Update ATPDocs/unmonitored-active-directory-federation-services-servers.md

DeCohen · ElazarK · web-flow · commit c74fad418014 · 2025-07-07T17:11:46.000+03:00
Co-authored-by: Elazar Krieger &lt;58463413+ElazarK@users.noreply.github.com&gt;
diff --git a/ATPDocs/unmonitored-active-directory-federation-services-servers.md b/ATPDocs/unmonitored-active-directory-federation-services-servers.md
@@ -15,7 +15,7 @@ This article describes the Microsoft Defender for Identity's unmonitored Active
 
 ## What risk do unmonitored ADFS servers pose to an organization?
 
-Unmonitored Active Directory Federation Services (ADFS) servers pose a significant security risk to organizations. As the gateway for federated authentication and single sign-on, ADFS controls access to both cloud and on-premises resources. If an ADFS server is compromised, attackers can issue forged tokens and impersonate any user, including privileged accounts. Such attacks may bypass multi-factor authentication (MFA), conditional access, and other downstream security controls, making them particularly dangerous. Without proper monitoring, suspicious activity on ADFS servers can go undetected for extended periods. Deploying Microsoft Defender for Identity version 2.0 sensors on ADFS servers is essential, as it enables real-time detection of suspicious behavior and helps prevent token forgery, abuse of trust relationships, and stealthy lateral movement within the environment.
+Unmonitored Active Directory Federation Services (ADFS) servers are a significant security risk to organizations. ADFS controls access to both cloud and on-premises resources as the gateway for federated authentication and single sign-on. If attackers compromise an ADFS server, they can issue forged tokens and impersonate any user, including privileged accounts. Such attacks might bypass multi-factor authentication (MFA), conditional access, and other downstream security controls, making them particularly dangerous. Without proper monitoring, suspicious activity on ADFS servers might go undetected for extended periods. Deploying Microsoft Defender for Identity version 2.0 sensors on ADFS servers is essential. These sensors enable real-time detection of suspicious behavior and help prevent token forgery, abuse of trust relationships, and stealthy lateral movement within the environment.
 
 > [!NOTE]
 >  This security assessment is only available if Microsoft Defender for Endpoint detected an eligible ADFS server in the environment.
