+The **Quota** chart shows you the number of user or shared mailboxes in each quota category. There are four quota categories:

+|Deleted Item Count|The total number of recoverable items in the mailbox. |

+|Deleted Item Size (MB)|The total size of all recoverable items in the mailbox. |

+To learn more about the recoverable items folder, see [Recoverable Items folder in Exchange Online](/exchange/security-and-compliance/recoverable-items-folder/recoverable-items-folder#recoverable-items-mailbox-quotas).

+- **Summarize a Teams meeting:** This represents the number of users who summarize meetings using Copilot in Microsoft Teams.

+- **Summarize a Teams conversation**: This represents the number of users who summarize Teams conversations using Copilot in Microsoft Teams.

+- **Summarize an email thread:** This represents the number of users who summarize email threads using Copilot in Outlook.

+- **Summarize a Word document:** This represents the number of users who summarize Word documents using Copilot in Microsoft Word.

+- **Summarize a presentation:** This represents the number of users who summarize a presentation using Copilot in Microsoft PowerPoint.

+To ensure a smooth migration process, we recommend limiting the number of mailboxes per batch to 2,000 and submitting batches at least two weeks prior to the cut-over date. This will not impact end users during synchronization. For guidance on migrating quantities exceeding 50,000 mailboxes, please contact your account team for assistance.

+ Title: IT Admins - Overview of external collaboration options in Microsoft 365

+description: Learn about how people outside your organization can access your Microsoft 365 resources for meetings, guest sharing, chat, and collaboration.

+# IT Admins - Overview of external collaboration options in Microsoft 365

+|Cross-cloud sharing|Guest account|Disabled|

+|Multitenant organization sharing|Guest account|Disabled|

+|Cross-cloud meetings|Existing Microsoft 365 external account|Disabled|

+People outside your organization don't have access unless a user in your organization initiates one of these activities. You can disable any of these settings if you don't want to allow that activity in your organization.

+If you have business processes or requirements around allowing collaboration with external organizations, see [Onboard trusted vendors to collaborate in Microsoft 365](/microsoft-365/solutions/trusted-vendor-onboarding).

+Sharing documents, sites, and teams with people outside your organization uses *guest accounts*. Guest accounts are a type of account in Microsoft Entra ID that is managed through [Microsoft Entra B2B collaboration](/entra/external-id/what-is-b2b). They can be used to share resources in your organization with anyone who has an email address, including people in [other Microsoft 365 cloud environments](#cross-cloud-sharing-and-meetings). You can manage guest accounts the same way you manage users in your organization. Guests don't require a license for most features of collaboration.

+Shared channels are a type of Teams channel that allows you to share with people outside the team, including people in other Microsoft 365 organizations. While shared channels is turned on by default in Teams, external collaboration with shared channels is disabled by default. External collaboration with shared channels uses [Microsoft Entra B2B direct connect](/entra/external-id/b2b-direct-connect-overview) which allows you to add people from other Microsoft 365 organizations to Teams channels without the need for creating a guest account.

+Shared channels have a particular advantage over guest accounts in that they don't require external participants to switch accounts in the Teams desktop client or log into your organization. They can use their regular work or school account and access the channel directly.

+Sharing channels with people outside your organization requires that your organization and the external organization both configure an organizational relationship in Microsoft Entra B2B Direct Connect.

+You can also allow users in your organization to communicate with people from outside your organization who are using Teams accounts that aren't managed by an organization, as well as Skype for Business (online and on-premises) and Skype users.

+Guest accounts aren't used as part of external chat and meetings. External participants remain signed in to their organization or to Skype and can communicate directly with people in your organization. They don't have access to your teams or channels.

+## Anonymous meeting join

+- If they're logged in to a different organization with a work or school account, and both organizations trust each other in [external access](/microsoftteams/manage-external-access) or are part of [cross-cloud meeting connection](/microsoftteams/cross-cloud-meetings#add-a-new-cross-cloud-meeting-connection), they join meetings as an external participant.

+- If they're not a guest or external participant, they must join meetings anonymously.

+If the anonymous join setting is enabled for your organization, anonymous users can join a meeting using a meeting link that has been shared with them (such as a link in the meeting invitation). They're prompted to enter a display name of their choosing when joining the meeting anonymously. Depending on the lobby settings, the anonymous user may be automatically admitted to the meeting, or be added to a lobby where the meeting organizer (or meeting participants with the presenter role) can allow or deny access to the meeting.

+It is not possible to verify the identity of anonymous users before, during or after the meeting.

+You can control anonymous users' ability to join meetings at the organization level and through meeting policy settings. For information about configuring anonymous join for meetings, see [Manage anonymous participant access to Teams meetings](/microsoftteams/anonymous-users-in-meetings).

+People using an Anyone link don't have to authenticate, and their access can't be audited. File and folder owners can revoke access at any time by deleting the link.

+## Cross-cloud sharing and meetings

+You can collaborate with users in other Microsoft Azure cloud environments (such as between Microsoft Azure Commercial and Microsoft Azure Government) in the following ways:

+- **Cross-cloud guest access** - You can share documents, sites, and teams with organizations that are in other Microsoft Azure cloud environments.

+- **Cross-cloud meetings** - You can meet with people in other Microsoft Azure cloud environments with an authenticated meeting experience that doesn't require guest accounts.

+Both options require that you enable connections to the other cloud environment and set up an organizational relationship with the specific organization with which you want to collaborate.

+For information about setting up cross-cloud guest access, see [Collaborate with guests from other Microsoft 365 cloud environments](/microsoft-365/solutions/collaborate-guests-cross-cloud).

+For information about setting up cross-cloud meetings, see [Meet with people in other Microsoft 365 cloud environments](/microsoftteams/cross-cloud-meetings).

+## Multitenant organizations

+If your organization manages multiple Microsoft 365 tenants, you can set up a multitenant organization in Microsoft 365 to facilitate collaboration and resource access between tenants. Multitenant organizations synchronize users between tenants using Microsoft Entra B2B collaboration users. With the new Microsoft Teams desktop client, users can search for users in other tenants, receive real-time notifications from all the tenants in the multitenant organization, and participate in chats, meetings, and calls across all of the tenants without needing to switch tenants.

+For information about how to set up a multitenant organization, see [Plan for multitenant organizations in Microsoft 365](/microsoft-365/enterprise/plan-multi-tenant-org-overview) and [Set up a multitenant org in Microsoft 365](/microsoft-365/enterprise/set-up-multi-tenant-org).

+## Related articles

+[Intro to file collaboration in Microsoft 365](/sharepoint/intro-to-file-collaboration)

+Microsoft Teams enables your on-the-ground staff to collaborate efficiently with collaboration features and apps. Your frontline workforce can use Teams on either personal or shared devices depending on the needs of your organization.

+Here are some of the ways that your frontline can use Teams to communicate and share information.

