Merge branch 'public' into patch-1

Author: denisebmsft

.github/workflows/AutoPublish.yml

@@ -0,0 +1,25 @@
+name: (Scheduled) Publish to live
+
+permissions:
+  contents: write
+  pull-requests: write
+
+on:
+  schedule:
+    - cron: "25 5,11,17,22 * * *" # Times are UTC based on Daylight Saving Time. Need to be adjusted for Standard Time. Scheduling at :25 to account for queuing lag.
+
+  workflow_dispatch:
+
+jobs:
+
+  auto-publish:
+    if: github.repository_owner == 'MicrosoftDocs' && contains(github.event.repository.topics, 'build')
+    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoPublish.yml@workflows-prod
+    with:
+        PayloadJson: ${{ toJSON(github) }}
+        EnableAutoPublish: true
+
+    secrets:
+        AccessToken: ${{ secrets.GITHUB_TOKEN }}
+        PrivateKey: ${{ secrets.M365_APP_PRIVATE_KEY }}
+        ClientId: ${{ secrets.M365_APP_CLIENT_ID }}

CloudAppSecurityDocs/activity-filters-queries.md

@@ -135,7 +135,7 @@ Defender for Cloud Apps also provides you with **Suggested queries**. Suggested
 - Successful log in - Filters all your activities to display only those activities that involve successful sign-ins, including impersonate action, impersonate sign-in, single sign-o sign-ins, and sign-in from a new device.
 
   ![query activities.](media/queries-activity.png)
-
+  
 Additionally, you can use the suggested queries as a starting point for a new query. First, select one of the suggested queries. Then, make changes as needed and finally select **Save as** to create a new **Saved query**.
 
 ### Query activities six months back
@@ -184,37 +184,6 @@ Reports that include private activities are marked with an Eye icon in the repor
 
 ![eye-icon](media/activity-filters-queries/eye-icon-to-indicate-private-report.png)
 
-> [!NOTE] 
->Exporting and viewing activity data up to six months back is restricted to specific roles with elevated permissions.
-
-The following roles are supported:
-
-- `INVITED_ADMIN`
-
-- `GLOBAL_ADMINISTRATOR`
-
-- `SECURITY_ADMINISTRATOR`
-
-- `MCAS_ADMINISTRATOR`
-
-- `DISCOVERY_ADMIN`
-
-- `SECURITY_OPERATOR`
-
-- `COMPLIANCE_ADMIN`
-
-- `SECURITY_READER`
-
-- `GLOBAL_READER`
-
-- `URBAC_ROLES_GLOBAL_ADMINISTRATOR`
-
-- `URBAC_ROLES_COMPLIANCE_ADMINISTRATOR`
-
-- `URBAC_ROLES_SECURITY_READER`
-
-- `URBAC_ROLES_SECURITY_OPERATOR`
-
 ## Next steps
 
 > [!div class="nextstepaction"]

CloudAppSecurityDocs/attack-paths.md

@@ -10,9 +10,6 @@ ms.date: 03/23/2025
 [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management) helps you to manage your company's attack surface and exposure risk effectively. By combining assets and techniques, [attack paths](/security-exposure-management/review-attack-paths) illustrate the end-to-end paths that attackers can use to move from an entry point within your organization to your critical assets.
 Microsoft Defender for Cloud Apps observed an increase in attackers using OAuth applications to access sensitive data in business-critical applications like Microsoft Teams, SharePoint, Outlook, and more. To support investigation and mitigation, these applications are integrated into the attack path and attack surface map views in Microsoft Security Exposure Management.
 
-### Critical Asset Management - Service Principals
-
-Microsoft Defender for Cloud Apps defines a set of critical privilege OAuth permissions. OAuth applications with these permissions are considered high-value assets. If compromised, an attacker can gain high privileges to SaaS applications. To reflect this risk, attack paths treat service principals with these permissions as target goals.
 
