Merge branch 'main' into US479147SP

Author: DebLanger

.acrolinx-config.edn

@@ -35,7 +35,7 @@ If you need a scoring exception for content in this PR, add the *Sign off* and t
 - Escalate the exception request to the Acrolinx Review Team for review.
 - Approve the exception and work with the GitHub Admin Team to merge the PR to the default branch.
 
-For more information about the exception criteria and exception process, see [Minimum Acrolinx topic scores for publishing](https://review.docs.microsoft.com/en-us/office-authoring-guide/acrolinx-min-score?branch=main).
+For more information about the exception criteria and exception process, see [Minimum Acrolinx topic scores for publishing](https://review.learn.microsoft.com/en-us/office-authoring-guide/acrolinx-min-score?branch=main).
  
 Select the total score link to review all feedback on clarity, consistency, tone, brand, terms, spelling, grammar, readability, and inclusive language. _You should fix all spelling errors regardless of your total score_. Fixing spelling errors helps maintain customer trust in overall content quality.
 
@@ -54,7 +54,7 @@ Select the total score link to review all feedback on clarity, consistency, tone
 - [Install Acrolinx locally for VSCode for Magic](https://review.learn.microsoft.com/office-authoring-guide/acrolinx-vscode?branch=main)
 - [False positives or issues](https://aka.ms/acrolinxbug)
 - [Request a new Acrolinx term](https://microsoft.sharepoint.com/teams/M365Dev2/SitePages/M365-terminology.aspx)
-- [Troubleshooting issues with Acrolinx](https://review.learn.microsoft.com/help/platform/acrolinx-troubleshoot?branch)
+- [Troubleshooting issues with Acrolinx](https://review.learn.microsoft.com/help/platform/acrolinx-troubleshoot?branch=main)
 
 "
 }

.github/workflows/TierManagement.yml

@@ -2,12 +2,15 @@ name: Tier management
 
 permissions:
   pull-requests: write
-  contents: read
+  contents: write
 
 on: 
   issue_comment:
     types: [created, edited]
 
+  pull_request_target:
+    types: [opened, reopened]
+
 jobs:
 
   tier-mgmt:

.openpublishing.publish.config.json

@@ -6,7 +6,7 @@
       "build_output_subfolder": "ATA-Docs",
       "locale": "en-us",
       "monikers": [],
-      "open_to_public_contributors": true,
+      "open_to_public_contributors": false,
       "type_mapping": {
         "Conceptual": "Content"
       },
@@ -191,6 +191,8 @@
     ".openpublishing.redirection.defender-cloud-apps.json",
     ".openpublishing.redirection.defender-endpoint.json",
     ".openpublishing.redirection.defender-office-365.json",
-    ".openpublishing.redirection.defender-xdr.json"
+    ".openpublishing.redirection.defender-xdr.json",
+    ".openpublishing.redirection.unified-secops.json"
+
   ]
 }

.openpublishing.redirection.ata-atp.json

@@ -15,6 +15,21 @@
       "redirect_url": "deploy/active-directory-federation-services",
       "redirect_document_id": false
     },
+    {
+      "source_path": "ATPDocs/deploy/quick-installation-guide.md",
+      "redirect_url": "deploy-defender-identity",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "ATPDocs/deploy/prerequisites.md",
+      "redirect_url": "prerequisites-sensor-version-2",
+      "redirect_document_id": false
+    },
+        {
+      "source_path": "ATPDocs/deploy/activate-capabilities.md",
+      "redirect_url": "activate-sensor",
+      "redirect_document_id": false
+    },
     {
       "source_path": "ATPDocs/configure-event-collection.md",
       "redirect_url": "deploy/configure-event-collection",
@@ -125,6 +140,31 @@
       "redirect_url": "manage-security-alerts",
       "redirect_document_id": false
     },
+    {
+      "source_path": "ATPDocs/credential-access-alerts.md",
+      "redirect_url": "alerts-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "ATPDocs/persistence-privilege-escalation-alerts.md",
+      "redirect_url": "alerts-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "ATPDocs/reconnaissance-discovery-alerts.md",
+      "redirect_url": "alerts-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "ATPDocs/lateral-movement-alerts.md",
+      "redirect_url": "alerts-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "ATPDocs/other-alerts.md",
+      "redirect_url": "alerts-overview",
+      "redirect_document_id": false
+    },
     {
       "source_path": "ATPDocs/classic-activities-filtering-mcas.md",
       "redirect_url": "/previous-versions/defender-for-identity/classic-activities-filtering-mcas",

.openpublishing.redirection.defender-office-365.json

@@ -59,6 +59,11 @@
       "source_path": "defender-office-365/step-by-step-guides/deploy-and-configure-the-report-message-add-in.md",
       "redirect_url": "/defender-office-365/submissions-outlook-report-messages",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-office-365/tenant-wide-setup-for-increased-security.md",
+      "redirect_url": "/security/zero-trust/zero-trust-identity-device-access-policies-overview",
+      "redirect_document_id": false
     }
   ]
 }

