MicrosoftDocs
diff --git a/‎defender-endpoint/advanced-features.md‎
Lines changed: 44 additions & 75 deletions b/‎defender-endpoint/advanced-features.md‎
Lines changed: 44 additions & 75 deletions
diff --git a/‎defender-endpoint/api/api-hello-world.md‎
Lines changed: 18 additions & 17 deletions b/‎defender-endpoint/api/api-hello-world.md‎
Lines changed: 18 additions & 17 deletions
diff --git a/‎defender-endpoint/api/exposed-apis-create-app-nativeapp.md‎
Lines changed: 10 additions & 10 deletions b/‎defender-endpoint/api/exposed-apis-create-app-nativeapp.md‎
Lines changed: 10 additions & 10 deletions
diff --git a/‎defender-endpoint/device-timeline-event-flag.md‎
Lines changed: 6 additions & 0 deletions b/‎defender-endpoint/device-timeline-event-flag.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎defender-office-365/advanced-delivery-policy-configure.md‎
Lines changed: 4 additions & 1 deletion b/‎defender-office-365/advanced-delivery-policy-configure.md‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎defender-office-365/alert-policies-defender-portal.md‎
Lines changed: 5 additions & 2 deletions b/‎defender-office-365/alert-policies-defender-portal.md‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎defender-office-365/anti-malware-policies-configure.md‎
Lines changed: 4 additions & 1 deletion b/‎defender-office-365/anti-malware-policies-configure.md‎
Lines changed: 4 additions & 1 deletion
@@ -16,7 +16,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 12/18/2020
+ms.date: 06/24/2024
 ---
 
 # Microsoft Defender for Endpoint API - Hello World
@@ -47,43 +47,43 @@ It only takes 5 minutes done in two steps:
 
 ### Do I need a permission to connect?
 
-For the Application registration stage, you must have a **Global administrator** role in your Microsoft Entra tenant.
+For the Application registration stage, you must have the **Global administrator** role assigned in your Microsoft Entra tenant.
 
 <a name='step-1---create-an-app-in-azure-active-directory'></a>
 
 ### Step 1 - Create an App in Microsoft Entra ID
 
-1. Log on to [Azure](https://portal.azure.com) with your **Global administrator** user.
+1. Sign in to the [Azure portal](https://portal.azure.com).
 
 2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**.
 
    :::image type="content" source="../media/atp-azure-new-app2.png" alt-text="The App registrations option under the Manage pane in the Microsoft Entra admin center"  lightbox="../media/atp-azure-new-app2.png":::
 
-3. In the registration form, choose a name for your application and then click **Register**.
+3. In the registration form, choose a name for your application and then select **Register**.
 
 4. Allow your Application to access Defender for Endpoint and assign it **'Read all alerts'** permission:
 
-   - On your application page, click **API Permissions** \> **Add permission** \> **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
+   - On your application page, select **API Permissions** \> **Add permission** \> **APIs my organization uses** > type **WindowsDefenderATP** and select **WindowsDefenderATP**.
 
      > [!NOTE]
      > WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
 
      :::image type="content" source="../media/add-permission.png" alt-text="The API permissions option under the Manage pane in the Microsoft Entra admin center" lightbox="../media/add-permission.png":::
 
-   - Choose **Application permissions** \> **Alert.Read.All** > Click on **Add permissions**.
+   - Choose **Application permissions** \> **Alert.Read.All**, and then select **Add permissions**.
 
      :::image type="content" source="../media/application-permissions.png" alt-text="The permission type and settings panes in the Request API permissions page" lightbox="../media/application-permissions.png":::
 
      > [!IMPORTANT]
-     > You need to select the relevant permissions. 'Read All Alerts' is only an example!
+     > You need to select the relevant permissions. **Read All Alerts** is only an example.
 
      For example:
 
      - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission.
      - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission.
-     - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
+     - To determine which permission you need, see the **Permissions** section in the API you're interested to call.
 
-5. Click **Grant consent**.
+5. Select **Grant consent**.
 
    > [!NOTE]
    > Every time you add permission, you must click on **Grant consent** for the new permission to take effect.
@@ -92,7 +92,7 @@ For the Application registration stage, you must have a **Global administrator**
 
 6. Add a secret to the application.
 
-    Click **Certificates & secrets**, add description to the secret and click **Add**.
+    Select **Certificates & secrets**, add description to the secret and select **Add**.
 
     > [!IMPORTANT]
     > After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave!
@@ -105,12 +105,12 @@ For the Application registration stage, you must have a **Global administrator**
 
    :::image type="content" source="../media/app-and-tenant-ids.png" alt-text="The application details pane under the Overview menu item in the Microsoft Entra admin center" lightbox="../media/app-and-tenant-ids.png":::
 
-Done! You have successfully registered an application!
+Done! You've successfully registered an application!
 
 ### Step 2 - Get a token using the App and use this token to access the API.
 
-- Copy the script below to PowerShell ISE or to a text editor, and save it as **Get-Token.ps1**.
-- Running this script will generate a token and will save it in the working folder under the name **Latest-token.txt**.
+- Copy the following script to PowerShell ISE or to a text editor, and save it as `Get-Token.ps1`.
+- Running this script generates a token and saves it in the working folder under the name `Latest-token.txt`.
 
    ```powershell
    # That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory
@@ -145,8 +145,8 @@ Done! You have successfully registered an application!
 
 ### Let's get the Alerts!
 
-- The script below will use **Get-Token.ps1** to access the API and will get the past 48 hours Alerts.
-- Save this script in the same folder you saved the previous script **Get-Token.ps1**.
+- The following script uses `Get-Token.ps1` to access the API and gets alerts for the past 48 hours.
+- Save this script in the same folder you saved the previous script `Get-Token.ps1`.
 - The script creates two files (json and csv) with the data in the same folder as the scripts.
 
   ```powershell
@@ -185,16 +185,17 @@ Done! You have successfully registered an application!
   ($alerts | ConvertFrom-Json) | Export-CSV $outputCsvPath -NoTypeInformation
   ```
 
-You're all done! You have just successfully:
+You're all done! You have successfully:
 
 - Created and registered and application
 - Granted permission for that application to read alerts
 - Connected the API
 - Used a PowerShell script to return alerts created in the past 48 hours
 
-## Related topic
+## Related articles
 
 - [Microsoft Defender for Endpoint APIs](exposed-apis-list.md)
 - [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md)
 - [Access Microsoft Defender for Endpoint with user context](exposed-apis-create-app-nativeapp.md)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: siosulli
 author: siosulli
 ms.localizationpriority: medium
-ms.date: 01/25/2023
+ms.date: 06/24/2024
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -44,11 +44,11 @@ This page describes how to create an application to get programmatic access to D
 
 If you need programmatic access Microsoft Defender for Endpoint without a user, refer to [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md).
 
-If you are not sure which access you need, read the [Introduction page](apis-intro.md).
+If you're not sure which access you need, read the [Introduction page](apis-intro.md).
 
-Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Microsoft Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs enable you to automate work flows and innovate based on Microsoft Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
 
-In general, you'll need to take the following steps to use the APIs:
+In general, you need to take the following steps to use the APIs:
 
 - Create a Microsoft Entra application
 - Get an access token using this application
@@ -65,23 +65,23 @@ This page explains how to create a Microsoft Entra application, get an access to
 
 ## Create an app
 
-1. Log on to [Azure](https://portal.azure.com) with a user account that has the **Global Administrator** role.
+1. Sign in to the [Azure portal](https://portal.azure.com).
 
 2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**.
 
    :::image type="content" source="../media/atp-azure-new-app2.png" alt-text="The App registrations page in the Microsoft Azure portal" lightbox="../media/atp-azure-new-app2.png":::
 
 3. When the **Register an application** page appears, enter your application's registration information:
-   - **Name** - Enter a meaningful application name that will be displayed to users of the app.
+   - **Name** - Enter a meaningful application name that is displayed to users of the app.
    - **Supported account types** - Select which accounts you would like your application to support.
 
