Merge pull request #4621 from DebLanger/M1_changes

Updates to MSEM (MDC/MDVM)

Author: DebLanger

defender-xdr/compare-rbac-roles.md

@@ -129,13 +129,40 @@ You configured protection-related Exchange Online permissions in the Exchange ad
 > Exception: If you have configured [Scoped deployment](/defender-cloud-apps/scoped-deployment) for Microsoft Defender for Identity alerts in Microsoft Defender for Cloud Apps, these permissions do not carry over. You need to explicitly grant the Security operations \ Security data \ Security data basics (read) permissions for the relevant portal users.
 
 <a name='map-microsoft-defender-for-cloud-apps-permissions-to-the-microsoft-365-defender-unified-rbac-permissions'></a>
-
 ### Map Microsoft Defender for Cloud Apps permissions to the Microsoft Defender XDR Unified RBAC permissions (Preview)
 
 > [!IMPORTANT]
 > App Governance supports Microsoft Entra roles as described in [Roles in app governance for Microsoft Defender for Cloud Apps](/defender-cloud-apps/app-governance-get-started#roles) and does not support the roles defined in the integration of Defender for Cloud Apps with unified RBAC.</br></br>
 > Once you activate the Defender for Cloud Apps integration with Microsoft Defender XDR Unified RBAC, the following roles, configured through [built-in scoped roles](/defender-cloud-apps/manage-admins#roles-and-permissions) in Defender for Cloud Apps, will no longer be supported: **App/instance admin**, **User group admin**, **Cloud Discovery global admin**, and **Cloud Discovery report admin**.
 
+|Defender for Cloud Apps permission|Defender XDR Unified RBAC permission|
+|---|-----|
+|Local Global administrator|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage)</br>Authorization and settings \ Authorization (all permissions) </br>Authorization and settings \ Security settings (all permissions) </br>Authorization and settings \ System settings (all permissions)|
+|Local Security operator|Security operations \ Security data \ Security data basics (read) </br>Security operations \ Security data \ Alerts (manage)</br>Authorization and settings \ Authorization (read) </br>Authorization and settings \ Security setting (all permissions) </br>Authorization and settings \ System setting (read)|
+|Local Security reader|Security operations \ Security data \ Security data basics (read)</br>Authorization and settings \ Authorization (read) </br>Authorization and settings \ Security settings \ Security settings (read) </br>Authorization and settings \ System settings (read)|
+|Local Compliance administrator|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage)</br>Authorization and settings \ Authorization (read) </br>Authorization and settings \ Security settings \ Security settings (all permissions) </br>Authorization and settings \ System settings (read)|
+
+### Unified RBAC roles in Microsoft Defender for Cloud
+
+Unified Role-Based Access Control (uRBAC) lets you manage permissions across Microsoft Defender for Cloud resources using a consistent model. Roles define what actions users can perform and assign roles carefully to maintain least-privilege access.
+
+The following table lists the available uRBAC roles and their permissions.
+
+| **Role**                | **Permissions**                                                                                              | **Description**                                                                 |
+|-------------------------|----------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------|
+| **Security data basics**: Security operations / Security data / Security data basics (read)   | Read | Access alerts, incidents, investigations, hunting, devices, cloud assets, and reports. Includes cloud inventory and threat protection. |
+| **Alerts**: Security operations / Security data / Alerts (manage) | Manage | Manage alerts, investigations, scans, device tags, and packages. Includes cloud threat protection features. |
+| **Vulnerability Management**: Security posture / Posture management / Vulnerability management (read) | Read | View vulnerability data: software inventory, weaknesses, missing KBs, baselines, hunting, and devices. Includes data lake (Preview). |
+| **Exposure Management**: Security posture / Posture management / Exposure Management (read); Security posture / Posture management / Exposure Management (manage) | Read/Manage  | View or manage exposure insights, including Secure Score, recommendations, initiatives, and metrics.|
+
+> [!NOTE]
+> Roles can be combined for broader access, but always apply least-privilege principles. Some capabilities may require additional permissions or feature enablement.
+
+### Map Microsoft Defender for Cloud Apps permissions to the Microsoft Defender XDR Unified RBAC permissions (Preview)
+
+> [!IMPORTANT]
+> App Governance supports Microsoft Entra roles as described in [Roles in app governance for Microsoft Defender for Cloud Apps](/defender-cloud-apps/app-governance-get-started#roles) and does not support the roles defined in the integration of Defender for Cloud Apps with unified RBAC.</br></br>
+> Once you activate the Defender for Cloud Apps integration with Microsoft Defender XDR Unified RBAC, the following roles, configured through [built-in scoped roles](/defender-cloud-apps/manage-admins#roles-and-permissions) in Defender for Cloud Apps, will no longer be supported: **App/instance admin**, **User group admin**, **Cloud Discovery global admin**, and **Cloud Discovery report admin**.
 
