Merge branch 'main' into diannegali-crosscloudmto

Author: diannegali

.github/workflows/AutoLabelMsftContributor.yml

@@ -31,4 +31,5 @@ jobs:
           PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
         secrets:
           AccessToken: ${{ secrets.GITHUB_TOKEN }}
-          TeamReadAccessToken: ${{ secrets.ORG_READTEAMS_TOKEN }}
+          ClientId: ${{ secrets.M365_APP_CLIENT_ID }}
+          PrivateKey: ${{ secrets.M365_APP_PRIVATE_KEY }}

.github/workflows/StaleBranch.yml

@@ -0,0 +1,25 @@
+name: (Scheduled) Stale branch removal
+
+permissions:
+  contents: write
+      
+on:
+  schedule:
+    - cron: "0 */12 * * *"
+
+  workflow_dispatch:
+  
+
+jobs:
+
+  stale-branch:
+    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-StaleBranch.yml@workflows-prod
+    with:
+        PayloadJson: ${{ toJSON(github) }}
+        RepoBranchSkipList: '[
+                              "ExampleBranch1",
+                              "ExampleBranch2"
+                             ]'
+        ReportOnly: true
+    secrets:
+        AccessToken: ${{ secrets.GITHUB_TOKEN }}

.openpublishing.redirection.defender-endpoint.json

@@ -1,5 +1,15 @@
 {
   "redirections": [
+    {
+      "source_path": "defender-endpoint/threat-analytics-analyst-reports.md",
+      "redirect_url": "/defender-xdr/threat-analytics-analyst-reports",
+      "redirect_document_id": false
+    },    
+    {
+      "source_path": "defender-endpoint/threat-analytics.md",
+      "redirect_url": "/defender-xdr/threat-analytics",
+      "redirect_document_id": false
+    },    
     {
       "source_path": "defender-endpoint/configure-microsoft-threat-experts.md",
       "redirect_url": "/defender-xdr/defender-experts-for-hunting",
@@ -84,6 +94,21 @@
       "source_path": "defender-endpoint/monthly-security-summary-report.md",
       "redirect_url": "/defender-endpoint/threat-protection-reports#monthly-security-summary",
       "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-endpoint/run-analyzer-macos-linux.md",
+      "redirect_url": "/defender-endpoint/overview-client-analyzer",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-endpoint/download-client-analyzer.md",
+      "redirect_url": "/defender-endpoint/overview-client-analyzer",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-endpoint/comprehensive-guidance-on-linux-deployment.md",
+      "redirect_url": "/defender-endpoint/linux-installer-script",
+      "redirect_document_id": true
     }    
   ]
 }

.openpublishing.redirection.defender-xdr.json

@@ -259,6 +259,61 @@
       "source_path": "defender-xdr/microsoft-sentinel-onboard.md",
       "redirect_url": "/unified-secops-platform/microsoft-sentinel-onboard",
       "redirect_document_id": false
-    }
+    },
+    {
+      "source_path": "defender-xdr/first-incident-path-phishing.md",
+      "redirect_url": "/security/operations/incident-response-playbook-phishing",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/first-incident-path-identity.md",
+      "redirect_url": "/defender-for-identity/manage-security-alerts",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/incident-response-overview.md",
+      "redirect_url": "/defender-xdr/incidents-overview",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-xdr/respond-first-incident-analyze.md",
+      "redirect_url": "/defender-xdr/investigate-incidents",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-xdr/respond-first-incident-365-defender.md",
+      "redirect_url": "/defender-xdr/manage-incidents",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-xdr/export-incidents-queue.md",
+      "redirect_url": "/defender-xdr/incident-queue",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-xdr/respond-first-incident-remediate.md",
+      "redirect_url": "/defender-xdr/incidents-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/m365d-time-zone.md",
+      "redirect_url": "/defender-xdr/m365d-enable-faq",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-xdr/feedback.md",
+      "redirect_url": "/defender-xdr/m365d-enable-faq",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/microsoft-365-defender-integration-with-azure-sentinel.md",
+      "redirect_url": "/azure/sentinel/microsoft-365-defender-sentinel-integration",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/microsoft-365-security-center-defender-cloud.md",
+      "redirect_url": "/azure/defender-for-cloud/concept-integration-365",
+      "redirect_document_id": false
+    }                                                
   ]
 }

ATPDocs/deploy/activate-capabilities.md

@@ -7,20 +7,20 @@ ms.topic: how-to
 
 # Activate Microsoft Defender for Identity capabilities directly on a domain controller
 
-Microsoft Defender for Endpoint customers, who have already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using a [Microsoft Defender for Identity sensor](deploy-defender-identity.md).
+Microsoft Defender for Endpoint customers, who have already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using [Microsoft Defender for Identity classic sensor](deploy-defender-identity.md).
 
 This article describes how to activate and test Microsoft Defender for Identity capabilities on your domain controller.
 
 > [!IMPORTANT]
-> The new sensor is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor [here](quick-installation-guide.md).
+> The new Defender for Identity sensor (version 3.x) is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor [here](quick-installation-guide.md).
 
 ## Prerequisites
 
 Before activating the Defender for Identity capabilities on your domain controller, make sure that your environment complies with the prerequisites in this section.
 
 ### Defender for Identity sensor conflicts
 
-The configuration described in this article doesn't support side-by-side installation with an existing Defender for Identity sensor, and isn't recommended as a replacement for the Defender for Identity sensor.
+The configuration described in this article doesn't support side-by-side installation with an existing Defender for Identity sensor, and isn't recommended as a replacement for the Defender for Identity classic sensor.
 
 Make sure that the domain controller where you're planning to activate Defender for Identity capabilities doesn't have a [Defender for Identity sensor](deploy-defender-identity.md) deployed.
 
@@ -88,12 +88,16 @@ Activate the Defender for Identity from the [Microsoft Defender portal](https://
 
    The Activation page lists servers discovered in Device Inventory and identified as eligible domain controllers. 
 
-2. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
+1. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
+
+    :::image type="content" source="media/activate-capabilities/1.jpg" lightbox="media/activate-capabilities/1.jpg" alt-text="Screenshot that shows how to activate the new sensor.":::
 
     > [!NOTE]
     > You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they're discovered, or manually, where you select specific domain controllers from the list of eligible servers.
 
-3. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.
+1. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
+
+    :::image type="content" source="media/activate-capabilities/2.jpg" lightbox="media/activate-capabilities/2.jpg" alt-text="Screenshot that shows how to seethe onboarded servers.":::
 
 ## Onboarding Confirmation 
 
@@ -104,7 +108,7 @@ To confirm the sensor has been onboarded:
 2. Check that the onboarded domain controller is listed. 
 
 > [!NOTE]
->  The activation doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
+> The activation doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
 
 ## Test activated capabilities
 
@@ -126,7 +130,6 @@ In the Defender portal, select **Identities** > **Dashboard**, and review the de
 
 For more information, see [Work with Defender for Identity's ITDR dashboard](../dashboard.md).
 
-
 ### Confirm entity page details
 
 Confirm that entities, such as domain controllers, users, and groups, are populated as expected. 
@@ -139,7 +142,7 @@ In the Defender portal, check for the following details:
 
 - **Group entities**: Use the global search to find a user group, or pivot from a user or device details page where group details are shown. Check for details of group membership, view group users, and group timeline data.
 
-    If no event data is found on the group timeline, you may need to create some manually. For example, do this by adding and removing users from the group in Active Directory.
+   If no event data is found on the group timeline, you may need to create some manually. For example, do this by adding and removing users from the group in Active Directory.
 
 For more information, see [Investigate assets](../investigate-assets.md).
 
@@ -205,18 +208,20 @@ Test remediation actions on a test user. For example:
 
 1. In the Defender portal, go to the user details page for a test user.
 
-1. From the **Options** menu, select any of the available remediation actions.
+2. From the **Options** menu, select any of the available remediation actions.
 
-1. Check Active Directory for the expected activity.
+3. Check Active Directory for the expected activity.
 
 For more information, see [Remediation actions in Microsoft Defender for Identity](../remediation-actions.md).
 
 ## Deactivate Defender for Identity capabilities on your domain controller
 
 If you want to deactivate Defender for Identity capabilities on your domain controller, delete it from the **Sensors** page:
 
-1. In the Defender portal, select **Settings > Identities > Sensors**.
-1. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
+1. In the Defender portal, select **Settings** > **Identities** > **Sensors**.
+2. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
+
+    :::image type="content" source="media/activate-capabilities/3.jpg" lightbox="media/activate-capabilities/3.jpg" alt-text="Screenshot that shows how to deactivate a server.":::
 
 Deactivating Defender for Identity capabilities from your domain controller doesn't remove the domain controller from Defender for Endpoint. For more information, see [Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/).
 

ATPDocs/deploy/media/activate-capabilities/1.jpg

@@ -39,6 +39,12 @@ This section describes all the health issues for each component, listing the cau
 
 Sensor-specific health issues are displayed in the **Sensor health issues** tab and domain related or aggregated health issues are displayed in the **Global health issues** tab as detailed in the following tables:
 
+### Network configuration mismatch for sensors running on VMware
+
+|Alert|Description|Resolution|Severity|Displayed in|
+|----|----|----|----|----|
+|The virtual machines that the listed Defender for Identity sensors are installed on has a network configuration mismatch. This issue may affect the performance and reliability of the sensors.|Review the network interface settings, including disabling the Large Send Offload (LSO), and follow the instructions in [here](https://aka.ms/mdi/vmware-sensor-issue).|High|Sensors health issues tab|
+
 ### A domain controller is unreachable by a sensor
 
