+# Microsoft 365 reports in the admin center ΓÇô Microsoft 365 Copilot usage

+| Business Chat (work) | Chat | Typing a message into the chat window or selecting a suggested prompt and submitting. | [Ask questions and get answers using Microsoft Copilot with Graph-grounded chat - Microsoft Support](https://support.microsoft.com/topic/ask-questions-and-get-answers-using-microsoft-copilot-with-graph-grounded-chat-fd8d88af-9492-48cd-8385-7e8615b42d80) |

+| Teams | Summarizing key points during meetings | Summarizing key discussion points during meeting using Copilot in Microsoft Teams. | [Get started with Copilot in Microsoft Teams meetings - Microsoft Support](https://support.microsoft.com/office/get-started-with-copilot-in-microsoft-teams-meetings-0bf9dd3c-96f7-44e2-8bb8-790bedf066b1) |

+| | Intelligent Recap | Selecting **Recap** tab in the meeting chat for Teams calendar event and viewing the AI Notes section after the meeting ends (meeting is recorded and transcribed). | [Get started with Microsoft 365 Copilot in Teams - Microsoft Support](https://support.microsoft.com/office/get-started-with-copilot-for-microsoft-365-in-teams-60c37fde-6e13-4412-8101-40bbbc711ec9) |

+> The metrics displayed in this report are powered by data that is classified as required service data. Optional diagnostic data is not required for comprehensive information, although this may change in the future. [Learn more about required service data](/DeployOffice/privacy/required-service-data).

+> [!NOTE]

+>

+> - Once extensibility is disabled in the tenant, it can take up to 24 hours for agents to disappear for users.

+> - The Microsoft pinned Visual Creator agent will still be visible even when extensibility is disabled.

+To see and manage license requests, use the **Requests** tab on the **Licensing** page in the admin center. The list shows the name of the product requested, name of the person requesting a license, date requested, and status of the request. You can filter the list to show requests that are pending or completed. Requests are held for 12 months.

+- SPO_Content

+- must-keep

+| Service | URL |

+|**Last updated:** 09/30/2024 -  [Change Log subscription](https://endpoints.office.com/version/USGOVDoD?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|**Download:** the full list in [JSON format](https://endpoints.office.com/endpoints/USGOVDoD?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|

+|**Last updated:** 09/30/2024 -  [Change Log subscription](https://endpoints.office.com/version/USGOVGCCHigh?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|**Download:** the full list in [JSON format](https://endpoints.office.com/endpoints/USGOVGCCHigh?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|

+The OneDrive iOS and Android mobile apps show you your OneDrive files and files shared with you regardless of their _Geography_ location. Searches from the OneDrive mobile apps show relevant results from all _Geography_ locations. Download the latest version of these apps.

+For more information, see [Use OneDrive on iOS](https://support.office.com/article/08d5c5b2-ccc6-40eb-a244-fe3597a3c247) and [Use OneDrive for Android](https://support.office.com/article/eee1d31c-792d-41d4-8132-f9621b39eb36) for more information.

+**Featured Links**

+Admins can configure Featured links in SharePoint home as appropriate to each _Geography_ location. This allows the admin to feature in the SP Home for each region the links that are appropriate for users in the region.

+The people picker experience shows all users regardless of their _Geography_ location. This allows a user to share with another user in their same geo or in any other of your _Tenant's_ _Geography_ locations. Content from different _Geography_ locations shows up in the **Shared with Me** view in the user's OneDrive, Word, Excel, PowerPoint, and Office.com and can be accessed with single sign-On experience regardless of which _Geography_ location it's hosted in.

+## Microsoft 365 Person experience

+The **Microsoft 365 Person** encompasses the complete set of properties, attributes and associated people contacts that are representative of a user in the Microsoft 365 tenant. The Microsoft 365 Person dataset is mastered and stored in the Primary Data Location of the user.

+There are two constituents of the Microsoft 365 Person data:

+- Microsoft 365 Profile ([profile resource type](/graph/api/resources/profile?view=graph-rest-beta&preserve-view=true)), which constitutes the information that can be viewed by other users within the tenant about the Microsoft 365 person. This includes the user's Microsoft Entra ID details along with other information like position and photo ([Get profilePhoto](https://aka.ms/profileimage)). The fields and attributes that are exposed can be controlled by the tenant admin ([Add or remove custom attributes on a profile card using the profile card API](/graph/add-properties-profilecard)).

+- My Microsoft 365 People dataset ([contact resource type](/graph/api/resources/contact?view=graph-rest-1.0&preserve-view=true)), which represents the list of the user's Microsoft 365 contacts along with the userΓÇÖs version of their contacts' Microsoft 365 profile. This edited or unedited version of another userΓÇÖs profile will always remain private in the current userΓÇÖs mailbox and won't be replicated anywhere.

+To enable discovery, rich people search, and full fidelity collaboration experiences, the Microsoft 365 profile of users in the tenant is replicated across geos when a Multi-Geo tenant is first set up (for instance, to provide the Global Address List) and in response to user actions. Examples of user actions include direct and indirect interactions with one or more users in the tenant via activities like joining the Organization, creating and\or joining Teams meetings, sharing and\or co-editing files, profile card lookup, and adding of contacts as described in [Add, find, edit, or delete a contact in Outlook](https://support.microsoft.com/office/add-find-edit-or-delete-a-contact-in-outlook-e1dc4548-3bd6-4644-aecd-47b5728f7b0d#:~:text=information%20any%20time.-,Select%20the%20contact%20from%20the%20list%2C%20then%20select%20Edit%20contact,and%20begin%20adding%20more%20information.&text=someone's%20profile%20card-,In%20Mail%2C%20open%20an%20email%20message%20in%20the%20reading%20pane,card%2C%20select%20Add%20to%20contacts.). The replicated Microsoft 365 profiles of other users from an interaction\collaboration are stored in the Microsoft 365 People dataset of the target user shard.

+```powershell

+Set-SPOSite -Identity <siteURL> -RestrictedToGeo <restriction>

+```

+```powershell

+Set-SPOSite -Identity https://contoso.sharepoint.com/sites/RegionRestrictedTeamSite -RestrictedToGeo BlockFull

+```

+**Last updated:** 09/30/2024 -  [Change Log subscription](https://endpoints.office.com/version/China?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)

+|**Last updated:** 09/30/2024 - |

+<!--Please contact the Office 365 Endpoints team with any questions.-->

+<!--China endpoints version 2024093000-->

+<!--File generated 2024-09-30 06:04:21.0424-->

+ID | Category | ER | Addresses | Ports

+-- | -- | -- | -- |

+1 | Optimize<BR>Required | No | `partner.outlook.cn`<BR>`40.73.132.0/24, 40.73.164.128/25, 40.73.165.0/26, 42.159.40.0/24, 42.159.44.0/22, 42.159.163.128/25, 42.159.165.0/24, 42.159.172.0/22, 2406:e500:4010::/48, 2406:e500:4030::/53, 2406:e500:4030:800::/54, 2406:e500:4040::/53, 2406:e500:4040:800::/54, 2406:e500:4040:1000::/54, 2406:e500:4040:1400::/54, 2406:e500:4110::/48, 2406:e500:4210::/48, 2406:e500:4310::/48` | **TCP:** 443, 80

+2 | Allow<BR>Required | No | `*.protection.partner.outlook.cn`<BR>`42.159.33.192/27, 42.159.36.0/24, 42.159.161.192/27, 42.159.164.0/24, 139.219.16.0/27, 139.219.17.0/24, 139.219.24.0/22, 139.219.145.0/27, 139.219.146.0/24, 139.219.156.0/22, 2406:e500:4420::/43, 2406:e500:4440::/43, 2406:e500:c020::/44, 2406:e500:c120::/44` | **TCP:** 25, 443, 53, 80

+12 | Default<BR>Required | No | `*.partner.outlook.cn, attachments.office365-net.cn` | **TCP:** 443, 80

+20 | Allow<BR>Required | No | `*.partner.outlook.cn`<BR>`40.73.132.0/24, 40.73.164.128/25, 40.73.165.0/26, 42.159.40.0/24, 42.159.44.0/22, 42.159.163.128/25, 42.159.165.0/24, 42.159.172.0/22, 2406:e500:4010::/48, 2406:e500:4030::/53, 2406:e500:4030:800::/54, 2406:e500:4040::/53, 2406:e500:4040:800::/54, 2406:e500:4040:1000::/54, 2406:e500:4040:1400::/54, 2406:e500:4110::/48, 2406:e500:4210::/48, 2406:e500:4310::/48` | **TCP:** 587, 993, 995

+ID | Category | ER | Addresses | Ports

+-- | - | -- | | -

+4 | Allow<BR>Required | No | `*.sharepoint.cn`<BR>`40.73.129.0/24, 40.73.161.0/24, 42.159.38.0/23, 2406:e500:4600::/39` | **TCP:** 443, 80

+21 | Default<BR>Required | No | `*.wns.windows.com` | **TCP:** 443, 80

+ID | Category | ER | Addresses | Ports

+-- | -- | -- | - | -

+3 | Optimize<BR>Required | No | `42.159.34.32/27, 42.159.34.64/27, 42.159.34.96/28, 42.159.162.32/27, 42.159.162.64/27, 42.159.162.96/28, 159.27.160.0/21, 2406:e500:4a00::/39` | **UDP:** 3479, 3480, 3481, 3478

+19 | Allow<BR>Required | No | `*.partner.lync.cn, *.teams.microsoftonline.cn, teams.microsoftonline.cn`<BR>`40.72.124.128/28, 42.159.34.32/27, 42.159.34.64/27, 42.159.34.96/28, 42.159.162.32/27, 42.159.162.64/27, 42.159.162.96/28, 159.27.160.0/21, 2406:e500:4a00::/39` | **TCP:** 443, 80

+ID | Category | ER | Addresses | Ports

+-- | | -- | -- | -

+7 | Allow<BR>Required | No | `*.azure-mobile.cn, *.chinacloud-mobile.cn, *.chinacloudapi.cn, *.chinacloudapp.cn, *.chinacloudsites.cn, *.partner.microsoftonline-m-i.net.cn, *.partner.microsoftonline-m.net.cn, *.partner.microsoftonline-p.net.cn, *.partner.officewebapps.cn, *.windowsazure.cn, portal.partner.microsoftonline.cdnsvc.com, r4.partner.outlook.cn`<BR>`23.236.126.0/24, 40.73.240.0/24, 40.73.242.0/24, 58.68.168.0/24, 112.25.33.0/24, 123.150.49.0/24, 125.65.247.0/24, 171.107.84.0/24, 180.210.232.0/24, 180.210.234.0/24, 209.177.86.0/24, 209.177.90.0/24, 209.177.94.0/24, 222.161.226.0/24, 2406:e500:4900::/48` | **TCP:** 443, 80

+8 | Allow<BR>Required | No | `*.onmschina.cn, *.partner.microsoftonline-i.net.cn, *.partner.microsoftonline.net.cn`<BR>`101.28.252.0/24, 115.231.150.0/24, 123.235.32.0/24, 171.111.154.0/24, 175.6.10.0/24, 180.210.229.0/24, 211.90.28.0/24` | **TCP:** 443, 80

+9 | Allow<BR>Required | No | `*.partner.microsoftonline-p.cn`<BR>`182.50.87.0/24` | **TCP:** 443, 80

+10 | Allow<BR>Required | No | `*.partner.microsoftonline.cn`<BR>`103.9.8.0/22` | **TCP:** 443, 80

+11 | Default<BR>Required | No | `activation.sls.microsoft.com, crl.microsoft.com, odc.officeapps.live.com, officecdn.microsoft.com, officeclient.microsoft.com` | **TCP:** 443, 80

+13 | Default<BR>Required | No | `*.msauth.cn, *.msauthimages.cn, *.msftauth.cn, *.msftauthimages.cn, login.microsoftonline.com` | **TCP:** 443, 80

+15 | Default<BR>Required | No | `loki.office365.cn` | **TCP:** 443

+16 | Default<BR>Required | No | `*.cdn.office.net, shellprod.msocdn.com` | **TCP:** 443

+17 | Allow<BR>Required | No | `*.auth.microsoft.cn, login.partner.microsoftonline.cn, microsoftgraph.chinacloudapi.cn`<BR>`40.72.70.0/23, 52.130.2.32/27, 52.130.3.64/27, 52.130.17.192/27, 52.130.18.32/27, 2406:e500:5500::/48` | **TCP:** 443, 80

+18 | Default<BR>Optional<BR>**Notes:** If using Exchange Online, follow Allow category guidance for *.protection.partner.outlook.cn | No | `*.aadrm.cn, *.protection.partner.outlook.cn` | **TCP:** 443

+22 | Default<BR>Required | No | `*.partner.office365.cn` | **TCP:** 443, 80

+23 | Default<BR>Required | No | `*.microsoftonline.cn` | **TCP:** 443, 80

+25 | Default<BR>Required | No | `purview.microsoftonline.cn` | **TCP:** 443

+<!--Please contact the Office 365 Endpoints team with any questions.-->

+<!--USGovDoD endpoints version 2024093000-->

+<!--File generated 2024-09-30 06:04:23.1217-->

+ID | Category | ER | Addresses | Ports

+-- | -- | | | -

+1 | Optimize<BR>Required | Yes | `outlook-dod.office365.us, webmail.apps.mil`<BR>`20.35.192.0/20, 40.66.24.0/21, 2001:489a:2200:500::/56, 2001:489a:2200:700::/56` | **TCP:** 443, 80