+|Chat, post messages, and communicate |Your frontline workers can seamlessly communicate within and across locations through chats and channel conversations. Teams provides a great out-of-the-box collaboration experience for your organization, and most organizations find that the default settings work for them. |[Manage chat, teams, channels, and apps](/microsoftteams/deploy-chat-teams-channels-microsoft-teams-landing-page). |Chats:<ul><li>[Chat in Teams](https://support.microsoft.com/en-us/office/chat-in-microsoft-teams-f3a917cb-1a83-42b2-a097-0678298703bb)</li><li>[Start chats](https://support.microsoft.com/office/start-and-pin-chats-a864b052-5e4b-4ccf-b046-2e26f40e21b5) (video)</li></ul> Channel conversations: <ul><li>[Send a message to a channel](https://support.microsoft.com/office/send-a-message-to-a-channel-in-microsoft-teams-5c8131ce-eaad-4798-bc73-e33f4652a9c4)</li><li>[Work with posts and messages](https://support.microsoft.com/office/create-and-format-a-post-e66777da-636b-49eb-9408-b0d88b212885) (video training)</li></ul>[Using tags in Teams](https://support.microsoft.com/office/using-tags-in-microsoft-teams-667bd56f-32b8-4118-9a0b-56807c96d91e)|

+|Call and meet with team members |Managers can set up individual meetings, or use channel meetings to manage daily meetings, both with the power of Teams audio, video, screen sharing, recording, and transcription features. You'll need to configure settings for meetings and conferencing, and enable a voice solution to use calling. |[Overview of meetings, webinars, and town halls in Teams](/microsoftteams/deploy-meetings-microsoft-teams-landing-page) and [Plan your Teams voice solution](/microsoftteams/cloud-voice-landing-page) |Calls: <ul><li>[Make calls](https://support.microsoft.com/en-us/office/start-a-call-from-a-chat-in-microsoft-teams-f5138c9d-df4c-43d8-9cf6-53400c1a7798)</li><li>[Overview of Teams calls](https://support.microsoft.com/office/overview-of-teams-calls-425d6970-6e27-47b6-bc61-4c38fff51c4f) (video training)</li></ul> Meetings:<ul><li>[Join a meeting in Teams](https://support.microsoft.com/en-us/office/join-a-meeting-in-microsoft-teams-1613bb53-f3fa-431e-85a9-d6a91e3468c9)</li><li>[Join a meeting](https://support.microsoft.com/office/join-a-teams-meeting-078e9868-f1aa-4414-8bb9-ee88e9236ee4) (video training)</li></ul>|

+|Store and share files and documents |Sharing files allows in-store staff to easily access information such as merchandising diagrams without having to leave the sales floor or get help from a manager. Every team automatically comes with a **Files** tab that you can use to store and share documents. This tab actually represents a folder within the default team site document library in SharePoint that's' automatically created when the team is created. |[Overview of Teams and SharePoint integration](/sharepoint/teams-connected-sites) |[Upload and share files](https://support.microsoft.com/office/upload-and-share-files-57b669db-678e-424e-b0a0-15d19215cb12) (video training) |

+Healthcare workers in a hospital use Teams capabilities to coordinate care. Everyone in the office is part of a general chat, and each group of workers (doctors, nurses, receptionists, and other staff) can have their own channel where they can ask questions and communicate. Staff in different departments uses Teams meetings and calls to keep up to date without having to leave their stations. When multiple staff are attending to one patient, they share notes and care plans over Teams. Staff who work with instruments and machinery, such as medical instrument technicians, can share fact and care sheets about equipment.

+Manufacturing workers can use Teams to communicate and coordinate production within and across locations. Plants can hold morning stand-up meetings without anyone having to leave their stations. Workers can use chat to get in touch with each other and supervisors so they don't need to search across large areas to find help. Your team can use file sharing to make sure everyone has on-the-go access to manuals, instruction sheets, inspection records, and any other information your workers need.

+Use Shifts to seamlessly manage and share schedules. Managers can create custom groups such as cashiers, nurses, or mortgage specialists, assign shifts to employees, add breaks, and add open shifts that employees can request to take. Employees can use Shifts to set their availability, view their schedules, swap shifts with coworkers, clock in and out, and more. For example, a volunteer coordinator at a nonprofit could create open shifts that volunteers can request to take.

+Learn how to [manage Shifts for your organization](/microsoftteams/expand-teams-across-your-org/shifts/manage-the-shifts-app-for-your-organization-in-teams?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json).

+The Walkie Talkie app in Teams provides a push-to-talk (PTT) experience that enables clear, instant, and secure voice communications. For example, if a customer at one side of the store asks an employee if an item is in stock on the other side of the store, the employee can use Walkie Talkie to contact someone who works near the item. Employees can also easily consult with experts in other stores or corporate offices. Because Walkie Talkie works over Wi-Fi or cellular data, your frontline can communicate from anywhere they have an internet connection.

+|Retail | If a customer asks a store associate a question they don't know the answer to, the associate can use Walkie Talkie to communicate with a manager or another expert without having to leave the customer. |

+|Healthcare |A medical staff member who has a question about a patient's treatment can use Walkie Talkie to communicate with another staff member who works with the patient. |

+|Manufacturing |A technician can use Walkie Talkie to consult with an expert in another location while performing equipment maintenance or repairs. |

+Share these Walkie Talkie resources with your users:

+- [Get started with Teams Walkie Talkie](https://support.microsoft.com/office/get-started-with-teams-walkie-talkie-25bdc3d5-bbb2-41b7-89bf-650fae0c8e0c)

+- [Communicate with your team in Walkie Talkie](https://support.microsoft.com/office/communicate-with-your-team-in-walkie-talkie-e4342550-5516-4451-b9ec-93166b60f8a4)

+|Manufacturing |A manager can send the **Leadership** badge to a supervisor whose team is performing well. |

+## Manage apps

+Manage apps for your organization in the Teams admin center. To learn more, see [Overview of app management and governance in Teams admin center](/microsoftteams/manage-apps).

+The Viva Connections dashboard provides fast and easy access to information and job-related tasks. For example, add the Shifts card to show information about the next or current shift from the Shifts app. Content in the cards is dynamic and personalized to the user.

+Learn more about [Viva Connections](/viva/connections/viva-connections-overview) and [how to create a Viva Connections dashboard](/viva/connections/create-dashboard).

+- [Teams for Manufacturing](teams-for-manufacturing.md)

+description: Learn how a user with Away status or Do not disturb status can set another user as a delegate in their Teams status message.

+Users in Microsoft Teams can set their status to Away or Do not disturb, and include a custom status message. A user who's going to be away can assign someone as a delegate who people can contact instead. The message delegation feature works as follows:

+1. The user who's @mentioned gets notified that they're designated as a delegate.

+1. When someone opens a chat with the away user and sees their status message, they see the delegate's name and can easily message them instead.

+Users can initiate this process themselves. No admin involvement is required to enable the feature.

+## Example scenario

+Ravi Costa is a doctor on call at the radiology department. Ravi receives an urgent personal call and has to step away for the next couple of hours. Ravi asks a peer in the radiology department, Max Morin, to cover for them while they're away. They change their status in Teams to Away and set a status message that says "I'm unavailable for the next few hours. Contact @MaxMorin for any emergencies." Max is notified in Teams, and team members who try to contact Ravi see the status message and know to contact Max in the meantime.

