+- **Multi-Geo** In a multi-geo environment, shared mailboxes need to be licensed the same way a user mailbox is licensed. Note that cross-geo mailbox auditing is not supported. For example, if a user is assigned permissions to access a shared mailbox in a different geo location, mailbox actions performed by that user are not logged in the mailbox audit log of the shared mailbox.

+>

+## Run the Unknown Charge Diagnostic

+As a Microsoft 365 Global admin, you can use a diagnostic tool that runs within the Microsoft 365 admin center to research unexpected charges from Microsoft that appear on your bank or credit card statement.

+> [!NOTE]

+> The Unknown Charge Diagnostic is only available for customers who bought their products and services from Microsoft.com, including Microsoft 365 Enterprise, Education, and Non-profit.

+Select the **Run Tests** link below to open the diagnostic tool in the Microsoft 365 admin center.

+>[!div class="nextstepaction"]

+>[Run Tests: Unknown Charge](https://aka.ms/PillarUnknownCharge)

+> In Preview - You can view the trainable classifiers in content explorer by expanding **Trainable Classifiers** in the filters panel. The trainable classifiers will automatically display the number of incidents found in SharePoint, Teams, and OneDrive, without requiring any labeling.

+- Microsoft Defender for Cloud Apps

+There is no built-in option to alert administrators. However, administrators can set up alerts using [Microsoft Defender for Cloud Apps](/cloud-app-security/getting-started-with-cloud-app-security#to-create-policies).

+- In a multi-geo environment, cross-geo mailbox auditing is not supported. For example, if a user is assigned permissions to access a shared mailbox in a different geo location, mailbox actions performed by that user are not logged in the mailbox audit log of the shared mailbox. Exchange admin audit events are currently only available for the default location.

+ Title: "How SMTP DNS-based Authentication of Named Entities (DANE) works to secure email communications"

+f1.keywords:

+- NOCSH

+audience: ITPro

+ms.localizationpriority: medium

+search.appverid:

+- MET150

+- M365-security-compliance

+description: "Learn how SMTP DNS-based Authentication of Named Entities (DANE) works to secure email communications between mail servers."

+# How SMTP DNS-based Authentication of Named Entities (DANE) works

+The SMTP protocol is the main protocol used to transfer messages between mail servers and is, by default, not secure. The Transport Layer Security (TLS) protocol was introduced years ago to support encrypted transmission of messages over SMTP. ItΓÇÖs commonly used opportunistically rather than as a requirement, leaving much email traffic in clear text, vulnerable to interception by nefarious actors. Furthermore, SMTP determines the IP addresses of destination servers through the public DNS infrastructure, which is susceptible to spoofing and Man-in-the-Middle (MITM) attacks. This has led to many new standards being created to increase security for sending and receiving email, one of those is DNS-based Authentication of Named Entities (DANE).

+

+DANE for SMTP [RFC 7672](https://tools.ietf.org/html/rfc7672) uses the presence of a Transport Layer Security Authentication (TLSA) record in a domain's DNS record set to signal a domain and its mail server(s) support DANE. If there is no TLSA record present, DNS resolution for mail flow will work as usual without any DANE checks being attempted. The TLSA record securely signals TLS support and publishes the DANE policy for the domain. So, sending mail servers can successfully authenticate legitimate receiving mail servers using SMTP DANE. This makes it resistant to downgrade and MITM attacks. DANE has direct dependencies on DNSSEC, which works by digitally signing records for DNS lookups using public key cryptography. DNSSEC checks occur on recursive DNS resolvers, the DNS servers that make DNS queries for clients. DNSSEC ensures that DNS records arenΓÇÖt tampered with and are authentic.

+Once the MX, A/AAAA and DNSSEC-related resource records for a domain are returned to the DNS recursive resolver as DNSSEC authentic, the sending mail server will ask for the TLSA record corresponding to the MX host entry or entries. If the TLSA record is present and proven authentic using another DNSSEC check, the DNS recursive resolver will return the TLSA record to the sending mail server.

