updates for recommendations

DebLanger · DebLanger · commit d6893f9ce0c9 · 2025-11-06T15:16:45.000+02:00
diff --git a/exposure-management/exposure-insights-overview.md b/exposure-management/exposure-insights-overview.md
@@ -96,7 +96,7 @@ Grayed out metrics aren't considered for score calculation.
 
 ## Working with recommendations
 
-Security Exposure Management ingests security recommendations from multiple source, including Expsosure Management, [Microsoft Secure Score](/defender-xdr/microsoft-secure-score), and Microsoft Defender for Cloud. With the integration of Defender for Cloud in the Defender portal, Microsoft Security Exposure Management consolidates all of these recommendations into a unified Recommendations Catalog accessible in the Defender portal.
+Security Exposure Management ingests security recommendations from multiple sources, including Exposure Management, [Microsoft Secure Score](/defender-xdr/microsoft-secure-score), and Microsoft Defender for Cloud. With the integration of Defender for Cloud in the Defender portal, Microsoft Security Exposure Management consolidates all of these recommendations into a unified Recommendations Catalog accessible in the Defender portal.
 
 ### Unified Recommendations Experience
 
diff --git a/exposure-management/security-recommendations.md b/exposure-management/security-recommendations.md
@@ -13,7 +13,7 @@ ms.date: 07/30/2025
 
 This article describes how to work with security recommendations in the new unified recommendations experience in [Microsoft Security Exposure Management](microsoft-security-exposure-management.md).
 
-## Prerequisites
+## Before you start
 
 - Learn about the [unified recommendations catalog](exposure-insights-overview.md#working-with-recommendations) before you start.
 - [Review permissions and prerequisites needed](prerequisites.md) for working with Security Exposure Management.
@@ -34,40 +34,70 @@ You can explore the full breadth of Microsoft's security recommendations without
 
 ## Review recommendations
 
-1. In the [Microsoft Defender portal](https://security.microsoft.com), select **Exposure management > Exposure insights > Recommendations** to open the unified [Recommendations](https://security.microsoft.com/exposure-recommendations) page.
+1. In the [Microsoft Defender portal](https://security.microsoft.com), select **Exposure management > Recommendations** to open the unified [Recommendations](https://security.microsoft.com/exposure-recommendations) page.
 
     :::image type="content" source="./media/recommendations-navigation.png" alt-text="Screenshot of the recommendations window." lightbox="./media/recommendations-navigation.png":::
 
 ### Navigate the new unified recommendations interface
 
-1. **Use the attack surface tabs**: The recommendations are now organized by tabs for different domains:
-   - **Devices** - Device-related recommendations including misconfigurations and vulnerabilities
-   - **Cloud** - Multicloud (Azure, AWS, and GCP), hybrid environments and code recommendations with risk-based prioritization. 
-   - **Identity** - Identity-related security recommendations
-   - **SaaS** - Software-as-a-Service application recommendations
-   - **Data** - Data protection recommendations
+Use the recommendations tabs that are organized by asset type to explore specific recommendation categories:
 
-1. **Separate views for issue types**: On the Devices tab, you'll find separate views for:
-   - **Misconfigurations** - Configuration-related security issues from MDVM, Microsoft Secure Score, and Security Exposure Management, contributing to the Devices Secure Score
-   - **Vulnerabilities** - Software vulnerabilities from MDVM requiring patches, preserving the familiar structure, fields, filters, and prioritization logic with the same exposure score
-   
-   This separation recognizes that misconfigurations and vulnerabilities often represent distinct workflows handled by different personas, allowing for clearer prioritization and ownership.
+- **Devices** - Device-related recommendations including misconfigurations and vulnerabilities
+- **Cloud assets** - Multicloud (Azure, AWS, and GCP), hybrid environments and code recommendations with risk-based prioritization. 
+- **SaaS apps** - Software-as-a-Service application recommendations
+- **Identities** - Identity-related security recommendations
+- **Data** - Data protection recommendations
 
-## Cloud recommendations with risk-based prioritization
+#### Filter and sort recommendations
 
-In the Defender portal, cloud recommendations are prioritized by risk, helping you focus on what matters most. The Cloud assets tab presents security recommendations related to cloud assets across your environment with enhanced context. It has separate views for misconfigurations, vulnerabilities, and exposed secrets.
+There are several ways to filter and sort recommendations in each category to help you prioritize your security efforts effectively.
 
-:::image type="content" source="media/security-recommendations/cloud-assets-security-recommendations.png" alt-text="Screenshots of cloud assets recommendations tab" lightbox="media/security-recommendations/cloud-assets-security-recommendations.png":::
+Sort the recommendations by any of the headings or filter them based on your task needs.
 
-With the integration of Defender for Cloud in the Defender portal, you can also access enhanced cloud recommendations through the unified interface:
+Apply advanced filtering using the **Add filter** option to narrow down recommendations by various criteria depending on the recommendation type.
 
-:::image type="content" source="./media/defender-for-cloud-defender-portal/recommendations.png" alt-text="Screenshot of unified cloud recommendations in the Defender portal." lightbox="./media/defender-for-cloud-defender-portal/recommendations.png":::
+#### Devices
+
+The Devices tab provides a unified view of device-related security recommendations, combining misconfigurations and vulnerabilities into a single location for easier management.
+
+There are separate views for issue types:
+
+- **Misconfigurations** - Configuration-related security issues from Vulnerability Management, Microsoft Secure Score, and Security Exposure Management, contributing to the Devices Secure Score
+- **Vulnerabilities** - Software vulnerabilities from Vulnerability Management requiring patches, preserving the familiar structure, fields, filters, and prioritization logic with the same exposure score
 
-### Cloud Secure Score integration
+This separation recognizes that misconfigurations and vulnerabilities often represent distinct workflows handled by different personas, allowing for clearer prioritization and ownership.
 
-The Cloud Secure Score provides comprehensive scoring alongside traditional Secure Score:
+## Cloud assets
 
-:::image type="content" source="./media/defender-for-cloud-defender-portal/cloud-secure-score.png" alt-text="Screenshot of Cloud Secure Score in the Defender portal." lightbox="./media/defender-for-cloud-defender-portal/cloud-secure-score.png":::
+This tab provides a prioritized list of security actions designed to improve your cloud security posture by addressing vulnerabilities and misconfigurations. These recommendations are ranked by effective risk, helping security teams focus on the most critical threats first.
+
+Apply filters and filter sets such as **Exposed asset**, **Asset risk factors**, **Environment**, **Workload**, **Recommendation maturity** and others.
+
+On the left navigation pane, you can choose to either view all recommendations or view by a specific category.
+
+There are separate views for issue types:
+
+- **Misconfigurations**
+- **Vulnerabilities**
+- **Exposed Secrets**.
+
+For each view you will view the **Cloud secure score**, **Score history**, **Recommendation by risk level** and how the risk is calculated.
+
+:::image type="content" source="media/security-recommendations/cloud-assets-security-recommendations.png" alt-text="Screenshots of cloud assets recommendations tab" lightbox="media/security-recommendations/cloud-assets-security-recommendations.png":::
+
+> [!NOTE]
+> In the Defender portal, some recommendations that previously appeared as a single aggregated item now display as multiple individual recommendations. This change reflects a shift from grouping related findings under one recommendation to listing each recommendation separately.
+
+> - You may notice a longer list of recommendations compared to before. Combined findings (such as vulnerabilities, exposed secrets, or misconfigurations) are now shown individually rather than nested under a parent recommendation.
+> - The old grouped recommendations still appear side by side with the new format for now, but they will eventually be deprecated.
+> - These recommendations are marked as Preview. This tag indicates that the recommendation is in an early state and does not affect Secure Score yet.
+> - Secure Score currently applies to the parent recommendation only, not to each individual item.
+>
+ **Tip**: If you see both formats or recommendations with a Preview tag, this is expected during the transition. The goal is to improve clarity and allow customers to act on specific recommendations more easily.
+
+With the integration of Defender for Cloud in the Defender portal, you can also access enhanced cloud recommendations through the unified interface:
+
+:::image type="content" source="./media/defender-for-cloud-defender-portal/recommendations.png" alt-text="Screenshot of unified cloud recommendations in the Defender portal." lightbox="./media/defender-for-cloud-defender-portal/recommendations.png":::
 
