MicrosoftDocs
diff --git a/‎ATPDocs/remediation-actions.md‎
Lines changed: 18 additions & 22 deletions b/‎ATPDocs/remediation-actions.md‎
Lines changed: 18 additions & 22 deletions
diff --git a/‎ATPDocs/security-assessment-unsecure-account-attributes.md‎
Lines changed: 2 additions & 1 deletion b/‎ATPDocs/security-assessment-unsecure-account-attributes.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎ATPDocs/unmonitored-active-directory-certificate-services-server.md‎
Lines changed: 2 additions & 2 deletions b/‎ATPDocs/unmonitored-active-directory-certificate-services-server.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎ATPDocs/unmonitored-active-directory-federation-services-servers.md‎
Lines changed: 1 addition & 2 deletions b/‎ATPDocs/unmonitored-active-directory-federation-services-servers.md‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎ATPDocs/unmonitored-entra-connect-servers.md‎
Lines changed: 1 addition & 1 deletion b/‎ATPDocs/unmonitored-entra-connect-servers.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ATPDocs/whats-new.md‎
Lines changed: 8 additions & 0 deletions b/‎ATPDocs/whats-new.md‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎CloudAppSecurityDocs/access-policy-aad.md‎
Lines changed: 1 addition & 0 deletions b/‎CloudAppSecurityDocs/access-policy-aad.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎CloudAppSecurityDocs/accounts.md‎
Lines changed: 1 addition & 0 deletions b/‎CloudAppSecurityDocs/accounts.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎CloudAppSecurityDocs/activity-filters.md‎
Lines changed: 4 additions & 3 deletions b/‎CloudAppSecurityDocs/activity-filters.md‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎CloudAppSecurityDocs/admin-settings.md‎
Lines changed: 1 addition & 0 deletions b/‎CloudAppSecurityDocs/admin-settings.md‎
Lines changed: 1 addition & 0 deletions
@@ -35,34 +35,30 @@ To perform any of the [supported actions](#supported-actions), you need to:
 
 The following Defender for Identity actions can be performed on Identities:
 
-- **Disable user in Active Directory** - This temporarily prevents a user from signing in to the on-premises network. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network.
+| Remediation Action  | Description     |          Scope                        | 
+| ------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
+|Disable user                 | This temporarily prevents a user from signing in. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network. | Active Directory, Entra ID and Okta
+|Enable user              | Enable a user to sign in. | Active Directory, Entra ID and Okta
+|Revoke all Users' sessions       | Revoke a user's active sessions. | Entra ID and Okta
+|Confirm user compromised      | The user's risk level is set to High | Entra ID
+| Reset user password| This prompts the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts| Active Directory
+|Deactivate user in Okta | This action can be used when a non-legit malicious account was detected, to deactivate the account permanently | Okta
+| Set user risk to High/Medium/Low |Set one user risk scoring to one of the defined levels. This action will only be available if [Risk Scoring](https://help.okta.com/en-us/Content/Topics/Security/Security_Risk_Scoring.htm) feature is enabled | Okta
 
-- **Reset user password** - This prompts the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts.
-
-- **Mark User Compromised** - The user's risk level is set to High.
-
-- **Suspend User in Entra ID** - Block new sign-ins and access to cloud resources.
-
-- **Require User to Sign In Again** - Revoke a user's active sessions.
-
-- **Suspend User in Okta** - Temporarily disables a user account. This action can be used when a legit user account was found to be compromised and needed to be disabled.
-
-- **Deactivate User in Okta** - This action can be used when a non-legit malicious account was detected, to deactivate the account permanently.
 
 Depending on your Microsoft Entra ID roles, you might see additional Microsoft Entra ID actions, such as requiring users to sign in again and confirming a user as compromised. For more information, see [Remediate risks and unblock users](/entra/id-protection/howto-identity-protection-remediate-unblock).
 
 ## Roles and Permissions
 
-| Action | XDR RBAC permissions      |
-| ------------------------------------- | ------------------------------------------------------------ |
-|Mark User Compromised                  | - Global Administrator <br> - Security Administrator|
-|Suspend User in Entra ID               | - Global Administrator |
-|Require User to Sign In Again          | - Global Administrator <br>|
-| Disable/Enable User in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
-| Force Password Reset in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
-| Suspend User in Okta | A custom role defined with permissions for Response (manage) Or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator|
-| Deactivate User in Okta | A custom role defined with permissions for Response (manage) Or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator|
-
+| Remediation Action | Active Directory  |Entra ID   | Okta  |
+|--|--|--|--|
+| Disable user | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr) | Global Administrator   | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
+| Enable user | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr) | Global Administrator | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
+| Revoke all Users' sessions |N\A  | Global Administrator | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
+| Confirm user compromised |N\A  |  - Global Administrator <br> -Security Administrator | N/A|
+| Reset user password | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr) | N\A | N\A
+| Deactivate user in Okta  | N\A | N\A | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator
+|  Set User risk to High/Medium/Low  | N\A | N\A | A custom role defined with permissions for Response (manage) or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator
 
