Merge branch 'main' into patch-17

Author: chrisda

ATPDocs/role-groups.md

@@ -41,7 +41,7 @@ The following table details the specific permissions required for Defender for I
 | ------------------- | ---------------------- |
 | **Onboard Defender for Identity** (create workspace)   |  [Security Administrator](/entra/identity/role-based-access-control/permissions-reference) |
 | **Configure Defender for Identity settings**      | One of the following Microsoft Entra roles:<br>- [Security Administrator](/entra/identity/role-based-access-control/permissions-reference)<br>- [Security Operator](/entra/identity/role-based-access-control/permissions-reference)<br> **Or** <br>The following [Unified RBAC permissions](#unified-role-based-access-control-rbac):<br />- `Authorization and settings/Security settings/Read`<br/>- `Authorization and settings/Security settings/All permissions`<br/>- `Authorization and settings/System settings/Read`<br/>- `Authorization and settings/System settings/All permissions` |
-|**View Defender for Identity settings**      | One of the following Microsoft Entra roles:<br>- [Global Reader](/entra/identity/role-based-access-control/permissions-reference)<br>- [Security Reader](/entra/identity/role-based-access-control/permissions-reference) <br> **Or** <br>The following [Unified RBAC permissions](#unified-role-based-access-control-rbac):<br />- `Authorization and settings/Security settings/Read` <br/>- `Authorization and settings/System settings/Read`|
+|**View Defender for Identity settings**      | Microsoft Entra roles:<br>- [Security Reader](/entra/identity/role-based-access-control/permissions-reference) <br> **Or** <br>The following [Unified RBAC permissions](#unified-role-based-access-control-rbac):<br />- `Authorization and settings/Security settings/Read` <br/>- `Authorization and settings/System settings/Read`|
 |**Manage Defender for Identity security alerts and activities**                           | One of the following Microsoft Entra roles:<br>- [Security Operator](/entra/identity/role-based-access-control/permissions-reference)<br> **Or** <br>The following [Unified RBAC permissions](#unified-role-based-access-control-rbac):<br />- `Security operations/Security data/Alerts (Manage)`<br/>- `Security operations/Security data /Security data basics (Read)` |
 | **View Defender for Identity security assessments** <br> (now part of Microsoft Secure Score) | [Permissions](/microsoft-365/security/defender/microsoft-secure-score#required-permissions) to access Microsoft Secure Score <br> **And** <br> The following [Unified RBAC permissions](#unified-role-based-access-control-rbac): `Security operations/Security data /Security data basics (Read)`|
 |**View the Assets / Identities page**|[Permissions](/defender-cloud-apps/manage-admins) to access Defender for Cloud Apps <br> **Or** <br> One of the Microsoft Entra roles required by [Microsoft Defender XDR](/microsoft-365/security/defender/m365d-permissions) |

ATPDocs/security-assessment.md

@@ -9,13 +9,13 @@ ms.topic: how-to
 
 Typically, organizations of all sizes have limited visibility into whether or not their on-premises apps and services could introduce a security vulnerability to their organization. The problem of limited visibility is especially true regarding use of unsupported or outdated components.
 
-While your company may invest significant time and effort on hardening identities and identity infrastructure (such as Active Directory, Active Directory Connect) as an on-going project, it's easy to remain unaware of common misconfigurations and use of legacy components that represent one of the greatest threat risks to your organization. 
+While your company might invest significant time and effort on hardening identities and identity infrastructure (such as Active Directory, Active Directory Connect) as an ongoing project, it's easy to remain unaware of common misconfigurations and use of legacy components that represent one of the greatest threat risks to your organization. 
 
 Microsoft security research reveals that most identity attacks utilize common misconfigurations in Active Directory and continued use of legacy components (such as NTLMv1 protocol) to compromise identities and successfully breach your organization. To combat this effectively, Microsoft Defender for Identity now offers proactive identity security posture assessments to detect and recommend actions across your on-premises Active Directory configurations.
 
 ## What do Defender for Identity security assessments provide?
 
-Defender for Identity's security posture assessments are available in [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score), and provide:
+Defender for Identity security posture assessments are available in [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score), and provide:
 
 - **Detections and contextual data** on known exploitable components and misconfigurations, along with relevant paths for remediation.
 
@@ -25,11 +25,21 @@ Defender for Identity's security posture assessments are available in [Microsoft
 
 Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at <https://security.microsoft.com/securescore> in the [Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-defender).
 
