Updates from: 11/18/2022 02:59:03
Category Microsoft Docs article Related commit history on GitHub Change details
admin Microsoft Teams Device Usage Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-teams-device-usage-preview.md
Title: "Microsoft 365 admin center Teams app usage reports"
+ Title: "Microsoft 365 admin center Teams device usage reports"
f1.keywords: - NOCSH
- Adm_O365 - Adm_NonTOC - search.appverid: - BCS160 - MST160 - MET150 - MOE150
-description: "Gain insights into the Microsoft Teams apps used in your organization by getting the Microsoft Teams app usage report from Microsoft 365 Reports."
+description: "Gain insights into the devices on which Microsoft Teams apps are being used in your organization by getting the Microsoft Teams device usage report from Microsoft 365 Reports."
# Microsoft 365 Reports in the admin center - Microsoft Teams device usage
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
Make sure you're aware of the prerequisites before you configure auto-labeling p
- Simulation mode: - Auditing for Microsoft 365 must be turned on. If you need to turn on auditing or you're not sure whether auditing is already on, see [Turn audit log search on or off](turn-audit-log-search-on-or-off.md).
- - To view file or email contents in the source view, you must have the **Data Classification Content Viewer** role, which is included in the **Content Explorer Content Viewer** role group, or **Information Protection** and **Information Protection Investigators** role groups (currently in preview). Without the required role, you don't see the preview pane when you select an item from the **Matched Items** tab. Global admins don't have this role by default.
+ - To view file or email contents in the source view, you must have the **Data Classification Content Viewer** role, which is included in the **Content Explorer Content Viewer** role group, or **Information Protection** and **Information Protection Investigators** role groups. Without the required role, you don't see the preview pane when you select an item from the **Matched Items** tab. Global admins don't have this role by default.
- To auto-label files in SharePoint and OneDrive: - You have [enabled sensitivity labels for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md).
compliance Audit New Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-new-search.md
Some examples of different searches include the following criteria. Explore thes
- Information about the date, IP Address, User, Activity, and Item can be found in the search job results page for each item - Select an activity to see a fly-out window with more details about the activity - The filtering feature for search job results can help to parse through results.-- Export is fully functional and exports all search job items to a .csv file. Export supports results up to 50KB.
+- Export is fully functional and exports all search job items to a .csv file. Export supports results up to 500 KB (500,000 rows).
## Frequently asked questions
compliance Compliance Manager Templates List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-templates-list.md
description: "Microsoft Purview Compliance Manager provides templates for buildi
> [!IMPORTANT] > The assessment templates that are available to your organization depend on your licensing agreement. [Review the details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager).
+>
+> Starting in mid-December 2022, licensing updates will affect which templates are included as part of licensing agreements. [Learn more about these changes below](#included-templates).
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
To review the templates available to your organization, go to your **Assessment
## Included templates
+> [!NOTE]
+> Starting mid-December 2022, we're rolling out changes to included and premium templates. Listed below is a summary of changes, which will be fully documented when the rollout begins:
+>
+> - Customers at all subscription levels will have the Microsoft Data Protection Baseline template included as part of their subscription.
+> - Customers at the A5/E5/G5 subscription levels will be able to choose any three premium templates to use for free. The use of any premium templates beyond those three will require purchase.
+> - The included templates for US Government Community (GCC) Moderate, GCC High, and Department of Defense (DoD) customers are the Cybersecurity Maturity Model Certification (CMMC) template (levels 1 through 5) in addition to the Microsoft Data Protection Baseline template.
+> - Templates that correspond to a regulation will now all be grouped together and treated as a single template. For example, CMMC - Level 1, and CMMC - Level 2 will now be counted as one template; you won't need to purchase multiple templates for the same regulation when that regulation has multiple levels or versions.
+>
+> Get additional details on our [frequently asked questions](compliance-manager-faq.yml) page.
+ One or more of the templates listed below are included as part of your licensing agreement. The Microsoft Data Protection Baseline template is included for all organizations. - [Microsoft Data Protection Baseline](compliance-manager-assessments.md#data-protection-baseline-default-assessment)
One or more of the templates listed below are included as part of your licensing
> [!NOTE] > For US Government Community (GCC) Moderate, GCC High, and Department of Defense (DoD) customers: the Cybersecurity Maturity Model Certification (CMMC) Levels 1 through 5 templates are included, in addition to the templates listed above.
-## Preview templates
+#### Preview templates
-The templates listed below are currently available for preview. Creating assessments using these templates will not count toward your total of licensed templates used.
+The templates listed below are available in preview. Creating assessments from these templates won't count toward your total of licensed templates used.
- ISO 27001:2013 for Azure (Preview) - ISO 27001:2013 for Dynamics 365 (Preview)
The templates listed below are currently available for preview. Creating assessm
## Premium templates
-The templates listed below may be purchased by your organization.
+The templates listed below may be purchased by your organization. See the [note above](#included-templates) about upcoming changes in December 2022.
### Global
The templates listed below may be purchased by your organization.
- Japan - Act on Prohibition of Unauthorized Computer Access - Japan - Common Model of Information Security Measures for Government Agencies and Related Agencies - Japan - Common Standards for Information Security Measures for Government Agencies and Related Agencies -- Japan Privacy Mark - JIS Q 15001 : 2017
+- Japan Privacy Mark - JIS Q 15001: 2017
- Japanese Act on the Protection of Personal Information (Law No. 57 of 2003) - Korea - Credit Information Use And Protection Act - Korea - The Act on Promotion of Information and Communications Network Utilization and Data Protection
compliance Compliance Manager Templates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-templates.md
description: "Understand how to use and manage templates for building assessment
**In this article:** Understand **how templates work** and **how to manage them** from your assessment templates page. Get instructions for **creating** new templates, **extending** and **modifying** existing templates, **formatting your template data with Excel**, and exporting template **reports**. > [!IMPORTANT]
-> The assessment templates that are available to your organization depend on your licensing agreement. [Review the details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager).
+> The assessment templates that are available to your organization depend on your licensing agreement. [Review licensing details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager).
+>
+> Starting in mid-December 2022, licensing updates will affect which templates are included as part of licensing agreements. [Learn more about these changes below](#template-availability-and-licensing).
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
Note that US Government Community (GCC) Moderate, GCC High, and Department of De
## Template availability and licensing
-There are two categories of templates in Compliance
+> [!NOTE]
+> Starting mid-December 2022, we're rolling out changes to included and premium templates. Listed below is a summary of changes, which will be fully documented when the rollout begins:
+>
+> - Customers at all subscription levels will have the Microsoft Data Protection Baseline template included as part of their subscription.
+> - Customers at the A5/E5/G5 subscription levels will be able to choose any three premium templates to use for free. The use of any premium templates beyond those three will require purchase.
+> - The included templates for US Government Community (GCC) Moderate, GCC High, and Department of Defense (DoD) customers are the Cybersecurity Maturity Model Certification (CMMC) template (levels 1 through 5) in addition to the Microsoft Data Protection Baseline template.
+> - Templates that correspond to a regulation will now all be grouped together and treated as a single template. For example, CMMC - Level 1, and CMMC - Level 2 will now be counted as one template; you won't need to purchase multiple templates for the same regulation when that regulation has multiple levels or versions.
+>
+> Get additional details on our [frequently asked questions](compliance-manager-faq.yml) page.
+
+There are two categories of templates in Compliance
1. **Included templates** are granted by your Compliance Manager license and cover key regulations and requirements. To learn more about what templates are available under your licensing agreement, see [licensing details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#compliance-manager). 2. **Premium templates** to cover additional needs and scenarios can be obtained by purchasing template licenses.
compliance Create A Dlp Policy From A Template https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-dlp-policy-from-a-template.md
For more information, see [Permissions in the Microsoft Purview compliance porta
These permissions are required to create and apply a DLP policy not to enforce policies.
-### Roles and Role Groups in preview
+### Roles and Role Groups
-There are roles and role groups in preview that you can test out to fine tune your access controls.
+There are roles and role groups that you can use to fine tune your access controls.
Here's a list of applicable roles. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md)
compliance Create Test Tune Dlp Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-test-tune-dlp-policy.md
For more information, see [Add users to a compliance role group](microsoft-365-c
These permissions are required to create and apply a DLP policy not to enforce policies.
-### Roles and Role Groups in preview
+### Roles and Role Groups
-There are roles and role groups in preview that you can test out to fine tune your access controls.
+There are roles and role groups that you can use to fine tune your access controls.
-Here's a list of applicable roles that are in preview. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
+Here's a list of applicable roles that you can use to fine tune your access controls. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
- Information Protection Admin - Information Protection Analyst - Information Protection Investigator - Information Protection Reader
-Here's a list of applicable role groups that are in preview. To learn more, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
+Here's a list of applicable role groups that you can use. To learn more, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
- Information Protection - Information Protection Admins
compliance Data Classification Content Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-content-explorer.md
You can also assign either or both of the roles to a custom role group to tailor
A Global admin, can assign the necessary Content Explorer List Viewer, and Content Explorer Content Viewer role group membership.
-#### Roles and Role Groups in preview
+#### Roles and Role Groups
-There are roles and role groups in preview that you can test out to fine tune your access controls.
+There are roles and role groups that you useto fine tune your access controls.
-Here's a list of applicable roles that are in preview. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
+Here's a list of applicable roles. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
- Information Protection Admin - Information Protection Analyst - Information Protection Investigator - Information Protection Reader
-Here's a list of applicable role groups that are in preview. To learn more, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
+Here's a list of applicable role groups. To learn more, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
- Information Protection - Information Protection Admins
compliance Data Classification Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-overview.md
Data classification will scan your sensitive content and labeled content before
#### Roles and Role Groups
-There are roles and role groups in preview that you can test out to fine tune your access controls.
+There are roles and role groups that you can use to fine tune your access controls.
-Here's a list of applicable roles that are in preview. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
+Here's a list of applicable roles. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
- Information Protection Admin - Information Protection Analyst - Information Protection Investigator - Information Protection Reader
-Here's a list of applicable role groups that are in preview. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
+Here's a list of applicable role groups. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
- Information Protection - Information Protection Admins
compliance Delete An Inactive Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/delete-an-inactive-mailbox.md
See the [More information](#more-information) section for a description of what
- You can copy the contents of an inactive mailbox to another mailbox before you remove the hold and delete an inactive mailbox. For details, see [Restore an inactive mailbox in Office 365](restore-an-inactive-mailbox.md). -- If you remove the hold or retention policy from an inactive mailbox and the soft-deleted mailbox retention period for the mailbox has expired, the mailbox will be permanently deleted after the 183-day soft-deleted mailbox retention period expires. For more information about the soft-deleted mailbox retention period, see the [More information](#more-information) section in this article. After the inactive mailbox is permanently deleted, it can't be recovered. Before you remove the hold, be sure that you no longer need the contents in the mailbox. If you want to reactivate an inactive mailbox, you can recover it. For details, see [Recover an inactive mailbox in Office 365](recover-an-inactive-mailbox.md).
+- If you remove the hold or retention policy from an inactive mailbox and the soft-deleted mailbox retention period for the mailbox has expired, the mailbox will be permanently deleted after the 30-day soft-deleted mailbox retention period expires. For more information about the soft-deleted mailbox retention period, see the [More information](#more-information) section in this article. After the inactive mailbox is permanently deleted, it can't be recovered. Before you remove the hold, be sure that you no longer need the contents in the mailbox. If you want to reactivate an inactive mailbox, you can recover it. For details, see [Recover an inactive mailbox in Office 365](recover-an-inactive-mailbox.md).
- For more information about inactive mailboxes, see [Learn about inactive mailboxes](inactive-mailboxes-in-office-365.md).
If the In-Place Hold contains a large number of source mailboxes, it's possible
## More information -- **An inactive mailbox is a type of soft-deleted mailbox.** In Exchange Online, a soft-deleted mailbox is a mailbox that's been deleted but can be recovered within a specific retention period. For soft-deleted mailboxes that aren't on hold, the mailbox is recoverable within 30 days. An inactive mailbox (a mailbox on hold before it was deleted) will remain in a soft-deleted with hold state until the hold is removed. After the hold is removed from an inactive mailbox, the mailbox will no longer be in an inactive state. Instead it will become soft-deleted and remain in Exchange Online for 183 days from the day the hold was removed and recoverable during that time. After 183 days, a soft-deleted mailbox is marked for permanent deletion and can't be recovered.
+- **An inactive mailbox is a type of soft-deleted mailbox.** In Exchange Online, a soft-deleted mailbox is a mailbox that's been deleted but can be recovered within a specific retention period. For soft-deleted mailboxes that aren't on hold, the mailbox is recoverable within 30 days. An inactive mailbox (a mailbox on hold before it was deleted) will remain in a soft-deleted with hold state until the hold is removed. After the hold is removed from an inactive mailbox, the mailbox will no longer be in an inactive state. Instead it will become soft-deleted and remain in Exchange Online for 30 days from the day the hold was removed and recoverable during that time. After 30 days, a soft-deleted mailbox is marked for permanent deletion and can't be recovered.
-- **What happens after you remove the hold on an inactive mailbox?** The mailbox is treated like other soft-deleted mailboxes and is marked for permanent deletion after the 183-day soft-deleted mailbox retention period expires. This retention period starts on the date when the hold is removed from the inactive mailbox. The *InactiveMailboxRetireTime* property is set when the mailbox transitions from being inactive (soft-deleted on hold) to no longer being inactive (soft-deleted with no holds). At that point, the *InactiveMailboxRetireTime* property is set to the current date when the transition occurred. There is an assistant that runs (called the *MailboxLifeCycle* assistant) that looks for mailboxes that have the *InactiveMailboxRetireTime* property set. If "InactiveMailboxRetireTime + 183 days" is less than the current date, then it will purge the mailbox.
+- **What happens after you remove the hold on an inactive mailbox?** The mailbox is treated like other soft-deleted mailboxes and is marked for permanent deletion after the 30-day soft-deleted mailbox retention period expires. This retention period starts on the date when the hold is removed from the inactive mailbox. The *InactiveMailboxRetireTime* property is set when the mailbox transitions from being inactive (soft-deleted on hold) to no longer being inactive (soft-deleted with no holds). At that point, the *InactiveMailboxRetireTime* property is set to the current date when the transition occurred. There is an assistant that runs (called the *MailboxLifeCycle* assistant) that looks for mailboxes that have the *InactiveMailboxRetireTime* property set. If "InactiveMailboxRetireTime + 30 days" is less than the current date, then it will purge the mailbox.
-- **Is an inactive mailbox permanently deleted immediately after the hold is removed?** A formerly inactive mailbox will be available in the soft-deleted state for 183 days. After 183 days, the mailbox will be marked for permanent deletion.
+- **Is an inactive mailbox permanently deleted immediately after the hold is removed?** A formerly inactive mailbox will be available in the soft-deleted state for 30 days. After 30 days, the mailbox will be marked for permanent deletion.
- **How do you display information about an inactive mailbox after the hold is removed?** After a hold is removed and the inactive mailbox is reverted back to a soft-deleted mailbox, it won't be returned by using the *InactiveMailboxOnly* parameter with the **Get-Mailbox** cmdlet. But you can display information about the mailbox by using the **Get-Mailbox -SoftDeletedMailbox** command. For example:
compliance Dlp Alerts Dashboard Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-alerts-dashboard-get-started.md
which has the data classification content viewer role pre-assigned.
### Roles and Role Groups
-There are roles and role groups in preview that you can test out to fine tune your access controls.
+There are roles and role groups that you use to fine tune your access controls.
-Here's a list of applicable roles that are in preview. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
+Here's a list of applicable roles. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
- Information Protection Admin - Information Protection Analyst - Information Protection Investigator - Information Protection Reader
-Here's a list of applicable role groups that are in preview. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
+Here's a list of applicable role groups. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
- Information Protection - Information Protection Admins
compliance Dlp Chrome Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-get-started.md
Data from Endpoint DLP can be viewed in [Activity explorer](data-classification-
#### Roles and Role Groups
-There are roles and role groups in preview that you can test out to fine tune your access controls.
+There are roles and role groups that you can use to fine tune your access controls.
-Here's a list of applicable roles that are in preview. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
+Here's a list of applicable roles. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
- Information Protection Admin - Information Protection Analyst - Information Protection Investigator - Information Protection Reader
-Here's a list of applicable role groups that are in preview. To learn more about the, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
+Here's a list of applicable role groups. To learn more about the, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
- Information Protection - Information Protection Admins
compliance Get Started With Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-sensitivity-labels.md
To see the options for licensing your users to benefit from Microsoft Purview fe
Members of your compliance team who will create sensitivity labels need permissions to the Microsoft Purview compliance portal.
-By default, global administrators for your tenant have access to this admin center and can give compliance officers and other people access, without giving them all of the permissions of a tenant admin. For this delegated limited admin access, add users to the **Compliance Data Administrator**, **Compliance Administrator**, or **Security Administrator** role group.
-
-Alternatively to using the default roles, you can create a new role group and add either **Sensitivity Label Administrator** or **Organization Configuration** roles to this group. For a read-only role, use **Sensitivity Label Reader**.
-
-> [!NOTE]
-> Now in preview, you can use the following role groups:
-> - **Information Protection**
-> - **Information Protection Admins**
-> - **Information Protection Analysts**
-> - **Information Protection Investigators**
-> - **Information Protection Readers**
->
-> For an explanation of each one, and the new roles that they contain, select a role group in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a> > **Permissions & roles** > **Compliance center** > **Roles**, and then review the description in the flyout pane. Or, see [Role groups in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#role-groups-in-the-defender-and-compliance-portals).
+By default, global administrators for your tenant have access to this admin center and can give compliance officers and other people access, without giving them all of the permissions of a tenant admin. For this limited admin access, you can use the following role groups:
+- **Information Protection**
+- **Information Protection Admins**
+- **Information Protection Analysts**
+- **Information Protection Investigators**
+- **Information Protection Readers**
+
+For an explanation of each one, and the roles that they contain, select a role group in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a> > **Permissions & roles** > **Compliance center** > **Roles**, and then review the description in the flyout pane. Or, see [Role groups in the Defender and compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#role-groups-in-the-defender-and-compliance-portals).
+
+Alternatively to using the default roles, you can create a new role group and add the **Sensitivity Label Administrator** role to this group. For a read-only role, use **Sensitivity Label Reader**.
+
+Another option is to add users to the **Compliance Data Administrator**, **Compliance Administrator**, or **Security Administrator** role group.
For instructions to add users to the default role group, roles, or create your own role groups, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
compliance Records Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/records-management.md
A records management system, also known as records and information management, i
Use the following capabilities to support your records management solution for Microsoft 365 data: -- **Label content as a record**. Create and configure retention labels to mark content as a [record](#records) that can then be applied by users or automatically applied by identifying sensitive information, keywords, or content types.
+- **Label items as a record**. Create and configure retention labels to mark items as a [record](#records) that can then be applied by users or automatically applied by identifying sensitive information, keywords, or content types.
- **Migrate and manage your retention requirements with file plan**. By using a [file plan](file-plan-manager.md), you can bring in an existing retention plan to Microsoft 365, or build a new one for enhanced management capabilities.
In addition to the online documentation, you might find it useful to download a
## Records
-When content is declared a record:
+When an item is declared a record:
-- Restrictions are placed on the items in terms of what [actions are allowed or blocked](#compare-restrictions-for-what-actions-are-allowed-or-blocked).
+- Restrictions are placed on the item in terms of what [actions are allowed or blocked](#compare-restrictions-for-what-actions-are-allowed-or-blocked).
- Additional activities about the item are logged. -- You have proof of disposition when the items are deleted at the end of their retention period.
+- You have proof of disposition when the item is deleted at the end of their retention period.
