Merge branch 'main' into docs-editor/migrate-devices-streamlined-1741343630

Author: lakshmyav

.github/workflows/AutoLabelMsftContributor.yml

@@ -31,4 +31,5 @@ jobs:
           PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
         secrets:
           AccessToken: ${{ secrets.GITHUB_TOKEN }}
-          TeamReadAccessToken: ${{ secrets.ORG_READTEAMS_TOKEN }}
+          ClientId: ${{ secrets.M365_APP_CLIENT_ID }}
+          PrivateKey: ${{ secrets.M365_APP_PRIVATE_KEY }}

.openpublishing.redirection.defender-xdr.json

@@ -259,6 +259,51 @@
       "source_path": "defender-xdr/microsoft-sentinel-onboard.md",
       "redirect_url": "/unified-secops-platform/microsoft-sentinel-onboard",
       "redirect_document_id": false
-    }
+    },
+    {
+      "source_path": "defender-xdr/first-incident-path-phishing.md",
+      "redirect_url": "/security/operations/incident-response-playbook-phishing",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/first-incident-path-identity.md",
+      "redirect_url": "/defender-for-identity/manage-security-alerts",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/incident-response-overview.md",
+      "redirect_url": "/defender-xdr/incidents-overview",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-xdr/respond-first-incident-analyze.md",
+      "redirect_url": "/defender-xdr/investigate-incidents",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-xdr/respond-first-incident-365-defender.md",
+      "redirect_url": "/defender-xdr/manage-incidents",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-xdr/export-incidents-queue.md",
+      "redirect_url": "/defender-xdr/incident-queue",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-xdr/respond-first-incident-remediate.md",
+      "redirect_url": "/defender-xdr/incidents-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/m365d-time-zone.md",
+      "redirect_url": "/defender-xdr/m365d-enable-faq",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-xdr/feedback.md",
+      "redirect_url": "/defender-xdr/m365d-enable-faq",
+      "redirect_document_id": false
+    },                                       
   ]
 }

ATPDocs/role-groups.md

@@ -15,6 +15,9 @@ Users that are already [Global Administrators](/entra/identity/role-based-access
 
 For other users, enable and use Microsoft 365 role-based access control (RBAC) to create custom roles and to support more Entra ID roles such as Security operator or Security Reader by default to manage access to Defender for Identity.
 
+> [!IMPORTANT]
+>Starting March 2, 2025, new Microsoft Defender for Identity tenants can only configure permissions through Microsoft Defender XDR [Unified Role-Based Access Control (RBAC)](/defender-xdr/manage-rbac). Tenants with roles assigned or exported before this date will retain their current configuration.
+
 When creating your custom roles, make sure that you apply the permissions listed in the following table:
 
 |Defender for Identity access level | Minimum required Microsoft 365 unified RBAC permissions      |
@@ -41,15 +44,17 @@ The following table details the specific permissions required for Defender for I
 | ------------------- | ---------------------- |
 | **Onboard Defender for Identity** (create workspace)   |  [Security Administrator](/entra/identity/role-based-access-control/permissions-reference) |
 | **Configure Defender for Identity settings**      | One of the following Microsoft Entra roles:<br>- [Security Administrator](/entra/identity/role-based-access-control/permissions-reference)<br>- [Security Operator](/entra/identity/role-based-access-control/permissions-reference)<br> **Or** <br>The following [Unified RBAC permissions](#unified-role-based-access-control-rbac):<br />- `Authorization and settings/Security settings/Read`<br/>- `Authorization and settings/Security settings/All permissions`<br/>- `Authorization and settings/System settings/Read`<br/>- `Authorization and settings/System settings/All permissions` |
-|**View Defender for Identity settings**      | One of the following Microsoft Entra roles:<br>- [Global Reader](/entra/identity/role-based-access-control/permissions-reference)<br>- [Security Reader](/entra/identity/role-based-access-control/permissions-reference) <br> **Or** <br>The following [Unified RBAC permissions](#unified-role-based-access-control-rbac):<br />- `Authorization and settings/Security settings/Read` <br/>- `Authorization and settings/System settings/Read`|
+|**View Defender for Identity settings**      | Microsoft Entra roles:<br>- [Security Reader](/entra/identity/role-based-access-control/permissions-reference) <br> **Or** <br>The following [Unified RBAC permissions](#unified-role-based-access-control-rbac):<br />- `Authorization and settings/Security settings/Read` <br/>- `Authorization and settings/System settings/Read`|
 |**Manage Defender for Identity security alerts and activities**                           | One of the following Microsoft Entra roles:<br>- [Security Operator](/entra/identity/role-based-access-control/permissions-reference)<br> **Or** <br>The following [Unified RBAC permissions](#unified-role-based-access-control-rbac):<br />- `Security operations/Security data/Alerts (Manage)`<br/>- `Security operations/Security data /Security data basics (Read)` |
 | **View Defender for Identity security assessments** <br> (now part of Microsoft Secure Score) | [Permissions](/microsoft-365/security/defender/microsoft-secure-score#required-permissions) to access Microsoft Secure Score <br> **And** <br> The following [Unified RBAC permissions](#unified-role-based-access-control-rbac): `Security operations/Security data /Security data basics (Read)`|
 |**View the Assets / Identities page**|[Permissions](/defender-cloud-apps/manage-admins) to access Defender for Cloud Apps <br> **Or** <br> One of the Microsoft Entra roles required by [Microsoft Defender XDR](/microsoft-365/security/defender/m365d-permissions) |
 |**Perform Defender for Identity response actions** |A [custom role](/microsoft-365/security/defender/create-custom-rbac-roles) defined with permissions for **Response (manage)**<br> **Or** <br> One of the following Microsoft Entra roles:<br>- [Security Operator](/entra/identity/role-based-access-control/permissions-reference) |
 
-
 ## Defender for Identity security groups
 
+ > [!IMPORTANT]
+> Starting March 2, Defender for Identity will no longer create Microsoft Entra ID security groups. Tenants can still configure the same permissions through  Microsoft Defender XDR [Unified Role-Based Access Control (RBAC)](/defender-xdr/manage-rbac)
+
 Defender for Identity provides the following security groups to help manage access to Defender for Identity resources:
 
 - **Azure ATP *(workspace name)* Administrators**

ATPDocs/security-assessment.md

@@ -9,13 +9,13 @@ ms.topic: how-to
 
 Typically, organizations of all sizes have limited visibility into whether or not their on-premises apps and services could introduce a security vulnerability to their organization. The problem of limited visibility is especially true regarding use of unsupported or outdated components.
 
-While your company may invest significant time and effort on hardening identities and identity infrastructure (such as Active Directory, Active Directory Connect) as an on-going project, it's easy to remain unaware of common misconfigurations and use of legacy components that represent one of the greatest threat risks to your organization. 
+While your company might invest significant time and effort on hardening identities and identity infrastructure (such as Active Directory, Active Directory Connect) as an ongoing project, it's easy to remain unaware of common misconfigurations and use of legacy components that represent one of the greatest threat risks to your organization. 
 
 Microsoft security research reveals that most identity attacks utilize common misconfigurations in Active Directory and continued use of legacy components (such as NTLMv1 protocol) to compromise identities and successfully breach your organization. To combat this effectively, Microsoft Defender for Identity now offers proactive identity security posture assessments to detect and recommend actions across your on-premises Active Directory configurations.
 
 ## What do Defender for Identity security assessments provide?
 
-Defender for Identity's security posture assessments are available in [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score), and provide:
+Defender for Identity security posture assessments are available in [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score), and provide:
 
 - **Detections and contextual data** on known exploitable components and misconfigurations, along with relevant paths for remediation.
 
@@ -25,11 +25,21 @@ Defender for Identity's security posture assessments are available in [Microsoft
 
 Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at <https://security.microsoft.com/securescore> in the [Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-defender).
 
+### Categorization of Defender for Identity security posture assessments
+
+Defender for Identity security posture assessments have five key categories. Each category addresses specific identity security risks and provides remediation guidance.
+
+- **Hybrid security**: Identifies misconfigurations in environments that integrate on-premises (e.g., Active Directory) and cloud-based identity providers (e.g., Entra ID, Okta). Assesses risks related to synchronization, authentication, and authorization across platforms.
+- **Identity infrastructure**: Detects misconfigurations and vulnerabilities in core identity components, including domain controllers.
+- **Certificates**: Assesses Active Directory Certificate Services (AD CS) for security gaps, such as misconfigured certificate templates or weak certificate authority settings. Identifying and addressing these issues helps prevent unauthorized access that could arise from certificate-related vulnerabilities.
+- **Group policy**: Analyzes Group Policy configurations to identify settings that might allow privilege escalation or unauthorized lateral movement within the network. Ensuring secure Group Policy settings helps maintain proper access controls and system configurations.
+- **Accounts**: Reviews users, devices, and groups to pinpoint security risks such as weak passwords, inactive accounts, or improper permissions.
+
 ## Access Defender for Identity security posture assessments
 
+> [!NOTE]
 You must have a Defender for Identity license to view Defender for Identity security posture assessments in Microsoft Secure Score.
-
-While *certificate template* assessments are available to all customers that have AD CS installed on their environment, *certificate authority* assessments are available only to customers who've installed a sensor on an AD CS server. For more information, see [Configuring sensors for AD FS and AD CS](deploy/active-directory-federation-services.md).
+While *certificate template* assessments are available to all customers with AD CS installed in their environment, *certificate authority* assessments are available only to customers who have installed a sensor on an AD CS server. For more information, see [Configuring sensors for AD FS and AD CS](deploy/active-directory-federation-services.md).
 
 **To access identity security posture assessments**: