+> [!NOTE]

+> If you're a partner who's an admin on behalf of (AOBO) a customer, and you've canceled a subscription, it can take up to 90 days for the admin center to reflect the status change.

+If your subscription endsΓÇöeither because it expires, or because you decide to upgrade or cancel itΓÇöyour access to Microsoft 365 services, applications, and customer data go through multiple stages before the subscription is fully turned off, or *deleted*. If you're aware of this progression, you're better equipped to return your subscription to an active stage before it's too late, or, if you're leaving Microsoft 365, back up your data before it's ultimately deleted.

+> [!IMPORTANT]

+When your subscription expires, it goes through the following stages: Expired > Disabled > Deleted. The Expired stage starts immediately after the subscription has reached its end date.

+- **Annual subscriptions.** If you turn off recurring billing on an annual subscription, it goes through the same stages as an expired subscription. The first stage starts on the anniversary of the annual subscription, not the date that you turned off the subscription's recurring billing setting.

+- **Monthly subscriptions.** If you cancel a monthly subscription, it immediately moves to the Disabled stage on the date you cancel it. This means that your users immediately lose access to the Microsoft 365 assets, and only admins have access to the data for the next 90 days.

+| Admins have normal access to Microsoft 365, data, and apps | Admins can access the admin center | Admins can access the admin center, but can't assign licenses to users | Admins can access the admin center to buy and manage other subscriptions |

+If you cancel your subscription before its term end date, the subscription skips the Expired stage and moves directly into the Disabled stage, which is 90 days for most subscriptions, in most countries and regions. We recommend that you [back up your data](move-users-different-subscription.md) before canceling. As an admin, you can still access and back up data for your organization while it is in the Disabled stage. Any customer data that you leave behind might be deleted after 90 days and will be deleted no later than 180 days after cancellation.

+If you're a partner who's an admin on behalf of (AOBO) a customer, and you've canceled a subscription, it can take up to 90 days for the admin center to reflect the status change.

+> [!NOTE]

+> If you want your subscription data to be deleted before the typical Disabled stage is over, you can [close your account](../close-your-account.md).

+- **User access** Your users can't use services like OneDrive for Business, or access customer data like email or documents on team sites. Office applications, like Word and Excel, are eventually moved into a read-only, reduced functionality mode and display [Unlicensed Product notifications](https://support.microsoft.com/office/0d23d3c0-c19c-4b2f-9845-5344fedc4380).

+> If you explicitly delete a subscription, it skips the Expired and Disabled stages and the SharePoint Online data and content, including OneDrive, is immediately deleted.

+While a subscription is active, you and your users have normal access to your data, services like email and OneDrive for Business, and Office applications. As the admin, you'll receive a series of notifications via email and in the admin center as your subscription nears its expiration date.

+ - If **Recurring billing** is already turned on, you don't have to take any action. Your subscription is automatically billed, and you're charged for another year or month, depending on your current payment frequency. If for any reason you've turned **Recurring billing** off, you can always [turn Recurring billing back on](renew-your-subscription.md).

+ - If you bought Microsoft 365 Apps for business with a prepaid card, you can [turn on Recurring billing](renew-your-subscription.md) for your subscription.

+ - If you're an Open Volume Licensing customer with a prepaid, one-year subscription, contact your partner to buy a new product key. You'll receive instructions via email to activate your key in the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkID=282016). To learn how to find a new partner, or the partner you've worked with in the past, see [Find your partner or reseller](../../admin/manage/find-your-partner-or-reseller.md).

+ - If you're paying by credit card or invoice and you don't want to continue your subscription, [turn off Recurring billing](renew-your-subscription.md). Your subscription ends on its expiration date, and you can ignore all related email notifications.

+If you let your subscription expire, it goes through multiple stages before it's ultimately deleted. This gives you, as the admin, time to reactivate if you want to continue the service, or to back up your data if you decide you no longer want the subscription.

+Here's what you can expect when your subscription is in each stage.

+### Stage: Expired

+**What to expect:** The Expired stage lasts for 30 days for most subscriptions, including subscriptions bought through [Microsoft Open](https://go.microsoft.com/fwlink/p/?LinkID=613298), in most countries and regions. For Volume Licensing products, except for Microsoft Open, the Expired stage lasts 90 days.

+In this stage, users have normal access to the Microsoft 365 portal, Office applications, and services such as email and SharePoint Online.

+### Stage: Disabled

+In this stage, your access decreases significantly. Your users can't sign in, or access services like email or SharePoint Online. Office applications eventually move into a read-only, reduced functionality mode and display [Unlicensed Product notifications](https://support.microsoft.com/office/0d23d3c0-c19c-4b2f-9845-5344fedc4380). You can still sign in and get to the admin center, but can't assign licenses to users. Your customer data, including all user data, email, and files on team sites, is available only to you and other admins.

+### Stage: Deleted

+**What to expect:** If you don't reactivate your subscription while it's expired or disabled, the subscription is deleted.

+> - Adding a new subscription of the same type that was deleted doesn't restore the data that was associated with the deleted subscription.

+> - If a Cloud Solution Provider (CSP) license is suspended, there's no 30-day Expired stage, and services are disabled immediately. Data is deleted after 90 days if the tenant isn't reactivated by adding a new license.

+- **Buy Microsoft 365.** When your trial expires, it moves into the Expired stage, which gives you another 30 days (for most trials, in most countries and regions) to buy a Microsoft 365 subscription. To learn how to convert your trial into a paid subscription, see [Buy a subscription from your free trial](../try-or-buy-microsoft-365.md#buy-a-subscription-from-your-free-trial).

+- **Cancel the trial or let it expire.** If you decide not to buy Microsoft 365, you can let your trial expire or [cancel it](cancel-your-subscription.md). Back up any data that you want to keep. After the 30-day Expired stage ends, your trial account information and data are permanently deleted.

+## Channel limits

+|**Channel**|**Current limit**|

+|:-|:-|

+| All channels | Maximum of 25 attachments per policy match |

+| Teams | Maximum of 250 users for public channel messages for static scopes with users |

+| Teams | No support or coverage for public channel messages for adaptive scopes with users |

+|||

+- [Utimaco](https://utimaco.com/solutions/applications/double-key-encryption)

+In the descriptions that follow, a policy for retention can refer to a retention policy (no labels), or a retention label policy. Each policy defines whether it's static or adaptive and the locations for the policy to be applied.

+When you use retention policies, the policy requires one rule to complete the configuration, for example, a rule that defines the retention settings, such as retain for five years and then delete.

+|[Enable-ComplianceTagStorage](/powershell/module/exchange/enable-compliancetagstorage) <br /><br /> [Get-ComplianceTagStorage](/powershell/module/exchange/get-compliancetagstorage) |A one-time operation to create storage, or view that storage for retention labels |Exchange email <br /><br />SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups|

+|[Get-ComplianceTag](/powershell/module/exchange/get-compliancetag)<br /><br> [New-ComplianceTag](/powershell/module/exchange/new-compliancetag) <br /><br> [Remove-ComplianceTag](/powershell/module/exchange/remove-compliancetag) <br /><br> [Set-ComplianceTag](/powershell/module/exchange/set-compliancetag) |View, create, delete, configure retention labels for use with a retention label policy |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts<br /><br /> Microsoft 365 Groups|

+|[Get-RecordReviewNotificationTemplateConfig](/powershell/module/exchange/get-recordreviewnotificationtemplateconfig) <br /><br /> [Set-RecordReviewNotificationTemplateConfig](/powershell/module/exchange/set-recordreviewnotificationtemplateconfig) |View or configure the disposition review notification and reminder settings |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups|