 |Defender for Cloud Apps permission|Defender XDR Unified RBAC permission|
 |---|-----|

defender-xdr/create-custom-rbac-roles.md

@@ -149,6 +149,12 @@ You can configure scoped access using Microsoft Defender XDR’s Unified RBAC (U
 
 For more information, see: [Configure scoped access for Microsoft Defender for Identity](/defender-for-identity/configure-scoped-access).
 
+### Configure scoped roles for Microsoft Defender for Cloud
+
+You can configure scoped access using Microsoft Defender XDR’s Unified RBAC model for resources managed by Microsoft Defender for Cloud. This enables you to limit access and visibility to specific **subscriptions**, **resource groups**, or **individual resources**. By applying scoped roles, you help ensure that team members only see and manage the assets relevant to their responsibilities, reducing unnecessary exposure and improving operational security.
+
+For more information, see: [Manage cloud scopes and unified role-based access control](/azure/defender-for-cloud/cloud-scopes-unified-rbac&pivots=defender-portal).
+
 ## Next steps
 
 - [Import existing RBAC roles](import-rbac-roles.md)

defender-xdr/whats-new-in-microsoft-defender-urbac.md

@@ -19,6 +19,18 @@ ms.date: 07/06/2025
 
 This article provides information about new features and important product updates for the latest release of Microsoft Defender XDR Unified role-based access control (RBAC).
 
+## November 2025
+
+### Microsoft Defender for Cloud permissions are now integrated with Microsoft Defender XDR unified RBAC (Preview)
+
+We’ve introduced Unified Role-Based Access Control (uRBAC) to simplify permission management across Defender for Cloud resources.
+
+Assign roles consistently across cloud scopes.
+Apply least-privilege principles with granular permissions.
+New consolidated role table available for quick reference.
+
+For more information, see: [Unified RBAC roles in Microsoft Defender for Cloud](compare-rbac-roles.md#unified-rbac-roles-in-microsoft-defender-for-cloud)
+
 ## July 2025
 
 ### Microsoft Sentinel data lake permissions integrated with Microsoft Defender XDR unified RBAC (Preview)

exposure-management/TOC.yml

@@ -67,7 +67,11 @@
         - name: Overview
           href: work-attack-paths-overview.md
         - name: Review attack paths
-          href: review-attack-paths.md    
+          href: review-attack-paths.md
+    - name: Vulnerability management
+      items:
+        - name: Vulnerability management integration with Exposure Management
+          href: vulnerability-management-integration.md
     - name: Manage exposure with security insights
       items:
         - name: Overview
@@ -84,7 +88,7 @@
         - name: Review security recommendations
           href: security-recommendations.md
         - name: Explore security events
-          href: security-events.md 
+          href: security-events.md
     - name: Microsoft Defender XDR docs
       items: 
        - name: Microsoft Defender XDR

exposure-management/critical-asset-management.md

@@ -3,29 +3,31 @@ title: Overview of critical asset management in Microsoft Security Exposure Mana
 description: Learn about critical asset management in Microsoft Security Exposure Management.
 ms.author: dlanger
 author: dlanger
-manager: Ornat-Spodek
+manager: ornat-spodek
 ms.topic: overview
 ms.service: exposure-management
-ms.date: 06/09/2025
+ms.date: 07/30/2025
 ---
 
 # Overview of critical asset management
 
-[Microsoft Security Exposure Management](microsoft-security-exposure-management.md) streamlines the identification and prioritization of business-critical assets, enabling risk-managers and SOC teams to focus efforts where they matter most and reduce overall attack surface risk. Asset classification is driven by proprietary classifiers, which can be fine-tuned manually to reflect organizational context. This article details the underlying mechanisms used for identifying and classifying assets within the Critical Assets Protection framework.
+[Microsoft Security Exposure Management](microsoft-security-exposure-management.md) streamlines the identification and prioritization of business-critical assets across all domains including devices, identities, and cloud resources, enabling risk-managers and SOC teams to focus efforts where they matter most and reduce overall attack surface risk. With the integration of Defender for Cloud in the Defender portal, asset classification now covers the unified inventory spanning endpoints, cloud environments, and external attack surfaces. Asset classification is driven by proprietary classifiers, which can be fine-tuned manually to reflect organizational context. This article details the underlying mechanisms used for identifying and classifying assets within the Critical Assets Protection framework.
 
 - Microsoft Defender XDR automatically detects and categorizes critical assets, streamlining identification and enabling immediate protection.  
 - Your security team can prioritize security investigations, posture recommendations, and remediation steps to focus on critical assets and systems first.
 
 ## Predefined classifications
 
-Security Exposure Management provides an out-of-the-box catalog of predefined critical asset classifications for assets that include devices, identities, and cloud resources. Predefined classifications include:
+Security Exposure Management provides an out-of-the-box catalog of predefined critical asset classifications for assets that include devices, identities, and cloud resources across the unified inventory. Predefined classifications include:
 
 - Critical cyber-security assets such as file servers and domain controllers
 - Databases with sensitive data
 - Identity groups such as Power Users
 - User roles like Privileged Role Administrator
+- Cloud resources from Azure, AWS, and GCP environments
+- External assets discovered through third-party integrations
 
-In addition, you can create custom critical assets to prioritize what your organization considers to be critical when assessing exposure and risk.
+In addition, you can create custom critical assets to prioritize what your organization considers to be critical when assessing exposure and risk across all asset types in the unified inventory.
 
 ## Identifying critical assets
 
@@ -53,18 +55,19 @@ In another example, on the [**Attack surface map**](enterprise-exposure-map.md),
 
 You can work with critical asset settings as follows:
 
-- **Create custom classifications**: You can create new critical asset classifications for devices, identities, and cloud resources, tailored to your organization.
-  - You use the query builder to define a new classification. For example, you might build a query to define devices with a specific naming convention as critical.
-  - Creating critical asset classification queries is also useful for limited cases where not all assets of interest are identified.
-- **Add assets to classifications**: You can manually add assets to critical asset classifications.
-- **Modify criticality levels**: You can choose to edit criticality levels according to your organization's risk profile.
+- **Create custom classifications**: You can create new critical asset classifications for devices, identities, and cloud resources from any domain (Azure, AWS, GCP, or on-premises), tailored to your organization.
+  - You use the query builder to define a new classification. For example, you might build a query to define devices with a specific naming convention as critical, or cloud resources with specific tags as critical.
+  - Creating critical asset classification queries is also useful for limited cases where not all assets of interest are identified across the unified inventory.
+- **Add assets to classifications**: You can manually add assets from any domain to critical asset classifications in the unified asset management experience.
+- **Modify criticality levels**: You can choose to edit criticality levels according to your organization's risk profile across all asset types.
 - **Edit custom classifications**: You can edit, delete, and turn off custom classifications. Predefined classifications can't be modified. The "turn off" rule functionality is available for predefined queries. However, it might not be visible to some users due to specific issues.
+- **Third-party data integration**: Assets discovered via third-party connectors (such as ServiceNow CMDB) can be automatically tagged as critical if they meet certain criteria, enhancing critical asset identification across the unified inventory.
 
 ## Reviewing critical assets
 
-The critical asset classification logic uses asset behavior from Microsoft Defender workloads and third-party integrations. To implement different logic, turn off the rule and create a custom rule suited to your scenarios.
+The critical asset classification logic uses asset behavior from Microsoft Defender workloads, cloud environments (Azure, AWS, GCP), and third-party integrations. With the integration of Defender for Cloud in the Defender portal, this now includes assets from the unified inventory across all domains. To implement different logic, turn off the rule and create a custom rule suited to your scenarios.
 
-Some assets that match a classification might not meet the criticality threshold. For example, an asset might be a domain controller, but it might not be deemed critical for your business. Use the asset review feature to add these assets to your defined classification. This  feature allows you to include assets based on your organization's specific criticality criteria.
+Some assets that match a classification might not meet the criticality threshold. For example, an asset might be a domain controller or a cloud resource, but it might not be deemed critical for your business. Use the asset review feature to add these assets to your defined classification. This feature allows you to include assets based on your organization's specific criticality criteria across the entire unified asset inventory, ensuring all critical assets across devices, identities, and cloud resources are properly managed in one place.
 
 ## Critical Asset Protection initiative
 

exposure-management/cross-workload-attack-surfaces.md

@@ -3,15 +3,15 @@ title: Overview of attack surface management in Microsoft Security Exposure Mana
 description: Learn about attack surface management in Microsoft Security Exposure Management. s
 ms.author: dlanger
 author: dlanger
-manager: rayne-wiselman
+manager: ornat-spodek
 ms.topic: overview
 ms.service: exposure-management
-ms.date: 11/04/2024
+ms.date: 10/26/2025
 ---
 
 # Overview of attack surface management
 
-[Microsoft Security Exposure Management](microsoft-security-exposure-management.md) helps you to visualize, analyze, and remediate cross-workload attack surfaces.
+[Microsoft Security Exposure Management](microsoft-security-exposure-management.md) helps you to visualize, analyze, and remediate cross-workload attack surfaces spanning on-premises, cloud, and hybrid environments. With the integration of Defender for Cloud in the Defender portal, attack surface management includes hybrid attack paths that bridge on-premises and cloud contexts, providing comprehensive visibility across your entire digital estate.
 
 ## Enterprise exposure graph
 
@@ -32,21 +32,22 @@ The enterprise exposure graph and the exposure graph schemas extend the existing
 - The schemas provide attack surface information to help understand how potential threats can reach and compromise valuable assets.
 - You use the schema tables and operators to query the enterprise exposure graph. Queries allow you to inspect and search attack surface data, and to retrieve exposure information to help prevent risk.
 - The enterprise exposure graph currently includes assets, findings, and entity relationships from:
-  - Microsoft Defender for Cloud
+  - Microsoft Defender for Cloud (including Azure, AWS, and GCP resources)
   - Microsoft Defender for Endpoint
   - Microsoft Defender Vulnerability Management
   - Microsoft Defender for Identity
   - Microsoft Entra ID
+  - External data sources through Exposure Management connectors (ServiceNow CMDB, Tenable, Qualys, Rapid7)
 
 By correlating exposure queries with other graph data, such as incident data, you can uncover risk to a greater degree.
 
 ## Attack surface map
 
-The attack surface map helps you to visualize the exposure data that you query using the exposure graph schema.  
+The attack surface map helps you to visualize the exposure data that you query using the exposure graph schema, including cloud resources and their relationships.  
 
-In the map you can explore the data, check what assets are at risk, contextualize them in a broader network framework, and prioritize security focus.
+In the map you can explore the data across hybrid environments, check what assets are at risk, contextualize them in a broader network framework that spans on-premises and cloud, and prioritize security focus.
 
-For example, you can check whether a particular asset has unwanted connections, or see whether a device has a path to the internet, and if so, what other devices are exposed.  
+For example, you can check whether a particular asset has unwanted connections across cloud and on-premises environments, see whether a device has a path to the internet through cloud resources, identify how cloud misconfigurations might expose on-premises assets, and understand the full scope of hybrid attack paths.
 
 ## Next steps