Updates from: 01/07/2021 04:08:35
Category Microsoft Docs article Related commit history on GitHub Change details
business-video https://docs.microsoft.com/en-us/microsoft-365/business-video/buy-licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/buy-licenses.md new file mode 100644
@@ -0,0 +1,45 @@
+---
+title: "Buy new licenses"
+f1.keywords:
+- NOCSH
+ms.author: twerner
+author: twernermsft
+manager: scotv
+audience: Admin
+ms.topic: article
+ms.service: o365-administration
+localization_priority: Normal
+ROBOTS: NOINDEX, NOFOLLOW
+ms.collection:
+- M365-subscription-management
+- Adm_O365
+ms.custom:
+- AdminSurgePortfolio
+- adminvideo
+monikerRange: 'o365-worldwide'
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+description: "Learn how to buy new Microsoft 365 for business licenses."
+---
+
+# Buy Microsoft 365 licenses
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4KWvE?autoplay=false]
+
+As you add new users, you will need to purchase more licenses for those users.
+
+## Try it!
+
+1. In the Microsoft 365 admin center, choose **Billing**, **Your Products**, then select your subscription.
+1. Choose **Buy licenses**.
+1. Enter the number of licenses you want to buy.
+1. Select **Save**.
+1. Then close the window.
+1. The new licenses are added to your subscription.
+1. To assign the new licenses, select **Assign licenses**.
+1. Then, **Assign licenses** again.
+1. Type the name of the user you want to assign the license to, then select the name.
+1. Decide which apps or services you want the user to have, then select **Assign**.
+1. The license is now assigned to the user.
\ No newline at end of file
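Review bot: the new file is committed without a trailing newline (`\ No newline at end of file`); add one so later diffs on this file stay clean. Also, steps 6, 10 and 11 ("The new licenses are added...", "The license is now assigned...") are outcomes rather than actions; fold each into the preceding step as a result sentence so the numbered list reads as a sequence of things the admin does.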
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/archive-redtailspeak-data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-redtailspeak-data.md
@@ -1,5 +1,5 @@
---
-title: "Set up a connector to archive Redtail Speak data in Microsoft 365"
+title: "Set up a connector to archive Red tail Speak data in Microsoft 365"
f1.keywords: - NOCSH ms.author: markjjo
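Review bot: the title changes "Redtail Speak" to "Red tail Speak", but the H1, the Step 1 heading and every body reference on this page keep "Redtail Speak"; either the title edit is a typo or the rest of the article needs the same rename. Confirm the vendor's product spelling before merging, since the description below receives the same change.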
@@ -11,7 +11,7 @@ ms.topic: how-to
ms.service: O365-seccomp localization_priority: Normal ms.collection: M365-security-compliance
-description: "Admins can set up a connector to import and archive Redtail Speak data from Globanet to Microsoft 365. This connector lets you archive data from third-party data sources in Microsoft 365. After your archive this data, you can use compliance features such as legal hold, content search, and retention policies to manage third-party data."
+description: "Admins can set up a connector to import and archive Red tail Speak data from Globanet to Microsoft 365. This connector lets you archive data from third-party data sources in Microsoft 365. After your archive this data, you can use compliance features such as legal hold, content search, and retention policies to manage third-party data."
--- # Set up a connector to archive Redtail Speak data
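Review bot: the rewritten description still carries "After your archive this data" (should be "After you archive this data"); since this line is already being touched, fix the typo in the same change.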
@@ -38,21 +38,21 @@ The following overview explains the process of using a connector to archive the
- Create a Globanet Merge1 account for Microsoft connectors. To create an account, contact [Globanet Customer Support](https://globanet.com/contact-us/). You need to sign into this account when you create the connector in Step 1. -- In Step 2, you need to specify your organization's SFTP server. This is necessary so that Globanet Merge1 can contact it to collect Redtail Speak data via SFTP.
+- In Step 2, you need to specify your organization's SFTP server. This step is necessary so that Globanet Merge1 can contact it to collect Redtail Speak data via SFTP.
-- The user who creates the Redtail Speak Importer connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the Data connectors page in the Microsoft 365 compliance center. By default, this role is not assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- The user who creates the Redtail Speak Importer connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the Data connectors page in the Microsoft 365 compliance center. This role is not assigned to any role group in Exchange Online by default. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
## Step 1: Set up the Redtail Speak connector The first step is to access to the **Data Connectors** page in the Microsoft 365 compliance center and create a connector for the Redtail Speak data.
-1. Go to [https://compliance.microsoft.com](https://compliance.microsoft.com/) and click **Data connectors** > **Redtail Speak**.
+1. Go to [https://compliance.microsoft.com](https://compliance.microsoft.com/) and select **Data connectors** > **Redtail Speak**.
-2. On the **Redtail Speak** product description page, click **Add new connector**.
+2. On the **Redtail Speak** product description page, select **Add new connector**.
-3. On the **Terms of service** page, click **Accept**.
+3. On the **Terms of service** page, select **Accept**.
-4. Enter a unique name that identifies the connector, and then click **Next**.
+4. Enter a unique name that identifies the connector, and then select **Next**.
5. Sign in to your Merge1 account to configure the connector.
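Review bot: the unchanged context line "The first step is to access to the **Data Connectors** page" has a stray "to" (should be "to access the"); worth fixing while the surrounding wording is being normalized from "click" to "select".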
@@ -60,7 +60,7 @@ The first step is to access to the **Data Connectors** page in the Microsoft 365
The second step is to configure the Redtail Speak connector on the Merge1 site. For information about how to configure the Redtail Speak connector, see [Merge1 Third-Party Connectors User Guide](https://docs.ms.merge1.globanetportal.com/Merge1%20Third-Party%20Connectors%20Redtail%20Speak%20User%20Guide%20.pdf).
-After you click **Save & Finish**, the **User mapping** page in the connector wizard in the Microsoft 365 compliance center is displayed.
+After you select **Save & Finish**, the **User mapping** page in the connector wizard in the Microsoft 365 compliance center is displayed.
## Step 3: Map users and complete the connector setup
@@ -68,17 +68,17 @@ To map users and complete the connector setup, follow these steps:
1. On the **Map Redtail Speak users to Microsoft 365 users** page, enable automatic user mapping. The Redtail Speak items include a property called *Email*, which contains email addresses for users in your organization. If the connector can associate this address with a Microsoft 365 user, the items are imported to that userΓÇÖs mailbox.
-2. Click **Next**, review your settings, and go to the **Data connectors** page to see the progress of the import process for the new connector.
+2. Select **Next**, review your settings, and go to the **Data connectors** page to see the progress of the import process for the new connector.
## Step 4: Monitor the Redtail Speak connector After you create the Redtail Speak connector, you can view the connector status in the Microsoft 365 compliance center.
-1. Go to [https://compliance.microsoft.com](https://compliance.microsoft.com/) and click **Data connectors** in the left nav.
+1. Go to [https://compliance.microsoft.com](https://compliance.microsoft.com/) and select **Data connectors** in the left nav.
-2. Click the **Connectors** tab and then select the **Redtail Speak** connector to display the flyout page. This page displays properties and information about the connector.
+2. Select the **Connectors** tab and then select the **Redtail Speak** connector to display the flyout page. This page displays properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, select the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
## Known issues
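Review bot: the context line for step 1 shows "userΓÇÖs", a mis-encoded right single quotation mark (UTF-8 bytes of a curly apostrophe read as Windows-1252); the source file should use a plain ASCII `'` so the word renders as "user's" in every pipeline.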
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/assessment-in-relevance-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/assessment-in-relevance-in-advanced-ediscovery.md
@@ -6,7 +6,7 @@ ms.author: markjjo
author: markjjo manager: laurawi titleSuffix: Office 365
-ms.date: 09/14/2017
+ms.date:
audience: Admin ms.topic: conceptual ms.service: O365-seccomp
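Review bot: `ms.date:` is left with an empty value instead of being removed; an empty key can fail schema validation or render as a blank date, so either delete the line or set the date of this revision.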
@@ -20,10 +20,7 @@ ROBOTS: NOINDEX, NOFOLLOW
ms.custom: seo-marvel-apr2020 ---
-# Understand Assessment in Relevance in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
+# Assessment in the Relevance module in Advanced eDiscovery
Advanced eDiscovery enables early assessment, for example, for the defined issues and the data imported for a case. Advanced eDiscovery lets the expert make decisions about an adopted approach and to apply these decisions to the document review project.
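Review bot: the removed note was the only place on this page stating the licensing requirement (Office 365 E3 with the Advanced Compliance add-on, or E5) and the trial link; if that requirement still applies to the classic Relevance module, keep it here or point to the overview article rather than dropping it silently.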
@@ -38,14 +35,14 @@ The statistics, which are presented in the Track and Decide tabs during training
After the expert reviews an initial assessment set of 500 files, Relevance can determine the current margin of error of the recall values. Relevance will also recommend a default margin of error to reach to optimize the assessment set. Here are some examples: - If the assessment set already yielded a margin of error of plus or minus 10%, Relevance will recommend moving on to training (no additional assessment review is needed).
-
+ - If the assessment set yielded a margin of error of plus or minus 13%, Relevance might recommend the review of another set of assessment files to reach a smaller margin.
-
+ - If richness is extremely low, Relevance might recommend stopping assessment even though the margin of error is large (making statistics impractical), because the assessment set needed to reach a useful margin of error is too large.
-
+ Each issue has its own richness, current margin of error, and as a result, estimated number of additional assessment files. The next assessment set is created according to the maximum number of files (up to 1,000 in a single set). You can accept the Relevance recommendations or adjust the current margin of error according to your needs. The default current margin of error is determined for recall at equal or above 75%. > [!NOTE]
-> The Assessment stage can be bypassed, in the **Relevance \> Track** tab in the expanded view for an issue, by clearing the **Assessment** check box per issue and then for "all issues". However, as a result, there will be no statistics for this issue. > Clearing the **Assessment** check box can only be done before assessment is performed. Where multiple issues exist in a case, assessment is bypassed only if the check box is cleared for each issue.
\ No newline at end of file
+> The Assessment stage can be bypassed, in the **Relevance \> Track** tab in the expanded view for an issue, by clearing the **Assessment** check box per issue and then for "all issues". As a result, there will be no statistics for this issue. Clearing the **Assessment** check box can only be done before assessment is performed. Where multiple issues exist in a case, assessment is bypassed only if the check box is cleared for each issue.
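Review bot: the blank separator lines between the example bullets are replaced with lines holding a single space (`+ `), which leaves trailing whitespace that markdown linters flag; use genuinely empty lines. The note block is also collapsed so that "Clearing the **Assessment** check box ..." now continues the same paragraph rather than starting a new `>` line; acceptable, but confirm that was intended.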
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/decision-based-on-the-results-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/decision-based-on-the-results-in-advanced-ediscovery.md
@@ -19,12 +19,9 @@ ROBOTS: NOINDEX, NOFOLLOW
ms.custom: seo-marvel-apr2020 ---
-# Decision based on the results in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
+# Decisions based on Relevance results in Advanced eDiscovery
- In Advanced eDiscovery, the Decide tab provides additional information for viewing and using decision-support statistics for determining the size of the review set of case files.
+In the Relevance module in Advanced eDiscovery, the Decide tab provides additional information for viewing and using decision-support statistics for determining the size of the review set of case files.
## Using the Decide tab
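Review bot: as in the assessment article, the licensing note (E3 with the Advanced Compliance add-on, or E5, plus the trial link) is removed with no replacement; make sure the requirement is stated somewhere readers of the classic module will see it.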
@@ -32,21 +29,20 @@ ms.custom: seo-marvel-apr2020
This tab includes the following components: -- **Issue**: From here, you can select the issue of interest from the list.
-
+- **Issue**: From here, you can select the issue of interest from the list.
+ - **Review-recall ratio**: Comparisons of Advanced eDiscovery review according to Relevance scores. The Cutoff point in the chart represents the percentage of files to review, mapped to a Relevance score. This is used in the Relevance Test phase and as an Export threshold for culling. The default cutoff point, for the number of files to review is at the point in which the balance between Recall and Precision is optimal. The actual cutoff point should be determined by the user depending on objectives and the cost tradeoff (%review) and risk (%recall). Using the slider, you can adjust the cutoff point and see the effect on the graph and parameters, when adjusting the percent of relevant files to be retrieved, and before validating a decision.
-
+ - **Parameters**: Review, Recall, Next relevant and Total cost parameters are cumulative calculated statistics pertaining to the review set in relation to the collection for the entire case. Definitions for these parameters are as follows:
-
- **Review**: Percentage of files to review based on this cutoff.
-
- **Recall**: Percentage of relevant files in the review set.
-
- **Next relevant**: Cost to review and identify an additional relevant file that is not currently in the review set.
-
- **Total cost**: Cost for reviewing this percentage of the case files. Cost parameter settings can be set by the Case manager.
-
-- **Distribution by relevance score**: Files in the dark gray display to the left are below the cutoff score. A tool-tip displays the Relevance score and the related percentage of files in the review file set in relation to the total files.
-
-The expanded Details pane displays additional details. Files in collection figures do not include empty or nebulous files. Family files figures represent files that are not loaded in Relevance, yet still counted as part of the family.
-
+
+ - **Review**: Percentage of files to review based on this cutoff.
+
+ - **Recall**: Percentage of relevant files in the review set.
+
+ - **Next relevant**: Cost to review and identify another relevant file that is not currently in the review set.
+
+ - **Total cost**: Cost for reviewing this percentage of the case files. Cost parameter settings can be set by the Case manager.
+
+ - **Distribution by relevance score**: Files in the dark gray display to the left are below the cutoff score. A tool-tip displays the Relevance score and the related percentage of files in the review file set in relation to the total files.
+
+The expanded **Details** pane displays more details. Files in collection figures do not include empty or nebulous files. Family files figures represent files that are not loaded in Relevance, yet still counted as part of the family.
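Review bot: the **Distribution by relevance score** bullet is now indented under **Parameters**, in the same way as Review, Recall, Next relevant and Total cost, but the intro says it is one of the tab's components alongside Issue, Review-recall ratio and Parameters, so it should stay at the top level. Separately, a single leading space does not nest a list item in CommonMark (up to three spaces still yields a sibling item), so the Review/Recall/Next relevant/Total cost sub-items need at least two, preferably four, spaces of indentation to render under **Parameters**; and the `+` separator lines again contain a trailing space instead of being empty.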
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/insider-risk-solution-overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-solution-overview.md
@@ -25,7 +25,7 @@ Insider risks are one of the top concerns of security and compliance professiona
Microsoft 365 risk prevention features are designed and built-in to our insider risk products and solutions. These solutions work together and use advanced service and 3rd-party indicators to help you quickly identify, triage, and act on risk activity. Most solutions offer a comprehensive detection, alert, and remediation workflow for your data analysts and investigators to use to quickly act on and minimize these risks.
-| | Risks | Communication compliance | Insider risk management | Information barriers | Privileged access management |
+| Risk icon | Risks | Communication compliance | Insider risk management | Information barriers | Privileged access management |
| :---- | :-------- | :--------------------------- | :-------------------------- |:-------------------------| :--------------------------------| | ![Data spillage icon](../media/ir-risk-data-spillage.png)| Data spillage | ![Supported](../media/check-mark.png) | ![Supported](../media/check-mark.png) | | | | ![Confidentiality violations icon](../media/ir-risk-confidentiality-violations.png)| Confidentiality violations | ![Supported](../media/check-mark.png) | ![Supported](../media/check-mark.png) | ![Supported](../media/check-mark.png) | |
@@ -46,10 +46,10 @@ To help protect your organization against insider risks, use these Microsoft 365
| Solution/capabilities | Description | Licensing | | :------------------------ | :-------------- | :------------ |
-| Communication compliance | Communication compliance helps minimize communication risks by helping you detect, capture, and act on inappropriate messages in your organization. | Microsoft 365 E5 subscription (paid or trial version) <br> Microsoft 365 E3 subscription + the Microsoft 365 E5 Compliance add-on <br> Microsoft 365 E3 subscription + the Microsoft 365 E5 Insider Risk Management add-on <br> Microsoft 365 A5 subscription (paid or trial version) <br> Microsoft 365 A3 subscription + the Microsoft 365 A5 Compliance add-on <br> Microsoft 365 A3 subscription + the Microsoft 365 A5 Insider Risk Management add-on <br> Microsoft 365 G5 subscription (paid or trial version) <br> Microsoft 365 G5 subscription + the Microsoft 365 G5 Compliance add-on <br> Microsoft 365 G5 subscription + the Microsoft 365 G5 Insider Risk Management add-on <br> Office 365 Enterprise E5 subscription (paid or trial version) <br> Office 365 A5 subscription (paid or trial version) <br> Office 365 Enterprise E3 subscription + the Office 365 Advanced Compliance add-on (no longer available for new subscriptions) |
-| Insider risk management | Insider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. | Microsoft 365 E5 subscription (paid or trial version) Microsoft 365 E3 subscription + the Microsoft 365 E5 Compliance add-on <br> Microsoft 365 E3 subscription + the Microsoft 365 E5 Insider Risk Management add-on <br> Microsoft 365 A5 subscription (paid or trial version) <br> Microsoft 365 A3 subscription + the Microsoft 365 A5 Compliance add-on <br> Microsoft 365 A3 subscription + the Microsoft 365 A5 Insider Risk Management add-on |
-| Information barriers | Information barriers allow you to restrict communication and collaboration between two internal groups to avoid a conflict of interest from occurring in your organization. | Microsoft 365 E5/A5 <br> Office 365 E5/A5 <br> Office 365 Advanced Compliance <br> Microsoft 365 Compliance E5/A5 <br> Microsoft 365 Insider Risk Management |
-| Privileged access management | Privileged access management allows granular access control over privileged Exchange Online admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. | Microsoft 365 E5/A5 <br> Office 365 E5/A5 <br> Microsoft 365 E5/A5 Compliance <br> Microsoft 365 E5/A5 Information Protection and Governance |
+| Communication compliance | Communication compliance helps minimize communication risks by helping you detect, capture, and act on inappropriate messages in your organization. | Microsoft 365 E5 subscription (paid or trial version) <br><br> Microsoft 365 E3 subscription + the Microsoft 365 E5 Compliance add-on <br><br> Microsoft 365 E3 subscription + the Microsoft 365 E5 Insider Risk Management add-on <br><br> Microsoft 365 A5 subscription (paid or trial version) <br><br> Microsoft 365 A3 subscription + the Microsoft 365 A5 Compliance add-on <br><br> Microsoft 365 A3 subscription + the Microsoft 365 A5 Insider Risk Management add-on <br><br> Microsoft 365 G5 subscription (paid or trial version) <br><br> Microsoft 365 G5 subscription + the Microsoft 365 G5 Compliance add-on <br> Microsoft 365 G5 subscription + the Microsoft 365 G5 Insider Risk Management add-on <br><br> Office 365 Enterprise E5 subscription (paid or trial version) <br><br> Office 365 A5 subscription (paid or trial version) <br><br> Office 365 Enterprise E3 subscription + the Office 365 Advanced Compliance add-on (no longer available for new subscriptions) |
+| Insider risk management | Insider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. | Microsoft 365 E5 subscription (paid or trial version) <br><br> Microsoft 365 E3 subscription + the Microsoft 365 E5 Compliance add-on <br><br> Microsoft 365 E3 subscription + the Microsoft 365 E5 Insider Risk Management add-on <br><br> Microsoft 365 A5 subscription (paid or trial version) <br><br> Microsoft 365 A3 subscription + the Microsoft 365 A5 Compliance add-on <br><br> Microsoft 365 A3 subscription + the Microsoft 365 A5 Insider Risk Management add-on |
+| Information barriers | Information barriers allow you to restrict communication and collaboration between two internal groups to avoid a conflict of interest from occurring in your organization. | Microsoft 365 E5/A5 <br><br> Office 365 E5/A5 <br><br> Office 365 Advanced Compliance <br><br> Microsoft 365 Compliance E5/A5 <br><br> Microsoft 365 Insider Risk Management |
+| Privileged access management | Privileged access management allows granular access control over privileged Exchange Online admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. | Microsoft 365 E5/A5 <br><br> Office 365 E5/A5 <br><br> Microsoft 365 E5/A5 Compliance <br><br> Microsoft 365 E5/A5 Information Protection and Governance |
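Review bot: in the Communication compliance row, the separator between "Microsoft 365 G5 subscription + the Microsoft 365 G5 Compliance add-on" and "Microsoft 365 G5 subscription + the Microsoft 365 G5 Insider Risk Management add-on" is still a single `<br>` while every other entry now uses `<br><br>`. Those two G5 entries also pair a G5 subscription with a G5 add-on, whereas the E and A entries pair an E3/A3 subscription with the E5/A5 add-on; check whether "Microsoft 365 G3 subscription" was intended.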
## Deploy Microsoft 365 insider risk solutions
@@ -64,7 +64,7 @@ To help protect your organization against insider risks, set up and deploy the f
## Illustrations with examples
-To help you plan an integrated strategy for implementing Microsoft 365 insider risk capabilities, download the *Microsoft 365 information protection and compliance capabilities* set of illustrations. For insider risk capabilities, see the architecture illustration topics 5-7. Feel free to adapt these illustrations for your own use.
+To help you plan an integrated strategy for implementing Microsoft 365 insider risk capabilities, download the *Microsoft 365 information protection and compliance capabilities* set of illustrations. For insider risk capabilities, see the architecture illustration pages 5-7. Feel free to adapt these illustrations for your own use.
| Item | Description | |:-----|:------------|
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/office-365-service-encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/office-365-service-encryption.md
@@ -20,15 +20,15 @@ description: "Summary: Understand data resiliency in Microsoft Office 365."
In addition to using volume-level encryption, Exchange Online, Skype for Business, SharePoint Online, and OneDrive for Business also use Service Encryption to encrypt customer data. Service Encryption allows for two key management options:
-## Microsoft managed keys
-Microsoft manages all cryptographic keys including the root keys for service encryption. This option is currently enabled by default for Exchange Online, SharePoint Online, OneDrive for Business. Microsoft managed keys provide default service encryption unless you decide to onboard using Customer Key. If, at a later date, you decide to stop using Customer Key without following the data purge path, then your data stays encrypted using the Microsoft managed keys. Your data is always encrypted at this default level at a minimum.
+## Microsoft-managed keys
+Microsoft manages all cryptographic keys including the root keys for service encryption. This option is currently enabled by default for Exchange Online, SharePoint Online, OneDrive for Business. Microsoft-managed keys provide default service encryption unless you decide to onboard using Customer Key. If, at a later date, you decide to stop using Customer Key without following the data purge path, then your data stays encrypted using the Microsoft-managed keys. Your data is always encrypted at this default level at a minimum.
## Customer Key You supply root keys used with service encryption and you manage these keys using Azure Key Vault. Microsoft manages all other keys. This option is called Customer Key, and it is currently available for Exchange Online, SharePoint Online, and OneDrive for Business. (Previously referred to as Advanced Encryption with BYOK. See [Enhancing transparency and control for Office 365 customers](https://blogs.office.com/2015/04/21/enhancing-transparency-and-control-for-office-365-customers/) for the original announcement.) Service encryption provides multiple benefits: -- Provides an added layer of protection on top of bitlocker.
+- Provides an added layer of protection on top of BitLocker.
- Provides separation of Windows operating system administrators from access to application data stored or processed by the operating system.
@@ -38,7 +38,7 @@ Service encryption provides multiple benefits:
Using Customer Key, you can generate your own cryptographic keys using either an on-premises Hardware Service Module (HSM) or Azure Key Vault (AKV). Regardless of how you generate the key, you use AKV to control and manage the cryptographic keys used by Office 365. Once your keys are stored in AKV, they can be used as the root of one of the keychains that encrypts your mailbox data or files.
-Another benefit of Customer Key is the control you have over the ability of Microsoft to process your data. If you want to remove data from Office 365, such as if you want to terminate service with Microsoft or remove a portion of your data stored in the cloud, you can do so and use Customer Key as a technical control. This ensures that no one, including Microsoft, can access or process the data. Customer Key is in addition and complementary to Customer Lockbox that you use to control access to your data by Microsoft personnel.
+Another benefit of Customer Key is the control you have over the ability of Microsoft to process your data. If you want to remove data from Office 365, such as if you want to terminate service with Microsoft or remove a portion of your data stored in the cloud, you can do so and use Customer Key as a technical control. Removing data ensures that no one, including Microsoft, can access or process the data. Customer Key is in addition and complementary to Customer Lockbox that you use to control access to your data by Microsoft personnel.
To learn how to set up Customer Key for Microsoft 365 for Exchange Online, Skype for Business, SharePoint Online, including Team Sites, and OneDrive for Business, see these articles:
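Review bot: "Removing data ensures that no one, including Microsoft, can access or process the data" changes the meaning: in the original sentence "This" referred to using Customer Key as the technical control (the root key you hold is what makes the data unreadable), not to the removal itself; rewrite along the lines of "Using Customer Key as the control ensures that no one, including Microsoft, can access or process the data." The unchanged context line above also expands HSM as "Hardware Service Module"; the standard expansion is Hardware Security Module.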
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/permissions-filtering-for-content-search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/permissions-filtering-for-content-search.md
@@ -41,58 +41,48 @@ Search permissions filtering is supported by the Content Search feature in the S
## Requirements to configure permissions filtering - To run the compliance security filter cmdlets, you have to be a member of the Organization Management role group in the Security & Compliance Center. For more information, see [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md).
-
-- You have to connect Windows PowerShell to both the Security & Compliance Center and to your Exchange Online organization to use the compliance security filter cmdlets. This is necessary because these cmdlets require access to mailbox properties, which is why you have to connect to Exchange Online. See the steps in the next section.
-
-- See the [More information](#more-information) section for additional information about search permissions filters.
-
-- Search permissions filtering is applicable to inactive mailboxes, which means you can use mailbox and mailbox content filtering to limit who can search an inactive mailbox. See the [More information](#more-information) section for additional information about permissions filtering and inactive mailboxes.
-
-- Search permissions filtering can't be used to limit who can search public folders in Exchange.
-
+
+- You have to connect to both Exchange Online and Security & Compliance Center PowerShell to use the compliance security filter cmdlets. This is necessary because these cmdlets require access to mailbox properties, which is why you have to connect to Exchange Online PowerShell. See the steps in the next section.
+
+- See the [More information](#more-information) section for additional information about search permissions filters.
+
+- Search permissions filtering is applicable to inactive mailboxes, which means you can use mailbox and mailbox content filtering to limit who can search an inactive mailbox. See the [More information](#more-information) section for additional information about permissions filtering and inactive mailboxes.
+
+- Search permissions filtering can't be used to limit who can search public folders in Exchange.
+ - There is no limit to the number of search permissions filters that can be created in an organization. But search performance will be impacted when there are more than 100 search permissions filters. To keep the number of search permissions filters in your organization as small as possible, create filters that combine rules for Exchange, SharePoint, and OneDrive in a single filter whenever possible.
-
-## Connect to the Security & Compliance Center and Exchange Online in a single remote PowerShell session
-1. Save the following text to a Windows PowerShell script file by using a filename suffix of **.ps1**. For example, you could save it to a file named **ConnectEXO-CC.ps1**.
-
+## Connect to Exchange Online and Security & Compliance Center PowerShell in a single session
+
+Before you can successfully run the script in this section, you have to download and install the Exchange Online PowerShell V2 module. For information, see [About the Exchange Online PowerShell V2 module](https://docs.microsoft.com/powershell/exchange/exchange-online-powershell-v2#install-and-maintain-the-exo-v2-module).
+
+1. Save the following text to a Windows PowerShell script file by using a filename suffix of **.ps1**. For example, you could save it to a file named **ConnectEXO-SCC.ps1**.
+ ```powershell
+ Import-Module ExchangeOnlineManagement
$UserCredential = Get-Credential
- $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid -Credential $UserCredential -Authentication Basic -AllowRedirection
- Import-PSSession $Session -DisableNameChecking
- $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $UserCredential -Authentication Basic -AllowRedirection
- Import-PSSession $Session -AllowClobber -DisableNameChecking
+ Connect-ExchangeOnline -Credential $UserCredential
+ Connect-IPPSSession -Credential $UserCredential
$Host.UI.RawUI.WindowTitle = $UserCredential.UserName + " (Exchange Online + Compliance Center)" ``` 2. On your local computer, open Windows PowerShell, go to the folder where the script that you created in the previous step is located, and then run the script; for example:
-
+ ```powershell
- .\ConnectEXO-CC.ps1
+ .\ConnectEXO-SCC.ps1
```
-How do you know if this worked? After you run the script, cmdlets from the Security & Compliance Center and Exchange Online are imported into your local Windows PowerShell session. If you don't receive any errors, you connected successfully. A quick test is to run a Security & Compliance Center cmdlet and an Exchange Online cmdlet. For example, you can run **Install-UnifiedCompliancePrerequisite** and **Get-Mailbox**.
-
-If you receive errors, check the following requirements:
-
-- A common problem is an incorrect password. Run the two steps again and pay close attention to the user name and password you enter in Step 1.
-
-- Verify that your account has permission to access the Security & Compliance Center. For details, see [Give users access to the Security & Compliance Center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
-
-- To help prevent denial-of-service (DoS) attacks, you're limited to three open remote PowerShell connections to the Security & Compliance Center.
-
-- Windows PowerShell must be configured to run scripts. This only has to be done once, not every time you connect. To enable Windows PowerShell to run signed scripts, run the following command in an elevated Windows PowerShell window (a Windows PowerShell window you opened by selecting **Run as administrator**).
+How do you know if this worked? After you run the script, cmdlets from Exchange Online and Security & Compliance PowerShell are imported to your local Windows PowerShell session. If you don't receive any errors, you connected successfully. A quick test is to run an Exchange Online and Security & Compliance Center cmdlet. For example, you can run and **Get-Mailbox** and **Get-ComplianceSearch**.
- ```powershell
- Set-ExecutionPolicy RemoteSigned
- ```
+For troubleshooting PowerShell connection errors, see:
-- TCP port 80 traffic needs to be open between your local computer and Office 365. It's probably open, but it's something to consider if your organization has a restrictive Internet access policy.
+- [Connect to Exchange Online PowerShell](https://docs.microsoft.com/powershell/exchange/connect-to-exchange-online-powershell#how-do-you-know-this-worked)
+
+- [Connect to Security & Compliance Center PowerShell](https://docs.microsoft.com/powershell/exchange/connect-to-scc-powershell#how-do-you-know-this-worked)
-
## New-ComplianceSecurityFilter
-The **New-ComplianceSecurityFilter** is used to create a search permissions filter. The following table describes the parameters for this cmdlet. All parameters are required to create a compliance security filter.
+The **New-ComplianceSecurityFilter** is used to create a search permissions filter. The following table describes the parameters for this cmdlet. All parameters are required to create a compliance security filter.
|**Parameter**|**Description**| |:-----|:-----|
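Review bot: the new bullet about the 100-filter performance threshold (the `+ - There is no limit to the number of search permissions filters...` line) is indented one space under the public-folders bullet, so it renders as a sub-item of an unrelated point; start it at column zero like the other bullets. Two smaller fixes in the same hunk: the replacement "How do you know if this worked?" paragraph reads `you can run and **Get-Mailbox** and **Get-ComplianceSearch**` (stray "and"), and the new Exchange Online bullet says the same thing twice ("This is necessary because these cmdlets require access to mailbox properties, which is why you have to connect to Exchange Online PowerShell"); one clause is enough. On substance, replacing `New-PSSession ... -Authentication Basic` with `Connect-ExchangeOnline` and `Connect-IPPSSession` is the right direction, but the deleted troubleshooting list was the only place this article mentioned the `Set-ExecutionPolicy RemoteSigned` prerequisite and the three-concurrent-connection limit to the Security & Compliance Center; confirm the two linked "How do you know this worked?" sections cover both, or keep a one-line pointer to the execution-policy step, since first-time users hit it before any cmdlet runs.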
@@ -139,7 +129,7 @@ This example allows the user annb@contoso.com to perform all Content Search acti
New-ComplianceSecurityFilter -FilterName CountryFilter -Users annb@contoso.com -Filters "Mailbox_CountryCode -eq '124'" -Action All ```
-This example allows the users' donh and suzanf to search only the mailboxes that have the value 'Marketing' for the CustomAttribute1 mailbox property.
+This example allows the users donh and suzanf to search only the mailboxes that have the value 'Marketing' for the CustomAttribute1 mailbox property.
```powershell New-ComplianceSecurityFilter -FilterName MarketingFilter -Users donh,suzanf -Filters "Mailbox_CustomAttribute1 -eq 'Marketing'" -Action Search
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/retention-policies-sharepoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-sharepoint.md
@@ -44,7 +44,9 @@ The following files can be deleted:
> [!TIP] > When you use a [query with an auto-apply policy for a retention label](apply-retention-labels-automatically.md#auto-apply-labels-to-content-with-keywords-or-searchable-properties), you can exclude specific document libraries by using the following entry: `NOT(DocumentLink:"<URL to document library>")`
-Retention settings do not apply to organizing structures that include libraries, lists, and folders. Or to items in system lists, which are hidden lists used by SharePoint to manage the system and include the master page catalog, solution catalog, and data sources.
+List items are not supported by retention policies but are supported by retention labels with the exception of items in system lists. These are hidden lists used by SharePoint to manage the system and include the master page catalog, solution catalog, and data sources.
+
+Retention settings from both retention policies and retention labels do not apply to organizing structures that include libraries, lists, and folders.
For retention policies and auto-apply label policies: SharePoint sites must be indexed for the retention settings to be applied. However, if items in SharePoint document libraries are configured to not appear in search results, this configuration doesn't exclude files from the retention settings.
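Review bot: the new sentence `List items are not supported by retention policies but are supported by retention labels with the exception of items in system lists.` is ambiguous about whether the system-list exception applies to labels only or to both; since the next added paragraph already states what applies to both, scope it with commas: `List items are not supported by retention policies, but they are supported by retention labels, with the exception of items in system lists.` In that following paragraph, `organizing structures that include libraries, lists, and folders` reads as if the structures contain those things; `such as libraries, lists, and folders` says what is intended.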
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-office-apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
@@ -59,10 +59,10 @@ The numbers listed are the minimum Office application version required for each
|[Dynamic markings with variables](#dynamic-markings-with-variables) | 2010+ | 16.42+ | 2.42+ | 16.0.13328+ | Under review | |[Assign permissions now](encryption-sensitivity-labels.md#assign-permissions-now) | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Let users assign permissions](encryption-sensitivity-labels.md#let-users-assign-permissions) |2004+ | 16.35+ | Under review | Under review | Under review |
-|[View label usage with label analytics](label-analytics.md) and send data for administrators | Under review | Under review | Under review | Under review | Yes <sup>\*</sup> |
-|[Require users to apply a label to their email and documents](sensitivity-labels.md#what-label-policies-can-do) | Preview: [Beta Channel](https://office.com/insider) | Preview: [Beta Channel](https://office.com/insider) | Preview: [Beta Channel](https://office.com/insider) | Under review | Under review
+|[View label usage with label analytics](label-analytics.md) and send data for administrators | Preview: [Current Channel (Preview)](https://office.com/insider) | Preview: [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | Yes <sup>\*</sup> |
+|[Require users to apply a label to their email and documents](sensitivity-labels.md#what-label-policies-can-do) | Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Under review | Preview: [Beta Channel](https://office.com/insider) | Under review
|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) | 2009+ | Preview for Word and PowerPoint: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
-|Support [AutoSave](https://support.office.com/article/6d6bd723-ebfd-4e40-b5f6-ae6e8088f7a5) and [coauthoring](https://support.office.com/article/ee1509b4-1f6e-401e-b04a-782d26f564a4) on labeled and protected documents | Under review | Under review | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
+|Support [AutoSave](https://support.office.com/article/6d6bd723-ebfd-4e40-b5f6-ae6e8088f7a5) and [coauthoring](https://support.office.com/article/ee1509b4-1f6e-401e-b04a-782d26f564a4) on labeled and encrypted documents | Under review | Under review | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
| **Footnote:**
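Review bot: the rewritten `Require users to apply a label to their email and documents` row (the second `+` row) still ends with `Under review` and no closing `|`, unlike every other row in the table; since the row is being edited anyway, add the trailing pipe so renderers that require balanced cells don't drop the last column. The `protected` to `encrypted` change in the AutoSave/coauthoring row is a good consistency fix, matching the encryption-sensitivity-labels links used elsewhere in the table.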
@@ -84,8 +84,8 @@ The numbers listed are the minimum Office application version required for each
|[Dynamic markings with variables](#dynamic-markings-with-variables) | Under review | Under review | Under review | Under review | Under review | |[Assign permissions now](encryption-sensitivity-labels.md#assign-permissions-now) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Let users assign permissions](encryption-sensitivity-labels.md#let-users-assign-permissions) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
-|[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | Preview: [Beta Channel](https://office.com/insider) | 16.43+ | 4.57.0+ | 4.2037.4+ | Yes |
-|[View label usage with label analytics](label-analytics.md) and send data for administrators | Under review | Under review | Under review | Under review | Yes |
+|[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | Preview: [Current Channel (Preview)](https://office.com/insider)) | 16.43+ | 4.57.0+ | 4.2037.4+ | Yes |
+|[View label usage with label analytics](label-analytics.md) and send data for administrators | Preview: [Current Channel (Preview)](https://office.com/insider) | Preview: [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | Yes |
|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) | 2009+ | Under review | Under review | Under review | Yes | |
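Review bot: the first `+` row introduces a doubled closing parenthesis, `[Current Channel (Preview)](https://office.com/insider))`, which renders a stray `)` after the link; drop the extra character.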
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/tagging-and-assessment-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/tagging-and-assessment-in-advanced-ediscovery.md
@@ -6,7 +6,7 @@ ms.author: markjjo
author: markjjo manager: laurawi titleSuffix: Office 365
-ms.date: 09/14/2017
+ms.date:
audience: Admin ms.topic: article ms.service: O365-seccomp
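Review bot: the change leaves `ms.date:` with no value instead of removing the key or updating it, and an empty date in the front matter is the odd state. If the intent is to drop the stale 09/14/2017 stamp, delete the line; otherwise set it to the date of this revision.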
@@ -19,91 +19,88 @@ ROBOTS: NOINDEX, NOFOLLOW
description: "Review the steps to perform Assessment training, including tagging files, and reviewing assessment results in Advanced eDiscovery." ---
-# Tagging and Assessment in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
+# Tagging and Assessment in the Relevance module in Advanced eDiscovery
-This section describes the procedure for the Advanced eDiscovery Relevance Assessment module.
+This section describes the procedure for Assessment in the Relevance module in Advanced eDiscovery.
## Performing Assessment training and analysis
-1. In the **Relevance \> Track** tab, click **Assessment** to start case assessment.
-
+1. In the **Relevance \> Track** tab, click **Assessment** to start case assessment.
+ For example purposes in this procedure, a sample assessment set of 500 files is created and the **Tag** tab is displayed, which contains the Tagging panel, displayed file content and other tagging options.
-
+ ![Relevance Tag tab for Assessment](../media/c8acf891-b1cd-4344-816c-eabb8cbbe742.png) 2. Review each file in the sample, determine the file's relevance for each case issue, and tag the file using the Relevance (R), Not relevant (NR) and Skip buttons in the **Tagging panel** pane.
-
+ > [!NOTE] > Assessment requires 500 tagged files. If files are "skipped", you will receive more files to tag.
-3. After tagging all files in the sample, click **Calculate**.
-
- The Assessment current error margin and richness are calculated and displayed in the **Relevance Track** tab, with expanded details per issue, as shown below. More details about this dialog are described in the later section "Reviewing Assessments results".
-
+3. After tagging all files in the sample, click **Calculate**.
+
+ The Assessment current error margin and richness are calculated and displayed in the **Relevance Track** tab, with expanded details per issue, as shown below. More details about this dialog are described in the [Reviewing assessment results](#reviewing-assessment-results) section.
+ ![Relevance Track - Assessment](../media/da911ba5-8678-40d6-9ad5-fd0b058355c1.png) > [!TIP]
- > By default, we recommend that you proceed to the default Next step when the Assessment progress indicator for the issue has completed, indicating that the assessment sample was reviewed and sufficient relevant files were tagged. > Otherwise, if you want to view the **Track** tab results and control the margin of error and the next step, click **Modify** adjacent to **Next Step**, select **Continue assessment**, and then click **OK**.
+ > By default, we recommend that you proceed to the default Next step when the Assessment progress indicator for the issue has completed, indicating that the assessment sample was reviewed and sufficient relevant files were tagged. > Otherwise, if you want to view the **Track** tab results and control the margin of error and the next step, click **Modify** adjacent to **Next Step**, select **Continue assessment**, and then click **OK**.
-1. Click **Modify** to the right of the **Assessment** check box to view and specify assessment parameters per issue. An **Assessment level** dialog for each issue is displayed, as shown in the following example:
-
+4. Click **Modify** to the right of the **Assessment** check box to view and specify assessment parameters per issue. An **Assessment level** dialog for each issue is displayed, as shown in the following example:
+ ![Assessment level case issue](../media/b7113fef-d125-4617-ae1b-c9eb0bf79aec.png) The following parameters for the issue are calculated and displayed in the **Assessment level** dialog:
-
- **Target error margin for recall estimates**: Based on this value, the estimated number of additional files necessary to review is calculated. The margin used for recall is greater than 75% and with a 95% confidence level.
-
+
+ **Target error margin for recall estimates**: Based on this value, the estimated number of additional files necessary to review is calculated. The margin used for recall is greater than 75% and with a 95% confidence level.
+ **Additional assessment files required**: Indicates how many more files are necessary if the current error margin's requirements have not been met.
-
-2. To adjust the current error margin and see the effect of different error margins (per issue):
-
-1. In the **Select issue** list, select an issue.
-
-2. In **Target error margin for recall estimates**, enter a new value.
-
-3. Click **Update values** to see the impact of the adjustments.
-
-3. Click **Advanced** in the **Assessment level** dialog to see the following additional parameters and details:
-
+
+5. To adjust the current error margin and see the effect of different error margins (per issue):
+
+6. In the **Select issue** list, select an issue.
+
+7. In **Target error margin for recall estimates**, enter a new value.
+
+8. Click **Update values** to see the impact of the adjustments.
+
+9. Click **Advanced** in the **Assessment level** dialog to see the following additional parameters and details:
+ ![Assessment Level Case Issue advanced view](../media/577d7e0e-95df-48c2-9dec-bdeab5e801d8.png)
- **Estimated richness**: Estimated richness according to the current assessment results
-
- **For assumed recall**: By default, the target error margin applies to recall above 75%. Click **Edit** if you want to change this parameter and control the margin of error on a different range of recall values.
-
- **Confidence level**: By default, the recommended error margin for confidence is 95%. Click **Edit** if you want to change this parameter.
-
- **Expected richness error margin**: Given the updated values, this is the expected margin of error of the richness, after all additional assessment files are reviewed.
-
- **Additional assessment files required**: Given the updated values, the number of additional assessment files that need to be reviewed to reach the target.
-
- **Total assessment files required**: Given the updated values, total assessment files required for review.
-
- **Expected number of relevant files in assessment**: Given the updated values, the expected number of relevant files in the entire assessment after all additional assessment files are reviewed.
-
-4. Click **Recalculate values**, if parameters are changed. When you are done, if there is one issue, click **OK** to save the changes (or **Next** when there are multiple issues to review or modify and then **Finish**).
-
+ - **Estimated richness**: Estimated richness according to the current assessment results
+
+ - **For assumed recall**: By default, the target error margin applies to recall above 75%. Click **Edit** if you want to change this parameter and control the margin of error on a different range of recall values.
+
+ - **Confidence level**: By default, the recommended error margin for confidence is 95%. Click **Edit** if you want to change this parameter.
+
+ - **Expected richness error margin**: Given the updated values, this is the expected margin of error of the richness, after all additional assessment files are reviewed.
+
+ - **Additional assessment files required**: Given the updated values, the number of additional assessment files that need to be reviewed to reach the target.
+
+ - **Total assessment files required**: Given the updated values, total assessment files required for review.
+
+ - **Expected number of relevant files in assessment**: Given the updated values, the expected number of relevant files in the entire assessment after all additional assessment files are reviewed.
+
+10. Click **Recalculate values**, if parameters are changed. When you're done, if there is one issue, click **OK** to save the changes (or **Next** when there are multiple issues to review or modify and then **Finish**).
+ When there are multiple issues, after all issues have been reviewed or adjusted, an **Assessment level: summary** dialog is displayed, as shown in the following example.
-
+ ![Assessment level summary](../media/4997b46d-10a5-4abc-b3b2-7b75a370eb9e.png)
- Upon successful completion of assessment, proceed to the next stage in Relevance training.
-
+ On successful completion of assessment, proceed to the next stage in Relevance training.
+ ## Reviewing assessment results After an Assessment sample is tagged, the assessment results are calculated and displayed in the Relevance Track tab.
-The following results are displayed in the expanded Track display:
+The following results are displayed in the expanded Track display:
- Assessment current error margin for recall estimates
-
+ - Estimated richness
-
+ - Additional assessment files required (for review)
-
+ The Assessment current error margin is the error margin recommended by Advanced eDiscovery. The number displayed for the "Additional assessment files required" corresponds to that recommendation. The Assessment progress indicator shows the level of completion of the assessment, given the current error margin. When assessment is underway, the user will tag another assessment sample.
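Review bot: the renumbering flattens the nested sub-steps. In the original, `To adjust the current error margin and see the effect of different error margins (per issue):` was a parent step whose three sub-steps (select an issue, enter a new value, click **Update values**) sat beneath it; the new version numbers them 6, 7 and 8 as top-level siblings of step 5, so step 5 now introduces a list that no longer exists and the procedure appears to have 10 steps where it has 7. Indent the three as nested items under step 5 and renumber `Click **Advanced**...` and `Click **Recalculate values**...` as 6 and 7, keeping the `![Assessment Level Case Issue advanced view]` image and the bullet list that follows at the same indent as their parent step. The new `![Assessment level summary]` and `On successful completion of assessment...` lines are correctly indented as continuations of the last step.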
@@ -112,10 +109,15 @@ When the assessment progress indicator shows assessment as complete, that means
The expanded Track display shows the recommended next step, the assessment statistics, and access to detailed results.
-When richness is very low, the number of additional assessment files needed to reach a minimal number of relevant files to produce useful statistics is very high. Advanced eDiscovery will then recommend moving on to training. The assessment progress indicator will be shaded, and no statistics will be available.
+When richness is very low, the number of additional assessment files needed to reach a minimal number of relevant files to produce useful statistics is very high. Advanced eDiscovery will then recommend moving on to training. The assessment progress indicator will be shaded, and no statistics will be available.
In the absence of statistically based stabilization, there will be results with a lower level of accuracy and confidence level. However, these results can be used to find relevant files when you do not need to know the percentage of relevant files found. Similarly, this status can be used to train issues with low richness, where Relevance scores can accelerate access to files relevant to a specific issue. > [!TIP]
-> In the **Relevance \> Track** tab, expanded issue display, the following viewing options are available: > The recommended next step, such as **Next step: Tagging** can be bypassed (per issue) by clicking the **Modify** button to its right, and then selecting an different step in the **Next step**. When the assessment progress indicator has not completed, assessment will be the next recommended option, to tag more assessment files and increase statistics accuracy. > You can change the error margin and assess its impact, by clicking **Modify**, and in the **Assessment level dialog**, changing the **Target error margin for recall estimates**, and clicking **Update values**. Also, in this dialog, you can view advanced options, by clicking **Advanced**. > You can view additional assessment level statistics and their impact by clicking **View**. In the displayed Detail results dialog, statistics are available per issue, when there are at least 500 tagged assessment files and at least 18 files are tagged as Relevant for the issue.
-
\ No newline at end of file
+> In the **Relevance \> Track** tab, expanded issue display, the following viewing options are available:
+>
+> The recommended next step, such as **Next step: Tagging** can be bypassed (per issue) by clicking the **Modify** button to its right, and then selecting an different step in the **Next step**. When the assessment progress indicator has not completed, assessment will be the next recommended option, to tag more assessment files and increase statistics accuracy.
+>
+> You can change the error margin and assess its impact, by clicking **Modify**, and in the **Assessment level dialog**, changing the **Target error margin for recall estimates**, and clicking **Update values**. Also, in this dialog, you can view advanced options, by clicking **Advanced**.
+>
+> You can view additional assessment level statistics and their impact by clicking **View**. In the displayed Detail results dialog, statistics are available per issue, when there are at least 500 tagged assessment files and at least 18 files are tagged as Relevant for the issue.
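Review bot: splitting the TIP into separate quoted paragraphs is a readability win, but the second paragraph carries over the original's typo `selecting an different step in the **Next step**`; make it `selecting a different step in the **Next step** list` while the line is being touched. The same paragraph's `such as **Next step: Tagging** can be bypassed` needs a comma before `can` to close the appositive.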
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/tagging-and-relevance-training-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/tagging-and-relevance-training-in-advanced-ediscovery.md
@@ -6,7 +6,7 @@ ms.author: markjjo
author: markjjo manager: laurawi titleSuffix: Office 365
-ms.date: 09/14/2017
+ms.date:
audience: Admin ms.topic: article ms.service: O365-seccomp
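Review bot: `ms.date:` is emptied here rather than removed or refreshed; a front-matter key with no value is the odd state. Delete the line if the stale 09/14/2017 stamp should go, otherwise set it to the date of this revision.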
@@ -19,78 +19,75 @@ ROBOTS: NOINDEX, NOFOLLOW
description: "Learn the steps to tag and then work with a training sample of 40 files during the Relevance training stage of Advanced eDiscovery." ---
-# Tagging and Relevance training in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
+# Tagging and Relevance training in Advanced eDiscovery
-This topic describes the procedure for working with the Advanced eDiscovery Relevance training module.
+This article describes the procedure for working with the Relevance training module in Advanced eDiscovery.
-After Assessment is completed in Advanced eDiscovery, and you enter the Relevance training stage, a training sample of 40 files is brought into the Tag tab for tagging.
+After Assessment is completed in Advanced eDiscovery, and you enter the Relevance training stage, a training sample of 40 files is brought into the Tag tab for tagging.
## Performing Relevance training
-1. In the **Relevance \> Tag** tab, the Tagging pane is displayed by default in the left pane and the sample files are displayed, one at a time for tagging.
-
+1. In the **Relevance \> Tag** tab, the Tagging pane is displayed by default in the left pane and the sample files are displayed, one at a time for tagging.
+ ![Relevance Tag panel](../media/0cf19ab4-b427-4a7f-8749-0f4ed9afaf58.png)
- In the **Tag** tab, the file's display name is shown. This could be the path, email subject, title, or user-defined name. The ID, file path or text path can be copied by right-clicking on the file's path.
-
- The **Tag** tab tagging statistics show the file sample number (at the top of the left pane), the number of the currently displayed file out of the total files in the sample (bottom of right pane), and the current total number of tagged files in the sample (bottom of the left pane), which changes as you tag files. This applies for any Relevance tagging done, whether in Assessment, Training, Catch-up, or Test.
-
+ In the **Tag** tab, the file's display name is shown. This could be the path, email subject, title, or user-defined name. The ID, file path or text path can be copied by right-clicking on the file's path.
+
+ The **Tag** tab tagging statistics show the file sample number (at the top of the left pane), the number of the currently displayed file out of the total files in the sample (bottom of right pane), and the current total number of tagged files in the sample (bottom of the left pane), which changes as you tag files. This applies for any Relevance tagging done, whether in Assessment, Training, Catch-up, or Test.
+ Icons indicating the existence of comments, tags, and family files are displayed in the file view in a bar above the file.
-
+ 2. Determine the file's relevance for the case issue and tag the file using either the Tagging option icon buttons or keyboard shortcuts, as shown in the following table:
-|**Tagging option**|**Description**|**Keyboard shortcut**|**For multiple issues - bulk tag keyboard shortcut**|
-|-----|-----|-----|-----|
-|R <br/> |Relevant <br/> |Z <br/> |Shift + Z <br/> |
-|NR <br/> |Not relevant <br/> |X <br/> |Shift + X <br/> |
-|Skip <br/> |Skip <br/> |C <br/> |Shift + A <br/> |
-
- - When multiple issues exist for a file, after tagging one issue, the selection moves to the next issue (if any).
-
- - Keywords that were defined by the Administrator or Case manager when highlighting keywords (Relevance setup \> Highlighted keywords), will be displayed (in specified colors) to help identify relevant files while tagging. If a keyword has a double underline, it can be clicked to display a tool-tip with the keyword's description.
-
- Optionally, in the **Tag** tab, click **Tag settings** to set the following options:
-
- ![Relevance Tag settings](../media/533e89fa-7eb4-409e-ab07-f5aab9296dd8.png)
+ |**Tagging option**|**Description**|**Keyboard shortcut**|**Bulk tagging keyboard shortcut (for multiple issues)**|
+ |-----|-----|-----|-----|
+ |R <br/> |Relevant <br/> |Z <br/> |`Shift + Z` <br/> |
+ |NR <br/> |Not relevant <br/> |X <br/> |`Shift + X` <br/> |
+ |Skip <br/> |Skip <br/> |C <br/> |`Shift + A` <br/> |
+ |||||
+
+ - When multiple issues exist for a file, after tagging one issue, the selection moves to the next issue (if any).
+
+ - Keywords that were defined by the Administrator or Case manager when highlighting keywords (Relevance setup \> Highlighted keywords), will be displayed (in specified colors) to help identify relevant files while tagging. If a keyword has a double underline, it can be clicked to display a tool-tip with the keyword's description.
+
+ Optionally, in the **Tag** tab, click **Tag settings** to set the following options:
+
+ ![Relevance Tag settings](../media/533e89fa-7eb4-409e-ab07-f5aab9296dd8.png)
- - **Bulk tag**: Use this option to assign multiple issues for a file by selecting **All** to set the tag for the selected file for all issues (overrides already tagged issues) or by selecting **The rest** to apply the tag to the remaining untagged issues. The selected option remains in effect for all of this user's cases until changed by that user (setting is per user for all the user's cases).
-
- - **Auto tag**: Select this check box to set other issues for a file as Not relevant after a single Relevant tagging.
-
- - **Auto advance**: Select this check box to move the displayed file selection to the next file when tagging the last or only untagged issue.
-
+ - **Bulk tag**: Use this option to assign multiple issues for a file by selecting **All** to set the tag for the selected file for all issues (overrides already tagged issues) or by selecting **The rest** to apply the tag to the remaining untagged issues. The selected option remains in effect for all of this user's cases until changed by that user (setting is per user for all the user's cases).
+
+ - **Auto tag**: Select this check box to set other issues for a file as Not relevant after a single Relevant tagging.
+
+ - **Auto advance**: Select this check box to move the displayed file selection to the next file when tagging the last or only untagged issue.
+ Skipped files will not be considered for Relevance training and Relevance scoring purposes.
-
-3. Free-text comments, associated with a file, can be viewed and edited via the **Comment** option in the left pane drop-down list. (optional)
-
-4. Guidelines for tagging can be viewed by selecting the **Tagging guidelines** option in the left pane drop-down list.
-
-5. After you finish tagging all files in the list and are ready to calculate the results, click **Calculate**. The **Track** tab is displayed.
-
+
+3. Free-text comments, associated with a file, can be viewed and edited via the **Comment** option in the left pane drop-down list. (optional)
+
+4. Guidelines for tagging can be viewed by selecting the **Tagging guidelines** option in the left pane drop-down list.
+
+5. After you finish tagging all files in the list and are ready to calculate the results, click **Calculate**. The **Track** tab is displayed.
+ ## Working with the sample files list
-The sample files list allows you to view a list of the files in a training sample and perform various action on one or more files. In the **Relevance** \> **Tag** tab, the **Sample files** left pane displays a list of sample files for processing with Assessment, Training, Catch-up, and Inconsistencies processes.
+The sample files list allows you to view a list of the files in a training sample and perform various actions on one or more files. In the **Relevance** \> **Tag** tab, the **Sample files** left pane displays a list of sample files for processing with Assessment, Training, Catch-up, and Inconsistencies processes.
-1. In the **Relevance \> Tag** tab, select the Sample files in the left pane drop-down list. The sample files are listed in the left pane.
-
+1. In the **Relevance \> Tag** tab, select the Sample files in the left pane drop-down list. The sample files are listed in the left pane.
+ ![Relevance Tag sample files list](../media/fd058bdd-645a-4af1-a1eb-bff08581cb18.png)
-2. Select a specific sample or file number by entering or selecting its number in the **Sample** or **File** boxes.
-
- - - A file sequence number is listed in the left column of the displayed file list on the **Tag** tab. By clicking the header, the original displayed order of the files returns to its original order.
-
- - Clicking on a file row displays its content in the right pane.
-
- - Navigate between files in the current sample by using the lower menu bar options. In addition, navigational keyboard shortcuts are available:
-
- To navigate to the first file in the sample: Shift + Ctrl + \<
-
- To navigate to the previous file in the sample: Shift + \<
-
- To navigate to the next file in the sample: Shift + \>
-
- To navigate to the last file in the sample: Shift + Ctrl + \>
-
\ No newline at end of file
+2. Select a specific sample or file number by entering or selecting its number in the **Sample** or **File** boxes.
+
+ - A file sequence number is listed in the left column of the displayed file list on the **Tag** tab. By clicking the header, the original displayed order of the files returns to its original order.
+
+ - Clicking on a file row displays its content in the right pane.
+
+ - Navigate between files in the current sample by using the lower menu bar options. In addition, navigational keyboard shortcuts are available:
+
+ - To go to the first file in the sample: `Shift + Ctrl + <`
+
+ - To go to the previous file in the sample: `Shift + <`
+
+ - To go to the next file in the sample: `Shift + >`
+
+ - To go to the last file in the sample: `Shift + Ctrl + >`
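Review bot: the blank lines that separated the option bullets from "+ Skipped files will not be considered for Relevance training and Relevance scoring purposes." and step 5 from "+ ## Working with the sample files list" were dropped, so the Skipped-files sentence now hangs directly off the Auto advance bullet without continuation indentation (it reads as a side effect of Auto advance rather than a statement about skipped files), and the heading follows a list item with no separator, which some Markdown renderers fold into the list. Restore a blank line before the heading and either indent the Skipped-files sentence under the option it describes or make it its own paragraph. The double-dash fix at "+ - A file sequence number ..." and the backticked shortcuts are good; while there, "the original displayed order of the files returns to its original order" can be shortened to "the files return to their original display order".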
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/test-relevance-analysis-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/test-relevance-analysis-in-advanced-ediscovery.md
@@ -6,7 +6,7 @@ ms.author: markjjo
author: markjjo manager: laurawi titleSuffix: Office 365
-ms.date: 09/14/2017
+ms.date:
audience: Admin ms.topic: article ms.service: O365-seccomp
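Review bot: "+ms.date:" leaves the front-matter key with an empty value instead of removing it; an empty scalar parses as null, which build pipelines may treat differently from an absent key. Either drop the line or keep a real date.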
@@ -19,12 +19,9 @@ ROBOTS: NOINDEX, NOFOLLOW
description: "Learn how to use the Test tab after Batch calculation in Advanced eDiscovery to test, compare, and validate the overall quality of processing." ---
-# Test Relevance analysis in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
+# Test Relevance analysis in Advanced eDiscovery
-The Test tab in Advanced eDiscovery enables you to test, compare, and validate the overall quality of processing. These tests are performed after Batch calculation. By tagging the files in the collection, an expert makes the final judgment about whether each tagged file is actually relevant to the case.
+The Test tab in Advanced eDiscovery enables you to test, compare, and validate the overall quality of processing. These tests are performed after Batch calculation. By tagging the files in the collection, an expert makes the final judgment about whether each tagged file is relevant to the case.
In single and multiple-issue scenarios, tests are typically performed per issue. Results can be viewed after each test, and test results can be reworked with specified sample test files.
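Review bot: deleting the "> [!NOTE]" block removes the page's only statement of the subscription requirement (E3 with the Advanced Compliance add-on, or E5) together with the "(classic)" qualifier; if the requirement still applies to the non-classic experience the note should stay, otherwise point the reader to where licensing is now documented. The "actually relevant" to "relevant" change is fine.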
@@ -32,76 +29,80 @@ In single and multiple-issue scenarios, tests are typically performed per issue.
The "Test the Rest" test is used to validate culling decisions, for example, to review only files above a specific Relevance cutoff score based on the final Advanced eDiscovery results. The expert reviews a sample of files under a selected cutoff score to evaluate the number of relevant files within that set.
-This test provides statistics and a comparison between the Review set and the Test the Rest population. The results of the review set are those calculated by Relevance during Training. The results include calculations , based on settings and input parameters, such as:
+This test provides statistics and a comparison between the Review set and the Test the Rest population. The results of the review set are those calculated by Relevance during Training. The results include calculations based on settings and input parameters, such as:
-- Test sample statistics of the number of files in a sample and identified relevant files.
-
-- Tabular comparison of the Population parameters of the Review set and the Rest, for example, the number of files, estimated number of relevant files, estimated richness, and the average cost of finding an additional relevant file. Cost parameter settings can be set by the administrator.
-
-1. Open the **Relevance \> Test** tab.
-
-2. In the **Test** tab, click **New test**. The **Create test** dialog is displayed, as shown in the following example.
-
+- Test sample statistics of the number of files in a sample and identified relevant files.
+
+- Tabular comparison of the Population parameters of the Review set and the Rest, for example, the number of files, estimated number of relevant files, estimated richness, and the average cost of finding another relevant file. Cost parameter settings can be set by the administrator.
+
+To run the "Test the Rest" test:
+
+1. Open the **Relevance \> Test** tab.
+
+2. In the **Test** tab, click **New test**. The **Create test** dialog is displayed, as shown in the following example.
+ ![Relevance Test the Rest results](../media/46e6898a-f929-4fd0-88d9-6f91d04b6ce2.png) 3. In **Test name**, and **Description**, type the name and description.
-
+ 4. In the **Test type** list, select **Test the Rest**
-
-5. In the **Issue / Category** list, select the issue name.
-
+
+5. In the **Issue / Category** list, select the issue name.
+ 6. In the **Load** list, select the load.
-
+ 7. In **Read %**, accept the default value or select a value for the cutoff Relevance score.
-
-8. In **Set size**, or accept the default value. Note that the restore icons will restore the default values.
-
+
+8. In **Set size**, or accept the default value. The restore icons will restore the default values.
+ 9. Click **Start tagging**. A test sample is generated.
-
+ 10. Review and tag each of the files in the **Relevance \> Tag** tab and when done, click **Calculate**.
-
-11. In the Test tab, you can click **View results** to see the test results. An example is shown in the following figure.
-
+
+11. In the Test tab, you can click **View results** to see the test results. An example is shown in the following screenshot.
+ ![Test the rest results](../media/b95744a9-047d-4c29-992d-04fa7e58e58a.png)
-In the figure above, the **Sample parameters** section of the table contains details about the number of files in the sample tagged by the expert, and the number of relevant files found in that sample.
+In the previous screenshot, the **Sample parameters** section of the table contains details about the number of files in the sample tagged by the expert, and the number of relevant files found in that sample.
-The **Population parameters** section of the table contains the test results, including the Review set population of files with a score below the selected cutoff and "The Rest" population of files with a score above the selected cutoff. For each population, the following results are displayed:
+The **Population parameters** section of the table contains the test results, including the Review set population of files with a score below the selected cutoff and "The Rest" population of files with a score above the selected cutoff. For each population, the following results are displayed:
- Includes files with read % - Stated cutoff
-
-- The total number of files
-
-- The estimated number of relevant files
-
-- The estimated richness
-
+
+- The total number of files
+
+- The estimated number of relevant files
+
+- The estimated richness
+ - The average review cost of finding another relevant file
-
+ ## Testing the slice The "Test the Slice" test performs testing similar to the "Test the Rest" test, but to a segment of the file set as specified by Relevance Read %.+
+To run the "Test the Slice" test:
-1. Open the **Relevance \> Test** tab.
-
-2. In the **Test** tab, click **New test**. The **Create test** dialog is displayed.
-
+1. Open the **Relevance \> Test** tab.
+
+2. In the **Test** tab, click **New test**. The **Create test** dialog is displayed.
+ 3. In **Test name** and **Description**, type the information.
-
+ 4. In the **Test type** list, select **Test the Slice**.
-
-5. In the **Issue** list, select the issue name.
-
-6. In the **Load** list, select the load.
-
-7. In **Read % between**, accept the default low and high range values or select values for the cutoff Relevance scores.
-
+
+5. In the **Issue** list, select the issue name.
+
+6. In the **Load** list, select the load.
+
+7. In **Read % between**, accept the default low and high range values or select values for the cutoff Relevance scores.
+ 8. In **Set size**, select a value or accept the default value.
-
+ The restore icons will restore the default value.
-
+ 9. Click **Start tagging**. A test sample is generated.
-
-10. Review and tag each of the files in the **Relevance \> Tag** tab and when done, click **Calculate**.
-
-11. In the Test tab, you can click **View results** to see the test results.
+
+10. Review and tag each of the files in the **Relevance \> Tag** tab and when done, click **Calculate**.
+
+11. In the Test tab, you can click **View results** to see the test results.
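Review bot: step 8 of the Test the Rest procedure, "+8. In **Set size**, or accept the default value. The restore icons will restore the default values.", is still missing its verb phrase; the parallel Test the Slice step reads "select a value or accept the default value", so use the same wording here. Two smaller points in the same hunk: "+ 4. In the **Test type** list, select **Test the Rest**" has no terminal period, and the unchanged context line "- Includes files with read % - Stated cutoff" is not a readable result label; something like "Read % (the selected cutoff)" would match the other bullets.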
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/tls-1.0-and-1.1-deprecation-for-office-365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/tls-1.0-and-1.1-deprecation-for-office-365.md
@@ -21,7 +21,7 @@ appliesto:
# TLS 1.0 and 1.1 deprecation for Office 365 > [!IMPORTANT]
-> We temporarily halted deprecation enforcement of TLS 1.0 and 1.1 for commercial customers due to covid-19, but as supply chains have adjusted and certain countries open back up, we are resetting the TLS enforcement to begin Oct 15, 2020 and rollout will continue over the following weeks and months.
+> We temporarily halted deprecation enforcement of TLS 1.0 and 1.1 for commercial customers due to COVID-19, but as supply chains have adjusted and certain countries open back up, we are resetting the TLS enforcement to begin October 15, 2020, and rollout will continue over the following weeks and months.
As of October 31, 2018, the Transport Layer Security (TLS) 1.0 and 1.1 protocols are deprecated for the Office 365 service. The effect for end-users is expected to be minimal. This change has been publicized for over two years, with the first public announcement made in December 2017. This article is only intended to cover the Office 365 local client in relation to the Office 365 service but can also apply to on-premises TLS issues with Office and Office Online Server/Office Web Apps.
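Review bot: the IMPORTANT note now gives an enforcement start of October 15, 2020, while the unchanged body line beneath it still opens with "As of October 31, 2018, the ... TLS 1.0 and 1.1 protocols are deprecated"; an admin planning when legacy clients stop connecting needs the note to say plainly that 2018 was the deprecation announcement and 2020 is when the service begins refusing TLS 1.0/1.1 connections. The COVID-19 capitalization and the full month name are correct edits.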
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/track-relevance-analysis-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/track-relevance-analysis-in-advanced-ediscovery.md
@@ -2,11 +2,11 @@
title: "Track Relevance analysis in Advanced eDiscovery" f1.keywords: - NOCSH
-ms.author: chrfox
-author: chrfox
+ms.author: markjjo
+author: markjjo
manager: laurawi titleSuffix: Office 365
-ms.date: 9/14/2017
+ms.date:
audience: Admin ms.topic: article ms.service: O365-seccomp
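Review bot: "+ms.date:" keeps the key with an empty value; remove the line or give it a date, matching whichever choice is made in the sibling test-relevance commit. The author and ms.author change to markjjo is consistent with the other eDiscovery pages in this batch.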
@@ -19,42 +19,39 @@ ROBOTS: NOINDEX, NOFOLLOW
description: "Learn how to view and interpret the Relevance training status and results for case issues in Advanced eDiscovery." ---
-# Track Relevance analysis in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
+# Track Relevance analysis in Advanced eDiscovery
In Advanced eDiscovery, the Relevance Track tab displays the calculated validity of the Relevance training performed in the Tag tab and indicates the next step to take in the iterative training process in Relevance. ## Tracking Relevance training status
-1. View the following details in Relevance Track for the case issues, as shown in the following example of an **Issue name** dialog below.
-
- - **Assessment**: This progress indicator shows to what degree the Relevance training performed to this point has achieved the assessment target in terms of margin of error. The richness of the Relevance training results is also displayed.
-
- - **Training**: This color-coded progress indicator and tool-tip display indicates the Relevance training results stability and a numeric scale showing the number of Relevance training samples tagged for each issue. The expert monitors the progress of the iterative Relevance training process.
-
- - **Batch calculation**: This progress indicator provides information about the completion of Batch calculation.
-
- - **Next step**: Displays the recommendation for the next step to be performed.
-
+1. View the following details in Relevance Track for the case issues, as shown in the following example of an **Issue name** dialog below.
+
+ - **Assessment**: This progress indicator shows to what degree the Relevance training performed to this point has achieved the assessment target in terms of margin of error. The richness of the Relevance training results is also displayed.
+
+ - **Training**: This color-coded progress indicator and tool-tip indicates the Relevance training results stability and a numeric scale showing the number of Relevance training samples tagged for each issue. The expert monitors the progress of the iterative Relevance training process.
+
+ - **Batch calculation**: This progress indicator provides information about the completion of Batch calculation.
+
+ - **Next step**: Displays the recommendation for the next step to be performed.
+
In the example, a successfully completed Assessment for an issue is shown, indicated by the completed color progress indicator and the checkmark. Tagging is underway, but the case is still considered unstable (stability status also shown in a tool-tip). The next step recommendation is "Training".
-
+
![Relevance Track training step 1](../media/a00fe607-680a-48eb-9d61-4565319f7ab6.png) The expanded view displays additional information and options. The displayed current error margin is the error margin of the recall in the current state of assessment, given the existing (already tagged) assessment files.
-
+
> [!NOTE] > The Assessment stage can be bypassed by clearing the **Assessment** check box per issue and then for "all issues". However, as a result, there will be no statistics for this issue. > Clearing the **Assessment** check box can only be done before assessment is performed. Where multiple issues exist in a case, assessment is bypassed only if the check box is cleared for each issue
- When assessment is not completed with the first sample set of files, assessment might be the next step for tagging more files.
-
+ When assessment is not completed with the first sample set of files, assessment might be the next step for tagging more files.
+
In **Relevance** \> **Track**, the training progress indicator and tool-tip indicate the estimated number of additional samples needed to reach stability. This estimate provides a guideline for the additional training needed.
-
+
![Relevance Track training](../media/98dbc3f5-5238-4d73-9f88-1aa4d77ea729.png) 2. When you're done tagging and if you need to continue training, click **Training**. Another sample set of files is generated from the loaded file set for additional training. You are then returned to the Tag tab to tag and train more files.
-
+ ### Reaching stable training levels After the assessment files have attained a stable level of training, Advanced eDiscovery is ready for Batch calculation.
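Review bot: "+ - **Training**: This color-coded progress indicator and tool-tip indicates ..." has a compound subject, so the verb should be "indicate"; the edit removed "display" but kept the singular verb. Also, "+1. View the following details ... as shown in the following example of an **Issue name** dialog below." carries both "following" and "below"; drop one. The remaining changes are trailing-whitespace removal on blank lines, which is fine.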
@@ -77,21 +74,21 @@ If you want to import new files after Batch calculation, the administrator can a
### Assessing tagging consistency
-If there are inconsistencies in file tagging, it can affect the analysis. The Advanced eDiscovery tagging consistency process can be used when results are not optimal or consistency is in doubt. A list of possible inconsistently tagged files is returned, and they can be reviewed and re-tagged, as necessary.
+If there are inconsistencies in file tagging, it can affect the analysis. The Advanced eDiscovery tagging consistency process can be used when results are not optimal or consistency is in doubt. A list of possible inconsistently tagged files is returned, and they can be reviewed and retagged, as necessary.
> [!NOTE]
-> After seven or more training rounds following assessment, tagging consistency can be viewed in **Relevance** \> **Track** \> **Issue** \> **Detailed results** \> **Training progress**. This review is done for one issue at a time.
+> After seven or more training rounds following assessment, tagging consistency can be viewed in **Relevance** \> **Track** \> **Issue** \> **Detailed results** \> **Training progress**. This review is done for one issue at a time.
1. In **Relevance \> Track**, expand an issue's row.
-
+
2. To the right of **Next step**, click **Modify**.
-
+
3. Select **Tag inconsistencies** as the **Next step** option, after seven training samples and click **OK**.
-
-4. Select **Tag inconsistencies**. The **Tag** tab opens displaying a list of the inconsistencies to re-tag as necessary.
-
+
+4. Select **Tag inconsistencies**. The **Tag** tab opens displaying a list of the inconsistencies to retag as necessary.
+
5. Click **Calculate** to submit the changes. The next step after tagging inconsistencies is "Training".
-
+
## Viewing and using Relevance results In the **Relevance \> Track** tab, expand an issue's row, and next to **Detailed results**, click **View**. The Detailed results panes are displayed, as shown and described below.
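Review bot: the re-tag to retag change follows Microsoft style, but two lines in this hunk would benefit from the same pass: "3. Select **Tag inconsistencies** as the **Next step** option, after seven training samples and click **OK**." has its comma in the wrong place (it belongs after "samples"), and "+4. Select **Tag inconsistencies**. The **Tag** tab opens displaying ..." needs a comma after "opens".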
@@ -100,7 +97,7 @@ In the **Relevance \> Track** tab, expand an issue's row, and next to **Detailed
### Tagging summary
- In the example shown below, the **Tagging summary** displays totals for each of Assessment, Training, and Catch-up file tagging processes.
+ In the example shown below, the **Tagging summary** displays totals for each of Assessment, Training, and Catch-up file tagging processes.
![Relevance Track tagging summary](../media/0ec906fc-bc84-4245-a964-fb3ca37891db.png)
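Review bot: "+ In the example shown below, the **Tagging summary** ..." still begins with a leading space; the edit only stripped trailing whitespace. A leading space is harmless in Markdown but inconsistent with the surrounding paragraphs, so trim it while touching the line.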
@@ -108,45 +105,45 @@ In the **Relevance \> Track** tab, expand an issue's row, and next to **Detailed
A keyword is a unique string, word, phrase, or sequence of words in a file identified by Advanced eDiscovery as a significant indicator of whether a file is relevant. The "Include" columns list keyword and weights in files tagged as Relevant, and the "Exclude" columns lists keywords and weights in files tagged as Not relevant.
-Advanced eDiscovery assigns negative or positive keyword weight values. The higher the weight, the higher the likelihood that a file in which the keyword appears is assigned a higher Relevance score during Batch calculation.
+Advanced eDiscovery assigns negative or positive keyword weight values. The higher the weight, the higher the likelihood that a file in which the keyword appears is assigned a higher Relevance score during Batch calculation.
The Advanced eDiscovery list of keywords can be used to supplement a list built by an expert or as an indirect sanity check at any point in the file review process. ### Training progress
-The **Training Progress** pane includes a training progress graph and quality indicator display, as shown in the example below.
+The **Training Progress** pane includes a training progress graph and quality indicator display, as shown in the example below.
![Relevance Track training progress](../media/8a5089f5-a162-4246-ae09-bc1921859860.png)
- **Training quality indicator**: Displays the rating of the tagging consistency as follows:
+**Training quality indicator**: Displays the rating of the tagging consistency as follows:
- **Good**: Files are tagged consistently. (Green light displayed)
-
+
- **Medium**: Some files may be tagged inconsistently. (Yellow light displayed)
-
+ - **Warning**: Many files may be tagged inconsistently. (Red light displayed)
-
- **Training progress graph**: Shows the degree of Relevance training stability after a number of Relevance training cycles in comparison to the F-measure value. As we move from the left to the right across the graph, the confidence interval narrows and is used, along with the F-measure, by Advanced eDiscovery Relevance to determine stability when the Relevance training results are optimized.
+
+**Training progress graph**: Shows the degree of Relevance training stability after many Relevance training cycles in comparison to the F-measure value. As we move from the left to the right across the graph, the confidence interval narrows and is used, along with the F-measure, by Advanced eDiscovery Relevance to determine stability when the Relevance training results are optimized.
> [!NOTE]
-> Relevance uses F2, an F-measure metric where Recall receives twice as much weight as Precision. For cases with high richness (over 25%), Relevance uses F1 (1:1 ratio). The F-measure ratio can be configured in **Relevance setup** \> **Advanced settings**.
+> Relevance uses F2, an F-measure metric where Recall receives twice as much weight as Precision. For cases with high richness (over 25%), Relevance uses F1 (1:1 ratio). The F-measure ratio can be configured in **Relevance setup** \> **Advanced settings**.
### Batch calculation results The **Batch calculation results** pane includes the number of files that were scored for Relevance, as follows: - **Success**
-
+
- **Empty**: Contains no text, for example, only spaces/tabs
-
+
- **Failed**: Due to excessive size or could not be read
-
+
- **Ignored**: Due to excessive size
-
+
- **Nebulous**: Contains meaningless text or no features relevant to the issue
-
+
> [!NOTE]
-> Empty, Failed, Ignored, or Nebulous will receive a Relevance score of -1.
+> Empty, Failed, Ignored, or Nebulous will receive a Relevance score of -1.
### Training statistics
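Review bot: "+**Training progress graph**: Shows the degree of Relevance training stability after many Relevance training cycles" changes the meaning of the original "after a number of Relevance training cycles"; the graph plots stability against the cycle count, whatever it is, so "many" asserts a quantity the page does not state. Use "over successive Relevance training cycles" or keep "a number of". Unindenting the two bold labels is a correct fix.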
@@ -157,11 +154,11 @@ The **Training statistics** pane displays statistics and graphs based on results
This view shows the following: - **Review-recall ratio**: Comparison of results according to Relevance scores in a hypothetically linear review. Recall is estimated given the review set size set.
-
+
- **Parameters**: Cumulative calculated statistics pertaining to the review set in relation to the file population for the entire case.
-
+
- **Review**: Percentage of files to review based on this cutoff.
-
+
- **Recall**: Percentage of Relevant files in the review set.
-
+
- **Distribution by relevance score**: Files in the dark gray display to the left are below the cutoff score. A tool-tip displays the Relevance score and the related percentage of files in the review file set in relation to the total files.
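Review bot: whitespace-only changes here, but the unchanged context line "- **Review-recall ratio**: ... Recall is estimated given the review set size set." has a duplicated "set" that could be fixed in the same pass.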
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/using-communications-editor https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/using-communications-editor.md
@@ -22,24 +22,25 @@ ms.custom: seo-marvel-mar2020
# Use the communications editor
-As you define the content of your portal content, legal hold notifications, and related reminders/escalations, you can leverage the Communications Editor to format and dynamically customize your content.
+As you define the content of your portal content, legal hold notifications, and related reminders/escalations, you can use the Communications Editor to format and dynamically customize your content.
-## Rich text editor
+## Rich text editor
-The Communications Editor allows user to customize the text using the editor options. For example, users can change font types, create bulleted lists, highlight content, and more.
+The Communications Editor allows user to customize the text using the editor options. For example, users can change font types, create bulleted lists, highlight content, and more.
## Merge field variables
-You can leverage email merge variables from the Communications Editor to embed customized custodian attributes into a communication's body text. When sent to the custodian, the merge field will be populated with the corresponding field. For example, when sent to custodian John Smith, the merge field [Custodian Name] would be translated with the corresponding name.
+You can use email merge variables from the Communications Editor to embed customized custodian attributes into a communication's body text. When sent to the custodian, the merge field will be populated with the corresponding field. For example, when sent to custodian John Smith, the merge field [Custodian Name] would be translated with the corresponding name.
-You can use email merge fields by selecting the **Merge field** icons on the top of the rich-text editor control. The placeholder will be added based off the location of the users' cursor.
+You can use email merge fields by selecting the **Merge field** icons on the top of the rich-text editor control. The placeholder will be added based off the location of the users' cursor.
### List of merge field variables
-| Field name | Field details |
+| Field name | Field details |
| :------------------- | :------------------- | | Display Name | The custodian's first and last name. |
-| Acknowledgement Link | A customized link to record each custodian's acknowledgement.| |
+| Acknowledgment Link | A customized link to record each custodian's acknowledgment.| |
| Portal Link | A customized link for the custodian's Compliance Portal.| | | Issuing Officer | The email address of the specified issuing officer.| | | Issuing Date | The date that the notice was issued (UTC). |
+|||
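Review bot: "+|||" appends an empty row to the merge-field table, which renders as a blank row and should be removed; the stray "| |" fragment on the Acknowledgment Link row looks like a broken cell boundary rather than intended content and deserves the same cleanup. Two wording points the hunk touched but did not fix: "+The Communications Editor allows user to customize" should be "allows users to customize", and "+The placeholder will be added based off the location of the users' cursor" should be "based on the location of the user's cursor". The Acknowledgment spelling change is consistent with US English.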
contentunderstanding https://docs.microsoft.com/en-us/microsoft-365/contentunderstanding/adoption-getstarted https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/adoption-getstarted.md
@@ -22,13 +22,16 @@ Think of the intelligent content services available in SharePoint Syntex as havi
- **Content processing:** Automate capture, ingestion and categorization of content and streamline content-centric processes using Power Automate. Learn more about [content processing](form-processing-overview.md). - **Content compliance:** Control and manage content to improve security and governance with integration to Microsoft Information Protection.
-With new AI services and capabilities, you can build content understanding and classification apps directly into the content management flow using SharePoint Syntex:
+With new AI services and capabilities, you can build content understanding and classification apps directly into the content management flow using SharePoint Syntex. There are two different ways of understanding your content. The model type you use is based on file format and use case:
-|Manual entry| Form processing | Document understanding |
-|:-------|:--------|:--------|
-| Data entry and labor-intensive on any content. | Identify files and extract data from structured or semi-structured documents, such as forms or invoices. | Identify and extract data from unstructured documents, such as letters or contracts, where the text entities you want to extract reside in sentences or specific regions of the document. |
-| Interactive. | Custom, assisted. | Pre-built, automated. |
-| People doing the work. | Taught by your subject matter experts (SMEs). | SMEs are less involved. |
+| Form processing | Document understanding |
+|:-------|:-------|
+| Created from document library. | Created in the content center, part of SharePoint Syntex. |
+| Model created in AI builder. | Model created in native interface. |
+| Used for semi-structured file formats. | Used for unstructured file formats. |
+| Settable classifier. | Trainable classifier with optional extractors. |
+| Restricted to a single library. | Can be applied to multiple libraries. |
+| Train on PDF, JPG, PNG format, total 50 MB/500 pp. | Train on 5-10 PDF, Office, or email files, including negative examples. |
The following table explains availability and licensing for SharePoint Syntex:
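Review bot: the replacement table drops the original "Manual entry" baseline column and the "Interactive / Custom, assisted / Pre-built, automated" and "People doing the work / Taught by your SMEs / SMEs are less involved" rows, so the page loses the comparison that told a reader how much human effort each option needs; if that is intended, fine, otherwise fold those rows into the new table. Minor: "+| Model created in AI builder. |" should read "AI Builder" to match "AI Builder licensing" in the context below.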
@@ -40,17 +43,6 @@ The following table explains availability and licensing for SharePoint Syntex:
For more information about AI Builder credits and units, see [AI Builder licensing](https://docs.microsoft.com/ai-builder/administer-licensing).
-There are two different ways of understanding your content. The model type you use is based on file format and use case:
-
-| Form processing | Document understanding |
-|:-------|:-------|
-| Created from document library. | Created in the content center, part of SharePoint Syntex. |
-| Model created in AI builder. | Model created in native interface. |
-| Used for semi-structured file formats. | Used for unstructured file formats. |
-| Settable classifier. | Trainable classifier with optional extractors. |
-| Restricted to a single library. | Can be applied to multiple libraries. |
-| Train on PDF, JPG, PNG format, total 50 MB/500 pp. | Train on 5-10 PDF, Office, or email files, including negative examples. |
- SharePoint Syntex integrates with Microsoft 365 compliance features like: - Retention labels that define records policy based on document age or external events.
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/ms-cloud-germany-transition-add-devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-devices.md
@@ -56,7 +56,7 @@ Device registration is deactivated after migration of the tenant and cannot be e
Get-AzureADServicePrincipal -All:$true |Where-object -Property AppId -eq "0000000a-0000-0000-c000-000000000000" | Set-AzureADServicePrincipal -AccountEnabled:$false ```
-## Windows Hybrid Azure AD join
+## Hybrid Azure AD join
### Windows down-level
@@ -130,7 +130,7 @@ The preceding command only needs to be run once in an administrative context on
The device is automatically joined to Azure AD without user or admin intervention as long as the device has network connectivity to global Azure AD endpoints.
-## Windows Azure AD Join
+## Azure AD Join
**IMPORTANT:** The Intune service principal will be enabled after commerce migration, which implies the activation of Azure AD Device Registration. If you blocked Azure AD Device Registration before migration, you must disable the Intune service principal with PowerShell to disable Azure AD Device Registration with the Azure AD portal again. You can disable the Intune service principal with this command in the Azure Active Directory PowerShell for Graph module.
@@ -175,7 +175,7 @@ The preceding command only needs to be run once in an administrative context on
The user can join the device to Azure AD from Windows settings: **Settings > Accounts > Access Work Or School > Connect**.
-## Windows Azure AD Registered (Company owned)
+## Azure AD Registered (Company owned)
To determine whether the Windows 10 device is Azure ADΓÇôregistered, run the following command on the device:
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-started/conditional-access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/conditional-access.md
@@ -13,7 +13,7 @@ ms.topic: article
# Adjust settings after enrollment
-After you've completed enrollment in Microsoft Managed Desktop, you need to adjust certain Microsoft Intune and Azure Active Directory (Azure AD) settings to allow for management and maintain security. Set the following settings to exclude the Azure AD groups that contain Microsoft Managed Desktop devices and users. For steps to exclude groups, see [Conditional Access: Users and groups](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-users-groups#exclude-users).
+After you've completed enrollment in Microsoft Managed Desktop, you need to adjust the Microsoft Intune and Azure Active Directory (Azure AD) settings specified in this article to allow for management and maintain security. Set the following settings to exclude specific Azure AD groups that contain Microsoft Managed Desktop devices and users. For steps to exclude groups, see [Conditional Access: Users and groups](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-users-groups#exclude-users).
> [!NOTE] > If you make any changes after enrollment to policies in Microsoft Intune, Azure Active Directory, or Microsoft 365, it's possible that Microsoft Managed Desktop could stop operating properly. To avoid problems with Microsoft Managed Desktop operations, check the specific settings described in [Fix issues found by the readiness assessment tool](../get-ready/readiness-assessment-fix.md) before you change any policies.
@@ -21,11 +21,11 @@ After you've completed enrollment in Microsoft Managed Desktop, you need to adju
## Microsoft Intune settings -- Autopilot deployment profile: exclude the **Modern Workplace Devices -All** Azure AD group. For steps, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/mem/autopilot/enrollment-autopilot).-- Conditional Access policies: exclude the **Modern Workplace Service Accounts** Azure AD group. For steps, see [Conditional Access: Users and groups](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-users-groups).-- Multifactor authentication: make sure any conditional access policies that require multifactor authentication exclude the **Modern Workplace Service Accounts** Azure AD group. For more information, see [Conditional access policies](../get-ready/readiness-assessment-fix.md#conditional-access-policies) and [Conditional Access: Require MFA for all users](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa).-- Security baseline: exclude the **Modern Workplace Devices -All** Azure AD group. For steps, see [Use security baselines to configure Windows 10 devices in Intune](https://docs.microsoft.com/mem/intune/protect/security-baselines).-- Windows 10 update ring: exclude the **Modern Workplace Devices -All** Azure AD group. For steps, see [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure).
+- Autopilot deployment profile: for Autopilot profiles created by admins in your company, exclude the **Modern Workplace Devices -All** Azure AD group. For steps, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/mem/autopilot/enrollment-autopilot). Do not exclude the **Modern Workplace Devices -All** Azure AD group from any deployment policies created by Microsoft Managed Desktop that have "Modern Workplace" in the name (for example, **Modern Workplace Autopilot Profile**).
+- Conditional Access policies: for conditional access policies created by admins in your company, exclude the **Modern Workplace Service Accounts** Azure AD group. For steps, see [Conditional Access: Users and groups](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-users-groups). Do not exclude the **Modern Workplace Devices -All** Azure AD group from any policies created by Microsoft Managed Desktop that have "Modern Workplace" in the name (for example, **Modern Workplace Secure Workstation**).
+- Multifactor authentication: make sure any conditional access policies created by admins in your company that require multifactor authentication exclude the **Modern Workplace Service Accounts** Azure AD group. For more information, see [Conditional access policies](../get-ready/readiness-assessment-fix.md#conditional-access-policies) and [Conditional Access: Require MFA for all users](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa).
+- Security baseline: for security baseline policies created by admins in your company, exclude the **Modern Workplace Devices -All** Azure AD group. For steps, see [Use security baselines to configure Windows 10 devices in Intune](https://docs.microsoft.com/mem/intune/protect/security-baselines). Do not exclude the **Modern Workplace Devices -All** Azure AD group from from any policies created by Microsoft Managed Desktop that have "Modern Workplace" in the name (for example, **Modern Workplace Security Baseline**).
+- Windows 10 update ring: for Windows 10 update ring policies created by admins in your company, exclude the **Modern Workplace Devices -All** Azure AD group. For steps, see [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure). Do not exclude the **Modern Workplace Devices -All** Azure AD group from any policies created by Microsoft Managed Desktop that have "Modern Workplace" in the name (for example, the **Modern Workplace Update** policy).
## Azure Active Directory settings
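Review bot: "from from" is duplicated in the Security baseline bullet ("Azure AD group from from any policies created by Microsoft Managed Desktop"); drop one. In the Conditional Access policies bullet, the group to exclude from admin-created policies is **Modern Workplace Service Accounts**, but the "Do not exclude" clause names **Modern Workplace Devices -All**; the other bullets pair the same group in both clauses, so confirm whether the second group is intended and, if both groups matter for Conditional Access, say so explicitly. The "Do not exclude" clauses are the substantive guardrail in this change: removing the device group from an MMD-created policy such as **Modern Workplace Secure Workstation** or **Modern Workplace Security Baseline** takes those devices out of the protections the service depends on, so stating that consequence once (above the list) would carry more weight than repeating the clause in every bullet.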
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-devicefileevents-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-devicefileevents-table.md
@@ -79,6 +79,9 @@ For information on other tables in the advanced hunting schema, [see the advance
| `SensitivitySubLabel` | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently | | `IsAzureInfoProtectionApplied` | boolean | Indicates whether the file is encrypted by Azure Information Protection |
+>[!NOTE]
+> File hash information will always be shown when it is available. However, there are several possible reasons why a SHA1, SHA256, or MD5 cannot be calculated. For instance, the file might be located in remote storage, locked by another process, compressed, or marked as virtual. In these scenarios, the file hash information appears empty.
+ ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md)
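Review bot: the new note should tell query authors what to do about the empty-hash case, because a hunting query that filters or joins on SHA1, SHA256, or MD5 silently drops every event for files in remote storage, locked by another process, compressed, or marked virtual; suggest adding a sentence along the lines of "Filter with isnotempty(SHA256) where a hash is required, and fall back to FileName and FolderPath when hashes are empty." Also, `>[!NOTE]` is missing the space after `>` that the rest of these docs use (`> [!NOTE]`).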
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center.md
@@ -84,7 +84,7 @@ To see how to grant access to the Security & Compliance Center, check out [Give
|**Privacy Management Investigators**|Analysts of privacy management solution that can investigate policy matches, view message content, and take remediation actions.|Privacy Management Investigation| |**Privacy Management Viewers**|Viewer of privacy management solution that can access the available dashboards and widgets.|Privacy Management Viewer| |**Records Management**|Members can configure all aspects of records management, including retention labels and disposition reviews.|Disposition Management <p> RecordManagement <p> Retention Management|
-|**Reviewer**|Members can only view the list of cases on the eDiscovery cases page in the Security & Compliance Center. They can't create, open, or manage an eDiscovery case. The primary purpose of this role group is to allow members to view and access case data in [Advanced eDiscovery (classic)](../../compliance/office-365-advanced-ediscovery.md) (also known as *Advanced eDiscovery v1*). <p> This role group has the most restrictive eDiscovery-related permissions. <p> **Note:** At this time, users who are a member of the Reviewer role group can't access data in [Advanced eDiscovery in Microsoft 365](../../compliance/overview-ediscovery-20.md) (also known as *Advanced eDiscovery v2*). To add members to a case in Advanced eDiscovery v2 so that they can review case data, a user must be a member of the eDiscovery Manager role group.|Review|
+|**Reviewer**|Members can access review sets in [Advanced eDiscovery](https://docs.microsoft.com/microsoft-365/compliance/overview-ediscovery-20) cases. Members of this role group can see and open the list of cases on the **eDiscovery > Advanced** page in the Microsoft 365 compliance center that they're members of. After the user accesses an Advanced eDiscovery case, they can select **Review sets** to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Members of this role group can only access the data in a review set.|Review|
|**Security Administrator**|Members have access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. <p> By default, this role group may not appear to have any members. However, the Security Administrator role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Azure Active Directory. <p> To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see [Administrator role permissions in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles). If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services. <p> This role group includes all of the read-only permissions of the Security reader role, plus a number of additional administrative permissions for the same services: Azure Information Protection, Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center.|Audit Logs <p> Device Management <p> DLP Compliance Management <p> IB Compliance Management <p> Manage Alerts <p> Quarantine <p> Security Administrator <p> Sensitivity Label Administrator <p> Tag Contributor <p> Tag Manager <p> Tag Reader <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts| |**Security Operator**|Members can manage security alerts, and also view reports and settings of security features.|Compliance Search <p> Manage Alerts <p> Security Reader <p> Tag Contributor <p> Tag Reader <p> View-Only Audit Logs <p> View-Only Device Management <p> 
View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts| |**Security Reader**|Members have read-only access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. <p> By default, this role group may not appear to have any members. However, the Security Reader role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Azure Active Directory. <p> To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see [Administrator role permissions in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles). If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services.|Security Reader <p> Sensitivity Label Reader <p> Tag Reader <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts|
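Review bot: this row reverses the previous statement that Reviewer members can't access data in Advanced eDiscovery (v2) and that eDiscovery Manager membership is required for that, so the new text should be confirmed against current product behavior, and the removed note about Advanced eDiscovery (classic) / v1 should either stay or have its removal explained in the commit. The link was also switched from the relative `../../compliance/overview-ediscovery-20.md` to an absolute docs.microsoft.com URL; in-repo articles normally keep the relative form so link validation and localized builds resolve it. The last two sentences ("This role doesn't allow the user to preview the results of a collection search ... Members of this role group can only access the data in a review set.") are the useful least-privilege statement and would read better as the opening of the description.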
@@ -186,7 +186,7 @@ Note that the following roles aren't assigned to the Organization Management rol
|**Quarantine**|Allows viewing and releasing quarantined email.|Quarantine Administrator <p> Security Administrator <p> Organization Management| |**RecordManagement**|View and edit the configuration of the records management feature.|Compliance Administrator <p> Compliance Data Administrator <p> Organization Management <p> Records Management| |**Retention Management**|Manage retention policies, retention labels, and retention label policies.|Compliance Administrator <p> Compliance Data Administrator <p> Organization Management <p> Records Management|
-|**Review**|Use Advanced eDiscovery to track, tag, analyze, and test documents that are assigned to them.|eDiscovery Manager <p> Reviewer|
+|**Review**|This role lets users access review sets in Advanced eDiscovery cases. Users who are assigned this role can see and open the list of cases on the **eDiscovery > Advanced** page in the Microsoft 365 compliance center that they're members of. After the user accesses an Advanced eDiscovery case, they can select **Review sets** to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Users with this role can only access the data in a review set.|eDiscovery Manager <p> Reviewer|
|**RMS Decrypt**|Decrypt RMS-protected content when exporting search results.|eDiscovery Manager| |**Role Management**|Manage role group membership and create or delete custom role groups.|Organization Management| |**Search And Purge**|Lets people bulk-remove data that matches the criteria of a content search.|Organization Management|
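Review bot: the Review role description now duplicates the Reviewer role group text almost word for word; the two will drift apart on the next edit, so keep the short definition here ("lets users access review sets in Advanced eDiscovery cases") and point to the Reviewer role group row for the detail. The removed wording covered "track, tag, analyze, and test documents" and the new text says nothing about tagging or analysis inside a review set; confirm those actions are still permitted and, if so, keep that list so admins can tell what the role allows beyond read access.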
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/security-recommendations-for-priority-accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/security-recommendations-for-priority-accounts.md
@@ -27,6 +27,8 @@ For attackers, ordinary phishing attacks that cast a random net to get the crede
Microsoft 365 and Microsoft Defender for Office 365 contain many different features that can help you to provided additional layers of security for your priority accounts. The available features and how to use them are discussed in this article.
+![Summary of the security recommendations in icon form](../../media/security-recommendations-for-priority-users.png)
+ ## Increase sign-in security for priority accounts Priority accounts require increased sign-in security. You can increase their sign-in security by requiring multi-factor authentication (MFA) and disabling legacy authentication protocols.
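Review bot: the unchanged context line above still reads "help you to provided additional layers of security"; fix it to "help you to provide" while this file is being touched. For the added image, the alt text "Summary of the security recommendations in icon form" describes the format rather than the content; naming the recommendations the icons stand for (sign-in security, preset security policies, user tags, monitoring) would make the alt text useful to screen-reader users.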
@@ -55,7 +57,7 @@ Preset security policies are a convenient and central location to apply our reco
For details about how the Strict policy settings differ from the the default and Standard policy settings, see [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365-atp.md).
-## User tags
+## Apply user tags to priority accounts
User tags in Microsoft Defender for Office 365 Plan 2 (as part of Microsoft 365 E5 or an add-on subscription) are a way to quickly identify and classify specific users or groups of users in reports and incident investigations.
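Review bot: the heading rename changes the anchor from #user-tags to #apply-user-tags-to-priority-accounts; check for inbound links (the [User tags](user-tags.md) article is a likely source) and update them. The unchanged context line "differ from the the default and Standard policy settings" has a duplicated "the".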
@@ -63,7 +65,11 @@ User tags in Microsoft Defender for Office 365 Plan 2 (as part of Microsoft 365
You can also create custom tags to further identify and classify your priority accounts. For more information, see [User tags](user-tags.md). Note that you can manage **priority accounts** (system tags) in the same interface as custom user tags.
-## Priority accounts in reports and investigations in Microsoft 365
+## Monitor priority accounts in alerts, reports, and detections
+
+After you secure and tag your priority users, you can use the available reports, alerts, and investigations in EOP and Defender for Office 365 to quickly identify incidents or detections that involve priority accounts. The features that support user tags are described in the following table.
+
+<br>
****
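Review bot: the `<br>` added before the `****` table opener is raw HTML used only for spacing; a blank line separates the paragraph from the table without it. The new intro paragraph promises that "The features that support user tags are described in the following table", but the `****` opener in this hunk shows no column headings; make sure the table that follows names each feature and the scope of its user-tag support (alerts, reports, investigations) so the paragraph and table agree.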
solutions https://docs.microsoft.com/en-us/microsoft-365/solutions/configure-secure-access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-secure-access.md
@@ -1,6 +1,6 @@
--- title: Configure secure access to Microsoft 365 services
-description: Description.
+description: Find prescriptive guidance for implementing MFA, conditional access, and related policies for three tiers of protection - baseline, sensitive, highly sensitive.
ms.author: samanro author: samanro manager: bcarter
solutions https://docs.microsoft.com/en-us/microsoft-365/solutions/foundation-solutions-overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/foundation-solutions-overview.md
@@ -1,6 +1,6 @@
--- title: Microsoft 365 Foundation Solutions Overview
-description: Description.
+description: Read these foundation solution guides to understand concepts and features and help you make the choices that lead to a functioning end result, from planning to implementation, to adoption.
ms.author: samanro author: samanro manager: bcarter
solutions https://docs.microsoft.com/en-us/microsoft-365/solutions/identity-design-principles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/identity-design-principles.md
@@ -16,7 +16,7 @@ ms.custom: seo-marvel-jun2020
f1.keywords: NOCSH ---
-# To identity and beyond ΓÇö One architect's viewpoint
+# To identity and beyondΓÇöOne architect's viewpoint
In this article, [Alex Shteynberg](https://www.linkedin.com/in/alex-shteynberg/), Principal Technical Architect at Microsoft, discusses top design strategies for enterprise organizations adopting Microsoft 365 and other Microsoft cloud services.
@@ -24,70 +24,70 @@ In this article, [Alex Shteynberg](https://www.linkedin.com/in/alex-shteynberg/)
![Alex Shteynberg photo](../media/solutions-architecture-center/identity-and-beyond-alex-shteynberg.jpg)
-I am a Principal Technical Architect at the New York [Microsoft Technology Center](https://www.microsoft.com/mtc?rtc=1). I mostly work with large customers and complex requirements. My viewpoint and opinions are based on these interactions and may not apply to every situation. However, in my experience, if we can help customers with the most complex challenges, we can help all customers.
+I'm a Principal Technical Architect at the New York [Microsoft Technology Center](https://www.microsoft.com/mtc?rtc=1). I mostly work with large customers and complex requirements. My viewpoint and opinions are based on these interactions and may not apply to every situation. However, in my experience, if we can help customers with the most complex challenges, we can help all customers.
-I typically work with 100+ customers each year. While every organization has unique characteristics, it's interesting to see trends and commonalities. For example, one trend is cross-industry interest for a lot of customers. After all, a bank branch can also be a coffee shop and a community center.
+I typically work with 100+ customers each year. While every organization has unique characteristics, it's interesting to see trends and commonalities. For example, one trend is cross-industry interest for many customers. After all, a bank branch can also be a coffee shop and a community center.
-In my role, I focus on helping customers arrive at the best technical solution to address their unique set of business goals. Officially, I focus on Identity, Security, Privacy, and Compliance. I love the fact that these touch everything we do. It gives me an opportunity to be involved with most projects. This keeps me quite busy and enjoying this role.
+In my role, I focus on helping customers arrive at the best technical solution to address their unique set of business goals. Officially, I focus on Identity, Security, Privacy, and Compliance. I love the fact that these touch everything we do. It gives me an opportunity to be involved with most projects. This keeps me quite busy and enjoying this role.
I live in New York City (the best!) and really enjoy the diversity of its culture, food, and people (not traffic). I love to travel when I can and hope to see most of the world in my lifetime. I'm currently researching a trip to Africa to learn about wildlife.
-## Guiding principles
+## Guiding principles
-- **Simple is often better** ΓÇö You can do (almost) anything with technology. It does not mean you should. Especially in the security space, many customers overengineer solutions. I like [this video](https://www.youtube.com/watch?v=SOQgABDSYZE) from GoogleΓÇÖs Stripe conference to underscore this point.-- **People, process, technology** ΓÇö [Design for people](https://en.wikipedia.org/wiki/Human-centered_design) to enhance process, not tech first. There are no "perfect" solutions. We need to balance various risk factors and decisions will be different for each business. Too many customers design an approach which their users later avoid.-- **Focus on 'why' first and 'how' later** ΓÇö Be the annoying 7 yr old kid with a million questions. We can't arrive at the right answer if we don't know the right questions to ask. Lots of customers make assumptions on how things need to work instead of defining the business problem. There are always multiple paths that can be taken.-- **Long tail of past best practices** ΓÇö Recognize that best practices are changing at light speed. If you have looked at Azure AD more than 3 month ago, you are likely out of date. Everything here is subject to change after publication. ΓÇ£BestΓÇ¥ option today may be not be the same 6 months from now.
+- **Simple is often better**: You can do (almost) anything with technology, but it doesn't mean you should. Especially in the security space, many customers overengineer solutions. I like [this video](https://www.youtube.com/watch?v=SOQgABDSYZE) from GoogleΓÇÖs Stripe conference to underscore this point.
+- **People, process, technology**: [Design for people](https://en.wikipedia.org/wiki/Human-centered_design) to enhance process, not tech first. There are no "perfect" solutions. We need to balance various risk factors and decisions will be different for each business. Too many customers design an approach that their users later avoid.
+- **Focus on 'why' first and 'how' later**: Be the annoying 7-yr old kid with a million questions. We can't arrive at the right answer if we don't know the right questions to ask. Lots of customers make assumptions on how things need to work instead of defining the business problem. There are always multiple paths that can be taken.
+- **Long tail of past best practices**: Recognize that best practices are changing at light speed. If you've looked at Azure AD more than three month ago, you are likely out of date. Everything here is subject to change after publication. ΓÇ£BestΓÇ¥ option today may not be the same six months from now.
## Baseline concepts Don't skip this section. I often find that I must step-back to these topics, even for customers who have been using cloud services for years.
-Alas, language is not a precise tool. We quite often use the same word to mean different concepts or different words to mean the same concept. I often use this diagram below to establish some baseline terminology and "hierarchy model."
+Alas, language isn't a precise tool. We quite often use the same word to mean different concepts or different words to mean the same concept. I often use this diagram below to establish some baseline terminology and "hierarchy model."
<br><br> ![Illustration of tenant, subscription, service, and data](../media/solutions-architecture-center/Identity-and-beyond-tenant-level.png) <br>
-When you learn to swim it's better to start in the pool and not in the middle of the ocean. I am not trying to be technically accurate with this diagram. It's a model to discuss some basic concepts.
+When you learn to swim it's better to start in the pool and not in the middle of the ocean. I'm not trying to be technically accurate with this diagram. It's a model to discuss some basic concepts.
In the diagram:-- Tenant = an instance of Azure AD. It is at the "top" of a hierarchy, or Level 1 in the diagram. We can consider this to be the "[boundary](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-directory-independence)" where everything else occurs ([Azure AD B2B](https://docs.microsoft.com/azure/active-directory/b2b/what-is-b2b) aside). All Microsoft enterprise cloud services are part of one of these tenants. Consumer services are separate. "Tenant" appears in documentation as Office 365 tenant, Azure tenant, WVD tenant, etc. I often find these variations cause confusion for customers.-- Services/subscriptions, Level 2 in the diagram, belong to one and only one tenant. Most SaaS services are 1:1 and can't move without migration. Azure is different, you can [move billing](https://docs.microsoft.com/azure/cost-management-billing/manage/billing-subscription-transfer) and/or a [subscription](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to another tenant. There are many customers that need to move Azure subscriptions. This has various implication. Objects that exist outside of the subscription (for example, RBAC and Azure AD objects including groups, apps, policies, etc.) do not move. Also, some services (Azure Key Vault, Data Bricks, etc.) move in a non-functional state. Don't migrate services without a good business need. Some scripts that can be helpful for migration are [shared on GitHub](https://github.com/lwajswaj/azure-tenant-migration). -- A given service usually has some sort of "sub-level" boundary, or Level 3 (L3). This is useful to understand for segregation of security, policies, governance, etc. Unfortunately, there is no uniform name that I know of. 
Some examples names for L3 are: Azure Subscription = [resource](https://docs.microsoft.com/azure/azure-resource-manager/management/manage-resources-portal); Dynamics 365 CE = [instance](https://docs.microsoft.com/dynamics365/admin/new-instance-management); Power BI = [workspace](https://docs.microsoft.com/power-bi/service-create-the-new-workspaces); Power Apps = [environment](https://docs.microsoft.com/power-platform/admin/environments-overview); etc.+
+- Tenant = an instance of Azure AD. It is at the "top" of a hierarchy, or Level 1 in the diagram. We can consider this to be the "[boundary](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-directory-independence)" where everything else occurs ([Azure AD B2B](https://docs.microsoft.com/azure/active-directory/b2b/what-is-b2b) aside). All Microsoft enterprise cloud services are part of one of these tenants. Consumer services are separate. "Tenant" appears in documentation as Office 365 tenant, Azure tenant, WVD tenant, and so on. I often find these variations cause confusion for customers.
+- Services/subscriptions, Level 2 in the diagram, belong to one and only one tenant. Most SaaS services are 1:1 and can't move without migration. Azure is different, you can [move billing](https://docs.microsoft.com/azure/cost-management-billing/manage/billing-subscription-transfer) and/or a [subscription](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to another tenant. There are many customers that need to move Azure subscriptions. This has various implications. Objects that exist outside of the subscription do not move (for example, role-based access control, or Azure RBAC, and Azure AD objects including groups, apps, policies, and so on). Also, some services (such as Azure Key Vault, Data Bricks, and so on). Don't migrate services without a good business need. Some scripts that can be helpful for migration are [shared on GitHub](https://github.com/lwajswaj/azure-tenant-migration).
+- A given service usually has some sort of "sublevel" boundary, or Level 3 (L3). This is useful to understand for segregation of security, policies, governance, and so on. Unfortunately, there is no uniform name that I know of. Some examples names for L3 are: Azure Subscription = [resource](https://docs.microsoft.com/azure/azure-resource-manager/management/manage-resources-portal); Dynamics 365 CE = [instance](https://docs.microsoft.com/dynamics365/admin/new-instance-management); Power BI = [workspace](https://docs.microsoft.com/power-bi/service-create-the-new-workspaces); Power Apps = [environment](https://docs.microsoft.com/power-platform/admin/environments-overview); and so on.
- Level 4 is where the actual data lives. This 'data plane' is a complex topic. Some services are using Azure AD for RBAC, others are not. I'll discuss it a bit when we get to delegation topics. Some additional concepts that I find many customers (and Microsoft employees) are confused about or have questions about include the following: --- Anyone can [create](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) many tenants at [no cost](https://azure.microsoft.com/pricing/details/active-directory/). You do not need a service provisioned within it. I have dozens. Each Tenant name is unique in Microsoft's worldwide cloud service (i.e. no two tenants can have the same name). They all are in the format of TenantName.onmicrosoft.com. There are also processes that create Tenants automatically ([unmanaged tenants](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-self-service-signup)). For example, this can occur when a user signs-up for an enterprise service with an email domain which does not exist in any other tenant. -- In a managed tenant, many [DNS domains](https://docs.microsoft.com/azure/active-directory/fundamentals/add-custom-domain) can be registered in it. This does not change the original tenant name. There is currently no easy way to rename a tenant (other than migration). Although the tenant name is technically not critical these days, some may find this to be limiting.
+- Anyone can [create](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) many tenants at [no cost](https://azure.microsoft.com/pricing/details/active-directory/). You do not need a service provisioned within it. I have dozens. Each Tenant name is unique in Microsoft's worldwide cloud service (in other words, no two tenants can have the same name). They all are in the format of TenantName.onmicrosoft.com. There are also processes that create Tenants automatically ([unmanaged tenants](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-self-service-signup)). For example, this can occur when a user signs up for an enterprise service with an email domain that does not exist in any other tenant.
+- In a managed tenant, many [DNS domains](https://docs.microsoft.com/azure/active-directory/fundamentals/add-custom-domain) can be registered in it. This doesn't change the original tenant name. There is currently no easy way to rename a tenant (other than migration). Although the tenant name is technically not critical these days, some may find this to be limiting.
- You should reserve a tenant name for your organization even if you are not yet planning to deploy any services. Otherwise somebody can take it from you and there is no simple process to take it back (same problem as DNS names). I hear this way too often from customers. What your tenant name should be is a debate topic as well.-- If you own DNS namespace(s), you should add all of these to your tenant(s). Otherwise one could create an [unmanaged tenant](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-self-service-signup) with this name which then causes disruption to [make it managed](https://docs.microsoft.com/azure/active-directory/users-groups-roles/domains-admin-takeover).-- DNS namespace (e.g. contoso.com) can belong to one and only one Tenant. This has implication for various scenarios (for example, sharing an email domain during a merger or acquisition, etc.) There is a way to register a DNS sub (e.g. div.contoso.com) in a different tenant, but that should be avoided. By registering a top-level domain name, all subdomains are assumed to belong to the same tenant. In multi-tenant scenarios (see below) I would normally recommend using another top-level domain name (e.g. contoso.ch or ch-contoso.com).-- Who should "own" a tenant? I often see customers that do not know who currently owns their tenant. This is a big red flag. Call Microsoft support ASAP. Just as problematic is when a service owner (often an Exchange administrator) is designated to manage a tenant. The tenant will contain all services that you may want in the future. The tenant owner should be a group which can make decision for enablement of all cloud services in an organization. Another problem is when a tenant owner group is asked to manage all services. This does not scale for large organizations.
+- If you own DNS namespace(s), you should add all of these to your tenant(s). Otherwise one could create an [unmanaged tenant](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-self-service-signup) with this name, which then causes disruption to [make it managed](https://docs.microsoft.com/azure/active-directory/users-groups-roles/domains-admin-takeover).
+- DNS namespace (such as contoso.com) can belong to one and only one Tenant. This has implications for various scenarios (for example, sharing an email domain during a merger or acquisition, and so on). There is a way to register a DNS sub (such as div.contoso.com) in a different tenant, but that should be avoided. By registering a top-level domain name, all subdomains are assumed to belong to the same tenant. In multi-tenant scenarios (see below) I would normally recommend using another top-level domain name (such as contoso.ch or ch-contoso.com).
+- Who should "own" a tenant? I often see customers that do not know who currently owns their tenant. This is a big red flag. Call Microsoft support ASAP. Just as problematic is when a service owner (often an Exchange administrator) is designated to manage a tenant. The tenant will contain all services that you may want in the future. The tenant owner should be a group that can make decision for enablement of all cloud services in an organization. Another problem is when a tenant owner group is asked to manage all services. This doesn't scale for large organizations.
- There is no concept of a sub/super tenant. For some reason, this myth keeps repeating itself. This applies to [Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/) tenants as well. I hear too many times, "My B2C environment is in my XYZ Tenant," or "How do I move my Azure tenant into my Office 365 tenant?" - This document mostly focuses on the commercial worldwide cloud as this is what most customers are using. It sometimes useful to know about [sovereign clouds](https://docs.microsoft.com/azure/active-directory/develop/authentication-national-cloud). Sovereign clouds have additional implications to discuss which are out of scope for this discussion. - ## Baseline identity topics
-There is a lot of documentation about Microsoft's identity platform ΓÇô Azure Active Directory (Azure AD). For those who are just starting, it often feels overwhelming. Even after you learn about it, keeping up with constant innovation and change can be challenging. In my customer interactions I often find myself serving as "translator" between business goals and "Good, Better, Best" approaches to address these (as well as human "cliff notes" for these topics). There is rarely a perfect answer and the "right" decision is a balance of various risk factors. Below are some of the common questions and confusion areas I tend to discuss with customers.
+There is much documentation about Microsoft's identity platform ΓÇô Azure Active Directory (Azure AD). For those who are just starting, it often feels overwhelming. Even after you learn about it, keeping up with constant innovation and change can be challenging. In my customer interactions I often find myself serving as "translator" between business goals and "Good, Better, Best" approaches to address these (and human "cliff notes" for these topics). There's rarely a perfect answer and the "right" decision is a balance of various risk factors. Below are some of the common questions and confusion areas I tend to discuss with customers.
### Provisioning
-Azure AD does not solve for lack of governance in your identity world! [Identity governance](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview) should be a critical element independent of any cloud decisions. Governance requirements change over time which is why it is a program and not a tool.
-[Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/whatis-azure-ad-connect) vs. [Microsoft Identity Manager](https://docs.microsoft.com/microsoft-identity-manager/microsoft-identity-manager-2016) (MIM) vs. something else (3rd party or custom)? Save yourself a lot of headache now and in the future and go with Azure AD Connect. There are all kinds of smarts in this tool to address peculiar customer configurations and ongoing innovations.
+Azure AD does not solve for lack of governance in your identity world! [Identity governance](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview) should be a critical element independent of any cloud decisions. Governance requirements change over time, which is why it is a program and not a tool.
+
+[Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/whatis-azure-ad-connect) vs. [Microsoft Identity Manager](https://docs.microsoft.com/microsoft-identity-manager/microsoft-identity-manager-2016) (MIM) vs. something else (third party or custom)? Save yourself a lot of headache now and in the future and go with Azure AD Connect. There are all kinds of smarts in this tool to address peculiar customer configurations and ongoing innovations.
+
+Some edge cases that may drive towards a more complex architecture:
-Some edge cases which may drive towards a more complex architecture:
- I have multiple AD forests without network connectivity between these. There is a new option called [Cloud Provisioning](https://docs.microsoft.com/azure/active-directory/cloud-provisioning/what-is-cloud-provisioning). - I don't have Active Directory, nor do I want to install it. Azure AD Connect can be configures to [sync from LDAP](https://docs.microsoft.com/azure/active-directory/hybrid/plan-hybrid-identity-design-considerations-tools-comparison) (partner may be required).-- I need to provision the same objects to multiple tenants. This is not technically supported but depends on definition of "same."-
-Should I customize default synchronization rules ([filter objects](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering), [change attributes](https://docs.microsoft.com/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized), [alternate login ID](https://docs.microsoft.com/azure/active-directory/hybrid/plan-connect-userprincipalname), etc.)? Avoid it! An identity platform is only as valuable as the services that use it. While you can do all kinds of nutty configurations, to answer this question you need to look at the impact on applications. If you filter mail-enabled objects, then the GAL for online services will be incomplete; if the application relies on specific attributes, filtering these will have unpredictable impact; etc. It is not an identity team decision.
+- I need to provision the same objects to multiple tenants. This isn't technically supported but depends on definition of "same."
-XYZ SaaS supports Just-in-Time (JIT) provisioning, why are you requiring me to synchronize? See above. Many applications need "profile" information for functionality. You can't have a GAL if all mail-enabled objects are not available. Same applies to [user provisioning](https://docs.microsoft.com/azure/active-directory/app-provisioning/user-provisioning) in applications integrated with Azure AD.
+Should I customize default synchronization rules ([filter objects](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering), [change attributes](https://docs.microsoft.com/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized), [alternate login ID](https://docs.microsoft.com/azure/active-directory/hybrid/plan-connect-userprincipalname), and so on)? Avoid it! An identity platform is only as valuable as the services that use it. While you can do all kinds of nutty configurations, to answer this question you need to look at the impact on applications. If you filter mail-enabled objects, then the GAL for online services will be incomplete; if the application relies on specific attributes, filtering these will have unpredictable impact; and so on. It's not an identity team decision.
+XYZ SaaS supports Just-in-Time (JIT) provisioning, why are you requiring me to synchronize? See above. Many applications need "profile" information for functionality. You can't have a GAL if all mail-enabled objects aren't available. Same applies to [user provisioning](https://docs.microsoft.com/azure/active-directory/app-provisioning/user-provisioning) in applications integrated with Azure AD.
### Authentication
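Review bot: the rewritten tenant-ownership bullet still says "make decision for enablement", which should be "make decisions about enabling"; suggest `The tenant owner should be a group that can make decisions about enabling all cloud services in an organization.` While the provisioning edge-case list is being touched, the unchanged context bullet "Azure AD Connect can be configures to sync from LDAP" has a typo ("configures" should be "configured") that is worth fixing in the same change. Also consider "a DNS subdomain" instead of "a DNS sub" in the DNS namespace bullet, and consistent lowercase "tenant" where the + lines keep "Each Tenant name" and "one and only one Tenant".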
@@ -96,37 +96,37 @@ XYZ SaaS supports Just-in-Time (JIT) provisioning, why are you requiring me to s
Usually there is a passionate [debate](https://docs.microsoft.com/azure/active-directory/hybrid/choose-ad-authn) around federation. Simpler is usually better and therefore use PHS unless you have a good reason not to. It is also possible to configure different authentication methods for different DNS domains in the same tenant. Some customers enable federation + PHS mainly for:-- An option to [fall back](https://docs.microsoft.com/azure/active-directory/hybrid/plan-migrate-adfs-password-hash-sync) to (for disaster recovery) if the federation service is not available.-- Additional capabilities (ex.: [Azure AD DS](https://docs.microsoft.com/azure/active-directory-domain-services/tutorial-configure-password-hash-sync)) and security services (ex.: [leaked credentials](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-risk-events#leaked-credentials))-- Support for services in Azure which do not understand federated authentication (ex.: [Azure Files](https://docs.microsoft.com/azure/storage/files/storage-files-active-directory-overview)).
-I often walk customers through client authentication flow to clarify some misconceptions. The result looks like the picture below, which is not as good as the interactive process of getting there.
+- An option to [fall back](https://docs.microsoft.com/azure/active-directory/hybrid/plan-migrate-adfs-password-hash-sync) to (for disaster recovery) if the federation service isn't available.
+- Additional capabilities (ex.: [Azure AD DS](https://docs.microsoft.com/azure/active-directory-domain-services/tutorial-configure-password-hash-sync)) and security services (ex.: [leaked credentials](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-risk-events#leaked-credentials))
+- Support for services in Azure that do not understand federated authentication (for example, [Azure Files](https://docs.microsoft.com/azure/storage/files/storage-files-active-directory-overview)).
+I often walk customers through client authentication flow to clarify some misconceptions. The result looks like the picture below, which isn't as good as the interactive process of getting there.
![Example whiteboard conversation](../media/solutions-architecture-center/identity-beyond-whiteboard-example.png) This type of whiteboard drawing illustrates where security policies are applied within the flow of an authentication request. In this example, policies enforced through Active Directory Federation Service (AD FS) are applied to the first service request, but not subsequent service requests. This is at least one reason to move security controls to the cloud as much as possible.
-We've been chasing the dream of [single sign-on](https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on) (SSO) for as long as I can remember. Some customers believe they can achieve this by choosing the "right" federation (STS) provider. Azure AD can help significantly to [enable SSO](https://docs.microsoft.com/azure/active-directory/manage-apps/plan-sso-deployment) capabilities, but no STS is magical. There are too many "legacy" authentication methods which are still used for critical applications. Extending Azure AD with [partner solutions](https://docs.microsoft.com/azure/active-directory/saas-apps/tutorial-list) can address many of these scenarios. SSO is a strategy and a journey. You can't get there without moving towards [standards for applications](https://docs.microsoft.com/azure/active-directory/develop/v2-app-types). Related to this topic is a journey to [passwordless](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless) authentication which also does not have a magical answer.
-
-[Multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks) (MFA) is essential today ([here](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984) for more). Add to it [user behavior analytics](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa) and you have a solution which prevents the majority of common cyber-attacks. Even consumer services are moving to require MFA. Yet, I still meet with many customers who do not want to move to [modern authentication](https://docs.microsoft.com/microsoft-365/enterprise/hybrid-modern-auth-overview) approaches. The biggest argument I hear is that it will impact users and legacy applications. Sometimes a good kick might help customers move along - Exchange Online [announced changes](https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-auth-and-exchange-online-february-2020-update/ba-p/1191282). Lots of Azure AD [reports](https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication) are now available to help customers with this transition.
-
+We've been chasing the dream of [single sign-on](https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on) (SSO) for as long as I can remember. Some customers believe they can achieve this by choosing the "right" federation (STS) provider. Azure AD can help significantly to [enable SSO](https://docs.microsoft.com/azure/active-directory/manage-apps/plan-sso-deployment) capabilities, but no STS is magical. There are too many "legacy" authentication methods that are still used for critical applications. Extending Azure AD with [partner solutions](https://docs.microsoft.com/azure/active-directory/saas-apps/tutorial-list) can address many of these scenarios. SSO is a strategy and a journey. You can't get there without moving towards [standards for applications](https://docs.microsoft.com/azure/active-directory/develop/v2-app-types). Related to this topic is a journey to [passwordless](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless) authentication, which also doesn't have a magical answer.
+[Multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks) (MFA) is essential today ([here](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984) for more). Add to it [user behavior analytics](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa) and you have a solution that prevents most common cyber-attacks. Even consumer services are moving to require MFA. Yet, I still meet with many customers who don't want to move to [modern authentication](https://docs.microsoft.com/microsoft-365/enterprise/hybrid-modern-auth-overview) approaches. The biggest argument I hear is that it will impact users and legacy applications. Sometimes a good kick might help customers move along - Exchange Online [announced changes](https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-auth-and-exchange-online-february-2020-update/ba-p/1191282). Lots of Azure AD [reports](https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication) are now available to help customers with this transition.
### Authorization
-Per [Wikipedia](https://en.wikipedia.org/wiki/Authorization), "to authorize" is to define an access policy. Many people look at it as the ability to define access controls to an object (file, service, etc.). In the current world of cyber threats, this concept is rapidly evolving to a dynamic policy which can react to various threat vectors and quickly adjust access controls in response to these. For example, if I access my bank account from an unusual location, I get additional confirmation steps. To approach this, we need to consider not just the policy itself but the ecosystem of threat detection and signal correlation methodologies.
+Per [Wikipedia](https://en.wikipedia.org/wiki/Authorization), "to authorize" is to define an access policy. Many people look at it as the ability to define access controls to an object (file, service, and so on). In the current world of cyber threats, this concept is rapidly evolving to a dynamic policy that can react to various threat vectors and quickly adjust access controls in response to these. For example, if I access my bank account from an unusual location, I get additional confirmation steps. To approach this, we need to consider not just the policy itself but the ecosystem of threat detection and signal correlation methodologies.
-The policy engine of Azure AD is implemented using [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview). This system depends on information from a variety of other threat detection systems to make dynamic decisions. A simple view would be something like the following illustration.
+The policy engine of Azure AD is implemented using [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview). This system depends on information from a variety of other threat detection systems to make dynamic decisions. A simple view would be something like the following illustration:
![Policy engine in Azure AD](../media/solutions-architecture-center/identity-and-beyond-illustration-3.png) Combining all these signals together allows for dynamic policies like these:+ - If a threat is detected on your device, your access to data will be reduced to web only without the ability to download. - If you are downloading an unusually high volume of data, anything you download will be encrypted and restricted.-- If you access a service from an unmanaged device, you will be blocked from highly sensitive data but allowed to access non-restricted data without the ability to copy it to another location.
+- If you access a service from an unmanaged device, you'll be blocked from highly sensitive data but allowed to access non-restricted data without the ability to copy it to another location.
If you agree with this expanded definition of authorization, then you need to implement additional solutions. Which solutions you implement will depend on how dynamic you want the policy to be and which threats you want to prioritize. Some examples of such systems are:+ - [Azure AD Identity Protection](https://docs.microsoft.com/azure/active-directory/identity-protection/) - [Microsoft Defender for Identity](https://docs.microsoft.com/azure-advanced-threat-protection/) - [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
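Review bot: the "ex.:" abbreviation is replaced by "for example" only in the third bullet of the federation + PHS list (Azure Files); the second bullet still uses "ex.:" twice (Azure AD DS, leaked credentials), so the list ends up inconsistent within the same hunk. Apply the same substitution to that bullet. In the MFA paragraph, "move along - Exchange Online" uses a spaced hyphen where a sentence break reads better: `Sometimes a good kick might help customers move along. Exchange Online announced changes.`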
@@ -135,16 +135,17 @@ If you agree with this expanded definition of authorization, then you need to im
- [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection?view=o365-worldwide) - [Microsoft Intune](https://docs.microsoft.com/mem/intune/) - [Microsoft Information Protection](https://docs.microsoft.com/microsoft-365/compliance/protect-information?view=o365-worldwide) (MIP)-- [Azure Sentinel](https://docs.microsoft.com/azure/sentinel/)
+- [Azure Sentinel](https://docs.microsoft.com/azure/sentinel/)
Of course, in addition to Azure AD, various services and applications have their own specific authorization models. Some of these are discussed later in the delegation section. ### Audit+ Azure AD has detailed [audit and reporting](https://docs.microsoft.com/azure/active-directory/reports-monitoring/) capabilities. However, this is usually not the only source of information needed to make security decisions. See more discussion on this in the delegation section.
-## There is no Exchange
+## There's no Exchange
-Don't Panic! This does not mean Exchange is being deprecated (or SharePoint, etc.) It is still a core service. What I mean is, for quite some time now, technology providers have been transitioning user experiences (UX) to encompass components of multiple services. In Microsoft 365, a simple example is "[modern attachments](https://support.office.com/article/Attach-files-or-insert-pictures-in-Outlook-email-messages-BDFAFEF5-792A-42B1-9A7B-84512D7DE7FC)" where attachments to email are stored in SharePoint Online or OneDrive for Business.
+Don't Panic! This does not mean Exchange is being deprecated (or SharePoint, and so on). It is still a core service. What I mean is, for quite some time now, technology providers have been transitioning user experiences (UX) to encompass components of multiple services. In Microsoft 365, a simple example is "[modern attachments](https://support.office.com/article/Attach-files-or-insert-pictures-in-Outlook-email-messages-BDFAFEF5-792A-42B1-9A7B-84512D7DE7FC)" where attachments to email are stored in SharePoint Online or OneDrive for Business.
![Attaching a file to an email](../media/solutions-architecture-center/modern-attachments.png)
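Review bot: changing the heading from "There is no Exchange" to "There's no Exchange" changes the heading's generated anchor, so any existing link to the old fragment (from other articles or external bookmarks) will stop resolving; confirm there are no inbound links before renaming, or keep the original heading text. The following paragraph keeps "This does not mean Exchange" and "It is still a core service" uncontracted while the rest of the change contracts "is not" and "it is", so the style pass is applied inconsistently here.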
@@ -154,11 +155,11 @@ Looking at the Outlook client you can see many services that are "connected" as
Read about [Microsoft Fluid Framework](https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-ignite-blog-microsoft-fluid-framework-preview/ba-p/978268) for preview of upcoming capabilities. In preview now, I can read and reply to Teams conversations directly in Outlook. In fact, the [Teams client](https://products.office.com/microsoft-teams/download-app) is one of the more prominent examples of this strategy.
-Overall, it is becoming harder to draw a clear line between Office 365 and other services in Microsoft clouds. I view it as a great benefit to customers since they can benefit from total innovation across everything we do even if they use one component. Pretty cool and has far reaching implications for many customers.
+Overall, it's becoming harder to draw a clear line between Office 365 and other services in Microsoft clouds. I view it as a great benefit to customers since they can benefit from total innovation across everything we do even if they use one component. Pretty cool and has far reaching implications for many customers.
-Today, I find many customer IT groups are structured around "products." It's logical for an on-premises world since you need an expert for each specific product. However, I am totally happy that I don't have to debug an Active Directory or Exchange database ever again as these services have moved to the cloud. Automation (which cloud kind of is) removes certain repetitive manual jobs (look what happened to factories). However, these are replaced with more complex requirements to understand cross-services interaction, impact, business needs, etc. If you are willing to [learn](https://docs.microsoft.com/learn/), there are great opportunities enabled by cloud transformation. Before jumping into technology, I often talk to customers about managing change in IT skills and team structures.
+Today, I find many customer IT groups are structured around "products." It's logical for an on-premises world since you need an expert for each specific product. However, I am totally happy that I don't have to debug an Active Directory or Exchange database ever again as these services have moved to the cloud. Automation (which cloud kind of is) removes certain repetitive manual jobs (look what happened to factories). However, these are replaced with more complex requirements to understand cross-services interaction, impact, business needs, and so on. If you are willing to [learn](https://docs.microsoft.com/learn/), there are great opportunities enabled by cloud transformation. Before jumping into technology, I often talk to customers about managing change in IT skills and team structures.
-To all SharePoint fan-people and developers, please stop asking "How can I do XYZ in SharePoint online?" Use [Power Automate](https://docs.microsoft.com/power-automate/) (aka Flow) for workflow, it is a much more powerful platform. Use [Azure Bot Framework](https://docs.microsoft.com/azure/bot-service/?view=azure-bot-service-4.0) to create a better UX for your 500K item list. Start using [Microsoft Graph](https://developer.microsoft.com/graph/) instead of CSOM. [Microsoft Teams](https://docs.microsoft.com/MicrosoftTeams/Teams-overview) includes SharePoint but also a world more. There are many other examples I can list. There is a vast and wonderful universe out there. Open the door and [start exploring](https://docs.microsoft.com).
+To all SharePoint fan-people and developers, please stop asking "How can I do XYZ in SharePoint online?" Use [Power Automate](https://docs.microsoft.com/power-automate/) (or Flow) for workflow, it is a much more powerful platform. Use [Azure Bot Framework](https://docs.microsoft.com/azure/bot-service/?view=azure-bot-service-4.0) to create a better UX for your 500-K item list. Start using [Microsoft Graph](https://developer.microsoft.com/graph/) instead of CSOM. [Microsoft Teams](https://docs.microsoft.com/MicrosoftTeams/Teams-overview) includes SharePoint but also a world more. There are many other examples I can list. There's a vast and wonderful universe out there. Open the door and [start exploring](https://docs.microsoft.com).
The other common impact is in the compliance area. This cross-services approach seems to completely confuse many compliance policies. I keep seeing organizations that state, "I need to journal all email communications to an eDiscovery system." What does this really mean when email is no longer just email but a window into other services? Office 365 has a comprehensive approach for [compliance](https://docs.microsoft.com/microsoft-365/compliance/), but changing people and processes are often much more difficult than technology.
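Review bot: "500-K item list" in the SharePoint paragraph is not a standard rendering; the original "500K item list" was clearer, and "500K-item list" (or "500,000-item list") is the conventional form. Replacing "(aka Flow)" with "(or Flow)" also drops the "also known as" meaning; "(also known as Flow)" keeps it. The comma splice "Use Power Automate ... for workflow, it is a much more powerful platform" is carried over unchanged; a semicolon or period fixes it.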
@@ -168,22 +169,23 @@ There are many other people and process implications. In my opinion, this is a c
### Single tenant vs. multi-tenant
-In general, most customers should have only one production tenant. There are many reasons why multiple tenants are challenging (give it a [Bing search](https://www.bing.com/search?q=office%20365%20multiple%20tenants)) or read this [whitepaper](https://aka.ms/multi-tenant-user). At the same time, many enterprise customers I work with have another (small) tenant for IT learning, testing, and experimentation. Cross-tenant Azure access is made easier with [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/). Office 365 and many other SaaS services have limits for cross-tenant scenarios. There is a lot to consider in [Azure AD B2B](https://docs.microsoft.com/azure/active-directory/b2b/what-is-b2b) scenarios.
+In general, most customers should have only one production tenant. There are many reasons why multiple tenants are challenging (give it a [Bing search](https://www.bing.com/search?q=office%20365%20multiple%20tenants)) or read this [whitepaper](https://aka.ms/multi-tenant-user). At the same time, many enterprise customers I work with have another (small) tenant for IT learning, testing, and experimentation. Cross-tenant Azure access is made easier with [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/). Office 365 and many other SaaS services have limits for cross-tenant scenarios. There's a lot to consider in [Azure AD B2B](https://docs.microsoft.com/azure/active-directory/b2b/what-is-b2b) scenarios.
-Many customers end-up with multiple production tenants after a merger and acquisition (M&A) and want to consolidate. Today that's not simple and would require Microsoft Consulting Services (MCS) or a partner plus 3rd party software. There is an ongoing engineering work to address various scenarios with multi-tenant customers in the future.
+Many customers end-up with multiple production tenants after a merger and acquisition (M&A) and want to consolidate. Today that's not simple and would require Microsoft Consulting Services (MCS) or a partner plus third-party software. There's ongoing engineering work to address various scenarios with multi-tenant customers in the future.
Some customers choose to go with more than one tenant. This should be a very careful decision and almost always business reason driven! Some examples include the following:+ - A holding type company structure where easy collaboration between different entities is not required and there is strong administrative and other isolation needs. - After an acquisition, a business decision is made to keep two entities separate.-- Simulation of a customer's environment which does not change the customer's production environment.
+- Simulation of a customer's environment that does not change the customer's production environment.
- Development of software for customers. In these multi-tenant scenarios, customers often want to keep some configuration the same across tenants, or report on configuration changes and drifts. This often means moving from manual changes to configuration as code. Microsoft Premiere support offers a workshop for these types of requirements based on this public IP: [https://Microsoft365dsc.com](https://Microsoft365dsc.com).
+### Multi-Geo
-### Multi-Geo
+To [Multi-Geo](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-multi-geo) or not to Multi-Geo, that is the question. With Office 365 Multi-Geo, you can provision and store data at rest in the geo locations that you've chosen to meet [data residency](https://docs.microsoft.com/microsoft-365/enterprise/o365-data-locations) requirements. There are many misconceptions about this capability. Keep the following in mind:
-To [Multi-Geo](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-multi-geo) or not to Multi-Geo, that is the question. With Office 365 Multi-Geo, you can provision and store data at rest in the geo locations that you've chosen to meet [data residency](https://docs.microsoft.com/microsoft-365/enterprise/o365-data-locations) requirements. There are many misconceptions about this capability. Keep the following in mind:
- It does not to provide performance benefits. It could make performance worse if the [network design](https://aka.ms/office365networking) is not correct. Get devices "close" to the Microsoft network, not necessarily to your data. - It is not a solution for [GDPR compliance](https://www.microsoft.com/trust-center/privacy/gdpr-overview). GDPR does not focus on data sovereignty or storage locations. There are other compliance frameworks for that. - It does not solve delegation of administration (see below) or [information barriers](https://docs.microsoft.com/microsoft-365/compliance/information-barriers).
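Review bot: the unchanged Multi-Geo bullet that closes this hunk still carries an extra word, "It does not to provide performance benefits."; since the hunk already rewrites the surrounding Multi-Geo lines, drop "to" so it reads "It does not provide performance benefits." The holding-company bullet earlier in the same region has a number disagreement, "there is strong administrative and other isolation needs", which should be "there are strong administrative and other isolation needs".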
@@ -196,39 +198,39 @@ In most large organizations, separation of duties and role-based access control
### Azure AD and Microsoft 365 admin centers
-There is a long and growing list of [built-in roles](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles). Each role consists of a list of role permissions grouped together to allow specific actions to be performed. You can see these permissions in the "Description" tab inside each role. Alternatively you can see a more human readable version of these in the Microsoft 365 Admin Center. The definitions for built-in roles cannot be modified. I generally, group these into three categories:
+There's a long and growing list of [built-in roles](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles). Each role consists of a list of role permissions grouped together to allow specific actions to be performed. You can see these permissions in the "Description" tab inside each role. Alternatively you can see a more human readable version of these in the Microsoft 365 Admin Center. The definitions for built-in roles cannot be modified. I generally, group these into three categories:
-- **Global administrator** ΓÇö This "all powerful" role should be [highly protected](https://docs.microsoft.com/microsoft-365/enterprise/protect-your-global-administrator-accounts) just like you would in other systems. Typical recommendations include: no permanent assignment and use Azure AD Privileged Identity Management (PIM); strong authentication; etc. Interestingly, this role does not give you access to everything by default. Typically, I see confusion about compliance access and Azure access, discussed later. However, this role can always assign access to other services in the tenant. -- **Specific service admins** ΓÇö Some services (Exchange, SharePoint, Power BI, etc.) consume high-level administration roles from Azure AD. This is not consistent across all services and there are more service specific roles discussed later.-- **Functional** ΓÇö There is a long (and growing) list of roles focused on specific operations (guest inviter, etc.). Periodically, more of these are added based on customer needs.
+- **Global administrator**: This "all powerful" role should be [highly protected](https://docs.microsoft.com/microsoft-365/enterprise/protect-your-global-administrator-accounts) just like you would in other systems. Typical recommendations include: no permanent assignment and use Azure AD Privileged Identity Management (PIM); strong authentication; and so on. Interestingly, this role doesn't give you access to everything by default. Typically, I see confusion about compliance access and Azure access, discussed later. However, this role can always assign access to other services in the tenant.
+- **Specific service admins**: Some services (Exchange, SharePoint, Power BI, and so on) consume high-level administration roles from Azure AD. This isn't consistent across all services and there are more service-specific roles discussed later.
+- **Functional**: There is a long (and growing) list of roles focused on specific operations (guest inviter, and so on). Periodically, more of these are added based on customer needs.
It is not possible to delegate everything (although the gap is decreasing), which means the Global admin role would need to be used sometimes. Configuration-as-code and automation should be considered instead of people membership of this role. **Note**: The Microsoft 365 admin center has a more user-friendly interface but has subset of capabilities compared to the Azure AD admin experience. Both portals use the same Azure AD roles, so changes are occurring in the same place. Tip: if you want an identity-management focused admin UI without all the Azure clutter, use [https://aad.portal.azure.com](https://aad.portal.azure.com).
-What's in the name? Don't make assumptions from the name of the role. Language is not a very precise tool. The goal should be to define operations that need to be delegated before looking at what roles are needed. Adding somebody to the "Security Reader" role does not make them see security settings across everything.
+What's in the name? Don't make assumptions from the name of the role. Language is not a very precise tool. The goal should be to define operations that need to be delegated before looking at what roles are needed. Adding somebody to the "Security Reader" role does not make them see security settings across everything.
The ability to create [custom roles](https://docs.microsoft.com/azure/active-directory/users-groups-roles/roles-custom-overview) is a common question. This is limited in Azure AD today (see below) but will grow in capabilities over time. I think of these as applicable to functions in Azure AD and may not span "down" the hierarchy model (discussed above). Whenever I deal with "custom," I tend to go back to my principal of "simple is better."
-Another common question is ability to scope roles to a subset of a directory. One example is something like "Helpdesk Administrator for users in EU only." [Administrative Units](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-administrative-units) (AU) are intended to address this. Like above, I think of these as applicable to functions in Azure AD and may not span "down." Of course, certain roles do not make sense to scope (global admins, service admins, etc.)
+Another common question is ability to scope roles to a subset of a directory. One example is something like "Helpdesk Administrator for users in EU only." [Administrative Units](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-administrative-units) (AU) are intended to address this. Like above, I think of these as applicable to functions in Azure AD and may not span "down." Of course, certain roles don't make sense to scope (global admins, service admins, and so on).
-Today, all these roles require direct membership (or dynamic assignment if you use [Azure AD PIM](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/)). This means customers must manage these directly in Azure AD and these cannot be based on a security group membership. I am not a fan of creating scripts to manage these as it would need to run with elevated rights. I generally recommend API integration with process systems like ServiceNow or using partner governance tools like Saviynt. There is engineering work going on to address this over time.
+Today, all these roles require direct membership (or dynamic assignment if you use [Azure AD PIM](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/)). This means customers must manage these directly in Azure AD and these cannot be based on a security group membership. I'm not a fan of creating scripts to manage these as it would need to run with elevated rights. I generally recommend API integration with process systems like ServiceNow or using partner governance tools like Saviynt. There's engineering work going on to address this over time.
-I mentioned [Azure AD PIM](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/) a few times. There is a corresponding Microsoft Identity Manager (MIM) [Privileged Access Management](https://docs.microsoft.com/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services) (PAM) solution for on-premises controls. You might also want to look at [Privileged Access Workstations](https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations) (PAWs) and [Azure AD Identity Governance](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview). There are a variety of 3rd party tools as well which can enable just-in-time, just-enough, and dynamic role elevation. This is usually part of a larger discussion for securing an environment.
+I mentioned [Azure AD PIM](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/) a few times. There is a corresponding Microsoft Identity Manager (MIM) [Privileged Access Management](https://docs.microsoft.com/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services) (PAM) solution for on-premises controls. You might also want to look at [Privileged Access Workstations](https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations) (PAWs) and [Azure AD Identity Governance](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview). There are various third-party tools as well, which can enable just-in-time, just-enough, and dynamic role elevation. This is usually part of a larger discussion for securing an environment.
Sometimes scenarios call for adding an external user to a role (see the multi-tenant section, above). This works just fine. [Azure AD B2B](https://docs.microsoft.com/azure/active-directory/b2b/) is another large and fun topic to walk customers through, perhaps in another article. ### Security and Compliance Center (SCC)
-[Permissions in the Office 365 Security & Compliance Center](https://docs.microsoft.com/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center) are a collection of "role groups" which are separate and distinct from Azure AD roles. This can be confusing because some of these role groups have the same name as Azure AD roles (for example, Security Reader), yet they can have different membership. I prefer the use of Azure AD roles. Each role group consists of one or more "roles" (see what I mean about reusing the same word?) and have members from Azure AD which are email enabled objects. Also, you can create a role group with the same name as a role which may or may not contain that role (avoid this confusion).
+[Permissions in the Office 365 Security & Compliance Center](https://docs.microsoft.com/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center) are a collection of "role groups", which are separate and distinct from Azure AD roles. This can be confusing because some of these role groups have the same name as Azure AD roles (for example, Security Reader), yet they can have different membership. I prefer the use of Azure AD roles. Each role group consists of one or more "roles" (see what I mean about reusing the same word?) and have members from Azure AD, which are email enabled objects. Also, you can create a role group with the same name as a role, which may or may not contain that role (avoid this confusion).
In a sense, these are an evolution of the Exchange role groups model. However, Exchange Online has its own [role group management](https://docs.microsoft.com/exchange/permissions-exo) interface. Some role groups in Exchange Online are locked and managed from Azure AD or the Security & Compliance Center, but others might have the same or similar names and are managed in Exchange Online (adding to the confusion). I recommend you avoid using the Exchange Online user interface unless you need scopes for Exchange management.
-You cannot create custom roles. Roles are defined by services created by Microsoft and will grow as new services are introduced. This is similar in concept to [roles defined by applications](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) in Azure AD. When new services are enabled, often new role groups need to be created in order to grant or delegate access to these (for example, [insider risk management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure?view=o365-worldwide#step-1-required-enable-permissions-for-insider-risk-management)).
+You can't create custom roles. Roles are defined by services created by Microsoft and will grow as new services are introduced. This is similar in concept to [roles defined by applications](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) in Azure AD. When new services are enabled, often new role groups need to be created in order to grant or delegate access to these (for example, [insider risk management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure?view=o365-worldwide#step-1-required-enable-permissions-for-insider-risk-management)).
These role groups also require direct membership and cannot contain Azure AD groups. Unfortunately, today these role groups are not supported by Azure AD PIM. Like Azure AD roles, I tend to recommend management of these through APIs or a partner governance product like Saviynt, or others.
-Security & Compliance Center roles span Microsoft 365 and you can't scope these role groups to a subset of the environment (like you can with administrative units in Azure AD). Many customers ask how they can sub-delegate. For example, "create a DLP policy only for EU users." Today, if you have rights to a specific function in the Security & Compliance Center, you have rights to everything covered by this function in the tenant. However, many policies have capabilities to target a subset of the environment (for example, "make these [labels](https://docs.microsoft.com/microsoft-365/compliance/create-sensitivity-labels#publish-sensitivity-labels-by-creating-a-label-policy) available only to these users"). Proper governance and communication are a key component to avoid conflicts. Some customers choose to implement a "configuration as code" approach to address sub-delegation in the Security & Compliance Center. Some specific services support sub-delegation (see below).
+Security & Compliance Center roles span Microsoft 365 and you can't scope these role groups to a subset of the environment (like you can with administrative units in Azure AD). Many customers ask how they can subdelegate. For example, "create a DLP policy only for EU users." Today, if you have rights to a specific function in the Security & Compliance Center, you have rights to everything covered by this function in the tenant. However, many policies have capabilities to target a subset of the environment (for example, "make these [labels](https://docs.microsoft.com/microsoft-365/compliance/create-sensitivity-labels#publish-sensitivity-labels-by-creating-a-label-policy) available only to these users"). Proper governance and communication are a key component to avoid conflicts. Some customers choose to implement a "configuration as code" approach to address subdelegation in the Security & Compliance Center. Some specific services support subdelegation (see below).
It's worth noting that controls currently managed through the Security & Compliance Center (protection.office.com) are in the process of being migrated to two separate admin portals: security.microsoft.com and compliance.microsoft.com. Change is the only constant!
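Review bot: the rewritten intro line keeps a stray comma in "I generally, group these into three categories:"; it should read "I generally group these into three categories:". In the rewritten role-group line, "Each role group consists of one or more "roles" ... and have members from Azure AD, which are email enabled objects" mixes singular and plural (use "consists ... and has members") and "email-enabled" wants a hyphen. Two unchanged context lines in the hunk could be fixed while you are here: the Note sentence "has subset of capabilities" is missing an article ("has a subset"), and "my principal of "simple is better"" should be "principle".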
@@ -251,7 +253,7 @@ As stated earlier, many customers are looking to achieve a more granular delegat
+ **Power Apps** - [https://docs.microsoft.com/power-platform/admin/wp-security ](https://docs.microsoft.com/power-platform/admin/wp-security ) <br> Note: there are multiple types with variations in the admin/delegation models. + **Power Automate** - [https://docs.microsoft.com/power-automate/environments-overview-admin ](https://docs.microsoft.com/power-automate/environments-overview-admin )
- + **PowerBI** - [https://docs.microsoft.com/power-bi/service-admin-governance ](https://docs.microsoft.com/power-bi/service-admin-governance ) <br>
+ + **Power BI** - [https://docs.microsoft.com/power-bi/service-admin-governance ](https://docs.microsoft.com/power-bi/service-admin-governance ) <br>
Note: data platform security and delegation (which Power BI is a component) is a complex area. - **MEM/Intune** - [https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control ](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control ) - **Microsoft Defender for Endpoint** - [https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles ](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles )
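Review bot: the edited Power BI line keeps a trailing space inside both the link text and the link target, "[https://docs.microsoft.com/power-bi/service-admin-governance ](https://docs.microsoft.com/power-bi/service-admin-governance )"; trim it so the URL renders and resolves cleanly, and note that the Power Apps and Power Automate links on the preceding context line carry the same trailing spaces. The context line that follows, "data platform security and delegation (which Power BI is a component)", should read "(of which Power BI is a component)".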
@@ -262,14 +264,15 @@ Note: data platform security and delegation (which Power BI is a component) is a
For the rest, search in Docs has been really good lately - [https://docs.microsoft.com/](https://docs.microsoft.com/microsoft-365/compliance/information-barriers). - ### Activity Logs
-Office 365 has a [unified audit log](https://docs.microsoft.com/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance). ItΓÇÖs a very [detailed log](https://docs.microsoft.com/office/office-365-management-api/office-365-management-activity-api-schema), but donΓÇÖt read too much into the name. It may not contain everything you want or need for your security and compliance needs. Also, some customers are really interested in [Advanced Audit](https://docs.microsoft.com/microsoft-365/compliance/advanced-audit).
-Examples of Microsoft 365 logs which are accessed through other APIΓÇÖs include the following:
+Office 365 has a [unified audit log](https://docs.microsoft.com/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance). ItΓÇÖs a very [detailed log](https://docs.microsoft.com/office/office-365-management-api/office-365-management-activity-api-schema), but donΓÇÖt read too much into the name. It may not contain everything you want or need for your security and compliance needs. Also, some customers are really interested in [Advanced Audit](https://docs.microsoft.com/microsoft-365/compliance/advanced-audit).
+
+Examples of Microsoft 365 logs that are accessed through other APIs include the following:
+ - [Azure AD](https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings) (activities not related to Office 365) - [Exchange Message Tracking](https://docs.microsoft.com/powershell/module/exchange/get-messagetrace)-- Threat/UEBA Systems discussed above (for example, Azure AD Identity Protection, Microsoft Cloud App Security, Microsoft Defender for Endpoint, etc.)
+- Threat/UEBA Systems discussed above (for example, Azure AD Identity Protection, Microsoft Cloud App Security, Microsoft Defender for Endpoint, and so on)
- [Microsoft information protection](https://docs.microsoft.com/microsoft-365/compliance/data-classification-activity-explorer?view=o365-worldwide) - [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi) - [Microsoft Graph](https://graph.microsoft.com)
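Review bot: the unchanged lead-in line "For the rest, search in Docs has been really good lately - [https://docs.microsoft.com/](https://docs.microsoft.com/microsoft-365/compliance/information-barriers)" shows the docs root as link text but targets the information barriers page, so either the text or the target is wrong; since this hunk already reworks the lines right after it, make the link text and target agree, and make sure "### Activity Logs" sits on its own line rather than after "- " so the heading renders. In the reworked list, "Threat/UEBA Systems" should use lowercase "systems".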
@@ -284,31 +287,31 @@ High level diagram:
The diagram above represents built-in capabilities to send logs to Event Hub and/or Azure Storage and/or Azure Log Analytics. Not all systems include this out-of-the-box yet. But there are other approaches to send these logs to the same repository. For example, see [Protecting your Teams with Azure Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/protecting-your-teams-with-azure-sentinel/ba-p/1265761).
-Combining all the logs into one storage location includes added benefit, such as cross-correlations, custom retention times, augmenting with data needed to support RBAC model, etc. Once data is in this storage system, you can create a PowerBI dashboard (or another type of visualization) with an appropriate RBAC model.
+Combining all the logs into one storage location includes added benefit, such as cross-correlations, custom retention times, augmenting with data needed to support RBAC model, and so on. Once data is in this storage system, you can create a Power BI dashboard (or another type of visualization) with an appropriate RBAC model.
Logs do not have to be directed to one place only. It might also be beneficial to integrate [Office 365 Logs with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/connect-office-365-to-microsoft-cloud-app-security) or a custom RBAC model in [Power BI](https://docs.microsoft.com/microsoft-365/admin/usage-analytics/usage-analytics?view=o365-worldwide). Different repositories have different benefits and audiences.
-It's worth mentioning that there is a very rich built-in analytics system for security, threats, vulnerabilities, etc. in a service called [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection?view=o365-worldwide).
+It's worth mentioning that there is a very rich built-in analytics system for security, threats, vulnerabilities, and so on in a service called [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection?view=o365-worldwide).
-Many large customers want to transfer this log data to a 3rd party system (for example, SIEM). There are different approaches for this, but in-general [Azure Event Hub](https://docs.microsoft.com/azure/azure-monitor/platform/stream-monitoring-data-event-hubs) and [Graph](https://docs.microsoft.com/graph/security-integration) are good starting points.
+Many large customers want to transfer this log data to a third-party system (for example, SIEM). There are different approaches for this, but in-general [Azure Event Hub](https://docs.microsoft.com/azure/azure-monitor/platform/stream-monitoring-data-event-hubs) and [Graph](https://docs.microsoft.com/graph/security-integration) are good starting points.
+### Azure
-### Azure
I am often asked if there is a way to separate high-privilege roles between Azure AD, Azure, and SaaS (ex.: Global Administrator for Office 365 but not Azure). Not really. Multi-tenant architecture is needed if complete administrative separation is required, but that adds significant [complexity](https://aka.ms/multi-tenant-user) (see above). All these services are part of the same security/identity boundary (look at the hierarchy model above).
-It is important to understand relationships between various services in the same tenant. I am working with many customers which are building business solutions which span Azure, Office 365, and Power Platform (and often also on-premises and 3rd party cloud services). One common example:
-- I want to collaborate on a set of documents/images/etc (Office 365)-- send each one of them through an approval process (Power Platform)-- once all components are approved, assemble these into a unified deliverable(s) (Azure)
+It is important to understand relationships between various services in the same tenant. I am working with many customers that are building business solutions that span Azure, Office 365, and Power Platform (and often also on-premises and third-party cloud services). One common example:
+
+1. I want to collaborate on a set of documents/images/etc (Office 365)
+2. Send each one of them through an approval process (Power Platform)
+3. After all components are approved, assemble these into a unified deliverable(s) (Azure)
[Microsoft Graph API](https://docs.microsoft.com/azure/active-directory/develop/microsoft-graph-intro) is your best friend for these. Not impossible, but significantly more complex to design a solution spanning [multiple tenants](https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps).
-Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can manage access to resources by granting users the fewest permissions needed to perform their jobs. Details are out of scope for this document, but for more information on RBAC, see [What is role-based access control (RBAC) in Azure?](https://docs.microsoft.com/azure/role-based-access-control/overview) RBAC is important but only part of the governance considerations for Azure. [Cloud Adoption Framework](https://docs.microsoft.com/azure/cloud-adoption-framework/govern/) is a great starting point to learn more. I like how my friend, Andres Ravinet walks customers step-by-step though various components to decide on the approach. High-level view for various elements (not as good as the process to get to actual customer model) is something like this:
+Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can manage access to resources by granting users the fewest permissions needed to perform their jobs. Details are out of scope for this document, but for more information on RBAC, see [What is role-based access control (RBAC) in Azure?](https://docs.microsoft.com/azure/role-based-access-control/overview) RBAC is important but only part of the governance considerations for Azure. [Cloud Adoption Framework](https://docs.microsoft.com/azure/cloud-adoption-framework/govern/) is a great starting point to learn more. I like how my friend, Andres Ravinet walks customers step by step though various components to decide on the approach. High-level view for various elements (not as good as the process to get to actual customer model) is something like this:
![High-level view of Azure components for delegated administration](../media/solutions-architecture-center/identity-beyond-illustration-5.png)
-As you can see from above picture, many other services should be considered as part of the design (ex.: [Azure Policies](https://docs.microsoft.com/azure/governance/policy/overview), [Azure Blueprints](https://docs.microsoft.com/azure/governance/blueprints/overview), [Management Groups](https://docs.microsoft.com/azure/governance/management-groups/), etc.)
+As you can see from above picture, many other services should be considered as part of the design (ex.: [Azure Policies](https://docs.microsoft.com/azure/governance/policy/overview), [Azure Blueprints](https://docs.microsoft.com/azure/governance/blueprints/overview), [Management Groups](https://docs.microsoft.com/azure/governance/management-groups/), and so on).
## Conclusion
-Started as a short summary, ended-up longer than I expected. I hope you are now ready to venture into a deep see of creating delegation model for your organization. This conversation is very common with customers. There is no one model that works for everyone. Waiting for a few planned improvements from Microsoft engineering before documenting common patterns we see across customers. In the meantime, you can work with your Microsoft account team to arrange a visit to the nearest [Microsoft Technology Center](https://www.microsoft.com/mtc). See you there!
-
+Started as a short summary, ended-up longer than I expected. I hope you are now ready to venture into a deep see of creating delegation model for your organization. This conversation is very common with customers. There is no one model that works for everyone. Waiting for a few planned improvements from Microsoft engineering before documenting common patterns we see across customers. In the meantime, you can work with your Microsoft account team to arrange a visit to the nearest [Microsoft Technology Center](https://www.microsoft.com/mtc). See you there!
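Review bot: the rewritten Azure RBAC paragraph introduces "walks customers step by step though various components", where "through" is meant, and "my friend, Andres Ravinet walks" needs either commas on both sides of the name or none. In the same hunk, "in-general" in the SIEM sentence should be unhyphenated "in general", and the conclusion line is carried over unchanged with "venture into a deep see of creating delegation model", which should read "deep sea of creating a delegation model". The hunk also leaves "(ex.:" in the Azure Policies sentence while replacing "etc." with "and so on" elsewhere; "for example" would match the rest of the edit.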
solutions https://docs.microsoft.com/en-us/microsoft-365/solutions/industry-specific-guidance-overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/industry-specific-guidance-overview.md
@@ -1,6 +1,6 @@
--- title: Microsoft 365 industry-specific guidance overview
-description: Description.
+description: Find best practices for your industry - finance, healthcare, and education.
ms.author: samanro author: samanro manager: bcarter
solutions https://docs.microsoft.com/en-us/microsoft-365/solutions/networking-design-principles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/networking-design-principles.md
@@ -1,6 +1,6 @@
---
-title: Networking up (to the cloud) ΓÇö One architectΓÇÖs viewpoint
-description: Description.
+title: Networking up (to the cloud)ΓÇöOne architectΓÇÖs viewpoint
+description: Learn how to optimize your network for cloud connectivity by avoiding the most common pitfalls.
ms.author: bcarter author: brendacarter manager: bcarter
@@ -15,7 +15,7 @@ ms.custom:
f1.keywords: NOCSH ---
-# Networking up (to the cloud) ΓÇö One architectΓÇÖs viewpoint
+# Networking up (to the cloud)ΓÇöOne architectΓÇÖs viewpoint
In this article, [Ed Fisher](https://www.linkedin.com/in/edfisher/), Security & Compliance Architect at Microsoft, describes how to optimize your network for cloud connectivity by avoiding the most common pitfalls.
@@ -23,83 +23,87 @@ In this article, [Ed Fisher](https://www.linkedin.com/in/edfisher/), Security &
![Ed Fisher photo](../media/solutions-architecture-center/ed-fisher-networking.jpg)
-I am currently a Principal Technical Specialist in the South East region focusing on Security & Compliance. I have worked with customers moving to Office 365 for the past ten years. IΓÇÖve worked with smaller shops with a handful of locations to government agencies and enterprises with millions of users distributed around the world, and many other customers in between, with the majority having tens of thousands of users, multiple locations in various parts of the world, the need for a higher degree of security, and a multitude of compliance requirements. I have helped hundreds of enterprises and millions of users move to the cloud safely and securely.
+I'm currently a Principal Technical Specialist in the South East region focusing on Security & Compliance. I've worked with customers moving to Office 365 for the past 10 years. IΓÇÖve worked with smaller shops with a handful of locations to government agencies and enterprises with millions of users distributed around the world, and many other customers in between, with the majority having tens of thousands of users, multiple locations in various parts of the world, the need for a higher degree of security, and a multitude of compliance requirements. I've helped hundreds of enterprises and millions of users move to the cloud safely and securely.
With a background over the past 25 years that includes security, infrastructure, and network engineering, and having moved two of my previous employers to Office 365 before joining Microsoft, IΓÇÖve been on your side of the table plenty of times, and do remember what thatΓÇÖs like. While no two customers are ever the same, most have similar needs, and when consuming a standardized service such as any SaaS or PaaS platform, the best approaches tend to be the same.
+## ItΓÇÖs not the networkΓÇöitΓÇÖs how youΓÇÖre (mis)using it!
+No matter how many times it happens, it never fails to amaze me how *creative* security teams and networking teams try to get with how they think they should connect to Microsoft cloud services. ThereΓÇÖs always some security policy, compliance standard, or better way they insist on using, without being willing to engage in a conversation about what it is they're trying to accomplish, or *how* they're better, easier, more cost-effective, and more performant ways of doing so.
-## ItΓÇÖs not the network ΓÇö itΓÇÖs how youΓÇÖre (mis)using it!
-
-No matter how many times it happens, it never fails to amaze me how *creative* security teams and networking teams try to get with how they think they should connect to Microsoft cloud services. ThereΓÇÖs always some security policy, compliance standard, or better way they insist on using, without being willing to engage in a conversation about what it is they are trying to accomplish, or *how* they are better, easier, more cost-effective, and more performant ways of doing so.
-
-When this sort of thing is escalated to me, IΓÇÖm usually willing to take the challenge and walk them through the hows and the whys and get them to where they need to be. But if I am being completely frank, I have to share that sometimes I want to just let them do what they will, and come back to say I told you so when they finally concede it doesnΓÇÖt work. I may want to do that sometimes, but I *donΓÇÖt*. What I do is try to explain all of what I am going to include in this post. Regardless of your role, if your organization wants to use Microsoft cloud services, thereΓÇÖs probably some wisdom in what follows that can help you out.
-
+When this sort of thing is escalated to me, IΓÇÖm usually willing to take the challenge and walk them through the how's and the why's and get them to where they need to be. But if I'm being completely frank, I have to share that sometimes I want to just let them do what they will, and come back to say I told you so when they finally concede it doesnΓÇÖt work. I may want to do that sometimes, but I *donΓÇÖt*. What I do is try to explain all of what I'm going to include in this post. Regardless of your role, if your organization wants to use Microsoft cloud services, thereΓÇÖs probably some wisdom in what follows that can help you out.
## Guiding principles+ Let’s start with some ground rules around what we’re doing here. We are discussing how to securely connect to cloud services to ensure the minimum complexity, and the maximum performance, while maintaining real security. None of what follows is counter to any of that, even if you, or your customer, won’t get to use your favorite proxy server for everything. -- **Just because you can, doesn’t mean you should** — Or to paraphrase Dr. Ian Malcolm from the Jurassic Park movie “. . . Yeah, yeah, but your security team was so preoccupied with whether or not they could that they didn't stop to think if they should.” -- **Security does not mean complexity** — You are not more secure just because you spend more money, route through more devices, or click more buttons.-- **Office 365 is accessed over the Internet** — But that’s not the same thing as Office 365 is the Internet. It’s a SaaS service managed by Microsoft and administered by you. Unlike websites you visit on the Internet, you actually do get to peek behind the curtain, and can apply the controls you need to meet your policies and your compliance standards, as long as you understand that while you can meet your objectives, you may just have to do them in a different way.-- **Chokepoints are bad, localized breakouts are good** — Everybody always wants to backhaul all their Internet traffic for all their users to some central point, usually so they can monitor it and enforce policy, but often because it’s either cheaper than provisioning Internet access in all their locations, or it’s just how they do it. But those chokepoints are exactly that…points where traffic chokes. 
There’s nothing wrong with preventing your users from browsing to Instagram or streaming cat videos, but don’t treat your mission-critical business application traffic the same way.-- **If DNS ain’t happy, ain’t nothing happy** — The best designed network can be hamstrung by poor DNS, whether that is by recursing requests to servers in other areas of the world or using your ISP’s DNS servers or other public DNS servers that cache DNS resolution information. -- **Just because that’s how you used to do it, doesn’t mean that’s how you should do it now** — Technology changes constantly and Office 365 is no exception. Applying security measures that were developed and deployed for on-premises services or to control web surfing aren’t going to provide the same level of security assurance, and can have a significant negative impact on performance.-- **Office 365 was built to be accessed over the Internet** — That’s it in a nutshell. No matter what you want to do between your users and your edge, the traffic still goes over the Internet once it leaves your network and before it gets onto ours. Even if you are using Azure ExpressRoute to route some latency sensitive traffic from your network directly to ours, Internet connectivity is absolutely required. Accept it. Don’t overthink it.
+- **Just because you can, doesnΓÇÖt mean you should**: Or to paraphrase Dr. Ian Malcolm from the Jurassic Park movie ΓÇ£...Yeah, yeah, but your security team was so preoccupied with whether or not they could that they didn't stop to think if they should.ΓÇ¥
+- **Security does not mean complexity**: You are not more secure just because you spend more money, route through more devices, or click more buttons.
+- **Office 365 is accessed over the Internet**: But thatΓÇÖs not the same thing as Office 365 is the Internet. ItΓÇÖs a SaaS service managed by Microsoft and administered by you. Unlike websites you visit on the Internet, you actually do get to peek behind the curtain, and can apply the controls you need to meet your policies and your compliance standards, as long as you understand that while you can meet your objectives, you may just have to do them in a different way.
+- **Chokepoints are bad, localized breakouts are good**: Everybody always wants to backhaul all their Internet traffic for all their users to some central point, usually so they can monitor it and enforce policy, but often because it’s either cheaper than provisioning Internet access in all their locations, or it’s just how they do it. But those chokepoints are exactly that…points where traffic chokes. There’s nothing wrong with preventing your users from browsing to Instagram or streaming cat videos, but don’t treat your mission-critical business application traffic the same way.
+- **If DNS ainΓÇÖt happy, ainΓÇÖt nothing happy**: The best designed network can be hamstrung by poor DNS, whether that is by recursing requests to servers in other areas of the world or using your ISPΓÇÖs DNS servers or other public DNS servers that cache DNS resolution information.
+- **Just because thatΓÇÖs how you used to do it, doesnΓÇÖt mean thatΓÇÖs how you should do it now**: Technology changes constantly and Office 365 is no exception. Applying security measures that were developed and deployed for on-premises services or to control web surfing arenΓÇÖt going to provide the same level of security assurance, and can have a significant negative impact on performance.
+- **Office 365 was built to be accessed over the Internet**: ThatΓÇÖs it in a nutshell. No matter what you want to do between your users and your edge, the traffic still goes over the Internet once it leaves your network and before it gets onto ours. Even if you are using Azure ExpressRoute to route some latency sensitive traffic from your network directly to ours, Internet connectivity is absolutely required. Accept it. DonΓÇÖt overthink it.
## Where bad choices are often made While there are plenty of places where bad decisions are made in the name of security, these are the ones I encounter most often with customers. Many customer conversations involve all of these at once. ### Insufficient resources at the edge+ Very few customers are deploying greenfield environments, and they have years of experience with how their users work and what their Internet egress is like. Whether customers have proxy servers or allow direct access and simply NAT outbound traffic, theyΓÇÖve been doing it for years and donΓÇÖt consider just how much more they are going to start pumping through their edge as they move traditionally internal applications out to the cloud. Bandwidth is always a concern, but NAT devices may not have enough horsepower to handle the increased load and may start prematurely closing connections to free up resources. Most of the client software that connects to Office 365 expects persistent connections and a user fully utilizing Office 365 may have 32 or more concurrent connections. If the NAT device is dropping them prematurely, those apps may become unresponsive as they try to use the connections that are no longer there. When they give up and try to establish new connections, they put even more load on your network gear. ### Localized breakout
-Everything else in this list comes down to one thing ΓÇö getting off your network and onto ours as quickly as possible. Backhauling your usersΓÇÖ traffic to a central egress point, especially when that egress point is in another region than your users are in, introduces unnecessary latency and impacts both the client experience and download speeds. Microsoft has points of presence throughout the world with front ends for all our services and peering established with practically every major ISP, so routing your usersΓÇÖ traffic out *locally* ensures it gets into our network quickly with minimum latency.
+
+Everything else in this list comes down to one thingΓÇögetting off your network and onto ours as quickly as possible. Backhauling your usersΓÇÖ traffic to a central egress point, especially when that egress point is in another region than your users are in, introduces unnecessary latency and impacts both the client experience and download speeds. Microsoft has points of presence throughout the world with front ends for all our services and peering established with practically every major ISP, so routing your usersΓÇÖ traffic out *locally* ensures it gets into our network quickly with minimum latency.
### DNS resolution traffic should follow the Internet egress path+ Of course, for a client to find any endpoint, it needs to use DNS. MicrosoftΓÇÖs DNS servers evaluate the source of DNS requests to ensure we return the response that is, in Internet terms, closest to the source of the request. Make sure your DNS is configured so that name resolution requests go out the same path as your usersΓÇÖ traffic, lest you give them local egress but to an endpoint in another region. That means letting local DNS servers ΓÇ£go to rootΓÇ¥ rather than forwarding to DNS servers in remote data centers. And watch out for public and private DNS services, which may cache results from one part of the world and serve them to requests from other parts of the world. ### To proxy or not to proxy, that is the question
-One of the first things to consider is whether to proxy usersΓÇÖ connections to Office 365. That oneΓÇÖs easy; do not proxy. Office 365 is accessed over the Internet, but it is not THE Internet. ItΓÇÖs an extension of your core services and should be treated as such. Anything you might want a proxy to do, such as DLP or antimalware or content inspection, is already available to you in the service, and can be used at scale and without needing to crack TLS-encrypted connections. But if you really want to proxy traffic that you cannot otherwise control, pay attention to our guidance at [https://aka.ms/pnc](https://aka.ms/pnc) and the categories of traffic at [https://aka.ms/ipaddrs](https://aka.ms/ipaddrs). We have three categories of traffic for Office 365. Optimize and Allow really should go direct and bypass your proxy. Default can be proxied. The details are in those docs . . . read them.
+
+One of the first things to consider is whether to proxy usersΓÇÖ connections to Office 365. That oneΓÇÖs easy; do not proxy. Office 365 is accessed over the Internet, but it is not THE Internet. ItΓÇÖs an extension of your core services and should be treated as such. Anything you might want a proxy to do, such as DLP or antimalware or content inspection, is already available to you in the service, and can be used at scale and without needing to crack TLS-encrypted connections. But if you really want to proxy traffic that you cannot otherwise control, pay attention to our guidance at [https://aka.ms/pnc](https://aka.ms/pnc) and the categories of traffic at [https://aka.ms/ipaddrs](https://aka.ms/ipaddrs). We have three categories of traffic for Office 365. Optimize and Allow really should go direct and bypass your proxy. Default can be proxied. The details are in those docs...read them.
Most customers who insist on using a proxy, when they actually look at what they are doing, come to realize that when the client makes an HTTP CONNECT request to the proxy, the proxy is now just an expensive extra router. The protocols in use such as MAPI and RTC are not even protocols that web proxies understand, so even with TLS cracking youΓÇÖre not really getting any extra security. You *are* getting extra latency. See [https://aka.ms/pnc](https://aka.ms/pnc) for more on this, including the Optimize, Allow, and Default categories for Microsoft 365 traffic. Finally, consider the overall impact to the proxy and its corresponding response to deal with that impact. As more and more connections are being made through the proxy, it may decrease the TCP Scale Factor so that it doesnΓÇÖt have to buffer so much traffic. IΓÇÖve seen customers where their proxies were so overloaded that they were using a Scale Factor of 0. Since Scale Factor is an exponential value and we like to use 8, each reduction in the Scale Factor value is a huge negative impact to throughput.
-TLS Inspection means SECURITY! But not really! Many customers with proxies want to use them to inspect all traffic, and that means TLS ΓÇ£break and inspect.ΓÇ¥ When you do that for a website accessed over HTTPS (privacy concerns notwithstanding) your proxy may have to do that for ten or even twenty concurrent streams for a few hundred milliseconds. If thereΓÇÖs a large download or maybe a video involved, one or more of those connections may last much longer, but on the whole, most of those connections establish, transfer, and close very quickly. Doing break and inspect means the proxy must do double the work. For each connection from the client to the proxy, the proxy must also make a separate connection back to the endpoint. So, one becomes two, two becomes four, thirty-two becomes sixty-four . . . see where I am going? You probably sized your proxy solution just fine for typical web surfing, but when you try to do the same thing for client connections to Office 365, the number of concurrent, long-lived connections may be orders of magnitude greater than what you sized for.
+TLS Inspection means SECURITY! But not really! Many customers with proxies want to use them to inspect all traffic, and that means TLS ΓÇ£break and inspect.ΓÇ¥ When you do that for a website accessed over HTTPS (privacy concerns notwithstanding) your proxy may have to do that for 10 or even 20 concurrent streams for a few hundred milliseconds. If thereΓÇÖs a large download or maybe a video involved, one or more of those connections may last much longer, but on the whole, most of those connections establish, transfer, and close very quickly. Doing break and inspect means the proxy must do double the work. For each connection from the client to the proxy, the proxy must also make a separate connection back to the endpoint. So, 1 becomes 2, 2 becomes 4, 32 becomes 64...see where I am going? You probably sized your proxy solution just fine for typical web surfing, but when you try to do the same thing for client connections to Office 365, the number of concurrent, long-lived connections may be orders of magnitude greater than what you sized for.
### Streaming isnΓÇÖt important, except that it *is*
-The only services in Office 365 that use UDP are Skype (soon to be retired) and Microsoft Teams. Teams uses UDP for streaming traffic including audio, video, and presentation sharing. Streaming traffic is live, such as when you are having an online meeting with voice, video, and presenting decks or performing demos. These use UDP because if packets are dropped, or arrive out of order, itΓÇÖs practically unnoticeable by the user and the stream can just keep going.
-When you donΓÇÖt permit outbound UDP traffic from clients to the service, they can fall back to using TCP. But if a TCP packet is dropped, *everything stops* until the Retransmission Timeout (RTO) expires and the missing packet can be retransmitted. If a packet arrives out of order, everything stops until the other packets arrive and can be reassembled in order. Both lead to perceptible glitches in the audio (remember Max Headroom?) and video (did you click someth . . . oh, there it is) and lead to poor performance and a bad user experience. And remember what I put up above about proxies? When you force a Teams client to use a proxy, you force it to use TCP. So now youΓÇÖre causing negative performance impacts twice.
+The only services in Office 365 that use UDP are Skype (soon to be retired) and Microsoft Teams. Teams uses UDP for streaming traffic including audio, video, and presentation sharing. Streaming traffic is live, such as when you're having an online meeting with voice, video, and presenting decks or performing demos. These use UDP because if packets are dropped, or arrive out of order, itΓÇÖs practically unnoticeable by the user and the stream can just keep going.
+
+When you donΓÇÖt permit outbound UDP traffic from clients to the service, they can fall back to using TCP. But if a TCP packet is dropped, *everything stops* until the Retransmission Timeout (RTO) expires and the missing packet can be retransmitted. If a packet arrives out of order, everything stops until the other packets arrive and can be reassembled in order. Both lead to perceptible glitches in the audio (remember Max Headroom?) and video (did you click something...oh, there it is) and lead to poor performance and a bad user experience. And remember what I put up above about proxies? When you force a Teams client to use a proxy, you force it to use TCP. So now youΓÇÖre causing negative performance impacts twice.
### Split tunneling may seem scary+ But it isnΓÇÖt. All connections to Office 365 are over TLS. We have been offering TLS 1.2 for quite a while now and will be disabling older versions soon because legacy clients still use them and thatΓÇÖs a risk.
-Forcing a TLS connection, or thirty-two of them, to go over a VPN before they then go to the service does not add security. It does add latency and reduces overall throughput. In some VPN solutions, it even forces UDP to tunnel through TCP which again will have a very negative impact on streaming traffic. And, unless you are doing TLS inspection, there is no upside, all downside. A very common theme among customers at present, now that most of their workforce is remote, is that they are seeing significant bandwidth and performance impacts from making all their users connect using a VPN, instead of configuring split tunneling for access to [Optimize category Office 365 endpoints](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-network-connectivity-principles#new-office-365-endpoint-categories).
+Forcing a TLS connection, or 32 of them, to go over a VPN before they then go to the service doesn't add security. It does add latency and reduces overall throughput. In some VPN solutions, it even forces UDP to tunnel through TCP, which again will have a very negative impact on streaming traffic. And, unless you are doing TLS inspection, there's no upside, all downside. A very common theme among customers, now that most of their workforce is remote, is that they're seeing significant bandwidth and performance impacts from making all their users connect using a VPN, instead of configuring split tunneling for access to [Optimize category Office 365 endpoints](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-network-connectivity-principles#new-office-365-endpoint-categories).
ItΓÇÖs an easy fix to do split tunneling and itΓÇÖs one you should do. For more, make sure you review [Optimize Office 365 connectivity for remote users using VPN split tunneling](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-vpn-split-tunnel). - ## The sins of the past
-Many times, the reason bad choices are made comes from a combination of (1) not knowing how the service works, (2) trying to adhere to company policies that were written before adopting the cloud, and (3) security teams who may not be easily convinced that thereΓÇÖs more than one way to accomplish their goals. Hopefully the above, and the links below, will help with the first. Executive sponsorship may be required to get past the second. Addressing the security policiesΓÇÖ goals, rather than their methods, helps with the third. From conditional access to content moderation, DLP to information protection, endpoint validation to zero-day threats ΓÇö any end goal a reasonable security policy may have can be accomplished with what is available in Office 365, and without any dependency upon on-premises network gear, forced VPN tunnels, and TLS break and inspect.
-Other times, hardware that was sized and purchased before the organization started to move to the cloud simply cannot be scaled up to handle the new traffic patterns and loads. If you truly must route all traffic through a single egress point, and/or proxy it, be prepared to upgrade network equipment and bandwidth accordingly. Carefully monitor utilization on both, as the experience wonΓÇÖt diminish slowly as more users onboard. Everything will be fine until the tipping point is reached, then everyone suffers.
+Many times, the reason bad choices are made comes from a combination of (1) not knowing how the service works, (2) trying to adhere to company policies that were written before adopting the cloud, and (3) security teams who may not be easily convinced that thereΓÇÖs more than one way to accomplish their goals. Hopefully the above, and the links below, will help with the first. Executive sponsorship may be required to get past the second. Addressing the security policiesΓÇÖ goals, rather than their methods, helps with the third. From conditional access to content moderation, DLP to information protection, endpoint validation to zero-day threatsΓÇöany end goal a reasonable security policy may have can be accomplished with what is available in Office 365, and without any dependency upon on-premises network gear, forced VPN tunnels, and TLS break and inspect.
+
+Other times, hardware that was sized and purchased before the organization started to move to the cloud simply cannot be scaled up to handle the new traffic patterns and loads. If you truly must route all traffic through a single egress point, and/or proxy it, be prepared to upgrade network equipment and bandwidth accordingly. Carefully monitor utilization on both, as the experience wonΓÇÖt diminish slowly as more users onboard. Everything will be fine until the tipping point is reached, then everyone suffers.
## Exceptions to the rules
-If your organization requires [tenant restrictions](https://docs.microsoft.com/azure/active-directory/manage-apps/tenant-restrictions), youΓÇÖll need to use a proxy with TLS break and inspect to force some traffic through the proxy, but you donΓÇÖt have to force all traffic through it. ItΓÇÖs not an all or nothing proposition, so pay attention to what does need to be modified by the proxy.
+If your organization requires [tenant restrictions](https://docs.microsoft.com/azure/active-directory/manage-apps/tenant-restrictions), youΓÇÖll need to use a proxy with TLS break and inspect to force some traffic through the proxy, but you donΓÇÖt have to force all traffic through it. ItΓÇÖs not an all or nothing proposition, so pay attention to what does need to be modified by the proxy.
-If you are going to permit split tunneling but also use a proxy for general web traffic, make sure your PAC file defines what must go direct as well as how you define interesting traffic for what goes through the VPN tunnel. We offer sample PAC files at [https://aka.ms/ipaddrs](https://aka.ms/ipaddrs) that will make this easier to manage.
+If you're going to permit split tunneling but also use a proxy for general web traffic, make sure your PAC file defines what must go direct as well as how you define interesting traffic for what goes through the VPN tunnel. We offer sample PAC files at [https://aka.ms/ipaddrs](https://aka.ms/ipaddrs) that will make this easier to manage.
## Conclusion Tens of thousands of organizations, including almost all the Fortune 500, use Office 365 everyday for their mission critical functions. They do so securely, and they do so over the Internet.
- No matter what security goals you have in play, there are ways to accomplish them that donΓÇÖt require VPN connections, proxy servers, TLS break and inspect, or centralized Internet egress to get your usersΓÇÖ traffic off your network and on to ours as quickly as you can, which provides the best performance, whether your network is the company headquarters, a remote office, or that user working at home. Our guidance is based on how the Office 365 services are built and to ensure a secure and performant user experience.
+No matter what security goals you have in play, there are ways to accomplish them that donΓÇÖt require VPN connections, proxy servers, TLS break and inspect, or centralized Internet egress to get your usersΓÇÖ traffic off your network and on to ours as quickly as you can, which provides the best performance, whether your network is the company headquarters, a remote office, or that user working at home. Our guidance is based on how the Office 365 services are built and to ensure a secure and performant user experience.
## Further reading
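Review bot: The rewrite introduces apostrophes into plural nouns in the `+` paragraph beginning "When this sort of thing is escalated to me" ("walk them through the how's and the why's"); the original "the hows and the whys" was correct, so those apostrophes should be dropped. Two consistency points in the same hunk: the `+` bio paragraph now uses straight apostrophes ("I'm", "I've") in its first and last sentences while the second sentence keeps the curly form ("I’ve worked"), and the break-and-inspect paragraph switches to numerals for single-digit counts ("1 becomes 2, 2 becomes 4") while the hunk still spells out "one thing" and "three categories of traffic" elsewhere; pick one convention for the article and apply it throughout.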
solutions https://docs.microsoft.com/en-us/microsoft-365/solutions/security-design-principles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/security-design-principles.md
@@ -16,62 +16,59 @@ ms.custom: seo-marvel-jun2020
f1.keywords: NOCSH ---
-# Security hurdles you can sail over ΓÇö One architectΓÇÖs viewpoint
+# Security hurdles you can sail overΓÇöOne architectΓÇÖs viewpoint
-In this article, [Kozeta Garrett](https://www.linkedin.com/in/kozeta-garrett-53013a6/), Cybersecurity Architect at Microsoft, describes the top security challenges she encounters at enterprise organizations and recommends approaches for sailing over these hurdles.
+In this article, [Kozeta Garrett](https://www.linkedin.com/in/kozeta-garrett-53013a6/), Cybersecurity Architect at Microsoft, describes the top security challenges she encounters at enterprise organizations and recommends approaches for sailing over these hurdles.
## About the author
-![Kozeta Garrett photo](../media/solutions-architecture-center/kozeta-garrett-security.jpg)
+![Kozeta Garrett photo](../media/solutions-architecture-center/kozeta-garrett-security.jpg)
-In my role as a Cloud Security Architect, I have worked with multiple organizations to provide strategic and technical guidance focusing on designing and implementing security architecture for customers migrating to Microsoft 365 and Azure, developing enterprise security solutions, and helping transform security architecture and culture for business resilience. My experience includes incident detection and response, malware analysis, penetration testing, and recommending improvements to IT security and defense posture. I am very passionate about leading transformations that result in security as an enabler for the business, including modernization efforts.
+In my role as a Cloud Security Architect, I've worked with multiple organizations to provide strategic and technical guidance focusing on designing and implementing security architecture for customers migrating to Microsoft 365 and Azure, developing enterprise security solutions, and helping transform security architecture and culture for business resilience. My experience includes incident detection and response, malware analysis, penetration testing, and recommending improvements to IT security and defense posture. I'm very passionate about leading transformations that result in security as an enabler for the business, including modernization efforts.
-It has been MOST satisfying to see how organizations that adopted a security modernization mindset over the last couple of years are in a great position which is allowing them to continue to operate remotely in a secure manner, despite the recent COVID-19 situation. Unfortunately, these circumstances have also served as a wake-up call for some customers, who were not ready for this immediate need. Many organizations are realizing they must modernize rapidly, retire their accumulated IT security debt, and improve their security posture overnight so they can operate in these extremely unusual circumstances.
+It has been MOST satisfying to see how organizations that adopted a security modernization mindset over the last couple of years are in a great position that is allowing them to continue to operate remotely in a secure manner, despite the recent COVID-19 situation. Unfortunately, these circumstances have also served as a wake-up call for some customers, who weren't ready for this immediate need. Many organizations are realizing they must modernize rapidly, retire their accumulated IT security debt, and improve their security posture overnight so they can operate in these extremely unusual circumstances.
-The good news is Microsoft has curated some great resources to help organizations quickly ramp up their security posture. In addition to these resources, IΓÇÖd like to share the top challenges I have encountered with customers daily in the hopes that you can sail over these hurdles.
-
-I currently live in Northern Virginia, close to our country's Capital, Washington DC. I love just about every form of outdoor activities and exercise, like running, biking, hiking, and swimming. To counter these I enjoy just as much cooking, gourmet food, and travel.
+The good news is Microsoft has curated some great resources to help organizations quickly ramp up their security posture. In addition to these resources, IΓÇÖd like to share the top challenges I've encountered with customers daily in the hopes that you can sail over these hurdles.
+I currently live in Northern Virginia, close to our country's Capital, Washington DC. I love just about every form of outdoor activities and exercise, like running, biking, hiking, and swimming. To counter these I enjoy just as much cooking, gourmet food, and travel.
## Partner with the Security team from the start of cloud adoption
-To begin, I canΓÇÖt emphasize enough how important it is for teams in your organization to coordinate from the start. Security teams must be embraced as critical partners in the early stages of cloud adoption and design. This means getting security teams onboard to champion cloud adoption, not only for the added capabilities to the business (such as a great user experience from secure mobile devices, full functionality applications, or creating value on corporate data beyond the limited functionality email and productivity applications) but also to leverage the storage, AI and computing analytics capabilities which help solve new and old security challenges. Security teams must be included in managing all aspects of this shift, including people (culture), processes (training), and technology to be successful. It also means investing in the modernization and continuous improvement of the Security Operations Center (SOC). Work together to align your security strategy with your business strategy and environment trends to ensure the digital transformation is done securely. When this is done well, organizations develop the capability to adapt faster to changes, including changes to the business, IT, and security.
+To begin, I canΓÇÖt emphasize enough how important it is for teams in your organization to coordinate from the start. Security teams must be embraced as critical partners in the early stages of cloud adoption and design. This means getting security teams onboard to champion cloud adoption, not only for the added capabilities to the business (such as a great user experience from secure mobile devices, full functionality applications, or creating value on corporate data beyond the limited functionality email and productivity applications) but also to leverage the storage, AI, and computing analytics capabilities that help solve new and old security challenges. Security teams must be included in managing all aspects of this shift, including people (culture), processes (training), and technology to be successful. It also means investing in the modernization and continuous improvement of the Security Operations Center (SOC). Work together to align your security strategy with your business strategy and environment trends to ensure the digital transformation is done securely. When this is done well, organizations develop the capability to adapt faster to changes, including changes to the business, IT, and security.
-Where I see customers trip over hurdles the most is when there is no real partnership between the operations and the SOC teams. While the operations team is being pressured and mandated with tight deadlines to adopt the cloud, the security teams are not always included early in the process to revise and plan a comprehensive security strategy. This involves integrating different cloud components as well as components on-prem. This lack of partnership further trickles down to different teams which seem to work in silos to implement controls for their specific components, leading to the added complexity of implementation, troubleshooting, and integration.
+Where I see customers trip over hurdles the most is when there's no real partnership between the operations and the SOC teams. While the operations team is being pressured and mandated with tight deadlines to adopt the cloud, the security teams aren't always included early in the process to revise and plan a comprehensive security strategy. This involves integrating different cloud components and components on-prem. This lack of partnership further trickles down to different teams that seem to work in silos to implement controls for their specific components, leading to the added complexity of implementation, troubleshooting, and integration.
-Customers who sail over these hurdles have good partnerships between the Operations and Governance and the Security and Risk management teams to revamp the security strategy and requirements for protecting hybrid cloud workloads. They laser-focus on the ultimate security goals and outcomes ΓÇö data protection and systems and services availability in accordance with cybersecurity governance, risk, and compliance requirements. These organizations develop early-stage partnerships between their Operations and Governance team and SOC which is critical to the security design approach and will maximize the value of their investments.
+Customers who sail over these hurdles have good partnerships between the Operations and Governance and the Security and Risk management teams to revamp the security strategy and requirements for protecting hybrid cloud workloads. They laser-focus on the ultimate security goals and outcomesΓÇödata protection and systems and services availability in accordance with cybersecurity governance, risk, and compliance requirements. These organizations develop early-stage partnerships between their Operations and Governance team and SOC, which is critical to the security design approach and will maximize the value of their investments.
## Build a modern (identity-based) security perimeter
-Next, adopt a Zero Trust architecture approach. This starts with building a modern, identity-based security perimeter. Design the security architecture where every access attempt, whether on-prem or cloud, is treated as untrusted until it is verified ΓÇö ΓÇ£never trust, always verify.ΓÇ¥ This design approach not only increases security and productivity, but it also allows users to work from anywhere with any device type. The sophisticated cloud controls included with Microsoft 365 help you protect usersΓÇÖ identities while controlling access to valuable resources based on user risk level.
+Next, adopt a Zero Trust architecture approach. This starts with building a modern, identity-based security perimeter. Design the security architecture where every access attempt, whether on-prem or cloud, is treated as untrusted until it's verifiedΓÇöΓÇ£never trust, always verify.ΓÇ¥ This design approach not only increases security and productivity, but it also allows users to work from anywhere with any device type. The sophisticated cloud controls included with Microsoft 365 help you protect usersΓÇÖ identities while controlling access to valuable resources based on user risk level.
-For a recommended configuration, see [Identity and device access configurations](../security/office-365-security/microsoft-365-policies-configurations.md).
+For a recommended configuration, see [Identity and device access configurations](../security/office-365-security/microsoft-365-policies-configurations.md).
## Transition security controls to the cloud
-Many security teams are still using the traditional security best practices built for an all on-premises world, including maintaining a ΓÇ£network perimeter securityΓÇ¥ and trying to ΓÇ£forceΓÇ¥ the on-prem security tools and controls to cloud solutions. Such controls were not designed for the cloud, are ineffective, and hinder the adoption of modern cloud capabilities. Processes and tools which work for a network perimeter security approach have proven to be inefficient, obstructive to cloud capabilities, and do not allow for taking advantage of modern and automated security features.
+Many security teams are still using the traditional security best practices built for an all on-premises world, including maintaining a ΓÇ£network perimeter securityΓÇ¥ and trying to ΓÇ£forceΓÇ¥ the on-prem security tools and controls to cloud solutions. Such controls were not designed for the cloud, are ineffective, and hinder the adoption of modern cloud capabilities. Processes and tools that work for a network perimeter security approach have proven to be inefficient, obstructive to cloud capabilities, and don't allow for taking advantage of modern and automated security features.
You can sail over this hurdle by shifting the defense strategies to cloud-managed protection, automated investigation and remediation, automated pen-testing, Defender for Office 365, and incident analysis. Customers who are using modern device management solutions have implemented automated management, standardized patching, antivirus, policy enforcement, and application protection across all devices (whether a smartphone, personal computer, laptop, or tablet). This eliminates the need for a VPN, Microsoft System Center Configuration Manager (SCCM), and Active Directory group policies. This, combined with conditional access policies, provides powerful control and visibility, as well as streamlined access to resources regardless of where their users are operating from. ## Strive for ΓÇÿbest togetherΓÇÖ security tools
-Another hurdle I see customers stumble over is taking a ΓÇÿbest of breedΓÇÖ approach to security tools. Continually layering ΓÇÿbest of breedΓÇÖ point solutions to address emerging security needs causes enterprise security to breakdown. Even with the best intentions, tools in most environments do not get integrated because it becomes too expensive and complex. This, in turn, creates gaps in visibility as there are more alerts to triage than the team can handle. Retraining the SecOps team on new tools also becomes a constant challenge.
+Another hurdle I see customers stumble over is taking a ΓÇÿbest of breedΓÇÖ approach to security tools. Continually layering ΓÇÿbest of breedΓÇÖ point solutions to address emerging security needs causes enterprise security to break down. Even with the best intentions, tools in most environments don't get integrated because it becomes too expensive and complex. This, in turn, creates gaps in visibility as there are more alerts to triage than the team can handle. Retraining the SecOps team on new tools also becomes a constant challenge.
The ΓÇÿsimple is betterΓÇÖ approach works for security too. Instead of going after ΓÇÿbest of breedΓÇÖ tools, sail over this hurdle by adopting a ΓÇÿbest togetherΓÇÖ strategy with tools that work together by default. Microsoft security capabilities protect your entire organization with integrated threat protection that spans applications, users, and clouds. Integration enables an organization to be more resilient and reduce risk by containing attackers at entry and rapidly remediating attacks. ## Balance security with functionality
-As I come from a long cybersecurity background and experience, I tend to prefer starting with the most secure configuration out of the box and allowing organizations to relax security configurations based on their operational and security needs. However, this can come at a hefty price of lost functionality and poor user experience. As many organizations have learned, if security is too hard for users, they will find a way to work around you, including using unmanaged cloud services. As hard as it is for me to accept, I have come to realize that the delicate functionality-security balance must be achieved.
-
-Organizations that realize users will do whatever it takes to get their jobs done acknowledge that the "Shadow IT battle" is not worth fighting. They recognize that IT employees are the biggest offenders when it comes to Shadow IT and the use of non-approved SaaS applications for their job. They have shifted their strategy to encourage its use (instead of suppressing) and focusing on mitigating the risks exposure it could create. These organizationΓÇÖs security teams do not insist that everything gets blocked, logged, and sent through a reverse proxy or a VPN. Rather, these security teams double down their efforts to protect valuable and sensitive data from being exposed to the wrong parties or malicious apps. They work to protect the integrity of the data. They are making full use of more advanced cloud information protection capabilities, including encryption, secure multi-factor authentication, automated risk and compliance, and Cloud App Security Broker (CASB) capabilities while allowing and even encouraging the protected sharing across multiple platforms. They are turning shadow IT into inspiring creativity, productivity, and collaboration which allows their business to stay on the competitive edge.
+As I come from a long cybersecurity background and experience, I tend to prefer starting with the most secure configuration out of the box and allowing organizations to relax security configurations based on their operational and security needs. However, this can come at a hefty price of lost functionality and poor user experience. As many organizations have learned, if security is too hard for users, they'll find a way to work around you, including using unmanaged cloud services. As hard as it is for me to accept, I've come to realize that the delicate functionality-security balance must be achieved.
+Organizations that realize users will do whatever it takes to get their jobs done acknowledge that the "Shadow IT battle" isn't worth fighting. They recognize that IT employees are the biggest offenders when it comes to Shadow IT and the use of non-approved SaaS applications for their job. They've shifted their strategy to encourage its use (instead of suppressing) and focusing on mitigating the risks exposure it could create. These organizationΓÇÖs security teams don't insist that everything gets blocked, logged, and sent through a reverse proxy or a VPN. Rather, these security teams double down their efforts to protect valuable and sensitive data from being exposed to the wrong parties or malicious apps. They work to protect the integrity of the data. They're making full use of more advanced cloud information protection capabilities, including encryption, secure multi-factor authentication, automated risk and compliance, and Cloud App Security Broker (CASB) capabilities while allowing and even encouraging the protected sharing across multiple platforms. They're turning shadow IT into inspiring creativity, productivity, and collaboration, which allows their business to stay on the competitive edge.
-## Adopt a methodical approach
+## Adopt a methodical approach
Most of the challenges I have experienced with implementing cloud security at different organizations, regardless of industry, have been very similar. First of all, while there is plenty of great documentation on specific capabilities and features, there is a level of confusion at the organization level about what applies to them, where security features overlap, and how capabilities should be integrated. There is also a level of uncertainty about which security features come pre-configured out of the box and which require configuration by the organization. In addition, the SOC teams unfortunately have not had the full exposure, training, or the budget allocation needed to prepare for the rapid cloud adoption and digital transformation their organizations are already undergoing.
-To help you clear these hurdles, Microsoft has curated several resources designed to help you take a methodical approach to your security strategy and implementation.
-
+To help you clear these hurdles, Microsoft has curated several resources designed to help you take a methodical approach to your security strategy and implementation.
|Resource |More information | |---------|---------|
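Review bot: The blank-line removals (the bare `-` lines between "As hard as it is for me to accept..." and "Organizations that realize users...", and again between "Most of the challenges..." and "To help you clear these hurdles...") will merge those paragraphs in Markdown unless a separator survives in the `+` version; confirm a blank line still follows each paragraph. Two wording problems are carried into the new lines: "mitigating the risks exposure it could create" should read "mitigating the risk exposure it could create", and "These organizationΓÇÖs security teams" needs the plural possessive "organizations'". "Cloud App Security Broker (CASB)" expands the acronym incorrectly; CASB stands for Cloud Access Security Broker. The apostrophes, curly quotes and em dashes render here as `ΓÇÖ`, `ΓÇ£`/`ΓÇ¥` and `ΓÇö`, which looks like UTF-8 text decoded under a legacy code page; since the added lines show the same sequences, check that the file is saved as UTF-8 before merging (plain ASCII quotes would sidestep the problem entirely). Finally, the relocated bio paragraph ("I currently live in Northern Virginia...") now sits between the "top challenges" transition and the first `##` heading, which interrupts the flow; placing it before "The good news is..." keeps the introduction together.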
@@ -83,5 +80,4 @@ To help you clear these hurdles, Microsoft has curated several resources designe
|[docs.security.com/security](https://docs.microsoft.com/security/) | Technical guidance from across Microsoft for security strategy and architecture. | | | |
-All of these resources are designed to be used as a starting point and adapted for the needs of your organization.
-
+All of these resources are designed to be used as a starting point and adapted for the needs of your organization.
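Review bot: The link text `docs.security.com/security` does not match its target `https://docs.microsoft.com/security/`; it should read `docs.microsoft.com/security`, otherwise a reader who copies the visible text goes to the wrong host. The same row ends in extra empty cells (`| | | |`) beyond the two columns declared by `|Resource |More information |`, which will render as spurious columns; trim it to end after `...security strategy and architecture. |`. And since the blank line before "All of these resources..." is removed in this hunk, make sure a blank line still separates the table from that closing paragraph, otherwise Markdown parses the sentence as another table row.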
solutions https://docs.microsoft.com/en-us/microsoft-365/solutions/workload-solutions-scenarios-overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/workload-solutions-scenarios-overview.md
@@ -1,6 +1,6 @@
--- title: Microsoft 365 workload solutions and scenarios
-description: Description.
+description: Accomplish your business objectives with these solution guides for specific Microsoft 365 workloads.
ms.author: samanro author: samanro manager: bcarter