Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into painbar-simplified-installation

Author: paulinbar

ATPDocs/media/okta-integration/remove-inactive-service-accounts.png

@@ -0,0 +1,46 @@
+---
+title: 'Security Assessment: Remove Inactive Service Account (Preview)'
+description: Learn how to identify and address inactive Active Directory service accounts to mitigate security risks and improve your organization's security posture.
+ms.date: 08/17/2025
+ms.topic: how-to
+#customer intent: As a security administrator, I want to improve security posture in my organization by removing inactive service accounts
+---
+
+# Security Assessment: Remove Inactive Service Accounts (Preview)
+
+This recommendation lists Active Directory service accounts detected as inactive (stale) within the past 180 days. 
+
+## Why do inactive service accounts pose a risk?
+
+Unused service accounts create significant security risks, as some of them can carry elevated privileges. If attackers gain access, the result can be substantial damage. Dormant service accounts might retain high or legacy permissions. When compromised, they provide attackers with discreet entry points into critical systems, granting far more access than a standard user account.
+
+This exposure creates several risks:
+
+- Unauthorized access to sensitive applications and data.
+
+- Lateral movement across the network without detection.
+
+
+## How do I use this security assessment to improve my organizational security posture? 
+
+To use this security assessment effectively, follow these steps:
+
+1. Review the recommended action at [https://security.microsoft.com/securescore?viewid=actions ](https://security.microsoft.com/securescore?viewid=actions ) for Remove inactive service account.
+1. Review the list of exposed entities to discover which of your service account is inactive.
+
+    :::image type="content" source="media/okta-integration/remove-inactive-service-accounts.png" alt-text="Screenshot that shows the recommendation action to remove inactive service accounts." lightbox="media/okta-integration/remove-inactive-service-accounts.png":::
+
+1. Take appropriate actions on those entities by removing the service account. For example:
+
+    - **Disable the account:** Prevent any usage by disabling the account identified as exposed.
+
+    - **Monitor for impact:** Wait several weeks and monitor for operational issues, such as service disruptions or errors.
+
+    - **Delete the account:** If no issues are observed, delete the account and fully remove its access.
+
+> [!NOTE]
+> Assessments are updated in near real time, and scores and statuses are updated every 24 hours. The list of impacted entities is updated within a few minutes of your implementing the recommendations. The status might take time until it's marked as **Completed**.
+
+## Related articles
+
+- [Learn more about Microsoft Secure Score](/defender-xdr/microsoft-secure-score)

ATPDocs/remove-inactive-service-account.md

@@ -249,10 +249,12 @@ items:
            href: security-assessment-clear-text.md
          - name: LAPS usage assessment
            href: security-assessment-laps.md
-         - name: Riskiest lateral movement paths
-           href: security-assessment-riskiest-lmp.md
          - name: Remove discoverable passwords in Active Directory account attributes
            href: remove-discoverable-passwords-active-directory-account-attributes.md
+         - name: Remove inactive service accounts
+           href: remove-inactive-service-account.md
+         - name: Riskiest lateral movement paths
+           href: security-assessment-riskiest-lmp.md
          - name: Unsecure Kerberos delegation assessment
            href: security-assessment-unconstrained-kerberos.md
          - name: Unsecure SID History attributes

ATPDocs/toc.yml

@@ -26,13 +26,19 @@ For updates about versions and features released six months ago or earlier, see
 ## August 2025
 
 
+### New security assessment: Remove inactive service accounts (Preview)
+
+Microsoft Defender for Identity now includes a new security assessment that helps you identify and remove inactive service accounts in your organization. This assessment lists Active Directory service accounts that have been inactive (stale) for the past 180 days, to help you mitigate security risks associated with unused accounts.
+
+For more information, see: [Security Assessment: Remove Inactive Service Accounts (Preview)](remove-inactive-service-account.md)
+
 ### New Graph based API for response actions (preview) 
 
 We’re excited to announce a new Graph-based API for initiating and managing remediation actions in Microsoft Defender for Identity.
 
 This capability is currently in preview and available in API Beta version.
 
-For more information, see [Managing response actions through Graph API](/graph/api/resources/security-identityaccounts?view=graph-rest-beta).
+For more information, see [Managing response actions through Graph API](/graph/api/resources/security-identityaccounts?view=graph-rest-beta&preserve-view=true).
 
 ### Identity scoping is now generally available (GA)
 

ATPDocs/whats-new.md

@@ -16,7 +16,7 @@ ms.collection:
 ms.custom: seo-marvel-apr2020
 description: "Admins can learn how to use the Submissions page in the Microsoft Defender portal to submit messages, URLs, and email attachments to Microsoft for analysis. Reasons for submission include: legitimate messages that were blocked, suspicious messages that were allowed, suspected phishing email, spam, malware, and other potentially harmful messages."
 ms.service: defender-office-365
-ms.date: 06/13/2025
+ms.date: 08/18/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Default email protections for cloud mailboxes</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -140,6 +140,11 @@ For other ways that **admins** can report messages to Microsoft in the Defender
 
 After a few moments, the block entry is available on the **Domains & addresses** tab on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=Sender>.
 
+> [!NOTE]
+> Admin submissions for on-premises mailboxes are supported only for messages less than 7 days old.
+>
+> Currently, admin submissions by uploading files from on-premises mailboxes isn't supported.
+
 ### Report questionable email attachments to Microsoft
 
 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Actions & submissions** \> **Submissions**. Or, to go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.