Commit c843efc

Merge pull request #4623 from MicrosoftDocs/main
[AutoPublish] main to live - 07/30 13:32 PDT | 07/31 02:02 IST
2 parents 42e2bc2 + 7240c5c commit c843efc

7 files changed

+47
-11
lines changed

ATPDocs/change-okta-password-privileged-user-accounts.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,11 @@ ms.reviewer: Himanch
1111

1212
This recommendation lists any Okta privileged accounts that use outdated passwords that were last set over 180 days ago.
1313

14+
## Prerequisites
15+
16+
To use this security assessment, you must first connect your Okta instance in the Microsoft Defender portal.
17+
For setup instructions, see [Connect your Okta instance](/defender-for-identity/okta-integration#connect-okta-to-defender-for-identity).
18+
1419
## Why is a privileged account with an old password a security risk?
1520

1621
Privileged accounts with old passwords create a significant security risk, as older credentials are more likely to be exposed through data breaches or other attack vectors. Enforcing regular password updates for privileged accounts reduces the likelihood of unauthorized access and strengthens overall security. Applying stringent password policies to accounts with elevated privileges protects sensitive resources and lowers the risk of exploitation.
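
Review bot: the Prerequisites block added at new lines 14–18 is repeated word for word in four other articles in this commit (high-number-of-okta-accounts-with-privileged-role-assigned.md, highly-privileged-okta-api-token.md, limit-number-okta-super-admin-accounts.md, remove-dormant-okta-privileged-accounts.md); a single include, for example `[!INCLUDE [okta-prerequisites](includes/okta-prerequisites.md)]` (path hypothetical), would keep the `/defender-for-identity/okta-integration#connect-okta-to-defender-for-identity` anchor maintained in one place. Two smaller points for the same hunk: line 16 calls this a "security assessment" while line 12 calls it a "recommendation", so pick one term, and it would help readers to say next to the new block whether the 180-day threshold in line 12 is fixed or configurable.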

ATPDocs/high-number-of-okta-accounts-with-privileged-role-assigned.md

Lines changed: 6 additions & 0 deletions
@@ -14,6 +14,12 @@ This article describes the security risks associated with having a high number o
1414
> [!NOTE]
1515
> This report lists Okta accounts with administrator roles - excluding Super Administrator, where the number of accounts assigned to these roles is greater than 25.
1616
17+
## Prerequisites
18+
19+
To use this security assessment, you must first connect your Okta instance in the Microsoft Defender portal.
20+
For setup instructions, see [Connect your Okta instance](/defender-for-identity/okta-integration#connect-okta-to-defender-for-identity).
21+
22+
1723
## Why is a high number of Okta accounts with privileged roles considered a security risk?
1824

1925
A high number of users with privileged roles increases the risk of misuse or unauthorized access to critical systems. By reducing the number of users assigned to roles such as Super Admin or Org Admin, organizations can better limit access to sensitive resources and reduce the attack surface. Maintaining a smaller, set of privileged accounts ensures more effective governance and minimizes potential security vulnerabilities.
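
Review bot: the unchanged rationale on the last context line still tells readers to reduce "roles such as Super Admin or Org Admin", but the note at line 15 says this report excludes Super Administrator, so the rationale contradicts the report's own scope; since Super Administrator has its own article (limit-number-okta-super-admin-accounts.md), reword this paragraph around the non-Super-Admin administrator roles that the 25-account threshold actually counts. Also fix the stray comma in "a smaller, set of privileged accounts", and drop one of the two blank lines added at 21–22 so the spacing before the heading matches the single blank line used in change-okta-password-privileged-user-accounts.md.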

ATPDocs/highly-privileged-okta-api-token.md

Lines changed: 6 additions & 0 deletions
@@ -11,6 +11,12 @@ ms.reviewer: Himanch
1111

1212
This article describes the security risks associated with highly privileged Okta API tokens and provides recommendations for mitigating these risks.
1313

14+
## Prerequisites
15+
16+
To use this security assessment, you must first connect your Okta instance in the Microsoft Defender portal.
17+
For setup instructions, see [Connect your Okta instance](/defender-for-identity/okta-integration#connect-okta-to-defender-for-identity).
18+
19+
1420
## Why is a highly privileged Okta API token a security risk?
1521

1622
Okta’s API tokens inherit the permissions of the user who creates them. If a user with sensitive permissions generates an API token, it carries those permissions. Any API token created by a Super Admin has the same level of access as the Super Admin account. This can expose sensitive data and functionality to unauthorized users. If the token is stolen, it can grant the attacker access equivalent to the original user.
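
Review bot: lines 18–19 add two blank lines before the "Why" heading where change-okta-password-privileged-user-accounts.md adds one; normalize to a single blank line. The Prerequisites text itself is identical to the one in the other four Okta articles in this commit, which is the kind of copy that drifts when the link target changes, so it is a candidate for a shared include rather than five inline copies.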

ATPDocs/limit-number-okta-super-admin-accounts.md

Lines changed: 6 additions & 0 deletions
@@ -11,6 +11,12 @@ ms.reviewer: Himanch
1111

1212
This report lists Okta accounts with Super Administrator role, where the number of users assigned to this role is greater than 5.
1313

14+
## Prerequisites
15+
16+
To use this security assessment, you must first connect your Okta instance in the Microsoft Defender portal.
17+
For setup instructions, see [Connect your Okta instance](/defender-for-identity/okta-integration#connect-okta-to-defender-for-identity).
18+
19+
1420
## Why is having too many Super Admin accounts a security risk?
1521

1622
A high number of users with privileged roles increases the risk of misuse or unauthorized access to critical systems. By reducing the number of users assigned to roles such as Super Admin or Org Admin, organizations can better limit access to sensitive resources and reduce the attack surface. Maintaining a smaller, set of privileged accounts ensures more effective governance and minimizes potential security vulnerabilities.
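
Review bot: the unchanged rationale paragraph is a verbatim copy of the one in high-number-of-okta-accounts-with-privileged-role-assigned.md and speaks generically about "roles such as Super Admin or Org Admin", while line 12 scopes this report specifically to the Super Administrator role with a threshold of more than 5; tailor the paragraph to Super Administrator (why that role in particular warrants a cap of 5) and fix "a smaller, set of". As in the other articles, lines 18–19 add a double blank line where one is used elsewhere.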

ATPDocs/remove-dormant-okta-privileged-accounts.md

Lines changed: 6 additions & 0 deletions
@@ -11,6 +11,12 @@ ms.reviewer: Himanch
1111

1212
This article describes the security risks associated with dormant Okta privileged accounts and provides recommendations for mitigating these risks.
1313

14+
## Prerequisites
15+
16+
To use this security assessment, you must first connect your Okta instance in the Microsoft Defender portal.
17+
For setup instructions, see [Connect your Okta instance](/defender-for-identity/okta-integration#connect-okta-to-defender-for-identity).
18+
19+
1420
## Why is a dormant privileged account a security risk?
1521

1622
Dormant privileged accounts represent a significant security risk, as they can become targets for unauthorized access or misuse without detection. Deactivating or removing unused privileged accounts ensures that only active, monitored users have access to critical administrative capabilities.
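
Review bot: in the lines shown, the article explains why dormant privileged accounts are risky but never says what period of inactivity makes an account "dormant" for this assessment, whereas change-okta-password-privileged-user-accounts.md states its 180-day threshold at line 12; add the threshold next to the new Prerequisites block so readers can predict which accounts will be listed. Lines 18–19 add a double blank line; use one.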

CloudAppSecurityDocs/discovered-apps.md

Lines changed: 17 additions & 11 deletions
@@ -23,7 +23,7 @@ This procedure describes how to get an initial, general picture of your cloud di
2323

2424
For example:
2525

26-
:::image type="content" source="media/cloud-discovery-dashboard.png" alt-text="Screenshot of the Cloud discovery dashboard":::
26+
:::image type="content" source="media/cloud-discovery-dashboard.png" alt-text="Screenshot of the Cloud discovery dashboard" lightbox="media/cloud-discovery-dashboard.png":::
2727

2828
Supported apps include Windows and macOS apps, which are both listed under the **Defender - managed endpoints** stream.
2929

@@ -57,7 +57,8 @@ For example, if you want to identify commonly used, risky cloud storage and coll
5757

5858
1. Set the **Security risk factor** for **Data at rest encryption** equals **Not supported**. Then set **Risk score** equals 6 or lower.
5959

60-
![Screenshot of sample discovered app filters.](media/discovered-app-filters.png)
60+
61+
:::image type="content" source="media/discovered-app-filters.png" alt-text="Screenshot of discovered app filters." lightbox="media/discovered-app-filters.png":::
6162

6263
After the results are filtered, [unsanction and block](governance-discovery.md) them by using the bulk action checkbox to unsanction them all in one action. Once they're unsanctioned, use a blocking script to block them from being used in your environment.
6364

@@ -83,11 +84,13 @@ For example, if a large amount of data is uploaded, discover what resource it's
8384

8485
1. In the Microsoft Defender portal, under **Cloud Apps**, select **Cloud discovery**. Then choose the **Discovered resources** tab.
8586

86-
![Screenshot of the discovered resources menu.](media/discovered-resources-menu.png)
87+
:::image type="content" source="media/discovered-resources-menu.png" alt-text="Screenshot that shows the discovered resources menu." lightbox="media/discovered-resources-menu.png":::
8788

8889
1. In the **Discovered resources** page, drill down into each resource to see what kinds of transactions occurred, who accessed it, and then drill down to investigate the users even further.
8990

90-
![Screenshot of the Discovered resources tab.](media/discovery-resources.png)
91+
92+
:::image type="content" source="media/discovery-resources.png" alt-text="Screenshot that shows a list of discovered resources.":::
93+
9194

9295
1. For custom apps, select the options menu at the end of the row and then select **Add new custom app**. This opens the **Add this app** dialog, where you can name and identify the app so it can be included in the cloud discovery dashboard.
9396
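
Review bot: discovery-resources.png at new line 92 is the only screenshot in this hunk converted without a `lightbox` attribute, while discovered-resources-menu.png at line 87 gets one; add `lightbox="media/discovery-resources.png"` for consistency, as both show dense tables readers will want to enlarge. The blank lines added at 91 and 93 also produce a double blank line on each side of the image (old lines 89 and 91 are already blank); one on each side is enough.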

@@ -104,7 +107,7 @@ The best way to get an overview of Shadow IT use across your organization is by
104107
1. Optionally, change the report name, and then select **Generate**.
105108

106109
> [!NOTE]
107-
> The executive summary report is revamped to a 6-pager report with a goal to provide a clear, concise & actionable overview while preserving the depth and integrity of the original analysis.
110+
> The executive summary report is revamped to a six-pager report with a goal to provide a clear, concise & actionable overview while preserving the depth and integrity of the original analysis.
108111
109112
## Exclude entities
110113
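
Review bot: the note at new line 110 still reads as a release announcement ("is revamped to a six-pager report with a goal to provide a clear, concise & actionable overview while preserving the depth and integrity of the original analysis"); since this is reference documentation, state the current behavior instead, for example "The executive summary report is six pages long and summarizes the findings of the full analysis", and spell out "&" as "and".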

@@ -118,10 +121,12 @@ If you have system users, IP addresses, or devices that are noisy but uninterest
118121

119122
1. Add a user alias, IP address, or device name. We recommend adding information about why the exclusion was made.
120123

121-
![Screenshot of excluding a user.](media/exclude-user.png "exclude user")
124+
:::image type="content" source="media/exclude-user.png" alt-text="Screenshot that shows the option to exclude users from the Cloud Discovery report." lightbox="media/exclude-user.png":::
125+
122126

123127
>[!NOTE]
124-
>All entity exclusions apply to newly received data only. Historical data of the excluded entities remains through the retention period (90 days).
128+
> - All entity exclusions apply to newly received data only. Historical data of the excluded entities remains through the retention period (90 days).
129+
> - Entity exclusion is only supported for the Global report stream. Entities from Microsoft Defender for Endpoint and the Cloud App Security proxy stream aren't supported for exclusion.
125130
126131
## Manage continuous reports
127132
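
Review bot: the new bullet at line 129 uses the retired product name in "Cloud App Security proxy stream" while the rest of this page uses the Defender for Cloud Apps naming; label the stream the way the portal does. It would also help to say what happens when a user adds an exclusion for an entity that only appears in the Defender for Endpoint or proxy stream, whether the entry is rejected at entry time or accepted and ignored, because an exclusion that looks to be in place but has no effect is the kind of gap a reviewer of the report will not notice.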

@@ -141,10 +146,11 @@ Custom continuous reports provide you with more granularity when monitoring your
141146

142147
1. Set the filters you want on the data. These filters can be **User groups**, **IP address tags**, or **IP address ranges**. For more information on working with IP address tags and IP address ranges, see [Organize the data according to your needs](ip-tags.md).
143148

144-
![Screenshot of creating a custom continuous report.](media/create-custom-continuous-report.png)
149+
150+
:::image type="content" source="media/create-custom-continuous-report.png" alt-text="Screenshot that shows how to create a continuous report.":::
145151

146152
> [!NOTE]
147-
> All custom reports are limited to a maximum of 1 GB of uncompressed data. If there is more than 1 GB of data, the first 1 GB of data will be exported into the report.
153+
> All custom reports are limited to a maximum of 1 GB of uncompressed data. If there's more than 1 GB of data, the first 1 GB of data will be exported into the report.
148154
149155
## Deleting cloud discovery data
150156
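
Review bot: create-custom-continuous-report.png at new line 150 is converted without a `lightbox` attribute while the other screenshots in this file get one; add it. In the note at line 153, "the first 1 GB of data" is ambiguous about ordering (oldest or newest?), and the reader needs to know which end of the data a truncated report drops; say so explicitly.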

@@ -166,10 +172,10 @@ We recommend deleting cloud discovery data in the following cases:
166172

167173
1. Select the **Delete** button.
168174

169-
![Screenshot of deleting cloud discovery data.](media/delete-data.png "delete data")
175+
:::image type="content" source="media/delete-data.png" alt-text="Screenshot of deleting cloud discovery data." lightbox="media/delete-data.png":::
170176

171177
> [!NOTE]
172-
> The deletion process takes a few minutes and is not immediate.
178+
> The deletion process takes a few minutes and isn't immediate.
173179
174180
## Next steps
175181

CloudAppSecurityDocs/user-groups.md

Lines changed: 1 addition & 0 deletions
@@ -51,6 +51,7 @@ After the import is complete, select your group from the **User groups** page to
5151
> - There may be a short delay until imported user groups are available in filters.
5252
> - Only activities performed after importing a user group will be tagged as having been performed by a member of the user group.
5353
> - After the initial sync, groups are usually updated every hour. However, due to various factors there could be times where this might take several hours.
54+
> - Usernames must contain only standard alphanumeric characters (a–z, A–Z, 0–9). Usernames with special characters such as ~ or # aren't supported.
5455
5556
For more information on using the User group filters, see [Activities](activity-filters.md).
5657
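
Review bot: the new bullet at line 54 says usernames must contain only a–z, A–Z and 0–9, which, read literally, also forbids "@", ".", "-" and "_", the characters any email-style username contains; if those are accepted, say so and list only the characters that are actually rejected (the text gives "~" and "#" as examples), so that the rule does not appear to exclude the page's own normal inputs.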
