+## Week of January 22, 2024

+| Published On |Topic title | Change |

+|||--|

+| 1/23/2024 | [Data, Privacy, and Security for Microsoft Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-privacy) | modified |

+| 1/24/2024 | [Manage access to web content in Microsoft Copilot for Microsoft 365 responses](/microsoft-365-copilot/manage-public-web-access) | modified |

+- Tier2

+- M365-subscription-management

+ *Using Microsoft 365 for business to help you to mitigate and manage GDPR compliance*

+The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that mandates how an organization should handle personal data. If your business sells to, provides services to, or employs citizens of the European Union, then the [GDPR](https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en) will affect you.

+> The Microsoft 365 solutions and recommendations in this article are tools and resources that can help you manage and protect your data, but are not a guarantee of GDPR compliance. It is up to you to assess your own compliance status. Consult with your own legal and/or professional advisors when needed.

+The GDPR is all about data and how it's used. Think of data as having a life cycle. The cycle starts when you collect data, continues as you store it and use it (processing), and ends when you completely delete it from your systems.

+The GDPR is concerned with the following types of data:

+- **Sensitive personal data** This is data that adds more details to personal data. Examples include religion, trade union membership, ethnic origin, and so on. Sensitive personal data also includes biometric data and DNA. Under GDPR, sensitive data has more stringent protection rules than personal data.

+**Consent**:

+**Data subject rights**:

+- **Be informed about their data:** You must inform individuals about your use of their data.

+- **Have access to their data:** You must give individuals access to any of their data that you hold (for example, by using account access or in some manual manner).

+- **Ask for data rectification:** Individuals can ask you to correct inaccurate data.

+- **Ask for data to be deleted:** Also known as the 'right to erasure', this right allows an individual to request that any of their personal data a company has collected is deleted across all systems that use it or share it.

+- **Request restricted processing:** An individual can ask that you suppress or restrict their data. However, it's only applicable under certain circumstances.

+- **Have data portability:** An individual can ask for their data to be transferred to another company.

+- **Object:** An individual can object to their data being used for various uses including direct marketing.

+- **Ask not to be subject to automated decision-making, including profiling:** The GDPR has strict rules about using data to profile people and automate decisions based on that profiling.

+on the employment contract and for legal reasons (for example,

+#### Microsoft 365 features that can help in Step 1

+[Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) can help you discover, classify, and protect sensitive information in your company. You can use trainable classifiers to help you identify and label document types that contain personal data.

+You also have to be able to inform individuals on request about the personal data you hold on them and give them access to their data. Being organized with your data makes it easier to provide to them, if needed.

+#### Microsoft 365 features that can help in Step 3

+[Retention policies and labels](/microsoft-365/compliance/retention) can be used to help you keep personal data for a certain time and delete it when itΓÇÖs no longer needed.

+If you choose to store personal data in the cloud, such as through Microsoft 365, you have security features such as the ability to help you to manage permissions to files and folders, centralized secure locations to save your files (OneDrive or SharePoint document libraries), and data encryption when sending or retrieving your files.

+#### Microsoft 365 features that can help in Step 4

+|Information|Examples|

+You can find MicrosoftΓÇÖs contractual commitments with regard to the GDPR in the [Microsoft Online Services Data Protection Addendum](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=2&Keyword=DPA), which provides MicrosoftΓÇÖs privacy and security commitments, data processing terms and GDPR Terms for Microsoft-hosted services to which customers subscribe under a volume licensing agreement.

+measures).

+of clients, you typically do not need to do a Data Protection Impact Assessment.

+You should also make sure that personal data that you collect is protected. This means that you need to encrypt it and make sure that access to it is controlled using at least a password. Keeping your customer data on a spreadsheet on your desktop with no protection won't meet GDPR expectations.

+Also, check that the database that stores the data is protected. Your web hosting company or cloud storage vendor will be able to advise on this. If you use Microsoft 365 for business, storage of data is GDPR-compliant.

+- A U.S. company that hires cars to EU citizens will need to satisfy GDPR requirements when they collect and process the customer's data. The company will be required to take consent when they take the customer's data and ensure that the data is stored securely. They will also need to make sure the customer can apply all of their data subject rights.

+- An Australian company sells products online, and its users set up online accounts. GDPR data subject rights and consent will be applied to EU citizens who open an account. The company will need to make sure the customer can apply all of their data subject rights.

+Under the GDPR, if you collect data you are affected to some extent. The GDPR has the concept of a data processor and a data controller:

+- **Data Controller:** An individual or organization (you can have joint controllers) that decides how, what, and why data is collected. They may store it using another company's cloud servers. For example, a website that collects customer data is a controller.

+- **Data Processor:** An individual or organization that stores data on behalf of the controller(s) and processes these data upon request. For example, Microsoft 365 Apps for business data storage acts as a processor and is fully GDPR compliant.

+You need to make sure your customers, even ones that you've had for years, have consented to use their data for marketing. You may have previously captured consent, as well as a record to show it. If so, you're all set to continue marketing. If not, you need to get permission from the customer to continue marketing to them. This usually involves sending an email asking customers to go to your site and select an option to consent to receive future emails.

+Becoming compliant with the GDPR is about making sure that personal data is protected. The GDPR has a concept known as Privacy by Design and Default. This means that data protection should be "baked in" to a system and a product so that satisfying privacy concerns is second nature.

+- **Discover:** An important step to GDPR compliance is knowing what data you have.

+- **Manage:** Controlling access to data and managing its use is an integral part of GDPR. Microsoft 365 for business protects business data based on policies you want to apply to devices. Device management is vital in an age where employees work remotely. Microsoft 365 for business includes device management features that make sure data is protected across all devices. For example, you can specify that all Windows 10 devices in your business are protected via Windows Defender.

+- **Protect:** Microsoft 365 for business is designed for security. Its device management and data protection controls work across your business network, including remote devices, to help keep data secure. Microsoft 365 for business offers controls such as privacy settings in Microsoft 365 apps and encryption of documents. With Microsoft 365 for business, you can perform GDPR compliance monitoring to make sure you have the right level of protection set.

+- **Report:** The GDPR places a lot of emphasis on reporting. Even a business with a single employee, if that business processes large amounts of data, is required to document and report on their procedures. Microsoft 365 for business takes the headache out of reporting requirements for smaller organizations.

+ Tools such as audit logs allow you to track and report on data movement. Reports include classifying the data you collect and store, what you do with the data, and transfers of the data.

+Customers, employees, and clients are becoming more aware of the importance of data privacy and now expect a company or organization to respect that privacy. Microsoft 365 for business provides you with the tools to achieve and maintain GDPR compliance without a massive upheaval to your business.

+- Investigate [Microsoft 365 for business](/microsoft-365/business) as a solution for achieving and maintaining compliance with GDPR.

+[Microsoft Trust Center overview of the GDPR](https://www.microsoft.com/trust-center/privacy/gdpr-overview)

+- [EU data protection rules](https://commission.europa.eu/law/law-topic/data-protection/eu-data-protection-rules)

+There are a couple of options in this case:

+ 1. Go to <https://myapps.microsoft.com/>.

+You will need to leave your previous Microsoft 365 Business subscription first. Either talk to your previous technical admin or business owner and ask them to remove you. You can also visit <https://myaccount.microsoft.com/> and follow the steps below.

+|**Enterprise Social** <br> (Viva Engage) | - [Introducing Microsoft Viva Engage](/viva/engage/overview) <br> - Use the [Viva Engage Enterprise setup guide](https://aka.ms/yammerdeploy) to get customized setup guidance |

+> [!NOTE]

+> Cross-Tenant SharePoint migration is currently in a private preview stage of development. As an unfinished project, any information or availability is subject to change at any time. Support for private-preview customers will be handled via email. Cross-Tenant SharePoint migration is covered by the preview terms of the [Microsoft Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).

+- Step 7: [Post migration steps](cross-tenant-SharePoint-migration-step7.md)\n

+|`admin@source.com`|`new.userA@target.com`|

+|`admin@source.com`|`new.userB@target.com`|

+|`admin@source.com`|`new.userC@target.com`|

+|`userA@source.com`|`new.userA@target.com`|

+|`userB@source.com`|`new.userB@target.com`|

+|`userC@source.com`|`new.userC@target.com`|

+|||||

+> [!IMPORTANT]

+> When creating your Identity Mapping for Group Connected sites, the Target site URL **must** align with the alias of the new Group created on the Target tenant.

+> **Example:**

+> - Source site: `https://contoso.sharepoint.com/teams/O365SourceGroup`

+> - New Target Group Alias = O365TargetGroup

+> In your Identity Mapping file the Target site needs to be: `https://fabrikam.sharepoint.com/teams/O365TargetGroup`.

+>

+> If the Target Alias and Target URL don't align, the migration will fail.

+>

+> **Do NOT include column headings in your CSV file.** In the examples below we include them for illustrative purposes only.

+> Before you run the *Add-SPOTenantIdentityMap -IdentityMapPath* command, save and close the identitymap.csv file on your Desktop/SharePoint/SharePoint.

+- Step 4: [Pre-create users and groups](cross-tenant-SharePoint-migration-step4.md)

+ ```PowerShell

+ Start-SPOCrossTenantGroupContentMove  -SourceSiteUrl <…> -TargetSiteUrl <…> -TargetCrossTenantHostUrl| <…>

+ ```

+ |Parameters|Description|

+ |||

+ |SourceSiteUrl|Full URL of the SharePoint Site of the Source tenant, for example: `https://sourcetenant.sharepoint.com/sites/sitename`.|

+ |TargetSiteUrl |Full URL of the SharePoint Site of the Target tenant, for example: `https://targettenant.sharepoint.com/sites/newsitename`.|

+ |TargetCrossTenantHostUrl|The Cross-tenant host URL of the target tenant. The target tenant Admin can determine the TargetCrossTenantHostUrl by running *Get-SPOCrossTenantHostUrl* on their tenant.|

+ ```powershell

+ Start-SPOCrossTenantGroupContentMove  -SourceGroupAlias <…> -TargetGroupAlias <…> -TargetCrossTenantHostUrl <…>

+ ```

+ |Parameters|Description|

+ |||

+ |SourceGroupAlias|Alias of the Microsoft 365 Group connected to the SharePoint Site on the Source tenant. For example: SourceGroup1|

+ |TargetGroupAlias|Alias of the Microsoft 365 that was created on the target tenant |

+ |TargetCrossTenantHostUrl|The Cross-tenant Host URL of the target tenant. The target tenant Admin can determine the TargetCrossTenantHostUrl by running *Get-SPOCrossTenantHostUrl* on their tenant|

+Get-SPOCrossTenantUserContentMoveState -PartnerCrossTenantHostURL https://ttesttenant-my.sharepoint.com -SourceUserPrincipalName User3@stesttenant.onmicrosoft.com -Verbose

+- Active Directory schema changes for Exchange [2016](/Exchange/plan-and-deploy/active-directory/ad-schema-changes), [2013](/exchange/exchange-2013-active-directory-schema-changes-exchange-2013-help), [2010](/previous-versions/office/developer/exchange-server-2010/dd877014(v=exchg.140))

+- For information about troubleshooting and resolving eDiscovery compliance issues, see [Microsoft Purview troubleshooting](/microsoft-365/troubleshoot/microsoft-365-compliance-welcome).

+An Exchange Online service advisory informs you about mailboxes that are on hold and at risk of reaching or exceeding their quota. These service advisories provide visibility to the number of mailboxes in your organization that might require admin intervention.

+These service advisories are displayed in the Microsoft 365 admin center. To view these service advisories, you can go to **Health** \> **Service health** \> **Exchange Online** and then look for **Mailbox Storage Limits under the Organization Scenarios**, or you can go **Health** \> **Service health** \> **Exchange Online** and select the **Active issues** tab. Here's an example of a mailbox utilization service advisory under active issues.

+When you access the service advisory, you see a link under **User Impact**. Selecting that link opens a flyout window that lists affected mailbox GUIDs for your tenant. This list is limited to no more than 155 mailboxes.

+If your tenant exceeds more than 155 mailboxes at or nearing their storage quota, visit your admin portal and access your mailbox usage report. Alternatively, the direct URL to the mailbox usage report is <https://admin.microsoft.com/Adminportal/Home?source=applauncher#/reportsUsage/MailboxUsage>.

+The service advisories for mailbox utilization inform admins about mailboxes on hold that are nearing the mailbox storage quota. The type of holds that that can be placed on mailboxes include Litigation holds, eDiscovery hold, and Microsoft 365 retention policies (that are configured to retain data). When a mailbox is on hold, users (or automated processes) can't permanently remove data from their mailbox. Instead, admins should configure Messaging Records Management (MRM) retention policies in Exchange Online (in line with their organization's compliance policies related to data retention) to move data from a user's primary mailbox to their archive mailbox.

+If a mailbox on hold doesn't have an archive and reaches a critical or warning state, admins should [enable archive mailboxes](../compliance/enable-archive-mailboxes.md) and [enable auto-expanding archiving](../compliance/enable-autoexpanding-archiving.md). Make sure the retention period for the archive policy assigned to the mailbox (which moves email from the primary mailbox to the archive mailbox) only retains data in the main mailbox for as long as needed. If nothing is done to resolve the quota issues identified by the mailbox utilization service advisory, users might not be able to send or receive email messages or meeting invites.

