Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
business-premium | M365bp Mdb Whats New | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-mdb-whats-new.md | f1.keywords: NOCSH This article lists new features in the latest release of [Microsoft 365 Business Premium](m365bp-overview.md) and [Microsoft Defender for Business](../security/defender-business/mdb-overview.md). Features that are currently in preview are denoted with **(preview)**. +## January 2024 ++- **Ability to manage endpoint security subscription settings**. Defender for Business customers who have a mix of subscriptions (such as Defender for Business and Defender for Endpoint Plan 2 licenses) can now change their subscription settings to apply Defender for Endpoint Plan 2 features and capabilities across devices. See [Manage your endpoint security subscription settings across client devices](../security/defender-business/mdb-manage-subscription.md). + ## December 2023 - **Streaming API is now generally available for Defender for Business**. For partners or customers looking to build their own security operations center, the Defender for Endpoint streaming API is now available for Defender for Business and Microsoft 365 Business Premium. See [Use the streaming API with Microsoft Defender for Business](../security/defender-business/mdb-streaming-api.md). |
commerce | Manage Self Service Signup Subscriptions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-self-service-signup-subscriptions.md | You must be a global or billing admin to perform the tasks in this article. For ## How are these subscriptions different from self-service purchase subscriptions? -Self-service sign-up subscriptions are free and are available for a larger list of products than self-service purchase subscriptions. When a user signs up for a self-service purchase subscription, they're responsible for paying for it. Self-service purchase subscriptions are only available for Power Platform products (Power BI, Power Apps, and Power Automate), Project, and Visio. For more information, see [Self-service purchase FAQ](self-service-purchase-faq.yml). +Self-service sign-up subscriptions are free and are available for a larger list of products than self-service purchase subscriptions. When a user signs up for a self-service purchase subscription, they're responsible for paying for it. For more information, see [Self-service purchase FAQ](self-service-purchase-faq.yml). ## Block users from signing up |
enterprise | Add A Sharepoint Geo Admin | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/add-a-sharepoint-geo-admin.md | f1.keywords: description: Need to configure separate administrators for each geo location? Learn how to add or remove a geo administrator in Microsoft 365 Multi-Geo. - seo-marvel-apr2020- - has-azure-ad-ps-ref + - has-azure-ad-ps-ref, azure-ad-ref-level-one-done # Add or remove a _Geography_ administrator in Microsoft 365 Multi-Geo To add a group as a _Geography_ administrator, run `Add-SPOGeoAdministrator -Gro To remove a group as a _Geography_ administrator, run `Remove-SPOGeoAdministrator -GroupAlias <alias>` -Note that not all security groups have a group alias. If you want to add a security group that does not have an alias, run [Get-MsolGroup](/powershell/module/msonline/get-msolgroup) to retrieve a list of groups, find your security group's ObjectID, and then run: +Note that not all security groups have a group alias. If you want to add a security group that does not have an alias, run [Get-MgGroup](/powershell/module/microsoft.graph.groups/get-mggroup) to retrieve a list of groups, find your security group's ObjectID, and then run: `Add-SPOGeoAdministrator -ObjectID <ObjectID>` To remove a group by using the ObjectID, run `Remove-SPOGeoAdministrator -Object [Remove-SPOGeoAdministrator](/powershell/module/sharepoint-online/remove-spogeoadministrator) -[Set an alias (MailNickName) for a security group](/powershell/module/azuread/set-azureadgroup) +[Set an alias (MailNickName) for a security group](/powershell/module/microsoft.graph.groups/update-mggroup) |
loop | Loop Compliance Summary | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/loop/loop-compliance-summary.md | Admins can perform the following tasks for Loop workspaces, which are containers - PowerShell ability to - enumeration of list of Loop workspaces created - get container details including labels, storage, owners etc.- - delete, recover and purge deleted Loop workspaces + - delete, recover and purge Loop workspaces (note that the Loop app workspaces views do not yet reflect the changes, so a user would need to visit a page link for a workspace that's recovered in order to see it again) - set sharing settings at a tenant level -See more about how to use PowerShell to perform these tasks in the [SharePoint Embedded admin management documentation](/microsoft-365/syntex/powershell-syntex-intro). +See more about how to use PowerShell to perform these tasks on Loop application containers in the [Consuming Tenant admin](/sharepoint/dev/embedded/concepts/admin-exp/cta) article. ### Capabilities that aren't yet available See more about how to use PowerShell to perform these tasks in the [SharePoint E - add storage to enumeration list of Loop workspace - control external sharing of a Loop workspace - **Multi-Geo capabilities**, including creation of .loop files in a user's Loop workspaces in the geo that matches the user's preferred data location, and **Multi-Geo rehome** of Loop workspaces and .loop files as needed- - delete and restore Loop workspaces - get and set sensitivity labels, conditional access policy, block download policy - SharePoint Admin Center - Loop workspaces page for active and deleted workspaces, restore, permanently delete, sort, filter, storage information |
security | Mdb Manage Subscription | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-manage-subscription.md | + + Title: Change your endpoint security subscription +description: Learn about your options for managing your Defender for Business or Defender for Endpoint subscription settings. Choose between Defender for Endpoint or Defender for Business. +search.appverid: MET150 ++++audience: ITPro + Last updated : 01/02/2024++ms.localizationpriority: medium ++f1.keywords: NOCSH ++- M365-security-compliance +- m365initiative-defender-business +++# Change your endpoint security subscription ++[Microsoft Defender for Business](mdb-overview.md) and [Microsoft Defender for Endpoint](../defender-endpoint/microsoft-defender-endpoint.md) are endpoint security subscriptions that your organization can use to protect devices, such as computers, tablets, and phones. As your organization grows, you might have a mix of subscriptions and licenses. For example, you might have some Defender for Business licenses, and some Defender for Endpoint licenses. ++This article describes how to apply either Defender for Business or Defender for Endpoint Plan 2 features and capabilities across all your organization's devices. (To learn more about mixed-licensing scenarios with Defender for Endpoint Plan 1 and Plan 2, see [Manage Microsoft Defender for Endpoint subscription settings across client devices](../defender-endpoint/defender-endpoint-subscription-settings.md).) ++## Before you begin ++- You should have active trial or paid licenses for both Defender for Business and Defender for Endpoint Plan 2. ++- If you're using Defender for Business only, you can continue using it. In this case, no changes are