+Microsoft Defender Threat Intelligence (Defender TI) is a platform that streamlines triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows when conducting threat infrastructure analysis and gathering threat intelligence. Analysts spend a significant amount of time on data discovery, collection, and parsing, instead of focusing on what actually helps their organization defend themselves--deriving insights about the actors through analysis and correlation.

+The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out the [Reports overview topic](activity-reports.md).

+2. From the dashboard homepage, select **View more** on the Yammer card.

+Select the **Device usage** tab to view the usage in the OneDrive report.

+You also can export the report data into an Excel .csv file by selecting the Export link. This link exports data of all users and enables you to do simple sorting and filtering for further analysis.

+|Metric|Definition|

+|Username |The email address of the user. You can display the actual email address or make this field anonymous. This grid shows users who logged in to Yammer using the Microsoft 365 account or who logged in to the network using single sign-on. |

+|Display name |The full name of the user. You can display the actual email address or make this field anonymous. |

+|User state |One of three values: Active, Deleted, or Suspended. These reports show data for active, suspended, and deleted users. They don't reflect pending users, because pending users can't post, read, or like a message. |

+|State change date (UTC) |The date on which the user's state was changed in Yammer. |

+|Last activity date (UTC) |The last date (UTC) that the user participated in a Yammer activity. |

+|Web |Indicates if the user has used Yammer on the web. |

+|Windows phone | Indicates if the user has used Yammer on a Windows phone. |

+|Android phone |Indicates if the user has used Yammer on an Android phone. |

+|iPhone | Indicates if the user has used Yammer on an iPhone. |

+|iPad |Indicates if the user has used Yammer on an iPad. |

+|other |Indicates if the user has used Yammer on another client, which wasn't listed previously. This includes Yammer Embed, SharePoint Web Part, Viva Engage, and select Outlook emails. |

+[Manage teams in the Microsoft Teams admin center](/microsoftteams/manage-teams-in-modern-portal)\

+> [!NOTE]

+> This feature is not available in GCC High, GCC, and DOD tenants.

+[Overview of the Microsoft 365 admin center](../admin-overview/admin-center-overview.md) (video)

+ |SRV|Use your *domain_name*; for example, contoso.com|_sipfederationtls|TCP|30 minutes|100|1|5061|sipfed.online.lync.com|

+It can take as little as five minutes for Microsoft 365 to remove a domain if it's not referenced in a lot of places such as security groups, distribution lists, users, aliases, shared mailboxes, resource mailboxes, and Microsoft 365 groups. If there are many references that use the domain it can take several hours (a day) for the domain to be removed.

+Sign in as a global administrator, follow these steps to get a code at Microsoft 365, and then go to the other domain registrar website to set up transferring your domain name to the new registrar.

+ - Redirect URL: `https://{your-servicenow-instance}.service-now.com/oauth_redirect.do`

+1. Select **New**, and then select **Configure and OIDC provider to verify ID tokens**.

+1. In this new application, fill the fields with these values:

+ - Redirect URL: `https://{service-now-instance-name}.service-now.com/oauth_redirect.do`

+description: Learn how Microsoft 365 global administrators can apply your organization's branding to encrypted email messages & contents of the encryption portal.

+# Add your organization's brand to your Microsoft Purview Message Encryption encrypted messages

+Apply your company branding to customize the look of your organization's email messages and the encryption portal. You'll need to apply global administrator permissions to your work or school account before you can get started. Use the Get-OMEConfiguration and Set-OMEConfiguration cmdlets in Exchange Online PowerShell to customize these parts of encrypted email messages:

+- Text in the encrypted message portal

+- Logo that appears in the email message and encrypted message portal, or whether to use a logo at all

+- Background color in the email message and encrypted message portal

+Once you've created the templates, apply them to encrypted emails sent from your online mailbox by using Exchange mail flow rules. If you have Microsoft Purview Advanced Message Encryption, you can revoke any email that you've branded.

+## Work with branding templates

+You can modify several features within a branding template, and modify, but not remove, the default template. If you have Advanced Message Encryption, you can also create, modify, and remove custom templates. Use Exchange Online PowerShell to work with one branding template at a time.

