Merge pull request #2906 from DeCohen/WI361499-restructure-and-categorise-secure-posture-docs

aditisrivastava07 · web-flow · commit 9f18a2f780aa · 2025-03-10T12:57:55.000+05:30
Added categories to the toc.yml
diff --git a/ATPDocs/security-assessment.md b/ATPDocs/security-assessment.md
@@ -9,13 +9,13 @@ ms.topic: how-to
 
 Typically, organizations of all sizes have limited visibility into whether or not their on-premises apps and services could introduce a security vulnerability to their organization. The problem of limited visibility is especially true regarding use of unsupported or outdated components.
 
-While your company may invest significant time and effort on hardening identities and identity infrastructure (such as Active Directory, Active Directory Connect) as an on-going project, it's easy to remain unaware of common misconfigurations and use of legacy components that represent one of the greatest threat risks to your organization. 
+While your company might invest significant time and effort on hardening identities and identity infrastructure (such as Active Directory, Active Directory Connect) as an ongoing project, it's easy to remain unaware of common misconfigurations and use of legacy components that represent one of the greatest threat risks to your organization. 
 
 Microsoft security research reveals that most identity attacks utilize common misconfigurations in Active Directory and continued use of legacy components (such as NTLMv1 protocol) to compromise identities and successfully breach your organization. To combat this effectively, Microsoft Defender for Identity now offers proactive identity security posture assessments to detect and recommend actions across your on-premises Active Directory configurations.
 
 ## What do Defender for Identity security assessments provide?
 
-Defender for Identity's security posture assessments are available in [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score), and provide:
+Defender for Identity security posture assessments are available in [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score), and provide:
 
 - **Detections and contextual data** on known exploitable components and misconfigurations, along with relevant paths for remediation.
 
@@ -25,11 +25,21 @@ Defender for Identity's security posture assessments are available in [Microsoft
 
 Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at <https://security.microsoft.com/securescore> in the [Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-defender).
 
+### Categorization of Defender for Identity security posture assessments
+
+Defender for Identity security posture assessments have five key categories. Each category addresses specific identity security risks and provides remediation guidance.
+
+- **Hybrid security**: Identifies misconfigurations in environments that integrate on-premises (e.g., Active Directory) and cloud-based identity providers (e.g., Entra ID, Okta). Assesses risks related to synchronization, authentication, and authorization across platforms.
+- **Identity infrastructure**: Detects misconfigurations and vulnerabilities in core identity components, including domain controllers.
+- **Certificates**: Assesses Active Directory Certificate Services (AD CS) for security gaps, such as misconfigured certificate templates or weak certificate authority settings. Identifying and addressing these issues helps prevent unauthorized access that could arise from certificate-related vulnerabilities.
+- **Group policy**: Analyzes Group Policy configurations to identify settings that might allow privilege escalation or unauthorized lateral movement within the network. Ensuring secure Group Policy settings helps maintain proper access controls and system configurations.
+- **Accounts**: Reviews users, devices, and groups to pinpoint security risks such as weak passwords, inactive accounts, or improper permissions.
+
 ## Access Defender for Identity security posture assessments
 
+> [!NOTE]
 You must have a Defender for Identity license to view Defender for Identity security posture assessments in Microsoft Secure Score.
-
-While *certificate template* assessments are available to all customers that have AD CS installed on their environment, *certificate authority* assessments are available only to customers who've installed a sensor on an AD CS server. For more information, see [Configuring sensors for AD FS and AD CS](deploy/active-directory-federation-services.md).
+While *certificate template* assessments are available to all customers with AD CS installed in their environment, *certificate authority* assessments are available only to customers who have installed a sensor on an AD CS server. For more information, see [Configuring sensors for AD FS and AD CS](deploy/active-directory-federation-services.md).
 
