fixing merge conflicts

Author: batamig

.github/workflows/StaleBranch.yml

@@ -5,9 +5,9 @@ permissions:
 
 on:
   schedule:
-    - cron: "0 */12 * * *"
+    - cron: "0 9 1 * *"
 
-  workflow_dispatch:
+  # workflow_dispatch:
 
 
 jobs:
@@ -21,6 +21,6 @@ jobs:
                               "ExampleBranch1",
                               "ExampleBranch2"
                              ]'
-        ReportOnly: true
+        ReportOnly: false
     secrets:
         AccessToken: ${{ secrets.GITHUB_TOKEN }}

.openpublishing.redirection.defender-cloud-apps.json

@@ -1004,6 +1004,11 @@
       "source_path": "CloudAppSecurityDocs/file-filters.md",
       "redirect_url": "/defender-cloud-apps/data-protection-policies",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "CloudAppSecurityDocs/troubleshooting-api-connectors-using-error-messages.md",
+      "redirect_url": "/defender-cloud-apps/troubleshooting-api-connectors-errors",
+      "redirect_document_id": true
     }
   ]
 }

ATPDocs/docfx.json

@@ -38,9 +38,9 @@
       "breadcrumb_path": "/azure-advanced-threat-protection/bread/toc.json",
       "searchScope": ["Defender for Identity"],
       "titleSuffix": "Microsoft Defender for Identity",
-      "author": "batamig",
-      "manager": "batamig",
-      "ms.author": "bagol",
+      "author": "AbbyMSFT",
+      "manager": "AbbyMSFT",
+      "ms.author": "abbyweisberg",
       "ms.collection": "M365-security-compliance",
       "ms.service": "microsoft-defender-for-identity",
       "uhfHeaderId": "MSDocsHeader-MicrosoftDefender",

ATPDocs/identity-inventory.md

@@ -36,13 +36,16 @@ There are several options you can choose from to customize the identities list v
 
 - Apply filters.
 
-- Search for an identity by name or full UPN, Sid and Object ID. 
+- Search for an identity by name or full UPN, SID and Object ID. 
 
 - Export the list to a CSV file.
 
 - Copy list link with the included filters configured. 
 
-## ![A screenshot of identity inventory page.](media/identity-inventory/inventory11.png)  
+> [!NOTE]
+> When exporting the identities list to a CSV file, a maximum of 5,000 identities are displayed.
+
+## ![A screenshot of identity inventory page.](media/identity-inventory/inventory11.png)
 
 ### Identity details 
 
@@ -120,8 +123,7 @@ You can use this information to help you prioritize devices for security posture
 
 ### Navigate to the Identity inventory page
 
-Use relative links instead of absolute links. 
-In the Defender XDR portal at [https://security.microsoft.com](https://security.microsoft.com), go to Assets > Identities. Or, to navigate directly to the [identity inventory](/defender-for-identity/identity-inventory) page.
+In the Defender XDR portal at [https://security.microsoft.com](https://security.microsoft.com), go to **Assets** > **Identities**. Or, to navigate directly to the [identity inventory](/defender-for-identity/identity-inventory) page.
 
 ### Related Articles
 

ATPDocs/media/Screenshot-of-the-connections-page.png

@@ -0,0 +1,103 @@
+---
+title: Service Account Discovery
+description: The Service Accounts page provides a centralized location for customers to view and manage identity information across their environment, ensuring optimal visibility and a comprehensive experience.
+ms.topic: conceptual
+ms.date: 03/25/2025
+---
+
+# Investigate and protect Service Accounts | Microsoft Defender for Identity
+
+### What are Service Accounts?
+
+Service accounts are specialized identities within Active Directory used to run applications, services, and automated tasks. These accounts often require elevated privileges to perform their designated job. However, because they can't authenticate in the same way as human accounts, they typically don't benefit from the increased security of modern authentication methods like MFA (multifactor authentication). Given their potential elevated privilege and the inherent limitations of the access policies that govern them, careful management and monitoring are crucial to ensure they don't become a security vulnerability.
+
+Service accounts are classified into several types:
+
+- gMSA (Group Managed Service Accounts): gMSAs provide a single identity solution for multiple services that require mutual authentication across multiple servers, as they allow Windows to handle password management, reducing administrative overhead.
+- sMSA (Managed Service Accounts): Designed for individual services on a single server rather than groups.
+- User Account: These standard user accounts are typically used for interactive logins but can also be configured to run services.
+
+The auto discovery feature quickly identifies gMSA and sMSA accounts as well as user accounts within Active Directory that meet specific criteria and classifies them as service accounts. These accounts are then highlighted and presented, along with relevant information including insights into recent authentications and the sources and destinations of those interactions, as part of a dedicated inventory within the Defender experience. This helps you better understand the accounts' purpose so you can more easily spot anomalous activity and understand its implications.
+
+Service account types are displayed in the Identity Info table within Advanced Hunting.
+
+## Service accounts page
+
+#### Navigate to the Service accounts page
+
+In the Defender XDR portal at [https://security.microsoft.com](https://security.microsoft.com), go to Identities > Service Accounts.
+
+The following image depicts the Service accounts page:
+
+:::image type="content" source="media/service-accounts-page.png" alt-text="Screenshot of the Service accounts page in the Defender portal." lightbox="media/service-accounts-page.png":::
+
+### Customize the page view
+
+There are several options you can choose from to customize the identities list view. On the top navigation you can:
+
+- Add or remove columns.
+
+- Apply filters.
+
+- Export the list to a CSV file.
+
+- Sort and filter the Service accounts list.
+
+> [!NOTE]
+> When exporting the service accounts list to a CSV file, a maximum of 2,000 service accounts are displayed.
+
+### Service account details
+
+- Total: The total number of service accounts listed.
+
+- Managed: The total number of service accounts that are gMSA (Group Managed Service Accounts) or sMSA (Managed Service Accounts).
+
+- User: The total number of standard user accounts used for interactive logins or configured to run services.
+
+- Critical: The total number of service accounts identified as critical.
+
+You can use the sort and filter functionality on each service account tab to get a more focused view.
+
+| Service account details   |  Description |
+|---------|---------|
+|**Display name** | The full name of the service account as shown in the directory.
+|**SID**     | The Security Identifier, a unique value used to identify the identity in Active Directory.         |
+|**Domain**    | The Active Directory domain to which the identity belongs.         |
+|**Type**    | Specifies if the service account is gMSA (Group Managed Service Accounts), sMSA (Managed Service Accounts) or a user account.         |
+|**Criticality level**     | Indicates the critical level of the service account, ranging from low to very high.         |
+|**Tags**    | Sensitive or Honey Token        |
+|**Auth protocols**   | Lists the available methods for verifying user identities, for example, Kerberos and NTLM (New Technology LAN Manager).         |
+|**Sources**     |  The number of potential source logins.        |
+|**Destinations**    | When a service account is trying to access a destination server, the request is directed to the target system, which can include a number of resources on that server. These resources might be a database, a file server, or other services hosted on the server.        |
+|**Connections**   | The number of unique connections made between sources and destinations.         |
+|**Created**    |The timestamp when the service account was first created.         |
+|**Last updated**    | The timestamp of the most recent update to the service account.        |
+|
+
+### Connections
+
+
+For a deeper dive into what's happening in your service account click on the domain name to see the following information:
+
+When you investigate a specific Service account, you'll see the following details under the connections tab:
+
+:::image type="content" source="media/Screenshot-of-the-connections-page.png" alt-text="Screenshot of the connections page." lightbox="media/Screenshot-of-the-connections-page.png":::
+
+|Service account connection details  |Description |
+|---------|---------|
+|Source  |  Where the network traffic or request originates from.       |
+|Source type    | What kind of device or system is initiating the request. For example, server, workstation or domain controller.        |
+|Source risk   | Identicates the risk posed to the source from no risk to high risk.         |
+|Destination   | Where the request is being directed to. The target system that the service account is trying to access. For example, when trying to access a destination server, there can be multiple resources on that server (for example, a database and a file-server).        |
+|Destination type    | Server, Workstation, or Domain controller.         |
+|Auth protocols   | Kerberos and NTLM        |
+|Service Class     | The services within a network that define the type of service being provided, often used for authentication and resource management. These include: Lightweight Directory Access Protocol (LDAP), Common Internet File System (CIFS), Remote Procedure Call (RPC), Remote Procedure Call Subsystem (RPCSS), "HTTP," Terminal Services (TERMSRV), and "HOST"        |
+|Count | How many sign in events occurred over this connection in the last 180 days.
+Last seen   | The date and time of the most recent sign in event over this connection.        |
+
+
+
+For more information about the following tabs, **Overview**, **Incidents and alerts**,**Observed in organization**, **Timeline**, and **Attack paths**, see: [Investigate assets](/defender-for-identity/investigate-assets#identity-details).
+
+
+If you run into any problems, we're here to help. To get assistance or support for your product issue, see how to open a support ticket at [Microsoft Defender for Identity support](support.md).