+## Modify a branding template

+|Background color|`Set-OMEConfiguration -Identity "<ConfigurationName>" -BackgroundColor "<#RRGGBB hexadecimal color code or name value>"` <p> **Example:** <p> `Set-OMEConfiguration -Identity "Branding Template 1" -BackgroundColor "#ffffff"` <p> For more information about background colors, see the [Background colors](#background-color-reference) section later in this article.|

+|Logo|`Set-OMEConfiguration -Identity "<ConfigurationName>" -Image <Byte[]>` <p> **Example:** <p> `Set-OMEConfiguration -Identity "Branding Template 1" -Image ([System.IO.File]::ReadAllBytes('C:\Temp\contosologo.png'))` <p> Supported file formats: .png, .jpg, .bmp, or .tiff <p> Optimal size of logo file: less than 40 KB <p> Optimal size of logo image: 170x70 pixels. If your image exceeds these dimensions, the service resizes your logo for display in the portal. The service doesn't modify the graphic file itself. For best results, use the optimal size.|

+|Text next to the sender's name and email address|`Set-OMEConfiguration -Identity "<ConfigurationName>" -IntroductionText "<String up to 1024 characters>"` <p> **Example:** <p> `Set-OMEConfiguration -Identity "Branding Template 1" -IntroductionText "has sent you a secure message."`|

+|Text that appears on the "Read Message" button|`Set-OMEConfiguration -Identity "<ConfigurationName>" -ReadButtonText "<String up to 1024 characters>"` <p> **Example:** <p> `Set-OMEConfiguration -Identity "Message encryption configuration" -ReadButtonText "Read Secure Message."`|

+|Text that appears below the "Read Message" button|`Set-OMEConfiguration -Identity "<ConfigurationName>" -EmailText "<String up to 1024 characters>"` <p> **Example:** <p> `Set-OMEConfiguration -Identity "Message encryption configuration" -EmailText "Encrypted message from ContosoPharma secure messaging system."`|

+|URL for the Privacy Statement link|`Set-OMEConfiguration -Identity "<ConfigurationName>" -PrivacyStatementURL "<URL>"` <p> **Example:** <p> `Set-OMEConfiguration -Identity "Branding Template 1" -PrivacyStatementURL "https://contoso.com/privacystatement.html"`|

+|Text that appears at the top of the encrypted mail viewing portal|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -PortalText "<Text for your portal. String of up to 128 characters.>"` <p> **Example:** <p> `Set-OMEConfiguration -Identity "Message encryption cfonfiguration" -PortalText "ContosoPharma secure email portal."`|

+## Create an encrypted message branding template (Advanced Message Encryption)

+If you have Microsoft Purview Advanced Message Encryption, you can create custom branding templates for your organization by using the [New-OMEConfiguration](/powershell/module/exchange/new-omeconfiguration) cmdlet. Once you've created the template, you modify the template by using the Set-OMEConfiguration cmdlet as described in [Modify a branding template](#modify-a-branding-template). You can create multiple templates.

+ |Default text that comes with encrypted email messages. The default text appears above the instructions for viewing encrypted messages|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -EmailText "<empty string>"` <p> **Example:** <p> `Set-OMEConfiguration -Identity "Message encryption configuration" -EmailText ""`|

+ |Disclaimer statement in the email that contains the encrypted message|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" DisclaimerText "<empty string>"` <p> **Example:** <p> `Set-OMEConfiguration -Identity "Message encryption configuration" -DisclaimerText ""`|

+ |Text that appears at the top of the encrypted mail viewing portal|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -PortalText "<empty string>"` <p> **Example reverting back to default:** <p> `Set-OMEConfiguration -Identity "Message encryption configuration" -PortalText ""`|

+ |Logo|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -Image <"$null">` <p> **Example reverting back to default:** <p> `Set-OMEConfiguration -Identity "Message encryption configuration" -Image $null`|

+ |Background color|`Set-OMEConfiguration -Identity "<ConfigurationName>" -BackgroundColor "$null">` <p> **Example reverting back to default:** <p> `Set-OMEConfiguration -Identity "Message encryption configuration" -BackgroundColor $null`|

+1. Using a work or school account that has global administrator permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).

+ Remove-OMEConfiguration -Identity "<OMEConfigurationName>"

+## Create an Exchange mail flow rule that applies your custom branding to encrypted emails sent from your online organization to external recipients

+> Third-party applications that scan and modify mail can prevent branding from being applied correctly.

+After you've either modified the default template or created new branding templates, you can create Exchange mail flow rules to apply your custom branding based on certain conditions. Most importantly, the email must be encrypted. Such a rule will apply custom branding to mail sent from your online mailbox in the following scenarios:

+To ensure Microsoft Purview Message Encryption applies your custom branding, set up a mail flow rule to encrypt your messages. The priority of the encryption rule should be higher than the branding rule so that the encryption rule is processed first. By default, if you create the encryption rule before the branding rule, then the encryption rule will have a higher priority. For information, see [Define mail flow rules to encrypt email messages in Office 365](define-mail-flow-rules-to-encrypt-email.md). For information on setting the priority of a mail flow rule, see [Manage mail flow rules](/exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules#set-the-priority-of-a-mail-flow-rule).

