MicrosoftDocs
diff --git a/‎ATPDocs/deploy/activate-capabilities.md‎
Lines changed: 1 addition & 1 deletion b/‎ATPDocs/deploy/activate-capabilities.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ATPDocs/deploy/deploy-defender-identity.md‎
Lines changed: 7 additions & 4 deletions b/‎ATPDocs/deploy/deploy-defender-identity.md‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎ATPDocs/deploy/download-sensor.md‎
Lines changed: 6 additions & 3 deletions b/‎ATPDocs/deploy/download-sensor.md‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎ATPDocs/deploy/install-sensor.md‎
Lines changed: 6 additions & 3 deletions b/‎ATPDocs/deploy/install-sensor.md‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎ATPDocs/deploy/prerequisites.md‎
Lines changed: 1 addition & 1 deletion b/‎ATPDocs/deploy/prerequisites.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ATPDocs/deploy/quick-installation-guide.md‎
Lines changed: 6 additions & 3 deletions b/‎ATPDocs/deploy/quick-installation-guide.md‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎CloudAppSecurityDocs/app-governance-app-policies-create.md‎
Lines changed: 5 additions & 5 deletions b/‎CloudAppSecurityDocs/app-governance-app-policies-create.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎CloudAppSecurityDocs/app-governance-get-started.md‎
Lines changed: 5 additions & 4 deletions b/‎CloudAppSecurityDocs/app-governance-get-started.md‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎CloudAppSecurityDocs/app-governance-visibility-insights-get-started.md‎
Lines changed: 3 additions & 3 deletions b/‎CloudAppSecurityDocs/app-governance-visibility-insights-get-started.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎CloudAppSecurityDocs/app-governance-visibility-insights-view-apps.md‎
Lines changed: 5 additions & 5 deletions b/‎CloudAppSecurityDocs/app-governance-visibility-insights-view-apps.md‎
Lines changed: 5 additions & 5 deletions
@@ -12,7 +12,7 @@ Microsoft Defender for Endpoint customers, who have already onboarded their doma
 This article describes how to activate and test Microsoft Defender for Identity capabilities on your domain controller.
 
 > [!IMPORTANT]
-> The new sensor is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor.
+> The new sensor is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor [here](https://learn.microsoft.com/defender-for-identity/deploy/quick-installation-guide)
 
 ## Prerequisites
 
 
@@ -53,14 +53,17 @@ Use the following steps to prepare for deploying Defender for Identity:
 > We recommend running the [*Test-MdiReadiness.ps1*](https://github.com/microsoft/Microsoft-Defender-for-Identity/tree/main/Test-MdiReadiness) script to test and see if the servers in your environment have the necessary prerequisites.
 > You can use the [DefenderForIdentity PowerShell module](https://www.powershellgallery.com/packages/DefenderForIdentity/) to add the required auditing and configure the necessary settings.
 
-## Deploy Defender for Identity
+> [!IMPORTANT]
+> The new sensor is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor. [Learn more about the new sensor](/defender-for-identity/deploy/activate-capabilities)
+
+## Deploy Defender for Identity classic sensor
 
 After you've prepared your system, use the following steps to deploy Defender for Identity:
 
 1. [Verify connectivity to the Defender for Identity service](configure-proxy.md).
-1. [Download the Defender for Identity sensor](download-sensor.md).
-1. [Install the Defender for Identity sensor](install-sensor.md). 
-1. [Configure the Defender for Identity sensor](configure-sensor-settings.md) to start receiving data.
+1. [Download the Defender for Identity classic sensor](download-sensor.md).
+1. [Install the Defender for Identity classic sensor](install-sensor.md). 
+1. [Configure the Defender for Identity classic sensor](configure-sensor-settings.md) to start receiving data.
 
