Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into mde-policies

Author: batamig

.openpublishing.redirection.defender-office-365.json

@@ -59,6 +59,11 @@
       "source_path": "defender-office-365/step-by-step-guides/deploy-and-configure-the-report-message-add-in.md",
       "redirect_url": "/defender-office-365/submissions-outlook-report-messages",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-office-365/tenant-wide-setup-for-increased-security.md",
+      "redirect_url": "/security/zero-trust/zero-trust-identity-device-access-policies-overview",
+      "redirect_document_id": false
     }
   ]
 }

ATPDocs/assign-multi-factor-authentication-okta-privileged-user-accounts.md

@@ -12,6 +12,11 @@ ms.reviewer: Himanch
 
 This report lists any Okta privileged accounts that don't have any multifactor authentication (MFA) methods assigned. 
 
+## Prerequisites
+
+To use this security assessment, you must first connect your Okta instance in the Microsoft Defender portal.  
+For setup instructions, see [Connect your Okta instance](/defender-for-identity/okta-integration#connect-okta-to-defender-for-identity).
+
 ## Why is a privileged account without MFA a security risk?
 
 All privileged accounts should have multifactor authentication (MFA) enabled to strengthen security. By ensuring that privileged accounts such as Super Admin or Org Admin roles are secured with MFA, organizations can significantly reduce the risk of unauthorized access from compromised credentials. This strategy helps prevent attackers from gaining elevated access, safeguarding sensitive resources and protecting critical administrative functions from abuse.

ATPDocs/change-okta-password-privileged-user-accounts.md

@@ -11,6 +11,11 @@ ms.reviewer: Himanch
 
 This recommendation lists any Okta privileged accounts that use outdated passwords that were last set over 180 days ago.  
 
+## Prerequisites
+
+To use this security assessment, you must first connect your Okta instance in the Microsoft Defender portal.  
+For setup instructions, see [Connect your Okta instance](/defender-for-identity/okta-integration#connect-okta-to-defender-for-identity).
+
 ## Why is a privileged account with an old password a security risk?
 
 Privileged accounts with old passwords create a significant security risk, as older credentials are more likely to be exposed through data breaches or other attack vectors. Enforcing regular password updates for privileged accounts reduces the likelihood of unauthorized access and strengthens overall security. Applying stringent password policies to accounts with elevated privileges protects sensitive resources and lowers the risk of exploitation.

ATPDocs/deploy/deploy-defender-identity.md

@@ -23,10 +23,10 @@ Identify your architecture and your requirements, and then use the table below t
 |Server configuration   |Server Operating System  |Recommended deployment |
 |---------|---------|---------|---------|
 |Domain controller     | Windows Server 2019 or later with the [March 2024 Cumulative Update](https://support.microsoft.com/topic/march-12-2024-kb5035857-os-build-20348-2340-a7953024-bae2-4b1a-8fc1-74a17c68203c) or later.<br> * **See Note**.|[Defender for Identity sensor v3.x (Preview)](prerequisites-sensor-version-3.md)<br> * **See Note**.        |
-|Domain controller      |Windows Server 2016 or earlier         |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)         |
-|[Active Directory Federation Services (AD FS)](active-directory-federation-services.md)     |    NA     |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)      |
-|[Active Directory Certificate Services (AD CS)](active-directory-federation-services.md)     |  NA       |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)      |
-|[Entra Connect](active-directory-federation-services.md)|  NA    |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)     |
+|Domain controller      |Windows Server 2016 or later         |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)         |
+|[Active Directory Federation Services (AD FS)](active-directory-federation-services.md)     |    Windows Server 2016 or later      |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)      |
+|[Active Directory Certificate Services (AD CS)](active-directory-federation-services.md)     |  Windows Server 2016 or later        |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)      |
+|[Entra Connect](active-directory-federation-services.md)|  Windows Server 2016 or later     |[Defender for Identity sensor v2.x](prerequisites-sensor-version-2.md)     |
 
 > [!NOTE]
 > The Defender for Identity sensor version 3.x is still in preview and has some limited functionality compared to version 2.x. Keep these limitations in mind before activating the sensor.

ATPDocs/high-number-of-okta-accounts-with-privileged-role-assigned.md

@@ -14,6 +14,12 @@ This article describes the security risks associated with having a high number o
 > [!NOTE]
 > This report lists Okta accounts with administrator roles - excluding Super Administrator, where the number of accounts assigned to these roles is greater than 25.  
 
