Merge pull request #1250 from MicrosoftDocs/deniseb-303141

denisebmsft · web-flow · commit 31ff7fad2450 · 2024-08-29T14:59:36.000-07:00
Deniseb 303141
diff --git a/defender-endpoint/assign-portal-access.md b/defender-endpoint/assign-portal-access.md
@@ -40,7 +40,7 @@ Defender for Endpoint supports two ways to manage permissions:
 
 If you have already assigned basic permissions, you can switch to RBAC anytime. Consider the following before making the switch:
 
-- Users who have full access (users who are assigned the Global Administrator or Security Administrator directory role in Microsoft Entra ID), are automatically assigned the default Defender for Endpoint administrator role, which also has full access. 
+- Users who have full access (users who are assigned either the Global Administrator or Security Administrator directory role in Microsoft Entra ID) are automatically assigned the default Defender for Endpoint administrator role, which also has full access. 
 - Other Microsoft Entra user groups can be assigned to the Defender for Endpoint administrator role after switching to RBAC.
 - Only users who are assigned the Defender for Endpoint administrator role can manage permissions using RBAC. 
 - Users who have read-only access (Security Readers) lose access to the portal until they are assigned a role. Only Microsoft Entra user groups can be assigned a role under RBAC.
diff --git a/defender-endpoint/basic-permissions.md b/defender-endpoint/basic-permissions.md
@@ -49,7 +49,7 @@ You can assign users with one of the following levels of permissions:
 
 - Connect to your Microsoft Entra ID. For more information, see [Connect-MgGraph](/powershell/microsoftgraph/authentication-commands).
 
-  - **Full access**: Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. Assigning full access rights requires adding the users to the "Security Administrator" or "Global Administrator" Microsoft Entra built-in roles.
+  - **Full access**: Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. Assigning full access rights requires adding the users to a role, such as Security Administrator, using Microsoft Entra built-in roles.
 
   - **Read-only access**: Users with read-only access can log in, view all alerts, and related information.
 
diff --git a/defender-endpoint/configure-endpoints-non-windows.md b/defender-endpoint/configure-endpoints-non-windows.md
@@ -55,7 +55,7 @@ You can choose to onboard non-Windows devices through Microsoft Defender for End
       
    3. Select **View** to open the partner's page. Follow the instructions provided on the page.
       
-   4. After creating an account or subscribing to the partner solution, you should get to a stage where a tenant admin (or Global Administrator) is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it's aligned with the service that you require.
+   4. After creating an account or subscribing to the partner solution, you should get to a stage where an administrator (such as a tenant administrator) is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it's aligned with the service that you require.
 
       > [!IMPORTANT]
       > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
diff --git a/defender-endpoint/configure-machines.md b/defender-endpoint/configure-machines.md
@@ -14,7 +14,7 @@ ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 06/25/2024
+ms.date: 08/29/2024
 ---
 
 # Ensure your devices are configured properly
@@ -63,7 +63,7 @@ Before you can ensure your devices are configured properly, enroll them to Intun
 
 ## Obtain required permissions
 
-By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Microsoft Entra ID can manage and assign the device configuration profiles needed for onboarding devices and deploying the security baseline.
+By default, only users who have been assigned an appropriate role, such as the Intune Service Administrator role in Microsoft Entra ID, can manage and assign the device configuration profiles needed for onboarding devices and deploying the security baseline.
 
 > [!IMPORTANT]
 > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
diff --git a/defender-endpoint/configure-vulnerability-email-notifications.md b/defender-endpoint/configure-vulnerability-email-notifications.md
@@ -30,12 +30,12 @@ Configure Microsoft Defender for Endpoint to send email notifications to specifi
 If you're using [Defender for Business](/defender-business/mdb-overview), you can set up vulnerability notifications for specific users only (not roles or groups).
 