+If a mailbox is on hold and is nearing or has reached its quota and doesn't have an archive, an admin can [enable an archive mailbox](../compliance/enable-archive-mailboxes.md) (and potentially [enable auto-expanding archiving](../compliance/enable-autoexpanding-archiving.md)) along with ensuring an MRM archive policy is applied to the mailbox. (An MRM archive policy is a retention policy in Exchange Online that moves items to the archive mailbox.) For more information about how holds interact with quotas and recommended quota sizes for the main mailbox and Recoverable Items folder, see [Increase the Recoverable Items quota for mailboxes on hold](../compliance/ediscovery-increase-the-recoverable-quota-for-mailboxes-on-hold.md).

+If a mailbox is on hold, has an archive, and is nearing or has reached its Recoverable Items Quota, an admin can increase the quota for the Recoverable Items folder. For more information, see [Increase the Recoverable Items quota for mailboxes on hold](../compliance/ediscovery-increase-the-recoverable-quota-for-mailboxes-on-hold.md).

+Archive retention policies can be configured in a variety of ways, depending on your organization's needs. For detailed information about retention policies, see [Retention tags and retention policies in Exchange Online](/exchange/security-and-compliance/messaging-records-management/retention-tags-and-policies). An admin can view existing retention policies by running the following command:

+```powershell

+Get-RetentionPolicy | FL

+```

+Retention policies can be applied to and take different actions on mailboxes with or without archives. The following is a brief overview of common archive retention policy actions:

+- MovePrimaryToArchive and MoveDumpsterToArchive instruct the retention policy to move the contents of the main mailbox, or Recoverable Items folder respectively, to the mailbox's archive once the policy's conditions have been met. These tags are set by admins and apply regardless of a user's individual settings.

+ - The retention policy applied to moving Recoverable Items content should be relatively short to ensure the user's primary mailbox doesn't reach its Recoverable Items quota.

+- A Personal Archive tag means this policy can be applied by users to their personal folders to archive content on the specified schedule.

+### MRM retention policies don't function as expected

+If you don't resolve the quota issues, you can expect to see this type of service advisory every seven days. Subsequent service advisories might contain higher mailbox counts for other mailboxes that are nearing their quota. If you resolve quota issues, this service advisory only occurs when another mailbox with quota issues is identified.

+- For information about troubleshooting and resolving archive mailbox issues, see [Microsoft Purview troubleshooting](/microsoft-365/troubleshoot/microsoft-365-compliance-welcome).

+description: Learn which types of SharePoint 2013 solutions can be hosted in Microsoft Azure virtual machines, and how to set up Azure to host one.

+|Solution|Why this solution is recommended for Azure|

+|||

+|Development and test environments|It's easy to create and manage these environments.|

+|Disaster recovery of on-premises SharePoint farms to Azure|**Hosted secondary datacenter** Use Azure instead of investing in a secondary datacenter in a different region. <br/> **Lower-cost disaster-recovery environments** Maintain and pay for fewer resources than an on-premises disaster recovery environment. The number of resources depends on the disaster recovery environment you choose: cold standby, warm standby, or hot standby. <br/> **More elastic platform** In the event of a disaster, easily scale-out your recovery SharePoint farm to meet load requirements. Scale in when you no longer need the resources. <br/> See [SharePoint Server 2013 Disaster Recovery in Microsoft Azure](sharepoint-server-2013-disaster-recovery-in-microsoft-azure.md).|

+|Internet-facing sites that use features and scale not available in Microsoft 365|**Focus your efforts** Concentrate on building a great site rather than building infrastructure. <br/> **Take advantage of elasticity in Azure** Size the farm for the demand by adding new servers, and pay only for resources you need. Dynamic machine allocation is not supported (auto scale). <br/> **Use Microsoft Entra ID** Take advantage of Microsoft Entra ID for customer accounts. <br/> **Add SharePoint functionality not available in Microsoft 365** Add deep reporting and web analytics. <br/> See [Internet Sites in Microsoft Azure using SharePoint Server 2013](internet-sites-in-microsoft-azure-using-sharepoint-server-2013.md).|

+|App farms to support Microsoft 365 or on-premises environments|**Build, test, and host apps** in Azure to support both on-premises and cloud environments. <br/> **Host this role** in Azure instead of buying new hardware for on-premises environments.|

+- If Microsoft 365 does not meet all your business requirements, consider a standard implementation of SharePoint 2013 on premises from Microsoft Consulting Services (MCS). A standard architecture can be a quicker, cheaper, and easier solution for you to support than a customized one.

+|Option|Description|

+|||

+|Dedicated domain|You can deploy a dedicated and isolated Active Directory domain to Azure to support your SharePoint farm. This is a good choice for public-facing Internet sites.|

+|Extend the on-premises domain through a cross-premises connection|When you extend the on-premises domain through a cross-premises connection, users access the SharePoint farm via your intranet as if it were hosted on-premises. You can take advantage of your on-premises Active Directory and DNS implementation. <br/> A cross-premises connection is required for building a disaster-recovery environment in Azure to fail over to from your on-premises farm.|

+If you are extending your on-premises network to Azure through a cross-premises connection (required for a disaster recovery environment), you must choose a private address space that is not already in use elsewhere in your organization network, which can include your on-premises environment and other Azure virtual networks.

+**Figure 1: On-premises environment with a virtual network in Azure**:

+The next deployment step is to create the cross-premises connection (if this applies to your solution). For cross-premises connections, an Azure gateway resides in a separate gateway subnet, which you must create and assign an address space.

+**Figure 2: Using an Azure gateway and an on-premises gateway device to provide site-to-site connectivity between the on-premises environment and Azure**:

+**Figure 3: Hybrid Active Directory domain configuration**:

+This diagram builds on the previous diagrams by adding two virtual machines to a Windows Server AD and DNS subnet. These virtual machines are replica domain controllers and DNS servers. They are an extension of the on-premises Windows Server AD environment.

+|Item|Configuration|

+|||

+|Virtual machine size in Azure|A1 or A2 size in the Standard tier|

+|Operating system|Windows Server 2012 R2|

+|Active Directory role|AD DS domain controller designated as a global catalog server. This configuration reduces egress traffic across the cross-premises connection. <br/> In a multidomain environment with high rates of change (this is not common), configure domain controllers on premises not to sync with the global catalog servers in Azure, to reduce replication traffic.|

+|DNS role|Install and configure the DNS Server service on the domain controllers.|

+|Data disks|Place the Active Directory database, logs, and SYSVOL on additional Azure data disks. Do not place these on the operating system disk or the temporary disks provided by Azure.|

+|IP addresses|Use static IP addresses and configure the virtual network to assign these addresses to the virtual machines in the virtual network after the domain controllers have been configured.|

+> Before you deploy Active Directory in Azure, read [Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100). These help you determine if a different architecture or different configuration settings are needed for your solution.

+**Figure 4: Placement of SharePoint virtual machines**:

+**Figure 5: Use Azure Availability Sets to provide high availability for the SharePoint farm tiers**:

+**Figure 6: Planning example for capacity and performance goals in a three-tier farm**:

+**Figure 7: Application server tier before fine tuning**:

+**Figure 8: Application server tier after fine tuning**:

+**Figure 9: The completed SharePoint farm in Azure infrastructure services**:

+Check out this [Microsoft Mechanics video](https://www.youtube.com/watch?v=gdkTnPdIRS4&t=461s) for an overview of how to set up and deploy your frontline dynamic teams.

+1. In the left navigation of the [Teams admin center](https://admin.teams.microsoft.com), choose **Frontline deployment** > **Manage frontline teams**.

+9. Review your settings, and then choose **Finish setup.**

+4. Select **Deploy**. This process can take several hours depending on how many teams you're creating. After deployment is completed, you'll see the number updated in the **Frontline teams** card. On this card, you can download a CSV file with a list of your frontline teams. If any errors occurred, you can download the error CSV file on the **Last deployment health** card.

+1. In the left navigation of the [Teams admin center](https://admin.teams.microsoft.com), choose **Frontline deployment** > **Manage frontline teams**.

+1. In the left navigation of the [Teams admin center](https://admin.teams.microsoft.com), choose **Frontline deployment** > **Manage frontline teams**.

+2. In the **Deployment settings** column, choose **Deploy frontline dynamic teams**.

+ > To get a list of your frontline team IDs, in the Teams admin center, go to **Frontline deployment** > **Manage frontline teams**, and then in the **Frontline teams** section, select **Download CSV**.

+## Week of January 22, 2024

+| Published On |Topic title | Change |

+|||--|

+| 1/21/2024 | [Vulnerable components](/microsoft-365/security/defender-vulnerability-management/tvm-vulnerable-components?view=o365-worldwide) | added |

+| 1/22/2024 | [Review detected threats on devices and take action](/microsoft-365/business-premium/m365bp-review-threats-take-action?view=o365-worldwide) | modified |

+| 1/22/2024 | [Email security with Threat Explorer in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/email-security-in-microsoft-defender?view=o365-worldwide) | modified |

+| 1/22/2024 | [Manage quarantined messages and files as an admin](/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files?view=o365-worldwide) | modified |

+| 1/22/2024 | [Manage allows and blocks in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-about?view=o365-worldwide) | modified |

+| 1/23/2024 | [Connect to all Microsoft 365 services in a single PowerShell window](/microsoft-365/enterprise/connect-to-all-microsoft-365-services-in-a-single-windows-powershell-window?view=o365-worldwide) | modified |

+| 1/23/2024 | [Prioritize incidents in Microsoft Defender XDR](/microsoft-365/security/defender/incident-queue?view=o365-worldwide) | modified |

+| 1/23/2024 | [Responding to your first incident in Microsoft Defender XDR](/microsoft-365/security/defender/respond-first-incident-365-defender?view=o365-worldwide) | modified |

+| 1/23/2024 | [What's new in Microsoft Defender XDR](/microsoft-365/security/defender/whats-new?view=o365-worldwide) | modified |

+| 1/23/2024 | [Onboard non-Windows devices to the Microsoft Defender for Endpoint service](/microsoft-365/security/defender-endpoint/configure-endpoints-non-windows?view=o365-worldwide) | modified |

+| 1/23/2024 | [Microsoft Defender for Endpoint demonstration scenarios](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstrations?view=o365-worldwide) | modified |

+| 1/24/2024 | [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure?view=o365-worldwide) | modified |

+| 1/24/2024 | [Create Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/create-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified |

+| 1/24/2024 | [Get started with PowerShell for Microsoft 365](/microsoft-365/enterprise/getting-started-with-microsoft-365-powershell?view=o365-worldwide) | modified |

+| 1/24/2024 | [View directory synchronization errors in Microsoft 365](/microsoft-365/enterprise/identify-directory-synchronization-errors?view=o365-worldwide) | modified |

+| 1/24/2024 | [Manage SharePoint users and groups with PowerShell](/microsoft-365/enterprise/manage-sharepoint-users-and-groups-with-powershell?view=o365-worldwide) | modified |

+| 1/24/2024 | [Microsoft 365 Network Connectivity Overview](/microsoft-365/enterprise/microsoft-365-networking-overview?view=o365-worldwide) | modified |

+| 1/24/2024 | [Use the Page Diagnostics tool for SharePoint Online](/microsoft-365/enterprise/page-diagnostics-for-spo?view=o365-worldwide) | modified |

+| 1/24/2024 | [Investigate incidents in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/investigate-incidents?view=o365-worldwide) | modified |

+| 1/24/2024 | [What's new in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint?view=o365-worldwide) | modified |

+| 1/24/2024 | [Security, privacy, and compliance](/microsoft-365/business-premium/m365bp-security-privacy-compliance?view=o365-worldwide) | added |

+| 1/24/2024 | [View Defender for Office 365 reports](/microsoft-365/security/office-365-security/reports-defender-for-office-365?view=o365-worldwide) | modified |

+| 1/24/2024 | [View email security reports](/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide) | modified |

+| 1/24/2024 | [Manage submissions](/microsoft-365/security/office-365-security/submissions-admin?view=o365-worldwide) | modified |

+| 1/25/2024 | [Allow or block URLs using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-urls-configure?view=o365-worldwide) | modified |

+| 1/25/2024 | [Use the Microsoft 365 admin center to manage your Shifts connection to UKG Pro Workforce Management](/microsoft-365/frontline/shifts-connector-ukg-admin-center-manage?view=o365-worldwide) | modified |

+| 1/25/2024 | [Vulnerability support in Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/fixed-reported-inaccuracies?view=o365-worldwide) | modified |

+| 1/25/2024 | [Understand the Microsoft 365 E3 and E5 Extra Features license](/microsoft-365/commerce/licenses/e3-extra-features-licenses?view=o365-worldwide) | modified |

+| 1/25/2024 | [Corporate communications with frontline workers](/microsoft-365/frontline/flw-corp-comms?view=o365-worldwide) | modified |

+| 1/25/2024 | [Provide initial and ongoing training to help onboard your frontline workers](/microsoft-365/frontline/flw-onboarding-training?view=o365-worldwide) | modified |

+| 1/25/2024 | [Microsoft 365 documentation # < 60 chars](/microsoft-365/index?view=o365-worldwide) | modified |

+| 1/26/2024 | [Microsoft 365 admin center Teams app usage reports](/microsoft-365/admin/activity-reports/microsoft-teams-apps-usage?view=o365-worldwide) | modified |

+| 1/26/2024 | [Migrate business email and calendar from Google Workspace](/microsoft-365/admin/moveto-microsoft-365/migrate-email?view=o365-worldwide) | modified |

+| 1/26/2024 | [Launch your portal using the Portal launch scheduler](/microsoft-365/enterprise/portallaunchscheduler?view=o365-worldwide) | modified |

+| 1/26/2024 | [OneDrive Cross-tenant OneDrive migration Step 1](/microsoft-365/enterprise/cross-tenant-onedrive-migration-step1?view=o365-worldwide) | modified |

+| 1/26/2024 | [OneDrive Cross-tenant OneDrive migration Step 6](/microsoft-365/enterprise/cross-tenant-onedrive-migration-step6?view=o365-worldwide) | modified |

+| 1/26/2024 | [SharePoint site Cross-tenant SharePoint migration Step 6 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step6?view=o365-worldwide) | modified |

+| 1/26/2024 | [Join or leave a multitenant organization in Microsoft 365 (Preview)](/microsoft-365/enterprise/join-leave-multi-tenant-org?view=o365-worldwide) | modified |

+| 1/26/2024 | [Use Office 365 Content Delivery Network (CDN) with SharePoint Online](/microsoft-365/enterprise/use-microsoft-365-cdn-with-spo?view=o365-worldwide) | modified |

+| 1/26/2024 | [Manual deployment for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide) | modified |

+| 1/26/2024 | [Production ring deployment using Group Policy and network share](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-network-share?view=o365-worldwide) | modified |

+| 1/26/2024 | [Use network protection to help prevent Linux connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection-linux?view=o365-worldwide) | modified |

+| 1/26/2024 | [Professional services supported by Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/professional-services?view=o365-worldwide) | modified |

+| 1/26/2024 | [Take response actions on a device in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide) | modified |

+| 1/26/2024 | [Incident response with Microsoft Defender XDR](/microsoft-365/security/defender/incidents-overview?view=o365-worldwide) | modified |

+| 1/26/2024 | [Buy or remove licenses for a Microsoft business subscription](/microsoft-365/commerce/licenses/buy-licenses?view=o365-worldwide) | modified |

+| 1/26/2024 | [Build queries using guided mode in Microsoft Defender XDR advanced hunting](/microsoft-365/security/defender/advanced-hunting-query-builder?view=o365-worldwide) | modified |

+| 1/26/2024 | [Investigate data loss alerts with Microsoft Defender XDR](/microsoft-365/security/defender/dlp-investigate-alerts-defender?view=o365-worldwide) | modified |

+| 1/26/2024 | [Remediate your first incident in Microsoft Defender XDR](/microsoft-365/security/defender/respond-first-incident-remediate?view=o365-worldwide) | modified |

+| 1/26/2024 | [Step 7. Verify app configuration](/microsoft-365/solutions/apps-config-step-7?view=o365-worldwide) | modified |

+| 1/26/2024 | [Onboard trusted vendors to collaborate in Microsoft 365](/microsoft-365/solutions/trusted-vendor-onboarding?view=o365-worldwide) | modified |

+| 1/26/2024 | [Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-defender-portal?view=o365-worldwide) | modified |

+| 1/26/2024 | [How Microsoft identifies malware and potentially unwanted applications](/microsoft-365/security/intelligence/criteria?view=o365-worldwide) | modified |

+> The scheduled tasks are triggered by [Moodle Cron](https://docs.moodle.org/403/en/Cron), which needs to be configured to run frequently. Each scheduled task can have a default schedule, which can be customized.

+- [Microsoft 365 integration documentation on Moodle Docs](https://docs.moodle.org/403/en/Microsoft_365).

+> For more information on registering your Open LMS instance manually, see [Register your Open LMS instance as an application](https://docs.moodle.org/403/en/Microsoft_365#Azure_App_Creation_and_Configuration).

+> Once you register your app, verify that all the Azure app permissions are applied. For more information, see [Azure app permissions](https://docs.moodle.org/403/en/Microsoft_365#Azure_app_permissions).

+> The scheduled tasks are triggered by [Moodle Cron](https://docs.moodle.org/403/en/Cron), which needs to be configured to run frequently. Each scheduled task can have a default schedule and can be customized.

+- [Microsoft 365 integration documentation on Moodle Docs](https://docs.moodle.org/403/en/Microsoft_365).

+This feature is only available if you have an active subscription for Office 365 E5 or the Threat Intelligence add-on. For more information, see the [Office 365 E5 product page](https://www.microsoft.com/microsoft-365/enterprise/office-365-e5?activetab=pivot:overviewtab).

+[Endpoint Attack Notifications](/microsoft-365/security/defender-endpoint/endpoint-attack-notifications) enable Microsoft to actively hunt for critical threats to be prioritized based on urgency and impact over your endpoint data.

+> If you encounter any issues, [submit in-app feedback](/microsoft-365/security/defender-endpoint/android-support-signin#send-in-app-feedback).

+In addition, for Saltstack deployment, you need to be familiar with Saltstack administration, have Saltstack installed, configure the Master and Minions, and know how to apply states. Saltstack has many ways to complete the same task. These instructions assume availability of supported Saltstack modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Refer to the [Saltstack documentation](https://docs.saltproject.io/) for details.

+- Saltstack is installed on at least one computer (Saltstack calls the computer as the master).

+- The Saltstack master accepted the managed nodes (Saltstack calls the nodes as minions) connections.

+- The Saltstack minions are able to resolve communication to the Saltstack master (be default the minions try to communicate with a machine named 'salt').

+ Defender for Endpoint on Linux can be deployed from one of the following channels (described as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.

+ In order to preview new features and provide early feedback, we recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.

+ In the following commands, replace *[distro]* and *[version]* with your information.

+ - dist: [codename]

+- Add the package installed state to `install_mdatp.sls` after the `add_ms_repo` state as previously defined.

+- Add the onboarding file deployment to `install_mdatp.sls` after the `install_mdatp_package` as previously defined.

+ The completed install state file should look similar to this output:

+ - dist: [codename]

+- Add the offboarding file deployment to the `uninstall_mdatp.sls` file after the `remove_mde_onboarding_file` state defined in the previous section.

+- Add the removal of the MDATP package to the `uninstall_mdatp.sls` file after the `offboard_mde` state defined in the previous section.

+For more information on how to find the automatically generated log that's created by the installer when an error occurs, see [Log installation issues](linux-resources.md#log-installation-issues).

+0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh

+0 2 * * sat /bin/mdatp scan quick>~/mdatp_cron_job.log

+### To back up crontab entries

+<details>

+ <summary> January-2024 (Build: 101.23112.0009 | Release version: 30.123112.0009.0)</summary>

+## January-2024 Build: 101.23112.0009 | Release version: 30.123112.0009.0

+&ensp;Released: **January 29,2024**<br/>

+&ensp;Published: **January 29, 2024**<br/>

+&ensp;Build: **101.23112.0009**<br/>

+&ensp;Release version: **30.123112.0009.0**<br/>

+&ensp;Engine version: **1.1.23110.4**<br/>

+&ensp;Signature version: **1.403.1579.0**<br/>

+**What's new**

+- Updated default engine version to `1.1.23110.4`, and default signatures version to `1.403.1579.0`.

+- General stability and performance improvements.

+- Bug fix for behavior monitoring configuration.

+- Bug fixes.

+</details>

+|Web Protection|Anti-phishing, blocking unsafe network connections, and support for custom indicators for URLs and domains. (File and IP indicators are not currently supported.)|

+- Commands to stop the agent (wdavdaemon) fail

+If you also require Defender Antivirus support logs (MpSupportFiles.cab), then fetch "..\Tools\MDELiveAnalyzerAV.ps1"

+> - The latest preview version of MDEClientAnalyzer can be downloaded here: <https://aka.ms/Betamdeanalyzer>.

+> - The LiveAnalyzer script downloads the troubleshooting package on the destination machine from: `https://mdatpclientanalyzer.blob.core.windows.net`.

+>

+>

+- [What is Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management)

+| `DistinguishedName` [*](#mdi-only) | string | The user's [distinguished name](/previous-versions/windows/desktop/ldap/distinguished-names) |

+ Title: Communicating with Microsoft Defender Experts

+description: Defender Experts for XDR has multiple channels to discuss incidents, managed response, and service support

+keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, Managed response in Teams, real-time visibility with XDR experts, ask defender experts

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+ - m365-security

+ - tier1

+ - essentials-overview

+search.appverid: met150

+# Communicating with experts in the Microsoft Defender Experts for XDR service

+**Applies to:**

+- [Microsoft Defender XDR](microsoft-365-defender.md)

+Microsoft Defender Experts for XDR provides you with multiple channels of communication to discuss incidents with our experts, ask them questions on demand, or get service readiness or operations support from your service delivery managers (SDMs).

+## Incident and managed response notifications

+When an incident requires your attention, such as the incidents our experts issue [managed response actions](start-using-mdex-xdr.md#managed-detection-and-response), you're notified through one or more of the following channels:

+### In-portal chat

+> [!NOTE]

+> The chat option is only available for incidents where we issued managed response.

+The **Chat** tab within the Microsoft Defender XDR portal provides you with a space to engage with our experts and further understand the incident, our investigation, and the required actions we provided. You could ask about a malicious executable, malicious attachment, information about activity groups, advanced hunting queries, or any other information that would assist you with the incident resolution.

+### Teams chat

+Apart from using the in-portal chat, you can also engage in real-time chat conversations with Defender Experts directly within Microsoft Teams. This capability provides you and your security operations center (SOC) team more flexibility when responding to incidents that require managed response. [Learn more about turning on notifications and chat on Teams](get-started-xdr.md#receive-managed-response-notifications-and-updates-in-microsoft-teams)

+Once you turn on chat on Teams, a new team named **Defender Experts team** is created and the Defender Experts Teams app is installed in it. Each incident that requires your attention is posted on this teamΓÇÖs **Managed response** channel as a new post. To engage with our experts (for example, ask follow-up questions about the investigation summary or actions published by Defender Experts), use the **Reply** text bar to mention or tag *@Defender Experts* and type your message.

+**Important reminders when using the Teams chat:**

+- Our experts have access to messages in **Defender Experts team** through the Defender Experts Teams app so you don't have to explicitly them to this team.

+- Our experts only see replies to existing posts created by Defender Experts regarding a managed response. If you create a new post, our experts won't be able to see it.

+- While Defender Experts might have access to all messages in any channel in **Defender Experts team**, tag or mention our experts by typing *@Defender Experts* in your replies, so they're notified to join the chat conversation.

+- DonΓÇÖt attach any attachments (for example, files for analysis) in the chat. For security reasons, Defender Experts won't be able to view the attachments. Instead, send them to appropriate submissions channels or provide links where they can be found in Microsoft Defender XDR portal.

+- Conversations in the Teams chat about an incident are also synchronized with the incidentΓÇÖs **Chat** tab in the Microsoft Defender XDR portal so that you can see messages and updates about an investigation wherever you go.

+### Email

+The Defender Experts for XDR service typically sends automated emails whenever a managed response with completed or pending actions is published in the Microsoft XDR portal, or when it needs to remind you about incidents awaiting your action.

+However, our experts could also send out emails to your identified notification contacts directly during any of the following situations:

+- When they require additional information or context to investigate an incident

+- When they detect a malicious or suspicious activity manually and outside of incidents or alerts in the Microsoft Defender XDR portal, and it requires a response action

+- When they reply to the requests or queries sent to them through email

+> [!IMPORTANT]

+> Remember to verify emails claiming to be from Defender Experts.

+### Phone call

+In break-glass scenarios or matters that require immediate attention (for example, malware on high-value infrastructure, ransomware, data exfiltration, insider threat, or other signs of a determined human adversary), our experts reach out to your identified **incident notification contacts** using the details you provided, including calling their listed phone numbers. [Learn more about adding contact persons or groups for incident notifications](get-started-xdr.md#tell-us-who-to-contact-for-important-matters)

+## Ask Defender Experts

+While the previous scenarios involve our experts initiating communication with you, you can also request advanced threat expertise on demand by selecting **Ask Defender Experts** directly inside the Microsoft Defender XDR portal. [Learn more](start-using-mdex-xdr.md#request-advanced-threat-expertise-on-demand)

+## Collaborating with your service delivery manager

+The service delivery manager (SDM) is responsible for managing the overall relationship for your organization with the Defender Experts for XDR service. They are your trusted advisor working along with XDR experts' team to help you protect your organization.

+The SDM provides the following

+- Service readiness support

+ - Educate customers about the end-to-end service experience, from signup to regular operations and escalation process.

+ - Help establish a service-ready security posture, including guidance on required controls and policy updates.

+- Service operations support

+ - Provide tailored service delivery content and reporting, including periodic business reviews.

+ - Serve as a single point of contact for feedback and escalations related to Defender Experts Service.

+The SDM engages with your identified **service review contacts**. [Learn more about adding contact persons or groups for service review and delivery](get-started-xdr.md#tell-us-who-to-contact-for-important-matters)

+### See also

+- [Get started with Microsoft Defender Experts for XDR](get-started-xdr.md)

+- [Start using Defender Experts for XDR service](start-using-mdex-xdr.md)

+The following section lists down questions your SOC team might have regarding the receipt of [incident notifications](start-using-mdex-xdr.md#incident-updates).

+| **What actions are in scope for managed response?** | All actions found below are in scope for managed response for any device and user that isn't excluded.<br><br>*For devices* *(Available now)*<ul><li>Isolate machine<br><li>Release machine from isolation<br><li>Run antivirus scan<br><li>Stop and quarantine file<br><li>Restrict app execution<br><li>Remove app restriction</ul><br>*For users (Coming soon)*<ul><li>Force password reset<br><li>Disable user<br><li>Enable user<br><li>Soft delete emails </ul><br> |

+Apart from email and [in-portal chat](communicate-defender-experts-xdr.md#in-portal-chat), you also have to option to use Microsoft Teams to receive updates about managed responses and communicate with our experts in real time. When this setting is turned on, a new team named **Defender Experts team** is created, where managed response notifications related to ongoing incidents are sent as new posts in the **Managed response** channel. [Learn more about using Teams chat](communicate-defender-experts-xdr.md#teams-chat)

+Once our experts begin to perform comprehensive response work on your behalf, youΓÇÖll start receiving [notifications about incidents](../defender/start-using-mdex-xdr.md#incident-updates) that require remediation steps and targeted recommendations on critical incidents. You can also chat with our experts or your SDMs regarding important queries and regular business and security posture reviews, and [view real-time reports](../defender/start-using-mdex-xdr.md#understand-the-defender-experts-for-xdr-report) on the number of incidents weΓÇÖve investigated and resolved on your behalf.

+ - [Search across long time spans in large datasets](/azure/sentinel/search-jobs)

+Microsoft Defender XDR is one of the [Microsoft plugins](/security-copilot/manage-plugins#microsoft-plugins) that enable the Security Copilot platform to generate accurate and relevant information. Through the Microsoft Defender XDR plugin, the Security Copilot portal can provide more context to incidents and generate more accurate results. The key features mentioned in this article are capabilities that are also available in the Security Copilot portal.

+- Names of [threat actors](/microsoft-365/security/intelligence/microsoft-threat-actor-naming) involved.

+- [Security Copilot Early Access Program FAQs](/security-copilot/faq-security-copilot)

+- [Get started with Security Copilot](/security-copilot/get-started-security-copilot)

+- [Learn about other Security Copilot embedded experiences](/security-copilot/experiences-security-copilot)

+keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, Managed response in Teams, real-time visibility with XDR experts, threat hunting and analysis, incidents by category, impacted assets

+### Incident updates

+Otherwise, if an incident is classified as _True Positive_, our experts then identify the required response actions that need to be performed. The method in which the actions are performed depends on the permissions and access levels you have given the Defender Experts for XDR service. [Learn more about granting permissions to our experts](get-started-xdr.md#grant-permissions-to-our-experts).

+- If you have granted Defender Experts for XDR the recommended Security Operator access permissions, our experts could perform the required response actions on the incident on your behalf. These actions, along with an **Investigation summary**, show up in the incident's [Managed response](#how-to-use-managed-response-in-microsoft-365-defender) flyout panel in your Microsoft Defender portal for you or your SOC team to review. All actions that are completed by Defender Experts for XDR appear under the **Completed actions** section. Any pending actions that require you or you SOC team to complete are listed under the **Pending actions** section. For more information, see the [Actions](#actions) section. Once our experts have taken all the necessary actions on the incident, its **Status** field is then updated to _Resolved_ and the **Assigned to** field is updated to _Unassigned_.

+- If you have granted Defender Experts for XDR the default Security Reader access, then the required response actions, along with an **Investigation summary**, show up in the incident's **Managed response** flyout panel under the **Pending actions** section in your Microsoft Defender portal for you or your SOC team to perform. For more information, see the [Actions](#actions) section. To identify this handover, the incident's **Status** field is updated to _Awaiting Customer Action_ and the **Assigned to** field is updated to _Customer_.

+You can check the number of incidents that require your action in the Defender Experts banner at the top of the Microsoft Defender homepage.

+The **Investigation summary** section provides you with more context about the incident analyzed by our experts to provide you with visibility about its severity and potential impact if not addressed immediately. It could include the device timeline, indicators of attack, and indicators of compromise (IOCs) observed, and other details.

+The **Actions** tab displays task cards that contain response actions recommended by our experts.

+|[Restrict app execution](/microsoft-365/security/defender-endpoint/respond-machine-alerts##restrict-app-execution)| Restricts the execution of potentially malicious programs and locks down the device to prevent further attempts.|

+|[Release from isolation](/microsoft-365/security/defender-endpoint/respond-machine-alerts#isolate-devices-from-the-network)| Undoes isolation of a device.|

+|[Remove app restriction](/microsoft-365/security/defender-endpoint/respond-machine-alerts#restrict-app-execution)| Undoes release from isolation.|

+1. Select the arrow buttons in an action card to expand it and read more information about the required action.

+ :::image type="content" source="../../media/xdr/action-card-1.png" alt-text="Screenshot of managed response action to isolate the device prod server." lightbox="../../media/xdr/action-card-1.png":::

+2. For cards with one-click response actions, select the required action. The **Action status** in the card changes to **In progress**, then to **Failed** or **Completed**, depending on the action's outcome.

+ :::image type="content" source="../../media/xdr/action-card-2.png" alt-text="Screenshot of managed response action showing in-progress to isolate the device prod server." lightbox="../../media/xdr/action-card-2.png":::

+ > [!TIP]

+ > You can also monitor the status of in-portal response actions in the [Action center](m365d-action-center.md). If a response action fails, try doing it again from the **View device details** page or [initiate a chat](communicate-defender-experts-xdr.md#in-portal-chat) with Defender Experts.

+3. For cards with required actions that you need to perform manually, select **I've completed this action** once you've performed them, then select **Yes, I've done it** in the confirmation dialog box that appears.

+ :::image type="content" source="../../media/xdr/ive-completed-this-action.png" alt-text="Screenshot of managed response action to confirm action completion." lightbox="../../media/xdr/ive-completed-this-action.png":::

+4. If you don't want to complete a required action right away, select **Skip**, then select **Yes, skip this action** in the confirmation dialog box that appears.

+>

+>If you notice that any of the buttons on the action cards are grayed out, it could indicate that you don't have the necessary permissions to perform the action. Make sure that you're signed into the Microsoft Defender XDR portal with the appropriate permissions. Most managed response actions require that you have at least the Security Operator access.

+>

+>If you still encounter this issue even with the appropriate permissions, navigate to **View device details** and complete the steps from there.

+> The status of incidents investigated by Defender Experts in Microsoft Defender XDR typically transitions from _Active_ to _In progress_ to _Awaiting Customer Action_ to _Resolved_, while in Sentinel, it follows the _New_ to _Active_ to _Resolved_ path. The Microsoft Defender XDR Status _**Awaiting Customer Action**_ doesn't have an equivalent field in Sentinel; instead, it's displayed as a tag in an incident in Sentinel.

+The **Average time to resolve incidents** section displays a bar chart of the average time, in minutes, our experts spent investigating and closing incidents in your environment and the average time you spent performing the required managed response actions.

+The **Incidents by severity**, **Incidents by category**, and **Incidents by service source** sections break down resolved incidents by severity, attack technique, and Microsoft security service source, respectively. These sections let you identify potential attack entry points and types of threats detected in your environment, assess their impact, and develop strategies to mitigate and prevent them. Select **View incidents** to get a filtered view of the incident queue based on the selections you made in each of the two sections.

+The **Most impacted assets** section shows the users and devices in your environment that were involved in the most number of incidents during your selected date range. You can see the volume of incidents each asset was involved in. Select an asset to get a filtered view of the incident queue based on the incidents that included the said asset.

+Select **Ask Defender Experts** directly inside the Microsoft Defender XDR portal to get swift and accurate responses to all your threat questions. Experts can provide insights to better understand the complex threats your organization might face. Consult an expert to:

+>

+|Configuration scenario|Description|

+|Account setup configuration|Used with managed devices that have been enrolled in a unified endpoint management (UEM) solution. Any UEM provider is supported. Outlook for iOS/iPadOS and Android offers administrators the ability to "push" account configurations to their Office 365 and on-premises users leveraging hybrid Modern Authentication users. For more information on account setup configuration, see [Account setup with modern authentication in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/setup-with-modern-authentication#account-setup-configuration-via-enterprise-mobility-management).|

+|Organization allowed accounts mode|Used with managed devices that have been enrolled in a unified endpoint management (UEM) solution. Any UEM provider is supported. Examples may include only allowing work or school accounts. Outlook for iOS/iPadOS and Android offers administrators the ability to restrict email and storage provider accounts to only corporate accounts. For more information on organization allowed accounts mode, see [Account setup with modern authentication in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/setup-with-modern-authentication#organization-allowed-accounts-mode).|

+|General app configuration settings|Outlook for iOS/iPadOS and Android offers administrators the ability to customize the default configuration for several in-app settings. This capability is offered for both enrolled devices via any UEM provider and for devices that aren't enrolled when Outlook for iOS/iPadOS and Android has an Intune App Protection Policy applied.<p>If an App Protection Policy is targeted to the users, the recommendation is to deploy the general app configuration settings in a **Managed Apps** device enrollment model. This deployment ensures the App Configuration Policy is deployed to both enrolled devices and unenrolled devices.|

+|S/MIME settings|On enrolled devices, Outlook for iOS/iPadOS and Android supports automated certificate delivery. Outlook for iOS/iPadOS and Android also supports app configuration settings that enable or disable S/MIME in the app, as well as the user's ability to change the setting. For more information on how to deploy these settings via Microsoft Endpoint Manager, see [S/MIME overview to sign and encrypt email in Intune](/mem/intune/protect/certificates-s-mime-encryption-sign). For more information on the configuration keys, see [Configuration settings](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune).|

+|Data protection settings|Outlook for iOS/iPadOS and Android supports app configuration policies for the following data protection settings when the app is managed by Microsoft Endpoint Manager with an Intune App Protection Policy applied:<ul><li>Managing the use of wearable technology</li><li>Managing sensitive data in mail and calendar reminder notifications</li><li>Managing the contact fields synchronized to the native contacts app</li><li>Managing calendar sync availability</li><li>Managing add-ins availability</li><li><p>These settings can be deployed to the app regardless of device enrollment status. For more information on the configuration keys, see [Configuration settings](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune).|

+You can configure account configuration setting for Microsoft Outlook on iOS/iPadOS and Android devices using Intune or other Unified Endpoint Management (UEM) providers. Once account setup configuration has been created as an App Configuration Policy in Intune (or other UEM provider) and the user enrolls their device, Outlook for iOS/iPadOS and Android will detect the related account and will then prompt the user to sign-in to the account. The only information the user needs to enter to complete the setup process is their password. Then, the user's mailbox content loads and the user can begin using the app. This process ensures that every device user successfully sets up Outlook.

+When creating an App Configuration Policy in Intune, you can set up account configuration options for devices by specifically setting a key and value in the policy and assigning the policy to members of your organization.

+Outlook for iOS/iPadOS and Android on corporate-managed devices can be configured to only allow a single, corporate account to be provisioned within Outlook for iOS/iPadOS and Android. This capability is supported with Microsoft 365 and Office 365 accounts or on-premises accounts using hybrid modern authentication, however, only a single corporate account can be added to Outlook for iOS/iPadOS and Android. Similar to account setup configuration, you can configure organization allowed accounts mode settings for Microsoft Outlook on iOS/iPadOS and Android devices using Intune or other Unified Endpoint Management (UEM) providers. Once account setup configuration has been created as an App Configuration Policy in Intune (or other UEM provider), you have assigned the policy, and the user enrolls their device, Outlook for iOS/iPadOS and Android will detect the related account and will then prompt the user to sign-in to the account.

+When you create an app configuration policy to be applied to a managed device in Intune, you specifically choose **Managed devices**. Managed devices are those devices that are managed by Intune or other unified endpoint management provider. The app, in this case Microsoft Outlook, must be pinned to the management profile on iOS/iPadOS or deployed through Managed Google Play on Android devices.