-You use [retention labels](retention.md#retention-labels) to mark content as a **record**, or a **regulatory record**. The difference between these two are explained in the next section. You can either publish those labels so that users and administrators can manually apply them to content, or auto-apply those labels to content that you want to mark as a record or a regulatory record.
+You use [retention labels](retention.md#retention-labels) to mark items as a **record**, or a **regulatory record**. The difference between these two are explained in the next section. You can either publish those labels so that users and administrators can manually apply them to items, or for labels that mark items as a record, you can auto-apply those labels.
By using retention labels to declare records, you can implement a single and consistent strategy for managing records across your Microsoft 365 environment. ### Compare restrictions for what actions are allowed or blocked
-Use the following table to identify what restrictions are placed on content as a result of applying a standard retention label, and retention labels that mark content as a record or regulatory record.
+Use the following table to identify what restrictions are placed on items as a result of applying a standard retention label, and retention labels that mark items as a record or regulatory record.
-A standard retention label has retention settings and actions but doesn't mark content as a record or a regulatory record.
+A standard retention label has retention settings and actions but doesn't mark items as a record or a regulatory record.
> [!NOTE] > For completeness, the table includes columns for a locked and unlocked record, which is applicable to SharePoint and OneDrive, but not Exchange. The ability to lock and unlock a record uses [record versioning](record-versioning.md) that isn't supported for Exchange items. So for all Exchange items that are marked as a record, the behavior maps to the **Record - locked** column, and the **Record - unlocked column** is not relevant.
compliance Search The Audit Log In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance.md
Why a unified audit log? Because you can search the audit log for activities per
| Power Automate|MicrosoftFlow| | Power BI|PowerBIAudit| | Quarantine|Quarantine|
-| Retention policies and retention labels|MIPLabel, MipAutoLabelExchangeItem, MipAutoLabelSharePointItem, MipAutoLabelSharePointPolicyLocation|
+| Microsoft Purview Information Protection (MIP) labels|MIPLabel, MipAutoLabelExchangeItem, MipAutoLabelSharePointItem, MipAutoLabelSharePointPolicyLocation|
| Sensitive information types|DlpSensitiveInformationType| | Sensitivity labels|MIPLabel, SensitivityLabelAction, SensitivityLabeledFileAction, SensitivityLabelPolicyMatch| | Encrypted message portal|OMEPortal|
Here's the process for searching the audit log in Microsoft 365.
> [!TIP] > Use a private browsing session (not a regular session) to access the compliance portal because this will prevent the credential that you are currently logged on with from being used. Press **CTRL+SHIFT+N** to open an InPrivate Browsing session in Microsoft Edge or a private browsing session in Google Chrome (called an incognito window).
-2. In the left pane of the compliance portal, click **Audit**.
+2. In the left pane of the compliance portal, select **Audit**.
The **Audit** page is displayed.
Here's the process for searching the audit log in Microsoft 365.
> [!TIP] > If you're using the maximum date range of 90 days, select the current time for the **Start date**. Otherwise, you'll receive an error saying that the start date is earlier than the end date. If you've turned on auditing within the last 90 days, the maximum date range can't start before the date that auditing was turned on.
- 2. **Activities**: Click the drop-down list to display the activities that you can search for. User and admin activities are organized into groups of related activities. You can select specific activities or you can click the activity group name to select all activities in the group. You can also click a selected activity to clear the selection. After you run the search, only the audit log entries for the selected activities are displayed. Selecting **Show results for all activities** displays results for all activities performed by the selected user or group of users.<br/><br/>Over 100 user and admin activities are logged in the audit log. Click the **Audited activities** tab at the topic of this article to see the descriptions of every activity in each of the different services.
+ 2. **Activities**: Select the drop-down list to display the activities that you can search for. User and admin activities are organized into groups of related activities. You can select specific activities or you can select the activity group name to select all activities in the group. You can also select a selected activity to clear the selection. After you run the search, only the audit log entries for the selected activities are displayed. Selecting **Show results for all activities** displays results for all activities performed by the selected user or group of users.<br/><br/>Over 100 user and admin activities are logged in the audit log. Select the **Audited activities** tab at the article of this article to see the descriptions of every activity in each of the different services.
- 3. **Users**: Click in this box and then select one or more users to display search results for. The audit log entries for the selected activity performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users (and service accounts) in your organization.
+ 3. **Users**: Select in this box and then select one or more users to display search results for. The audit log entries for the selected activity performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users (and service accounts) in your organization.
4. **File, folder, or site**: Type some or all of a file or folder name to search for activity related to the file of folder that contains the specified keyword. You can also specify a URL of a file or folder. If you use a URL, be sure the type the full URL path or if you type a portion of the URL, don't include any special characters or spaces (however, using the wildcard character (\*) is supported).<br/><br/>Leave this box blank to return entries for all files and folders in your organization.
Here's the process for searching the audit log in Microsoft 365.
> > - If you're looking for all activities related to a **file**, add the wildcard character (\*) before the file name to return all entries for that file; for example, `"*Customer_Profitability_Sample.csv"`.
-4. Click **Search** to run the search using your search criteria.
+4. Select **Search** to run the search using your search criteria.
- The search results are loaded, and after a few moments they are displayed on a new page. When the search is finished, the number of results found is displayed. A maximum of 50,000 events will be displayed in increments of 150 events. If more than 50,000 events meet the search criteria, only the 50,000 unsorted events returned will be displayed.
+ The search results are loaded, and after a few moments they're displayed on a new page. When the search is finished, the number of results found is displayed. A maximum of 50,000 events will be displayed in increments of 150 events. If more than 50,000 events meet the search criteria, only the 50,000 unsorted events returned will be displayed.
![The number of results are displayed after the search is finished.](../media/986216f1-ca2f-4747-9480-e232b5bf094c.png) #### Tips for searching the audit log -- You can select specific activities to search for by clicking the activity name. Or you can search for all activities in a group (such as **File and folder activities**) by clicking the group name. If an activity is selected, you can click it to cancel the selection. You can also use the search box to display the activities that contain the keyword that you type.
+- You can select specific activities to search for by clicking the activity name. Or you can search for all activities in a group (such as **File and folder activities**) by clicking the group name. If an activity is selected, you can select it to cancel the selection. You can also use the search box to display the activities that contain the keyword that you type.
![Click activity group name to select all activities.](../media/3cde97cb-6f35-47c0-8612-ecd9c6ac36a3.png) -- You have to select **Show results for all activities** in the **Activities** list to display events from the Exchange admin audit log. Events from this audit log display a cmdlet name (for example, **Set-Mailbox**) in the **Activity** column in the results. For more information, click the **Audited activities** tab in this topic and then click **Exchange admin activities**.
+- You have to select **Show results for all activities** in the **Activities** list to display events from the Exchange admin audit log. Events from this audit log display a cmdlet name (for example, **Set-Mailbox**) in the **Activity** column in the results. For more information, select the **Audited activities** tab in this article and then select **Exchange admin activities**.
Similarly, there are some auditing activities that don't have a corresponding item in the **Activities** list. If you know the name of the operation for these activities, you can search for all activities, then filter the operations after you export the search results to a CSV file. -- Click **Clear** to clear the current search criteria. The date range returns to the default of the last seven days. You can also click **Clear all to show results for all activities** to cancel all selected activities.
+- Select **Clear** to clear the current search criteria. The date range returns to the default of the last seven days. You can also select **Clear all to show results for all activities** to cancel all selected activities.
- If 50,000 results are found, you can probably assume that there are more than 50,000 events that met the search criteria. You can either refine the search criteria and rerun the search to return fewer results, or you can export the 50,000 search results by selecting **Export results** \> **Download all results**.
You can export the results of an audit log search to a comma-separated value (CS
1. Run an audit log search, and then revise the search criteria until you have the desired results.
-2. On the search results page, click **Export** > **Download all results**.
+2. On the search results page, select **Export** > **Download all results**.
All entries from the audit log that meet the search criteria are exported to a CSV file. The raw data from the audit log is saved to a CSV file. Additional information from the audit log entry is included in a column named **AuditData** in the CSV.
The tables in this section describe the activities that are audited in Microsoft
These tables group related activities or the activities from a specific service. The tables include the friendly name that's displayed in the **Activities** drop-down list and the name of the corresponding operation that appears in the detailed information of an audit record and in the CSV file when you export the search results. For descriptions of the detailed information, see [Detailed properties in the audit log](detailed-properties-in-the-office-365-audit-log.md).
-Click one of the following links to go to a specific table.
+Select one of the following links to go to a specific table.