 > [!NOTE]
-> - Only users with `Manage security settings` permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. [Learn more about permission options](user-roles.md)
+> - Only users with `Manage security settings` permissions can configure email notifications. If you've chosen to use basic permissions management, users with an appropriate role, such as Security Administrator, can configure email notifications. [Learn more about permission options](user-roles.md)
 > - Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
 
 The notification rules allow you to set the vulnerability events that trigger notifications, and add or remove email notification recipients. New recipients get notified about vulnerabilities after they're added.
 
-If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule. Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups.
+If you're using role-based access control (RBAC), recipients only receive notifications based on the device groups that were configured in the notification rule. Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to an administrator role, such as Security Administrator, can manage notification rules that are configured for all device groups.
 
 The email notification includes basic information about the vulnerability event. There are also links to filtered views in the Defender Vulnerability Management [Security recommendations](api/ti-indicator.md) and [Weaknesses](/defender-vulnerability-management/tvm-weaknesses) pages in the portal so you can further investigate. For example, you could get a list of all exposed devices or get additional details about the vulnerability.
 
@@ -46,7 +46,7 @@ The email notification includes basic information about the vulnerability event.
 
 Create a notification rule to send an email when there are certain exploit or vulnerability events, such as a new public exploit. For each rule, multiple event types can be selected.
 
-1. Sign in to the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139) and using an account with the Security administrator or Global administrator role assigned.
+1. Sign in to the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139) and using an account with the Security Administrator role assigned.
 
 2. In the navigation pane, go to **Settings** \> **Endpoints** \> **General** \> **Email notifications** \> **Vulnerabilities**.
 
diff --git a/defender-endpoint/mde-planning-guide.md b/defender-endpoint/mde-planning-guide.md
@@ -18,7 +18,7 @@ ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 06/26/2024
+ms.date: 08/29/2024
 ---
 
 # Get started with your Microsoft Defender for Endpoint deployment
@@ -54,7 +54,7 @@ The steps to deploy Defender for Endpoint are:
 
 Here's a list of prerequisites required to deploy Defender for Endpoint:
 
-- You're a Global Administrator
+- You're a Security Administrator
 - Your environment meets the [minimum requirements](minimum-requirements.md)
 - You have a full inventory of your environment. The following table provides a starting point to gather information and ensure that stakeholders understand your environment. The inventory helps identify potential dependencies and/or changes required in technologies or processes.
 
diff --git a/defender-endpoint/prepare-deployment.md b/defender-endpoint/prepare-deployment.md
@@ -52,7 +52,7 @@ Microsoft recommends using [Privileged Identity Management](/azure/active-direct
 
 Defender for Endpoint supports two ways to manage permissions:
 
-- **Basic permissions management**: Set permissions to either full access or read-only. Users with Global Administrator or Security Administrator roles in Microsoft Entra ID have full access. The Security reader role has read-only access and does not grant access to view machines/device inventory.
+- **Basic permissions management**: Set permissions to either full access or read-only. Users with a role, such as Security Administrator in Microsoft Entra ID have full access. The Security reader role has read-only access and does not grant access to view machines/device inventory.
 
 - **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Microsoft Entra user groups to the roles, and granting the user groups access to device groups. For more information. see [Manage portal access using role-based access control](rbac.md).
 
diff --git a/defender-endpoint/rbac.md b/defender-endpoint/rbac.md
@@ -66,9 +66,9 @@ To implement role-based access, you'll need to define admin roles, assign corres
 Before using RBAC, it's important that you understand the roles that can grant permissions and the consequences of turning on RBAC.
 
 > [!WARNING]
-> Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in Microsoft Entra ID and that you have your Microsoft Entra groups ready to reduce the risk of being locked out of the portal.
+> Before enabling the feature, it's important that you have an appropriate role, such as Security Administrator assigned in Microsoft Entra ID, and that you have your Microsoft Entra groups ready to reduce the risk of being locked out of the portal.
 
-When you first sign in to the Microsoft Defender portal, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Microsoft Entra ID. Read only access is granted to users with a Security Reader role in Microsoft Entra ID.
+When you first sign in to the Microsoft Defender portal, you're granted either full access or read only access. Full access rights are granted to users with the Security Administrator role in Microsoft Entra ID. Read only access is granted to users with a Security Reader role in Microsoft Entra ID.
 
