Merge pull request #5631 from MicrosoftDocs/main

[AutoPublish] main to live - 11/17 13:30 PST | 11/18 03:00 IST

Author: m365-skilling-repo-management[bot]

defender-for-identity/whats-new.md

@@ -25,6 +25,13 @@ For updates about versions and features released six months ago or earlier, see
 
 ## November 2025
 
+|Version number |Updates |
+|---------|---------|
+|2.251|The enhanced ADWS LDAP and legacy password-based LDAP query methods now capture a broader range of unique events at scale. As a result, you may notice an increase in recorded activity.|
+
+### Automatic Windows event auditing configuration for Defender for Identity sensors v3.x
+
+Defender for Identity now offers automatic Windows event-auditing configuration for Defender for Identity sensors v3.x. Automatic event auditing streamlines deployment by applying required Windows auditing settings to new sensors and fixing any misconfigurations on existing sensors. Admins can enable the option in the Defender portal or using Graph API. 
 
 ### Identity Inventory enhancements: Accounts tab, manual account linking and unlinking, and expanded remediation actions
 
@@ -44,13 +51,6 @@ For more information, see: [Link or Unlink an Account to an Identity (Preview)](
 You can now perform remediation actions such as disabling accounts or resetting passwords on one or more accounts linked to an identity. For more information, see: [Remediation actions](remediation-actions.md#roles-and-permissions).
 Defender for Identity now offers an opt-in automatic event-auditing configuration for unified sensors (V3.x). This feature streamlines deployment by automatically applying required Windows auditing settings to new sensors and fixing misconfigurations on existing ones. Admins can enable the option in the Defender for Identity Settings -> Advanced Features or via Graph API. The capability and its related health alerts will roll out globally beginning mid-November 2025.
 
-Releated Health alerts:
-- NTLM Auditing is not enabled 
-- Directory Services Advanced Auditing is not enabled as required 
-- Directory Services Object Auditing is not enabled as required 
-- Auditing on the Configuration container is not enabled as required 
-- Auditing on the ADFS container is not enabled as required
-
 ### New security posture assessment: Change password for on-prem account with potentially leaked credentials (Preview)
 
 The new security posture assessment lists users whose valid credentials have been leaked. For more information, see: [Change password for on-prem account with potentially leaked credentials (Preview)](/defender-for-identity/security-posture-assessments/accounts#change-password-for-on-prem-account-with-potentially-leaked-credentials-preview)
@@ -68,8 +68,8 @@ For more information, see [Configure scoped access for Microsoft Defender for Id
 
 ## October 2025
 
-We’re excited to announce that the Microsoft Defender for Identity Sensor (v3.x) is now generally available (GA). 
-[Version 3.x of the sensor](/defender-for-identity/deploy/activate-sensor) provides enhanced coverage, improved performance across your environment and offering easier deployment and management for domain controllers.
+We’re excited to announce that the Microsoft Defender for Identity sensor v3.x is now generally available (GA). 
+The [Microsoft Defender for Identity sensor v3.x](/defender-for-identity/deploy/activate-sensor) provides enhanced coverage, improved performance across your environment and offering easier deployment and management for domain controllers.
 
 ### Microsoft Defender for Identity sensor version updates
 
@@ -93,9 +93,9 @@ As part of the ongoing transition to a unified alerting experience across Micros
 |Suspected brute-force attack (LDAP)|2004|[Suspected brute-force attack (LDAP)](alerts-xdr.md#suspected-brute-force-attack-ldap)|xdr_LdapBindBruteForce|
 |Suspicious network connection over Encrypting File System Remote Protocol|2416|[Suspicious network connection over Encrypting File System Remote Protocol](alerts-xdr.md#suspicious-network-connection-over-encrypting-file-system-remote-protocol)|xdr_SuspiciousConnectionOverEFSRPC|
 
-### Unlock additional security value in the unified agent (Preview)
+### Additional security value in the Defender for Identity sensor v3.x
 
-Get enhanced protection by applying the **Unified sensor RPC audit** tag to your v3.x sensors through the Asset rule management feature. Learn more [here](/defender-for-identity/deploy/prerequisites-sensor-version-3).
+Apply the **Unified sensor RPC audit** tag to your Defender for Identity sensor v3.x in the **Asset rule management** page for enhanced protection. Learn more [here](/defender-for-identity/deploy/prerequisites-sensor-version-3).
 
