Merge pull request #3117 from MicrosoftDocs/main

Published main to live, Wednesday 10:30 AM PDT, 03/12

Author: padmagit77

CloudAppSecurityDocs/behaviors.md

@@ -22,6 +22,9 @@ Behaviors are attached to MITRE attack categories and techniques, and provide a
 
 While behaviors might be related to security scenarios, they're not necessarily a sign of malicious activity or a security incident. Each behavior is based on one or more raw events, and provides contextual insights into what occurred at a specific time, using information that Defender for Cloud Apps as learned or identified.
 
+> [!IMPORTANT]
+> Starting March 2025, Defender for Cloud Apps customers can configure Role-Based Access Control (RBAC) scoping for 'Behaviors.' This new capability empowers administrators to define and manage access permissions more precisely. Administrators can ensure that users have the appropriate level of access to specific application data based on their roles and responsibilities. For more information, see [how to configure admin access](/defender-cloud-apps/manage-admins).
+
 ## Supported detections
 
 Behaviors currently support low-fidelity, Defender for Cloud Apps detections, that may not meet the standard for alerts but are still useful in providing context during an investigation. Currently supported detections include:
@@ -121,7 +124,7 @@ BehaviorInfo
 
 ### Investigate behaviors for a specific user
 
-**Scenario**: Investigate all behaviors related to a specific user after understanding the user may have been compromised.
+**Scenario**: Investigate all behaviors related to a specific user after understanding the user might have been compromised.
 
 Use the following query, where *username* is the name of the user you want to investigate:
 