ATPDocs/media/service-accounts-page.png

@@ -128,6 +128,8 @@ items:
       href: identity-inventory.md
     - name: Investigate assets
       href: investigate-assets.md
+    - name: Service accounts
+      href: service-account-discovery.md
   - name: Lateral movement paths
     items:
     - name: Understand and investigate lateral movement paths

ATPDocs/service-account-discovery.md

@@ -24,11 +24,27 @@ For updates about versions and features released six months ago or earlier, see
 
 ## March 2025
 
+### New Service Account Discovery page
+
+
+Microsoft Defender for Identity now includes a Service Account Discovery capability, offering you  centralized visibility into service accounts across your Active Directory environment.
+
+This update provides:
+
+- Automatic identification of Group Managed Service Accounts, Managed Service Accounts, and user accounts operating as service accounts.
+
+- A centralized Service Accounts inventory, displaying key attributes like account type, authentication type, unique connections, last log-on, service class and criticality.
+
+- A Service Account details page, including an overview, a timeline of activities, alerts, and a new connections tab.
+
+For more information, see: [Investigate and protect Service Accounts | Microsoft Defender for Identity](service-account-discovery.md).
+
+
 ### New Health Issue
 
 New [health issue](health-alerts.md#network-configuration-mismatch-for-sensors-running-on-vmware) for cases where sensors running on VMware have network configuration mismatch.
 
-### Enhanced Identity Inventory (Preview)
+### Enhanced Identity Inventory
 
 The Identities page under *Assets* has been updated to provide better visibility and management of identities across your environment.  
 The updated Identities Inventory page now includes the following tabs:

