added global admin note

Author: diannegali

defender-xdr/configure-email-notifications.md

@@ -12,7 +12,7 @@ ms.collection:
 - tier2
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 10/11/2023
+ms.date: 07/08/2024
 ---
 
 # Configure alert notifications in Microsoft Defender XDR
@@ -37,6 +37,9 @@ You can set the alert severity levels that trigger notifications. You can also a
 
 If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule. Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups.
 
+> [!NOTE]
+> Microsoft recommends using roles with fewer permissions for better security. The Global Administrator role, which has many permissions, should only be used in emergencies when no other role fits.
+
 The email notification includes basic information about the alert and a link to the portal where you can do further investigation.
 
 ## Create rules for alert notifications

defender-xdr/deception-overview.md

@@ -16,7 +16,7 @@ ms.topic: conceptual
 search.appverid: 
   - MOE150
   - MET150
-ms.date: 05/02/2023
+ms.date: 07/08/2024
 ---
 
 # Manage the deception capability in Microsoft Defender XDR
@@ -50,6 +50,9 @@ The following table lists the requirements to enable the deception capability in
 > |Deployment requirements|Requirements:</br> - Defender for Endpoint is the primary EDR solution</br> - [Automated investigation and response capabilities in Defender for Endpoint](/defender-endpoint/configure-automated-investigations-remediation) is configured</br> - Devices are [joined](/entra/identity/devices/concept-directory-join/) or [hybrid joined](/entra/identity/devices/concept-hybrid-join/) in Microsoft Entra</br> - PowerShell is enabled on the devices</br> - The deception feature covers clients operating on Windows 10 RS5 and later in preview|
 > |Permissions|You must have one of the following roles assigned in the [Microsoft Entra admin center](https://entra.microsoft.com) or in the [Microsoft 365 admin center](https://admin.microsoft.com) to configure deception capabilities:</br> - Global administrator</br> - Security administrator</br> - Manage portal system settings|
 
+> [!NOTE]
+> Microsoft recommends using roles with fewer permissions for better security. The Global Administrator role, which has many permissions, should only be used in emergencies when no other role fits.
+
 ## What is deception technology?
 
 Deception technology is a security measure that provides immediate alerts of a potential attack to security teams, allowing them to respond in real-time. Deception technology creates fake assets like devices, users, and hosts that appear to belong to your network.

defender-xdr/investigate-alerts.md

@@ -79,8 +79,8 @@ An alert can have system tags and/or custom tags with certain color backgrounds.
 You'll need to have any of the following roles to access Microsoft Defender for Office 365 alerts:
 
 - For Microsoft Entra global roles:
-  - Global administrator
-  - Security administrator
+  - Global Administrator
+  - Security Administrator
   - Security Operator
   - Global Reader
   - Security Reader
@@ -91,6 +91,9 @@ You'll need to have any of the following roles to access Microsoft Defender for
 
 - A [custom role](custom-roles.md)
 
+> [!NOTE]
+> Microsoft recommends using roles with fewer permissions for better security. The Global Administrator role, which has many permissions, should only be used in emergencies when no other role fits.
+
 ## Analyze an alert
 
 To see the main alert page, select the name of the alert. Here's an example.

defender-xdr/m365d-configure-auto-investigation-response.md

@@ -9,7 +9,7 @@ audience: ITPro
 ms.topic: how-to
 ms.service: defender-xdr
 ms.localizationpriority: medium
-ms.date: 06/11/2024
+ms.date: 07/08/2024
 ms.collection:
 - m365-security
 - tier2
@@ -46,6 +46,9 @@ Then, after you're all set up, you can [view and manage remediation actions in t
 |Protection for email content and Office files|<ul><li>[Microsoft Defender for Office 365 is configured](/defender-office-365/mdo-deployment-guide#step-2-configure-protection-policies)</li><li>[Automated investigation and remediation capabilities in Defender for Endpoint are configured](/defender-endpoint/configure-automated-investigations-remediation) (required for manual response actions, such as deleting email messages on devices)</li></ul>|
 |Permissions|To configure automated investigation and response capabilities, you must have one of the following roles assigned in either Microsoft Entra ID (<https://portal.azure.com>) or in the Microsoft 365 admin center (<https://admin.microsoft.com>): <ul><li>Global Administrator</li><li>Security Administrator</li></ul>To work with automated investigation and response capabilities, such as by reviewing, approving, or rejecting pending actions, see [Required permissions for Action center tasks](m365d-action-center.md#required-permissions-for-action-center-tasks).|
 
+> [!NOTE]
+> Microsoft recommends using roles with fewer permissions for better security. The Global Administrator role, which has many permissions, should only be used in emergencies when no other role fits.
+
 ## Review or change the automation level for device groups
 
 Whether automated investigations run, and whether remediation actions are taken automatically or only upon approval for your devices depend on certain settings, such as your organization's device group policies. Review the configured automation level for your device group policies. You must be a global administrator or security administrator to perform the following procedure:

defender-xdr/m365d-notifications-incidents.md

@@ -16,7 +16,7 @@ ms.topic: conceptual
 search.appverid: 
   - MOE150
   - MET150
-ms.date: 09/18/2023
+ms.date: 07/08/2024
 ---
 
 # Get incident notifications by email in Microsoft Defender XDR
@@ -52,6 +52,9 @@ You can add or remove recipients in the email notifications. New recipients get
 > You need the **Manage security settings** permission to configure email notification settings. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. <br> <br>
 Likewise, if your organization is using role-based access control (RBAC), you can only create, edit, delete, and receive notifications based on device groups that you are allowed to manage.
 
+> [!NOTE]
+> Microsoft recommends using roles with fewer permissions for better security. The Global Administrator role, which has many permissions, should only be used in emergencies when no other role fits.
+
 ## Create a rule for email notifications
 
 Follow these steps to create a new rule and customize email notification settings.

defender-xdr/m365d-response-actions-notifications.md

@@ -16,7 +16,7 @@ ms.topic: conceptual
 search.appverid: 
   - MOE150
   - MET150
-ms.date: 03/28/2024
+ms.date: 07/08/2024
 ---
 
 # Get email notifications for response actions in Microsoft Defender XDR
@@ -38,6 +38,9 @@ You can set up Microsoft Defender XDR to notify you through email about manual o
 > [!NOTE]
 > You need the **Manage security settings** permission to configure email notification settings. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. Likewise, if your organization is using [role-based access control (RBAC)](manage-rbac.md), you can only create, edit, delete, and receive notifications based on device groups that you are allowed to manage.
 
+> [!NOTE]
+> Microsoft recommends using roles with fewer permissions for better security. The Global Administrator role, which has many permissions, should only be used in emergencies when no other role fits.
+
 ## Create a rule for email notifications
 
 > [!NOTE]