@@ -147,10 +150,6 @@ BehaviorEntities
 | project Timestamp, BehaviorId, ActionType, Categories, ServiceSource, AccountUpn, AccountObjectId, EntityType, EntityRole, RemoteIP, AccountName, AccountDomain
 ```
 
-### Role-Based Access Control (RBAC) scoping for 'Behaviors'
-
-Starting March 2025, Defender for Cloud Apps customers can configure Role-Based Access Control (RBAC) scoping for 'Behaviors'. This new capability empowers administrators to define and manage access permissions more precisely, ensuring that users have the appropriate level of access to specific application data based on their roles and responsibilities. Read more here on how to configure - [Configure admin access](https://learn.microsoft.com/defender-cloud-apps/manage-admins).
-
 ## Next steps
 
 - [TechCommunity Blog](https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/transform-the-way-you-investigate-by-using-behaviors-amp-new/ba-p/3825154)

CloudAppSecurityDocs/media/connect-an-app.png

@@ -49,8 +49,7 @@ To use Defender for Cloud Apps in the Microsoft Defender Portal:
     static2.sharepointonline.com
     *.blob.core.windows.net
     discoveryresources-cdn-prod.cloudappsecurity.com
-    discoveryresources-cdn-gov.cloudappsecurity.com
-    
+    discoveryresources-cdn-gov.cloudappsecurity.us    
     ```
 
 1. Allow the following items based on your data center:

CloudAppSecurityDocs/media/connect-office-365-components.png

@@ -8,7 +8,7 @@ ms.topic: how-to
 
 
 
-As a major productivity suite providing cloud file storage, collaboration, BI, and CRM tools, Microsoft 365 enables your users to share their documents across your organization and partners in a streamlined and efficient way. Using Microsoft 365 may expose your sensitive data not only internally, but also to external collaborators, or even worse make it publicly available via a shared link. Such incidents might occur due to malicious actor, or by an unaware employee. Microsoft 365 also provides a large third-party app eco-system to help boost productivity. Using these apps can expose your organization to the risk of malicious apps or use of apps with excessive permissions.
+As a major productivity suite providing cloud file storage, collaboration, BI, and CRM tools, Microsoft 365 enables your users to share their documents across your organization and partners in a streamlined and efficient way. Using Microsoft 365 might expose your sensitive data not only internally, but also to external collaborators, or even worse make it publicly available via a shared link. Such incidents might occur due to malicious actor, or by an unaware employee. Microsoft 365 also provides a large third-party app eco-system to help boost productivity. Using these apps can expose your organization to the risk of malicious apps or use of apps with excessive permissions.
 
 Connecting Microsoft 365 to Defender for Cloud Apps gives you improved insights into your users' activities, provides threat detection using machine learning based anomaly detections, information protection detections (such as detecting external information sharing), enables automated remediation controls, and detects threats from enabled third-party apps in your organization.
 
@@ -17,7 +17,11 @@ Defender for Cloud Apps integrates directly with [Microsoft 365's audit logs](/m
 [!INCLUDE [security-posture-management-connector](includes/security-posture-management-connector.md)]
 
 
-## File scanning improvements for Microsoft 365
+## File scanning updates for Microsoft 365
+
+To enhance file scanning efficiency and accuracy within Microsoft 365 environments, Defender for Cloud Apps has updated the file scanning process for Microsoft 365. Unless you activate information protection policies, Defender for Cloud Apps won't scan or store organizational files.
+
+When you actively use information protection policies, organizational files might have significant scanning durations due to high volumes of file scanning activities.
 
 Defender for Cloud Apps has added new file scanning improvements for SharePoint and OneDrive:
 
@@ -26,7 +30,7 @@ Defender for Cloud Apps has added new file scanning improvements for SharePoint
 - Better identification for a file's access level in SharePoint: file access level in SharePoint will be marked by default as **Internal**, and not as **Private** (since every file in SharePoint is accessible by the site owner, and not only by the file owner).
 
     >[!NOTE]
