Merge pull request #794 from MicrosoftDocs/deniseb-globaladmin

denisebmsft · web-flow · commit fa9c38360ff8 · 2024-06-25T12:42:23.000-07:00
deniseb globaladmin
diff --git a/defender-endpoint/configure-endpoints-non-windows.md b/defender-endpoint/configure-endpoints-non-windows.md
@@ -13,7 +13,7 @@ ms.collection:
 - tier1
 ms.topic: conceptual
 ms.subservice: onboard
-ms.date: 01/18/2024
+ms.date: 06/25/2024
 ---
 
 # Onboard non-Windows devices
@@ -41,22 +41,27 @@ You'll need to know the exact Linux distros and macOS versions that are compatib
 
 ## Onboarding non-Windows devices
 
-You can choose to onboard non-Windows devices through Microsoft Defender for Endpoint or through a third-party solution.
+You can choose to onboard non-Windows devices through Microsoft Defender for Endpoint or through a third-party (non-Microsoft) solution.
 
-[!INCLUDE [Defender for Endpoint repackaging warning](../includes/repackaging-warning.md)]
+- To onboard macOS devices using Microsoft Defender for Endpoint, see [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md).
+
+- To onboard Linux devices using Microsoft Defender for Endpoint, see [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md).
+
+- To onboard non-windows devices using a non-Microsoft solution:
 
-You'll need to take the following steps:
+   1. In the navigation pane, select **Partners and APIs** > **Connected Applications**. Make sure the non-Microsoft solution is listed.
+      
+   2. In the **Connected Applications** page, select the partner that supports your non-Windows devices.
+      
+   3. Select **View** to open the partner's page. Follow the instructions provided on the page.
+      
+   4. After creating an account or subscribing to the partner solution, you should get to a stage where a tenant admin (or Global Administrator) is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it's aligned with the service that you require.
 
-1. Select your preferred method of onboarding:
-   - To onboard macOS devices using Microsoft Defender for Endpoint, see [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md).
-   - To onboard Linux devices using Microsoft Defender for Endpoint, see [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md).
-   - To onboard non-windows devices using third party solution:
-     1. In the navigation pane, select **Partners and APIs > Connected Applications**. Make sure the third-party solution is listed.
-     2. In the **Connected Applications** page, select the partner that supports your non-Windows devices.
-     3. Select **View** to open the partner's page. Follow the instructions provided on the page.
-     4. After creating an account or subscribing to the partner solution, you should get to a stage where a tenant Global Admin in your organization is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it's aligned with the service that you require.
+      > [!IMPORTANT]
+      > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
-2. Run a detection test by following the instructions of the third-party solution.
+
+[!INCLUDE [Defender for Endpoint repackaging warning](../includes/repackaging-warning.md)]
 
 ## Offboard non-Windows devices
 
@@ -72,5 +77,6 @@ You can also offboard non-Windows devices by disabling the third-party integrati
 - [Onboard servers](configure-server-endpoints.md)
 - [Configure proxy and Internet connectivity settings](configure-proxy-internet.md)
 - [Troubleshooting Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
 
diff --git a/defender-endpoint/configure-machines.md b/defender-endpoint/configure-machines.md
@@ -14,7 +14,7 @@ ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 04/04/2024
+ms.date: 06/25/2024
 ---
 
 # Ensure your devices are configured properly
@@ -34,11 +34,11 @@ With properly configured devices, you can boost overall resilience against threa
 - Meet or exceed the Defender for Endpoint security baseline configuration
 - Have strategic attack surface mitigations in place
 
-Click **Configuration management** from the navigation menu to open the Device configuration management page.
+In the [Microsoft Defender portal](https://security.microsoft.com), go to **Endpoints** > **Configuration management** > **Dashboard**. 
 
 :::image type="content" source="media/secconmgmt-main.png" alt-text="The Security configuration management page" lightbox="media/secconmgmt-main.png":::
 
-*Device configuration management page*
+*The device configuration management page*
 
 You can track configuration status at an organizational level and quickly take action in response to poor onboarding coverage, compliance issues, and poorly optimized attack surface mitigations through direct, deep links to device management pages on Microsoft Intune and <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>.
 
@@ -65,6 +65,9 @@ Before you can ensure your devices are configured properly, enroll them to Intun
 
 By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Microsoft Entra ID can manage and assign the device configuration profiles needed for onboarding devices and deploying the security baseline.
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 If you have been assigned other roles, ensure you have the necessary permissions:
 
 - Full permissions to device configurations
@@ -79,13 +82,12 @@ If you have been assigned other roles, ensure you have the necessary permissions
 > [!TIP]
 > To learn more about assigning permissions on Intune, [read about creating custom roles](/intune/create-custom-role#to-create-a-custom-role).
 
-## In this section
+## More information
 
-Topic|Description
-:---|:---
-[Get devices onboarded to Defender for Endpoint](configure-machines-onboarding.md)|Track onboarding status of Intune-managed devices and onboard more devices through Intune. 
-[Increase compliance to the Defender for Endpoint security baseline](configure-machines-security-baseline.md)|Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices.
-[Optimize ASR rule deployment and detections](configure-machines-asr.md)|Review rule deployment and tweak detections using impact analysis tools in <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>.
+|Article |Description
+|:---|:---
+|[Get devices onboarded to Defender for Endpoint](configure-machines-onboarding.md)|Track onboarding status of Intune-managed devices and onboard more devices through Intune. |
+|[Increase compliance to the Defender for Endpoint security baseline](configure-machines-security-baseline.md)|Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices. |
+| [Optimize ASR rule deployment and detections](configure-machines-asr.md)|Review rule deployment and tweak detections using impact analysis tools in <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>. |
 
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
diff --git a/defender-endpoint/configure-vulnerability-email-notifications.md b/defender-endpoint/configure-vulnerability-email-notifications.md
@@ -12,7 +12,7 @@ ms.collection:
 - tier2
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 02/02/2021
+ms.date: 06/25/2024
 ---
 
 # Configure vulnerability email notifications in Microsoft Defender for Endpoint
@@ -27,10 +27,10 @@ ms.date: 02/02/2021
 
 Configure Microsoft Defender for Endpoint to send email notifications to specified recipients for new vulnerability events. This feature enables you to identify a group of individuals who will immediately be informed and can act on the notifications based on the event. The vulnerability information comes from [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management).
 