+ Title: Messaging policy settings for healthcare organizations using Microsoft Teams

+description: Learn how to customize a messaging policy for Microsoft Teams that can include read receipts and priority notifications.

+# Messaging policies for healthcare organizations

+Messaging policies are used to control which chat and channel messaging features are available to users in Microsoft Teams. They're part of the overall messaging deployment for healthcare organizations like hospitals, clinics, or doctor's offices, where having a message picked up and acted upon in a timely manner is crucial, as is knowing when messages are read.

+You can use the global (Org-wide default) policy that's automatically created or create and assign custom messaging policies. Users in your organization automatically get the global policy unless you create and assign a custom policy. Edit the settings in the global policy or create and assign one or more custom policies to turn on or turn off the features that you want.

+For example, you might choose to only allow certain job roles to use certain features (perhaps doctors and nurses only) and other workers (like food services staff) to get a more limited set of features. Decide for yourself what needs your organization has, the guidance here is at most a suggestion.

+You manage messaging policies in the Teams admin center. To learn more, see [Manage messaging policies in Teams](/microsoftteams/messaging-policies-in-teams).

+The following messaging policy settings are of special interest for healthcare organizations, and should be considered when designing a custom policy used in the healthcare field.

+[Read receipts](https://support.microsoft.com/office/use-read-receipts-for-messages-in-microsoft-teams-533f2334-32ef-424b-8d56-ed30e019f856) allows the sender of a chat message to know when their message was read by the recipient in 1:1 chats and in group chats of 20 people or less. Use this setting to specify whether read receipts are user controlled, on for everyone, or off for everyone. Message read receipts are important in healthcare organizations because they remove uncertainly about whether a message was read.

+For healthcare applications, choose either **User controlled** or **On for everyone**. Keep in mind that when using the **On for everyone** setting, the only way to set receipts for the whole tenant is either to have only one messaging policy for the whole tenant (the default global policy) or to have all messaging policies in the tenant use the same settings for receipts. The read receipts feature is most effective when set to **On for everyone**.

+### Example scenario

+Remy Morris, a high-risk patient, is admitted to the hospital. Sofia Krause is a nurse who is assigned as the primary care coordinator of this patient. Sofia starts a group chat with a set of doctors and other nurses who are working with the patient and starts an emergency triage. The doctors and nurses communicate and collaborate over the patient's care plan. Important and urgent messages are sent through 1:1 and group chat conversations. Sofia uses read receipts to determine whether messages sent requesting support are delivered and read by the care team.

+A user can mark a message as *urgent* when sending chat messages to other users. This feature helps hospital staff alert one another when a critical incident requires their attention. [Urgent messages using priority notifications](https://support.microsoft.com/article/mark-a-message-as-important-or-urgent-in-teams-ea99d5b6-1317-4550-8d75-86ff14cd4462) notify users every two minutes for up to 20 minutes or until the recipient reads the message, maximizing the likelihood that the message is acted upon in a timely manner.

+An admin can enable or disable the ability for users assigned this policy to send priority notifications. This feature is on by default. The recipient of the priority message might not have the same messaging policy, and won't be able to disable receiving priority messages. For healthcare applications, we recommend enabling the feature for at least some users, but you'll need to determine which ones.

+### Example scenario

+Sofia Krause is readmitting a patient, Jakob Roth. Manuela Carstens, a physician, is the primary care doctor for this patient. Sofia sends an urgent message to Manuela using priority notifications asking for immediate help with triage of Jakob. Manuela's phone receives the message but Manuela didn't feel the phone vibration and doesn't reply. Teams renotifies Manuela and continues to repeatedly notify until Manuela reads the message. If read receipts are also enabled, Sofia is aware that the message was read by Manuela, even before Manuela decides how to respond.

+## Related articles

+<!-- > [!VIDEO https://www.microsoft.com/videoplayer/embed/RWRzfc]-->

+Add Power Apps to create low-code or no-code apps for your organization. You can build custom apps to connect your business data, so you can manage inventory or conduct store walks, for example.

+> Examples are given for the financial services, healthcare, nonprofit, and retail industries, but apply to an organization in any sector.

+|Financial services |Create an app for relationship and account managers to track calls and emails to clients. |

+|Healthcare |Create an app to track consumables inventory in exam rooms to make sure all rooms are ready for patients. |

+|Retail | Create an app to manage and track your inventory, or to conduct store walks where a person in charge checks all areas of a store before opening. |

+|Manufacturing |Create an app to track machinery and equipment inspections and repair needs. |

+More information: [Power Apps and Microsoft Teams integration](/powerapps/teams/overview).

+Share and collaborate on interactive Power BI content in Microsoft Teams channels and chats. You can add the Power BI app to Teams to embed interactive reports and chat in Teams about your reports.

+More information: [Collaborate with Power BI in Microsoft Teams, Outlook, and Office](/power-bi/collaborate-share/service-collaborate-microsoft-teams).

+ Title: "Manage Lighthouse RBAC permissions in Microsoft 365 Lighthouse"

+f1.keywords: NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Tier1

+- scotvorg

+- M365-subscription-management

+- Adm_O365

+- AdminSurgePortfolio

+- M365-Lighthouse

+search.appverid: MET150

+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to manage Lighthouse role-based access control (RBAC) permissions in Microsoft 365 Lighthouse."

+# Manage Lighthouse RBAC permissions in Microsoft 365 Lighthouse

+The Lighthouse permissions page allows administrators in Microsoft 365 Lighthouse to manage user role-based access control (RBAC) permissions in the partner tenant. Administrators can view and manage membership for each Lighthouse RBAC role to ensure that users in the partner tenant have right-sized permissions. Each Lighthouse RBAC role is associated with a security group instead of an Entra ID role, so when users are assigned a Lighthouse RBAC role, they're automatically associated with a specific Lighthouse RBAC security group.

+When administrators assign a Lighthouse RBAC role to a user in the partner tenant for the first time, a security group is automatically created. Administrators can view the associated security group for each Lighthouse RBAC role on the Lighthouse permissions page and in the Microsoft Entra admin center. All security group membership changes are reflected in both Lighthouse and the Microsoft Entra admin center.

+## Before you begin

+To access the Lighthouse permissions page and manage permissions, you must be a Global Administrator in Microsoft Entra ID.

+## View Lighthouse RBAC role membership and associated security group

+1. In the left navigation pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">Lighthouse</a>, select **Permissions** > **Lighthouse permissions**.

+

+2. Select a Lighthouse role from the list to open the Lighthouse role details pane.

+

+3. View users in the partner tenant who are assigned the Lighthouse RBAC role and the associated security group.

+## Assign Lighthouse RBAC roles to users in the partner tenant

+1. In the left navigation pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">Lighthouse</a>, select **Permissions** > **Lighthouse permissions**.

+

+2. Select a Lighthouse role from the list to open the Lighthouse role details pane.

+

+3. Select **Assign users**.

+

+4. Select the users you want to assign to the Lighthouse RBAC role.

+5. Select **Assign users**.

