MicrosoftDocs
diff --git a/‎ATPDocs/security-assessment-unsecure-account-attributes.md‎
Lines changed: 2 additions & 1 deletion b/‎ATPDocs/security-assessment-unsecure-account-attributes.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎ATPDocs/unmonitored-active-directory-certificate-services-server.md‎
Lines changed: 2 additions & 2 deletions b/‎ATPDocs/unmonitored-active-directory-certificate-services-server.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎ATPDocs/unmonitored-active-directory-federation-services-servers.md‎
Lines changed: 1 addition & 2 deletions b/‎ATPDocs/unmonitored-active-directory-federation-services-servers.md‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎ATPDocs/unmonitored-entra-connect-servers.md‎
Lines changed: 1 addition & 1 deletion b/‎ATPDocs/unmonitored-entra-connect-servers.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CloudAppSecurityDocs/access-policy-aad.md‎
Lines changed: 1 addition & 0 deletions b/‎CloudAppSecurityDocs/access-policy-aad.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎CloudAppSecurityDocs/accounts.md‎
Lines changed: 1 addition & 0 deletions b/‎CloudAppSecurityDocs/accounts.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎CloudAppSecurityDocs/activity-filters.md‎
Lines changed: 4 additions & 3 deletions b/‎CloudAppSecurityDocs/activity-filters.md‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎CloudAppSecurityDocs/admin-settings.md‎
Lines changed: 1 addition & 0 deletions b/‎CloudAppSecurityDocs/admin-settings.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎CloudAppSecurityDocs/anomaly-detection-policy.md‎
Lines changed: 1 addition & 0 deletions b/‎CloudAppSecurityDocs/anomaly-detection-policy.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎CloudAppSecurityDocs/api-activities-investigate-script.md‎
Lines changed: 4 additions & 3 deletions b/‎CloudAppSecurityDocs/api-activities-investigate-script.md‎
Lines changed: 4 additions & 3 deletions
@@ -40,8 +40,9 @@ Use the remediation appropriate to the relevant attribute as described in the fo
 | Enable Kerberos AES encryption support | Enable AES features on the account properties in AD | Enabling AES128_CTS_HMAC_SHA1_96 or AES256_CTS_HMAC_SHA1_96 on the account helps prevent the use of weaker encryption ciphers for Kerberos authentication. |
 | Remove Use Kerberos DES encryption types for this account | Remove this setting from account properties in AD | Removing this setting enables the use of stronger encryption algorithms for the account's password. |
 | Remove a Service Principal Name (SPN) | Remove this setting from account properties in AD | When a user account is configured with an SPN set, it means that the account has been associated with one or more SPNs. This typically occurs when a service is installed or registered to run under a specific user account, and the SPN is created to uniquely identify the service workspace for Kerberos authentication. This recommendation only showed for sensitive accounts. |
+|Reset password as SmartcardRequired setting was removed|Reset the account password|Changing the account's password after the SmartcardRequired UAC flag was removed ensures it was set under current security policies. This helps prevent potential exposure from passwords created when smartcard enforcement was still active.|
 
-Use the **UserAccountControl** flag to manipulate user account profiles. For more information, see:
+Use the **UserAccountControl** (UAC) flag to manipulate user account profiles. For more information, see:
 
 - [Windows Server troubleshooting](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties) documentation.
 - [User Properties - Account Section](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd861342(v=ws.11))
 
@@ -19,7 +19,7 @@ This article describes the security posture assessment report for unmonitored Ac
 Unmonitored Active Directory Certificate Services (AD CS) servers pose a significant risk to your organization’s identity infrastructure. AD CS, the backbone of certificate issuance and trust, is a high-value target for attackers aiming to escalate privileges or forge credentials. Without proper monitoring, attackers can exploit these servers to issue unauthorized certificates, enabling stealthy lateral movement and persistent access. Deploy Microsoft Defender for Identity version 2.0 sensors on all AD CS servers to mitigate this risk. These sensors provide real-time visibility into suspicious activity, detect advanced threats, and generate actionable alerts based on security events and network behavior.
 
 > [!NOTE]
->  This security assessment is available only if Microsoft Defender for Endpoint detects an eligible AD CS server in the environment.
+> This security assessment is only available if Microsoft Defender for Endpoint detects eligible ADCS servers in the environment. In some cases, servers running ADCS might not be identified with the required role and therefore will not appear in this assessment, even if they exist in the environment.
 