-    >This change could impact your file policies (if a file policy is looking for **Internal** or **Private** files in SharePoint).
+    >This change could affect your file policies (if a file policy is looking for **Internal** or **Private** files in SharePoint).
 
 ## Main threats
 
@@ -79,7 +83,7 @@ Review our best practices for [securing and collaborating with external users](b
 
 ## Defender for Cloud Apps integration with Microsoft 365
 
-Defender for Cloud Apps supports the legacy Microsoft 365 Dedicated Platform as well as the latest offerings of Microsoft 365 services, commonly referred as the *vNext* release family of Microsoft 365.
+Defender for Cloud Apps supports the legacy Microsoft 365 Dedicated Platform and the latest offerings of Microsoft 365 services, commonly referred as the *vNext* release family of Microsoft 365.
 
 In some cases, a vNext service release differs slightly at the administrative and management levels from the standard Microsoft 365 offering.
 
@@ -115,7 +119,9 @@ This section provides instructions for connecting Microsoft Defender for Cloud A
 
 [!INCLUDE [security-posture-management-connector](includes/security-posture-management-connector.md)]
 
-**Prerequisites**:
+#### Prerequisites:
+
+- To enable file monitoring of Microsoft 365 files, you must use a relevant Entra Admin ID, such as Application Administrator or Cloud Application Administrator. For more information, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference)
 
 - You must have at least one assigned Microsoft 365 license to connect Microsoft 365 to Defender for Cloud Apps.
 
@@ -126,22 +132,21 @@ This section provides instructions for connecting Microsoft Defender for Cloud A
 - You must [enable auditing in Power BI](/power-bi/admin/service-admin-auditing) to get the logs from there. Once auditing is enabled, Defender for Cloud Apps starts getting the logs (with a delay of 24-72 hours).
 - You must [enable auditing in Dynamics 365](/power-platform/admin/enable-use-comprehensive-auditing#enable-auditing) to get the logs from there. Once auditing is enabled, Defender for Cloud Apps starts getting the logs (with a delay of 24-72 hours).
 
-
 **To connect Microsoft 365 to Defender for Cloud Apps**:
 
 1. In the Microsoft Defender Portal, select **Settings**. Then choose **Cloud Apps**. Under **Connected apps**, select **App Connectors**.
 1. In the **App connectors** page, select **+Connect an app**, and then select **Microsoft 365**.
 
-    ![Connect O365 menu option.](media/connect-o365.png)
+    :::image type="content" source="media/connect-an-app.png" alt-text="Screenshot that shows the connect an app button." lightbox="media/connect-an-app.png":::
 
 1. In the **Select Microsoft 365 components** page, select the options you require, and then select **Connect**.
 
     > [!NOTE]
     >
     > - For best protection, we recommend selecting all Microsoft 365 components.
-    > - The **Azure AD files** component, requires the **Azure AD activities** component and Defender for Cloud Apps file monitoring (**Settings** > **Cloud Apps** > **Files** > **Enable file monitoring**).
+    > - The **Microsoft 365 files** component, requires enabling Defender for Cloud Apps file monitoring (**Settings** > **Cloud Apps** > **Files** > **Enable file monitoring**).
 
-    ![connect O365 components.](media/connect-o365-components.png)
+    :::image type="content" source="media/connect-office-365-components.png" alt-text="Screenshot showing the Connect Office 365 components page with the Microsoft 365 files box checked." lightbox="media/connect-office-365-components.png":::
 
 1. On the **Follow the link** page, select **Connect Microsoft 365**.
 

CloudAppSecurityDocs/network-requirements.md

@@ -21,14 +21,73 @@ For news about earlier releases, see [Archive of past updates for Microsoft Defe
 
 ## March 2025
 
-### RBAC scoping for "Behaviors" (Preview)
+### Role-Based Access Control scoping for "Behaviors" (Preview)
 
-Defender for Cloud Apps customers can now configure Role-Based Access Control (RBAC) scoping for 'Behaviors'. This new capability empowers administrators to define and manage access permissions more precisely, ensuring that users have the appropriate level of access to specific application data based on their roles and responsibilities. By leveraging RBAC scoping, organizations can enhance their security posture, streamline operations, and reduce the risk of unauthorized access.
+Defender for Cloud Apps customers can now configure Role-Based Access Control (RBAC) scoping for 'Behaviors.' This new capability allows administrators to define and manage access permissions more precisely. Administrators can ensure that users have the appropriate level of access to specific application data based on their roles and responsibilities. By using RBAC scoping, organizations can enhance their security posture, streamline operations, and reduce the risk of unauthorized access.
 
 For more information, see:
 
-- [Configure admin access](https://learn.microsoft.com/defender-cloud-apps/manage-admins)
-- [Investigate behaviors with advanced hunting (Preview)](https://learn.microsoft.com/defender-cloud-apps/behaviors)
+- [Configure admin access](/defender-cloud-apps/manage-admins)
+- [Investigate behaviors with advanced hunting (Preview)](/defender-cloud-apps/behaviors)
+
+## February 2025
+ 
+ ### Enhanced Visibility into OAuth Apps Connected to Microsoft 365 - General Availability
+ 
+ Defender for Cloud Apps users who use app governance are able to gain visibility into the origin of OAuth apps connected to Microsoft 365. You can filter and monitor apps that have external origins, to proactively review such apps and improve the security posture of the organization.
+ 
+ The new *Permissions filter and export capabilities allow you to quickly identify apps with specific permissions to access Microsoft 365.
+ 
+ You can now get granular insights into data accessed by apps using legacy EWS API alongside Microsoft Graph. The enhanced coverage of data usage insights enable you to get deeper visibility into apps accessing emails using legacy EWS API.
+ 
+ We're also expanding the coverage of privilege level feature for all popular Microsoft first-party API permissions. The enhanced coverage of privilege level classification enables you to view and monitor apps with powerful permissions into legacy and other non-Graph APIs that have access to Microsoft 365.
+ 
+ For more information, see [detailed insights into OAuth apps](/defender-cloud-apps/app-governance-visibility-insights-view-apps#getting-detailed-information-on-an-app).
+ 
+ ### Enhanced alert source accuracy
+ 
+ Microsoft Defender for Cloud Apps is enhancing its alert sources to deliver more precise information. This update, applicable to new alerts only, are reflected across various experiences and APIs, including the Defender XDR portal, Advanced hunting, and Graph API.
+ Microsoft Defender for Cloud Apps is enhancing its alert sources to deliver more precise information. This update, applicable to new alerts only, are reflected across various experiences and APIs, including the Defender XDR portal, Advanced hunting, and Graph API.
+ The goal is to improve the accuracy of alert origins, facilitating better identification, management, and response to alerts.
+ 
+ To learn more about the different alert sources in Defender XDR see the _Alert sources_ section of [Investigate alerts in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn](/defender-xdr/investigate-alerts?tabs=settings)
+ 
+ 
+ ### Network requirement updates
+ 
+ Microsoft Defender for Cloud Apps has improved its security and performance. Network information in firewalls and additional third-party services must be updated to comply with the new standards. To ensure uninterrupted access to our services you must apply these changes by March 16, 2025.
+ Microsoft Defender for Cloud Apps has improved its security and performance. Network information in firewalls and additional third-party services must be updated to comply with the new standards. To ensure uninterrupted access to our services you must apply these changes by March 27, 2025.
+ 
+ To connect to third-party apps and enable Defender for Cloud Apps, use the following IP addresses:
+ 
+ |Data center|IP addresses|DNS name|
+ |----|----|----|
+ |US1|13.64.26.88, 13.64.29.32, 13.80.125.22, 13.91.91.243, 40.74.1.235, 40.74.6.204, 51.143.58.207, 52.137.89.147, 52.183.75.62, 23.101.201.123, 20.228.186.154|\*.us.portal.cloudappsecurity.com|
+ |US2|13.80.125.22, 20.36.222.59, 20.36.222.60, 40.74.1.235, 40.74.6.204, 51.143.58.207, 52.137.89.147, 52.183.75.62, 52.184.165.82, 20.15.114.156, 172.202.90.196|\*.us2.portal.cloudappsecurity.com|
+ |US3|13.80.125.22, 40.74.1.235, 40.74.6.204, 40.90.218.196, 40.90.218.198, 51.143.58.207, 52.137.89.147, 52.183.75.62, 20.3.226.231, 4.255.218.227|*.us3.portal.cloudappsecurity.com|
+ |EU1|13.80.125.22, 40.74.1.235, 40.74.6.204, 40.119.154.72, 51.143.58.207, 52.137.89.147, 52.157.238.58, 52.174.56.180, 52.183.75.62, 20.71.203.39, 137.116.224.49|\*.eu.portal.cloudappsecurity.com|
