Merge branch 'main' into patch-5

Author: denisebmsft

ATPDocs/deploy/activate-capabilities.md

@@ -6,11 +6,15 @@ ms.topic: how-to
 ms.reviewer: rlitinsky
 ---
 
-# Activate Microsoft Defender for Identity capabilities directly on a domain controller
+# Activate Microsoft Defender for Identity capabilities directly on a domain controller (Preview)
 
-Microsoft Defender for Endpoint customers, who have already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using [Microsoft Defender for Identity classic sensor](deploy-defender-identity.md).
+This article describes how to activate and test Microsoft Defender for Identity new sensor capabilities on your domain controller.
 
-This article describes how to activate and test Microsoft Defender for Identity capabilities on your domain controller.
+> [!NOTE]
+> The capabilities described in this article are currently available as Preview features. Preview features are features that aren't complete, but are made available on a "preview" basis so customers can get early access and provide feedback.
+> 
+> Preview features are still in development, have limited or restricted functionality and may be available only in selected geographic areas.
+> For more information, see the [Microsoft Defender XDR preview features](/defender-xdr/preview)
 
 > [!IMPORTANT]
 > The new Defender for Identity sensor (version 3.x) is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor [here](quick-installation-guide.md).
@@ -71,25 +75,27 @@ Set-MDIConfiguration -Mode Domain -Configuration All
 
 ### Customers with domain controllers already onboarded to Defender for Endpoint 
 
+Microsoft Defender for Endpoint customers, who have already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using [Microsoft Defender for Identity classic sensor](deploy-defender-identity.md).
+
 ### Activate Defender for Identity capabilities
 
 Activate the Defender for Identity from the [Microsoft Defender portal](https://security.microsoft.com).
 
 1. Navigate to **System** > **Settings** > **Identities** > **Activation**.
 
-    The Activation Page now displays all servers from your device inventory, including those not currently eligible for the activation of the new Defender for Identity sensor. For each server you can find its activation state.
+   The Activation Page now displays all servers from your device inventory, including those not currently eligible for the activation of the new Defender for Identity sensor. For each server, you can find its activation state.
 
-2. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
+1. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
 
     :::image type="content" source="media/activate-capabilities/1.jpg" lightbox="media/activate-capabilities/1.jpg" alt-text="Screenshot that shows how to activate the new sensor.":::
 
     > [!NOTE]
     > You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they're discovered, or manually, where you select specific domain controllers from the list of eligible servers.
 
-3. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
-
-    :::image type="content" source="media/activate-capabilities/2.jpg" lightbox="media/activate-capabilities/2.jpg" alt-text="Screenshot that shows how to seethe onboarded servers.":::
+1. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
 
+    :::image type="content" source="media/activate-capabilities/2.jpg" lightbox="media/activate-capabilities/2.jpg" alt-text="Screenshot that shows how to see the onboarded servers.":::
+   
 ### Customers without domain controllers onboarded to Defender for Endpoint 
 
 ### Connectivity requirements
@@ -98,26 +104,32 @@ Defender for Identity capabilities directly on domain controllers use Defender f
 
 For more information, see [Configure your network environment to ensure connectivity with Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-environment##enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
 
-### Onboard Defender for Identity capabilities 
-Download the Defender for Identity onboarding package from the [Microsoft Defender portal] (https://security.microsoft.com) 
+### Onboard Defender for Identity capabilities
+
+Download the Defender for Identity onboarding package from the [Microsoft Defender portal](https://security.microsoft.com)
+
+1. Navigate to **System** > **Settings** > **Identities** > **Activation**.
+
+1. Select Download onboarding package and save the file in a location you can access from your domain controller.
+
+    :::image type="content" source="media/activate-capabilities/screenshot-that-shows-how-to-onboard-the-new-sensor.png" alt-text="Screenshot that shows how to onboard the new sensor" lightbox="media/activate-capabilities/screenshot-that-shows-how-to-onboard-the-new-sensor.png":::
+
+1. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOnboardingScript.cmd` script as an Administrator.
+
+<img width="474" alt="Screenshot that shows the script." src="https://github.com/user-attachments/assets/ff2d73d4-7285-403e-979a-520e05cbf1d1" />
 