 Key improvements in the cloud recommendations experience include:
 
@@ -76,40 +106,16 @@ Key improvements in the cloud recommendations experience include:
 - **Enhanced data**: Core recommendation data from Azure Recommendations enriched with additional fields and capabilities from Exposure Management
 - **Prioritized by criticality**: Greater emphasis on critical issues that pose the highest risk to your organization
 
-## Device vulnerabilities and misconfigurations
-
-The Devices tab maintains familiar functionality while benefiting from the unified catalog structure:
-
-### Device vulnerabilities
-
-- **Preserved experience**: The same table structure, fields, filters, and prioritization logic from MDVM
-- **Familiar exposure scoring**: Uses the established exposure score methodology for assessing device vulnerability
-- **Integrated workflow**: Part of the unified experience while maintaining specialized vulnerability management workflows
-
-### Device misconfigurations  
+#### SaaS apps, Identities, and Data tabs
 
-- **Unified data sources**: Combines device-related misconfiguration recommendations from MDVM, Microsoft Secure Score, and Security Exposure Management
-- **Secure Score contribution**: Recommendations contribute to the Devices Secure Score following Microsoft's established calculation methodology
-- **Enhanced baseline logic**: Based on MDVM's device recommendations enhanced with additional context from other sources
+These tabs provide recommendations specific to SaaS applications, identity security, and data protection, respectively. Each tab allows you to filter and sort recommendations to focus on the most relevant security actions for your organization.
 
-1. **Use enhanced filtering and sorting**: Sort the recommendations by any of the headings or filter them based on your task needs. Sorting includes all of the headers:
-    - **Name** - Recommendation name
-    - **State** - Compliant or not compliant
-    - **Impact** - High, low, or medium impact
-    - **Workload** - Which workload the recommendations relate to
-    - **Domain** - Device, apps, data, or identity
-    - **Risk Score** - For cloud recommendations, shows calculated risk score based on asset value and other factors
-    - **Last calculated** - Last time the recommendation was calculated
-    - **Last state change** - Last time the recommendation state changed
-    - **Related initiatives** - The number of related initiatives
-    - **Related metrics** - The number of related metrics
+The recommendations summary on these tabs includes:
 
-1. **Apply advanced filtering**: Filter recommendations by:
-   - State (compliant, not compliant, etc.)
-   - Impact level
-   - Workload source
-   - Domain/attack surface
-   - Risk score (for cloud recommendations)
+- Their unique secure score
+- Score history
+- Recommendation by status
+- Score comparison
 
 1. Select a recommendation to view and review details.
 
@@ -125,7 +131,7 @@ You can also review recommendations on the **Recommendations** tab in a specific
    - Microsoft Secure Score for Microsoft 365 recommendations
    - Other Microsoft workloads as appropriate
 
-1. **Note on unified workflow**: All recommendations, including those from Azure security center, are now visible in MSEM, so you can manage your entire security posture from the unified portal without needing to navigate to separate Azure portals for cloud recommendations.
+1. **Note on unified workflow**: All recommendations, including those from Azure security center, are now visible in Exposure Management, so you can manage your entire security posture from the unified portal without needing to navigate to separate Azure portals for cloud recommendations.
 
 ## Next steps
 
