Merge pull request #5528 from MicrosoftDocs/main

[AutoPublish] main to live - 11/06 10:38 PST | 11/07 00:08 IST

Author: m365-skilling-repo-management[bot]

defender-endpoint/respond-machine-alerts.md

@@ -363,9 +363,7 @@ When an identity in your network might be compromised, you must prevent that ide
 > Blocking incoming communication with a "contained" user is supported on onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and higher), Windows Server 2019+ devices, and Windows Servers 2012R2 and 2016 with the modern agent.
 
 > [!IMPORTANT]
-> As part of the active protection provided by Microsoft Defender for Endpoint, a distributed mechanism can apply LSA Policy to prevent compromised users from accessing machines in your organization. Currently, when this policy is applied on Domain Controllers, it may cause Group Policy synchronization activity across domain controllers.
->
-> We are gradually rolling out a new solution by integrating with new OS APIs. This deployment will be phased and thoroughly tested to ensure stability and security. During this rollout, LSA Policy enforcement on your servers will be temporarily removed to prevent potential GPO sync. This change will remain in effect until the rollout is complete.
+> Once a **Contain user** action is enforced on a domain controller, it starts a GPO update on the Default Domain Controller policy. A change of a GPO starts a sync across the domain controllers in your environment.  This is expected behavior, and if you monitor your environment for AD GPO changes, you may be notified of such changes. Undoing the **Contain user** action reverts the GPO changes to their previous state, which will then start another AD GPO synchronization in your environment. Learn more about [merging of security policies on domain controllers](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj966251(v=ws.11)#merging-of-security-policies-on-domain-controllers).
 
 ### How to contain a user
 

defender-for-identity/configure-scoped-access.md

@@ -8,8 +8,8 @@ ms. reviewer: 'LiorShapiraa'
 
 # Configure scoped access for Microsoft Defender for Identity
 
-As organizations grow and their identity environments become more complex, it's important to control who has access to which resources. Microsoft Defender for Identity scoping lets you focus monitoring on specific Active Directory domains. This helps improve efficiency by reducing noise from nonessential data and focusing on critical assets. You can also limit visibility to specific entities, so access matches each person's responsibilities. 
-Scoped access is implemented by creating a custom role using Microsoft Defender XDR Unified RBAC. During the role configuration process, you define which users or groups have access to specific Active Directory domains or Microsoft Entra ID groups.
+As organizations grow and their identity environments become more complex, it's important to control who has access to which resources. Microsoft Defender for Identity scoping lets you focus monitoring on specific Active Directory domains or organizational units. This helps improve efficiency by reducing noise from nonessential data and focusing on critical assets. You can also limit visibility to specific entities, so access matches each person's responsibilities.
+Scoped access is implemented by [creating a custom role using Microsoft Defender XDR Unified RBAC](/defender-xdr/create-custom-rbac-roles). During the role configuration process, you define which users or Entra ID groups have access to specific Active Directory domains or Organizational units.
 
 ## Prerequisites
 
@@ -25,7 +25,7 @@ Before you begin, make sure you meet the following requirements:
 
 To enable identity scoping, follow these steps:​
 
-1. Navigate to **Permissions > Microsoft Defender XDR >  Roles​**.
+1. Navigate to **Permissions > Microsoft Defender XDR > Roles​**.
 
     :::image type="content" source="media/custom-roles/permissions-roles.png" alt-text="Screenshot showing the roles page in the Defender XDR portal.":::
 
@@ -40,34 +40,40 @@ To enable identity scoping, follow these steps:​
 1. Select Add assignments and add the Assignment name.
     1. Under **Assign users and groups**, enter the usernames or Microsoft Entra ID groups you want to assign to the role.
     1. Select Microsoft Defender for Identity as the data source.
-    1. Under **Scope**, select the user groups (AD domains) that will be scoped to the assignment.
-     :::image type="content" source="media/custom-roles/add-assignment.png" alt-text="Screenshot showing how to add Defender for Identity to your scoping role.":::
-1. Select **Add**.
+   1. Under **Scope**, select the user groups (AD domains or OU's) that will be scoped to the assignment. For an optimal experience, use the filter or search box.
+   ![Screenshot showing how the user selects the user group to be scoped to the assignment.](media/configure-scoped-access/add-scope.png)
+   
+   ![Screenshot that shows how to create a custom scope.](media/configure-scoped-access/custom-scope.png)
+   
+   
+1. Select **Apply** and **Add**.
 
 
-### Known limitations (Preview)
 
-Defender for Identity scoping is currently in Public preview. The following table lists the current limitations and supported scenarios for scoped access in Microsoft Defender for Identity.
+### Known limitations
+
+The following table lists the current limitations and supported scenarios for scoped access in Microsoft Defender for Identity.
 
 > [!NOTE]
 > - Custom roles apply only to new alerts and activities. Alerts and activities triggered before a custom role was created aren't retroactively tagged or filtered.
 >
 > - Microsoft Entra ID IP alerts aren't included within scoped MDI detections.
 
-|Defender for Identity experience |Status |
-|---------|---------|
-|MDI alerts and incidents  | Available
-|Hunting tables: AlertEvidence+Info, IdentityInfo, IdentityDirectoryEvents, IdentityLogonEvents, IdentityQueryEvents     |   Available      |
-|User page and user global search  |   Available      |
-|MDI alerts based on XDR detection platform (detection source is XDR and service source is MDI)     |   Available      |
-|Health issues       |   Available      |
-|Identities inventory and service accounts discovery page     |  Available      |
-|Identities settings: sensors page, manual tagging, health issues notifications  |   Available      |
-|Defender XDR Incident email notifications     | Unavailable      |
-|ISPMs and exposure management     |   Unavailable      |
-|Download scheduled reports and Graph API    |   Unavailable      |
-|Device and group global search and entity page     |   Unavailable      |
-|Alert tuning and critical asset management   |   Unavailable      |
+|Defender for Identity experience |Scoping by OU's|Scoping by AD domain|
+|---------| -------- |---------|
+|MDI alerts and incidents  |Available| Available|
+|Hunting tables: AlertEvidence+Info, IdentityInfo, IdentityDirectoryEvents, IdentityLogonEvents, IdentityQueryEvents     |Available|   Available      |
+|User page and user global search  |Available|   Available      |
+|MDI alerts based on XDR detection platform (detection source is XDR and service source is MDI)     |Available|   Available      |
+|Health issues       |Unavailable|   Available      |
+|Identities inventory and service accounts discovery page     |Available|  Available      |
+|Identities settings: manual tagging|Available|Available|
+|Identities settings: sensors page, health issues notifications  |Unavailable|   Available      |
+|Defender XDR Incident email notifications     |Available| Unavailable      |
+|ISPMs and exposure management     |Unavailable|   Unavailable      |
+|Download scheduled reports and Graph API    |Unavailable|   Unavailable      |
+|Device and group global search and entity page     |Available|   Available      |
+|Alert tuning and critical asset management   |Unavailable|   Unavailable      |
 
 ### Related articles
 

defender-for-identity/media/configure-scoped-access/add-scope.png

@@ -30,7 +30,6 @@ Alerts from the last seven days are displayed with the following information:
 :::image type="content" source="media/understanding-security-alerts/filtered-alerts.png" alt-text="Screenshot showing the Alerts page in the Defender portal. Two alerts named Suspected brute-force are listed with full alert details."  lightbox="media/understanding-security-alerts/filtered-alerts.png":::
 
 
-
 ## Customize the view of the alerts queue
 
 You can customize the view of the alerts queue in a few ways. Using the tools at the top of the page, you can: