-description: "Learn about Copilot for Microsoft 365 admin and how it can help simplify admin tasks."

-# Copilot for Microsoft 365 admin (Preview)

-Copilot for Microsoft 365 admin harnesses the value of generative AI to boost IT admins' productivity by simplifying administration of Microsoft 365 and Microsoft 365 Copilot, and empowering you to focus on more strategic priorities. Copilot for Microsoft 365 admin helps admins perform tasks across different Microsoft 365 services using natural language interactions, contextual guidance, and proactive suggestions. Copilot for Microsoft 365 admin also leverages the power of Copilot to provide transferable skills across different admin centers and surfaces, breaking the barriers of switching between multiple admin tools and interfaces.

-> Copilot for Microsoft 365 admin is currently available in an invite-only preview.

-You must have a Microsoft 365 Copilot license enabled for your tenant. To learn more about Copilot licensing, see [Get started with Microsoft 365 Copilot](microsoft-365-copilot-setup.md).

-To use Copilot for Microsoft 365 admin, follow these steps:

-2. Select the Copilot button in the upper right shell to launch Copilot for Microsoft 365 admin.

-## How can I use Copilot for Microsoft 365 admin?

-You can use Copilot to help manage your organization and focus on whatΓÇÖs important.

-| Mailbox search | Find insights about your usersΓÇÖ mailboxes through natural language queries. | *ΓÇ£Find all the mailboxes which are hidden from address listsΓÇ¥* <br> *ΓÇ£Show me all mailboxes put on litigation hold date before 13th August 2017ΓÇ¥* |

-| Get support | Get support for any challenges or questions that you have related to administering Microsoft 365 for your tenant. Copilot can also give you an alert for a service incident ongoing for your organization if your question is relevant to that incident, along with a self-help insight. For certain issues, Copilot can give you diagnostic solutions that will leverage the information and details you provide to help diagnose and solve your problems. | *"How do I view my bill?"* <br> *"How do I set up Multi-factor Authentication?"* <br> *“How do I restore a deleted user?”* |

-| Discover products | Discover products to help take advantage of value from Microsoft 365. Copilot can help you find the right product to suit your needs. When applicable, you can initiate trials and purchases directly from the Copilot response. | *ΓÇ£What is included in Business Premium?ΓÇ¥* <br> *ΓÇ£What is the price of Viva Goals?ΓÇ¥* <br> *ΓÇ£How do I get email?ΓÇ¥* |

-| Identity management | Use Copilot to guide you in managing various aspects of identity and security within your organizationΓÇÖs ecosystem. | *ΓÇ£How many hybrid users am I syncing?ΓÇ¥* <br> *ΓÇ£Which authentication methods do I have on?ΓÇ¥* <br> *ΓÇ£Perform a guest access reviewΓÇ¥* |

-| Copilot guidance | Get Microsoft 365 Copilot guidance to help you with your Copilot onboarding and deployment journey with the help of guidance and insights. | *ΓÇ£How do I give access to Copilot?ΓÇ¥* <br> *ΓÇ£See Copilot requirements for my organizationΓÇ¥* <br> *ΓÇ£How many Copilot licenses have I assigned?ΓÇ¥* <br> *ΓÇ£Review Copilot user readinessΓÇ¥* |

-| Onboard users | Onboard users to your organization with one prompt. Copilot can help with adding a new user by leveraging the information you provide in a prompt in combination with the data it has about the tenant (like domains and licenses). Copilot can seamlessly recommend a configuration for this new user, which saves time. | *ΓÇ£Onboard John Smith as a new user to my organizationΓÇ¥* |

-| Admin recap | See Admin recap to get a personalized and concise summary of key insights and trends across admin areas, such as Service Health, Message Center, Experience Insights, and more to save valuable time. Admin recap is personalized based on your role and usage patterns. You can copy the text for easier sharing and also personalize what shows in the recap. | *ΓÇ£Recap the latest admin info for meΓÇ¥* |

- During the preview, use the prepopulated prompt options in the Copilot pane for the best results. You can also explore the [Copilot Lab](https://copilot.cloud.microsoft/prompts), which provides a library of prompts specifically designed for Copilot for Microsoft 365 admin. With Copilot Lab, you can experiment with Copilot's capabilities, easily filter prompts by categories, and even save your favorite prompts for later use.

-via a security group. Start by creating a security group with the following name: "**CopilotForM365AdminExclude**", no description or additional settings are required. The Copilot for Microsoft 365 admin experience will then be disabled for any admins added to this group.

-### Which admin roles can use Copilot for Microsoft 365 admin?

-### Does Copilot for Microsoft 365 admin support audit logging?

-Copilot for Microsoft 365 admin is aligned with our commitment to providing enterprise-grade compliance capabilities for all Copilot products. These capabilities include auditing, eDiscovery & legal hold, data retention controls, and more.

-### How much does Copilot for Microsoft 365 admin cost?

-Copilot for Microsoft 365 admin is available to a select set of customers for private preview today. More details on pricing and bundling will be shared soon.

-> [!NOTE]

-> WeΓÇÖre making some improvements to web search query transparency in the near future. For more information, see

-[Introducing web search query transparency for Microsoft 365 Copilot and Microsoft Copilot](https://techcommunity.microsoft.com/t5/microsoft-365-copilot/introducing-web-search-query-transparency-for-microsoft-365/ba-p/4253080).

-The Bing search service operates separately from Microsoft 365 and has different data-handling practices. The use of Bing is covered by the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement) between each user and Microsoft, together with the [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement). The [Microsoft Products and Services Data Protection Addendum (DPA)](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) doesn't apply to the use of the **Web content** toggle in Microsoft 365 Copilot, Microsoft Copilot, or the Bing search service.

-Customers are keen to explore these opportunities, and theyΓÇÖre thoughtfully considering the important aspects of security that come with them. Based on our interactions with customers who are on their AI transformation journey, we understand that topics such as data security, privacy, model robustness, and cyberattacks are top of mind.

-This article provides an overview of MicrosoftΓÇÖs overall security posture for AI, and how different Microsoft security solutions work together to help secure your data and interactions in Microsoft 365 Copilot and other AI applications. We will update this article with new information about emerging risks and innovations in solutions as they become available.

-Microsoft safeguards privacy, security, and reliability for Microsoft 365 CopilotΓÇÖs AI features, from the user input stage through the system output stage. Microsoft 365 Copilot is compliant with our existing [privacy, security, and compliance commitments](microsoft-365-copilot-privacy.md), including the General Data Protection Regulation (GDPR) and European Union (EU) Data Boundary. In keeping with these commitments, Microsoft handles the information in any prompts entered using Copilot, and the retrieved data and generated responses remain secured as Customer Data and subject to our contractual data handling requirements.

-Microsoft 365 Copilot accesses resources on behalf of the user, so it can only access resources the user already has permission to access. If the user doesnΓÇÖt have access to a document for example, then Microsoft 365 Copilot working on the userΓÇÖs behalf will also not have access either.

-Microsoft 365 Copilot uses pretrained LLM models hosted by Microsoft; it doesnΓÇÖt use Customer Data to train these models. In addition, prompt and grounding data isnΓÇÖt used to train AI models and is never shared with OpenAI or other third parties.

-Microsoft has built-in protections against the generation of protected content, which includes the industryΓÇÖs first [Customer Copyright Commitment](https://blogs.microsoft.com/on-the-issues/2023/09/07/copilot-copyright-commitment-ai-legal-concerns/) program to defend customers and compensate for any adverse judgments, in the event of a copyright infringement lawsuit.

-While Microsoft safeguards provide strong threat mitigation against misinformation and compromise, as with any AI application, Microsoft 365 CopilotΓÇÖs responses might not always be accurate. You should still apply human judgment to check these responses.

-### Does Microsoft 365 Copilot have access to data I donΓÇÖt have when grounding content?

-For example, we recently introduced new Microsoft Defender and Purview capabilities that provide purpose-built tools for robust security and governance of generative AI applications and their data. In addition, the seamless integration of [Microsoft Copilot for Security](/copilot/security/microsoft-security-copilot) across our products streamlines the overall process and experience for security analysts. By prioritizing security and offering these advanced features, Microsoft empowers organizations to confidently apply the benefits and opportunities AI applications provide.

-If you discover new vulnerabilities in any AI platform, we encourage you to follow responsible disclosure practices for the platform owner. MicrosoftΓÇÖs own procedure (for Copilot) is explained in this page: [Microsoft AI Bounty Program](https://www.microsoft.com/msrc/bounty-ai).

-After licensing your users for Microsoft 365 Copilot, we recommend sending them a welcome email to introduce them to Microsoft 365 Copilot and help them understand what it can do for them. The easiest way to do this is to use the [Microsoft 365 Copilot setup guide](https://admin.microsoft.com/Adminportal/Home?Q=learndocs#/modernonboarding/microsoft365copilotsetupguide), which includes an option for sending a welcome email to your Copilot users. HereΓÇÖs an example of this email:

-# Adoption and enablement resources available for Microsoft 365 Copilot

-Take advantage of the many helpful resources available on the [Microsoft Adoption site](https://adoption.microsoft.com/) as you enable Microsoft 365 Copilot in your organization. This site includes many resources, including the following:

-* A downloadable Success Kit to help drive user enablement and technical readiness in your organization.

-* A Launch Day kit to help create hype around your rollout.

-* The interactive Scenario Library with example outcomes and success measures for several different industries and roles.

-See [Microsoft 365 Copilot](https://adoption.microsoft.com/copilot/) to explore and download resources.

-Microsoft 365 Copilot is available as an [add-on plan](https://www.microsoft.com/microsoft-365/microsoft-copilot) with one of the following licensing prerequisites:

-**For Business and Enterprise:**

-**For Education Faculty and Higher Education Students Aged 18+:**

-description: Learn how Microsoft 365 Copilot works, how it uses Microsoft Graph to get your organization user data, and the common Copilot features in Microsoft 365 apps, like Word, Excel, PowerPoint, and Teams.

-[Microsoft 365 Copilot](/office365/servicedescriptions/office-365-platform-service-description/microsoft-365-copilot) is an AI-powered productivity tool.

-It provides real-time intelligence that enables users to complete tasks more efficiently, enhance their productivity & skills, and improve their overall work experience. Users get content relevant to their tasks, like drafting, summarizing, and answering questions; all in the context of their work within their Microsoft 365 app.

-To learn more, see:

-This article describes how Microsoft 365 Copilot works, the components it uses, and the Copilot features in Microsoft 365 apps.

-## How Microsoft 365 Copilot works

-The following diagram provides a visual representation of how Microsoft 365 Copilot works.

-Let's take a look:

-1. Copilot receives an input prompt from a user in a Microsoft 365 app, like Word or PowerPoint.

-2. Copilot preprocesses the input prompt using **grounding**.

- Grounding improves the specificity of your prompt, and helps you get answers that are relevant and actionable to your specific task. The prompt can include text from input files or other content Copilot discovers.