 ## Post-deployment configuration
 
 
@@ -5,9 +5,12 @@ ms.date: 06/13/2023
 ms.topic: how-to
 ---
 
-# Download the Microsoft Defender for Identity sensor
+# Download the Microsoft Defender for Identity classic sensor
 
-This article describes how to download the Microsoft Defender for Identity sensor for your domain controllers or AD CS / AD FS servers. 
+This article describes how to download the Microsoft Defender for Identity classic sensor for your domain controllers or AD CS / AD FS and Entra Connect servers. 
+
+> [!IMPORTANT]
+> The new sensor is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor. [Learn more about the new sensor](/defender-for-identity/deploy/activate-capabilities)
 
 ## Add a sensor and download sensor software
 
@@ -17,7 +20,7 @@ This article describes how to download the Microsoft Defender for Identity senso
 
     [![Screenshot of the Sensors tab.](../media//sensor-page.png)](../media/sensor-page.png#lightbox)
 
-1. Select **Add sensor**. Then, in the **Add a new sensor** pane, select **Download installer** and save the installation package locally. The downloaded zip file includes the following files:
+1. Select **Add sensor**. Then, in the **Add a new sensor** pane, select **Download installer**, and save the installation package locally. The downloaded zip file includes the following files:
 
     - The Defender for Identity sensor installer
 
 
@@ -7,7 +7,10 @@ ms.topic: how-to
 
 # Install a Microsoft Defender for Identity sensor
 
-This article describes how to install a Microsoft Defender for Identity sensor, including a standalone sensor. The default recommendation is to use the UI. However:
+> [!IMPORTANT]
+> The new sensor is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor. [Learn more about the new sensor](/defender-for-identity/deploy/activate-capabilities)
+
+This article describes how to install a Microsoft Defender for Identity classic sensor, including a standalone sensor. The default recommendation is to use the UI. However:
 
 - When you're installing the sensor on Windows Server Core, or to deploy the sensor via a software deployment system, follow the steps for [silent installation](#perform-a-defender-for-identity-silent-installation) instead.
 
@@ -29,9 +32,9 @@ Before you start, make sure that you have:
 
 - Trusted root certificates on your machine. If your trusted root CA-signed certificates are missing, [you might receive a connection error](../troubleshooting-known-issues.md#proxy-authentication-problem-presents-as-a-connection-error).
 
-## Install the sensor by using the UI
+## Install the classic sensor by using the UI
 
-Perform the following steps on the domain controller, Active Directory Federation Services (AD FS) server, or Active Directory Certificate Services (AD CS) server.
+Perform the following steps on the domain controller, Active Directory Federation Services (AD FS) server, Active Directory Certificate Services (AD CS) server or Entra Connect server.
 
 1. Verify that the machine has connectivity to the relevant [Defender for Identity cloud service endpoints](configure-proxy.md#enable-access-to-defender-for-identity-service-urls-in-the-proxy-server).
 
 
@@ -121,7 +121,7 @@ This article lists prerequisites required for a basic installation. Additional p
 
 For more information, see:
 
-- [Deploying Microsoft Defender for Identity on AD FS and AD CS servers](active-directory-federation-services.md)
+- [Deploying Microsoft Defender for Identity on AD FS, AD CS and Entra Connect servers](active-directory-federation-services.md)
 - [Microsoft Defender for Identity multi-forest support](multi-forest.md)
 - [Microsoft Defender for Identity standalone sensor prerequisites](prerequisites-standalone.md)
 - [Defender for Identity architecture](../architecture.md)
 
@@ -67,16 +67,19 @@ During installation, if .NET Framework 4.7 or later isn't installed, the .NET Fr
 
 When installing your sensors, consider scheduling a maintenance window for your domain controllers.
 
-## Install Defender for Identity
+> [!IMPORTANT]
+> The new sensor is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor. [Learn more about the new sensor](/defender-for-identity/deploy/activate-capabilities)
+
+## Install Defender for Identity classic sensor
 
 
 This procedure describes how to install the Defender for Identity sensor on a Windows server version 2016 or higher. Make sure that your server has the [minimum system requirements](#minimum-system-requirements).
 
