Merge branch 'public' into patch-3

Author: denisebmsft

CloudAppSecurityDocs/applications-inventory.md

@@ -5,7 +5,7 @@ ms.topic: overview
 description: The new Applications page located under Assets in Microsoft Defender XDR portal provides a centralized location for users to view and manage SaaS and SaaS connected OAuth apps information across their environment, ensuring optimal visibility and a comprehensive experience
 #customer intent: As a security administrator, I want to discover, monitor, and manage all SaaS and OAuth connected apps in my organization so that I can ensure security and compliance.
 ---
-# Applications inventory (Preview)
+# Applications inventory 
 
 Protecting your SaaS ecosystem requires taking inventory of all SaaS and connected OAuth apps that are in your environment. With the increasing number of applications, having a comprehensive inventory is crucial to ensure security and compliance. The Applications page provides a centralized view of all SaaS and connected OAuth apps in your organization, enabling efficient monitoring and management.
 At a glance you can see information such as app name, risk score, privilege level, publisher information, and other details for easy identification of SaaS and OAuth apps most at risk.
@@ -19,7 +19,7 @@ The Applications page includes the following tabs:
 
 In the Defender portal at <https://security.microsoft.com>, go to **Assets** > **Applications**. Or, go directly to the **Applications** page, by clicking on the banner links on the existing Cloud discovery and App governance pages.
 
-:::image type="content" source="media/banner-on-cloud-discovery-pages.png" alt-text="Screenshot of the Cloud Discovery page with a banner about the new unified application inventory experience" lightbox="media/banner-on-cloud-discovery-pages.png":::
+:::image type="content" source="media/banner-on-cloud-discovery-pages.png" alt-text="Screenshot of the Cloud Discovery page with a banner about the new unified application inventory experience." lightbox="media/banner-on-cloud-discovery-pages.png":::
 
 :::image type="content" source="media/banner-message-on-app-governance-pages.png" alt-text="Screenshot of the App Governance page with a banner about the new unified application inventory experience for managing OAuth and SaaS apps" lightbox="media/banner-message-on-app-governance-pages.png":::
 
@@ -31,7 +31,7 @@ There are several options you can choose from to customize the SaaS apps and OAu
 * Apply filters
 
 > [!NOTE]
->When exporting the applications list to a CSV file, a maximum of 1000 SaaS or OAuth apps are displayed.
+> When exporting the applications list to a CSV file, a maximum of 1000 SaaS or OAuth apps are displayed.
 
 The following image depicts the SaaS apps list:
 :::image type="content" source="media/applications-tab-in-the-defender-portal.png" alt-text="Screenshot of the applications tab in the Defender portal" lightbox="media/applications-tab-in-the-defender-portal.png"
@@ -71,7 +71,7 @@ The OAuth apps tab provides visibility into Microsoft 365, Google workspace and
 
 * **Apps from external unverified publishers** – Shows apps that originated from an external unverified publisher tenant. (Available for Microsoft 365)
 
-For more information on how to create app policies, see:[Create app policies in app governance](app-governance-app-policies-create.md)
+For more information on how to create app policies, see [Create app policies in app governance](app-governance-app-policies-create.md).
 
 The following image depicts the OAuth apps list:
 
@@ -97,8 +97,7 @@ You can apply the following filters to get a more focused view:
 | **Privilege level**  | The app's privilege level. |
 | **Certification**| Indicates if an app meets stringent security and compliance standards set by Microsoft 365 or if its publisher has publicly attested to its safety.  |
 | **Sensitivity label accessed**| Sensitivity labels on content accessed by the app  |
-| **Service accessed**| Microsoft 365 services accessed by the app  
-|
+| **Service accessed**| Microsoft 365 services accessed by the app  |
 
 
 > [!TIP]
@@ -112,4 +111,4 @@ You can apply the following filters to get a more focused view:
 > [!div class="nextstepaction"]
 > [Best practices for protecting your organization](best-practices.md)
 
-[!INCLUDE [Open support ticket](includes/support.md)]
+[!INCLUDE [Open support ticket](includes/support.md)]