- Copilot only accesses data that an individual user is authorized to access, based on, for example, existing Microsoft 365 role-based access controls. Copilot doesn't access data that the user doesn't have permission to access.

- To learn more, see [Data stored about user interactions with Microsoft 365 Copilot](microsoft-365-copilot-privacy.md#data-stored-about-user-interactions-with-microsoft-365-copilot).

-3. Copilot sends the grounded prompt to the LLM. The LLM uses the prompt to generate a response that is contextually relevant to the user's task.

-4. Copilot takes this response from the LLM and post-processes it.

-5. This post-processing includes more grounding calls to Microsoft Graph, responsible AI checks, security, compliance and Purview tasks, and command generation.

-Copilot returns the response to the app, where the user can review and assess the response.

-The user's prompt and Copilot's response to that prompt is the **content of interactions**. The record of those interactions is in the user's Copilot interaction history. So, users can review and reuse their previous prompts.

-> To learn how users can use Copilot within Microsoft 365 apps, including sample prompts, see [Copilot Lab](https://copilot.cloud.microsoft/prompts).

-You can manage Microsoft 365 Copilot through the Microsoft 365 admin center by going to the Settings tab on the Copilot page. Manage how users in your organization interact with Microsoft 365 Copilot, Copilot for Security, and more.

-For users signed in with a Microsoft Entra account, Microsoft Copilot offers [enterprise data protection](/copilot/microsoft-365/enterprise-data-protection) (EDP) in an experience designed for work and education. Users who arenΓÇÖt signed in, or are signed in with a personal account, can use the public version of Copilot, accessed primarily through [copilot.microsoft.com](https://copilot.microsoft.com/) and [bing.com/chat](https://bing.com/chat).

-### Microsoft Copilot for Security

-This link directs you to the Copilot for Security portal to manage settings. Copilot for Security is a separate product and license from Microsoft 365 Copilot. If purchased, you can use this link to navigate to Copilot for Security settings page. To learn more, see [Copilot for Security](/copilot/security/).

->[!IMPORTANT]

-# Get started with Microsoft 365 Copilot - admin guide

-This article covers how IT admins can prepare their organization for Copilot.

-> [!TIP]

-> If you're an end user, then the [Copilot Lab](https://copilot.cloud.microsoft/prompts) is a good resource.

-## Before you begin

-This section gives an overview of the prerequisites (licensing and admin centers access), and apps that can use Copilot. There might be more requirements at [Microsoft Copilot 365 requirements](microsoft-365-copilot-requirements.md).

-### Prerequisites

- - **[Microsoft 365 admin center](https://admin.microsoft.com)**: There are different roles, depending on the task you need to complete. To learn more about roles, see [Commonly used Microsoft 365 admin center roles](/microsoft-365/admin/add-users/about-admin-roles#commonly-used-microsoft-365-admin-center-roles).

- - **[Microsoft Purview portal](https://purview.microsoft.com)**: There are different roles, depending on the task you need to complete. To learn more, see:

- You can purchase Microsoft 365 Copilot licenses through the [Microsoft 365 admin center](https://admin.microsoft.com) (**Billing** > **Purchase services**), Microsoft partners, or your Microsoft account team.

-### App requirements

- To enable Copilot in Teams to reference meeting content after the meeting end, transcription or meeting recording must be enabled. To learn more about configuring transcription and recording, see [Configure transcription and captions for Teams meetings](/microsoftteams/meeting-transcription-captions) and [Teams meeting recording](/microsoftteams/meeting-recording).

-## Step 1 - Optimize search in SharePoint

-✅ **Optimize your SharePoint content for search**

-When a user makes a request to Copilot, it processes the request and then generates a response with LLMs. LLMs leverage content from Microsoft Graph and web content (optional).

-Content in Microsoft Graph includes emails, files, meetings, chats, calendars, and contacts. A significant portion of this data is [stored in SharePoint](/sharepoint/get-ready-copilot-sharepoint-advanced-management#copilot-and-sharepoint). Copilot gathers SharePoint content in the same way SharePoint Search gathers content.

-To get the most out of Copilot and get the best results, optimize your SharePoint content for search:

-Microsoft 365 Copilot allows users to find and access their content through natural language prompting. Copilot ensures data security and privacy by following existing obligations and integrating with your organization's policies. It uses your Microsoft Graph content with the same access controls as other Microsoft 365 services.

-To learn more about privacy with Microsoft 365 Copilot, see [Data, Privacy, and Security for Microsoft 365 Copilot](microsoft-365-copilot-privacy.md).

-## Step 2 - Apply principles of Just Enough Access

-### Prevent oversharing and control access with SharePoint and OneDrive

-To get ready for your organizationΓÇÖs Microsoft 365 Copilot adoption, there are a few [highly recommended steps you can take with SharePoint and OneDrive](/sharepoint/get-ready-copilot-sharepoint-advanced-management).

-To start, you can:

-✅ **Reduce accidental oversharing with SharePoint sharing settings**

-To minimize accidental content oversharing with Copilot results, implement sharing settings at the organization and site levels:

-1. At the organization level:

- - Update [sharing settings for SharePoint and OneDrive](/sharepoint/turn-external-sharing-on-or-off) for your tenant from organization-wide sharing to specific people links.

- - Consider hiding broad-scope permissions from your end users. For example, use the SharePoint `Set-SPOTenant` PowerShell cmdlet to [hide "Everyone Except External Users" in the People Picker control](/powershell/module/sharepoint-online/set-spotenant) so end users can't use it.

- - Use [Restricted SharePoint Search (RSS)](/sharepoint/restricted-sharepoint-search) to temporarily restrict Copilot results up to 100 selected SharePoint sites. Child sites of Hub sites aren't counted toward the 100 limit.

- RSS gives you time to review & audit site permissions. It should be used only as a temporary solution to give your organization time to adopt Copilot.

-2. Reduce accidental oversharing at the site level:

- - Educate site admins on the site-level controls they can use to [restrict members from sharing](/sharepoint/change-external-sharing-site).

- - Make sure that [Site Owners receive a request to access the site](https://support.microsoft.com/office/set-up-and-manage-access-requests-94b26e0b-2822-49d4-929a-8455698654b3).

- - [Change the external sharing setting for a user's OneDrive](/sharepoint/user-external-sharing-settings). When a user saves a file to OneDrive, it's in the end user's personal storage. The user has full control over the file and can share it with others. To ensure data security, review OneDrive sharing features.

-✅ **Check permissions and site access in SharePoint admin center**

-To ensure data is secure, review SharePoint site access and permissions. Prioritize sites that contain sensitive information.

-1. In the [SharePoint admin center](https://go.microsoft.com/fwlink/?linkid=2185219), see **Active Sites** > select a site > **Edit** > **Settings**.

- **Private** means that only users in your organization with access to the site can find it. **Public** (default) means anyone in your organization can find the site and access its content.

- :::image type="content" source="media/sharepoint-active-sites-setting.png" alt-text="Screenshot showing the SharePoint admin center active sites panel." lightbox="media/sharepoint-active-sites-setting.png":::

-1. In the **Membership** tab, review access to site owners, members, and visitors. Ensure that only the necessary users have access to the site.

-✅ **Identify sites with potentially overshared content and control access**

-1. Use the following SharePoint Advanced Management (SAM) activity-based reports to quickly identify the most actively overshared sites:

- - [Usage of "Everyone Except External Users"](/sharepoint/data-access-governance-reports#content-shared-with-everyone-except-external-users-eeeu-reports)

- - [Usage of ΓÇ£People in your organization" sharing links](/sharepoint/data-access-governance-reports#sharing-links-reports)

- - [Usage of "Anyone" sharing links](/sharepoint/data-access-governance-reports#sharing-links-reports)

-2. [Initiate a Site Access Review](/sharepoint/restricted-access-control) for site owners to confirm overshared content and take remediation steps. SharePoint admins can use the [Restricted Access Control Policy](/sharepoint/restricted-access-control) to restrict access to a site with overshared content.

-For business-critical sites, there are features in SharePoint Advanced Management and Microsoft Purview you can use:

-> [!NOTE]

-> SharePoint Advanced Management has more features to help you get ready for Copilot fast and at scale. To learn more, see [Get ready for Copilot for Microsoft 365 with SharePoint Advanced Management (SAM)](/sharepoint/get-ready-copilot-sharepoint-advanced-management).

-### Sensitivity labels from Microsoft Purview

-✅ **Use sensitivity labels to protect your data**

-In the [Microsoft Purview portal](https://purview.microsoft.com), you can create [sensitivity labels](/purview/create-sensitivity-label) (**Information protection** > **Sensitivity labels**). Use these labels to identify how sensitive the data is in your organization. When they're applied to items like documents and emails, the labels add an extra layer of protection and can affect Copilot results.

-The extra later of protection includes:

-With sensitivity labels, you can:

-1. **Create labels or activate default labels**: If you don't already have sensitivity labels, you might be eligible to have some [default labels](/purview/mip-easy-trials#default-sensitivity-labels) automatically created for you, like Public, General, and Confidential. The default labels are suitable for items like files, emails, and meetings. You can modify the default labels and always create your own labels.

- To learn more, see:

- - [Create and configure sensitivity labels and their policies](/purview/create-sensitivity-labels)

- - [Default labels and policies to protect your data](/purview/mip-easy-trials)

-2. **Define the data sensitivity requirements** and review your SharePoint sites & files in OneDrive. Focus on the most critical repositories and determine the sensitivity of the data on these sites.

- If you're piloting Copilot, deploy Copilot licenses to users who have access to these critical sites. Then, iterate through the rest of your repositories and expand your user base.

- For a more detailed strategy to deploy and drive adoption, see [Step 7 - Deploy to some users and measure adoption](#step-7deploy-to-some-users-and-measure-adoption) (in this article).

-3. **Enable and apply sensitivity labels**: [Enable sensitivity labels for files in SharePoint and OneDrive](/purview/sensitivity-labels-sharepoint-onedrive-files). Then, with a publishing label policy, you can configure a default label and users can manually apply your labels. To label at scale, use [autolabeling](/purview/apply-sensitivity-label-automatically) to automatically apply labels based on sensitive information detected.

- For more information about the different ways that you can apply sensitivity labels, see [Common scenarios for sensitivity labels](/purview/get-started-with-sensitivity-labels#common-scenarios-for-sensitivity-labels).

- One of the available labeling methods is to apply sensitivity labels based on content found in documents when you use [data loss prevention (DLP) policies](/purview/dlp-learn-about-dlp). DLP policies can automatically apply sensitivity labels when specific types of information are identified in a document, like personal data that includes addresses, tax information, or passport numbers.

- With DLP policies, you can also:

- - Use the [trainable classifier tool](/purview/trainable-classifiers-get-started-with) to identify categories of content, like source code, financial documents, and HR.

- - Set up [endpoint DLP policies](/purview/endpoint-dlp-learn-about) that restrict users from specific actions, like copying content to clipboard or removable USB devices, or printing.