 ### Prerequisites
 
@@ -44,21 +41,26 @@ Alternatively, you can use one of the following **Entra ID roles**:
 >[!NOTE]
 > Currently available in commercial cloud environments only. Microsoft Security Exposure Management data and capabilities are currently unavailable in U.S Government clouds - GCC, GCC High, DoD, and China Gov.
 
-## View permissions for critical assets
+### Critical Asset Management - Service Principals
+
+Microsoft Defender for Cloud Apps defines a set of critical privilege OAuth permissions. OAuth applications with these permissions are considered high-value assets. If compromised, an attacker can gain high privileges to SaaS applications. To reflect this risk, attack paths treat service principals with these permissions as target goals.
+
+#### View permissions for critical assets
 
 To view the full list of permissions, go to the  [Microsoft Defender portal](https://security.microsoft.com) and navigate to Settings > Microsoft Defender XDR > Rules > Critical asset management.
 
 :::image type="content" source="media/saas-securty-initiative/screenshot-of-the-critical-asset-management-page.png" alt-text="Screenshot of the Critical asset management page in the Defender XDR portal." lightbox="media/saas-securty-initiative/Screenshot-of-the-critical-asset-management-page.png":::
 
-> [!NOTE]  
-> OAuth apps appear in the attack path surface map only when specific conditions are detected.  
-> For example, an OAuth app may appear in the attack path only if a vulnerable component with an easily exploitable entry point is detected that allows lateral movement to service principals with high privileges.
 
 ## Investigation user flow: View attack paths involving OAuth applications
 
 Once you understand which permissions represent high-value targets, use the following steps to investigate how these applications appear in your environment’s attack paths.
 For smaller organizations with a manageable number of attack paths, we recommend following this structured approach to investigate each attack path:
 
+> [!NOTE]  
+> OAuth apps show in the attack path surface map only when specific conditions are detected.  
+> For example, an OAuth app might appear in the attack path if a vulnerable component with an easily exploitable entry point is detected. This entry point allows lateral movement to service principals with high privileges.
+
 1. Go to Exposure Management > Attack surface > Attack paths.
 
 1. Filter by 'Target type: AAD Service principal'

CloudAppSecurityDocs/caac-known-issues.md

@@ -51,6 +51,9 @@ For example, assume that a session policy is configured to prevent downloading f
 
 Session policies don't protect external business-to-business (B2B) collaboration users in Microsoft Teams applications.
 
+## Session Controls with Non-Interactive Tokens
+Some applications utilize non-interactive access tokens to facilitate seamless redirection between apps within the same suite or realm. When one application is onboarded to Conditional Access App Control and the other is not, session controls may not be enforced as expected. For example, if the Teams client retrieves a non-interactive token for SharePoint Online (SPO), it can initiate an active session in SPO without prompting the user for reauthentication. As a result, the session control mechanism cannot intercept or enforce policies on these sessions. To ensure consistent enforcement, it's recommended to onboard all relevant applications, such as Teams, alongside SPO. 
+
 ## Limitations for sessions that the reverse proxy serves
 
 The following limitations apply only on sessions that the reverse proxy serves. Users of Microsoft Edge can benefit from in-browser protection instead of using the reverse proxy, so these limitations don't affect them.

CloudAppSecurityDocs/network-requirements.md

@@ -35,7 +35,7 @@ To see which data center you're connecting to, do the following steps:
 1. In the **About** screen, you can see the region and the data center.
 
