+This article covers the differences between Azure Information Protection (AIP) support for Office 365 operated by 21Vianet and commercial offerings, as well as specific instructions for configuring AIP for customers in China—including how to install the information protection scanner and manage content scan jobs.

+- The scanner area of the compliance portal is unavailable to customers in China. Use [PowerShell commands](#step-6-install-the-information-protection-scanner-and-manage-content-scan-jobs) instead of performing actions in the portal, such as managing and running your content scan jobs.

+1. [Install the information protection scanner and manage content scan jobs](#step-6-install-the-information-protection-scanner-and-manage-content-scan-jobs).

+### Step 6: Install the information protection scanner and manage content scan jobs

+Install the Microsoft Purview Information Protection scanner to scan your network and content shares for sensitive data, and apply classification and protection labels as configured in your organization's policy.

+When configuring and managing your content scan jobs, use the following procedure instead of the [Microsoft Purview compliance portal](../../compliance/deploy-scanner-configure-install.md) that's used by the commercial offerings.

+For more information, see [Learn about the information protection scanner](../../compliance/deploy-scanner.md) and [Manage your content scan jobs using PowerShell only](../../compliance/deploy-scanner-prereqs.md#use-powershell-with-a-disconnected-computer).

+- [Run a discovery cycle and view reports for the scanner](../../compliance/deploy-scanner-manage.md#run-a-discovery-cycle-and-view-reports-for-the-scanner)

+- [Use PowerShell to configure the scanner to apply classification and protection](../../compliance/deploy-scanner-configure-install.md?tabs=azure-portal-only#use-powershell-to-configure-the-scanner-to-apply-classification-and-protection)

+- [Use PowerShell to configure a DLP policy with the scanner](../../compliance/deploy-scanner-configure-install.md?tabs=azure-portal-only#use-powershell-to-configure-a-dlp-policy-with-the-scanner)

+- [Learn about the information protection scanner](../../compliance/deploy-scanner.md)

+- [Configuring and installing the information protection scanner](../../compliance/deploy-scanner-configure-install.md?tabs=powershell-only)

+- [Manage your content scan jobs using PowerShell only](../../compliance/deploy-scanner-prereqs.md#use-powershell-with-a-disconnected-computer).

+ - For files in on-premises data stores, such as network shares and SharePoint Server libraries: Use the [scanner](deploy-scanner.md) to discover sensitive information in these files and label them appropriately. If you're planning to migrate or upload these files to SharePoint in Microsoft 365, use the scanner to label the files before you move them to the cloud.

+- Deploy the AIP client and scanner. For more information see, [Install the AIP unified labeling client](/azure/information-protection/rms-client/install-unifiedlabelingclient-app) and, [Configuring and installing the information protection scanner](deploy-scanner-configure-install.md).

+2. Follow the procedures in [Configuring and installing the information protection scanner](deploy-scanner-configure-install.md) to complete the scanner installation.

+- [Learn about the information protection scanner](deploy-scanner.md)

+- [Get started with the information protection scanner](deploy-scanner-prereqs.md)

+- [Configuring and installing the information protection scanner](deploy-scanner-configure-install.md)

+|**Block these people from accessing file stored in on-premises scanner - Everyone** | When enforced, this action blocks access to all accounts except the content owner, the last account that modified the item and the administrator. It does this by removing all accounts from NTFS/SharePoint permissions at the file level except the file owner, repository owner (set in the [Use a DLP policy](deploy-scanner-configure-install.md#use-a-dlp-policy)) setting in content scan job), last modifier (can be identified in SharePoint only) and admin. The scanner account is also granted FC rights on the file.|

+If you want, once you're finished setting up DKE, you can migrate content that you've protected using HYOK labels to DKE labels. To migrate, you'll use the Microsoft Purview Information Protection scanner. To get started using the scanner, see [Understand the information protection scanner](deploy-scanner.md).

+|Discover, label, and protect files stored in data stores that are on premises |[Deploying the information protection scanner to automatically classify and protect files](deploy-scanner.md)|

+|4|Discover, label, and protect sensitive items that reside in data stores on premises by deploying the [information protection scanner](deploy-scanner.md) with your sensitivity labels.| [Configuring and installing the information protection scanner](deploy-scanner-configure-install.md)|

+|[Information protection scanner](deploy-scanner.md)| Discovers, labels, and protects sensitive information that resides in data stores that are on premises. | [Configuring and installing the information protection scanner](deploy-scanner-configure-install.md)|

+- **Risk factors**: Select one or more risk factors to filter the alert list. The options are *Cumulative exfiltration activities*, *Activities include priority content*, *Sequence activities*, *Activities include unallowed domains*, *Member of a priority user group*, and *Potential high impact user*.

+This section contains general information about the user and alert. This information is available for context while reviewing detailed information about the detected risk management activity included in the alert for the user:

+- **User details**: Displays general information about the user assigned to the alert. If anonymization is enabled, the username, email address, alias, and organization fields are anonymized.

+> [!NOTE]

+> When a user is detected as a potential high impact user, this information is highlighted in the alert header in the **User details** page. The user details also include a summary with the reasons the user has been detected as such. To learn more about setting policy indicators for potential high impact users, see [Insider risk management settings](insider-risk-management-settings.md#indicators).

+- **Cumulative exfiltration detection**: Cumulative exfiltration detection analyzes event logs, but applies a model that includes de-duplicating similar activities to compute cumulative exfiltration risk. Additionally, there may also be a difference in the number of potentially risky activities displayed in the Activity explorer if you have made changes to your existing policy or settings. For example, if you modify allowed/unallowed domains or add new file type exclusions after a policy has been created and potentially risky activity matches have occurred, the cumulative exfiltration detection activities will differ from the results before the policy or settings changes. Cumulative exfiltration detection activity totals are based on the policy and settings configuration at the time of computation and don't include activities prior to the policy and settings changes.

+- **User's risk score**: The current calculated risk level of the user for the case. This score is calculated every 24 hours and uses alert risk scores from all active alerts associated to the user. When *User is detected as a potential high impact user* or *User is a member of a priority user group* risk booster is enabled as **Risk score boosters** in the **Policy indicators** section of the **Insider risk management settings** page, the **User details** page includes detailed information about the user's calculated risk level.

+Depending on how you wish to manage insider risk management policies and alerts, you'll need to assign users to specific role groups to manage different sets of insider risk management features. You have the option to assign users with different compliance responsibilities to specific role groups to manage different areas of insider risk management features. Or you may decide to assign all user accounts for designated administrators, analysts, investigators, and viewers to the *Insider Risk Management* role group. Use a single role group or multiple role groups to best fit your compliance management requirements.

+You can create a priority user group and assign users to the group to help you scope policies specific to the unique circumstances presented by these identified users. To enable the *priority user groups* risk score booster, go to the *Insider risk management settings* page, then select **Policy indicators** and **Risk score boosters**. These identified users are more likely to receive [alerts](insider-risk-management-activities.md#alert-dashboard), so analysts and investigators can review and prioritize these users' risk severity to help triage alerts in accordance with your organization's risk policies and standards.

+See the [Getting started with insider risk management settings](insider-risk-management-settings.md#priority-user-groups) article for step-by-step configuration guidance.

+Depending on how you want to manage insider risk management policies and alerts, you'll need to assign users to specific role groups to manage different sets of insider risk management features. You have the option to assign users with different compliance responsibilities to specific role groups to manage different areas of insider risk management features. Or you may decide to assign all user accounts for designated administrators, analysts, investigators, and viewers to the *Insider Risk Management* role group. Use a single role group or multiple role groups to best fit your compliance management requirements.

+Insider risk analytics gives you an aggregate view of anonymized user activities related to security and compliance, enabling you to evaluate potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher risk and help determine the type and scope of insider risk management policies you may consider configuring. If you decide to act on analytics scan results for [data leaks](#data-leaks) or [data theft](#data-theft-by-departing-users) by departing users policies, you even have the option to configure a quick policy based on these results.

+Insider risk management analysts and investigators may use cumulative exfiltration detection insights to help identify exfiltration activities that may not typically generate [alerts](insider-risk-management-activities.md#alert-dashboard) but are above what is typical for their organization. Some examples may be departing users slowly exfiltrate data across a range of days, or when users repeatedly share data across multiple channels more than usual for data sharing for your organization, or compared to their peer groups.

+>[!NOTE]

+> By default, cumulative exfiltration detection generates risk scores based on a user's cumulative exfiltration activity compared to their organization norms. You can enable *Cumulative exfiltration detection* options in the **Policy indicators** section of the Insider risk management settings page.

+Higher risk scores are assigned to cumulative exfiltration activities for SharePoint sites, sensitive information types, and content with [sensitivity labels](/microsoft-365/compliance/sensitivity-labels#label-priority-order-matters) configured as priority content in a policy or for activity involving labels configured as high priority in [Microsoft Purview Information Protection](information-protection.md).

+### Peer groups for cumulative exfiltration detection

+Insider risk management identifies three types of peer groups for analyzing exfiltration activity performed by users. Peer groups defined for users are based on the following criteria:

+**SharePoint sites**: Insider risk management identifies peer groups based on users who access similar SharePoint sites.

+**Similar organization**: Users with reports and team members based on organization hierarchy. This option requires that your organization uses Azure Active Directory (Azure AD) to maintain organization hierarchy.

+**Similar job title**: Users with a combination of organizational distance and similar job titles. For example, a user with a Senior Sales Manager title with a similar role designation as a Lead Sales Manager in the same organization would be identified as similar job title. This option requires that your organization uses Azure AD to maintain organization hierarchy, role designations, and job titles. If you do not have Azure AD configured for organization structure and job titles, then insider risk management identifies peer groups based on common SharePoint sites.

+

+If you enable cumulative exfiltration detection, your organization is agreeing to sharing Azure AD data with the compliance portal, including organization hierarchy and job titles. If your organization does not use Azure AD to maintain this information, then detection may be less accurate.

+When cumulative exfiltration detection is enabled for data theft or data leak policies, insights from cumulative exfiltration activities are displayed on the **User activity** tab within an insider risk management case. To learn more about user activity management, see [Insider risk management cases: User activities](insider-risk-management-cases.md#user-activity).

+- **Physical access indicators**: These include policy indicators for physical access to sensitive assets. For example, attempted access to a restricted area in your physical badging system logs can be shared with insider risk management policies. To receive these types of alerts in insider risk management, you must have priority physical assets enabled in insider risk management and the [Physical badging data connector](import-physical-badging-data.md) configured. To learn more about configuring physical access, see the [Priority physical access section](#priority-physical-assets-preview) in this article.

+- **Microsoft Defender for Cloud Apps indicators**: These include policy indicators from shared alerts from Defender for Cloud Apps. Automatically enabled anomaly detection in Defender for Cloud Apps immediately starts detecting and collating results, targeting numerous behavioral anomalies across your users and the machines and devices connected to your network. To include these activities in insider risk management policy alerts, select one or more indicators in this section. To learn more about Defender for Cloud Apps analytics and anomaly detection, see [Get behavioral analytics and anomaly detection](/cloud-app-security/anomaly-detection-policy).

+- **Risky browsing indicators (preview)**: These include policy indicators for user browsing activity related to websites that are considered malicious or risky and pose potential insider risk that may lead to a security or compliance incident. Risky browsing activity refers to users who visit potentially risky websites, such as those associated with malware, pornography, violence, and other unallowed activities. To include these risk management activities in policy alerts, select one or more indicators in this section. To learn about configuring browser exfiltration signals, see [Insider risk management browser signal detection](insider-risk-management-browser-support.md).

+- **Cumulative exfiltration detection (preview)**: These include analyses for cumulative exfiltration detection when a userΓÇÖs exfiltration activities exceed organization or peer group norms. When a user shares or emails data outside of the organization at a higher rate than the average user, insider risk management policies can be enabled to detect exfiltration anomalies as compared to organization norms and others in the user's peer groups. For example, if a user is in a sales role and communicates regularly with customers and partners outside of the organization, their external email activity will likely be much higher than the organization's average. However, the user's activity may not be unusual compared to the user's teammates, or others with similar job titles.

+ > [!NOTE]

+ > Peer groups are defined based on organization hierarchy, access to shared SharePoint resources, and job titles in Azure AD. If you enable cumulative exfiltration detection, your organization is agreeing to sharing Azure AD data with the compliance portal, including organization hierarchy and job titles. If your organization does not use Azure AD to maintain this information, then detection may be less accurate.

+- **Risk score boosters**: These include raising the risk score for activity for the following reasons:

+ - *Activity that is above the user's usual activity for that day*: Scores are boosted if the detected activity deviates from the user's typical behavior.

+ - *User had a previous case resolved as a policy violation*: Scores are boosted in the user has a previous case in Insider risk management that was resolved as a policy violation.

+ - *User is a member of a priority user group*: Scores are boosted if the user is a member of a priority user group.

+ - *User is detected as a potential high impact user*: When this is enabled, users are automatically flagged as potential high impact users based on the following criteria:

+ - User interacts with more sensitive content compared to others in the organization

+ - The user's level in organization's Azure AD hierarchy

+ - The total number of users reporting to the user based on Azure AD hierarchy

+ - The user is a member of an Azure AD built-in role with elevated permissions

+ > [!NOTE]

+ > When you enable the potential high impact user risk score booster, you're agreeing to share Azure AD data with the compliance portal. If your organization doesn't use sensitivity labels or has not configured organization hierarchy in Azure AD, then this detection may be less accurate. If a user is detected as both a member of a priority user group and also a potential high impact user, their risk score will only be boosted once.

+2. The user account used to log into the Windows 10 device must be an active Azure AD account. The Windows 10 device may be [Azure AD](/azure/active-directory/devices/concept-azure-ad-join), Azure AD hybrid, joined, or registered.

+ By specifying allowed domains in settings, the risk management activity with these domains is treated similarly to how internal organization activity is treated. For example, domains added here map to activities may involve sharing content with someone outside your organization (such as sending email to someone with a gmail.com address).

+To create a new priority user group, use the setting controls in the **Insider risk management** solution in the Microsoft Purview compliance portal. (You must be a member of the *Insider Risk Management* or *Insider Risk Management Admins* role group.)

+To update an existing priority user group, use setting controls in the **Insider risk management** solution in the Microsoft Purview compliance portal. (You must be a member of the *Insider Risk Management* or *Insider Risk Management Admins* role group.)

+To delete an existing priority user group, use setting controls in the **Insider risk management** solution in the Microsoft Purview compliance portal. (You must be a member of the *Insider Risk Management* or *Insider Risk Management Admin* role group).

+To configure priority physical assets, you'll configure the Physical badging connector and use setting controls in the **Insider risk management** solution in the Microsoft Purview compliance portal. To configure priority physical assets, you must be a member of the *Insider Risk Management* or *Insider Risk Management Admin* role group.

+To delete an existing priority physical asset, you'll use setting controls in the Insider risk management solution in the Microsoft Purview compliance portal. You must be a member of the *Insider Risk Management* or *Insider Risk Management Admins* role group.

+- **Azure Active Directory**: Included in all scans, Azure AD history helps identify risky activities associated with users with deleted user accounts.

