Merge branch 'main' into docs-editor/mde-linux-prerequisites-1765336118

Author: paulinbar

defender-endpoint/android-support-signin.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: troubleshooting-general
 ms.subservice: android
 search.appverid: met150
-ms.date: 03/21/2025
+ms.date: 12/10/2025
 appliesto:
 - Microsoft Defender for Endpoint Plan 1
 - Microsoft Defender for Endpoint Plan 2
@@ -129,43 +129,35 @@ The Android devices Battery Optimization screen opens automatically as part of t
 
 5. Navigate back to Defender
 
-**Solution 2** (needed in case the Solution 1 does not work):
+**Solution 2** (needed in case the Solution 1 doesn't work):
 
-1. Install MDE app in personal profile. (Sign-in isn't required.)
+1. Install the Microsoft Defender for Endpoint app in personal profile. (Sign-in isn't required.)
 2. Open the Company Portal and tap on Settings.
 3. Go to the Battery Optimization section, tap on the **Turn Off** button, and then select on **Allow** to turn off Battery Optimization for the Company Portal.
 4. Again, go to the Battery Optimization section and tap on the **Turn On** button. The battery saver section opens.
 5. Find the Defender app and tap on it.
 6. Select **No Restriction**. Go back to the Defender app in work profile and tap on **Allow** button.  
 7. The application shouldn't be uninstalled from personal profile for this to work.
 
-## Unable to use banking applications with MDE app
+## Unable to use certain third party applications along with the Microsoft Defender for Endpoint app (VPN)
 
-**Applies to:** Banking apps like iMobile Pay (ICICI), PNB ONE.
+**Applies to:** (Not limited) Apps handling banking, government services, or handling sensitive personal information
 
-**Cause:** Android allows apps in the personal profile to check if there's a VPN active on the device, even outside of the personal profile. The banking app checks that and blocks it in VPN work profiles only. The banking app doesn't work with any other VPN product.
+**Cause:** Some applications, such as those used for banking, government services, or handling sensitive personal information, may restrict access if a VPN is detected on your device. These restrictions are determined by the app developer as part of their implementation and even applies all VPNs *including third party) on the device. Microsoft Defender doesn't control or enforce this behavior through its settings or policies.
 
-**Solution:**
-Users need to disable MDE VPN from the Settings page. The following steps can be used:
-
-1. Go to Settings on the mobile device.
-2. Search for VPN or open 'Network and Internet' and select on VPN.
-3. Select on Microsoft Defender and select Disconnect.
-
-Users should enable VPN when they're no longer using the banking app to ensure that their devices are protected.
-
-> [!NOTE]
-> This a temporary workaround. We are working on other alternatives to provide users more control over the VPN settings from within the app.
+**Workaround:**
+If an app doesn't function while a VPN is enabled or present in the work profile, you might need to disable the VPN or work profile when you use the app. 
+Users should enable VPN when they're no longer using the app to ensure that their devices are protected.
 
 ## Send in-app feedback
 
 If a user faces an issue, which isn't already addressed in the above sections or is unable to resolve using the listed steps, the user can provide **in-app feedback** along with **diagnostic data**. Our team can then investigate the logs to provide the right solution. Users can follow these steps to do the same:
 
-1. Open the **MDE application** on your device and select on the **profile icon** in the top-left corner.
+1. Open the **Microsoft Defender for Endpoint application** on your device and select the **profile icon** in the top-left corner.
 
     :::image type="content" source="media/select-profile-icon-1.jpg" alt-text="The profile icon in the Microsoft Defender for Endpoint portal" lightbox="media/select-profile-icon-1.jpg":::
 
-2. Select "Help & feedback".
+2. Select **Help & feedback**.
 
     :::image type="content" source="media/selecthelpandfeedback2.png" alt-text="The Help & feedback option that can be selected in the Microsoft Defender for Endpoint portal" lightbox="media/selecthelpandfeedback2.png":::
 

defender-for-cloud-apps/app-governance-app-policies-create.md

@@ -53,6 +53,7 @@ The following table lists the app governance templates supported to generate ale
 
 |Template name|Description|
 |---|---|
+|**Unused app**|Find apps that have not authenticated recently. This policy checks the following conditions: <ul><li>Last used: More than 90 days (customizable)</li></ul>|
 |**New app with high data usage**|Find newly registered apps that have uploaded or downloaded large amounts of data using Microsoft Graph and EWS APIs. This policy checks the following conditions: <ul><li>Registration age: Seven days or less (customizable)</li><li>Data usage: Greater than 1 GB in one day (customizable)</li></ul>|
 |**Increase in users**|Find apps with a sizable increase in the number of users. This policy checks the following conditions: <ul><li>Time range: Last 90 days</li><li>Increase in consenting users: At least 50% (customizable)</li></ul>|
 
@@ -78,7 +79,7 @@ The following table lists the app governance templates supported to generate ale
 
 Use a custom app policy when you need to do something not already done by one of the built-in templates.
 
-- To create a new custom app policy, first select **Create new policy** on the **Policies** page. On the **Choose App policy template page**, select the **Custom** category, the **Custom policy** template, and then select **Next**.
+1. To create a new custom app policy, first select **Create new policy** on the **Policies** page. On the **Choose App policy template page**, select the **Custom** category, the **Custom policy** template, and then select **Next**.
 
 1. On the **Name and description** page, configure the following settings:
    - Policy Name
@@ -125,6 +126,7 @@ Use a custom app policy when you need to do something not already done by one of
    |**Sensitivity labels accessed**|Select one or more sensitivity labels from the list|Apps that accessed data with specific sensitivity labels in the last 30 days.||
    |**Services accessed** (Graph only)|Exchange and/or OneDrive and/or SharePoint and/or Teams|Apps that have accessed OneDrive, SharePoint, or Exchange Online using Microsoft Graph and EWS APIs|Multiple selections allowed.|
    |**Error rate** (Graph only)|Error rate is greater than X% in the last seven days|Apps whose Graph API error rates in the last seven days are greater than a specified percentage||
+   |**Last used**|Within last X days|Apps that have not authenticated within a specified period from the current date||
    |**App origin**|External or Internal|Apps that originated within the tenant or registered in an external tenant||
 
       All of the specified conditions must be met for this app policy to generate an alert.
@@ -176,9 +178,9 @@ Policies for OAuth apps trigger alerts only on policies that are authorized by u
 
 3. You might want to set the policy based on the group memberships of the users who authorized the apps. For example, an admin can decide to set a policy that revokes uncommon apps if they ask for high permissions, only if the user who authorized the permissions is a member of the Administrators group.
 
-For example:
-
-![new OAuth app policy.](media/app-permissions-policy.png)
+   For example:
+    
+    ![new OAuth app policy.](media/app-permissions-policy.png)
 
 ### Anomaly detection policies for OAuth apps connected to Salesforce and Google Workspace
 
@@ -188,7 +190,6 @@ This section is only relevant for Salesforce and Google Workspace applications.
 
 > [!NOTE]
 > Anomaly detection policies are only available for OAuth apps that are authorized in your Microsoft Entra ID.
->
 > The severity of OAuth app anomaly detection policies can't be modified.
 
 The following table describes the out-of-the-box anomaly detection policies provided by Defender for Cloud Apps:

defender-for-cloud-apps/app-governance-secure-apps-app-hygiene-features.md

@@ -10,7 +10,7 @@ ms.reviewer: anandd512
 # Secure apps with app hygiene features
 
 > [!NOTE]
-> Management of unused apps, unused credentials, and expiring credentials will only be available to app governance customers with Microsoft Entra Workload ID Premium. For more information, see [What are workload identities?](/azure/active-directory/workload-identities/workload-identities-overview)
+> Management of unused credentials and expiring credentials is available to app governance customers with a Microsoft Entra Workload ID Premium license. For more information, see [What are workload identities?](/azure/active-directory/workload-identities/workload-identities-overview)
 
 Have you ever wanted to see the apps that your organization owns but isn't using, but didn't know how to? Or clean up unused or expiring credentials more easily? Microsoft Entra ID includes recommendations to help you identify such apps, and the **App governance** page in Microsoft Defender provides an app hygiene feature suite that includes controls and insights on unused apps, unused credentials, and expiring credentials. 
 

defender-for-cloud-apps/app-governance-trial-user-guide.md

@@ -34,7 +34,7 @@ Start by using the following steps to get visibility and insights about your app
    > You can also view app governance-related recommendations in [Secure Score](https://security.microsoft.com/securescore?viewid=overview&tid=b5304409-74ae-42bf-a3e3-d62da4845129) to help you holistically manage your posture.
    >
 
-1. **[View your apps](app-governance-visibility-insights-view-apps.md)**: Sort the data on the **App governance** tabs by apps with high data usage or number of consents given, or filter by high privileged apps, apps with unused permissions, or unverified publisher, and more.
+1. **[View your apps](app-governance-visibility-insights-view-apps.md)**: Sort the data on the **App governance** tabs by apps with high data usage or number of consents given, or filter by high privileged apps, unused apps, apps with unused permissions, or unverified publisher, and more.
 