-If you're using [Defender for Business](/defender-business/mdb-overview), you can set up vulnerability notifications for specific users (not roles or groups).
+If you're using [Defender for Business](/defender-business/mdb-overview), you can set up vulnerability notifications for specific users only (not roles or groups).
 
 > [!NOTE]
-> - Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. [Learn more about permission options](user-roles.md)
+> - Only users with `Manage security settings` permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. [Learn more about permission options](user-roles.md)
 > - Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
 
 The notification rules allow you to set the vulnerability events that trigger notifications, and add or remove email notification recipients. New recipients get notified about vulnerabilities after they're added.
@@ -39,11 +39,14 @@ If you're using role-based access control (RBAC), recipients will only receive n
 
 The email notification includes basic information about the vulnerability event. There are also links to filtered views in the Defender Vulnerability Management [Security recommendations](api/ti-indicator.md) and [Weaknesses](/defender-vulnerability-management/tvm-weaknesses) pages in the portal so you can further investigate. For example, you could get a list of all exposed devices or get additional details about the vulnerability.
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ## Create rules for alert notifications
 
 Create a notification rule to send an email when there are certain exploit or vulnerability events, such as a new public exploit. For each rule, multiple event types can be selected.
 
-1. Go to [Microsoft Defender XDR](https://go.microsoft.com/fwlink/p/?linkid=2077139) and sign in using an account with the Security administrator or Global administrator role assigned.
+1. Sign in to the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139) and using an account with the Security administrator or Global administrator role assigned.
 
 2. In the navigation pane, go to **Settings** \> **Endpoints** \> **Email notifications** \> **Vulnerabilities**.
 
@@ -93,7 +96,9 @@ This section lists various issues that you may encounter when using email notifi
 **Solution:** Make sure that the notifications aren't blocked by email filters:
 
 1. Check that the Defender for Endpoint email notifications aren't sent to the Junk Email folder. Mark them as Not junk.
+
 2. Check that your email security product isn't blocking the email notifications from Defender for Endpoint.
+
 3. Check your email application rules that might be catching and moving your Defender for Endpoint email notifications.
 
 ## Related articles
@@ -102,4 +107,5 @@ This section lists various issues that you may encounter when using email notifi
 - [Security recommendations](api/ti-indicator.md)
 - [Weaknesses](/defender-vulnerability-management/tvm-weaknesses)
 - [Event timeline](/defender-vulnerability-management/threat-and-vuln-mgt-event-timeline)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
diff --git a/defender-endpoint/defender-endpoint-subscription-settings.md b/defender-endpoint/defender-endpoint-subscription-settings.md
@@ -7,7 +7,7 @@ ms.author: siosulli
 manager: deniseb 
 audience: ITPro
 ms.topic: overview
-ms.date: 02/21/2024
+ms.date: 06/25/2024
 ms.service: defender-endpoint
 ms.subservice: onboard
 ms.localizationpriority: medium
@@ -47,9 +47,8 @@ You can also use a newly added license usage report to track status.
 > - **Make sure to follow the procedures in this article to try mixed-license scenarios in your environment**. Assigning user licenses in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)) doesn't set your tenant to mixed mode. 
 > - **You should have active trial or paid licenses for both Defender for Endpoint Plan 1 and Plan 2**. 
 > - To access license information, you must have one of the following roles assigned in Microsoft Entra ID:
->    - Global Admin
->    - Security Admin
->    - License Admin + MDE Admin  
+>    - Security Administrator
+>    - License Administrator and Defender for Endpoint Administrator  
 
 1. As an admin, go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
 
@@ -104,11 +103,10 @@ For example, suppose that you want to use a tag called `VIP` for all the devices
 
 > [!IMPORTANT]
 > To access license information, you must have one of the following roles assigned in Microsoft Entra ID:
-> - Global Admin
-> - Security Admin
-> - License Admin + MDE Admin  
+> - Security Administrator
+> - License Administrator and Defender for Endpoint Administrator  
 
-1. As a Security Admin or Global Admin, go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
+1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in as a Security Administrator.
 
 2. Go to **Settings** > **Endpoints** > **Licenses**.
 
@@ -125,6 +123,9 @@ For example, suppose that you want to use a tag called `VIP` for all the devices
 
 ---
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ## Validate that a device is receiving only Defender for Endpoint Plan 1 capabilities
 
 After you have assigned Defender for Endpoint Plan 1 capabilities to some or all devices, you can verify that an individual device is receiving those capabilities.
@@ -144,9 +145,8 @@ To reduce management overhead, there's no requirement for device-to-user mapping
 
 > [!IMPORTANT]
 > To access license information, you must have one of the following roles assigned in Microsoft Entra ID:
-> - Security Admin
-> - Global Admin
-> - License Admin + MDE Admin
+> - Security Administrator
+> - License Administrator and Defender for Endpoint Administrator
 
 1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
 