+- **Data theft insights**: For departing users or users with deleted Azure AD accounts that may include risky sharing of information outside your organization or data theft by users with malicious intent.

+

+- Users identified as potential high impact users or in priority user groups

+ - **User details**: Lists whether the user has been identified as a potential high impact user or if the user is in priority user groups.

+ - **Alert and activity summary**: Lists active user alerts and open cases.

+ - **In scope**: Lists in-scope assignment of the user to policies.

+- [Security policy violations (preview)](insider-risk-management-policies.md#security-policy-violations-preview)

+- [Patient data misuse (preview)](insider-risk-management-policies.md#patient-data-misuse-preview)

+Containers include SharePoint sites, OneDrive accounts, and Exchange mailboxes.

+ Title: "Search for and export Teams chat data for on-premises users"

+- contentengagementFY23

+# Search for and export Teams chat data for on-premises users

+If your organization has an Exchange hybrid deployment, you can use eDiscovery tools to search for and export Teams chat data for on-premises users. This option is also available for organizations that synchronize on-premises Exchange organization with Microsoft 365.

+For a cloud-based users using Microsoft Teams enabled in your organization, chat data (also called *1x1 or 1xN chats*) is saved to their primary cloud-based mailbox. When an on-premises user uses the Teams chat application, their chat messages can't be stored in their primary mailbox, which is located on-premises. To get around this limitation, a feature where a cloud-based storage area is created so that you use eDiscovery tools to search for and export Teams chat data for on-premises users.

+- Only the Teams chat data associated with an on-premises user is stored in the cloud-based storage area. An on-premises user can't access this storage area.

+## Searching for and exporting Teams chat content for on-premises users

+Microsoft started storing the Teams chat data for on-premises users on January 31, 2018. If the identity of an on-premises Teams user has been synched between your on-premises Active Directory and Azure Active Directory in Microsoft 365 since this date, then their Teams chat data is stored in the cloud and is searchable using eDiscovery tools.

+|[Sensitivity bar](#sensitivity-bar) and [display label color](#label-colors) | Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | Under review | Under review |

+ Title: OneDrive Cross-tenant OneDrive migration FAQs

+recommendations: true

+audience: ITPro

+ms.localizationpriority: high

+- SPMigration

+- M365-collaboration

+- m365initiative-migratetom365

+search.appverid: MET150

+description: "OneDrive Cross-tenant migration feature FAQs"

+# Cross-tenant OneDrive migration FAQs

+**Question**: Can a OneDrive account have any content in the target tenant before migration?</br>

+Answer: No. The tool does not support Merge functionality with existing content at present. The user being migrated must not have a pre-existing OneDrive on the target tenant.

+**Question**: Can users be pre-created on the target tenant?</br>

+Answer: Yes, all Users/Groups that are identified for migration should be pre-created on the target tenant and appropriate licenses assigned prior to staring any migrations. Also:

+- OneDrive site creation should be restricted in the target tenant to prevent users creating OneDrive sites.

+- If a OneDrive site already exists for the user on the target tenant the migration will fail.

+- You cannot overwrite an existing site.

+- OneDrive sites should NOT be created Prior OR during a migration.

+**Question**: Can my OneDrive accounts be in Read-only mode prior to starting any cross-tenant migrations?</br>

+Answer: No, Prior to starting any migrations, you need to ensure that your Source OneDrive accounts are NOT set to Read-Only, the migration will fail if they are.

+**Question**: Can anyone access the OneDrive while the migration process is running?</br>

+Answer: During the migration, the userΓÇÖs OneDrive is set to Read-only in Source.

+**Question**: Can my OneDrive accounts be in **Read-only** mode prior to starting any cross-tenant migrations?</br>

+Answer: No, before starting any migrations, ensure that your source OneDrive accounts are NOT set to Read-only. Otherwise, the migration will fail.

+**Question**: Can anyone access their OneDrive account while the migration process is running?</br>

+Answer: No. During the migration, the userΓÇÖs OneDrive is set to Read-Only in source.

+**Question**: Does the tool support GCC and GCC-High tenants?</br>

+Answer: We do NOT currently support government environments (GCC & GCC-High) but we plan to support them in the future.

+ Title: OneDrive Cross-tenant OneDrive migration Step 1

+ Title: OneDrive Cross-tenant OneDrive migration Step 2

+ Title: OneDrive Cross-tenant OneDrive migration Step 3

+ Title: OneDrive Cross-tenant OneDrive migration Step 4

+ Title: OneDrive Cross-tenant OneDrive migration Step 5

+ Title: OneDrive Cross-tenant OneDrive migration Step 6

+ Title: Cross-tenant OneDrive migration overview

+>[!Important]

+>We recommend that OneDrive site creation be restricted in the target tenant to prevent users from creating OneDrive sites. If a OneDrive site already exists for the user on the target tenant, the migration will fail. You can't overwrite an existing site.

+Tenants in EU member Countries maintain data in Macro Region Geography 1 ΓÇô EMEA. All other tenants have customer data stored in the United States, except Australia. For customers in Australia, Microsoft Forms customer data will be stored at rest in Australia for all new tenants using Forms and existing tenants that have not previously used Forms.

+ - contentengagementFY23

+ - contentengagementFY23

+1. **[Provision users, configure groups, and assign licenses](#step-3-provision-users-configure-groups-and-assign-licenses)**: Learn how to provision users and create groups in Azure AD, then assign frontline licenses to your users.

+1. **[Configure device enrollment](#step-4-configure-device-enrollment)**: Set up shared and personal devices to work with Microsoft 365 and Microsoft Teams and to allow your frontline workers to communicate more securely within your organization.

+1. **[Set up any other services needed for your scenario](#step-5-set-up-other-services)**: Set up services including Exchange, Outlook, SharePoint, and Microsoft Viva.

+1. **[Configure security](#step-6-configure-security)**: Learn how to create security policies to keep your organization secure.

+1. **[Configure apps](#step-7-configure-apps-for-your-scenario)**: After everything is set up and configured in the admin center, you can follow the guidance for your scenarios to further configure the apps you need for each scenario.

+[](media/setup-steps.png#lightbox)

+| [Team communication and collaboration](flw-team-collaboration.md) | [Microsoft Teams](#set-up-microsoft-teams) <br>[Email with Exchange Online](#set-up-email-with-exchange-online) |

+| [Corporate communications](flw-corp-comms.md) | [Microsoft Teams](#set-up-microsoft-teams) <br>[SharePoint](#set-up-sites-with-sharepoint-in-microsoft-365) <br>[Viva Connections](#set-up-viva-connections) <br>[Viva Engage](#set-up-your-organizations-social-network-with-viva-engage) |

+| [Virtual appointments](virtual-appointments.md) | [Microsoft Teams](#set-up-microsoft-teams) |

+| [Engage your employees and focus on employee wellbeing](flw-wellbeing-engagement.md)| [Microsoft Teams](#set-up-microsoft-teams) <br>[SharePoint](#set-up-sites-with-sharepoint-in-microsoft-365) <br>[Viva Connections](#set-up-viva-connections) <br>[Viva Engage](#set-up-your-organizations-social-network-with-viva-engage) |

+| [Schedule your team with Shifts](shifts-for-teams-landing-page.md) | [Microsoft Teams](#set-up-microsoft-teams) |

+| [Onboard new employees](/sharepoint/onboard-employees)| [Microsoft Teams](#set-up-microsoft-teams) <br>[SharePoint](#set-up-sites-with-sharepoint-in-microsoft-365) <br>[Viva Connections](#set-up-viva-connections) <br>[Viva Learning](#set-up-viva-learning)|

+| [Ongoing training](flw-onboarding-training.md) | [Microsoft Teams](#set-up-microsoft-teams) <br>[Viva Learning](#set-up-viva-learning) |

+| [Simplify business processes](simplify-business-processes.md) | [Microsoft Teams](#set-up-microsoft-teams) <br>[Power Apps, Power Automate, and Power BI](#set-up-power-apps-power-automate-and-power-bi) |

+## Step 3: Provision users, configure groups, and assign licenses

+Now that you have Microsoft 365 set up, you can start to add users, organize them into groups, and assign licenses.