+After receiving the authentic TLSA record, the sending mail server establishes an SMTP connection to the MX host associated with the authentic TLSA record. The sending mail server will try to set up TLS and compare the server's TLS certificate with the data in the TLSA record to validate that the destination mail server connected to the sender is the legitimate receiving mail server. The message will be transmitted (using TLS) if authentication succeeds. When authentication fails or if TLS isnΓÇÖt supported by the destination server, Exchange Online will retry the entire validation process beginning with a DNS query for the same destination domain again after 15 minutes, then 15 minutes after that, then every hour for the next 24 hours. If authentication continues to fail after 24 hours of retrying, the message will expire and an NDR with error details will be generated and sent to the sender.

+## What are the components of DANE?

+### TLSA Resource Record

+The TLS Authentication (TLSA) record is used to associate a serverΓÇÖs X.509 certificate or public key value with the domain name that contains the record. TLSA records can only be trusted if DNSSEC is enabled on your domain. If youΓÇÖre using a DNS provider to host your domain, this may be a setting offered when configuring a domain with them. To learn more about DNSSEC zone signing, visit this link: [Overview of DNSSEC | Microsoft Docs](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj200221(v=ws.11)).

+

+Example TLSA record:

+

+There are four configurable fields unique to the TLSA record type:

+**Certificate Usage Field**: Specifies how the sending email server should verify the destination email serverΓÇÖs certificate.

+|Value |Acronym |Description |

+||||

+|0¹ |PKIX-TA |Certificate used is the trust-anchor Public CA from the X.509 trust-chain. |

+|1¹ |PKIX-EE |Certificate checked is the destination server; DNSSEC checks must verify its authenticity. |

+|2 |DANE-TA |Use serverΓÇÖs private key from the X.509 tree that must be validated by a trust anchor in the chain of trust. The TLSA record specifies the trust anchor to be used for validating the TLS certificates for the domain. |

+|3 |DANE-EE |Only match against the destination serverΓÇÖs certificate. |

+¹ Exchange Online follows RFC implementation guidance that Certificate Usage Field values of 0 or 1 shouldnΓÇÖt be used when DANE is implemented with SMTP. When a TLSA record that has a Certificate Usage field value of 0 or 1 is returned to Exchange Online, Exchange Online will treat it as not usable. If all TLSA records are found unusable, Exchange Online wonΓÇÖt perform the DANE validation steps for 0 or 1 when sending the email. Instead, because of the presence of a TLSA record, Exchange Online will enforce the use of TLS for sending the email, sending the email if the destination email server supports TLS or dropping the email and generating an NDR if the destination email server doesnΓÇÖt support TLS.

+In the example TLSA record, the Certificate Usage Field is set to ‘3’, so the Certificate Association Data (‘abc123…xyz789’) would be matched against the destination server’s certificate only.

+**Selector field**: Indicates which parts of the destination serverΓÇÖs certificate should be checked.

+|Value |Acronym |Description |

+||||

+|0 |Cert |Use full certificate. |

+|1 |SPKI (Subject Public Key Info) |Use certificateΓÇÖs public key and the algorithm with which the public key is identified to use. |

+In the example TLSA record, the Selector Field is set to ΓÇÿ1ΓÇÖ so the Certificate Association Data would be matched using the destination server certificateΓÇÖs public key and the algorithm with which the public key is identified to use.

+**Matching Type Field**: Indicates the format the certificate will be represented in the TLSA record.

+|Value |Acronym |Description |

+||||

+|0 |Full |The data in the TSLA record is the full certificate or SPKI. |

+|1 |SHA-256 |The data in the TSLA record is a SHA-256 hash of either the certificate or the SPKI. |

+|2 |SHA-512 |The data in the TSLA record is a SHA-512 hash of either the certificate or the SPKI. |

+In the example of TLSA record, the Matching Type Field is set to ΓÇÿ1ΓÇÖ so the Certificate Association Data is a SHA-256 hash of the Subject Public Key Info from the destination server certificate

+**Certificate Association Data**: Specifies the certificate data that is used for matching against the destination server certificate. This data depends on the Selector Field value and the Matching Type Value.

+In the example of TLSA record, the Certificate Association data is set to ‘abc123…xyz789’. Since the Selector Field value in the example is set to '1’, it would reference the destination server certificate’s public key and the algorithm that is identified to be used with it. And since the Matching Type field value in the example is set to ‘1’, it would reference the SHA-256 hash of the Subject Public Key Info from the destination server certificate.

+## How can Exchange Online customers use SMTP DANE Outbound?

