+## January 2024

+- **Ability to manage endpoint security subscription settings**. Defender for Business customers who have a mix of subscriptions (such as Defender for Business and Defender for Endpoint Plan 2 licenses) can now change their subscription settings to apply Defender for Endpoint Plan 2 features and capabilities across devices. See [Manage your endpoint security subscription settings across client devices](../security/defender-business/mdb-manage-subscription.md).

+Self-service sign-up subscriptions are free and are available for a larger list of products than self-service purchase subscriptions. When a user signs up for a self-service purchase subscription, they're responsible for paying for it. For more information, see [Self-service purchase FAQ](self-service-purchase-faq.yml).

+ - has-azure-ad-ps-ref, azure-ad-ref-level-one-done

+Note that not all security groups have a group alias. If you want to add a security group that does not have an alias, run [Get-MgGroup](/powershell/module/microsoft.graph.groups/get-mggroup) to retrieve a list of groups, find your security group's ObjectID, and then run:

+[Set an alias (MailNickName) for a security group](/powershell/module/microsoft.graph.groups/update-mggroup)

+ - delete, recover and purge Loop workspaces (note that the Loop app workspaces views do not yet reflect the changes, so a user would need to visit a page link for a workspace that's recovered in order to see it again)

+See more about how to use PowerShell to perform these tasks on Loop application containers in the [Consuming Tenant admin](/sharepoint/dev/embedded/concepts/admin-exp/cta) article.

+ Title: Change your endpoint security subscription

+description: Learn about your options for managing your Defender for Business or Defender for Endpoint subscription settings. Choose between Defender for Endpoint or Defender for Business.

+search.appverid: MET150

+audience: ITPro

+ms.localizationpriority: medium

+f1.keywords: NOCSH

+- M365-security-compliance

+- m365initiative-defender-business

+# Change your endpoint security subscription

+[Microsoft Defender for Business](mdb-overview.md) and [Microsoft Defender for Endpoint](../defender-endpoint/microsoft-defender-endpoint.md) are endpoint security subscriptions that your organization can use to protect devices, such as computers, tablets, and phones. As your organization grows, you might have a mix of subscriptions and licenses. For example, you might have some Defender for Business licenses, and some Defender for Endpoint licenses.

+This article describes how to apply either Defender for Business or Defender for Endpoint Plan 2 features and capabilities across all your organization's devices. (To learn more about mixed-licensing scenarios with Defender for Endpoint Plan 1 and Plan 2, see [Manage Microsoft Defender for Endpoint subscription settings across client devices](../defender-endpoint/defender-endpoint-subscription-settings.md).)

+## Before you begin

+- You should have active trial or paid licenses for both Defender for Business and Defender for Endpoint Plan 2.

+- If you're using Defender for Business only, you can continue using it. In this case, no changes are needed. But if you're considering switching to Defender for Endpoint Plan 2, follow the guidance in this article.

+- To access license information, you must have one of the following roles assigned in Microsoft Entra ID:

+

+ - Global Admin

+ - Security Admin

+## View and manage your endpoint security subscription settings

+1. As an admin, go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

+2. Go to **Settings** > **Endpoints** > **Licenses**. Your usage report opens and displays information about your organization's Defender for Business and Defender for Endpoint licenses.

+3. To change your subscription, under **Subscriptions applied to your devices**, select **Change subscription settings**.

+ > [!NOTE]

+ > If you don't see **Change subscription settings**, at least one of the following conditions is true:

+ > - You have Defender for Business or Defender for Endpoint (but not both); or

+ > - The ability to change your subscription settings hasn't rolled out to your organization yet.

+4. On the **Subscription settings** flyout, choose whether to use only Defender for Business or Defender for Endpoint Plan 2 across your organization's devices.

+ > [!IMPORTANT]

+ > Keep the following important points in mind before you save your changes:

+ >

+ > - Make sure you have enough licenses for the subscription you're using for all users in your organization. If you choose Defender for Endpoint Plan 2, you're no longer using your Defender for Business licenses.

+ > - If you select **Only Microsoft Defender for Endpoint Plan 2**, the simplified configuration experience for Defender for Business is replaced with advanced settings that you can configure in Defender for Endpoint. If this change is applied, you can't undo it.

+ > - Make sure to review your security policies and settings. To get help with Defender for Endpoint policies and settings, see [Configure Microsoft Defender for Endpoint capabilities](../defender-endpoint/onboard-configure.md). If you're keeping Defender for Business, see [Set up, review, and edit your security policies and settings in Microsoft Defender for Business](mdb-configure-security-settings.md).

+ > - It can take up to three hours for your changes to be applied.