+### Provision users

+Now that you have Microsoft 365 set up, you can start to add users, organize them into groups, and assign licenses. Before you provision frontline users, you should create new administrator accounts or review and update your existing [administrator accounts in Azure AD](/azure/active-directory/roles/permissions-reference). [Learn more about what Azure AD admin roles you might need for Microsoft 365](/microsoft-365/admin/add-users/about-admin-roles).

+In this step, you'll create user identities for your frontline workers in Azure AD. You can import users in three ways:

+- **Integrate Azure AD with an existing Active Directory instance:** [Azure AD Connect](/azure/active-directory/hybrid/how-to-connect-install-prerequisites) replicates Active Directory user accounts to Azure AD, allowing a user to have a single identity capable of accessing both local and cloud-based resources.

+- **Integrate Azure AD with a third-party identity solution:** Azure AD supports integration with some third-party providers through federation.

+ - [Learn how to use Okta for Hybrid Microsoft AAD Join](https://www.okta.com/resources/whitepaper/using-okta-for-hybrid-microsoft-aad-join/).

+ - [Learn how to configure PingFederate with Azure AD Connect](/azure/active-directory/hybrid/how-to-connect-install-custom#configuring-federation-with-pingfederate).

+- **Import users from your organization's HR systems:** [Azure AD user provisioning service](/azure/active-directory/app-provisioning/plan-auto-user-provisioning) automates the creation, maintenance, and removal of user identities based on rules set by your organization.

+ - **On-premises HR systems:** You can use [Microsoft Identity Manager](/microsoft-identity-manager/microsoft-identity-manager-2016) to provision users from your on-premises HR systems to Active Directory or directly to Azure AD.

+ - **Cloud-based HR systems:** Learn how to connect [SAP SuccessFactors](/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-tutorial) and [Workday](/azure/active-directory/saas-apps/workday-inbound-tutorial#planning-your-deployment) to Azure AD.

+Use this table to validate your HR-driven user provisioning.

+|Test scenario |Expected results |

+|--|--|

+|New employee is created in the cloud HR app |The user account is provisioned in Azure AD and can access assigned cloud resources. <br> If Azure AD Connect sync is configured, the user account also gets created in Active Directory. <br> The user can sign into Active Directory domain apps and perform their desired actions.|

+|User is terminated in the cloud HR app |The user account is disabled in Azure AD, and, if applicable, Active Directory. <br>The user canΓÇÖt sign into cloud or on-premises applications and resources assigned to them. |

+|Supervisor is updated in the cloud HR app |User remains active with the new mapping. |

+|HR rehires an employee into a new role. |The results depend on how the cloud HR app is configured to generate employee IDs. <br>If the old employee ID is reused for a rehire, the connector enables the existing Active Directory account for the user. <br>If the rehire gets a new employee ID, the connector creates a new Active Directory account for the user. |

+|HR converts the employee to a contract worker or vice-versa |A new Active Directory account is created for the new persona and the old account is disabled on the effective date of the conversion. |

+[Learn more about Azure AD deployment](/azure/active-directory/fundamentals/active-directory-deployment-checklist-p2).

+### Configure Azure AD groups

+Configuring groups in Azure AD allows you to create and manage policies and license assignments at scale.

+- **Assign a unique attribute to frontline workers:** The ability to identify all frontline workers is useful when applying groups to the frontline workforce or for validating that integrations between Azure AD and HR systems are functioning properly. Organizations frequently use the Job ID attribute for this purpose.

+- **Create Azure AD groups and assign frontline users:** With Azure AD groups, you can grant access and permissions to a group of users instead of for each individual user. Groups are used to manage users that all need the same access and permissions to resources, such as potentially restricted apps and services. Instead of adding special permissions to individual users, you create a group that applies the special permissions to every member of that group.

+The table below includes recommendations for applying groups in frontline implementations. For more information on group types, membership types, and assignment, see the [Azure AD documentation for groups and membership](/azure/active-directory/fundamentals/concept-learn-about-groups?context=%2Fazure%2Factive-directory%2Fenterprise-users%2Fcontext%2Fugr-context) and [managing groups](/azure/active-directory/fundamentals/how-to-manage-groups). For more information on security group limits and other Azure AD service limits, see [Azure Active Directory Service limits and restrictions](/azure/active-directory/enterprise-users/directory-service-limits-restrictions).

+|Use case |Group type |

+||--|

+|Assign licenses, policies, and permissions automatically. If a memberΓÇÖs attributes change, the system looks at dynamic group rules for the directory to see if the member meets the rule requirements (is added), or no longer meets the rule requirements (is removed). |Security group (limit 5,000 groups) <br> dynamic user |

+|Manage access for users without automatic assignment to groups. |Security groups or distribution list (no limit applies) |

+|Create an email alias to distribute groups messages to groups of users without automatic user management. |Distribution list or static Microsoft 365 group |

+|Create an email alias or team in Microsoft Teams and manage membership automatically. |Microsoft 365 groups, dynamic user |

+|Use [My Staff](/azure/active-directory/roles/my-staff-configure) to delegate permissions to frontline managers to view employee profiles, change phone numbers, and reset passwords. |[Administrative Unit](/azure/active-directory/roles/administrative-units) |

+### Assign frontline licenses

+You can add licenses to individual users or to groups of users in Azure AD. Group assignment is the most scalable way to assign licenses to your frontline workers. You can assign one or more product licenses to a group.

+[Learn more about group-based licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) and [assigning licenses to groups](/azure/active-directory/enterprise-users/licensing-groups-assign).

+## Step 4: Configure device enrollment

+Registering devices in Azure AD creates a unique identity that can be used to secure and manage devices. [Learn more about Azure AD device identity](/azure/active-directory/devices/).

+### Shared device enrollment with Intune

+**Android:** Automatically enroll Android devices into shared device mode with [Microsoft Endpoint Manager](/mem/intune/fundamentals/whats-new#intune-support-for-provisioning-azure-active-directory-shared-devices). [Learn more about enrolling shared devices in Intune](https://techcommunity.microsoft.com/t5/intune-customer-success/enroll-android-enterprise-dedicated-devices-into-azure-ad-shared/ba-p/1820093).

+**iOS:** Not currently available.

+### BYOD device enrollment with Intune

+Use Microsoft Intune to keep your frontline workers' devices secure and protected. Learn more about how to enroll different types of BYOD devices in Intune:

+- [Windows](/mem/intune/enrollment/windows-enrollment-methods#user-self-enrollment-in-intune)

+- [Android](/mem/intune/enrollment/android-work-profile-enroll)

+- [iOS](/mem/intune/enrollment/ios-enroll#user-owned-iosipados-and-ipados-devices-byod)

+### Configuring devices for shared device mode with third-party mobile device management

+Zero-touch provisioning of shared device mode isnΓÇÖt currently supported by third-party mobile device management(MDM) solutions. However, you can [manually configure shared device mode](/azure/active-directory/develop/tutorial-v2-shared-device-mode#set-up-an-android-device-in-shared-mode) for Android and iOS devices managed in third-party MDM solutions.

+> [!NOTE]

+> While these steps register the device in Azure AD, they don't connect Azure AD to the MDM solution. Conditional access won't be available for these devices.

+[Learn more about configuration with VMware Workspace ONE](https://docs.vmware.com/en/VMware-Workspace-ONE-Access/21.08/ws1_access_connector_install/GUID-271C47F6-856C-40F0-97AB-A8AD95025F9C.html) and [SOTI](https://www.soti.net/mc/help/v15.0/en/console/configurations/advancedconfigurations/shareddevice/shareddevice.html).

+If you choose to manually configure devices in shared device mode, youΓÇÖll need to take more steps to re-enroll Android devices in shared device mode when third-party MDM support is available by uninstalling and reinstalling Authenticator from the device.

+To set up shared and personal devices to work with Microsoft 365 and Microsoft Teams and to allow your frontline workers to communicate more securely within your organization, see [Manage mobile devices for frontline workers](flw-devices.md).

+## Step 5: Set up other services

+Depending on your scenarios, you'll need to configure additional Microsoft 365 services, such as Exchange and Outlook for email or Microsoft Viva to expand your employee experience. Read on for information about each service.

+Your users can also install the Outlook app to use for their email, so you'll want to make sure you share where to download the Outlook app with them.

+#### Outlook

+Using dynamic group backed shared mailboxes based on attributes such as Location, Department, and Role enables your organization to send targeted communications to dynamic groups that donΓÇÖt require administrator intervention.

+### Set up Microsoft Teams

+For a pilot project, you can use the Frontline worker onboarding wizard to set up a single team, configured for your frontline workers. For step-by-step guidance, see [Use the Frontline Worker onboarding wizard to get your frontline workforce up and running](flw-onboarding-wizard.md).

+For full deployments, follow the guidance in [Deploy Teams at scale for frontline workers](deploy-teams-at-scale.md).

+### Set up employee experiences with Microsoft Viva

+#### Set up your organization's social network with Viva Engage

+[Viva Engage](/viva/engage/overview) helps connect your workforce across your company. Learn how to [Set up Viva Engage](/viva/engage/setup) to set it up.

+## Step 6: Configure security

+After provisioning users, enrolling your devices, and configuring your applications, youΓÇÖre now ready to create policies to secure your organizationΓÇÖs infrastructure resources.

+- **Conditional access:** Plan an [Azure Active Directory conditional access deployment](/azure/active-directory/conditional-access/plan-conditional-access).

+- **App protection policies:** [Learn about app management in Microsoft Intune](/mem/intune/apps/app-management).

+- **Multi-factor authentication:** Require [multi-factor authentication for Intune device enrollment](/mem/intune/enrollment/multi-factor-authentication).

+Once youΓÇÖre done setting up security policies, itΓÇÖs important for you to use a test user (non-admin) account to verify the policies work as expected, and to ensure that the end-user experience is right for your frontline workforceΓÇÖs needs. Some capabilities like multi-factor authentication and app protection policies can add additional steps to device enrollment or sign-on flows, which may not be acceptable for some frontline scenarios.

+## Step 7: Configure apps for your scenario

+Follow these best practices to set up Microsoft Teams for your frontline workforce.

+**Policy packages** are a collection of predefined policies and policy settings that you can assign to users who have similar roles in your organization. Policy packages simplify, streamline, and help provide consistency when managing policies. Teams provides [predefined policy packages](/microsoftteams/policy-packages-flw) for frontline workers and managers. You can also create a custom policy package and assign them to your frontline workers at scale in the Teams admin center.

+Use **team templates** in the Teams admin center or by using PowerShell. You can use prebuilt templates or [create your own](/microsoftteams/get-started-with-teams-templates-in-the-admin-console#create-your-own-team-templates). You can also apply template policies to control which templates are available to your users in Teams. Learn more about [how to get started with team templates in the Teams admin center](/microsoftteams/get-started-with-teams-templates-in-the-admin-console) and [how to set up and deploy teams](/microsoft-365/frontline/deploy-teams-at-scale?#set-up-and-deploy-your-teams). A prebuilt frontline template is accessible from the Teams admin center with the template ID "com.microsoft.teams.template.Frontline".

+The table below shows Teams applications commonly utilized in frontline solutions. Shifts, Approvals, and Walkie Talkie are present in the Teams mobile client out of the box. You can control which applications are available to all users in the Teams admin center.

+[Learn more about Microsoft Teams apps](/microsoftteams/deploy-apps-microsoft-teams-landing-page#core-apps).

+ - contentengagementFY23

+3. [Configure services and apps](flw-setup-microsoft-365.md#step-7-configure-apps-for-your-scenario) - Use team templates to set up the teams you need quickly, including the channels and apps you need for your business. Add in other apps from Microsoft as needed to support your scenarios.

+### [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+<!-- v-jweston/jweston-1 is scheduled to resume authorship Apr/May 2023.-->

+## See also

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+<!-- v-jweston/jweston-1 is scheduled to resume authorship Apr/May 2023.-->

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+> [!TIP]

+> Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) and review the detailed information in [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md).

+## See also

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+> [!TIP]

+> For a detailed overview of suppressions, submissions, and exclusions across Microsoft Defender Antivirus and Defender for Endpoint, see [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md).

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+|`%LOCALAPPDATA%`|`C:\WINDOWS\system32\config\systemprofile\AppData\Local`|

+## See also

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+ Title: Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus

+description: Learn about exclusions for Defender for Endpoint and Microsoft Defender Antivirus. Suppress alerts, submit files for analysis, and define exclusions and indicators to reduce noise and risk for your organization.

+ms.mktglfcycl: manage

+ms.sitesec: library

+ms.localizationpriority: medium

+- m365-security

+- tier2

+search.appverid: met150

+# Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus

+**Applies to:**

+- Microsoft Defender Antivirus

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)

+**Platforms**

+- Windows

+> [!NOTE]

+> As a Microsoft MVP, [Fabian Bader](https://cloudbrothers.info) contributed to and provided material feedback for this article.

+[Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) includes a wide range of capabilities to prevent, detect, investigate, and respond to advanced cyberthreats. As with any endpoint protection or antivirus solution, sometimes files, folders, or processes that aren't a threat can be detected as malicious by Defender for Endpoint or Microsoft Defender Antivirus. These entities can be blocked or sent to quarantine, even though theyΓÇÖre not actually a threat. You can take certain actions to prevent false positives and similar issues from occurring. These actions include:

+- [Submitting a file to Microsoft for analysis](#submitting-files-for-analysis)

+- [Suppressing an alert](#suppressing-alerts)

+- [Adding an exclusion or indicator](#exclusions-and-indicators)

+This article explains how these actions work, and describes the various types of exclusions that can be defined for Defender for Endpoint and Microsoft Defender Antivirus.

+> [!CAUTION]

+> Defining exclusions reduces the level of protection offered by Defender for Endpoint and Microsoft Defender Antivirus. Use exclusions as a last resort, and make sure to define only the exclusions that are necessary. Make sure to review your exclusions periodically, and remove the ones you no longer need. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) and [Common mistakes to avoid](common-exclusion-mistakes-microsoft-defender-antivirus.md).

+## Submissions, suppressions, and exclusions

+When youΓÇÖre dealing with false positives, or known entities that are generating alerts, you don't necessarily need to add an exclusion. Sometimes classifying and suppressing an alert is enough. We recommend submitting false positives (and false negatives) to Microsoft for analysis as well. The following table describes some scenarios and what steps to take with respect to file submissions, alert suppressions, and exclusions.

+| Scenario | Steps to consider |

+|:|:-|

+| [False positive](defender-endpoint-false-positives-negatives.md): An entity, such as a file or a process, was detected and identified as malicious, even though the entity isn't a threat. | 1. [Review and classify alerts](defender-endpoint-false-positives-negatives.md#part-1-review-and-classify-alerts) that were generated as a result of the detected entity. <br/><br/>2. [Suppress an alert](defender-endpoint-false-positives-negatives.md#suppress-an-alert) for a known entity. <br/><br/>3. [Review remediation actions](defender-endpoint-false-positives-negatives.md#part-2-review-remediation-actions) that were taken for the detected entity. <br/><br/>4. [Submit the false positive to Microsoft](/microsoft-365/security/intelligence/submission-guide.md) for analysis. <br/><br/>5. [Define an exclusion](defender-endpoint-false-positives-negatives.md#part-3-review-or-define-exclusions) for the entity (only if necessary). |

+| [Performance issues](troubleshoot-performance-issues.md) such as one of the following issues: <br/>- A system is having high CPU usage or other performance issues. <br/>- A system is having memory leak issues. <br/>- An app is slow to load on devices. <br/>- An app is slow to open a file on devices. | 1. [Collect diagnostic data](collect-diagnostic-data.md) for Microsoft Defender Antivirus. <br/><br/>2. If youΓÇÖre using a non-Microsoft antivirus solution, [check with the vendor for any needed exclusions](troubleshoot-performance-issues.md#check-with-vendor-for-antivirus-exclusions). <br/><br/>3. [Analyze the Microsoft Protection Log](troubleshoot-performance-issues.md#analyze-the-microsoft-protection-log) to see the estimated performance impact. <br/><br/>4. Define an exclusion for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md) (if necessary). <br/><br/>5. [Create an indicator for Defender for Endpoint](manage-indicators.md) (only if necessary). |

+| [Compatibility issues](microsoft-defender-antivirus-compatibility.md) with non-Microsoft antivirus products. <br/>Example: Defender for Endpoint relies on security intelligence updates for devices, whether theyΓÇÖre running Microsoft Defender Antivirus or a non-Microsoft antivirus solution. | 1. If youΓÇÖre using a non-Microsoft antivirus product as your primary antivirus/antimalware solution, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-compatibility.md#requirements-for-microsoft-defender-antivirus-to-run-in-passive-mode). <br/><br/>2. If youΓÇÖre switching from a non-Microsoft antivirus/antimalware solution to Defender for Endpoint, see [Make the switch to Defender for Endpoint](switch-to-mde-overview.md). This guidance includes: <br/> - [Exclusions you might need to define for the non-Microsoft antivirus/antimalware solution](switch-to-mde-phase-2.md#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution); <br/> - [Exclusions you might need to define for Microsoft Defender Antivirus](switch-to-mde-phase-2.md#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus); and <br/> - [Troubleshooting information](switch-to-mde-troubleshooting.md) (just in case something goes wrong while migrating). |

+> [!IMPORTANT]

+> An ΓÇ£allowΓÇ¥ indicator is the strongest type of exclusion you can define in Defender for Endpoint. Make sure to use indicators sparinglyΓÇöonly when necessaryΓÇöand review all exclusions periodically.

+## Submitting files for analysis

+If you have a file that you think is wrongly detected as malware (a false positive), or a file that you suspect might be malware even though it wasnΓÇÖt detected (a false negative), you can submit the file to Microsoft for analysis. Your submission will be scanned immediately, and will then be reviewed by Microsoft security analysts. YouΓÇÖll be able to check the status of your submission on the [submission history page](https://www.microsoft.com/wdsi/submissionhistory).

+Submitting files for analysis helps reduce false positives and false negatives for all customers. To learn more, see the following articles:

+- [Submit files for analysis](/microsoft-365/security/intelligence/submission-guide.md) (available to all customers)

+- [Submit files using the new unified submissions portal in Defender for Endpoint](admin-submissions-mde.md) (available to customers who have Defender for Endpoint Plan 2 or Microsoft 365 Defender)

+## Suppressing alerts

+If youΓÇÖre getting alerts in the Microsoft 365 Defender portal for tools or processes that you know aren't actually a threat, you can suppress those alerts. To suppress an alert, you create a suppression rule, and specify what actions to take for that on other, identical alerts. You can create suppression rules for a specific alert on a single device, or for all alerts that have the same title across your organization.

+To learn more, see the following articles:

+- [Suppress alerts](manage-alerts.md#suppress-alerts)

+- [Introducing the new alert suppression experience](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-p/3562719) (for Defender for Endpoint)

+## Exclusions and indicators

+Sometimes, the term *exclusions* is used to refer to exceptions that apply across Defender for Endpoint and Microsoft Defender Antivirus. A more accurate way to describe these exceptions is as follows:

+- [Indicators for Defender for Endpoint](manage-indicators.md); (which apply across Defender for Endpoint and Microsoft Defender Antivirus); and

+- [Exclusions for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md).

+The following table summarizes exclusion types that can be defined for Defender for Endpoint and Microsoft Defender Antivirus.

+> [!TIP]

+> - [Defender for Endpoint Plan 1](defender-endpoint-plan-1.md) is available as a standalone plan, and is included in Microsoft 365 E3.

+> - [Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) is available as a standalone plan, and is included in Microsoft 365 E5.

+> - If you have Microsoft 365 E3 or E5, make sure to [set up your Defender for Endpoint capabilities](deployment-strategy.md).

+| Product/service | Exclusion types |

+|:|:-|

+| [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) <br/>[Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md) | - [Automatic exclusions](#automatic-exclusions) (for Windows Server 2016 and later) <br/>- [Custom exclusions](#custom-exclusions), such as process-based exclusions, folder location-based exclusions, file extension exclusions, or contextual file and folder exclusions<br/>- [Custom remediation actions](#custom-remediation-actions) based on threat severity or for specific threats <br/><br/> *The standalone versions of Defender for Endpoint Plan 1 and Plan 2 don't include server licenses. To onboard servers, youΓÇÖll need another license, such as [Microsoft Defender for Servers Plan 1 or 2](/azure/defender-for-cloud/defender-for-servers-introduction). If you're a small or medium-sized business using Defender for Endpoint Plan 1 or [Microsoft Defender for Business](../defender-business/mdb-overview.md), you can get [Microsoft Defender for Business servers](../defender-business/get-defender-business-servers.md).* |

+| [Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md) | - [Indicators](#defender-for-endpoint-indicators) for files, certificates, or IP addresses, URLs/domains<br/>- [Attack surface reduction exclusions](#attack-surface-reduction-exclusions)<br/>- [Controlled folder access exclusions](#controlled-folder-access-exclusions) |

+| [Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) | - [Automation folder exclusions](#automation-folder-exclusions) (for automated investigation and remediation) |

+The following sections describe these exclusions in more detail:

+- [Microsoft Defender Antivirus exclusions](#microsoft-defender-antivirus-exclusions)

+- [Defender for Endpoint indicators](#defender-for-endpoint-indicators)

+- [Attack surface reduction exclusions](#attack-surface-reduction-exclusions)

+- [Controlled folder access exclusions](#controlled-folder-access-exclusions)

+- [Automation folder exclusions](#automation-folder-exclusions) (for automated investigation and remediation)

+## Microsoft Defender Antivirus exclusions

+Microsoft Defender Antivirus exclusions can apply to antivirus scans and/or to real-time protection. These exclusions include:

+- [Automatic exclusions](#automatic-exclusions)

+- [Custom exclusions](#custom-exclusions)

+- [Custom remediation actions](#custom-remediation-actions)

+### Automatic exclusions

+[Automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md#the-list-of-automatic-exclusions) include operating system files and server roles and features. These exclusions wonΓÇÖt be scanned by [real-time protection](configure-protection-features-microsoft-defender-antivirus.md) but are still subject to [quick, full, or on-demand antivirus scans](schedule-antivirus-scans.md#quick-scan-full-scan-and-custom-scan). The following table provides some examples and includes links to learn more.

