Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
microsoft-365-copilot-enable-users | Microsoft 365 Copilot Enable Users | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-enable-users.md | Once you've assigned licenses, the Copilot experience will automatically appear After licensing your users for Microsoft Copilot for Microsoft 365, we recommend sending them a welcome email to introduce them to Microsoft Copilot for Microsoft 365 and help them understand what it can do for them. The easiest way to do this is to use the [Microsoft Copilot for Microsoft 365 setup guide](https://admin.microsoft.com/Adminportal/Home?Q=learndocs#/modernonboarding/microsoft365copilotsetupguide), which includes an option for sending a welcome email to your Copilot users. Here’s an example of this email: The welcome email also includes a link to [Microsoft Copilot help and learning](https://support.microsoft.com/copilot). |
microsoft-365-copilot-overview | Microsoft 365 Copilot Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-overview.md | description: "Learn about how Microsoft Copilot for Microsoft 365 works." [Microsoft Copilot for Microsoft 365](/office365/servicedescriptions/office-365-platform-service-description/microsoft-365-copilot) is an AI-powered productivity tool that coordinates large language models (LLMs), content in Microsoft Graph, and the Microsoft 365 apps that you use every day, such as Word, Excel, PowerPoint, Outlook, Teams, and others. This integration provides real-time intelligent assistance, enabling users to enhance their creativity, productivity, and skills. -Microsoft Copilot for Microsoft 365 uses a combination of LLMs, a type of artificial intelligence (AI) algorithm that uses deep learning techniques and vast data sets to understand, summarize, predict, and generate content. These LLMs include pre-trained models, such as Generative Pre-Trained Transformers (GPT) like GPT-4, designed to excel in these tasks. +Copilot for Microsoft 365 uses a combination of LLMs, a type of artificial intelligence (AI) algorithm that uses deep learning techniques and vast data sets to understand, summarize, predict, and generate content. These LLMs include pre-trained models, such as Generative Pre-Trained Transformers (GPT) like GPT-4, designed to excel in these tasks. ## Copilot integration with Graph and Microsoft 365 Apps To learn more about what's possible with Microsoft 365 Apps and Copilot, check o Microsoft Copilot for Microsoft 365 capabilities that users see in Microsoft 365 Apps and other surfaces appear as intelligent features, functionality, and prompting capability. Our foundation LLMs and proprietary Microsoft technologies work together in an underlying system that helps you securely access, use, and manage your organizational data. 
-- **Microsoft 365 Apps** (such as Word, Excel, PowerPoint, Outlook, Teams, and Loop) operate with Microsoft Copilot for Microsoft 365 to support users in the context of their work. For example, Copilot in Word is designed to assist users specifically in the process of creating, understanding, and editing documents. In a similar way, Copilot in the other apps helps users in the context of their work within those apps.+- **Microsoft 365 Apps** (such as Word, Excel, PowerPoint, Outlook, Teams, and Loop) operate with Copilot for Microsoft 365 to support users in the context of their work. For example, Copilot in Word is designed to assist users specifically in the process of creating, understanding, and editing documents. In a similar way, Copilot in the other apps helps users in the context of their work within those apps. -- **Microsoft 365 Chat** enables Microsoft Copilot for Microsoft 365 users to leverage cross-app intelligence, simplifying their workflow across multiple apps. Microsoft 365 Chat uses the power of the foundation LLMs, a user's organizational data, and a user's apps to generate a response. Microsoft 365 Chat is available in a range of experiences, including Teams (chat), Bing, Microsoft Edge, and the Microsoft 365 app.+- **Microsoft Copilot with Graph-grounded chat** enables you to bring your work content and context to Microsoft Copilot's chat capabilities. With Graph-grounded chat, you can draft content, catch up on what you missed, and get answers to questions via open-ended prompts— all securely grounded in your work data. Use Graph-grounded Copilot at many surfaces, including within Microsoft Teams, at [Microsoft365.com](https://www.microsoft365.com/), and at [copilot.microsoft.com](https://copilot.microsoft.com/). - **Microsoft Graph** has long been fundamental to Microsoft 365. It includes information about the relationships between users, activities, and your organization’s data. 
The Microsoft Graph API brings more context from customer signals into the prompt, such as information from emails, chats, documents, and meetings. For more information, see [Overview of Microsoft Graph](/graph/overview) and [Major services and features in Microsoft Graph](/graph/overview-major-services). -- **Semantic Index** for Copilot uses multiple LLMs that sit on top of Microsoft Graph to interpret user queries and produce sophisticated, meaningful, and multilingual responses that help you to be more productive. It allows you to search quickly through billions of vectors (mathematical representations of features or attributes) to help connect you with relevant and actionable information in your organization. For more information on Semantic Index for Copilot, [review this video](https://www.youtube.com/watch?v=KtsVRCsdvoU).+- **Semantic Index** for Copilot uses multiple LLMs that sit on top of Microsoft Graph to interpret user queries and produce sophisticated, meaningful, and multilingual responses that help you to be more productive. It allows you to search quickly through billions of vectors (mathematical representations of features or attributes) to help connect you with relevant and actionable information in your organization. For more information, see the [Semantic Index for Copilot article](https://aka.ms/SemanticIndex/Whitepaper) The following diagram provides a visual representation of how Microsoft Copilot for Microsoft 365 works. Microsoft Copilot for Microsoft 365 iteratively processes and orchestrates these ## Semantic Index -The semantic index brings a whole new world of understanding to your data in Microsoft 365. Through enhanced interactions with your individual and company data via the Microsoft Graph, and the creation of a new index, the semantic index is an improvement to Microsoft 365 search that lays the foundation for the next generation of Search and Copilot experiences. 
The semantic index respects security and policies in the Microsoft Graph so that when a user issues a query either directly via search or in Microsoft 365 chat via Copilot, it's always in the security context of the user, and only content that a user has access to is returned. +The semantic index brings a whole new world of understanding to your data in Microsoft 365. Through enhanced interactions with your individual and company data via the Microsoft Graph, and the creation of a new index, the semantic index is an improvement to Microsoft 365 search that lays the foundation for the next generation of Search and Copilot experiences. The semantic index respects security and policies in the Microsoft Graph so that when a user issues a query either directly via search or in Microsoft Copilot, it's always in the security context of the user, and only content that a user has access to is returned. To learn more, see [Semantic Index for Copilot](/MicrosoftSearch/semantic-index-for-copilot). |
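Review bot: In the Semantic Index section, the added sentence now says a query issued "directly via search or in Microsoft Copilot" always runs in the user's security context, which is less precise than the name this same change introduces in the bullet list, "Microsoft Copilot with Graph-grounded chat". Since this sentence is the access-scoping statement admins will rely on, use the Graph-grounded name there so it is clear which Copilot experience the guarantee covers. Two smaller points: the added Semantic Index bullet ends at the `aka.ms/SemanticIndex/Whitepaper` link with no closing period, and the change shortens the product name to "Copilot for Microsoft 365" in some sentences while neighbouring context lines keep "Microsoft Copilot for Microsoft 365".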
microsoft-365-copilot-page | Microsoft 365 Copilot Page | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-page.md | You can manage Copilot licenses, including assigning and unassigning licenses, f ### Manage how your organization interacts with Copilot in Bing, Edge, and Windows -Copilot with commercial data protection provides enhanced security for users accessing the generative AI capabilities of Copilot. This experience is on by default for users when they are signed in and using a Microsoft 365 E3, E5, A3, or A5 license assigned by your organization. +Copilot with commercial data protection provides enhanced security for users accessing the generative AI capabilities of Copilot. This experience is on by default for users when they are signed in and using a Microsoft 365 E3, E5, A3, A5, Business Standard, or Business Premium license assigned by your organization. Copilot in Bing, Edge and Windows is the public version of Copilot and doesnΓÇÖt require users to be signed in. You can reroute to the documentation available on the panel to turn off the public experience and still have access to the Copilot with commercial data protection experience. |
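Review bot: The added sentence under "Manage how your organization interacts with Copilot in Bing, Edge, and Windows" extends a hard-coded license list ("E3, E5, A3, A5, Business Standard, or Business Premium"), which has to be edited again every time eligibility changes; consider pointing to one maintained list of eligible licenses instead of enumerating them in this paragraph. The context sentence that follows, "You can reroute to the documentation available on the panel", does not say which panel or setting turns off the public experience, and it would be worth naming it while this paragraph is being touched.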
microsoft-365-copilot-privacy | Microsoft 365 Copilot Privacy | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-privacy.md | Title: "Data, Privacy, and Security for Microsoft Copilot for Microsoft 365" -+ ms.localizationpriority: medium-+ description: "Learn how Microsoft Copilot for Microsoft 365 uses data and how it stores and protects that data." hideEdit: true Previously updated : 12/15/2023 Last updated : 01/16/2024 # Data, Privacy, and Security for Microsoft Copilot for Microsoft 365 When you enter prompts using Microsoft Copilot for Microsoft 365, the informatio > [!NOTE] > When using Microsoft Copilot for Microsoft 365, your organizationΓÇÖs data might leave the Microsoft 365 service boundary under the following circumstances: >-> - When you allow Microsoft Copilot for Microsoft 365 chat experiences to reference public web content. The query sent to Bing might include your organizationΓÇÖs data. For more information, see [Microsoft Copilot for Microsoft 365 and public web content](#microsoft-copilot-for-microsoft-365-and-public-web-content). +> - When you allow Microsoft Copilot with Graph-grounded chat to reference public web content. The query sent to Bing might include your organizationΓÇÖs data. For more information, see [Microsoft Copilot for Microsoft 365 and public web content](#microsoft-copilot-for-microsoft-365-and-public-web-content). > - When youΓÇÖre using plugins to help Microsoft Copilot for Microsoft 365 to provide more relevant information. Check the privacy statement and terms of use of the plugin to determine how it will handle your organizationΓÇÖs data. For information, see [Extensibility of Microsoft Copilot for Microsoft 365](#extensibility-of-microsoft-copilot-for-microsoft-365). Abuse monitoring for Microsoft Copilot for Microsoft 365 occurs in real-time, without providing Microsoft any standing access to customer data, either for human or for automated review. 
While abuse moderation, which includes human review of content, is available in Azure OpenAI, Microsoft Copilot for Microsoft 365 services have opted out of it. Microsoft 365 data isnΓÇÖt collected or stored by Azure OpenAI. Abuse monitoring for Microsoft Copilot for Microsoft 365 occurs in real-time, wi ## Data stored about user interactions with Microsoft Copilot for Microsoft 365 -When a user interacts with Microsoft Copilot for Microsoft 365 apps (such as Word, PowerPoint, Excel, OneNote, Loop, or Whiteboard), we store data about these interactions. The stored data includes the user's prompt, how Copilot responded, and information used to ground Copilot's response. For example, this stored data provides users with Copilot interaction history in [Microsoft 365 Chat](https://support.microsoft.com/topic/5b00a52d-7296-48ee-b938-b95b7209f737) and [meetings in Microsoft Teams](https://support.microsoft.com/office/0bf9dd3c-96f7-44e2-8bb8-790bedf066b1). This data is processed and stored in alignment with contractual commitments with your organizationΓÇÖs other content in Microsoft 365. The data is encrypted while it's stored and isn't used to train foundation LLMs, including those used by Microsoft Copilot for Microsoft 365. +When a user interacts with Microsoft Copilot for Microsoft 365 apps (such as Word, PowerPoint, Excel, OneNote, Loop, or Whiteboard), we store data about these interactions. The stored data includes the user's prompt, how Copilot responded, and information used to ground Copilot's response. For example, this stored data provides users with Copilot interaction history in [Microsoft Copilot with Graph-grounded chat](https://support.microsoft.com/topic/5b00a52d-7296-48ee-b938-b95b7209f737) and [meetings in Microsoft Teams](https://support.microsoft.com/office/0bf9dd3c-96f7-44e2-8bb8-790bedf066b1). This data is processed and stored in alignment with contractual commitments with your organizationΓÇÖs other content in Microsoft 365. 
The data is encrypted while it's stored and isn't used to train foundation LLMs, including those used by Microsoft Copilot for Microsoft 365. To view and manage this stored data, admins can use Content search or Microsoft Purview. Admins can also use Microsoft Purview to set retention policies for the data related to chat interactions with Copilot. For more information, see the following articles: For European Union (EU) users, we have additional safeguards to comply with the ## Microsoft Copilot for Microsoft 365 and data residency -Customers with [Advanced Data Residency (ADR) in Microsoft 365](/microsoft-365/enterprise/advanced-data-residency) or [Microsoft 365 Multi-Geo](/microsoft-365/enterprise/microsoft-365-multi-geo) can purchase and enable Microsoft Copilot for Microsoft 365. At this time, Microsoft doesn't provide data residency commitments for Microsoft Copilot for Microsoft 365, beyond EU Data Boundary. When customers store data generated by Copilot in Microsoft 365 products that have data residency commitments under the Product Terms, the applicable commitments will be upheld. +Copilot for Microsoft 365 is upholding data residency commitments as outlined in the Microsoft Product Terms and Data Protection Addendum. Copilot will be added as a covered workload in the data residency commitments in Microsoft Product Terms later in 2024. ++Microsoft [Advanced Data Residency (ADR)](/microsoft-365/enterprise/advanced-data-residency) and [Multi-Geo Capabilities](/microsoft-365/enterprise/microsoft-365-multi-geo) offerings will include data residency commitments for Copilot for Microsoft 365 customers later in 2024. For EU customers, Copilot for Microsoft 365 is an EU Data Boundary service. Customers outside the EU may have their queries processed in the US, EU, or other regions. 
## Microsoft Copilot for Microsoft 365 and public web content -Microsoft Copilot Graph-grounding chat experiences can reference public web content from the Bing search index to ground user prompts and responses. Based on the userΓÇÖs prompt, Copilot for Microsoft 365 determines whether it needs to use Bing to query public web content to help provide a relevant response to the user. There are [controls available to manage the use of public web content](#controls-available-to-manage-the-use-of-public-web-content) for both admins and users. +Microsoft Copilot with Graph-grounded chat can reference public web content from the Bing search index to ground user prompts and responses. Based on the userΓÇÖs prompt, Copilot for Microsoft 365 determines whether it needs to use Bing to query public web content to help provide a relevant response to the user. There are [controls available to manage the use of public web content](#controls-available-to-manage-the-use-of-public-web-content) for both admins and users. > [!NOTE] > Public web content grounding in Copilot uses only the Bing Search service. Copilot with commercial data protection (previously named Bing Chat Enterprise) is a separate offering and not involved with public web content grounding. |
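Review bot: In the data residency section, the added text says Copilot "is upholding data residency commitments as outlined in the Microsoft Product Terms" and, in the next sentence, that Copilot "will be added as a covered workload" in those commitments "later in 2024", so a reader cannot tell which commitments apply today. The removed sentence was explicit ("At this time, Microsoft doesn't provide data residency commitments ... beyond EU Data Boundary"); please keep an equally plain statement of the current position next to the forward-looking one, particularly since the new last sentence says queries from customers outside the EU "may" be processed "in the US, EU, or other regions". "Later in 2024" appears twice and will age; a link to a dated announcement would hold up better.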
microsoft-365-copilot-requirements | Microsoft 365 Copilot Requirements | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-requirements.md | description: "Learn about the requirements for Microsoft Copilot for Microsoft 3 # Microsoft Copilot for Microsoft 365 requirements -The integration of Microsoft Copilot for Microsoft 365 and Microsoft 365 Apps for enterprise enables Copilot experiences to take place inside individual apps, such as Word, PowerPoint, Teams, Excel, Outlook, and more. As a result of this integration, the requirements for using Microsoft Copilot for Microsoft 365 are nearly identical to the requirements for using Microsoft 365 Apps for enterprise. +The integration of Microsoft Copilot for Microsoft 365 and Microsoft 365 Apps enables Copilot experiences to take place inside individual apps, such as Word, PowerPoint, Teams, Excel, Outlook, and more. As a result of this integration, the requirements for using Microsoft Copilot for Microsoft 365 are nearly identical to the requirements for using Microsoft 365 Apps. ## Prerequisites -The following are the prerequisites for using Microsoft Copilot for Microsoft 365. If your organization uses Microsoft 365 E3 or E5, A3, or A5 today, then you likely already meet most of these prerequisites. +The following are the prerequisites for using Microsoft Copilot for Microsoft 365. Copilot for Microsoft 365 requires the user to have a prerequisite base license assigned. You can find the list of eligible base licenses in the [Microsoft Copilot for Microsoft 365 service description guide](/office365/servicedescriptions/office-365-platform-service-description/microsoft-365-copilot). -### Microsoft 365 Apps for enterprise +### Microsoft 365 Apps -[Microsoft 365 Apps for enterprise](/deployoffice/about-microsoft-365-apps) must be deployed. 
Use the [Microsoft 365 Apps setup guide](https://admin.microsoft.com/Adminportal/Home?Q=learndocs#/modernonboarding/microsoft365copilotsetupguide) in the Microsoft 365 admin center to deploy to your users. +[Microsoft 365 Apps](/deployoffice/about-microsoft-365-apps) must be deployed. Use the [Microsoft 365 Apps setup guide](https://admin.microsoft.com/Adminportal/Home?Q=learndocs#/modernonboarding/microsoft365copilotsetupguide) in the Microsoft 365 admin center to deploy to your users. > [!NOTE] > - For Copilot to work in Word Online, Excel Online, and PowerPoint Online, you need to have third-party cookies enabled.-> - Review your privacy settings for Microsoft 365 Apps for enterprise because those settings might have an effect on the availability of Microsoft Copilot for Microsoft 365 features. For more information, see [Microsoft Copilot for Microsoft 365 and policy settings for connected experiences](microsoft-365-copilot-privacy.md#microsoft-copilot-for-microsoft-365-and-policy-settings-for-connected-experiences). +> - Review your privacy settings for Microsoft 365 Apps because those settings might have an effect on the availability of Microsoft Copilot for Microsoft 365 features. For more information, see [Microsoft Copilot for Microsoft 365 and policy settings for connected experiences](microsoft-365-copilot-privacy.md#microsoft-copilot-for-microsoft-365-and-policy-settings-for-connected-experiences). ### Microsoft Entra ID Microsoft Copilot for Microsoft 365 will be supported on classic Outlook for Win You can use the [Microsoft Teams setup guide](https://admin.microsoft.com/Adminportal/Home?Q=m365setup#/modernonboarding/microsoftteamssetupguide) in the Microsoft 365 admin center to configure popular Teams settings, including external access, guest access, team creation permissions, and more. Copilot in Teams is available on Windows, Mac, web, Android, and iOS. 
+To enable Copilot in Teams to reference meeting content after the meeting has ended, transcription or meeting recording must be enabled. To learn more about configuring transcription and recording, see [Configure transcription and captions for Teams meetings](/microsoftteams/meeting-transcription-captions) and [Teams meeting recording](/microsoftteams/meeting-recording). + ### Microsoft Loop To use Microsoft Copilot for Microsoft 365 with Microsoft Loop, you must have Loop enabled for your tenant. This can be done in the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home#/Settings/Services/:/Settings/L1/Loop) or the [Microsoft 365 Apps admin center](https://config.office.com) under **Customization** \| **Policy Management**. For more information, see [Manage Loop workspaces in Syntex repository services](/microsoft-365/loop/loop-workspaces-configuration) and [Learn how to enable the Microsoft Loop app, now in Public Preview](https://techcommunity.microsoft.com/t5/microsoft-365-blog/learn-how-to-enable-the-microsoft-loop-app-now-in-public-preview/ba-p/3769013). To use Microsoft Copilot for Microsoft 365 with Microsoft Loop, you must have Lo To use Microsoft Copilot for Microsoft 365 with Microsoft Whiteboard, you must have Whiteboard enabled for your tenant. To learn more about Microsoft Whiteboard, see [Manage access to Microsoft Whiteboard for your organization](/microsoft-365/whiteboard/manage-whiteboard-access-organizations). -## Update channels --Microsoft Copilot for Microsoft 365 will follow Microsoft 365 Apps' standard practice for deployment and updates, being available in all update channels, except for Semi-annual channel. Preview channels include Insiders, Current Channel - Preview and Beta Channel. Production channels include Current Channel and then Monthly Enterprise Channel. --Once generally available on 11/1, Copilot will be in Current Channel, and starting December 12, on Monthly Enterprise Channel. 
As always, preview channels are a great option to validate the product before rolling out to the rest of organization. To learn more, see To learn more, see [Overview of update channels](/deployoffice/updates/overview-update-channels), and the [Microsoft 365 Insider channels](/deployoffice/insider/compare-channels). --## Network requirements --Copilot services connect to endpoints contained within the [Microsoft 365 endpoint taxonomy](https://aka.ms/o365ip). As with all Microsoft 365 services, we recommend that customers align their network with the [Microsoft 365 network connectivity principles](/microsoft-365/enterprise/microsoft-365-network-connectivity-principles). This helps provide the best experience with Copilot through minimization of latency and increased network quality of service for critical network flows. --There are many Copilot experiences, including some core experiences like Excel, Word, PowerPoint, Teams, and Loop, that use WebSocket connections (wss://) from the device running the Microsoft 365 app to a Microsoft service. So, to use these Copilot experiences, WebSocket connections must be allowed from user endpoints to the endpoints listed in our endpoint taxonomy, specifically in ID number 147 in the section for [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges). - ## License requirements Copilot for Microsoft 365 is an add-on plan with the following licensing prerequisites: Copilot for Microsoft 365 is an add-on plan with the following licensing prerequ You can use the [Microsoft Copilot for Microsoft 365 setup guide](https://admin.microsoft.com/Adminportal/Home?Q=learndocs#/modernonboarding/microsoft365copilotsetupguide) in the Microsoft 365 admin center to assign the required licenses to users. For more information, see [Assign licenses to users in the Microsoft 365 admin center](/microsoft-365/admin/manage/assign-licenses-to-users). 
+## Update channels ++Microsoft Copilot for Microsoft 365 will follow Microsoft 365 Apps' standard practice for deployment and updates, being available in all update channels, except for Semi-annual channel. Preview channels include Insiders, Current Channel - Preview and Beta Channel. Production channels include Current Channel and then Monthly Enterprise Channel. ++Copilot is available in Current Channel, and starting December 12, on Monthly Enterprise Channel. As always, preview channels are a great option to validate the product before rolling out to the rest of organization. To learn more, see To learn more, see [Overview of update channels](/deployoffice/updates/overview-update-channels), and the [Microsoft 365 Insider channels](/deployoffice/insider/compare-channels). ++## Network requirements ++Copilot services connect to endpoints contained within the [Microsoft 365 endpoint taxonomy](https://aka.ms/o365ip). As with all Microsoft 365 services, we recommend that customers align their network with the [Microsoft 365 network connectivity principles](/microsoft-365/enterprise/microsoft-365-network-connectivity-principles). This helps provide the best experience with Copilot through minimization of latency and increased network quality of service for critical network flows. ++There are many Copilot experiences, including some core experiences like Excel, Word, PowerPoint, Teams, and Loop, that use WebSocket connections (wss://) from the device running the Microsoft 365 app to a Microsoft service. So, to use these Copilot experiences, WebSocket connections must be allowed from user endpoints to the endpoints listed in our endpoint taxonomy, specifically in ID number 147 in the section for [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges). 
+ ## Conditional Access -While Copilot supports Conditional Access Policies in SharePoint Online configured to target "all cloud apps" or "Office 365 group," Microsoft 365 Chat does not currently support Conditional Access policies configured to the SharePoint Online app directly. We anticipate deploying a change in coming weeks. +While Copilot supports Conditional Access Policies in SharePoint Online configured to target "all cloud apps" or "Office 365 group," Microsoft Copilot does not currently support Conditional Access policies configured to the SharePoint Online app directly. We anticipate deploying a change in coming weeks. ## Restricted Access Control -Microsoft 365 Chat does not currently support Restricted Access Control and Microsoft 365 Information Barriers (Implicit and Owner moderated mode) on sites. Support for both policies is intended.  We anticipate deploying a change in coming weeks. +Microsoft Copilot does not currently support Restricted Access Control and Microsoft Purview Information Barriers (Implicit and Owner moderated mode) on sites. Support for both policies is intended.  We anticipate deploying a change in coming weeks. |
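Review bot: In the Conditional Access and Restricted Access Control sections, the added lines keep "We anticipate deploying a change in coming weeks" with no date, so an admin reading this later cannot tell whether Conditional Access policies targeted directly at the SharePoint Online app, Restricted Access Control, or Information Barriers on sites are honored yet. State the date of the limitation or link to a tracking item, and say what admins should configure in the meantime (the text already notes that policies targeting "all cloud apps" or "Office 365 group" are supported). In the relocated Update channels section, the added paragraph still contains the doubled "To learn more, see To learn more, see".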
microsoft-365-copilot-setup | Microsoft 365 Copilot Setup | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-setup.md | description: "Learn how to prepare your organization for Microsoft Copilot for M # Get started with Microsoft Copilot for Microsoft 365 -[Microsoft Copilot for Microsoft 365](https://www.microsoft.com/microsoft-365/blog/2023/03/16/introducing-microsoft-365-copilot-a-whole-new-way-to-work/) is an AI-powered productivity tool that uses large language models (LLMs) and integrates your data with the Microsoft Graph and Microsoft 365 Apps. It works alongside popular Microsoft 365 Apps such as Word, Excel, PowerPoint, Outlook, Teams, and more. Copilot provides real-time intelligent assistance, enabling users to enhance their creativity, productivity, and skills. This article covers the technical requirements to access and configure Microsoft Copilot for Microsoft 365. +[Microsoft Copilot for Microsoft 365](https://www.microsoft.com/microsoft-365/blog/2023/03/16/introducing-microsoft-365-copilot-a-whole-new-way-to-work/) is an AI-powered productivity tool that uses large language models (LLMs) and integrates your data with the Microsoft Graph and Microsoft 365 Apps. It works alongside popular Microsoft 365 Apps such as Word, Excel, PowerPoint, Outlook, Teams, and more. Copilot provides real-time intelligent assistance, enabling users to enhance their creativity, productivity, and skills. This article covers the technical requirements to access and configure Copilot for Microsoft 365. ## Prerequisites for Microsoft Copilot for Microsoft 365 Before you can access Copilot, you must meet these requirements: To get started with the implementation process, see [Deployment guide for Microsoft 365 Apps](/deployoffice/deployment-guide-microsoft-365-apps). -- **OneDrive Account** You need to have a OneDrive account for several features within Microsoft Copilot for Microsoft 365, such as saving and sharing your files. 
For more information, see [Sign in or create an account for OneDrive](https://support.microsoft.com/office/video-sign-in-or-create-an-account-for-onedrive-3adf09fd-90e3-4420-8c4e-b55e2cde40d2?ui=en-us&rs=en-us&ad=us).+- **OneDrive Account** You need to have a OneDrive account for several features within Copilot for Microsoft 365, such as saving and sharing your files. For more information, see [Sign in or create an account for OneDrive](https://support.microsoft.com/office/video-sign-in-or-create-an-account-for-onedrive-3adf09fd-90e3-4420-8c4e-b55e2cde40d2?ui=en-us&rs=en-us&ad=us). -- **New Outlook for Windows** For seamless integration of Microsoft Copilot for Microsoft 365 with Outlook, you are required to use the new Outlook for Windows, currently in preview. You can switch to Outlook Mobile to access the new Outlook experience. For more information, see [Getting started with the new Outlook for Windows](https://support.microsoft.com/office/getting-started-with-the-new-outlook-for-windows-656bb8d9-5a60-49b2-a98b-ba7822bc7627).+- **New Outlook for Windows** For seamless integration of Copilot for Microsoft 365 with Outlook, you are required to use the new Outlook for Windows, currently in preview. You can switch to Outlook Mobile to access the new Outlook experience. For more information, see [Getting started with the new Outlook for Windows](https://support.microsoft.com/office/getting-started-with-the-new-outlook-for-windows-656bb8d9-5a60-49b2-a98b-ba7822bc7627). -- **Microsoft Teams** To use Microsoft Copilot for Microsoft 365 with Microsoft Teams, you must use the Teams desktop client or web client. You can [download the desktop client here](https://www.microsoft.com/microsoft-teams/download-app) or sign into the web app at [https://teams.microsoft.com](https://teams.microsoft.com/). Both the current and the new version of Teams are supported. 
For more information, see [Microsoft Teams desktop client](/microsoftteams/get-clients?tabs=Windows).+- **Microsoft Teams** To use Copilot for Microsoft 365 with Microsoft Teams, you must use the Teams desktop client or web client. You can [download the desktop client here](https://www.microsoft.com/microsoft-teams/download-app) or sign into the web app at [https://teams.microsoft.com](https://teams.microsoft.com/). Both the current and the new version of Teams are supported. For more information, see [Microsoft Teams desktop client](/microsoftteams/get-clients?tabs=Windows). ++ To enable Copilot in Teams to reference meeting content after the meeting has ended, transcription or meeting recording must be enabled. To learn more about configuring transcription and recording, see [Configure transcription and captions for Teams meetings](/microsoftteams/meeting-transcription-captions) and [Teams meeting recording](/microsoftteams/meeting-recording). - **Microsoft Loop** To use Copilot in Microsoft Loop, you must have Loop enabled for your tenant. For more information on enabling Loop, see [Get started with Microsoft Loop](https://support.microsoft.com/office/get-started-with-microsoft-loop-9f4d8d4f-dfc6-4518-9ef6-069408c21f0c). -- **Microsoft Whiteboard** To use Microsoft Copilot for Microsoft 365 with Microsoft Whiteboard, you must have Whiteboard enabled for your tenant. To learn more about Microsoft Whiteboard, see [Manage access to Microsoft Whiteboard for your organization](/microsoft-365/whiteboard/manage-whiteboard-access-organizations).+- **Microsoft Whiteboard** To use Copilot for Microsoft 365 with Microsoft Whiteboard, you must have Whiteboard enabled for your tenant. To learn more about Microsoft Whiteboard, see [Manage access to Microsoft Whiteboard for your organization](/microsoft-365/whiteboard/manage-whiteboard-access-organizations). 
>[!IMPORTANT] > Microsoft Copilot for Microsoft 365 will follow Microsoft 365 Apps' standard practice for deployment and updates, being available in all update channels, except for Semi-annual channel. Preview channels include Insiders, Current Channel - Preview and Beta Channel. Production channels include Current Channel and then Monthly Enterprise Channel. >-> Once generally available on 11/1, Copilot will be in Current Channel, and starting December 12, on Monthly Enterprise Channel. As always, preview channels are a great option to validate the product before rolling out to the rest of organization. To learn more, see To learn more, see [Overview of update channels](/deployoffice/updates/overview-update-channels), and the [Microsoft 365 Insider channels](/deployoffice/insider/compare-channels). +> Copilot is available in Current Channel, and starting December 12, on Monthly Enterprise Channel. As always, preview channels are a great option to validate the product before rolling out to the rest of organization. To learn more, see To learn more, see [Overview of update channels](/deployoffice/updates/overview-update-channels), and the [Microsoft 365 Insider channels](/deployoffice/insider/compare-channels). ## Manage licenses for Copilot |
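Review bot: The rewritten sentence in the IMPORTANT callout keeps the duplicated "To learn more, see To learn more, see" from the line it replaces, and with the "11/1" reference removed, "starting December 12" is now the only date in the callout and carries no year. Suggest collapsing the duplicate lead-in, writing the date with its year, and changing "the rest of organization" to "the rest of the organization" while the line is being touched.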
admin | Microsoft 365 Copilot Usage | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-365-copilot-usage.md | description: "Learn how to get the Microsoft 365 Copilot usage report and gain i The Microsoft 365 Usage dashboard shows you the activity overview across the Microsoft 365 apps in your organization. It enables you to drill into individual product-level reports to give you more granular insight about the activities within each app. To view all reports, check out the [Reports overview article](activity-reports.md). -The Copilot for Microsoft 365 report, which is in continuous enhancement, includes a Readiness section. In this section, you can view which users are technically eligible for Copilot, assign licenses, and monitor usage of Microsoft 365 apps that Copilot integrates best with. Within the Usage section, you can view a summary of how users’ adoption, retention, and engagement are with Copilot for Microsoft 365, and the activity of every Copilot user in your organization. +The Copilot for Microsoft 365 report, which is in continuous enhancement, includes a Readiness section and Usage section. In the Readiness section, you can view which users are technically eligible for Copilot, assign licenses, and monitor usage of Microsoft 365 apps that Copilot integrates best with. Within the Usage section, you can view a summary of how users’ adoption, retention, and engagement are with Copilot for Microsoft 365, and the activity of every Copilot user in your organization. The report becomes available within 72 hours, and we will update the documentation once there is improved latency. ## How do I get to the Copilot for Microsoft 365 report? You can see the following summary charts in this report :::image type="content" alt-text="Screenshot showing how you can ensure users are eligible for Copilot for Microsoft 365." 
source="../../media/copilot-usage-ensure-readiness.png"::: -**Total Prerequisite Licenses** This number is the sum of all users who have a Microsoft 365 E3 or E5 license assigned in your organization and could be assigned with a Copilot license. +**Total Prerequisite Licenses** The number is the sum of all users who have at least one license assigned to them or who could be assigned a license. The following license types are eligible for Copilot: ++- Microsoft 365 E5 +- Microsoft 365 E3 +- Office 365 E3 +- Office 365 E5 +- Microsoft 365 A5 for faculty +- Microsoft 365 A3 for faculty +- Office 365 A5 for faculty +- Office 365 A3 for faculty +- Microsoft 365 Business Standard +- Microsoft 365 Business Premium **Users on an eligible update channel** This number is the sum of all users who are enrolled in Current Channel or Monthly Enterprise Channel for app updates in your organization and could be assigned with a Copilot license. You can see the following summary charts in this report Recommended action cards highlight important actions to take to prepare your organization for Copilot, such as moving users to a monthly app update channel and assigning available Copilot licenses. +The last recommended action card promotes [Microsoft Copilot Dashboard](/viva/insights/org-team-insights/copilot-dashboard), where you can deliver insights to your IT leaders to explore Copilot readiness, adoption, and impact in Viva Insights. + :::image type="content" alt-text="Screenshot showing chart for Copilot active users in an organization." source="../../media/copilot-usage-enable-active-users.png" lightbox="../../media/copilot-usage-enable-active-users.png"::: This graph shows the sum of users that could benefit the most from having Copilot deployed based on where Copilot provides the most value in day-to-day scenarios. 
You can view several numbers for Copilot for Microsoft 365 usage, which highligh **Active users rate** shows you the number of active users in your organization divided by the number of enabled users. The definitions for Enabled Users and Active Users metrics are the same as provided earlier. +In Recommendations, the recommended action card highlights [Microsoft Copilot Dashboard](/viva/insights/org-team-insights/copilot-dashboard), where you can deliver insights to your IT leaders to explore Copilot readiness, adoption, and impact in Viva Insights. + You can see the following summary charts in this report as default view: :::image type="content" alt-text="Screenshot showing Microsoft 365 Copilot usage adoption chart." source="../../media/copilot-usage-adoption-chart.png"::: |
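Review bot: The new definition of Total Prerequisite Licenses, "users who have at least one license assigned to them or who could be assigned a license", does not say which license is meant, so it reads as covering any license at all; tie it to the eligible license types listed directly underneath. The Microsoft Copilot Dashboard sentence is also added twice in nearly identical wording, once after the readiness action cards and once under Recommendations, and "The report becomes available within 72 hours" does not say 72 hours from what.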
security | Defender Endpoint Demonstration Attack Surface Reduction Rules | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-attack-surface-reduction-rules.md | +- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business) +- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) +- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) Attack surface reduction rules target specific behaviors that are typically used by malware and malicious apps to infect machines, such as: Attack surface reduction rules target specific behaviors that are typically used ## Scenario requirements and setup -- Windows 10 1709 build 16273-- Windows 10 1803 build (1803 rules)+- Windows 11, Windows 10 1709 build 16273 or later +- Windows Server 2022, Windows Server 2019, Windows Server 2016 and Windows Server 2012 R2 with the unified MDE client. - Microsoft Defender AV - Microsoft Office (required for Office rules and sample) - [Download attack surface reduction PowerShell scripts](https://demo.wd.microsoft.com/Content/WindowsDefender_ASR_scripts.zip) You should immediately see an "Action blocked" notification. You should immediately see an "Action blocked" notification. -### Scenario 3 (1803): ASR rule blocks unsigned USB content from executing +### Scenario 3 (Windows 10 version 1803 or later): ASR rule blocks unsigned USB content from executing 1. Configure the rule for USB protection (B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4). 
Download and run this [clean-up script](https://demo.wd.microsoft.com/Content/AS Alternately, you can perform these manual steps: + ```powershell Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Disabled Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Disabled Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Disabled Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Disabled Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E-2ECDC07BFC25 -AttackSurfaceReductionRules_Actions Disabled+Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Disabled +Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Disabled +Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Disabled +Add-MpPreference -AttackSurfaceReductionRules_Ids a8f5898e-1dc8-49a9-9878-85004b8a61e6 -AttackSurfaceReductionRules_Actions Disabled Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49E8-8B27-EB1D0A1CE869 -AttackSurfaceReductionRules_Actions Disabled Add-MpPreference -AttackSurfaceReductionRules_Ids 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -AttackSurfaceReductionRules_Actions Disabled ``` + Cleanup **c:\demo** encryption by running the [encrypt/decrypt file](https://demo.wd.microsoft.com/Content/ransomware_cleanup_encrypt_decrypt.exe) ## See also |
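Review bot: In the manual clean-up block, the four added `Add-MpPreference` lines (the lowercase GUIDs starting 56a863a9, 9e6c4e1f, e6db77e5 and a8f5898e) set more rules to `Disabled` without the hunk saying which rules they are or which demo scenario turned them on, so on a device where those rules were already enabled before the demo the clean-up can leave it less protected than it started. Suggest a comment naming each rule, a step that records the existing rule state with `Get-MpPreference` before the demo so it can be restored rather than blanket-disabled, and matching the uppercase GUID style of the surrounding lines.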
security | Defender Endpoint Demonstration Block At First Sight Bafs | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-block-at-first-sight-bafs.md | Last updated 10/21/2022 **Applies to:** -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business) +- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) +- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) +- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals) Block at First Sight, is a feature of Microsoft Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds. You can test that it is working as expected by downloading a fake malware file. ## Scenario requirements and setup -- Windows 10 Anniversary update (1607) or later+- Windows 11, Windows 10 Anniversary update (1607) or later +- Windows Server 2022, Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2 with the new unified Defender for Endpoint client. + - Cloud protection is enabled - You can [download and use the Powershell script](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/) to enable this setting and others |
security | Defender Endpoint Demonstration Cloud Delivered Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-cloud-delivered-protection.md | Last updated 10/21/2022 **Applies to:** -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)+- - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business) +- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) +- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) +- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals) Cloud-delivered protection for Microsoft Defender Antivirus, also referred to as Microsoft Advanced Protection Service (MAPS), provides you with strong, fast protection in addition to our standard real-time protection. ## Scenario requirements and setup -- Windows 7, Windows 8.1, Windows 10, Windows 11+- Windows 11, Windows 10, Windows 8.1, and Windows 7 SP1 - Microsoft Defender Real-time protection is enabled - Cloud-delivered protection is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies. For more information, see [Enable cloud-delivered protection in Microsoft Defender Antivirus](/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus?ocid=wd-av-demo-cloud-middle). - You can also download and use the [PowerShell script](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/) to enable this setting and others on Windows 10 and Windows 11. |
security | Defender Endpoint Demonstration Exploit Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-exploit-protection.md | +- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business) +- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) +- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) +- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals) Exploit Protection automatically applies exploit mitigation settings system wide and on individual apps. Many of the features in the Enhanced Mitigation Experience Toolkit (EMET) have been included in Exploit Protection, and you can convert and import existing EMET configuration profiles into Exploit Protection. ## Scenario requirements and setup -- Windows 10 1709 build 16273+- Windows 11 or Windows 10 1709 build 16273 or newer +- Windows Server 2022, Windows Server 2019, and Windows Server 2016. - Run PowerShell commands: ```powershell |
security | Defender Endpoint Demonstration Potentially Unwanted Applications | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-potentially-unwanted-applications.md | Last updated 11/20/2023 **Applies to:** -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business) +- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) +- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) +- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals) The Potentially Unwanted Applications (PUA) protection feature in Microsoft Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network. These applications aren't considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. ## Scenario requirements and setup -- Windows 10, Windows 11-+- Windows 11 or Windows 10 +- Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2008 R2 SP1 +- macOS +- Linux - Enable PUA protection. For more information, see the [Detect and block Potentially Unwanted Applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) article. - You can also [download and use the PowerShell script](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/) to enable this setting and others. |
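Review bot: The added `macOS` and `Linux` requirement bullets are followed by setup bullets that point only to the PUA article and a PowerShell script, so a reader on those platforms is given no enablement step. Suggest linking the macOS and Linux instructions for enabling PUA protection next to the new bullets, or stating that the PowerShell script bullet applies to Windows only.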
security | Defender Endpoint Demonstration Smartscreen Url Reputation | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-smartscreen-url-reputation.md | +- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business) +- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) Test how Microsoft Defender SmartScreen helps you identify phishing and malware websites based on URL reputation. Scenario requirements and setup -- Windows 10 or 11+- Windows 11 or Windows +- Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2 and Windows Server 2008 R2 SP1. - Microsoft Edge browser required - For more information, see [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) |
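Review bot: The added requirement line "Windows 11 or Windows" is cut off; the line it replaces read "Windows 10 or 11", so the second Windows entry has lost its version. The added server bullet also ends with a period while the neighbouring bullets do not, and "Scenario requirements and setup" appears here without the `##` heading marker that the other demonstration pages in this change set use.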
security | Edr Detection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-detection.md | +#### Applies to: ++- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) +- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business) ++## Scenario requirements and setup ++- Windows 11, Windows 10 version 1709 build 16273 or newer, Windows 8.1, or Windows 7 SP1. +- Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2008 R2 SP1. +- Linux +- macOS +- Microsoft Defender for Endpoint +- Microsoft Defender for Endpoint on Linux +- Microsoft Defender for Endpoint on macOS + Endpoint detection and response for Endpoint provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. Run an EDR detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device: +### Windows ++1. Open a Command Prompt window ++2. At the prompt, copy and run the command below. The Command Prompt window will close automatically. +++```powershell +powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe' +``` ++3. If successful, the detection test will be marked as completed and a new alert will appear in few minutes. ++### Linux ++1. Download [script file](https://aka.ms/LinuxDIY) to an onboarded Linux server +++```bash +curl -o ~/Downloads/MDE Linux DIY.zip https://aka.ms/LinuxDIY +``` ++1. 
Extract the zip ++```bash +unzip ~/Downloads/MDE Linux DIY.zip +``` ++1. And run the following command: ++```bash +./mde_linux_edr_diy.sh +``` ++After a few minutes, a detection should be raised in Microsoft Defender XDR. ++3. Look at the alert details, machine timeline, and perform your typical investigation steps. ++### macOS + 1. In your browser, Microsoft Edge for Mac or Safari, download *MDATP MacOS DIY.zip* from [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy) and extract. The following prompt appears: Run an EDR detection test to verify that the device is properly onboarded and re > > > **"MDATP MacOS DIY" cannot be opened because the developer cannot be verifier.**<br/> > > macOS cannot verify that this app is free from malware.<br/>- > > **\[Move to Trash\]** **\[Cancel\]** + > > **[Move to Trash]** **[Cancel]** 7. Click **Cancel**. |
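Review bot: In the added Linux steps, the file name in `curl -o ~/Downloads/MDE Linux DIY.zip https://aka.ms/LinuxDIY` and `unzip ~/Downloads/MDE Linux DIY.zip` contains unquoted spaces, so the shell splits it into separate arguments and neither command acts on the intended file. Quote the path or use a name without spaces, and add `-L` to the curl call, since aka.ms short links answer with a redirect. The Linux list is also numbered 1, 1, 1, 3 with the "After a few minutes" sentence in between, which makes it unclear whether step 3 belongs to this procedure.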
security | Linux Support Ebpf | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-ebpf.md | You can also update the mdatp_managed.json file: } } ```-Refere to the link for detailed sample json file - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md) +Refer to the link for detailed sample json file - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md) > [!IMPORTANT] > If you disable eBPF, the supplementary event provider switches back to auditd. > In the event eBPF doesn't become enabled or is not supported on any specific kernel, it will automatically switch back to auditd and retain all auditd custom rules. Top syscall ids: 90 : 10 87 : 3 ``` -In the above output,it can be seen that stress-ng is the top process generating large number of events and might result into performance issues. Most likely stress-ng is generating the system call with ID 82. You can create a ticket with Microsoft to get this process excluded. In future as part of upcoming enhancements, you will have more control to apply such exclusions at your end. +In the above output, it can be seen that stress-ng is the top process generating large number of events and might result into performance issues. Most likely stress-ng is generating the system call with ID 82. You can create a ticket with Microsoft to get this process excluded. In future as part of upcoming enhancements, you will have more control to apply such exclusions at your end. -Exclusions applied to auditd can not be migrated or copied to eBPF. Common concerns such as noisy logs, kernel panic, noisy syscalls are already taken care of by eBPF internally. In case you want to add any further exclusions, then reach out to Microsoft to get the necessary exclusions applied. +Exclusions applied to auditd cannot be migrated or copied to eBPF. 
Common concerns such as noisy logs, kernel panic, noisy syscalls are already taken care of by eBPF internally. In case you want to add any further exclusions, then reach out to Microsoft to get the necessary exclusions applied. ## See also |
security | Microsoft Defender Antivirus Windows | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md | Title: Microsoft Defender Antivirus in Windows description: Learn how to manage, configure, and use Microsoft Defender Antivirus, built-in antimalware and antivirus protection. -keywords: Microsoft Defender Antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security ms.localizationpriority: high Previously updated : 12/05/2023 Last updated : 01/16/2024 The Microsoft Defender Core service is releasing with [Microsoft Defender Antivi - `*.endpoint.security.microsoft.com` - `*.ecs.office.com` +- Enterprise U.S. Government customers should allow the following URLs: + - `*.events.data.microsoft.com` + - `*.endpoint.security.microsoft.us (GCC-H & DoD)` + - `*.gccmod.ecs.office.com (GCC-M)` + - `*.config.ecs.gov.teams.microsoft.us (GCC-H)` + - `*.config.ecs.dod.teams.microsoft.us (DoD)` + - If you're using [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac), or you're running non-Microsoft antivirus or endpoint detection and response software, make sure to add the processes mentioned earlier to your allow list. - Consumers need not take any actions to prepare. |
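Review bot: In the added U.S. Government URL list, the environment labels sit inside the code spans, as in `*.endpoint.security.microsoft.us (GCC-H & DoD)`, so anyone copying the value into a firewall or proxy allow list picks up the label with it. Close the backticks after the host pattern and put the label outside, and say whether `*.events.data.microsoft.com`, which carries no label, applies to every government environment.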
security | Validate Antimalware | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/validate-antimalware.md | -Anti-malware tests are intended to measure how well the anti-malware software is able to detect, block and remove malware in a variety of scenarios. The test also measures the impact of the anti-malware device on the system's performance. +**Applies to:** - Run an AV detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device: +- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) ++- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business) ++- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) ++- [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) ++- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals) ++Scenario requirements and setup ++- Windows 11, Windows 10, Windows 8.1, Windows 7 SP1 ++- Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2 ++- Linux ++- macOS ++- Microsoft Defender Real-time protection is enabled ++## EICAR test file to simulate malware ++After you enable Microsoft Defender for Endpoint or Microsoft Defender for Business or Microsoft Defender Antivirus, you can test the service and run a proof of concept to familiarize yourself with its feature and validate the advanced security capabilities effectively protect your device by generating real security alerts. ++Run an AV detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device: ++### Windows ++1. Prepare for the EICAR test file: ++ 1. 
Use an EICAR test file instead of real malware to avoid causing damage. Microsoft Defender Antivirus treats EICAR test files as malware. ++1. Create the EICAR test file: ++ 1. Copy the following string: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*` ++ 1. Paste the string into a .TXT file and save it as EICAR.txt ++### Linux/macOS 1. Ensure that real-time protection is enabled (denoted by a result of 1 from running the following command): Anti-malware tests are intended to measure how well the anti-malware software is mdatp health --field real_time_protection_enabled ``` -2. Open a Terminal window. Copy and execute the following command: +1. Open a Terminal window. Copy and execute the following command: ++ +Linux +++```bash +curl -o ~/tmp/eicar.com.txt https://secure.eicar.org/eicar.com.txt +``` ++macOS + ```bash-curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt +curl -o ~/Downloads/eicar.com.txt ``` 3. The file has been quarantined by Defender for Endpoint on Mac. Use the following command to list all the detected threats: ```bash mdatp threat list-``` +``` |
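Review bot: The macOS command was changed to `curl -o ~/Downloads/eicar.com.txt` with the URL removed, so it has nothing to download; restore a download URL as the Linux command has. The Linux command writes to `~/tmp/eicar.com.txt`, a directory that usually does not exist under a home folder (`/tmp`, or `--create-dirs`, would make it work), the new Windows section stops after saving EICAR.txt without saying what detection result to expect, and step 3 still says "on Mac" under the combined Linux/macOS heading.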
security | Advanced Hunting Aadsignineventsbeta Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-aadsignineventsbeta-table.md | Use this reference to construct queries that return information from the table. |`ResourceTenantId`|`string`|Unique identifier of the tenant of the resource accessed| |`DeviceName`|`string`|Fully qualified domain name (FQDN) of the device| |`AadDeviceId`|`string`|Unique identifier for the device in Microsoft Entra ID|-|`OSPlatform`|`string`|Platform of the operating system running on the machine. Indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, and Windows 7.| +|`OSPlatform`|`string`|Platform of the operating system running on the device. Indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, and Windows 7.| |`DeviceTrustType`|`string`|Indicates the trust type of the device that signed in. For managed device scenarios only. Possible values are Workplace, AzureAd, and ServerAd.| |`IsManaged`|`int`|Indicates whether the device that initiated the sign-in is a managed device (1) or not a managed device (0)| |`IsCompliant`|`int`|Indicates whether the device that initiated the sign-in is compliant (1) or non-compliant (0)| |
security | Advanced Hunting Aadspnsignineventsbeta Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-aadspnsignineventsbeta-table.md | For information on other tables in the advanced hunting schema, see [the advance **** |Column name|Data type|Description|-|||| +|--||--| |`Timestamp`|`datetime`|Date and time when the record was generated| |`Application`|`string`|Application that performed the recorded action| |`ApplicationId`|`string`|Unique identifier for the application| For information on other tables in the advanced hunting schema, see [the advance |`Longitude`|`string`|The east to west coordinates of the sign-in location| |`RequestId`|`string`|Unique identifier of the request| |`ReportId`|`string`|Unique identifier for the event|-|||| ## Related articles |
security | Advanced Hunting Alertevidence Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-alertevidence-table.md | For information on other tables in the advanced hunting schema, [see the advance | `AccountObjectId` | `string` | Unique identifier for the account in Microsoft Entra ID | | `AccountUpn` | `string` | User principal name (UPN) of the account | | `DeviceId` | `string` | Unique identifier for the device in the service |-| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the machine | +| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device | | `LocalIP` | `string` | IP address assigned to the local device used during communication | | `NetworkMessageId` | `string` | Unique identifier for the email, generated by Office 365 | | `EmailSubject` | `string` | Subject of the email | For information on other tables in the advanced hunting schema, [see the advance | `RegistryKey` |`string` | Registry key that the recorded action was applied to | | `RegistryValueName` |`string` | Name of the registry value that the recorded action was applied to | | `RegistryValueData` |`string` | Data of the registry value that the recorded action was applied to |-| `AdditionalFields` | `string` | Additional information about the event in JSON array format | +| `AdditionalFields` | `string` | Additional information about the entity or event | | `Severity` | `string` | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert | | `CloudResource` | `string` | Cloud resource name | | `CloudPlatform` | `string` | The cloud platform that the resource belongs to, can be Azure, Amazon Web Services, or Google Cloud Platform | |
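Review bot: The `AdditionalFields` description drops "in JSON array format" and now reads only "Additional information about the entity or event", which leaves query authors with no hint of how to parse the column. If the format varies by entity type, say so; otherwise keep the format statement, as the DeviceEvents table in this same change set still does for its `AdditionalFields` row.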
security | Advanced Hunting Alertinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-alertinfo-table.md | |
security | Advanced Hunting Behaviorentities Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-behaviorentities-table.md | |
security | Advanced Hunting Behaviorinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-behaviorinfo-table.md | |
security | Advanced Hunting Cloudappevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-cloudappevents-table.md | |
security | Advanced Hunting Deviceevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceevents-table.md | For information on other tables in the advanced hunting schema, [see the advance | `Timestamp` | `datetime` | Date and time when the event was recorded | | `DeviceId` | `string` | Unique identifier for the device in the service | | `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |-| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details | +| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details. | | `FileName` | `string` | Name of the file that the recorded action was applied to | | `FolderPath` | `string` | Folder containing the file that the recorded action was applied to | | `SHA1` | `string` | SHA-1 of the file that the recorded action was applied to | For information on other tables in the advanced hunting schema, [see the advance | `AccountName` | `string` | User name of the account | | `AccountSid` | `string` | Security Identifier (SID) of the account | | `RemoteUrl` | `string` | URL or fully qualified domain name (FQDN) that was being connected to |-| `RemoteDeviceName` | `string` | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information | +| `RemoteDeviceName` | `string` | Name of the device that performed a remote operation on the affected device. 
Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. | | `ProcessId` | `long` | Process ID (PID) of the newly created process | | `ProcessCommandLine` | `string` | Command line used to create the new process | | `ProcessCreationTime` | `datetime` | Date and time the process was created | | `ProcessTokenElevation` | `string` | Indicates the type of token elevation applied to the newly created process. Possible values: TokenElevationTypeLimited (restricted), TokenElevationTypeDefault (standard), and TokenElevationTypeFull (elevated) |-| `LogonId` | `string` | Identifier for a logon session. This identifier is unique on the same device only between restarts | +| `LogonId` | `long` | Identifier for a logon session. This identifier is unique on the same device only between restarts. | | `RegistryKey` | `string` | Registry key that the recorded action was applied to | | `RegistryValueName` | `string` | Name of the registry value that the recorded action was applied to | | `RegistryValueData` | `string` | Data of the registry value that the recorded action was applied to | | `RemoteIP` | `string` | IP address that was being connected to | | `RemotePort` | `int` | TCP port on the remote device that was being connected to |-| `LocalIP` | `string` | IP address assigned to the local machine used during communication | -| `LocalPort` | `int` | TCP port on the local machine used during communication | +| `LocalIP` | `string` | IP address assigned to the local device used during communication | +| `LocalPort` | `int` | TCP port on the local device used during communication | | `FileOriginUrl` | `string` | URL where the file was downloaded from | | `FileOriginIP` | `string` | IP address where the file was downloaded from | | `InitiatingProcessSHA1` | `string` | SHA-1 of the process (image file) that initiated the event | For information on other tables in the advanced hunting 
schema, [see the advance | `InitiatingProcessParentId` | `long` | Process ID (PID) of the parent process that spawned the process responsible for the event | | `InitiatingProcessParentFileName` | `string` | Name or full path of the parent process that spawned the process responsible for the event | | `InitiatingProcessParentCreationTime` | `datetime` | Date and time when the parent of the process responsible for the event was started |-| `InitiatingProcessLogonId` | `long` | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts | +| `InitiatingProcessLogonId` | `long` | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts. | | `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. | | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity | | `AdditionalFields` | `string` | Additional information about the event in JSON array format | |
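Review bot: In the DeviceEvents table, the `LogonId` row changes its documented data type from `string` to `long` in the same edit that otherwise only adds trailing periods and swaps "machine" for "device", so the schema correction is easy to miss. The new type agrees with the `InitiatingProcessLogonId` row (`long`) in the same table. Suggest calling the type change out separately in the commit message so readers who wrote queries against the documented `string` type notice it.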
security | Advanced Hunting Devicefilecertificateinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicefilecertificateinfo-table.md | For information on other tables in the advanced hunting schema, [see the advance | `DeviceId` | `string` | Unique identifier for the device in the service | | `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device | | `SHA1` | `string` | SHA-1 of the file that the recorded action was applied to |-| `IsSigned` | `boolean` | Indicates whether the file is signed | +| `IsSigned` | `bool` | Indicates whether the file is signed | | `SignatureType` | `string` | Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file | | `Signer` | `string` | Information about the signer of the file | | `SignerHash` | `string` | Unique hash value identifying the signer | For information on other tables in the advanced hunting schema, [see the advance | `CertificateCreationTime` | `datetime` | Date and time the certificate was created | | `CertificateExpirationTime` | `datetime` | Date and time the certificate is set to expire | | `CertificateCountersignatureTime` | `datetime` | Date and time the certificate was countersigned |-| `IsTrusted` | `boolean` | Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes | +| `IsTrusted` | `bool` | Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes | | `IsRootSignerMicrosoft` | `boolean` | Indicates whether the signer of the root certificate is Microsoft and if the file is included in Windows operating system | | 
`ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. | |
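Review bot: In the DeviceFileCertificateInfo table, `IsSigned` and `IsTrusted` are changed from `boolean` to `bool`, but the next row, `IsRootSignerMicrosoft`, is left as `boolean`. The table now documents the same kind of column with two different type names. Suggest updating `IsRootSignerMicrosoft` in the same change, or keeping `boolean` throughout.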
security | Advanced Hunting Devicefileevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicefileevents-table.md | For information on other tables in the advanced hunting schema, [see the advance | `Timestamp` | `datetime` | Date and time when the event was recorded | | `DeviceId` | `string` | Unique identifier for the device in the service | | `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |-| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details | +| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details. | | `FileName` | `string`| Name of the file that the recorded action was applied to | | `FolderPath` | `string` | Folder containing the file that the recorded action was applied to | | `SHA1` | `string` | SHA-1 of the file that the recorded action was applied to | |
security | Advanced Hunting Deviceimageloadevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceimageloadevents-table.md | For information on other tables in the advanced hunting schema, [see the advance | `Timestamp` | `datetime` | Date and time when the event was recorded | | `DeviceId` | `string` | Unique identifier for the device in the service | | `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |-| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details | +| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details. | | `FileName` | `string` | Name of the file that the recorded action was applied to | | `FolderPath` | `string` | Folder containing the file that the recorded action was applied to | | `SHA1` | `string` | SHA-1 of the file that the recorded action was applied to | |
security | Advanced Hunting Deviceinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceinfo-table.md | For information on other tables in the advanced hunting schema, [see the advance | `Timestamp` | `datetime` | Date and time when the event was recorded | | `DeviceId` | `string` | Unique identifier for the device in the service | | `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |-| `ClientVersion` | `string` | Version of the endpoint agent or sensor running on the machine | -| `PublicIP` | `string` | Public IP address used by the onboarded machine to connect to the Microsoft Defender for Endpoint service. This could be the IP address of the machine itself, a NAT device, or a proxy | -| `OSArchitecture` | `string` | Architecture of the operating system running on the machine | +| `ClientVersion` | `string` | Version of the endpoint agent or sensor running on the device | +| `PublicIP` | `string` | Public IP address used by the onboarded device to connect to the Microsoft Defender for Endpoint service. This could be the IP address of the device itself, a NAT device, or a proxy. | +| `OSArchitecture` | `string` | Architecture of the operating system running on the device | | `OSPlatform` | `string` | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10 and Windows 7. 
|-| `OSBuild` | `long` | Build version of the operating system running on the machine | -| `IsAzureADJoined` | `boolean` | Boolean indicator of whether machine is joined to the Microsoft Entra ID | +| `OSBuild` | `long` | Build version of the operating system running on the device | +| `IsAzureADJoined` | `boolean` | Boolean indicator of whether device is joined to the Microsoft Entra ID | | `JoinType` | `string` | The device's Microsoft Entra ID join type | | `AadDeviceId` | `string` | Unique identifier for the device in Microsoft Entra ID |-| `LoggedOnUsers` | `string` | List of all users that are logged on the machine at the time of the event in JSON array format | +| `LoggedOnUsers` | `string` | List of all users that are logged on the device at the time of the event in JSON array format | | `RegistryDeviceTag` | `string` | Device tag added through the registry |-| `OSVersion` | `string` | Version of the operating system running on the machine | -| `MachineGroup` | `string` | Machine group of the machine. This group is used by role-based access control to determine access to the machine | +| `OSVersion` | `string` | Version of the operating system running on the device | +| `MachineGroup` | `string` | Machine group of the device. This group is used by role-based access control to determine access to the device. | | `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. | | `OnboardingStatus` | `string` | Indicates whether the device is currently onboarded or not to Microsoft Defender For Endpoint or if the device is not supported | | `AdditionalFields` | `string` | Additional information about the event in JSON array format | |
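Review bot: In the DeviceInfo table, the reworded `IsAzureADJoined` description, "Boolean indicator of whether device is joined to the Microsoft Entra ID", is missing an article before "device" and has a stray "the" before "Microsoft Entra ID". Suggest "whether the device is joined to Microsoft Entra ID". The `MachineGroup` row now reads "Machine group of the device", which mixes the old and new terms. If "Machine group" is kept only because it matches the column name, that is worth a word in the commit message.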
security | Advanced Hunting Devicelogonevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicelogonevents-table.md | For information on other tables in the advanced hunting schema, [see the advance | `DeviceId` | `string` | Unique identifier for the device in the service | | `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device | | `ActionType` | `string` |Type of activity that triggered the event |-| `LogonType` | `string` | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> | +| `LogonType` | `string` | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the device using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the device remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the device is accessed using PsExec or when shared resources on the device, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> | | `AccountDomain` | `string` | Domain of the account | | `AccountName` | `string` | User name of the account | | `AccountSid` | `string` | Security Identifier (SID) of the account | | `Protocol` | 
`string` | Protocol used during the communication | | `FailureReason` | `string` | Information explaining why the recorded action failed |-| `IsLocalAdmin` | `boolean` | Boolean indicator of whether the user is a local administrator on the machine | -| `LogonId` | `long` | Identifier for a logon session. This identifier is unique on the same machine only between restarts | -| `RemoteDeviceName` | `string` | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information | +| `IsLocalAdmin` | `boolean` | Boolean indicator of whether the user is a local administrator on the device | +| `LogonId` | `long` | Identifier for a logon session. This identifier is unique on the same device only between restarts. | +| `RemoteDeviceName` | `string` | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information. 
| | `RemoteIP` | `string` | IP address of the device from which the logon attempt was performed | | `RemoteIPType` | `string` | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | | `RemotePort` | `int` | TCP port on the remote device that was being connected to | For information on other tables in the advanced hunting schema, [see the advance | `InitiatingProcessAccountSid` | `string` | Security Identifier (SID) of the account that ran the process responsible for the event | | `InitiatingProcessAccountUpn` | `string` | User principal name (UPN) of the account that ran the process responsible for the event | | `InitiatingProcessAccountObjectId` | `string` | Microsoft Entra object ID of the user account that ran the process responsible for the event |-| `InitiatingProcessIntegrityLevel` | `string` | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| `InitiatingProcessIntegrityLevel` | `string` | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. | | `InitiatingProcessTokenElevation` | `string` | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | | `InitiatingProcessSHA1` | `string` | SHA-1 hash of the process (image file) that initiated the event | | `InitiatingProcessSHA256` | `string` | SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available. 
| For information on other tables in the advanced hunting schema, [see the advance | `InitiatingProcessParentId` | `long` | Process ID (PID) of the parent process that spawned the process responsible for the event | | `InitiatingProcessParentFileName` | `string` | Name or full path of the parent process that spawned the process responsible for the event | | `InitiatingProcessParentCreationTime` | `datetime` | Date and time when the parent of the process responsible for the event was started |-| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | +| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. | | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity | | `AdditionalFields` | `string` | Additional information about the event in JSON array format | |
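Review bot: In the DeviceLogonEvents table, the updated `RemoteDeviceName` description still reads "a NetBIOS name or a host name without domain information", while the same description in the DeviceEvents table reads "a NetBIOS name, or a host name without domain information". Since this edit already touches the line to add the trailing period, suggest aligning the comma so both tables carry identical text. `IsLocalAdmin` is also kept as `boolean` here although the DeviceFileCertificateInfo change moves similar columns to `bool`, so it is worth settling on one type name across the schema pages.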
security | Advanced Hunting Devicenetworkevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table.md | For information on other tables in the advanced hunting schema, [see the advance | `Timestamp` | `datetime` | Date and time when the event was recorded | | `DeviceId` | `string` | Unique identifier for the device in the service | | `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |-| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details | +| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details. | | `RemoteIP` | `string` | IP address that was being connected to | | `RemotePort` | `int` | TCP port on the remote device that was being connected to | | `RemoteUrl` | `string` | URL or fully qualified domain name (FQDN) that was being connected to | | `LocalIP` | `string` | Source IP, or the IP address where the communication came from |-| `LocalPort` | `int` | TCP port on the local machine used during communication | +| `LocalPort` | `int` | TCP port on the local device used during communication | | `Protocol` | `string` | Protocol used during the communication | | `LocalIPType` | `string` | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | | `RemoteIPType` | `string` | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | For information on other tables in the advanced hunting schema, [see the advance | `InitiatingProcessAccountSid` | `string` | Security Identifier (SID) of the account that ran the process responsible for the event | | 
`InitiatingProcessAccountUpn` | `string` | User principal name (UPN) of the account that ran the process responsible for the event | | `InitiatingProcessAccountObjectId` | `string` | Microsoft Entra object ID of the user account that ran the process responsible for the event |-| `InitiatingProcessIntegrityLevel` | `string` | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| `InitiatingProcessIntegrityLevel` | `string` | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. | | `InitiatingProcessTokenElevation` | `string` | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |-| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | +| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. | | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity | | `AdditionalFields` | `string` | Additional information about the event in JSON array format | |
security | Advanced Hunting Devicenetworkinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicenetworkinfo-table.md | For information on other tables in the advanced hunting schema, [see the advance | `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device | | `NetworkAdapterName` | `string` | Name of the network adapter | | `MacAddress` | `string` | MAC address of the network adapter |-| `NetworkAdapterType` | `string` | Network adapter type. For the possible values, refer to [this enumeration](/dotnet/api/system.net.networkinformation.networkinterfacetype) | -| `NetworkAdapterStatus` | `string` | Operational status of the network adapter. For the possible values, refer to [this enumeration](/dotnet/api/system.net.networkinformation.operationalstatus) | +| `NetworkAdapterType` | `string` | Network adapter type. For the possible values, refer to [this enumeration](/dotnet/api/system.net.networkinformation.networkinterfacetype). | +| `NetworkAdapterStatus` | `string` | Operational status of the network adapter. For the possible values, refer to [this enumeration](/dotnet/api/system.net.networkinformation.operationalstatus). | | `TunnelType` | `string` | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |-| `ConnectedNetworks` | `string` | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet | +| `ConnectedNetworks` | `string` | Networks that the adapter is connected to. Each JSON element in the array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet. 
| | `DnsAddresses` | `string` | DNS server addresses in JSON array format | | `IPv4Dhcp` | `string` | IPv4 address of DHCP server | | `IPv6Dhcp` | `string` | IPv6 address of DHCP server | | `DefaultGateways` | `string` | Default gateway addresses in JSON array format | | `IPAddresses` | `string` | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |-| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | +| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. | | `NetworkAdapterVendor` | `string` | Name of the manufacturer or vendor of the network adapter | ## Related topics |
security | Advanced Hunting Deviceprocessevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table.md | For information on other tables in the advanced hunting schema, [see the advance | `Timestamp` | `datetime` | Date and time when the event was recorded | | `DeviceId` | `string` | Unique identifier for the device in the service | | `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |-| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details | +| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details. | | `FileName` | `string` | Name of the file that the recorded action was applied to | | `FolderPath` | `string` | Folder containing the file that the recorded action was applied to | | `SHA1` | `string` | SHA-1 of the file that the recorded action was applied to | For information on other tables in the advanced hunting schema, [see the advance | `AccountSid` | `string` | Security Identifier (SID) of the account | | `AccountUpn` | `string` | User principal name (UPN) of the account | | `AccountObjectId` | `string` | Unique identifier for the account in Microsoft Entra ID |-| `LogonId` | `long` | Identifier for a logon session. This identifier is unique on the same machine only between restarts | +| `LogonId` | `long` | Identifier for a logon session. This identifier is unique on the same device only between restarts. 
| | `InitiatingProcessAccountDomain` | `string` | Domain of the account that ran the process responsible for the event | | `InitiatingProcessAccountName` | `string` | User name of the account that ran the process responsible for the event | | `InitiatingProcessAccountSid` | `string` | Security Identifier (SID) of the account that ran the process responsible for the event | | `InitiatingProcessAccountUpn` | `string` | User principal name (UPN) of the account that ran the process responsible for the event | | `InitiatingProcessAccountObjectId` | `string` | Microsoft Entra object ID of the user account that ran the process responsible for the event |-| `InitiatingProcessLogonId` | `long` | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. | -| `InitiatingProcessIntegrityLevel` | `string` | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| `InitiatingProcessLogonId` | `long` | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts. | +| `InitiatingProcessIntegrityLevel` | `string` | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. 
| | `InitiatingProcessTokenElevation` | `string` | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | | `InitiatingProcessSHA1` | `string` | SHA-1 hash of the process (image file) that initiated the event | | `InitiatingProcessSHA256` | `string` | SHA-256 of the process (image file) that initiated the event. This field is usually not populated ΓÇö use the SHA1 column when available. | For information on other tables in the advanced hunting schema, [see the advance | `InitiatingProcessParentCreationTime` | `datetime` | Date and time when the parent of the process responsible for the event was started | | `InitiatingProcessSignerType` | `string` | Type of file signer of the process (image file) that initiated the event | | `InitiatingProcessSignatureStatus` | `string` | Information about the signature status of the process (image file) that initiated the event |-| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | +| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. | | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity | | `AdditionalFields` | `string` | Additional information about the event in JSON array format | |
security | Advanced Hunting Deviceregistryevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceregistryevents-table.md | For information on other tables in the advanced hunting schema, [see the advance | `Timestamp` | `datetime` | Date and time when the event was recorded | | `DeviceId` | `string` | Unique identifier for the device in the service | | `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |-| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details | +| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details. | | `RegistryKey` | `string` | Registry key that the recorded action was applied to | | `RegistryValueType` | `string` | Data type, such as binary or string, of the registry value that the recorded action was applied to | | `RegistryValueName` | `string` | Name of the registry value that the recorded action was applied to | For information on other tables in the advanced hunting schema, [see the advance | `InitiatingProcessParentCreationTime` | `datetime` | Date and time when the parent of the process responsible for the event was started | | `InitiatingProcessIntegrityLevel` | `string` | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. 
| | `InitiatingProcessTokenElevation` | `string` | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |-| `ReportId` | `long` | Event identifier based on a repeating counter.To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. | +| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. | | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics |
security | Advanced Hunting Devicetvmhardwarefirmware Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmhardwarefirmware-table.md | |
security | Advanced Hunting Devicetvminfogathering Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvminfogathering-table.md | |
security | Advanced Hunting Devicetvminfogatheringkb Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvminfogatheringkb-table.md | For information on other tables in the advanced hunting schema, see [the advance | `IgId` | `string` | Unique identifier for the piece of information gathered | | `FieldName` | `string` | Name of the field where this information appears in the AdditionalFields column of the DeviceTvmInfoGathering table | | `Description` | `string` | Description of the information gathered |-| `Categories` | `string` | List of categories that the information belongs to, in JSON array format | +| `Categories` | `dynamic` | List of categories that the information belongs to, in JSON array format | | `DataStructure` | `string` | The data structure of the information gathered | You can use this table to explore the kinds of information available in `DeviceTvmInfoGathering` so you can later fine-tune your hunting query. |
security | Advanced Hunting Devicetvmsecureconfigurationassessment Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsecureconfigurationassessment-table.md | For information on other tables in the advanced hunting schema, see [the advance | `ConfigurationId` | `string` | Unique identifier for a specific configuration | | `ConfigurationCategory` | `string` | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls | | `ConfigurationSubcategory` | `string` | Subcategory or subgrouping to which the configuration belongs. In many cases, string describes specific capabilities or features. |-| `ConfigurationImpact` | `string` | Rated impact of the configuration to the overall configuration score (1-10) | +| `ConfigurationImpact` | `real` | Rated impact of the configuration to the overall configuration score (1-10) | | `IsCompliant` | `boolean` | Indicates whether the configuration or policy is properly configured | | `IsApplicable` | `boolean` | Indicates whether the configuration or policy applies to the device |-| `Context` | `string` | Additional contextual information about the configuration or policy | +| `Context` | `dynamic` | Additional contextual information about the configuration or policy | | `IsExpectedUserImpact` | `boolean` | Indicates whether there will be user impact if the configuration or policy is applied | You can try this example query to return information on devices with non-compliant antivirus configurations along with the relevant configuration metadata from the `DeviceTvmSecureConfigurationAssessmentKB` table: |
security | Advanced Hunting Devicetvmsecureconfigurationassessmentkb Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md | For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-|--|-| | `ConfigurationId` | `string` | Unique identifier for a specific configuration |-| `ConfigurationImpact` | `string` | Rated impact of the configuration to the overall configuration score (1-10) | +| `ConfigurationImpact` | `real` | Rated impact of the configuration to the overall configuration score (1-10) | | `ConfigurationName` | `string` | Display name of the configuration | | `ConfigurationDescription` | `string` | Description of the configuration | | `RiskDescription` | `string` | Description of the associated risk | | `ConfigurationCategory` | `string` | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls| | `ConfigurationSubcategory` | `string` |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. 
|-| `ConfigurationBenchmarks` | `string` | List of industry benchmarks recommending the same or similar configuration | -| `Tags` | `string` | Labels representing various attributes used to identify or categorize a security configuration | +| `ConfigurationBenchmarks` | `dynamic` | List of industry benchmarks recommending the same or similar configuration | +| `Tags` | `dynamic` | Labels representing various attributes used to identify or categorize a security configuration | | `RemediationOptions` | `string` | Recommended actions to reduce or address any associated risks | You can try this example query to return relevant configuration metadata along with information on devices with non-compliant antivirus configurations from the `DeviceTvmSecureConfigurationAssessment` table: |
security | Advanced Hunting Devicetvmsoftwareevidencebeta Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsoftwareevidencebeta-table.md | For information on other tables in the advanced hunting schema, see [the advance | `SoftwareVersion` | `string` | Version number of the software product | | `RegistryPaths` | `dynamic` | Registry paths where evidence indicating the existence of the software on a device was detected | | `DiskPaths` | `dynamic` | Disk paths where file-level evidence indicating the existence of the software on a device was detected |-| `LastSeenTime` | `string` | Date and time when the device last seen by this service | +| `LastSeenTime` | `string` | Date and time when the device was last seen by this service | ## Related topics |
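Review bot: on the `LastSeenTime` row, the data type is still `string` although the description reads "Date and time when the device was last seen by this service". If the column is actually a `datetime`, correct the type in the same change as the grammar fix; if it really is a string, say so in the description so that readers know to convert it before comparing dates.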
security | Advanced Hunting Devicetvmsoftwareinventory Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsoftwareinventory-table.md | For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-|--|-|-| `DeviceId` | `string` | Unique identifier for the machine in the service | -| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the machine | -| `OSPlatform` | `string` | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10 and Windows 7. | -| `OSVersion` | `string` | Version of the operating system running on the machine | -| `OSArchitecture` | `string` | Architecture of the operating system running on the machine | +| `DeviceId` | `string` | Unique identifier for the device in the service | +| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device | +| `OSPlatform` | `string` | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10 and Windows 7. 
| +| `OSVersion` | `string` | Version of the operating system running on the device | +| `OSArchitecture` | `string` | Architecture of the operating system running on the device | | `SoftwareVendor` | `string` | Name of the software vendor | | `SoftwareName` | `string` | Name of the software product | | `SoftwareVersion` | `string` | Version number of the software product | | `EndOfSupportStatus` | `string` | Indicates the lifecycle stage of the software product relative to its specified end-of-support (EOS) or end-of-life (EOL) date |-| `EndOfSupportDate` | `string` | End-of-support (EOS) or end-of-life (EOL) date of the software product | -| `ProductCodeCpe` | `string` | CPE of the software product or 'not available' where there's no CPE | -| `CveTags` | `string` | An array of the tags relevant to the CVE. Tags that are currently supported are "ZeroDay" and "NoSecurityUpdate". +| `EndOfSupportDate` | `datetime` | End-of-support (EOS) or end-of-life (EOL) date of the software product | +| `ProductCodeCpe` | `string` | The standard Common Platform Enumeration (CPE) name of the software product version or 'not available' where there's no CPE | ## Related topics |
security | Advanced Hunting Devicetvmsoftwarevulnerabilities Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsoftwarevulnerabilities-table.md | For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-|--|-|-| `DeviceId` | `string` | Unique identifier for the machine in the service | -| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the machine | -| `OSPlatform` | `string` | Platform of the operating system running on the machine. Indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, and Windows 7. | -| `OSVersion` | `string` | Version of the operating system running on the machine | -| `OSArchitecture` | `string` | Architecture of the operating system running on the machine | +| `DeviceId` | `string` | Unique identifier for the device in the service | +| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device | +| `OSPlatform` | `string` | Platform of the operating system running on the device. Indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, and Windows 7. 
| +| `OSVersion` | `string` | Version of the operating system running on the device | +| `OSArchitecture` | `string` | Architecture of the operating system running on the device | | `SoftwareVendor` | `string` | Name of the software publisher | | `SoftwareName` | `string` | Name of the software product | | `SoftwareVersion` | `string` | Version number of the software product | For information on other tables in the advanced hunting schema, see [the advance | `VulnerabilitySeverityLevel` | `string` | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape | | `RecommendedSecurityUpdate` | `string` | Name or description of the security update provided by the software publisher to address the vulnerability | | `RecommendedSecurityUpdateId` | `string` | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles |-+| `CveTags` | `dynamic` | Array of tags relevant to the CVE; example: ZeroDay, NoSecurityUpdate | ## Related topics |
security | Advanced Hunting Devicetvmsoftwarevulnerabilitieskb Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md | For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-|--|-| | `CveId` | `string` | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |-| `CvssScore` | `string` | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) | +| `CvssScore` | `string` | Severity score assigned to the security vulnerability under the Common Vulnerability Scoring System (CVSS) | | `IsExploitAvailable` | `boolean` | Indicates whether exploit code for the vulnerability is publicly available | | `VulnerabilitySeverityLevel` | `string` | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape | | `LastModifiedTime` | `datetime` | Date and time the item or related metadata was last modified |-| `PublishedDate` | `datetime` | Date vulnerability was disclosed to public | -| `VulnerabilityDescription` | `string` | Description of vulnerability and associated risks | -| `AffectedSoftware` | `string` | List of all software products affected by the vulnerability | +| `PublishedDate` | `datetime` | Date vulnerability was disclosed to the public | +| `VulnerabilityDescription` | `string` | Description of the vulnerability and associated risks | +| `AffectedSoftware` | `dynamic` | List of all software products affected by the vulnerability | ## Related topics |
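Review bot: the `CvssScore` row gets its typo fixed but keeps `string` as the data type for a severity score, while `AffectedSoftware` in the same hunk moves from `string` to `dynamic`. Confirm the type of `CvssScore` against the live schema as part of this pass, because a score held as a string sorts and compares lexically unless hunting queries cast it first.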
security | Advanced Hunting Emailattachmentinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailattachmentinfo-table.md | |
security | Advanced Hunting Emailevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailevents-table.md | For information on other tables in the advanced hunting schema, [see the advance | `RecipientEmailAddress` | `string` | Email address of the recipient, or email address of the recipient after distribution list expansion | | `RecipientObjectId` | `string` | Unique identifier for the email recipient in Microsoft Entra ID | | `Subject` | `string` | Subject of the email |-| `EmailClusterId` | `string` | Identifier for the group of similar emails clustered based on heuristic analysis of their contents | +| `EmailClusterId` | `long` | Identifier for the group of similar emails clustered based on heuristic analysis of their contents | | `EmailDirection` | `string` | Direction of the email relative to your network: Inbound, Outbound, Intra-org | | `DeliveryAction` | `string` | Delivery action of the email: Delivered, Junked, Blocked, or Replaced | | `DeliveryLocation` | `string` | Location where the email was delivered: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items | For information on other tables in the advanced hunting schema, [see the advance | `OrgLevelPolicy` | `string` | Organizational policy that triggered the action taken on the email | | `UserLevelAction` | `string` | Action taken on the email in response to matches to a mailbox policy defined by the recipient | | `UserLevelPolicy` | `string` | End-user mailbox policy that triggered the action taken on the email |-| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. | +| `ReportId` | `string` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. 
| | `AdditionalFields` | `string` | Additional information about the entity or event | | `LatestDeliveryLocation`* | `string` | Last known location of the email | |`LatestDeliveryAction`* | `string` | Last known action attempted on an email by the service or by an admin through manual remediation | |
security | Advanced Hunting Emailpostdeliveryevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailpostdeliveryevents-table.md | To get more information about individual email messages, you can also use the [` | `ActionResult` | `string` | Result of the action | | `RecipientEmailAddress` | `string` | Email address of the recipient, or email address of the recipient after distribution list expansion | | `DeliveryLocation` | `string` | Location where the email was delivered: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items |-| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. | | `ThreatTypes` | `string` | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats | | `DetectionMethods` | `string` | Methods used to detect malware, phishing, or other threats found in the email |+| `ReportId` | `string` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. | ## Supported event types This table captures events with the following `ActionType` values: |
security | Advanced Hunting Emailurlinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailurlinfo-table.md | For information on other tables in the advanced hunting schema, [see the advance | `NetworkMessageId` | `string` | Unique identifier for the email, generated by Microsoft 365 | | `Url` | `string` | Full URL in the email subject, body, or attachment | | `UrlDomain` | `string` | Domain name or host name of the URL |-| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | +| `ReportId` | `string` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) |
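Review bot: on the `ReportId` row, the type changes from `long` to `string` but the description is unchanged, still calling it a "repeating counter" to be combined with the DeviceName and Timestamp columns. The columns visible around it in this table are `NetworkMessageId`, `Url` and `UrlDomain`; check whether DeviceName applies to this table and reword the uniqueness guidance to match. The description also lacks its closing period.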
security | Advanced Hunting Identitydirectoryevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identitydirectoryevents-table.md | For information on other tables in the advanced hunting schema, [see the advance | `TargetDeviceName` | `string` | Fully qualified domain name (FQDN) of the device that the recorded action was applied to | | `DestinationDeviceName` | `string` | Name of the device running the server application that processed the recorded action | | `DestinationIPAddress` | `string` | IP address of the device running the server application that processed the recorded action |-| `DestinationPort` | `string` | Destination port of the activity | +| `DestinationPort` | `int` | Destination port of the activity | | `Protocol` | `string` | Protocol used during the communication | | `AccountName` | `string` | User name of the account | | `AccountDomain` | `string` | Domain of the account | | `AccountUpn` | `string` | User principal name (UPN) of the account | | `AccountSid` | `string` | Security Identifier (SID) of the account | | `AccountObjectId` | `string` | Unique identifier for the account in Microsoft Entra ID |-| `AccountDisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname. | +| `AccountDisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. 
| | `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device | | `IPAddress` | `string` | IP address assigned to the device during communication |-| `Port` | `string` | TCP port used during communication | +| `Port` | `int` | TCP port used during communication | | `Location` | `string` | City, country/region, or other geographic location associated with the event | | `ISP` | `string` | Internet service provider associated with the IP address |-| `ReportId` | `long` | Unique identifier for the event | -| `AdditionalFields` | `string` | Additional information about the entity or event | +| `ReportId` | `string` | Unique identifier for the event | +| `AdditionalFields` | `dynamic` | Additional information about the entity or event | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) |
security | Advanced Hunting Identityinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identityinfo-table.md | For information on other tables in the advanced hunting schema, [see the advance | `AccountObjectId` | `string` | Unique identifier for the account in Microsoft Entra ID | | `AccountUpn` | `string` | User principal name (UPN) of the account | | `OnPremSid` | `string` | On-premises security identifier (SID) of the account |-| `AccountDisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname. | +| `AccountDisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. | | `AccountName` | `string` | User name of the account | | `AccountDomain` [*](#mdi-only) | `string` | Domain of the account | | `Type` [*](#mdi-only) | `string` | Type of record | For information on other tables in the advanced hunting schema, [see the advance | `IsAccountEnabled` | `boolean` | Indicates whether the account is enabled or not | | `Manager` [*](#mdi-only) | `string` | The listed manager of the account user | | `Phone` [*](#mdi-only) | `string` | The listed phone number of the account user|-| `AccountCreationTime` [*](#mdi-only) | `datetime` | The date and time that the user was created| +| `CreatedDateTime` [*](#mdi-only) | `datetime` | Date and time when the account user was created | | `SourceProvider` [*](#mdi-only) | `string` |The identity's source, such as Microsoft Entra ID, Active Directory, or a [hybrid identity](/azure/active-directory/hybrid/what-is-provisioning) synchronized from Active Directory to Azure Active Directory | | `ChangeSource` [*](#mdi-only) | `string` |Identifies which identity provider or process triggered the addition of the new row. 
For example, the `System-UserPersistence` value is used for any rows added by an automated process.| | `Tags` [*](#mdi-only) | `dynamic` | Tags assigned to the account user by Defender for Identity | |
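Review bot: replacing `AccountCreationTime` with `CreatedDateTime` is a column rename, not a wording fix, and any saved query or detection rule that references the old name is affected; the article should say so explicitly, or confirm that the old name was never live. Separately, the `SourceProvider` description still ends with "synchronized from Active Directory to Azure Active Directory" while naming Microsoft Entra ID earlier in the same sentence; align the product name.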
security | Advanced Hunting Identitylogonevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table.md | For information on other tables in the advanced hunting schema, [see the advance | `Timestamp` | `datetime` | Date and time when the event was recorded | | `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details | | `Application` | `string` | Application that performed the recorded action |-| `LogonType` | `string` | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start | +| `LogonType` | `string` | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the device using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the device remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the device is accessed using PsExec or when shared resources on the device, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start | | `Protocol` | `string` | Network protocol used | | `FailureReason` | 
`string` | Information explaining why the recorded action failed | | `AccountName` | `string` | User name of the account | For information on other tables in the advanced hunting schema, [see the advance | `AccountUpn` | `string` | User principal name (UPN) of the account | | `AccountSid` | `string` | Security Identifier (SID) of the account | | `AccountObjectId` | `string` | Unique identifier for the account in Microsoft Entra ID |-| `AccountDisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname. | +| `AccountDisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. | | `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |-| `DeviceType` | `string` | Type of device | -| `OSPlatform` | `string` | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10 and Windows 7. | +| `DeviceType` | `string` | Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer | +| `OSPlatform` | `string` | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10 and Windows 7. 
| | `IPAddress` | `string` | IP address assigned to the endpoint and used during related network communications |-| `Port` | `string` | TCP port used during communication | +| `Port` | `int` | TCP port used during communication | | `DestinationDeviceName` | `string` | Name of the device running the server application that processed the recorded action | | `DestinationIPAddress` | `string` | IP address of the device running the server application that processed the recorded action |-| `DestinationPort` | `string` | Destination port of related network communications | +| `DestinationPort` | `int` | Destination port of related network communications | | `TargetDeviceName` | `string` | Fully qualified domain name (FQDN) of the device that the recorded action was applied to | | `TargetAccountDisplayName` | `string` | Display name of the account that the recorded action was applied to | | `Location` | `string` | City, country/region, or other geographic location associated with the event | | `Isp` | `string` | Internet service provider (ISP) associated with the endpoint IP address |-| `ReportId` | `long` | Unique identifier for the event | -| `AdditionalFields` | `string` | Additional information about the entity or event | +| `ReportId` | `string` | Unique identifier for the event | +| `AdditionalFields` | `dynamic` | Additional information about the entity or event | ## Related topics |
security | Advanced Hunting Identityqueryevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identityqueryevents-table.md | For information on other tables in the advanced hunting schema, [see the advance | `AccountUpn` | `string` | User principal name (UPN) of the account | | `AccountSid` | `string` | Security Identifier (SID) of the account | | `AccountObjectId` | `string` | Unique identifier for the account in Microsoft Entra ID |-| `AccountDisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname. | -| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the endpoint | +| `AccountDisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. | +| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device | | `IPAddress` | `string` | IP address assigned to the endpoint and used during related network communications |-| `Port` | `string` | TCP port used during communication | +| `Port` | `int` | TCP port used during communication | | `DestinationDeviceName` | `string` | Name of the device running the server application that processed the recorded action | | `DestinationIPAddress` | `string` | IP address of the device running the server application that processed the recorded action |-| `DestinationPort` | `string` | Destination port of related network communications | +| `DestinationPort` | `int` | Destination port of related network communications | | `TargetDeviceName` | `string` | Fully qualified domain name (FQDN) of the device that the recorded action was applied to | | `TargetAccountUpn` | `string` | User principal name (UPN) of the account that the recorded action was applied to | | `TargetAccountDisplayName` | `string` 
| Display name of the account that the recorded action was applied to | | `Location` | `string` | City, country/region, or other geographic location associated with the event |-| `ReportId` | `long` | Unique identifier for the event | -| `AdditionalFields` | `string` | Additional information about the entity or event | +| `ReportId` | `string` | Unique identifier for the event | +| `AdditionalFields` | `dynamic` | Additional information about the entity or event | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) |
security | Advanced Hunting Urlclickevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-urlclickevents-table.md | For information on other tables in the advanced hunting schema, see [the advance | `AccountUpn` | `string` | User Principal Name of the account that clicked on the link| | `Workload` | `string` | The application from which the user clicked on the link, with the values being Email, Office, and Teams| | `NetworkMessageId` | `string` | The unique identifier for the email that contains the clicked link, generated by Microsoft 365|-| `IPAddress` | `string` | Public IP address of the device from which the user clicked on the link| | `ThreatTypes` | `string` | Verdict at the time of click, which tells whether the URL led to malware, phish or other threats| | `DetectionMethods` | `string` | Detection technology that was used to identify the threat at the time of click|+| `IPAddress` | `string` | Public IP address of the device from which the user clicked on the link| | `IsClickedThrough` | `bool` | Indicates whether the user was able to click through to the original URL (1) or not (0)| | `UrlChain` | `string` | For scenarios involving redirections, it includes URLs present in the redirection chain| | `ReportId` | `string` | The unique identifier for a click event. For clickthrough scenarios, report ID would have same value, and therefore it should be used to correlate a click event.| |
security | Faq Managed Response | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/faq-managed-response.md | The following section lists down questions you or your SOC team might have regar | Questions | Answers | |||-| **What is managed response?** | Microsoft Defender Experts for XDR offers **managed response** where our experts manage the entire remediation process for incidents that require them. This process includes investigating the incident to identify the root cause, determining the required response actions, and taking those actions on your behalf.| -| **What actions are in scope for managed response?** | All actions found below are in scope for Managed Response for any device and user that isn't excluded.<br><br>*For devices* <ul><li>Isolate machine<br><li>Release device from isolation<br><li>Run antivirus scan<br><li>Stop and quarantine file<br><li>Release file from quarantine<br><li>Restrict app execution<br><li>Remove app restriction</ul><br>*For users*<ul><li>Force password reset<br><li>Disable user<br><li>Enable user<br><li>Suspend user<br><li>Unsuspend user<br><li>Revoke user tokens<br><li>Soft delete emails </ul><br> | +| **What is managed response?** | Microsoft Defender Experts for XDR offers **Managed response** where our experts manage the entire remediation process for incidents that require them. 
This process includes investigating the incident to identify the root cause, determining the required response actions, and taking those actions on your behalf.| +| **What actions are in scope for managed response?** | All actions found below are in scope for managed response for any device and user that isn't excluded.<br><br>*For devices* *(Available now)*<ul><li>Isolate machine<br><li>Release machine from isolation<br><li>Run antivirus scan<br><li>Stop and quarantine file<br><li>Release file from quarantine<br><li>Restrict app execution<br><li>Remove app restriction</ul><br>*For users (Coming soon)*<ul><li>Force password reset<br><li>Disable user<br><li>Enable user<br><li>Suspend user<br><li>Soft delete emails </ul><br> | | **Can I customize the extent of managed response?** | You can configure the extent to which our experts do managed response actions on your behalf by excluding certain devices and users (individually or by groups) either during onboarding or later by modifying your service's settings. [Read more about excluding device and user groups](../defender/get-started-xdr.md#exclude-devices-and-users-from-remediation) |-| **What support do Defender Experts offer for excluded assets?** | If our experts determine that you need to perform response actions on excluded devices or users, we notify you through various customizable methods and direct you to your Microsoft Defender portal. From your portal, you can then view a detailed summary of our investigation process and the required response actions in the portal, and perform these required actions directly. Similar capabilities are also available through Defender APIs, in case you prefer using a security information and event management (SIEM), IT service management (ITSM), or any other third-party tool. 
| -| **How am I going to be informed about the response actions?** | Response actions that our experts have completed on your behalf and any pending ones that you need to perform on your excluded assets are displayed in the **Managed response** panel in your Microsoft Defender portal's **Incidents** page. <br><br>In addition, you'll also receive an email containing a link to the incident and instructions to view the managed response in the portal. Moreover if you have integration with Microsoft Sentinel or APIs, you'll also be notified within those tools by looking for DEX statuses. For more information, see [FAQs related to Microsoft Defender Experts for XDR incident notifications](../defender/faq-incident-notifications-xdr.md).| +| **What support do Defender Experts offer for excluded assets?** | If our experts determine that you need to perform response actions on excluded devices or users, we notify you through various customizable methods and direct you to your Microsoft Defender XDR portal. From your portal, you can then view a detailed summary of our investigation process and the required response actions in the portal, and perform these required actions directly. Similar capabilities are also available through Defender APIs, in case you prefer using a security information and event management (SIEM), IT service management (ITSM), or any other third-party tool. | +| **How am I going to be informed about the response actions?** | Response actions that our experts have completed on your behalf and any pending ones that you need to perform on your excluded assets are displayed in the **Managed response** panel in your Microsoft Defender XDR portal's **Incidents** page. <br><br>In addition, you'll also receive an email containing a link to the incident and instructions to view the managed response in the portal. Moreover if you have integration with Microsoft Sentinel or APIs, you'll also be notified within those tools by looking for DEX statuses. 
For more information, see [FAQs related to Microsoft Defender Experts for XDR incident notifications](../defender/faq-incident-notifications-xdr.md).| | **Can I customize managed response based on actions?** | No. If you have devices or users that are considered high-value or sensitive, you can add them to your exclusion list. Our experts will NOT take any action on them and will only provide guidance if they're impacted by an incident.| ### See also |
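Review bot: In the "What actions are in scope for managed response?" row, the new *For users* list keeps "Suspend user" but drops "Unsuspend user" and "Revoke user tokens", while "Disable user" and "Enable user" stay paired. If the removal is intentional, the row should say how a suspended user gets restored; otherwise put both items back. The first row also now writes "**Managed response**" with a capital M mid-sentence while the next row uses "managed response"; pick one casing for running text.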
security | Manage Rbac | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-rbac.md | Centralized permissions management is supported for the following solutions: ||| |Microsoft Defender XDR|Centralized permissions management for Microsoft Defender XDR experiences.| |Microsoft Defender for Endpoint|Full support for all endpoint data and actions. All roles are compatible with the device group's scope as defined on the device groups page.|-|Microsoft Defender Vulnerability Management | Centralized permissions management for all Defender Vulnerability Management capabilities.| -|Microsoft Defender for Office 365| Full support for all email & collaboration data and actions scenarios that are controlled by Exchange Online Protection roles (EOP) as well as scenarios controlled by Exchange Online (EXO). </br></br> **Note:** The Microsoft Defender XDR RBAC model will initially be available for organizations with Microsoft Defender for Office Plan 2 licenses only. This capability is not available to users on trial licenses. </br></br>Granular delegated admin privileges (GDAP) is not supported. </br></br>Remote PowerShell is not supported. | +|Microsoft Defender Vulnerability Management|Centralized permissions management for all Defender Vulnerability Management capabilities.| +|Microsoft Defender for Office 365|Full support for all data and actions scenarios that are controlled by [Email & Collaboration roles](../office-365-security/mdo-portal-permissions.md) and scenarios controlled by [Exchange Online permissions](/exchange/permissions-exo/permissions-exo). </br></br> **Note:** <ul><li>The Microsoft Defender XDR RBAC model is initially available for organizations with Microsoft Defender for Office 365 Plan 2 licenses only. 
This capability isn't available to users on trial licenses.</li><li>Granular delegated admin privileges (GDAP) isn't supported.</li><li>Cmdlets in Exchange Online PowerShell and Security & Compliance PowerShell continue to use the old RBAC models and aren't affected by Microsoft Defender XDR Unified RBAC.</ul><li>| |Microsoft Defender for Identity|Full support for all identity data and actions. </br></br> **Note:** Defender for Identity experiences will also adhere to permissions granted from [Microsoft Defender for Cloud Apps](https://security.microsoft.com/cloudapps/permissions/roles). For more information, see [Microsoft Defender for Identity role groups](https://go.microsoft.com/fwlink/?linkid=2202729).|-|Microsoft Defender for Cloud| Support access management for all Defender for Cloud data that is available in Microsoft Defender portal.| +|Microsoft Defender for Cloud|Support access management for all Defender for Cloud data that is available in Microsoft Defender portal.| |Microsoft Secure Score|Full support for all Secure Score data from the [Products included in Secure Score](../defender/microsoft-secure-score.md#products-included-in-secure-score).| > [!NOTE] This section provides useful information on what you need to know before you sta ### Permissions pre-requisites -> [!NOTE] -> Unified RBAC - Preview experience is currently not available for US Government customers using GCC and GCC High. - - You must be a Global Administrator or Security Administrator in Microsoft Entra ID to:- - Gain initial access to [Permissions and roles](https://security.microsoft.com/mtp_roles) in the Microsoft Defender portal. - Manage roles and permissions in Microsoft Defender XDR Unified RBAC. |
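Review bot: The added Microsoft Defender for Office 365 row ends with `</ul><li>|`, so the third list item is never closed and a stray empty `<li>` is opened after the list; close the item and end the cell with `</li></ul>|`. The same patch deletes the note that Unified RBAC is not available for US Government customers using GCC and GCC High without adding any replacement statement, so the article should say whether those environments are now supported.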
security | Microsoft Secure Score Whats New | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score-whats-new.md | The more improvement actions you take, the higher your Secure Score will be. For Microsoft Secure Score can be found at <https://security.microsoft.com/securescore> in the [Microsoft Defender portal](microsoft-365-defender-portal.md). +## January 2024 + +The following recommendations have been added as Microsoft Secure Score improvement actions: + +**Microsoft Entra (AAD):** ++- Ensure 'Phishing-resistant MFA strength' is required for Administrators. +- Ensure custom banned passwords lists are used. ++**Admin Center:** ++- Ensure ΓÇÿUser owned apps and servicesΓÇÖ is restricted. ++**Microsoft Forms:** ++- Ensure internal phishing protection for Forms is enabled. + +**Microsoft Share Point:** ++- Ensure that SharePoint guest users cannot share items they don't own. ++## December 2023 ++The following recommendations have been added as Microsoft Secure Score improvement actions: ++**Microsoft Entra (AAD):** ++- Ensure 'Microsoft Azure Management' is limited to administrative roles. ++**Microsoft Sway:** ++- Ensure that Sways cannot be shared with people outside of your organization. ++**Microsoft Exchange Online:** ++- Ensure users installing Outlook add-ins is not allowed. ++**Zendesk:** ++- Enable and adopt two-factor authentication (2FA). +- Send a notification on password change for admins, agents, and end users. +- Enable IP restrictions. +- Block customers to bypass IP restrictions. +- Admins and agents can use the Zendesk Support mobile app. +- Enable Zendesk authentication. +- Enable session timeout for users. +- Block account assumption. +- Block admins to set passwords. +- Automatic redaction. ++**Net Document:** ++- Adopt Single sign on (SSO) in netDocument. ++**Meta Workplace:** ++- Adopt Single sign on (SSO) in Workplace by Meta. 
++**Dropbox:** ++- Enable web session timeout for web users. ++**Atlassian:** ++- Enable multi-factor authentication (MFA). +- Enable Single Sign On (SSO). +- Enable strong Password Policies. +- Enable session timeout for web users. +- Enable Password expiration policies. +- Atlassian mobile app security - Users that are affected by policies. +- Atlassian mobile app security - App data protection. +- Atlassian mobile app security - App access requirement. ++**Microsoft Defender for Identity: +New Active Directory Certificate Services (ADCS) related recommendations:** ++- **Certificate templates recommended actions** : + - [Prevent users to request a certificate valid for arbitrary users based on the certificate template (ESC1)](/defender-for-identity/security-assessment-prevent-users-request-certificate) + - [Edit overly permissive Certificate Template with privileged EKU (Any purpose EKU or No EKU) (ESC2)](/defender-for-identity/security-assessment-edit-overly-permissive-template) + - [Misconfigured enrollment agent certificate template (ESC3)](/defender-for-identity/security-assessment-edit-misconfigured-enrollment-agent) + - [Edit misconfigured certificate templates ACL (ESC4)](/defender-for-identity/security-assessment-edit-misconfigured-acl) + - [Edit misconfigured certificate templates owner](/defender-for-identity/security-assessment-edit-misconfigured-owner) +- **Certificate authority recommended actions** : + - [Edit vulnerable Certificate Authority setting](/defender-for-identity/security-assessment-edit-vulnerable-ca-setting) + - [Edit misconfigured Certificate Authority ACL (ESC7)](/defender-for-identity/security-assessment-edit-misconfigured-ca-acl) + - [Enforce encryption for RPC certificate enrollment interface (ESC8)](/defender-for-identity/security-assessment-enforce-encryption-rpc) ++For more information, see [Microsoft Defender for Identity's security posture assessments](/defender-for-identity/security-assessment). 
++## October 2023: ++The following recommendations have been added as Microsoft Secure Score improvement actions: ++**Microsoft Entra (AAD):** ++- Ensure 'Phishing-resistant MFA strength' is required for administrators. +- Ensure custom banned passwords lists are used. ++**Microsoft Sway:** ++- Ensure that Sways cannot be shared with people outside of your organization. ++**Atlassian:** ++- Enable multi-factor authentication (MFA). +- Enable Single Sign On (SSO). +- Enable strong Password Policies. +- Enable session timeout for web users. +- Enable Password expiration policies. +- Atlassian mobile app security - Users that are affected by policies. +- Atlassian mobile app security - App data protection. +- Atlassian mobile app security - App access requirement. ++## September 2023: ++The following recommendations have been added as Microsoft Secure Score improvement actions: ++**Microsoft Information Protection:** ++- Ensure Microsoft 365 audit log search is enabled. +- Ensure DLP policies are enabled for Microsoft Teams. ++**Exchange Online:** ++- Ensure that SPF records are published for all Exchange Domains. +- Ensure modern authentication for Exchange Online is enabled. +- Ensure MailTips are enabled for end users. +- Ensure mailbox auditing for all users is enabled. +- Ensure additional storage providers are restricted in Outlook on the web. ++**Microsoft Defender for Cloud Apps:** ++- Ensure Microsoft Defender for Cloud Apps is enabled. ++**Microsoft Defender for Office:** ++- Ensure Exchange Online Spam Policies are set to notify administrators. +- Ensure all forms of mail forwarding are blocked and/or disabled. +- Ensure Safe Links for Office Applications is enabled. +- Ensure Safe Attachments policy is enabled. +- Ensure that an anti-phishing policy has been created. + ## August 2023 The following recommendations have been added as Microsoft Secure Score improvement actions: |
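Review bot: The new section headings are inconsistent: `## October 2023:` and `## September 2023:` carry a trailing colon while `## January 2024`, `## December 2023` and the existing `## August 2023` do not, and the label "**Microsoft Share Point:**" should read SharePoint, as the bullet under it does. The January 2024 Microsoft Entra items repeat the October 2023 ones (only the case of "Administrators" differs), and the December 2023 Microsoft Sway and Atlassian items repeat October 2023 as well; list each recommendation only under the month it was added.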
security | Microsoft Threat Actor Naming | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/microsoft-threat-actor-naming.md | -> [!IMPORTANT] -> Learn about how [Volt Typhoon targets US critical infrastructure with living-off-the-land techniques](https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/#:~:text=Volt%20Typhoon%20has%20been%20active%20since%20mid-2021%20and,construction%2C%20maritime%2C%20government%2C%20information%20technology%2C%20and%20education%20sectors) - Microsoft shifted to a new naming taxonomy for threat actors aligned with the theme of weather. We intend to bring better clarity to customers and other security researchers with the nex taxonomy. We offer a more organized, articulate, and easy way to reference threat actors so that organizations can better prioritize and protect themselves and aid security researchers already confronted with an overwhelming amount of threat intelligence data. :::image type="content" source="../../media/threat-actor-naming/threat-actor-categories.png" alt-text="Nation-state actors based on Microsoft naming" lightbox="../../media/threat-actor-naming/threat-actor-categories-lg.png"::: The table shows how the new family names map to the threat actors that we track. Use the following reference table to understand how our previously publicly disclosed old threat actor names translate to our new taxonomy. 
-|Previous name|New name|Origin/Threat|Other names| -||::|::|::| -|ACTINIUM|Aqua Blizzard|Russia|UNC530, Primitive Bear, Gamaredon| -|AMERICIUM|Pink Sandstorm|Iran|Agrius, Deadwood, BlackShadow, SharpBoys| -|BARIUM|Brass Typhoon|China|APT41| -|BISMUTH|Canvas Cyclone|Vietnam|APT32, OceanLotus| -|BOHRIUM|Smoke Sandstorm|Iran|| -|BROMINE|Ghost Blizzard|Russia|Energetic Bear, Crouching Yeti| -|CERIUM|Ruby Sleet|North Korea|| -|CHIMBORAZO|Spandex Tempest|Financially motivated|TA505| -|CHROMIUM|Charcoal Typhoon|China|ControlX| -|COPERNICIUM|Sapphire Sleet|North Korea|Genie Spider, BlueNoroff| -|CURIUM|Crimson Sandstorm|Iran|TA456, Tortoise Shell| -|DUBNIUM|Zigzag Hail|South Korea|Dark Hotel, Tapaoux| -|ELBRUS|Sangria Tempest|Financially motivated|Carbon Spider, FIN7| -|EUROPIUM|Hazel Sandstorm|Iran|Cobalt Gypsy, APT34, OilRig| -|GADOLINIUM|Gingham Typhoon|China|APT40, Leviathan, TEMP.Periscope, Kryptonite Panda| -|GALLIUM|Granite Typhoon|China|| -|HAFNIUM|Silk Typhoon|China|| -|HOLMIUM|Peach Sandstorm|Iran|APT33, Refined Kitten| -|IRIDIUM|Seashell Blizzard|Russia|Sandworm| -|KNOTWEED|Denim Tsunami|Private sector offensive actor|DSIRF| -|KRYPTON|Secret Blizzard|Russia|Venomous Bear, Turla, Snake| -|LAWRENCIUM|Pearl Sleet|North Korea|| -|MANGANESE|Mulberry Typhoon|China|APT5, Keyhole Panda, TABCTENG| -|MERCURY|Mango Sandstorm|Iran|MuddyWater, SeedWorm, Static Kitten, TEMP.Zagros| -|NEPTUNIUM|Cotton Sandstorm|Iran|Vice Leaker| -|NICKEL|Nylon Typhoon|China|ke3chang, APT15, Vixen Panda| -|NOBELIUM|Midnight Blizzard|Russia|APT29, Cozy Bear| -|OSMIUM|Opal Sleet|North Korea|Konni| -|PARINACOTA|Wine Tempest|Financially motivated|Wadhrama| -|PHOSPHORUS|Mint Sandstorm|Iran|APT35, Charming Kitten| -|PLUTONIUM|Onyx Sleet|North Korea|Silent Chollima, Andariel, DarkSeoul| -|POLONIUM|Plaid Rain|Lebanon|| -|RADIUM|Raspberry Typhoon|China|APT30, LotusBlossom| -|RUBIDIUM|Lemon Sandstorm|Iran|Fox Kitten, UNC757, PioneerKitten| -|SEABORGIUM|Star Blizzard|Russia|Callisto, Reuse Team| 
-|SILICON|Marbled Dust|T├╝rkiye|Sea Turtle| -|SOURGUM|Caramel Tsunami|Private sector offensive actor|Candiru| -|SPURR|Tomato Tempest|Financially motivated|Vatet| -|STRONTIUM|Forest Blizzard|Russia|APT28, Fancy Bear| -|TAAL|Camouflage Tempest|Financially motivated|FIN6, Skeleton Spider| -|THALLIUM|Emerald Sleet|North Korea|Kimsuky, Velvet Chollima| -|ZINC|Diamond Sleet|North Korea|Labyrinth Chollima, Lazarus| -|ZIRCONIUM|Violet Typhoon|China|APT31| --|Previous name|New name|Origin/Threat|Other names| +|Threat actor name|Previous name|Origin/Threat|Other names| ||::|::|::|-|DEV-0146|Pumpkin Sandstorm|Iran|ZeroCleare| -|DEV-0193|Periwinkle Tempest|Financially motivated|Wizard Spider, UNC2053| -|DEV-0196|Carmine Tsunami|Private sector offensive actor|QuaDream| -|DEV-0198 (NEPTUNIUM)|Cotton Sandstorm|Iran|Vice Leaker| -|DEV-0206|Mustard Tempest|Financially motivated|Purple Vallhund| -|DEV-0215 (LAWRENCIUM)|Pearl Sleet|North Korea|| -|DEV-0227 (AMERICIUM)|Pink Sandstorm|Iran|Agrius, Deadwood, BlackShadow, SharpBoys| -|DEV-0228|Cuboid Sandstorm|Iran|| -|DEV-0234|Lilac Typhoon|China|| -|DEV-0237|Pistachio Tempest|Financially motivated|FIN12| -|DEV-0243|Manatee Tempest|Financially motivated|EvilCorp, UNC2165, Indrik Spider| -|DEV-0257|Storm-0257|Group in development|UNC1151| -|DEV-0322|Circle Typhoon|China|| -|DEV-0336|Night Tsunami|Private sector offensive actor|NSO Group| -|DEV-0343|Gray Sandstorm|Iran|| -|DEV-0401|Cinnamon Tempest|Financially motivated|Emperor Dragonfly, Bronze Starlight| -|DEV-0500|Marigold Sandstorm|Iran|Moses Staff| -|DEV-0504|Velvet Tempest|Financially motivated|| -|DEV-0530|Storm-0530|North Korea|H0lyGh0st| -|DEV-0537|Strawberry Tempest|Financially motivated|LAPSUS$| -|DEV-0586|Cadet Blizzard|Russia|| -|DEV-0605|Wisteria Tsunami|Private sector offensive actor|CyberRoot| -|DEV-0665|Sunglow Blizzard|Russia|| -|DEV-0796|Phlox Tempest|Financially motivated|ClickPirate, Chrome Loader, Choziosi loader| -|DEV-0832|Vanilla Tempest|Financially motivated|| 
-|DEV-0950|Lace Tempest|Financially motivated|FIN11, TA505| -|DEV-XXXX|[Volt Typhoon](https://www.microsoft.com/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques) |China|BRONZE SILHOUETTE| +|Aqua Blizzard|ACTINIUM|Russia|UNC530, Primitive Bear, Gamaredon| +|Blue Tsunami||Private sector offensive actor|Black Cube| +|Brass Typhoon|BARIUM|China|APT41| +|Cadet Blizzard|DEV-0586|Russia|| +|Camouflage Tempest|TAAL|Financially motivated|FIN6, Skeleton Spider| +|Canvas Cyclone|BISMUTH|Vietnam|APT32, OceanLotus| +|Caramel Tsunami|SOURGUM|Private sector offensive actor|Candiru| +|Carmine Tsunami|DEV-0196|Private sector offensive actor|QuaDream| +|Charcoal Typhoon|CHROMIUM|China|ControlX| +|Cinnamon Tempest|DEV-0401|Financially motivated|Emperor Dragonfly, Bronze Starlight| +|Circle Typhoon|DEV-0322|China|| +|Citrine Sleet|DEV-0139, DEV-1222|North Korea|AppleJeus, Labyrinth Chollima, UNC4736| +|Cotton Sandstorm|DEV-0198 (NEPTUNIUM)|Iran|Vice Leaker| +|Crimson Sandstorm|CURIUM|Iran|TA456, Tortoise Shell| +|Cuboid Sandstorm|DEV-0228|Iran|| +|Denim Tsunami|KNOTWEED|Private sector offensive actor|DSIRF| +|Diamond Sleet|ZINC|North Korea|Labyrinth Chollima, Lazarus| +|Emerald Sleet|THALLIUM|North Korea|Kimsuky, Velvet Chollima| +|Flax Typhoon|Storm-0919|China|Ethereal Panda| +|Forest Blizzard|STRONTIUM|Russia|APT28, Fancy Bear| +|Ghost Blizzard|BROMINE|Russia|Energetic Bear, Crouching Yeti| +|Gingham Typhoon|GADOLINIUM|China|APT40, Leviathan, TEMP.Periscope, Kryptonite Panda| +|Granite Typhoon|GALLIUM|China|| +|Gray Sandstorm|DEV-0343|Iran|| +|Hazel Sandstorm|EUROPIUM|Iran|Cobalt Gypsy, APT34, OilRig| +|Jade Sleet|Storm-0954|North Korea|TraderTraitor, UNC4899| +|Lace Tempest|DEV-0950|Financially motivated|FIN11, TA505| +|Lemon Sandstorm|RUBIDIUM|Iran|Fox Kitten, UNC757, PioneerKitten| +|Lilac Typhoon|DEV-0234|China|| +|Manatee Tempest|DEV-0243|Financially motivated|EvilCorp, UNC2165, Indrik Spider| +|Mango 
Sandstorm|MERCURY|Iran|MuddyWater, SeedWorm, Static Kitten, TEMP.Zagros| +|Marbled Dust|SILICON|T├╝rkiye|Sea Turtle| +|Marigold Sandstorm|DEV-0500|Iran|Moses Staff| +|Midnight Blizzard|NOBELIUM|Russia|APT29, Cozy Bear| +|Mint Sandstorm|PHOSPHORUS|Iran|APT35, Charming Kitten| +|Mulberry Typhoon|MANGANESE|China|APT5, Keyhole Panda, TABCTENG| +|Mustard Tempest|DEV-0206|Financially motivated|Purple Vallhund| +|Night Tsunami|DEV-0336|Private sector offensive actor|NSO Group| +|Nylon Typhoon|NICKEL|China|ke3chang, APT15, Vixen Panda| +|Octo Tempest|Storm-0875|Financially motivated|0ktapus, Scattered Spider, UNC3944| +|Onyx Sleet|PLUTONIUM|North Korea|Silent Chollima, Andariel, DarkSeoul| +|Opal Sleet|OSMIUM|North Korea|Konni| +|Peach Sandstorm|HOLMIUM|Iran|APT33, Refined Kitten| +|Pearl Sleet|DEV-0215 (LAWRENCIUM)|North Korea|| +|Periwinkle Tempest|DEV-0193|Financially motivated|Wizard Spider, UNC2053| +|Phlox Tempest|DEV-0796|Financially motivated|ClickPirate, Chrome Loader, Choziosi loader| +|Pink Sandstorm|AMERICIUM|Iran|Agrius, Deadwood, BlackShadow, SharpBoys| +|Pistachio Tempest|DEV-0237|Financially motivated|FIN12| +|Plaid Rain|POLONIUM|Lebanon|| +|Pumpkin Sandstorm|DEV-0146|Iran|ZeroCleare| +|Raspberry Typhoon|RADIUM|China|APT30, LotusBlossom| +|Ruby Sleet|CERIUM|North Korea|| +|Sangria Tempest|ELBRUS|Financially motivated|Carbon Spider, FIN7| +|Sapphire Sleet|COPERNICIUM|North Korea|Genie Spider, BlueNoroff| +|Seashell Blizzard|IRIDIUM|Russia|Sandworm| +|Secret Blizzard|KRYPTON|Russia|Venomous Bear, Turla, Snake| +|Silk Typhoon|HAFNIUM|China|| +|Smoke Sandstorm|BOHRIUM|Iran|| +|Spandex Tempest|CHIMBORAZO|Financially motivated|TA505| +|Star Blizzard|SEABORGIUM|Russia|Callisto, Reuse Team| +|Storm-0062|DEV-0062|China|DarkShadow, Oro0lxy| +|Storm-0133|DEV-0133|Iran|LYCEUM, HEXANE| +|Storm-0216|DEV-0216|Financially motivated|Twisted Spider, UNC2198| +|Storm-0257|DEV-0257|Group in development|UNC1151| +|Storm-0324|DEV-0324|Financially motivated|TA543, Sagrid| 
+|Storm-0381|DEV-0381|Financially motivated|| +|Storm-0530|DEV-0530|North Korea|H0lyGh0st| +|Storm-0539||Financially motivated|| +|Storm-0558||China|| +|Storm-0569|DEV-0569|Financially motivated|| +|Storm-0587|DEV-0587|Russia|SaintBot, Saint Bear, TA471| +|Storm-0744|DEV-0744|Financially motivated|| +|Storm-0829|DEV-0829|Group in development|Nwgen Team| +|Storm-0835||Group in development|EvilProxy| +|Storm-0867|DEV-0867|Egypt|Caffeine| +|Storm-0971|DEV-0971|Financially motivated|(Merged into Octo Tempest)| +|Storm-0978|DEV-0978|Group in development|RomCom, Underground Team| +|Storm-1044|DEV-1044|Financially motivated|Danabot| +|Storm-1084|DEV-1084|Iran|DarkBit| +|Storm-1099||Russia|| +|Storm-1101|DEV-1101|Group in development|NakedPages| +|Storm-1113|DEV-1113|Financially motivated|| +|Storm-1133||Palestinian Authority|| +|Storm-1152||Financially motivated|| +|Storm-1167|DEV-1167|Indonesia|| +|Storm-1283||Group in development|| +|Storm-1286||Group in development|| +|Storm-1295|DEV-1295|Group in development|Greatness| +|Storm-1567||Financially motivated|Akira| +|Storm-1575||Group in development|Dadsec| +|Storm-1674||Financially motivated|| +|Strawberry Tempest|DEV-0537|Financially motivated|LAPSUS$| +|Sunglow Blizzard|DEV-0665|Russia|| +|Tomato Tempest|SPURR|Financially motivated|Vatet| +|Vanilla Tempest|DEV-0832|Financially motivated|| +|Velvet Tempest|DEV-0504|Financially motivated|| +|Violet Typhoon|ZIRCONIUM|China|APT31| +|[Volt Typhoon](https://www.microsoft.com/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques)||China|BRONZE SILHOUETTE, VANGUARD PANDA| +|Wine Tempest|PARINACOTA|Financially motivated|Wadhrama| +|Wisteria Tsunami|DEV-0605|Private sector offensive actor|CyberRoot| +|Zigzag Hail|DUBNIUM|South Korea|Dark Hotel, Tapaoux| Read our announcement about the new taxonomy for more information: [https://aka.ms/threatactorsblog](https://aka.ms/threatactorsblog) |
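Review bot: In the merged table the Storm-0971 row puts "(Merged into Octo Tempest)" in the *Other names* column, which is a status note rather than an alias; move it to a footnote, or record the old designation on the Octo Tempest row. The table is now keyed by the current name and many rows have an empty *Previous name* cell, yet the sentence introducing it still says it shows how "previously publicly disclosed old threat actor names translate to our new taxonomy", so that lead-in needs updating. The "nex taxonomy" typo in the opening paragraph is also left in place.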
security | Advanced Delivery Policy Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/advanced-delivery-policy-configure.md | Messages that are identified by the advanced delivery policy aren't security thr - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md) and [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Create, modify, or remove configured settings in the advanced delivery policy_: Membership in the **Security Administrator** role groups in Email & collaboration RBAC <u>and</u> membership in the **Organization Management** role group in Exchange Online RBAC. - _Read-only access to the advanced delivery policy_: Membership in the **Global Reader** or **Security Reader** role groups in Email & collaboration RBAC. |
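Review bot: The added Unified RBAC bullet offers "Core Security settings (manage)" or "Core Security settings (read)" without saying which one each task needs, while the Email & collaboration bullet right below it separates "Create, modify, or remove configured settings" from "Read-only access". Map the two permissions to those tasks the same way, and hyphenate "role-based access control" in the link text.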
security | Alert Policies Defender Portal | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/alert-policies-defender-portal.md | In Microsoft 365 organizations with mailboxes in Exchange Online, alert policies ## What do you need to know before you begin? - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations\Security data\Alerts (manage)** and **Security operations\Security data\ Security data basics (read)**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): - _Create and manage alert policies in the Threat management category_: Membership in the **Organization Management** or **Security Administrator** role groups. - _View alerts in the Threat management_ category: Membership in the **Security Reader** role group. |
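Review bot: The permission paths in the added bullet use backslashes and contain a stray space, as in `**Security operations\Security data\ Security data basics (read)**`, whereas the Unified RBAC bullets added to the other articles in this change set write the path with forward slashes. Use one separator and remove the space. The bullet also requires both permissions with "and" but does not say which of the two tasks listed below it (create and manage alert policies, view alerts) each one covers.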
security | Anti Malware Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-policies-configure.md | description: Admins can learn how to view, create, modify, and remove anti-malwa Previously updated : 9/26/2023 Last updated : 11/2/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> You can configure anti-malware policies in the Microsoft Defender portal or in P - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups. |
security | Anti Phishing Mdo Impersonation Insight | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-mdo-impersonation-insight.md | Admins can use the impersonation insight in the Microsoft Defender portal to qui - You open the Microsoft Defender portal at <https://security.microsoft.com>. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>. To go directly to the **Impersonation insight** page, use <https://security.microsoft.com/impersonationinsight>. - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in any of the following role groups: - **Organization Management** - **Security Administrator** |
security | Anti Phishing Policies Eop Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-eop-configure.md | description: Admins can learn how to create, modify, and delete the anti-phishin search.appverid: met150 Previously updated : 9/19/2023 Last updated : 11/2/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> For anti-phishing policy procedures in organizations with Microsoft Defender for - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups. |
security | Anti Phishing Policies Mdo Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure.md | description: Admins can learn how to create, modify, and delete the advanced ant search.appverid: met150 Previously updated : 9/19/2023 Last updated : 11/2/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> For anti-phishing policy procedures in organizations without Defender for Office - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups. |
security | Anti Spam Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-policies-configure.md | You can configure anti-spam policies in the Microsoft Defender portal or in Powe - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups. |
security | Anti Spoofing Spoof Intelligence | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spoofing-spoof-intelligence.md | The rest of this article explains how to use the spoof intelligence insight in t - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Allow or block spoofed senders or turn on or turn off spoof intelligence_: Membership in one of the following role groups: - **Organization Management** |
security | Attack Simulation Training Get Started | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-get-started.md | Watch this short video to learn more about Attack simulation training. <sup>\*</sup> Adding users to this role in [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md) is currently unsupported. + Currently, [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) isn't supported. + - There are no corresponding PowerShell cmdlets for Attack simulation training. - Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information, see [Microsoft 365 data locations](/microsoft-365/enterprise/o365-data-locations). Attack simulation training is available in the following regions: APC, EUR, and NAM. Countries within these regions where Attack simulation training is available include ARE, AUS, BRA, CAN, CHE, DEU, FRA, GBR, IND, JPN, KOR, LAM, NOR, POL, QAT, SGP, SWE, and ZAF. |
security | Audit Log Search Defender Portal | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/audit-log-search-defender-portal.md | In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E ## What do you need to know before you begin? - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations \ Security data \ Security data basics (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): Membership in the **Organization Management** or **Compliance Management** role groups. - [Azure AD permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Compliance Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. |
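Review bot: the added Unified RBAC bullet writes the permission path with backslash separators (**Security operations \ Security data \ Security data basics (read)**), while the other articles in this change set write these paths with forward slashes; pick one separator so the paths can be searched and compared across articles. The unchanged bullet that follows still says "Azure AD permissions" where the priority account protection article in this set says "Microsoft Entra permissions", so it is worth renaming in the same pass.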
security | Campaigns | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/campaigns.md | A campaign might be short-lived, or could span several days, weeks, or months wi - The campaigns feature is available in organizations with Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5). - You need to be assigned permissions to view information about campaigns as described in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Raw data (email & collaboration)/Email message headers (read)**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in any of the following role groups: - **Organization Management** - **Security Administrator** |
security | Configuration Analyzer For Security Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies.md | The Standard and Strict policy setting values that are used as baselines are des - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): - _Use the configuration analyzer and update the affected security policies_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to the configuration analyzer_: Membership in the **Global Reader** or **Security Reader** role groups. |
security | Connection Filter Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connection-filter-policies-configure.md | This article describes how to configure the default connection filter policy in - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Modify policies_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups. |
security | Connectors Remove Blocked | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connectors-remove-blocked.md | For more information about compromised _user accounts_ and how to remove them fr - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Detection tuning (manage)** or **Authorization and settings/Security settings/Core security settings (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Remove connectors from the Restricted entities page_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to the Restricted entities page_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups. |
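Review bot: in the added Unified RBAC bullet, the manage permission is **Detection tuning (manage)** but the read permission is **Core security settings (read)**, so the two halves of one sentence point at different permission groups, and the sibling article on restoring restricted users lists **Core Security settings (manage)** for the same Restricted entities page. Confirm which permission actually governs removing a connector and align the two articles, or state why they differ; also match the "Core Security settings" capitalization used in the other rows.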
security | Email Authentication Arc Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-arc-configure.md | When an admin adds a trusted ARC sealer, Microsoft 365 validates and trusts the - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): Membership in the **Organization Management** or **Security Administrator** role groups. - [Azure AD permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. |
security | Mdo Email Entity Page | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-email-entity-page.md | Here are some helpful specifics to get started. Admins can preview and download emails in Cloud mailboxes, ***if*** the mails are still accessible to Microsoft in an Exchange Online mailbox. In case of a soft delete (by an admin, or user), or ZAP (to quarantine), the emails are no longer present in the Exchange Online mailbox. In that case, admins won't be able to preview or download those specific emails. Emails that were dropped, or where delivery failed, never made it into the mailbox and as a result, admins won't be able to preview or download those emails either. -> [!WARNING] -> Previewing and downloading emails requires a special role called **Preview**. You can add this role in the Microsoft Defender portal as described in [Email & collaboration roles in the Microsoft Defender portal](mdo-portal-permissions.md#email--collaboration-roles-in-the-microsoft-365-defender-portal). You might need to create a new **Email & collaboration** role group there and add the **Preview** role to that new role group or add the **Preview** role to a role group that allows admins in your organization to work in **Explorer**. +> [!IMPORTANT] +> Previewing and downloading emails requires a special role called **Preview**. You can assign this role in the following locations: +> +> - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Raw data (email & collaboration)/Email content (read)**. +> - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Data Investigator** or **eDiscovery Manager** role groups. 
Or, you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) and add the **Preview** role to it. ### Detonation details |
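Review bot: the rewritten alert says the **Preview** role can be assigned "in the following locations", but the first bullet is a Unified RBAC permission (**Email content (read)**) rather than the Preview role, and the second bullet names the **Data Investigator** and **eDiscovery Manager** role groups without saying that they carry Preview. Suggest a lead sentence along the lines of "requires the Preview role or the equivalent Unified RBAC permission" and a short clause on the second bullet stating that those role groups include the role, so readers do not go looking for a Preview role inside Unified RBAC.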
security | Outbound Spam Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md | You can configure outbound spam policies in the Microsoft Defender portal or in - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups. |
security | Outbound Spam Restore Restricted Users | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-restore-restricted-users.md | For more information about compromised _connectors_ and how to remove them from - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Remove user accounts from the Restricted entities page_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to the Restricted entities page_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups. |
security | Preset Security Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md | The rest of this article how to configure preset security policies. - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Configure preset security policies_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to preset security policies_: Membership in the **Global Reader** role group. |
security | Priority Accounts Turn On Priority Account Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/priority-accounts-turn-on-priority-account-protection.md | This article describes how to confirm that priority account protection is turned - You open the Microsoft Defender portal at <https://security.microsoft.com>. - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/System settings/Read and manage** or **Authorization and settings/System settings/Read-only**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): Membership in the **Organization Management** or **Security Administrator** role groups. - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. |
security | Quarantine Admin Manage Messages Files | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files.md | Watch this short video to learn how to manage quarantined messages as an admin. - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security Data / email quarantine (manage)** (management via PowerShell). - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Global Administrator**, **Security Administrator**, or **Quarantine Administrator** role group. - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership these roles gives users the required permissions _and_ permissions for other features in Microsoft 365: - _Take action on quarantined messages for all users_: Membership in the **Global Administrator** or **Security Administrator** roles. |
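Review bot: the added Unified RBAC bullet contradicts itself: it opens with "(Affects the Defender portal only, not PowerShell)" and ends with "(management via PowerShell)". One of the two parentheticals has to go or be reworded to say what still requires Exchange Online permissions. The permission is also written as **Security Data / email quarantine (manage)**, without the top-level group and with a different separator and capitalization than the full paths used in the other articles; give the full path in the same form.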
security | Quarantine Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md | You create and assign quarantine policies in the Microsoft Defender portal or in - How long messages that were quarantined by anti-spam and anti-phishing protection are held before they expire is controlled by the **Retain spam in quarantine for this many days** (_QuarantineRetentionPeriod_) in anti-spam policies. For more information, see the table in [Quarantine retention](quarantine-about.md#quarantine-retention). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in any of the following role groups: - **Organization Management** - **Security Administrator** |
security | Real Time Detections | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/real-time-detections.md | This article explains the difference between Threat Explorer and real-time detec If your organization has [Microsoft Defender for Office 365](defender-for-office-365.md), and you have the [permissions](#required-licenses-and-permissions), you can use **Explorer** (also known as **Threat Explorer**) or **Real-time detections** to detect and remediate threats. -In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration**, and then choose **Explorer** *or* **Real-time detections**. To go directly to the page, use <https://security.microsoft.com/threatexplorer> or <https://security.microsoft.com/realtimereports>. +In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration**, and then choose **Explorer** _or_ **Real-time detections**. To go directly to the page, use <https://security.microsoft.com/threatexplorer> or <https://security.microsoft.com/realtimereports>. With these tools, you can: For more information, see [Email security with Explorer](email-security-in-micro ## Differences between Explorer and Real-time detections -- *Real-time detections* is a reporting tool available in Defender for Office 365 Plan 1. *Threat Explorer* is a threat hunting and remediation tool available in Defender for Office 365 Plan 2.+- _Real-time detections_ is a reporting tool available in Defender for Office 365 Plan 1. _Threat Explorer_ is a threat hunting and remediation tool available in Defender for Office 365 Plan 2. - The Real-time detections report allows you to view detections in real time. 
Threat Explorer does this as well, but it provides additional details for a given attack, such as highlighting attack campaigns, and gives security operations teams the ability to remediate threats (including triggering an [Automated Investigation and Response investigation](air-about-office.md).-- An *All email* view is available in Threat Explorer, but not included in the Real-time detections report.+- An **All email** view is available in Threat Explorer, but not included in the Real-time detections report. - Rich filtering capabilities and remediation actions are included in Threat Explorer. For more information, see [Microsoft Defender for Office 365 Service Description: Feature availability across Defender for Office 365 plans](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#feature-availability-across-advanced-threat-protection-atp-plans). ## Updated experience for Explorer and Real-time detections The experience for Threat Explorer and Real-time detections is updated to align Threat Explorer and Real-time detections are divided into the following views: -- *All email*: Shows all email analyzed by Defender for office 365 and contains both good and malicious emails. This feature is only present in Threat Explorer and isn't available for Real-time detections. By default, it's set to show data for two days, which can be expanded up to 30 days. This is also the default view for Threat Explorer.+- **All email**: Shows all email analyzed by Defender for office 365 and contains both good and malicious emails. This feature is only present in Threat Explorer and isn't available for Real-time detections. By default, it's set to show data for two days, which can be expanded up to 30 days. This is also the default view for Threat Explorer. -- *Malware view*: Shows emails on which a malware threat was identified. 
This is the default view for Real-time detections, and shows data for two days (can be expanded to 30 days).+- **Malware view**: Shows emails on which a malware threat was identified. This is the default view for Real-time detections, and shows data for two days (can be expanded to 30 days). -- *Phish view*: Shows emails on which a phish threat was identified.+- **Phish view**: Shows emails on which a phish threat was identified. -- *Content malware view*: Shows malicious detections identified in files shared through OneDrive, SharePoint, or Teams.+- **Content malware view**: Shows malicious detections identified in files shared through OneDrive, SharePoint, or Teams. Here are the common components within these experiences: Here are the common components within these experiences: - You can also customize your columns to add or remove columns to optimize your view. > [!NOTE]- > You can toggle between the *Chart View* and the *List View* to maximize your result set. + > You can toggle between the **Chart view** and the **List view** to maximize your result set. :::image type="content" source="../../media/explorer-new-experience-list-chart-view.png" alt-text="Screenshot showing viewing chart data." lightbox="../../media/explorer-new-experience-list-chart-view.png"::: Here are the common components within these experiences: - Actions - - From Threat Explorer, you can trigger remediation actions like *Delete an email*. For more information on remediation, remediation limits, and tracking remediation see [Remediate malicious email](remediate-malicious-email-delivered-office-365.md). + - From Threat Explorer, you can trigger remediation actions like **Delete an email**. For more information on remediation, remediation limits, and tracking remediation see [Remediate malicious email](remediate-malicious-email-delivered-office-365.md). 
- Export Here are the common components within these experiences: :::image type="content" source="../../media/explorer-new-experience-export-chart-data.png" alt-text="Screenshot showing exporting chart data." lightbox="../../media/explorer-new-experience-export-chart-data.png"::: -In addition to these features, you'll also get updated experiences like *Top URLs*, *Top clicks*, *Top targeted users*, and *Email origin*. *Top URLs*, *Top clicks*, and *Top targeted users* can be further filtered based on the filter that you apply within Explorer. +In addition to these features, you'll also get updated experiences like **Top URLs**, **Top clicks**, **Top targeted users**, and **Email origin**. **Top URLs**, **Top clicks**, and **Top targeted users** can be further filtered based on the filter that you apply within Explorer. ### Exporting data Threat Explorer and Real-time detections now allows users to export additional d ## Required licenses and permissions -You must have [Microsoft Defender for Office 365](defender-for-office-365.md) to use either of Explorer or Real-time detections: +You need [Microsoft Defender for Office 365](defender-for-office-365.md) to use either of Explorer or Real-time detections (included in your subscription or purchased as an add-on): - Explorer is only included in Defender for Office 365 Plan 2. - The Real-time detections report is included in Defender for Office 365 Plan 1. Security Operations teams need to assign licenses for all users who should be protected by Defender for Office 365 and be aware that Explorer and Real-time detections show detection data for licensed users. 
-To view and use Explorer *or* Real-time detections, you need the following permissions: --- In Defender for Office 365:- - Organization Management - - Security Administrator (this can be assigned in the Microsoft Entra admin center) (<https://aad.portal.azure.com>) - - Security Reader -- In Exchange Online:- - Organization Management - - View-Only Organization Management - - View-Only Recipients - - Compliance Management --To learn more about roles and permissions, see the following articles: --- [Permissions in the Microsoft Defender portal](mdo-portal-permissions.md)-- [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo)+To view and use Explorer or Real-time detections, you need to be assigned permissions. You have the following options: ++- [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): + - _Read access for email and Teams message headers_: **Security operations/Raw data (email & collaboration)/Email message headers (read)**. + - _Preview and download email messages_: **Security operations/Raw data (email & collaboration)/Email content (read)**. + - _Remediate malicious email_: **Security operations/Security data/Email advanced actions (manage)**. +- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): + - _Full access_: Membership in the **Organization Management** or **Security Administrator** role groups. + - _Preview and download messages_: Membership in the **Preview** role group. + - _Read-only access_: Membership in the **Security Reader** role group. +- [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): + - _Full access_: Membership in the **Organization Management** or **Compliance Management** role groups. + - _Read-only access_: Membership in the **View-Only Organization Management** or **View-Only Recipients** role groups. 
+- [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. ## More information |
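Review bot: in the new permissions list, "_Preview and download messages_: Membership in the **Preview** role group" treats Preview as a role group, whereas the email entity page change in this same set describes **Preview** as a role that is held through the **Data Investigator** or **eDiscovery Manager** role groups or a newly created one. Name those role groups here, or say "a role group that includes the Preview role", so the two articles agree. The retitled **All email** bullet also still reads "Defender for office 365"; capitalize "Office" while the line is being touched.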
security | Remediate Malicious Email Delivered Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/remediate-malicious-email-delivered-office-365.md | search.appverid: MET150 description: Threat remediation Previously updated : 6/19/2023 Last updated : 1/16/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison" target="_blank">Microsoft Defender for Office 365 plan 2</a> appliesto: Remediation means to take a prescribed action against a threat. Malicious email sent to your organization can be cleaned up either by the system, through zero-hour auto purge (ZAP), or by security teams through remediation actions like *move to inbox*, *move to junk*, *move to deleted items*, *soft delete*, or *hard delete*. Microsoft Defender for Office 365 Plan 2/E5 enables security teams to remediate threats in email and collaboration functionality through manual and automated investigation. -> [!NOTE] -> To remediate malicious email, security teams need the *Search and Purge* role assigned to them. Role assignment is done through [permissions in the Microsoft Defender portal](mdo-portal-permissions.md). - ## What you need to know before you begin -Admins can take required action on emails, but to get those actions approved, they must have the *Search and Purge* role assigned to them in the **Email & collaboration** permissions in the Microsoft Defender portal. Without the *Search and purge"*role added to one of the role-groups, they won't be able to execute the action. +- You need to be assigned permissions before you can do the procedures in this article. Admins can take the required action on email messages, but the **Search and Purge** role is required to get those actions approved. 
To assign the **Search and Purge** role, you have the following options: + - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Security data/Email advanced actions (manage)**. + - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Organization Management** or **Data Investigator** role groups. Or, you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) and add the **Search and Purge** role to it. -Because email actions create automated investigations in the backend, you need to enable *Automated Investigation*. Go to **Settings** \> **Endpoints** \> **Advanced features** and turn on **Automated Investigation**. +- Verify **Automated Investigation** is turned on at <https://security.microsoft.com/securitysettings/endpoints/integration>. ## Manual and automated remediation |
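Review bot: the rewritten prerequisites drop two facts that the removed lines carried: that without the Search and Purge role the action can't be executed, and that Automated Investigation must be on because email actions create automated investigations in the backend. The new bullet "Verify **Automated Investigation** is turned on at ..." gives the setting without the reason. Consider keeping one clause of rationale for each, so an admin whose remediation action fails can tell which prerequisite is missing.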
security | Reports Email Security | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-email-security.md | On the **User reported messages** page, the :::image type="icon" source="../../m You need to be assigned permissions before you can view and use the reports that are described in this article. You have the following options: +- [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/System settings/manage** or **Security operations/Security data/Read-only**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in any of the following role groups: - **Organization Management**<sup>\*</sup> - **Security Administrator** |
security | Safe Attachments Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-policies-configure.md | description: Learn about how to define Safe Attachments policies to protect your Previously updated : 9/19/2023 Last updated : 11/2/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> You configure Safe Attachments policies in the Microsoft Defender portal or in E - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md) and [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Create, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups in Email & collaboration RBAC <u>and</u> membership in the **Organization Management** role group in Exchange Online RBAC. - _Read-only access to policies_: Membership in one of the following role groups: |
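Review bot: in the added Unified RBAC bullet, **Core Security settings (manage)** and **Core Security settings (read)** are joined with "or" under "before you can do the procedures in this article", with no statement of which procedures each one allows. The Email & collaboration bullets just below split _Create, modify, and delete policies_ from _Read-only access to policies_. Labelling the two Unified RBAC permissions the same way would keep readers from assuming read access is enough to change a policy, or from assigning manage where read would do.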
security | Safe Documents In E5 Plus Security About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-documents-in-e5-plus-security-about.md | Users don't need Defender for Endpoint installed on their local devices to get S - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Configure Safe Documents settings_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Read-only access to Safe Documents settings_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups. |
security | Safe Links Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-policies-configure.md | You configure Safe Links policies in the Microsoft Defender portal or in Exchang - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md) and [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Create, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups in Email & collaboration RBAC <u>and</u> membership in the **Organization Management** role group in Exchange Online RBAC. - _Read-only access to policies_: Membership in one of the following role groups: |
security | Submissions Admin Review User Reported Messages | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin-review-user-reported-messages.md | Admins can mark messages and notify users of review results only if the user [re So, submitting or resubmitting messages to Microsoft is useful to admins only for messages that have never been submitted to Microsoft, or when you disagree with the original verdict. - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/System settings/manage** or **Authorization and settings/System settings/Read-only**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Organization Management** or **Security Administrator** role groups. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): Membership in the **Organization Management** role group. - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. |
security | Submissions Admin | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin.md | For other ways that **admins** can report messages to Microsoft in the Defender - You open the Microsoft Defender portal at <https://security.microsoft.com/>. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>. - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Security data/Response (manage)** or **Security operations/Security data/Read-only**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Security Administrator** or **Security Reader** role groups. - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Security Administrator** or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. |
security | Submissions User Reported Messages Custom Mailbox | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-user-reported-messages-custom-mailbox.md | After you verify that the reporting mailbox meets all of these requirements, use - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Security data/Response (manage)** or **Security operations/Security data/Read-only**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Organization Management** or **Security Administrator** role groups. - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. |
security | Submissions Users Report Message Add In Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-users-report-message-add-in-configure.md | After the add-in is installed and enabled, users see the following icons based o ## What do you need to know before you begin? - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Security data/Response (manage)** or **Security operations/Security data/Read-only**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Organization Management** role group. - [Exchange Online permissions](/Exchange/permissions-exo/permissions-exo): Membership in the **Organization Management** role group. - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** role gives users the required permissions _and_ permissions for other features in Microsoft 365. |
security | Tenant Allow Block List Email Spoof Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure.md | This article describes how admins can manage entries for email senders in the Mi - An entry should be active within 5 minutes. - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Detection tuning (manage)** or **Authorization and settings/Security settings/Core security settings (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Add and remove entries from the Tenant Allow/Block List_: Membership in one of the following role groups: - **Organization Management** or **Security Administrator** (Security admin role). |
security | Tenant Allow Block List Files Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-files-configure.md | This article describes how admins can manage entries for files in the Microsoft - An entry should be active within 5 minutes. - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Detection tuning (manage)** or **Authorization and settings/Security settings/Core security settings (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - _Add and remove entries from the Tenant Allow/Block List_: Membership in one of the following role groups: - **Organization Management** or **Security Administrator** (Security admin role). |
security | Tenant Allow Block List Urls Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-urls-configure.md | This article describes how admins can manage entries for URLs in the Microsoft D - An entry should be active within 5 minutes. - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/System settings/manage** or **Authorization and settings/Security settings/Read-only**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - *Add and remove entries from the Tenant Allow/Block List*: Membership in one of the following role groups: - **Organization Management** or **Security Administrator** (Security admin role). |
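Review bot: the added Unified RBAC bullet for URL entries names **Authorization and settings/System settings/manage** or **Authorization and settings/Security settings/Read-only**, while the same bullet added to the Tenant Allow/Block List email spoof and files articles names **Authorization and settings/Security settings/Detection tuning (manage)** or **Authorization and settings/Security settings/Core security settings (read)**. The three articles otherwise share their prerequisites, and "Security settings/Read-only" appears nowhere else in the lines shown here. Please confirm which permissions apply to URL entries and align the three bullets, so admins aren't pointed at the wrong permission for this one list.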
security | User Tags About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-tags-about.md | f1.keywords: Previously updated : 6/20/2023 Last updated : 11/2/2023 audience: ITPro ms.localizationpriority: medium To see how user tags are part of the strategy to help protect high-impact user a - You open the Microsoft Defender portal at <https://security.microsoft.com>. To go directly to the **User tags** page, use <https://security.microsoft.com/securitysettings/userTags>. - You need to be assigned permissions before you can do the procedures in this article. You have the following options:+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/System settings/manage** or **Authorization and settings/System settings/Read-only**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): - _Create, modify, and delete custom user tags_: Membership in the **Organization Management** or **Security Administrator** role groups. - _Apply and remove the Priority account tag from users_: Membership in the **Security Administrator** and **Exchange Admin** role groups. |
syntex | Accessibility Mode | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/accessibility-mode.md | |
syntex | Content Assembly | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/content-assembly.md | |
syntex | Create Local Model | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/create-local-model.md | |
syntex | Esignature Troubleshoot | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-troubleshoot.md | -description: Learn how to use Microsoft SharePoint eSignature to create and send electronic signature requests to people inside and outside of your organization. +description: Learn how to troubleshoot issues with sending, receiving, or viewing requests in Microsoft SharePoint eSignature. # Troubleshoot a signature request for Microsoft SharePoint eSignature description: Learn how to use Microsoft SharePoint eSignature to create and send If you aren't able to create a signature request, check the PDF viewer settings, the collaboration settings, or the access policies. -### PDF settings from the PDF viewer +### Default program for PDF viewing -The PDF viewer is opened by selecting a PDF file from SharePoint Online. The ability to request signatures won't be available if the PDF is viewed in any other way (for example, in Microsoft Edge). If PDF files are opened in any other way, the **Get signatures** option isn't available. +The PDF viewer is opened by selecting a PDF file from SharePoint Online. The ability to use the **Get signatures** option won't be available if the PDF is viewed in any other way, for example, in Microsoft Edge or Adobe Reader. ### Collaboration settings |
syntex | Freeform Document Processing Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/freeform-document-processing-overview.md | |
syntex | Learn About Document Understanding Models Through The Sample Model | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/learn-about-document-understanding-models-through-the-sample-model.md | |
syntex | Model Discovery | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/model-discovery.md | |
syntex | Model Usage Analytics | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/model-usage-analytics.md | |
syntex | Prebuilt Model Invoice | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/prebuilt-model-invoice.md | |
syntex | Prebuilt Model Receipt | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/prebuilt-model-receipt.md | |
syntex | Push Content Type To Hub | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/push-content-type-to-hub.md | Title: Push content types to a hub Previously updated : 01/14/2023 Last updated : 01/14/2024 audience: admin |
syntex | Skos Format Reference | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/skos-format-reference.md | |
syntex | Term Store Analytics | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/term-store-analytics.md | |
syntex | Use Content Center Site | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/use-content-center-site.md | |
topics | Get Started With Viva Topics | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/topics/get-started-with-viva-topics.md | Topics empowers you to: ## Discover important topics highlighted in related content -As you read content stored in Microsoft 365, topics will be highlighted inline. When you hover over the topic name, youΓÇÖll see more information shown in a topic card. You might see a prompt to provide feedback on topic cards and topic pages. When you give feedback on topics, you improve the experience for yourself and others. +As you read content stored in select Microsoft 365 experiences, such as SharePoint, topics will be highlighted inline. When you hover over the topic name, youΓÇÖll see more information shown in a topic card. You might see a prompt to provide feedback on topic cards and topic pages. When you give feedback on topics, you improve the experience for yourself and others. ++>[!NOTE] +>Inline highlights aren't available for all Microsoft 365 experiences. You won't currently see inline highlights in Teams. Topics will introduce topic highlights gradually across the service. At first, youΓÇÖll see highlights in SharePoint news and pages. |
topics | Restrict Access To Topics | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/topics/restrict-access-to-topics.md | Knowledge admins can also [select who can view topics in your organization](./ma ## Remove topics from being viewed -Knowledge managers can choose to [remove topics](./manage-topics.md) so that users can no longer see them. On the **Manage topics** page in the topic center, knowledge managers can choose to reject specific topics to prevent them from being viewed. Topics can be removed regardless if they are in a suggested or confirmed state. +Knowledge managers can choose to [remove topics](./manage-topics.md) so that users can no longer see them. On the **Manage topics** page in the topic center, knowledge managers can choose to remove specific topics to prevent them from being viewed. Topics can be removed regardless of if they are in a suggested, confirmed, or published state. Removed topics can later be added back as viewable topics if needed. |
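Review bot: in the added sentence "Topics can be removed regardless of if they are in a suggested, confirmed, or published state", the phrase "regardless of if" reads awkwardly. Suggest "regardless of whether they're in a suggested, confirmed, or published state".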
topics | Save Topic As Draft | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/topics/save-topic-as-draft.md | You can save as a draft a new topic or a revised topic that you're working on, b ![Screenshot showing the save as draft option.](../media/knowledge-management/draft-save-as-draft.png) -4. Select **Publish** to save your changes. After you publish the page, the topic name, alternate name description, and pinned people will display to users who can view the topic. Specific files, pages, and sites will only appear on the topic page, if the viewer has permissions to the topic. +4. Select **Publish** to save your changes. After you publish the page, the topic name, alternate name description, and pinned people will display to users who can view the topic. Specific files, pages, and sites will only appear on the topic page, if the viewer has access to them. ## Save a revised topic as a draft |
topics | Search | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/topics/search.md | The topic answer will display: - Topic name - Alternate names: Alternate names or acronyms for the topic. - Definition: Description of the topic provided by AI or manually added by a person.-- Suggested or Pinned people: People suggested by AI or pinned to the topic by a person-- Suggested or Pinned resources: Files, pages, or sites either suggested by AI or pinned to the topic by a person.+- Suggested or Confirmed people: People suggested by AI or added to the topic by a person +- Suggested or Confirmed resources: Files, pages, or sites either suggested by AI or added to the topic by a person. ![Screenshot of a topic showing up in Search.](../media/knowledge-management/search-topic-answer.png) |
topics | Topic Center Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/topics/topic-center-overview.md | On the topic center home page, you can see the topics in your organization to wh Once a user confirms their connection to a topic, the user can make edits to the topic page to curate their connection. For example, they can provide more information about their connection to the topic. +>[!NOTE] +>Users need to have edit permissions to make edits to topic pages. + ## Manage topics page -To work on the **Manage topics** page of topic center, you need to have the required Manage topics permissions needed for the knowledge manager role. Your admin can assign these permissions to users during [Topics setup](set-up-topic-experiences.md), or new users can be [added afterwards](manage-topic-visibility.md) by an admin through the Microsoft 365 admin center. +To work on the **Manage topics** page of the topic center, you need to have permissions to manage topics. Your admin can assign these permissions to users during [Topics setup](set-up-topic-experiences.md), or new users can be [added afterwards](manage-topic-visibility.md) by an admin through the Microsoft 365 admin center. -On the **Manage topics** page, the topic dashboard shows all the topics, you have access to, that were identified from your specified source locations. Each topic will show the date the topic was discovered. A user who was assigned Manage topics permissions can review the unconfirmed topics and choose to: +On the **Manage topics** page, the topic dashboard shows all the topics, you have access to that were identified from the source locations specified when you set up Topics. Each topic will show the date the topic was discovered. 
A user who was assigned Manage topics permissions can review the unconfirmed topics and choose to: -- Confirm the topic: Indicates to users that an AI-suggested topic has been validated by a human curator.+- Confirm the topic: Indicates to users that an AI-suggested topic has been validated by a human as a relevant topic for the organization. -- Publish the topic: Edit the topic information to improve the quality of the topic that was initially identified, and highlights the topic to all users who have view access to topics.+- Publish the topic: Edit the topic information to improve the quality of the topic that was initially identified, and enable all Topics users in the organization to access the topic. Note that users will only see content on the topic that their permissions give them access to. -- Remove the topic: Makes the topic undiscoverable to end users. The topic is moved to the **Removed** tab and can be confirmed later if needed.+- Remove the topic: Makes the topic undiscoverable to end users. The topic is moved to the **Removed** tab and can be confirmed later if needed. Note that removing a topic doesn't delete it. For more information about how to manage topics on the **Manage topics** page, see [Manage topics](manage-topics.md). For more information about how to manage topics on the **Manage topics** page, s If you have Create and edit topics permissions, you can: -- [Edit existing topics](edit-a-topic.md): You can make changes to existing topic pages that were created through discovery.+- [Edit existing topics](edit-a-topic.md): You can make changes to existing topic pages that were created through discovery or created by other users. - [Create new topics](create-a-topic.md): You can create new topics for ones that weren't found through discovery, or if AI tools didn't find enough evidence to create a topic. |
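Review bot: the added sentence "the topic dashboard shows all the topics, you have access to that were identified from the source locations specified when you set up Topics" keeps the comma after "topics" from the removed line but drops the closing one, so it no longer parses. Suggest "shows all the topics that you have access to and that were identified from the source locations specified when you set up Topics".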
topics | Topic Experiences Security Privacy | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/topics/topic-experiences-security-privacy.md | description: Learn how to plan for security and privacy in Topics. Topics uses existing content security features in Microsoft 365, along with administrative controls, to control what AI-generated content is shown to users in your organization. It is the combination of Microsoft 365 security settings (permissions to sites, files, and folders) and Topics admin settings that determine what a given user can see in topics. -Setting up Topics does not modify any existing access controls on content in your organization. Users will only see what they already have access to. +Setting up Topics does not modify any existing access controls on content in your organization. Users can only see what they already have access to. ++>[!NOTE] +>Users might not see everything that the previously mentioned settings allow them to. [Topic scores](manage-topics.md#topic-scores) and [topic status](manage-topics.md#topic-status) also determine what users see. This article describes how Topics works from a security perspective and the options that administrators and knowledge managers have to control topic visibility. Read this article as part of your [planning for Topics](plan-topic-experiences.md). You should be familiar with [what Topics is](topic-experiences-overview.md), the To see topics, a user must: - Have a license that includes Topics-- Be a [topic viewer](manage-topic-visibility.md#change-who-can-see-topics-in-your-organization), [contributor, or knowledge manager](topic-experiences-user-permissions.md)+- Have permissions to [view topics](manage-topic-visibility.md#change-who-can-see-topics-in-your-organization), [or create, contribute to, or manage topics](topic-experiences-user-permissions.md). -These two things give users view access to the topic center and allow them to see highlights and topic cards. 
+These two things give users view access to the topic center and allow them to see topic experiences in Microsoft 365. Topic contributors additionally have [create and edit](topic-experiences-user-permissions.md) permissions for topics, and knowledge managers can confirm or remove topics. |
topics | Topic Experiences Topic Contributors | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/topics/topic-experiences-topic-contributors.md | description: Learn how to contribute to topics in Topics # Topic contributors: Share knowledge and expertise in Topics -[Topics](topic-experiences-overview.md) helps organizations make knowledge and expertise accessible to all employees. It’s like Wikipedia for organizations, but [artificial intelligence (AI) develops the first draft](topic-experiences-discovery-curation.md) and subject matter experts edit the information to add their unique knowledge and expertise. Topics then makes the knowledge available to colleagues and leaders at the time of need, and in the flow of their work. In this article we review how to: +[Topics](topic-experiences-overview.md) helps organizations make knowledge and expertise accessible to all employees. It’s like Wikipedia for organizations, but [artificial intelligence (AI) develops the first draft](topic-experiences-discovery-curation.md) and subject matter experts edit the information to add their unique knowledge. Topics then makes the knowledge available to colleagues and leaders at the time of need, and in the flow of their work. In this article we review how to: - [Showcase knowledge and expertise with Topics](#showcase-knowledge-and-expertise-with-topics) Topics uses AI to help organize an organization’s knowledge into shared topics The AI not only organizes knowledge into topics, it also automatically creates a suggested topic page for each. To take the knowledge base to the next level, people can easily add their tacit knowledge, provide unique insights, or generally improve the quality of the topic. -When the context is appropriate, Topics will suggest topics to be highlighted on all modern SharePoint site pages in a tenant. The topic can also be directly referenced on the modern SharePoint site page by a page author using a hashtag. 
Page authors can invoke the topic picker on a modern SharePoint page by adding a hashtag and then selecting the topic they’d like to include on the page. +When the context is appropriate, Topics will suggest topics to be highlighted on all modern SharePoint site pages in a tenant. The topic can also be directly referenced on the modern SharePoint site page by a page author using a hashtag. Page authors can invoke the topic picker on a modern SharePoint page by adding a hashtag and then selecting the topic they’d like to include on the page. Published topics appear for all page viewers, whereas Suggested and Confirmed topics only appear for viewers who have access to one of the topic's resources. ![Image showing reference topic on SharePoint using a hashtag.](../media/knowledge-management/topics-hashtag-reference-enduser.png) -When a user is curious to learn more about a topic, they can select the highlighted topic to view a **topic summary card** that provides a short description. And if they want to learn more, they can select the **Topic details** link in the summary to open the detailed topic page. Any edits made, along with appearances in the people and suggested files and pages properties of the topic, are properly attributed to the author. +When a user wants to learn more about a topic, they can select the highlighted topic to view a **topic summary card** that provides a short description. And if they want to learn more, they can select the **Topic details** link in the summary to open the detailed topic page. Any edits made to the topic, along with appearances in the people and suggested files and pages properties of the topic, are properly attributed to the author. 
![Image showing topic summary card.](../media/knowledge-management/topic-summary-card-tc.png) Additionally, users will also be able to find topics through Microsoft Search an ## Contribute to relevant topics -There are multiple easy to find relevant topics in the organization to contribute towards: - 1. **Topic center**: The Topic center is the center of knowledge for the organization. It highlights the topics to which a user has a connection. There are two types of connections: - **Suggested connections** - You will see topics listed under ***We've listed you on these topics. Did we get it right?*** These are topics in which a user’s connection to the topic has been suggested through AI based on contributions made to related files or sites. The user is asked to confirm whether they should stay listed as a related person for the topic. By responding to the confirmation request, the user is making Topics better for themselves and the organization as a whole. + **Suggested connections** - You will see topics listed under ***We've listed you on these topics. Did we get it right?*** These are topics in which a user’s connection to the topic has been suggested through AI based on contributions made to related files or sites. The user is asked to confirm whether they should stay listed as a related person for the topic. By responding to the confirmation request, the user is making Topics better for themselves and the organization as a whole. ![Image showing suggested topics topic cards.](../media/knowledge-management/suggested-topics-enduser.png) - **Confirmed connections** - These are topics that users have pinned on the topic page or confirmed as a suggested connection to the topic. Topics will move from the suggested to confirmed section when they confirm a suggested connection. + **Confirmed connections** - These are topics that users have pinned on the topic page or confirmed as a suggested connection to the topic. 
Topics will move from the suggested to confirmed section when they confirm a suggested connection. ![Image showing confirmed connections topic cards.](../media/knowledge-management/topics-confirmed-connections-tc.png) There are multiple easy to find relevant topics in the organization to contribut ![Image showing editing button within the topic page.](../media/knowledge-management/topic-page-editing-tc-topics.png) -3. **Search**: If there's a specific topic to edit, the user can [search for it using Microsoft Search](search.md). If there's no existing topic in the tenant, a new topic can be created. +3. **Search**: If there's a specific topic to edit, the user can [search for it using Microsoft Search](search.md). If there's no existing topic in the tenant, a new topic can be created. ![Image showing topic being searched for in the search field in SharePoint with result.](../media/knowledge-management/search-for-topic-tc.png) Each topic contains a consistent set of AI generated properties that can be edit ![Image showing ai generated topic properties in a topic card.](../media/knowledge-management/ai-generated-topic-properties-km.png) -The properties are identified from the files and pages that are part of the evidence the AI gathered for identifying the topic. Alternate names and acronyms are sourced from these files and pages. The short description is sourced from these files and pages, or from the internet through Wikipedia. The source file, page, or Wikipedia article is referenced alongside the suggested properties. People are suggested based on their active contributions (for example, edits) to the files and pages. A reference to the number of contributions from a particular person provides a hint as to why the person has been identified. Files, pages, and sites are ranked based on whether they're central to the topic, or whether they can give an overview or introduction to the topic. 
+The properties are identified from the files and pages that are part of the evidence the AI gathered for identifying the topic. Alternate names and acronyms are sourced from these files and pages. The short description is sourced from these files and pages, or from the internet through Wikipedia. The source file, page, or Wikipedia article is referenced alongside the suggested properties. People are suggested based on their active contributions (for example, edits) to the files and pages. A reference to the number of contributions from a particular person provides a hint as to why the person has been identified. Files, pages, and sites are ranked based on whether they're central to the topic, or whether they can give an overview or introduction to the topic. It’s possible to improve the quality of topics in an organization by adding the correct alternate names and descriptions, recommending people, files, pages, and related topics relevant for others in the company to learn more about the topic. Editing or creating a topic is like editing or publishing a SharePoint page. Learn how to [edit an existing topic](edit-a-topic.md). If the AI didn't discover topics that are important to the organization, they can [create new topics](create-a-topic.md) in Topics. Users can [save a topic as draft](save-topic-as-draft.md) if they aren't ready to publish it. -> [!Note] -> While information in a topic that is gathered by AI is [security trimmed](topic-experiences-security-trimming.md), the topic description and people information manually added when editing an existing topic is visible to all users who have permissions to view topics. +> [!NOTE] +> While information in a topic that is gathered by AI is [security trimmed](topic-experiences-security-trimming.md), the topic name, alternate names, description, and confirmed people added or updated when editing an existing topic are visible to all users with permissions to view Topics. 
### Contribution guidance -To make contributions to Topics inclusive and helpful, keep in mind: +To make contributions to Topics inclusive and helpful, keep in mind: -- Contributions should avoid acronyms or other “insider” terms +- Contributions should avoid acronyms or other “insider” terms. -- Contributions should distinguish between facts and opinion +- Contributions should distinguish between facts and opinion. -- Contributions should contain up—to—date information +- Contributions should contain up—to—date information. -- Contributions should be accurate, relevant, reliable, and reusable +- Contributions should be accurate, relevant, reliable, and reusable. -- Contributions shouldn't contain confidential information that is not intended for broad distribution +- Contributions shouldn't contain confidential information that is not intended for broad distribution. ### Customize a topic page To accommodate different scenarios for how an organization wants to use Topics, it’s possible to customize a topic page to include more types of content—such as text, images, or links—beyond the standard properties of a topic. [Web parts](https://support.microsoft.com/office/using-web-parts-on-sharepoint-pages-336e8e92-3e2d-4298-ae01-d404bbe751e0) can be used on a topic page to bring in these different types of content. -The appropriate web parts to use on a topic page will be based on the scenarios identified for Topics. The [Topics scenario catalog](https://aka.ms/TopicsScenarios) can be referenced for some ideas. To help users think about different ways to make a topic page relevant to a scenario, consider sharing these sample scenarios and associated web parts that have been used on a topic page. Users can choose what makes the most sense and be creative. +The appropriate web parts to use on a topic page will be based on the scenarios identified for Topics. The [Topics scenario catalog](https://aka.ms/TopicsScenarios) can be referenced for some ideas. 
To help users think about different ways to make a topic page relevant to a scenario, consider sharing these sample scenarios and associated web parts that have been used on a topic page. Users can choose what makes the most sense and be creative. ### Product–based topic -Help employees learn about company products with easy access to product details, announcements, roadmaps, and a place to ask questions. +Help employees learn about company products with easy access to product details, announcements, roadmaps, and a place to ask questions. ![Image showing product based topic page.](../media/knowledge-management/topics-product-based-topic-page-tc.png) ### Customer based topic -Help sales executives, account managers, and support reps serve customers in a more effective manner by providing easy access to customer information. +Help sales executives, account managers, and support reps serve customers in a more effective manner by providing easy access to customer information. ![Image showing customer based topic page.](../media/knowledge-management/topics-customer-based-topic-tc.png) Provide employees with one place to go to find comprehensive and up—to—date ![Image showing asset based topic page.](../media/knowledge-management/topics-organizational-assets-tc.png) ### Knowledge networks+ Enable employees with a common interest in a topic to share knowledge, connect, learn, solve, and create together. ![Image showing topic page for curated for knowledge networks.](../media/knowledge-management/knowledge-networks-tc.png) Help colleagues curate topics effectively by: - Helping them learn how to [edit](edit-a-topic.md) and [create](create-a-topic.md) new topics, and how to [save a topic as a draft](save-topic-as-draft.md) -Users need the **Who can create or edit topics permissions** link to be able to edit and create new topics. 
If colleagues are unable to edit or create topics, they can reach out to the admin to have the appropriate [permissions assigned](topic-experiences-user-permissions.md). +Users need the **Who can create or edit topics permissions** link to be able to edit and create new topics. If colleagues are unable to edit or create topics, they can reach out to the admin to have the appropriate [permissions assigned](topic-experiences-user-permissions.md). |
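Review bot: In the `[!NOTE]` hunk, the list of fields exempt from security trimming grows to topic name, alternate names, description, and confirmed people, but the last bullet under "Contribution guidance" still only says contributions "shouldn't contain confidential information that is not intended for broad distribution" without naming those fields. Consider having that bullet link to the note or repeat the field list, so that a contributor who reads only the guidance knows which edits become visible to every user with permission to view Topics. The sentence added to the hashtag paragraph (Published topics appear for all page viewers, Suggested and Confirmed only for viewers with access to one of the topic's resources) makes a related visibility statement and could link to topic-experiences-security-trimming.md as well.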
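Review bot: Style point on the "Contribution guidance" bullets: the changed line "Contributions should contain up—to—date information." gains a period but keeps em dashes where hyphens belong, and the same "up—to—date" spelling remains in the unchanged asset-based topic context line. Since the line is already being edited, change it to "up-to-date" in this commit.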
topics | Topic Experiences Viva Engage | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/topics/topic-experiences-viva-engage.md | Previously updated : 01/05/2023 Last updated : 01/16/2024 Title: Topics in Viva Engage |