Merge branch 'main' into docs-editor/android-intune-1752055974

Author: KesemSharabi

ATPDocs/deploy/activate-sensor.md

@@ -25,7 +25,7 @@ You can choose to activate eligible domain controllers either automatically, whe
 |---------|---------|
 |Activate new sensor |The domain controller is already onboarded to Defender for Endpoint. [Activate the sensor](#activate-the-defender-for-identity-sensor).|
 |Install classic sensor|[Deploy the classic Defender for Identity sensor](install-sensor.md) from the **Sensors page**.|
-|OS update is required     |This domain controller is running an unsupported operating system version for the new sensor. Update the server to Windows Server 2019 or later to use the new sensor. |
+|OS upgrade is required     |This domain controller is running an unsupported operating system version for the new sensor. Upgrade the OS version to the latest version. |
 
 <!--|Download onboarding package     |[Onboard the domain controller to Defender for Endpoint](#onboard-the-domain-controller).|-->
 

ATPDocs/deploy/deploy-defender-identity.md

@@ -31,10 +31,10 @@ Identify your architecture and your requirements, and then use the table below t
 > [!NOTE]
 > The Defender for Identity sensor version 3.x is still in preview and has some limited functionality compared to version 2.x. Keep these limitations in mind before activating the sensor.
 > The Defender for Identity sensor v3.x:
-> - Requires that Defender for Endpoint is deployed on your endpoints
+> - Requires that Defender for Endpoint is deployed
 > - Doesn't currently support VPN integration
 > - Doesn't currently support ExpressRoute
-> - Doesn't currently offer full functionality of health alerts, posture recommendations or security alerts
+> - Doesn't currently offer full functionality of health alerts, posture recommendations, security alerts or advanced hunting data.
 
 Once you've evaluated your infrastructure and requirements, follow the instructions for deploying the sensor based on the version you need.
 

ATPDocs/deploy/prerequisites-sensor-version-3.md

@@ -14,10 +14,10 @@ This article describes the requirements for installing the Microsoft Defender fo
 
 Before activating the Defender for Identity sensor v3.x, note that this version of the sensor is still in preview and has some limited functionality compared to version 2.x. Keep these limitations in mind before activating the sensor.
 The Defender for Identity sensor v3.x:
- - Requires that Defender for Endpoint is deployed on your endpoints
+ - Requires that Defender for Endpoint is deployed
  - Doesn't currently support VPN integration
  - Doesn't currently support ExpressRoute
- - Doesn't currently offer full functionality of health alerts, posture recommendations or security alerts
+ - Doesn't currently offer full functionality of health alerts, posture recommendations, security alerts or advanced hunting data.
 
 ## Licensing requirements
 

ATPDocs/health-alerts.md

@@ -76,7 +76,7 @@ The **Identities** list offers a consolidated view of identities across Active D
 
 - __Last updated__ – The timestamp of the most recent update to the identity's attributes in Active Directory.
 
-Nondefault columns: Email and Microsoft Entra ID risk level.  
+Nondefault columns: Email, Microsoft Entra ID risk level and Cloud ID. 
 
 > [!TIP]
 > To see all columns, you likely need to do one or more of the following steps:

ATPDocs/identity-inventory.md

@@ -1,14 +1,17 @@
 ---
 title: Microsoft Defender for Identity notifications
 description: Learn how to use and configure Microsoft Defender for Identity notifications in Microsoft Defender XDR.
-ms.date: 09/03/2023
+ms.date: 07/10/2025
 ms.topic: how-to
 #CustomerIntent: As a Defender for Identity user, I want to learn how to work with Defender for Identity notifications to make sure I'm up to date about events detected by Defender for Identity.
 ms.reviewer: LiorShapiraa
 ---
 
 # Defender for Identity notifications in Microsoft Defender XDR
 
+>[!NOTE]
+>This feature is currently supported only by the Defender for Identity sensor version 2.x.
+
 Microsoft Defender for Identity provides notifications for health issues and security alerts, either via email notifications or to a Syslog server.
 
 This article describes how to configure Defender for Identity notifications so that you're aware of any health issues or security alerts detected.

ATPDocs/notifications.md

@@ -1,7 +1,7 @@
 ---
 title: Manage and update sensors
 description: Learn how to manage and update your Microsoft Defender for Identity sensors.
-ms.date: 01/29/2023
+ms.date: 07/10/2025
 ms.topic: how-to
 ms.reviewer: rlitinsky
 ---
@@ -104,6 +104,9 @@ The sensors page provides the following information about each sensor:
 
   * Disabled
 
+    >[!NOTE]
+    >This feature is supported only by the Defender for Identity sensor version 2.x.
+
 * **Health status**: Displays the overall health status of the sensor with a colored icon representing the highest severity open health alert. Possible values are:
 
   * **Healthy (green icon)**: No opened health issues
@@ -143,6 +146,8 @@ Defender for Identity sensors support two kinds of updates:
 > * Defender for Identity sensors always reserve at least 15% of the available memory and CPU available on the domain controller where it is installed. If the Defender for Identity service consumes too much memory, the service is automatically stopped and restarted by the Defender for Identity sensor updater service.
 