     ![View your data center.](media/data-center.png)
-
+   
 ## Portal access
 
 To use Defender for Cloud Apps in the Microsoft Defender Portal:
@@ -104,7 +104,7 @@ Additionally, the following IP addresses, used by our reverse proxy regions, sho
 |  | **IP Addresses** | **DNS Name** |
 |--|--|--|
 | **Session controls** | Australia Southeast: 40.81.58.184, 40.81.58.180, 20.40.163.96, 20.40.163.88, 40.81.62.221, 40.81.62.206, 20.40.160.184, 20.40.163.130, 20.11.210.40, 4.198.66.78, 4.198.66.135, 20.190.102.146, 4.198.66.126, 4.198.66.117, 4.198.66.105, 4.198.66.90, 20.92.29.167, 4.198.66.94, 4.198.66.92, 4.198.154.86<br /><br />Brazil South: 191.235.123.114, 191.235.121.164, 191.235.122.101, 191.235.119.253, 191.233.23.29, 191.234.216.181, 191.233.21.52, 191.234.216.10, 20.226.100.200, 191.235.57.180, 191.235.58.203, 191.235.58.201, 191.235.58.255, 191.235.59.0, 20.206.229.223, 191.235.58.56, 191.235.58.85, 191.235.54.192, 191.235.55.73, 20.206.75.66<br /><br />Canada Central: 40.82.187.211, 40.82.187.164, 52.139.18.234, 52.139.20.118, 40.82.187.199, 40.82.187.179, 52.139.19.215, 52.139.18.236, 4.205.74.7, 20.175.142.143, 20.175.143.220, 20.175.140.191, 20.175.140.128, 20.175.140.185, 20.175.143.233, 20.175.151.201, 20.175.142.19, 20.175.142.34, 20.175.151.166, 20.104.25.35<br /><br />Central India: 20.193.137.191, 20.193.137.153, 20.193.138.1, 20.193.136.234, 20.193.131.246, 20.193.131.250, 20.193.131.247, 20.193.131.248, 20.219.218.134, 20.204.236.74, 20.204.236.213, 20.204.236.115, 20.204.235.50, 20.219.226.117, 20.219.226.224, 20.204.236.147, 20.204.235.230, 20.204.236.17, 20.204.236.111, 20.235.115.136<br /><br />North Europe: 52.156.205.222, 52.156.204.99, 52.155.166.50, 52.142.127.127, 52.155.181.183, 52.155.168.45, 52.156.202.7, 52.142.124.23, 68.219.99.63, 20.166.182.182, 20.166.182.163, 20.166.182.165, 4.231.129.246, 20.166.182.193, 4.231.129.248, 20.54.22.195, 20.166.182.159, 20.166.182.171, 20.166.182.204, 40.127.131.206<br /><br />Southeast Asia: 40.65.170.125, 40.65.170.123, 52.139.245.40, 52.139.245.48, 40.119.203.158, 40.119.203.209, 20.184.61.67, 20.184.60.77, 20.187.114.178<br /><br />West Europe: 52.157.233.49, 52.157.235.27, 51.105.164.234, 51.105.164.241, 20.229.66.63, 20.76.151.201, 20.76.199.32, 20.76.199.126, 20.76.199.12, 20.76.198.169, 20.76.198.91, 20.76.199.14, 20.76.199.49, 20.93.194.151, 20.76.198.36, 20.160.197.20<br /><br />UK West: 40.81.121.140, 40.81.121.135, 51.137.137.121, 51.137.137.118, 20.90.50.115, 20.90.53.162, 20.90.53.126, 20.68.124.199, 20.90.53.127, 20.68.122.206, 20.90.53.132, 20.90.49.200, 51.142.187.141, 51.142.187.196, 20.90.53.133, 20.254.168.148<br /><br />East US: 104.45.170.196, 104.45.170.182, 52.151.238.5, 52.151.237.243, 104.45.170.173, 104.45.170.176, 52.224.188.157, 52.224.188.168, 20.168.249.164, 20.237.16.198, 20.124.59.146, 20.237.18.20, 20.121.150.131, 20.237.16.199, 20.237.22.162, 20.237.18.21, 20.237.22.163, 20.237.23.162, 20.124.59.116, 172.173.135.148<br /><br />West US 2: 52.156.88.173, 52.149.61.128, 52.149.61.214, 52.149.63.211, 20.190.7.24, 20.190.6.224, 20.190.7.239, 