:::row::: :::column:::
The following table describes the file and page activities in SharePoint Online
|Friendly name|Operation|Description| |:--|:--|:--|
-|Accessed file|FileAccessed|User or system account accesses a file. Once a user accesses a file, the FileAccessed event is not logged again for the same user for same file for the next five minutes.|
+|Accessed file|FileAccessed|User or system account accesses a file. Once a user accesses a file, the FileAccessed event isn't logged again for the same user for same file for the next five minutes.|
|(none)|FileAccessedExtended|This is related to the "Accessed file" (FileAccessed) activity. A FileAccessedExtended event is logged when the same person continually accesses a file for an extended period (up to 3 hours). <br/><br/> The purpose of logging FileAccessedExtended events is to reduce the number of FileAccessed events that are logged when a file is continually accessed. This helps reduce the noise of multiple FileAccessed records for what is essentially the same user activity, and lets you focus on the initial (and more important) FileAccessed event.| |Changed retention label for a file|ComplianceSettingChanged|A retention label was applied to or removed from a document. This event is triggered when a retention label is manually or automatically applied to a message.| |Changed record status to locked|LockRecord|The record status of a retention label that classifies a document as a record was locked. This means the document can't be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.|
The following table describes the file and page activities in SharePoint Online
|Renamed file|FileRenamed|User renames a document.| |Restored file|FileRestored|User restores a document from the recycle bin of a site.| |Uploaded file|FileUploaded|User uploads a document to a folder on a site.|
-|Viewed page|PageViewed|User views a page on a site. This doesn't include using a Web browser to view files located in a document library. Once a user views a page, the PageViewed event is not logged again for the same user for same page for the next five minutes.|
+|Viewed page|PageViewed|User views a page on a site. This doesn't include using a Web browser to view files located in a document library. Once a user views a page, the PageViewed event isn't logged again for the same user for same page for the next five minutes.|
|(none)|PageViewedExtended|This is related to the "Viewed page" (PageViewed) activity. A PageViewedExtended event is logged when the same person continually views a web page for an extended period (up to 3 hours). <br/><br/> The purpose of logging PageViewedExtended events is to reduce the number of PageViewed events that are logged when a page is continually viewed. This helps reduce the noise of multiple PageViewed records for what is essentially the same user activity, and lets you focus on the initial (and more important) PageViewed event.| |View signaled by client|ClientViewSignaled|A user's client (such as website or mobile app) has signaled that the indicated page has been viewed by the user. This activity is often logged following a PagePrefetched event for a page. <br/><br/>**NOTE**: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate. The system waits five minutes before it logs the same event when the same user's client signals that the page has been viewed again by the user.| |(none)|PagePrefetched|A user's client (such as website or mobile app) has requested the indicated page to help improve performance if the user browses to it. This event is logged to indicate that the page content has been served to the user's client. This event isn't a definitive indication that the user navigated to the page. <br/><br/> When the page content is rendered by the client (as per the user's request) a ClientViewSignaled event should be generated. Not all clients support indicating a pre-fetch, and therefore some pre-fetched activities might instead be logged as PageViewed events.|
The following table lists file synchronization activities in SharePoint Online a
|Friendly name|Operation|Description| |:--|:--|:--| |Allowed computer to sync files|ManagedSyncClientAllowed|User successfully establishes a sync relationship with a site. The sync relationship is successful because the user's computer is a member of a domain that's been added to the list of domains (called the *safe recipients list*) that can access document libraries in your organization. <br/><br/> For more information about this feature, see [Use PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list](/powershell/module/sharepoint-online/).|
-|Blocked computer from syncing files|UnmanagedSyncClientBlocked|User tries to establish a sync relationship with a site from a computer that isn't a member of your organization's domain or is a member of a domain that hasn't been added to the list of domains (called the *safe recipients list)* that can access document libraries in your organization. The sync relationship is not allowed, and the user's computer is blocked from syncing, downloading, or uploading files on a document library. <br/><br/> For information about this feature, see [Use PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list](/powershell/module/sharepoint-online/).|
+|Blocked computer from syncing files|UnmanagedSyncClientBlocked|User tries to establish a sync relationship with a site from a computer that isn't a member of your organization's domain or is a member of a domain that hasn't been added to the list of domains (called the *safe recipients list)* that can access document libraries in your organization. The sync relationship isn't allowed, and the user's computer is blocked from syncing, downloading, or uploading files on a document library. <br/><br/> For information about this feature, see [Use PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list](/powershell/module/sharepoint-online/).|
|Downloaded files to computer|FileSyncDownloadedFull|User downloads a file to their computer from a SharePoint document library or OneDrive for Business using OneDrive sync app (OneDrive.exe).| |Downloaded file changes to computer|FileSyncDownloadedPartial|This event has been deprecated along with the old OneDrive for Business sync app (Groove.exe).| |Uploaded files to document library|FileSyncUploadedFull|User uploads a new file or changes to a file in SharePoint document library or OneDrive for Business using OneDrive sync app (OneDrive.exe).|
The following table lists the activities that can be logged by mailbox audit log
|Added or removed user with delegate access to calendar folder|UpdateCalendarDelegation|A user was added or removed as a delegate to the calendar of another user's mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar.| |Added permissions to folder|AddFolderPermissions|A folder permission was added. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.| |Copied messages to another folder|Copy|A message was copied to another folder.|
-|Created mailbox item|Create|An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox. For example, a new meeting request is created. Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder is not audited.|
+|Created mailbox item|Create|An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox. For example, a new meeting request is created. Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder isn't audited.|
|Created new inbox rule in Outlook web app|New-InboxRule|A mailbox owner or other user with access to the mailbox created an inbox rule in the Outlook web app.| |Deleted messages from Deleted Items folder|SoftDelete|A message was permanently deleted or deleted from the Deleted Items folder. These items are moved to the Recoverable Items folder. Messages are also moved to the Recoverable Items folder when a user selects it and presses **Shift+Delete**.| |Labeled message as a record|ApplyRecordLabel|A message was classified as a record. This occurs when a retention label that classifies content as a record is manually or automatically applied to a message.|
The following table lists the activities that can be logged by mailbox audit log
In audit records for some mailbox activities (especially **Add-MailboxPermissions**), you may notice the user who performed the activity (and is identified in the User and UserId fields) is NT AUTHORITY\SYSTEM or NT AUTHORITY\SYSTEM(Microsoft.Exchange.Servicehost). This indicates that the "user" who performed the activity was a system account in Exchange service in the Microsoft cloud. This system account often performs scheduled maintenance tasks on behalf of your organization. For example, a common audited activity performed by the NT AUTHORITY\SYSTEM(Microsoft.Exchange.ServiceHost) account is to update the permissions on the DiscoverySearchMailbox, which is a system mailbox. The purpose of this update is to verify that the FullAccess permission (which is the default) is assigned to the Discovery Management role group for the DiscoverySearchMailbox. This ensures that eDiscovery administrators can perform necessary tasks in their organization.
-Another system user account that may be identified in an audit record for **Add-MailboxPermission** is Administrator@apcprd03.prod.outlook.com. This service account is also included in mailbox audit records related to verifying and updating the FullAccess permission is assigned to the Discovery Management role group for the DiscoverySearchMailbox system mailbox. Specifically, audit records that identify the Administrator@apcprd03.prod.outlook.com account are typically triggered when Microsoft support personnel run an RBAC role diagnostic tool on behalf of your organization.
+Another system user account that may be identified in an audit record for **Add-MailboxPermission** is Administrator@apcprd03.prod.outlook.com. This service account is also included in mailbox audit records related to verifying and updating the FullAccess permission is assigned to the Discovery Management role group for the DiscoverySearchMailbox system mailbox. Specifically, audit records that identify the Administrator@apcprd03.prod.outlook.com account are typically triggered when Microsoft support personnel run a role-based access control diagnostic tool on behalf of your organization.
### User administration activities
If a Forms activity is performed by a coauthor or an anonymous responder, it wil
|Viewed form (design time)|ViewForm|Form owner opens an existing form for editing. <br><br>Property AccessDenied:boolean indicates access of current form is denied due to permission check. Property FromSummaryLink:boolean indicates current request comes from the summary link page.| |Previewed form|PreviewForm|Form owner previews a form using the Preview function.| |Exported form|ExportForm|Form owner exports results to Excel. <br><br>Property ExportFormat:string indicates if the Excel file is Download or Online.|
-|Allowed share form for copy|AllowShareFormForCopy|Form owner creates a template link to share the form with other users. This event is logged when the form owner clicks to generate template URL.|
+|Allowed share form for copy|AllowShareFormForCopy|Form owner creates a template link to share the form with other users. This event is logged when the form owner selects to generate template URL.|
|Disallowed share form for copy|DisallowShareFormForCopy|Form owner deletes template link.| |Added form coauthor|AddFormCoauthor|A user uses a collaboration link to help design for/view responses. This event is logged when a user uses a collab URL (not when collab URL is first generated).| |Removed form coauthor|RemoveFormCoauthor|Form owner deletes a collaboration link.|
If a Forms activity is performed by a coauthor or an anonymous responder, it wil
|Deleted summary link|DeleteSummaryLink|Form owner deletes summary results link.| |Updated form phishing status|UpdatePhishingStatus|This event is logged whenever the detailed value for the internal security status was changed, regardless of whether this changed the final security state (for example, form is now Closed or Opened). This means you may see duplicate events without a final security state change. The possible status values for this event are:<br/>- Take Down <br/>- Take Down by Admin <br/>- Admin Unblocked <br/>- Auto Blocked <br/>- Auto Unblocked <br/>- Customer Reported <br/>- Reset Customer Reported| |Updated user phishing status|UpdateUserPhishingStatus|This event is logged whenever the value for the user security status was changed. The value of the user status in the audit record is **Confirmed as Phisher** when the user created a phishing form that was taken down by the Microsoft Online safety team. If an admin unblocks the user, the value of the user's status is set to **Reset as Normal User**.|
-|Sent Forms Pro invitation|ProInvitation|User clicks to activate a Pro trial.|
+|Sent Forms Pro invitation|ProInvitation|User selects to activate a Pro trial.|
|Updated form setting<sup>*</sup> |UpdateFormSetting|Form owner updates one or multiple form settings. <br><br>Property FormSettingName:string indicates updated sensitive settings' name. Property NewFormSettings:string indicates updated settings' name and new value. Property thankYouMessageContainsLink:boolean indicates updated thank-you message contains a URL link.| |Updated user setting|UpdateUserSetting|Form owner updates a user setting. <br><br>Property UserSettingName:string indicates the setting's name and new value| |Listed forms<sup>*</sup>|ListForms|Form owner is viewing a list of forms. <br><br>Property ViewType:string indicates which view the form owner is looking at: All Forms, Shared with Me, or Group Forms|
The following table lists the activities for usage reports that are logged in th
### Exchange admin audit log
-Exchange administrator audit logging (which is enabled by default in Microsoft 365) logs an event in the audit log when an administrator (or a user who has been assigned administrative permissions) makes a change in your Exchange Online organization. Changes made by using the Exchange admin center or by running a cmdlet in Exchange Online PowerShell are logged in the Exchange admin audit log. Cmdlets that begin with the verbs **Get-**, **Search-**, or **Test-** are not logged in the audit log. For more detailed information about admin audit logging in Exchange, see [Administrator audit logging](/exchange/administrator-audit-logging-exchange-2013-help).
+Exchange administrator audit logging (which is enabled by default in Microsoft 365) logs an event in the audit log when an administrator (or a user who has been assigned administrative permissions) makes a change in your Exchange Online organization. Changes made by using the Exchange admin center or by running a cmdlet in Exchange Online PowerShell are logged in the Exchange admin audit log. Cmdlets that begin with the verbs **Get-**, **Search-**, or **Test-** aren't logged in the audit log. For more detailed information about admin audit logging in Exchange, see [Administrator audit logging](/exchange/administrator-audit-logging-exchange-2013-help).
> [!IMPORTANT] > Some Exchange Online cmdlets that aren't logged in the Exchange admin audit log (or in the audit log). Many of these cmdlets are related to maintaining the Exchange Online service and are run by Microsoft datacenter personnel or service accounts. These cmdlets aren't logged because they would result in a large number of "noisy" auditing events. If there's an Exchange Online cmdlet that isn't being audited, please submit a design change request (DCR) to Microsoft Support.
Here are some tips for searching for Exchange admin activities when searching th
- To return entries from the Exchange admin audit log, you have to select **Show results for all activities** in the **Activities** list. Use the date range boxes and the **Users** list to narrow the search results for cmdlets run by a specific Exchange administrator within a specific date range. -- To display events from the Exchange admin audit log, click the **Activity** column to sort the cmdlet names in alphabetical order.
+- To display events from the Exchange admin audit log, select the **Activity** column to sort the cmdlet names in alphabetical order.
- To get information about what cmdlet was run, which parameters and parameter values were used, and what objects were affected, you can export the search results by selecting the **Download all results** option. For more information, see [Export, configure, and view audit log records](export-view-audit-log-records.md).
Each audit entry for a tracked message will contain the following fields:
- AuthenticationStatus - Contains a value indicating that the authentication succeeded or failed. - OperationStatus - Indicates whether the indicated operation succeeded or failed. - AttachmentName - Name of the attachment.-- OperationProperties - A list of optional properties, for example the number of OTP passcodes sent, or the email subject.
+- OperationProperties - A list of optional properties. For example, the number of OTP passcodes sent, or the email subject.
### SystemSync activities
We currently have auditing pipeline deployments in the NA (North America), EMEA
**Is auditing data encrypted?**
-Auditing data is stored in Exchange mailboxes (data at rest) in the same region where the unified auditing pipeline is deployed. Mailbox data at rest is not encrypted by Exchange. However, service-level encryption encrypts all mailbox data because Exchange servers in Microsoft datacenters are encrypted via BitLocker. For more information, see [Microsoft 365 Encryption for Skype for Business, OneDrive for Business, SharePoint Online, and Exchange Online](/compliance/assurance/assurance-encryption-for-microsoft-365-services).
+Auditing data is stored in Exchange mailboxes (data at rest) in the same region where the unified auditing pipeline is deployed. Mailbox data at rest isn't encrypted by Exchange. However, service-level encryption encrypts all mailbox data because Exchange servers in Microsoft datacenters are encrypted via BitLocker. For more information, see [Microsoft 365 Encryption for Skype for Business, OneDrive for Business, SharePoint Online, and Exchange Online](/compliance/assurance/assurance-encryption-for-microsoft-365-services).
Mail data in transit is always encrypted.
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
The numbers listed are the minimum Office application versions required for each
|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers | Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.49+ | Under review | Under review | Yes | |[Different settings for default label and mandatory labeling](#outlook-specific-options-for-default-label-and-mandatory-labeling) | Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.43+ <sup>\*</sup> | 4.2111+ | 4.2111+ | Yes | |[PDF support](#pdf-support) | Current Channel: 2205+ <br /><br> Monthly Enterprise Channel: 2205+ <br /><br> Semi-Annual Enterprise Channel: Under review| Under review | Under review | Under review | Under review |
-|[Apply S/MIME protection](#configure-a-label-to-apply-smime-protection-in-outlook) | Preview: [Beta Channel](https://office.com/insider) | 16.61+ <sup>\*</sup> | 4.2226+ | 4.2203+ | Under review |
+|[Apply S/MIME protection](#configure-a-label-to-apply-smime-protection-in-outlook) | Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | 16.61+ <sup>\*</sup> | 4.2226+ | 4.2203+ | Under review |
|[Sensitivity bar](#sensitivity-bar) and [display label color](#label-colors) | Under review | Under review | Under review | Under review | Under review | **Footnotes:**
contentunderstanding Create A Classifier https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/create-a-classifier.md
description: Learn how to create a classifier in Microsoft Syntex.
<sup>**Applies to:** &ensp; &#10003; Unstructured document processing </sup>
+Follow the instructions in [Create a model in Syntex](create-syntex-model.md) to create an unstructured document processing model in a content center. Or, follow the instructions in [Create a model on a local SharePoint site](create-local-model.md) to create the model on a local site. Then start with this article to begin training your model.
+ </br> > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4CL0R]
contentunderstanding Difference Between Document Understanding And Form Processing Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/difference-between-document-understanding-and-form-processing-model.md
Use the following table to see differences in custom models to help identify the
| Feature | Unstructured document processing | Freeform document processing | Structured document processing | | - | - | - | - |
+| Associated with this training method in the UI | ![Tile for teaching method.](../media/content-understanding/teaching-method-tile.png) | ![Tile for freeform seletion method.](../media/content-understanding/freeform-selection-method-tile.png) | ![Tile for layout method.](../media/content-understanding/layout-method-tile.png) |
| Use for this type of content | Unstructured or semi-structured file formats, for example Office documents where there are differences in the layout, but still similar information to be extracted. | Unstructured and free-form file formats, for example documents that have no set structure such as letters, contracts, and statements of work. | Structured and semi-structured file formats, for example PDFs for forms content such as invoices or purchase orders where the layout and formatting is similar. |
-| Training method | Teaching method | Freeform selection method | Layout method |
| Model creation | Model created in SharePoint in a new site, the content center. | Model created in [AI Builder](/ai-builder/overview) with seamless access from SharePoint document library.| Model created in [AI Builder](/ai-builder/overview) with seamless access from SharePoint document library. | | Classification type | Trainable classifier with optional extractors using machine teaching to assign document location on what data to extract. | Not applicable | Not applicable | | Locations | Can be applied to multiple libraries. | Can be applied to multiple libraries. | Can be applied to multiple libraries. |
contentunderstanding Model Types Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/model-types-overview.md
Custom models include:
To view the side-by-side differences in custom models, see [Compare custom models](./difference-between-document-understanding-and-form-processing-model.md).
+When you create a custom model, you'll select the training method associated with the model type. For example, if you want to create an unstructured document processing model, on the **Options for model creation** page where you create a model, you will choose the **Teaching method** option. The following table shows the training method associated with each custom model type.
+
+|Unstructured<br> document processing |Freeform<br> document processing |Structured<br> document processing |
+||||
+| ![Tile for teaching method.](../media/content-understanding/teaching-method-tile-2.png) | ![Tile for freeform seletion method.](../media/content-understanding/freeform-selection-method-tile-2.png) | ![Tile for layout method.](../media/content-understanding/layout-method-tile-2.png) |
+ ### Unstructured document processing Use the unstructured document processing model to automatically classify documents and extract information from them. It works best with unstructured documents, such as letters or contracts. These documents must have text that can be identified based on phrases or patterns. The identified text designates both the type of file it is (its classification) and what you'd like to extract (its extractors).
For example, an unstructured document could be a contract renewal letter that ca
This model type supports the widest range of file types and only works on files using the Latin alphabet (English characters).
+When you create an unstructured document processing model, use the **Teaching method** option.
+ For more information, see [Overview of unstructured document processing](document-understanding-overview.md). ### Freeform document processing
Because your organization receives letters and documents in large quantities fro
This model type is the best option for English documents in PDF or image files when you don't require automatic classification of the type of document.
+When you create a freeform document processing model, use the **Freeform selection method** option.
+ For more information, see [Overview of freeform document processing](freeform-document-processing-overview.md). ### Structured document processing
Structured document processing models use Microsoft Power Apps [AI Builder](/ai-
This model type supports the widest range of languages and is trained to understand the layout of your form from example documents, and then learns to look for the data you need to extract from similar locations. Forms usually have a more structured layout where entities are in the same location (for example, a social security number on a tax form).
+When you create a structured document processing model, use the **Layout method** option.
+ For more information, see [Overview of structured document processing](form-processing-overview.md). ## Prebuilt models
contentunderstanding Set Up Content Understanding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/set-up-content-understanding.md
For details about Syntex licensing, see [Microsoft Syntex licensing](syntex-lice
Click **Next**.
-5. On the **Create Content Center** page, you can create a SharePoint content center site where your users can create and manage unstructured document processing models. If you previously created a content center from the SharePoint admin center, that information will display here and you can just select **Next**.
+5. On the **Create Content Center** page, you can create a SharePoint content center site where your users can create and manage document processing models. If you previously created a content center from the SharePoint admin center, that information will display here and you can just select **Next**.
1. For **Site name**, type the name you want to give your content center site.
enterprise Cross Tenant Mailbox Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-mailbox-migration.md
Make sure that all the users in the source and target organization must be licen
![Azure Logon](../media/tenant-to-tenant-mailbox-move/74f26681e12df3308c7823ee7d527587.png)
-2. Click view under Manage Azure Active Directory.
+2. Click View under "Manage Azure Active Directory".
![Azure Active Directory Button](../media/tenant-to-tenant-mailbox-move/109ac3dfbac2403fb288f085767f393b.png)
-3. On the left navigation bar, select App registrations.
+3. On the left navigation bar, select "App registrations".
-4. Select New registration
+4. Select "New registration"
![New Application](../media/tenant-to-tenant-mailbox-move/b36698df128e705eacff4bff7231056a.png)
-5. On the Register an application page, under Supported account types, select Accounts in any organizational directory (Any Azure AD directory - Multitenant). Then, under Redirect URI (optional), select Web and enter <https://office.com>. Lastly, select Register.
