Merge branch 'public' into patch-1

Author: denisebmsft

.acrolinx-config.edn

@@ -51,10 +51,10 @@ Select the total score link to review all feedback on clarity, consistency, tone
  "
 **More information about Acrolinx**
  
-- [Install Acrolinx locally for VSCode for Magic](https://review.docs.microsoft.com/office-authoring-guide/acrolinx-vscode?branch=main)
+- [Install Acrolinx locally for VSCode for Magic](https://review.learn.microsoft.com/office-authoring-guide/acrolinx-vscode?branch=main)
 - [False positives or issues](https://aka.ms/acrolinxbug)
 - [Request a new Acrolinx term](https://microsoft.sharepoint.com/teams/M365Dev2/SitePages/M365-terminology.aspx)
-- [Troubleshooting issues with Acrolinx](https://review.docs.microsoft.com/help/contribute/acrolinx-error-messages)
+- [Troubleshooting issues with Acrolinx](https://review.learn.microsoft.com/help/platform/acrolinx-troubleshoot?branch)
 
 "
 }

.github/workflows/StaleBranch.yml

@@ -2,6 +2,7 @@ name: (Scheduled) Stale branch removal
 
 permissions:
   contents: write
+  pull-requests: read
 
 # This workflow is designed to be run in the days up to, and including, a "deletion day", specified by 'DeleteOnDayOfMonth' in env: in https://github.com/MicrosoftDocs/microsoft-365-docs/blob/workflows-prod/.github/workflows/Shared-StaleBranch.yml.
 # On the days leading up to "deletion day", the workflow will report the branches to be deleted. This lets users see which branches will be deleted. On "deletion day", those branches are deleted.

.openpublishing.redirection.defender-cloud-apps.json

@@ -1009,6 +1009,11 @@
       "source_path": "CloudAppSecurityDocs/troubleshooting-api-connectors-using-error-messages.md",
       "redirect_url": "/defender-cloud-apps/troubleshooting-api-connectors-errors",
       "redirect_document_id": true
-    }
+    },
+    {
+      "source_path": "CloudAppSecurityDocs/connector-platform.md",
+      "redirect_url": "/defender-cloud-apps/enable-instant-visibility-protection-and-governance-actions-for-your-apps",
+      "redirect_document_id": true
+    },
   ]
 }

ATPDocs/deploy/remote-calls-sam.md

@@ -7,10 +7,14 @@ ms.topic: how-to
 
 # Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity
 
+> [!IMPORTANT]
+> Remote collection of local administrators' group members on endpoints (using SAM-R queries) feature in Microsoft Defender for Identity will be disabled by mid-May 2025. This change will happen automatically by the specified dates. No admin action is required. 
+> 
+
 Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.
 
 > [!NOTE]
-> This feature can potentially be exploited by an adversary to obtain the Net-NTLM hash of the DSA account due to a Windows limitation in the SAM-R calls that allows downgrading from Kerberos to NTLM.
+> This feature can potentially be exploited by an adversary to obtain the NTLM hash of the DSA account due to a Windows limitation in the SAM-R calls that allows downgrading from Kerberos to NTLM.
 > The new Defender for Identity sensor (version 3.x) is not affected by this issue as it uses different detection methods.
 > 
 > It is recommended to use a [low privileged DSA account](directory-service-accounts.md#grant-required-dsa-permissions). You can also [contact support](../support.md) to open a case and request to completely disable the [Lateral Movement Paths](../security-assessment-riskiest-lmp.md) data collection capability.