+### Categorization of Defender for Identity security posture assessments
+
+Defender for Identity security posture assessments have five key categories. Each category addresses specific identity security risks and provides remediation guidance.
+
+- **Hybrid security**: Identifies misconfigurations in environments that integrate on-premises (e.g., Active Directory) and cloud-based identity providers (e.g., Entra ID, Okta). Assesses risks related to synchronization, authentication, and authorization across platforms.
+- **Identity infrastructure**: Detects misconfigurations and vulnerabilities in core identity components, including domain controllers.
+- **Certificates**: Assesses Active Directory Certificate Services (AD CS) for security gaps, such as misconfigured certificate templates or weak certificate authority settings. Identifying and addressing these issues helps prevent unauthorized access that could arise from certificate-related vulnerabilities.
+- **Group policy**: Analyzes Group Policy configurations to identify settings that might allow privilege escalation or unauthorized lateral movement within the network. Ensuring secure Group Policy settings helps maintain proper access controls and system configurations.
+- **Accounts**: Reviews users, devices, and groups to pinpoint security risks such as weak passwords, inactive accounts, or improper permissions.
+
 ## Access Defender for Identity security posture assessments
 
+> [!NOTE]
 You must have a Defender for Identity license to view Defender for Identity security posture assessments in Microsoft Secure Score.
-
-While *certificate template* assessments are available to all customers that have AD CS installed on their environment, *certificate authority* assessments are available only to customers who've installed a sensor on an AD CS server. For more information, see [Configuring sensors for AD FS and AD CS](deploy/active-directory-federation-services.md).
+While *certificate template* assessments are available to all customers with AD CS installed in their environment, *certificate authority* assessments are available only to customers who have installed a sensor on an AD CS server. For more information, see [Configuring sensors for AD FS and AD CS](deploy/active-directory-federation-services.md).
 