+|[Get-RetentionCompliancePolicy](/powershell/module/exchange/get-retentioncompliancepolicy) <br /><br /> [New-RetentionCompliancePolicy](/powershell/module/exchange/new-retentioncompliancepolicy) <br /><br /> [Remove-RetentionCompliancePolicy](/powershell/module/exchange/remove-retentioncompliancepolicy) <br /><br /> [Set-RetentionCompliancePolicy](/powershell/module/exchange/set-retentioncompliancepolicy) |View, create, delete, configure retention policies |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts<br /><br /> Microsoft 365 Groups <br /><br /> Skype for Business <br /><br /> Exchange public folders <br /><br /> Teams chat messages <br /><br /> Teams channel messages |

+|[Get-RetentionComplianceRule](/powershell/module/exchange/get-retentioncompliancerule) <br /><br /> [New-RetentionComplianceRule](/powershell/module/exchange/new-retentioncompliancerule) <br /><br /> [Set-RetentionComplianceRule](/powershell/module/exchange/set-retentioncompliancerule) <br /><br /> [Remove-RetentionComplianceRule](/powershell/module/exchange/remove-retentioncompliancerule) | View, create, configure, delete settings (rules) for retention policies and retention labels |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups <br /><br /> Skype for Business <br /><br /> Exchange public folders <br /><br /> Teams chat messages <br /><br /> Teams channel messages |

+|[Get-AppRetentionCompliancePolicy](/powershell/module/exchange/get-appretentioncompliancepolicy) <br /><br> [New-AppRetentionCompliancePolicy](/powershell/module/exchange/new-appretentioncompliancepolicy) <br /><br> [Remove-AppRetentionCompliancePolicy](/powershell/module/exchange/remove-appretentioncompliancepolicy) <br /><br> [Set-AppRetentionCompliancePolicy](/powershell/module/exchange/set-appretentioncompliancepolicy) | View, create, delete, configure retention policies |Teams private channel messages <br /><br /> Yammer user messages <br /><br /> Yammer community messages|

+|[Get-AppRetentionComplianceRule](/powershell/module/exchange/get-appretentioncompliancerule) <br /><br /> [New-AppRetentionComplianceRule](/powershell/module/exchange/new-appretentioncompliancerule) <br /><br /> [Remove-AppRetentionComplianceRule](/powershell/module/exchange/remove-appretentioncompliancerule) <br /><br /> [Set-AppRetentionComplianceRule](/powershell/module/exchange/set-appretentioncompliancerule) | View, create, configure, delete settings (rules) for retention policies |Teams private channel messages <br /><br /> Yammer user messages <br /><br /> Yammer community messages|

+You can specify individual files or folders (using folder paths or fully qualified resource names). An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.

+For information about per-rule exclusions, see [Configure ASR rules per-rule exclusions](attack-surface-reduction-rules-deployment-test.md#configure-asr-rules-per-rule-exclusions).

+ :::image type="content" source="images/mem01-create-profile.png" alt-text="The Create profile page in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem01-create-profile.png":::

+ :::image type="content" source="images/mem02-profile-attributes.png" alt-text="The rule profile attributes in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem02-profile-attributes.png":::

+ :::image type="content" source="images/mem03-1-basics.png" alt-text="The basic attributes in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem03-1-basics.png":::

+ :::image type="content" source="images/mem04-2-configuration-settings.png" alt-text="The configuration settings in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem04-2-configuration-settings.png":::

+ :::image type="content" source="images/mem05-add-row-oma-uri.png" alt-text="The OMA URI configuration in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem05-add-row-oma-uri.png":::

+ :::image type="content" source="images/mem06-4-assignments.png" alt-text="The assignments in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem06-4-assignments.png":::

+ :::image type="content" source="images/mem07-5-applicability-rules.png" alt-text="The applicability rules in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem07-5-applicability-rules.png":::

+ :::image type="content" source="images/mem08-6-review-create.png" alt-text="The Review and create option in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem08-6-review-create.png":::

+Apple has fixed an issue on macOS [Ventura upgrade](<https://developer.apple.com/documentation/macos-release-notes/macos-13_1-release-notes>), which is fixed with the latest OS update.

+<details>

+ <summary>Jan-2023 (Build: 101.94.13 | Release version: 20.122112.19413.0)</summary>

+&ensp;Build: **101.94.13**<br/>

+&ensp;Release version: **20.122112.19413.0**<br/>

+&ensp;Engine version: **1.1.19900.2**<br/>

+&ensp;Signature version: **1.381.2029.0**<br/>

+**What's new**

+- Performance improvement - Adding system exclusions during full scan and quick scan

+- Bug and performance fixes

+<br/>

+</details>

+> [!IMPORTANT]

+>

+> When tamper protection is turned on, tamper protected settings cannot be changed from their default value. Changes might appear to be successful in Intune, but will not actually be allowed by tamper protection. For the most current list of tamper protected settings, contact support.

+>

+>

+> When tamper protection is turned on, tamper protected settings cannot be changed from their default value. Changes might appear to be successful in Intune, but will not actually be allowed by tamper protection. For the most current list of tamper protected settings, contact support.

+ ```powershell

+ New-MpPerformanceRecording -RecordTo <recording.etl>

+ ```

+ where `-RecordTo` parameter specifies full path location in which the trace file is saved. For more cmdlet information, see [Microsoft Defender Antivirus cmdlets](/powershell/module/defender).

+4. Analyze the results using the performance analyzer's `Get-MpPerformanceReport` parameter. For example, on executing the command `Get-MpPerformanceReport -Path <recording.etl> -TopFiles 3 -TopScansPerFile 10`, the user is provided with a list of top-ten scans for the top 3 files affecting performance.

+> When running a recording, if you get the error "Cannot start performance recording because Windows Performance Recorder is already recording", run the following command to stop the existing trace with the new command:

+Starting with Defender version 4.18.2206.X, users will be able to view scan skip reason information under "SkipReason" column. The possible values are:

+1. Optimization (typically due to performance reasons)

+```powershell

+(Get-MpPerformanceReport -Path .\Repro-Install.etl -Topscans 1000).TopScans | Export-CSV -Path .\Repro-Install-Scans.csv -Encoding UTF8 -NoTypeInformation

+```

+```powershell

+(Get-MpPerformanceReport -Path .\Repro-Install.etl -Topscans 100).TopScans | ConvertTo-Csv -NoTypeInformation

+```

+```powershell

+(Get-MpPerformanceReport -Path .\Repro-Install.etl -Topscans 1000).TopScans | ConvertTo-Json -Depth 1

+```

+To ensure machine-readable output for exporting with other data processing systems, it is recommended to use `-Raw` parameter for `Get-MpPerformanceReport`. See below for details.

+New-MpPerformanceRecording -RecordTo <String>

+```output

+Get-MpPerformanceReport [-Path] <String>

+Using \-Raw in the above command specifies that the output should be machine readable and readily convertible to serialization formats like JSON.

+```yaml

+```

+```yaml

+```

+## December 2022

+- Microsoft Defender for Endpoint Device control removable storage access control updates:

+ 1. Microsoft Endpoint Manager support for removable storage access control is now available in Intune. See [Deploy Removable Storage Access Control by using Intune user interface](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-user-interface)

+ 2. The new default enforcement policy of removable storage access control is designed for all device control features. Printer Protection is now available for this policy. If you create a Default Deny policy, printers will be blocked in your organization.

+ - Intune:*./Vendor/MSFT/Defender/Configuration/DefaultEnforcement* <br> See [Deploy and manage Removable Storage Access Control using Intune](deploy-manage-removable-storage-intune.md)

+ - Group policy: *Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement*<br> See [Deploy and manage Removable Storage Access Control using group policy](deploy-manage-removable-storage-group-policy.md)

+- Microsoft Defender for Endpoint Device control New Printer Protection solution to manage printer is now available. For more information, see

+[Printer Protection Overview](printer-protection-overview.md)

+Your exposure score is visible in the [Defender Vulnerability Management dashboard](tvm-dashboard-insights.md) in the Microsoft 365 Defender portal. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your devices are less vulnerable to exploitation.

+Exposure score is broken down into the following levels:

+## How to use exposure score to reduce your vulnerability exposure

+When software weaknesses are identified, they are transformed into recommendations and prioritized based on risk to the organization. By remediating vulnerabilities with [security recommendations](tvm-security-recommendation.md) prioritized to reduce your exposure score, you can reduce your overall vulnerability exposure.

+To view security recommendations prioritized to reduce your exposure score:

+1. Go to the **Vulnerability management** navigation menu and select **Dashboard**

+2. Select **Improve score** on the **Exposure score** card

+The security recommendations page will open with a list of security recommendations prioritized by the potential impact on your exposure score. The higher the impact on lowering your exposure by implementing a recommendation, the less vulnerable you will be to exploitation. For more information see [security recommendations impact](tvm-security-recommendation.md#impact).

+Using the top security recommendations, which can be viewed in the [Defender Vulnerability Management dashboard](tvm-dashboard-insights.md) can also help you achieve this goal.

+View recommendations, the number of weaknesses found, related components, threat insights, number of exposed devices, status, remediation type, remediation activities, impact to your exposure score and Secure Score for Devices once the recommendation is implemented, and associated tags.

+### Impact

+The impact column shows the potential impact on your exposure score and Secure Score for Devices once a recommendation is implemented. You should prioritize items that will lower your exposure score and raise your Secure Score for Devices.

+- The potential reduction in your exposure score is displayed as: :::image type="icon" source="../../media/defender-vulnerability-management/reduce-exposure-score.png" border="false":::. A lower exposure score means devices are less vulnerable to exploitation. Since the exposure score is based on a combination of factors, including new remediations or newly discovered vulnerabilities, the actual score reduction may be lower.

+- The projected increase to your Secure Score for Devices is displayed as: :::image type="icon" source="../../media/defender-vulnerability-management/increase-secure-score.png" border="false":::. A higher Secure Score for Devices means your endpoints are more resilient against cybersecurity attacks.

+If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and Secure Score for Devices, then that security recommendation is worth investigating.

+- **Anti-spoofing enhancement for internal domains and senders:**

+ - For spoofing protection, the allowed senders or domains defined in the [anti-spam policy](anti-spam-policies-configure.md) and within user allow lists must now pass authentication in order for the allowed messages to be honored. The change only impacts messages that are considered to be internal (the sender or sender's domain is in an accepted domain in the organization). All other messages will continue to be handled as they are today.

+ Title: Review and remove unnecessary allow list entries with Advanced Hunting in Microsoft Defender for Office 365

+description: Steps and sample queries for advanced hunting to start reviewing your security configuration and removing unnecessary allow list entries.

+search.product:

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+- m365-guidance-templates

+- m365-security

+- tier3

+search.appverid: met150

+# Introduction

+Historically, allow lists have told Exchange Online Protection to ignore the signals indicating an email is malicious. It is commonplace for vendors to request IPs, domains, and sender addresses be overridden unnecessarily. Attackers have been known to take advantage of this mistake and it is a pressing security loophole to have unnecessary allow list entries. This step-by-step guide will walk you through using advanced hunting to identify these misconfigured overrides and remove them, so you can increase your organization's security posture.

+## What you will need

+- Microsoft Defender for Office 365 Plan 2 (Included in E5 plans, or trial available at aka.ms/trymdo)

+- Sufficient permissions (Security reader role)

+- 5-10 minutes to do the steps below.

+## Common steps for all the below queries

+1. [Login to the security portal and navigate to advanced hunting](https://security.microsoft.com/advanced-hunting)

+2. Enter the KQL query into the query box, and press **Run Query**.

+3. Pressing the **NetworkMessageId** hyperlink for individual emails when shown in the results will load a flyout, allowing easy access to the email entity page, where the **analysis** tab will provide further details, such as the transport rule(s) which that email matched.

+4. The results can also be exported by pressing **Export** for manipulation / analysis offline.

+> [!TIP]

+> Changing **OrgLevelAction** to **UserLevelAction** will allow you to search for emails getting overridden by users rather than administrators, and can also be a useful insight.

+## Queries

+### Top override source

+Use this query to find where the most unnecessary overrides are located. This query looks for emails that have been overridden without any detection that needed an override.

+`EmailEvents

+| where OrgLevelAction == "Allow"

+| summarize count() by OrgLevelPolicy, ThreatTypes`

+### Top overridden threat type

+Use this query to find the most overridden types of threat detected. This query looks for emails that had the detected threat overridden, DMARC, or Spoof indicates email authentication issues that can be fixed to remove the *need* for the override.

+`EmailEvents

+| where OrgLevelAction == "Allow" and ThreatTypes != ""

+|summarize count() by DetectionMethods `

+### Top overridden IPs

+This query looks for emails that have been overridden by IP, without any detection that called for an override.

+`EmailEvents

+| where OrgLevelAction == "Allow" and ThreatTypes != ""

+|summarize count() by SenderIPv4

+| top 10 by count_ `

+### Top overridden domains

+This query looks for emails that have been overridden by sending domain without any detection that called for an override. **(Change to SenderMailFromDomain to check the 5321.MailFrom)**

+`EmailEvents

+| where OrgLevelAction == "Allow" and ThreatTypes != ""

+|summarize count() by SenderFromDomain

+| top 10 by count_ `

+### Top overridden senders

+This query looks for emails that have been overridden by sending address without any detection that requires an override. **(Change to SenderMailFromAddress to check the 5321.MailFrom)**

+`EmailEvents

+| where OrgLevelAction == "Allow" and ThreatTypes != ""

+|summarize count() by SenderFromAddress

+| top 10 by count_ `

+## Learn More

+Hopefully you found this useful, with some basic queries to get you started with advanced hunting, to learn more check out the below articles

+Learn more about advanced hunting: [Overview - Advanced hunting](../../defender/advanced-hunting-overview.md)

+Learn more about authentication: [Email Authentication in Exchange Online Protection](../email-authentication-about.md)

+|Use Priva to understand your organization's personal data.| Priva evaluates your organization's Microsoft 365 environment to determine the types and amounts of sensitive information types and where they're stored. It then gives you insights and key analytics to help you understand the privacy issues and associated risks in your organization.<br><br>To get started with Priva, check to make sure your users are appropriately licensed and have the roles they need. It's also a good idea to confirm that the [Microsoft 365 audit log is enabled](/privacy/priva/priva-setup#enable-the-microsoft-365-audit-log).<br><br> We recommend making some initial settings before you start. Visit Priva settings to turn [anonymization](/privacy/priva/priva-settings#anonymization) **On** for greater protection while reviewing sensitive data, and turn [user notification emails](/privacy/priva/priva-settings#user-notification-emails) **Off** while you're getting familiar with Privacy Risk Management policies. You can turn both on later.| [Learn more about Priva](/privacy/priva/priva-overview) <br><br> [Check Priva licensing guidance](/privacy/priva/priva-setup)<br><br>[Set user permissions for Priva](/privacy/priva/priva-permissions)<br><br>[Check Priva settings](/privacy/priva/priva-settings)<br><br>[Find and visualize personal data in your organization](/privacy/priva/priva-data-profile)|

+| Supported languages| Models work on all Latin alphabet languages. In addition to English: German, Swedish, French, Spanish, Italian, and Portuguese. | Current language support is for English. | Language support for [more than 100 languages](/ai-builder/form-processing-model-requirements#languages-supported). |