Merge pull request #5627 from MicrosoftDocs/main

[AutoPublish] main to live - 11/17 10:37 PST | 11/18 00:07 IST

Author: m365-skilling-repo-management[bot]

defender-for-cloud-apps/ai-agent-inventory.md

@@ -43,34 +43,19 @@ When Copilot Studio AI Agents are connected, a green indicator appears in the **
 
 ## Identify misconfigured or risky AI agents using advanced hunting
 
-After you give Microsoft Defender access to your custom agents, you can use advanced hunting to help identify misconfigured or risky agents and minimize organizational exposure to potential threats.
+After you give Microsoft Defender access to your custom agents, you can use advanced hunting to help identify misconfigured or risky agents and minimize organizational exposure to potential threats. 
+
+See [Proactively hunt for threats with advanced hunting in Microsoft Defender](/defender-xdr/advanced-hunting-overview) to learn how to use queries to proactively hunt for threats.
+
 We recommend that you reach out to the owners of the risky agents for more information, and that you consider quarantining or deleting risky agents.
 
 1. Sign in to the Defender portal, and go **Investigation & response** -> **Hunting** -> **Advanced hunting**.
 1. In the **Apps & identities** section, the [AIAgentsInfo table](/defender-xdr/advanced-hunting-aiagentsinfo-table) contains data for all your custom AI agents created using Copilot Studio. You can use this data to create custom queries.
+1. You can use the collection of community queries to identify misconfigured or risky agents.
+    1. **Sign in to the [Microsoft Defender portal](https://security.microsoft.com)**.
+    1. Go to **Investigation & response** -> **Hunting** -> **Advanced hunting**.
+    1. In the **Queries** tab, select **Community queries**. The **AI Agents** folder contains queries related to AI agents. For more information, see [Sample queries](/defender-xdr/advanced-hunting-aiagentsinfo-table).
 
-### Sample queries
-
-Run this query to get a list of all the agents in your tenant:
-
-```kusto
-    AIAgentsInfo 
-    | summarize arg_max(Timestamp, *) by AIAgentId
-```
-
-Run this query to identify all published agents that are configured with an incorrect authentication mechanism: 
-
-```kusto
-    AIAgentsInfo
-    | summarize arg_max(Timestamp, *) by AIAgentId 
-    | where AgentStatus != "Deleted"  
-    | where AgentStatus == "Published" 
-    | where UserAuthenticationType == "None" or AuthenticationTrigger == "As Needed"  
-    | project-reorder AgentCreationTime ,AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns
-```
-
- 
-See [Proactively hunt for threats with advanced hunting in Microsoft Defender](/defender-xdr/advanced-hunting-overview) to learn how to use queries to proactively hunt for threats.
 
  ## Related articles
 

defender-for-cloud-apps/real-time-agent-protection-during-runtime.md

@@ -22,26 +22,21 @@ If Microsoft Defender determines that a prompt is suspicious:
 ## Enable real-time protection for Microsoft Copilot Studio agents during runtime
 
 > [!NOTE]
-> - The onboarding process for real-time protection during agent runtime requires configuration in Power Platform and collaboration with other administrators.
-> - If the Microsoft 365 connector isn’t properly connected, real-time agent protection during runtime continues to block suspicious activity on the AI agent, but alerts and incidents related to these actions won't appear in the Microsoft Defender portal.
+> The onboarding process for real-time protection during agent runtime requires configuration in Power Platform and collaboration with other administrators.
 
 1. Sign in to the **[Microsoft Defender portal](https://security.microsoft.com)**:
 1. Navigate to **System > Settings > Cloud Apps > Copilot Studio AI Agents**.
-1. Check the Microsoft 365 App Connector status:
-   - **If the connector is already connected:** Continue to step 5.
-   - **If the connector isn’t connected:**
-      - Under **Microsoft 365 connector**, select **Connect** or **Edit**.
-      - Select **Microsoft Entra ID Management events** and **Microsoft 365 activities**. 
-      - Select **Connect Microsoft 365**.
-1. Work together with a Power Platform administrator to and Enter the App ID provided by your Power Platform administrator and select **Save**.
-      
-    :::image type="content" source="media/protect-ai-agents/turn-on-real-time-agent-protection.png" alt-text="Screenshot that shows how to turn on Real time agent protection during runtime in the Defender portal." lightbox="media/protect-ai-agents/turn-on-real-time-agent-protection.png":::
-
+1. Check the Microsoft 365 App Connector status. If the Microsoft 365 connector is not connected, [Enable the Microsoft 365 app connector](protect-office-365.md#connect-microsoft-365-to-microsoft-defender-for-cloud-apps).
+    > [!NOTE]
+    > If the Microsoft 365 connector isn’t connected, real-time agent protection during runtime continues to block suspicious activity on the AI agent, but alerts and incidents related to these actions won't appear in the Microsoft Defender portal. 
 1. Work together with a Power Platform administrator to complete these onboarding steps: [Enable external threat detection and protection for Copilot Studio custom agents](/microsoft-copilot-studio/external-security-provider#step-2-configure-the-threat-detection-system).
-    - The Power Platform administrator must use the same App ID as the App ID used in [Microsoft Entra ID application](/microsoft-copilot-studio/external-security-provider#step-1-configure-microsoft-entra-application).
-    - Share the URL provided in the Defender portal with the Power Platform administrator to help them complete the onboarding steps.
+    - Share the URL provided in the Defender portal with the Power Platform administrator to help them complete their onboarding steps.
+    - Make sure that the Power Platform administrator uses the same App ID as the App ID used in [Microsoft Entra ID application](/microsoft-copilot-studio/external-security-provider#step-1-configure-microsoft-entra-application).
+    - Get the AppID from the Power Platform administrator, and enter it in the **App ID** field in the Defender portal, then select **Save**.
+
+        :::image type="content" source="media/protect-ai-agents/turn-on-real-time-agent-protection.png" alt-text="Screenshot that shows how to turn on Real time agent protection during runtime in the Defender portal." lightbox="media/protect-ai-agents/turn-on-real-time-agent-protection.png":::
 
-    Once the Power Platform administrator completes the onboarding steps, a green **Connected** status appears in the **Microsoft 365 connector** section.
+    Once the Power Platform administrator completes the onboarding steps, a green **Connected** status appears in the **Microsoft 365 connector** section in the Defender portal.
 
 ## Related articles
 

defender-for-identity/deploy/configure-windows-event-collection.md

@@ -8,15 +8,30 @@ ms.reviewer: rlitinsky
 
 # Configure audit policies for Windows event logs
 
-To enhance detections and gather more information on user actions like NTLM logons and security group changes, Microsoft Defender for Identity relies on specific entries in Windows event logs. Proper configuration of Advanced Audit Policy settings on your domain controllers is crucial to avoid gaps in the event logs and incomplete Defender for Identity coverage.
+Defender for Identity detections rely on specific Windows event log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications. 
+This article describes how to optimally configure the Advanced Audit Policy settings on your domain controllers to avoid gaps in the event logs and incomplete Defender for Identity coverage.
 
-This article describes how to configure your Advanced Audit Policy settings as needed for a Defender for Identity sensor. It also describes other configurations for specific event types.
+## Configure Windows event auditing with the Defender for Identity sensor v3.x
 
+Defender for Identity sensor v3.x can automatically configure Windows event auditing on your domain controllers, applying the required Windows event auditing settings to new sensors, and fixing misconfigurations on existing ones.
+
+To turn on automatic windows auditing:
+1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings**, and then **Identities**. 
+1. In the **General** section, select **Advanced features**.
+1. Turn on **Automatic Windows auditing configuration**.​
+ 
+If you do not select automatic Windows event auditing, you must manually configure Windows event collection on your domain controller.
+
+## Configure Windows event auditing with the Defender for Identity sensor v2.x
+
+Configure Windows event auditing on your domain controllers to support Defender for Identity detections. 
 Defender for Identity generates health issues for each of these scenarios if they're detected. For more information, see [Microsoft Defender for Identity health issues](../health-alerts.md).
 
 ## Prerequisites
 
-- Before you run Defender for Identity PowerShell commands, make sure that you downloaded the [Defender for Identity PowerShell module](https://www.powershellgallery.com/packages/DefenderForIdentity/).
+- Before you run Defender for Identity PowerShell commands, make sure that you download the [Defender for Identity PowerShell module](https://www.powershellgallery.com/packages/DefenderForIdentity/).
+> [!NOTE]
+> The Active Directory PowerShell module is required when configuring Defender for Identity on domain controllers. It isn’t required on ADCS servers running the Certification Authority Role Service.
 
 ## Generate a report of current configurations via PowerShell
 
@@ -47,7 +62,7 @@ For more information, see the [DefenderforIdentity PowerShell reference](/powers
 > [!TIP]
 > The `Domain` mode report includes only configurations set as group policies on the domain. If you have settings defined locally on your domain controllers, we recommend that you also run the [Test-MdiReadiness.ps1](https://github.com/microsoft/Microsoft-Defender-for-Identity/tree/main/Test-MdiReadiness) script.
 
-## Configure auditing for domain controllers
+## Configure Windows event auditing for domain controllers
 
 Update your Advanced Audit Policy settings and extra configurations for specific events and event types, such as users, groups, computers, and more. Audit configurations for domain controllers include:
 
@@ -120,6 +135,12 @@ The following actions describe how to modify your domain controller's Advanced A
 
 **Related health issue:** [Directory Services Advanced Auditing isn't enabled as required](../health-alerts.md)
 
+The following command defines all settings for the domain, creates group policy objects, and links them.
+
+```powershell
+Set-MDIConfiguration -Mode Domain -Configuration All
+```
+
 To configure your settings, run:
 
 ```powershell

defender-for-identity/deploy/prerequisites-sensor-version-2.md

@@ -106,24 +106,11 @@ The following table describes memory requirements on the server used for the Def
 > [!IMPORTANT]
 > When running as a virtual machine, all memory must be allocated to the virtual machine at all times.
 
-## Configure Windows auditing
+## Configure Windows event auditing
 
-Defender for Identity detections rely on specific Windows Event Log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications.
+Defender for Identity detections rely on specific Windows event log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications.
 
-Configure Windows event collection on your domain controller to support Defender for Identity detections. For more information, see [Event collection with Microsoft Defender for Identity](event-collection-overview.md) and [Configure audit policies for Windows event logs](configure-windows-event-collection.md).
-
-You might want to use the Defender for Identity PowerShell module to configure the required settings. For example, the following command defines all settings for the domain, creates group policy objects, and links them.
-
-```powershell
-Set-MDIConfiguration -Mode Domain -Configuration All
-```
-> [!NOTE]
-> The Active Directory PowerShell module is required only when configuring Defender for Identity on domain controllers. It isn’t required on ADCS servers running the Certification Authority Role Service.
-
-For more information, see:
-- [DefenderForIdentity Module](/powershell/module/defenderforidentity/)
-- [Defender for Identity in the PowerShell Gallery](https://www.powershellgallery.com/packages/DefenderForIdentity/)
- 
+[Configure Windows event auditing](configure-windows-event-collection.md) on your domain controller to support Defender for Identity detections in the Defender portal or using PowerShell.
 
 ## Test your prerequisites
 

defender-for-identity/deploy/prerequisites-sensor-version-3.md

@@ -97,22 +97,13 @@ Applying the **Unified Sensor RPC Audit** tag enables a new, tested capability o
 
 Learn more about Asset Management Rule [here](/defender-xdr/configure-asset-rules).
 
-## Configure Windows auditing
+## Configure Windows event auditing
 
-Defender for Identity detections rely on specific Windows Event Log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications.
+Defender for Identity detections rely on specific Windows event log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications.
 
-Configure Windows event collection on your domain controller to support Defender for Identity detections. For more information, see [Event collection with Microsoft Defender for Identity](event-collection-overview.md) and [Configure audit policies for Windows event logs](configure-windows-event-collection.md).
-
-You might want to use the Defender for Identity PowerShell module to configure the required settings. For example, the following command defines all settings for the domain, creates group policy objects, and links them.
-
-```powershell
-Set-MDIConfiguration -Mode Domain -Configuration All
-```
-For more information, see:
-- [DefenderForIdentity Module](/powershell/module/defenderforidentity/)
-- [Defender for Identity in the PowerShell Gallery](https://www.powershellgallery.com/packages/DefenderForIdentity/)
+The Defender for Identity sensor v3.x can automatically configure Windows event auditing on your domain controllers, applying the required Windows event auditing settings to new sensors, and fixing misconfigurations on existing ones. See [Configure auditing with the Defender for Identity sensor v3.x](configure-windows-event-collection.md#configure-windows-event-auditing-with-the-defender-for-identity-sensor-v3x).
+If you do not select automatic Windows auditing configuration, you must [manually configure Windows event auditing](configure-windows-event-collection.md) in the Defender portal or using PowerShell. 
 
-
 ## Test your prerequisites
 
 We recommend running the [*Test-MdiReadiness.ps1*](https://github.com/microsoft/Microsoft-Defender-for-Identity/tree/main/Test-MdiReadiness) script to test and see if your environment has the necessary prerequisites.

defender-for-identity/nnr-policy.md

@@ -6,14 +6,17 @@ ms.topic: article
 ms.reviewer: rlitinsky
 ---
 
-# Network Name Resolution in Microsoft Defender for Identity
+# Network Name Resolution (NNR) in Microsoft Defender for Identity
 
 Network Name Resolution (NNR) is a main component of  Microsoft Defender for Identity functionality. Defender for Identity captures activities based on network traffic, Windows events, and ETW - these activities normally contain IP data.
 
 Using NNR, Defender for Identity can correlate between raw activities (containing IP addresses), and the relevant computers involved in each activity. Based on the raw activities, Defender for Identity profiles entities, including computers, and generates security alerts for suspicious activities.
 
-> [!NOTE]
-> For optimal NNR, the Defender for Identity sensor version 3.x requires a Defender for Endpoint deployment.
+## NNR with the Defender for Identity sensor v3.x
+
+The Defender for Identity sensor v3.x automatically performs Name Resolution using the Defender device inventory and events collected by the sensor​, without the need to open additional ports in your environment.​
+
+## NNR with the Defender for Identity sensor v2.x
 
 To resolve IP addresses to computer names, Defender for Identity sensors look up the IP addresses using the following methods:
 

defender-for-identity/whats-new.md

@@ -1,7 +1,7 @@
 ---
 title: What's new | Microsoft Defender for Identity
 description: This article is updated frequently to let you know what's new in the latest release of Microsoft Defender for Identity.
-ms.date: 11/12/2025
+ms.date: 11/16/2025
 ms.topic: overview
 #CustomerIntent: As a Defender for Identity customer, I want to know what's new in the latest release of Defender for Identity, so that I can take advantage of new features and functionality. 
 ms.reviewer: AbbyMSFT
@@ -44,7 +44,7 @@ For more information, see: [Link or Unlink an Account to an Identity (Preview)](
 You can now perform remediation actions such as disabling accounts or resetting passwords on one or more accounts linked to an identity. For more information, see: [Remediation actions](remediation-actions.md#roles-and-permissions).
 Defender for Identity now offers an opt-in automatic event-auditing configuration for unified sensors (V3.x). This feature streamlines deployment by automatically applying required Windows auditing settings to new sensors and fixing misconfigurations on existing ones. Admins can enable the option in the Defender for Identity Settings -> Advanced Features or via Graph API. The capability and its related health alerts will roll out globally beginning mid-November 2025.
 
-**Related Health alerts:**
+Releated Health alerts:
 - NTLM Auditing is not enabled 
 - Directory Services Advanced Auditing is not enabled as required 
 - Directory Services Object Auditing is not enabled as required 
@@ -68,8 +68,8 @@ For more information, see [Configure scoped access for Microsoft Defender for Id
 
 ## October 2025
 
-We’re excited to announce that the Microsoft Defender for Identity Unified Sensor (v3.x) is now generally available (GA). 
-The [unified sensor](/defender-for-identity/deploy/activate-sensor) provides enhanced coverage, improved performance across your environment and offering easier deployment and management for domain controllers.
+We’re excited to announce that the Microsoft Defender for Identity Sensor (v3.x) is now generally available (GA). 
+[Version 3.x of the sensor](/defender-for-identity/deploy/activate-sensor) provides enhanced coverage, improved performance across your environment and offering easier deployment and management for domain controllers.
 
 ### Microsoft Defender for Identity sensor version updates