+|General app configuration setting|Description|

+|Focused Inbox|Focused Inbox separates your inbox into two tabsΓÇöFocused and Other. Your most important emails are on the Focused tab while the rest remains easily accessibleΓÇöbut out of the wayΓÇöon the Other tab. When set as not configured, the default app setting is set to On.|

+|Require Biometrics to Access App|Biometrics, such as TouchID or FaceID, can be required for users to access the app on their device. When required, biometrics are used in addition to the authentication method selected in this profile. This setting shouldn't be enabled when Intune App Protection Policies are deployed, as the app protection policy includes access requirements prior to accessing managed data. Enabling both will result in multiple access prompts to access Outlook mobile. When set as not configured, the default app setting is set to off. If you configure this setting, you can choose to use the **Allow user to change setting** option.|

+|Save Contacts|Saving contacts to the mobile deviceΓÇÖs native address book allows new calls and text messages to be linked with the userΓÇÖs existing Outlook contacts. When set as not configured, the default app setting is set to off. If you configure this setting, you can choose to use the **Allow user to change setting** option.|

+|External Recipients MailTip|The External Recipients MailTip is displayed if the sender adds a recipient that's external or adds a distribution group that contains external recipients. This MailTip informs senders if a message they're composing will leave the organization, helping them make the correct decisions about wording, tone, and content. Available only for Exchange Online accounts and on-premises accounts leveraging hybrid modern authentication. When set as not configured, the default app setting is set to On.|

+|Block External Images|When block external images is enabled, the app prevents the download of images hosted on the Internet that are embedded in the message body. When set as not configured, the default app setting is set to Off. If you configure this setting, you can choose to the **Allow user to change setting** option.|

+|Default App Signature|Default app signature indicates whether the app uses ΓÇ£Get Outlook for iOSΓÇ¥ as the default signature during message composition. If the setting is configured as Off, the default signature won't be used; however, users can add their own signature. When set as Not Configured, the default app setting is set to On.|

+|Suggested Replies|When you open a message, Outlook might suggest replies below the message. If you select a suggested reply, you can edit the reply before sending it. When set as not configured, the default app setting is set to On. If you configure this setting, you can choose to the **Allow user to change setting** option.|

+|Organize mail by thread|The default behavior in Outlook is to bundle mail conversations into a threaded conversation view. If this setting is disabled Outlook displays each mail individually and won't group them by thread.|

+|Discover Feed|Discover Feed surfaces your most frequently accessed Office files. By default, this feed is enabled when Delve is enabled for the user. When set as not configured, the default app setting is set to On.|

+|Play My Emails|The Play My Emails feature isn't enabled by default in the app, but it's promoted to eligible users via a banner in the inbox. When set to Off, this feature won't be promoted to eligible users in the app. Users can choose to manually enable Play My Emails from within the app, even when this feature is set to Off. When set as Not configured, the default app setting is On and the feature will be promoted to eligible users.|

+|Sync Calendars|By default, an App Protection Policy allows for calendar synchronization to the native Calendar app but can be used to block calendar sync availability with the "Sync policy managed app data with native apps or add-in" setting. Configuring this setting to "Off" will block calendar synchronization when the App Protection Policy setting is set to Allowed. If you configure this setting, you can choose to use the **Allow user to change setting** option.|

+|Text Predictions|Outlook can suggest words and phrases as you compose messages. When Outlook offers a suggestion, swipe to accept it. When set as not configured, the default app setting is set to On. If you configure this setting, you can choose to use the **Allow user to change setting** option.|

+|Data Protection configuration setting|Description|

+|Org Data on Wearables|This value specifies if Outlook data can be synchronized to a wearable device. Setting the value to No disables wearable synchronization.|

+|Calendar Notifications|Allow calendar notifications to display full details when the App Protection Policy setting "Org data notifications" is set to "Block Org Data".|

+|Allow Add-ins|By default, an App Protection Policy allows users to utilize third-party add-ins but can be used to block add-ins with the "Sync policy managed app data with native apps or add-ins" setting. Configuring this setting to "Off" will block add-ins when the App Protection Policy setting is set to Allowed.|

+|Allow Calendar Sync|By default, an App Protection Policy allows for calendar synchronization to the native Calendar app, but can be used to block calendar sync availability. This setting operates independent of the App Protection Policy setting and enables organizations to define whether calendar sync is available for the work or school account.|

+|Sync contact fields to native contacts app configuration settings|Description|

+|Address|This value specifies if the contact's address should be synchronized to native contacts.|

+|Birthday|This value specifies if the contact's birthday should be synchronized to native contacts.|

+|Company|This value specifies if the contact's company name should be synchronized to native contacts.|

+|Department|This value specifies if the contact's department should be synchronized to native contacts.|

+|Email Address|This value specifies if the contact's email address should be synchronized to native contacts.|

+|Instant Messaging Address|This value specifies if the contact's instant messaging address should be synchronized to native contacts.|

+|Job Title|This value specifies if the contact's job title should be synchronized to native contacts.|

+|Name Prefix|This value specifies if the contact's name prefix should be synchronized to native contacts.|

+|Name Suffix|This value specifies if the contact's name suffix should be synchronized to native contacts.|

+|Nickname|This value specifies if the contact's nickname should be synchronized to native contacts.|

+|Notes|This value specifies if the contact's notes should be synchronized to native contacts.|

+|Phone Home Number|This value specifies if the contact's home phone number should be synchronized to native contacts.|

+|Phone Home Fax Number|This value specifies if the contact's home fax number should be synchronized to native contacts.|

+|Phone Mobile Number|This value specifies if the contact's mobile phone number should be synchronized to native contacts.|

+|Phone Other Number|This value specifies if the contact's other phone number should be synchronized to native contacts.|

+|Phone Pager Number|This value specifies if the contact's pager phone number should be synchronized to native contacts.|

+|Phone Work Number|This value specifies if the work phone number should be synchronized to native contacts.|

+|Phone Work Fax Number|This value specifies if the contact's work fax number should be synchronized to native contacts.|

+For more information about Microsoft Tunnel for MAM, see [Microsoft Tunnel for Mobile Application Management](/mem/intune/protect/microsoft-tunnel-mam).

+Secure Multipurpose Internet Mail Extensions (S/MIME) is a specification that allows users to send and receive digitally signed and encrypted emails. You can use an app configuration policy in Intune to configure your S/MIME settings for Outlook on iOS/iPadOS devices or Android devices. You can enable Outlook S/MIME settings to always sign and/or always encrypt on iOS/iPadOS and Android devices when using the **Managed apps** configuration option.

+S/MIME settings for Outlook can be configured by selecting the available options in an app configuration policy, or by using specific keys and values. When you select the options within the app configuration policy, you can choose from standard options.

+|Outlook S/MIME settings|Description|

+|Enable S/MIME|Specify whether or not S/MIME controls are enabled when composing an email. If you configure this setting, you can choose to use the **Allow user to change setting** option.|

+|Encrypt all emails|Specify whether all emails must be encrypted. Encrypting converts data to cipher text so that only the intended recipient can read it. If you configure this setting, you can choose to use the **Allow user to change setting** option.|

+|Sign all emails|Specify whether all emails must be signed. A digital signature verifies the authenticity of the email and ensures that the contents aren't tampered with in transit. If you configure this setting, you can choose to use the **Allow user to change setting** option.|

+|LDAP URL|This is the LDAP hostname where clients can get the public encryption keys for email recipients. Emails are encrypted when a key is available.|

+The energy industry provides society with fuel and critical infrastructure that people rely on every day. In order to ensure the reliability of infrastructure related to bulk power systems, regulatory authorities impose strict standards on energy industry organizations. These regulatory standards relate not only to the generation and transmission of power, but also to the data and communications that are critical to the day-to-day operations of energy companies.

+Organizations in the energy industry work with and exchange many types of information as part of their regular operations. This information includes customer data, capital engineering design documentation, resource location maps, project management artifacts, performance metrics, field service reports, environmental data, and performance metrics. As these organizations look to transform their operations and collaboration systems into modern digital platforms, they're looking to Microsoft as a trusted Cloud Service Provider (CSP) and Microsoft 365 as their best-of-breed collaboration platform. Since Microsoft 365 is built on the Microsoft Azure platform, organizations should examine both platforms as they consider their compliance and security controls when moving to the Cloud.

+In North America, the North America Electric Reliability Corporation (NERC) enforces reliability standards that are referred to as NERC [Critical Infrastructure Protection (CIP) standards](https://nercstg.nerc.com/pa/Stand/Pages/CIPStandards.aspx). NERC is subject to oversight by the U.S. Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. All bulk power system owners, operators, and users must register with NERC and must comply with NERC CIP standards. Cloud Service Providers and third-party vendors such as Microsoft aren't subject to NERC CIP standards. However, the CIP standards include objectives that should be considered when Registered Entities use vendors in the operation of the Bulk Electric System (BES). Microsoft customers operating Bulk Electric Systems are wholly responsible for ensuring their own compliance with NERC CIP standards.

+- Microsoft Office 365 and Office 365 U.S. Government have each been granted a FedRAMP ATO (Authorization to Operate) at the Moderate Impact Level.

+- Azure and Azure Government have each been granted a FedRAMP High P-ATO (Provisional Authorization to Operate), which represents the highest level of FedRAMP authorization.

+Microsoft 365 is a modern workplace cloud environment. It provides secure and flexible collaboration across the enterprise, including controls and policy enforcement to adhere to the most stringent regulatory compliance frameworks. Through the following articles, this paper explores how Microsoft 365 helps the energy industry move to a modern collaboration platform while helping to keep data and systems both secure and compliant with regulations:

+Collaboration typically requires multiple forms of communication, the ability to store and access documents, and the ability to integrate other applications as needed. Whether they're global enterprises or local companies, employees in the energy sector typically need to collaborate and communicate with members of other departments or across teams. They also often need to communicate with external partners, vendors, or clients. As a result, using systems that create silos or make it difficult to share information is typically not recommended. That said, we still want to ensure that employees are sharing information securely and according to policy.

+Providing employees with a modern and cloud-based collaboration platform that allows them to choose and easily integrate the tools that make them most productive empowers them to find the best ways to work and collaborate. Using Microsoft Teams, together with security controls and governance policies to protect the organization, can help your workforce to easily collaborate in the cloud.

+Microsoft Teams provides a collaboration hub for your organization to bring people together to work and collaborate together on common initiatives or projects. It allows team members to conduct conversations, collaborate, and coauthor documents. It enables people to store and share files with team members or those outside the team. It also allows them to hold live meetings with integrated enterprise voice and video. Microsoft Teams can be customized with easy access to Microsoft apps such as Planner, Dynamics 365, Power BI, and other third-party line-of-business applications. Teams simplifies access to Office 365 services and third-party apps to centralize collaboration and communication needs for the organization.

+Every Microsoft Team is backed by an Office 365 Group. An Office 365 Group is considered the membership provider for Office 365 services, including Microsoft Teams. Office 365 Groups are used to securely control which users are considered members and which are owners of the group. This design allows us to easily control which users have access to varying capabilities within Teams. As a result, Team members and owners can only access the capabilities that they're permitted to utilize.

+A common scenario where Microsoft Teams can benefit energy organizations is collaborating with contractors or external firms as part of a field service program, such as vegetation management. Contractors are typically engaged to manage vegetation or remove trees around power system installations. They often need to receive work instructions, communicate with dispatchers and other field service personnel, take and share pictures of external surroundings, sign out when work is complete, and share data back with head office. Traditionally, these programs are run using phone, text, paper work orders, or custom applications. This method can present many challenges. For example:

+- Communications aren't all captured in one place

+- Work might not be performed consistently or efficiently

+- Custom applications aren't integrated with collaboration tools, making it difficult to extract and share data or measure performance

+Microsoft Teams can provide an easy-to-use collaboration space to securely share information and conduct conversations between team members and external field service contractors. Teams can be used to conduct meetings, place voice calls, centrally store and share work orders, collect field data, upload photos, integrate with business process solutions (built with Power Apps and Power Automate), and integrate line-of-business apps. This type of field service data might be considered low impact; however, efficiencies can be gained by centralizing communications and access data between employees and field service personnel in these scenarios.

+Another example where Microsoft Teams can benefit the energy industry is when field service personnel are working to restore service during an outage. Field staff often requires fast access to schematic data for substations, generating stations, or blue prints for assets in the field. This data is considered high impact and must be protected according to NERC CIP regulations. Field service work during outages requires communication between field staff and office employees, and in turn with end customers. Centralizing communications and data sharing in Microsoft Teams provides field staff with an easy method to both access critical data and communicate information or status back to head office.

+For example, Microsoft Teams enables field staff to join conference calls while on route to an outage. Field staff can also take photos or video of their environment and share those with head office, which is particularly important when field equipment doesn't match schematics. Data and status collected from the field can then be surfaced to office employees and leadership through data visualization tools such as Power BI. Ultimately, Microsoft Teams can make field staff more efficient and productive in these critical situations.

+**Office 365 Group Naming Policies** help ensure that Office 365 Groups, and therefore Microsoft Teams, are named according to corporate policy. The name of a Team can present challenges if not named appropriately. For example, employees might not know which teams to work or share information within if they're incorrectly named. Group naming policies help enforce good hygiene and might also prevent use of specific words, such as reserved words or inappropriate terminology.

+**Office 365 Group Expiration Policies** help to ensure that Office 365 Groups, and therefore Microsoft Teams, aren't retained for longer periods of time than required by the organization. This capability helps to prevent two key information management issues:

+- The proliferation of Microsoft Teams that aren't necessary or used

+Administrators can specify an expiration period in days for Office 365 Groups (such as 90, 180 or 365 days). If a service backed by an Office 365 group is inactive for the expiration period, group owners are notified. If no action is taken, then the Office 365 Group and all its related services including Microsoft Teams are deleted.

+As mentioned, Microsoft Office 365 and Office 365 U.S. Government have each achieved FedRAMP ATO at the Moderate Impact Level. Azure and Azure Government have achieved a FedRAMP High P-ATO which represents the highest level of FedRAMP authorization. Additionally, the FedRAMP moderate control set encompasses all of the NERC CIP requirements, thereby allowing energy industry organizations ("registered entities") to leverage existing FedRAMP authorizations as a scalable and efficient approach to addressing NERC audit requirements. However, it's important to note that FedRAMP isn't a point-in-time certification but an assessment and authorization program that includes provisions for [continuous monitoring](https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Strategy_Guide.pdf). Although this provision applies primarily to the CSP, Microsoft customers operating Bulk Electric Systems are responsible for ensuring their own compliance with NERC CIP standards. It's generally a recommended practice to continuously monitor the organization's compliance posture to help ensure ongoing compliance with regulations.

+- **Microsoft Purview Compliance Manager** helps the organization understand its current compliance posture and the actions it can take to help improve that posture. Compliance Manager calculates a risk-based score measuring progress in completing actions that help reduce risks around data protection and regulatory standards. Compliance Manager provides an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that include common industry regulations and standards. While this score is a good starting point, Compliance Manager becomes more powerful once an organization adds assessments that are more relevant to their industry. Compliance Manager supports a number of regulatory standards that are relevant for NERC CIP compliance obligations, including the [FedRAMP Moderate Control Set](https://www.fedramp.gov/documents/), [NIST 800-53 Rev. 4](https://go.microsoft.com/fwlink/?linkid=2109075), and [AICPA SOC 2](https://go.microsoft.com/fwlink/?linkid=2115184). Energy industry organizations might also create or import custom control sets if needed.

+By automating aspects of regulatory compliance processes through the use of Compliance Manager, organizations can reduce the administrative burden on legal and compliance functions. This tooling can help address these challenges by providing more up-to-date information on remediation actions, more consistent reporting, and documented ownership of actions (linked to the implementation of actions). Organizations can automatically track remediation actions over time and see overall efficiency gains. This feature enables staff to focus more effort on gaining insights and developing strategies to help navigate risk more effectively.

+Compliance Manager doesn't express an absolute measure of organizational compliance with any particular standard or regulation. It expresses the extent to which you have adopted controls which can reduce the risks to personal data and individual privacy. Recommendations from Compliance Manager shouldn't be interpreted as a guarantee of compliance. The customer actions provided in Compliance Manager are recommendations. It's up to each organization to evaluate the effectiveness of these recommendations to meet their regulatory obligations prior to implementation. Recommendations found in Compliance Manager shouldn't be interpreted as a guarantee of compliance.

+Many cyber security-related controls are included in the [FedRAMP Moderate Control Set](https://www.fedramp.gov/documents/) and [NERC CIP standards](https://nercstg.nerc.com/pa/Stand/Pages/CIPStandards.aspx). However, key controls related to the Microsoft 365 platform include security management controls (CIP-003-6), account and access management/access revocation (CIP-004-6), electronic security perimeter (CIP-005-5), security event monitoring, and incident response (CIP-008-5). The following foundational Microsoft 365 capabilities help to address the risks and requirements included in these articles.

+Protecting access to documents and applications begins with strongly securing user identities. As a foundation, this action requires providing a secure platform for the enterprise to store and manage identities and providing a trusted means of authentication. It also requires dynamically controlling access to these applications. As employees work, they might move from application to application or across multiple locations and devices. As a result, access to data must be authenticated at each step of the way. In addition, the authentication process must support a strong protocol and multiple factors of authentication (one-time SMS pass code, authenticator app, certificate, etc.) to ensure that identities haven't been compromised. Finally, enforcing risk-based access policies are a key recommendation to protecting data and applications from insider threats, inadvertent data leaks, and data exfiltration.

+**Microsoft Entra multifactor authentication (MFA)** is built into the platform and provides an additional layer of protection to help ensure users are who they say they are when accessing sensitive data and applications. Microsoft Entra multifactor authentication requires at least two forms of authentication, such as a password and a known mobile device. It supports several second factor authentication options, including: the Microsoft Authenticator app, a one-time passcode delivered via SMS, receiving a phone call where a user must enter a PIN, and smart cards or certificate-based authentication. In the event a password is compromised, a potential hacker still needs the user's phone to gain access to organizational data. In addition, Microsoft 365 uses Modern Authentication as a key protocol, bringing the same strong authentication experience from web browsers to collaboration tools, including Microsoft Outlook and Microsoft Office apps.

+**Microsoft Entra Conditional Access** provides a robust solution for automating access control decisions and enforcing policies to protect company assets. A common example is when an employee tries to access an application containing sensitive customer data and they're automatically required to perform a multifactor authentication. Azure Conditional Access brings together signals from a user's access request (such as properties about the user, their device, location, network, and the app or repository they're trying to access). It dynamically evaluates every attempt to access the application against policies you configure. If the user or device risk is elevated, or if other conditions aren't met, Microsoft Entra ID automatically enforces policy (such as dynamically requiring MFA, restricting, or even blocking access). This design helps ensure that sensitive assets are protected in dynamically changing environments.

+**Microsoft Defender for Office 365** provides an integrated service to protect organizations from malicious links and malware delivered through email. One of the most common attack vectors affecting users today is email phishing attacks. These attacks can be carefully targeted at specific high-profile employees and can be crafted to be very convincing. They typically contain some call to action requiring a user to select a malicious link or open an attachment with malware. Once infected, an attacker can steal a user's credentials and move laterally across the organization. They can also exfiltrate emails and data looking for sensitive information. Microsoft Defender for Office 365 evaluates links at click-time for potentially malicious sites and blocks them. Email attachments are opened in a protected sandbox prior to delivering them to a user's mailbox.

+**Microsoft Defender for Cloud Apps** provides organizations with the ability enforce policies at a granular level. This design includes detecting behavioral anomalies based on individual user profiles that are automatically defined using Machine Learning. Defender for Cloud Apps builds on Azure Conditional Access policies by evaluating additional signals related to user behavior and properties of the documents being accessed. Over time, Defender for Cloud Apps learns the typical behavior for each employee (the data they access and the applications they use). Based on learned behavioral patterns, policies can automatically enforce security controls if an employee goes outside of that behavioral profile. For example, if an employee typically accesses an accounting app from 9:00 a.m. to 5:00 p.m., Monday to Friday, but that same user begins to access that application heavily on a Sunday evening, Defender for Cloud Apps can dynamically enforce policies to require the user to re-authenticate. This requirement helps ensure that credentials haven't been compromised. In addition, Defender for Cloud Apps can help discover and identify Shadow IT in the organization. This feature helps InfoSec teams ensure that employees use sanctioned tools when working with sensitive data. Finally, Defender for Cloud Apps can protect sensitive data anywhere in the Cloud, even outside of the Microsoft 365 platform. It allows organizations to sanction (or unsanction) specific external Cloud apps, controlling access and monitoring when users work in those applications.

+**Microsoft Entra ID**, and the related Microsoft 365 security services, provide the foundation upon which a modern cloud collaboration platform can be rolled out to energy industry organizations. Microsoft Entra ID includes controls to protect access to data and applications. In addition to providing strong security, these controls help organizations meet regulatory compliance obligations.

+The FedRAMP Moderate Control Set and NERC CIP standards also include information protection as a key control requirement (CIP-011-2). These requirements specifically address the need to identify information related to BES (Bulk Electric System) Cyber System Information and the protection and secure handling of that information (including storage, transit, and use). Specific examples of BES Cyber System Information can include security procedures or security information about systems that are fundamental to operating the bulk electric system (BES Cyber Systems, Physical Access Control Systems, and Electronic Access Control or monitoring systems) that isn't publicly available and could be used to allow unauthorized access or unauthorized distribution. However, the same need exists to identify and protect customer information that is critical to the day-to-day operations of energy organizations.

+- **Microsoft Purview Data Loss Prevention (DLP)** for automated identification of sensitive data using sensitive data types (that is, regular expressions) and keywords, and policy enforcement

+**Microsoft Purview Information Protection** allows employees to classify documents and emails with sensitivity labels. Sensitivity labels can be applied manually by users to documents within the Microsoft Office apps and to emails within Microsoft Outlook. Sensitivity labels can automatically apply document markings, protection through encryption, and enforce rights management. Sensitivity labels can also be applied automatically by configuring policies that use keywords and sensitive data types (credit card numbers, social security numbers, identity numbers, etc.).

+Microsoft also provides trainable classifiers. These use machine learning models to identify sensitive data based on what the content is, as opposed to simply through pattern matching or by the elements within the content. A classifier learns how to identify a type of content by looking at many examples of the content to be classified. Training a classifier begins by providing it with examples of content within a particular category. Once it processes the examples, the model is tested by providing it with a mix of both matching and non-matching examples. The classifier then predicts whether a given example falls into the category or not. A person then confirms the results, sorting the positives, negatives, false positives, and false negatives to help increase the accuracy of the classifier's predictions. When the trained classifier is published, it processes and automatically classifies content in SharePoint Online, Exchange Online, and OneDrive.

+Applying sensitivity labels to documents and emails embeds metadata within the object that identifies the chosen sensitivity, thereby allowing the sensitivity to travel with the data. As a result, even if a labeled document is stored on a user's desktop or within an on-premises system, it's still protected. This design enables other Microsoft 365 solutions, such as Microsoft Defender for Cloud Apps or network edge devices, to identify sensitive data and automatically enforce security controls. Sensitivity labels have the added benefit of educating employees about which data within an organization is considered sensitive and how to handle that data.

+**Microsoft Purview Data Loss Prevention (DLP)** automatically identifies documents, emails, and conversations that contain sensitive data by scanning these items for sensitive data types, and then enforcing policies on those objects. Policies are enforced on documents within SharePoint and OneDrive for Business. Policies are also enforced when users send email and in Microsoft Teams within chat and channel conversations. Policies can be configured to look for keywords, sensitive data types, retention labels, and whether data is shared within the organization or externally. Controls are provided to help organizations fine-tune DLP policies to better avoid false positives. When sensitive data is found, customizable policy tips can be displayed to users within Microsoft 365 applications. Policy tips inform users that their content contains sensitive data and can propose corrective actions. Policies can also prevent users from accessing documents, sharing documents, or sending emails that contain certain types of sensitive data. Microsoft 365 supports over 100 built-in sensitive data types. Organizations can configure custom sensitive data types to meet their policies.

+Regulations require many organizations to manage the retention of key organizational documents according to a managed corporate retention schedule. Organizations face regulatory compliance risks if data is under-retained (deleted too early), or legal risks if data is over-retained (kept too long). Effective records management strategies help ensure that organization documents are retained according to predetermined retention periods which are designed to minimize risk to the organization. Retention periods are prescribed in a centrally managed organizational record retention schedule. Retention periods are based on the nature of each type of document, the regulatory compliance requirements for retaining specific types of data, and the defined policies of the organization.

+Assigning record retention periods accurately across organizational documents might require a granular process which assigns retention periods uniquely to individual documents. Applying record retention policies at scale can be challenging for many reasons. These reasons include the vast number of documents within energy industry organizations together with the fact that, in many cases, retention periods can be triggered by organizational events (such as contracts expiring or an employee leaving the organization).

+- If the document or email is a record (meaning it can't be edited or deleted)

+Retention labels are then published to SharePoint or OneDrive sites, Exchange mailboxes, and Office 365 Groups. Users can then apply retention labels manually to documents and emails. Or, record managers can use rules to automatically apply retention labels. Auto-apply rules can be based on keywords or sensitive data found within documents or emails, such as credit card numbers, social security numbers, or other personally identifiable information (PII). Auto-apply rules can also be based on SharePoint metadata.

+The FedRAMP Moderate Control Set and NERC CIP standards also include Asset Reuse and Disposal as a key control requirement (CIP-011-2). These requirements once again specifically address BES (Bulk Electric System) Cyber System Information. However, other jurisdictional regulations require energy industry organizations to manage and dispose of records effectively for many types of information. This information includes financial statements, capital project information, budgets, customer data, etc. In all cases, energy organizations are required to maintain robust records management programs and evidence related to the defensible disposition of corporate records.

+With each retention label, Microsoft 365 allows record managers to determine if a disposition review is required. Then when those record types come up for disposition, after their retention period has expired, a review must be conducted by the designated disposition reviewers before content is deleted. Once the disposition review is approved, content deletion proceeds. However, evidence of the deletion (the user that performed the deletion and date/time in which it occurred) is still retained for multiple years as a certificate of destruction. If organizations require longer or permanent retention of certificates of destruction, they can use Microsoft Sentinel for long-term cloud-based storage of log and audit data. Microsoft Sentinel gives organizations full control over the long-term storage and retention of activity data, log data, and retention/disposition data.

+Microsoft 365 enables organizations to configure supervision policies which capture employee communications (based on configured conditions) and allow these to be reviewed by designated supervisors. Supervision policies can capture internal/external email and attachments, Microsoft Teams chat and channel communications, Skype for Business Online chat communications and attachments, and communications through third-party services (such as Facebook or Dropbox).

+The comprehensive nature of communications that might be captured and reviewed within an organization and the extensive conditions with which policies can be configured allow Microsoft 365 Supervision Policies to help organizations comply with FERC energy market regulations. Supervision policies can be configured to review communications for individuals or groups. In addition, supervisors can be configured to be individuals or groups. Comprehensive conditions can be configured to capture communications based on inbound or outbound messages, domains, retention labels, keywords or phrases, keyword dictionaries, sensitive data types, attachments, message size, or attachment size. Reviewers are provided with a dashboard where they can review flagged communications, act on communications that potentially violate policies, or mark flagged items as resolved. They might also review the results of previous reviews and items that have been resolved.

+Microsoft 365 provides reports which allow supervision policy review activities to be audited based on the policy and the reviewer. The available reports can be used to validate that supervision policies are working as defined by the organizations written supervision policies. Reports can also be used to identify communications that require review, including communications that aren't compliant with corporate policy. Finally, all activities related to configuring supervision policies and reviewing communications are audited in the Office 365 unified audit log.

+Microsoft 365 Supervision Policies allow organizations to monitor communications for compliance with corporate policies, such as human resources harassment violations and offensive language in company communications. It also allows organizations to reduce risk, by monitoring communications when organizations are undergoing sensitive organizational changes, such as mergers and acquisitions, or leadership changes.

+- corporate Policies, such as acceptable use, ethical standards, and corporate specific policies

+Communication compliance provides built-in threat, harassment, and profanity classifiers to help reduce false positives when reviewing communications. This classification saves reviewers time during the investigation and remediation process. It helps reviewers focus on specific messages within long threads that have been highlighted by policy alerts. This result helps compliance teams more quickly identify and remediate risks. It provides compliance teams with the ability to easily configure and fine-tune policies, adjusting the solution to the organization's specific needs and reducing false positives. Communication compliance can also help to identify potentially risky user behavior over time, highlighting potential patterns in risky behavior or policy violations. Finally, it provides flexible built-in remediation workflows. These workflows help reviewers quickly take action to escalate to legal or human resources teams according to defined corporate processes.

+A common threat to enterprises is data exfiltration, or the act of extracting data from an organization. This action can be a significant concern for energy organizations due to the sensitive nature of the information that might be accessed by employees or field service staff day-to-day. This data includes both BES (Bulk Electric System) Cyber System information as well as business-related information and customer data. With the increasing methods of communications available and many tools for moving data, advanced tools are typically required to mitigate risks of data leaks, policy violations, and insider risk.

+Enabling employees with online collaboration tools that might be accessed anywhere inherently brings risk to an organization. Employees might inadvertently or maliciously leak data to attackers or to competitors. Alternatively, they might exfiltrate data for personal use or take data with them to a future employer. These scenarios present serious risks to organizations from a security and a compliance standpoint. Identifying these risks when they occur and quickly mitigating them requires both intelligent tools for data collection and collaboration across departments such as legal, human resources, and information security.

+Energy industry organizations must comply with strict regulations related to how they store, secure, manage, and retain information related to their operations and customers. They must also comply with regulations related to how they monitor and prevent the manipulation of energy markets. Microsoft 365 provides robust security controls for protecting data, identities, devices, and applications from risks and complying with strict energy industry regulations. Built-in tools are provided to help energy organizations assess their compliance, as well as take action and track remediation activities over time. These tools also provide easy to use methods for monitoring and supervising communications. The Microsoft 365 platform is built on foundational components like Microsoft Azure and Microsoft Entra ID, helping to secure the overall platform and helping the organization meet compliance requirements for FedRAMP Moderate and High control sets. This design, in turn, contributes to an energy organization's ability to meet NERC CIP standards.

+I'm a Principal Technical Architect at the New York [Microsoft Technology Center](https://www.microsoft.com/mtc?rtc=1). I mostly work with large customers and complex requirements. My viewpoint and opinions are based on these interactions and might not apply to every situation. However, in my experience, if we can help customers with the most complex challenges, we can help all customers.

+- **People, process, technology**: [Design for people](https://en.wikipedia.org/wiki/Human-centered_design) to enhance process, not tech first. There are no "perfect" solutions. We need to balance various risk factors and decisions that might be different for each business. Too many customers design an approach that their users later avoid.

+- **Long tail of past best practices**: Recognize that best practices are changing at light speed. If you looked at Microsoft Entra more than three months ago, you're likely out of date. Everything here's subject to change after publication. "Best" option today might not be the same six months from now.

+Alas, language isn't a precise tool. We often use the same word to mean different concepts or different words to mean the same concept. I often use the following diagram to establish some baseline terminology and "hierarchy model."

+- Tenant = an instance of Microsoft Entra ID. It's at the "top" of a hierarchy, or Level 1 in the diagram. We can consider this level to be the "[boundary](/azure/active-directory/users-groups-roles/licensing-directory-independence)" where everything else occurs ([Microsoft Entra B2B](/azure/active-directory/b2b/what-is-b2b) aside). All Microsoft enterprise cloud services are part of one of these tenants. Consumer services are separate. "Tenant" appears in documentation as Microsoft 365 tenant, Azure tenant, WVD tenant, and so on. I often find these variations cause confusion for customers.

+Some other concepts that I find many customers (and Microsoft employees) are confused about or have questions about include the following issues:

+- Anyone can [create](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) many tenants at [no cost](https://azure.microsoft.com/pricing/details/active-directory/). You don't need a service provisioned within it. I have dozens. Each Tenant name is unique in Microsoft's worldwide cloud service (in other words, no two tenants can have the same name). They're all in the format of TenantName.onmicrosoft.com. There are also processes that create Tenants automatically ([unmanaged tenants](/azure/active-directory/users-groups-roles/directory-self-service-signup)). For example, this result can happen when a user signs up for an enterprise service with an email domain that doesn't exist in any other tenant.

+- In a managed tenant, many [DNS domains](/azure/active-directory/fundamentals/add-custom-domain) can be registered in it. This result doesn't change the original tenant name. There's currently no easy way to rename a tenant (other than migration). Although the tenant name is technically not critical these days, some people might feel limited by this reality.

+- If you own DNS namespace, you should add all of these namespaces to your tenants. Otherwise one could create an [unmanaged tenant](/azure/active-directory/users-groups-roles/directory-self-service-signup) with this name, which then causes disruption to [make it managed](/azure/active-directory/users-groups-roles/domains-admin-takeover).

+- A DNS namespace (for example, contoso.com) can belong to one and only one Tenant. This requirement has implications for various scenarios (for example, sharing an email domain during a merger or acquisition, and so on). There's a way to register a DNS sub (such as div.contoso.com) in a different tenant, but that should be avoided. By registering a top-level domain name, all subdomains are assumed to belong to the same tenant. In multi-tenant scenarios (as explained next) I would normally recommend using another top-level domain name (such as contoso.ch or ch-contoso.com).

+- Who should "own" a tenant? I often see customers that don't know who currently owns their tenant. This lack of knowledge is a significant red flag. Call Microsoft support ASAP. Just as problematic is when a service owner (often an Exchange administrator) is designated to manage a tenant. The tenant contains all services that you might want in the future. The tenant owner should be a group that can make decision for enablement of all cloud services in an organization. Another problem is when a tenant owner group is asked to manage all services. This method doesn't scale for large organizations.

+- There's no concept of a sub/super tenant. For some reason, this myth keeps repeating itself. This concept applies to [Azure Active Directory B2C](/azure/active-directory-b2c/) tenants as well. I hear too many times, "My B2C environment is in my XYZ Tenant," or "How do I move my Azure tenant into my Microsoft 365 tenant?"

+- This document mostly focuses on the commercial worldwide cloud, because that's what most customers are using. It sometimes useful to know about [sovereign clouds](/azure/active-directory/develop/authentication-national-cloud). Sovereign clouds have other implications to discuss which are out of scope for this discussion.

+There's much documentation about Microsoft's identity platform ΓÇô Microsoft Entra ID. For people who are just starting, it often feels overwhelming. Even after you learn about it, keeping up with constant innovation and change can be challenging. In my customer interactions, I often find myself serving as "translator" between business goals and "Good, Better, Best" approaches to address these concerns (and human "cliff notes" for these articles). There's rarely a perfect answer and the "right" decision is a balance of various risk factors. Up next are some of the common questions and confusion areas I tend to discuss with customers.

+[Microsoft Entra Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) vs. [Microsoft Identity Manager](/microsoft-identity-manager/microsoft-identity-manager-2016) (MIM) vs. something else (third party or custom)? Save yourself problems now and in the future and go with Microsoft Entra Connect. There are all kinds of smarts in this tool to address peculiar customer configurations and ongoing innovations.

+Some edge cases that might drive towards a more complex architecture:

+- I have multiple AD forests without network connectivity between them. There's a new option called [Cloud Provisioning](/azure/active-directory/cloud-provisioning/what-is-cloud-provisioning).

+- I don't have Active Directory, nor do I want to install it. Microsoft Entra Connect can be configures to [sync from LDAP](/azure/active-directory/hybrid/plan-hybrid-identity-design-considerations-tools-comparison) (partner might be required).

+Should I customize default synchronization rules ([filter objects](/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering), [change attributes](/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized), [alternate login ID](/azure/active-directory/hybrid/plan-connect-userprincipalname), and so on)? Avoid it! An identity platform is only as valuable as the services that use it. While you can do all kinds of nutty configurations, to answer this question you need to look at the effect on applications. If you filter mail-enabled objects, then the GAL for online services is incomplete; if the application relies on specific attributes, filtering on these attributes has unpredictable effects; and so on. It's not an identity team decision.

+XYZ SaaS supports Just-in-Time (JIT) provisioning, why are you requiring me to synchronize? See the previous paragraph. Many applications need "profile" information for functionality. You can't have a GAL if all mail-enabled objects aren't available. Same applies to [user provisioning](/azure/active-directory/app-provisioning/user-provisioning) in applications integrated with Microsoft Entra ID.

+- Additional capabilities (for example, [Microsoft Entra Domain Services](/azure/active-directory-domain-services/tutorial-configure-password-hash-sync)) and security services (for example, [leaked credentials](/azure/active-directory/reports-monitoring/concept-risk-events#leaked-credentials))

+- Support for services in Azure that don't understand federated authentication (for example, [Azure Files](/azure/storage/files/storage-files-active-directory-overview)).

+I often walk customers through client authentication flow to clarify some misconceptions. The result looks like the following picture, which isn't as good as the interactive process of getting there.

+We've been chasing the dream of [single sign-on](/azure/active-directory/manage-apps/what-is-single-sign-on) (SSO) for as long as I can remember. Some customers believe they can achieve single sign-on by choosing the "right" federation (STS) provider. Microsoft Entra ID can help significantly to [enable SSO](/azure/active-directory/manage-apps/plan-sso-deployment) capabilities, but no STS is magical. There are too many "legacy" authentication methods that are still used for critical applications. Extending Microsoft Entra ID with [partner solutions](/azure/active-directory/saas-apps/tutorial-list) can address many of these scenarios. SSO is a strategy and a journey. You can't get there without moving towards [standards for applications](/azure/active-directory/develop/v2-app-types). Related to this article is a journey to [passwordless](/azure/active-directory/authentication/concept-authentication-passwordless) authentication, which also doesn't have a magical answer.

+[Multifactor authentication](/azure/active-directory/authentication/concept-mfa-howitworks) (MFA) is essential today ([here](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984) for more). Add to it [user behavior analytics](/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa) and you have a solution that prevents most common cyber-attacks. Even consumer services are moving to require MFA. Yet, I still meet with many customers who don't want to move to [modern authentication](../enterprise/hybrid-modern-auth-overview.md) approaches. The biggest argument I hear is that it impacts users and legacy applications. Sometimes a good kick might help customers move along - Exchange Online [announced changes](https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-auth-and-exchange-online-february-2020-update/ba-p/1191282). Lots of Microsoft Entra [reports](/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication) are now available to help customers with this transition.

+Per [Wikipedia](https://en.wikipedia.org/wiki/Authorization), "to authorize" is to define an access policy. Many people look at it as the ability to define access controls to an object (file, service, and so on). In the current world of cyber threats, this concept is rapidly evolving to a dynamic policy that can react to various threat vectors and quickly adjust access controls in response to them. For example, if I access my bank account from an unusual location, I get extra confirmation steps. To approach this reality, we need to consider not just the policy itself but the ecosystem of threat detection and signal correlation methodologies.

+The policy engine of Microsoft Entra ID is implemented using [Conditional Access policies](/azure/active-directory/conditional-access/overview). This system depends on information from other threat detection systems to make dynamic decisions. A simple view would be something like the following illustration:

+- If a threat is detected on your device, your access to data is reduced to web only without the ability to download.

+- If you're downloading an unusually high volume of data, anything you download is encrypted and restricted.

+- If you access a service from an unmanaged device, you're be blocked from highly sensitive data but allowed to access nonrestricted data without the ability to copy it to another location.

+If you agree with this expanded definition of authorization, then you need to implement additional solutions. Which solutions you implement depends on how dynamic you want the policy to be and which threats you want to prioritize. Some examples of such systems are:

+In addition to Microsoft Entra ID, various services and applications have their own specific authorization models. Some of these models are discussed later in the delegation section.

+Microsoft Entra ID has detailed [audit and reporting](/azure/active-directory/reports-monitoring/) capabilities. However, these reports are typically not the only source of information needed to make security decisions. See more discussion on this subject in the delegation section.

+Don't Panic! Exchange isn't being deprecated (or SharePoint, and so on). It's still a core service. What I mean is, for quite some time now, technology providers have been transitioning user experiences (UX) to encompass components of multiple services. In Microsoft 365, a simple example is "[modern attachments](https://support.office.com/article/Attach-files-or-insert-pictures-in-Outlook-email-messages-BDFAFEF5-792A-42B1-9A7B-84512D7DE7FC)" where attachments to email are stored in SharePoint Online or OneDrive.

+Looking at the Outlook client you can see many services that are "connected" as part of this experience, not just Exchange. Examples include Microsoft Entra ID, Microsoft Search, Apps, Profile, compliance, and Microsoft 365 groups.

+Overall, it's becoming harder to draw a clear line between Microsoft 365 and other services in Microsoft clouds. I view it as a great benefit to customers since they can benefit from total innovation across everything we do even if they use one component. Pretty cool and has far reaching implications for many customers.

+Today, I find many customer IT groups are structured around "products." It's logical for an on-premises world since you need an expert for each specific product. However, I'm happy that I don't have to debug an Active Directory or Exchange database ever again as these services have moved to the cloud. Automation (which the cloud basically is) removes certain repetitive manual jobs (look what happened to factories). However, these tasks are replaced with more complex requirements to understand cross-services interaction, effect, business needs, and so on. If you're willing to [learn](/training/), there are great opportunities enabled by cloud transformation. Before jumping into technology, I often talk to customers about managing change in IT skills and team structures.

+To all SharePoint fan-people and developers, please stop asking "How can I do XYZ in SharePoint Online?" Use [Power Automate](/power-automate/) (or Flow) for workflow, it's a much more powerful platform. Use [Azure Bot Framework](/azure/bot-service/) to create a better UX for your 500-K item list. Start using [Microsoft Graph](https://developer.microsoft.com/graph/) instead of CSOM. [Microsoft Teams](/MicrosoftTeams/Teams-overview) includes SharePoint but also a world more. There are many other examples I can list. There's a vast and wonderful universe out there. Open the door and [start exploring]().

+The other common effect is in the compliance area. This cross-services approach seems to completely confuse many compliance policies. I keep seeing organizations that state, "I need to journal all email communications to an eDiscovery system." What does this statement really mean when email is no longer just email but a window into other services? Microsoft 365 has a comprehensive approach for [compliance](../compliance/index.yml), but changing people and processes are often much more difficult than technology.

+In general, most customers should have only one production tenant. There are many reasons why multiple tenants are challenging (give it a [Bing search](https://www.bing.com/search?q=office%20365%20multiple%20tenants)) or read this [whitepaper](https://aka.ms/multi-tenant-user). At the same time, many enterprise customers I work with have another (small) tenant for IT learning, testing, and experimentation. Cross-tenant Azure access is made easier with [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/). Microsoft 365 and many other SaaS services have limits for cross-tenant scenarios. There's a lot to consider in [Microsoft Entra B2B](/azure/active-directory/b2b/what-is-b2b) scenarios.

+Some customers choose to go with more than one tenant. This should be a careful decision and almost always business reason driven! Some examples include the following reasons:

+- A holding type company structure where easy collaboration between different entities isn't required and there's strong administrative and other isolation needs.

+To [Multi-Geo](../enterprise/microsoft-365-multi-geo.md) or not to Multi-Geo. That is the question. With Microsoft 365 Multi-Geo, you can provision and store data at rest in the geo locations you choose to meet [data residency](../enterprise/o365-data-locations.md) requirements. There are many misconceptions about this capability. Keep the following points in mind:

+- It doesn't to provide performance benefits. It could make performance worse if the [network design](https://aka.ms/office365networking) isn't correct. Get devices "close" to the Microsoft network, not necessarily to your data.

+- It's not a solution for [GDPR compliance](https://www.microsoft.com/trust-center/privacy/gdpr-overview). GDPR doesn't focus on data sovereignty or storage locations. There are other compliance frameworks for data sovereignty or storage locations.

+- It isn't the same as multi-tenant and requires more [user provisioning](/azure/active-directory/hybrid/how-to-connect-sync-feature-preferreddatalocation) workflows.

+In most large organizations, separation of duties and role-based access control (RBAC) is a necessary reality. I'm going to apologize ahead of time. This activity isn't as simple as some customers want it to be. Customer, legal, compliance, and other requirements are different and sometimes conflicting around the world. Simplicity and flexibility are often on opposite sides of each other. Don't get me wrong, we can do a better job at this goal. There have been (and will be) significant improvements over time. Visit your local [Microsoft Technology Center](https://www.microsoft.com/mtc) to work out the model that fits your business requirements without reading 379,230 docs! Here, I focus on what you should think about and not why it's this way. Coming up are five different areas to plan for and some of the common questions I encounter.

+There's a long and growing list of [built-in roles](/azure/active-directory/roles/permissions-reference). Each role consists of a list of role permissions grouped together to allow specific actions to be performed. You can see these permissions in the "Description" tab inside each role. Alternatively, you can see a more human readable version of these permissions in the Microsoft 365 Admin Center. The definitions for built-in roles can't be modified. I generally, group these roles into three categories:

+What's in the name? Don't make assumptions from the name of the role. Language isn't a precise tool. The goal should be to define operations that need to be delegated before looking at what roles are needed. Adding somebody to the "Security Reader" role doesn't make them see security settings across everything.

+The ability to create [custom roles](/azure/active-directory/users-groups-roles/roles-custom-overview) is a common question. This capability is limited in Microsoft Entra today (as explained later), but will grow in capabilities over time. I think of these custom roles as applicable to functions in Microsoft Entra ID and might not span "down" the hierarchy model (as previously discussed). Whenever I deal with "custom," I tend to go back to my principal of "simple is better."

+Another common question is ability to scope roles to a subset of a directory. One example is something like "Helpdesk Administrator for users in EU only." [Administrative Units](/azure/active-directory/users-groups-roles/directory-administrative-units) are intended to address this scenario. As previously described, I think of these scopes as applicable to functions in Microsoft Entra ID and might not span "down." Certain roles don't make sense to scope (global admins, service admins, and so on).

+Today, all these roles require direct membership (or dynamic assignment if you use [Microsoft Entra PIM](/azure/active-directory/privileged-identity-management/)). This means customers must manage these role directly in Microsoft Entra ID, and these roles can't be based on a security group membership. I'm not a fan of creating scripts to manage these roles as it would need to run with elevated rights. I generally recommend API integration with process systems like ServiceNow or using partner governance tools like Saviynt. There's engineering work going on to address this issue over time.

+I mentioned [Microsoft Entra PIM](/azure/active-directory/privileged-identity-management/) a few times. There's a corresponding Microsoft Identity Manager (MIM) [Privileged Access Management](/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services) (PAM) solution for on-premises controls. You might also want to look at [Privileged Access Workstations](/security/privileged-access-workstations/privileged-access-devices) (PAWs) and [Microsoft Entra ID Governance](/azure/active-directory/governance/identity-governance-overview). There are various third-party tools as well, which can enable just-in-time, just-enough, and dynamic role elevation. This capability is usually part of a larger discussion for securing an environment.

+Sometimes scenarios call for adding an external user to a role (see the previous multi-tenant section). This outcome works fine. [Microsoft Entra B2B](/azure/active-directory/b2b/) is another large and fun article to walk customers through, perhaps in another article.

+**Email & Collaboration roles** in the [Microsoft Defender portal](../security/office-365-security/mdo-portal-permissions.md) and ***Role groups for Microsoft Purview solutions** in the [Microsoft 365 Purview compliance portal](../compliance/microsoft-365-compliance-center-permissions.md) are a collection of "role groups", which are separate and distinct from Microsoft Entra roles. This can be confusing because some of these role groups have the same name as Microsoft Entra roles (for example, Security Reader), yet they can have different membership. I prefer the use of Microsoft Entra roles. Each role group consists of one or more "roles" (see what I mean about reusing the same word?) and have members from Microsoft Entra ID, which are email enabled objects. Also, you can create a role group with the same name as a role, which might or might not contain that role (avoid this confusion).

+You can't create custom roles. Roles are defined by services created by Microsoft and continue to grow as new services are introduced. This behavior is similar in concept to [roles defined by applications](/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) in Microsoft Entra ID. When new services are enabled, often new role groups need to be created in order to grant or delegate access to these (for example, [insider risk management](../compliance/insider-risk-management-configure.md).

+These role groups also require direct membership and can't contain Microsoft Entra groups. Unfortunately, today these role groups aren't supported by Microsoft Entra PIM. Like Microsoft Entra roles, I tend to recommend management of these role groups through APIs or a partner governance product like Saviynt, or others.

+Microsoft Defender portal and Microsoft 365 Purview compliance portal roles span Microsoft 365 and you can't scope these role groups to a subset of the environment (like you can with administrative units in Microsoft Entra ID). Many customers ask how they can subdelegate. For example, "create a DLP policy only for EU users." Today, if you have rights to a specific function in the Microsoft Defender XDR and Microsoft 365 Purview compliance portals, you have rights to everything covered by this function in the tenant. However, many policies have capabilities to target a subset of the environment (for example, "make these [labels](../compliance/create-sensitivity-labels.md#publish-sensitivity-labels-by-creating-a-label-policy) available only to these users"). Proper governance and communication are a key component to avoid conflicts. Some customers choose to implement a "configuration as code" approach to address subdelegation in the Microsoft Defender XDR and Microsoft 365 Purview compliance portals. Some specific services support subdelegation (see the next section).

+As stated earlier, many customers are looking to achieve a more granular delegation model. A common example: "Manage XYZ service only for Division X users and locations" (or some other dimension). The ability to do this depends on each service and isn't consistent across services and capabilities. In-addition, each service might have a separate and unique RBAC model. Instead of discussing all of these models (which would take forever), I'm adding relevant links for each service. This list isn't complete, but it can get you started.

+> [!NOTE]

+> This link is to the root of documentation. There are multiple types of services with variations in the admin/delegation model.

+ > [!NOTE]

+ > there are multiple types with variations in the admin/delegation models.

+Microsoft 365 has a [unified audit log](../compliance/search-the-audit-log-in-security-and-compliance.md). It's a very [detailed log](/office/office-365-management-api/office-365-management-activity-api-schema), but don't read too much into the name. It might not contain everything you want or need for your security and compliance needs. Also, some customers are very interested in [Audit (Premium)](../compliance/advanced-audit.md).

+- [Microsoft Entra ID](/azure/azure-monitor/platform/diagnostic-settings) (activities not related to Microsoft 365)

+- Threat/UEBA Systems discussed previously (for example, Microsoft Entra ID Protection, Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, and so on)

+From the admin delegation perspective, most Microsoft 365 activity logs don't have a built-in RBAC model. If you have permission to see a log, then you can see everything in it. A common example of a customer requirement is: "I want to be able to query activity only for EU users" (or some other dimension). To achieve this requirement, we need to transfer logs to another service. In the Microsoft cloud, we recommend transferring it to either [Microsoft Sentinel](/azure/sentinel/overview) or [Log Analytics](/azure/azure-monitor/learn/quick-create-workspace).

+The diagram represents built-in capabilities to send logs to Event Hubs and/or Azure Storage and/or Azure Log Analytics. Not all systems include this out-of-the-box yet. But there are other approaches to send these logs to the same repository. For example, see [Protecting your Teams with Microsoft Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/protecting-your-teams-with-azure-sentinel/ba-p/1265761).

+Logs don't have to be directed to one place only. It might also be beneficial to integrate [Microsoft 365 Logs with Microsoft Defender for Cloud Apps](/cloud-app-security/connect-office-365-to-microsoft-cloud-app-security) or a custom RBAC model in [Power BI](../admin/usage-analytics/usage-analytics.md). Different repositories have different benefits and audiences.

+It's worth mentioning that there's a rich built-in analytics system for security, threats, vulnerabilities, and so on in a service called [Microsoft Defender XDR](../security/defender/microsoft-365-defender.md).

+Many large customers want to transfer this log data to a third-party system (for example, SIEM). There are different approaches for this result, but in-general [Azure Event Hubs](/azure/azure-monitor/platform/stream-monitoring-data-event-hubs) and [Graph](/graph/security-integration) are good starting points.

+I'm often asked if there's a way to separate high-privilege roles between Microsoft Entra ID, Azure, and SaaS (ex.: Global Administrator for Microsoft 365 but not Azure). Not really. Multi-tenant architecture is needed if complete administrative separation is required, but that adds significant [complexity](https://aka.ms/multi-tenant-user) (as discussed earlier). All these services are part of the same security/identity boundary (as shown in the hierarchy model).

+It's important to understand relationships between various services in the same tenant. I'm working with many customers that are building business solutions that span Azure, Microsoft 365, and Power Platform (and often also on-premises and third-party cloud services). One common example:

+1. I want to collaborate on a set of documents/images/etc (Microsoft 365)

+Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can manage access to resources by granting users the fewest permissions needed to perform their jobs. Details are out of scope for this document, but for more information on RBAC, see [What is role-based access control (RBAC) in Azure?](/azure/role-based-access-control/overview) RBAC is important but only part of the governance considerations for Azure. [Cloud Adoption Framework](/azure/cloud-adoption-framework/govern/) is a great starting point to learn more. I like how my friend, [Andres Ravinet](https://www.linkedin.com/in/andres-ravinet/), walks customers step by step through various components to decide on the approach. High-level view for various elements (not as good as the process to get to actual customer model) is something like this:

+This article started as a short summary, ended-up longer than I expected. I hope you're now ready to venture into a deep see of creating delegation model for your organization. This conversation is very common with customers. There's no one model that works for everyone. Waiting for a few planned improvements from Microsoft engineering before documenting common patterns we see across customers. In the meantime, you can work with your Microsoft account team to arrange a visit to the nearest [Microsoft Technology Center](https://www.microsoft.com/mtc). See you there!

+| Supported languages| Supports [more than 40 languages](/ai-builder/form-processing-model-requirements#model-for-unstructured-and-free-form-documents). | Supports [more than 40 languages](/ai-builder/form-processing-model-requirements#model-for-unstructured-and-free-form-documents). | Supports [more than 100 languages](/ai-builder/form-processing-model-requirements#model-for-structured-and-semi-structured-documents). |

+search.appverid:

+ 

+ 

+This model type supports the widest range of file types and supports [more than 40 languages](/ai-builder/form-processing-model-requirements#model-for-unstructured-and-free-form-documents).

+This model type is the best option for documents in PDF or image files when you don't require automatic classification of the type of document, and it supports [more than 40 languages](/ai-builder/form-processing-model-requirements#model-for-unstructured-and-free-form-documents).

+This model type supports the [widest range of languages](/ai-builder/form-processing-model-requirements#model-for-structured-and-semi-structured-documents) and is trained to understand the layout of your form from example documents, and then learns to look for the data you need to extract from similar locations. Forms usually have a more structured layout where entities are in the same location (for example, a social security number on a tax form).

+|  | **Supported languages** <br><br>This model supports the following languages: see [supported languages](/ai-builder/form-processing-model-requirements#model-for-unstructured-and-free-form-documents). |

+ - essentials-navigation