Merge branch 'main' into poliveria-custom-detections-08012025

Author: poliveria

.acrolinx-config.edn

@@ -35,7 +35,7 @@ If you need a scoring exception for content in this PR, add the *Sign off* and t
 - Escalate the exception request to the Acrolinx Review Team for review.
 - Approve the exception and work with the GitHub Admin Team to merge the PR to the default branch.
 
-For more information about the exception criteria and exception process, see [Minimum Acrolinx topic scores for publishing](https://review.docs.microsoft.com/en-us/office-authoring-guide/acrolinx-min-score?branch=main).
+For more information about the exception criteria and exception process, see [Minimum Acrolinx topic scores for publishing](https://review.learn.microsoft.com/en-us/office-authoring-guide/acrolinx-min-score?branch=main).
  
 Select the total score link to review all feedback on clarity, consistency, tone, brand, terms, spelling, grammar, readability, and inclusive language. _You should fix all spelling errors regardless of your total score_. Fixing spelling errors helps maintain customer trust in overall content quality.
 
@@ -54,7 +54,7 @@ Select the total score link to review all feedback on clarity, consistency, tone
 - [Install Acrolinx locally for VSCode for Magic](https://review.learn.microsoft.com/office-authoring-guide/acrolinx-vscode?branch=main)
 - [False positives or issues](https://aka.ms/acrolinxbug)
 - [Request a new Acrolinx term](https://microsoft.sharepoint.com/teams/M365Dev2/SitePages/M365-terminology.aspx)
-- [Troubleshooting issues with Acrolinx](https://review.learn.microsoft.com/help/platform/acrolinx-troubleshoot?branch)
+- [Troubleshooting issues with Acrolinx](https://review.learn.microsoft.com/help/platform/acrolinx-troubleshoot?branch=main)
 
 "
 }

ATPDocs/advanced-settings.md

@@ -1,7 +1,7 @@
 ---
 title: Adjust alert thresholds | Microsoft Defender for Identity
 description: Learn how to configure the number of Microsoft Defender for Identity alerts triggered of specific alert types by adjusting alert thresholds.
-ms.date: 02/11/2024
+ms.date: 08/03/2025
 ms.topic: how-to
 #CustomerIntent: As a Microsoft Defender for Identity customer, I want to reduce the number of false positives by adjusting thresholds for specific alerts.
 ms.reviewer: rlitinsky
@@ -15,7 +15,7 @@ Some Defender for Identity alerts rely on *learning periods* to build a profile
 
 Use the **Adjust alert thresholds** page to customize the threshold level for specific alerts to influence their alert volume. For example, if you're running comprehensive testing, you might want to lower alert thresholds to trigger as many alerts as possible.
 
-Alerts are always triggered immediately if the **Recommended test mode** option is selected, or if a threshold level is set to **Medium** or **Low**, regardless of whether the alert's learning period has already completed.
+Alerts are triggered immediately if the **Recommended test mode** option is selected, or if a threshold level is set to **Medium** or **Low**, regardless of whether the alert's learning period has already completed.
 
 > [!NOTE]
 > The **Adjust alert thresholds** page was previously named **Advanced settings**. For details about this transition and how any previous settings were retained, see our [What's New announcement](whats-new.md#enhanced-user-experience-for-adjusting-alert-thresholds-preview).
@@ -46,24 +46,27 @@ For example, if you have NAT or VPN, we recommend that you consider any changes
     When you select **Medium** or **Low**, details are bolded in the **Information** column to help you understand how the change affects the alert behavior.
 
 1. Select **Apply changes** to save changes.
+1. Select **Revert to default** and then **Apply changes** to reset all alerts to the default threshold (**High**). Reverting to default is irreversible and any changes made to your threshold levels are lost.
 
-Select **Revert to default** and then **Apply changes** to reset all alerts to the default threshold (**High**). Reverting to default is irreversible and any changes made to your threshold levels are lost.
-
-## Switch to test mode
+## Switch to Recommended test mode
 
 The **Recommended test mode** option is designed to help you understand all Defender for Identity alerts, including some related to legitimate traffic and activities so that you can thoroughly evaluate Defender for Identity as efficiently as possible.
 
 If you recently deployed Defender for Identity and want to test it, select the **Recommended test mode** option to switch all alert thresholds to **Low** and increase the number of alerts triggered. 
 
-Threshold levels are read-only when the **Recommended test mode** option is selected. When you're finished testing, toggle the **Recommended test mode** option back off to return to your previous settings.
+Threshold levels are read-only when the **Recommended test mode** option is selected.
+
+> [!NOTE] 
+> Test mode is time-limited to a maximum of 60 days.
+> When turning on Recommended test mode, you must specify an end time. The selected end time is displayed next to the toggle for as long as test mode is enabled.
 
-Select **Apply changes** to save changes.
+When you're finished testing, toggle the Recommended test mode option back off to return to your previous settings. Select **Apply changes** to save changes.
 