 > [!NOTE]
-> Defender for Identity sensors should be installed on all domain controllers, including read-only domain controllers (RODC). If you're installing on an AD FS / AD CS farm or cluster, we recommend installing the sensor on each AD FS / AD CS server.
+> Defender for Identity sensors should be installed on all domain controllers, including read-only domain controllers (RODC). If you're installing on an AD FS / AD CS / Entra Connect farm or cluster, we recommend installing the sensor on each AD FS / AD CS / Entra Connect server.
 >
 
-**To download and install the sensor**:
+**To download and install the classic sensor**:
 
 1. Download the Defender for Identity sensor from the [Microsoft Defender portal](https://security.microsoft.com).
 1. Browse to **System** > **Settings** > **Identities** > **Sensors** > **Add sensor**
 
@@ -99,7 +99,7 @@ Use a custom app policy when you need to do something not already done by one of
    > [!NOTE]
    > Some policy conditions are only applicable to apps that access Graph API permissions. When evaluating apps that access only non-Graph APIs, app governance skips these policy conditions and proceed to check only other policy conditions.
 
-5. Here are the available conditions for a custom app policy:
+1. Here are the available conditions for a custom app policy:
 
    |Condition|Condition values accepted|Description|More information|
    |---|---|---|---|
@@ -123,9 +123,9 @@ Use a custom app policy when you need to do something not already done by one of
    |**Sensitivity labels accessed**|Select one or more sensitivity labels from the list|Apps that accessed data with specific sensitivity labels in the last 30 days.||
    |**Services accessed** (Graph only)|Exchange and/or OneDrive and/or SharePoint and/or Teams|Apps that have accessed OneDrive, SharePoint, or Exchange Online using Microsoft Graph and EWS APIs|Multiple selections allowed.|
    |**Error rate** (Graph only)|Error rate is greater than X% in the last seven days|Apps whose Graph API error rates in the last seven days are greater than a specified percentage||
-   |**App origin** (Preview)|External or Internal|Apps that originated within the tenant or registered in an external tenant||
-
-   All of the specified conditions must be met for this app policy to generate an alert.
+   |**App origin**|External or Internal|Apps that originated within the tenant or registered in an external tenant||
+   
+      All of the specified conditions must be met for this app policy to generate an alert.
 
 6. When you're done specifying the conditions, select **Save**, and then select **Next**.
 
@@ -166,7 +166,7 @@ Policies for OAuth apps trigger alerts only on policies that are authorized by u
 1. Go to **Microsoft Defender XDR > App governance > Policies > Other apps**. For example:
 
     ![Other apps-policy creation](media/app-governance-app-policies-create/other-apps-policy-creation.jpg)
-
+   
 2. Filter the apps according to your needs. For example, you might want to view all apps that request **Permission** to **Modify calendars in your mailbox**.
 
    > [!TIP]
 
@@ -10,7 +10,7 @@ description: Get started with app governance capabilities to govern your apps in
 This article describes how to turn on Microsoft Defender for Cloud Apps app governance.
 
 > [!NOTE]
-> By default, the Microsoft Defender for Cloud Apps instance in the US Government environments cannot connect to resources in Azure commercial and is FedRAMP compliant. However, App Governance is not FedRAMP certified. App Governance will only store and process data in secure locations within the United States and the data will only be accessible by approved Microsoft employees. 
+> By default, the Microsoft Defender for Cloud Apps instance in the US Government environments can't connect to resources in Azure commercial and is FedRAMP compliant. However, App Governance isn't FedRAMP certified. App Governance will only store and process data in secure locations within the United States and the data will only be accessible by approved Microsoft employees. 
 ## Prerequisites
 
 Before you start, verify that you satisfy the following prerequisites:
@@ -21,15 +21,16 @@ Before you start, verify that you satisfy the following prerequisites:
 
 - You must have [one of the appropriate roles](#roles) to turn on app governance and access it.
 