+3. In the Microsoft 365 admin center, choose **Admin centers** \> **Exchange**.

+5. In **Name**, type a name for the rule, such as **Branding for sales department**.

+7. If you've already defined a mail flow rule to apply encryption, skip this step. Otherwise, to configure the mail flow rule to apply encryption, from **Do the following**, select **Modify the message security**, and then select **Apply Office 365 Message Encryption and rights protection**. Select a Rights Management Service (RMS) template from the list and then select **add action**.

+ The list of templates includes default templates and options and any custom templates you create. If the list is empty, ensure that you have set up Microsoft Purview Message Encryption. For instructions, see [Set up Microsoft Purview Message Encryption](set-up-new-message-encryption-capabilities.md). For information about the default templates, see [Configuring and managing templates for Azure Information Protection](/information-protection/deploy-use/configure-policy-templates). For information about the **Do Not Forward** option, see [Do Not Forward option for emails](/information-protection/deploy-use/configure-usage-rights#do-not-forward-option-for-emails). For information about the **Encrypt Only** option, see [Encrypt Only option for emails](/information-protection/deploy-use/configure-usage-rights#encrypt-only-option-for-emails).

+ Select **add action** if you want to specify another action, or select **Save**, and then select **OK**.

+Classifiers are available to use as a condition for:

+- [Office auto-labeling with sensitivity labels](apply-sensitivity-label-automatically.md)

+- [Auto-apply retention label policy based on a condition](apply-retention-labels-automatically.md#configuring-conditions-for-auto-apply-retention-labels)

+- [Communication compliance](communication-compliance.md)

+- Sensitivity labels can use classifiers as conditions, see [Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md).

+- [Data loss prevention](dlp-learn-about-dlp.md)

+Compliance Manager can alert you to changes as soon as they happen so that you can stay on track with your compliance goals. For example, you can set up alerts to inform you when an improvement action's score value has increased or decreased due to a configuration change in your tenant, or when an improvement action has been assigned to a user to perform implementation or testing work. View the [types of events](#create-an-alert-policy) for which you can create alerts.

+All alerts are listed on the **Alerts** tab in Compliance Manager, and all alert policies are listed on the **Alert Policies tab**. All organizations have a [default score change policy](#default-score-change-policy) already set up for them.

+Select the **Alert policies** tab in Compliance Manager to view and manage your alert policies. The **Alert policies** page contains a table listing all the policies created by your organization. From this page, you can create new policies, edit existing policies, change activation status, and delete policies.

+In the **Status column**, **Active** means the policy is in effect and triggering alerts when conditions are met. **Inactive** means the policy exists but isn't generating alerts. The policies table also shows you the severity of the policy and the date the policy was last modified.

+After making your selections, select **Apply**. The flyout pane will close and your updated **Alerts** page shows your filtered view. Your filters are displayed at the top of the table, though not all filter columns may show in the table.

+DLP supports using trainable classifiers as a condition to detect sensitive documents. Content can be defined by trainable classifiers in Exchange Online, SharePoint Online sites, OneDrive for Business accounts, Teams Chat and Channels, and Devices. For more information, see [Trainable Classifiers](classifier-learn-about.md).

+- [Trainable Classifiers](classifier-learn-about.md)

+The following tables list the minimum Office version that introduced specific capabilities for sensitivity labels built in to Office apps. Or, if the label capability is in public preview or under review for a future release:

+- [Capabilities table for Word, Excel, and PowerPoint](#sensitivity-label-capabilities-in-word-excel-and-powerpoint)

+- [Capabilities table for Outlook](#sensitivity-label-capabilities-in-outlook)

+Use the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=Microsoft%20Information%20Protection&searchterms=label) for details about new labeling capabilities that are planned for future releases.

+The ordering of sublabels is used with [auto-labeling policies](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange), though. When you configure more than one auto-labeling policy for the same location, multiple matches can result for more than one label. To determine the label to apply, the label ordering is used even with sublabels: The last sensitive label is selected, and then if applicable, the last sublabel.

+## External DNS records required for Teams and Skype for Business Online

+There are specific steps to take when you use [Office 365 URLs and IP address ranges](urls-and-ip-address-ranges.md) to make sure your network is configured correctly.

+These DNS records apply to Teams, Skype for Business Online or both as indicated.