 Someone with a Defender for Endpoint Global Administrator role has unrestricted access to all devices, regardless of their device group association and the Microsoft Entra user groups assignments.
 
diff --git a/defender-endpoint/respond-file-alerts.md b/defender-endpoint/respond-file-alerts.md
@@ -166,10 +166,10 @@ The **Download file** button can have the following states:
   For Microsoft Defender for Endpoint role-based access control (RBAC):
 
     For Portable Executable file (.exe, .sys, .dll, and others)
-    - Global admin or Advanced live response or Alerts 
+    - Security Administrator or Advanced live response or Alerts 
 
     Non-Portable Executable file (.txt, .docx, and others) 
-    - Global admin or Advanced live response
+    - Security Administrator or Advanced live response
     - Tenants with [role-based access (RBAC) permissions](/defender-xdr/manage-rbac) enabled
 
 
@@ -212,15 +212,15 @@ The **Collect file** button can have the following states:
     The following permissions are required: 
 
     For Portable Executable file (.exe, .sys, .dll, and others)
-    - Global admin or Advanced live response or Alerts 
+    - Security Administrator or Advanced live response or Alerts 
 
     Non-Portable Executable file (.txt, .docx, and others) 
-    - Global admin or Advanced live response
+    - Security Administrator or Advanced live response
 
 
 If a file hasn't been seen in the organization in the past 30 days, **Collect file** is disabled. 
 
-> [!Important]
+> [!IMPORTANT]
 > A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired.
 
 ## Add indicator to block or allow a file
diff --git a/defender-endpoint/switch-to-mde-phase-2.md b/defender-endpoint/switch-to-mde-phase-2.md
@@ -6,7 +6,7 @@ ms.subservice: onboard
 ms.author: siosulli
 author: siosulli
 ms.localizationpriority: medium
-ms.date: 07/25/2024
+ms.date: 08/29/2024
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -87,7 +87,7 @@ You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2
 > - If you have Defender for Endpoint Plan 1, complete steps 1-5 in the following procedure.
 > - If you have Defender for Endpoint Plan 2, complete steps 1-7 in the following procedure.
 
-1. Make sure Defender for Endpoint is provisioned. As a Global Administrator, go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. Then, in the navigation pane, select **Assets** > **Devices**. 
+1. Make sure Defender for Endpoint is provisioned. As a Security Administrator, go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. Then, in the navigation pane, select **Assets** > **Devices**. 
 
    The following table shows what your screen might look like and what it means.
 
diff --git a/defender-endpoint/tamperprotection-macos.md b/defender-endpoint/tamperprotection-macos.md
@@ -74,8 +74,11 @@ You can configure the tamper protection mode by providing the mode name as enfor
 
 ## Before you begin
 
+Make sure that the following requirements are met:
+
 - Supported macOS versions: Big Sur (11), or later
 - Minimum required version for Defender for Endpoint: `101.70.19`
+- You have an appropriate role assigned (see [Create and manage roles for role-based access control](user-roles.md))
 
 > [!IMPORTANT]
 > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
@@ -87,7 +90,7 @@ You can configure the tamper protection mode by providing the mode name as enfor
 - Ensure that Defender for Endpoint has **Full Disk Access** authorization.
 
    > [!NOTE]
-   > Both having SIP enabled and all configuration done via MDM is not mandatory, but required for a fully secured device, as otherwise a local admin still can make tampering changes that macOS manages. For example, enabling **TCC** (Transparency, Consent & Control) through a Mobile Device Management solution such as [Intune](mac-install-with-intune.md), will eliminate the risk of a Global Administrator revoking **Full Disk Access** Authorization by a local admin.
+   > Both having SIP enabled and all configuration done via MDM is not mandatory, but is required for a fully secured device. Otherwise, a local administrator can make tampering changes that macOS manages. For example, enabling **TCC** (Transparency, Consent & Control) through a Mobile Device Management solution such as [Intune](mac-install-with-intune.md), will eliminates the risk of a Security Administrator revoking **Full Disk Access** Authorization by a local admin.
 
