Merge pull request #49864 from KenMAG/main

Updates per global admin audit

Author: Stacyrch140

learn-pr/wwl-sci/deploy-microsoft-defender-for-endpoints-environment/2-create-your-environment.yml

@@ -4,8 +4,8 @@ title: Create your environment
 metadata:
   title: Create your environment
   description: "Create your environment"
-  ms.date: 12/19/2024
-  author: wwlpublish
+  ms.date: 04/03/2025
+  author: KenMAG
   ms.author: kelawson
   ms.topic: unit
   ms.custom:

learn-pr/wwl-sci/deploy-microsoft-defender-for-endpoints-environment/includes/2-create-your-environment.md

@@ -1,6 +1,9 @@
-When accessing your Microsoft Defender portal settings for Endpoints for the first time, you're able to configure many attributes. You must be a global administrator or security administrator for the tenant. On the Set-up preferences page, you can set the:
+When accessing your Microsoft Defender portal settings for Endpoints for the first time, you're able to configure many attributes. You must be a Security Administrator for the tenant. On the Set-up preferences page, you can set the:
 
-**Data storage location** - Determine where you want to be primarily hosted: US, EU, or UK. You can't change the location after this set up and Microsoft won't transfer the data from the specified geolocation.
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
+**Data storage location** - Determine where you want to be primarily hosted: US, EU, or UK. You can't change the location after this is set up, and Microsoft won't transfer the data from the specified geolocation.
 
 **Data retention** - The default is six months.
 

learn-pr/wwl-sci/deploy-microsoft-defender-for-endpoints-environment/includes/4-onboard-devices.md

@@ -1,13 +1,13 @@
 ## Configure Device discovery
 
-When accessing your Microsoft Defender portal settings for Endpoints for the first time, the first step is to configure Device discovery. You must be a global administrator or security administrator for the tenant.
+When accessing your Microsoft Defender portal settings for Endpoints for the first time, the first step is to configure Device discovery. You must be a Security Administrator for the tenant.
 
 1. On the **Microsoft Defender XDR** portal, from the navigation menu, select **Settings** from the left.
 
 1. In the Settings menu page, select Device discovery.
 
    > [!NOTE]
-   > If you do not see the **Device discovery** option under **Settings**, logout by selecting the top-right circle with your account initials and select **Sign out**. Other options that you might want to try is to refresh the page with Ctrl+F5 or open the page InPrivate. Login again with the **Tenant Email** credentials.
+   > If you do not see the **Device discovery** option under **Settings**, logout by selecting the top-right circle with your account initials and select **Sign out**. Other options that you might want to try is to refresh the page with Ctrl+F5 or open the page InPrivate. Log in again with the **Tenant Email** credentials.
 
 1. In Discovery setup, make sure **Standard discovery (recommended)** is selected.
 

learn-pr/wwl-sci/deploy-microsoft-defender-for-endpoints-environment/includes/5-manage-access.md

@@ -1,5 +1,8 @@
-Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained control over what users with access to the portal can see and do.  The following video explains the use of Role-Based Access Control (RBAC) and Device Groups (Machine Groups).
+Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. Based on the roles and groups you create, you have precise control over what users with access to the portal can see and do.  The following video explains the use of Role-Based Access Control (RBAC) and Device Groups (Machine Groups).
 
+> [!IMPORTANT]
+> Starting February 16, 2025, new Microsoft Defender for Endpoint customers will only have access to the Unified Role-Based Access Control (URBAC).
+> Existing customers keep their current roles and permissions. For more information, see URBAC [Unified Role-Based Access Control (URBAC) for Microsoft Defender for Endpoint](/defender-xdr/manage-rbac)
 
 >[!VIDEO https://learn-video.azurefd.net/vod/player?id=c9903800-3d26-4b30-bd0b-fed00dfc6a5c]
 
@@ -13,6 +16,9 @@ Defender for Endpoint RBAC is designed to support your tier or role-based model
 
   - Create device groups by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Microsoft Entra user group.
 