     Use these sorting and filtering options to gain deeper insights into your OAuth apps, including relevant app metadata and usage data.
 

defender-for-cloud-apps/app-governance-visibility-insights-compliance-posture.md

@@ -14,16 +14,14 @@ The **Overview** page shows the following details:
 
 |Apps / incidents  |Details shown  | Use this data to... |
 |---------|---------|---------|
-|**OAuth-enabled apps that use the Microsoft Graph API**     |  - How many apps are in your tenant <br>- How many apps might be overprivileged <br>- How many apps are highly privileged | Determine the level of risk to your organization by overprivileged and highly privileged apps. |
-|**For incidents**    | - How many active incidents your tenant has <br>- How many are based on app governance detections (**Threat incidents**) <br>- How many are based on app policies you have in place (**Policy incidents**) <br>- The 10 latest incidents  | Determine how quickly incidents are being generated and the relative number of detected and policy-based incidents. |
+|**OAuth-enabled apps that use the Microsoft Graph API**     |  - How many apps are in your tenant <br>  - How many apps are unused in the last 90 days <br>  - How many apps might be overprivileged <br>  - How many apps are highly privileged | Determine the level of risk to your organization by unused, overprivileged and highly privileged apps. |
+|**For incidents**    | - How many active incidents your tenant has <br>- How many are based on app governance detections (**Threat incidents**) <br> - How many are based on app policies you have in place (**Policy incidents**) <br>- The 10 latest incidents  | Determine how quickly incidents are being generated and the relative number of detected and policy-based incidents. |
 
 For example:
 
-> [!div class="mx-imgBorder"]
-> ![Relative number of detected and policy-based incidents.](media/incidents-summary1.png)
-> 
-> [!div class="mx-imgBorder"]
-> ![top alerts.](media/app-governance-visibility-insights-compliance-posture/top-alerts.png)
+:::image type="content" source="media/incidents-summary1.png" alt-text="Screenshot showing relative number of detected and policy-based incidents.":::
+
+:::image type="content" source="media/app-governance-visibility-insights-compliance-posture/top-alerts.png" alt-text="Screenshot showing top alerts.":::
 
 ## Data usage cards
 
@@ -35,17 +33,15 @@ Data usage cards show the following types of information:
 
 For example:
 
-> [!div class="mx-imgBorder"]
-> ![Total data accessed by apps.](media/app-governance-visibility-insights-compliance-posture/data-usage-chart.png)
+:::image type="content" source="media/app-governance-visibility-insights-compliance-posture/data-usage-chart.png" alt-text="Screenshot showing total data accessed by apps.":::
 
 ## Apps that access data on Microsoft 365
 
 For apps that access data on Microsoft 365, cards show the number of apps that have accessed data on SharePoint, OneDrive, Exchange Online, or Teams using Microsoft Graph and EWS APIs in the last 30 days.
 
 For example:
 
-> [!div class="mx-imgBorder"]
-> ![Apps that have accessed data on SharePoint, OneDrive, Exchange Online, or Teams in the last 30 days.](media/app-governance-visibility-insights-compliance-posture/apps-accessed-m365-services-chart.png)
+:::image type="content" source="media/app-governance-visibility-insights-compliance-posture/apps-accessed-m365-services-chart.png" alt-text="Screenshot showing apps that have accessed data on SharePoint, OneDrive, Exchange Online, or Teams in the last 30 days.":::
 
 ## Sensitivity labels accessed
 
@@ -54,8 +50,9 @@ For sensitivity labeling data, cards show the number apps that have accessed con
 For example:
 
 The number of apps that have accessed content with sensitivity labels.
-> :::image type="content" source="media/sensitive-data-accessed-chart1.png" alt-text="Number of apps that have accessed content with sensitivity labels.":::
+
+:::image type="content" source="media/sensitive-data-accessed-chart1.png" alt-text="Screenshot showing the number of apps that have accessed content with sensitivity labels.":::
 