20.190.7.233<br /><br />West US 3: 20.106.103.34, 20.150.153.126, 20.118.150.70, 20.150.157.146, 20.150.153.110, 20.118.145.8, 20.150.152.101, 20.150.157.211, 20.150.158.183, 20.106.80.235, 20.106.81.123, 20.14.38.249, 20.14.38.222, 20.163.100.176<br /><br />East Asia: 20.195.89.219, 20.195.89.186, 20.239.27.66, 20.195.89.166, 20.239.26.193, 20.195.89.213, 20.195.89.72, 20.195.89.128, 20.195.89.62, 20.195.89.56, 20.205.119.72<br /><br />France Central: 51.103.95.227, 20.74.94.42, 20.74.94.220, 20.74.94.113, 20.74.115.131, 20.74.94.109, 20.74.95.102, 20.74.114.253, 20.74.94.73, 20.74.94.136, 20.74.94.139, 51.103.31.141                                                                                                | *.mcas.ms<br/>\*.admin-mcas.ms |
-| **Access controls** | Australia Southeast: 20.42.228.161, 20.211.237.204, 4.198.66.78, 4.198.66.135, 20.190.102.146, 4.198.66.126, 4.198.66.117, 4.198.66.105, 4.198.66.90, 20.92.29.167, 4.198.66.94, 4.198.66.92, 4.198.154.86<br /><br />Brazil South: 191.235.228.36, 104.41.37.185, 20.201.80.33, 104.41.37.185, 191.235.57.180, 191.235.58.203, 191.235.58.201, 191.235.58.255, 191.235.59.0, 20.206.229.223, 191.235.58.56, 191.235.58.85, 191.235.54.192, 191.235.55.73, 20.206.75.66<br /><br />North Europe: 68.219.99.39, 20.166.182.182, 20.166.182.163, 20.166.182.165, 4.231.129.246, 20.166.182.193, 4.231.129.248, 20.54.22.195, 20.166.182.159, 20.166.182.171, 20.166.182.204, 40.127.131.206<br /><br />West Europe: 13.69.81.118, 20.103.48.225, 13.69.81.118, 20.76.151.201, 20.76.199.32, 20.76.199.126, 20.76.199.12, 20.76.198.169, 20.76.198.91, 20.76.199.14, 20.76.199.49, 20.93.194.151, 20.76.198.36, 20.160.197.20<br /><br />Southeast Asia: 20.43.132.128, 20.24.14.233, 20.195.116.193, 20.187.116.207<br /><br />UK West: 51.137.163.32, 20.90.50.109, 20.90.53.162, 20.90.53.126, 20.68.124.199, 20.90.53.127, 20.68.122.206, 20.90.53.132, 20.90.49.200, 51.142.187.141, 51.142.187.196, 20.90.53.133, 20.254.168.148<br /><br />East US: 20.49.104.46, 40.117.113.165, 52.249.211.17, 40.117.113.165, 20.237.16.198, 20.124.59.146, 20.237.18.20, 20.121.150.131, 20.237.16.199, 20.237.22.162, 20.237.18.21, 20.237.22.163, 20.237.23.162, 20.124.59.116, 172.173.135.148<br /><br /> France Central: 20.111.40.153, 20.74.94.42, 20.74.94.220, 20.74.94.113, 20.74.115.131, 20.74.94.109, 20.74.95.102, 20.74.114.253, 20.74.94.73, 20.74.94.136, 20.74.94.139, 51.103.31.141<br /><br />West US 2: 20.115.232.7<br /><br />Canada Central: 20.48.202.161, 4.205.74.15, 20.175.142.143, 20.175.143.220, 20.175.140.191, 20.175.140.128, 20.175.140.185, 20.175.143.233, 20.175.151.201, 20.175.142.19, 20.175.142.34, 20.175.151.166, 20.104.25.35<br /><br />East Asia: 20.187.116.207, 20.195.89.219, 20.195.89.186, 20.239.27.66, 20.195.89.166, 20.239.26.193, 20.195.89.213, 20.195.89.72, 20.195.89.128, 20.195.89.62, 20.195.89.56, 20.205.119.72<br /><br /> West US 3: 20.150.143.88, 20.150.153.126, 20.118.150.70, 20.150.157.146, 20.150.153.110, 20.118.145.8, 20.150.152.101, 20.150.157.211, 20.150.158.183, 20.106.80.235, 20.106.81.123, 20.14.38.249, 20.14.38.222, 20.163.100.176<br /><br />Central India: 20.235.81.243, 20.204.236.74, 20.204.236.213, 20.204.236.115, 20.204.235.50, 20.219.226.117, 20.219.226.224, 20.204.236.147, 20.204.235.230, 20.204.236.17, 20.204.236.111, 20.235.115.136| \*.access.mcas.ms<br/> |
