Updates from: 10/29/2022 01:19:40
Category Microsoft Docs article Related commit history on GitHub Change details
admin About Admin Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-admin-roles.md
You'll probably only need to assign the following roles in your organization. By
|License admin | Assign the License admin role to users who need to assign and remove licenses from users and edit their usage location. <br/><br/> License admins also can: <br> - Reprocess license assignments for group-based licensing <br> - Assign product licenses to groups for group-based licensing | |Message center privacy reader | Assign the Message center privacy reader role to users who need to read privacy and security messages and updates in the Microsoft 365 Message center. Message center privacy readers may get email notifications related to data privacy, depending on their preferences, and they can unsubscribe using Message center preferences. Only global administrators and Message center privacy readers can read data privacy messages. This role has no permission to view, create, or manage service requests. <br><br>Message center privacy readers can also: <br> - Monitor all notifications in the Message Center, including data privacy messages <br> - View groups, domains, and subscriptions | |Message center reader | Assign the Message center reader role to users who need to do the following: <br> - Monitor message center notifications <br> - Get weekly email digests of message center posts and updates <br> - Share message center posts <br> - Have read-only access to Azure AD services, such as users and groups|
-|Office Apps admin | Assign the Office Apps admin role to users who need to do the following: <br> - Use the Office cloud policy service to create and manage cloud-based policies for Office <br> - Create and manage service requests <br> - Manage the What's New content that users see in their Office apps <br> - Monitor service health |
+|Office Apps admin | Assign the Office Apps admin role to users who need to do the following: <br> - Use the Cloud Policy service for Microsoft 365 to create and manage cloud-based policies for Office <br> - Create and manage service requests <br> - Manage the What's New content that users see in their Office apps <br> - Monitor service health |
|Password admin | Assign the Password admin role to a user who needs to reset passwords for non-administrators and Password Administrators. | |Power Platform admin | Assign the Power Platform admin role to users who need to do the following: <br> - Manage all admin features for Power Apps, Power Automate, and Microsoft Purview Data Loss Prevention <br> - Create and manage service requests <br> - Monitor service health | |Reports reader | Assign the Reports reader role to users who need to do the following: <br> - View usage data and the activity reports in the Microsoft 365 admin center <br> - Get access to the Power BI adoption content pack <br> - Get access to sign-in reports and activity in Azure AD <br> - View data returned by Microsoft Graph reporting API|
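Review bot: the renamed "Cloud Policy service for Microsoft 365" in the Office Apps admin row is left as plain text, while the same rename elsewhere in this batch links it to /DeployOffice/overview-office-cloud-policy-service; consider adding that link here too so readers of the role table can reach the service documentation.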
business-premium M365bp Conditional Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-conditional-access.md
audience: Admin
Previously updated : 09/15/2022 Last updated : 10/26/2022 ms.localizationpriority: high - M365-Campaigns
This article provides information about:
Security defaults were designed to help protect your company's user accounts from the start. When turned on, security defaults provide secure default settings that help keep your company safe by: -- Requiring all users and admins to register for MFA using the Microsoft Authenticator app.
+- Requiring all users and admins to register for MFA using the [Microsoft Authenticator app](/azure/active-directory/authentication/concept-authentication-authenticator-app) or any third-party application using [OATH TOTP](/azure/active-directory/authentication/concept-authentication-oath-tokens#oath-software-tokens).
- Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks. - Disabling authentication from legacy authentication clients that can't do MFA. - Protecting admins by requiring extra authentication every time they sign in.
compliance Communication Compliance Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-policies.md
The *Report a concern* option is enabled by default and can be controlled via Te
## Policy for insider risk management integration (preview)
-When users experience employment stressors, they may become disgruntled. This feeling may lead to uncharacteristic or malicious behavior by some users that could surface as potentially inappropriate behavior on your organization's messaging systems. Communication compliance can provide disgruntlement signals detected in applicable messages to [insider risk management](/microsoft-365/compliance/insider-risk-management) disgruntlement policies by using a dedicated [Detect inappropriate text](#policy-templates) policy. This policy is automatically created (if selected as an option) during configuration of a [Data leaks by disgruntled employees](/microsoft-365/compliance/insider-risk-management-policies#data-leaks-by-disgruntled-users-preview) or [Security policy violations by disgruntled employees](/microsoft-365/compliance/insider-risk-management-policies#security-policy-violations-by-disgruntled-users-preview) policy in insider risk management.
+When users experience employment stressors, they may engage in risky activities. Workplace stress may lead to uncharacteristic or malicious behavior by some users that could surface as potentially inappropriate behavior on your organization's messaging systems. Communication compliance can provide risk signals detected in applicable messages to [insider risk management](/microsoft-365/compliance/insider-risk-management) risky user policies by using a dedicated [Detect inappropriate text](#policy-templates) policy. This policy is automatically created (if selected as an option) during configuration of a [Data leaks by risky employees](/microsoft-365/compliance/insider-risk-management-policies#data-leaks-by-risky-users-preview) or [Security policy violations by risky employees](/microsoft-365/compliance/insider-risk-management-policies#security-policy-violations-by-risky-users-preview) policy in insider risk management.
-When configured for an insider risk management disgruntlement policy, a dedicated policy named *Disgruntlement in messages - (date created)* is created in communication compliance and automatically includes all organization users in the policy. This policy starts detecting disgruntlement behavior in messages by using the built-in [Threat, Harassment, and Discrimination classifiers](#classifiers) and automatically sends these signals to insider risk management. If needed, this policy can be edited to update the scope of included users and the policy conditions and classifiers.
+When configured for an insider risk management policy, a dedicated policy named *Risky users in messages - (date created)* is created in communication compliance and automatically includes all organization users in the policy. This policy starts detecting risky behavior in messages by using the built-in [Threat, Harassment, and Discrimination classifiers](#classifiers) and automatically sends these signals to insider risk management. If needed, this policy can be edited to update the scope of included users and the policy conditions and classifiers.
-Users that send 5 or more messages classified as disgruntled within 24 hours are automatically brought in-scope for insider risk management policies that include this option. Once in-scope, the insider risk management detect risky activities configured in the policy and generate alerts as applicable. It may take up to 48 hours from the time disgruntlement messages are sent until the time a user is brought in-scope in an insider risk management policy. If an alert is generated for a risky activity detected by the insider risk management policy, the triggering event for the alert is identified as being sourced from the communication compliance disgruntlement activity.
+Users that send 5 or more messages classified as potentially risky within 24 hours are automatically brought in-scope for insider risk management policies that include this option. Once in-scope, the insider risk management policy detects potentially risky activities configured in the policy and generates alerts as applicable. It may take up to 48 hours from the time risky messages are sent until the time a user is brought in-scope in an insider risk management policy. If an alert is generated for a potentially risky activity detected by the insider risk management policy, the triggering event for the alert is identified as being sourced from the communication compliance risky activity.
-All users assigned to the [Insider Risk Management Investigators](/microsoft-365/compliance/insider-risk-management-plan#plan-for-the-review-and-investigation-workflow) role group are automatically assigned as reviewers in the dedicated communication compliance policy. If inside risk management investigators need to review the associated disgruntlement alert directly on the communication compliance alerts page (linked from the insider risk management alert details), they must be manually added to the *Communication Compliance Investigators* role group.
+All users assigned to the [Insider Risk Management Investigators](/microsoft-365/compliance/insider-risk-management-plan#plan-for-the-review-and-investigation-workflow) role group are automatically assigned as reviewers in the dedicated communication compliance policy. If inside risk management investigators need to review the associated risky user alert directly on the communication compliance alerts page (linked from the insider risk management alert details), they must be manually added to the *Communication Compliance Investigators* role group.
Before integrating communication compliance with insider risk management, you should also consider the following guidance when detecting messages containing potentially inappropriate text: -- **For organizations without an existing *Detect inappropriate text* policy**. The new *Disgruntlement in messages - (date created)* policy will be automatically created by the insider risk management policy wizard. In most cases, no further actions are needed.-- **For organizations with an existing *Detect inappropriate text* policy**. The new *Disgruntlement in messages - (date created)* policy will be automatically created by the insider risk management policy wizard. Although you'll have two communication compliance policies for potentially inappropriate text in messages, investigators will not see duplicate alerts for the same activity. Insider risk management investigators will only see alerts for the dedicated integration policy and communication compliance investigators will only see the alerts for the existing policy. If needed, you can edit the dedicated policy to change the in-scope users or individual policy conditions as applicable.
+- **For organizations without an existing *Detect inappropriate text* policy**. The new *Risky user in messages - (date created)* policy will be automatically created by the insider risk management policy wizard. In most cases, no further actions are needed.
+- **For organizations with an existing *Detect inappropriate text* policy**. The new *Risky user in messages - (date created)* policy will be automatically created by the insider risk management policy wizard. Although you'll have two communication compliance policies for potentially inappropriate text in messages, investigators will not see duplicate alerts for the same activity. Insider risk management investigators will only see alerts for the dedicated integration policy and communication compliance investigators will only see the alerts for the existing policy. If needed, you can edit the dedicated policy to change the in-scope users or individual policy conditions as applicable.
## Pause a policy
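Review bot: the dedicated policy name is inconsistent within this hunk: the paragraph beginning "When configured for an insider risk management policy" calls it *Risky users in messages - (date created)*, but both bullets under "Before integrating" call it *Risky user in messages - (date created)*; pick one form so admins can find the policy by name. Two smaller points: "If inside risk management investigators need to review" still carries the "inside" typo from the removed line (should be "insider"), and the closing clause "sourced from the communication compliance risky activity" reads awkwardly after the rename; "sourced from the communication compliance policy" would be clearer.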
compliance Communication Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance.md
To learn more about messaging channel support in communication compliance polici
## Integration with insider risk management (preview)
-Communication compliance can provide disgruntlement signals detected in messages to insider risk management disgruntlement policies. Using a dedicated [Detect inappropriate text](/microsoft-365/compliance/communication-compliance-policies#policy-templates) policy in communication compliance, you can choose to add this policy to a [Data leaks by disgruntled employees](/microsoft-365/compliance/insider-risk-management-policies#data-leaks-by-disgruntled-users-preview) or [Security policy violations by disgruntled employees](/microsoft-365/compliance/insider-risk-management-policies#security-policy-violations-by-disgruntled-users-preview) policy in insider risk management. Disgruntlement detected in messages by the communication compliance policy act as a triggering event to bring users into scope for the insider risk management policies.
+Communication compliance can provide risk signals detected in messages to insider risk management risky user policies. Using a dedicated [Detect inappropriate text](/microsoft-365/compliance/communication-compliance-policies#policy-templates) policy in communication compliance, you can choose to add this policy to a [Data leaks by risky employees](/microsoft-365/compliance/insider-risk-management-policies#data-leaks-by-risky-users-preview) or [Security policy violations by risky employees](/microsoft-365/compliance/insider-risk-management-policies#security-policy-violations-by-risky-users-preview) policy in insider risk management. Risky users detected in messages by the communication compliance policy act as a triggering event to bring users into scope for the insider risk management policies.
To learn more about integration with insider risk management, see [Create and manage communication compliance policies](/microsoft-365/compliance/communication-compliance-policies#integration-with-insider-risk-management-preview). To learn more about insider risk management, see [Learn about insider risk management](/microsoft-365/compliance/insider-risk-management).
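Review bot: "Risky users detected in messages by the communication compliance policy act as a triggering event" mixes subject and object after the rename: the policy detects risky activity in messages, and it is that activity (not the users) that is the triggering event; suggest "Risky activity detected in messages by the communication compliance policy acts as a triggering event", which also fixes the verb agreement.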
compliance Create Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-retention-policies.md
When you've more than one retention policy, and when you also use retention labe
> [!NOTE] > Retention policies support [shared channels](/MicrosoftTeams/shared-channels). When you configure retention settings for the **Teams channel message** location, if a team has any shared channels, they inherit retention settings from their parent team.
+>
+> Retention policies also support newly created call data records, which are system-generated messages. However, call data records for private channel messages are included in the **Teams chats** location, instead of the **Teams private channel messages** location.
1. From the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), select **Data lifecycle management** > **Microsoft 365** > **Retention Policies**.
For technical details about how retention works for Teams, including what elemen
- When you select **Edit** for the Teams chats location, you might see guests and non-mailbox users. Retention policies aren't designed for these users, so don't select them.
+- To include newly created call data records for Teams private channel messages, you must select the **Teams chats** location, instead of the **Teams private channel messages** location.
+ #### Additional retention policy needed to support Teams
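Review bot: "newly created call data records" in the added note and bullet is ambiguous about the cutoff; a reader cannot tell which records are "newly created" or whether existing records are excluded from retention, so state the date or the condition from which call data records are covered. The note and the bullet also repeat the same private-channel rule; one could point to the other instead of restating it.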
compliance Deploy Scanner Prereqs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/deploy-scanner-prereqs.md
While the unified labeling client cannot apply encryption without an internet co
To support a disconnected computer, use one of the following methods: -- [Use the Azure portal](#use-the-azure-portal-with-a-disconnected-computer) (recommended when possible)
+- [Use the compliance portal](#use-the-microsoft-purview-compliance-portal-with-a-disconnected-computer) (recommended when possible)
- [Use PowerShell](#use-powershell-with-a-disconnected-computer)
-#### Use the Azure portal with a disconnected computer
+#### Use the Microsoft Purview compliance portal with a disconnected computer
-To support a disconnected computer from the Azure portal, perform the following steps:
+To support a computer that can't connect to the Microsoft Purview compliance portal, perform the following steps:
1. Configure labels in your policy, and then use the [procedure to support disconnected computers](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#support-for-disconnected-computers) to enable offline classification and labeling.
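Review bot: the reworded lead sentence changes the scenario: "a computer that can't connect to the Microsoft Purview compliance portal" describes a portal-access problem, but the surrounding text (the unified labeling client cannot apply encryption without an internet connection; the linked procedure is for disconnected computers) is about a computer with no internet connection at all. Suggest keeping the original meaning and only swapping the portal name, for example "To support a disconnected computer by using the Microsoft Purview compliance portal, perform the following steps:".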
compliance Deploy Scanner https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/deploy-scanner.md
The information protection scanner can inspect any files that Windows can index.
The following image shows the scanner architecture, where the scanner discovers files across your on-premises and SharePoint servers. To inspect your files, the scanner uses IFilters installed on the computer. To determine whether the files need labeling, the scanner uses sensitive information types and pattern detection, or regex patterns.
compliance Dlp Microsoft Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-microsoft-teams.md
You can extend the Teams DLP policy to cover SharePoint Online and OneDrive for
> [!NOTE] > Only those Teams policies that have rules with conditions or exceptions of **content contains** or **content is shared from Microsoft 365** can be extended for automatic file protection. If the condition or exception configuration has **Sender is**, **sender domain is**, **recipient is**, and **recipient domain is** present, the extension action will fail because these conditions donΓÇÖt apply to SharePoint and OneDrive. -- **Example 3: Protecting communications in Teams Shared Channels**. For shared channels, the host Teams team DLP policy are applied. For example letΓÇÖs say there's a shared channel owned by TeamA of Contoso. TeamA has a DLP policy P1. There are 3 ways to share a channel:
+- **Example 3: Protecting communications in Teams Shared Channels**. For shared channels, the host Teams team DLP policy is applied. For example letΓÇÖs say there's a shared channel owned by TeamA of Contoso. TeamA has a DLP policy P1. There are 3 ways to share a channel:
- **Share with member**: You invite user1 from Contoso to join the shared channel without making him a member of TeamA. Everyone in this shared channel, including user1, will be covered by P1. - **Share with team (internally)**: You share the channel with another team TeamB in Contoso. That another team may have a different DLP policy, but that doesnΓÇÖt matter. P1 will apply to everyone in this shared channel, including both TeamA and TeamB users. - **Share with team (cross tenant)**: You share the channel with a team TeamF in Fabrikam. Fabrikam may have its own DLP policy, but that doesnΓÇÖt matter. P1 will apply to everyone in this shared channel, including both TeamA (Contoso) and TeamF (Fabrikam) users.
To perform this task, you must be assigned a role that has permissions to edit D
5. On the **Choose locations** tab, keep the default setting of all accounts, or select **Let me choose specific locations**. You can specify: 1. Up to 1000 individual accounts to include or exclude
- 1. Distribution lists and security groups to include or exclude.
+ 1. Distribution lists and security groups (mail enabled) to include or exclude.
<!-- 1. the shared mailbox of a shared channel. **This is a public preview feature.**--> 6. Then choose **Next**.
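Review bot: "Distribution lists and security groups (mail enabled) to include or exclude" leaves it unclear whether the mail-enabled requirement applies to both item types or only to security groups; "Distribution lists and mail-enabled security groups" states the constraint unambiguously. Separately, the Example 3 paragraph uses curly apostrophes (rendered here as "ΓÇÖ" in "donΓÇÖt", "letΓÇÖs", "doesnΓÇÖt") while the rest of the file uses straight ones ("aren't", "can't"); straight apostrophes would avoid this kind of encoding problem.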
compliance Import Hr Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/import-hr-data.md
The type of HR data to import depends on the insider risk management policy and
| Policy template | HR data type | |:|:--| | Data theft by departing users | Employee resignations|
-| General data leaks | Not applicable|
+| Data leaks | Not applicable|
| Data leaks by priority users | Not applicable | | Data leaks by risky users | Job level changes, Performance reviews, Performance improvement plans|
-| General security policy violations | Not applicable |
+| Security policy violations | Not applicable |
| Security policy violations by departing users | Employee resignations| | Security policy violations by priority users | Not applicable| | Security policy violations by risky users| Job level changes, Performance reviews, Performance improvement plans |
compliance Retention Limits https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-limits.md
A single tenant can have a maximum of 10,000 policies (any configuration). This
- Auto-labeling policies for SharePoint and OneDrive, unless they are for cloud attachments. - Published label policies for SharePoint and OneDrive that delete-only, rather than retain-only, or retain and then delete. - Exchange retention policies from [messaging records management (MRM)](/exchange/security-and-compliance/messaging-records-management/messaging-records-management).-- Litigation holds
+- Litigation holds.
Within this 10,000 policies limit, there are also some limits on the maximum number of policies for retention per workload:
compliance Retention Policies Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-teams.md
For other workloads, see:
> > Retention policies also support messages posted with the [chat with yourself](https://support.microsoft.com/office/start-a-chat-in-teams-0c71b32b-c050-4930-a887-5afbe742b3d8?storagetype=live#bkmk_chatwithself) feature.
-Teams chats messages, channel messages, and private channel messages can be deleted by using retention policies for Teams, and in addition to the text in the messages, the following items can be retained for compliance reasons: [Video clips](https://support.microsoft.com/office/record-a-video-clip-in-teams-0c57dae5-2974-4214-9c46-7a2136386f1c), embedded images, tables, hypertext links, links to other Teams messages and files, and [card content](/microsoftteams/platform/task-modules-and-cards/what-are-cards). Chat messages and private channel messages include all the names of the people in the conversation, and channel messages include the team name and the message title (if supplied).
+Teams chats messages, channel messages, and private channel messages can be deleted by using retention policies for Teams, and in addition to the text in the messages, the following items can be retained for compliance reasons: [Video clips](https://support.microsoft.com/office/record-a-video-clip-in-teams-0c57dae5-2974-4214-9c46-7a2136386f1c), embedded images, tables, hypertext links, links to other Teams messages and files, and [card content](/microsoftteams/platform/task-modules-and-cards/what-are-cards). Newly created call data records, which are system-generated messages, are also included. Chat messages and private channel messages include all the names of the people in the conversation, and channel messages include the team name and the message title (if supplied).
Code snippets, recorded voice memos from the Teams mobile client, thumbnails, announcement images, and reactions from others in the form of emoticons aren't retained when you use retention policies for Teams.
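Review bot: the added sentence "Newly created call data records, which are system-generated messages, are also included" sits between a list of items that "can be retained" and a sentence about what messages "include", so it is not clear whether call data records are retained, deleted, or both by the policy; state explicitly which retention actions apply to them. As in the retention policy note for this batch, "newly created" also needs a date or condition so admins know which records are in scope.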
compliance Sensitivity Labels Aip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-aip.md
For your Windows Office apps that support built-in labeling, use the configurati
|Outlook | `MSIP.OutlookAddin` | | | |
-Deploy this setting by using Group Policy, or by using the [Office cloud policy service](/DeployOffice/overview-office-cloud-policy-service).
+Deploy this setting by using Group Policy, or by using the [Cloud Policy service for Microsoft 365](/DeployOffice/overview-office-cloud-policy-service).
> [!IMPORTANT] > If you use the Group Policy setting **Use the Sensitivity feature in Office to apply and view sensitivity labels** and set this to **1**, there are some situations where the AIP add-in might still load in Office apps. Blocking the add-in from loading in each app prevents this happening.
In the [newer versions of Office](#how-to-disable-the-aip-add-in-to-use-built-in
This new setting is still rolling out. If you don't see it yet, wait a few more days and try again.
-Deploy this setting by using Group Policy, or by using the [Office cloud policy service](/DeployOffice/overview-office-cloud-policy-service).
+Deploy this setting by using Group Policy, or by using the [Cloud Policy service for Microsoft 365](/DeployOffice/overview-office-cloud-policy-service).
Additional Office settings you might need to configure:
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
The numbers listed are the minimum Office application versions required for each
|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using sensitive info types | Current Channel: 2009+ <br /><br> Monthly Enterprise Channel: 2009+ <br /><br> Semi-Annual Enterprise Channel: 2102+ | 16.44+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers | Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.49+ | Under review | Under review | Under review | |[Support co-authoring and AutoSave](sensitivity-labels-coauthoring.md) for labeled and encrypted documents | Current Channel: 2107+ <br /><br> Monthly Enterprise Channel: 2107+ <br /><br> Semi-Annual Enterprise Channel: 2202+ | 16.51+ | 2.58+ | 16.0.14931+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
-|[PDF support](#pdf-support)| Current Channel: 2208+ <br /><br> Monthly Enterprise Channel: 2208+ <br /><br> Semi-Annual Enterprise Channel: Under review| Under review | Under review | Under review | Under review |
+|[PDF support](#pdf-support)| Current Channel: 2208+ <br /><br> Monthly Enterprise Channel: 2209+ <br /><br> Semi-Annual Enterprise Channel: Under review| Under review | Under review | Under review | Under review |
|[Sensitivity bar](#sensitivity-bar) and [display label color](#label-colors) | Preview: Rolling out to [Beta Channel](https://office.com/insider) | Under review | Under review | Under review | Under review | ### Sensitivity label capabilities in Outlook
If both of these conditions are met but you need to turn off the built-in labels
If you later need to revert this configuration, change the value to **1**. You might also need to change this value to 1 if the **Sensitivity** button isn't displayed on the ribbon as expected. For example, a previous administrator turned this labeling setting off.
-Deploy this setting by using Group Policy, or by using the [Office cloud policy service](/DeployOffice/overview-office-cloud-policy-service). The setting takes effect when these Office apps restart.
+Deploy this setting by using Group Policy, or by using the [Cloud Policy service for Microsoft 365](/DeployOffice/overview-office-cloud-policy-service). The setting takes effect when these Office apps restart.
Because this setting is specific to Windows Office apps, it has no impact on other apps on Windows that support sensitivity labels (such as Power BI) or other platforms (such as macOS, mobile devices, and Office for the web). If you don't want some or all users to see and use sensitivity labels across all apps and all platforms, don't assign a sensitivity label policy to those users.
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
### Communication compliance -- **In preview**: New communication compliance [integration with insider risk management](/microsoft-365/compliance/communication-compliance#integration-with-insider-risk-management-preview). Communication compliance can now provide disgruntlement signals detected in messages to insider risk management disgruntlement policies. Disgruntlement detected in messages by the communication compliance policy act as a triggering event to bring users into scope for the insider risk management policies.
+- **In preview**: New communication compliance [integration with insider risk management](/microsoft-365/compliance/communication-compliance#integration-with-insider-risk-management-preview). Communication compliance can now provide risk signals detected in messages to insider risk management policies. Risky users detected in messages by the communication compliance policy act as a triggering event to bring users into scope for the insider risk management policies.
### Insider risk management - **In preview**: Insider risk management introduces [forensic evidence](/microsoft-365/compliance/insider-risk-management-forensic-evidence), which enables customizable visual activity capturing across devices to help your organization better mitigate, understand, and respond to potential data risks like unauthorized data exfiltration of sensitive data.-- **In preview**: Insider risk management [integration with communication compliance](/microsoft-365/compliance/communication-compliance#integration-with-insider-risk-management-preview) when using the *Data leaks by disgruntled users* or *Security policy violations by disgruntled users* policy templates. Communication compliance can now provide disgruntlement signals detected in messages to insider risk management disgruntlement policies.
+- **In preview**: Insider risk management [integration with communication compliance](/microsoft-365/compliance/communication-compliance#integration-with-insider-risk-management-preview) when using the *Data leaks by risky users* or *Security policy violations by risky users* policy templates. Communication compliance can now provide risk signals detected in messages to insider risk management policies.
- **In preview**: New [inline alert customization](/microsoft-365/compliance/insider-risk-management-settings#inline-alert-customization-preview) allows analysts and investigators to quickly edit policies when reviewing alerts. - New [priority content scoring updates](/microsoft-365/compliance/insider-risk-management-policies#prioritize-content-in-policies) that allow you to choose whether to assign risk scores to all activities detected by a policy or only activities that include priority content. - Security teams are now able to [customize a security trigger](/microsoft-365/compliance/insider-risk-management-policies#policy-templates) in the 'data leaks' policy to surface when a user performs a sequence, enabling them to respond to user actions that might be considered riskier.
enterprise Cross Tenant Mailbox Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-mailbox-migration.md
f1.keywords:-- NOCSH
+ - NOCSH
Last updated 06/20/2022 -- it-pro-- admindeeplinkMAC-- admindeeplinkEXCHANGE
# Cross-tenant mailbox migration (preview)
Cross-tenant Exchange mailbox migrations are supported for tenants in hybrid or
This article describes the process for cross-tenant mailbox moves and provides guidance on how to prepare source and target tenants for the Exchange Online mailbox content moves.
> [!IMPORTANT]
-> When a mailbox is migrated Cross-Tenant with this feature, all email, including email held for litigation, is migrated. After successful migration, the source mailbox is deleted. This means that after the migration, under no circumstances (including mailboxes on litigation or retention hold), is the source mailbox available, discoverable, or accessible in the source tenant.
-> Currently we are investigating an issue where in some scenarios, Teams chat data is also held in the mailbox, but the Teams chat data is not migrated. If Teams chat data must be preserved, do not use this feature to migrate the mailbox.
+> Do not use this feature to migrate mailboxes on any type of hold. Migrating source mailboxes for users on hold is not supported.
+> When a mailbox is migrated cross-tenant with this feature, only user visible content in the mailbox (email, contacts, calendar, tasks, and notes) is migrated. to the target (destination tenant). After successful migration, the source mailbox is deleted. This means that after the migration, under no circumstances, is the source mailbox available, discoverable, or accessible in the source tenant.
> [!NOTE]
> If you are interested in previewing our new feature Domain Sharing for email alongside your cross-tenant mailbox migrations, please complete the form at [aka.ms/domainsharingpreview](https://aka.ms/domainsharingpreview). Domain sharing for email enables users in separate Microsoft 365 tenants to send and receive email using addresses from the same custom domain. The feature is intended to solve scenarios where users in separate tenants need to represent a common corporate brand in their email addresses. The current preview supports sharing domains indefinitely and shared domains during cross-tenant mailbox migration coexistence.
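Review bot: the last added line of the IMPORTANT box has a stray sentence break, "is migrated. to the target (destination tenant)"; it should read "is migrated to the target (destination) tenant". The removed sentence about Teams chat data being held in the mailbox but not migrated now survives only in the FAQ entry "Does the Teams chat folder content migrate cross-tenant?" further down; since this box is what admins read before starting a move, consider keeping a one-line pointer to that entry here.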
Ensure the following objects and attributes are set in the target organization.
- ExchangeGUID (direct flow from source to target): The mailbox GUID must match. The move process will not proceed if this isn't present on target object.
- ArchiveGUID (direct flow from source to target): The archive GUID must match. The move process won't proceed if this isn't present on the target object. (This is only required if the source mailbox is Archive enabled).
- - LegacyExchangeDN (flow as proxyAddress, "x500:\<LegacyExchangeDN>"): The LegacyExchangeDN must be present on target MailUser as x500: proxyAddress. In addition, you also need to copy all x500 addresses from the source mailbox to the target mail user. The move processes won't proceed if these aren't present on the target object.
+ - LegacyExchangeDN (flow as proxyAddress, "x500:\<LegacyExchangeDN>"): The LegacyExchangeDN must be present on target MailUser as x500: proxyAddress. In addition, you also need to copy all x500 addresses from the source mailbox to the target mail user. The move processes won't proceed if these aren't present on the target object. Also, this step is important for enabling reply ability for emails that are sent before migration. The sender/recipient address in each email item and the auto-complete cache in Microsoft Outlook and in Microsoft Outlook Web App (OWA) uses the value of the LegacyExchangeDN attribute. If a user cannot be located using the LegacyExchangeDN value then the delivery of email messages may fail with a 5.1.1 NDR.
- UserPrincipalName: UPN will align to the user's NEW identity or target company (for example, user@northwindtraders.onmicrosoft.com).
- Primary SMTPAddress: Primary SMTP address will align to the user's NEW company (for example, user@northwind.com).
- TargetAddress/ExternalEmailAddress: MailUser will reference the user's current mailbox hosted in source tenant (for example user@contoso.onmicrosoft.com). When assigning this value, verify that you have/are also assigning PrimarySMTPAddress or this value will set the PrimarySMTPAddress, which will cause move failures.
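The attribute requirements above, plus the later point that MRS picks the converted source MailUser's forwarding address from the target proxy matching `-TargetDeliveryDomain`, as one pre-flight check. This is an added example, not code from the article or from Microsoft; it assumes the `-Prefix Source` / `-Prefix Target` cmdlet naming the article uses, and the domain values and sample objects at the end are constructed.

```powershell
# Added example (not from the Microsoft Docs article): pre-flight check for one
# target-tenant MailUser before a cross-tenant move. It compares objects you have
# already fetched, e.g. after Connect-ExchangeOnline -Prefix Source and
# Connect-ExchangeOnline -Prefix Target, via Get-SourceMailbox / Get-TargetMailUser.
function Test-CrossTenantMailUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $SourceMailbox,   # Get-Mailbox output from the source tenant
        [Parameter(Mandatory)] $TargetMailUser,  # Get-MailUser output from the target tenant
        # Domain you intend to pass to New-MoveRequest -TargetDeliveryDomain (assumed value)
        [Parameter(Mandatory)] [string] $TargetDeliveryDomain,
        # Routing domain of the source tenant that ExternalEmailAddress must point at (assumed value)
        [Parameter(Mandatory)] [string] $SourceRoutingDomain
    )

    $findings  = [System.Collections.Generic.List[string]]::new()
    $emptyGuid = [string][guid]::Empty

    # Normalize proxy addresses to plain strings; EXO returns ProxyAddress objects.
    $targetProxies = @($TargetMailUser.EmailAddresses | ForEach-Object { "$_" })
    $sourceProxies = @($SourceMailbox.EmailAddresses  | ForEach-Object { "$_" })

    # 1. ExchangeGUID must match exactly, or the move will not start.
    if ([string]$SourceMailbox.ExchangeGuid -ne [string]$TargetMailUser.ExchangeGuid) {
        $findings.Add("ExchangeGuid mismatch: source=$($SourceMailbox.ExchangeGuid) target=$($TargetMailUser.ExchangeGuid)")
    }

    # 2. ArchiveGUID must match as well, but only when the source mailbox has an archive.
    if ([string]$SourceMailbox.ArchiveGuid -ne $emptyGuid -and
        [string]$SourceMailbox.ArchiveGuid -ne [string]$TargetMailUser.ArchiveGuid) {
        $findings.Add("ArchiveGuid mismatch: source=$($SourceMailbox.ArchiveGuid) target=$($TargetMailUser.ArchiveGuid)")
    }

    # 3. The source LegacyExchangeDN and every x500 proxy the source already carries
    #    must exist as x500: proxies on the target; otherwise the move stops and
    #    replies to pre-migration mail can fail with a 5.1.1 NDR.
    $requiredX500 = @("x500:$($SourceMailbox.LegacyExchangeDN)") +
                    @($sourceProxies | Where-Object { $_ -like 'x500:*' })
    foreach ($x500 in ($requiredX500 | Select-Object -Unique)) {
        if (-not ($targetProxies -contains $x500)) {
            $findings.Add("Missing proxyAddress on target: $x500")
        }
    }

    # 4. ExternalEmailAddress (targetAddress) must route back to the source tenant and
    #    must not have silently become the PrimarySmtpAddress.
    $external = ("$($TargetMailUser.ExternalEmailAddress)" -replace '^smtp:', '')
    $primary  = "$($TargetMailUser.PrimarySmtpAddress)"
    if ($external -notlike "*@$SourceRoutingDomain") {
        $findings.Add("ExternalEmailAddress '$external' does not point at $SourceRoutingDomain")
    }
    if ($primary -ieq $external -or $primary -like "*@$SourceRoutingDomain") {
        $findings.Add("PrimarySmtpAddress '$primary' still points at the source tenant; set it explicitly before TargetAddress")
    }

    # 5. UPN should already be the user's target-tenant identity.
    if ("$($TargetMailUser.UserPrincipalName)" -like "*@$SourceRoutingDomain") {
        $findings.Add("UserPrincipalName still uses the source tenant domain")
    }

    # 6. After the move MRS converts the source mailbox to a MailUser and takes its new
    #    ExternalEmailAddress from the target proxy that matches -TargetDeliveryDomain,
    #    so such a proxy has to exist on the target object.
    if (-not ($targetProxies | Where-Object { $_ -like "smtp:*@$TargetDeliveryDomain" })) {
        $findings.Add("No smtp proxyAddress in $TargetDeliveryDomain for MRS to use as the post-move forwarding address")
    }

    [pscustomobject]@{
        Identity = $primary
        Ready    = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Constructed sample objects (not real tenant data) to show the output shape.
# The target is missing the x500 for the current LegacyExchangeDN, so Ready is False.
$src = [pscustomobject]@{
    ExchangeGuid     = 'd5b1e0a5-1111-4222-8333-444455556666'
    ArchiveGuid      = [string][guid]::Empty
    LegacyExchangeDN = '/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user1'
    EmailAddresses   = @('SMTP:user@contoso.com', 'smtp:user@contoso.onmicrosoft.com', 'x500:/o=Old Org/cn=Recipients/cn=user1')
}
$tgt = [pscustomobject]@{
    ExchangeGuid         = 'd5b1e0a5-1111-4222-8333-444455556666'
    ArchiveGuid          = [string][guid]::Empty
    UserPrincipalName    = 'user@northwindtraders.onmicrosoft.com'
    PrimarySmtpAddress   = 'user@northwind.com'
    ExternalEmailAddress = 'SMTP:user@contoso.onmicrosoft.com'
    EmailAddresses       = @('SMTP:user@northwind.com', 'smtp:user@northwindtraders.mail.onmicrosoft.com', 'x500:/o=Old Org/cn=Recipients/cn=user1')
}
Test-CrossTenantMailUser -SourceMailbox $src -TargetMailUser $tgt `
    -TargetDeliveryDomain 'northwindtraders.mail.onmicrosoft.com' -SourceRoutingDomain 'contoso.onmicrosoft.com'
```

Run it over every pair before submitting move requests; a non-empty Findings list maps directly to the attribute bullet that needs fixing.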
Ensure the following objects and attributes are set in the target organization.
- msExchSafeRecipientsHash – Writes back online safe and blocked sender data from clients to on-premises Active Directory.
- msExchSafeSendersHash – Writes back online safe and blocked sender data from clients to on-premises Active Directory.
-2. If the source mailbox is on LitigationHold and the source mailbox Recoverable Items size is greater than our database default (30 GB), moves will not proceed since the target quota is less than the source mailbox size. You can update the target MailUser object to transition the ELC mailbox flags from the source environment to the target, which triggers the target system to expand the quota of the MailUser to 100 GB, thus allowing the move to the target. These instructions will work only for hybrid identity running Azure AD Connect, as the commands to stamp the ELC flags are not exposed to tenant administrators.
+2. If the source mailbox Recoverable Items size is greater than our database default (30 GB), moves will not proceed since the target quota is less than the source mailbox size. You can update the target MailUser object to transition the ELC mailbox flags from the source environment to the target, which triggers the target system to expand the quota of the MailUser to 100 GB, thus allowing the move to the target. In a Hybrid environment you will need set the appropriate msExchELCMailboxFlags on the target ADUser.
- > [!NOTE]
- > SAMPLE ΓÇô AS IS, NO WARRANTY
- >
- > This script assumes a connection to both source mailbox (to get source values) and the target on-premises Active Directory (to stamp the ADUser object). If source has litigation or single item recovery enabled, set this on the destination account. This will increase the dumpster size of destination account to 100 GB.
-
- ```powershell
- $ELCValue = 0
- if ($source.LitigationHoldEnabled) {$ELCValue = $ELCValue + 8} if ($source.SingleItemRecoveryEnabled) {$ELCValue = $ELCValue + 16} if ($ELCValue -gt 0) {Set-ADUser -Server $domainController -Identity $destination.SamAccountName -Replace @{msExchELCMailboxFlags=$ELCValue}}
- ```
-
-3. Non-hybrid target tenants can modify the quota on the Recoverable Items folder for the MailUsers prior to migration by running the following command to enable Litigation Hold on the MailUser object and increasing the quota to 100 GB:
+3. Non-hybrid target tenants can modify the quota on the Recoverable Items folder for the MailUsers prior to migration by running the following command to enable Litigation Hold on the target MailUser object and increasing the quota to 100 GB:
```powershell
Set-MailUser -Identity <MailUserIdentity> -EnableLitigationHoldForMigration
```
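Review bot: the replacement for step 2 drops a word ("you will need set" should be "you will need to set") and, more importantly, deletes the only text that said which msExchELCMailboxFlags bits to stamp: the removed sample added 8 for LitigationHoldEnabled and 16 for SingleItemRecoveryEnabled. With the new guidance that mailboxes on hold are not supported the litigation bit is moot, but a hybrid reader still has no value for the single-item-recovery case; either keep a trimmed snippet with just the SingleItemRecoveryEnabled branch or state the value in the sentence.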
The meetings will move, however the Teams meeting URL does not update when items
### Does the Teams chat folder content migrate cross-tenant?
-No, the Teams chat folder content does not migrate cross-tenant. When a mailbox is migrated Cross-Tenant with this feature, all email, including email held for litigation, is migrated. After successful migration, the source mailbox is deleted. This means that after the migration, under no circumstances (including mailboxes on litigation or retention hold), is the source mailbox available, discoverable, or accessible in the source tenant. Currently we are investigating an issue where in some scenarios, Teams chat data is also held in the mailbox, but the Teams chat data is not migrated. If Teams chat data must be preserved, do not use this feature to migrate the mailbox.
+No, the Teams chat folder content does not migrate cross-tenant. When a mailbox is migrated cross-tenant with this feature, only user visible content in the mailbox (email, contacts, calendar, tasks, and notes) is migrated.
### How can I see just moves that are cross-tenant moves, not my onboarding and off-boarding moves?
```powershell
Get-MoveRequest -Flags "CrossTenant"
```
> [!NOTE]
> SAMPLE – AS IS, NO WARRANTY
-> This script assumes a connection to both source mailbox (to get source values) and the target on-premises Active Directory Domain Services (to stamp the ADUser object). If source has litigation or single item recovery enabled, set this on the destination account. This will increase the dumpster size of destination account to 100 GB.
+> This script assumes a connection to both source mailbox (to get source values) and the target on-premises Active Directory Domain Services (to stamp the ADUser object).
```powershell
# This will export users from the source tenant with the CustomAttribute1 = "Cross-Tenant-Project"
```
There is a matrix of roles based on assumption of delegated duties when executin
Exchange mailbox moves using MRS craft the targetAddress on the original source mailbox when converting to a MailUser by matching an email address (proxyAddress) on the target object. The process takes the -TargetDeliveryDomain value passed into the move command, then checks for a matching proxy for that domain on the target side. When we find a match, the matching proxyAddress is used to set the ExternalEmailAddress (targetAddress) on the converted mailbox (now MailUser) object.
+### How mail flow works after migration?
+
+Cross-Tenant mail flow after migration works similar to Exchange Hybrid mail flow. Each migrated mailbox needs the source MailUser with the correct targetaddress to forward incoming mail from source tenant to mailboxes in target tenant. Transport rules, security and compliance features will run as configured in each tenant that the mail flows through. So, for inbound mail, features like anti-spam, anti-malware, quarantine, as well as transport rules and journaling rules will run in the source tenant first, then in the target tenant.
+ ### How do mailbox permissions transition? Mailbox permissions include Send on Behalf of and Mailbox Access: - Send On Behalf Of (AD:publicDelegates) stores the DN of recipients with access to a user's mailbox as a delegate. This value is stored in Active Directory and currently does not move as part of the mailbox transition. If the source mailbox has publicDelegates set, you will need to restamp the publicDelegates on the target Mailbox once the MEU to Mailbox conversion completes in the target environment by running `Set-Mailbox <principle> -GrantSendOnBehalfTo <delegate>`. -- Mailbox Permissions that are stored in the mailbox will move with the mailbox when both the principal and the delegate are moved to the target system. For example, the user TestUser_7 is granted FullAccess to the mailbox TestUser_8 in the tenant SourceCompany.onmicrosoft.com. After the mailbox move completes to TargetCompany.onmicrosoft.com, the same permissions are set up in the target directory. Examples using _Get-MailboxPermission_ for TestUser_7 in both source and target tenants are shown below. Exchange cmdlets are prefixed with source and target accordingly.
+- Mailbox Permissions that are stored in the mailbox will move with the mailbox when both the principal and the delegate are moved to the target system. For example, the user TestUser*7 is granted FullAccess to the mailbox TestUser_8 in the tenant SourceCompany.onmicrosoft.com. After the mailbox move completes to TargetCompany.onmicrosoft.com, the same permissions are set up in the target directory. Examples using \_Get-MailboxPermission* for TestUser_7 in both source and target tenants are shown below. Exchange cmdlets are prefixed with source and target accordingly.
Here is an example of the output of the mailbox permission before a move.
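Review bot: the replacement for the mailbox-permissions bullet mangles identifiers: `TestUser_7` became `TestUser*7` and `_Get-MailboxPermission_` became `\_Get-MailboxPermission*`, which looks like an editor auto-escaping underscores as emphasis; restore `TestUser_7` and put the cmdlet in backticks (`Get-MailboxPermission`) so it cannot be reinterpreted. The new heading "How mail flow works after migration?" should read "How does mail flow work after migration?", and "Cross-Tenant" in its first sentence should be lowercase "cross-tenant" to match the wording the same commit introduces in the IMPORTANT box.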
enterprise Modern Desktop Deployment And Management Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab.md
description: Learn about where to access the Windows and Office Deployment Lab K
# Windows and Office 365 deployment lab kit
-The Windows and Office 365 deployment lab kit is designed to help you plan, test, and validate your deployment and management of desktops running Windows 10 Enterprise or Windows 11 Enterprise and Microsoft 365 Apps for enterprise. The labs in the kit cover using Microsoft Endpoint Configuration Manager, OneDrive, Windows Autopilot, and more. This kit is highly recommended for organizations preparing for desktop upgrades. As an isolated environment, the lab is also ideal for exploring deployment tool updates and testing your deployment-related automation.
-
-There are two versions of the lab available for free download:
+The Windows and Office 365 deployment lab kits are designed to help you plan, test, and validate your deployment and management of desktops running Windows 10 Enterprise or Windows 11 Enterprise and Microsoft 365 Apps. The labs in the kit cover using Microsoft Intune and Microsoft Configuration Manager. This kit is highly recommended for organizations preparing for desktop upgrades. As an isolated environment, the lab is also ideal for exploring deployment tool updates and testing your deployment-related automation. The following lab kits are available for free download:
|Windows 10 Lab|Windows 11 Lab|
|---|---|
-|[Windows 10 lab environment](https://download.microsoft.com/download/8/5/e/85e007b0-1f3e-460c-bd0a-5a8c6ec490b5/Win10_21H2_lab.zip)|[Windows 11 lab environment](https://download.microsoft.com/download/5/0/b/50bbe36a-9291-4339-9dcc-2a444fcd1659/Microsoft365DeviceLabKit.zip)|
-|[Windows 10 lab guides](https://download.microsoft.com/download/b/d/4/bd4f430b-8cd1-4a07-97b1-c32100fce7ae/Win_10_21H2_lab_guides.zip)|[Windows 11 lab guides](https://download.microsoft.com/download/5/0/b/50bbe36a-9291-4339-9dcc-2a444fcd1659/Win11_SetUp_Guide_08.05.zip)|
+|[Windows 10 lab environment](https://download.microsoft.com/download/b/7/6/b7696d5b-940e-4af6-ba8b-32cfa3532e6e/Windows10_21H2_2022-10-19.zip)|[Windows 11 lab environment](https://download.microsoft.com/download/a/1/0/a10d1f67-b499-4c2f-8db1-79d29cd98b05/Windows11_21H1_2022-10-18.zip)|
+|[Windows 10 lab guides](https://download.microsoft.com/download/b/d/4/bd4f430b-8cd1-4a07-97b1-c32100fce7ae/Win_10_21H2_lab_guides.zip)|[Windows 11 lab guides](https://download.microsoft.com/download/a/1/0/a10d1f67-b499-4c2f-8db1-79d29cd98b05/Win11_Lab_Guides_10.18.zip)|
## A complete lab environment
The lab provides you with an automatically provisioned virtual lab environment,
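Review bot: the new Windows 11 lab environment link points at Windows11_21H1_2022-10-18.zip while the table below lists Windows 11 Enterprise, Version 21H2; Windows 11 shipped first as 21H2, so please confirm the file name before this goes live.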
|Windows 10 Lab|Windows 11 Lab|
|---|---|
-|Windows 10 Enterprise, Version 21H2|Windows 11 Enterprise|
-|Microsoft Endpoint Configuration Manager, Version 2103|Microsoft Endpoint Configuration Manager, Version 2203|
+|Windows 10 Enterprise, Version 21H2|Windows 11 Enterprisem, Version 21H2|
+|Microsoft Endpoint Configuration Manager, Version 2103|Microsoft Endpoint Configuration Manager, Version 2207|
|Windows Assessment and Deployment Kit for Windows 10|Windows Assessment and Deployment Kit for Windows 11|
|Windows Server 2019|Windows Server 2022|
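Review bot: the added Windows 11 row has a typo, "Windows 11 Enterprisem". Also, the product rename applied in the intro paragraph (now "Microsoft Configuration Manager") is not carried into this table, whose added row still says "Microsoft Endpoint Configuration Manager, Version 2207"; use one name in both places.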
Detailed lab guides take you through multiple deployment and management scenario
- Servicing Windows using Microsoft Intune
- Servicing Windows with Configuration Manager
-### Deploy Microsoft 365 Apps for enterprise
+### Deploy Microsoft 365 Apps
- Cloud managed deployment - Locally managed deployment-- Microsoft 365 Apps for enterprise Deployment on Non-AD Joined Devices
+- Microsoft 365 Apps deployment on Non-AD Joined Devices
- Enterprise managed deployment using Configuration Manager - Enterprise managed deployment using Microsoft Intune-- Servicing Microsoft 365 Apps for enterprise using Configuration Manager-- Servicing Microsoft 365 Apps for enterprise using Intune
+- Servicing Microsoft 365 Apps using Configuration Manager
+- Servicing Microsoft 365 Apps using Intune
- LOB Deployment and Management with Microsoft Intune
- Deploy Microsoft Teams
- Assignment filters
Detailed lab guides take you through multiple deployment and management scenario
> [!NOTE]
-> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows client virtual machines expire 90 days after activation of the lab. New versions of the labs will be published on or before November 5, 2022.
+> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows client virtual machines expire 90 days after activation of the lab. New versions of the labs will be published on or before December 31, 2022.
## Additional guidance
frontline Bookings Virtual Visits https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/bookings-virtual-visits.md
frontline Browser Join https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/browser-join.md
frontline Collab Features Apps Toolkit https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/collab-features-apps-toolkit.md
frontline Deploy Teams At Scale https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/deploy-teams-at-scale.md
frontline Flw Choose Scenarios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-choose-scenarios.md
frontline Flw Deploy Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-deploy-overview.md
frontline Flw Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-devices.md
frontline Flw Licensing Options https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-licensing-options.md
frontline Flw Onboarding Wizard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-onboarding-wizard.md
frontline Flw Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-overview.md
frontline Flw Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-pilot.md
frontline Flw Scenario Posters https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-scenario-posters.md
frontline Flw Setup Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-setup-microsoft-365.md
frontline Flw Technical Planning Guide Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-technical-planning-guide-deployment.md
frontline Flw Trial https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-trial.md
frontline Get Up And Running https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/get-up-and-running.md
frontline Hc Delegates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/hc-delegates.md
frontline Manage Shift Based Access Flw https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/manage-shift-based-access-flw.md
frontline Messaging Policies Hc https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/messaging-policies-hc.md
frontline Pin Teams Apps Based On License https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/pin-teams-apps-based-on-license.md
frontline Schedule Owner For Shift Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/schedule-owner-for-shift-management.md
frontline Shifts Connector Blue Yonder Admin Center Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-blue-yonder-admin-center-manage.md
Here's the list of error messages that you may encounter and information to help
|Error type |Error details |Resolution |
|---|---|---|
-|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** on the Connector Management page or the connection details page to go to the Shifts connector wizard.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or Update-CsTeamsShiftConnectionInstance cmdlet.</li><li>Use [this PowerShell script](shifts-connector-powershell-manage.md#change-connection-settings).</li></ul>|
+|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** on the Connector Management page or the connection details page to go to the Shifts connector wizard.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or [Update-CsTeamsShiftsConnectionInstance](/powershell/module/teams/update-csteamsshiftsconnectioninstance) cmdlet.</li><li>Use [this PowerShell script](shifts-connector-powershell-manage.md#change-connection-settings).</li></ul>|
|Unable to authenticate Graph. |Authentication failed. Ensure that you've entered valid credentials for the designated actor and have the required permissions.|Make sure that your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br> Or, update your Microsoft 365 system account credentials in the connection settings.|
|Some users have failed to map correctly|Mapping failed for some users: \<X\> succeeded, \<X\> failed AAD user(s) and \<X\> failed workforce management system user(s).|Use the [Get-CsTeamsShiftsConnectionSyncResult](/powershell/module/teams/get-csteamsshiftsconnectionsyncresult) cmdlet or [this PowerShell script](shifts-connector-powershell-manage.md#user-mapping-errors) to identify the users for whom the mapping failed. Make sure that the users in the mapped team match the users in the WFM instance.|
|Unable to map a team or teams in this batch. |This designated actor profile doesn't have team ownership privileges. |Make sure your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br>If you’ve changed your Microsoft 365 system account, add that account as a team owner, and update the connection settings to use that account.|
frontline Shifts Connector Blue Yonder Known Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-blue-yonder-known-issues.md
frontline Shifts Connector Blue Yonder Powershell Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-blue-yonder-powershell-setup.md
For help with Shifts connector cmdlets, including the cmdlets used in the script
- [New-CsTeamsShiftsConnectionInstance](/powershell/module/teams/new-csteamsshiftsconnectioninstance)
- [Get-CsTeamsShiftsConnectionInstance](/powershell/module/teams/get-csteamsshiftsconnectioninstance)
- [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance)
+- [Update-CsTeamsShiftsConnectionInstance](/powershell/module/teams/update-csteamsshiftsconnectioninstance)
- [Remove-CsTeamsShiftsConnectionInstance](/powershell/module/teams/remove-csteamsshiftsconnectioninstance)
- [Test-CsTeamsShiftsConnectionValidate](/powershell/module/teams/test-csteamsshiftsconnectionvalidate)
- [New-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/new-csteamsshiftsconnectionteammap)
frontline Shifts Connector Powershell Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-powershell-manage.md
Here's the list of error messages that you may encounter and information to help
|Error type |Error details |Resolution |
|---|---|---|
-|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** on the Connector Management page or the connection details page to go to the Shifts connector wizard.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or Update-CsTeamsShiftConnectionInstance cmdlet.</li><li>Use [this PowerShell script](#change-connection-settings).</li></ul>|
+|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** on the Connector Management page or the connection details page to go to the Shifts connector wizard.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or [Update-CsTeamsShiftsConnectionInstance](/powershell/module/teams/update-csteamsshiftsconnectioninstance) cmdlet.</li><li>Use [this PowerShell script](#change-connection-settings).</li></ul>|
|Unable to authenticate Graph. |Authentication failed. Ensure that you've entered valid credentials for the designated actor and have the required permissions.|Make sure that your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br> Or, update your Microsoft 365 system account credentials in the connection settings.|
|Some users have failed to map correctly|Mapping failed for some users: \<X\> succeeded, \<X\> failed AAD user(s) and \<X\> failed workforce management system user(s).|Use the [Get-CsTeamsShiftsConnectionSyncResult](/powershell/module/teams/get-csteamsshiftsconnectionsyncresult) cmdlet or [this PowerShell script](#user-mapping-errors) to identify the users for whom the mapping failed. Make sure that the users in the mapped team match the users in the WFM instance.|
|Unable to map a team or teams in this batch. |This designated actor profile doesn't have team ownership privileges. |Make sure your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br>If you’ve changed your Microsoft 365 system account, add that account as a team owner, and update the connection settings to use that account.|
For help with Shifts connector cmdlets, search for **CsTeamsShiftsConnection** i
- [New-CsTeamsShiftsConnectionInstance](/powershell/module/teams/new-csteamsshiftsconnectioninstance)
- [Get-CsTeamsShiftsConnectionInstance](/powershell/module/teams/get-csteamsshiftsconnectioninstance)
- [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance)
+- [Update-CsTeamsShiftsConnectionInstance](/powershell/module/teams/update-csteamsshiftsconnectioninstance)
- [Remove-CsTeamsShiftsConnectionInstance](/powershell/module/teams/remove-csteamsshiftsconnectioninstance)
- [Test-CsTeamsShiftsConnectionValidate](/powershell/module/teams/test-csteamsshiftsconnectionvalidate)
- [New-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/new-csteamsshiftsconnectionteammap)
frontline Shifts Connector Ukg Admin Center Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-ukg-admin-center-manage.md
Here's the list of error messages that you may encounter and information to help
|Error type |Error details |Resolution |
|---|---|---|
-|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** on the Connector Management page or the connection details page to go to the Shifts connector wizard.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or Update-CsTeamsShiftConnectionInstance cmdlet.</li><li>Use [this PowerShell script](shifts-connector-ukg-powershell-manage.md#change-connection-settings).</li></ul>|
+|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** on the Connector Management page or the connection details page to go to the Shifts connector wizard.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or [Update-CsTeamsShiftsConnectionInstance](/powershell/module/teams/update-csteamsshiftsconnectioninstance) cmdlet.</li><li>Use [this PowerShell script](shifts-connector-ukg-powershell-manage.md#change-connection-settings).</li></ul>|
|Unable to authenticate Graph. |Authentication failed. Ensure that you've entered valid credentials for the designated actor and have the required permissions.|Make sure that your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br> Or, update your Microsoft 365 system account credentials in the connection settings.|
|Some users have failed to map correctly|Mapping failed for some users: \<X\> succeeded, \<X\> failed AAD user(s) and \<X\> failed workforce management system user(s).|Use the [Get-CsTeamsShiftsConnectionSyncResult](/powershell/module/teams/get-csteamsshiftsconnectionsyncresult) cmdlet or [this PowerShell script](shifts-connector-ukg-powershell-manage.md#user-mapping-errors) to identify the users for whom the mapping failed. Make sure that the users in the mapped team match the users in the WFM instance.|
|Unable to map a team or teams in this batch. |This designated actor profile doesn't have team ownership privileges. |Make sure your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br>If you’ve changed your Microsoft 365 system account, add that account as a team owner, and update the connection settings to use that account.|
frontline Shifts Connector Ukg Known Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-ukg-known-issues.md
-+ audience: admin search.appverid: MET150
frontline Shifts Connector Ukg Powershell Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-ukg-powershell-manage.md
-+ audience: admin search.appverid: MET150
Here's the list of error messages that you may encounter and information to help
|Error type |Error details |Resolution | ||||
-|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** on the Connector Management page or the connection details page to go to the Shifts connector wizard.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or Update-CsTeamsShiftConnectionInstance cmdlet.</li><li>Use [this PowerShell script](#change-connection-settings).</li></ul>|
+|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** on the Connector Management page or the connection details page to go to the Shifts connector wizard.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or [Update-CsTeamsShiftsConnectionInstance](/powershell/module/teams/update-csteamsshiftsconnectioninstance) cmdlet.</li><li>Use [this PowerShell script](#change-connection-settings).</li></ul>|
|Unable to authenticate Graph. |Authentication failed. Ensure that you've entered valid credentials for the designated actor and have the required permissions.|Make sure that your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br> Or, update your Microsoft 365 system account credentials in the connection settings.| |Some users have failed to map correctly|Mapping failed for some users: \<X\> succeeded, \<X\> failed AAD user(s) and \<X\> failed workforce management system user(s).|Use the [Get-CsTeamsShiftsConnectionSyncResult](/powershell/module/teams/get-csteamsshiftsconnectionsyncresult) cmdlet or [this PowerShell script](#user-mapping-errors) to identify the users for whom the mapping failed. Make sure that the users in the mapped team match the users in the WFM instance.| |Unable to map a team or teams in this batch. |This designated actor profile doesn't have team ownership privileges. |Make sure your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br>If youΓÇÖve changed your Microsoft 365 system account, add that account as a team owner, and update the connection settings to use that account.|
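Review bot: this resolution table is a near-verbatim copy of the one in the article above (the only difference is the script link, `#change-connection-settings` here versus `shifts-connector-ukg-powershell-manage.md#change-connection-settings` there), which is exactly why the misspelled, unlinked `Update-CsTeamsShiftConnectionInstance` had to be corrected in two places; consider moving the table into a shared include so the two copies cannot drift apart again. The adjacent unchanged "Unable to map a team or teams in this batch" row also still carries the mis-encoded apostrophe in "youΓÇÖve".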
For help with Shifts connector cmdlets, search for **CsTeamsShiftsConnection** i
- [New-CsTeamsShiftsConnectionInstance](/powershell/module/teams/new-csteamsshiftsconnectioninstance) - [Get-CsTeamsShiftsConnectionInstance](/powershell/module/teams/get-csteamsshiftsconnectioninstance) - [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance)
+- [Update-CsTeamsShiftsConnectionInstance](/powershell/module/teams/update-csteamsshiftsconnectioninstance)
- [Remove-CsTeamsShiftsConnectionInstance](/powershell/module/teams/remove-csteamsshiftsconnectioninstance) - [Test-CsTeamsShiftsConnectionValidate](/powershell/module/teams/test-csteamsshiftsconnectionvalidate) - [New-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/new-csteamsshiftsconnectionteammap)
frontline Shifts Connector Ukg Powershell Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-ukg-powershell-setup.md
-+ audience: admin search.appverid: MET150
For help with Shifts connector cmdlets, including the cmdlets used in the script
- [New-CsTeamsShiftsConnectionInstance](/powershell/module/teams/new-csteamsshiftsconnectioninstance) - [Get-CsTeamsShiftsConnectionInstance](/powershell/module/teams/get-csteamsshiftsconnectioninstance) - [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance)
+- [Update-CsTeamsShiftsConnectionInstance](/powershell/module/teams/update-csteamsshiftsconnectioninstance)
- [Remove-CsTeamsShiftsConnectionInstance](/powershell/module/teams/remove-csteamsshiftsconnectioninstance) - [Test-CsTeamsShiftsConnectionValidate](/powershell/module/teams/test-csteamsshiftsconnectionvalidate) - [New-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/new-csteamsshiftsconnectionteammap)
frontline Shifts Connector Wizard Ukg https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-wizard-ukg.md
-+ audience: admin search.appverid: MET150
frontline Shifts Connector Wizard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-wizard.md
-+ audience: admin search.appverid: MET150
frontline Shifts Connectors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connectors.md
-+ audience: admin search.appverid: MET150
frontline Shifts Toolkit https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-toolkit.md
audience: ITPro-+ search.appverid: searchScope:
frontline Switch From Enterprise To Frontline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/switch-from-enterprise-to-frontline.md
-+ audience: admin search.appverid: MET150
frontline Teams In Hc https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/teams-in-hc.md
audience: ITPro-+ search.appverid: MET150 searchScope:
frontline Virtual Appointments Toolkit https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-appointments-toolkit.md
audience: ITPro-+ search.appverid: searchScope:
frontline Virtual Appointments https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-appointments.md
-+ audience: admin search.appverid: MET150
frontline Virtual Visits Usage Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-visits-usage-report.md
audience: Admin-+ f1.keywords:
lighthouse M365 Lighthouse Setup Gdap https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-setup-gdap.md
+
+ Title: "Set up GDAP for your customers"
+f1.keywords: CSH
++++
+audience: Admin
++
+ms.localizationpriority: medium
+
+- Tier1
+- scotvorg
+- M365-subscription-management
+- Adm_O365
+
+- AdminSurgePortfolib
+- M365-Lighthouse
+search.appverid: MET150
+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to set up GDAP for your customers."
++
+# Set up GDAP for your customers
++
+> [!NOTE]
+> This feature is rolling out at different speeds to our customers. If you aren't seeing this feature yet, you should see it soon.
+
+Partners onboarded to Microsoft 365 Lighthouse can now set up all their customers with Granular Delegated Administrative Privileges (GDAP) through Lighthouse, regardless of their licenses or size. Lighthouse enables partners to quickly transition their organization to GDAP and begin the journey to least-privilege for their delegated access to customers. By setting up your organization with GDAP for the customer tenants you manage, users in your organization have the permissions necessary to do their work while keeping customer tenants secure.
+
+Delegated access via DAP or GDAP is a prerequisite for customers to be fully onboard to Lighthouse. Therefore, creating GDAP relationships may be the first step in managing your customers in Lighthouse.
+
+During the GDAP setup process, you'll assign roles to tiers of job functions for employees in your organization and then create GDAP templates that will assign those tiered roles to specific security groups with users for groups of customers. GDAP roles are scoped to [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference), and when you set up GDAP, you'll see recommendations for a set of roles needed for each tier.
+
+## Before you begin
+
+- You'll need to have specific permissions in your own tenant:
+
+ - To establish GDAP security groups and add users, you'll need Global Administrator, User Administrator, or Groups Administrator to set up users with standing access to GDAP roles. You can assign these roles in Azure Active Directory (ADD).
+
+ - To enable the just-in-time (JIT) Only tier, you'll need to have Global Administrator or a combination of User Administrator and Privilege Role Administrator.
+
+ - To create and complete GDAP relationships, you must be a member of the Admin Agents group in Partner Center.
+
+- Any customer can be managed by a Lighthouse partner, if they're set up in Partner Center with either a reseller relationship or an existing delegated relationship (DAP or GDAP).
+
+- To enable the JIT Only tier permissions, you'll also need an Azure AD P2 license.
+
+## Set up GDAP for the first time
+
+When you set up GDAP for the first time, you must complete the following sections in order. Once completed, you can come back and edit any section as needed.
+
+To get started:
+
+1. In the left navigation in Lighthouse, select **Home.**
+
+2. On the **Set up GDAP for your organization** card, select **Begin setup.**
+
+3. Complete the following sections in order.
+
+ [Step 1: Define tiers of permissions](#step-1-define-tiers-of-permissions)
+
+ [Step 2: Create GDAP templates](#step-2-create-gdap-templates)
+
+ [Step 3: Create security groups](#step-3-create-security-groups)
+
+ [Step 4: Assign customer tenants](#step-4-assign-customer-tenants)
+
+ [Step 5: Review settings](#step-5-review-settings)
+
+### Step 1: Define tiers of permissions
+
+Choose the roles needed for each tier based on your employees' job functions.
+
+1. From the **Define tiers of permissions** page, select the roles needed for each tier based on your employees' job functions. You can
+
+ - Adopt recommended configurations, or
+
+ - Manually assign a role to each tier.
+
+2. Select **Next** to go to the next section or select **Save and close** to save your settings and exit GDAP Setup.
+
+You can rename tiers to match your organizational needs. You can remove roles from each tier within the recommendations. Certain roles can't be added to different tiers ΓÇô for example, the roles in the JIT Only tier can't be added to any other tier.
+
+### Step 2: Create GDAP templates
+
+A GDAP template is a collection of:
+
+- Tiers with roles
+
+- Security groups per tier
+
+- Users in each security group
+
+To create a GDAP template:
+
+1. From the **Create GDAP templates** page, select **Create template**.
+
+2. In the template pane, enter template name and description into the appropriate fields.
+
+3. Select one or more tiers from the list.
+
+4. Select **Save**.
+
+5. Select **Next** to go to the next section, or select **Save and close** to save your settings and exit GDAP Setup.
+
+### Step 3: Create security groups
+
+You'll need at least one security group per tier for each template. For the first template, you'll create a new security group, but on subsequent templates, you may reuse groups if desired.
+
+1. From the **Create security groups** page, select **Create security group**.
+
+2. In the security group pane, enter name and description.
+
+3. Select **Add users**.
+
+4. From the Add users list, select the users you want to include in this security group.
+
+5. Select **Save.**
+
+6. Select **Save** again.
+
+7. Select **Next** to go to the next section or select **Save and close** to save your settings and exit GDAP Setup.
+
+### Step 4: Assign customer tenants
+
+Assign groups of customers to each template. Each customer can only be assigned to one template, so once selected, that customer tenant won't be displayed as an option on subsequent templates.
+
+If you want to reassign a customer tenant, rerun GDAP Setup and deselect that customer from the existing assignment. Then you can reassign it to a different template. You can filter the list using the search box in the upper right corner.
+
+1. From the **Assign customer tenants** page, select the tenants you want to associate with the security group you created.
+
+2. Select **Next** to go to the next section or select **Save and close** to save your settings and exit GDAP Setup.
+
+### Step 5: Review settings
+
+1. From the **Review settings** page, review the settings you created and then select **Finish.**
+
+2. Select **Done.**
+
+If any customer tenants already had a DAP relationship, during the no consent window, these settings will be automatically applied. For customers without DAP, or if the no consent window has closed, choosing **Finish** will take you to the last page where a consent links are generated for each customer as needed. Once the customer consents to the GDAP relationship, the rest of the settings will be automatically applied.
+
+Once you've completed GDAP setup, you can navigate to different steps to make any updates or changes to tiers, roles, security groups, or templates. The GDAP relationships will also be visible in Partner Center, and the security groups will be visible in Azure AD as well.
+
+## Related content
+
+[Overview of permissions](m365-lighthouse-overview-of-permissions.md) (article)\
+[Configure portal security](m365-lighthouse-configure-portal-security.md) (article)\
+[Introduction to granular delegated admin privileges (GDAP)](/partner-center/gdap-introduction) (article)\
+[Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) (article)\
+[Learn about groups and access rights in Azure Active Directory](/azure/active-directory/fundamentals/concept-learn-about-groups) (article)\
+[What is Azure AD entitlement management?](/azure/active-directory/governance/entitlement-management-overview) (article)
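Review bot: two role references under "Before you begin" will send readers looking for the wrong thing: "You can assign these roles in Azure Active Directory (ADD)" should read "(Azure AD)", and "Privilege Role Administrator" is the Azure AD built-in role "Privileged Role Administrator", so the name should match the permissions reference the article itself links to. Smaller fixes in the same file: "for customers to be fully onboard to Lighthouse" should be "onboarded"; the dash in "Certain roles can't be added to different tiers ΓÇô for example" is mis-encoded and should be a plain hyphen or a correctly encoded en dash; and "the last page where a consent links are generated" should drop the stray "a". One documentation gap: the JIT Only tier is first mentioned to the reader in Step 1, but the Azure AD P2 licence and the Privileged Role Administrator requirement for enabling it appear only in "Before you begin"; a one-line pointer back to those prerequisites at the JIT Only mention in Step 1 would stop admins discovering the requirement only when the tier cannot be enabled.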
lighthouse M365 Lighthouse Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-whats-new.md
We're continuously adding new features to [Microsoft 365 Lighthouse](m365-lighth
> [!NOTE] > Some features get rolled out at different speeds to our customers. If you aren't seeing a feature yet, you should see it soon.
+## October 2022
+
+### App protection policies
+
+Managed Service Providers (MSPs) can now deploy app protection policies for their managed tenants from within the default baseline in Microsoft 365 Lighthouse, which allows greater protection of the tenants' company data. These policies use Mobile Application Management (MAM) on iOS and Android devices to provide the most secure protection for company data.
+
+### Device health monitoring
+
+We've added a new deployment sub-task called **Enable Device Health Monitoring** within the default baseline under the **Set up device enrollment** task. Once the new sub-task is enabled and the deployment task is deployed, Endpoint analytics in Microsoft Endpoint Manager will be able to analyze device data and can recommend software, help improve startup performance, and fix common support issues.
+
+For more information, see [What is Endpoint analytics?](/mem/analytics/overview).
+ ## September 2022 ### Fully automated setup of Microsoft Defender for Business
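Review bot: "These policies use Mobile Application Management (MAM) on iOS and Android devices to provide the most secure protection for company data" is a superlative that tells an MSP nothing about what the default baseline actually enforces; state which app protection settings the baseline deploys, or link to the baseline's policy description, so partners can judge the change against their own tenants' requirements before rolling it out. The device health entry in the same section is the better model: it names the sub-task ("Enable Device Health Monitoring") and links to the Endpoint analytics overview.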
security Device Health Microsoft Defender Antivirus Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-health-microsoft-defender-antivirus-health.md
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ localization_priority: Normal Last updated 09/06/2022
+<!-- v-jweston/jweston-1 is scheduled to resume authorship Apr/May 2023.-->
+ # Device health, Microsoft Defender Antivirus health report **Applies to:**
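Review bot: the added HTML comment "v-jweston/jweston-1 is scheduled to resume authorship Apr/May 2023" puts an individual's alias and a staffing schedule into a public source file that ships to every reader of the raw markdown; ownership and scheduling belong in the article's author metadata in the frontmatter or in the repo's work tracking, not in an inline comment. If it has to stay, it should at least be removed before the stated date so it does not go stale.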
whiteboard Manage Data Organizations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/manage-data-organizations.md
Title: Manage data for Microsoft Whiteboard--++ audience: admin