+ > Bookings supports up to 100 staff members in a Bookings Calendar.

+> [!IMPORTANT]

+> Sensitive information types have two different ways of defining the max unique instance count parameters. To learn more, see [Instance count supported values for SIT](create-a-custom-sensitive-information-type.md#instance-count-supported-values-for-sit).

+ - Incoming email is labeled when there is a match with your auto-labeling conditions. If the label is configured for [encryption](encryption-sensitivity-labels.md), that encryption is applied when the sender is from your organization but not applied when the sender is outside your organization.

+ - When the label applies encryption, the [Rights Management issuer and Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner) is the person who sends the email.

+> [!IMPORTANT]

+> Sensitive information types have two different ways of defining the max unique instance count parameters. To learn more, see [Instance count supported values for SIT](create-a-custom-sensitive-information-type.md#instance-count-supported-values-for-sit).

+ Title: "Use data connectors to import and archive third-party data in Microsoft 365"

+# Learn about connectors for third-party data

+Microsoft 365 lets administrators use data connectors to import and archive non-Microsoft, third-party data from social media platforms, instant messaging platforms, and document collaboration platforms, to mailboxes in your Microsoft 365 organization. One primary benefit of using data connectors to import and archive third-party data in Microsoft 365 is that you can apply various Microsoft 365 compliance solutions to the data after it's been imported. This helps you ensure that your organization's non-Microsoft data is in compliance with the regulations and standards that affect your organization.

+Watch this interactive guide that demonstrates how to create data connectors to import and archive third-party data and examples of applying compliance solutions to data after it's imported to Microsoft 365.

+### Copy and modify a sensitive information type

+Use this procedure to create a new sensitive information type that is based on an existing sensitive information type.

+1. In the Compliance Center, go to **Data classification** \> **Sensitive info types** and choose the sensitive information type that you want to copy.

+2. In the flyout, choose **Copy**.

+3. Choose **Refresh** in the list of sensitive information types and either browse or search for the copy you just made. Partial sting searches work, so you could just search for `copy` and search would return all the sensitive information types with the word `copy` in the name.

+4. Fill in values for **Name** and **Description** and choose **Next**.

+5. Choose your sensitive information type copy and choose **Edit**.

+6. Give your new sensitive information type a new **Name** and **Description**.

+7. You can choose to edit or remove the existing patterns and add new ones. Choose the default confidence level for the new pattern. The values are **Low confidence**, **Medium confidence**, and **High confidence**.

+8. Choose and define **Primary element**. The primary element can be a **Regular expression**, a **Keyword list**, a **Keyword dictionary**, or one of the pre-configured **Functions**. See, [What the DLP functions look for](what-the-dlp-functions-look-for.md).

+9. Fill in a value for **Character proximity**.

+10. (Optional) If you have **Supporting elements** or any [**Additional checks**](#more-information-on-additional-checks) add them. If needed you can group your **Supporting elements**.

+11. Choose **Create**.

+12. Choose **Next**.

+13. Choose the **recommended confidence level** for this sensitive information type.

+14. Check your setting and choose **Submit**.

+|UserId|The user who performed the action (specified in the **Operation** property) that resulted in the record being logged. Audit records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included in the audit log. Another common value for the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. <br/><br/>For more information, see:<br/> [The app\@sharepoint user in audit records](search-the-audit-log-in-security-and-compliance.md#the-appsharepoint-user-in-audit-records)<br/> or <br/>[System accounts in Exchange mailbox audit records](search-the-audit-log-in-security-and-compliance.md#system-accounts-in-exchange-mailbox-audit-records). |All|

+ Title: Office TLS Certificate Changes

+description: How to prepare for upcoming changes to Office TLS certificates.

+audience: Developer

+ms.localizationpriority: medium

+# Office TLS Certificate Changes

+Microsoft 365 is updating services powering messaging, meetings, telephony, voice, and video to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current Root CA will expire in May 2025.

+Affected products include:

+- Microsoft Teams

+- Skype

+- Skype for Business Online

+- Microsoft Dynamics 365

+- GroupMe

+- Kaizala

+- Azure Communication Services

+Affected endpoints include (but are not limited to):

+- *.teams.microsoft.com

+- *.skype.com

+- *.skypeforbusiness.com

+- *.groupme.com

+- *.communication.azure.com

+- *.operatorconnect.microsoft.com

+This change will not affect certificates, domains, or services used in the US Government, China, or Germany national cloud instances of Microsoft 365.