.openpublishing.redirection.unified-secops.json

@@ -0,0 +1,9 @@
+{
+  "redirections": [
+    {
+      "source_path": "unified-secops-platform/mto-tenantgroups.md",
+      "redirect_url": "mto-distribution-profiles",
+      "redirect_document_id": false
+    }
+  ]
+}

ATADocs/suspicious-activity-guide.md

@@ -536,9 +536,9 @@ Apply the latest patches to all of your machines, and check all security updates
 
 1. [Remove WannaCry](https://support.microsoft.com/help/890830/remove-specific-prevalent-malware-with-windows-malicious-software-remo)
 
-1. Data in the control of some ransom software can sometimes be decrypted. Decryption is only possible if the user hasn't restarted or turned off the computer. For more information, see [Wanna Cry Ransomware](https://answers.microsoft.com/en-us/windows/forum/windows_10-security/wanna-cry-ransomware/5afdb045-8f36-4f55-a992-53398d21ed07?auth=1)
+1. Data in the control of some ransom software can sometimes be decrypted. Decryption is only possible if the user hasn't restarted or turned off the computer. For more information, see [WannaCrypt ransomware worm targets out-of-date systems](https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/)
 
->[!NOTE]
+> [!NOTE]
 > To disable a suspicious activity alert, contact support.
 
 ## See also

ATPDocs/advanced-settings.md

@@ -1,7 +1,7 @@
 ---
 title: Adjust alert thresholds | Microsoft Defender for Identity
 description: Learn how to configure the number of Microsoft Defender for Identity alerts triggered of specific alert types by adjusting alert thresholds.
-ms.date: 02/11/2024
+ms.date: 08/03/2025
 ms.topic: how-to
 #CustomerIntent: As a Microsoft Defender for Identity customer, I want to reduce the number of false positives by adjusting thresholds for specific alerts.
 ms.reviewer: rlitinsky
@@ -15,7 +15,7 @@ Some Defender for Identity alerts rely on *learning periods* to build a profile
 
 Use the **Adjust alert thresholds** page to customize the threshold level for specific alerts to influence their alert volume. For example, if you're running comprehensive testing, you might want to lower alert thresholds to trigger as many alerts as possible.
 
-Alerts are always triggered immediately if the **Recommended test mode** option is selected, or if a threshold level is set to **Medium** or **Low**, regardless of whether the alert's learning period has already completed.
+Alerts are triggered immediately if the **Recommended test mode** option is selected, or if a threshold level is set to **Medium** or **Low**, regardless of whether the alert's learning period has already completed.
 
 > [!NOTE]
 > The **Adjust alert thresholds** page was previously named **Advanced settings**. For details about this transition and how any previous settings were retained, see our [What's New announcement](whats-new.md#enhanced-user-experience-for-adjusting-alert-thresholds-preview).
@@ -46,24 +46,27 @@ For example, if you have NAT or VPN, we recommend that you consider any changes
     When you select **Medium** or **Low**, details are bolded in the **Information** column to help you understand how the change affects the alert behavior.
 
 1. Select **Apply changes** to save changes.
+1. Select **Revert to default** and then **Apply changes** to reset all alerts to the default threshold (**High**). Reverting to default is irreversible and any changes made to your threshold levels are lost.
 
-Select **Revert to default** and then **Apply changes** to reset all alerts to the default threshold (**High**). Reverting to default is irreversible and any changes made to your threshold levels are lost.
-
-## Switch to test mode
+## Switch to Recommended test mode
 
 The **Recommended test mode** option is designed to help you understand all Defender for Identity alerts, including some related to legitimate traffic and activities so that you can thoroughly evaluate Defender for Identity as efficiently as possible.
 
 If you recently deployed Defender for Identity and want to test it, select the **Recommended test mode** option to switch all alert thresholds to **Low** and increase the number of alerts triggered. 
 
-Threshold levels are read-only when the **Recommended test mode** option is selected. When you're finished testing, toggle the **Recommended test mode** option back off to return to your previous settings.
+Threshold levels are read-only when the **Recommended test mode** option is selected.
+
+> [!NOTE] 
+> Test mode is time-limited to a maximum of 60 days.
+> When turning on Recommended test mode, you must specify an end time. The selected end time is displayed next to the toggle for as long as test mode is enabled.
 
-Select **Apply changes** to save changes.
+When you're finished testing, toggle the Recommended test mode option back off to return to your previous settings. Select **Apply changes** to save changes.
 
 ## Supported detections for threshold configurations
 
 The following table describes the types of detections that support adjustments for threshold levels, including the effects of **Medium** and **Low** thresholds.
 
-Cells marked with N/A indicate that the threshold level is not supported for the detection
+Cells marked with N/A indicate that the threshold level isn't supported for the detection.
 
 | Detection | Medium | Low |
 | --- | --- | --- |