Merge pull request #4436 from MicrosoftDocs/main

[AutoPublish] main to live - 07/07 10:31 PDT | 07/07 23:01 IST

Author: m365-skilling-repo-management[bot]

ATPDocs/media/unmonitored-adcs-servers/recommended-actions-unmonitored-active-directory-certificate-services-servers.png

@@ -199,6 +199,12 @@ items:
          href: security-assessment-remove-local-admins.md   
        - name: Unmonitored domain controllers
          href: security-assessment-unmonitored-domain-controller.md
+       - name: Unmonitored ADCS servers
+         href: unmonitored-active-directory-certificate-services-server.md
+       - name: Unmonitored ADFS servers
+         href: unmonitored-active-directory-federation-services-servers.md
+       - name: Unmonitored Entra Connect servers
+         href: unmonitored-entra-connect-servers.md
        - name: Unsecure domain configurations
          href: security-assessment-unsecure-domain-configurations.md
      - name: Certificates

ATPDocs/media/unmonitored-adfs-server/recommended-actions-unmonitored-active-directory-federation-services-server.png

@@ -0,0 +1,38 @@
+---
+title: 'Security Assessment: Unmonitored ADCS servers'
+description: 'Detect unmonitored ADCS servers and deploy Defender for Identity sensors to help prevent unauthorized certificate issuance and privilege escalation.'
+author: LiorShapiraa # GitHub alias
+ms.author: liorshapira
+ms.service: microsoft-defender-for-identity
+ms.topic: article
+ms.date:     07/06/2025
+ms.reviewer: LiorShapiraa
+---
+
+# Security Assessment: Unmonitored ADCS servers
+
+This article describes the security posture assessment report for unmonitored Active Directory Certificate Services (AD CS) servers by Microsoft Defender for Identity.
+
+
+## What risk do unmonitored ADCS servers pose to an organization?
+
+Unmonitored Active Directory Certificate Services (AD CS) servers pose a significant risk to your organization’s identity infrastructure. AD CS, the backbone of certificate issuance and trust, is a high-value target for attackers aiming to escalate privileges or forge credentials. Without proper monitoring, attackers can exploit these servers to issue unauthorized certificates, enabling stealthy lateral movement and persistent access. Deploy Microsoft Defender for Identity version 2.0 sensors on all AD CS servers to mitigate this risk. These sensors provide real-time visibility into suspicious activity, detect advanced threats, and generate actionable alerts based on security events and network behavior.
+
+> [!NOTE]
+>  This security assessment is available only if Microsoft Defender for Endpoint detects an eligible AD CS server in the environment.
+
+## How do I use this security assessment?
+
+1. Review the recommended action at https://security.microsoft.com/securescore?viewid=actions to discover which of your AD CS servers are unmonitored.
+
+    :::image type="content" source="media/unmonitored-adcs-servers/recommended-actions-unmonitored-active-directory-certificate-services-servers.png" alt-text="Screenshot that shows the recommended actions for an unmonitored AD CS server." lightbox="media/unmonitored-adcs-servers/recommended-actions-unmonitored-active-directory-certificate-services-servers.png":::
+
+1. Go to the **Microsoft Defender portal > Settings > Identities > Sensors**. You can view the already installed sensors in your environment and download the install package to deploy them on your remaining servers.
+1. Take appropriate action on those servers by [configuring monitoring sensors](/defender-for-identity/deploy/active-directory-federation-services).
+
+> [!NOTE]
+> Assessment details update in near real time. However, scores and statuses refresh every 24 hours. The list of impacted entities updates within a few minutes of implementing recommendations, but the overall status might take longer to show as Completed.
+
+## Next steps
+
+Learn more about [Microsoft Secure Score](/defender-xdr/microsoft-secure-score).

ATPDocs/media/unmonitored-entra-connect-servers/recommended-actions-unmonitored-entra-connect-server.png