+All certificate information in this article was previously provided in [Microsoft 365 encryption chains](./encryption-office-365-certificate-chains.md) no later than October 2020.

+## When will this change happen?

+Services will begin transitioning to the new Root CAs beginning in Jan 2022, possibly continuing into the third quarter (July-Sept) 2022.

+## What is changing?

+Today, most of the TLS certificates used by Microsoft 365 services chain up to the following Root CA:

+| Common Name of the CA | Thumbprint (SHA1) |

+|--|--|

+| [Baltimore CyberTrust Root](https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt) | d4de20d05e66fc53fe1a50882c78db2852cae474 |

+with one of the following Intermediate CAs:

+| Common Name of the CA | Thumbprint (SHA1) |

+|--|--|

+| [Microsoft RSA TLS CA 01](http://www.microsoft.com/pki/mscorp/Microsoft%20RSA%20TLS%20CA%2001.crt) | 703d7a8f0ebf55aaa59f98eaf4a206004eb2516a |

+| [Microsoft RSA TLS CA 02](http://www.microsoft.com/pki/mscorp/Microsoft%20RSA%20TLS%20CA%2002.crt) | b0c2d2d13cdd56cdaa6ab6e2c04440be4a429c75 |

+New TLS certificates used by Microsoft 365 services will now chain up to one of the following Root CAs:

+| Common Name of the CA | Thumbprint (SHA1) |

+|--|--|

+| [DigiCert Global Root G2](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt) | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |

+| [Microsoft RSA Root Certificate Authority 2017](https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt) | 73a5e64a3bff8316ff0edccc618a906e4eae4d74 |

+| [Microsoft ECC Root Certificate Authority 2017](https://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt) | 999a64c37ff47d9fab95f14769891460eec4c3c5 |

+with one of the following Intermediate CAs:

+| Common Name of the CA | Thumbprint (SHA1) |

+|--|--|

+| [Microsoft Azure TLS Issuing CA 01](http://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2001%20-%20xsign.crt) | 2f2877c5d778c31e0f29c7e371df5471bd673173 |

+| [Microsoft Azure TLS Issuing CA 02](http://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2002%20-%20xsign.crt) | e7eea674ca718e3befd90858e09f8372ad0ae2aa |

+| [Microsoft Azure TLS Issuing CA 05](http://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2005%20-%20xsign.crt) | 6c3af02e7f269aa73afd0eff2a88a4a1f04ed1e5 |

+| [Microsoft Azure TLS Issuing CA 06](http://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2006%20-%20xsign.crt) | 30e01761ab97e59a06b41ef20af6f2de7ef4f7b0 |

+## Will this change affect me?

+The Root CA "DigiCert Global Root G2" is widely trusted by operating systems including Windows, macOS, Android, and iOS and by browsers such as Microsoft Edge, Chrome, Safari, and Firefox. We expect that **most Microsoft 365 customers will not be impacted**.

+However, **your application may be impacted if it explicitly specifies a list of acceptable CAs**. This practice is known as "certificate pinning". Customers who do not have the new Root CAs in their list of acceptable CAs will receive certificate validation errors, which may impact the availability or function of your application.

+Here are some ways to detect if your application may be impacted:

+- Search your source code for the thumbprint, Common Name, or other properties of any of the Intermediate CAs found [here](https://www.microsoft.com/pki/mscorp/cps/default.htm). If there is a match, then your application will be impacted. To resolve this problem, update the source code to add the properties of the new CAs. As a best practice, ensure that CAs can be added or edited on short notice. Industry regulations require CA certificates to be replaced within seven days in some circumstances, so applications that implement certificate pinning must react to these changes swiftly.

+- .NET exposes the `System.Net.ServicePointManager.ServerCertificateValidationCallback` and the `System.Net.HttpWebRequest.ServerCertificateValidationCallback` callback functions, which allow developers to use custom logic to determine if certificates are valid rather than relying on the standard Windows certificate store. A developer can add logic that checks for a specific Common Name or thumbprint or only allows a specific Root CA such as "Baltimore CyberTrust Root". If your application uses these callback functions, you should make sure that it accepts both the old and new Root and Intermediate CAs.

+- Native applications may be using `WINHTTP_CALLBACK_STATUS_SENDING_REQUEST`, which allows native applications to implement custom certificate validation logic. Usage of this notification is rare and requires a significant amount of custom code to implement. Similar to the above, ensure that your application accepts both the old and new Root and Intermediate CAs.