 ### Identity posture recommendations view on the identity page (preview)
 
@@ -106,18 +106,18 @@ For more information, see [Investigate users in Microsoft Defender XDR](/microso
 Defender for Identity data centers are now also deployed in the United Arab Emirates, North and Central regions. For the most current list of regional deployments, see [Defender for Identity data locations](/defender-for-identity/privacy-compliance/#data-location).
 
 
-### New API support for unified sensor (preview)
-We are excited to announce the availability of a new Graph-based API for managing unified sensor server actions in Microsoft Defender for Identity.
+### New API support for the Defender for Identity sensor v3.x (Preview)
+We are excited to announce the availability of a new Graph-based API for managing the Defender for Identity sensor v3.x server actions.
 This capability is currently in preview and available in API Beta version.
 
 This API allows customers to:
 
-* Monitor the status of unified sensor servers
+* Monitor the status of servers deployed with the Defender for Identity sensor v3.x
 * Enable or disable the automatic activation of eligible servers
 * Activate or deactivate the sensor on eligible servers
  ​
 
-For more information, see [Managing unified sensor actions through Graph API](/graph/api/resources/security-api-overview?view=graph-rest-beta&preserve-view=true).
+For more information, see [Managing the Defender for Identity sensor v3.x actions using Graph API](/graph/api/resources/security-api-overview?view=graph-rest-beta&preserve-view=true).
 
 ### Microsoft Defender for Identity sensor version updates
 

defender-office-365/air-user-automatic-feedback-response.md

@@ -6,7 +6,7 @@ ms.author: chrisda
 manager: bagol
 ms.reviewer: kellycrider
 ms.topic: overview
-ms.date: 07/10/2024
+ms.date: 11/17/2024
 ms.service: defender-office-365
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
@@ -21,6 +21,8 @@ This article explains how to enable and customize automatic feedback response fo
 
 ## What do you need to know before you begin?
 
+- The alert policy named **Email reported by user as malware or phish** must be enabled for this feature to work (it's on by default). For more information about this alert policy, see [Threat management alert policies](/defender-xdr/alert-policies#threat-management-alert-policies).
+
 - You open the Microsoft Defender portal at <https://security.microsoft.com>. To go directly to the **User reported settings** page, use <https://security.microsoft.com/securitysettings/userSubmission>.
 
 - You need to be assigned permissions before you can do the procedures in this article. You have the following options:

defender-office-365/anti-phishing-policies-mdo-configure.md

@@ -351,6 +351,7 @@ On the **Anti-phishing** page, the following properties are displayed in the lis
   - **Always on** for the default anti-phishing policy.
   - **On** or **Off** for other anti-spam policies.
 - **Priority**: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-defender-portal-to-set-the-priority-of-custom-anti-phishing-policies) section.
+
 To change the list of policies from normal to compact spacing, select :::image type="icon" source="media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
 
 Select :::image type="icon" source="media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the policies by **Time range** (creation date) or **Status**.

defender-office-365/app-guard-for-office-install.md

@@ -48,6 +48,7 @@ Microsoft Defender Application Guard for Office (Application Guard for Office) h
 - **Update package**: Windows 10 cumulative monthly security update [KB4571756](https://support.microsoft.com/help/4571756/windows-10-update-KB4571756)
 
 For detailed system requirements, refer to [System requirements for Microsoft Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard). Also, refer to your computer manufacturer's guides on how to enable virtualization technology.
+
 To learn more about Microsoft 365 Apps update channels, see [Overview of update channels for Microsoft 365 Apps](/deployoffice/overview-update-channels).
 
 ## Deploy Application Guard for Office

defender-office-365/email-auth-sec-ops-guide.md

@@ -24,7 +24,6 @@ appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
 ---
 
-
 # Security Operations guide for email authentication in Microsoft 365
 
 [Email authentication](email-authentication-about.md) is a critical component of securing communication in your organization. When an email is received in Microsoft 365, the service adds an **Authentication-Results** header. This header shows the results of various email authentication checks, including SPF, DKIM, DMARC, and composite authentication (compauth).

defender-office-365/quarantine-faq.yml

@@ -81,7 +81,6 @@ sections:
 
           You can't customize quarantine policies in [preset security policies](preset-security-policies.md).
 
-
       - question: |
           What messages can end users access in quarantine?
         answer: |

defender-office-365/reports-email-security.md

@@ -1069,7 +1069,6 @@ Select **View details** to go to the **Top senders and recipients** page. Or, to
 - **Microsoft 365 organizations without Defender for Office 365**: <https://security.microsoft.com/reports/TopSenderRecipient>
 - **Microsoft 365 organizations with Defender for Office 365 (included or in an add-on subscription)**: <https://security.microsoft.com/reports/TopSenderRecipientsATP>
 
-
 On the **Top senders and recipients** page, a larger version of the pie chart is displayed. The following charts are available:
 
 - **Show data for Top mail senders** (default view)

defender-office-365/safe-links-policies-configure.md

@@ -406,7 +406,9 @@ This example creates a safe links rule to the previous examples, but the rule ap
 
 ```powershell
 $Data = Import-Csv -Path "C:\Data\SafeLinksDomains.csv"
+
 $SLDomains = $Data.Domains
+
 New-SafeLinksRule -Name "Contoso All" -SafeLinksPolicy "Contoso All" -RecipientDomainIs $SLDomains
 ```
 
@@ -507,7 +509,9 @@ This example adds the domains from the specified .csv as a condition to the safe
 
 ```powershell
 $Data = Import-Csv -Path "C:\Data\SafeLinksDomains.csv"
+
 $SLDomains = $Data.Domains
+
 Set-SafeLinksRule -Identity "Contoso All" -RecipientDomainIs $SLDomains
 ```
 

defender-office-365/step-by-step-guides/how-to-handle-false-negatives-in-microsoft-defender-for-office-365.md

@@ -21,6 +21,7 @@ ms.date: 01/31/2023
 # How to handle malicious emails that are delivered to recipients (False Negatives), using Microsoft Defender for Office 365
 
 Microsoft Defender for Office 365 helps deal with malicious emails (False Negative) that are delivered to recipients and that put your organizational productivity at risk.
+
 Defender for Office 365 can help you understand why emails are getting delivered, how to resolve the situation quickly, and how to prevent similar situations from happening in the future.
 
 ## What you'll need

defender-office-365/submissions-users-report-message-add-in-configure.md

@@ -70,9 +70,9 @@ The rest of this article describes how to remove the Report Message and Report P
     > [!IMPORTANT]
     > <sup>\*</sup> Microsoft strongly advocates for the principle of least privilege. Assigning accounts only the minimum permissions necessary to perform their tasks helps reduce security risks and strengthens your organization's overall protection. Global Administrator is a highly privileged role that you should limit to emergency scenarios or when you can't use a different role.
 
--  The Report Message and Report Phishing add-ins now use Nested app authentication. For more information, see [Nested app auth requirement set](/javascript/api/requirement-sets/common/nested-app-auth-requirement-sets) . If your Outlook client doesn't support the required NAA authentication, we suggest updating clients in the Microsoft admin center or advising users to use the built-in **Report** button.
+- The Report Message and Report Phishing add-ins now use Nested app authentication. For more information, see [Nested app auth requirement set](/javascript/api/requirement-sets/common/nested-app-auth-requirement-sets) . If your Outlook client doesn't support the required NAA authentication, we suggest updating clients in the Microsoft admin center or advising users to use the built-in **Report** button.
 
--  For organizational removals, the organization needs to be configured to use OAuth authentication. For more information, see [Determine if Centralized Deployment of add-ins works for your organization](/Microsoft-365/admin/manage/centralized-deployment-of-add-ins).
+- For organizational removals, the organization needs to be configured to use OAuth authentication. For more information, see [Determine if Centralized Deployment of add-ins works for your organization](/Microsoft-365/admin/manage/centralized-deployment-of-add-ins).
 
 - For more information on how to report a message using reporting in Outlook, see [Report false positives and false negatives in Outlook](submissions-outlook-report-messages.md).