Updates from: 01/27/2024 04:40:05
Category Microsoft Docs article Related commit history on GitHub Change details
microsoft-365-copilot-requirements Microsoft 365 Copilot Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-requirements.md
You can use the [Microsoft Teams setup guide](https://admin.microsoft.com/Adminp
To enable Copilot in Teams to reference meeting content after the meeting has ended, transcription or meeting recording must be enabled. To learn more about configuring transcription and recording, see [Configure transcription and captions for Teams meetings](/microsoftteams/meeting-transcription-captions) and [Teams meeting recording](/microsoftteams/meeting-recording).
+### Microsoft Teams Phone
+
+Copilot in [Teams Phone](/microsoftteams/what-is-phone-system-in-office-365) supports both voice over Internet Protocol (VOIP) and public switched telephone network (PSTN) calls. For support across VoIP calls, you'll need a Microsoft Copilot for Microsoft 365 license. To use Copilot for PSTN calls, you'll need a Teams Phone license and a calling plan in addition to the Microsoft Copilot for Microsoft 365 license.
+
+To enable Copilot in Teams Phone, you need to turn on transcription or recording. For VoIP callers, all participants see a notification that the call is being transcribed or recorded. For PSTN callers, all participants will hear an announcement that the call is being recorded.
+ ### Microsoft Loop To use Microsoft Copilot for Microsoft 365 with Microsoft Loop, you must have Loop enabled for your tenant. This can be done in the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home#/Settings/Services/:/Settings/L1/Loop) or the [Microsoft 365 Apps admin center](https://config.office.com) under **Customization** \| **Policy Management**. For more information, see [Manage Loop workspaces in Syntex repository services](/microsoft-365/loop/loop-workspaces-configuration) and [Learn how to enable the Microsoft Loop app, now in Public Preview](https://techcommunity.microsoft.com/t5/microsoft-365-blog/learn-how-to-enable-the-microsoft-loop-app-now-in-public-preview/ba-p/3769013).
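Review bot: the added Teams Phone paragraph spells the acronym two ways in one sentence, "voice over Internet Protocol (VOIP)" and then "VoIP calls"; use "VoIP" throughout, matching how "PSTN" is handled. The last added line runs the "### Microsoft Loop" heading together with its paragraph on a single line; put the heading on its own line with a blank line after it, as the "### Microsoft Teams Phone" heading above it is laid out, or it will not render as a heading. The sentence on notices also shifts tense between "all participants see a notification" for VoIP and "all participants will hear an announcement" for PSTN; use the same tense for both.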
threat-intelligence Learn How To Access Microsoft Defender Threat Intelligence And Make Customizations In Your Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal.md
Last updated 08/02/2022 + # Quickstart: Learn how to access Microsoft Defender Threat Intelligence and make customizations in your portal
threat-intelligence What Is Microsoft Defender Threat Intelligence Defender Ti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti.md
+ Last updated 08/02/2022
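Review bot: the "Last updated 08/02/2022" metadata being added to the Defender TI overview, and kept above the new "Quickstart:" title in the access article, predates this change by well over a year. If the field is meant to reflect the current edit it should carry the current date; if the old date is kept on purpose, say so in the commit.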
admin Microsoft Teams Apps Usage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-teams-apps-usage.md
Title: "Microsoft 365 admin center Teams app usage reports"
Previously updated : 05/16/2022 Last updated : 1/25/2024 audience: Admin
description: "Learn how to get the Microsoft Teams app usage report and gain ins
# Microsoft 365 Reports in the admin center - Microsoft Teams apps usage reports
-The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md). In the **Microsoft Teams app usage report**, you can gain insights into the Teams apps activity in your organization. This article explains how to access the report and view and interpret the various metrics within the report.
+The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview article](activity-reports.md). In the **Microsoft Teams app usage report**, you can gain insights into the Teams apps activity in your organization. This article explains how to access the report and view and interpret the various metrics within the report.
You can use this report to understand who is installing/using apps, and deep dive on a per-app and per-user level.
The Teams app usage report is available in the Microsoft 365 admin center and th
**User activity** - This report helps you answer: -- How many users in your environment have installed at least one app?-- How many users in your environment have used at least one app?
+- How many users in your environment installed at least one app?
+- How many users in your environment used at least one app?
- How many users are using an app across platforms (Windows, Mac, Web, etc.)? - How many apps has each user used? ## How to get to the Microsoft Teams apps usage report 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. From the dashboard homepage, click on the **View more** button on the Microsoft Teams apps activity card.
+2. From the dashboard homepage, select on the **View more** button on the Microsoft Teams apps activity card.
:::image type="content" source="../../media/teams-apps-tile.png" alt-text="Microsoft Teams app."::: ## Considerations -- Usage/installs data for a newly published app can take about five days to show up in the report. Data for a given day will show up within 48 hours. For example, data for January 10th should show up in the report by around January 12th.
+- Usage/installs data for a newly published app can take about five days to show up in the report. Data for a given day shows up within 48 hours. For example, data for January 10 should show up in the report by around January 12.
-- The start date for all installs metrics is October 2021. Only apps installed after that date will be counted.
+- The start date for all installs metrics is October 2021. Only apps installed after that date are counted.
-- App IDs in this report are the External (manifest) App IDs. For more information on how to tie this ID to an app in the Manage Apps experience in Teams Admin Center, see [Manage app setup policies in Microsoft Teams](/microsoftteams/teams-app-setup-policies#install-apps.md).
+- App IDs in this report are the External (manifest) App IDs. For more information on how to tie this ID to an app in the Manage Apps experience in Teams Admin Center, see [Manage app setup policies in Microsoft Teams](/microsoftteams/teams-app-setup-policies#install-apps).
- You can export the report data into an Excel .csv file by selecting the Export link. This exports data for all users/apps and enables you to do simple sorting and filtering for further analysis.
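Review bot: step 2 of the procedure now reads "select on the **View more** button" after the click-to-select substitution; drop "on" so it reads "select the **View more** button". The Considerations edits (removing "will", "January 10th" to "January 10", and the stray ".md" inside the teams-app-setup-policies anchor) are correct as written.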
You can view the **App usage** in the Teams app usage report by choosing the **A
:::image type="content" source="../../media/teams-apps-usage-tab.png" alt-text="Teams user activity." lightbox="../../media/teams-apps-usage-tab.png":::
-On the top of the report, you'll see three charts describing cross-app trends across your organization.
+On the top of the report, three charts describe cross-app trends across your organization.
- Apps installed - Apps used
You can filter all charts by the time range picker in the top right.
### Apps installed
-This chart shows you the total number of app installs across your organization up to each date within the selected period. For example ΓÇô if you select January 28th 2022, the chart will show you the total number of installs from October 2021 up to January 28th 2022.
+This chart shows you the total number of app installs across your organization up to each date within the selected period. For example ΓÇô if you select January 28, 2022, the chart will show you the total number of installs from October 2021 up to January 28, 2022.
:::image type="content" source="../../media/apps-installed.png" alt-text="Microsoft Teams apps installed."::: ### Apps used
-This chart shows you the number of apps used across your organization on each date within the selected period. For example ΓÇô if you select January 28th, the chart will show you the total number of apps used on January 28th.
+This chart shows you the number of apps used across your organization on each date within the selected period. For example ΓÇô if you select January 28, the chart will show you the total number of apps used on January 28.
:::image type="content" source="../../media/apps-used.png" alt-text="Microsoft Teams Apps used.":::
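Review bot: both rewritten chart paragraphs (Apps installed and Apps used) carry the mojibake sequence "ΓÇô" where an en dash was intended ("For example ΓÇô if you select January 28"); since these lines are being edited anyway, replace it with a comma ("For example, if you select January 28, 2022, the chart ..."). The change from "28th" to "28," matches the date style adopted in the Considerations section.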
This table shows you per-app view with the following metrics for each app. A sub
|Last used date|The date when that app was last used by anyone in your organization.|Yes| |Teams using this app|The number of distinct Teams teams that have at least one user using this app.|Yes| |Users using this app|The number of distinct users in your organization that are using this app.|Yes|
-|Used on Windows| This indicates whether that app has been used on Windows by at least one user in your organization.|Yes|
-|Used on Mobile|This indicates whether that app has been used on Mobile by at least one user in your organization.|Yes|
-|Used on Web| This indicates whether that app has been used on Web by at least one user in your organization.|Yes|
+|Used on Windows| This value indicates whether that app was on Windows by at least one user in your organization.|Yes|
+|Used on Mobile|This value indicates whether that app was on Mobile by at least one user in your organization.|Yes|
+|Used on Web| This value indicates whether that app was used on Web by at least one user in your organization.|Yes|
|Used on Mac|The number of ad hoc meetings a user organized during the specified time period.|No| |App name|The Name of this application as present in the app manifest.|No|
-|Publisher|The publisher of this application as present in the app manifest. This is only available for apps published to the global Store.|No|
+|Publisher|The publisher of this application as present in the app manifest. This metric is only available for apps published to the global Store.|No|
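Review bot: the rewritten "Used on Windows" and "Used on Mobile" rows lost their verb: "whether that app was on Windows by at least one user" should read "whether that app was used on Windows", as the "Used on Web" row in the same change does. While in this table, the unchanged "Used on Mac" row describes "the number of ad hoc meetings a user organized during the specified time period", which is pasted from a different report; it should state whether the app was used on Mac by at least one user, consistent with the other platform rows.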
## Exploring the report - Teams apps usage user activity tab
You can view the **user activity** in the Teams app usage report by choosing the
:::image type="content" source="../../media/teams-apps-user-activity.png" alt-text="Microsoft Teams user activity." lightbox="../../media/teams-apps-user-activity.png":::
-On the top of the report, you will see three charts describing cross-app trends across your organization.
+On the top of the report, three charts describe cross-app trends across your organization.
- Users who have installed apps - User who have used apps
You can filter all charts by the time range picker in the top right.
### Users who have installed apps
-This chart shows you the total number of unique users that have installed an app up to each date within the selected period. For example ΓÇô if you select January 28th 2022 the chart will show you the total number of users from October 2021 up to January 28th 2022.
+This chart shows you the total number of unique users that have installed an app up to each date within the selected period. For example ΓÇô if you select January 28, 2022 the chart will show you the total number of users from October 2021 up to January 28, 2022.
:::image type="content" source="../../media/users-who-installed-apps.png" alt-text="Microsoft Teams apps Users who have installed apps chart."::: ### User who have used apps
-This chart shows you the number of unique users that have used any app on each date within the selected period. For example ΓÇô if you select January 28th, the chart will show you the total number of users on January 28th.
+This chart shows you the number of unique users that have used any app on each date within the selected period. For example ΓÇô if you select January 28, the chart will show you the total number of users on January 28.
:::image type="content" source="../../media/users-who-used-apps.png" alt-text="Microsoft Teams apps Users who have used apps chart.":::
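Review bot: the "User who have used apps" heading and the matching bullet in this section should be "Users who have used apps" to agree with the plural verb and with the chart description ("the number of unique users"). The rewritten paragraphs here repeat the "ΓÇô" mojibake in "For example ΓÇô if you select January 28"; replace it with a comma in the same way as the app-usage chart text.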
This table shows you per-user view with the following metrics for each app. A su
|User name|The User name for a unique user. Value is concealed by default.|Yes| |Apps installed|The number of unique apps (across Store and custom) that the user has installed.|Yes| |Apps used|The number of unique apps (across Store and custom) that the user has opened and/or used.|Yes|
-|Apps used in a Team|The number of unique apps (across Store and custom) that the user has opened and/or used in a Teams Team.|Yes|
-|Used on Windows| This indicates whether that user has used any app on Windows.|Yes|
-|Used on Mobile|This indicates whether that user has used any app on Mobile (iOS or Android).|Yes|
-|Used on Web| This indicates whether that user has used any app on Web.|Yes|
-|Used on Mac|This indicates whether that user has used any app on Mac.|No|
+|Apps used in a Team|The number of unique apps (across Store and custom) that the user has opened and/or used in a team in Microsoft Teams.|Yes|
+|Used on Windows|This value indicates whether that user used any app on Windows.|Yes|
+|Used on Mobile|This value indicates whether that user used any app on Mobile (iOS or Android).|Yes|
+|Used on Web|This value indicates whether that user used any app on Web.|Yes|
+|Used on Mac|This value indicates whether that user used any app on Mac.|No|
## Managing apps in the Teams Admin Center For more information about how to manage your Teams apps, please refer to [About apps in Microsoft Teams](/microsoftteams/deploy-apps-microsoft-teams-landing-page).
-To link an app in this report to the Manage Apps experience in Teams Admin Center, you can use the following:
+To link an app in this report to the Manage Apps experience in Teams Admin Center, you can use the following items:
- App Name - External App ID
admin About Admin Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-admin-roles.md
You'll probably only need to assign the following roles in your organization. By
|Fabric admin | Assign the Fabric admin role to users who need to do the following: <br> - Manage all admin features for Microsoft Fabric and Power BI <br> - Report on usage and performance <br> - Review and manage auditing | |Global admin | Assign the Global admin role to users who need global access to most management features and data across Microsoft online services. <br><br> Giving too many users global access is a security risk and we recommend that you have between two and four Global admins. <br><br> Only global admins can:<br> - Reset passwords for all users <br> - Add and manage domains <br> - Unblock another global admin <br> <br> **Note:** The person who signed up for Microsoft online services automatically becomes a Global admin. | |Global reader | Assign the global reader role to users who need to view admin features and settings in admin centers that the global admin can view. The global reader admin can't edit any settings. |
-|Groups admin | Assign the groups admin role to users who need to manage all groups settings across admin centers, including the Microsoft 365 admin center and Microsoft Entra admin center. <br><br> Groups admins can:<br> - Create, edit, delete, and restore Microsoft 365 groups <br> - Create and update group creation, expiration, and naming policies <br> - Create, edit, delete, and restore Microsoft Entra security groups|
+|Groups admin | Assign the groups admin role to users who need to manage all groups settings across admin centers, including the Microsoft 365 admin center and Microsoft Entra admin center. <br><br> Groups admins can:<br> - Create, edit, delete, and restore Microsoft 365 groups <br> - Create and update group creation, expiration, and naming policies <br> - Create, edit, delete, and restore Microsoft Entra security groups|
|Helpdesk admin | Assign the Helpdesk admin role to users who need to do the following:<br> - Reset passwords <br> - Force users to sign out <br> - Manage service requests <br> - Monitor service health <br> <br> **Note**: The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader. | |License admin | Assign the License admin role to users who need to assign and remove licenses from users and edit their usage location. <br/><br/> License admins also can: <br> - Reprocess license assignments for group-based licensing <br> - Assign product licenses to groups for group-based licensing | |Message center privacy reader | Assign the Message center privacy reader role to users who need to read privacy and security messages and updates in the Microsoft 365 Message center. Message center privacy readers may get email notifications related to data privacy, depending on their preferences, and they can unsubscribe using Message center preferences. Only global administrators and Message center privacy readers can read data privacy messages. This role has no permission to view, create, or manage service requests. <br><br>Message center privacy readers can also: <br> - Monitor all notifications in the Message Center, including data privacy messages <br> - View groups, domains, and subscriptions | |Message center reader | Assign the Message center reader role to users who need to do the following: <br> - Monitor message center notifications <br> - Get weekly email digests of message center posts and updates <br> - Share message center posts <br> - Have read-only access to Microsoft Entra services, such as users and groups|
+|Migration admin | Assign the Microsoft 365 Migration Administrator role to users who need to do the following tasks: <br> - Use Migration Manager in the Microsoft 365 admin center to manage content migration to Microsoft 365, including Teams, OneDrive for Business, and SharePoint sites, from various sources such as Google Drive, Dropbox, and Box. <br> - Select migration sources, create migration inventories (such as Google Drive user lists), schedule and execute migrations, and download reports. <br> - Create new SharePoint sites if the destination sites don't already exist, create SharePoint lists under the SharePoint admin sites, and create and update items in SharePoint lists. <br> - Manage migration project settings and migration lifecycle for tasks as well as manage permission mappings from source to destination. <br> **Note:** With this role, you can only migrate from Google Drive, Box, Dropbox and Egnyte. This role doesn't allow you to migrate from file share sources from the SharePoint admin center. Use either SharePoint admin or a Global admin to migrate from file share sources.|
|Office Apps admin | Assign the Office Apps admin role to users who need to do the following: <br> - Use the Cloud Policy service for Microsoft 365 to create and manage cloud-based policies. <br> - Create and manage service requests <br> - Manage the What's New content that users see in their Microsoft 365 apps <br> - Monitor service health | |Organizational Message Writer | Assign the Organizational Message Writer role to users who need to write, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces. | |Password admin | Assign the Password admin role to a user who needs to reset passwords for non-administrators and Password Administrators. |
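Review bot: the Groups admin row is removed and re-added with identical visible text, so this is a whitespace-only change; fine, but confirm nothing else was intended there. In the new Migration admin row, the first bullet lists sources "such as Google Drive, Dropbox, and Box" while the note at the end of the same cell says "you can only migrate from Google Drive, Box, Dropbox and Egnyte"; add Egnyte to the first list so the two agree, and put a "<br><br>" before "**Note:**" as the Global admin and Helpdesk admin rows do so the note is set off from the bullets.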
admin Manage Device Access Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/manage-device-access-settings.md
The information is exported to your Windows Desktop as a CSV file. You can use a
[Get-MgUser](/powershell/module/microsoft.graph.users/get-mguser)
-[Get-MgDevice](/powershell/module/microsoft.graph.users/get-mgdevice)
+[Get-MgDevice](/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdevice)
[Get-MgUserOwnedDevice](/powershell/module/microsoft.graph.users/get-mguserowneddevice)
admin Office Addins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/office-addins.md
Managing how users can install and use Office add-ins means that you decide who
> [!NOTE] > This setting does not impact any deployed Office add-ins on Outlook. You can continue to deploy Office add-ins on Outlook to users in your organization, even if the above setting is turned off.
-Microsoft is now partnering with leading developers to create unified apps that work across Outlook, Word, Excel, PowerPoint, Teams and the Microsoft 365 App (formerly known as Office.com). Any settings made for Office Add-ins will continue to be honored as long as they stay as add-ins. When Office add-ins upgrade to work across different Microsoft applications, you can learn to manage them from here. For more information, see [Controls for managing Teams apps that work on Outlook and Microsoft 365](/manage/teams-apps-work-on-outlook-and-m365#controls-for-managing-teams-apps-that-work-on-outlook-and-the-microsoft-365-app).
-
+Microsoft is now partnering with leading developers to create unified apps that work across Outlook, Word, Excel, PowerPoint, Teams and the Microsoft 365 App (formerly known as Office.com). Any settings made for Office Add-ins will continue to be honored as long as they stay as add-ins. When Office add-ins upgrade to work across different Microsoft applications, you can learn to manage them from here. For more information, see [Controls for managing Teams apps that work on Outlook and Microsoft 365](/microsoft-365/admin/manage/teams-apps-work-on-outlook-and-m365#controls-for-managing-teams-apps-that-work-on-outlook-and-the-microsoft-365-app).
## Upload Custom Office Add-ins in your organization
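Review bot: the corrected link now uses the full "/microsoft-365/admin/manage/..." path, which is the point of this change and is consistent with the other cross-article links on this page. While the sentence is being touched, it still mixes "Office Add-ins" and "Office add-ins" within consecutive sentences; the body text elsewhere uses "Office add-ins", so use that here too.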
admin Release Options In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/release-options-in-office-365.md
Any new release is first tested and validated by the feature team, then by the e
For significant updates, customers are initially notified by the [Microsoft 365 Roadmap](https://products.office.com/business/office-365-roadmap). As an update gets closer to rolling out, it is communicated through your [Microsoft 365 Message center](https://admin.microsoft.com/Adminportal/Home?source=applauncher#/MessageCenter). > [!NOTE]
-> You need a Microsoft 365 or Microsoft Entra account to access your Message center through the [admin center](/office365/admin/admin-overview/admin-center-overview). Microsoft 365 home plan users don't have an admin center.
+> You need a Microsoft 365 or Microsoft Entra account to access your Message center through the [admin center](../admin-overview/admin-center-overview.md). Microsoft 365 home plan users don't have an admin center.
## Standard release
admin Migrate Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/moveto-microsoft-365/migrate-email.md
It is recommended that you [get help from Microsoft](/microsoft-365/admin/get-he
If you are a VSB (very small business) where you have a small number of users, you should migrate your email using a different method, such as [importing to Outlook through a PST file](https://support.microsoft.com/office/import-gmail-to-outlook-20fdb8f2-fed8-4b14-baf0-bf04b9c44bf7). -- ## Prerequisites for automated batch migration from Google Workspace
-Check out this video and others on our [YouTube channel](https://go.microsoft.com/fwlink/?linkid=2198034).
->
+Check out this video and others on our [YouTube channel](https://go.microsoft.com/fwlink/p/?linkid=2198034).
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RW10Wot?autoplay=false]
-To successfully use the automated batch migration tool, it is important to correctly complete all of the prerequisite tasks. For more detailed information, see [Google Workspace migration prerequisites](/exchange/mailbox-migration/googleworkspace-migration-prerequisites).
+To successfully use the automated batch migration tool, it is important to correctly complete all of the prerequisite tasks. For more detailed information, see [Google Workspace migration prerequisites](/exchange/mailbox-migration/google-workspace-migration-prerequisites).
These tasks include:+ - Creating a subdomain to correctly route email to users who have been migrated to Microsoft 365. - Creating a subdomain to correctly route email from users you have migrated to Microsoft 365 back to users in your Google Workspace environment. - Adding all mail user accounts to Microsoft 365 for users you are migrating.
These tasks include:
### Create a subdomain for email going to Microsoft 365 1. Return to the **Google Workspace admin** console.
-1. Select **Add a domain**.
-1. Enter a domain name for your subdomain, such as *m365.contoso.com*.
-1. Select **User alias domain**, select **Add domain and start verification**, and then select **Continue**. Follow the instructions to verify domain ownership.
+2. Select **Add a domain**.
+3. Enter a domain name for your subdomain, such as *m365.contoso.com*.
+4. Select **User alias domain**, select **Add domain and start verification**, and then select **Continue**. Follow the instructions to verify domain ownership.
Domain verification usually takes just a few minutes, but it can take up to 48 hours.
-1. Go to the **Microsoft 365 admin center**.
-6. In the Microsoft 365 admin center, in the left nav, select **Show all**, select **Settings**, select **Domains**, and then **Add domain**.
+5. Go to the **Microsoft 365 admin center**.
+6. In the Microsoft 365 admin center, in the left nav, select **Show all**, select **Settings**, select **Domains**, and then **Add domain**.
7. Enter the subdomain you previously created, then select **Use this domain**. 8. To connect the domain, select **Continue**. 9. Select **Add DNS records**. Depending on your domain host provider, Microsoft 365 will try to update your DNS records for the domain.
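Review bot: renumbering the steps as 2., 3., 4., then 5. fixes the list, but the unindented "Domain verification usually takes just a few minutes, but it can take up to 48 hours." line between step 4 and step 5 will end the ordered list in Markdown, so step 5 renders as a new list (or as a literal "5."); indent that line so it stays inside step 4. "These tasks include:" appears twice in a row here, the first with a trailing "+"; if that is not an artifact of the diff rendering, drop the duplicate. The fwlink fix to "/p/?linkid=2198034" matches the other fwlinks on this page, and the prerequisite-article slug change to "google-workspace-migration-prerequisites" follows the hyphenated slug style used by the rest of the docs.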
bookings Custom Domain Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/custom-domain-support.md
description: "Learn how to configure custom domain support in Microsoft Bookings
# Custom domain support in Bookings
-Microsoft allows organizations to own more than one domain. The default domain is onmicrosoft.com. You can read more about domains and how to create them at [Add a domain to Microsoft 365](/admin/setup/add-domain.md).
+Microsoft allows organizations to own more than one domain. The default domain is onmicrosoft.com. You can read more about domains and how to create them at [Add a domain to Microsoft 365](/microsoft-365/admin/setup/add-domain).
You can specify which domain will be used from the domain list for Bookings using [OWA mailbox policy](/powershell/module/exchange/set-owamailboxpolicy?view=exchange-ps&preserve-view=true). Once the default domain policy is configured and deployed, any new booking calendars created will have the configured domain in the SMTP address.
business-premium M365bp Security Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-security-overview.md
- m365solution-smb - m365-security - tier1-- essentials-accountability
+- essentials-security
- MiniMaven search.appverid:
business-premium M365bp Security Privacy Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-security-privacy-compliance.md
Last updated 1/22/2024
ms.localizationpriority: medium f1.keywords: NOCSH-+
+ - essentials-security
+ - essentials-privacy
+ - essentials-compliance
business-premium M365bp Threats Detected Defender Av https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-threats-detected-defender-av.md
To learn more about different threats, visit the <a href="https://www.microsoft.
## Related content
-[Secure Windows devices](/misc/m365bp-secure-windows-devices) (article)\
+[Secure managed and unmanaged devices](m365bp-managed-unmanaged-devices.md) (article)\
[Evaluate Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus) (article)\ [How to turn on real-time and cloud-delivered antivirus protection](/mem/intune/user-help/turn-on-defender-windows#turn-on-real-time-and-cloud-delivered-protection) (article)\ [How to turn on and use Microsoft Defender Antivirus from the Windows Security app](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus) (article)\
business-premium Secure Your Business Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/secure-your-business-data.md
- m365-security - tier2 - ContentEnagagementFY23-- essentials-accountability
+- essentials-security
search.appverid: - BCS160 - MET150
commerce Buy Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/buy-licenses.md
- adminvideo search.appverid: MET150 description: "Learn how to buy more licenses or reduce the number of licenses for your business subscription in the Microsoft 365 admin center." Previously updated : 10/17/2023 Last updated : 01/26/2024 # Buy or remove licenses for a Microsoft business subscription
As an admin, you can add or remove licenses for your business subscriptions in t
- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a Billing account owner or contributor, or a Billing profile owner or contributor to do the tasks in this article. - If you have a Microsoft Online Subscription Agreement (MOSA) billing account type, you must be a Global or Billing admin to complete the tasks in this article. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md). - You can [add users and assign licenses at the same time](../../admin/add-users/add-users.md).-- If you bought your Microsoft 365 for business or Office 365 Enterprise plan through a third-party partner, you must buy additional licenses through that partner.
+- If you bought your subscription through a Microsoft representative, contact them directly for help with increasing or reducing your license count.
+- You can't reduce the number of licenses for your subscription if all licenses are currently assigned to users. To reduce the number of licenses, first [unassign one or more licenses from users](../../admin/manage/assign-licenses-to-users.md), then remove the licenses from the subscription.
> [!NOTE] > If you're the person who signed up for the subscription, you're automatically a Billing account owner or Global admin.
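Review bot: the removed bullet about subscriptions bought through a third-party partner ("you must buy additional licenses through that partner") has no replacement; the new bullet only covers purchases through a Microsoft representative. If partner-purchased subscriptions still have to go through the partner, keep that bullet alongside the new one. Moving the all-licenses-assigned and Microsoft-representative notes up into this list is fine, and the new wording "increasing or reducing your license count" is clearer than the old "reducing" alone.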
-## Buy or remove licenses for your business subscription
+## Buy or remove licenses if you have an MCA billing account type
[Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts).
-> [!NOTE]
->
-> - You can't reduce the number of licenses for your subscription if all licenses are currently assigned to users. To reduce the number of licenses, first [unassign one or more licenses from users](../../admin/manage/assign-licenses-to-users.md), then remove the licenses from the subscription.
-> - If you bought your subscription through a Microsoft Representative, contact them directly for help with reducing your license count.
+If you have an MCA billing account type, you can buy more licenses for your subscription at any time. However, you can only remove licenses from your subscription if itΓÇÖs within seven days of you buying or renewing your subscription. For more information, see [Remove licenses from your subscription](#remove-licenses-from-your-subscription).
+
+### Buy more licenses for your subscription
-### If you have an MCA billing account type
+If you have an MCA billing account type and buy licenses in the middle of your billing period, you have seven days from when you buy them to reduce the number of licenses you bought.
1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>. - If youΓÇÖre using the **Simplified view**, select **Subscriptions**. - If youΓÇÖre using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. 2. Select the subscription that you want to change.
-3. On the subscription details page, select **Buy licenses** or **Remove license**s. [What if I don't see the Buy licenses or Remove licenses buttons](#what-if-i-dont-see-the-buy-licenses-or-remove-licenses-buttons)?
+3. On the subscription details page, select **Buy licenses**.
4. Choose when to schedule the license change to happen. - If recurring billing is turned on, you can choose to make the change now, or when the subscription renews. - If recurring billing is turned off, you can only make the change now.
-5. To change the number of licenses, under **New quantity** in the **Total licenses** box, enter the total number of licenses that you want for this subscription. For example, if you have 100 licenses and you want to add five more, enter 105. If you want to remove five of them, enter 95.
+5. To change the number of licenses, under **New quantity** in the **Total licenses** box, enter the total number of licenses that you want for this subscription. For example, if you have 100 licenses and you want to add five more, enter 105.
6. Select **Save**.
-### If you have an MOSA billing account type
+### Remove licenses from your subscription
+
+If you have an MCA billing account type, you can only remove licenses from your subscription during a limited time window after you buy or renew your subscription, or if you recently bought more licenses. If the window is closed, the subscription details page lists the date when your plan changes take effect.
+
+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.
+ - If youΓÇÖre using the **Simplified view**, select **Subscriptions**.
+ - If youΓÇÖre using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
+2. Select the subscription that you want to change.
+3. On the subscription details page, select **Remove licenses**.
+4. Under **New quantity** in the **Total licenses** box, enter the total number of licenses that you want for this subscription. For example, if you have 100 licenses and you want to remove 25 licenses, enter 75.
+5. Select **Save**.
+
+## Buy or remove licenses if you have an MOSA billing account type
1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>. - If youΓÇÖre using the **Simplified view**, select **Subscriptions**. - If youΓÇÖre using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. 2. Select the subscription that you want to change.
-3. On the subscription details page, select **Buy licenses** or **Remove licenses**. [What if I don't see the Buy licenses or Remove licenses buttons](#what-if-i-dont-see-the-buy-licenses-or-remove-licenses-buttons)?
+3. On the subscription details page, select **Buy licenses** or **Remove licenses**.
4. To change the number of licenses, under **New quantity** in the **Total licenses** box, enter the total number of licenses that you want for this subscription. For example, if you have 100 licenses and you want to add five more, enter 105. If you want to remove five of them, enter 95. 5. Select **Save**. ## Add licenses to a prepaid subscription by using a product key
-Prepaid product licenses are issued to you as a 25-character alphanumeric code, called a product key. After you buy the licenses you need, you can add them to your subscription by using the steps below. You can also use a product key to [extend the expiration date of your subscription](../enter-your-product-key.md#extend-the-expiration-date-for-an-existing-subscription).
+Prepaid product licenses are issued to you as a 25-character alphanumeric code, called a product key. After you buy the licenses you need, you can add them to your subscription by using the following steps. You can also use a product key to [extend the expiration date of your subscription](../enter-your-product-key.md#extend-the-expiration-date-for-an-existing-subscription).
> [!NOTE] > If you don't want to buy a new product key, you can always choose to add a credit card or debit card to your subscription to pay for more licenses. For more information, see [Renew your subscription](../subscriptions/renew-your-subscription.md).
-1. Go to the admin center.
+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>.
- If youΓÇÖre using the **Simplified view**, select **Subscriptions**. - If youΓÇÖre using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. 2. Select the subscription to which you want to add licenses.
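Review bot: the new MCA paragraph ("However, you can only remove licenses from your subscription if itΓÇÖs within seven days...") uses a curly apostrophe, which shows up here as the mojibake ΓÇÖ, while the bullets added at the top of this hunk use the straight form ("You can't reduce the number of licenses"); use the straight apostrophe so the added text is consistent. The "Remove licenses from your subscription" intro also says only "during a limited time window", whereas the section intro and the "Buy more licenses" paragraph both state seven days; say "within seven days of buying or renewing" there too so readers don't have to reconcile the two. Finally, the steps dropped the cross-reference "What if I don't see the Buy licenses or Remove licenses buttons" because that heading is renamed later in this change; consider re-adding a link to the new anchor, since the troubleshooting section still exists.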
Prepaid product licenses are issued to you as a 25-character alphanumeric code,
> If you have more than one product key, you can select **Add another product key** to enter them. 6. Review your order details, then select **Redeem**.
-## What if I don't see the Buy licenses or Remove licenses buttons?
+## What if I can't select the Buy licenses or Remove licenses buttons?
This table describes the reasons why the **Buy licenses** or **Remove licenses** buttons aren't available, and possible solutions. |Reason |Description |Solution | ||||
-|A credit check is pending. |If a credit check is pending, you can't buy or remove licenses until the credit check is complete. | Check back later to see if the credit check has completed. Credit checks typically take up to two working days to complete.<br/><br/>After the credit check is complete, you should see the **Buy licenses** and **Remove licenses** buttons. |
+|A credit check is pending. |If a credit check is pending, you can't buy or remove licenses until the credit check is complete. | Check back later to see if the credit check is complete. Credit checks typically take up to two working days to complete. After the credit check is complete, you should be able to select the **Buy licenses** and **Remove licenses** buttons. |
|You activated the subscription by using a product key.| If the subscription was bought and activated by using a 25-character product key, you see the word "Prepaid" in the **Purchase channel** column of the **Your products** page. |See [Add licenses to a prepaid subscription by using a product key](#add-licenses-to-a-prepaid-subscription-by-using-a-product-key). | |You bought your subscription through a reseller.| You see the word "Reseller" in the **Purchase information** section under **Purchase channel** on the subscription details page, and in the **Purchase channel** column of the **Your products** page. | If you bought the subscription through a Cloud Solution Provider (CSP) partner, contact your CSP partner to buy more licenses. | |You have a trial subscription. | To view your trial subscriptions, select the filter button, then choose **Trial**. | First buy your trial subscription, then you can buy more licenses.|
-## When will the new licenses be available to assign?
+## When are the new licenses available to assign?
-If you have an MOSA billing account type, the payment method associated with your subscription or billing profile is charged as soon as you buy more licenses for a subscription. The licenses are immediately available for you to assign to users.
+The payment method associated with your subscription or billing profile is charged as soon as you buy more licenses for a subscription. The licenses are immediately available for you to assign to users.
-If you prepaid for your subscription with a product key, you can add more licenses by using another product key, or by adding a credit card or debit card to cover the additional cost of the new licenses. If your subscription is prepaid, you can't remove licenses.
+If you prepaid for your subscription with a product key, you can add more licenses by using another product key, or by adding a credit card or debit card to cover the extra cost of the new licenses. If your subscription is prepaid, you can't remove licenses.
## How does buying or removing licenses affect my billing statements?
-If you have an MOSA billing account type, licenses added in the middle of your billing period appear on your next invoice. If you pay annually, you are invoiced within a month for these changes.
+Licenses added in the middle of your billing period appear on your next invoice. If you pay annually, you're invoiced within a month for these changes.
+
+If you have an MCA billing account type, you have seven days to reduce the number of licenses. If you reduce the number of licenses after that seven day period, the change appears on the first invoice you receive after the subscription renewal date.
-On your next billing statement, the previous charge for the original number of licenses is deducted. We add a prorated charge for the time period with the original number of licenses and add a charge for the new license count. There's also a charge for the current license count for the remainder of your billing period.
+If you have an MOSA billing account type, the previous charge for the original number of licenses is deducted on your next billing statement. We add a prorated charge for the time period with the original number of licenses and add a charge for the new license count. There's also a charge for the current license count for the remainder of your billing period.
## Next steps If you bought more licenses for your subscription, the next thing you should do is [assign those licenses to users in your organization](../../admin/manage/assign-licenses-to-users.md).
-If you reduced the number of licenses for your subscription because someone has left your organization, you might want to remove that user's account. To learn more, see [Remove a former employee](../../admin/add-users/remove-former-employee.md).
+If you reduced the number of licenses for your subscription because someone left your organization, you might want to remove that user's account. To learn more, see [Remove a former employee](../../admin/add-users/remove-former-employee.md).
## Related content
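Review bot: "after that seven day period" should be hyphenated as "seven-day period". Separately, removing "If you have an MOSA billing account type" from "The payment method associated with your subscription or billing profile is charged as soon as you buy more licenses" and from "Licenses added in the middle of your billing period appear on your next invoice" makes both statements apply to MCA accounts as well, while the proration paragraph immediately after was newly scoped to MOSA only; confirm the first two are intended to cover both billing account types, otherwise keep the qualifier.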
commerce E3 Extra Features Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/e3-extra-features-licenses.md
Microsoft 365 E3 or E5 Extra Features provides additional features for your user
|Feature |Microsoft 365 E3 Extra Features |Microsoft 365 E5 Extra Features | |||| |Avatars for Teams | Yes | Yes |
-|Avatars for Teams (additional) | Yes | Yes |
|Microsoft Copilot | Yes | Yes | |Microsoft Clipchamp | Yes | Yes | |Microsoft Loop | Yes | Yes |
commerce Cancel Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/cancel-your-subscription.md
The steps to cancel your trial or paid subscription depend on the number of lice
|If your subscription has |You can | |--|--| |25 or fewer licenses | [Use the steps later in this article to cancel your trial or paid subscription](#steps-to-cancel-your-subscription) online in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>. |
-|More than 25 licenses | [Reduce the number of licenses](../licenses/buy-licenses.md#buy-or-remove-licenses-for-your-business-subscription) to 25 or fewer and then [use the steps later in this article to cancel](#steps-to-cancel-your-subscription). |
+|More than 25 licenses | [Reduce the number of licenses](../licenses/buy-licenses.md) to 25 or fewer and then [use the steps later in this article to cancel](#steps-to-cancel-your-subscription). |
If you can't reduce the number of licenses, [turn off recurring billing](renew-your-subscription.md). Turning off recurring billing prevents you from being charged again for your subscription, and lets you keep your access to your products and services for the remainder of your subscription.
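Review bot: the link now points at the top of buy-licenses.md instead of the removed "Buy or remove licenses for your business subscription" anchor, which is fine given that article now has separate MCA and MOSA sections, but the "More than 25 licenses" row still reads as if reducing licenses is always possible. The buy-licenses change in this same update states that MCA accounts can only remove licenses within seven days of buying or renewing, so a short qualifier in this row (or a sentence before "If you can't reduce the number of licenses") would save MCA customers a dead end.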
commerce Upgrade To Different Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/upgrade-to-different-plan.md
After you confirm the number of licenses in your new subscription, you can [move
If you moved all users from one subscription to another, and you don't need the original subscription anymore, just [cancel the subscription](cancel-your-subscription.md).
-If you moved only some users to a different subscription, [remove licenses that you no longer need](../licenses/buy-licenses.md#buy-or-remove-licenses-for-your-business-subscription).
+If you moved only some users to a different subscription, [remove licenses that you no longer need](../licenses/buy-licenses.md).
## Next steps
enterprise Portallaunchscheduler https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/PortalLaunchScheduler.md
Title: Launch your portal using the Portal launch scheduler--++ Last updated 11/11/2020 audience: Admin
The Portal launch scheduler is designed to help you follow a phased roll-out app
- **Bidirectional**: launch a new modern SharePoint portal to replace an existing SharePoint classic or modern portal - **Redirect to a temporary page**: launch a new modern SharePoint portal with no existing SharePoint portal
-Site permissions must be set up separately from waves as part of the launch. For example, if you are releasing an organization-wide portal, you can set permissions to "Everyone except external users," then separate your users into waves using security groups. Adding a security group to a wave does not give that security group access to the site.
+Site permissions must be set up separately from waves as part of the launch. For example, if you're releasing an organization-wide portal, you can set permissions to "Everyone except external users," then separate your users into waves using security groups. Adding a security group to a wave doesn't give that security group access to the site.
> [!NOTE] >
Formerly, portal launches could only be scheduled through SharePoint PowerShell.
## Get started using the Portal launch scheduler
-1. Before using the Portal launch scheduler tool, [add all users who will need access to this site](https://support.microsoft.com/office/share-a-site-958771a8-d041-4eb8-b51c-afea2eae3658) through **Site permissions** as a Site owner, Site member, or Visitor.
+1. Before using the Portal launch scheduler tool, [add all users who need access to this site](https://support.microsoft.com/office/share-a-site-958771a8-d041-4eb8-b51c-afea2eae3658) through **Site permissions** as a Site owner, Site member, or Visitor.
1. Then, start scheduling your portal's launch by accessing the Portal launch scheduler in one of two ways:
- **Option 1**: The first few times you edit and republish changes to your home page - or up until home page version 3.0 - you will be prompted to use the Portal launch scheduler tool. Select **Schedule launch** to move forward with scheduling. Or select **Republish** to republish your page edits without scheduling the launch.
+ **Option 1**: The first few times you edit and republish changes to your home page - or up until home page version 3.0 - you'll be prompted to use the Portal launch scheduler tool. Select **Schedule launch** to move forward with scheduling. Or select **Republish** to republish your page edits without scheduling the launch.
![Image of the prompt to use the portal launch scheduler when republishing the home page.](../media/portal-launch-republish-2.png)
Formerly, portal launches could only be scheduled through SharePoint PowerShell.
> [!NOTE] > The site name and description can't be edited from the Portal launch scheduler and instead can be changed by selecting **Settings** and then **Site information** from the home page.
-1. Select the **Number of expected users** from the drop-down. This figure represents the number of users who will most likely need access to the site. The Portal launch scheduler will automatically determine the ideal number of waves depending on the expected users like this:
+1. Select the **Number of expected users** from the drop-down. This figure represents the number of users who will most likely need access to the site. The Portal launch scheduler automatically determines the ideal number of waves depending on the expected users like this:
- Less than 10k users: Two waves - 10k to 30k users: Three waves
Formerly, portal launches could only be scheduled through SharePoint PowerShell.
1. Then, determine the **Type of redirect** needed:
- **Option 1: Send users to an existing SharePoint page (bidirectional)** ΓÇô Use this option when launching a new modern SharePoint portal to replace an existing SharePoint portal. Users in active waves will be redirected to the new site regardless of whether they navigate to the old or new site. Users in a non-launched wave that try to access the new site will be redirected back to the old site until their wave is launched.
+ **Option 1: Send users to an existing SharePoint page (bidirectional)** ΓÇô Use this option when launching a new modern SharePoint portal to replace an existing SharePoint portal. Users in active waves are redirected to the new site regardless of whether they navigate to the old or new site. Users in a non-launched wave that try to access the new site are redirected back to the old site until their wave is launched.
> [!NOTE] > When using the bidirectional option, the person scheduling the launch must have site owner permissions to both the new SharePoint portal and existing SharePoint portal. Additionally, the two site URLs must exist within the same tenant/domain in order to validate appropriate permissions.
- **Option 2: Send users to an autogenerated temporary page (temporary page redirection)** ΓÇô Use a temporary page redirection should be used when no existing SharePoint portal exists. Users are directed to a new modern SharePoint portal and if a user is in a wave that has not been launched, they will be redirected to a temporary page.
+ **Option 2: Send users to an autogenerated temporary page (temporary page redirection)** ΓÇô Use a temporary page redirection should be used when no existing SharePoint portal exists. Users are directed to a new modern SharePoint portal and if a user is in a wave that hasn't been launched, they're redirected to a temporary page.
**Option 3: Send users to an external page** ΓÇô Provide an external URL to a temporary landing page experience until the user's wave is launched.
-1. Break up your audience into waves. Add up to 20 security groups per wave. Wave details can be edited up until the launch of each wave. Each wave can last at minimum one day (24 hours) and at most seven days. This allows SharePoint and your technical environment an opportunity to acclimate and scale to the large volume of site users. When scheduling a launch through the UI, the time zone is based on the site's regional settings.
+1. Break up your audience into waves. Add up to 20 security groups per wave. Wave details can be edited up until the launch of each wave. Each wave can last at minimum one day (24 hours) and at most seven days. This allows SharePoint and your technical environment an opportunity to acclimate and scale to the large volume of site users. When you schedule a launch through the UI, the time zone is based on the site's regional settings.
> [!NOTE] > > - The Portal launch scheduler will automatically default to a minimum of 2 waves. However, the PowerShell version of this tool will allow for 1 wave. > - Microsoft 365 groups are not supported by this version of the Portal launch scheduler.
-1. Determine who needs to view the site right away and enter their information into the **Users exempt from waves** field. These users are excluded from waves and will not be redirected before, during, or after the launch.
+1. Determine who needs to view the site right away and enter their information into the **Users exempt from waves** field. These users are excluded from waves and won't be redirected before, during, or after the launch.
>[!NOTE] > Up to 50 distinct users or security groups max can be added. Use security groups when you need more than 50 individuals to get access to the portal before the waves start launching.
-1. Confirm portal launch details and select **Schedule**. Once the launch has been scheduled, any changes to the SharePoint portal home page will need to receive a healthy diagnostic result before the portal launch will resume.
+1. Confirm portal launch details and select **Schedule**. Once the launch is scheduled, any changes to the SharePoint portal home page need to receive a healthy diagnostic result before the portal launch resumes.
### Launch a portal with over 100k users
-If you are planning to launch a portal with over 100,000 users, submit a support request following the steps listed below within 10-14 days prior to the launch. Make sure to include all the requested information.
+If you're planning to launch a portal with over 100,000 users, submit a support request following the steps listed below within 10-14 days prior to the launch. Make sure to include all the requested information.
> [!NOTE] >
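Review bot: the Option 2 sentence "Use a temporary page redirection should be used when no existing SharePoint portal exists" is ungrammatical and is already being edited in this hunk; change it to "Use temporary page redirection when no SharePoint portal exists". Also "submit a support request following the steps listed below within 10-14 days prior to the launch" reads better as "10 to 14 days before the launch".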
If you are planning to launch a portal with over 100,000 users, submit a support
1. Fill out the remaining info, and select **Contact me**.
-1. After the ticket has been created, ensure you provide the support agent with the following information:
+1. After the ticket is created, ensure you provide the support agent with the following information:
- Portal URL - Number of users expected - Estimated launch schedule (detailing the wave sizes)
Launch details can be edited for each wave up until the date of the wave's launc
1. To edit portal launch details, navigate to **Settings** and select **Schedule site launch**. 1. Then, select **Edit**.
-1. When you are finished making your edits, select **Update**.
+1. When you're finished making your edits, select **Update**.
## Delete a scheduled portal launch
Launches scheduled using the Portal launch scheduler tool can be canceled, or de
## Use the PowerShell Portal launch scheduler
-The SharePoint Portal launch scheduler tool was originally only available via [SharePoint PowerShell](/powershell/sharepoint/sharepoint-online/introduction-sharepoint-online-management-shell) and will continue to be supported through PowerShell for customers who prefer this method. The same notes at the beginning of this article apply to both versions of the Portal launch scheduler.
+The SharePoint Portal launch scheduler tool was originally only available via [SharePoint PowerShell](/powershell/sharepoint/sharepoint-online/introduction-sharepoint-online-management-shell) and continues to be supported through PowerShell for customers who prefer this method. The same notes at the beginning of this article apply to both versions of the Portal launch scheduler.
> [!NOTE] > You need administrator permissions to use SharePoint PowerShell.
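Review bot: "You need administrator permissions to use SharePoint PowerShell" is vague about which role; the cross-tenant migration article in this same update says "SharePoint Online admin or Microsoft 365 Global admin", so naming the role here (and noting that the lower-privileged SharePoint admin role suffices) would tell readers exactly what to request.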
The number of waves required depends on your expected launch size.
#### Steps for bidirectional redirection
-Bidirectional redirection involves launching a new modern SharePoint Online portal to replace an existing SharePoint classic or modern portal. Users in active waves will be redirected to the new site regardless of whether they navigate to the old or new site. Users in a non-launched wave that try to access the new site will be redirected back to the old site until their wave is launched.
+Bidirectional redirection involves launching a new modern SharePoint Online portal to replace an existing SharePoint classic or modern portal. Users in active waves are redirected to the new site regardless of whether they navigate to the old or new site. Users in a non-launched wave that try to access the new site are redirected back to the old site until their wave is launched.
-We only support redirection between the default home page on the old site and the default home page on the new site. Should you have administrators or owners that need access to the old and new sites without being redirected, ensure they are listed using the `WaveOverrideUsers` parameter.
+We only support redirection between the default home page on the old site and the default home page on the new site. Should you have administrators or owners that need access to the old and new sites without being redirected, ensure they're listed using the `WaveOverrideUsers` parameter.
To migrate users from an existing SharePoint site to a new SharePoint site in a staged manner:
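Review bot: since accounts listed in `WaveOverrideUsers` are never redirected before, during, or after the launch, the sentence "ensure they're listed using the `WaveOverrideUsers` parameter" could add that the list should be limited to the administrators or owners who actually need to reach both sites, matching the 50-entry limit and the security-group advice given in the UI section.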
To migrate users from an existing SharePoint site to a new SharePoint site in a
#### Steps for redirection to temporary page
-Temporary page redirection should be used when no existing SharePoint portal exists. Users are directed to a new modern SharePoint Online portal in a staged manner. If a user is in a wave that has not been launched, they will be redirected to a temporary page (any URL).
+Temporary page redirection should be used when no existing SharePoint portal exists. Users are directed to a new modern SharePoint Online portal in a staged manner. If a user is in a wave that hasn't been launched, they're redirected to a temporary page (any URL).
1. Run the following command to designate portal launch waves.
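Review bot: "they're redirected to a temporary page (any URL)" leaves open what the URL should be; since users in not-yet-launched waves are sent there automatically, suggest stating that it should be an HTTPS page the organization controls (the UI section's "external page" option has the same gap).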
enterprise Cross Tenant Onedrive Migration Faqs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-onedrive-migration-faqs.md
Title: OneDrive Cross-tenant OneDrive migration FAQs---+++ Last updated 10/13/2023 recommendations: true audience: ITPro
enterprise Cross Tenant Onedrive Migration Step1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-onedrive-migration-step1.md
Title: OneDrive Cross-tenant OneDrive migration Step 1---+++ Last updated 10/13/2023 recommendations: true audience: ITPro
description: "Step 1 of the OneDrive Cross-tenant migration feature"
# Step 1: Connect to the source and target tenants
-This is Step 1 in a solution designed to complete a Cross-tenant OneDrive migration. To learn more, see [Cross-tenant OneDrive migration overview](cross-tenant-onedrive-migration.md).
+This article details Step 1 in a solution designed to complete a Cross-tenant OneDrive migration. To learn more, see [Cross-tenant OneDrive migration overview](cross-tenant-onedrive-migration.md).
- **Step 1: [Connect to the source and the target tenants](cross-tenant-onedrive-migration-step1.md)** - Step 2: [Establish trust between the source and the target tenant](cross-tenant-onedrive-migration-step2.md) -- Step 3: [Verify trust has been established](cross-tenant-onedrive-migration-step3.md)
+- Step 3: [Verify trust is established](cross-tenant-onedrive-migration-step3.md)
- Step 4: [Pre-create users and groups](cross-tenant-onedrive-migration-step4.md) - Step 5: [Prepare identity mapping](cross-tenant-onedrive-migration-step5.md) - Step 6: [Start a Cross-tenant OneDrive migration](cross-tenant-onedrive-migration-step6.md)
This is Step 1 in a solution designed to complete a Cross-tenant OneDrive migrat
## Before you begin -- **Microsoft SharePoint Online Powershell**. Confirm you have the most recent version installed. If not, [Download SharePoint Online Management Shell from Official Microsoft Download Center](/download/details.aspx?id=35588).
+- **Microsoft SharePoint Online Powershell**. Confirm you have the most recent version installed. If not, [Download SharePoint Online Management Shell from Official Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=35588).
- Be a SharePoint Online admin or Microsoft 365 Global admin on both the source and target tenants - ### Connect to both tenants 1. Sign in to the SharePoint Management Shell as a SharePoint Online admin or Microsoft 365 Global admin.
-2. Run the following entering the **source** tenant URL:
+2. Run the following entering the **source** tenant URL:
```powershell Connect-SPOService -url https://<TenantName>-admin.sharepoint.com ``` 3. When prompted, sign in to the **source** tenant using your Admin username and password.
-
-4. Run the following entering the **target** tenant URL:
+
+4. Run the following entering the **target** tenant URL:
```powershell Connect-SPOService -url https://<TenantName>-admin.sharepoint.com
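Review bot: "Run the following entering the **source** tenant URL:" needs a comma ("Run the following, entering the **source** tenant URL:"), and the same applies to the target step; both lines are touched in this hunk. The bullet being edited for the download link still spells "Microsoft SharePoint Online Powershell"; make it "PowerShell". The two code blocks are also identical (`Connect-SPOService -url https://<TenantName>-admin.sharepoint.com` for both tenants), so distinct placeholders such as `<SourceTenantName>` and `<TargetTenantName>` would make it clearer that these are two different sessions, which matters given the Multi-Geo warning that each geography counts as its own tenant.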
This is Step 1 in a solution designed to complete a Cross-tenant OneDrive migrat
5. When prompted, sign in to the **target** tenant using your Admin username and password.
->[!Important]
->**Microsoft 365 Multi-Geo customers:** You must treat each geography as a separate tenant. Provide the correct geography-specific URLs throughout the migration process.
+> [!IMPORTANT]
+> **Microsoft 365 Multi-Geo customers:** You must treat each geography as a separate tenant. Provide the correct geography-specific URLs throughout the migration process.
## Step 2: [Establish trust between the source and target tenants](cross-tenant-onedrive-migration-step2.md)
enterprise Cross Tenant Onedrive Migration Step2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-onedrive-migration-step2.md
Title: OneDrive Cross-tenant OneDrive migration Step 2---+++ Last updated 10/13/2023 recommendations: true audience: ITPro
enterprise Cross Tenant Onedrive Migration Step3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-onedrive-migration-step3.md
Title: OneDrive Cross-tenant OneDrive migration Step 3---+++ Last updated 10/13/2023 recommendations: true audience: ITPro
description: "Step 3 of the OneDrive Cross-tenant migration feature"
# Step 3: Verifying trust
-This is Step 3 in a solution designed to complete a Cross-tenant OneDrive migration. To learn more, see [Cross-tenant OneDrive migration overview](cross-tenant-onedrive-migration.md).
+This article details Step 3 in a solution designed to complete a Cross-tenant OneDrive migration. To learn more, see [Cross-tenant OneDrive migration overview](cross-tenant-onedrive-migration.md).
- Step 1: [Connect to the source and the target tenants](cross-tenant-onedrive-migration-step1.md) - Step 2: [Establish trust between the source and the target tenant](cross-tenant-onedrive-migration-step2.md)
enterprise Cross Tenant Onedrive Migration Step4 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-onedrive-migration-step4.md
Title: OneDrive Cross-tenant OneDrive migration Step 4---+++ Last updated 10/13/2023 recommendations: true audience: ITPro
enterprise Cross Tenant Onedrive Migration Step5 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-onedrive-migration-step5.md
Title: OneDrive Cross-tenant OneDrive migration Step 5---+++ Last updated 10/13/2023 recommendations: true audience: ITPro
enterprise Cross Tenant Onedrive Migration Step6 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-onedrive-migration-step6.md
Title: OneDrive Cross-tenant OneDrive migration Step 6---+++ Last updated 10/13/2023 recommendations: true audience: ITPro
These commands can be useful when planning bulk batches of OneDrive migrations.
## OneDrive status pre-migration
-Before starting the migration, the users current source OneDrive status is similar to the example below. This example is from the users source tenant, showing their current files and folders.
+Before you start the migration, the users current source OneDrive status is similar to the example below. This example is from the users source tenant, showing their current files and folders.
:::image type="content" source="../media/cross-tenant-migration/t2t-onedrive-status-premigration.png" alt-text="pre-migration status":::
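Review bot: the rewritten sentence still reads "the users current source OneDrive status" and "from the users source tenant"; both need the possessive "user's". Suggested wording: "Before you start the migration, the user's current source OneDrive status is similar to the example below. This example is from the user's source tenant, showing their current files and folders."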
Get-SPOCrossTenantUserContentMoveState -PartnerCrossTenantHostURL https://ttestt
|Scheduled|The migration is now in the queue and is scheduled to run when a slot becomes available.| |ReadytoTrigger|The Migration is in its preflight stage and will start the Migration shortly.| |InProgress|The migration is in progress in one of the following states: </br>- Validation </br>- Backup </br>- Restore </br>- Cleanup|
-|Success|The Migration has completed successfully.|
+|Success|The Migration completed successfully.|
|Rescheduled|The migration may not have completed and has been requeued for another pass.| |Failed|The migration failed to complete.| ## Post-migration status checks
-**Target tenant**: After the migration has successfully completed, check the status of the user on the target tenant by logging into their new OneDrive account.
+**Target tenant**: After the migration successfully completes, check the status of the user on the target tenant by logging into their new OneDrive account.
**Source tenant**: Since the user has successfully migrated to the target tenant, they no longer have an active OneDrive account on the source.
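Review bot: the Success row now reads "The Migration completed successfully" with a capitalized "Migration", while the Scheduled, Rescheduled and Failed rows in the same table use lowercase "migration" (the ReadytoTrigger row has the same capitalization slip). Lowercase it for consistency. In the target-tenant line, "logging into their new OneDrive account" would match the rest of the doc set as "signing in to".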
enterprise Cross Tenant Onedrive Migration Step7 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-onedrive-migration-step7.md
Title: OneDrive Cross-Tenant User Data Migration Step 7--++ Last updated 10/13/2023 recommendations: true
enterprise Cross Tenant Onedrive Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-onedrive-migration.md
Title: Cross-tenant OneDrive migration overview--++ Last updated 10/13/2023 recommendations: true
enterprise Cross Tenant Sharepoint Bulk Site Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-bulk-site-migration.md
Title: Performing Bulk SharePoint site Cross-tenant migrations (preview)--++ Last updated 10/13/2023 recommendations: true
enterprise Cross Tenant Sharepoint Migration Faqs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-faqs.md
Title: SharePoint Cross-tenant SharePoint migration FAQs (preview)---+++ Last updated 10/13/2023 recommendations: true audience: ITPro
enterprise Cross Tenant Sharepoint Migration Step1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step1.md
Title: SharePoint Cross-tenant SharePoint migration Step 1 (preview)---+++ Last updated 10/13/2023 recommendations: true audience: ITPro
This is Step 1 in a solution designed to complete a **Cross-tenant SharePoint mi
## Before you begin -- **Microsoft SharePoint Online Powershell**. Confirm you have the most recent version installed. If not, [Download SharePoint Online Management Shell from Official Microsoft Download Center](/download/details.aspx?id=35588).
+- **Microsoft SharePoint Online Powershell**. Confirm you have the most recent version installed. If not, [Download SharePoint Online Management Shell from Official Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=35588).
- Be a SharePoint Online admin or Microsoft 365 Global admin on both the source and target tenants
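Review bot: the link fix is correct (the old relative "/download/details.aspx?id=35588" path would have resolved under the docs host rather than microsoft.com), but the same bullet still spells the product "Microsoft SharePoint Online Powershell"; it should be "PowerShell". The following bullet, "Be a SharePoint Online admin or Microsoft 365 Global admin on both the source and target tenants", is missing its terminal period.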
enterprise Cross Tenant Sharepoint Migration Step2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step2.md
Title: SharePoint Cross-tenant SharePoint migration Step 2 (preview)---+++ Last updated 10/13/2023 recommendations: true audience: ITPro
enterprise Cross Tenant Sharepoint Migration Step3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step3.md
Title: SharePoint Cross-tenant SharePoint migration Step 3 (preview)---+++ Last updated 10/13/2023 recommendations: true audience: ITPro
enterprise Cross Tenant Sharepoint Migration Step4 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step4.md
Title: SharePoint Cross-tenant SharePoint migration Step 4 (preview)---+++ Last updated 10/13/2023 recommendations: true audience: ITPro
enterprise Cross Tenant Sharepoint Migration Step5 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step5.md
Title: SharePoint Cross-tenant SharePoint migration Step 5 (preview)---+++ Last updated 10/13/2023 recommendations: true audience: ITPro
enterprise Cross Tenant Sharepoint Migration Step6 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step6.md
Title: SharePoint site Cross-tenant SharePoint migration Step 6 (preview)---+++ Last updated 10/13/2023 recommendations: true audience: ITPro
Start-SPOCrossTenantGroupContentMove  -SourceSiteUrl <…> -TargetSiteUrl <
|TargetCrossTenantHostUrl|The Cross-tenant host URL of the target tenant. The target tenant Admin can determine the TargetCrossTenantHostUrl by running *Get-SPOCrossTenantHostUrl* on their tenant.| |
-### Start a SharePoint M365 Group connected site cross-tenant migration
+### Start a SharePoint Microsoft 365 Group connected site cross-tenant migration
-1. Ensure you have verified the compatibility status. If you see a status of either **Compatible** or **Warning** on your source tenant, you may continue. Run:
+1. Ensure to verify the compatibility status. If you see a status of either **Compatible** or **Warning** on your source tenant, you may continue. Run:
```powershell Get-SPOCrossTenantCompatibilityStatus ΓÇôPartnerCrossTenantHostURL [Target tenant hostname]
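Review bot: "Ensure to verify the compatibility status" is not idiomatic; "Verify the compatibility status" (or "Make sure you have verified the compatibility status") reads better. The command on the next line shows the parameter prefix as "ΓÇôPartnerCrossTenantHostURL", a mis-encoded en dash; use an ASCII hyphen, "-PartnerCrossTenantHostURL", so the snippet pastes cleanly and matches the other cmdlet examples on this page.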
Start-SPOCrossTenantGroupContentMove  -SourceGroupAlias <…> -TargetGroupAli
```
-These commands can be useful when planning bulk batches of site migrations.  You can queue and migrate up to 4,000 migrations per batch.  If your count exceeds 4,000 then separate batches can be created and scheduled to run once the current batch is close to completion.
+These commands can be useful when planning bulk batches of site migrations.  You can queue and migrate up to 4,000 migrations per batch.  If your count exceeds 4,000, then separate batches can be created and scheduled to run once the current batch is close to completion.
|Parameter|Description| |||
These commands can be useful when planning bulk batches of site migrations.  Yo
## SharePoint status pre-migration
-Before starting the migration, the users current source SharePoint status will be similar to the example below. This example is from the users source tenant, showing their current files and folders.
+Before you begin the migration, the users current source SharePoint status will be similar to the example below. This example is from the users source tenant, showing their current files and folders.
:::image type="content" source="../media/cross-tenant-migration/t2t-onedrive-status-premigration.png" alt-text="pre-migration status":::
Get-SPOCrossTenantUserContentMoveState -PartnerCrossTenantHostURL https://ttestt
**Target tenant**: After the migration has successfully completed, check the status of the user on the target tenant by logging into their new SharePoint account.
-**Source tenant**: Since the user has successfully migrated to the target tenant, they no longer have an active SharePoint account on the source.
+**Source tenant**: Once the user has successfully migrated to the target tenant, they no longer have an active SharePoint account on the source.
## Step 7: [Post migration steps](cross-tenant-SharePoint-migration-step7.md)
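Review bot: the step-7 link target "cross-tenant-SharePoint-migration-step7.md" uses mixed case while the file is tracked as cross-tenant-sharepoint-migration-step7.md; on a case-sensitive host the link breaks, so lowercase the path. The rewritten pre-migration sentence also still has "the users current source SharePoint status" and "the users source tenant" (possessive "user's"), and the image it introduces points at the OneDrive asset t2t-onedrive-status-premigration.png with alt text "pre-migration status"; confirm a SharePoint screenshot was intended.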
enterprise Cross Tenant Sharepoint Migration Step7 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step7.md
Title: SharePoint Cross-Tenant User Data Migration Step 7 (preview)---+++ Last updated 10/13/2023 recommendations: true audience: ITPro
enterprise Cross Tenant Sharepoint Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration.md
Title: Cross-tenant SharePoint site migration overview (preview)---+++ Last updated 10/13/2023 recommendations: true audience: ITPro
enterprise Exchange 2013 End Of Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/exchange-2013-end-of-support.md
Title: "Exchange 2013 end of support roadmap" -+ Last updated 08/10/2020 audience: ITPro
enterprise Join Leave Multi Tenant Org https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/join-leave-multi-tenant-org.md
Once you've joined, you can leave a multitenant organization at any time.
<a name='related-settings-in-azure-ad'></a>
-#### Related settings in Microsoft Entra ID
+## Related settings in Microsoft Entra ID
When you join an existing multitenant organization, the following settings are configured in Microsoft Entra ID: - A cross-tenant synchronization configuration is added with the name *MTO_Sync_\<TenantID\>*, but no sync jobs are created yet. (If you already have a cross-tenant synchronization configuration, it remains unchanged.)-- An organization relationship is added to the [cross-tenant access settings](/azure/active-directory/external-identities/cross-tenant-access-overview) based on the [multitenant organization templates](/azure/active-directory/multi-tenant-organizations/templates) for cross-tenant access and identity synchronization. (If an organizational relationship already exists, the existing one is used.)
+- An organization relationship is added to the [cross-tenant access settings](/azure/active-directory/external-identities/cross-tenant-access-overview) based on the [multitenant organization templates](/entra/identity/multi-tenant-organizations/multi-tenant-organization-templates) for cross-tenant access and identity synchronization. (If an organizational relationship already exists, the existing one is used.)
- The multitenant organization template for identity synchronization is set to allow users to sync into this tenant. - The multitenant org template for cross-tenant access will be set to automatically redeem user invitations, inbound as well as outbound.
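Review bot: the updated templates link now targets /entra/identity/multi-tenant-organizations/multi-tenant-organization-templates, but the cross-tenant access settings link in the same bullet still points at /azure/active-directory/external-identities/cross-tenant-access-overview; if the Entra paths are the new canonical ones, update both in one pass. The two template bullets also alternate between "is set to allow" and "will be set to automatically redeem"; use present tense in both.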
To remove a tenant from a multitenant organization in Microsoft 365
Removing a tenant doesn't change any user synchronization configurations or cross-tenant access settings in Microsoft Entra ID. We recommend you review these settings and make any updates needed after the tenant is removed.
-#### Remove synchronized users from other tenants
+### Remove synchronized users from other tenants
When you remove a tenant from a multitenant organization, you might want to stop synchronizing users between that tenant and the tenants that remain in the multitenant organization. This can be done by updating the cross-tenant synchronization configuration in Microsoft Entra ID and removing the security groups being synchronized, then restarting the synchronization with zero users.
To remove the cross-synchronized users:
- For each tenant that's remaining in the multitenant organization, update the synchronization configuration for the tenant that's leaving.
-To remove your users from other tenants in a multitenant organization
+To remove your users from other tenants in a multitenant organization:
+ 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) as a Global administrator. 1. Expand **Identity**, and then expand **External Identities**. 1. Select **Cross-tenant synchronization**.
To remove your users from other tenants in a multitenant organization
Once the users have been removed from the other tenants' directories, you can stop provisioning for the synchronization configurations or delete them.
-#### Stop user sync and automatic invitation redemption
+### Stop user sync and automatic invitation redemption
Once you remove a tenant from a multitenant organization, you might want to stop user sync and automatic invitation redemption with the tenants that remain in the multitenant organization.
To prevent user sync and automatic invitation redemption:
- For each tenant that's remaining in the multitenant organization, update the cross-tenant access settings for the tenant that's leaving.
-To prevent user sync and automatic invitation redemption
+To prevent user sync and automatic invitation redemption:
+ 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) as a Global administrator. 1. Expand **Identity**, and then expand **External Identities**. 1. Select **Cross-tenant access settings**.
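Review bot: both procedures (this one and "Remove synchronized users from other tenants") instruct signing in to the Microsoft Entra admin center as a Global administrator. If a narrower role can edit cross-tenant access settings and synchronization configurations, the steps should name it; otherwise readers will reach for the most privileged role for routine cleanup.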
enterprise Manage Microsoft 365 Groups With Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-microsoft-365-groups-with-powershell.md
The following cmdlets can be used with Microsoft 365 Groups.
|[Get-UnifiedGroupLinks](/powershell/module/exchange/get-unifiedgrouplinks)|Retrieve membership and owner information for a Microsoft 365 Group| |[Add-UnifiedGroupLinks](/powershell/module/exchange/add-unifiedgrouplinks)|Add members, owners, and subscribers to an existing Microsoft 365 Group| |[Remove-UnifiedGroupLinks](/powershell/module/exchange/remove-unifiedgrouplinks)|Remove owners and members from an existing Microsoft 365 Group|
-|[Get-MgGroupPhoto](/powershell/module/microsoft.graph.users/get-mggroupphoto)|Used to view information about the user photo that's associated with a Microsoft 365 Group.|
-|[Get-MgGroupPhotoContent](/powershell/module/microsoft.graph.users/get-mggroupphotocontent)|Used to download the user photo that's associated with a Microsoft 365 Group.|
+|[Get-MgGroupPhoto](/powershell/module/microsoft.graph.groups/get-mggroupphoto)|Used to view information about the user photo that's associated with a Microsoft 365 Group.|
+|[Get-MgGroupPhotoContent](/powershell/module/microsoft.graph.groups/get-mggroupphotocontent)|Used to download the user photo that's associated with a Microsoft 365 Group.|
|[Set-MgUserPhotoContent](/powershell/module/microsoft.graph.users/set-mguserphotocontent)|Used to add a user photo to a Microsoft 365 Group.|
-|[Remove-MgGroupPhoto](/powershell/module/microsoft.graph.users/get-mggroupphoto)|Remove the photo for a Microsoft 365 Group.|
+|[Remove-MgGroupPhoto](/powershell/module/microsoft.graph.groups/get-mggroupphoto)|Remove the photo for a Microsoft 365 Group.|
## Related articles
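Review bot: the Remove-MgGroupPhoto row still links to .../microsoft.graph.groups/get-mggroupphoto; the module path was corrected but the page slug was not, so the link lands on Get-MgGroupPhoto. Point it at remove-mggroupphoto. The Set-MgUserPhotoContent row, untouched here, describes adding a photo to a Microsoft 365 Group but links the user-scoped cmdlet under microsoft.graph.users; check whether the group-scoped equivalent was meant.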
enterprise Protect Your Global Administrator Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/protect-your-global-administrator-accounts.md
Use these additional methods to ensure that your privileged account, and the con
To ensure that the execution of highly privileged tasks is as secure as possible, use a privileged access workstation (PAW). A PAW is a dedicated computer that is only used for sensitive configuration tasks, such as Microsoft 365 configuration that requires a privileged account. Because this computer isn't used daily for Internet browsing or email, it's better protected from Internet attacks and threats.
-For instructions on how to set up a PAW, see [https://aka.ms/cyberpaw](/security/compass/privileged-access-devices).
+For instructions on how to set up a PAW, see [Securing devices as part of the privileged access story](https://aka.ms/cyberpaw).
To enable Azure PIM for your Microsoft Entra tenant and administrator accounts, see the [steps to configure PIM](/azure/active-directory/active-directory-privileged-identity-management-configure).
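Review bot: the original link had its text and target swapped, and the fix corrects that, but it also replaces the resolvable docs path /security/compass/privileged-access-devices with the https://aka.ms/cyberpaw redirect as the target. Prefer keeping the relative docs path as the href so build-time link validation still covers it. The PIM link on the last line still uses the legacy /azure/active-directory/... path.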
enterprise Set Up Multi Tenant Org https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/set-up-multi-tenant-org.md
You can set up a multitenant organization or add tenants to an existing one in t
When each external tenant accepts the invitation to join the multitenant organization, the following settings are configured in Microsoft Entra ID: - A cross-tenant synchronization configuration is added with the name *MTO_Sync_\<TenantID\>*, but no sync jobs are created yet. (If you already have a cross-tenant synchronization configuration, it remains unchanged.)-- An organization relationship is added to the [cross-tenant access settings](/azure/active-directory/external-identities/cross-tenant-access-overview) based on the [multitenant organization templates](/azure/active-directory/multi-tenant-organizations/templates) for cross-tenant access and identity synchronization. (If an organizational relationship already exists, the existing one is used.)
+- An organization relationship is added to the [cross-tenant access settings](/azure/active-directory/external-identities/cross-tenant-access-overview) based on the [multitenant organization templates](/entra/identity/multi-tenant-organizations/multi-tenant-organization-templates) for cross-tenant access and identity synchronization. (If an organizational relationship already exists, the existing one is used.)
- The multitenant organization template for identity synchronization is set to allow users to sync into this tenant. - The multitenant org template for cross-tenant access will be set to automatically redeem user invitations, inbound as well as outbound.
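Review bot: the templates link moves to /entra/identity/multi-tenant-organizations/multi-tenant-organization-templates, but the cross-tenant access settings link in the same bullet stays on /azure/active-directory/external-identities/cross-tenant-access-overview; update both together. In the following bullets, "will be set to automatically redeem" should match "is set to allow" in present tense.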
enterprise Use Microsoft 365 Cdn With Spo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/use-microsoft-365-cdn-with-spo.md
Title: Use Office 365 Content Delivery Network (CDN) with SharePoint Online
Previously updated : 07/13/2021 Last updated : 1/25/2024 audience: ITPro
description: Learn how to use the Office 365 Content Delivery Network (CDN) to s
You can use the built-in Office 365 Content Delivery Network (CDN) to host static assets to provide better performance for your SharePoint Online pages. The Office 365 CDN improves performance by caching static assets closer to the browsers requesting them, which helps to speed up downloads and reduce latency. Also, the Office 365 CDN uses the [HTTP/2 protocol](https://en.wikipedia.org/wiki/HTTP/2) for improved compression and HTTP pipelining. The Office 365 CDN service is included as part of your SharePoint Online subscription. > [!CAUTION]
-> As images are now automatically managed in a SharePoint Online service-managed Private CDN, the manually configured Private CDN is in the process of being deprecated. This means that customers no longer need to configure private CDN. The recommended practice remains unchanged as images will be hosted via the service-managed Private CDN automatically and Public CDN will continue to be available for all other file types, like CSS and JS. Any customers using Private CDN for file types other than images, will need to move those files into Public CDN. Public CDN is recommended for these file types, to enhance performance.
+> As images are now automatically managed in a SharePoint Online service-managed Private CDN, the manually configured Private CDN is in the process of being deprecated. This behavior means that customers no longer need to configure private CDN. The recommended practice remains unchanged as images are hosted via the service-managed Private CDN automatically. Public CDN continues to be available for all other file types (for example, CSS and JS). Customers using Private CDN for file types other than images, need to move those files into Public CDN. We recommend Public CDN for these file types to enhance performance.
> [!NOTE] > The Office 365 CDN is only available to tenants in the **Production** (worldwide) cloud. Tenants in the US Government and China clouds do not currently support the Office 365 CDN.
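Review bot: in the rewritten caution, "Customers using Private CDN for file types other than images, need to move those files into Public CDN" has a comma splitting subject and verb; drop it. "This behavior means that customers no longer need to configure private CDN" refers to a deprecation, not a behavior; "This change means" is clearer. Capitalization of "private CDN" versus "Private CDN" also varies within the same paragraph.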
The Office 365 CDN is composed of multiple CDNs that allow you to host static as
![Office 365 CDN conceptual diagram.](../media/O365-CDN/o365-cdn-flow-transparent.png "Office 365 CDN conceptual diagram")
-If you are already familiar with the way that CDNs work, you only need to complete a few steps to enable the Office 365 CDN for your tenant. This topic describes how. Read on for information about how to get started hosting your static assets.
+If you're already familiar with the way that CDNs work, you only need to complete a few steps to enable the Office 365 CDN for your tenant. This article describes how. Read on for information about how to get started hosting your static assets.
> [!TIP] > There are other Microsoft-hosted CDNs that can be used with Office 365 for specialized usage scenarios, but are not discussed in this topic because they fall outside the scope of the Office 365 CDN. For more information, see [Other Microsoft CDNs](content-delivery-networks.md#other-microsoft-cdns).
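Review bot: the rewrite changes "This topic describes how" to "This article describes how", but the TIP immediately below still says "not discussed in this topic"; update it to "article" as well.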
If you are already familiar with the way that CDNs work, you only need to comple
To set up the Office 365 CDN for your organization, you follow these basic steps:
-+ [Plan for deployment of the Office 365 CDN](use-microsoft-365-cdn-with-spo.md#plan-for-deployment-of-the-office-365-cdn)
+- [Plan for deployment of the Office 365 CDN](use-microsoft-365-cdn-with-spo.md#plan-for-deployment-of-the-office-365-cdn)
+ - [Determine which static assets you want to host on the CDN](use-microsoft-365-cdn-with-spo.md#CDNAssets).
+ - [Determine where you want to store your assets](use-microsoft-365-cdn-with-spo.md#CDNStoreAssets). This location can be a SharePoint site, library or folder and is called an _origin_.
+ - [Choose whether each origin should be public or private](use-microsoft-365-cdn-with-spo.md#CDNOriginChoosePublicPrivate). You can add multiple origins of both public and private types.
- + [Determine which static assets you want to host on the CDN](use-microsoft-365-cdn-with-spo.md#CDNAssets).
- + [Determine where you want to store your assets](use-microsoft-365-cdn-with-spo.md#CDNStoreAssets). This location can be a SharePoint site, library or folder and is called an _origin_.
- + [Choose whether each origin should be public or private](use-microsoft-365-cdn-with-spo.md#CDNOriginChoosePublicPrivate). You can add multiple origins of both public and private types.
+- Set up and configure the CDN, using either PowerShell or the CLI for Microsoft 365
+ - [Set up and configure the CDN by using the SharePoint Online Management Shell](use-microsoft-365-cdn-with-spo.md#CDNSetupinPShell)
+ - [Set up and configure the CDN by using PnP PowerShell](use-microsoft-365-cdn-with-spo.md#CDNSetupinPnPPosh)
+ - [Set up and configure the CDN by using the CLI for Microsoft 365](use-microsoft-365-cdn-with-spo.md#CDNSetupinCLI)
-+ Set up and configure the CDN, using either PowerShell or the CLI for Microsoft 365
+ When you complete this step, you get the following results:
- + [Set up and configure the CDN by using the SharePoint Online Management Shell](use-microsoft-365-cdn-with-spo.md#CDNSetupinPShell)
- + [Set up and configure the CDN by using PnP PowerShell](use-microsoft-365-cdn-with-spo.md#CDNSetupinPnPPosh)
- + [Set up and configure the CDN by using the CLI for Microsoft 365](use-microsoft-365-cdn-with-spo.md#CDNSetupinCLI)
-
- When you complete this step, you will have:
-
- + Enabled the CDN for your organization.
- + Added your origins, identifying each origin as public or private.
+ - The CDN is enabled for your organization.
+ - You added your origins, identifying each origin as public or private.
Once you're done with setup, you can [Manage the Office 365 CDN](use-microsoft-365-cdn-with-spo.md#CDNManage) over time by:
-+ Adding, updating, and removing assets
-+ Adding and removing origins
-+ Configuring CDN policies
-+ If necessary, disabling the CDN
+- Adding, updating, and removing assets
+- Adding and removing origins
+- Configuring CDN policies
+- If necessary, disabling the CDN
Finally, see [Using your CDN assets](use-microsoft-365-cdn-with-spo.md#using-your-cdn-assets) to learn about accessing your CDN assets from both public and private origins.
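Review bot: the results sub-list under "When you complete this step, you get the following results:" mixes "The CDN is enabled for your organization" with "You added your origins"; make the two parallel, for example "Your origins are added, each identified as public or private." The restructuring also nests "When you complete this step" one level under the setup bullet; confirm that indentation is the intended rendering.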
See [Troubleshooting the Office 365 CDN](use-microsoft-365-cdn-with-spo.md#CDNTr
Before you deploy the Office 365 CDN for your Office 365 tenant, you should consider the following factors as part of your planning process.
- + [Determine which static assets you want to host on the CDN](use-microsoft-365-cdn-with-spo.md#CDNAssets)
- + [Determine where you want to store your assets](use-microsoft-365-cdn-with-spo.md#CDNStoreAssets)
- + [Choose whether each origin should be public or private](use-microsoft-365-cdn-with-spo.md#CDNOriginChoosePublicPrivate)
+- [Determine which static assets you want to host on the CDN](use-microsoft-365-cdn-with-spo.md#CDNAssets)
+- [Determine where you want to store your assets](use-microsoft-365-cdn-with-spo.md#CDNStoreAssets)
+- [Choose whether each origin should be public or private](use-microsoft-365-cdn-with-spo.md#CDNOriginChoosePublicPrivate)
<a name="CDNAssets"> </a>+ ### Determine which static assets you want to host on the CDN
-In general, CDNs are most effective for hosting _static assets_, or assets that don't change very often. A good rule of thumb is to identify files that meet some or all of these conditions:
+In general, CDNs are most effective for hosting _static assets_, or assets that don't change often. A good rule of thumb is to identify files that meet some or all of these conditions:
-+ Static files embedded in a page (like scripts and images) that may have a significant incremental impact on page load times
-+ Large files like executables and installation files
-+ Resource libraries that support client-side code
+- Static files embedded in a page (like scripts and images) that might have a significant effect on page load times.
+- Large files like executables and installation files.
+- Resource libraries that support client-side code.
-For example, small files that are repeatedly requested like site images and scripts can significantly improve site rendering performance and incrementally reduce the load on your SharePoint Online sites when you add them to a CDN origin. Larger files such as installation executables can be downloaded from the CDN, delivering a positive performance impact and subsequent reduction of the load on your SharePoint Online site, even if they are not accessed as often.
+For example, adding repeatedly requested small files (site images and scripts) to a CDN origin can significantly improve site rendering performance and incrementally reduce the load on your SharePoint Online sites. Larger files (installation executables) can be downloaded from the CDN, delivering a positive performance effect and subsequent reduction of the load on your SharePoint Online site, even if they aren't accessed as often.
-Performance improvement on a per-file basis is dependent on many factors, including the client's proximity to the nearest CDN endpoint, transient conditions on the local network, and so forth. Many static files are quite small, and can be downloaded from Office 365 in less than a second. However, a web page may contain many embedded files with a cumulative download time of several seconds. Serving these files from the CDN can significantly reduce the overall page load time. See [What performance gains does a CDN provide?](content-delivery-networks.md#what-performance-gains-does-a-cdn-provide) for an example.
+Performance improvement on a per-file basis is dependent on many factors, including the client's proximity to the nearest CDN endpoint, transient conditions on the local network, and so forth. Many static files are small, and can be downloaded from Office 365 in less than a second. However, a web page might contain many embedded files with a cumulative download time of several seconds. Serving these files from the CDN can significantly reduce the overall page load time. See [What performance gains does a CDN provide?](content-delivery-networks.md#what-performance-gains-does-a-cdn-provide) for an example.
<a name="CDNStoreAssets"> </a>+ ### Determine where you want to store your assets
-The CDN fetches your assets from a location called an _origin_. An origin can be a SharePoint site, document library or folder that is accessible by a URL. You have great flexibility when you specify origins for your organization. For example, you can specify multiple origins or a single origin where you want to put all your CDN assets. You can choose to have both public or private origins for your organization. Most organizations will choose to implement a combination of the two.
+The CDN fetches your assets from a location called an _origin_. An origin can be a SharePoint site, document library or folder that is accessible by a URL. You have great flexibility when you specify origins for your organization. For example, you can specify multiple origins or a single origin where you want to put all your CDN assets. You can choose to have both public or private origins for your organization. Most organizations choose to implement a combination of the two.
-You can create new container for your origins such as folders or document libraries, and add files you want to make available from the CDN. This is a good approach if you have a specific set of assets you want to be available from the CDN, and want to restrict the set of CDN assets to only those files in the container.
+You can create new container for your origins such as folders or document libraries, and add files you want to make available from the CDN. This is a good approach for a specific set of assets that you want to be available from the CDN, and you want to restrict the set of CDN assets to only those files in the container.
-You can also configure an existing site collection, site, library or folder as an origin, which will make all eligible assets in the container available from the CDN. Before you add an existing container as an origin, it's important to make sure you are aware of its contents and permissions so you do not inadvertently expose assets to anonymous access or unauthorized users.
+You can also configure an existing site collection, site, library or folder as an origin, which makes all eligible assets in the container available from the CDN. Before you add an existing container as an origin, it's important to make sure you're aware of its contents and permissions so you don't inadvertently expose assets to anonymous access or unauthorized users.
-You can define _CDN policies_ to exclude content in your origins from the CDN. CDN policies exclude assets in public or private origins by attributes such as _file type_ and _site classification_, and are applied to all origins of the CdnType (private or public) you specify in the policy. For example, if you add a private origin consisting of a site that contains multiple subsites, you can define a policy to exclude sites marked as **Confidential** so content from sites with that classification applied will not be served from the CDN. The policy will apply to content from _all_ private origins you have added to the CDN.
+You can define _CDN policies_ to exclude content in your origins from the CDN. CDN policies exclude assets in public or private origins by attributes such as _file type_ and _site classification_, and are applied to all origins of the CdnType (private or public) you specify in the policy. For example, if you add a private origin consisting of a site that contains multiple subsites, you can define a policy to exclude sites marked as **Confidential** so content from sites with that classification applied aren't served from the CDN. The policy applies to content from _all_ private origins that you added to the CDN.
-Keep in mind that the greater the number of origins, the greater the impact on the time it takes the CDN service to process requests. We recommend that you limit the number of origins as much as possible.
+Keep in mind that the greater the number of origins, the greater the effect on the time it takes the CDN service to process requests. We recommend that you limit the number of origins as much as possible.
<a name="CDNOriginChoosePublicPrivate"> </a>+ ### Choose whether each origin should be public or private
-When you identify an origin, you specify whether it should be made _public_ or _private_. Access to CDN assets in public origins is anonymous, and CDN content in private origins is secured by dynamically generated tokens for greater security. Regardless of which option you choose, Microsoft does all the heavy lifting for you when it comes to administration of the CDN itself. Also, you can change your mind later, after you've set up the CDN and identified your origins.
+When you identify an origin, you specify whether it should be made _public_ or _private_. Access to CDN assets in public origins is anonymous, and CDN content in private origins is secured by dynamically generated tokens for greater security. Regardless of which option you choose, Microsoft does all the heavy lifting for you when it comes to administration of the CDN itself. Also, you can change your mind later, after you set up the CDN and identified your origins.
Both public and private options provide similar performance gains, but each has unique attributes and advantages.
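Review bot: tense mismatch introduced in the last sentence of the hunk: "after you set up the CDN and identified your origins" mixes present "set up" with past "identified". Either "after you set up the CDN and identify your origins" or the original "after you've set up the CDN and identified your origins" reads correctly.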
-**Public** origins within the Office 365 CDN are accessible anonymously, and hosted assets can be accessed by anyone who has the URL to the asset. Because access to content in public origins is anonymous, you should only use them to cache non-sensitive generic content such as JavaScript files, scripts, icons and images.
+**Public** origins within the Office 365 CDN are accessible anonymously, and hosted assets can be accessed by anyone who has the URL to the asset. Because access to content in public origins is anonymous, you should only use them to cache nonsensitive generic content such as JavaScript files, scripts, icons and images.
**Private** origins within the Office 365 CDN provide private access to user content such as SharePoint Online document libraries, sites and proprietary images. Access to content in private origins is secured by dynamically generated tokens so it can only be accessed by users with permissions to the original document library or storage location. Private origins in the Office 365 CDN can only be used for SharePoint Online content, and you can only access assets in private origins through redirection from your SharePoint Online tenant.
You can read more about how CDN access to assets in a private origin works in [U
#### Attributes and advantages of hosting assets in public origins
-+ Assets exposed in a public origin are accessible by everyone anonymously.
+- Assets exposed in a public origin are accessible by everyone anonymously.
> [!IMPORTANT] > You should never place resources that contain user information or are considered sensitive to your organization in a public origin.
-+ If you remove an asset from a public origin, the asset may continue to be available for up to 30 days from the cache; however, we will invalidate links to the asset in the CDN within 15 minutes.
+- If you remove an asset from a public origin, the asset might continue to be available for up to 30 days from the cache; however, we invalidate links to the asset in the CDN within 15 minutes.
-+ When you host style sheets (CSS files) in a public origin, you can use relative paths and URIs within the code. This means that you can reference the location of background images and other objects relative to the location of the asset that's calling it.
+- When you host style sheets (CSS files) in a public origin, you can use relative paths and URIs within the code. This result means that you can reference the location of background images and other objects relative to the location of the asset that's calling it.
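Review bot: "This result means that you can reference the location of background images..." inserts a noun ("result") with no referent; the sentence explains what relative paths allow, not an outcome. Suggest "This means you can reference the location of background images and other objects relative to the location of the asset that's calling it."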
-+ While you can construct a public origin's URL, you should proceed with caution and ensure you utilize the page context property and follow the guidance for doing so. The reason for this is that if access to the CDN becomes unavailable, the URL will not automatically resolve to your organization in SharePoint Online and might result in broken links and other errors. The URL is also subject to change which is why it should not just be hard coded to its current value.
+- While you can construct a public origin's URL, you should proceed with caution, use the page context property, and follow the guidance for doing so. If access to the CDN becomes unavailable, the URL doesn't automatically resolve to your organization in SharePoint Online and might result in broken links and other errors. The URL is also subject to change, so you shouldn't hard code it to the current value.
-+ The default file types that are included for public origins are .css, .eot, .gif, .ico, .jpeg, .jpg, .js, .map, .png, .svg, .ttf, .woff and .woff2. You can specify additional file types.
+- The default file types that are included for public origins are: `.css`, `.eot`, `.gif`, `.ico`, `.jpeg`, `.jpg`, `.js`, `.map`, `.png`, `.svg`, `.ttf`, `.woff` and `.woff2`. You can specify additional file types.
-+ You can configure a policy to exclude assets that have been identified by site classifications that you specify. For example, you can choose to exclude all assets that are marked as "confidential" or "restricted" even if they are an allowed file type and are located in a public origin.
+- You can configure a policy to exclude assets based on specified site classifications. For example, you can exclude all assets that are marked as "confidential" or "restricted", even if they're an allowed file type and are located in a public origin.
#### Attributes and advantages of hosting assets in private origins
-+ Private origins can only be used for SharePoint Online assets.
+- Private origins can only be used for SharePoint Online assets.
-+ Users can only access the assets from a private origin if they have permissions to access the container. Anonymous access to these assets is prevented.
+- Users can only access the assets from a private origin if they have permissions to access the container. Anonymous access to these assets is prevented.
-+ Assets in private origins must be referred from the SharePoint Online tenant. Direct access to private CDN assets does not work.
+- Assets in private origins must be referred from the SharePoint Online tenant. Direct access to private CDN assets doesn't work.
-+ If you remove an asset from the private origin, the asset may continue to be available for up to an hour from the cache; however, we will invalidate links to the asset in the CDN within 15 minutes of the asset's removal.
+- If you remove an asset from the private origin, the asset might continue to be available for up to an hour from the cache. But, links to the asset in the CDN are invalid within 15 minutes of the removal of the asset.
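Review bot: the second sentence now opens with "But," (sentence-initial "But" followed by a comma) and turns the action "we will invalidate links" into the state "links ... are invalid", while the parallel public-origin bullet above keeps "however, we invalidate links to the asset in the CDN within 15 minutes". Keep the two bullets parallel, for example: "However, links to the asset in the CDN are invalidated within 15 minutes of the asset's removal."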
-+ The default file types that are included for private origins are .gif, .ico, .jpeg, .jpg, .js, and .png. You can specify additional file types.
+- The default file types that are included for private origins are .gif, .ico, .jpeg, .jpg, .js, and .png. You can specify additional file types.
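Review bot: formatting inconsistency between the two "default file types" bullets: the public-origin bullet in this change adds a colon and wraps every extension in backticks (`.css`, `.eot`, ...), but this private-origin bullet leaves them as plain text (.gif, .ico, ...). Apply the same code formatting here: "The default file types that are included for private origins are: `.gif`, `.ico`, `.jpeg`, `.jpg`, `.js`, and `.png`."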
-+ Just like with public origins, you can configure a policy to exclude assets that have been identified by site classifications that you specify even if you use wildcards to include all assets within a folder or document library.
+- Just like with public origins, you can configure a policy to exclude assets that are identified by site classifications that you specify even if you use wildcards to include all assets within a folder or document library.
For more information about why to use the Office 365 CDN, general CDN concepts, and other Microsoft CDNs you can use with your Office 365 tenant, see [Content Delivery Networks](content-delivery-networks.md).
Unless you specify otherwise, Office 365 sets up some default origins for you wh
Default private CDN origins:
-+ \*/siteassets
+- \*/siteassets
Default public CDN origins:
-+ \*/masterpage
-+ \*/style library
-+ \*/clientsideassets
+- \*/masterpage
+- \*/style library
+- \*/clientsideassets
> [!NOTE] > _clientsideassets_ is a default public origin that was added to the Office 365 CDN service in December 2017. This origin must be present in order for SharePoint Framework solutions in the CDN to work. If you enabled the Office 365 CDN prior to December 2017, or if you skipped setup of default origins when you enabled the CDN, you can manually add this origin. For more information, see [My client-side web part or SharePoint Framework solution isn't working](use-microsoft-365-cdn-with-spo.md#my-client-side-web-part-or-sharepoint-framework-solution-isnt-working).
The procedures in this section require you to use the SharePoint Online Manageme
Complete these steps to set up and configure the CDN to host your assets in SharePoint Online using the SharePoint Online Management Shell. <details>
- <summary>Click to expand</summary>
+ <summary>Select to expand</summary>
### Enable your organization to use the Office 365 CDN
Now use the **Get-SPOTenantCdnEnabled** cmdlet to retrieve the CDN status settin
Get-SPOTenantCdnEnabled -CdnType <Public | Private> ```
-The status of the CDN for the specified CdnType will output to the screen.
+The status of the CDN for the specified CdnType is shown on the screen.
-Use the **Set-SPOTenantCdnEnabled** cmdlet to enable your organization to use the Office 365 CDN. You can enable your organization to use public origins, private origins, or both at once. You can also configure the CDN to skip the setup of default origins when you enable it. You can always add these origins later as described in this topic.
+Use the **Set-SPOTenantCdnEnabled** cmdlet to enable your organization to use the Office 365 CDN. You can enable your organization to use public origins, private origins, or both at once. You can also configure the CDN to skip the setup of default origins when you enable it. You can always add these origins later as described in this article.
In Windows PowerShell for SharePoint Online:
To enable your organization to use both public and private origins but skip sett
Set-SPOTenantCdnEnabled -CdnType Both -Enable $true -NoDefaultOrigins ```
-See [Default CDN origins](use-microsoft-365-cdn-with-spo.md#default-cdn-origins) for information about the origins that are provisioned by default when you enable the Office 365 CDN, and the potential impact of skipping the setup of default origins.
+See [Default CDN origins](use-microsoft-365-cdn-with-spo.md#default-cdn-origins) for information about the origins that are provisioned by default when you enable the Office 365 CDN, and the potential effect of skipping the setup of default origins.
To enable your organization to use public origins, type the following command:
Set-SPOTenantCdnEnabled -CdnType Private -Enable $true
For more information about this cmdlet, see [Set-SPOTenantCdnEnabled](/powershell/module/sharepoint-online/Set-SPOTenantCdnEnabled). <a name="Office365CDNforSPOFileType"> </a>+ ### Change the list of file types to include in the Office 365 CDN (Optional) > [!TIP]
Get-SPOTenantCdnPolicies -CdnType <Public | Private>
For more information about these cmdlets, see [Set-SPOTenantCdnPolicy](/powershell/module/sharepoint-online/) and [Get-SPOTenantCdnPolicies](/powershell/module/sharepoint-online/). <a name="Office365CDNforSPOSiteClassification"> </a>+ ### Change the list of site classifications you want to exclude from the Office 365 CDN (Optional) > [!TIP] > When you exclude site classifications by using the **Set-SPOTenantCdnPolicy** cmdlet, you overwrite the currently defined list. If you want to exclude additional site classifications, use the cmdlet first to find out what classifications are already excluded and then add them along with your new ones.
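Review bot: in the unchanged context right after the edited "Default CDN origins" sentence, the lead-in "To enable your organization to use public origins, type the following command:" is followed by `Set-SPOTenantCdnEnabled -CdnType Private -Enable $true`. If the public-origin command and the private-origin lead-in were simply dropped from this view, ignore this; otherwise either the text or the `-CdnType` value is wrong and should be corrected while this area is being edited. The same text/command pairing appears in the PnP PowerShell section with `Set-PnPTenantCdnEnabled -CdnType Private -Enable $true`.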
-Use the **Set-SPOTenantCdnPolicy** cmdlet to exclude site classifications that you do not want to make available over the CDN. By default, no site classifications are excluded.
+Use the **Set-SPOTenantCdnPolicy** cmdlet to exclude site classifications that you don't want to make available over the CDN. By default, no site classifications are excluded.
In Windows PowerShell for SharePoint Online:
To see what site classifications are currently restricted, use the **Get-SPOTena
Get-SPOTenantCdnPolicies -CdnType <Public | Private> ```
-The properties that will be returned are _IncludeFileExtensions_, _ExcludeRestrictedSiteClassifications_ and _ExcludeIfNoScriptDisabled_.
+The returned properties are _IncludeFileExtensions_, _ExcludeRestrictedSiteClassifications_ and _ExcludeIfNoScriptDisabled_.
-The _IncludeFileExtensions_ property contains the list of file extensions that will be served from the CDN.
+The _IncludeFileExtensions_ property contains the list of file extensions that are served from the CDN.
> [!NOTE] > The default file extensions are different between public and private.
-The _ExcludeRestrictedSiteClassifications_ property contains the site classifications that you want to exclude from the CDN. For example, you can exclude sites marked as **Confidential** so content from sites with that classification applied will not be served from the CDN.
+The _ExcludeRestrictedSiteClassifications_ property contains the site classifications that you want to exclude from the CDN. For example, you can exclude sites marked as **Confidential** so content from sites with that classification applied isn't served from the CDN.
The _ExcludeIfNoScriptDisabled_ property excludes content from the CDN based on the site-level _NoScript_ attribute settings. By default, the _NoScript_ attribute is set to **Enabled** for _Modern_ sites and **Disabled** for _Classic_ sites. This depends on your tenant settings. For more information about these cmdlets, see [Set-SPOTenantCdnPolicy](/powershell/module/sharepoint-online/) and [Get-SPOTenantCdnPolicies](/powershell/module/sharepoint-online/). <a name="Office365CDNforSPOOriginPosh"> </a>+ ### Add an origin for your assets Use the **Add-SPOTenantCdnOrigin** cmdlet to define an origin. You can define multiple origins. The origin is a URL that points to a SharePoint library or folder that contains the assets that you want to be hosted by the CDN.
The value of _path_ is the relative path to the library or folder that contains
Add-SPOTenantCdnOrigin -CdnType Public -OriginUrl */masterpage ```
-+ The wildcard modifier ***/** can only be used at the beginning of the path, and will match all URL segments under the specified URL.
-+ The path can point to a document library, folder or site. For example, the path _*/site1_ will match all the document libraries under the site.
+- The wildcard modifier ***/** can only be used at the beginning of the path, and matches all URL segments under the specified URL.
+- The path can point to a document library, folder or site. For example, the path _*/site1_ matches all the document libraries under the site.
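Review bot: the wildcard is written as `***/**` (three asterisks, slash, two asterisks), which is fragile Markdown because `*` is both the literal wildcard character and the emphasis delimiter; depending on the renderer it can come out as a stray asterisk or an italic slash. Since these two bullets are being reworded anyway, put the wildcard in code spans: "The wildcard modifier `*/` can only be used at the beginning of the path, and matches all URL segments under the specified URL." and "the path `*/site1` matches all the document libraries under the site" instead of `_*/site1_`. The same pair of bullets is repeated in the PnP PowerShell section and needs the same fix.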
-You can add an origin with a specific relative path. You cannot add an origin using the full path.
+You can add an origin with a specific relative path. You can't add an origin using the full path.
This example adds a private origin of the siteassets library on a specific site:
This example adds a private origin of the _folder1_ folder in the site collectio
Add-SPOTenantCdnOrigin -CdnType Private -OriginUrl sites/test/siteassets/folder1 ```
-If there is a space in the path, you can either surround the path in double quotes or replace the space with the URL encoding %20. The following examples add a private origin of the _folder 1_ folder in the site collection's site assets library:
+If there's a space in the path, you can either surround the path in double quotes or replace the space with the URL encoding %20. The following examples add a private origin of the _folder 1_ folder in the site collection's site assets library:
```powershell Add-SPOTenantCdnOrigin -CdnType Private -OriginUrl sites/test/siteassets/folder%201
For more information about this command and its syntax, see [Add-SPOTenantCdnOri
> [!NOTE] > In private origins, assets being shared from an origin must have a major version published before they can be accessed from the CDN.
-Once you've run the command, the system synchronizes the configuration across the datacenter. This can take up to 15 minutes.
+After you run the command, the system synchronizes the configuration across the datacenter. This result can take up to 15 minutes.
<a name="ExamplePublicOrigin"> </a>+ ### Example: Configure a public origin for your master pages and for your style library for SharePoint Online Normally, these origins are set up for you by default when you enable the Office 365 CDN. However, if you want to enable them manually, follow these steps.
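Review bot: "This result can take up to 15 minutes." replaces "This can take up to 15 minutes", but what takes up to 15 minutes is the configuration synchronization, not a "result". Suggest "This synchronization can take up to 15 minutes." The same substitution recurs in every later "After you run the command, the system synchronizes the configuration across the datacenter" hunk in this section and in the PnP PowerShell section, including the one that adds the "Configuration pending" sentence, so fix them together.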
-+ Use the **Add-SPOTenantCdnOrigin** cmdlet to define the style library as a public origin.
+- Use the **Add-SPOTenantCdnOrigin** cmdlet to define the style library as a public origin.
```powershell Add-SPOTenantCdnOrigin -CdnType Public -OriginUrl */style%20library ```
-+ Use the **Add-SPOTenantCdnOrigin** cmdlet to define the master pages as a public origin.
+- Use the **Add-SPOTenantCdnOrigin** cmdlet to define the master pages as a public origin.
```powershell Add-SPOTenantCdnOrigin -CdnType Public -OriginUrl */masterpage
Normally, these origins are set up for you by default when you enable the Office
For more information about this command and its syntax, see [Add-SPOTenantCdnOrigin](/powershell/module/sharepoint-online/Add-SPOTenantCdnOrigin).
-Once you've run the command, the system synchronizes the configuration across the datacenter. This can take up to 15 minutes.
+After you run the command, the system synchronizes the configuration across the datacenter. This result can take up to 15 minutes.
<a name="ExamplePrivateOrigin"> </a>+ ### Example: Configure a private origin for your site assets, site pages, and publishing images for SharePoint Online
-+ Use the **Add-SPOTenantCdnOrigin** cmdlet to define the site assets folder as a private origin.
+- Use the **Add-SPOTenantCdnOrigin** cmdlet to define the site assets folder as a private origin.
```powershell Add-SPOTenantCdnOrigin -CdnType Private -OriginUrl */siteassets ```
-+ Use the **Add-SPOTenantCdnOrigin** cmdlet to define the site pages folder as a private origin.
+- Use the **Add-SPOTenantCdnOrigin** cmdlet to define the site pages folder as a private origin.
```powershell Add-SPOTenantCdnOrigin -CdnType Private -OriginUrl */sitepages ```
-+ Use the **Add-SPOTenantCdnOrigin** cmdlet to define the publishing images folder as a private origin.
+- Use the **Add-SPOTenantCdnOrigin** cmdlet to define the publishing images folder as a private origin.
```powershell Add-SPOTenantCdnOrigin -CdnType Private -OriginUrl */publishingimages
Once you've run the command, the system synchronizes the configuration across th
For more information about this command and its syntax, see [Add-SPOTenantCdnOrigin](/powershell/module/sharepoint-online/Add-SPOTenantCdnOrigin).
-Once you've run the command, the system synchronizes the configuration across the datacenter. This can take up to 15 minutes.
+After you run the command, the system synchronizes the configuration across the datacenter. This result can take up to 15 minutes.
<a name="ExamplePrivateOriginSiteCollection"> </a>+ ### Example: Configure a private origin for a site collection for SharePoint Online Use the **Add-SPOTenantCdnOrigin** cmdlet to define a site collection as a private origin. For example:
Add-SPOTenantCdnOrigin -CdnType Private -OriginUrl sites/site1/siteassets
For more information about this command and its syntax, see [Add-SPOTenantCdnOrigin](/powershell/module/sharepoint-online/Add-SPOTenantCdnOrigin).
-Once you've run the command, the system synchronizes the configuration across the datacenter. You may see a _Configuration pending_ message which is expected as the SharePoint Online tenant connects to the CDN service. This can take up to 15 minutes.
+After you run the command, the system synchronizes the configuration across the datacenter. You might see a _Configuration pending_ message. This message is expected as the SharePoint Online tenant connects to the CDN service. This result can take up to 15 minutes.
<a name="CDNManage"> </a>+ ### Manage the Office 365 CDN
-Once you've set up the CDN, you can make changes to your configuration as you update content or as your needs change, as described in this section.
+After you set up the CDN, you can make changes to your configuration as you update content or as your needs change, as described in this section.
<a name="Office365CDNforSPOaddremoveasset"> </a>+ #### Add, update, or remove assets from the Office 365 CDN
-Once you've completed the setup steps, you can add new assets, and update or remove existing assets whenever you want. Just make your changes to the assets in the folder or SharePoint library that you identified as an origin. If you add a new asset, it is available through the CDN immediately. However, if you update the asset, it will take up to 15 minutes for the new copy to propagate and become available in the CDN.
+After you complete the setup steps, you can add new assets, and update or remove existing assets whenever you want. Just make your changes to the assets in the folder or SharePoint library that you identified as an origin. If you add a new asset, it's available through the CDN immediately. However, if you update the asset, it takes up to 15 minutes for the new copy to propagate and become available in the CDN.
If you need to retrieve the location of the origin, you can use the **Get-SPOTenantCdnOrigins** cmdlet. For information on how to use this cmdlet, see [Get-SPOTenantCdnOrigins](/powershell/module/sharepoint-online/Get-SPOTenantCdnOrigins). <a name="Office365CDNforSPORemoveOriginPosh"> </a>+ #### Remove an origin from the Office 365 CDN
-You can remove access to a folder or SharePoint library that you identified as an origin. To do this, use the **Remove-SPOTenantCdnOrigin** cmdlet.
+You can remove access to a folder or SharePoint library that you identified as an origin using the **Remove-SPOTenantCdnOrigin** cmdlet.
```powershell Remove-SPOTenantCdnOrigin -OriginUrl <path> -CdnType <Public | Private | Both>
Remove-SPOTenantCdnOrigin -OriginUrl <path> -CdnType <Public | Private | Both>
For information on how to use this cmdlet, see [Remove-SPOTenantCdnOrigin](/powershell/module/sharepoint-online/Remove-SPOTenantCdnOrigin). <a name="Office365CDNforSPOModifyOrigin"> </a>+ #### Modify an origin in the Office 365 CDN
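Review bot: merging the two sentences produced a dangling modifier: "You can remove access to a folder or SharePoint library that you identified as an origin using the **Remove-SPOTenantCdnOrigin** cmdlet" reads as if the origin was identified with the Remove cmdlet. Suggest "To remove access to a folder or SharePoint library that you identified as an origin, use the **Remove-SPOTenantCdnOrigin** cmdlet."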
-You cannot modify an origin you've created. Instead, remove the origin and then add a new one. For more information, see [To remove an origin from the Office 365 CDN](use-microsoft-365-cdn-with-spo.md#Office365CDNforSPORemoveOriginPosh) and [To add an origin for your assets](use-microsoft-365-cdn-with-spo.md#Office365CDNforSPOOriginPosh).
+You can't modify an origin after you create it. Instead, remove the origin and then add a new one. For more information, see [To remove an origin from the Office 365 CDN](use-microsoft-365-cdn-with-spo.md#Office365CDNforSPORemoveOriginPosh) and [To add an origin for your assets](use-microsoft-365-cdn-with-spo.md#Office365CDNforSPOOriginPosh).
<a name="Office365CDNforSPODisable"> </a>+ #### Disable the Office 365 CDN Use the **Set-SPOTenantCdnEnabled** cmdlet to disable the CDN for your organization. If you have both the public and private origins enabled for the CDN, you need to run the cmdlet twice as shown in the following examples.
For more information about this cmdlet, see [Set-SPOTenantCdnEnabled](/powershel
</details> <a name="CDNSetupinPnPPosh"> </a>+ ## Set up and configure the Office 365 CDN by using PnP PowerShell The procedures in this section require you to use PnP PowerShell to connect to SharePoint Online. For instructions, see [Getting started with PnP PowerShell](https://github.com/SharePoint/PnP-PowerShell#getting-started).
The procedures in this section require you to use PnP PowerShell to connect to S
Complete these steps to set up and configure the CDN to host your assets in SharePoint Online using PnP PowerShell. <details>
- <summary>Click to expand</summary>
+ <summary>Select to expand</summary>
### Enable your organization to use the Office 365 CDN
Now use the **Get-PnPTenantCdnEnabled** cmdlet to retrieve the CDN status settin
Get-PnPTenantCdnEnabled -CdnType <Public | Private> ```
-The status of the CDN for the specified CdnType will output to the screen.
+The status of the CDN for the specified CdnType is shown on the screen.
-Use the **Set-PnPTenantCdnEnabled** cmdlet to enable your organization to use the Office 365 CDN. You can enable your organization to use public origins, private origins, or both at the same time. You can also configure the CDN to skip the setup of default origins when you enable it. You can always add these origins later as described in this topic.
+Use the **Set-PnPTenantCdnEnabled** cmdlet to enable your organization to use the Office 365 CDN. You can enable your organization to use public origins, private origins, or both at the same time. You can also configure the CDN to skip the setup of default origins when you enable it. You can always add these origins later as described in this article.
In PnP PowerShell:
To enable your organization to use both public and private origins but skip sett
Set-PnPTenantCdnEnabled -CdnType Both -Enable $true -NoDefaultOrigins ```
-See [Default CDN origins](use-microsoft-365-cdn-with-spo.md#default-cdn-origins) for information about the origins that are provisioned by default when you enable the Office 365 CDN, and the potential impact of skipping the setup of default origins.
+See [Default CDN origins](use-microsoft-365-cdn-with-spo.md#default-cdn-origins) for information about the origins that are provisioned by default when you enable the Office 365 CDN, and the potential effect of skipping the setup of default origins.
To enable your organization to use public origins, type the following command:
Set-PnPTenantCdnEnabled -CdnType Private -Enable $true
For more information about this cmdlet, see [Set-PnPTenantCdnEnabled](https://pnp.github.io/powershell/cmdlets/Set-PnPTenantCdnEnabled.html). <a name="Office365CDNforPnPPoshFileType"> </a>+ ### Change the list of file types to include in the Office 365 CDN (Optional) > [!TIP]
Get-PnPTenantCdnPolicies -CdnType <Public | Private>
For more information about these cmdlets, see [Set-PnPTenantCdnPolicy](https://pnp.github.io/powershell/cmdlets/Set-PnPTenantCdnPolicy.html) and [Get-PnPTenantCdnPolicies](https://pnp.github.io/powershell/cmdlets/Get-PnPTenantCdnPolicies.html). <a name="Office365CDNforPnPPoshSiteClassification"> </a>+ ### Change the list of site classifications you want to exclude from the Office 365 CDN (Optional) > [!TIP] > When you exclude site classifications by using the **Set-PnPTenantCdnPolicy** cmdlet, you overwrite the currently defined list. If you want to exclude additional site classifications, use the cmdlet first to find out what classifications are already excluded and then add them along with your new ones.
-Use the **Set-PnPTenantCdnPolicy** cmdlet to exclude site classifications that you do not want to make available over the CDN. By default, no site classifications are excluded.
+Use the **Set-PnPTenantCdnPolicy** cmdlet to exclude site classifications that you don't want to make available over the CDN. By default, no site classifications are excluded.
In PnP PowerShell:
To see what site classifications are currently restricted, use the **Get-PnPTena
Get-PnPTenantCdnPolicies -CdnType <Public | Private> ```
-The properties that will be returned are _IncludeFileExtensions_, _ExcludeRestrictedSiteClassifications_ and _ExcludeIfNoScriptDisabled_.
+The returned properties are _IncludeFileExtensions_, _ExcludeRestrictedSiteClassifications_ and _ExcludeIfNoScriptDisabled_.
-The _IncludeFileExtensions_ property contains the list of file extensions that will be served from the CDN.
+The _IncludeFileExtensions_ property contains the list of file extensions that are served from the CDN.
> [!NOTE] > The default file extensions are different between public and private.
-The _ExcludeRestrictedSiteClassifications_ property contains the site classifications that you want to exclude from the CDN. For example, you can exclude sites marked as **Confidential** so content from sites with that classification applied will not be served from the CDN.
+The _ExcludeRestrictedSiteClassifications_ property contains the site classifications that you want to exclude from the CDN. For example, you can exclude sites marked as **Confidential** so content from sites with that classification applied won't be served from the CDN.
The _ExcludeIfNoScriptDisabled_ property excludes content from the CDN based on the site-level _NoScript_ attribute settings. By default, the _NoScript_ attribute is set to **Enabled** for _Modern_ sites and **Disabled** for _Classic_ sites. This depends on your tenant settings. For more information about these cmdlets, see [Set-PnPTenantCdnPolicy](https://pnp.github.io/powershell/cmdlets/Set-PnPTenantCdnPolicy.html) and [Get-PnPTenantCdnPolicies](https://pnp.github.io/powershell/cmdlets/Get-PnPTenantCdnPolicies.html). <a name="Office365CDNforSPOOriginPnPPosh"> </a>+ ### Add an origin for your assets Use the **Add-PnPTenantCdnOrigin** cmdlet to define an origin. You can define multiple origins. The origin is a URL that points to a SharePoint library or folder that contains the assets that you want to be hosted by the CDN.
The value of _path_ is the relative path to the library or folder that contains
Add-PnPTenantCdnOrigin -CdnType Public -OriginUrl */masterpage ```
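Review bot: the ExcludeRestrictedSiteClassifications example in this PnP section is rewritten to "content from sites with that classification applied won't be served from the CDN", while the identical sentence in the SharePoint Online Management Shell section above is rewritten to "isn't served from the CDN". The two sections are meant to be parallel, so use one form in both; the rest of this change prefers the present tense, "isn't served".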
-+ The wildcard modifier ***/** can only be used at the beginning of the path, and will match all URL segments under the specified URL.
-+ The path can point to a document library, folder or site. For example, the path _*/site1_ will match all the document libraries under the site.
+- The wildcard modifier ***/** can only be used at the beginning of the path, and matches all URL segments under the specified URL.
+- The path can point to a document library, folder or site. For example, the path _*/site1_ matches all the document libraries under the site.
-You can add an origin with a specific relative path. You cannot add an origin using the full path.
+You can add an origin with a specific relative path. You can't add an origin using the full path.
This example adds a private origin of the site assets library on a specific site:
This example adds a private origin of the _folder1_ folder in the site collectio
Add-PnPTenantCdnOrigin -CdnType Private -OriginUrl sites/test/siteassets/folder1 ```
-If there is a space in the path, you can either surround the path in double quotes or replace the space with the URL encoding %20. The following examples add a private origin of the _folder 1_ folder in the site collection's site assets library:
+If there's a space in the path, you can either surround the path in double quotes or replace the space with the URL encoding %20. The following examples add a private origin of the _folder 1_ folder in the site collection's site assets library:
```powershell Add-PnPTenantCdnOrigin -CdnType Private -OriginUrl sites/test/siteassets/folder%201
Add-PnPTenantCdnOrigin -CdnType Private -OriginUrl "sites/test/siteassets/folder
For more information about this command and its syntax, see [Add-PnPTenantCdnOrigin](https://pnp.github.io/powershell/cmdlets/Add-PnPTenantCdnOrigin.html). > [!NOTE]
-> In private origins, assets being shared from an origin must have a major version published before they can be accessed from the CDN.
+> In private origins, assets shared from an origin must have a major version published before they're accessible from the CDN.
-Once you've run the command, the system synchronizes the configuration across the datacenter. This can take up to 15 minutes.
+After you run the command, the system synchronizes the configuration across the datacenter. This result can take up to 15 minutes.
<a name="ExamplePublicOriginPnPPosh"> </a>+ ### Example: Configure a public origin for your master pages and for your style library for SharePoint Online Normally, these origins are set up for you by default when you enable the Office 365 CDN. However, if you want to enable them manually, follow these steps.
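Review bot: "This result can take up to 15 minutes" in the rewritten sentence attaches "result" to nothing; the thing that takes time is the synchronization itself. Suggest "This synchronization can take up to 15 minutes." The identical sentence is rewritten the same way in the style library, private origin and site collection hunks below, so the same fix applies there.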
-+ Use the **Add-PnPTenantCdnOrigin** cmdlet to define the style library as a public origin.
+- Use the **Add-PnPTenantCdnOrigin** cmdlet to define the style library as a public origin.
```powershell Add-PnPTenantCdnOrigin -CdnType Public -OriginUrl */style%20library ```
-+ Use the **Add-PnPTenantCdnOrigin** cmdlet to define the master pages as a public origin.
+- Use the **Add-PnPTenantCdnOrigin** cmdlet to define the master pages as a public origin.
```powershell Add-PnPTenantCdnOrigin -CdnType Public -OriginUrl */masterpage
Normally, these origins are set up for you by default when you enable the Office
For more information about this command and its syntax, see [Add-PnPTenantCdnOrigin](https://pnp.github.io/powershell/cmdlets/Add-PnPTenantCdnOrigin.html).
-Once you've run the command, the system synchronizes the configuration across the datacenter. This can take up to 15 minutes.
+After you run the command, the system synchronizes the configuration across the datacenter. This result can take up to 15 minutes.
<a name="ExamplePrivateOriginPnPPosh"> </a>+ ### Example: Configure a private origin for your site assets, site pages, and publishing images for SharePoint Online
-+ Use the **Add-PnPTenantCdnOrigin** cmdlet to define the site assets folder as a private origin.
+- Use the **Add-PnPTenantCdnOrigin** cmdlet to define the site assets folder as a private origin.
```powershell Add-PnPTenantCdnOrigin -CdnType Private -OriginUrl */siteassets ```
-+ Use the **Add-PnPTenantCdnOrigin** cmdlet to define the site pages folder as a private origin.
+- Use the **Add-PnPTenantCdnOrigin** cmdlet to define the site pages folder as a private origin.
```powershell Add-PnPTenantCdnOrigin -CdnType Private -OriginUrl */sitepages ```
-+ Use the **Add-PnPTenantCdnOrigin** cmdlet to define the publishing images folder as a private origin.
+- Use the **Add-PnPTenantCdnOrigin** cmdlet to define the publishing images folder as a private origin.
```powershell Add-PnPTenantCdnOrigin -CdnType Private -OriginUrl */publishingimages
Once you've run the command, the system synchronizes the configuration across th
For more information about this command and its syntax, see [Add-PnPTenantCdnOrigin](https://pnp.github.io/powershell/cmdlets/Add-PnPTenantCdnOrigin.html).
-Once you've run the command, the system synchronizes the configuration across the datacenter. This can take up to 15 minutes.
+After you run the command, the system synchronizes the configuration across the datacenter. This result can take up to 15 minutes.
<a name="ExamplePrivateOriginSiteCollectionPnPPosh"> </a>+ ### Example: Configure a private origin for a site collection for SharePoint Online Use the **Add-PnPTenantCdnOrigin** cmdlet to define a site collection as a private origin. For example:
Add-PnPTenantCdnOrigin -CdnType Private -OriginUrl sites/site1/siteassets
For more information about this command and its syntax, see [Add-PnPTenantCdnOrigin](https://pnp.github.io/powershell/cmdlets/Add-PnPTenantCdnOrigin.html).
-Once you've run the command, the system synchronizes the configuration across the datacenter. You may see a _Configuration pending_ message which is expected as the SharePoint Online tenant connects to the CDN service. This can take up to 15 minutes.
+After you run the command, the system synchronizes the configuration across the datacenter. You might see a _Configuration pending_ message. This result is expected as the SharePoint Online tenant connects to the CDN service. This result can take up to 15 minutes.
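Review bot: "This result is expected ... This result can take up to 15 minutes." uses "This result" twice in consecutive sentences for two different referents (the pending message and the propagation time), which reads as a copy-paste slip. Suggest "This message is expected while the SharePoint Online tenant connects to the CDN service. Synchronization can take up to 15 minutes."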
<a name="CDNManagePnPPosh"> </a>+ ### Manage the Office 365 CDN
-Once you've set up the CDN, you can make changes to your configuration as you update content or as your needs change, as described in this section.
+After you set up the CDN, you can make changes to your configuration as you update content or as your needs change, as described in this section.
<a name="Office365CDNforSPOaddremoveassetPnPPosh"> </a>+ #### Add, update, or remove assets from the Office 365 CDN
-Once you've completed the setup steps, you can add new assets, and update or remove existing assets whenever you want. Just make your changes to the assets in the folder or SharePoint library that you identified as an origin. If you add a new asset, it is available through the CDN immediately. However, if you update the asset, it will take up to 15 minutes for the new copy to propagate and become available in the CDN.
+After you complete the setup steps, you can add new assets, and update or remove existing assets whenever you want. Just make your changes to the assets in the folder or SharePoint library that you identified as an origin. If you add a new asset, it's available through the CDN immediately. However, if you update the asset, it takes up to 15 minutes for the new copy to propagate and become available in the CDN.
-If you need to retrieve the location of the origin, you can use the **Get-PnPTenantCdnOrigin** cmdlet. For information on how to use this cmdlet, see [Get-PnPTenantCdnOrigin](/powershell/module/sharepoint-pnp/get-pnptenantcdnorigin).
+If you need to retrieve the location of the origin, you can use the **Get-PnPTenantCdnOrigin** cmdlet. For information on how to use this cmdlet, see [Get-PnPTenantCdnOrigin](https://github.com/pnp/powershell/blob/dev/documentation/Get-PnPTenantCdnOrigin.md).
<a name="Office365CDNforSPORemoveOriginPnPPosh"> </a>+ #### Remove an origin from the Office 365 CDN
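Review bot: the Get-PnPTenantCdnOrigin link is changed to a raw GitHub markdown file (`https://github.com/pnp/powershell/blob/dev/documentation/Get-PnPTenantCdnOrigin.md`) while every other cmdlet reference on this page, including Add-PnPTenantCdnOrigin and Remove-PnPTenantCdnOrigin, points at the rendered docs under `https://pnp.github.io/powershell/cmdlets/`. A `dev` branch file path is also more likely to move than the published page. Suggest `https://pnp.github.io/powershell/cmdlets/Get-PnPTenantCdnOrigin.html` for consistency.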
-You can remove access to a folder or SharePoint library that you identified as an origin. To do this, use the **Remove-PnPTenantCdnOrigin** cmdlet.
+You can remove access to a folder or SharePoint library that you identified as an origin. To take this action, use the **Remove-PnPTenantCdnOrigin** cmdlet.
```powershell Remove-PnPTenantCdnOrigin -OriginUrl <path> -CdnType <Public | Private | Both>
Remove-PnPTenantCdnOrigin -OriginUrl <path> -CdnType <Public | Private | Both>
For information on how to use this cmdlet, see [Remove-PnPTenantCdnOrigin](https://pnp.github.io/powershell/cmdlets/Remove-PnPTenantCdnOrigin.html). <a name="Office365CDNforSPOModifyOriginPnPPosh"> </a>+ #### Modify an origin in the Office 365 CDN
-You cannot modify an origin you've created. Instead, remove the origin and then add a new one. For more information, see [To remove an origin from the Office 365 CDN](use-microsoft-365-cdn-with-spo.md#Office365CDNforSPORemoveOriginPnPPosh) and [To add an origin for your assets](use-microsoft-365-cdn-with-spo.md#Office365CDNforSPOOriginPnPPosh).
+You can't modify an origin after you create it. Instead, remove the origin and then add a new one. For more information, see [To remove an origin from the Office 365 CDN](use-microsoft-365-cdn-with-spo.md#Office365CDNforSPORemoveOriginPnPPosh) and [To add an origin for your assets](use-microsoft-365-cdn-with-spo.md#Office365CDNforSPOOriginPnPPosh).
<a name="Office365CDNforSPODisable"> </a>+ #### Disable the Office 365 CDN Use the **Set-PnPTenantCdnEnabled** cmdlet to disable the CDN for your organization. If you have both the public and private origins enabled for the CDN, you need to run the cmdlet twice as shown in the following examples.
For more information about this cmdlet, see [Set-PnPTenantCdnEnabled](https://pn
</details> <a name="CDNSetupinCLI"> </a>+ ## Set up and configure the Office 365 CDN using the CLI for Microsoft 365
-The procedures in this section require that you have installed the [CLI for Microsoft 365](https://aka.ms/cli-m365). Next, connect to your Office 365 tenant using the [login](https://pnp.github.io/cli-microsoft365/cmd/login/) command.
+The procedures in this section require the [CLI for Microsoft 365](https://aka.ms/cli-m365). The, connect to your Office 365 tenant using the [login](https://pnp.github.io/cli-microsoft365/cmd/login/) command.
Complete these steps to set up and configure the CDN to host your assets in SharePoint Online using the CLI for Microsoft 365. <details>
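Review bot: "The, connect to your Office 365 tenant" is a typo introduced by this rewrite; it should read "Then, connect to your Office 365 tenant". Dropping "have installed" also leaves "require the CLI for Microsoft 365" slightly ambiguous about what the reader must do; "require the [CLI for Microsoft 365] to be installed" keeps the original meaning.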
- <summary>Click to expand</summary>
+ <summary>Select to expand</summary>
### Enable the Office 365 CDN You can manage the state of the Office 365 CDN in your tenant using the [spo cdn set](https://pnp.github.io/cli-microsoft365/cmd/spo/cdn/cdn-set/) command.
-To enable the Office 365 Public CDN in your tenant execute:
+To enable the Office 365 Public CDN in your tenant, run the following command:
```cli m365 spo cdn set --type Public --enabled true ```
-To enable the Office 365 SharePoint CDN, execute:
+To enable the Office 365 SharePoint CDN, run the following command:
```cli m365 spo cdn set --type Private --enabled true
m365 spo cdn set --type Private --enabled true
To check if the particular type of Office 365 CDN is enabled or disabled, use the [spo cdn get](https://pnp.github.io/cli-microsoft365/cmd/spo/cdn/cdn-get/) command.
-To check if the Office 365 Public CDN is enabled, execute:
+To check if the Office 365 Public CDN is enabled, run the following command:
```cli m365 spo cdn get --type Public
m365 spo cdn get --type Public
### View the Office 365 CDN origins
-To view the currently configured Office 365 Public CDN origins execute:
+To view the currently configured Office 365 Public CDN origins, run the following command:
```cli m365 spo cdn origin list --type Public
See [Default CDN origins](use-microsoft-365-cdn-with-spo.md#default-cdn-origins)
> [!IMPORTANT] > You should never place resources that are considered sensitive to your organization in a SharePoint document library configured as a public origin.
-Use the [spo cdn origin add](https://pnp.github.io/cli-microsoft365/cmd/spo/cdn/cdn-origin-add/) command to define a CDN origin. You can define multiple origins. The origin is a URL that points to a SharePoint library or folder that contains the assets that you want to be hosted by the CDN.
+Use the [spo cdn origin add](https://pnp.github.io/cli-microsoft365/cmd/spo/cdn/cdn-origin-add/) command to define a CDN origin. You can define multiple origins. The origin is a URL that points to a SharePoint library or folder that contains the assets that you want the CDN to host.
```cli m365 spo cdn origin add --type [Public | Private] --origin <path>
m365 spo cdn origin add --type [Public | Private] --origin <path>
Where `path` is the relative path to the folder that contains the assets. You can use wildcards in addition to relative paths.
-To include all assets in the **Master Page Gallery** of all sites as a public origin, execute:
+To include all assets in the **Master Page Gallery** of all sites as a public origin, run the following command:
```cli m365 spo cdn origin add --type Public --origin */masterpage ```
-To configure a private origin for a specific site collection, execute:
+To configure a private origin for a specific site collection, run the following command:
```cli m365 spo cdn origin add --type Private --origin sites/site1/siteassets
m365 spo cdn origin add --type Private --origin sites/site1/siteassets
Use the [spo cdn origin remove](https://pnp.github.io/cli-microsoft365/cmd/spo/cdn/cdn-origin-remove/) command to remove a CDN origin for the specified CDN type.
-To remove a public origin from the CDN configuration, execute:
+To remove a public origin from the CDN configuration, run the following command:
```cli m365 spo cdn origin remove --type Public --origin */masterpage ``` > [!NOTE]
-> Removing a CDN origin doesn't affect the files stored in any document library matching that origin. If these assets have been referenced using their SharePoint URL, SharePoint will automatically switch back to the original URL pointing to the document library. If, however, assets have been referenced using a public CDN URL, then removing the origin will break the link and you will need to manually change them.
+> Removing a CDN origin doesn't effect the files stored in any document library that matches the origin. If these assets are referenced using their SharePoint URL, SharePoint automatically switches back to the original URL pointing to the document library. If the assets are referenced using a public CDN URL, removing the origin breaks the link, and you need to manually change them.
### Modify an Office 365 CDN origin
It's not possible to modify an existing CDN origin. Instead, you should remove t
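Review bot: "doesn't effect the files" is a wrong-word error introduced here; the original "doesn't affect" was correct. Suggest "Removing a CDN origin doesn't affect the files stored in any document library that matches the origin."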
### Change the types of files to include in the Office 365 CDN
-By default, the following file types are included in the CDN: _.css, .eot, .gif, .ico, .jpeg, .jpg, .js, .map, .png, .svg, .ttf, .woff and .woff2_. If you need to include additional file types in the CDN, you can change the CDN configuration using the [spo cdn policy set](https://pnp.github.io/cli-microsoft365/cmd/spo/cdn/cdn-policy-set/) command.
+By default, the following file types are included in the CDN: `.css`, `.eot`, `.gif`, `.ico`, `.jpeg`, `.jpg`, `.js`, `.map`, `.png`, `.svg`, `.ttf`, `.woff`, and `.woff2`. If you need to include additional file types in the CDN, you can change the CDN configuration using the [spo cdn policy set](https://pnp.github.io/cli-microsoft365/cmd/spo/cdn/cdn-policy-set/) command.
> [!NOTE] > When changing the list of file types, you overwrite the currently defined list. If you want to include additional file types, first use the [spo cdn policy list](https://pnp.github.io/cli-microsoft365/cmd/spo/cdn/cdn-origin-list/) command to find out which file types are currently configured.
-To add the _JSON_ file type to the default list of file types included in the public CDN, execute:
+To add the _JSON_ file type to the default list of file types included in the public CDN, run the following command:
```cli m365 spo cdn policy set --type Public --policy IncludeFileExtensions --value "CSS,EOT,GIF,ICO,JPEG,JPG,JS,MAP,PNG,SVG,TTF,WOFF,JSON"
m365 spo cdn policy set --type Public --policy IncludeFileExtensions --value "CS
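Review bot: the example value for `IncludeFileExtensions` ends in `...TTF,WOFF,JSON` and omits `WOFF2`, even though the rewritten sentence just above lists `.woff2` as part of the default set and the note states that setting the policy overwrites the current list. As written, running the example to "add JSON" silently drops `.woff2` from the public CDN. Suggest `"CSS,EOT,GIF,ICO,JPEG,JPG,JS,MAP,PNG,SVG,TTF,WOFF,WOFF2,JSON"`. Separately, the unchanged note in this hunk links the `spo cdn policy list` command to `cdn-origin-list`, while the site classifications section below links the same command to `cdn-policy-list`; the latter is the right target.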
### Change the list of site classifications you want to exclude from the Office 365 CDN
-Use the [spo cdn policy set](https://pnp.github.io/cli-microsoft365/cmd/spo/cdn/cdn-policy-set/) command to exclude site classifications that you do not want to make available over the CDN. By default, no site classifications are excluded.
+Use the [spo cdn policy set](https://pnp.github.io/cli-microsoft365/cmd/spo/cdn/cdn-policy-set/) command to exclude site classifications that you don't want to make available over the CDN. By default, no site classifications are excluded.
> [!NOTE] > When changing the list of excluded site classifications, you overwrite the currently defined list. If you want to exclude additional classifications, first use the [spo cdn policy list](https://pnp.github.io/cli-microsoft365/cmd/spo/cdn/cdn-policy-list/) command to find out which classifications are currently configured.
-To exclude sites classified as _HBI_ from the public CDN, execute
+To exclude sites classified as _HBI_ from the public CDN, run the following command:
```cli m365 spo cdn policy set --type Public --policy ExcludeRestrictedSiteClassifications --value "HBI"
m365 spo cdn set --type Public --enabled false
## Using your CDN assets
-Now that you have enabled the CDN and configured origins and policies, you can begin using your CDN assets.
+Now that you enabled the CDN and configured origins and policies, you can begin using your CDN assets.
-This section will help you understand how to use CDN URLs in your SharePoint pages and content so that SharePoint redirects requests for assets in both public and private origins to the CDN.
+This section helps you understand how to use CDN URLs in your SharePoint pages and content so that SharePoint redirects requests for assets in both public and private origins to the CDN.
-+ [Updating links to CDN assets](use-microsoft-365-cdn-with-spo.md#updating-links-to-cdn-assets)
-+ [Using assets in public origins](use-microsoft-365-cdn-with-spo.md#using-assets-in-public-origins)
-+ [Using assets in private origins](use-microsoft-365-cdn-with-spo.md#using-assets-in-private-origins)
+- [Updating links to CDN assets](use-microsoft-365-cdn-with-spo.md#updating-links-to-cdn-assets)
+- [Using assets in public origins](use-microsoft-365-cdn-with-spo.md#using-assets-in-public-origins)
+- [Using assets in private origins](use-microsoft-365-cdn-with-spo.md#using-assets-in-private-origins)
-For information on how to use the CDN for hosting client-side web parts, see the topic [Host your client-side web part from Office 365 CDN (Hello World part 4)](/sharepoint/dev/spfx/web-parts/get-started/hosting-webpart-from-office-365-cdn).
+For information on how to use the CDN for hosting client-side web parts, see the article [Host your client-side web part from Office 365 CDN (Hello World part 4)](/sharepoint/dev/spfx/web-parts/get-started/hosting-webpart-from-office-365-cdn).
> [!NOTE] > If you add the _ClientSideAssets_ folder to the **private** CDN origins list, CDN-hosted custom web parts will fail to render. Files used by SPFX web parts can only utilize the public CDN and the ClientSideAssets folder is a default origin for public CDN. ### Updating links to CDN assets
-To use assets that you have added to an origin, you simply update links to the original file with the path to the file in the origin.
+To use assets that you added to an origin, you simply update links to the original file with the path to the file in the origin.
-+ Edit the page or content that contains links to assets you have added to an origin. You can also use one of several methods to globally search and replace links across an enter site or site collection if you want to update the link to a given asset everywhere it appears.
-+ For each link to an asset in an origin, replace the path with the path to the file in the CDN origin. You can use relative paths.
-+ Save the page or content.
+- Edit the page or content that contains links to assets you added to an origin. You can also use one of several methods to globally search and replace links across an enter site or site collection if you want to update the link to a given asset everywhere it appears.
+- For each link to an asset in an origin, replace the path with the path to the file in the CDN origin. You can use relative paths.
+- Save the page or content.
-For example, consider the image _/site/SiteAssets/images/image.png_, which you have copied to the document library folder _/site/CDN_origins/public/_. To use the CDN asset, replace the original path to the image file location with the path to the origin to make the new URL _/site/CDN_origins/public/image.png_.
+For example, consider the image _/site/SiteAssets/images/image.png_, which you copied to the document library folder _/site/CDN_origins/public/_. To use the CDN asset, replace the original path to the image file location with the path to the origin to make the new URL _/site/CDN_origins/public/image.png_.
If you want to use the full URL to the asset instead of a relative path, construct the link like so:
To learn about how to verify that assets are being served from the CDN, see [How
The **Publishing feature** in SharePoint Online automatically rewrites URLs of assets stored in public origins to their CDN equivalents so that assets are served from the CDN service instead of SharePoint.
-If your origin is in a site with the Publishing feature enabled, and the assets you want to offload to the CDN are in one of the following categories, SharePoint will automatically rewrite URLs for assets in the origin, provided that the asset has not been excluded by a CDN policy.
+If your origin is in a site with the Publishing feature enabled, and the assets you want to offload to the CDN are in one of the following categories, SharePoint automatically rewrites URLs for assets in the origin, if the asset hasn't been excluded by a CDN policy.
-The following is an overview of which links are automatically rewritten by the SharePoint Publishing feature:
+The following example is an overview where links are automatically rewritten by the SharePoint Publishing feature:
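Review bot: "The following example is an overview where links are automatically rewritten" changes the meaning; the list is not an example and "where" reads as a location. Suggest "The following list summarizes which links the SharePoint Publishing feature rewrites automatically:".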
-+ IMG/LINK/CSS URLs in classic publishing page HTML responses
- + This includes images added by authors within the HTML content of a page
-+ Picture Library SlideShow webpart image URLs
-+ Image fields in SPList REST API (RenderListDataAsStream) results
- + Use the new property _ImageFieldsToTryRewriteToCdnUrls_ to provide a comma separated list of fields
- + Supports hyperlink fields and PublishingImage fields
-+ SharePoint image renditions
+- IMG/LINK/CSS URLs in classic publishing page HTML responses.
+ - This includes images added by authors within the HTML content of a page.
+- Picture Library SlideShow webpart image URLs.
+- Image fields in SPList REST API (RenderListDataAsStream) results.
+ - Use the new property _ImageFieldsToTryRewriteToCdnUrls_ to provide a comma separated list of fields.
+ - Supports hyperlink fields and PublishingImage fields.
+- SharePoint image renditions.
The following diagram illustrates the workflow when SharePoint receives a request for a page containing assets from a public origin.
The following diagram illustrates the workflow when SharePoint receives a reques
#### Constructing CDN URLs for public assets
-If the _Publishing_ feature is not enabled for a public origin, or the asset is not one of the link types supported by the auto-rewrite feature of the CDN service, you can manually construct URLs to the CDN location of the assets and use these URLs in your content.
+If the _Publishing_ feature isn't enabled for a public origin, or the asset isn't one of the link types supported by the auto-rewrite feature of the CDN service, you can manually construct URLs to the CDN location of the assets and use these URLs in your content.
> [!NOTE]
-> You cannot hardcode or construct CDN URLs to assets in a private origin because the required access token that forms the last section of the URL is generated at the time the resource is requested. You can construct the URL for Public CDN and the URL should not be hard coded as it is subject to change.
+> You cannot hardcode or construct CDN URLs to assets in a private origin because the required access token that forms the last section of the URL is generated at the time the resource is requested. You can construct the URL for Public CDN and the URL should not be hard coded as it's subject to change.
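Review bot: "You cannot hardcode" and "should not be hard coded" are left uncontracted here while the rest of this change converts "cannot" to "can't" (for example in the relative path, modify origin and test URL hunks). Either form is fine, but keep it consistent within the page; "hardcode" and "hard coded" should also be spelled the same way in the two sentences.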
-For public CDN assets, the URL format will look like the following:
+For public CDN assets, the URL format looks like the following example:
```http https://publiccdn.sharepointonline.com/<TenantHostName>/sites/site/library/asset.png ```
-Replace **TenantHostName** with your tenant name. Example:
+Replace **TenantHostName** with your tenant name. For example:
```http https://publiccdn.sharepointonline.com/contoso.sharepoint.com/sites/site/library/asset.png ``` > [!NOTE]
-> The page context property should be used to construct the prefix instead of hard coding "https://publiccdn.sharepointonline.com". The URL is subject to change and should not be hard coded. If you are using display templates with Classic SharePoint Online then you can use the property "window._spPageContextInfo.publicCdnBaseUrl" in your display template for the prefix of the URL. If you are SPFx web parts for modern and classic SharePoint the you can utilize the property "this.context.pageContext.legacyPageContext.publicCdnBaseUrl". This will provide the prefix so that if it is changed then your implementation will update with it. As an example for SPFx, the URL can be constructed using the property "this.context.pageContext.legacyPageContext.publicCdnBaseUrl" + "/" + "host" + "/" + "relativeURL for the item". Please see [Using CDN in Client-side code](https://youtu.be/IH1RbQlbhIA) which is part of the [season 1 performance series](https://aka.ms/sppnp-perfvideos)
-
+> Use the page context property to construct the prefix instead of hard coding `https://publiccdn.sharepointonline.com`, because the URL is subject to change. If you use display templates with Classic SharePoint Online, you can use the property `window._spPageContextInfo.publicCdnBaseUrl` in your display template for the prefix of the URL. If you use SPFx web parts for modern and classic SharePoint, you can use the property `this.context.pageContext.legacyPageContext.publicCdnBaseUrl`, which also provides the prefix. If the prefix changes, your implementation is updated with it.
+>
+> As an example for SPFx, you can construct the URL using the property `this.context.pageContext.legacyPageContext.publicCdnBaseUrl` - `/` - `host` - `/` - `relativeURL for the item`. For more information, see the video [Using CDN in Client-side code](https://youtu.be/IH1RbQlbhIA), which is part of the [season 1 performance series](https://aka.ms/sppnp-perfvideos).
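Review bot: the concatenation example now reads `publicCdnBaseUrl` - `/` - `host` - `/` - `relativeURL for the item`, which looks like subtraction rather than string concatenation; the original used `+`. Suggest keeping the operator in code, for example: `this.context.pageContext.legacyPageContext.publicCdnBaseUrl + "/" + host + "/" + relativeUrl`, with a sentence saying that `host` is the tenant host name and `relativeUrl` the server-relative path of the item. The rewrite also turns the one note into two block quotes; the blank `>` line between them is fine in Docs markdown, but the second paragraph should stay inside the same `[!NOTE]`.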
### Using assets in private origins
-No additional configuration is required to use assets in private origins. SharePoint Online automatically rewrites URLs for assets in private origins so requests for those assets will always be served from the CDN. You cannot manually build URLs to CDN assets in private origins because these URLs contain tokens that must be auto-generated by SharePoint Online at the time the asset is requested.
+No additional configuration is required to use assets in private origins. SharePoint Online automatically rewrites URLs for assets in private origins so requests for those assets are always be served from the CDN. You can't manually build URLs to CDN assets in private origins because these URLs contain tokens that must be auto-generated by SharePoint Online at the time the asset is requested.
Access to assets in private origins is protected by dynamically generated tokens based on user permissions to the origin, with the caveats described in the following sections. Users must have at least **read** access to the origins for the CDN to render content.
The following diagram illustrates the workflow when SharePoint receives a reques
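Review bot: "requests for those assets are always be served from the CDN" is a grammatical error introduced by the rewrite; it should read "are always served from the CDN".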
#### Token-based authorization in private origins
-Access to assets in private origins in the Office 365 CDN is granted by tokens generated by SharePoint Online. Users who already have permission to access to the folder or library designated by the origin are automatically granted tokens that permit the user to access the file based on their permission level. These access tokens are valid for 30 to 90 minutes after they are generated to help prevent token replay attacks.
+Access to assets in private origins in the Office 365 CDN is granted by tokens generated by SharePoint Online. Users who already have permission to access to the folder or library designated by the origin are automatically granted tokens that permit the user to access the file based on their permission level. These access tokens are valid for 30 to 90 minutes after they're generated to help prevent token replay attacks.
Once the access token is generated, SharePoint Online returns a custom URI to the client containing two authorization parameters _eat_ (edge authorization token) and _oat_ (origin authorization token). The structure of each token is _<'expiration time in Epoch time format'>__<'secure signature'>_. For example:
https://privatecdn.sharepointonline.com/contoso.sharepoint.com/sites/site1/libra
> [!NOTE] > Anyone in possession of the token can access the resource in the CDN. However, URLs containing these access tokens are only shared over HTTPS, so unless the URL is explicitly shared by an end user before the token expires, the asset won't be accessible to unauthorized users.
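Review bot: "Users who already have permission to access to the folder or library" has a stray "to"; it should read "permission to access the folder or library". This hunk is also where the 30 to 90 minute token lifetime and the note that anyone holding the token can fetch the asset sit, so it is worth stating explicitly that a leaked `eat`/`oat` URL is a bearer credential for that asset until expiry, not just that it "won't be accessible to unauthorized users" if not shared.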
-#### Item-level permissions are not supported for assets in private origins
+#### Item-level permissions aren't supported for assets in private origins
-It is important to note that SharePoint Online does not support item-level permissions for assets in private origins. For example, for a file located at `https://contoso.sharepoint.com/sites/site1/library1/folder1/image1.jpg`, users have effective access to the file given the following conditions:
+It's important to note that SharePoint Online doesn't support item-level permissions for assets in private origins. For example, for a file located at `https://contoso.sharepoint.com/sites/site1/library1/folder1/image1.jpg`, users have effective access to the file given the following conditions:
-|User |Permissions |Effective access |
-||||
-|User 1 |Has access to folder1 |Can access image1.jpg from the CDN |
-|User 2 |Does not have access to folder1 |Cannot access image1.jpg from the CDN |
-|User 3 |Does not have access to folder1, but is granted explicit permission to access image1.jpg in SharePoint Online |Can access the asset image1.jpg directly from SharePoint Online, but not from the CDN |
-|User 4 |Has access to folder1, but has been explicitly denied access to image1.jpg in SharePoint Online |Cannot access the asset from SharePoint Online, but can access the asset from the CDN despite being denied access to the file in SharePoint Online |
+|User|Permissions|Effective access|
+||||
+|User 1|Has access to folder1|Can access image1.jpg from the CDN|
+|User 2|Doesn't have access to folder1|Can't access image1.jpg from the CDN|
+|User 3|Doesn't have access to folder1, but is granted explicit permission to access image1.jpg in SharePoint Online|Can access the asset image1.jpg directly from SharePoint Online, but not from the CDN|
+|User 4|Has access to folder1, but has been explicitly denied access to image1.jpg in SharePoint Online|Can't access the asset from SharePoint Online, but can access the asset from the CDN despite being denied access to the file in SharePoint Online|
<a name="CDNTroubleshooting"></a>
It is important to note that SharePoint Online does not support item-level permi
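Review bot: the User 4 row is the security-relevant case in this table (a user explicitly denied on `image1.jpg` in SharePoint Online still receives a valid CDN token because the check is made at the origin folder), and the rewrite leaves it as one cell among four. Suggest promoting that point to an `[!IMPORTANT]` callout above or below the table, stating that private-origin tokens are issued on folder or library permission only and item-level deny does not carry over to the CDN, so files that need per-item restriction should not live under a private origin.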
### How do I confirm that assets are being served by the CDN?
-Once you have added links to CDN assets to a page, you can confirm that the asset is being served from the CDN by browsing to the page, right clicking on the image once it has rendered and reviewing the image URL.
+After you add links to CDN assets to a page, you can confirm that the asset is being served from the CDN by browsing to the page, right clicking on the image once it has rendered and reviewing the image URL.
You can also use your browser's developer tools to view the URL for each asset on a page, or use a third party network trace tool. > [!NOTE] > If you use a network tool such as Fiddler to test your assets outside of rendering the asset from a SharePoint page, you must manually add the referer header "Referer: `https://yourdomain.sharepoint.com`" to the GET request where the URL is the root URL of your SharePoint Online tenant.
-You cannot test CDN URLs directly in a web browser because you must have a referrer coming from SharePoint Online. However, if you add the CDN asset URL to a SharePoint page and then open the page in a browser, you will see the CDN asset rendered on the page.
+You can't test CDN URLs directly in a web browser because you must have a referrer coming from SharePoint Online. However, if you add the CDN asset URL to a SharePoint page and then open the page in a browser, the CDN asset is rendered on the page.
For more information on using the developer tools in the Microsoft Edge browser, see [Microsoft Edge Developer Tools](/microsoft-edge/devtools-guide).
-To watch a short video hosted in the [SharePoint Developer Patterns and Practices YouTube channel](https://aka.ms/sppnp-videos) demonstrating how to verify that your CDN is working, please see [Verifying your CDN usage and ensuring optimal network connectivity](https://www.youtube.com/watch?v=ClCtBAtGjE8&list=PLR9nK3mnD-OWMfr1BA9mr5oCw2aJXw4WA&index=5).
+To watch a short video hosted in the [SharePoint Developer Patterns and Practices YouTube channel](https://aka.ms/sppnp-videos) that shows how to verify your CDN is working, see [Verifying your CDN usage and ensuring optimal network connectivity](https://www.youtube.com/watch?v=ClCtBAtGjE8&list=PLR9nK3mnD-OWMfr1BA9mr5oCw2aJXw4WA&index=5).
### Why are assets from a new origin unavailable?
-Assets in new origins will not immediately be available for use, as it takes time for the registration to propagate through the CDN and for the assets to be uploaded from the origin to CDN storage. The time required for assets to be available in the CDN depends on how many assets and the files sizes.
+
+Assets in new origins won't immediately be available for use, as it takes time for the registration to propagate through the CDN and for the assets to be uploaded from the origin to CDN storage. The time required for assets to be available in the CDN depends on how many assets and the files sizes.
### My client-side web part or SharePoint Framework solution isn't working When you enable the Office 365 CDN for public origins, the CDN service automatically creates these default origins:
-+ */MASTERPAGE
-+ */STYLE LIBRARY
-+ */CLIENTSIDEASSETS
+- */MASTERPAGE
+- */STYLE LIBRARY
+- */CLIENTSIDEASSETS
-If the */clientsideassets origin is missing, SharePoint Framework solutions will fail, and no warning or error messages are generated. This origin may be missing either because the CDN was enabled with the _-NoDefaultOrigins_ parameter set to **$true**, or because the origin was manually deleted.
+If the */clientsideassets origin is missing, SharePoint Framework solutions fails, and no warning or error messages are generated. This origin might be missing either because the CDN was enabled with the _-NoDefaultOrigins_ parameter set to **$true**, or because the origin was manually deleted.
You can check to see which origins are present with the following PowerShell command:
m365 spo cdn origin add --origin */CLIENTSIDEASSETS
You can choose to work with the Office 365 CDN using either the **SharePoint Online Management Shell** PowerShell module or the **CLI for Microsoft 365**.
-+ [Getting started with SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online)
-+ [Installing the CLI for Microsoft 365](https://pnp.github.io/cli-microsoft365/user-guide/installing-cli/)
+- [Getting started with SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online)
+- [Installing the CLI for Microsoft 365](https://pnp.github.io/cli-microsoft365/user-guide/installing-cli/)
## See also
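Review bot: the rewritten paragraph under "My client-side web part or SharePoint Framework solution isn't working" introduces a subject-verb mismatch: "SharePoint Framework solutions fails" should read "SharePoint Framework solutions fail". Two smaller points in the same region: the sentence "You can check to see which origins are present with the following PowerShell command:" is followed by `m365 spo cdn origin add --origin */CLIENTSIDEASSETS`, which is a CLI for Microsoft 365 command that adds the origin rather than listing the ones present, so either the lead-in or the command needs correcting; and "depends on how many assets and the files sizes" in the new-origins answer reads better as "depends on how many assets there are and their file sizes".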
lighthouse M365 Lighthouse Block Signin Shared Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-block-signin-shared-mailboxes.md
Lighthouse opens your default email client and prepopulates the email message to
## Related content
-[Block user sign-in](/microsoft-365/lighthouse/m365-lighthouse-block-user-signin.md) (article)\
+[Block user sign-in](m365-lighthouse-block-user-signin.md) (article)\
[About shared mailboxes - Microsoft 365 admin](../admin/email/about-shared-mailboxes.md) (article)
lighthouse M365 Lighthouse Configure Portal Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-configure-portal-security.md
- scotvorg - M365-subscription-management - Adm_O365-- essentials-accountability
+- essentials-security
- AdminSurgePortfolio - M365-Lighthouse
lighthouse M365 Lighthouse Data Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-data-collection.md
- scotvorg - M365-subscription-management - Adm_O365-- essentials-accountability
+- essentials-privacy
- AdminSurgePortfolib - M365-Lighthouse
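Review bot: the ms.collection value `AdminSurgePortfolib` in the context line right after the added `essentials-privacy` tag looks like a typo for `AdminSurgePortfolio`, the spelling used in the sibling m365-lighthouse-configure-portal-security.md change above; since this commit already touches the metadata block, fix it here.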
loop Loop Compliance Summary https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/loop/loop-compliance-summary.md
This section provides expanded information on the subset of admin management cap
Admins can perform the following tasks for Loop workspaces, which are containers in SharePoint Embedded. - PowerShell ability to
- - enumeration of list of Loop workspaces created
+ - enumerate all Loop workspaces created
- get container details including labels, storage, owners etc. - delete, recover and purge Loop workspaces (note that the Loop app workspaces views do not yet reflect the changes, so a user would need to visit a page link for a workspace that's recovered in order to see it again) - set sharing settings at a tenant level
+ - get and set sensitivity labels
See more about how to use PowerShell to perform these tasks on Loop application containers in the [Consuming Tenant admin](/sharepoint/dev/embedded/concepts/admin-exp/cta) article. ### Capabilities that aren't yet available - PowerShell ability to
- - list all Loop workspaces
- add storage to enumeration list of Loop workspace - control external sharing of a Loop workspace - **Multi-Geo capabilities**, including creation of .loop files in a user's Loop workspaces in the geo that matches the user's preferred data location, and **Multi-Geo rehome** of Loop workspaces and .loop files as needed
- - get and set sensitivity labels, conditional access policy, block download policy
+ - get and set conditional access policy, block download policy
- SharePoint Admin Center - Loop workspaces page for active and deleted workspaces, restore, permanently delete, sort, filter, storage information - search in active and deleted
security Comprehensive Guidance On Linux Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment.md
Use the following steps to check the network connectivity of Microsoft Defender
#### Step 1: Allow URLs for the Microsoft Defender for Endpoint traffic 1. Download the [Microsoft Defender for Endpoint URL list for commercial customers](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx
-) or the [Microsoft Defender for Endpoint URL list for Gov/GCC/DoD](https://download.microsoft.com/download/8/e-urls.xlsx) for a list of services and their associated URLs that your network must be able to connect.
+) or the [Microsoft Defender for Endpoint URL list for Gov/GCC/DoD](https://download.microsoft.com/download/6/e-urls-gov.xlsx) for a list of services and their associated URLs that your network must be able to connect.
2. Under **Geography** column, ensure the following checkboxes are selected: - EU, or UK, or US
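Review bot: the replacement Gov/GCC/DoD download link (`https://download.microsoft.com/download/6/e-urls-gov.xlsx`) has a far shorter path than the commercial link on the preceding line, which carries a GUID segment before the file name, so confirm the new URL actually resolves before merging. Also, "Under **Geography** column" in step 2 is missing the article: "Under the **Geography** column".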
security Configure Local Policy Overrides Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus.md
search.appverid: met150
# Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings - **Applies to:** - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
By default, lists that have been configured in local group policy and the Window
> [!TIP] > If you're looking for Antivirus related information for other platforms, see:+ > - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md) > - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md) > - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
By default, lists that have been configured in local group policy and the Window
## Related topics -- [Microsoft Intune](/protect/advanced-threat-protection-configure)
+- [Microsoft Intune](/mem/intune/protect/advanced-threat-protection-configure)
- [Microsoft Defender Antivirus in Windows](microsoft-defender-antivirus-in-windows-10.md) - [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
Microsoft Defender for Endpoint integrates seamlessly with Microsoft Defender fo
> [!NOTE] > For Windows Server 2012 R2 and 2016, you can either manually install/upgrade the modern, unified solution on these machines, or use the integration to automatically deploy or upgrade servers covered by your respective Microsoft Defender for Server plan. More information about making the switch at [Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint](/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows#enable-the-integration).
+>
> - When you use Microsoft Defender for Cloud to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European users, and in the UK for UK users). Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning. > - If you use Defender for Endpoint before using Microsoft Defender for Cloud, your data will be stored in the location you specified when you created your tenant even if you integrate with Microsoft Defender for Cloud at a later time. > - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. > - Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers. > - Previously, the use of the Microsoft Monitoring Agent (MMA) on Windows Server 2016 and previous versions of Windows Server allowed for the OMS / Log Analytics gateway to provide connectivity to Defender cloud services. The new solution, like Microsoft Defender for Endpoint on Windows Server 2019, Windows Server 2022, and Windows 10, doesn't support this gateway.
-> - Linux servers onboarded through Microsoft Defender for Cloud will have their initial configuration set to run Defender Antivirus in [passive mode](/defender-endpoint/microsoft-defender-antivirus-compatibility#microsoft-defender-antivirus-and-non-microsoft-antivirusantimalware-solutions).
+> - Linux servers onboarded through Microsoft Defender for Cloud will have their initial configuration set to run Defender Antivirus in [passive mode](microsoft-defender-antivirus-compatibility.md#microsoft-defender-antivirus-and-non-microsoft-antivirusantimalware-solutions).
**Windows Server 2012 R2 and Windows Server 2016**:
security Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/controlled-folders.md
Apps can also be added manually to the trusted list by using Configuration Manag
## Why controlled folder access is important
-Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](attack-surface-reduction-rules-deployment-implement.md#customize-attack-surface-reduction-rules) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
+Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](attack-surface-reduction-rules-deployment-implement.md#customize-attack-surface-reduction-rules) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
The [protected folders](#review-controlled-folder-access-events-in-windows-event-viewer) include common system folders (including boot sectors), and you can [add more folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
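Review bot: retargeting the "ransomware" link from `https://www.microsoft.com/wdsi/threats/ransomware` to `https://www.microsoft.com/wdsi/threats` keeps the link text "ransomware" while the destination becomes the general threats landing page; if the ransomware-specific page is gone, either point to a ransomware-specific replacement or reword the link so readers aren't sent to a generic page. The same change is made in evaluate-controlled-folder-access.md below, so whichever target is chosen should be applied to both files.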
security Data Storage Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-storage-privacy.md
audience: ITPro
- m365-security - tier2-- essentials-accountability
+- essentials-privacy
+- essentials-compliance
search.appverid: met150 Last updated 08/07/2023
security Defender Endpoint False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md
See [Configure PUA protection in Microsoft Defender Antivirus](detect-block-pote
Depending on the [level of automation](/microsoft-365/security/defender-endpoint/automation-levels) set for your organization and other security settings, remediation actions are taken on artifacts that are considered to be *Malicious* or *Suspicious*. In some cases, remediation actions occur automatically; in other cases, remediation actions are taken manually or only upon approval by your security operations team. - [Learn more about automation levels](/microsoft-365/security/defender-endpoint/automation-levels); and then-- [Configure AIR capabilities in Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation).
+- [Configure AIR capabilities in Defender for Endpoint](configure-automated-investigations-remediation.md).
> [!IMPORTANT] > We recommend using *Full automation* for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use ["allow" indicators to define exceptions](#indicators-for-defender-for-endpoint), and keep automated investigation and remediation set to take appropriate actions automatically. Following [this guidance](automation-levels.md#levels-of-automation) helps reduce the number of alerts your security operations team must handle.
security Evaluate Controlled Folder Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access.md
Last updated 12/18/2020
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-enablesiem-abovefoldlink) - [Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11 clients.
-It's especially useful in helping protect against [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that attempts to encrypt your files and hold them hostage.
+It's especially useful in helping protect against [ransomware](https://www.microsoft.com/wdsi/threats) that attempts to encrypt your files and hold them hostage.
This article helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization.
See [Protect important folders with controlled folder access](controlled-folders
## See also
-* [Protect important folders with controlled folder access](controlled-folders.md)
-* [Evaluate Microsoft Defender for Endpoint](evaluate-mde.md)
-* [Use audit mode](audit-windows-defender.md)
+- [Protect important folders with controlled folder access](controlled-folders.md)
+- [Evaluate Microsoft Defender for Endpoint](evaluate-mde.md)
+- [Use audit mode](audit-windows-defender.md)
[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
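Review bot: the `Last updated 12/18/2020` metadata in this file is left untouched even though the article body (the ransomware link) and the See also list change here; bump the date so the article doesn't advertise stale content. The `*` to `-` bullet change in the See also list matches the list-marker normalization done in the other files in this change set and is fine.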
security Mac Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md
ms.localizationpriority: medium audience: ITPro-+ - m365-security - tier3 - mde-macos
Download the installation and onboarding packages from Microsoft Defender portal
To complete this process, you must have admin privileges on the device.
-1. - Navigate to the downloaded *wdav.pkg* in **Finder** and open it.
-
- Or
- - You can download the *wdav.pkg*- from **Terminal**
-
- *sudo installer -store -pkg /Users/admin/Downloads/wdav.pkg -target /*
+1. Do one of the following steps:
+
+ - Navigate to the downloaded *wdav.pkg* in **Finder** and open it.
+
+ Or
+
+ - You can download the *wdav.pkg*- from **Terminal**
+
+ ```console
+ sudo installer -store -pkg /Users/admin/Downloads/wdav.pkg -target /
+ ```
:::image type="content" source="images/monterey-install-1.png" alt-text="Screenshot that shows the installation process for the application"::: 2. Select **Continue**. 3. Read through the **Software License Agreement** and select **Continue** to agree with the terms.+ :::image type="content" source="images/software-license-agreement.png" alt-text="Screenshot that shows the Software License Agreement."::: 4. Read through the *End-User License Agreement (EULA)* and select **Agree**.+ :::image type="content" source="images/agree-license.png" alt-text="Screenshot that shows the acceptance of the agreement."::: 5. From **Destination Select**, select the disk where you want to install the Microsoft Defender Software, for example, *Macintosh HD* and select **Continue**.+ :::image type="content" source="images/destination-select.png" alt-text="Screenshot that shows the selection of destination for installation.":::
-> [!Note]
-> The amount of disk space required for installation is around 777 MB.
+ > [!NOTE]
+ > The amount of disk space required for installation is around 777 MB.
6. To change the installation destination, select **Change Install Location...**.+ :::image type="content" source="images/installation-type.png" alt-text="Screenshot that shows the final installation step."::: 7. Click **Install**. 8. Enter the password, when prompted.+ :::image type="content" source="images/password-2g.png" alt-text="Screenshot that shows the password dialog box."::: 9. Click **Install Software**.
-3. At the end of the installation process, for macOS Big Sur (11.0) or latest version, you're prompted to approve the system extensions used by the product. Select **Open Security Preferences**.
+10. At the end of the installation process, for macOS Big Sur (11.0) or latest version, you're prompted to approve the system extensions used by the product. Select **Open Security Preferences**.
- :::image type="content" source="images/monterey-install-2.png" alt-text="Screenshot that shows the system extension approval":::
+ :::image type="content" source="images/monterey-install-2.png" alt-text="Screenshot that shows the system extension approval":::
11. To enable system extention, select **Details**.+ :::image type="content" source="images/system-extention-image.png" alt-text="Screenshot that shows the system extention.":::
-4. From the **Security & Privacy** window, select the checkboxes next to **Microsoft Defender** and select **OK**.
+12. From the **Security & Privacy** window, select the checkboxes next to **Microsoft Defender** and select **OK**.
+ :::image type="content" source="images/security-privacy-window-updated.png" alt-text="Screenshot that shows the security and privacy window.":::
-5. Repeat steps 11 and 12 for all system extensions distributed with Microsoft Defender for Endpoint on Mac.
+13. Repeat steps 11 and 12 for all system extensions distributed with Microsoft Defender for Endpoint on Mac.
-6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on Mac inspects socket traffic and reports this information to the Microsoft Defender portal. When prompted to grant Microsoft Defender for Endpoint permissions to filter network traffic, select **Allow**.
+14. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on Mac inspects socket traffic and reports this information to the Microsoft Defender portal. When prompted to grant Microsoft Defender for Endpoint permissions to filter network traffic, select **Allow**.
- :::image type="content" source="images/monterey-install-4.png" alt-text="Screenshot that shows the system extension security preferences2":::
+ :::image type="content" source="images/monterey-install-4.png" alt-text="Screenshot that shows the system extension security preferences2":::
To troubleshoot System Extension issues, refer [Troubleshoot System Extension](mac-support-sys-ext.md).
To complete this process, you must have admin privileges on the device.
The macOS Catalina (10.15) and newer versions require full disk access to be granted to **Microsoft Defender for Endpoint** in order to be able to protect and monitor.
-> [!Note]
+> [!NOTE]
> Full disk access grant to **Microsoft Defender for Endpoint** is a new requirement for all the third-party software by Apple for files and folders containing personal data. To grant full disk access: 1. Open **System Preferences** \> **Security & Privacy** \> **Privacy** \> **Full Disk Access**. Click the lock icon to make changes (bottom of the dialog box).+ 1. Grant **Full Disk Access** permission to **Microsoft Defender** and **Microsoft Defenders Endpoint Security Extension**. :::image type="content" source="images/full-disk-access-security-privacy.png" alt-text="The screenshot shows the full disk access's security and privacy.":::+ 1. Select **General** \> **Restart** for the new system extensions to take effect. :::image type="content" source="images/restart-fulldisk.png" alt-text="Screenshot that allows you to restart the system for new system extensions to be enabled.":::+ 1. Enable *Potentially Unwanted Application* (PUA) in block mode. To enable PUA, refer [configure PUA protection](mac-pua.md).+ 1. Enable *Network Protection*. To enable *Network protection*, refer [manual deployment](network-protection-macos.md).+ 1. Enable *Device Control*. To enable *Device Control*, refer [device control for macOS](mac-device-control-overview.md).+ 1. Enable *Tamper Protection* in block mode. To enable *Tamper Protection*, refer [Protect MacOS security settings with tamper protection](tamperprotection-macos.md).+ 1. If you have the *Microsoft Purview ΓÇô Endpoint data loss prevention license*, you can review [Get started with Microsoft Purview - Endpoint data loss prevention](/purview/endpoint-dlp-getting-started). ## Background execution
Once you have installed the MDE on macOS client, you must now onboard the packag
Copy *wdav.pkg* and *MicrosoftDefenderATPOnboardingMacOs.sh* to the device where you have deployed Microsoft Defender for Endpoint on macOS.
- The client device isn't associated with *org_id*. The *org_id* attribute is blank.
+ The client device isn't associated with *org_id*. The *org_id* attribute is blank.
- ```bash
- mdatp health --field org_id
- ```
+ ```bash
+ mdatp health --field org_id
+ ```
2. Run the Bash script to install the onboarding package:
- ```bash
- sudo bash -x MicrosoftDefenderATPOnboardingMacOs.sh
- ```
+ ```bash
+ sudo bash -x MicrosoftDefenderATPOnboardingMacOs.sh
+ ```
3. Verify that the device is now associated with your organization and reports a valid org ID:
- ```bash
- mdatp health --field org_id
- ```
+ ```bash
+ mdatp health --field org_id
+ ```
- After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
+ After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
- > [!div class="mx-imgBorder"]
- > :::image type="content" source="images/mdatp-icon-bar.png" alt-text="Screenshot that shows the Microsoft Defender icon in status bar":::
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="images/mdatp-icon-bar.png" alt-text="Screenshot that shows the Microsoft Defender icon in status bar":::
You can [troubleshoot license issues for Microsoft Defender for Endpoint on macOS](mac-support-license.md). 4. Run the connectivity test.
- ```bash
- mdatp connectivity test
- ```
+ ```bash
+ mdatp connectivity test
+ ```
- You can [troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS](troubleshoot-cloud-connect-mdemac.md).
+You can [troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS](troubleshoot-cloud-connect-mdemac.md).
## Verifying anti-malware detection See the following article to test for anti-malware detection review: [Antivirus detection test to verify device onboarding and reporting services](validate-antimalware.md) ## Verifying EDR detection
-See the following article to test for an EDR detection review: [EDR detection test to verify device onboarding and reporting services](/microsoft-365/security/defender-endpoint/edr-detection.md)
+
+See the following article to test for an EDR detection review: [EDR detection test to verify device onboarding and reporting services](edr-detection.md).
## Logging installation issues
For more information on how to find the automatically generated log that's creat
For information on troubleshooting procedures, see: - [Troubleshoot system extension issues in Microsoft Defender for Endpoint on macOS](mac-support-sys-ext.md)- - [Troubleshoot installation issues for Microsoft Defender for Endpoint on macOS](mac-support-install.md)- - [Troubleshoot license issues for Microsoft Defender for Endpoint on macOS](mac-support-license.md)- - [Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS](troubleshoot-cloud-connect-mdemac.md)- - [Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS](mac-support-perf.md) ## Uninstallation See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender for Endpoint on macOS from client devices.
- > [!Tip]
- > - Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP).
- > - If you have any feedback that you will like to share, submit it by opening Microsoft Defender Endpoint on Mac on your device and navigate to **Help** \> **Send feedback**.
+> [!TIP]
+>
+> - Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP).
+> - If you have any feedback that you will like to share, submit it by opening Microsoft Defender Endpoint on Mac on your device and navigate to **Help** \> **Send feedback**.
## Recommended content
See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove M
- [Learn how to configure Microsoft Defender for Endpoint on Mac in enterprise organizations](mac-preferences.md). - [Learn how to install Microsoft Defender for Endpoint on Mac on other management solutions](mac-install-with-other-mdm.md). - [Learn how to detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender for Endpoint on macOS](mac-pua.md).-
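Review bot: in the reworked step 1, "You can download the *wdav.pkg*- from **Terminal**" is wrong on two counts: the command that follows (`sudo installer -store -pkg /Users/admin/Downloads/wdav.pkg -target /`) installs the already-downloaded package rather than downloading it, and the stray hyphen after `*wdav.pkg*` is carried over from the old line; suggest "Or install *wdav.pkg* from **Terminal**:". Further in the same hunk: "macOS Big Sur (11.0) or latest version" in the renumbered step 10 should be "or later"; "feedback that you will like to share" in the rewritten TIP should be "would like to share"; and the context lines still carry "extention" (twice, in step 11), "Microsoft Defenders Endpoint Security Extension", and the mojibake "Microsoft Purview ΓÇô Endpoint data loss prevention", all worth fixing while this file is open. The step renumbering itself (3-6 to 10-14) makes "Repeat steps 11 and 12" in step 13 refer to real steps, which it didn't before.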
security Microsoft Defender Antivirus Ring Deployment Group Policy Network Share https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-network-share.md
ms.localizationpriority: high audience: ITPro-+ - m365-security - tier1
Microsoft Defender for Endpoint is an enterprise endpoint security platform desi
> [!TIP] > Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2. - ## Introduction This article describes how to deploy Microsoft Defender Antivirus in rings using Group Policy and Network share (also known as UNC path, SMB, CIFS). ## Prerequisites
-Review the _read me_ article at [Readme](https://github.com/microsoft/defender-updatecontrols/blob/main/README.md)
-https://github.com/microsoft/defender-updatecontrols/blob/main/README.md
+Review the _read me_ article at [Readme](https://github.com/microsoft/defender-updatecontrols/blob/main/README.md)
-1. Download the latest Windows Defender .admx and .adml
+1. Download the latest Windows Defender .admx and .adml.
- - [WindowsDefender.admx](https://github.com/microsoft/defender-updatecontrols/blob/main/WindowsDefender.admx)
+ - [WindowsDefender.admx](https://github.com/microsoft/defender-updatecontrols/blob/main/WindowsDefender.admx)
- [WindowsDefender.adml](https://github.com/microsoft/defender-updatecontrols/blob/main/WindowsDefender.adml) 1. Copy the latest .admx and .adml to the [Domain Controller Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store#the-central-store). 1. [Create a UNC share for security intelligence and platform updates](manage-protection-updates-microsoft-defender-antivirus.md#create-a-unc-share-for-security-intelligence-and-platform-updates)
-## Setting up the pilot environment
+## Setting up the pilot environment
This section describes the process for setting up the pilot UAT / Test / QA environment. On about 10-500* Windows and/or Windows Server systems, depending on how many total systems that you all have.
Set up a network file share (UNC/mapped drive) to download security intelligence
> [!NOTE] > Do not add the x64 (or x86) folder in the path. The mpcmdrun.exe process adds it automatically. - ## Setting up the Pilot (UAT/Test/QA) environment This section describes the process for setting up the pilot UAT / Test / QA environment, on about 10-500 Windows and/or Windows Server systems, depending on how many total systems that you all have.
In [Group Policy Management Console](/previous-versions/windows/it-pro/windows-s
1. Edit your Microsoft Defender Antivirus policy. For example, edit _MDAV\_Settings\_Pilot_. Go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**. There are three related options:
- | Feature | Recommendation for the pilot systems |
- |:|:|
- | Select the channel for Microsoft Defender daily **Security Intelligence updates** | Current Channel (Staged) |
- | Select the channel for Microsoft Defender monthly **Engine updates** | Beta Channel |
- | Select the channel for Microsoft Defender monthly **Platform updates** | Beta Channel |
+ |Feature|Recommendation for the pilot systems|
+ |||
+ |Select the channel for Microsoft Defender daily **Security Intelligence updates**|Current Channel (Staged)|
+ |Select the channel for Microsoft Defender monthly **Engine updates**|Beta Channel|
+ |Select the channel for Microsoft Defender monthly **Platform updates**|Beta Channel|
The three options are shown in the following figure.
In [Group Policy Management Console](/previous-versions/windows/it-pro/windows-s
1. Select **Apply**, and then select **OK**.
-1. Go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
+1. Go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
1. For _engine_ updates, double-click **Select the channel for Microsoft Defender monthly engine updates**.
In [Group Policy Management Console](/previous-versions/windows/it-pro/windows-s
- [Antivirus profiles - Devices managed by Microsoft Intune](/mem/intune/protect/endpoint-security-antivirus-policy#antivirus-profiles) - [Use Endpoint security Antivirus policy to manage Microsoft Defender update behavior (Preview)](/mem/intune/fundamentals/whats-new#use-endpoint-security-antivirus-policy-to-manage-microsoft-defender-update-behavior-preview)-- [Manage the gradual rollout process for Microsoft Defender updates](/manage-gradual-rollout)
+- [Manage the gradual rollout process for Microsoft Defender updates](manage-gradual-rollout.md)
## Setting up the production environment
-1. In [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265969(v=ws.11)) (GPMC, GPMC.msc), go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
+1. In [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265969(v=ws.11)) (GPMC, GPMC.msc), go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
- :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png" alt-text="Screenshot that shows a screen capture of the production Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus update channels." lightbox="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png":::
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png" alt-text="Screenshot that shows a screen capture of the production Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus update channels." lightbox="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png":::
-1. Set the three policies as follows:
+1. Set the three policies as follows:
- | Feature | Recommendation for the production systems | Remarks |
- |:|:|
- | Select the channel for Microsoft Defender daily **Security Intelligence updates** | Current Channel (Broad) | This setting provides you with 3 hours of time to find an FP and prevent the production systems from getting an incompatible signature update. |
- | Select the channel for Microsoft Defender monthly **Engine updates** | Critical ΓÇô Time delay | Updates are delayed by two days. |
- | Select the channel for Microsoft Defender monthly **Platform updates** | Critical ΓÇô Time delay | Updates are delayed by two days. |
+ |Feature|Recommendation for the production systems|Remarks|
+ |||
+ |Select the channel for Microsoft Defender daily **Security Intelligence updates**|Current Channel (Broad)|This setting provides you with 3 hours of time to find an FP and prevent the production systems from getting an incompatible signature update.|
+ |Select the channel for Microsoft Defender monthly **Engine updates**|Critical ΓÇô Time delay|Updates are delayed by two days.|
+ |Select the channel for Microsoft Defender monthly **Platform updates**|Critical ΓÇô Time delay|Updates are delayed by two days.|
1. For _intelligence_ updates, double-click **Select the channel for Microsoft Defender monthly intelligence updates**.
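Review bot: the step text and the table disagree on the cadence of the intelligence channel. The table row reads "Select the channel for Microsoft Defender daily **Security Intelligence updates**", but the step that follows says "double-click **Select the channel for Microsoft Defender monthly intelligence updates**". Security intelligence updates are the daily ones in this table (the monthly channels are engine and platform), so the step should name the same policy the table does, for example: `1. For _intelligence_ updates, double-click **Select the channel for Microsoft Defender daily security intelligence updates**.`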
In [Group Policy Management Console](/previous-versions/windows/it-pro/windows-s
1. Select **Apply**, and then select **OK**. - ## If you encounter problems If you encounter problems with your deployment, create or append your Microsoft Defender Antivirus policy: 1. In [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265969(v=ws.11)) (GPMC, GPMC.msc), create or append to your Microsoft Defender Antivirus policy using the following setting:
-
+ Go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > (administrator-defined) _PolicySettingName_. For example, _MDAV\_Settings\_Production_, right-click, and then select **Edit**. **Edit** for **MDAV\_Settings\_Production** is shown in the following figure:
- :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-edit.png" alt-text="Screenshot that shows a screen capture of the administrator-defined Microsoft Defender Antivirus policy Edit option." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-edit.png":::
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-edit.png" alt-text="Screenshot that shows a screen capture of the administrator-defined Microsoft Defender Antivirus policy Edit option." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-edit.png":::
1. Select **Define the order of sources for downloading security intelligence updates**.
-1. Select the radio button named **Enabled**.
+1. Select the radio button named **Enabled**.
1. Under **Options:**, change the entry to _FileShares_, select **Apply**, and then select **OK**. This change is shown in the following figure:
- :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-define-order.png" alt-text="Screenshot that shows a screen capture of the Define the order of sources for downloading security intelligence updates page." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-define-order.png":::
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-define-order.png" alt-text="Screenshot that shows a screen capture of the Define the order of sources for downloading security intelligence updates page." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-define-order.png":::
1. Select **Define the order of sources for downloading security intelligence updates**. 1. Select the radio button named **Disabled**, select **Apply**, and then select **OK**. The disabled option is shown in the following figure:
- :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-disabled.png" alt-text="Screenshot that shows a screen capture of the Define the order of sources for downloading security intelligence updates page with Security Intelligence updates disabled." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-disabled.png":::
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-disabled.png" alt-text="Screenshot that shows a screen capture of the Define the order of sources for downloading security intelligence updates page with Security Intelligence updates disabled." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-disabled.png":::
1. The change is active when Group Policy updates. There are two methods to refresh Group Policy: - From the command line, run the Group Policy update command. For example, run `gpupdate / force`. For more information, see [gpupdate](/windows-server/administration/windows-commands/gpupdate) - Wait for Group Policy to automatically refresh. Group Policy refreshes every 90 minutes +/- 30 minutes.
- If you have multiple forests/domains, force replication or wait 10-15 minutes. Then force a Group Policy Update from the Group Policy Management Console.
+ If you have multiple forests/domains, force replication or wait 10-15 minutes. Then force a Group Policy Update from the Group Policy Management Console.
- Right-click on an organizational unit (OU) that contains the machines (for example, Desktops), select **Group Policy Update**. This UI command is the equivalent of doing a gpupdate.exe /force on every machine in that OU. The feature to force Group Policy to refresh is shown in the following figure:
- :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-management-console.png" alt-text="Screenshot that shows a screen capture of the Group Policy Management console, initiating a forced update." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-management-console.png":::
+ :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-management-console.png" alt-text="Screenshot that shows a screen capture of the Group Policy Management console, initiating a forced update." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-management-console.png":::
1. After the issue is resolved, set the **Signature Update Fallback Order** back to the original setting. `InternalDefinitionUpdateServder|MicrosoftUpdateServer|MMPC|FileShare`.
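Review bot: the fallback order quoted in the last step, `InternalDefinitionUpdateServder|MicrosoftUpdateServer|MMPC|FileShare`, misspells the first source (`InternalDefinitionUpdateServer`) and uses `FileShare` where step 4 tells the reader to enter _FileShares_; the value being restored has to match what the policy accepts, so it should read `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC|FileShares`. Two smaller points in the same hunk: the command example `gpupdate / force` has a stray space (the same page writes `gpupdate.exe /force` a few lines later), and steps 4 and 5 both open **Define the order of sources for downloading security intelligence updates**, first setting it to **Enabled** with _FileShares_ and then to **Disabled**, without saying when the second, **Disabled**, setting applies; a lead-in sentence before the **Disabled** step would make the sequence clear.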
security Network Protection Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection-linux.md
sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py
### Validation
-A. Check Network Protection has effect on always blocked sites:
-<!--These links are purposely blocked; will trigger as broken link>
-- [http://www.smartscreentestratings2.net](http://www.smartscreentestratings2.net)-- [https://www.smartscreentestratings2.net](https://www.smartscreentestratings2.net)
+1. Check Network Protection has effect on always blocked sites:
+ - <http://smartscreentestratings2.net>
+ - <https://smartscreentestratings2.net>
-B. Inspect diagnostic logs
+ <!--These links are purposely blocked; will trigger as broken link>
-```bash
-$ sudo mdatp log level set --level debug
-$ sudo tail -f /var/log/microsoft/mdatp/microsoft_defender_np_ext.log
-```
+2. Inspect diagnostic logs
+
+ ```bash
+ sudo mdatp log level set --level debug
+ sudo tail -f /var/log/microsoft/mdatp/microsoft_defender_np_ext.log
+ ```
#### To exit the validation mode Disable network protection and restart the network connection: ```bash
-$ sudo mdatp config network-protection enforcement-level --value disabled
+sudo mdatp config network-protection enforcement-level --value disabled
``` ## Advanced configuration
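Review bot: the HTML comment carried over into the new list, `<!--These links are purposely blocked; will trigger as broken link>`, is never closed: it ends with `>` instead of `-->`, so a Markdown renderer treats everything after it as part of the comment until some later `-->` appears. Since the line is being rewritten anyway, close it: `<!-- These links are purposely blocked; will trigger as broken link -->`. Also confirm the host change is intended: the removed bullets linked `http://www.smartscreentestratings2.net` and `https://www.smartscreentestratings2.net`, while the new ones point at `smartscreentestratings2.net` without the `www.` label.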
Also, make sure that in **Microsoft Defender** \> **Settings** \> **Endpoints**
> Pro tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy. > > Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
-
+ 4. [Integrate Microsoft Defender for Endpoint with Defender for Cloud Apps](/defender-cloud-apps/mde-integration) and your network protection-enabled macOS devices will have endpoint policy enforcement capabilities. > [!NOTE]
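Review bot: the new step 4 says "your network protection-enabled macOS devices will have endpoint policy enforcement capabilities", but this file is network-protection-linux.md; the sentence appears to have been copied from the macOS article and should say "Linux devices" here, or be dropped if the Defender for Cloud Apps integration is not available on Linux.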
Within 10-15 minutes, these domains will be listed in Microsoft Defender XDR und
- [Web content filtering](web-content-filtering.md) - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) - [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
security Professional Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/professional-services.md
Managed security services that assist organizations to detect threats early and
|[eSentire Managed Detection and Response](https://go.microsoft.com/fwlink/?linkid=2202582)|eSentire|MDR you can trust that provides 24/7 threat investigations and responses via Microsoft Defender XDR suite.| |[Aujas Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202672)|Aujas Cybersecurity|Managed security services that assist organizations to detect threats early and help minimize the impact of a breach.| |[Expel for Microsoft](https://go.microsoft.com/fwlink/?linkid=2202477)|Expel|Provides 24/7 detection and response for Microsoft Defender for Endpoint, Azure, and Office 365.|
-|[Managed XDR for Microsoft](https://go.microsoft.com/fwlink/?linkid=2202386)|CyberProof|CyberProof's Managed XDR (Extended Detection and Response) for Microsoft identifies intrusions across your enterprise as you migrate to the cloud ΓÇô from applications to endpoints, identities and data - enabling timely response to reduce the impact of the attack. The combination of their human expertise and experience in security operations with Microsoft's 365 Defender and Microsoft Sentinel technology reduces the costs and complexity of adopting and operating a cloud-native cyber defense architecture.|
+|[Managed XDR for Microsoft](https://www.cyberproof.com/security-services/managed-xdr-for-microsoft/)|CyberProof|CyberProof's Managed XDR (Extended Detection and Response) for Microsoft identifies intrusions across your enterprise as you migrate to the cloud ΓÇô from applications to endpoints, identities and data - enabling timely response to reduce the impact of the attack. The combination of their human expertise and experience in security operations with Microsoft's 365 Defender and Microsoft Sentinel technology reduces the costs and complexity of adopting and operating a cloud-native cyber defense architecture.|
|[Taegis XDR](https://go.microsoft.com/fwlink/?linkid=2202848)|Secureworks|Taegis™ ManagedXDR is Secureworks® 24x7 managed detection and response service, which helps you detect advanced threats and take the right action. Included threat hunting and incident response capabilities help you scale your security operations as Secureworks uses threat data collected across thousands of customers to improve your security posture. Secureworks' combination of proprietary security analytics software, SecOps expertise, incident response and threat hunting experience, threat intelligence capabilities, and 20-year history of service excellence helps reduce risk to your business.| |[Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)|The Collective|The Collective's Cloud Control Managed Protection, Detection and Response services is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch.| |[Nedscaper Managed XDR](https://go.microsoft.com/fwlink/?linkid=2202478)|Nedscaper|Nedscaper Manager XDR (MDR) is a Managed Detect and Respond SaaS solution, which provides 24/7 Threat Protection, continues Vulnerability Management and combined Threat Intelligence built on Azure. The Microsoft (365 & Azure) Defender products, plus any non-Microsoft / 3P Security solution, is connected to Microsoft Sentinel as the core platform for the Security analysts.| |[dinext. 
pi-SOC](https://go.microsoft.com/fwlink/?linkid=2202581)|dinext AG|Through a close integration of deployment support, security operations and consulting in hardening and architectural improvements, dinext AG accompanies customers holistically on their way to a modern security environment.| |[Synergy Advisors Teams App](https://synergyadvisors.biz/e-visor-teams-app/)|Synergy Advisors LLC|E-Visor Teams App is a centralized place to involve and empower your end-users in the security and productivity of the organization by presenting unique information using data from Microsoft Defenders and Microsoft Entra ID while ensuring identity governance, and compliance.|
-|[Managed Microsoft XDR](https://go.cyberproof.com/hubfs/CyberProof_Managed%20XDR%20for%20Microsoft_2022_06.pdf)|Quorum Cyber|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.|
+|[Managed Microsoft XDR](https://www.cyberproof.com/security-services/managed-xdr-for-microsoft/)|Quorum Cyber|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.|
|[SecureShield365](https://patriotconsultingtech.com/)|Patriot Consulting|SecureShield365 includes a full deployment of all Microsoft Defender XDR products including Intune plus 12 months of support. Microsoft XDR including Sentinel, Defender for Cloud, and MDR are available options.| |[Open Systems MDR+](https://go.microsoft.com/fwlink/?linkid=2208895)|Open Systems|Built for Microsoft security customers, MDR+ combines certified experts, exemplary processes, and seamless technology to deliver tailored, 24x7 protection while reducing attack surfaces and MTTR.| |[Kroll](https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder)|Kroll|Kroll provides proprietary data, technology and insights to help our clients stay ahead of complex demands related to risk, governance and growth. Our solutions deliver a powerful competitive advantage, enabling faster, smarter and more sustainable decisions. With 5,000 experts around the world, we create value and impact for our clients and communities.|
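Review bot: the Quorum Cyber row now links to CyberProof's page, `https://www.cyberproof.com/security-services/managed-xdr-for-microsoft/`, which is the exact URL the CyberProof row two lines above already uses; the old target (`go.cyberproof.com/.../CyberProof_Managed%20XDR%20for%20Microsoft_2022_06.pdf`) was also a CyberProof asset, so the row has pointed at the wrong vendor both before and after this change. It should link to Quorum Cyber's own Managed Microsoft XDR page (URL to be supplied by the vendor or taken from the partner listing). The same replacement is repeated for every Quorum Cyber row in the four tables further down this file, so the correction needs to be applied to each of them.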
Respond to security incidents quickly, effectively and at scale with complete in
|Service name|Vendor|Description| |||| |[Microsoft Incident Response](https://go.microsoft.com/fwlink/?linkid=2203105)|Microsoft|The Cybersecurity Incident Response service is an effective way to respond to incidents due to the activities of today's adversaries and sophisticated criminal organizations. This service seeks to determine whether systems are under targeted exploitation via investigation for signs of advanced implants and anomalous behavior.|
-|[Managed Microsoft XDR](https://go.cyberproof.com/hubfs/CyberProof_Managed%20XDR%20for%20Microsoft_2022_06.pdf)|Quorum Cyber|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.|
+|[Managed Microsoft XDR](https://www.cyberproof.com/security-services/managed-xdr-for-microsoft/)|Quorum Cyber|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.|
|[Trustwave MDR](https://azuremarketplace.microsoft.com/marketplace/apps/trustwaveholdingsinc1611868326737.tw_mdr_managed_service?tab=Overview)|Trustwave|Trustwave offers a security service (Gartner Leader) for endpoint using Microsoft Defender for Endpoint.| |[Active Remediation](https://go.microsoft.com/fwlink/?linkid=)|Red Canary|Red Canary security experts respond to remediate threats on your endpoints, 24x7. Requires Red Canary MDR for Microsoft.| |[Onevinn DFIR](https://go.microsoft.com/fwlink/?linkid=2202584)|Onevinn|Onevinn DFIR, Digital Defense and Incident Response team, when you're having a breach and you need urgent assistance to gain back control of your IT Environment.|
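Review bot: the Red Canary row in this hunk's trailing context, `[Active Remediation](https://go.microsoft.com/fwlink/?linkid=)`, has an empty `linkid=` and renders as a dead link; supply the fwlink id (or the vendor URL) while this table is being edited. The Quorum Cyber row here carries the same CyberProof URL as in the previous table and needs the same correction.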
Protect your organization proactively by evaluating your organization's ability
|[Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)|The Collective|The Collective's Cloud Control Managed Protection, Detection and Response services is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch.| |[dinext. pi-SOC](https://go.microsoft.com/fwlink/?linkid=2202581)|dinext AG|Through a close integration of deployment support, security operations and consulting in hardening and architectural improvements, dinext AG accompanies customers holistically on their way to a modern security environment.| |[Synergy Advisors Teams App](https://synergyadvisors.biz/e-visor-teams-app/)|Synergy Advisors LLC|E-Visor Teams App is a centralized place to involve and empower your end-users in the security and productivity of the organization by presenting unique information using data from Microsoft Defenders and Microsoft Entra ID while ensuring identity governance, and compliance.|
-|[Managed Microsoft XDR](https://go.cyberproof.com/hubfs/CyberProof_Managed%20XDR%20for%20Microsoft_2022_06.pdf)|Quorum Cyber|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.|
+|[Managed Microsoft XDR](https://www.cyberproof.com/security-services/managed-xdr-for-microsoft/)|Quorum Cyber|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.|
|[SepagoSOC](https://go.microsoft.com/fwlink/?linkid=2202677)|Sepago GmbH|SepagoSOC experts ensure that your environment is constantly monitored and protected utilizing the complete range of Microsoft Defender XDR solutions and Microsoft Sentinel. They help you to constantly evolve your security landscape with both technical and organizational experience.| |[SecureShield365](https://patriotconsultingtech.com/)|Patriot Consulting|SecureShield365 includes a full deployment of all Microsoft Defender XDR products including Intune plus 12 months of support. Microsoft XDR including Sentinel, Defender for Cloud, and MDR are available options.| |[Open Systems MDR+](https://www.ontinue.com/mdr/microsoft-mdr/)|Open Systems|Built for Microsoft security customers, MDR+ combines certified experts, exemplary processes, and seamless technology to deliver tailored, 24x7 protection while reducing attack surfaces and MTTR.|
Evolve your organization's security posture through improved processes and techn
|[Taegis XDR](https://go.microsoft.com/fwlink/?linkid=2202848)|Secureworks|Taegis™ ManagedXDR is Secureworks® 24x7 managed detection and response service, which helps you detect advanced threats and take the right action. Included threat hunting and incident response capabilities help you scale your security operations as Secureworks uses threat data collected across thousands of customers to improve your security posture. Secureworks' combination of proprietary security analytics software, SecOps expertise, incident response and threat hunting experience, threat intelligence capabilities, and 20-year history of service excellence helps reduce risk to your business.| |[Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)|The Collective|The Collective's Cloud Control Managed Protection, Detection and Response services is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch.| |[dinext. pi-SOC](https://go.microsoft.com/fwlink/?linkid=2202581)|dinext AG|Through a close integration of deployment support, security operations and consulting in hardening and architectural improvements, it accompanies customers holistically on their way to a modern security environment.|
-|[Managed Microsoft XDR](https://go.cyberproof.com/hubfs/CyberProof_Managed%20XDR%20for%20Microsoft_2022_06.pdf)|Quorum Cyber|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.|
+|[Managed Microsoft XDR](https://www.cyberproof.com/security-services/managed-xdr-for-microsoft/)|Quorum Cyber|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.|
|[SepagoSOC](https://go.microsoft.com/fwlink/?linkid=2202677)|Sepago GmbH|SepagoSOC experts ensure that your environment is constantly monitored and protected utilizing the complete range of Microsoft Defender XDR solutions and Microsoft Sentinel. They help you to constantly evolve your security landscape with both technical and organizational experience.| |[SecureShield365](https://patriotconsultingtech.com/)|Patriot Consulting|SecureShield365 includes a full deployment of all Microsoft Defender XDR products including Intune plus 12 months of support. Microsoft XDR including Sentinel, Defender for Cloud, and MDR are available options.| |[Open Systems MDR+](https://www.ontinue.com/mdr/microsoft-mdr/)|Open Systems|Built for Microsoft security customers, MDR+ combines certified experts, exemplary processes, and seamless technology to deliver tailored, 24x7 protection while reducing attack surfaces and MTTR.|
Mature and maintain your internal team's security capabilities to prevent, detec
|[White Hat Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202391)|White Hat IT Security|White Hat MSS offers zero trust approach to managed security on every platform ΓÇô scalable and adaptive security from true experts.| |[Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)|The Collective|The Collective's Cloud Control Managed Protection, Detection and Response services is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch.| |[Synergy Advisors Teams App](https://synergyadvisors.biz/e-visor-teams-app/)|Synergy Advisors LLC|E-Visor Teams App is a centralized place to involve and empower your end-users in the security and productivity of the organization by presenting unique information using data from Microsoft Defenders and Microsoft Entra ID while ensuring identity governance, and compliance.|
-|[Managed Microsoft XDR](https://go.cyberproof.com/hubfs/CyberProof_Managed%20XDR%20for%20Microsoft_2022_06.pdf)|Quorum Cyber|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.|
+|[Managed Microsoft XDR](https://www.cyberproof.com/security-services/managed-xdr-for-microsoft/)|Quorum Cyber|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.|
|[SecureShield365](https://patriotconsultingtech.com/)|Patriot Consulting|SecureShield365 includes a full deployment of all Microsoft Defender XDR products including Intune plus 12 months of support. Microsoft XDR including Sentinel, Defender for Cloud, and MDR are available options.| ## Related topics
security Respond Machine Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md
Alternate steps:
![Image of collect investigation package](images/collect-investigation-package.png)
-2. Add comments and select **Confirm**.
+1. Add comments and select **Confirm**.
![Image of confirm comment](images/comments-confirm.png)-
-3. Select **Action center** from the response actions section of the device page.
+
+1. Select **Action center** from the response actions section of the device page.
![Image of action center](images/action-center-selected.png)-
-4. Click the **Package collection package available** to download the collection package.
+
+1. Click the **Package collection package available** to download the collection package.
![Image of download package](images/download-package.png)
+
+ For Windows devices, the package contains the following folders:
-For Windows devices, the package contains the following folders:
-
-|Folder|Description|
+ |Folder|Description|
||| |Autoruns|Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker's persistency on the device. <p> <div class="alert"><b>NOTE:</b> If the registry key is not found, the file will contain the following message: "ERROR: The system was unable to find the specified registry key or value."<div>| |Installed programs|This .CSV file contains the list of installed programs that can help identify what is currently installed on the device. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509).|
For Windows devices, the package contains the following folders:
|WdSupportLogs|Provides the MpCmdRunLog.txt and MPSupportFiles.cab <p> <div class="alert"><b>NOTE:</b> This folder will only be created on Windows 10, version 1709 or later with February 2020 update rollup or more recent installed: <ul><li>Win10 1709 (RS3) Build 16299.1717: [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)</li><li>Win10 1803 (RS4) Build 17134.1345: [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)</li><li>Win10 1809 (RS5) Build 17763.1075: [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)</li><li>Win10 1903/1909 (19h1/19h2) Builds 18362.693 and 18363.693: [KB4535996](https://support.microsoft.com/help/4535996/windows-10-update-kb4535996)</li></ul> </div>| |CollectionSummaryReport.xls|This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code if there is failure. You can use this report to track if the package includes all the expected data and identify if there were any errors.|
-The collection packages for macOS and Linux devices contain the following:
+ The collection packages for macOS and Linux devices contain the following:
-|Object|macOS|Linux|
+ |Object|macOS|Linux|
|||| |Applications|A list of all installed applications|Not applicable| |Disk volume|<ul><li>Amount of free space</li><li>List of all mounted disk volumes</li><li>List of all partitions</li>|<ul><li>Amount of free space</li><li>List of all mounted disk volumes</li><li>List of all partitions</li>|
Depending on the severity of the attack and the sensitivity of the device, you m
> > - Isolating devices from the network is supported for macOS for client version 101.98.84 and above. You can also use live response to run the action. For more information on live response, see [Investigate entities on devices using live response](live-response.md) > - Full isolation is available for devices running Windows 11, Windows 10, version 1703 or later, Windows Server 2022, Windows Server 2019, Windows Server 2016 and Windows Server 2012 R2.
-> - You can use the device isolation capability on all supported Microsoft Defender for Endpoint on Linux listed in [System requirements](microsoft-defender-endpoint-linux.md#system-requirements).
+> - You can use the device isolation capability on all supported Microsoft Defender for Endpoint on Linux listed in [System requirements](microsoft-defender-endpoint-linux.md#system-requirements). Ensure that the following prerequisites are enabled: iptables, ip6tables, and Linux kernel with CONFIG_NETFILTER, CONFID_IP_NF_IPTABLES, and CONFIG_IP_NF_MATCH_OWNER.
> - Selective isolation is available for devices running Windows 10, version 1709 or later, and Windows 11. > - When isolating a device, only certain processes and destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic. > - The feature supports VPN connection.
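Review bot: the added prerequisite list has a typo in a kernel config symbol: `CONFID_IP_NF_IPTABLES` should be `CONFIG_IP_NF_IPTABLES`, matching the `CONFIG_` prefix of the other two symbols on the same line. Readers will grep their kernel configuration for these names, so the misspelled symbol simply never matches; correct it, and consider saying where to check (for example the running kernel's `/boot/config-$(uname -r)`).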
Once you have selected **Isolate device** on the device page, type a comment and
:::image type="content" source="images/isolate-device.png" alt-text="An isolated device details page" lightbox="images/isolate-device.png"::: > [!NOTE]
-> The device will remain connected to the Defender for Endpoint service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the device is isolated.
+> The device will remain connected to the Defender for Endpoint service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the device is isolated. Selective isolation only works on the classic versions of Outlook and Microsoft Teams.
### Forcibly release device from isolation
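Review bot: the added sentence names "classic versions of Outlook and Microsoft Teams", but the preceding sentence in the same note describes enabling "Outlook and Skype for Business communication"; a reader cannot tell whether the selective-isolation allowance covers Skype for Business, Teams, or both. Align the two sentences, and state what happens with the new Outlook and new Teams clients, because "only works on the classic versions" implies their traffic is blocked while the device is isolated.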
security Advanced Hunting Emailpostdeliveryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailpostdeliveryevents-table.md
Last updated 01/16/2024
**Applies to:** - Microsoft Defender XDR - The `EmailPostDeliveryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about post-delivery actions taken on email messages processed by Microsoft 365. Use this reference to construct queries that return information from this table. > [!TIP]
To get more information about individual email messages, you can also use the [`
| `ReportId` | `string` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. | ## Supported event types+ This table captures events with the following `ActionType` values: - **Manual remediation** – An administrator manually took action on an email message after it was delivered to the user mailbox. This includes actions taken manually through [Threat Explorer](../office-365-security/threat-explorer-about.md) or approvals of [automated investigation and response (AIR) actions](m365d-autoir-actions.md).
This table captures events with the following `ActionType` values:
- **Malware ZAP** – Zero-hour auto purge (ZAP) took action on an email message found containing malware after delivery. ## Related topics+ - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) - [Use shared queries](advanced-hunting-shared-queries.md)
security Advanced Hunting Find Ransomware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-find-ransomware.md
By default, the query result lists only devices that have more than two types of
Key information from Microsoft: - [The growing threat of ransomware](https://blogs.microsoft.com/on-the-issues/2021/07/20/the-growing-threat-of-ransomware/), Microsoft On the Issues blog post on July 20, 2021-- [Human-operated ransomware](/security/compass/human-operated-ransomware)-- [Rapidly protect against ransomware and extortion](/security/compass/protect-against-ransomware)
+- [Human-operated ransomware](/security/ransomware/human-operated-ransomware)
+- [Quickly deploy ransomware preventions](/security/ransomware/protect-against-ransomware)
- [2021 Microsoft Digital Defense Report](https://www.microsoft.com/security/business/microsoft-digital-defense-report) (see pages 10-19) - [Ransomware: A pervasive and ongoing threat](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/overview) threat analytics report in the Microsoft Defender portal
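Review bot: the second bullet changes the link text as well as the path ("Rapidly protect against ransomware and extortion" becomes "Quickly deploy ransomware preventions"), while the first bullet keeps its text and only moves off `/security/compass/`; confirm the new text is the title of the target page, because a retitled link with an unchanged target reads like a different article to anyone who bookmarked the old one.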
Microsoft Azure:
- [Azure Defenses for Ransomware Attack](https://azure.microsoft.com/resources/azure-defenses-for-ransomware-attack/) - [Maximize Ransomware Resiliency with Azure and Microsoft 365](https://azure.microsoft.com/resources/maximize-ransomware-resiliency-with-azure-and-microsoft-365/)-- [Backup and restore plan to protect against ransomware](/security/compass/backup-plan-to-protect-against-ransomware)
+- [Backup and restore plan to protect against ransomware](/azure/security/fundamentals/backup-plan-to-protect-against-ransomware)
- [Help protect from ransomware with Microsoft Azure Backup](https://www.youtube.com/watch?v=VhLOr2_1MCg) (26-minute video) - [Recovering from systemic identity compromise](/azure/security/fundamentals/recover-from-identity-compromise) - [Advanced multistage attack detection in Microsoft Sentinel](/azure/sentinel/fusion#ransomware) - [Fusion Detection for Ransomware in Microsoft Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-fusion-detection-for-ransomware/ba-p/2621373) ++ Microsoft Defender for Cloud Apps: - [Create anomaly detection policies in Defender for Cloud Apps](/cloud-app-security/anomaly-detection-policy)
security Advanced Hunting Query Builder https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-builder.md
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH ms.localizationpriority: medium audience: ITPro-+ - m365-security - tier2
Last updated 08/11/2022
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] - **Applies to:** - Microsoft Defender XDR
Last updated 08/11/2022
The query builder in guided mode allows analysts to craft meaningful hunting queries *without knowing Kusto Query Language (KQL) or the data schema*. Analysts from every tier of experience can use the query builder to filter through data from the last 30 days to look for threats, expand incident investigations, perform data analytics on threat data, or focus on specific threat areas.
-The analyst can choose which data set to look at and which filters and conditions to use to narrow the data down to what they need.
+The analyst can choose which data set to look at and which filters and conditions to use to narrow the data down to what they need.
You can watch this video to get an overview of guided hunting: > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RW12cm6] ## Open Query in builder
-In the **Advanced hunting** page, select **Create new** to open a new query tab and select **Query in builder**.
+
+In the **Advanced hunting** page, select **Create new** to open a new query tab and select **Query in builder**.
![Screenshot of guided mode query builder](../../media/guided-hunting/01-open-query-builder.png) This brings you to the guided mode, where you can then construct your query by selecting different components using dropdown menus. ## Specify the data domain to hunt in+ You can control the scope of the hunt by selecting which domain the query covers: ![Screenshot of guided mode query builder domains dropdown](../../media/guided-hunting/02-specify-domain.png) -
-Selecting **All** includes data from all domains you currently have access to. Narrowing down to a specific domain allows filters relevant to that domain only.
+Selecting **All** includes data from all domains you currently have access to. Narrowing down to a specific domain allows filters relevant to that domain only.
You can choose from:+ - All domains - to look through all available data in your query - Endpoints - to look through endpoint data as provided by Microsoft Defender for Endpoint - Apps and identities - to look through application and identity data as provided by Microsoft Defender for Cloud Apps and Microsoft Defender for Identity; users familiar with [Activity log](/defender-cloud-apps/activity-filters) can find the same data here-- Email and collaboration - to look through email and collaboration apps data like SharePoint, OneDrive and others; users familiar with [Threat Explorer](/office-365-security/threat-explorer-about) can find the same data here
+- Email and collaboration - to look through email and collaboration apps data like SharePoint, OneDrive and others; users familiar with [Threat Explorer](../office-365-security/threat-explorer-about.md) can find the same data here
## Use basic filters
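Review bot: good fix; the removed `/office-365-security/threat-explorer-about` is a site-root path missing the `/microsoft-365/security/` prefix and would not resolve, and the doc-relative `../office-365-security/threat-explorer-about.md` form matches the one used in the EmailPostDeliveryEvents change above. The `[Activity log](/defender-cloud-apps/activity-filters)` link earlier on the same line correctly stays root-relative because it targets a different docset.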
-By default, guided hunting includes a few basic filters to get you started fast.
+By default, guided hunting includes a few basic filters to get you started fast.
![Screenshot of guided mode query builder basic filter set](../../media/guided-hunting/03-use-basic-filters.png) -- When you choose one data source, for instance, **Endpoints**, the query builder displays only the applicable filter groups. You can then choose a filter you are interested in narrowing down by selecting that filter group, for instance, **EventType**, and selecting the filter of your choice. ![Screenshot of guided mode query builder endpoint basic filter set](../../media/guided-hunting/03a-use-basic-filters.png) --
-Once the query is ready, select the blue **Run query** button. If the button is grayed out, it means the query needs to be filled out or edited further.
+Once the query is ready, select the blue **Run query** button. If the button is grayed out, it means the query needs to be filled out or edited further.
> [!NOTE]
-> The basic filter view uses the **AND** operator only, meaning running the query generates results for which all set filters are true.
-
+> The basic filter view uses the **AND** operator only, meaning running the query generates results for which all set filters are true.
## Load sample queries
-Another quick way to get familiar with guided hunting is to load sample queries using the **Load sample queries** dropdown menu.
+Another quick way to get familiar with guided hunting is to load sample queries using the **Load sample queries** dropdown menu.
![Screenshot of guided mode query builder load sample queries list](../../media/guided-hunting/05-load-sample-queries.png)
-> [!NOTE]
-> Selecting a sample query overrides the existing query.
+> [!NOTE]
+> Selecting a sample query overrides the existing query.
Once the sample query is loaded, select **Run query**.
If you have previously selected a domain, the list of available sample queries c
To restore the complete list of sample queries, select **All domains** then reopen **Load sample queries**.
-If the loaded sample query uses filters outside of the basic filter set, the toggle button is grayed out. To go back to the basic filter set, select **Clear all** then toggle **All filters**.
-
+If the loaded sample query uses filters outside of the basic filter set, the toggle button is grayed out. To go back to the basic filter set, select **Clear all** then toggle **All filters**.
## Use more filters
When the **All filters** toggle is active, you can now use the full range of fil
![Screenshot of guided mode query builder all filters active](../../media/guided-hunting/09-use-more-filters.png) --- ### Create conditions To specify a set of data to be used in the query, select **Select a filter**. Explore the different filter sections to find what is available to you.
-
+ ![Screenshot showing different filters you can use](../../media/guided-hunting/10-create-conditions.png) Type the section's titles in the search box at the top of the list to find the filter. Sections ending in *info* contain filters that provide information about the different components you can look at and filters for the states of entities. Sections ending in *events* contain filters that allow you to look for any monitored event on the entity. For instance, to hunt for activities involving certain devices, you can use the filters under the **Device events** section.
Type the section's titles in the search box at the top of the list to find the f
> [!NOTE] > Choosing a filter that isn't in the basic filters list deactivates or grays out the toggle to return to the basic filters view. To reset the query or remove existing filters in the current query, select **Clear all**. This also reactivates the basic filters list. - Next, set the appropriate condition to further filter the data by selecting it from the second dropdown menu and providing entries in the third dropdown menu if necessary: ![Screenshot showing different conditions you can use](../../media/guided-hunting/11-create-conditions.png)
-You can add more conditions to your query by using **AND**, and **OR** conditions. AND returns results that fulfill all conditions in the query, while OR returns results that fulfill any of the conditions in the query.
+You can add more conditions to your query by using **AND**, and **OR** conditions. AND returns results that fulfill all conditions in the query, while OR returns results that fulfill any of the conditions in the query.
![Screenshot showing AND OR operators](../../media/guided-hunting/12-create-conditions.png)
To get to know what data types are supported and other guided mode capabilities
## Try sample query walk-throughs
-Another way to get familiar with guided hunting is to load sample queries pre-created in guided mode.
+Another way to get familiar with guided hunting is to load sample queries pre-created in guided mode.
In the **Getting started** section of the hunting page, we have provided three guided query examples that you can load. The query examples contain some of the most common filters and inputs you would typically need in your hunting. Loading any of the three sample queries opens a guided tour of how you would construct the entry using guided mode.
Follow the instructions in the blue teaching bubbles to construct your query. Se
## Try some queries ### Hunt for successful connections to specific IP+ To hunt for successful network communications to a specific IP address, start typing "ip" to get suggested filters: ![Screenshot of guided mode query builder hunt for successful connections to specific IP first filter](../../media/guided-hunting/14-hunt-for-ips.png)
Finally, select **Run query** to hunt for all successful network communications
![Screenshot of guided mode query builder hunt for successful connections to specific IP results view](../../media/guided-hunting/18-hunt-for-ips.png)
-### Hunt for high confidence phish or spam emails delivered to inbox
+### Hunt for high confidence phish or spam emails delivered to inbox
To look for all high confidence phish and spam emails that were delivered to the inbox folder at the time of delivery, first select **ConfidenceLevel** under Email Events, select **equals** and choose **High** under both **Phish** and **Spam** from the suggested closed list which supports multi-selection: ![Screenshot of guided mode query builder hunt high confidence phish or spam emails delivered to inbox, first condition](../../media/guided-hunting/19-hunt-for-phish.png)
-Then, add another condition, this time specifying the folder or **DeliveryLocation, Inbox/folder**.
+Then, add another condition, this time specifying the folder or **DeliveryLocation, Inbox/folder**.
![Screenshot of guided mode query builder hunt high confidence phish or spam emails delivered to inbox, second condition](../../media/guided-hunting/20-hunt-for-phish.png) --- ## See also - [Refine your query in guided mode](advanced-hunting-query-builder-details.md)
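The two walk-throughs above build their queries in guided mode. The same hunts written in KQL, with the second one extended by the post-delivery check that the `EmailPostDeliveryEvents` reference earlier on this page makes possible, as an added example that is not part of either Microsoft article. It assumes the documented columns of `DeviceNetworkEvents`, `EmailEvents` and `EmailPostDeliveryEvents`, assumes `ConfidenceLevel` is stored as JSON text with `Phish` and `Spam` keys, and uses the placeholder IP `203.0.113.10` and a 7-day window.

```kusto
// Query 1 (guided walk-through "successful connections to specific IP"):
// successful connections to one remote IP, grouped by device and initiating process.
let target_ip = "203.0.113.10";   // placeholder, replace with the IP under investigation
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP == target_ip and ActionType == "ConnectionSuccess"
| summarize Connections = count(),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            RemotePorts = make_set(RemotePort)
          by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName
| order by Connections desc

// Query 2 (guided walk-through "high confidence phish or spam delivered to inbox"),
// joined to EmailPostDeliveryEvents to separate messages that ZAP or an admin already
// pulled back from messages that are still sitting in a mailbox.
let delivered = EmailEvents
    | where Timestamp > ago(7d)
    | where DeliveryLocation == "Inbox/folder"
    // assumed format of ConfidenceLevel: JSON text such as {"Phish":"High","Spam":"Normal"}
    | extend Verdict = parse_json(ConfidenceLevel)
    | where tostring(Verdict.Phish) == "High" or tostring(Verdict.Spam) == "High"
    | project DeliveredAt = Timestamp, NetworkMessageId, RecipientEmailAddress,
              SenderFromAddress, Subject, ThreatTypes;
let remediated = EmailPostDeliveryEvents
    | where Timestamp > ago(7d)
    // "Manual remediation" and the "<type> ZAP" values are the ActionType families the reference page lists
    | where ActionType == "Manual remediation" or ActionType endswith "ZAP"
    | project NetworkMessageId, RecipientEmailAddress,
              RemediatedAt = Timestamp, ActionType, Action, ActionResult;
delivered
| join kind=leftouter remediated on NetworkMessageId, RecipientEmailAddress
| extend StillInMailbox = isempty(ActionType)   // no post-delivery action recorded for this recipient
| project DeliveredAt, RecipientEmailAddress, SenderFromAddress, Subject, ThreatTypes,
          StillInMailbox, RemediatedAt, ActionType, Action, ActionResult
| order by StillInMailbox desc, DeliveredAt desc
```

Run the two queries separately; the portal executes one tabular expression per run. In Query 2 the `leftouter` join is what keeps the `StillInMailbox == true` rows, which are the ones to act on; an inner join would silently drop every message that has not yet been remediated.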
security Api Incident https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-incident.md
Last updated 02/08/2023
**Applies to:** -- [Microsoft Defender XDR](/fwlink/?linkid=2118804)
+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/p/?linkid=2118804)
> [!NOTE] > **Try our new APIs using MS Graph security API**. Find out more at: [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview?view=graph-rest-1.0&preserve-view=true).
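Review bot: the new Defender XDR link uses `https://go.microsoft.com/fwlink/p/?linkid=2118804`, while the same link on the api-update-incidents page in this change set is `https://go.microsoft.com/fwlink/?linkid=2118804` without `/p/`; both forms resolve, but pick one so the two API pages stay consistent.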
security Api Update Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-update-incidents.md
Last updated 02/08/2023
- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) > [!NOTE]
-> **Try our new APIs using MS Graph security API**. Find out more at: [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview). For information about the new _update incident_ API using MS Graph security API, see [Update incident](/graph/api/resources/security-incident-update).
+> **Try our new APIs using MS Graph security API**. Find out more at: [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview). For information about the new _update incident_ API using MS Graph security API, see [Update incident](/graph/api/security-incident-update).
> [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
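Review bot: moving the "Update incident" link from `/graph/api/resources/security-incident-update` to `/graph/api/security-incident-update` is right, since Graph method pages live under `/graph/api/` and resource pages under `/graph/api/resources/`, and the overview link earlier in the same line correctly stays under `resources`. The sibling api-incident page pins its Graph link with `?view=graph-rest-1.0&preserve-view=true`; consider doing the same here so the link does not drift to the beta view.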
security Auditing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/auditing.md
audience: ITPro
- m365-security - tier1
+ - essentials-compliance
search.appverid: met150 Last updated 05/29/2023
security Configure Deception https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/configure-deception.md
Last updated 01/12/2024
- Microsoft Defender XDR > [!NOTE]
-> The built-in [deception](deception-overview.md) capability in Microsoft Defender XDR covers all Windows clients onboarded to Microsoft Defender for Endpoint. Learn how to onboard clients to Defender for Endpoint in [Onboard to Microsoft Defender for Endpoint](/defender-for-endpoint/onboarding/).
+> The built-in [deception](deception-overview.md) capability in Microsoft Defender XDR covers all Windows clients onboarded to Microsoft Defender for Endpoint. Learn how to onboard clients to Defender for Endpoint in [Onboard to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/onboarding).
Microsoft Defender XDR has [deception technology](deception-overview.md) built in to protect your environment from high-impact attacks that use human-operated lateral movement. This article describes how to configure the deception capability in Microsoft Defender XDR.
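Review bot: the link fix is fine, but the note still says deception "covers all Windows clients onboarded to Microsoft Defender for Endpoint", while the requirements table in the deception-overview change below scopes lure planting to "Windows 10 RS5 and later in preview"; qualify the claim here or point at that table so the two pages agree.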
security Data Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/data-privacy.md
audience: ITPro
- m365-security - tier2
+- essentials-security
+- essentials-privacy
+- essentials-compliance
search.appverid: - MOE150
security Deception Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/deception-overview.md
The following table lists the requirements to enable the deception capability in
> |Requirement|Details| > |-|-| > |Subscription requirements|One of these subscriptions:</br> - Microsoft 365 E5</br> - Microsoft Security E5</br> - Microsoft Defender for Endpoint Plan 2|
-> |Deployment requirements|Requirements:</br> - Defender for Endpoint is the primary EDR solution</br> - [Automated investigation and response capabilities in Defender for Endpoint](/defender-endpoint/configure-automated-investigations-remediation/) is configured</br> - Devices are [joined](/entra/identity/devices/concept-directory-join/) or [hybrid joined](/entra/identity/devices/concept-hybrid-join/) in Microsoft Entra</br> - PowerShell is enabled on the devices</br> - The deception feature covers clients operating on Windows 10 RS5 and later in preview|
+> |Deployment requirements|Requirements:</br> - Defender for Endpoint is the primary EDR solution</br> - [Automated investigation and response capabilities in Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation) is configured</br> - Devices are [joined](/entra/identity/devices/concept-directory-join/) or [hybrid joined](/entra/identity/devices/concept-hybrid-join/) in Microsoft Entra</br> - PowerShell is enabled on the devices</br> - The deception feature covers clients operating on Windows 10 RS5 and later in preview|
> |Permissions|You must have one of the following roles assigned in the [Microsoft Entra admin center](https://entra.microsoft.com) or in the [Microsoft 365 admin center](https://admin.microsoft.com) to configure deception capabilities:</br> - Global administrator</br> - Security administrator| ## What is deception technology?
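Review bot: "Windows 10 RS5" is an internal release codename (it corresponds to version 1809); the other pages in this set use the public "Windows 10, version 1709 or later" form, so use the version number here. Minor: the two Entra links keep a trailing slash while the fixed Defender for Endpoint link drops it; the docs build tolerates both, but the row should not mix styles.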
There are two types of lures available in the deception feature:
- Advanced lures – planted content like cached credentials and interceptions that respond or interact with the customer environment. For example, attackers might interact with decoy credentials that were injected responses to Active Directory queries, which can be used to sign in. > [!NOTE]
-> Lures are only planted on Windows clients defined in the scope of a deception rule. However, attempts to use any decoy host or account on any Defender for Endpoint-onboarded client raises a deception alert. Learn how to onboard clients in [Onboard to Microsoft Defender for Endpoint](/defender-for-endpoint/onboarding/). Planting lures on Windows Server 2016 and later is planned for future development.
+> Lures are only planted on Windows clients defined in the scope of a deception rule. However, attempts to use any decoy host or account on any Defender for Endpoint-onboarded client raises a deception alert. Learn how to onboard clients in [Onboard to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/onboarding). Planting lures on Windows Server 2016 and later is planned for future development.
You can specify decoys, lures, and the scope in a deception rule. See [Configure the deception feature](configure-deception.md) to learn more about how to create and modify deception rules.
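Review bot: "Planting lures on Windows Server 2016 and later is planned for future development" is roadmap language inside a NOTE; either drop it or state the current limitation plainly ("lures are not planted on Windows Server"). The note's two sentences also deserve a clearer split: lures are only planted on in-scope Windows clients, yet any onboarded device, server included, raises an alert when a decoy is used from it. That is the point a reader scoping the rule needs, so say it in those words.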
security Defender Experts For Hunting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/defender-experts-for-hunting.md
audience: ITPro
- m365-security - tier1
+ - essentials-overview
search.appverid: met150 Last updated 10/18/2023
security Defender Experts Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/defender-experts-report.md
audience: ITPro
- m365-security - tier1
+- essentials-manage
Last updated 10/17/2023
security Dex Xdr Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/dex-xdr-overview.md
audience: ITPro
- m365-security - tier1
+ - essentials-overview
search.appverid: met150 Last updated 08/08/2023
security Dlp Investigate Alerts Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/dlp-investigate-alerts-defender.md
It's best practice to only grant minimal permissions to alerts in the Microsoft
|DLP Compliance Management |DLP only | |View-Only DLP Compliance Management |DLP only | - ## Before you start [Turn on alerts for all your DLP policies](/purview/dlp-create-deploy-policy) in the <a href="https://purview.microsoft.com" target="_blank">Microsoft Purview compliance portal</a>.
It's best practice to only grant minimal permissions to alerts in the Microsoft
1. Go to the Microsoft Defender portal, and select **Incidents** in the left hand navigation menu to open the incidents page.
-2. Select **Filters** on the top right, and choose **Service Source : Data Loss Prevention** to view all incidents with DLP alerts. Here's a few examples of the subfilters that are available in preview:
- 1. by user and device names
+1. Select **Filters** on the top right, and choose **Service Source : Data Loss Prevention** to view all incidents with DLP alerts. Here's a few examples of the subfilters that are available in preview:
+ 1. by user and device names
1. (in preview) In the **Entities** filter, you can search on file names, user, device names, and file paths. 1. (in preview) In the **Incidents** queue > **Alert policies** > Alert policy title. You can search on the DLP policy name.
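Review bot: switching the top-level items to `1.` so Markdown auto-numbers is fine; while the line is being touched, fix "Here's a few examples" to "Here are a few examples". The first sub-item ("by user and device names") repeats what the second one says about the **Entities** filter covering user and device names, so the two could be merged.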
The **CloudAppEvents** table contains all audit logs across all locations like S
#### Before you begin
-If you're new to advanced hunting, you should review [Get started with advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview.md).
+If you're new to advanced hunting, you should review [Get started with advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview).
-Before you can use advance hunting you must have [access to the **CloudAppEvents** table](/defender-cloud-apps/connect-office-365.md) that contains the Microsoft Purview data.
+Before you can use advance hunting you must have [access to the **CloudAppEvents** table](/defender-cloud-apps/protect-office-365#connect-microsoft-365-to-microsoft-defender-for-cloud-apps) that contains the Microsoft Purview data.
#### Using built in queries
The Defender portal offers multiple built-in queries you can use to help with yo
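Review bot: dropping the `.md` from the site-root path `/microsoft-365/security/defender/advanced-hunting-overview` is correct, since absolute doc links must not carry the extension, and the Cloud Apps link now targets a section anchor; confirm `#connect-microsoft-365-to-microsoft-defender-for-cloud-apps` exists on the `protect-office-365` page, because the build does not validate anchors. Also fix "advance hunting" to "advanced hunting" in the added line.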
1. Select **Filters** on the top right, and choose **Service Source : Data Loss Prevention** to view all incidents with DLP alerts. 1. Open a DLP incident. 1. Select on an alert to view its associated events.
-1. Select an event.
+1. Select an event.
1. In the event details pane, select the **Go Hunt** control. 1. Defender shows you a list of built-in queries that are relevant to the source location of the event. For example, if the event is from SharePoint you see 1. **File shared with**
security Faq Incident Notifications Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/faq-incident-notifications-xdr.md
The following section lists down questions your SOC team might have regarding th
| Questions | Answers | |||
-| **How do I get Defender Experts updates in Sentinel?** | If you have enabled the data connector between Microsoft Defender XDR and Microsoft Sentinel, updates made by Defender Experts in Defender to incidents are synchronized with Microsoft Sentinel. [Learn more](/articles/sentinel/connect-microsoft-365-defender).<br><br>The **Assigned to**, **Status**, and **Classification** fields in Microsoft Defender XDR incidents are mapped to the corresponding fields in Sentinel, namely **Owner**, **Status**, and **Reason for closing**.|
-| **How do I get Defender Experts updates in Sentinel to automatically trigger a playbook?** | To get Defender Experts updates, first, set up automation rules in Sentinel that are triggered with the following Defender Experts updates:<ul><li>When the **Owner** field in Microsoft Sentinel is updated to _Defender Experts_ or _Customer_.</li><li> When the **Status** field in Microsoft Sentinel is updated to _Active_ or _Closed_, which corresponds to Microsoft Defender XDR **Status** _Active_ and _In Progress_ respectively.</li><li>When Sentinel **Tag** _Awaiting Customer Action_ gets added, which corresponds to Microsoft Defender XDR **Status** _Awaiting Customer Action_.</li></ul>Next, set up playbooks in Microsoft Sentinel to automatically sync incident updates or [send incident notifications into other apps](/articles/sentinel/tutorial-respond-threats-playbook).<ul><li>Send email, or Teams message, or Slack message to your SOC team when a Defender Experts analyst is assigned to an incident.</li><li>Send SMS or phone call via Azure Communications Services or Twilio connector to your SOC lead when Defender Experts publishes response action for your team.</li><li>Create a task or ticket in apps such as Azure DevOps, ServiceNow, Jira, ZenDesk, FreshService, PagerDuty, etc. for your IT Ops team. </li></ul>|
+| **How do I get Defender Experts updates in Sentinel?** | If you have enabled the data connector between Microsoft Defender XDR and Microsoft Sentinel, updates made by Defender Experts in Defender to incidents are synchronized with Microsoft Sentinel. [Learn more](/azure/sentinel/connect-microsoft-365-defender).<br><br>The **Assigned to**, **Status**, and **Classification** fields in Microsoft Defender XDR incidents are mapped to the corresponding fields in Sentinel, namely **Owner**, **Status**, and **Reason for closing**.|
+| **How do I get Defender Experts updates in Sentinel to automatically trigger a playbook?** | To get Defender Experts updates, first, set up automation rules in Sentinel that are triggered with the following Defender Experts updates:<ul><li>When the **Owner** field in Microsoft Sentinel is updated to _Defender Experts_ or _Customer_.</li><li> When the **Status** field in Microsoft Sentinel is updated to _Active_ or _Closed_, which corresponds to Microsoft Defender XDR **Status** _Active_ and _In Progress_ respectively.</li><li>When Sentinel **Tag** _Awaiting Customer Action_ gets added, which corresponds to Microsoft Defender XDR **Status** _Awaiting Customer Action_.</li></ul>Next, set up playbooks in Microsoft Sentinel to automatically sync incident updates or [send incident notifications into other apps](/azure/sentinel/tutorial-respond-threats-playbook).<ul><li>Send email, or Teams message, or Slack message to your SOC team when a Defender Experts analyst is assigned to an incident.</li><li>Send SMS or phone call via Azure Communications Services or Twilio connector to your SOC lead when Defender Experts publishes response action for your team.</li><li>Create a task or ticket in apps such as Azure DevOps, ServiceNow, Jira, ZenDesk, FreshService, PagerDuty, etc. for your IT Ops team. </li></ul>|
| **How can I access managed response actions published by Defender Experts from Sentinel?** | Once Defender Experts publish managed response actions for an incident in your Microsoft Defender portal, the **Owner** field is updated to _Customer_ automatically, and the tag _Awaiting Customer Action_ is available in Sentinel. You can use these field changes as a trigger to review the managed response panel for the corresponding incident in the Microsoft Defender portal.| ## In third-party SIEM, SOAR, or ITSM apps
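Review bot: the link fixes are fine, but the rewritten row carries over a mapping that looks wrong: "Status ... updated to _Active_ or _Closed_, which corresponds to Microsoft Defender XDR Status _Active_ and _In Progress_ respectively" pairs Sentinel Closed with Defender XDR In Progress. Either the Sentinel side should list the states that map to _In Progress_ and _Resolved_, or the XDR side should read _In Progress_ and _Resolved_; as written, an automation rule keyed on Closed would fire on incidents that are still open.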
security Get Started Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/get-started-xdr.md
audience: ITPro
- m365-security - tier1
+ - essentials-get-started
search.appverid: met150 Last updated 01/23/2024
To edit or update permissions after the initial setup, go to **Settings** > **De
## Exclude devices and users from remediation
-Defender Experts for XDR lets you exclude devices and users from remediation actions taken by our experts and instead get remediation guidance for those entities. These exclusions are based on identified [device groups](../defender-endpoint/machine-groups.md) in Microsoft Defender for Endpoint and identified [user groups](/entr) in Microsoft Entra ID.
+Defender Experts for XDR lets you exclude devices and users from remediation actions taken by our experts and instead get remediation guidance for those entities. These exclusions are based on identified [device groups](../defender-endpoint/machine-groups.md) in Microsoft Defender for Endpoint and identified [user groups](/entra/fundamentals/concept-learn-about-groups) in Microsoft Entra ID.
**To exclude device groups:**
Defender Experts for XDR lets you exclude devices and users from remediation act
1. In the same Defender Experts settings setup, under **Exclusions**, go to the **User groups** tab. 2. Select **+ Add user groups**, then search for and choose the user group(s) that you wish to exclude. > [!NOTE]
- > This page only lists existing user groups. If you wish to create a new user group, you first need to sign into the Microsoft Entra ID admin center as a Global Administrator. Then, refresh this page to search for and choose the newly created group. [Learn more about creating user groups](/entr)
+ > This page only lists existing user groups. If you wish to create a new user group, you first need to sign into the Microsoft Entra ID admin center as a Global Administrator. Then, refresh this page to search for and choose the newly created group. [Learn more about creating user groups](/entra/fundamentals/groups-view-azure-portal)
3. Select **Add user groups**. 4. Back on the **User groups** tab, review the list of excluded user groups. If you wish to remove a user group from the exclusion list, choose it then select **Remove user group**.
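Review bot: "Microsoft Entra ID admin center" should be "Microsoft Entra admin center" (the form used in the deception-overview permissions row in this same set), and "sign into" should be "sign in to". The new target slug `groups-view-azure-portal` suggests an Azure portal walkthrough while the sentence sends the reader to the Entra admin center; check that the linked article matches the portal named here.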
security Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/get-started.md
- m365solution-getstarted - highpri - tier1
+ - essentials-overview
Last updated 09/21/2023
security Incidents Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incidents-overview.md
Consider these steps for your own incident response workflow:
If you're new to security analysis, see the [introduction to responding to your first incident](incidents-overview.md) for additional information and to step through an example incident.
-For more information about incident response across Microsoft products, see [this article](/security/compass/incident-response-overview).
+For more information about incident response across Microsoft products, see [this article](/security/operations/incident-response-overview).
<a name='example-security-operations-for-microsoft-365-defender'></a>
See [Integrating Microsoft Defender XDR into your security operations](integrate
For more information about SecOps across Microsoft's products, see these resources: - [Capabilities](/security/compass/security-operations-capabilities)-- [Best practices](/security/compass/security-operations)-- [Videos and slides](/security/compass/security-operations-videos-and-decks)
+- [Best practices](/azure/cloud-adoption-framework/secure/security-operations)
+- [Videos and slides](/security/operations/security-operations-videos-and-decks)
## Get incident notifications by email
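Review bot: the Capabilities link in the same list still points at `/security/compass/security-operations-capabilities` while the Best practices and Videos links in this hunk are moved off `/security/compass/`; since the rest of this change set retires that path (the incident-response-overview link above, the playbook links below), it should get the same treatment or a note explaining why it stays.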
Follow this table for your level of experience with security analysis and incide
| Level | Steps | |:-|:--| | **New** | <ol><li> See the [Respond to your first incident walkthrough](first-incident-overview.md) to get a guided tour of a typical process of analysis, remediation, and post-incident review in the Microsoft Defender portal with an example attack. </li><li> See which incidents should be [prioritized](incident-queue.md) based on severity and other factors. </li><li> [Manage incidents](manage-incidents.md), which includes renaming, assigning, classifying, and adding tags and comments based on your incident management workflow.</li></ol> |
-| **Experienced** | <ol><li> Get started with the incident queue from the **Incidents** page of the Microsoft Defender portal. From here you can: </li> <ul><li> See which incidents should be [prioritized](incident-queue.md) based on severity and other factors. </li><li> [Manage incidents](manage-incidents.md), which includes renaming, assigning, classifying, and adding tags and comments based on your incident management workflow. </li><li> Perform [investigations](investigate-incidents.md) of incidents. </li></ul> </li><li> Track and respond to emerging threats with [threat analytics](threat-analytics.md). </li><li> Proactively hunt for threats with [advanced threat hunting](advanced-hunting-overview.md). </li><li> See these [incident response playbooks](/security/compass/incident-response-playbooks) for detailed guidance for phishing, password spray, and app consent grant attacks. </li></ol> |
+| **Experienced** | <ol><li> Get started with the incident queue from the **Incidents** page of the Microsoft Defender portal. From here you can: </li> <ul><li> See which incidents should be [prioritized](incident-queue.md) based on severity and other factors. </li><li> [Manage incidents](manage-incidents.md), which includes renaming, assigning, classifying, and adding tags and comments based on your incident management workflow. </li><li> Perform [investigations](investigate-incidents.md) of incidents. </li></ul> </li><li> Track and respond to emerging threats with [threat analytics](threat-analytics.md). </li><li> Proactively hunt for threats with [advanced threat hunting](advanced-hunting-overview.md). </li><li> See these [incident response playbooks](/security/operations/incident-response-playbooks) for detailed guidance for phishing, password spray, and app consent grant attacks. </li></ol> |
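Review bot: the Experienced row keeps malformed HTML: in `<li> Get started ... From here you can: </li> <ul><li>` the `</li>` before the nested `<ul>` closes the list item early, so the `<ul>` becomes a direct child of `<ol>` and the `</li>` after `</ul>` is left unmatched. Drop the `</li>` before `<ul>` so the one after `</ul>` closes the item; the Tier 1 row below shows the intended nesting of that same sentence.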
### Security team role
Follow this table based on your security team role.
| Role | Steps | ||| | Incident responder (Tier 1) | Get started with the incident queue from the **Incidents** page of the Microsoft Defender portal. From here you can: <ul><li> See which incidents should be [prioritized](incident-queue.md) based on severity and other factors. </li><li> [Manage incidents](manage-incidents.md), which includes renaming, assigning, classifying, and adding tags and comments based on your incident management workflow. </li></ul> |
-| Security investigator or analyst (Tier 2) | <ol><li> Perform [investigations](investigate-incidents.md) of incidents from the **Incidents** page of the Microsoft Defender portal. </li><li> See these [incident response playbooks](/security/compass/incident-response-playbooks) for detailed guidance for phishing, password spray, and app consent grant attacks. </li></ol> |
-| Advanced security analyst or threat hunter (Tier 3) | <ol><li>Perform [investigations](investigate-incidents.md) of incidents from the **Incidents** page of the Microsoft Defender portal. </li><li> Track and respond to emerging threats with [threat analytics](threat-analytics.md). </li><li> Proactively hunt for threats with [advanced threat hunting](advanced-hunting-overview.md). </li><li> See these [incident response playbooks](/security/compass/incident-response-playbooks) for detailed guidance for phishing, password spray, and app consent grant attacks. |
+| Security investigator or analyst (Tier 2) | <ol><li> Perform [investigations](investigate-incidents.md) of incidents from the **Incidents** page of the Microsoft Defender portal. </li><li> See these [incident response playbooks](/security/operations/incident-response-playbooks) for detailed guidance for phishing, password spray, and app consent grant attacks. </li></ol> |
+| Advanced security analyst or threat hunter (Tier 3) | <ol><li>Perform [investigations](investigate-incidents.md) of incidents from the **Incidents** page of the Microsoft Defender portal. </li><li> Track and respond to emerging threats with [threat analytics](threat-analytics.md). </li><li> Proactively hunt for threats with [advanced threat hunting](advanced-hunting-overview.md). </li><li> See these [incident response playbooks](/security/operations/incident-response-playbooks) for detailed guidance for phishing, password spray, and app consent grant attacks. |
| SOC manager | See how to [integrate Microsoft Defender XDR into your Security Operations Center (SOC)](integrate-microsoft-365-defender-secops.md). | [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)]
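Review bot: the Tier 3 row is missing its closing `</li></ol>` before the final `|` (it ends `...app consent grant attacks. |`), while the Tier 2 row above closes both; the playbook path change did not touch it, but it should be fixed in the same edit.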
security M365d Configure Auto Investigation Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-configure-auto-investigation-response.md
Then, after you're all set up, you can [view and manage remediation actions in t
|Subscription requirements|One of these subscriptions: <ul><li>Microsoft 365 E5</li><li>Microsoft 365 A5</li><li>Microsoft 365 E3 with the Microsoft 365 E5 Security add-on</li><li>Microsoft 365 A3 with the Microsoft 365 A5 Security add-on</li><li>Office 365 E5 plus Enterprise Mobility + Security E5 plus Windows E5</li></ul> <br/> See [Microsoft Defender XDR licensing requirements](./prerequisites.md#licensing-requirements).| |Network requirements|<ul><li>[Microsoft Defender for Identity](/azure-advanced-threat-protection/what-is-atp) enabled</li><li>[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security) configured</li><li>[Microsoft Defender for Identity integration](/cloud-app-security/mdi-integration)</li></ul>| |Windows device requirements|<ul><li>Windows 11</li><li>Windows 10, version 1709 or later installed (See [Windows release information](/windows/release-information/))</li><li>The following threat protection services are configured:<ul><li>[Microsoft Defender for Endpoint](../defender-endpoint/configure-endpoints.md)</li><li>[Microsoft Defender Antivirus](/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features)</li></ul></li></ul>|
-|Protection for email content and Office files|<ul><li>[Microsoft Defender for Office 365 is configured](/microsoft-365/security/office-365-security/defender-for-office-365#configure-atp-policies)</li><li>[Automated investigation and remediation capabilities in Defender for Endpoint are configured](../defender-endpoint/configure-automated-investigations-remediation.md) (required for manual response actions, such as deleting email messages on devices)</li></ul>|
+|Protection for email content and Office files|<ul><li>[Microsoft Defender for Office 365 is configured](/microsoft-365/security/office-365-security/defender-for-office-365#configure-atp-policies)</li><li>[Automated investigation and remediation capabilities in Defender for Endpoint are configured](/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation) (required for manual response actions, such as deleting email messages on devices)</li></ul>|
|Permissions|To configure automated investigation and response capabilities, you must have one of the following roles assigned in either Microsoft Entra ID (<https://portal.azure.com>) or in the Microsoft 365 admin center (<https://admin.microsoft.com>): <ul><li>Global Administrator</li><li>Security Administrator</li></ul>To work with automated investigation and response capabilities, such as by reviewing, approving, or rejecting pending actions, see [Required permissions for Action center tasks](m365d-action-center.md#required-permissions-for-action-center-tasks).| ## Review or change the automation level for device groups
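Review bot: this row now uses a site-absolute path (`/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation`) while the Windows device requirements row above still uses the repo-relative `../defender-endpoint/configure-endpoints.md`; both link into the same folder, so pick one style within the table. Also confirm that `#configure-atp-policies` on the Defender for Office 365 link still resolves, since that anchor carries the pre-rename product name.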
security M365d Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-permissions.md
audience: ITPro
- m365-security - tier1
+- essentials-manage
search.appverid: - MOE150
Access to specific functionality is determined by your [Microsoft Entra role](/a
## Access to data
-Access to Microsoft Defender XDR data can be controlled using the scope assigned to user groups in Microsoft Defender for Endpoint role-based access control (RBAC). If your access has not been scoped to a specific set of devices in the Defender for Endpoint, you will have full access to data in Microsoft Defender XDR. However, once your account is scoped, you will only see data about the devices in your scope.
+Access to Microsoft Defender XDR data can be controlled using the scope assigned to user groups in Microsoft Defender for Endpoint role-based access control (RBAC). If your access hasn't been scoped to a specific set of devices in the Defender for Endpoint, you'll have full access to data in Microsoft Defender XDR. However, once your account is scoped, you'll only see data about the devices in your scope.
-For example, if you belong to only one user group with a Microsoft Defender for Endpoint role and that user group has been given access to sales devices only, you will see only data about sales devices in Microsoft Defender XDR. [Learn more about RBAC settings in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/rbac)
+For example, if you belong to only one user group with a Microsoft Defender for Endpoint role and that user group has been given access to sales devices only, you'll see only data about sales devices in Microsoft Defender XDR. [Learn more about RBAC settings in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/rbac)
### Microsoft Defender for Cloud Apps access controls
-During the preview, Microsoft Defender XDR does not enforce access controls based on Defender for Cloud Apps settings. Access to Microsoft Defender XDR data is not affected by these settings.
+During the preview, Microsoft Defender XDR doesn't enforce access controls based on Defender for Cloud Apps settings. Access to Microsoft Defender XDR data isn't affected by these settings.
-## Related topics
+## Related articles
- [Custom roles in role-based access control for Microsoft Defender XDR](custom-roles.md) - [Microsoft Entra built-in roles](/azure/active-directory/roles/permissions-reference)
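Review bot: the Access to data paragraph still reads `in the Defender for Endpoint`; the stray `the` should go (`scoped to a specific set of devices in Defender for Endpoint`), and the contraction pass is the natural place to fix it. The RBAC link in the example paragraph also still points at `/windows/security/threat-protection/microsoft-defender-atp/rbac`, the old ATP path, unlike the other link updates in this change set.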
security Microsoft 365 Defender Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender-portal.md
audience: ITPro
- m365-security - tier1
+ - essentials-manage
- admindeeplinkDEFENDER - intro-overview
Threat analytics is the Microsoft Defender XDR threat intelligence solution from
- Common attack surfaces - Prevalent malware
-## Learning Hub
-
-The Defender portal includes a learning hub that provides guidance from resources such as the Microsoft security blog, the Microsoft security community on YouTube, and the official documentation.
-
-> [!TIP]
-> There are helpful **filters** along the top of Microsoft Defender XDR learning hub that will let you choose between products (currently Microsoft Defender XDR, Microsoft Defender for Endpoint, and Microsoft Defender for Office 365). Notice that the number of learning resources for each section is listed, which can help learners keep track of how many resources they have at hand for training and learning.
->
-> Along with the Product filter, current topics, types of resources (from videos to webinars), levels of familiarity or experience with security areas, security roles, and product features are listed.
->
-> There are lots of other learning opportunities in [Microsoft Learn](/training/). You'll find certification training such as [Course MS-500T00: Microsoft 365 Security Administration](/training/courses/ms-500t00).
- ## Partner catalog Microsoft Defender XDR supports two types of partners:
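Review bot: deleting the `## Learning Hub` heading removes the `#learning-hub` anchor; this repo keeps old anchors for renamed or moved headings (see `<a name='example-security-operations-for-microsoft-365-defender'></a>` in incidents-overview above), so check for inbound links to that anchor before dropping the section without a replacement.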
With this learning path from Microsoft Learn, you can understand Microsoft Defen
|![Microsoft Defender XDR training icon.](../../media/microsoft-365-defender/m365-defender-secure-organization.svg)|Analyze threat data across domains and rapidly remediate threats with built-in orchestration and automation in Microsoft Defender XDR. This learning path aligns with exam SC-200: Microsoft Security Operations Analyst.<p> 9 hr 31 min - Learning Path - 11 Modules| > [!div class="nextstepaction"]
-> [Start >](/training/paths/dsc-200-mitigate-threats-using-microsoft-365-defender/)
+> [Start >](/training/paths/sc-200-mitigate-threats-using-microsoft-365-defender/)
## See also
security Microsoft 365 Security Center Defender Cloud https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud.md
**Applies to:** - [Microsoft Defender XDR](microsoft-365-defender.md)-- [Microsoft Defender for Cloud](/defender-for-cloud/)
+- [Microsoft Defender for Cloud](/azure/defender-for-cloud/)
[Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) is now part of Microsoft Defender XDR. Security teams can now access Defender for Cloud alerts and incidents within the Microsoft Defender portal, providing richer context to investigations that span cloud resources, devices, and identities. In addition, security teams can get the complete picture of an attack, including suspicious and malicious events that happen in their cloud environment, through immediate correlations of alerts and incidents.
Moreover, the Defender for Cloud incidents and alerts are now part of [Microsoft
## Prerequisite
-To ensure access to Defender for Cloud alerts in Microsoft Defender XDR, you must be subscribed to any of the plans listed in [Connect your Azure subscriptions](/defender-for-cloud/connect-azure-subscription/).
+To ensure access to Defender for Cloud alerts in Microsoft Defender XDR, you must be subscribed to any of the plans listed in [Connect your Azure subscriptions](/azure/defender-for-cloud/connect-azure-subscription).
### Required permissions
The following section describes the detection and investigation experience in Mi
> |Area |Description | > |-|--| > |Incidents|All Defender for Cloud incidents will be integrated to Microsoft Defender XDR.</br></br> - Searching for cloud resource assets in the [incident queue](incident-queue.md) is supported.</br> - The [attack story](investigate-incidents.md#attack-story) graph will show the cloud resource.</br> - The [assets tab](investigate-incidents.md#assets) in an incident page will show the cloud resource.</br> - Each virtual machine has its own device page containing all related alerts and activity.</br></br> There will be no duplication of incidents from other Defender workloads.|
-> |Alerts|All Defender for Cloud alerts, including multi-cloud, internal and external providers' alerts will be integrated to Microsoft Defender XDR. Defender for Cloud alerts will show on the Microsoft Defender XDR [alert queue](/defender-endpoint/alerts-queue-endpoint-detection-response/).</br></br> The *cloud resource* asset will show up in the Asset tab of an alert. Resources are clearly identified as an Azure, Amazon, or a Google Cloud resource.</br></br>Defender for Cloud alerts will automatically be associated with a tenant.</br></br>There will be no duplication of alerts from other Defender workloads.|
+> |Alerts|All Defender for Cloud alerts, including multi-cloud, internal and external providers' alerts will be integrated to Microsoft Defender XDR. Defender for Cloud alerts will show on the Microsoft Defender XDR [alert queue](/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response).</br></br> The *cloud resource* asset will show up in the Asset tab of an alert. Resources are clearly identified as an Azure, Amazon, or a Google Cloud resource.</br></br>Defender for Cloud alerts will automatically be associated with a tenant.</br></br>There will be no duplication of alerts from other Defender workloads.|
> |Alert and incident correlation|Alerts and incidents are automatically correlated, providing robust context to security operations teams to understand the complete attack story in their cloud environment.| > |Threat detection|Accurate matching of virtual entities to device entities to ensure precision and effective threat detection.| > |Unified API|Defender for Cloud alerts and incidents are now included in [Microsoft Defender XDR's public API](api-overview.md), allowing customers to export their security alerts data into other systems using one API.|
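Review bot: in the Alerts row, `including multi-cloud, internal and external providers' alerts will be integrated` needs a comma after `alerts` to close the parenthetical (`..., including multi-cloud and internal and external providers' alerts, will be integrated`); worth fixing while the row is being touched.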
security Onboarding Defender Experts For Hunting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/onboarding-defender-experts-for-hunting.md
audience: ITPro
- m365-security - tier1
+ - essentials-get-started
search.appverid: met150 Last updated 01/03/2024
security Playbook Detecting Ransomware M365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/playbook-detecting-ransomware-m365-defender.md
This article describes proactive detection of new or ongoing human-operated rans
- Microsoft 365 Business Premium - Microsoft Defender for Business
-For information about preventing ransomware attacks, see [Rapidly protect against ransomware and extortion](/security/compass/protect-against-ransomware-phase3).
+For information about preventing ransomware attacks, see [Quickly deploy ransomware preventions - Phase 3: Make it hard to get in](/security/ransomware/protect-against-ransomware-phase3).
## The importance of proactive detection
Preparing your SecOps team for proactive ransomware detection requires:
Consider these steps to get your SecOps team and organization ready for focused ransomware attack prevention:
-1. Configure your IT and cloud infrastructure for ransomware prevention with the [Rapidly protect against ransomware and extortion](/security/compass/protect-against-ransomware-phase3) guidance. The phases and tasks in this guidance can be done in parallel with the following steps.
+1. Configure your IT and cloud infrastructure for ransomware prevention with the [Quickly deploy ransomware preventions - Phase 3: Make it hard to get in](/security/ransomware/protect-against-ransomware-phase3) guidance. The phases and tasks in this guidance can be done in parallel with the following steps.
2. Get the appropriate licenses for the Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, the app governance add-on, Defender for IoT, and Microsoft Entra ID Protection services. 3. Assemble a catalog of advanced hunting queries tuned for known ransomware attack methods or attack phases. 4. Create the set of custom detection rules for specific advanced hunting queries that create alerts for known ransomware attack methods, including their schedule, alert naming, and automated actions.
security Playbook Responding Ransomware M365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/playbook-responding-ransomware-m365-defender.md
When you suspect you were or are currently under a ransomware attack, establish
* Eradication and recovery This article provides a generalized playbook for responding to ransomware attacks. Consider adapting the described steps and tasks in this article to your own security operations playbook.
-NOTE: For information about preventing ransomware attacks, see [Rapidly protect against ransomware and extortion](/security/compass/protect-against-ransomware).
+NOTE: For information about preventing ransomware attacks, see [Quickly deploy ransomware preventions](/security/ransomware/protect-against-ransomware).
## Containment
Run through this list of questions and tasks to discover the extent of the attac
Run through this list of tasks and questions to protect existing systems from attack:
-* If you have online backups, consider disconnecting the backup system from the network until you're confident that the attack is contained, see [Backup and restore plan to protect against ransomware | Microsoft Docs](/security/compass/backup-plan-to-protect-against-ransomware).
+* If you have online backups, consider disconnecting the backup system from the network until you're confident that the attack is contained, see [Backup and restore plan to protect against ransomware | Microsoft Docs](/azure/security/fundamentals/backup-plan-to-protect-against-ransomware).
* If you're experiencing or expect an imminent and active ransomware deployment: * [Suspend privileged and local accounts](./investigate-users.md) that you suspect are part of the attack. You can do this from the **Users** tab in the properties of the incident in the Microsoft Defender portal. * Stop all [remote logon sessions](/defender-for-identity/playbook-domain-dominance).
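Review bot: the link text on the backup-plan bullet still ends with `| Microsoft Docs`, a page-title suffix that is stale branding and does not belong in link text; trim it to `Backup and restore plan to protect against ransomware` now that the target has moved to `/azure/security/fundamentals/backup-plan-to-protect-against-ransomware`.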
security Respond First Incident Analyze https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/respond-first-incident-analyze.md
The following sections contain tutorials and videos of Microsoft Defender XDR fe
Ransomware continues to be a significant threat to organizations. Microsoft has the following resources to help you investigate and respond to ransomware attacks: -- **Guides**: [From detection to protection: Microsoft's guide to combating ransomware attacks](/security/ransowmare)
+- **Guides**: [From detection to protection: Microsoft's guide to combating ransomware attacks](/security/ransomware/)
- **Tutorial**: [Ransomware investigation playbook](/security/operations/incident-response-playbook-dart-ransomware-approach) - **Video**: [Investigating ransomware attacks in Microsoft Defender XDR (part 1)](https://youtu.be/eLCrGe4-Zzc) - **Video**: [Investigating ransomware attacks in Microsoft Defender XDR (part 2)](https://youtu.be/q1s7lm3O9Sc)
Ransomware continues to be a significant threat to organizations. Microsoft has
Identifying and tracking modified, created, or stolen identities are essential to investigating phishing and BEC attacks. Use the following resources when investigating these attacks: -- **Tutorial**: [Investigate malicious email](//microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered)
+- **Tutorial**: [Investigate malicious email](/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered)
- **Tutorial**: [Investigate users](investigate-users.md)-- **Tutorial**: [Investigate a user account](//microsoft-365/security/defender-endpoint/investigate-user)
+- **Tutorial**: [Investigate a user account](/microsoft-365/security/defender-endpoint/investigate-user)
- **Blog**: [Total Identity Compromise: Microsoft Incident Response lessons on securing Active Directory Identity compromise can also be investigated using Defender for Identity signals.](https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/total-identity-compromise-microsoft-incident-response-lessons-on/ba-p/3753391) - **Tutorial**: [Example of a phishing email attack](first-incident-path-phishing.md)
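Review bot: the Blog bullet's link text swallows the following sentence: `[Total Identity Compromise: ... securing Active Directory Identity compromise can also be investigated using Defender for Identity signals.](...)`. The closing `]` belongs after `Active Directory`, with `Identity compromise can also be investigated using Defender for Identity signals.` left as plain text. The line is untouched by this hunk but sits in the same list being fixed.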
security Respond First Incident Remediate https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/respond-first-incident-remediate.md
Other actions on devices are available through the following tutorial:
The following tutorials enumerate steps and actions that you can apply when investigating entities or responding to specific threats: -- [Responding to a compromised email account via Defender for Office 365](/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account.md)-- [Remediating vulnerabilities with Defender for Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/tvm-remediation.md)-- [Remediation actions for user accounts via Defender for Identity](/defender-for-identity/remediation-actions)-- [Applying policies to control apps with Defender for Cloud Apps](/defender-cloud-apps/control-cloud-apps-with-policies)
+- [Responding to a compromised email account via Defender for Office 365](/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account)
+- [Remediating vulnerabilities with Defender for Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/tvm-remediation)
+- [Remediation actions for user accounts via Defender for Identity](/defender-for-identity/remediation-actions)
+- [Applying policies to control apps with Defender for Cloud Apps](/defender-cloud-apps/control-cloud-apps-with-policies)
## Next steps -- [Simulate attacks through the attack simulation training](eval-defender-investigate-respond-simulate-attack.md)
+- [Simulate attacks through the attack simulation training](eval-defender-investigate-respond-simulate-attack.md)
- Explore Microsoft Defender XDR through the [Virtual Ninja training](https://adoption.microsoft.com/ninja-show/) ## See also
security Security Copilot M365d Create Incident Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-m365d-create-incident-report.md
Here are some recommendations to consider to ensure that Security Copilot genera
- Classify and resolve the incident before generating the incident report. - Ensure that you write and save comments in the Microsoft Sentinel activity log or in the Microsoft Defender XDR incident comments and history to include the comments in the incident report. - Write comments using comprehensive and clear language. In-depth and clear comments provide better context about the response actions. See the following steps to know how to access the comments field:
- - [Add comments to incidents in Microsoft Defender XDR](manage-incidents.md#add-comments)
- - [Add comments to incidents in Microsoft Sentinel](/azure/sentinel/investigate-cases.md#comment-on-incidents)
+ - [Add comments to incidents in Microsoft Defender XDR](manage-incidents.md#add-comments)
+ - [Add comments to incidents in Microsoft Sentinel](/azure/sentinel/investigate-cases#comment-on-incidents)
- For ServiceNow users, [enable the Microsoft Sentinel and ServiceNow bi-directional sync](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-introducing-microsoft-sentinel-solution-for/ba-p/3692840) to get more robust incident data. - Copy the generated incident report and post it to the comments and history of the incident to ensure that the incident report is saved in the incident page.
security Security Copilot M365d Script Analysis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-m365d-script-analysis.md
This guide describes what the script analysis capability is and how it works, in
## Analyze a script or code
-You can access the script analysis capability in the alert timeline within an incident and in the [device timeline](/defender-endpoint/device-timeline-event-flag.md).
+You can access the script analysis capability in the alert timeline within an incident and in the [device timeline](/microsoft-365/security/defender-endpoint/device-timeline-event-flag).
To begin analysis, perform the following steps:
security Start Using Mdex Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/start-using-mdex-xdr.md
audience: ITPro
- m365-security - tier1
+ - essentials-manage
search.appverid: met150 Last updated 01/23/2024
security Streaming Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api.md
Last updated 07/25/2023
[!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender XDR](/fwlink/?linkid=2118804)
+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/p/?linkid=2118804)
> [!NOTE] > **Try our new APIs using MS Graph security API**. Find out more at: [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview?view=graph-rest-1.0&preserve-view=true).
security Criteria https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/criteria.md
Title: How Microsoft identifies malware and potentially unwanted applications-+ description: Learn how Microsoft reviews software for privacy violations and other negative behavior, to determine if it's malware or a potentially unwanted application.
-keywords: security, malware, virus research threats, research malware, device protection, computer infection, virus infection, descriptions, remediation, latest threats, MMdevice, Microsoft Malware Protection Center, PUA, potentially unwanted applications
-ms.sitesec: library
ms.localizationpriority: medium
- m365-security - tier2 Previously updated : 12/13/2021 Last updated : 01/26/2024 search.appverid: met150 # How Microsoft identifies malware and potentially unwanted applications
-Microsoft aims to provide a delightful and productive Windows experience by working to ensure you're safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you're protected against known threats. You are also warned about software that is unknown to us.
+Microsoft aims to provide a delightful and productive Windows experience by working to ensure you're safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you're protected against known threats. You're also warned about software that is unknown to us.
-You can assist Microsoft by [submitting unknown or suspicious software for analysis](https://www.microsoft.com/wdsi/filesubmission/). This will help ensure that unknown or suspicious software is scanned by our system to start establishing reputation. [Learn more about submitting files for analysis](submission-guide.md)
+You can assist Microsoft by [submitting unknown or suspicious software for analysis](https://www.microsoft.com/wdsi/filesubmission/). Submitting files for analysis helps ensure that unknown or suspicious software is scanned by our system to start establishing reputation. [Learn more about submitting files for analysis](submission-guide.md)
The next sections provide an overview of the classifications we use for applications and the types of behaviors that lead to that classification.
Once enough data is gathered, Microsoft's security solutions can make a determin
## Malware
-Malware is the overarching name for applications and other code, like software, that Microsoft classifies more granularly as *malicious software* or *unwanted software*.
+Malware is the overarching name for applications and other code, like software, that Microsoft classifies more granularly as *malicious software*, *unwanted software*, or *tampering software*.
### Malicious software
-Malicious software is an application or code that compromises user security. Malicious software may steal your personal information, lock your device until you pay a ransom, use your device to send spam, or download other malicious software. In general, malicious software wants to trick, cheat, or defrauds users, placing them in vulnerable states.
+Malicious software is an application or code that compromises user security. Malicious software might steal your personal information, lock your device until you pay a ransom, use your device to send spam, or download other malicious software. In general, malicious software wants to trick, cheat, or defrauds users, placing them in vulnerable states.
Microsoft classifies most malicious software into one of the following categories:
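Review bot: the rewritten "Malicious software" paragraph (the `+` line) keeps the agreement error from the original: "wants to trick, cheat, or defrauds users" should read "trick, cheat, or defraud users". Since the line is being touched anyway for "may" to "might", fix the verb in the same change.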
Microsoft classifies most malicious software into one of the following categorie
* **Obfuscator:** A type of malware that hides its code and purpose, making it more difficult for security software to detect or remove.
-* **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit.
+* **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a key logger, which collects and sends information about the keys you press and websites you visit.
-* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [See more information about ransomware](/security/compass/human-operated-ransomware).
+* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [Learn more about ransomware](/security/ransomware/).
* **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your device. It also tries to convince you to pay for its services. * **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead, it tries to look legitimate to tricks users into downloading and installing it. Once installed, trojans perform various malicious activities such as stealing personal information, downloading other malware, or giving attackers access to your device.
-* **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your device.
+* **Trojan clicker:** A type of trojan that automatically selects buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your device.
* **Worm:** A type of malware that spreads to other devices. Worms can spread through email, instant messaging, file sharing platforms, social networks, network shares, and removable drives. Sophisticated worms take advantage of software vulnerabilities to propagate.
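Review bot: the "Trojan clicker" rewrite is internally inconsistent: the first sentence now says the trojan "automatically selects buttons", but the next sentence in the same bullet still says "Attackers can use this trojan to click on online advertisements". Use one verb throughout ("select" or "click"), or leave "click" since clicking is what the category name describes. Two smaller points in the same hunk: "keylogger" is split into "key logger" in the "Password stealer" bullet, which diverges from the single-word spelling generally used in threat descriptions, so confirm that is intentional; and the unchanged Trojan bullet carries "tries to look legitimate to tricks users", which should be "to trick users" and could be fixed here as well.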
Software that exhibits lack of choice might:
* Falsely claim to be software from Microsoft.
-Software must not mislead or coerce you into making decisions about your device. It is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
+Software must not mislead or coerce you into making decisions about your device. It's considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
* Display exaggerated claims about your device's health.
Software that exhibits lack of control might:
* Modify or manipulate webpage content without your consent.
-Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that don't provide supported extensibility models are considered non-extensible and shouldn't be modified.
+Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that don't provide supported extensibility models are considered nonextensible and shouldn't be modified.
#### Installation and removal
Advertisements shown to you must:
Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Microsoft Defender Antivirus and other Microsoft antimalware solutions.
+#### Tampering software
+
+Tampering software encompasses a broad spectrum of tools and threats that directly or indirectly lower the overall level of security of devices. Examples of common tampering actions include:
+
+* **Disabling or uninstalling security software**: Tools and threats that attempt to evade defense mechanisms by disabling or uninstalling security software, such as antivirus, EDR, or network protection systems. These actions leave the system vulnerable to further attacks.
+
+* **Abusing operating system features and settings**: Tools and threats that exploit features and settings within the operating system to compromise security. Examples include:
+
+ - **Firewall abuse**: Attackers using firewall components to indirectly tamper with security software or block legitimate network connections, potentially enabling unauthorized access or data exfiltration.
+
+ - **DNS manipulation**: Tampering with DNS settings to redirect traffic or block security updates, leaving the system exposed to malicious activities.
+
+ - **Safe mode exploitation**: Leveraging the legitimate `Safe Mode` setting to put the device in a state where security solutions might be bypassed, allowing for unauthorized access or malware execution.
+
+* **Manipulating system components**: Tools and threats that target critical system components, such as kernel drivers or system services, to compromise the overall security and stability of the device.
+
+* **Privilege escalation**: Techniques aimed at elevating user privileges to gain control over the system's resources and potentially manipulate security settings.
+
+* **Interfering with security updates**: Attempts to block or manipulate security updates, leaving the system vulnerable to known vulnerabilities.
+
+* **Disrupting critical services**: Actions that disrupt essential system services or processes, potentially causing system instability and opening the door for other attacks.
+
+* **Unauthorized registry changes**: Modifications to the Windows Registry or system settings that impact the security posture of the device.
+
+* **Tampering with boot processes**: Efforts to manipulate the boot process, which can result in the loading of malicious code during startup.
+ ## Potentially unwanted application (PUA) Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This protection helps deliver more productive, performant, and delightful Windows experiences. For instruction on how to enable PUA protection in Chromium-based Microsoft Edge and Microsoft Defender Antivirus, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
-*PUAs are not considered malware.*
+*PUAs aren't considered malware.*
Microsoft uses specific categories and the category definitions to classify software as a PUA.
-* **Advertising software:** Software that displays advertisements or promotions, or prompts you to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages.
+* **Advertising software:** Software that displays advertisements or promotions, or prompts you to complete surveys for other products or services in software other than itself. Such software includes software that inserts advertisements to webpages.
* **Torrent software (Enterprise only):** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies. * **Cryptomining software (Enterprise only):** Software that uses your device resources to mine cryptocurrencies.
-* **Bundling software:** Software that offers to install other software that is not developed by the same entity or not required for the software to run. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document.
+* **Bundling software:** Software that offers to install other software that isn't developed by the same entity or not required for the software to run. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document.
* **Marketing software:** Software that monitors and transmits the activities of users to applications or services other than itself for marketing research.
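Review bot: the new "Tampering software" section is added at heading level `####`, which nests it under whatever `###` subsection precedes it (the analyst-network paragraph at the end of the unwanted-software criteria), yet the updated "Malware" intro earlier in this change lists tampering software as a third top-level classification beside malicious software and unwanted software. It should be `###` so it sits as a sibling of "Malicious software", and the "The next sections provide an overview of the classifications" sentence should mention it. Minor points in the same hunk: "EDR" is used without expansion on first use; `Safe Mode` is set in code font although it is a feature name, not a literal value; and the revised "Advertising software" bullet reads "Such software includes software that inserts advertisements", which repeats "software" awkwardly ("This category also includes software that inserts..." reads better).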
Microsoft uses specific categories and the category definitions to classify soft
* **Poor industry reputation:** Software that trusted security providers detect with their security products. The security industry is dedicated to protecting customers and improving their experiences. Microsoft and other organizations in the security industry continuously exchange knowledge about files we have analyzed to provide users with the best possible protection.
+## Vulnerable software
+
+Vulnerable software is an application or code that has security flaws or weaknesses which can be exploited by attackers to perform various malicious and potentially destructive actions. These vulnerabilities may stem from unintentional coding errors or design flaws, and if exploited, can lead to harmful activities such as unauthorized access, privilege escalation, tampering, and more.
+
+### Vulnerable drivers
+
+Despite strict requirements and reviews imposed on code running in kernel, device drivers remain susceptible to various types of vulnerabilities and bugs. Examples include memory corruption and arbitrary read and write bugs, which can be exploited by attackers to execute more significant malicious and destructive actions -ΓÇô actions typically restricted in user mode. Terminating critical processes on a device is an example of such malicious action.
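Review bot: the "Vulnerable drivers" paragraph contains an encoding artifact: "destructive actions -ΓÇô actions typically restricted in user mode" is a mis-decoded en dash followed by a stray hyphen, and it will render as garbage. Replace it with a comma or a plain hyphen ("destructive actions, actions typically restricted in user mode"). Also in this hunk: "code running in kernel" should be "code running in kernel mode", and "Vulnerable software" is introduced as a new `##` classification but the document's classification overview and the "Malware" intro are not updated to mention it, so readers get no pointer to it from the top of the article.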
security Priority Accounts Security Recommendations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/priority-accounts-security-recommendations.md
Microsoft 365 and Microsoft Defender for Office 365 contain several key features
|[Train users](#train-users)|:::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" border="false":::|:::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" border="false":::|:::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" border="false":::| > [!NOTE]
-> For information about securing _privileged accounts_ (admin accounts), see [this topic](/security/compass/critical-impact-accounts).
+> For information about securing _privileged accounts_ (admin accounts), see [this topic](/purview/privileged-access-management).
## Increase sign-in security for priority accounts
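Review bot: the note's link target changes from the Compass "critical-impact accounts" guidance to `/purview/privileged-access-management`, which documents Privileged access management in Microsoft 365 (just-in-time approval for privileged tasks), a narrower topic than "securing privileged accounts (admin accounts)" as the sentence promises. Confirm this is the intended redirect target rather than the general privileged-access guidance; if it is, adjust the sentence to describe what the reader will find. The same retarget is made in user-tags-about.md in this batch, so whichever target is chosen should be applied to both.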
security Secure By Default https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-by-default.md
search.appverid:
- m365-security - tier2
- - essentials-accountability
+ - essentials-security
description: Learn more about the secure by default setting in Exchange Online Protection (EOP)
security Threat Explorer Threat Hunting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-threat-hunting.md
Once a Sec Ops person determines that an email is a threat, the next Explorer or
:::image type="content" source="../../media/threat-explorer-email-actions-button-new.png" alt-text="Screenshot of the Actions button in the Threat Explorer." lightbox="../../media/threat-explorer-email-actions-button-new.png":::
-Here, the analyst can take actions like reporting the mail as Spam, Phishing, or Malware, contacting recipients, or further investigations that can include triggering Automated Investigation and Response (or AIR) playbooks (if you have Plan 2). Or, the mail can also be reported as clean.
+Here, the analyst can take actions like submitting the message as Spam, Phishing, or Malware, contacting recipients, or further investigations that can include triggering Automated Investigation and Response (or AIR) playbooks (if you have Plan 2). Or, the message can also be submitted as clean.
:::image type="content" source="../../media/threat-explorer-email-actions-drop-down-new.png" alt-text="Screenshot of the Actions drop down." lightbox="../../media/threat-explorer-email-actions-drop-down-new.png":::
security User Tags About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-tags-about.md
To see how user tags are part of the strategy to help protect high-impact user a
- You can also manage and monitor the Priority account tag in the Microsoft 365 admin center. For instructions, see [Manage and monitor priority accounts](/microsoft-365/admin/setup/priority-accounts). -- For information about securing _privileged accounts_ (admin accounts), see [this article](/security/compass/critical-impact-accounts).
+- For information about securing _privileged accounts_ (admin accounts), see [this article](/purview/privileged-access-management).
<a name='use-the-microsoft-365-defender-portal-to-create-user-tags'></a>
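Review bot: same concern as the priority-accounts-security-recommendations.md change in this batch: the replacement link `/purview/privileged-access-management` covers just-in-time privileged access in Microsoft 365, not the broader topic of securing admin accounts that the sentence describes. Keep the two articles on the same target and make sure the sentence matches what that target actually covers.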
solutions Apps Config Step 7 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-config-step-7.md
You can use reports and logs to help view app configuration status.
The App Configuration Status report, available in the Intune console, provides details about the configuration state of each app based on user.
-The report provided the following list of app configuration status:
+The report provided the following list of app configuration status:
+ - **User**: The name of the user. - **Email**: The email of the user. - **App**: The name of the app that is being protected.
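Review bot: the `+` line "The report provided the following list of app configuration status:" reproduces the removed line verbatim, so the change is whitespace only and leaves the tense error in place; the report "provides" the list, and "status" should be plural ("statuses") or the sentence reworded to "the following app configuration details". The identical sentence appears again as the context line of the next hunk and should be fixed consistently.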
The report provided the following list of app configuration status:
- **Platform version**: The operating system version. - **iOS SDK version**: The current iOS MAM SDK version of the iOS app. - **MDM device ID**: The MDM device ID is displayed if the device is enrolled with Microsoft Intune MDM.
-
->[!NOTE]
-> The **Last Sync** column represents the same value in the in-console **User status report**, the **App Protection Policy** [exportable .csv report](/mdm/intune/app-protection-policies-monitor#export-app-protection-activities), and the **App Configuration Report**. The difference is a small delay in synchronization between the value in the reports.
+
+> [!NOTE]
+> The **Last Sync** column represents the same value in the in-console **User status report**, the **App Protection Policy** [exportable .csv report](/mem/intune/apps/app-protection-policies-monitor), and the **App Configuration Report**. The difference is a small delay in synchronization between the value in the reports.
## Understand app configuration diagnostic logs You can validate configuration by using the **Intune Diagnostic Log** for settings deployed through the managed app configuration policies. See the following resources related to app configuration logs:+ - [iOS/iPadOS configuration on unmanaged devices](/mem/intune/apps/app-configuration-policies-overview?branch=main#iosipados-configuration-on-unmanaged-devices) - [iOS/iPadOS configuration on managed devices](/mem/intune/apps/app-configuration-policies-overview?branch=main#iosipados-configuration-on-managed-devices) - [Android configuration on managed devices](/mem/intune/apps/app-configuration-policies-overview?branch=main#android-configuration-on-managed-devices)
Once a configuration policy has been assigned, you can monitor app configuration
## Troubleshoot app configuration Before you start troubleshooting app configuration, collect some basic information to help you better understand the problem and reduce the time to find a resolution.
-
+ Collect background information by answering the following questions:+ - Which policy setting is or isn't being applied? Is any app config policy being applied at all? - What is the version or build release of the targeted application? Is it the most current in the mobile store? - Did app configuration settings work on previous application releases, but started breaking on this new release?
Collect background information by answering the following questions:
- What communication channel was used to deploy your App Config settings (Managed Devices or Managed Apps)? ### Recommended investigation flow
-
+ Successfully applying app configuration settings for mobile apps relies on adding proper settings based on guidance from the publisher (developer) of the mobile app. Also, success also relies on the related [delivery channel](/microsoft-365/solutions/apps-config-overview#delivery-channels-for-app-configuration-policies) dependencies used when deploying app configuration settings. See the steps below for more information. #### Step 1: Verify prerequisites for deploying app configuration settings
-
-App configuration can be delivered either through the mobile device management (MDM) OS channel on enrolled devices (Managed App Configuration channel for iOS or the Android in the Enterprise channel for Android) or through the Mobile Application Management (MAM) channel.
-
+
+App configuration can be delivered either through the mobile device management (MDM) OS channel on enrolled devices (Managed App Configuration channel for iOS or the Android in the Enterprise channel for Android) or through the Mobile Application Management (MAM) channel.
+ Confirm your app configuration channel you selected for the app configuration policy:
- - Both communication channels or methods require that the user must be assigned an Intune license.
- - User, app, and device must meet the requirements under related app configuration policy channel.
- - For managed devices, the device must be properly enrolled in Intune MDM with a healthy enrollment profile and has synced with the service recently.
- - For managed apps, the app must support the Intune SDK and any related app protection policy must be applied correctly.
-
+
+- Both communication channels or methods require that the user must be assigned an Intune license.
+- User, app, and device must meet the requirements under related app configuration policy channel.
+ - For managed devices, the device must be properly enrolled in Intune MDM with a healthy enrollment profile and has synced with the service recently.
+ - For managed apps, the app must support the Intune SDK and any related app protection policy must be applied correctly.
+ #### Step 2: Check status of your app config policy when using the Managed Devices channel When the device is MDM enrolled, you can use the **Troubleshooting + support** > **Troubleshoot** dashboard in Intune to help review a specific user and device details. You can find and select a user by entering a display name or email. You can then select policy from the tab options. Once selected, you can review the list of currently assigned policies for that user to validate the intended app config policy is assigned. Additionally, you can select the assigned app config policy for review. #### Step 3: Check status of your app config policy when using Managed Apps channel
-
+ Similar to the previous step used for reviewing a policy, using the **Managed Devices** channel, use the **Troubleshooting** dashboard to validate the specific user is targeted with the intended app config policy. However, app config policies using the **Managed Apps** channel currently doesn't have a monitoring feature.
-
+ #### Step 4: Collect device data
-
+ Since the **Managed Devices** channel uses the MDM agent, the related app config policy would be incorporated with other device policies. Thus, we have no manual method to collect app config logs under **Managed Devices**. However, when using **Managed Apps** as the configuration channel, you can review the `IntuneMAMDiagnostics.txt` file just as you would for App Protection Policies.
-
+ For related information, see [Troubleshooting Intune app protection policy using log files on local devices](https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-troubleshooting-intune-app-protection-policy-using/ba-p/330372).
-
+ ### Additional troubleshooting scenarios #### Scenario 1 When checking the status of your app config policy when using the **Managed Devices** channel, if the status reports are **Not Applicable**, do the following action:
-
-- Review your configuration to confirm the targeted app is the app associated with your Application Configuration Policy. For example, if you select an iOS app from Apple Volume Purchase Program, that VPP managed app must be installed on the MDM enrolled device. The public store app would have a different ID than the VPP app used in targeting. Confirm the user or device has installed the MDM managed app you targeted. This could be deployed as required via MDM or available to be installed from the Company Portal or Managed Play Store on Android. +
+- Review your configuration to confirm the targeted app is the app associated with your Application Configuration Policy. For example, if you select an iOS app from Apple Volume Purchase Program, that VPP managed app must be installed on the MDM enrolled device. The public store app would have a different ID than the VPP app used in targeting. Confirm the user or device has installed the MDM managed app you targeted. This could be deployed as required via MDM or available to be installed from the Company Portal or Managed Play Store on Android.
#### Scenario 2 When some of your app config settings are applying to the app correctly, but others aren't, do the following action:
-
+ - Review and compare the publisher's documentation defining needed configuration string or values versus the string or values you have set in your configuration. The app publishers change publicly documented settings from time to time based on OS updates and other dynamics. Also, make sure your users have the most current version of the store app installed to include fixes and security updates.
-
+ #### Scenario 3 None of your app config policy settings are applying correctly to the app based on the communication channel used (**Managed Apps** or **Managed Devices**), do the following action:
-
+ - Review the publishers documentation again for the string or settings used. You may want to try using the other option for device enrollment type of the policy. For example, Edge Managed NTLM policy settings can only apply in user context. So, this means only managed apps can be used to allow Managed NTLM single sign-on sites.
-
+ For more troubleshooting information, see the following resources:+ - [App configuration policies for Microsoft Intune](/mem/intune/apps/app-configuration-policies-overview)-- [Troubleshooting app protection policy user issues](/mem/intune/app-protection-policies/troubleshoot-mam)
+- [Troubleshooting app protection policy user issues](/troubleshoot/mem/intune/app-protection-policies/troubleshoot-mam)
- [Frequently asked questions about MAM and app protection](/mem/intune/apps/mam-faq) ## After configuring apps in Intune
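Review bot: several `+` lines in this hunk carry wording problems that should be fixed while the lines are being rewritten for spacing. "Also, success also relies on the related delivery channel dependencies" doubles "also"; "the Android in the Enterprise channel for Android" should name the product, "the Android Enterprise channel"; "the device must be properly enrolled ... and has synced with the service recently" needs "have synced" to agree with "must"; "app config policies using the Managed Apps channel currently doesn't have a monitoring feature" needs "don't have"; and "Review the publishers documentation" needs the possessive "publisher's". The updated troubleshooting link path under `/troubleshoot/mem/intune/` looks correct.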
For more troubleshooting information, see the following resources:
Once you have reviewed and completed the steps provided in this solution, you're ready to configure, protect, assign, and monitor the managed apps your organization uses. For more information about how to proceed, see the following articles:+ - [App configuration policies for Microsoft Intune](/mem/intune/apps/app-configuration-policies-overview) - [App protection policies overview](/mem/intune/apps/app-protection-policy) - [Data protection framework using app protection policies](/mem/intune/apps/app-protection-framework)
solutions Ransomware Protection Microsoft 365 Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/ransomware-protection-microsoft-365-devices.md
To help protect against an attacker executing code as part of an attack:
- Turn on [Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). - [Block Win32 API calls from Office macros](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules#block-win32-api-calls-from-office-macros).-- Migrate all legacy workbooks requiring Excel 4.0 macros to the updated VBA macro format using [this process](https://www.microsoft.com/microsoft-365/blog/2010/02/16/migrating-excel-4-macros-to-vba/).
+- Migrate all legacy workbooks requiring Excel 4.0 macros to the updated VBA macro format.
- [Disable use of unsigned macros](https://support.microsoft.com/topic/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6). Ensure all internal macros with business need are signed and leveraging [trusted locations](/deployoffice/security/designate-trusted-locations-for-files-in-office) to ensure unknown macros will not run in your environment. - Stop malicious XLM or VBA macros by ensuring runtime macro scanning by [Antimalware Scan Interface](https://www.microsoft.com/security/blog/2021/03/03/xlm-amsi-new-runtime-defense-against-excel-4-0-macro-malware/) (AMSI) is on. This feature (enabled by default) is on if the Group Policy setting for **Macro Run Time Scan Scope** is set to **Enable for All Files** or **Enable for Low Trust Files**. Get the latest group policy template files.
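Review bot: the Excel 4.0 migration bullet loses its only link (the 2010 blog post) with no replacement, so the reader is told to migrate legacy workbooks "using this process" without being shown one. If the blog URL is dead, either point to current guidance on converting XLM macros to VBA or state in the commit message that the reference was removed deliberately. The unchanged context line "Get the latest group policy template files." in the same hunk also ends without a link, so consider linking the Office administrative template download there while touching this list.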
solutions Ransomware Protection Microsoft 365 Information https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/ransomware-protection-microsoft-365-information.md
Here's the ransomware protection for your tenant for steps 1-5.
Key information from Microsoft: - [The growing threat of ransomware](https://blogs.microsoft.com/on-the-issues/2021/07/20/the-growing-threat-of-ransomware/), Microsoft On the Issues blog post on July 20, 2021-- [Human-operated ransomware](/security/compass/human-operated-ransomware)-- [Rapidly protect against ransomware and extortion](/security/compass/protect-against-ransomware)
+- [Human-operated ransomware](/security/ransomware/human-operated-ransomware)
+- [Quickly deploy ransomware preventions](/security/ransomware/protect-against-ransomware)
- [2021 Microsoft Digital Defense Report](https://www.microsoft.com/security/business/microsoft-digital-defense-report) (see pages 10-19) - [Ransomware: A pervasive and ongoing threat](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/overview) analytics report in the Microsoft Defender portal-- Microsoft's Detection and Response Team (DART) ransomware [approach and best practices](/security/compass/incident-response-playbook-dart-ransomware-approach) and [case study](/security/compass/dart-ransomware-case-study)
+- Microsoft's Detection and Response Team (DART) ransomware [approach and best practices](/security/operations/incident-response-playbook-dart-ransomware-approach) and [case study](/security/ransomware/dart-ransomware-case-study)
Microsoft 365:
Microsoft Azure:
- [Azure Defenses for Ransomware Attack](https://azure.microsoft.com/resources/azure-defenses-for-ransomware-attack/) - [Maximize Ransomware Resiliency with Azure and Microsoft 365](https://azure.microsoft.com/resources/maximize-ransomware-resiliency-with-azure-and-microsoft-365/)-- [Backup and restore plan to protect against ransomware](/security/compass/backup-plan-to-protect-against-ransomware)
+- [Backup and restore plan to protect against ransomware](/azure/security/fundamentals/backup-plan-to-protect-against-ransomware)
- [Help protect from ransomware with Microsoft Azure Backup](https://www.youtube.com/watch?v=VhLOr2_1MCg) (26-minute video) - [Recovering from systemic identity compromise](/azure/security/fundamentals/recover-from-identity-compromise) - [Advanced multistage attack detection in Microsoft Sentinel](/azure/sentinel/fusion#ransomware)
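Review bot: this "Key information from Microsoft" list and the Microsoft Azure list are duplicated verbatim in ransomware-protection-microsoft-365.md, and the same five link fixes have to be applied in both files in this batch. Consider moving the shared list into an include file so future link retirements (the `/security/compass/` paths that just moved) only need one edit. The retargeted paths themselves (`/security/ransomware/`, `/security/operations/`, `/azure/security/fundamentals/`) are consistent between the two files.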
solutions Ransomware Protection Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/ransomware-protection-microsoft-365.md
Use these steps to deploy comprehensive protection for your Microsoft 365 tenant
Key information from Microsoft: - [The growing threat of ransomware](https://blogs.microsoft.com/on-the-issues/2021/07/20/the-growing-threat-of-ransomware/), Microsoft On the Issues blog post on July 20, 2021-- [Human-operated ransomware](/security/compass/human-operated-ransomware)-- [Rapidly protect against ransomware and extortion](/security/compass/protect-against-ransomware)
+- [Human-operated ransomware](/security/ransomware/human-operated-ransomware)
+- [Quickly deploy ransomware preventions](/security/ransomware/protect-against-ransomware)
- [2021 Microsoft Digital Defense Report](https://www.microsoft.com/security/business/microsoft-digital-defense-report) (see pages 10-19) - [Ransomware: A pervasive and ongoing threat](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/overview) analytics report in the Microsoft Defender portal-- Microsoft's Detection and Response Team (DART) ransomware [approach and best practices](/security/compass/incident-response-playbook-dart-ransomware-approach) and [case study](/security/compass/dart-ransomware-case-study)
+- Microsoft's Detection and Response Team (DART) ransomware [approach and best practices](/security/operations/incident-response-playbook-dart-ransomware-approach) and [case study](/security/ransomware/dart-ransomware-case-study)
Microsoft 365:
Microsoft Azure:
- [Azure Defenses for Ransomware Attack](https://azure.microsoft.com/resources/azure-defenses-for-ransomware-attack/) - [Maximize Ransomware Resiliency with Azure and Microsoft 365](https://azure.microsoft.com/resources/maximize-ransomware-resiliency-with-azure-and-microsoft-365/)-- [Backup and restore plan to protect against ransomware](/security/compass/backup-plan-to-protect-against-ransomware)
+- [Backup and restore plan to protect against ransomware](/azure/security/fundamentals/backup-plan-to-protect-against-ransomware)
- [Help protect from ransomware with Microsoft Azure Backup](https://www.youtube.com/watch?v=VhLOr2_1MCg) (26-minute video) - [Recovering from systemic identity compromise](/azure/security/fundamentals/recover-from-identity-compromise) - [Advanced multistage attack detection in Microsoft Sentinel](/azure/sentinel/fusion#ransomware)
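Review bot: the `Microsoft 365:` label that sits between the DART line and `Microsoft Azure:` has no entries under it in this hunk, so either the Microsoft 365 list was lost in this edit or the label should go; check the full file before merging. The path moves themselves are consistent (`/security/compass/...` to `/security/ransomware/...`, `/security/operations/...` and `/azure/security/fundamentals/...`), but the link text `Quickly deploy ransomware preventions` replacing `Rapidly protect against ransomware and extortion` should be checked against the current title of the target page so the two match.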
solutions Trusted Vendor Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/trusted-vendor-onboarding.md
The procedures in this article assume that you've enabled [SharePoint and OneDri
With Microsoft Entra external collaboration settings, you can allow or block invites to certain domains. By creating an allowlist, you allow guest invitations only to those domains and all others are blocked. You can use this to allow guest invitations to vendors that you've approved while blocking those to vendors you haven't.
-To allow sharing invitations only from specified domains
+To allow sharing invitations only from specified domains:
+ 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) as a Global administrator. 1. Expand **Identity**, and then expand **External Identities**. 1. Select **External collaboration settings**.
To allow sharing invitations only from specified domains
![Screenshot of collaboration restrictions settings in Microsoft Entra ID.](../media/azure-ad-allow-only-specified-domains.png)
-For more information about using allowlists or blocklists in Microsoft Entra ID, see [Allow or block invitations to B2B users from specific organizations](/azure/active-dir.ectory/external-identities/allow-deny-list)
+For more information about using allowlists or blocklists in Microsoft Entra ID, see [Allow or block invitations to B2B users from specific organizations](/azure/active-directory/external-identities/allow-deny-list)
## Allow domains for other Microsoft 365 organizations
By adding the vendor organization to the allowlist for Teams external access:
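Review bot: in the steps added for `To allow sharing invitations only from specified domains:`, the three items `1. Sign in ... 1. Expand ... 1. Select **External collaboration settings**.` are on a single line; each `1.` needs its own line (with a blank line before the list) or Markdown renders them as one paragraph instead of an ordered list. The line `To allow sharing invitations only from specified domains` without the colon, right after the `+` line, looks like a leftover of the old text and should be dropped. The procedure also stops at opening the settings page; the prose above promises an allowlist that blocks every other domain, so add the remaining steps that create the list and enter the approved vendor domains. The `active-dir.ectory` to `active-directory` fix in the link target is correct.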
<a name='allow-the-vendors-domain-in-azure-ad-cross-tenant-access-settings'></a>
-#### Allow the vendor's domain in Microsoft Entra cross-tenant access settings
+### Allow the vendor's domain in Microsoft Entra cross-tenant access settings
To specify settings such as who can be invited from the vendor organization and what applications they can use, first add the organization in Microsoft Entra cross-tenant access settings.
-To add an organization
+To add an organization:
+ 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) as a Global administrator. 1. Expand **Identity**, and then expand **External Identities**. 1. Select **Cross-tenant access settings**.
To add an organization
![Screenshot of cross-tenant access settings in Microsoft Entra ID with two external organizations configured.](../media/cross-tenant-access-settings.png) To specify who your users can invite as guests from the vendor organization:+ 1. On the **Organizational settings** tab, select the **Inbound access** link for the organization you want to configure. 1. On the **B2B collaboration** tab, select **Customize settings** 1. On the **External users and groups** tab, choose **Select \<organization\> users and groups**, and then select **Add external users and groups**.
To specify who your users can invite as guests from the vendor organization:
![Screenshot of an allowed group in the inbound cross-tenant access settings for an external organization.](../media/cross-tenant-inbound-allow-group.png) To specify which applications guests from the vendor organization can use:+ 1. On the **Organizational settings** tab, select the **Inbound access** link for the organization you want to configure. 1. On the **B2B collaboration** tab, select **Customize settings** 1. On the **Applications** tab, choose **Select applications**, and then select **Add Microsoft applications** or **Add other applications**.
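Review bot: promoting the heading from `####` to `###` is right, since the parent is `## Allow domains for other Microsoft 365 organizations` and `####` skipped a level. The same formatting problem as the previous hunk recurs: the three sign-in steps after `To add an organization:` are on one line, and the colon-less `To add an organization` that follows the `+` line duplicates it and should be removed. In both inbound-access procedures, step 2 `select **Customize settings**` lacks the trailing period the other steps carry. The lead-in `By adding the vendor organization to the allowlist for Teams external access:` that sits above the cross-tenant heading is a fragment about Teams external access, which is covered further down, not about cross-tenant access settings; check whether it belongs there.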
If you plan to use Teams shared channels with the vendor organization, both orga
To allow users in your organization and the vendor organization to chat and meet without the vendor having to log in as a guest, allow the domain in Teams external access.
-To allow an organization in Teams external access
+To allow an organization in Teams external access:
+ 1. In the Teams admin center, expand **Users**, and then select **External access**. 1. Under **Choose which domains your users have access to**, choose **Allow only specific external domains**. 1. Select **Allow domains**.
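Review bot: the procedure ends at `Select **Allow domains**` without the step that enters the vendor's domain and saves, so the reader stops just before the action that actually allows the organization; add that final step. As in the earlier hunks, the three steps need separate lines to render as a list. Choosing `Allow only specific external domains` is the right restrictive setting here, because any domain not explicitly listed stays blocked, which matches the allowlist approach the article takes for guest invitations.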
syntex Image Tagging https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/image-tagging.md
Before you can use image tagging, you need to enable it in a document library. T
## Use an existing Image Tags column
-If you already have an [**Image Tags** column in your library](https://support.microsoft.com/office/work-with-image-tags-in-a-sharepoint-library), use these steps to enable enhanced image tagging:
+If you already have an **Image Tags** column in your library, use these steps to enable enhanced image tagging:
-1. On the **Image Tags** column, select **Column settings** > **Edit**.
+1. On the **Image Tags** column, select **Column settings** > **Edit**.
2. On the **Edit column** panel, in the **Automatically tag images with detected objects** section, toggle the switch to **Yes**.
- ![Screenshot showing the Column settings panel for the Image Tags column.](../media/content-understanding/image-tagger-edit-column-toggle-highlighted.png)
-
+ ![Screenshot showing the Column settings panel for the Image Tags column.](../media/content-understanding/image-tagger-edit-column-toggle-highlighted.png)
+ 3. Once enabled, any new images uploaded to the library are tagged with the descriptive keywords. ## Enable the Image Tags column
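Review bot: the added step `3. Once enabled, any new images uploaded to the library are tagged with the descriptive keywords.` runs into the `## Enable the Image Tags column` heading on the same line; the heading must start its own line with a blank line before it, or it will not render as a heading. Dropping the support.microsoft.com link from `**Image Tags** column in your library` removes the only pointer to how that column works; if the link was removed because the target moved, replace it rather than deleting it. The `-`/`+` pair for step 1 is identical in text, so that part of the change is whitespace only.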
syntex Translation Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/translation-overview.md
description: Learn about the document translation service in Microsoft Syntex.
# Overview of document translation in Microsoft Syntex > [!NOTE]
-> Through June 2024, you can try out optical character recognition and other selected Syntex services at no cost if you have [pay-as-you-go billing](syntex-azure-billing.md) set up. For information and limitations, see [Try out Microsoft Syntex and explore its services](promo-syntex.md).
+> Through June 2024, you can try out document translation and other selected Syntex services at no cost if you have [pay-as-you-go billing](syntex-azure-billing.md) set up. For information and limitations, see [Try out Microsoft Syntex and explore its services](promo-syntex.md).
Microsoft Syntex lets you easily create a translated copy of a selected file or a set of files in a SharePoint document library. You can translate a file, while preserving the original format and structure of the file. Translation is available for all supported languages and dialects.
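Review bot: replacing `optical character recognition` with `document translation` in the note fixes text evidently copied from the OCR overview, so the promo now names the service this page describes. Separately, `# Overview of document translation in Microsoft Syntex > [!NOTE]` shows the H1 and the note callout on one line; a blank line between them is required for the `[!NOTE]` alert to render. The sentence `Translation is available for all supported languages and dialects.` is circular; either link to the supported-language list or drop `supported`.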
topics Faq Topics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/topics/faq-topics.md
- m365initiative-viva-topics - highpri - Tier1
- - essentials-accountability
+ - essentials-security
+ - essentials-privacy
+ - essentials-compliance
search.appverid:
topics Topic Experiences Security Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/topics/topic-experiences-security-privacy.md
- m365initiative-viva-topics - Tier1
- - essentials-accountability
+ - essentials-privacy
search.appverid:
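Review bot: `essentials-accountability` is replaced by `essentials-privacy` alone here, while the same replacement in the FAQ hunk above adds three tags (`essentials-security`, `essentials-privacy`, `essentials-compliance`). Since this article is the security and privacy page for topic experiences, it should presumably carry `essentials-security` as well; if the single tag is deliberate, the commit message should say why.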