 ## How do I use this security assessment?
 
@@ -35,4 +35,4 @@ Unmonitored Active Directory Certificate Services (AD CS) servers pose a signifi
 
 ## Next steps
 
-Learn more about [Microsoft Secure Score](/defender-xdr/microsoft-secure-score).
+Learn more about [Microsoft Secure Score](/defender-xdr/microsoft-secure-score).
@@ -18,8 +18,7 @@ This article describes the Microsoft Defender for Identity's unmonitored Active
 Unmonitored Active Directory Federation Services (ADFS) servers are a significant security risk to organizations. ADFS controls access to both cloud and on-premises resources as the gateway for federated authentication and single sign-on. If attackers compromise an ADFS server, they can issue forged tokens and impersonate any user, including privileged accounts. Such attacks might bypass multi-factor authentication (MFA), conditional access, and other downstream security controls, making them particularly dangerous. Without proper monitoring, suspicious activity on ADFS servers might go undetected for extended periods. Deploying Microsoft Defender for Identity version 2.0 sensors on ADFS servers is essential. These sensors enable real-time detection of suspicious behavior and help prevent token forgery, abuse of trust relationships, and stealthy lateral movement within the environment.
 
 > [!NOTE]
-> This security assessment is only available if Microsoft Defender for Endpoint detects an eligible ADFS server in the environment.
-
+> This security assessment is only available if Microsoft Defender for Endpoint detects eligible ADFS servers in the environment. In some cases, servers running ADFS might not be identified with the required role and therefore will not appear in this assessment, even if they exist in the environment.
 
 ## How do I use this security assessment?
 
 
@@ -23,7 +23,7 @@ If an attacker compromises a Microsoft Entra Connect server, they can inject sha
 These servers operate at the intersection of on-premises and cloud identity, making them a prime target for privilege escalation and stealthy persistence. Without monitoring, such attacks can go undetected. Deploying Microsoft Defender for Identity version 2.0 sensors on Microsoft Entra Connect servers is critical. These sensors help detect suspicious activity in real time, protect the integrity of your hybrid identity bridge, and prevent full-domain compromise from a single point of failure.
 
 > [!NOTE]
-> This security assessment is only available if Microsoft Defender for Endpoint detects eligible Microsoft Entra Connect servers in the environment.
+> This security assessment is only available if Microsoft Defender for Endpoint detects eligible Microsoft Entra Connect servers in the environment. In some cases, servers running Entra Connect might not be identified with the required role and therefore will not appear in this assessment, even if they exist in the environment.
 
 ## How do I use this security assessment? 
 
 
@@ -3,6 +3,7 @@ title: Create access policies | Microsoft Defender for Cloud Apps
 description: Learn how to configure Microsoft Defender for Cloud Apps access policies with Conditional Access app control to control access to cloud apps.
 ms.date: 05/15/2024
 ms.topic: how-to
+ms.reviewer: AmitMishaeli
 ---
 # Create Microsoft Defender for Cloud Apps access policies
 
 
@@ -3,6 +3,7 @@ title: Investigate accounts from connected apps | Microsoft Defender for Cloud A
 description: This article provides information about reviewing accounts from your connected apps.
 ms.date: 01/29/2023
 ms.topic: how-to
+ms.reviewer: gayasalomon
 ---
 # Cloud Application Accounts
 
 
@@ -3,6 +3,7 @@ title: Investigate activities
 description: This article provides a list of activities, filters, and match parameters that can be applied to activity policies.
 ms.date: 06/24/2025
 ms.topic: how-to
+ms.reviewer: gayasalomon
 ---
 
 # Investigate activities
@@ -15,7 +16,7 @@ Microsoft Defender for Cloud Apps gives you visibility into all the activities f
 >
 > Microsoft Defender for Cloud Apps displays these activity names and types exactly as received and doesn't define or modify them. To understand the meaning of an activity, refer to the relevant third‑party API documentation.
 
