MicrosoftDocs
diff --git a/‎ATPDocs/deploy/activate-capabilities.md‎
Lines changed: 2 additions & 2 deletions b/‎ATPDocs/deploy/activate-capabilities.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎ATPDocs/health-alerts.md‎
Lines changed: 10 additions & 1 deletion b/‎ATPDocs/health-alerts.md‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎ATPDocs/identity-inventory.md‎
Lines changed: 9 additions & 9 deletions b/‎ATPDocs/identity-inventory.md‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎ATPDocs/whats-new.md‎
Lines changed: 13 additions & 6 deletions b/‎ATPDocs/whats-new.md‎
Lines changed: 13 additions & 6 deletions
diff --git a/‎defender-office-365/TOC.yml‎
Lines changed: 7 additions & 0 deletions b/‎defender-office-365/TOC.yml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎defender-office-365/mdo-deployment-guide.md‎
Lines changed: 7 additions & 0 deletions b/‎defender-office-365/mdo-deployment-guide.md‎
Lines changed: 7 additions & 0 deletions
@@ -117,8 +117,8 @@ The first time you activate Defender for Identity capabilities on your domain co
 Defender for Identity capabilities on domain controllers currently support the following Defender for Identity functionality:
 
 - Investigation features on the [ITDR dashboard](#check-the-itdr-dashboard), [identity inventory](#confirm-entity-page-details), and [identity advanced hunting data](#test-advanced-hunting-tables)
-- [Specified security posture recommendations](#test-identity-security-posture-management-ispm-recommendations)
-- [Specified alert detections](#test-alert-functionality)
+- [Security posture recommendations](#test-identity-security-posture-management-ispm-recommendations)
+- [Alert detections](#test-alert-functionality)
 - [Remediation actions](#test-remediation-actions)
 - [Automatic attack disruption](/microsoft-365/security/defender/automatic-attack-disruption)
 
 
@@ -32,6 +32,15 @@ The Microsoft Defender for Identity **Health issues** page lets you know when th
 
     :::image type="content" source="media/health-issues/close-suppress.png" alt-text="Screenshot of a health issue details pane." lightbox="media/health-issues/close-suppress.png":::
 
+## Health issue status
+
+Health issues in Microsoft Defender for Identity can have different statuses depending on their state and how they're handled. 
+
+- **Open:**: The health issue is marked as open. 
+- **Closed:** A health issue is automatically marked as **Closed** when Microsoft Defender for Identity detects that the underlying issue is resolved. If you have [Azure ATP (workspace name) Administrator](/defender-for-identity/role-groups#defender-for-identity-security-groups)  you can also manually close a health issue.
+- **Suppressed:** If you have Azure ATP (workspace name) Administrators permissions, you can suppress the health alert for seven days. Suppress a health alert if you're aware of an expected temporary known issue, for example, taking down a machine for maintenance.
+
+For example, if a domain controller is taken offline for maintenance, a "Sensor stopped communicating" alert might be triggered. You can use the API to change the alert status from Open to Suppressed. Once the domain controller is back online, revert the status to Open and let Microsoft Defender for Identity close the alert automatically when the issue is resolved.
 
 ## Health issues
 
@@ -43,7 +52,7 @@ Sensor-specific health issues are displayed in the **Sensor health issues** tab
 
 |Alert|Description|Resolution|Severity|Displayed in|
 |----|----|----|----|----|
-|The virtual machines that the listed Defender for Identity sensors are installed on has a network configuration mismatch. This issue may affect the performance and reliability of the sensors.|Review the network interface settings, including disabling the Large Send Offload (LSO), and follow the instructions in [here](https://aka.ms/mdi/vmware-sensor-issue).|High|Sensors health issues tab|
+|The virtual machines that the listed Defender for Identity sensors is installed on has a network configuration mismatch. This issue might affect the performance and reliability of the sensors.|Review the network interface settings, including disabling the Large Send Offload (LSO), and follow the instructions in [here](https://aka.ms/mdi/vmware-sensor-issue).|High|Sensors health issues tab|
 
 ### A domain controller is unreachable by a sensor
 
 
@@ -28,15 +28,15 @@ The Identities inventory page includes the following tabs:
 
 - **Identities**: A consolidated view of identities across Active Directory, Entra ID. This Identities tab highlights key details, including identity types, and user's information.
 