+| **Access controls** | Australia Southeast: 20.42.228.161, 20.211.237.204, 4.198.66.78, 4.198.66.135, 20.190.102.146, 4.198.66.126, 4.198.66.117, 4.198.66.105, 4.198.66.90, 20.92.29.167, 4.198.66.94, 4.198.66.92, 4.198.154.86<br /><br />Brazil South: 191.235.228.36, 104.41.37.185, 20.201.80.33, 104.41.37.185, 191.235.57.180, 191.235.58.203, 191.235.58.201, 191.235.58.255, 191.235.59.0, 20.206.229.223, 191.235.58.56, 191.235.58.85, 191.235.54.192, 191.235.55.73, 20.206.75.66<br /><br />North Europe: 68.219.99.39, 20.166.182.182, 20.166.182.163, 20.166.182.165, 4.231.129.246, 20.166.182.193, 4.231.129.248, 20.54.22.195, 20.166.182.159, 20.166.182.171, 20.166.182.204, 40.127.131.206<br /><br />West Europe: 13.69.81.118, 20.103.48.225, 20.76.151.201, 20.76.199.32, 20.76.199.126, 20.76.199.12, 20.76.198.169, 20.76.198.91, 20.76.199.14, 20.76.199.49, 20.93.194.151, 20.76.198.36, 20.160.197.20<br /><br />Southeast Asia: 20.43.132.128, 20.24.14.233, 20.195.116.193, 20.187.116.207<br /><br />UK West: 51.137.163.32, 20.90.50.109, 20.90.53.162, 20.90.53.126, 20.68.124.199, 20.90.53.127, 20.68.122.206, 20.90.53.132, 20.90.49.200, 51.142.187.141, 51.142.187.196, 20.90.53.133, 20.254.168.148<br /><br />East US: 20.49.104.46, 40.117.113.165, 52.249.211.17, 40.117.113.165, 20.237.16.198, 20.124.59.146, 20.237.18.20, 20.121.150.131, 20.237.16.199, 20.237.22.162, 20.237.18.21, 20.237.22.163, 20.237.23.162, 20.124.59.116, 172.173.135.148<br /><br /> France Central: 20.111.40.153, 20.74.94.42, 20.74.94.220, 20.74.94.113, 20.74.115.131, 20.74.94.109, 20.74.95.102, 20.74.114.253, 20.74.94.73, 20.74.94.136, 20.74.94.139, 51.103.31.141<br /><br />West US 2: 20.115.232.7<br /><br />Canada Central: 20.48.202.161, 4.205.74.15, 20.175.142.143, 20.175.143.220, 20.175.140.191, 20.175.140.128, 20.175.140.185, 20.175.143.233, 20.175.151.201, 20.175.142.19, 20.175.142.34, 20.175.151.166, 20.104.25.35<br /><br />East Asia: 20.187.116.207, 20.195.89.219, 20.195.89.186, 20.239.27.66, 20.195.89.166, 20.239.26.193, 20.195.89.213, 20.195.89.72, 20.195.89.128, 20.195.89.62, 20.195.89.56, 20.205.119.72<br /><br /> West US 3: 20.150.143.88, 20.150.153.126, 20.118.150.70, 20.150.157.146, 20.150.153.110, 20.118.145.8, 20.150.152.101, 20.150.157.211, 20.150.158.183, 20.106.80.235, 20.106.81.123, 20.14.38.249, 20.14.38.222, 20.163.100.176<br /><br />Central India: 20.235.81.243, 20.204.236.74, 20.204.236.213, 20.204.236.115, 20.204.235.50, 20.219.226.117, 20.219.226.224, 20.204.236.147, 20.204.235.230, 20.204.236.17, 20.204.236.111, 20.235.115.136| \*.access.mcas.ms<br/> |
 | **SAML proxy** | North Europe: 20.50.64.15, 40.127.131.206<br /><br />East US: 20.49.104.26, 172.173.135.148<br /><br />West US 2: 20.42.128.102<br /><br />West US 2: 20.163.100.176| \*.us.saml.cas.ms \*.us2.saml.cas.ms \*.us3.saml.cas.ms \*.eu.saml.cas.ms *.eu2.saml.cas.ms |
 