needed. But if you're considering switching to Defender for Endpoint Plan 2, follow the guidance in this article. +- To access license information, you must have one of the following roles assigned in Microsoft Entra ID: + + - Global Admin + - Security Admin ++## View and manage your endpoint security subscription settings ++1. As an admin, go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. ++2. Go to **Settings** > **Endpoints** > **Licenses**. Your usage report opens and displays information about your organization's Defender for Business and Defender for Endpoint licenses. ++3. To change your subscription, under **Subscriptions applied to your devices**, select **Change subscription settings**. ++ > [!NOTE] + > If you don't see **Change subscription settings**, at least one of the following conditions is true: + > - You have Defender for Business or Defender for Endpoint (but not both); or + > - The ability to change your subscription settings hasn't rolled out to your organization yet. ++4. On the **Subscription settings** flyout, choose whether to use only Defender for Business or Defender for Endpoint Plan 2 across your organization's devices. ++ > [!IMPORTANT] + > Keep the following important points in mind before you save your changes: + > + > - Make sure you have enough licenses for the subscription you're using for all users in your organization. If you choose Defender for Endpoint Plan 2, you're no longer using your Defender for Business licenses. + > - If you select **Only Microsoft Defender for Endpoint Plan 2**, the simplified configuration experience for Defender for Business is replaced with advanced settings that you can configure in Defender for Endpoint. If this change is applied, you can't undo it. + > - Make sure to review your security policies and settings. To get help with Defender for Endpoint policies and settings, see [Configure Microsoft Defender for Endpoint capabilities](../defender-endpoint/onboard-configure.md). If you're keeping Defender for Business, see [Set up, review, and edit your security policies and settings in Microsoft Defender for Business](mdb-configure-security-settings.md). + > - It can take up to three hours for your changes to be applied. ++## Review license usage ++The license usage report is estimated based on sign-in activities on the device. Defender for Endpoint Plan 2 licenses are per user, and each user can have up to five concurrent, onboarded devices. To learn more about license terms, see [Microsoft Licensing](https://www.microsoft.com/en-us/licensing/default). ++To reduce management overhead, there's no requirement for device-to-user mapping and assignment. Instead, the license report provides a utilization estimation that is calculated based on device usage seen across your organization. It might take up to one day for your usage report to reflect the active usage of your devices. ++> [!IMPORTANT] +> To access license information, you must have one of the following roles assigned in Microsoft Entra ID: +> - Security Admin +> - Global Admin ++1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. ++2. Choose **Settings** > **Endpoints** > **Licenses**. ++3. Review your available and assigned licenses. The calculation is based on detected users who have accessed devices that are onboarded to Defender for Business (or Defender for Endpoint). ++## More information ++- [Licensing and product terms for Microsoft 365 subscriptions](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA). +- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) +- [Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-overview) (endpoint protection for small and medium-sized businesses) + |
security | Defender Endpoint Subscription Settings | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-subscription-settings.md | In Defender for Endpoint, a mixed-licensing scenario is a situation in which an You can also use a newly added license usage report to track status. +> [!NOTE] +> If you're using Microsoft Defender for Business and you want to switch to Defender for Endpoint Plan 2, see [Change your endpoint security subscription](../defender-business/mdb-manage-subscription.md). + ## [**Use mixed mode**](#tab/mixed) ## Set your tenant to mixed mode and tag devices |
security | Microsoft Defender Endpoint Mac | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac.md | Microsoft Defender for Endpoint on Mac requires one of the following Microsoft V - Microsoft 365 Business Premium - Windows 11 Enterprise E5 - Microsoft Defender for Endpoint P2-- Microsoft Defender for Endpoint P1 (which includes [Microsoft 365 E3 (M365 E3)](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3/ba-p/3060639)) - Antimalware only.+- Microsoft Defender for Endpoint P1 (which includes [Microsoft 365 E3 (M365 E3)](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3/ba-p/3060639)) > [!NOTE] > Eligible licensed users may use Microsoft Defender for Endpoint on up to five concurrent devices. |
security | Respond Machine Alerts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md | Response actions run along the top of a specific device page and include: - **Search box** - Select Device from the drop-down menu and enter the device name. > [!IMPORTANT]-> -> - These response actions are only available for devices on Windows 10, version 1703 or later, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022. -> - For non-Windows platforms, response capabilities (such as isolate device) are dependent on the third-party capabilities. -> - For Microsoft first party agents, please refer to the "more information" link under each feature for minimum OS requirements. +> For information on availability and support for each response action, please refer to the supported/minimum operating system requirements found under each feature. ## Manage tags All other related details are also shown, for example, submission date/time, sub - [Manual response actions in Microsoft Defender for Endpoint Plan 1](defender-endpoint-plan-1.md#manual-response-actions) - [Report inaccuracy](/microsoft-365/security/defender-endpoint/tvm-security-recommendation#report-inaccuracy) [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]+ |
security | Microsoft 365 Security Center Mdi | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdi.md | f1.keywords: Previously updated : 08/29/2023 Last updated : 12/28/2023 audience: ITPro search.appverid: The following sections describe enhanced Defender for Identity features found in |**Global exclusions** | Global exclusions allow you to define certain entities, such as IP addresses, devices, or domains, to be excluded across all Defender for Identity detections. For example, if you only exclude a device, the exclusion applies only to detections that have a *device* identification as part of the detection. <br><br> For more information, see [Global excluded entities](/defender-for-identity/exclusions). | |**Manage action and directory service accounts** | You might want to respond to compromised users by disabling their accounts or resetting their password. When you take either of these actions, Microsoft Defender XDR is configured by default to use the *local system* account. Therefore, you'll only need to configure action and directory service account settings if you want to have more control, and define a different user account to perform user remediation actions.