-Download offers a simple way to download content from a review set in native format. The download tool in Advanced eDiscovery leverages the browser's data transfer features. A browser prompt will appear when a download is ready. Files downloaded using this method are zipped in a container file and will contain item-level files. This means that if you select to download an attachment, you will receive the email message with the attachment included. Similarly, if you export an Excel spreadsheet that is embedded in a Word document, the Word document with the embedded Excel spreadsheet are included in the download. When you downloaded items, the Last Modified Data property is preserved and can be viewed as a file property.

-You can use the Import service in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft 365 compliance center</a> to quickly bulk-import PST files to Exchange Online mailboxes in your organization. There are two ways you can import PST files to Office 365:

-See one of the following topics for detailed, step-by-step instructions for bulk-importing your organization's PST files to Office 365.

-3. **Create a PST import mapping file** - After the PST files have been uploaded to the Azure Storage location or copied to a hard drive, the next step is to create a comma-separated value (CSV) file that specifies which user mailboxes the PST files will be imported to (and a PST file can be imported to a user's primary mailbox or their archive mailbox). [Download a copy of the PST Import mapping file](https://go.microsoft.com/fwlink/p/?LinkId=544717). The Office 365 Import service will use the information to import the PST files.

-Here are some frequently asked questions about using the Office 365 Import service to bulk-import PST files to Microsoft 365 mailboxes.

-#### What permissions are required to create import jobs in the Office 365 Import Service using network upload?

-> Consider creating a new role group in Exchange Online that's specifically intended for importing PST files to Office 365. For the minimum level of privileges required to import PST files, assign the Mailbox Import Export and Mail Recipients roles to the new role group, and then add members.

-This also means that after PST files are deleted from the Azure Storage area, they're no longer displayed in the list of files for a completed import job in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339). Although an import job might still be listed on the **Import data to Office 365** page, the list of PST files might be empty when you view the details of older import jobs.

-#### What version of the PST file format is supported for importing to Office 365?

-There are two versions of the PST file format: ANSI and Unicode. We recommend importing files that use the Unicode PST file format. However, files that use the ANSI PST file format, such as those for languages that use a double-byte character set (DBCS), can also be imported to Office 365. For more information about importing ANSI PST files, see Step 4 in [Use network upload to import PST files to Office 365](./use-network-upload-to-import-pst-files.md).

-Additionally, PST files from Outlook 2007 and later versions can be imported to Office 365.

-It depends on the capacity of your network, but it typically takes several hours for each terabyte (TB) of data to be uploaded to the Azure Storage area for your organization. After the PST files are copied to the Azure Storage area, a PST file is imported to a Microsoft 365 mailbox at a rate of approximately 24 GB per day^\*. If this rate doesn't meet your needs, you might consider other methods to get email data into Office 365. For more information, see [Ways to migrate multiple email accounts to Office 365](/Exchange/mailbox-migration/mailbox-migration).

-#### Can I use network upload to import PST files to an inactive mailbox in Office 365?

-#### What permissions are required to create import jobs in the Office 365 Import Service using drive shipping?

-> Consider creating a new role group in Exchange Online that's specifically intended for importing PST files to Office 365. For the minimum level of privileges required to import PST files, assign the Mailbox Import Export and Mail Recipients roles to the new role group, and then add members.

-Only 2.5-inch solid-state drives (SSDs) or 2.5 inch or 3.5 inch SATA II/III internal hard drives are supported for use with the Office 365 Import service. You can use hard drives up to 10 TB. For import jobs, only the first data volume on the hard drive will be processed. The data volume must be formatted with NTFS. When copying data to a hard drive, you can attach it directly using a 2.5 inch SSD or 2.5 inch or 3.5 inch SATA II/III connector or you can attach it externally using an external 2.5 inch SSD or 2.5 inch or 3.5 inch SATA II/III USB adapter.

-> External hard drives that come with a built-in USB adapter aren't supported by the Office 365 Import service. Additionally, the disk inside the casing of an external hard drive can't be used. Please don't ship external hard drives.

-To help you with investigating compromise email accounts, we're now auditing accesses of mail data by mail protocols and clients with the *MailItemsAccessed* mailbox auditing action. This new audited action will help investigators better understand email data breaches and help you identify the scope of compromises to specific mail items that may been compromised. The goal of using this new auditing action is forensics defensibility to help assert that a specific piece of mail data was not compromised. If an attacker gained access to a specific piece of mail, Exchange Online audits the event even though there is no indication that the mail item was actually read.

-Sync operations are only recorded when a mailbox is accessed by a desktop version of the Outlook client for Windows or Mac. During the sync operation, these clients typically download a large set of mail items from the cloud to a local computer. The audit volume for sync operations is huge. So, instead of generating an audit record for each mail item that's synched, we just generate an audit event for the mail folder containing items that were synched. This makes the assumption that *all* mail items in the synched folder have been compromised. The access type is recorded in the OperationProperties field of the audit record.

-If more than 1,000 MailItemsAccessed audit records are generated in less than 24 hours, Exchange Online will stop generating auditing records for MailItemsAccessed activity. When a mailbox is throttled, MailItemsAccessed activity will not be logged for 24 hours after the mailbox was throttled. If this occurs, there's a potential that mailbox could have been compromised during this period. The recording of MailItemsAccessed activity will be resumed following a 24-hour period.

-2. Check for sync activities. If an attacker uses an email client to downloaded messages in a mailbox, they can disconnect the computer from the Internet and access the messages locally without interacting with the server. This means that mailbox auditing would not be able to audit these activities.

- |SessionId|Session ID helps to differentiate attacker actions vs day-to-day user activities on the same account (in the case of a compromised account)|

- - Use the InternetMessageId to search audit records related to a set of potentially sensitive email messages. This is useful if you're concerned only about a small number of messages.

-A legal hold (also known as a *litigation hold*) notice is a notification sent from an organizationΓÇÖs legal department to employees, contingent staff, or custodians of data that may be relevant to a legal investigation. These notifications instruct custodians to preserve electronically stored information as well as any content that may be relevant to an active or impending legal matter. Legal teams must know that each custodian has received, read, understood, and has agreed to comply with the given instructions.

-With Advanced eDiscovery, legal teams can create and customize their legal hold notification workflow. The custodian communications tool lets legal teams to configure the following notices and workflows:

-2. **Re-Issuance notice:** During a case, custodians may be required to preserve additional content (or less content) than was previously requested. For this scenario, you can update the existing hold notice and re-issue it to custodians.

-3. **Release notice:** Once a matter is resolved and the custodian is no longer subject to a preservation requirement, the custodian can be released from the case. Additionally, you can notify the custodian that they are no longer required to preserve content, and provide instructions about how to resume their normal work activity with regard to their data.

- - **Reminders:** After a legal hold notice has been issued or re-issued to a set of custodians, an organization can set up reminders to alert unresponsive custodians.

-Yammer user messages and community messages can be deleted by using retention policies for Yammer, and in addition to the text in the messages, the following items can be retained for compliance reasons: Hypertext links and links to other Yammer messages.

-Copies of community messages can also be stored in the hidden folder of user mailboxes when they @ mention users or notify the user of a reply. Although these messages originate as a community message, a retention policy for Yammer user messages will often include copies of community messages.

-[Use explanation templates in SharePoint Syntex](explanation-templates.md)

-description: Use REST API to apply a document understanding model to one or more libraries.

-# Batch Apply model

-Applies (or syncs) a trained document understanding model to one or more libraries (see [example](rest-applymodel-method.md#examples)).

-## HTTP request

-```HTTP

-POST /_api/machinelearning/publications HTTP/1.1

-```

-## URI parameters

-None

-## Request headers

-| Header | Value |

-|--|-|

-|Accept|application/json;odata=verbose|

-|Content-Type|application/json;odata=verbose;charset=utf-8|

-|x-requestdigest|The appropriate digest for current site.|

-## Request body

-| Name | Required | Type | Description |

-|--|-|--||

-|__metadata|yes|string|Set the object meta on the SPO. Always use the value: {"type": "Microsoft.Office.Server.ContentCenter.SPMachineLearningPublicationsEntityData"}.|

-|Publications|yes|MachineLearningPublicationEntityData[]|The collection of MachineLearningPublicationEntityData each of which specifies the model and target document library.|

-### MachineLearningPublicationEntityData

-| Name | Required | Type | Description |

-|--|-|--||

-|ModelUniqueId|yes|string|The unique ID of the model file.|

-|TargetSiteUrl|yes|string|The full URL of the target library site.|

-|TargetWebServerRelativeUrl|yes|string|The server relative URL of the web for the target library.|

-|TargetLibraryServerRelativeUrl|yes|string|The server relative URL of the target library.|

-|ViewOption|no|string|Specifies whether to set new model view as the library default.|

-## Response

-| Name | Type | Description|

-|--|-||

-|201 Created||This is a customized API to support applying a model to multi document libraries. In the case of partial success, 201 created could still be returned and the caller needs to inspect the response body to understand if the model has been successfully applied to a document library.|

-## Response Body

-| Name | Type | Description|

-|--|-||

-|TotalSuccesses|int|The total number of a model being successfully applied to a document library.|

-|TotalFailures|int|The total number of a model failing to be applied to a document library.|

-|Details|MachineLearningPublicationResult[]|The collection of MachineLearningPublicationResult each of which specifies the detailed result of applying the model to the document library.|

-### MachineLearningPublicationResult

-| Name | Type | Description|

-|--|-||

-|StatusCode|int|The HTTP status code.|

-|ErrorMessage|string|The error message which tells what's wrong when apply the model to the document library.|

-|Publication|MachineLearningPublicationEntityData|It specifies the model info and the target document library.|

-### MachineLearningPublicationEntityData

-| Name | Type | Description |

-|--|--||

-|ModelUniqueId|string|The unique ID of the model file.|

-|TargetSiteUrl|string|The full URL of the target library site.|

-|TargetWebServerRelativeUrl|string|The server relative URL of the web for the target library.|

-|TargetLibraryServerRelativeUrl|string|The server relative URL of the target library.|

-## Examples

-### Apply a model to the contracts document library in the repository site

-In this sample, the ID of the Contoso Contract document understanding model is `7645e69d-21fb-4a24-a17a-9bdfa7cb63dc`.

-#### Sample request

-```HTTP

-{

- "__metadata": {

- "type": "Microsoft.Office.Server.ContentCenter.SPMachineLearningPublicationsEntityData"

- },

- "Publications": {

- "results": [

- {

- "ModelUniqueId": "7645e69d-21fb-4a24-a17a-9bdfa7cb63dc",

- "TargetSiteUrl": "https://contoso.sharepoint.com/sites/repository/",

- "TargetWebServerRelativeUrl": "/sites/repository",

- "TargetLibraryServerRelativeUrl": "/sites/repository/contracts",

- "ViewOption": "NewViewAsDefault"

- }

- ]

- }

-}

-```

-#### Sample response

-In the response, TotalFailures and TotalSuccesses refers to the number of failures and successes of the model being applies to the specified libraries.

-**Status code:** 201

-```JSON

-{

- "Details": [

- {

- "ErrorMessage": null,

- "Publication": {

- "ModelUniqueId": "7645e69d-21fb-4a24-a17a-9bdfa7cb63dc",

- "TargetSiteUrl": "https://contoso.sharepoint.com/sites/repository/",

- "TargetWebServerRelativeUrl": "/sites/repository",

- "TargetLibraryServerRelativeUrl": "/sites/repository/contracts",

- "ViewOption": "NewViewAsDefault"

- },

- "StatusCode": 201

- }

- ],

- "TotalFailures": 0,

- "TotalSuccesses": 1

-}

-```

-## See also

-[Syntex document understanding model REST API](syntex-model-rest-api.md)

-description: Use REST API to remove an applied document understanding model from one or more libraries.

-# BatchDelete

-Removes an applied document understanding model from one or more libraries. Note that a model must be removed from all libraries before it can be deleted (see [example](rest-batchdelete-method.md#examples)).

-## HTTP request

-```HTTP

-POST /_api/machinelearning/publications/batchdelete HTTP/1.1

-```

-## URI parameters

-None

-## Request headers

-| Header | Value |

-|--|-|

-|Accept|application/json;odata=verbose|

-|Content-Type|application/json;odata=verbose;charset=utf-8|

-|x-requestdigest|The appropriate digest for current site.|

-## Request body

-| Name | Required | Type | Description |

-|--|-|--||

-|Publications|yes|MachineLearningPublicationEntityData[]|The collection of MachineLearningPublicationEntityData each of which specifies the model and target document library.|

-### MachineLearningPublicationEntityData

-| Name | Required | Type | Description |

-|--|-|--||

-|ModelUniqueId|yes|string|The unique ID of the model file.|

-|TargetSiteUrl|yes|string|The full URL of the target library site.|

-|TargetWebServerRelativeUrl|yes|string|The server relative URL of the web for the target library.|

-|TargetLibraryServerRelativeUrl|yes|string|The server relative URL of the target library.|

-## Response

-| Name | Type | Description|

-|--|-||

-|200 OK||This is a customized API to support removing a model from multi document libraries. In the case of partial success, 200 OK could still be returned and the caller needs to inspect the response body to understand if the model has been successfully removed from a document library.|

-## Response Body

-| Name | Type | Description|

-|--|-||

-|TotalSuccesses|int|The total number of a model being successfully removed from a document library.|

-|TotalFailures|int|The total number of a model failing to be removed from a document library.|

-|Details|MachineLearningPublicationResult[]|The collection of MachineLearningPublicationResult each of which specifies the detailed result of removing the model from a document library.|

-### MachineLearningPublicationResult

-| Name | Type | Description|

-|--|-||

-|StatusCode|int|The HTTP status code.|

-|ErrorMessage|string|The error message which tells what's wrong when apply the model to the document library.|

-|Publication|MachineLearningPublicationEntityData|It specifies the model info and the target document library.|

-### MachineLearningPublicationEntityData

-| Name | Type | Description |

-|--|--||

-|ModelUniqueId|string|The unique ID of the model file.|

-|TargetSiteUrl|string|The full URL of the target library site.|

-|TargetWebServerRelativeUrl|string|The server relative URL of the web for the target library.|

-|TargetLibraryServerRelativeUrl|string|The server relative URL of the target library.|

-## Examples

-### Remove a model from the contracts document library in the repository site

-In this sample, the ID of the Contoso Contract document understanding model is `7645e69d-21fb-4a24-a17a-9bdfa7cb63dc`.

-#### Sample request

-```HTTP

-{

- "publications": [

- {

- "ModelUniqueId": "7645e69d-21fb-4a24-a17a-9bdfa7cb63dc",

- "TargetSiteUrl": "https://constco.sharepoint-df.com/sites/docsite",

- "TargetWebServerRelativeUrl": "/sites/docsite ",

- "TargetLibraryServerRelativeUrl": "/sites/dcocsite/joedcos"

- }

- ]

-}

-```

-#### Sample response

-In the response, TotalFailures and TotalSuccesses refer to the number of failures and successes of the model being removed from the specified libraries.

-**Status code:** 200

-```JSON

-{

- "Details": [

- {

- "ErrorMessage": null,

- "Publication": {

- "ModelUniqueId": "7645e69d-21fb-4a24-a17a-9bdfa7cb63dc",

- "TargetSiteUrl": "https://contoso.sharepoint.com/sites/repository/",

- "TargetWebServerRelativeUrl": "/sites/repository",

- "TargetLibraryServerRelativeUrl": "/sites/repository/contracts",

- "ViewOption": "NewViewAsDefault"

- },

- "StatusCode": 200

- }

- ],

- "TotalFailures": 0,

- "TotalSuccesses": 1

-}

-```

-## See also

-[Syntex document understanding model REST API](syntex-model-rest-api.md)

-description: Use REST API to create a request to classify one or more files using a trained document understanding model.

-# Create file classification request

-Creates a request to classify one or more files using the applied document understanding model. (For more information, see [example](rest-createclassificationrequest.md#examples).)

-The REST service of SharePoint Online (and SharePoint 2016 and later on-premises) supports the combining of multiple requests. Requests are combined into a single call to the service by using the OData $batch query option. This method can be used to enqueue classification work items for hundreds of documents at one time.

-## HTTP request

-```http

-POST /_api/machinelearning/workItems HTTP/1.1

-```

-## URI Parameters

-None

-## Request headers

-| Header | Value |

-|--|-|

-|Accept|application/json;odata=verbose|

-|Content-Type|application/json;odata=verbose;charset=utf-8|

-|x-requestdigest|The appropriate digest for current site|

-## Request body

-|Name |Type |Description |

-|--|-||

-|_metadata|string |Set the object meta on the SPO. Always use the value: {"type": "Microsoft.Office.Server.ContentCenter.SPMachineLearningWorkItemEntityData"}. |

-|TargetSiteId|guid|The ID of the site where the file to classify is located. This can be omitted when TargetSiteUrl has a value. |

-|TargetSiteUrl|string|The full URL of the site where the file to classify is located. This can be omitted when TargeSiteId has a value.|

-|TargetWebId|guid|The ID of the web where the file to classify is located. This can be omitted when TargetWebServerRelativeUrl has a value. |

-|TargetWebServerRelativeUrl|string|The server relative URL of the web where the file to classify is located. This can be omitted when TargetWebId has a value. |

-|TargetUniqueId|guid|The ID of the folder to classify. This can be omitted when TargetServerRelativeUrl has a value. |

-|TargetServerRelativeUrl|string|The server relative URL of the file to classify is located. This can be omitted when TargetUniqueId has a value.|

-## Responses

-| Name | Type | Description|

-|--|-||

-|201 Created| |The response is customized. In there is failure, it could still return 201 Created. The caller should further check the response body to determine the exact result.|

-## Examples

-### Enqueue a request to classify a file of ID "e6cff8b7-c90c-4564-b5b8-033449090932"

-#### Sample request

-```JSON

-{

- "__metadata": {

- "type": "Microsoft.Office.Server.ContentCenter.SPMachineLearningWorkItemEntityData"

- },

- "TargetSiteId": "f686e63b-aba7-48e5-97c7-68c4c1df292f",

- "TargetWebId": "66d6b64d-6f88-4dd9-b3db-47e6f00c53e8",

- "TargetUniqueId": "e6cff8b7-c90c-4564-b5b8-033449090932"

-}

-```

-#### Sample response

-**Status code:** 201

-```JSON

-{

- "ErrorMessage": null,

- "StatusCode": 201

-}

-```

-```JSON

-{

- "ErrorMessage": null,

- "StatusCode": 201

-}

-```

-## See also

-[Syntex document understanding model REST API](syntex-model-rest-api.md)

-description: Use REST API to create a request to classify an entire folder using a trained document understanding model.

-# Create folder classification request

-Creates a request to classify a whole folder during off-peak hours by using the applied document understanding model. (For more information, see [example](rest-createfolderclassificationrequest.md#examples).)

-This API can be used to classify a whole document library by creating a work item for its root folder.

-## HTTP request

-```http

-POST /_api/machinelearning/workItems HTTP/1.1

-```

-## URI Parameters

-None

-## Request headers

-| Header | Value |

-|--|-|

-|Accept|application/json;odata=verbose|

-|Content-Type|application/json;odata=verbose;charset=utf-8|

-|x-requestdigest|The appropriate digest for current site|

-## Request body

-|Name |Type |Description |

-|--|-||

-|_metadata|string |Set the object meta on the SPO. Always use the value: {"type": "Microsoft.Office.Server.ContentCenter.SPMachineLearningWorkItemEntityData"}. |

-|TargetSiteId|guid|The ID of the site where the folder to classify is located. This can be omitted when TargetSiteUrl has a value. |

-|TargetSiteUrl|string|The full URL of the site where the folder to classify is located. This can be omitted when TargeSiteId has a value.|

-|TargetWebId|guid|The ID of the web where the folder to classify is located. This can be omitted when TargetWebServerRelativeUrl has a value. |

-|TargetWebServerRelativeUrl|string|The server relative URL of the web where the folder to classify is located. This can be omitted when TargetWebId has a value. |

-|TargetUniqueId|guid|The ID of the folder to classify. This can be omitted when TargetServerRelativeUrl has a value. |

-|TargetServerRelativeUrl|string|The server relative URL of the folder to classify is located. This can be omitted when TargetUniqueId has a value.|

-|IsFolder|boolean|The flag that indicates if what will be classified is a folder. Always set this to true for creating a folder classification work item. |

-## Responses

-| Name | Type | Description|

-|--|-||

-|201 Created| |The response is customized. If there is failure, it could still return 201 Created. The caller should further check the response body to determine the exact result.|

-## Response body

-| Name | Type | Description|

-|--|-||

-|StatusCode |int |The HTTP status code. If itΓÇÖs not 200 or 201, the API should have failed.|

-|ErrorMessage |string |The error message that tells what's wrong when apply the model to the document library.|

-## Examples

-### Enqueue a request to classify a whole folder of ID "e6cff8b7-c90c-4564-b5b8-033449090932"

-#### Sample request

-```JSON

-{

- "__metadata": {

- "type": "Microsoft.Office.Server.ContentCenter.SPMachineLearningWorkItemEntityData"

- },

- "TargetSiteId": "f686e63b-aba7-48e5-97c7-68c4c1df292f",

- "TargetWebId": "66d6b64d-6f88-4dd9-b3db-47e6f00c53e8",

- "TargetUniqueId": "e6cff8b7-c90c-4564-b5b8-033449090932",

- "IsFolder": true

-}

-```

-#### Sample response

-**Status code:** 201

-```JSON

-{

- "ErrorMessage": null,

- "StatusCode": 201

-}

-```

-## See also

-[Syntex document understanding model REST API](syntex-model-rest-api.md)

-description: Use REST API to create a model and its associated content type.

-# Create model

-Creates a model and its associated content type. Note that this only creates the model. It will still need to be trained in the content center (see [example](rest-createmodel-method.md#examples)).

-## HTTP request

-```http

-POST /_api/machinelearning/models HTTP/1.1

-```

-## URI Parameters

-None

-## Request headers

-| Header | Value |

-|--|-|

-|Accept|application/json;odata=verbose|

-|Content-Type|application/json;odata=verbose;charset=utf-8|

-|x-requestdigest|The appropriate digest for current site|

-## Request body

-|Name |Type |Description |

-|--|-||

-|_metadata| |Set the object meta on the SPO. Always use the value: {"type": "Microsoft.Office.Server.ContentCenter.SPMachineLearningModelEntityData"}. |

-|ContentTypeGroup|string|The associated content type group associated with the model. Defaulted to "Intelligent Document Content Types".|

-|ContentTypeName|string|The associated content type name. The created model file will have the same name.|

-## Responses

-| Name | Type | Description|

-|--|-||

-|201 Created| |Success|

-## Examples

-### Create a new document understanding model called "Contoso Contract"

-#### Sample request

-```json

-{

- "__metadata": {

- "type": "Microsoft.Office.Server.ContentCenter.SPMachineLearningModelEntityData"

- },

- "ContentTypeGroup": "Intelligent Document Content Types",

- "ContentTypeName": "Contoso Contract"

-}

-```

-#### Sample response

-**Status code:** 201

-## See also

-[Syntex document understanding model REST API](syntex-model-rest-api.md)

-description: Use REST API to get or update information about a SharePoint Syntex document understanding model using the model title.

-# GetByTitle

-Gets or updates information about a SharePoint Syntex document understanding model using the model title (see [example](rest-getbytitle-method.md#examples)).

-## HTTP request

-```HTTP

-GET /_api/machinelearning/models/getbytitle('{modelFileName}') HTTP/1.1

-```

-This same method can be used for deleting a model, too.

-```HTTP

-DELETE /_api/machinelearning/models/getbytitle('{modelFileName}') HTTP/1.1

-```

-## URI parameters

-|Name |In |Required|Type|Description|

-|--||--|-|--|

-|modelFileName|query|True|string|Name of the Syntex model file.|

-## Request headers

-| Header | Value |

-|--|-|

-|Accept|application/json;odata=verbose|

-## Request body

-For GET, no request body is needed.

-## Responses

-| Name | Type | Description|

-|--|-||

-|200 OK| |Success|

-## Examples

-### Get information about the Contoso Contract model

-In this sample, the name of the Syntex document understanding model is `Contoso Contract`.

-#### Sample request

-```HTTP

-GET /_api/machinelearning/models/getbytitle('Contoso Contract') HTTP/1.1

-```

-#### Sample response

-**Status code:** 200

-```HTTP

-{

- "@odata.context": "https://contoso.sharepoint.com/sites/filerepository/_api/$metadata#models/$entity",

- "@odata.type": "#Microsoft.Office.Server.ContentCenter.SPMachineLearningModel",

- "@odata.id": "https://contoso.sharepoint.com/sites/filerepository/_api/machinelearning/models/getbyuniqueId('7645e69d-21fb-4a24-a17a-9bdfa7cb63dc')",

- "@odata.etag": "\"7645e69d-21fb-4a24-a17a-9bdfa7cb63dc,111\"",

- "@odata.editLink": " https://contoso.sharepoint.com/sites/filerepository /_api/machinelearning/models/getbyuniqueId('7645e69d-21fb-4a24-a17a-9bdfa7cb63dc')",

- "ConfidenceScore": "{\"trainingStatus\":{\"kind\":\"original\",\"ClassifierStatus\":{\"TrainingStatus\":\"success\",\"TimeStamp\":1611716640535},\"ExtractorsStatus\":[{\"TimeStamp\":1585175746775,\"ExtractorName\":\"Contract Name\",\"TrainingStatus\":\"success\"},{\"TimeStamp\":1586905975794,\"ExtractorName\":\"Client \",\"TrainingStatus\":\"success\"},{\"TimeStamp\":1586906061099,\"ExtractorName\":\"Contract Date\",\"TrainingStatus\":\"success\"},{\"TimeStamp\":1586907912388,\"ExtractorName\":\"Fee\",\"TrainingStatus\":\"success\"},{\"TimeStamp\":1611716640115,\"ExtractorName\":\"ServiceType\",\"TrainingStatus\":\"success\"}]},\"modelAccuracy\":{\"Classifier\":1,\"Extractors\":{\"Contract Name\":1,\"Client \":1,\"Contract Date\":1,\"Fee\":1,\"ServiceType\":1}},\"perSampleAccuracy\":{\"133\":{\"Classifier\":1,\"Extractors\":{\"ServiceType\":1}},\"249\":{\"Classifier\":1,\"Extractors\":{\"ServiceType\":1}},\"252\":{\"Classifier\":1,\"Extractors\":{\"ServiceType\":1}},\"253\":{\"Classifier\":1,\"Extractors\":{\"ServiceType\":1}},\"254\":{\"Classifier\":1,\"Extractors\":{\"ServiceType\":1}},\"255\":{\"Classifier\":1,\"Extractors\":{\"ServiceType\":1}},\"256\":{\"Extractors\":{\"ServiceType\":1}},\"257\":{\"Extractors\":{\"ServiceType\":1}}},\"perSamplePrediction\":{\"133\":{\"Extractors\":{\"ServiceType\":[]}},\"249\":{\"Extractors\":{\"ServiceType\":[\"Writing\"]}},\"252\":{\"Extractors\":{\"ServiceType\":[\"Catering\"]}},\"253\":{\"Extractors\":{\"ServiceType\":[\"Design\"]}},\"254\":{\"Extractors\":{\"ServiceType\":[\"Marketing\"]}},\"255\":{\"Extractors\":{\"ServiceType\":[\"Financial Planning\"]}},\"256\":{\"Extractors\":{\"ServiceType\":[\"Writing\"]}},\"257\":{\"Extractors\":{\"ServiceType\":[\"Writing\"]}}},\"trainingFailures\":{}}",

- "ContentTypeGroup": "Intelligent Document Content Types",

- "ContentTypeId": "0x01010083DF84D4F59BBD4CB06F075AA81F58AA",

- "ContentTypeName": "Contoso Contract",

- "Created": "2020-03-25T22:04:04Z",

- "CreatedBy": "i:0#.f|membership|meganb@contoso.com",

- "DriveId": "b!O-aG9qer5UiXx2jEwd8pL0221maIb9lNs9tH5vAMU-h2NuHxlYUiTJyiwKQHZobK",

- "Explanations": "{\"Classifier\":[{\"id\":\"8122ac1d-8fcb-4705-8872-2825cbf05bfe\",\"kind\":\"dictionaryFeature\",\"name\":\"agreement\",\"active\":true,\"nGrams\":[\"CONSULTING AGREEMENT\",\"SERVICES AGREEMENT\"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false},{\"id\":\"af83bea8-bc53-4e93-a3da-f1e697eb6bef\",\"kind\":\"modelFeature\",\"name\":\"Contract Name\",\"active\":true,\"modelReference\":\"Contract Name\",\"conceptId\":\"841d0dcf-7f1d-4a39-931c-53923d10c346\"},{\"id\":\"e3734994-9e34-40e3-82c7-bb6c7bc5a0c3\",\"kind\":\"modelFeature\",\"name\":\"Client \",\"active\":true,\"modelReference\":\"Client \",\"conceptId\":\"8b8490d0-9a09-4c16-bcff-59ce62e05c28\"},{\"id\":\"7c93e7fe-cbfb-47ee-8cca-46ecdf5f628f\",\"kind\":\"modelFeature\",\"name\":\"Contract Date\",\"active\":true,\"modelReference\":\"Contract Date\",\"conceptId\":\"6ba58918-e2f0-4685-9080-98ec4c3adc7c\"},{\"id\":\"5cc85b62-148a-4b07-9155-d9fb7cebb6d0\",\"kind\":\"modelFeature\",\"name\":\"Fee\",\"active\":true,\"modelReference\":\"Fee\",\"conceptId\":\"9c7f764d-afd2-49cd-aaa2-e9407156bfb3\"},{\"id\":\"0f8a23a6-c744-4cae-82bd-d836332ceb56\",\"kind\":\"modelFeature\",\"name\":\"ServiceType\",\"active\":true,\"modelReference\":\"ServiceType\",\"conceptId\":\"4aa9f2fe-cfab-49f8-86b1-11646c79cdbf\"}],\"Extractors\":{\"Contract Name\":[{\"id\":\"8804fbeb-bcf8-44c0-8ade-3fc65496037f\",\"kind\":\"dictionaryFeature\",\"name\":\"before\",\"active\":true,\"nGrams\":[\"- AND -\"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false}],\"Client \":[{\"id\":\"606c56de-9e71-42ef-8ec6-f0bbf351d673\",\"kind\":\"dictionaryFeature\",\"name\":\"start\",\"active\":true,\"nGrams\":[\"BETWEEN:\"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false},{\"id\":\"334e6df5-e076-40db-a47b-f11ceec7af9a\",\"kind\":\"dictionaryFeature\",\"name\":\"after\",\"active\":true,\"nGrams\":[\"of\"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false},{\"id\":\"bccefd2e-88a4-406c-aa9d-81d508bbafb3\",\"kind\":\"proximityFeature\",\"name\":\"prox\",\"active\":true,\"patterns\":[[{\"id\":\"606c56de-9e71-42ef-8ec6-f0bbf351d673\",\"kind\":\"proximityFeatureReference\"},{\"kind\":\"proximityTokenRange\",\"minCount\":1,\"maxCount\":6},{\"id\":\"334e6df5-e076-40db-a47b-f11ceec7af9a\",\"kind\":\"proximityFeatureReference\"}]]}],\"Contract Date\":[{\"id\":\"fabe1ed3-07af-4dc6-852d-fe9521c64801\",\"kind\":\"dictionaryFeature\",\"name\":\"dated\",\"active\":true,\"nGrams\":[\"dated\"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false},{\"id\":\"983da7b8-51d7-4a85-9644-007b488fce0b\",\"kind\":\"dictionaryFeature\",\"name\":\"betw\",\"active\":true,\"nGrams\":[\"between\"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false}],\"Fee\":[{\"id\":\"f4cf89dc-64d1-49a1-9be4-41debda251b6\",\"kind\":\"dictionaryFeature\",\"name\":\"flat fee of \",\"active\":true,\"nGrams\":[\"flat fee of $\",\"flat fee of $$\"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false}],\"ServiceType\":[{\"id\":\"c04408f5-ce14-4eb0-81d0-f72ea9fa7e83\",\"kind\":\"dictionaryFeature\",\"name\":\"Before label\",\"active\":true,\"nGrams\":[\"will provide \"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false},{\"id\":\"ea94fa7f-e41b-4e09-a484-355912bfbdff\",\"kind\":\"dictionaryFeature\",\"name\":\"After label\",\"active\":true,\"nGrams\":[\"services for \"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false}]}}",

- "ID": 16,

- "LastTrained": "2021-01-27T03:04:00Z",

- "ListID": "f1e13676-8595-4c22-9ca2-c0a4076686ca",

- "ModelSettings": null,

- "ModelType": 2,

- "Modified": "2021-01-27T03:05:04Z",

- "ModifiedBy": "i:0#.f|membership|kevinche@contoso.com",

- "ObjectId": "01ZBWEM5E54ZCXN6ZBERFKC6U336T4WY64",

- "PublicationType": 0,

- "Schemas": "{\"Extractors\":{\"Contract Name\":{\"concepts\":{\"841d0dcf-7f1d-4a39-931c-53923d10c346\":{\"name\":\"Contract Name\"}},\"relationships\":[]},\"Client \":{\"concepts\":{\"8b8490d0-9a09-4c16-bcff-59ce62e05c28\":{\"name\":\"Client \"}},\"relationships\":[]},\"Contract Date\":{\"concepts\":{\"6ba58918-e2f0-4685-9080-98ec4c3adc7c\":{\"name\":\"Contract Date\"}},\"relationships\":[]},\"Fee\":{\"concepts\":{\"9c7f764d-afd2-49cd-aaa2-e9407156bfb3\":{\"name\":\"Fee\"}},\"relationships\":[]},\"ServiceType\":{\"concepts\":{\"4aa9f2fe-cfab-49f8-86b1-11646c79cdbf\":{\"name\":\"ServiceType\",\"termSetId\":\"76c12efb-5173-4982-ae9b-5f9e37187171\"}},\"relationships\":[]}}}",

- "SourceUrl": null,

- "UniqueId": "7645e69d-21fb-4a24-a17a-9bdfa7cb63dc"

-}

-```

-### Get and delete the Contoso Contract model by name

-In this sample, the name of the Contoso Contract document understanding model is `Contoso Contract`.

-##### Sample request

-```HTTP

-DELETE /_api/machinelearning/models/getbytitle('Contoso Contract') HTTP/1.1

-```

-## See also

-[Syntex document understanding model REST API](syntex-model-rest-api.md)

-description: Use REST API to get or update information about a SharePoint Syntex document understanding model.

-# GetByUniqueId

-Gets or updates information about a SharePoint Syntex document understanding model (see [example](rest-getbyuniqueid-method.md#examples)).

-## HTTP request

-```HTTP

-GET /_api/machinelearning/models/getbyuniqueid('{modelUniqueId}') HTTP/1.1

-```

-This same method can be used for deleting a model, too.

-```HTTP

-DELETE /_api/machinelearning/models/getbyuniqueid('{modelUniqueId}') HTTP/1.1

-```

-## URI parameters

-|Name |In |Required|Type|Description|

-|--||--|-|--|

-|modelUniqueId|query|True|string|ID of the Syntex model file.|

-## Request headers

-| Header | Value |

-|--|-|

-|Accept|application/json;odata=verbose|

-## Request body

-For GET, no request body is needed.

-## Responses

-| Name | Type | Description|

-|--|-||

-|200 OK| |Success|

-## Examples

-### Get the Contoso Contract model by ID

-In this sample, the ID of the Contoso Contract document understanding model is `7645e69d-21fb-4a24-a17a-9bdfa7cb63dc`.

-#### Sample request

-```HTTP

-GET /_api/machinelearning/models/getbyuniqueid('7645e69d-21fb-4a24-a17a-9bdfa7cb63dc') HTTP/1.1

-```

-#### Sample response

-**Status code:** 200

-```HTTP

-{

- "@odata.context": "https://contoso.sharepoint.com/sites/filerepository/_api/$metadata#models/$entity",

- "@odata.type": "#Microsoft.Office.Server.ContentCenter.SPMachineLearningModel",

- "@odata.id": "https://contoso.sharepoint.com/sites/filerepository/_api/machinelearning/models/getbyuniqueId('7645e69d-21fb-4a24-a17a-9bdfa7cb63dc')",

- "@odata.etag": "\"7645e69d-21fb-4a24-a17a-9bdfa7cb63dc,111\"",

- "@odata.editLink": " https://contoso.sharepoint.com/sites/filerepository /_api/machinelearning/models/getbyuniqueId('7645e69d-21fb-4a24-a17a-9bdfa7cb63dc')",

- "ConfidenceScore": "{\"trainingStatus\":{\"kind\":\"original\",\"ClassifierStatus\":{\"TrainingStatus\":\"success\",\"TimeStamp\":1611716640535},\"ExtractorsStatus\":[{\"TimeStamp\":1585175746775,\"ExtractorName\":\"Contract Name\",\"TrainingStatus\":\"success\"},{\"TimeStamp\":1586905975794,\"ExtractorName\":\"Client \",\"TrainingStatus\":\"success\"},{\"TimeStamp\":1586906061099,\"ExtractorName\":\"Contract Date\",\"TrainingStatus\":\"success\"},{\"TimeStamp\":1586907912388,\"ExtractorName\":\"Fee\",\"TrainingStatus\":\"success\"},{\"TimeStamp\":1611716640115,\"ExtractorName\":\"ServiceType\",\"TrainingStatus\":\"success\"}]},\"modelAccuracy\":{\"Classifier\":1,\"Extractors\":{\"Contract Name\":1,\"Client \":1,\"Contract Date\":1,\"Fee\":1,\"ServiceType\":1}},\"perSampleAccuracy\":{\"133\":{\"Classifier\":1,\"Extractors\":{\"ServiceType\":1}},\"249\":{\"Classifier\":1,\"Extractors\":{\"ServiceType\":1}},\"252\":{\"Classifier\":1,\"Extractors\":{\"ServiceType\":1}},\"253\":{\"Classifier\":1,\"Extractors\":{\"ServiceType\":1}},\"254\":{\"Classifier\":1,\"Extractors\":{\"ServiceType\":1}},\"255\":{\"Classifier\":1,\"Extractors\":{\"ServiceType\":1}},\"256\":{\"Extractors\":{\"ServiceType\":1}},\"257\":{\"Extractors\":{\"ServiceType\":1}}},\"perSamplePrediction\":{\"133\":{\"Extractors\":{\"ServiceType\":[]}},\"249\":{\"Extractors\":{\"ServiceType\":[\"Writing\"]}},\"252\":{\"Extractors\":{\"ServiceType\":[\"Catering\"]}},\"253\":{\"Extractors\":{\"ServiceType\":[\"Design\"]}},\"254\":{\"Extractors\":{\"ServiceType\":[\"Marketing\"]}},\"255\":{\"Extractors\":{\"ServiceType\":[\"Financial Planning\"]}},\"256\":{\"Extractors\":{\"ServiceType\":[\"Writing\"]}},\"257\":{\"Extractors\":{\"ServiceType\":[\"Writing\"]}}},\"trainingFailures\":{}}",

- "ContentTypeGroup": "Intelligent Document Content Types",

- "ContentTypeId": "0x01010083DF84D4F59BBD4CB06F075AA81F58AA",

- "ContentTypeName": "Contoso Contract",

- "Created": "2020-03-25T22:04:04Z",

- "CreatedBy": "i:0#.f|membership|meganb@contoso.com",

- "DriveId": "b!O-aG9qer5UiXx2jEwd8pL0221maIb9lNs9tH5vAMU-h2NuHxlYUiTJyiwKQHZobK",

- "Explanations": "{\"Classifier\":[{\"id\":\"8122ac1d-8fcb-4705-8872-2825cbf05bfe\",\"kind\":\"dictionaryFeature\",\"name\":\"agreement\",\"active\":true,\"nGrams\":[\"CONSULTING AGREEMENT\",\"SERVICES AGREEMENT\"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false},{\"id\":\"af83bea8-bc53-4e93-a3da-f1e697eb6bef\",\"kind\":\"modelFeature\",\"name\":\"Contract Name\",\"active\":true,\"modelReference\":\"Contract Name\",\"conceptId\":\"841d0dcf-7f1d-4a39-931c-53923d10c346\"},{\"id\":\"e3734994-9e34-40e3-82c7-bb6c7bc5a0c3\",\"kind\":\"modelFeature\",\"name\":\"Client \",\"active\":true,\"modelReference\":\"Client \",\"conceptId\":\"8b8490d0-9a09-4c16-bcff-59ce62e05c28\"},{\"id\":\"7c93e7fe-cbfb-47ee-8cca-46ecdf5f628f\",\"kind\":\"modelFeature\",\"name\":\"Contract Date\",\"active\":true,\"modelReference\":\"Contract Date\",\"conceptId\":\"6ba58918-e2f0-4685-9080-98ec4c3adc7c\"},{\"id\":\"5cc85b62-148a-4b07-9155-d9fb7cebb6d0\",\"kind\":\"modelFeature\",\"name\":\"Fee\",\"active\":true,\"modelReference\":\"Fee\",\"conceptId\":\"9c7f764d-afd2-49cd-aaa2-e9407156bfb3\"},{\"id\":\"0f8a23a6-c744-4cae-82bd-d836332ceb56\",\"kind\":\"modelFeature\",\"name\":\"ServiceType\",\"active\":true,\"modelReference\":\"ServiceType\",\"conceptId\":\"4aa9f2fe-cfab-49f8-86b1-11646c79cdbf\"}],\"Extractors\":{\"Contract Name\":[{\"id\":\"8804fbeb-bcf8-44c0-8ade-3fc65496037f\",\"kind\":\"dictionaryFeature\",\"name\":\"before\",\"active\":true,\"nGrams\":[\"- AND -\"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false}],\"Client \":[{\"id\":\"606c56de-9e71-42ef-8ec6-f0bbf351d673\",\"kind\":\"dictionaryFeature\",\"name\":\"start\",\"active\":true,\"nGrams\":[\"BETWEEN:\"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false},{\"id\":\"334e6df5-e076-40db-a47b-f11ceec7af9a\",\"kind\":\"dictionaryFeature\",\"name\":\"after\",\"active\":true,\"nGrams\":[\"of\"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false},{\"id\":\"bccefd2e-88a4-406c-aa9d-81d508bbafb3\",\"kind\":\"proximityFeature\",\"name\":\"prox\",\"active\":true,\"patterns\":[[{\"id\":\"606c56de-9e71-42ef-8ec6-f0bbf351d673\",\"kind\":\"proximityFeatureReference\"},{\"kind\":\"proximityTokenRange\",\"minCount\":1,\"maxCount\":6},{\"id\":\"334e6df5-e076-40db-a47b-f11ceec7af9a\",\"kind\":\"proximityFeatureReference\"}]]}],\"Contract Date\":[{\"id\":\"fabe1ed3-07af-4dc6-852d-fe9521c64801\",\"kind\":\"dictionaryFeature\",\"name\":\"dated\",\"active\":true,\"nGrams\":[\"dated\"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false},{\"id\":\"983da7b8-51d7-4a85-9644-007b488fce0b\",\"kind\":\"dictionaryFeature\",\"name\":\"betw\",\"active\":true,\"nGrams\":[\"between\"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false}],\"Fee\":[{\"id\":\"f4cf89dc-64d1-49a1-9be4-41debda251b6\",\"kind\":\"dictionaryFeature\",\"name\":\"flat fee of \",\"active\":true,\"nGrams\":[\"flat fee of $\",\"flat fee of $$\"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false}],\"ServiceType\":[{\"id\":\"c04408f5-ce14-4eb0-81d0-f72ea9fa7e83\",\"kind\":\"dictionaryFeature\",\"name\":\"Before label\",\"active\":true,\"nGrams\":[\"will provide \"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false},{\"id\":\"ea94fa7f-e41b-4e09-a484-355912bfbdff\",\"kind\":\"dictionaryFeature\",\"name\":\"After label\",\"active\":true,\"nGrams\":[\"services for \"],\"caseSensitive\":false,\"ignoreDigitIdentity\":false,\"ignoreLetterIdentity\":false}]}}",

- "ID": 16,

- "LastTrained": "2021-01-27T03:04:00Z",

- "ListID": "f1e13676-8595-4c22-9ca2-c0a4076686ca",

- "ModelSettings": null,

- "ModelType": 2,

- "Modified": "2021-01-27T03:05:04Z",

- "ModifiedBy": "i:0#.f|membership|kevinche@contoso.com",

- "ObjectId": "01ZBWEM5E54ZCXN6ZBERFKC6U336T4WY64",

- "PublicationType": 0,

- "Schemas": "{\"Extractors\":{\"Contract Name\":{\"concepts\":{\"841d0dcf-7f1d-4a39-931c-53923d10c346\":{\"name\":\"Contract Name\"}},\"relationships\":[]},\"Client \":{\"concepts\":{\"8b8490d0-9a09-4c16-bcff-59ce62e05c28\":{\"name\":\"Client \"}},\"relationships\":[]},\"Contract Date\":{\"concepts\":{\"6ba58918-e2f0-4685-9080-98ec4c3adc7c\":{\"name\":\"Contract Date\"}},\"relationships\":[]},\"Fee\":{\"concepts\":{\"9c7f764d-afd2-49cd-aaa2-e9407156bfb3\":{\"name\":\"Fee\"}},\"relationships\":[]},\"ServiceType\":{\"concepts\":{\"4aa9f2fe-cfab-49f8-86b1-11646c79cdbf\":{\"name\":\"ServiceType\",\"termSetId\":\"76c12efb-5173-4982-ae9b-5f9e37187171\"}},\"relationships\":[]}}}",

- "SourceUrl": null,

- "UniqueId": "7645e69d-21fb-4a24-a17a-9bdfa7cb63dc"

-}

-```

-### Get and delete the Contoso Contract model by ID

-In this sample, the ID of the Contoso Contract document understanding model is `7645e69d-21fb-4a24-a17a-9bdfa7cb63dc`.

-#### Sample request

-```HTTP

-DELETE /_api/machinelearning/models/getbyuniqueid('7645e69d-21fb-4a24-a17a-9bdfa7cb63dc') HTTP/1.1

-```

-## See also

-[Syntex document understanding model REST API](syntex-model-rest-api.md)

-description: Use REST API to get information about a model and the library where it has been applied.

-# Get model and library information

-Gets information about a model and the library where it has been applied (see [example](rest-getmodelandlibraryinfo.md#examples)).

-## HTTP request

-```HTTP

-GET /_api/machinelearning/publications/getbymodeluniqueid('{modelUniqueId}') HTTP/1.1

-```

-## URI parameters

-| Name | In | Required | Type | Description |

-|--|-|--||--|

-|ModelUniqueId|query|True|GUID|The unique id of the model file.|

-## Request headers

-| Header | Value |

-|--|-|

-|Accept|application/json;odata=verbose|

-## Response

-| Name | Type | Description|

-|--|-||

-|200 OK| |Success|

-## Examples

-### Get information about the contracts model and primed document library in the repository site

-In this sample, the ID of the Contoso Contract document understanding model is `7645e69d-21fb-4a24-a17a-9bdfa7cb63dc`.

-#### Sample request

-```HTTP

-GET /sites/TestCC/_api/machinelearning/publications/getbymodeluniqueid('7645e69d-21fb-4a24-a17a-9bdfa7cb63dc') HTTP/1.1

-```

-#### Sample response

-**Status code:** 200

-```JSON

-{

- "@odata.context": "https://contoso.sharepoint.com/sites/TestCC/_api/$metadata#publications",

- "value": [

- {

- "@odata.type": "#Microsoft.Office.Server.ContentCenter.SPMachineLearningPublication",

- "@odata.id": "https://contoso.sharepoint.com/sites/repository /_api/machinelearning/publications/getbyuniqueId('7645e69d-21fb-4a24-a17a-9bdfa7cb63dc')",

- "@odata.etag": "\"7645e69d-21fb-4a24-a17a-9bdfa7cb63dc,94\"",

- "@odata.editLink": " https://contoso.sharepoint.com/sites/TestCC /_api/machinelearning/publications/getbyuniqueId('7645e69d-21fb-4a24-a17a-9bdfa7cb63dc')",

- "Created": "2021-04-27T03:05:25Z",

- "CreatedBy": "i:0#.f|membership|meganb@contoso.com",

- "DriveId": "b!O-aG9qer5UiXx2jEwd8pL0221maIb9lNs9tH5vAMU-gPy9BrxT7GTrtXtdtv1Uzb",

- "ID": 26,

- "ModelId": 16,

- "ModelName": "contosocontract.classifier",

- "ModelType": 0,

- "ModelUniqueId": "7645e69d-21fb-4a24-a17a-9bdfa7cb63dc",

- "ModelVersion": "8.0",

- "Modified": "2021-03-17T17:56:42Z",

- "ModifiedBy": "i:0#.f|membership|joedoe@contoso.com",

- "ObjectId": "01ZBWEM5FZRILGLXTEB5CZ2NNNSCTWBJMQ",

- "PublicationType": 1,

- "TargetLibraryRemoved": false,

- "TargetLibraryServerRelativeUrl": "/sites/repository/contracts",

- "TargetLibraryUrl": " https://contoso.sharepoint.com/sites/repository/contracts",

- "TargetSiteUrl": "https://contoso.sharepoint.com/sites/repository",

- "TargetWebServerRelativeUrl": "/sites/repository",

- "UniqueId": "7645e69d-21fb-4a24-a17a-9bdfa7cb63dc",

- "ViewOption": "NewViewAsDefault"

- },

- {

- "@odata.type": "#Microsoft.Office.Server.ContentCenter.SPMachineLearningPublication",

- "@odata.id": "https://contoso.sharepoint.com /sites/legal/_api/machinelearning/publications/getbyuniqueId('7645e69d-21fb-4a24-a17a-9bdfa7cb63dc')",

- "@odata.etag": "\"7645e69d-21fb-4a24-a17a-9bdfa7cb63dc,101\"",

- "@odata.editLink": "https://contoso.sharepoint.com /sites/legal/_api/machinelearning/publications/getbyuniqueId('7645e69d-21fb-4a24-a17a-9bdfa7cb63dc')",

- "Created": "2021-01-27T03:17:44Z",

- "CreatedBy": "i:0#.f|membership|esherman@contoso.com ",

- "DriveId": "b!O-aG9qer5UiXx2jEwd8pL0221maIb9lNs9tH5vAMU-gPy9BrxT7GTrtXtdtv1Uzb",

- "ID": 27,

- "ModelId": 16,

- "ModelName": "dispositions.classifier",

- "ModelType": 0,

- "ModelUniqueId": "7645e69d-21fb-4a24-a17a-9bdfa7cb63dc",

- "ModelVersion": "8.0",

- "Modified": "2021-03-17T23:17:46Z",

- "ModifiedBy": "i:0#.f|membership|esherman@contoso.com ",

- "ObjectId": "01ZBWEM5B3ERSZK4PAARGLFZ7JP6GMXG2R",

- "PublicationType": 1,

- "TargetLibraryRemoved": false,

- "TargetLibraryServerRelativeUrl": "/sites/legal/dispositions",

- "TargetLibraryUrl": "https://contoso.sharepoint.com/sites/legal/dispositions",

- "TargetSiteUrl": " https://contoso.sharepoint.com/sites/legal",

- "TargetWebServerRelativeUrl": "/sites/legal",

- "UniqueId": "7645e69d-21fb-4a24-a17a-9bdfa7cb63dc",

- "ViewOption": "NewViewAsDefault"

- }

- ]

-}

-```

-## See also

-[Syntex document understanding model REST API](syntex-model-rest-api.md)

-description: Use REST API to update available models settings for a SharePoint Syntex document understanding model.

-# UpdateModelSettings

-Updates available models settings (associated retention label and model description) for a SharePoint Syntex document understanding model (see [example](rest-updatemodelsettings-method.md#examples)).

-## HTTP request

-```HTTP

-POST /_api/machinelearning/models/getbytitle('{modelFileName}')/updatemodelsettings HTTP/1.1

-```

-## URI parameters

-|Name |In |Required|Type|Description|

-|--||--|-|--|

-|modelFileName|query|True|string|Name of the Syntex model file.|

-## Request headers

-| Header | Value |

-|--|-|

-|Accept|application/json;odata=verbose|

-|Content-Type|application/json;odata=verbose;charset=utf-8|

-|x-requestdigest|The appropriate digest for the current site.|

-## Request body

-|Name |Type |Description |

-|--|-|-|

-|ModelSettings|string|JSON of model settings.|

-|Description|string|The model description.|

-|RetentionLabel| |Info for the associated label (label ID and name).|

-## Responses

-| Name | Type | Description|

-|--|-||

-|200 OK| |Success|

-## Examples

-### Update model settings for Contoso Contract

-In this example, the model description and "Standard Hold" retention label are updated. The ID of the retention label is `27c5fcba-abfd-4c34-823d-0b4a48f7ffe6`.

-#### Sample request

-```HTTP

-{

- "ModelSettings": "{\"Description\":\"This model is used to set files classified as Contoso Contracts with a standard hold retention.\", \"RetentionLabel\":{\"Id\":\"27c5fcba-abfd-4c34-823d-0b4a48f7ffe6\",\"Name\":\"Standard Hold\"}}"

-}

-```

-#### Sample response

-**Status code:** 200

-## See also

-[Syntex document understanding model REST API](syntex-model-rest-api.md)

-description: Overview of the SharePoint Syntex document understanding model REST API.

-# SharePoint Syntex document understanding model REST API

-You can use the SharePoint REST interface to create a document understanding model, apply or remove the model to one or more libraries, and obtain or update information about the model.

-The SharePoint Online (and SharePoint 2016 and later on-premises) REST service supports combining multiple requests into a single call to the service by using the OData $batch query option.

-For details and links to code samples, see [Make batch requests with the REST APIs](/sharepoint/dev/sp-add-ins/make-batch-requests-with-the-rest-apis).

-## Prerequisites

-Before you get started, make sure that you're familiar with the following:

-## REST commands

-The following REST commands are available for working with Syntex document understanding models:

-## Scenarios

-Note the following scenario examples that aren't intuitive from the method name. For more information, see each article.

-The create model method only creates the model object and its associated content type. You'll need to first train the model in the content center before it can be applied to a library.

-The apply model method is used to configure the model on the target library to classify documents and optionally extract additional information. This API also supports batch applying the model to multiple libraries.

-The remove model method just removes the model from one or more libraries where it was previously applied. If you want to delete the model, it must first be removed from all the libraries where it was applied.

-## See also

-[Document understanding overview](../document-understanding-overview.md)

-The Microsoft 365 Defender portal enables your security team to respond to and mitigate detected threats.

-Policy|Setting

-|

-Configure Controlled folder access| Enabled, Audit Mode

-Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Signature Updates**

-> This script has been optimized for use on up to 10 devices.

->

-> To deploy at scale, use [other deployment options](configure-endpoints.md). For example, you can deploy an onboarding script to more than 10 devices in production with the script available in [Onboard Windows devices using Group Policy](configure-endpoints-gp.md).

-If you have fully updated your machines with the latest [monthly rollup](/troubleshoot/windows-client/deployment/standard-terminology-software-updates.md#monthly-rollup) package, there are **no** additional prerequisites.

-> If there are conflicting URL indicator policies, the longer path is applied. For example, the URL indicator policy `https:\\support.microsoft.com/office` takes precedence over the URL indicator policy `https:\\support.microsoft.com`.

-expirationTime|DateTimeOffset|The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. **Optional**

- repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/config/[distro]/[version]/prod [channel] main

-2. In the Jamf Pro dashboard, select **New**.

-4. In **Application & Custom Settings** select **Configure**.

- > For passive mode to work on endpoints running Windows Server 2016 and Windows Server 2012 R2, those endpoints must be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016).

- | Passive mode | In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are *not* remediated by Microsoft Defender Antivirus. Threats can be remediated by [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md), however. <br/><br/> Files are scanned, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts in the [Defender for Cloud](microsoft-defender-security-center.md) showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode. <br/><br/> When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware. <br/><br/> For optimal security layered defense and detection efficacy, make sure to get your antivirus and antimwalware updates, even if Microsoft Defender Antivirus is running in passive mode. See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md). <br/><br/> **NOTE**: Passive mode is not supported on Windows Server 2016. |

-Microsoft Defender for Endpoint for servers requires one of the following licensing options:

-> Customers may acquire server licenses (one per covered server Operating System Environment (OSE)) for Microsoft Defender for Endpoint for Servers if they have a combined minimum of 50 licenses for one or more of the following user licenses:

-1. Open the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> and go to **Incidents & alerts** \> **Alerts**. Or, to go directly to the **Alerts** page, use <https://security.microsoft.com/alerts>.

-The feature is designed to give feedback to your users but doesn't change the verdicts of messages in the system. To help Microsoft update and improve its filters, you need to submit messages for analysis using [Admin submission](admin-submission.md).

- - Organization Management or Security Administrator in the [Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).

- - Organization Management in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups).

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go directly to the **Submissions** page: [https://security.microsoft.com/reportsubmission](https://security.microsoft.com/reportsubmission).

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **User reported message settings** in the **Others** section.

-4. When you're finished, click **Save**. To clear these values, click **Discard** on the User submissions page.

- - seo-marvel-apr2020

- - admindeeplinkDEFENDER

- - **Organization Management** or **Security Reader** in the [Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, under **Actions & submissions**, go to **Submissions**.

-2. On the **Submissions** page, verify that the **Emails** tab is selected, select the email you want to report, and then click  **Submit to Microsoft for analysis**.

-1. In the Microsoft 365 Defender portal, under **Actions & submissions**, go to **Submissions**.

-2. Select **User reported messages** tab, and then select the message you want to mark and notify.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, under **Actions & submissions**, go to **Submissions**.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, under **Actions & submissions**, go to **Submissions**.

-1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>.

-2. In the navigation pane, select **Action center**.

-3. Select the **History** tab to view the list of completed actions.

-4. Select an item. Its flyout pane opens.

-5. In the flyout pane, select **Undo**. (Only actions that can be undone will have an **Undo** button.)

-1. Open the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> and sign in.

-2. In the navigation pane, select **Incidents & alerts > Incidents**.

-3. Select an incident name to open its summary page.

-4. Select the **Evidence and Response** tab.

-5. Select an item in the list. Its side pane opens.

-6. In the side pane, take approve or reject actions.

-## Investigation queue

-1. Open the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> and sign in.

-2. Navigate from the alerts/incident page.

-3. On the Investigation page, go to the **pending actions** tab.

-1. Open the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> and sign in.

-2. In the navigation pane, select **Action center**.

-3. On the **Pending** tab, review the list of actions that are awaiting approval.

-1. Open the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> and sign in.

-2. Open pending investigations.

-3. On the Investigation page, go to the **pending actions** tab.

-4. Select an item in the list. Its side pane opens.

-5. In the side pane, take approve or reject actions.

-1. Go to the [unified action center](https://security.microsoft.com/action-center) and sign in.

-2. On the **History** tab, select an action that you want to change or undo.

-1. Go to the [Office action center](https://security.microsoft.com/threatincidents) and sign in.

-2. Select the appropriate remediation.

-3. In the side pane, click on the mail submissions entry and wait for the list to load.

-Alerts are in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>. Here's how to get to the page:

-In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Alerts**. Or, to go direct to the **Alerts** page, use <https://security.microsoft.com/alerts>.

-The following table describes the tools that are available under **Alerts** in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>.

- - admindeeplinkDEFENDER

- > NOR, ZAF, ARE and DEU are the latest additions. All features except reported email telemetry will be available in these regions. We are working to enable this and will notify our customers as soon as reported email telemetry becomes available.

-To go to the **Overview** tab, open the Microsoft 365 Defender portal at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">https://security.microsoft.com</a>, go to **Email & collaboration** \> **Attack simulation training**, and verify that the **Overview** tab is selected (it's the default). To go directly to the **Overview** tab on the **Attack simulation training** page, use <https://security.microsoft.com/attacksimulator?viewid=overview>.

-To go to the **Simulations** tab, open the Microsoft 365 Defender portal at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">https://security.microsoft.com</a>, go to **Email & collaboration** \> **Attack simulation training**, and then click the **Simulations** tab. To go directly to the **Simulations** tab on the **Attack simulation training** page, use <https://security.microsoft.com/attacksimulator?viewid=simulations>.

-1. In the Microsoft 365 Defender portal at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">https://security.microsoft.com</a>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulations** tab.

-Campaign Views is available in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> at **Email & collaboration** \> **Campaigns**, or directly at <https://security.microsoft.com/campaigns>.

-In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Configuration analyzer** in the **Templated policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Advanced delivery** in the **Rules** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Advanced delivery** in the **Rules** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.

- - admindeeplinkDEFENDER

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.

- - admindeeplinkDEFENDER

-The difference between these two elements isn't obvious when you manage outbound spam polices in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>:

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.

-1. In the<a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.

-1. In the<a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.

- - admindeeplinkDEFENDER

-With Microsoft Defender for Office 365, your organization's security team can configure protection by defining policies in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> \> **Email & collaboration** \> **Policies & rules** \> **Threat policies**).

-Microsoft Defender for Office 365 includes [reports](view-reports-for-mdo.md) to monitor Defender for Office 365. You can access the reports in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> at **Reports** \> **Email & collaboration** \> **Email & collaboration reports** or directly at <https://security.microsoft.com/securityreports>.

-1. Open the Microsoft 365 Defender portal at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">https://security.microsoft.com</a> and then select **Audit**. Or, to go directly to the **Audit** page, use <https://security.microsoft.com/auditlogsearch>.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, choose **Email & collaboration** \> **Explorer** (or **Real-time detections**; This example uses Explorer).

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, choose **Email & collaboration** \> **Explorer** (or **Real-time detections**; This example uses Explorer).

-, choose **Email & collaboration** \> **Explorer** (or **Real-time detections**; This example uses Explorer).

- - admindeeplinkDEFENDER

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & collaboration** \> **Review** \> **Quarantine**.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.

-|Use Threat Explorer (and Real-time detections) to analyze threats |Global Administrator <p> Security Administrator <p> Security Reader|No|

-|Use Threat Explorer (and Real-time detections) to view headers for email messages as well as preview and download quarantined email messages|Global Administrator <p> Security Administrator <p> Security Reader|No|

-|Use Threat Explorer to view headers, preview email (only in the email entity page) and download email messages delivered to mailboxes|Global Administrator <p> Security Administrator <p> Security Reader <p> Preview|Yes|

-> *Preview* is a role, not a role group. The Preview role must be added to an existing role group in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>. Go to **Permissions**, and then either edit an existing role group or add a new role group with the **Preview** role assigned.

-> The Global Administrator role is assigned the Microsoft 365 admin center (<https://admin.microsoft.com>), and the Security Administrator and Security Reader roles are assigned in <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>. To learn more about roles and permissions, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).

-We understand previewing and downloading email are sensitive activities, and so we auditing is enabled for these. Once an admin performs these activities on emails, audit logs are generated for the same and can be seen in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>. Go to **Audit** \> **Search** tab, and filter on the admin name in **Users** box. The filtered results will show activity **AdminMailAccess**. Select a row to view details in the **More information** section about previewed or downloaded email.

-1. Open the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> and sign in using your work or school account for Office 365.

-2. Go to **Threat Explorer** by choosing **Email & collaboration** \> **Explorer** in the left navigation. To go to **Threat Explorer** directly, use <https://security.microsoft.com/threatexplorer>.

-3. In the **View** menu, choose **Email** \> **All email** from the drop down list.

- - admindeeplinkDEFENDER

-The rest of this article explains how to use the spoof intelligence insight in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> and in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Tenant Allow/Block Lists** in the **Rules** section.

- - In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>, disable or delete the connector that delivers email from Microsoft 365 to your on-premises email environment:

- 1. In the EAC, go to **Mail flow** \> **Connectors**.

- - admindeeplinkDEFENDER

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & collaboration** \> **Review** \> **Quarantine**.

-1. In the<a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & collaboration** \> **Review** \> **Quarantine**.

-The email entity page is available in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> at **Email & collaboration** \> **Explorer**. Or, to go directly to the **Explorer** page, use <https://security.microsoft.com/threatexplorer>.

- - admindeeplinkDEFENDER

- - admindeeplinkEXCHANGE

-Message trace in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> follows email messages as they travel through your Exchange Online organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.

-> Message trace in the Microsoft 365 Defender portal is just a pass through to Message trace in the Exchange admin center. For more information, see [Message trace in the modern <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>](/exchange/monitoring/trace-an-email-message/message-trace-modern-eac).

-In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & collaboration** \> **Exchange message trace**. Or, to go directly to the message trace page, use <https://admin.exchange.microsoft.com/#/messagetrace>.

- - admindeeplinkEXCHANGE

-The new and improved <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> brings together AIR capabilities in [Microsoft Defender for Office 365](defender-for-office-365.md) and in [Microsoft Defender for Endpoint](../defender-endpoint/automated-investigations.md). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.

-> The new <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> replaces the following centers:

-description: Defender for Office 365 in evaluation mode creates Defender for Office 365 email policies that log verdicts, such as malware, but don't act on messages.

-> If you're in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, you can start a Defender for Office 365 evaluation here: **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Evaluation mode** in the **Others** section.

-Defender for Office 365 in evaluation mode creates Defender for Office 365 email policies that log verdicts, such as malware, but don't act on messages. You are not required to change your MX record configuration.

-With evaluation mode,ΓÇ»[Safe Attachments](safe-attachments.md),ΓÇ»[Safe Links](safe-links.md), andΓÇ»[mailbox intelligence in anti-pishing policies](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) are set up on your behalf. All Defender for Office 365 policies is created in non-enforcement mode in the background and are not visible to you.

-As part of the setup, evaluation mode also configuresΓÇ»[Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) (also known as _skip listing_). It improves filtering accuracy by preserving IP address and sender information, which are otherwise lost when mail passes through an email security gateway (ESG) in front of Defender for Office 365. Enhanced Filtering for Connectors also improves the filtering accuracy for your existing Exchange Online Protection (EOP) anti-spam and anti-phishing policies.

-Enhanced Filtering for Connectors improves filtering accuracy but may alter deliverability for certain messages if you have an ESG in front of Defender for Office 365, and currently do not bypass EOP filtering. The impact is limited to EOP policies; Defender for Office 365 policies set up as part of the evaluation are created in non-enforcement mode. To minimize potential production impact, you can bypass most EOP filtering by creating a mail flow rule (also known as a transport rule) to set the spam confidence level (SCL) of messages to -1. See [Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl) for details.

-To access the evaluation, you'll need to meet the licensing requirements. Any of the following licenses will work:

-Prepare the corresponding details that you will need to set up how your email is currently routed, including the name of the inbound connector that routes your mail. If you are just using Exchange Online Protection, you won't have a connector.ΓÇ»[Learn about mail flow and email routing](/office365/servicedescriptions/exchange-online-service-description/mail-flow)

-Find the Microsoft Defender for Office 365 evaluation set-up card in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> from three access points:

-If you have an existing gateway, enabling evaluation mode will activate Enhanced Filtering for Connectors. This feature improves filtering accuracy by altering the incoming sender IP address. This feature might change the filter verdicts, and if you are not bypassing Exchange Online Protection, this may alter deliverability for certain messages. In this case, you might want to temporarily bypass filtering to analyze impact. To bypass filtering, open the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a> and create a mail flow rule that sets the SCL of messages to -1 (if you don't already have one). For instructions, see [Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).

- - admindeeplinkDEFENDER

-Threat investigation and response capabilities surface in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, as a set of tools and response workflows, including the following:

-To view and use this report, in the Microsoft 365 Defender portal, go to **Email & collaboration** > **Explorer**.

-To view the list of current incidents for your organization, in the Microsoft 365 Defender portal, go to **Incidents & alerts** > **Incidents**.

-To view and use this feature in the Microsoft 365 Defender portal, go to **Email & collaboration** > **Attack simulation training**.

-Managing permissions in the Security & Compliance Center only gives users access to the compliance features that are available within the Security & Compliance Center itself. If you want to grant permissions to other compliance features that aren't in the Security & Compliance Center, such as Exchange mail flow rules (also known as transport rules), you need to use the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>.

-The Microsoft 365 Defender portal at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">https://security.microsoft.com</a> supports directly managing permissions for users who perform security tasks in Microsoft 365. By using the Microsoft 365 Defender portal to manage permissions, you can manage permissions centrally for all tasks related to security.

-Permissions in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by most Microsoft 365 services, so if you're familiar with the permission structure in these services, granting permissions in the Microsoft 365 Defender portal will be very familiar.

-The <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> includes default role groups for the most common tasks and functions that you'll need to assign. Generally, we recommend simply adding individual users as **members** to the default role groups.

-The following types of roles and role groups are available in **Permissions & roles** in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>:

-When you go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> \> **Email & collaboration roles** \> **Permissions & roles** \> **Azure AD roles** \> **Roles** (or directly to <https://security.microsoft.com/aadpermissions>) you'll see the Azure AD roles that are described in this section.

-When you go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> \> **Email & collaboration roles** \> **Permissions & roles** \> **Email & collaboration roles** \> **Roles** (or directly to <https://security.microsoft.com/emailandcollabpermissions>) you'll see the same role groups that are available in the Security & Compliance Center.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & collaboration roles** \> **Permissions & roles** \> **Email & collaboration roles** \> **Roles**.

-2. In the **Permissions** page that opens, select the role group that you want to modify from the list. You can click on the **Name** column header to sort the list by name, or you can click **Search**  to find the role group.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Preset Security Policies** in the **Templated policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Preset Security Policies** in the **Templated policies** section.

-In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & collaboration**, and then choose **Explorer** _or_ **Real-time detections**.

-The user is added to the **Restricted users** page in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>. When they try to send email, the message is returned in a non-delivery report (also known as an NDR or bounce messages) with the error code [5.1.8](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-5-1-8-in-exchange-online) and the following text:

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & collaboration** \> **Review** \> **Restricted users**.

- - admindeeplinkMAC

- - admindeeplinkDEFENDER

- - admindeeplinkEXCHANGE

-If a user reports any of the above symptoms, you should perform further investigation. The <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> and the Azure portal offer tools to help you investigate the activity of a user account that you suspect may be compromised.

-1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a>.

-2. Go to **Users** \> **Active users**. Find the user account in question, and select the user (row) without selecting the checkbox.

-1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a> and go to **Users** \> **Active users**.

-2. Find and select the user account, click , and then select **Edit sign-in status**.

-4. Open the Exchange admin center (EAC), and go to **Recipients** \> <a href="https://go.microsoft.com/fwlink/?linkid=2183135" target="_blank">**Mailboxes**</a>.

-5. Find and select the user. In the mailbox details flyout that opens, do the following steps:

- - In the **Email apps** section, block all of the available settings by moving the toggle to the right :

-1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a> with a global administrator account and do the following steps:

- 1. Go to **Users** \> **Active users**.

- 2. Find and select the user account, click , and then select **Manage roles**.

-2. Open the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> and do the following steps:

- 1. Go to **Permissions & roles** \> **Email & collaboration roles** \> **Roles**.

-3. Open the EAC and do the following steps:

- 1. Select **Roles** \> <a href="https://go.microsoft.com/fwlink/?linkid=2183234" target="_blank">**Admin roles**</a>.

-1. Open the Microsoft 365 Defender portal and go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.

-|Email issues for priority accounts report|The **Email issues for priority accounts** report in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a> contains information about undelivered and delayed messages for **priority accounts**. For more information, see [Email issues for priority accounts report](/exchange/monitoring/mail-flow-reports/mfr-email-issues-for-priority-accounts-report).|

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.

-1. In the Microsoft 365 Defender portal,<a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Policies & rules** \> **Threat Policies** \> **Policies** section \> **Safe Links**.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Policies & rules** \> **Threat Policies** \> **Policies** section \> **Safe Links**.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Safe Links** in the **Policies** section.

-In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.

-In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & collaboration**, and then choose **Explorer** or **Real-time detections**. To do directly to the page, use <https://security.microsoft.com/threatexplorer> or <https://security.microsoft.com/realtimereports>

-To view and use your Threat Trackers for your organization, go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> and choose **Email & collaboration** \> **Threat tracker**.

-Welcome to the Microsoft Defender for Office 365 trial playbook. This playbook will help you make the most of your 90-day free trial by teaching you how to safeguard your organization with Defender for Office 365. Using Microsoft recommendations, you'll learn how Defender for Office 365 can help you define protection policies, analyze threats to your organization, and respond to attacks.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Policies & rules** \> **Alert policy** or open <https://security.microsoft.com/alertpolicies>.

- - admindeeplinkDEFENDER

-1. Open the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> using your work or school account.

-2. Go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **DKIM** in the **Rules** section. Or, to go directly to the DKIM page, use <https://security.microsoft.com/dkimv2>.

-3. On the **DKIM** page, select the domain by clicking on the name.

-4. In the details flyout that appears, change the **Sign messages for this domain with DKIM signatures** setting to **Enabled** ()

-5. Repeat these step for each custom domain.

-6. If you are configuring DKIM for the first time and see the error 'No DKIM keys saved for this domain' you will have to use Windows PowerShell to enable DKIM signing as explained in the next step.

-Once you have set up DKIM, if you have not already set up SPF you should do so. For a quick introduction to SPF and to get it configured quickly, see [**Set up SPF in Microsoft 365 to help prevent spoofing**](set-up-spf-in-office-365-to-help-prevent-spoofing.md). For a more in-depth understanding of how Microsoft 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid deployments, start with [How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing](how-office-365-uses-spf-to-prevent-spoofing.md).

-[Use DMARC to validate email](/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-worldwide)

- - admindeeplinkDEFENDER

-In this example we will configure "Alex", a member of our security team who will have zero standing access within Office 365, but can elevate to both a role required for normal day to day operations, such as [Threat Hunting](threat-hunting-in-threat-explorer.md) and then also to a higher level of privilege when less frequent but sensitive operations, such as [remediating malicious delivered email](remediate-malicious-email-delivered-office-365.md) is required.

-> This will walk you through the steps required to setup PIM for a Security Analyst who requires the ability to purge emails using Threat Explorer in Microsoft Defender for Office 365, but the same steps can be used for other RBAC roles within the Security, and Compliance portal. For example this process could be used for a information worker who requires day to day access in eDiscovery to perform searches and case work, but only occasionally needs the elevated right to export data from the tenant.

-4. As this is Alex's normal privilege level for day to day operations, we will Uncheck **Require justification on activation**' > **Update**.

-6. Click the **Select** button to choose the member you need to add for PIM privileges > click **Next** > make no changes on the Add Assignment page (both assignment type *Eligible* and duration *Permenantly Eligible* will be defaults ) and **Assign**.

-In the Security Portal, create a custom role group that contains the permissions that we want.

-1. Browse to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> > **Permissions & Roles** > select **Roles** under Email and Collaboration > **Create**.

-2. Name your group to reflect its purpose such as 'Search and Purge PIM'.

-3. Don't add members, simply save the group and move on to the next part!

-2. Name your AAD group to reflect its purpose, **no owners or members are required** right now.

-6. Within the group select **Eligible assignments** > **Add assignments** > Add the user who needs Search & Purge as a role of **Member**.

-### Nest the newly created security group into the role group.

-1. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell) and run the following:

- `Add-RoleGroupMember "<<Role Group Name>>" -Member "<<Azure Security Group>>"`

-1. Login with the test user (Alex), who will should have no administrative access within the [Microsoft 365 Defender portal](/microsoft-365/security/defender/overview-security-center) at this point.

-2. Navigate to PIM, where the user can activate their day to day security reader role.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Policies & rules** \> **Threat policies** \> **User reported message settings** in the **Others** \> **User submissions**.

- - **Only display when user reports phishing**: Check this option if you want to display the message only when an email is reported as phish. If not, checked messages will be shown for any kind of report.

-This article explains how to configure user tags in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>. There are no cmdlets in Microsoft 365 Defender portal to manage user tags.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Settings** \> **Email & collaboration** \> **User tags**.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Settings** \> **Email & collaboration** \> **User tags**.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Settings** \> **Email & collaboration** \> **User tags**.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Settings** \> **Email & collaboration** \> **User tags**.

-> Reports that are related to mail flow are now in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>. For more information about these reports, see [Mail flow reports in the new Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports).

-> Most of the reports in this article are also available in the Microsoft 365 Defender portal or the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>. For more information, see the following topics:

-1. Go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. To go directly to the **Email & collaboration reports** page, open <https://security.microsoft.com/emailandcollabreport>.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Reports** > **Email & collaboration**.

-2. Select **Reports for download**.

-> Reports that are related to mail flow are now in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>. For more information about these reports, see [Mail flow reports in the new Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports).

-To view the report, open the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Mail latency report** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/mailLatencyReport>.

- - To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.