@@ -0,0 +1,38 @@
+---
+title: 'Security Assessment: Unmonitored ADFS servers'
+description: 'Identify unmonitored ADFS servers and deploy Defender for Identity sensors to reduce risk.'
+author: LiorShapiraa # GitHub alias
+ms.author: liorshapira
+ms.service: microsoft-defender-for-identity
+ms.topic: article
+ms.date:     07/06/2025
+ms.reviewer: LiorShapiraa
+---
+
+# Security Assessment: Unmonitored ADFS servers
+
+This article describes the Microsoft Defender for Identity's unmonitored Active Directory Federation Services (ADFS) servers security posture assessment report.
+
+## What risk do unmonitored ADFS servers pose to an organization?
+
+Unmonitored Active Directory Federation Services (ADFS) servers are a significant security risk to organizations. ADFS controls access to both cloud and on-premises resources as the gateway for federated authentication and single sign-on. If attackers compromise an ADFS server, they can issue forged tokens and impersonate any user, including privileged accounts. Such attacks might bypass multi-factor authentication (MFA), conditional access, and other downstream security controls, making them particularly dangerous. Without proper monitoring, suspicious activity on ADFS servers might go undetected for extended periods. Deploying Microsoft Defender for Identity version 2.0 sensors on ADFS servers is essential. These sensors enable real-time detection of suspicious behavior and help prevent token forgery, abuse of trust relationships, and stealthy lateral movement within the environment.
+
+> [!NOTE]
+> This security assessment is only available if Microsoft Defender for Endpoint detects an eligible ADFS server in the environment.
+
+
+## How do I use this security assessment?
+
+1. Review the recommended action at https://security.microsoft.com/securescore?viewid=actions to discover which of your ADFS servers are unmonitored.
+
+    :::image type="content" source="media/unmonitored-adfs-server/recommended-actions-unmonitored-active-directory-federation-services-server.png" alt-text="Screenshot that shows the recommended actions for an unmonitored ADFS server." lightbox="media/unmonitored-adfs-server/recommended-actions-unmonitored-active-directory-federation-services-server.png":::
+
+1. Go to the **Microsoft Defender portal > Settings > Identities > Sensors**. You can view the already installed sensors in your environment and download the install package to deploy them on your remaining servers.
+1. Take appropriate action on those servers by [configuring monitoring sensors](/defender-for-identity/deploy/active-directory-federation-services).
+
+> [!NOTE]
+> Assessment details are updated in near real time. However, scores and statuses are refreshed every 24 hours. The list of impacted entities is updated within a few minutes of implementing recommendations, but the overall status might take longer to show as Completed.
+
+## Next steps
+
+Learn more about [Microsoft Secure Score](/defender-xdr/microsoft-secure-score).

ATPDocs/toc.yml

@@ -0,0 +1,42 @@
+---
+title: 'Security Assessment: Unmonitored Microsoft Entra Connect servers'
+description: 'Detect unmonitored Microsoft Entra Connect servers and deploy Defender for Identity sensors to protect your hybrid identity infrastructure from privilege escalation.'
+author: LiorShapiraa # GitHub alias
+ms.author: liorshapira
+ms.service: microsoft-defender-for-identity
+ms.topic: article
+ms.date:     07/06/2025
+ms.reviewer: LiorShapiraa
+---
+
+
+# Security Assessment: Unmonitored Microsoft Entra Connect servers
+
+This article describes the Microsoft Defender for Identity's unmonitored Microsoft Entra Connect servers security posture assessment report.
+
+## What risk do unmonitored Microsoft Entra Connect servers pose to an organization? 
+
+Unmonitored Microsoft Entra Connect servers (formerly Azure AD Connect) pose a significant security risk in hybrid identity environments. These servers synchronize identities between on-premises Active Directory and Entra ID. They can introduce, modify, or remove accounts and attributes that directly affect cloud access.
+
+If an attacker compromises a Microsoft Entra Connect server, they can inject shadow admins, manipulate group memberships, or sync malicious changes into the cloud without triggering traditional alerts.
+
+These servers operate at the intersection of on-premises and cloud identity, making them a prime target for privilege escalation and stealthy persistence. Without monitoring, such attacks can go undetected. Deploying Microsoft Defender for Identity version 2.0 sensors on Microsoft Entra Connect servers is critical. These sensors help detect suspicious activity in real time, protect the integrity of your hybrid identity bridge, and prevent full-domain compromise from a single point of failure.
+
+> [!NOTE]
+> This security assessment is only available if Microsoft Defender for Endpoint detects eligible Microsoft Entra Connect servers in the environment.
+
+## How do I use this security assessment? 
+
+1. Review the recommended action at https://security.microsoft.com/securescore?viewid=actions to discover which of your Microsoft Entra Connect servers are unmonitored.
+
+    :::image type="content" source="media/unmonitored-entra-connect-servers/recommended-actions-unmonitored-entra-connect-server.png" alt-text="Screenshot that shows the recommended actions for an unmonitored Entra Connect server." lightbox="media/unmonitored-entra-connect-servers/recommended-actions-unmonitored-entra-connect-server.png":::
+
+1. Go to the **Microsoft Defender portal > Settings > Identities > Sensors**. You can view the already installed sensors in your environment and download the install package to deploy them on your remaining servers.
+1. Take appropriate action on those servers by [configuring monitoring sensors](/defender-for-identity/deploy/active-directory-federation-services).
+
+> [!NOTE]
+> Assessment details are updated in near real time. However, scores and statuses are refreshed every 24 hours. The list of impacted entities is updated within a few minutes of implementing recommendations, but the overall status might take longer to show as completed.
+
+## Next steps
+
+Learn more about [Microsoft Secure Score](/defender-xdr/microsoft-secure-score).

