Merge branch 'public' into patch-2

Author: denisebmsft

.openpublishing.redirection.defender-endpoint.json

@@ -82,8 +82,8 @@
     },
     {
       "source_path": "defender-endpoint/linux-support-rhel.md",
-      "redirect_url": "/defender-endpoint/comprehensive-guidance-on-linux-deployment",
-      "redirect_document_id": true
+      "redirect_url": "/defender-endpoint/linux-installer-script",
+      "redirect_document_id": false
     },
     {
       "source_path": "defender-endpoint/pilot-deploy-defender-endpoint.md",
@@ -94,6 +94,31 @@
       "source_path": "defender-endpoint/monthly-security-summary-report.md",
       "redirect_url": "/defender-endpoint/threat-protection-reports#monthly-security-summary",
       "redirect_document_id": true
-    }    
+    },
+    {
+      "source_path": "defender-endpoint/run-analyzer-macos-linux.md",
+      "redirect_url": "/defender-endpoint/overview-client-analyzer",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-endpoint/download-client-analyzer.md",
+      "redirect_url": "/defender-endpoint/overview-client-analyzer",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-endpoint/schedule-antivirus-scan-in-mde.md",
+      "redirect_url": "/defender-endpoint/schedule-antivirus-scan-anacron",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-endpoint/comprehensive-guidance-on-linux-deployment.md",
+      "redirect_url": "/defender-endpoint/linux-installer-script",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-endpoint/linux-schedule-scan-mde.md",
+      "redirect_url": "/defender-endpoint/schedule-antivirus-scan-crontab",
+      "redirect_document_id": true
+    } 
   ]
 }

ATPDocs/media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-excessive-permissions.png

@@ -2,7 +2,7 @@
 title: 'Security assessment: Remove Resource Based Constrained Delegation for Microsoft Entra seamless SSO account'
 description: This article describes Microsoft Defender for Identity's Microsoft Entra Seamless Single sign-on (SSO) account with Resource Based Constrained Delegation (RBCD) applied security posture assessment report.
 author: RonitLitinsky
-ms.author: t-rlitinsky
+ms.author: rlitinsky
 ms.service: microsoft-defender-for-identity
 ms.topic: article
 ms.date:     08/22/2024

ATPDocs/media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-exposed-entities.png

@@ -0,0 +1,49 @@
+---
+# Required metadata
+# For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main
+# For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main
+
+title: 'Security assessment: Remove unsafe permissions on sensitive Microsoft Entra Connect accounts'
+description: This report lists any sensitive AD DS Connector (MSOL_) accounts or Microsoft Entra Seamless SSO computer account (AZUREADSSOACC) with unsafe permissions.
+author:      LiorShapiraa # GitHub alias
+ms.author: liorshapira
+ms.service: microsoft-defender-for-identity
+ms.topic: article
+ms.date:     03/16/2025
+---
+
+# Security assessment: Remove unsafe permissions on sensitive Entra Connect accounts
+
+This article describes Microsoft Defender for Identity's Microsoft Entra Connect accounts unsafe permissions security posture assessment report.
+
+> [!NOTE]
+> This security assessment will be available only if Microsoft Defender for Identity sensor is installed on servers running Microsoft Entra Connect services and Sign on method as part of Microsoft Entra Connect configuration is set to single sign-on and the SSO computer account exists. Learn more about Microsoft Entra seamless sign-on **[here](/entra/identity/hybrid/connect/how-to-connect-sso)**.
+
+## How can unsafe permissions on Microsoft Entra Connect accounts expose your hybrid identity to risk?
+
+Microsoft Entra Connect accounts like AD DS Connector account (also known as MSOL_) and Microsoft Entra Seamless SSO computer account (AZUREADSSOACC) have powerful privileges, including replication and password reset rights. If these accounts are granted unsafe permissions, attackers could exploit them to gain unauthorized access, escalate privileges, or take control of hybrid identity infrastructure. This could lead to account takeovers, unauthorized directory modifications, and a broader compromise of both on-premises and cloud environments.
+
+## How do I use this security assessment to improve my hybrid organizational security posture?
+
+> [!NOTE]
+> While assessments are updated in near real time, scores and statuses are updated every 24 hours. While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as **Completed**.
+
+1. Review the recommended action at[ https://security.microsoft.com/securescore?viewid=actions](https://security.microsoft.com/securescore?viewid=actions) for Remove unsafe permissions on sensitive Entra Connect accounts.
+
+1. Review the list of exposed entities to identify accounts with unsafe permissions. For example:
+
+    :::image type="content" source="media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-exposed-entities.png" alt-text="Screenshot of exposed entities" lightbox="media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-exposed-entities.png":::
+
+1. If you click on "Click to expend" you can find more details about the granted permissions. For example:  
+
+    :::image type="content" source="media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-excessive-permissions.png" alt-text="Screenshot of excessive permissions" lightbox="media/remove-unsafe-permissions-sensitive-entra-connect/screenshot-of-excessive-permissions.png":::
+
+1. For each exposed account, remove problematic permissions that allow unprivileged accounts to takeover critical hybrid assets.
+
+
+## Next steps
+
+- [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
+
+- [Learn more about Defender for Identity Sensor for Microsoft Entra Connect](https://aka.ms/MdiSensorForMicrosoftEntraConnectInstallation)
+

ATPDocs/remove-rbcd-microsoft-entra-seamless-single-sign-on-account.md

@@ -172,6 +172,9 @@ items:
          displayName: Microsoft Entra Connect
        - name: Remove unnecessary replication permissions for Microsoft Entra Connect connector account
          href: remove-replication-permissions-microsoft-entra-connect.md
+       - name: Remove unsafe permissions on sensitive Entra Connect accounts
+         href: remove-unsafe-permissions-sensitive-entra-connect.md
+         displayName: MDI
        - name: Replace Enterprise or Domain Admin account for Entra Connect AD DS Connector account
          href: replace-entra-connect-default-admin.md
      - name: Identity infrastructure

ATPDocs/remove-unsafe-permissions-sensitive-entra-connect.md

@@ -8,63 +8,62 @@ ms.topic: how-to
 
 
 
-Microsoft Defender for Cloud Apps gives you visibility into the accounts from your connected apps. After you connect Defender for Cloud Apps to an app using the App connector, Defender for Cloud Apps reads account information associated with connected apps. The Accounts page enables you to investigate those accounts, permissions, the groups they're members of, their aliases, and the apps they're using. Additionally, when Defender for Cloud Apps detects a new account that wasn't previously seen in one of the connected apps - for example, in activities or file sharing - the account is added to the accounts list of that app. This enables you to have visibility into the activity of external users interacting with your cloud apps.
+Microsoft Defender for Cloud Apps gives you visibility into the accounts from your connected applications. After you connect Defender for Cloud Apps to an app using the [App connector](/defender-cloud-apps/enable-instant-visibility-protection-and-governance-actions-for-your-apps), Defender for Cloud Apps reads account information associated with connected applications. The Cloud application accounts tab within the Identity inventory enables you to investigate those accounts, permissions, the groups they're members of, their aliases, and the apps they're using. Additionally, when Defender for Cloud Apps detects a new account that wasn't previously seen in one of the connected apps - for example, in activities or file sharing - the account is added to the accounts list of that app. This enables you to have visibility into the activity of external users interacting with your cloud apps.
 
-## Identity Inventory (Preview)
+## Identity Inventory
 
-> [!NOTE]
-> The Identities page is in the process of merging into the unified **Identity Inventory (Preview)**. 
-> 
-> The **Identity inventory** provides a centralized view of all identities in your organization, enabling you to monitor and manage them efficiently. At a glance, you can see key details such as Domain, Tags, Type, and other attributes, helping you quickly identify and manage identities that require attention. 
-> 
-> The functionality of the Identities page, as presented below, will be provided in the new Identity Inventory under the "**Cloud application accounts**" tab, offering the same features as it does today. For more details, visit the [Identity Inventory documentation](/defender-for-identity/identity-inventory).
-> 
-## Identities
+The visibility into cloud application accounts, as described above, is provided in the Identity Inventory under the "**Cloud application accounts**" tab.
 
-Admins can search for a specific user's metadata or user's activity. The **Identities** page provides you with comprehensive details about the entities that are pulled from connected cloud applications. It also provides the user's activity history and security alerts related to the user.
+The **Identity inventory** provides a centralized view of all identities in your organization, enabling you to monitor and manage them efficiently. At a glance, you can see key details such as Domain, Tags, Type, and other attributes, helping you quickly identify and manage identities that require attention. 
 
-The **Identities** page can be [filtered](#identities-filters) to enable you to find specific accounts and to deep dive into different types of accounts, for example, you can filter for all External accounts that haven't been accessed since last year.
+For more details, visit the [Identity Inventory documentation](/defender-for-identity/identity-inventory).
 
-The **Identities** page enables you to easily investigate your accounts, including the following issues:
+## Cloud Application Accounts
 
-* Check if any accounts have been inactive in a particular service for a long time (Maybe you should revoke the license for that user to that service)
+Admins can search for specific account metadata or account activity. The **Cloud application accounts** tab provides comprehensive details about entities pulled from connected cloud applications, including activity history and security alerts related to the account.
 
-* You can filter for the list of users with admin permissions
-* You can search for users who are no longer part of your organization but may still have active accounts
-* You can take [governance actions](#governance-actions) on the accounts, such as suspending an app or going to the account settings page.
-* You can see which accounts are included in each user group  
-* You can see which apps are accessed by each account and which apps are deleted for specific accounts
+The **Cloud application accounts** tab can be filtered to find specific accounts and deep dive into different types of accounts. For example, you can filter for all External accounts that haven't been accessed since last year.
 
-    ![accounts screen.](media/accounts-page.png)
-  
-### Identities filters
+The **Cloud application accounts** tab enables easy investigation of accounts, including:
+
+- Checking if any accounts have been inactive in a particular service for a long time (consider revoking the license for that user to that service).
+
+- Filtering for accounts with admin permissions.
+
+- Searching for accounts that are no longer part of your organization but may still have active accounts.
+
+- Taking governance actions on accounts, such as suspending an app or accessing the account settings page.
+
+- Viewing which accounts are included in each user group.
+
+- Seeing which apps are accessed by each account and which apps are deleted for specific accounts.
 
-Following is a list of the account filters that can be applied. Most filters support multiple values as well as NOT, in order to provide you with a powerful tool for policy creation.  
+[![Screenshot that shows the Cloud application accounts](media/accounts/cloud-application-accounts.png)](media/accounts/cloud-application-accounts.png#lightbox)
 
-* **Affiliation**: The affiliation is either **Internal** or **External**. To set which users and accounts are internal, under **Settings** make sure to set the **IP address range** of your internal organization. If the account has admin permissions the icon in the Accounts table appears with the addition of the red tie:
+### Accounts filters
+
+The Cloud application accounts tab offers comprehensive filtering capabilities, with pre-defined filters for a quick and easy experience.
+
+Admins can also enable the "Advanced filters" toggle to filter by additional attributes or create complex filters that include conditions such as "does not equal."  
+![Screenshot that shows the Advanced filters toggle.](media/accounts/image.png)
+
+Predefined filters include:
+
+- **Account name:** Filter specific accounts.
+
+- **Affiliation:** Internal or External. Set internal accounts under **Settings** by defining the **IP address range of your organization**. Admin accounts are marked with a red tie icon.
 
     ![accounts admin icon.](media/accounts-admin-icon.png)
 
-* **App**: You can filter for any API connected app being used by accounts in your organization.
-* **Domain**: This enables you to filter for users in specific domains.
-* **Groups**: Enables you to filter for members of user groups in Defender for Cloud Apps - both built-in user groups and imported user groups.
-* **Instance**: This enables you to filter for members of a specific app instance.
-* **Last seen**: The **last seen** filter enables you to find accounts that are dormant and whose users haven't performed any activities in a while.
-* **Organization**: This enables you to filter for members of specific organizational groups defined in your connected apps.
-* **Show Admins only**: Filters for accounts and users that are admins.
-* **Status**: Filter based on user account status of N/A, staged, active, suspended, or deleted. A status of not available (N/A) is normal and may appear, for example, for anonymous accounts.
-* **Type**: This enables you to filter to either the user or the account type.
-* **User name**: Enables you to filter specific users.
-
-### Governance actions
+- **App:** Filter for any connected app used by accounts in your organization.
 
-From the **Users and account** page, you can take governance actions such as suspending an app or going to the account settings page. For a full list of governance actions, see the [governance log](governance-actions.md).
+- **Groups:** Filter for members of user groups in Defender for Cloud Apps—both built-in and imported user groups.
 