 ## Related videos
 
 
@@ -40,8 +40,9 @@ Use the remediation appropriate to the relevant attribute as described in the fo
 | Enable Kerberos AES encryption support | Enable AES features on the account properties in AD | Enabling AES128_CTS_HMAC_SHA1_96 or AES256_CTS_HMAC_SHA1_96 on the account helps prevent the use of weaker encryption ciphers for Kerberos authentication. |
 | Remove Use Kerberos DES encryption types for this account | Remove this setting from account properties in AD | Removing this setting enables the use of stronger encryption algorithms for the account's password. |
 | Remove a Service Principal Name (SPN) | Remove this setting from account properties in AD | When a user account is configured with an SPN set, it means that the account has been associated with one or more SPNs. This typically occurs when a service is installed or registered to run under a specific user account, and the SPN is created to uniquely identify the service workspace for Kerberos authentication. This recommendation only showed for sensitive accounts. |
+|Reset password as SmartcardRequired setting was removed|Reset the account password|Changing the account's password after the SmartcardRequired UAC flag was removed ensures it was set under current security policies. This helps prevent potential exposure from passwords created when smartcard enforcement was still active.|
 
-Use the **UserAccountControl** flag to manipulate user account profiles. For more information, see:
+Use the **UserAccountControl** (UAC) flag to manipulate user account profiles. For more information, see:
 
 - [Windows Server troubleshooting](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties) documentation.
 - [User Properties - Account Section](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd861342(v=ws.11))
 
@@ -19,7 +19,7 @@ This article describes the security posture assessment report for unmonitored Ac
 Unmonitored Active Directory Certificate Services (AD CS) servers pose a significant risk to your organization’s identity infrastructure. AD CS, the backbone of certificate issuance and trust, is a high-value target for attackers aiming to escalate privileges or forge credentials. Without proper monitoring, attackers can exploit these servers to issue unauthorized certificates, enabling stealthy lateral movement and persistent access. Deploy Microsoft Defender for Identity version 2.0 sensors on all AD CS servers to mitigate this risk. These sensors provide real-time visibility into suspicious activity, detect advanced threats, and generate actionable alerts based on security events and network behavior.
 
 > [!NOTE]
->  This security assessment is available only if Microsoft Defender for Endpoint detects an eligible AD CS server in the environment.
+> This security assessment is only available if Microsoft Defender for Endpoint detects eligible ADCS servers in the environment. In some cases, servers running ADCS might not be identified with the required role and therefore will not appear in this assessment, even if they exist in the environment.
 
 ## How do I use this security assessment?
 
@@ -35,4 +35,4 @@ Unmonitored Active Directory Certificate Services (AD CS) servers pose a signifi
 
 ## Next steps
 
-Learn more about [Microsoft Secure Score](/defender-xdr/microsoft-secure-score).
+Learn more about [Microsoft Secure Score](/defender-xdr/microsoft-secure-score).
@@ -18,8 +18,7 @@ This article describes the Microsoft Defender for Identity's unmonitored Active
 Unmonitored Active Directory Federation Services (ADFS) servers are a significant security risk to organizations. ADFS controls access to both cloud and on-premises resources as the gateway for federated authentication and single sign-on. If attackers compromise an ADFS server, they can issue forged tokens and impersonate any user, including privileged accounts. Such attacks might bypass multi-factor authentication (MFA), conditional access, and other downstream security controls, making them particularly dangerous. Without proper monitoring, suspicious activity on ADFS servers might go undetected for extended periods. Deploying Microsoft Defender for Identity version 2.0 sensors on ADFS servers is essential. These sensors enable real-time detection of suspicious behavior and help prevent token forgery, abuse of trust relationships, and stealthy lateral movement within the environment.
 
 > [!NOTE]
-> This security assessment is only available if Microsoft Defender for Endpoint detects an eligible ADFS server in the environment.
-
+> This security assessment is only available if Microsoft Defender for Endpoint detects eligible ADFS servers in the environment. In some cases, servers running ADFS might not be identified with the required role and therefore will not appear in this assessment, even if they exist in the environment.
 
 ## How do I use this security assessment?
 
 
@@ -23,7 +23,7 @@ If an attacker compromises a Microsoft Entra Connect server, they can inject sha
 These servers operate at the intersection of on-premises and cloud identity, making them a prime target for privilege escalation and stealthy persistence. Without monitoring, such attacks can go undetected. Deploying Microsoft Defender for Identity version 2.0 sensors on Microsoft Entra Connect servers is critical. These sensors help detect suspicious activity in real time, protect the integrity of your hybrid identity bridge, and prevent full-domain compromise from a single point of failure.
 
 > [!NOTE]
-> This security assessment is only available if Microsoft Defender for Endpoint detects eligible Microsoft Entra Connect servers in the environment.
+> This security assessment is only available if Microsoft Defender for Endpoint detects eligible Microsoft Entra Connect servers in the environment. In some cases, servers running Entra Connect might not be identified with the required role and therefore will not appear in this assessment, even if they exist in the environment.
 
 ## How do I use this security assessment? 
 
 
@@ -25,6 +25,14 @@ For updates about versions and features released six months ago or earlier, see
 
 ## August 2025
 
+### Microsoft Entra ID risk level is now available in near real time in Microsoft Defender for Identity (Preview)
+
+Entra ID risk level is now available on the Identity Inventory assets page, the identity details page, and in the IdentityInfo table in Advanced Hunting, and includes the Entra ID risk score. SOC analysts can use this data to correlate risky users with sensitive or highly privileged users, create custom detections based on current or historical user risk, and improve investigation context.
+
+Previously, Defender for Identity tenants received Entra ID risk level in the IdentityInfo table through user and entity behavior analytics (UEBA). With this update, the Entra ID risk level is now updated in near real time through Microsoft Defender for Identity.
+
+For UEBA tenants without a Microsoft Defender for Identity license, synchronization of Entra ID risk level to the IdentityInfo table remains unchanged.
+
 
 ### New security assessment: Remove inactive service accounts (Preview)
 
 
@@ -3,6 +3,7 @@ title: Create access policies | Microsoft Defender for Cloud Apps
 description: Learn how to configure Microsoft Defender for Cloud Apps access policies with Conditional Access app control to control access to cloud apps.
 ms.date: 05/15/2024
 ms.topic: how-to
+ms.reviewer: AmitMishaeli
 ---
 # Create Microsoft Defender for Cloud Apps access policies
 
 
@@ -3,6 +3,7 @@ title: Investigate accounts from connected apps | Microsoft Defender for Cloud A
 description: This article provides information about reviewing accounts from your connected apps.
 ms.date: 01/29/2023
 ms.topic: how-to
+ms.reviewer: gayasalomon
 ---
 # Cloud Application Accounts
 
 
@@ -3,6 +3,7 @@ title: Investigate activities
 description: This article provides a list of activities, filters, and match parameters that can be applied to activity policies.
 ms.date: 06/24/2025
 ms.topic: how-to
+ms.reviewer: gayasalomon
 ---
 
 # Investigate activities
@@ -15,7 +16,7 @@ Microsoft Defender for Cloud Apps gives you visibility into all the activities f
 >
 > Microsoft Defender for Cloud Apps displays these activity names and types exactly as received and doesn't define or modify them. To understand the meaning of an activity, refer to the relevant third‑party API documentation.
 
-The action types for events and activities are determined by the source service, whether it is a first-party or third-party service. Microsoft Defender for Cloud Apps (MDA) supports a wide range of action types and is not restricted to specific ones.
+The action types for events and activities are determined by the source service, whether it's a first-party or third-party service. Microsoft Defender for Cloud Apps (MDA) supports a wide range of action types and isn't restricted to specific ones.
 For a full list of Microsoft 365 activities monitored by Defender for Cloud Apps, see [Search the audit log in the Microsoft Purview portal](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance#audited-activities).
 
 
@@ -93,7 +94,7 @@ Selecting it opens the Activity drawer **User** tab provides the following insig
     - **ISPs**: The number of ISPs the user connected from in the past 30 days.
     - **IP addresses**: The number of IP addresses the user connected from in the past 30 days.
 
-:::image type="content" source="media/user-insights.png" alt-text="Screenshot that shows user insights, user activities and frequent alert locations for Defender for Cloud apps." lightbox="media/user-insights.png":::
+:::image type="content" source="media/user-insights.png" alt-text="Screenshot that shows user insights, user activities, and frequent alert locations for Defender for Cloud apps." lightbox="media/user-insights.png":::
 
 
 #### IP address insights
@@ -122,7 +123,7 @@ To view IP address insights:
         - Set as a VPN IP address and add to allowlist
         - Set as a Risky IP and add to blocklist
 
-:::image type="content" source="media/activity-filters/ip-address-insights.png" alt-text="Screenshot that shows Ip address activities over the last 30 days." lightbox="media/activity-filters/ip-address-insights.png":::
+:::image type="content" source="media/activity-filters/ip-address-insights.png" alt-text="Screenshot that shows IP address activities over the last 30 days." lightbox="media/activity-filters/ip-address-insights.png":::
 
 
 > [!NOTE]
 
@@ -3,6 +3,7 @@ title: Configure admin notifications
 description: This article provides instructions for setting admin preferences in Defender for Cloud Apps.
 ms.date: 01/29/2023
 ms.topic: how-to
+ms.reviewer: Naama-Goldbart 
 ---
 # Configure admin notifications