-- **Cloud application accounts:** Displays a list of cloud application accounts, including those from application connectors and third-party sources (original available in the previous version based on Microsoft Defender for Cloud Apps). Learn more about [Cloud application accounts from connected apps.](/defender-cloud-apps/accounts) 
+- **Cloud application accounts:** Displays a list of cloud application accounts, including those from application connectors and third-party sources (original available in the previous version based on Microsoft Defender for Cloud Apps). Learn more about [Cloud application accounts from connected apps.](/defender-cloud-apps/accounts)
 
 There are several options you can choose from to customize the identities list view. On the top navigation you can:
 
 - Add or remove columns.
 
 - Apply filters.
 
-- Search for an identity by name or full UPN, SID and Object ID. 
+- Search for an identity by name or full UPN, SID, and Object ID. 
 
 - Export the list to a CSV file.
 
@@ -49,23 +49,23 @@ There are several options you can choose from to customize the identities list v
 
 ### Identity details 
 
-The **Identities** list offers a consolidated view of identities across Active Directory and Entra ID. It highlights key details, including the following columns by default:
+The **Identities** list offers a consolidated view of identities across Active Directory and Microsoft Entra IDs. It highlights key details, including the following columns by default:
 
 - __Display name__ – The full name of the identity as shown in the directory.
 
 - __SID__ – The Security Identifier, a unique value used to identify the identity in Active Directory.
 
 - __Domain__ – The Active Directory domain to which the identity belongs.
 
-- __Object ID__ – A unique identifier for the identity in Entra ID.
+- __Object ID__ – A unique identifier for the identity in Microsoft Entra ID.
 
-- __Source__ – Indicates whether the identity is on-premises (originate from Active Directory), Cloud only (Entra ID) or Hybrid (synced from AD to Entra ID).
+- __Source__ – Indicates whether the identity is on-premises (originate from Active Directory), Cloud only (Entra ID) or Hybrid (synced from Azure Active Directory to Entra ID).
 
 - __Type__ – Specifies if the identity is a user account or service account.
 
 - __UPN (User Principal Name)__ – The unique login name of the identity in an email-like format.
 
-- __Tags__ – Custom labels that help categorize or classify identities: Sensitive and Honeytoken.
+- __Tags__ – Custom labels that help categorize identities that are considered high value assets. For example, **Sensitive**, **Honeytoken** or **Privileged Accounts** managed by a [Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-configure) (PIM) service.
 
 - __Created time__ – The timestamp when the identity was first created.
 
@@ -75,7 +75,7 @@ The **Identities** list offers a consolidated view of identities across Active D
 
 - __Last updated__ – The timestamp of the most recent update to the identity's attributes in Active Directory.
 
-Non-default columns: Email and Entra ID risk level.  
+Nondefault columns: Email and Microsoft Entra ID risk level.  
 
 > [!TIP]
 > To see all columns, you likely need to do one or more of the following steps:
@@ -99,13 +99,13 @@ You can apply the following filters to limit the list of identities and get a mo
 
 - Account status
 
-Sort option applies to Display name, Domain and Created time columns.
+Sort option applies to Display name, Domain, and Created time columns.
 
 ### Identity inventory insights 
 
 - The __Classify critical assets__ card allows you to define identity groups as business critical. For more information, see [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management). 
 
-- **Highly privileged identities** card helps you investigate in Advanced hunting all sensitive accounts in your organization, including Entra ID security administrators and Global admin users.
+- **Highly privileged identities** card helps you investigate in Advanced hunting all sensitive accounts in your organization, including Microsoft Entra ID security administrators and Global admin users.
 
 - **Critical Active Directory service accounts** card helps you quickly identify all Active Directory accounts designated as critical, making it easier to focus on identities most at risk.
 
 
@@ -24,6 +24,13 @@ For updates about versions and features released six months ago or earlier, see
 
 ## April 2025
 
+### Privileged Identity Tag Now Visible in Defender for Identity Inventory
+
+Identities listed in the [Identity inventory](identity-inventory.md) in Microsoft Defender portal now include a **“Privileged account”** tag for accounts managed by a **Privileged Identity Management (PIM)** service.
+Privileged accounts are prime targets for attackers. Tagging them in the inventory helps you quickly identify high-risk or high-value accounts, prioritize investigation and mitigation efforts, and streamline incident response workflows.
+
+Learn more about [Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-configure)
+
 ### New Defender for Identity and PAM Integration
 
 Microsoft Defender for Identity now supports integration with industry-leading Privileged Access Management (PAM) platforms to enhance detection and response for privileged identities.
@@ -34,7 +41,7 @@ Microsoft Defender for Identity now supports integration with industry-leading P
 - Delinea
 - BeyondTrust
 
-For more information see: [Integrations Defender for Identity and PAM services.](Integrate-microsoft-and-pam-services.md)
+For more information, see: [Integrations Defender for Identity and PAM services.](Integrate-microsoft-and-pam-services.md)
 
 ## March 2025
 
@@ -77,7 +84,7 @@ New LDAP query events were added to the `IdentityQueryEvents` table in Advanced
 ### DefenderForIdentity PowerShell module updates (version 1.0.0.3)
 
 New Features and Improvements:
-- Support for getting, testing, and setting the Active Directory Recycle Bin in Get/Set/Test MDIConfiguration.
+- Support for getting, testing, and setting the Active Directory Recycle Bin in Get/Set/Test MDI Configuration.
 - Support for getting, testing, and setting the proxy configuration on new MDI sensor.
 - The Active Directory Certificate Services registry value for audit filtering now properly sets the type.
 - New-MDIConfigurationReport now shows the name of the tested GPO and supports Server and Identity arguments.
@@ -121,7 +128,7 @@ Additionally, the **built-in schema reference** for Advanced Hunting in Microsof
 
 ### New Identity guide tour
 
-Explore key MDI features with the new **Identities Tour** in the M365 portal. Navigate Incidents, Hunting, and Settings to enhance identity security and threat investigation.
+Explore key MDI features with the new **Identities Tour** in the Microsoft 365 portal. Navigate Incidents, Hunting, and Settings to enhance identity security and threat investigation.
 
 ## December 2024
 
@@ -177,11 +184,11 @@ As part of our ongoing effort to enhance Microsoft Defender for Identity coverag
 **New Microsoft Entra Connect Identity posture recommendations:**
 
