Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
includes | Copilot Content Updates | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/includes/copilot-content-updates.md | +## Week of January 22, 2024 +++| Published On |Topic title | Change | +|||--| +| 1/23/2024 | [Data, Privacy, and Security for Microsoft Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-privacy) | modified | +| 1/24/2024 | [Manage access to web content in Microsoft Copilot for Microsoft 365 responses](/microsoft-365-copilot/manage-public-web-access) | modified | ++ ## Week of January 15, 2024 | 1/16/2024 | [Microsoft Copilot for Microsoft 365 requirements](/microsoft-365-copilot/microsoft-365-copilot-requirements) | modified | | 1/16/2024 | [Data, Privacy, and Security for Microsoft Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-privacy) | modified | | 1/16/2024 | [Microsoft Copilot for Microsoft 365 documentation # < 60 chars](/microsoft-365-copilot/index) | modified |---## Week of December 18, 2023 ---| Published On |Topic title | Change | -|||--| -| 12/18/2023 | [Provide user feedback for Microsoft Copilot for Microsoft 365](/microsoft-365-copilot/provide-feedback) | added | -| 12/20/2023 | [Enable users for Microsoft Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-enable-users) | modified | -| 12/20/2023 | [Microsoft Copilot for Microsoft 365 overview](/microsoft-365-copilot/microsoft-365-copilot-overview) | modified | |
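Review bot: the 1/16/2024 row added under "Week of January 15, 2024" leaks an authoring placeholder into the published topic title: `[Microsoft Copilot for Microsoft 365 documentation # < 60 chars](/microsoft-365-copilot/index)`. The ` # < 60 chars` tail is a length reminder for the page's own title, not part of the link text, so it should be dropped before this include is published; the other rows in the same block (`microsoft-365-copilot-requirements`, `microsoft-365-copilot-privacy`) use clean titles and can serve as the pattern.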
admin | Gdpr Compliance | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/gdpr-compliance.md | +- Tier2 - scotvorg - highpri-- M365-subscription-management +- M365-subscription-management - Adm_O365 - Adm_TOC-+ - VSBFY23 - AdminSurgePortfolio search.appverid: description: "Learn how Microsoft 365 for business can help you with the General Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585). - *Using Microsoft 365 for business to help you to mitigate and manage GDPR compliance* - -The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that mandates how an organization should handle personal data. If your business sells to, provides services to, or employs citizens of the European Union, then the [GDPR](https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en) will affect you. + *Using Microsoft 365 for business to help you to mitigate and manage GDPR compliance* ++The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that mandates how an organization should handle personal data. If your business sells to, provides services to, or employs citizens of the European Union, then the [GDPR](https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en) will affect you. As a small business admin, you're probably asking yourself "how do I get started"? This may be especially true if your business doesn't handle personal data as a core business activity, or if GDPR is totally new to you. You can get started by reviewing this article, which is aimed at helping you und It also includes answers to common questions about GDPR that small businesses may have, and highlights steps a small business can take to prepare for GDPR. 
> [!IMPORTANT]-> The Microsoft 365 solutions and recommendations in this article are tools and resources that can help you manage and protect your data, but are not a guarantee of GDPR compliance. It is up to you to assess your own compliance status. Consult with your own legal and/or professional advisors when needed. - +> The Microsoft 365 solutions and recommendations in this article are tools and resources that can help you manage and protect your data, but are not a guarantee of GDPR compliance. It is up to you to assess your own compliance status. Consult with your own legal and/or professional advisors when needed. + ## A quick overview of the GDPR The GDPR is an EU regulation that updates and expands the earlier Data Protection Directive (DPD) first enacted in 1995. The GDPR is concerned with the privacy of an individual's data, be that individual a client, customer, employee, or business partner. The GDPR's goal is to strengthen personal data protection for EU citizens, whether they reside in the EU or elsewhere. The regulation sets out expectations and advises on how to achieve them. Organizations must have measures in place that satisfy the requirements of the GDPR.- -The GDPR is all about data and how it's used. Think of data as having a life cycle. The cycle starts when you collect data, continues as you store it and use it (processing), and ends when you completely delete it from your systems. - -The GDPR is concerned with the following types of data: - ++The GDPR is all about data and how it's used. Think of data as having a life cycle. The cycle starts when you collect data, continues as you store it and use it (processing), and ends when you completely delete it from your systems. ++The GDPR is concerned with the following types of data: + - **Personal data:** If you can link data to an individual and identify them, then that data is considered personal with respect to the GDPR. 
Examples of personal data include name, address, date of birth, and IP address. The GDPR considers even encoded information (also known as "pseudonymous" information) to be personal data, regardless of how obscure or technical the data is, if the data can be linked to an individual.- -- **Sensitive personal data** This is data that adds more details to personal data. Examples include religion, trade union membership, ethnic origin, and so on. Sensitive personal data also includes biometric data and DNA. Under GDPR, sensitive data has more stringent protection rules than personal data. - ++- **Sensitive personal data** This is data that adds more details to personal data. Examples include religion, trade union membership, ethnic origin, and so on. Sensitive personal data also includes biometric data and DNA. Under GDPR, sensitive data has more stringent protection rules than personal data. + ## GDPR terms You'll see some terms referred to frequently in the GDPR. It's important to understand these terms.- - **Consent** - ++**Consent**: + The GDPR states: "The processing of personal data should be designed to serve mankind." The GDPR hopes to achieve this goal by using consent when processing personal data. That could be the simple act of asking your customers if they want to receive email messages from your company. It also means no more opt-out check boxes on your website when you want to use data for marketing. You must take explicit consent using a "clear affirmative act". And, you'll need to also keep records of when a consent is taken or revoked.- - **Data subject rights** - ++**Data subject rights**: + The GDPR establishes data subject rights, which means that, with respect to their personal data, customers, employees, business partners, clients, contractors, students, suppliers, and so forth have the right to:- -- **Be informed about their data:** You must inform individuals about your use of their data. 
- -- **Have access to their data:** You must give individuals access to any of their data that you hold (for example, by using account access or in some manual manner). - -- **Ask for data rectification:** Individuals can ask you to correct inaccurate data. - -- **Ask for data to be deleted:** Also known as the 'right to erasure', this right allows an individual to request that any of their personal data a company has collected is deleted across all systems that use it or share it. - -- **Request restricted processing:** An individual can ask that you suppress or restrict their data. However, it's only applicable under certain circumstances. - -- **Have data portability:** An individual can ask for their data to be transferred to another company. - -- **Object:** An individual can object to their data being used for various uses including direct marketing. - -- **Ask not to be subject to automated decision-making, including profiling:** The GDPR has strict rules about using data to profile people and automate decisions based on that profiling. +- **Be informed about their data:** You must inform individuals about your use of their data. ++- **Have access to their data:** You must give individuals access to any of their data that you hold (for example, by using account access or in some manual manner). ++- **Ask for data rectification:** Individuals can ask you to correct inaccurate data. ++- **Ask for data to be deleted:** Also known as the 'right to erasure', this right allows an individual to request that any of their personal data a company has collected is deleted across all systems that use it or share it. ++- **Request restricted processing:** An individual can ask that you suppress or restrict their data. However, it's only applicable under certain circumstances. ++- **Have data portability:** An individual can ask for their data to be transferred to another company. 
++- **Object:** An individual can object to their data being used for various uses including direct marketing. ++- **Ask not to be subject to automated decision-making, including profiling:** The GDPR has strict rules about using data to profile people and automate decisions based on that profiling. ## Steps to prepare for GDPR A good way for a small business to get started with GDPR is to make sure to appl - Collect personal data with clearly defined purposes for what you are using it for, and donΓÇÖt use them for anything else. For example, if you tell your clients to give you their email addresses so they can get your new offers or promotions, you can only use their email addresses for only that specific purpose. - DonΓÇÖt collect more data than you need. For example, if your business requires a mailing address for you to deliver goods, you need a customer's address and a name, but you donΓÇÖt need to know the person's marital status. - ### Step 1: Know the personal data that you collect and use within your business, and the reasons you need it As a small business, one of the first steps you should take is to make an inventory of the personal data you collect and use within your business, and why it's needed. This includes data on both your employees and your customers. For example, you may need your employee's personal data based-on the employment contract and for legal reasons (for example, +on the employment contract and for legal reasons (for example, reporting taxes to the Internal Revenue Service). As another example, you may manage lists of individual customers to send them notices about special offers, if they have consented to this. -#### Microsoft 365 features that can help +#### Microsoft 365 features that can help in Step 1 -[Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) can help you discover, classify, and protect sensitive information in your company. 
You can use trainable classifiers to help you identify and label document types that contain personal data. +[Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) can help you discover, classify, and protect sensitive information in your company. You can use trainable classifiers to help you identify and label document types that contain personal data. ### Step 2: Inform your customers, employees, and other individuals when you need to collect their personal data for which purpose. For example, if a customer needs to create a customer profile But there is no need to inform individuals when they already know how you will use the data. For example, when they provide you a home address for a delivery they ordered. -You also have to be able to inform individuals on request about the personal data you hold on them and give them access to their data. Being organized with your data makes it easier to provide to them, if needed. +You also have to be able to inform individuals on request about the personal data you hold on them and give them access to their data. Being organized with your data makes it easier to provide to them, if needed. ### Step 3: Keep personal data for only as long as necessary For employees data, keep it as long as the employment relationship remains and f For customer data, keep it as long as the customer relationship lasts and for related legal obligations (for example, tax purposes). Delete the data when it is no longer needed for the purposes for which you collected it. -#### Microsoft 365 features that can help -[Retention policies and labels](/microsoft-365/compliance/retention) can be used to help you keep personal data for a certain time and delete it when itΓÇÖs no longer needed. +#### Microsoft 365 features that can help in Step 3 +[Retention policies and labels](/microsoft-365/compliance/retention) can be used to help you keep personal data for a certain time and delete it when itΓÇÖs no longer needed. 
### Step 4: Secure the personal data you are processing files containing the data, for example, by a strong password. Regularly update t If you store physical documents with personal data, make sure that they are not accessible by unauthorized persons. -If you choose to store personal data in the cloud, such as through Microsoft 365, you have security features such as the ability to help you to manage permissions to files and folders, centralized secure locations to save your files (OneDrive or SharePoint document libraries), and data encryption when sending or retrieving your files. +If you choose to store personal data in the cloud, such as through Microsoft 365, you have security features such as the ability to help you to manage permissions to files and folders, centralized secure locations to save your files (OneDrive or SharePoint document libraries), and data encryption when sending or retrieving your files. -#### Microsoft 365 features that can help +#### Microsoft 365 features that can help in Step 4 You can use [Set up compliance features](../../business-premium/m365bp-set-up-compliance.md) to help to protect your business's sensitive information. Compliance Manager can help you get started right away! For example, you can [Create and Deploy data loss prevention policies](../../compliance/dlp-create-deploy-policy.md) that uses the [GDPR template](/microsoft-365/compliance/what-the-dlp-policy-templates-include#general-data-protection-regulation-gdpr). if needed. Such documents should include the information listed below. -| Information | Examples | +|Information|Examples| ||| |The purpose of data processing|Alerting customers about special offers such as providing home delivery; paying suppliers; salary and social security coverage for employees| |The types of personal data|Contact details of customers; contact details of suppliers; employee data| Such documents should include the information listed below. 
|The technical and organizational security measures to protect the personal data|IT system solutions regularly updated; secured location; access control; data encryption; data backup| |Whether personal data is transferred to recipients outside the EU|Use of a processor outside the EU (for example, storage in the cloud); data location of the processor; contractual commitments| -</br> --You can find MicrosoftΓÇÖs contractual commitments with regard to the GDPR in the [Microsoft Online Services Data Protection Addendum](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=2&Keyword=DPA), which provides MicrosoftΓÇÖs privacy and security commitments, data processing terms and GDPR Terms for Microsoft-hosted services to which customers subscribe under a volume licensing agreement. -+You can find MicrosoftΓÇÖs contractual commitments with regard to the GDPR in the [Microsoft Online Services Data Protection Addendum](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=2&Keyword=DPA), which provides MicrosoftΓÇÖs privacy and security commitments, data processing terms and GDPR Terms for Microsoft-hosted services to which customers subscribe under a volume licensing agreement. ### Step 6: Make sure your subcontractors respect the rules If you sub-contract processing of personal data to another company, only use a service provider who guarantees the processing in compliance with the requirements of the GDPR (for instance, security-measures). --+measures). ### Step 7: Assign someone to oversee personal data protection- + To better protect personal data, organizations might have to appoint a <b>Data Protection Officer (DPO)</b>. However, you may not need to designate a Data Protection Officer if processing of personal data isnΓÇÖt a core part of your business, or if you are a small business. For example, if your business only collects data on your customers for home delivery, you should not need to appoint a DPO. 
Even if you need to make use of a DPO, these duties might be assigned to an existing employee in addition to his/her other tasks. Or you could choose to hire an external consultant for this duty as needed. of personal data isnΓÇÖt a core part of your business, or if you are a small bus You normally donΓÇÖt need to carry out a [Data Protection Impact Assessment](https://gdpr.eu/article-35-impact-assessment/). This is reserved for businesses that pose more risk to personal data (for example, if they do a large-scale monitoring of a publicly accessible area, such as video-surveillance). If you are a small business managing employee wages and a list-of clients, you typically do not need to do a Data Protection Impact Assessment. - +of clients, you typically do not need to do a Data Protection Impact Assessment. - ## Common small business questions about the GDPR ### I'm a sole proprietor - do I really have to worry about the GDPR? The GDPR is about the data you process, not the number of employees you have. It affects companies of all sizes, even sole proprietors. However, companies with fewer than 250 employees do have some exemptions, such as reduced record keeping, but only if you are sure the data processing doesn't affect the individual's rights and is occasional processing.- + As an example, processing of non-personal data would be exempt or need reduced measures. However, if you process any data that is seen as "special category sensitive data", even if it only occasionally, you will have to record this data processing. The definition of "occasional processing" is vague, but it's meant to apply to data that is used once or rarely.- -You should also make sure that personal data that you collect is protected. This means that you need to encrypt it and make sure that access to it is controlled using at least a password. Keeping your customer data on a spreadsheet on your desktop with no protection won't meet GDPR expectations. 
- ++You should also make sure that personal data that you collect is protected. This means that you need to encrypt it and make sure that access to it is controlled using at least a password. Keeping your customer data on a spreadsheet on your desktop with no protection won't meet GDPR expectations. + ### How can I tell if our company website is GDPR compliant? The first question to ask yourself is: Do you collect personal data anywhere on your site? For example, you might have a contact form that asks for a name and email address. If you want to send marketing emails, make sure you add an 'opt-in' checkbox that explains exactly what you will use the data for. Only if the recipient checks that box can you use their personal data for marketing purposes.- -Also, check that the database that stores the data is protected. Your web hosting company or cloud storage vendor will be able to advise on this. If you use Microsoft 365 for business, storage of data is GDPR-compliant. - ++Also, check that the database that stores the data is protected. Your web hosting company or cloud storage vendor will be able to advise on this. If you use Microsoft 365 for business, storage of data is GDPR-compliant. + ### My company is outside Europe. Does the GDPR really affect us? The GDPR is a regulation that protects EU citizens. If your company deals with EU citizens now, or you hope to in the future, you will be affected. This applies to both citizens living in an EU State and those living elsewhere.- + Consider the following examples:- -- A U.S. company that hires cars to EU citizens will need to satisfy GDPR requirements when they collect and process the customer's data. The company will be required to take consent when they take the customer's data and ensure that the data is stored securely. They will also need to make sure the customer can apply all of their data subject rights. - -- An Australian company sells products online, and its users set up online accounts. 
GDPR data subject rights and consent will be applied to EU citizens who open an account. The company will need to make sure the customer can apply all of their data subject rights. - ++- A U.S. company that hires cars to EU citizens will need to satisfy GDPR requirements when they collect and process the customer's data. The company will be required to take consent when they take the customer's data and ensure that the data is stored securely. They will also need to make sure the customer can apply all of their data subject rights. ++- An Australian company sells products online, and its users set up online accounts. GDPR data subject rights and consent will be applied to EU citizens who open an account. The company will need to make sure the customer can apply all of their data subject rights. + - An international charity collects data about donors and uses it to send out updates and requests for donations. The GDPR states: '...the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." However, the responsibility is on the organization to prove their interests override those of the data subject. The company (or in this case, the charitable organization) should always get informed, explicit, opt-in consent.- + The GDPR also applies if customer data moves across borders. If you use cloud computing for data storage, you will need to make sure the service is fully GDPR-compliant. It can get complicated if data storage is in locations that have a poor record of data protection. If you use Microsoft 365 for business, we have the correct legal documentation in place to cover GDPR requirements.- + ### Sure, I collect data, but some other company stores it. Does that get me off the hook? -Under the GDPR, if you collect data you are affected to some extent. 
The GDPR has the concept of a data processor and a data controller: - -- **Data Controller:** An individual or organization (you can have joint controllers) that decides how, what, and why data is collected. They may store it using another company's cloud servers. For example, a website that collects customer data is a controller. - -- **Data Processor:** An individual or organization that stores data on behalf of the controller(s) and processes these data upon request. For example, Microsoft 365 Apps for business data storage acts as a processor and is fully GDPR compliant. - +Under the GDPR, if you collect data you are affected to some extent. The GDPR has the concept of a data processor and a data controller: ++- **Data Controller:** An individual or organization (you can have joint controllers) that decides how, what, and why data is collected. They may store it using another company's cloud servers. For example, a website that collects customer data is a controller. ++- **Data Processor:** An individual or organization that stores data on behalf of the controller(s) and processes these data upon request. For example, Microsoft 365 Apps for business data storage acts as a processor and is fully GDPR compliant. + An organization or system can act as both a controller and a processor. Microsoft 365 for business can act as both and complies with the GDPR.- + ### Can I still send out marketing emails to my old customers? -You need to make sure your customers, even ones that you've had for years, have consented to use their data for marketing. You may have previously captured consent, as well as a record to show it. If so, you're all set to continue marketing. If not, you need to get permission from the customer to continue marketing to them. This usually involves sending an email asking customers to go to your site and select an option to consent to receive future emails. 
- +You need to make sure your customers, even ones that you've had for years, have consented to use their data for marketing. You may have previously captured consent, as well as a record to show it. If so, you're all set to continue marketing. If not, you need to get permission from the customer to continue marketing to them. This usually involves sending an email asking customers to go to your site and select an option to consent to receive future emails. + ### Do I have to worry about the GDPR when I recruit new employees? What about current employees? The GDPR doesn't just affect customer data; it extends to employee data, too. New recruits are often located using social media platforms such as LinkedIn. Make sure that you don't store any potential recruit data without their express permission.- + As for existing employees and new employee contracts, a signature at the end of a contract does not necessarily assume consent, especially when a non-affirmative clause is used in a contract. In this case, you must capture consent in an explicit manner associated with the clause. What this means depends on your employee contract, but you can use "legitimate interest" in some cases and add an employee data processing notice to make sure your employees are aware of what you will do with their data.- + ## Satisfy privacy concerns using Microsoft 365 for business -Becoming compliant with the GDPR is about making sure that personal data is protected. The GDPR has a concept known as Privacy by Design and Default. This means that data protection should be "baked in" to a system and a product so that satisfying privacy concerns is second nature. - +Becoming compliant with the GDPR is about making sure that personal data is protected. The GDPR has a concept known as Privacy by Design and Default. This means that data protection should be "baked in" to a system and a product so that satisfying privacy concerns is second nature. 
+ Like their larger counterparts, a small business needs convenience without sacrificing security. Microsoft 365 for business is designed for companies of fewer than 300 employees. Small companies can use Microsoft cloud-based tools to improve business productivity. With Microsoft 365 for business, a small business can manage emails, documentation, and even meetings and events. It also has built-in security measures and device management, which are vital for GDPR compliance.- + Microsoft 365 for business can help you with the GDPR process in the following ways:- -- **Discover:** An important step to GDPR compliance is knowing what data you have. - -- **Manage:** Controlling access to data and managing its use is an integral part of GDPR. Microsoft 365 for business protects business data based on policies you want to apply to devices. Device management is vital in an age where employees work remotely. Microsoft 365 for business includes device management features that make sure data is protected across all devices. For example, you can specify that all Windows 10 devices in your business are protected via Windows Defender. - -- **Protect:** Microsoft 365 for business is designed for security. Its device management and data protection controls work across your business network, including remote devices, to help keep data secure. Microsoft 365 for business offers controls such as privacy settings in Microsoft 365 apps and encryption of documents. With Microsoft 365 for business, you can perform GDPR compliance monitoring to make sure you have the right level of protection set. - -- **Report:** The GDPR places a lot of emphasis on reporting. Even a business with a single employee, if that business processes large amounts of data, is required to document and report on their procedures. Microsoft 365 for business takes the headache out of reporting requirements for smaller organizations. - Tools such as audit logs allow you to track and report on data movement. 
Reports include classifying the data you collect and store, what you do with the data, and transfers of the data. +- **Discover:** An important step to GDPR compliance is knowing what data you have. -Customers, employees, and clients are becoming more aware of the importance of data privacy and now expect a company or organization to respect that privacy. Microsoft 365 for business provides you with the tools to achieve and maintain GDPR compliance without a massive upheaval to your business. +- **Manage:** Controlling access to data and managing its use is an integral part of GDPR. Microsoft 365 for business protects business data based on policies you want to apply to devices. Device management is vital in an age where employees work remotely. Microsoft 365 for business includes device management features that make sure data is protected across all devices. For example, you can specify that all Windows 10 devices in your business are protected via Windows Defender. ++- **Protect:** Microsoft 365 for business is designed for security. Its device management and data protection controls work across your business network, including remote devices, to help keep data secure. Microsoft 365 for business offers controls such as privacy settings in Microsoft 365 apps and encryption of documents. With Microsoft 365 for business, you can perform GDPR compliance monitoring to make sure you have the right level of protection set. ++- **Report:** The GDPR places a lot of emphasis on reporting. Even a business with a single employee, if that business processes large amounts of data, is required to document and report on their procedures. Microsoft 365 for business takes the headache out of reporting requirements for smaller organizations. + Tools such as audit logs allow you to track and report on data movement. Reports include classifying the data you collect and store, what you do with the data, and transfers of the data. 
+Customers, employees, and clients are becoming more aware of the importance of data privacy and now expect a company or organization to respect that privacy. Microsoft 365 for business provides you with the tools to achieve and maintain GDPR compliance without a massive upheaval to your business. ## Next steps To get ready for the GDPR, here are some suggestions for next steps to take:- + - Evaluate your GDPR program with [Accountability Readiness Checklists](/compliance/regulatory/gdpr-arc).- -- Investigate [Microsoft 365 for business](/microsoft-365/business) as a solution for achieving and maintaining compliance with GDPR. - ++- Investigate [Microsoft 365 for business](/microsoft-365/business) as a solution for achieving and maintaining compliance with GDPR. > [!IMPORTANT] > Get legal advice appropriate for your company or organization.- + ## Additional resources -[Microsoft Trust Center overview of the GDPR](https://www.microsoft.com/trust-center/privacy/gdpr-overview -) - +[Microsoft Trust Center overview of the GDPR](https://www.microsoft.com/trust-center/privacy/gdpr-overview) + The Official Microsoft Blog: [Microsoft commitment to GDPR](https://blogs.microsoft.com/on-the-issues/2018/05/21/microsofts-commitment-to-gdpr-privacy-and-putting-customers-in-control-of-their-own-data/)- + European Commission sites:- + - [Data protection](https://ec.europa.eu/info/law/law-topic/data-protection)- -- [2018 reform of EU data protection rules](https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules)+- [EU data protection rules](https://commission.europa.eu/law/law-topic/data-protection/eu-data-protection-rules) |
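Review bot: three sentences that this hunk re-adds (only trailing whitespace changes) assert compliance as a property of the product, which contradicts the IMPORTANT callout in the same file: `If you use Microsoft 365 for business, storage of data is GDPR-compliant.`, `Microsoft 365 Apps for business data storage acts as a processor and is fully GDPR compliant.` and `Microsoft 365 for business can act as both and complies with the GDPR.` The callout says the solutions "are not a guarantee of GDPR compliance" and "It is up to you to assess your own compliance status." Since the lines are being touched anyway, reword them to what the page can actually support, for example that Microsoft acts as a processor under the Data Protection Addendum linked in Step 5 and that the customer's configuration and processes still determine compliance; the same applies to "we have the correct legal documentation in place to cover GDPR requirements" in the cross-border paragraph.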
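Review bot: the re-added FAQ examples treat consent as the only lawful basis ("The company will be required to take consent when they take the customer's data"; earlier, "You must take explicit consent using a 'clear affirmative act'"), yet the same hunk already relies on other bases elsewhere: Step 1's example keeps employee data "based on the employment contract and for legal reasons", the charity bullet quotes the "legitimate interest" language, and the employee paragraph says "you can use 'legitimate interest' in some cases". Suggest scoping the consent sentences to marketing and other optional uses, where the page's own opt-in checkbox guidance applies, so a reader does not conclude they must collect consent for data they need to fulfil an order or a contract. The repeated "EU citizens" framing ("whether they reside in the EU or elsewhere") is also narrower than the regulation's territorial scope, which turns on the data subject being in the EU rather than on citizenship, so "individuals in the EU" would be the safer wording throughout.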
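Review bot: the sole-proprietor answer sets a weaker security baseline than Step 4 in the same file. It says `This means that you need to encrypt it and make sure that access to it is controlled using at least a password.`, while Step 4 advises protecting files "by a strong password", managing "permissions to files and folders", and deploying DLP policies using the GDPR template. Align the FAQ with Step 4 (access controlled by permissions and a strong credential, not a single password on a file) and point back to the Step 4 features heading that this hunk renames to "Microsoft 365 features that can help in Step 4". In the "Manage" bullet, the example "all Windows 10 devices in your business are protected via Windows Defender" uses the old product name and omits Windows 11; since the bullet is being rewritten, update it to Microsoft Defender and current Windows versions.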
admin | User Invite Msa Nodomain Join | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/simplified-signup/user-invite-msa-nodomain-join.md | audience: Admin ms.localizationpriority: medium-+ - Tier1 - scotvorg - Adm_TOC-+ - AdminSurgePortfolio description: "Accept an email invitation to join a Microsoft 365 Business Standard organization using an Outlook, Yahoo, Gmail or other account." For further information about data privacy, refer to the [Terms of use](https:// ### How can I leave this business (and stop using this license)? -There are a couple of options in this case: +There are a couple of options in this case: 1. You can contact the business owner or admin of the other business and ask to be removed from that business. 2. You can remove yourself by following the steps below: - 1. Go to https://myapps.microsoft.com/. + 1. Go to <https://myapps.microsoft.com/>. 2. Sign in to your account, and select your profile initials. 3. Select **View account** > **Manage organizations** > **Leave organization** 4. Select **Leave** > **OK**. ### IΓÇÖm getting an error saying IΓÇÖm part of another business. What do I do? -You will need to leave your previous Microsoft 365 Business subscription first. Either talk to your previous technical admin or business owner and ask them to remove you. You can also visit [https://myaccount.microsoft.com/](https://myaccount.microsoft.com/) and follow the steps below. +You will need to leave your previous Microsoft 365 Business subscription first. Either talk to your previous technical admin or business owner and ask them to remove you. You can also visit <https://myaccount.microsoft.com/> and follow the steps below. 1. Sign in to your account, and select your profile initials. 2. Select **View account** > **Manage organizations** > **Leave organization** |
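Review bot: the heading `### IΓÇÖm getting an error saying IΓÇÖm part of another business. What do I do?` still contains mis-encoded apostrophes (`ΓÇÖ` is the cp437 rendering of a UTF-8 right single quotation mark), which this change leaves in place while it converts the bare URLs into angle-bracket autolinks; replace both with a plain `'` in the same pass. The two `Select **View account** > **Manage organizations** > **Leave organization**` steps also lack the terminating period that the neighbouring numbered items have.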
enterprise | Configure Services And Applications | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/configure-services-and-applications.md | If you want help getting Microsoft 365 set up, use **[FastTrack](https://www.mic |**IM and online meetings** <br> (Teams) | - [Microsoft Teams deployment overview](/microsoftteams/deploy-overview)<br> - [Meetings and conferencing in Microsoft Teams](/microsoftteams/deploy-meetings-microsoft-teams-landing-page) <br> - [Plan your Teams voice solution](/microsoftteams/cloud-voice-landing-page) | | **File storage & sharing** <br> (OneDrive and SharePoint) | - [Set up Microsoft 365 file storage and sharing](https://support.office.com/article/7aa9cdc8-2245-4218-81ee-86fa7c35f1de#BKMK_WhatDif): Learn when you should use OneDrive to store files and when you should use SharePoint team sites <br> - Use the [OneDrive setup guide](https://aka.ms/OD4Bguidance) to get customized setup guidance | |**Microsoft 365 applications** | - Microsoft 365 administrators should use the [Office Deployment Guide](/deployoffice) to get help planning a Microsoft 365 Apps for enterprise deployment or upgrade. <br> - [Power BI for Microsoft 365 admin center](https://support.office.com/article/Power-BI-for-Office-365-Admin-Center-Help-5e391ecb-500c-47a3-bd0f-a6173b541044) <br> - [Get started with Project for the web](/project-for-the-web/projectforweb-admin-home). 
<br> - [Microsoft Intune deployment advisor](/mem/intune/) |-|**Enterprise Social** <br> (Viva Engage) | - [Use Viva Engage with Microsoft 365](https://support.office.com/article/Plan-for-yammer-integration-with-Office-365-4086681f-6de1-4d39-aa72-752b2af1cbd7) <br> - Use the [Viva Engage Enterprise setup guide](https://aka.ms/yammerdeploy) to get customized setup guidance | +|**Enterprise Social** <br> (Viva Engage) | - [Introducing Microsoft Viva Engage](/viva/engage/overview) <br> - Use the [Viva Engage Enterprise setup guide](https://aka.ms/yammerdeploy) to get customized setup guidance | |
enterprise | Cross Tenant Sharepoint Migration Step5 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step5.md | description: "Step 5 of the SharePoint Cross-tenant migration feature" # Step 5: Identity mapping (preview) ->[!Note] ->Cross-Tenant SharePoint migration is currently in a private preview stage of development. As an unfinished project, any information or availability is subject to change at any time. Support for private-preview customers will be handled via email. Cross-Tenant SharePoint migration is covered by the preview terms of the [Microsoft Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). +> [!NOTE] +> Cross-Tenant SharePoint migration is currently in a private preview stage of development. As an unfinished project, any information or availability is subject to change at any time. Support for private-preview customers will be handled via email. Cross-Tenant SharePoint migration is covered by the preview terms of the [Microsoft Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). This is Step 5 in a solution designed to complete a Cross-tenant SharePoint migration. To learn more, see [Cross-tenant SharePoint migration overview](cross-tenant-SharePoint-migration.md). 
This is Step 5 in a solution designed to complete a Cross-tenant SharePoint migr - Step 4: [Pre-create users and groups](cross-tenant-SharePoint-migration-step4.md) - **Step 5: [Prepare identity mapping](cross-tenant-SharePoint-migration-step5.md)** - Step 6: [Start a Cross-tenant SharePoint migration](cross-tenant-SharePoint-migration-step6.md)-- Step 7: [Post migration steps](cross-tenant-SharePoint-migration-step7.md)+- Step 7: [Post migration steps](cross-tenant-SharePoint-migration-step7.md)\n ## Create the identity mapping file There's a one-to-one relationship in the identity mapping file. You can't map t |Source Tenant Owner|Target Tenant User| |||-|admin@source.com|new.userA@target.com| -|admin@source.com|new.userB@target.com| -|admin@source.com|new.userC@target.com| +|`admin@source.com`|`new.userA@target.com`| +|`admin@source.com`|`new.userB@target.com`| +|`admin@source.com`|`new.userC@target.com`| Cross-tenant migration supports this scenario: Cross-tenant migration supports this scenario: |Source Tenant Owner|Target Tenant User| |||-|userA@source.com|new.userA@target.com| -|userB@source.com|new.userB@target.com| -|userC@source.com|new.userC@target.com| +|`userA@source.com`|`new.userA@target.com`| +|`userB@source.com`|`new.userB@target.com`| +|`userC@source.com`|`new.userC@target.com`| ### Create the CSV file There are six columns needed in your CSV file. The first three are your source v Users and groups are included in the same file. Depending on whether it's a user or group, what you enter in the column is different. In each of the columns enter values as shown in the examples. **Do NOT include column headings.** |Column|User|Group|Microsoft 365 Group|-||||:--| +||||| |1|User|Group|Group| |2|SourceTenantCompanyID|SourceTenantCompanyID|SourceTenantCompanyID| |3|SourceUserUpn|SourceGroupObjectID|SourceGroupObjectID| Users and groups are included in the same file. 
Depending on whether it's a user |5|TargetUserEmail|GroupName|M365GroupAlias| |6|UserType|GroupType|GroupType| -->[!Important] ->When creating your Identity Mapping for Group Connected sites, the Target site URL **must** align with the alias of the new Group created on the Target tenant. +> [!IMPORTANT] +> When creating your Identity Mapping for Group Connected sites, the Target site URL **must** align with the alias of the new Group created on the Target tenant. >->**Example:** ->Source site: https://contoso.sharepoint.com/teams/O365SourceGroup ->New Target Group Alias = O365TargetGroup +> **Example:** >->In your Identity Mapping file the Target site needs to be: -> - https://fabrikam.sharepoint.com/teams/**O365TargetGroup** +> - Source site: `https://contoso.sharepoint.com/teams/O365SourceGroup` +> - New Target Group Alias = O365TargetGroup >->If the Target Alias and Target URL don't align, the migration will fail. ---> [!IMPORTANT] -> **Do NOT include column headings in your CSV file.** In the examples below we include them for illustrative purposes only. +> In your Identity Mapping file the Target site needs to be: `https://fabrikam.sharepoint.com/teams/O365TargetGroup`. +> +> If the Target Alias and Target URL don't align, the migration will fail. +> +> **Do NOT include column headings in your CSV file.** In the examples below we include them for illustrative purposes only. **Users**. Enter your values as shown in this example for Users: Users and groups are included in the same file. Depending on whether it's a user :::image type="content" source="../media/cross-tenant-migration/t2t-onedrive-csv-mapping-users-example.png" alt-text="example of csv for users"::: - **Guest users**. You can map guest accounts in the source tenant to member accounts in the target tenant. You can also map a guest account in the source to a guest account in the target if the guest has been previously created. 
Enter your values as shown in this example for guests: :::image type="content" source="../media/cross-tenant-migration/t2t-onedrive-csv-mapping-users-guests.png" alt-text="csv example when mapping a guest to a member"::: To obtain Source Tenant Company ID: Once the identity mapping file has been prepared, the SharePoint Administrator on the target tenant uploads the file to SharePoint. This will allow identity mapping to occur automatically as part of the cross-tenant migration. > [!IMPORTANT]-> Before you run the *Add-SPOTenantIdentityMap -IdentityMapPath* command, save and close the identitymap.csv file on your Desktop/SharePoint/SharePoint. +> Before you run the *Add-SPOTenantIdentityMap -IdentityMapPath* command, save and close the identitymap.csv file on your Desktop/SharePoint/SharePoint. > >If the file remains open, you will receive the following error. > *Add-SPOTenantIdentityMap: The process cannot access the file 'C:\Users\myuser\Test-Identity-Map.csv' because it is being used by another process.* |
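Review bot: the rewritten Step 7 item `+- Step 7: [Post migration steps](cross-tenant-SharePoint-migration-step7.md)\n` ends with a literal backslash-n, which Markdown renders as the two characters `\n` after the link rather than as a line break; drop it and end the item with an ordinary newline like the Step 4 and Step 6 items above it.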
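Review bot: in the merged IMPORTANT block, moving the target URL into a code span (`https://fabrikam.sharepoint.com/teams/O365TargetGroup`) drops the emphasis the previous version put on the alias segment (`**O365TargetGroup**`), which is the one part of the URL the note tells the reader to match; keep the alias visibly distinguished, for example by adding "where `O365TargetGroup` is the new Group alias" after the URL, so the alignment rule stays obvious.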
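Review bot: the IMPORTANT note about `Add-SPOTenantIdentityMap -IdentityMapPath` only has its trailing whitespace trimmed here, yet it names the file `identitymap.csv` at `Desktop/SharePoint/SharePoint` (a doubled path segment) while the quoted error refers to `C:\Users\myuser\Test-Identity-Map.csv`; since the hunk touches the line anyway, use one file name and one path in both places so the reader can match the error text to the instruction.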
enterprise | Cross Tenant Sharepoint Migration Step6 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step6.md | audience: ITPro ms.localizationpriority: high-+ - SPMigration - M365-collaboration - m365initiative-migratetom365 This is Step 6 in a solution designed to complete a Cross-tenant SharePoint migr - Step 1: [Connect to the source and the tarIPs tenants](cross-tenant-SharePoint-migration-step1.md) - Step 2: [Establish trust between the source and the target tenant](cross-tenant-SharePoint-migration-step2.md) - Step 3: [Verify trust has been established](cross-tenant-SharePoint-migration-step3.md)-- Step 4: [Pre-create users and groups](cross-tenant-SharePoint-migration-step4.md) +- Step 4: [Pre-create users and groups](cross-tenant-SharePoint-migration-step4.md) - Step 5: [Prepare identity mapping](cross-tenant-SharePoint-migration-step5.md) - **Step 6: [Start a Cross-tenant SharePoint migration](cross-tenant-SharePoint-migration-step6.md)** - Step 7: [Post migration steps](cross-tenant-SharePoint-migration-step7.md) Now you're ready to start your SharePoint migration. Before starting any cross-t 2. To start the migration, a SharePoint Online Admin or Microsoft 365 Global Admin of the source tenant must run the following command: -```PowerShell -Start-SPOCrossTenantGroupContentMove  -SourceSiteUrl <…> -TargetSiteUrl <…> -TargetCrossTenantHostUrl| <…> --``` + ```PowerShell + Start-SPOCrossTenantGroupContentMove  -SourceSiteUrl <…> -TargetSiteUrl <…> -TargetCrossTenantHostUrl| <…> + ``` -|Parameters|Description| -||| -|SourceSiteUrl|Full URL of the SharePoint Site of the Source tenant, for example: https://sourcetenant.sharepoint.com/sites/sitename | -|TargetSiteUrl |Full URL of the SharePoint Site of the Target tenant, for example: https://targettenant.sharepoint.com/sites/newsitename | -|TargetCrossTenantHostUrl|The Cross-tenant host URL of the target tenant. 
The target tenant Admin can determine the TargetCrossTenantHostUrl by running *Get-SPOCrossTenantHostUrl* on their tenant.| -| + |Parameters|Description| + ||| + |SourceSiteUrl|Full URL of the SharePoint Site of the Source tenant, for example: `https://sourcetenant.sharepoint.com/sites/sitename`.| + |TargetSiteUrl |Full URL of the SharePoint Site of the Target tenant, for example: `https://targettenant.sharepoint.com/sites/newsitename`.| + |TargetCrossTenantHostUrl|The Cross-tenant host URL of the target tenant. The target tenant Admin can determine the TargetCrossTenantHostUrl by running *Get-SPOCrossTenantHostUrl* on their tenant.| ### Start a SharePoint Microsoft 365 Group connected site cross-tenant migration Start-SPOCrossTenantGroupContentMove  -SourceSiteUrl <…> -TargetSiteUrl < 2. To start the migration, a SharePoint Online Admin or Microsoft 365 Global Admin of the source tenant must run the following command: -```powershell -Start-SPOCrossTenantGroupContentMove  -SourceGroupAlias <…> -TargetGroupAlias <…> -TargetCrossTenantHostUrl <…> --``` --|Parameters|Description| -||| -|SourceGroupAlias|Alias of the Microsoft 365 Group connected to the SharePoint Site on the Source tenant. For example: SourceGroup1| -|TargetGroupAlias|Alias of the Microsoft 365 that was created on the target tenant | -|TargetCrossTenantHostUrl|The Cross-tenant Host URL of the target tenant. The target tenant Admin can determine the TargetCrossTenantHostUrl by running *Get-SPOCrossTenantHostUrl* on their tenant| + ```powershell + Start-SPOCrossTenantGroupContentMove  -SourceGroupAlias <…> -TargetGroupAlias <…> -TargetCrossTenantHostUrl <…> + ``` + |Parameters|Description| + ||| + |SourceGroupAlias|Alias of the Microsoft 365 Group connected to the SharePoint Site on the Source tenant. For example: SourceGroup1| + |TargetGroupAlias|Alias of the Microsoft 365 that was created on the target tenant | + |TargetCrossTenantHostUrl|The Cross-tenant Host URL of the target tenant. 
The target tenant Admin can determine the TargetCrossTenantHostUrl by running *Get-SPOCrossTenantHostUrl* on their tenant| ## Schedule a migration for a later time To schedule a migration for a later time, add one of the following parameters to For example: ```powershell- Start-SPOCrossTenantGroupContentMove  -SourceGroupAlias <…> -TargetGroupAlias <…> -TargetCrossTenantHostUrl <…> -PreferredMoveBeginDate <…>- ``` - These commands can be useful when planning bulk batches of site migrations.  You can queue and migrate up to 4,000 migrations per batch.  If your count exceeds 4,000, then separate batches can be created and scheduled to run once the current batch is close to completion. |Parameter|Description| Stop-SPOCrossTenantSiteContentMove – SourceSiteURL [URL of Site you wish to ```powershell Stop-SPOCrossTenantGroupContentMove – SourceGroupAlias [Alias of Group connected to site you wish to stop]- ``` ## Determining current status of a migration To get the status of the move based on a particular user’s UPN but with more i Example: ```PowerShell-Get-SPOCrossTenantUserContentMoveState -PartnerCrossTenantHostURL https://ttesttenant-my.sharepoint.com -SourceUserPrincipalName User3@stesttenant.onmicrosoft.com -Verbose +Get-SPOCrossTenantUserContentMoveState -PartnerCrossTenantHostURL https://ttesttenant-my.sharepoint.com -SourceUserPrincipalName User3@stesttenant.onmicrosoft.com -Verbose ``` ## Migration States |
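Review bot: the first Start command in this hunk, now indented under step 2, still reads `Start-SPOCrossTenantGroupContentMove -SourceSiteUrl <…> -TargetSiteUrl <…> -TargetCrossTenantHostUrl| <…>`; the `|` after `-TargetCrossTenantHostUrl` is a stray pipe that PowerShell would parse as a pipeline operator, so drop it. The same block pairs the Group cmdlet name with site-URL parameters while the stop counterpart further down is `Stop-SPOCrossTenantSiteContentMove`; verify which cmdlet the site-based move actually uses so the start/stop pair is consistent. In the second parameter table, `TargetGroupAlias|Alias of the Microsoft 365 that was created on the target tenant` is missing the word `Group`.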
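Review bot: the Stop examples left as context in this hunk, `Stop-SPOCrossTenantSiteContentMove – SourceSiteURL [...]` and `Stop-SPOCrossTenantGroupContentMove – SourceGroupAlias [...]`, use an en dash followed by a space instead of `-SourceSiteURL` / `-SourceGroupAlias`, so they can't be pasted into PowerShell as written; use a plain hyphen attached to the parameter name, as the Start examples do. The step 1 link text `Connect to the source and the tarIPs tenants` also has a corrupted word where `target` is meant.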
enterprise | Exchange 2007 End Of Support | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/exchange-2007-end-of-support.md | If you decided to keep your email on-premises, use the following resources to he - [Exchange Deployment Assistant](/exchange/exchange-deployment-assistant) -- Active Directory schema changes for Exchange [2016](/Exchange/plan-and-deploy/active-directory/ad-schema-changes), [2013](/exchange/exchange-2013-active-directory-schema-changes-exchange-2013-help), [2010](https://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5401)+- Active Directory schema changes for Exchange [2016](/Exchange/plan-and-deploy/active-directory/ad-schema-changes), [2013](/exchange/exchange-2013-active-directory-schema-changes-exchange-2013-help), [2010](/previous-versions/office/developer/exchange-server-2010/dd877014(v=exchg.140)) - System requirements for Exchange [2016](/Exchange/plan-and-deploy/system-requirements), [2013](/exchange/exchange-2013-system-requirements-exchange-2013-help), [2010](/previous-versions/office/exchange-server-2010/aa996719(v=exchg.141)) |
enterprise | Microsoft 365 Ediscovery Throttling Service Advisory | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-ediscovery-throttling-service-advisory.md | You can expect to see this type of advisory until the time where the Search and ## More information -- For information about troubleshooting and resolving eDiscovery compliance issues, see [Microsoft Purview troubleshooting](/troubleshoot/microsoft-365-compliance-welcome).+- For information about troubleshooting and resolving eDiscovery compliance issues, see [Microsoft Purview troubleshooting](/microsoft-365/troubleshoot/microsoft-365-compliance-welcome). - For information about Microsoft Purview, see [What is Microsoft Purview?](/purview/purview) - To learn more about Microsoft Purview eDiscovery solutions, see [Microsoft Purview eDiscovery solutions](~/compliance/ediscovery.md) |
enterprise | Microsoft 365 Mailbox Utilization Service Alerts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-mailbox-utilization-service-alerts.md | Title: "Mailbox utilization service alerts" Previously updated : 08/10/2021 Last updated : 1/26/2024 audience: Admin description: "Use mailbox utilization service advisories to monitor mailboxes on # Service advisories for mailbox utilization in Exchange Online monitoring -We've released a new Exchange Online service advisory that informs you of mailboxes that are on hold that are at risk of reaching or exceeding their quota. These service advisories provide visibility to the number of mailboxes in your organization that may require admin intervention. +An Exchange Online service advisory informs you about mailboxes that are on hold and at risk of reaching or exceeding their quota. These service advisories provide visibility to the number of mailboxes in your organization that might require admin intervention. -These service advisories are displayed in the Microsoft 365 admin center. To view these service advisories, you can go to **Health** > **Service health** > **Exchange Online** and then look for **Mailbox Storage Limits** under the **Organization Scenarios** or you can go **Health** > **Service health** > **Exchange Online** and click the **Active issues** tab. Here is an example of a mailbox utilization service advisory under active issues. +These service advisories are displayed in the Microsoft 365 admin center. To view these service advisories, you can go to **Health** \> **Service health** \> **Exchange Online** and then look for **Mailbox Storage Limits under the Organization Scenarios**, or you can go **Health** \> **Service health** \> **Exchange Online** and select the **Active issues** tab. Here's an example of a mailbox utilization service advisory under active issues. :::image type="content" alt-text="Mailbox utilization service alert." 
source="../media/MailboxUtilizationServiceAlert.png" lightbox="../media/MailboxUtilizationServiceAlert.png"::: -When you access the service advisory, youΓÇÖll see a link under User Impact. Clicking on that link will produce a flyout window which lists impacted mailbox guids for your tenant. This list will be limited to no more than 155 mailboxes. +When you access the service advisory, you see a link under **User Impact**. Selecting that link opens a flyout window that lists affected mailbox GUIDs for your tenant. This list is limited to no more than 155 mailboxes. :::image type="content" alt-text="Mailbox utilization service alert details view" source="../media/MailboxUtilizationAffectedMailboxes.png" lightbox="../media/MailboxUtilizationAffectedMailboxes.png"::: -If your tenant exceeds more than 155 mailboxes at or nearing their storage quota, please visit your admin portal and access your mailbox usage report. Alternatively, the direct URL to the mailbox usage report is <https://admin.microsoft.com/Adminportal/Home?source=applauncher#/reportsUsage/MailboxUsage>. +If your tenant exceeds more than 155 mailboxes at or nearing their storage quota, visit your admin portal and access your mailbox usage report. Alternatively, the direct URL to the mailbox usage report is <https://admin.microsoft.com/Adminportal/Home?source=applauncher#/reportsUsage/MailboxUsage>. > [!NOTE] > The mailbox usage report information could be 24 hours behind your mailbox utilization service advisory alert. ## What do these service advisories indicate? -The service advisories for mailbox utilization inform admins about mailboxes on hold that are nearing the mailbox storage quota. The type of holds that that can be placed on mailboxes include Litigation holds, eDiscovery hold, and Microsoft 365 retention policies (that are configured to retain data). When a mailbox is on hold, users (or automated processes) cannot permanently remove data from their mailbox. 
Instead, admins should configure Messaging Records Management (MRM) retention policies in Exchange Online (in line with their organization's compliance policies related to data retention) to move data from a user's primary mailbox to their archive mailbox. +The service advisories for mailbox utilization inform admins about mailboxes on hold that are nearing the mailbox storage quota. The type of holds that that can be placed on mailboxes include Litigation holds, eDiscovery hold, and Microsoft 365 retention policies (that are configured to retain data). When a mailbox is on hold, users (or automated processes) can't permanently remove data from their mailbox. Instead, admins should configure Messaging Records Management (MRM) retention policies in Exchange Online (in line with their organization's compliance policies related to data retention) to move data from a user's primary mailbox to their archive mailbox. -If a mailbox on hold does not have an archive and reaches a critical or warning state, admins should [enable archive mailboxes](../compliance/enable-archive-mailboxes.md) and [enable auto-expanding archiving](../compliance/enable-autoexpanding-archiving.md). Make sure the retention period for the archive policy assigned to the mailbox (which moves email from the primary mailbox to the archive mailbox) only retains data in the main mailbox for as long as needed. If nothing is done to resolve the quota issues identified by the mailbox utilization service advisory, users might not be able to send or receive email messages or meeting invites. +If a mailbox on hold doesn't have an archive and reaches a critical or warning state, admins should [enable archive mailboxes](../compliance/enable-archive-mailboxes.md) and [enable auto-expanding archiving](../compliance/enable-autoexpanding-archiving.md). 
Make sure the retention period for the archive policy assigned to the mailbox (which moves email from the primary mailbox to the archive mailbox) only retains data in the main mailbox for as long as needed. If nothing is done to resolve the quota issues identified by the mailbox utilization service advisory, users might not be able to send or receive email messages or meeting invites. ### Mailboxes on hold without an archive -If a mailbox is on hold and is nearing or has reached its quota and does not have an archive, an admin may [enable an archive mailbox](../compliance/enable-archive-mailboxes.md) (and potentially [enable auto-expanding archiving](../compliance/enable-autoexpanding-archiving.md)) along with ensuring an MRM archive policy is applied to the mailbox. (An MRM archive policy is a retention policy in Exchange Online that moves items to the archive mailbox.) For more information about how holds interact with quotas and recommended quota sizes for the main mailbox and Recoverable Items folder, see [Increase the Recoverable Items quota for mailboxes on hold](../compliance/ediscovery-increase-the-recoverable-quota-for-mailboxes-on-hold.md). +If a mailbox is on hold and is nearing or has reached its quota and doesn't have an archive, an admin can [enable an archive mailbox](../compliance/enable-archive-mailboxes.md) (and potentially [enable auto-expanding archiving](../compliance/enable-autoexpanding-archiving.md)) along with ensuring an MRM archive policy is applied to the mailbox. (An MRM archive policy is a retention policy in Exchange Online that moves items to the archive mailbox.) For more information about how holds interact with quotas and recommended quota sizes for the main mailbox and Recoverable Items folder, see [Increase the Recoverable Items quota for mailboxes on hold](../compliance/ediscovery-increase-the-recoverable-quota-for-mailboxes-on-hold.md). 
### Mailboxes on hold with an archive -If a mailbox is on hold, has an archive, and is nearing or has reached its Recoverable Items Quota, an admin may increase the quota for the Recoverable Items folder. For more information, see [Increase the Recoverable Items quota for mailboxes on hold](../compliance/ediscovery-increase-the-recoverable-quota-for-mailboxes-on-hold.md). +If a mailbox is on hold, has an archive, and is nearing or has reached its Recoverable Items Quota, an admin can increase the quota for the Recoverable Items folder. For more information, see [Increase the Recoverable Items quota for mailboxes on hold](../compliance/ediscovery-increase-the-recoverable-quota-for-mailboxes-on-hold.md). If an admin increases the Recoverable Items Quota, they should also make sure that an MRM archive policy that moves items to the archive mailbox is applied to the mailboxes. The retention period for the archive policy must be short enough so that items aren't retained too long in the primary mailbox before they're moved to the archive. If an admin increases the Recoverable Items Quota, they should also make sure th ### MRM retention policies in your organization -Archive retention policies may be configured in a variety of ways, depending on your organizationΓÇÖs needs. For detailed information about retention policies, see [Retention tags and retention policies in Exchange Online](/exchange/security-and-compliance/messaging-records-management/retention-tags-and-policies). An admin may view existing retention policies by running the following command: +Archive retention policies can be configured in a variety of ways, depending on your organization's needs. For detailed information about retention policies, see [Retention tags and retention policies in Exchange Online](/exchange/security-and-compliance/messaging-records-management/retention-tags-and-policies). 
An admin can view existing retention policies by running the following command: - ```powershell - Get-RetentionPolicy | FL - ``` +```powershell +Get-RetentionPolicy | FL +``` -Retention policies may be applied to and take different actions on mailboxes with or without archives. The following is a brief overview of common archive retention policy actions: +Retention policies can be applied to and take different actions on mailboxes with or without archives. The following is a brief overview of common archive retention policy actions: -* MovePrimaryToArchive and MoveDumpsterToArchive instruct the retention policy to move the contents of the main mailbox, or Recoverable Items folder respectively, to the mailboxΓÇÖs archive once the policyΓÇÖs conditions have been met. These tags are set by admins and apply regardless of a user's individual settings. - * The retention policy applied to moving Recoverable Items content should be relatively short to ensure the userΓÇÖs primary mailbox does not reach its Recoverable Items quota. -* A Personal Archive tag means this policy may be applied by users to their personal folders to archive content on the specified schedule. +- MovePrimaryToArchive and MoveDumpsterToArchive instruct the retention policy to move the contents of the main mailbox, or Recoverable Items folder respectively, to the mailbox's archive once the policy's conditions have been met. These tags are set by admins and apply regardless of a user's individual settings. + - The retention policy applied to moving Recoverable Items content should be relatively short to ensure the user's primary mailbox doesn't reach its Recoverable Items quota. +- A Personal Archive tag means this policy can be applied by users to their personal folders to archive content on the specified schedule. 
-### MRM retention policies do not function as expected +### MRM retention policies don't function as expected Administrators possess the necessary tools to evaluate the cause of a nonfunctional retention policy and address any errors. Some common scenarios of failure include the policy not being correctly applied or failure to process a mailbox. For information on troubleshooting retention policies, see [Troubleshooting Rete ## How often will I see these service advisories? -If you do not resolve the quota issues, you can expect to see this type of service advisory every seven days. Subsequent service advisories may contain higher mailbox counts for other mailboxes that are nearing their quota. If you resolve quota issues, this service advisory will only occur when another mailbox with quota issues is identified. +If you don't resolve the quota issues, you can expect to see this type of service advisory every seven days. Subsequent service advisories might contain higher mailbox counts for other mailboxes that are nearing their quota. If you resolve quota issues, this service advisory only occurs when another mailbox with quota issues is identified. ## More information -- For information about troubleshooting and resolving archive mailbox issues, see [Microsoft Purview troubleshooting](/office365/troubleshoot/microsoft-365-compliance-welcome).+- For information about troubleshooting and resolving archive mailbox issues, see [Microsoft Purview troubleshooting](/microsoft-365/troubleshoot/microsoft-365-compliance-welcome). - For guidance about identifying the holds placed on a mailbox, see [How to identify the type of hold placed on a mailbox](../compliance/ediscovery-identify-a-hold-on-an-exchange-online-mailbox.md). |
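Review bot: the rewritten navigation sentence turns `**Mailbox Storage Limits** under the **Organization Scenarios**` into `**Mailbox Storage Limits under the Organization Scenarios**`, bolding the connecting words as if they were part of a UI label; keep the two labels bolded separately so only the strings the admin has to find on screen are emphasized.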
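Review bot: `If your tenant exceeds more than 155 mailboxes at or nearing their storage quota` keeps the redundant `exceeds more than` through the rewrite; `has more than 155 mailboxes` says it once.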
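Review bot: the rewritten paragraph still carries the doubled `that` in `The type of holds that that can be placed on mailboxes`, and the list that follows mixes number (`Litigation holds, eDiscovery hold`); since this hunk rewrites the line anyway, fix both here.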
enterprise | Microsoft Azure Architectures For Sharepoint 2013 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-azure-architectures-for-sharepoint-2013.md | audience: ITPro ms.localizationpriority: medium-+ - scotvorg - Ent_O365 f1.keywords: - CSH-+ - Ent_Architecture - seo-marvel-apr2020 ms.assetid: 98fc1006-9399-4ff0-a216-c7c05820d822-description: Learn which types of SharePoint 2013 solutions can be hosted in Microsoft Azure virtual machines, and how to set up Azure to host one. +description: Learn which types of SharePoint 2013 solutions can be hosted in Microsoft Azure virtual machines, and how to set up Azure to host one. # Microsoft Azure Architectures for SharePoint 2013 Azure is a good environment for hosting a SharePoint Server 2013 solution. In most cases, we recommend Microsoft 365, but a SharePoint Server farm hosted in Azure can be a good option for specific solutions. This article describes how to architect SharePoint solutions so they are a good fit in the Azure platform. The following two specific solutions are used as examples:- + - [SharePoint Server 2013 Disaster Recovery in Microsoft Azure](sharepoint-server-2013-disaster-recovery-in-microsoft-azure.md)- + - [Internet Sites in Microsoft Azure using SharePoint Server 2013](internet-sites-in-microsoft-azure-using-sharepoint-server-2013.md)- + ## Recommended SharePoint solutions for Azure Infrastructure Services Azure infrastructure services is a compelling option for hosting SharePoint solutions. Some solutions are a better fit for this platform than others. The following table shows recommended solutions.- -|**Solution**|**Why this solution is recommended for Azure**| -|:--|:--| -|Development and test environments <br/> |It's easy to create and manage these environments. 
<br/> | -|Disaster recovery of on-premises SharePoint farms to Azure <br/> |**Hosted secondary datacenter** Use Azure instead of investing in a secondary datacenter in a different region. <br/> **Lower-cost disaster-recovery environments** Maintain and pay for fewer resources than an on-premises disaster recovery environment. The number of resources depends on the disaster recovery environment you choose: cold standby, warm standby, or hot standby. <br/> **More elastic platform** In the event of a disaster, easily scale-out your recovery SharePoint farm to meet load requirements. Scale in when you no longer need the resources. <br/> See [SharePoint Server 2013 Disaster Recovery in Microsoft Azure](sharepoint-server-2013-disaster-recovery-in-microsoft-azure.md). <br/> | -|Internet-facing sites that use features and scale not available in Microsoft 365 <br/> |**Focus your efforts** Concentrate on building a great site rather than building infrastructure. <br/> **Take advantage of elasticity in Azure** Size the farm for the demand by adding new servers, and pay only for resources you need. Dynamic machine allocation is not supported (auto scale). <br/> **Use Microsoft Entra ID** Take advantage of Microsoft Entra ID for customer accounts. <br/> **Add SharePoint functionality not available in Microsoft 365** Add deep reporting and web analytics. <br/> See [Internet Sites in Microsoft Azure using SharePoint Server 2013](internet-sites-in-microsoft-azure-using-sharepoint-server-2013.md). <br/> | -|App farms to support Microsoft 365 or on-premises environments <br/> |**Build, test, and host apps** in Azure to support both on-premises and cloud environments. <br/> **Host this role** in Azure instead of buying new hardware for on-premises environments. 
<br/> | - ++|Solution|Why this solution is recommended for Azure| +||| +|Development and test environments|It's easy to create and manage these environments.| +|Disaster recovery of on-premises SharePoint farms to Azure|**Hosted secondary datacenter** Use Azure instead of investing in a secondary datacenter in a different region. <br/> **Lower-cost disaster-recovery environments** Maintain and pay for fewer resources than an on-premises disaster recovery environment. The number of resources depends on the disaster recovery environment you choose: cold standby, warm standby, or hot standby. <br/> **More elastic platform** In the event of a disaster, easily scale-out your recovery SharePoint farm to meet load requirements. Scale in when you no longer need the resources. <br/> See [SharePoint Server 2013 Disaster Recovery in Microsoft Azure](sharepoint-server-2013-disaster-recovery-in-microsoft-azure.md).| +|Internet-facing sites that use features and scale not available in Microsoft 365|**Focus your efforts** Concentrate on building a great site rather than building infrastructure. <br/> **Take advantage of elasticity in Azure** Size the farm for the demand by adding new servers, and pay only for resources you need. Dynamic machine allocation is not supported (auto scale). <br/> **Use Microsoft Entra ID** Take advantage of Microsoft Entra ID for customer accounts. <br/> **Add SharePoint functionality not available in Microsoft 365** Add deep reporting and web analytics. <br/> See [Internet Sites in Microsoft Azure using SharePoint Server 2013](internet-sites-in-microsoft-azure-using-sharepoint-server-2013.md).| +|App farms to support Microsoft 365 or on-premises environments|**Build, test, and host apps** in Azure to support both on-premises and cloud environments. 
<br/> **Host this role** in Azure instead of buying new hardware for on-premises environments.| + For intranet and collaboration solutions and workloads, consider the following options:- + - Determine if Microsoft 365 meets your business requirements or can be part of the solution. Microsoft 365 provides a rich feature set that is always up to date.- -- If Microsoft 365 does not meet all your business requirements, consider a standard implementation of SharePoint 2013 on premises from Microsoft Consulting Services (MCS). A standard architecture can be a quicker, cheaper, and easier solution for you to support than a customized one. - ++- If Microsoft 365 does not meet all your business requirements, consider a standard implementation of SharePoint 2013 on premises from Microsoft Consulting Services (MCS). A standard architecture can be a quicker, cheaper, and easier solution for you to support than a customized one. + - If a standard implementation doesn't meet your business requirements, consider a customized on-premises solution.- + - If using a cloud platform is important for your business requirements, consider a standard or customized implementation of SharePoint 2013 hosted in Azure infrastructure services. SharePoint solutions are much easier to support in Azure than other non-native Microsoft public cloud platforms.- + ## Before you design the Azure environment While this article uses example SharePoint topologies, you can use these design concepts with any SharePoint farm topology. 
Before you design the Azure environment, use the following topology, architecture, capacity, and performance guidance to design the SharePoint farm:- + - [Architecture design for SharePoint 2013 IT pros](/SharePoint/technical-reference/technical-diagrams)- + - [Plan for performance and capacity management in SharePoint Server 2013](/SharePoint/administration/performance-planning-in-sharepoint-server-2013)- + ## Determine the Active Directory domain type Each SharePoint Server farm relies on Active Directory to provide administrative accounts for farm setup. At this time, there are two options for SharePoint solutions in Azure. These are described in the following table.- -|**Option**|**Description**| -|:--|:--| -|Dedicated domain <br/> |You can deploy a dedicated and isolated Active Directory domain to Azure to support your SharePoint farm. This is a good choice for public-facing Internet sites. <br/> | -|Extend the on-premises domain through a cross-premises connection <br/> |When you extend the on-premises domain through a cross-premises connection, users access the SharePoint farm via your intranet as if it were hosted on-premises. You can take advantage of your on-premises Active Directory and DNS implementation. <br/> A cross-premises connection is required for building a disaster-recovery environment in Azure to fail over to from your on-premises farm. <br/> | - ++|Option|Description| +||| +|Dedicated domain|You can deploy a dedicated and isolated Active Directory domain to Azure to support your SharePoint farm. This is a good choice for public-facing Internet sites.| +|Extend the on-premises domain through a cross-premises connection|When you extend the on-premises domain through a cross-premises connection, users access the SharePoint farm via your intranet as if it were hosted on-premises. You can take advantage of your on-premises Active Directory and DNS implementation. 
<br/> A cross-premises connection is required for building a disaster-recovery environment in Azure to fail over to from your on-premises farm.| + This article includes design concepts for extending the on-premises domain through a cross-premises connection. If your solution uses a dedicated domain, you don't need a cross-premises connection.- + ## Design the virtual network First you need a virtual network in Azure, which includes subnets on which you will place your virtual machines. The virtual network needs a private IP address space, portions of which you assign to the subnets.- -If you are extending your on-premises network to Azure through a cross-premises connection (required for a disaster recovery environment), you must choose a private address space that is not already in use elsewhere in your organization network, which can include your on-premises environment and other Azure virtual networks. - -**Figure 1: On-premises environment with a virtual network in Azure** ++If you are extending your on-premises network to Azure through a cross-premises connection (required for a disaster recovery environment), you must choose a private address space that is not already in use elsewhere in your organization network, which can include your on-premises environment and other Azure virtual networks. ++**Figure 1: On-premises environment with a virtual network in Azure**: ![Microsoft Azure virtual network design for a SharePoint solution. One subnet for the Azure gateway. One subnet for the virtual machines.](../media/OPrrasconWA-AZarch.png)- + In this diagram:- + - A virtual network in Azure is illustrated side-by-side to the on-premises environment. The two environments are not yet connected by a cross-premises connection, which can be a site-to-site VPN connection or ExpressRoute.- + - At this point, the virtual network just includes the subnets and no other architectural elements. 
One subnet will host the Azure gateway and other subnets host the tiers of the SharePoint farm, with an additional one for Active Directory and DNS.- + ## Add cross-premises connectivity -The next deployment step is to create the cross-premises connection (if this applies to your solution). For cross-premises connections, an Azure gateway resides in a separate gateway subnet, which you must create and assign an address space. - +The next deployment step is to create the cross-premises connection (if this applies to your solution). For cross-premises connections, an Azure gateway resides in a separate gateway subnet, which you must create and assign an address space. + When you plan for a cross-premises connection, you define and create an Azure gateway and connection to an on-premises gateway device.- -**Figure 2: Using an Azure gateway and an on-premises gateway device to provide site-to-site connectivity between the on-premises environment and Azure** ++**Figure 2: Using an Azure gateway and an on-premises gateway device to provide site-to-site connectivity between the on-premises environment and Azure**: ![On-premises environment connected to an Azure virtual network by a cross-premise connection, which can be a site-to-site VPN connection or ExpressRoute.](../media/AZarch-VPNgtwyconnct.png)- + In this diagram:- + - Adding to the previous diagram, the on-premises environment is connected to the Azure virtual network by a cross-premise connection, which can be a site-to-site VPN connection or ExpressRoute.- + - An Azure gateway is on a gateway subnet.- + - The on-premises environment includes a gateway device, such as a router or VPN server.- + For additional information to plan for and create a cross-premises virtual network, see [Connect an on-premises network to a Microsoft Azure virtual network](connect-an-on-premises-network-to-a-microsoft-azure-virtual-network.md).- + ## Add Active Directory Domain Services (AD DS) and DNS For disaster recovery in Azure, 
you deploy Windows Server AD and DNS in a hybrid scenario where Windows Server AD is deployed both on-premises and on Azure virtual machines.- -**Figure 3: Hybrid Active Directory domain configuration** ++**Figure 3: Hybrid Active Directory domain configuration**: ![STwo virtual machines deployed to the Azure virtual network and the SharePoint Farm subnet are replica domain controllers and DNS servers.](../media/AZarch-HyADdomainConfig.png)- -This diagram builds on the previous diagrams by adding two virtual machines to a Windows Server AD and DNS subnet. These virtual machines are replica domain controllers and DNS servers. They are an extension of the on-premises Windows Server AD environment. - ++This diagram builds on the previous diagrams by adding two virtual machines to a Windows Server AD and DNS subnet. These virtual machines are replica domain controllers and DNS servers. They are an extension of the on-premises Windows Server AD environment. + The following table provides configuration recommendations for these virtual machines in Azure. Use these as a starting point for designing your own environmentΓÇöeven for a dedicated domain where your Azure environment doesn't communicate with your on-premises environment.- -|**Item**|**Configuration**| -|:--|:--| -|Virtual machine size in Azure <br/> |A1 or A2 size in the Standard tier <br/> | -|Operating system <br/> |Windows Server 2012 R2 <br/> | -|Active Directory role <br/> |AD DS domain controller designated as a global catalog server. This configuration reduces egress traffic across the cross-premises connection. <br/> In a multidomain environment with high rates of change (this is not common), configure domain controllers on premises not to sync with the global catalog servers in Azure, to reduce replication traffic. <br/> | -|DNS role <br/> |Install and configure the DNS Server service on the domain controllers. 
<br/> | -|Data disks <br/> |Place the Active Directory database, logs, and SYSVOL on additional Azure data disks. Do not place these on the operating system disk or the temporary disks provided by Azure. <br/> | -|IP addresses <br/> |Use static IP addresses and configure the virtual network to assign these addresses to the virtual machines in the virtual network after the domain controllers have been configured. <br/> | - ++|Item|Configuration| +||| +|Virtual machine size in Azure|A1 or A2 size in the Standard tier| +|Operating system|Windows Server 2012 R2| +|Active Directory role|AD DS domain controller designated as a global catalog server. This configuration reduces egress traffic across the cross-premises connection. <br/> In a multidomain environment with high rates of change (this is not common), configure domain controllers on premises not to sync with the global catalog servers in Azure, to reduce replication traffic.| +|DNS role|Install and configure the DNS Server service on the domain controllers.| +|Data disks|Place the Active Directory database, logs, and SYSVOL on additional Azure data disks. Do not place these on the operating system disk or the temporary disks provided by Azure.| +|IP addresses|Use static IP addresses and configure the virtual network to assign these addresses to the virtual machines in the virtual network after the domain controllers have been configured.| + > [!IMPORTANT]-> Before you deploy Active Directory in Azure, read [Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100). These help you determine if a different architecture or different configuration settings are needed for your solution. 
+> Before you deploy Active Directory in Azure, read [Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100). These help you determine if a different architecture or different configuration settings are needed for your solution. ## Add the SharePoint farm Place the virtual machines of the SharePoint farm in tiers on the appropriate subnets.- -**Figure 4: Placement of SharePoint virtual machines** ++**Figure 4: Placement of SharePoint virtual machines**: ![Database servers and SharePoint server roles added to the Azure virtual network within the SharePoint Farm subnet.](../media/AZarch-SPVMsinCloudSer.png)- + This diagram builds on the previous diagrams by adding the SharePoint farm server roles in their respective tiers.- + - Two database virtual machines running SQL Server create the database tier.- + - Two virtual machines running SharePoint Server 2013 for each of the following tiers: front end servers, distributed cache servers, and back end servers.- + ## Design and fine tune server roles for availability sets and fault domains A fault domain is a grouping of hardware in which role instances run. Virtual machines within the same fault domain can be updated by the Azure infrastructure at the same time. Or, they can fail at the same time because they share the same rack. To avoid the risk of having two virtual machines on the same fault domain, you can configure your virtual machines as an availability set, which ensures that each virtual machine is in a different fault domain. If three virtual machines are configured as an availability set, Azure guarantees that no more than two of the virtual machines are located in the same fault domain.- + When you design the Azure architecture for a SharePoint farm, configure identical server roles to be part of an availability set. 
This ensures that your virtual machines are spread across multiple fault domains.- -**Figure 5: Use Azure Availability Sets to provide high availability for the SharePoint farm tiers** ++**Figure 5: Use Azure Availability Sets to provide high availability for the SharePoint farm tiers**: ![Configuration of availability sets in the Azure infrastructure for a SharePoint 2013 solution.](../media/AZenv-WinAzureAvailSetsHA.png)- + This diagram calls out the configuration of availability sets within the Azure infrastructure. Each of the following roles share a separate availability set:- + - Active Directory and DNS- + - Database- + - Back end- + - Distribute cache- + - Front end- + The SharePoint farm might need to be fine tuned in the Azure platform. To ensure high availability of all components, ensure that the server roles are all configured identically.- + Here is an example that shows a standard Internet Sites architecture that meets specific capacity and performance goals. This example is featured in the following architecture model: [Internet Sites Search Architectures for SharePoint Server 2013](https://go.microsoft.com/fwlink/p/?LinkId=261519).- -**Figure 6: Planning example for capacity and performance goals in a three-tier farm** ++**Figure 6: Planning example for capacity and performance goals in a three-tier farm**: ![Standard SharePoint 2013 Internet Sites architecture with component allocations that meet specific capacity and performance goals.](../media/AZarch-CapPerfexmpArch.png)- + In this diagram:- + - A three-tier farm is represented: web servers, application servers, and database servers.- + - The three web servers are configured identically with multiple components.- + - The two database servers are configured identically.- + - The three application servers are not configured identically. 
These server roles require fine tuning for availability sets in Azure.- + Let's look closer at the application server tier.- -**Figure 7: Application server tier before fine tuning** ++**Figure 7: Application server tier before fine tuning**: ![Example SharePoint Server 2013 application server tier before tuning for Microsoft Azure availability sets.](../media/AZarch-AppServtierBefore.png)- + In this diagram:- + - Three servers are included in the application tier.- + - The first server includes four components.- + - The second server includes three components.- + - The third server includes two components.- + You determine the number of components by the performance and capacity targets for the farm. To adapt this architecture for Azure, we'll replicate the four components across all three servers. This increases the number of components beyond what is necessary for performance and capacity. The tradeoff is that this design ensures high availability of all four components in the Azure platform when these three virtual machines are assigned to an availability set.- -**Figure 8: Application server tier after fine tuning** ++**Figure 8: Application server tier after fine tuning**: ![Example SharePoint Server 2013 application server tier after tuning for Microsoft Azure availability sets.](../media/AZarch-AppServtierAfter.png)- + This diagram shows all three application servers configured identically with the same four components.- + When we add availability sets to the tiers of the SharePoint farm, the implementation is complete.- -**Figure 9: The completed SharePoint farm in Azure infrastructure services** ++**Figure 9: The completed SharePoint farm in Azure infrastructure services**: ![Example SharePoint 2013 farm in Azure infrastructure services with virtual network, cross-premises connectivity, subnets, VMs, and availability sets.](../media/7256292f-bf11-485b-8917-41ba206153ee.png)- + This diagram shows the SharePoint farm implemented in Azure infrastructure 
services, with availability sets to provide fault domains for the servers in each tier.- + ## See Also [Microsoft 365 solution and architecture center](../solutions/index.yml)- + [Internet Sites in Microsoft Azure using SharePoint Server 2013](internet-sites-in-microsoft-azure-using-sharepoint-server-2013.md)- + [SharePoint Server 2013 Disaster Recovery in Microsoft Azure](sharepoint-server-2013-disaster-recovery-in-microsoft-azure.md) |
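Review bot: the rebuilt "Item | Configuration" table for the Azure domain controllers carries "Operating system | Windows Server 2012 R2" and "A1 or A2 size in the Standard tier" forward unchanged; Windows Server 2012 R2 left extended support in October 2023, so a reformat-only pass that preserves that row leaves the page recommending an unsupported operating system for domain controllers, which readers will copy. Update the row to a supported Windows Server release, or at minimum point it at the linked "Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines" for current OS and sizing guidance, in the same change. The same region also carries an encoding artifact in "designing your own environmentΓÇöeven for a dedicated domain" (a mis-decoded em dash) and a typo in the Figure 3 alt text "STwo virtual machines deployed"; both survive into the "+" lines and should be fixed while those lines are being touched.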
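Review bot: in the fault-domain paragraph under "Design and fine tune server roles for availability sets and fault domains", the sentence "you can configure your virtual machines as an availability set, which ensures that each virtual machine is in a different fault domain" contradicts the next one, "If three virtual machines are configured as an availability set, Azure guarantees that no more than two of the virtual machines are located in the same fault domain"; an availability set spreads VMs across at most three fault domains (two in some regions), so only the weaker statement is accurate and the first should be softened to "spreads the virtual machines across fault domains". In the Figure 5 list of roles that each get their own availability set, "Distribute cache" should read "Distributed cache", matching "distributed cache servers" in the Figure 4 text of the same hunk; both lines are unchanged context here, but the adjacent tables are being reflowed, so fix them in this pass.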
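Review bot: the "Option | Description" table for the domain type and the Figure 3 text are reflowed without a content change, but the "Extend the on-premises domain through a cross-premises connection" row and the statement that the two Azure virtual machines "are replica domain controllers and DNS servers" and "an extension of the on-premises Windows Server AD environment" together mean the on-premises forest's trust boundary now includes the Azure subnet and the site-to-site VPN or ExpressRoute link; the page should say so and point readers at restricting that subnet to the SharePoint farm subnets and the on-premises address space (the "Data disks" and "IP addresses" rows cover availability and addressing but nothing covers network exposure of the domain controllers). The "Dedicated domain" row already makes the right isolation call for public-facing Internet sites; a one-line caveat on the other row would bring the two into balance.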
frontline | Deploy Dynamic Teams At Scale | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/deploy-dynamic-teams-at-scale.md | Then, you can choose which locations you want to create dynamic frontline teams Team membership is automatically managed over time through the power of dynamic teams. As frontline workers are onboarded, offboarded, or change locations, their membership in these teams are updated accordingly. +Check out this [Microsoft Mechanics video](https://www.youtube.com/watch?v=gdkTnPdIRS4&t=461s) for an overview of how to set up and deploy your frontline dynamic teams. + > [!NOTE] > If you would like to provide feedback and improve this feature, please fill out [this form](https://forms.microsoft.com/r/DWaJXA6Dax). When evaluating the right solution for your organization, we recommend you do th ## Set up your frontline dynamic teams -1. In the left navigation of the [Teams admin center](https://admin.teams.microsoft.com), choose **Teams** > **Manage frontline teams**. +1. In the left navigation of the [Teams admin center](https://admin.teams.microsoft.com), choose **Frontline deployment** > **Manage frontline teams**. 2. In the table, choose **Setup**. :::image type="content" source="media/dtas-manage-setup.png" alt-text="Screenshot of the Manage frontline teams page, showing the Setup button." lightbox="media/dtas-manage-setup.png"::: When evaluating the right solution for your organization, we recommend you do th 1. Select **Users**, and then choose your user. 1. Copy the user's object ID. -9. Review the settings, and then choose **Finish setup.** +9. Review your settings, and then choose **Finish setup.** >[!NOTE] >Setup can take several hours to run. You can refresh the **Manage frontline teams** page to get the latest status of your setup. 
When evaluating the right solution for your organization, we recommend you do th :::image type="content" source="media/dtas-deploy-locations.png" alt-text="Screenshot of the table of locations." lightbox="media/dtas-deploy-locations.png"::: -4. Select **Deploy**. This process can take several hours depending on how many teams you're creating. After deployment is completed, you'll see the number updated in the **Frontline teams** tile. On this tile, you can download a CSV file with a list of your frontline teams. If any errors occurred, you can download the error CSV file on the **Last deployment health** tile. +4. Select **Deploy**. This process can take several hours depending on how many teams you're creating. After deployment is completed, you'll see the number updated in the **Frontline teams** card. On this card, you can download a CSV file with a list of your frontline teams. If any errors occurred, you can download the error CSV file on the **Last deployment health** card. :::image type="content" source="media/dtas-view-errors.png" alt-text="Screenshot of where you can get the CSV file on the Manage frontline teams page." lightbox="media/dtas-view-errors.png"::: You can manage your teams when changes happen in your organization. ### Create new teams for newly opened locations -1. In the left navigation of the [Teams admin center](https://admin.teams.microsoft.com), choose **Teams** > **Manage frontline teams**. +1. In the left navigation of the [Teams admin center](https://admin.teams.microsoft.com), choose **Frontline deployment** > **Manage frontline teams**. 2. In the table, choose **Deploy**. You can manage your teams when changes happen in your organization. ### Edit your frontline team settings -1. In the left navigation of the [Teams admin center](https://admin.teams.microsoft.com), choose **Teams** > **Manage frontline teams**. -2. In the **Deploy settings** column, choose **Deploy frontline teams** . +1. 
In the left navigation of the [Teams admin center](https://admin.teams.microsoft.com), choose **Frontline deployment** > **Manage frontline teams**. +2. In the **Deployment settings** column, choose **Deploy frontline dynamic teams**. 3. Edit your settings on this page, and then select **Save**. Your settings might take several hours to update. See the following table for the effects of updating your settings. |Setting |Effect on existing frontline teams |Effect on new frontline teams | The [Teams usage report](/microsoft-365/admin/activity-reports/microsoft-teams-u 5. Filter the spreadsheet based on your frontline team IDs. > [!NOTE]- > To get a list of your frontline team IDs, in the Teams admin center, go to **Teams** > **Manage frontline teams**, and then in the **Frontline teams** section, select **Download CSV**. + > To get a list of your frontline team IDs, in the Teams admin center, go to **Frontline deployment** > **Manage frontline teams**, and then in the **Frontline teams** section, select **Download CSV**. ## Frequently asked questions |
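Review bot: the navigation path changes from **Teams** > **Manage frontline teams** to **Frontline deployment** > **Manage frontline teams** in all four places in this hunk, and the column and button labels change to "Deployment settings" and "Deploy frontline dynamic teams", but the three screenshots referenced (media/dtas-manage-setup.png, media/dtas-deploy-locations.png, media/dtas-view-errors.png) and their alt text ("Screenshot of the Manage frontline teams page, showing the Setup button") are not touched; if the portal UI was renamed, recapture the images in the same change so text and pictures do not disagree. The added Microsoft Mechanics link also carries a start-time parameter (`&t=461s`); confirm that offset is intended, since it drops readers partway into the video rather than at the overview the sentence promises.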
includes | Microsoft 365 Content Updates | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-content-updates.md | +## Week of January 22, 2024 +++| Published On |Topic title | Change | +|||--| +| 1/21/2024 | [Vulnerable components](/microsoft-365/security/defender-vulnerability-management/tvm-vulnerable-components?view=o365-worldwide) | added | +| 1/22/2024 | [Review detected threats on devices and take action](/microsoft-365/business-premium/m365bp-review-threats-take-action?view=o365-worldwide) | modified | +| 1/22/2024 | [Email security with Threat Explorer in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/email-security-in-microsoft-defender?view=o365-worldwide) | modified | +| 1/22/2024 | [Manage quarantined messages and files as an admin](/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files?view=o365-worldwide) | modified | +| 1/22/2024 | [Manage allows and blocks in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-about?view=o365-worldwide) | modified | +| 1/23/2024 | [Connect to all Microsoft 365 services in a single PowerShell window](/microsoft-365/enterprise/connect-to-all-microsoft-365-services-in-a-single-windows-powershell-window?view=o365-worldwide) | modified | +| 1/23/2024 | [Prioritize incidents in Microsoft Defender XDR](/microsoft-365/security/defender/incident-queue?view=o365-worldwide) | modified | +| 1/23/2024 | [Responding to your first incident in Microsoft Defender XDR](/microsoft-365/security/defender/respond-first-incident-365-defender?view=o365-worldwide) | modified | +| 1/23/2024 | [What's new in Microsoft Defender XDR](/microsoft-365/security/defender/whats-new?view=o365-worldwide) | modified | +| 1/23/2024 | [Onboard non-Windows devices to the Microsoft Defender for Endpoint 
service](/microsoft-365/security/defender-endpoint/configure-endpoints-non-windows?view=o365-worldwide) | modified | +| 1/23/2024 | [Microsoft Defender for Endpoint demonstration scenarios](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstrations?view=o365-worldwide) | modified | +| 1/24/2024 | [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure?view=o365-worldwide) | modified | +| 1/24/2024 | [Create Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/create-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified | +| 1/24/2024 | [Get started with PowerShell for Microsoft 365](/microsoft-365/enterprise/getting-started-with-microsoft-365-powershell?view=o365-worldwide) | modified | +| 1/24/2024 | [View directory synchronization errors in Microsoft 365](/microsoft-365/enterprise/identify-directory-synchronization-errors?view=o365-worldwide) | modified | +| 1/24/2024 | [Manage SharePoint users and groups with PowerShell](/microsoft-365/enterprise/manage-sharepoint-users-and-groups-with-powershell?view=o365-worldwide) | modified | +| 1/24/2024 | [Microsoft 365 Network Connectivity Overview](/microsoft-365/enterprise/microsoft-365-networking-overview?view=o365-worldwide) | modified | +| 1/24/2024 | [Use the Page Diagnostics tool for SharePoint Online](/microsoft-365/enterprise/page-diagnostics-for-spo?view=o365-worldwide) | modified | +| 1/24/2024 | [Investigate incidents in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/investigate-incidents?view=o365-worldwide) | modified | +| 1/24/2024 | [What's new in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint?view=o365-worldwide) | modified | +| 1/24/2024 | [Security, privacy, and 
compliance](/microsoft-365/business-premium/m365bp-security-privacy-compliance?view=o365-worldwide) | added | +| 1/24/2024 | [View Defender for Office 365 reports](/microsoft-365/security/office-365-security/reports-defender-for-office-365?view=o365-worldwide) | modified | +| 1/24/2024 | [View email security reports](/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide) | modified | +| 1/24/2024 | [Manage submissions](/microsoft-365/security/office-365-security/submissions-admin?view=o365-worldwide) | modified | +| 1/25/2024 | [Allow or block URLs using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-urls-configure?view=o365-worldwide) | modified | +| 1/25/2024 | [Use the Microsoft 365 admin center to manage your Shifts connection to UKG Pro Workforce Management](/microsoft-365/frontline/shifts-connector-ukg-admin-center-manage?view=o365-worldwide) | modified | +| 1/25/2024 | [Vulnerability support in Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/fixed-reported-inaccuracies?view=o365-worldwide) | modified | +| 1/25/2024 | [Understand the Microsoft 365 E3 and E5 Extra Features license](/microsoft-365/commerce/licenses/e3-extra-features-licenses?view=o365-worldwide) | modified | +| 1/25/2024 | [Corporate communications with frontline workers](/microsoft-365/frontline/flw-corp-comms?view=o365-worldwide) | modified | +| 1/25/2024 | [Provide initial and ongoing training to help onboard your frontline workers](/microsoft-365/frontline/flw-onboarding-training?view=o365-worldwide) | modified | +| 1/25/2024 | [Microsoft 365 documentation # < 60 chars](/microsoft-365/index?view=o365-worldwide) | modified | +| 1/26/2024 | [Microsoft 365 admin center Teams app usage reports](/microsoft-365/admin/activity-reports/microsoft-teams-apps-usage?view=o365-worldwide) | modified | +| 1/26/2024 | [Migrate business email and calendar from Google 
Workspace](/microsoft-365/admin/moveto-microsoft-365/migrate-email?view=o365-worldwide) | modified | +| 1/26/2024 | [Launch your portal using the Portal launch scheduler](/microsoft-365/enterprise/portallaunchscheduler?view=o365-worldwide) | modified | +| 1/26/2024 | [OneDrive Cross-tenant OneDrive migration Step 1](/microsoft-365/enterprise/cross-tenant-onedrive-migration-step1?view=o365-worldwide) | modified | +| 1/26/2024 | [OneDrive Cross-tenant OneDrive migration Step 6](/microsoft-365/enterprise/cross-tenant-onedrive-migration-step6?view=o365-worldwide) | modified | +| 1/26/2024 | [SharePoint site Cross-tenant SharePoint migration Step 6 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step6?view=o365-worldwide) | modified | +| 1/26/2024 | [Join or leave a multitenant organization in Microsoft 365 (Preview)](/microsoft-365/enterprise/join-leave-multi-tenant-org?view=o365-worldwide) | modified | +| 1/26/2024 | [Use Office 365 Content Delivery Network (CDN) with SharePoint Online](/microsoft-365/enterprise/use-microsoft-365-cdn-with-spo?view=o365-worldwide) | modified | +| 1/26/2024 | [Manual deployment for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide) | modified | +| 1/26/2024 | [Production ring deployment using Group Policy and network share](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-network-share?view=o365-worldwide) | modified | +| 1/26/2024 | [Use network protection to help prevent Linux connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection-linux?view=o365-worldwide) | modified | +| 1/26/2024 | [Professional services supported by Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/professional-services?view=o365-worldwide) | modified | +| 1/26/2024 | [Take response actions on a device in Microsoft Defender for 
Endpoint](/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide) | modified | +| 1/26/2024 | [Incident response with Microsoft Defender XDR](/microsoft-365/security/defender/incidents-overview?view=o365-worldwide) | modified | +| 1/26/2024 | [Buy or remove licenses for a Microsoft business subscription](/microsoft-365/commerce/licenses/buy-licenses?view=o365-worldwide) | modified | +| 1/26/2024 | [Build queries using guided mode in Microsoft Defender XDR advanced hunting](/microsoft-365/security/defender/advanced-hunting-query-builder?view=o365-worldwide) | modified | +| 1/26/2024 | [Investigate data loss alerts with Microsoft Defender XDR](/microsoft-365/security/defender/dlp-investigate-alerts-defender?view=o365-worldwide) | modified | +| 1/26/2024 | [Remediate your first incident in Microsoft Defender XDR](/microsoft-365/security/defender/respond-first-incident-remediate?view=o365-worldwide) | modified | +| 1/26/2024 | [Step 7. Verify app configuration](/microsoft-365/solutions/apps-config-step-7?view=o365-worldwide) | modified | +| 1/26/2024 | [Onboard trusted vendors to collaborate in Microsoft 365](/microsoft-365/solutions/trusted-vendor-onboarding?view=o365-worldwide) | modified | +| 1/26/2024 | [Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-defender-portal?view=o365-worldwide) | modified | +| 1/26/2024 | [How Microsoft identifies malware and potentially unwanted applications](/microsoft-365/security/intelligence/criteria?view=o365-worldwide) | modified | ++ ## Week of January 15, 2024 | 12/29/2023 | [DeviceLogonEvents table in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-devicelogonevents-table?view=o365-worldwide) | modified | | 12/29/2023 | [DeviceProcessEvents table in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide) | modified | | 12/29/2023 | [DeviceRegistryEvents table in the advanced 
hunting schema](/microsoft-365/security/defender/advanced-hunting-deviceregistryevents-table?view=o365-worldwide) | modified |---## Week of December 18, 2023 ---| Published On |Topic title | Change | -|||--| -| 12/18/2023 | Options for accessing email from your mobile device | removed | -| 12/18/2023 | [Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux?view=o365-worldwide) | modified | -| 12/18/2023 | [Microsoft Defender for Cloud in Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud?view=o365-worldwide) | modified | -| 12/18/2023 | [Manage Office Scripts settings](/microsoft-365/admin/manage/manage-office-scripts-settings?view=o365-worldwide) | modified | -| 12/19/2023 | [Manage Microsoft 365 Apps licenses for devices](/microsoft-365/commerce/licenses/manage-licenses-for-devices?view=o365-worldwide) | modified | -| 12/19/2023 | [Manage self-service purchases (Users)](/microsoft-365/commerce/subscriptions/manage-self-service-purchases-users?view=o365-worldwide) | modified | -| 12/19/2023 | [Manage self-service sign-up subscriptions in the Microsoft 365 admin center](/microsoft-365/commerce/subscriptions/manage-self-service-signup-subscriptions?view=o365-worldwide) | modified | -| 12/19/2023 | [Verify eligibility for Microsoft 365 Education subscriptions](/microsoft-365/commerce/subscriptions/verify-academic-eligibility?view=o365-worldwide) | modified | -| 12/20/2023 | About the admin roles page in Microsoft 365 | removed | -| 12/20/2023 | [Assign admin roles the Microsoft 365 admin center](/microsoft-365/admin/add-users/assign-admin-roles?view=o365-worldwide) | modified | -| 12/21/2023 | [Manage payment methods for Microsoft business accounts](/microsoft-365/commerce/billing-and-payments/manage-payment-methods?view=o365-worldwide) | modified | |
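Review bot: the rows added under the new "Week of January 22, 2024" heading are consistent, but two things visible in this hunk should be fixed in the same change. The 1/25/2024 row titled "Microsoft 365 documentation # < 60 chars" is pulling a template placeholder into the link text; the placeholder lives in the source article's title metadata and should be removed there, otherwise this index keeps republishing it. Also, the retained "Week of January 15, 2024" section is followed by rows dated 12/29/2023, so the heading and the Published On column disagree; either the heading is wrong or those rows belong under an older week. Removing the "Week of December 18, 2023" section is fine if this include is a rolling window, but say so in the commit description so the deletion is not read as lost history.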
lti | Moodle Plugin Configuration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/moodle-plugin-configuration.md | You must configure the connection between the Microsoft 365 plugins and Microsof 1. The default *Teacher* role has the `local/o365:teamowner` capability, and the default *Student* role has the `local/o365:teammember` capability. > [!NOTE]-> The scheduled tasks are triggered by [Moodle Cron](https://docs.moodle.org/400/en/Cron), which needs to be configured to run frequently. Each scheduled task can have a default schedule, which can be customized. +> The scheduled tasks are triggered by [Moodle Cron](https://docs.moodle.org/403/en/Cron), which needs to be configured to run frequently. Each scheduled task can have a default schedule, which can be customized. > > - The default schedule of the **Sync users with Microsoft Entra ID** task is every minute. > - The default schedule of the **Sync Moodle courses to Microsoft Teams** task is daily at 1am in the Moodle server default time zone. After the plugins are installed and configured, you can: If you would like to review Moodle's Microsoft 365 integration guides and release notes, see these resources: -- [Microsoft 365 integration documentation on Moodle Docs](https://docs.moodle.org/400/en/Microsoft_365).+- [Microsoft 365 integration documentation on Moodle Docs](https://docs.moodle.org/403/en/Microsoft_365). |
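Review bot: bumping the Moodle Docs links from /400/ to /403/ fixes the stale targets, but the version is hard-coded in every link on this page and in the matching Open LMS page, so the same edit will be needed again at the next Moodle release; consider the unversioned docs.moodle.org/en/... path, or factor the shared NOTE block (the Cron link and the two default task schedules) into an include so one edit updates both pages. The NOTE itself is fine; "Each scheduled task can have a default schedule, which can be customized" could be tightened to "Each scheduled task has a default schedule that you can customize".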
lti | Open Lms Plugin Configuration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/open-lms-plugin-configuration.md | Register Open LMS as an application in your Microsoft Entra ID using the PowerSh - On operating systems that aren't Windows, you should only follow the manual process to register your Open LMS instance in Azure. Check the *Important* alert section below for details. > [!IMPORTANT]-> For more information on registering your Open LMS instance manually, see [Register your Open LMS instance as an application](https://docs.moodle.org/400/en/Microsoft_365#Azure_App_Creation_and_Configuration). +> For more information on registering your Open LMS instance manually, see [Register your Open LMS instance as an application](https://docs.moodle.org/403/en/Microsoft_365#Azure_App_Creation_and_Configuration). >-> Once you register your app, verify that all the Azure app permissions are applied. For more information, see [Azure app permissions](https://docs.moodle.org/400/en/Microsoft_365#Azure_app_permissions). +> Once you register your app, verify that all the Azure app permissions are applied. For more information, see [Azure app permissions](https://docs.moodle.org/403/en/Microsoft_365#Azure_app_permissions). ### Register application in Azure using PowerShell Register Open LMS as an application in your Microsoft Entra ID using the PowerSh 1. The default *Teacher* role has the `local/o365:teamowner` capability, and the default *Student* role has the `local/o365:teammember` capability. > [!NOTE]-> The scheduled tasks are triggered by [Moodle Cron](https://docs.moodle.org/400/en/Cron), which needs to be configured to run frequently. Each scheduled task can have a default schedule and can be customized. +> The scheduled tasks are triggered by [Moodle Cron](https://docs.moodle.org/403/en/Cron), which needs to be configured to run frequently. Each scheduled task can have a default schedule and can be customized. 
> > - The default schedule of the **Sync users with Microsoft Entra ID** task is every minute. > - The default schedule of the **Sync Moodle courses to Microsoft Teams** task is daily at 1 am in the Open LMS server default time zone. After the plugins are installed and configured, you can: If you would like to review Open LMS's Microsoft 365 integration guides and release notes, see these resources: -- [Microsoft 365 integration documentation on Moodle Docs](https://docs.moodle.org/400/en/Microsoft_365).+- [Microsoft 365 integration documentation on Moodle Docs](https://docs.moodle.org/403/en/Microsoft_365). |
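Review bot: same /400/ to /403/ bump as the Moodle page, with the same maintenance cost; if the two pages are kept separate, at least the IMPORTANT block and the NOTE block are duplicated verbatim and are candidates for an include. One wording point in the IMPORTANT block: "verify that all the Azure app permissions are applied" would be more useful to an admin if it said which permissions the plugin expects (or pointed at the list by name) rather than "all", so that nobody grants the registration more than the plugin needs.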
security | Advanced Features | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md | Enabling the Skype for Business integration gives you the ability to communicate > [!IMPORTANT] > This setting was used when Microsoft Defender for Office 365 and Microsoft Defender for Endpoint were in different portals previously. After the convergence of security experiences into a unified portal that is now called Microsoft Defender XDR, these settings are irrelevant and don't have any functionality associated with them. You can safely ignore the status of the control until it is removed from the portal. -This feature is only available if you have an active subscription for Office 365 E5 or the Threat Intelligence add-on. For more information, see the [Office 365 E5 product page](https://www.microsoft.com/en-us/microsoft-365/enterprise/office-365-e5?activetab=pivot:overviewtab). +This feature is only available if you have an active subscription for Office 365 E5 or the Threat Intelligence add-on. For more information, see the [Office 365 E5 product page](https://www.microsoft.com/microsoft-365/enterprise/office-365-e5?activetab=pivot:overviewtab). This feature enables you to incorporate data from Microsoft Defender for Office 365 into Microsoft Defender XDR to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices. To receive contextual device integration in Office 365 Threat Intelligence, you' ## Endpoint Attack Notifications -[Endpoint Attack Notifications](/security/defender-endpoint/endpoint-attack-notifications) enable Microsoft to actively hunt for critical threats to be prioritized based on urgency and impact over your endpoint data. 
+[Endpoint Attack Notifications](/microsoft-365/security/defender-endpoint/endpoint-attack-notifications) enable Microsoft to actively hunt for critical threats to be prioritized based on urgency and impact over your endpoint data. For proactive hunting across the full scope of Microsoft Defender XDR, including threats that span email, collaboration, identity, cloud applications, and endpoints, [learn more](https://aka.ms/DefenderExpertsForHuntingGetStarted) about Microsoft Defender Experts. |
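Review bot: the link fixes are correct (the locale dropped from the E5 product URL, and /security/defender-endpoint/ corrected to /microsoft-365/security/defender-endpoint/), but the surrounding text is now internally inconsistent: the IMPORTANT alert says the Office 365 Threat Intelligence connection setting "is irrelevant and doesn't have any functionality", yet the two paragraphs that follow still describe it as a feature that "is only available if you have an active subscription for Office 365 E5 or the Threat Intelligence add-on" and that "enables you to incorporate data from Microsoft Defender for Office 365 into Microsoft Defender XDR". Either reduce those paragraphs to a one-line legacy note or move the licensing sentence elsewhere; as written, a reader could buy the add-on expecting the toggle to do something.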
security | Android Whatsnew | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-whatsnew.md | It includes several admin controls to offer flexibility, such as the ability to > Microsoft Defender is no longer supported for versions 1.0.3011.0302 or earlier. Users are requested to upgrade to latest versions to keep their devices secure. To update, users can use the following steps:+ > 1. On your work profile, go to Managed Play Store. > 2. Tap on the profile icon on the top right corner and select "Manage apps and device". > 3. Locate MDE under updates available and select update.-> If you encounter any issues, [submit in-app feedback](/security/defender-endpoint/android-support-signin#send-in-app-feedback). +> If you encounter any issues, [submit in-app feedback](/microsoft-365/security/defender-endpoint/android-support-signin#send-in-app-feedback). ## Microsoft Defender for Endpoint is now Microsoft Defender in the Play store |
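Review bot: the line inserted after "To update, users can use the following steps:" appears to be an empty line rather than a ">" line, which terminates the NOTE blockquote and renders the three numbered steps and the feedback link outside the alert box. If a visual break inside the note is wanted, use ">" on its own, as the surrounding lines do. The path correction for the in-app feedback link (/microsoft-365/security/defender-endpoint/android-support-signin#send-in-app-feedback) is right.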
security | Linux Install With Saltack | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-saltack.md | This article describes how to deploy Defender for Endpoint on Linux using Saltst Before you get started, see [the main Defender for Endpoint on Linux page](microsoft-defender-endpoint-linux.md) for a description of prerequisites and system requirements for the current software version. -In addition, for Saltstack deployment, you need to be familiar with Saltstack administration, have Saltstack installed, have configured the Master and Minions, and know how to apply states. Saltstack has many ways to complete the same task. These instructions assume availability of supported Saltstack modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Refer to the [Saltstack documentation](https://docs.saltproject.io/) for details. +In addition, for Saltstack deployment, you need to be familiar with Saltstack administration, have Saltstack installed, configure the Master and Minions, and know how to apply states. Saltstack has many ways to complete the same task. These instructions assume availability of supported Saltstack modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Refer to the [Saltstack documentation](https://docs.saltproject.io/) for details. -- Saltstack needs to be installed on at least one computer (Saltstack calls the computer as the master).-- The Saltstack master must have accepted the managed nodes (Saltstack calls the nodes as minions) connections.-- The Saltstack minions must be able to resolve communication to the Saltstack master (be default the minions try to communicate with a machine named 'salt').+- Saltstack is installed on at least one computer (Saltstack calls the computer as the master). 
+- The Saltstack master accepted the managed nodes (Saltstack calls the nodes as minions) connections. +- The Saltstack minions are able to resolve communication to the Saltstack master (be default the minions try to communicate with a machine named 'salt'). - Rung this ping test: ```bash sudo salt '*' test.ping ```+ - The Saltstack master has a file server location where the Microsoft Defender for Endpoint files can be distributed from (by default Saltstack uses the /srv/salt folder as the default distribution point) ## Download the onboarding package Download the onboarding package from Microsoft Defender portal. ```bash ls -l ```+ ```Output total 8 -rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip ```+ ```bash unzip WindowsDefenderATPOnboardingPackage.zip -d /srv/salt/mde ```+ ```Output Archive: WindowsDefenderATPOnboardingPackage.zip inflating: /srv/salt/mde/mdatp_onboard.json Create a SaltState state file in your configuration repository (typically `/srv/ - Add the Defender for Endpoint repository and key, `install_mdatp.sls`: - Defender for Endpoint on Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. + Defender for Endpoint on Linux can be deployed from one of the following channels (described as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*. - In order to preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*. 
+ In order to preview new features and provide early feedback, we recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*. > [!WARNING] > Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location. Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/[distro]/`. - In the following commands, replace *[distro]* and *[version]* with the information you've identified. + In the following commands, replace *[distro]* and *[version]* with your information. > [!NOTE] > In case of Oracle Linux and Amazon Linux 2, replace *[distro]* with "rhel". For Amazon Linux 2, replace *[version]* with "7". For Oracle utilize, replace *[version]* with the version of Oracle Linux. Create a SaltState state file in your configuration repository (typically `/srv/ ```bash cat /srv/salt/install_mdatp.sls ```+ ```output add_ms_repo: pkgrepo.managed: - humanname: Microsoft Defender Repository {% if grains['os_family'] == 'Debian' %} - name: deb [arch=amd64,armhf,arm64] https://packages.microsoft.com/[distro]/[version]/[channel] [codename] main- - dist: [codename] + - dist: [codename] - file: /etc/apt/sources.list.d/microsoft-[channel].list - key_url: https://packages.microsoft.com/keys/microsoft.asc - refresh: true Create a SaltState state file in your configuration repository (typically `/srv/ {% endif %} ``` -- Add the package installed state to `install_mdatp.sls` after the `add_ms_repo` state defined above+- Add the package installed state to `install_mdatp.sls` after the `add_ms_repo` state as previously defined. 
```Output install_mdatp_package: Create a SaltState state file in your configuration repository (typically `/srv/ - required: add_ms_repo ``` -- Add the onboarding file deployment to `install_mdatp.sls` after the `install_mdatp_package` state defined above+- Add the onboarding file deployment to `install_mdatp.sls` after the `install_mdatp_package` as previously defined. ```Output copy_mde_onboarding_file: Create a SaltState state file in your configuration repository (typically `/srv/ - required: install_mdatp_package ``` - The completed install state file should look similar to this: + The completed install state file should look similar to this output: ```Output add_ms_repo: Create a SaltState state file in your configuration repository (typically `/srv/ - humanname: Microsoft Defender Repository {% if grains['os_family'] == 'Debian' %} - name: deb [arch=amd64,armhf,arm64] https://packages.microsoft.com/[distro]/[version]/prod [codename] main- - dist: [codename] + - dist: [codename] - file: /etc/apt/sources.list.d/microsoft-[channel].list - key_url: https://packages.microsoft.com/keys/microsoft.asc - refresh: true Create a SaltState state file in your configuration repository (typically `/srv/ pkg.installed: - name: matp - required: add_ms_repo- + copy_mde_onboarding_file: file.managed: - name: /etc/opt/microsoft/mdatp/mdatp_onboard.json Create a SaltState state file in your configuration repository (typically `/srv/ ```bash cat /srv/salt/uninstall_mdatp.sls ```+ ```Output remove_mde_onboarding_file: file.absent: - name: /etc/opt/microsoft/mdatp/mdatp_onboard.json ``` -- Add the offboarding file deployment to the `uninstall_mdatp.sls` file after the `remove_mde_onboarding_file` state defined in the previous section+- Add the offboarding file deployment to the `uninstall_mdatp.sls` file after the `remove_mde_onboarding_file` state defined in the previous section. 
+ ```Output offboard_mde: file.managed: Create a SaltState state file in your configuration repository (typically `/srv/ - source: salt://mde/mdatp_offboard.json ``` -- Add the removal of the MDATP package to the `uninstall_mdatp.sls` file after the `offboard_mde` state defined in the previous section+- Add the removal of the MDATP package to the `uninstall_mdatp.sls` file after the `offboard_mde` state defined in the previous section. + ```Output remove_mde_packages: pkg.removed: Create a SaltState state file in your configuration repository (typically `/srv/ ``` The complete uninstall state file should look similar to the following output:- + ```Output remove_mde_onboarding_file: file.absent: Now apply the state to the minions. The below command applies the state to machi ```bash salt 'mdetest*' cmd.run 'mdatp connectivity test' ```+ ```bash salt 'mdetest*' cmd.run 'mdatp health' ``` Now apply the state to the minions. The below command applies the state to machi ## Log installation issues -For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Log installation issues](linux-resources.md#log-installation-issues). +For more information on how to find the automatically generated log that's created by the installer when an error occurs, see [Log installation issues](linux-resources.md#log-installation-issues). 
## Operating system upgrades When upgrading your operating system to a new major version, you must first unin ## References - [Add or remove YUM repositories](https://docs.Saltstack.com/Saltstack/latest/collections/Saltstack/builtin/yum_repository_module.html)- - [Manage packages with the dnf package manager](https://docs.Saltstack.com/Saltstack/latest/collections/Saltstack/builtin/dnf_module.html)- - [Add and remove APT repositories](https://docs.Saltstack.com/Saltstack/latest/collections/Saltstack/builtin/apt_repository_module.html)- - [Manage apt-packages](https://docs.Saltstack.com/Saltstack/latest/collections/Saltstack/builtin/apt_module.html) ## See also+ - [Investigate agent health issues](health-status.md) [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
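Review bot: the completed install state on this page still installs the wrong package: in the install_mdatp_package state the pkg.installed entry reads "- name: matp", which should be "mdatp" (the repository and onboarding steps use mdatp throughout), so the state as shown fails on every minion. In the same states the requisite is written as "- required: add_ms_repo" and "- required: install_mdatp_package"; Salt's requisite keyword is "require", which takes a list such as "- pkgrepo: add_ms_repo", and an unrecognized "required" argument is rejected by the state system. The Debian repo line in the completed example hard-codes "/prod" in the URL while the file name is still "microsoft-[channel].list", so the placeholders no longer agree with each other or with the per-channel text above. Because mdatp_onboard.json carries the tenant onboarding blob, consider adding user, group and mode to the copy_mde_onboarding_file file.managed state so the file is not world-readable on the minion. Text nits in lines this hunk touches or sits beside: "Rung this ping test" (Run), "be default" (by default), "we recommended that" (we recommend), and "For Oracle utilize" (For Oracle Linux). Finally, the four links under ## References point at docs.Saltstack.com/Saltstack/latest/collections/Saltstack/builtin/..._module.html, which is the Ansible documentation URL layout with the product name substituted; replace them with links to the Salt pkgrepo and pkg state module documentation.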
security | Linux Update Mde Linux | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-update-mde-linux.md | Title: How to schedule an update of the Microsoft Defender for Endpoint (Linux) description: Learn how to schedule an update of the Microsoft Defender for Endpoint (Linux) to better protect your organization's assets. -keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, scans, antivirus, microsoft defender for endpoint (linux) -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium sudo crontab -e You might see: ```output-0****/etc/opt/microsoft/mdatp/logrorate.sh +0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh ``` And ```output-02**sat /bin/mdatp scan quick>~/mdatp_cron_job.log +0 2 * * sat /bin/mdatp scan quick>~/mdatp_cron_job.log ``` See [Schedule scans with Microsoft Defender for Endpoint (Linux)](linux-schedule-scan-mde.md) crontab -l crontab -u username -l ``` -### To backup crontab entries +### To back up crontab entries ```bash crontab -l > /var/tmp/cron_backup.dat |
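Review bot: expanding the cron fields to "0 * * * *" and "0 2 * * sat" fixes examples that would not have parsed, but both the old and the new first line reference /etc/opt/microsoft/mdatp/logrorate.sh, which looks like a transposition of logrotate.sh; confirm the script name before publishing. Also, because the entries are added through "sudo crontab -e", the "~/mdatp_cron_job.log" target resolves to root's home directory; an absolute path would avoid surprises when the line is copied into a different user's crontab.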
security | Linux Whatsnew | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md | This article is updated frequently to let you know what's new in the latest rele - [What's new in Defender for Endpoint on macOS](mac-whatsnew.md) - [What's new in Defender for Endpoint on iOS](ios-whatsnew.md) +<details> + <summary> January-2024 (Build: 101.23112.0009 | Release version: 30.123112.0009.0)</summary> ++## January-2024 Build: 101.23112.0009 | Release version: 30.123112.0009.0 ++ Released: **January 29,2024**<br/> + Published: **January 29, 2024**<br/> + Build: **101.23112.0009**<br/> + Release version: **30.123112.0009.0**<br/> + Engine version: **1.1.23110.4**<br/> + Signature version: **1.403.1579.0**<br/> ++**What's new** +- Updated default engine version to `1.1.23110.4`, and default signatures version to `1.403.1579.0`. +- General stability and performance improvements. +- Bug fix for behavior monitoring configuration. +- Bug fixes. ++</details> + <details> <summary> November-2023 (Build: 101.23102.0003 | Release version: 30.123102.0003.0)</summary> |
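Review bot: "Released: **January 29,2024**" is missing the space after the comma; the Published line immediately below has it. "Bug fix for behavior monitoring configuration" would be more useful to admins if it said what was misconfigured (for example whether the setting was not applied or was applied incorrectly), since behavior monitoring is a protection control they may have been relying on. Otherwise the new details block follows the existing per-release pattern.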
security | Mtd | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mtd.md | Title: Microsoft Defender for Endpoint - Mobile Threat Defense-+ description: Overview of Mobile Threat Defense in Microsoft Defender for Endpoint keywords: mobile, defender, Microsoft Defender for Endpoint, ios, mtd, android, security -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium Previously updated : 12/07/2022 Last updated : 01/28/2024 audience: ITPro Microsoft Defender for Endpoint on Android and iOS provides the below key capabi |Capability|Description| |||-|Web Protection|Anti-phishing, blocking unsafe network connections, and support for custom indicators.| +|Web Protection|Anti-phishing, blocking unsafe network connections, and support for custom indicators for URLs and domains. (File and IP indicators are not currently supported.)| |Malware Protection (Android-only)|Scanning for malicious apps.| |Jailbreak Detection (iOS-only)|Detection of jailbroken devices.| |Microsoft Defender Vulnerability Management (MDVM) |Vulnerability assessment of onboarded mobile devices. Includes OS and Apps vulnerabilities assessment for both Android and iOS. Visit this [page](next-gen-threat-and-vuln-mgt.md) to learn more about Microsoft Defender Vulnerability Management in Microsoft Defender for Endpoint.| |
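Review bot: scoping custom indicators on mobile to URLs and domains, and stating that file and IP indicators are not supported, is a useful clarification for anyone who assumed the endpoint indicator types carry over; consider linking that sentence to the indicators documentation so readers can see where the remaining indicator types do apply.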
security | Tamperprotection Macos | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tamperprotection-macos.md | Title: Protect macOS security settings with tamper protection description: Use tamper protection to prevent malicious apps from changing important macOS security settings. -keywords: macos, tamper protection, security settings, malware -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium audience: ITPro When tamper protection is set to audit or block mode, you can expect the followi - Creation of new files under Defender for Endpoint location is blocked - Deletion of Defender for Endpoint files is blocked - Renaming of Defender for Endpoint files is blocked-- Commands to stop the agent fail+- Commands to stop the agent (wdavdaemon) fail Here's an example of a system message in response to a blocked action: |
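Review bot: naming the agent process in "Commands to stop the agent (wdavdaemon) fail" is helpful; it would be worth saying in the same bullet which stop methods are covered (for example a direct kill of the process as well as unloading the service), since anyone validating tamper protection will try more than one.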
security | Troubleshoot Collect Support Log | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log.md | Last updated 12/18/2020 # Collect support logs in Microsoft Defender for Endpoint using live response - **Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-pullalerts-abovefoldlink) - When contacting support, you may be asked to provide the output package of the Microsoft Defender for Endpoint Client Analyzer tool. This topic provides instructions on how to run the tool via Live Response. 1. Download and fetch the required scripts available from within the 'Tools' sub-directory of the [Microsoft Defender for Endpoint Client Analyzer](https://aka.ms/BetaMDEAnalyzer). <br> For example, to get the basic sensor and device health logs, fetch "..\Tools\MDELiveAnalyzer.ps1".<br>-If you also require Defender Antivirus support logs (MpSupportFiles.cab), then fetch "..\Tools\MDELiveAnalyzerAV.ps1" +If you also require Defender Antivirus support logs (MpSupportFiles.cab), then fetch "..\Tools\MDELiveAnalyzerAV.ps1" 2. Initiate a [Live Response session](live-response.md#initiate-a-live-response-session-on-a-device) on the machine you need to investigate. If you also require Defender Antivirus support logs (MpSupportFiles.cab), then f > [!NOTE] >-> - The latest preview version of MDEClientAnalyzer can be downloaded here: [https://aka.ms/Betamdeanalyzer](https://aka.ms/Betamdeanalyzer). -> -> - The LiveAnalyzer script downloads the troubleshooting package on the destination machine from: https://mdatpclientanalyzer.blob.core.windows.net. 
+> - The latest preview version of MDEClientAnalyzer can be downloaded here: <https://aka.ms/Betamdeanalyzer>. +> - The LiveAnalyzer script downloads the troubleshooting package on the destination machine from: `https://mdatpclientanalyzer.blob.core.windows.net`. > > If you cannot allow the machine to reach the above URL, then upload MDEClientAnalyzerPreview.zip file to the library before running the LiveAnalyzer script: > If you also require Defender Antivirus support logs (MpSupportFiles.cab), then f > ``` > > - For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender for Endpoint cloud services, or does not appear in Microsoft Defender for Endpoint portal as expected, see [Verify client connectivity to Microsoft Defender for Endpoint service URLs](verify-connectivity.md).-> +> > - As described in [Live response command examples](live-response-command-examples.md), you may want to use the '&' symbol at the end of the command to collect logs as a background action:+> > ```console > Run MDELiveAnalyzer.ps1& > ``` - ## See also+ - [Client analyzer overview](overview-client-analyzer.md) - [Download and run the client analyzer](download-client-analyzer.md) - [Run the client analyzer on Windows](run-analyzer-windows.md) |
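Review bot: formatting the download origin as code and the aka.ms link in angle brackets is fine, but the page still carries "Last updated 12/18/2020" in its metadata while the body refers to Microsoft Defender XDR; update the date since the body has changed. The note correctly offers an allowlist-friendly path (upload MDEClientAnalyzerPreview.zip to the library when egress to mdatpclientanalyzer.blob.core.windows.net is not permitted); it would help to state explicitly that the LiveAnalyzer script then uses the library copy, so a blocked download is not mistaken for a script error.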
security | Tvm Manage Log4shell Guidance | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-manage-Log4shell-guidance.md | You can use the following advanced hunting query to identify vulnerabilities in ## Related articles -- [Defender Vulnerability Management overview](http://next-gen-threat-and-vuln-mgt.md)+- [What is Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management) - [Security recommendations](tvm-security-recommendation.md) |
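Review bot: replacing "http://next-gen-threat-and-vuln-mgt.md" with the full /microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management path fixes a link that resolved to an external http:// host; the neighbouring "Security recommendations" entry still uses a relative .md link, so the list now mixes two link styles. Pick one.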
security | Advanced Hunting Identityinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identityinfo-table.md | For information on other tables in the advanced hunting schema, [see the advance | `AccountName` | `string` | User name of the account | | `AccountDomain` [*](#mdi-only) | `string` | Domain of the account | | `Type` [*](#mdi-only) | `string` | Type of record |-| `DistinguishedName` [*](#mdi-only) | string | The user's [distinguished name](/windows/desktop/ldap/distinguished-names) | +| `DistinguishedName` [*](#mdi-only) | string | The user's [distinguished name](/previous-versions/windows/desktop/ldap/distinguished-names) | | `CloudSid` | `string` | Cloud security identifier of the account | | `GivenName` | `string` | Given name or first name of the account user | | `Surname` | `string` | Surname, family name, or last name of the account user | |
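Review bot: the DistinguishedName row's type cell reads "string" without backticks while every other row in the table uses `string`; since the line is already being touched for the link fix, correct the formatting in the same hunk.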
security | Communicate Defender Experts Xdr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/communicate-defender-experts-xdr.md | + + Title: Communicating with Microsoft Defender Experts ++description: Defender Experts for XDR has multiple channels to discuss incidents, managed response, and service support +keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, Managed response in Teams, real-time visibility with XDR experts, ask defender experts ++ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +++ms.localizationpriority: medium ++audience: ITPro ++ - m365-security + - tier1 + - essentials-overview ++search.appverid: met150 Last updated : 01/29/2024+++# Communicating with experts in the Microsoft Defender Experts for XDR service ++**Applies to:** ++- [Microsoft Defender XDR](microsoft-365-defender.md) ++Microsoft Defender Experts for XDR provides you with multiple channels of communication to discuss incidents with our experts, ask them questions on demand, or get service readiness or operations support from your service delivery managers (SDMs). ++## Incident and managed response notifications ++When an incident requires your attention, such as the incidents our experts issue [managed response actions](start-using-mdex-xdr.md#managed-detection-and-response), you're notified through one or more of the following channels: ++### In-portal chat ++> [!NOTE] +> The chat option is only available for incidents where we issued managed response. ++The **Chat** tab within the Microsoft Defender XDR portal provides you with a space to engage with our experts and further understand the incident, our investigation, and the required actions we provided. 
You could ask about a malicious executable, malicious attachment, information about activity groups, advanced hunting queries, or any other information that would assist you with the incident resolution. ++### Teams chat ++Apart from using the in-portal chat, you can also engage in real-time chat conversations with Defender Experts directly within Microsoft Teams. This capability provides you and your security operations center (SOC) team more flexibility when responding to incidents that require managed response. [Learn more about turning on notifications and chat on Teams](get-started-xdr.md#receive-managed-response-notifications-and-updates-in-microsoft-teams) ++Once you turn on chat on Teams, a new team named **Defender Experts team** is created and the Defender Experts Teams app is installed in it. Each incident that requires your attention is posted on this teamΓÇÖs **Managed response** channel as a new post. To engage with our experts (for example, ask follow-up questions about the investigation summary or actions published by Defender Experts), use the **Reply** text bar to mention or tag *@Defender Experts* and type your message. +++**Important reminders when using the Teams chat:** ++- Our experts have access to messages in **Defender Experts team** through the Defender Experts Teams app so you don't have to explicitly them to this team. +- Our experts only see replies to existing posts created by Defender Experts regarding a managed response. If you create a new post, our experts won't be able to see it. +- While Defender Experts might have access to all messages in any channel in **Defender Experts team**, tag or mention our experts by typing *@Defender Experts* in your replies, so they're notified to join the chat conversation. +- DonΓÇÖt attach any attachments (for example, files for analysis) in the chat. For security reasons, Defender Experts won't be able to view the attachments. 
Instead, send them to appropriate submissions channels or provide links where they can be found in Microsoft Defender XDR portal. +- Conversations in the Teams chat about an incident are also synchronized with the incidentΓÇÖs **Chat** tab in the Microsoft Defender XDR portal so that you can see messages and updates about an investigation wherever you go. ++### Email ++The Defender Experts for XDR service typically sends automated emails whenever a managed response with completed or pending actions is published in the Microsoft XDR portal, or when it needs to remind you about incidents awaiting your action. ++However, our experts could also send out emails to your identified notification contacts directly during any of the following situations: ++- When they require additional information or context to investigate an incident +- When they detect a malicious or suspicious activity manually and outside of incidents or alerts in the Microsoft Defender XDR portal, and it requires a response action +- When they reply to the requests or queries sent to them through email ++> [!IMPORTANT] +> Remember to verify emails claiming to be from Defender Experts. ++### Phone call ++In break-glass scenarios or matters that require immediate attention (for example, malware on high-value infrastructure, ransomware, data exfiltration, insider threat, or other signs of a determined human adversary), our experts reach out to your identified **incident notification contacts** using the details you provided, including calling their listed phone numbers. [Learn more about adding contact persons or groups for incident notifications](get-started-xdr.md#tell-us-who-to-contact-for-important-matters) ++## Ask Defender Experts ++While the previous scenarios involve our experts initiating communication with you, you can also request advanced threat expertise on demand by selecting **Ask Defender Experts** directly inside the Microsoft Defender XDR portal. 
[Learn more](start-using-mdex-xdr.md#request-advanced-threat-expertise-on-demand) ++## Collaborating with your service delivery manager ++The service delivery manager (SDM) is responsible for managing the overall relationship for your organization with the Defender Experts for XDR service. They are your trusted advisor working along with XDR experts' team to help you protect your organization. ++The SDM provides the following ++- Service readiness support + - Educate customers about the end-to-end service experience, from signup to regular operations and escalation process. + - Help establish a service-ready security posture, including guidance on required controls and policy updates. +- Service operations support + - Provide tailored service delivery content and reporting, including periodic business reviews. + - Serve as a single point of contact for feedback and escalations related to Defender Experts Service. ++The SDM engages with your identified **service review contacts**. [Learn more about adding contact persons or groups for service review and delivery](get-started-xdr.md#tell-us-who-to-contact-for-important-matters) ++### See also ++- [Get started with Microsoft Defender Experts for XDR](get-started-xdr.md) +- [Start using Defender Experts for XDR service](start-using-mdex-xdr.md) + |
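Review bot: the added bullet "Our experts have access to messages in **Defender Experts team** through the Defender Experts Teams app so you don't have to explicitly them to this team." is missing its verb after "explicitly"; from the surrounding text it should read "so you don't have to explicitly add them to this team."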
security | Faq Incident Notifications Xdr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/faq-incident-notifications-xdr.md | Last updated 08/29/2023 - [Microsoft Defender XDR](microsoft-365-defender.md) -The following section lists down questions your SOC team might have regarding the receipt of [incident notifications](start-using-mdex-xdr.md#incident-notifications). +The following section lists down questions your SOC team might have regarding the receipt of [incident notifications](start-using-mdex-xdr.md#incident-updates). <a name='in-microsoft-365-defender-portal-and-graph-security-api'></a> |
security | Faq Managed Response | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/faq-managed-response.md | The following section lists down questions you or your SOC team might have regar | Questions | Answers | ||| | **What is managed response?** | Microsoft Defender Experts for XDR offers **Managed response** where our experts manage the entire remediation process for incidents that require them. This process includes investigating the incident to identify the root cause, determining the required response actions, and taking those actions on your behalf.|-| **What actions are in scope for managed response?** | All actions found below are in scope for managed response for any device and user that isn't excluded.<br><br>*For devices* *(Available now)*<ul><li>Isolate machine<br><li>Release machine from isolation<br><li>Run antivirus scan<br><li>Stop and quarantine file<br><li>Release file from quarantine<br><li>Restrict app execution<br><li>Remove app restriction</ul><br>*For users (Coming soon)*<ul><li>Force password reset<br><li>Disable user<br><li>Enable user<br><li>Suspend user<br><li>Soft delete emails </ul><br> | +| **What actions are in scope for managed response?** | All actions found below are in scope for managed response for any device and user that isn't excluded.<br><br>*For devices* *(Available now)*<ul><li>Isolate machine<br><li>Release machine from isolation<br><li>Run antivirus scan<br><li>Stop and quarantine file<br><li>Restrict app execution<br><li>Remove app restriction</ul><br>*For users (Coming soon)*<ul><li>Force password reset<br><li>Disable user<br><li>Enable user<br><li>Soft delete emails </ul><br> | | **Can I customize the extent of managed response?** | You can configure the extent to which our experts do managed response actions on your behalf by excluding certain devices and users (individually or by groups) either during onboarding or later by modifying your service's settings. 
[Read more about excluding device and user groups](../defender/get-started-xdr.md#exclude-devices-and-users-from-remediation) | | **What support do Defender Experts offer for excluded assets?** | If our experts determine that you need to perform response actions on excluded devices or users, we notify you through various customizable methods and direct you to your Microsoft Defender XDR portal. From your portal, you can then view a detailed summary of our investigation process and the required response actions in the portal, and perform these required actions directly. Similar capabilities are also available through Defender APIs, in case you prefer using a security information and event management (SIEM), IT service management (ITSM), or any other third-party tool. | | **How am I going to be informed about the response actions?** | Response actions that our experts have completed on your behalf and any pending ones that you need to perform on your excluded assets are displayed in the **Managed response** panel in your Microsoft Defender XDR portal's **Incidents** page. <br><br>In addition, you'll also receive an email containing a link to the incident and instructions to view the managed response in the portal. Moreover if you have integration with Microsoft Sentinel or APIs, you'll also be notified within those tools by looking for DEX statuses. For more information, see [FAQs related to Microsoft Defender Experts for XDR incident notifications](../defender/faq-incident-notifications-xdr.md).| |
security | Get Started Xdr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/get-started-xdr.md | To edit or update your notification contacts after the initial setup, go to **Se ## Receive managed response notifications and updates in Microsoft Teams -Apart from email and [in-portal chat](start-using-mdex-xdr.md#in-portal-chat), you also have to option to use Microsoft Teams to receive updates about managed responses and communicate with our experts in real time. When this setting is turned on, a new team named **Defender Experts team** is created, where managed response notifications related to ongoing incidents are sent as new posts in the **Managed response** channel. [Learn more about using Teams chat](../defender/start-using-mdex-xdr.md#teams-chat) +Apart from email and [in-portal chat](communicate-defender-experts-xdr.md#in-portal-chat), you also have to option to use Microsoft Teams to receive updates about managed responses and communicate with our experts in real time. When this setting is turned on, a new team named **Defender Experts team** is created, where managed response notifications related to ongoing incidents are sent as new posts in the **Managed response** channel. [Learn more about using Teams chat](communicate-defender-experts-xdr.md#teams-chat) > [!IMPORTANT] > Defender Experts will have access to all messages posted on any channel in the created **Defender Experts team**. To prevent Defender Experts from accessing messages in this team, go to **Apps** in Teams then navigate to **Manage your apps** > **Defender Experts** > **Remove**. This removal action cannot be reversed. 
The readiness assessment has two parts: After you complete all the required tasks and met the onboarding targets in your readiness assessment, your service delivery manager (SDM) initiates the monitoring phase of the Defender Experts for XDR service, where, for a few days, our experts start monitoring your environment closely to identify latent threats, sources of risk, and normal activity. As we get better understanding of your critical assets, we can streamline the service and fine-tune our responses. -Once our experts begin to perform comprehensive response work on your behalf, youΓÇÖll start receiving [notifications about incidents](../defender/start-using-mdex-xdr.md#incident-notifications) that require remediation steps and targeted recommendations on critical incidents. You can also chat with our experts or your SDMs regarding important queries and regular business and security posture reviews, and [view real-time reports](../defender/start-using-mdex-xdr.md#understand-the-defender-experts-for-xdr-report) on the number of incidents weΓÇÖve investigated and resolved on your behalf. -+Once our experts begin to perform comprehensive response work on your behalf, youΓÇÖll start receiving [notifications about incidents](../defender/start-using-mdex-xdr.md#incident-updates) that require remediation steps and targeted recommendations on critical incidents. You can also chat with our experts or your SDMs regarding important queries and regular business and security posture reviews, and [view real-time reports](../defender/start-using-mdex-xdr.md#understand-the-defender-experts-for-xdr-report) on the number of incidents weΓÇÖve investigated and resolved on your behalf. ### Next step |
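Review bot: the rewritten paragraph still carries the pre-existing typo "you also have to option to use Microsoft Teams"; since this line is already being changed for the link retarget to communicate-defender-experts-xdr.md, correct it to "you also have the option to use Microsoft Teams" in the same edit.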
security | Microsoft Sentinel Onboard | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-sentinel-onboard.md | After you connect your workspace to the Defender portal, you'll see **Microsoft You'll also see many of the existing Microsoft Sentinel features are integrated into the Defender portal. For these features, you'll notice that the experience between Microsoft Sentinel in the Azure portal and Defender portal are similar. Use the following articles to help you start working with Microsoft Sentinel in the Defender portal. When using these articles, keep in mind that your starting point in this context is the [Defender portal](https://security.microsoft.com/) instead of the Azure portal. - Search- - [Search across long time spans in large datasets](/sentinel/search-jobs) + - [Search across long time spans in large datasets](/azure/sentinel/search-jobs) - [Restore archived logs from search](/azure/sentinel/restore) - Threat management - [Visualize and monitor your data by using workbooks](/azure/sentinel/monitor-your-data) |
security | Security Copilot In Microsoft 365 Defender | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-in-microsoft-365-defender.md | All key features have an option for providing feedback. To provide feedback, per ## Microsoft Defender XDR plugin in Security Copilot -Microsoft Defender XDR is one of the [Microsoft plugins](/security-copilot/manage-plugins.md#microsoft-plugins) that enable the Security Copilot platform to generate accurate and relevant information. Through the Microsoft Defender XDR plugin, the Security Copilot portal can provide more context to incidents and generate more accurate results. The key features mentioned in this article are capabilities that are also available in the Security Copilot portal. +Microsoft Defender XDR is one of the [Microsoft plugins](/security-copilot/manage-plugins#microsoft-plugins) that enable the Security Copilot platform to generate accurate and relevant information. Through the Microsoft Defender XDR plugin, the Security Copilot portal can provide more context to incidents and generate more accurate results. The key features mentioned in this article are capabilities that are also available in the Security Copilot portal. You can learn more about plugins implemented in the Security Copilot portal in [Manage plugins in Security Copilot](/security-copilot/manage-plugins). Additionally, you can learn more about the embedded experiences in other Microsoft security products in [Microsoft Security Copilot experiences](/security-copilot/experiences-security-copilot) |
security | Security Copilot M365d Incident Summary | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-m365d-incident-summary.md | Incidents containing up to 100 alerts can be summarized into one incident summar - A summary of timelines of how the attack unfolded. - The assets involved in the attack. - Indicators of compromise (IOCs).-- Names of [threat actors](/security/intelligence/microsoft-threat-actor-naming) involved.+- Names of [threat actors](/microsoft-365/security/intelligence/microsoft-threat-actor-naming) involved. To summarize an incident, perform the following steps: You can validate or report the results of the incident summary provided by Secur ## See also -- [Security Copilot Early Access Program FAQs](/security-copilot/faq-security-copilot.md)+- [Security Copilot Early Access Program FAQs](/security-copilot/faq-security-copilot) - [Investigate incidents in Microsoft Defender XDR](investigate-incidents.md)-- [Get started with Security Copilot](/security-copilot/get-started-security-copilot.md)-- [Learn about other Security Copilot embedded experiences](/security-copilot/experiences-security-copilot.md)+- [Get started with Security Copilot](/security-copilot/get-started-security-copilot) +- [Learn about other Security Copilot embedded experiences](/security-copilot/experiences-security-copilot) [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)] |
security | Start Using Mdex Xdr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/start-using-mdex-xdr.md | Title: How to use the Microsoft Defender Experts for XDR service description: Defender Experts for XDR helps prioritize and customize recommendations to fit your environment -keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, Managed response in Teams, real-time visibility with XDR experts, threat hunting and analysis +keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, Managed response in Teams, real-time visibility with XDR experts, threat hunting and analysis, incidents by category, impacted assets ms.mktglfcycl: deploy Once our experts begin to perform comprehensive response work on your behalf, yo Through a combination of automation and human expertise, Defender Experts for XDR triages Microsoft Defender XDR incidents, prioritizes them on your behalf, filters out the noise, carries out detailed investigations, and provides actionable managed response to your security operations center (SOC) teams. -### Incident notifications +### Incident updates Once our experts start investigating an incident, the incident's **Assigned to** and **Status** fields are updated to _Defender Experts_ and _In progress_, respectively. If an incident is classified as _False Positive_ or _Informational_, _Expected A > [!NOTE] > Incident comments are one-way posts. Defender Experts can't respond to any comments or questions you add in the **Comments and history** panel. If you wish to correspond with our experts, reply to the email Defender Experts sent you instead. 
-Otherwise, if an incident is classified as _True Positive_, our experts then identify recommended response actions that need to be performed. The method in which the actions are performed depends on the permissions and access levels you have given the Defender Experts for XDR service. [Learn more about granting permissions to our experts](get-started-xdr.md#grant-permissions-to-our-experts). +Otherwise, if an incident is classified as _True Positive_, our experts then identify the required response actions that need to be performed. The method in which the actions are performed depends on the permissions and access levels you have given the Defender Experts for XDR service. [Learn more about granting permissions to our experts](get-started-xdr.md#grant-permissions-to-our-experts). -- If you have granted Defender Experts for XDR the recommended Security Operator access permissions, our experts could perform the recommended response actions on the incident on your behalf. These actions, along with an **Investigation summary**, show up in the incident's [Managed response](#how-to-use-managed-response-in-microsoft-365-defender) flyout panel in your Microsoft Defender portal for you or your SOC team to review. Once our experts conclude their work on the incident, its **Status** field is then updated to _Resolved_ and the **Assigned to** field is updated to _Unassigned_.+- If you have granted Defender Experts for XDR the recommended Security Operator access permissions, our experts could perform the required response actions on the incident on your behalf. These actions, along with an **Investigation summary**, show up in the incident's [Managed response](#how-to-use-managed-response-in-microsoft-365-defender) flyout panel in your Microsoft Defender portal for you or your SOC team to review. All actions that are completed by Defender Experts for XDR appear under the **Completed actions** section. 
Any pending actions that require you or you SOC team to complete are listed under the **Pending actions** section. For more information, see the [Actions](#actions) section. Once our experts have taken all the necessary actions on the incident, its **Status** field is then updated to _Resolved_ and the **Assigned to** field is updated to _Unassigned_. -- If you have granted Defender Experts for XDR the default Security Reader access, then the recommended response actions, along with an **Investigation summary**, show up in the incident's **Managed response** flyout panel in your Microsoft Defender portal for you or your SOC team to perform. To identify this handover, the incident's **Status** field is updated to _Awaiting Customer Action_ and its **Assigned to** field is updated to _Customer_.+- If you have granted Defender Experts for XDR the default Security Reader access, then the required response actions, along with an **Investigation summary**, show up in the incident's **Managed response** flyout panel under the **Pending actions** section in your Microsoft Defender portal for you or your SOC team to perform. For more information, see the [Actions](#actions) section. To identify this handover, the incident's **Status** field is updated to _Awaiting Customer Action_ and the **Assigned to** field is updated to _Customer_. -You can check the number of incidents that are awaiting your action in the Defender Experts card in your Microsoft Defender portal: +You can check the number of incidents that require your action in the Defender Experts banner at the top of the Microsoft Defender homepage. :::image type="content" source="../../media/xdr/view-incidents.png" alt-text="Screenshot of the Defender Experts card in Microsoft Defender portal showing the number of incidents awaiting customer action." 
lightbox="../../media/xdr/view-incidents.png"::: To view the incidents our experts have investigated or are currently investigating, filter the incident queue in your Microsoft Defender portal using the _Defender Experts_ tag. <a name='how-to-use-managed-response-in-microsoft-365-defender'></a> Select **View managed response** on the task card or on the top of the portal pa #### Investigation summary -The **Investigation summary** section provides you with more context about the incident analyzed by our experts to provide you with visibility about its severity and potential impact if not addressed immediately. It could include the device timeline, indicators of attack and indicators of compromise (IOCs) observed, and other details. +The **Investigation summary** section provides you with more context about the incident analyzed by our experts to provide you with visibility about its severity and potential impact if not addressed immediately. It could include the device timeline, indicators of attack, and indicators of compromise (IOCs) observed, and other details. :::image type="content" source="../../media/xdr/investigation-summary.png" alt-text="Screenshot of managed response investigation summary." lightbox="../../media/xdr/investigation-summary.png"::: #### Actions -The **Actions** tab displays task cards that contain response actions recommended by our experts. +The **Actions** tab displays task cards that contain response actions recommended by our experts. Defender Experts for XDR currently supports the following one-click managed response actions: Defender Experts for XDR currently supports the following one-click managed resp ||--| |[Isolate device](/microsoft-365/security/defender-endpoint/respond-machine-alerts##isolate-devices-from-the-network)|Isolates a device, which helps prevent an attacker from controlling it and performing further activities such as data exfiltration and lateral movement. 
The isolated device will still be connected to Microsoft Defender for Endpoint.| |[Quarantine file](/microsoft-365/security/defender-endpoint/respond-file-alerts##stop-and-quarantine-files)|Stops running processes, quarantines the files, and deletes persistent data such as registry keys.|+|[Restrict app execution](/microsoft-365/security/defender-endpoint/respond-machine-alerts##restrict-app-execution)| Restricts the execution of potentially malicious programs and locks down the device to prevent further attempts.| +|[Release from isolation](/microsoft-365/security/defender-endpoint/respond-machine-alerts#isolate-devices-from-the-network)| Undoes isolation of a device.| +|[Remove app restriction](/microsoft-365/security/defender-endpoint/respond-machine-alerts#restrict-app-execution)| Undoes release from isolation.| Apart from these one-click actions, you can also receive managed responses from our experts that you need to perform manually. Apart from these one-click actions, you can also receive managed responses from **To view and perform the managed response actions:** -1. Select the arrow buttons in a task card to expand it and read more information about the recommendation or collapse it. -1. For cards with one-click response actions, select the recommended action. The **Action status** in the card changes to **In progress**, then to **Failed** or **Completed**, depending on the action's outcome. +1. Select the arrow buttons in an action card to expand it and read more information about the required action. -> [!TIP] -> You can also monitor the status of in-portal response actions in the [Action center](m365d-action-center.md). + :::image type="content" source="../../media/xdr/action-card-1.png" alt-text="Screenshot of managed response action to isolate the device prod server." lightbox="../../media/xdr/action-card-1.png"::: -3. For cards with recommended actions that you need to perform manually, select **Mark as complete** once you've performed them. -1. 
If you don't want to complete a recommended action right away, select the ellipsis icon on the top of the card and choose any of the following other options: - - **Mark in progress** - - **Mark as skipped** - - **Mark as new** +2. For cards with one-click response actions, select the required action. The **Action status** in the card changes to **In progress**, then to **Failed** or **Completed**, depending on the action's outcome. -### Chat with Defender Experts + :::image type="content" source="../../media/xdr/action-card-2.png" alt-text="Screenshot of managed response action showing in-progress to isolate the device prod server." lightbox="../../media/xdr/action-card-2.png"::: -> [!NOTE] -> The chat option is only available for incidents where we issued managed response. --#### In-portal chat --The **Chat** tab within the Microsoft Defender XDR portal provides you with a space to engage with our experts and further understand the incident, our investigation, and the recommended actions we provided. You could ask about a malicious executable, malicious attachment, information about activity groups, advanced hunting queries, or any other information that would assist you with the incident resolution. --#### Teams chat --Apart from using the in-portal chat, you also have the option to engage in real-time chat conversations with Defender Experts directly within Microsoft Teams, providing you and your SOC team additional flexibility when responding to incidents that require managed response. [Learn more about turning on notifications and chat on Teams](../defender/get-started-xdr.md#receive-managed-response-notifications-and-updates-in-microsoft-teams) --Once you turn on chat on Teams, a new team named **Defender Experts team** is created. An incident that requires your attention is posted on this teamΓÇÖs Managed response channel as a new post. To engage with our experts (for example, ask follow-up questions), use the **Reply** text bar to type your message. 
+ > [!TIP] + > You can also monitor the status of in-portal response actions in the [Action center](m365d-action-center.md). If a response action fails, try doing it again from the **View device details** page or [initiate a chat](communicate-defender-experts-xdr.md#in-portal-chat) with Defender Experts. +3. For cards with required actions that you need to perform manually, select **I've completed this action** once you've performed them, then select **Yes, I've done it** in the confirmation dialog box that appears. -**Important reminders when using the Teams chat:** + :::image type="content" source="../../media/xdr/ive-completed-this-action.png" alt-text="Screenshot of managed response action to confirm action completion." lightbox="../../media/xdr/ive-completed-this-action.png"::: -- Only reply to posts (announcing managed response is published on an incident) created by Defender Experts. When you create a new post, our experts will not be able to see it.-- Tag or mention our experts by typing *@Defender Experts* in your replies, so they are notified to join the chat conversation.-- DonΓÇÖt attach any attachments (for example, files for analysis) in the chat. For security reasons, Defender Experts won't be able to view the attachments. Instead, send them to appropriate submissions channels or provide links where they can be found in Microsoft Defender XDR portal.--Conversations in the Teams chat about an incident are also synchronized with the incidentΓÇÖs **Chat** tab in the Microsoft Defender XDR portal so that you can see messages and updates about an investigation wherever you go. +4. If you don't want to complete a required action right away, select **Skip**, then select **Yes, skip this action** in the confirmation dialog box that appears. > [!IMPORTANT]-> Defender Experts will have access to all messages in any channel in this team. 
+> +>If you notice that any of the buttons on the action cards are grayed out, it could indicate that you don't have the necessary permissions to perform the action. Make sure that you're signed into the Microsoft Defender XDR portal with the appropriate permissions. Most managed response actions require that you have at least the Security Operator access. +> +>If you still encounter this issue even with the appropriate permissions, navigate to **View device details** and complete the steps from there. + ## Get visibility to Defender Experts investigations in your SIEM or ITSM application You can get incident visibility in Microsoft Sentinel by turning on its out-of-t Once you have turned on the connector, updates by Defender Experts to the **Status**, **Assigned to**, **Classification**, and **Determination** fields in Microsoft Defender XDR will show up in the corresponding **Status**, **Owner**, and **Reason for closing** fields in Sentinel. > [!NOTE]-> The status of incidents investigated by Defender Experts in Microsoft Defender XDR typically transitions from _Active_ to _In progress_ to _Awaiting Customer Action_ to _Resolved_, while in Sentinel, it follows the _New_ to _Active_ to _Resolved_ path. The Microsoft Defender XDR Status ***Awaiting Customer Action*** doesn't have an equivalent field in Sentinel; instead, it's displayed as a tag in an incident in Sentinel. +> The status of incidents investigated by Defender Experts in Microsoft Defender XDR typically transitions from _Active_ to _In progress_ to _Awaiting Customer Action_ to _Resolved_, while in Sentinel, it follows the _New_ to _Active_ to _Resolved_ path. The Microsoft Defender XDR Status _**Awaiting Customer Action**_ doesn't have an equivalent field in Sentinel; instead, it's displayed as a tag in an incident in Sentinel. 
The following section describes how an incident handled by our experts is updated in Sentinel as it progresses through the investigation journey: After configuring a connector, the updates by Defender Experts to an incident's Defender Experts for XDR includes an interactive, on-demand report that provides a clear summary of the work our expert analysts are doing on your behalf, aggregate information about your incident landscape, and granular details about specific incidents. Your service delivery manager (SDM) also uses the report to provide you with more context regarding the service during a monthly business review. Each section of the report is designed to provide more insights about the incidents our experts investigated and resolved in your environment in real time. You can also select the **Date range** to get detailed information about incidents based on severity, category, and understand the time taken to investigate and resolve an incident during a specific period. The topmost section of the Defender Experts for XDR report provides the percenta - **Resolved directly** ΓÇô The number of investigated incidents that we were able to close directly on your behalf. - **Resolved with your help** ΓÇô The number of investigated incidents that were resolved because of your action on one or more managed response tasks. -The **Incidents by severity** and **Incidents by category** sections break down resolved incidents by severity and attack technique or threat type, respectively. These sections let you identify potential attack entry points and types of threats detected in your environment, assess their impact, and develop strategies to mitigate and prevent them. Select **View incidents** to get a filtered view of the incident queue based on the selections you made in each of the two sections. 
--The **Average incident resolution time** section displays a bar chart of the average time, in minutes, our experts spent investigating and closing incidents in your environment and the average time you spent performing the recommended managed response actions. --If you've set Defender Experts for XDR to have **Security Reader** access, the **Average incident resolution time** section also displays the estimated **Potential time savings** you could realize if you let our experts take managed remediation actions on your behalf by [providing them the permissions](get-started-xdr.md#grant-permissions-to-our-experts) to do so. The potential time savings are derived by calculating the total time it took you to complete recommended managed response actions after our experts issued them to you during your selected date range. Otherwise, if the service has **Security Operator** access, this report section displays the estimated time you already saved by granting us permission to take managed remediation actions on your behalf. To change access levels, select **Edit permissions**. --## Collaborate with a trusted advisor --The service delivery manager (SDM) is responsible for managing the overall relationship for your organization with the Defender Experts for XDR service. They are your trusted advisor working along with XDR experts' team to help you protect your organization. +The **Average time to resolve incidents** section displays a bar chart of the average time, in minutes, our experts spent investigating and closing incidents in your environment and the average time you spent performing the required managed response actions. -The SDM provides the following +The **Incidents by severity**, **Incidents by category**, and **Incidents by service source** sections break down resolved incidents by severity, attack technique, and Microsoft security service source, respectively. 
These sections let you identify potential attack entry points and types of threats detected in your environment, assess their impact, and develop strategies to mitigate and prevent them. Select **View incidents** to get a filtered view of the incident queue based on the selections you made in each of the two sections. -- Service readiness support- - Educate customers about the end-to-end service experience, from signup to regular operations and escalation process. - - Help establish a service-ready security posture, including guidance on required controls and policy updates. -- Service operations support- - Provide tailored service delivery content and reporting, including periodic business reviews. - - Serve as a single point of contact for feedback and escalations related to Defender Experts Service. +The **Most impacted assets** section shows the users and devices in your environment that were involved in the most number of incidents during your selected date range. You can see the volume of incidents each asset was involved in. Select an asset to get a filtered view of the incident queue based on the incidents that included the said asset. ## Proactive managed hunting Defender Experts for XDR also includes proactive threat hunting offered by [Micr ## Request advanced threat expertise on demand -Select **Ask Defender Experts** directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat questions. Experts can provide insights to better understand the complex threats your organization may face. Consult an expert to: +Select **Ask Defender Experts** directly inside the Microsoft Defender XDR portal to get swift and accurate responses to all your threat questions. Experts can provide insights to better understand the complex threats your organization might face. Consult an expert to: - Gather additional information on alerts and incidents, including root causes and scope. 
- Gain clarity into suspicious devices, alerts, or incidents and get the next steps if faced with an advanced attacker. |
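Review bot: the sentence "Select **View incidents** to get a filtered view of the incident queue based on the selections you made in each of the two sections" is kept unchanged while the paragraph before it now introduces three sections (**Incidents by severity**, **Incidents by category**, and **Incidents by service source**); change "each of the two sections" to "each of these sections". The removal of the "Important reminders when using the Teams chat" block also drops the notice that Defender Experts will have access to all messages in any channel in this team; if the Teams chat remains part of the service, that access notice should survive elsewhere on the page, since customers rely on it to decide what they post in the channel. Minor: in the new **Most impacted assets** paragraph, "involved in the most number of incidents" reads better as "involved in the highest number of incidents".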
solutions | Apps Config Step 2 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-config-step-2.md | Microsoft Intune makes it easy to provide Microsoft Outlook to your end-users at > [!NOTE] > The methods described use Microsoft Intune as the unified endpoint management service and Exchange as the messaging platform.-> +> > If your organization uses a native email app or a different email service, you don't need to configure Microsoft Outlook. > > App configuration policies are targeted to the iOS/iPadOS and Android platforms. However some apps, such as M365 apps for Windows and later devices, have configuration options available when you add the app to Intune. Outlook app configuration can be delivered by selecting either of the following methods:+ 1. **Managed devices** - Select the mobile device management (MDM) OS channel. - **iOS**: Use an App Configuration Policy for iOS. For related information, see the [Managed App Configuration](https://developer.apple.com/library/content/samplecode/sc2279/Introduction/Intro.html) channel for iOS. - **Android**: Use an App Configuration Policy for Android Enterprise. For related information, see the [Android in the Enterprise](https://developer.android.com/work/managed-configurations) channel for Android. Outlook app configuration can be delivered by selecting either of the following > Managed devices are those devices that have been enrolled in a mobile device management (MDM) solution. Unmanaged devices that use managed apps, follow a mobile application management (MAM) scenario. Outlook for iOS/iPadOS and Android supports the following configuration scenarios:+ - **Account setup configuration** - Must have enrolled devices. - **Organization allowed accounts mode** - Must have enrolled devices. 
- **General app configuration settings** Outlook for iOS/iPadOS and Android supports the following configuration scenario > [!IMPORTANT] > For configuration scenarios that require device enrollment on Android, the devices must be enrolled in Android Enterprise, and Outlook for Android must be deployed via the managed Google Play store. For more information, see [Set up enrollment of Android work profile devices](/intune/android-work-profile-enroll) and [Add app configuration policies for managed Android devices](/intune/app-configuration-policies-use-android). -| Configuration scenario | Description | +|Configuration scenario|Description| |||-| Account setup configuration | Used with managed devices that have been enrolled in a unified endpoint management (UEM) solution. Any UEM provider is supported. Outlook for iOS/iPadOS and Android offers administrators the ability to "push" account configurations to their Office 365 and on-premises users leveraging hybrid Modern Authentication users. For more information on account setup configuration, see [Account setup with modern authentication in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/setup-with-modern-authentication#account-setup-configuration-via-enterprise-mobility-management). | -| Organization allowed accounts mode | Used with managed devices that have been enrolled in a unified endpoint management (UEM) solution. Any UEM provider is supported. Examples may include only allowing work or school accounts. Outlook for iOS/iPadOS and Android offers administrators the ability to restrict email and storage provider accounts to only corporate accounts. For more information on organization allowed accounts mode, see [Account setup with modern authentication in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/setup-with-modern-authentication#organization-allowed-accounts-mode). 
| -| General app configuration settings | Outlook for iOS/iPadOS and Android offers administrators the ability to customize the default configuration for several in-app settings. This capability is offered for both enrolled devices via any UEM provider and for devices that aren't enrolled when Outlook for iOS/iPadOS and Android has an Intune App Protection Policy applied.<p>If an App Protection Policy is targeted to the users, the recommendation is to deploy the general app configuration settings in a **Managed Apps** device enrollment model. This deployment ensures the App Configuration Policy is deployed to both enrolled devices and unenrolled devices. | -| S/MIME settings | On enrolled devices, Outlook for iOS/iPadOS and Android supports automated certificate delivery. Outlook for iOS/iPadOS and Android also supports app configuration settings that enable or disable S/MIME in the app, as well as the user's ability to change the setting. For more information on how to deploy these settings via Microsoft Endpoint Manager, see [Understanding S/MIME](/mem/intune/apps/sensitive-labeling-and-protection-outlook-for-ios-android#understanding-smime). For more information on the configuration keys, see [Configuration settings](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune). 
| -| Data protection settings | Outlook for iOS/iPadOS and Android supports app configuration policies for the following data protection settings when the app is managed by Microsoft Endpoint Manager with an Intune App Protection Policy applied:<ul><li>Managing the use of wearable technology</li><li>Managing sensitive data in mail and calendar reminder notifications</li><li>Managing the contact fields synchronized to the native contacts app</li><li>Managing calendar sync availability</li><li>Managing add-ins availability</li><li><p>These settings can be deployed to the app regardless of device enrollment status. For more information on the configuration keys, see [Configuration settings](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune). | +|Account setup configuration|Used with managed devices that have been enrolled in a unified endpoint management (UEM) solution. Any UEM provider is supported. Outlook for iOS/iPadOS and Android offers administrators the ability to "push" account configurations to their Office 365 and on-premises users leveraging hybrid Modern Authentication users. For more information on account setup configuration, see [Account setup with modern authentication in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/setup-with-modern-authentication#account-setup-configuration-via-enterprise-mobility-management).| +|Organization allowed accounts mode|Used with managed devices that have been enrolled in a unified endpoint management (UEM) solution. Any UEM provider is supported. Examples may include only allowing work or school accounts. Outlook for iOS/iPadOS and Android offers administrators the ability to restrict email and storage provider accounts to only corporate accounts. 
For more information on organization allowed accounts mode, see [Account setup with modern authentication in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/setup-with-modern-authentication#organization-allowed-accounts-mode).| +|General app configuration settings|Outlook for iOS/iPadOS and Android offers administrators the ability to customize the default configuration for several in-app settings. This capability is offered for both enrolled devices via any UEM provider and for devices that aren't enrolled when Outlook for iOS/iPadOS and Android has an Intune App Protection Policy applied.<p>If an App Protection Policy is targeted to the users, the recommendation is to deploy the general app configuration settings in a **Managed Apps** device enrollment model. This deployment ensures the App Configuration Policy is deployed to both enrolled devices and unenrolled devices.| +|S/MIME settings|On enrolled devices, Outlook for iOS/iPadOS and Android supports automated certificate delivery. Outlook for iOS/iPadOS and Android also supports app configuration settings that enable or disable S/MIME in the app, as well as the user's ability to change the setting. For more information on how to deploy these settings via Microsoft Endpoint Manager, see [S/MIME overview to sign and encrypt email in Intune](/mem/intune/protect/certificates-s-mime-encryption-sign). 
For more information on the configuration keys, see [Configuration settings](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune).| +|Data protection settings|Outlook for iOS/iPadOS and Android supports app configuration policies for the following data protection settings when the app is managed by Microsoft Endpoint Manager with an Intune App Protection Policy applied:<ul><li>Managing the use of wearable technology</li><li>Managing sensitive data in mail and calendar reminder notifications</li><li>Managing the contact fields synchronized to the native contacts app</li><li>Managing calendar sync availability</li><li>Managing add-ins availability</li><li><p>These settings can be deployed to the app regardless of device enrollment status. For more information on the configuration keys, see [Configuration settings](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune).| For specific procedural steps and detailed documentation on the app configuration settings Outlook for iOS/iPadOS and Android supports, see [Deploying Outlook for iOS/iPadOS and Android app configuration settings](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune). ## Configure Outlook on managed devices You can configure Microsoft Outlook for managed devices by using an App Configuration Policy specifically for either the iOS/iPadOS or Android platforms. 
There are two areas to consider when configuring Outlook for managed devices:+ - [Account setup configuration](#account-setup-configuration) - [Organization allowed accounts mode settings](#organization-allowed-accounts-mode-settings) You can configure Microsoft Outlook for managed devices by using an App Configur ### Account setup configuration -You can configure account configuration setting for Microsoft Outlook on iOS/iPadOS and Android devices using Intune or other Unified Endpoint Management (UEM) providers. Once account setup configuration has been created as an App Configuration Policy in Intune (or other UEM provider) and the user enrolls their device, Outlook for iOS/iPadOS and Android will detect the related account and will then prompt the user to sign-in to the account. The only information the user needs to enter to complete the setup process is their password. Then, the user's mailbox content loads and the user can begin using the app. This process ensures that every device user successfully sets up Outlook. +You can configure account configuration setting for Microsoft Outlook on iOS/iPadOS and Android devices using Intune or other Unified Endpoint Management (UEM) providers. Once account setup configuration has been created as an App Configuration Policy in Intune (or other UEM provider) and the user enrolls their device, Outlook for iOS/iPadOS and Android will detect the related account and will then prompt the user to sign-in to the account. The only information the user needs to enter to complete the setup process is their password. Then, the user's mailbox content loads and the user can begin using the app. This process ensures that every device user successfully sets up Outlook. -When creating an App Configuration Policy in Intune, you can set up account configuration options for devices by specifically setting a key and value in the policy and assigning the policy to members of your organization. 
+When creating an App Configuration Policy in Intune, you can set up account configuration options for devices by specifically setting a key and value in the policy and assigning the policy to members of your organization. Available account setup configuration keys for Outlook include the following:+ - `com.microsoft.outlook.Settings.OpenLinks.UseSystemDefaultBrowser` - `com.microsoft.outlook.Settings.OpenLinks.UserChangeAllowed` - `com.microsoft.outlook.EmailProfile.EmailAddress` For more information about using the above keys, see [Account setup configuratio ### Organization allowed accounts mode settings -Outlook for iOS/iPadOS and Android on corporate-managed devices can be configured to only allow a single, corporate account to be provisioned within Outlook for iOS/iPadOS and Android. This capability is supported with Microsoft 365 and Office 365 accounts or on-premises accounts using hybrid modern authentication, however, only a single corporate account can be added to Outlook for iOS/iPadOS and Android. Similar to account setup configuration, you can configure organization allowed accounts mode settings for Microsoft Outlook on iOS/iPadOS and Android devices using Intune or other Unified Endpoint Management (UEM) providers. Once account setup configuration has been created as an App Configuration Policy in Intune (or other UEM provider), you have assigned the policy, and the user enrolls their device, Outlook for iOS/iPadOS and Android will detect the related account and will then prompt the user to sign-in to the account. +Outlook for iOS/iPadOS and Android on corporate-managed devices can be configured to only allow a single, corporate account to be provisioned within Outlook for iOS/iPadOS and Android. This capability is supported with Microsoft 365 and Office 365 accounts or on-premises accounts using hybrid modern authentication, however, only a single corporate account can be added to Outlook for iOS/iPadOS and Android. 
Similar to account setup configuration, you can configure organization allowed accounts mode settings for Microsoft Outlook on iOS/iPadOS and Android devices using Intune or other Unified Endpoint Management (UEM) providers. Once account setup configuration has been created as an App Configuration Policy in Intune (or other UEM provider), you have assigned the policy, and the user enrolls their device, Outlook for iOS/iPadOS and Android will detect the related account and will then prompt the user to sign-in to the account. Available organization allowed accounts mode configuration keys for Outlook include the following:+ - `IntuneMAMAllowedAccountsOnly` - `IntuneMAMUPN` - `com.microsoft.intune.mam.AllowedAccountUPNs` For more information on the settings that need to be configured to deploy organi ### Configuration process for managed devices -When you create an app configuration policy to be applied to a managed device in Intune, you specifically choose **Managed devices**. Managed devices are those devices that are managed by Intune or other unified endpoint management provider. The app, in this case Microsoft Outlook, must be pinned to the management profile on iOS/iPadOS or deployed through Managed Google Play on Android devices. +When you create an app configuration policy to be applied to a managed device in Intune, you specifically choose **Managed devices**. Managed devices are those devices that are managed by Intune or other unified endpoint management provider. The app, in this case Microsoft Outlook, must be pinned to the management profile on iOS/iPadOS or deployed through Managed Google Play on Android devices. 
For more information about creating an app configuration policy in Intune, see [Create an app configuration policy](/mem/intune/apps/app-configuration-policies-use-ios#create-an-app-configuration-policy) for iOS/iPadOS devices and [Create an app configuration policy](/mem/intune/apps/app-configuration-policies-use-android#create-an-app-configuration-policy) for Android Enterprise devices. In addition, see [Email apps](/mem/intune/apps/app-configuration-policies-use-android#email-apps) for Android Enterprise devices. For more information about creating an app configuration policy in Intune, see [ Outlook for iOS/iPadOS and Android offers administrators the ability to customize the default configuration for several in-app settings. This capability is offered for both enrolled devices via any UEM provider and for devices that aren't enrolled when Outlook for iOS/iPadOS and Android has an Intune App Protection Policy applied. Within Intune, you can create an app configuration policy that allows you to set the following types of configuration settings:+ - Outlook configuration settings - Microsoft Tunnel for Mobile Application Management settings - S/MIME settings Within Intune, you can create an app configuration policy that allows you to set ### Outlook configuration settings In Intune, you can use an app configuration policy to set Outlook specific configuration settings for iOS/iPadOS and Android platforms. These settings are divided into the following categories:+ - **General app configuration** settings - **Data Protection configuration** settings - **Sync contact fields to native contacts app configuration** settings The following table provides a list of the **General app configuration** settings for Outlook: -| General app configuration setting | Description | +|General app configuration setting|Description| |||-| Focused Inbox | Focused Inbox separates your inbox into two tabsΓÇöFocused and Other. 
Your most important emails are on the Focused tab while the rest remains easily accessibleΓÇöbut out of the wayΓÇöon the Other tab. When set as not configured, the default app setting is set to On. | -| Require Biometrics to Access App | Biometrics, such as TouchID or FaceID, can be required for users to access the app on their device. When required, biometrics are used in addition to the authentication method selected in this profile. This setting shouldn't be enabled when Intune App Protection Policies are deployed, as the app protection policy includes access requirements prior to accessing managed data. Enabling both will result in multiple access prompts to access Outlook mobile. When set as not configured, the default app setting is set to off. If you configure this setting, you can choose to use the **Allow user to change setting** option. | -| Save Contacts | Saving contacts to the mobile deviceΓÇÖs native address book allows new calls and text messages to be linked with the userΓÇÖs existing Outlook contacts. When set as not configured, the default app setting is set to off. If you configure this setting, you can choose to use the **Allow user to change setting** option. | -| External Recipients MailTip | The External Recipients MailTip is displayed if the sender adds a recipient that's external or adds a distribution group that contains external recipients. This MailTip informs senders if a message they're composing will leave the organization, helping them make the correct decisions about wording, tone, and content. Available only for Exchange Online accounts and on-premises accounts leveraging hybrid modern authentication. When set as not configured, the default app setting is set to On. | -| Block External Images | When block external images is enabled, the app prevents the download of images hosted on the Internet that are embedded in the message body. When set as not configured, the default app setting is set to Off. 
If you configure this setting, you can choose to the **Allow user to change setting** option. | -| Default App Signature | Default app signature indicates whether the app uses ΓÇ£Get Outlook for iOSΓÇ¥ as the default signature during message composition. If the setting is configured as Off, the default signature won't be used; however, users can add their own signature. When set as Not Configured, the default app setting is set to On. | -| Suggested Replies | When you open a message, Outlook might suggest replies below the message. If you select a suggested reply, you can edit the reply before sending it. When set as not configured, the default app setting is set to On. If you configure this setting, you can choose to the **Allow user to change setting** option. | -| Organize mail by thread | The default behavior in Outlook is to bundle mail conversations into a threaded conversation view. If this setting is disabled Outlook displays each mail individually and won't group them by thread. | -| Discover Feed | Discover Feed surfaces your most frequently accessed Office files. By default, this feed is enabled when Delve is enabled for the user. When set as not configured, the default app setting is set to On. | -| Play My Emails | The Play My Emails feature isn't enabled by default in the app, but it's promoted to eligible users via a banner in the inbox. When set to Off, this feature won't be promoted to eligible users in the app. Users can choose to manually enable Play My Emails from within the app, even when this feature is set to Off. When set as Not configured, the default app setting is On and the feature will be promoted to eligible users. | -| Sync Calendars | By default, an App Protection Policy allows for calendar synchronization to the native Calendar app but can be used to block calendar sync availability with the "Sync policy managed app data with native apps or add-in" setting. 
Configuring this setting to "Off" will block calendar synchronization when the App Protection Policy setting is set to Allowed. If you configure this setting, you can choose to use the **Allow user to change setting** option. | -| Text Predictions | Outlook can suggest words and phrases as you compose messages. When Outlook offers a suggestion, swipe to accept it. When set as not configured, the default app setting is set to On. If you configure this setting, you can choose to use the **Allow user to change setting** option. | +|Focused Inbox|Focused Inbox separates your inbox into two tabsΓÇöFocused and Other. Your most important emails are on the Focused tab while the rest remains easily accessibleΓÇöbut out of the wayΓÇöon the Other tab. When set as not configured, the default app setting is set to On.| +|Require Biometrics to Access App|Biometrics, such as TouchID or FaceID, can be required for users to access the app on their device. When required, biometrics are used in addition to the authentication method selected in this profile. This setting shouldn't be enabled when Intune App Protection Policies are deployed, as the app protection policy includes access requirements prior to accessing managed data. Enabling both will result in multiple access prompts to access Outlook mobile. When set as not configured, the default app setting is set to off. If you configure this setting, you can choose to use the **Allow user to change setting** option.| +|Save Contacts|Saving contacts to the mobile deviceΓÇÖs native address book allows new calls and text messages to be linked with the userΓÇÖs existing Outlook contacts. When set as not configured, the default app setting is set to off. If you configure this setting, you can choose to use the **Allow user to change setting** option.| +|External Recipients MailTip|The External Recipients MailTip is displayed if the sender adds a recipient that's external or adds a distribution group that contains external recipients. 
This MailTip informs senders if a message they're composing will leave the organization, helping them make the correct decisions about wording, tone, and content. Available only for Exchange Online accounts and on-premises accounts leveraging hybrid modern authentication. When set as not configured, the default app setting is set to On.| +|Block External Images|When block external images is enabled, the app prevents the download of images hosted on the Internet that are embedded in the message body. When set as not configured, the default app setting is set to Off. If you configure this setting, you can choose to the **Allow user to change setting** option.| +|Default App Signature|Default app signature indicates whether the app uses ΓÇ£Get Outlook for iOSΓÇ¥ as the default signature during message composition. If the setting is configured as Off, the default signature won't be used; however, users can add their own signature. When set as Not Configured, the default app setting is set to On.| +|Suggested Replies|When you open a message, Outlook might suggest replies below the message. If you select a suggested reply, you can edit the reply before sending it. When set as not configured, the default app setting is set to On. If you configure this setting, you can choose to the **Allow user to change setting** option.| +|Organize mail by thread|The default behavior in Outlook is to bundle mail conversations into a threaded conversation view. If this setting is disabled Outlook displays each mail individually and won't group them by thread.| +|Discover Feed|Discover Feed surfaces your most frequently accessed Office files. By default, this feed is enabled when Delve is enabled for the user. When set as not configured, the default app setting is set to On.| +|Play My Emails|The Play My Emails feature isn't enabled by default in the app, but it's promoted to eligible users via a banner in the inbox. 
When set to Off, this feature won't be promoted to eligible users in the app. Users can choose to manually enable Play My Emails from within the app, even when this feature is set to Off. When set as Not configured, the default app setting is On and the feature will be promoted to eligible users.| +|Sync Calendars|By default, an App Protection Policy allows for calendar synchronization to the native Calendar app but can be used to block calendar sync availability with the "Sync policy managed app data with native apps or add-in" setting. Configuring this setting to "Off" will block calendar synchronization when the App Protection Policy setting is set to Allowed. If you configure this setting, you can choose to use the **Allow user to change setting** option.| +|Text Predictions|Outlook can suggest words and phrases as you compose messages. When Outlook offers a suggestion, swipe to accept it. When set as not configured, the default app setting is set to On. If you configure this setting, you can choose to use the **Allow user to change setting** option.| The following table provides a list of the **Data Protection configuration** settings for Outlook: -| Data Protection configuration setting | Description | +|Data Protection configuration setting|Description| |||-| Org Data on Wearables | This value specifies if Outlook data can be synchronized to a wearable device. Setting the value to No disables wearable synchronization. | -| Calendar Notifications | Allow calendar notifications to display full details when the App Protection Policy setting "Org data notifications" is set to "Block Org Data". | -| Allow Add-ins | By default, an App Protection Policy allows users to utilize third-party add-ins but can be used to block add-ins with the "Sync policy managed app data with native apps or add-ins" setting. Configuring this setting to "Off" will block add-ins when the App Protection Policy setting is set to Allowed. 
| -| Allow Calendar Sync | By default, an App Protection Policy allows for calendar synchronization to the native Calendar app, but can be used to block calendar sync availability. This setting operates independent of the App Protection Policy setting and enables organizations to define whether calendar sync is available for the work or school account. | +|Org Data on Wearables|This value specifies if Outlook data can be synchronized to a wearable device. Setting the value to No disables wearable synchronization.| +|Calendar Notifications|Allow calendar notifications to display full details when the App Protection Policy setting "Org data notifications" is set to "Block Org Data".| +|Allow Add-ins|By default, an App Protection Policy allows users to utilize third-party add-ins but can be used to block add-ins with the "Sync policy managed app data with native apps or add-ins" setting. Configuring this setting to "Off" will block add-ins when the App Protection Policy setting is set to Allowed.| +|Allow Calendar Sync|By default, an App Protection Policy allows for calendar synchronization to the native Calendar app, but can be used to block calendar sync availability. This setting operates independent of the App Protection Policy setting and enables organizations to define whether calendar sync is available for the work or school account.| The following table provides a list of the **Sync contact fields to native contacts app configuration** settings for Outlook: -| Sync contact fields to native contacts app configuration settings | Description | +|Sync contact fields to native contacts app configuration settings|Description| |||-| Address | This value specifies if the contact's address should be synchronized to native contacts. | -| Birthday | This value specifies if the contact's birthday should be synchronized to native contacts. | -| Company | This value specifies if the contact's company name should be synchronized to native contacts. 
| -| Department | This value specifies if the contact's department should be synchronized to native contacts. | -| Email Address | This value specifies if the contact's email address should be synchronized to native contacts. | -| Instant Messaging Address | This value specifies if the contact's instant messaging address should be synchronized to native contacts. | -| Job Title | This value specifies if the contact's job title should be synchronized to native contacts. | -| Name Prefix | This value specifies if the contact's name prefix should be synchronized to native contacts. | -| Name Suffix | This value specifies if the contact's name suffix should be synchronized to native contacts. | -| Nickname | This value specifies if the contact's nickname should be synchronized to native contacts. | -| Notes | This value specifies if the contact's notes should be synchronized to native contacts. | -| Phone Home Number | This value specifies if the contact's home phone number should be synchronized to native contacts. | -| Phone Home Fax Number | This value specifies if the contact's home fax number should be synchronized to native contacts. | -| Phone Mobile Number | This value specifies if the contact's mobile phone number should be synchronized to native contacts. | -| Phone Other Number | This value specifies if the contact's other phone number should be synchronized to native contacts. | -| Phone Pager Number | This value specifies if the contact's pager phone number should be synchronized to native contacts. | -| Phone Work Number | This value specifies if the work phone number should be synchronized to native contacts. | -| Phone Work Fax Number | This value specifies if the contact's work fax number should be synchronized to native contacts. 
| +|Address|This value specifies if the contact's address should be synchronized to native contacts.| +|Birthday|This value specifies if the contact's birthday should be synchronized to native contacts.| +|Company|This value specifies if the contact's company name should be synchronized to native contacts.| +|Department|This value specifies if the contact's department should be synchronized to native contacts.| +|Email Address|This value specifies if the contact's email address should be synchronized to native contacts.| +|Instant Messaging Address|This value specifies if the contact's instant messaging address should be synchronized to native contacts.| +|Job Title|This value specifies if the contact's job title should be synchronized to native contacts.| +|Name Prefix|This value specifies if the contact's name prefix should be synchronized to native contacts.| +|Name Suffix|This value specifies if the contact's name suffix should be synchronized to native contacts.| +|Nickname|This value specifies if the contact's nickname should be synchronized to native contacts.| +|Notes|This value specifies if the contact's notes should be synchronized to native contacts.| +|Phone Home Number|This value specifies if the contact's home phone number should be synchronized to native contacts.| +|Phone Home Fax Number|This value specifies if the contact's home fax number should be synchronized to native contacts.| +|Phone Mobile Number|This value specifies if the contact's mobile phone number should be synchronized to native contacts.| +|Phone Other Number|This value specifies if the contact's other phone number should be synchronized to native contacts.| +|Phone Pager Number|This value specifies if the contact's pager phone number should be synchronized to native contacts.| +|Phone Work Number|This value specifies if the work phone number should be synchronized to native contacts.| +|Phone Work Fax Number|This value specifies if the contact's work fax number should be 
synchronized to native contacts.| > [!TIP] > For recommendations about using these settings, see [General app configuration scenarios](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune#general-app-configuration-scenarios). When you use the Microsoft Tunnel VPN Gateway, you can extend Tunnel support by > [!NOTE] > This capability is available when you add Microsoft Intune Plan 2 or Microsoft Intune Suite as an add-on license. For more information, see [Use Intune Suite add-on capabilities](/mem/intune/fundamentals/intune-add-ons). -For more information about Microsoft Tunnel for MAM, see [Microsoft Tunnel for Mobile Application Management](\memdocs\intune\protect\microsoft-tunnel-mam). +For more information about Microsoft Tunnel for MAM, see [Microsoft Tunnel for Mobile Application Management](/mem/intune/protect/microsoft-tunnel-mam). ### S/MIME settings -Secure Multipurpose Internet Mail Extensions (S/MIME) is a specification that allows users to send and receive digitally signed and encrypted emails. You can use an app configuration policy in Intune to configure your S/MIME settings for Outlook on iOS/iPadOS devices or Android devices. You can enable Outlook S/MIME settings to always sign and/or always encrypt on iOS/iPadOS and Android devices when using the **Managed apps** configuration option. +Secure Multipurpose Internet Mail Extensions (S/MIME) is a specification that allows users to send and receive digitally signed and encrypted emails. You can use an app configuration policy in Intune to configure your S/MIME settings for Outlook on iOS/iPadOS devices or Android devices. You can enable Outlook S/MIME settings to always sign and/or always encrypt on iOS/iPadOS and Android devices when using the **Managed apps** configuration option. 
-S/MIME settings for Outlook can be configured by selecting the available options in an app configuration policy, or by using specific keys and values. When you select the options within the app configuration policy, you can choose from standard options. +S/MIME settings for Outlook can be configured by selecting the available options in an app configuration policy, or by using specific keys and values. When you select the options within the app configuration policy, you can choose from standard options. The following table provides a list of the **Sync contact fields to native contacts app configuration** settings for Outlook: -| Outlook S/MIME settings | Description | +|Outlook S/MIME settings|Description| |||-| Enable S/MIME | Specify whether or not S/MIME controls are enabled when composing an email. If you configure this setting, you can choose to use the **Allow user to change setting** option. | -| Encrypt all emails | Specify whether all emails must be encrypted. Encrypting converts data to cipher text so that only the intended recipient can read it. If you configure this setting, you can choose to use the **Allow user to change setting** option. | -| Sign all emails | Specify whether all emails must be signed. A digital signature verifies the authenticity of the email and ensures that the contents aren't tampered with in transit. If you configure this setting, you can choose to use the **Allow user to change setting** option. | -| LDAP URL | This is the LDAP hostname where clients can get the public encryption keys for email recipients. Emails are encrypted when a key is available. | +|Enable S/MIME|Specify whether or not S/MIME controls are enabled when composing an email. If you configure this setting, you can choose to use the **Allow user to change setting** option.| +|Encrypt all emails|Specify whether all emails must be encrypted. Encrypting converts data to cipher text so that only the intended recipient can read it. 
If you configure this setting, you can choose to use the **Allow user to change setting** option.| +|Sign all emails|Specify whether all emails must be signed. A digital signature verifies the authenticity of the email and ensures that the contents aren't tampered with in transit. If you configure this setting, you can choose to use the **Allow user to change setting** option.| +|LDAP URL|This is the LDAP hostname where clients can get the public encryption keys for email recipients. Emails are encrypted when a key is available.| You can find this setting in [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) when using managed apps by selecting **Apps** > **App configuration policies**. In addition, you can add an LDAP (Lightweight Directory Access Protocol) URL for Outlook S/MIME on iOS/iPadOS and Android devices for both managed apps and managed devices. For related information, see [App configuration policies for Microsoft Intune](/mem/intune/apps/app-configuration-policies-overview) and [S/MIME for Outlook for iOS/iPadOS and Android in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/smime-outlook-for-ios-and-android). |
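Review bot: The lead-in sentence for the S/MIME table ("The following table provides a list of the **Sync contact fields to native contacts app configuration** settings for Outlook:") is carried over unchanged from the contacts table and now mislabels the table that follows (Enable S/MIME, Encrypt all emails, Sign all emails, LDAP URL); it should read along the lines of "The following table provides a list of the **Outlook S/MIME** settings:". Two of the rewritten General settings rows also drop a word: "you can choose to the **Allow user to change setting** option" in the Block External Images and Suggested Replies rows should be "choose to use", as the other rows already say. Finally, the LDAP URL row states only that "Emails are encrypted when a key is available"; since this sits next to an "Encrypt all emails" setting, the table should document what the app does for a recipient whose key is not found in the directory, because an admin reading "encrypt all" will otherwise assume no message leaves unencrypted.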
solutions | Energy Secure Collaboration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/energy-secure-collaboration.md | Title: "Key Compliance and Security Considerations for the Energy Industry" Previously updated : 04/10/2020 Last updated : 1/26/2024 audience: ITPro -+ - highpri - Ent_O365 - Strat_O365_Enterprise-The energy industry provides society with fuel and critical infrastructure that people rely on every day. In order to ensure the reliability of infrastructure related to bulk power systems, regulatory authorities impose strict standards on energy industry organizations. These regulatory standards relate not only to the generation and transmission of power, but also to the data and communications that are critical to the day-to-day operations of energy companies. +The energy industry provides society with fuel and critical infrastructure that people rely on every day. In order to ensure the reliability of infrastructure related to bulk power systems, regulatory authorities impose strict standards on energy industry organizations. These regulatory standards relate not only to the generation and transmission of power, but also to the data and communications that are critical to the day-to-day operations of energy companies. -Organizations in the energy industry work with and exchange many types of information as part of their regular operations. This includes customer data, capital engineering design documentation, resource location maps, project management artifacts, performance metrics, field service reports, environmental data, and performance metrics. As these organizations look to transform their operations and collaboration systems into modern digital platforms, they are looking to Microsoft as a trusted Cloud Service Provider (CSP) and Microsoft 365 as their best-of-breed collaboration platform. 
Since Microsoft 365 is built on the Microsoft Azure platform, organizations should examine both platforms as they consider their compliance and security controls when moving to the Cloud. +Organizations in the energy industry work with and exchange many types of information as part of their regular operations. This information includes customer data, capital engineering design documentation, resource location maps, project management artifacts, performance metrics, field service reports, environmental data, and performance metrics. As these organizations look to transform their operations and collaboration systems into modern digital platforms, they're looking to Microsoft as a trusted Cloud Service Provider (CSP) and Microsoft 365 as their best-of-breed collaboration platform. Since Microsoft 365 is built on the Microsoft Azure platform, organizations should examine both platforms as they consider their compliance and security controls when moving to the Cloud. -In North America, the North America Electric Reliability Corporation (NERC) enforces reliability standards that are referred to as NERC [Critical Infrastructure Protection (CIP) standards](https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx). NERC is subject to oversight by the U.S. Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. All bulk power system owners, operators, and users must register with NERC and must comply with NERC CIP standards. Cloud Service Providers and third-party vendors such as Microsoft are not subject to NERC CIP standards. However, the CIP standards include objectives that should be considered when Registered Entities use vendors in the operation of the Bulk Electric System (BES). Microsoft customers operating Bulk Electric Systems are wholly responsible for ensuring their own compliance with NERC CIP standards. 
+In North America, the North America Electric Reliability Corporation (NERC) enforces reliability standards that are referred to as NERC [Critical Infrastructure Protection (CIP) standards](https://nercstg.nerc.com/pa/Stand/Pages/CIPStandards.aspx). NERC is subject to oversight by the U.S. Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. All bulk power system owners, operators, and users must register with NERC and must comply with NERC CIP standards. Cloud Service Providers and third-party vendors such as Microsoft aren't subject to NERC CIP standards. However, the CIP standards include objectives that should be considered when Registered Entities use vendors in the operation of the Bulk Electric System (BES). Microsoft customers operating Bulk Electric Systems are wholly responsible for ensuring their own compliance with NERC CIP standards. For information about Microsoft cloud services and NERC, see the following resources: For information about Microsoft cloud services and NERC, see the following resou Regulatory standards that are recommended for consideration by energy organizations include FedRAMP (US Federal Risk and Authorization Management Program) which is based on and augments the NIST SP 800-53 Rev 4 standard (National Institute of Standards and Technology). -- Microsoft Office 365 and Office 365 U.S. Government have each been granted a FedRAMP ATO (Authorization to Operate) at the Moderate Impact Level. -- Azure and Azure Government have each been granted a FedRAMP High P-ATO (Provisional Authorization to Operate), which represents the highest level of FedRAMP authorization. +- Microsoft Office 365 and Office 365 U.S. Government have each been granted a FedRAMP ATO (Authorization to Operate) at the Moderate Impact Level. +- Azure and Azure Government have each been granted a FedRAMP High P-ATO (Provisional Authorization to Operate), which represents the highest level of FedRAMP authorization. 
For information about Microsoft cloud services and FedRAMP, see the following resources: As the energy industry looks to modernize their collaboration platforms, careful - Regulatory compliance requirements - Associated risks to data, customers and the organization -Microsoft 365 is a modern workplace cloud environment. It provides secure and flexible collaboration across the enterprise, including controls and policy enforcement to adhere to the most stringent regulatory compliance frameworks. Through the following topics, this paper explores how Microsoft 365 helps the energy industry move to a modern collaboration platform while helping to keep data and systems both secure and compliant with regulations: +Microsoft 365 is a modern workplace cloud environment. It provides secure and flexible collaboration across the enterprise, including controls and policy enforcement to adhere to the most stringent regulatory compliance frameworks. Through the following articles, this paper explores how Microsoft 365 helps the energy industry move to a modern collaboration platform while helping to keep data and systems both secure and compliant with regulations: - Provide a Comprehensive Collaboration Platform with Microsoft Teams - Provide Secure and Compliant Collaboration in the Energy Industry As a Microsoft partner, Protiviti contributed to and provided material feedback ## Provide a Comprehensive Collaboration Platform with Microsoft Teams -Collaboration typically requires multiple forms of communication, the ability to store and access documents, and the ability to integrate other applications as needed. Whether they are global enterprises or local companies, employees in the energy sector typically need to collaborate and communicate with members of other departments or across teams. They also often need to communicate with external partners, vendors, or clients. 
As a result, using systems that create silos or make it difficult to share information is typically not recommended. That said, we still want to ensure that employees are sharing information securely and according to policy. +Collaboration typically requires multiple forms of communication, the ability to store and access documents, and the ability to integrate other applications as needed. Whether they're global enterprises or local companies, employees in the energy sector typically need to collaborate and communicate with members of other departments or across teams. They also often need to communicate with external partners, vendors, or clients. As a result, using systems that create silos or make it difficult to share information is typically not recommended. That said, we still want to ensure that employees are sharing information securely and according to policy. -Providing employees with a modern and cloud-based collaboration platform, that allows them to choose and easily integrate the tools that make them most productive, empowers them to find the best ways to work and collaborate. Using Microsoft Teams, together with security controls and governance policies to protect the organization, can help your workforce to easily collaborate in the cloud. +Providing employees with a modern and cloud-based collaboration platform that allows them to choose and easily integrate the tools that make them most productive empowers them to find the best ways to work and collaborate. Using Microsoft Teams, together with security controls and governance policies to protect the organization, can help your workforce to easily collaborate in the cloud. -Microsoft Teams provides a collaboration hub for your organization to bring people together to work and collaborate together on common initiatives or projects. It allows team members to conduct conversations, collaborate, and co-author documents. 
It enables people to store and share files with team members or those outside the team. It also allows them to hold live meetings with integrated enterprise voice and video. Microsoft Teams can be customized with easy access to Microsoft apps such as Planner, Dynamics 365, Power BI, and other third-party line-of-business applications. Teams simplifies access to Office 365 services and third-party apps to centralize collaboration and communication needs for the organization. +Microsoft Teams provides a collaboration hub for your organization to bring people together to work and collaborate together on common initiatives or projects. It allows team members to conduct conversations, collaborate, and coauthor documents. It enables people to store and share files with team members or those outside the team. It also allows them to hold live meetings with integrated enterprise voice and video. Microsoft Teams can be customized with easy access to Microsoft apps such as Planner, Dynamics 365, Power BI, and other third-party line-of-business applications. Teams simplifies access to Office 365 services and third-party apps to centralize collaboration and communication needs for the organization. -Every Microsoft Team is backed by an Office 365 Group. An Office 365 Group is considered the membership provider for Office 365 services, including Microsoft Teams. Office 365 Groups are used to securely control which users are considered members and which are owners of the group. This allows us to easily control which users have access to varying capabilities within Teams. As a result, Team members and owners may only access the capabilities that they are permitted to utilize. +Every Microsoft Team is backed by an Office 365 Group. An Office 365 Group is considered the membership provider for Office 365 services, including Microsoft Teams. Office 365 Groups are used to securely control which users are considered members and which are owners of the group. 
This design allows us to easily control which users have access to varying capabilities within Teams. As a result, Team members and owners can only access the capabilities that they're permitted to utilize. -A common scenario where Microsoft Teams can benefit energy organizations is collaborating with contractors or external firms as part of a field service program, such as vegetation management. Contractors are typically engaged to manage vegetation or remove trees around power system installations. They often need to receive work instructions, communicate with dispatchers and other field service personnel, take and share pictures of external surroundings, sign off when work is complete, and share data back with head office. Traditionally, these programs have been run using phone, text, paper work orders, or custom applications. This can present many challenges including: +A common scenario where Microsoft Teams can benefit energy organizations is collaborating with contractors or external firms as part of a field service program, such as vegetation management. Contractors are typically engaged to manage vegetation or remove trees around power system installations. They often need to receive work instructions, communicate with dispatchers and other field service personnel, take and share pictures of external surroundings, sign out when work is complete, and share data back with head office. Traditionally, these programs are run using phone, text, paper work orders, or custom applications. This method can present many challenges. 
For example: - Processes are manual or analog, making metrics difficult to track-- Communications are not all captured in one place+- Communications aren't all captured in one place - Data is siloed and not necessarily shared with all employees that need it-- Work may not be performed consistently or efficiently-- Custom applications are not integrated with collaboration tools, making it difficult to extract and share data or measure performance+- Work might not be performed consistently or efficiently +- Custom applications aren't integrated with collaboration tools, making it difficult to extract and share data or measure performance -Microsoft Teams can provide an easy-to-use collaboration space to securely share information and conduct conversations between team members and external field service contractors. Teams can be used to conduct meetings, place voice calls, centrally store and share work orders, collect field data, upload photos, integrate with business process solutions (built with Power Apps and Power Automate), and integrate line-of-business apps. This type of field service data may be considered low impact; however, efficiencies can be gained by centralizing communications and access data between employees and field service personnel in these scenarios. +Microsoft Teams can provide an easy-to-use collaboration space to securely share information and conduct conversations between team members and external field service contractors. Teams can be used to conduct meetings, place voice calls, centrally store and share work orders, collect field data, upload photos, integrate with business process solutions (built with Power Apps and Power Automate), and integrate line-of-business apps. This type of field service data might be considered low impact; however, efficiencies can be gained by centralizing communications and access data between employees and field service personnel in these scenarios. 
-Another example where Microsoft Teams can benefit the energy industry is when field service personnel are working to restore service during an outage. Field staff often requires fast access to schematic data for substations, generating stations, or blue prints for assets in the field. This data is considered high impact and must be protected according to NERC CIP regulations. Field service work during outages requires communication between field staff and office employees, and in turn with end customers. Centralizing communications and data sharing in Microsoft Teams provides field staff with an easy method to both access critical data and communicate information or status back to head office. -For example, Microsoft Teams enables field staff to join conference calls while on route to an outage. Field staff can also take photos or video of their environment and share those with head office, which is particularly important when field equipment does not match schematics. Data and status collected from the field can then be surfaced to office employees and leadership through data visualization tools such as Power BI. Ultimately, Microsoft Teams can make field staff more efficient and productive in these critical situations. +Another example where Microsoft Teams can benefit the energy industry is when field service personnel are working to restore service during an outage. Field staff often requires fast access to schematic data for substations, generating stations, or blue prints for assets in the field. This data is considered high impact and must be protected according to NERC CIP regulations. Field service work during outages requires communication between field staff and office employees, and in turn with end customers. Centralizing communications and data sharing in Microsoft Teams provides field staff with an easy method to both access critical data and communicate information or status back to head office. 
+For example, Microsoft Teams enables field staff to join conference calls while on route to an outage. Field staff can also take photos or video of their environment and share those with head office, which is particularly important when field equipment doesn't match schematics. Data and status collected from the field can then be surfaced to office employees and leadership through data visualization tools such as Power BI. Ultimately, Microsoft Teams can make field staff more efficient and productive in these critical situations. ### Teams: Improve collaboration and reduce compliance risk Microsoft 365 provides common policy capabilities for Microsoft Teams through its use of Office 365 Groups as an underlying membership provider. These policies can help improve collaboration and help meet compliance needs. -**Office 365 Group Naming Policies** help ensure that Office 365 Groups, and therefore Microsoft Teams, are named according to corporate policy. The name of a Team can present challenges if not named appropriately. For example, employees might not know which teams to work or share information within if they are incorrectly named. Group naming policies help enforce good hygiene and may also prevent use of specific words, such as reserved words or inappropriate terminology. +**Office 365 Group Naming Policies** help ensure that Office 365 Groups, and therefore Microsoft Teams, are named according to corporate policy. The name of a Team can present challenges if not named appropriately. For example, employees might not know which teams to work or share information within if they're incorrectly named. Group naming policies help enforce good hygiene and might also prevent use of specific words, such as reserved words or inappropriate terminology. -**Office 365 Group Expiration Policies** help to ensure that Office 365 Groups, and therefore Microsoft Teams, are not retained for longer periods of time than required by the organization. 
This capability helps to prevent two key information management issues: +**Office 365 Group Expiration Policies** help to ensure that Office 365 Groups, and therefore Microsoft Teams, aren't retained for longer periods of time than required by the organization. This capability helps to prevent two key information management issues: -- The proliferation of Microsoft Teams that are not necessary or used+- The proliferation of Microsoft Teams that aren't necessary or used - The over-retention of data that is no longer required by the organization -Administrators can specify an expiration period in days for Office 365 Groups (such as 90, 180 or 365 days). If a service backed by an Office 365 group is inactive for the expiration period, group owners are notified. If no action is taken, then the Office 365 Group and all its related services including Microsoft Teams are deleted. +Administrators can specify an expiration period in days for Office 365 Groups (such as 90, 180 or 365 days). If a service backed by an Office 365 group is inactive for the expiration period, group owners are notified. If no action is taken, then the Office 365 Group and all its related services including Microsoft Teams are deleted. The over-retention of data in a Microsoft Team can pose litigation risks to organizations. The use of expiration policies is a recommended method for protecting the organization. Combined with built-in retention labels and policies, Microsoft 365 helps ensure that organizations are only retaining the data required to meet regulatory compliance obligations. Microsoft Teams enables self-service creation of Teams by default. However, many ## Provide Secure and Compliant Collaboration in the Energy Industry -As mentioned, Microsoft Office 365 and Office 365 U.S. Government have each achieved FedRAMP ATO at the Moderate Impact Level. Azure and Azure Government have achieved a FedRAMP High P-ATO which represents the highest level of FedRAMP authorization. 
Additionally, the FedRAMP moderate control set encompasses all of the NERC CIP requirements, thereby allowing energy industry organizations ("registered entities") to leverage existing FedRAMP authorizations as a scalable and efficient approach to addressing NERC audit requirements. However, it's important to note that FedRAMP is not a point-in-time certification but an assessment and authorization program that includes provisions for [continuous monitoring](https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Strategy_Guide.pdf). Although this provision applies primarily to the CSP, Microsoft customers operating Bulk Electric Systems are responsible for ensuring their own compliance with NERC CIP standards. It is generally a recommended practice to continuously monitor the organization's compliance posture to help ensure ongoing compliance with regulations. +As mentioned, Microsoft Office 365 and Office 365 U.S. Government have each achieved FedRAMP ATO at the Moderate Impact Level. Azure and Azure Government have achieved a FedRAMP High P-ATO which represents the highest level of FedRAMP authorization. Additionally, the FedRAMP moderate control set encompasses all of the NERC CIP requirements, thereby allowing energy industry organizations ("registered entities") to leverage existing FedRAMP authorizations as a scalable and efficient approach to addressing NERC audit requirements. However, it's important to note that FedRAMP isn't a point-in-time certification but an assessment and authorization program that includes provisions for [continuous monitoring](https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Strategy_Guide.pdf). Although this provision applies primarily to the CSP, Microsoft customers operating Bulk Electric Systems are responsible for ensuring their own compliance with NERC CIP standards. 
It's generally a recommended practice to continuously monitor the organization's compliance posture to help ensure ongoing compliance with regulations. Microsoft provides a key tool to assist with monitoring compliance with regulations over time: -- **Microsoft Purview Compliance Manager** helps the organization understand its current compliance posture and the actions it can take to help improve that posture. Compliance Manager calculates a risk-based score measuring progress in completing actions that help reduce risks around data protection and regulatory standards. Compliance Manager provides an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that include common industry regulations and standards. While this score is a good starting point, Compliance Manager becomes more powerful once an organization adds assessments that are more relevant to their industry. Compliance Manager supports a number of regulatory standards that are relevant for NERC CIP compliance obligations, including the [FedRAMP Moderate Control Set](https://www.fedramp.gov/documents/), [NIST 800-53 Rev. 4](https://go.microsoft.com/fwlink/?linkid=2109075), and [AICPA SOC 2](https://go.microsoft.com/fwlink/?linkid=2115184). Energy industry organizations may also create or import custom control sets if needed.+- **Microsoft Purview Compliance Manager** helps the organization understand its current compliance posture and the actions it can take to help improve that posture. Compliance Manager calculates a risk-based score measuring progress in completing actions that help reduce risks around data protection and regulatory standards. Compliance Manager provides an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that include common industry regulations and standards. 
While this score is a good starting point, Compliance Manager becomes more powerful once an organization adds assessments that are more relevant to their industry. Compliance Manager supports a number of regulatory standards that are relevant for NERC CIP compliance obligations, including the [FedRAMP Moderate Control Set](https://www.fedramp.gov/documents/), [NIST 800-53 Rev. 4](https://go.microsoft.com/fwlink/?linkid=2109075), and [AICPA SOC 2](https://go.microsoft.com/fwlink/?linkid=2115184). Energy industry organizations might also create or import custom control sets if needed. The workflow capabilities built into Compliance Manager allow energy organizations to transform and digitize their regulatory compliance processes. Traditionally, compliance teams in the energy industry face the following challenges: The workflow capabilities built into Compliance Manager allow energy organizatio - Insufficient resources or lack of ownership - Lack of real-time information and human error -By automating aspects of regulatory compliance processes through the use of Compliance Manager, organizations can reduce the administrative burden on legal and compliance functions. This tooling can help address these challenges by providing more up-to-date information on remediation actions, more consistent reporting, and documented ownership of actions (linked to the implementation of actions). Organizations can automatically track remediation actions over time and see overall efficiency gains. This enables staff to focus more effort on gaining insights and developing strategies to help navigate risk more effectively. +By automating aspects of regulatory compliance processes through the use of Compliance Manager, organizations can reduce the administrative burden on legal and compliance functions. 
This tooling can help address these challenges by providing more up-to-date information on remediation actions, more consistent reporting, and documented ownership of actions (linked to the implementation of actions). Organizations can automatically track remediation actions over time and see overall efficiency gains. This feature enables staff to focus more effort on gaining insights and developing strategies to help navigate risk more effectively. -Compliance Manager does not express an absolute measure of organizational compliance with any particular standard or regulation. It expresses the extent to which you have adopted controls which can reduce the risks to personal data and individual privacy. Recommendations from Compliance Manager should not be interpreted as a guarantee of compliance. The customer actions provided in Compliance Manager are recommendations. It is up to each organization to evaluate the effectiveness of these recommendations to meet their regulatory obligations prior to implementation. Recommendations found in Compliance Manager should not be interpreted as a guarantee of compliance. +Compliance Manager doesn't express an absolute measure of organizational compliance with any particular standard or regulation. It expresses the extent to which you have adopted controls which can reduce the risks to personal data and individual privacy. Recommendations from Compliance Manager shouldn't be interpreted as a guarantee of compliance. The customer actions provided in Compliance Manager are recommendations. It's up to each organization to evaluate the effectiveness of these recommendations to meet their regulatory obligations prior to implementation. Recommendations found in Compliance Manager shouldn't be interpreted as a guarantee of compliance. 
-Many cyber security-related controls are included in the [FedRAMP Moderate Control Set](https://www.fedramp.gov/documents/) and [NERC CIP standards](https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx). However, key controls related to the Microsoft 365 platform include security management controls (CIP-003-6), account and access management/access revocation (CIP-004-6), electronic security perimeter (CIP-005-5), security event monitoring, and incident response (CIP-008-5). The following foundational Microsoft 365 capabilities help to address the risks and requirements included in these topics. +Many cyber security-related controls are included in the [FedRAMP Moderate Control Set](https://www.fedramp.gov/documents/) and [NERC CIP standards](https://nercstg.nerc.com/pa/Stand/Pages/CIPStandards.aspx). However, key controls related to the Microsoft 365 platform include security management controls (CIP-003-6), account and access management/access revocation (CIP-004-6), electronic security perimeter (CIP-005-5), security event monitoring, and incident response (CIP-008-5). The following foundational Microsoft 365 capabilities help to address the risks and requirements included in these articles. ### Secure User Identities and Control Access -Protecting access to documents and applications begins with strongly securing user identities. As a foundation, this requires providing a secure platform for the enterprise to store and manage identities and providing a trusted means of authentication. It also requires dynamically controlling access to these applications. As employees work, they may move from application to application or across multiple locations and devices. As a result, access to data must be authenticated at each step of the way. In addition, the authentication process must support a strong protocol and multiple factors of authentication (one-time SMS pass code, authenticator app, certificate, etc.) to ensure that identities have not been compromised. 
Finally, enforcing risk-based access policies are a key recommendation to protecting data and applications from insider threats, inadvertent data leaks, and data exfiltration. +Protecting access to documents and applications begins with strongly securing user identities. As a foundation, this action requires providing a secure platform for the enterprise to store and manage identities and providing a trusted means of authentication. It also requires dynamically controlling access to these applications. As employees work, they might move from application to application or across multiple locations and devices. As a result, access to data must be authenticated at each step of the way. In addition, the authentication process must support a strong protocol and multiple factors of authentication (one-time SMS pass code, authenticator app, certificate, etc.) to ensure that identities haven't been compromised. Finally, enforcing risk-based access policies are a key recommendation to protecting data and applications from insider threats, inadvertent data leaks, and data exfiltration. Microsoft 365 provides a secure identify platform with **Microsoft Entra ID** where identities are centrally stored and securely managed. Microsoft Entra ID, along with a host of related Microsoft 365 security services, forms the basis for providing employees with the access they need to work securely while also protecting the organization from threats. -**Microsoft Entra multifactor authentication (MFA)** is built into the platform and provides an additional layer of protection to help ensure users are who they say they are when accessing sensitive data and applications. Azure MFA requires at least two forms of authentication, such as a password and a known mobile device. 
It supports several second factor authentication options, including: the Microsoft Authenticator app, a one-time passcode delivered via SMS, receiving a phone call where a user must enter a PIN, and smart cards or certificate-based authentication. In the event a password is compromised, a potential hacker still needs the user's phone to gain access to organizational data. In addition, Microsoft 365 uses Modern Authentication as a key protocol, bringing the same strong authentication experience from web browsers to collaboration tools, including Microsoft Outlook and Microsoft Office apps. +**Microsoft Entra multifactor authentication (MFA)** is built into the platform and provides an additional layer of protection to help ensure users are who they say they are when accessing sensitive data and applications. Microsoft Entra multifactor authentication requires at least two forms of authentication, such as a password and a known mobile device. It supports several second factor authentication options, including: the Microsoft Authenticator app, a one-time passcode delivered via SMS, receiving a phone call where a user must enter a PIN, and smart cards or certificate-based authentication. In the event a password is compromised, a potential hacker still needs the user's phone to gain access to organizational data. In addition, Microsoft 365 uses Modern Authentication as a key protocol, bringing the same strong authentication experience from web browsers to collaboration tools, including Microsoft Outlook and Microsoft Office apps. -**Microsoft Entra Conditional Access** provides a robust solution for automating access control decisions and enforcing policies to protect company assets. A common example is when an employee tries to access an application containing sensitive customer data and they are automatically required to perform a multifactor authentication. 
Azure Conditional Access brings together signals from a user's access request (such as properties about the user, their device, location, network, and the app or repository they are trying to access). It dynamically evaluates every attempt to access the application against policies you configure. If the user or device risk is elevated, or if other conditions are not met, Microsoft Entra ID automatically enforces policy (such as dynamically requiring MFA, restricting, or even blocking access). This helps ensure that sensitive assets are protected in dynamically changing environments. +**Microsoft Entra Conditional Access** provides a robust solution for automating access control decisions and enforcing policies to protect company assets. A common example is when an employee tries to access an application containing sensitive customer data and they're automatically required to perform a multifactor authentication. Azure Conditional Access brings together signals from a user's access request (such as properties about the user, their device, location, network, and the app or repository they're trying to access). It dynamically evaluates every attempt to access the application against policies you configure. If the user or device risk is elevated, or if other conditions aren't met, Microsoft Entra ID automatically enforces policy (such as dynamically requiring MFA, restricting, or even blocking access). This design helps ensure that sensitive assets are protected in dynamically changing environments. -**Microsoft Defender for Office 365** provides an integrated service to protect organizations from malicious links and malware delivered through email. One of the most common attack vectors impacting users today is email phishing attacks. These attacks can be carefully targeted at specific high-profile employees and can be crafted to be very convincing. They typically contain some call to action requiring a user to click a malicious link or open an attachment with malware. 
Once infected, an attacker can steal a user's credentials and move laterally across the organization. They can also exfiltrate emails and data looking for sensitive information. Microsoft Defender for Office 365 evaluates links at click-time for potentially malicious sites and blocks them. Email attachments are opened in a protected sandbox prior to delivering them to a user's mailbox. +**Microsoft Defender for Office 365** provides an integrated service to protect organizations from malicious links and malware delivered through email. One of the most common attack vectors affecting users today is email phishing attacks. These attacks can be carefully targeted at specific high-profile employees and can be crafted to be very convincing. They typically contain some call to action requiring a user to select a malicious link or open an attachment with malware. Once infected, an attacker can steal a user's credentials and move laterally across the organization. They can also exfiltrate emails and data looking for sensitive information. Microsoft Defender for Office 365 evaluates links at click-time for potentially malicious sites and blocks them. Email attachments are opened in a protected sandbox prior to delivering them to a user's mailbox. -**Microsoft Defender for Cloud Apps** provides organizations with the ability enforce policies at a granular level. This includes detecting behavioral anomalies based on individual user profiles that are automatically defined using Machine Learning. Defender for Cloud Apps builds on Azure Conditional Access policies by evaluating additional signals related to user behavior and properties of the documents being accessed. Over time, Defender for Cloud Apps learns the typical behavior for each employee (the data they access and the applications they use). Based on learned behavioral patterns, policies can automatically enforce security controls if an employee goes outside of that behavioral profile. 
For example, if an employee typically accesses an accounting app from 9:00 a.m. to 5:00 p.m., Monday to Friday, but that same user begins to access that application heavily on a Sunday evening, Defender for Cloud Apps can dynamically enforce policies to require the user to re-authenticate. This helps ensure that credentials have not been compromised. In addition, Defender for Cloud Apps can help discover and identify Shadow IT in the organization. This helps InfoSec teams ensure that employees use sanctioned tools when working with sensitive data. Finally, Defender for Cloud Apps can protect sensitive data anywhere in the Cloud, even outside of the Microsoft 365 platform. It allows organizations to sanction (or un-sanction) specific external Cloud apps, controlling access and monitoring when users work in those applications. +**Microsoft Defender for Cloud Apps** provides organizations with the ability enforce policies at a granular level. This design includes detecting behavioral anomalies based on individual user profiles that are automatically defined using Machine Learning. Defender for Cloud Apps builds on Azure Conditional Access policies by evaluating additional signals related to user behavior and properties of the documents being accessed. Over time, Defender for Cloud Apps learns the typical behavior for each employee (the data they access and the applications they use). Based on learned behavioral patterns, policies can automatically enforce security controls if an employee goes outside of that behavioral profile. For example, if an employee typically accesses an accounting app from 9:00 a.m. to 5:00 p.m., Monday to Friday, but that same user begins to access that application heavily on a Sunday evening, Defender for Cloud Apps can dynamically enforce policies to require the user to re-authenticate. This requirement helps ensure that credentials haven't been compromised. 
In addition, Defender for Cloud Apps can help discover and identify Shadow IT in the organization. This feature helps InfoSec teams ensure that employees use sanctioned tools when working with sensitive data. Finally, Defender for Cloud Apps can protect sensitive data anywhere in the Cloud, even outside of the Microsoft 365 platform. It allows organizations to sanction (or unsanction) specific external Cloud apps, controlling access and monitoring when users work in those applications. -**Microsoft Entra ID**, and the related Microsoft 365 security services, provide the foundation upon which a modern cloud collaboration platform can be rolled out to energy industry organizations. Microsoft Entra ID includes controls to protect access to data and applications. In addition to providing strong security, these controls help organizations meet regulatory compliance obligations. +**Microsoft Entra ID**, and the related Microsoft 365 security services, provide the foundation upon which a modern cloud collaboration platform can be rolled out to energy industry organizations. Microsoft Entra ID includes controls to protect access to data and applications. In addition to providing strong security, these controls help organizations meet regulatory compliance obligations. Microsoft Entra ID and Microsoft 365 services and are deeply integrated and provides the following important capabilities: Microsoft Entra ID and Microsoft 365 services and are deeply integrated and prov ## Identify Sensitive Data and Prevent Data Loss -The FedRAMP Moderate Control Set and NERC CIP standards also include information protection as a key control requirement (CIP-011-2). These requirements specifically address the need to identify information related to BES (Bulk Electric System) Cyber System Information and the protection and secure handling of that information (including storage, transit, and use). 
Specific examples of BES Cyber System Information can include security procedures or security information about systems that are fundamental to operating the bulk electric system (BES Cyber Systems, Physical Access Control Systems, and Electronic Access Control or monitoring systems) that is not publicly available and could be used to allow unauthorized access or unauthorized distribution. However, the same need exists to identify and protect customer information that is critical to the day-to-day operations of energy organizations. +The FedRAMP Moderate Control Set and NERC CIP standards also include information protection as a key control requirement (CIP-011-2). These requirements specifically address the need to identify information related to BES (Bulk Electric System) Cyber System Information and the protection and secure handling of that information (including storage, transit, and use). Specific examples of BES Cyber System Information can include security procedures or security information about systems that are fundamental to operating the bulk electric system (BES Cyber Systems, Physical Access Control Systems, and Electronic Access Control or monitoring systems) that isn't publicly available and could be used to allow unauthorized access or unauthorized distribution. However, the same need exists to identify and protect customer information that is critical to the day-to-day operations of energy organizations. Microsoft 365 allows sensitive data to be identified and protected within the organization through a combination of powerful capabilities, including: - **Microsoft Purview Information Protection** for both user-based classification and automated classification of sensitive data -- **Microsoft Purview Data Loss Prevention (DLP)** for automated identification of sensitive data using sensitive data types (i.e. 
regular expressions) and keywords, and policy enforcement+- **Microsoft Purview Data Loss Prevention (DLP)** for automated identification of sensitive data using sensitive data types (that is, regular expressions) and keywords, and policy enforcement -**Microsoft Purview Information Protection** allows employees to classify documents and emails with sensitivity labels. Sensitivity labels can be applied manually by users to documents within the Microsoft Office apps and to emails within Microsoft Outlook. Sensitivity labels can automatically apply document markings, protection through encryption, and enforce rights management. Sensitivity labels can also be applied automatically by configuring policies which use keywords and sensitive data types (credit card numbers, social security numbers, identity numbers, etc.). +**Microsoft Purview Information Protection** allows employees to classify documents and emails with sensitivity labels. Sensitivity labels can be applied manually by users to documents within the Microsoft Office apps and to emails within Microsoft Outlook. Sensitivity labels can automatically apply document markings, protection through encryption, and enforce rights management. Sensitivity labels can also be applied automatically by configuring policies that use keywords and sensitive data types (credit card numbers, social security numbers, identity numbers, etc.). -Microsoft also provides trainable classifiers. These use machine learning models to identify sensitive data based on what the content is, as opposed to simply through pattern matching or by the elements within the content. A classifier learns how to identify a type of content by looking at many examples of the content to be classified. Training a classifier begins by providing it with examples of content within a particular category. Once it processes the examples, the model is tested by providing it with a mix of both matching and non-matching examples. 
The classifier then predicts whether a given example falls into the category or not. A person then confirms the results, sorting the positives, negatives, false positives, and false negatives to help increase the accuracy of the classifier's predictions. When the trained classifier is published, it processes and automatically classifies content in SharePoint Online, Exchange Online, and OneDrive for Business. +Microsoft also provides trainable classifiers. These use machine learning models to identify sensitive data based on what the content is, as opposed to simply through pattern matching or by the elements within the content. A classifier learns how to identify a type of content by looking at many examples of the content to be classified. Training a classifier begins by providing it with examples of content within a particular category. Once it processes the examples, the model is tested by providing it with a mix of both matching and non-matching examples. The classifier then predicts whether a given example falls into the category or not. A person then confirms the results, sorting the positives, negatives, false positives, and false negatives to help increase the accuracy of the classifier's predictions. When the trained classifier is published, it processes and automatically classifies content in SharePoint Online, Exchange Online, and OneDrive. -Applying sensitivity labels to documents and emails embeds metadata within the object which identifies the chosen sensitivity, thereby allowing the sensitivity to travel with the data. As a result, even if a labeled document is stored on a user's desktop or within an on-premise system, it is still protected. This enables other Microsoft 365 solutions, such as Microsoft Defender for Cloud Apps or network edge devices, to identify sensitive data and automatically enforce security controls. 
Sensitivity labels have the added benefit of educating employees about which data within an organization is considered sensitive and how to handle that data. +Applying sensitivity labels to documents and emails embeds metadata within the object that identifies the chosen sensitivity, thereby allowing the sensitivity to travel with the data. As a result, even if a labeled document is stored on a user's desktop or within an on-premises system, it's still protected. This design enables other Microsoft 365 solutions, such as Microsoft Defender for Cloud Apps or network edge devices, to identify sensitive data and automatically enforce security controls. Sensitivity labels have the added benefit of educating employees about which data within an organization is considered sensitive and how to handle that data. -**Microsoft Purview Data Loss Prevention (DLP)** automatically identifies documents, emails, and conversations that contain sensitive data. It does this by scanning these for sensitive data types and then enforcing policy on those objects. Policies are enforced on documents within SharePoint and OneDrive for Business. Policies are also enforced when users send email and in Microsoft Teams within chat and channel conversations. Policies may be configured to look for keywords, sensitive data types, retention labels, and whether data is shared within the organization or externally. Controls are provided to help organizations fine-tune DLP policies to better avoid false positives. When sensitive data is found, customizable policy tips can be displayed to users within Microsoft 365 applications. Policy tips inform users that their content contains sensitive data and can propose corrective actions. Policies can also prevent users from accessing documents, sharing documents, or sending emails that contain certain types of sensitive data. Microsoft 365 supports over 100 built-in sensitive data types. 
Organizations can configure custom sensitive data types to meet their policies. +**Microsoft Purview Data Loss Prevention (DLP)** automatically identifies documents, emails, and conversations that contain sensitive data by scanning these items for sensitive data types, and then enforcing policies on those objects. Policies are enforced on documents within SharePoint and OneDrive for Business. Policies are also enforced when users send email and in Microsoft Teams within chat and channel conversations. Policies can be configured to look for keywords, sensitive data types, retention labels, and whether data is shared within the organization or externally. Controls are provided to help organizations fine-tune DLP policies to better avoid false positives. When sensitive data is found, customizable policy tips can be displayed to users within Microsoft 365 applications. Policy tips inform users that their content contains sensitive data and can propose corrective actions. Policies can also prevent users from accessing documents, sharing documents, or sending emails that contain certain types of sensitive data. Microsoft 365 supports over 100 built-in sensitive data types. Organizations can configure custom sensitive data types to meet their policies. Rolling out Microsoft Purview Information Protection and DLP policies to organizations requires careful planning. It also requires user education so employees understand the organization's data classification schema and which types of data are sensitive. Providing employees with tools and education programs that help them identify sensitive data and help them understand how to handle it makes them part of the solution for mitigating information security risks. ## Govern Data by Effectively Managing Records -Regulations require many organizations to manage the retention of key organizational documents according to a managed corporate retention schedule. 
Organizations face regulatory compliance risks if data is under-retained (deleted too early), or legal risks if data is over-retained (kept too long). Effective records management strategies help ensure that organization documents are retained according to predetermined retention periods which are designed to minimize risk to the organization. Retention periods are prescribed in a centrally managed organizational record retention schedule. Retention periods are based on the nature of each type of document, the regulatory compliance requirements for retaining specific types of data, and the defined policies of the organization. +Regulations require many organizations to manage the retention of key organizational documents according to a managed corporate retention schedule. Organizations face regulatory compliance risks if data is under-retained (deleted too early), or legal risks if data is over-retained (kept too long). Effective records management strategies help ensure that organization documents are retained according to predetermined retention periods which are designed to minimize risk to the organization. Retention periods are prescribed in a centrally managed organizational record retention schedule. Retention periods are based on the nature of each type of document, the regulatory compliance requirements for retaining specific types of data, and the defined policies of the organization. -Assigning record retention periods accurately across organizational documents may require a granular process which assigns retention periods uniquely to individual documents. Applying record retention policies at scale can be challenging for many reasons. These reasons include the vast number of documents within energy industry organizations together with the fact that, in many cases, retention periods can be triggered by organizational events (such as contracts expiring or an employee leaving the organization). 
+Assigning record retention periods accurately across organizational documents might require a granular process which assigns retention periods uniquely to individual documents. Applying record retention policies at scale can be challenging for many reasons. These reasons include the vast number of documents within energy industry organizations together with the fact that, in many cases, retention periods can be triggered by organizational events (such as contracts expiring or an employee leaving the organization). Microsoft 365 provides capabilities for defining retention labels and policies to easily implement records management requirements. A record manager defines a retention label, which represents a "record type" in a traditional retention schedule. The retention label contains settings which define: - How long a record is retained for - The concurrency requirements or what occurs when retention period expires (delete the document, start a disposition review, or take no action) - What triggers the retention period to start (created date, last modified date, labeled date, or an event), and-- If the document or email is a record (meaning it cannot be edited or deleted)+- If the document or email is a record (meaning it can't be edited or deleted) -Retention labels are then published to SharePoint or OneDrive sites, Exchange mailboxes, and Office 365 Groups. Users may then apply retention labels manually to documents and emails. Or, record managers can use rules to automatically apply retention labels. Auto-apply rules can be based on keywords or sensitive data found within documents or emails, such as credit card numbers, social security numbers, or other personally identifiable information (PII). Auto-apply rules can also be based on SharePoint metadata. +Retention labels are then published to SharePoint or OneDrive sites, Exchange mailboxes, and Office 365 Groups. Users can then apply retention labels manually to documents and emails. 
Or, record managers can use rules to automatically apply retention labels. Auto-apply rules can be based on keywords or sensitive data found within documents or emails, such as credit card numbers, social security numbers, or other personally identifiable information (PII). Auto-apply rules can also be based on SharePoint metadata. -The FedRAMP Moderate Control Set and NERC CIP standards also include Asset Reuse and Disposal as a key control requirement (CIP-011-2). These requirements once again specifically address BES (Bulk Electric System) Cyber System Information. However, other jurisdictional regulations will require energy industry organizations to manage and dispose of records effectively for many types of information. This information includes financial statements, capital project information, budgets, customer data, etc. In all cases, energy organizations are required to maintain robust records management programs and evidence related to the defensible disposition of corporate records. +The FedRAMP Moderate Control Set and NERC CIP standards also include Asset Reuse and Disposal as a key control requirement (CIP-011-2). These requirements once again specifically address BES (Bulk Electric System) Cyber System Information. However, other jurisdictional regulations require energy industry organizations to manage and dispose of records effectively for many types of information. This information includes financial statements, capital project information, budgets, customer data, etc. In all cases, energy organizations are required to maintain robust records management programs and evidence related to the defensible disposition of corporate records. -With each retention label, Microsoft 365 allows record managers to determine if a disposition review is required. Then when those record types come up for disposition, after their retention period has expired, a review must be conducted by the designated disposition reviewers before content is deleted. 
Once the disposition review is approved, content deletion will proceed. However, evidence of the deletion (the user that performed the deletion and date/time in which it occurred) is still retained for multiple years as a certificate of destruction. If organizations require longer or permanent retention of certificates of destruction, Microsoft Sentinel may be used for long-term cloud-based storage of log and audit data. Microsoft Sentinel gives organizations full control over the long-term storage and retention of activity data, log data, and retention/disposition data. +With each retention label, Microsoft 365 allows record managers to determine if a disposition review is required. Then when those record types come up for disposition, after their retention period has expired, a review must be conducted by the designated disposition reviewers before content is deleted. Once the disposition review is approved, content deletion proceeds. However, evidence of the deletion (the user that performed the deletion and date/time in which it occurred) is still retained for multiple years as a certificate of destruction. If organizations require longer or permanent retention of certificates of destruction, they can use Microsoft Sentinel for long-term cloud-based storage of log and audit data. Microsoft Sentinel gives organizations full control over the long-term storage and retention of activity data, log data, and retention/disposition data. ## Comply with FERC and FTC Regulations for Energy Markets Traditionally, communication monitoring solutions are costly and they can be com ### Implement Supervisory Control -Microsoft 365 enables organizations to configure supervision policies which capture employee communications (based on configured conditions) and allow these to be reviewed by designated supervisors. 
Supervision policies can capture internal/external email and attachments, Microsoft Teams chat and channel communications, Skype for Business Online chat communications and attachments, and communications through third-party services (such as Facebook or Dropbox). +Microsoft 365 enables organizations to configure supervision policies which capture employee communications (based on configured conditions) and allow these to be reviewed by designated supervisors. Supervision policies can capture internal/external email and attachments, Microsoft Teams chat and channel communications, Skype for Business Online chat communications and attachments, and communications through third-party services (such as Facebook or Dropbox). -The comprehensive nature of communications that may be captured and reviewed within an organization and the extensive conditions with which policies may be configured allow Microsoft 365 Supervision Policies to help organizations comply with FERC energy market regulations. Supervision policies can be configured to review communications for individuals or groups. In addition, supervisors may be configured to be individuals or groups. Comprehensive conditions may be configured to capture communications based on inbound or outbound messages, domains, retention labels, keywords or phrases, keyword dictionaries, sensitive data types, attachments, message size, or attachment size. Reviewers are provided with a dashboard where they can review flagged communications, act on communications that potentially violate policies, or mark flagged items as resolved. They may also review the results of previous reviews and items that have been resolved. +The comprehensive nature of communications that might be captured and reviewed within an organization and the extensive conditions with which policies can be configured allow Microsoft 365 Supervision Policies to help organizations comply with FERC energy market regulations. 
Supervision policies can be configured to review communications for individuals or groups. In addition, supervisors can be configured to be individuals or groups. Comprehensive conditions can be configured to capture communications based on inbound or outbound messages, domains, retention labels, keywords or phrases, keyword dictionaries, sensitive data types, attachments, message size, or attachment size. Reviewers are provided with a dashboard where they can review flagged communications, act on communications that potentially violate policies, or mark flagged items as resolved. They might also review the results of previous reviews and items that have been resolved. -Microsoft 365 provides reports which allow supervision policy review activities to be audited based on the policy and the reviewer. The available reports can be used to validate that supervision policies are working as defined by the organizations written supervision policies. Reports can also be used to identify communications that require review, including communications that are not compliant with corporate policy. Finally, all activities related to configuring supervision policies and reviewing communications are audited in the Office 365 unified audit log. +Microsoft 365 provides reports which allow supervision policy review activities to be audited based on the policy and the reviewer. The available reports can be used to validate that supervision policies are working as defined by the organizations written supervision policies. Reports can also be used to identify communications that require review, including communications that aren't compliant with corporate policy. Finally, all activities related to configuring supervision policies and reviewing communications are audited in the Office 365 unified audit log. 
-Microsoft 365 Supervision Policies allow organizations to monitor communications for compliance with corporate policies, such as human resources harassment violations and offensive language in company communications. It also allows organizations to reduce risk, by monitoring communications when organizations are undergoing sensitive organizational changes, such as mergers and acquisitions, or leadership changes. +Microsoft 365 Supervision Policies allow organizations to monitor communications for compliance with corporate policies, such as human resources harassment violations and offensive language in company communications. It also allows organizations to reduce risk, by monitoring communications when organizations are undergoing sensitive organizational changes, such as mergers and acquisitions, or leadership changes. ### Communication compliance With many communication channels available to employees, organizations increasin Communication Compliance helps compliance teams effectively and efficiently review messages for potential violations of: -- corporate Policies, such as acceptable use, ethical standards, and corporate specific policies +- corporate Policies, such as acceptable use, ethical standards, and corporate specific policies - sensitivity or sensitive business disclosures, such as unauthorized communications about sensitive projects like upcoming acquisitions, mergers, earnings disclosures, reorganizations, or leadership team changes - regulatory compliance requirements, such as employee communications regarding the types of businesses or transactions in which an organization engages in compliance with FERC regulations for energy markets -Communication compliance provides built-in threat, harassment, and profanity classifiers to help reduce false positives when reviewing communications. This saves reviewers time during the investigation and remediation process. 
It helps reviewers focus on specific messages within long threads that have been highlighted by policy alerts. This helps compliance teams more quickly identify and remediate risks. It provides compliance teams with the ability to easily configure and fine-tune policies, adjusting the solution to the organization's specific needs and reducing false positives. Communication compliance can also help to identify potentially risky user behavior over time, highlighting potential patterns in risky behavior or policy violations. Finally, it provides flexible built-in remediation workflows. These workflows help reviewers quickly take action to escalate to legal or human resources teams according to defined corporate processes. +Communication compliance provides built-in threat, harassment, and profanity classifiers to help reduce false positives when reviewing communications. This classification saves reviewers time during the investigation and remediation process. It helps reviewers focus on specific messages within long threads that have been highlighted by policy alerts. This result helps compliance teams more quickly identify and remediate risks. It provides compliance teams with the ability to easily configure and fine-tune policies, adjusting the solution to the organization's specific needs and reducing false positives. Communication compliance can also help to identify potentially risky user behavior over time, highlighting potential patterns in risky behavior or policy violations. Finally, it provides flexible built-in remediation workflows. These workflows help reviewers quickly take action to escalate to legal or human resources teams according to defined corporate processes. ## Protect against data exfiltration and insider risk -A common threat to enterprises is data exfiltration, or the act of extracting data from an organization. 
This can be a significant concern for energy organizations due to the sensitive nature of the information that may be accessed by employees or field service staff day-to-day. This data includes both BES (Bulk Electric System) Cyber System information as well as business-related information and customer data. With the increasing methods of communications available and many tools for moving data, advanced tools are typically required to mitigate risks of data leaks, policy violations, and insider risk. +A common threat to enterprises is data exfiltration, or the act of extracting data from an organization. This action can be a significant concern for energy organizations due to the sensitive nature of the information that might be accessed by employees or field service staff day-to-day. This data includes both BES (Bulk Electric System) Cyber System information as well as business-related information and customer data. With the increasing methods of communications available and many tools for moving data, advanced tools are typically required to mitigate risks of data leaks, policy violations, and insider risk. ### Insider risk management -Enabling employees with online collaboration tools that may be accessed anywhere inherently brings risk to an organization. Employees may inadvertently or maliciously leak data to attackers or to competitors. Alternatively, they may exfiltrate data for personal use or take data with them to a future employer. These scenarios present serious risks to organizations from a security and a compliance standpoint. Identifying these risks when they occur and quickly mitigating them requires both intelligent tools for data collection and collaboration across departments such as legal, human resources, and information security. +Enabling employees with online collaboration tools that might be accessed anywhere inherently brings risk to an organization. Employees might inadvertently or maliciously leak data to attackers or to competitors. 
Alternatively, they might exfiltrate data for personal use or take data with them to a future employer. These scenarios present serious risks to organizations from a security and a compliance standpoint. Identifying these risks when they occur and quickly mitigating them requires both intelligent tools for data collection and collaboration across departments such as legal, human resources, and information security. [Microsoft Purview Insider Risk Management](/microsoft-365/compliance/insider-risk-management) is a compliance solution that helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization, including acting on cases and escalating cases to Microsoft eDiscovery (Premium) if needed. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards. Insider risk management is a significant increase in capabilities in Microsoft 3 Microsoft 365 provides an integrated and comprehensive solution which enables easy-to-use cloud-based collaboration across the enterprise with Microsoft Teams. Microsoft Teams also enables better communication and collaboration with field service staff, helping energy organizations to be more efficient and effective. Better collaboration across the enterprise and with field staff can ultimately help energy organizations to better serve customers. -Energy industry organizations must comply with strict regulations related to how they store, secure, manage, and retain information related to their operations and customers. They must also comply with regulations related to how they monitor and prevent the manipulation of energy markets. 
Microsoft 365 provides robust security controls for protecting data, identities, devices, and applications from risks and complying with strict energy industry regulations. Built-in tools are provided to help energy organizations assess their compliance, as well as take action and track remediation activities over time. These tools also provide easy to use methods for monitoring and supervising communications. The Microsoft 365 platform is built on foundational components like Microsoft Azure and Microsoft Entra ID, helping to secure the overall platform and helping the organization meet compliance requirements for FedRAMP Moderate and High control sets. This in turn contributes to an energy organization's ability to meet NERC CIP standards. +Energy industry organizations must comply with strict regulations related to how they store, secure, manage, and retain information related to their operations and customers. They must also comply with regulations related to how they monitor and prevent the manipulation of energy markets. Microsoft 365 provides robust security controls for protecting data, identities, devices, and applications from risks and complying with strict energy industry regulations. Built-in tools are provided to help energy organizations assess their compliance, as well as take action and track remediation activities over time. These tools also provide easy to use methods for monitoring and supervising communications. The Microsoft 365 platform is built on foundational components like Microsoft Azure and Microsoft Entra ID, helping to secure the overall platform and helping the organization meet compliance requirements for FedRAMP Moderate and High control sets. This design, in turn, contributes to an energy organization's ability to meet NERC CIP standards. 
Overall, Microsoft 365 helps energy organizations to better protect the organization, to have more robust compliance programs, and to enable staff to focus on gaining better insights and implementing strategies to better reduce risk. |
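Review bot: The rewritten disposition-review paragraph ("With each retention label, Microsoft 365 allows record managers to determine if a disposition review is required...") still says evidence of deletion "is still retained for multiple years as a certificate of destruction" without giving the period; since this is the line a records manager will quote when deciding whether Sentinel export is needed, state the actual retention period here or link to the page that documents it.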
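Review bot: The rewritten reports paragraph under "### Implement Supervisory Control" still reads "as defined by the organizations written supervision policies"; the possessive is missing, so while this line is already being touched change it to "the organization's written supervision policies".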
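Review bot: The "### Implement Supervisory Control" hunk and the "### Communication compliance" section that follows it describe two overlapping mechanisms for capturing and reviewing employee communications (supervision policies and Communication Compliance) without saying how they relate; since the supervision paragraphs are being rewritten anyway, add one sentence stating which of the two an organization should configure today, so that readers do not set up both or the wrong one.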
solutions | Identity Design Principles | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/identity-design-principles.md | description: Learn about top design strategies for Microsoft Enterprise architec Previously updated : 05/01/2020 Last updated : 1/24/2024 ms.audience: ITPro In this article, [Alex Shteynberg](https://www.linkedin.com/in/alex-shteynberg/) ![Alex Shteynberg photo.](../media/solutions-architecture-center/identity-and-beyond-alex-shteynberg.jpg) -I'm a Principal Technical Architect at the New York [Microsoft Technology Center](https://www.microsoft.com/mtc?rtc=1). I mostly work with large customers and complex requirements. My viewpoint and opinions are based on these interactions and may not apply to every situation. However, in my experience, if we can help customers with the most complex challenges, we can help all customers. +I'm a Principal Technical Architect at the New York [Microsoft Technology Center](https://www.microsoft.com/mtc?rtc=1). I mostly work with large customers and complex requirements. My viewpoint and opinions are based on these interactions and might not apply to every situation. However, in my experience, if we can help customers with the most complex challenges, we can help all customers. I typically work with 100+ customers each year. While every organization has unique characteristics, it's interesting to see trends and commonalities. For example, one trend is cross-industry interest for many customers. After all, a bank branch can also be a coffee shop and a community center. I live in New York City (the best!) and really enjoy the diversity of its cultur ## Guiding principles - **Simple is often better**: You can do (almost) anything with technology, but it doesn't mean you should. Especially in the security space, many customers overengineer solutions. 
I like [this video](https://www.youtube.com/watch?v=SOQgABDSYZE) from Google's Stripe conference to underscore this point.-- **People, process, technology**: [Design for people](https://en.wikipedia.org/wiki/Human-centered_design) to enhance process, not tech first. There are no "perfect" solutions. We need to balance various risk factors and decisions will be different for each business. Too many customers design an approach that their users later avoid.+- **People, process, technology**: [Design for people](https://en.wikipedia.org/wiki/Human-centered_design) to enhance process, not tech first. There are no "perfect" solutions. We need to balance various risk factors and decisions that might be different for each business. Too many customers design an approach that their users later avoid. - **Focus on 'why' first and 'how' later**: Be the annoying 7-yr old kid with a million questions. We can't arrive at the right answer if we don't know the right questions to ask. Lots of customers make assumptions on how things need to work instead of defining the business problem. There are always multiple paths that can be taken.-- **Long tail of past best practices**: Recognize that best practices are changing at light speed. If you've looked at Microsoft Entra more than three months ago, you're likely out of date. Everything here's subject to change after publication. ΓÇ£BestΓÇ¥ option today may not be the same six months from now.+- **Long tail of past best practices**: Recognize that best practices are changing at light speed. If you looked at Microsoft Entra more than three months ago, you're likely out of date. Everything here's subject to change after publication. "Best" option today might not be the same six months from now. ## Baseline concepts Don't skip this section. I often find that I must step-back to these articles, even for customers who have been using cloud services for years.-Alas, language isn't a precise tool. 
We often use the same word to mean different concepts or different words to mean the same concept. I often use this diagram below to establish some baseline terminology and "hierarchy model." -<br><br> +Alas, language isn't a precise tool. We often use the same word to mean different concepts or different words to mean the same concept. I often use the following diagram to establish some baseline terminology and "hierarchy model." ![Illustration of tenant, subscription, service, and data.](../media/solutions-architecture-center/Identity-and-beyond-tenant-level.png) -<br> - When you learn to swim, it's better to start in the pool and not in the middle of the ocean. I'm not trying to be technically accurate with this diagram. It's a model to discuss some basic concepts. In the diagram: -- Tenant = an instance of Microsoft Entra ID. It's at the "top" of a hierarchy, or Level 1 in the diagram. We can consider this level to be the "[boundary](/azure/active-directory/users-groups-roles/licensing-directory-independence)" where everything else occurs ([Microsoft Entra B2B](/azure/active-directory/b2b/what-is-b2b) aside). All Microsoft enterprise cloud services are part of one of these tenants. Consumer services are separate. "Tenant" appears in documentation as Office 365 tenant, Azure tenant, WVD tenant, and so on. I often find these variations cause confusion for customers.+- Tenant = an instance of Microsoft Entra ID. It's at the "top" of a hierarchy, or Level 1 in the diagram. We can consider this level to be the "[boundary](/azure/active-directory/users-groups-roles/licensing-directory-independence)" where everything else occurs ([Microsoft Entra B2B](/azure/active-directory/b2b/what-is-b2b) aside). All Microsoft enterprise cloud services are part of one of these tenants. Consumer services are separate. "Tenant" appears in documentation as Microsoft 365 tenant, Azure tenant, WVD tenant, and so on. I often find these variations cause confusion for customers. 
- Services/subscriptions, Level 2 in the diagram, belong to one and only one tenant. Most SaaS services are 1:1 and can't move without migration. Azure is different, you can [move billing](/azure/cost-management-billing/manage/billing-subscription-transfer) and/or a [subscription](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to another tenant. There are many customers that need to move Azure subscriptions. This scenario has various implications. Objects that exist outside of the subscription don't move. For example, role-based access control (Azure RBAC), Microsoft Entra objects (groups, apps, policies, etc.), and some services (Azure Key Vault, Data Bricks, etc.). Don't migrate services without a good business need. Some scripts that can be helpful for migration are [shared on GitHub](https://github.com/lwajswaj/azure-tenant-migration). - A given service usually has some sort of "sublevel" boundary, or Level 3 (L3). This boundary is useful to understand for segregation of security, policies, governance, and so on. Unfortunately, there's no uniform name that I know of. Some examples names for L3 are: Azure Subscription = [resource](/azure/azure-resource-manager/management/manage-resources-portal); Dynamics 365 CE = [instance](/dynamics365/admin/new-instance-management); Power BI = [workspace](/power-bi/service-create-the-new-workspaces); Power Apps = [environment](/power-platform/admin/environments-overview); and so on. - Level 4 is where the actual data lives. This 'data plane' is a complex article. Some services are using Microsoft Entra ID for RBAC, others aren't. I'll discuss it a bit when we get to delegation articles. 
-Some additional concepts that I find many customers (and Microsoft employees) are confused about or have questions about include the following issues: +Some other concepts that I find many customers (and Microsoft employees) are confused about or have questions about include the following issues: -- Anyone can [create](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) many tenants at [no cost](https://azure.microsoft.com/pricing/details/active-directory/). You don't need a service provisioned within it. I have dozens. Each Tenant name is unique in Microsoft's worldwide cloud service (in other words, no two tenants can have the same name). They all are in the format of TenantName.onmicrosoft.com. There are also processes that create Tenants automatically ([unmanaged tenants](/azure/active-directory/users-groups-roles/directory-self-service-signup)). For example, this can occur when a user signs up for an enterprise service with an email domain that doesn't exist in any other tenant.-- In a managed tenant, many [DNS domains](/azure/active-directory/fundamentals/add-custom-domain) can be registered in it. This doesn't change the original tenant name. There's currently no easy way to rename a tenant (other than migration). Although the tenant name is technically not critical these days, some may find this to be limiting.+- Anyone can [create](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) many tenants at [no cost](https://azure.microsoft.com/pricing/details/active-directory/). You don't need a service provisioned within it. I have dozens. Each Tenant name is unique in Microsoft's worldwide cloud service (in other words, no two tenants can have the same name). They're all in the format of TenantName.onmicrosoft.com. There are also processes that create Tenants automatically ([unmanaged tenants](/azure/active-directory/users-groups-roles/directory-self-service-signup)). 
For example, this result can happen when a user signs up for an enterprise service with an email domain that doesn't exist in any other tenant. +- In a managed tenant, many [DNS domains](/azure/active-directory/fundamentals/add-custom-domain) can be registered in it. This result doesn't change the original tenant name. There's currently no easy way to rename a tenant (other than migration). Although the tenant name is technically not critical these days, some people might feel limited by this reality. - You should reserve a tenant name for your organization even if you aren't yet planning to deploy any services. Otherwise somebody can take it from you and there's no simple process to take it back (same problem as DNS names). I hear this way too often from customers. What your tenant name should be is a debate article as well.-- If you own DNS namespace(s), you should add all of these to your tenant(s). Otherwise one could create an [unmanaged tenant](/azure/active-directory/users-groups-roles/directory-self-service-signup) with this name, which then causes disruption to [make it managed](/azure/active-directory/users-groups-roles/domains-admin-takeover).-- DNS namespace (such as contoso.com) can belong to one and only one Tenant. This has implications for various scenarios (for example, sharing an email domain during a merger or acquisition, and so on). There's a way to register a DNS sub (such as div.contoso.com) in a different tenant, but that should be avoided. By registering a top-level domain name, all subdomains are assumed to belong to the same tenant. In multi-tenant scenarios (see below) I would normally recommend using another top-level domain name (such as contoso.ch or ch-contoso.com).-- Who should "own" a tenant? I often see customers that do not know who currently owns their tenant. This lack of knowledge is a big red flag. Call Microsoft support ASAP. 
Just as problematic is when a service owner (often an Exchange administrator) is designated to manage a tenant. The tenant will contain all services that you may want in the future. The tenant owner should be a group that can make decision for enablement of all cloud services in an organization. Another problem is when a tenant owner group is asked to manage all services. This doesn't scale for large organizations.-- There's no concept of a sub/super tenant. For some reason, this myth keeps repeating itself. This applies to [Azure AD B2C](/azure/active-directory-b2c/) tenants as well. I hear too many times, "My B2C environment is in my XYZ Tenant," or "How do I move my Azure tenant into my Office 365 tenant?"-- This document mostly focuses on the commercial worldwide cloud, because that's what most customers are using. It sometimes useful to know about [sovereign clouds](/azure/active-directory/develop/authentication-national-cloud). Sovereign clouds have additional implications to discuss which are out of scope for this discussion.+- If you own DNS namespace, you should add all of these namespaces to your tenants. Otherwise one could create an [unmanaged tenant](/azure/active-directory/users-groups-roles/directory-self-service-signup) with this name, which then causes disruption to [make it managed](/azure/active-directory/users-groups-roles/domains-admin-takeover). +- A DNS namespace (for example, contoso.com) can belong to one and only one Tenant. This requirement has implications for various scenarios (for example, sharing an email domain during a merger or acquisition, and so on). There's a way to register a DNS sub (such as div.contoso.com) in a different tenant, but that should be avoided. By registering a top-level domain name, all subdomains are assumed to belong to the same tenant. In multi-tenant scenarios (as explained next) I would normally recommend using another top-level domain name (such as contoso.ch or ch-contoso.com). 
+- Who should "own" a tenant? I often see customers that don't know who currently owns their tenant. This lack of knowledge is a significant red flag. Call Microsoft support ASAP. Just as problematic is when a service owner (often an Exchange administrator) is designated to manage a tenant. The tenant contains all services that you might want in the future. The tenant owner should be a group that can make decision for enablement of all cloud services in an organization. Another problem is when a tenant owner group is asked to manage all services. This method doesn't scale for large organizations. +- There's no concept of a sub/super tenant. For some reason, this myth keeps repeating itself. This concept applies to [Azure Active Directory B2C](/azure/active-directory-b2c/) tenants as well. I hear too many times, "My B2C environment is in my XYZ Tenant," or "How do I move my Azure tenant into my Microsoft 365 tenant?" +- This document mostly focuses on the commercial worldwide cloud, because that's what most customers are using. It sometimes useful to know about [sovereign clouds](/azure/active-directory/develop/authentication-national-cloud). Sovereign clouds have other implications to discuss which are out of scope for this discussion. ## Baseline identity articles -There's much documentation about Microsoft's identity platform ΓÇô Microsoft Entra ID. For those who are just starting, it often feels overwhelming. Even after you learn about it, keeping up with constant innovation and change can be challenging. In my customer interactions I often find myself serving as "translator" between business goals and "Good, Better, Best" approaches to address these (and human "cliff notes" for these articles). There's rarely a perfect answer and the "right" decision is a balance of various risk factors. Below are some of the common questions and confusion areas I tend to discuss with customers. 
+There's much documentation about Microsoft's identity platform ΓÇô Microsoft Entra ID. For people who are just starting, it often feels overwhelming. Even after you learn about it, keeping up with constant innovation and change can be challenging. In my customer interactions, I often find myself serving as "translator" between business goals and "Good, Better, Best" approaches to address these concerns (and human "cliff notes" for these articles). There's rarely a perfect answer and the "right" decision is a balance of various risk factors. Up next are some of the common questions and confusion areas I tend to discuss with customers. ### Provisioning Microsoft Entra ID doesn't solve for lack of governance in your identity world! [Identity governance](/azure/active-directory/governance/identity-governance-overview) should be a critical element independent of any cloud decisions. Governance requirements change over time, which is why it's a program and not a tool. -[Microsoft Entra Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) vs. [Microsoft Identity Manager](/microsoft-identity-manager/microsoft-identity-manager-2016) (MIM) vs. something else (third party or custom)? Save yourself a lot of headache now and in the future and go with Microsoft Entra Connect. There are all kinds of smarts in this tool to address peculiar customer configurations and ongoing innovations. +[Microsoft Entra Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) vs. [Microsoft Identity Manager](/microsoft-identity-manager/microsoft-identity-manager-2016) (MIM) vs. something else (third party or custom)? Save yourself problems now and in the future and go with Microsoft Entra Connect. There are all kinds of smarts in this tool to address peculiar customer configurations and ongoing innovations. 
-Some edge cases that may drive towards a more complex architecture: +Some edge cases that might drive towards a more complex architecture: -- I have multiple AD forests without network connectivity between these. There's a new option called [Cloud Provisioning](/azure/active-directory/cloud-provisioning/what-is-cloud-provisioning).-- I don't have Active Directory, nor do I want to install it. Microsoft Entra Connect can be configures to [sync from LDAP](/azure/active-directory/hybrid/plan-hybrid-identity-design-considerations-tools-comparison) (partner may be required).+- I have multiple AD forests without network connectivity between them. There's a new option called [Cloud Provisioning](/azure/active-directory/cloud-provisioning/what-is-cloud-provisioning). +- I don't have Active Directory, nor do I want to install it. Microsoft Entra Connect can be configures to [sync from LDAP](/azure/active-directory/hybrid/plan-hybrid-identity-design-considerations-tools-comparison) (partner might be required). - I need to provision the same objects to multiple tenants. This scenario isn't technically supported but depends on definition of "same." -Should I customize default synchronization rules ([filter objects](/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering), [change attributes](/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized), [alternate login ID](/azure/active-directory/hybrid/plan-connect-userprincipalname), and so on)? Avoid it! An identity platform is only as valuable as the services that use it. While you can do all kinds of nutty configurations, to answer this question you need to look at the impact on applications. If you filter mail-enabled objects, then the GAL for online services will be incomplete; if the application relies on specific attributes, filtering these will have unpredictable impact; and so on. It's not an identity team decision. 
+Should I customize default synchronization rules ([filter objects](/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering), [change attributes](/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized), [alternate login ID](/azure/active-directory/hybrid/plan-connect-userprincipalname), and so on)? Avoid it! An identity platform is only as valuable as the services that use it. While you can do all kinds of nutty configurations, to answer this question you need to look at the effect on applications. If you filter mail-enabled objects, then the GAL for online services is incomplete; if the application relies on specific attributes, filtering on these attributes has unpredictable effects; and so on. It's not an identity team decision. -XYZ SaaS supports Just-in-Time (JIT) provisioning, why are you requiring me to synchronize? See above. Many applications need "profile" information for functionality. You can't have a GAL if all mail-enabled objects aren't available. Same applies to [user provisioning](/azure/active-directory/app-provisioning/user-provisioning) in applications integrated with Microsoft Entra ID. +XYZ SaaS supports Just-in-Time (JIT) provisioning, why are you requiring me to synchronize? See the previous paragraph. Many applications need "profile" information for functionality. You can't have a GAL if all mail-enabled objects aren't available. Same applies to [user provisioning](/azure/active-directory/app-provisioning/user-provisioning) in applications integrated with Microsoft Entra ID. 
### Authentication Usually there's a passionate [debate](/azure/active-directory/hybrid/choose-ad-a Some customers enable federation + PHS mainly for: - An option to [fall back](/azure/active-directory/hybrid/plan-migrate-adfs-password-hash-sync) to (for disaster recovery) if the federation service isn't available.-- Additional capabilities (ex.: [Microsoft Entra Domain Services](/azure/active-directory-domain-services/tutorial-configure-password-hash-sync)) and security services (ex.: [leaked credentials](/azure/active-directory/reports-monitoring/concept-risk-events#leaked-credentials))-- Support for services in Azure that do not understand federated authentication (for example, [Azure Files](/azure/storage/files/storage-files-active-directory-overview)).+- Additional capabilities (for example, [Microsoft Entra Domain Services](/azure/active-directory-domain-services/tutorial-configure-password-hash-sync)) and security services (for example, [leaked credentials](/azure/active-directory/reports-monitoring/concept-risk-events#leaked-credentials)) +- Support for services in Azure that don't understand federated authentication (for example, [Azure Files](/azure/storage/files/storage-files-active-directory-overview)). -I often walk customers through client authentication flow to clarify some misconceptions. The result looks like the picture below, which isn't as good as the interactive process of getting there. +I often walk customers through client authentication flow to clarify some misconceptions. The result looks like the following picture, which isn't as good as the interactive process of getting there. ![Example whiteboard conversation.](../media/solutions-architecture-center/identity-beyond-whiteboard-example.png) This type of whiteboard drawing illustrates where security policies are applied within the flow of an authentication request. 
In this example, policies enforced through Active Directory Federation Service (AD FS) are applied to the first service request, but not subsequent service requests. This behavior is at least one reason to move security controls to the cloud as much as possible. -We've been chasing the dream of [single sign-on](/azure/active-directory/manage-apps/what-is-single-sign-on) (SSO) for as long as I can remember. Some customers believe they can achieve this by choosing the "right" federation (STS) provider. Microsoft Entra ID can help significantly to [enable SSO](/azure/active-directory/manage-apps/plan-sso-deployment) capabilities, but no STS is magical. There are too many "legacy" authentication methods that are still used for critical applications. Extending Microsoft Entra ID with [partner solutions](/azure/active-directory/saas-apps/tutorial-list) can address many of these scenarios. SSO is a strategy and a journey. You can't get there without moving towards [standards for applications](/azure/active-directory/develop/v2-app-types). Related to this article is a journey to [passwordless](/azure/active-directory/authentication/concept-authentication-passwordless) authentication, which also doesn't have a magical answer. +We've been chasing the dream of [single sign-on](/azure/active-directory/manage-apps/what-is-single-sign-on) (SSO) for as long as I can remember. Some customers believe they can achieve single sign-on by choosing the "right" federation (STS) provider. Microsoft Entra ID can help significantly to [enable SSO](/azure/active-directory/manage-apps/plan-sso-deployment) capabilities, but no STS is magical. There are too many "legacy" authentication methods that are still used for critical applications. Extending Microsoft Entra ID with [partner solutions](/azure/active-directory/saas-apps/tutorial-list) can address many of these scenarios. SSO is a strategy and a journey. 
You can't get there without moving towards [standards for applications](/azure/active-directory/develop/v2-app-types). Related to this article is a journey to [passwordless](/azure/active-directory/authentication/concept-authentication-passwordless) authentication, which also doesn't have a magical answer. -[Multi-factor authentication](/azure/active-directory/authentication/concept-mfa-howitworks) (MFA) is essential today ([here](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984) for more). Add to it [user behavior analytics](/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa) and you have a solution that prevents most common cyber-attacks. Even consumer services are moving to require MFA. Yet, I still meet with many customers who don't want to move to [modern authentication](../enterprise/hybrid-modern-auth-overview.md) approaches. The biggest argument I hear is that it will impact users and legacy applications. Sometimes a good kick might help customers move along - Exchange Online [announced changes](https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-auth-and-exchange-online-february-2020-update/ba-p/1191282). Lots of Microsoft Entra [reports](/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication) are now available to help customers with this transition. +[Multifactor authentication](/azure/active-directory/authentication/concept-mfa-howitworks) (MFA) is essential today ([here](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984) for more). Add to it [user behavior analytics](/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa) and you have a solution that prevents most common cyber-attacks. Even consumer services are moving to require MFA. 
Yet, I still meet with many customers who don't want to move to [modern authentication](../enterprise/hybrid-modern-auth-overview.md) approaches. The biggest argument I hear is that it impacts users and legacy applications. Sometimes a good kick might help customers move along - Exchange Online [announced changes](https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-auth-and-exchange-online-february-2020-update/ba-p/1191282). Lots of Microsoft Entra [reports](/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication) are now available to help customers with this transition. ### Authorization -Per [Wikipedia](https://en.wikipedia.org/wiki/Authorization), "to authorize" is to define an access policy. Many people look at it as the ability to define access controls to an object (file, service, and so on). In the current world of cyber threats, this concept is rapidly evolving to a dynamic policy that can react to various threat vectors and quickly adjust access controls in response to these. For example, if I access my bank account from an unusual location, I get additional confirmation steps. To approach this, we need to consider not just the policy itself but the ecosystem of threat detection and signal correlation methodologies. +Per [Wikipedia](https://en.wikipedia.org/wiki/Authorization), "to authorize" is to define an access policy. Many people look at it as the ability to define access controls to an object (file, service, and so on). In the current world of cyber threats, this concept is rapidly evolving to a dynamic policy that can react to various threat vectors and quickly adjust access controls in response to them. For example, if I access my bank account from an unusual location, I get extra confirmation steps. To approach this reality, we need to consider not just the policy itself but the ecosystem of threat detection and signal correlation methodologies. 
-The policy engine of Microsoft Entra ID is implemented using [Conditional Access policies](/azure/active-directory/conditional-access/overview). This system depends on information from a variety of other threat detection systems to make dynamic decisions. A simple view would be something like the following illustration: +The policy engine of Microsoft Entra ID is implemented using [Conditional Access policies](/azure/active-directory/conditional-access/overview). This system depends on information from other threat detection systems to make dynamic decisions. A simple view would be something like the following illustration: ![Policy engine in Microsoft Entra ID.](../media/solutions-architecture-center/identity-and-beyond-illustration-3.png) Combining all these signals together allows for dynamic policies like these: -- If a threat is detected on your device, your access to data will be reduced to web only without the ability to download.-- If you are downloading an unusually high volume of data, anything you download will be encrypted and restricted.-- If you access a service from an unmanaged device, you'll be blocked from highly sensitive data but allowed to access non-restricted data without the ability to copy it to another location.+- If a threat is detected on your device, your access to data is reduced to web only without the ability to download. +- If you're downloading an unusually high volume of data, anything you download is encrypted and restricted. +- If you access a service from an unmanaged device, you're be blocked from highly sensitive data but allowed to access nonrestricted data without the ability to copy it to another location. -If you agree with this expanded definition of authorization, then you need to implement additional solutions. Which solutions you implement will depend on how dynamic you want the policy to be and which threats you want to prioritize. 
Some examples of such systems are: +If you agree with this expanded definition of authorization, then you need to implement additional solutions. Which solutions you implement depends on how dynamic you want the policy to be and which threats you want to prioritize. Some examples of such systems are: - [Microsoft Entra ID Protection](/azure/active-directory/identity-protection/) - [Microsoft Defender for Identity](/azure-advanced-threat-protection/) If you agree with this expanded definition of authorization, then you need to im - [Microsoft Purview Information Protection](../compliance/information-protection.md) - [Microsoft Sentinel](/azure/sentinel/) -Of course, in addition to Microsoft Entra ID, various services and applications have their own specific authorization models. Some of these are discussed later in the delegation section. +In addition to Microsoft Entra ID, various services and applications have their own specific authorization models. Some of these models are discussed later in the delegation section. ### Audit -Microsoft Entra ID has detailed [audit and reporting](/azure/active-directory/reports-monitoring/) capabilities. However, these reports are usually not the only source of information needed to make security decisions. See more discussion on this in the delegation section. +Microsoft Entra ID has detailed [audit and reporting](/azure/active-directory/reports-monitoring/) capabilities. However, these reports are typically not the only source of information needed to make security decisions. See more discussion on this subject in the delegation section. ## There's no Exchange -Don't Panic! This doesn't mean Exchange is being deprecated (or SharePoint, and so on). It's still a core service. What I mean is, for quite some time now, technology providers have been transitioning user experiences (UX) to encompass components of multiple services. 
In Microsoft 365, a simple example is "[modern attachments](https://support.office.com/article/Attach-files-or-insert-pictures-in-Outlook-email-messages-BDFAFEF5-792A-42B1-9A7B-84512D7DE7FC)" where attachments to email are stored in SharePoint Online or OneDrive for Business. +Don't Panic! Exchange isn't being deprecated (or SharePoint, and so on). It's still a core service. What I mean is, for quite some time now, technology providers have been transitioning user experiences (UX) to encompass components of multiple services. In Microsoft 365, a simple example is "[modern attachments](https://support.office.com/article/Attach-files-or-insert-pictures-in-Outlook-email-messages-BDFAFEF5-792A-42B1-9A7B-84512D7DE7FC)" where attachments to email are stored in SharePoint Online or OneDrive. ![Attaching a file to an email.](../media/solutions-architecture-center/modern-attachments.png) -Looking at the Outlook client you can see many services that are "connected" as part of this experience, not just Exchange. This includes Microsoft Entra ID, Microsoft Search, Apps, Profile, compliance, and Office 365 groups. +Looking at the Outlook client you can see many services that are "connected" as part of this experience, not just Exchange. Examples include Microsoft Entra ID, Microsoft Search, Apps, Profile, compliance, and Microsoft 365 groups. ![Outlook interface with callouts.](../media/solutions-architecture-center/identity-and-beyond-conceptual-screenshot.png) Read about [Microsoft Fluid Framework](https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-ignite-blog-microsoft-fluid-framework-preview/ba-p/978268) for preview of upcoming capabilities. In preview now, I can read and reply to Teams conversations directly in Outlook. In fact, the [Teams client](https://products.office.com/microsoft-teams/download-app) is one of the more prominent examples of this strategy. 
-Overall, it's becoming harder to draw a clear line between Office 365 and other services in Microsoft clouds. I view it as a great benefit to customers since they can benefit from total innovation across everything we do even if they use one component. Pretty cool and has far reaching implications for many customers. +Overall, it's becoming harder to draw a clear line between Microsoft 365 and other services in Microsoft clouds. I view it as a great benefit to customers since they can benefit from total innovation across everything we do even if they use one component. Pretty cool and has far reaching implications for many customers. -Today, I find many customer IT groups are structured around "products." It's logical for an on-premises world since you need an expert for each specific product. However, I'm totally happy that I don't have to debug an Active Directory or Exchange database ever again as these services have moved to the cloud. Automation (which cloud kind of is) removes certain repetitive manual jobs (look what happened to factories). However, these tasks are replaced with more complex requirements to understand cross-services interaction, impact, business needs, and so on. If you are willing to [learn](/training/), there are great opportunities enabled by cloud transformation. Before jumping into technology, I often talk to customers about managing change in IT skills and team structures. +Today, I find many customer IT groups are structured around "products." It's logical for an on-premises world since you need an expert for each specific product. However, I'm happy that I don't have to debug an Active Directory or Exchange database ever again as these services have moved to the cloud. Automation (which the cloud basically is) removes certain repetitive manual jobs (look what happened to factories). However, these tasks are replaced with more complex requirements to understand cross-services interaction, effect, business needs, and so on. 
If you're willing to [learn](/training/), there are great opportunities enabled by cloud transformation. Before jumping into technology, I often talk to customers about managing change in IT skills and team structures. -To all SharePoint fan-people and developers, please stop asking "How can I do XYZ in SharePoint online?" Use [Power Automate](/power-automate/) (or Flow) for workflow, it's a much more powerful platform. Use [Azure Bot Framework](/azure/bot-service/) to create a better UX for your 500-K item list. Start using [Microsoft Graph](https://developer.microsoft.com/graph/) instead of CSOM. [Microsoft Teams](/MicrosoftTeams/Teams-overview) includes SharePoint but also a world more. There are many other examples I can list. There's a vast and wonderful universe out there. Open the door and [start exploring](). +To all SharePoint fan-people and developers, please stop asking "How can I do XYZ in SharePoint Online?" Use [Power Automate](/power-automate/) (or Flow) for workflow, it's a much more powerful platform. Use [Azure Bot Framework](/azure/bot-service/) to create a better UX for your 500-K item list. Start using [Microsoft Graph](https://developer.microsoft.com/graph/) instead of CSOM. [Microsoft Teams](/MicrosoftTeams/Teams-overview) includes SharePoint but also a world more. There are many other examples I can list. There's a vast and wonderful universe out there. Open the door and [start exploring](). -The other common impact is in the compliance area. This cross-services approach seems to completely confuse many compliance policies. I keep seeing organizations that state, "I need to journal all email communications to an eDiscovery system." What does this really mean when email is no longer just email but a window into other services? Office 365 has a comprehensive approach for [compliance](../compliance/index.yml), but changing people and processes are often much more difficult than technology. +The other common effect is in the compliance area. 
This cross-services approach seems to completely confuse many compliance policies. I keep seeing organizations that state, "I need to journal all email communications to an eDiscovery system." What does this statement really mean when email is no longer just email but a window into other services? Microsoft 365 has a comprehensive approach for [compliance](../compliance/index.yml), but changing people and processes are often much more difficult than technology. There are many other people and process implications. In my opinion, this factor is a critical and under-discussed area. Perhaps more in another article. There are many other people and process implications. In my opinion, this factor ### Single tenant vs. multi-tenant -In general, most customers should have only one production tenant. There are many reasons why multiple tenants are challenging (give it a [Bing search](https://www.bing.com/search?q=office%20365%20multiple%20tenants)) or read this [whitepaper](https://aka.ms/multi-tenant-user). At the same time, many enterprise customers I work with have another (small) tenant for IT learning, testing, and experimentation. Cross-tenant Azure access is made easier with [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/). Office 365 and many other SaaS services have limits for cross-tenant scenarios. There's a lot to consider in [Microsoft Entra B2B](/azure/active-directory/b2b/what-is-b2b) scenarios. +In general, most customers should have only one production tenant. There are many reasons why multiple tenants are challenging (give it a [Bing search](https://www.bing.com/search?q=office%20365%20multiple%20tenants)) or read this [whitepaper](https://aka.ms/multi-tenant-user). At the same time, many enterprise customers I work with have another (small) tenant for IT learning, testing, and experimentation. Cross-tenant Azure access is made easier with [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/). 
Microsoft 365 and many other SaaS services have limits for cross-tenant scenarios. There's a lot to consider in [Microsoft Entra B2B](/azure/active-directory/b2b/what-is-b2b) scenarios. Many customers end-up with multiple production tenants after a merger and acquisition (M&A) and want to consolidate. Today that's not simple and would require Microsoft Consulting Services (MCS) or a partner plus third-party software. There's ongoing engineering work to address various scenarios with multi-tenant customers in the future. -Some customers choose to go with more than one tenant. This should be a very careful decision and almost always business reason driven! Some examples include the following reasons: +Some customers choose to go with more than one tenant. This should be a careful decision and almost always business reason driven! Some examples include the following reasons: -- A holding type company structure where easy collaboration between different entities is not required and there's strong administrative and other isolation needs.+- A holding type company structure where easy collaboration between different entities isn't required and there's strong administrative and other isolation needs. - After an acquisition, a business decision is made to keep two entities separate. - Simulation of a customer's environment that doesn't change the customer's production environment. - Development of software for customers. In these multi-tenant scenarios, customers often want to keep some configuration ### Multi-Geo -To [Multi-Geo](../enterprise/microsoft-365-multi-geo.md) or not to Multi-Geo, that is the question. With Office 365 Multi-Geo, you can provision and store data at rest in the geo locations that you've chosen to meet [data residency](../enterprise/o365-data-locations.md) requirements. There are many misconceptions about this capability. Keep the following in mind: +To [Multi-Geo](../enterprise/microsoft-365-multi-geo.md) or not to Multi-Geo. That is the question. 
With Microsoft 365 Multi-Geo, you can provision and store data at rest in the geo locations you choose to meet [data residency](../enterprise/o365-data-locations.md) requirements. There are many misconceptions about this capability. Keep the following points in mind: -- It doesn't to provide performance benefits. It could make performance worse if the [network design](https://aka.ms/office365networking) is not correct. Get devices "close" to the Microsoft network, not necessarily to your data.-- It's not a solution for [GDPR compliance](https://www.microsoft.com/trust-center/privacy/gdpr-overview). GDPR doesn't focus on data sovereignty or storage locations. There are other compliance frameworks for that.+- It doesn't to provide performance benefits. It could make performance worse if the [network design](https://aka.ms/office365networking) isn't correct. Get devices "close" to the Microsoft network, not necessarily to your data. +- It's not a solution for [GDPR compliance](https://www.microsoft.com/trust-center/privacy/gdpr-overview). GDPR doesn't focus on data sovereignty or storage locations. There are other compliance frameworks for data sovereignty or storage locations. - It doesn't solve delegation of administration (see below) or [information barriers](../compliance/information-barriers.md).-- It is not the same as multi-tenant and requires additional [user provisioning](/azure/active-directory/hybrid/how-to-connect-sync-feature-preferreddatalocation) workflows.+- It isn't the same as multi-tenant and requires more [user provisioning](/azure/active-directory/hybrid/how-to-connect-sync-feature-preferreddatalocation) workflows. - It doesn't [move your tenant](../enterprise/moving-data-to-new-datacenter-geos.md) (your Microsoft Entra ID) to another geography. ## Delegation of administration -In most large organizations, separation of duties and role-based access control (RBAC) is a necessary reality. I'm going to apologize ahead of time. 
This activity is not as simple as some customers want it to be. Customer, legal, compliance, and other requirements are different and sometimes conflicting around the world. Simplicity and flexibility are often on opposite sides of each other. Don't get me wrong, we can do a better job at this. There have been (and will be) significant improvements over time. Visit your local [Microsoft Technology Center](https://www.microsoft.com/mtc) to work out the model that fits your business requirements without reading 379230 docs! Here, I'll focus on what you should think about and not why it's this way. Below are five different areas to plan for and some of the common questions I've encountered. +In most large organizations, separation of duties and role-based access control (RBAC) is a necessary reality. I'm going to apologize ahead of time. This activity isn't as simple as some customers want it to be. Customer, legal, compliance, and other requirements are different and sometimes conflicting around the world. Simplicity and flexibility are often on opposite sides of each other. Don't get me wrong, we can do a better job at this goal. There have been (and will be) significant improvements over time. Visit your local [Microsoft Technology Center](https://www.microsoft.com/mtc) to work out the model that fits your business requirements without reading 379,230 docs! Here, I focus on what you should think about and not why it's this way. Coming up are five different areas to plan for and some of the common questions I encounter. <a name='azure-ad-and-microsoft-365-admin-centers'></a> ### Microsoft Entra ID and Microsoft 365 admin centers -There's a long and growing list of [built-in roles](/azure/active-directory/roles/permissions-reference). Each role consists of a list of role permissions grouped together to allow specific actions to be performed. You can see these permissions in the "Description" tab inside each role. 
Alternatively, you can see a more human readable version of these permissions in the Microsoft 365 Admin Center. The definitions for built-in roles cannot be modified. I generally, group these roles into three categories: +There's a long and growing list of [built-in roles](/azure/active-directory/roles/permissions-reference). Each role consists of a list of role permissions grouped together to allow specific actions to be performed. You can see these permissions in the "Description" tab inside each role. Alternatively, you can see a more human readable version of these permissions in the Microsoft 365 Admin Center. The definitions for built-in roles can't be modified. I generally, group these roles into three categories: - **Global administrator**: This "all powerful" role should be [highly protected](../enterprise/protect-your-global-administrator-accounts.md) just like you would in other systems. Typical recommendations include: no permanent assignment and use Microsoft Entra Privileged Identity Management (PIM); strong authentication; and so on. Interestingly, this role doesn't give you access to everything by default. Typically, I see confusion about compliance access and Azure access, discussed later. However, this role can always assign access to other services in the tenant. - **Specific service admins**: Some services (Exchange, SharePoint, Power BI, and so on) consume high-level administration roles from Microsoft Entra ID. This behavior isn't consistent across all services and there are more service-specific roles discussed later. It's not possible to delegate everything (although the gap is decreasing), which **Note**: The Microsoft 365 admin center has a more user-friendly interface but has subset of capabilities compared to the Microsoft Entra admin experience. Both portals use the same Microsoft Entra roles, so changes are occurring in the same place. 
Tip: if you want an identity-management focused admin UI without all the Azure clutter, use <https://aad.portal.azure.com>. -What's in the name? Don't make assumptions from the name of the role. Language is not a very precise tool. The goal should be to define operations that need to be delegated before looking at what roles are needed. Adding somebody to the "Security Reader" role doesn't make them see security settings across everything. +What's in the name? Don't make assumptions from the name of the role. Language isn't a precise tool. The goal should be to define operations that need to be delegated before looking at what roles are needed. Adding somebody to the "Security Reader" role doesn't make them see security settings across everything. -The ability to create [custom roles](/azure/active-directory/users-groups-roles/roles-custom-overview) is a common question. This capability is limited in Microsoft Entra today (see below) but will grow in capabilities over time. I think of these custom roles as applicable to functions in Microsoft Entra ID and may not span "down" the hierarchy model (discussed above). Whenever I deal with "custom," I tend to go back to my principal of "simple is better." +The ability to create [custom roles](/azure/active-directory/users-groups-roles/roles-custom-overview) is a common question. This capability is limited in Microsoft Entra today (as explained later), but will grow in capabilities over time. I think of these custom roles as applicable to functions in Microsoft Entra ID and might not span "down" the hierarchy model (as previously discussed). Whenever I deal with "custom," I tend to go back to my principal of "simple is better." -Another common question is ability to scope roles to a subset of a directory. One example is something like "Helpdesk Administrator for users in EU only." [Administrative Units](/azure/active-directory/users-groups-roles/directory-administrative-units) (AU) are intended to address this. 
Like above, I think of these scopes as applicable to functions in Microsoft Entra ID and may not span "down." Of course, certain roles don't make sense to scope (global admins, service admins, and so on). +Another common question is ability to scope roles to a subset of a directory. One example is something like "Helpdesk Administrator for users in EU only." [Administrative Units](/azure/active-directory/users-groups-roles/directory-administrative-units) are intended to address this scenario. As previously described, I think of these scopes as applicable to functions in Microsoft Entra ID and might not span "down." Certain roles don't make sense to scope (global admins, service admins, and so on). -Today, all these roles require direct membership (or dynamic assignment if you use [Microsoft Entra PIM](/azure/active-directory/privileged-identity-management/)). This means customers must manage these directly in Microsoft Entra ID, and these roles cannot be based on a security group membership. I'm not a fan of creating scripts to manage these roles as it would need to run with elevated rights. I generally recommend API integration with process systems like ServiceNow or using partner governance tools like Saviynt. There's engineering work going on to address this over time. +Today, all these roles require direct membership (or dynamic assignment if you use [Microsoft Entra PIM](/azure/active-directory/privileged-identity-management/)). This means customers must manage these role directly in Microsoft Entra ID, and these roles can't be based on a security group membership. I'm not a fan of creating scripts to manage these roles as it would need to run with elevated rights. I generally recommend API integration with process systems like ServiceNow or using partner governance tools like Saviynt. There's engineering work going on to address this issue over time. -I mentioned [Microsoft Entra PIM](/azure/active-directory/privileged-identity-management/) a few times. 
There's a corresponding Microsoft Identity Manager (MIM) [Privileged Access Management](/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services) (PAM) solution for on-premises controls. You might also want to look at [Privileged Access Workstations](/windows-server/identity/securing-privileged-access/privileged-access-workstations) (PAWs) and [Microsoft Entra ID Governance](/azure/active-directory/governance/identity-governance-overview). There are various third-party tools as well, which can enable just-in-time, just-enough, and dynamic role elevation. This capability is usually part of a larger discussion for securing an environment. +I mentioned [Microsoft Entra PIM](/azure/active-directory/privileged-identity-management/) a few times. There's a corresponding Microsoft Identity Manager (MIM) [Privileged Access Management](/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services) (PAM) solution for on-premises controls. You might also want to look at [Privileged Access Workstations](/security/privileged-access-workstations/privileged-access-devices) (PAWs) and [Microsoft Entra ID Governance](/azure/active-directory/governance/identity-governance-overview). There are various third-party tools as well, which can enable just-in-time, just-enough, and dynamic role elevation. This capability is usually part of a larger discussion for securing an environment. -Sometimes scenarios call for adding an external user to a role (see the multi-tenant section, above). This works just fine. [Microsoft Entra B2B](/azure/active-directory/b2b/) is another large and fun article to walk customers through, perhaps in another article. +Sometimes scenarios call for adding an external user to a role (see the previous multi-tenant section). This outcome works fine. [Microsoft Entra B2B](/azure/active-directory/b2b/) is another large and fun article to walk customers through, perhaps in another article. 
<a name='microsoft-365-defender-and-microsoft-365-purview-compliance-portals'></a> ### Microsoft Defender XDR and Microsoft 365 Purview compliance portals -**Email & Collaboration roles** in the [Microsoft Defender portal](../security/office-365-security/mdo-portal-permissions.md) and ***Role groups for Microsoft Purview solutions** in the [Microsoft 365 Purview compliance portal](../compliance/microsoft-365-compliance-center-permissions.md) are a collection of "role groups", which are separate and distinct from Microsoft Entra roles. This can be confusing because some of these role groups have the same name as Microsoft Entra roles (for example, Security Reader), yet they can have different membership. I prefer the use of Microsoft Entra roles. Each role group consists of one or more "roles" (see what I mean about reusing the same word?) and have members from Microsoft Entra ID, which are email enabled objects. Also, you can create a role group with the same name as a role, which may or may not contain that role (avoid this confusion). +**Email & Collaboration roles** in the [Microsoft Defender portal](../security/office-365-security/mdo-portal-permissions.md) and ***Role groups for Microsoft Purview solutions** in the [Microsoft 365 Purview compliance portal](../compliance/microsoft-365-compliance-center-permissions.md) are a collection of "role groups", which are separate and distinct from Microsoft Entra roles. This can be confusing because some of these role groups have the same name as Microsoft Entra roles (for example, Security Reader), yet they can have different membership. I prefer the use of Microsoft Entra roles. Each role group consists of one or more "roles" (see what I mean about reusing the same word?) and have members from Microsoft Entra ID, which are email enabled objects. Also, you can create a role group with the same name as a role, which might or might not contain that role (avoid this confusion). 
In a sense, these permissions are an evolution of the Exchange role groups model. However, Exchange Online has its own [role group management](/exchange/permissions-exo) interface. Some role groups in Exchange Online are locked and managed from Microsoft Entra ID or the Microsoft Defender XDR and Microsoft 365 Purview compliance portals, but others might have the same or similar names and are managed in Exchange Online (adding to the confusion). I recommend you avoid using the Exchange Online user interface unless you need scopes for Exchange management. -You can't create custom roles. Roles are defined by services created by Microsoft and will grow as new services are introduced. This behavior is similar in concept to [roles defined by applications](/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) in Microsoft Entra ID. When new services are enabled, often new role groups need to be created in order to grant or delegate access to these (for example, [insider risk management](../compliance/insider-risk-management-configure.md). +You can't create custom roles. Roles are defined by services created by Microsoft and continue to grow as new services are introduced. This behavior is similar in concept to [roles defined by applications](/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) in Microsoft Entra ID. When new services are enabled, often new role groups need to be created in order to grant or delegate access to these (for example, [insider risk management](../compliance/insider-risk-management-configure.md). -These role groups also require direct membership and cannot contain Microsoft Entra groups. Unfortunately, today these role groups aren't supported by Microsoft Entra PIM. Like Microsoft Entra roles, I tend to recommend management of these role groups through APIs or a partner governance product like Saviynt, or others. +These role groups also require direct membership and can't contain Microsoft Entra groups. 
Unfortunately, today these role groups aren't supported by Microsoft Entra PIM. Like Microsoft Entra roles, I tend to recommend management of these role groups through APIs or a partner governance product like Saviynt, or others. -Microsoft Defender portal and Microsoft 365 Purview compliance portal roles span Microsoft 365 and you can't scope these role groups to a subset of the environment (like you can with administrative units in Microsoft Entra ID). Many customers ask how they can subdelegate. For example, "create a DLP policy only for EU users." Today, if you have rights to a specific function in the Microsoft Defender XDR and Microsoft 365 Purview compliance portals, you have rights to everything covered by this function in the tenant. However, many policies have capabilities to target a subset of the environment (for example, "make these [labels](../compliance/create-sensitivity-labels.md#publish-sensitivity-labels-by-creating-a-label-policy) available only to these users"). Proper governance and communication are a key component to avoid conflicts. Some customers choose to implement a "configuration as code" approach to address subdelegation in the Microsoft Defender XDR and Microsoft 365 Purview compliance portals. Some specific services support subdelegation (see below). +Microsoft Defender portal and Microsoft 365 Purview compliance portal roles span Microsoft 365 and you can't scope these role groups to a subset of the environment (like you can with administrative units in Microsoft Entra ID). Many customers ask how they can subdelegate. For example, "create a DLP policy only for EU users." Today, if you have rights to a specific function in the Microsoft Defender XDR and Microsoft 365 Purview compliance portals, you have rights to everything covered by this function in the tenant. 
However, many policies have capabilities to target a subset of the environment (for example, "make these [labels](../compliance/create-sensitivity-labels.md#publish-sensitivity-labels-by-creating-a-label-policy) available only to these users"). Proper governance and communication are a key component to avoid conflicts. Some customers choose to implement a "configuration as code" approach to address subdelegation in the Microsoft Defender XDR and Microsoft 365 Purview compliance portals. Some specific services support subdelegation (see the next section). ### Service Specific -As stated earlier, many customers are looking to achieve a more granular delegation model. A common example: ΓÇ£Manage XYZ service only for Division X users and locationsΓÇ¥ (or some other dimension). The ability to do this depends on each service and is not consistent across services and capabilities. In-addition, each service may have a separate and unique RBAC model. Instead of discussing all of these models (it will take forever), I'm adding relevant links for each service. This list is not complete, but it will get you started. +As stated earlier, many customers are looking to achieve a more granular delegation model. A common example: "Manage XYZ service only for Division X users and locations" (or some other dimension). The ability to do this depends on each service and isn't consistent across services and capabilities. In-addition, each service might have a separate and unique RBAC model. Instead of discussing all of these models (which would take forever), I'm adding relevant links for each service. This list isn't complete, but it can get you started. 
- **Exchange Online** - (/exchange/permissions-exo/permissions-exo) - **SharePoint Online** - (/sharepoint/manage-site-collection-administrators) As stated earlier, many customers are looking to achieve a more granular delegat - **Multi-geo** - (../enterprise/add-a-sharepoint-geo-admin.md) - **Dynamics 365** ΓÇô (/dynamics365/) - Note: this link is to the root of documentation. There are multiple types of services with variations in the admin/delegation model. +> [!NOTE] +> This link is to the root of documentation. There are multiple types of services with variations in the admin/delegation model. - **Power Platform** - (/power-platform/admin/admin-documentation) - **Power Apps** - (/power-platform/admin/wp-security) - Note: there are multiple types with variations in the admin/delegation models. + > [!NOTE] + > there are multiple types with variations in the admin/delegation models. - **Power Automate** - (/power-automate/environments-overview-admin) - **Power BI** - (/power-bi/service-admin-governance) As stated earlier, many customers are looking to achieve a more granular delegat ### Activity Logs -Office 365 has a [unified audit log](../compliance/search-the-audit-log-in-security-and-compliance.md). It's a very [detailed log](/office/office-365-management-api/office-365-management-activity-api-schema), but don't read too much into the name. It may not contain everything you want or need for your security and compliance needs. Also, some customers are really interested in [Audit (Premium)](../compliance/advanced-audit.md). +Microsoft 365 has a [unified audit log](../compliance/search-the-audit-log-in-security-and-compliance.md). It's a very [detailed log](/office/office-365-management-api/office-365-management-activity-api-schema), but don't read too much into the name. It might not contain everything you want or need for your security and compliance needs. Also, some customers are very interested in [Audit (Premium)](../compliance/advanced-audit.md). 
Examples of Microsoft 365 logs that are accessed through other APIs include the following features: -- [Microsoft Entra ID](/azure/azure-monitor/platform/diagnostic-settings) (activities not related to Office 365)+- [Microsoft Entra ID](/azure/azure-monitor/platform/diagnostic-settings) (activities not related to Microsoft 365) - [Exchange Message Tracking](/powershell/module/exchange/get-messagetrace)-- Threat/UEBA Systems discussed above (for example, Microsoft Entra ID Protection, Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, and so on)+- Threat/UEBA Systems discussed previously (for example, Microsoft Entra ID Protection, Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, and so on) - [Microsoft Purview Information Protection](../compliance/data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/api-power-bi) - [Microsoft Graph](https://graph.microsoft.com) It's important to first identify all log sources needed for a security and compliance program. Also note that different logs have different on-line retention limits. -From the admin delegation perspective, most Microsoft 365 activity logs do not have a built-in RBAC model. If you have permission to see a log, then you can see everything in it. A common example of a customer requirement is: ΓÇ£I want to be able to query activity only for EU usersΓÇ¥ (or some other dimension). To achieve this requirement, we need to transfer logs to another service. In the Microsoft cloud, we recommend transferring it to either [Microsoft Sentinel](/azure/sentinel/overview) or [Log Analytics](/azure/azure-monitor/learn/quick-create-workspace). +From the admin delegation perspective, most Microsoft 365 activity logs don't have a built-in RBAC model. If you have permission to see a log, then you can see everything in it. 
A common example of a customer requirement is: "I want to be able to query activity only for EU users" (or some other dimension). To achieve this requirement, we need to transfer logs to another service. In the Microsoft cloud, we recommend transferring it to either [Microsoft Sentinel](/azure/sentinel/overview) or [Log Analytics](/azure/azure-monitor/learn/quick-create-workspace). High level diagram: ![diagram of log sources for a security and compliance program.](../media/solutions-architecture-center/identity-beyond-illustration-4.png) -The diagram above represents built-in capabilities to send logs to Event Hub and/or Azure Storage and/or Azure Log Analytics. Not all systems include this out-of-the-box yet. But there are other approaches to send these logs to the same repository. For example, see [Protecting your Teams with Microsoft Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/protecting-your-teams-with-azure-sentinel/ba-p/1265761). +The diagram represents built-in capabilities to send logs to Event Hubs and/or Azure Storage and/or Azure Log Analytics. Not all systems include this out-of-the-box yet. But there are other approaches to send these logs to the same repository. For example, see [Protecting your Teams with Microsoft Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/protecting-your-teams-with-azure-sentinel/ba-p/1265761). Combining all the logs into one storage location includes added benefit, such as cross-correlations, custom retention times, augmenting with data needed to support RBAC model, and so on. Once data is in this storage system, you can create a Power BI dashboard (or another type of visualization) with an appropriate RBAC model. -Logs do not have to be directed to one place only. 
It might also be beneficial to integrate [Office 365 Logs with Microsoft Defender for Cloud Apps](/cloud-app-security/connect-office-365-to-microsoft-cloud-app-security) or a custom RBAC model in [Power BI](../admin/usage-analytics/usage-analytics.md). Different repositories have different benefits and audiences. +Logs don't have to be directed to one place only. It might also be beneficial to integrate [Microsoft 365 Logs with Microsoft Defender for Cloud Apps](/cloud-app-security/connect-office-365-to-microsoft-cloud-app-security) or a custom RBAC model in [Power BI](../admin/usage-analytics/usage-analytics.md). Different repositories have different benefits and audiences. -It's worth mentioning that there's a very rich built-in analytics system for security, threats, vulnerabilities, and so on in a service called [Microsoft Defender XDR](../security/defender/microsoft-365-defender.md). +It's worth mentioning that there's a rich built-in analytics system for security, threats, vulnerabilities, and so on in a service called [Microsoft Defender XDR](../security/defender/microsoft-365-defender.md). -Many large customers want to transfer this log data to a third-party system (for example, SIEM). There are different approaches for this, but in-general [Azure Event Hub](/azure/azure-monitor/platform/stream-monitoring-data-event-hubs) and [Graph](/graph/security-integration) are good starting points. +Many large customers want to transfer this log data to a third-party system (for example, SIEM). There are different approaches for this result, but in-general [Azure Event Hubs](/azure/azure-monitor/platform/stream-monitoring-data-event-hubs) and [Graph](/graph/security-integration) are good starting points. ### Azure -I'm often asked if there's a way to separate high-privilege roles between Microsoft Entra ID, Azure, and SaaS (ex.: Global Administrator for Office 365 but not Azure). Not really. 
Multi-tenant architecture is needed if complete administrative separation is required, but that adds significant [complexity](https://aka.ms/multi-tenant-user) (see above). All these services are part of the same security/identity boundary (look at the hierarchy model above). +I'm often asked if there's a way to separate high-privilege roles between Microsoft Entra ID, Azure, and SaaS (ex.: Global Administrator for Microsoft 365 but not Azure). Not really. Multi-tenant architecture is needed if complete administrative separation is required, but that adds significant [complexity](https://aka.ms/multi-tenant-user) (as discussed earlier). All these services are part of the same security/identity boundary (as shown in the hierarchy model). -It's important to understand relationships between various services in the same tenant. I'm working with many customers that are building business solutions that span Azure, Office 365, and Power Platform (and often also on-premises and third-party cloud services). One common example: +It's important to understand relationships between various services in the same tenant. I'm working with many customers that are building business solutions that span Azure, Microsoft 365, and Power Platform (and often also on-premises and third-party cloud services). One common example: -1. I want to collaborate on a set of documents/images/etc (Office 365) +1. I want to collaborate on a set of documents/images/etc (Microsoft 365) 2. Send each one of them through an approval process (Power Platform) 3. After all components are approved, assemble these items into a unified deliverable(s) (Azure) [Microsoft Graph API](/azure/active-directory/develop/microsoft-graph-intro) is your best friend here. Not impossible, but significantly more complex to design a solution spanning [multiple tenants](/azure/active-directory/develop/single-and-multi-tenant-apps). -Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. 
Using RBAC, you can manage access to resources by granting users the fewest permissions needed to perform their jobs. Details are out of scope for this document, but for more information on RBAC, see [What is role-based access control (RBAC) in Azure?](/azure/role-based-access-control/overview) RBAC is important but only part of the governance considerations for Azure. [Cloud Adoption Framework](/azure/cloud-adoption-framework/govern/) is a great starting point to learn more. I like how my friend, [Andres Ravinet](https://www.linkedin.com/in/andres-ravinet/), walks customers step by step though various components to decide on the approach. High-level view for various elements (not as good as the process to get to actual customer model) is something like this: +Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can manage access to resources by granting users the fewest permissions needed to perform their jobs. Details are out of scope for this document, but for more information on RBAC, see [What is role-based access control (RBAC) in Azure?](/azure/role-based-access-control/overview) RBAC is important but only part of the governance considerations for Azure. [Cloud Adoption Framework](/azure/cloud-adoption-framework/govern/) is a great starting point to learn more. I like how my friend, [Andres Ravinet](https://www.linkedin.com/in/andres-ravinet/), walks customers step by step through various components to decide on the approach. High-level view for various elements (not as good as the process to get to actual customer model) is something like this: ![High-level view of Azure components for delegated administration.](../media/solutions-architecture-center/identity-beyond-illustration-5.png) As you can see from above picture, many other services should be considered as p ## Conclusion -Started as a short summary, ended-up longer than I expected. 
I hope you are now ready to venture into a deep see of creating delegation model for your organization. This conversation is very common with customers. There's no one model that works for everyone. Waiting for a few planned improvements from Microsoft engineering before documenting common patterns we see across customers. In the meantime, you can work with your Microsoft account team to arrange a visit to the nearest [Microsoft Technology Center](https://www.microsoft.com/mtc). See you there! +This article started as a short summary, ended-up longer than I expected. I hope you're now ready to venture into a deep see of creating delegation model for your organization. This conversation is very common with customers. There's no one model that works for everyone. Waiting for a few planned improvements from Microsoft engineering before documenting common patterns we see across customers. In the meantime, you can work with your Microsoft account team to arrange a visit to the nearest [Microsoft Technology Center](https://www.microsoft.com/mtc). See you there! |
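Review bot: "we can do a better job at this goal" in the rewritten opening paragraph of the RBAC section reads awkwardly; the original "we can do a better job at this" was fine, so suggest `Don't get me wrong, we can do a better job at this.`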
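Review bot: the stray comma in "I generally, group these roles into three categories:" is carried over unchanged into the new line of the built-in roles paragraph; drop it: `I generally group these roles into three categories:`.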
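Review bot: the direct-membership paragraph introduces a number-agreement error: "customers must manage these role directly in Microsoft Entra ID" should read "these roles directly" (the original "manage these directly" was correct). In the neighbouring custom-roles paragraph, "my principal of 'simple is better'" should be "principle"; it survives unchanged in the new line.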
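Review bot: unbalanced emphasis markers survive in the Defender XDR and Purview portals paragraph: `***Role groups for Microsoft Purview solutions**` opens with three asterisks and closes with two, which renders a stray asterisk. Change to `**Role groups for Microsoft Purview solutions**`.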
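Review bot: the parenthetical at the end of the "You can't create custom roles" paragraph is still missing its closing parenthesis: `(for example, [insider risk management](../compliance/insider-risk-management-configure.md).` should end with `).`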
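Review bot: the two new `[!NOTE]` blocks in the Service Specific list are inconsistent: the Dynamics 365 note is not indented under its list item while the Power Apps note is, and the Power Apps note body starts lowercase ("there are multiple types"). Indent both under their bullets and capitalize: `> There are multiple types with variations in the admin/delegation models.`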
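Review bot: the Conclusion still has "deep see" for "deep sea" and is missing an article in "creating delegation model", and the new opening "This article started as a short summary, ended-up longer than I expected." is a comma splice. Suggest `This article started as a short summary but ended up longer than I expected. I hope you're now ready to venture into the deep sea of creating a delegation model for your organization.`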
syntex | Difference Between Document Understanding And Form Processing Model | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/difference-between-document-understanding-and-form-processing-model.md | Use the following table to see differences in custom models to help identify the | Supported regions| Available in all regions. | Relies on Power Platform. For information about global availability for Power Platform and AI Builder, see [Power Platform availability](https://dynamics.microsoft.com/geographic-availability/). | Relies on Power Platform. For information about global availability for Power Platform and AI Builder, see [Power Platform availability](https://dynamics.microsoft.com/geographic-availability/). | | Transactional cost | Not applicable | For pay-as-you-go licensing, not applicable. <br>If you still have per-user licensing, uses AI Builder credits. 3,500 credits are included for each Syntex license per month. One million credits allow processing of 10,000 file pages. | For pay-as-you-go licensing, not applicable. <br>If you still have per-user licensing, uses AI Builder credits. 3,500 credits are included for each Syntex license per month. One million credits allow processing of 10,000 file pages.| | Capacity | No capacity restrictions. | Uses the default Power Platform environment (custom environments with Dataverse database supported). | Uses the default Power Platform environment (custom environments with Dataverse database supported). |-| Supported languages| Models work on all Latin alphabet languages. In addition to English: German, Swedish, French, Spanish, Italian, and Portuguese. | Current language support is for English. | Language support for [more than 100 languages](/ai-builder/form-processing-model-requirements#languages-supported). | +| Supported languages| Supports [more than 40 languages](/ai-builder/form-processing-model-requirements#model-for-unstructured-and-free-form-documents). 
| Supports [more than 40 languages](/ai-builder/form-processing-model-requirements#model-for-unstructured-and-free-form-documents). | Supports [more than 100 languages](/ai-builder/form-processing-model-requirements#model-for-structured-and-semi-structured-documents). | |
syntex | Image Tagging | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/image-tagging.md | +search.appverid: + - enabler-strategic - m365initiative-syntex ms.localizationpriority: medium If you don't have an **Image Tags** column in your library, use these steps to e 1. From the document library, select **Automate** > **Enable image tagger**. - ![Screenshot showing the Automate menu in a document library.](../media/content-understanding/image-tagger-automate-menu.png) + ![Screenshot showing the Automate menu in a document library.](../media/content-understanding/image-tagger-automate-menu.png) 2. Enhanced image tagging is then activated. Images uploaded are tagged with a set of descriptive keywords. The keywords are available in the **Image Tags** column that is added to the library view. - ![Screenshot showing the library view with the Image Tags column.](../media/content-understanding/image-tagger-image-tags-column.png) + ![Screenshot showing the library view with the Image Tags column.](../media/content-understanding/image-tagger-image-tags-column.png) 3. Once the **Image Tags** column is configured, you can upload images. The relevant tags are displayed in the library for each image. |
syntex | Model Types Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/model-types-overview.md | Use the unstructured document processing model to automatically classify documen For example, an unstructured document could be a contract renewal letter that can be written in different ways. However, information exists consistently in the body of each contract renewal document, such as the text string "Service start date of" followed by an actual date. -This model type supports the widest range of file types and only works on files using the Latin alphabet (English characters). +This model type supports the widest range of file types and supports [more than 40 languages](/ai-builder/form-processing-model-requirements#model-for-unstructured-and-free-form-documents). When you create an unstructured document processing model, use the **Teaching method** option. Freeform document processing models use Microsoft Power Apps [AI Builder](/ai-bu Because your organization receives letters and documents in large quantities from various sources, such as mail, fax, and email, processing these documents and manually entering them into a database can take a considerable amount of time. By using AI to extract the text and other information from these documents, this model automates this process. -This model type is the best option for English documents in PDF or image files when you don't require automatic classification of the type of document. +This model type is the best option for documents in PDF or image files when you don't require automatic classification of the type of document, and it supports [more than 40 languages](/ai-builder/form-processing-model-requirements#model-for-unstructured-and-free-form-documents). When you create a freeform document processing model, use the **Freeform selection method** option. 
Use the structured document processing model to automatically identify field and Structured document processing models use Microsoft Power Apps [AI Builder](/ai-builder/form-processing-model-overview) document processing (formerly known as form processing) to create and train models within Syntex. -This model type supports the widest range of languages and is trained to understand the layout of your form from example documents, and then learns to look for the data you need to extract from similar locations. Forms usually have a more structured layout where entities are in the same location (for example, a social security number on a tax form). +This model type supports the [widest range of languages](/ai-builder/form-processing-model-requirements#model-for-structured-and-semi-structured-documents) and is trained to understand the layout of your form from example documents, and then learns to look for the data you need to extract from similar locations. Forms usually have a more structured layout where entities are in the same location (for example, a social security number on a tax form). When you create a structured document processing model, use the **Layout method** option. |
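Review bot: "supports the widest range of file types and supports [more than 40 languages]" in the unstructured model paragraph repeats "supports"; suggest `supports the widest range of file types and works with [more than 40 languages](...)`.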
syntex | Requirements And Limitations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/requirements-and-limitations.md | Prebuilt models: | Icon | Description | | - | - | | ![Files symbol.](/office/medi, .msg, .pdf, .png, .ppt, .pptx, .rtf, .tif, .tiff, .txt, .xls, and .xlsx ( formulas in .xls and .xlsx files are not run).|-| ![Conversation symbol.](/office/media/icons/chat-room-conversation-blue.png) | **Supported languages** <br>This model supports any language that uses the Latin character set (for example, English, French, German, Italian, and Spanish). | +| ![Conversation symbol.](/office/media/icons/chat-room-conversation-blue.png) | **Supported languages** <br><br>This model supports the following languages: see [supported languages](/ai-builder/form-processing-model-requirements#model-for-unstructured-and-free-form-documents). | | ![Paragraph symbol.](/office/media/icons/paragraph-writing-blue.png) | **OCR considerations** <br>This model uses optical character recognition (OCR) technology to scan .pdf files, image files, and .tiff files. OCR processing works best on documents that meet the following requirements: <br> - File format of .jpg, .png, or .pdf (text or scanned). Text-embedded .pdf files are better, because there won't be any errors in character extraction and location. <br> - If your .pdf files are password-locked, you must remove the lock before submitting them. <br> - The combined file size of the documents used for training per collection must not exceed 50 MB, and PDF documents shouldn't have more than 500 pages. <br> - For images, dimensions must be between 50 x 50 and 10,000 x 10,000 pixels. Images that are very wide or have odd dimensions (for example, floor plans) might get truncated in the OCR process and lose accuracy. <br> - For .pdf files, dimensions must be at most 11 x 17 inches, corresponding to Legal or A3 paper sizes and smaller. 
<br> - If scanned from paper documents, scans should be high-quality images. <br> - Must use the Latin alphabet (English characters). <br> Note the following differences about Microsoft Office text-based files and OCR-scanned files (.pdf, image, or .tiff): <br> - All files: Truncated at 64,000 characters (in training and when run against files in a document library). <br> - OCR-scanned files: There's a 500-page limit. Only PDF and image file types are processed by OCR. | | ![Globe symbol.](/office/media/icons/globe-internet.png) | **Multi-Geo environments** <br>When setting up Syntex in a [Microsoft 365 Multi-Geo](/microsoft-365/enterprise/microsoft-365-multi-geo) environment, you can only configure it to use the model type in the central location. If you want to use this model type in a satellite location, contact Microsoft support. | | ![Objects symbol.](/office/media/icons/objects-blue.png) | **Multi-model libraries** <br>If two or more trained models are applied to the same library, the file is classified using the model that has the highest average confidence score. The extracted entities will be from the applied model only. | |
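Review bot: The **OCR considerations** cell of this same row still lists "Must use the Latin alphabet (English characters)" as a requirement, which now contradicts the updated **Supported languages** cell that points readers to the 40+ language list for unstructured and free-form documents; that bullet should be dropped or reworded in the same change so the two cells agree. Separately, the new wording "This model supports the following languages: see [supported languages](...)" promises a list that never follows; "For the list of supported languages, see [supported languages](...)" reads cleanly.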
topics | Topic Experiences Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/topics/topic-experiences-overview.md | + - essentials-navigation ms.localizationpriority: medium description: Learn about how to use Topics in your organization. |