ATPDocs/unmonitored-active-directory-certificate-services-server.md: 2 additions & 2 deletions
@@ -19,7 +19,7 @@ This article describes the security posture assessment report for unmonitored Ac
Unmonitored Active Directory Certificate Services (AD CS) servers pose a significant risk to your organization’s identity infrastructure. AD CS, the backbone of certificate issuance and trust, is a high-value target for attackers aiming to escalate privileges or forge credentials. Without proper monitoring, attackers can exploit these servers to issue unauthorized certificates, enabling stealthy lateral movement and persistent access. Deploy Microsoft Defender for Identity version 2.0 sensors on all AD CS servers to mitigate this risk. These sensors provide real-time visibility into suspicious activity, detect advanced threats, and generate actionable alerts based on security events and network behavior.
> [!NOTE]
-
> This security assessment is available only if Microsoft Defender for Endpoint detects an eligible AD CS server in the environment.
+
> This security assessment is only available if Microsoft Defender for Endpoint detects eligible ADCS servers in the environment. In some cases, servers running ADCS might not be identified with the required role and therefore will not appear in this assessment, even if they exist in the environment.
## How do I use this security assessment?
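Review bot: the added note spells the product "ADCS" while the article title, the paragraph above and the line it replaces all use "AD CS"; keep the spaced form in the new sentence ("detects eligible AD CS servers", "servers running AD CS"). The rewrite also moves "only" from "available only if" to "only available if", which is less precise than the wording it replaces; the original placement reads correctly. Finally, the new sentence tells readers that some AD CS servers will be missing from the assessment but not what they can do about it; consider linking to where the role detection is documented, or to the check an administrator can run on a server that is missing, so the caveat is actionable rather than just a warning.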
@@ -35,4 +35,4 @@ Unmonitored Active Directory Certificate Services (AD CS) servers pose a signifi
## Next steps
-
Learn more about [Microsoft Secure Score](/defender-xdr/microsoft-secure-score).
+
Learn more about [Microsoft Secure Score](/defender-xdr/microsoft-secure-score).
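Review bot: the removed and added versions of "Learn more about [Microsoft Secure Score](/defender-xdr/microsoft-secure-score)." are identical in the rendered text, so this hunk changes only whitespace or the line ending (most likely a trailing newline at end of file); confirm that is intended rather than an editor re-save, since it adds noise to every future blame on this file.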
ATPDocs/unmonitored-active-directory-federation-services-servers.md: 1 addition & 2 deletions
@@ -18,8 +18,7 @@ This article describes the Microsoft Defender for Identity's unmonitored Active
Unmonitored Active Directory Federation Services (ADFS) servers are a significant security risk to organizations. ADFS controls access to both cloud and on-premises resources as the gateway for federated authentication and single sign-on. If attackers compromise an ADFS server, they can issue forged tokens and impersonate any user, including privileged accounts. Such attacks might bypass multi-factor authentication (MFA), conditional access, and other downstream security controls, making them particularly dangerous. Without proper monitoring, suspicious activity on ADFS servers might go undetected for extended periods. Deploying Microsoft Defender for Identity version 2.0 sensors on ADFS servers is essential. These sensors enable real-time detection of suspicious behavior and help prevent token forgery, abuse of trust relationships, and stealthy lateral movement within the environment.
> [!NOTE]
-
> This security assessment is only available if Microsoft Defender for Endpoint detects an eligible ADFS server in the environment.
-
+
> This security assessment is only available if Microsoft Defender for Endpoint detects eligible ADFS servers in the environment. In some cases, servers running ADFS might not be identified with the required role and therefore will not appear in this assessment, even if they exist in the environment.
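Review bot: besides replacing the note text, this hunk deletes the blank line that followed it (old line 22) without adding one back, so the blockquote now runs straight into whatever comes next; if that next line is a heading or paragraph, Markdown needs a blank line to terminate the `>` block, so the deletion should be reverted unless the removed line was itself an empty `>` continuation. The added sentence matches the wording used in the AD CS and Entra Connect files, which keeps the three assessments consistent; one nit shared with them: "identified with the required role" is ambiguous, and "identified as having the required role" says what is meant.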
ATPDocs/unmonitored-entra-connect-servers.md: 1 addition & 1 deletion
@@ -23,7 +23,7 @@ If an attacker compromises a Microsoft Entra Connect server, they can inject sha
These servers operate at the intersection of on-premises and cloud identity, making them a prime target for privilege escalation and stealthy persistence. Without monitoring, such attacks can go undetected. Deploying Microsoft Defender for Identity version 2.0 sensors on Microsoft Entra Connect servers is critical. These sensors help detect suspicious activity in real time, protect the integrity of your hybrid identity bridge, and prevent full-domain compromise from a single point of failure.
> [!NOTE]
-
> This security assessment is only available if Microsoft Defender for Endpoint detects eligible Microsoft Entra Connect servers in the environment.
+
> This security assessment is only available if Microsoft Defender for Endpoint detects eligible Microsoft Entra Connect servers in the environment. In some cases, servers running Entra Connect might not be identified with the required role and therefore will not appear in this assessment, even if they exist in the environment.
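Review bot: the added sentence shortens the product name to "Entra Connect" while every other mention in this hunk and in the sibling files uses "Microsoft Entra Connect"; use the full name here to match the existing convention. Same nit as the other two files: "identified with the required role" can be read as "identified by means of the role"; "identified as having the required role" is unambiguous.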
CloudAppSecurityDocs/governance-actions.md: 4 additions & 7 deletions
@@ -84,21 +84,17 @@ The following governance actions can be taken for connected apps either on a spe
-**Trash** – Move the file to the trash folder. (Box, Dropbox, Google Drive, OneDrive, SharePoint)
These actions are restricted to users with specific administrative roles. If the options described are not visible or accessible, please confirm with your system administrator that your account has one of the following roles assigned:
-
- Security Operator
+
- Security Operator
- Security administrator
- Global administrator
- Cloud app security administrator
:::image type="content" source="media/governance-actions/governance-actions-dropbox-google-workspace.png" alt-text="Screenshot that shows malware governance actions." lightbox="media/governance-actions/governance-actions-dropbox-google-workspace.png":::
> [!NOTE]
-
> In SharePoint and OneDrive, Defender for Cloud Apps supports user quarantine only for files in Shared Documents libraries (SharePoint Online) and files in the Documents library (OneDrive for Business).
-
>
-
> Microsoft Defender for Microsoft 365 customers can control detected malware files in SharePoint and OneDrive via the [Microsoft Defender XDR **Quarantine** page](https://security.microsoft.com/quarantine?viewid=Files). For example, supported activities include recovering files, deleting files, and downloading files in password-protected ZIP files. These activities are limited to files that were not already quarantined by Microsoft Defender for Cloud Apps.
-
> In SharePoint, Defender for Cloud Apps supports quarantine tasks only for files with Shared Documents in path in English.
-
>
+
> In SharePoint and OneDrive, Defender for Cloud Apps supports user quarantine only for files in Shared Documents libraries and only for files with Shared Documents in path in English (SharePoint Online) and files in the Documents library (OneDrive for Business). In addition, you must [enable the service principal](/graph/api/serviceprincipal-get?view=graph-rest-1.0&tabs=http) to get Malware detection and response support (this service API is enabled by default). Once API is enabled, Defender for Cloud Apps starts getting the logs (with a delay of 24-72 hours).
+
> Microsoft Defender for Microsoft 365 customers can control detected malware files in SharePoint and OneDrive via the [Microsoft Defender XDR ](https://security.microsoft.com/quarantine?viewid=Files)**[Quarantine](https://security.microsoft.com/quarantine?viewid=Files)**[ page](https://security.microsoft.com/quarantine?viewid=Files). For example, supported activities include recovering files, deleting files, and downloading files in password-protected ZIP files. These activities are limited to files that were not already quarantined by Microsoft Defender for Cloud Apps.
> Actions will only show for connected apps.
-
>
## Activity governance actions
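Review bot: the Quarantine link in the second added note line has been split into three consecutive links with the same target (`[Microsoft Defender XDR ](…)**[Quarantine](…)**[ page](…)`), which renders as three separately underlined fragments; restore the single link from the removed line, `[Microsoft Defender XDR **Quarantine** page](https://security.microsoft.com/quarantine?viewid=Files)`. In the first added note line, folding the library restriction and the English-path restriction into one sentence gives "only for files in Shared Documents libraries and only for files with Shared Documents in path in English (SharePoint Online) and files in the Documents library (OneDrive for Business)", which is hard to parse; keep the two sentences the removed lines had, or split by product ("SharePoint Online: only files in Shared Documents libraries whose path contains Shared Documents in English. OneDrive for Business: only files in the Documents library."). The new service principal sentence contradicts itself: it says you must enable the service principal and then that the API is enabled by default, and the link target is the Graph `serviceprincipal-get` reference, a read call, not a page that enables anything; state which service principal or API is meant, whether the reader has to do anything at all, and link to a how-to rather than the GET reference. Smaller points on the same line: "Once API is enabled" needs an article ("Once the API is enabled"), and "Malware detection" is capitalized unlike the other feature names in this file. Lastly, the Security Operator list item is removed and re-added with identical text, so that part of the hunk is whitespace-only; since the list is being touched anyway, the role names are inconsistently cased ("Security Operator" beside "Security administrator" and "Global administrator").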
@@ -113,6 +109,7 @@ These actions are restricted to users with specific administrative roles. If the
-**Governance actions in apps** - Granular actions can be enforced per app, specific actions vary depending on app terminology.
-**Suspend user** – Suspend the user from the application.
+
> [!NOTE]
> If your Microsoft Entra ID is set to automatically sync with the users in your Active Directory on-premises environment the settings in the on-premises environment will override the Microsoft Entra settings and this governance action will be reverted.
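Review bot: inserting a blank line between the "**Suspend user**" item and the `> [!NOTE]` block is the right fix, since without it Markdown attaches the blockquote to the preceding paragraph and the note callout does not render; no objection. While in this file, the unchanged note text needs a comma after the conditional clause ("…in your Active Directory on-premises environment, the settings in the on-premises environment will override…"); that can be a follow-up.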