Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into sentinel-ga

Author: batamig

.acrolinx-config.edn

@@ -51,10 +51,10 @@ Select the total score link to review all feedback on clarity, consistency, tone
  "
 **More information about Acrolinx**
  
-- [Install Acrolinx locally for VSCode for Magic](https://review.docs.microsoft.com/office-authoring-guide/acrolinx-vscode?branch=main)
+- [Install Acrolinx locally for VSCode for Magic](https://review.learn.microsoft.com/office-authoring-guide/acrolinx-vscode?branch=main)
 - [False positives or issues](https://aka.ms/acrolinxbug)
 - [Request a new Acrolinx term](https://microsoft.sharepoint.com/teams/M365Dev2/SitePages/M365-terminology.aspx)
-- [Troubleshooting issues with Acrolinx](https://review.docs.microsoft.com/help/contribute/acrolinx-error-messages)
+- [Troubleshooting issues with Acrolinx](https://review.learn.microsoft.com/help/platform/acrolinx-troubleshoot?branch)
 
 "
 }

.github/workflows/StaleBranch.yml

@@ -2,6 +2,7 @@ name: (Scheduled) Stale branch removal
 
 permissions:
   contents: write
+  pull-requests: read
 
 # This workflow is designed to be run in the days up to, and including, a "deletion day", specified by 'DeleteOnDayOfMonth' in env: in https://github.com/MicrosoftDocs/microsoft-365-docs/blob/workflows-prod/.github/workflows/Shared-StaleBranch.yml.
 # On the days leading up to "deletion day", the workflow will report the branches to be deleted. This lets users see which branches will be deleted. On "deletion day", those branches are deleted.

.openpublishing.redirection.defender-cloud-apps.json

@@ -1009,6 +1009,11 @@
       "source_path": "CloudAppSecurityDocs/troubleshooting-api-connectors-using-error-messages.md",
       "redirect_url": "/defender-cloud-apps/troubleshooting-api-connectors-errors",
       "redirect_document_id": true
-    }
+    },
+    {
+      "source_path": "CloudAppSecurityDocs/connector-platform.md",
+      "redirect_url": "/defender-cloud-apps/enable-instant-visibility-protection-and-governance-actions-for-your-apps",
+      "redirect_document_id": true
+    },
   ]
 }

ATPDocs/deploy/activate-capabilities.md

@@ -37,12 +37,6 @@ Direct Defender for Identity capabilities are supported on domain controllers on
 >
 > This issue is addressed in the out-of-band update [KB5037422](https://support.microsoft.com/en-gb/topic/march-22-2024-kb5037422-os-build-20348-2342-out-of-band-e8f5bf56-c7cb-4051-bd5c-cc35963b18f3).
 
-### Defender for Endpoint onboarding
-
-Your domain controller must be onboarded to Microsoft Defender for Endpoint.
-
-For more information, see [Onboard a Windows server](/microsoft-365/security/defender-endpoint/onboard-windows-server).
-
 ### Permissions requirements 
 
 To access the Defender for Identity **Activation** page, you must either be a [Security Administrator](/entra/identity/role-based-access-control/permissions-reference), or have the following Unified RBAC permissions:
@@ -55,12 +49,6 @@ For more information, see:
 - [Unified role-based access control RBAC](../role-groups.md#unified-role-based-access-control-rbac)
 - [Create a role to access and manage roles and permissions](/microsoft-365/security/defender/create-custom-rbac-roles#create-a-role-to-access-and-manage-roles-and-permissions)
 
-### Connectivity requirements
-
-Defender for Identity capabilities directly on domain controllers use Defender for Endpoint URL endpoints for communication, including simplified URLs.
-
-For more information, see [Configure your network environment to ensure connectivity with Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-environment##enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
-
 ## Configure Windows auditing
 
 Defender for Identity detections rely on specific Windows Event Log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications.
@@ -78,42 +66,58 @@ For example, the following command defines all settings for the domain, creates
 Set-MDIConfiguration -Mode Domain -Configuration All
 ```
 
-## Activate Defender for Identity capabilities
+## Onboarding steps
+
+### Customers with domain controllers already onboarded to Defender for Endpoint 
 
-After ensuring that your environment is completely configured, activate the Microsoft Defender for Identity capabilities on your domain controller.
+### Activate Defender for Identity capabilities
 
 Activate the Defender for Identity from the [Microsoft Defender portal](https://security.microsoft.com).
 
 1. Navigate to **System** > **Settings** > **Identities** > **Activation**.
 
-   The Activation page lists servers discovered in Device Inventory and identified as eligible domain controllers. 
+    The Activation Page now displays all servers from your device inventory, including those not currently eligible for the activation of the new Defender for Identity sensor. For each server you can find its activation state.
 
-1. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
+2. Select the domain controller where you want to activate the Defender for Identity capabilities and then select **Activate**. Confirm your selection when prompted. 
 
     :::image type="content" source="media/activate-capabilities/1.jpg" lightbox="media/activate-capabilities/1.jpg" alt-text="Screenshot that shows how to activate the new sensor.":::
 
     > [!NOTE]
     > You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they're discovered, or manually, where you select specific domain controllers from the list of eligible servers.
 
-1. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
+3. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
 
     :::image type="content" source="media/activate-capabilities/2.jpg" lightbox="media/activate-capabilities/2.jpg" alt-text="Screenshot that shows how to seethe onboarded servers.":::
 
+### Customers without domain controllers onboarded to Defender for Endpoint 
+
+### Connectivity requirements
+
+Defender for Identity capabilities directly on domain controllers use Defender for Endpoint URL endpoints for communication, including simplified URLs.
+
+For more information, see [Configure your network environment to ensure connectivity with Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-environment##enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
+
+### Onboard Defender for Identity capabilities 
+Download the Defender for Identity onboarding package from the [Microsoft Defender portal] (https://security.microsoft.com) 
+
+1. Navigate to **System** > **Settings** > **Identities** > **Activation**
+2. Select Download onboarding package and save the file in a location you can access from your domain controller.
+3. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOnboardingScript.cmd` script as an Administrator. 
+   
 ## Onboarding Confirmation 
 
 To confirm the sensor has been onboarded: 
 
-1. Navigate to **System** > **Settings** > **Identities** > **Sensors**. 
+1. Navigate to **System** > **Settings** > **Identities** > **Sensors**.
 
 2. Check that the onboarded domain controller is listed. 
 
 > [!NOTE]
-> The activation doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
+> The onboarding doesn't require a restart/reboot. The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations are shown within five minutes.
+> To check the onboarding on the local server you can also review the event log under **Applications and Services Logs** > **Microsoft** > **Windows** > **Sense** > **Operational**. You should receive an onboarding event: 
 
 ## Test activated capabilities
 
-The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as **Running** on the **Sensors** page. Subsequent activations show within five minutes.
-
 Defender for Identity capabilities on domain controllers currently support the following Defender for Identity functionality:
 
 - Investigation features on the [ITDR dashboard](#check-the-itdr-dashboard), [identity inventory](#confirm-entity-page-details), and [identity advanced hunting data](#test-advanced-hunting-tables)
@@ -163,7 +167,6 @@ IdentityQueryEvents
 
 For more information, see [Advanced hunting in the Microsoft Defender portal](/microsoft-365/security/defender/advanced-hunting-microsoft-defender).
 
-
 ## Test Identity Security Posture Management (ISPM) recommendations
 
 We recommend simulating risky behavior in a test environment to trigger supported assessments and verify that they appear as expected. For example:
@@ -214,17 +217,31 @@ Test remediation actions on a test user. For example:
 
 For more information, see [Remediation actions in Microsoft Defender for Identity](../remediation-actions.md).
 