      <br>
 
      |Supported account types|Description|
      |---|---|
-     |**Accounts in this organizational directory only**|Select this option if you're building a line-of-business (LOB) application. This option is not available if you're not registering the application in a directory. <p> This option maps to Microsoft Entra-only single-tenant. <p> This is the default option unless you're registering the app outside of a directory. In cases where the app is registered outside of a directory, the default is Microsoft Entra multi-tenant and personal Microsoft accounts.|
-     |**Accounts in any organizational directory**|Select this option if you would like to target all business and educational customers. <p> This option maps to a Microsoft Entra-only multi-tenant. <p> If you registered the app as Microsoft Entra-only single-tenant, you can update it to be Microsoft Entra multi-tenant and back to single-tenant through the **Authentication** blade.|
-     |**Accounts in any organizational directory and personal Microsoft accounts**|Select this option to target the widest set of customers. <p> This option maps to Microsoft Entra multi-tenant and personal Microsoft accounts. <p> If you registered the app as Microsoft Entra multi-tenant and personal Microsoft accounts, you cannot change this in the UI. Instead, you must use the application manifest editor to change the supported account types.|
+     |**Accounts in this organizational directory only**|Select this option if you're building a line-of-business (LOB) application. This option isn't available if you're not registering the application in a directory. <br/><br/> This option maps to Microsoft Entra-only single-tenant. <br/><br/> This option is the default option unless you're registering the app outside of a directory. In cases where the app is registered outside of a directory, the default is Microsoft Entra multitenant and personal Microsoft accounts.|
+     |**Accounts in any organizational directory**|Select this option if you would like to target all business and educational customers. <br/><br/> This option maps to a Microsoft Entra-only multitenant. <br/><br/> If you registered the app as Microsoft Entra-only single-tenant, you can update it to be Microsoft Entra multitenant and back to single-tenant through the **Authentication** blade.|
+     |**Accounts in any organizational directory and personal Microsoft accounts**|Select this option to target the widest set of customers. <br/><br/> This option maps to Microsoft Entra multitenant and personal Microsoft accounts. <br/><br/> If you registered the app as Microsoft Entra multitenant and personal Microsoft accounts, you can't change this in the UI. Instead, you must use the application manifest editor to change the supported account types.|
 
    - **Redirect URI (optional)** - Select the type of app you're building, **Web** or **Public client (mobile & desktop)**, and then enter the redirect URI (or reply URL) for your application.
 
@@ -113,7 +113,7 @@ This page explains how to create a Microsoft Entra application, get an access to
 
      - To [run advanced queries](run-advanced-query-api.md), select **Run advanced queries** permission.
      - To [isolate a device](isolate-machine.md), select **Isolate machine** permission.
-     - To determine which permission you need, view the **Permissions** section in the API you are interested to call.
+     - To determine which permission you need, view the **Permissions** section in the API you're interested to call.
 
    - Select **Grant consent**.
 
 
@@ -99,6 +99,12 @@ To use [advanced hunting](/defender-xdr/advanced-hunting-overview) to find event
 
 > [!NOTE]
 > Querying using the **Hunt for related events** button from a Technique side pane displays all the events related to the identified technique but does not include the Technique itself in the query results.
+ 
+ ### EDR client (MsSense.exe) Resource Manager 
+
+When the EDR client on a device is running low on resources, it enters critical mode to maintain the normal working operation of the device. The device won't process new events until the EDR client returns to a normal state. A new event appears in the **Timeline** for that device indicating that the EDR client switched to **Critical** mode. 
+
+When the EDR client's resource usage goes back to normal levels, it will automatically return to normal mode.
 
 ### Customize your device timeline
 
 
@@ -64,7 +64,10 @@ Messages that are identified by the advanced delivery policy aren't security thr
     - _Create, modify, or remove configured settings in the advanced delivery policy_: Membership in the **Security Administrator** role groups in Email & collaboration RBAC <u>and</u> membership in the **Organization Management** role group in Exchange Online RBAC.
     - _Read-only access to the advanced delivery policy_: Membership in the **Global Reader** or **Security Reader** role groups in Email & collaboration RBAC.
       - **View-Only Organization Management** in Exchange Online RBAC.
-  - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+  - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**<sup>\*</sup>, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+
+    > [!IMPORTANT]
+    > <sup>\*</sup> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 ## Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy
 
 
@@ -41,9 +41,12 @@ In Microsoft 365 organizations with mailboxes in Exchange Online, alert policies
   - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md):
     - _Create and manage alert policies in the Threat management category_: Membership in the **Organization Management** or **Security Administrator** role groups.
     - _View alerts in the Threat management_ category: Membership in the **Security Reader** role group.
-  - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+  - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**<sup>\*</sup>, **Security Administrator**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
 
-  For information about other alert policy categories, see [Permissions required to view alerts](/purview/alert-policies#rbac-permissions-required-to-view-alerts).
+    > [!IMPORTANT]
+    > <sup>\*</sup> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
+- For information about other alert policy categories, see [Permissions required to view alerts](/purview/alert-policies#rbac-permissions-required-to-view-alerts).
 
 ## Open alert policies
 
 
@@ -51,7 +51,10 @@ You can configure anti-malware policies in the Microsoft Defender portal or in P
   - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo):
     - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups.
     - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.
-  - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+  - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**<sup>\*</sup>, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+
+    > [!IMPORTANT]
+    > <sup>\*</sup> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 - For our recommended settings for anti-malware policies, see [EOP anti-malware policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-malware-policy-settings).