 ## Next steps
 
-[Get insights on and regulate access to sensitive content](app-governance-visibility-insights-sensitive-content.md)
+[Get insights on and regulate access to sensitive content](app-governance-visibility-insights-sensitive-content.md)

defender-for-cloud-apps/app-governance-visibility-insights-get-started.md

@@ -28,7 +28,7 @@ The dashboard on the **Overview** tab contains a summary of your app ecosystem:
 |**Apps that accessed data across Microsoft 365 services**     |  The count of apps that have accessed data with and without sensitivity labels on SharePoint, OneDrive, Exchange Online, and Teams in the last 30 days. <br><br>For example, in the screenshot above, 99 apps accessed OneDrive in the last 30 days, out of which 27 apps accessed data with sensitivity labels.       |
 |**Sensitivity labels accessed**     |     Count of apps that accessed labeled data across SharePoint, OneDrive, Exchange Online, and Teams in the last 30 days, sorted by the count. <br><br>For example, in the screenshot above, 90 apps accessed confidential data on SharePoint, OneDrive, Exchange Online, and Teams.    |
 |**Predefined policies**     |  Count of active and total predefined policies that identify risky apps, such as apps with excessive privileges, unusual characteristics, or suspicious activities.       |
-|**App categories**     |  The top apps sorted by these categories:  <br><br>- **All categories**: Sorts across all available categories.<br>  - **Highly privileged**: High privilege is an internally determined category based on platform machine learning and signals.<br>  - **Overprivileged**: When app governance receives data that indicates that a permission granted to an application hasn't been used in the last 90 days, that application is overprivileged. App governance must be operating for at least 90 days to determine if any app is overprivileged.  <br>- **Unverified publisher**: Applications that haven't received [publisher certification](/azure/active-directory/develop/publisher-verification-overview) are considered unverified.<br>  - **App only permissions**: [Application permissions](/azure/active-directory/develop/v2-permissions-and-consent#permission-types) are used by apps that can run without a signed-in user present. Apps with permissions to access data across the tenant are potentially a higher risk.<br>- **New apps**: New apps that have been registered in the last seven days.       |
+|**App categories**     |  The top apps sorted by these categories:  <br><br>- **All categories**: Sorts across all available categories.<br>  - **Highly privileged**: High privilege is an internally determined category based on platform machine learning and signals.<br>  - **Overprivileged**: When app governance receives data that indicates that a permission granted to an application hasn't been used in the last 90 days, that application is overprivileged. App governance must be operating for at least 90 days to determine if any app is overprivileged.<br> - **Unused**: Apps that have not signed in within the last 90 days  <br>- **Unverified publisher**: Applications that haven't received [publisher certification](/azure/active-directory/develop/publisher-verification-overview) are considered unverified.<br>  - **App only permissions**: [Application permissions](/azure/active-directory/develop/v2-permissions-and-consent#permission-types) are used by apps that can run without a signed-in user present. Apps with permissions to access data across the tenant are potentially a higher risk.<br>- **New apps**: New apps that have been registered in the last seven days.       |
 
 ## View app insights
 
@@ -56,25 +56,28 @@ One of the primary value points for app governance is the ability to quickly vie
 
    - **Publisher verified**
 
-    Use one of the following nondefault filters to further customize the apps listed:
-
-    - **Last modified**
+   - **Last used**
 
-       - **Added on**
+   - **Services accessed**
 
-       - **Certification**
+   - **Sensitivity labels accessed**
 
+       Use one of the following nondefault filters to further customize the apps listed:
+
+       - **Last modified**
+   
+       - **Added on**
+   
+       - **Certification**
+   
        - **Users**
-      
-       - **Services accessed**
-      
+   
        - **Data usage**
-      
-       - **Sensitivity labels accessed**
+
+    > [!TIP]
+    > Save the query to save the currently selected filters for use again in the future.
+   
 
-     > [!TIP]
-     > Save the query to save the currently selected filters for use again in the future.
-     
 1. Select the name of an app to view more details. For example:
 
     :::image type="content" source="media/app-governance-visibility-insights-get-started/app-governance-app-list-view.png" alt-text="Screenshot of the app details pan showing an app summary." lightbox="media/app-governance-visibility-insights-get-started/app-governance-app-list-view.png":::

defender-for-cloud-apps/app-governance-visibility-insights-overview.md

@@ -24,7 +24,7 @@ App governance provides access to the following data:
 
 - Data accessed and permissions used by all apps with workload and user level insights.
 
-- App information and metadata, such as Graph API and legacy permissions, registration date, and certification.
+- App information and metadata, such as Graph API and legacy permissions, registration date, last used date and certification.
 
 - Publisher information and metadata, such as name and verification status.
 
@@ -36,6 +36,8 @@ App governance provides access to the following data:
 
   - High-privileged apps.
   - Overprivileged apps.
+  - Unused apps.
+    
   - High-usage apps.
   - Top consented users whose data a specific app can access.
   - Priority accounts who have data that a specific app can access.