<br><br> For more information, see [Microsoft Defender for Identity action accounts](/defender-for-identity/manage-action-accounts). | |**Custom permission roles** | Microsoft Defender XDR supports custom permission roles. <br><br>For more information, see [Microsoft Defender XDR role-based access control (RBAC)](manage-rbac.md) |-|**Microsoft Secure Score** | Defender for Identity security posture assessments are available in [Microsoft Secure Score](https://security.microsoft.com/securescore). Each assessment is a downloadable report with instructions for use and tools to build an action plan for remediating or resolving the issue. Filter Microsoft Secure Score by **Identity** to view Defender for Identity assessments. <br><br> For more information, see [Microsoft Defender for Identity's security posture assessments](/defender-for-identity/security-assessment). | +|**Microsoft Secure Score** | Defender for Identity security posture assessments is available in [Microsoft Secure Score](https://security.microsoft.com/securescore). Each assessment is a downloadable report with instructions for use and tools to build an action plan for remediating or resolving the issue. Filter Microsoft Secure Score by **Identity** to view Defender for Identity assessments. <br><br> For more information, see [Microsoft Defender for Identity's security posture assessments](/defender-for-identity/security-assessment). | |**API** | Use any of the following Microsoft Defender XDR APIs with Defender for Identity: <br><br>- [Query activities via API](api-advanced-hunting.md) <br>- [Manage security alerts via API](api-incident.md) <br>- [Stream security alerts and activities to Microsoft Sentinel](streaming-api.md)<br><br>**Tip**: Microsoft Defender XDR only stores advanced hunting data for 30 days. If you need longer retention periods, stream the activities to Microsoft Sentinel or another partner security information and event management (SIEM) system. | | **Onboarding** | Defender for Identity onboarding is now automatic for new customers, with no need to configure a workspace. <br><br>If you need to delete your instance, open a Microsoft support case. | The following sections describe enhanced Defender for Identity features found in |Area |Description | |||+| **Identities** area| In Microsoft Defender XDR, expand the **Identities** area to view a **Dashboard** of graphs and widgets with commonly used data, a **Health issues** page, listing all health issues for your Defender for Identity deployment, and a **Tools** page, with links to commonly used tools and documentation. <br><br>For more information, see [View the ITDR dashboard](/defender-for-identity/dashboard) and [Defender for Identity health issues](/defender-for-identity/health-alerts). | |**Identity page** | The Microsoft Defender XDR identity details page provides inclusive data about each identity, such as: <br><br>- Any associated alerts <br>- Active Directory account control<br>- Risky lateral movement paths<br>- A timeline of activities and alerts<br>- Details about observed locations, devices and groups. <br><br>For more information, see [Investigate users in Microsoft Defender XDR](investigate-users.md). | |**Device page** | Microsoft Defender XDR alert evidence lists all devices and users connected to each suspicious activity. Investigate further by selecting a specific device in an alert to access a device details page. <br><br>For more information, see [Investigate devices in the Microsoft Defender for Endpoint Devices list](../defender-endpoint/investigate-machines.md). | |**Advanced hunting** | Microsoft Defender XDR helps you proactively search for threats and malicious activity by using advanced hunting queries. These powerful queries can be used to locate and review threat indicators and entities for both known and potential threats. <br><br>Build custom detection rules from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices. <br><br>For more information, see [Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](advanced-hunting-overview.md). | The following sections describe enhanced Defender for Identity features found in |Area |Description | |||-| **Alert and incident correlation** |Defender for Identity alerts are now included in Microsoft Defender XDR's alert queue, making them available to the automated incident correlation feature. <br><br>View all of your alerts in one place, and determine the scope of the breach even quicker than before. <br><br>For more information, see [Investigate Defender for Identity alerts in Microsoft Defender XDR](/defender-for-identity/manage-security-alerts). | +| **Alert and incident correlation** |Defender for Identity alerts is now included in Microsoft Defender XDR's alert queue, making them available to the automated incident correlation feature. <br><br>View all of your alerts in one place, and determine the scope of the breach even quicker than before. <br><br>For more information, see [Investigate Defender for Identity alerts in Microsoft Defender XDR](/defender-for-identity/manage-security-alerts). | | **Alert exclusions** |Microsoft Defender XDR's alert interface is more user friendly, and includes a search function and global exclusions, meaning you can exclude any entity from all alerts generated by Defender for Identity. <br><br>For more information, see [Configure Defender for Identity detection exclusions in Microsoft Defender XDR](/defender-for-identity/exclusions).| | **Alert tuning** |Alert tuning, previously known as *alert suppression*, allows you to adjust and optimize your alerts. Alert tuning reduces false positives, allowing your SOC teams to focus on high-priority alerts, and improves threat detection coverage across your system.<br><br> In Microsoft Defender XDR, create rule conditions based on evidence types, and then apply your rule on any rule type that matches your conditions. For more information, see [Tune an alert](investigate-alerts.md#tune-an-alert).| | **Remediation actions** |Defender for Identity remediation actions, such as disabling accounts or requiring password resets, are available from the Microsoft Defender XDR user details page. <br><br>For more information, see [Remediation actions in Microsoft Defender for Identity](/defender-for-identity/remediation-actions). The table below lists the changes in navigation between Microsoft Defender for I | **Group page** | Microsoft Defender XDR groups side pane | | **Alert page** | Microsoft Defender XDR alert details page <br><br>**Tip**: Use [alert tuning](investigate-alerts.md#tune-an-alert) to optimize the alerts you see in Microsoft Defender XDR. | | **Search** | Microsoft Defender XDR global search |-| **Health center** | **Settings** -> **Identities** -> **Health issues** -> **Global / Sensor health issues** | +| **Health issues** | Microsoft Defender XDR **Identities > Health issues** | | **Entity activities** | - **Advanced hunting** <br>- Device page > **Timeline** <br>- Identity page > **Timeline** tab | | **Settings** | **Settings** -> **Identities** | | **Users and accounts** | **Assets** -> **Identities** | |
security | Anti Spam Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-policies-configure.md | Creating an anti-spam policy in PowerShell is a two-step process: #### Step 1: Use PowerShell to create a spam filter policy -To create a spam filter policy, use this syntax: +To create a spam filter policy, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use this syntax: ```PowerShell New-HostedContentFilterPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] <Additional Settings> For detailed syntax and parameter information, see [New-HostedContentFilterPolic #### Step 2: Use PowerShell to create a spam filter rule -To create a spam filter rule, use this syntax: +To create a spam filter rule, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use this syntax: ```PowerShell New-HostedContentFilterRule -Name "<RuleName>" -HostedContentFilterPolicy "<PolicyName>" <Recipient filters> [<Recipient filter exceptions>] [-Comments "<OptionalComments>"] For detailed syntax and parameter information, see [New-HostedContentFilterRule] ### Use PowerShell to view spam filter policies -To return a summary list of all spam filter policies, run this command: +To return a summary list of all spam filter policies, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and run this command: ```PowerShell Get-HostedContentFilterPolicy For detailed syntax and parameter information, see [Get-HostedContentFilterPolic ### Use PowerShell to view spam filter rules -To view existing spam filter rules, use the following syntax: +To view existing spam filter rules, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use the following syntax: ```PowerShell Get-HostedContentFilterRule [-Identity "<RuleIdentity>] [-State <Enabled | Disabled] Other than the following items, the same settings are available when you modify - The _MakeDefault_ switch that turns the specified policy into the default policy (applied to everyone, always **Lowest** priority, and you can't delete it) is only available when you modify a spam filter policy in PowerShell. - You can't rename a spam filter policy (the **Set-HostedContentFilterPolicy** cmdlet has no _Name_ parameter). When you rename an anti-spam policy in the Microsoft Defender portal, you're only renaming the spam filter _rule_. -To modify a spam filter policy, use this syntax: +To modify a spam filter policy, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use this syntax: ```PowerShell Set-HostedContentFilterPolicy -Identity "<PolicyName>" <Settings> The only setting that isn't available when you modify a spam filter rule in Powe Otherwise, no additional settings are available when you modify a spam filter rule in PowerShell. The same settings are available when you create a rule as described in the [Step 2: Use PowerShell to create a spam filter rule](#step-2-use-powershell-to-create-a-spam-filter-rule) section earlier in this article. -To modify a spam filter rule, use this syntax: +To modify a spam filter rule, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use this syntax: ```PowerShell Set-HostedContentFilterRule -Identity "<RuleName>" <Settings> For detailed syntax and parameter information, see [Set-HostedContentFilterRule] Enabling or disabling a spam filter rule in PowerShell enables or disables the whole anti-spam policy (the spam filter rule and the assigned spam filter policy). You can't enable or disable the default anti-spam policy (it's always applied to all recipients). -To enable or disable a spam filter rule in PowerShell, use this syntax: +To enable or disable a spam filter rule, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use this syntax: ```PowerShell <Enable-HostedContentFilterRule | Disable-HostedContentFilterRule> -Identity "<RuleName>" For detailed syntax and parameter information, see [Enable-HostedContentFilterRu The highest priority value you can set on a rule is 0. The lowest value you can set depends on the number of rules. For example, if you have five rules, you can use the priority values 0 through 4. Changing the priority of an existing rule can have a cascading effect on other rules. For example, if you have five custom rules (priorities 0 through 4), and you change the priority of a rule to 2, the existing rule with priority 2 is changed to priority 3, and the rule with priority 3 is changed to priority 4. -To set the priority of a spam filter rule in PowerShell, use the following syntax: +To set the priority of a spam filter rule, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use the following syntax: ```PowerShell Set-HostedContentFilterRule -Identity "<RuleName>" -Priority <Number> Set-HostedContentFilterRule -Identity "Marketing Department" -Priority 2 When you use PowerShell to remove a spam filter policy, the corresponding spam filter rule isn't removed. -To remove a spam filter policy in PowerShell, use this syntax: +To remove a spam filter policy, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use this syntax: ```PowerShell Remove-HostedContentFilterPolicy -Identity "<PolicyName>" For detailed syntax and parameter information, see [Remove-HostedContentFilterPo When you use PowerShell to remove a spam filter rule, the corresponding spam filter policy isn't removed. -To remove a spam filter rule in PowerShell, use this syntax: +To remove a spam filter rule, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use this syntax: ```PowerShell Remove-HostedContentFilterRule -Identity "<PolicyName>" |
security | Defender For Office 365 Whats New | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md | f1.keywords: NOCSH ms.localizationpriority: medium Previously updated : 11/13/2023 Last updated : 1/2/2024 audience: ITPro For more information on what's new with other Microsoft Defender security produc - [What's new in Microsoft Defender for Identity](/defender-for-identity/whats-new) - [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes) +## December 2023 ++- **Microsoft Defender XDR Unified RBAC is now generally available**: Defender XDR Unified RBAC supports all Defender for Office 365 scenarios that were previously controlled by [Email & collaboration permissions](mdo-portal-permissions.md) and [Exchange Online permissions](/exchange/permissions-exo/permissions-exo). To learn more about the supported workloads and data resources, see [Microsoft Defender XDR Unified role-based access control (RBAC)](/microsoft-365/security/defender/manage-rbac). ++ > [!TIP] + > Defender XDR Unified RBAC isn't generally available in Microsoft 365 Government Community Cloud High (GCC High) or Department of Defense (DoD). + ## November 2023 -- **Enhanced Action experience from Email Entity/ Summary Panel** As part of the change security admins can take multiple actions as part of FP/FN flows.[Learn more](mdo-email-entity-page.md).+- **Enhanced Action experience from Email Entity/ Summary Panel**: As part of the change security admins can take multiple actions as part of FP/FN flows. [Learn more](mdo-email-entity-page.md). - The [Tenant Allow/Block List](tenant-allow-block-list.md) supports more entries in each category (Domains & email addresses, Files, and URLs: - Microsoft Defender for Office 365 Plan 2 supports 10,000 block entries and 5,000 allow entries (via admin submissions) in each category. - Microsoft Defender for Office 365 Plan 1 supports 1,000 block entries and 1,000 allow entries (via admin submissions) in each category. For more information on what's new with other Microsoft Defender security produc ## October 2023 - **Create and manage simulations using the Graph API** in Attack simulation training. [Learn more](/graph/api/attacksimulationroot-post-simulation)+- **Exchange Online permission management in Defender for Office 365 is now supported in Microsoft Defender XDR Unified role-based access control (RBAC)**: In addition to the existing support for [Email & collaboration permissions](mdo-portal-permissions.md), Defender XDR Unified RBAC now also supports protection-related [Exchange Online permissions](/exchange/permissions-exo/permissions-exo). To learn more about the supported Exchange Online permissions, see [Exchange Online permissions mapping](/microsoft-365/security/defender/compare-rbac-roles#exchange-online-permissions-mapping). ## September 2023 |
solutions | Best Practices Anonymous Sharing | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/best-practices-anonymous-sharing.md | To create a DLP rule: 7. On the **Customize advanced DLP rules** page, click **Create rule** and type a name for the rule. 8. Under **Conditions**, click **Add condition**, and choose **Content contains**. 9. Click **Add** and choose the type of information for which you want to prevent unauthenticated sharing.-- ![Screenshot of conditions options, sensitive info types, sensitivity labels, and retention labels.](../media/limit-accidental-exposure-dlp-conditions.png) - 10. Under **Actions** click **Add an action** and choose **Restrict access or encrypt the content in Microsoft 365 locations**. 11. Select the **Restrict access or encrypt the content in Microsoft 365 locations** check box and then choose the **Only people who were given access to the content through the "Anyone with the link" options** option. |
solutions | Create Secure Guest Sharing Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/create-secure-guest-sharing-environment.md | Title: "Create a more secure guest sharing environment" + Title: Create a more secure guest sharing environment Previously updated : 03/10/2020 Last updated : 01/02/2024 audience: ITPro +ms.localizationpriority: medium f1.keywords: NOCSH recommendations: false-description: Learn about available options to create a more secure guest sharing environment in Microsoft 365, providing guest access for improved collaboration. +description: Learn about available options to create a more secure guest sharing environment in Microsoft 365. # Create a more secure guest sharing environment -In this article, we'll walk through a variety of options for creating a more secure guest sharing environment in Microsoft 365. These are examples to give you an idea of the options available. You can use these procedures in different combinations to meet the security and compliance needs of your organization. +In this article, we walk through various options for creating a more secure guest sharing environment in Microsoft 365. These are examples to give you an idea of the options available. You can use these procedures in different combinations to meet the security and compliance needs of your organization. This article includes: This article includes: Some of the options discussed in this article require guests to have an account in Microsoft Entra ID. To ensure that guests are included in the directory when you share files and folders with them, use the [SharePoint and OneDrive integration with Microsoft Entra B2B Preview](/sharepoint/sharepoint-azureb2b-integration-preview). -Note that we won't discuss enabling guest sharing settings in this article. See [Collaborating with people outside your organization](collaborate-with-people-outside-your-organization.md) for details about enabling guest sharing for different scenarios. +Note that we don't discuss enabling guest sharing settings in this article. See [Collaborating with people outside your organization](collaborate-with-people-outside-your-organization.md) for details about enabling guest sharing for different scenarios. <a name='set-up-multi-factor-authentication-for-guests'></a> Note that we won't discuss enabling guest sharing settings in this article. See Multifactor authentication greatly reduces the chances of an account being compromised. Since guests may be using personal email accounts that don't adhere to any governance policies or best practices, it's especially important to require multifactor authentication for guests. If a guest's username and password is stolen, requiring a second factor of authentication greatly reduces the chances of unknown parties gaining access to your sites and files. -In this example, we'll set up multifactor authentication for guests by using a conditional access policy in Microsoft Entra ID. +In this example, we set up multifactor authentication for guests by using a conditional access policy in Microsoft Entra ID. To set up multifactor authentication for guests -1. Go to [Azure conditional access policies](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade). -1. On the **Conditional Access | Policies** blade, click **New policy**. +1. Open the [Microsoft Entra admin center](https://entra.microsoft.com). +1. Expand **Protection**, and then select **Conditional Access**. +1. On the **Conditional Access | Overview** page, select **Create new policy**. 1. In the **Name** field, type a name. 1. Select the **Users** link.-1. Select **Select users and groups**, and then select the **Guest or external users** check box. +1. Choose **Select users and groups**, and then select the **Guest or external users** check box. 1. In the dropdown, select **B2B collaboration guest users** and **B2B collaboration member users**.-1. Select the **Cloud apps or actions** link. +1. Select the **Target resources** link. 1. Select **All cloud apps** on the **Include** tab. 1. Select the **Grant** link. 1. On the **Grant** blade, select the **Require multifactor authentication** check box, and then click **Select**.-1. Under **Enable policy**, click **On**, and then click **Create**. +1. Under **Enable policy**, select **On**, and then select **Create**. -Now, guest will be required to enroll in multifactor authentication before they can access shared content, sites, or teams. +Now, guests are required to enroll in multifactor authentication before they can access shared content, sites, or teams. ### More information -[Planning a Microsoft Entra multifactor authentication deployment](/azure/active-directory/authentication/howto-mfa-getstarted) +[Plan a Microsoft Entra multifactor authentication deployment](/entra/identity/authentication/howto-mfa-getstarted) ## Set up a terms of use for guests -In some situations guests may not have signed non-disclosure agreements or other legal agreements with your organization. You can require guests to agree to a terms of use before accessing files that are shared with them. The terms of use can be displayed the first time they attempt to access a shared file or site. +In some situations, guests may not have signed non-disclosure agreements or other legal agreements with your organization. You can require guests to agree to a terms of use before accessing files that are shared with them. The terms of use can be displayed the first time they attempt to access a shared file or site. To create a terms of use, you first need to create the document in Word or another authoring program, and then save it as a .pdf file. This file can then be uploaded to Microsoft Entra ID. To create a Microsoft Entra terms of use -1. Sign in to Azure as a Global Administrator, Security Administrator, or Conditional Access Administrator. -1. Navigate to [Terms of use](https://aka.ms/catou). -1. Click **New terms**. +1. Open the [Microsoft Entra admin center](https://entra.microsoft.com). +1. Expand **Protection**, and then select **Conditional Access**. +1. Select **Terms of use**. +1. Select **New terms**. ![Screenshot of Microsoft Entra new terms of use settings.](../media/azure-ad-guest-terms-of-use.png) To create a Microsoft Entra terms of use 1. Type a display name. 1. Set **Require users to expand the terms of use** to **On**. 1. Under **Conditional Access**, in the **Enforce with Conditional Access policy template** list choose **Create conditional access policy later**.-1. Click **Create**. +1. Select **Create**. Once you've created the terms of use, the next step is to create a conditional access policy that displays the terms of use to guests. To create a conditional access policy -1. Go to [Azure conditional access policies](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade). -1. On the **Conditional Access | Policies** blade, click **New policy**. +1. In the Microsoft Entra admin center, under **Protection**, select **Conditional access**. +1. On the **Conditional Access | Overview** page, select **Create new policy**. 1. In the **Name** box, type a name. 1. Select the **Users** link. 1. Select **Select users and groups**, and then select the **Guest or external users** check box. 1. In the dropdown, select **B2B collaboration guest users** and **B2B collaboration member users**.-1. Select the **Cloud apps or actions** link. +1. Select the **Target resources** link. 1. On the **Include** tab, select **Select apps**, and then click the **Select** link. 1. On the **Select** blade, select **Office 365**, then click **Select**. 1. Select the **Grant** link.-1. On the **Grant** blade, select **Guest terms of use**, and then click **Select**. -1. Under **Enable policy**, click **On**, and then click **Create**. --Now, the first time a guest attempts to access content or a team or site in your organization, they will be required to accept the terms of use. +1. On the **Grant** blade, select the check box for the terms of use that you created, and then click **Select**. +1. Under **Enable policy**, select **On**, and then select **Create**. -> [!NOTE] -> Using Conditional Access requires a Microsoft Entra ID P1 license. For more information, see [What is Conditional Access](/azure/active-directory/conditional-access/overview). +Now, the first time a guest attempts to access content or a team or site in your organization, they'll be required to accept the terms of use. ### More information [Microsoft Entra terms of use](/azure/active-directory/conditional-access/terms-of-use) +[Overview of Microsoft SharePoint eSignature](/microsoft-365/syntex/esignature-overview) + ## Set up guest access reviews -With access reviews in Microsoft Entra ID, you can automate a periodic review of user access to various teams and groups. By requiring an access review for guests specifically, you can help ensure guests do not retain access to your organization's sensitive information for longer than is necessary. +With access reviews in Microsoft Entra ID, you can automate a periodic review of user access to various teams and groups. By requiring an access review for guests specifically, you can help ensure guests don't retain access to your organization's sensitive information for longer than is necessary. To set up a guest access review -1. On the [Identity Governance page](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade), in the left menu, click **Access reviews**. -1. Click **New access review**. +1. Open the [Microsoft Entra admin center](https://entra.microsoft.com). +1. Expand **Identity governance**, and select **Access reviews**. +1. Select **New access review**. 1. Choose the **Teams + Groups** option. 1. Choose the **All Microsoft 365 groups with guest users** option. Click **Select group(s) to exclude** if you want to exclude any groups.-1. Choose the **Guest users only** option, and then click **Next: Reviews**. +1. Choose the **Guest users only** option, and then select **Next: Reviews**. 1. Under **Select reviewers**, choose **Group Owner(s)**. 1. Click **Select fallback reviewers**, choose who should be the fallback reviewers, and then click **Select**. 1. Choose a **Duration (in days)** for the review to be open for comments. 1. Under **Specify recurrence of review**, choose **Quarterly**. 1. Select a start date and duration.-1. For **End**, choose **Never**, and then click **Next: Settings**. +1. For **End**, choose **Never**, and then select **Next: Settings**. ![Screenshot of Microsoft Entra access review tab.](../media/azure-ad-create-access-review.png) To set up a guest access review ![Screenshot of Microsoft Entra access review settings tab.](../media/azure-ad-create-access-review-settings.png) -1. Click **Next: Review + Create**. +1. Select **Next: Review + Create**. 1. Type a **Review name** and review the settings.-1. Click **Create**. +1. Select **Create**. ### More information -[Manage guest access with Microsoft Entra access reviews](/azure/active-directory/governance/manage-guest-access-with-access-reviews) +[Manage guest access with access reviews](/entra/id-governance/manage-guest-access-with-access-reviews) -[Create an access review of groups or applications in Microsoft Entra access reviews](/azure/active-directory/governance/create-access-review) +[Create an access review of groups and applications in Microsoft Entra ID](/entra/id-governance/create-access-review) ## Set up web-only access for guests with unmanaged devices -If your guests use devices that are not managed by your organization or another organization that you have a trust relationship with, you can require them to access your teams, sites, and files by using a web browser only. This reduces the chance that they might download sensitive files and leave them on an unmanaged device. This is also useful when sharing with environments that use shared devices. +If your guests use devices that aren't managed by your organization or another organization that you have a trust relationship with, you can require them to access your teams, sites, and files by using a web browser only. This reduces the chance that they might download sensitive files and leave them on an unmanaged device. This is also useful when sharing with environments that use shared devices. -For Microsoft 365 Groups and Teams, this is done with a Microsoft Entra Conditional Access policy. For SharePoint, this is configured in the SharePoint admin center. (You can also [use sensitivity labels to restrict guests to web-only access](../compliance/sensitivity-labels-teams-groups-sites.md).) +For Microsoft 365 Groups and Teams, this is done with a Microsoft Entra Conditional Access policy. For SharePoint, this is configured in the SharePoint admin center. (You can also [use sensitivity labels to restrict guests to web-only access](/purview/sensitivity-labels-teams-groups-sites).) To restrict guests to web-only access for Groups and Teams: -1. Go to [Azure conditional access policies](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade). -1. Click **New policy**. +1. Open the [Microsoft Entra admin center](https://entra.microsoft.com). +1. Expand **Protection**, and then select **Conditional Access**. +1. On the **Conditional Access | Overview** page, select **Create new policy**. 1. In the **Name** box, type a name.-1. Click the **Users** link. +1. Select the **Users** link. 1. Select **Select users and groups**, and then select the **Guest or external users** check box. 1. In the dropdown, select **B2B collaboration guest users** and **B2B collaboration member users**.-1. Click the **Cloud apps or actions** link. +1. Select the **Target resources** link. 1. On the **Include** tab, select **Select apps**, and then click the **Select** link. 1. On the **Select** blade, select **Office 365**, and then click **Select**.-1. Click the **Conditions** link. -1. On the **Conditions** blade, click the **Client apps** link. -1. On the **Client apps** blade, click **Yes** for **Configure**, and then select the **Mobile apps and desktop clients**, **Exchange ActiveSync clients**, and **Other clients** settings. Clear the **Browser** check box. +1. Select the **Conditions** link. +1. On the **Conditions** blade, select the **Client apps** link. +1. On the **Client apps** blade, select **Yes** for **Configure**, and then select the **Mobile apps and desktop clients**, **Exchange ActiveSync clients**, and **Other clients** settings. Clear the **Browser** check box. ![Screenshot of Microsoft Entra Conditional Access client apps settings.](../media/azure-ad-conditional-access-client-mobile.png) -1. Click **Done**. -1. Click the **Grant** link. +1. Select **Done**. +1. Select the **Grant** link. 1. On the **Grant** blade, select **Require device to be marked as compliant** and **Require Microsoft Entra hybrid joined device**. 1. Under **For multiple controls**, select **Require one of the selected controls**, and then click **Select**.-1. Under **Enable policy**, click **On**, and then click **Create**. +1. Under **Enable policy**, select **On**, and then select **Create**. ### More information -[SharePoint and OneDrive unmanaged device access controls for administrators](/sharepoint/control-access-from-unmanaged-devices) +[SharePoint and OneDrive unmanaged device access controls](/sharepoint/control-access-from-unmanaged-devices) ## Configure a session timeout for guests Requiring guests to authenticate on a regular basis can reduce the possibility o To configure a guest session timeout policy -1. Go to [Azure conditional access policies](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade). -1. Click **New policy**. -1. In the **Name** box, type *Guest session timeout*. -1. Click the **Users** link. +1. Open the [Microsoft Entra admin center](https://entra.microsoft.com). +1. Expand **Protection**, and then select **Conditional Access**. +1. On the **Conditional Access | Overview** page, select **Create new policy**. +1. In the **Name** field, type a name. +1. Select the **Users** link. 1. Select **Select users and groups**, and then select the **Guest or external users** check box. 1. In the dropdown, select **B2B collaboration guest users** and **B2B collaboration member users**.-1. Click the **Cloud apps or actions** link. +1. Select the **Target resources** link. 1. On the **Include** tab, select **Select apps**, and then click the **Select** link. 1. On the **Select** blade, select **Office 365**, and then click **Select**.-1. Click the **Session** link. +1. Select the **Session** link. 1. On the **Session** blade, select **Sign-in frequency**. 1. Choose **1** and **Days** for the time period, and then click **Select**.-1. Under **Enable policy**, click **On**, and then click **Create**. +1. Under **Enable policy**, select **On**, and then select **Create**. ## Create a sensitive information type for a highly sensitive project Sensitive information types are predefined strings that can be used in policy workflows to enforce compliance requirements. The Microsoft Purview compliance portal comes with over one hundred sensitive information types, including driver's license numbers, credit card numbers, bank account numbers, etc. -You can create custom sensitive information types to help manage content specific to your organization. In this example, we'll create a custom sensitive information type for a highly sensitive project. We can then use this sensitive information type to automatically apply a sensitivity label. +You can create custom sensitive information types to help manage content specific to your organization. In this example, we create a custom sensitive information type for a highly sensitive project. We can then use this sensitive information type to automatically apply a sensitivity label. To create a sensitive information type -1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), in the left navigation, select **Data classification**, and then select the **Sensitive info types** tab. -1. Click **Create sensitive info type**. -1. For **Name** and **Description**, type **Project Saturn**, and then click **Next**. +1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), in the left navigation, expand **Data classification**, and then select **Classifiers**. +1. select the **Sensitive info types** tab. +1. Select **Create sensitive info type**. +1. For **Name** and **Description**, type **Project Saturn**, and then select **Next**. 1. Select **Create pattern**. 1. On the **New pattern** panel, select **Add primary element**, and then select **Keyword list**. 1. Type an **ID** such as *Project Saturn*. To create a sensitive information type 1. Select **Create**. 1. Select **Done**. -For more information, see [Custom sensitive information types](/microsoft-365/compliance/sensitive-information-type-learn-about). +For more information, see [Learn about sensitive information types](/purview/sensitive-information-type-learn-about). ## Create an auto-labeling policy to assign a sensitivity label based on a sensitive information type -If you are using sensitivity labels in your organization, you can automatically apply a label to files that contain defined sensitive information types. +If you're using sensitivity labels in your organization, you can automatically apply a label to files that contain defined sensitive information types. To create an auto-labeling policy 1. Open the [Microsoft Purview admin center](https://compliance.microsoft.com).-1. In the left navigation, click **Information protection**. -1. On the **Auto-labeling** tab, click **Create auto-labeling policy**. -1. On the **Choose info you want this label applied to** page, choose **Custom** and then click **Custom policy**. -1. Click **Next**. -1. Type a name and description for the policy and click **Next**. -1. On the **Choose locations where you want to apply the label** page, turn on **SharePoint sites** and click **Choose sites**. -1. Add the URLs for the sites where you want to turn on auto-labeling and click **Done**. -1. Click **Next**. -1. On the **Set up common or advanced rules** page, choose **Common rules** and click **Next**. -1. On the **Define rules for content in all locations** page, click **New rule**. -1. On the **New rule** page, give the rule a name, click **Add condition**, and then click **Content contains**. -1. Click **Add**, click **Sensitive info types**, choose the sensitive info types that you want to use, click **Add**, and then click **Save**. -1. Click **Next**. -1. Click **Choose a label**, select the label you want to use, and then click **Add**. -1. Click **Next**. +1. In the left navigation, expand **Information protection**, and select **Auto-labeling**. +1. Select **Create auto-labeling policy**. +1. On the **Choose info you want this label applied to** page, choose **Custom** and then select **Custom policy**. +1. Select **Next**. +1. Type a name and description for the policy and select **Next**. +1. On the **Assign admin units** page, select **Next**. +1. On the **Choose locations where you want to apply the label** page, select **SharePoint sites** and optionally select **Edit** to choose the sites. +1. Select **Next**. +1. On the **Set up common or advanced rules** page, choose **Common rules** and select **Next**. +1. On the **Define rules for content in all locations** page, select **New rule**. +1. On the **New rule** page, give the rule a name, select **Add condition**, and then select **Content contains**. +1. Select **Add**, select **Sensitive info types**, choose the sensitive info types that you want to use, select **Add**, and then select **Save**. +1. Select **Next**. +1. Select **Choose a label**, select the label you want to use, and then select **Add**. +1. Select **Next**. 1. Leave the policy in simulation mode and choose if you want it to automatically turn on.-1. Click **Next**. -1. Click **Create policy**, and then click **Done**. +1. Select **Next**. +1. Select **Create policy**, and then select **Done**. With the policy in place, when a user types "Project Saturn" into a document, the auto-labeling policy will automatically apply the specified label when it scans the file. -For more information, see [Apply a sensitivity label to content automatically](../compliance/apply-sensitivity-label-automatically.md). +For more information about auto-labeling, see [Apply a sensitivity label to content automatically](/purview/apply-sensitivity-label-automatically). ++### More information ++[Configure a default sensitivity label for a SharePoint document library](/purview/sensitivity-labels-sharepoint-default-label) ## Create a DLP policy to remove guest access to highly sensitive files -You can use [Microsoft Purview Data Loss Prevention (DLP)](../compliance/dlp-learn-about-dlp.md) to prevent unwanted guest sharing of sensitive content. Data loss prevention can take action based on a file's sensitivity label and remove guest access. +You can use [Microsoft Purview Data Loss Prevention (DLP)](/purview/dlp-learn-about-dlp) to prevent unwanted guest sharing of sensitive content. Data loss prevention can take action based on a file's sensitivity label and remove guest access. To create a DLP rule -1. In the Microsoft Purview admin center, go to the [Data loss prevention page](https://compliance.microsoft.com/datalossprevention). -1. On the **Policies** tab, click **Create policy**. +1. Open the [Microsoft Purview admin center](https://compliance.microsoft.com). +1. In the left navigation, expand **Data loss prevention**, and select **Policies**. +1. Select **Create policy**. 1. Choose **Custom** and then **Custom policy**.-1. Click **Next**. -1. Type a name for the policy and click **Next**. -1. On the **Locations to apply the policy** page turn off all settings except **SharePoint sites** and **OneDrive accounts**, and then click **Next**. -1. On the **Define policy settings** page, click **Next**. -1. On the **Customize advanced DLP rules** page, click **Create rule** and type a name for the rule. -1. Under **Conditions**, click **Add condition**, and choose **Content is shared from Microsoft 365**. +1. Select **Next**. +1. Type a name for the policy and select **Next**. +1. On the **Assign admin units** page, select **Next**. +1. On the **Locations to apply the policy** page, turn off all settings except **SharePoint sites** and **OneDrive accounts**, and then select **Next**. +1. On the **Define policy settings** page, select **Next**. +1. On the **Customize advanced DLP rules** page, select **Create rule** and type a name for the rule. +1. Under **Conditions**, select **Add condition**, and choose **Content is shared from Microsoft 365**. 1. In the dropdown, choose **with people outside my organization**.-1. Under **Conditions**, click **Add condition**, and choose **Content contains**. -1. Click **Add**, choose **Sensitivity labels**, choose the labels you want to use, and click **Add**. -- ![Screenshot of conditions options, sensitive info types, sensitivity labels, and retention labels.](../media/limit-accidental-exposure-dlp-conditions.png) --1. Under **Actions** click **Add an action** and choose **Restrict access or encrypt the content in Microsoft 365 locations**. -1. Select the **Restrict access or encrypt the content in Microsoft 365 locations** check box and then choose the **Block only people outside your organization** option. +1. Under **Conditions**, select **Add condition**, and choose **Content contains**. +1. Select **Add**, choose **Sensitivity labels**, choose the labels you want to use, and select **Add**. +1. Under **Actions** select **Add an action** and choose **Restrict access or encrypt the content in Microsoft 365 locations**. +1. Choose the **Block only people outside your organization** option. ![Screenshot of DLP rule action options.](../media/dlp-remove-guest-access-sensitive-files.png) 1. Turn user notifications **On**, and then select the **Notify users in Office 365 service with a policy tip** check box.-1. Click **Save** and then click **Next**. -1. Choose your test options and click **Next**. -1. Click **Submit**, and then click **Done**. +1. Select **Save** and then select **Next**. +1. Choose your test options and select **Next**. +1. Select **Submit**, and then select **Done**. It's important to note that this policy doesn't remove access if the guest is a member of the site or team as a whole. If you plan to have highly sensitive documents in a site or team with guest members, consider these options: -- Use [private channels](/MicrosoftTeams/private-channels) and only allowing members of your organization in the private channels.+- Use [private channels](/MicrosoftTeams/private-channels) and only allow members of your organization in the private channels. - Use [shared channels](/MicrosoftTeams/shared-channels) to collaborate with people outside your organization while only having people from your organization in the team itself. ## Additional options There are some additional options in Microsoft 365 and Microsoft Entra ID that can help secure your guest sharing environment. -- You can create a list of allowed or denied sharing domains to limit who users can share with. See [Restrict sharing of SharePoint and OneDrive content by domain](/sharepoint/restricted-domains-sharing) and [Allow or block invitations to B2B users from specific organizations](/azure/active-directory/b2b/allow-deny-list) for more information.-- You can limit which other Microsoft Entra tenants your users can connect to. See [Use tenant restrictions to manage access to SaaS cloud applications](/azure/active-directory/manage-apps/tenant-restrictions) for information.-- You can create a managed environment where partners can help manage guest accounts. See [Create a B2B extranet with managed guests](/Office365/Enterprise/b2b-extranet) for information.+- You can create a list of allowed or denied sharing domains to limit who users can share with. See [Restrict sharing of SharePoint and OneDrive content by domain](/sharepoint/restricted-domains-sharing) and [Allow or block invitations to B2B users from specific organizations](/entra/external-id/allow-deny-list) for more information. +- You can limit which other Microsoft Entra tenants your users can connect to. See [Restrict access to a tenant](/entra/identity/enterprise-apps/tenant-restrictions) for information. +- You can create a managed environment where partners can help manage guest accounts. See [Create a B2B extranet with managed guests](b2b-extranet.md) for information. -## See Also +## Related articles [Limit accidental exposure to files when sharing with guests](share-limit-accidental-exposure.md) [Best practices for sharing files and folders with unauthenticated users](best-practices-anonymous-sharing.md)--[Create a B2B extranet with managed guests](b2b-extranet.md) |