 |Alert|Description|Resolution|Severity|Displayed in|

ATPDocs/deploy/media/activate-capabilities/2.jpg

@@ -0,0 +1,133 @@
+---
+# Required metadata
+# For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main
+# For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main
+
+title: Identity inventory
+description: The Identity Inventory provides a centralized location for customers to view and manage identity information across their environment, ensuring optimal visibility and a comprehensive experience. The updated Identities Inventory page, located under Assets in Defender XDR portal
+author:      LiorShapiraa # GitHub alias
+ms.author: liorshapira
+ms.service: microsoft-defender-for-identity
+ms.topic: article
+ms.date:     03/13/2025
+---
+
+# Identity inventory
+
+__Applies to:__
+
+- [Microsoft Defender for Identity](https://aka.ms/aatp/docs)
+
+- [Microsoft Defender for Cloud Apps](/defender-cloud-apps/)
+
+- [Microsoft Defender XDR](/defender-xdr)
+
+The __Identity inventory__ provides a centralized view of all identities in your organization, enabling you to monitor and manage them efficiently. At a glance, you can see key details such as Domain, Tags, Type, and other attributes, helping you quickly identify and manage identities that require attention.
+
+The Identities inventory page includes the following tabs:
+
+- **Identities**: A consolidated view of identities across Active Directory, Entra ID. This Identities tab highlights key details, including identity types, and user's information.
+
+- **Cloud application accounts:** Displays a list of cloud application accounts, including those from application connectors and third-party sources (original available in the previous version based on Microsoft Defender for Cloud Apps). Learn more about [Cloud application accounts from connected apps.](/defender-cloud-apps/accounts) 
+
+There are several options you can choose from to customize the identities list view. On the top navigation you can:
+
+- Add or remove columns.
+
+- Apply filters.
+
+- Search for an identity by name or full UPN, Sid and Object ID. 
+
+- Export the list to a CSV file.
+
+- Copy list link with the included filters configured. 
+
+## ![A screenshot of identity inventory page.](media/identity-inventory/inventory11.png)  
+
+### Identity details 
+
+The **Identities** list offers a consolidated view of identities across Active Directory and Entra ID. It highlights key details, including the following columns by default:
+
+- __Display name__ – The full name of the identity as shown in the directory.
+
+- __SID__ – The Security Identifier, a unique value used to identify the identity in Active Directory.
+
+- __Domain__ – The Active Directory domain to which the identity belongs.
+
+- __Object ID__ – A unique identifier for the identity in Entra ID.
+
+- __Source__ – Indicates whether the identity is on-premises (originate from Active Directory), Cloud only (Entra ID) or Hybrid (synced from AD to Entra ID).
+
+- __Type__ – Specifies if the identity is a user account or service account.
+
+- __UPN (User Principal Name)__ – The unique login name of the identity in an email-like format.
+
+- __Tags__ – Custom labels that help categorize or classify identities: Sensitive and Honeytoken.
+
+- __Created time__ – The timestamp when the identity was first created.
+
+- __Criticality level__ – Indicates the critical level of the identity.
+
+- __Account status__ – Shows whether the identity is enabled or disabled.
+
+- __Last updated__ – The timestamp of the most recent update to the identity's attributes in Active Directory.
+
+Non-default columns: Email and Entra ID risk level.  
+
+> [!TIP]
+> To see all columns, you likely need to do one or more of the following steps:
+> - Horizontally scroll in your web browser.
+> - Narrow the width of appropriate columns.
+> - Zoom out in your web browser.
+
+### Sort and filter the Identities list
+
+You can apply the following filters to limit the list of identities and get a more focused view:
+
+- Domain
+
+- Type
+
+- Source
+
+- Tags
+
+- Criticality level
+
+- Account status
+
+Sort option applies to Display name, Domain and Created time columns.
+
+### Identity inventory insights 
+
+- The __Classify critical assets__ card allows you to define identity groups as business critical. For more information, see [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management). 
+
+- **Highly privileged identities** card helps you investigate in Advanced hunting all sensitive accounts in your organization, including Entra ID security administrators and Global admin users.
+
+- **Critical Active Directory service accounts** card helps you quickly identify all Active Directory accounts designated as critical, making it easier to focus on identities most at risk.
+
+At the top of each device inventory tab, the following device counts are available:
+
+- __Total__: The total number of identities. 
+
+- __Critical:__ The number of your critical assets. 
+
+- **Disabled:** The number of all disabled identities in your organization. 
+
+- **Services:** The number of all service accounts both on-premises and cloud.
+
+You can use this information to help you prioritize devices for security posture improvements.
+
+### Navigate to the Identity inventory page
+
+Use relative links instead of absolute links. 
+In the Defender XDR portal at [https://security.microsoft.com](https://security.microsoft.com), go to Assets > Identities. Or, to navigate directly to the [identity inventory](/defender-for-identity/identity-inventory) page.
+
+### Related Articles
+
+- [Investigate cloud application accounts](/defender-cloud-apps/accounts)
+
+- [Investigate users in Microsoft Defender XDR](/defender-xdr/investigate-users) 
+
+- [Investigate assets in Microsoft Defender for Identity](/defender-for-identity/investigate-assets)
+