
Commit 51e81d8

Merge branch 'main' into exception-updates
2 parents 868d84a + f82079a commit 51e81d8


80 files changed

+470
-188
lines changed


defender-for-identity/deploy/prerequisites-sensor-version-3.md

Lines changed: 1 addition & 1 deletion
@@ -110,4 +110,4 @@ We recommend running the [*Test-MdiReadiness.ps1*](https://github.com/microsoft/
110110
The *Test-MdiReadiness.ps1* script is also available from Microsoft Defender XDR, on the **Identities > Tools** page (Preview).
111111

112112
## Next step
113-
[Plan capacity for Microsoft Defender for Identity](capacity-planning.md)
113+
[Activate the Microsoft Defender for Identity sensor](activate-sensor.md)
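
Review bot: The new Next step link on line 113 drops the only visible pointer to capacity-planning.md. If capacity planning still applies to sensor v3, keep it reachable, for example by listing both links under Next step; if it doesn't apply to this sensor version, the change is fine as is.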

defender-for-identity/whats-new.md

Lines changed: 5 additions & 0 deletions
@@ -23,6 +23,11 @@ For more information, see also:
2323

2424
For updates about versions and features released six months ago or earlier, see the [What's new archive for Microsoft Defender for Identity](whats-new-archive.md).
2525

26+
## December 2025
27+
|Version number |Updates |
28+
|---------|---------|
29+
|2.252|Includes bug fixes and stability improvements for the Microsoft Defender for Identity sensor.|
30+
2631
## November 2025
2732

2833
|Version number |Updates |
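
Review bot: The added `## December 2025` heading on line 26 is followed directly by the table header on line 27 with no blank line, while the existing November 2025 section keeps a blank line (line 32) between its heading and table. Add a blank line after the new heading so the table renders reliably and the two sections match.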

defender-office-365/mdo-support-teams-about.md

Lines changed: 4 additions & 1 deletion
@@ -16,7 +16,7 @@ ms.collection:
1616
- tier1
1717
description: Admins can learn about Microsoft Teams features in Microsoft Defender for Office 365.
1818
ms.service: defender-office-365
19-
ms.date: 09/11/2025
19+
ms.date: 10/27/2025
2020
appliesto:
2121
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
2222
- ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
@@ -58,6 +58,9 @@ Microsoft 365 E5 and Defender for Office 365 Plan 2 extend Teams protection with
5858

5959
- **Teams message entity panel**: A single place to store all Teams message metadata for immediate SecOps review. Any threats coming from Teams chats, group chats, meeting chats, and other channels can be found in one place as soon as they're assessed. For more information, see [The Teams message entity panel in Microsoft Defender for Office 365 Plan 2](teams-message-entity-panel.md).
6060

61+
> [!TIP]
62+
> To remove users from Teams chats, see [Remove users from Teams chats in the Teams message entity panel](teams-message-entity-panel.md#remove-users-from-teams-chats-in-the-teams-message-entity-panel).
63+
6164
- **Attack simulation training using Teams messages**: To ensure users are resilient to phishing attacks in Microsoft Teams, admins can configure phishing simulations using Teams messages instead of email messages. For more information, see [Microsoft Teams in Attack simulation training](attack-simulation-training-teams.md).
6265

6366
- **Hunting on Teams messages with URLs**: You can hunt for Teams messages containing URL across three new advanced hunting tables: [MessageEvents](/defender-xdr/advanced-hunting-messageevents-table), [MessagePostDeliveryEvents](/defender-xdr/advanced-hunting-messagepostdeliveryevents-table), and [MessageURLInfo](/defender-xdr/advanced-hunting-messageurlinfo-table).
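
Review bot: The tip added at lines 61-62 points to removing users from Teams chats without saying the feature is in Preview, while the section added to quarantine-admin-manage-messages-files.md in this same commit states that it's in Preview and isn't available in all organizations. Mention Preview here as well so the two articles agree. The tip also sits between two list items; make sure it's indented under the Teams message entity panel bullet so the list isn't split.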

defender-office-365/quarantine-admin-manage-messages-files.md

Lines changed: 13 additions & 3 deletions
@@ -18,7 +18,7 @@ ms.custom:
1818
- seo-marvel-apr2020
1919
description: Admins can learn how to view and manage quarantined messages for all users in Microsoft 365 organizations with cloud mailboxes. Admins in organizations with Microsoft Defender for Office 365 can also manage quarantined files in SharePoint, OneDrive, and Microsoft Teams.
2020
ms.service: defender-office-365
21-
ms.date: 10/07/2025
21+
ms.date: 10/27/2025
2222
appliesto:
2323
- ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Default email protections for cloud mailboxes</a>
2424
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -789,7 +789,7 @@ The next section in the details flyout is related to quarantined Teams messages:
789789
- **Policy name**: The value is **Teams Protection Policy**.
790790
- **Quarantine policy**
791791

792-
The rest of the details flyout contains the **Message details**, **Sender**, **Participants**, **Channel details**, and **URLs** sections that are part of the _Teams message entity panel_. For more information, see [The Teams mMessage entity panel in Microsoft Defender for Office 365 Plan 2](teams-message-entity-panel.md).
792+
The rest of the details flyout contains the **Message details**, **Sender**, **Participants**, **Channel details**, and **URLs** sections that are part of the _Teams message entity panel_. For more information, see [The Teams message entity panel in Microsoft Defender for Office 365 Plan 2](teams-message-entity-panel.md).
793793

794794
When you're finished in the details flyout, select **Close**.
795795

@@ -811,7 +811,7 @@ On the **Teams messages** tab, select the quarantined message by using either of
811811

812812
Using either method to select the message, some actions are available under :::image type="icon" source="media/m365-cc-sc-more-actions-icon.png" border="false"::: **More**.
813813

814-
After you select the quarantined message, the available actions are described in the following subsections.
814+
After you select the quarantined Teams message, the available actions are described in the following subsections.
815815

816816
#### Release quarantined Teams messages
817817

@@ -878,6 +878,16 @@ By default, The .html message file is saved in a compressed file named Quarantin
878878

879879
Back on the **Download messages** flyout, select **Done**.
880880

881+
#### Remove users from quarantined Teams chats
882+
883+
> [!TIP]
884+
> Currently, this feature is in Preview, isn't available in all organizations, and is subject to change.
885+
886+
1. On the **Teams messages** tab, select the Teams message by clicking anywhere in the row other than the check box next to the first column.
887+
2. In the details flyout that opens (the Teams message entity panel), select :::image type="icon" source="media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action** at the top of the flyout.
888+
889+
For complete instructions, see [Remove users from Teams chats in the Teams message entity panel](teams-message-entity-panel.md#remove-users-from-teams-chats-in-the-teams-message-entity-panel).
890+
881891
#### Take action on multiple quarantined Teams messages
882892

883893
When you select multiple quarantined messages on the **Teams messages** tab by selecting the check boxes next to the first column, the following bulk actions are available on the **Teams messages** tab:
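
Review bot: The procedure added at lines 886-887 stops at **Take action** and never names the action that removes the user, so a reader who follows only these two steps doesn't complete the task in the heading. Either add the final step, or introduce the list as the way to reach **Take action** before the "For complete instructions" link. Two smaller points: the Preview notice on lines 883-884 is in a `[!TIP]` alert, where `[!NOTE]` or `[!IMPORTANT]` fits an availability caveat better, and step 1 says "clicking" where the rest of the section uses "select".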
Lines changed: 17 additions & 17 deletions
@@ -1,6 +1,6 @@
11
---
2-
title: (False Negatives) How to handle malicious emails that are delivered to recipients using Microsoft Defender for Office 365
3-
description: The steps to handle malicious emails coming through to end users and inboxes (as False Negatives) with Microsoft Defender for Office 365 in order to prevent loss of business.
2+
title: (False negatives) How to use Microsoft Defender for Office 365 to handle malicious emails delivered to recipients.
3+
description: Steps in Microsoft Defender for Office 365 to handle malicious emails delivered to end users (false negatives) to prevent the loss of business.
44
ms.service: defender-office-365
55
f1.keywords:
66
- NOCSH
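
Review bot: The new title on line 2 ends with a period ("...delivered to recipients."), which will appear in the page title and search results; the H1 on line 21 of the same file has none. Drop the trailing period. The false positives article changed later in this commit has the same trailing period in its title.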
@@ -15,37 +15,37 @@ ms.collection:
1515
- tier3
1616
ms.topic: how-to
1717
search.appverid: met150
18-
ms.date: 01/31/2023
18+
ms.date: 12/08/2025
1919
---
2020

21-
# How to handle malicious emails that are delivered to recipients (False Negatives), using Microsoft Defender for Office 365
21+
# How to handle malicious emails that are delivered to recipients (false negatives) using Microsoft Defender for Office 365
2222

23-
Microsoft Defender for Office 365 helps deal with malicious emails (False Negative) that are delivered to recipients and that put your organizational productivity at risk.
23+
Microsoft Defender for Office 365 helps deal with undetected malicious email delivered to recipients (known as false negatives) that put your organizational productivity at risk.
2424

25-
Defender for Office 365 can help you understand why emails are getting delivered, how to resolve the situation quickly, and how to prevent similar situations from happening in the future.
25+
Defender for Office 365 can help admins understand *why* malicious emails were delivered, how to quickly resolve the issue, and how to prevent similar issues from happening in the future.
2626

27-
## What you'll need
27+
## What you need
2828

29-
- Microsoft Defender for Office 365 Plan 1 and 2 (included as part of E5). Exchange Online customers can also leverage this.
30-
- Sufficient permissions (Security Administrator role).
31-
- 5-10 minutes to perform the steps below.
29+
- Microsoft Defender for Office 365 Plan 1 or Plan 2. Microsoft 365 A5/E5/G5 includes Plan 2.
30+
- Sufficient permissions. For example, membership in the **Security Administrator** role in [Microsoft Entra ID](/entra/identity/role-based-access-control/manage-roles-portal).
31+
- 5-10 minutes to perform the following steps.
3232

3333
## Handling malicious emails in the Inbox folder of end users
3434

35-
1. Ask end users to report the email as **phishing** or **junk** using Microsoft Message Add-in or Microsoft Phish add-in or the Outlook buttons.
36-
2. End users can also add the sender to the [block senders list](https://support.microsoft.com/office/block-a-mail-sender-b29fd867-cac9-40d8-aed1-659e06a706e4#:~:text=1%20On%20the%20Home%20tab%2C%20in%20the%20Delete,4%20Click%20OK%20in%20both%20open%20dialog%20boxes..) in Outlook to prevent emails from this sender from being delivered to their inbox.
35+
1. Ask end users to report the email as **Phishing** or **Junk** using the [built-in **Report** button in supported versions of Outlook](../submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook).
36+
2. End users can also add senders to their **[Blocked Senders List](https://support.microsoft.com/office/block-or-unblock-senders-in-outlook-9bf812d4-6995-4d19-901a-76d6e26939b0#picktab=classic_outlook)** in Outlook to prevent emails from this sender from being delivered to their inbox.
3737
3. Admins can triage the user reported messages from [User reported tab on the Submissions page](../submissions-admin.md#view-user-reported-messages-to-microsoft).
3838
4. From those reported messages, admins can **submit to** [Microsoft for analysis](../submissions-admin-review-user-reported-messages.md#notify-users-from-within-the-portal) to learn why that email was allowed in the first place.
3939
5. If needed, while submitting to Microsoft for analysis, admins can [create a block entry for the sender](../tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-domains-and-email-addresses) to mitigate the problem.
40-
6. Once the results for submissions are available, read the verdict to understand why emails were allowed, and how your tenant setup could be improved to prevent similar situations from happening in the future.
40+
6. Once the results for submissions are available, read the verdict to understand why emails were allowed, and how your organization setup could be improved to prevent similar issues from happening in the future.
4141

4242
## Handling malicious emails in junk folder of end users
4343

44-
1. Ask end users to report the email as **phishing** using Microsoft Message Add-in, or Microsoft Phish Add-in, or the Outlook buttons.
44+
1. Ask end users to report the email as **phishing** using the [built-in **Report** button in supported versions of Outlook](../submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook).
4545
2. Admins can triage the user reported messages from the [User reported tab on the Submissions page](../submissions-admin.md#view-user-reported-messages-to-microsoft).
4646
3. From those reported messages admins can **submit to** [Microsoft for analysis](../submissions-admin.md#notify-users-about-admin-submitted-messages-to-microsoft) and learn why that email was allowed in the first place.
4747
4. If needed, while submitting to Microsoft for analysis, admins can [create a block entry for the sender](../tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-domains-and-email-addresses) to mitigate the problem.
48-
5. Once the results for submissions are available, read the verdict to understand why emails were allowed, and how your tenant setup could be improved to prevent similar situations from happening in the future.
48+
5. Once the results for submissions are available, read the verdict to understand why emails were allowed, and how your organization setup could be improved to prevent similar issues from happening in the future.
4949

5050
## Handling malicious emails landing in the quarantine folder of end users
5151

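
Review bot: Step 1 of the junk folder section (line 44) still has lowercase `**phishing**`, while the same rewrite in the Inbox section (line 35) changed the labels to `**Phishing**` and `**Junk**`. Use the capitalized label in both places. Also, line 29 drops the sentence about Exchange Online customers; confirm that removal is intended and not a side effect of the rewording.
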
@@ -55,5 +55,5 @@ Defender for Office 365 can help you understand why emails are getting delivered
5555
## Handling malicious emails landing in the quarantine folder of admins
5656

5757
1. Admins can view the quarantined emails (including the ones asking permission to request release) from the [review page](../quarantine-admin-manage-messages-files.md).
58-
2. Admins can submit any malicious, or suspicious messages to Microsoft for analysis, and create a block to mitigate the situation while waiting for verdict.
59-
3. Once the results for submissions are available, read the verdict to learn why the emails were allowed, and how your tenant setup could be improved to prevent similar situations from happening in the future.
58+
2. Admins can submit any malicious, or suspicious messages to Microsoft for analysis, and create a block to mitigate the issue while waiting for a verdict.
59+
3. Once the results for submissions are available, read the verdict to learn why the emails were allowed, and how your organization setup could be improved to prevent similar issues from happening in the future.
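
Review bot: Line 58 is being edited but keeps the stray comma in "any malicious, or suspicious messages". Change it to "any malicious or suspicious messages", and consider "create a block entry" to match the wording used in the earlier sections of this article.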
Lines changed: 17 additions & 15 deletions
@@ -1,6 +1,6 @@
11
---
2-
title: (False Positives) How to handle legitimate emails getting blocked from delivery using Microsoft Defender for Office 365
3-
description: The steps to handle legitimate email getting blocked(False Positive) by Microsoft Defender for Office 365 in order to prevent lose of business.
2+
title: (False positives) How to use Microsoft Defender for Office 365 to handle legitimate emails that were blocked from delivery to recipients.
3+
description: Steps in Microsoft Defender for Office 365 to handle legitimate emails getting blocked from delivery to end users (false positives) to prevent the loss of business.
44
ms.service: defender-office-365
55
f1.keywords:
66
- NOCSH
@@ -15,27 +15,29 @@ ms.collection:
1515
- tier3
1616
ms.topic: how-to
1717
search.appverid: met150
18-
ms.date: 01/31/2023
18+
ms.date: 12/08/2025
1919
---
2020

21-
# How to handle Legitimate emails getting blocked (False Positive), using Microsoft Defender for Office 365
21+
# How to handle legitimate emails getting blocked (false positives) using Microsoft Defender for Office 365
2222

23-
Microsoft Defender for Office 365 helps deal with important legitimate business emails that are mistakenly blocked as threats (False Positives). Defender for Office 365 can help admins understand *why* legitimate emails are being blocked, how to resolve the situation quickly, and prevent similar situations from happening in the future.
23+
Microsoft Defender for Office 365 helps deal with legitimate business emails that are mistakenly blocked as threats (known as false positives).
2424

25-
## What you'll need
25+
Defender for Office 365 can help admins understand *why* legitimate emails were blocked, how to quickly resolve the issue, and how to prevent similar issues from happening in the future.
2626

27-
- Microsoft Defender for Office 365 Plan 1 or 2 (included as part of E5). Exchange Online customers can also leverage this feature.
28-
- Sufficient permissions (Security Administrator role).
29-
- 5-10 minutes to perform the steps below.
27+
## What you need
28+
29+
- Microsoft Defender for Office 365 Plan 1 or Plan 2. Microsoft 365 A5/E5/G5 includes Plan 2.
30+
- Sufficient permissions. For example, membership in the **Security Administrator** role in [Microsoft Entra ID](/entra/identity/role-based-access-control/manage-roles-portal).
31+
- 5-10 minutes to perform the following steps.
3032

3133
## Handling legitimate emails in to Junk folder of end users
3234

33-
1. Ask end users to report the email as **not junk** using Microsoft Message Add-in or the Outlook buttons.
34-
2. End users can also add the sender to the [**safe sender list**](https://support.microsoft.com/office/safe-senders-in-outlook-com-470d4ee6-e3b6-402b-8cd9-a6f00eda7339) in Outlook to prevent the email from these senders landing in Junk folder.
35+
1. Ask end users to report the email as **Not junk** using the [built-in **Report** button in supported versions of Outlook](../submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook).
36+
2. End users can also add senders to their **[Safe Sender List](https://support.microsoft.com/office/add-recipients-to-the-safe-senders-list-in-outlook-be1baea0-beab-4a30-b968-9004332336ce)** in Outlook to prevent messages from these senders landing in Junk folder.
3537
3. Admins can triage the user-reported messages from [the User reported tab on the Submission page](../submissions-admin.md#view-user-reported-messages-to-microsoft).
3638
4. From those reported messages admins can submit to [**Microsoft for analysis**](../submissions-admin.md#notify-users-about-admin-submitted-messages-to-microsoft) and understand why was that email blocked in the first place.
3739
5. If needed, while submitting to Microsoft for analysis, admins can judiciously [create an allow entry for the sender](../tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-domains-and-email-addresses) to mitigate the problem.
38-
6. Once the results from the admin submission are available, read it to understand why emails were blocked and how your tenant setup could be improved to *prevent* similar situations from happening in the future.
40+
6. Once the results from the admin submission are available, read it to understand why emails were blocked and how your organization setup could be improved to *prevent* similar issues from happening in the future.
3941

4042
## Handling legitimate emails that are in quarantine folder of end users
4143

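
Review bot: The link text on line 36 reads "Safe Sender List", but the target URL is add-recipients-to-the-safe-senders-list-in-outlook, so the label doesn't match the name used by the linked article. Change it to "Safe Senders List". While this section is open, the unchanged heading on line 33 ("in to Junk folder") and step 4 ("why was that email blocked") could be fixed in the same pass.
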
@@ -45,10 +47,10 @@ Microsoft Defender for Office 365 helps deal with important legitimate business
4547
## Handling legitimate emails in quarantine folder of an admin
4648

4749
1. Admins can view the quarantined emails (including the ones asking permission to request release) from the [review page](../quarantine-admin-manage-messages-files.md).
48-
2. Admins can release the message from quarantine while submitting it to Microsoft for analysis, and create a temporary allow to mitigate the situation.
50+
2. Admins can release the message from quarantine while submitting it to Microsoft for analysis. They can also create a temporary allow entry in the Tenant Allow/Block List during the submission to Microsoft to mitigate the issue.
4951
3. Once the results for submissions are available, admins should read the verdict to understand the reason.
50-
- If false positives are due to tenant configuration, admins can correct it to mitigate the issue.
52+
- If false positives are due to organization configuration, admins can correct it to mitigate the issue.
5153
- If false positives are due to other factors, Microsoft learns from the submission and similar messages aren't quarantined anymore.
5254

5355
> [!NOTE]
54-
> Admins need to manually release any similar messages that have already been quarantined, as the quarantined messages aren't released automatically. To find and release quarantined messages in bulk, see [Can I release or report more than one quarantined message at a time?](../quarantine-faq.yml#can-i-release-or-report-more-than-one-quarantined-message-at-a-time-)
56+
> Admins need to manually release any similar quarantined messages. Quarantined messages aren't released automatically. To find and release quarantined messages in bulk, see [Can I release or report more than one quarantined message at a time?](../quarantine-faq.yml#can-i-release-or-report-more-than-one-quarantined-message-at-a-time-)
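
Review bot: Line 50 now names the Tenant Allow/Block List but doesn't link it, while step 5 of the Junk folder section in this article links the same concept to tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-domains-and-email-addresses. Add that link here so admins can find how to create the temporary allow entry.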
