Merge branch 'main' into patch-3

Author: padmagit77

.github/workflows/StaleBranch.yml

@@ -0,0 +1,25 @@
+name: (Scheduled) Stale branch removal
+
+permissions:
+  contents: write
+      
+on:
+  schedule:
+    - cron: "0 */12 * * *"
+
+  workflow_dispatch:
+  
+
+jobs:
+
+  stale-branch:
+    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-StaleBranch.yml@workflows-prod
+    with:
+        PayloadJson: ${{ toJSON(github) }}
+        RepoBranchSkipList: '[
+                              "ExampleBranch1",
+                              "ExampleBranch2"
+                             ]'
+        ReportOnly: true
+    secrets:
+        AccessToken: ${{ secrets.GITHUB_TOKEN }}

ATPDocs/manage-security-alerts.md

@@ -8,7 +8,7 @@ ms.topic: how-to
 # Investigate Defender for Identity security alerts in Microsoft Defender XDR
 
 > [!NOTE]
-> Defender for Identity is not designed to serve as an auditing or logging solution that captures every single operation or activity on the servers where the sensor is installed. It only captures the data required for its detection and recommendation mechanisms.
+> Defender for Identity isn't designed to serve as an auditing or logging solution that captures every single operation or activity on the servers where the sensor is installed. It only captures the data required for its detection and recommendation mechanisms.
 
 This article explains the basics of how to work with Microsoft Defender for Identity security alerts in [Microsoft Defender XDR](/microsoft-365/security/defender/overview-security-center).
 

ATPDocs/replace-entra-connect-default-admin.md

@@ -0,0 +1,44 @@
+---
+title:       'Security assessment: Replace Enterprise or Domain Admin account for Entra Connect AD DS Connector account'
+description: 'This report lists any Entra Connect AD DS Connector account that is an Enterprise Administrator or Domain Administrator.'
+author:      LiorShapiraa # GitHub alias
+ms.author:   Liorshapira # Microsoft alias
+# ms.prod:   microsoft-defender-for-identity
+ms.topic:    article
+ms.date:     03/16/2025
+---
+
+# Security assessment: Replace Enterprise or Domain Admin account for Entra Connect AD DS Connector account
+
+This article describes Microsoft Defender for Identity's Microsoft Entra Connect AD DS Connector account default admin security posture assessment report.
+
+> [!NOTE]
+> This security assessment will be available only if Microsoft Defender for Identity sensor is installed on servers running Microsoft Entra Connect services.
+
+## Why might using an Enterprise or Domain Admin account for the Microsoft Entra Connect AD DS Connector be a risk?
+
+Smart attackers often target Microsoft Entra Connect in on-premises environments due to the elevated privileges associated with its AD DS Connector account (typically created in Active Directory with the MSOL_ prefix). Using an **Enterprise Admin** or **Domain Admin** account for this purpose significantly increases the attack surface, as these accounts have broad control over the directory.
+
+Starting with [Entra Connect build 1.4.###.#](/entra/identity/hybrid/connect/reference-connect-accounts-permissions), Enterprise Admin and Domain Admin accounts can no longer be used as the AD DS Connector account. This best practice prevents over-privileging the connector account, reducing the risk of domain-wide compromise if the account is targeted by attackers. Organizations must now create or assign a lower-privileged account specifically for directory synchronization, ensuring better adherence to the principle of least privilege and protecting critical admin accounts.
+
+## How do I use this security assessment to improve my hybrid organizational security posture?
+
+1. Review the recommended action at[ https://security.microsoft.com/securescore?viewid=actions](https://security.microsoft.com/securescore?viewid=actions) for Replace Enterprise or Domain Admin account for Entra Connect AD DS Connector account.
+
+1. Review the exposed accounts and their group memberships. The list contains members of Domain/Enterprise Admins through direct and recursive membership.
+
+1. Perform one of the following actions:
+
+   - Remove MSOL_ user account user from privileged groups, ensuring it retains the necessary permissions to function as the Entra Connect Connector account.
+   
+   - Change the Entra Connect AD DS Connector account (MSOL_) to a lower-privileged account. 
+   
+> [!NOTE]
+> While assessments are updated in near real time, scores and statuses are updated every 24 hours. While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as **Completed**.
+
+## Next steps
+
+- Learn more about [Microsoft Secure score]().
+
+- Learn more about [Defender for Identity Sensor for Microsoft Entra Connect](https://aka.ms/MdiSensorForMicrosoftEntraConnectInstallation)
+

ATPDocs/security-assessment.md

@@ -38,24 +38,30 @@ Defender for Identity security posture assessments have five key categories. Eac
 ## Access Defender for Identity security posture assessments
 
 > [!NOTE]
-You must have a Defender for Identity license to view Defender for Identity security posture assessments in Microsoft Secure Score.
-While *certificate template* assessments are available to all customers with AD CS installed in their environment, *certificate authority* assessments are available only to customers who have installed a sensor on an AD CS server. For more information, see [Configuring sensors for AD FS and AD CS](deploy/active-directory-federation-services.md).
+> You must have a Defender for Identity license to view Defender for Identity security posture assessments in Microsoft Secure Score.
+> 
+> Additionally, while *certificate template* assessments are available to all customers with AD CS installed in their environment, *certificate authority* assessments are available only to customers who have installed a sensor on an AD CS server.   
+>
+> Hybrid security recommendations will be available only if Microsoft Defender for Identity sensor is installed on servers running Microsoft Entra Connect services.  
+>
+> For more information, see [Configuring sensors for AD FS, AD CS and Entra Connect.](https://aka.ms/DeployMdiSensorOnYourIdentityInfrastructure)
 
 **To access identity security posture assessments**:
 
 1. Open the [Microsoft Secure Score dashboard](https://security.microsoft.com/securescore).
 1. Select the **Recommended actions** tab. You can search for a particular recommended action, or filter the results (for example, by the category **Identity**).
 
     [![Recommended actions.](media/recommended-actions.png)](media/recommended-actions.png#lightbox)
-
+   
 1. For more details, select the assessment.
 
     [![Select the assessment.](media/select-assessment.png)](media/select-assessment.png#lightbox)
-
+   
 [!INCLUDE [secure-score-note](../includes/secure-score-note.md)]
 
 
 ## Next steps
 
 - [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
-- [Check out the Defender for Identity forum!](<https://aka.ms/MDIcommunity>)
+- [Check out the Defender for Identity forum!](https://aka.ms/MDIcommunity)
+