-1. Navigate to **System** > **Settings** > **Identities** > **Activation**
-2. Select Download onboarding package and save the file in a location you can access from your domain controller.
-3. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOnboardingScript.cmd` script as an Administrator. 
-   
 ## Onboarding Confirmation 
 
 To confirm the sensor has been onboarded: 
 
 1. Navigate to **System** > **Settings** > **Identities** > **Sensors**.
 
-2. Check that the onboarded domain controller is listed. 
+1. Check that the onboarded domain controller is listed. 
 
-> [!NOTE]
-> The onboarding doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
-> To check the onboarding on the local server you can also review the event log under **Applications and Services Logs** > **Microsoft** > **Windows** > **Sense** > **Operational**. You should receive an onboarding event: 
+    > [!NOTE]
+    > The onboarding doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
 
-## Test activated capabilities
+**Test activated capabilities**
 
 Defender for Identity capabilities on domain controllers currently support the following Defender for Identity functionality:
 
@@ -147,7 +159,7 @@ In the Defender portal, check for the following details:
 
 - **Group entities**: Use the global search to find a user group, or pivot from a user or device details page where group details are shown. Check for details of group membership, view group users, and group timeline data.
 
-   If no event data is found on the group timeline, you may need to create some manually. For example, do this by adding and removing users from the group in Active Directory.
+If no event data is found on the group timeline, you may need to create some manually. For example, do this by adding and removing users from the group in Active Directory.
 
 For more information, see [Investigate assets](../investigate-assets.md).
 
@@ -226,22 +238,27 @@ For more information, see [Remediation actions in Microsoft Defender for Identit
 
 If you want to deactivate Defender for Identity capabilities on your domain controller, delete it from the **Sensors** page:
 
-1. Navigate to **Settings** > **Identities** > **Sensors**
-2. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
+1. Navigate to **Settings** > **Identities** > **Sensors**.
+1. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
 
-    :::image type="content" source="media/activate-capabilities/3.jpg" lightbox="media/activate-capabilities/3.jpg" alt-text="Screenshot that shows how to deactivate a server.":::
+    ![Screenshot that shows how to delete a sensor.](media/activate-capabilities/screenshot-that-shows-how-to-delete-a-sensor.png)
 
 Deactivating Defender for Identity capabilities from your domain controller doesn't remove the domain controller from Defender for Endpoint. For more information, see [Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/).
 
 ### Customers without domain controllers onboarded to Defender for Endpoint 
 
 ### Offboard Defender for Identity capabilities on your domain controller 
-Download the Defender for Identity offboarding package from the [Microsoft Defender portal] (https://security.microsoft.com).
+Download the Defender for Identity offboarding package from the [Microsoft Defender portal](https://security.microsoft.com).
 
 1. Navigate to **Settings** > **Identities** > **Activation**
-2. Select Download offboarding package and save the file in a location you can access from your domain controller.
-3. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOffboardingScript_valid_until_YYYY-MM-DD.cmd` script as an Administrator.
-4. To fully remove the sensor, navigate to **Settings** > **Identities** > **Sensors**, select the server and click Delete. 
+
+1. Select Download offboarding package and save the file in a location you can access from your domain controller.  
+![Screenshot that shows how to offboard the new sensor.](media/activate-capabilities/screenshot-that-shows-how-to-offboard-the-new-sensor.png)
+1. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOffboardingScript_valid_until_YYYY-MM-DD.cmd` script as an Administrator.
+1. To fully remove the sensor, navigate to **Settings** > **Identities** > **Sensors**, select the server, and click **Delete**.
+
+:::image type="content" source="media/activate-capabilities/screenshot-that-shows-how-to-delete-a-sensor.png" alt-text="Screenshot that shows how to delete a sensor" lightbox="media/activate-capabilities/screenshot-that-shows-how-to-delete-a-sensor.png":::
+
 