-The action types for events and activities are determined by the source service, whether it is a first-party or third-party service. Microsoft Defender for Cloud Apps (MDA) supports a wide range of action types and is not restricted to specific ones.
+The action types for events and activities are determined by the source service, whether it's a first-party or third-party service. Microsoft Defender for Cloud Apps (MDA) supports a wide range of action types and isn't restricted to specific ones.
 For a full list of Microsoft 365 activities monitored by Defender for Cloud Apps, see [Search the audit log in the Microsoft Purview portal](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance#audited-activities).
 
 
@@ -93,7 +94,7 @@ Selecting it opens the Activity drawer **User** tab provides the following insig
     - **ISPs**: The number of ISPs the user connected from in the past 30 days.
     - **IP addresses**: The number of IP addresses the user connected from in the past 30 days.
 
-:::image type="content" source="media/user-insights.png" alt-text="Screenshot that shows user insights, user activities and frequent alert locations for Defender for Cloud apps." lightbox="media/user-insights.png":::
+:::image type="content" source="media/user-insights.png" alt-text="Screenshot that shows user insights, user activities, and frequent alert locations for Defender for Cloud apps." lightbox="media/user-insights.png":::
 
 
 #### IP address insights
@@ -122,7 +123,7 @@ To view IP address insights:
         - Set as a VPN IP address and add to allowlist
         - Set as a Risky IP and add to blocklist
 
-:::image type="content" source="media/activity-filters/ip-address-insights.png" alt-text="Screenshot that shows Ip address activities over the last 30 days." lightbox="media/activity-filters/ip-address-insights.png":::
+:::image type="content" source="media/activity-filters/ip-address-insights.png" alt-text="Screenshot that shows IP address activities over the last 30 days." lightbox="media/activity-filters/ip-address-insights.png":::
 
 
 > [!NOTE]
 
@@ -3,6 +3,7 @@ title: Configure admin notifications
 description: This article provides instructions for setting admin preferences in Defender for Cloud Apps.
 ms.date: 01/29/2023
 ms.topic: how-to
+ms.reviewer: Naama-Goldbart 
 ---
 # Configure admin notifications
 
 
@@ -3,6 +3,7 @@ title: Create anomaly detection policies | Microsoft Defender for Cloud Apps
 description: This article provides a description of Anomaly detection policies and provides reference information about the building blocks of an anomaly detection policy.
 ms.date: 03/01/2023
 ms.topic: how-to
+ms.reviewer: Ronen-Refaeli
 ---
 
 # Create Defender for Cloud Apps anomaly detection policies
 
@@ -3,6 +3,7 @@ title: Investigate activities using the API
 description: This article provides information on how to use the API to investigate user activity in Defender for Cloud Apps.
 ms.date: 01/29/2023
 ms.topic: how-to
+ms.reviewer: Naama-Goldbart
 ---
 # Investigate activities using the API
 
@@ -18,7 +19,7 @@ The activities API mode is optimized for scanning and retrieval of large quantit
 ## To use the activity scan script
 
 1. Run the query on your data.
-1. If there are more records than could be listed in a single scan, you will get a return command with `nextQueryFilters` that you should run. You will get this command each time you scan until the query has returned all the results.
+1. If there are more records than could be listed in a single scan, you'll get a return command with `nextQueryFilters` that you should run. You'll get this command each time you scan until the query has returned all the results.
 
 ## Request body parameters
 
@@ -32,9 +33,9 @@ The activities API mode is optimized for scanning and retrieval of large quantit
 
 ## Response parameters
 
-- "data": the returned data. Will contain up to "limit" number of records each iteration. If there are more records to be pulled (hasNext=true), the last few records will be dropped to ensure that all data is listed only once.
+- "data": the returned data. Will contain up to "limit" number of records each iteration. If there are more records to be pulled (hasNext=true), the last few records are dropped to ensure that all data is listed only once.
 - "hasNext": Boolean. Denotes whether another iteration on the data is needed.
-- "nextQueryFilters": If another iteration is needed, it contains the consecutive JSON query to be run. Use this as the "filters" parameter in the next request. Note that if the "hasNext" parameter is set to False, this parameter will be missing since you've iterated over all of the data.
+- "nextQueryFilters": If another iteration is needed, it contains the consecutive JSON query to be run. Use this as the "filters" parameter in the next request. If the "hasNext" parameter is set to False, this parameter will be missing since you've iterated over all of the data.
 
 The following Python example gets all the activities from the past day from Exchange Online.