-For example, if you identify a user that is compromised, you can apply the **Confirm user compromised** action to set the user risk level to high, causing the relevant policy actions defined in Microsoft Entra ID to be enforced. The action can be applied manually or using relevant [policies that support governance actions](governance-actions.md).
+- **Show Admins only:** Filter for admin accounts.
 
-#### To manually apply a user or account governance action
+### Additional actions
 
-From the **Users and account** page, on the row where the relevant user or account appears, choose the three dots at the end of the row, then select **Confirm user compromised**.
+Additional actions for further investigation, such as viewing related activities and incidents, are available through the Cloud application accounts tab. Click the three dots at the end of the relevant account's row to view available actions, or click on the account row to see additional accounts related to a single user. Additional actions are also available via the three dots at the end of the table in this view.
 
 ## Next steps
 

ATPDocs/toc.yml

@@ -35,7 +35,7 @@ Below is a list of the activity filters that can be applied. Most filters suppor
 - Administrative activity – Search only for administrative activities.
 
   >[!NOTE]
-  > Defender for Cloud Apps can't mark Google Cloud Platform (GCP) administrative activities as administrative activities.
+  > Defender for Cloud Apps classifies all GCP activities as administrative activities.
 
 - Alert ID - Search by alert ID.
 

CloudAppSecurityDocs/accounts.md

@@ -27,6 +27,6 @@ The Defender for Cloud Apps robust platform allows you to integrate with a wide
 
     Defender for Cloud Apps allows security teams to automatically or manually confirm a user as compromised to ensure fast remediation of compromised users.
 
-    For more information, see [How does Microsoft Entra ID use my risk feedback](/azure/active-directory/identity-protection/howto-identity-protection-risk-feedback#how-does-azure-ad-use-my-risk-feedback) and [Governance actions](accounts.md#governance-actions).
+    For more information, see [How does Microsoft Entra ID use my risk feedback](/azure/active-directory/identity-protection/howto-identity-protection-risk-feedback#how-does-azure-ad-use-my-risk-feedback).
 
 [!INCLUDE [Open support ticket](includes/support.md)]

CloudAppSecurityDocs/activity-filters-queries.md

@@ -29,7 +29,7 @@ Defender for Cloud Apps operates in the Microsoft Azure data centers in the foll
 |---------|---------|
 |**Customers whose tenants are provisioned in the United States**     |  United States       |
 |**Customers whose tenants are provisioned in the European Union or the United Kingdom**     |    Either the European Union and/or the United Kingdom      |
-|**Customers whose tenants are provisioned in any other region**     |     The United States and/or a data center in the region that's nearest to the location of where the customer's Microsoft Entra tenant has been provisioned    |
+|**Customers whose tenants are provisioned in any other region**     |     The United States and/or a data center in the region that's nearest to the location of where the customer's Microsoft Entra tenant has been provisioned.    |
 
 In addition to the locations above, the App Governance features within Defender for Cloud Apps operate in the Microsoft Azure data centers in the following geographical regions listed below. Customer with App Governance enabled will have data stored within the data storage location the customer provisions in above, and in a second data storage location as described below: 
 
@@ -45,7 +45,7 @@ In addition to the locations above, the App Governance features within Defender
 | **Customers whose tenants are provisioned in Japan** | Japan  |
 | **Customers whose tenants are provisioned in India** | India  |
 | **Customers whose tenants are provisioned in Asia Pacific**  | Asia Pacific  |
-|**Customers whose tenants are provisioned in any other region**     |     The United States and/or a data center in the region that's nearest to the location of where the customer's Microsoft Entra tenant has been provisioned   |
+|**Customers whose tenants are provisioned in any other region**     |     The United States and/or a data center in the region that's nearest to the location of where the customer's Microsoft Entra tenant has been provisioned.   |
 
 Customer data collected by Defender for Cloud Apps is either stored in your tenant location, as described in the previous tables, or in the geographic location of another online service that Defender for Cloud Apps shares data with, as defined by the data storage rules of that online service.
 
@@ -71,4 +71,4 @@ Defender for Cloud Apps shares data, including customer data, among the followin
 
 ## Related content
 
-For more information, see the [Microsoft Service Trust portal](https://www.microsoft.com/en-us/trust-center/product-overview).
+For more information, see the [Microsoft compliance offerings](/compliance/regulatory/offering-nist-sp-800-171).