 ### US Government offerings

defender-endpoint/advanced-features.md

@@ -177,7 +177,7 @@ Deception enables your security team to manage and deploy lures and decoys to ca
 
 ## Share endpoint alerts with Microsoft Compliance Center
 
-Forwards endpoint security alerts and their triage status to Microsoft Purview compliance portal, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data.
+Forwards endpoint security alerts and their triage status to Microsoft Purview portal, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data.
 
 After configuring the [Security policy violation indicators](/microsoft-365/compliance/insider-risk-management-settings#indicators) in the insider risk management settings, Defender for Endpoint alerts will be shared with insider risk management for applicable users.
 

defender-endpoint/configure-endpoints-gp.md

@@ -1,5 +1,5 @@
 ---
-title: Onboard Windows devices to Microsoft Defender for Endpoint via Group Policy
+title: Onboard Windows Servers to Microsoft Defender for Endpoint via Group Policy
 description: Use Group Policy to deploy the configuration package on Windows devices so that they are onboarded to the service.
 ms.service: defender-endpoint
 ms.author: deniseb

defender-endpoint/configure-endpoints-script.md

@@ -1,5 +1,5 @@
 ---
-title: Onboard Windows devices using a local script
+title: Onboard Windows Servers using a local script
 description: Use a local script to deploy the configuration package on devices to enable onboarding of the devices to the service.
 search.appverid: met150
 ms.service: defender-endpoint

defender-endpoint/defender-antivirus-compatibility-without-mde.md

@@ -6,7 +6,7 @@ ms.author: deniseb
 ms.reviewer: yongrhee
 ms.service: defender-endpoint
 ms.topic: conceptual
-ms.date: 01/23/2025
+ms.date: 04/09/2025
 ms.subservice: ngp
 search.appverid: met150
 ms.localizationpriority: medium
@@ -84,7 +84,7 @@ Uninstall-WindowsFeature Windows-Defender-Gui
 
 **Q:** Can I use Microsoft Defender Antivirus in passive mode without onboarding to Microsoft Defender for Endpoint?
 
-**A:** No. Passive mode is a functionality in Microsoft Defender for Endpoint Plan 2.
+**A:** No. Passive mode is a functionality in Microsoft Defender for Endpoint Plan 1, Microsoft Defender for Endpoint Plan 2 and Microsoft Defender for Business.
 
 **Q:** Can I use [EDR in block mode](edr-in-block-mode.md) without onboarding to Microsoft Defender for Endpoint?
 

defender-endpoint/device-health-microsoft-defender-antivirus-health.md

@@ -159,7 +159,7 @@ There are two different export csv functionalities through the portal:
 
 - **Top level export**. You can use the top-level **Export** button to gather an all-up Microsoft Defender Antivirus health report (500-K limit).
 
-:::image type="content" source="media/device-health-defender-antivirus-health-tab-export.png" alt-text="Screenshot that shows the top-level export report button." lightbox="media/device-health-defender-antivirus-health-tab-export.png":::
+  :::image type="content" source="media/device-health-defender-antivirus-health-tab-export.png" alt-text="Screenshot that shows the top-level export report button." lightbox="media/device-health-defender-antivirus-health-tab-export.png":::
 
 - **Flyout level export**. You can use the **Export** button within the flyouts to export a report to an Excel spreadsheet (100-K limit).