ATPDocs/toc.yml

@@ -0,0 +1,115 @@
+---
+title: Application inventory
+ms.date: 03/20/2025
+ms.topic: overview
+description: The new Applications page located under Assets in Microsoft Defender XDR portal provides a centralized location for users to view and manage SaaS and SaaS connected OAuth apps information across their environment, ensuring optimal visibility and a comprehensive experience
+#customer intent: As a security administrator, I want to discover, monitor, and manage all SaaS and OAuth connected apps in my organization so that I can ensure security and compliance.
+---
+# Applications inventory (Preview)
+
+Protecting your SaaS ecosystem requires taking inventory of all SaaS and connected OAuth apps that are in your environment. With the increasing number of applications, having a comprehensive inventory is crucial to ensure security and compliance. The Applications page provides a centralized view of all SaaS and connected OAuth apps in your organization, enabling efficient monitoring and management.
+At a glance you can see information such as app name, risk score, privilege level, publisher information, and other details for easy identification of SaaS and OAuth apps most at risk.
+
+The Applications page includes the following tabs:
+
+* SaaS apps: A consolidated view of all SaaS applications in your network. This tab highlights key details, including app name, status (unprotected/protected app) and whether the app is marked as sanctioned or unsanctioned.
+* OAuth apps: A comprehensive view of OAuth apps registered on Microsoft Entra ID, Google workspace and Salesforce. This tab highlights OAuth apps metadata, publisher info and app origin, permissions used, data accessed and other insights.
+
+## Navigate to the Applications page
+
+In the Defender portal at <https://security.microsoft.com>, go to **Assets** > **Applications**. Or, go directly to the **Applications** page, by clicking on the banner links on the existing Cloud discovery and App governance pages.
+
+:::image type="content" source="media/banner-on-cloud-discovery-pages.png" alt-text="Screenshot of the Cloud Discovery page with a banner about the new unified application inventory experience" lightbox="media/banner-on-cloud-discovery-pages.png":::
+
+:::image type="content" source="media/banner-message-on-app-governance-pages.png" alt-text="Screenshot of the App Governance page with a banner about the new unified application inventory experience for managing OAuth and SaaS apps" lightbox="media/banner-message-on-app-governance-pages.png":::
+
+There are several options you can choose from to customize the SaaS apps and OAuth apps list view. In the top navigation panel you can:
+
+* Add or remove columns.
+* Export the entire list in CSV format.
+* Select the number of items to show per page.
+* Apply filters
+
+> [!NOTE]
+>When exporting the applications list to a CSV file, a maximum of 1000 SaaS or OAuth apps are displayed.
+
+The following image depicts the SaaS apps list:
+:::image type="content" source="media/applications-tab-in-the-defender-portal.png" alt-text="Screenshot of the applications tab in the Defender portal" lightbox="media/applications-tab-in-the-defender-portal.png"
+
+
+## SaaS app details
+
+At the top of Saas app tab, you can find actionable insights that allow you to quickly identify apps that need your attention and focus. The following details are displayed:
+
+* **Untagged high risk apps** – Shows apps that aren't tagged and have a high-risk.
+* **Untagged high traffic apps** – Shows apps that aren't tagged and have a high usage traffic (greater than 1 GB of data traffic).
+* **Untagged GenAI apps** – Shows apps that aren't tagged and are Gen-AI based.
+
+## Sort and filter the SaaS apps list
+
+You can use the sort and filter functionality to get a more focused view. These controls also help you assess and manage the SaaS applications in your organization.
+
+|Filter  |Description  |
+|---------|---------|
+|**App tags**     |    Select **Sanctioned**, **Unsanctioned**, or create custom tags to use in a customized filter.  |
+|**App**     |    Filter for specific SaaS apps.     |
+|**Categories**     |  Filter according to app categories.       |
+|**Compliance risk factor**     |   Filter for specific standards, certifications, and compliance your app might comply with. For example: HIPAA, ISO 27001, SOC 2, and PCI-DSS.      |
+| **Risk score**     |  Filter by a specific risk score, such as to view only risky apps.       |
+|**Security risk factor**     |   Filter based on specific security measures, such as encryption at rest, multifactor authentication, and others.
+|
+
+### OAuth Apps
+
+The OAuth apps tab provides visibility into Microsoft 365, Google workspace and Salesforce. Admins can review applications and decide to disable the apps or apply policies to monitor their behavior in their environment.
+
+* **New apps** – Shows apps added in the last 30 days (Available for Microsoft 365)
+
+* **Highly privileged apps** – Shows apps with powerful permissions that allow them to access data or change important settings. (Available for Microsoft 365 and Google)
+
+* **Overprivileged apps** – Shows apps with unused permissions. (Available for Microsoft 365)
+
+* **Apps from external unverified publishers** – Shows apps that originated from an external unverified publisher tenant. (Available for Microsoft 365)
+
+For more information on how to create app policies, see:[Create app policies in app governance](app-governance-app-policies-create.md)
+
+The following image depicts the OAuth apps list:
+
+:::image type="content" source="media/oauth-tab-in-the-applications-page.png" alt-text="Screenshot of a list of OAuth apps in the applications page in the Defender portal" lightbox="media/oauth-tab-in-the-applications-page.png":::
+
+## Sort and filter the OAuth apps list
+
+You can apply the following filters to get a more focused view:
+
+|Column name  |Description  |
+|---------|---------|
+| **App name** | The display name of the app as registered on Microsoft Entra ID. |
+| **App status** | Shows whether the app is enabled or disabled, and if disabled by whom. |
+| **Graph API access**| Shows whether the app has at least one Graph API permission. |
+| **Permission type**| Shows whether the app has application (app only), delegated, or mixed permissions. |
+| **App origin**| Shows whether the app originated within the tenant or was registered in an external tenant. |
+| **Consent type**| Shows whether the app consent has been given at the user or the admin level, and the number of users whose data is accessible to the app. |
+| **Publisher**| Publisher of the app and their verification status. |
+| **Last modified**| Date and time when registration information was last updated on Microsoft Entra ID |
+| **Added on**| Shows the date and time when the app was registered to Microsoft Entra ID and assigned a service principal. |
+| **Permission usage**| Shows whether the app has any unused Graph API permissions in the last 90 days. |
+| **Data usage**| Total data downloaded or uploaded by the app in the last 30 days. |
+| **Privilege level**  | The app's privilege level. |
+| **Certification**| Indicates if an app meets stringent security and compliance standards set by Microsoft 365 or if its publisher has publicly attested to its safety.  |
+| **Sensitivity label accessed**| Sensitivity labels on content accessed by the app  |
+| **Service accessed**| Microsoft 365 services accessed by the app  
+|
+
+
+> [!TIP]
+> To see all columns, you might need to do one or more of the following steps:
+> * Horizontally scroll in your web browser.
+> * Narrow the width of appropriate columns.
+> * Zoom out in your web browser.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Best practices for protecting your organization](best-practices.md)
+
+[!INCLUDE [Open support ticket](includes/support.md)]