 * **Rotate password for Microsoft Entra Connect connector account**
-   * A compromised Microsoft Entra Connect connector account (AD DS connector account, commonly shown as MSOL_XXXXXXXX) can grant access to high-privilege functions like replication and password resets, allowing attackers to modify synchronization settings and compromise security in both cloud and on-premises environments as well as offering several paths for compromising the entire domain. In this assessment we recommend customers change the password of MSOL accounts with the password last set over 90 days ago. For more information click [here](rotate-password-microsoft-entra-connect.md).
+   * A compromised Microsoft Entra Connect connector account (AD DS connector account, commonly shown as MSOL_XXXXXXXX) can grant access to high-privilege functions like replication and password resets, allowing attackers to modify synchronization settings and compromise security in both cloud and on-premises environments as well as offering several paths for compromising the entire domain. In this assessment we recommend customers change the password of MSOL accounts with the password last set over 90 days ago. For more information, click [here](rotate-password-microsoft-entra-connect.md).
 * **Remove unnecessary replication permissions for Microsoft Entra Connect Account**
-   * By default, the Microsoft Entra Connect connector account has extensive permissions to ensure proper synchronization (even if they aren't actually required). If Password Hash Sync isn't configured, it’s important to remove unnecessary permissions to reduce the potential attack surface. For more information click [here](remove-replication-permissions-microsoft-entra-connect.md)
+   * By default, the Microsoft Entra Connect connector account has extensive permissions to ensure proper synchronization (even if they aren't required). If Password Hash Sync isn't configured, it’s important to remove unnecessary permissions to reduce the potential attack surface. For more information, click [here](remove-replication-permissions-microsoft-entra-connect.md)
 * **Change password for Microsoft Entra seamless SSO account configuration**
-   * This report lists all [Microsoft Entra seamless SSO](/entra/identity/hybrid/connect/how-to-connect-sso) computer accounts with password last set over 90 days ago. The password for the Azure SSO computer account isn't automatically changed every 30 days. If an attacker compromises this account, they can generate service tickets for the AZUREADSSOACC account on behalf of any user and impersonate any user in the Microsoft Entra tenant that is synchronized from Active Directory. An attacker can use this to move laterally from Active Directory into Microsoft Entra ID. For more information click [here](change-password-microsoft-entra-seamless-single-sign-on.md).    
+   * This report lists all [Microsoft Entra seamless SSO](/entra/identity/hybrid/connect/how-to-connect-sso) computer accounts with password last set over 90 days ago. The password for the Azure SSO computer account isn't automatically changed every 30 days. If an attacker compromises this account, they can generate service tickets for the AZUREADSSOACC account on behalf of any user and impersonate any user in the Microsoft Entra tenant that is synchronized from Active Directory. An attacker can use this to move laterally from Active Directory into Microsoft Entra ID. For more information, click [here](change-password-microsoft-entra-seamless-single-sign-on.md).    
 
 **New Microsoft Entra Connect detections:**
 
 
@@ -101,6 +101,9 @@
        items:
        - name: Defender for Office 365 SecOps guide
          href: mdo-sec-ops-guide.md
+     - name: Quickly configure Microsoft Teams protection
+       href: mdo-support-teams-quick-configure.md
+
    - name: Migrate
      items:
        - name: Migrate to Defender for Office 365
@@ -116,6 +119,8 @@
      items:
        - name: Defender for Office 365 SecOps Guide
          href: mdo-sec-ops-guide.md
+       - name: SecOps guide for Teams protection in Defender for Office 365
+         href: mdo-support-teams-sec-ops-guide.md
        - name: Threat classification
          href: mdo-threat-classification.md
        - name: Security recommendations for priority accounts
@@ -363,6 +368,8 @@
        href: office-365-ti.md
      - name: Defender for Office 365 SecOps Guide
        href: mdo-sec-ops-guide.md
+     - name: SecOps guide for Teams protection in Defender for Office 365
+       href: mdo-support-teams-sec-ops-guide.md
      - name: Analyze and classify
        items:
        - name: Campaign Views
 
@@ -30,6 +30,13 @@ In new Microsoft 365 organizations with Microsoft Defender for Office 365 (inclu
 
 Although your Microsoft 365 organization includes a default level of protection from the moment you create it (or add Defender for Office 365 to it), the steps in this article give you an actionable plan to unleash the full protection capabilities of EOP and Defender for Office 365. After you complete the steps, you can also use this article to show management that you're maximizing your investment in Microsoft 365.
 
+> [!TIP]
+> For information about configuring protection for Microsoft Teams, see the following articles:
+>
+> - [Microsoft Defender for Office 365 Plan 2 support for Microsoft Teams](mdo-support-teams-about.md)
+> - [Quickly configure Microsoft Teams protection in Microsoft Defender for Office 365 Plan 2](mdo-support-teams-quick-configure.md)
+> - [Security Operations Guide for Teams protection in Microsoft Defender for Office 365](mdo-support-teams-sec-ops-guide.md)
+
 The steps to configure EOP and Defender for Office 365 are described in the following diagram:
 
 :::image type="content" source="media/mdo-deployment-guide.png" alt-text="A conceptual diagram showing the steps to configure Defender for Office 365." lightbox="media/mdo-deployment-guide.png":::