ATPDocs/unmonitored-active-directory-certificate-services-server.md

@@ -23,8 +23,26 @@ For more information, see also:
 
 For updates about versions and features released six months ago or earlier, see the [What's new archive for Microsoft Defender for Identity](whats-new-archive.md).
 
-## June 2025
 
+## July 2025
+
+### New security posture assessments for unmonitored identity servers
+
+Microsoft Defender for Identity now includes three security posture assessments that detect when Microsoft Entra Connect, Active Directory Federation Services (ADFS), or Active Directory Certificate Services (ADCS) servers are present in your environment but aren't monitored.
+
+Use these assessments to improve monitoring coverage and strengthen your hybrid identity security posture.
+
+For more details, see:
+
+[Security Assessment: Unmonitored ADCS servers](unmonitored-active-directory-certificate-services-server.md)
+
+[Security Assessment: Unmonitored ADFS servers](unmonitored-active-directory-federation-services-servers.md)
+
+[Security Assessment: Unmonitored Entra Connect servers](unmonitored-entra-connect-servers.md)
+
+
+
+## June 2025
 
 ### Scoped access by Active Directory domain now supported (Preview)
 

ATPDocs/unmonitored-active-directory-federation-services-servers.md

@@ -1,13 +1,12 @@
 ---
 title: Attest your apps 
 description: This article provides instructions for attesting your apps in Defender for Cloud Apps.
-ms.date: 01/29/2023
+ms.date: 06/30/2025
 ms.topic: article
 ---
 # Attest your apps
 
 
-
 Microsoft Defender for Cloud Apps enables you to attest your app, so that you make sure that the compliance and security details we use to rate your app in our cloud app catalog are up to date.
 
 Whether your app is already listed in the cloud app catalog, or it's new, submit a [self-attestation questionnaire](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR4CRHM-U7CtKpJma_QJAnSlUMEpLQzBaQ1hWNDMxUEhRNFI3Q0FZUkdWRC4u). For details on the self-attestation process, contact [email protected].
@@ -107,4 +106,3 @@ Follow the service attributes described below to successfully complete the submi
 > [!div class="nextstepaction"]
 > [Best practices for protecting your organization](best-practices.md)
 
-[!INCLUDE [Open support ticket](includes/support.md)]

ATPDocs/unmonitored-entra-connect-servers.md

@@ -0,0 +1,54 @@
+---
+title: Submit an App Catalog update request
+description: This article provides instructions for app owners and nonapp owners on how to submit an update request for an app in the Defender for Cloud Apps catalog.
+ms.date: 06/30/2025
+ms.topic: how-to
+---
+
+# Submit an App Catalog update request
+
+To keep the Microsoft Defender for Cloud Apps (MDA) catalog accurate and secure, use the right submission method based on your relationship to the app and the type of update needed.
+
+## App owners or verified vendors
+
+If you're a verified app vendor or developer, complete the [Self-Attestation Questionnaire](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR4CRHM-U7CtKpJma_QJAnSlUMEpLQzBaQ1hWNDMxUEhRNFI3Q0FZUkdWRC4u) to:
+
+- Add a new app to the catalog.
+
+- Update risk attributes.
+
+**While we review your request:**
+
+- If the app isn’t in the catalog, you can [add it as a custom app](cloud-discovery-custom-apps.md) in Cloud Discovery to monitor its usage in your environment.
+- If the app is listed but its risk score doesn’t reflect your organization’s security posture, you can manually [override the app’s risk score](risk-score.md#override-the-risk-score).
+
+## Nonowners requesting updates
+
+Even if you're not the app owner, you can help improve the app catalog's accuracy:
+
+- You can [request a risk score update](risk-score.md#customize-the-risk-score) for apps in use by your organization.
+- You can [suggest a change to the cloud app catalog](risk-score.md#suggest-a-change-to-the-cloud-app-catalog) if you find a new app in your environment that hasn't been scored by Defender for Cloud Apps, or if you want to request a review for a new risk factor, a score update, or outdated app data.
+
+## Validation and processing timeline
+
+We thoroughly validate all catalog update requests to ensure accuracy and relevance. All app catalog requests must meet these criteria:
+
+- The submitted domain must map to a known application.
+- The app must qualify as a SaaS product.
+- The request must include complete and verifiable information.
+
+We typically update the catalog within three weeks of receiving your request.
+
+## All other requests
+
+For general inquiries, metadata corrections, or update requests that don’t fall into the previous categories, [open a support ticket](/defender-cloud-apps/support-and-ts)
+
+> [!NOTE]
+> We review support tickets on a case-by-case basis. They aren’t a fast track for catalog updates but help capture edge cases or routing issues needing broader investigation.
+
+
+## Related articles
+
+- [Find your cloud app and calculate risk scores](risk-score.md)
+- [Attest your apps](attest-your-app.md)
+- [Add custom apps to cloud discovery](cloud-discovery-custom-apps.md)