Updates from: 01/09/2021 04:07:17
Category Microsoft Docs article Related commit history on GitHub Change details
admin https://docs.microsoft.com/en-us/microsoft-365/admin/manage/manage-messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-messages.md
@@ -204,7 +204,7 @@ Need to get a archived message back? No problem.
## Track your message center tasks in Planner
-A lot of actionable information about changes to Microsoft 365 services arrives in the Microsoft 365 message center. It can be difficult to keep track of which changes require tasks to be done, when, and by whom, and to track each task to completion. You also might want to make a note of something and tag it to check on later. You can do all this and more when you sync your messages from the Microsoft 365 admin center to Microsoft Planner. For more information, see [Track your message center tasks in Planner](https://docs.microsoft.comoffice365/planner/track-message-center-tasks-planner).
+A lot of actionable information about changes to Microsoft 365 services arrives in the Microsoft 365 message center. It can be difficult to keep track of which changes require tasks to be done, when, and by whom, and to track each task to completion. You also might want to make a note of something and tag it to check on later. You can do all this and more when you sync your messages from the Microsoft 365 admin center to Microsoft Planner. For more information, see [Track your message center tasks in Planner](https://docs.microsoft.com/office365/planner/track-message-center-tasks-planner).
For an overview of Message center, see [Message center in Microsoft 365](message-center.md). Or, to learn how to set your language preferences to enable machine translation for Message center posts, see [Language translation for Message center posts](language-translation-for-message-center-posts.md). If you'd like to program an alternative way to get real-time service health information and Message Center communications, please reference [Microsoft 365 Service Communications API Overview](https://go.microsoft.com/fwlink/p/?linkid=848507).
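Review bot: The corrected URL on the `+` line restores the missing `/` between host and path (`docs.microsoft.comoffice365/...` could never have resolved), which is the right fix and the only change in this hunk. One nit in the trailing context line: "please reference" reads better as "see", matching the "For more information, see ..." phrasing used earlier in the same paragraph.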
admin https://docs.microsoft.com/en-us/microsoft-365/admin/manage/test-and-deploy-microsoft-365-apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/test-and-deploy-microsoft-365-apps.md
@@ -48,7 +48,7 @@ By choosing Integrated apps in the Microsoft 365 admin center, you can manage te
Review the details of the test or full deployment on the **Overview** tab.
-## Find published apps for test and full deployment
+## Find published apps for testing and full deployment
You can find, test, and fully deploy published apps that do not already appear in the list on the Integrated apps page. By purchasing and licensing the apps from the admin center, you can add Microsoft and Microsoft partner apps to your list from a single location.
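Review bot: Renaming the H2 from "Find published apps for test and full deployment" to "... for testing and full deployment" also changes the auto-generated anchor (`#find-published-apps-for-test-and-full-deployment` becomes `#find-published-apps-for-testing-and-full-deployment`). Check for inbound links to the old anchor elsewhere in the repo and in any in-product help links before merging; otherwise those links will land at the top of the page instead of at the section.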
@@ -82,4 +82,12 @@ In the Microsoft 365 admin center, each deployed app **Status** is **OK** with a
> [!NOTE] > If an app was previously deployed from somewhere other than the Integrated Apps portal, the **Deployment Type** is **Custom.**+
+## Unsupported scenarios
+
+The following scenarios are not currently supported for deployment from the Integrated Apps portal:
+
+- The app or add-in is linked to more than one software as a service (SaaS) offer.
+- The SaaS app is linked to apps and add-ins but it doesn't have an associated AADid.
+- Two SaaS apps share the same AADid and they are both linked to apps or add-ins.
\ No newline at end of file
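Review bot: The new "Unsupported scenarios" section uses "AADid" twice without defining it; spell it out on first use (for example, "Azure AD application ID (AADid)") the way "software as a service (SaaS)" is expanded in the first bullet, since a reader deciding whether their deployment is supported needs to know which identifier is meant. In the second bullet, "linked to apps and add-ins but it doesn't have" reads better without "it". Finally, the file now ends without a trailing newline ("\ No newline at end of file"); add one so the next edit to this file doesn't show a spurious change on the last line.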
admin https://docs.microsoft.com/en-us/microsoft-365/admin/multi-tenant/manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/multi-tenant/manage.md
@@ -36,7 +36,7 @@ Multi-tenant management offers a unified form of management that allows admins t
:::image type="content" source="../../media/macorgswitcher.png" alt-text="Multi-tenant switcher."::: -- From the **Tenant switcher** you can move quickly between tenants you manage.
+- From the **Tenant switcher**, you can move quickly between tenants you manage.
:::image type="content" source="../../media/yourtenantslist.png" alt-text="Your tenants list with search functionality.":::
@@ -57,14 +57,22 @@ If you've marked a tenant as a favorite, it's automatically expanded so you can
The service health view shows you if any incidents or advisories are affecting the tenants. It will even tell you how many of your managed tenants are affected. 1. In the Microsoft 365 admin center, in the multi-tenant view, select **Service Health**.
-2. On the **Service health** page, you can review issues under **All services** or **All issues** tabs.
-3. Select an incident on the **All services** or **All issues** tab to get more information about any incident on the **Overview** tab. Select the **Tenants affected** tab to get a list of the affected tenants.
+2. On the **Service health** page aggregated view, you can also see the total number of incidents, the total number of advisories affecting any of the managed tenants, and the number of services with active incidents. You can also see how many of your tenants are affected by incidents and advisories.
+
+ - You can use the filter option to view issues by issue type or by service
+
+ - You can review issues under **All services** or **All issues** tabs.
+
+ :::image type="content" source="../../media/multitenant-servicehealth.png" alt-text="Multi-tenant Service health page.":::
+1. Select an incident on the **All services** or **All issues** tab to get more information about any incident on the **Overview** tab. Select the **Tenants affected** tab to get a list of the affected tenants.
:::image type="content" source="../../media/tenantsaffected.png" alt-text="List of tenants affected by a service health issue.":::
+The list of affected tenants can be exported to CSV format so that admins can share it with support teams.
+ ## View a single tenant in the Microsoft 365 admin center You can return to the Microsoft 365 admin center for any of the tenants from the **All tenants** page.
-1. On the **All tenants** page, click on the tenant name for which you want to view the admin center.
+1. On the **All tenants** page, select the tenant name for which you want to view the admin center.
2. You are directed to the admin center for that tenant.\ No newline at end of file
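Review bot: The numbered procedure in the service health section goes 1., 2., and then the added step is written as `+1.` (the line after the Service health image), so the explicit numbering is inconsistent with the `2.` above it; depending on how a renderer treats the intervening indented bullets and image, it will show "3." or restart the list. Write it as `3.` to match the preceding steps. The nested bullet "You can use the filter option to view issues by issue type or by service" is also missing its terminal period, and the file loses its trailing newline ("\ No newline at end of file").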
admin https://docs.microsoft.com/en-us/microsoft-365/admin/whats-new-in-preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/whats-new-in-preview.md
@@ -52,7 +52,7 @@ Welcome to Microsoft Ignite - our first online-only Ignite. We hope to see you i
### Multi-tenant management
-We've developed a set of features for multi-tenant admins like you to get your job done faster and more efficiently.
+We've developed a set of features for multi-tenant admins like you to get your job done faster and more efficiently. For more information, see [Manage multiple tenants](multi-tenant/manage.md).
- **Your tenants**: Quickly switch between the tenants you manage. - **All tenants**: A new page where you can quickly see the health of all your tenants' services, any open service requests, your products and billing, recommended setup tasks, and the number of users in that tenant.
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/archive-bloomberg-message-data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-bloomberg-message-data.md
@@ -63,8 +63,9 @@ Some of the implementation steps required to archive Bloomberg Message data are
- Port number for Bloomberg SFTP site -- The user who creates a Bloomberg Message connector in Step 3 (and who downloads the public keys and IP address in Step 1) must be assigned the Mailbox Import Export role in Exchange Online. This is required to add connectors in the **Data connectors** page in the Microsoft 365 compliance center. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+- The Bloomberg Message connector can import a total of 200,000 items in a single day. If there are more than 200,000 items on the SFTP site, none of those items will be imported to Microsoft 365.
+- The user who creates a Bloomberg Message connector in Step 3 (and who downloads the public keys and IP address in Step 1) must be assigned the Mailbox Import Export role in Exchange Online. This is required to add connectors in the **Data connectors** page in the Microsoft 365 compliance center. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
## Step 1: Obtain SSH and PGP public keys
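Review bot: The new bullet on the 200,000-item daily limit says that if more than 200,000 items are present on the SFTP site, "none of those items will be imported", but it doesn't say whether the items are skipped for that day and picked up later or never imported, nor what the admin should do about it. For a compliance archiving connector that gap matters: an admin who assumes the backlog is retried can end up with an undetected hole in the archive. Suggest one sentence stating the actual behaviour and the remediation. The same wording is added to the ICE Chat, Facebook, LinkedIn and Twitter articles in this batch, so the clarification belongs in all of them.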
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/archive-facebook-data-with-sample-connector https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-facebook-data-with-sample-connector.md
@@ -14,7 +14,7 @@ search.appverid:
- MET150 ms.collection: M365-security-compliance ms.custom: seo-marvel-apr2020
-description: "Learn how to setup & use a connector in the Microsoft 365 compliance center to import & archive data from Facebook Business pages to Microsoft 365."
+description: "Learn how to set up & use a connector in the Microsoft 365 compliance center to import & archive data from Facebook Business pages to Microsoft 365."
--- # Set up a connector to archive Facebook data (preview)
@@ -31,13 +31,15 @@ Complete the following prerequisites before you can set up and configure a conne
- Your organization must have a valid Azure subscription. If you don't have an existing Azure subscription, you can sign up for one of these options:
- - [Sign up for a free one year Azure subscription](https://azure.microsoft.com/free)
+ - [Sign up for a free one year Azure subscription](https://azure.microsoft.com/free)
- [Sign up for a Pay-As-You-Go Azure subscription](https://azure.microsoft.com/pricing/purchase-options/pay-as-you-go/) > [!NOTE] > The [free Azure Active Directory subscription](use-your-free-azure-ad-subscription-in-office-365.md) that's included with your Microsoft 365 subscription doesn't support the connectors in the Security & Compliance Center.
+- The connector for Facebook Business pages can import a total of 200,000 items in a single day. If there are more than 200,000 Facebook Business items in a day, none of those items will be imported to Microsoft 365.
+ - The user who sets up the custom connector in the Microsoft 365 compliance center (in Step 5) must be assigned the Mailbox Import Export role in Exchange Online. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online". ## Step 1: Create an app in Azure Active Directory
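Review bot: The `-`/`+` pair for the "Sign up for a free one year Azure subscription" bullet has identical visible text, so this is a whitespace-only change (indentation or trailing space) that reviewers can't see; since the line is being touched anyway, fix "free one year Azure subscription" to "free one-year Azure subscription". The front-matter fix in the first hunk ("setup" to "set up" as a verb) is correct.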
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/archive-icechat-data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-icechat-data.md
@@ -44,6 +44,8 @@ Some of the implementation steps required to archive ICE Chat data are external
- You must set up an ICE Chat SFTP site before creating the connector in Step 3. After working with ICE Chat to set up the SFTP site, data from ICE Chat is uploaded to the SFTP site every day. The connector you create in Step 3 connects to this SFTP site and transfers the chat data to Microsoft 365 mailboxes. SFTP also encrypts the ICE Chat data that's sent to mailboxes during the transfer process.
+- The ICE Chat connector can import a total of 200,000 items in a single day. If there are more than 200,000 items on the SFTP site, none of those items will be imported to Microsoft 365.
+ - The admin who creates the ICE Chat connector in Step 3 (and who downloads the public keys and IP address in Step 1) must be assigned the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online". ## Step 1: Obtain SSH and PGP public keys
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/archive-instant-bloomberg-data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-instant-bloomberg-data.md
@@ -61,7 +61,7 @@ Some of the implementation steps required to archive Instant Bloomberg data are
- Port number for Bloomberg SFTP site -- The Instant Bloomberg connector can import a total of 200,000 items in a single day. If there are more than 200,000 items in a day present in the SFTP site, none of those itmes will be imported to Microsoft 365.
+- The Instant Bloomberg connector can import a total of 200,000 items in a single day. If there are more than 200,000 items on the SFTP site, none of those items will be imported to Microsoft 365.
- The user who creates an Instant Bloomberg connector in Step 3 (and who downloads the public keys and IP address in Step 1) must be assigned the Mailbox Import Export role in Exchange Online. This is required to add connectors in the **Data connectors** page in the Microsoft 365 compliance center. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/archive-linkedin-data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-linkedin-data.md
@@ -23,12 +23,14 @@ Use a connector in the Microsoft 365 compliance center to import and archive dat
After the LinkedIn Company page data is stored in a mailbox, you can apply Microsoft 365 compliance features such as Litigation Hold, Content Search, In-Place Archiving, Auditing, and Microsoft 365 retention policies to LinkedIn data. For example, you can search for these items using Content Search or associate the storage mailbox with a custodian in an Advanced eDiscovery case. Creating a connector to import and archive LinkedIn data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
-## Assign roles, and verify credentials
+## Before you set up a connector
- The user who creates a LinkedIn Company Page connector must be assigned the Mailbox Import Export role in Exchange Online. This is required to add connectors in the **Data connectors** page in the Microsoft 365 compliance center. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online". - You must have the sign-in credentials (email address or phone number and password) of a LinkedIn user account that is an admin for the LinkedIn Company Page that you want to archive. You use these credentials to sign into LinkedIn when setting up the connector.
+- The LinkedIn connector can import a total of 200,000 items in a single day. If there are more than 200,000 LinkedIn items in a day, none of those items will be imported to Microsoft 365.
+ ## Create a LinkedIn connector 1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **LinkedIn Company pages**.
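Review bot: Renaming the H2 "Assign roles, and verify credentials" to "Before you set up a connector" changes the section anchor from `#assign-roles-and-verify-credentials` to `#before-you-set-up-a-connector`; the Twitter article in this same batch needed an explicit in-article anchor fix for the identical rename, so check this article and the rest of the repo for the old anchor before merging. Separately, the unchanged prerequisite says the person creating the connector must hold the email address or phone number and password of a LinkedIn account that is an admin for the Company Page; a short recommendation to use a dedicated admin account rather than an individual's personal credentials would serve the compliance admins this article targets.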
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/archive-twitter-data-with-sample-connector https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-twitter-data-with-sample-connector.md
@@ -25,7 +25,7 @@ After the Twitter data is imported, you can apply Microsoft 365 compliance featu
After Twitter data is imported, you can apply Microsoft 365 compliance features such as Litigation Hold, Content Search, In-Place Archiving, Auditing, Communication compliance, and Microsoft 365 retention policies to the data stored in the mailbox. For example, you can search Twitter data using Content Search or associate the mailbox where the data is stored with a custodian in an Advanced eDiscovery case. Using a connector to import and archive Twitter data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
-## Prerequisites for setting up a connector for Twitter
+## Before you set up a connector
Complete the following prerequisites before you can set up and configure a connector in the Microsoft 365 compliance center to import and archive data from your organization's Twitter account.
@@ -40,6 +40,8 @@ Complete the following prerequisites before you can set up and configure a conne
> [!NOTE] > The [free Azure Active Directory subscription](use-your-free-azure-ad-subscription-in-office-365.md) that's included with your Microsoft 365 subscription doesn't support the connectors in the Security & Compliance Center.
+- The Twitter connector can import a total of 200,000 items in a single day. If there are more than 200,000 Twitter items in a day, none of those items will be imported to Microsoft 365.
+ - The user who sets up the Twitter connector in the Microsoft 365 compliance center (in Step 5) must be assigned the Mailbox Import Export role in Exchange Online. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online". ## Step 1: Create an app in Azure Active Directory
@@ -58,7 +60,7 @@ During the completion of this step (by following the step-by-step instructions),
## Step 2: Deploy connector web service from GitHub repository to your Azure account
-The next step is to deploy the source code for the Twitter connector app that will use Twitter API to connect to your Twitter account and extract data so you can import it to Microsoft 365. The Twitter connector that you deploy for your organization will upload the items from your organization's Twitter account to the Azure Storage location that is created in this step. After you create a Twitter connector in the Microsoft 365 compliance center (in Step 5), the Microsoft 365 Import service will copy the Twitter data from the Azure Storage location to a mailbox in Microsoft 365. As previous explained in the [Prerequisites](#prerequisites-for-setting-up-a-connector-for-twitter) section, you must have a valid Azure subscription to create an Azure Storage account.
+The next step is to deploy the source code for the Twitter connector app that will use Twitter API to connect to your Twitter account and extract data so you can import it to Microsoft 365. The Twitter connector that you deploy for your organization will upload the items from your organization's Twitter account to the Azure Storage location that is created in this step. After you create a Twitter connector in the Microsoft 365 compliance center (in Step 5), the Microsoft 365 Import service will copy the Twitter data from the Azure Storage location to a mailbox in Microsoft 365. As previous explained in the [Before you set up a connector](#before-you-set-up-a-connector) section, you must have a valid Azure subscription to create an Azure Storage account.
To deploy the source code for the Twitter connector app:
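Review bot: The `+` line in the Step 2 hunk carries over the grammar error "As previous explained"; since the sentence is being rewritten for the new anchor anyway, change it to "As previously explained" in the same commit, and "will use Twitter API" to "will use the Twitter API". The anchor update itself (`#prerequisites-for-setting-up-a-connector-for-twitter` to `#before-you-set-up-a-connector`) correctly tracks the heading rename in the first hunk.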
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-microsoft-teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-microsoft-teams.md
@@ -79,6 +79,7 @@ To perform this task, you must be assigned a role that has permissions to edit D
Allow approximately one hour for your changes to work their way through your data center and sync to user accounts. <!-- why are these syncing to user accounts? -->+ ## Add Microsoft Teams as a location to existing DLP policies To perform this task, you must be assigned a role that has permissions to edit DLP policies. To learn more, see [Permissions](data-loss-prevention-policies.md#permissions).
@@ -91,12 +92,13 @@ To perform this task, you must be assigned a role that has permissions to edit D
4. In the **Status** column, turn the policy on for **Teams chat and channel messages**.<br/>![DLP for Teams chats and channels](../media/dlp-teams-addteamschatschannels.png)<br/>
-5. Keep the default settings of all accounts, or specify which accounts to include or exclude.
+5. On the **Choose locations** tab, keep the default setting of all accounts, or select **Let me choose specific locations** and specify which accounts, distribution lists, or security groups for inclusion and exclusion. Then choose **Next**.
6. Click **Save**. Allow approximately one hour for your changes to work their way through your data center and sync to user accounts. <!-- again, why user accounts? -->+ ## Define a new DLP policy for Microsoft Teams To perform this task, you must be assigned a role that has permissions to edit DLP policies. To learn more, see [Permissions](data-loss-prevention-policies.md#permissions).
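Review bot: The rewritten step 5 is grammatically incomplete: "specify which accounts, distribution lists, or security groups for inclusion and exclusion" has no verb for the "which ..." clause. Suggest: "specify which accounts, distribution lists, or security groups to include or exclude." Also, the context lines in this and the preceding hunk still carry the author's unresolved HTML comments (`<!-- why are these syncing to user accounts? -->`, `<!-- again, why user accounts? -->`); they are invisible on the rendered page but ship in the public repo, so either answer the question in the text or remove them before merging.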
@@ -109,11 +111,13 @@ To perform this task, you must be assigned a role that has permissions to edit D
4. On the **Name your policy** tab, specify a name and description for the policy, and then choose **Next**.
-5. On the **Choose locations** tab, keep the default setting of all locations, or select **Let me choose specific locations**, and then choose **Next**.<br/>If you chose specific locations, select them for your DLP policy, and then choose **Next**.<br/>![DLP policy locations](../media/dlp-teams-selectlocationsnewpolicy.png)<br/>
- > [!NOTE]
- > If you want to make sure documents that contain sensitive information are not shared inappropriately in Teams, make sure **SharePoint sites** and **OneDrive accounts** are turned on, along with **Teams chat and channel messages**.
+5. On the **Choose locations** tab, keep the default setting of all accounts, or select **Let me choose specific locations** and specify which accounts, distribution lists, or security groups for inclusion and exclusion. Then choose **Next**.
+
+![DLP policy locations](../media/dlp-teams-selectlocationsnewpolicy.png)
+
+> [!NOTE]
+> If you want to make sure documents that contain sensitive information are not shared inappropriately in Teams, make sure **SharePoint sites** and **OneDrive accounts** are turned on, along with **Teams chat and channel messages**.
-<br/>
6. On the **Policy settings** tab, under **Customize the type of content you want to protect**, keep the default simple settings, or choose **Use advanced settings**, and then choose **Next**. If you choose advanced settings, you can create or edit rules for your policy. (To get help with this, see [Simple settings vs. advanced settings](data-loss-prevention-policies.md#simple-settings-vs-advanced-settings).)
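Review bot: The replacement step 5 changes "keep the default setting of all locations" to "keep the default setting of all accounts", but this procedure defines a new DLP policy and the tab is "Choose locations", so the default the removed line described is all locations, not all accounts; the wording looks copied from the Teams-only step in the previous hunk and should keep "all locations". The screenshot and the `[!NOTE]` have also been moved out of the list item (no longer indented under step 5), which ends the numbered list before step 6; indent them under step 5, or accept that some renderers will restart the numbering at step 6.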
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/enable-unlimited-archiving https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/enable-unlimited-archiving.md
@@ -110,7 +110,7 @@ Keep the following things in mind after you enable auto-expanding archiving:
- After you turn on auto-expanding archiving, it can't be turned off. -- Auto-expanding archiving is supported for cloud-based archive mailboxes in an Exchange hybrid deployment for users who have an on-premises primary mailbox. However, after auto-expanding archiving is enabled for a cloud-based archive mailbox, you can't off-board that archive mailbox back to the on-premises Exchange organization. Auto-expanding archiving isn't supported for on-premises mailboxes in Exchange Server 2010.
+- Auto-expanding archiving is supported for cloud-based archive mailboxes in an Exchange hybrid deployment for users who have an on-premises primary mailbox. However, after auto-expanding archiving is enabled for a cloud-based archive mailbox, you can't off-board that archive mailbox back to the on-premises Exchange organization. Auto-expanding archiving isn't supported for on-premises mailboxes in any version of Exchange Server.
- For a list of Outlook clients that users can use to access items in the additional storage area in their archive mailbox, see the "Outlook requirements for accessing items in an auto-expanded archive" section in [Overview of unlimited archiving](unlimited-archiving.md#outlook-requirements-for-accessing-items-in-an-auto-expanded-archive).
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/records-management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/records-management.md
@@ -100,11 +100,13 @@ Containers include SharePoint document libraries and Exchange mailboxes.
>[!IMPORTANT] > The most important difference for a regulatory record is that after it is applied to content, nobody, not even a global administrator, can remove the label. >
-> In addition, retention labels configured for regulatory records have the following admin restrictions:
+> Retention labels configured for regulatory records also have the following admin restrictions:
> - The retention period can't be made shorter after the label is saved, only extended. > - These labels aren't supported by auto-labeling policies, and must be applied by using [retention label policies](create-apply-retention-labels.md).
+>
+> In addition, a regulatory label can't be applied to a document that's checked out in SharePoint.
>
-> Because of these irreversible actions, make sure you really do need to use regulatory records before you select this option for your retention labels. To help prevent accidental configuration, this option is not available by default but must first be enabled by using PowerShell. Instructions are included in [Declare records by using retention labels](declare-records.md).
+> Because of the restrictions and irreversible actions, make sure you really do need to use regulatory records before you select this option for your retention labels. To help prevent accidental configuration, this option is not available by default but must first be enabled by using PowerShell. Instructions are included in [Declare records by using retention labels](declare-records.md).
## Configuration guidance
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/retention-policies-teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-teams.md
@@ -41,9 +41,9 @@ Emails and files that you use with Teams aren't included in retention policies f
## How retention works with Microsoft Teams
-You can use a retention policy to retain chats and channel messages in Teams. Teams chats are stored in a hidden folder in the mailbox of each user included in the chat, and Teams channel messages are stored in a similar hidden folder in the group mailbox for the team.
+You can use a retention policy to retain data from chats and channel messages in Teams. Data from Teams chats are stored in a hidden folder in the mailbox of each user included in the chat, and data from Teams channel messages are stored in a similar hidden folder in the group mailbox for the team.
-It's important to understand that Teams uses an Azure-powered chat service that also stores this data, and by default this service stores the data indefinitely. For this reason, we recommend that you create a retention policy that uses the Teams locations to retain and delete this Teams data. This retention policy can permanently delete data from both the Exchange mailboxes and the underlying Azure-powered chat service. For more information, see [Security and compliance in Microsoft Teams](https://go.microsoft.com/fwlink/?linkid=871258) and specifically, the [Information Protection Architecture](https://docs.microsoft.com/MicrosoftTeams/security-compliance-overview#information-protection-architecture) section.
+It's important to understand that Teams uses an Azure-powered chat service that also stores this data, and by default this service stores the data indefinitely. For this reason, we recommend that you create a retention policy that uses the Teams locations to retain and delete this Teams data. This retention policy can permanently delete this data from both the Exchange mailboxes and the underlying Azure-powered chat service. For more information, see [Security and compliance in Microsoft Teams](https://go.microsoft.com/fwlink/?linkid=871258) and specifically, the [Information Protection Architecture](https://docs.microsoft.com/MicrosoftTeams/security-compliance-overview#information-protection-architecture) section.
Teams chats and channel messages are not affected by retention policies that are configured for user or group mailboxes. Even though Teams chats and channel messages are stored in Exchange, this Teams data is included only by a retention policy that's configured for the **Teams channel messages** and **Teams chats** locations.
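Review bot: "Data from Teams chats are stored" and "data from Teams channel messages are stored" pair a plural verb with the singular mass noun "data"; Microsoft style treats "data" as singular, so use "is stored" in both places. The paragraph now says "data from chats and channel messages" while the unchanged paragraph below still says "Teams chats and channel messages are stored in Exchange"; align the two if the intent of the change is to distinguish the stored message data from the messages themselves.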
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
@@ -161,19 +161,15 @@ For more information, see [Using a retention label as a condition in a DLP polic
#### Retention labels and policies that apply them
-Retention labels are independent, reusable building blocks. The primary purpose of a retention label policy is to group a set of retention labels and specify the locations where you want those labels to appear. Then, admins and users can apply those labels to content in those locations.
-
-![Diagram of labels, label policies, and locations](../media/eee42516-adf0-4664-b5ab-76727a9a3511.png)
-
-When you publish retention labels, they're included in a retention label policy that make them available for admins and users to select:
+When you publish retention labels, they're included in a **retention label policy** that makes them available for admins and users to apply to content. As the following diagram shows:
-- A single retention label can be included in many retention label policies.
+1. A single retention label can be included in multiple retention label policies.
-- Retention label policies specify the locations to publish the retention labels.
+2. Retention label policies specify the locations to publish the retention labels. The same location can be included in multiple retention label policies.
-- A single location can also be included in many retention label policies.
+![How retention labels can be added to label policies that specify locations](../media/retention-labels-and-policies.png)
-In addition to retention label policies, you can also create one or more auto-apply policies, each with a single retention label. With this policy, a retention label is automatically applied when conditions that you specify in the policy are met.
+You can also create one or more **auto-apply retention label policies**, each with a single retention label. With this policy, a retention label is automatically applied when conditions that you specify in the policy are met.
#### Retention label policies and locations
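Review bot: The new lead-in `+When you publish retention labels, they're included in a **retention label policy** that makes them available for admins and users to apply to content. As the following diagram shows:` ends in a colon that introduces the numbered list, yet the diagram line `+![How retention labels can be added to label policies that specify locations](../media/retention-labels-and-policies.png)` is placed after the two list items, so "following diagram" points past the list. Either move the image line directly under the sentence or reword to "as shown in the diagram after this list". Also confirm that the removed media file `../media/eee42516-adf0-4664-b5ab-76727a9a3511.png` is no longer referenced elsewhere before it is deleted.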
@@ -185,7 +181,7 @@ Different types of retention labels can be published to different locations, dep
|Auto-applied based on sensitive information types or trainable classifiers <br/> |Exchange (all mailboxes only), SharePoint, OneDrive <br/> | |Auto-applied based on a query <br/> |Exchange, SharePoint, OneDrive, Microsoft 365 Groups <br/> |
-In Exchange, auto-apply retention labels are applied only to messages newly sent (data in transit), not to all items currently in the mailbox (data at rest). Also, auto-apply retention labels for sensitive information types and trainable classifiers apply to all mailboxes; you can't select specific mailboxes.
+In Exchange, retention labels that you auto-apply are applied only to messages newly sent (data in transit), not to all items currently in the mailbox (data at rest). Also, auto-apply retention labels for sensitive information types and trainable classifiers apply to all mailboxes; you can't select specific mailboxes.
Exchange public folders, Skype, Teams and Yammer messages do not support retention labels. To retain and delete contain from these locations, use retention policies instead.
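Review bot: The unchanged context line `Exchange public folders, Skype, Teams and Yammer messages do not support retention labels. To retain and delete contain from these locations, use retention policies instead.` has a typo: "contain" should be "content". Since this hunk already edits the paragraph immediately above, fix it in the same change.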
@@ -282,7 +278,7 @@ Use the following flow to understand the retention and deletion outcomes for a s
> [!IMPORTANT] > If you are using retention labels: Before using this flow to determine the outcome of multiple retention settings on the same item, make sure you know [which retention label is applied](#only-one-retention-label-at-a-time).
-![Diagram of the principles of retention](../media/1693d6ec-b340-4805-9da3-89aa41bc6afb.png)
+![Diagram of the principles of retention](../media/principles-of-retention.png)
Explanation for the four different levels:
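Review bot: The image path changes from `../media/1693d6ec-b340-4805-9da3-89aa41bc6afb.png` to `../media/principles-of-retention.png` but nothing in the diff shows the old file being removed; check that no other page still references the GUID-named file before deleting it, and that the retained alt text `Diagram of the principles of retention` still describes the new image.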
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/additional-office365-ip-addresses-and-urls https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/additional-office365-ip-addresses-and-urls.md
@@ -1,7 +1,7 @@
--- title: "Additional endpoints not included in the Office 365 IP Address and URL Web service"
-ms.author: josephd
-author: JoeDavies-MSFT
+ms.author: kvice
+author: kelleyvice-msft
manager: laurawi ms.date: 04/29/2020 audience: Admin
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/managing-office-365-endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/managing-office-365-endpoints.md
@@ -1,7 +1,7 @@
--- title: "Managing Office 365 endpoints"
-ms.author: josephd
-author: JoeDavies-MSFT
+ms.author: kvice
+author: kelleyvice-msft
manager: laurawi audience: ITPro ms.topic: conceptual
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-endpoints.md
@@ -1,9 +1,8 @@
--- title: "Microsoft 365 endpoints"
-ms.author: josephd
-author: JoeDavies-MSFT
+ms.author: kvice
+author: kelleyvice-msft
manager: laurawi
-ms.date: 11/07/2018
audience: ITPro ms.topic: hub-page ms.service: o365-solutions
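Review bot: This hunk removes `-ms.date: 11/07/2018` without adding a replacement, while every sibling hunk in this change set keeps its ms.date line. If the intent is to stop the hub page from displaying a stale date, state that in the commit message; otherwise update the date rather than dropping the field.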
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-germany-endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-germany-endpoints.md
@@ -1,7 +1,7 @@
--- title: Office 365 endpoints for Germany
-ms.author: josephd
-author: JoeDavies-MSFT
+ms.author: kvice
+author: kelleyvice-msft
manager: laurawi ms.date: 01/04/2021 audience: ITPro
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-networking-partner-program https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-networking-partner-program.md
@@ -1,7 +1,7 @@
--- title: "Microsoft 365 Networking Partner Program"
-ms.author: josephd
-author: JoeDavies-MSFT
+ms.author: kvice
+author: kelleyvice-msft
manager: laurawi audience: ITPro ms.topic: conceptual
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-u-s-government-dod-endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-u-s-government-dod-endpoints.md
@@ -1,7 +1,7 @@
--- title: Office 365 US Government DOD endpoints
-ms.author: josephd
-author: JoeDavies-MSFT
+ms.author: kvice
+author: kelleyvice-msft
manager: laurawi ms.date: 01/04/2021 audience: ITPro
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-u-s-government-gcc-high-endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-u-s-government-gcc-high-endpoints.md
@@ -1,7 +1,7 @@
--- title: "Office 365 U.S. Government GCC High endpoints"
-ms.author: josephd
-author: JoeDavies-MSFT
+ms.author: kvice
+author: kelleyvice-msft
manager: laurawi ms.date: 01/04/2021 audience: ITPro
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/networking-roadmap-microsoft-365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/networking-roadmap-microsoft-365.md
@@ -2,8 +2,8 @@
title: "Networking roadmap for Microsoft 365" f1.keywords: - NOCSH
-ms.author: josephd
-author: JoeDavies-MSFT
+ms.author: kvice
+author: kelleyvice-msft
manager: laurawi ms.date: 08/10/2020 audience: ITPro
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges-21vianet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/urls-and-ip-address-ranges-21vianet.md
@@ -1,7 +1,7 @@
--- title: "URLs and IP address ranges for Office 365 operated by 21Vianet"
-ms.author: josephd
-author: JoeDavies-MSFT
+ms.author: kvice
+author: kelleyvice-msft
manager: laurawi ms.date: 01/04/2021 audience: ITPro
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/urls-and-ip-address-ranges.md
@@ -1,7 +1,7 @@
--- title: "Office 365 URLs and IP address ranges"
-ms.author: josephd
-author: JoeDavies-MSFT
+ms.author: kvice
+author: kelleyvice-msft
manager: laurawi ms.date: 01/04/2021 audience: Admin
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-started/conditional-access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/conditional-access.md
@@ -13,24 +13,35 @@ ms.topic: article
# Adjust settings after enrollment
-After you've completed enrollment in Microsoft Managed Desktop, you need to adjust the Microsoft Intune and Azure Active Directory (Azure AD) settings specified in this article to allow for management and maintain security. Set the following settings to exclude specific Azure AD groups that contain Microsoft Managed Desktop devices and users. For steps to exclude groups, see [Conditional Access: Users and groups](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-users-groups#exclude-users).
+After youΓÇÖve completed enrollment in Microsoft Managed Desktop, some management settings might need to be adjusted. To check and adjust if needed, follow these steps:
+
+1. Review the Microsoft Intune and Azure Active Directory settings described in the next section.
+2. If any of the items apply to your environment, make the adjustments described.
+3. If you want to double-check that all settings are correct, you can rerun the [readiness assessment tool](https://aka.ms/mmdart) to make sure nothing conflicts with Microsoft Managed Desktop.
> [!NOTE]
-> If you make any changes after enrollment to policies in Microsoft Intune, Azure Active Directory, or Microsoft 365, it's possible that Microsoft Managed Desktop could stop operating properly. To avoid problems with Microsoft Managed Desktop operations, check the specific settings described in [Fix issues found by the readiness assessment tool](../get-ready/readiness-assessment-fix.md) before you change any policies.
+> As your operations continue in following months, if you make changes after enrollment to policies in Microsoft Intune, Azure Active Directory, or Microsoft 365 that affect Microsoft Managed Desktop, it's possible that Microsoft Managed Desktop could stop operating properly. To avoid problems with the service, check the specific settings described in [Fix issues found by the readiness assessment tool](../get-ready/readiness-assessment-fix.md) before you change the policies listed there. You can also rerun the readiness assessment tool at any time.
## Microsoft Intune settings -- Autopilot deployment profile: for Autopilot profiles created by admins in your company, exclude the **Modern Workplace Devices -All** Azure AD group. For steps, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/mem/autopilot/enrollment-autopilot). Do not exclude the **Modern Workplace Devices -All** Azure AD group from any deployment policies created by Microsoft Managed Desktop that have "Modern Workplace" in the name (for example, **Modern Workplace Autopilot Profile**). -- Conditional Access policies: for conditional access policies created by admins in your company, exclude the **Modern Workplace Service Accounts** Azure AD group. For steps, see [Conditional Access: Users and groups](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-users-groups). Do not exclude the **Modern Workplace Devices -All** Azure AD group from any policies created by Microsoft Managed Desktop that have "Modern Workplace" in the name (for example, **Modern Workplace Secure Workstation**).-- Multifactor authentication: make sure any conditional access policies created by admins in your company that require multifactor authentication exclude the **Modern Workplace Service Accounts** Azure AD group. For more information, see [Conditional access policies](../get-ready/readiness-assessment-fix.md#conditional-access-policies) and [Conditional Access: Require MFA for all users](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa).-- Security baseline: for security baseline policies created by admins in your company, exclude the **Modern Workplace Devices -All** Azure AD group. For steps, see [Use security baselines to configure Windows 10 devices in Intune](https://docs.microsoft.com/mem/intune/protect/security-baselines). 
Do not exclude the **Modern Workplace Devices -All** Azure AD group from from any policies created by Microsoft Managed Desktop that have "Modern Workplace" in the name (for example, **Modern Workplace Security Baseline**).-- Windows 10 update ring: for Windows 10 update ring policies created by admins in your company, exclude the **Modern Workplace Devices -All** Azure AD group. For steps, see [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure). Do not exclude the **Modern Workplace Devices -All** Azure AD group from any policies created by Microsoft Managed Desktop that have "Modern Workplace" in the name (for example, the **Modern Workplace Update** policy).
+- Autopilot deployment profile: if you use any Autopilot policies, update each one to exclude the **Modern Workplace Devices -All** Azure AD group. To update them, in the **Excluded groups** section under **Assignments**, select the **Modern Workplace Devices -All** Azure AD group that was created during Microsoft Managed Desktop enrollment. Microsoft Managed Desktop will also have created an Autopilot profile, which will have "Modern Workplace" in the name (the **Modern Workplace Autopilot Profile**). When you update your own Autopilot profiles, make sure that you *do not* exclude the **Modern Workplace Devices -All** Azure AD group from the **Modern Workplace Autopilot Profile** that was created by Microsoft Managed Desktop.
+- Conditional Access policies: for conditional access policies you've created, exclude the **Modern Workplace Service Accounts** Azure AD group. For steps, see [Conditional Access: Users and groups](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-users-groups). Microsoft Managed Desktop will also have created some conditional access policies, all of which will have "Modern Workplace" in the name (for example, **Modern Workplace Secure Workstation**). When you update your own conditional access policies, make sure you *do not* exclude the **Modern Workplace Devices -All** Azure AD group from any policies created by Microsoft Managed Desktop.
+- Multifactor authentication: make sure any of your conditional access policies that require multifactor authentication exclude the **Modern Workplace Service Accounts** Azure AD group. For more information, see [Conditional access policies](../get-ready/readiness-assessment-fix.md#conditional-access-policies) and [Conditional Access: Require MFA for all users](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa).
+- Windows 10 update ring: for any Windows 10 update ring policies you've created, exclude the **Modern Workplace Devices -All** Azure AD group from each policy. For steps, see [Create and assign update rings](https://docs.microsoft.com/en-us/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings). Microsoft Managed Desktop will also have created some update ring policies, all of which will have "Modern Workplace" in the name (for example **Modern Workplace Update Policy [Broad]**, **Modern Workplace Update Policy [Fast]**, **Modern Workplace Update Policy [First]**, and **Modern Workplace Update Policy [Test]**). When you update your own policies, make sure that you *do not* exclude the **Modern Workplace Devices -All** Azure AD group from those that Microsoft Managed Desktop created.
## Azure Active Directory settings
-Self-service password reset: choose **Selected** setting, and then select **Modern Workplace Devices -All** Azure AD group. For more information, see [Tutorial: Enable users to unlock their account or reset passwords using Azure Active Directory self-service password reset](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-enable-sspr).
+Self-service password reset: if you use self-service password reset for all users, adjust the assignment to exclude Microsoft Managed Desktop service accounts. To adjust this assignment, create a Azure AD dynamic group for all users *except* Microsoft Managed Desktop service accounts, and then use that group for assignment instead of "all users."
+
+To help you find and exclude the service accounts, here is an example of a dynamic query you can use:
+
+```Console
+(user.objectID -ne null) and (user.userPrincipalName -ne "MSADMIN@TENANT.onmicrosoft.com") and (user.userPrincipalName -ne "MSADMININT@TENANT.onmicrosoft.com") and (user.userPrincipalName -ne "MWAAS_SOC_RO@TENANT.onmicrosoft.com") and (user.userPrincipalName -ne "MWAAS_WDGSOC@TENANT.onmicrosoft.com") and (user.userPrincipalName -ne "MSTEST@TENANT.onmicrosoft.com")
+```
+
+In this query, replace @TENANT with your tenant domain name.
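Review bot: The rewritten Intune list drops the "Security baseline" item carried by the removed text (`-- Security baseline: for security baseline policies created by admins in your company, exclude the **Modern Workplace Devices -All** Azure AD group.`) with no replacement bullet; if that exclusion is still required, re-add it, and if it is intentionally gone, say so in the commit message. Three smaller points in the same hunk: the dynamic-group rule uses `TENANT` as the placeholder but the instruction reads `+In this query, replace @TENANT with your tenant domain name.`, which invites readers to strip the `@` separator, so it should say "replace TENANT"; the fence is tagged `Console` although its content is an Azure AD dynamic membership rule rather than a console command; and `+After youΓÇÖve completed enrollment` contains a mis-encoded apostrophe, while `create a Azure AD dynamic group` should read "an Azure AD dynamic group".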
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training.md
@@ -15,11 +15,11 @@ description: "Admins can learn how to simulate phishing attacks and train their
# Simulate a phishing attack
-Attack simulator training in Microsoft Defender for Office 365 lets you run benign cyberattack simulations on your organization to test your security policies and practices, as well as train your employees to increase their awareness and decrease their susceptibility to attacks. This article walks you through creating a simulated phishing attack using attack simulator training.
+Attack simulation training in Microsoft Defender for Office 365 lets you run benign cyberattack simulations on your organization to test your security policies and practices, as well as train your employees to increase their awareness and decrease their susceptibility to attacks. This article walks you through creating a simulated phishing attack using attack simulation training.
[!INCLUDE [Prerelease information](../includes/prerelease.md)]
-To launch a simulated phishing attack, open the [Microsoft 365 security center](https://security.microsoft.com/), go to **Email & collaboration** \> **Attack simulator**, and switch to the [**Simulations**](https://security.microsoft.com/attacksimulator?viewid=simulations) tab.
+To launch a simulated phishing attack, open the [Microsoft 365 security center](https://security.microsoft.com/), go to **Email & collaboration** \> **Attack simulation training**, and switch to the [**Simulations**](https://security.microsoft.com/attacksimulator?viewid=simulations) tab.
Under **Simulations**, select **+ Launch a simulation**.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulator https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulator.md
@@ -25,7 +25,6 @@ description: "Admins can learn how to use Attack Simulator to run simulated phis
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)] - If your organization has Microsoft Defender for Office 365 Plan 2, which includes [Threat Investigation and Response capabilities](office-365-ti.md), you can use Attack Simulator in the Security & Compliance Center to run realistic attack scenarios in your organization. These simulated attacks can help you identify and find vulnerable users before a real attack impacts your bottom line. Read this article to learn more. > [!NOTE]
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/campaigns https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/campaigns.md
@@ -160,7 +160,7 @@ After you create a basic or advanced filter, you can save it by using **Save que
To export the graph or the list of campaigns, click **Export** and select **Export chart data** or **Export campaign list**.
-If you have a Microsoft Defender for Endpoint subscription, you can click **WDATP** to connect or disconnect the campaigns information with Microsoft Defender for Endpoint. For more information, see [Integrate Microsoft Defender for Office 365 with Microsoft Defender for Endpoint](integrate-office-365-ti-with-wdatp.md).
+If you have a Microsoft Defender for Endpoint subscription, you can click **MDE Settings** to connect or disconnect the campaigns information with Microsoft Defender for Endpoint. For more information, see [Integrate Microsoft Defender for Office 365 with Microsoft Defender for Endpoint](integrate-office-365-ti-with-wdatp.md).
## Campaign details
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365.md
@@ -36,9 +36,9 @@ Mail flow rules allow the most flexibility to ensure that only the right message
> [!IMPORTANT] >
-> - Be careful to closely monitor *any* exceptions that you to spam filtering using safe sender lists.
+> - Be careful to closely monitor *any* exceptions that you make to spam filtering using safe sender lists.
>
-> - While you can use safe sender lists to help with false positives (good email marked as spam), you should consider the use of safe sender lists as a temporary solution that should be avoided if possible. We don't recommend managing false positives by using safe sender lists, because exceptions to spam filtering can open your organization to spoofing and other attacks. If you insist on using safe sender lists to manage false positives, you need to be vigilant and keep the topic [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md) at the ready.
+> - While you can use safe sender lists to help with false positives (good email marked as bad), you should consider the use of safe sender lists as a temporary solution that should be avoided if possible. We don't recommend managing false positives by using safe sender lists, because exceptions to spam filtering can open your organization to spoofing and other attacks. If you insist on using safe sender lists to manage false positives, you need to be vigilant and keep the topic [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md) at the ready.
> > - To allow a domain to send unauthenticated email (bypass anti-spoofing protection) but not bypass anti-spam and anti-malware checks, you can add it to the [AllowedToSpoof safe sender list](walkthrough-spoof-intelligence-insight.md) >
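Review bot: Changing `(good email marked as spam)` to `(good email marked as bad)` makes the definition of a false positive vaguer; in a paragraph about exceptions to spam filtering, "marked as spam" (or "marked as spam or phishing") is the precise wording and should be kept. The context line `> - To allow a domain to send unauthenticated email (bypass anti-spoofing protection) but not bypass anti-spam and anti-malware checks, you can add it to the [AllowedToSpoof safe sender list](walkthrough-spoof-intelligence-insight.md)` is also missing its terminating period.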
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/security-recommendations-for-priority-accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/security-recommendations-for-priority-accounts.md
@@ -16,35 +16,47 @@ search.appverid:
ms.assetid: ms.collection: - M365-security-compliance
+- m365solution-overview
+- m365solution-protecthve
description: "Admins can learn how to elevate the security settings and use reports, alerts, and investigations for priority accounts in their Microsoft 365 organizations." --- # Security recommendations for priority accounts in Microsoft 365
-What would you do if you received an urgent message from an executive in your organization that asked you to do something? Would you do it? Most people would comply with the request.
+Not all user accounts have access to the same company information. Some accounts have access to sensitive information, such as financial data, product development information, partner access to critical build systems, and more. Accounts that have access to highly confidential information pose a serious threat if compromised. We call these types of accounts _priority accounts_. Priority accounts include CEOs, CISOs, CFOs, infrastructure admin accounts, build system accounts and more.
-For attackers, ordinary phishing attacks that cast a random net to get the credentials of random or unknown users are inefficient. On the other hand, _spear phishing_ or _whaling_ attacks that target users in positions of power or authority are much more rewarding for attackers. If these priority accounts are compromised, the attacker might gain access to accounts with admin, financial, product, or even physical access capabilities within the organization.
+For attackers, ordinary phishing attacks that cast a random net for ordinary or unknown users are inefficient. On the other hand, _spear phishing_ or _whaling_ attacks that target priority accounts are very rewarding for attackers. So, priority accounts require stronger than ordinary protection to help prevent account compromise.
-Microsoft 365 and Microsoft Defender for Office 365 contain many different features that can help you to provided additional layers of security for your priority accounts. The available features and how to use them are discussed in this article.
+Microsoft 365 and Microsoft Defender for Office 365 contain several key features that provide additional layers of security for your priority accounts. This article describes these capabilities and how to use them.
![Summary of the security recommendations in icon form](../../media/security-recommendations-for-priority-users.png)
+****
+
+|Task|All Office 365 Enterprise plans|Microsoft 365 E3|Microsoft 365 E5|
+|---|:---:|:---:|:---:|
+|[Increase sign-in security for priority accounts](#increase-sign-in-security-for-priority-accounts)|![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)|![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)|![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)|
+|[Use Strict preset security policies for priority accounts](#use-strict-preset-security-policies-for-priority-accounts)|![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)|![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)|![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)|
+|[Apply user tags to priority accounts](#apply-user-tags-to-priority-accounts)|||![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)|
+|[Monitor priority accounts in alerts, reports, and detections](#monitor-priority-accounts-in-alerts-reports-and-detections)|||![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)|
+|
+ ## Increase sign-in security for priority accounts Priority accounts require increased sign-in security. You can increase their sign-in security by requiring multi-factor authentication (MFA) and disabling legacy authentication protocols. For instructions, see [Step 1. Increase sign-in security for remote workers with MFA](https://docs.microsoft.com/microsoft-365/solutions/empower-people-to-work-remotely-secure-sign-in). Although this article is about remote workers, the same concepts apply to priority users.
-**Notes**:
--- Basic authentication is in the process of being deprecated in Exchange Online for Exchange Web Services (EWS), Exchange ActiveSync, POP3, IMAP4, and remote PowerShell. For details, see this [blog post](https://developer.microsoft.com/office/blogs/deferred-end-of-support-date-for-basic-authentication-in-exchange-online/).
+**Note**: We strongly recommend that you globally disable legacy authentication protocols for all priority users as described in the previous article. If your business requirements prevent you from doing so, Exchange Online offers the following controls to help limit the scope of legacy authentication protocols:
-- You can use [authentication policies](https://docs.microsoft.com/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online) and [Client Access Rules](https://docs.microsoft.com/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules) in Exchange Online to block Basic authentication and legacy authentication protocols like POP3, IMAP4, and authenticated SMTP.
+- You can use [authentication policies](https://docs.microsoft.com/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online) and [Client Access Rules](https://docs.microsoft.com/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules) in Exchange Online to block or allow Basic authentication and legacy authentication protocols like POP3, IMAP4, and authenticated SMTP for specific users.
- You can disable POP3 and IMAP4 access on individual mailboxes. You can disable authenticated SMTP at the organizational level and enable it on specific mailboxes that still require it. For instructions, see the following topics: - [Enable or Disable POP3 or IMAP4 access for a user](https://docs.microsoft.com/exchange/clients-and-mobile-in-exchange-online/pop3-and-imap4/enable-or-disable-pop3-or-imap4-access) - [Enable or disable authenticated client SMTP submission (SMTP AUTH)](https://docs.microsoft.com/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission)
+It's also worth noting that Basic authentication is in the process of being deprecated in Exchange Online for Exchange Web Services (EWS), Exchange ActiveSync, POP3, IMAP4, and remote PowerShell. For details, see this [blog post](https://developer.microsoft.com/office/blogs/deferred-end-of-support-date-for-basic-authentication-in-exchange-online/).
+ ## Use Strict preset security policies for priority accounts Priority users require more stringent actions for the various protections that are available in Exchange Online Protection (EOP) and Defender for Office 365.
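Review bot: The added feature table is followed by a line containing only `+|`, which Markdown renders as a stray, empty table row (or a literal pipe) beneath the table; remove that line. In `+**Note**: We strongly recommend that you globally disable legacy authentication protocols for all priority users as described in the previous article.`, "the previous article" is ambiguous on a page with several links; name the linked step ("Step 1. Increase sign-in security for remote workers with MFA") so the recommendation points at the right instructions.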