articles/security/fundamentals/backup-plan-to-protect-against-ransomware.md (1 addition & 1 deletion)
@@ -117,7 +117,7 @@ Apply these best practices before an attack.
117
117
| Protect (or print) supporting documents and systems required for recovery such as restoration procedure documents, CMDB, network diagrams, and SolarWinds instances. | Attackers deliberately target these resources because it impacts your ability to recover. |
118
118
| Ensure you have well-documented procedures for engaging any third-party support, particularly support from threat intelligence providers, antimalware solution providers, and from the malware analysis provider. Protect (or print) these procedures. | Third-party contacts may be useful if the given ransomware variant has known weaknesses or decryption tools are available. |
119
119
| Ensure backup and recovery strategy includes: <br><br>Ability to back up data to a specific point in time. <br><br>Multiple copies of backups are stored in isolated, offline (air-gapped) locations. <br><br>Recovery time objectives that establish how quickly backed up information can be retrieved and put into production environment. <br><br>Rapid restore of back up to a production environment/sandbox. | Backups are essential for resilience after an organization has been breached. Apply the 3-2-1 rule for maximum protection and availability: 3 copies (original + 2 backups), 2 storage types, and 1 offsite or cold copy. |
120
-
| Protect backups against deliberate erasure and encryption: <br><br>Store backups in offline or off-site storage and/or immutable storage. <br><br>Require out of band steps (such as [MFA](/entra/identity/authentication/concept-mfa-howitworks.md) or a security PIN) before permitting an online backup to be modified or erased. <br><br>Create private endpoints within your Azure Virtual Network to securely back up and restore data from your Recovery Services vault. | Backups that are accessible by attackers can be rendered unusable for business recovery. <br><br>Offline storage ensures robust transfer of backup data without using any network bandwidth. Azure Backup supports [offline backup](../../backup/offline-backup-overview.md), which transfers initial backup data offline, without the use of network bandwidth. It provides a mechanism to copy backup data onto physical storage devices. The devices are then shipped to a nearby Azure datacenter and uploaded onto a [Recovery Services vault](../../backup/backup-azure-recovery-services-vault-overview.md). <br><br>Online immutable storage (such as [Azure Blob](../../storage/blobs/immutable-storage-overview.md)) enables you to store business-critical data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval. <br><br>[Multifactor authentication (MFA)](/entra/identity/authentication/concept-mfa-howitworks.md) should be mandatory for all admin accounts and is strongly recommended for all users. The preferred method is to use an authenticator app rather than SMS or voice where possible. When you set up Azure Backup you can configure your recovery services to enable MFA using a security PIN generated in the Azure portal. This ensures that a security pin is generated to perform critical operations such as updating or removing a recovery point. |
120
+
| Protect backups against deliberate erasure and encryption: <br><br>Store backups in offline or off-site storage and/or immutable storage. <br><br>Require out of band steps (such as [MFA](/entra/identity/authentication/concept-mfa-howitworks) or a security PIN) before permitting an online backup to be modified or erased. <br><br>Create private endpoints within your Azure Virtual Network to securely back up and restore data from your Recovery Services vault. | Backups that are accessible by attackers can be rendered unusable for business recovery. <br><br>Offline storage ensures robust transfer of backup data without using any network bandwidth. Azure Backup supports [offline backup](../../backup/offline-backup-overview.md), which transfers initial backup data offline, without the use of network bandwidth. It provides a mechanism to copy backup data onto physical storage devices. The devices are then shipped to a nearby Azure datacenter and uploaded onto a [Recovery Services vault](../../backup/backup-azure-recovery-services-vault-overview.md). <br><br>Online immutable storage (such as [Azure Blob](../../storage/blobs/immutable-storage-overview.md)) enables you to store business-critical data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval. <br><br>[Multifactor authentication (MFA)](/entra/identity/authentication/concept-mfa-howitworks) should be mandatory for all admin accounts and is strongly recommended for all users. The preferred method is to use an authenticator app rather than SMS or voice where possible. When you set up Azure Backup you can configure your recovery services to enable MFA using a security PIN generated in the Azure portal. This ensures that a security pin is generated to perform critical operations such as updating or removing a recovery point. |
121
121
| Designate [protected folders](/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). | Makes it more difficult for unauthorized applications to modify the data in these folders. |
122
122
| Review your permissions: <br><br>Discover broad write/delete permissions on file shares, SharePoint, and other solutions. Broad is defined as many users having write/delete permissions for business-critical data. <br><br>Reduce broad permissions while meeting business collaboration requirements. <br><br>Audit and monitor to ensure broad permissions don’t reappear. | Reduces risk from broad access-enabling ransomware activities. |
123
123
| Protect against a phishing attempt: <br><br>Conduct security awareness training regularly to help users identify a phishing attempt and avoid clicking on something that can create an initial entry point for a compromise. <br><br>Apply security filtering controls to email to detect and minimize the likelihood of a successful phishing attempt. | The most common method used by attackers to infiltrate an organization is phishing attempts via email. [Exchange Online Protection (EOP)](/microsoft-365/security/office-365-security/exchange-online-protection-overview) is the cloud-based filtering service that protects your organization against spam, malware, and other email threats. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes. <br><br>An example of a security filtering control for email is [Safe Links](/microsoft-365/security/office-365-security/safe-links). Safe Links is a feature in Defender for Office 365 that provides scanning and rewriting of URLs and links in email messages during inbound mail flow, and time-of-click verification of URLs and links in email messages and other locations (Microsoft Teams and Office documents). Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in EOP. Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks. <br><br>Learn more about [anti-phishing protection](/microsoft-365/security/office-365-security/tuning-anti-phishing). |
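Review bot: In the changed row (the "Protect backups against deliberate erasure and encryption" entry), dropping `.md` from the two `/entra/identity/authentication/concept-mfa-howitworks` links matches the other absolute, cross-docset paths in this file (`/windows/security/threat-protection/microsoft-defender-atp/controlled-folders`, `/microsoft-365/security/office-365-security/safe-links`), which carry no extension, while the relative in-repo links (`../../backup/offline-backup-overview.md`, `../../storage/blobs/immutable-storage-overview.md`) correctly keep it. Since the row is being touched anyway, two small wording fixes would fit the same change: `out of band steps` should be hyphenated as `out-of-band steps`, and `a security pin is generated` should match the `security PIN` capitalization used earlier in the same cell.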
articles/security/fundamentals/overview.md (6 additions & 6 deletions)
@@ -503,9 +503,9 @@ Microsoft uses multiple security practices and technologies across its products
503
503
504
504
-[Microsoft Authenticator](https://aka.ms/authenticator) provides a user-friendly multifactor authentication experience that works with both Microsoft Entra ID and Microsoft accounts. It includes support for wearables and fingerprint-based approvals.
505
505
506
-
-[Password policy enforcement](/entra/identity/authentication/concept-sspr-policy.md) increases the security of traditional passwords by imposing length and complexity requirements, forced periodic rotation, and account lockout after failed authentication attempts.
506
+
-[Password policy enforcement](/entra/identity/authentication/concept-sspr-policy) increases the security of traditional passwords by imposing length and complexity requirements, forced periodic rotation, and account lockout after failed authentication attempts.
507
507
508
-
-[Token-based authentication](/entra/identity-platform/authentication-vs-authorization.md) enables authentication via Microsoft Entra ID.
508
+
-[Token-based authentication](/entra/identity-platform/authentication-vs-authorization) enables authentication via Microsoft Entra ID.
509
509
510
510
-[Azure role-based access control (Azure RBAC)](../../role-based-access-control/built-in-roles.md) enables you to grant access based on the user’s assigned role. It's easy to give users only the amount of access they need to perform their job duties. You can customize Azure RBAC per your organization’s business model and risk tolerance.
511
511
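Review bot: The two link fixes in this hunk (`concept-sspr-policy` and `authentication-vs-authorization`) follow the same rule as the rest of the commit: absolute `/entra/...` paths lose the `.md` suffix, while the relative `../../role-based-access-control/built-in-roles.md` link in the trailing context keeps it because it resolves inside this repo. One content point while the password-policy line is being edited: it presents `forced periodic rotation` as something that increases security alongside length and complexity requirements, which is contested guidance; the linked `concept-sspr-policy` page is the place to confirm whether that claim should stay, be softened, or be dropped rather than re-asserted unchanged.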
@@ -516,19 +516,19 @@ Microsoft uses multiple security practices and technologies across its products
516
516
517
517
| Free or common features | Basic features |Premium P1 features |Premium P2 features | Microsoft Entra join – Windows 10 only related features|
| [Directory Objects](/entra/fundamentals/active-directory-whatis.md), [User/Group Management (add/update/delete)/ User-based provisioning, Device registration](/entra/fundamentals/active-directory-whatis.md), [single sign-on (SSO)](/entra/fundamentals/active-directory-whatis.md), [Self-Service Password Change for cloud users](/entra/fundamentals/active-directory-whatis.md), [Connect (Sync engine that extends on-premises directories to Microsoft Entra ID)](/entra/fundamentals/active-directory-whatis.md), [Security / Usage Reports](/entra/fundamentals/active-directory-whatis.md) | [Group-based access management / provisioning](/entra/fundamentals/active-directory-whatis.md), [Self-Service Password Reset for cloud users](/entra/fundamentals/active-directory-whatis.md), [Company Branding (sign in Pages/Access Panel customization)](/entra/fundamentals/active-directory-whatis.md), [Application Proxy](/entra/fundamentals/active-directory-whatis.md), [SLA 99.9%](/entra/fundamentals/active-directory-whatis.md) | [Self-Service Group and app Management/Self-Service application additions/Dynamic Groups](/entra/fundamentals/active-directory-whatis.md), [Self-Service Password Reset/Change/Unlock with on-premises write-back](/entra/fundamentals/active-directory-whatis.md), [multifactor authentication (Cloud and On-premises (MFA Server))](/entra/fundamentals/active-directory-whatis.md), [MIM CAL + MIM Server](/entra/fundamentals/active-directory-whatis.md), [Cloud App Discovery](/entra/fundamentals/active-directory-whatis.md), [Connect Health](/entra/fundamentals/active-directory-whatis.md), [Automatic password rollover for group accounts](/entra/fundamentals/active-directory-whatis.md)| [Identity Protection](/entra/id-protection/overview-identity-protection.md), [Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-configure.md)| [Join a device to Microsoft Entra ID, Desktop SSO, Microsoft Passport for Microsoft Entra ID, Administrator 
BitLocker recovery](/entra/fundamentals/active-directory-whatis.md), [MDM autoenrollment, Self-Service BitLocker recovery, extra local administrators to Windows 10 devices via Microsoft Entra join](/entra/fundamentals/active-directory-whatis.md)|
519
+
| [Directory Objects](/entra/fundamentals/active-directory-whatis.md), [User/Group Management (add/update/delete)/ User-based provisioning, Device registration](/entra/fundamentals/active-directory-whatis.md), [single sign-on (SSO)](/entra/fundamentals/active-directory-whatis.md), [Self-Service Password Change for cloud users](/entra/fundamentals/active-directory-whatis.md), [Connect (Sync engine that extends on-premises directories to Microsoft Entra ID)](/entra/fundamentals/active-directory-whatis.md), [Security / Usage Reports](/entra/fundamentals/active-directory-whatis.md) | [Group-based access management / provisioning](/entra/fundamentals/active-directory-whatis.md), [Self-Service Password Reset for cloud users](/entra/fundamentals/active-directory-whatis.md), [Company Branding (sign in Pages/Access Panel customization)](/entra/fundamentals/active-directory-whatis.md), [Application Proxy](/entra/fundamentals/active-directory-whatis.md), [SLA 99.9%](/entra/fundamentals/active-directory-whatis.md) | [Self-Service Group and app Management/Self-Service application additions/Dynamic Groups](/entra/fundamentals/active-directory-whatis.md), [Self-Service Password Reset/Change/Unlock with on-premises write-back](/entra/fundamentals/active-directory-whatis.md), [multifactor authentication (Cloud and On-premises (MFA Server))](/entra/fundamentals/active-directory-whatis.md), [MIM CAL + MIM Server](/entra/fundamentals/active-directory-whatis.md), [Cloud App Discovery](/entra/fundamentals/active-directory-whatis.md), [Connect Health](/entra/fundamentals/active-directory-whatis.md), [Automatic password rollover for group accounts](/entra/fundamentals/active-directory-whatis.md)| [Identity Protection](/entra/id-protection/overview-identity-protection), [Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-configure)| [Join a device to Microsoft Entra ID, Desktop SSO, Microsoft Passport for Microsoft Entra ID, Administrator BitLocker 
recovery](/entra/fundamentals/active-directory-whatis.md), [MDM autoenrollment, Self-Service BitLocker recovery, extra local administrators to Windows 10 devices via Microsoft Entra join](/entra/fundamentals/active-directory-whatis.md)|
520
520
521
521
-[Cloud App Discovery](/cloud-app-security/set-up-cloud-discovery) is a premium feature of Microsoft Entra ID that enables you to identify cloud applications that employees in your organization use.
522
522
523
-
-[Microsoft Entra ID Protection](/entra/id-protection/overview-identity-protection.md) is a security service that uses Microsoft Entra anomaly detection capabilities to provide a consolidated view into risk detections and potential vulnerabilities that could affect your organization’s identities.
523
+
-[Microsoft Entra ID Protection](/entra/id-protection/overview-identity-protection) is a security service that uses Microsoft Entra anomaly detection capabilities to provide a consolidated view into risk detections and potential vulnerabilities that could affect your organization’s identities.
524
524
525
525
-[Microsoft Entra Domain Services](https://azure.microsoft.com/products/microsoft-entra-ds/) enables you to join Azure VMs to a domain without the need to deploy domain controllers. Users sign in to these VMs by using their corporate Active Directory credentials, and can seamlessly access resources.
526
526
527
527
-[Microsoft Entra B2C](https://www.microsoft.com/security/business/identity-access/microsoft-entra-id) is a highly available, global identity management service for consumer-facing apps that can scale to hundreds of millions of identities and integrate across mobile and web platforms. Your customers can sign in to all your apps through customizable experiences that use existing social media accounts, or you can create new standalone credentials.
528
528
529
-
-[Microsoft Entra B2B Collaboration](/entra/external-id/what-is-b2b.md) is a secure partner integration solution that supports your cross-company relationships by enabling partners to access your corporate applications and data selectively by using their self-managed identities.
529
+
-[Microsoft Entra B2B Collaboration](/entra/external-id/what-is-b2b) is a secure partner integration solution that supports your cross-company relationships by enabling partners to access your corporate applications and data selectively by using their self-managed identities.
530
530
531
-
-[Microsoft Entra joined](/entra/identity/devices/overview.md) enables you to extend cloud capabilities to Windows 10 devices for centralized management. It makes it possible for users to connect to the corporate or organizational cloud through Microsoft Entra ID and simplifies access to apps and resources.
531
+
-[Microsoft Entra joined](/entra/identity/devices/overview) enables you to extend cloud capabilities to Windows 10 devices for centralized management. It makes it possible for users to connect to the corporate or organizational cloud through Microsoft Entra ID and simplifies access to apps and resources.
532
532
533
533
-[Microsoft Entra application proxy](/entra/identity/app-proxy/application-proxy.md) provides SSO and secure remote access for web applications hosted on-premises.
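Review bot: The link-extension fix is incomplete in this hunk. The trailing context line `[Microsoft Entra application proxy](/entra/identity/app-proxy/application-proxy.md)` still carries `.md` on an absolute `/entra/...` path, and the changed table row keeps `.md` on every one of its `/entra/fundamentals/active-directory-whatis.md` links while only the `Identity Protection` and `Privileged Identity Management` links in that same row were corrected. Apply the same rule to those paths in this commit so the table does not end up half-fixed. Separately, the row's cell text is wrapped differently before and after (`Administrator` / `BitLocker recovery` versus `Administrator BitLocker` / `recovery`); if that break is present in the source rather than an artifact of this view, confirm the row is still a single line, since a hard line break inside a pipe-table cell breaks the table render.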