MC878427: Restricted Content Discoverability for SharePoint Sites

Announcement ID	MC875063		Published Date	08-27-2024
Service	Microsoft365Defender		Last Updated	08-27-2024
Category	Stay informed		Expiration Date	12-27-2024
Roadmap ID			Action Required by Date
Tags	Admin impact, New feature, User impact

Summary
Microsoft Defender for Identity will soon add new recommendations to Microsoft Secure Score, automatically updating scores to better reflect security posture. Public Preview and General Availability rollouts will begin mid-September 2024. Organizations should review Microsoft Secure Score improvement actions to prepare.

More Information

Coming soon for Microsoft Defender XDR | Microsoft Defender for Identity: We're adding to Microsoft Secure Score improvement actions to ensure a more accurate representation of security posture. We will update your score automatically. When this will happen: Public Preview: We will begin rolling out mid-September 2024 and expect to complete by late September 2024. General Availability (Worldwide, GCC, GCC High, DoD, USSec, USNat): We will begin rolling out mid-September 2024 and expect to complete by mid-October 2024. How this will affect your organization: After this rollout, the Defender XDR portal will include these new Microsoft Defender for Identity recommendations as Microsoft Secure Score improvement actions: Accounts with non-default Primary Group ID Domain Controllers with computer account password unchanged for more than 45 days GPO assigns unprivileged identities to local groups with elevated privileges GPO can be modified by unprivileged accounts GPO contains passwords Group Policy Preferences files Built-in Active Directory Guest account is enabled Unsafe permissions on the DnsAdmins group Ensure that all privileged accounts have the configuration flag "this account is sensitive and cannot be delegated" Change password of krbtgt account Change password of built-in domain Administrator account Additionally, we are updating the existing recommendation of "Modify unsecure Kerberos delegations to prevent impersonation" to include indication of Kerberos Constrained Delegation with Protocol Transition to a privileged service. These new identity recommendations are new security posture reports related to Active Directory and Group policy objects and will be available by default to customers who have installed a Defender for Identity sensor. These recommendations are on by default. What you need to do to prepare: We recommend reviewing the improvement actions listed in Microsoft Secure Score. We will continue to add suggested security improvement actions on an ongoing basis. This rollout will happen automatically by the specified date with no admin action required before the rollout. You may want to notify your admins about this change and update any relevant documentation.