+

+> [!NOTE]

+> The Lighthouse Operator role is viewable but not assignable from the Lighthouse permissions page. The Lighthouse Operator role is automatically assigned to users with GDAP permissions.

+## Remove users in the partner tenant from a Lighthouse RBAC role

+1. In the left navigation pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">Lighthouse</a>, select **Permissions** > **Lighthouse permissions**.

+2. Select a Lighthouse role from the list to open the Lighthouse role details pane.

+3. Do one of the following:

+ - To remove a single user from the Lighthouse RBAC role, select the **X** next to the user you want to remove.

+ - To remove multiple users from the Lighthouse RBAC role, select the users you want to remove, and then select **Remove users**.

+4. In the confirmation window, select **Remove users** to confirm removal.

+## Next steps

+After you've added users to, or removed users from, the available Lighthouse RBAC roles, go to the Lighthouse permissions page to view the latest group membership for each role.

+> [!NOTE]

+> Once you've added a user to, or removed a user from, a Lighthouse RBAC role, it may take up to an hour for group membership changes to appear in Lighthouse.

+To learn more about each Lighthouse RBAC role to determine which roles users in your partner tenant should have, see [Overview of permissions in Microsoft 365 Lighthouse](m365-lighthouse-overview-of-permissions.md).

+## Related content

+[Overview of permissions in Microsoft 365 Lighthouse](m365-lighthouse-overview-of-permissions.md) (article)\

+[Set up GDAP for your customers](m365-lighthouse-setup-gdap.md) (article)\

+[Overview of Delegated Access in Microsoft 365 Lighthouse](m365-lighthouse-delegated-access-overview.md) (article)

+Microsoft 365 Lighthouse permissions are primarily managed by the following:

+- Lighthouse role-based access control (RBAC) in the partner tenant

+- Granular Delegated Admin Privileges (GDAP) in the customer tenant

+To use Lighthouse, you need a combination of roles assigned via RBAC and GDAP.

+## Managing Lighthouse RBAC permissions in the partner tenant

+Lighthouse permissions in the partner tenant are managed by assigning RBAC roles. Each role has a set of permissions that determines which data users can access and change within the partner tenant.

+RBAC roles are managed from the Lighthouse permissions page in Lighthouse. To access the Lighthouse permissions page and manage permissions, you must be a Global Administrator in Microsoft Entra ID. To learn more, see [Manage Lighthouse RBAC permissions in Microsoft 365 Lighthouse](m365-lighthouse-manage-lighthouse-rbac-permissions.md).

+There's currently only one Lighthouse RBAC role: Lighthouse Account Manager. The following table describes the Lighthouse Account Manager role.

+| Lighthouse&nbsp;RBAC&nbsp;role | Description |

+|||

+| Lighthouse Account Manager | Provides full access to Sales Advisor pages and data across the entire partner tenant. Lighthouse Account Managers can export Sales Advisor data. |

+## Lighthouse RBAC roles and capabilities

+The following table describes the actions that Lighthouse Account Managers can perform in Lighthouse.

+| Area | Actions | Lighthouse&nbsp;Account&nbsp;Manager |

+|||::|

+| **Tenants** | View the Tenants page | &check; |

+| | Manage tags | |

+| | Activate and inactivate a tenant | |

+| | View delegated status | &check; |

+| | View baseline assignment | |

+| | View deployment status | &check; |

+| | View and edit customer contact information and website | &check; |

+| **Baselines** | View baselines (default, custom) | |

+| | Create, edit, and assign baselines | |

+| **Alerts** | View alerts | &check; |

+| | Manage alerts (change severity, status, or assignment) | |

+| | Create, edit, and delete alert rules | |

+| **Permissions** | Set up and manage Lighthouse permissions | |

+| | Set up and manage GDAP | |

+| | View GDAP status detail | |

+| **Audit logs** | View audit logs | |

+| **Sales Advisor** | View Sales Advisor reports and manage data | &check; |

+| **Support** | Open and manage service requests | |

+| **Service&nbsp;health** | Monitor service health | |

+## Managing GDAP in the customer tenant

+GDAP gives you a high level of control and flexibility by providing access to customer tenants throughΓÇ»[Microsoft Entra built-in roles](/azure/active-directory/roles/permissions-reference). Assigning the least-privileged roles by task through GDAP to MSP technicians reduces security risk for both MSPs and customers.

+For more information about setting up a GDAP relationship with a customer tenant in Lighthouse, see [Obtain granular admin permissions to manage a customer's service - Partner Center](/partner-center/gdap-obtain-admin-permissions-to-manage-customer).ΓÇ»

+For more information about least-privileged roles by task, seeΓÇ»[Least-privileged roles - Partner Center](/partner-center/gdap-least-privileged-roles-by-task) and [Least privileged roles by task in Microsoft Entra ID](/azure/active-directory/roles/delegate-by-task).

+For more information about GDAP or Delegated Admin Privileges (DAP) deprecation, see [GDAP frequently asked questions - Partner Center](/partner-center/gdap-faq), [Delegated administration privileges (DAP) FAQ - Partner Center](/partner-center/dap-faq), or search the [Partner Center announcements](/partner-center/announcements/) for dates and timelines.

+Microsoft 365 Lighthouse is an admin portal that provides advanced capabilities for Managed Service Providers (MSPs) to manage customers at scale through proactive account management, simplified onboarding, efficient tenant configuration, device protection, and alerts. Lighthouse provides insights into customer acquisition, retention, and growth opportunities, as well as multi-tenant views across customer devices, data, and users to help customers get the most value from Microsoft 365.

+Lighthouse is available to partners enrolled in the Cloud Solution Provider (CSP) program, including both indirect resellers and direct-bill partners.

+> Only partners are required to enroll in the CSP program; the customers they manage don't need to enroll in the CSP program.

+In addition, each customer tenant must meet the following requirements to be actively monitored and managed in Lighthouse:

+- Must have delegated access set up for the partner to be able to manage the customer tenant

+This article provides instructions for how to sign up for Microsoft 365 Lighthouse. Microsoft 365 Lighthouse is an admin portal that provides advanced capabilities for Managed Service Providers (MSPs) to manage customers at scale through proactive account management, simplified onboarding, efficient tenant configuration, device protection, and alerts. Lighthouse provides insights into customer acquisition, retention, and growth opportunities, as well as multi-tenant views across customer devices, data, and users to help customers get the most value from Microsoft 365.

+Microsoft 365 Lighthouse is deployed in the partner tenant only&mdash;not in the customer tenants, but make sure you and your tenants meet the requirements listed in [Microsoft 365 Lighthouse requirements](m365-lighthouse-requirements.md).

+## Sign up for Microsoft 365 Lighthouse

+1. Go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">https://lighthouse.microsoft.com</a>.

+ If your partner tenant is eligible to use Microsoft 365 Lighthouse, you'll see a welcome message and your managed tenants will begin loading. After this initial loading process completes (which may take a couple minutes), you can start using Lighthouse to manage your customers.

+ > If you see the message, "You must be an indirect reseller or direct-bill partner to use this service," see [Requirements for Microsoft 365 Lighthouse](m365-lighthouse-requirements.md) for eligibility details.

+2. If you see the message, "You need to sign up for Microsoft 365 Lighthouse in the Microsoft 365 admin center," then follow these steps:

+ 1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a> and sign in using your partner tenant credentials.

+ 2. Go to **Billing** > **Purchase services** > **Microsoft 365**.

+

+ > [!NOTE]

+ > Instead of **Billing**, some partners may need to go to **Marketplace** > **All products**, and then search for **Microsoft 365 Lighthouse**.

+

+ 3. Under **Microsoft 365 Lighthouse**, select **Details**.

+ 4. Select **Buy**.

+ > [!NOTE]

+ > Lighthouse requires one license for the partner tenant only. No additional per-user licenses are required for the partner, and no Lighthouse licenses are required in any customer tenant.

+ To verify that Lighthouse was successfully added to your tenant, look for Microsoft 365 Lighthouse under **Billing** > **Your products** in the Microsoft 365 admin center.

+ 5. If you aren't redirected to the Lighthouse portal, go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">https://lighthouse.microsoft.com</a>.

+> [!NOTE]

+> After you complete sign-up, it can take up to 48 hours for customer data to appear in Lighthouse.

+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- Windows 11 or Windows 10

+- Windows Server 2022 or Windows Server 2019 or Windows Server 2016 or Windows Server 2012 R2 or Windows Server 2008 R2

+- Microsoft Edge or Internet Explorer browser required

+Launching this link should render a message similar to the following:

+ :::image type="content" source="images/smartscreen-app-reputation-known-malware.png" alt-text="Screenshot showing how SmartScreen detects a file download with an unsafe reputation; the download is blocked.":::

+ Title: Deployment guidance for Microsoft Defender for Endpoint on Linux for SAP

+description: Deployment guidance for Microsoft Defender for Endpoint on Linux for SAP

+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, SAp

+ms.localizationpriority: medium

+audience: ITPro

+- m365-security

+- tier3

+- mde-linux

+search.appverid: met150

+# Deployment guidance for Microsoft Defender for Endpoint on Linux for SAP

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+This article provides deployment guidance for Microsoft Defender for Endpoint on Linux for SAP. You'll learn about recommended SAP OSS(Online Services System) notes, the system requirements, prerequisites, important configuration settings, recommended antivirus exclusions, and guidance on scheduling antivirus scans.

+Conventional security defenses that have been commonly used to protect SAP systems such as isolating infrastructure behind firewalls and limiting interactive operating system logons are no longer considered sufficient to mitigate modern sophisticated threats. It's essential to deploy modern defenses to detect and contain threats in real-time. SAP applications unlike most other workloads require basic assessment and validation before deploying Microsoft Defender for Endpoint. The Enterprise Security administrators should contact the SAP Basis Team prior to deploying Defender for Endpoint. The SAP Basis Team should be cross trained with a basic level of knowledge about Defender for Endpoint.

+## Recommended SAP OSS Notes

+- [2248916 - Which files and directories should be excluded from an antivirus scan for SAP BusinessObjects Business Intelligence Platform products in Linux/Unix? - SAP ONE Support Launchpad](https://launchpad.support.sap.com/#/notes/2248916)

+- [1984459 - Which files and directories should be excluded from an antivirus scan for SAP Data Services - SAP ONE Support Launchpad](https://launchpad.support.sap.com/#/notes/1984459)

+- [2808515 - Installing security software on SAP servers running on Linux - SAP ONE Support Launchpad](https://launchpad.support.sap.com/#/notes/2808515)

+- [1730930 - Using antivirus software in an SAP HANA appliance - SAP ONE Support Launchpad](https://launchpad.support.sap.com/#/notes/1730930)

+- [1730997 - Unrecommended versions of antivirus software - SAP ONE Support Launchpad](https://launchpad.support.sap.com/#/notes/1730997)

+## SAP Applications on Linux

+- SAP only supports Suse, Redhat and Oracle Linux. Other distributions aren't supported for SAP S4 or NetWeaver applications.

+- Suse 15.x, Redhat 8.x or 9.x and Oracle Linux 8.x are strongly recommended.

+- Suse 12.x, Redhat 7.x and Oracle Linux 7.x are technically supported but haven't been extensively tested.

+- Suse 11.x, Redhat 6.x and Oracle Linux 6.x might not be supported and haven't been tested.

+- Suse and Redhat offer tailored distributions for SAP. These ΓÇ£for SAPΓÇ¥ versions of Suse and Redhat might have different packages preinstalled and possibly different kernels.

+- SAP only supports certain Linux File systems. In general, XFS and EXT3 are used. Oracle Automatic Storage Management (ASM) filesystem is sometimes used for Oracle DBMS and can't be read by Defender for Endpoint.

+- Some SAP applications use ΓÇ£standalone enginesΓÇ¥ such as TREX, Adobe Document Server, Content Server and LiveCache. These engines require specific configuration and file exclusions.

+- SAP applications often have Transport and Interface directories with many thousands of small files. If the number of files is larger than 100,000, it might and affect performance. It's recommended to archive files.

+- It's strongly recommended to deploy Defender for Endpoint to non-productive SAP landscapes for several weeks before deploying to production. The SAP Basis Team should use tools such as sysstat, KSAR and nmon to verify if CPU and other performance parameters are impacted.

+## Prerequisites for deploying Microsoft Defender for Endpoint for Linux on SAP VMs

+- Microsoft Defender for Endpoint [version](./linux-whatsnew.md) >= 101.23082.0009 | Release version: 30.123082.0009 or higher must be deployed.

+- Microsoft Defender for Endpoint for Linux supports all the [Linux releases](microsoft-defender-endpoint-linux.md#system-requirements) used by SAP applications.

+- Microsoft Defender for Endpoint for Linux requires connectivity to [specific Internet endpoints](microsoft-defender-endpoint-linux.md#network-connections) from VMs to update AV Definitions.

+- Microsoft Defender for Endpoint for Linux requires some crontab (or other task scheduler) entries to schedule scans, log rotation, and Microsoft Defender for Endpoint updates. Enterprise Security team will normally manage these entries. Refer to [How to schedule an update of the Microsoft Defender for Endpoint (Linux) | Microsoft Learn](linux-update-mde-linux.md).

+The default configuration option for deployment as an Azure Extension for AntiVirus (AV) will be Passive Mode. This means that the AV component of Microsoft Defender for Endpoint won't intercept IO calls. It's recommended to run Microsoft Defender for Endpoint in Passive Mode on all SAP applications and to schedule a scan once per day. In this mode:

+- **Real-time protection is turned off**: Threats are not remediated by Microsoft Defender Antivirus.

+- **On-demand scanning is turned on**: Still use the scan capabilities on the endpoint.

+- **Automatic threat remediation is turned off**: No files will be moved and the security administrator is expected to take required action.

+- **Security intelligence updates are turned on**: Alerts will be available on security administrator's tenant.

+The Linux crontab is typically used to schedule Microsoft Defender for Endpoint AV scan and log rotation tasks:

+[How to schedule scans with Microsoft Defender for Endpoint (Linux) | Microsoft Learn](linux-schedule-scan-mde.md)

+Endpoint Detection and Response (EDR) functionality is active whenever Microsoft Defender for Endpoint for Linux is installed. There is no simple way to disable EDR functionality through command line or configuration. For more information on troubleshooting EDR, see the sections [Useful Commands](#useful-commands) and [Useful Links](#useful-links).

+## Important Configuration Settings for Microsoft Defender for Endpoint on SAP on Linux

+It's recommended to check the installation and configuration of Defender for Endpoint with the command mdatp health.

+The key parameters recommended for SAP applications are:

+- healthy = true

+- release_ring = Production. Pre-release and insider rings shouldn't be used with SAP Applications.

+- real_time_protection_enabled = false. Real-time protection is off in passive mode which is the default mode and will prevent real-time IO interception.

+- automatic_definition_update_enabled = true

+- definition_status = ΓÇ£up_to_dateΓÇ¥. Run a manual update if a new value is identified.

+- edr_early_preview_enabled = ΓÇ£disabledΓÇ¥. If enabled on SAP systems it might lead to system instability.

+- conflicting_applications = [ ]. Other AV or security software installed on a VM such as Clam.

+- supplementary_events_subsystem = "ebpf". Do not proceed if ebpf is not displayed. Contact the security admin team.

+This article has some useful hints on troubleshooting installation issues for Microsoft Defender for Endpoint:

+[Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux | Microsoft Docs](linux-support-install.md#installation-failed)

+## Recommended Microsoft Defender for Endpoint AntiVirus Exclusions for SAP on Linux

+Enterprise Security Team must obtain a full list of AV exclusions from the SAP Administrators (typically the SAP Basis Team).

+It's recommended to initially exclude:

+- DBMS data files, log files and temp files, including disks containing backup files

+- The entire contents of the SAPMNT directory

+- The entire contents of the SAPLOC directory

+- The entire contents of the TRANS directory

+- The entire contents of directories for standalone engines such as TREX

+- Hana ΓÇô exclude /hana/shared, /hana/data and /hana/log - see Note 1730930

+- SQL Server ΓÇô [Configure antivirus software to work with SQL Server - SQL Server | Microsoft Learn](/troubleshoot/sql/database-engine/security/antivirus-and-sql-server)

+- Oracle ΓÇô See How To Configure Anti-Virus On Oracle Database Server (Doc ID 782354.1)

+- DB2 ΓÇô [https://www.ibm.com/support/pages/which-db2-directories-exclude-linux-anti-virus-software](https://www.ibm.com/support/pages/which-db2-directories-exclude-linux-anti-virus-software)

+- SAP ASE ΓÇô contact SAP

+- MaxDB ΓÇô contact SAP

+Oracle ASM systems don't need exclusions as Microsoft Defender for Endpoint can't read ASM disks.

+Customers with Pacemaker clusters should also configure these exclusions:

+```bash

+mdatp exclusion folder add --path /usr/lib/pacemaker/ (for RedHat /var/lib/pacemaker/)

+```

+```bash

+mdatp exclusion process add --name pacemakerd

+```

+```bash

+mdatp exclusion process add --name crm_*

+```

+Customers running the Azure Security security policy might trigger a scan using the Freeware Clam AV solution. It's recommended to disable Clam AV scan after a VM has been protected with Microsoft Defender for Endpoint using following commands:

+```bash

+sudo azsecd config -s clamav -d "Disabled"

+```

+```bash

+sudo service azsecd restart

+```

+```bash

+sudo azsecd status

+```

+The following articles detail how to configure AV exclusions for processes, files, and folders per individual VM:

+- [Set up exclusions for Microsoft Defender Antivirus scans | Microsoft Learn](configure-exclusions-microsoft-defender-antivirus.md)

+- [Common mistakes to avoid when defining exclusions | Microsoft Learn](common-exclusion-mistakes-microsoft-defender-antivirus.md)

+## Scheduling a Daily AV Scan

+The recommended configuration for SAP applications disables real-time interception of IO calls for AV scanning. The recommended setting is passive mode in which real_time_protection_enabled = false.

+The following link details how to schedule a scan: [How to schedule scans with Microsoft Defender for Endpoint (Linux) | Microsoft Learn](linux-schedule-scan-mde.md).

+Large SAP systems might have more than 20 SAP application servers each with a connection to the SAPMNT NFS share. Twenty or more application servers simultaneously scanning the same NFS server will likely overload the NFS server. By default Microsoft Defender for Endpoint for Linux won't scan NFS sources.

+If there's a requirement to scan SAPMNT then this scan should be configured on one or two VMs only.

+Scheduled scans for SAP ECC, BW, CRM, SCM, Solution Manager, and other components should be staggered at different times to avoid all SAP components from overloading a shared NFS storage source shared by all SAP components.

+## Useful Commands

+If, during manual zypper installation on Suse an error ΓÇ£Nothing provides ΓÇÿpolicycoreutilsΓÇÖΓÇ¥ occurs, refer to:

+[Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](linux-support-install.md).

+There are several command-line commands that can control the operation of mdatp. To enable the passive mode you can use the following command:

+```bash

+mdatp config passive-mode --value enabled

+```

+> [!NOTE]

+> passive mode is the default mode on installing defender for endpoint on Linux.

+To turn off real-time protection, you can use the command:

+```bash

+mdatp config real-time-protection --value disabled

+```

+This command tells mdatp to retrieve the latest definitions from the cloud:

+```bash

+mdatp definitions update

+```

+This command tests whether mdatp can connect to the cloud-based endpoints via the network:

+```bash

+mdatp connectivity test

+```

+These commands updates the mdatp software if needed:

+```bash

+yum update mdatp

+```

+```bash

+zypper update mdatp

+```

+Since mdatp runs as a linux system service, you can control mdatp using the service command, for example:

+```bash

+service mdatp status

+```

+This command creates a diagnostic file that can be uploaded to Microsoft support:

+```bash

+sudo mdatp diagnostic create

+```

+## Useful Links

+- Microsoft Endpoint Manager doesn't support Linux at this time

+- [Manage Microsoft Defender for Endpoint configuration settings on devices with Microsoft Endpoint Manager | Microsoft Learn](security-config-management.md)

+- [Microsoft Defender for Endpoint Linux - Configuration and Operation Command List - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-defender-for-endpoint-linux-configuration-and/ba-p/1577902)

+- [Deploying Microsoft Defender for Endpoint on Linux Servers. - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/deploying-microsoft-defender-for-endpoint-on-linux-servers/ba-p/1560326)

+- [Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux | Microsoft Docs](linux-support-connectivity.md#run-the-connectivity-test)

+- [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux | Microsoft Docs](linux-support-perf.md#troubleshoot-performance-issues-using-microsoft-defender-for-endpoint-client-analyzer)

+>

+We've added additional checks for duplicate or overlapping investigations with the same clusters approved multiple times. If the same investigation cluster is already approved in the previous hour, new duplicate remediation will not be processed again. This behavior doesn't remove duplicate investigations or investigation evidence - it simply de-duplicates approved actions to improve remediation processing speed. For the duplicate approved cluster investigations, you won't see action details in the [action center](https://security.microsoft.com/action-center/history) side panel.

+> The default anti-malware policy applies to inbound and outbound email. Custom anti-malware policies apply to inbound email only.

+In EOP, messages that are found to contain malware in _any_ attachments are quarantined^\*. Whether the recipients can view or otherwise interact with the quarantined messages is controlled by _quarantine policies_. By default, messages that were quarantined due to malware can only be viewed and released by admins. Users can't release their own quarantined malware messages, regardless of any available settings that admins configure. For more information, see the following articles:

+^\* Malware filtering is skipped on SecOps mailboxes that are identified in the advanced delivery policy. For more information, see [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](advanced-delivery-policy-configure.md).

+ > The email address `<email address>` includes unexpected letters or numbers. We recommend you don't interact with this message.

+Select a policy by clicking anywhere in the row other than the check box next to the name to open the details flyout for the policy.

+ - **Intra-Organizational messages to take action on**: Controls whether spam filtering and the corresponding verdict actions are applied to internal messages (messages sent between users within the organization). The available values are:

+ - **Default**: This is the default value. This value is the same as selecting **High confidence phishing messages**.

+ - **None**

+ - **High confidence phishing messages**

+ - **Phishing and high confidence phishing messages**

+ - **All phishing and high confidence spam messages**

+ - **All phishing and spam messages**

+>

+>

+After you remove the Training campaign, it's no longer listed on the **Training** tab.

+> [Unified Auditing](/purview/audit-log-enable-disable) needs to be enabled for drift analysis.

+ - Disable the connector by selecting :::image type="icon" source="../../media/m365-cc-sc-disable-icon.png" border="false"::: **Disable** at the top of the flyout, and then select **Confirm** in the confirmation flyout that opens.

+> Messages that are identified as malware^\* or high confidence phishing are always quarantined, regardless of the safe sender list option that you use. For more information, see [Secure by default in Office 365](secure-by-default.md).

+>

+> ^\* Malware filtering is skipped on SecOps mailboxes that are identified in the advanced delivery policy. For more information, see [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](advanced-delivery-policy-configure.md).

+- URL top-level domain blocking is available in the **Tenant allow block list**. [Learn more](tenant-allow-block-list-urls-configure.md).

+- Ask the Microsoft 365 recipient to contact Microsoft Support and open a support ticket on your behalf. Typically, external senders can't open support tickets in Microsoft 365. But, there are legal reasons that might require Microsoft Support to communicate directly with owner of the blocked source IP address space.

+We're adding the ability to take multiple actions together. You can take email remediation actions, create submissions, tenant level block actions (block senders, domains, files, and URLs), investigative actions, and proposed remediation from the **same panel**. Actions are now contextual and grouped together depending on the **latest location of the email message**.

+> These enhancements bring the following benefits:

+>

+> - SecOps can now select multiple actions together in the single flow.

+In organizations with Microsoft Defender for Office 365, the usage card is available to help admins and Security Operations (SecOps) teams understand the usage of Defender for Office 365. Specifically, they can compare the active usage of Defender for Office 365 licenses vs the actual number of available licenses.

+> [!TIP]

+> The usage card is enabled for tenants with at least one paid Defender for Office 365 Plan 1 or Defender for Office 365 Plan 2 license.

+Usage cards can help determine the following scenarios:

+- The active usage of Exchange Online licenses and how many of those licenses are active usage of Microsoft Defender for Office 365.

+- A Breakdown of active usage across key Plan 1 and Plan 2 capabilities (Plan 1: protection and detection; Plan 2: SecOps capabilities).

+- The Number of active Plan 1 and Plan 2 licenses purchased.

+1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Reports** \> **Email & collaboration** section \> **Email & collaboration reports**. Or, to go directly to the **Email & collaboration reports and insights** page, use <https://security.microsoft.com/emailandcollabreport>.

+2. On the **Email & collaboration reports and insights** page, go to the **Email & collaboration insights** section, and find the **Defender for Office 365 usage** card.

+ :::image type="content" source="../../medio.png":::

+For members of **Global Administrator** or **Billing Administrator** roles in [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles), following items are available on the card:

+- **Add more licenses**

+- **See licensing details**

+These items aren't available for member of **Global Reader**, **Security Administrator**, **Security Operator**, or **Security Reader** roles.

+## Understand usage details

+On the **Defender for Office 365 usage** card, select **Show details**.

+The details flyout that opens contains the following information from the last 28 days:

+- The number of active users in the organization and the number of Plan 2 licenses.

+- **Configured prevention and detection** section:

+ - **Users with Office protection**: The number of active users of Safe Links or Safe Attachments for Office 365.

+ - **Users with email protection**: The number of active users of Safe Links or Safe Attachments for emails.

+ - **Users with Teams protection**: The number of active users of Safe Links for Teams.

+- **Security Operations capabilities** section: The number of active users for the following categories:

+ - **Users for whom manual and automated investigations were triggered**.

+ - **Users for whom remediations were triggered**.

+ - **Users targeted by phishing simulation training**.

+**Threat protection status report** takes you to the [Threat protection status report](reports-email-security.md#threat-protection-status-report).

+**See licensing details** is available for members of the **Global Administrators** or **Security Operator** roles in [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles).

+- **Defender for Office 365 active users**: The distinct user count with active usage of Microsoft Defender for Office 365 Plan 1 and/or Plan 2 licenses over a period of 28 days for a specific paid Microsoft Defender for Office 365 tenant.

+- **Other active users**: Active users without the Microsoft Defender for Office 365 active users.

+- **Users for whom manual and automated investigations were triggered**: Manual investigations triggered from Threat Explorer or auto investigations actions approved or rejected by SecOps in Incidents or in Action center.

+- **Users for whom remediations were triggered**: Manual remediations in Threat Explorer, Email entity, Advanced Hunting, Automation, or Action center.

+- **Users targeted by phishing simulation training**: Users who were targeted as part of simulations over past 28 days.

+### I have Defender for Office 365 Plan 1 or Plan 2 paid license. Why can I not see the usage card?

+If you have at least one Defender for Office 365 Plan 1 or Plan 2 license, but you're still unable to see the card because of one of the following reasons:

+If you see **Collecting license and usage data** status in your usage card, it means Microsoft is still collecting your current licensing and usage data. When it's available, you can see the full usage card and other details.

+### Why does it still show overage even though you don't have any Microsoft Defender for Office 365 Plan 2 license and no usage of SecOps capabilities?

+If you have overage across Microsoft Defender for Office 365 Plan 1 licenses offering protection and detection, you can remediate this overage by purchasing more Microsoft Defender for Office 365 Plan 1 licenses.

+You can use the information from message trace to efficiently answer user questions about what happened to messages, troubleshoot mail flow issues, and validate policy changes.

+ - Run the following command to determine whether the rules for the Standard and Strict preset security policies are currently enabled or disabled:

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/System settings/Read and manage** or **Authorization and settings/System settings/Read-only**.

+For information about where the Priority account tag and other user tags are available as filters, see [User tags in reports and features](user-tags-about.md#user-tags-in-reports-and-features).

+ - Malware detections by [anti-malware policies](anti-malware-policies-configure.md) and [Safe Attachments policies](safe-attachments-policies-configure.md), including [Built-in protection](preset-security-policies.md) for Safe Attachments^\*.

+^\* Malware filtering is skipped on SecOps mailboxes that are identified in the advanced delivery policy. For more information, see [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](advanced-delivery-policy-configure.md).

+When a potentially malicious chat message is detected in Microsoft Teams, zero-hour auto purge (ZAP) removes the message and quarantines it. Users can now view and manage these quarantined Teams messages in the Microsoft Defender portal. Quarantine notifications aren't supported for quarantined Teams messages.

+In the Microsoft Defender portal at https://security.microsoft.com, go to **Email & collaboration** > **Review** > **Quarantine** > **Teams messages** tab. Or, to go directly to the **Teams messages** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Teams>.

+- **Status**: Shows whether the message is already reviewed and released or needs review.

+ - **Sender address**

+> The PermissionToAllowSender permission in quarantine policies in PowerShell isn't used.

+- Horizontally scroll in your web browser.

+- Narrow the width of appropriate columns.

+- Zoom out in your web browser.

+- Horizontally scroll in your web browser.

+- Narrow the width of appropriate columns.

+- Zoom out in your web browser.

+ - Click in the box, wait for the list of users to resolve, and then select the user from the list below the box.

+ - Click in the box, start typing a value, and then select the user from the list below the box.

+The scheduled report entry is available on the **Managed schedules** page as described in the next subsection.

+ - Click in the box, wait for the list of users to resolve, and then select the user from the list below the box.

+ - Click in the box, start typing a value, and then select the user from the list below the box.

+The report creation task (and eventually the finished report) is available on the **Reports for download** page as described in the next subsection.

+- **Start date**

+- **Name**

+- **Report type**

+- **Last sent**

+- **Status**:

+ - **Pending**: The report is still being created, and it isn't available to download yet.

+ - **Complete - Ready for download**: Report generation is complete, and the report is available to download.

+ - **Complete - No results found**: Report generation is complete, but the report contains no data, so you can't download it.

+ - Select the user by clicking anywhere in the row other than the check box next to the name. In the details flyout that opens, verify the **Account** tab is selected, and then select **Manage roles** in the **Roles** section.

+1. Verify the contents of the **Sent items** folder of the account in Outlook or Outlook on the web.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.

+> Safe Links protection for Teams is supported in Teams desktop and web instances.

+4. Under the **Content sharing** heading, set **Who can present** to **Only organizers and co-organizers**.

+description: The steps to set up a weekly digest email of message center activity to stay up-to-date about changes to Microsoft Defender for Office 365.

+## Before you begin

+What you'll need before you get started.

+## Steps to set up a weekly digest mail of message center changes and notifications

+1. Log in to the **Admin Center** at <https://admin.microsoft.com>.

+1. A flyout appears on the right, select the **Email** tab.

+1. Make sure the email notification settings are as expected. You can select **Other e-mail addresses** if you want the digest to be sent to different users or a shared mailbox.

+> Try the [Defender for Office 365 setup guide](https://go.microsoft.com/fwlink/?linkid=2224785) for step-by-step instructions that are tenant-aware and customized to your organization's needs. This setup guide helps you implement anti-malware policies, anti-phishing policies, safe attachments, and more.

+ Title: Understanding overrides within the email entity page in Microsoft Defender for Office 365

+Within the Microsoft Defender for Office 365 *[email entity page](/microsoft-365/security/office-365-security/mdo-email-entity-page)*, there's a wealth of useful information about an email, including if applicable the **overrides** which affected that message, and potentially the location that the message was delivered or moved to post delivery.

+- **Outlook** section \> **Select an Outlook report button configuration** section \> **When the user reports an email** section:

+- No one ever specified a reporting mailbox on the **User reported settings** page (but remember, the global admin's Exchange Online mailbox is used by default).

+ - **Send reported messages to**: **Microsoft and my reporting mailbox** is selected: `-EnableReportToMicrosoft $true`, `-ReportJunkToCustomizedAddress $true`, `-ReportNotJunkToCustomizedAddress $true`, and `-ReportPhishToCustomizedAddress $true` are the default values, so you don't need to use those parameters.

+ [-MultiLanguagePreSubmitMessageButtonTextForJunk "Language1 Before Junk Info Button Text","Language2 Before Junk Info Button Text",..."Language7 Before Junk Info Button Text"] `

+ [-MultiLanguagePreSubmitMessageButtonLinkForJunk "Language1 Before Junk Info Button URL","Language2 Before Junk Info Button URL",..."Language7 Before Junk Info Button URL"]

+ - **Name and email**: Contains the name and address of the channel.

+ - Email messages from these senders are marked as *phishing* and then moved to quarantine.

+## Upcoming improvements to the threat hunting experience

+To view this report, in Explorer, select **All email** in the top navigation pane. This view shows emails identified as malicious due to phishing or malware, as well all other non-malicious emails like regular email, spam, and bulk mail.

+> [!NOTE]

+> If you get a **Too much data to display** error, add a filter and, if necessary, narrow the date range you're viewing.

+To apply a filter, select the filter dropdown, select an item in the list, and then select **Refresh**. You can view information by sender, sender's domain, recipients, subject, attachment filename, malware family, detection technology (how the malware was detected), and more.

+You can view more details about specific email messages, such as subject line, recipient, sender, status, and so on below the chart.

+Use this list to view data by sender, recipients, sender domain, subject, detection technology, and more.

+You can also use the **Top malware families** section to identify the malware families used most frequently to attack the users and the number of times it is used in last 30 days.

+Your list of viewing options include data by sender, recipients, sender domain, sender IP, URL domain, click verdict, and more.

+Below the chart, view more details about specific emails, **URL clicks**, **Top URLs**, **Top clicks**, and more.

+When you select an item in the list, such as a URL that was detected, a fly-out pane opens, where you can learn more about the item you selected.

+You can view information by recipient, detection technology (how the malware was detected), and workload (Email, Office, Teams).

+- **Users, groups, and domains** section: Select **Edit users, groups, and domains** to change who the evaluation or trial applies to as described earlier in [Set up an evaluation or trial in audit mode](#set-up-an-evaluation-or-trial-in-audit-mode).

+ - **Attachments in email**:

+ - **Spoofed senders**:

+ - **Detection** filters: **Spoof intra-org**, **Spoof external domain**, and **Spoof DMARC**.

+- **Custom tags**: The details flyout for a custom tag contains the same information as the **User tags** page, plus the list of users and groups that the tag applies to.

+For information about where the effects of priority account protection are visible, see [Review differentiated protection from priority account protection](priority-accounts-turn-on-priority-account-protection.md#review-differentiated-protection-from-priority-account-protection).

+> Microsoft 365 Backup (Preview) is now available worldwide in all commercial cloud environments. This preview feature is subject to change and [limitations as defined](backup-limitations.md). Before you begin, read the [Microsoft 365 Backup preview terms and conditions](backup-preview-terms.md).