-To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign Microsoft Entra user groups assigned to the roles.
+To implement role-based access, you need to define admin roles, assign corresponding permissions, and assign Microsoft Entra user groups assigned to the roles.
 
 Before using RBAC, you should understand the roles that can grant permissions and the consequences of turning on RBAC. On your first sign-in to Microsoft Defender XDR you're granted either full access or read-only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Microsoft Entra ID. Read-only access is granted to users with a Security Reader role in Microsoft Entra ID. Someone with a Defender for Endpoint Global administrator role has unrestricted access to all devices, regardless of their device group association and the Microsoft Entra user groups assignments
+
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

learn-pr/wwl-sci/deploy-microsoft-defender-for-endpoints-environment/includes/6-create-manage-roles-for-role-based-access-control.md

@@ -1,6 +1,9 @@
 The following steps guide you on how to create roles in the Microsoft Defender portal. It assumes that you have already created Microsoft Entra user groups.
 
-1. Access the Microsoft Defender portal using an account with a Security administrator or Global administrator role assigned.
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
+1. Access the Microsoft Defender portal using an account the Security administrator role assigned.
 1. In the navigation pane, select **Settings** then select **Endpoints**. Under the **Permissions** category, select **Roles**.
 1. Select the **Turn on roles** button.
 1. Select **+ Add item**.
@@ -9,7 +12,6 @@ The following steps guide you on how to create roles in the Microsoft Defender p
 1. Use the filter to select the Microsoft Entra group that you would like to add this role to.
 1. Select **Save**.
 
-
 > [!IMPORTANT]
 > After creating roles, you'll need to create a device group and provide access to the device group by assigning it to a role that you just created.
 

learn-pr/wwl-sci/deploy-microsoft-defender-for-endpoints-environment/includes/7-configure-device-groups.md

@@ -4,13 +4,13 @@ In Microsoft Defender for Endpoint, you can create device groups and use them to
 
 - Limit access to related alerts and data to specific Microsoft Entra user groups with assigned RBAC roles
 
-- Configure different auto-remediation settings for different sets of devices
+- Configure different autoremediation settings for different sets of devices
 
 - Assign specific remediation levels to apply during automated investigations
 
 - In an investigation, filter the Devices list to specific device groups by using the Group filter.
 
-You can create device groups in the context of role-based access (RBAC) to control who can take specific action or see information by assigning the device group(s) to a user group.
+You can create device groups in the context of role-based access (RBAC) to control who can take specific action or see information by assigning the device groups to a user group.
 
 As part of the process of creating a device group, you'll:
 
@@ -30,10 +30,10 @@ To create a device group:
 
 1. Select **+ Add device group**.
 
-1. Enter the group name and automation settings and specify the matching rule that determines which devices belong to the group. See How the automated investigation starts.
+1. Enter the group name and remediation settings and specify the matching rule that determines which devices belong to the group. See How the automated investigation starts.
 
 1. Preview several devices that will be matched by this rule. If you're satisfied with the rule, select the User access tab.
 
-1. Assign the user groups that can access the device group you created.  You can only grant access to Microsoft Entra user groups that have been assigned to RBAC roles.
+1. Assign the user groups that can access the device group you created.  You can only grant access to Microsoft Entra user groups that are assigned to RBAC roles.
 
 1. Select **Close**. The configuration changes are applied.

learn-pr/wwl-sci/deploy-microsoft-defender-for-endpoints-environment/index.yml

@@ -3,8 +3,8 @@ uid: learn.wwl.deploy-microsoft-defender-for-endpoints-environment
 metadata:
   title: Deploy the Microsoft Defender for Endpoint environment
   description: "Deploy the Microsoft Defender for Endpoint environment"
-  ms.date: 1/7/2025
-  author: wwlpublish
+  ms.date: 4/3/2025
+  author: KenMAG
   ms.author: kelawson
   ms.topic: module
   ms.custom: