Merge pull request #5622 from MicrosoftDocs/main

[AutoPublish] main to live - 11/17 04:39 PST | 11/17 18:09 IST

Author: m365-skilling-repo-management[bot]

defender-for-cloud-apps/policy-template-reference.md

@@ -1,9 +1,10 @@
 ---
 title: Microsoft Defender for Cloud Apps policy templates
 description: This article provides information on policy templates included in Microsoft Defender for Cloud Apps.
-ms.date: 01/29/2023
+ms.date: 11/16/2025
 ms.topic: how-to
-ms.reviewer: Ronen-Refaeli
+ms.reviewer: MayaAbelson
+
 ---
 
 # Defender for Cloud Apps policy templates
@@ -13,7 +14,6 @@ We recommend that you simplify policy creation by starting with existing templat
 For the full list of templates, check the Microsoft Defender Portal.
 
 
-
 ## Policy template highlights
 
 |Risk category|Template name|Description|
@@ -33,10 +33,6 @@ For the full list of templates, check the Microsoft Defender Portal.
 |Cloud discovery|New risky app|Alert when new apps are discovered with risk score lower than 6 and that are used by more than 50 users with a total daily use of more than 50 MB.|
 |Cloud discovery|New sales app|Alert when new sales apps are discovered that are used by more than 50 users with a total daily use of more than 50 MB.|
 |Cloud discovery|New vendor management system apps|Alert when new vendor management system apps are discovered that are used by more than 50 users with a total daily use of more than 50 MB.|
-|DLP|Externally shared source code|Alert when a file containing source code is shared outside your organization.|
-|DLP|File containing PCI detected in the cloud (built-in DLP engine)|Alert when a file with payment card information (PCI) is detected by the Microsoft Defender for Cloud Apps built-in data loss prevention (DLP) engine in a sanctioned cloud app.|
-|DLP|File containing PHI detected in the cloud (built-in DLP engine)|Alert when a file with protected health information (PHI) is detected by the Microsoft Defender for Cloud Apps built-in data loss prevention (DLP) engine in a sanctioned cloud app.|
-|DLP|File containing private information detected in the cloud (built-in DLP engine)|Alert when a file with personal data is detected by the Microsoft Defender for Cloud Apps built-in data loss prevention (DLP) engine in a sanctioned cloud app.|
 |Threat detection|Administrative activity from a non-corporate IP address|Alert when an admin user performs an administrative activity from an IP address that isn't included in the corporate IP address range category. First configure your corporate IP addresses by going to the Settings page, and setting **IP address ranges**.|
 |Threat detection|Log on from a risky IP address|Alert when a user signs into your sanctioned apps from a risky IP address. By default, the Risky IP address category contains addresses that have IP address tags of Anonymous proxy, TOR, or Botnet. You can add more IP addresses to this category in the IP address ranges settings page.|
 |Threat detection|Mass download by a single user|Alert when a single user performs more than 50 downloads within 1 minute.|

defender-for-identity/identity-inventory.md

@@ -60,7 +60,7 @@ The **Identities** list offers a consolidated view of identities across Active D
 
 - __Object ID__ – A unique identifier for the identity in Microsoft Entra ID.
 
-- __Source__ – Indicates whether the identity is on-premises (originate from Active Directory), Cloud only (Entra ID) or Hybrid (synced from Azure Active Directory to Entra ID).
+- __Source__ – Indicates whether the identity is on-premises (originate from Active Directory), Cloud only (Entra ID) or Hybrid (synced from Azure Active Directory to Microsoft Entra ID).
 
 - __Type__ – Specifies if the identity is a user account or service account.
 
@@ -76,7 +76,7 @@ The **Identities** list offers a consolidated view of identities across Active D
 
 - __Last updated__ – The timestamp of the most recent update to the identity's attributes in Active Directory.
 
-Nondefault columns: Email, Microsoft Entra ID risk level and Cloud ID. 
+Nondefault columns: Email, Microsoft Entra ID risk level, and Cloud ID. 
 
 > [!TIP]
 > To see all columns, you likely need to do one or more of the following steps:

defender-for-identity/investigate-assets.md

@@ -8,7 +8,7 @@ ms.reviewer: LiorShapiraa
 
 # Investigate assets
 
-Microsoft Defender for Identity provides Microsoft Defender XDR users with evidence of when users, computers, and devices have performed suspicious activities or show signs of being compromised.
+Microsoft Defender for Identity gives Microsoft Defender XDR users evidence when users, computers, and devices show signs of suspicious activities or compromise.
 
 This article gives recommendations for how to determine risks to your organization, decide how to remediate, and determine the best way to prevent similar attacks in the future.
 
@@ -17,7 +17,7 @@ This article gives recommendations for how to determine risks to your organizati
 > [!NOTE]
 > For information on how to view user profiles in Microsoft Defender XDR, see [Microsoft Defender XDR documentation](/microsoft-365/security/defender/investigate-users).
 
-If an alert or incident indicates that a user may be suspicious or compromised, check and investigate the user profile for the following details and activities:
+If an alert or incident indicates that a user might be suspicious or compromised, check and investigate the user profile for the following details and activities:
 
 - **User identity**
     - Is the user a [sensitive user](entity-tags.md) (such as admin, or on a watchlist, etc.)?
@@ -56,16 +56,17 @@ When you investigate a specific identity, you'll see the following details on an
 
 |Identity details page area  |Description  |
 |---------|---------|
-|[Overview tab](/microsoft-365/security/defender/investigate-users#overview)       | General identity data, such as the Microsoft Entra identity risk level, the number of devices the user is signed in to, when the user was first and last seen, the user's accounts and more important information.  <br><br>Use the **Overview** tab to also view graphs for incidents and alerts, and an organizational tree, entity tags.       |
+|[Overview tab](/microsoft-365/security/defender/investigate-users#overview)       | Use the **Overview** tab to view graphs for incidents and alerts, an organizational tree, and entity tags. <br> General identity data includes: <br> - Microsoft Entra identity risk level <br> - The number of devices the identity is signed in to <br> - When the identity was first and last seen <br> - The identity's accounts and more important information.  <br><br>      |
 |[Incidents and alerts](/microsoft-365/security/defender/investigate-users#incidents-and-alerts)     | Lists active incidents and alerts involving the user from the last 180 days, including details like alert severity and the time the alert was generated. |
-|[Observed in organization](/microsoft-365/security/defender/investigate-users#observed-in-organization)     |   Includes the following sub-areas: <br>- **Devices**: The devices that the identity signed in to, including most and least used in the last 180 days. <br>- **Locations**: The identity's observed locations over the last 30 days. <br>- **Groups**: All observed on-premises groups for the identity. <br> - **Lateral movement paths** - all profiled lateral movement paths from the on-premises environment. |
-|[Identity timeline](/microsoft-365/security/defender/investigate-users#timeline)     |The timeline represents activities and alerts observed from a user's identity from the last 180 days, unifying identity entries across Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint. <br><br>Use the timeline to focus on activities a user performed or were performed on them in specific timeframes. Select the default **30 days** to change the time range to another built-in value, or to a custom range.       |
+|[Observed in organization](/microsoft-365/security/defender/investigate-users#observed-in-organization)     |   Includes the following sub-areas: <br>- **Devices**: The devices that the identity signed in to, including most and least used in the last 180 days. <br>- **Locations**: The identity's observed locations over the last 30 days. <br>- **Groups**: All observed on-premises groups for the identity. <br> - **Lateral movement paths** - all profiled lateral movement paths from the on-premises environment. <br> - **Accounts** View all accounts linked to a specific identity. |
+|[Identity timeline](/microsoft-365/security/defender/investigate-users#timeline)     | The timeline represents activities and alerts observed from a user's identity within the last 180 days, to help unify identity entries across Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint. <br><br> You can use the timeline to focus on activities a user performed or were performed on them in specific timeframes. Select the default **30 days** to change the time range to another built-in value, or to a custom range.       |
 |Security recommendations|This tab displays all active security posture assessments (ISPMs) associated with an identity account. It includes Defender for Identity recommendations across available identity providers such as Active Directory, Okta, and others. Selecting an ISPM pivots you to the recommendation page in Microsoft Secure Score for additional details.|
 |Attack paths|This tab provides visibility into potential attack paths leading to a critical identity or involving it within the path, helping assess security risks. For more information, see Overview of attack path within Exposure Management.|
 |[Remediation actions](/microsoft-365/security/defender/investigate-users#remediation-actions)      |Respond to compromised users by disabling their accounts or resetting their password. After taking action on users, you can check on the activity details in the Microsoft Defender XDR **Action center.|
 
+
 > [!NOTE]
-> **Investigation Priority Score** has been deprecated on December 3, 2024. As a result, both the Investigation Priority Score breakdown and the scored activity timeline cards have been removed from the UI. 
+> **Investigation Priority Score** was deprecated on December 3, 2024. As a result, the Investigation Priority Score breakdown and the scored activity timeline cards are no longer available.
 
 
 

defender-for-identity/link-unlink-account-to-identity.md

@@ -0,0 +1,107 @@
+---
+title: Link/Unlink an account to an identity
+description: This article explains how to link or unlink an account to an identity in Microsoft Defender for Identity.
+ms.date: 09/01/2025
+ms.topic: how-to
+ms.service: microsoft-defender-for-identity
+ms.reviewer: Almog Omrad
+#customer intent: As a SOC analyst, I want to view all accounts linked to an identity so that I can gain a complete and accurate understanding of the identity’s footprint across the organization and validate accounts correlated are correct. 
+---
+
+# Link or Unlink an Account to an Identity (Preview)
+
+## Overview
+
+In enterprise environments, identity data is often fragmented. A single user might have multiple accounts across systems, including personal, privileged, legacy, or cloud-based accounts. These accounts can cover on-premises Active Directory, Microsoft Entra ID, or third-party identity providers such as Okta and Ping. Users may also maintain multiple accounts within the same system, such as a standard business account ([email protected]) and a privileged administrative account ([email protected]). This fragmentation makes it difficult to maintain a unified view of identity across the organization. The **Manual link or unlink accounts** feature in Microsoft Defender for Identity helps you correlate accounts with identities to build a complete identity footprint.
+
+Consider a user named John Doe who has an Azure Active Directory account, an Okta account, and a Ping account. By manually linking these accounts to John’s identity in Microsoft Defender for Identity, you can create a consolidated view that supports identity-centric protection and investigation.
+
+## Why use manual linking
+
+Manual linking helps organizations:
+
+- Correlate identity components across different systems
+- Improve protection by creating a complete identity context
+- Support investigations and response actions with unified identity views
+
+### Scenarios and examples 
+
+- **Personal and privileged accounts**: A user might have two accounts, one for everyday work and another with elevated permissions for administrative tasks.  
+  **Example**  
+  - [email protected] (regular account)  
+  - [email protected] (privileged account)  
+
+- **Multiple domains**: Large organizations often manage several domains. Linking accounts across these domains provides full visibility into a user’s activity.  
+  **Example**  
+  - [email protected]  
+  - [email protected]  
+
+- **Personal and service accounts**: A user may have both a personal account and a service account they own or manage. Linking them helps connect ownership and responsibility to the same identity.  
+  **Example**  
+  - [email protected] (personal account)  
+  - [email protected] (service account)  
+
+- **Legacy accounts**: A user might still have an active account in a legacy system. Linking it ensures the account is monitored and tied back to the correct identity.  
+  **Example**  
+  - [email protected] (current account)  
+  - [email protected] (legacy account)  
+
+
+
+## Prerequisites
+
+- You must have [Unified role-based access control (URBAC)](/defender-for-identity/role-groups) roles: Global Administrator or Security Data (Manage)
+
+## How to Manually Link or Unlink Accounts to an Identity
+
+Follow these steps to manually link accounts to a selected identity.
+
+1. Navigate to **Assets** > **Identity Inventory**.
+1. Select an **Identity** from the list.
+
+    :::image type="content" source="media/identity-inventory/inventory11.png" alt-text="Screenshot of the Identity Inventory page in the Defender portal. " lightbox="media/identity-inventory/inventory11.png":::
+
+1. Select the **Observed in organization** tab.
+1. Open the **Accounts** tab.
+
+    :::image type="content" source="media/link-unlink-account-to-identity/accounts-observed-in-organization.png" alt-text="Screenshot that shows the accounts observed in an organization." lightbox="media/link-unlink-account-to-identity/accounts-observed-in-organization.png":::
+
+1. Select one or more accounts from the table. You must select at least one account to continue.
+1. You can search by:
+    - Display name
+    - User principal name (UPN)
+    - Security identifier (SID)
+    - Source provider account
+1. Select **Next**.
+1. Enter a short justification comment explaining why you're linking these accounts.
+1. Your justification must:
+    - Be between 1 and 50 characters
+    - Use only letters, numbers, spaces, @, and _
+    - If your input includes invalid characters or exceeds the limit, an error message will appear.
+1. Select **Next**.
+1. Review the selected accounts and your justification.
+1. Confirm that the accounts listed are correct.
+1. The account list refreshes automatically.
+
+## Unlink accounts from an identity
+
+Follow these steps to manually unlink accounts from a selected identity.
+
+1. Go to **Identity Inventory > Observed in organization**
+1. Open the **Accounts** tab.
+1. Select one or more account groups.
+1. Select **Unlink account**.
+1. A confirmation dialog appears with the identity name.
+1. Review the message and select **Unlink accounts** to confirm.
+
+
+## What to expect after linking or unlinking an account
+
+- The selected accounts are linked or unlinked immediately.
+- The system updates the identity context and refreshes the account list.
+- All actions are recorded in the unified audit system, including the justification and the user who performed the action.
+
+## See also
+
+- [Investigate users](/microsoft-365/security/defender/investigate-users)
+- [Investigate assets](/defender-for-identity/investigate-assets)