+4 | Default<BR>Required | Yes | `outlook-dod.office365.us, webmail.apps.mil` | **TCP:** 143, 25, 587, 993, 995

+5 | Default<BR>Required | Yes | `attachments-dod.office365-net.us, autodiscover-s-dod.office365.us, autodiscover.<tenant>.mail.onmicrosoft.com, autodiscover.<tenant>.mail.onmicrosoft.us, autodiscover.<tenant>.onmicrosoft.com, autodiscover.<tenant>.onmicrosoft.us` | **TCP:** 443, 80

+6 | Allow<BR>Required | Yes | `*.protection.apps.mil, *.protection.office365.us`<BR>`23.103.191.0/24, 23.103.199.0/25, 23.103.204.0/22, 2001:489a:2202::/62, 2001:489a:2202:8::/62, 2001:489a:2202:2000::/63` | **TCP:** 25, 443

+34 | Default<BR>Required | No | `admin.exchange.apps.mil` | **TCP:** 443

+ID | Category | ER | Addresses | Ports

+-- | -- | | -- | -

+9 | Optimize<BR>Required | Yes | `*.dps.mil, *.sharepoint-mil.us`<BR>`20.34.12.0/22, 2001:489a:2204:902::/63, 2001:489a:2204:c00::/63` | **TCP:** 443, 80

+10 | Default<BR>Required | No | `*.wns.windows.com, g.live.com, oneclient.sfx.ms` | **TCP:** 443, 80

+19 | Allow<BR>Required | Yes | `*.od.apps.mil, od.apps.mil` | **TCP:** 443, 80

+20 | Default<BR>Required | No | `*.svc.ms, az741266.vo.msecnd.net, spoprod-a.akamaihd.net, static.sharepointonline.com` | **TCP:** 443, 80

+ID | Category | ER | Addresses | Ports

+-- | -- | | - | --

+7 | Optimize<BR>Required | Yes | `*.dod.teams.microsoft.us, *.online.dod.skypeforbusiness.us, dod.teams.microsoft.us`<BR>`13.72.128.0/20, 52.127.64.0/21, 104.212.32.0/22, 195.134.240.0/22, 2001:489a:2250::/44` | **TCP:** 443<BR>**UDP:** 3478, 3479, 3480, 3481

+21 | Default<BR>Required | No | `dodteamsapuiwebcontent.blob.core.usgovcloudapi.net, msteamsstatics.blob.core.usgovcloudapi.net, statics.teams.microsoft.com` | **TCP:** 443

+22 | Allow<BR>Required | Yes | `endpoint1-proddodcecompsvc-dodc.streaming.media.usgovcloudapi.net, endpoint1-proddodeacompsvc-dode.streaming.media.usgovcloudapi.net`<BR>`52.181.167.113/32, 52.182.52.226/32, 2001:489a:2250::/44` | **TCP:** 443

+ID | Category | ER | Addresses | Ports

+-- | - | | - | -

+11 | Allow<BR>Required | Yes | `*.dod.online.office365.us`<BR>`52.127.80.0/23, 2001:489a:2208:8000::/49` | **TCP:** 443

+12 | Default<BR>Required | No | `*.office365.us` | **TCP:** 443, 80

+13 | Allow<BR>Required | Yes | `*.auth.microsoft.us, *.gov.us.microsoftonline.com, dod-graph.microsoft.us, graph.microsoftazure.us, login.microsoftonline.us`<BR>`20.140.232.0/23, 52.126.194.0/23, 2001:489a:3500::/50` | **TCP:** 443

+14 | Default<BR>Required | No | `*.msauth.net, *.msauthimages.us, *.msftauth.net, *.msftauthimages.us, clientconfig.microsoftonline-p.net, graph.windows.net, login-us.microsoftonline.com, login.microsoftonline-p.com, login.microsoftonline.com, login.windows.net, loginex.microsoftonline.com, mscrl.microsoft.com, nexus.microsoftonline-p.com, secure.aadcdn.microsoftonline-p.com` | **TCP:** 443

+15 | Allow<BR>Required | Yes | `portal.apps.mil, reports.apps.mil, webshell.dodsuite.office365.us, www.ohome.apps.mil`<BR>`52.127.72.42/32, 52.127.76.42/32, 52.180.251.166/32, 52.181.24.112/32, 52.181.160.113/32, 52.182.24.200/32, 52.182.54.237/32` | **TCP:** 443

+16 | Allow<BR>Required | Yes | `*.osi.apps.mil, dod.loki.office365.us`<BR>`52.127.72.0/21, 2001:489a:2206::/48` | **TCP:** 443

+17 | Default<BR>Required | No | `activation.sls.microsoft.com, crl.microsoft.com, go.microsoft.com, insertmedia.bing.office.net, ocsa.officeapps.live.com, ocsredir.officeapps.live.com, ocws.officeapps.live.com, office15client.microsoft.com, officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net, officepreviewredir.microsoft.com, officeredir.microsoft.com, ols.officeapps.live.com, r.office.microsoft.com` | **TCP:** 443, 80

+18 | Default<BR>Required | No | `cdn.odc.officeapps.live.com, mrodevicemgr.officeapps.live.com, odc.officeapps.live.com, officeclient.microsoft.com` | **TCP:** 443, 80

+24 | Default<BR>Required | No | `lpcres.delve.office.com` | **TCP:** 443

+25 | Default<BR>Required | No | `*.cdn.office.net` | **TCP:** 443

+26 | Allow<BR>Required | Yes | `*.security.apps.mil, compliance.apps.mil, purview.apps.mil, scc.protection.apps.mil, security.apps.mil`<BR>`23.103.204.0/22, 52.127.72.0/21` | **TCP:** 443, 80

+28 | Default<BR>Required | No | `activity.windows.com, dod.activity.windows.us` | **TCP:** 443

+29 | Default<BR>Required | No | `dod-mtis.cortana.ai` | **TCP:** 443

+30 | Default<BR>Required | No | `*.aadrm.us, *.informationprotection.azure.us` | **TCP:** 443

+31 | Default<BR>Required | No | `pf.events.data.microsoft.com, pf.pipe.aria.microsoft.com` | **TCP:** 443, 80