 **To access identity security posture assessments**:
 
diff --git a/ATPDocs/toc.yml b/ATPDocs/toc.yml
@@ -158,88 +158,92 @@ items:
       href: remediation-actions.md
   - name: Security posture
     items:
-    - name: Accounts with non-default Primary Group ID
-      href: accounts-with-non-default-pgid.md
-    - name: Built-in Active Directory Guest account is enabled
-      href: built-in-active-directory-guest-account-is-enabled.md
-    - name: Ensure privileged accounts are not delegated
-      href: ensure-privileged-accounts-with-sensitive-flag.md
-    - name: Change Domain Controller computer account old password
-      href: domain-controller-account-password-change.md
-    - name: Change password of built-in domain Administrator account
-      href: change-password-domain-administrator-account.md
-    - name: GPO assigns unprivileged identities to local groups with elevated privileges
-      href: gpo-assigns-unprivileged-identities.md
-    - name: Overview
-      href: security-assessment.md
-      displayName: security posture, security assessment
-    - name: Reversible passwords found in GPOs
-      href: reversible-passwords-group-policy.md
-    - name: GPO can be modified by unprivileged accounts
-      href: modified-unprivileged-accounts-gpo.md
-    - name: Change password for krbtgt account
-      href: change-password-krbtgt-account.md
-    - name: Unsafe permissions on the DnsAdmins group
-      href: unsafe-permissions-dns-admins-group.md
-    - name: Change password for Microsoft Entra seamless SSO account
-      href: change-password-microsoft-entra-seamless-single-sign-on.md
-      displayName: Microsoft Entra connect
-    - name: "Rotate password for Microsoft Entra Connect connector account "
-      href: rotate-password-microsoft-entra-connect.md
-      displayName: Microsoft Entra Connect
-    - name: Admin SDHolder permissions
-      href: security-assessment-remove-suspicious-access-rights.md
-    - name: DCSync permissions
-      href: security-assessment-non-admin-accounts-dcsync.md
-    - name: Deploy Defender for Identity
-      href: security-assessment-deploy-defender-for-identity.md
-    - name: Domain controllers with Print spooler service available assessment
-      href: security-assessment-print-spooler.md
-    - name: Dormant entities in sensitive groups assessment
-      href: security-assessment-dormant-entities.md
-    - name: Enforce encryption for RPC certificate enrollment interface  (ESC8)
-      href: security-assessment-enforce-encryption-rpc.md
-    - name: Entities exposing credentials in clear text assessment
-      href: security-assessment-clear-text.md
-    - name: Remove unnecessary replication permissions for Microsoft Entra Connect connector account
-      href: remove-replication-permissions-microsoft-entra-connect.md
-      displayName: Microsoft Entra Connect
-    - name: Insecure ADCS certificate enrollment IIS endpoints (ESC8)
-      href: security-assessment-insecure-adcs-certificate-enrollment.md
-    - name: LAPS usage assessment
-      href: security-assessment-laps.md
-    - name: Misconfigured Certificate Authority ACL  (ESC7)
-      href: security-assessment-edit-misconfigured-ca-acl.md
-    - name: Misconfigured certificate templates ACL (ESC4)
-      href: security-assessment-edit-misconfigured-acl.md
-    - name: Misconfigured certificate templates owner  (ESC4)
-      href: security-assessment-edit-misconfigured-owner.md
-    - name: Misconfigured enrollment agent certificate template  (ESC3)
-      href: security-assessment-edit-misconfigured-enrollment-agent.md
-    - name: Overly permissive certificate template with privileged EKU (ESC2)
-      href: security-assessment-edit-overly-permissive-template.md
-    - name: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
-      href: prevent-certificate-enrollment-esc15.md
-    - name: Prevent requests for certificates valid for arbitrary users  (ESC1)
-      href: security-assessment-prevent-users-request-certificate.md
-    - name: Remove local admins on identity assets
-      href: security-assessment-remove-local-admins.md      
-    - name: Riskiest lateral movement paths
-      href: security-assessment-riskiest-lmp.md
-    - name: Unmonitored domain controllers
-      href: security-assessment-unmonitored-domain-controller.md
-    - name: Unsecure account attributes
-      href: security-assessment-unsecure-account-attributes.md
-    - name: Unsecure domain configurations
-      href: security-assessment-unsecure-domain-configurations.md
-    - name: Unsecure Kerberos delegation assessment
-      href: security-assessment-unconstrained-kerberos.md
-    - name: Unsecure SID History attributes
-      href: security-assessment-unsecure-sid-history-attribute.md
-    - name: Vulnerable Certificate Authority setting (ESC6)
-      href: security-assessment-edit-vulnerable-ca-setting.md
-    - name: Weak cipher usage assessment
-      href: security-assessment-weak-cipher.md
+     - name: Overview
