Merge branch 'main' into patch-11

Author: padmagit77

ATPDocs/whats-new.md

@@ -25,6 +25,14 @@ For updates about versions and features released six months ago or earlier, see
 
 ## August 2025
 
+### Microsoft Entra ID risk level is now available in near real time in Microsoft Defender for Identity (Preview)
+
+Entra ID risk level is now available on the Identity Inventory assets page, the identity details page, and in the IdentityInfo table in Advanced Hunting, and includes the Entra ID risk score. SOC analysts can use this data to correlate risky users with sensitive or highly privileged users, create custom detections based on current or historical user risk, and improve investigation context.
+
+Previously, Defender for Identity tenants received Entra ID risk level in the IdentityInfo table through user and entity behavior analytics (UEBA). With this update, the Entra ID risk level is now updated in near real time through Microsoft Defender for Identity.
+
+For UEBA tenants without a Microsoft Defender for Identity license, synchronization of Entra ID risk level to the IdentityInfo table remains unchanged.
+
 
 ### New security assessment: Remove inactive service accounts (Preview)
 

CloudAppSecurityDocs/attest-your-app.md

@@ -9,7 +9,7 @@ ms.topic: article
 
 Microsoft Defender for Cloud Apps enables you to attest your app, so that you make sure that the compliance and security details we use to rate your app in our cloud app catalog are up to date.
 
-Whether your app is already listed in the cloud app catalog, or it's new, submit a [self-attestation questionnaire](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR4CRHM-U7CtKpJma_QJAnSlUMEpLQzBaQ1hWNDMxUEhRNFI3Q0FZUkdWRC4u). For details on the self-attestation process, contact casfeedback@microsoft.com.
+Whether your app is already listed in the cloud app catalog, or it's new, submit a [self-attestation questionnaire](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR4CRHM-U7CtKpJma_QJAnSlUMEpLQzBaQ1hWNDMxUEhRNFI3Q0FZUkdWRC4u). For details on the self-attestation process, contact mscac@microsoft.com.
 
 Follow the service attributes described below to successfully complete the submission of the questionnaire:
 
