-The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md). In the **Microsoft Teams app usage report**, you can gain insights into the Teams apps activity in your organization. This article explains how to access the report and view and interpret the various metrics within the report.

-2. From the dashboard homepage, click on the **View more** button on the Microsoft Teams apps activity card.

-On the top of the report, you'll see three charts describing cross-app trends across your organization.

-This chart shows you the total number of app installs across your organization up to each date within the selected period. For example ΓÇô if you select January 28th 2022, the chart will show you the total number of installs from October 2021 up to January 28th 2022.

-This chart shows you the number of apps used across your organization on each date within the selected period. For example ΓÇô if you select January 28th, the chart will show you the total number of apps used on January 28th.

-|Used on Windows| This indicates whether that app has been used on Windows by at least one user in your organization.|Yes|

-|Used on Mobile|This indicates whether that app has been used on Mobile by at least one user in your organization.|Yes|

-|Used on Web| This indicates whether that app has been used on Web by at least one user in your organization.|Yes|

-|Publisher|The publisher of this application as present in the app manifest. This is only available for apps published to the global Store.|No|

-On the top of the report, you will see three charts describing cross-app trends across your organization.

-This chart shows you the total number of unique users that have installed an app up to each date within the selected period. For example ΓÇô if you select January 28th 2022 the chart will show you the total number of users from October 2021 up to January 28th 2022.

-This chart shows you the number of unique users that have used any app on each date within the selected period. For example ΓÇô if you select January 28th, the chart will show you the total number of users on January 28th.

-|Apps used in a Team|The number of unique apps (across Store and custom) that the user has opened and/or used in a Teams Team.|Yes|

-|Used on Windows| This indicates whether that user has used any app on Windows.|Yes|

-|Used on Mobile|This indicates whether that user has used any app on Mobile (iOS or Android).|Yes|

-|Used on Web| This indicates whether that user has used any app on Web.|Yes|

-|Used on Mac|This indicates whether that user has used any app on Mac.|No|

-To link an app in this report to the Manage Apps experience in Teams Admin Center, you can use the following:

-|Groups admin | Assign the groups admin role to users who need to manage all groups settings across admin centers, including the Microsoft 365 admin center and Microsoft Entra admin center. <br><br> Groups admins can:<br> - Create, edit, delete, and restore Microsoft 365 groups <br> - Create and update group creation, expiration, and naming policies <br> - Create, edit, delete, and restore Microsoft Entra security groups|

-[Get-MgDevice](/powershell/module/microsoft.graph.users/get-mgdevice)

-Microsoft is now partnering with leading developers to create unified apps that work across Outlook, Word, Excel, PowerPoint, Teams and the Microsoft 365 App (formerly known as Office.com). Any settings made for Office Add-ins will continue to be honored as long as they stay as add-ins. When Office add-ins upgrade to work across different Microsoft applications, you can learn to manage them from here. For more information, see [Controls for managing Teams apps that work on Outlook and Microsoft 365](/manage/teams-apps-work-on-outlook-and-m365#controls-for-managing-teams-apps-that-work-on-outlook-and-the-microsoft-365-app).

-> You need a Microsoft 365 or Microsoft Entra account to access your Message center through the [admin center](/office365/admin/admin-overview/admin-center-overview). Microsoft 365 home plan users don't have an admin center.

-Check out this video and others on our [YouTube channel](https://go.microsoft.com/fwlink/?linkid=2198034).

->

-To successfully use the automated batch migration tool, it is important to correctly complete all of the prerequisite tasks. For more detailed information, see [Google Workspace migration prerequisites](/exchange/mailbox-migration/googleworkspace-migration-prerequisites).

-1. Select **Add a domain**.

-1. Enter a domain name for your subdomain, such as *m365.contoso.com*.

-1. Select **User alias domain**, select **Add domain and start verification**, and then select **Continue**. Follow the instructions to verify domain ownership.

-1. Go to the **Microsoft 365 admin center**.

-6. In the Microsoft 365 admin center, in the left nav, select **Show all**, select **Settings**, select **Domains**, and then **Add domain**.

-Microsoft allows organizations to own more than one domain. The default domain is onmicrosoft.com. You can read more about domains and how to create them at [Add a domain to Microsoft 365](/admin/setup/add-domain.md).

-[Secure Windows devices](/misc/m365bp-secure-windows-devices) (article)\

-## Buy or remove licenses for your business subscription

-> [!NOTE]

->

-> - You can't reduce the number of licenses for your subscription if all licenses are currently assigned to users. To reduce the number of licenses, first [unassign one or more licenses from users](../../admin/manage/assign-licenses-to-users.md), then remove the licenses from the subscription.

-> - If you bought your subscription through a Microsoft Representative, contact them directly for help with reducing your license count.

-### If you have an MCA billing account type

-3. On the subscription details page, select **Buy licenses** or **Remove license**s. [What if I don't see the Buy licenses or Remove licenses buttons](#what-if-i-dont-see-the-buy-licenses-or-remove-licenses-buttons)?

-5. To change the number of licenses, under **New quantity** in the **Total licenses** box, enter the total number of licenses that you want for this subscription. For example, if you have 100 licenses and you want to add five more, enter 105. If you want to remove five of them, enter 95.

-### If you have an MOSA billing account type

-3. On the subscription details page, select **Buy licenses** or **Remove licenses**. [What if I don't see the Buy licenses or Remove licenses buttons](#what-if-i-dont-see-the-buy-licenses-or-remove-licenses-buttons)?

-Prepaid product licenses are issued to you as a 25-character alphanumeric code, called a product key. After you buy the licenses you need, you can add them to your subscription by using the steps below. You can also use a product key to [extend the expiration date of your subscription](../enter-your-product-key.md#extend-the-expiration-date-for-an-existing-subscription).

-1. Go to the admin center.

-## What if I don't see the Buy licenses or Remove licenses buttons?

-|A credit check is pending. |If a credit check is pending, you can't buy or remove licenses until the credit check is complete. | Check back later to see if the credit check has completed. Credit checks typically take up to two working days to complete.<br/><br/>After the credit check is complete, you should see the **Buy licenses** and **Remove licenses** buttons. |

-## When will the new licenses be available to assign?

-If you have an MOSA billing account type, the payment method associated with your subscription or billing profile is charged as soon as you buy more licenses for a subscription. The licenses are immediately available for you to assign to users.

-If you prepaid for your subscription with a product key, you can add more licenses by using another product key, or by adding a credit card or debit card to cover the additional cost of the new licenses. If your subscription is prepaid, you can't remove licenses.

-If you have an MOSA billing account type, licenses added in the middle of your billing period appear on your next invoice. If you pay annually, you are invoiced within a month for these changes.

-On your next billing statement, the previous charge for the original number of licenses is deducted. We add a prorated charge for the time period with the original number of licenses and add a charge for the new license count. There's also a charge for the current license count for the remainder of your billing period.

-If you reduced the number of licenses for your subscription because someone has left your organization, you might want to remove that user's account. To learn more, see [Remove a former employee](../../admin/add-users/remove-former-employee.md).

-|Avatars for Teams (additional) | Yes | Yes |

-|More than 25 licenses | [Reduce the number of licenses](../licenses/buy-licenses.md#buy-or-remove-licenses-for-your-business-subscription) to 25 or fewer and then [use the steps later in this article to cancel](#steps-to-cancel-your-subscription). |

-If you moved only some users to a different subscription, [remove licenses that you no longer need](../licenses/buy-licenses.md#buy-or-remove-licenses-for-your-business-subscription).

-Site permissions must be set up separately from waves as part of the launch. For example, if you are releasing an organization-wide portal, you can set permissions to "Everyone except external users," then separate your users into waves using security groups. Adding a security group to a wave does not give that security group access to the site.

-1. Before using the Portal launch scheduler tool, [add all users who will need access to this site](https://support.microsoft.com/office/share-a-site-958771a8-d041-4eb8-b51c-afea2eae3658) through **Site permissions** as a Site owner, Site member, or Visitor.

- **Option 1**: The first few times you edit and republish changes to your home page - or up until home page version 3.0 - you will be prompted to use the Portal launch scheduler tool. Select **Schedule launch** to move forward with scheduling. Or select **Republish** to republish your page edits without scheduling the launch.

-1. Select the **Number of expected users** from the drop-down. This figure represents the number of users who will most likely need access to the site. The Portal launch scheduler will automatically determine the ideal number of waves depending on the expected users like this:

- **Option 1: Send users to an existing SharePoint page (bidirectional)** ΓÇô Use this option when launching a new modern SharePoint portal to replace an existing SharePoint portal. Users in active waves will be redirected to the new site regardless of whether they navigate to the old or new site. Users in a non-launched wave that try to access the new site will be redirected back to the old site until their wave is launched.

- **Option 2: Send users to an autogenerated temporary page (temporary page redirection)** ΓÇô Use a temporary page redirection should be used when no existing SharePoint portal exists. Users are directed to a new modern SharePoint portal and if a user is in a wave that has not been launched, they will be redirected to a temporary page.

-1. Break up your audience into waves. Add up to 20 security groups per wave. Wave details can be edited up until the launch of each wave. Each wave can last at minimum one day (24 hours) and at most seven days. This allows SharePoint and your technical environment an opportunity to acclimate and scale to the large volume of site users. When scheduling a launch through the UI, the time zone is based on the site's regional settings.

-1. Determine who needs to view the site right away and enter their information into the **Users exempt from waves** field. These users are excluded from waves and will not be redirected before, during, or after the launch.

-1. Confirm portal launch details and select **Schedule**. Once the launch has been scheduled, any changes to the SharePoint portal home page will need to receive a healthy diagnostic result before the portal launch will resume.

-If you are planning to launch a portal with over 100,000 users, submit a support request following the steps listed below within 10-14 days prior to the launch. Make sure to include all the requested information.

-1. After the ticket has been created, ensure you provide the support agent with the following information:

-1. When you are finished making your edits, select **Update**.

-The SharePoint Portal launch scheduler tool was originally only available via [SharePoint PowerShell](/powershell/sharepoint/sharepoint-online/introduction-sharepoint-online-management-shell) and will continue to be supported through PowerShell for customers who prefer this method. The same notes at the beginning of this article apply to both versions of the Portal launch scheduler.

-Bidirectional redirection involves launching a new modern SharePoint Online portal to replace an existing SharePoint classic or modern portal. Users in active waves will be redirected to the new site regardless of whether they navigate to the old or new site. Users in a non-launched wave that try to access the new site will be redirected back to the old site until their wave is launched.

-We only support redirection between the default home page on the old site and the default home page on the new site. Should you have administrators or owners that need access to the old and new sites without being redirected, ensure they are listed using the `WaveOverrideUsers` parameter.

-Temporary page redirection should be used when no existing SharePoint portal exists. Users are directed to a new modern SharePoint Online portal in a staged manner. If a user is in a wave that has not been launched, they will be redirected to a temporary page (any URL).

-This is Step 1 in a solution designed to complete a Cross-tenant OneDrive migration. To learn more, see [Cross-tenant OneDrive migration overview](cross-tenant-onedrive-migration.md).

-2. Run the following entering the **source** tenant URL:

-

-4. Run the following entering the **target** tenant URL:

->[!Important]

->**Microsoft 365 Multi-Geo customers:** You must treat each geography as a separate tenant. Provide the correct geography-specific URLs throughout the migration process.

-This is Step 3 in a solution designed to complete a Cross-tenant OneDrive migration. To learn more, see [Cross-tenant OneDrive migration overview](cross-tenant-onedrive-migration.md).

-Before starting the migration, the users current source OneDrive status is similar to the example below. This example is from the users source tenant, showing their current files and folders.

-|Success|The Migration has completed successfully.|

-**Target tenant**: After the migration has successfully completed, check the status of the user on the target tenant by logging into their new OneDrive account.

-### Start a SharePoint M365 Group connected site cross-tenant migration

-1. Ensure you have verified the compatibility status. If you see a status of either **Compatible** or **Warning** on your source tenant, you may continue. Run:

-These commands can be useful when planning bulk batches of site migrations.  You can queue and migrate up to 4,000 migrations per batch.  If your count exceeds 4,000 then separate batches can be created and scheduled to run once the current batch is close to completion.

-Before starting the migration, the users current source SharePoint status will be similar to the example below. This example is from the users source tenant, showing their current files and folders.

-**Source tenant**: Since the user has successfully migrated to the target tenant, they no longer have an active SharePoint account on the source.

-#### Related settings in Microsoft Entra ID

-#### Remove synchronized users from other tenants

-To remove your users from other tenants in a multitenant organization

-#### Stop user sync and automatic invitation redemption

-To prevent user sync and automatic invitation redemption

-|[Get-MgGroupPhoto](/powershell/module/microsoft.graph.users/get-mggroupphoto)|Used to view information about the user photo that's associated with a Microsoft 365 Group.|

-|[Get-MgGroupPhotoContent](/powershell/module/microsoft.graph.users/get-mggroupphotocontent)|Used to download the user photo that's associated with a Microsoft 365 Group.|

-|[Remove-MgGroupPhoto](/powershell/module/microsoft.graph.users/get-mggroupphoto)|Remove the photo for a Microsoft 365 Group.|

-For instructions on how to set up a PAW, see [https://aka.ms/cyberpaw](/security/compass/privileged-access-devices).

-> As images are now automatically managed in a SharePoint Online service-managed Private CDN, the manually configured Private CDN is in the process of being deprecated. This means that customers no longer need to configure private CDN. The recommended practice remains unchanged as images will be hosted via the service-managed Private CDN automatically and Public CDN will continue to be available for all other file types, like CSS and JS. Any customers using Private CDN for file types other than images, will need to move those files into Public CDN. Public CDN is recommended for these file types, to enhance performance.

-If you are already familiar with the way that CDNs work, you only need to complete a few steps to enable the Office 365 CDN for your tenant. This topic describes how. Read on for information about how to get started hosting your static assets.

-+ [Plan for deployment of the Office 365 CDN](use-microsoft-365-cdn-with-spo.md#plan-for-deployment-of-the-office-365-cdn)

- + [Determine which static assets you want to host on the CDN](use-microsoft-365-cdn-with-spo.md#CDNAssets).

- + [Determine where you want to store your assets](use-microsoft-365-cdn-with-spo.md#CDNStoreAssets). This location can be a SharePoint site, library or folder and is called an _origin_.

- + [Choose whether each origin should be public or private](use-microsoft-365-cdn-with-spo.md#CDNOriginChoosePublicPrivate). You can add multiple origins of both public and private types.

-+ Set up and configure the CDN, using either PowerShell or the CLI for Microsoft 365

- + [Set up and configure the CDN by using the SharePoint Online Management Shell](use-microsoft-365-cdn-with-spo.md#CDNSetupinPShell)

- + [Set up and configure the CDN by using PnP PowerShell](use-microsoft-365-cdn-with-spo.md#CDNSetupinPnPPosh)

- + [Set up and configure the CDN by using the CLI for Microsoft 365](use-microsoft-365-cdn-with-spo.md#CDNSetupinCLI)

- When you complete this step, you will have:

- + Enabled the CDN for your organization.

- + Added your origins, identifying each origin as public or private.

-+ Adding, updating, and removing assets

-+ Adding and removing origins

-+ Configuring CDN policies

-+ If necessary, disabling the CDN

- + [Determine which static assets you want to host on the CDN](use-microsoft-365-cdn-with-spo.md#CDNAssets)

- + [Determine where you want to store your assets](use-microsoft-365-cdn-with-spo.md#CDNStoreAssets)

- + [Choose whether each origin should be public or private](use-microsoft-365-cdn-with-spo.md#CDNOriginChoosePublicPrivate)

-In general, CDNs are most effective for hosting _static assets_, or assets that don't change very often. A good rule of thumb is to identify files that meet some or all of these conditions:

-+ Static files embedded in a page (like scripts and images) that may have a significant incremental impact on page load times

-+ Large files like executables and installation files

-+ Resource libraries that support client-side code

-For example, small files that are repeatedly requested like site images and scripts can significantly improve site rendering performance and incrementally reduce the load on your SharePoint Online sites when you add them to a CDN origin. Larger files such as installation executables can be downloaded from the CDN, delivering a positive performance impact and subsequent reduction of the load on your SharePoint Online site, even if they are not accessed as often.

-Performance improvement on a per-file basis is dependent on many factors, including the client's proximity to the nearest CDN endpoint, transient conditions on the local network, and so forth. Many static files are quite small, and can be downloaded from Office 365 in less than a second. However, a web page may contain many embedded files with a cumulative download time of several seconds. Serving these files from the CDN can significantly reduce the overall page load time. See [What performance gains does a CDN provide?](content-delivery-networks.md#what-performance-gains-does-a-cdn-provide) for an example.

-The CDN fetches your assets from a location called an _origin_. An origin can be a SharePoint site, document library or folder that is accessible by a URL. You have great flexibility when you specify origins for your organization. For example, you can specify multiple origins or a single origin where you want to put all your CDN assets. You can choose to have both public or private origins for your organization. Most organizations will choose to implement a combination of the two.

-You can create new container for your origins such as folders or document libraries, and add files you want to make available from the CDN. This is a good approach if you have a specific set of assets you want to be available from the CDN, and want to restrict the set of CDN assets to only those files in the container.

-You can also configure an existing site collection, site, library or folder as an origin, which will make all eligible assets in the container available from the CDN. Before you add an existing container as an origin, it's important to make sure you are aware of its contents and permissions so you do not inadvertently expose assets to anonymous access or unauthorized users.

-You can define _CDN policies_ to exclude content in your origins from the CDN. CDN policies exclude assets in public or private origins by attributes such as _file type_ and _site classification_, and are applied to all origins of the CdnType (private or public) you specify in the policy. For example, if you add a private origin consisting of a site that contains multiple subsites, you can define a policy to exclude sites marked as **Confidential** so content from sites with that classification applied will not be served from the CDN. The policy will apply to content from _all_ private origins you have added to the CDN.

-Keep in mind that the greater the number of origins, the greater the impact on the time it takes the CDN service to process requests. We recommend that you limit the number of origins as much as possible.

-When you identify an origin, you specify whether it should be made _public_ or _private_. Access to CDN assets in public origins is anonymous, and CDN content in private origins is secured by dynamically generated tokens for greater security. Regardless of which option you choose, Microsoft does all the heavy lifting for you when it comes to administration of the CDN itself. Also, you can change your mind later, after you've set up the CDN and identified your origins.

-**Public** origins within the Office 365 CDN are accessible anonymously, and hosted assets can be accessed by anyone who has the URL to the asset. Because access to content in public origins is anonymous, you should only use them to cache non-sensitive generic content such as JavaScript files, scripts, icons and images.

-+ Assets exposed in a public origin are accessible by everyone anonymously.

-+ If you remove an asset from a public origin, the asset may continue to be available for up to 30 days from the cache; however, we will invalidate links to the asset in the CDN within 15 minutes.

-+ When you host style sheets (CSS files) in a public origin, you can use relative paths and URIs within the code. This means that you can reference the location of background images and other objects relative to the location of the asset that's calling it.

-+ While you can construct a public origin's URL, you should proceed with caution and ensure you utilize the page context property and follow the guidance for doing so. The reason for this is that if access to the CDN becomes unavailable, the URL will not automatically resolve to your organization in SharePoint Online and might result in broken links and other errors. The URL is also subject to change which is why it should not just be hard coded to its current value.

-+ The default file types that are included for public origins are .css, .eot, .gif, .ico, .jpeg, .jpg, .js, .map, .png, .svg, .ttf, .woff and .woff2. You can specify additional file types.

-+ You can configure a policy to exclude assets that have been identified by site classifications that you specify. For example, you can choose to exclude all assets that are marked as "confidential" or "restricted" even if they are an allowed file type and are located in a public origin.

-+ Private origins can only be used for SharePoint Online assets.

-+ Users can only access the assets from a private origin if they have permissions to access the container. Anonymous access to these assets is prevented.

-+ Assets in private origins must be referred from the SharePoint Online tenant. Direct access to private CDN assets does not work.

-+ If you remove an asset from the private origin, the asset may continue to be available for up to an hour from the cache; however, we will invalidate links to the asset in the CDN within 15 minutes of the asset's removal.

-+ The default file types that are included for private origins are .gif, .ico, .jpeg, .jpg, .js, and .png. You can specify additional file types.

-+ Just like with public origins, you can configure a policy to exclude assets that have been identified by site classifications that you specify even if you use wildcards to include all assets within a folder or document library.

-+ \*/siteassets

-+ \*/masterpage

-+ \*/style library

-+ \*/clientsideassets

- <summary>Click to expand</summary>

-The status of the CDN for the specified CdnType will output to the screen.

-Use the **Set-SPOTenantCdnEnabled** cmdlet to enable your organization to use the Office 365 CDN. You can enable your organization to use public origins, private origins, or both at once. You can also configure the CDN to skip the setup of default origins when you enable it. You can always add these origins later as described in this topic.

-See [Default CDN origins](use-microsoft-365-cdn-with-spo.md#default-cdn-origins) for information about the origins that are provisioned by default when you enable the Office 365 CDN, and the potential impact of skipping the setup of default origins.

-Use the **Set-SPOTenantCdnPolicy** cmdlet to exclude site classifications that you do not want to make available over the CDN. By default, no site classifications are excluded.

-The properties that will be returned are _IncludeFileExtensions_, _ExcludeRestrictedSiteClassifications_ and _ExcludeIfNoScriptDisabled_.

-The _IncludeFileExtensions_ property contains the list of file extensions that will be served from the CDN.

-The _ExcludeRestrictedSiteClassifications_ property contains the site classifications that you want to exclude from the CDN. For example, you can exclude sites marked as **Confidential** so content from sites with that classification applied will not be served from the CDN.

-+ The wildcard modifier ***/** can only be used at the beginning of the path, and will match all URL segments under the specified URL.

-+ The path can point to a document library, folder or site. For example, the path _*/site1_ will match all the document libraries under the site.

-You can add an origin with a specific relative path. You cannot add an origin using the full path.

-If there is a space in the path, you can either surround the path in double quotes or replace the space with the URL encoding %20. The following examples add a private origin of the _folder 1_ folder in the site collection's site assets library:

-Once you've run the command, the system synchronizes the configuration across the datacenter. This can take up to 15 minutes.

-+ Use the **Add-SPOTenantCdnOrigin** cmdlet to define the style library as a public origin.

-+ Use the **Add-SPOTenantCdnOrigin** cmdlet to define the master pages as a public origin.

-Once you've run the command, the system synchronizes the configuration across the datacenter. This can take up to 15 minutes.

-+ Use the **Add-SPOTenantCdnOrigin** cmdlet to define the site assets folder as a private origin.

-+ Use the **Add-SPOTenantCdnOrigin** cmdlet to define the site pages folder as a private origin.

-+ Use the **Add-SPOTenantCdnOrigin** cmdlet to define the publishing images folder as a private origin.

-Once you've run the command, the system synchronizes the configuration across the datacenter. This can take up to 15 minutes.

-Once you've run the command, the system synchronizes the configuration across the datacenter. You may see a _Configuration pending_ message which is expected as the SharePoint Online tenant connects to the CDN service. This can take up to 15 minutes.

-Once you've set up the CDN, you can make changes to your configuration as you update content or as your needs change, as described in this section.

-Once you've completed the setup steps, you can add new assets, and update or remove existing assets whenever you want. Just make your changes to the assets in the folder or SharePoint library that you identified as an origin. If you add a new asset, it is available through the CDN immediately. However, if you update the asset, it will take up to 15 minutes for the new copy to propagate and become available in the CDN.

-You can remove access to a folder or SharePoint library that you identified as an origin. To do this, use the **Remove-SPOTenantCdnOrigin** cmdlet.

-You cannot modify an origin you've created. Instead, remove the origin and then add a new one. For more information, see [To remove an origin from the Office 365 CDN](use-microsoft-365-cdn-with-spo.md#Office365CDNforSPORemoveOriginPosh) and [To add an origin for your assets](use-microsoft-365-cdn-with-spo.md#Office365CDNforSPOOriginPosh).

- <summary>Click to expand</summary>

-The status of the CDN for the specified CdnType will output to the screen.

-Use the **Set-PnPTenantCdnEnabled** cmdlet to enable your organization to use the Office 365 CDN. You can enable your organization to use public origins, private origins, or both at the same time. You can also configure the CDN to skip the setup of default origins when you enable it. You can always add these origins later as described in this topic.

-See [Default CDN origins](use-microsoft-365-cdn-with-spo.md#default-cdn-origins) for information about the origins that are provisioned by default when you enable the Office 365 CDN, and the potential impact of skipping the setup of default origins.

-Use the **Set-PnPTenantCdnPolicy** cmdlet to exclude site classifications that you do not want to make available over the CDN. By default, no site classifications are excluded.

-The properties that will be returned are _IncludeFileExtensions_, _ExcludeRestrictedSiteClassifications_ and _ExcludeIfNoScriptDisabled_.

-The _IncludeFileExtensions_ property contains the list of file extensions that will be served from the CDN.

-The _ExcludeRestrictedSiteClassifications_ property contains the site classifications that you want to exclude from the CDN. For example, you can exclude sites marked as **Confidential** so content from sites with that classification applied will not be served from the CDN.

-+ The wildcard modifier ***/** can only be used at the beginning of the path, and will match all URL segments under the specified URL.

-+ The path can point to a document library, folder or site. For example, the path _*/site1_ will match all the document libraries under the site.

-You can add an origin with a specific relative path. You cannot add an origin using the full path.

-If there is a space in the path, you can either surround the path in double quotes or replace the space with the URL encoding %20. The following examples add a private origin of the _folder 1_ folder in the site collection's site assets library:

-> In private origins, assets being shared from an origin must have a major version published before they can be accessed from the CDN.

-Once you've run the command, the system synchronizes the configuration across the datacenter. This can take up to 15 minutes.

-+ Use the **Add-PnPTenantCdnOrigin** cmdlet to define the style library as a public origin.

-+ Use the **Add-PnPTenantCdnOrigin** cmdlet to define the master pages as a public origin.

-Once you've run the command, the system synchronizes the configuration across the datacenter. This can take up to 15 minutes.

-+ Use the **Add-PnPTenantCdnOrigin** cmdlet to define the site assets folder as a private origin.

-+ Use the **Add-PnPTenantCdnOrigin** cmdlet to define the site pages folder as a private origin.

-+ Use the **Add-PnPTenantCdnOrigin** cmdlet to define the publishing images folder as a private origin.

-Once you've run the command, the system synchronizes the configuration across the datacenter. This can take up to 15 minutes.

-Once you've run the command, the system synchronizes the configuration across the datacenter. You may see a _Configuration pending_ message which is expected as the SharePoint Online tenant connects to the CDN service. This can take up to 15 minutes.

-Once you've set up the CDN, you can make changes to your configuration as you update content or as your needs change, as described in this section.

-Once you've completed the setup steps, you can add new assets, and update or remove existing assets whenever you want. Just make your changes to the assets in the folder or SharePoint library that you identified as an origin. If you add a new asset, it is available through the CDN immediately. However, if you update the asset, it will take up to 15 minutes for the new copy to propagate and become available in the CDN.

-If you need to retrieve the location of the origin, you can use the **Get-PnPTenantCdnOrigin** cmdlet. For information on how to use this cmdlet, see [Get-PnPTenantCdnOrigin](/powershell/module/sharepoint-pnp/get-pnptenantcdnorigin).

-You can remove access to a folder or SharePoint library that you identified as an origin. To do this, use the **Remove-PnPTenantCdnOrigin** cmdlet.

-You cannot modify an origin you've created. Instead, remove the origin and then add a new one. For more information, see [To remove an origin from the Office 365 CDN](use-microsoft-365-cdn-with-spo.md#Office365CDNforSPORemoveOriginPnPPosh) and [To add an origin for your assets](use-microsoft-365-cdn-with-spo.md#Office365CDNforSPOOriginPnPPosh).

-The procedures in this section require that you have installed the [CLI for Microsoft 365](https://aka.ms/cli-m365). Next, connect to your Office 365 tenant using the [login](https://pnp.github.io/cli-microsoft365/cmd/login/) command.

- <summary>Click to expand</summary>

-To enable the Office 365 Public CDN in your tenant execute:

-To enable the Office 365 SharePoint CDN, execute:

-To check if the Office 365 Public CDN is enabled, execute:

-To view the currently configured Office 365 Public CDN origins execute:

-Use the [spo cdn origin add](https://pnp.github.io/cli-microsoft365/cmd/spo/cdn/cdn-origin-add/) command to define a CDN origin. You can define multiple origins. The origin is a URL that points to a SharePoint library or folder that contains the assets that you want to be hosted by the CDN.

-To include all assets in the **Master Page Gallery** of all sites as a public origin, execute:

-To configure a private origin for a specific site collection, execute:

-To remove a public origin from the CDN configuration, execute:

-> Removing a CDN origin doesn't affect the files stored in any document library matching that origin. If these assets have been referenced using their SharePoint URL, SharePoint will automatically switch back to the original URL pointing to the document library. If, however, assets have been referenced using a public CDN URL, then removing the origin will break the link and you will need to manually change them.

-By default, the following file types are included in the CDN: _.css, .eot, .gif, .ico, .jpeg, .jpg, .js, .map, .png, .svg, .ttf, .woff and .woff2_. If you need to include additional file types in the CDN, you can change the CDN configuration using the [spo cdn policy set](https://pnp.github.io/cli-microsoft365/cmd/spo/cdn/cdn-policy-set/) command.

-To add the _JSON_ file type to the default list of file types included in the public CDN, execute:

-Use the [spo cdn policy set](https://pnp.github.io/cli-microsoft365/cmd/spo/cdn/cdn-policy-set/) command to exclude site classifications that you do not want to make available over the CDN. By default, no site classifications are excluded.

-To exclude sites classified as _HBI_ from the public CDN, execute

-Now that you have enabled the CDN and configured origins and policies, you can begin using your CDN assets.

-This section will help you understand how to use CDN URLs in your SharePoint pages and content so that SharePoint redirects requests for assets in both public and private origins to the CDN.

-+ [Updating links to CDN assets](use-microsoft-365-cdn-with-spo.md#updating-links-to-cdn-assets)

-+ [Using assets in public origins](use-microsoft-365-cdn-with-spo.md#using-assets-in-public-origins)

-+ [Using assets in private origins](use-microsoft-365-cdn-with-spo.md#using-assets-in-private-origins)

-For information on how to use the CDN for hosting client-side web parts, see the topic [Host your client-side web part from Office 365 CDN (Hello World part 4)](/sharepoint/dev/spfx/web-parts/get-started/hosting-webpart-from-office-365-cdn).

-To use assets that you have added to an origin, you simply update links to the original file with the path to the file in the origin.

-+ Edit the page or content that contains links to assets you have added to an origin. You can also use one of several methods to globally search and replace links across an enter site or site collection if you want to update the link to a given asset everywhere it appears.

-+ For each link to an asset in an origin, replace the path with the path to the file in the CDN origin. You can use relative paths.

-+ Save the page or content.

-For example, consider the image _/site/SiteAssets/images/image.png_, which you have copied to the document library folder _/site/CDN_origins/public/_. To use the CDN asset, replace the original path to the image file location with the path to the origin to make the new URL _/site/CDN_origins/public/image.png_.

-If your origin is in a site with the Publishing feature enabled, and the assets you want to offload to the CDN are in one of the following categories, SharePoint will automatically rewrite URLs for assets in the origin, provided that the asset has not been excluded by a CDN policy.

-The following is an overview of which links are automatically rewritten by the SharePoint Publishing feature:

-+ IMG/LINK/CSS URLs in classic publishing page HTML responses

- + This includes images added by authors within the HTML content of a page

-+ Picture Library SlideShow webpart image URLs

-+ Image fields in SPList REST API (RenderListDataAsStream) results

- + Use the new property _ImageFieldsToTryRewriteToCdnUrls_ to provide a comma separated list of fields

- + Supports hyperlink fields and PublishingImage fields

-+ SharePoint image renditions

-If the _Publishing_ feature is not enabled for a public origin, or the asset is not one of the link types supported by the auto-rewrite feature of the CDN service, you can manually construct URLs to the CDN location of the assets and use these URLs in your content.

-> You cannot hardcode or construct CDN URLs to assets in a private origin because the required access token that forms the last section of the URL is generated at the time the resource is requested. You can construct the URL for Public CDN and the URL should not be hard coded as it is subject to change.

-For public CDN assets, the URL format will look like the following:

-Replace **TenantHostName** with your tenant name. Example:

-> The page context property should be used to construct the prefix instead of hard coding "https://publiccdn.sharepointonline.com". The URL is subject to change and should not be hard coded. If you are using display templates with Classic SharePoint Online then you can use the property "window._spPageContextInfo.publicCdnBaseUrl" in your display template for the prefix of the URL. If you are SPFx web parts for modern and classic SharePoint the you can utilize the property "this.context.pageContext.legacyPageContext.publicCdnBaseUrl". This will provide the prefix so that if it is changed then your implementation will update with it. As an example for SPFx, the URL can be constructed using the property "this.context.pageContext.legacyPageContext.publicCdnBaseUrl" + "/" + "host" + "/" + "relativeURL for the item". Please see [Using CDN in Client-side code](https://youtu.be/IH1RbQlbhIA) which is part of the [season 1 performance series](https://aka.ms/sppnp-perfvideos)

-No additional configuration is required to use assets in private origins. SharePoint Online automatically rewrites URLs for assets in private origins so requests for those assets will always be served from the CDN. You cannot manually build URLs to CDN assets in private origins because these URLs contain tokens that must be auto-generated by SharePoint Online at the time the asset is requested.

-Access to assets in private origins in the Office 365 CDN is granted by tokens generated by SharePoint Online. Users who already have permission to access to the folder or library designated by the origin are automatically granted tokens that permit the user to access the file based on their permission level. These access tokens are valid for 30 to 90 minutes after they are generated to help prevent token replay attacks.

-#### Item-level permissions are not supported for assets in private origins

-It is important to note that SharePoint Online does not support item-level permissions for assets in private origins. For example, for a file located at `https://contoso.sharepoint.com/sites/site1/library1/folder1/image1.jpg`, users have effective access to the file given the following conditions:

-|User |Permissions |Effective access |

-||||

-|User 1 |Has access to folder1 |Can access image1.jpg from the CDN |

-|User 2 |Does not have access to folder1 |Cannot access image1.jpg from the CDN |

-|User 3 |Does not have access to folder1, but is granted explicit permission to access image1.jpg in SharePoint Online |Can access the asset image1.jpg directly from SharePoint Online, but not from the CDN |

-|User 4 |Has access to folder1, but has been explicitly denied access to image1.jpg in SharePoint Online |Cannot access the asset from SharePoint Online, but can access the asset from the CDN despite being denied access to the file in SharePoint Online |

-Once you have added links to CDN assets to a page, you can confirm that the asset is being served from the CDN by browsing to the page, right clicking on the image once it has rendered and reviewing the image URL.

-You cannot test CDN URLs directly in a web browser because you must have a referrer coming from SharePoint Online. However, if you add the CDN asset URL to a SharePoint page and then open the page in a browser, you will see the CDN asset rendered on the page.

-To watch a short video hosted in the [SharePoint Developer Patterns and Practices YouTube channel](https://aka.ms/sppnp-videos) demonstrating how to verify that your CDN is working, please see [Verifying your CDN usage and ensuring optimal network connectivity](https://www.youtube.com/watch?v=ClCtBAtGjE8&list=PLR9nK3mnD-OWMfr1BA9mr5oCw2aJXw4WA&index=5).

-Assets in new origins will not immediately be available for use, as it takes time for the registration to propagate through the CDN and for the assets to be uploaded from the origin to CDN storage. The time required for assets to be available in the CDN depends on how many assets and the files sizes.

-+ */MASTERPAGE

-+ */STYLE LIBRARY

-+ */CLIENTSIDEASSETS

-If the */clientsideassets origin is missing, SharePoint Framework solutions will fail, and no warning or error messages are generated. This origin may be missing either because the CDN was enabled with the _-NoDefaultOrigins_ parameter set to **$true**, or because the origin was manually deleted.

-+ [Getting started with SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online)

-+ [Installing the CLI for Microsoft 365](https://pnp.github.io/cli-microsoft365/user-guide/installing-cli/)

-[Block user sign-in](/microsoft-365/lighthouse/m365-lighthouse-block-user-signin.md) (article)\

- - enumeration of list of Loop workspaces created

- - list all Loop workspaces

- - get and set sensitivity labels, conditional access policy, block download policy

-) or the [Microsoft Defender for Endpoint URL list for Gov/GCC/DoD](https://download.microsoft.com/download/8/e-urls.xlsx) for a list of services and their associated URLs that your network must be able to connect.

-> - Linux servers onboarded through Microsoft Defender for Cloud will have their initial configuration set to run Defender Antivirus in [passive mode](/defender-endpoint/microsoft-defender-antivirus-compatibility#microsoft-defender-antivirus-and-non-microsoft-antivirusantimalware-solutions).

-Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](attack-surface-reduction-rules-deployment-implement.md#customize-attack-surface-reduction-rules) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.

-It's especially useful in helping protect against [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that attempts to encrypt your files and hold them hostage.

-* [Protect important folders with controlled folder access](controlled-folders.md)

-* [Evaluate Microsoft Defender for Endpoint](evaluate-mde.md)

-* [Use audit mode](audit-windows-defender.md)

-1. - Navigate to the downloaded *wdav.pkg* in **Finder** and open it.

-

- Or

- - You can download the *wdav.pkg*- from **Terminal**

-

- *sudo installer -store -pkg /Users/admin/Downloads/wdav.pkg -target /*

-> [!Note]

-> The amount of disk space required for installation is around 777 MB.

-3. At the end of the installation process, for macOS Big Sur (11.0) or latest version, you're prompted to approve the system extensions used by the product. Select **Open Security Preferences**.

- :::image type="content" source="images/monterey-install-2.png" alt-text="Screenshot that shows the system extension approval":::

-4. From the **Security & Privacy** window, select the checkboxes next to **Microsoft Defender** and select **OK**.

-5. Repeat steps 11 and 12 for all system extensions distributed with Microsoft Defender for Endpoint on Mac.

-6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on Mac inspects socket traffic and reports this information to the Microsoft Defender portal. When prompted to grant Microsoft Defender for Endpoint permissions to filter network traffic, select **Allow**.

- :::image type="content" source="images/monterey-install-4.png" alt-text="Screenshot that shows the system extension security preferences2":::

-> [!Note]

- The client device isn't associated with *org_id*. The *org_id* attribute is blank.

- ```bash

- mdatp health --field org_id

- ```

- ```bash

- sudo bash -x MicrosoftDefenderATPOnboardingMacOs.sh

- ```

- ```bash

- mdatp health --field org_id

- ```

- After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.

- > [!div class="mx-imgBorder"]

- > :::image type="content" source="images/mdatp-icon-bar.png" alt-text="Screenshot that shows the Microsoft Defender icon in status bar":::

- ```bash

- mdatp connectivity test

- ```

- You can [troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS](troubleshoot-cloud-connect-mdemac.md).

-See the following article to test for an EDR detection review: [EDR detection test to verify device onboarding and reporting services](/microsoft-365/security/defender-endpoint/edr-detection.md)

- > [!Tip]

- > - Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP).

- > - If you have any feedback that you will like to share, submit it by opening Microsoft Defender Endpoint on Mac on your device and navigate to **Help** \> **Send feedback**.

-Review the _read me_ article at [Readme](https://github.com/microsoft/defender-updatecontrols/blob/main/README.md)

-https://github.com/microsoft/defender-updatecontrols/blob/main/README.md

-1. Download the latest Windows Defender .admx and .adml

- - [WindowsDefender.admx](https://github.com/microsoft/defender-updatecontrols/blob/main/WindowsDefender.admx)

-## Setting up the pilot environment

- | Feature | Recommendation for the pilot systems |

- |:|:|

- | Select the channel for Microsoft Defender daily **Security Intelligence updates** | Current Channel (Staged) |

- | Select the channel for Microsoft Defender monthly **Engine updates** | Beta Channel |

- | Select the channel for Microsoft Defender monthly **Platform updates** | Beta Channel |

-1. Go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.

-1. In [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265969(v=ws.11)) (GPMC, GPMC.msc), go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.

- :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png" alt-text="Screenshot that shows a screen capture of the production Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus update channels." lightbox="images/microsoft-defender-antivirus-deploy-ring-gp-microsoft-defender-antivirus-channels.png":::

-1. Set the three policies as follows:

- | Feature | Recommendation for the production systems | Remarks |

- |:|:|

- | Select the channel for Microsoft Defender daily **Security Intelligence updates** | Current Channel (Broad) | This setting provides you with 3 hours of time to find an FP and prevent the production systems from getting an incompatible signature update. |

- | Select the channel for Microsoft Defender monthly **Engine updates** | Critical ΓÇô Time delay | Updates are delayed by two days. |

- | Select the channel for Microsoft Defender monthly **Platform updates** | Critical ΓÇô Time delay | Updates are delayed by two days. |

-

- :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-edit.png" alt-text="Screenshot that shows a screen capture of the administrator-defined Microsoft Defender Antivirus policy Edit option." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-edit.png":::

-1. Select the radio button named **Enabled**.

- :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-define-order.png" alt-text="Screenshot that shows a screen capture of the Define the order of sources for downloading security intelligence updates page." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-define-order.png":::

- :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-disabled.png" alt-text="Screenshot that shows a screen capture of the Define the order of sources for downloading security intelligence updates page with Security Intelligence updates disabled." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-policy-disabled.png":::

- If you have multiple forests/domains, force replication or wait 10-15 minutes. Then force a Group Policy Update from the Group Policy Management Console.

- :::image type="content" source="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-management-console.png" alt-text="Screenshot that shows a screen capture of the Group Policy Management console, initiating a forced update." lightbox="images/microsoft-defender-antivirus-deploy-ring-group-policy-wsus-gp-management-console.png":::

-A. Check Network Protection has effect on always blocked sites:

-<!--These links are purposely blocked; will trigger as broken link>

-B. Inspect diagnostic logs

-```bash

-$ sudo mdatp log level set --level debug

-$ sudo tail -f /var/log/microsoft/mdatp/microsoft_defender_np_ext.log

-```

-$ sudo mdatp config network-protection enforcement-level --value disabled

-

-|[Managed XDR for Microsoft](https://go.microsoft.com/fwlink/?linkid=2202386)|CyberProof|CyberProof's Managed XDR (Extended Detection and Response) for Microsoft identifies intrusions across your enterprise as you migrate to the cloud ΓÇô from applications to endpoints, identities and data - enabling timely response to reduce the impact of the attack. The combination of their human expertise and experience in security operations with Microsoft's 365 Defender and Microsoft Sentinel technology reduces the costs and complexity of adopting and operating a cloud-native cyber defense architecture.|

-|[Managed Microsoft XDR](https://go.cyberproof.com/hubfs/CyberProof_Managed%20XDR%20for%20Microsoft_2022_06.pdf)|Quorum Cyber|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.|

-|[Managed Microsoft XDR](https://go.cyberproof.com/hubfs/CyberProof_Managed%20XDR%20for%20Microsoft_2022_06.pdf)|Quorum Cyber|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.|

-|[Managed Microsoft XDR](https://go.cyberproof.com/hubfs/CyberProof_Managed%20XDR%20for%20Microsoft_2022_06.pdf)|Quorum Cyber|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.|

-|[Managed Microsoft XDR](https://go.cyberproof.com/hubfs/CyberProof_Managed%20XDR%20for%20Microsoft_2022_06.pdf)|Quorum Cyber|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.|

-|[Managed Microsoft XDR](https://go.cyberproof.com/hubfs/CyberProof_Managed%20XDR%20for%20Microsoft_2022_06.pdf)|Quorum Cyber|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.|

-2. Add comments and select **Confirm**.

-3. Select **Action center** from the response actions section of the device page.

-4. Click the **Package collection package available** to download the collection package.

-For Windows devices, the package contains the following folders:

-|Folder|Description|

-The collection packages for macOS and Linux devices contain the following:

-|Object|macOS|Linux|

-> - You can use the device isolation capability on all supported Microsoft Defender for Endpoint on Linux listed in [System requirements](microsoft-defender-endpoint-linux.md#system-requirements).

-> The device will remain connected to the Defender for Endpoint service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the device is isolated.

-The analyst can choose which data set to look at and which filters and conditions to use to narrow the data down to what they need.

-In the **Advanced hunting** page, select **Create new** to open a new query tab and select **Query in builder**.

-Selecting **All** includes data from all domains you currently have access to. Narrowing down to a specific domain allows filters relevant to that domain only.

-By default, guided hunting includes a few basic filters to get you started fast.

-Once the query is ready, select the blue **Run query** button. If the button is grayed out, it means the query needs to be filled out or edited further.

-> The basic filter view uses the **AND** operator only, meaning running the query generates results for which all set filters are true.

-Another quick way to get familiar with guided hunting is to load sample queries using the **Load sample queries** dropdown menu.

-> [!NOTE]

-> Selecting a sample query overrides the existing query.

-If the loaded sample query uses filters outside of the basic filter set, the toggle button is grayed out. To go back to the basic filter set, select **Clear all** then toggle **All filters**.

-

-You can add more conditions to your query by using **AND**, and **OR** conditions. AND returns results that fulfill all conditions in the query, while OR returns results that fulfill any of the conditions in the query.

-Another way to get familiar with guided hunting is to load sample queries pre-created in guided mode.

-### Hunt for high confidence phish or spam emails delivered to inbox

-Then, add another condition, this time specifying the folder or **DeliveryLocation, Inbox/folder**.

-> **Try our new APIs using MS Graph security API**. Find out more at: [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview). For information about the new _update incident_ API using MS Graph security API, see [Update incident](/graph/api/resources/security-incident-update).

-> The built-in [deception](deception-overview.md) capability in Microsoft Defender XDR covers all Windows clients onboarded to Microsoft Defender for Endpoint. Learn how to onboard clients to Defender for Endpoint in [Onboard to Microsoft Defender for Endpoint](/defender-for-endpoint/onboarding/).

-> |Deployment requirements|Requirements:</br> - Defender for Endpoint is the primary EDR solution</br> - [Automated investigation and response capabilities in Defender for Endpoint](/defender-endpoint/configure-automated-investigations-remediation/) is configured</br> - Devices are [joined](/entra/identity/devices/concept-directory-join/) or [hybrid joined](/entra/identity/devices/concept-hybrid-join/) in Microsoft Entra</br> - PowerShell is enabled on the devices</br> - The deception feature covers clients operating on Windows 10 RS5 and later in preview|

-> Lures are only planted on Windows clients defined in the scope of a deception rule. However, attempts to use any decoy host or account on any Defender for Endpoint-onboarded client raises a deception alert. Learn how to onboard clients in [Onboard to Microsoft Defender for Endpoint](/defender-for-endpoint/onboarding/). Planting lures on Windows Server 2016 and later is planned for future development.

-2. Select **Filters** on the top right, and choose **Service Source : Data Loss Prevention** to view all incidents with DLP alerts. Here's a few examples of the subfilters that are available in preview:

- 1. by user and device names

-If you're new to advanced hunting, you should review [Get started with advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview.md).

-Before you can use advance hunting you must have [access to the **CloudAppEvents** table](/defender-cloud-apps/connect-office-365.md) that contains the Microsoft Purview data.

-1. Select an event.

-| **How do I get Defender Experts updates in Sentinel?** | If you have enabled the data connector between Microsoft Defender XDR and Microsoft Sentinel, updates made by Defender Experts in Defender to incidents are synchronized with Microsoft Sentinel. [Learn more](/articles/sentinel/connect-microsoft-365-defender).<br><br>The **Assigned to**, **Status**, and **Classification** fields in Microsoft Defender XDR incidents are mapped to the corresponding fields in Sentinel, namely **Owner**, **Status**, and **Reason for closing**.|

-| **How do I get Defender Experts updates in Sentinel to automatically trigger a playbook?** | To get Defender Experts updates, first, set up automation rules in Sentinel that are triggered with the following Defender Experts updates:<ul><li>When the **Owner** field in Microsoft Sentinel is updated to _Defender Experts_ or _Customer_.</li><li> When the **Status** field in Microsoft Sentinel is updated to _Active_ or _Closed_, which corresponds to Microsoft Defender XDR **Status** _Active_ and _In Progress_ respectively.</li><li>When Sentinel **Tag** _Awaiting Customer Action_ gets added, which corresponds to Microsoft Defender XDR **Status** _Awaiting Customer Action_.</li></ul>Next, set up playbooks in Microsoft Sentinel to automatically sync incident updates or [send incident notifications into other apps](/articles/sentinel/tutorial-respond-threats-playbook).<ul><li>Send email, or Teams message, or Slack message to your SOC team when a Defender Experts analyst is assigned to an incident.</li><li>Send SMS or phone call via Azure Communications Services or Twilio connector to your SOC lead when Defender Experts publishes response action for your team.</li><li>Create a task or ticket in apps such as Azure DevOps, ServiceNow, Jira, ZenDesk, FreshService, PagerDuty, etc. for your IT Ops team. </li></ul>|

-Defender Experts for XDR lets you exclude devices and users from remediation actions taken by our experts and instead get remediation guidance for those entities. These exclusions are based on identified [device groups](../defender-endpoint/machine-groups.md) in Microsoft Defender for Endpoint and identified [user groups](/entr) in Microsoft Entra ID.

- > This page only lists existing user groups. If you wish to create a new user group, you first need to sign into the Microsoft Entra ID admin center as a Global Administrator. Then, refresh this page to search for and choose the newly created group. [Learn more about creating user groups](/entr)

-For more information about incident response across Microsoft products, see [this article](/security/compass/incident-response-overview).

-| **Experienced** | <ol><li> Get started with the incident queue from the **Incidents** page of the Microsoft Defender portal. From here you can: </li> <ul><li> See which incidents should be [prioritized](incident-queue.md) based on severity and other factors. </li><li> [Manage incidents](manage-incidents.md), which includes renaming, assigning, classifying, and adding tags and comments based on your incident management workflow. </li><li> Perform [investigations](investigate-incidents.md) of incidents. </li></ul> </li><li> Track and respond to emerging threats with [threat analytics](threat-analytics.md). </li><li> Proactively hunt for threats with [advanced threat hunting](advanced-hunting-overview.md). </li><li> See these [incident response playbooks](/security/compass/incident-response-playbooks) for detailed guidance for phishing, password spray, and app consent grant attacks. </li></ol> |

-| Security investigator or analyst (Tier 2) | <ol><li> Perform [investigations](investigate-incidents.md) of incidents from the **Incidents** page of the Microsoft Defender portal. </li><li> See these [incident response playbooks](/security/compass/incident-response-playbooks) for detailed guidance for phishing, password spray, and app consent grant attacks. </li></ol> |

-| Advanced security analyst or threat hunter (Tier 3) | <ol><li>Perform [investigations](investigate-incidents.md) of incidents from the **Incidents** page of the Microsoft Defender portal. </li><li> Track and respond to emerging threats with [threat analytics](threat-analytics.md). </li><li> Proactively hunt for threats with [advanced threat hunting](advanced-hunting-overview.md). </li><li> See these [incident response playbooks](/security/compass/incident-response-playbooks) for detailed guidance for phishing, password spray, and app consent grant attacks. |

-|Protection for email content and Office files|<ul><li>[Microsoft Defender for Office 365 is configured](/microsoft-365/security/office-365-security/defender-for-office-365#configure-atp-policies)</li><li>[Automated investigation and remediation capabilities in Defender for Endpoint are configured](../defender-endpoint/configure-automated-investigations-remediation.md) (required for manual response actions, such as deleting email messages on devices)</li></ul>|

-Access to Microsoft Defender XDR data can be controlled using the scope assigned to user groups in Microsoft Defender for Endpoint role-based access control (RBAC). If your access has not been scoped to a specific set of devices in the Defender for Endpoint, you will have full access to data in Microsoft Defender XDR. However, once your account is scoped, you will only see data about the devices in your scope.

-For example, if you belong to only one user group with a Microsoft Defender for Endpoint role and that user group has been given access to sales devices only, you will see only data about sales devices in Microsoft Defender XDR. [Learn more about RBAC settings in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/rbac)

-During the preview, Microsoft Defender XDR does not enforce access controls based on Defender for Cloud Apps settings. Access to Microsoft Defender XDR data is not affected by these settings.

-## Related topics

-## Learning Hub

-The Defender portal includes a learning hub that provides guidance from resources such as the Microsoft security blog, the Microsoft security community on YouTube, and the official documentation.

-> [!TIP]

-> There are helpful **filters** along the top of Microsoft Defender XDR learning hub that will let you choose between products (currently Microsoft Defender XDR, Microsoft Defender for Endpoint, and Microsoft Defender for Office 365). Notice that the number of learning resources for each section is listed, which can help learners keep track of how many resources they have at hand for training and learning.

->

-> Along with the Product filter, current topics, types of resources (from videos to webinars), levels of familiarity or experience with security areas, security roles, and product features are listed.

->

-> There are lots of other learning opportunities in [Microsoft Learn](/training/). You'll find certification training such as [Course MS-500T00: Microsoft 365 Security Administration](/training/courses/ms-500t00).

-> [Start >](/training/paths/dsc-200-mitigate-threats-using-microsoft-365-defender/)

-To ensure access to Defender for Cloud alerts in Microsoft Defender XDR, you must be subscribed to any of the plans listed in [Connect your Azure subscriptions](/defender-for-cloud/connect-azure-subscription/).

-> |Alerts|All Defender for Cloud alerts, including multi-cloud, internal and external providers' alerts will be integrated to Microsoft Defender XDR. Defender for Cloud alerts will show on the Microsoft Defender XDR [alert queue](/defender-endpoint/alerts-queue-endpoint-detection-response/).</br></br> The *cloud resource* asset will show up in the Asset tab of an alert. Resources are clearly identified as an Azure, Amazon, or a Google Cloud resource.</br></br>Defender for Cloud alerts will automatically be associated with a tenant.</br></br>There will be no duplication of alerts from other Defender workloads.|

-For information about preventing ransomware attacks, see [Rapidly protect against ransomware and extortion](/security/compass/protect-against-ransomware-phase3).

-1. Configure your IT and cloud infrastructure for ransomware prevention with the [Rapidly protect against ransomware and extortion](/security/compass/protect-against-ransomware-phase3) guidance. The phases and tasks in this guidance can be done in parallel with the following steps.

-NOTE: For information about preventing ransomware attacks, see [Rapidly protect against ransomware and extortion](/security/compass/protect-against-ransomware).

-* If you have online backups, consider disconnecting the backup system from the network until you're confident that the attack is contained, see [Backup and restore plan to protect against ransomware | Microsoft Docs](/security/compass/backup-plan-to-protect-against-ransomware).

- - [Add comments to incidents in Microsoft Defender XDR](manage-incidents.md#add-comments)

- - [Add comments to incidents in Microsoft Sentinel](/azure/sentinel/investigate-cases.md#comment-on-incidents)

-You can access the script analysis capability in the alert timeline within an incident and in the [device timeline](/defender-endpoint/device-timeline-event-flag.md).

-keywords: security, malware, virus research threats, research malware, device protection, computer infection, virus infection, descriptions, remediation, latest threats, MMdevice, Microsoft Malware Protection Center, PUA, potentially unwanted applications

-ms.sitesec: library

-Microsoft aims to provide a delightful and productive Windows experience by working to ensure you're safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you're protected against known threats. You are also warned about software that is unknown to us.

-You can assist Microsoft by [submitting unknown or suspicious software for analysis](https://www.microsoft.com/wdsi/filesubmission/). This will help ensure that unknown or suspicious software is scanned by our system to start establishing reputation. [Learn more about submitting files for analysis](submission-guide.md)

-Malware is the overarching name for applications and other code, like software, that Microsoft classifies more granularly as *malicious software* or *unwanted software*.

-Malicious software is an application or code that compromises user security. Malicious software may steal your personal information, lock your device until you pay a ransom, use your device to send spam, or download other malicious software. In general, malicious software wants to trick, cheat, or defrauds users, placing them in vulnerable states.

-* **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit.

-* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [See more information about ransomware](/security/compass/human-operated-ransomware).

-* **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your device.

-Software must not mislead or coerce you into making decisions about your device. It is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:

-Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that don't provide supported extensibility models are considered non-extensible and shouldn't be modified.

-*PUAs are not considered malware.*

-* **Advertising software:** Software that displays advertisements or promotions, or prompts you to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages.

-* **Bundling software:** Software that offers to install other software that is not developed by the same entity or not required for the software to run. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document.

-> For information about securing _privileged accounts_ (admin accounts), see [this topic](/security/compass/critical-impact-accounts).

- - essentials-accountability

-Here, the analyst can take actions like reporting the mail as Spam, Phishing, or Malware, contacting recipients, or further investigations that can include triggering Automated Investigation and Response (or AIR) playbooks (if you have Plan 2). Or, the mail can also be reported as clean.

-The report provided the following list of app configuration status:

-

->[!NOTE]

-> The **Last Sync** column represents the same value in the in-console **User status report**, the **App Protection Policy** [exportable .csv report](/mdm/intune/app-protection-policies-monitor#export-app-protection-activities), and the **App Configuration Report**. The difference is a small delay in synchronization between the value in the reports.

-

-

-

-App configuration can be delivered either through the mobile device management (MDM) OS channel on enrolled devices (Managed App Configuration channel for iOS or the Android in the Enterprise channel for Android) or through the Mobile Application Management (MAM) channel.

-

- - Both communication channels or methods require that the user must be assigned an Intune license.

- - User, app, and device must meet the requirements under related app configuration policy channel.

- - For managed devices, the device must be properly enrolled in Intune MDM with a healthy enrollment profile and has synced with the service recently.

- - For managed apps, the app must support the Intune SDK and any related app protection policy must be applied correctly.

-

-

-

-

-

-

-

-

-

-

-

-To allow sharing invitations only from specified domains

-For more information about using allowlists or blocklists in Microsoft Entra ID, see [Allow or block invitations to B2B users from specific organizations](/azure/active-dir.ectory/external-identities/allow-deny-list)

-#### Allow the vendor's domain in Microsoft Entra cross-tenant access settings

-To add an organization

-To allow an organization in Teams external access

-If you already have an [**Image Tags** column in your library](https://support.microsoft.com/office/work-with-image-tags-in-a-sharepoint-library), use these steps to enable enhanced image tagging:

-1. On the **Image Tags** column, select **Column settings** > **Edit**.

- 

-

-> Through June 2024, you can try out optical character recognition and other selected Syntex services at no cost if you have [pay-as-you-go billing](syntex-azure-billing.md) set up. For information and limitations, see [Try out Microsoft Syntex and explore its services](promo-syntex.md).

- - essentials-accountability

- - essentials-accountability