+| Automatic exclusion type | Examples |

+|:|:-|

+| Operating system files <br/>(See [Automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md#the-list-of-automatic-exclusions).) | `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb` <br/> `%allusersprofile%\NTUser.pol` <br/> Windows Update files <br/> Windows Security files <br/> … and more |

+| Server roles and features <br/>(See [Default exclusions for roles](configure-server-exclusions-microsoft-defender-antivirus.md#default-exclusions-for-all-roles).) | File Replication Service (FRS) <br/> Hyper-V <br/> SYSVOL <br/> Active Directory <br/> DNS Server <br/> Print Server <br/> Web Server <br/> Windows Server Update Services |

+### Custom exclusions

+[Custom exclusions](configure-exclusions-microsoft-defender-antivirus.md) include files and folders that you specify. Exclusions for files, folders, and processes will be skipped by scheduled scans, on-demand scans, and real-time protection. Exclusions for process-opened files wonΓÇÖt be scanned by [real-time protection](configure-protection-features-microsoft-defender-antivirus.md) but are still subject to [quick, full, or on-demand antivirus scans](schedule-antivirus-scans.md#quick-scan-full-scan-and-custom-scan).

+### Custom remediation actions

+When Microsoft Defender Antivirus detects a potential threat while running a scan, it attempts to remediate or remove the detected threat. You can define custom remediation actions to configure how Microsoft Defender Antivirus should address certain threats, whether a restore point should be created before remediating, and when threats should be removed. [Configure remediation actions for Microsoft Defender Antivirus detections](configure-remediation-microsoft-defender-antivirus.md).

+## Defender for Endpoint indicators

+You can define [indicators](manage-indicators.md) with specific actions for entities, such as files, IP addresses, URLs/domains, and certificates. In Defender for Endpoint, indicators are referred to as Indicators of Compromise (IoCs), and less often, as custom indicators. When you define your indicators, you can specify one of the following actions:

+- **Allow** ΓÇô Defender for Endpoint won't block files, IP addresses, URLs/domains, or certificates that have Allow indicators. (*Use this action with caution.*)

+- **Audit** ΓÇô Files, IP addresses, and URLs/domains with Audit indicators are monitored, and when theyΓÇÖre accessed by users, informational alerts are generated in the Microsoft 365 Defender portal.

+- **Block and Remediate** ΓÇô Files or certificates with Block and Remediate indicators are blocked and quarantined when detected.

+- **Block Execution** ΓÇô IP addresses and URLs/domains with Block Execution indicators are completely blocked. Users can't access those locations.

+- **Warn** ΓÇô IP addresses and URLs/domains with Warn indicators cause a warning message to be displayed when a user attempts to access those locations. Users can choose to bypass the warning and proceed to the IP address or URL/domain.

+> [!IMPORTANT]

+> You can have up to 15,000 indicators in your tenant.

+The following table summarizes IoC types and available actions:

+| Indicator type | Available actions |

+|:|:|

+| [Files](indicator-file.md) | - Allow <br/> - Audit <br/> - Warn <br/> - Block execution <br/> - Block and remediate |

+| [IP addresses and URLs/domains](indicator-ip-domain.md) | - Allow <br/> - Audit <br/> - Warn <br/> - Block execution |

+| [Certificates](indicator-certificates.md) | - Allow <br/> - Block and remediate |

+> [!TIP]

+> See the following resources to learn more about indicators:

+> - [Create indicators](manage-indicators.md)

+> - [Create indicators for files](indicator-file.md)

+> - [Create indicators for IP addresses and URLs/domains](indicator-ip-domain.md)

+> - [Create indicators based on certificates](indicator-certificates.md)

+> - [Manage indicators](indicator-manage.md)

+## Attack surface reduction exclusions

+[Attack surface reduction rules](attack-surface-reduction.md) (also known as ASR rules) target certain software behaviors, such as:

+- Launching executable files and scripts that attempt to download or run files

+- Running scripts that seem to be obfuscated or otherwise suspicious

+- Performing behaviors that apps don't usually initiate during normal day-to-day work

+Sometimes, legitimate applications exhibit software behaviors that could be blocked by attack surface reduction rules. If thatΓÇÖs occurring in your organization, you can define exclusions for certain files and folders. Such exclusions are applied to all attack surface reduction rules. See [Enable attack surface reduction (ASR) rules](attack-surface-reduction-rules-deployment-implement.md#exclude-files-and-folders).

+Also note that while most ASR rules exclusions are independent from Microsoft Defender Antivirus exclusions, some ASR rules do honor some Microsoft Defender Antivirus exclusions. See [Attack surface reduction rules reference - Microsoft Defender Antivirus exclusions and ASR rules](attack-surface-reduction-rules-reference.md#microsoft-defender-antivirus-exclusions-and-asr-rules).

+## Controlled folder access exclusions

+[Controlled folder access](controlled-folders.md) monitors apps for activities that are detected as malicious and protects the contents of certain (protected) folders on Windows devices. Controlled folder access allows only trusted apps to access protected folders, such as common system folders (including boot sectors) and other folders that you specify. You can allow certain apps or signed executables to access protected folders by defining exclusions. See [Customize controlled folder access](customize-controlled-folders.md).

+## Automation folder exclusions

+Automation folder exclusions apply to [automated investigation and remediation](automated-investigations.md) in Defender for Endpoint, which is designed to examine alerts and take immediate action to resolve detected breaches. As alerts are triggered, and an automated investigation runs, a verdict (Malicious, Suspicious, or No threats found) is reached for each piece of evidence investigated. Depending on the [automation level](automation-levels.md) and other security settings, remediation actions can occur automatically or only upon approval by your security operations team.

+You can specify folders, file extensions in a specific directory, and file names to be excluded from automated investigation and remediation capabilities. Such automation folder exclusions will apply to all devices onboarded to Defender for Endpoint. These exclusions are still subject to antivirus scans. See [Manage automation folder exclusions](manage-automation-folder-exclusions.md).

+## How exclusions and indicators are evaluated

+Most organizations have several different types of exclusions and indicators to determine whether users should be able to access and use a file or process. Exclusions and indicators are processed in a particular order so that [policy conflicts are handled systematically](indicator-file.md#policy-conflict-handling).

+The following image summarizes how exclusions and indicators are handled across Defender for Endpoint and Microsoft Defender Antivirus:

+Here's how it works:

+1. If a detected file/process isnΓÇÖt allowed by Windows Defender Application Control and AppLocker, itΓÇÖs blocked. Otherwise, it proceeds to Microsoft Defender Antivirus.

+2. If the detected file/process isnΓÇÖt part of an exclusion for Microsoft Defender Antivirus, itΓÇÖs blocked. Otherwise, Defender for Endpoint checks for a custom indicator for the file/process.

+3. If the detected file/process has a Block or Warn indicator, that action is taken. Otherwise, the file/process is allowed, and proceeds to evaluation by attack surface reduction rules, controlled folder access, and SmartScreen protection.

+4. If the detected file/process isnΓÇÖt blocked by attack surface reduction rules, controlled folder access, or SmartScreen protection, it proceeds to Microsoft Defender Antivirus.

+5. If the detected file/process isnΓÇÖt allowed by Microsoft Defender Antivirus, itΓÇÖs checked for an action based on its threat ID.

+## How policy conflicts are handled

+In cases where Defender for Endpoint indicators conflict, hereΓÇÖs what to expect:

+- If there are conflicting file indicators, the indicator that uses the most secure hash is applied. For example, SHA256 takes precedence over SHA-1, which takes precedence over MD5.

