Merge branch 'main' into cabailey-defender-newairoles

Author: cabailey

.github/workflows/TierManagement.yml

@@ -2,12 +2,15 @@ name: Tier management
 
 permissions:
   pull-requests: write
-  contents: read
+  contents: write
 
 on: 
   issue_comment:
     types: [created, edited]
 
+  pull_request_target:
+    types: [opened, reopened]
+
 jobs:
 
   tier-mgmt:

.openpublishing.publish.config.json

@@ -6,7 +6,7 @@
       "build_output_subfolder": "ATA-Docs",
       "locale": "en-us",
       "monikers": [],
-      "open_to_public_contributors": true,
+      "open_to_public_contributors": false,
       "type_mapping": {
         "Conceptual": "Content"
       },
@@ -191,6 +191,8 @@
     ".openpublishing.redirection.defender-cloud-apps.json",
     ".openpublishing.redirection.defender-endpoint.json",
     ".openpublishing.redirection.defender-office-365.json",
-    ".openpublishing.redirection.defender-xdr.json"
+    ".openpublishing.redirection.defender-xdr.json",
+    ".openpublishing.redirection.unified-secops.json"
+
   ]
 }

.openpublishing.redirection.ata-atp.json

@@ -17,17 +17,17 @@
     },
     {
       "source_path": "ATPDocs/deploy/quick-installation-guide.md",
-      "redirect_url": "deploy/deploy-defender-identity",
+      "redirect_url": "deploy-defender-identity",
       "redirect_document_id": false
     },
     {
       "source_path": "ATPDocs/deploy/prerequisites.md",
-      "redirect_url": "deploy/prerequisites-sensor-version-2",
+      "redirect_url": "prerequisites-sensor-version-2",
       "redirect_document_id": false
     },
         {
       "source_path": "ATPDocs/deploy/activate-capabilities.md",
-      "redirect_url": "deploy/activate-sensor",
+      "redirect_url": "activate-sensor",
       "redirect_document_id": false
     },
     {

.openpublishing.redirection.unified-secops.json

@@ -0,0 +1,9 @@
+{
+  "redirections": [
+    {
+      "source_path": "unified-secops-platform/mto-tenantgroups.md",
+      "redirect_url": "mto-distribution-profiles",
+      "redirect_document_id": false
+    }
+  ]
+}

ATPDocs/advanced-settings.md

@@ -1,7 +1,7 @@
 ---
 title: Adjust alert thresholds | Microsoft Defender for Identity
 description: Learn how to configure the number of Microsoft Defender for Identity alerts triggered of specific alert types by adjusting alert thresholds.
-ms.date: 02/11/2024
+ms.date: 08/03/2025
 ms.topic: how-to
 #CustomerIntent: As a Microsoft Defender for Identity customer, I want to reduce the number of false positives by adjusting thresholds for specific alerts.
 ms.reviewer: rlitinsky
@@ -15,7 +15,7 @@ Some Defender for Identity alerts rely on *learning periods* to build a profile
 
 Use the **Adjust alert thresholds** page to customize the threshold level for specific alerts to influence their alert volume. For example, if you're running comprehensive testing, you might want to lower alert thresholds to trigger as many alerts as possible.
 
-Alerts are always triggered immediately if the **Recommended test mode** option is selected, or if a threshold level is set to **Medium** or **Low**, regardless of whether the alert's learning period has already completed.
+Alerts are triggered immediately if the **Recommended test mode** option is selected, or if a threshold level is set to **Medium** or **Low**, regardless of whether the alert's learning period has already completed.
 
 > [!NOTE]
 > The **Adjust alert thresholds** page was previously named **Advanced settings**. For details about this transition and how any previous settings were retained, see our [What's New announcement](whats-new.md#enhanced-user-experience-for-adjusting-alert-thresholds-preview).
@@ -46,24 +46,27 @@ For example, if you have NAT or VPN, we recommend that you consider any changes
     When you select **Medium** or **Low**, details are bolded in the **Information** column to help you understand how the change affects the alert behavior.
 
 1. Select **Apply changes** to save changes.
+1. Select **Revert to default** and then **Apply changes** to reset all alerts to the default threshold (**High**). Reverting to default is irreversible and any changes made to your threshold levels are lost.
 
-Select **Revert to default** and then **Apply changes** to reset all alerts to the default threshold (**High**). Reverting to default is irreversible and any changes made to your threshold levels are lost.
-
-## Switch to test mode
+## Switch to Recommended test mode
 
 The **Recommended test mode** option is designed to help you understand all Defender for Identity alerts, including some related to legitimate traffic and activities so that you can thoroughly evaluate Defender for Identity as efficiently as possible.
 
 If you recently deployed Defender for Identity and want to test it, select the **Recommended test mode** option to switch all alert thresholds to **Low** and increase the number of alerts triggered. 
 
-Threshold levels are read-only when the **Recommended test mode** option is selected. When you're finished testing, toggle the **Recommended test mode** option back off to return to your previous settings.
+Threshold levels are read-only when the **Recommended test mode** option is selected.
+
+> [!NOTE] 
+> Test mode is time-limited to a maximum of 60 days.
+> When turning on Recommended test mode, you must specify an end time. The selected end time is displayed next to the toggle for as long as test mode is enabled.
 
-Select **Apply changes** to save changes.
+When you're finished testing, toggle the Recommended test mode option back off to return to your previous settings. Select **Apply changes** to save changes.
 
 ## Supported detections for threshold configurations
 
 The following table describes the types of detections that support adjustments for threshold levels, including the effects of **Medium** and **Low** thresholds.
 
-Cells marked with N/A indicate that the threshold level is not supported for the detection
+Cells marked with N/A indicate that the threshold level isn't supported for the detection.
 
 | Detection | Medium | Low |
 | --- | --- | --- |

ATPDocs/media/okta-integration/remove-inactive-service-accounts.png

@@ -0,0 +1,64 @@
+---
+title:  'Security Assessment: Remove Discoverable Passwords in Active Directory Account Attributes (Preview)'
+description: Learn how to identify and address discoverable passwords in Active Directory account attributes to mitigate security risks and improve your organization's security posture.
+ms.date: 08/12/2025
+ms.topic: how-to
+---
+
+# Security Assessment: Remove discoverable passwords in Active Directory account attributes (Preview)
+
+
+## Why do discoverable passwords in Active Directory account attributes pose a risk?
+
+Certain free-text attributes are often overlooked during hardening but are readable by any authenticated user in the domain. When credentials or clues are mistakenly stored in these attributes, attackers can abuse them to move laterally across the environment or escalate privileges.
+
+Attackers seek low-friction paths to expand access. Exposed passwords in these attributes represent an easy win because:
+
+- The attributes aren't access-restricted.
+
+- They aren't monitored by default.
+
+- They provide context attackers can exploit for lateral movement and privilege escalation.
+
+Removing exposed credentials from these attributes reduces the risk of identity compromise and strengthens your organization’s security posture.
+
+
+## How does Microsoft Defender for Identity detect discoverable passwords?
+
+> [!NOTE] 
+> Findings can include false positives. Always validate the results before taking action.
+
+Microsoft Defender for Identity detects potential credential exposure in Active Directory by analyzing commonly used free-text attributes. This includes looking for common password formats, hints,  `'description'`, `'info'`, and `'adminComment'` fields, and other contextual clues that might suggest the presence of credential misuse. 
+This recommendation uses GenAI-powered analysis of Active directory attributes to detect:
+
+- Plaintext passwords or variations. For example, '`Password=Summer2025!'`
+
+- Credential patterns, reset hints, or sensitive account information. 
+
+- Other indicators suggesting operational misuse of directory fields. 
+
+Detected matches are surfaced in **Secure Score** and the **Security Assessment report** for review and remediation.
+
+
+## Remediation steps 
+
+To address this security assessment, follow these steps:
+
+1. Review the recommended action at [https://security.microsoft.com/securescore?viewid=actions](https://security.microsoft.com/securescore?viewid=actions) for Remove discoverable passwords in Active Directory account attributes.
+1. Review the exposed entries in the security report. Identify any field content that includes:
+
+    - Cleartext passwords
+
+    - Reset instructions or credential clues
+
+    - Sensitive business or system information
+
+1. Remove sensitive information from the listed attribute fields using standard directory management tools (for example, PowerShell or ADSI Edit).
+1. Fully remove the sensitive information. Don’t just mask the value. Partial obfuscation (for example, P@ssw***) can still offer useful clues to attackers.
+
+> [!NOTE]
+> Assessments are updated in near real time. Scores and statuses are updated every 24 hours. The list of impacted entities is updated within a few minutes of you implementing the recommendations. The status might take time until it's marked as **Completed**.
+
+## Related articles
+
+- [Learn more about Microsoft Secure Score](/defender-xdr/microsoft-secure-score)

ATPDocs/remove-discoverable-passwords-active-directory-account-attributes.md

@@ -0,0 +1,46 @@
+---
+title: 'Security Assessment: Remove Inactive Service Account (Preview)'
+description: Learn how to identify and address inactive Active Directory service accounts to mitigate security risks and improve your organization's security posture.
+ms.date: 08/17/2025
+ms.topic: how-to
+#customer intent: As a security administrator, I want to improve security posture in my organization by removing inactive service accounts
+---
+
+# Security Assessment: Remove Inactive Service Accounts (Preview)
+
+This recommendation lists Active Directory service accounts detected as inactive (stale) within the past 180 days. 
+
+## Why do inactive service accounts pose a risk?
+
+Unused service accounts create significant security risks, as some of them can carry elevated privileges. If attackers gain access, the result can be substantial damage. Dormant service accounts might retain high or legacy permissions. When compromised, they provide attackers with discreet entry points into critical systems, granting far more access than a standard user account.
+
+This exposure creates several risks:
+
+- Unauthorized access to sensitive applications and data.
+
+- Lateral movement across the network without detection.
+
+
+## How do I use this security assessment to improve my organizational security posture? 
+
+To use this security assessment effectively, follow these steps:
+
+1. Review the recommended action at [https://security.microsoft.com/securescore?viewid=actions ](https://security.microsoft.com/securescore?viewid=actions ) for Remove inactive service account.
+1. Review the list of exposed entities to discover which of your service account is inactive.
+
+    :::image type="content" source="media/okta-integration/remove-inactive-service-accounts.png" alt-text="Screenshot that shows the recommendation action to remove inactive service accounts." lightbox="media/okta-integration/remove-inactive-service-accounts.png":::
+
+1. Take appropriate actions on those entities by removing the service account. For example:
+
+    - **Disable the account:** Prevent any usage by disabling the account identified as exposed.
+
+    - **Monitor for impact:** Wait several weeks and monitor for operational issues, such as service disruptions or errors.
+
+    - **Delete the account:** If no issues are observed, delete the account and fully remove its access.
+
+> [!NOTE]
+> Assessments are updated in near real time, and scores and statuses are updated every 24 hours. The list of impacted entities is updated within a few minutes of your implementing the recommendations. The status might take time until it's marked as **Completed**.
+
+## Related articles
+
+- [Learn more about Microsoft Secure Score](/defender-xdr/microsoft-secure-score)

ATPDocs/remove-inactive-service-account.md

@@ -249,6 +249,10 @@ items:
            href: security-assessment-clear-text.md
          - name: LAPS usage assessment
            href: security-assessment-laps.md
+         - name: Remove discoverable passwords in Active Directory account attributes
+           href: remove-discoverable-passwords-active-directory-account-attributes.md
+         - name: Remove inactive service accounts
+           href: remove-inactive-service-account.md
          - name: Riskiest lateral movement paths
            href: security-assessment-riskiest-lmp.md
          - name: Unsecure Kerberos delegation assessment