+## Prerequisites
+
+To use this security assessment, you must first connect your Okta instance in the Microsoft Defender portal.  
+For setup instructions, see [Connect your Okta instance](/defender-for-identity/okta-integration#connect-okta-to-defender-for-identity).
+
+
 ## Why is a high number of Okta accounts with privileged roles considered a security risk?
 
 A high number of users with privileged roles increases the risk of misuse or unauthorized access to critical systems. By reducing the number of users assigned to roles such as Super Admin or Org Admin, organizations can better limit access to sensitive resources and reduce the attack surface. Maintaining a smaller, set of privileged accounts ensures more effective governance and minimizes potential security vulnerabilities.

ATPDocs/highly-privileged-okta-api-token.md

@@ -11,6 +11,12 @@ ms.reviewer: Himanch
 
 This article describes the security risks associated with highly privileged Okta API tokens and provides recommendations for mitigating these risks.
 
+## Prerequisites
+
+To use this security assessment, you must first connect your Okta instance in the Microsoft Defender portal.  
+For setup instructions, see [Connect your Okta instance](/defender-for-identity/okta-integration#connect-okta-to-defender-for-identity).
+
+
 ## Why is a highly privileged Okta API token a security risk?
 
 Okta’s API tokens inherit the permissions of the user who creates them. If a user with sensitive permissions generates an API token, it carries those permissions. Any API token created by a Super Admin has the same level of access as the Super Admin account. This can expose sensitive data and functionality to unauthorized users. If the token is stolen, it can grant the attacker access equivalent to the original user.

ATPDocs/limit-number-okta-super-admin-accounts.md

@@ -11,6 +11,12 @@ ms.reviewer: Himanch
 
 This report lists Okta accounts with Super Administrator role, where the number of users assigned to this role is greater than 5.
 
+## Prerequisites
+
+To use this security assessment, you must first connect your Okta instance in the Microsoft Defender portal.  
+For setup instructions, see [Connect your Okta instance](/defender-for-identity/okta-integration#connect-okta-to-defender-for-identity).
+
+
 ## Why is having too many Super Admin accounts a security risk?
 
 A high number of users with privileged roles increases the risk of misuse or unauthorized access to critical systems. By reducing the number of users assigned to roles such as Super Admin or Org Admin, organizations can better limit access to sensitive resources and reduce the attack surface. Maintaining a smaller, set of privileged accounts ensures more effective governance and minimizes potential security vulnerabilities.

ATPDocs/remove-dormant-okta-privileged-accounts.md

@@ -11,6 +11,12 @@ ms.reviewer: Himanch
 
 This article describes the security risks associated with dormant Okta privileged accounts and provides recommendations for mitigating these risks.
 
+## Prerequisites
+
+To use this security assessment, you must first connect your Okta instance in the Microsoft Defender portal.  
+For setup instructions, see [Connect your Okta instance](/defender-for-identity/okta-integration#connect-okta-to-defender-for-identity).
+
+
 ## Why is a dormant privileged account a security risk?
 
 Dormant privileged accounts represent a significant security risk, as they can become targets for unauthorized access or misuse without detection. Deactivating or removing unused privileged accounts ensures that only active, monitored users have access to critical administrative capabilities.

ATPDocs/whats-new.md

@@ -25,7 +25,14 @@ For updates about versions and features released six months ago or earlier, see
 
 ## August 2025
 
-**Suspected Brute Force attack (Kerberos, NTLM):** Improved detection logic now includes scenarios where accounts were locked during the attacks - note that the number of triggered alerts may increase.
+### Sensor version 2.246
+
+This version includes bug fixes and stability improvements for the Microsoft Defender for Identity sensor.
+
+### Detection update: Suspected Brute Force attack (Kerberos, NTLM)
+
+Improved detection logic to include scenarios where accounts were locked during attacks. As a result, the number of triggered alerts might increase.
+
 
 ## July 2025
 
@@ -37,17 +44,17 @@ For more information, see [Configure scoped access for Microsoft Defender for Id
 
 ### New security posture assessments for unmonitored identity servers
 
-Microsoft Defender for Identity now includes three security posture assessments that detect when Microsoft Entra Connect, Active Directory Federation Services (ADFS), or Active Directory Certificate Services (ADCS) servers are present in your environment but aren't monitored.
+Microsoft Defender for Identity three new security posture assessments detect when Microsoft Entra Connect, Active Directory Federation Services (ADFS), or Active Directory Certificate Services (ADCS) servers are present in your environment but aren't monitored.
 
 Use these assessments to improve monitoring coverage and strengthen your hybrid identity security posture.
 
-For more details, see:
+For more information, see:
 
 [Security Assessment: Unmonitored ADCS servers](unmonitored-active-directory-certificate-services-server.md)
 
 [Security Assessment: Unmonitored ADFS servers](unmonitored-active-directory-federation-services-servers.md)
 
-[Security Assessment: Unmonitored Entra Connect servers](unmonitored-entra-connect-servers.md)
+[Security Assessment: Unmonitored Microsoft Entra Connect servers](unmonitored-entra-connect-servers.md)
 
 
 
@@ -65,7 +72,7 @@ Scoping by Active Directory domains helps:
 
 - Support operational boundaries: Align access for SOC analysts, identity administrators, and regional teams.
 
-For more information see: [Configure scoped access for Microsoft Defender for Identity](configure-scoped-access.md).
+For more information, see: [Configure scoped access for Microsoft Defender for Identity](configure-scoped-access.md).
 
 
 ### Okta integration is now available in Microsoft Defender for Identity
@@ -106,7 +113,7 @@ Defender for Identity now supports deploying its new sensor on Domain Controller
 The Activation Page now displays all servers from your device inventory, including those not currently eligible for the new Defender for Identity sensor. This enhancement increases transparency into sensor eligibility, helping you identify noneligible servers and take action to update and onboard them for enhanced identity protection.
 
 
-### Local administrators collection (using SAM-R queries) feature will be disabled
+### Local administrators collection (using SAM-R queries) feature is disabled
 The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. An alternative method is being explored. The change occurs automatically by the specified date, and no administrative action is required.
 
 ### New Health Issue
@@ -152,7 +159,7 @@ For more information, see: [Investigate and protect Service Accounts | Microsoft
 
 ### Enhanced Identity Inventory
 
-The Identities page under *Assets* has been updated to provide better visibility and management of identities across your environment.  
+The Identities page under *Assets* was updated to provide better visibility and management of identities across your environment.  
 The updated Identities Inventory page now includes the following tabs:
 
 - Identities: A consolidated view of identities across Active Directory, Entra ID. This Identities tab highlights key details, including identity types, and user's information. 

CloudAppSecurityDocs/discovered-apps.md

@@ -23,7 +23,7 @@ This procedure describes how to get an initial, general picture of your cloud di
 
     For example:
 
-    :::image type="content" source="media/cloud-discovery-dashboard.png" alt-text="Screenshot of the Cloud discovery dashboard":::
+    :::image type="content" source="media/cloud-discovery-dashboard.png" alt-text="Screenshot of the Cloud discovery dashboard" lightbox="media/cloud-discovery-dashboard.png":::
 
     Supported apps include Windows and macOS apps, which are both listed under the **Defender - managed endpoints** stream.
 
@@ -57,7 +57,8 @@ For example, if you want to identify commonly used, risky cloud storage and coll
 
 1. Set the **Security risk factor** for **Data at rest encryption** equals **Not supported**. Then set **Risk score** equals 6 or lower.
 
-    ![Screenshot of sample discovered app filters.](media/discovered-app-filters.png)
+
+    :::image type="content" source="media/discovered-app-filters.png" alt-text="Screenshot of discovered app filters." lightbox="media/discovered-app-filters.png":::
 
 After the results are filtered, [unsanction and block](governance-discovery.md) them by using the bulk action checkbox to unsanction them all in one action. Once they're unsanctioned, use a blocking script to block them from being used in your environment.
 
@@ -66,10 +67,13 @@ You also might want to identify specific app instances that are in use by invest
 :::image type="content" source="media/discovered-apps/subdomains-image.png" alt-text="Subdomain filter.":::
 
 > [!NOTE]
-> Deep dives into discovered apps are supported only in firewalls and proxies that contain target URL data. For more information, see [Supported firewalls and proxies](set-up-cloud-discovery.md#supported-firewalls-and-proxies).
+> The feature of discovered subdomains will be deprecated by Sep 31st, 2025. Post this, no support for discovery subdomains will be provided.
+> 
+>  Deep dives into discovered apps are supported only in firewalls and proxies that contain target URL data. For more information, see [Supported firewalls and proxies](set-up-cloud-discovery.md#supported-firewalls-and-proxies).
 >
 > If Defender for Cloud Apps can't match the subdomain detected in the traffic logs with the data stored in the app catalog, the subdomain is tagged as **Other**.
 
+
 ## Discover resources and custom apps
 
 Cloud discovery also enables you to dive into your IaaS and PaaS resources. Discover activity across your resource-hosting platforms, viewing access to data across your self-hosted apps and resources including storage accounts, infrastructure and custom apps hosted on Azure, Google Cloud Platform, and AWS. Not only can you see overall usage in your IaaS solutions, but you can get visibility into the specific resources that are hosted on each, and the overall usage of the resources, to help mitigate risk per resource.
@@ -83,11 +87,13 @@ For example, if a large amount of data is uploaded, discover what resource it's
 
 1. In the Microsoft Defender portal, under **Cloud Apps**, select **Cloud discovery**. Then choose the  **Discovered resources** tab.
 
-    ![Screenshot of the discovered resources menu.](media/discovered-resources-menu.png)
+    :::image type="content" source="media/discovered-resources-menu.png" alt-text="Screenshot that shows the discovered resources menu." lightbox="media/discovered-resources-menu.png":::
 
 1. In the **Discovered resources** page, drill down into each resource to see what kinds of transactions occurred, who accessed it, and then drill down to investigate the users even further.
 
-   ![Screenshot of the Discovered resources tab.](media/discovery-resources.png)
+
+    :::image type="content" source="media/discovery-resources.png" alt-text="Screenshot that shows a list of discovered resources.":::
+
 
 1. For custom apps, select the options menu at the end of the row and then select **Add new custom app**. This opens the **Add this app** dialog, where you can name and identify the app so it can be included in the cloud discovery dashboard.
 
@@ -104,7 +110,7 @@ The best way to get an overview of Shadow IT use across your organization is by
 1. Optionally, change the report name, and then select **Generate**.
 
 > [!NOTE]
-> The executive summary report is revamped to a 6-pager report with a goal to provide a clear, concise & actionable overview while preserving the depth and integrity of the original analysis.
+> The executive summary report is revamped to a six-pager report with a goal to provide a clear, concise & actionable overview while preserving the depth and integrity of the original analysis.
 
 ## Exclude entities
 
@@ -118,10 +124,12 @@ If you have system users, IP addresses, or devices that are noisy but uninterest
 
 1. Add a user alias, IP address, or device name. We recommend adding information about why the exclusion was made.
 
-    ![Screenshot of excluding a user.](media/exclude-user.png "exclude user")
+    :::image type="content" source="media/exclude-user.png" alt-text="Screenshot that shows the option to exclude users from the Cloud Discovery report." lightbox="media/exclude-user.png":::
+
 
 >[!NOTE]
->All entity exclusions apply to newly received data only. Historical data of the excluded entities remains through the retention period (90 days).
+> - All entity exclusions apply to newly received data only. Historical data of the excluded entities remains through the retention period (90 days).
+> - Entity exclusion is only supported for the Global report stream. Entities from Microsoft Defender for Endpoint and the Cloud App Security proxy stream aren't supported for exclusion.
 
 ## Manage continuous reports
 
@@ -141,10 +149,11 @@ Custom continuous reports provide you with more granularity when monitoring your
 
 1. Set the filters you want on the data. These filters can be **User groups**, **IP address tags**, or **IP address ranges**. For more information on working with IP address tags and IP address ranges, see [Organize the data according to your needs](ip-tags.md).
 
-    ![Screenshot of creating a custom continuous report.](media/create-custom-continuous-report.png)
+
+    :::image type="content" source="media/create-custom-continuous-report.png" alt-text="Screenshot that shows how to create a continuous report.":::
 
 > [!NOTE]
-> All custom reports are limited to a maximum of 1 GB of uncompressed data. If there is more than 1 GB of data, the first 1 GB of data will be exported into the report.
+> All custom reports are limited to a maximum of 1 GB of uncompressed data. If there's more than 1 GB of data, the first 1 GB of data will be exported into the report.
 
 ## Deleting cloud discovery data
 
@@ -166,10 +175,10 @@ We recommend deleting cloud discovery data in the following cases:
 
 1. Select the **Delete** button.
 
-    ![Screenshot of deleting cloud discovery data.](media/delete-data.png "delete data")
+    :::image type="content" source="media/delete-data.png" alt-text="Screenshot of deleting cloud discovery data." lightbox="media/delete-data.png":::
 
 > [!NOTE]
-> The deletion process takes a few minutes and is not immediate.
+> The deletion process takes a few minutes and isn't immediate.
 
 ## Next steps