Merge branch 'main' into mde-sap

Author: denisebmsft

ATPDocs/deploy/activate-capabilities.md

@@ -37,12 +37,6 @@ Direct Defender for Identity capabilities are supported on domain controllers on
 >
 > This issue is addressed in the out-of-band update [KB5037422](https://support.microsoft.com/en-gb/topic/march-22-2024-kb5037422-os-build-20348-2342-out-of-band-e8f5bf56-c7cb-4051-bd5c-cc35963b18f3).
 
-### Defender for Endpoint onboarding
-
-Your domain controller must be onboarded to Microsoft Defender for Endpoint.
-
-For more information, see [Onboard a Windows server](/microsoft-365/security/defender-endpoint/onboard-windows-server).
-
 ### Permissions requirements 
 
 To access the Defender for Identity **Activation** page, you must either be a [Security Administrator](/entra/identity/role-based-access-control/permissions-reference), or have the following Unified RBAC permissions:
@@ -55,12 +49,6 @@ For more information, see:
 - [Unified role-based access control RBAC](../role-groups.md#unified-role-based-access-control-rbac)
 - [Create a role to access and manage roles and permissions](/microsoft-365/security/defender/create-custom-rbac-roles#create-a-role-to-access-and-manage-roles-and-permissions)
 
-### Connectivity requirements
-
-Defender for Identity capabilities directly on domain controllers use Defender for Endpoint URL endpoints for communication, including simplified URLs.
-
-For more information, see [Configure your network environment to ensure connectivity with Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-environment##enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
-
 ## Configure Windows auditing
 
 Defender for Identity detections rely on specific Windows Event Log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications.
@@ -78,42 +66,58 @@ For example, the following command defines all settings for the domain, creates
 Set-MDIConfiguration -Mode Domain -Configuration All
 ```
 
-## Activate Defender for Identity capabilities
+## Onboarding steps
+
+### Customers with domain controllers already onboarded to Defender for Endpoint 
 
-After ensuring that your environment is completely configured, activate the Microsoft Defender for Identity capabilities on your domain controller.
+### Activate Defender for Identity capabilities
 
 Activate the Defender for Identity from the [Microsoft Defender portal](https://security.microsoft.com).
 
 1. Navigate to **System** > **Settings** > **Identities** > **Activation**.
 
-   The Activation page lists servers discovered in Device Inventory and identified as eligible domain controllers. 
+    The Activation Page now displays all servers from your device inventory, including those not currently eligible for the activation of the new Defender for Identity sensor. For each server you can find its activation state.
 
-1. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
+2. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
 
     :::image type="content" source="media/activate-capabilities/1.jpg" lightbox="media/activate-capabilities/1.jpg" alt-text="Screenshot that shows how to activate the new sensor.":::
 
     > [!NOTE]
     > You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they're discovered, or manually, where you select specific domain controllers from the list of eligible servers.
 
-1. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
+3. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
 
     :::image type="content" source="media/activate-capabilities/2.jpg" lightbox="media/activate-capabilities/2.jpg" alt-text="Screenshot that shows how to seethe onboarded servers.":::
 
+### Customers without domain controllers onboarded to Defender for Endpoint 
+
+### Connectivity requirements
+
+Defender for Identity capabilities directly on domain controllers use Defender for Endpoint URL endpoints for communication, including simplified URLs.
+
+For more information, see [Configure your network environment to ensure connectivity with Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-environment##enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
+
+### Onboard Defender for Identity capabilities 
+Download the Defender for Identity onboarding package from the [Microsoft Defender portal] (https://security.microsoft.com) 
+
+1. Navigate to **System** > **Settings** > **Identities** > **Activation**
+2. Select Download onboarding package and save the file in a location you can access from your domain controller.
+3. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOnboardingScript.cmd` script as an Administrator. 
+   
 ## Onboarding Confirmation 
 
 To confirm the sensor has been onboarded: 
 
-1. Navigate to **System** > **Settings** > **Identities** > **Sensors**. 
+1. Navigate to **System** > **Settings** > **Identities** > **Sensors**.
 
 2. Check that the onboarded domain controller is listed. 
 
 > [!NOTE]
-> The activation doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
+> The onboarding doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
+> To check the onboarding on the local server you can also review the event log under **Applications and Services Logs** > **Microsoft** > **Windows** > **Sense** > **Operational**. You should receive an onboarding event: 
 
 ## Test activated capabilities
 
-The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations show within five minutes.
-
 Defender for Identity capabilities on domain controllers currently support the following Defender for Identity functionality:
 
 - Investigation features on the [ITDR dashboard](#check-the-itdr-dashboard), [identity inventory](#confirm-entity-page-details), and [identity advanced hunting data](#test-advanced-hunting-tables)
@@ -163,7 +167,6 @@ IdentityQueryEvents
 
 For more information, see [Advanced hunting in the Microsoft Defender portal](/microsoft-365/security/defender/advanced-hunting-microsoft-defender).
 
-
 ## Test Identity Security Posture Management (ISPM) recommendations
 
 We recommend simulating risky behavior in a test environment to trigger supported assessments and verify that they appear as expected. For example:
@@ -214,17 +217,31 @@ Test remediation actions on a test user. For example:
 
 For more information, see [Remediation actions in Microsoft Defender for Identity](../remediation-actions.md).
 
-## Deactivate Defender for Identity capabilities on your domain controller
+## Offboarding steps
+
+### Customers with domain controllers already onboarded to Defender for Endpoint 
+
+### Deactivate Defender for Identity capabilities on your domain controller 
 
 If you want to deactivate Defender for Identity capabilities on your domain controller, delete it from the **Sensors** page:
 
-1. In the Defender portal, select **Settings** > **Identities** > **Sensors**.
+1. Navigate to **Settings** > **Identities** > **Sensors**
 2. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
 
     :::image type="content" source="media/activate-capabilities/3.jpg" lightbox="media/activate-capabilities/3.jpg" alt-text="Screenshot that shows how to deactivate a server.":::
 
 Deactivating Defender for Identity capabilities from your domain controller doesn't remove the domain controller from Defender for Endpoint. For more information, see [Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/).
 
+### Customers without domain controllers onboarded to Defender for Endpoint 
+
+### Offboard Defender for Identity capabilities on your domain controller 
+Download the Defender for Identity offboarding package from the [Microsoft Defender portal] (https://security.microsoft.com).
+
+1. Navigate to **Settings** > **Identities** > **Activation**
+2. Select Download offboarding package and save the file in a location you can access from your domain controller.
+3. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOffboardingScript_valid_until_YYYY-MM-DD.cmd` script as an Administrator.
+4. To fully remove the sensor, navigate to **Settings** > **Identities** > **Sensors**, select the server and click Delete. 
+
 ## Next steps
 
 For more information, see [Manage and update Microsoft Defender for Identity sensors](../sensor-settings.md).

ATPDocs/whats-new.md

@@ -24,6 +24,14 @@ For updates about versions and features released six months ago or earlier, see
 
 ## May 2025
 
+###  Expanded New Sensor Deployment Support for Domain Controllers (Preview)
+Defender for Identity now supports deploying its new sensor on Domain Controllers without requiring Defender for Endpoint onboarding. This simplifies sensor activation and expands deployment flexibility. [Learn more](deploy/activate-capabilities.md).
+
+
+### Improved Visibility into Defender for Identity New Sensor Eligibility in the Activation page
+The Activation Page now displays all servers from your device inventory, including those not currently eligible for the new Defender for Identity sensor. This enhancement increases transparency into sensor eligibility, helping you identify non-eligible servers and take action to update and onboard them for enhanced identity protection.
+
+
 ### Local administrators collection (using SAM-R queries) feature will be disabled
 The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. An alternative method is being explored. The change will occur automatically by the specified date, and no administrative action is required.
 

CloudAppSecurityDocs/applications-inventory.md

@@ -5,7 +5,7 @@ ms.topic: overview
 description: The new Applications page located under Assets in Microsoft Defender XDR portal provides a centralized location for users to view and manage SaaS and SaaS connected OAuth apps information across their environment, ensuring optimal visibility and a comprehensive experience
 #customer intent: As a security administrator, I want to discover, monitor, and manage all SaaS and OAuth connected apps in my organization so that I can ensure security and compliance.
 ---
-# Applications inventory (Preview)
+# Applications inventory 
 
 Protecting your SaaS ecosystem requires taking inventory of all SaaS and connected OAuth apps that are in your environment. With the increasing number of applications, having a comprehensive inventory is crucial to ensure security and compliance. The Applications page provides a centralized view of all SaaS and connected OAuth apps in your organization, enabling efficient monitoring and management.
 At a glance you can see information such as app name, risk score, privilege level, publisher information, and other details for easy identification of SaaS and OAuth apps most at risk.
@@ -19,7 +19,7 @@ The Applications page includes the following tabs:
 
 In the Defender portal at <https://security.microsoft.com>, go to **Assets** > **Applications**. Or, go directly to the **Applications** page, by clicking on the banner links on the existing Cloud discovery and App governance pages.
 
-:::image type="content" source="media/banner-on-cloud-discovery-pages.png" alt-text="Screenshot of the Cloud Discovery page with a banner about the new unified application inventory experience" lightbox="media/banner-on-cloud-discovery-pages.png":::
+:::image type="content" source="media/banner-on-cloud-discovery-pages.png" alt-text="Screenshot of the Cloud Discovery page with a banner about the new unified application inventory experience." lightbox="media/banner-on-cloud-discovery-pages.png":::
 
 :::image type="content" source="media/banner-message-on-app-governance-pages.png" alt-text="Screenshot of the App Governance page with a banner about the new unified application inventory experience for managing OAuth and SaaS apps" lightbox="media/banner-message-on-app-governance-pages.png":::
 
@@ -31,7 +31,7 @@ There are several options you can choose from to customize the SaaS apps and OAu
 * Apply filters
 
 > [!NOTE]
->When exporting the applications list to a CSV file, a maximum of 1000 SaaS or OAuth apps are displayed.
+> When exporting the applications list to a CSV file, a maximum of 1000 SaaS or OAuth apps are displayed.
 
 The following image depicts the SaaS apps list:
 :::image type="content" source="media/applications-tab-in-the-defender-portal.png" alt-text="Screenshot of the applications tab in the Defender portal" lightbox="media/applications-tab-in-the-defender-portal.png"
@@ -71,7 +71,7 @@ The OAuth apps tab provides visibility into Microsoft 365, Google workspace and
 
 * **Apps from external unverified publishers** – Shows apps that originated from an external unverified publisher tenant. (Available for Microsoft 365)
 
-For more information on how to create app policies, see:[Create app policies in app governance](app-governance-app-policies-create.md)
+For more information on how to create app policies, see [Create app policies in app governance](app-governance-app-policies-create.md).
 
 The following image depicts the OAuth apps list:
 
@@ -97,8 +97,7 @@ You can apply the following filters to get a more focused view:
 | **Privilege level**  | The app's privilege level. |
 | **Certification**| Indicates if an app meets stringent security and compliance standards set by Microsoft 365 or if its publisher has publicly attested to its safety.  |
 | **Sensitivity label accessed**| Sensitivity labels on content accessed by the app  |
-| **Service accessed**| Microsoft 365 services accessed by the app  
-|
+| **Service accessed**| Microsoft 365 services accessed by the app  |
 
 
 > [!TIP]
@@ -112,4 +111,4 @@ You can apply the following filters to get a more focused view:
 > [!div class="nextstepaction"]
 > [Best practices for protecting your organization](best-practices.md)
 
-[!INCLUDE [Open support ticket](includes/support.md)]
+[!INCLUDE [Open support ticket](includes/support.md)]

CloudAppSecurityDocs/discovered-apps.md

@@ -66,9 +66,9 @@ You also might want to identify specific app instances that are in use by invest
 :::image type="content" source="media/discovered-apps/subdomains-image.png" alt-text="Subdomain filter.":::
 
 > [!NOTE]
-> Deep dives into discovered apps are supported only only in firewalls and proxies that contain target URL data. For more information, see [Supported firewalls and proxies](set-up-cloud-discovery.md#supported-firewalls-and-proxies).
+> Deep dives into discovered apps are supported only in firewalls and proxies that contain target URL data. For more information, see [Supported firewalls and proxies](set-up-cloud-discovery.md#supported-firewalls-and-proxies).
 >
-> If Defender for Cloud Apps can't match the subdomain detected in the traffic logs with the data stored in the app catalogue, the subdomain is tagged as **Other**.
+> If Defender for Cloud Apps can't match the subdomain detected in the traffic logs with the data stored in the app catalog, the subdomain is tagged as **Other**.
 
 ## Discover resources and custom apps
 
@@ -102,6 +102,9 @@ The best way to get an overview of Shadow IT use across your organization is by
 1. From the **Cloud discovery** page, select **Actions** > **Generate Cloud Discovery executive report**.
 
 1. Optionally, change the report name, and then select **Generate**.
+   
+> [!NOTE]
+> The executive summary report is revamped to a 6-pager report with a goal to provide a clear, concise & actionable overview while preserving the depth and integrity of the original analysis.
 
 ## Exclude entities
 
@@ -154,7 +157,7 @@ We recommend deleting cloud discovery data in the following cases:
 - If many users or IP addresses recently started working again after being offline for some time, their activity is identified as anomalous and might give you false positive violations.
 
 > [!IMPORTANT]
-> Make sure you want to delete data before doing so. This action is irreversbile and deletes **all** cloud discovery data in the system.
+> Make sure you want to delete data before doing so. This action is irreversible and deletes **all** cloud discovery data in the system.
 >
 
 **To delete cloud discovery data**: