Merge branch 'poliveria-mdti-custom-detection-03242025' of https://github.com/MicrosoftDocs/defender-docs-pr into poliveria-mdti-custom-detection-03242025

Author: poliveria

ATPDocs/architecture.md

@@ -12,7 +12,7 @@ Microsoft Defender for Identity monitors your domain controllers by capturing an
 
 The following image shows how Defender for Identity is layered over Microsoft Defender XDR, and works together with other Microsoft services and third-party identity providers to monitor traffic coming in from domain controllers and Active Directory servers.
 
-:::image type="content" source="media/architecture/architecture.png" alt-text="Diagram of the Defender for Identity architecture." border="false":::
+:::image type="content" source="media\diagram-of-the-defender-for-identity-architecture.png" alt-text="Diagram of the Defender for Identity architecture." border="false":::
 
 Installed directly on your domain controller, Active Directory Federation Services (AD FS), or Active Directory Certificate Services (AD CS) servers, the Defender for Identity sensor accesses the event logs it requires directly from the servers. After the logs and network traffic are parsed by the sensor, Defender for Identity sends only the parsed information to the Defender for Identity cloud service.
 

ATPDocs/investigate-assets.md

@@ -63,9 +63,10 @@ When you investigate a specific identity, you'll see the following details on an
 |[Remediation actions](/microsoft-365/security/defender/investigate-users#remediation-actions)      |     Respond to compromised users by disabling their accounts or resetting their password. After taking action on users, you can check on the activity details in the Microsoft Defender XDR **Action center.|
 
 > [!NOTE]
-> **Investigation Priority Score** has been deprecated on December 3, 2025. As a result, both the Investigation Priority Score breakdown and the scored activity timeline cards have been removed from the UI. 
+> **Investigation Priority Score** has been deprecated on December 3, 2024. As a result, both the Investigation Priority Score breakdown and the scored activity timeline cards have been removed from the UI. 
+
+
 
-  
 For more information, see [Investigate users](/microsoft-365/security/defender/investigate-users) in the Microsoft Defender XDR documentation.
 
 ## Investigation steps for suspicious groups

ATPDocs/media/diagram-of-the-defender-for-identity-architecture.png

@@ -0,0 +1,49 @@
+---
+# Required metadata
+# For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main
+# For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main
+
+title: 'Security assessment: Remove unsafe permissions on sensitive Microsoft Entra Connect accounts'
+description: This report lists any sensitive AD DS Connector (MSOL_) accounts or Microsoft Entra Seamless SSO computer account (AZUREADSSOACC) with unsafe permissions.
+author:      LiorShapiraa # GitHub alias
+ms.author: liorshapira
+ms.service: microsoft-defender-for-identity
+ms.topic: article
+ms.date:     03/16/2025
+---
+
+# Security assessment: Remove unsafe permissions on sensitive Entra Connect accounts
+
+This article describes Microsoft Defender for Identity's Microsoft Entra Connect accounts unsafe permissions security posture assessment report.
+
+> [!NOTE]
+> This security assessment will be available only if Microsoft Defender for Identity sensor is installed on servers running Microsoft Entra Connect services and Sign on method as part of Microsoft Entra Connect configuration is set to single sign-on and the SSO computer account exists. Learn more about Microsoft Entra seamless sign-on **[here](/entra/identity/hybrid/connect/how-to-connect-sso)**.
+
+## How can unsafe permissions on Microsoft Entra Connect accounts expose your hybrid identity to risk?
+
+Microsoft Entra Connect accounts like AD DS Connector account (also known as MSOL_) and Microsoft Entra Seamless SSO computer account (AZUREADSSOACC) have powerful privileges, including replication and password reset rights. If these accounts are granted unsafe permissions, attackers could exploit them to gain unauthorized access, escalate privileges, or take control of hybrid identity infrastructure. This could lead to account takeovers, unauthorized directory modifications, and a broader compromise of both on-premises and cloud environments.
+
+## How do I use this security assessment to improve my hybrid organizational security posture?
+
+> [!NOTE]
+> While assessments are updated in near real time, scores and statuses are updated every 24 hours. While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as **Completed**.
+
+1. Review the recommended action at[ https://security.microsoft.com/securescore?viewid=actions](https://security.microsoft.com/securescore?viewid=actions) for Remove unsafe permissions on sensitive Entra Connect accounts.
+
+1. Review the list of exposed entities to identify accounts with unsafe permissions. For example:
+
+    :::image type="content" source="media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-exposed-entities.png" alt-text="Screenshot of exposed entities" lightbox="media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-exposed-entities.png":::
+
+1. If you click on "Click to expend" you can find more details about the granted permissions. For example:  
+
+    :::image type="content" source="media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-excessive-permissions.png" alt-text="Screenshot of excessive permissions" lightbox="media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-excessive-permissions.png":::
+
+1. For each exposed account, remove problematic permissions that allow unprivileged accounts to takeover critical hybrid assets.
+
+
+## Next steps
+
+- [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
+
+- [Learn more about Defender for Identity Sensor for Microsoft Entra Connect](https://aka.ms/MdiSensorForMicrosoftEntraConnectInstallation)
+

ATPDocs/media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-excessive-permissions.png

@@ -172,6 +172,9 @@ items:
          displayName: Microsoft Entra Connect
        - name: Remove unnecessary replication permissions for Microsoft Entra Connect connector account
          href: remove-replication-permissions-microsoft-entra-connect.md
+       - name: Remove unsafe permissions on sensitive Entra Connect accounts
+         href: remove-unsafe-permissions-sensitive-entra-connect.md
+         displayName: MDI
        - name: Replace Enterprise or Domain Admin account for Entra Connect AD DS Connector account
          href: replace-entra-connect-default-admin.md
      - name: Identity infrastructure

ATPDocs/media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-exposed-entities.png

@@ -24,6 +24,10 @@ For updates about versions and features released six months ago or earlier, see
 
 ## March 2025
 
+### New Health Issue
+
+New [health issue](health-alerts.md#network-configuration-mismatch-for-sensors-running-on-vmware) for cases where sensors running on VMware have network configuration mismatch.
+
 ### Enhanced Identity Inventory (Preview)
 
 The Identities page under *Assets* has been updated to provide better visibility and management of identities across your environment.  

ATPDocs/remove-unsafe-permissions-sensitive-entra-connect.md

@@ -159,6 +159,14 @@ This section provides instructions for connecting Microsoft Defender for Cloud A
 
     ![Google Workspace authorize new client ID.](media/connect-google-workspace/google-workspace-authorize-new-client-id.png)
 
+   >[!IMPORTANT]
+   > In order for the Google connector to function correctly, enable **Google Drive** for the Super Admin user that will be used for the connector.
+   > - Navigate to admin.google.com
+   > - Select apps -> Google Workspace -> Drive and Docs
+   > - Turn on Service status for the Super Admin user used to onboard the connector. We recommended enabling Service status for all users.
+
+   
+
 ### Configure Defender for Cloud Apps
 
 1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **Connected apps**, select **App Connectors**.

ATPDocs/toc.yml

@@ -1,5 +1,5 @@
 ---
-title: Troubleshoot App Connector errors 
+title: Troubleshoot App connector errors 
 description: This article provides a list of API App connector error messages as well as resolution recommendations for each.
 ms.date: 01/29/2023
 ms.topic: conceptual
@@ -33,7 +33,8 @@ App connector errors can be seen in the app connector dialog after attempting to
 > |HttpRequestFailure: Server returned: 401 Unauthorized|Exchange Online|User or password are incorrect|Make sure the username and password are correct and Follow the process to connect Exchange Online to Defender for Cloud Apps again.|
 > |HttpRequestFailure: Server returned: 404 Not Found|Exchange Online|The user you are using to log into Exchange Online does not have a primary mailbox in Exchange Online (for example, a user who does not exist in Microsoft Entra ID or a user exists in Microsoft Entra ID, but does not have an Exchange Online license).|Follow the process to connect Exchange Online to Defender for Cloud Apps again using a new admin account.|
 > |GoogleJsonResponseException: 401 Unauthorized|Google Workspace|Access denied. You are not authorized to read activity records. The user you log into Google Workspace with must be an admin user.|Follow the process to connect Google Workspace to Defender for Cloud Apps again using an admin account.|
-> |GoogleJsonResponseException: 403 Forbidden|Google Workspace|Problem running the Google Workspace API.|If you just deployed the Defender for Cloud Apps App Connector for Google Workspace, check the following: If you clicked Unlimited, make sure that your Google Workspace account is really unlimited. If it is not, run the App Connector again and un-select the option for an unlimited account. Check that the scopes you defined during setup are correct. If this is not a new deployment and you see this error, it may be that you reached the API limit for today and Google Workspace events will be renewed tomorrow.|
+> |GoogleJsonResponseException: 403 Forbidden|Google Workspace|
+Problem running the Google Workspace API.|If you just deployed the Defender for Cloud Apps App Connector for Google Workspace, check the following: If you clicked Unlimited, make sure that your Google Workspace account is really unlimited. If it is not, run the App Connector again and un-select the option for an unlimited account. Check that the scopes you defined during setup are correct. If this is not a new deployment and you see this error, it may be that you reached the API limit for today and Google Workspace events will be renewed tomorrow.|
 > |TokenResponseException: 400 Bad Request|Google Workspace|Either the connection to Google Workspace did not complete or is expired.|Follow the process to connect Google Workspace to Defender for Cloud Apps again.|
 > |HttpRequestFailure: Server returned: 401 Unauthorized|Okta|The Okta token is not valid.|Follow the process to connect Okta to Defender for Cloud Apps again.|
 > |IOException:|Okta|Internal error|Contact support|