 **To access identity security posture assessments**:
 

ATPDocs/toc.yml

@@ -158,88 +158,92 @@ items:
       href: remediation-actions.md
   - name: Security posture
     items:
-    - name: Accounts with non-default Primary Group ID
-      href: accounts-with-non-default-pgid.md
-    - name: Built-in Active Directory Guest account is enabled
-      href: built-in-active-directory-guest-account-is-enabled.md
-    - name: Ensure privileged accounts are not delegated
-      href: ensure-privileged-accounts-with-sensitive-flag.md
-    - name: Change Domain Controller computer account old password
-      href: domain-controller-account-password-change.md
-    - name: Change password of built-in domain Administrator account
-      href: change-password-domain-administrator-account.md
-    - name: GPO assigns unprivileged identities to local groups with elevated privileges
-      href: gpo-assigns-unprivileged-identities.md
-    - name: Overview
-      href: security-assessment.md
-      displayName: security posture, security assessment
-    - name: Reversible passwords found in GPOs
-      href: reversible-passwords-group-policy.md
-    - name: GPO can be modified by unprivileged accounts
-      href: modified-unprivileged-accounts-gpo.md
-    - name: Change password for krbtgt account
-      href: change-password-krbtgt-account.md
-    - name: Unsafe permissions on the DnsAdmins group
-      href: unsafe-permissions-dns-admins-group.md
-    - name: Change password for Microsoft Entra seamless SSO account
-      href: change-password-microsoft-entra-seamless-single-sign-on.md
-      displayName: Microsoft Entra connect
-    - name: "Rotate password for Microsoft Entra Connect connector account "
-      href: rotate-password-microsoft-entra-connect.md
-      displayName: Microsoft Entra Connect
-    - name: Admin SDHolder permissions
-      href: security-assessment-remove-suspicious-access-rights.md
-    - name: DCSync permissions
-      href: security-assessment-non-admin-accounts-dcsync.md
-    - name: Deploy Defender for Identity
-      href: security-assessment-deploy-defender-for-identity.md
-    - name: Domain controllers with Print spooler service available assessment
-      href: security-assessment-print-spooler.md
-    - name: Dormant entities in sensitive groups assessment
-      href: security-assessment-dormant-entities.md
-    - name: Enforce encryption for RPC certificate enrollment interface  (ESC8)
-      href: security-assessment-enforce-encryption-rpc.md
-    - name: Entities exposing credentials in clear text assessment
-      href: security-assessment-clear-text.md
-    - name: Remove unnecessary replication permissions for Microsoft Entra Connect connector account
-      href: remove-replication-permissions-microsoft-entra-connect.md
-      displayName: Microsoft Entra Connect
-    - name: Insecure ADCS certificate enrollment IIS endpoints (ESC8)
-      href: security-assessment-insecure-adcs-certificate-enrollment.md
-    - name: LAPS usage assessment
-      href: security-assessment-laps.md
-    - name: Misconfigured Certificate Authority ACL  (ESC7)
-      href: security-assessment-edit-misconfigured-ca-acl.md
-    - name: Misconfigured certificate templates ACL (ESC4)
-      href: security-assessment-edit-misconfigured-acl.md
-    - name: Misconfigured certificate templates owner  (ESC4)
-      href: security-assessment-edit-misconfigured-owner.md
-    - name: Misconfigured enrollment agent certificate template  (ESC3)
-      href: security-assessment-edit-misconfigured-enrollment-agent.md
-    - name: Overly permissive certificate template with privileged EKU (ESC2)
-      href: security-assessment-edit-overly-permissive-template.md
-    - name: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
-      href: prevent-certificate-enrollment-esc15.md
-    - name: Prevent requests for certificates valid for arbitrary users  (ESC1)
-      href: security-assessment-prevent-users-request-certificate.md
-    - name: Remove local admins on identity assets
-      href: security-assessment-remove-local-admins.md      
-    - name: Riskiest lateral movement paths
-      href: security-assessment-riskiest-lmp.md
-    - name: Unmonitored domain controllers
-      href: security-assessment-unmonitored-domain-controller.md
-    - name: Unsecure account attributes
-      href: security-assessment-unsecure-account-attributes.md
-    - name: Unsecure domain configurations
-      href: security-assessment-unsecure-domain-configurations.md
-    - name: Unsecure Kerberos delegation assessment
-      href: security-assessment-unconstrained-kerberos.md
-    - name: Unsecure SID History attributes
-      href: security-assessment-unsecure-sid-history-attribute.md
-    - name: Vulnerable Certificate Authority setting (ESC6)
-      href: security-assessment-edit-vulnerable-ca-setting.md
-    - name: Weak cipher usage assessment
-      href: security-assessment-weak-cipher.md
+     - name: Overview
+       href: security-assessment.md
+     - name: Hybrid security
+       items:
+       - name: Change password for Microsoft Entra seamless SSO account
+         href: change-password-microsoft-entra-seamless-single-sign-on.md
+         displayName: Microsoft Entra connect
+       - name: Rotate password for Microsoft Entra Connect connector account
+         href: rotate-password-microsoft-entra-connect.md
+         displayName: Microsoft Entra Connect
+       - name: Remove unnecessary replication permissions for Microsoft Entra Connect connector account
+         href: remove-replication-permissions-microsoft-entra-connect.md
+     - name: Identity infrastructure
+       items:
+       - name: Built-in Active Directory Guest account is enabled
+         href: built-in-active-directory-guest-account-is-enabled.md
+       - name: Change Domain Controller computer account old password
+         href: domain-controller-account-password-change.md
+       - name: Domain controllers with Print spooler service available assessment
+         href: security-assessment-print-spooler.md
+       - name: Remove local admins on identity assets
+         href: security-assessment-remove-local-admins.md   
+       - name: Unmonitored domain controllers
+         href: security-assessment-unmonitored-domain-controller.md
+       - name: Unsecure domain configurations
+         href: security-assessment-unsecure-domain-configurations.md
+     - name: Certificates
+       items: 
+        - name: Enforce encryption for RPC certificate enrollment interface  (ESC8)
+          href: security-assessment-enforce-encryption-rpc.md
+        - name: Insecure ADCS certificate enrollment IIS endpoints (ESC8)
+          href: security-assessment-insecure-adcs-certificate-enrollment.md
+        - name: Misconfigured certificate templates owner  (ESC4)
+          href: security-assessment-edit-misconfigured-owner.md
+        - name: Misconfigured Certificate Authority ACL  (ESC7)
+          href: security-assessment-edit-misconfigured-ca-acl.md
+        - name: Misconfigured certificate templates ACL (ESC4)
+          href: security-assessment-edit-misconfigured-acl.md
+        - name: Misconfigured enrollment agent certificate template  (ESC3)
+          href: security-assessment-edit-misconfigured-enrollment-agent.md    
+        - name: Overly permissive certificate template with privileged EKU (ESC2)
+          href: security-assessment-edit-overly-permissive-template.md
+        - name: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
+          href: prevent-certificate-enrollment-esc15.md
+        - name: Prevent requests for certificates valid for arbitrary users  (ESC1)
+          href: security-assessment-prevent-users-request-certificate.md
+        - name: Vulnerable Certificate Authority setting (ESC6)
+          href: security-assessment-edit-vulnerable-ca-setting.md
+     - name: Group policy 
+       items: 
+        - name: GPO assigns unprivileged identities to local groups with elevated privileges
+          href: gpo-assigns-unprivileged-identities.md
+        - name: GPO can be modified by unprivileged accounts
+          href: modified-unprivileged-accounts-gpo.md
+        - name: Reversible passwords found in GPOs
+          href: reversible-passwords-group-policy.md
+     - name: Accounts
+       items: 
+         - name: Accounts with non-default Primary Group ID
+           href: accounts-with-non-default-pgid.md 
+         - name: Admin SDHolder permissions
+           href: security-assessment-remove-suspicious-access-rights.md
+         - name: Change password for krbtgt account
+           href: change-password-krbtgt-account.md
+         - name: Change password of built-in domain Administrator account
+           href: change-password-domain-administrator-account.md
+         - name: Dormant entities in sensitive groups assessment
+           href: security-assessment-dormant-entities.md
+         - name: DCSync permissions
+           href: security-assessment-non-admin-accounts-dcsync.md
+         - name: Ensure privileged accounts are not delegated
+           href: ensure-privileged-accounts-with-sensitive-flag.md
+         - name: Entities exposing credentials in clear text assessment
+           href: security-assessment-clear-text.md
+         - name: LAPS usage assessment
+           href: security-assessment-laps.md
+         - name: Riskiest lateral movement paths
+           href: security-assessment-riskiest-lmp.md
+         - name: Unsecure Kerberos delegation assessment
+           href: security-assessment-unconstrained-kerberos.md
+         - name: Unsecure SID History attributes
+           href: security-assessment-unsecure-sid-history-attribute.md
+         - name: Unsecure account attributes
+           href: security-assessment-unsecure-account-attributes.md
+         - name: Weak cipher usage assessment
+           href: security-assessment-weak-cipher.md
 - name: Reference
   items:
   - name: Operations guide

