Merge branch 'main' into fixing-whats-new

Author: limwainstein

ATPDocs/whats-new.md

@@ -25,6 +25,14 @@ For updates about versions and features released six months ago or earlier, see
 
 ## August 2025
 
+### Microsoft Entra ID risk level is now available in near real time in Microsoft Defender for Identity (Preview)
+
+Entra ID risk level is now available on the Identity Inventory assets page, the identity details page, and in the IdentityInfo table in Advanced Hunting, and includes the Entra ID risk score. SOC analysts can use this data to correlate risky users with sensitive or highly privileged users, create custom detections based on current or historical user risk, and improve investigation context.
+
+Previously, Defender for Identity tenants received Entra ID risk level in the IdentityInfo table through user and entity behavior analytics (UEBA). With this update, the Entra ID risk level is now updated in near real time through Microsoft Defender for Identity.
+
+For UEBA tenants without a Microsoft Defender for Identity license, synchronization of Entra ID risk level to the IdentityInfo table remains unchanged.
+
 
 ### New security assessment: Remove inactive service accounts (Preview)
 

CloudAppSecurityDocs/protect-office-365.md

@@ -162,7 +162,8 @@ This section provides instructions for connecting Microsoft Defender for Cloud A
     SaaS Security Posture Management (SSPM) data is shown in the Microsoft Defender Portal on the **Secure Score** page. For more information, see [Security posture management for SaaS apps](/defender-cloud-apps/security-saas).
 
     > [!NOTE]
-    > After connecting Microsoft 365, you see data from the past week, including any third-party applications connected to Microsoft 365 that are pulling APIs. For third-party apps that aren't pulling APIs before connection, you see events starting from when you connect Microsoft 365 because Defender for Cloud Apps turns on any APIs that are off by default.
+    > - After connecting Microsoft 365, you see data from the past week, including any third-party applications connected to Microsoft 365 that are pulling APIs. For third-party apps that aren't pulling APIs before connection, you see events starting from when you connect Microsoft 365 because Defender for Cloud Apps turns on any APIs that are off by default.
+    > - Files and folders that are publicly shared (shared with ‘anyone’) in SharePoint or OneDrive may incorrectly show up as private.
 
     If you have any problems connecting the app, see [Troubleshooting App Connectors](troubleshooting-api-connectors-using-error-messages.md).
 

defender-xdr/advanced-hunting-identityinfo-table.md

@@ -102,10 +102,9 @@ If you're using the Microsoft Defender portal but haven't onboarded a Microsoft
 - `DeletedDateTime`
 - `EmployeeId`
 - `OtherMailAddresses`
-- `RiskLevel`
-- `RiskLevelDetails`
-- `State`
 - `Tags`
+- `State`
+
 
 For more information about UEBA, read [Advanced threat detection with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](/azure/sentinel/identify-threats-with-entity-behavior-analytics). For more information about the different data sources in UEBA, read [Microsoft Sentinel UEBA reference](/azure/sentinel/ueba-reference).