+ |EU2|13.80.125.22, 40.74.1.235, 40.74.6.204, 40.81.156.154, 40.81.156.156, 51.143.58.207, 52.137.89.147, 52.183.75.62, 20.0.210.84, 20.90.9.64|*.eu2.portal.cloudappsecurity.com|
+ |Gov US1|13.72.19.4, 52.227.143.223|*.us1.portal.cloudappsecurity.us|
+ |GCC| 52.227.23.181, 52.227.180.126| *.us1.portal.cloudappsecuritygov.com |
+ 
+ 
+ For **US Government GCC High** customers:
+ 
+ ||IP addresses|DNS name|
+ |----|----|----|
+ |**Session controls**|US Gov Arizona: 52.244.144.65, 52.244.43.90, 52.244.43.225, 52.244.215.117, 52.235.134.195, 52.126.54.167, 52.126.55.65 <br /><br />US Gov Virginia: 13.72.27.223, 13.72.27.219, 13.72.27.220, 13.72.27.222, 20.141.230.137, 52.235.179.167, 52.235.184.112|\*.mcas-gov.us<br/>\*.admin-mcas-gov.us|
+ |**Access controls**|US Gov Arizona: 52.244.215.83, 52.244.212.197, 52.127.2.97, 52.126.54.254, 52.126.55.65 <br /><br />US Gov Virginia: 13.72.27.216, 13.72.27.215, 52.127.50.130, 52.235.179.123, 52.245.252.18, 52.245.252.131, 52.245.252.191, 52.245.253.12, 52.245.253.58, 52.245.253.229, 52.245.254.39, 52.245.254.51, 52.245.254.212, 52.245.254.245, 52.235.184.112, 52.235.184.112|\*.access.mcas-gov.us<br/>\*.access.cloudappsecurity.us|
+ |**SAML proxy**|US Gov Arizona: 20.140.49.129, 52.126.55.65<br /><br />US Gov Virginia: 52.227.216.80, 52.235.184.112|\*.saml.cloudappsecurity.us|
+ 
+ For **US Government GCC** customers:
+ 
+ ||IP addresses|DNS name|
+ |----|----|----|
+ |**Session controls**|US Gov Arizona: 52.235.147.86, 52.126.49.55, 52.126.48.233 <br /><br /> US Gov Virginia: 52.245.225.0, 52.245.224.229, 52.245.224.234, 52.245.224.228, 20.141.230.215, 52.227.10.254, 52.126.48.233, 52.227.3.207 | \*.mcas-gov.ms<br/>\*.admin-mcas-gov.ms|
+ |**Access controls** |US Gov Arizona: 52.127.2.97, 52.235.143.220, 52.126.48.233 <br /><br />US Gov Virginia: 52.245.224.235, 52.245.224.227, 52.127.50.130, 52.245.222.168, 52.245.222.172, 52.245.222.180, 52.245.222.209, 52.245.223.38, 52.245.223.72, 52.245.223.177, 52.245.223.181, 52.245.223.182, 52.245.223.190, 23.97.12.140, 52.227.3.207  | \*.access.mcas-gov.ms|
+ |**SAML proxy** |US Gov Arizona: 52.126.48.233 <br /> US Gov Virginia: 52.227.216.80, 52.126.48.233, 52.227.3.207 | \*.saml.cloudappsecuritygov.com|
+ 
+ To stay up to date on IP ranges, it's recommended to refer to the following Azure service tags for Microsoft Defender for Cloud Apps services. The latest IP ranges are found in the service tag. For more information, see [Azure IP ranges](/azure/virtual-network/service-tags-overview).
 
 ## November 2024
 

CloudAppSecurityDocs/protect-office-365.md

@@ -321,6 +321,8 @@
                 href: ios-install-unmanaged.md
             - name: Configure Mobile Threat Defense
               items:
+              - name: New user experiences in Defender for Endpoint on iOS
+                href: ios-new-ux.md
               - name: Mobile device resources for Defender for Endpoint 
                 href: mobile-resources-defender-endpoint.md
               - name: Configure Defender for Endpoint on Android features

CloudAppSecurityDocs/release-notes.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.reviewer: pahuijbr
 search.appverid: MET150
 audience: ITPro
-ms.date: 02/04/2025
+ms.date: 03/12/2025
 ---
 
 # Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint 
@@ -170,11 +170,11 @@ The following preonboarding checks can be run on both Windows and Xplat MDE Clie
 
 To test streamlined connectivity for devices not yet onboarded to Defender for Endpoint, you can use the Client Analyzer for Windows using the following commands: 
 
-- Run `mdeclientanalyzer.cmd -o <path to cmd file>`  from within MDEClientAnalyzer folder. The command uses parameters from onboarding package to test connectivity.
+- Run `mdeclientanalyzer.cmd -o <path to cmd file>`  from within the MDEClientAnalyzer folder. The command uses parameters from onboarding package to test connectivity.
 
 - Run `mdeclientanalyzer.cmd -g <GW_US, GW_UK, GW_EU>` , where parameter is of GW_US, GW_EU, GW_UK. GW refers to the streamlined option. Run with applicable tenant geo.
 
-As a supplementary check, you can also use the client analyzer to test whether a device meets prerequisites: https://aka.ms/MDEClientAnalyzerPreview
+As a supplementary check, you can also use the client analyzer to test whether a device meets prerequisites: [MDEClientAnalyzerPreview.zip]{https://aka.ms/MDEClientAnalyzerPreview}.
 
 
 > [!NOTE]