+5. On the "Register an application page", under "Supported account types", select" Accounts in any organizational directory (Any Azure AD directory - Multitenant)". Then, under "Redirect URI (optional)", select Web and enter <https://office.com>. Lastly, select Register.
![Application Registration](../media/tenant-to-tenant-mailbox-move/edcdf18b9f504c47284fe4afb982c433.png) 6. On the top-right corner of the page, you'll see a notification pop-up that states the app was successfully created.
-7. Go back to Home, Azure Active Directory and click on App registrations.
+7. Go back to Home, Azure Active Directory and click on "App registrations".
-8. Under Owned applications, find the app you created and click on it.
+8. Under "Owned applications", find the app you created and click on it.
-9. Under Essentials, you'll need to copy down the Application (client) ID as you'll need it later to create a URL for the target tenant.
+9. Under "Essentials", you'll need to copy down the "Application (client) ID" as you'll need it later to create a URL for the target tenant.
-10. Now, on the left navigation bar, click on API permissions to view permissions assigned to your app.
+10. Now, on the left navigation bar, click on "API permissions" to view permissions assigned to your app.
11. By default, User. Read permissions are assigned to the app you created, but we don't require them for mailbox migrations, you can remove that permission. ![Application Permissions](../media/tenant-to-tenant-mailbox-move/6a8c13a36cb3e10964a6920b8138e12b.png)
-12. Now we need to add permission for mailbox migration, select Add a permission
+12. Now we need to add permission for mailbox migration, select "Add a permission"
-13. In the Request API permissions windows, select APIs my organization uses, search for Office 365 Exchange Online, and select it.
+13. In the "Request API permissions" window, select "APIs my organization uses", search for "Office 365 Exchange Online", and select it.
![Select API](../media/tenant-to-tenant-mailbox-move/0b4dc1eea3910e9c475724d9473aca58.png)
-14. Next, select Application permissions
+14. Next, select "Application permissions"
-15. Then, under Select permissions, expand Mailbox, check Mailbox.Migration, and, at the bottom on the screen, select Add permissions.
+15. Then, under "Select permissions", expand Mailbox, and check "Mailbox.Migration", and "Add permissions" at the bottom on the screen.
![Set API](../media/tenant-to-tenant-mailbox-move/0038a4cf74bb13de0feb51800e078803.png) 16. Now select Certificates & secrets on the left navigation bar for your application.
-17. Under Client secrets, select new client secret.
+17. Under "Client secrets", select "New client secret".
![Client Secrets](../media/tenant-to-tenant-mailbox-move/273dafd5e6c6455695f9baf35ef9977a.png)
Make sure that all the users in the source and target organization must be licen
19. Now that you've successfully created the migration application and secret, you'll need to consent to the application. To consent to the application, go back to the Azure Active Directory landing page, click on Enterprise applications in the left navigation, find your migration app you created, select it, and select Permissions on the left navigation.
-20. Click on the Grant admin consent for [your tenant] button.
+20. Click on the "Grant admin consent for [your tenant]" button.
-21. A new browser window will open and select Accept.
+21. A new browser window will open and select "Accept".
22. You can go back to your portal window and select Refresh to confirm your acceptance.
Make sure that all the users in the source and target organization must be licen
$targetTenantId="[tenant id of your trusted partner, where the mailboxes are being moved to]" $appId="[application id of the mailbox migration app you consented to]" $scope="[name of the mail enabled security group that contains the list of users who are allowed to migrate]"
- $orgrels=Get-OrganizationRelationship
+ New-DistributionGroup -Type Security -Name $scope
+ $orgrels=Get-OrganizationRelationship
$existingOrgRel = $orgrels | ?{$_.DomainNames -like $targetTenantId} If ($null -ne $existingOrgRel) {
Make sure that all the users in the source and target organization must be licen
### How do I know this worked? You can verify cross-tenant mailbox migration configuration by running the [Test-MigrationServerAvailability](/powershell/module/exchange/Test-MigrationServerAvailability) cmdlet against the cross-tenant migration endpoint that you created on your target tenant.
+Run the following cmdlet from target tenant:
```powershell
-Test-MigrationServerAvailability -EndPoint "Migration endpoint for cross-tenant mailbox moves" -TestMailbox "Primary SMTP of MailUser object in target tenant"
+Test-MigrationServerAvailability -EndPoint "[the name of your migration endpoint]" -TestMailbox "[Primary SMTP of MailUser object in target tenant]"
``` ### Move mailboxes back to the original source
Ensure the following objects and attributes are set in the target organization.
Note this will not work for tenants in hybrid.
-4. Users in the target organization must be licensed with appropriate Exchange Online subscriptions applicable for the organization. You may apply a license in advance of a mailbox move but ONLY once the target MailUser is properly set up with ExchangeGUID and proxy addresses. Applying a license before the ExchangeGUID is applied will result in a new mailbox provisioned in target organization. You must also apply a Cross Tenant User Data Migration licenses or you may see a transient error saying needs approval which will report a warning in the move report that a license is not applied to the target user.
+4. Users in the target organization must be licensed with appropriate Exchange Online subscriptions applicable for the organization. You may apply a license in advance of a mailbox move but ONLY once the target MailUser is properly set up with ExchangeGUID and proxy addresses. Applying a license before the ExchangeGUID is applied will result in a new mailbox provisioned in target organization. You must also apply a Cross Tenant User Data Migration license or you may see a transient error saying needs approval which will report a warning in the move report that a license is not applied to the target user.
> [!NOTE] > When you apply a license on a Mailbox or MailUser object, all SMTP type proxyAddresses are scrubbed to ensure only verified domains are included in the Exchange EmailAddresses array.
enterprise Move Sharepoint Between Geo Locations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/move-sharepoint-between-geo-locations.md
You can schedule SharePoint site moves in advance (described later in this artic
- You can schedule up to 4,000 moves at a time. - As the moves begin, you can schedule more, with a maximum of 4,000 pending moves in the queue and any given time.-- The maximum size of a SharePoint site that can be moved is 1 terabyte (1 TB).
+- The maximum size of a SharePoint site that can be moved is 2 terabytes (2 TB).
To schedule a SharePoint site geo move for a later time, include one of the following parameters when you start the move:
In most cases, Power Automate Flows will continue to work after a SharePoint sit
### Power Apps
-Power Apps need to be recreated in the destination location.
+Power Apps needs to be recreated in the destination location.
### Data movement between geo locations
security Advanced Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md
Depending on the Microsoft security products that you use, some advanced feature
## Enable advanced features
-1. In the navigation pane, select **Settings** \> **Endpoints** \> **Advanced features**.
-2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
-3. Select **Save preferences**.
+1. Log in to [Microsoft 365 Defender](https://go.microsoft.com/fwlink/p/?linkid=2077139) using an account with the Security administrator or Global administrator role assigned.
+
+2. In the navigation pane, select **Settings** \> **Endpoints** \> **Advanced features**.
+
+3. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
+
+4. Select **Save preferences**.
Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations.
security Api Hello World https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-hello-world.md
Done! You have successfully registered an application!
$dateTime = (Get-Date).ToUniversalTime().AddHours(-48).ToString("o") # The URL contains the type of query and the time filter we create above
- # Read more about other query options and filters at Https://TBD- add the documentation link
+ # Read more about [other query options and filters](get-alerts.md).
$url = "https://api.securitycenter.microsoft.com/api/alerts?`$filter=alertCreationTime ge $dateTime" # Set the WebRequest headers
security Attack Surface Reduction Rules Deployment Implement https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement.md
Implementing attack surface reduction (ASR) rules moves the first test ring into
## Step 1: Transition ASR Rules from Audit to Block
-1. After all exclusions are determined while in audit mode, start setting some ASR rules to "block" mode, starting with the rule that has the fewest triggered events. See" [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+1. After all exclusions are determined while in audit mode, start setting some ASR rules to "block" mode, starting with the rule that has the fewest triggered events. See [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
2. Review the reporting page in the Microsoft 365 Defender portal; see [Threat protection report in Microsoft Defender for Endpoint](threat-protection-reports.md). Also review feedback from your ASR champions. 3. Refine exclusions or create new exclusions as determined necessary. 4. Switch problematic rules back to Audit.
- >[!Note]
- >For problematic rules (rules creating too much noise), it is better to create exclusions than to turn rules off or switching back to Audit. You will have to determine what is best for your environment.
+ > [!NOTE]
+ > For problematic rules (rules creating too much noise), it is better to create exclusions than to turn rules off or switching back to Audit. You will have to determine what is best for your environment.
- >[!Tip]
- >When available, take advantage of the Warn mode setting in rules to limit disruptions. Enabling ASR rules in Warn mode enables you to capture triggered events and view their potential disruptions, without actually blocking end-user access. Learn more: [Warn mode for users](attack-surface-reduction.md#warn-mode-for-users).
+ > [!TIP]
+ > When available, take advantage of the Warn mode setting in rules to limit disruptions. Enabling ASR rules in Warn mode enables you to capture triggered events and view their potential disruptions, without actually blocking end-user access. Learn more: [Warn mode for users](attack-surface-reduction.md#warn-mode-for-users).
### How does Warn mode work?
security Attack Surface Reduction Rules Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference.md
When the allow button is clicked, the block will be suppressed for 24 hours. Aft
You can also set a rule in warn mode via PowerShell by specifying the AttackSurfaceReductionRules_Actions as "Warn". For example: ```powershell--command "& {&'Add-MpPreference' -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Warn"}
+Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Warn
``` ## Per rule descriptions
security Configure Email Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-email-notifications.md
The email notification includes basic information about the alert and a link to
## Create rules for alert notifications You can create rules that determine the devices and alert severities to send email notifications for and the notification recipients.
-1. In the navigation pane, select **Settings** \> **Endpoints** \> **General** \> **Email notifications**.
+1. Go to [Microsoft 365 Defender](https://go.microsoft.com/fwlink/p/?linkid=2077139) and sign in using an account with the Security administrator or Global administrator role assigned.
+
+2. In the navigation pane, select **Settings** \> **Endpoints** \> **General** \> **Email notifications**.
