From c456731193fa5ad666d17f613b1cb6eac45c9a8a Mon Sep 17 00:00:00 2001 
From: Zvi Avidor Date: Thu, 4 Oct 2018 16:17:11 +0300 Subject: [PATCH] add roles info to docs --- ...indows-defender-advanced-threat-protection-new.md | 10 ++++++---- ...indows-defender-advanced-threat-protection-new.md | 1 - ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 4 ++++ ...indows-defender-advanced-threat-protection-new.md | 8 +++++--- ...indows-defender-advanced-threat-protection-new.md | 8 +++++--- ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 4 ++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 4 ++++ ...indows-defender-advanced-threat-protection-new.md | 6 ++++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 4 ++++ ...indows-defender-advanced-threat-protection-new.md | 4 ++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 12 ++++++++---- .../windows-defender-atp/machineactionsnote.md | 6 ++++++ ...indows-defender-advanced-threat-protection-new.md | 8 ++++++-- ...ts-windows-defender-advanced-threat-protection.md | 4 ++-- ...indows-defender-advanced-threat-protection-new.md | 9 
++++++--- .../windows-defender-atp/run-advanced-query-api.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 9 ++++++--- ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 9 +++++++-- ...indows-defender-advanced-threat-protection-new.md | 5 +++++ 35 files changed, 173 insertions(+), 27 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-atp/machineactionsnote.md diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md index 0070c9376a..7783e25c09 100644 --- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md @@ -19,10 +19,10 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] - - Collect investigation package from a machine. +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) 
@@ -31,8 +31,10 @@ Permission type | Permission | Permission display name Application | Machine.CollectForensics | 'Collect forensics' Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics' ->[!IMPORTANT] -> This response action is available for machines on Windows 10, version 1703 or later. +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md index e5e7d337a8..94288d30d6 100644 --- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md @@ -30,7 +30,6 @@ One of the following permissions is required to call this API. To learn more, in Permission type | Permission | Permission display name :---|:---|:--- Application | Alerts.ReadWrite.All | 'Read and write all alerts' -Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' ## HTTP request ``` 
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md index 15d829c27a..61c158ed1b 100644 --- a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md @@ -33,6 +33,11 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp}) diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md index 6e7721ecde..6ed27e2648 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md 
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md @@ -29,6 +29,11 @@ Permission type | Permission | Permission display name Application | URL.Read.All | 'Read URLs' Delegated (work or school account) | URL.Read.All | 'Read URLs' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/alerts/{id}/domains diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md index 7fe0e0b9d5..951363752e 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md 
@@ -29,6 +29,11 @@ Permission type | Permission | Permission display name Application | File.Read.All | 'Read file profiles' Delegated (work or school account) | File.Read.All | 'Read file profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/alerts/{id}/files diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md index 20d5a2ffac..2aaf342cae 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md 
@@ -31,6 +31,11 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/alerts/{id}/machine diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md index abdd6ee9d9..8e6501fcf1 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md 
@@ -30,6 +30,11 @@ Permission type | Permission | Permission display name Application | User.Read.All | 'Read user profiles' Delegated (work or school account) | User.Read.All | 'Read user profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/alerts/{id}/user diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md index a05d4dba9b..205805378d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -34,6 +34,11 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md index b8b7730bad..fc469816ef 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -36,6 +36,11 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/domains/{domain}/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md index a039d49807..e1d21e0582 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -35,6 +35,11 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine ``` GET /api/domains/{domain}/machines ``` +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Only machines that the user can access, based on machine group settings will be listed (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## Request headers diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md index 1625a17a50..7bfd097dd2 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md @@ -30,6 +30,10 @@ Permission type | Permission | Permission display name Application | URL.Read.All | 'Read URLs' Delegated (work or school account) | URL.Read.All | 'Read URLs' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/domains/{domain}/stats 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md index c817a1c653..63aabdd191 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md @@ -21,9 +21,6 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] - - - Retrieves a file by identifier Sha1, Sha256, or MD5. ## Permissions @@ -34,6 +31,11 @@ Permission type | Permission | Permission display name Application | File.Read.All | 'Read all file profiles' Delegated (work or school account) | File.Read.All | 'Read all file profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + + ## HTTP request ``` GET /api/files/{id} diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md index 3c3605bebb..284cb68225 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -22,9 +22,6 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] - - - Retrieves a collection of alerts related to a given file hash. ## Permissions 
@@ -37,6 +34,11 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/files/{id}/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md index e977dc59f9..ca74749c35 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -32,6 +32,11 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/files/{id}/machines diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md index e8a8ede6fd..a53c06b80a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md @@ -34,6 +34,10 @@ Permission type | Permission | Permission display name Application | File.Read.All | 'Read file profiles' Delegated (work or school account) | File.Read.All | 'Read file profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/files/{id}/stats 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md index 4d83cb3d73..92ca8d53d4 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -32,6 +32,11 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/ips/{ip}/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md index c2e1dcab6e..f68e1e12b1 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -32,6 +32,11 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/ips/{ip}/machines diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md index 990bd3f852..cdeaa1e441 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md @@ -32,6 +32,10 @@ Permission type | Permission | Permission display name Application | Ip.Read.All | 'Read IP address profiles' Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/ips/{ip}/stats 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md index 4683167dfb..ed3fde05b1 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md @@ -32,6 +32,12 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + + ## HTTP request ``` GET /api/machines/{id} diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md index 61cb0e8c02..5dad09904f 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md 
@@ -30,6 +30,11 @@ Permission type | Permission | Permission display name Application | User.Read.All | 'Read user profiles' Delegated (work or school account) | User.Read.All | 'Read user profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include users only if the machine is visible to the user, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/machines/{id}/logonusers diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md index 16fef6228a..0a8170f0fd 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -32,6 +32,11 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/machines/{id}/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md index bcdbd711ec..17e20f0b73 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md @@ -31,6 +31,10 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET https://api.securitycenter.windows.com/api/machineactions/{id} 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md index e11cd96856..d057cb5c85 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md @@ -34,6 +34,10 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET https://api.securitycenter.windows.com/api/machineactions diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md index d114cf97cb..8f2008c14a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md 
@@ -34,6 +34,11 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET https://api.securitycenter.windows.com/api/machines diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md index b59b11034b..bf4cb3c934 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md 
@@ -29,6 +29,11 @@ Permission type | Permission | Permission display name Application | Machine.CollectForensics | 'Collect forensics' Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET https://api.securitycenter.windows.com/api/machineactions/{machine action id}/getPackageUri diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md index 604f6fe959..33e7130f36 100644 --- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md @@ -21,6 +21,8 @@ ms.date: 12/08/2017 Isolates a machine from accessing external network. +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) 
@@ -29,9 +31,11 @@ Permission type | Permission | Permission display name Application | Machine.Isolate | 'Isolate machine' Delegated (work or school account) | Machine.Isolate | 'Isolate machine' ->[!IMPORTANT] ->- Full isolation is available for machines on Windows 10, version 1703. ->- Selective isolation is available for machines on Windows 10, version 1709 or later. +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` @@ -55,7 +59,7 @@ IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'S **IsolationType** controls the type of isolation to perform and can be one of the following: - Full – Full isolation -- Selective – Restrict only limited set of applications from accessing the network +- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) for more details) ## Response diff --git a/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md new file mode 100644 index 0000000000..fcbd68ecec --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md 
@@ -0,0 +1,6 @@ +--- +ms.date: 08/28/2017 +author: zavidor +--- +>[!Note] +> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via WDATP. diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md index b40d39cbc3..13b8574222 100644 --- a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md @@ -21,6 +21,8 @@ ms.date: 12/08/2017 Offboard machine from WDATP. +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) @@ -29,8 +31,10 @@ Permission type | Permission | Permission display name Application | Machine.Offboard | 'Offboard machine' Delegated (work or school account) | Machine.Offboard | 'Offboard machine' ->[!IMPORTANT] -> This response action is available for machines on Windows 10, version 1703 or later. +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to 'Global Admin' AD role +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ``` 
diff --git a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 064fb37360..132ae5943b 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -181,7 +181,7 @@ Depending on the severity of the attack and the sensitivity of the machine, you This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. -On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. +On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation'). >[!NOTE] >You’ll be able to reconnect the machine back to the network at any time. @@ -197,7 +197,7 @@ On Windows 10, version 1709 or later, you'll have additional control over the ne ![Image of isolate machine](images/atp-actions-isolate-machine.png) -3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated. +3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated (a.k.a. 'Selective Isolation'). ![Image of isolation confirmation](images/atp-confirm-isolate.png) 
diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md index 962dad7581..90321fb7ff 100644 --- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -21,6 +21,8 @@ ms.date: 12/08/2017 Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information) +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) 
@@ -29,9 +31,10 @@ Permission type | Permission | Permission display name Application | Machine.RestrictExecution | 'Restrict code execution' Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution' ->[!IMPORTANT] -> - This action is available for machines on Windows 10, version 1709 or later. -> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md index 7e312d08e8..86899b1396 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md 
@@ -39,6 +39,11 @@ Permission type | Permission | Permission display name Application | AdvancedQuery.Read.All | 'Run advanced queries' Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to 'Global Admin' AD role +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` POST /advancedqueries/query diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md index 85c37a2cc6..f8a0432c1d 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md @@ -21,6 +21,8 @@ ms.date: 12/08/2017 Initiate Windows Defender Antivirus scan on a machine. +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) 
@@ -29,9 +31,10 @@ Permission type | Permission | Permission display name Application | Machine.Scan | 'Scan machine' Delegated (work or school account) | Machine.Scan | 'Scan machine' ->[!IMPORTANT] ->- This action is available for machines on Windows 10, version 1709 or later. ->- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md index 5aaccd64f1..205ee3432c 100644 --- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md 
@@ -29,6 +29,11 @@ Permission type | Permission | Permission display name Application | Machine.Isolate | 'Isolate machine' Delegated (work or school account) | Machine.Isolate | 'Isolate machine' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` POST https://api.securitycenter.windows.com/api/machines/{id}/unisolate diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md index 4deeaa4646..fd0479fd8a 100644 --- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -19,10 +19,10 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] - - Enable execution of any application on the machine. +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) 
@@ -31,6 +31,11 @@ Permission type | Permission | Permission display name Application | Machine.RestrictExecution | 'Restrict code execution' Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` POST https://api.securitycenter.windows.com/api/machines/{id}/unrestrictCodeExecution diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md index 81c8f8d9ac..762ae2251a 100644 --- a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md 
@@ -30,6 +30,11 @@ Permission type | Permission | Permission display name Application | Alerts.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` PATCH /api/alerts/{id}
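Review bot: in the get-alerts note, "Response will include only alerts, associated with machines, that the user have access to" has stray commas and a number-agreement error; suggest "The response includes only alerts associated with machines that the user has access to, based on machine group settings". Also, every admonition added in this patch is written as `>[!Note]`, while the existing pages use the upper-case `>[!NOTE]` and `>[!IMPORTANT]` forms (see the respond-machine-alerts context lines); use `>[!NOTE]` consistently.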
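Review bot: the notes added to get-machineaction-object and get-machineactions-collection state the 'View Data' requirement but, unlike the get-machines and get-alerts notes, say nothing about machine-group scoping. If machine actions on machines outside the user's machine groups are filtered out of the response, document it the same way as on get-machines; if they are not, state that explicitly, since a delegated caller with only 'View Data' would then see actions on machines they cannot otherwise access.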
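Review bot: in the get-machines note, "machines,that the user have access to" is missing a space after the comma and should read "machines that the user has access to".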
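Review bot: the isolate-machine hunk deletes the IMPORTANT block stating that full isolation requires Windows 10, version 1703 and selective isolation requires version 1709 or later, and puts the roles note in its place instead of alongside it. The selective-isolation requirement is only partly recoverable through the new link to respond-machine-alerts; the 1703 requirement for full isolation is lost entirely. Keep the IMPORTANT block and add the new Note below it.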
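Review bot: the new include file machineactionsnote.md carries `ms.date: 08/28/2017`, which predates the commit (4 Oct 2018) by more than a year; set it to the date the file was actually written. Since this include is pulled into every machine-action page, the wording also deserves a second look: "response actions functionality via WDATP" reads awkwardly, and "response actions in Windows Defender ATP" would be clearer and matches the product name used elsewhere in these pages.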
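Review bot: in the offboard-machine note, "The user needs to 'Global Admin' AD role" is missing a verb; suggest "The user needs to have the 'Global Admin' AD role". The same hunk also removes the IMPORTANT line stating that offboarding is available for Windows 10, version 1703 or later, without moving it anywhere; keep it next to the new Note. Finally, this is the only machine action in the patch gated on a directory role rather than on a Windows Defender ATP role permission; if that is intended, one sentence explaining why would help administrators who are assigning roles.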
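Review bot: the two respond-machine-alerts hunks spell the abbreviation differently ("a.k.a" in the first, "a.k.a." in the second); pick one form. Since the term is being introduced here to match the `IsolationType` value 'Selective' on the isolate-machine page, naming the other value ('Full') in the same sentence would make the mapping between the portal option and the API value explicit.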
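Review bot: the restrict-code-execution hunk drops the IMPORTANT block together with its link to the Windows Defender Application Control code integrity policy formats and signing requirements. Nothing in the new Note replaces that requirement, and it is the prerequisite a caller is most likely to hit when the action fails, so keep the IMPORTANT block (including the 1709 availability line) and add the roles Note beneath it.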
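Review bot: in the run-advanced-query-api note, "The user needs to 'Global Admin' AD role" is missing a verb, and the second bullet refers to "access to the machine" although this endpoint is not scoped to a single machine. Rewrite it along the lines of the get-machines note: results include only data from machines the user has access to, based on machine group settings. Also confirm that a Global Admin directory role is really required for advanced queries; every other read endpoint in this patch is gated on the 'View Data' role permission, and the permission table directly above lists only AdvancedQuery.Read for delegated callers.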
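Review bot: the run-av-scan hunk removes the IMPORTANT block, including the statement that the scan can run while Windows Defender AV is in passive mode alongside another antivirus product and the link to the antivirus compatibility page. Nothing in the new Note covers this, so keep the IMPORTANT block and add the Note after it.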
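Review bot: the update-alert note requires only the 'View Data' role permission for a PATCH that modifies an alert, the same permission the read-only get-alerts page lists, while get-package-sas-uri requires 'Alerts Investigation'. Confirm that 'View Data' is really sufficient to update alerts; if alert updates are meant to need an investigation permission, this note under-states the requirement. Unrelated to the change but visible in its context lines, the application permission is spelled `Alerts.ReadWrite.All` here and `Alert.ReadWrite.All` on the get-alerts page; one of the two is likely wrong.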