Merge branch 'main' into docs-editor/security-assessment-1742120942

aditisrivastava07 · web-flow · commit 4fcf4f28e02f · 2025-03-17T11:45:03.000+05:30
diff --git a/CloudAppSecurityDocs/accounts.md b/CloudAppSecurityDocs/accounts.md
@@ -4,12 +4,23 @@ description: This article provides information about reviewing accounts from you
 ms.date: 01/29/2023
 ms.topic: how-to
 ---
-# Accounts
+# Cloud Application Accounts
 
 
 
 Microsoft Defender for Cloud Apps gives you visibility into the accounts from your connected apps. After you connect Defender for Cloud Apps to an app using the App connector, Defender for Cloud Apps reads account information associated with connected apps. The Accounts page enables you to investigate those accounts, permissions, the groups they're members of, their aliases, and the apps they're using. Additionally, when Defender for Cloud Apps detects a new account that wasn't previously seen in one of the connected apps - for example, in activities or file sharing - the account is added to the accounts list of that app. This enables you to have visibility into the activity of external users interacting with your cloud apps.
 
+## Identity Inventory (Preview)
+
+> [!NOTE]
+> The Identities page is in the process of merging into the unified **Identity Inventory (Preview)**. 
+> 
+> The **Identity inventory** provides a centralized view of all identities in your organization, enabling you to monitor and manage them efficiently. At a glance, you can see key details such as Domain, Tags, Type, and other attributes, helping you quickly identify and manage identities that require attention. 
+> 
+> The functionality of the Identities page, as presented below, will be provided in the new Identity Inventory under the "**Cloud application accounts**" tab, offering the same features as it does today. For more details, visit the [Identity Inventory documentation](/defender-for-identity/identity-inventory).
+> 
+## Identities
+
 Admins can search for a specific user's metadata or user's activity. The **Identities** page provides you with comprehensive details about the entities that are pulled from connected cloud applications. It also provides the user's activity history and security alerts related to the user.
 
 The **Identities** page can be [filtered](#identities-filters) to enable you to find specific accounts and to deep dive into different types of accounts, for example, you can filter for all External accounts that haven't been accessed since last year.
@@ -25,15 +36,15 @@ The **Identities** page enables you to easily investigate your accounts, includi
 * You can see which apps are accessed by each account and which apps are deleted for specific accounts
 
     ![accounts screen.](media/accounts-page.png)
-
-## Identities filters
+  
+### Identities filters
 
 Following is a list of the account filters that can be applied. Most filters support multiple values as well as NOT, in order to provide you with a powerful tool for policy creation.  
 
 * **Affiliation**: The affiliation is either **Internal** or **External**. To set which users and accounts are internal, under **Settings** make sure to set the **IP address range** of your internal organization. If the account has admin permissions the icon in the Accounts table appears with the addition of the red tie:
 
     ![accounts admin icon.](media/accounts-admin-icon.png)
-
+  
 * **App**: You can filter for any API connected app being used by accounts in your organization.
 * **Domain**: This enables you to filter for users in specific domains.
 * **Groups**: Enables you to filter for members of user groups in Defender for Cloud Apps - both built-in user groups and imported user groups.
@@ -45,13 +56,13 @@ Following is a list of the account filters that can be applied. Most filters sup
 * **Type**: This enables you to filter to either the user or the account type.
 * **User name**: Enables you to filter specific users.
 
-## Governance actions
+### Governance actions
 
 From the **Users and account** page, you can take governance actions such as suspending an app or going to the account settings page. For a full list of governance actions, see the [governance log](governance-actions.md).
 
 For example, if you identify a user that is compromised, you can apply the **Confirm user compromised** action to set the user risk level to high, causing the relevant policy actions defined in Microsoft Entra ID to be enforced. The action can be applied manually or using relevant [policies that support governance actions](governance-actions.md).
 
-### To manually apply a user or account governance action
+#### To manually apply a user or account governance action
 
 From the **Users and account** page, on the row where the relevant user or account appears, choose the three dots at the end of the row, then select **Confirm user compromised**.
 
diff --git a/exposure-management/predefined-classification-rules-and-levels.md b/exposure-management/predefined-classification-rules-and-levels.md
@@ -6,7 +6,7 @@ author: dlanger
 manager: rayne-wiselman
 ms.topic: reference
 ms.service: exposure-management
-ms.date: 11/16/2024
+ms.date: 03/16/2025
 ---
 