CloudAppSecurityDocs/toc.yml

@@ -424,7 +424,7 @@ items:
       href: app-activity-threat-hunting.md
   - name: App governance FAQ
     href: app-governance-faq.yml
-- name: Investigate and respond 
+- name: View and manage applications
   items:
     - name: Assets
       items:

defender-business/mdb-faq.yml

@@ -10,7 +10,7 @@ metadata:
   ms.topic: faq
   ms.service: defender-business
   ms.localizationpriority: medium
-  ms.date: 03/19/2024
+  ms.date: 05/20/2025
   ms.reviewer: efratka, nehabha
   f1.keywords: NOCSH
   ms.collection:
@@ -61,10 +61,10 @@ sections:
         answer: |
           The following table compares server options for Defender for Business customers:
 
-          | Server license | Description |
-          |--|--|
-          | Microsoft Defender for Business servers | [Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers) is an add-on to Defender for Business and Microsoft 365 Business Premium. This offering enables small and medium sized businesses (up to 300 users) to onboard and protect servers and client devices in the [Microsoft Defender portal](https://security.microsoft.com). |
-          | Microsoft Defender for Servers Plan 1 / Plan 2| [Microsoft Defender for Servers Plan 1/Plan 2](/azure/defender-for-cloud/plan-defender-for-servers) is an enterprise-focused offering that can be purchased with any other Microsoft cloud plan. This offering is part of [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction), and includes advanced threat hunting with six months of data retention and the Microsoft Threat Experts service.<br/><br/>The admin experience for Defender for Cloud resides within the Azure portal ([https://portal.azure.com](https://portal.azure.com)).|
+          |Server license|Description|
+          |---|---|
+          |Microsoft Defender for Business servers|[Microsoft Defender for Business servers](get-defender-business.md#how-to-get-microsoft-defender-for-business-servers) is an add-on to Defender for Business and Microsoft 365 Business Premium. This offering enables small and medium sized businesses (up to 300 users) to onboard and protect servers and client devices in the [Microsoft Defender portal](https://security.microsoft.com).|
+          |Microsoft Defender for Servers Plan 1 / Plan 2|[Microsoft Defender for Servers Plan 1/Plan 2](/azure/defender-for-cloud/plan-defender-for-servers) is an enterprise-focused offering that can be purchased with any other Microsoft cloud plan. This offering is part of [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction), and includes advanced threat hunting with six months of data retention and the Microsoft Threat Experts service.<br/><br/>The admin experience for Defender for Cloud resides within the Azure portal ([https://portal.azure.com](https://portal.azure.com)).|
 
           Adding Defender for Cloud to a tenant that has Defender for Business doesn't change the simplified configuration experience that Defender for Business offers. The functionality in Microsoft Defender for Servers Plan 1 or Plan 2 work with Defender for Business. 
 
@@ -90,7 +90,7 @@ sections:
 
           |OS|Method|Notes|
           |---|---|---|
-          |Windows |[Attack surface reduction rules](/defender-endpoint/attack-surface-reduction-rules-deployment)|On Windows devices, you can configure device control through ASR rules. You'll need [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to set up your ASR rules. Intune is not included in the standalone version of Defender for Business, but you can add it on. Intune is included in [Microsoft 365 Business Premium](/microsoft-365/business-premium). <br/><br/>[ASR capabilities in Defender for Business](mdb-asr.md)|
+          |Windows|[Attack surface reduction rules](/defender-endpoint/attack-surface-reduction-rules-deployment)|On Windows devices, you can configure device control through ASR rules. You'll need [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to set up your ASR rules. Intune is not included in the standalone version of Defender for Business, but you can add it on. Intune is included in [Microsoft 365 Business Premium](/microsoft-365/business-premium). <br/><br/>[ASR capabilities in Defender for Business](mdb-asr.md)|
           |Mac|Jamf or Intune|You can use Jamf or Intune to set up device control on Mac. See [Device Control for macOS](/defender-endpoint/mac-device-control-overview).|
 
       - question: How do I run custom reports with Defender for Business?
@@ -141,25 +141,25 @@ sections:
           
           The following table summarizes some differences between Defender for Business and Defender for Endpoint:
 