+       href: security-assessment.md
+     - name: Hybrid security
+       items:
+       - name: Change password for Microsoft Entra seamless SSO account
+         href: change-password-microsoft-entra-seamless-single-sign-on.md
+         displayName: Microsoft Entra connect
+       - name: Rotate password for Microsoft Entra Connect connector account
+         href: rotate-password-microsoft-entra-connect.md
+         displayName: Microsoft Entra Connect
+       - name: Remove unnecessary replication permissions for Microsoft Entra Connect connector account
+         href: remove-replication-permissions-microsoft-entra-connect.md
+     - name: Identity infrastructure
+       items:
+       - name: Built-in Active Directory Guest account is enabled
+         href: built-in-active-directory-guest-account-is-enabled.md
+       - name: Change Domain Controller computer account old password
+         href: domain-controller-account-password-change.md
+       - name: Domain controllers with Print spooler service available assessment
+         href: security-assessment-print-spooler.md
+       - name: Remove local admins on identity assets
+         href: security-assessment-remove-local-admins.md   
+       - name: Unmonitored domain controllers
+         href: security-assessment-unmonitored-domain-controller.md
+       - name: Unsecure domain configurations
+         href: security-assessment-unsecure-domain-configurations.md
+     - name: Certificates
+       items: 
+        - name: Enforce encryption for RPC certificate enrollment interface  (ESC8)
+          href: security-assessment-enforce-encryption-rpc.md
+        - name: Insecure ADCS certificate enrollment IIS endpoints (ESC8)
+          href: security-assessment-insecure-adcs-certificate-enrollment.md
+        - name: Misconfigured certificate templates owner  (ESC4)
+          href: security-assessment-edit-misconfigured-owner.md
+        - name: Misconfigured Certificate Authority ACL  (ESC7)
+          href: security-assessment-edit-misconfigured-ca-acl.md
+        - name: Misconfigured certificate templates ACL (ESC4)
+          href: security-assessment-edit-misconfigured-acl.md
+        - name: Misconfigured enrollment agent certificate template  (ESC3)
+          href: security-assessment-edit-misconfigured-enrollment-agent.md    
+        - name: Overly permissive certificate template with privileged EKU (ESC2)
+          href: security-assessment-edit-overly-permissive-template.md
+        - name: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
+          href: prevent-certificate-enrollment-esc15.md
+        - name: Prevent requests for certificates valid for arbitrary users  (ESC1)
+          href: security-assessment-prevent-users-request-certificate.md
+        - name: Vulnerable Certificate Authority setting (ESC6)
+          href: security-assessment-edit-vulnerable-ca-setting.md
+     - name: Group policy 
+       items: 
+        - name: GPO assigns unprivileged identities to local groups with elevated privileges
+          href: gpo-assigns-unprivileged-identities.md
+        - name: GPO can be modified by unprivileged accounts
+          href: modified-unprivileged-accounts-gpo.md
+        - name: Reversible passwords found in GPOs
+          href: reversible-passwords-group-policy.md
+     - name: Accounts
+       items: 
+         - name: Accounts with non-default Primary Group ID
+           href: accounts-with-non-default-pgid.md 
+         - name: Admin SDHolder permissions
+           href: security-assessment-remove-suspicious-access-rights.md
+         - name: Change password for krbtgt account
+           href: change-password-krbtgt-account.md
+         - name: Change password of built-in domain Administrator account
+           href: change-password-domain-administrator-account.md
+         - name: Dormant entities in sensitive groups assessment
+           href: security-assessment-dormant-entities.md
+         - name: DCSync permissions
+           href: security-assessment-non-admin-accounts-dcsync.md
+         - name: Ensure privileged accounts are not delegated
+           href: ensure-privileged-accounts-with-sensitive-flag.md
+         - name: Entities exposing credentials in clear text assessment
+           href: security-assessment-clear-text.md
+         - name: LAPS usage assessment
+           href: security-assessment-laps.md
+         - name: Riskiest lateral movement paths
+           href: security-assessment-riskiest-lmp.md
+         - name: Unsecure Kerberos delegation assessment
+           href: security-assessment-unconstrained-kerberos.md
+         - name: Unsecure SID History attributes
+           href: security-assessment-unsecure-sid-history-attribute.md
+         - name: Unsecure account attributes
+           href: security-assessment-unsecure-account-attributes.md
+         - name: Weak cipher usage assessment
+           href: security-assessment-weak-cipher.md
 - name: Reference
   items:
   - name: Operations guide