+- If there are conflicting URL indicators, the more strict indicator is used. For [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview), an indicator that uses the longest URL path is applied. For example, `www.dom.ain/admin/` takes precedence over `www.dom.ain`. ([Network protection](network-protection.md) applies to domains, rather than subpages within a domain.)

+- If there are similar indicators for a file or process that have different actions, the indicator that is scoped to a specific device group takes precedence over an indicator that targets all devices.

+## How automated investigation and remediation works with indicators

+[Automated investigation and remediation capabilities](automated-investigations.md) in Defender for Endpoint first determine a verdict for each piece of evidence, and then take an action depending on Defender for Endpoint indicators. Thus, a file/process could get a verdict of ΓÇ£goodΓÇ¥ (which means no threats were found) and still be blocked if thereΓÇÖs an indicator with that action. Similarly, an entity could get a verdict of ΓÇ£badΓÇ¥ (which means itΓÇÖs determined to be malicious) and still be allowed if thereΓÇÖs an indicator with that action.

+The following diagram shows how [automated investigation and remediation works with indicators](manage-indicators.md#automated-investigation-and-remediation-engine):

+## Additional server workloads and exclusions

+If your organization is using other server workloads, such as Exchange Server, SharePoint Server, or SQL Server, be aware that only built-in server roles (that could be prerequisites for software you install later) on Windows Server are excluded by [automatic exclusions](#automatic-exclusions) feature (and only when using their default installation location). YouΓÇÖll likely need to define antivirus exclusions for these additional workloads, or for all workloads if you disable automatic exclusions.

+Here are some examples of technical documentation to identify and implement the exclusions you need:

+- [Running antivirus software on Exchange Server](/exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019&preserve-view=true)

+- [Folders to exclude from antivirus scans on SharePoint Server](https://support.microsoft.com/office/certain-folders-may-have-to-be-excluded-from-antivirus-scanning-when-you-use-file-level-antivirus-software-in-sharepoint-01cbc532-a24e-4bba-8d67-0b1ed733a3d9)

+- [Choosing antivirus software for SQL Server](https://support.microsoft.com/topic/how-to-choose-antivirus-software-to-run-on-computers-that-are-running-sql-server-feda079b-3e24-186b-945a-3051f6f3a95b)

+Depending on what you're using, you might need to refer to the documentation for that server workload.

+## See also

+- [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions)

+- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)

+- [Blog post: The HitchhikerΓÇÖs Guide to Microsoft Defender for Endpoint exclusions](https://cloudbrothers.info/en/guide-to-defender-exclusions/)

+Follow the instructions in [Block at first sight demo](https://demo.wd.microsoft.com/Page/BAFS).

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+- [Learn about exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+description: Learn how to deploy Microsoft Defender Antivirus in a remote desktop or non-persistent virtual desktop environment.

+In addition to standard on-premises or hardware configurations, you can use Microsoft Defender Antivirus in a remote desktop (RDS) or non-persistent virtual desktop infrastructure (VDI) environment. With the ability to easily deploy updates to virtual machines (VMs) running in VDIs, you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and are then downloaded directly to each VM when it's turned on.

+2. In the Group Policy Management Editor, go to **Computer configuration**.

+Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up in the Action Center on Windows 10 when scans are done or remediation actions are taken. However, your security operations team will see the results of the scan while the attack was detected and stopped. Alerts, such as an initial access alert, are generated and will appear in the [Microsoft 365 Defender portal](https://security.microsoft.com).

+2. On the **Home** pane, select **Devices** > **Configuration Profiles**.

+4. In the **Properties** section, select **Edit** next to **Configuration settings** and then select **Microsoft Defender Antivirus**.

+6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.

+## Related articles

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+5. Review the details in the **Summary** tab, then select **Save**.

+## Related articles

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+## Related articles

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+## Related articles

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+## Related articles

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+> - The device you're taking the action on is running Windows 10, version 1703 or later, Windows 11, and Windows Server 2012 R2+

+This action takes effect on devices with Windows 10, version 1703 or later, and Windows 11 and Server 2012 R2+, where the file was observed in the last 30 days.

+> Only files from Windows 10, Windows 11, and Windows Server 2012 R2+ can be automatically collected.

+You can also submit a sample through the [Microsoft 365 Defender Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file wasn't observed on a Windows 10 device (or Windows 11 or Windows Server 2012 R2+), and wait for **Submit for deep analysis** button to become available.

+> Depending on device availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 device (or Windows 11 or Windows Server 2012 R2+) reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.

+## See also

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+|Command Prompt|1. On a Windows device, open Command Prompt.<br/><br/>2. Type `sc query windefend`, and then press Enter.<br/><br/>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. The state of WinDefend returns **STOPPABLE** if it is in **Passive mode** and **NOT_STOPPABLE** if it is in **Active mode**.|

+## See also

+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+ - **Threat and vulnerability management - Application handling** - Apply immediate mitigation actions by blocking vulnerable applications, as part of the remediation activity and manage the blocked apps and perform unblock actions

+- **Security baselines**

+ - **Threat and vulnerability management ΓÇô Manage security baselines assessment profiles** - Create and manage profiles so you can assess if your devices comply to security industry baselines.

+ >[!Note]

+ > For the Defender Vulnerability Management public preview trial this permission is not required. Users with "Threat and vulnerability management - View data" permissions can manage security baselines. However, when the trial ends and a license is purchased, this permission is required.

+5. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.If you want to check how the ticket shows up in Intune, See [Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint](/mem/intune/protect/atp-manage-vulnerabilities) for details.

+When you submit a remediation request from the Security recommendations page, it kicks off a remediation activity. A security task is created that can be tracked on a **Remediation** page, and a remediation ticket is created in Microsoft Intune.

+ - Select **Go hunt** to go into [Advanced hunting](advanced-hunting-overview.md).

+## See also

+[Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](../defender-endpoint/defender-endpoint-antivirus-exclusions.md)

+ Title: Campaigns in Microsoft Defender for Office 365 Plan

+description: Learn about Campaigns in Microsoft Defender for Office 365.

+# Campaigns in Microsoft Defender for Office 365

+Campaigns in the Microsoft 365 Defender portal identifies and categorizes coordinated email attacks including phishing and malware. Campaigns can help you to:

+- Efficiently investigate and respond to phishing and malware attacks, delivered via email.

+- Better understand the scope of the email attack targetting your organization.

+- Show value of Microsoft Defender for Office to decision makers in preventing email threats.

+Campaigns lets you see the big picture of an email attack faster and more complete than any human.

+Watch this short video on how campaigns in Microsoft Defender for Office 365 help you understand coordinated email attacks targeting your organization.

+## Campaigns in the Microsoft 365 Defender portal

+Campaigns is available in the Microsoft 365 Defender portal at <https://security.microsoft.com> at **Email & collaboration** \> **Campaigns**, or directly at <https://security.microsoft.com/campaigns>.

+You can also view Campaigns from:

+## Required licenses and permissions

+

+- ** You must have Defender for Office 365 Plan 2 to view Campaigns.

+- ** To access Campaigns, you need to be a member of the **Organization Management**, **Security Administrator**, or **Security Reader** role groups in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).

+The main Campaigns page is a threat report with all campaigns targetting your organizations.

+> If you don't see any campaign data, or very limited data, try changing the date range or [filters](#filters-and-settings).

+### Attitional Actions

+The buttons at the bottom the campaign details view allows you to investigate and record details about the campaign:

+ > ⁴ For **High confidence phishing**, the action **Move message to Junk Email folder** has effectively been deprecated. Although you might be able to select **Move message to Junk Email folder**, high confidence phishing messages are always quarantined (equivalent to selecting **Quarantine message**).

+ - ContentEngagementFY23

+- [Visualize the scope](campaigns.md#campaigns-in-the-microsoft-365-defender-portal) of the attack.