+|**SRV** <br/> **(Teams and Skype for Business Online)**|Allows your Office 365 domain to share instant messaging (IM) features with external clients by enabling SIP federation.|**Service:** sipfederationtls <br/> **Protocol:** TCP <br/> **Priority:** 100 <br/> **Weight:** 1 <br/> **Port:** 5061 <br/> **Target:** sipfed.online.lync.com <br/> **Note:** If the firewall or proxy server blocks SRV lookups on an external DNS, you should add this record to the internal DNS record. |

+|**SRV** <br/> **(Teams and Skype for Business Online)**|Required by both Teams and Skype for Business Online to communicate between Skype for Business on-premises, Teams and Skype for Business cross-cloud (e.g., between Office 365 @ _sipfed.online.lync.com_ and Office 365 operated by 21Vianet @ _sipfed.online.partner.lync.cn_ or US government clouds).<br/>Required in both Teams-only and hybrid mode. In Teams-only mode it points to online edge servers (e.g. _sipfed.online.lync.com_) while in hybrid mode it points to on-premises edge servers (e.g. _sipfed.\<domain>_).|**Service:** sipfederationtls <br/> **Protocol:** TCP <br/> **Priority:** 100 <br/> **Weight:** 1 <br/> **Port:** 5061 <br/> **Target:** _sipfederationtls.tcp.\<domain> <br/> **Note:** If the firewall or proxy server blocks SRV lookups on an external DNS, you should add this record to the internal DNS record. |

+|**SRV** <br/> **(Teams and Skype for Business Online)**|Required by Skype for Business Windows Desktop client and Skype for Business phones for sign-in. It may be needed by Teams-only tenants that use Skype for Business Online phones for Teams and must point to online edge servers (e.g. _sip.online.lync.com_). <br/>It is needed by hybrid tenants to support their Windows Desktop clients and phones that sign in to on-premises deployments (e.g. _sip.\<domain>_).|**Target:** _sip._tls.\<domain>|

+|**CNAME** <br/> **(Teams and Skype for Business Online)**|Required by the Skype for Business desktop client for Windows, Mac, and web clients as well as Skype Meeting Application (SMA) to sign in. <br/>Also used by PowerShell cmdlets that still use Skype for Business Online infrastructure for management. Therefore, it is also needed for both Teams-only and hybrid tenants.|**Target:** lyncdiscover.\<domain>|

+|**SRV** <br/> **(Skype for Business Online)**|Required by Skype for Business to coordinate the flow of information between Lync clients.|**Service:** sip <br/> **Protocol:** TLS <br/> **Priority:** 100 <br/> **Weight:** 1 <br/> **Port:** 443 <br/> **Target:** sipdir.online.lync.com|

+|**CNAME** <br/> **(Skype for Business Online)**|Required by the Lync desktop client to locate the Skype for Business Online service and sign in.|**Alias:** sip <br/> **Target:** sipdir.online.lync.com|

+|**CNAME** <br/> **(Skype for Business Online)**|Required by the Lync mobile client to help find the Skype for Business Online service and sign in.|**Alias:** lyncdiscover <br/> **Target:** webdir.online.lync.com|

+With the growing adoption and support of IPv6 across enterprise networks, service providers, and devices, many customers are wondering if their users can continue to access Microsoft 365 services from IPv6 clients and IPv6 networks. Microsoft 365 services can be successfully used from both IPv6 dual stack and IPv6-only devices (IPv6-only devices require translation technologies such as DNS64 or NAT64). In fact, we have an increasing number of customers, from consumers to large enterprises, who are moving towards greater adoption of IPv6. For most customers, IPv4 won't completely disappear from their digital landscape, so we aren't planning to require IPv6 or to de-prioritize IPv4 in any Microsoft 365 features or services.

+##### [Manage tamper protection using Microsoft Intune](manage-tamper-protection-microsoft-endpoint-manager.md)

+ Title: Manage tamper protection for your organization using Microsoft Intune

+description: Turn tamper protection on or off for your organization in Microsoft Intune.

+keywords: malware, defender, antivirus, tamper protection, Microsoft Intune

+# Manage tamper protection for your organization using Microsoft Intune

+If your organization uses [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com). Use Intune when you want to fine-tune tamper protection settings. For example, if you want to enable tamper protection on some devices, but not all, use Intune.

+## Requirements for managing tamper protection in Intune

+- Your organization uses [Intune to manage devices](/mem/endpoint-manager-getting-started). (Intune licenses are required; Intune is included in Microsoft 365 E3/E5, Enterprise Mobility + Security E3/E5, Microsoft 365 Business Premium, Microsoft 365 F1/F3, Microsoft 365 Government G3/G5, and corresponding education licenses.)

+- Your Windows devices must be running Windows 10 [version 1709 or later](/lifecycle/announcements/revised-end-of-service-windows-10-1709) or Windows 11. (For more information about releases, see [Windows 10 release information](/windows/release-health/release-information).)

+- Your Intune and Defender for Endpoint tenants must share the same Microsoft Entra (Azure Active Directory) infrastructure.

+- Your devices must be onboarded to Defender for Endpoint.

+> [!NOTE]

+> If your devices are not enrolled in Microsoft Defender for Endpoint, tamper protection will show as **Not Applicable** until the onboarding process completes.

+## Turn tamper protection on (or off) in Microsoft Intune

+ - In the **Platform** list, select **Windows 10, Windows 11, and Windows Server**.

+ - **TamperProtection (Device): Enable**

+> Microsoft does not allow you to create allow entries directly as it leads to creation of allows that are not needed, thus exposing the customer's tenant to malicious emails which might otherwise have been filtered by the system.

+> Microsoft manages the allow creation process from Submission by creating allows for those entities (domains or email addresses, spoofed senders, URLs, files) which were determined to be malicious by filters during mail flow. For example, if the sender and a URL in the message were determined to be bad, an allow entry is created for the sender, and an allow entry is created for the URL.

+> When that entity (domain or email address, URL, file) is encountered again, all filters associated with that entity are skipped.

+> During mail flow, if messages from the domain or email address pass other checks in the filtering stack, the messages will be delivered. For example, if [email authentication](email-validation-and-authentication.md) passes, a message from a sender in the allow entry will be delivered.

+Note that with **allow expiry management** (currently in private preview), if Microsoft has not learned from the allow, Microsoft will automatically extend the expiry time of allows, which are going to expire soon, by 30 days to prevent legitimate email from going to junk or quarantine again. If Microsoft does not learn within 90 calendar days from the date of allow creation, Microsoft will remove the allow.

+If Microsoft has learned from the allow, the allow will be removed and you will get an alert informing you about it.

+- [Email entity page](mdo-email-entity-page.md)

+ - If the message was blocked by [spoof intelligence](learn-about-spoof-intelligence.md), an allow entry for the sender is created, and it appears on the **Spoofed senders** tab in the Tenant Allow Block List.

+ - If the message was blocked for other reasons, an allow entry for the sender is created, and it appears on the **Domains & addresses** tab in the Tenant Allow Block List.

+ - If the message was not blocked, and an allow entry for the sender is not created, it won't on the **Spoofed senders** tab or the **Domains & addresses** tab.

+> Microsoft does not allow you to create allow entries directly as it leads to creation of allows that are not needed, thus exposing the customer's tenant to malicious emails which might otherwise have been filtered by the system.

+> Microsoft manage the allow creation process from Submission by creating allows for those entities (domains or email addresses, spoofed senders, URLs, files) which were determined to be malicious by filters during mail flow. For example, if the sender and a URL in the message were determined to be bad, an allow entry is created for the sender, and an allow entry is created for the URL.

+Note that with **allow expiry management** (currently in private preview), if Microsoft has not learned from the allow, Microsoft will automatically extend the expiry time of allows, which are going to expire soon, by 30 days to prevent legitimate email from going to junk or quarantine again. If Microsoft does not learn within 90 calendar days from the date of allow creation, Microsoft will remove the allow.

+If Microsoft has learned from the allow, the allow will be removed and you will get an alert informing you about it.

+- [Reach the email entity page](#how-to-get-to-the-email-entity-page)

+- [Read the email entity page](#how-to-read-the-email-entity-page)

+- [Use email entity page tabs](#how-to-use-the-email-entity-page-tabs)

+- [New to the email entity page](#available-on-the-email-entity-page)

+1. Click a report, for example *Mailflow status summary* and the click the **View details** button to dig into the data (which even includes a funnel view for easier interpretation of total mail flow vs. blocked, spam, and phishing emails, and more).

+|Security reports| Identities and device security reports such as users and devices with malware detections, device compliance, and users at risk.|

+- [Email entity page](mdo-email-entity-page.md)

+## October 2022

+- **[Manage your allows and blocks in the Tenant Allow/Block List](manage-tenant-allow-block-list.md):**

+ - With **allow expiry management** (currently in private preview), if Microsoft has not learned from the allow, Microsoft will automatically extend the expiry time of allows, which are going to expire soon, by 30 days to prevent legitimate email from going to junk or quarantine again.

+ - Customers in the government cloud environments will now be able to create allow and block entries for URLs and attachments in the Tenant Allow/Block List using the admin URL and email attachment submissions. The data submitted through the submissions experience will not leave the customer tenant, thus satisfying the data residency commitments for government cloud clients.