From 1b46167e1101d011bd62f8db33152c7eac70b681 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:07:07 -0700 Subject: [PATCH 01/28] Update api-hello-world.md --- defender-endpoint/api/api-hello-world.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/api/api-hello-world.md b/defender-endpoint/api/api-hello-world.md index dc3ff81ebe..e9764260b4 100644 --- a/defender-endpoint/api/api-hello-world.md +++ b/defender-endpoint/api/api-hello-world.md @@ -16,7 +16,7 @@ ms.topic: reference ms.subservice: reference ms.custom: api search.appverid: met150 -ms.date: 06/24/2024 +ms.date: 08/29/2024 --- # Microsoft Defender for Endpoint API - Hello World @@ -47,7 +47,7 @@ It only takes 5 minutes done in two steps: ### Do I need a permission to connect? -For the Application registration stage, you must have the **Global administrator** role assigned in your Microsoft Entra tenant. +For the Application registration stage, you must have an appropriate role assigned in your Microsoft Entra tenant. For more details about roles, see [Permission options](../user-roles.md#permission-options). From 4885bfe5684730fc8e10765ce3db7fcfe946334a Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:08:17 -0700 Subject: [PATCH 02/28] Update exposed-apis-create-app-partners.md --- defender-endpoint/api/exposed-apis-create-app-partners.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/api/exposed-apis-create-app-partners.md b/defender-endpoint/api/exposed-apis-create-app-partners.md index a62915cd20..bfe95ddbbb 100644 --- a/defender-endpoint/api/exposed-apis-create-app-partners.md +++ b/defender-endpoint/api/exposed-apis-create-app-partners.md @@ -6,7 +6,7 @@ ms.service: defender-endpoint ms.author: siosulli author: siosulli ms.localizationpriority: medium -ms.date: 06/28/2024 +ms.date: 08/29/2024 manager: deniseb audience: ITPro ms.collection: 
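Review bot: the new sentence in the api-hello-world.md hunk points readers to `[Permission options](../user-roles.md#permission-options)`, which describes Defender for Endpoint portal permissions, while the sentence is about the Application registration stage, which is a Microsoft Entra operation governed by Entra roles and tenant settings rather than by Defender roles. Consider naming the Entra requirement or linking to the Entra app-registration documentation instead, so that "an appropriate role" is not read as a Defender portal role.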
@@ -61,7 +61,7 @@ The following steps guide you how to create a Microsoft Entra application, get a ## Create the multitenant app -1. Sign in to your [Azure tenant](https://portal.azure.com) with user that has **Global Administrator** role. +1. Sign in to your [Azure tenant](https://portal.azure.com). 2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**. From fa180b28adf694778977613a67b5c80472e15d43 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:10:09 -0700 Subject: [PATCH 03/28] Update exposed-apis-create-app-partners.md --- defender-endpoint/api/exposed-apis-create-app-partners.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defender-endpoint/api/exposed-apis-create-app-partners.md b/defender-endpoint/api/exposed-apis-create-app-partners.md index bfe95ddbbb..b0514bd1cc 100644 --- a/defender-endpoint/api/exposed-apis-create-app-partners.md +++ b/defender-endpoint/api/exposed-apis-create-app-partners.md @@ -122,9 +122,9 @@ In the following example we use **Read all alerts** permission: You need your application to be approved in each customer tenant where you intend to use it. This approval is necessary because your application interacts with Microsoft Defender for Endpoint application on behalf of your customer. - A user with **Global Administrator** from your customer's tenant need to select the consent link and approve your application. + A user account with appropriate permissions for your customer's tenant must select the consent link and approve your application. - Consent link is of the form: + The consent link is of the form: ```http https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true 
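Review bot: the `## Create the multitenant app` hunk removes the role requirement from step 1 and replaces it with nothing (`+1. Sign in to your [Azure tenant](https://portal.azure.com).`), so the reader no longer learns that creating an app registration needs a particular Entra role. Keep a short pointer to the required role or the permissions page, as the api-hello-world.md change in this same series does.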
@@ -132,7 +132,7 @@ In the following example we use **Read all alerts** permission: Where `00000000-0000-0000-0000-000000000000` should be replaced with your Application ID. - After selecting the consent link, sign in as the Global Administrator of the customer's tenant and consent the application. + After selecting the consent link, sign into the customer's tenant, and then grant consent for the application. :::image type="content" source="../media/app-consent-partner.png" alt-text="The Accept button" lightbox="../media/app-consent-partner.png"::: From cc5c4a64b23939b23a3c603ffbd44e4df1ae9412 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:11:15 -0700 Subject: [PATCH 04/28] Update exposed-apis-create-app-webapp.md --- defender-endpoint/api/exposed-apis-create-app-webapp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/api/exposed-apis-create-app-webapp.md b/defender-endpoint/api/exposed-apis-create-app-webapp.md index 1a9d978b29..f0e5a3727f 100644 --- a/defender-endpoint/api/exposed-apis-create-app-webapp.md +++ b/defender-endpoint/api/exposed-apis-create-app-webapp.md @@ -6,7 +6,7 @@ ms.service: defender-endpoint ms.author: siosulli author: siosulli ms.localizationpriority: medium -ms.date: 06/28/2024 +ms.date: 08/29/2024 manager: deniseb audience: ITPro ms.collection: @@ -56,7 +56,7 @@ This article explains how to create a Microsoft Entra application, get an access ## Create an app -1. Sign in to the [Azure portal](https://portal.azure.com) with a user that has the Global Administrator role. +1. Sign in to the [Azure portal](https://portal.azure.com). 2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**. From a756113556556ef8536fe1f0cf049638a8cb4e4e Mon Sep 17 00:00:00 2001 
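Review bot: in the `@@ -132` hunk, "sign into the customer's tenant" should read "sign in to the customer's tenant" (verb phrase plus preposition, matching the "Sign in to" wording used elsewhere in this series). The preceding hunk's "A user account with appropriate permissions for your customer's tenant" is also vaguer than what it replaces: approving the consent link on behalf of a whole tenant requires an account that is allowed to grant admin consent in that tenant, so state that requirement or link to the roles page rather than leave it to the reader.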
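Review bot: the exposed-apis-create-app-webapp.md `## Create an app` hunk drops "with a user that has the Global Administrator role" from step 1 without adding any replacement guidance, leaving the reader with no indication that app registration is role-gated in Entra at all. A link to the required role (or to the permissions page) should replace the removed text rather than nothing.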
From: denisebmsft Date: Thu, 29 Aug 2024 14:12:05 -0700 Subject: [PATCH 05/28] Update offboard-machine-api.md --- defender-endpoint/api/offboard-machine-api.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/api/offboard-machine-api.md b/defender-endpoint/api/offboard-machine-api.md index d7dd1768a1..3f499bf423 100644 --- a/defender-endpoint/api/offboard-machine-api.md +++ b/defender-endpoint/api/offboard-machine-api.md @@ -15,7 +15,7 @@ ms.topic: reference ms.subservice: reference ms.custom: api search.appverid: met150 -ms.date: 06/28/2024 +ms.date: 08/29/2024 --- # Offboard machine API @@ -63,7 +63,7 @@ One of the following permissions is required to call this API. To learn more, in > [!NOTE] > When obtaining a token using user credentials: > -> - The user must have a Global Administrator role. +> - The user must have an appropriate role assigned (see [Permission options](../user-roles.md#permission-options)). > - The user must have access to the device, based on device group settings. For more information, see [Create and manage device groups](../machine-groups.md). > > Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2. From 0c691958cd7e4af70e0e31c8b01c8cd60a48ed71 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:12:49 -0700 Subject: [PATCH 06/28] Update offboard-machine-api.md --- defender-endpoint/api/offboard-machine-api.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/defender-endpoint/api/offboard-machine-api.md b/defender-endpoint/api/offboard-machine-api.md index 3f499bf423..771891ca0b 100644 --- a/defender-endpoint/api/offboard-machine-api.md +++ b/defender-endpoint/api/offboard-machine-api.md 
@@ -60,13 +60,13 @@ One of the following permissions is required to call this API. To learn more, in > [!IMPORTANT] > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. -> [!NOTE] -> When obtaining a token using user credentials: -> -> - The user must have an appropriate role assigned (see [Permission options](../user-roles.md#permission-options)). -> - The user must have access to the device, based on device group settings. For more information, see [Create and manage device groups](../machine-groups.md). -> -> Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2. +When obtaining a token using user credentials: + +- The user must have an appropriate role assigned (see [Permission options](../user-roles.md#permission-options)). + +- The user must have access to the device, based on device group settings. For more information, see [Create and manage device groups](../machine-groups.md). + +Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2. ## HTTP request From 90c2db865dc7baa474d63c73a5725262bfdee345 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:14:07 -0700 Subject: [PATCH 07/28] Update raw-data-export-storage.md --- defender-endpoint/api/raw-data-export-storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/api/raw-data-export-storage.md b/defender-endpoint/api/raw-data-export-storage.md index 7fae94706d..fb35cc5dc3 100644 --- a/defender-endpoint/api/raw-data-export-storage.md +++ b/defender-endpoint/api/raw-data-export-storage.md 
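Review bot: this hunk rewrites the same NOTE block that PATCH 05/28 edited one commit earlier, now unboxing it into plain paragraphs; squash the two commits so the history records a single change to that block. Also check the rendered result: the unboxed "When obtaining a token using user credentials:" paragraph now sits directly under the IMPORTANT callout about Global Administrator, and without the NOTE framing it may read as a continuation of that callout rather than as the separate per-user requirements it is.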
@@ -43,7 +43,7 @@ ms.date: 06/28/2024 ## Enable raw data streaming -1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com) as a Security Administrator. +1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com). 2. Go to [Data export settings page](https://security.microsoft.com/settings/mtp_settings/raw_data_export) in Microsoft Defender XDR. From 112c10cfb1e02fcae68eba226873a92961f78270 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:18:16 -0700 Subject: [PATCH 08/28] Update configure-conditional-access.md --- defender-endpoint/configure-conditional-access.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/defender-endpoint/configure-conditional-access.md b/defender-endpoint/configure-conditional-access.md index 29b1fb133e..e02cb5c9b6 100644 --- a/defender-endpoint/configure-conditional-access.md +++ b/defender-endpoint/configure-conditional-access.md @@ -31,28 +31,26 @@ This section guides you through all the steps you need to take to properly imple ## Before you begin > [!WARNING] -> It's important to note that Microsoft Entra registered devices aren't supported in this scenario.
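Review bot: the raw-data-export-storage.md hunk removes "as a Security Administrator" from step 1 and adds nothing in its place. Security Administrator is already a scoped role, so this change does not advance the least-privilege goal of the series and only removes useful information; keep the role name, or replace it with a link to the permission options page as the other hunks in this series do.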
-> Only Intune enrolled devices are supported. +> It's important to note that Microsoft Entra registered devices aren't supported in this scenario. Only Intune enrolled devices are supported. You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune: - IT Admin: For more information on how to enable auto-enrollment, see [Windows Enrollment](/intune/windows-enroll#enable-windows-10-automatic-enrollment) -- End-user: For more information on how to enroll your Windows 10 and Windows 11 device in Intune, see [Enroll your Windows 10 device in Intune](/intune/quickstart-enroll-windows-device) +- End user: For more information on how to enroll your Windows 10 and Windows 11 device in Intune, see [Enroll your Windows 10 device in Intune](/intune/quickstart-enroll-windows-device) - End-user alternative: For more information on joining a Microsoft Entra domain, see [How to: Plan your Microsoft Entra join implementation](/azure/active-directory/devices/azureadjoin-plan). There are steps you'll need to take in the Microsoft Defender portal, the Intune portal, and Microsoft Entra admin center. It's important to note the required roles to access these portals and implement Conditional access: -- **Microsoft Defender portal** - You'll need to sign into the portal with a Global Administrator role to turn on the integration. +- **Microsoft Defender portal** - You'll need to sign into the portal with an appropriate role to turn on integration. See [Permission options](user-roles.md#permission-options). - **Intune** - You'll need to sign in to the portal with Security Administrator rights with management permissions. -- **Microsoft Entra admin center** - You'll need to sign in as a Global Administrator, Security Administrator, or Conditional Access administrator. +- **Microsoft Entra admin center** - You'll need to sign in as a Security Administrator or Conditional Access administrator. 
> [!IMPORTANT] > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. -> [!NOTE] -> You'll need a Microsoft Intune environment, with Intune managed and Microsoft Entra joined Windows 10 and Windows 11 devices. +You'll need a Microsoft Intune environment, with Intune managed and Microsoft Entra joined Windows 10 and Windows 11 devices. Take the following steps to enable Conditional Access: From 4b9f542ef384c6d8f48c5f3dab2225d9aa0f026b Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:28:40 -0700 Subject: [PATCH 09/28] Update configure-endpoints-non-windows.md --- defender-endpoint/configure-endpoints-non-windows.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/configure-endpoints-non-windows.md b/defender-endpoint/configure-endpoints-non-windows.md index 5db28369a5..abb2439d87 100644 --- a/defender-endpoint/configure-endpoints-non-windows.md +++ b/defender-endpoint/configure-endpoints-non-windows.md 
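Review bot: the configure-conditional-access.md hunk changes "End-user:" to "End user:" in the second bullet but leaves "End-user alternative:" unchanged in the third, so the list is now internally inconsistent; apply the same form to both. Two smaller points in the same hunk: "to turn on the integration" became "to turn on integration" and should keep the article, and the Microsoft Entra admin center bullet now lists "Security Administrator or Conditional Access administrator" with inconsistent capitalization of the two role names.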
@@ -55,7 +55,7 @@ You can choose to onboard non-Windows devices through Microsoft Defender for End 3. Select **View** to open the partner's page. Follow the instructions provided on the page. - 4. After creating an account or subscribing to the partner solution, you should get to a stage where a tenant admin (or Global Administrator) is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it's aligned with the service that you require. + 4. After creating an account or subscribing to the partner solution, you should get to a stage where an administrator (such as a tenant administrator) is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it's aligned with the service that you require. > [!IMPORTANT] > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. From 9c9af28afa543a656055444abc5c20c46137efe7 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:31:13 -0700 Subject: [PATCH 10/28] Update basic-permissions.md --- defender-endpoint/basic-permissions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/basic-permissions.md b/defender-endpoint/basic-permissions.md index 267e452878..740c5c81d9 100644 --- a/defender-endpoint/basic-permissions.md +++ b/defender-endpoint/basic-permissions.md 
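Review bot: "an administrator (such as a tenant administrator)" in the configure-endpoints-non-windows.md hunk is not clearer than the text it replaces, since "tenant administrator" is not a defined role name. What the step actually requires is an account that can accept (grant admin consent for) the partner application's permission request in the tenant; say that, or link to the permission options page, so the reader knows which role to use.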
@@ -49,7 +49,7 @@ You can assign users with one of the following levels of permissions: - Connect to your Microsoft Entra ID. For more information, see [Connect-MgGraph](/powershell/microsoftgraph/authentication-commands). - - **Full access**: Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. Assigning full access rights requires adding the users to the "Security Administrator" or "Global Administrator" Microsoft Entra built-in roles. + - **Full access**: Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. Assigning full access rights requires adding the users to a role, such as Security Administrator, using Microsoft Entra built-in roles. - **Read-only access**: Users with read-only access can log in, view all alerts, and related information. From 0cedbc0f3e564e81ce38e5075f4516156fd09407 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:32:21 -0700 Subject: [PATCH 11/28] Update configure-machines.md --- defender-endpoint/configure-machines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/configure-machines.md b/defender-endpoint/configure-machines.md index e3466babfa..b39bc27aa5 100644 --- a/defender-endpoint/configure-machines.md +++ b/defender-endpoint/configure-machines.md 
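Review bot: "Assigning full access rights requires adding the users to a role, such as Security Administrator, using Microsoft Entra built-in roles" in the basic-permissions.md hunk is awkward; "requires assigning the users a Microsoft Entra built-in role such as Security Administrator" reads more naturally. Also note that this sentence describes product behaviour (which roles confer full access), and removing Global Administrator from it changes the stated behaviour rather than just the recommendation; see the assign-portal-access.md hunk later in this series, which keeps both roles.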
@@ -63,7 +63,7 @@ Before you can ensure your devices are configured properly, enroll them to Intun ## Obtain required permissions -By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Microsoft Entra ID can manage and assign the device configuration profiles needed for onboarding devices and deploying the security baseline. +By default, only users who have been assigned an appropriate role, such as the Intune Service Administrator role in Microsoft Entra ID, can manage and assign the device configuration profiles needed for onboarding devices and deploying the security baseline. > [!IMPORTANT] > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. From fdab3be5780ae4df0e536817d999cc4e5f7fd69e Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:32:36 -0700 Subject: [PATCH 12/28] Update configure-machines.md --- defender-endpoint/configure-machines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/configure-machines.md b/defender-endpoint/configure-machines.md index b39bc27aa5..5cef011900 100644 --- a/defender-endpoint/configure-machines.md +++ b/defender-endpoint/configure-machines.md @@ -14,7 +14,7 @@ ms.custom: admindeeplinkDEFENDER ms.topic: conceptual ms.subservice: onboard search.appverid: met150 -ms.date: 06/25/2024 +ms.date: 08/29/2024 --- # Ensure your devices are configured properly From 96a5c300337d39007cb3f3206a2f1d362734b012 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:36:38 -0700 Subject: [PATCH 13/28] Update configure-vulnerability-email-notifications.md --- .../configure-vulnerability-email-notifications.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
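Review bot: "By default, only users who have been assigned an appropriate role, such as the Intune Service Administrator role" in the configure-machines.md hunk is circular ("only ... an appropriate role" tells the reader nothing about which roles qualify). Since the sentence is about managing Intune device configuration profiles, name the Intune role as the requirement and keep the "appropriate role" wording out, or link to the Intune RBAC documentation.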
diff --git a/defender-endpoint/configure-vulnerability-email-notifications.md b/defender-endpoint/configure-vulnerability-email-notifications.md index dbb8cd70a6..8ea33ffd29 100644 --- a/defender-endpoint/configure-vulnerability-email-notifications.md +++ b/defender-endpoint/configure-vulnerability-email-notifications.md 
@@ -30,12 +30,12 @@ Configure Microsoft Defender for Endpoint to send email notifications to specifi If you're using [Defender for Business](/defender-business/mdb-overview), you can set up vulnerability notifications for specific users only (not roles or groups). > [!NOTE] -> - Only users with `Manage security settings` permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. [Learn more about permission options](user-roles.md) +> - Only users with `Manage security settings` permissions can configure email notifications. If you've chosen to use basic permissions management, users with an appropriate role, such as Security Administrator, can configure email notifications. [Learn more about permission options](user-roles.md) > - Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2. The notification rules allow you to set the vulnerability events that trigger notifications, and add or remove email notification recipients. New recipients get notified about vulnerabilities after they're added. -If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule. Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups. +If you're using role-based access control (RBAC), recipients only receive notifications based on the device groups that were configured in the notification rule. Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. 
Only users assigned to an administrator role, such as Security Administrator, can manage notification rules that are configured for all device groups. The email notification includes basic information about the vulnerability event. There are also links to filtered views in the Defender Vulnerability Management [Security recommendations](api/ti-indicator.md) and [Weaknesses](/defender-vulnerability-management/tvm-weaknesses) pages in the portal so you can further investigate. For example, you could get a list of all exposed devices or get additional details about the vulnerability. @@ -46,7 +46,7 @@ The email notification includes basic information about the vulnerability event. Create a notification rule to send an email when there are certain exploit or vulnerability events, such as a new public exploit. For each rule, multiple event types can be selected. -1. Sign in to the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139) and using an account with the Security administrator or Global administrator role assigned. +1. Sign in to the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139) and using an account with the Security Administrator role assigned. 2. In the navigation pane, go to **Settings** \> **Endpoints** \> **General** \> **Email notifications** \> **Vulnerabilities**. From b9af9a638c649bd2e0556bb42b2b2c19b7e9a736 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:39:08 -0700 Subject: [PATCH 14/28] Update assign-portal-access.md --- defender-endpoint/assign-portal-access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/assign-portal-access.md b/defender-endpoint/assign-portal-access.md index 2f35f42935..ab6f230c8a 100644 --- a/defender-endpoint/assign-portal-access.md +++ b/defender-endpoint/assign-portal-access.md 
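Review bot: the `@@ -46` hunk keeps a grammatical error in its `+` line: "Sign in to the [Microsoft Defender portal](...) and using an account with the Security Administrator role assigned" should be "Sign in to the Microsoft Defender portal using an account with the Security Administrator role assigned". In the `@@ -30` hunk, the sentence "Only users assigned to an administrator role, such as Security Administrator, can manage notification rules that are configured for all device groups" replaces a specific behavioural statement with a looser one; confirm that Security Administrator actually has that capability under RBAC before shipping, because the surrounding paragraph says other users are limited to their device group scope.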
@@ -40,7 +40,7 @@ Defender for Endpoint supports two ways to manage permissions: If you have already assigned basic permissions, you can switch to RBAC anytime. Consider the following before making the switch: -- Users who have full access (users who are assigned the Global Administrator or Security Administrator directory role in Microsoft Entra ID), are automatically assigned the default Defender for Endpoint administrator role, which also has full access. +- Users who have full access (users who are assigned either the Global Administrator or Security Administrator directory role in Microsoft Entra ID) are automatically assigned the default Defender for Endpoint administrator role, which also has full access. - Other Microsoft Entra user groups can be assigned to the Defender for Endpoint administrator role after switching to RBAC. - Only users who are assigned the Defender for Endpoint administrator role can manage permissions using RBAC. - Users who have read-only access (Security Readers) lose access to the portal until they are assigned a role. Only Microsoft Entra user groups can be assigned a role under RBAC. From 345c3038288fa8d5d966f8d74c6cafbb2d1e4344 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:40:27 -0700 Subject: [PATCH 15/28] Update mde-planning-guide.md --- defender-endpoint/mde-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/mde-planning-guide.md b/defender-endpoint/mde-planning-guide.md index 8d5c057b8f..921868dace 100644 --- a/defender-endpoint/mde-planning-guide.md +++ b/defender-endpoint/mde-planning-guide.md 
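Review bot: this assign-portal-access.md hunk correctly keeps "either the Global Administrator or Security Administrator directory role" as the set of roles that get full access, but the basic-permissions.md, prepare-deployment.md and rbac.md hunks in the same series drop Global Administrator from the equivalent sentences. Statements of what the product does (which roles are mapped to full access) should stay consistent and accurate across all four files; the least-privilege recommendation belongs in the IMPORTANT callout that the series already adds, not in removing a role from the behavioural description.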
@@ -54,7 +54,7 @@ The steps to deploy Defender for Endpoint are: Here's a list of prerequisites required to deploy Defender for Endpoint: -- You're a Global Administrator +- You're a Security Administrator - Your environment meets the [minimum requirements](minimum-requirements.md) - You have a full inventory of your environment. The following table provides a starting point to gather information and ensure that stakeholders understand your environment. The inventory helps identify potential dependencies and/or changes required in technologies or processes. From 09a31f65e40cc902e6a550e0b7565ef596f223b9 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:40:49 -0700 Subject: [PATCH 16/28] Update mde-planning-guide.md --- defender-endpoint/mde-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/mde-planning-guide.md b/defender-endpoint/mde-planning-guide.md index 921868dace..7d405e57bb 100644 --- a/defender-endpoint/mde-planning-guide.md +++ b/defender-endpoint/mde-planning-guide.md @@ -18,7 +18,7 @@ ms.custom: admindeeplinkDEFENDER ms.topic: conceptual ms.subservice: onboard search.appverid: met150 -ms.date: 06/26/2024 +ms.date: 08/29/2024 --- # Get started with your Microsoft Defender for Endpoint deployment From 9da50315dd5c9798b2fad8204d770b9ee59db159 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:41:39 -0700 Subject: [PATCH 17/28] Update prepare-deployment.md --- defender-endpoint/prepare-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/prepare-deployment.md b/defender-endpoint/prepare-deployment.md index 5773c0b40b..d86af29744 100644 --- a/defender-endpoint/prepare-deployment.md +++ b/defender-endpoint/prepare-deployment.md 
@@ -52,7 +52,7 @@ Microsoft recommends using [Privileged Identity Management](/azure/active-direct Defender for Endpoint supports two ways to manage permissions: -- **Basic permissions management**: Set permissions to either full access or read-only. Users with Global Administrator or Security Administrator roles in Microsoft Entra ID have full access. The Security reader role has read-only access and does not grant access to view machines/device inventory. +- **Basic permissions management**: Set permissions to either full access or read-only. Users with a role, such as Security Administrator in Microsoft Entra ID have full access. The Security reader role has read-only access and does not grant access to view machines/device inventory. - **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Microsoft Entra user groups to the roles, and granting the user groups access to device groups. For more information. see [Manage portal access using role-based access control](rbac.md). From dbe9064712be9bbdb39635bc5895c103c95b3fc6 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:45:24 -0700 Subject: [PATCH 18/28] GA fixes --- defender-endpoint/rbac.md | 4 ++-- defender-endpoint/respond-file-alerts.md | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/defender-endpoint/rbac.md b/defender-endpoint/rbac.md index 4c6ae4abea..eb2998b9f7 100644 --- a/defender-endpoint/rbac.md +++ b/defender-endpoint/rbac.md 
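Review bot: "Users with a role, such as Security Administrator in Microsoft Entra ID have full access" in the prepare-deployment.md hunk is missing the closing comma of the parenthetical and "a role" is vague; "Users with the Security Administrator role in Microsoft Entra ID have full access" is both grammatical and precise. While touching this list, the unchanged context line below it has "For more information. see [Manage portal access ...]" with a period where a comma belongs.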
@@ -66,9 +66,9 @@ To implement role-based access, you'll need to define admin roles, assign corres Before using RBAC, it's important that you understand the roles that can grant permissions and the consequences of turning on RBAC. > [!WARNING] -> Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in Microsoft Entra ID and that you have your Microsoft Entra groups ready to reduce the risk of being locked out of the portal. +> Before enabling the feature, it's important that you have an appropriate role, such as Security Administrator assigned in Microsoft Entra ID, and that you have your Microsoft Entra groups ready to reduce the risk of being locked out of the portal. -When you first sign in to the Microsoft Defender portal, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Microsoft Entra ID. Read only access is granted to users with a Security Reader role in Microsoft Entra ID. +When you first sign in to the Microsoft Defender portal, you're granted either full access or read only access. Full access rights are granted to users with the Security Administrator role in Microsoft Entra ID. Read only access is granted to users with a Security Reader role in Microsoft Entra ID. Someone with a Defender for Endpoint Global Administrator role has unrestricted access to all devices, regardless of their device group association and the Microsoft Entra user groups assignments. diff --git a/defender-endpoint/respond-file-alerts.md b/defender-endpoint/respond-file-alerts.md index bc2c0292ab..be8c843d76 100644 --- a/defender-endpoint/respond-file-alerts.md +++ b/defender-endpoint/respond-file-alerts.md 
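Review bot: in the rbac.md WARNING, "an appropriate role, such as Security Administrator assigned in Microsoft Entra ID, and that you have" misplaces the comma; "an appropriate role (such as Security Administrator) assigned in Microsoft Entra ID, and that you have" keeps the parenthetical intact. Separately, the unchanged context line "Someone with a Defender for Endpoint Global Administrator role has unrestricted access to all devices" is now the only remaining "Global Administrator" on the page and refers to the Defender for Endpoint RBAC role, not the Entra directory role this series is steering readers away from; a short clarification there would prevent the two from being conflated.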
@@ -166,10 +166,10 @@ The **Download file** button can have the following states: For Microsoft Defender for Endpoint role-based access control (RBAC): For Portable Executable file (.exe, .sys, .dll, and others) - - Global admin or Advanced live response or Alerts + - Security Administrator or Advanced live response or Alerts Non-Portable Executable file (.txt, .docx, and others) - - Global admin or Advanced live response + - Security Administrator or Advanced live response - Tenants with [role-based access (RBAC) permissions](/defender-xdr/manage-rbac) enabled @@ -212,10 +212,10 @@ The **Collect file** button can have the following states: The following permissions are required: For Portable Executable file (.exe, .sys, .dll, and others) - - Global admin or Advanced live response or Alerts + - Security Administrator or Advanced live response or Alerts Non-Portable Executable file (.txt, .docx, and others) - - Global admin or Advanced live response + - Security Administrator or Advanced live response If a file hasn't been seen in the organization in the past 30 days, **Collect file** is disabled. From 9f8a22de86cddf754164389e9e2bd68bd801822b Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:47:26 -0700 Subject: [PATCH 19/28] Update switch-to-mde-phase-2.md --- defender-endpoint/switch-to-mde-phase-2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/switch-to-mde-phase-2.md b/defender-endpoint/switch-to-mde-phase-2.md index 5faf28a7da..4f49877c65 100644 --- a/defender-endpoint/switch-to-mde-phase-2.md +++ b/defender-endpoint/switch-to-mde-phase-2.md 
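Review bot: both respond-file-alerts.md hunks (`@@ -166` for Download file and `@@ -212` for Collect file) sit under the heading "For Microsoft Defender for Endpoint role-based access control (RBAC):" and list MDE RBAC permissions ("Advanced live response", "Alerts"); "Global admin" in that list refers to the MDE RBAC administrator role, not the Entra Global Administrator directory role. Replacing it with "Security Administrator", an Entra role name, mixes the two permission models and may mislead readers into thinking the Entra role is what is checked; use the MDE RBAC role name instead and apply the same fix to both hunks.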
@@ -87,7 +87,7 @@ You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2 > - If you have Defender for Endpoint Plan 1, complete steps 1-5 in the following procedure. > - If you have Defender for Endpoint Plan 2, complete steps 1-7 in the following procedure. -1. Make sure Defender for Endpoint is provisioned. As a Global Administrator, go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. Then, in the navigation pane, select **Assets** > **Devices**. +1. Make sure Defender for Endpoint is provisioned. As a Security Administrator, go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. Then, in the navigation pane, select **Assets** > **Devices**. The following table shows what your screen might look like and what it means. From 79feec0f975e990ffbe2d0d7d2a9fec7dfe18928 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:47:40 -0700 Subject: [PATCH 20/28] Update switch-to-mde-phase-2.md --- defender-endpoint/switch-to-mde-phase-2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/switch-to-mde-phase-2.md b/defender-endpoint/switch-to-mde-phase-2.md index 4f49877c65..9f46a64e9f 100644 --- a/defender-endpoint/switch-to-mde-phase-2.md +++ b/defender-endpoint/switch-to-mde-phase-2.md @@ -6,7 +6,7 @@ ms.subservice: onboard ms.author: siosulli author: siosulli ms.localizationpriority: medium -ms.date: 07/25/2024 +ms.date: 08/29/2024 manager: deniseb audience: ITPro ms.collection: From bcc49e379c2ad0e1ef5bf262b06701786f936912 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:50:41 -0700 Subject: [PATCH 21/28] Update tamperprotection-macos.md --- defender-endpoint/tamperprotection-macos.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
diff --git a/defender-endpoint/tamperprotection-macos.md b/defender-endpoint/tamperprotection-macos.md index cfb17b4d1b..f1f9e954b5 100644 --- a/defender-endpoint/tamperprotection-macos.md +++ b/defender-endpoint/tamperprotection-macos.md @@ -74,8 +74,11 @@ You can configure the tamper protection mode by providing the mode name as enfor ## Before you begin +Make sure that the following requirements are met: + - Supported macOS versions: Big Sur (11), or later - Minimum required version for Defender for Endpoint: `101.70.19` +- You have an appropriate role assigned (see [Create and manage roles for role-based access control](user-roles.md)) > [!IMPORTANT] > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. @@ -497,7 +500,7 @@ Configure [preferences](mac-preferences.md#exclusions), for example for JAMF: ``` -Note, that excluding a scripting interpreter (like Ruby from the example above) instead of a compiled executable isn't secure, as it can run *any script*, not just the one that a Global Administrator uses. +Note, that excluding a scripting interpreter (like Ruby from the example above) instead of a compiled executable isn't secure, as it can run *any script*, not just the one that a Security Administrator uses. To minimize the risk, we recommend using extra `args` to allow only specific scripts to run with scripting interpreters. In the example above, only `/usr/bin/ruby /usr/local/bin/global_mdatp_restarted.rb` is permitted to restart Defender. 
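Review bot: In the @@ -74 hunk, the new bullet `- You have an appropriate role assigned (see [Create and manage roles for role-based access control](user-roles.md))` is the only requirement in the list without a concrete value, while the IMPORTANT note directly below already pushes readers toward least-privilege roles; stating the minimum role needed to deploy the managed profile and to read tamper protection alerts (or at least the section of user-roles.md that lists it) would make the bullet actionable. The new lead-in "Make sure that the following requirements are met:" reads fine.

Review bot: In the @@ -497 hunk, since the sentence is being edited anyway, "Note, that excluding" should read "Note that excluding". More substantively, the script in question is delivered through an MDM policy (the surrounding text allows `/usr/bin/ruby /usr/local/bin/global_mdatp_restarted.rb` via `args`), so the actor is whoever administers the MDM rather than a Microsoft Entra Security Administrator; "not just the one that an MDM administrator deploys" would be more accurate.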
@@ -530,7 +533,7 @@ configuration_is_managed : false - `tamper_protection` is the *effective* mode. If this mode is the mode you intended to use, then you're all set. - `configuration_source` indicates how tamper protection enforcement level is set. It must match how you configured tamper protection. (If you set its mode through a managed profile, and `configuration_source` shows something different, then you most probably misconfigured your profile.) - - `mdm` - it's configured through a managed profile. Only a Global Administrator can change it with an update to the profile! + - `mdm` - it's configured through a managed profile. Only a Security Administrator can change it with an update to the profile! - `local` - it's configured with `mdatp config` command - `portal` - default enforcement level set in Security Portal - `defaults` - not configured, the default mode is used From 5d8118825588ddbec8a9cec0aaee68f3dd45c3e0 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:52:18 -0700 Subject: [PATCH 22/28] Update tamperprotection-macos.md --- defender-endpoint/tamperprotection-macos.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/tamperprotection-macos.md b/defender-endpoint/tamperprotection-macos.md index f1f9e954b5..136bd0659b 100644 --- a/defender-endpoint/tamperprotection-macos.md +++ b/defender-endpoint/tamperprotection-macos.md 
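Review bot: In the @@ -530 hunk, `Only a Security Administrator can change it with an update to the profile!` ties a managed profile to a Microsoft Entra directory role, but the same bullet describes `mdm` as "configured through a managed profile", and that profile is changed by whoever administers the MDM (JAMF, Intune, or another vendor, per the rest of this file). Suggest "Only an MDM administrator can change it by updating the profile." and dropping the exclamation mark so the bullet matches the tone of its siblings (`local`, `portal`, `defaults`).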
@@ -90,7 +90,7 @@ Make sure that the following requirements are met: - Ensure that Defender for Endpoint has **Full Disk Access** authorization. > [!NOTE] - > Both having SIP enabled and all configuration done via MDM is not mandatory, but required for a fully secured device, as otherwise a local admin still can make tampering changes that macOS manages. For example, enabling **TCC** (Transparency, Consent & Control) through a Mobile Device Management solution such as [Intune](mac-install-with-intune.md), will eliminate the risk of a Global Administrator revoking **Full Disk Access** Authorization by a local admin. + > Both having SIP enabled and all configuration done via MDM is not mandatory, but is required for a fully secured device. Otherwise, a local administrator can make tampering changes that macOS manages. For example, enabling **TCC** (Transparency, Consent & Control) through a Mobile Device Management solution such as [Intune](mac-install-with-intune.md), will eliminates the risk of a Security Administrator revoking **Full Disk Access** Authorization by a local admin. ## Configure tamper protection on macOS devices 
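Review bot: The @@ -90 hunk introduces a grammar error in the new note text, "will eliminates the risk"; use "eliminates the risk". The same sentence also still names the wrong actor: the risk being removed is a local admin revoking Full Disk Access, not a Security Administrator doing so, so the clause should read along the lines of "eliminates the risk of a local admin revoking **Full Disk Access** authorization". Lastly, "Both having SIP enabled and all configuration done via MDM is not mandatory, but is required for a fully secured device" is still awkward; consider "Enabling SIP and doing all configuration through MDM are not mandatory, but both are required for a fully secured device."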
@@ -137,7 +137,7 @@ sudo mdatp config tamper-protection enforcement-level --value block ![Image of manual configuration command](media/manual-config-cmd.png) > [!NOTE] -> You must use managed configuration profile (deployed via MDM) on production devices. If a local admin changed tamper protection mode via a manual configuration, they can change it to a less restrictive mode at any time as well. If tamper protection mode was set via a managed profile, only a Global Administrator will be able to undo it. +> You must use managed configuration profile (deployed via MDM) on production devices. If a local admin changed tamper protection mode via a manual configuration, they can change it to a less restrictive mode at any time as well. If tamper protection mode was set via a managed profile, only a Security Administrator will be able to undo it. 2. Verify the result. From 5d90dae6b77fcb2e07447a0d9e812124f467d774 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 14:53:01 -0700 Subject: [PATCH 23/28] Update tamperprotection-macos.md --- defender-endpoint/tamperprotection-macos.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/tamperprotection-macos.md b/defender-endpoint/tamperprotection-macos.md index 136bd0659b..a1e19f9918 100644 --- a/defender-endpoint/tamperprotection-macos.md +++ b/defender-endpoint/tamperprotection-macos.md 
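Review bot: In the @@ -137 hunk, "You must use managed configuration profile" is missing an article ("a managed configuration profile"), and "only a Security Administrator will be able to undo it" names the wrong persona: a tamper protection mode set via a managed profile is undone by whoever updates that MDM profile, so "only an MDM administrator can undo it" is both more accurate and shorter.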
@@ -412,14 +412,14 @@ As an example, macOS can upgrade Defender's package, if tamper protection verifi There are other exclusions as well. For example, macOS MDM process can replace Microsoft's Defender's managed configuration files. -There are situations when a Global Administrator needs to restart Defender on all or some managed devices. +There are situations when a Security Administrator needs to restart Defender on all or some managed devices. Typically it's done by creating and running a JAMF's policy that runs a script on remote devices (or similar operations for other MDM vendors.) In order to avoid marking those policy-initiated operations, Microsoft Defender detects those MDM policy processes for JAMF and Intune, and permits tampering operations from them. At the same time, tamper protection blocks the same script from restarting Microsoft Defender, if it's started from a Terminal locally. However, those policy running processes are vendor specific. While Microsoft Defender provides built-in exclusions for JAMF and Intune, it can't provide those exclusions for all possible MDM vendors. -Instead, a Global Administrator can add their own exclusions to tamper protection. +Instead, a Security Administrator can add their own exclusions to tamper protection. Exclusions can be done only through MDM profile, not local configuration. To do that, you need to first figure out the path to the MDM helper process that runs policies. You can do it either by following the MDM vendor's documentation. You can also initiate tampering with a test policy, get an alert in the Security Portal, inspect the hierarchy of processes that initiated the attack, and pick the process that looks like an MDM helper candidate. From 4fbe0b4e89ae2cb1cd093857bee1a7f5b9bd5a34 Mon Sep 17 00:00:00 2001 
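Review bot: In the @@ -412 hunk, both replaced sentences describe actions carried out through the MDM ("creating and running a JAMF's policy", "Exclusions can be done only through MDM profile"), so "Security Administrator" is the wrong persona here; "an MDM administrator" fits the surrounding text. While this paragraph is being touched, the unchanged line "You can do it either by following the MDM vendor's documentation. You can also initiate tampering with a test policy..." has a dangling "either"; "You can do this either by following the MDM vendor's documentation or by initiating tampering with a test policy, ..." would read cleanly.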
From: denisebmsft Date: Thu, 29 Aug 2024 14:54:21 -0700 Subject: [PATCH 24/28] Update respond-file-alerts.md --- defender-endpoint/respond-file-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/respond-file-alerts.md b/defender-endpoint/respond-file-alerts.md index be8c843d76..de56ae88d4 100644 --- a/defender-endpoint/respond-file-alerts.md +++ b/defender-endpoint/respond-file-alerts.md @@ -220,7 +220,7 @@ The **Collect file** button can have the following states: If a file hasn't been seen in the organization in the past 30 days, **Collect file** is disabled. -> [!Important] +> [!IMPORTANT] > A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired. ## Add indicator to block or allow a file From 59575010aefd7e488ffffd8aa53da0936f3b7695 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 15:21:07 -0700 Subject: [PATCH 25/28] Update api-create-app-user-context.md --- defender-xdr/api-create-app-user-context.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defender-xdr/api-create-app-user-context.md b/defender-xdr/api-create-app-user-context.md index 30508eade9..e1e9d325e2 100644 --- a/defender-xdr/api-create-app-user-context.md +++ b/defender-xdr/api-create-app-user-context.md @@ -18,7 +18,7 @@ search.appverid: - MOE150 - MET150 ms.custom: api -ms.date: 02/16/2024 +ms.date: 08/29/2024 --- # Create an app to access Microsoft Defender XDR APIs on behalf of a user 
@@ -54,11 +54,11 @@ This article explains how to: > When accessing Microsoft Defender XDR API on behalf of a user, you will need the correct application permissions and user permissions. > [!TIP] -> If you have the permission to perform an action in the portal, you have the permission to perform the action in the API. +> If you have the permission to perform an action in the portal, you have the permission to perform the action in the API. For more information about roles and permissions, see [Manage access to Microsoft Defender XDR with Microsoft Entra global roles](m365d-permissions.md). ## Create an app -1. Sign in to [Azure](https://portal.azure.com) as a user with the **Global Administrator** role. +1. Sign in to [Azure](https://portal.azure.com). 2. Navigate to **Microsoft Entra ID** > **App registrations** > **New registration**. From 00ee8dc7be6f767d795a4038593ab7eedbed455c Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 15:21:58 -0700 Subject: [PATCH 26/28] Update api-create-app-web.md --- defender-xdr/api-create-app-web.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-xdr/api-create-app-web.md b/defender-xdr/api-create-app-web.md index 57c3443b6c..d91dd2b01a 100644 --- a/defender-xdr/api-create-app-web.md +++ b/defender-xdr/api-create-app-web.md @@ -18,7 +18,7 @@ search.appverid: - MOE150 - MET150 ms.custom: api -ms.date: 02/16/2024 +ms.date: 08/29/2024 --- # Create an app to access Microsoft Defender XDR without a user @@ -52,7 +52,7 @@ This article explains how to: ## Create an app -1. Sign in to [Azure](https://portal.azure.com) as a user with the **Global Administrator** role. +1. Sign in to [Azure](https://portal.azure.com). 2. Navigate to **Microsoft Entra ID** > **App registrations** > **New registration**. From c84775d8c834bdfe5d60bdc31229311ee336a30c Mon Sep 17 00:00:00 2001 
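Review bot: In the @@ -54 hunk of api-create-app-user-context.md, step 1 now reads "Sign in to [Azure](https://portal.azure.com)." with no indication of which role is needed to register an application, so a reader lacking the right role only finds out when **App registrations** fails. Suggest keeping a role pointer in the step, for example "Sign in to [Azure](https://portal.azure.com) with an account that has an appropriate role (see [Manage access to Microsoft Defender XDR with Microsoft Entra global roles](m365d-permissions.md))", reusing the link this same hunk adds to the TIP, or adding a "Before you begin" bullet like the one added to tamperprotection-macos.md in this series.

Review bot: The @@ -52 hunk of api-create-app-web.md has the same gap: step 1 drops the **Global Administrator** requirement without replacing it with any role guidance, and this file has no TIP linking to a permissions page. Either name the minimum role inline or link to m365d-permissions.md as the user-context article now does.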
From: denisebmsft Date: Thu, 29 Aug 2024 15:23:51 -0700 Subject: [PATCH 27/28] Update api-hello-world.md --- defender-xdr/api-hello-world.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-xdr/api-hello-world.md b/defender-xdr/api-hello-world.md index ab4356d516..c90cda8eae 100644 --- a/defender-xdr/api-hello-world.md +++ b/defender-xdr/api-hello-world.md @@ -18,7 +18,7 @@ search.appverid: - MOE150 - MET150 ms.custom: api -ms.date: 02/16/2024 +ms.date: 08/29/2024 --- # Hello World for Microsoft Defender XDR REST API @@ -40,7 +40,7 @@ It should take 5 to 10 minutes to complete this project. This time estimate incl ### Register an app in Microsoft Entra ID -1. Sign in to [Azure](https://portal.azure.com) as a user with the **Global administrator** role. +1. Sign in to [Azure](https://portal.azure.com). 2. Navigate to **Microsoft Entra ID** > **App registrations** > **New registration**. From 717cc39befc9564bdeddab5c96af2ff3a8f73363 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Thu, 29 Aug 2024 15:25:26 -0700 Subject: [PATCH 28/28] Update api-partner-access.md --- defender-xdr/api-partner-access.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/defender-xdr/api-partner-access.md b/defender-xdr/api-partner-access.md index 590ba5eded..99384a3e10 100644 --- a/defender-xdr/api-partner-access.md +++ b/defender-xdr/api-partner-access.md @@ -18,7 +18,7 @@ search.appverid: - MOE150 - MET150 ms.custom: api -ms.date: 02/16/2024 +ms.date: 08/29/2024 --- # Create an app with partner access to Microsoft Defender XDR APIs @@ -66,7 +66,7 @@ The following steps with guide you how to create a multi-tenant Microsoft Entra ## Create the multi-tenant app -1. Sign in to [Azure](https://portal.azure.com) as a user with the **Global Administrator** role. +1. Sign in to [Azure](https://portal.azure.com). 2. Navigate to **Microsoft Entra ID** > **App registrations** > **New registration**. 
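Review bot: In the @@ -40 hunk of api-hello-world.md and the @@ -66 hunk of api-partner-access.md, step 1 becomes "Sign in to [Azure](https://portal.azure.com)." and the reader is left without any statement of what role is required to reach **App registrations** > **New registration**. Rather than removing the role entirely, point to the permissions reference, for example "Sign in to [Azure](https://portal.azure.com) with an account that has an appropriate role; see [Manage access to Microsoft Defender XDR with Microsoft Entra global roles](m365d-permissions.md)", so the four API articles in this series give consistent guidance.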
@@ -117,7 +117,7 @@ The following steps with guide you how to create a multi-tenant Microsoft Entra Since your application interacts with Microsoft Defender XDR on behalf of your users, it needs be approved for every tenant on which you intend to use it. - A **Global Administrator** from your user's tenant needs to view the consent link and approve your application. + An administrator from your user's tenant needs to view the consent link and approve your application. Consent link is of the form: @@ -127,7 +127,7 @@ The following steps with guide you how to create a multi-tenant Microsoft Entra The digits `00000000-0000-0000-0000-000000000000` should be replaced with your Application ID. - After clicking on the consent link, sign in with the Global Administrator of the user's tenant and consent the application. + After clicking on the consent link, sign in as an administrator of the user's tenant and grant consent for the application. :::image type="content" source="/defender/media/app-consent-partner.png" alt-text="The consent application page in the Microsoft Defender portal" lightbox="/defender/media/app-consent-partner.png":::
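Review bot: In the @@ -117 hunk, "An administrator from your user's tenant needs to view the consent link" is vaguer than the "appropriate role" wording used elsewhere in this series and does not tell the partner which role the customer must bring to the consent prompt; consider "An administrator with a role that can grant tenant-wide admin consent" and link the same permissions reference used in the other API articles. The unchanged context line "Consent link is of the form:" is also missing an article ("The consent link is of the form:").

Review bot: In the @@ -127 hunk, "After clicking on the consent link, sign in as an administrator of the user's tenant and grant consent for the application." is correct, but "clicking on" should become "After you select the consent link" to match the "select **Assets** > **Devices**" phrasing used elsewhere in this series; the same role qualification suggested for the @@ -117 sentence applies to "an administrator" here.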