 ## Supported detections for threshold configurations
 
 The following table describes the types of detections that support adjustments for threshold levels, including the effects of **Medium** and **Low** thresholds.
 
-Cells marked with N/A indicate that the threshold level is not supported for the detection
+Cells marked with N/A indicate that the threshold level isn't supported for the detection.
 
 | Detection | Medium | Low |
 | --- | --- | --- |

ATPDocs/whats-new.md

@@ -36,6 +36,14 @@ Improved detection logic to include scenarios where accounts were locked during
 
 ## July 2025
 
+**Expanded coverage in ITDR deployment health widget**
+
+The ITDR deployment health widget now provides visibility into the deployment status of additional server types. Previously, it only reflected the status for Active Directory domain controllers. With this update, the widget also includes deployment status for ADFS, ADCS, and Entra Connect servers - making it easier to track and ensure full sensor coverage across all supported identity infrastructure.
+
+**Time limit added to Recommended test mode**
+
+Recommended test mode configuration on the [Adjust alert thresholds page](/defender-for-identity/advanced-settings), now requires you to set an expiration time (up to 60 days) when enabling it. The end time is shown next to the toggle while test mode is active. For customers who already had Recommended test mode enabled, a 60-day expiration was automatically applied.
+
 ### Identity scoping is now available in Governance environments
 
 Scoping is now supported in government (GOV) environments. Organizations can now define and refine the scope of MDI monitoring and gain granular control over which entities and resources are included in security analysis.

CloudAppSecurityDocs/discovered-apps.md

@@ -67,7 +67,7 @@ You also might want to identify specific app instances that are in use by invest
 :::image type="content" source="media/discovered-apps/subdomains-image.png" alt-text="Subdomain filter.":::
 
 > [!NOTE]
-> The feature of discovered subdomains will be deprecated by Sep 31st, 2025. Post this, no support for discovery subdomains will be provided.
+> The feature of discovered subdomains will be deprecated by Dec 31st, 2025. Post this, no support for discovery subdomains will be provided.
 > 
 >  Deep dives into discovered apps are supported only in firewalls and proxies that contain target URL data. For more information, see [Supported firewalls and proxies](set-up-cloud-discovery.md#supported-firewalls-and-proxies).
 >

defender-endpoint/whats-new-in-microsoft-defender-endpoint.md

@@ -46,6 +46,10 @@ For more information on what's new with other Microsoft Defender security produc
 - [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes)
 - [What's new in Microsoft Defender Vulnerability Management](/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management)
 
+## July 2025
+
+- (GA) [Microsoft Defender Core service](/defender-endpoint/microsoft-defender-core-service-overview) is now generally available on Windows Server 2019 or later.  Helps with the stability and performance of Microsoft Defender Antivirus.
+
 ## April 2025
 
 - (Preview) **Contain IP addresses of undiscovered devices**: Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. See [Contain IP addresses of undiscovered devices](respond-machine-alerts.md#contain-ip-addresses-of-undiscovered-devices) for more information.

defender-office-365/attack-simulation-training-teams.md

@@ -20,7 +20,7 @@ appliesto:
 # Microsoft Teams in Attack simulation training
 
 > [!IMPORTANT]
-> Microsoft Teams' Attack simulation training is currently in Private Preview. The information in this article is subject to change.
+> Microsoft Teams' Attack simulation training is currently in Private Preview and the intake for this preview is now closed. The information in this article is subject to change.
 
 In organizations with Microsoft Defender for Office 365 Plan 2 or Microsoft Defender XDR, admins can now use Attack simulation training to deliver simulated phishing messages in Microsoft Teams. For more information about attack simulation training, see [Get started using Attack simulation training in Defender for Office 365](attack-simulation-training-get-started.md).
 

defender-office-365/configure-junk-email-settings-on-exo-mailboxes.md

@@ -16,7 +16,7 @@ ms.collection:
   - tier2
 description: Admins can learn how to configure the junk email settings in Exchange Online mailboxes. Many of these settings are available to users in Outlook or Outlook on the web.
 ms.service: defender-office-365
-ms.date: 07/03/2025
+ms.date: 07/31/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Default email protections for cloud mailboxes</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -33,9 +33,11 @@ But, there are also specific anti-spam settings that admins can configure on ind
 
 - **Deliver messages to the Junk Email folder based on anti-spam policies**: When an anti-spam policy is configured with the action **Move message to Junk Email folder** for a spam filtering verdict, the message is delivered to the Junk Email folder of the mailbox. For more information about spam filtering verdicts in anti-spam policies, see [Configure anti-spam policies](anti-spam-policies-configure.md). Similarly, if zero-hour auto purge (ZAP) determines that a delivered message is spam or phishing, the message is moved to the Junk Email folder for **Move message to Junk Email folder** spam filtering verdict actions. For more information about ZAP, see [Zero-hour auto purge (ZAP) in Exchange Online](zero-hour-auto-purge.md).
 
