MicrosoftDocs
diff --git a/‎ATADocs/ata-capacity-planning.md‎
Lines changed: 1 addition & 1 deletion b/‎ATADocs/ata-capacity-planning.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ATADocs/ata-threats.md‎
Lines changed: 1 addition & 1 deletion b/‎ATADocs/ata-threats.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ATADocs/monitoring-alerts.md‎
Lines changed: 1 addition & 1 deletion b/‎ATADocs/monitoring-alerts.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ATADocs/troubleshoot-audit.md‎
Lines changed: 1 addition & 1 deletion b/‎ATADocs/troubleshoot-audit.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ATPDocs/deploy/activate-capabilities.md‎
Lines changed: 7 additions & 7 deletions b/‎ATPDocs/deploy/activate-capabilities.md‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎ATPDocs/investigate-security-alerts.md‎
Lines changed: 1 addition & 1 deletion b/‎ATPDocs/investigate-security-alerts.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ATPDocs/media/remove-replication-permissions-microsoft-entra-connect/image.png‎
672 KB b/‎ATPDocs/media/remove-replication-permissions-microsoft-entra-connect/image.png‎
672 KB
diff --git a/‎ATPDocs/media/remove-replication-permissions-microsoft-entra-connect/replicationconfig.png‎
652 KB b/‎ATPDocs/media/remove-replication-permissions-microsoft-entra-connect/replicationconfig.png‎
652 KB
diff --git a/‎ATPDocs/media/remove-replication-permissions-microsoft-entra-connect/replicationconfiguration.png‎
680 KB b/‎ATPDocs/media/remove-replication-permissions-microsoft-entra-connect/replicationconfiguration.png‎
680 KB
diff --git a/‎ATPDocs/remove-replication-permissions-microsoft-entra-connect.md‎
Lines changed: 5 additions & 1 deletion b/‎ATPDocs/remove-replication-permissions-microsoft-entra-connect.md‎
Lines changed: 5 additions & 1 deletion
@@ -4,7 +4,7 @@
 title: Planning your Advanced Threat Analytics deployment
 description: Helps you plan your deployment and decide how many ATA servers will be needed to support your network
 ms.date: 01/10/2023
-ms.topic: conceptual
+ms.topic: concept-article
 ms.service: advanced-threat-analytics
 ms.assetid: 1b5b24ff-0df8-4660-b4f8-64d68cc72f65
 
 
@@ -4,7 +4,7 @@
 title: What threats does Advanced Threat Analytics detect?
 description: Lists the threats that Advanced Threat Analytics detects 
 ms.date: 01/10/2023
-ms.topic: conceptual
+ms.topic: concept-article
 ms.service: advanced-threat-analytics
 ms.assetid: 283e7b4e-996a-4491-b7f6-ff06e73790d2
 
 
@@ -4,7 +4,7 @@
 title: Understanding ATA health alerts
 description: Describes all the health alerts for each component, listing the cause and the steps needed to resolve the problem
 ms.date: 01/10/2023
-ms.topic: conceptual
+ms.topic: concept-article
 ms.collection: M365-security-compliance
 ms.service: advanced-threat-analytics
 ms.assetid: b04fb8a4-b366-4b55-9d4c-6f054fa58a90
 
@@ -4,7 +4,7 @@
 title: Working with ATA audit logs
 description: This article describes how to work with ATA audit logs in the Windows Event Log.
 ms.date: 01/10/2023
-ms.topic: conceptual
+ms.topic: concept-article
 ms.service: advanced-threat-analytics
 ms.assetid: 1d186a96-ef70-4787-aa64-c03d1db94ce0
 
 
@@ -1,5 +1,5 @@
 ---
-title: Activate Microsoft Defender for Identity capabilities directly on a domain controller 
+title: Activate Microsoft Defender for Identity capabilities directly on a domain controller (Preview)
 description: Learn about the Microsoft Defender for Identity capabilities on domain controllers and how to activate them.
 ms.date: 08/13/2024
 ms.topic: how-to
@@ -14,7 +14,7 @@ This article describes how to activate and test Microsoft Defender for Identity
 > The capabilities described in this article are currently available as Preview features. Preview features are features that aren't complete, but are made available on a "preview" basis so customers can get early access and provide feedback.
 > 
 > Preview features are still in development, have limited or restricted functionality and may be available only in selected geographic areas.
-> For more information, see the [Microsoft Defender XDR preview features](/defender-xdr/preview)
+> For more information, see the [Microsoft Defender XDR preview features](/defender-xdr/preview).
 