 ## Configure tamper protection on macOS devices
 
@@ -134,7 +137,7 @@ sudo mdatp config tamper-protection enforcement-level --value block
 ![Image of manual configuration command](media/manual-config-cmd.png)
 
 > [!NOTE]
-> You must use managed configuration profile (deployed via MDM) on production devices. If a local admin changed tamper protection mode via a manual configuration, they can change it to a less restrictive mode at any time as well. If tamper protection mode was set via a managed profile, only a Global Administrator will be able to undo it.
+> You must use managed configuration profile (deployed via MDM) on production devices. If a local admin changed tamper protection mode via a manual configuration, they can change it to a less restrictive mode at any time as well. If tamper protection mode was set via a managed profile, only a Security Administrator will be able to undo it.
 
 2. Verify the result.
 
@@ -409,14 +412,14 @@ As an example, macOS can upgrade Defender's package, if tamper protection verifi
 There are other exclusions as well.
 For example, macOS MDM process can replace Microsoft's Defender's managed configuration files.
 
-There are situations when a Global Administrator needs to restart Defender on all or some managed devices.
+There are situations when a Security Administrator needs to restart Defender on all or some managed devices.
 Typically it's done by creating and running a JAMF's policy that runs a script on remote devices (or similar operations for other MDM vendors.)
 
 In order to avoid marking those policy-initiated operations, Microsoft Defender detects those MDM policy processes for JAMF and Intune, and permits tampering operations from them. At the same time, tamper protection blocks the same script from restarting Microsoft Defender, if it's started from a Terminal locally.
 
 However, those policy running processes are vendor specific.
 While Microsoft Defender provides built-in exclusions for JAMF and Intune, it can't provide those exclusions for all possible MDM vendors.
-Instead, a Global Administrator can add their own exclusions to tamper protection.
+Instead, a Security Administrator can add their own exclusions to tamper protection.
 Exclusions can be done only through MDM profile, not local configuration.
 
 To do that, you need to first figure out the path to the MDM helper process that runs policies. You can do it either by following the MDM vendor's documentation. You can also initiate tampering with a test policy, get an alert in the Security Portal, inspect the hierarchy of processes that initiated the attack, and pick the process that looks like an MDM helper candidate.
@@ -497,7 +500,7 @@ Configure [preferences](mac-preferences.md#exclusions), for example for JAMF:
 </plist>
 ```
 
-Note, that excluding a scripting interpreter (like Ruby from the example above) instead of a compiled executable isn't secure, as it can run *any script*, not just the one that a Global Administrator uses.
+Note, that excluding a scripting interpreter (like Ruby from the example above) instead of a compiled executable isn't secure, as it can run *any script*, not just the one that a Security Administrator uses.
 
 To minimize the risk, we recommend using extra `args` to allow only specific scripts to run with scripting interpreters.
 In the example above, only `/usr/bin/ruby /usr/local/bin/global_mdatp_restarted.rb` is permitted to restart Defender.
@@ -530,7 +533,7 @@ configuration_is_managed                    : false
 
 - `tamper_protection` is the *effective* mode. If this mode is the mode you intended to use, then you're all set.
 - `configuration_source` indicates how tamper protection enforcement level is set. It must match how you configured tamper protection. (If you set its mode through a managed profile, and `configuration_source` shows something different, then you most probably misconfigured your profile.)
-  - `mdm` - it's configured through a managed profile. Only a Global Administrator can change it with an update to the profile!
+  - `mdm` - it's configured through a managed profile. Only a Security Administrator can change it with an update to the profile!
   - `local` - it's configured with `mdatp config` command
   - `portal` - default enforcement level set in Security Portal
   - `defaults` - not configured, the default mode is used