2. Click **Add item**.
security Data Collection Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-collection-analyzer.md
The analyzer and all the above scenario flags can be initiated remotely by runni
> - **-r** - Indicates that tool is being run from remote (or non-interactive context) > - **-i** - Scenario flag for collection of network trace along with other related logs > - **-m** \# - The number of minutes to run (5 minutes in the above example)
+>
+> - When using MDEClientAnalyzer.cmd the script checks for privileges using "net session" which requires the service "Server" to be running. If it is not, you will get the error message _Script is running with insufficient privileges_. Run it with administrator privileges if ECHO is off.
security Data Retention Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-retention-settings.md
You can verify the data location by navigating to **Settings** \> **Endpoints**
You can update the data retention settings. By default, the retention period is 180 days.
-1. In the navigation pane, select **Settings** \> **Endpoints** \> **Data retention** (under **General**).
+1. Log in to [Microsoft 365 Defender](https://go.microsoft.com/fwlink/p/?linkid=2077139) using an account with the Security administrator or Global administrator role assigned.
+
+2. In the navigation pane, select **Settings** \> **Endpoints** \> **Data retention** (under **General**).
2. Select the data retention duration from the drop-down list.
security Data Storage Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-storage-privacy.md
No. Customer data is isolated from other customers and is not shared. However, i
### At service onboarding
-By default, data is retained for 180 days; however, you can specify the data retention policy for your data. This determines how long Microsoft Defender for Endpoint will store your data. There's a flexibility of choosing in the range of one month to six months to meet your company's regulatory compliance needs.
+Data from Microsoft Defender for Endpoint is retained for 180 days, visible across the portal. However, in the advanced hunting investigation experience, it is accessible via a query for a period of 30 days.
### At contract termination or expiration
security Deployment Strategy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-strategy.md
Use the following material to select the appropriate Defender for Endpoint archi
| Item | Description | |:--|:--|
-|[:::image type="content" source="images/mde-deployment-strategy.png" alt-text="The strategy for deployment of Defender for Endpoint" lightbox="images/mde-deployment-strategy.png":::](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf)<br/> [PDF](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf) \| [Visio](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li>
+|[:::image type="content" source="images/mde-deployment-strategy.png" alt-text="The strategy for deployment of Defender for Endpoint" lightbox="images/mde-deployment-strategy.png":::](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf) <br/><br/> [PDF document](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf) <br/> [Visio drawing](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premises</li><li>Evaluation and local onboarding</li></ul>|
## Step 2: Select deployment method
The following table lists the supported endpoints and the corresponding deployme
|Endpoint|Deployment tool| |||
-|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) |
+|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md)|
|**macOS**|[Local script](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md)| |**Linux Server**|[Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)| |**iOS**|[App-based](ios-install.md)|
security Indicator Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-manage.md
Download the sample CSV to know the supported column attributes.
5. Select **Done**. > [!NOTE]
-> Only 500 indicators can be uploaded for each batch.
+> Only 500 indicators can be uploaded for each batch.
+>
+> Attempting to import indicators with specific categories requires the string to be written in Pascal case convention and only accepts the category list available at the portal.
The following table shows the supported parameters.
security Ios Configure Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md
Network protection in Microsoft Defender for endpoint is disabled by default. Ad
2. Provide a name and description to uniquely identify the policy. Then click on 'Select Public apps' and choose 'Microsoft Defender' for Platform iOS/IPadOS :::image type="content" source="images/nameiosconfig.png" alt-text="Name the configuration." lightbox="images/nameiosconfig.png":::
-3. In Settings page, add 'DefenderNetworkProtectionEnable' as the key and value as 'true' to enable Network Protection. (Network protection is disabled by default).
+3. In the Settings page, add 'DefenderNetworkProtectionEnable' as the key and the value as 'true' to enable Network Protection. (Network protection is disabled by default.)
:::image type="content" source="images/addiosconfigvalue.png" alt-text="Add configuration value." lightbox="images/addiosconfigvalue.png":::
security Manage Automation File Uploads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-automation-file-uploads.md
For example, if you add *exe* and *bat* as file or attachment extension names, t
## Add file extension names and attachment extension names.
-1. In the navigation pane, select **Settings** \> **Endpoints** \> **Rules** \> **Automation uploads**.
+1. Log in to [Microsoft 365 Defender](https://go.microsoft.com/fwlink/p/?linkid=2077139) using an account with the Security administrator or Global administrator role assigned.
+
+2. In the navigation pane, select **Settings** \> **Endpoints** \> **Rules** \> **Automation uploads**.
2. Toggle the content analysis setting between **On** and **Off**.
security Manage Suppression Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-suppression-rules.md
There might be scenarios where you need to suppress alerts from appearing in the
You can view a list of all the suppression rules and manage them in one place. You can also turn an alert suppression rule on or off.
-1. In the navigation pane, select **Settings** \> **Endpoints** \> **Rules** \> **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
+1. Log in to [Microsoft 365 Defender](https://go.microsoft.com/fwlink/p/?linkid=2077139) using an account with the Security administrator or Global administrator role assigned.
+
+2. In the navigation pane, select **Settings** \> **Endpoints** \> **Rules** \> **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
2. Select a rule by clicking on the check-box beside the rule name.
security Run Advanced Query Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-advanced-query-api.md
search.appverid: met150
1. You can only run a query on data from the last 30 days.
-2. The results will include a maximum of 10,000 rows.
+2. The results will include a maximum of 100,000 rows.
3. The number of executions is limited per tenant: - API calls: Up to 45 calls per minute, up to 1500 calls per hour.
security Advanced Hunting Errors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-errors.md
**Applies to:** - Microsoft 365 Defender-- Microsoft Defender for Endpoint Advanced hunting displays errors to notify for syntax mistakes and whenever queries hit [predefined quotas and usage parameters](advanced-hunting-limits.md). Refer to the table below for tips on how to resolve or avoid errors.
security Advanced Hunting Expert Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-expert-training.md
**Applies to:** - Microsoft 365 Defender-- Microsoft Defender for Endpoint Boost your knowledge of advanced hunting quickly with _Tracking the adversary_, a webcast series for new security analysts and seasoned threat hunters. The series guides you through the basics all the way to creating your own sophisticated queries. Start with the first video on fundamentals or jump to more advanced videos that suit your level of experience.
security Advanced Hunting Extend Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-extend-data.md
**Applies to:** - Microsoft 365 Defender-- Microsoft Defender for Endpoint [Advanced hunting](advanced-hunting-overview.md) relies on data coming from various sources, including your devices, your Office 365 workspaces, Azure AD, and Microsoft Defender for Identity. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.
security Advanced Hunting Go Hunt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-go-hunt.md
**Applies to:** - Microsoft 365 Defender-- Microsoft Defender for Endpoint With the *go hunt* action, you can quickly investigate events and various entity types using powerful query-based [advanced hunting](advanced-hunting-overview.md) capabilities. This action automatically runs an advanced hunting query to find relevant information about the selected event or entity.
security Advanced Hunting Link To Incident https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-link-to-incident.md
**Applies to:** - Microsoft 365 Defender-- Microsoft Defender for Endpoint You can use the link to incident feature to add advanced hunting query results to a new or existing incident under investigation. This feature helps you easily capture records from advanced hunting activities, which enables you to create a richer timeline or context of events regarding an incident.
security Advanced Hunting Query Language https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-language.md
**Applies to:** - Microsoft 365 Defender-- Microsoft Defender for Endpoint Advanced hunting is based on the [Kusto query language](/azure/kusto/query/). You can use Kusto operators and statements to construct queries that locate information in a specialized [schema](advanced-hunting-schema-tables.md).
security Advanced Hunting Query Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-results.md
**Applies to:** - Microsoft 365 Defender-- Microsoft Defender for Endpoint [!INCLUDE [Prerelease information](../includes/prerelease.md)]
security Advanced Hunting Shared Queries https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-shared-queries.md
**Applies to:** - Microsoft 365 Defender-- Microsoft Defender for Endpoint [Advanced hunting](advanced-hunting-overview.md) queries can be shared among users in the same organization. You can also save queries that are only accessible to you. You can also find community queries that are shared publicly on GitHub. These saved queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch.
security Advanced Hunting Take Action https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-take-action.md
**Applies to:** - Microsoft 365 Defender-- Microsoft Defender for Endpoint [!INCLUDE [Prerelease information](../includes/prerelease.md)]
security Advanced Hunting Urlclickevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-urlclickevents-table.md
**Applies to:** - Microsoft 365 Defender-- Microsoft Defender for Office 365 The `UrlClickEvents` table in the advanced hunting schema contains information about [Safe Links](../office-365-security/safe-links.md) clicks from email messages, Microsoft Teams, and Office 365 apps in supported desktop, mobile, and web apps.
security Custom Detection Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-detection-rules.md
**Applies to:** - Microsoft 365 Defender-- Microsoft Defender for Endpoint Custom detection rules are rules you can design and tweak using [advanced hunting](advanced-hunting-overview.md) queries. These rules let you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
security Custom Detections Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-detections-overview.md
**Applies to:** - Microsoft 365 Defender-- Microsoft Defender for Endpoint With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured endpoints. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions.
security Microsoft 365 Defender Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender-portal.md
Threat analytics is the Microsoft 365 Defender threat intelligence solution from
## Partner catalog Microsoft 365 Defender supports two types of partners:
-1. Third-party integrations to help secure users with effective threat protection, detection, investigation, and response in various security fields of endpoints, vulnerability management, email, identities, and cloud apps.
-2. Professional services where organizations can enhance the detection, investigation, and threat intelligence capabilities of the platform.
+- Third-party integrations to help secure users with effective threat protection, detection, investigation, and response in various security fields of endpoints, vulnerability management, email, identities, and cloud apps.
+- Professional services where organizations can enhance the detection, investigation, and threat intelligence capabilities of the platform.
## Send us your feedback
security Allow Block Urls https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/allow-block-urls.md
Valid URL entries and their results are described in the following sections.
- payroll.contoso.com - test.com/contoso.com - test.com/q=contoso.com
- - contoso.com
- - contoso.com/q=a@contoso.com
+ - www.contoso.com
+ - www.contoso.com/q=a@contoso.com
- **Block match**: - contoso.com
Valid URL entries and their results are described in the following sections.
- payroll.contoso.com - test.com/contoso.com - test.com/q=contoso.com
- - contoso.com
- - contoso.com/q=a@contoso.com
+ - www.contoso.com
+ - www.contoso.com/q=a@contoso.com
- **Block not matched**: abc-contoso.com
Valid URL entries and their results are described in the following sections.
**Entry**: `*.contoso.com` - **Block match**:
+ - www.contoso.com
- xyz.abc.contoso.com - **Block not matched**: - 123contoso.com - contoso.com - test.com/contoso.com
- - contoso.com/abc
+ - www.contoso.com/abc
#### Scenario: Right wildcard at top of path
Valid URL entries and their results are described in the following sections.
- **Allow not matched** and **Block not matched**: - contoso.com - contoso.com/a
- - contoso.com
- - contoso.com/q=a@contoso.com
+ - www.contoso.com
+ - www.contoso.com/q=a@contoso.com
#### Scenario: Left tilde
Valid URL entries and their results are described in the following sections.
- **Allow match** and **Block match**: - contoso.com
- - contoso.com
+ - www.contoso.com
- xyz.abc.contoso.com - **Allow not matched** and **Block not matched**: - 123contoso.com - contoso.com/abc
- - contoso.com/abc
+ - www.contoso.com/abc
#### Scenario: Right wildcard suffix
Valid URL entries and their results are described in the following sections.
- **Block match**: - abc.contoso.com/ab - abc.xyz.contoso.com/a/b/c
- - contoso.com/a
- - contoso.com/b/a/c
+ - www.contoso.com/a
+ - www.contoso.com/b/a/c
- xyz.contoso.com/ba - **Block not matched**: contoso.com/b
Valid URL entries and their results are described in the following sections.
- contoso.com - contoso.com/a
- - contoso.com
- - contoso.com/b
+ - www.contoso.com
+ - www.contoso.com/b
- xyz.abc.contoso.com
+ - abc.xyz.contoso.com/a/b/c
+ - contoso.com/b/a/c
+ - test.com/contoso.com
+ - **Allow not matched** and **Block not matched**: - 123contoso.com - contoso.org
+ - test.com/q=contoso.com
#### Scenario: IP address
security Configure Junk Email Settings On Exo Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-junk-email-settings-on-exo-mailboxes.md
The safelist collection on a mailbox includes the Safe Senders list, the Safe Re
<sup>\*</sup> **Notes**: -- In Exchange Online, **domain entries** in the Safe Senders list or _TrustedSendersAndDomains_ parameter aren't recognized, so only use email addresses. In standalone EOP with directory synchronization, domain entries aren't synchronized by default, but you can enable synchronization for domains. For more information, see [KB3019657](https://support.microsoft.com/help/3019657).
+- In Exchange Online, whether entries in the Safe Senders list or _TrustedSendersAndDomains_ parameter work or don't work depends on the verdict and action in the policy that identified the message:
+ - **Move messages to Junk Email folder**: Domain entries and sender email address entries are honored. Messages from those senders are not moved to the Junk Email folder.
+ - **Quarantine**: Domain entries are not honored (messages from those senders are quarantined). Email address entries are honored (messages from those senders are not quarantined) if either of the following statements are true:
+ - The message is not identified as malware or high confidence phishing (malware and high confidence phishing messages are quarantined).
+ - The email address is not also in a block entry in the [Tenant Allow/Block List](manage-tenant-allow-block-list.md) (messages from those senders will be quarantined).
+- In standalone EOP with directory synchronization, domain entries aren't synchronized by default, but you can enable synchronization for domains. For more information, see [KB3019657](https://support.microsoft.com/help/3019657).
- You can't directly modify the Safe Recipients list by using the **Set-MailboxJunkEmailConfiguration** cmdlet (the _TrustedRecipientsAndDomains_ parameter doesn't work). You modify the Safe Senders list, and those changes are synchronized to the Safe Recipients list. To configure the safelist collection on a mailbox, use the following syntax:
security Create Safe Sender Lists In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365.md
Instead of an organizational setting, users or admins can add the sender email a
This method is not desirable in most situations since senders will bypass parts of the filtering stack. Although you trust the sender, the sender can still be compromised and send malicious content. You should let our filters check every message and then [report the false positive/negative to Microsoft](report-junk-email-messages-to-microsoft.md) if we got it wrong. Bypassing the filtering stack also interferes with [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md).
-By design and for increased security of Exchange Online mailboxes, only the junk email settings for safe senders, blocked senders, and blocked domains are recognized. Safe mailing list settings are ignored.
+When messages skip spam filtering due to entries in a user's Safe Senders list, the **X-Forefront-Antispam-Report** header field will contain the value `SFV:SFE`, which indicates that filtering for spam, spoof, and phishing (not high confidence phishing) was bypassed.
-**Note**: In Exchange Online, domain entries in the Outlook Safe Senders list or TrustedSendersAndDomains parameter aren't recognized, so only use email addresses.
+**Notes**:
-When messages skip spam filtering due to a user's Safe Senders list, the **X-Forefront-Antispam-Report** header field will contain the value `SFV:SFE`, which indicates that filtering for spam, spoof, and phishing were bypassed.
+- In Exchange Online, whether entries in the Safe Senders list work or don't work depends on the verdict and action in the policy that identified the message:
+ - **Move messages to Junk Email folder**: Domain entries and sender email address entries are honored. Messages from those senders are not moved to the Junk Email folder.
+ - **Quarantine**: Domain entries are not honored (messages from those senders are quarantined). Email address entries are honored (messages from those senders are not quarantined) if either of the following statements are true:
+ - The message is not identified as malware or high confidence phishing (malware and high confidence phishing messages are quarantined).
+ - The email address is not also in a block entry in the [Tenant Allow/Block List](manage-tenant-allow-block-list.md) (messages from those senders will be quarantined).
+- Entries for blocked senders and blocked domains are honored (messages from those senders are moved to the Junk Email folder). Safe mailing list settings are ignored.
## Use the IP Allow List
security Permissions Microsoft 365 Security Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-microsoft-365-security-center.md
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] **Applies to**-- [Exchange Online Protection](exchange-online-protection-overview.md) - [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Exchange Online Protection](exchange-online-protection-overview.md)
- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-You need to manage security scenarios that span all the Microsoft 365 services. And you need the flexibility to give the right admin permissions to the right people in your organization.
-
-The Microsoft 365 Defender portal at <https://security.microsoft.com> supports directly managing permissions for users who perform security tasks in Microsoft 365. By using the Microsoft 365 Defender portal to manage permissions, you can manage permissions centrally for all tasks related to security.
+Global roles in Azure Active Directory (Azure AD) allow you to manage permissions and access to capabilities in Microsoft 365, which also includes Microsoft Defender for Office 365. But, if you need to limit permissions and capabilities to security features in Defender for Office 365 only, you can assign permissions in the Microsoft 365 Defender portal.
-To manage permissions in the Microsoft 365 Defender portal, go to **Permissions & roles** or <https://security.microsoft.com/securitypermissions>. You need to be a **global administrator** or a member of the **Organization Management** role group in the Microsoft 365 Defender portal. Specifically, the **Role Management** role allows users to view, create, and modify role groups in the Microsoft 365 Defender portal, and by default, that role is assigned only to the **Organization Management** role group.
+To manage permissions in the Microsoft 365 Defender portal, go to **Permissions & roles** > **Email & collaboration roles** or <https://security.microsoft.com/securitypermissions>. You need to be a **Global administrator** or a member of the **Organization Management** role group in the Microsoft 365 Defender portal. Specifically, the **Role Management** role allows users to view, create, and modify role groups in the Microsoft 365 Defender portal, and by default, that role is assigned only to the **Organization Management** role group.
> [!NOTE]
+> Some capabilities of Microsoft Defender for Office require additional permissions in the Exchange admin center. For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
+>
> For information about permissions in the Microsoft Purview compliance portal, see [Permissions in the Microsoft Purview compliance portal](../../compliance/microsoft-365-compliance-center-permissions.md). ## Relationship of members, roles, and role groups
When you select a role, a details flyout that contains the description of the ro
:::image type="content" source="../../media/permissions-manage-in-azure-ad-link.png" alt-text="The link to manage permissions in Azure Active Directory" lightbox="../../media/permissions-manage-in-azure-ad-link.png":::
-For more information, see [View and assign administrator roles in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-manage-roles-portal).
+For more information, see [View and assign administrator roles in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-manage-roles-portal) and [Manage access to Microsoft 365 Defender with Azure Active Directory global roles](/microsoft-365/security/defender/m365d-permissions).
|Role|Description| |||
security Protection Stack Microsoft Defender For Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protection-stack-microsoft-defender-for-office365.md
In this phase the filtering stack begins to handle the specific contents of the
1. **Transport rules** (also known as mail flow rules or Exchange transport rules) allow an admin to take a wide range of actions when an equally wide range of conditions are met for a message. All messages that flow through your organization are evaluated against the enabled mail flow rules / transport rules.
-2. **Microsoft Defender Antivirus** and two *third-party Antivirus engines* are used to detect all known malware in attachments.
+2. **Microsoft Defender Antivirus** and a *third-party Antivirus engine* are used to detect all known malware in attachments.
-3. The anti-virus (AV) engines are also used to true-type all attachments, so that **Type blocking** can block all attachments of types the admin specifies.
+3. The anti-virus (AV) engines are also used to true-type supported attachment types, which allows **Type blocking** to correctly block file types specified by admins.
4. Whenever Microsoft Defender for Office 365 detects a malicious attachment, the file's hash, and a hash of its active content, are added to Exchange Online Protection (EOP) reputation. **Attachment reputation blocking** will block that file across all Office 365, and on endpoints, through MSAV cloud calls.