 > [!IMPORTANT]
 > The new Defender for Identity sensor (version 3.x) is recommended for customers looking to deploy core identity protections to new domain controllers running Windows Server 2019 or newer. For all other identity infrastructure, or for customers looking to deploy the most robust identity protections available from Microsoft Defender for Identity today, we recommend deploying the classic sensor [here](quick-installation-guide.md).
@@ -90,8 +90,8 @@ Activate the Defender for Identity from the [Microsoft Defender portal](https://
    [![Screenshot that shows how to activate the new sensor.](media/activate-capabilities/1.jpg)](media/activate-capabilities/1.jpg#lightbox)
 
 
-> [!NOTE]
-> You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they're discovered, or manually, where you select specific domain controllers from the list of eligible servers.
+   > [!NOTE]
+   > You can choose to activate eligible domain controllers either automatically, where Defender for Identity activates them as soon as they're discovered, or manually, where you select specific domain controllers from the list of eligible servers.
 
 1. When the activation is complete, a green success banner shows. In the banner, select **Click here to see the onboarded servers** to jump to the **Settings > Identities > Sensors** page, where you can check your sensor health.  
 
@@ -207,9 +207,9 @@ We recommend simulating risky behavior in a test environment to trigger supporte
     Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota
     ```
 
-1. In Microsoft Secure Score, select **Recommended Actions** to check for a new **Resolve unsecure domain configurations** recommendation. You might want to filter recommendations by the **Defender for Identity** product.
+1. In the Microsoft Secure Score, select **Recommended Actions** to check for a new **Resolve unsecure domain configurations** recommendation. You might want to filter recommendations by the **Defender for Identity** product.
 
-For more information, see [Microsoft Defender for Identity's security posture assessments](../security-assessment.md)
+For more information, see [Microsoft Defender for Identity's security posture assessments](../security-assessment.md).
 
 ### Test alert functionality
 
@@ -253,7 +253,7 @@ Deactivating Defender for Identity capabilities from your domain controller does
 ### Offboard Defender for Identity capabilities on your domain controller 
 Download the Defender for Identity offboarding package from the [Microsoft Defender portal](https://security.microsoft.com).
 
-1. Navigate to **Settings** > **Identities** > **Activation**
+1. Navigate to **Settings** > **Identities** > **Activation**.
 
 1. Select Download offboarding package and save the file in a location you can access from your domain controller.  
 ![Screenshot that shows how to offboard the new sensor.](media/activate-capabilities/screenshot-that-shows-how-to-offboard-the-new-sensor.png)
 
@@ -12,7 +12,7 @@ Investigate alerts that are affecting your environment, understand what they mea
 Begin your investigation by selecting an alert from the **Alerts** page in the Microsoft Defender portal. The alerts page displays a list of all security alerts generated by Defender for Identity, including their severity, status, and impacted assets. Selecting an alert opens the alert page, which contains the alert title, the affected assets, the details side pane, and in some cases, an alert story.
 
 > [!NOTE]
-> The **alert story** and **export to Excel** options are only available for alerts that use the original Defender for Identity structure.  
+> The **alert story** and **export to Excel** options are only available for alerts that use the classic Defender for Identity structure.  
 > For more information about differences in how alerts are presented in the Defender portal, see [View and manage alerts](understanding-security-alerts.md).
 
 ## Investigate using the alert story
 
@@ -30,7 +30,11 @@ Smart attackers are likely to target Microsoft Entra Connect in on-premises envi
 
 1. Take appropriate action on those accounts and remove their 'Replication Directory Changes' and 'Replication Directory Changes All' permissions by unchecking the following permissions:  
 
-![Screenshot of the replication permissions.](media/remove-replication-permissions-microsoft-entra-connect/permissions.png)
+[![Screenshot that shows Replicationconfiguration](media/remove-replication-permissions-microsoft-entra-connect/replicationconfiguration.png)](media/remove-replication-permissions-microsoft-entra-connect/replicationconfiguration.png#lightbox)
+
+
+
+
 
 > [!IMPORTANT]
 > For environments with multiple Microsoft Entra Connect servers, it’s crucial to install sensors on each server to ensure Microsoft Defender for Identity can fully monitor your setup. It has been detected that your Microsoft Entra Connect configuration does not utilize Password Hash Sync, which means that replication permissions are not necessary for the accounts in the Exposed Entities list. Additionally, it’s important to ensure that each exposed MSOL account is not required for Replication Permissions by any other applications.