@@ -157,6 +155,8 @@ items:
         href: log-collector-advanced-management.md
       - name: Use the custom log parser
         href: custom-log-parser.md
+      - name: Troubleshooting API connector errors
+        href: troubleshooting-api-connectors-errors.md
     - name: Integrate with Microsoft Defender for Endpoint
       items:
       - name: Overview
@@ -424,6 +424,12 @@ items:
       href: app-activity-threat-hunting.md
   - name: App governance FAQ
     href: app-governance-faq.yml
+- name: Investigate and respond 
+  items:
+    - name: Assets
+      items:
+      - name: Applications inventory
+        href: applications-inventory.md
 - name: Operations guide
   items:
   - name: Operations guide overview

CloudAppSecurityDocs/media/banner-message-on-app-governance-pages.png

@@ -6,8 +6,6 @@ ms.topic: conceptual
 ---
 # Troubleshooting App Connector errors
 
-
-
 This article provides a list of API App connector error messages and resolution recommendations for each error.
 
 ## Troubleshooting

CloudAppSecurityDocs/media/banner-on-cloud-discovery-pages.png

@@ -3,7 +3,7 @@ title: Microsoft Defender Antivirus security intelligence and product updates
 description: Manage how Microsoft Defender Antivirus receives protection and product updates.
 ms.service: defender-endpoint
 ms.localizationpriority: high
-ms.date: 03/12/2025
+ms.date: 04/01/2025
 audience: ITPro
 ms.topic: reference
 author: emmwalshh
@@ -98,17 +98,36 @@ Updates contain:
 - Serviceability improvements
 - Integration improvements (Cloud, [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender))
 
-### February-2025 (Engine: 1.1.25020.1007)
+### March-2025 (Engine 1.1.25030.1)
+
+- Security intelligence update version: **1.427.3.0**
+- Release date: **April 1, 2025** (Engine only)
+- Platform: **4.18.25020.1009**
+- Engine: **1.1.25030.1**
+- Support phase: **Security and Critical Updates**
+
+#### What's new
+
+- Product improvements
+
+### February-2025 (Platform 4.18.25020.1009 | Engine: 1.1.25020.1007)
 
 - Security intelligence update version: **1.425.1.0**
-- Release date: **March 12, 2025** (Engine only)
-- Platform: **4.18.25010.11**
+- Release date: **March 12, 2025** (Engine) / **March 31, 2025** (Platform)
+- Platform: **4.18.25020.1009**
 - Engine: **1.1.25020.1007**
 - Support phase: **Security and Critical Updates**
 
 #### What's new
 
-- Product improvements
+- Fixed deadlock issue on [VDI](deployment-vdi-microsoft-defender-antivirus.md) that occurred when loading corrupted update files from UNC share.
+- Systems controlled by `SharedSignatureRoot` can be updated by running signature update commands.
+- If you're currently using a shared signature path to update VDI environments, you can now use signature update commands through [MpCmdRun](/defender-endpoint/command-line-arguments-microsoft-defender-antivirus), PowerShell, and the user interface to update to latest drops in your signature update shares.
+- Shared root signature setting updates are now applied without requiring a system restart. (If this setting is turned off and on multiple times, a system reboot is necessary.) 
+- Improved logic for handling [restore from quarantine](/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus).
+- Fixed fallback issue with [Update-MpSignature](/powershell/module/defender/update-mpsignature).
+- Increased [device control policy](device-control-policies.md) limits.
+- Improved security resilience for Defender update process.
 
 ### January-2025 (Platform: 4.18.25010.11 | Engine: 1.1.25010.7)
 
@@ -124,8 +143,8 @@ Updates contain:
 - Improved AMSI scan performance with changes to exclusion handling.
 - Fixed [Controlled Folder Access](controlled-folders.md) (CFA) protection for OneDrive when backup is enabled.
 - Fixed performance issues with [full scans](schedule-antivirus-scans.md) when initiated from the Microsoft Defender portal.
-- Fixed ASR warn mode processing for containerized objects (such as Office files) when the unblock option is selected.
-- Fixed ASR warn mode processing when exclusions are applied.
+- Fixed attack surface reduction warn mode processing for containerized objects (such as Office files) when the unblock option is selected.
+- Fixed attack surface reduction warn mode processing when exclusions are applied.
 - Fixed performance handling with file transfers having Mark of the Web (MoTW) set.
 - Implemented `AzureAd` cache to handle offline environments with [device control](device-control-overview.md).
 - Resolved an issue with `TrustLabelProtectionStatus` being reset after a Microsoft Defender platform update.
@@ -161,22 +180,6 @@ Updates contain:
 > On Windows Server 2019 and later, a new binary (`MpDefenderCoreService.exe`) will be included in the update package to support future service improvements (more information to follow).
 
 
-### August-2024 (Platform: 4.18.24080.9 | Engine: 1.1.24080.9)
-
-- Security intelligence update version: **1.419.1.0**
-- Release date: **September 17, 2024** (Engine and Platform)
-- Platform: **4.18.24080.9**
-- Engine: **1.1.24080.9**
-- Support phase: **Security and Critical Updates**
-
-#### What's new
-
-- Added a new parameter (`ControlledFolderAccessDefaultProtectedFolders`) to [Get-MpPreference](/powershell/module/defender/get-mppreference) cmdlet to show default protected folders for [controlled folder access](enable-controlled-folders.md).
-- Fixed an issue with device control regarding printer security checks.
-- Resolved an issue with platform rollback after an upgrade from Windows 10 to Windows 11.
-- Fixed an issue where volume exclusions weren't properly enforced in real-time protection after the completion of OOBE.
-- Removed support for Windows RT devices, like Surface RT, that use 32-bit ARM processors and reached their end-of-servicing date.
-
 ### Previous version updates: Technical upgrade support only
 
 After a new package version is released, support for the previous two versions is reduced to technical support only. For more information about previous versions, see [Microsoft Defender Antivirus updates: Previous versions for technical upgrade support](msda-updates-previous-versions-technical-upgrade-support.md).

CloudAppSecurityDocs/media/oauth-tab-in-the-applications-page.png

@@ -6,7 +6,7 @@ ms.author: ewalsh
 author: emmwalshh
 ms.localizationpriority: medium
 ms.reviewer: pahuijbr
-ms.date: 03/05/2025
+ms.date: 04/01/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -29,6 +29,22 @@ Microsoft regularly releases [security intelligence updates and product updates
 
 ## Engine and platform updates
 
+### August-2024 (Platform: 4.18.24080.9 | Engine: 1.1.24080.9)
+
+- Security intelligence update version: **1.419.1.0**
+- Release date: **September 17, 2024** (Engine and Platform)
+- Platform: **4.18.24080.9**
+- Engine: **1.1.24080.9**
+- Support phase: **Technical upgrade support (only)**
+
+#### What's new
+
+- Added a new parameter (`ControlledFolderAccessDefaultProtectedFolders`) to [Get-MpPreference](/powershell/module/defender/get-mppreference) cmdlet to show default protected folders for [controlled folder access](enable-controlled-folders.md).
+- Fixed an issue with device control regarding printer security checks.
+- Resolved an issue with platform rollback after an upgrade from Windows 10 to Windows 11.
+- Fixed an issue where volume exclusions weren't properly enforced in real-time protection after the completion of OOBE.
+- Removed support for Windows RT devices, like Surface RT, that use 32-bit ARM processors and reached their end-of-servicing date.
+
 ### July-2024 (Platform: 4.18.24070.5 | Engine: 1.1.24070.3)
 
 - Security intelligence update version: **1.417.14.0**