Commit 667a561

Merge branch 'Submissions-chrisda' into dhagarwal_working
2 parents 757d73d + 5514fea commit 667a561

18 files changed, +57 -45 lines changed

ATPDocs/deploy/activate-capabilities.md

Lines changed: 29 additions & 13 deletions
@@ -12,7 +12,7 @@ Microsoft Defender for Endpoint customers, who have already onboarded their doma
1212
This article describes how to activate and test Microsoft Defender for Identity capabilities on your domain controller.
1313

1414
> [!IMPORTANT]
15-
> The new sensor is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor [here](https://learn.microsoft.com/defender-for-identity/deploy/quick-installation-guide)
15+
> The new sensor is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor [here](quick-installation-guide.md).
1616
1717
## Prerequisites
1818
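Review bot: The rewritten link on the changed IMPORTANT line still uses "here" as its link text, which tells a reader scanning the links (or using a screen reader) nothing about the target. Since the line is being touched anyway, consider something like "we recommend deploying the classic sensor as described in the [quick installation guide](quick-installation-guide.md)". The move from the absolute learn.microsoft.com URL to a relative path and the added period look fine.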

@@ -43,7 +43,7 @@ Your domain controller must be onboarded to Microsoft Defender for Endpoint.
4343

4444
For more information, see [Onboard a Windows server](/microsoft-365/security/defender-endpoint/onboard-windows-server).
4545

46-
### Required permissions
46+
### Permissions requirements
4747

4848
To access the Defender for Identity **Activation** page, you must either be a [Security Administrator](/entra/identity/role-based-access-control/permissions-reference), or have the following Unified RBAC permissions:
4949
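Review bot: Renaming the heading to "Permissions requirements" changes the anchor generated from it, so any link that targets #required-permissions in this article stops resolving; please search for inbound links before merging. "Required permissions" also reads more naturally, so unless the rename is needed for consistency with other articles I would keep the original heading.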

@@ -82,13 +82,32 @@ Set-MDIConfiguration -Mode Domain -Configuration All
8282

8383
After ensuring that your environment is completely configured, activate the Microsoft Defender for Identity capabilities on your domain controller.
8484

85-
1. In the [Defender portal](https://security.microsoft.com), select **Settings > Identities > [Activation](https://security.microsoft.com/settings/identities?tabid=onboarding)**.
85+
Activate the Defender for Identity from the [Microsoft Defender portal](https://security.microsoft.com).
8686

87-
The **Activation** page lists any detected and eligible domain controllers.
87+
1. Navigate to **System** > **Settings** > **Identities** > **Activation**.
8888

89-
1. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted.
89+
The Activation page lists servers discovered in Device Inventory and identified as eligible domain controllers.
9090

91-
When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.
91+
2. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted.
92+
93+
![Activation Defensor.](media/activate-capabilities/1.png)
94+
95+
> [!NOTE]
96+
> You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they are discovered, or manually, where you select specific domain controllers from the list of eligible servers.
97+
98+
3. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.
99+
![Sensors page.](media/activate-capabilities/2.png)
100+
101+
## Onboarding Confirmation
102+
103+
To confirm the sensor has been onboarded:
104+
105+
1. Navigate to **System** > **Settings** > **Identities** > **Sensors**.
106+
107+
2. Check that the onboarded domain controller is listed.
108+
109+
> [!NOTE]
110+
> The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
92111
93112
## Test activated capabilities
94113
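Review bot: The alt text on the first added image, "Activation Defensor.", does not describe the screenshot and "Defensor" is not the product name; the file names 1.png and 2.png are just as opaque. Please use descriptive alt text (for example "Screenshot of the Activation page listing eligible domain controllers") and file names that say what they show. Smaller points in the same hunk: the new intro line "Activate the Defender for Identity from the ..." has a stray "the" or a missing noun; step 3 still writes the path as **Settings > Identities > Sensors** while step 1 and the new Onboarding Confirmation section use **System** > **Settings** > **Identities**; and the new NOTE about automatic versus manual activation does not say where that choice is made.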

@@ -106,9 +125,9 @@ Use the following procedures to test your environment for Defender for Identity
106125

107126
### Check the ITDR dashboard
108127

109-
In the Defender portal, select **Identities > Dashboard** and review the details shown, checking for expected results from your environment.
128+
In the Defender portal, select **Identities** > **Dashboard**, and review the details shown, checking for expected results from your environment.
110129

111-
For more information, see [Work with Defender for Identity's ITDR dashboard (Preview)](../dashboard.md).
130+
For more information, see [Work with Defender for Identity's ITDR dashboard](../dashboard.md).
112131

113132

114133
### Confirm entity page details
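Review bot: Dropping "(Preview)" from the link text on the changed "For more information" line is only correct if the title of ../dashboard.md no longer carries it; that file is not visible in this hunk, so please confirm the two match.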
@@ -193,18 +212,15 @@ Test remediation actions on a test user. For example:
193212
194213
1. Check Active Directory for the expected activity.
195214
196-
> [!NOTE]
197-
> The current version doesn't collect the User Account Control (UAC) flags correctly. So disabled users, would still appear as Enabled in the portal.
198-
199-
200215
For more information, see [Remediation actions in Microsoft Defender for Identity](../remediation-actions.md).
201216
202217
## Deactivate Defender for Identity capabilities on your domain controller
203218
204219
If you want to deactivate Defender for Identity capabilities on your domain controller, delete it from the **Sensors** page:
205220
206221
1. In the Defender portal, select **Settings > Identities > Sensors**.
207-
1. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
222+
1. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
223+
![Offboarding defensor.](media/activate-capabilities/3.png)
208224
209225
Deactivating Defender for Identity capabilities from your domain controller doesn't remove the domain controller from Defender for Endpoint. For more information, see [Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/).
210226
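Review bot: The removed NOTE documented a known limitation (UAC flags not collected correctly, so disabled users still appear as Enabled in the portal), and nothing in this hunk or in the merge commit message says it has been fixed. Anyone running the remediation test just above relies on the portal reflecting a disabled account, so please confirm the sensor now reports this correctly before deleting the note, or keep it. Separately, the added alt text "Offboarding defensor." does not describe the screenshot, and step 1 of the deactivation procedure still uses **Settings > Identities > Sensors** rather than the **System** > **Settings** path introduced earlier in this file.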

CloudAppSecurityDocs/get-started.md

Lines changed: 4 additions & 4 deletions
@@ -25,10 +25,10 @@ Microsoft Defender for Cloud Apps is a security tool and therefore doesn't requi
2525

2626
Microsoft Defender for Cloud Apps depends on the following Microsoft Entra ID applications to function properly. Do not disable these applications in Microsoft Entra ID:
2727

28-
- Microsoft Defender for Cloud Apps - APIs
29-
- Microsoft Defender for Cloud Apps - Customer Experience
30-
- Microsoft Defender for Cloud Apps - Information Protection
31-
- Microsoft Defender for Cloud Apps - MIP Server
28+
- Microsoft Defender for Cloud Apps - APIs (ID: 972bb84a-1d27-4bd3-8306-6b8e57679e8c)
29+
- Microsoft Defender for Cloud Apps - Customer Experience (ID: 9ba4f733-be8f-4112-9c4a-e3b417c44e7d)
30+
- Microsoft Defender for Cloud Apps - Information Protection (ID: ac6dbf5e-1087-4434-beb2-0ebf7bd1b883)
31+
- Microsoft Defender for Cloud Apps - MIP Server (ID: 0858ddce-8fca-4479-929b-4504feeed95e)
3232

3333
## Access Defender for Cloud Apps
3434
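Review bot: The four changed bullets label the added GUIDs only as "ID", which is ambiguous in Microsoft Entra ID: an enterprise application has both an application (client) ID and an object ID, and the object ID differs from tenant to tenant. Please state which one these are (for example "Application ID: ...") so admins can look the applications up without guessing.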

defender-endpoint/threat-analytics.md

Lines changed: 2 additions & 2 deletions
@@ -19,7 +19,7 @@ ms.custom:
1919
- cx-ta
2020
ms.topic: conceptual
2121
ms.subservice: edr
22-
ms.date: 11/12/2024
22+
ms.date: 02/25/2025
2323
---
2424

2525
# Track and respond to emerging threats through threat analytics
@@ -63,7 +63,7 @@ Each report provides an analysis of a tracked threat and extensive guidance on h
6363
The following roles and permissions are required to access Threat analytics in the Defender portal:
6464

6565
- **Security data basics (read)**—to view threat analytics report, related incidents and alerts, and impacted assets
66-
- **Vulnerability management (read)** and **Secure Score (read)**—to see related exposure data and recommended actions
66+
- **Vulnerability management (read)** and **Exposure Management (read)**—to see related exposure data and recommended actions
6767

6868
By default, access to services available in the Defender portal are managed collectively using [Microsoft Entra global roles](/defender-xdr/m365d-permissions). If you need greater flexibility and control over access to specific product data, and aren't yet using the [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac) for centralized permissions management, we recommend creating custom roles for each service. [Learn more about creating custom roles](/defender-xdr/custom-roles)
6969
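Review bot: On the changed bullet, **Exposure Management (read)** replaces **Secure Score (read)** with no indication of whether the permission was renamed or a different permission is now required. Admins with existing custom roles need to know which, so if it is a rename consider adding "(formerly Secure Score (read))", and if not, a sentence on what to grant. While here, the last context paragraph ends on the "Learn more about creating custom roles" link without a closing period.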

defender-office-365/advanced-delivery-policy-configure.md

Lines changed: 2 additions & 2 deletions
@@ -16,7 +16,7 @@ ms.collection:
1616
ms.custom:
1717
description: Admins can learn how to use the advanced delivery policy in Exchange Online Protection (EOP) to identify messages that shouldn't be filtered in specific supported scenarios (third-party phishing simulations and messages delivered to security operations (SecOps) mailboxes.
1818
ms.service: defender-office-365
19-
ms.date: 02/11/2025
19+
ms.date: 02/24/2025
2020
appliesto:
2121
- ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
2222
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -42,7 +42,7 @@ Use the _advanced delivery policy_ in EOP to prevent inbound messages _in these
4242
- [AIR and clustering in Defender for Office 365](air-about.md) ignores these messages.
4343
- Specifically for third-party phishing simulations:
4444
- [Admin submission](submissions-admin.md) generates an automatic response saying that the message is part of a phishing simulation campaign and isn't a real threat. Alerts and AIR aren't triggered. The admin submissions experience shows these messages as a simulated threat.
45-
- When a user reports a phishing simulation message using the [built-in Report button in Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook) or the [Microsoft Report Message or Report Phishing add-ins](submissions-outlook-report-messages.md#use-the-report-message-and-report-phishing-add-ins-in-outlook), the system doesn't generate an alert, investigation, or incident. The links or files aren't detonated, but the message appears on the **User reported** tab of the **Submissions** page.
45+
- When a user reports a phishing simulation message using the [built-in Report button in Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook), the system doesn't generate an alert, investigation, or incident. The links or files aren't detonated, but the message appears on the **User reported** tab of the **Submissions** page.
4646

4747
Messages that are identified by the advanced delivery policy aren't security threats, so the messages are marked with system overrides. Admin experiences show these messages as **Phishing simulation** or **SecOps mailbox** system overrides. Admins can use these values to filter and analyze messages in the following experiences:
4848
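Review bot: The changed bullet now covers only the built-in Report button, so the article no longer says what happens when a phishing simulation message is reported through the Report Message or Report Phishing add-ins. If the add-ins are still supported, that behaviour should stay documented; if they are being retired, say so explicitly rather than dropping the reference silently. If the target section is also going away, check that nothing else links to the #use-the-report-message-and-report-phishing-add-ins-in-outlook anchor.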

defender-office-365/air-examples.md

Lines changed: 2 additions & 2 deletions
@@ -14,7 +14,7 @@ search.appverid:
1414
ms.collection:
1515
- m365-security
1616
- tier2
17-
ms.date: 01/10/2025
17+
ms.date: 02/24/2025
1818
description: See examples for how to start automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2.
1919
ms.custom:
2020
- air
@@ -39,7 +39,7 @@ This article describes how AIR works through several examples:
3939

4040
## Example: A user-reported phishing message launches an investigation playbook
4141

42-
A user receives an email that looks like a phishing attempt. The user reports the message using the [Microsoft Report Message or Report Phishing add-ins](submissions-users-report-message-add-in-configure.md), which results in an alert that's triggered by the **Email reported by user as malware or phish** [alert policy](/purview/alert-policies#threat-management-alert-policies), which automatically launches the investigation playbook.
42+
A user receives an email that looks like a phishing attempt. The user reports the message using the [built-in Report button in Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook), which results in an alert that's triggered by the **Email reported by user as malware or phish** [alert policy](/purview/alert-policies#threat-management-alert-policies), which automatically launches the investigation playbook.
4343

4444
Various aspects of the reported email message are assessed. For example:
4545

defender-office-365/anti-phishing-protection-tuning.md

Lines changed: 2 additions & 2 deletions
@@ -15,7 +15,7 @@ ms.collection:
1515
- MET150
1616
description: Admins can learn to identify the reasons why and how a phishing message got through in Microsoft 365, and what to do to prevent more phishing messages in the future.
1717
ms.service: defender-office-365
18-
ms.date: 06/09/2023
18+
ms.date: 02/24/2025
1919
appliesto:
2020
- ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
2121
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -81,7 +81,7 @@ You can also use the [configuration analyzer](configuration-analyzer-for-securit
8181

8282
- Whenever possible, we recommend that you deliver email for your domain directly to Microsoft 365. In other words, point your Microsoft 365 domain's MX record to Microsoft 365. Exchange Online Protection (EOP) is able to provide the best protection for your cloud users when their mail is delivered directly to Microsoft 365. If you must use a third-party email hygiene system in front of EOP, use Enhanced Filtering for Connectors. For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
8383

84-
- Have users use the [built-in Report button in Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook) or deploy the [Microsoft Report Message or Report Phishing add-ins](submissions-outlook-report-messages.md#use-the-report-message-and-report-phishing-add-ins-in-outlook) in your organization. Configure the [user reported settings](submissions-user-reported-messages-custom-mailbox.md) to send user reported messages to a reporting mailbox, to Microsoft, or both. User reported messages are then available to admins on the **User reported** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=user>. Admin can report user reported messages or any messages to Microsoft as described in [Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](submissions-admin.md). User or admin reporting of false positives or false negatives to Microsoft is important, because it helps train our detection systems.
84+
- Have users use the [built-in Report button in Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook). Configure the [user reported settings](submissions-user-reported-messages-custom-mailbox.md) to send user reported messages to a reporting mailbox, to Microsoft, or both. User reported messages are then available to admins on the **User reported** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=user>. Admin can report user reported messages or any messages to Microsoft as described in [Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](submissions-admin.md). User or admin reporting of false positives or false negatives to Microsoft is important, because it helps train our detection systems.
8585

8686
- Multi factor authentication (MFA) is a good way to prevent compromised accounts. You should strongly consider enabling MFA for all of your users. For a phased approach, start by enabling MFA for your most sensitive users (admins, executives, etc.) before you enable MFA for everyone. For instructions, see [Set up multi-factor authentication](/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication).
8787
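Review bot: "Admin can report user reported messages" on the changed bullet should read "Admins can report user-reported messages"; the line is being edited anyway, so this is a good moment to fix it. The opening "Have users use the [built-in Report button in Outlook]" could also be simplified to "Have users report messages with the ...", and the next context bullet writes "Multi factor authentication" while its own link text uses "multi-factor".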

defender-office-365/mdo-deployment-guide.md

Lines changed: 2 additions & 3 deletions
@@ -18,7 +18,7 @@ ms.collection:
1818
ms.custom:
1919
description: Learn how to get started with the initial deployment and configuration of Microsoft Defender for Office 365.
2020
ms.service: defender-office-365
21-
ms.date: 06/17/2024
21+
ms.date: 02/24/2025
2222
appliesto:
2323
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
2424
- ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
@@ -255,7 +255,7 @@ In Defender for Office 365 Plan 2, you also have access to create and apply cust
255255

256256
## Step 5: Review and configure user reported message settings
257257

258-
**Summary**: Deploy the [Report Message or Report Phishing add-ins](submissions-users-report-message-add-in-configure.md) or a [supported third party tool](submissions-user-reported-messages-custom-mailbox.md#message-submission-format-for-third-party-reporting-tools) so users can report false positives and false negatives in Outlook, and so those reported messages are available to admins on the **User-reported** tab of the **Submissions** page in the Defender portal. Configure the organization so reported messages go to a specified reporting mailbox, to Microsoft, or both.
258+
**Summary**: Use the [built-in Report button in Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook) or a [supported third party tool](submissions-user-reported-messages-custom-mailbox.md#message-submission-format-for-third-party-reporting-tools) so users can report false positives and false negatives in Outlook, and so those reported messages are available to admins on the **User-reported** tab of the **Submissions** page in the Defender portal. Configure the organization so reported messages go to a specified reporting mailbox, to Microsoft, or both.
259259

260260
**Details**:
261261
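Review bot: Swapping "Deploy" for "Use" leaves the changed Summary line reading "Use the built-in Report button ... so users can report ...", which confuses who is acting: the admin does not use the button, users do. Suggest something like "Make sure users have the built-in Report button in Outlook or a supported third-party tool so they can report ...". "third party tool" should also be hyphenated to match "Third-party reporting tools" in the list further down this file.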

@@ -266,7 +266,6 @@ The important parts of user message reporting are:
266266
- **How do users report messages?**: Make sure clients are using one of the following methods so reported messages appear on the **User-reported** tab of the **Submissions** page in the Defender portal at <https://security.microsoft.com/reportsubmission?viewid=user>:
267267

268268
- The built-in **Report** button in Outlook on the web (formerly known as Outlook Web App or OWA).
269-
- The Microsoft [Report Message or Report Phishing add-ins](submissions-users-report-message-add-in-configure.md) for Outlook and Outlook on the web.
270269
- Third-party reporting tools that use the [supported message submission format](submissions-user-reported-messages-custom-mailbox.md#message-submission-format-for-third-party-reporting-tools).
271270

272271
- **Where do user reported messages go?**: You have the following options:
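Review bot: With the add-ins bullet removed, the only first-party method left in this list is the built-in **Report** button "in Outlook on the web", while the Summary changed earlier in this file links to the "built-in Report button in Outlook" in general. Please align the two: either widen this bullet to the Outlook clients that have the button, or narrow the Summary to Outlook on the web.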