 ### Delayed sensor update
+>[!NOTE]
+>This feature is supported only by the Defender for Identity sensor version 2.x.
 
 Given the rapid speed of ongoing Defender for Identity development and release updates, you may decide to define a subset group of your sensors as a delayed update ring, allowing for a gradual sensor update process. Defender for Identity enables you to choose how your sensors are updated and set each sensor as a **Delayed update** candidate.
 

ATPDocs/sensor-settings.md

@@ -1,7 +1,7 @@
 ---
 title: Uninstall the sensor
 description: This article describes how to uninstall the Microsoft Defender for Identity sensor from domain controllers.
-ms.date: 07/02/2025
+ms.date: 07/07/2025
 ms.topic: how-to
 ms.reviewer: rlitinsky
 ---
@@ -22,21 +22,24 @@ Deactivating Defender for Identity capabilities from your domain controller does
 
 ## Delete a sensor
 
+### For sensor v3.x
 1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Identities** > **Sensors**.
-1. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
+2. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
 
-    ![Screenshot that shows how to delete a sensor.](media/screenshot-that-shows-how-to-delete-a-sensor.png)
+   :::image type="content" source="media/screenshot-that-shows-how-to-delete-a-sensor.png" alt-text="Screenshot that shows how to delete a sensor." lightbox="media/screenshot-that-shows-how-to-delete-a-sensor.png":::
 
-## Uninstall a sensor v2.x from a domain controller
+    >[!NOTE]
+    >This action removes the v3.x sensor and stops monitoring on that domain controller.   
 
-The following steps describe how to uninstall a sensor v2.x from a domain controller.
-
-1. Sign in to the domain controller with administrative privileges.
-1. From the Windows **Start** menu, select **Settings** > **Control Panel** > **Add/ Remove Programs**.
-1. Select the sensor installation, select **Uninstall**, and follow the instructions to remove the sensor.
+## Delete and uninstall a sensor v2.x from a domain controller
 
 > [!IMPORTANT]
 > We recommend removing the sensor from the domain controller before demoting the domain controller.
+> 
+1. Sign in to the domain controller with administrative privileges.
+2. From the Windows **Start** menu, select **Settings** > **Control Panel** > **Add/ Remove Programs**.
+3. Select the sensor installation, select **Uninstall**, and follow the instructions to remove the sensor.
+4. After uninstallation is complete, go to the Microsoft Defender portal > Settings > Identities > Sensors, select the domain controller, and choose Delete.
 
 ## Remove an orphaned sensor
 

ATPDocs/uninstall-sensor.md

@@ -1,14 +1,17 @@
 ---
 title: VPN integration | Microsoft Defender for Identity
 description: Learn how to collect accounting information by integrating a VPN for Microsoft Defender for Identity in Microsoft Defender XDR.
-ms.date: 08/31/2023
+ms.date: 07/10/2025
 ms.topic: how-to
 #CustomerIntent: As a Defender for Identity user, I want to learn how to collect accounting information from VPN solutions. 
 ms.reviewer: martin77s
 ---
 
 # Defender for Identity VPN integration in Microsoft Defender XDR
 
+>[!NOTE]
+>This feature is currently supported only by the Defender for Identity sensor version 2.x.
+
 Microsoft Defender for Identity can integrate with your VPN solution by listening to RADIUS accounting events forwarded to Defender for Identity sensors, such as the IP addresses and locations where connections originated. VPN accounting data can help your investigations by providing more information about user activity, such as the locations from where computers are connecting to the network, and an extra detection for abnormal VPN connections.
 
 Defender for Identity's VPN integration is based on standard RADIUS Accounting ([RFC 2866](https://tools.ietf.org/html/rfc2866)), and supports the following VPN vendors:

ATPDocs/vpn-integration.md

@@ -26,6 +26,12 @@ For updates about versions and features released six months ago or earlier, see
 
 ## July 2025
 
+### Identity scoping is now available in Governance environments
+
+Scoping is now supported in government (GOV) environments. Organizations can now define and refine the scope of MDI monitoring and gain granular control over which entities and resources are included in security analysis.
+
+For more information, see [Configure scoped access for Microsoft Defender for Identity](configure-scoped-access.md).
+
 ### New security posture assessments for unmonitored identity servers
 
 Microsoft Defender for Identity now includes three security posture assessments that detect when Microsoft Entra Connect, Active Directory Federation Services (ADFS), or Active Directory Certificate Services (ADCS) servers are present in your environment but aren't monitored.
@@ -347,7 +353,8 @@ This version includes improvements and bug fixes for cloud services and the Defe
 ### Easily detect CVE-2024-21427 Windows Kerberos Security Feature Bypass Vulnerability
 
 To help customers better identify and detect attempts to bypass security protocols according to [this vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21427), we have added a new activity within Advanced Hunting that monitors Kerberos AS authentication.   
-With this data customers can now easily create their own [custom detection rules within Microsoft Defender XDR](https://aka.ms/CustomDetectionsDocs) and automatically trigger alerts for this type of activity
+
+With this data, customers can now easily create their own [custom detection rules within Microsoft Defender XDR](https://aka.ms/CustomDetectionsDocs) and automatically trigger alerts for this type of activity.
 
 Access Defender XDR portal -> Hunting -> Advanced Hunting.