-## Deactivate Defender for Identity capabilities on your domain controller
+## Offboarding steps
+
+### Customers with domain controllers already onboarded to Defender for Endpoint 
+
+### Deactivate Defender for Identity capabilities on your domain controller 
 
 If you want to deactivate Defender for Identity capabilities on your domain controller, delete it from the **Sensors** page:
 
-1. In the Defender portal, select **Settings** > **Identities** > **Sensors**.
+1. Navigate to **Settings** > **Identities** > **Sensors**
 2. Select the domain controller where you want to deactivate Defender for Identity capabilities, select **Delete**, and confirm your selection.
 
     :::image type="content" source="media/activate-capabilities/3.jpg" lightbox="media/activate-capabilities/3.jpg" alt-text="Screenshot that shows how to deactivate a server.":::
 
 Deactivating Defender for Identity capabilities from your domain controller doesn't remove the domain controller from Defender for Endpoint. For more information, see [Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/).
 
+### Customers without domain controllers onboarded to Defender for Endpoint 
+
+### Offboard Defender for Identity capabilities on your domain controller 
+Download the Defender for Identity offboarding package from the [Microsoft Defender portal] (https://security.microsoft.com).
+
+1. Navigate to **Settings** > **Identities** > **Activation**
+2. Select Download offboarding package and save the file in a location you can access from your domain controller.
+3. From the domain controller, extract the zip file you downloaded from the Microsoft Defender portal, and run the `DefenderForIdentityOnlyOffboardingScript_valid_until_YYYY-MM-DD.cmd` script as an Administrator.
+4. To fully remove the sensor, navigate to **Settings** > **Identities** > **Sensors**, select the server and click Delete. 
+
 ## Next steps
 
 For more information, see [Manage and update Microsoft Defender for Identity sensors](../sensor-settings.md).

ATPDocs/deploy/remote-calls-sam.md

@@ -7,14 +7,11 @@ ms.topic: how-to
 
 # Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity
 
-Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.
-
-> [!NOTE]
-> This feature can potentially be exploited by an adversary to obtain the Net-NTLM hash of the DSA account due to a Windows limitation in the SAM-R calls that allows downgrading from Kerberos to NTLM.
-> The new Defender for Identity sensor (version 3.x) is not affected by this issue as it uses different detection methods.
+> [!IMPORTANT]
+> The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. The change will occur automatically by the specified date, and no administrative action is required.
 > 
-> It is recommended to use a [low privileged DSA account](directory-service-accounts.md#grant-required-dsa-permissions). You can also [contact support](../support.md) to open a case and request to completely disable the [Lateral Movement Paths](../security-assessment-riskiest-lmp.md) data collection capability.
-> Please note that this will result in reduced data available for the [attack path feature in Exposure Management](/security-exposure-management/review-attack-paths).
+
+Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.
 
 This article describes the configuration changes required to allow the Defender for Identity Directory Services Account (DSA) to perform the SAM-R queries.
 

ATPDocs/identity-security-initiative.md

@@ -0,0 +1,85 @@
+---
+title: Identity Security Initiative
+description: Learn how to enhance your organization's identity security using the Identity Security Initiative in Microsoft Defender XDR.
+ms.topic: overview
+ms.date: 04/05/2025
+---
+
+# Identity Security Initiative (Preview)
+
+Identity security is the practice of protecting the digital identities of individuals and organizations. This includes protecting passwords, usernames, and other credentials that can be used to access sensitive data or systems. Identity security is essential for protecting against a wide range of cyber threats, including phishing, malware, and data breaches.
+
+## Prerequisites
+
+- Your organization must have a Microsoft Defender for Identity license.
+- [Review prerequisites and permissions needed](/security-exposure-management/prerequisites) for working with Security Exposure Management.
+
+## View Identity Security Initiatives
+1. Navigate to the [Microsoft Defender portal](https://security.microsoft.com/).
+1. From the Exposure management section on the navigation bar, select **Exposure insights** **>** **Initiatives** to open the Identity Security page.
+
+   :::image type="content" source="media/identity-security-initiative/screenshot-of-the-identity-security-initiative-page.png" alt-text="Screenshot showing the Identity security initiative page." lightbox="media/identity-security-initiative/screenshot-of-the-identity-security-initiative-page.png":::
+
