
Commit 6b8a029

Merge branch 'main' into sentinel-azure-sunset
2 parents f2bff3b + a1a881d commit 6b8a029

7 files changed

+62
-20
lines changed

Lines changed: 51 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,35 +1,74 @@
11
---
22
title: DLP content inspection
33
description: This article describes the process Defender for Cloud Apps follows when performing DLP content inspection on data in your cloud.
4-
ms.date: 01/29/2023
4+
ms.date: 06/26/2025
55
ms.topic: how-to
66
---
77
# DLP content inspection in Microsoft Defender for Cloud Apps
88

99

10+
Data loss prevention (DLP) in Microsoft Defender for Cloud Apps uses content inspection to detect sensitive information in files. When content inspection is enabled, Defender for Cloud Apps analyzes files for text patterns defined by expressions. Text that meets these expressions is treated as a match and can be used to determine a policy violation.
1011

11-
If you enable content inspection, you can choose to use preset expressions or to search for other customized expressions.
12+
You can use preset or custom expressions and define a threshold for when a match constitutes a violation. For example, you can set a threshold of 10 to alert when a file contains at least 10 credit card numbers.
1213

13-
You can specify a regular expression to exclude a file from the results. This option is highly useful if you have an inner classification keyword standard that you want to exclude from the policy.
14+
Matched text is replaced with "X" characters, and the surrounding context (100 characters before and after the match) is masked. Numbers in the context are replaced with "#" and aren't stored. To expose the final four digits of a match, enable the **Unmask the last four characters of a match** setting in the file policy.
1415

15-
You can decide set the minimum number of content violations that you want to match before the file is considered a violation. For example, you can choose 10 if you want to be alerted on files with at least 10 credit card numbers found within its content.
16+
You can also define which file elements are inspected—content, metadata, or file name. By default, inspection applies to both content and metadata. This approach allows inspection of protected files, detection of sensitive data, enforcement of compliance, and application of governance controls, while reducing false positives and aligning enforcement with internal classification standards.
17+
18+
## Prerequisites
19+
20+
To inspect encrypted files, and enable scanning of labels a [Global Administrator](/entra/identity/enterprise-apps/configure-admin-consent-workflow) must first grant one‑time admin consent to Defender for Cloud Apps in Microsoft Entra ID.
21+
22+
To do this, in the Defender portal go to **Settings > Cloud Apps > Microsoft Information Protection > Inspect protected files**, and select **Grant permission**.
1623

17-
When content is matched against the selected expression, the violation text is replaced with "X" characters. By default, violations are masked and shown in their context displaying 100 characters before and after the violation. Numbers in the context of the expression are replaced with "#" characters and are never stored within Defender for Cloud Apps. When creating a file policy, if you've enabled an inspection method, then you can select the option to **Unmask the last four characters of a match** to unmask the last four characters of the violation itself. It's necessary to set which data types the regular expression searches: content, metadata and/or file name. By default it searches the content and the metadata.
1824

1925
## Content inspection for protected files
2026

21-
Defender for Cloud Apps allows admins to grant Defender for Cloud Apps permission to decrypt encrypted files and scan their content for violations. This consent is also required to enable scanning labels on encrypted files.
27+
Once consent is granted, Defender for Cloud Apps provisions the Microsoft Cloud App Security (Internal) app in your tenant. The app uses the Azure Rights Management Services > Content.SuperUser permission to decrypt and inspect protected files.
28+
29+
The following app IDs apply based on your Microsoft cloud environment:
30+
31+
**App IDs**
32+
33+
| Environment | App ID |
34+
|--------------|---------|
35+
| Public | 25a6a87d-1e19-4c71-9cb0-16e88ff608f1 |
36+
| Fairfax | bd5667e4-0484-4262-a9db-93faa0893899 |
37+
| GCCM | 23105e90-1dfc-497a-bb5d-8b18a44ba061 |
38+
39+
>[!NOTE]
40+
>App IDs are internal service principals used by Defender for Cloud Apps in Public, Fairfax, and GCC‑M environments to inspect and enforce DLP policies on protected files.
41+
>Don't remove or disable these App IDs. Doing so breaks inspection and prevent DLP policies from applying to protected files.
42+
>Always verify that the App ID for your environment is present and enabled.
43+
44+
## Configure Microsoft Information Protection settings
2245

2346
In order to give Defender for Cloud Apps the necessary permissions:
2447

25-
1. Go to **Settings** and then **Microsoft Information Protection**.
26-
2. Under **Inspect protected files**, select **Grant permission** to grant Defender for Cloud Apps permission in Microsoft Entra ID.
27-
3. Follow the prompt to allow the required permissions in Microsoft Entra ID.
28-
4. You can configure the settings per file policy to determine which policies will scan protected files.
48+
1. Go to **Settings** > **Microsoft Information Protection**.
49+
1. Under **Microsoft Information Protection settings**, configure one or both of the following options:
50+
51+
- **Automatically scan new files for Microsoft Information Protection sensitivity labels and content inspection warnings.** When enabled, the App connector scans new files for embedded sensitivity labels from Microsoft Information Protection.
52+
53+
- **Only scan files for Microsoft Information Protection sensitivity labels and content inspection warnings from this tenant.** When enabled, only sensitivity labels applied within your tenant are scanned. Labels applied by external tenants are disregarded.
54+
55+
1. After selecting your options, select **Save** to apply your changes.
56+
57+
## Configure file policies for protected files
58+
59+
1. In the Defender portal, go to **Settings > Cloud Apps > Policies > Policy management**.
60+
1. Follow the steps to [create a new file policy](data-protection-policies.md#create-a-new-file-policy).
61+
1. Select either **Apply to all files**, or **Apply to selected files** to specify which files to scan. This option is useful if you have an inner classification keyword standard that you want to exclude from the policy.
62+
1. Select **Inspection method** > **Data Classification Service** to enable content inspection for the policy.
63+
1. Check both boxes - **Inspect protected files** and **Unmask the last 4 characters of a match**.
64+
65+
:::image type="content" source="media/content-inspection/inspection-method-data-classification-service.png" alt-text="Screenshot that shows the Data classification service inspection method.":::
66+
2967

3068
## Next steps
3169

32-
> [!div class="nextstepaction"]
33-
> [Control cloud apps with policies](control-cloud-apps-with-policies.md)
70+
- [Tutorial: Discover and protect sensitive information in your organization](tutorial-dlp.md)
71+
- [Learn how to control cloud apps using policies](control-cloud-apps-with-policies.md)
72+
- [Integrate with Microsoft Purview for information protection](azip-integration.md)
3473

3574
[!INCLUDE [Open support ticket](includes/support.md)]
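
Review bot: The new step "Check both boxes - **Inspect protected files** and **Unmask the last 4 characters of a match**" makes unmasking a required part of the procedure, while the rewritten introduction describes it as something you enable only "to expose the final four digits of a match". Unmasking shows part of the matched sensitive value to anyone who can view the match, so I suggest requiring only **Inspect protected files** in that step and describing the unmask box as optional. Further points in the same hunk: the retained lead-in "In order to give Defender for Cloud Apps the necessary permissions:" no longer fits the steps under "Configure Microsoft Information Protection settings", since the **Grant permission** step moved to Prerequisites; the sentence about an "inner classification keyword standard" was carried over from the removed exclusion paragraph and does not explain the choice between **Apply to all files** and **Apply to selected files**; "breaks inspection and prevent DLP policies" should read "prevents"; the table says "GCCM" where the note says "GCC‑M"; and the path "**Settings** > **Microsoft Information Protection**" omits the "Cloud Apps" level used in Prerequisites.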

CloudAppSecurityDocs/protect-box.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -47,7 +47,7 @@ In addition to monitoring for potential threats, you can apply and automate the
4747

4848
| Type | Action |
4949
| ---- | ---- |
50-
| Data governance | - Change shared link access level on folders<br />- Put folders in admin quarantine<br />- Put folders in user quarantine<br />- Remove a collaborator from folders<br />- Remove direct shared links on folders<br />- Remove external collaborators on folders<br />- Send DLP violation digest to file owners<br />- Send violation digest to last file editor<br />- Set expiration date to a folder shared link<br /> - Trash folder |
50+
| Data governance | - Change shared link access level on folders<br />- Put folders in admin quarantine<br />- Put folders in user quarantine<br />- Remove a collaborator from folders<br />- Remove direct shared links on folders<br/> - Send policy-match digest to file owners<br />- Send violation digest to last file editor<br />- Set expiration date to a folder shared link<br /> - Trash folder |
5151
| User governance | - Suspend user<br />- Notify user on alert (via Microsoft Entra ID)<br />- Require user to sign in again (via Microsoft Entra ID)<br />- Suspend user (via Microsoft Entra ID) |
5252

5353
For more information about remediating threats from apps, see [Governing connected apps](governance-actions.md).
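
Review bot: The replacement Data governance row drops "Remove external collaborators on folders" in the same edit that renames the digest action, and nothing visible in the change explains the removal. If that governance action is still available for Box it should stay in the list; if it was retired, say so in the commit description. The renamed "Send policy-match digest to file owners" also now sits next to the unchanged "Send violation digest to last file editor", so the terminology is inconsistent within one cell, and the new `<br/> - ` separator differs from the `<br />- ` form used by the other items.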

defender-endpoint/mac-preferences.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ ms.collection:
1515
ms.topic: how-to
1616
ms.subservice: macos
1717
search.appverid: met150
18-
ms.date: 05/21/2025
18+
ms.date: 07/01/2025
1919
---
2020

2121
# Set preferences for Microsoft Defender for Endpoint on macOS
@@ -995,6 +995,8 @@ The following templates contain entries for all settings described in this docum
995995
<dict>
996996
<key>enforcementLevel</key>
997997
<string>real_time</string>
998+
<key>behaviorMonitoring</key>
999+
<string>enabled</string>
9981000
<key>scanAfterDefinitionUpdate</key>
9991001
<true/>
10001002
<key>scanArchives</key>
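
Review bot: The `behaviorMonitoring` key is added at a single location (new lines 998-999), yet the hunk header context reads "The following templates contain entries for all settings" and the file shows only 3 additions in total, one of which is the ms.date line. If the document carries more than one template, the others need the same key and value so that the templates stay equivalent. It is also worth checking that the value `enabled` matches the allowed values given where the setting is documented in the same file.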

defender-endpoint/supported-capabilities-by-platform.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ ms.collection:
1414
ms.topic: article
1515
ms.subservice: onboard
1616
search.appverid: met150
17-
ms.date: 04/03/2025
17+
ms.date: 07/01/2025
1818
---
1919

2020
# Supported Microsoft Defender for Endpoint capabilities by platform
@@ -50,7 +50,7 @@ The following table gives information about the supported Microsoft Defender for
5050
|[Passive Mode](microsoft-defender-antivirus-compatibility.md)|![Yes.](media/svg/check-yes.svg)|![Yes.](media/svg/check-yes.svg)|![Yes.](media/svg/check-yes.svg)|![Yes.](media/svg/check-yes.svg)|
5151
|Sense detection sensor|![Yes.](media/svg/check-yes.svg)|![Yes.](media/svg/check-yes.svg)|![Yes.](media/svg/check-yes.svg)|![Yes.](media/svg/check-yes.svg)|
5252
|[Endpoint & network device discovery](device-discovery.md)|![Yes.](media/svg/check-yes.svg)|![Yes.](media/svg/check-yes.svg) <br/>(See note below) |![No](media/svg/check-no.svg)|![No](media/svg/check-no.svg)|
53-
|[Vulnerability management](/defender-vulnerability-management/defender-vulnerability-management)|![Yes.](media/svg/check-yes.svg)|![Yes.](media/svg/check-yes.svg)|![Yes.](media/svg/check-yes.svg)|![Yes.](media/svg/check-yes.svg) <br/>(preview)|
53+
|[Vulnerability management](/defender-vulnerability-management/defender-vulnerability-management)|![Yes.](media/svg/check-yes.svg)|![Yes.](media/svg/check-yes.svg)|![Yes.](media/svg/check-yes.svg)|![Yes.](media/svg/check-yes.svg) <br/>|
5454
|**Response** | | | ||
5555
|[Automated Investigation & Response (AIR)](automated-investigations.md) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) | ![No](media/svg/check-no.svg) | ![No](media/svg/check-no.svg) |
5656
|[Device response capabilities: collect investigation package ](respond-machine-alerts.md) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) | ![Yes.](media/svg/check-yes.svg) |
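
Review bot: On new line 53 the "(preview)" text is removed but the `<br/>` in front of it is kept, so the last cell of the Vulnerability management row now ends in a dangling line break. Remove the `<br/>` along with the label so the cell matches the other plain "Yes" cells in the row.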
@@ -64,8 +64,8 @@ The following table gives information about the supported Microsoft Defender for
6464
> - For Windows Server 2012 R2 and Windows Server 2016, use the modern, unified solution. See [Onboard Windows Servers to the Defender for Endpoint service](onboard-server.md#functionality-in-the-modern-unified-solution-for-windows-server-2016-and-windows-server-2012-r2).
6565
> - On Linux Server, network protection, web protection, and custom network indicators are currently in preview.
6666
> - On Linux, network protection, web protection, and custom network indicators are currently in preview.
67-
> - Endpoint & network device discovery is supported on Windows Server 2019 or later, and on Windows 10 and Windows 11.
68-
> - Microsoft Defender Vulnerability Management is not supported on Rocky and Alma currently.
67+
> - Endpoint & network device discovery is supported on Windows Server 2019 or later, and on Windows 10 and Windows 11.
6968
> - For Windows 7, Windows 8.1, and Windows Server 2008 R2, use [MMA](/defender-endpoint/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma) for the EDR sensor and [System Center Endpoint Protection](/defender-endpoint/onboard-downlevel#configure-and-update-system-center-endpoint-protection-clients) (SCEP) for antivirus protection.
7069
70+
7171
[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
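
Review bot: Line 67 is removed and re-added with the same visible text, and an empty line is added at 70, so apart from deleting the Rocky and Alma bullet this hunk is whitespace-only churn. Restrict the change to the bullet removal. Since that bullet documented a support limitation for Microsoft Defender Vulnerability Management, the commit description should state that the limitation no longer applies. The unchanged context at lines 65 and 66 also carries two near-identical preview bullets ("On Linux Server, ..." and "On Linux, ...") that could be merged while this note block is being edited.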

defender-office-365/defender-for-office-365-whats-new.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ ms.author: chrisda
88
author: chrisda
99
manager: deniseb
1010
ms.localizationpriority: medium
11-
ms.date: 05/19/2025
11+
ms.date: 7/1/2025
1212
audience: ITPro
1313
ms.collection:
1414
- m365-security
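
Review bot: The new value `ms.date: 7/1/2025` on line 11 drops the zero padding that the line it replaces used (`05/19/2025`) and that the other files in this commit use (`07/01/2025`). Write it as `07/01/2025` so the metadata format stays consistent.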
@@ -47,6 +47,8 @@ For more information on what's new with other Microsoft Defender security produc
4747

4848
For more information, see [MC1096885](https://admin.microsoft.com/AdminPortal/Home?#/MessageCenter/:/messages/MC1096885).
4949

50+
- AI-powered Submissions Response introduces generative AI explanations for admin email submissions to Microsoft. For more information, see [Submission result definitions](submissions-result-definitions.md).
51+
5052
## May 2025
5153

5254
- In government cloud environments, :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action** replaces the **Message actions** drop down list on the **Email** tab (view) of the details area of the **All email**, **Malware**, or **Phish** views in [Threat Explorer (Explorer)](threat-explorer-real-time-detections-about.md):
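
Review bot: The empty line added at 51 sits directly above the existing empty line before "## May 2025", leaving two consecutive blank lines ahead of the heading; drop the added one. The new bullet at line 50 names the feature and links to the result definitions but does not say where admins see the explanations, and one clause on that would bring it in line with the more detailed entries around it.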

unified-secops-platform/microsoft-threat-actor-naming.md

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -46,7 +46,6 @@ The following table shows how the family names map to the threat actors that we
4646

4747
|Threat actor category|Type|Family name|
4848
|:---|:---|:---|
49-
|Nation-state|China<br>Iran<br>Lebanon<br>North Korea<br>Russia<br>South Korea<br>Türkiye<br>Vietnam|Typhoon<br>Sandstorm<br>Rain<br>Sleet<br>Blizzard<br>Hail<br>Dust<br>Cyclone|
5049
|Nation-state|China<br>Germany<br>India<br>Iran<br>North Korea<br>Lebanon<br>Pakistan<br>Palestinian Authority<br>Russia<br>Singapore<br>South Korea<br>Spain<br>Syria<br>Türkiye<br>Ukraine<br>United States<br>Vietnam|Typhoon<br>Gale<br>Monsoon<br>Sandstorm<br>Sleet<br>Rain<br>Whirlwind<br>Lightning<br>Blizzard<br>Squall<br>Hail<br>Derecho<br>Haze<br>Dust<br>Frost<br>Tornado<br>Cyclone|
5150
|Financially motivated|Financially motivated|Tempest|
5251
|Private sector offensive actors|PSOAs|Tsunami|