+## Review license usage

+The license usage report is estimated based on sign-in activities on the device. Defender for Endpoint Plan 2 licenses are per user, and each user can have up to five concurrent, onboarded devices. To learn more about license terms, see [Microsoft Licensing](https://www.microsoft.com/en-us/licensing/default).

+To reduce management overhead, there's no requirement for device-to-user mapping and assignment. Instead, the license report provides a utilization estimation that is calculated based on device usage seen across your organization. It might take up to one day for your usage report to reflect the active usage of your devices.

+> [!IMPORTANT]

+> To access license information, you must have one of the following roles assigned in Microsoft Entra ID:

+> - Security Admin

+> - Global Admin

+1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

+2. Choose **Settings** > **Endpoints** > **Licenses**.

+3. Review your available and assigned licenses. The calculation is based on detected users who have accessed devices that are onboarded to Defender for Business (or Defender for Endpoint).

+## More information

+- [Licensing and product terms for Microsoft 365 subscriptions](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA).

+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)

+- [Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-overview) (endpoint protection for small and medium-sized businesses)

+> [!NOTE]

+> If you're using Microsoft Defender for Business and you want to switch to Defender for Endpoint Plan 2, see [Change your endpoint security subscription](../defender-business/mdb-manage-subscription.md).

+- Microsoft Defender for Endpoint P1 (which includes [Microsoft 365 E3 (M365 E3)](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3/ba-p/3060639))

+> For information on availability and support for each response action, please refer to the supported/minimum operating system requirements found under each feature.

+|**Microsoft Secure Score** | Defender for Identity security posture assessments is available in [Microsoft Secure Score](https://security.microsoft.com/securescore). Each assessment is a downloadable report with instructions for use and tools to build an action plan for remediating or resolving the issue. Filter Microsoft Secure Score by **Identity** to view Defender for Identity assessments. <br><br> For more information, see [Microsoft Defender for Identity's security posture assessments](/defender-for-identity/security-assessment). |

+| **Identities** area| In Microsoft Defender XDR, expand the **Identities** area to view a **Dashboard** of graphs and widgets with commonly used data, a **Health issues** page, listing all health issues for your Defender for Identity deployment, and a **Tools** page, with links to commonly used tools and documentation. <br><br>For more information, see [View the ITDR dashboard](/defender-for-identity/dashboard) and [Defender for Identity health issues](/defender-for-identity/health-alerts). |

+| **Alert and incident correlation** |Defender for Identity alerts is now included in Microsoft Defender XDR's alert queue, making them available to the automated incident correlation feature. <br><br>View all of your alerts in one place, and determine the scope of the breach even quicker than before. <br><br>For more information, see [Investigate Defender for Identity alerts in Microsoft Defender XDR](/defender-for-identity/manage-security-alerts). |

+| **Health issues** | Microsoft Defender XDR **Identities > Health issues** |

+To create a spam filter policy, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use this syntax:

+To create a spam filter rule, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use this syntax:

+To return a summary list of all spam filter policies, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and run this command:

+To view existing spam filter rules, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use the following syntax:

+To modify a spam filter policy, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use this syntax:

+To modify a spam filter rule, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use this syntax:

+To enable or disable a spam filter rule, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use this syntax:

+To set the priority of a spam filter rule, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use the following syntax:

+To remove a spam filter policy, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use this syntax:

+To remove a spam filter rule, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and use this syntax:

+## December 2023

+- **Microsoft Defender XDR Unified RBAC is now generally available**: Defender XDR Unified RBAC supports all Defender for Office 365 scenarios that were previously controlled by [Email & collaboration permissions](mdo-portal-permissions.md) and [Exchange Online permissions](/exchange/permissions-exo/permissions-exo). To learn more about the supported workloads and data resources, see [Microsoft Defender XDR Unified role-based access control (RBAC)](/microsoft-365/security/defender/manage-rbac).

+ > [!TIP]

+ > Defender XDR Unified RBAC isn't generally available in Microsoft 365 Government Community Cloud High (GCC High) or Department of Defense (DoD).

+- **Enhanced Action experience from Email Entity/ Summary Panel**: As part of the change security admins can take multiple actions as part of FP/FN flows. [Learn more](mdo-email-entity-page.md).

+- **Exchange Online permission management in Defender for Office 365 is now supported in Microsoft Defender XDR Unified role-based access control (RBAC)**: In addition to the existing support for [Email & collaboration permissions](mdo-portal-permissions.md), Defender XDR Unified RBAC now also supports protection-related [Exchange Online permissions](/exchange/permissions-exo/permissions-exo). To learn more about the supported Exchange Online permissions, see [Exchange Online permissions mapping](/microsoft-365/security/defender/compare-rbac-roles#exchange-online-permissions-mapping).

+ Title: Create a more secure guest sharing environment

+ms.localizationpriority: medium

+description: Learn about available options to create a more secure guest sharing environment in Microsoft 365.

+In this article, we walk through various options for creating a more secure guest sharing environment in Microsoft 365. These are examples to give you an idea of the options available. You can use these procedures in different combinations to meet the security and compliance needs of your organization.

+Note that we don't discuss enabling guest sharing settings in this article. See [Collaborating with people outside your organization](collaborate-with-people-outside-your-organization.md) for details about enabling guest sharing for different scenarios.

+In this example, we set up multifactor authentication for guests by using a conditional access policy in Microsoft Entra ID.

+1. Open the [Microsoft Entra admin center](https://entra.microsoft.com).

+1. Expand **Protection**, and then select **Conditional Access**.

+1. On the **Conditional Access | Overview** page, select **Create new policy**.

+1. Choose **Select users and groups**, and then select the **Guest or external users** check box.

+1. Select the **Target resources** link.

+1. Under **Enable policy**, select **On**, and then select **Create**.

+Now, guests are required to enroll in multifactor authentication before they can access shared content, sites, or teams.

+[Plan a Microsoft Entra multifactor authentication deployment](/entra/identity/authentication/howto-mfa-getstarted)

+In some situations, guests may not have signed non-disclosure agreements or other legal agreements with your organization. You can require guests to agree to a terms of use before accessing files that are shared with them. The terms of use can be displayed the first time they attempt to access a shared file or site.

+1. Open the [Microsoft Entra admin center](https://entra.microsoft.com).

+1. Expand **Protection**, and then select **Conditional Access**.

+1. Select **Terms of use**.

+1. Select **New terms**.

+1. Select **Create**.

+1. In the Microsoft Entra admin center, under **Protection**, select **Conditional access**.

+1. On the **Conditional Access | Overview** page, select **Create new policy**.

+1. Select the **Target resources** link.

+1. On the **Grant** blade, select the check box for the terms of use that you created, and then click **Select**.

+1. Under **Enable policy**, select **On**, and then select **Create**.

+Now, the first time a guest attempts to access content or a team or site in your organization, they'll be required to accept the terms of use.

+[Overview of Microsoft SharePoint eSignature](/microsoft-365/syntex/esignature-overview)

+With access reviews in Microsoft Entra ID, you can automate a periodic review of user access to various teams and groups. By requiring an access review for guests specifically, you can help ensure guests don't retain access to your organization's sensitive information for longer than is necessary.

+1. Open the [Microsoft Entra admin center](https://entra.microsoft.com).

+1. Expand **Identity governance**, and select **Access reviews**.

+1. Select **New access review**.

+1. Choose the **Guest users only** option, and then select **Next: Reviews**.

+1. For **End**, choose **Never**, and then select **Next: Settings**.

+1. Select **Next: Review + Create**.

+1. Select **Create**.

+[Manage guest access with access reviews](/entra/id-governance/manage-guest-access-with-access-reviews)

+[Create an access review of groups and applications in Microsoft Entra ID](/entra/id-governance/create-access-review)

+If your guests use devices that aren't managed by your organization or another organization that you have a trust relationship with, you can require them to access your teams, sites, and files by using a web browser only. This reduces the chance that they might download sensitive files and leave them on an unmanaged device. This is also useful when sharing with environments that use shared devices.

+For Microsoft 365 Groups and Teams, this is done with a Microsoft Entra Conditional Access policy. For SharePoint, this is configured in the SharePoint admin center. (You can also [use sensitivity labels to restrict guests to web-only access](/purview/sensitivity-labels-teams-groups-sites).)

+1. Open the [Microsoft Entra admin center](https://entra.microsoft.com).

+1. Expand **Protection**, and then select **Conditional Access**.

+1. On the **Conditional Access | Overview** page, select **Create new policy**.

+1. Select the **Users** link.

+1. Select the **Target resources** link.

+1. Select the **Conditions** link.

+1. On the **Conditions** blade, select the **Client apps** link.

+1. On the **Client apps** blade, select **Yes** for **Configure**, and then select the **Mobile apps and desktop clients**, **Exchange ActiveSync clients**, and **Other clients** settings. Clear the **Browser** check box.

+1. Select **Done**.

+1. Select the **Grant** link.

+1. Under **Enable policy**, select **On**, and then select **Create**.

+[SharePoint and OneDrive unmanaged device access controls](/sharepoint/control-access-from-unmanaged-devices)

+1. Open the [Microsoft Entra admin center](https://entra.microsoft.com).

+1. Expand **Protection**, and then select **Conditional Access**.

+1. On the **Conditional Access | Overview** page, select **Create new policy**.

+1. In the **Name** field, type a name.

+1. Select the **Users** link.

+1. Select the **Target resources** link.

+1. Select the **Session** link.

+1. Under **Enable policy**, select **On**, and then select **Create**.

+You can create custom sensitive information types to help manage content specific to your organization. In this example, we create a custom sensitive information type for a highly sensitive project. We can then use this sensitive information type to automatically apply a sensitivity label.

+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), in the left navigation, expand **Data classification**, and then select **Classifiers**.

+1. select the **Sensitive info types** tab.

+1. Select **Create sensitive info type**.

+1. For **Name** and **Description**, type **Project Saturn**, and then select **Next**.

+For more information, see [Learn about sensitive information types](/purview/sensitive-information-type-learn-about).

+If you're using sensitivity labels in your organization, you can automatically apply a label to files that contain defined sensitive information types.

+1. In the left navigation, expand **Information protection**, and select **Auto-labeling**.

+1. Select **Create auto-labeling policy**.

+1. On the **Choose info you want this label applied to** page, choose **Custom** and then select **Custom policy**.

+1. Select **Next**.

+1. Type a name and description for the policy and select **Next**.

+1. On the **Assign admin units** page, select **Next**.

+1. On the **Choose locations where you want to apply the label** page, select **SharePoint sites** and optionally select **Edit** to choose the sites.

+1. Select **Next**.

+1. On the **Set up common or advanced rules** page, choose **Common rules** and select **Next**.

+1. On the **Define rules for content in all locations** page, select **New rule**.

+1. On the **New rule** page, give the rule a name, select **Add condition**, and then select **Content contains**.

+1. Select **Add**, select **Sensitive info types**, choose the sensitive info types that you want to use, select **Add**, and then select **Save**.

+1. Select **Next**.

+1. Select **Choose a label**, select the label you want to use, and then select **Add**.

+1. Select **Next**.

+1. Select **Next**.

+1. Select **Create policy**, and then select **Done**.

+For more information about auto-labeling, see [Apply a sensitivity label to content automatically](/purview/apply-sensitivity-label-automatically).

+### More information

+[Configure a default sensitivity label for a SharePoint document library](/purview/sensitivity-labels-sharepoint-default-label)

+You can use [Microsoft Purview Data Loss Prevention (DLP)](/purview/dlp-learn-about-dlp) to prevent unwanted guest sharing of sensitive content. Data loss prevention can take action based on a file's sensitivity label and remove guest access.

+1. Open the [Microsoft Purview admin center](https://compliance.microsoft.com).

+1. In the left navigation, expand **Data loss prevention**, and select **Policies**.

+1. Select **Create policy**.

+1. Select **Next**.

+1. Type a name for the policy and select **Next**.

+1. On the **Assign admin units** page, select **Next**.

+1. On the **Locations to apply the policy** page, turn off all settings except **SharePoint sites** and **OneDrive accounts**, and then select **Next**.

+1. On the **Define policy settings** page, select **Next**.

+1. On the **Customize advanced DLP rules** page, select **Create rule** and type a name for the rule.

+1. Under **Conditions**, select **Add condition**, and choose **Content is shared from Microsoft 365**.

+1. Under **Conditions**, select **Add condition**, and choose **Content contains**.

+1. Select **Add**, choose **Sensitivity labels**, choose the labels you want to use, and select **Add**.

+1. Under **Actions** select **Add an action** and choose **Restrict access or encrypt the content in Microsoft 365 locations**.

+1. Choose the **Block only people outside your organization** option.

+1. Select **Save** and then select **Next**.

+1. Choose your test options and select **Next**.

+1. Select **Submit**, and then select **Done**.

+- Use [private channels](/MicrosoftTeams/private-channels) and only allow members of your organization in the private channels.

+- You can create a list of allowed or denied sharing domains to limit who users can share with. See [Restrict sharing of SharePoint and OneDrive content by domain](/sharepoint/restricted-domains-sharing) and [Allow or block invitations to B2B users from specific organizations](/entra/external-id/allow-deny-list) for more information.

+- You can limit which other Microsoft Entra tenants your users can connect to. See [Restrict access to a tenant](/entra/identity/enterprise-apps/tenant-restrictions) for information.

+- You can create a managed environment where partners can help manage guest accounts. See [Create a B2B extranet with managed guests](b2b-extranet.md) for information.

+## Related articles