Merge branch 'main' into diannegali-freshnessmay

Author: denisebmsft

.acrolinx-config.edn

@@ -51,10 +51,10 @@ Select the total score link to review all feedback on clarity, consistency, tone
  "
 **More information about Acrolinx**
  
-- [Install Acrolinx locally for VSCode for Magic](https://review.docs.microsoft.com/office-authoring-guide/acrolinx-vscode?branch=main)
+- [Install Acrolinx locally for VSCode for Magic](https://review.learn.microsoft.com/office-authoring-guide/acrolinx-vscode?branch=main)
 - [False positives or issues](https://aka.ms/acrolinxbug)
 - [Request a new Acrolinx term](https://microsoft.sharepoint.com/teams/M365Dev2/SitePages/M365-terminology.aspx)
-- [Troubleshooting issues with Acrolinx](https://review.docs.microsoft.com/help/contribute/acrolinx-error-messages)
+- [Troubleshooting issues with Acrolinx](https://review.learn.microsoft.com/help/platform/acrolinx-troubleshoot?branch)
 
 "
 }

ATPDocs/deploy/remote-calls-sam.md

@@ -7,6 +7,10 @@ ms.topic: how-to
 
 # Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity
 
+> [!IMPORTANT]
+> Remote collection of local administrators' group members on endpoints (using SAM-R queries) feature in Microsoft Defender for Identity will be disabled by mid-May 2025. This change will happen automatically by the specified dates. No admin action is required. 
+> 
+
 Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.
 
 > [!NOTE]

ATPDocs/whats-new.md

@@ -22,6 +22,15 @@ For more information, see also:
 
 For updates about versions and features released six months ago or earlier, see the [What's new archive for Microsoft Defender for Identity](whats-new-archive.md).
 
+## May 2025
+
+### Local administrators collection (using SAM-R queries) feature will be disabled
+Remote collection of local administrators' group members on endpoints (using SAM-R queries) feature in Microsoft Defender for Identity will be disabled by mid-May 2025. The details collected are used to build the potential lateral movement paths map. Alternative methods are currently being explored. This change will happen automatically by the specified dates. No admin action is required. 
+
+### New Health Issue
+
+New [health issue](health-alerts.md#network-configuration-mismatch-for-sensors-running-on-vmware) for cases where sensors running on VMware have network configuration mismatch.
+
 ## April 2025
 
 ### Privileged Identity Tag Now Visible in Defender for Identity Inventory
@@ -47,7 +56,6 @@ For more information, see: [Integrations Defender for Identity and PAM services.
 
 ### New Service Account Discovery page
 
-
 Microsoft Defender for Identity now includes a Service Account Discovery capability, offering you  centralized visibility into service accounts across your Active Directory environment.
 
 This update provides:
@@ -60,11 +68,6 @@ This update provides:
 
 For more information, see: [Investigate and protect Service Accounts | Microsoft Defender for Identity](service-account-discovery.md).
 
-
-### New Health Issue
-
-New [health issue](health-alerts.md#network-configuration-mismatch-for-sensors-running-on-vmware) for cases where sensors running on VMware have network configuration mismatch.
-
 ### Enhanced Identity Inventory
 
 The Identities page under *Assets* has been updated to provide better visibility and management of identities across your environment.  

CloudAppSecurityDocs/activity-filters-queries.md

@@ -170,8 +170,21 @@ You can export all activities from the past six months by clicking the Export bu
 
 ![Click the export icon to export records.](media/activity-filters-queries/export-button-of-activity-logs.png)
 
-When exporting data:
+> [!NOTE]
+> **Required Permissions for Exporting Capabilities:** To utilize the exporting features, users must be assigned one of the following roles:
+> - **Built-in admin roles in Defender for Cloud Apps-** These roles must be granted via [Microsoft Defender for Cloud Apps Permissions and roles settings](/defender-cloud-apps/manage-admins):
+>   - Global Admin
+>   - Cloud Discovery Global Admin
+>   - Security Operator
+>   - Compliance Admin
+>   - Security Reader
+> - **Microsoft Entra ID Roles-** These roles must be assigned through [Microsoft Entra ID built-in roles](/entra/identity/role-based-access-control/permissions-reference):
+>   - Global Administrator
+>   - Security Administrator
+>   - Cloud App Security Administrator
+>   - Global Reader
 
+When exporting data:
 - You can choose a date range of up to six months.
 - You can choose to exclude private activities.  
 - The exported file is limited to 100,000 records and is delivered in CSV format.