-          | Capabilities | Defender for Business | Defender for Endpoint Plan 1 | Defender for Endpoint Plan 2 |
-          |---|---|---|---|
-          | Centralized management | ✔ | ✔ | ✔ |
-          | Simplified firewall and antivirus configuration for Windows | ✔ | | |
-          | Vulnerability management (core capabilities) | ✔ | | ✔ |
-          | Attack surface reduction | ✔ | ✔ | ✔ |
-          | Next-generation protection | ✔ | ✔ | ✔ |
-          | Endpoint detection & response (EDR) | ✔ <br/>(optimized) | | ✔ |
-          | Automatic attack disruption | ✔ | | ✔ |
-          | Automated investigation & remediation | ✔ | | ✔ |
-          | Monthly security summary reporting | ✔ | | ✔ |
-          | 30 days advanced hunting and six months of data retention in the device timeline | | | ✔ |
-          | Threat analytics | ✔<br/>(optimized) | | ✔ |
-          | Cross-platform support <br/>(Mac, iOS, Android)| ✔ | ✔ | ✔ |
-          | Windows Server and Linux Server <br/>(requires server licenses) | ✔  | ✔ | ✔ |
-          | Microsoft Threat Experts | | | ✔ |
-          | Microsoft 365 Lighthouse <br/>(optimized; for CSPs only) | ✔ | ✔ | ✔ |
-          | Microsoft Defender multi-tenant management | ✔ | ✔ | ✔ |
-          | APIs | ✔  | ✔ | ✔ |
+          |Capabilities|Defender for</br>Business|Defender for</br>Endpoint Plan 1|Defender for</br>Endpoint Plan 2|
+          |---|:---:|:---:|:---:|
+          |Centralized management|✔|✔|✔|
+          |Simplified firewall and antivirus configuration for Windows|✔|||
+          |Vulnerability management (core capabilities)|✔||✔|
+          |Attack surface reduction|✔|✔|✔|
+          |Next-generation protection|✔|✔|✔|
+          |Endpoint detection & response (EDR)|✔ <br/> (optimized)||✔|
+          |Automatic attack disruption|✔||✔|
+          |Automated investigation & remediation|✔||✔|
+          |Monthly security summary reporting|✔||✔|
+          |30 days advanced hunting <br/> and six months of data retention <br/> in the device timeline|||✔|
+          |Threat analytics|✔ <br/> (optimized)||✔|
+          |Cross-platform support <br/> (Mac, iOS/iPadOS, Android)|✔|✔|✔|
+          |Windows Server and Linux Server <br/> (requires server licenses)|✔|✔|✔|
+          |Microsoft Threat Experts|||✔|
+          |Microsoft 365 Lighthouse <br/> (optimized; for CSPs only)|✔|✔|✔|
+          |Microsoft Defender multi-tenant management|✔|✔|✔|
+          |APIs|✔|✔|✔|
 
       - question: Can I have a mix of Microsoft endpoint security subscriptions?
         answer: |

defender-office-365/mdo-deployment-guide.md

@@ -18,7 +18,7 @@ ms.collection:
 ms.custom:
 description: Learn how to get started with the initial deployment and configuration of Microsoft Defender for Office 365.
 ms.service: defender-office-365
-ms.date: 02/24/2025
+ms.date: 05/20/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
   - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
@@ -315,7 +315,17 @@ In general, it's easier to create blocks than allows, because unnecessary allow
 
 - **Allow**:
 
-  - You can't create allow entries for **domains and email addresses**, **files**, and **URLs** directly on the corresponding tabs in the Tenant Allow/Block List. Instead, you use the **Submissions** page to report the item to Microsoft. As you report the item to Microsoft, you can select to allow the item, which creates a corresponding temporary allow entry in the Tenant Allow/Block list.
+  - You can create allow entries for **domains and email addresses** and **URLs** on the corresponding tabs in the Tenant Allow/Block List to override the following verdicts:
+    - Bulk
+    - Spam
+    - High confidence spam
+    - Phishing (not high confidence phishing)
+
+  - You can't create allow entries directly in the Tenant Allow/Block List for the following items:
+    - Malware or high confidence phishing verdicts for **domains and email addresses** or **URLs**.
+    - Any verdicts for **files**.
+
+    Instead, you use the **Submissions** page to report the items to Microsoft. After you select **I've confirmed it's clean**, you can then select **Allow this message**, **Allow this URL**, or **Allow this file** to create a corresponding temporary allow entry in the Tenant Allow/Block list.
 