ATPDocs/identity-security-initiative.md

@@ -0,0 +1,85 @@
+---
+title: Identity Security Initiative
+description: Learn how to enhance your organization's identity security using the Identity Security Initiative in Microsoft Defender XDR.
+ms.topic: overview
+ms.date: 04/05/2025
+---
+
+# Identity Security Initiative (Preview)
+
+Identity security is the practice of protecting the digital identities of individuals and organizations. This includes protecting passwords, usernames, and other credentials that can be used to access sensitive data or systems. Identity security is essential for protecting against a wide range of cyber threats, including phishing, malware, and data breaches.
+
+## Prerequisites
+
+- Your organization must have a Microsoft Defender for Identity license.
+- [Review prerequisites and permissions needed](/security-exposure-management/prerequisites) for working with Security Exposure Management.
+
+## View Identity Security Initiatives
+1. Navigate to the [Microsoft Defender portal](https://security.microsoft.com/).
+1. From the Exposure management section on the navigation bar, select **Exposure insights** **>** **Initiatives** to open the Identity Security page.
+
+   :::image type="content" source="media/identity-security-initiative/screenshot-of-the-identity-security-initiative-page.png" alt-text="Screenshot showing the Identity security initiative page." lightbox="media/identity-security-initiative/screenshot-of-the-identity-security-initiative-page.png":::
+
+## Review security metrics
+
+Metrics in security initiatives help you to measure exposure risk for different areas within the initiative. Each metric gathers together one or more recommendations for similar assets.
+Metrics can be associated with one or more initiatives.
+
+On the **Metrics** tab of an initiative, or in the Metrics section of Exposure Insights, you can see the metric state, its effect, and relative importance in an initiative, and recommendations to improve the metric.
+We recommend that you prioritize metrics with the highest impact on Initiative Score level. This composite measure considers both the weight value of each recommendation and the percentage of noncompliant recommendations.
+
+:::image type="content" source="media/identity-security-initiative/screenshot-of-the-security-metrics-page.png" alt-text="Screenshot showing the security metrics page." lightbox="media/identity-security-initiative/screenshot-of-the-security-metrics-page.png":::
+
+
+|Metric property |Description  |
+|---------|---------|
+|**Metric name**    | The name of the metric.        |
+|**Progress**   |Shows the improvement of the exposure level for the metric from 0 (high exposure) to 100 (no exposure).         |
+|**State**   | Shows if the metric needs attention or if the target was met.       |
+|**Total assets**  | Total number of assets under the metric scope.        |
+|**Recommendations**   | Security recommendations associated with the metric.        |
+|**Weight**    | The relative weight (importance) of the metric within the initiative, and its effect on the initiative score. Shown as High, Medium, and Low. It can also be defined as Risk accepted.        |
+|**14-day trend** | Shows the metric value changes over the last 14 days.        |
+|**Last updated** | Shows a timestamp of when the metric was last updated.
+
+> [!NOTE]
+> The Affected assets experience isn't fully supported during the Preview phase.
+
+## View Identity security recommendations 
+
+ The Security recommendations tab displays a list of prioritized remediation actions related to your identity security posture. Each recommendation is evaluated for compliance and mapped to its corresponding risk impact, workload, and domain. This view helps you triage and take action based on urgency and business relevance.
+
+:::image type="content" source="media/identity-security-initiative/screenshot-showing-the-security-recommendations-page.png" alt-text="Showing showing the security recommendations page." lightbox="media/identity-security-initiative/screenshot-showing-the-security-recommendations-page.png":::
+
+Sort the recommendations by any of the headings or filter them based on your task needs. 
+
+| **Column**             | **Description**                                                                 |
+|------------------------|---------------------------------------------------------------------------------|
+| **Name**               | The name of the recommended action (for example, *Configure VPN integration*, *Enable MFA*). |
+| **State**              | Indicates whether the recommendation is *Compliant* or *Not Compliant*.         |
+| **Impact**             | The security impact level (Low, Medium, or High) of implementing the recommendation. |
+| **Workload**           | The Microsoft service area the recommendation applies to (for example, Defender for Identity, Microsoft Entra ID). |
+| **Domain**             | The security domain (for example, identity, apps) associated with the recommendation.   |
+| **Last calculated**    | The most recent time the recommendation's status was evaluated.                 |
+| **Last state change**  | When the recommendation’s compliance state last changed.                        |
+| **Related initiatives**| Number of security initiatives impacted by this recommendation.                 |
+| **Related metrics**    | Number of security metrics that this recommendation contributes to.             |
+
+Security Exposure Management categorizes recommendations by compliance status, as follows:
+
+- **Compliant**: Indicates that the recommendation was implemented successfully.
+- **Not complaint**: Indicates that the recommendation wasn't fixed.
+
+## Set target score
+
+You can set a customized target score for the initiative, taking your organization’s unique set of circumstances, priorities, and risk appetite into account.
+
+To set a target store, select the initiative, and then select **Set target score** from the top of the initiative pane.
+
+:::image type="content" source="media/identity-security-initiative/set-target-score.png" alt-text="Screenshot showing the set target score button." lightbox="media/identity-security-initiative/set-target-score.png":::
+
+## Related content
+
+- [Review security initiatives](/security-exposure-management/initiatives)
+
+- [Investigate security initiative metrics](/security-exposure-management/security-metrics)

