Merge pull request #798 from MicrosoftDocs/deniseb-globaladmin

deniseb globaladmin

Author: denisebmsft

defender-endpoint/edr-in-block-mode.md

@@ -14,7 +14,7 @@ ms.custom:
 - next-gen
 - mde-edr
 - admindeeplinkDEFENDER
-ms.date: 04/26/2024
+ms.date: 06/25/2024
 ms.collection: 
 - m365-security
 - tier2
@@ -44,7 +44,6 @@ This article describes EDR in block mode, which helps protect devices that are r
 
 > [!IMPORTANT]
 > EDR in block mode cannot provide all available protection when Microsoft Defender Antivirus real-time protection is in passive mode. Some capabilities that depend on Microsoft Defender Antivirus to be the active antivirus solution will not work, such as the following examples:
-> 
 > - Real-time protection, including on-access scanning, and scheduled scan is not available when Microsoft Defender Antivirus is in passive mode. To learn more about real-time protection policy settings, see **[Enable and configure Microsoft Defender Antivirus always-on protection](configure-real-time-protection-microsoft-defender-antivirus.md)**.
 > - Features like **[network protection](network-protection.md)** and **[attack surface reduction rules](attack-surface-reduction.md)** and indicators (file hash, ip address, URL, and certificates) are only available when Microsoft Defender Antivirus is running in active mode.
 > It is expected that your non-Microsoft antivirus solution includes these capabilities.
@@ -107,6 +106,9 @@ The following table lists requirements for EDR in block mode:
 
 > [!IMPORTANT]
 > To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your [exclusions are configured](configure-exclusions-microsoft-defender-antivirus.md). EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus, but not [indicators](manage-indicators.md) that are defined for Microsoft Defender for Endpoint.
+> 
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 
 ## See also
 

defender-endpoint/faqs-on-tamper-protection.yml

@@ -13,7 +13,7 @@ metadata:
   ms.topic: faq
   ms.collection: 
   - m365-security
-  ms.date: 10/27/2023
+  ms.date: 06/25/2024
 title: Frequently asked questions (FAQs) about tamper protection 
 summary: | 
 
@@ -42,7 +42,7 @@ sections:
           - Devices must be using anti-malware platform version `4.18.2010.7` (or later) and anti-malware engine version `1.1.17600.5` (or later). ([Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md).)
           - [Cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) must be turned on.
 
-          To manage tamper protection in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), you must have appropriate permissions assigned through roles, such as Global Administrator or Security Administrator. (See [Microsoft Defender XDR role-based access control (RBAC)](/defender-xdr/manage-rbac).)
+          To manage tamper protection in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), you must have appropriate permissions assigned through roles, such as Security Administrator. (See [Microsoft Defender XDR role-based access control (RBAC)](/defender-xdr/manage-rbac).)
 
       - question: |
           On which versions of Windows can I configure tamper protection?
@@ -80,7 +80,7 @@ sections:
       - question: |
           Does tamper protection apply to Microsoft Defender Antivirus exclusions?
         answer: |
-          New functionality is rolling out now to protect Microsoft Defender Antivirus exclusions on devices. Certain conditions must be met. For example, you must use Intune only or Configuration Manager only to manage devices, and you must have Sense enabled. See [Protect Microsoft Defender Antivirus exclusions](prevent-changes-to-security-settings-with-tamper-protection.md#protect-microsoft-defender-antivirus-exclusions).
+          Yes. To protect Microsoft Defender Antivirus exclusions on devices, certain conditions must be met. For example, you must use Intune only or Configuration Manager only to manage devices, and you must have Sense enabled. See [Protect Microsoft Defender Antivirus exclusions](prevent-changes-to-security-settings-with-tamper-protection.md#protect-microsoft-defender-antivirus-exclusions).
 
       - question: |
           How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus with Group Policy?
@@ -155,10 +155,8 @@ sections:
       - question: |
           If the status of tamper protection changes, are alerts shown in the Microsoft Defender portal?
         answer: |
-          Alerts should be listed in the [Microsoft Defender portal](https://security.microsoft.com) under **Alerts**.
-
-          Your security operations team can also use hunting queries, such as the following example:
-
+          Alerts should be listed in the [Microsoft Defender portal](https://security.microsoft.com) under **Alerts**. Your security operations team can also use hunting queries, such as the following example: 
+          
           `AlertInfo|where Title == "Tamper Protection bypass"`
 
       - question: |

defender-endpoint/grant-mssp-access.md

@@ -27,68 +27,64 @@ ms.date: 12/18/2020
 
 > [!IMPORTANT]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+>
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 To implement a multitenant delegated access solution, take the following steps:
 
-1. Enable [role-based access control](rbac.md) in Defender for Endpoint and connect with Active Directory (AD) groups.
+1. Enable [role-based access control](rbac.md) in Defender for Endpoint and connect with Microsoft Entra ID groups.
 
 2. Configure [Governance Access Packages](/azure/active-directory/governance/identity-governance-overview) for access request and provisioning.
 
-3. Manage access requests and audits in [Microsoft Myaccess](/azure/active-directory/governance/entitlement-management-request-approve).
+3. Manage access requests and audits in [Microsoft MyAccess](/azure/active-directory/governance/entitlement-management-request-approve).
 
 ## Enable role-based access controls in Microsoft Defender for Endpoint
 
-1. **Create access groups for MSSP resources in Customer AAD: Groups**
+1. **Create access groups for MSSP resources in Customer Entra ID: Groups**
 
-    These groups are linked to the Roles you create in Defender for Endpoint. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups:
+    These groups are linked to the Roles you create in Defender for Endpoint. To do so, in the customer Entra ID tenant, create three groups. In our example approach, we create the following groups:
 
     - Tier 1 Analyst
     - Tier 2 Analyst
     - MSSP Analyst Approvers
 
 2. Create Defender for Endpoint roles for appropriate access levels in Customer Defender for Endpoint.
 
-    To enable RBAC in the customer Microsoft Defender portal, access **Settings > Endpoints > Permissions > Roles** and "Turn on roles", from a user account with Global Administrator or Security Administrator rights.
+    To enable RBAC in the customer [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Endpoints** > **Permissions** > **Roles**, and then select **Turn on roles**. 
 
-    Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via "Assigned user groups".
+    Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via assigned user groups. There are two possible roles: Tier 1 Analysts, and Tier 2 Analysts.
 
-    Two possible roles:
+    - **Tier 1 Analysts** - Perform all actions except for live response and manage security settings.
 
-    - **Tier 1 Analysts**
-
-      Perform all actions except for live response and manage security settings.
-
-    - **Tier 2 Analysts**
-
-      Tier 1 capabilities with the addition to [live response](live-response.md)
+    - **Tier 2 Analysts** - Tier 1 capabilities with the addition to [live response](live-response.md)
 
     For more information, see [Use role-based access control](rbac.md).
 
 ## Configure Governance Access Packages
 
-1. **Add MSSP as Connected Organization in Customer AAD: Identity Governance**
+1. **Add MSSP as Connected Organization in Customer Entra ID: Identity Governance**
 
-    Adding the MSSP as a connected organization allows the MSSP to request and have accesses provisioned.
+    Adding the MSSP as a connected organization allows the MSSP to request and have access provisioned.
 
-    To do so, in the customer AD tenant, access Identity Governance: Connected organization. Add a new organization and search for your MSSP Analyst tenant via Tenant ID or Domain. We suggest creating a separate AD tenant for your MSSP Analysts.
+    To do so, in the customer Entra ID tenant, access Identity Governance: Connected organization. Add a new organization and search for your MSSP Analyst tenant via Tenant ID or Domain. We suggest creating a separate Entra ID tenant for your MSSP Analysts.
 
-2. **Create a resource catalog in Customer AAD: Identity Governance**
+2. **Create a resource catalog in Customer Entra ID: Identity Governance**
 
-    Resource catalogs are a logical collection of access packages, created in the customer AD tenant.
+    Resource catalogs are a logical collection of access packages, created in the customer Entra ID tenant.
 
-    To do so, in the customer AD tenant,  access Identity Governance: Catalogs, and add **New Catalog**. In our example, it's called, **MSSP Accesses**.
+    To do so, in the customer Entra ID tenant,  access Identity Governance: Catalogs, and add **New Catalog**. In our example, it's called, **MSSP Accesses**.
 
     :::image type="content" source="media/goverance-catalog.png" alt-text="The new catalog page" lightbox="media/goverance-catalog.png":::
 
     Further more information, see [Create a catalog of resources](/azure/active-directory/governance/entitlement-management-catalog-create).
 
-3. **Create access packages for MSSP resources Customer AAD: Identity Governance**
+3. **Create access packages for MSSP resources Customer Entra ID: Identity Governance**
 
     Access packages are the collection of rights and accesses that a requestor is granted upon approval.
 
-    To do so, in the customer AD tenant, access Identity Governance: Access Packages, and add **New Access Package**. Create an access package for the MSSP approvers and each analyst tier. For example, the following Tier 1 Analyst configuration creates an access package that:
+    To do so, in the customer Entra ID tenant, access Identity Governance: Access Packages, and add **New Access Package**. Create an access package for the MSSP approvers and each analyst tier. For example, the following Tier 1 Analyst configuration creates an access package that:
 
-    - Requires a member of the AD group **MSSP Analyst Approvers** to authorize new requests
+    - Requires a member of the Entra ID group **MSSP Analyst Approvers** to authorize new requests
     - Has annual access reviews, where the SOC analysts can request an access extension
     - Can only be requested by users in the MSSP SOC Tenant
     - Access auto expires after 365 days
@@ -98,7 +94,7 @@ To implement a multitenant delegated access solution, take the following steps:
 
     For more information, see [Create a new access package](/azure/active-directory/governance/entitlement-management-access-package-create).
 
-4. **Provide access request link to MSSP resources from Customer AAD: Identity Governance**
+4. **Provide access request link to MSSP resources from Customer Entra ID: Identity Governance**
 
     The My Access portal link is used by MSSP SOC analysts to request access via the access packages created. The link is durable, meaning the same link may be used over time for new analysts. The analyst request goes into a queue for approval by the **MSSP Analyst Approvers**.
 
@@ -109,21 +105,22 @@ To implement a multitenant delegated access solution, take the following steps:
 
 ## Manage access
 
-1. Review and authorize access requests in Customer and/or MSSP myaccess.
+1. Review and authorize access requests in Customer and/or MSSP MyAccess.
 
     Access requests are managed in the customer My Access, by members of the MSSP Analyst Approvers group.
 
-    To do so, access the customer's myaccess using: `https://myaccess.microsoft.com/@<Customer Domain>`.
+    To do so, access the customer's MyAccess using: `https://myaccess.microsoft.com/@<Customer Domain>`.
 
     Example: `https://myaccess.microsoft.com/@M365x440XXX.onmicrosoft.com#/`
 
 2. Approve or deny requests in the **Approvals** section of the UI.
 
-    At this point, analyst access has been provisioned, and each analyst should be able to access the customer's Microsoft Defender portal: `https://security.microsoft.com/?tid=<CustomerTenantId>`
+    At this point, analyst access is provisioned, and each analyst should be able to access the customer's Microsoft Defender portal: `https://security.microsoft.com/?tid=<CustomerTenantId>`
 
-## Related topics
+## Related articles
 
 - [Access the MSSP customer portal](access-mssp-portal.md)
 - [Configure alert notifications](configure-mssp-notifications.md)
 - [Fetch alerts from customer tenant](api/fetch-alerts-mssp.md)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/manage-automation-file-uploads.md

@@ -12,7 +12,7 @@ ms.collection:
 - tier2
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 05/08/2023
+ms.date: 06/25/2024
 ---
 
 # Manage automation file uploads
@@ -37,18 +37,23 @@ For example, if you add *exe* and *bat* as file or attachment extension names, t
 > [!NOTE]
 > Microsoft securely stores the files submitted for a six-month period. Files are promptly deleted after six months.
 
-## Add file extension names and attachment extension names.
+## Add file extension names and attachment extension names
 
-1. Log in to [Microsoft Defender XDR](https://go.microsoft.com/fwlink/p/?linkid=2077139) using an account with the Security administrator or Global administrator role assigned.
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
+1. Sign in to the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139) using an account with the Security administrator or Global administrator role assigned.
 
 2. In the navigation pane, select **Settings** \> **Endpoints** \> **Rules** \> **Automation uploads**.
 
 2. Toggle the content analysis setting between **On** and **Off**.
 
 3. Configure the following extension names and separate extension names with a comma:
+
    - **File extension names** - Suspicious files except email attachments will be submitted for additional inspection
 
 ## Related topics
 
 - [Manage automation folder exclusions](manage-automation-folder-exclusions.md)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/manage-automation-folder-exclusions.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: edr
 search.appverid: met150
-ms.date: 12/18/2020
+ms.date: 06/25/2024
 ---
 
 # Manage automation folder exclusions
@@ -41,13 +41,17 @@ You can control the following attributes about the folder that you'd like to be
 
 - **File names**: You can specify the file names that you want to be excluded in a specific directory. The names are a way to prevent an attacker from using an excluded folder to hide an exploit. The names explicitly define which files to ignore.
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
+
 ## Add an automation folder exclusion
 
-1. Log in to [Microsoft Defender XDR](https://go.microsoft.com/fwlink/p/?linkid=2077139) using an account with the Security administrator or Global administrator role assigned.
+1. Sign in to the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139) using an account with the Security administrator or Global administrator role assigned.
 
 2. In the navigation pane, select **Settings** \> **Endpoints** \> **Rules** \> **Automation folder exclusions**.
 
-2. Click **New folder exclusion**.
+2. Select **New folder exclusion**.
 
 3. Enter the folder details:
 
@@ -56,25 +60,29 @@ You can control the following attributes about the folder that you'd like to be
     - File names
     - Description
 
-4. Click **Save**.
+4. Select **Save**.
 
 > [!NOTE]
 > Live Response commands to collect or examine excluded files will fail with error: "File is excluded". In addition, automated investigations will ignore the excluded items.
 
 ## Edit an automation folder exclusion
 
 1. In the navigation pane, select **Settings** \> **Endpoints** \> **Rules** \> **Automation folder exclusions**.
-2. Click **Edit** on the folder exclusion.
+
+2. Select **Edit** on the folder exclusion.
+
 3. Update the details of the rule and click **Save**.
 
 ## Remove an automation folder exclusion
 
 1. In the navigation pane, select **Settings** \> **Endpoints** \> **Rules** \> **Automation folder exclusions**.
-2. Click **Remove exclusion**.
+
+2. Select **Remove exclusion**.
 
 ## Related articles
 
 - [Manage automation allowed/blocked lists](manage-indicators.md)
 - [Manage automation file uploads](manage-automation-file-uploads.md)
 - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]