   - Messages allowed by [spoof intelligence](anti-spoofing-spoof-intelligence.md) are shown on the **Spoof intelligence** page. If you change a block entry to an allow entry, the sender becomes a manual allow entry on the **Spoofed senders** tab in the Tenant Allow/Block List. You can also proactively create allow entries for not yet encountered spoofed senders on the **Spoofed senders** tab.
 

defender-office-365/office-365-ti.md

@@ -104,8 +104,10 @@ Microsoft Defender for Office 365 uses role-based access control. Permissions ar
 |Use the Microsoft Defender Vulnerability Management dashboard <br/><br/> View information about recent or current threats|One of the following: <ul><li>**Global Administrator**<sup>\*</sup></li><li>**Security Administrator**</li><li>**Security Reader**</li></ul> <br/> These roles can be assigned in either Microsoft Entra ID (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>).|
 |Use [Explorer (and real-time detections)](threat-explorer-real-time-detections-about.md) to analyze threats|One of the following: <ul><li>**Global Administrator**<sup>\*</sup></li><li>**Security Administrator**</li><li>**Security Reader**</li></ul> <br/> These roles can be assigned in either Microsoft Entra ID (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>).|
 |View Incidents (also referred to as Investigations) <br/><br/> Add email messages to an incident|One of the following: <ul><li>**Global Administrator**<sup>\*</sup></li><li>**Security Administrator**</li><li>**Security Reader**</li></ul> <br/> These roles can be assigned in either Microsoft Entra ID (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>).|
-|Trigger email actions in an incident <br/><br/> Find and delete suspicious email messages|One of the following: <ul><li>**Global Administrator**<sup>\*</sup></li><li>**Security Administrator** plus the **Search and Purge** role</li></ul> <br/> The **Global Administrator**<sup>\*</sup> and **Security Administrator** roles can be assigned in either Microsoft Entra ID (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>). <br/><br/> The **Search and Purge** role must be assigned in the **Email & collaboration roles** in the Microsoft 36 Defender portal (<https://security.microsoft.com>).|
+|Trigger email actions in an incident <br/><br/> Find and delete suspicious email messages|One of the following: <ul><li>**Global Administrator**<sup>\*</sup></li><li>**Security Administrator** plus the **Search and Purge** role</li></ul> <br/> The **Global Administrator**<sup>\*</sup> and **Security Administrator** roles can be assigned in either Microsoft Entra ID (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>). <br/><br/> The **Search and Purge** role must be assigned in the **Email & collaboration roles** in the Microsoft 365 Defender portal (<https://security.microsoft.com>).|
 |Integrate Microsoft Defender for Office 365 Plan 2 with Microsoft Defender for Endpoint <br/><br/> Integrate Microsoft Defender for Office 365 Plan 2 with a SIEM server|Either the **Global Administrator**<sup>\*</sup> or the **Security Administrator** role assigned in either Microsoft Entra ID (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>). <br/><br/> --- **plus** --- <br/><br/> An appropriate role assigned in additional applications (such as [Microsoft Defender Security Center](/windows/security/threat-protection/microsoft-defender-atp/user-roles) or your SIEM server).|
+|View email preview/download .eml of Quarantined emails (view/download only Quarantined emails)|One of the following: <ul><li>**Global Administrator**<sup>\*</sup></li><li>**Security Administrator**</li><li>**Security Reader**</li></ul> <br/> These roles can be assigned in either Microsoft Entra ID (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>).|
+|View email preview/download .eml of ANY email in Explorer|One of the following: <ul><li>**Security Administrator**</li><li>**Security Reader**</li></ul> <br/> These roles can be assigned in either Microsoft Entra ID (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>).|
 
 > [!IMPORTANT]
 > <sup>\*</sup> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.