+- If you use an application that integrates with Microsoft Teams, Skype, Skype for Business Online, or Microsoft Dynamics APIs and you are unsure if it uses certificate pinning, check with the application vendor.

+- Different operating systems and language runtimes that communicate with Azure services may require other steps to correctly build and validate the new certificate chains:

+ - **Linux**: Many distributions require you to add CAs to `/etc/ssl/certs`. For specific instructions, refer to the distribution's documentation.

+ - **Java**: Ensure that the Java key store contains the CAs listed above.

+ - **Windows running in disconnected environments**: Systems running in disconnected environments will need to have the new Root CAs added to their `Trusted Root Certification Authorities` store and the new Intermediate CAs added to their `Intermediate Certification Authorities` store.

+ - **Android**: Check the documentation for your device and version of Android.

+ - **IoT or embedded devices**: Embedded devices such as TV set top boxes often ship with a limited set of root authority certificates and have no easy way to update the certificate store. If you write code for, or manage deployments of, custom embedded or IoT devices, make sure the devices trust the new Root CAs. You may need to contact the device manufacturer.

+- If you have an environment where firewall rules allow outbound calls only to specific endpoints, allow the following Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) URLs:

+ - http://crl3.digicert.com

+ - http://crl4.digicert.com

+ - http://ocsp.digicert.com

+ - http://crl.microsoft.com

+ - http://oneocsp.microsoft.com

+ - http://ocsp.msocsp.com

+ - http://www.microsoft.com/pkiops

+- If you are impacted by this change, you may see error messages dependent on the type of environment you are running in and scenario you are impacted by. Check Windows Application event logs, CAPI2 event logs, and custom application logs for messages that look like:

+ ```

+ An operation failed because the following certificate has validation errors:

+

+ Subject Name: CN=teams.microsoft.com

+ Issuer Name: CN=Microsoft Azure TLS Issuing CA 01, O=Microsoft Corporation, C=US

+

+ Errors:

+

+ The root of the certificate chain is not a trusted root authority.

+ ```

+## When can I retire the old CA information?

+The current Root CA, Intermediate CA, and leaf certificates will not be revoked. The existing CA Common Names and/or thumbprints will be required through at least Feb 2023 based on the lifetime of existing certificates.

+|Message kind|The message type to search. This is the same property as the Kind email property. Possible values: <ul><li>contacts</li><li>docs</li><li>email</li><li>externaldata</li><li>fax</li><li>im</li><li>journals</li><li>meetings</li><li>microsoftteams</li><li>notes</li><li>posts</li><li>rssfeeds</li><li>tasks</li><li>voicemail</li></ul>|

+|Equals any of|`(property=value) OR (property=value)`|Used with conditions for properties that specify a string value. Returns items that are a match of one or more specified string values.|

+- Any condition that uses an operator with **Contains** and **Equals** logic will return similar search results for simple string searches. A simple string search is a string in the condition that doesn't include a wildcard). For example, a condition that uses **Equals any of** will return the same items as a condition that uses **Contains any of**.

+|Added delegate mailbox permissions|Add-MailboxPermission|An administrator assigned the FullAccess mailbox permission to a user (known as a delegate) to another person's mailbox. The FullAccess permission allows the delegate to open the other person's mailbox, and read and manage the contents of the mailbox. The audit record for this activity is also generated when a system account in the Microsoft 365 service periodically performs maintenance tasks in behalf of your organization. A common task performed by a system account is updating the permissions for system mailboxes. For more information, see [System accounts in Exchange mailbox audit records](#system-accounts-in-exchange-mailbox-audit-records).|

+#### System accounts in Exchange mailbox audit records

+In audit records for some mailbox activities (especially **Add-MailboxPermissions**), you may notice the user who performed the activity (and is identified in the User and UserId fields) is NT AUTHORITY\SYSTEM or NT AUTHORITY\SYSTEM(Microsoft.Exchange.Servicehost). This indicates that the "user" who performed the activity was a system account in Exchange service in the Microsoft cloud. This system account often performs scheduled maintenance tasks on behalf of your organization. For example, a common audited activity performed by the NT AUTHORITY\SYSTEM(Microsoft.Exchange.ServiceHost) account is to update the permissions on the DiscoverySearchMailbox, which is a system mailbox. The purpose of this update is to verify that the FullAccess permission (which is the default) is assigned to the Discovery Management role group for the DiscoverySearchMailbox. This ensures that eDiscovery administrators can perform necessary tasks in their organization.

+Another system user account that may be identified in an audit record for **Add-MailboxPermission** is Administrator@apcprd03.prod.outlook.com. This service account is also included in mailbox audit records related to verifying and updating the FullAccess permission is assigned to the Discovery Management role group for the DiscoverySearchMailbox system mailbox. Specifically, audit records that identify the Administrator@apcprd03.prod.outlook.com account are typically triggered when Microsoft support personnel run an RBAC role diagnostic tool on behalf of your organization.

+- pattern: A pattern defines what a sensitive information type detects. It consists of the following components.

+ - Primary element ΓÇô The main element that the sensitive information type is looking for. It can be a **regular expression** with or without a checksum validation, a **keyword list**, a **keyword dictionary**, or a **function**.

+ - Supporting element ΓÇô Elements that act as supporting evidence that help in increasing the confidence of the match. For example, keyword "SSN" in proximity to an SSN number. It can be a regular expression with or without a checksum validation, keyword list, keyword dictionary.

+ - Proximity ΓÇô Number of characters between primary and supporting element.

+In a sensitive information type entity definition, **confidence level** reflects how much supporting evidence is detected in addition to the primary element. The more supporting evidence an item contains, the higher the confidence that a matched item contains the sensitive info you're looking for. For example, matches with a high confidence level will contain more supporting evidence in close proximity to the primary element, whereas matches with a low confidence level would contain little to no supporting evidence in close proximity.

+- **low confidence**: Matched items will contain the fewest false negatives but the most false positives. Low confidence returns all low, medium, and high confidence matches. The low confidence level has a value of 65.

+- **medium confidence**: Matched items will contain an average amount of false positives and false negatives. Medium confidence returns all medium, and high confidence matches. The medium confidence level has a value of 75.

+- **high confidence**: Matched items will contain the fewest false positives but the most false negatives. High confidence only returns high confidence matches and has a value of 85.

+You can choose from several options to create custom sensitive information types in the Compliance Center.

+- **Use the UI** - You can set up a custom sensitive information type using the Compliance Center UI. With this method, you can use regular expressions, keywords, and keyword dictionaries. To learn more, see [Create a custom sensitive information type](create-a-custom-sensitive-information-type.md).

+- **Use EDM** - You can set up custom sensitive information types using Exact Data Match (EDM)-based classification. This method enables you to create a dynamic sensitive information type using a secure database that you can refresh periodically. See [Learn about exact data match based sensitive information types](sit-learn-about-exact-data-match-based-sits.md#learn-about-exact-data-match-based-sensitive-information-types).

+- **Use PowerShell** - You can set up custom sensitive information types using PowerShell. Although this method is more complex than using the UI, you have more configuration options. See [Create a custom sensitive information type in Security & Compliance Center PowerShell](create-a-custom-sensitive-information-type-in-scc-powershell.md).

+> This support is available for sensitive information types. See, [Information protection support for double byte character sets release notes](mip-dbcs-relnotes.md) for more information.

+> Along with Chinese/Japanese/double byte characters, if the list of keywords/phrases also contain non Chinese/Japanese words also (like English only), you should create two dictionaries/keyword lists. One for keywords containing Chinese/Japanese/double byte characters and another one for English only.

+> - For example, if you want to create a keyword dictionary/list with three phrases "Highly confidential", "機密性が高い" and "机密的document", the you should create two keyword lists.

+|[Support co-authoring and AutoSave](sensitivity-labels-coauthoring.md) for labeled and encrypted documents | Current Channel: 2107+ <br /><br> Monthly Enterprise Channel: 2107+ <br /><br> Semi-Annual Enterprise Channel: 2202+ | 16.51+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |

+- M365-security-compliance

+Microsoft Defender for Endpoint Device Control Device Installation enables you to do the following task:

+| Licensing requirements | Defender for Endpoint Plan 1 (formerly referred to as Microsoft Defender for Endpoint Lite)|

+- [Get started with Defender for Endpoint Plan 1](mde-plan1-getting-started.md)

+To view all the services that are not running, run the following Powershell cmdlet:

+```console

+sc query state= all

+```

+- Your devices must be [onboarded to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/onboarding).

+1. Set up tenant attach. To learn more, see [Get started: Create and deploy endpoint security policies from the admin center](/mem/configmgr/tenant-attach/endpoint-security-get-started).

+ - In the **Platform** list, select **Windows 10, Windows 11, and Windows Server (ConfigMgr)**.

+Defender for Office 365 in evaluation mode creates Defender for Office 365 email policies that log verdicts, such as malware, but don't act on messages. You're not required to change your MX record configuration.

+With evaluation mode, [Safe Attachments](safe-attachments.md), [Safe Links](safe-links.md), and [mailbox intelligence in anti-pishing policies](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) are set up on your behalf. All Defender for Office 365 policies are created in non-enforcement mode in the background and are not visible to you.

+As part of the setup, evaluation mode also configures [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) (also known as _skip listing_). This configuration improves filtering accuracy by preserving IP address and sender information, which are otherwise lost when mail passes through an email security gateway (ESG) in front of Defender for Office 365. Enhanced Filtering for Connectors also improves the filtering accuracy for your existing Exchange Online Protection (EOP) anti-spam and anti-phishing policies.

+Enhanced Filtering for Connectors improves filtering accuracy but may alter deliverability for certain messages if you have an ESG in front of Defender for Office 365 and currently don't bypass EOP filtering. The impact is limited to EOP policies; Defender for Office 365 policies set up as part of the evaluation are created in non-enforcement mode. To minimize potential production impact, you can bypass most EOP filtering by creating a mail flow rule (also known as a transport rule) to set the spam confidence level (SCL) of messages to -1. See [Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl) for details.

+When the evaluation mode is set up, you'll have a daily report with up to 90 days of data quantifying the messages that would have been blocked if the policies were implemented (for example, delete, send to junk, quarantine). Reports are generated for all Defender for Office 365 and EOP detections. Reports are aggregated per detection technology (for example, impersonation) and can be filtered by time range. Additionally, message reports can be created on-demand to create custom pivots or to deep dive messages using Explorer.

+With the simplified set up experience, you can focus on:

+Once you have the proper role, the recommended path is to obtain a trial license for Microsoft Defender for Office 365 (Plan 2) in the Microsoft 365 admin center at <https://admin.microsoft.com> and then go to **Billing** \> **Purchase services** and then find and select the Microsoft Defender for Office 365 (Plan 2) trial. Or, to go directly to the trial page, use <https://admin.microsoft.com/AdminPortal/Home#/catalog/offer-details/microsoft-defender-for-office-365-plan-2-/223860DC-15D6-42D9-A861-AE05473069FA)> The trial includes a 30-day free trial for 25 licenses.

+**Exchange Online roles** are required to set up Defender for Office 365 in evaluation mode. Assigning a Microsoft 365 compliance or security admin role won't work.

+Prepare the corresponding details that you'll need to set up how your email is currently routed, including the name of the inbound connector that routes your mail. If you're just using Exchange Online Protection, you won't have a connector. [Learn about mail flow and email routing](/office365/servicedescriptions/exchange-online-service-description/mail-flow)

+If you're using a third-party email security gateway (ESG), you'll need to know the provider's name. If you're using an on-premises ESG or non-supported vendors, you'll need to know the public IP address(es) for the devices.

+You'll be able to scope the evaluation to an inbound connector. If there's no connector configured, then the evaluation scope will allow admins to gather data from any user in your tenant to evaluate Defender for Office 365.

+Once you start the set-up flow for your evaluation, you'll be given two routing options. Depending on your organization's mail routing setup and evaluation needs, you can select whether you're using a third-party and/or on-premises service provider or only Microsoft Exchange Online.

+- If you're using a third-party partner and/or on-premises service provider, you'll need to select the name of the vendor from the drop-down menu. Provide the other connector-related details.

+- Select **Microsoft Exchange Online** if the MX record points to Microsoft and you have an Exchange Online mailbox.

+If you have an existing gateway, enabling evaluation mode will activate Enhanced Filtering for Connectors. This feature improves filtering accuracy by altering the incoming sender IP address. This feature might change the filter verdicts, and if you're not bypassing Exchange Online Protection, this may alter deliverability for certain messages. In this case, you might want to temporarily bypass filtering to analyze impact. To bypass filtering, create a mail flow rule (also known as a transport rule) in the Exchange admin center (EAC) at <https://admin.exchange.microsoft.com/#/transportrules> that sets the SCL of messages to -1 (if you don't already have one). For instructions, see [Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).

+- **Domain reputation**: This message was considered spam based on the sender domain reputation.

+- M365-security-compliance

+- M365-security-compliance

+- M365-security-compliance

+- M365-security-compliance

+- M365-security-compliance

+- M365-security-compliance

+- M365-security-compliance

+- M365-security-compliance