
Commit 9cb2aa7

Merge branch 'main' into US428946_WIZ
2 parents ab3ee9c + 809f7ff commit 9cb2aa7


700 files changed

+2185
-1931
lines changed


ATPDocs/remove-inactive-service-account.md

Lines changed: 6 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -6,13 +6,13 @@ ms.topic: how-to
66
#customer intent: As a security administrator, I want to improve security posture in my organization by removing inactive service accounts
77
---
88

9-
# Security Assessment: Remove Inactive Service Accounts (Preview)
9+
# Security Assessment: Remove Stale Service Accounts (Preview)
1010

11-
This recommendation lists Active Directory service accounts detected as inactive (stale) within the past 90 days.
11+
This recommendation lists Active Directory service accounts detected as stale within the past 90 days.
1212

13-
## Why do inactive service accounts pose a risk?
13+
## Why do stale service accounts pose a risk?
1414

15-
Unused service accounts create significant security risks, as some of them can carry elevated privileges. If attackers gain access, the result can be substantial damage. Dormant service accounts might retain high or legacy permissions. When compromised, they provide attackers with discreet entry points into critical systems, granting far more access than a standard user account.
15+
Unused service accounts create significant security risks, as some of them can carry elevated privileges. If attackers gain access, the result can be substantial damage. Stale service accounts might retain high or legacy permissions. When compromised, they provide attackers with discreet entry points into critical systems, granting far more access than a standard user account.
1616

1717
This exposure creates several risks:
1818

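Review bot: New line 11's wording "detected as stale within the past 90 days" is ambiguous: it can be read as "the detection happened within the past 90 days" rather than "no activity for 90 days". The step later in this file states the criterion precisely as accounts that "have not performed any login activity in the last 90 days", so align this sentence with it, e.g. "service accounts that have had no login activity in the past 90 days". The rename from "inactive" to "stale" is applied consistently in the headings and body here, but the file name stays remove-inactive-service-account.md, so any other pages that link by title text will need the same wording update.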
@@ -25,10 +25,9 @@ This exposure creates several risks:
2525

2626
To use this security assessment effectively, follow these steps:
2727

28-
1. Review the recommended action at [https://security.microsoft.com/securescore?viewid=actions ](https://security.microsoft.com/securescore?viewid=actions ) for Remove inactive service account.
29-
1. Review the list of exposed entities to discover which of your service account is inactive.
28+
1. Review the recommended action at [https://security.microsoft.com/securescore?viewid=actions ](https://security.microsoft.com/securescore?viewid=actions) for Remove stale service account.
3029

31-
:::image type="content" source="media/okta-integration/remove-inactive-service-accounts.png" alt-text="Screenshot that shows the recommendation action to remove inactive service accounts." lightbox="media/okta-integration/remove-inactive-service-accounts.png":::
30+
1. Review the list of exposed entities to discover which of your service accounts are stale and have not performed any login activity in the last 90 days.
3231

3332
1. Take appropriate actions on those entities by removing the service account. For example:
3433

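Review bot: New line 28 still carries a trailing space inside the link text: `[https://security.microsoft.com/securescore?viewid=actions ](https://security.microsoft.com/securescore?viewid=actions)`. The space was removed from the URL part but not from the bracketed text, so the rendered link text ends in whitespace; drop it. Also, the deleted `:::image:::` screenshot (old line 31) is not replaced, so the procedure no longer shows what the recommendation looks like in Secure Score; if it was removed only because it showed the old "inactive" name, a refreshed capture would be worth adding (and under a folder more fitting than media/okta-integration/).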
ATPDocs/whats-new.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -42,11 +42,11 @@ Previously, Defender for Identity tenants received Entra ID risk level in the Id
4242

4343
For UEBA tenants without a Microsoft Defender for Identity license, synchronization of Entra ID risk level to the IdentityInfo table remains unchanged.
4444

45-
### New security assessment: Remove inactive service accounts (Preview)
45+
### New security assessment: Remove stale service accounts (Preview)
4646

47-
Microsoft Defender for Identity now includes a new security assessment that helps you identify and remove inactive service accounts in your organization. This assessment lists Active Directory service accounts that have been inactive (stale) for the past 90 days, to help you mitigate security risks associated with unused accounts.
47+
Microsoft Defender for Identity now includes a new security assessment that helps you identify and remove inactive service accounts in your organization. This assessment lists Active Directory service accounts that have been stale for the past 90 days, to help you mitigate security risks associated with unused accounts.
4848

49-
For more information, see: [Security Assessment: Remove Inactive Service Accounts (Preview)](remove-inactive-service-account.md)
49+
For more information, see: Security Assessment: [Remove Stale Service Accounts (Preview)](/defender-for-identity/remove-inactive-service-account)
5050

5151
### New Graph based API for response actions (preview)
5252

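Review bot: New line 47 still says "identify and remove inactive service accounts" while the heading on line 45 and the linked page now use "stale"; change it to "stale service accounts" so the terminology matches (the same sentence already says "stale for the past 90 days"). On line 49, the link target was changed from the relative `remove-inactive-service-account.md` to the absolute `/defender-for-identity/remove-inactive-service-account`; relative links in the same folder are validated at build time, whereas the absolute path only resolves if the docset is published under that base path, so confirm that route exists or keep the relative form. "Security Assessment:" also ended up outside the link text, which looks unintentional.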
CloudAppSecurityDocs/app-governance-app-policies-get-started.md

Lines changed: 11 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,9 @@
11
---
22
title: Get started with app governance policies | Microsoft Defender for Cloud Apps
3-
ms.date: 05/28/2023
3+
ms.date: 08/31/2025
44
ms.topic: how-to
55
description: Get started learning about app governance policies with Microsoft Defender for Cloud Apps in Microsoft Defender XDR
6+
ms.reviewer: shragar456
67
---
78

89
# Get started with app policies
@@ -23,22 +24,21 @@ To see your list of current app policies, go to the **Microsoft Defender XDR > A
2324

2425
For example:
2526

26-
![Screenshot of the app governance policies summary page in Microsoft Defender XDR.](media/app-governance-app-policies-get-started/azure-ad-policies.jpg)
27+
:::image type="content" source="media/app-governance-app-policies-get-started/app-governance-app-policies.png" alt-text="Screenshot that shows the app governance app polcies." lightbox="media/app-governance-app-policies-get-started/app-governance-app-policies.png":::
2728

2829
> [!NOTE]
2930
> Built-in threat detection policies aren't listed on the **Policies** tab. For more information, see [Investigate threat detection alerts](app-governance-anomaly-detection-alerts.md).
3031
>
3132
3233
## What’s available on the app policies dashboard
3334

34-
The **App governance** > **Policies** tab shows the number of active, inactive, and audit mode policies, and the following information for each policy:
35+
The **App governance** > **Policies** tab shows the number of active and disabled policies, and the following information for each policy:
3536

3637
- **Policy name**
3738
- **Status**
3839

3940
- **Active**: All policy evaluation and actions are active.
40-
- **Inactive**: All policy evaluation and actions are disabled.
41-
- **Audit mode**: Policy evaluation is active (alerts will trigger) but policy actions are disabled.
41+
- **Disabled**: All policy evaluation and actions are disabled.
4242

4343
- **Severity**: Severity level set on any alerts triggered because of this policy being evaluated as true, which is part of the configuration of the policy.
4444
- **Active alerts**: Number of alerts generated by the policy that have an **In Progress** or **New** status.
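Review bot: The alt text on new line 27 has a typo: "app polcies" should be "app policies". It is also less descriptive than the text it replaces ("app governance policies summary page in Microsoft Defender XDR"); screen-reader users benefit from the page being named, so consider "Screenshot that shows the app governance Policies tab in Microsoft Defender XDR." Removing the **Audit mode** status (old lines 40-41) is consistent with the later change to the status step in this file, but the rest of the doc set should be checked for remaining references to audit mode.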
@@ -74,22 +74,24 @@ You can also:
7474

7575
1. Select **Edit**.
7676

77-
While you can't change the name of the policy once created, but you can change the description and policy severity as needed. When you're done, select **Next**.
77+
While you can't change the name of the policy once created, you can change the description and policy severity as needed. When you're done, select **Next**.
7878

7979
1. Choose whether you want to continue with the existing policy settings or customize them. Select **No, I'll customize the policy** to make changes, and then select **Next**.
8080

81-
1. Choose whether this policy applies to all apps, specific apps, or all apps except the apps you select. Select **Choose apps** to select which apps to apply the policy to, and then select **Next**.
81+
1. Choose whether this policy applies to all apps, specific apps, or all apps except the apps you select.
82+
83+
1. Select **Choose apps** to select which apps to apply the policy to, and then select **Next**.
8284

8385
1. Choose whether to modify the existing conditions of the policy.
8486

8587
- If you choose to modify the conditions, select **Edit or modify existing conditions for the policy** and choose which policy conditions to apply.
8688
- Otherwise, select **Use existing conditions of the policy**.
8789

88-
When you're done, select **Next**.
90+
1. When you're done, select **Next**.
8991

9092
1. Choose whether to disable the app if it triggers the policy conditions and then select **Next**.
9193

92-
1. Set the policy status to **Audit** mode, **Active**, or **Inactive**, as needed, and then select **Next**.
94+
1. Set the policy status to **Active**, or **Disabled**, as needed, and then select **Next**.
9395

9496
1. Review your setting choices for the policy and if everything is the way you want it, select **Submit**.
9597

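Review bot: New line 94 has a stray comma with only two options: "Set the policy status to **Active**, or **Disabled**" should read "**Active** or **Disabled**". Splitting the app-scope step into two (new lines 81 and 83) leaves the first step without a closing action and makes "Select **Choose apps**" a step of its own even though it only applies when "specific apps" or "all apps except" was chosen; either keep the two sentences in one step as before, or qualify the new step ("If you chose specific apps, select **Choose apps** ...").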
CloudAppSecurityDocs/app-governance-detect-remediate-get-started.md

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,9 @@
11
---
22
title: Get started with app governance threat detection and remediation | Microsoft Defender for Cloud Apps
3-
ms.date: 05/28/2023
3+
ms.date: 08/31/2025
44
ms.topic: overview
55
description: Get started with app governance threat detection and remediation in Microsoft Defender XDR with Microsoft Defender for Cloud Apps.
6+
ms.reviewer: shragar456
67
---
78

89
# Get started with app threat detection and remediation
@@ -13,7 +14,8 @@ To view the latest incidents associated with these alerts, go to the **App gover
1314

1415
For example:
1516

16-
:::image type="content" source="media/app-governance/mapg-cc-overview-alerts.png" alt-text="Screenshot of the App governance > Overview tab with the Latest alerts section highlighted." lightbox="media/app-governance/mapg-cc-overview-alerts.png":::
17+
:::image type="content" source="media/app-governance/app-governance-overview.png" alt-text="Screenshot that shows the App Governance overview tab." lightbox="media/app-governance/app-governance-overview.png":::
18+
1719

1820
On the **Overview** tab, the **Latest alerts** section lists the most recent alerts. You can use these recent alerts to quickly see the current app alert activity for your tenant.
1921

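Review bot: New lines 18-19 leave two consecutive blank lines after the `:::image:::` directive; one is enough, and the extra line will be flagged by markdown lint. The new alt text also drops the detail that the **Latest alerts** section is highlighted, even though the paragraph that follows is about that section; if the new screenshot still highlights it, say so in the alt text.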
CloudAppSecurityDocs/in-browser-protection.md

Lines changed: 13 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ ms.topic: how-to
88

99
# In-browser protection with Microsoft Edge for Business (Preview)
1010

11-
Defender for Cloud Apps users who use Microsoft Edge for Business and are subject to session policies are protected directly from within the browser. In-browser protection reduces the need for proxies, improving both security and productivity.
11+
Defender for Cloud Apps users who use Microsoft Edge for Business or Purview Data Loss Prevention policies for Cloud Apps in Edge and are subject to session policies are protected directly from within the browser. In-browser protection reduces the need for proxies, improving both security and productivity.
1212

1313
Protected users experience a smooth experience with their cloud apps, without latency or app compatibility issues, and with a higher level of security protection.
1414

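Review bot: The new sentence on line 11 is hard to parse: "users who use Microsoft Edge for Business or Purview Data Loss Prevention policies for Cloud Apps in Edge and are subject to session policies" reads as if users "use ... policies". Restructure so the browser and the policy type are separate conditions, e.g. "Defender for Cloud Apps users who use Microsoft Edge for Business and are subject to session policies or to Purview Data Loss Prevention policies for cloud apps are protected directly from within the browser." Also settle on one name; later hunks in this file say "Purview DLP policies".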
@@ -27,14 +27,15 @@ To use in-browser protection, users must also have the following environmental r
2727
|**Operating systems**|Windows 10 or 11, macOS|
2828
|**Identity platform**|Microsoft Entra ID|
2929
|**Microsoft Edge for Business versions**|The last two stable versions. For example, if the newest Microsoft Edge is 126, in-browser protection works for v126 and v125. <br> For more information, see [Microsoft Edge releases](/deployedge/microsoft-edge-release-schedule#microsoft-edge-releases).|
30-
|**Supported session policies**|<ul><li>Block\Monitor of file download (all files\\*sensitive files)</li><li>Block\Monitor file upload (all files\\*sensitive files)</li><li>Block\Monitor copy\cut\paste</li><li>Block\Monitor print</li><li>Block\Monitor malware upload</li><li>Block\Monitor malware download</li></ul> <br> Users that are served by multiple policies, including at least one policy that's *not* supported by Microsoft Edge for Business, their sessions are always served by the reverse proxy. <br><br> Policies defined in the Microsoft Entra ID portal are also always served by reverse proxy.<br> *Sensitive files identified by built-in DLP scanning are not supported for Edge in-browser protection|
30+
|**Supported session policies**|<ul><li>Block\Monitor of file download (all files\\*sensitive files)</li><li>Block\Monitor file upload (all files\\*sensitive files)</li><li>Block\Monitor copy\cut\paste</li><li>Block\Monitor print</li><li>Block\Monitor malware upload</li><li>Block\Monitor malware download</li></ul> <br> Users that are served by multiple policies, including at least one policy that's *not* supported by Microsoft Edge for Business, their sessions are always served by the reverse proxy. <br><br> Policies defined in the Microsoft Entra ID portal are also always served by reverse proxy.<br> *Sensitive files identified by built-in DLP scanning are not supported for Microsoft Edge in-browser protection|
31+
|**Supported Purview DLP policies**|Please see: [Activities you can monitor and take action on in the browser](/purview/dlp-browser-dlp-learn#activities-you-can-monitor-and-take-action-on) <br>Purview policies are always served by in-browser protection.|
3132

3233
All other scenarios are served automatically with the standard reverse proxy technology, including user sessions from browsers that don't support in-browser protection, or for policies not supported by in-browser protection.
3334

3435
For instance, these scenarios are served by the reverse proxy:
3536

3637
- Google Chrome users.
37-
- Microsoft Edge users who are scoped to a protect file download policy.
38+
- Microsoft Edge users who are scoped to a protect file download session policy.
3839
- Microsoft Edge users on Android devices.
3940
- Users in apps that use the OKTA authentication method.
4041
- Microsoft Edge users in InPrivate mode.
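Review bot: The new **Supported Purview DLP policies** row (line 31) states that "Purview policies are always served by in-browser protection", but line 33 and the list below it say that unsupported browsers and scenarios (Google Chrome users, Edge on Android, InPrivate mode, apps using Okta authentication) fall back to the reverse proxy. Clarify whether "always" is scoped to supported Edge for Business sessions or whether Purview DLP policies are not enforced at all in those fallback scenarios; as written, a reader may assume Chrome sessions are covered. Also, "Please see:" should be just "See" to match the style used elsewhere in the table ("For more information, see ...").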
@@ -52,20 +53,20 @@ Also, the `.mcas.ms` suffix doesn't appear in the browser address bar with in-br
5253

5354
### Work profile enforcement for in-browser protection
5455

55-
To access a work resource in *contoso.com* with in-browser protection, users must sign in with their `[email protected]` profile. If users try to access the work resource from outside the work profile, they're prompted to switch to the work profile or create one if it doesn't exist. Users can also choose to continue with their current profile, in which case they're served by the [reverse proxy architecture](proxy-intro-aad.md).
56+
To access a work resource in *contoso.com* with in-browser protection, you must sign in with your `[email protected]` profile. If you try to access the work resource from outside the work profile, you will be prompted to switch to the work profile or create one if it doesn't exist. If access from the Microsoft Edge work profile isn't enforced, you can also choose to continue with your current profile, in which case you're served by the [reverse proxy architecture](proxy-intro-aad.md).
5657

57-
If the user decides to create a new work profile, they're prompted with the **Allow my organization to manage my device** option. In such cases, users don't need to select this option to create the work profile or benefit from in-browser protection.
58+
If you decide to create a new work profile, you'll see a prompt with the **Allow my organization to manage my device** option. In such cases, you don't need to select this option to create the work profile or benefit from in-browser protection.
5859

5960
For more information, see [Microsoft Edge for Business](/deployedge/microsoft-edge-for-business) and [How to add new profiles to Microsoft Edge](https://www.microsoft.com/edge/learning-center/how-to-add-new-profiles).
6061

6162
## Configure in-browser protection settings
6263

63-
In-browser protection with Microsoft Edge for Business is turned on by default. Admins can turn the integration off and on, and can configure a prompt for non-Microsoft Edge users to switch to Microsoft Edge for enhanced performance and security.
64+
In-browser protection with Microsoft Edge for Business is turned on by default, with **Do not enforce** selected. You can turn the integration off and on, change settings to enforce use of Microsoft Edge for Business, and configure a prompt for non-Microsoft Edge users to switch to Microsoft Edge for enhanced performance and security.
6465

6566
1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **System** \> **Settings** \> **Cloud apps** \> **Conditional Access App Control** section \> **Edge for Business protection**. Or, to go directly to the **Edge for Business protection** page, use <https://security.microsoft.com/cloudapps/settings?tabid=edgeIntegration>.
6667

6768
2. On the **Edge for Business protection** page, configure the following settings as needed:
68-
- **Turn on Edge for Business browser protection**: The default value is **On**, but you can toggle the setting to **Off**.
69+
- **Turn on Edge for Business browser protection**: The default value for this is **On**, but you can toggle the setting to **Off**.
6970
- **Notify users in non-Edge browsers to use Microsoft Edge for Business for better performance and security**: If you select the check box, select one of the following values that appear:
7071
- **Use default message** (default)
7172
- **Customize message**: Enter the custom text in the box that appears.
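Review bot: The rewritten intro on line 64 says the feature is on by default "with **Do not enforce** selected" and that you can "change settings to enforce use of Microsoft Edge for Business", but the settings listed under step 2 in this hunk (lines 69-72) contain no enforce/do-not-enforce option; make sure that setting is described in the list (possibly in the elided lines 73-74) so the intro and the procedure match. Minor: line 56 mixes "you will be prompted" with the contractions used in the same passage ("you'll see", "you're served"); use "you're prompted". On line 69, "The default value for this is **On**" is wordier than the original "The default value is **On**" with no gain.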
@@ -74,17 +75,16 @@ In-browser protection with Microsoft Edge for Business is turned on by default.
7475

7576
When you're finished on the **Edge for Business protection** page, select **Save**.
7677

77-
## Working with Microsoft Purview and Endpoint data loss prevention
78+
## Working with Microsoft Purview Endpoint data loss prevention
79+
Endpoint DLP policies are prioritized and applied if the same context and action are configured for the Endpoint policy and either a Defender for Cloud Apps session policy or a [Purview DLP policy for cloud apps](/purview/dlp-browser-dlp-learn#activities-you-can-monitor-and-take-action-on).
7880

79-
If the same exact context and action are configured for both Defender for Cloud Apps policies and a Microsoft Purview Endpoint data loss prevention policy (DLP), the Endpoint DLP policy is applied.
81+
For example, you have an Endpoint DLP policy that blocks a file upload to Salesforce, and you also have a Defender for Cloud Apps session policy that monitors file uploads to Salesforce. In this scenario, the Endpoint DLP policy is applied.
8082

81-
For example, you have an Endpoint DLP policy that blocks a file upload to Salesforce, and you also have a Defender for Cloud Apps policy that monitors file uploads to Salesforce. In this scenario, the Endpoint DLP policy is applied.
82-
83-
For more information, see [Learn about data loss prevention](/purview/dlp-learn-about-dlp).
83+
For more information, see [Learn about Endpoint data loss prevention](/purview/endpoint-dlp-learn-about).
8484

8585
## Enforce Microsoft Edge browser protection when accessing business apps
8686

87-
Administrators who understand the power of Microsoft Edge browser protection can require users to use Microsoft Edge when accessing corporate resources. A primary reason is security, since the barrier to circumventing session controls using Microsoft Edge is much higher than with reverse proxy technology.
87+
Administrators who understand the power of Microsoft Edge browser protection can require users to use Microsoft Edge when accessing corporate resources. A primary reason is security, since the barrier to circumventing session controls using Microsoft Edge is much higher than with reverse proxy technology. For Purview DLP policies, these settings are required to be on and enforcing access only from Microsoft Edge for business application when using policies that [help prevent users from sharing sensitive info with Cloud Apps in Edge for Business](/purview/dlp-create-policy-prevent-cloud-sharing-from-edge-biz).
8888

8989
1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **System** \> **Settings** \> **Cloud apps** \> **Conditional Access App Control** section \> **Edge for Business protection**. Or, to go directly to the **Edge for Business protection** page, use <https://security.microsoft.com/cloudapps/settings?tabid=edgeIntegration>.
9090

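Review bot: The sentence added at the end of line 87 is ungrammatical: "these settings are required to be on and enforcing access only from Microsoft Edge for business application when using policies that ...". Suggest "For Purview DLP policies, this setting must be turned on and set to enforce access only from Microsoft Edge for Business when you use policies that [help prevent users from sharing sensitive info with Cloud Apps in Edge for Business](...)"; also capitalize "Business" to match the product name used elsewhere. Separately, new line 79 places the paragraph directly under the "## Working with Microsoft Purview Endpoint data loss prevention" heading on line 78 with no blank line between them (the old version had one); add the blank line so the heading renders reliably and lint passes.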