CloudAppSecurityDocs/anomaly-detection-policy.md

@@ -64,14 +64,14 @@ Use this detection to control file uploads and downloads in real time with sessi
 
 By enabling file sandboxing, files that according to their metadata and based on proprietary heuristics to be potentially risky, will also be sandbox scanned in a safe environment. The Sandbox scan may detect files that were not detected based on threat intelligence sources.
 
-Defender for Cloud Apps supports malware detection for the following apps:
+Defender for Cloud Apps supports "File Sandboxing" malware detection for the following apps:
 
 * Box
 * Dropbox
 * Google Workspace
 
 > [!NOTE]
->* Proactively sandboxing will be done in third party applications (*Box*, *Dropbox* etc.). In *OneDrive* and *SharePoint* files are being scanned and sandboxed as part of the service itself.
+>* Proactively sandboxing will be done in third party applications (*Box*, *Dropbox* etc.). **In *OneDrive* and *SharePoint* files are being scanned and sandboxed as part of the service itself**.
 > * In *Box*, *Dropbox*, and *Google Workspace*, Defender for Cloud Apps doesn't automatically block the file, but blocking may be performed according to the app's capabilities and the app's configuration set by the customer.
 > * If you're unsure about whether a detected file is truly malware or a false positive, go to the Microsoft Security Intelligence page at [https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission) and submit the file for further analysis.
 

CloudAppSecurityDocs/cloud-discovery-policies.md

@@ -44,8 +44,8 @@ Discovery policies enable you to set alerts that notify you when new apps are de
 
 > [!NOTE]
 >
-> - Newly created discovery policies (or policies with updated continuous reports) trigger an alert once in 90 days per app per continuous report, regardless of whether there are existing alerts for the same app. So, for example, if you create a policy for discovering new popular apps, it may trigger additional alerts for apps that have already been discovered and alerted on.
-> - Data from **snapshot reports** do not trigger alerts in app discovery policies.
+> - Newly created discovery policies (or policies with updated continuous reports) trigger an alert once in 90 days per app per continuous report, regardless of whether there are existing alerts for the same app. So, for example, if you create a policy for discovering new popular apps, it might trigger additional alerts for apps that have already been discovered and alerted on.
+> - Data from **snapshot reports** don't trigger alerts in app discovery policies.
 
 For example, if you're interested in discovering risky hosting apps found in your cloud environment, set your policy as follows:
 
@@ -73,6 +73,11 @@ Defender for Cloud Apps searches all the logs in your cloud discovery for anomal
 
 1. Under **Apply to** choose whether this policy applies **All continuous reports** or **Specific continuous reports**. Select whether the policy applies to **Users**, **IP addresses**, or both.
 
+    :::image type="content" source="media/apply-to-continous-reports.png" alt-text="Screenshot showing how to apply file polcies to specific continous reports" lightbox="media/apply-to-continous-reports.png":::
+
+    > [!IMPORTANT]
+    > When you configure an app discovery policy and select **Apply to > All continuous reports**, multiple alerts are generated for each discovery stream, including the global stream which aggregates data from all sources. To control alert volume, select **Apply to > Specific continuous reports** and choose only the relevant streams for your policy.
+    > Learn more: [Defender for Cloud apps continuous risk assessment reports](set-up-cloud-discovery.md#snapshot-and-continuous-risk-assessment-reports)
 1. Select the dates during which the anomalous activity occurred to trigger the alert under **Raise alerts only for suspicious activities occurring after date.**
 
 1. Set a **Daily alert limit** under **Alerts**. Select if the alert is sent as an email. Then provide email addresses as needed.

CloudAppSecurityDocs/in-browser-protection.md

@@ -27,7 +27,7 @@ To use in-browser protection, users must also have the following environmental r
 |**Operating systems**|Windows 10 or 11, macOS|
 |**Identity platform**|Microsoft Entra ID|
 |**Microsoft Edge for Business versions**|The last two stable versions. For example, if the newest Microsoft Edge is 126, in-browser protection works for v126 and v125. <br> For more information, see [Microsoft Edge releases](/deployedge/microsoft-edge-release-schedule#microsoft-edge-releases).|
-|**Supported session policies**|<ul><li>Block\Monitor of file download (all files\sensitive files)</li><li>Block\Monitor file upload (all files\sensitive files)</li><li>Block\Monitor copy\cut\paste</li><li>Block\Monitor print</li><li>Block\Monitor malware upload</li><li>Block\Monitor malware download</li></ul> <br> Users that are served by multiple policies, including at least one policy that's *not* supported by Microsoft Edge for Business, their sessions are always served by the reverse proxy. <br><br> Policies defined in the Microsoft Entra ID portal are also always served by reverse proxy.|
+|**Supported session policies**|<ul><li>Block\Monitor of file download (all files\\*sensitive files)</li><li>Block\Monitor file upload (all files\\*sensitive files)</li><li>Block\Monitor copy\cut\paste</li><li>Block\Monitor print</li><li>Block\Monitor malware upload</li><li>Block\Monitor malware download</li></ul> <br> Users that are served by multiple policies, including at least one policy that's *not* supported by Microsoft Edge for Business, their sessions are always served by the reverse proxy. <br><br> Policies defined in the Microsoft Entra ID portal are also always served by reverse proxy.<br> *Sensitive files identified by built-in DLP scanning are not supported for Edge in-browser protection|
 
 All other scenarios are served automatically with the standard reverse proxy technology, including user sessions from browsers that don't support in-browser protection, or for policies not supported by in-browser protection.
 
@@ -105,7 +105,7 @@ Administrators who understand the power of Microsoft Edge browser protection can
 
 4. When you're finished on the **Edge for Business protection** page, select **Save**.
 
-:::image type="content" source="media/in-browser-protection/edge-for-business-protection-settings.png" alt-text="Screenshot of Microsoft Edge for business protection settings." lightbox="media/in-browser-protection/edge-for-business-protection-settings.png":::
+   :::image type="content" source="media/in-browser-protection/edge-for-business-protection-settings.png" alt-text="Screenshot of Microsoft Edge for business protection settings." lightbox="media/in-browser-protection/edge-for-business-protection-settings.png":::
 
 ## Related content
 

CloudAppSecurityDocs/mde-integration.md

@@ -1,7 +1,7 @@
 ---
 title: Integrate Microsoft Defender for Endpoint
 description: This article describes how to integrate Microsoft Defender for Endpoint with Defender for Cloud Apps for enhanced visibility into Shadow IT and risk management.
-ms.date: 06/03/2024
+ms.date: 05/12/2025
 ms.topic: how-to
 ---
 
@@ -18,10 +18,12 @@ This article describes the out-of-the-box integration available between Microsof
 
 - Microsoft Defender for Cloud Apps license
 
+- Devices must be onboarded to [Microsoft Defender for Endpoint](/defender-endpoint/onboard-client)
+
 - One of the following:
 
     - Microsoft Defender for Endpoint with Plan 2
-    - Microsoft Defender for Business with a premium or standalone license
+    - Microsoft Defender for Business (standalone or as part of Microsoft 365 Business Premium)
 
     For more information, see [Compare Microsoft endpoint security plans](/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2).
 

CloudAppSecurityDocs/media/apply-to-continous-reports.png

@@ -97,7 +97,6 @@ This procedure describes how to create a new session policy in Defender for Clou
 
     1. <a name="inspection"></a>In the **Apply to** area (Preview):
 
-        - Select whether to apply the policy to all files, or files in specified folders only
         - Select an inspection method to use, such as data classification services, or malware. For more information, see [Microsoft Data Classification Services integration](dcs-inspection.md).
         - Configure more detailed options for your policy, such as scenarios based on elements like fingerprints or trainable classifiers.