ATPDocs/whats-new.md

@@ -25,9 +25,7 @@ For updates about versions and features released six months ago or earlier, see
 ## March 2025
 
 ### New LDAP query events added to the IdentityQueryEvents table in Advanced Hunting
-New LDAP query events will be added by March 6th to the `IdentityQueryEvents` table in Advanced Hunting to provide more visibility into additional LDAP search queries running in the customer environment.
-This update may lead to an increase in activity within the Advanced Hunting IdentityQueryEvents table for LDAP queries. If you have custom detections related to these queries, you may see a higher number of triggered alerts.
-We recommend that you review your existing custom detections to ensure they align with your objectives. If needed, you can adjust your query accordingly.
+New LDAP query events were added to the `IdentityQueryEvents` table in Advanced Hunting to provide more visibility into additional LDAP search queries running in the customer environment.
 
 ## February 2025
 

CloudAppSecurityDocs/app-governance-get-started.md

@@ -18,12 +18,17 @@ Before you start, verify that you satisfy the following prerequisites:
 - Microsoft Defender for Cloud Apps must be present in your account as either a standalone product or as part of the various [license](#licensing) packages.
 
   If you aren't already a Defender for Cloud Apps customer, you can [sign up for a free trial](https://www.microsoft.com/security/business/cloud-apps-defender).
-
+  
 - You must have [one of the appropriate roles](#roles) to turn on app governance and access it.
 
 
 - Your organization's billing address must be in a region **other than** Brazil, Singapore, Latin America, South Korea, Switzerland, Norway, Poland, Italy, Qatar, Israel, Spain, Mexico, South Africa, Sweden, or United Arab Emirates.
 
+> [!IMPORTANT]
+> Connect to Microsoft 365 connector to get visibility into activities and specific resources accessed by OAuth apps in the Microsoft Defender XDR advanced hunting blade. This will enhance your ability to investigate and respond to certain threat detection policy alerts generated by app governance.
+>
+> Learn how to [connect to the Microsoft 365 connector](/defender-cloud-apps/protect-office-365).
+
 ## Turn on app governance
 
 If your organization satisfies the [prerequisites](#prerequisites), go to [Microsoft Defender XDR > Settings > Cloud Apps > App governance](https://security.microsoft.com/cloudapps/settings) and select **Use app governance**. For example: