Updates from: 01/08/2021 04:10:11
Category Microsoft Docs article Related commit history on GitHub Change details
business-video https://docs.microsoft.com/en-us/microsoft-365/business-video/buy-licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/buy-licenses.md
@@ -28,7 +28,7 @@ description: "Learn how to buy new Microsoft 365 for business licenses."
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4KWvE?autoplay=false]
-As you add new users, you will need to purchase more licenses for those users.
+As you add new users, you will need to purchase more Microsoft 365 licenses for those users.
## Try it!
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/permissions-filtering-for-content-search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/permissions-filtering-for-content-search.md
@@ -61,7 +61,7 @@ Before you can successfully run the script in this section, you have to download
```powershell Import-Module ExchangeOnlineManagement $UserCredential = Get-Credential
- Connect-ExchangeOnline -Credential $UserCredential
+ Connect-ExchangeOnline -Credential $UserCredential -ShowBanner:$false
Connect-IPPSSession -Credential $UserCredential $Host.UI.RawUI.WindowTitle = $UserCredential.UserName + " (Exchange Online + Compliance Center)" ```
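Review bot: The `-Credential $UserCredential` form on the changed `Connect-ExchangeOnline` line, and on the `Connect-IPPSSession` line that follows it, passes a password collected by `Get-Credential`, which does not work for accounts that require multi-factor authentication. Since the line is being edited anyway, either state near the script that it assumes an account without MFA, or show the `-UserPrincipalName` form of both cmdlets as the alternative. The `-ShowBanner:$false` addition itself looks fine.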
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/retention-policies-teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-teams.md
@@ -102,7 +102,7 @@ When external users are included in a meeting that your organization hosts:
## When a user leaves the organization
-If a user leaves your organization and their Microsoft 365 account is deleted, their chat messages that are subject to retention are stored in an inactive mailbox. The chat messages remain subject to any retention policy that was placed on the user before their mailbox was made inactive, and the contents are available to an eDiscovery search. For more information, see [Inactive mailboxes in Exchange Online](inactive-mailboxes-in-office-365.md).
+If a user who has a mailbox in Exchange Online leaves your organization and their Microsoft 365 account is deleted, their chat messages that are subject to retention are stored in an inactive mailbox. The chat messages remain subject to any retention policy that was placed on the user before their mailbox was made inactive, and the contents are available to an eDiscovery search. For more information, see [Inactive mailboxes in Exchange Online](inactive-mailboxes-in-office-365.md).
If the user stored any files in Teams, see the [equivalent section](retention-policies-sharepoint.md#when-a-user-leaves-the-organization) for SharePoint and OneDrive.
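Review bot: The added qualifier "who has a mailbox in Exchange Online" in the first sentence leaves the other case unanswered: the paragraph no longer says what happens to retained chat messages when the departing user does not have an Exchange Online mailbox. Add a sentence covering that case, or link to where it is described, so readers do not assume the inactive-mailbox behavior applies to every user.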
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/additional-office365-ip-addresses-and-urls https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/additional-office365-ip-addresses-and-urls.md
@@ -75,6 +75,12 @@ Apart from DNS, these are all optional for most customers unless you need the sp
[Content delivery networks](https://support.office.com/article/content-delivery-networks-0140f704-6614-49bb-aa6c-89b75dcd7f1f)
-[Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/download/details.aspx?id=41653)
+[Azure IP Ranges and Service Tags ΓÇô Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519)
+
+[Azure IP Ranges and Service Tags ΓÇô US Government Cloud](https://www.microsoft.com/download/details.aspx?id=57063)
+
+[Azure IP Ranges and Service Tags ΓÇô Germany Cloud](https://www.microsoft.com/download/details.aspx?id=57064)
+
+[Azure IP Ranges and Service Tags ΓÇô China Cloud](https://www.microsoft.com/download/details.aspx?id=57062)
[Microsoft Public IP Space](https://www.microsoft.com/download/details.aspx?id=53602)
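Review bot: All four added link titles contain `ΓÇô` between "Service Tags" and the cloud name, which looks like a mis-encoded dash. Replace it with a plain hyphen or a correctly encoded en dash and confirm the file is saved as UTF-8, otherwise the garbled characters end up in the published list of ranges that administrators use to build firewall rules.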
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/address-space-calculator-for-azure-gateway-subnets https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/address-space-calculator-for-azure-gateway-subnets.md
@@ -3,7 +3,7 @@ title: "Address space calculator for Azure gateway subnets"
ms.author: josephd author: JoeDavies-MSFT manager: laurawi
-ms.date: 09/01/2020
+ms.date: 01/07/2021
audience: ITPro ms.topic: hub-page ms.service: o365-administration
@@ -20,14 +20,14 @@ description: "Summary: Calculate the address space of an Azure gateway subnet wi
# Address space calculator for Azure gateway subnets
-A virtual network (VNet) in Azure infrastructure services that is connected to other networks must have a gateway subnet. The best practices for defining this subnet are the following:
+A virtual network (VNet) in Azure infrastructure services that is connected to other networks must have a gateway subnet. The best practices for defining the gateway subnet are:
- The prefix length of the gateway subnet can have a maximum prefix length of 29 (for example, 10.119.255.248/29), but the current recommendation is that you use a prefix length of 27 (for example, 10.119.255.224/27).-- When defining the address space of the gateway subnet, use the very last part of the VNet address space.
+- When defining the address space of the gateway subnet, use the last part of the VNet address space.
-For the second recommendation, you can determine the address space of the gateway subnet by setting the bits used for the gateway subnet to 0 and the remaining variable bits in the VNet address space to 1. To quickly calculate the gateway subnet address space without having to convert to binary and back to decimal, you can use a console application written in C# or Python or with a PowerShell command block.
+For the second recommendation, you can determine the address space of the gateway subnet by setting the bits used for the gateway subnet to 0 and the remaining bits in the VNet address space to 1. To quickly calculate the gateway subnet address space without having to convert to binary and back to decimal, you can use a console application written in C# or Python or with a PowerShell command block.
-This article contains C#, Python and PowerShell code blocks that collect five integersΓÇöthe values of w.x.y.z/n for the VNet address prefix and the gateway subnet prefix lengthΓÇöand calculates the gateway subnet address space.
+This article contains C#, Python, and PowerShell code blocks that calculate the gateway subnet address space based on the values of w.x.y.z/n for the VNet address prefix and the gateway subnet prefix length.
## C# code block
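Review bot: Dropping "variable" from "the remaining variable bits in the VNet address space" makes the calculation ambiguous. As now worded, "the remaining bits in the VNet address space" can be read as including the fixed VNet prefix bits, which must stay unchanged. Only the bits between the VNet prefix length and the gateway subnet prefix length are set to 1. Keep "variable", or spell out which bits are meant.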
@@ -144,7 +144,7 @@ print(gwAddrPref)
## PowerShell command block
-Fill in the values and run the resulting command block in a PowerShell window or in the PowerShell ISE.
+Fill in the values and run the resulting command block in a PowerShell window or in the PowerShell Integrated Script Environment (ISE).
```powershell # Specify the values of w.x.y.z/n for your VNet address space and g, the prefix length of your gateway subnet:
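Review bot: The expansion added here, "PowerShell Integrated Script Environment (ISE)", is not the product name. ISE stands for Integrated Scripting Environment, so the added text should read "PowerShell Integrated Scripting Environment (ISE)".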
@@ -174,5 +174,4 @@ Write-Host "Your gateway address prefix is: " $dx
## Related topics
-[Manage Microsoft 365 with PowerShell](manage-microsoft-365-with-microsoft-365-powershell.md)
-
+[Manage Microsoft 365 with PowerShell](manage-microsoft-365-with-microsoft-365-powershell.md)
\ No newline at end of file
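Review bot: This hunk's only effect is to remove the blank line and the final newline after the "Manage Microsoft 365 with PowerShell" link, as the "\ No newline at end of file" marker shows. Keep a single trailing newline at the end of the file so later edits to the last line do not produce a spurious diff on it.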
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication.md
@@ -35,11 +35,11 @@ Before we begin, I call:
- Exchange Online \> EXO
-Also, *if a graphic in this article has an object that's 'grayed-out' or 'dimmed' that means the element shown in gray is not included in HMA-specific configuration* .
+Also, *if a graphic in this article has an object that's 'grayed-out' or 'dimmed' that means the element shown in gray is not included in HMA-specific configuration*.
## Enabling Hybrid Modern Authentication
-Turning HMA on means:
+Turning on HMA means:
1. Being sure you meet the prereqs before you begin.
@@ -80,15 +80,15 @@ Ensure the URLs clients may connect to are listed as HTTPS service principal nam
**Note** You need to use the _Connect-MsolService_ option from this page to be able to use the command below.
-2. For your Exchange related URLs, type the following command:
+2. For your Exchange-related URLs, type the following command:
```powershell Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 | select -ExpandProperty ServicePrincipalNames ```
- Take note of (and screenshot for later comparison) the output of this command, which should include an https:// *autodiscover.yourdomain.com* and https:// *mail.yourdomain.com* URL, but mostly consist of SPNs that begin with 00000002-0000-0ff1-ce00-000000000000/. If there are https:// URLs from your on-premises that are missing we will need to add those specific records to this list.
+ Take note of (and screenshot for later comparison) the output of this command, which should include an https:// *autodiscover.yourdomain.com* and https:// *mail.yourdomain.com* URL, but mostly consist of SPNs that begin with 00000002-0000-0ff1-ce00-000000000000/. If there are https:// URLs from your on-premises that are missing, we will need to add those specific records to this list.
-3. If you don't see your internal and external MAPI/HTTP, EWS, ActiveSync, OAB and Autodiscover records in this list, you must add them using the command below (the example URLs are '`mail.corp.contoso.com`' and '`owa.contoso.com`', but you'd **replace the example URLs with your own** ):
+3. If you don't see your internal and external MAPI/HTTP, EWS, ActiveSync, OAB, and Autodiscover records in this list, you must add them using the command below (the example URLs are '`mail.corp.contoso.com`' and '`owa.contoso.com`', but you'd **replace the example URLs with your own**):
```powershell $x= Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000
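Review bot: In the edited "Take note of" sentence, the example URLs are still written as "https:// *autodiscover.yourdomain.com*" and "https:// *mail.yourdomain.com*", with a space between the scheme and the host. Since these are the values the reader compares against the SPN list, format them as complete URLs in code style, the way step 3 formats `mail.corp.contoso.com`. The phrase "from your on-premises" in the same sentence is also missing a noun (for example, "from your on-premises environment").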
@@ -97,7 +97,7 @@ Ensure the URLs clients may connect to are listed as HTTPS service principal nam
Set-MSOLServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $x.ServicePrincipalNames ```
-4. Verify your new records were added by running the Get-MsolServicePrincipal command from step 2 again, and looking through the output. Compare the list / screenshot from before to the new list of SPNs (you may also screenshot the new list for your records). If you were successful, you will see the two new URLs in the list. Going by our example, the list of SPNs will now include the specific URLs `https://mail.corp.contoso.com` and `https://owa.contoso.com`.
+4. Verify your new records were added by running the Get-MsolServicePrincipal command from step 2 again, and looking through the output. Compare the list / screenshot from before to the new list of SPNs. You might also take a screenshot of the new list for your records. If you were successful, you will see the two new URLs in the list. Going by our example, the list of SPNs will now include the specific URLs `https://mail.corp.contoso.com` and `https://owa.contoso.com`.
## Verify Virtual Directories are Properly Configured
@@ -123,7 +123,7 @@ InternalAuthenticationMethods : {Ntlm, OAuth, Negotiate}
ExternalAuthenticationMethods : {Ntlm, OAuth, Negotiate} ```
-If OAuth is missing from any server and any of the four virtual directories then you need to add it using the relevant commands before proceeding ([Set-MapiVirtualDirectory](https://docs.microsoft.com/powershell/module/exchange/set-mapivirtualdirectory), [Set-WebServicesVirtualDirectory](https://docs.microsoft.com/powershell/module/exchange/set-webservicesvirtualdirectory), [Set-OABVirtualDirectory](https://docs.microsoft.com/powershell/module/exchange/set-oabvirtualdirectory), and [Set-AutodiscoverVirtualDirectory](https://docs.microsoft.com/powershell/module/exchange/set-autodiscovervirtualdirectory)).
+If OAuth is missing from any server and any of the four virtual directories, you need to add it using the relevant commands before proceeding ([Set-MapiVirtualDirectory](https://docs.microsoft.com/powershell/module/exchange/set-mapivirtualdirectory), [Set-WebServicesVirtualDirectory](https://docs.microsoft.com/powershell/module/exchange/set-webservicesvirtualdirectory), [Set-OABVirtualDirectory](https://docs.microsoft.com/powershell/module/exchange/set-oabvirtualdirectory), and [Set-AutodiscoverVirtualDirectory](https://docs.microsoft.com/powershell/module/exchange/set-autodiscovervirtualdirectory)).
## Confirm the EvoSTS Auth Server Object is Present
@@ -148,15 +148,15 @@ Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
## Verify
-Once you enable HMA, a client's next login will use the new auth flow. Note that just turning on HMA won't trigger a re-authentication for any client. The clients re-authenticate based on the lifetime of the auth tokens and/or certs they have.
+Once you enable HMA, a client's next login will use the new auth flow. Note that just turning on HMA won't trigger a reauthentication for any client. The clients reauthenticate based on the lifetime of the auth tokens and/or certs they have.
-You should also hold down the CTRL key at the same time you right click the icon for the Outlook client (also in the Windows Notifications tray) and click 'Connection Status'. Look for the client's SMTP address against an 'Authn' type of 'Bearer\*', which represents the bearer token used in OAuth.
+You should also hold down the CTRL key at the same time you right-click the icon for the Outlook client (also in the Windows Notifications tray) and click 'Connection Status'. Look for the client's SMTP address against an 'Authn' type of 'Bearer\*', which represents the bearer token used in OAuth.
**Note** Need to configure Skype for Business with HMA? You'll need two articles: One that lists [supported topologies](https://docs.microsoft.com/skypeforbusiness/plan-your-deployment/modern-authentication/topologies-supported), and one that shows you [how to do the configuration](configure-skype-for-business-for-hybrid-modern-authentication.md). ## Using hybrid Modern Authentication with Outlook for iOS and Android
-If you are an on-premises customer using Exchange server on TCP 443, please whitelist the following IP ranges:
+If you are an on-premises customer using Exchange server on TCP 443, bypass traffic processing for the following IP ranges:
```text 52.125.128.0/20
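Review bot: Replacing "please whitelist the following IP ranges" with "bypass traffic processing for the following IP ranges" changes the instruction, not just the term. The old wording told the reader to permit these ranges to reach Exchange on TCP 443. The new wording does not say the traffic must be allowed, and it does not name the device or direction the bypass applies to. A wording such as "allow connections from the following IP ranges" keeps the original meaning without the deprecated term.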
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/data-move-faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/data-move-faq.md
@@ -3,7 +3,6 @@ title: "Data move general FAQ"
ms.author: josephd author: JoeDavies-MSFT manager: laurawi
-ms.date: 06/17/2020
audience: ITPro ms.topic: article ms.service: o365-administration
@@ -23,7 +22,7 @@ Here are answers to general questions about moving core customer data at rest to
## What customers are eligible to request a move?
-Existing Microsoft 365 commercial customers who selected a country eligible for the new datacenter geo will be able to request a move. The program exists only for tenants with an eligible country code assigned to the Microsoft 365 tenant to migrate core customer data at rest for eligible workloads to the corresponding Microsoft 365 datacenter geo. Please refer to the [How to request your data move](request-your-data-move.md) page to confirm country eligibility. 
+Existing Microsoft 365 commercial customers who selected a country eligible for the new datacenter geo will be able to request a move. The program exists only for tenants with an eligible country code assigned to the Microsoft 365 tenant to migrate core customer data at rest for eligible workloads to the corresponding Microsoft 365 datacenter geo. Please refer to the [How to request your data move](request-your-data-move.md) page to confirm country eligibility. 
## How do we define Core Customer Data?  
@@ -34,21 +33,21 @@ Core customer data is a term that refers to a subset of customer data defined in
## What is in scope for Teams migration?
-In addition to Exchange Online, SharePoint Online, and OneDrive for Business; Microsoft will migrate Teams data to the local datacenter.
+In addition to Exchange Online, SharePoint Online, and OneDrive for Business; Microsoft will migrate Teams data to the local datacenter.
- Teams chat messages, including private messages and channel messages. - Teams images used in chats.
-Teams files are stored in SharePoint Online and Teams chat files are stored in OneDrive for Business. Voicemail, calendar, and contacts are stored in Exchange Online. In many cases, Exchange Online, SharePoint Online and OneDrive for Business are already used by the customer in the local datacenter geo and are also part of the Microsoft 365 migration program for eligible customer countries.
+Teams files are stored in SharePoint Online and Teams chat files are stored in OneDrive for Business. Voicemail, calendar, and contacts are stored in Exchange Online. In many cases, Exchange Online, SharePoint Online, and OneDrive for Business are already used by the customer in the local datacenter geo and are also part of the Microsoft 365 migration program for eligible customer countries.
## At what point is my migration complete so that my tenant's core customer data is being stored at rest in my new geo? Due to shared dependencies between Exchange Online and SharePoint Online/OneDrive for Business, any migration cannot be considered
-completed until both services are migrated. Exchange Online and SharePoint Online/OneDrive for Business often migrate at separate times and independently from one another. Customer tenant admins receive confirmation in Message Center when each service migration is completed and can view the data location card in the Admin Center at any time to confirm the core customer data at rest location for
+completed until both services are migrated. Exchange Online and SharePoint Online/OneDrive for Business often migrate at separate times and independently from one another. Customer tenant admins receive confirmation in Message Center when each service migration is completed and can view the data location card in the Admin Center at any time to confirm the core customer data at rest location for
each service. ## How do you make sure my customer data is safe during the move and that I won't experience downtime?
-Data moves are a back-end service operation with minimal impact to end-users. Features that can be impacted are listed in [During and after your data move](during-and-after-your-data-move.md). We adhere to the [Microsoft Online Services Service Level Agreement (SLA)](https://go.microsoft.com/fwlink/p/?LinkId=523897) for availability so there is nothing that customers need to prepare for or to monitor during the move.
+Data moves are a back-end service operation with minimal impact to end users. Features that can be impacted are listed in [During and after your data move](during-and-after-your-data-move.md). We adhere to the [Microsoft Online Services Service Level Agreement (SLA)](https://go.microsoft.com/fwlink/p/?LinkId=523897) for availability so there is nothing that customers need to prepare for or to monitor during the move.
All Microsoft 365 services run the same versions in the datacenters, so you can be assured of consistent functionality. Your service is fully supported throughout the process.
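Review bot: The rewritten line under "What is in scope for Teams migration?" keeps the semicolon in "In addition to Exchange Online, SharePoint Online, and OneDrive for Business; Microsoft will migrate Teams data". An introductory phrase takes a comma there, not a semicolon. The other changes in this hunk (serial comma, "end users") are fine.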
@@ -60,7 +59,7 @@ Some of the Microsoft 365 services may be located in different geos for some exi
Customer tenant admins can view the data location card in the Admin Center at any time to confirm the core customer data at rest location for each service, specifically for their tenant.  We also publish the location of datacenter geos, datacenters, and location of Office
-365 customer data on the [Microsoft 365 interactive datacenter maps ](https://office.com/datamaps) as a reference for the current default core customer data at rest locations for new tenants. You can verify the location of your customer data at rest via the Data Location section under your Organization Profile in the Microsoft 365 Admin Center.  
+365 customer data on the [Microsoft 365 interactive datacenter maps ](https://office.com/datamaps) as a reference for the current default core customer data at rest locations for new tenants. You can verify the location of your customer data at rest via the Data Location section under your Organization Profile in the Microsoft 365 admin center.  
## When will I be able to request a move?
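Review bot: The casing fix to "Microsoft 365 admin center" is applied only to the last sentence. The unchanged first sentence of the same paragraph still says "the data location card in the Admin Center", so the paragraph now uses both forms. Lowercase that one too, and remove the stray space inside the link text "[Microsoft 365 interactive datacenter maps ]" while editing this line.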
@@ -80,7 +79,7 @@ We cannot accept requests for migration after the open enrollment period.
## What if I want to move my data in order to get better network performance?
-Physical proximity to a Microsoft 365 datacenter is not a guarantee for a better networking performance. There are many factors and components that affect the network performance between the end-user and the Microsoft 365 service. For more information about this and performance tuning see [Network planning and performance tuning for Microsoft 365](network-planning-and-performance.md).
+Physical proximity to a Microsoft 365 datacenter is not a guarantee for a better networking performance. There are many factors and components that affect the network performance between the end user and the Microsoft 365 service. For more information about this and performance tuning, see [Network planning and performance tuning for Microsoft 365](network-planning-and-performance.md).
## Do all the services move their data on the same day?
@@ -90,9 +89,9 @@ Each service moves independently and will likely move their data at different ti
Customers are not able to select a specific date, they cannot delay their move, and we cannot share a specific date or timeframe for the moves.
- ## Can you share when my data will be be moved?
+ ## Can you share when my data will be moved?
-Data moves are a back-end operation with minimal impact to end-users. The complexity, precision and scale at which we need to perform data moves within a globally operated and automated environment prohibit us from sharing when a data move is expected to complete for your tenant or any other single tenant. Customers will receive one confirmation in Message Center per participating service when its data move has completed.
+Data moves are a back-end operation with minimal impact to end users. The complexity, precision, and scale at which we need to perform data moves within a globally operated and automated environment prohibit us from sharing when a data move is expected to complete for your tenant or any other single tenant. Customers will receive one confirmation in Message Center per participating service when its data move has completed.
## What happens if users access services while the data is being moved?
@@ -100,7 +99,7 @@ See [During and after your data move](during-and-after-your-data-move.md) for a
## How do I know the move is complete?
-Watch the Microsoft 365 Message Center for confirmation that the move of each service's data is complete. When each service's data is moved, we'll post a completion notice so you'll get three completion notices: one each for Exchange Online, SharePoint Online, and Skype for Business Online. You can also verify the location of your customer data at rest via the Data Location section under your Organization Profile in the Microsoft 365 Admin Center.  
+Watch the Microsoft 365 Message Center for confirmation that the move of each service's data is complete. When each service's data is moved, we'll post a completion notice so you'll get three completion notices: one each for Exchange Online, SharePoint Online, and Skype for Business Online. You can also verify the location of your customer data at rest via the Data Location section under your Organization Profile in the Microsoft 365 admin center.  
## I am a Microsoft 365 customer in one of the new datacenter geos, but when I signed up, I selected a different country. How can I be moved to the new datacenter geo?
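Review bot: The edited sentence still promises "three completion notices: one each for Exchange Online, SharePoint Online, and Skype for Business Online", while the "What is in scope for Teams migration?" section of this same file says Teams data is migrated. Confirm whether the list and the count are still current. If Teams now sends its own notice, update both in this change rather than only the "admin center" casing.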
@@ -108,7 +107,7 @@ It is not possible to change the signup country associated with your tenant. Ins
## What happens if we are in process of email data migration to Microsoft 365 during the Exchange Online move?
-This is a very common scenario and is fully supported. Cloud migration between datacenter geos does not interfere with any on-premises to cloud mailbox migrations.
+This is a very common scenario and is fully supported. Cloud migration between datacenter geos does not interfere with any on-premises to cloud mailbox migrations.
## Can I pilot some users?
@@ -122,7 +121,7 @@ If you create a new tenant after the new datacenter geo is available, the new te
## My customer data has already been moved to a new datacenter geo. Can I move back?
-No, this is not possible. Customers who have been moved to new geo datacenters cannot be moved back. As a customer in any geo, you will experience the same quality of service, performance, and security controls as you did before. [Microsoft 365 Multi Geo](https://aka.ms/multi-geo) is available to some customers as an add-on and lets a single tenant create multiple satellite geos and move user data to those geos with data residency commitments.
+No, this is not possible. Customers who have been moved to new geo datacenters cannot be moved back. As a customer in any geo, you will experience the same quality of service, performance, and security controls as you did before. [Microsoft 365 Multi Geo](https://aka.ms/multi-geo) is available to some customers as an add-on and lets a single tenant create multiple satellite geos and move user data to those geos with data residency commitments.
## Will Microsoft 365 tenants hosted in the new datacenters be available to users outside of the country?
@@ -132,9 +131,9 @@ Yes. Microsoft maintains a large global network with public Internet connections
Yes, your tenant is eligible to enroll but there are significant considerations as tenant-level move is not fully supported for customers that have configured Multi-Geo.
-SharePoint Online and OneDrive for Business cannot migrate to the new datacenter geo at the tenant level through this program. The customer administrator can configure OneDrive for Business shares to move to any available region using Multi-Geo, but the default location for the tenant cannot be changed once Multi-Geo has been configured for a tenant.
+SharePoint Online and OneDrive for Business cannot migrate to the new datacenter geo at the tenant level through this program. The customer administrator can configure OneDrive for Business shares to move to any available region using Multi-Geo, but the default location for the tenant cannot be changed once Multi-Geo has been configured for a tenant.
-For customers that opt-in for migration - we will move all Exchange Online mailboxes from your current default geo to your new local datacenter geo and update the default Exchange Online region. We will not move any EXO mailboxes configured in Multi Geo satellite regions to continue to respect satellite region data residency as youΓÇÖve intended.
+For customers that opt-in for migration - we will move all Exchange Online mailboxes from your current default geo to your new local datacenter geo and update the default Exchange Online region. We will not move any EXO mailboxes configured in Multi Geo satellite regions to continue to respect satellite region data residency as youΓÇÖve intended.
## Related topics
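Review bot: The line beginning "For customers that opt-in for migration - we will move" was touched only for whitespace, but it still has three problems. "opt-in" is used as a verb and should be "opt in", the hyphen after "migration" should be a comma, and "youΓÇÖve" contains a mis-encoded apostrophe. Fix these in the same edit.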
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/managing-office-365-endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/managing-office-365-endpoints.md
@@ -3,7 +3,6 @@ title: "Managing Office 365 endpoints"
ms.author: josephd author: JoeDavies-MSFT manager: laurawi
-ms.date: 1/24/2020
audience: ITPro ms.topic: conceptual ms.service: o365-administration
@@ -23,19 +22,19 @@ description: Learn how to manage Office 365 endpoints so that they work with you
# Managing Office 365 endpoints
-Most enterprise organizations that have multiple office locations and a connecting WAN will need configuration for Office 365 network connectivity. You can optimize your network by sending all trusted Office 365 network requests directly through your firewall, bypassing all additional packet level inspection or processing. This reduces latency and your perimeter capacity requirements. Identifying Office 365 network traffic is the first step in providing optimal performance for your users. For more information about Office 365 network connectivity, see [Office 365 Network Connectivity Principles](microsoft-365-network-connectivity-principles.md).
+Most enterprise organizations that have multiple office locations and a connecting WAN will need configuration for Office 365 network connectivity. You can optimize your network by sending all trusted Office 365 network requests directly through your firewall, bypassing all additional packet level inspection or processing. This reduces latency and your perimeter capacity requirements. Identifying Office 365 network traffic is the first step in providing optimal performance for your users. For more information, see [Office 365 Network Connectivity Principles](microsoft-365-network-connectivity-principles.md).
-Microsoft recommends you access the Office 365 network endpoints and changes to them using the [Office 365 IP Address and URL Web Service](microsoft-365-ip-web-service.md).
+Microsoft recommends you access the Office 365 network endpoints and ongoing changes to them using the [Office 365 IP Address and URL Web Service](microsoft-365-ip-web-service.md).
Regardless of how you manage vital Office 365 network traffic, Office 365 requires Internet connectivity. Other network endpoints where connectivity is required are listed at [Additional endpoints not included in the Office 365 IP Address and URL Web service](additional-office365-ip-addresses-and-urls.md).
-How you use the Office 365 network endpoints will depend on your enterprise organization network architecture. This article outlines several ways that enterprise network architectures can integrate with Office 365 IP addresses and URLs. The easiest way to choose which network requests to trust is to use SDWAN devices that support automated Office 365 configuration at each of your office locations.
+How you use the Office 365 network endpoints will depend on your enterprise organization network architecture. This article outlines several ways that enterprise network architectures can integrate with Office 365 IP addresses and URLs. The easiest way to choose which network requests to trust is to use SD-WAN devices that support automated Office 365 configuration at each of your office locations.
-## SDWAN for local branch egress of vital Office 365 network traffic
+## SD-WAN for local branch egress of vital Office 365 network traffic
-At each branch office location, you can provide an SDWAN device that is configured to route traffic for Office 365 Optimize category of endpoints, or Optimize and Allow categories, directly to Microsoft's network. Other network traffic including on-premises datacenter traffic, general Internet web sites traffic, and traffic to Office 365 Default category endpoints is sent to another location where you have a more substantial network perimeter.
+At each branch office location, you can provide an SD-WAN device that is configured to route traffic for Office 365 Optimize category of endpoints, or Optimize and Allow categories, directly to Microsoft's network. Other network traffic including on-premises datacenter traffic, general Internet web sites traffic, and traffic to Office 365 Default category endpoints is sent to another location where you have a more substantial network perimeter.
-Microsoft is working with SDWAN providers to enable automated configuration. For more information, see [Office 365 Networking Partner Program](microsoft-365-networking-partner-program.md).
+Microsoft is working with SD-WAN providers to enable automated configuration. For more information, see [Office 365 Networking Partner Program](microsoft-365-networking-partner-program.md).
<a name="pacfiles"> </a> ## Use a PAC file for direct routing of vital Office 365 traffic
@@ -67,12 +66,12 @@ Here's a simple example of calling the PowerShell script:
Get-PacFile -ClientRequestId b10c5ed1-bad1-445f-b386-b919946339a7 ```
-There are a number of parameters you can pass to the script:
+There are many parameters you can pass to the script:
| Parameter | Description | |:-----|:-----| |**ClientRequestId** <br/> |This is required and is a GUID passed to the web service that represents the client machine making the call. <br/> |
-|**Instance** <br/> |The Office 365 service instance which defaults to Worldwide. Also passed to the web service. <br/> |
+|**Instance** <br/> |The Office 365 service instance, which defaults to Worldwide. This is also passed to the web service. <br/> |
|**TenantName** <br/> |Your Office 365 tenant name. Passed to the web service and used as a replaceable parameter in some Office 365 URLs. <br/> | |**Type** <br/> |The type of the proxy PAC file that you want to generate. <br/> |
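Review bot: the rewritten **Instance** row is now two full sentences ("This is also passed to the web service."), but the **TenantName** row directly below still uses the fragment "Passed to the web service and used as a replaceable parameter", so the table mixes two styles. Suggest giving the TenantName row the same treatment in this change. Separately, "many parameters" reads stronger than the original "a number of"; the rows visible in this hunk show four, so "several" would be closer.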
@@ -86,7 +85,7 @@ Get-PacFile -Type 2 -Instance Worldwide -TenantName Contoso -ClientRequestId b10
Where PAC files are not used for direct outbound traffic, you still want to bypass processing on your network perimeter by configuring your proxy server. Some proxy server vendors have enabled automated configuration of this as described in the [Office 365 Networking Partner Program](microsoft-365-networking-partner-program.md).
-If you are doing this manually you will need to get the Optimize and Allow endpoint category data from the Office 365 IP Address and URL Web Service and configure your proxy server to bypass processing for these. It is important to avoid SSL Break and Inspect and Proxy Authentication for the Optimize and Allow category endpoints.
+If you are doing this manually, you will need to get the Optimize and Allow endpoint category data from the Office 365 IP Address and URL Web Service and configure your proxy server to bypass processing for these. It is important to avoid SSL Break and Inspect and Proxy Authentication for the Optimize and Allow category endpoints.
<a name="bkmk_changes"> </a> ## Change management for Office 365 IP addresses and URLs
@@ -116,7 +115,7 @@ For information about a Microsoft Flow sample and template, see [Use Microsoft F
<a name="FAQ"> </a> ## Office 365 network endpoints FAQ
-Frequently-asked administrator questions about Office 365 connectivity:
+See these frequently asked questions about Office 365 network connectivity.
### How do I submit a question?
@@ -142,12 +141,12 @@ See an IP associated with Office 365 that you want more information on?
1. Check if the IP address is included in a larger published range using a CIDR calculator, such as these for [IPv4](https://www.ipaddressguide.com/cidr) or [IPv6](https://www.ipaddressguide.com/ipv6-cidr). For example, 40.96.0.0/13 includes the IP Address 40.103.0.1 despite 40.96 not matching 40.103. 2. See if a partner owns the IP with a [whois query](https://dnsquery.org/). If it's Microsoft owned, it may be an internal partner. Many partner network endpoints are listed as belonging to the _default_ category, for which IP addresses are not published. 3. The IP address may not be part of Office 365 or a dependency. Office 365 network endpoint publishing does not include all of Microsoft network endpoints.
-4. Check the certificate, in a browser connect to the IP address using *HTTPS://\<IP_ADDRESS\>* , check the domains listed on the certificate to understand what domains are associated with the IP address. If it's a Microsoft owned IP address and not on the list of Office 365 IP addresses, it's likely the IP address is associated with a Microsoft CDN such as *MSOCDN.NET* or another Microsoft domain without published IP information. If you do find the domain on the certificate is one where we claim to list the IP address, please let us know.
+4. Check the certificate. With a browser, connect to the IP address using *HTTPS://\<IP_ADDRESS\>* and check the domains listed on the certificate to understand what domains are associated with the IP address. If it's a Microsoft-owned IP address and not on the list of Office 365 IP addresses, it's likely the IP address is associated with a Microsoft CDN such as *MSOCDN.NET* or another Microsoft domain without published IP information. If you do find the domain on the certificate is one where we claim to list the IP address, please let us know.
<a name="bkmk_cname"> </a> ### Some Office 365 URLs point to CNAME records instead of A records in the DNS. What do I have to do with the CNAME records?
-Client computers need a DNS A or AAAA record that includes one or more IP Address(s) to connect to a cloud service. Some URLs included in Office 365 show CNAME records instead of A or AAAA records. These CNAME records are intermediary and there may be several in a chain. They will always eventually resolve to an A or AAAA record for an IP Address. For example, consider the following series of DNS records, which ultimately resolves to the IP address _IP_1_:
+Client computers need a DNS A or AAAA record t)hat includes one or more IP address(es) to connect to a cloud service. Some URLs included in Office 365 show CNAME records instead of A or AAAA records. These CNAME records are intermediary and there may be several in a chain. They will always eventually resolve to an A or AAAA record for an IP Address. For example, consider the following series of DNS records, which ultimately resolves to the IP address _IP_1_:
```console serviceA.office.com -> CNAME: serviceA.domainA.com -> CNAME: serviceA.domainB.com -> A: IP_1
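Review bot: the + line for the CNAME answer introduces a typo, "record t)hat includes", that was not in the removed line; it should read "record that includes". The same sentence now has "IP address(es)" in lowercase while "IP Address" stays capitalized two sentences later ("an A or AAAA record for an IP Address"), so pick one casing across the paragraph.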
@@ -155,18 +154,18 @@ serviceA.office.com -> CNAME: serviceA.domainA.com -> CNAME: serviceA.domainB.co
These CNAME redirects are a normal part of the DNS and are transparent to the client computer and transparent to proxy servers. They are used for load balancing, content delivery networks, high availability, and service incident mitigation. Microsoft does not publish the intermediary CNAME records, they are subject to change at any time, and you should not need to configure them as allowed in your proxy server.
-A proxy server validates the initial URL which in the above example is serviceA.office.com and this URL would be included in Office 365 publishing. The proxy server requests DNS resolution of that URL to an IP Address and will receive back IP_1. It does not validate the intermediary CNAME redirection records.
+A proxy server validates the initial URL, which in the above example is serviceA.office.com, and this URL would be included in Office 365 publishing. The proxy server requests DNS resolution of that URL to an IP Address and will receive back IP_1. It does not validate the intermediary CNAME redirection records.
-Hard-coded configurations or whitelisting based on indirect Office 365 FQDNs is not recommended, not supported by Microsoft, and is known to cause customer connectivity issues. DNS solutions that block on CNAME redirection, or that otherwise incorrectly resolve Office 365 DNS entries, can be solved via DNS conditional forwarding (scoped to directly used Office 365 FQDNs) with DNS recursion enabled. Many third party network perimeter products natively integrate recommended Office 365 endpoint whitelisting in their configuration using the [Office 365 IP Address and URL Web service](microsoft-365-ip-web-service.md).
+Hard-coded configurations or allowing traffic based on indirect Office 365 FQDNs is not recommended, not supported by Microsoft, and is known to cause customer connectivity issues. DNS solutions that block on CNAME redirection, or that otherwise incorrectly resolve Office 365 DNS entries, can be solved via DNS conditional forwarding (scoped to directly used Office 365 FQDNs) with DNS recursion enabled. Many third-party network perimeter products natively integrate recommended Office 365 endpoint traffic bypass in their configuration using the [Office 365 IP Address and URL Web service](microsoft-365-ip-web-service.md).
<a name="bkmk_akamai"> </a> ### Why do I see names such as nsatc.net or akadns.net in the Microsoft domain names?
-Office 365 and other Microsoft services use several third-party services such as Akamai and MarkMonitor to improve your Office 365 experience. To keep giving you the best experience possible, we may change these services in the future. Third party domains may host content, such as a CDN, or they may host a service, such as a geographical traffic management service. Some of the services currently in use include:
+Office 365 and other Microsoft services use several third-party services such as Akamai and MarkMonitor to improve your Office 365 experience. To keep giving you the best experience possible, we may change these services in the future. Third-party domains may host content, such as a CDN, or they may host a service, such as a geographical traffic management service. Some of the services currently in use include:
-[MarkMonitor](https://www.markmonitor.com/) is in use when you see requests that include *\*.nsatc.net* . This service provides domain name protection and monitoring to protect against malicious behavior.
+[MarkMonitor](https://www.markmonitor.com/) is in use when you see requests that include *\*.nsatc.net*. This service provides domain name protection and monitoring to protect against malicious behavior.
-[ExactTarget](https://www.marketingcloud.com/) is in use when you see requests to *\*.exacttarget.com* . This service provides email link management and monitoring against malicious behavior.
+[ExactTarget](https://www.marketingcloud.com/) is in use when you see requests to *\*.exacttarget.com*. This service provides email link management and monitoring against malicious behavior.
[Akamai](https://www.akamai.com/) is in use when you see requests that include one of the following FQDNs. This service offers geo-DNS and content delivery network services.
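Review bot: in the + line of the "Hard-coded configurations" paragraph, "endpoint whitelisting" became "endpoint traffic bypass", which changes the meaning rather than only the term. Allowing an endpoint through a perimeter product is not the same as bypassing its processing, and the first sentence of the same paragraph replaces the same word with "allowing traffic". Suggest one consistent replacement in both places, for example "allowing traffic based on" and "endpoint allow lists", and keep "bypass" for the proxy section where bypassing processing is what is meant.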
@@ -187,7 +186,7 @@ Office 365 and other Microsoft services use several third-party services such as
As Office 365 is a suite of services built to function over the internet, the reliability and availability promises are based on many standard internet services being available. For example, standard internet services such as DNS, CRL, and CDNs must be reachable to use Office 365 just as they must be reachable to use most modern internet services.
-The Office 365 suite is broken down into major service areas. These can be selectively enabled for connectivity and there is a Common area which is a dependency for all and is always required.
+The Office 365 suite is broken down into major service areas. These can be selectively enabled for connectivity and there is a Common area, which is a dependency for all and is always required.
| Service Area | Description | |:-----|:-----|
@@ -196,9 +195,9 @@ The Office 365 suite is broken down into major service areas. These can be selec
|**Skype for Business Online and Microsoft Teams** <br/> |Skype for Business and Microsoft Teams <br/> | |**Common** <br/> |Office 365 Pro Plus, Office in a browser, Azure AD, and other common network endpoints <br/> |
-In addition to basic internet services, there are third-party services that are only used to integrate functionality. While these are needed for integration, they're marked as optional in the Office 365 endpoints article which means core functionality of the service will continue to function if the endpoint isn't accessible. Any network endpoint which is required will have the required attribute set to true. Any network endpoint which is optional will have the required attribute set to false and the notes attribute will detail the missing functionality you should expect if connectivity is blocked.
+In addition to basic internet services, there are third-party services that are only used to integrate functionality. While these are needed for integration, they're marked as optional in the Office 365 endpoints article, which means core functionality of the service will continue to function if the endpoint isn't accessible. Any network endpoint that is required will have the required attribute set to true. Any network endpoint that is optional will have the required attribute set to false and the notes attribute will detail the missing functionality you should expect if connectivity is blocked.
-If you're trying to use Office 365 and are finding third party services aren't accessible you'll want to [ensure all FQDNs marked required or optional in this article are allowed through the proxy and firewall](urls-and-ip-address-ranges.md).
+If you're trying to use Office 365 and are finding third-party services aren't accessible, you'll want to [ensure all FQDNs marked required or optional in this article are allowed through the proxy and firewall](urls-and-ip-address-ranges.md).
<a name="bkmk_consumer"> </a> ### How do I block access to Microsoft's consumer services?
@@ -210,9 +209,9 @@ Keep in mind that blocking access to the Microsoft consumer services alone won't
<a name="bkmk_IPOnlyFirewall"> </a> ### My firewall requires IP Addresses and cannot process URLs. How do I configure it for Office 365?
-Office 365 does not provide IP addresses of all required network endpoints. Some are provided as URLs only and are categorized as default. URLs in the default category which are required should be allowed through a proxy server. If you do not have a proxy server then look at how you have configured web requests for URLs that users type into the address bar of a web browser; the user doesnΓÇÖt provide an IP address either. The Office 365 default category URLs which do not provide IP addresses should be configured in the same way.
+Office 365 does not provide IP addresses of all required network endpoints. Some are provided as URLs only and are categorized as default. URLs in the default category that are required should be allowed through a proxy server. If you don't have a proxy server, look at how you have configured web requests for URLs that users type into the address bar of a web browser; the user doesnΓÇÖt provide an IP address either. The Office 365 default category URLs that do not provide IP addresses should be configured in the same way.
-## Related Topics
+## Related topics
[Office 365 IP Address and URL Web service](microsoft-365-ip-web-service.md)
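Review bot: the + line for the IP-only firewall answer still carries the mis-encoded apostrophe in "doesnΓÇÖt", copied unchanged from the removed line. Since this sentence is being edited anyway, replace it with a plain ASCII apostrophe ("doesn't"). The edit also mixes "If you don't have a proxy server" with "that do not provide IP addresses" in the same paragraph; use contractions consistently or not at all.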
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab.md
@@ -19,15 +19,15 @@ description: Learn about and where to access the Windows and Office Deployment L
# Windows and Office deployment lab kit
-These labs are designed to help you plan, test, and validate your deployment and management of desktops running Windows 10 Enterprise and Microsoft 365 Apps for enterprise. The labs cover using Microsoft Endpoint Configuration Manager, Desktop Analytics, Office Customization Tool, OneDrive, Windows Autopilot and more.
+The Windows and Office deployment lab kit is designed to help you plan, test, and validate your deployment and management of desktops running Windows 10 Enterprise and Microsoft 365 Apps for enterprise. The labs in the kit cover using Microsoft Endpoint Configuration Manager, Desktop Analytics, the Office Customization Tool, OneDrive, Windows Autopilot, and more.
-This kit is highly recommended for organizations preparing for Windows 8 upgrades, and also applies if you're currently using Windows 10, Microsoft 365 Apps for enterprise (formerly Office 365 ProPlus), or Office 2019. Additionally, as an isolated environment, the lab is ideal for exploring deployment tool updates and testing your deployment-related automation.
+This kit is highly recommended for organizations preparing for Windows 8.1 upgrades to Windows 10. It also applies if you're currently using Windows 10, Microsoft 365 Apps for enterprise (formerly Office 365 ProPlus), or Office 2019. As an isolated environment, the resulting lab is ideal for exploring deployment tool updates and testing your deployment-related automation.
[Download the Windows and Office Deployment Lab Kit](https://www.microsoft.com/evalcenter/evaluate-lab-kit). ## A complete lab environment
-The lab provides you with an automatically provisioned virtual lab environment, including domain-joined desktop clients, domain controller, Internet gateway and a fully configured Configuration Manager instance. The lab contains the latest evaluation versions of the following products:
+The kit provides you with an automatically provisioned virtual lab environment, including domain-joined desktop clients, a domain controller, an Internet gateway, and a fully configured Configuration Manager instance. The kit contains the latest evaluation versions of the following products:
- NEW! Windows 10 Enterprise, Version 20H2 - Windows 7 Enterprise
@@ -39,10 +39,10 @@ The lab provides you with an automatically provisioned virtual lab environment,
- Windows Server - Microsoft SQL Server
-PLUS, the lab is designed to be connected to trials for:
+The resulting lab is designed to be connected to trials for:
- Microsoft 365 E5
- - Office 365 Enterprise E5 with Enterprise Mobility + Security (EMS)
+ - Office 365 E5 with Enterprise Mobility + Security (EMS)
## Step-by-step labs
@@ -51,29 +51,33 @@ Detailed lab guides take you through multiple deployment and management scenario
### Plan and prepare infrastructure - Desktop Analytics - Cloud Management Gateway & Cloud Distribution Point -- Tenant attach, Co-management and switching workloads
+- Tenant attach, co-management, and switching workloads
- Remote access (VPN) ### Prepare configuration + - Optimize Windows 10 update delivery - Servicing Windows 10 using Group Policy - Servicing Windows 10 using Microsoft Intune - Servicing Windows 10 with Configuration Manager - Servicing Microsoft 365 Apps for enterprise using Configuration Manager - Servicing Microsoft 365 Apps for enterprise using Intune -- Security and Compliance
+- Security and compliance
### Prepare applications + - Readiness Toolkit for Office - MSIX Packaging and Conversion of Win32 applications ### Deploy Windows 10 + - OS Deployment task sequences in Configuration Manager-- OS Deployment task sequences in MDT
+- OS Deployment task sequences in the Microsoft Deployment Toolkit (MDT)
- Windows Autopilot - Deploy and manage the new Microsoft Edge ### Deploy Microsoft 365 Apps for enterprise + - Cloud managed deployment - Locally managed deployment - Microsoft 365 Apps for enterprise Deployment on Non-AD Joined Devices
@@ -83,13 +87,14 @@ Detailed lab guides take you through multiple deployment and management scenario
- Deploy Microsoft Teams ### Deploy Windows Virtual Desktop + - Prepare, deploy, optimize
-## Download the Windows and Office Deployment Lab Kit
+## Where to find the Windows and Office Deployment Lab Kit
[Download the Windows and Office Deployment Lab Kit](https://www.microsoft.com/evalcenter/evaluate-lab-kit).
-*Installed baseline version 2002 can be updated to Version 2010 using in-console update. Please use a broad bandwidth to download this content to enhance your downloading experience and allow 30-45 minutes for automatic provisioning. The lab environment requires a minimum of 16GB of available memory and 150GB of free disk space. For optimal performance, 32GB of available memory and 300GB of free space is recommended. The lab expires February 7, 2021. A new version will be published prior to expiration.
+* The installed baseline version 2002 can be updated to Version 2010 using and in-console update. Please use a broad bandwidth Internet connection to download this content and allow 30-45 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The kit expires February 7, 2021. A new version will be published prior to expiration.
## Additional guidance
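Review bot: the + line of the footnote introduces a typo, "using and in-console update"; it should be "using an in-console update". The leading marker also changed from "*Installed" to "* The installed", which Markdown will render as a one-item bullet list instead of a footnote asterisk. If a footnote is intended, drop the space or use a note block.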
@@ -97,20 +102,20 @@ Detailed lab guides take you through multiple deployment and management scenario
- [Microsoft Endpoint Configuration Manager OS Deployment](https://docs.microsoft.com/mem/configmgr/osd/understand/introduction-to-operating-system-deployment)
- - [<span class="underline">Plan for Windows 10 deployment</span>](https://docs.microsoft.com/windows/deployment/planning/index)
+ - [Plan for Windows 10 deployment](https://docs.microsoft.com/windows/deployment/planning/index)
- - [<span class="underline">Deployment guide for Microsoft 365 Apps</span>](https://docs.microsoft.com/deployoffice/deployment-guide-microsoft-365-apps)
+ - [Deployment guide for Microsoft 365 Apps](https://docs.microsoft.com/deployoffice/deployment-guide-microsoft-365-apps)
- - [<span class="underline">Getting Started with Intune</span>](https://docs.microsoft.com/intune/get-started-evaluation)
+ - [Getting Started with Intune](https://docs.microsoft.com/intune/get-started-evaluation)
## Related resources
- - [<span class="underline">Introducing Microsoft 365</span>](https://www.microsoft.com/microsoft-365/default.aspx)
+ - [Introducing Microsoft 365](https://www.microsoft.com/microsoft-365/default.aspx)
- - [<span class="underline">Office 365 for business</span>](https://products.office.com/business/office)
+ - [Office 365 for business](https://products.office.com/business/office)
- - [<span class="underline">Introducing Enterprise Mobility + Security</span>](https://www.microsoft.com/cloud-platform/enterprise-mobility-security)
+ - [Introducing Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security)
- - [<span class="underline">Windows 10 for enterprise</span>](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise)
+ - [Windows 10 for enterprise](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise)
- - [<span class="underline">Windows 10 for small and medium business</span>](https://www.microsoft.com/WindowsForBusiness/windows-for-small-business)
+ - [Windows 10 for small and medium business](https://www.microsoft.com/WindowsForBusiness/windows-for-small-business)
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/ms-cloud-germany-migration-opt-in https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-migration-opt-in.md
@@ -29,34 +29,35 @@ description: "Summary: "
## How to request migration
-Eligible customers with service provisioned in Microsoft Cloud Germany (Microsoft Cloud Deutschland) will see a page in the Microsoft 365 admin center that will allow a customer tenant administrator to opt-in for migration.
+If you are an eligible customer with your service provisioned in Microsoft Cloud Germany (Microsoft Cloud Deutschland) and you have signed in as a tenant (global) administrator, a page in the Microsoft 365 admin center allows you to opt-in for migration.
-To access the page in the Microsoft 365 admin center, in the navigation pane on the left, expand **Settings** and then click **Organization Profile**.
+To access the page, expand **Settings** in the navigation pane on the left, and then click **Organization Profile**.
On the **Organization Profile** page, scroll down to the **Migrate from Microsoft Cloud Germany (Microsoft Cloud Deutschland) to Office 365 services in the new German datacenter regions** section.
-If your organization wishes to migrate your service from Microsoft Cloud Germany (Microsoft Cloud Deutschland) to Office 365 services in the new German datacenter regions, click **Opt-in**.
+If you want to migrate your service from Microsoft Cloud Germany (Microsoft Cloud Deutschland) to Office 365 services in the new German datacenter regions, click **Opt-in**.
![Opt-in introduction](../media/ms-cloud-germany-migration-opt-in/tenant-migration.png)
-A new section will appear on the right side of your screen to accept your confirmation. Select the toggle button to **Yes**, and then click **Save**.
+A new section appears on the right side of your screen to accept your confirmation. Select **Yes**, and then click **Save**.
![Opt-in acceptance](../media/ms-cloud-germany-migration-opt-in/tenant-migration-new-regions.png)
-Once an administrator has opted-in on behalf of your tenant then all administrators will see the confirmation in **Migrate from Microsoft Cloud Germany (Microsoft Cloud Deutschland) to Office 365 services in the new German datacenter regions** section, including the date of opt-in. Administrators will also receive a confirmation in Message Center of the Microsoft 365 admin center.
+Once you have opted-in on behalf of your tenant, all administrators will see the confirmation in **Migrate from Microsoft Cloud Germany (Microsoft Cloud Deutschland) to Office 365 services in the new German datacenter regions** section, including the date of opt-in. Administrators will also receive a confirmation in the Message Center of the Microsoft 365 admin center.
![Opt-in confirmation](../media/ms-cloud-germany-migration-opt-in/tenant-migration2.png)
-## What happens after opting-in for migration?
+## What happens after opting in for migration?
-Migrations will begin in early 2021 for organizations that opt-in to the Microsoft-driven approach and will be complete before the Microsoft Cloud Germany (Microsoft Cloud Deutschland) retirement date on October 29, 2021. As a result of the migration, core customer data and subscriptions are moved to the new German regions. Microsoft will send updates throughout the migration process in Message Center. Please refer to articles referenced below to learn more.
+Migrations will begin in early 2021 for organizations that opt-in to the Microsoft-driven approach and will be complete before the Microsoft Cloud Germany (Microsoft Cloud Deutschland) retirement date on October 29, 2021. As a result of the migration, core customer data and subscriptions are moved to the new German regions. Microsoft will post updates throughout the migration process in the Message Center. See [these articles](#more-information) to learn more.
-## What happens if the customer tenant administrator does not opt-in for migration in Admin Center?
+## What happens if you do not opt-in for migration in Admin Center?
-The Online Services Terms have changed to include terms that will enable Microsoft to migrate your Microsoft 365, Dynamics 365 and Power BI data and subscriptions from Microsoft Cloud Deutschland to a new data center. These terms take effect on any Microsoft Cloud Germany (Microsoft Cloud Deutschland) subscription renewed since May 1, 2020. The customer tenant administrator will receive a notice in e-mail and Message Center advising that opt-in to migration will happen automatically opt in for a Microsoft-assisted migration. This notice will be sent at least 30 days prior to the automatic opt-in. After migration opt-in all communications and status updates are sent to customer tenant administrators in Message Center.
+The Online Services Terms have changed to include terms that will enable Microsoft to migrate your Microsoft 365, Dynamics 365, and Power BI data and subscriptions from Microsoft Cloud Deutschland to a new data center. These terms take effect on any Microsoft Cloud Germany (Microsoft Cloud Deutschland) subscription renewed since May 1, 2020.
-Customer and partner tenant administrators are encouraged to opt-in for migration in Admin Center so the migration process can begin as soon as possible.
+The customer tenant administrator will receive a notice in e-mail and the Message Center advising that opt-in to migration will happen automatically for a Microsoft-assisted migration. This notice will be sent at least 30 days prior to the automatic opt-in. After migration opt-in, all communications and status updates are sent to customer tenant administrators in the Message Center.
+Customer and partner tenant administrators are encouraged to opt-in for migration in the Microsoft 365 admin center so the migration process can begin as soon as possible.
## Next step
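Review bot: the heading fix to "What happens after opting in for migration?" is not carried through to the body, where the verb is still hyphenated in the + lines: "allows you to opt-in for migration", "Once you have opted-in", "organizations that opt-in", "if you do not opt-in", and "encouraged to opt-in". Suggest "opt in" and "opted in" for the verb and keeping "opt-in" only as a noun or modifier ("the date of opt-in", "automatic opt-in"). The new link "[these articles](#more-information)" also depends on a "More information" heading that is not visible in this hunk, so confirm the anchor exists.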
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization.md
@@ -21,31 +21,32 @@ search.appverid:
- MED150 - BCS160 ms.assetid: e7968303-c234-46c4-b8b0-b5c93c6d57a7
-description: "Learn what to do if you have a non-routale domain associated with your on-premises users before you synchronize with Microsoft 365."
+description: "Learn what to do if you have a non-routable domain associated with your on-premises user accounts before you synchronize them with your Microsoft 365 tenant."
--- # Prepare a non-routable domain for directory synchronization
-When you synchronize your on-premises directory with Microsoft 365 you have to have a verified domain in Azure Active Directory (Azure AD). Only the User Principal Names (UPN) that are associated with the on-premises domain are synchronized. However, any UPN that contains an non-routable domain, for example .local (like billa@contoso.local), will be synchronized to an .onmicrosoft.com domain (like billa@contoso.onmicrosoft.com).
-If you currently use a .local domain for your user accounts in Active Directory Domain Services (AD DS) it's recommended that you change them to use a verified domain (like billa@contoso.com) in order to properly sync with your Microsoft 365 domain.
+When you synchronize your on-premises directory with Microsoft 365, you have to have a verified domain in Azure Active Directory (Azure AD). Only the User Principal Names (UPNs) that are associated with the on-premises Active Directory Domain Services (AD DS) domain are synchronized. However, any UPN that contains a non-routable domain, such as ".local" (example: billa@contoso.local), will be synchronized to an .onmicrosoft.com domain (example: billa@contoso.onmicrosoft.com).
+
+If you currently use a ".local" domain for your user accounts in AD DS, it's recommended that you change them to use a verified domain, such as billa@contoso.com, in order to properly synchronize with your Microsoft 365 domain.
-## What if I only have a .local on-premises domain?
+## What if I only have a ".local" on-premises domain?
-The most recent tool you can use for synchronizing your AD DS to Azure AD is named Azure AD Connect. For more information, see [Integrating your on-premises identities with Azure AD](https://docs.microsoft.com/azure/architecture/reference-architectures/identity/azure-ad).
+You use Azure AD Connect for synchronizing your AD DS to the Azure AD tenant of your Microsoft 365 tenant. For more information, see [Integrating your on-premises identities with Azure AD](https://docs.microsoft.com/azure/architecture/reference-architectures/identity/azure-ad).
-Azure AD Connect synchronizes your users' UPN and password so that users can sign in with the same credentials they use on-premises. However, Azure AD Connect only synchronizes users to domains that are verified by Microsoft 365. This means that the domain also is verified by Azure AD because Microsoft 365 identities are managed by Azure AD. In other words, the domain has to be a valid Internet domain (for example, .com, .org, .net, .us, etc.). If your internal AD DS only uses a non-routable domain (for example, .local), this can't possibly match the verified domain you have on Microsoft 365. You can fix this issue by either changing your primary domain in your on premises AD DS, or by adding one or more UPN suffixes.
+Azure AD Connect synchronizes your users' UPN and password so that users can sign in with the same credentials they use on-premises. However, Azure AD Connect only synchronizes users to domains that are verified by Microsoft 365. This means that the domain also is verified by Azure AD because Microsoft 365 identities are managed by Azure AD. In other words, the domain has to be a valid Internet domain (such as, .com, .org, .net, .us). If your internal AD DS only uses a non-routable domain (for example, ".local"), this can't possibly match the verified domain you have for your Microsoft 365 tenant. You can fix this issue by either changing your primary domain in your on-premises AD DS, or by adding one or more UPN suffixes.
-### **Change your primary domain**
+### Change your primary domain
Change your primary domain to a domain you have verified in Microsoft 365, for example, contoso.com. Every user that has the domain contoso.local is then updated to contoso.com. This is a very involved process, however, and an easier solution is described in the following section.
-### **Add UPN suffixes and update your users to them**
+### Add UPN suffixes and update your users to them
-You can solve the .local problem by registering new UPN suffix or suffixes in AD DS to match the domain (or domains) you verified in Microsoft 365. After you register the new suffix, you update the user UPNs to replace the .local with the new domain name for example so that a user account looks like billa@contoso.com.
+You can solve the ".local" problem by registering new UPN suffix or suffixes in AD DS to match the domain (or domains) you verified in Microsoft 365. After you register the new suffix, you update the user UPNs to replace the ".local" with the new domain name, for example, so that a user account looks like billa@contoso.com.
After you have updated the UPNs to use the verified domain, you are ready to synchronize your on-premises AD DS with Microsoft 365.
- **Step 1: Add the new UPN suffix**
+#### Step 1: Add the new UPN suffix**
1. On the AD DS domain controller, in the Server Manager choose **Tools** \> **Active Directory Domains and Trusts**.
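Review bot: The new Step 1 heading, `#### Step 1: Add the new UPN suffix**`, still carries the closing `**` from the bold text it replaces, so the asterisks will render literally; drop them. In the same hunk, "(such as, .com, .org, .net, .us)" has a stray comma after "such as", and "with the new domain name, for example, so that a user account looks like billa@contoso.com" reads better as "with the new domain name, so that a user account looks like, for example, billa@contoso.com".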
@@ -55,7 +56,7 @@ After you have updated the UPNs to use the verified domain, you are ready to syn
![Choose Active Directory Domains and Trusts.](../media/46b6e007-9741-44af-8517-6f682e0ac974.png)
-2. On the **Active Directory Domains and Trusts** window, right-click **Active Directory Domains and Trusts**, and then choose **Properties**.
+2. In the **Active Directory Domains and Trusts** window, right-click **Active Directory Domains and Trusts**, and then choose **Properties**.
![Right-click Active Directory Domains and Trusts and choose Properties](../media/39d20812-ffb5-4ba9-8d7b-477377ac360d.png)
@@ -65,7 +66,7 @@ After you have updated the UPNs to use the verified domain, you are ready to syn
Choose **OK** when you're done adding suffixes.
- **Step 2: Change the UPN suffix for existing users**
+ #### Step 2: Change the UPN suffix for existing users
1. On the AD DS domain controller, in the Server Manager choose **Tools** \> **Active Directory Users and Computers**.
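Review bot: The Step 2 heading is added with a leading space before `####`, while the Step 1 heading in the earlier hunk starts at column one. Remove the indent so both step headings are written the same way.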
@@ -82,11 +83,11 @@ After you have updated the UPNs to use the verified domain, you are ready to syn
4. Complete these steps for every user.
-### **You can also use Windows PowerShell to change the UPN suffix for all users**
+### Use PowerShell to change the UPN suffix for all of your users
-If you have a lot of users to update, it is easier to use Windows PowerShell. The following example uses the cmdlets [Get-ADUser](https://go.microsoft.com/fwlink/p/?LinkId=624312) and [Set-ADUser](https://go.microsoft.com/fwlink/p/?LinkId=624313) to change all contoso.local suffixes to contoso.com.
+If you have a lot of user accounts to update, it's easier to use PowerShell. The following example uses the cmdlets [Get-ADUser](https://go.microsoft.com/fwlink/p/?LinkId=624312) and [Set-ADUser](https://go.microsoft.com/fwlink/p/?LinkId=624313) to change all contoso.local suffixes to contoso.com in AD DS.
-For example, you could run the following Windows PowerShell commands to update all contoso.local suffixes to contoso.com:
+For example, you could run the following PowerShell commands to update all contoso.local suffixes to contoso.com:
```powershell $LocalUsers = Get-ADUser -Filter "UserPrincipalName -like '*contoso.local'" -Properties userPrincipalName -ResultSetSize $null
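Review bot: The filter in the context line, `UserPrincipalName -like '*contoso.local'`, matches every UPN that ends in contoso.local, including accounts in a child domain such as user@sub.contoso.local, so the bulk update can rewrite more accounts than the text describes. Since this section is being reworded anyway, anchor the pattern on the at sign (`'*@contoso.local'`). The two added sentences before the code block also repeat each other ("change all contoso.local suffixes to contoso.com" and "update all contoso.local suffixes to contoso.com"); keep the first and cut the second down to a plain lead-in to the commands.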
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-aadsignineventsbeta-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-aadsignineventsbeta-table.md new file mode 100644
@@ -0,0 +1,110 @@
+---
+title: AADSignInEventsBeta table in the advanced hunting schema
+description: Learn about information associated with Azure Active Directory sign-in events table of the advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, file, IP address, device, machine, user, account, identity, AAD
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: microsoft-365-enterprise
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365initiative-m365-defender
+ms.topic: article
+---
+# AADSignInEventsBeta
+
+**Applies to:**
+
+- Microsoft 365 Defender
+
+>[!IMPORTANT]
+> The `AADSignInEventsBeta` table is currently in beta and is being offered on a short-term basis to allow you to hunt through Azure Active Directory (AAD) sign-in events. We will eventually move all sign-in schema information to the `IdentityLogonEvents` table.<br><br>
+> Customers who can access Microsoft 365 Defender through the Azure Security CenterΓÇÖs integrated Microsoft Defender for Endpoint solution, but do not have licenses for Microsoft Defender for Office, Microsoft Defender for Identity, or Microsoft Cloud App Security, will not be able to view this schema.
+
+ 
+
+The `AADSignInEventsBeta` table in the advanced hunting schema contains
+information about Azure Active Directory interactive and non-interactive
+sign-ins. Learn more about sign-ins in [Azure
+Active Directory sign-in activity reports -
+preview](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-all-sign-ins).
+
+Use this reference to construct queries that return information from the table.
+For information on other tables in the advanced hunting schema, see [the
+advanced hunting
+reference](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference).
+
+ 
+
+ 
+
+| Column name | Data type | Description |
+|---------------------------------|---------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `Timestamp` | datetime | Date and time when the record was generated |
+| `Application` | string | Application that performed the recorded action |
+| `ApplicationId` | string | Unique identifier for the application |
+| `LogonType` | string | Type of logon session, specifically interactive, remote interactive (RDP), network, batch, and service |
+| `ErrorCode` | int | Contains the error code if a sign-in error occurs. To find a description of a specific error code, visit <https://aka.ms/AADsigninsErrorCodes>. |
+| `CorrelationId` | string | Unique identifier of the sign-in event |
+| `SessionId` | string | Unique number assigned to a user by a website's server for the duration of the visit or session |
+| `AccountDisplayName` | string | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. |
+| `AccountObjectId` | string | Unique identifier for the account in Azure AD |
+| `AccountUpn` | string | User principal name (UPN) of the account |
+| `IsExternalUser` | int | Indicates if the user that signed in is external. Possible values: -1 (not set) , 0 (not external), 1 (external). |
+| `IsGuestUser` | boolean | Indicates whether the user that signed in is a guest in the tenant |
+| `AlternateSignInName` | string | On-premises user principal name (UPN) of the user signing in to Azure AD |
+| `LastPasswordChangeTimestamp` | datetime | Date and time when the user that signed in last changed their password |
+| `ResourceDisplayName` | string | Display name of the resource accessed |
+| `ResourceId` | string | Unique identifier of the resource accessed |
+| `ResourceTenantId` | string | Unique identifier of the tenant of the resource accessed |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
+| `AadDeviceId` | string | Unique identifier for the device in Azure AD |
+| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
+| `DeviceTrustType` | string | Indicates the trust type of the device that signed in. For managed device scenarios only. Possible values are Workplace, AzureAd, and ServerAd. |
+| `IsManaged` | int | Indicates whether the device that initiated the sign-in is a managed device (1) or not a managed device (0) |
+| `IsCompliant` | int | Indicates whether the device that initiated the sign-in is compliant (1) or non-compliant (0) |
+| `AuthenticationProcessingDetails` | string | Details about the authentication processor |
+| `AuthenticationRequirement` | string | Type of authentication required for the sign-in. Possible values: multiFactorAuthentication (MFA was required) and singleFactorAuthentication (no MFA was required). |
+| `TokenIssuerType` | int | Indicates if the token issuer is Azure Active Directory (0) or Active Directory Federation Services (1) |
+| `RiskLevelAggregated` | int | Aggregated risk level during sign-in. Possible values: 0 (aggregated risk level not set), 1 (none), 10 (low), 50 (medium), or 100 (high). |
+| `RiskDetails` | int | Details about the risky state of the user that signed in |
+| `RiskState` | int | Indicates risky user state. Possible values: 0 (none), 1 (confirmed safe), 2 (remediated), 3 (dismissed), 4 (at risk), or 5 (confirmed compromised). |
+| `UserAgent` | string | User agent information from the web browser or other client application |
+| `ClientAppUsed` | string | Indicates the client app used |
+| `Browser` | string | Details about the version of the browser used to sign in |
+| `ConditionalAccessPolicies` | string | Details of the conditional access policies applied to the sign-in event |
+| `ConditionalAccessStatus` | int | Status of the conditional access policies applied to the sign-in. Possible values are 0 (policies applied), 1 (attempt to apply policies failed), or 2 (policies not applied). |
+| `IPAddress` | string | IP address assigned to the endpoint and used during related network communications |
+| `CountryCode` | string | Two-letter code indicating the country where the client IP address is geolocated |
+| `State` | string | State where the sign-in occurred, if available |
+| `City` | string | City where the account user is located |
+| `Latitude` | string | The north to south coordinates of the sign-in location |
+| `Longitude` | string | The east to west coordinates of the sign-in location |
+| `NetworkLocationDetails` | string | Network location details of the authentication processor of the sign-in event |
+| `RequestId` | string |  Unique identifier of the request |
+|`ReportId` | string | Unique identifier for the event |
+
+ 
+
+ 
+
+## Related articles
+
+- [AADSpnSignInEventsBeta](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-aadspnsignineventsbeta-table)
+- [Advanced hunting
+ overview](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview)
+- [Learn the query
+ language](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language)
+- [Understand the
+ schema](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference)
+
+ 
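Review bot: The `LogonType` description lists "interactive, remote interactive (RDP), network, batch, and service", which read like Windows logon session types, while the introduction says this table holds Azure Active Directory interactive and non-interactive sign-ins; list the values this table actually contains. `RiskDetails` is typed int but, unlike `RiskLevelAggregated` and `RiskState`, gives no mapping of values, and `IsGuestUser` is boolean where the neighbouring `IsExternalUser`, `IsManaged` and `IsCompliant` flags are int, which is worth calling out for query authors. `City` says "where the account user is located" while `State` says "where the sign-in occurred"; use the sign-in wording for both. The apostrophe in "Azure Security Center's" in the IMPORTANT note is mis-encoded in the added line and should be a plain apostrophe.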
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-aadspnsignineventsbeta-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-aadspnsignineventsbeta-table.md new file mode 100644
@@ -0,0 +1,84 @@
+---
+title: AADSpnSignInEventsBeta table in the advanced hunting schema
+description: Learn about information associated with Azure Active Directory service principal and managed identity sign-in events table of the advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AlertInfo, alert, entities, evidence, file, IP address, device, machine, user, account, identity, AAD
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: microsoft-365-enterprise
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365initiative-m365-defender
+ms.topic: article
+---
+# AADSpnSignInEventsBeta
+
+**Applies to:**
+
+- Microsoft 365 Defender
+
+>[!IMPORTANT]
+> The `AADSpnSignInEventsBeta` table is currently in beta and is being offered on a short-term basis to allow you to hunt through Azure Active Directory (AAD) service principal and managed identity sign-in events. We will eventually move all sign-in schema information to the `IdentityLogonEvents` table.<br><br>
+> Customers who can access Microsoft 365 Defender through the Azure Security CenterΓÇÖs integrated Microsoft Defender for Endpoint solution, but do not have licenses for Microsoft Defender for Office, Microsoft Defender for Identity, or Microsoft Cloud App Security, will not be able to view this schema.
+++
+The `AADSpnSignInEventsBeta` table in the advanced hunting schema contains
+information about Azure Active Directory service principal and managed identity
+sign-ins. You can learn more about the different kinds of sign-ins in [Azure
+Active Directory sign-in activity reports -
+preview](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-all-sign-ins).
+
+Use this reference to construct queries that return information from the table.
+
+For information on other tables in the advanced hunting schema, see [the
+advanced hunting
+reference](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference).
+++++
+| Column name | Data type | Description |
+| ----- | ----- | ---- |
+| `Timestamp` | datetime | Date and time when the record was generated |
+| `Application` | string | Application that performed the recorded action |
+| `ApplicationId` | string | Unique identifier for the application |
+| `IsManagedIdentity` | boolean | Indicates whether the sign-in was initiated by a managed identity |
+| `ErrorCode` | int | Contains the error code if a sign-in error occurs. To find a description of a specific error code, visit <https://aka.ms/AADsigninsErrorCodes>. |
+| `CorrelationId` | string | Unique identifier of the sign-in event |
+| `ServicePrincipalName` | string | Name of the service principal that initiated the sign-in |
+| `ServicePrincipalId` | string | Unique identifier of the service principal that initiated the sign-in |
+| `ResourceDisplayName` | string | Display name of the resource accessed |
+| `ResourceId` | string | Unique identifier of the resource accessed |
+| `ResourceTenantId` | string | Unique identifier of the tenant of the resource accessed |
+| `IPAddress` | string | IP address assigned to the endpoint and used during related network communications |
+| `CountryCode` | string | Two-letter code indicating the country where the client IP address is geolocated |
+| `State` | string | State where the sign-in occurred, if available |
+| `City` | string | City where the account user is located |
+| `Latitude` | string | The north to south coordinates of the sign-in location |
+| `Longitude` | string | The east to west coordinates of the sign-in location |
+| `RequestId` | string | Unique identifier of the request |
+|`ReportId` | string | Unique identifier for the event | 
+
+ 
+
+## Related articles
+
+- [AADSignInEventsBeta](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-aadsignineventsbeta-table)
+- [Advanced hunting
+ overview](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview)
+- [Learn the query
+ language](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language)
+- [Understand the
+ schema](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference)
+
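Review bot: `City` is described as "City where the account user is located", but this table covers service principal and managed identity sign-ins, so there is no account user; describe it as the city where the sign-in occurred, matching the wording used for `State`. The `keywords` front matter lists "AlertInfo, alert, entities, evidence", which does not describe this table and looks carried over from another page. The apostrophe in "Azure Security Center's" in the IMPORTANT note is mis-encoded here as well.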
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-emailevents-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-emailevents-table.md
@@ -60,9 +60,9 @@ For information on other tables in the advanced hunting schema, [see the advance
| `PhishDetectionMethod` | string | Method used to detect the email as a phish: Malicious URL reputation, Safe Links URL Detonation, Advanced phish filter, General phish filter, Anti-Spoof: Intra-org, Anti-spoof: external domain, Domain impersonation, User impersonation, Brand impersonation | | `MalwareFilterVerdict` | string | Verdict of the email filtering stack on whether the email contains malware: Malware, Not malware | | `MalwareDetectionMethod` | string | Method used to detect malware in the email: Antimalware engine, File reputation, Safe Attachments |
-| `FinalEmailAction` | string | Final action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, send to quarantine, No action taken, Bcc message |
-| `FinalEmailActionPolicy` | string | Action policy that took effect: Antispam high-confidence, Antispam, Antispam bulk mail, Antispam phishing, Anti-phishing domain impersonation, Anti-phishing user impersonation, Anti-phishing spoof, Anti-phishing graph impersonation, Antimalware, Safe Attachments, Enterprise Transport Rules (ETR) |
-| `FinalEmailActionPolicyGuid` | string | Unique identifier for the policy that determined the final mail action |
+| `EmailAction` | string | Final action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, send to quarantine, No action taken, Bcc message |
+| `EmailActionPolicy` | string | Action policy that took effect: Antispam high-confidence, Antispam, Antispam bulk mail, Antispam phishing, Anti-phishing domain impersonation, Anti-phishing user impersonation, Anti-phishing spoof, Anti-phishing graph impersonation, Antimalware, Safe Attachments, Enterprise Transport Rules (ETR) |
+| `EmailActionPolicyGuid` | string | Unique identifier for the policy that determined the final mail action |
| `AttachmentCount` | int | Number of attachments in the email | | `UrlCount` | int | Number of embedded URLs in the email | | `EmailLanguage` | string | Detected language of the email content |
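Review bot: The three renamed rows give no hint that `EmailAction`, `EmailActionPolicy` and `EmailActionPolicyGuid` were previously `FinalEmailAction`, `FinalEmailActionPolicy` and `FinalEmailActionPolicyGuid`, so someone looking up an old column name from an existing query finds nothing on this page. Add a short note near the table that links to the new naming-changes article (advanced-hunting-schema-changes.md), where the old names are recorded.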
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-schema-changes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-schema-changes.md new file mode 100644
@@ -0,0 +1,50 @@
+---
+title: Naming changes in the Microsoft 365 Defender advanced hunting schema
+description: Track and review naming changes tables and columns in the advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, data, naming changes, rename, Microsoft Threat Protection
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: microsoft-365-enterprise
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365initiative-m365-defender
+ms.topic: article
+---
+
+# Advanced hunting schema - Naming changes
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
++
+**Applies to:**
+- Microsoft 365 Defender
+
+[!INCLUDE [Prerelease information](../includes/prerelease.md)]
+
+The [advanced hunting schema](advanced-hunting-schema-tables.md) is updated regularly to add new tables and columns. In some cases, existing columns names are renamed or replaced to improve the user experience. Refer to this article to review naming changes that could impact your queries.
+
+Naming changes are automatically applied to queries that are saved in the security center, including queries used by custom detection rules. You don't need to update these queries manually. However, you will need to update the following queries:
+- Queries that are run using the API
+- Queries that are saved elsewhere outside the security center
+
+## December 2020
+
+| Table name | Original column name | New column name | Reason for change
+|--|--|--|--|
+| [EmailEvents](advanced-hunting-emailevents-table.md) | FinalEmailAction | EmailAction | Customer feedback |
+| [EmailEvents](advanced-hunting-emailevents-table.md) | FinalEmailActionPolicy | EmailActionPolicy | Customer feedback |
+| [EmailEvents](advanced-hunting-emailevents-table.md) | FinalEmailActionPolicyGuid | EmailActionPolicyGuid | Customer feedback |
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
\ No newline at end of file
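Review bot: The header row of the December 2020 table, `| Table name | Original column name | New column name | Reason for change`, is missing its closing pipe, unlike the separator and data rows below it. Also fix "existing columns names are renamed" to "existing column names are renamed", add the missing "to" in the description "Track and review naming changes tables and columns", and end the file with a newline.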
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-threat-protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/microsoft-threat-protection.md
@@ -46,9 +46,12 @@ With the integrated Microsoft 365 Defender solution, security professionals can
</table> <br>
+## Microsoft 365 Defender interactive guide
+
+In this interactive guide, you'll learn how to protect your organization with Microsoft 365 Defender. You'll see how Microsoft 365 Defender can help you detect security risks, investigate attacks to your organization, and prevent harmful activities automatically.
+
+> [!VIDEO https://aka.ms/M365Defender-InteractiveGuide]
->[!TIP]
->Check out this [Microsoft 365 Defender interactive guide](https://aka.ms/MTP-Interactive-Guide).
Microsoft 365 Defender suite protects:
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payloads.md
@@ -29,7 +29,7 @@ In the next step name your payload. Optionally, you can give it a description.
## Configure payload
-Now it's time to build your payload. Input the sender's name, email address, and the email's subject in the **Sender details** section. Pick a phishing URL from the the provided list. This URL will later be embedded into the body of the message.
+Now it's time to build your payload. Input the sender's name, email address, and the email's subject in the **Sender details** section. Pick a phishing URL from the provided list. This URL will later be embedded into the body of the message.
> [!TIP] > You can choose an internal email for your payload's sender, which will make the payload appear as coming from another employee of the company. This will increase susceptibility to the payload and will help educate employees on the risk of internal threats.
@@ -45,7 +45,7 @@ Once you're done building the payload to your liking, click **Next**.
## Adding indicators
-Indicators will help employees going through the attack simulation understand clue they can look for in future attacks. To start, click **Add indicator**.
+Indicators will help employees going through the attack simulation understand the clue they can look for in future attacks. To start, click **Add indicator**.
Select an indicator you'd like to use from the drop-down list. This list is curated to contain the most common clues that appear in phishing email messages. Once selected, make sure the indicator placement is set to **From the body of the email** and click on **Select text**. Highlight the portion of your payload where this indicator appears and click **Select**.
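Review bot: "understand the clue they can look for" should be plural, "the clues they can look for"; the following paragraph already speaks of "the most common clues", and a payload can carry more than one indicator.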
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulator https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulator.md
@@ -114,9 +114,7 @@ If you're going to use one of the built-in templates or create the email message
> [!NOTE] >
- > - All of the URLs are intentionally http, not https.
- >
- > - A URL reputation service might identify one or more of these URLs as unsafe. Check the availability of the URL in your supported web browsers before you use the URL in a phishing campaign.
+ > A URL reputation service might identify one or more of these URLs as unsafe. Check the availability of the URL in your supported web browsers before you use the URL in a phishing campaign.
- **Custom Landing Page URL**: Enter an optional landing page where users are taken if they click the phishing link and enter their credentials. This link replaces the default landing page. For example, if you have internal awareness training, you can specify that URL here.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-atp.md
@@ -39,6 +39,11 @@ Microsoft Defender for Office 365 safeguards your organization against malicious
- **[Automated investigation and response capabilities](office-365-air.md)**: Save time and effort investigating and mitigating threats.
+## Interactive guide to Microsoft Defender for Office 365
+In this interactive guide you'll learn how to safeguard your organization with Microsoft Defender for Office 365. You'll see how Defender for Office 365 can help you define protection policies, analyze threats to your organization, and respond to attacks.
+
+> [!VIDEO https://aka.ms/MSDO-IG]
+ ## Getting Started If you're new to Microsoft Defender for Office 365 or learn best by *doing*, you may benefit from breaking initial Defender for Office 365 configuration into chunks, investigating, and viewing reports using this article as a reference. Here are logical early configuration chunks:
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center.md
@@ -49,6 +49,11 @@ Managing permissions in the Security & Compliance Center only gives users access
To see how to grant access to the Security & Compliance Center, check out [Give users access to Microsoft 365 Compliance admin center](grant-access-to-the-security-and-compliance-center.md).
+> [!NOTE]
+> To view the **Permissions** tab in the Security & Compliance Center, you need to be an admin. Specifically, you need to be assigned the **Role Management** role, and that role is assigned only to the **Organization Management** role group in the Security & Compliance Center by default. Furthermore, the **Role Management** role allows users to view, create, and modify role groups.
+
+<br><br>
+ **** |Role group|Description|Default roles assigned|
@@ -137,6 +142,8 @@ Note that the following roles aren't assigned to the Organization Management rol
- RMS Decrypt - Supervisory Review Administrator
+<br><br>
+ **** |Role|Description|Default role group assignments|
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-by-default https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-by-default.md
@@ -63,5 +63,5 @@ You should only consider using overrides in the following scenarios:
- Phishing simulations: Simulated attacks can help you identify vulnerable users before a real attack impacts your organization. - Security/SecOps mailboxes: Dedicated mailboxes used by security teams to get unfiltered messages (both good and bad). Teams can then review to see if they contain malicious content.-- Third-party filters: Some third-party vendors will recommend turning off EOP (SCL=-1) as the third-party filter will manage the mail filtering. Microsoft does not recommend turning off EOP as EOP is required for [Microsoft Defender for Office 365](office-365-atp.md). Instead, the recommendation here is to turn on [Enhanced Filtering for Connectors](https://docs.microsoft.com/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
+- Third-party filters: Secure by default does not apply when the domain's MX record does not point to Office 365.
- False positives: You might want to temporarily allow certain messages that are still being analyzed by Microsoft [via Admin submissions](admin-submission.md). As with all overrides, it is recommended that they are temporary.
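Review bot: The replacement bullet, "Secure by default does not apply when the domain's MX record does not point to Office 365", is a statement of scope, not a scenario in which to consider an override, so it no longer fits the list introduced by "You should only consider using overrides in the following scenarios". It also drops the removed bullet's guidance against turning off EOP (SCL=-1) and its link to Enhanced Filtering for Connectors; if that advice still holds, keep it in the bullet and move the MX-record statement into a separate note.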
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-atp-safe-attachments-policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-atp-safe-attachments-policies.md
@@ -54,11 +54,11 @@ In Exchange Online PowerShell or standalone EOP PowerShell, you manage the polic
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](https://docs.microsoft.com/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](https://docs.microsoft.com/powershell/exchange/connect-to-exchange-online-protection-powershell). -- You need to be assigned permissions in the Security & Compliance Center before you can do the procedures in this article:
- - To create, modify, and delete Safe Attachments policies, you need to be a member of the **Organization Management** or **Security Administrator** role groups.
- - For read-only access to Safe Attachments policies, you need to be a member of the **Global Reader** or **Security Reader** role groups.
+- You need to be assigned permissions before you can do the procedures in this article:
+ - To create, modify, and delete Safe Links policies, you need to be a member of the **Organization Management** or **Security Administrator** role groups in the Security & Compliance Center **and** a member of the **Organization Management** role group in Exchange Online.
+ - For read-only access to Safe Links policies, you need to be a member of the **Global Reader** or **Security Reader** role groups in the Security & Compliance Center.
- For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+ For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md) and [Permissions in Exchange Online](https://docs.microsoft.com/exchange/permissions-exo/permissions-exo).
**Notes**:
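Review bot: the two added permission bullets name the wrong feature. This file is set-up-atp-safe-attachments-policies.md and the removed lines said "Safe Attachments policies", but both replacement lines say "Safe Links policies", which looks copied from the Safe Links article. Change both to "Safe Attachments policies" so an admin reading this page is not left unsure which role groups gate changes to Safe Attachments policies.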
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-atp-safe-links-policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-atp-safe-links-policies.md
@@ -54,11 +54,11 @@ In Exchange Online PowerShell or standalone EOP PowerShell, you manage the polic
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](https://docs.microsoft.com/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](https://docs.microsoft.com/powershell/exchange/connect-to-exchange-online-protection-powershell). -- You need to be assigned permissions in the Security & Compliance Center before you can do the procedures in this article:
- - To create, modify, and delete Safe Links policies, you need to be a member of the **Organization Management** or **Security Administrator** role groups.
+- You need to be assigned permissions before you can do the procedures in this article:
+ - To create, modify, and delete Safe Links policies, you need to be a member of the **Organization Management** or **Security Administrator** role groups in the Security & Compliance Center **and** a member of the **Organization Management** role group in Exchange Online.
- For read-only access to Safe Links policies, you need to be a member of the **Global Reader** or **Security Reader** role groups.
- For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+ For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md) and [Permissions in Exchange Online](https://docs.microsoft.com/exchange/permissions-exo/permissions-exo).
**Notes**:
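Review bot: the read-only bullet is left as unchanged context ("... **Global Reader** or **Security Reader** role groups.") even though the parent bullet no longer says "in the Security & Compliance Center", so that line no longer states where those role groups are assigned. The matching change in set-up-atp-safe-attachments-policies.md appends "in the Security & Compliance Center" to its read-only bullet; do the same here so the two articles stay consistent and the read-only requirement is unambiguous.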
solutions https://docs.microsoft.com/en-us/microsoft-365/solutions/collaborate-as-team https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-as-team.md
@@ -183,3 +183,5 @@ To invite guests to a team
[Create a B2B extranet with managed guests](b2b-extranet.md) [SharePoint and OneDrive integration with Azure AD B2B](https://docs.microsoft.com/sharepoint/sharepoint-azureb2b-integration-preview)+
+[Sharing options are greyed out when sharing from SharePoint or OneDrive](https://docs.microsoft.com/sharepoint/troubleshoot/administration/sharing-options-grayed-out-when-sharing-from-sharepoint-online-or-onedrive)
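Review bot: the added link text spells it "greyed out" while the target URL slug uses "grayed-out". Use "grayed out" in the link text so it matches the linked article and a reader searching for the title finds it.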