+Anyone who is interested can contribute to the topics. When you contribute, your work will go directly into the content set after being merged. It will then be published to [Microsoft Learn](https://learn.microsoft.com/) and you will be listed as a contributor at: <https://github.com/MicrosoftDocs/microsoft-365-docs/graphs/contributors>.

+2. Browse to the page you want to edit on Microsoft Learn.

+ 

+ 

+ 

+ 

+ 

+## Permissions based on Admin role and Group type in M365 Admin page

+|Admin Role | M365 Groups | Security Groups | Distribution Groups | Mail Enabled Security Groups |

+| | | | | |

+| Global admin | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete |

+| Global reader | Read | Read | Read | Read |

+| User admin | Create, Read, Update, Delete, ***Can't update EXO properties*** | Create, Read, Update, Delete | Read | Read |

+| Exchange admin | Create, Read, Update, Delete | Create, Read, Update, Delete - *only groups they own* | Create, Read, Update, Delete | Create, Read, Update, Delete |

+| Teams admin | Create, Read, Update, Delete, ***Can't update EXO properties*** | Create, Read, Update, Delete - _only groups they own_ | Read | Read |

+| SharePoint admin | Create, Read, Update, Delete, ***Can't update EXO properties*** | Create, Read, Update, Delete -_only groups they own_ | Read | Read |

+| Billing admin | Read | Read | Read | Read |

+| Skype admin | Read | Read | Read | Read |

+| Service admin | Read | Read | Read | Read |

+| Group admin | Create, Read, Update, Delete, ***Can't update EXO properties*** | Create, Read, Update, Delete | Read | Read |

+Alternative Phone Number:\

+00 800101716\

+Local toll-free

+ :::column-end:::

+ :::column:::

+Businesses in the following countries or regions can provide their VAT number or local equivalent:

+*For most of the countries or regions listed, providing a VAT number or local equivalent is optional. For Brazil and India, the tax identifier number is required.

+|Applied sensitivity label to site|SiteSensitivityLabelApplied|A sensitivity label was applied to a SharePoint or Teams site.|

+|Removed sensitivity label from site|SiteSensitivityLabelRemoved|A sensitivity label was removed from a SharePoint or Teams site.|

+|Changed sensitivity label on a site|SiteSensitivityLabelChanged|A different sensitivity label was applied to a SharePoint or Teams site.|

+Archive mailboxes in Microsoft Purview provide user mailboxes and shared mailboxes with additional mailbox storage space. After an archive mailbox is enabled, up to 100 GB of additional storage becomes available.

+When auto-expanding archiving is enabled for a user's mailbox archive or a shared mailbox archive, Microsoft Purview periodically checks the size of the archive mailbox. When the archive mailbox gets close to its storage limit, additional storage space is automatically created and this process continues until the mailbox archive reaches 1.5 TB. The additional storage creation happens automatically, which means administrators don't have to request additional archive storage or manage auto-expanding archiving.

+For information what happens when the maximum 1.5 TB is reached, and other size-related limitations for email storage, see [Important considerations and limitations for auto-expanding archiving](#important-considerations-and-limitations-for-auto-expanding-archiving) on this page.

+## Important considerations and limitations for auto-expanding archiving

+If a mailbox with an auto-expanding archive reaches a total of 1.5 TB of data stored in the auto-expanding archive, no more data will be stored in the auto-expanding archive or moved from the main archive to the auto-expanding archive.

+Should the main archive also reaches its quota, no more data will be stored there, which can result in the primary mailbox also reaching its quota. Then, processing can stop for sending or receiving email and other items. To reduce this risk and minimize liability for your organization, we recommend using Microsoft 365 retention policies to delete content that no longer has business value. Configure these policies to [delete items after a specified period](retention-settings.md#settings-for-retaining-and-deleting-content). If you're not yet familiar with retention policies that can automatically delete email and other Microsoft 365 items, see [Learn about retention policies and retention labels](retention.md).

+Auto-expanding archiving is supported only for mailboxes used for individual users (or shared mailboxes) with a growth rate that doesn't exceed 1 GB per day. A user's archive mailbox is intended for just that user. Using journaling, transport rules, or auto-forwarding rules to copy messages to an archive mailbox is not permitted. Microsoft reserves the right to deny additional archiving in instances where a user's archive mailbox is used to store archive data for other users or in other cases of the inappropriate use.

+Evaluate the impact of the controls by implementing them with a DLP policy in test mode. Actions defined in a policy are not applied while the policy is in test mode. It's ok to apply the policy to all workloads in test mode, so that you can get the full breadth of results, but you can start with one workload if you need to.

+**Cohasset Assessment - Microsoft 365 - SEC Rule 17a-4(f) - Immutable Storage for SharePoint, OneDrive, Exchange, Teams, and Yammer** - [Download assessment](https://servicetrust.microsoft.com/DocumentPage/f028b699-8e39-451e-8af4-e8a66426068b)

+> This feature is currently rolling out in preview and subject to change.

+> You won't be able to configure all the options referenced on this page if a [Teams Premium license](/MicrosoftTeams/enhanced-teams-experience) isn't found for your tenant. For those settings, you'll see an information bar in the Microsoft Purview compliance portal that your organization doesn't have this license.

+> This feature is in preview and subject to change.

+To read the preview announcement for this feature, see the [blog post](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/public-preview-default-label-for-a-document-library-in/ba-p/3585136).

+If you need to review a list of file types that are supported by sensitivity labels in SharePoint, see [Supported file types](sensitivity-labels-sharepoint-onedrive-files.md#supported-file-types).

+- Updated table for [built-in trainable and global classifiers](/microsoft-365/compliance/communication-compliance-policies) to increase visibility for details specific to pre-trained classifiers. Includes updated word count requirements for messages in English and non-English languages.

+### Compliance Manager

+- Assessment templates that belong to the same regulation family now count as one template. The [definition of **included templates**](compliance-manager-templates-list.md#included-templates) has been updated to align with [template licensing changes starting December 2022](compliance-manager-faq.yml#what-changed-with-template-licensing-in-december-2022-).

+- Improvement actions now provide greater visibility into related controls and assessments. Improvement action details pages have a new [**Related controls** tab](compliance-manager-improvement-actions.md#related-controls), and the **Summary** section has a clickable **Assessments** number that, when selected, lists all the assessments related to that action.

+### Microsoft Priva

+- [Tags for reviewing data in a subject rights request](/privacy/priva/subject-rights-requests-data-review#apply-tags) provide greater flexibility. There are now two default tags and 21 custom tags that can be named and defined by an organization. Tags can now be applied to, or removed from, mutlipe content items at once.

+- The maximum file size for [file import during data review](/privacy/priva/subject-rights-requests-data-review#import-additional-files) for a subject rights request has increased to 500 MB.

+- Instructions for working with the [action execution log report](/privacy/priva/subject-rights-requests-delete#action-execution-log-report) for a delete request have been updated; including a clarification that its retention period is the same as all other subject rights request reports.

+ Title: "Service advisories for auto-expanding archive utilization in Exchange Online monitoring"

+audience: Admin

+ms.localizationpriority: medium

+search.appverid:

+- MET150

+- scotvorg

+- Ent_O365

+- Strat_O365_Enterprise

+- admindeeplinkMAC

+- admindeeplinkEXCHANGE

+f1.keywords:

+- NOCSH

+description: "Use service advisories to monitor mailboxes that are at risk of reaching or exceeding the auto-expanding archive size limits."

+# Service advisories for auto-expanding archive utilization in Exchange Online monitoring

+We've released a new Exchange Online service advisory that informs you of auto-expanding archives attached to mailboxes that are at risk of reaching or exceeding the 1.5TB cumulative limit on auto-expanding archive size. These service advisories provide visibility to the mailboxes in your organization that may require admin intervention.

+These service advisories are displayed in the Microsoft 365 admin center. To view these service advisories, go to **Health** \> **Service health** \> **Exchange Online** and then click the **Active issues** tab.

+## What do these service advisories indicate?

+This service advisory informs you of potential data storage limits being reached in your organization. Mailboxes with archive mailboxes that have the auto-expanding archive feature enabled may store a maximum of 1.5TB of data in the auto-expanding archive. The service advisory contains a table with information about the mailboxes nearing this limit in your organization. Here's an example of the table:

+| mailboxGuid | Status | SizeInGB |

+| | | |

+| b47c25fd-3d78-481c-970b-6799bc454275 | Warning | 1312 |

+| faf1c53e-9214-48aa-b91e-f908f3c1c762 | Warning | 1316 |

+| c874b925-989a-4119-aa39-b6280a456b9e | Critical | 1499 |

+The following list describes each column in the previous example.

+- **mailboxGuid** : The GUID of the main archive for the mailbox or one of the additional storage units in the auxiliary archive ("AuxArchive").

+- **Status** : _Warning_ if the auto-expanding archive total size is over 1.2TB but less than 1.4TB; _Critical_ if the auto-expanding archive total size is over 1.4TB.

+- **SizeInGB** : The total size of the auto-expanding archive associated with the mailbox.

+## More information

+For more information about auto-expanding archive limits and considerations, see the following articles:

+- [Learn about auto-expanding archiving](/microsoft-365/compliance/autoexpanding-archiving)

+- [Customize an archive and deletion policy for mailboxes in your organization](/microsoft-365/compliance/set-up-an-archive-and-deletion-policy-for-mailboxes)

+# Microsoft 365 Multi-Tenant Organization People Search (private preview)

+The Multi-Tenant Organization (MTO) People Search is a collaboration feature that enables search and discovery of people across multiple tenants. A tenant admin can enable cross-tenant synchronization that will allow users to be synced to another tenant and be discoverable in its global address list. Once enabled, users will be able to search and discover synced user profiles from the other tenant and view their corresponding people cards.

+>[!NOTE]

+>This Private Preview program is designed to offer select customers the opportunity to try out the multi-tenant people search feature. You can then validate the scenario and provide feedback to the product development team. The purpose of this article is to:

+>

+>- Give an overview of the feature

+>- Define use cases that we currently support as part of the preview

+>- Provide instructions on how you can configure and test the feature

+> _Fig 1: Azure AD sync illustration_

+## Example scenario

+Megan's user account has been synced from the _Fabrikam_ tenant to the target tenant, _Contoso_. Nestor from Contoso would like to search and view Megan's people card in Teams. After Megan's account has been synced, Nestor can search and discover Megan's people card in any of the Microsoft 365 apps.

+> _Fig 2: User can view a limited people card_

+### In-tenant view of people card

+The people card shows all the user's attributes including the profile picture when viewing a user's people card within the same tenant.

+

+> _Fig 3: User can view extended people card within the same tenant_

+## Known limitations

+- The Microsoft Teams audio and video call buttons will direct the call to the user's home tenant Teams instance (Fabrikam) and not the Teams instance target tenant (Contoso).

+## Prerequisites

+To test the MTO People Search feature, it is assumed that you already have the following settings:

+- Both tenants have the **Azure AD Cross-tenant Synchronization** feature enabled (currently in private preview - make sure you sign up for both preview features)

+- Provisioned users from home to target tenants as described in [Instructions to enable Tenant-to-Tenant Sync](https://github.com/ArvindHarinder1/CrossTenantSynchronization/blob/main/CrossTenantSynchronization.md)

+## Use Cases

+1. **Microsoft Outlook (OWA, desktop and mobile app)**

+ - Nestor (<nestor@contoso.com>) searches for "Megan" on the centralized search bar in OWA and gets the results and can view Megan's people card with limited profile information.

+ - Nestor types in "Megan" in the _To_ line of the email and can send an email to Megan after getting the results for <megan@fabrikam.com>.

+ - Nestor \@mentions "Megan" in the body of the email and can get the result for <megan@fabrikam.com>.

+ - Nestor types in "Megan" in the _cc_ line of the email and can get the result for <megan@fabrikam.com>.

+ - Nestor can hover and/or click on Megan's profile picture/initials to view Megan's limited people card.

+ - Nestor (<nestor@contoso.com>) searches for "Megan" in the centralized search bar on SharePoint and can get the result for <megan@fabrikam.com>.

+ - Nestor can hover and/or click on Megan's profile picture/initials to view Megan's limited people card.

+ - Nestor can share and collaborate on Office documents with Megan.

+3. **Microsoft Teams (Web, desktop and mobile app)**

+ - Nestor (<nestor@contoso.com>) searches for "Megan" on the Teams people picker and can view Megan's limited people card.

+ - Nestor searches for "Megan" on the Teams power bar and can view Megan's limited people card Team membership.

+ - Nestor (<nestor@contoso.com>) searches for "Megan" on the search bar and can view Megan's limited people card (<megan@fabrikam.com>).

+## Key terminology

+- _Home tenant_: The tenant you want to search from. The direction of the search is _outbound_.

+- _Resource tenant_: The tenant you want to search in. The direction of the search is _inbound_.

+ A tenant can be both home and resource tenant simultaneously.

+- _Cross-Tenant synchronization_ is a feature that enables multi-tenant organizations to grant users access to applications in other tenants within the organization. It achieves this by synchronizing internal member users from a home tenant into a resource tenant as external B2B users.

+## Contact us

+ Title: How to check Microsoft 365 service health

+description: View the health status of Microsoft 365 services before you call support to see if there is an active service interruption.

+|Vulnerability assessment of apps |By default only information about apps installed in the work profile is sent for vulnerability assessment. Admins can disable privacy to include personal apps|

+> [!NOTE]

+> For performance-specific issues related to Microsoft Defender Antivirus, see: [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).

+- [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)

+>

+> For performance-specific issues related to Microsoft Defender Antivirus, see: [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).

+- [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)

+Follow the instructions for [Onboarding blob](#onboarding-blob) from above, using "Defender for Background Services" as profile name, and downloaded **background_services.mobileconfig** as Configuration profile name.

+## Indicator of compromise (IoC) overview

+An Indicator of compromise (IoC) is a forensic artifact, observed on the network or host. An IoC indicates - with high confidence - a computer or network intrusion has occurred. IoCs are observable, which link them directly to measurable events. Some IoC examples include:

+- hashes of known malware

+- signatures of malicious network traffic

+- URLs or domains that are known malware distributors

+To halt additional compromise or prevent breaches of known IoCs, successful IoC tools should be able to detect all malicious data that is enumerated by the tool's rule set.

+IoC matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).

+Organizations can create indicators that define the detection, prevention, and exclusion of IoC entities. You can define the action to be taken as well as the duration for when to apply the action, and the scope of the device group to apply it to.

+### About Microsoft indicators

+As a general rule, you should only create indicators for known bad IoCs, or for any files / websites that should be explicitly allowed in your organization. For more information on the types of sites that MDE may block by default, see [Microsoft Defender SmartScreen overview](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview).

+False Positive (FP) refers to a SmartScreen false positive, Microsoft says it is malware / phish but it is actually a safe site, so customer wants to create an allow policy for this.

+You can also help drive improvements to Microsoft's security intelligence by submitting false positives, and suspicious or known-bad IoCs for analysis. If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can submit a file to Microsoft for review. For more information, see [Submit files for analysis](https://www.microsoft.com/en-us/wdsi/filesubmission/).

+#### IP/URL indicators

+There several reasons for using IP/URL indicators, such as unblocking users from a SmartScreen false positive (FP) or overriding a Web Content Filtering (WFC) block.

+You can use URL and IP indicators to manage site access. You can create interim IP and URL indicators to temporarily unblock users from a SmartScreen block. You may also have indicators that you keep for a long period of time to selectively bypass web content filtering blocks.

+Consider the case where you have a web content filtering categorization for a particular site that is correct. In this example, you have web content filtering set to block all social media, which is correct for your overall organizational goals. However, the marketing team has a real need to use a specific social media site for advertising and announcements. In that case, you can unblock the specific social media site using IP or URL indicators for the specific group (or groups) to use.

+See [Web protection](web-protection-overview.md) and [Web content filtering](web-content-filtering.md)

+#### File hash indicators

+In some cases, creating a new indicator for a newly identified file IoC - as an immediate stop-gap measure - might be appropriate to block files or even applications. However, using indicators to attempt to block an application may not provide the expected results as applications are typically composed of many different files. The preferred methods of blocking applications are to use [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) or AppLocker.

+Because each version of an application has a different file hash, using indicators to block hashes is not recommended.

+[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create)

+#### Certificate indicators

+In some cases, there may be a specific certificate that has been used to sign a file or application that your organization would like to allow / block. Certificate indicators are supported in MDE, provided they are of the .CER or .PEM file format. See [Create indicators based on certificates](indicator-certificates.md) for more details.

+## IoC detection engines

+Currently, the supported Microsoft sources for IoCs are:

+- [Cloud detection engine](#cloud-detection-engine) of Defender for Endpoint

+- [Automated investigation and remediation (AIR) engine](#automated-investigation-and-remediation-engine) in Microsoft Defender for Endpoint

+- [Endpoint prevention engine](#endpoint-prevention-engine) (Microsoft Defender Antivirus)

+The `EnableFileHashComputation` setting computes the file hash for the cert and file IoC during file scans. It supports IoC enforcement of hashes and certs belong to trusted applications. It will be concurrently enabled and disabled with the allow or block file setting. `EnableFileHashComputation` is enabled manually through Group Policy, and is disabled by default.

+## Enforcement types for Indicators

+- **Allow** ΓÇô the IoC will be allowed to run on your devices.

+- **Audit** ΓÇô an alert will be triggered when the IoC runs.

+- **Warn** ΓÇô the IoC will prompt a warning that the user can bypass

+- **Block execution** - the IoC will not be allowed to run.

+- **Block and remediate** - the IoC will not be allowed to run and a remediation action will be applied to the IoC.

+> Using Warn mode will prompt your users with a warning if they open a risky app or website. The prompt won't block them from allowing the application or website to run, but you can provide a custom message and links to a company page that describes appropriate usage of the app. Users can still bypass the warning and continue to use the app if they need. For more information, see Govern apps discovered by Microsoft Defender for Endpoint.

+- [IP addresses](indicator-ip-domain.md)

+- [URLs/domains](indicator-ip-domain.md)

+| [Files](indicator-file.md) | Allow <br> Audit <br> Warn <br> Block execution <br> Block and remediate |

+| [IP addresses](indicator-ip-domain.md) | Allow <br> Audit <br> Warn <br> Block execution |

+| [URLs and domains](indicator-ip-domain.md) | Allow <br> Audit <br> Warn <br> Block execution |

+> [!NOTE]

+>

+For performance-specific issues related to Microsoft Defender Antivirus, see: [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)

+- [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)

+For troubleshooting performance-specific issues related to Microsoft Defender Antivirus, see: [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).