-- Your organization's billing address must be in a region **other than** Brazil, Singapore, Latin America, South Korea, Switzerland, Norway, South Africa, Sweden or United Arab Emirates.
+
+- Your organization's billing address must be in a region **other than** Brazil, Singapore, Latin America, South Korea, Switzerland, Norway, Poland, Italy, Qatar, Israel, Spain, Mexico, South Africa, Sweden, or United Arab Emirates.
 
 ## Turn on app governance
 
 If your organization satisfies the [prerequisites](#prerequisites), go to [Microsoft Defender XDR > Settings > Cloud Apps > App governance](https://security.microsoft.com/cloudapps/settings) and select **Use app governance**. For example:
 
 :::image type="content" source="media/app-governance-get-started/app-governance-service-status2.png" alt-text="Screenshot of the App governance toggle in Microsoft Defender XDR." lightbox="media/app-governance-get-started/app-governance-service-status2.png":::
 
-After you've signed up for app governance, you'll need to wait up to 10 hours to see and use the product.
+After signing up for app governance, you'll need to wait up to 10 hours to see and use the product.
 
 If you're unable to see the app governance option in the settings page, it might be due to one or more of the following reasons:
 
@@ -76,7 +77,7 @@ For more information about each role, see [Administrator role permissions](/azur
 > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 > [!NOTE]
-> App governance alerts will not flow to Microsoft Defender XDR or show up in app governance until you have provisioned both Defender for Cloud Apps and Microsoft Defender XDR by accessing their respective portals at least once.
+> App governance alerts won't flow to Microsoft Defender XDR or show up in app governance until you have provisioned both Defender for Cloud Apps and Microsoft Defender XDR by accessing their respective portals at least once.
 
 ## Next steps
 
 
@@ -45,7 +45,7 @@ One of the primary value points for app governance is the ability to quickly vie
 
    - **Privilege level**
 
-   - **Permission** (Preview)
+   - **Permission**
 
    - **Permission usage**
 
@@ -56,8 +56,8 @@ One of the primary value points for app governance is the ability to quickly vie
    - **Publisher verified**
 
     Use one of the following nondefault filters to further customize the apps listed:
-   
-   - **Last modified**
+
+- **Last modified**
 
    - **Added on**
 
 
@@ -31,7 +31,7 @@ On the **Microsoft 365** tab, the apps in your tenant are listed with the follow
 | **App status** | Shows whether the app is enabled or disabled, and if disabled by whom |
 | **Graph API access**| Shows whether the app has at least one Graph API permission |
 | **Permission type**| Shows whether the app has application (app only), delegated, or mixed permissions |
-| **App origin** (Preview)| Shows whether the app originated within the tenant or was registered in an external tenant |
+| **App origin**| Shows whether the app originated within the tenant or was registered in an external tenant |
 | **Consent type**| Shows whether the app consent has been given at the user or the admin level, and the number of users whose data is accessible to the app |
 | **Publisher**| Publisher of the app and their verification status |
 | **Last modified**| Date and time when registration information was last updated on Microsoft Entra ID |
@@ -69,10 +69,10 @@ In the details pane, select any of the following tabs to view more details:
 
 - Select the **Users** tab to see a list of users who are using the app, whether they're a priority account, and the amount of data downloaded and uploaded. For example:
 
-    :::image type="content" source="media/app-governance-visibility-insights-view-apps/users.png" alt-text="Screenshot of the Users tab.":::
-
-    If an app is *admin consented*, the **Total consented users** are all users in the tenant.
-
+  ![Screenshot 2025-02-24 005703](media/app-governance-visibility-insights-view-apps/screenshot-2025-02-24-005703.png)
+  
+   If an app is *admin consented*, the **Total consented users** are all users in the tenant.
+  
 - Select the **Permissions** tab to see a summary and list of the Graph API and legacy permissions granted to the app, consent type, privilege level and whether they are in use. For example:
 
     :::image type="content" source="media/app-governance-visibility-insights-view-apps/permissions.png" alt-text="Screenshot of the Permissions tab.":::