+32 | Default<BR>Required | No | `config.apps.mil` | **TCP:** 443

+<!--Please contact the Office 365 Endpoints team with any questions.-->

+<!--USGovGCCHigh endpoints version 2024093000-->

+<!--File generated 2024-09-30 06:04:19.2942-->

+ID | Category | ER | Addresses | Ports

+-- | -- | | - | -

+1 | Optimize<BR>Required | Yes | `outlook.office365.us`<BR>`20.35.208.0/20, 20.35.240.0/21, 40.66.16.0/21, 2001:489a:2200:100::/56, 2001:489a:2200:400::/56, 2001:489a:2200:600::/56` | **TCP:** 443, 80

+4 | Default<BR>Required | Yes | `attachments.office365-net.us, autodiscover-s.office365.us, autodiscover.<tenant>.mail.onmicrosoft.com, autodiscover.<tenant>.mail.onmicrosoft.us, autodiscover.<tenant>.onmicrosoft.com, autodiscover.<tenant>.onmicrosoft.us` | **TCP:** 443, 80

+5 | Default<BR>Required | Yes | `outlook.office365.us` | **TCP:** 143, 25, 587, 993, 995

+6 | Allow<BR>Required | Yes | `*.manage.office365.us, *.protection.office365.us, *.scc.office365.us, manage.office365.us, scc.office365.us`<BR>`23.103.191.0/24, 23.103.199.128/25, 23.103.208.0/22, 52.227.182.149/32, 52.238.74.212/32, 52.244.65.13/32, 2001:489a:2202:4::/62, 2001:489a:2202:c::/62, 2001:489a:2202:2000::/63` | **TCP:** 25, 443

+ID | Category | ER | Addresses | Ports

+-- | -- | | | -

+9 | Optimize<BR>Required | Yes | `*.sharepoint.us`<BR>`20.34.8.0/22, 2001:489a:2204:800::/63, 2001:489a:2204:900::/63` | **TCP:** 443, 80

+10 | Default<BR>Required | No | `*.wns.windows.com, admin.onedrive.us, g.live.com, oneclient.sfx.ms` | **TCP:** 443, 80

+20 | Default<BR>Required | No | `*.svc.ms, az741266.vo.msecnd.net, spoprod-a.akamaihd.net, static.sharepointonline.com` | **TCP:** 443, 80

+ID | Category | ER | Addresses | Ports

+-- | -- | | - | -

+7 | Optimize<BR>Required | Yes | `13.72.144.0/20, 52.127.88.0/21, 104.212.44.0/22, 2001:489a:2240::/44` | **UDP:** 3478, 3479, 3480, 3481

+21 | Default<BR>Required | No | `msteamsstatics.blob.core.usgovcloudapi.net, statics.teams.microsoft.com, teamsapuiwebcontent.blob.core.usgovcloudapi.net` | **TCP:** 443

+31 | Allow<BR>Required | Yes | `*.gov.teams.microsoft.us, gov.teams.microsoft.us`<BR>`13.72.144.0/20, 52.127.88.0/21, 104.212.44.0/22, 2001:489a:2240::/44` | **TCP:** 443, 80

+ID | Category | ER | Addresses | Ports

+-- | - | | -- | -

+11 | Allow<BR>Required | Yes | `*.gov.online.office365.us`<BR>`52.127.37.0/24, 52.127.82.0/23, 2001:489a:2208::/49` | **TCP:** 443

+13 | Allow<BR>Required | Yes | `*.auth.microsoft.us, *.gov.us.microsoftonline.com, graph.microsoft.us, graph.microsoftazure.us, login.microsoftonline.us`<BR>`20.140.232.0/23, 52.126.194.0/23, 2001:489a:3500::/50` | **TCP:** 443

+14 | Default<BR>Required | No | `*.msauth.net, *.msauthimages.us, *.msftauth.net, *.msftauthimages.us, clientconfig.microsoftonline-p.net, graph.windows.net, login-us.microsoftonline.com, login.microsoftonline-p.com, login.microsoftonline.com, login.windows.net, loginex.microsoftonline.com, mscrl.microsoft.com, nexus.microsoftonline-p.com, secure.aadcdn.microsoftonline-p.com` | **TCP:** 443

+15 | Default<BR>Required | No | `officehome.msocdn.us, prod.msocdn.us` | **TCP:** 443, 80

+16 | Allow<BR>Required | Yes | `www.office365.us`<BR>`52.227.170.242/32` | **TCP:** 443, 80

+17 | Allow<BR>Required | Yes | `*.osi.office365.us, gcchigh.loki.office365.us, tasks.office365.us`<BR>`52.127.240.0/20, 2001:489a:2206::/48` | **TCP:** 443

+18 | Default<BR>Required | No | `*.office.delivery.microsoft.com, activation.sls.microsoft.com, crl.microsoft.com, go.microsoft.com, insertmedia.bing.office.net, mrodevicemgr.officeapps.live.com, ocsa.officeapps.live.com, ocsredir.officeapps.live.com, ocws.officeapps.live.com, office15client.microsoft.com, officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net, officepreviewredir.microsoft.com, officeredir.microsoft.com, ols.officeapps.live.com, r.office.microsoft.com` | **TCP:** 443, 80

+19 | Default<BR>Required | No | `cdn.odc.officeapps.live.com, odc.officeapps.live.com, officeclient.microsoft.com` | **TCP:** 443, 80

+23 | Default<BR>Required | No | `*.office365.us` | **TCP:** 443, 80

+24 | Default<BR>Required | No | `lpcres.delve.office.com` | **TCP:** 443

+25 | Default<BR>Required | No | `*.cdn.office.net` | **TCP:** 443, 80

+26 | Allow<BR>Required | Yes | `*.security.microsoft.us, compliance.microsoft.us, purview.microsoft.us, scc.office365.us, security.microsoft.us`<BR>`20.158.112.0/21, 52.127.240.0/20, 2001:489a:2209::/49` | **TCP:** 443, 80

+28 | Default<BR>Required | No | `activity.windows.com, gcc-high.activity.windows.us` | **TCP:** 443

+29 | Default<BR>Required | No | `gcch-mtis.cortana.ai` | **TCP:** 443

+30 | Default<BR>Required | No | `*.aadrm.us, *.informationprotection.azure.us` | **TCP:** 443

+32 | Default<BR>Required | No | `tb.events.data.microsoft.com, tb.pipe.aria.microsoft.com` | **TCP:** 443, 80

+<!--Please contact the Office 365 Endpoints team with any questions.-->

+<!--Worldwide endpoints version 2024093000-->

+<!--File generated 2024-09-30 06:04:22.0404-->

+ID | Category | ER | Addresses | Ports

+-- | - | | - | --

+1 | Optimize<BR>Required | Yes | `outlook.cloud.microsoft, outlook.office.com, outlook.office365.com`<BR>`13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128` | **TCP:** 443, 80<BR>**UDP:** 443