+## Review security metrics
+
+Metrics in security initiatives help you to measure exposure risk for different areas within the initiative. Each metric gathers together one or more recommendations for similar assets.
+Metrics can be associated with one or more initiatives.
+
+On the **Metrics** tab of an initiative, or in the Metrics section of Exposure Insights, you can see the metric state, its effect, and relative importance in an initiative, and recommendations to improve the metric.
+We recommend that you prioritize metrics with the highest impact on Initiative Score level. This composite measure considers both the weight value of each recommendation and the percentage of noncompliant recommendations.
+
+:::image type="content" source="media/identity-security-initiative/screenshot-of-the-security-metrics-page.png" alt-text="Screenshot showing the security metrics page." lightbox="media/identity-security-initiative/screenshot-of-the-security-metrics-page.png":::
+
+
+|Metric property |Description  |
+|---------|---------|
+|**Metric name**    | The name of the metric.        |
+|**Progress**   |Shows the improvement of the exposure level for the metric from 0 (high exposure) to 100 (no exposure).         |
+|**State**   | Shows if the metric needs attention or if the target was met.       |
+|**Total assets**  | Total number of assets under the metric scope.        |
+|**Recommendations**   | Security recommendations associated with the metric.        |
+|**Weight**    | The relative weight (importance) of the metric within the initiative, and its effect on the initiative score. Shown as High, Medium, and Low. It can also be defined as Risk accepted.        |
+|**14-day trend** | Shows the metric value changes over the last 14 days.        |
+|**Last updated** | Shows a timestamp of when the metric was last updated.
+
+> [!NOTE]
+> The Affected assets experience isn't fully supported during the Preview phase.
+
+## View Identity security recommendations 
+
+ The Security recommendations tab displays a list of prioritized remediation actions related to your identity security posture. Each recommendation is evaluated for compliance and mapped to its corresponding risk impact, workload, and domain. This view helps you triage and take action based on urgency and business relevance.
+
+:::image type="content" source="media/identity-security-initiative/screenshot-showing-the-security-recommendations-page.png" alt-text="Showing showing the security recommendations page." lightbox="media/identity-security-initiative/screenshot-showing-the-security-recommendations-page.png":::
+
+Sort the recommendations by any of the headings or filter them based on your task needs. 
+
+| **Column**             | **Description**                                                                 |
+|------------------------|---------------------------------------------------------------------------------|
+| **Name**               | The name of the recommended action (for example, *Configure VPN integration*, *Enable MFA*). |
+| **State**              | Indicates whether the recommendation is *Compliant* or *Not Compliant*.         |
+| **Impact**             | The security impact level (Low, Medium, or High) of implementing the recommendation. |
+| **Workload**           | The Microsoft service area the recommendation applies to (for example, Defender for Identity, Microsoft Entra ID). |
+| **Domain**             | The security domain (for example, identity, apps) associated with the recommendation.   |
+| **Last calculated**    | The most recent time the recommendation's status was evaluated.                 |
+| **Last state change**  | When the recommendation’s compliance state last changed.                        |
+| **Related initiatives**| Number of security initiatives impacted by this recommendation.                 |
+| **Related metrics**    | Number of security metrics that this recommendation contributes to.             |
+
+Security Exposure Management categorizes recommendations by compliance status, as follows:
+
+- **Compliant**: Indicates that the recommendation was implemented successfully.
+- **Not complaint**: Indicates that the recommendation wasn't fixed.
+
+## Set target score
+
+You can set a customized target score for the initiative, taking your organization’s unique set of circumstances, priorities, and risk appetite into account.
+
+To set a target store, select the initiative, and then select **Set target score** from the top of the initiative pane.
+
+:::image type="content" source="media/identity-security-initiative/set-target-score.png" alt-text="Screenshot showing the set target score button." lightbox="media/identity-security-initiative/set-target-score.png":::
+
+## Related content
+
+- [Review security initiatives](/security-exposure-management/initiatives)
+
+- [Investigate security initiative metrics](/security-exposure-management/security-metrics)