Merge pull request #4372 from MicrosoftDocs/main

[AutoPublish] main to live - 06/30 01:35 PDT | 06/30 14:05 IST

Author: m365-skilling-repo-management[bot]

ATPDocs/deploy/configure-windows-event-collection.md

@@ -235,15 +235,16 @@ To configure domain object auditing:
 
         Now, all relevant changes to directory services appear as 4662 events when they're triggered.
 
-1. Repeat the steps in this procedure, but for **Applies to**, select the following object types:
+1. Repeat the steps in this procedure, but for **Applies to**, select the following object types <sup>1</sup>
    - **Descendant Group Objects**
    - **Descendant Computer Objects**
    - **Descendant msDS-GroupManagedServiceAccount Objects**
    - **Descendant msDS-ManagedServiceAccount Objects**
-   - **Descendant msDS-DelegatedManagedServiceAccount Objects**
+   - **Descendant msDS-DelegatedManagedServiceAccount Objects** <sup>2</sup>
 
 > [!NOTE]
-> Assigning the auditing permissions on **All descendant objects** would also work, but you need only the object types detailed in the last step.
+> 1. Assigning the auditing permissions on **All descendant objects** would also work, but you need only the object types detailed in the last step.
+> 2. The **msDS-DelegatedManagedServiceAccount** class is relevant only for domains running at least one Windows Server 2025 domain controller.
 
 ## Configure auditing on AD FS
 

ATPDocs/identity-inventory.md

@@ -110,7 +110,7 @@ Sort option applies to Display name, Domain, and Created time columns.
 
 - **Critical Active Directory service accounts** card helps you quickly identify all Active Directory accounts designated as critical, making it easier to focus on identities most at risk.
 
-At the top of each device inventory tab, the following device counts are available:
+At the top of the page, the following identities counts are available:
 
 - __Total__: The total number of identities. 
 
@@ -120,7 +120,7 @@ At the top of each device inventory tab, the following device counts are availab
 
 - **Services:** The number of all service accounts both on-premises and cloud.
 
-You can use this information to help you prioritize devices for security posture improvements.
+You can use this information to help you prioritize identities for security posture improvements.
 
 ### Navigate to the Identity inventory page
 

CloudAppSecurityDocs/governance-actions.md

@@ -83,8 +83,7 @@ The following governance actions can be taken for connected apps either on a spe
 
   - **Trash** – Move the file to the trash folder. (Box, Dropbox, Google Drive, OneDrive, SharePoint)
 
-> [!NOTE]
-> These actions are restricted to users with specific administrative roles. If the options described are not visible or accessible, please confirm with your system administrator that your account has one of the following roles assigned:
+These actions are restricted to users with specific administrative roles. If the options described are not visible or accessible, please confirm with your system administrator that your account has one of the following roles assigned:
  - Security Operator
  - Security administrator
  - Global administrator

unified-secops-platform/TOC.yml

@@ -104,6 +104,9 @@
               href: mto-advanced-hunting.md
             - name: Multitenant devices
               href: mto-tenant-devices.md
+            - name: Multitenant identities
+              href: multitenant-identities-inventory.md
+              displayName: MTO
             - name: Vulnerability management
               href: mto-dashboard.md
             - name: Manage tenants

unified-secops-platform/media/multitenant-identities-inventory/screenshot-of-inventory.png

@@ -0,0 +1,61 @@
+---
+# Required metadata
+# For more information, see https://learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata
+# For valid values of ms.service, ms.prod, and ms.topic, see https://learn.microsoft.com/en-us/help/platform/metadata-taxonomies
+
+title: Multitenant identities
+description: A multi-tenant identity inventory
+author: LiorShapiraa
+ms.author: liorshapira
+ms.service: microsoft-defender-for-identity
+ms.topic: article
+ms.date: 06/29/2025
+---
+
+# Identities
+
+The **Identities** page in multitenant management enables you to quickly manage tenants and identities.
+
+## Identity inventory
+
+The Identity inventory page lists all the identities in each tenant that you have access to. The page is like the [Defender for Identity inventory](/defender-for-identity/identity-inventory) with the addition of the **Tenant name** column and filter. 
+
+You can navigate to the identity inventory page by selecting **Assets > Identities** in Microsoft Defender XDR's navigation menu.
+
+:::image type="content" source="media/multitenant-identities-inventory/screenshot-of-inventory.png" alt-text="Screenshot of inventory." lightbox="media/multitenant-identities-inventory/screenshot-of-inventory.png":::
+   
+At the top of the page, the following identities counts are available for all tenants:
+
+**Total**: The total number of identities.
+
+**Critical:** The number of your critical assets.
+
+**Disabled:** The number of all disabled identities in your organization.
+
+**Services:** The number of all service accounts both on-premises and cloud.
+
+You can use this information to help you prioritize identities for security posture improvements.
+
+Highly privileged identities card helps you investigate in Advanced hunting all sensitive accounts in your organization, including Microsoft Entra ID security administrators and Global admin users.
+
+There are several options you can choose from to customize the identities list view. On the top navigation you can:
+
+- Add or remove columns.
+
+- Apply filters.
+
+- Search for an identity by name or full UPN, SID, and Object ID.
+
+- Export the list to a CSV file.
+
+- Copy list link with the included filters configured.
+
+> [!NOTE]
+> When exporting the identities list to a CSV file, a maximum of 5,000 identities are displayed.
+
+To view full identity details, select a specific identity from the list. Tenant ID and Tenant name are available in the identity side panel and page:
+
+:::image type="content" source="media/multitenant-identities-inventory/screenshot-of-tenant-details-on-identity.png" alt-text="Screenshot of tenant details on identity.":::
+
+
+