@@ -21,7 +21,7 @@ Follow the service attributes described below to successfully complete the submi
 | Headquarters | General | Country code | Close list - provided in questionnaire | The country/region of the provider's headquarters.|
 | Data center| General | Country code array* | Close list - provided in questionnaire (Multi selection) | The country/region in which your data center resides (can be multiple locations) |
 | Hosting company | General | String | Free text | The name of the company that provides server hosting for the app. |
-| Founded | General | Integer | YYYY (no later than 2019) | The year in which the provider was founded. |
+| Founded | General | Integer | YYYY (no later than 2025) | The year in which the provider was founded. |
 | Holding | General | String | Private, Public | Displays whether the provider is a publicly or privately held company |
 | App domain | General | URL array* | Free text | The list of specific domains that are used to interact with the service. For example, 'teams.microsoft.com' for Microsoft Teams and not the generic domain 'microsoft.com'. |
 | Terms of service | General | URL | Free text | Does this app provide a set of regulations that users must agree to follow in order to use the app? |
@@ -31,7 +31,7 @@ Follow the service attributes described below to successfully complete the submi
 | Data types | General | String | Close list - provided in questionnaire | Which data types can be uploaded by the user to the app?|
 | Homepage | General | URL | Free text | The provider's home page URL. |
 | Disaster recovery plan | General | Boolean | True, False | Does this app have a disaster recovery plan that includes a backup and restore strategy? |
-| Latest breach | Security | Date | MMM-dd-YYYY | Most recent incident in which sensitive, protected, or confidential data owned by the app was viewed, stolen, or used by an individual unauthorized to do so. |
+| Latest breach | Security | Date | MM-dd-YYYY | Most recent incident in which sensitive, protected, or confidential data owned by the app was viewed, stolen, or used by an individual unauthorized to do so. |
 | Data-at-rest encryption method | Security | String | Close list - provided in questionnaire | The type of encryption of data-at-rest performed on the app. |
 | Multifactor authentication | Security | Boolean | True, False | Does this app support multifactor authentication solutions? |
 | IP address restriction | Security | Boolean | True, False | Does this app support restriction of specific IP addresses by the app? |
@@ -40,7 +40,7 @@ Follow the service attributes described below to successfully complete the submi
 | Data audit trail | Security | Boolean | True, False | Does this app support availability of a data audit trail in the app? |
 | User can upload data | Security | Boolean | True, False | Does this app support user uploaded data? |
 | Data classification | Security | Boolean | True, False | Does this app enable the option for classification of the data uploaded to the app? |
-| Remember password | Security | Boolean | True, False | Does this app enable the option for remembering and saving user passwords in the app? |
+| Remember password | Security | Boolean | True, False, N/A | Does this app enable the option for remembering and saving user passwords in the app? |
 | User-roles support | Security | Boolean | True, False | Does this app support distribution of users by roles and levels of permission? |
 | File sharing | Security | Boolean | True, False | Does this app include features that allow file sharing between users? |
 | Supports SAML | Security | Boolean | True, False | Does this app support the SAML standard for exchanging authentication and authorization data? |
@@ -61,12 +61,12 @@ Follow the service attributes described below to successfully complete the submi
 | ISO 27001 | Compliance | Boolean | True, False | Is this app ISO 27001 certified, a certificate given to companies upholding internationally recognized guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization? |
 | ITAR | Compliance | Boolean | True, False, N/A | Does this app comply with ITAR, regulations controlling the export and import of defense-related articles and services found on the US Munitions List? |
 | SOC 1 | Compliance | Boolean | True, False, N/A | Does this app comply with SOC 1, reporting on controls at a service organization which are relevant to user entities' internal control over financial reporting? |
-| SOC 2 | Compliance | Boolean | True, False | Does this app comply with SOC 2, reporting on non-financial processing based on one or more of the Trust service criteria on security, privacy, availability, confidentiality, and processing integrity? |
-| SOC 3 | Compliance | Boolean | True, False | Does this app comply with SOC 3, reporting based on the Trust service criteria, that may be distributed freely and only contain management's assertion that they have met the requirements of the chosen criteria? |
+| SOC 2 | Compliance | Boolean |  True, False, N/A | Does this app comply with SOC 2, reporting on non-financial processing based on one or more of the Trust service criteria on security, privacy, availability, confidentiality, and processing integrity? |
+| SOC 3 | Compliance | Boolean | True, False, N/A | Does this app comply with SOC 3, reporting based on the Trust service criteria, that may be distributed freely and only contain management's assertion that they have met the requirements of the chosen criteria? |
 | SOX | Compliance | Boolean | True, False, N/A | Does this app comply with SOX, US legislation aimed at protecting shareholders and the general public from accounting errors and frauds, as well as improving the accuracy of corporate disclosures? |
 | SP 800-53 | Compliance | Boolean | True, False | Does this app comply with SP80053, recommended security controls for federal information systems and organizations? |
 | SSAE 16 | Compliance | Boolean | True, False, N/A | Does this app comply with the SSAE 16 standard for auditing a service organization's internal compliance controls and reporting processes? |
-| PCI DSS version | Compliance | String | 1, 2, 3, 3.1, 3.2, N/A | The version of the PCI-DSS protocol supported by this app. |
+| PCI DSS version | Compliance | String | 4.0, 3.2.1, N/A | The version of the PCI-DSS protocol supported by this app. |
 | ISO 27018 | Compliance | Boolean | True, False, N/A | Does this app comply with ISO 27018, which establishes commonly accepted controls and guidelines for processing and protecting Personally Identifiable Information (PII) in a public cloud computing environment? |
 | GLBA | Compliance | Boolean | True, False, N/A | Does this app comply with the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to establish standards for protecting the security and confidentiality of customers' personal information? |
 | FedRAMP level | Compliance | String | High, Moderate, Low, Li-SaaS | The level of the FedRAMP-compliant solution provided by this app. |
@@ -76,14 +76,14 @@ Follow the service attributes described below to successfully complete the submi
 | COBIT | Compliance | Boolean | True, False | Does this app comply with COBIT, which sets best practices for the governance and control of information systems and technology, and aligns IT with business principles? |
 | COPPA | Compliance | Boolean | True, False, N/A | Does this app comply with COPPA, which defines requirements on website and online services operators that provide content to children under 13 years of age? |
 | FERPA | Compliance | Boolean | True, False, N/A | Does this app comply with FERPA, a federal law that protects the privacy of student education records? |
-| GAPP | Compliance | Boolean | True, False, N/A | Does this app comply with GAPP, a collection of commonly followed rules that address privacy risks in an organization? |
+| GAPP | Compliance | Boolean | True, False| Does this app comply with GAPP, a collection of commonly followed rules that address privacy risks in an organization? |
 | HITRUST CSF | Compliance | Boolean | True, False, N/A | Does this app comply with HITRUST CSF, a set of controls that harmonizes the requirements of information security regulations and standards? |
-| Jericho Forum Commandments | Compliance | Boolean | True, False | Does this app follow Jericho Forum Commandments, a set if principles to be observed when architecting systems for secure operation in de-perimeterized environments? |
-| ISO 27002 | Compliance | Boolean | True, False, N/A | Does this app comply with ISO 27002, which establishes common guidelines for organizational information security standards and information security management practices? |
+| Jericho Forum Commandments | Compliance | Boolean | True, False | Does this app follow Jericho Forum Commandments, a set of principles to be observed when architecting systems for secure operation in de-perimeterized environments? |
+| ISO 27002 | Compliance | Boolean | True, False| Does this app comply with ISO 27002, which establishes common guidelines for organizational information security standards and information security management practices? |
 | FFIEC | Compliance | Boolean | True, False, N/A | Does this app comply with the Federal Financial Institutions Examination Council's guidance on the risk management controls necessary to authenticate services in an Internet banking environment? |
-| Data ownership | Legal | Boolean | True, False | Does this app fully preserve the user's ownership of uploaded data? |
-| DMCA | Legal | Boolean | True, False | Does this app comply with the Digital Millennium Copyright Act (DMCA), which criminalizes any attempt to unlawfully access copyrighted material? |
-| Data retention policy | Legal | Boolean | True, False | What is the app's policy for user data retention after account termination? |
+| Data ownership | Legal | Boolean | True, False, N/A | Does this app fully preserve the user's ownership of uploaded data? |
+| DMCA | Legal | Boolean | True, False, N/A | Does this app comply with the Digital Millennium Copyright Act (DMCA), which criminalizes any attempt to unlawfully access copyrighted material? |
+| Data retention policy | Legal | String | Deleted immediately, Within 2 weeks, Within 1 month, Within 3 months, Within more than 3 months, Retained| What is the app's policy for user data retention after account termination? |
 | GDPR readiness statement | Legal | URL | Free text | A link to your website, when relevant, relating how this provider plans to handle GDPR compliance. |
 | GDPR - Right to erasure | Legal | Boolean | True, False, N/A | Does this app stop processing and delete an individual's personal data upon request? |
 | GDPR - Report data breaches | Legal | Boolean | True, False, N/A | Does this app report data breaches to supervisory authorities and individuals affected by the breach, within 72 hours of breach detection? |

CloudAppSecurityDocs/discovered-apps.md

@@ -111,6 +111,7 @@ The best way to get an overview of Shadow IT use across your organization is by
 
 > [!NOTE]
 > The executive summary report is revamped to a six-pager report with a goal to provide a clear, concise & actionable overview while preserving the depth and integrity of the original analysis.
+> Starting September 1, 2025, the Cloud Discovery Alerts data point will no longer be included in the Executive Summary Report.
 
 ## Exclude entities
 

CloudAppSecurityDocs/protect-office-365.md

@@ -162,7 +162,8 @@ This section provides instructions for connecting Microsoft Defender for Cloud A
     SaaS Security Posture Management (SSPM) data is shown in the Microsoft Defender Portal on the **Secure Score** page. For more information, see [Security posture management for SaaS apps](/defender-cloud-apps/security-saas).
 
     > [!NOTE]
-    > After connecting Microsoft 365, you see data from the past week, including any third-party applications connected to Microsoft 365 that are pulling APIs. For third-party apps that aren't pulling APIs before connection, you see events starting from when you connect Microsoft 365 because Defender for Cloud Apps turns on any APIs that are off by default.
+    > - After connecting Microsoft 365, you see data from the past week, including any third-party applications connected to Microsoft 365 that are pulling APIs. For third-party apps that aren't pulling APIs before connection, you see events starting from when you connect Microsoft 365 because Defender for Cloud Apps turns on any APIs that are off by default.
+    > - Files and folders that are publicly shared (shared with ‘anyone’) in SharePoint or OneDrive may incorrectly show up as private.
 
     If you have any problems connecting the app, see [Troubleshooting App Connectors](troubleshooting-api-connectors-using-error-messages.md).
 

CloudAppSecurityDocs/use-case-admin-quarantine.md

@@ -1,8 +1,9 @@
 ---
 title: Protect files with admin quarantine
 description: This tutorial describes the scenario for using admin quarantine to control data breaches.
-ms.date: 02/16/2023
+ms.date: 08/20/2025
 ms.topic: tutorial
+ms.reviewer: drormikdash
 ---
 
 # Tutorial: Protect files with admin quarantine
@@ -23,19 +24,13 @@ In this tutorial, you'll learn how to use Microsoft Defender for Cloud Apps to d
 > 
 > - For a list of apps that support admin quarantine, see the list of [governance actions](governance-actions.md). 
 > - Files labeled by Defender for Cloud Apps can't be quarantined.
-> - Defender for Cloud Apps admin quarantine actions are limited to 100 actions per day.
+> - Defender for Cloud Apps admin quarantine actions is limited to 100 actions per day.
 > - Sharepoint sites that are renamed either directly or as part of domain rename can't be used as a folder location for admin quarantine.
 
 
 1. When a file matches a policy, the **Admin quarantine** option is available for the file.
 
-1. Do one of the following actions to quarantine the file:
-
-   - Manually apply the **Admin quarantine** action:
-
-     :::image type="content" alt-text="quarantine action." source="media/quarantine-action.png" lightbox="media/quarantine-action.png":::
-
-   - Set it as an automated quarantine action in the policy:
+1. Set an automated quarantine action in the policy.
 
      :::image type="content" alt-text="quarantine automatically." source="media/quarantine-automated.png" lightbox="media/quarantine-automated.png":::
 
@@ -49,7 +44,7 @@ In this tutorial, you'll learn how to use Microsoft Defender for Cloud Apps to d
 
     1. The user can only access the tombstone file. In the file, they can read the custom guidelines provided by IT and the correlation ID to give IT to release the file.
 
-1. When you receive the alert that a file has been quarantined, go to **Policies** -> **Policy Management**. Then select the **Information Protection** tab.  In the row with your file policy, choose the three dots at the end of the line, and select **View all matches**. This brings you the report of matches, where you can see the matching and quarantined files:
+1. When you receive the alert that a file has been quarantined, go to **Policies** -> **Policy Management**. Then select the **Information Protection** tab. In the row with your file policy, choose the three dots at the end of the line, and select **View all matches**. This brings you the report of matches, where you can see the matching and quarantined files:
 
    :::image type="content" alt-text="Quarantined files." source="media/quarantine-alerts.png" lightbox="media/quarantine-alerts.png":::
 
@@ -58,7 +53,7 @@ In this tutorial, you'll learn how to use Microsoft Defender for Cloud Apps to d
     1. Inspect the file in the quarantined folder on SharePoint online.
     1. You can also look at the audit logs to deep dive into the file properties.
     1. If you find the file is against corporate policy, run the organization's Incident Response (IR) process.
-    1. If you find that the file is harmless, you can restore the file from quarantine. At that point the original file is released, meaning it's copied back to the original location, the tombstone is deleted, and the user can access the file.
+    1. If you find that the file is harmless, you can restore the file from quarantine. At that point the original file is released, and copied back to the original location. The tombstone is deleted, and the user can access the file.
 
        :::image type="content" alt-text="quarantine restore." source="media/quarantine-restore.png":::
 
@@ -76,7 +71,7 @@ In this tutorial, you'll learn how to use Microsoft Defender for Cloud Apps to d
 1. Set file policies that detect breaches. Examples of these types of policies include:
 
    - A metadata only policy such as a sensitivity label in SharePoint Online
-   - A native DLP policy such as a policy that searches for credit card numbers
+   - A native data loss prevention (DLP) policy such as a policy that searches for credit card numbers
    - An ICAP third-party policy such as a policy that looks for Vontu
 
 1. Set a quarantine location:
@@ -90,7 +85,7 @@ In this tutorial, you'll learn how to use Microsoft Defender for Cloud Apps to d
       :::image type="content" alt-text="quarantine settings." source="media/quarantine-settings.png" lightbox="media/quarantine-settings.png":::
 
       > [!NOTE]
-      > Defender for Cloud Apps will create a quarantine folder on the selected site.
+      > Defender for Cloud Apps creates a quarantine folder on the selected site.
 
    1. For Box, the quarantine folder location and user message can't be customized. The folder location is the drive of the admin who connected Box to Defender for Cloud Apps and the user message is: This file was quarantined to your administrator's drive because it might violate your company's security and compliance policies. Contact your IT administrator for help.