+2 | Allow<BR>Optional<BR>**Notes:** POP3, IMAP4, SMTP Client traffic | Yes | `outlook.office365.com, smtp.office365.com`<BR>`13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128` | **TCP:** 587, 993, 995, 143

+8 | Default<BR>Required | No | `*.outlook.com, autodiscover.<tenant>.onmicrosoft.com` | **TCP:** 443, 80

+9 | Allow<BR>Required | Yes | `*.protection.outlook.com`<BR>`40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 52.238.78.88/32, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48` | **TCP:** 443

+10 | Allow<BR>Required | Yes | `*.mail.protection.outlook.com, *.mx.microsoft`<BR>`40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48` | **TCP:** 25

+ID | Category | ER | Addresses | Ports

+-- | -- | | -- | -

+31 | Optimize<BR>Required | Yes | `*.sharepoint.com`<BR>`13.107.136.0/22, 40.108.128.0/17, 52.104.0.0/14, 104.146.128.0/17, 150.171.40.0/22, 2603:1061:1300::/40, 2620:1ec:8f8::/46, 2620:1ec:908::/46, 2a01:111:f402::/48` | **TCP:** 443, 80

+32 | Default<BR>Optional<BR>**Notes:** OneDrive for Business: supportability, telemetry, APIs, and embedded email links | No | `ssw.live.com, storage.live.com` | **TCP:** 443

+33 | Default<BR>Optional<BR>**Notes:** SharePoint Hybrid Search - Endpoint to SearchContentService where the hybrid crawler feeds documents | No | `*.search.production.apac.trafficmanager.net, *.search.production.emea.trafficmanager.net, *.search.production.us.trafficmanager.net` | **TCP:** 443

+35 | Default<BR>Required | No | `*.wns.windows.com, admin.onedrive.com, officeclient.microsoft.com` | **TCP:** 443, 80

+36 | Default<BR>Required | No | `g.live.com, oneclient.sfx.ms` | **TCP:** 443, 80

+37 | Default<BR>Required | No | `*.sharepointonline.com, spoprod-a.akamaihd.net` | **TCP:** 443, 80

+39 | Default<BR>Required | No | `*.svc.ms` | **TCP:** 443, 80

+ID | Category | ER | Addresses | Ports

+ | - | | | -

+11 | Optimize<BR>Required | Yes | `52.112.0.0/14, 52.122.0.0/15, 2603:1063::/38` | **UDP:** 3478, 3479, 3480, 3481

+12 | Allow<BR>Required | Yes | `*.lync.com, *.teams.cloud.microsoft, *.teams.microsoft.com, teams.cloud.microsoft, teams.microsoft.com`<BR>`52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/38, 2620:1ec:6::/48, 2620:1ec:40::/42` | **TCP:** 443, 80

+16 | Default<BR>Required | No | `*.keydelivery.mediaservices.windows.net, *.streaming.mediaservices.windows.net, mlccdn.blob.core.windows.net` | **TCP:** 443

+17 | Default<BR>Required | No | `aka.ms` | **TCP:** 443

+18 | Default<BR>Optional<BR>**Notes:** Federation with Skype and public IM connectivity: Contact picture retrieval | No | `*.users.storage.live.com` | **TCP:** 443

+19 | Default<BR>Optional<BR>**Notes:** Applies only to those who deploy the Conference Room Systems | No | `adl.windows.com` | **TCP:** 443, 80

+27 | Default<BR>Required | No | `*.secure.skypeassets.com, mlccdnprod.azureedge.net` | **TCP:** 443

+127 | Default<BR>Required | No | `*.skype.com` | **TCP:** 443, 80

+180 | Default<BR>Required | No | `compass-ssl.microsoft.com` | **TCP:** 443

+ID | Category | ER | Addresses | Ports

+ | | | -- | -

+46 | Allow<BR>Required | Yes | `*.officeapps.live.com, *.online.office.com, office.live.com`<BR>`13.107.6.171/32, 13.107.18.15/32, 13.107.140.6/32, 52.108.0.0/14, 52.244.37.168/32, 2603:1006:1400::/40, 2603:1016:2400::/40, 2603:1026:2400::/40, 2603:1036:2400::/40, 2603:1046:1400::/40, 2603:1056:1400::/40, 2603:1063:2000::/38, 2620:1ec:c::15/128, 2620:1ec:8fc::6/128, 2620:1ec:a92::171/128, 2a01:111:f100:2000::a83e:3019/128, 2a01:111:f100:2002::8975:2d79/128, 2a01:111:f100:2002::8975:2da8/128, 2a01:111:f100:7000::6fdd:6cd5/128, 2a01:111:f100:a004::bfeb:88cf/128` | **TCP:** 443, 80

+47 | Default<BR>Required | No | `*.office.net` | **TCP:** 443, 80

+49 | Default<BR>Required | No | `*.onenote.com` | **TCP:** 443

+50 | Default<BR>Optional<BR>**Notes:** OneNote notebooks (wildcards) | No | `*.microsoft.com` | **TCP:** 443

+51 | Default<BR>Required | No | `*cdn.onenote.net` | **TCP:** 443

+53 | Default<BR>Required | No | `ajax.aspnetcdn.com, apis.live.net, officeapps.live.com, www.onedrive.com` | **TCP:** 443

+56 | Allow<BR>Required | Yes | `*.auth.microsoft.com, *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, ccs.login.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login-us.microsoftonline.com, login.microsoft.com, login.microsoftonline-p.com, login.microsoftonline.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com`<BR>`20.20.32.0/19, 20.190.128.0/18, 20.231.128.0/19, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48` | **TCP:** 443, 80

+59 | Default<BR>Required | No | `*.hip.live.com, *.microsoftonline-p.com, *.microsoftonline.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, policykeyservice.dc.ad.msft.net` | **TCP:** 443, 80

+64 | Allow<BR>Required | Yes | `*.protection.office.com, *.security.microsoft.com, compliance.microsoft.com, defender.microsoft.com, protection.office.com, purview.microsoft.com, security.microsoft.com`<BR>`13.107.6.192/32, 13.107.9.192/32, 2620:1ec:4::192/128, 2620:1ec:a92::192/128` | **TCP:** 443

+66 | Default<BR>Required | No | `*.portal.cloudappsecurity.com` | **TCP:** 443

+68 | Default<BR>Optional<BR>**Notes:** Portal and shared: 3rd party office integration. (including CDNs) | No | `firstpartyapps.oaspapps.com, prod.firstpartyapps.oaspapps.com.akadns.net, telemetryservice.firstpartyapps.oaspapps.com, wus-firstpartyapps.oaspapps.com` | **TCP:** 443

+69 | Default<BR>Required | No | `*.aria.microsoft.com, *.events.data.microsoft.com` | **TCP:** 443

+70 | Default<BR>Required | No | `*.o365weve.com, amp.azure.net, appsforoffice.microsoft.com, assets.onestore.ms, auth.gfx.ms, c1.microsoft.com, dgps.support.microsoft.com, docs.microsoft.com, msdn.microsoft.com, platform.linkedin.com, prod.msocdn.com, shellprod.msocdn.com, support.microsoft.com, technet.microsoft.com` | **TCP:** 443

+71 | Default<BR>Required | No | `*.office365.com` | **TCP:** 443, 80

+73 | Default<BR>Required | No | `*.aadrm.com, *.azurerms.com, *.informationprotection.azure.com, ecn.dev.virtualearth.net, informationprotection.hosting.portal.azure.net` | **TCP:** 443

+75 | Default<BR>Optional<BR>**Notes:** Graph.windows.net, Office 365 Management Pack for Operations Manager, SecureScore, Azure AD Device Registration, Forms, StaffHub, Application Insights, captcha services | No | `*.sharepointonline.com, dc.services.visualstudio.com, mem.gfx.ms, staffhub.ms, staffhubweb.azureedge.net` | **TCP:** 443

+78 | Default<BR>Optional<BR>**Notes:** Some Office 365 features require endpoints within these domains (including CDNs). Many specific FQDNs within these wildcards have been published recently as we work to either remove or better explain our guidance relating to these wildcards. | No | `*.microsoft.com, *.msocdn.com, *.onmicrosoft.com` | **TCP:** 443, 80

+79 | Default<BR>Required | No | `o15.officeredir.microsoft.com, officepreviewredir.microsoft.com, officeredir.microsoft.com, r.office.microsoft.com` | **TCP:** 443, 80

+83 | Default<BR>Required | No | `activation.sls.microsoft.com` | **TCP:** 443

+84 | Default<BR>Required | No | `crl.microsoft.com` | **TCP:** 443, 80

+86 | Default<BR>Required | No | `office15client.microsoft.com, officeclient.microsoft.com` | **TCP:** 443

+89 | Default<BR>Required | No | `go.microsoft.com` | **TCP:** 443, 80

+91 | Default<BR>Required | No | `ajax.aspnetcdn.com, cdn.odc.officeapps.live.com` | **TCP:** 443, 80

+92 | Default<BR>Required | No | `officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net, otelrules.azureedge.net` | **TCP:** 443, 80

+93 | Default<BR>Optional<BR>**Notes:** ProPlus: auxiliary URLs | No | `*.virtualearth.net, c.bing.net, ocos-office365-s2s.msedge.net, tse1.mm.bing.net, www.bing.com` | **TCP:** 443, 80

+95 | Default<BR>Optional<BR>**Notes:** Outlook for Android and iOS | No | `*.acompli.net, *.outlookmobile.com` | **TCP:** 443

+96 | Default<BR>Optional<BR>**Notes:** Outlook for Android and iOS: Authentication | No | `login.windows-ppe.net` | **TCP:** 443

+97 | Default<BR>Optional<BR>**Notes:** Outlook for Android and iOS: Consumer Outlook.com and OneDrive integration | No | `account.live.com, login.live.com` | **TCP:** 443

+105 | Default<BR>Optional<BR>**Notes:** Outlook for Android and iOS: Outlook Privacy | No | `www.acompli.com` | **TCP:** 443

+114 | Default<BR>Optional<BR>**Notes:** Office Mobile URLs | No | `*.appex-rf.msn.com, *.appex.bing.com, c.bing.com, c.live.com, d.docs.live.net, docs.live.net, partnerservices.getmicrosoftkey.com, signup.live.com` | **TCP:** 443, 80

+116 | Default<BR>Optional<BR>**Notes:** Office for iPad URLs | No | `account.live.com, auth.gfx.ms, login.live.com` | **TCP:** 443, 80

+117 | Default<BR>Optional<BR>**Notes:** Yammer | No | `*.yammer.com, *.yammerusercontent.com` | **TCP:** 443

+118 | Default<BR>Optional<BR>**Notes:** Yammer CDN | No | `*.assets-yammer.com` | **TCP:** 443

+121 | Default<BR>Optional<BR>**Notes:** Planner: auxiliary URLs | No | `www.outlook.com` | **TCP:** 443, 80

+122 | Default<BR>Optional<BR>**Notes:** Sway CDNs | No | `eus-www.sway-cdn.com, eus-www.sway-extensions.com, wus-www.sway-cdn.com, wus-www.sway-extensions.com` | **TCP:** 443

+124 | Default<BR>Optional<BR>**Notes:** Sway | No | `sway.com, www.sway.com` | **TCP:** 443

+125 | Default<BR>Required | No | `*.entrust.net, *.geotrust.com, *.omniroot.com, *.public-trust.com, *.symcb.com, *.symcd.com, *.verisign.com, *.verisign.net, apps.identrust.com, cacerts.digicert.com, cert.int-x3.letsencrypt.org, crl.globalsign.com, crl.globalsign.net, crl.identrust.com, crl3.digicert.com, crl4.digicert.com, isrg.trustid.ocsp.identrust.com, mscrl.microsoft.com, ocsp.digicert.com, ocsp.globalsign.com, ocsp.msocsp.com, ocsp2.globalsign.com, ocspx.digicert.com, secure.globalsign.com, www.digicert.com, www.microsoft.com` | **TCP:** 443, 80

+126 | Default<BR>Optional<BR>**Notes:** Connection to the speech service is required for Office Dictation features. If connectivity is not allowed, Dictation will be disabled. | No | `officespeech.platform.bing.com` | **TCP:** 443

+147 | Default<BR>Required | No | `*.office.com, www.microsoft365.com` | **TCP:** 443, 80

+152 | Default<BR>Optional<BR>**Notes:** These endpoints enable the Office Scripts functionality in Office clients available through the Automate tab and the Python in Excel functionality available through the Formulas tab. The Office Scripts feature can also be disabled through the Office 365 Admin portal. For admin controls related to Python in Excel, see [Data security and Python in Excel](https://support.microsoft.com/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327). | No | `*.microsoftusercontent.com` | **TCP:** 443

+153 | Default<BR>Required | No | `*.azure-apim.net, *.flow.microsoft.com, *.powerapps.com, *.powerautomate.com` | **TCP:** 443

+156 | Default<BR>Required | No | `*.activity.windows.com, activity.windows.com` | **TCP:** 443

+158 | Default<BR>Required | No | `*.cortana.ai` | **TCP:** 443

+159 | Default<BR>Required | No | `admin.microsoft.com` | **TCP:** 443, 80

+160 | Default<BR>Required | No | `cdn.odc.officeapps.live.com, cdn.uci.officeapps.live.com` | **TCP:** 443, 80

+184 | Default<BR>Required | No | `*.cloud.microsoft, *.static.microsoft, *.usercontent.microsoft` | **TCP:** 443, 80

+ Title: "Overview of the Delegated access page in Microsoft 365 Lighthouse"

+# Overview of the Delegated access page in Microsoft 365 Lighthouse

+Microsoft 365 Lighthouse provides delegated relationship insights across all your customer tenants in a single view. You can create and manage Granular Delegated Administrative Privileges (GDAP) relationships from the Delegated access page. Data is available for any customer tenant in Lighthouse, regardless of the customers' licensing, user count, or geographic region. To access these insights, select **Permissions** > **Delegated access** in the left navigation pane in [Lighthouse](https://lighthouse.microsoft.com).

+## Role requirements

+The following table outlines the role or roles that you must hold to manage GDAP relationships from the Delegated access page.

+| | Admin Agent<br>in Partner Center | Groups Administrator<br>in Microsoft Entra&nbsp;ID | User Administrator<br>in Microsoft Entra&nbsp;ID | Privileged Role Administrator<br>in Microsoft Entra&nbsp;ID |

+|--|:--:|:--:|:--:|:--:|

+| **View data on the Delegated access page** | &check; | | | |

+| **Create and edit Lighthouse GDAP templates** | | &check; | &check; | |

+| **Assign Lighthouse GDAP templates to customer tenants** | &check; | | | |

+| **Set up Just-in-Time (JIT) access** | | | | &check; |

+## GDAP templates tab

+From the GDAP templates tab, you can view, create, delete, and assign GDAP templates to customer tenants. The GDAP templates tab provides the following information:

+- **Name:** The name of the GDAP template.

+- **Support roles:** The name of the Lighthouse support roles associated with each template.

+- **Assigned tenants:** The number of customer tenants that the GDAP template is assigned to.

+Select a GDAP template from the list to open the edit pane, where you can update the name, description, support roles, and security groups for the template.

+To assign tenants to a GDAP template or delete a GDAP template, select the three dots (more actions) next to the template name.

+The GDAP templates tab also includes the following options:

+- **Export:** Select to export GDAP template data to an Excel comma-separated values (.csv) file.

+- **Refresh:** Select to retrieve the most current GDAP template data.

+- **Search:** Enter keywords to quickly locate a specific GDAP template in the list.

+## Relationships tab

+From the Relationships tab, you can view all GDAP relationships that you set up with your customers. The Relationships tab provides the following information:

+- **Tenant and relationship:** Customer tenant name and associated GDAP relationship.

+- **Status:**

+ - An **Active** status means you have at least one active GDAP relationship with the customer.

+ - A **Pending** status indicates a GDAP relationship was set up but the customer hasn't approved it yet.

+- **Template:** Name of the GDAP template assigned to the customer tenant.

+- **Security groups:** Number of security groups associated with the customer tenant.

+- **Start date:** Date of the oldest GDAP relationship with the customer.

+- **Expiration date:** Date of the next-expiring GDAP relationship.

+- **Tags:** Tags associated with the customer tenant.

+In the list of customer tenants, expand each tenant to show the active and pending GDAP relationship requests. After a customer approves a GDAP relationship request, you can select the relationship request from the list to open the relationship details pane and view the following information:

+- All security groups and GDAP Microsoft Entra roles associated with the tenant.

+- A summary of all GDAP Microsoft Entra roles associated with the tenant.

+

+The Relationships tab also includes the following options:

+- **Export:** Select to export GDAP relationship data to an Excel comma-separated values (.csv) file.

+- **Refresh:** Select to retrieve the most current GDAP relationship data.

+- **Search:** Enter keywords to quickly locate a specific tenant or tenant tag in the list.

+[Set up GDAP in Microsoft 365 Lighthouse](m365-lighthouse-setup-gdap.md) (article)\

+[Overview of permissions in Microsoft 365 Lighthouse](m365-lighthouse-overview-of-permissions.md) (article)\

+[Configure Microsoft 365 Lighthouse portal security](m365-lighthouse-configure-portal-security.md) (article)\

+ Title: "Set up GDAP in Microsoft 365 Lighthouse"

+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to set up granular delegated admin privileges (GDAP) for the customer tenants that you manage."

+# Set up GDAP in Microsoft 365 Lighthouse

+Granular delegated admin privileges (GDAP) are a prerequisite for customer tenants to be fully onboarded to Lighthouse. You can set up all your customers with GDAP through Microsoft 365 Lighthouse. By setting up GDAP for the customer tenants that you manage, you help keep your customers secure while ensuring users in your partner organization have the permissions necessary to do their work.

+To walk through how to set up GDAP in your partner organization, complete the [Secure Microsoft 365 Lighthouse interactive guide](https://go.microsoft.com/fwlink/p/?linkid=2281856).

+If you encounter any problems during GDAP setup and need guidance, see [Troubleshoot error messages and problems in Microsoft 365 Lighthouse: GDAP setup and management](m365-lighthouse-troubleshoot.md#gdap-setup-and-management).

+- You must hold specific roles in Microsoft Entra ID and/or Partner Center, as outlined in the [Delegated Access Role Requirements table](m365-lighthouse-delegated-access-overview.md#role-requirements).

+- The customers you manage in Lighthouse need to be set up in Partner Center with either a reseller relationship or an existing GDAP relationship.

+## Set up GDAP

+3. On the **Delegated access** page, select the **GDAP templates** tab, and then select **Create a template**.

+4. In the **Create a template** pane, enter a name for the template and an optional description.

+5. Under **Support roles**, Lighthouse includes five default support roles: Account manager, Service desk agent, Specialist, Escalation engineer, and Administrator. For each support role that you want to use, do the following:

+

+ 1. Select **Edit** to open the **Edit support role** pane.

+ 2. Update the support role name and description, as needed, to align with the support roles in your partner organization.

+

+ 3. Under **Entra roles**, select the Microsoft Entra roles that the support role requires based on the role's job function. The following options are available:

+ - Use the Microsoft Entra roles that Microsoft recommends.

+ - Set the filter to **All** and select your preferred Microsoft Entra roles.

+

+ To learn more, see [Microsoft Entra built-in roles](/azure/active-directory/roles/permissions-reference).

+ 4. Select **Save**.

+6. For each support role that you want to use, select the **Add or create a security group** icon next to the support role to open the **Select or create a security group** pane. If you don't want to use a particular support role, don't assign any security groups to it.

+

+ > [!NOTE]

+ > Each GDAP template requires you to assign at least one security group to a support role.

+7. Do one of the following:

+

+ - To use an existing security group, select **Use an existing security group**, choose one or more security groups from the list, and then select **Save**.

+ - To create a new security group, select **Create a new security group**, and then do the following:

+

+ 1. Enter a name and optional description for the new security group.

+

+ 2. If applicable, select **Create a just-in-time (JIT) access policy for this security group**, and then define the user eligibility expiration, JIT access duration, and JIT approver security group.

+

+ > [!NOTE]

+ > To create a just-in-time (JIT) access policy for a new security group, you must have a Microsoft Entra ID P2 license. If you're unable to select the checkbox to create a JIT access policy, verify that you have a Microsoft Entra ID P2 license.

+

+ 3. Add users to the security group, and then select **Save**.

+

+ > [!NOTE]

+ > Users who are part of a JIT agent security group are not automatically given access to GDAP roles in Microsoft Entra ID. These users must first request access from the <a href="https://myaccess.microsoft.com/#/access-packages" target="_blank">My Access portal</a> and a member of the JIT approver security group must review the JIT access request.

+

+ 4. If you created a JIT access policy for the security group, you can review the created policy on the <a href="https://entra.microsoft.com/#view/Microsoft_Azure_IdentityGovernance/Dashboard.ReactView" target="_blank">Identity Governance dashboard</a> in the Microsoft Entra admin center.

+

+ For more information on how JIT agents can request access, see [Request access to an access package in entitlement management](/entra/id-governance/entitlement-management-request-access).

+ For more information on how approvers can approve requests, see [Approve or deny requests for Microsoft Entra roles in Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-approval-workflow).

+8. When you're done defining the support roles and security groups, select **Save** in the **Create a template** pane to save the GDAP template.

+ The new template now appears in the list of templates on the **GDAP templates** tab of the **Delegated access** page.

+9. Follow steps 3 through 8 to create more GDAP templates, as needed.

+10. On the **GDAP templates** tab of the **Delegated access** page, select the three dots (more actions) next to a template in the list, and then select **Assign template**.

+11. In the **Assign this template to tenants** pane, choose one or more customer tenants that you want to assign the template to, and then select **Next**.

+ > [!NOTE]

+ > Each customer tenant can be associated with only one GDAP template at a time. If you want to assign a new template to a customer, the existing GDAP relationships are saved and only new relationships based on the new template are created.

+12. Review the assignment details, and then select **Assign**.

+

+ It might take a minute or two for the GDAP template assignments to apply. To refresh the data on the **GDAP templates** tab, select **Refresh**.

+13. Follow steps 10 through 12 to assign additional templates to tenants, as needed.

+## Obtain customer approval to administer their products

+As part of the GDAP setup process, a GDAP relationship request link is generated for each customer who doesn't have an existing GDAP relationship with your partner organization. You need to send the link to the appropriate customer contact so they can approve the GDAP relationship before you can administer their products for them.

+1. On the **Delegated access** page, select the **Relationships** tab.

+2. Expand the customer tenant whose approval you require.

+3. Select the GDAP relationship that shows a **Pending** status to open the relationship details pane.

+4. Select either **Open in email** or **Copy email to clipboard**, edit the text if needed (but don't edit the link URL that they need to select to give you administration permission), and then send the GDAP relationship request to your customer.

+Once the GDAP relationship request is approved, the GDAP template settings are applied. It might take up to an hour after relationship approval for changes to appear in Lighthouse.

+

+GDAP relationships are visible in Partner Center and the security groups are visible in Microsoft Entra ID.

+## Edit GDAP settings

+Once you complete GDAP setup, you can update or change roles, security groups, or templates at any time.

+1. In the left navigation pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">Lighthouse</a>, select **Permissions** > **Delegated access**.

+2. On the **GDAP templates** tab, make any necessary changes to the GDAP templates or their associated configurations, and then save your changes.

+3. Assign the updated GDAP templates to the appropriate customer tenants so those tenants have the updated configurations from the templates.

+[Overview of permissions in Microsoft 365 Lighthouse](m365-lighthouse-overview-of-permissions.md) (article)\

+[Overview of the Delegated access page in Microsoft 365 Lighthouse](m365-lighthouse-delegated-access-overview.md) (article)\

+[Troubleshoot error messages and problems in Microsoft 365 Lighthouse](m365-lighthouse-troubleshoot.md) (article)\

+[Configure Microsoft 365 Lighthouse portal security](m365-lighthouse-configure-portal-security.md) (article)\

+For more information related to managing and maintaining apps with Intune, see the following topics:

+- [Microsoft Intune app management](/mem/intune/apps/app-management)

+- [App management troubleshooting documentation](/troubleshoot/mem/intune/app-management/app-management)

+- [Get started with your Microsoft Intune deployment](/mem/intune/fundamentals/get-started-with-intune)

+| MAM | Apps that are managed (MAM) without device management (MDM), can be configured and protected using Intune. MAM enables you to manage and protect your organization's data within an application. When you choose to manage only the apps on devices used by members of your organization without enrolling or managing devices, your app configuration policy channel must be set to **Managed apps** . This configuration is commonly referred to as MAM without device enrollment. You can manage apps using MAM by using Intune configuration and protection policies on devices not enrolled with Intune MDM. MAM is ideal to help protect organization data on mobile devices used by members of your organization for both personal and work tasks.<p>**NOTE:**<br>You can't deploy apps to the device. The end user has to get the apps from the store.<p>For more information, see [MAM without device management](/mem/intune/fundamentals/deployment-plan-protect-apps#mam-without-device-management). |

+| com.microsoft.intune.mam.managedbrowser.Chat | You can choose to hide or show the Bing button in the bottom bar of Edge as part of Microsoft Copilot. For more information, see [Microsoft Copilot](/copilot/overview). |

+| com.microsoft.intune.mam.managedbrowser.EdgeChatPageContext | You can choose whether Microsoft Copilot has access to page content. By default, this setting shows the **Page context** and **Show quick chat panel** options under the Copilot mode. For more information, see [Microsoft Copilot](/copilot/overview). |

+MAM in Intune is designed to protect organization data at the application level, including custom apps and store apps. App management can be used on organization-owned devices and personal devices. When it's used with personal devices, only organization-related access and data are managed. This configuration allows your organization's apps to be managed by Intune, but doesn't enroll the devices to be managed by Intune. This configuration is commonly referred to as **MAM without device enrollment**. IT administrators can manage apps using MAM by using Intune configuration and protection policies on devices not enrolled with Intune Mobile Device Management (MDM). In the MAM scenario, the apps are managed based on the signed-in user of the app on the device. MAM is ideal to help protect organization data on devices used by members of your organization for both personal and work tasks. MAM without MDM is popular for organizations that enable members of their organization to work remotely on their own devices (BYOD).

+- Translation actions are also available for files in your **My files** folder in OneDrive.

+1. From a SharePoint document library (or from your **My files** folder in OneDrive), select the file or files you want to translate. Then use either of the following methods to start the translation process.