 ## Next steps
 

ATPDocs/deploy/configure-windows-event-collection.md

@@ -1,7 +1,7 @@
 ---
 title: Configure audit policies for Windows event logs | Microsoft Defender for Identity
 description: This article describes how to configure audit policies for Windows event logs as part of deploying a Microsoft Defender for Identity sensor.
-ms.date: 01/16/2024
+ms.date: 06/04/2025
 ms.topic: how-to
 ms.reviewer: rlitinsky
 ---
@@ -240,6 +240,7 @@ To configure domain object auditing:
    - **Descendant Computer Objects**
    - **Descendant msDS-GroupManagedServiceAccount Objects**
    - **Descendant msDS-ManagedServiceAccount Objects**
+   - **Descendant msDS-DelegatedManagedServiceAccount Objects**
 
 > [!NOTE]
 > Assigning the auditing permissions on **All descendant objects** would also work, but you need only the object types detailed in the last step.

ATPDocs/deploy/media/activate-capabilities/screenshot-that-shows-how-to-delete-a-sensor.png

@@ -46,7 +46,7 @@ Your data is kept and is available to you while the license is under grace perio
 
 ## Data sharing
 
-Defender for Identity shares data, including customer data, among any of the following Microsoft products that are also licensed by the customer:
+Defender for Identity shares data, including customer data, among any of the following Microsoft products that are also licensed by the customer. For customers in the Government Community Cloud (GCC), data sharing between government and commercial cloud environments may occur, depending on the location of the service offering.
 
 - Microsoft Defender XDR
 - Microsoft Defender for Cloud Apps

ATPDocs/deploy/media/activate-capabilities/screenshot-that-shows-how-to-offboard-the-new-sensor.png

@@ -39,8 +39,24 @@ The following Defender for Identity actions can be performed directly on your on
 
 - **Reset user password** – This will prompt the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts.
 
+- **Mark User Compromised** - The user’s risk level is set to High
+
+- **Suspend User in Entra ID** - Block new sign-ins and access to cloud resources
+
+- **Require User to Sign In Again** - Revoke a user’s active sessions
+
 Depending on your Microsoft Entra ID roles, you might see additional Microsoft Entra ID actions, such as requiring users to sign in again and confirming a user as compromised. For more information, see [Remediate risks and unblock users](/entra/id-protection/howto-identity-protection-remediate-unblock).
 
+## Roles and Permissions
+
+| Action | XDR RBAC permissions      |
+| ------------------------------------- | ------------------------------------------------------------ |
+|Mark User Compromised                  | - Global Administrator <br> - Security Administrator|
+|Suspend User in Entra ID               | - Global Administrator |
+|Require User to Sign In Again          | - Global Administrator <br>|
+| Disable/Enable User in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
+| Force Password Reset in Active Directory | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr)|
+
 
 ## Related videos
 

ATPDocs/deploy/media/activate-capabilities/screenshot-that-shows-how-to-onboard-the-new-sensor.png

@@ -23,6 +23,23 @@ For more information, see also:
 
 For updates about versions and features released six months ago or earlier, see the [What's new archive for Microsoft Defender for Identity](whats-new-archive.md).
 
+## June 2025
+
+### DefenderForIdentity PowerShell module updates (version 1.0.0.4)
+
+New Features and Improvements:
+- Added remote domain functionality
+- Added SensorType parameter to Test-MDISensorApiConnection to inform endpoint URL.
+- Added ability to Get/Set/Test the Deleted Objects container permissions.
+- Added auditing for Delegated Managed Service Accounts (dMSA) in the DomainObjectAuditing configuration.
+
+Bug Fixes:
+- Fixed audit verification checks for non-English operating systems.
+- Fixed DomainObjectAuditing identity redundant parameter bug.
+- Fixed Domain Controller detection logic to confirm AD Web Services is running on the server.
+- Fixed issue with Test-MDIDSA not parsing Deleted Object permissions.
+- Other reliability fixes.
+
 ## May 2025
 
 ###  Expanded New Sensor Deployment Support for Domain Controllers (Preview)