-- **Junk email settings that users configure for themselves in Outlook or Outlook on the web**: The _safelist collection_ is the Safe Senders list, the Safe Recipients list, and the Blocked Senders list on each mailbox. The entries in these lists determine whether the message is moved to the Inbox or the Junk Email folder. Users can configure the safelist collection for their own mailboxes in Outlook or Outlook on the web (formerly known as Outlook Web App). Admins can configure the safelist collection on any user's mailbox.
+- **Junk email settings that users configure for themselves in Outlook or Outlook on the web**: The _safelist collection_ is the Safe Senders list, the Safe Recipients list, and the Blocked Senders list on each mailbox. The entries in these lists determine whether the message is delivered to the Inbox or the Junk Email folder. Users can configure the safelist collection for their own mailboxes in Outlook or Outlook on the web (formerly known as Outlook Web App or OWA). Admins can configure the safelist collection on any user's mailbox.
 
-Microsoft 365 is able to deliver messages to the Junk Email folder based on the spam filtering verdict action **Move message to Junk Email folder** and the Blocked Senders list in the mailbox, and prevent messages from being delivered to the Junk Email folder based on the Safe Senders list on the mailbox.
+Microsoft 365 adds the header `X-Forefront-Antispam-Report: SFV:BLK` to incoming messages from senders in a user's Blocked Senders list, and any future messages from that sender are classified as spam. The message is delivered to the user's Junk Email folder or to quarantine based on the action configured in the applicable anti-spam policy (our [recommended action](recommended-settings-for-eop-and-office365.md#anti-spam-policy-settings) is **Move message to Junk Email folder**).
+
+If the sender is a user's Safe Senders list, the message is delivered to their Inbox.
 
 Admins can use Exchange Online PowerShell to configure entries in the safelist collection on mailboxes (the Safe Senders list, the Safe Recipients list, and the Blocked Senders list).
 

defender-office-365/reports-mdo-email-collaboration-dashboard.md

@@ -18,7 +18,7 @@ ms.collection:
 description: Admins can learn about the information on the Microsoft Defender for Office 365 Overview dashboard in the Microsoft Defender portal.
 ms.custom:
 ms.service: defender-office-365
-ms.date: 07/16/2025
+ms.date: 08/01/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
   - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
@@ -33,7 +33,6 @@ The information on the **Overview** page is organized into the following areas:
 - [Defender for Office 365 summary](#defender-for-office-365-summary)
 - [Optimize section](#optimize-section)
 - [Risky allows section](#risky-allows-section)
-- [Compare solutions section](#compare-solutions-section)
 - [Insights section](#insights-section)
 
 For the permissions required to view the dashboard and reports, see [What permissions are needed to view these reports?](reports-email-security.md#what-permissions-are-needed-to-view-these-reports).
@@ -187,42 +186,6 @@ Select **Review rules** to go to the **Rules** page in the Exchange admin center
 
 :::image type="content" source="media/email-collab-overview-risky-allows-etrs.png" alt-text="Screenshot of the Exchange transport rules card in the Risky allows section of the Email & collaboration overview report page." lightbox="media/email-collab-overview-risky-allows-etrs.png":::
 
-## Compare solutions section
-
-The information in the **Compare solutions** section is described in the following subsections.
-
-### Email detections card
-
-<!--- https://go.microsoft.com/fwlink/?linkid=2323918--->
-
-The graph on the **Email detections** shows Microsoft and non-Microsoft detections as part of [ICES Vendor Ecosystem integration](mdo-ices-vendor-ecosystem.md):
-
-- **Defender mail flow detections**
-- **Defender post-delivery detections**
-- **Non-Microsoft post-delivery detections**
-- **Duplicate detections Duplicate post-delivery detections**
-
-Hover over a category in the chart to see the number of messages in each category for the review period selected.
-
-:::image type="content" source="media/email-collab-overview-compare-solutions-email-detections.png" alt-text="Screenshot of the Email detections card in the Compare solutions section of the Email & collaboration overview report page." lightbox="media/email-collab-overview-compare-solutions-email-detections.png":::
-
-### Non-Microsoft detections card
-
-<!--- https://go.microsoft.com/fwlink/?linkid=2324014 --->
-
-The graphs on the **Non-Microsoft detections** show the following information for non-Microsoft detections as part of  [ICES Vendor Ecosystem integration](mdo-ices-vendor-ecosystem.md):
-
-- **Post delivery detections** graph:
-  - **Malware**
-  - **Phish**
-  - **Spam**
-
-  Hover over a category in the chart to see the number of messages in each category for the review selected.
-
-- **Efficacy** graph: Shows the unique detections by the non-Microsoft service as a percentage of the total detections by Defender for Office 365.
-
-:::image type="content" source="media/email-collab-overview-compare-solutions-non-microsoft.png" alt-text="Screenshot of the Non-Microsoft detections card in the Compare solutions section of the Email & collaboration overview report page." lightbox="media/email-collab-overview-compare-solutions-non-microsoft.png":::
-
 ## Insights section
 
 The information in the **Insights** section is described in the following subsections.