title: Evaluate solutions that include Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps
3
+
title: Evaluate how Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps protect productivity workloads
4
4
metadata:
5
-
title: Evaluate Solutions That Include Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps
5
+
title: Evaluate how Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps protect productivity workloads
6
6
description: "Evaluate how Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps protect productivity and collaboration workloads, including email threat protection, CASB capabilities, and real-time session controls."
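Review bot: the metadata title on the second `+` line changes case, from the removed Title Case "Evaluate Solutions That Include Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps" to sentence case, so metadata.title and the unit title are now identical. If metadata.title is meant to be the Title Case browser/SEO title as before, use "Evaluate How Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps Protect Productivity Workloads"; if sentence case is the new convention, apply it to the other YAML file in this commit as well, which goes the other way.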
learn-pr/wwl-sci/design-solutions-secure-microsoft-365/4-design-configurations-operational-practices-microsoft-365.yml
title: Evaluate data security and compliance controls in Microsoft Copilot for Microsoft 365 services
3
+
title: Evaluate how data security and compliance controls protect organizational data used by Microsoft 365 Copilot
4
4
metadata:
5
-
title: Evaluate data security and compliance controls in Microsoft Copilot for Microsoft 365 services
5
+
title: Evaluate How Data Security and Compliance Controls Protect Organizational Data Used by Microsoft 365 Copilot
6
6
description: "Evaluate data security and compliance controls for Microsoft 365 Copilot, including sensitivity labels, DLP, Insider Risk Management, auditing, eDiscovery, retention, and DSPM for AI."
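Review bot: casing is inconsistent with the previous file: here the removed metadata.title was sentence case ("Evaluate data security and compliance controls in Microsoft Copilot for Microsoft 365 services") and the `+` line introduces Title Case ("Evaluate How Data Security and Compliance Controls Protect Organizational Data Used by Microsoft 365 Copilot"), while the other YAML file in this commit moves from Title Case to sentence case. Pick one convention for metadata.title across both units. The renamed unit title correctly uses the current product name "Microsoft 365 Copilot" rather than "Microsoft Copilot for Microsoft 365", and the description's "DSPM for AI" matches the Data Security Posture Management wording in the unit text.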
learn-pr/wwl-sci/design-solutions-secure-microsoft-365/includes/2-evaluate-security-posture-collaboration-productivity-workloads.md
Lines changed: 8 additions & 8 deletions
@@ -2,7 +2,7 @@ Evaluating security posture for productivity and collaboration workloads require
2
2
3
3
## Evaluate posture with Microsoft Secure Score
4
4
5
-
[Microsoft Secure Score](/defender-xdr/microsoft-secure-score) is a numerical measurement of your organization's security posture, available in the [Microsoft Defender portal](https://security.microsoft.com/securescore). A higher score indicates that more recommended security actions are implemented. Secure Score helps your organization:
5
+
Microsoft Secure Score is a numerical measurement of your organization's security posture, available in the Microsoft Defender portal. A higher score indicates that more recommended security actions are implemented. Secure Score helps your organization:
6
6
7
7
-**Report** on the current state of security posture across productivity workloads.
8
8
-**Improve** posture by providing discoverability, visibility, guidance, and control.
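Review bot: dropping the link text "[Microsoft Defender portal](https://security.microsoft.com/securescore)" removes the only place this unit told readers where the score is found; the `+` line now says just "available in the Microsoft Defender portal". The docs-path links (/defender-xdr/microsoft-secure-score) are being removed throughout this commit, which is fine if that is the intent, but a portal URL is a navigation target, not a docs cross-reference. Suggest keeping it in plain text, e.g. "available in the Microsoft Defender portal at https://security.microsoft.com/securescore", and stating the link-removal rationale in the commit message.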
@@ -32,7 +32,7 @@ Secure Score also covers non-Microsoft SaaS applications connected through Defen
32
32
Recommended actions are organized into four groups that align to the core dimensions of your productivity workload security:
33
33
34
34
-**Identity**: Microsoft Entra accounts and roles, including multifactor authentication, Conditional Access policies, and privileged role management.
35
-
-**Device**: Microsoft Defender for Endpoint recommendations, covered under [Microsoft Secure Score for Devices](/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices), including vulnerability management and endpoint configuration.
35
+
-**Device**: Microsoft Defender for Endpoint recommendations, including vulnerability management and endpoint configuration.
36
36
-**Apps**: Email and cloud app security, including Exchange Online protection policies and Defender for Cloud Apps configurations.
37
37
-**Data**: Microsoft Purview Information Protection recommendations, covering data classification, sensitivity labels, and data loss prevention policies.
38
38
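Review bot: the rewritten Device bullet loses more than a link: "Microsoft Secure Score for Devices" is the feature name that distinguishes the Defender for Endpoint device score from the tenant-level Secure Score this section is about, and the `+` line no longer mentions it. Keep the name in plain text while dropping the link, e.g. "**Device**: Microsoft Defender for Endpoint recommendations, surfaced as Microsoft Secure Score for Devices, including vulnerability management and endpoint configuration."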
@@ -67,7 +67,7 @@ The highest ranked actions should be prioritized first. For actions that have hi
67
67
68
68
## Extend posture evaluation with Microsoft Security Exposure Management
69
69
70
-
[Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management) builds on Secure Score by providing a unified view of security posture across your entire digital estate, including endpoints, cloud resources, and external attack surfaces. While Secure Score acts as an industry baseline and benchmark, Security Exposure Management adds deeper contextual analysis for designing holistic protection strategies for productivity workloads.
70
+
Microsoft Security Exposure Management builds on Secure Score by providing a unified view of security posture across your entire digital estate, including endpoints, cloud resources, and external attack surfaces. While Secure Score acts as an industry baseline and benchmark, Security Exposure Management adds deeper contextual analysis for designing holistic protection strategies for productivity workloads.
71
71
72
72
Key capabilities that complement Secure Score include:
[Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management) now resides within Security Exposure Management, providing a unified vulnerability management experience across your digital estate. This integration delivers several benefits for evaluating collaboration workload posture:
86
+
Microsoft Defender Vulnerability Management now resides within Security Exposure Management, providing a unified vulnerability management experience across your digital estate. This integration delivers several benefits for evaluating collaboration workload posture:
87
87
88
88
-**Unified vulnerability view**: Organizations with both Defender for Cloud and Defender for Endpoint licenses can see all vulnerabilities affecting their devices and cloud resources in a single view.
89
89
-**Risk-based prioritization**: Cloud vulnerabilities are prioritized by risk in the Defender portal, helping you focus on the most impactful issues across your productivity workloads.
90
90
-**Integrated recommendations**: Vulnerability management recommendations feed into the unified recommendations catalog, with separate views for misconfigurations and vulnerabilities to support different remediation workflows.
91
91
92
92
### Data connectors
93
93
94
-
Security Exposure Management supports [data connectors](/security-exposure-management/overview-data-connectors) that integrate with external security solutions and data sources. These connectors consolidate security data from non-Microsoft tools—such as ServiceNow CMDB for asset management, and Tenable, Qualys, and Rapid7 for vulnerability assessment—into a single unified view. Connectors for Wiz and Palo Alto Prisma extend coverage to non-Microsoft cloud security platforms.
94
+
Security Exposure Management supports data connectors that integrate with external security solutions and data sources. These connectors consolidate security data from non-Microsoft tools—such as ServiceNow CMDB for asset management, and Tenable, Qualys, and Rapid7 for vulnerability assessment—into a single unified view. Connectors for Wiz and Palo Alto Prisma extend coverage to non-Microsoft cloud security platforms.
95
95
96
96
Data collected through these connectors is normalized within the enterprise exposure graph, enriching your device inventory, mapping relationships between external assets and existing infrastructure, and revealing new attack paths. For a security architect evaluating productivity workloads, connectors provide a complete picture of posture across both Microsoft and non-Microsoft security tools.
97
97
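Review bot: two things to check in this hunk. First, "Key capabilities that complement Secure Score include:" is immediately followed in the rendered view by the Defender Vulnerability Management paragraph at line 86, with no list between them, so confirm the capability list at lines 73 to 85 is untouched and the gap is only the viewer collapsing unchanged context. Second, the `+` line "Microsoft Defender Vulnerability Management now resides within Security Exposure Management" keeps a time-relative "now" that will age badly in a learning module; "resides within" or "is part of" reads the same without dating the sentence. The data connectors `+` line changes only the link and keeps the em-dash-delimited vendor list (ServiceNow CMDB, Tenable, Qualys, Rapid7, Wiz, Palo Alto Prisma) verbatim, so no content is lost there.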
@@ -110,15 +110,15 @@ When you evaluate and design security posture for productivity and collaboration
110
110
111
111
## Evaluate AI readiness as a posture dimension
112
112
113
-
As organizations adopt generative AI tools, security posture evaluation must extend to AI-specific risks. [Data Security Posture Management (DSPM)](/purview/data-security-posture-management-learn-about) in Microsoft Purview provides AI-focused posture metrics that complement Secure Score and Security Exposure Management. DSPM tracks objectives related to data exposure prevention, oversharing risk, and policy coverage. These capabilities are covered in detail in the unit on evaluating data security controls for Microsoft 365 Copilot.
113
+
As organizations adopt generative AI tools, security posture evaluation must extend to AI-specific risks. Data Security Posture Management (DSPM) in Microsoft Purview provides AI-focused posture metrics that complement Secure Score and Security Exposure Management. DSPM tracks objectives related to data exposure prevention, oversharing risk, and policy coverage. These capabilities are covered in detail in the unit on evaluating data security controls for Microsoft 365 Copilot.
114
114
115
115
From a posture evaluation perspective, the **AI observability** dashboard in DSPM is especially relevant. It inventories all active AI apps and agents across your organization, highlights high-risk agents, and reports sensitive interactions. This gives you visibility into how AI tools interact with organizational data, which feeds directly into the posture metrics you track alongside Secure Score and Security Exposure Management.
116
116
117
-
The [Microsoft Security Dashboard for AI](https://ai.security.microsoft.com) provides a complementary executive-level view. It aggregates AI risk signals from Microsoft Entra, Microsoft Defender, and Microsoft Purview into a single dashboard, covering identity governance for AI apps, threat protection for AI workloads, data classification of AI-accessible content, and compliance posture against AI regulations. For security architects, this dashboard provides a starting point for assessing whether existing security controls adequately cover the AI attack surface.
117
+
The Microsoft Security Dashboard for AI provides a complementary executive-level view. It aggregates AI risk signals from Microsoft Entra, Microsoft Defender, and Microsoft Purview into a single dashboard, covering identity governance for AI apps, threat protection for AI workloads, data classification of AI-accessible content, and compliance posture against AI regulations. For security architects, this dashboard provides a starting point for assessing whether existing security controls adequately cover the AI attack surface.
118
118
119
119
## Align with Microsoft cloud security benchmark v2
120
120
121
-
The [Microsoft cloud security benchmark v2 (MCSBv2)](/security/benchmark/azure/overview) provides a framework of security controls that validates your posture evaluation approach against Microsoft-recommended best practices. The **Posture and Vulnerability Management (PV)** domain maps directly to the capabilities covered in this unit:
121
+
The Microsoft cloud security benchmark v2 (MCSBv2) provides a framework of security controls that validates your posture evaluation approach against Microsoft-recommended best practices. The **Posture and Vulnerability Management (PV)** domain maps directly to the capabilities covered in this unit:
122
122
123
123
| MCSBv2 control | Secure Score / MSEM alignment |
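Review bot: removing "[Microsoft Security Dashboard for AI](https://ai.security.microsoft.com)" drops the dashboard's address, and unlike the DSPM and MCSBv2 docs links in this same hunk that is a product URL the reader needs in order to open the view being described; keep the URL in the prose as done for other portals. Separately, the unchanged table header that follows uses "MSEM", but in the lines visible in this file the product is only ever spelled out as "Microsoft Security Exposure Management" and the abbreviation is never introduced; add "(MSEM)" at the first mention under "## Extend posture evaluation with Microsoft Security Exposure Management".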
learn-pr/wwl-sci/design-solutions-secure-microsoft-365/includes/3-design-microsoft-defender-365-solution.md
Lines changed: 9 additions & 14 deletions
@@ -1,10 +1,8 @@
1
1
As a security architect, you need to evaluate how Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps protect your organization's productivity and collaboration workloads. These solutions address different but complementary attack surfaces: Defender for Office 365 focuses on email and collaboration-based threats, while Defender for Cloud Apps extends protection to SaaS applications. Both integrate into Microsoft Defender XDR (Extended Detection and Response), providing correlated signals and unified incident management across the full kill chain.
2
2
3
-
:::image type="content" source="../media/defender-xdr-integration.png" lightbox="../media/defender-xdr-integration.png" alt-text="An image that shows how Microsoft's XDR solution seamlessly integrates with Microsoft Sentinel in the Microsoft Defender portal.":::
3
+
## Evaluate how Microsoft Defender for Office 365 protects collaboration workloads
4
4
5
-
## Evaluate Microsoft Defender for Office 365
6
-
7
-
[Microsoft Defender for Office 365](/defender-office-365/mdo-about) protects your organization against sophisticated threats in email and collaboration tools, including phishing, zero-day malware, and business email compromise (BEC). It's available in two plans that build on the built-in security features included with all cloud mailboxes.
5
+
Microsoft Defender for Office 365 protects your organization against sophisticated threats in email and collaboration tools, including phishing, zero-day malware, and business email compromise (BEC). It's available in two plans that build on Exchange Online Protection (EOP), which provides built-in anti-malware, anti-spam, anti-spoofing, and zero-hour auto purge (ZAP) for all cloud mailboxes.
8
6
9
7
### Plan 1: Prevention and detection
10
8
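Review bot: the removed ":::image:::" block was the only mention of Microsoft Sentinel in this intro (its alt text described the XDR solution integrating with Sentinel in the Defender portal); the unchanged first paragraph still says both products "integrate into Microsoft Defender XDR", so nothing is left dangling, but if Sentinel integration is part of what an architect evaluates here, it now has no home in this unit. The new EOP sentence on the `+` line is a good addition because it names the baseline controls (anti-malware, anti-spam, anti-spoofing, ZAP) that the Plan 1 and Plan 2 sections build on; make sure those sections do not re-list them as Defender for Office 365 features. The heading move (new "## Evaluate how ..." directly after the intro, old "## Evaluate Microsoft Defender for Office 365" and its surrounding blank lines removed) accounts for the 10-to-8 line change.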
@@ -34,9 +32,9 @@ When you evaluate Defender for Office 365 for your organization, consider the fo
34
32
-**Preset security policies**: Use preset security policies as a baseline configuration. These follow Microsoft-recommended defaults and simplify initial deployment. Customize policies as your organization's threat landscape evolves.
35
33
-**XDR integration**: Defender for Office 365 feeds alerts and signals into Microsoft Defender XDR, correlating email-based threats with endpoint, identity, and cloud app signals. This cross-domain correlation is essential for detecting multi-stage attacks.
36
34
37
-
## Evaluate Microsoft Defender for Cloud Apps
35
+
## Evaluate how Microsoft Defender for Cloud Apps protects SaaS applications
38
36
39
-
[Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps) is a cloud access security broker (CASB) that delivers full protection for SaaS applications. It provides visibility into cloud app usage, enforces real-time access controls, and protects sensitive data stored in cloud services.
37
+
Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that delivers full protection for SaaS applications. It provides visibility into cloud app usage, enforces real-time access controls, and protects sensitive data stored in cloud services.
40
38
41
39
### Core capabilities
42
40
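Review bot: the `+` line "Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that delivers full protection for SaaS applications" keeps "full protection", an absolute that the "### Core capabilities" section right below qualifies by enumerating four areas; since this line was being rewritten anyway, "delivers protection for SaaS applications across four areas" would be more defensible. The renamed heading "Evaluate how Microsoft Defender for Cloud Apps protects SaaS applications" parallels the Defender for Office 365 heading in the previous hunk, which is consistent.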
@@ -52,15 +50,13 @@ Defender for Cloud Apps addresses four key areas:
52
50
53
51
### Conditional Access App Control
54
52
55
-
[Conditional Access App Control](/defender-cloud-apps/proxy-intro-aad) uses a reverse proxy architecture integrated with Microsoft Entra Conditional Access to monitor and control user sessions in real time. Access and session policies enable granular controls, including:
53
+
Conditional Access App Control uses a reverse proxy architecture integrated with Microsoft Entra Conditional Access to monitor and control user sessions in real time. Access and session policies enable granular controls, including:
56
54
57
55
- Blocking downloads of sensitive documents on unmanaged devices.
58
56
- Requiring reauthentication when sensitive actions occur during a session.
59
57
- Protecting downloaded files by applying encryption and sensitivity labels.
60
58
- Preventing uploads of unlabeled files that contain sensitive content.
61
59
- Blocking uploads of potentially malicious files by scanning against Microsoft Threat Intelligence.
62
-
- Monitoring user sessions for compliance and logging activities for investigation.
63
-
64
60
For a security architect, Conditional Access App Control is a critical capability that bridges identity-based access decisions with real-time data protection. It extends Zero Trust principles into SaaS application sessions.
65
61
66
62
### Continuous threat protection through Microsoft Defender XDR
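Review bot: the removed bullet "Monitoring user sessions for compliance and logging activities for investigation" was the only item in this list describing the detection side of Conditional Access App Control (session logging that investigators can use) rather than a block or protect action, and the unchanged paragraph that follows still claims the capability "bridges identity-based access decisions with real-time data protection". Unless it was cut as redundant with "### Continuous threat protection through Microsoft Defender XDR" below, keep it; as the list stands it now reads as enforcement-only, which understates what session policies give a security operations team.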
@@ -79,15 +75,14 @@ When you evaluate Defender for Cloud Apps, consider the following:
79
75
80
76
## Evaluate AI-specific threat protection
81
77
82
-
Defender for Cloud Apps plays a central role in discovering and governing generative AI applications across your organization. The cloud app catalog includes a **Generative AI** category covering more than a thousand AI apps, including ChatGPT, Google Gemini, and other large language model tools. Each app receives a risk score based on more than 90 risk factors spanning security, compliance, and legal criteria.
78
+
Defender for Cloud Apps plays a central role in discovering and governing generative AI applications across your organization. The cloud app catalog includes a **Generative AI** category covering more than a thousand AI apps, each scored against the same 90+ risk factors used for all cataloged applications.
83
79
84
80
For security architects, the key design decisions around AI app governance include:
85
81
86
-
-**Shadow AI discovery**: Deploy cloud discovery to identify which generative AI apps employees use. Filter on the Generative AI category to see usage patterns, user counts, and traffic volumes for each app.
82
+
-**Shadow AI discovery**: Deploy cloud discovery to identify which generative AI apps employees use. Filter on the Generative AI category to see usage patterns, user counts, and traffic volumes. Create app discovery policies to trigger alerts when new AI apps appear in your environment.
87
83
-**App sanctioning and blocking**: Based on risk scores and compliance requirements, sanction approved AI apps and unsanction those that don't meet your security standards. Unsanctioned apps are automatically blocked on devices onboarded to Defender for Endpoint.
88
-
-**Discovery policies for new AI apps**: Create app discovery policies that trigger alerts when new Generative AI apps appear in your environment. This ensures continuous monitoring as new AI tools enter the market.
89
-
-**Session controls for AI apps**: Apply [Conditional Access App Control](/defender-cloud-apps/proxy-intro-aad) session policies to sanctioned AI apps to monitor and restrict how data flows between your organization and these services.
84
+
-**Session controls for AI apps**: Apply Conditional Access App Control session policies to sanctioned AI apps to monitor and restrict data flows between your organization and AI services.
90
85
91
-
Defender for Cloud Apps also provides dedicated threat detections for [Microsoft 365 Copilot](/defender-cloud-apps/release-notes#new-threat-detections-for-microsoft-copilot-for-microsoft-365). Security teams receive alerts when users interact with Copilot under suspicious conditions, such as access from risky IP addresses. These signals integrate with Microsoft Defender XDR incidents, giving your security operations team visibility into AI-related threats alongside traditional attack patterns.
86
+
Defender for Cloud Apps also provides threat detections for Microsoft 365 Copilot, alerting security teams when users interact with Copilot under suspicious conditions such as access from risky IP addresses. These signals integrate into Defender XDR incidents, providing visibility into AI-related threats alongside traditional attack patterns.
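Review bot: folding "Discovery policies for new AI apps" into the "Shadow AI discovery" bullet is a sensible consolidation, but the merged `+` line drops the reason for the policy ("ensures continuous monitoring as new AI tools enter the market"), which is the design justification an architect would cite; a trailing clause such as "so coverage keeps pace as new AI tools appear" preserves it. Style: the rewritten catalog sentence mixes "more than a thousand" with "90+"; use "more than 90" as the removed line did. The removed Copilot line pointed to the release-notes anchor that lists the Copilot detections; with that link gone, "access from risky IP addresses" is the only example left, so either keep the link or name one more detection in the prose.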