+As an Exchange Online customer, there isn't anything you need to do to configure this enhanced email security for your outbound email. This is something we have built for you and it is on by default for all Exchange Online customers and is used when the destination domain advertises support for DANE. To reap the benefits of sending email with DNSSEC and DANE checks, communicate to your business partners with whom you exchange email that they need to implement DNSSEC and DANE so they can receive email using these standards.

+## How can Exchange Online customers use SMTP DANE inbound?

+Currently, inbound SMTP DANE isnΓÇÖt supported for Exchange Online. Support is anticipated to be released at the end of 2022.

+## What is the recommended TLSA record configuration?

+Per RFC implementation guidance for SMTP DANE, a TLSA record composed of the Certificate Usage field set to 3, the Selector field set to 1, and the Matching Type field set to 1 is recommended.

+## Exchange Online Mail Flow with SMTP DANE

+The mail flow process for Exchange Online with SMTP DANE, shown in the flow chart below, validates domain and resource record security through DNSSEC, TLS support on the destination mail server, and that the destination mail serverΓÇÖs certificate matches what is expected based on its associated TLSA record.

+There are only two scenarios where an SMTP DANE failure will result in the email being blocked:

+- The destination domain signaled DNSSEC support but one or more records were returned as inauthentic.

+- All MX records for the destination domain have TLSA records and none of the destination serverΓÇÖs certificates match what was expected per the TSLA record data, or a TLS connection isnΓÇÖt supported by the destination server.

+## Related Technologies

+|Technology |Additional Information |

+|||

+|**Mail Transfer Agent ΓÇô Strict Transport Security (MTA-STS)** helps thwart downgrade and Man-in-the-Middle attacks by providing a mechanism for setting domain policies that specify whether the destination email server supports TLS and what to do when TLS canΓÇÖt be negotiated, for example stop the transmission. |More information about Exchange OnlineΓÇÖs upcoming support for inbound and outbound MTA-STS will be published later this year. [Exchange Online Transport News from Microsoft Ignite 2020 - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-transport-news-from-microsoft-ignite-2020/ba-p/1687699)<br /><br />[rfc8461 (ietf.org)](https://datatracker.ietf.org/doc/html/rfc8461) |

+|**Sender Policy Framework (SPF)** uses IP information to ensure that destination email systems trust messages sent from your custom domain. | [How Sender Policy Framework (SPF) prevents spoofing - Office 365 - Microsoft Docs](/microsoft-365/security/office-365-security/how-office-365-uses-spf-to-prevent-spoofing) |

+|**DomainKeys Identified Mail (DKIM)** uses X.509 certificate information to ensure that destination email systems trust messages sent outbound from your custom domain. | [How to use DKIM for email in your custom domain - Office 365 - Microsoft Docs](/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email) |

+|**Domain-based Message Authentication, Reporting, and Conformance (DMARC)** works with Sender Policy Framework and DomainKeys Identified Mail to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. | [Use DMARC to validate email, setup steps - Office 365 - Microsoft Docs](/microsoft-365/security/office-365-security/use-dmarc-to-validate-email) |

+## Troubleshooting Sending Emails with SMTP DANE

+Currently, there are four error codes for DANE when sending emails with Exchange Online. Microsoft is actively updating this error code list. The errors will be visible in:

+1. The Exchange Admin Center portal through the Message Trace Details view.

+2. NDRs generated when a message isnΓÇÖt sent due to a DANE or DNSSEC failure.

+3. Remote Connectivity Analyzer tool [Microsoft Remote Connectivity Analyzer](https://testconnectivity.microsoft.com/tests/o365).

+|NDR Code |Description |

+|||

+|5.7.321 |starttls-not-supported: Destination mail server must support TLS to receive mail. |

+|5.7.322 |certificate-expired: Destination mail server's certificate is expired. |

+|5.7.323 |tlsa-invalid: The domain failed DANE validation. |

+|5.7.324 |dnssec-invalid: Destination domain returned invalid DNSSEC records. |

+### Troubleshooting 5.7.321 starttls-not-supported

+This usually indicates an issue with the destination mail server. After receiving the message:

+1. Check that the destination email address was entered correctly.

+2. Alert the destination email administrator that you received this error code so they can determine if the destination server is configured correctly to receive messages using TLS.

+3. Retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.

+### Troubleshooting 5.7.322 certificate-expired

+A valid X.509 certificate that hasn't expired must be presented to the sending email server. X.509 certificates must be renewed after their expiration, commonly annually. After receiving the message:

+1. Alert the destination email administrator that you received this error code and provide the error code string.

+2. Allow time for the destination server certificate to be renewed and the TLSA record to be updated to reference the new certificate. Then, retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.

+### Troubleshooting 5.7.323 tlsa-invalid

+This error code is related to a TLSA record misconfiguration and can only be generated after a DNSSEC-authentic TLSA record has been returned. There are many scenarios during the DANE validation that occur after the record has been returned that can result in the code being generated. Microsoft is actively working on the scenarios that are covered by this error code, so that each scenario has a specific code. Currently, one or more of these scenarios could cause the generation of the error code:

+1. The destination mail server's certificate doesnΓÇÖt match with what is expected per the authentic TLSA record.

+2. Authentic TLSA record is misconfigured.

+3. The destination domain is being attacked.

+4. Any other DANE failure.

+After receiving the message:

+1. Alert the destination email administrator that you received this error code and provide them the error code string.

+2. Allow time for the destination email admin to review their DANE configuration and email server certificate validity. Then, retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.

+### Troubleshooting 5.7.324 dnssec-invalid

+This error code is generated when the destination domain indicated it was DNSSEC-authentic but Exchange Online wasnΓÇÖt able to verify it as DNSSEC-authentic.

+After receiving the message:

+1. Alert the destination email administrator that you received this error code and provide them the error code string.

+2. Allow time for the destination email admin to review their domainΓÇÖs DNSSEC configuration. Then, retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.

+## Troubleshooting Receiving Emails with SMTP DANE

+Currently, there are two methods an admin of a receiving domain can use to validate and troubleshoot their DNSSEC and DANE configuration to receive email from Exchange Online using these standards.

+1. Adopt SMTP TLS-RPT (Transport Layer Security Reporting) introduced in [RFC8460](https://datatracker.ietf.org/doc/html/rfc8460)

+2. Use the Remote Connectivity Analyzer tool [Microsoft Remote Connectivity Analyzer](https://testconnectivity.microsoft.com/tests/o365)

+TLS-RPT [https://datatracker.ietf.org/doc/html/rfc8460](https://datatracker.ietf.org/doc/html/rfc8460) is a reporting mechanism for senders to provide details to destination domain administrators about DANE and MTA-STS successes and failures with those respective destination domains. To receive TLS-RPT reports, you only need to add a TXT record in your domain's DNS records that includes the email address or URI you would like the reports to be sent to. Exchange Online will send TLS-RPT reports in JSON format.

+Example record:

+The second method is to use the Remote Connectivity Analyzer [Microsoft Remote Connectivity Analyzer](https://testconnectivity.microsoft.com/tests/o365), which can do the same DNSSEC and DANE checks against your DNS configuration that Exchange Online will do when sending email outside the service. This is the most direct way of troubleshooting errors in your configuration to receive email from Exchange Online using these standards.

+When troubleshooting, the below error codes may be generated:

+|NDR Code |Description |

+|||

+|4/5.7.321 |starttls-not-supported: Destination mail server must support TLS to receive mail. |

+|4/5.7.322 |certificate-expired: Destination mail server's certificate has expired. |

+|4/5.7.323 |tlsa-invalid: The domain failed DANE validation. |

+|4/5.7.324 |dnssec-invalid: Destination domain returned invalid DNSSEC records. |

+### Troubleshooting 5.7.321 starttls-not-supported

+> [!NOTE]

+> These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.

+This usually indicates an issue with the destination mail server. The mail server that the Remote Connectivity Analyzer is testing connecting with. There are generally two scenarios that generate this code:

+1. The destination mail server doesnΓÇÖt support secure communication at all, and plain, non-encrypted communication must be used.

+2. The destination server is configured improperly and ignores the STARTTLS command.

+

+After receiving the message:

+1. Check the email address.

+2. Locate the IP address that is associated with the error statement so you can identify the mail server the statement is associated with.

+3. Check your mail serverΓÇÖs setting to make sure itΓÇÖs configured to listen for SMTP traffic (commonly ports 25 and 587).

+4. Wait a few minutes, then retry the test with the Remote Connectivity Analyzer tool.

+5. If it still fails, then try removing the TLSA record and run the test with the Remote Connectivity Analyzer tool again.

+6. If there are no failures, this may indicate the mail server youΓÇÖre using to receive mail doesnΓÇÖt support STARTTLS and you may need to upgrade to one that does in order to use DANE.

+### Troubleshooting 5.7.322 certificate-expired

+> [!NOTE]

+> These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.

+A valid X.509 certificate that hasnΓÇÖt expired must be presented to the sending email server. X.509 certificates must be renewed after their expiration, commonly annually. After receiving the message:

+1. Check the IP that is associated with the error statement, so you can identify the mail server itΓÇÖs associated with. Locate the expired certificate on the email server you identified.

+2. Log in to your certificate provider's website.

+3. Select the expired certificate and follow the instructions to renew and to pay for the renewal.

+4. After your provider has verified the purchase, you may download a new certificate.

+5. Install the renewed certificate into its associated mail server.

+6. Update the mail serverΓÇÖs associated TLSA record with the new certificateΓÇÖs data.

+7. After waiting an appropriate amount of time, retry the test with the Remote Connectivity Analyzer tool.

+### Troubleshooting 5.7.323 tlsa-invalid

+> [!NOTE]

+> These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.

+This error code is related to a TLSA record misconfiguration and can only be generated after a DNSSEC-authentic TSLA record has been returned. But, there are many scenarios during the DANE validation that occur after the record has been returned that can result in the code being generated. Microsoft is actively working on the scenarios that are covered by this error code, so that each scenario has a specific code. Currently, one or more of these scenarios could cause the generation of the error code:

+1. Authentic TLSA record is misconfigured.

+2. The certificate isnΓÇÖt yet time valid/configured for a future time window.

+3. Destination domain is being attacked.

+4. Any other DANE failure.

+After receiving the message:

+1. Check the IP that is associated with the error statement to identify the mail server itΓÇÖs associated with.

+2. Identify the TLSA record that is associated with the identified mail server.

+3. Verify the configuration of the TLSA record to ensure that it signals the sender to perform the preferred DANE checks and that the correct certificate data has been included in the TLSA record.

+ 1. If you have to make any updates to the record for discrepancies, then wait a few minutes then rerun the test with the Remote Connectivity Analyzer tool.

+4. Locate the certificate on the identified mail server.

+5. Check the time window for which the certificate is valid. If itΓÇÖs set to start validity at a future date, it needs to be renewed for the current date.

+ 1. Log in to your certificate provider's website.

+ 2. Select the expired certificate and follow the instructions to renew and to pay for the renewal.

+ 3. After your provider has verified the purchase, you may download a new certificate.

+ 4. Install the renewed certificate into its associated mail server.

+### Troubleshooting 5.7.324 dnssec-invalid

+> [!NOTE]

+> These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.

+This error code is generated when the destination domain indicated itΓÇÖs DNSSEC-authentic but Exchange Online isnΓÇÖt able to verify it as DNSSEC-authentic. This section wonΓÇÖt be comprehensive for troubleshooting DNSSEC issues and focuses on scenarios where domains previously passed DNSSEC authentication but not now.

+After receiving the message:

+1. If youΓÇÖre using a DNS provider, for example GoDaddy, alert your DNS provider of the error so they can work on the troubleshooting and configuration change.

+2. If youΓÇÖre managing your own DNSSEC infrastructure, there are many DNSSEC misconfigurations that may generate this error message. Some common problems to check for if your zone was previously passing DNSSEC authentication:

+ 1. Broken trust chain, when the parent zone holds a set of DS records that point to something that doesnΓÇÖt exist in the child zone. This results in the child zone being marked as bogus by validating resolvers.

+ - Resolve by reviewing the child domains RRSIG key IDs and ensuring that they match with the key IDs in the DS records published in the parent zone.

+ 2. RRSIG resource record for the domain isnΓÇÖt time valid, it has either expired or its validity period hasnΓÇÖt begun.

+ - Resolve by generating new signatures for the domain using valid timespans.

+## Frequently Asked Questions

+### As an Exchange Online customer, can I opt out of using DNSSEC and/or DANE?

+We strongly believe DNSSEC and DANE will significantly increase the security position of our service and benefit all of our customers. WeΓÇÖve worked diligently over the last year to reduce the risk and severity of the potential impact this deployment might have for M365 customers. WeΓÇÖll be actively monitoring and tracking the deployment to ensure negative impact is minimized as it rolls out. Because of this, tenant-level exceptions or opt-out wonΓÇÖt be available.

+If you experience any issues related to the enablement of DNSSEC and/or DANE, the different methods for investigating failures noted in this document will help you identify the source of the error. In most cases, the issue will be with the external destination party and youΓÇÖll need to communicate to these business partners that they need to correctly configure DNSSEC and DANE in order to receive email from Exchange Online using these standards.

+### How does DNSSEC relate to DANE?

+DNSSEC adds a layer of trust into DNS resolution by leveraging the public key infrastructure to ensure the records returned in response to a DNS query are authentic. DANE ensures that the receiving mail server is the legitimate and expected mail server for the authentic MX record.

+### What is the difference between MTA-STS and DANE for SMTP?

+DANE and MTA-STS serve the same purpose, but DANE requires DNSSEC for DNS authentication while MTA-STS relies on certificate authorities.

+### Why isn't Opportunistic TLS sufficient?

+Opportunistic TLS will encrypt communication between two endpoints if both agree to support it. However, even if TLS encrypts the transmission, a domain could be spoofed during DNS resolution such that it points to a malicious actor's endpoint instead of the real endpoint for the domain. This is a gap in email security that is addressed by implementing MTA-STS and/or SMTP DANE with DNSSEC.

+### Why isn't DNSSEC sufficient?

+DNSSEC isnΓÇÖt fully resistant to Man-in-the-Middle attacks and downgrade (from TLS to clear text) attacks for mail flow scenarios. The addition of MTA-STS and DANE along with DNSSEC provides a comprehensive security method to thwart both MITM and downgrade attacks.

+## Additional Links

+[Find and fix issues after adding your domain or DNS records](/microsoft-365/admin/get-help-with-domains/find-and-fix-issues)

+[Overview of DNSSEC | Microsoft Docs ](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj200221(v=ws.11))

+[Use DMARC to validate email, setup steps - Office 365 | Microsoft Docs](/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)

+[How to use DKIM for email in your custom domain - Office 365 | Microsoft Docs](/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email)

+[How Sender Policy Framework (SPF) prevents spoofing - Office 365 | Microsoft Docs](/microsoft-365/security/office-365-security/how-office-365-uses-spf-to-prevent-spoofing)

+[Exchange Online Transport News from Microsoft Ignite 2020 - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-transport-news-from-microsoft-ignite-2020/ba-p/1687699)

+[rfc8461 (ietf.org)](https://datatracker.ietf.org/doc/html/rfc8461)

+description: "Learn how to create an In-Place Hold for a soft-deleted mailbox to make it inactive and preserve its contents."

+|[Audit label-related user activity](data-classification-activity-explorer.md) | Current Channel: 2011+ <br /><br> Monthly Enterprise Channel: 2011+ <br /><br> Semi-Annual Enterprise Channel: 2202+ | 16.51+ ^\* | 4.2126+ | 4.2126+ | Yes |

+ | Comment | body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['acComments'] |

+ "value": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['acComments']}"

+ "value": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['acComments']}"

+ 

+> [!NOTE]

+> Exchange admin audit events are only available for the default location.

+5. On the Register an application page, under Supported account types, select Accounts in any organizational directory (Any Azure AD directory - Multitenant). Then, under Redirect URI (optional), select Web and enter <https://office.com>. Lastly, select Register.

+13. In the Request API permissions windows, select APIs my organization uses, search for Office 365 Exchange Online, and select it.

+- In a multi-geo environment, cross-geo mailbox auditing is not supported. For example, if a user is assigned permissions to access a shared mailbox in a different geo location, mailbox actions performed by that user are not logged in the mailbox audit log of the shared mailbox. Exchange admin audit events are also only available for the default location. For more information, see [Manage mailbox auditing](../compliance/enable-mailbox-auditing.md).

+The [Microsoft Edge setup guide](https://aka.ms/edgeadvisoradmin) will help you configure Enterprise Site Discovery to see which sites accessed in your org might need to use IE mode, review and configure important security features, configure privacy policies and compliance policies to meet your org's requirements, and manage web access on your devices. You can download Microsoft Edge to individual devices, or we'll show you how to deploy to multiple users in your org with Group Policy, Configuration Manager, or Microsoft Intune.

+If you've already deployed Microsoft Edge and only want to configure IE mode, the [Configure IE mode for Microsoft Edge guide](https://aka.ms/configureiemodeadmin) will give you scripts to automate the configuration of Enterprise Site Discovery. You'll also get IE mode recommendations from a cloud-based tool that will help you create an Enterprise Mode Site List to deploy to your users.

+ Title: "Compare device compliance policy settings"

+f1.keywords: NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- M365-subscription-management

+- Adm_O365

+- AdminSurgePortfolio

+- M365-Lighthouse

+search.appverid: MET150

+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to compare device compliance policy settings."

+# Compare device compliance policy settings

+> [!NOTE]

+> The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).

+Microsoft 365 Lighthouse lets you view compliance policies across your tenants in a single view. You can drive security and standardization across your tenants by comparing policies. You can filter views to see settings that have been configured (versus settings that were left not configured), settings that differ in their configurations, or just the settings that match. You can also search for specific settings youΓÇÖre interested in and see how that compares among the policies.

+## Before you begin

+- Devices must have an Intune license and be enrolled in Microsoft Endpoint Manager (MEM).

+## Compare policy settings

+1. In the left navigation pane in Lighthouse, select **Devices**.

+2. Select the **Policies** tab.

+3. From the **Filters** drop-down list, select an operating system/platform.

+ > [!NOTE]

+ > You can only compare policies with the same operating system/platform.

+4. From the filtered list, select up to three policies you want to compare.

+5. Select **Compare**.

+You can filter the results to see **Settings that differ**, **Settings that match**, or **Configured settings**.

+## Configure a policy setting

+1. In the left navigation pane in Lighthouse, select **Devices**.

+2. Select the **Policies** tab.

+3. From the list, select a policy name.

+4. From the Policy details pane, select **View this policy in Microsoft Endpoint Manager**.

+5. In MEM, edit the policy settings as needed.

+## Next steps

+As you make policy adjustments, make sure you assess your changes against your current baseline settings. For more information, see [Overview of using baselines to deploy standard tenant configurations](m365-lighthouse-deploy-standard-tenant-configurations-overview.md).

+## Related content

+[What is device enrollment in Intune?](/mem/intune/enrollment/device-enrollment) (article)

+[Use compliance policies to set rules for devices you manage with Intune](/mem/intune/protect/device-compliance-get-started) (article)

+[Overview of using baselines to deploy standard tenant configurations](m365-lighthouse-deploy-standard-tenant-configurations-overview.md) (article)

+> If you would like to track the status of your Experts on Demand cases through Microsoft Services Hub, reach out to your Customer Success Account Manager.

+For information on how to fetch alerts using REST API, see [Fetch alerts from MSSP customer tenant](fetch-alerts-mssp.md).

+#### Enforcement level for antivirus engine

+Specifies the enforcement preference of antivirus engine. There are three values for setting enforcement level:

+- Real-time (`real_time`): Real-time protection (scan files as they are accessed) is enabled.

+- On-demand (`on_demand`): Files are scanned only on demand. In this:

+ - Real-time protection is turned off.

+- Passive (`passive`): Runs the antivirus engine in passive mode. In this:

+ - Real-time protection is turned off.

+ - On-demand scanning is turned on.

+ - Automatic threat remediation is turned off.

+ - Security intelligence updates are turned on.

+|**Key**|enforcementLevel|

+|**Data type**|String|

+|**Possible values**|real_time (default) <p> on_demand <p> passive|

+|**Comments**|Available in Defender for Endpoint version 101.10.72 or higher.|

+ "enforcementLevel":"real_time",

+ "enforcementLevel":"real_time",

+#### Enforcement level for antivirus engine

+Specifies the enforcement preference of antivirus engine. There are three values for setting enforcement level:

+- Real-time (`real_time`): Real-time protection (scan files as they are accessed) is enabled.

+- On-demand (`on_demand`): Files are scanned only on demand. In this:

+ - Real-time protection is turned off.

+- Passive (`passive`): Runs the antivirus engine in passive mode. In this:

+ - Real-time protection is turned off.

+ - On-demand scanning is turned on.

+ - Automatic threat remediation is turned off.

+ - Security intelligence updates are turned on.

+ - Status menu icon is hidden.

+|**Key**|enforcementLevel|

+|**Data type**|String|

+|**Possible values**|real_time (default) <p> on_demand <p> passive|

+|**Comments**|Available in Microsoft Defender for Endpoint version 101.10.72 or higher.|

+ <key>enforcementLevel</key>

+ <string>real_time</string>

+ <key>enforcementLevel</key>

+ <string>real_time</string>

+ <key>enforcementLevel</key>

+ <string>real_time</string>

+<?xml version="1.0" encoding="utf-8"?>

+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

+<plist version="1">

+ <dict>

+ <key>enforcementLevel</key>

+ <string>real_time</string>

+ </dict>

+</plist>

+- Added the ability to configure the antivirus functionality to run in [passive mode](mac-preferences.md#enforcement-level-for-antivirus-engine)

+When you enable security information and event management (SIEM) integration, it allows you to pull detections from Microsoft 365 Defender using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under your Azure Active Directory (Azure AD) tenant.

+> Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on Linux is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality to run in [Passive mode](linux-preferences.md#enforcement-level-for-antivirus-engine).

+- List of supported kernel versions

+ - Red Hat Enterprise Linux 6 and CentOS 6:

+ - For 6.7: 2.6.32-573.*

+ - For 6.8: 2.6.32-642.*

+ - For 6.9: 2.6.32-696.*

+ - For 6.10: 2.6.32.754.2.1.el6.x86_64 to 2.6.32-754.41.2:

+

+ |||||

+ |--|--|--|--|

+ |2.6.32-754.2.1.el6.x86_64|2.6.32-754.17.1.el6.x86_64|2.6.32-754.29.1.el6.x86_64|2.6.32-754.3.5.el6.x86_64|

+ |2.6.32-754.18.2.el6.x86_64|2.6.32-754.29.2.el6.x86_64|2.6.32-754.6.3.el6.x86_64|2.6.32-754.22.1.el6.x86_64|

+ |2.6.32-754.30.2.el6.x86_64|2.6.32-754.9.1.el6.x86_64|2.6.32-754.23.1.el6.x86_64|2.6.32-754.33.1.el6.x86_64|

+ |2.6.32-754.10.1.el6.x86_64|2.6.32-754.24.2.el6.x86_64|2.6.32-754.35.1.el6.x86_64|2.6.32-754.11.1.el6.x86_64|

+ |2.6.32-754.24.3.el6.x86_64|2.6.32-754.39.1.el6.x86_64|2.6.32-754.12.1.el6.x86_64|2.6.32-754.25.1.el6.x86_64|

+ |2.6.32-754.41.2.el6.x86_64|2.6.32-754.14.2.el6.x86_64|2.6.32-754.27.1.el6.x86_64|2.6.32-754.15.3.el6.x86_64|

+ |2.6.32-754.28.1.el6.x86_64|

+ > [!NOTE]

+ > After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that that are listed in this section are provided for technical upgrade support only.

+ - For rest of the supported distributions, minimum kernel version required is 3.10.0-327

+- Event provider mechanism

+ - Red Hat Enterprise Linux 6 and CentOS 6: `Talpa` kernel module based solution

+ - For rest of the supported distributions: `Fanotify`

+ - The `fanotify` kernel option must be enabled

+ > [!CAUTION]

+ > Running Defender for Endpoint on Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.

+> Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on Mac is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Mac EDR functionality after configuring the antivirus functionality to run in [Passive mode](mac-preferences.md#enforcement-level-for-antivirus-engine).

+> If you would like to track the status of your Experts on Demand cases through Microsoft Services Hub, reach out to your Customer Success Account Manager.

+Defender for Endpoint supports SIEM integration through various of methods. This can include specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management.

+ > The current SHA256 hash of 'XMDEClientAnalyzer.zip' that is downloaded from the above link is: '34C0DA20A6B38A16951394958991CD74EF7E07EB1DE06923547B351665A32DF6'.

+You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).

+ - **Security Administrator** or **Security Reader** in the [Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).

+> [!NOTE]

+> The emails from these senders will be blocked as *spam*.

+> [!NOTE]

+> The emails containing these URLs will be blocked as *phish*.

+> [!NOTE]

+> The emails containing these files will be blocked as *malware*.