ATPDocs/media/identity-security-initiative/screenshot-of-the-identity-security-initiative-page.png

@@ -17,7 +17,7 @@ Service accounts are classified into several types:
 - sMSA (Managed Service Accounts): Designed for individual services on a single server rather than groups.
 - User Account: These standard user accounts are typically used for interactive logins but can also be configured to run services.
 
-The auto discovery feature quickly identifies gMSA and sMSA accounts as well as user accounts within Active Directory that meet specific criteria and classifies them as service accounts. These accounts are then highlighted and presented, along with relevant information including insights into recent authentications and the sources and destinations of those interactions, as part of a dedicated inventory within the Defender experience. This helps you better understand the accounts' purpose so you can more easily spot anomalous activity and understand its implications.
+The auto discovery feature quickly identifies gMSA and sMSA accounts as well as user accounts within Active Directory that meet specific criteria.These criteria include having a [Service Principal Name ](/windows/win32/ad/service-principal-names)(SPN) or a "password never expires" attribute assigned. The feature then classifies these accounts as service accounts. These accounts are then highlighted and presented, along with relevant information including insights into recent authentications and the sources and destinations of those interactions, as part of a dedicated inventory within the Defender experience. This helps you better understand the accounts' purpose so you can more easily spot anomalous activity and understand its implications.
 
 Service account types are displayed in the Identity Info table within Advanced Hunting.
 
@@ -68,7 +68,7 @@ You can use the sort and filter functionality on each service account tab to get
 |**Tags**    | Sensitive or Honey Token        |
 |**Auth protocols**   | Lists the available methods for verifying user identities, for example, Kerberos and NTLM (New Technology LAN Manager).         |
 |**Sources**     |  The number of potential source logins.        |
-|**Destinations**    | When a service account is trying to access a destination server, the request is directed to the target system, which can include a number of resources on that server. These resources might be a database, a file server, or other services hosted on the server.        |
+|**Destinations**    | When a service account is trying to access a destination server, the request is directed to the target system, which can include many resources on that server. These resources might be a database, a file server, or other services hosted on the server.        |
 |**Connections**   | The number of unique connections made between sources and destinations.         |
 |**Created**    |The timestamp when the service account was first created.         |
 |**Last updated**    | The timestamp of the most recent update to the service account.        |
@@ -79,7 +79,7 @@ You can use the sort and filter functionality on each service account tab to get
 
 For a deeper dive into what's happening in your service account click on the domain name to see the following information:
 
-When you investigate a specific Service account, you'll see the following details under the connections tab:
+When you investigate a specific Service account, you see the following details under the connections tab:
 
 :::image type="content" source="media/screenshot-of-the-connections-page.png" alt-text="Screenshot of the connections page." lightbox="media/Screenshot-of-the-connections-page.png":::
 
@@ -96,8 +96,10 @@ When you investigate a specific Service account, you'll see the following detail
 Last seen   | The date and time of the most recent sign in event over this connection.        |
 
 
-
 For more information about the following tabs, **Overview**, **Incidents and alerts**,**Observed in organization**, **Timeline**, and **Attack paths**, see: [Investigate assets](/defender-for-identity/investigate-assets#identity-details).
 
+## Related content
+- [Service principal names](/windows/win32/ad/service-principal-names)
+- [How to configure SPN](/windows-server/identity/ad-ds/manage/how-to-configure-spn?tabs=add%2Caduc)
 
 If you run into any problems, we're here to help. To get assistance or support for your product issue, see how to open a support ticket at [Microsoft Defender for Identity support](support.md).