Updates from: 01/04/2023 02:19:36
Category Microsoft Docs article Related commit history on GitHub Change details
admin Secure Your Business Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/secure-your-business-data.md
audience: Admin
Previously updated : 12/21/2022 Last updated : 01/03/2023 ms.localizationpriority: medium - highpri
search.appverid:
description: "Best practices to protect your small or medium sized business from ransomware, phishing, and malicious URLs or attachments."
-# Top 10 ways to secure your data - Best practices for small and medium sized businesses
+# Top 10 ways to secure your business data - Best practices for small and medium-sized businesses
**Applies to**
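Review bot: The `description` metadata above the retitled H1 still reads "small or medium sized business", while the new title hyphenates "medium-sized businesses". Update the description in the same change so the search snippet and the page title agree.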
description: "Best practices to protect your small or medium sized business from
- Microsoft 365 Business Standard - Microsoft 365 Business Premium
-> [!NOTE]
-> This article is designed for small and medium-sized businesses with up to 300 users. If you're an enterprise organization, see [Deploy ransomware protection for your Microsoft 365 tenant](../../solutions/ransomware-protection-microsoft-365.md).
+> [!TIP]
+> This article is designed for small and medium-sized businesses with up to 300 users. If you're looking for information for enterprise organizations, see [Deploy ransomware protection for your Microsoft 365 tenant](../../solutions/ransomware-protection-microsoft-365.md).
-Microsoft 365 for business plans include security capabilities, such as antiphishing, antispam, and antimalware protection. Microsoft 365 Business Premium includes even more capabilities, such as device security, advanced threat protection, and information protection. This article describes how to secure your data with Microsoft 365 for business. This article also includes a section where you can [compare capabilities across Microsoft 365 for business plans](#comparing-microsoft-365-for-business-plans).
+Microsoft 365 for business plans, such as Microsoft 365 Business Basic, Standard, and Premium, include security capabilities, such as antiphishing, antispam, and antimalware protection. Microsoft 365 Business Premium includes even more capabilities, such as device security, advanced threat protection, and information protection. This article describes how to secure your data with Microsoft 365 for business. This article also includes information to [compare capabilities across Microsoft 365 for business plans](#comparing-microsoft-365-for-business-plans).
:::image type="content" source="../../media/top-10-ways-secure-data.png" alt-text="Diagram listing top 10 ways to secure business data.":::
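Review bot: In the rewritten intro paragraph, "such as" now appears twice in one sentence ("plans, such as Microsoft 365 Business Basic, Standard, and Premium, include security capabilities, such as antiphishing"), so it is hard to see where the plan list ends and the capability list begins. Consider "Microsoft 365 Business Basic, Standard, and Premium all include security capabilities such as ...". Separately, the audience-scoping callout changed from NOTE to TIP; confirm that switch is intended, since the text states who the article is for rather than offering a tip.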
Microsoft 365 for business plans include security capabilities, such as antiphis
## Comparing Microsoft 365 for business plans
-Microsoft 365 for business plans include Microsoft Exchange, Microsoft Teams, SharePoint, and OneDrive for secure email, collaboration, and file storage. These plans also include baseline antiphishing, antimalware, and antispam protection. With Microsoft 365 Business Premium, you get more capabilities, such as device management, advanced threat protection, and information protection.
-
-The following table compares capabilities in Microsoft 365 for business plans.
+Microsoft 365 for business plans include Microsoft Exchange, Microsoft Teams, SharePoint, and OneDrive for secure email, collaboration, and file storage. These plans also include baseline antiphishing, antimalware, and antispam protection. With Microsoft 365 Business Premium, you get more capabilities, such as device management, advanced threat protection, and information protection. The following table compares capabilities in Microsoft 365 for business plans.
| Capability | [Microsoft 365 Business Basic](../setup/setup-business-basic.md) | [Microsoft 365 Business Standard](../setup/setup-business-standard.md) | [Microsoft 365 Business Premium](../../business-premium/index.md) | |:|:--:|:--:|:--:|
business-premium M365bp Map Protection Features To Intune Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-map-protection-features-to-intune-settings.md
Title: "How do protection features in Microsoft 365 Business Premium map to Intune settings"
+ Title: "How protection features in Microsoft 365 Business Premium map to Intune settings"
f1.keywords: - NOCSH
audience: Admin
Previously updated : 10/18/2022 Last updated : 01/03/2023 ms.localizationpriority: high - tier1
search.appverid:
description: "Learn how protection features in Microsoft 365 Business Premium map to Intune settings. The subscription provides you with a license to modify Intune settings."
-# How do protection features in Microsoft 365 Business Premium map to Intune settings
+# How protection features in Microsoft 365 Business Premium map to Intune settings
## Android and iOS application protection settings
commerce Tax Information https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/tax-information.md
Businesses in the following countries can provide their VAT number or local equi
When you buy Microsoft 365 services in the EMEA region, this purchase could be subject to Value-Added Tax (VAT). -- If you're located in a European Union Member State, Armenia, Belarus, Norway, Turkey, or United Arab Emirates, and you don't provide your valid local VAT ID, Microsoft Ireland Operations Ltd. will apply the current local VAT rate, based on the billing country your account is set to.
+- If you're located in a European Union Member State, Armenia, Belarus, Norway, Turkey, or United Arab Emirates, and you don't provide your valid local VAT ID, Microsoft Ireland Operations Ltd. will apply the current local VAT rate, based on the billing country or region your account is set to.
- If you're located in Liechtenstein, Russia, Serbia, South Africa, or Switzerland, the VAT is applied, whether you provide your VAT ID or not.
compliance Communication Compliance Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-plan.md
search.appverid:
Before getting started with [communication compliance](/microsoft-365/compliance/communication-compliance) in your organization, there are important planning activities and considerations that should be reviewed by your information technology and compliance management teams. Thoroughly understanding and planning for deployment in the following areas will help ensure that your implementation and use of communication compliance features goes smoothly and is aligned with the best practices for the solution.
+Watch the video below to learn how to fulfill regulatory compliance requirements with communication compliance:
+<br>
+<br>
+>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE5dQo1]
+ For more information and an overview of the planning process to address compliance and risky activities in your organization, see [Starting an insider risk management program](https://download.microsoft.com/download/b/2/0/b208282a-2482-4986-ba07-15a9b9286df0/pwc-starting-an-insider-risk-management-program-with-pwc-and-microsoft.pdf). You can also check out the [Microsoft Mechanics video](https://www.youtube.com/watch?v=Ynkfu8OF0wQ) for how insider risk management and communication compliance work together to help minimize data risks from users in your organization.
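Review bot: The video embed is spaced with two raw `<br>` lines and introduced with "Watch the video below", and the identical block is added again in communication-compliance.md. Use blank lines instead of `<br>`, drop the positional "below", and consider moving the embed into a shared include so the two articles cannot drift apart.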
compliance Communication Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance.md
Additionally, there may be a separation of duties between your IT admins and you
For more information and an overview of the planning process to address compliance and risky activities in your organization, see [Starting an insider risk management program](https://download.microsoft.com/download/b/2/0/b208282a-2482-4986-ba07-15a9b9286df0/pwc-starting-an-insider-risk-management-program-with-pwc-and-microsoft.pdf).
-For the latest Ignite videos for communication compliance, see the following:
--- [Foster a culture of safety and inclusion with communication compliance](https://www.youtube.com/watch?v=oLVzxcaef3w)-- [Learn how to reduce communication risks within your organization](https://www.youtube.com/watch?v=vzARb1YaxGo)-- [Fulfill regulatory compliance requirements with communication compliance](https://www.youtube.com/watch?v=gagOhtCBfgU)-- [Better with Microsoft Teams - Learn more about the latest native Teams integrated features in communication compliance](https://www.youtube.com/watch?v=m4jukD5Fh-o)-
-For a quick overview of communication compliance, see the [Detect workplace harassment and respond with Communication Compliance](https://youtu.be/z33ji7a7Zho) video on the [Microsoft Mechanics channel](https://www.youtube.com/user/OfficeGarageSeries).
-
-Check out how [TD Securities is using communication compliance](https://customers.microsoft.com/story/1391545301764211731-td-securities-banking-capital-markets-compliance) to address their regulatory obligations and meet their security and stability needs.
-
-Check out the [Microsoft Mechanics video](https://www.youtube.com/watch?v=Ynkfu8OF0wQ) on how insider risk management and communication compliance work together to help minimize data risks from users in your organization.
-
-To keep up with the latest communication compliance updates, select **What's new** in [communication compliance](https://compliance.microsoft.com/) for your organization.
+Watch the video below to learn how to fulfill regulatory compliance requirements with communication compliance:
+<br>
+<br>
+>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE5dQo1]
> [!IMPORTANT] > Communication compliance is currently available in tenants hosted in geographical regions and countries supported by Azure service dependencies. To verify that communication compliance is supported for your organization, see [Azure dependency availability by country/region](/troubleshoot/azure/general/dependency-availability-by-country).
Keeping track and mitigating compliance issues identified by communication compl
- For planning information, see [Plan for communication compliance](/microsoft-365/compliance/communication-compliance-plan). - Check out the [case study for Contoso](/microsoft-365/compliance/communication-compliance-case-study) and see how they quickly configured a communication compliance policy to detect potentially inappropriate content in Microsoft Teams, Exchange Online, and Yammer communications. - To configure communication compliance for your Microsoft 365 organization, see [Configure communication compliance](/microsoft-365/compliance/communication-compliance-configure).+
+## More resources
+
+For the latest Ignite videos for communication compliance, see the following:
+
+- [Foster a culture of safety and inclusion with communication compliance](https://www.youtube.com/watch?v=oLVzxcaef3w)
+- [Learn how to reduce communication risks within your organization](https://www.youtube.com/watch?v=vzARb1YaxGo)
+- [Better with Microsoft Teams - Learn more about the latest native Teams integrated features in communication compliance](https://www.youtube.com/watch?v=m4jukD5Fh-o)
+
+For a quick overview of communication compliance, see the [Detect workplace harassment and respond with Communication Compliance](https://youtu.be/z33ji7a7Zho) video on the [Microsoft Mechanics channel](https://www.youtube.com/user/OfficeGarageSeries).
+
+Check out how [TD Securities is using communication compliance](https://customers.microsoft.com/story/1391545301764211731-td-securities-banking-capital-markets-compliance) to address their regulatory obligations and meet their security and stability needs.
+
+Check out the [Microsoft Mechanics video](https://www.youtube.com/watch?v=Ynkfu8OF0wQ) on how insider risk management and communication compliance work together to help minimize data risks from users in your organization.
+
+To keep up with the latest communication compliance updates, select **What's new** in [communication compliance](https://compliance.microsoft.com/) for your organization.
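Review bot: The relocated Ignite list under "More resources" has three entries where the removed list had four: "Fulfill regulatory compliance requirements with communication compliance" (youtube.com/watch?v=gagOhtCBfgU) is gone. If the newly embedded video RE5dQo1 is the same session, say so in the commit description; otherwise restore the link.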
compliance Create And Manage Inactive Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-and-manage-inactive-mailboxes.md
For step-by-step procedures, see [Restore an inactive mailbox](restore-an-inacti
## Delete an inactive mailbox
-If you no longer need to retain the contents of an inactive mailbox, you can permanently delete the inactive mailbox by removing the hold applied to the inactive mailbox.
-The mailbox will be retained for 183 days after you remove the hold or retention policy and be recoverable during that time. After 183 days, the mailbox will be marked for permanent deletion, and the mailbox will become non-recoverable.
+If you no longer need to retain the contents of an inactive mailbox, you can permanently delete the inactive mailbox by removing the hold applied to the inactive mailbox.
-For step-by-step procedures for removing a hold or a retention policy to permanently delete an inactive mailbox, see [Delete an inactive mailbox](delete-an-inactive-mailbox.md).
+For more details and step-by-step procedures, see [Delete an inactive mailbox](delete-an-inactive-mailbox.md).
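Review bot: The removed paragraph was the only place in this section that stated the 183-day window during which the mailbox stays recoverable after the hold or retention policy is removed. Without it, "permanently delete the inactive mailbox by removing the hold" reads as immediate and irreversible. Keep a one-sentence summary of the recovery window here, or confirm that delete-an-inactive-mailbox.md states it.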
compliance Ediscovery Configure Edge To Export Search Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-configure-edge-to-export-search-results.md
Title: "Use the eDiscovery Export Tool in Microsoft Edge"
-description: "You have to enable SelectOnce support to use the newest version of Microsoft Edge to download search results from Content Search and eDiscovery in the security and compliance portal."
+description: "You have to enable ClickOnce support to use the newest version of Microsoft Edge to download search results from Content Search and eDiscovery in the security and compliance portal."
f1.keywords: - NOCSH
search.appverid:
# Use the eDiscovery Export Tool in Microsoft Edge
-As a result of recent changes to the newest version of Microsoft Edge, SelectOnce support is no longer enabled by default. To continue using the eDiscovery Export Tool to download Content Search or eDiscovery search results, you either need to use [Microsoft Internet Explorer](https://support.microsoft.com/help/17621/internet-explorer-downloads) or enable SelectOnce support in the newest version of Microsoft Edge.
+As a result of recent changes to the newest version of Microsoft Edge, ClickOnce support is no longer enabled by default. To continue using the eDiscovery Export Tool to download Content Search or eDiscovery search results, you either need to use [Microsoft Internet Explorer](https://support.microsoft.com/help/17621/internet-explorer-downloads) or enable ClickOnce support in the newest version of Microsoft Edge.
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
-## Enable SelectOnce support in Microsoft Edge
+## Enable ClickOnce support in Microsoft Edge
-1. In Microsoft Edge, go to **edge://flags/#edge-select-once**.
+1. In Microsoft Edge, go to **edge://flags/#edge-click-once**.
2. If the existing value is set to **Default** or **Disabled** in the dropdown list, change it to **Enabled**.+
+ ![Select Enabled from dropdown list.](../media/ClickOnceimage1.png)
+ 3. Scroll down to the bottom of the browser window and select **Restart** to restart Microsoft Edge.
+ ![Select Restart.](../media/ClickOnceimage2.png)
+ > [!NOTE]
-> Organizations can use Group Policy to disable SelectOnce support. To check if there's an organizational policy for SelectOnce support, go to **edge://policy**. The following screenshot shows that SelectOnce is enabled across the entire organization. If this policy value is set to **false**, you'll need to contact an admin in your organization.
+> Organizations can use Group Policy to disable ClickOnce support. To check if there's an organizational policy for ClickOnce support, go to **edge://policy**. The following screenshot shows that ClickOnce is enabled across the entire organization. If this policy value is set to **false**, you'll need to contact an admin in your organization.
+
+![List of Edge organizational policies.](../media/ClickOnceimage3.png)
## Install and run the eDiscovery Export Tool 1. Select **Download results** on the flyout page of an export in Content Search or an eDiscovery case.
-2. You'll be prompted with a confirmation to launch the tool, select **Open**. If the eDiscovery Export Tool isn't installed, you'll be prompted with a Security Warning,
-3. Select **Install**. After it's installed, the export tool will launch automatically.
+
+ ![Select Download results on the flyout page to download search results.](../media/ClickOnceExport1.png)
+
+1. You'll be prompted with a confirmation to launch the tool, select **Open**. If the eDiscovery Export Tool isn't installed, you'll be prompted with a Security Warning.
+
+ ![Select Open to launch the eDiscovery Export Tool.](../media/ClickOnceimage4.png)
+
+1. Select **Install**. After it's installed, the export tool will launch automatically.
For more information, see the following articles:
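Review bot: The Group Policy note tells readers to look in edge://policy and then relies on the screenshot (ClickOnceimage3.png) to show which entry matters; the policy is never named in the text. Name the policy in the note so the check works for screen-reader users and survives a UI change. In the install steps, "You'll be prompted with a confirmation to launch the tool, select **Open**" is still a comma splice, and this list is numbered 1./1./1. while the enable steps use 1./2./3.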
compliance Ediscovery Decryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-decryption.md
The following table identifies the supported tasks that can be performed in Micr
|Export encrypted documents in SharePoint and OneDrive |No |No |Yes | |||||
+## Supported decryption
+
+The following table describes the decryption supported by eDiscovery (Standard) and eDiscovery (Premium) for email, email with attachments, and files hosted by SharePoint.
+
+| **Item type** | **Task** | **eDiscovery (Standard)** | **eDiscovery (Premium)** |
+|:--|:|:--|:-|
+| Encrypted email | Search | Yes | Yes |
+| Encrypted email | Decryption to .pst | No | Yes |
+| Encrypted email | Decryption to file | Yes | Yes |
+| Encrypted mail and attachment | Search | No | Yes (with advanced indexing)<sup>1</sup> |
+| Encrypted mail and attachment | Decryption to .pst | No | Yes |
+| Encrypted mail and attachment | Decryption to file | Yes | Yes |
+| File in SharePoint with MIP label | Search | Yes | Yes |
+| File in SharePoint with MIP label | Decryption | No | Yes |
+| File in SharePoint with other encryption<sup>2</sup> | Search, Decryption | No | No |
+|||||
+ ## Decryption limitations with sensitivity labels in SharePoint and OneDrive eDiscovery doesn't support encrypted files in SharePoint and OneDrive when a sensitivity label that applied the encryption is configured with either of the following settings:
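Review bot: The new "Supported decryption" table carries footnote markers <sup>1</sup> (on "with advanced indexing") and <sup>2</sup> (on "other encryption"), but no footnote text follows the table before the next heading. Add both footnotes directly under the table. Its SharePoint rows also overlap with the existing table's "Export encrypted documents in SharePoint and OneDrive" row, so check that the two tables cannot be read as contradicting each other.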
compliance Office 365 Bitlocker And Distributed Key Manager For Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/office-365-bitlocker-and-distributed-key-manager-for-encryption.md
The following table describes the BitLocker key protection chain for a given ser
| AES 256-bit External Key | Per Server | BitLocker APIs | TPM or Secret Safe | Lockbox / Access Control | | | | | Mailbox Server Registry | TPM encrypted | | 48-digit Numerical Password | Per Disk | BitLocker APIs | Active Directory | Lockbox / Access Control |
-| X.509 Certificate as Data Recovery Agent (DRA) also called Public Key Protector | Environment (e.g., Exchange Online multitenant) | Microsoft CA | Build System | No one user has the full password to the private key. The password is under physical protection. |
-
+| X.509 Certificate as Data Recovery Agent (DRA) also called Public Key Protector | Environment (for example, Exchange Online multitenant) | Microsoft CA | Build System | No one user has the full password to the private key. The password is under physical protection. |
BitLocker key management involves the management of recovery keys that are used to unlock/recover encrypted disks in a Microsoft datacenter. Microsoft 365 stores the master keys in a secured share, only accessible by individuals who have been screened and approved. The credentials for the keys are stored in a secured repository for access control data (what we call a "secret store"), which requires a high level of elevation and management approvals to access using a just-in-time access elevation tool. BitLocker supports keys which fall into two management categories: -- BitLocker-managed keys, which are generally short-lived and tied to the lifetime of an operating system instance installed on a server or to a given disk. These keys are deleted and reset during server reinstallation or disk formatting.
+- BitLocker-managed keys, which are short-lived and tied to the lifetime of an operating system instance installed on a server or to a given disk. These keys are deleted and reset during server reinstallation or disk formatting.
- BitLocker recovery keys, which are managed outside of BitLocker but used for disk decryption. BitLocker uses recovery keys for the scenario in which an operating system is reinstalled, and encrypted data disks already exist. Recovery keys are also used by Managed Availability monitoring probes in Exchange Online where a responder may need to unlock a disk.
-BitLocker-protected volumes are encrypted with a full volume encryption key, which in turn is encrypted with a volume master key. BitLocker uses FIPS-compliant algorithms to ensure that encryption keys are never stored or sent over the wire in the clear. The Microsoft 365 implementation of customer data-at-rest-protection does not deviate from the default BitLocker implementation.
+BitLocker-protected volumes are encrypted with a full volume encryption key, which in turn is encrypted with a volume master key. BitLocker uses FIPS-compliant algorithms to ensure that encryption keys are never stored or sent over the wire in the clear. The Microsoft 365 implementation of customer data-at-rest-protection doesn't deviate from the default BitLocker implementation.
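Review bot: Dropping "generally" from "BitLocker-managed keys, which are generally short-lived" turns a hedged description into an absolute statement about key lifetime. If any BitLocker-managed key can outlive a reinstall or reformat cycle, keep the qualifier; otherwise confirm with the service owners that the stronger claim holds. The "e.g." to "for example" and "does not" to "doesn't" changes are style-only.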
compliance Sensitivity Labels Meetings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-meetings.md
Other label policy settings that are specific just to calendar items, Teams meet
The label setting to prevent copying chat to the clipboard is enforced for all channel chats, even outside channel meetings. For non-channel meetings, it's enforced only for meetings.
-Currently, this setting isn't supported for users outside your organization, which includes anonymous users and external users. For meetings, it's also not supported for users who join the chat but weren't invited to the meeting.
+Currently, this setting isn't supported for users outside your organization, which includes anonymous users and external users. It is supported for guest user accounts in your tenant. For meetings, it's also not supported for users who join the chat but weren't invited to the meeting.
The methods supported to prevent copying chat: Select the text and then right-click \> **Copy** or Ctrl+C. Copying using developer tools or third-party apps won't be prevented.
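Review bot: The inserted sentence "It is supported for guest user accounts in your tenant." sits between two "not supported" statements, so the "it's also not supported" that follows no longer has a clear antecedent. Readers may also not distinguish "external users" from "guest user accounts". Because this setting decides who can copy chat content, state the cases (anonymous, external, guest, uninvited chat participants) explicitly, for example as a short list.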
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
### Compliance Manager -- [Compliance Manager templates list](compliance-manager-templates-list.md) - added new premium template in the Asia-Pacific countries category for "Hong Kong - Code of Banking Practice and Payment Card".
+- [Compliance Manager templates list](compliance-manager-templates-list.md) - added new premium template in the Asia-Pacific country/region category for "Hong Kong - Code of Banking Practice and Payment Card".
### Compliance offerings & service assurance
contentunderstanding Syntex Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/syntex-overview.md
This feature is useful when you have a specific piece of information you want to
For more information, see [Search for metadata in document libraries in Microsoft Syntex](metadata-search.md).
->
- ## Content compliance :::row:::
enterprise M365 Dr Workload Spo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/m365-dr-workload-spo.md
Each user, Group mailbox, and SharePoint site have a Preferred Data Location (PD
Users get a seamless experience when using Microsoft 365 services, including Office applications, OneDrive, and Search. See User experience in a Multi-Geo environment for details.
+>[!NOTE]
+>Once your tenant has enabled the Multi-Geo add-on, changing the default location for the tenant is not supported. This applies even for the [Data Residency Legacy Move Program](/microsoft-365/enterprise/m365-dr-legacy-move-program) and the Advanced Data Residency add-on.
+ ### **OneDrive** Each user's OneDrive can be provisioned in or moved by an administrator to a _Satellite Geography_ location in accordance with the user's PDL. Personal files are then kept in that _Satellite Geography_ location, though they can be shared with users in other _Macro Region Geography_ or _Local Region Geography_ locations.
OneNote win32 client and UWP (Universal) App will automatically detect and seaml
#### **Teams (applicable to Microsoft 365 group connected sites)** When the SharePoint site _Geography_ move completes, users will have access to their Microsoft 365 group site files on the Teams app. Additionally, files shared via Teams chat from their site prior to _Geography_ move will continue to work after move is complete.
-SharePoint site _Geography_ move does not support moving Private Channels from one _Geography_ to another. Private channels remain in the original _Geography_.
+SharePoint site _Geography_ move does not support moving sites backing Private and Shared Channels from one _Geography_ to another, when using the `Start-SPOUnifiedGroupMove` command. Sites backing Private and Shared Channels remain in the original _Geography_. To move those sites individually, admins can initiate direct moves using the `Start-SPOSiteContentMove` command.
#### **SharePoint Mobile App (iOS/Android)** The SharePoint Mobile App is cross _Geography_ compatible and able to detect the site's new _Geography_ location.
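Review bot: In the rewritten Teams sentence, the comma before "when using the `Start-SPOUnifiedGroupMove` command" makes it unclear whether the limitation applies only to that command, and neither cmdlet is linked to its reference page. Rephrase along the lines of "`Start-SPOUnifiedGroupMove` doesn't move sites backing Private and Shared Channels" and link both cmdlets. The new Multi-Geo note also uses "is not supported" where other changes in this batch switch to contractions.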
enterprise M365 Personnel Location https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/personnel-loc/m365-personnel-location.md
+
+ Title: Locations of Microsoft Online Services Personnel with Remote Access to Data
+description: Learn about locations of Microsoft Online services personnel with remote access to data
+++++
+f1.keywords:
+- NOCSH
++
+- it-pro
+++
+<!
+IMPORTANT!
+The content in this topic is CELA-reviewed and affects Microsoft legal obligations. Do not edit or republish this article without express approval from the E+D Subprocessor Governance team (EDSUBGOV@microsoft.com).
+-->
+
+# Locations of Microsoft Online Services Personnel with Remote Access to Data
+
+When you use Microsoft Online Services, personnel with specialized technical expertise operate, deliver, and maintain the Online Services. These personnel are part of our global workforce, which is made up of both employees of Microsoft and its subsidiaries and staff we obtain via contract with third party organizations to assist Microsoft employees. These third-party organizations are disclosed on our published Online Services subprocessor list at [https://aka.ms/subprocessor](https://aka.ms/subprocessor) and the staff augmentation resources they provide are referred to as "contract staff".
+
+The following tables include the locations of these Microsoft personnel and contract staff who may require limited remote access to Customer or Personal Data (consisting of pseudonymized personal identifiers). This data resides only on Microsoft systems and is subject to Microsoft policies and supervision. The location of the Customer and Personal Data is distinct from its remote access by personnel in other locations; this data remains within Microsoft datacenter infrastructure in the locations you select when deploying your Online Services (when regional selection is available). For more information on Microsoft datacenters, please see the [Azure global infrastructure site](https://azure.microsoft.com/global-infrastructure/).
+
+Remote access to data by Microsoft personnel, including contract staff, is limited and controlled. Microsoft employs the least privileged access mechanisms to control access to Customer Data and Personal Data. Role-based access controls are employed to ensure that access to Customer Data and Personal Data required for service operations is for an appropriate purpose and approved with management oversight. Personnel also undergo background checks and use multi-factor authentication as part of Microsoft standard business requirements, and access to Customer and Personal Data is logged and monitored by Microsoft.
+
+For more information on remote access to data by personnel, see [Continuing data transfers that apply to all EU Data Boundary services](/privacy/eudb/eu-data-boundary-transfers-for-all-services).
+
+| Microsoft Subsidiary <br>Personnel Locations ||||
+|||||
+| Albania | Egypt | Latvia | Qatar |
+| Algeria | El Salvador | Lebanon | Romania |
+| Angola | Estonia | Lithuania | Saudi Arabia |
+| Argentina | Finland | Luxembourg | Senegal |
+| Armenia | France | Macao SAR | Serbia |
+| Australia | Georgia | Madagascar | Singapore |
+| Austria | Germany | Malaysia | Slovakia |
+| Azerbaijan | Ghana | Malta | Slovenia |
+| Bahrain | Greece | Mauritius | South Africa |
+| Bangladesh | Guatemala | Mexico | Spain |
+| Belgium | Honduras | Montenegro | Sri Lanka |
+| Bolivia | Hong Kong SAR | Morocco | Sweden |
+| Bosnia and Herzegovina | Hungary | Namibia | Switzerland |
+| Brazil | Iceland | Netherlands | Taiwan |
+| Bulgaria | India | New Zealand | Tajikistan |
+| Canada | Indonesia | Nigeria | Thailand |
+| Chile | Ireland | North Macedonia | Trinidad and Tobago |
+| China | Israel | Norway | Tunisia |
+| Colombia | Italy | Oman | Turkey |
+| Costa Rica | Jamaica | Pakistan | Ukraine |
+| C├┤te d'Ivoire | Japan | Palestinian Authority | United Arab Emirates |
+| Croatia | Jordan | Panama | United Kingdom |
+| Cyprus | Kazakhstan | Paraguay | United States |
+| Czech Republic | Kenya | Peru | Uruguay |
+| Denmark | South Korea | Philippines | Vietnam |
+| Dominican Republic | Kuwait | Poland | |
+| Ecuador | Kyrgyzstan | Portugal | |
+
+| Contract Staff <br>Personnel Locations ||||
+|||||
+| Argentina | Egypt | Japan | Serbia |
+| Armenia | El Salvador | Korea | Singapore |
+| Australia | Finland | Malaysia | South Africa |
+| Austria | France | Mexico | Spain |
+| Belgium | Georgia | Netherlands | Sweden |
+| Bolivia | Germany | New Zealand | Switzerland |
+| Brazil | Ghana | Norway | Taiwan |
+| Bulgaria | Guatemala | Panama | Trinidad and Tobago |
+| Canada | Honduras | Paraguay | Turkey |
+| China | Hong Kong SAR | Peru | United Kingdom |
+| Costa Rica | Hungary | Philippines | United States |
+| Czech Republic | India | Poland | Uruguay |
+| Denmark | Ireland | Portugal | |
+| Dominican Republic | Italy | Qatar | |
+| Ecuador | Jamaica | Romania | |
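Review bot: In the Microsoft subsidiary table, one row reads "C├┤te d'Ivoire", which looks like a mis-encoded "Côte d'Ivoire"; check that the file is saved as UTF-8. The two tables also name the same place differently ("South Korea" in the first, "Korea" in the second), and "South Korea" is sorted among the K entries. In the body, "least privileged access mechanisms" should read "least-privilege access mechanisms". Finally, the internal CELA notice opens with `<!` but closes with `-->`; if that is how the source file reads, the notice and the EDSUBGOV address will render on the public page.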
frontline Flw Setup Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-setup-microsoft-365.md
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 12/05/2022 Last updated : 1/03/2023 # Set up Microsoft 365 for frontline workers
Use this table to validate your HR-driven user provisioning.
Configuring groups in Azure AD allows you to create and manage policies and license assignments at scale. -- **Assign a unique attribute to frontline workers:** The ability to identify all frontline workers is useful when applying groups to the frontline workforce or for validating that integrations between Azure AD and HR systems are functioning properly. Organizations frequently use the Job ID attribute for this purpose.
+- **Assign a unique attribute to frontline workers:** The ability to identify all frontline workers is useful when applying groups to the frontline workforce or for validating that integrations between Azure AD and HR systems are functioning properly. Organizations frequently use the Job ID attribute for this purpose. Depending on your organization's structure, you may also need [custom security attributes](/azure/active-directory/fundamentals/custom-security-attributes-overview) or [directory extension attributes](/azure/active-directory/develop/active-directory-schema-extensions).
- **Create Azure AD groups and assign frontline users:** With Azure AD groups, you can grant access and permissions to a group of users instead of for each individual user. Groups are used to manage users that all need the same access and permissions to resources, such as potentially restricted apps and services. Instead of adding special permissions to individual users, you create a group that applies the special permissions to every member of that group. The table below includes recommendations for applying groups in frontline implementations. For more information on group types, membership types, and assignment, see the [Azure AD documentation for groups and membership](/azure/active-directory/fundamentals/concept-learn-about-groups?context=%2Fazure%2Factive-directory%2Fenterprise-users%2Fcontext%2Fugr-context) and [managing groups](/azure/active-directory/fundamentals/how-to-manage-groups). For more information on security group limits and other Azure AD service limits, see [Azure Active Directory Service limits and restrictions](/azure/active-directory/enterprise-users/directory-service-limits-restrictions).
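Review bot: The sentence added to the "Assign a unique attribute" bullet says custom security attributes or directory extension attributes may be needed "depending on your organization's structure", but it does not say which structures call for which option. Add a clause that distinguishes the two cases. Because the attribute identifies who counts as a frontline worker for group assignment, it would also help to state who is expected to set and maintain it.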
The table below includes recommendations for applying groups in frontline implem
|Create an email alias or team in Microsoft Teams and manage membership automatically. |Microsoft 365 groups, dynamic user | |Use [My Staff](/azure/active-directory/roles/my-staff-configure) to delegate permissions to frontline managers to view employee profiles, change phone numbers, and reset passwords. |[Administrative Unit](/azure/active-directory/roles/administrative-units) |
+[Learn more about the different types of groups you can create in the Microsoft 365 admin center](/microsoft-365/admin/create-groups/compare-groups).
+ ### Assign frontline licenses You can add licenses to individual users or to groups of users in Azure AD. Group assignment is the most scalable way to assign licenses to your frontline workers. You can assign one or more product licenses to a group. [Learn more about group-based licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) and [assigning licenses to groups](/azure/active-directory/enterprise-users/licensing-groups-assign).
+You may need to [unassign licenses](/microsoft-365/admin/manage/remove-licenses-from-users) if you're changing some users from E to F licenses. [Learn more about how to switch specific users from E to F licenses](switch-from-enterprise-to-frontline.md#switch-users-to-a-microsoft-365-f-plan).
+ ## Step 4: Configure device enrollment Registering devices in Azure AD creates a unique identity that can be used to secure and manage devices. [Learn more about Azure AD device identity](/azure/active-directory/devices/).
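Review bot: In the added paragraph under "Assign frontline licenses", "E to F licenses" is used twice without being spelled out. Expand it on first use, matching the wording of the linked anchor (`switch-users-to-a-microsoft-365-f-plan`). Also say whether the unassign step must happen before the group-based assignment described just above, since the order is not stated.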
includes Office 365 Operated By 21Vianet Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-operated-by-21vianet-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.-->
-<!--China endpoints version 2022103100-->
-<!--File generated 2022-10-31 14:00:04.4126-->
+<!--China endpoints version 2023010300-->
+<!--File generated 2023-01-03 08:00:07.4128-->
## Exchange Online
ID | Category | ER | Addresses | Ports
## Skype for Business Online and Microsoft Teams ID | Category | ER | Addresses | Ports | -- | -- | -- | -
-3 | Optimize<BR>Required | No | `*.partner.lync.cn`<BR>`42.159.34.32/27, 42.159.34.64/27, 42.159.34.96/28, 42.159.162.32/27, 42.159.162.64/27, 42.159.162.96/28` | **TCP:** 443, 80
+-- | -- | -- | -- | -
+3 | Optimize<BR>Required | No | `42.159.34.32/27, 42.159.34.64/27, 42.159.34.96/28, 42.159.162.32/27, 42.159.162.64/27, 42.159.162.96/28, 159.27.160.0/21` | **UDP:** 3479, 3480, 3481, 3478
+19 | Allow<BR>Required | No | `*.partner.lync.cn, *.teams.microsoftonline.cn`<BR>`40.72.124.128/28, 42.159.34.32/27, 42.159.34.64/27, 42.159.34.96/28, 42.159.162.32/27, 42.159.162.64/27, 42.159.162.96/28, 159.27.160.0/21` | **TCP:** 443, 80
## Microsoft 365 Common and Office Online
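Review bot: Row ID 3 keeps its number but changes meaning. It was `*.partner.lync.cn` plus six ranges on TCP 443, 80, and it is now IP ranges only on UDP 3479, 3480, 3481, 3478. The FQDN and the TCP ports move to the new row 19, whose category is Allow rather than Optimize. Any firewall or proxy rule keyed to ID 3 will silently stop covering TCP 443 for `*.partner.lync.cn`, so the renumbering and the category change deserve an explicit change note. The new range `159.27.160.0/21` and the new FQDN `*.teams.microsoftonline.cn` should be called out as additions. The UDP ports are listed out of order (3478 last).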
includes Office 365 U.S. Government Dod Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-u.s.-government-dod-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.-->
-<!--USGovDoD endpoints version 2022092900-->
-<!--File generated 2022-09-29 08:00:07.0042-->
+<!--USGovDoD endpoints version 2023010300-->
+<!--File generated 2023-01-03 08:00:04.1075-->
## Exchange Online ID | Category | ER | Addresses | Ports | -- | | | -
-1 | Optimize<BR>Required | Yes | `outlook-dod.office365.us, webmail.apps.mil`<BR>`20.35.192.0/20, 40.66.24.0/21, 131.253.80.0/24, 131.253.83.64/26, 131.253.84.0/26, 131.253.84.128/26, 131.253.87.0/25, 131.253.87.128/28, 131.253.87.160/27, 131.253.87.192/28, 131.253.87.224/28, 131.253.88.16/28, 131.253.88.64/28, 131.253.88.80/28, 131.253.88.112/28, 131.253.88.176/28, 131.253.88.208/28, 131.253.88.224/28, 2001:489a:2200:2c::/62, 2001:489a:2200:38::/62, 2001:489a:2200:40::/62, 2001:489a:2200:68::/61, 2001:489a:2200:70::/61, 2001:489a:2200:78::/64, 2001:489a:2200:7a::/63, 2001:489a:2200:7c::/64, 2001:489a:2200:7e::/64, 2001:489a:2200:81::/64, 2001:489a:2200:84::/63, 2001:489a:2200:87::/64, 2001:489a:2200:8b::/64, 2001:489a:2200:8d::/64, 2001:489a:2200:8e::/64, 2001:489a:2200:500::/56, 2001:489a:2200:700::/56` | **TCP:** 443, 80
+-- | -- | | | -
+1 | Optimize<BR>Required | Yes | `outlook-dod.office365.us, webmail.apps.mil`<BR>`20.35.192.0/20, 40.66.24.0/21, 2001:489a:2200:500::/56, 2001:489a:2200:700::/56` | **TCP:** 443, 80
4 | Default<BR>Required | Yes | `outlook-dod.office365.us, webmail.apps.mil` | **TCP:** 143, 25, 587, 993, 995 5 | Default<BR>Required | Yes | `attachments-dod.office365-net.us, autodiscover.<tenant>.mail.onmicrosoft.com, autodiscover.<tenant>.mail.onmicrosoft.us, autodiscover.<tenant>.onmicrosoft.com, autodiscover.<tenant>.onmicrosoft.us, autodiscover-s-dod.office365.us` | **TCP:** 443, 80 6 | Allow<BR>Required | Yes | `*.protection.apps.mil, *.protection.office365.us`<BR>`23.103.191.0/24, 23.103.199.0/25, 23.103.204.0/22, 52.181.167.52/32, 52.181.167.91/32, 52.182.95.219/32, 2001:489a:2202::/62, 2001:489a:2202:8::/62, 2001:489a:2202:2000::/63` | **TCP:** 25, 443
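Review bot: Row 1 drops every `131.253.x.x` range and all of the /61 to /64 IPv6 prefixes, and none of them fall inside the four prefixes that remain (`20.35.192.0/20`, `40.66.24.0/21`, and the two /56 blocks), so this is a real contraction of the address set rather than an aggregation. Say so where this include is consumed. Egress allow-lists built from the previous version will keep permitting addresses that are no longer listed for the service until someone prunes them.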
includes Office 365 U.S. Government Gcc High Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-u.s.-government-gcc-high-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.-->
-<!--USGovGCCHigh endpoints version 2022092900-->
-<!--File generated 2022-09-30 08:00:04.2160-->
+<!--USGovGCCHigh endpoints version 2023010300-->
+<!--File generated 2023-01-03 08:00:06.0752-->
## Exchange Online ID | Category | ER | Addresses | Ports | -- | | - | -
-1 | Optimize<BR>Required | Yes | `outlook.office365.us`<BR>`20.35.208.0/20, 20.35.240.0/21, 40.66.16.0/21, 131.253.83.0/26, 131.253.84.64/26, 131.253.84.192/26, 131.253.86.0/24, 131.253.87.144/28, 131.253.87.208/28, 131.253.87.240/28, 131.253.88.0/28, 131.253.88.32/28, 131.253.88.48/28, 131.253.88.96/28, 131.253.88.128/28, 131.253.88.144/28, 131.253.88.160/28, 131.253.88.192/28, 131.253.88.240/28, 2001:489a:2200:28::/62, 2001:489a:2200:3c::/62, 2001:489a:2200:44::/62, 2001:489a:2200:58::/61, 2001:489a:2200:60::/62, 2001:489a:2200:79::/64, 2001:489a:2200:7d::/64, 2001:489a:2200:7f::/64, 2001:489a:2200:80::/64, 2001:489a:2200:82::/63, 2001:489a:2200:86::/64, 2001:489a:2200:88::/63, 2001:489a:2200:8a::/64, 2001:489a:2200:8c::/64, 2001:489a:2200:8f::/64, 2001:489a:2200:100::/56, 2001:489a:2200:400::/56, 2001:489a:2200:600::/56` | **TCP:** 443, 80
+-- | -- | | -- | -
+1 | Optimize<BR>Required | Yes | `outlook.office365.us`<BR>`20.35.208.0/20, 20.35.240.0/21, 40.66.16.0/21, 2001:489a:2200:100::/56, 2001:489a:2200:400::/56, 2001:489a:2200:600::/56` | **TCP:** 443, 80
4 | Default<BR>Required | Yes | `attachments.office365-net.us, autodiscover.<tenant>.mail.onmicrosoft.com, autodiscover.<tenant>.mail.onmicrosoft.us, autodiscover.<tenant>.onmicrosoft.com, autodiscover.<tenant>.onmicrosoft.us, autodiscover-s.office365.us` | **TCP:** 443, 80 5 | Default<BR>Required | Yes | `outlook.office365.us` | **TCP:** 143, 25, 587, 993, 995 6 | Allow<BR>Required | Yes | `*.manage.office365.us, *.protection.office365.us, *.scc.office365.us, manage.office365.us, scc.office365.us`<BR>`13.72.179.197/32, 13.72.183.70/32, 23.103.191.0/24, 23.103.199.128/25, 23.103.208.0/22, 52.227.170.14/32, 52.227.170.120/32, 52.227.178.94/32, 52.227.180.138/32, 52.227.182.149/32, 52.238.74.212/32, 52.244.65.13/32, 2001:489a:2202:4::/62, 2001:489a:2202:c::/62, 2001:489a:2202:2000::/63` | **TCP:** 25, 443
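Review bot: Row 1 for GCC High drops the `131.253.x.x` ranges and the IPv6 prefixes from `2001:489a:2200:28::/62` through `2001:489a:2200:8f::/64`, none of which are covered by the retained `:100::/56`, `:400::/56` and `:600::/56` blocks. The only record of the removal is the version comment moving from 2022092900 to 2023010300. A removed-ranges line next to that comment would let administrators reconcile existing firewall rules without diffing the table by hand.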
security Mdb Offboard Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-offboard-devices.md
ms.localizationpriority: medium Previously updated : 08/11/2022 Last updated : 01/03/2023 f1.keywords: NOCSH
As devices are replaced or retired, or your business needs change, you can offbo
7. Run the script on each device that you want to offboard.
-## Next steps
--- [Use your Microsoft Defender Vulnerability Management dashboard in Microsoft Defender for Business](mdb-view-tvm-dashboard.md)-- [View or edit policies in Microsoft Defender for Business](mdb-view-edit-create-policies.md)-- [Manage devices in Microsoft Defender for Business](mdb-manage-devices.md)- ## [**Mac**](#tab/mac)
-## Offboard a Mac
+## Mac
1. Go to **Finder** > **Applications**. 2. Right click on **Microsoft Defender for Business**, and then choose **Move to Trash**. <br/> or <br/> Use the following command: `sudo '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'`.
-## Next steps
--- [Use your Microsoft Defender Vulnerability Management dashboard in Microsoft Defender for Business](mdb-view-tvm-dashboard.md)-- [View or edit policies in Microsoft Defender for Business](mdb-view-edit-create-policies.md)-- [Manage devices in Microsoft Defender for Business](mdb-manage-devices.md)-- ## [**Servers**](#tab/Servers) ## Servers
Choose the operating system for your server:
> [!TIP] > For more information, see [Uninstall](../defender-endpoint/linux-resources.md) in the Microsoft Defender for Endpoint on Linux guidance.
-## Next steps
--- [Use your Microsoft Defender Vulnerability Management dashboard in Microsoft Defender for Business](mdb-view-tvm-dashboard.md)-- [View or edit policies in Microsoft Defender for Business](mdb-view-edit-create-policies.md)-- [Manage devices in Microsoft Defender for Business](mdb-manage-devices.md)- ## [**Mobile devices**](#tab/mobiles) ## Mobile devices
You can use Microsoft Intune to manage mobile devices, such as iOS, iPadOS, and
See [Microsoft Intune device management](/mem/intune/remote-actions/device-management). ++ ## Next steps - [Use your Microsoft Defender Vulnerability Management dashboard in Microsoft Defender for Business](mdb-view-tvm-dashboard.md)
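Review bot: The "Next steps" list is deleted from the Windows, Mac and Servers tabs and survives only once, after the Mobile devices content. Confirm that the remaining copy sits outside the tab group. If it is still inside the Mobile devices tab, readers on the other three tabs lose the links entirely. The Mac heading change from "Offboard a Mac" to "## Mac" matches the existing "## Servers" and "## Mobile devices" headings, so that part is consistent.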
security Mdb Onboard Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-onboard-devices.md
ms.localizationpriority: medium Previously updated : 12/07/2022 Last updated : 01/03/2023 f1.keywords: NOCSH
After you've onboarded Windows devices to Defender for Business, you can run a d
After the command runs, the Command Prompt window will close automatically. If successful, the detection test will be marked as completed, and a new alert will appear in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) for the newly onboarded device in about 10 minutes.
-## View the list of onboarded devices
-
-To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, go to **Assets** > **Devices**.
-
-## Next steps
--- If you have other devices to onboard, select the tab for those devices ([Windows 10 and 11, Mac, Servers, or Mobile devices](#what-to-do)), and follow the guidance on that tab.-- If you're done onboarding devices, go to [Step 5: Configure your security settings and policies in Defender for Business](mdb-configure-security-settings.md)-- See [Get started using Defender for Business](mdb-get-started.md).- ## [**Mac**](#tab/mac) ## Mac
If your business prefers to have people enroll their own devices in Intune, dire
After a device is enrolled in Intune, you can add it to a device group. [Learn more about device groups in Defender for Business](mdb-create-edit-device-groups.md).
-## View a list of onboarded devices
-
-To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, go to **Assets** > **Devices**.
-
-## Next steps
--- If you have other devices to onboard, select the tab for those devices ([Windows 10 and 11, Mac, Servers, or Mobile devices](#what-to-do)), and follow the guidance on that tab.-- If you're done onboarding devices, go to [Step 5: Configure your security settings and policies in Defender for Business](mdb-configure-security-settings.md).-- See [Get started using Defender for Business](mdb-get-started.md).- ## [**Servers**](#tab/Servers) ## Servers
You can use the following methods to onboard an instance of Linux Server to Defe
> [!NOTE] > Onboarding an instance of Linux Server to Defender for Business is the same as onboarding to [Microsoft Defender for Endpoint on Linux](../defender-endpoint/microsoft-defender-endpoint-linux.md).
-## View a list of onboarded devices
-
-To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, go to **Assets** > **Devices**.
-
-## Next steps
--- If you have other devices to onboard, select the tab for those devices ([Windows 10 and 11, Mac, Servers, or Mobile devices](#what-to-do)), and follow the guidance on that tab.-- If you're done onboarding devices, go to [Step 5: Configure your security settings and policies in Defender for Business](mdb-configure-security-settings.md).-- See [Get started using Defender for Business](mdb-get-started.md).- ## [**Mobile devices**](#tab/mobiles) ## Mobile devices
After a device is enrolled in Intune, you can add it to a device group. [Learn m
> [!NOTE] > The standalone version of Defender for Business does not include the Intune license that is required to onboard iOS and Android devices. You can add Intune to your Defender for Business subscription to onboard mobile devices. Intune is included in Microsoft 365 Business Premium. ++ ## View a list of onboarded devices To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, go to **Assets** > **Devices**.
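Review bot: Three "Next steps" blocks are removed from the tabs, each carrying the link to Step 5 (`mdb-configure-security-settings.md`), but the visible replacement at the end of this hunk restores only "View a list of onboarded devices". Check that a single "Next steps" section follows it outside the tabs, or the onboarding flow loses its pointer to the next step. The consolidation also settles the earlier "View the list" and "View a list" heading variants on one form, which is good.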
security Custom Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-roles.md
f1.keywords:
ms.localizationpriority: medium Last updated : 01/03/2023 audience: ITPro
The following table outlines the roles and permissions required to access each u
> [!NOTE] > Incident management requires management permissions for all products that are part of the incident.
-|Microsoft 365 Defender workload|One of the following roles is required for Defender for Endpoint|One of the following roles is required for Defender for Office 3655|One of the following roles is required for Defender for Cloud Apps|
+|Microsoft 365 Defender workload|One of the following roles is required for Defender for Endpoint|One of the following roles is required for Defender for Office 365|One of the following roles is required for Defender for Cloud Apps|
||||| |Viewing investigation data: <ul><li>Alert page</li> <li>Alerts queue</li> <li>Incidents</li> <li>Incident queue</li> <li>Action center</li></ul>|View data- security operations|<ul><li>View-only Manage alerts </li> <li>Organization configuration</li><li>Audit logs</li> <li>View-only audit logs</li> <li>Security reader</li> <li>Security admin</li><li>View-only recipients</li></ul>|<ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li> <li>Global reader</li></ul>| |Viewing hunting data|View data- security operations|<ul><li>Security reader</li> <li>Security admin</li> <li>View-only recipients</li>|<ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li> <li>Global reader</li></ul>|
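Review bot: The "3655" to "365" header fix is correct, but the same table has two more problems that should be fixed in this pass. In the "Viewing hunting data" row, the Defender for Office 365 cell opens `<ul>` and never closes it before the next `|`. In the "Viewing investigation data" row, the item "View-only Manage alerts" reads like two role names merged into one list entry and should be checked against the role list.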
security Microsoft 365 Security Center Defender Cloud Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud-apps.md
The images and the tables below list the changes in navigation between Microsoft
| Defender for Cloud Apps | Microsoft 365 Defender | |||
-| Policies | Cloud apps -> Policy management. Note: Azure AD identity protection policies will be removed gradually from the Cloud apps policies list. To configure alerts from these policies, see [Configure AAD IP alert service](investigate-alerts.md#configure-aad-ip-alert-service) |
+| Policies | Cloud apps -> Policy management. Note: Azure AD identity protection policies will be removed gradually from the Cloud apps policies list. To configure alerts from these policies, see [Configure AAD IP alert service](investigate-alerts.md#configure-aad-ip-alert-service) |
| Templates | Cloud apps -> Policy templates | ### Settings
Global search in Microsoft 365 Defender (using the search bar at the top of the
As part of the creation of a dedicated **Assets** section that spans the entire Microsoft 365 Defender experience, the **Users and Accounts** section of Defender for Cloud Apps is rebranded as the **Identities** section. No changes to functionality are expected.
+### Preview features in Defender for Cloud Apps
+
+Turn on the preview experience setting to be among the first to try upcoming features.
+
+> [!NOTE]
+> This feature is now available in public preview.
+
+1. In the navigation pane, select **Settings**.
+1. Select **Cloud apps**.
+1. Select **Preview features** > **Enable preview features**.
+1. Select **Save**.
+
+You'll know you have preview features turned on when you see that the **Enable preview features** check box is selected.
++
+For more information, see [Microsoft Defender for Cloud Apps preview features](/defender-cloud-apps/preview-features).
+ ## Related videos Learn how to protect your cloud apps in Microsoft 365 Defender:
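Review bot: In the new "Preview features in Defender for Cloud Apps" section, the note "This feature is now available in public preview" does not say which feature it means, and read literally it describes the preview toggle itself as a preview. Name the feature or drop the note. The confirmation sentence ("You'll know you have preview features turned on when you see that the Enable preview features check box is selected") only restates step 3. Replace it with something the admin can observe after saving, or remove it.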
security Microsoft 365 Security Mdi Redirection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-mdi-redirection.md
This guide explains how to route accounts to Microsoft 365 Defender by enabling
## What to expect
-Once automatic redirection is enabled, accounts accessing the former Microsoft Defender for Identity portal at portal.atp.azure.com, will be automatically routed to the Microsoft 365 Defender portal at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">security.microsoft.com</a>.
+Starting January 31, 2023, the portal redirection setting will be automatically enabled for each tenant. Once the redirection setting is enabled, any requests to the standalone Defender for Identity portal (`portal.atp.azure.com`) will be redirected to Microsoft 365 Defender (<https://security.microsoft.com>) along with any direct links to its functionality. Accounts accessing the former Microsoft Defender for Identity portal will be automatically routed to the Microsoft 365 Defender portal.
## When does this take effect?
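Review bot: The new paragraph under "What to expect" states the redirection twice. The closing sentence ("Accounts accessing the former Microsoft Defender for Identity portal will be automatically routed…") repeats the sentence before it and can be cut. The January 31, 2023 date would fit better under the "When does this take effect?" heading that follows. The text should also say whether an administrator can still turn the setting off after automatic enablement, because the procedure below still reads as an opt-in.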
To start routing accounts to Microsoft 365 Defender:
1. Sign in to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>.
-1. Navigate to **Settings** > **Identities** > **General** > **Portal redirection** or [click here](https://security.microsoft.com/preferences2/portal_redirection).
+1. Navigate to **Settings** > **Identities** > **General** > **Portal redirection** or [go here](https://security.microsoft.com/preferences2/portal_redirection).
:::image type="content" source="../../media/portal-redirection.png" alt-text="Portal redirection."lightbox="../../media/portal-redirection.png":::
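Review bot: Changing "click here" to "go here" still leaves link text that says nothing about the destination. Use the setting name as the link text, for example "open the **Portal redirection** settings page". In the image line that follows, `alt-text="Portal redirection."lightbox=` is missing a space between the two attributes.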
whiteboard Manage Sharing Organizations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/manage-sharing-organizations.md
These changes should take approximately 60 minutes to apply across your tenancy.
> [!NOTE] > If a Whiteboard is stored in OneDrive and already attached to a meeting, it cannot be initiated on a Surface Hub or Microsoft Teams Rooms device. An authenticated user on another device will need to do so. We plan to enable this functionality in a future release.
+## Share in Teams calls
+
+During a one-on-one or group call, you might start sharing a Whiteboard. Similar limitations apply to who can share a Whiteboard regarding scenarios where users from different organizations are involved in a call.
+
+When all members of the call are from the same organization, any person can start and access the Whiteboard. For calls involving users from different organizations, only some users can access the Whiteboard sharing button. During a one-on-one call, only the original user who created a conversation or call (the first person to send a message or call another user, whichever occurs first) between the two users can access the Whiteboard sharing button from the drop-down share tray button.
+
+This cannot be changed after two users have started a conversation. Deleting the chat involving the two users will not restart the chat, therefore, this will not reset who created or started the chat. Having the other user call will also not change who can share the Whiteboard, even if a Whiteboard has not been shared yet. The purpose of this limitation is to prevent out-of-organization user access to a Whiteboard unless sharing starts from an in-organization user.
+ ## Add as a tab in Teams channels and chats When you add a whiteboard as a tab in a Teams channel or chat, Whiteboard will create a sharing link that's accessible by anyone in the organization.
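Review bot: The new "Share in Teams calls" section says the limitation exists to prevent out-of-organization access unless sharing starts from an in-organization user, but the rule it describes for one-on-one calls is based on who created the conversation, not on which organization that user belongs to. State what happens when the external user started the chat. If that user then holds the share button, the stated purpose does not follow from the rule. The cross-organization group-call case is introduced ("only some users can access the Whiteboard sharing button") but never specified. The sentence "Deleting the chat … will not restart the chat, therefore, this will not reset…" is a comma splice and should be split in two.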