 # Predefined classifications
@@ -42,7 +42,7 @@ Current asset types are:
 | Security Operations Admin Device         | Device     | High        | Critical devices used to configure, manage, and monitor the security within an organization are vital for security operations administration and are at high risk of cyber threats. They require top-level security measures to prevent unauthorized access.  Note: We apply a logic to identify devices belonging to an admin based on multiple factors, including the frequent usage of administrative tools.|
 | Network Admin Device         | Device     | Medium                    | Critical devices used to configure, manage, and monitor the network assets within the organization are vital for network administration and are at high risk of cyber threats. They require top-level security to prevent unauthorized access. _Note: We apply a logic to identify devices belonging to an admin based on multiple factors, including the frequent usage of administrative tools._|
 | VMware ESXi                | Device     | High                      | The VMware ESXi hypervisor is essential for running and managing virtual machines within your infrastructure. As a bare-metal hypervisor, it's providing the foundation for creating and managing virtual resources. |
-| VMware vCenter             | Device     | High                      | The VMware vCenter Server is crucial for managing virtual environments. It provides centralized management of virtual machines and ESXi hosts. If it fails, it could disrupt the administration and control of your virtual infrastructure, including provisioning, migration, load balancing of virtual machines, and datacenter automation. However, as there are often redundant vCenter Servers and High Availability configurations, the immediate halt of all operations might not occur. Its failure could still cause significant inconvenience and potential performance issues |
+| VMware vCenter             | Device     | High                      | The VMware vCenter Server is crucial for managing virtual environments. It provides centralized management of virtual machines and ESXi hosts. If it fails, it could disrupt the administration and control of your virtual infrastructure, including provisioning, migration, load balancing of virtual machines, and datacenter automation. However, as there are often redundant vCenter Servers and High Availability configurations, the immediate halt of all operations might not occur. Its failure could still cause significant inconvenience and potential performance issues. |
 | Hyper-V Server             | Device     | High                      | The Hyper-V hypervisor is essential for running and managing virtual machines within your infrastructure, serving as the core platform for their creation and management. If the Hyper-V host fails, it can lead to the unavailability of hosted virtual machines, potentially causing downtime and disrupting business operations. Moreover, it can result in significant performance degradation and operational challenges. Ensuring the reliability and stability of Hyper-V hosts is therefore critical for maintaining seamless operations in a virtual environment. |
 
 ##### Identity
@@ -73,6 +73,7 @@ Current asset types are:
 | Password Administrator                        | Identity   | Very High                 | Identities in this role can reset passwords for nonadministrators and Password Administrators. |
 | Privileged Authentication Administrator       | Identity   | Very High                 | Identities in this role can view, set, and reset authentication method information for any user (admin or nonadmin). |
 | Privileged Role Administrator                 | Identity   | Very High                 | Identities in this role can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management. |
+| Security Operations Admin User                | Identity   | High                      | Identities in this role can configure, manage, monitor, and respond to threats within the organization.  **Note**: This rule’s logic relies on the predefined critical device classification “Security Operations Admin Device”.  |
 | Security Administrator                        | Identity   | High                      | Identities in this role can read security information and reports, and manage configuration in Microsoft Entra ID and Office 365. |
 | Security Operator                             | Identity   | High                      | Identities in this role can create and manage security events.    |
 | Security Reader                               | Identity   | High                      | Identities in this role can read security information and reports in Microsoft Entra ID and Office 365. |
@@ -102,6 +103,13 @@ Current asset types are:
 | Yammer Administrator                          | Identity   | High                      | Identities in this role can manage all aspects of the Yammer service. |
 | Authentication Extensibility Administrator    | Identity   | High                      | Identities in this role can customize sign in and sign up experiences for users by creating and managing custom authentication extensions. |
 | Lifecycle Workflows Administrator             | Identity   | High                      | Identities in this role create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Microsoft Entra ID. |
+| Senior Executive (Technology)      | Identity | Very High | Identities with this classification belong to senior executives in the field of Technology. |
+| Senior Executive (Finance)         | Identity | Very High | Identities with this classification belong to senior executives in the field of Finance. |
+| Senior Executive (Operations)      | Identity | Very High | Identities with this classification belong to senior executives in the field of Operations. |
+| Senior Executive (Marketing)   | Identity | Very High | Identities with this classification belong to senior executives in the field of Marketing. |
+| Senior Executive (Information)     | Identity | Very High | Identities with this classification belong to senior executives in the field of Information. |
+| Senior Executive (Execution)       | Identity | Very High | Identities with this classification belong to senior executives in the field of Execution. |
+| Senior Executive (Human Resources) | Identity | Very High | Identities with this classification belong to senior executives in the field of Human Resources. |
 
 ##### Cloud resource
 
diff --git a/exposure-management/whats-new.md b/exposure-management/whats-new.md
@@ -6,7 +6,7 @@ author: dlanger
 manager: rayne-wiselman
 ms.topic: overview
 ms.service: exposure-management
-ms.date: 12/03/2024
+ms.date: 03/16/2025
 
 ---
 
@@ -24,8 +24,29 @@ Learn more about MSEM by reading the blogs, [here](https://techcommunity.microso
 >
 > `https://aka.ms/msem/rss`
 
+## March 2025
+
+### New predefined classifications
+
+The following predefined **Identity** classification rules were added to the critical assets list:
+
+| Classification                     | Description                                                  |
+| ---------------------------------- | ------------------------------------------------------------ |
+| Senior Executive (Technology)      | This rule applies to identities classified as senior executives in the field of Technology. |
+| Senior Executive (Finance)         | This rule applies to identities classified as senior executives in the field of Finance. |
+| Senior Executive (Operations)      | This rule applies to identities classified as senior executives in the field of Operations. |
+| Senior Executive (Marketing)   | This rule applies to identities classified as senior executives in the field of Marketing. |
+| Senior Executive (Information)     | This rule applies to identities classified as senior executives in the field of Information. |
+| Senior Executive (Execution)       | This rule applies to identities classified as senior executives in the field of Execution. |
+| Senior Executive (Human Resources) | This rule applies to identities classified as senior executives in the field of Resources. |
+| Security Operations Admin User              | This rule applies to security operations admin users that configure, manage, monitor, and respond to threats within the organization. |
+
+For more information, see, [Predefined classifications](predefined-classification-rules-and-levels.md)
+
 ## February 2025
 
+### New predefined classifications
+
 The following predefined classification rules were added to the critical assets list:
 
 | Classification                                       | Description                                                  |
