Merge pull request #1252 from MicrosoftDocs/main
Publish main to live, Thursday 3:30PM PDT, 08/29
Stacyrch140 authored Aug 29, 2024
2 parents 79c878f + a520c45 commit 0a1399f
Showing 21 changed files with 63 additions and 62 deletions.
4 changes: 2 additions & 2 deletions defender-endpoint/api/api-hello-world.md
Expand Up @@ -16,7 +16,7 @@ ms.topic: reference
ms.subservice: reference
ms.custom: api
search.appverid: met150
ms.date: 06/24/2024
ms.date: 08/29/2024
---

# Microsoft Defender for Endpoint API - Hello World
Expand Down Expand Up @@ -47,7 +47,7 @@ It only takes 5 minutes done in two steps:

### Do I need a permission to connect?

For the Application registration stage, you must have the **Global administrator** role assigned in your Microsoft Entra tenant.
For the Application registration stage, you must have an appropriate role assigned in your Microsoft Entra tenant. For more details about roles, see [Permission options](../user-roles.md#permission-options).

<a name='step-1---create-an-app-in-azure-active-directory'></a>

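Review bot: the replacement line for the "Do I need a permission to connect?" answer swaps a concrete requirement (Global administrator) for "an appropriate role" without saying which role is the minimum, so a reader who follows the Permission options link still has to guess which entry applies to registering an application. Suggest naming the least-privileged built-in role that can register an application, or pointing to the specific section of the linked page, so the least-privilege recommendation added elsewhere in this PR is actionable here.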
10 changes: 5 additions & 5 deletions defender-endpoint/api/exposed-apis-create-app-partners.md
Expand Up @@ -6,7 +6,7 @@ ms.service: defender-endpoint
ms.author: siosulli
author: siosulli
ms.localizationpriority: medium
ms.date: 06/28/2024
ms.date: 08/29/2024
manager: deniseb
audience: ITPro
ms.collection:
Expand Down Expand Up @@ -61,7 +61,7 @@ The following steps guide you how to create a Microsoft Entra application, get a
## Create the multitenant app

1. Sign in to your [Azure tenant](https://portal.azure.com) with user that has **Global Administrator** role.
1. Sign in to your [Azure tenant](https://portal.azure.com).

2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**.

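Review bot: the new step 1 ("Sign in to your [Azure tenant]") drops the role requirement entirely rather than replacing it, so the page no longer tells the reader what permission creating an app registration needs; api-hello-world.md in this same PR instead points to the Permission options page. Suggest doing the same here for consistency, e.g. "1. Sign in to your [Azure tenant](https://portal.azure.com) with an account that has an appropriate role (see [Permission options](../user-roles.md#permission-options))."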
Expand Down Expand Up @@ -122,17 +122,17 @@ In the following example we use **Read all alerts** permission:

You need your application to be approved in each customer tenant where you intend to use it. This approval is necessary because your application interacts with Microsoft Defender for Endpoint application on behalf of your customer.

A user with **Global Administrator** from your customer's tenant need to select the consent link and approve your application.
A user account with appropriate permissions for your customer's tenant must select the consent link and approve your application.

Consent link is of the form:
The consent link is of the form:

```http
https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
```

Where `00000000-0000-0000-0000-000000000000` should be replaced with your Application ID.

After selecting the consent link, sign in as the Global Administrator of the customer's tenant and consent the application.
After selecting the consent link, sign into the customer's tenant, and then grant consent for the application.

:::image type="content" source="../media/app-consent-partner.png" alt-text="The Accept button" lightbox="../media/app-consent-partner.png":::

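Review bot: "sign into" in the rewritten last line is inconsistent with "sign in to" used in the other hunks of this PR (step 1 of this file, exposed-apis-create-app-webapp.md, raw-data-export-storage.md); suggest "sign in to the customer's tenant". Also, "A user account with appropriate permissions for your customer's tenant" leaves unclear that the account must be able to grant consent on behalf of the whole customer tenant (the paragraph above says the app must be approved in each customer tenant), so a reader may assume any user can complete this step; consider "an account in the customer's tenant that is permitted to grant consent for the tenant".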
4 changes: 2 additions & 2 deletions defender-endpoint/api/exposed-apis-create-app-webapp.md
Expand Up @@ -6,7 +6,7 @@ ms.service: defender-endpoint
ms.author: siosulli
author: siosulli
ms.localizationpriority: medium
ms.date: 06/28/2024
ms.date: 08/29/2024
manager: deniseb
audience: ITPro
ms.collection:
Expand Down Expand Up @@ -56,7 +56,7 @@ This article explains how to create a Microsoft Entra application, get an access
## Create an app

1. Sign in to the [Azure portal](https://portal.azure.com) with a user that has the Global Administrator role.
1. Sign in to the [Azure portal](https://portal.azure.com).

2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**.

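Review bot: as in exposed-apis-create-app-partners.md, the new step 1 removes the role requirement without replacing it, so the reader isn't told what is needed to create an app registration. Suggest linking to [Permission options](../user-roles.md#permission-options) as api-hello-world.md does in this PR rather than deleting the requirement.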
16 changes: 8 additions & 8 deletions defender-endpoint/api/offboard-machine-api.md
Expand Up @@ -15,7 +15,7 @@ ms.topic: reference
ms.subservice: reference
ms.custom: api
search.appverid: met150
ms.date: 06/28/2024
ms.date: 08/29/2024
---

# Offboard machine API
Expand Down Expand Up @@ -60,13 +60,13 @@ One of the following permissions is required to call this API. To learn more, in
> [!IMPORTANT]
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
> [!NOTE]
> When obtaining a token using user credentials:
>
> - The user must have a Global Administrator role.
> - The user must have access to the device, based on device group settings. For more information, see [Create and manage device groups](../machine-groups.md).
>
> Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
When obtaining a token using user credentials:

- The user must have an appropriate role assigned (see [Permission options](../user-roles.md#permission-options)).

- The user must have access to the device, based on device group settings. For more information, see [Create and manage device groups](../machine-groups.md).

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

## HTTP request

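Review bot: the new plain-text paragraph "When obtaining a token using user credentials:" follows the IMPORTANT callout's "> Microsoft recommends ..." line with no blank line in between, so Markdown treats it as a lazy continuation of the blockquote and the paragraph renders inside the callout. Add a blank line after the callout before "When obtaining a token using user credentials:". The removed NOTE block had the same adjacency, but as a blockquote it at least still rendered as a callout.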
2 changes: 1 addition & 1 deletion defender-endpoint/api/raw-data-export-storage.md
Expand Up @@ -43,7 +43,7 @@ ms.date: 06/28/2024
## Enable raw data streaming

1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com) as a Security Administrator.
1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com).

2. Go to [Data export settings page](https://security.microsoft.com/settings/mtp_settings/raw_data_export) in Microsoft Defender XDR.

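Review bot: this hunk deletes "as a Security Administrator" rather than replacing it, although elsewhere in this PR Security Administrator is the role the text substitutes for Global Administrator (mde-planning-guide.md, rbac.md). Deleting it here leaves the "Enable raw data streaming" procedure with no stated permission requirement; suggest keeping the role or linking to the Permission options page as api-hello-world.md does.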
2 changes: 1 addition & 1 deletion defender-endpoint/assign-portal-access.md
Expand Up @@ -40,7 +40,7 @@ Defender for Endpoint supports two ways to manage permissions:

If you have already assigned basic permissions, you can switch to RBAC anytime. Consider the following before making the switch:

- Users who have full access (users who are assigned the Global Administrator or Security Administrator directory role in Microsoft Entra ID), are automatically assigned the default Defender for Endpoint administrator role, which also has full access.
- Users who have full access (users who are assigned either the Global Administrator or Security Administrator directory role in Microsoft Entra ID) are automatically assigned the default Defender for Endpoint administrator role, which also has full access.
- Other Microsoft Entra user groups can be assigned to the Defender for Endpoint administrator role after switching to RBAC.
- Only users who are assigned the Defender for Endpoint administrator role can manage permissions using RBAC.
- Users who have read-only access (Security Readers) lose access to the portal until they are assigned a role. Only Microsoft Entra user groups can be assigned a role under RBAC.
2 changes: 1 addition & 1 deletion defender-endpoint/basic-permissions.md
Expand Up @@ -49,7 +49,7 @@ You can assign users with one of the following levels of permissions:
- Connect to your Microsoft Entra ID. For more information, see [Connect-MgGraph](/powershell/microsoftgraph/authentication-commands).

- **Full access**: Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. Assigning full access rights requires adding the users to the "Security Administrator" or "Global Administrator" Microsoft Entra built-in roles.
- **Full access**: Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. Assigning full access rights requires adding the users to a role, such as Security Administrator, using Microsoft Entra built-in roles.

- **Read-only access**: Users with read-only access can log in, view all alerts, and related information.

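Review bot: "requires adding the users to a role, such as Security Administrator, using Microsoft Entra built-in roles" in the rewritten Full access bullet reads awkwardly (users are assigned roles rather than added to them, and "using Microsoft Entra built-in roles" is redundant with the example). Suggest: "Assigning full access rights requires assigning the users a Microsoft Entra built-in role such as Security Administrator."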
12 changes: 5 additions & 7 deletions defender-endpoint/configure-conditional-access.md
Expand Up @@ -31,28 +31,26 @@ This section guides you through all the steps you need to take to properly imple
## Before you begin

> [!WARNING]
> It's important to note that Microsoft Entra registered devices aren't supported in this scenario.</br>
> Only Intune enrolled devices are supported.
> It's important to note that Microsoft Entra registered devices aren't supported in this scenario. Only Intune enrolled devices are supported.
You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune:

- IT Admin: For more information on how to enable auto-enrollment, see [Windows Enrollment](/intune/windows-enroll#enable-windows-10-automatic-enrollment)
- End-user: For more information on how to enroll your Windows 10 and Windows 11 device in Intune, see [Enroll your Windows 10 device in Intune](/intune/quickstart-enroll-windows-device)
- End user: For more information on how to enroll your Windows 10 and Windows 11 device in Intune, see [Enroll your Windows 10 device in Intune](/intune/quickstart-enroll-windows-device)
- End-user alternative: For more information on joining a Microsoft Entra domain, see [How to: Plan your Microsoft Entra join implementation](/azure/active-directory/devices/azureadjoin-plan).

There are steps you'll need to take in the Microsoft Defender portal, the Intune portal, and Microsoft Entra admin center.

It's important to note the required roles to access these portals and implement Conditional access:

- **Microsoft Defender portal** - You'll need to sign into the portal with a Global Administrator role to turn on the integration.
- **Microsoft Defender portal** - You'll need to sign into the portal with an appropriate role to turn on integration. See [Permission options](user-roles.md#permission-options).
- **Intune** - You'll need to sign in to the portal with Security Administrator rights with management permissions.
- **Microsoft Entra admin center** - You'll need to sign in as a Global Administrator, Security Administrator, or Conditional Access administrator.
- **Microsoft Entra admin center** - You'll need to sign in as a Security Administrator or Conditional Access administrator.

> [!IMPORTANT]
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
> [!NOTE]
> You'll need a Microsoft Intune environment, with Intune managed and Microsoft Entra joined Windows 10 and Windows 11 devices.
You'll need a Microsoft Intune environment, with Intune managed and Microsoft Entra joined Windows 10 and Windows 11 devices.

Take the following steps to enable Conditional Access:

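Review bot: the new last line "You'll need a Microsoft Intune environment, ..." directly follows the IMPORTANT callout's "> Microsoft recommends ..." line without a blank line, so it is lazily continued into the blockquote and renders inside the callout; the same applies to "You need to make sure that all your devices are enrolled in Intune." directly after the rewritten WARNING line. Add a blank line after each callout. Two smaller points in the same hunk: "End-user" was changed to "End user" in the second bullet but the third bullet still reads "End-user alternative", and "sign into the portal" in the Microsoft Defender portal bullet should be "sign in to" to match "sign in to the portal" in the Intune bullet immediately below.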
2 changes: 1 addition & 1 deletion defender-endpoint/configure-endpoints-non-windows.md
Expand Up @@ -55,7 +55,7 @@ You can choose to onboard non-Windows devices through Microsoft Defender for End

3. Select **View** to open the partner's page. Follow the instructions provided on the page.

4. After creating an account or subscribing to the partner solution, you should get to a stage where a tenant admin (or Global Administrator) is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it's aligned with the service that you require.
4. After creating an account or subscribing to the partner solution, you should get to a stage where an administrator (such as a tenant administrator) is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it's aligned with the service that you require.

> [!IMPORTANT]
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
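Review bot: "an administrator (such as a tenant administrator)" in the rewritten step 4 is circular and doesn't tell the reader who can accept the partner application's permission request; the old text at least named a concrete role. Suggest stating that an account permitted to grant consent on behalf of the tenant is required, and pointing to the Permission options page as other files in this PR do, so the IMPORTANT callout below has something concrete to apply to.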
4 changes: 2 additions & 2 deletions defender-endpoint/configure-machines.md
Expand Up @@ -14,7 +14,7 @@ ms.custom: admindeeplinkDEFENDER
ms.topic: conceptual
ms.subservice: onboard
search.appverid: met150
ms.date: 06/25/2024
ms.date: 08/29/2024
---

# Ensure your devices are configured properly
Expand Down Expand Up @@ -63,7 +63,7 @@ Before you can ensure your devices are configured properly, enroll them to Intun
## Obtain required permissions

By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Microsoft Entra ID can manage and assign the device configuration profiles needed for onboarding devices and deploying the security baseline.
By default, only users who have been assigned an appropriate role, such as the Intune Service Administrator role in Microsoft Entra ID, can manage and assign the device configuration profiles needed for onboarding devices and deploying the security baseline.

> [!IMPORTANT]
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Expand Up @@ -30,12 +30,12 @@ Configure Microsoft Defender for Endpoint to send email notifications to specifi
If you're using [Defender for Business](/defender-business/mdb-overview), you can set up vulnerability notifications for specific users only (not roles or groups).

> [!NOTE]
> - Only users with `Manage security settings` permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. [Learn more about permission options](user-roles.md)
> - Only users with `Manage security settings` permissions can configure email notifications. If you've chosen to use basic permissions management, users with an appropriate role, such as Security Administrator, can configure email notifications. [Learn more about permission options](user-roles.md)
> - Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
The notification rules allow you to set the vulnerability events that trigger notifications, and add or remove email notification recipients. New recipients get notified about vulnerabilities after they're added.

If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule. Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups.
If you're using role-based access control (RBAC), recipients only receive notifications based on the device groups that were configured in the notification rule. Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to an administrator role, such as Security Administrator, can manage notification rules that are configured for all device groups.

The email notification includes basic information about the vulnerability event. There are also links to filtered views in the Defender Vulnerability Management [Security recommendations](api/ti-indicator.md) and [Weaknesses](/defender-vulnerability-management/tvm-weaknesses) pages in the portal so you can further investigate. For example, you could get a list of all exposed devices or get additional details about the vulnerability.

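Review bot: the NOTE callout's second bullet ("> - Device group creation is supported ...") is immediately followed by "The notification rules allow you to set ..." with no blank line, so that paragraph is a lazy continuation and renders inside the callout; add a blank line after the callout. The adjacency predates this hunk, but since the hunk edits the callout's first bullet it's the right place to fix it.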
Expand All @@ -46,7 +46,7 @@ The email notification includes basic information about the vulnerability event.

Create a notification rule to send an email when there are certain exploit or vulnerability events, such as a new public exploit. For each rule, multiple event types can be selected.

1. Sign in to the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139) and using an account with the Security administrator or Global administrator role assigned.
1. Sign in to the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139) and using an account with the Security Administrator role assigned.

2. In the navigation pane, go to **Settings** \> **Endpoints** \> **General** \> **Email notifications** \> **Vulnerabilities**.

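Review bot: the rewritten step 1 keeps the grammatical error of the old line: "Sign in to the [Microsoft Defender portal](...) and using an account with ..." should be "Sign in to the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139) using an account with the Security Administrator role assigned."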
4 changes: 2 additions & 2 deletions defender-endpoint/mde-planning-guide.md
Expand Up @@ -18,7 +18,7 @@ ms.custom: admindeeplinkDEFENDER
ms.topic: conceptual
ms.subservice: onboard
search.appverid: met150
ms.date: 06/26/2024
ms.date: 08/29/2024
---

# Get started with your Microsoft Defender for Endpoint deployment
Expand Down Expand Up @@ -54,7 +54,7 @@ The steps to deploy Defender for Endpoint are:

Here's a list of prerequisites required to deploy Defender for Endpoint:

- You're a Global Administrator
- You're a Security Administrator
- Your environment meets the [minimum requirements](minimum-requirements.md)
- You have a full inventory of your environment. The following table provides a starting point to gather information and ensure that stakeholders understand your environment. The inventory helps identify potential dependencies and/or changes required in technologies or processes.

2 changes: 1 addition & 1 deletion defender-endpoint/prepare-deployment.md
Expand Up @@ -52,7 +52,7 @@ Microsoft recommends using [Privileged Identity Management](/azure/active-direct

Defender for Endpoint supports two ways to manage permissions:

- **Basic permissions management**: Set permissions to either full access or read-only. Users with Global Administrator or Security Administrator roles in Microsoft Entra ID have full access. The Security reader role has read-only access and does not grant access to view machines/device inventory.
- **Basic permissions management**: Set permissions to either full access or read-only. Users with a role, such as Security Administrator in Microsoft Entra ID have full access. The Security reader role has read-only access and does not grant access to view machines/device inventory.

- **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Microsoft Entra user groups to the roles, and granting the user groups access to device groups. For more information. see [Manage portal access using role-based access control](rbac.md).

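Review bot: the new Basic permissions bullet "Users with a role, such as Security Administrator in Microsoft Entra ID have full access." is missing the closing comma of the parenthetical and reads awkwardly; suggest "Users with a Microsoft Entra built-in role such as Security Administrator have full access." The unchanged RBAC bullet below has "For more information. see" (a period where a comma belongs); worth fixing while this section is being edited.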
4 changes: 2 additions & 2 deletions defender-endpoint/rbac.md
Expand Up @@ -66,9 +66,9 @@ To implement role-based access, you'll need to define admin roles, assign corres
Before using RBAC, it's important that you understand the roles that can grant permissions and the consequences of turning on RBAC.

> [!WARNING]
> Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in Microsoft Entra ID and that you have your Microsoft Entra groups ready to reduce the risk of being locked out of the portal.
> Before enabling the feature, it's important that you have an appropriate role, such as Security Administrator assigned in Microsoft Entra ID, and that you have your Microsoft Entra groups ready to reduce the risk of being locked out of the portal.
When you first sign in to the Microsoft Defender portal, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Microsoft Entra ID. Read only access is granted to users with a Security Reader role in Microsoft Entra ID.
When you first sign in to the Microsoft Defender portal, you're granted either full access or read only access. Full access rights are granted to users with the Security Administrator role in Microsoft Entra ID. Read only access is granted to users with a Security Reader role in Microsoft Entra ID.

Someone with a Defender for Endpoint Global Administrator role has unrestricted access to all devices, regardless of their device group association and the Microsoft Entra user groups assignments.

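Review bot: the rewritten WARNING line is immediately followed by "When you first sign in to the Microsoft Defender portal, ..." without a blank line, so the paragraph is a lazy continuation and renders inside the warning callout; add a blank line after the callout. In the new WARNING text, "such as Security Administrator assigned in Microsoft Entra ID, and that" reads better as "such as Security Administrator, assigned in Microsoft Entra ID, and that". Also note the unchanged line below still says "Defender for Endpoint Global Administrator role"; now that the Entra Global Administrator role has been removed from the line above it, consider making explicit that this refers to the product's own RBAC role rather than the Microsoft Entra directory role, so readers don't conflate the two.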