Merge branch 'main' into deniseb-293977

Author: denisebmsft

defender-endpoint/TOC.yml

@@ -67,6 +67,8 @@
         href: evaluate-microsoft-defender-antivirus.md
       - name: Evaluate Microsoft Defender Antivirus using PowerShell
         href: microsoft-defender-antivirus-using-powershell.md
+      - name: Evaluate Microsoft Defender Antivirus using Microsoft Defender Endpoint Security Settings Management
+        href: evaluate-mda-using-mde-security-settings-management.md
       - name: Evaluate Microsoft Defender Antivirus using Group Policy 
         href: evaluate-mdav-using-gp.md  
       - name: Microsoft Defender for Endpoint demonstration scenarios

defender-endpoint/android-configure.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: android
 search.appverid: met150
-ms.date: 08/26/2024
+ms.date: 08/30/2024
 ---
 
 # Configure Defender for Endpoint on Android features
@@ -303,9 +303,6 @@ Use the following steps to configure Disable sign-out:
 
 5. Select **Next** and assign this profile to targeted devices and users.
 
-> [!IMPORTANT]
-> This feature is in Public Preview. The following information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
 ## Device Tagging
 
 Defender for Endpoint on Android enables bulk tagging the mobile devices during onboarding by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to user's devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory. 

defender-endpoint/api/api-hello-world.md

@@ -16,7 +16,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 06/24/2024
+ms.date: 08/29/2024
 ---
 
 # Microsoft Defender for Endpoint API - Hello World
@@ -47,7 +47,7 @@ It only takes 5 minutes done in two steps:
 
 ### Do I need a permission to connect?
 
-For the Application registration stage, you must have the **Global administrator** role assigned in your Microsoft Entra tenant.
+For the Application registration stage, you must have an appropriate role assigned in your Microsoft Entra tenant. For more details about roles, see [Permission options](../user-roles.md#permission-options).
 
 <a name='step-1---create-an-app-in-azure-active-directory'></a>
 

defender-endpoint/api/exposed-apis-create-app-partners.md

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: siosulli
 author: siosulli
 ms.localizationpriority: medium
-ms.date: 06/28/2024
+ms.date: 08/29/2024
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -61,7 +61,7 @@ The following steps guide you how to create a Microsoft Entra application, get a
 
 ## Create the multitenant app
 
-1. Sign in to your [Azure tenant](https://portal.azure.com) with user that has **Global Administrator** role.
+1. Sign in to your [Azure tenant](https://portal.azure.com).
 
 2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**.
 
@@ -122,17 +122,17 @@ In the following example we use **Read all alerts** permission:
 
    You need your application to be approved in each customer tenant where you intend to use it. This approval is necessary because your application interacts with Microsoft Defender for Endpoint application on behalf of your customer.
 
-   A user with **Global Administrator** from your customer's tenant need to select the consent link and approve your application.
+   A user account with appropriate permissions for your customer's tenant must select the consent link and approve your application.
 
-   Consent link is of the form:
+   The consent link is of the form:
 
    ```http
    https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
    ```
 
    Where `00000000-0000-0000-0000-000000000000` should be replaced with your Application ID.
 
-   After selecting the consent link, sign in as the Global Administrator of the customer's tenant and consent the application.
+   After selecting the consent link, sign into the customer's tenant, and then grant consent for the application.
 
    :::image type="content" source="../media/app-consent-partner.png" alt-text="The Accept button" lightbox="../media/app-consent-partner.png":::
 

defender-endpoint/api/exposed-apis-create-app-webapp.md

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: siosulli
 author: siosulli
 ms.localizationpriority: medium
-ms.date: 06/28/2024
+ms.date: 08/29/2024
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -56,7 +56,7 @@ This article explains how to create a Microsoft Entra application, get an access
 
 ## Create an app
 
-1. Sign in to the [Azure portal](https://portal.azure.com) with a user that has the Global Administrator role.
+1. Sign in to the [Azure portal](https://portal.azure.com).
 
 2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**. 
 

defender-endpoint/api/offboard-machine-api.md

@@ -15,7 +15,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 06/28/2024
+ms.date: 08/29/2024
 ---
 
 # Offboard machine API
@@ -60,13 +60,13 @@ One of the following permissions is required to call this API. To learn more, in
 > [!IMPORTANT]
 > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
-> [!NOTE]
-> When obtaining a token using user credentials:
->
-> - The user must have a Global Administrator role.
-> - The user must have access to the device, based on device group settings. For more information, see [Create and manage device groups](../machine-groups.md).
->
-> Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.  
+When obtaining a token using user credentials:
+
+- The user must have an appropriate role assigned (see [Permission options](../user-roles.md#permission-options)).
+
+- The user must have access to the device, based on device group settings. For more information, see [Create and manage device groups](../machine-groups.md).
+
+Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.  
 
 ## HTTP request
 

defender-endpoint/api/raw-data-export-storage.md

@@ -43,7 +43,7 @@ ms.date: 06/28/2024
 
 ## Enable raw data streaming
 
-1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com) as a Security Administrator.
+1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com).
 
 2. Go to [Data export settings page](https://security.microsoft.com/settings/mtp_settings/raw_data_export) in Microsoft Defender XDR.
 

defender-endpoint/assign-portal-access.md

@@ -40,7 +40,7 @@ Defender for Endpoint supports two ways to manage permissions:
 
 If you have already assigned basic permissions, you can switch to RBAC anytime. Consider the following before making the switch:
 
-- Users who have full access (users who are assigned the Global Administrator or Security Administrator directory role in Microsoft Entra ID), are automatically assigned the default Defender for Endpoint administrator role, which also has full access. 
+- Users who have full access (users who are assigned either the Global Administrator or Security Administrator directory role in Microsoft Entra ID) are automatically assigned the default Defender for Endpoint administrator role, which also has full access. 
 - Other Microsoft Entra user groups can be assigned to the Defender for Endpoint administrator role after switching to RBAC.
 - Only users who are assigned the Defender for Endpoint administrator role can manage permissions using RBAC. 
 - Users who have read-only access (Security Readers) lose access to the portal until they are assigned a role. Only Microsoft Entra user groups can be assigned a role under RBAC.

defender-endpoint/basic-permissions.md

@@ -49,7 +49,7 @@ You can assign users with one of the following levels of permissions:
 
 - Connect to your Microsoft Entra ID. For more information, see [Connect-MgGraph](/powershell/microsoftgraph/authentication-commands).
 
-  - **Full access**: Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. Assigning full access rights requires adding the users to the "Security Administrator" or "Global Administrator" Microsoft Entra built-in roles.
+  - **Full access**: Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. Assigning full access rights requires adding the users to a role, such as Security Administrator, using Microsoft Entra built-in roles.
 
   - **Read-only access**: Users with read-only access can log in, view all alerts, and related information.
 

defender-endpoint/configure-conditional-access.md

@@ -31,28 +31,26 @@ This section guides you through all the steps you need to take to properly imple
 ## Before you begin
 
 > [!WARNING]
-> It's important to note that Microsoft Entra registered devices aren't supported in this scenario.</br>
-> Only Intune enrolled devices are supported.
+> It's important to note that Microsoft Entra registered devices aren't supported in this scenario. Only Intune enrolled devices are supported.
 
 You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune:
 
 - IT Admin: For more information on how to enable auto-enrollment, see [Windows Enrollment](/intune/windows-enroll#enable-windows-10-automatic-enrollment)
-- End-user: For more information on how to enroll your Windows 10 and Windows 11 device in Intune, see [Enroll your Windows 10 device in Intune](/intune/quickstart-enroll-windows-device)
+- End user: For more information on how to enroll your Windows 10 and Windows 11 device in Intune, see [Enroll your Windows 10 device in Intune](/intune/quickstart-enroll-windows-device)
 - End-user alternative: For more information on joining a Microsoft Entra domain, see [How to: Plan your Microsoft Entra join implementation](/azure/active-directory/devices/azureadjoin-plan).
 
 There are steps you'll need to take in the Microsoft Defender portal, the Intune portal, and Microsoft Entra admin center.
 
 It's important to note the required roles to access these portals and implement Conditional access:
 
-- **Microsoft Defender portal** - You'll need to sign into the portal with a Global Administrator role to turn on the integration.
+- **Microsoft Defender portal** - You'll need to sign into the portal with an appropriate role to turn on integration. See [Permission options](user-roles.md#permission-options).
 - **Intune** - You'll need to sign in to the portal with Security Administrator rights with management permissions.
-- **Microsoft Entra admin center** - You'll need to sign in as a Global Administrator, Security Administrator, or Conditional Access administrator.
+- **Microsoft Entra admin center** - You'll need to sign in as a Security Administrator or Conditional Access administrator.
 
 > [!IMPORTANT]
 > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
-> [!NOTE]
-> You'll need a Microsoft Intune environment, with Intune managed and Microsoft Entra joined Windows 10 and Windows 11 devices.
+You'll need a Microsoft Intune environment, with Intune managed and Microsoft Entra joined Windows 10 and Windows 11 devices.
 
 Take the following steps to enable Conditional Access: