Merge branch 'main' into docs-editor/ios-whatsnew-1741884495

Author: denisebmsft

ATPDocs/identity-inventory.md

@@ -0,0 +1,133 @@
+---
+# Required metadata
+# For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main
+# For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main
+
+title: Identity inventory
+description: The Identity Inventory provides a centralized location for customers to view and manage identity information across their environment, ensuring optimal visibility and a comprehensive experience. The updated Identities Inventory page, located under Assets in Defender XDR portal
+author:      LiorShapiraa # GitHub alias
+ms.author: liorshapira
+ms.service: microsoft-defender-for-identity
+ms.topic: article
+ms.date:     03/13/2025
+---
+
+# Identity inventory
+
+__Applies to:__
+
+- [Microsoft Defender for Identity](https://aka.ms/aatp/docs)
+
+- [Microsoft Defender for Cloud Apps](/defender-cloud-apps/)
+
+- [Microsoft Defender XDR](/defender-xdr)
+
+The __Identity inventory__ provides a centralized view of all identities in your organization, enabling you to monitor and manage them efficiently. At a glance, you can see key details such as Domain, Tags, Type, and other attributes, helping you quickly identify and manage identities that require attention.
+
+The Identities inventory page includes the following tabs:
+
+- **Identities**: A consolidated view of identities across Active Directory, Entra ID. This Identities tab highlights key details, including identity types, and user's information.
+
+- **Cloud application accounts:** Displays a list of cloud application accounts, including those from application connectors and third-party sources (original available in the previous version based on Microsoft Defender for Cloud Apps). Learn more about [Cloud application accounts from connected apps.](/defender-cloud-apps/accounts) 
+
+There are several options you can choose from to customize the identities list view. On the top navigation you can:
+
+- Add or remove columns.
+
+- Apply filters.
+
+- Search for an identity by name or full UPN, Sid and Object ID. 
+
+- Export the list to a CSV file.
+
+- Copy list link with the included filters configured. 
+
+## ![A screenshot of identity inventory page.](media/identity-inventory/inventory11.png)  
+
+### Identity details 
+
+The **Identities** list offers a consolidated view of identities across Active Directory and Entra ID. It highlights key details, including the following columns by default:
+
+- __Display name__ – The full name of the identity as shown in the directory.
+
+- __SID__ – The Security Identifier, a unique value used to identify the identity in Active Directory.
+
+- __Domain__ – The Active Directory domain to which the identity belongs.
+
+- __Object ID__ – A unique identifier for the identity in Entra ID.
+
+- __Source__ – Indicates whether the identity is on-premises (originate from Active Directory), Cloud only (Entra ID) or Hybrid (synced from AD to Entra ID).
+
+- __Type__ – Specifies if the identity is a user account or service account.
+
+- __UPN (User Principal Name)__ – The unique login name of the identity in an email-like format.
+
+- __Tags__ – Custom labels that help categorize or classify identities: Sensitive and Honeytoken.
+
+- __Created time__ – The timestamp when the identity was first created.
+
+- __Criticality level__ – Indicates the critical level of the identity.
+
+- __Account status__ – Shows whether the identity is enabled or disabled.
+
+- __Last updated__ – The timestamp of the most recent update to the identity's attributes in Active Directory.
+
+Non-default columns: Email and Entra ID risk level.  
+
+> [!TIP]
+> To see all columns, you likely need to do one or more of the following steps:
+> - Horizontally scroll in your web browser.
+> - Narrow the width of appropriate columns.
+> - Zoom out in your web browser.
+
+### Sort and filter the Identities list
+
+You can apply the following filters to limit the list of identities and get a more focused view:
+
+- Domain
+
+- Type
+
+- Source
+
+- Tags
+
+- Criticality level
+
+- Account status
+
+Sort option applies to Display name, Domain and Created time columns.
+
+### Identity inventory insights 
+
+- The __Classify critical assets__ card allows you to define identity groups as business critical. For more information, see [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management). 
+
+- **Highly privileged identities** card helps you investigate in Advanced hunting all sensitive accounts in your organization, including Entra ID security administrators and Global admin users.
+
+- **Critical Active Directory service accounts** card helps you quickly identify all Active Directory accounts designated as critical, making it easier to focus on identities most at risk.
+
+At the top of each device inventory tab, the following device counts are available:
+
+- __Total__: The total number of identities. 
+
+- __Critical:__ The number of your critical assets. 
+
+- **Disabled:** The number of all disabled identities in your organization. 
+
+- **Services:** The number of all service accounts both on-premises and cloud.
+
+You can use this information to help you prioritize devices for security posture improvements.
+
+### Navigate to the Identity inventory page
+
+Use relative links instead of absolute links. 
+In the Defender XDR portal at [https://security.microsoft.com](https://security.microsoft.com), go to Assets > Identities. Or, to navigate directly to the [identity inventory](/defender-for-identity/identity-inventory) page.
+
+### Related Articles
+
+- [Investigate cloud application accounts](/defender-cloud-apps/accounts)
+
+- [Investigate users in Microsoft Defender XDR](/defender-xdr/investigate-users) 
+
+- [Investigate assets in Microsoft Defender for Identity](/defender-for-identity/investigate-assets)
+

ATPDocs/media/identity-inventory/inventory.png

@@ -124,6 +124,8 @@ items:
   items:
   - name: Assets
     items:
+    - name: Identity inventory
+      href: identity-inventory.md
     - name: Investigate assets
       href: investigate-assets.md
   - name: Lateral movement paths

ATPDocs/media/identity-inventory/inventory11.png

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: ewalsh
 author: emmwalshh
 ms.localizationpriority: medium
-ms.date: 02/19/2025
+ms.date: 03/13/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -44,14 +44,29 @@ The Device Health report provides information about the devices in your organiza
 
 In the Microsoft Defender portal, in the navigation pane, select **Reports**, and then open **Device health and compliance**. The [**Microsoft Defender Antivirus health** tab](#microsoft-defender-antivirus-health-tab) has eight cards that report on the following aspects of Microsoft Defender Antivirus:
 
-- [Antivirus mode card](#antivirus-mode-card)
-- [Antivirus engine version card](#antivirus-engine-version-card)
-- [Antivirus security intelligence version card](#antivirus-security-intelligence-version-card)
-- [Antivirus platform version card](#antivirus-platform-version-card)
-- [Recent antivirus scan results card](#recent-antivirus-scan-results-card)
-- [Antivirus engine updates card](#antivirus-engine-updates-card)
-- [Security intelligence updates card](#security-intelligence-updates-card)
-- [Antivirus platform updates card](#antivirus-platform-updates-card)
+- [Device health, Microsoft Defender Antivirus health report](#device-health-microsoft-defender-antivirus-health-report)
+  - [View device health cards](#view-device-health-cards)
+  - [Report access permissions](#report-access-permissions)
+  - [Microsoft Defender Antivirus health tab](#microsoft-defender-antivirus-health-tab)
+    - [Prerequisites](#prerequisites)
+    - [Card functionality](#card-functionality)
+      - [New Microsoft Defender Antivirus filter definitions](#new-microsoft-defender-antivirus-filter-definitions)
+      - [Export report](#export-report)
+        - [Top level export](#top-level-export)
+    - [Microsoft Defender Antivirus version and update cards functionality](#microsoft-defender-antivirus-version-and-update-cards-functionality)
+      - [Full report](#full-report)
+    - [Card descriptions](#card-descriptions)
+      - [Antivirus mode card](#antivirus-mode-card)
+      - [Recent antivirus scan results card](#recent-antivirus-scan-results-card)
+      - [Antivirus engine version card](#antivirus-engine-version-card)
+      - [Antivirus security intelligence version card](#antivirus-security-intelligence-version-card)
+        - [Antivirus platform version card](#antivirus-platform-version-card)
+      - [Up-to-date cards](#up-to-date-cards)
+        - [Up-to-date definitions](#up-to-date-definitions)
+        - [Antivirus engine updates card](#antivirus-engine-updates-card)
+      - [Antivirus platform updates card](#antivirus-platform-updates-card)
+        - [Security intelligence updates card](#security-intelligence-updates-card)
+  - [See also](#see-also)
 
 ## Report access permissions
 
@@ -108,14 +123,16 @@ For the three `updates` cards (also known as up-to-date reporting cards), "**No
 
 Up-to-date reporting generates information for devices that meet the following criteria:
 
-- Engine version: 1.1.19300.2+
-- Platform version: 4.18.2202.1+
-- Cloud protection enabled
-- Sense (MsSense.exe): **10.8210.** \*+
-- Windows OS - Windows 10 1809 or later
+* **Windows:**
+  * OS - Windows 10 1809 or later  
+  * Engine version: 1.1.19300.2+  
+  * Platform version: 4.8.2202.1+  
+  * Sense (MsSense.exe): 10.8210.*+  
+
+* **Linux and Mac:**
+  * Platform version: 101.23112.*+  
 
-  > [!NOTE]
-  > \* Currently up to date reporting is only available for Windows and Linux devices. Mac devices are listed under “no such data available or unknown".
+* **Cloud Protection enabled**
 
 :::image type="content" source="media/device-health-defender-antivirus-health-tab.png" alt-text="Shows the Microsoft Defender Antivirus Health tab." lightbox="media/device-health-defender-antivirus-health-tab.png":::
 

ATPDocs/toc.yml

@@ -10,17 +10,17 @@ ms.localizationpriority: medium
 ms.collection:
   - m365-security
   - tier2
-description: Admins can learn about the addition of Microsoft Teams in delivering simulated phishing attacks in Attack simulation training in Microsoft Defender for Office 365 Plan 2.
+description: Admins can learn about the addition in Microsoft Defender for Office 365 Plan 2 of delivering simulated phishing attacks in Attack simulation training to Microsoft Teams.
 search.appverid: met150
-ms.date: 3/15/2024
+ms.date: 3/13/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
 ---
 
 # Microsoft Teams in Attack simulation training
 
 > [!IMPORTANT]
-> Microsoft Teams' Attack simulation training is currently in Private Preview, and the intake for this preview is now closed. The information in this article is subject to change.
+> Microsoft Teams' Attack simulation training is currently in Private Preview. The information in this article is subject to change.
 
 In organizations with Microsoft Defender for Office 365 Plan 2 or Microsoft Defender XDR, admins can now use Attack simulation training to deliver simulated phishing messages in Microsoft Teams. For more information about attack simulation training, see [Get started using Attack simulation training in Defender for Office 365](attack-simulation-training-get-started.md).
 
@@ -41,10 +41,10 @@ The addition of Teams in Attack simulation training affects the following featur
 
 In addition to having user reporting for Teams messages turned on as described in [User reported message settings in Microsoft Teams](submissions-teams.md), you also need to configure the Teams accounts that can be used as sources for simulation messages in Attack simulation training. To configure the accounts, do the following steps:
 
-1. Identify or create a user who's a member of the [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator)<sup>\*</sup>, [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator), or [Attack Simulation Administrator](/entra/identity/role-based-access-control/permissions-reference#attack-simulation-administrator) roles in Microsoft Entra ID. Assign a Microsoft 365, Office 365, Microsoft Teams Essentials, Microsoft 365 Business Basic, or a Microsoft 365 Business Standard license for [Microsoft Teams](/office365/servicedescriptions/teams-service-description). You need to know the password.
+1. Identify or create a user who's a member of the [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator), [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator), or [Attack Simulation Administrator](/entra/identity/role-based-access-control/permissions-reference#attack-simulation-administrator) roles in Microsoft Entra ID. Assign a Microsoft 365, Office 365, Microsoft Teams Essentials, Microsoft 365 Business Basic, or a Microsoft 365 Business Standard license for [Microsoft Teams](/office365/servicedescriptions/teams-service-description). You need to know the password.
 
     > [!IMPORTANT]
-    > <sup>\*</sup> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+    > Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 2. Using the account from Step 1, open the Microsoft Defender portal at <https://security.microsoft.com> and go to **Email & collaboration** \> **Attack simulation training** \> **Settings** tab. Or, to go directly to the **Settings** tab, use <https://security.microsoft.com/attacksimulator?viewid=setting>.
 3. On the **Settings** tab, select **Manager user accounts** in the **Teams simulation configuration** section.
@@ -93,7 +93,7 @@ Whether you create a payload on the **Payloads** page of the **Content library**
 
 - If you select :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: **Create a payload** on the **Tenant payload** tab to create a payload, the first page of the new payload wizard is **Select type** where you can select **Teams**. Selecting **Teams** introduces the following changes to the rest of the new payload wizard:
 
-  - On the **[Select technique](attack-simulation-training-payloads.md#create-payloads)** page, the **Malware Attachment** and **Link in Attachment** social engineering techniques aren't available for Teams.
+  - On the **[Select technique](attack-simulation-training-payloads.md#create-payloads)** page, the **Malware Attachment**, **Link in Attachment**, and **How-to Guide** techniques aren't available for Teams.
 
   - The **Configure payload** page has the following changes for Teams:
     - **Sender details** section: The only available setting for Teams is **Chat topic** where you enter a tile for the Teams message.

defender-endpoint/device-health-microsoft-defender-antivirus-health.md

@@ -16,7 +16,7 @@ ms.collection:
 ms.custom:
 description: "Admins can configure whether users can report malicious message in Microsoft Teams."
 ms.service: defender-office-365
-ms.date: 3/19/2024
+ms.date: 03/13/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
   - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
@@ -28,7 +28,7 @@ appliesto:
 
 In organizations with Microsoft Defender for Office 365 Plan 2 or Microsoft Defender XDR, admins can decide whether users can report malicious messages in Microsoft Teams. Admins can also get visibility into the Teams messages that users are reporting.
 
-Users can report messages in Teams from **internal** chats, channels and meeting conversations. Users can only report messages as malicious.
+Users can report messages in Teams from chats, standard channels and meeting conversations. Users can only report messages as malicious.
 
 > [!NOTE]
 > User reporting of messages in Teams is not supported in U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD).
@@ -48,7 +48,7 @@ User reporting of messages in Teams is made of two separate settings:
 To view or configure this setting, you need to be a member of the **Global Administrator**<sup>\*</sup> or **Teams Administrator** roles. For more information about permissions in Teams, see [Use Microsoft Teams administrator roles to manage Teams](/microsoftteams/using-admin-roles).
 
 > [!IMPORTANT]
-> <sup>\*</sup> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 1. In the Teams admin center at <https://admin.teams.microsoft.com>, go to **Messaging policies**. Or, to go directly to the **Messaging policies** page, use <https://admin.teams.microsoft.com/policies/messaging>.