-Once applied, the sensitivity labels enforce your protection settings.

-To learn more about sensitivity labels, see [Learn about sensitivity labels](/purview/sensitivity-labels).

-### Copilot activity and Microsoft Purview

-✅ **Audit Copilot activity, create retention policies, and use eDiscovery and communication compliance**

-In the [Microsoft Purview portal](https://purview.microsoft.com), you can use the following features to search for specific content and activities that include Copilot prompts and responses.

- You can search for specific activities, activities performed by specific users, and activities that occurred with a date range. To learn more, see [Learn about auditing solutions in Microsoft Purview](/purview/audit-solutions-overview).

- Configure retention policies to retain the Copilot prompts and responses if this data is needed for compliance reasons, even if users delete their chat history. To learn more, see [Learn about retention for Copilot](/purview/retention-policies-copilot).

- Use eDiscovery and communication compliance policies to analyze Copilot user prompts and responses. The policies can detect inappropriate or risky interactions, or sharing of confidential information.

- To learn more, see [Microsoft Purview eDiscovery solutions](/purview/ediscovery) and [Configure a communication compliance policy to detect for Copilot interactions](/purview/communication-compliance-copilot?tabs=purview-portal).

-> [!TIP]

-> To learn more about these Microsoft Purview security and compliance protections for Copilot, and how Microsoft Purview AI Hub can help you more quickly deploy them, see [Microsoft Purview data security and compliance protections for generative AI apps](/purview/ai-microsoft-purview).

-## Step 3 - Review app privacy

-## Step 4 - Update channels

-## Step 5 - Provision Microsoft 365 Copilot licenses

-## Step 6 - Configure settings for Copilot

-To learn more, see [Manage Microsoft 365 Copilot with the Copilot page](microsoft-365-copilot-page.md).

-## Step 7 - Deploy to some users and measure adoption

- To learn more about driving adoption, visit the [Microsoft 365 Copilot adoption hub](https://adoption.microsoft.com/Copilot/).

-To measure the impact of Copilot on your organization, use the [Copilot Dashboard from Viva Insights](/viva/insights/org-team-insights/copilot-dashboard). Viva Insights gives organizational leaders and IT decision makers insights into readiness, adoption, impact, and user sentiment.

-3. Enter the email address of the user who reported the issue. Then, choose the number of rounds of conversations that youΓÇÖd like to share with Microsoft, and then select **Review**.

-4. After a short wait, youΓÇÖll receive a JSON file containing the user's conversations with Copilot for the past X interactions (utterance/response pairs) that you select, along with their feedback logs. The file is redacted to protect Microsoft IP, if any. You can use any JSON viewer tool to inspect the data and include additional comments for the feedback. The file will be available for download once it's generated.

-5. Decide whether or not to move forward with the feedback submission to Microsoft. If you choose to share the data, select **Submit**. If you donΓÇÖt want to share the data, select **Cancel**.

-6. If you select, **Submit**, the log files will be sent to Microsoft along with your consent and youΓÇÖll see a confirmation message. If you select **Cancel**, no data will be sent to Microsoft, and youΓÇÖll see cancellation message. Microsoft doesnΓÇÖt collect anything before you select **Submit**.

-In the Microsoft 365 Copilot usage report, which is in continuous enhancement, you can view a summary of how usersΓÇÖ adoption, retention, and engagement are with Microsoft 365 Copilot, and the activity of every Copilot user in your organization. For Copilot activity on a given day, the report becomes available within 72 hours of the end of that day (in UTC).

-You can view a table list to show each Microsoft 365 Copilot enabled userΓÇÖs last activity date among Microsoft 365 Copilot products.

-The audit log data that powers Microsoft Purview solutions, such as AI hub, are built for data security and compliance purposes, and provide comprehensive visibility into Copilot interactions for these use cases (for example, to discover data oversharing risks or to collect interactions for regulatory compliance or legal purposes). They are not, however, intended to be used as the basis for Copilot usage reporting. Any aggregated metrics that customers build on top of this data, such as "prompt count" or "active user count," may not be consistent with the corresponding data points in the official Copilot usage reports provided by Microsoft. Microsoft cannot provide guidance on how to use audit log data as the basis for usage reporting, nor can Microsoft guarantee that aggregated usage metrics built on top of audit log data will match similar usage metrics reported in other tools.

-### WhatΓÇÖs the scope of the user-level table?

-2. In the URL window enter "https://<i></i>reports.office.com/pbi/v1.0/\<tenantid\>"

-|Operating systems (servers)|Windows Server or Linux Server <br/> (Requires an additional license, such as [Microsoft Defender for Business servers](../security/defender-business/get-defender-business.md#how-to-get-microsoft-defender-for-business-servers).)|

-9. On the **Configuration settings** page, review and edit settings as needed, and then choose **Next**. For more information about these settings, see [Understand next-generation configuration settings in Microsoft Defender for Business](../security/defender-business/mdb-next-gen-configuration-settings.md).

-Microsoft Defender for Business is included with Microsoft 365 Business Premium, as of March 1, 2022. This offering provides additional security features for devices. [Learn more about Defender for Business](../security/defender-business/mdb-overview.md).

-[Resources for Microsoft partners working with small and medium-sized businesses](../security/defender-business/mdb-partners.md)

-After you have set up and configured [Microsoft 365 Business Premium](m365bp-overview.md) or the standalone version of [Microsoft Defender for Business](../security/defender-business/mdb-overview.md), your next step is to prepare a plan for maintenance and operations. It's important to keep your systems, devices, user accounts, and security policies up to date to help protect against cyberattacks. You can use this article as a guide to prepare your plan.

-|**Manage false positives/negatives**|A false positive is an entity, such as a file or a process that was detected and identified as malicious even though the entity isn't actually a threat. A false negative is an entity that wasn't detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including Microsoft Defender for Office 365 and Microsoft Defender for Business, which are both included in Microsoft 365 Business Premium. Fortunately, steps can be taken to address and reduce these kinds of issues. <br/><br/>For false positives/negatives on devices, see [Address false positives/negatives in Microsoft Defender for Endpoint](../security/defender-endpoint/defender-endpoint-false-positives-negatives.md).<br/><br/>For false positives/negatives in email, see the following articles: <br/>- [How to handle malicious emails that are delivered to recipients (False Negatives), using Microsoft Defender for Office 365](/defender-office-365/step-by-step-guides/how-to-handle-false-negatives-in-microsoft-defender-for-office-365)<br/>- [How to handle Legitimate emails getting blocked (False Positive), using Microsoft Defender for Office 365](/defender-office-365/step-by-step-guides/how-to-handle-false-positives-in-microsoft-defender-for-office-365)|

-|**Strengthen your security posture**|Defender for Business includes a vulnerability management dashboard that provides you with exposure score and enables you to view information about exposed devices and see relevant security recommendations. You can use your Defender Vulnerability Management dashboard to reduce exposure and improve your organization's security posture. <br/><br/>See the following articles:<br/>- [Use your vulnerability management dashboard in Microsoft Defender for Business](../security/defender-business/mdb-view-tvm-dashboard.md)<br/>- [Dashboard insights](../security/defender-vulnerability-management/tvm-dashboard-insights.md)|

-|**Adjust security policies**|[Reports](../security/defender-business/mdb-reports.md) are available so that you can view information about detected threats, device status, and more. Sometimes it's necessary to adjust your security policies. For example, you might apply strict protection to some user accounts or devices, and standard protection to others. <br/><br/>See the following articles: <br/>- For device protection: [View or edit policies in Microsoft Defender for Business](../security/defender-business/mdb-view-edit-create-policies.md) <br/>- For email protection: [Recommended settings for EOP and Microsoft Defender for Office 365 security](../security/office-365-security/recommended-settings-for-eop-and-office365.md)|

-|**Protect priority user accounts**|Not all user accounts have access to the same company information. Some accounts have access to sensitive information, such as financial data, product development information, partner access to critical build systems, and more. If compromised, accounts that have access to highly confidential information pose a serious threat. We call these types of accounts priority accounts. Priority accounts include (but aren't limited to) CEOs, CISOs, CFOs, infrastructure admin accounts, build system accounts, and more.<br/><br/>See the following articles: <br/>- [Protect your administrator accounts](m365bp-protect-admin-accounts.md) <br/>- [Security recommendations for priority accounts in Microsoft 365](../security/office-365-security/priority-accounts-security-recommendations.md)|

-|**Protect high-risk devices**|The overall risk assessment of a device is based on a combination of factors, such as the types and severity of active alerts on the device. As your security team resolves active alerts, approves remediation activities, and suppresses subsequent alerts, the risk level decreases. <br/><br/>See [Manage devices in Microsoft Defender for Business](../security/defender-business/mdb-manage-devices.md).|

-|**Onboard or offboard devices**|As devices are replaced or retired, new devices are purchased, or your business needs change, you can onboard or offboard devices from Defender for Business. <br/><br/>See the following articles: <br/>- [Onboard devices to Microsoft Defender for Business](../security/defender-business/mdb-onboard-devices.md) <br/>- [Offboard a device from Microsoft Defender for Business](../security/defender-business/mdb-offboard-devices.md)|

-|**Manage false positives/negatives**|A false positive is an entity, such as a file or a process that was detected and identified as malicious even though the entity isn't actually a threat. A false negative is an entity that wasn't detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including Microsoft Defender for Office 365 and Microsoft Defender for Business, which are both included in Microsoft 365 Business Premium. Fortunately, steps can be taken to address and reduce these kinds of issues. <br/><br/>For false positives/negatives on devices, see [Address false positives/negatives in Microsoft Defender for Endpoint](../security/defender-endpoint/defender-endpoint-false-positives-negatives.md).<br/><br/>For false positives/negatives in email, see the following articles: <br/>- [How to handle malicious emails that are delivered to recipients (False Negatives), using Microsoft Defender for Office 365](/defender-office-365/step-by-step-guides/how-to-handle-false-negatives-in-microsoft-defender-for-office-365)<br/>- [How to handle Legitimate emails getting blocked (False Positive), using Microsoft Defender for Office 365](/defender-office-365/step-by-step-guides/how-to-handle-false-positives-in-microsoft-defender-for-office-365)|

-|**Strengthen your security posture**|Defender for Business includes a vulnerability management dashboard that provides you with exposure score and enables you to view information about exposed devices and see relevant security recommendations. You can use your Defender Vulnerability Management dashboard to reduce exposure and improve your organization's security posture. <br/><br/>See the following articles:<br/>- [Use your vulnerability management dashboard in Microsoft Defender for Business](../security/defender-business/mdb-view-tvm-dashboard.md)<br/>- [Dashboard insights](../security/defender-vulnerability-management/tvm-dashboard-insights.md)|

-|**Adjust security policies**|[Reports](../security/defender-business/mdb-reports.md) are available so that you can view information about detected threats, device status, and more. Sometimes it's necessary to adjust your security policies. For example, you might apply strict protection to some user accounts or devices, and standard protection to others. <br/><br/>See the following articles: <br/>- For device protection: [View or edit policies in Microsoft Defender for Business](../security/defender-business/mdb-view-edit-create-policies.md) <br/>- For email protection: [Recommended settings for EOP and Microsoft Defender for Office 365 security](../security/office-365-security/recommended-settings-for-eop-and-office365.md)|

-|**Analyze admin submissions**|Sometimes it's necessary to submit entities, such as email messages, URLs, or attachments to Microsoft for further analysis. Reporting items can help reduce the occurrence of false positives/negatives and improve threat detection accuracy. <br/><br/>See the following articles: <br/>- [Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](../security/office-365-security/submissions-admin.md)<br/>- [Admin review for user reported messages](../security/office-365-security/submissions-admin-review-user-reported-messages.md)|

-|**Protect priority user accounts**|Not all user accounts have access to the same company information. Some accounts have access to sensitive information, such as financial data, product development information, partner access to critical build systems, and more. If compromised, accounts that have access to highly confidential information pose a serious threat. We call these types of accounts priority accounts. Priority accounts include (but aren't limited to) CEOs, CISOs, CFOs, infrastructure admin accounts, build system accounts, and more.<br/><br/>See the following articles: <br/>- [Protect your administrator accounts](m365bp-protect-admin-accounts.md) <br/>- [Security recommendations for priority accounts in Microsoft 365](../security/office-365-security/priority-accounts-security-recommendations.md)|

-|**Protect high-risk devices**|The overall risk assessment of a device is based on a combination of factors, such as the types and severity of active alerts on the device. As your security team resolves active alerts, approves remediation activities, and suppresses subsequent alerts, the risk level decreases. <br/><br/>See [Manage devices in Microsoft Defender for Business](../security/defender-business/mdb-manage-devices.md).|

-|**Onboard or offboard devices**|As devices are replaced or retired, new devices are purchased, or your business needs change, you can onboard or offboard devices from Defender for Business. <br/><br/>See the following articles: <br/>- [Onboard devices to Microsoft Defender for Business](../security/defender-business/mdb-onboard-devices.md) <br/>- [Offboard a device from Microsoft Defender for Business](../security/defender-business/mdb-offboard-devices.md)|

-|View current status of and manage devices|[Manage devices in Microsoft Defender for Business](../security/defender-business/mdb-manage-devices.md)|

-|Onboard devices to Defender for Business|[Onboard devices to Defender for Business](../security/defender-business/mdb-onboard-devices.md)|

-|Offboard devices from Defender for Business|[Offboard a device from Defender for Business](../security/defender-business/mdb-offboard-devices.md)|

-This article lists new features in the latest release of [Microsoft 365 Business Premium](m365bp-overview.md) and [Microsoft Defender for Business](../security/defender-business/mdb-overview.md). Features that are currently in preview are denoted with **(preview)**.

- - [How to get Microsoft Defender for Business servers](../security/defender-business/get-defender-business-servers.md)

- - [What is Microsoft Defender for Business?](../security/defender-business/mdb-overview.md)

- - [Get Microsoft Defender for Business](../security/defender-business/get-defender-business.md)

-Microsoft 365 Business Premium includes [Microsoft Defender for Business](../security/defender-business/mdb-overview.md), an endpoint security solution for small and medium-sized businesses. Defender for Business provides next-generation protection (antivirus, antimalware, and cloud-delivered protection), firewall protection, web content filtering, and more for your company's devices. Protection is applied when you onboard devices and apply security policies to those devices.

-> If something goes wrong and your onboarding process fails, see [Microsoft Defender for Business troubleshooting](../security/defender-business/mdb-troubleshooting.yml).

-To learn more about automatic onboarding, see [Use the wizard to set up Microsoft Defender for Business](../security/defender-business/mdb-use-wizard.md).

-See [Onboard devices to Microsoft Defender for Business](../security/defender-business/mdb-onboard-devices.md) for detailed instructions.

-You can now onboard Android and iOS devices using the Microsoft Defender app. With [mobile threat defense capabilities in Defender for Business](../security/defender-business/mdb-mtd.md), users download the Microsoft Defender app from Google Play or the Apple App Store, sign in, and complete onboarding steps.

-For detailed instructions, see the **Mobile devices** tab in [Onboard devices to Microsoft Defender for Business](../security/defender-business/mdb-onboard-devices.md).

-To learn more about mobile threat defense, see [Mobile threat defense capabilities in Microsoft Defender for Business](../security/defender-business/mdb-mtd.md).

-To onboard servers, an additional license, such as Microsoft Defender for Business servers, is required. See [How to get Microsoft Defender for Business servers](../security/defender-business/get-defender-business-servers.md).

- - Windows devices: [Offboard Windows devices using a local script](../security/defender-endpoint/configure-endpoints-script.md#offboard-devices-using-a-local-script)

- - Mac: [Uninstalling on Mac](../security/defender-endpoint/mac-resources.md#uninstalling)

-Your subscription includes [preset security policies](../security/office-365-security/preset-security-policies.md) that use recommended settings for anti-spam, anti-malware, and anti-phishing protection. By default, built-in protection is enabled; however, consider applying standard or strict protection for increased security.

-To learn more about preset security policies, see [Preset security policies in EOP and Microsoft Defender for Office 365](../security/office-365-security/preset-security-policies.md).

-> - [Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users](../security/office-365-security/preset-security-policies.md#use-the-microsoft-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)

-> - [Recommended settings for email and collaboration content](../security/office-365-security/recommended-settings-for-eop-and-office365.md) (Microsoft 365 Business Premium includes Exchange Online Protection and Microsoft Defender for Office 365 Plan 1)

-Microsoft 365 Business Premium includes [Defender for Business](../security/defender-business/mdb-overview.md), which provides advanced protection for your organization's devices, including client computers, tablets, and mobile phones. Server protection is also available if you have Microsoft Defender for Business servers.

- - [Set up and configure Microsoft Defender for Business](../security/defender-business/mdb-setup-configuration.md) now, and then return to this article to complete the remaining steps.

-For more information about using preset security policies or custom policies, see [Determine your protection policy strategy](../security/office-365-security/mdo-deployment-guide.md#determine-your-protection-policy-strategy).

-For our recommended policy settings, see the tables in [Recommended settings for EOP and Microsoft Defender for Office 365 security](../security/office-365-security/recommended-settings-for-eop-and-office365.md).

-Microsoft 365 Business Premium includes [Microsoft Defender for Business](../security/defender-business/mdb-overview.md) to help protect your organization's devices from ransomware, malware, phishing, and other threats.

-|[Automated attack disruption](../security/defender-business/mdb-attack-disruption.md) (NEW!)|<ul><li>Contain a device</li><li>Contain a user account on a device</li></ul>|

-|[Automated investigations](../security/defender-endpoint/automated-investigations.md)|<ul><li>Quarantine a file/li><li>Remove a registry key/li><li>Kill a process/li><li>Stop a service/li><li>Disable a driver/li><li>Remove a scheduled task</li></ul>|

-|[Manual response actions](../security/defender-endpoint/respond-machine-alerts.md)|<ul><li>Run antivirus scan/li><li>Isolate device/li><li>Add an indicator to block or allow a file</li></ul>|

-|[Live response](../security/defender-endpoint/live-response.md)|<ul><li>Collect forensic data/li><li>Analyze a file/li><li>Run a script/li><li>Send a suspicious entity to Microsoft for analysis/li><li>Remediate a file/li><li>Proactively hunt for threats</li></ul>|

-[Overview of Microsoft Defender for Business](../security/defender-business/mdb-overview.md) (Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022)

-> If you're a Microsoft partner, see [Resources for Microsoft partners working with small and medium-sized businesses](../security/defender-business/mdb-partners.md) and download our security guide and checklist!

-1. [Set up your trial](../business-premium/m365-business-premium-setup.md)!

-3. Use your [preset security policies](../security/office-365-security/preset-security-policies.md). These policies represent a baseline protection profile that's suitable for most users. Standard protection includes:

- - [Safe Links](../security/office-365-security/safe-links-about.md), [Safe Attachments](../security/office-365-security/safe-attachments-about.md) and [Anti-Phishing](../security/office-365-security/anti-phishing-protection-about.md) policies that are scoped to the entire tenant or the subset of users you choose during the trial setup process. (Your trial subscription is for up to 25 users.)

-Microsoft 365 Business Premium includes Defender for Business, a new security solution to protect devices. See [Onboard devices to Microsoft Defender for Business](../security/defender-business/mdb-onboard-devices.md).

-2. Go to **Assets** > **Devices**. If Defender for Business isn't already set up, you're prompted to run the [setup wizard](../security/defender-business/mdb-use-wizard.md).

-3. [Onboard devices](../security/defender-business/mdb-onboard-devices.md).

-4. [Review your security policies](../security/defender-business/mdb-configure-security-settings.md).

-2. Take some time to [familiarize yourself with the portal](../security/defender-business/mdb-get-started.md).

-3. Now, [assess your security posture](../security/defender/microsoft-secure-score.md), and see how you can improve your score.

-4. Learn how to [respond to a security incident](../security/defender-business/mdb-respond-mitigate-threats.md).

-5. Lastly, [review remediation actions](../security/defender-business/mdb-review-remediation-actions.md).

- - [Understand next-generation configuration settings](../security/defender-business/mdb-next-generation-protection.md)

- - [Firewall settings](../security/defender-business/mdb-firewall.md)

- 2. Review the policy order, and edit it if necessary. (For more information, see [Policy order](../security/defender-business/mdb-policy-order.md).)

- To learn more about device groups, see [Device groups in Microsoft Defender for Business](../security/defender-business/mdb-create-edit-device-groups.md).

-6. On the **Configuration settings** tab, specify the settings for your policy, and then choose **Next**. For more information about the individual settings, see [Understand next-generation configuration settings in Microsoft Defender for Business](../security/defender-business/mdb-next-generation-protection.md).

-> If you're a Microsoft partner, see [Resources for Microsoft partners working with small and medium-sized businesses](../security/defender-business/mdb-partners.md).

-|- [Anti-spam, anti-malware, and anti-phishing protection](../security/office-365-security/eop-about.md) for email|:::image type="content" source="media/green-check-mark.png" alt-text="Included":::|:::image type="content" source="media/green-check-mark.png" alt-text="Included":::|:::image type="content" source="media/green-check-mark.png" alt-text="Included":::|

-|- [Advanced anti-phishing, spoof settings, impersonation settings, Safe Links, and Safe Attachments](../security/office-365-security/mdo-about.md#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet) for email and Office documents|:::image type="content" source="media/green-check-mark.png" alt-text="Included":::|||

-|- [Anti-spam, anti-malware, and anti-phishing protection](../security/office-365-security/eop-about.md) for email|:::image type="content" source="media/green-check-mark.png" alt-text="Included":::|:::image type="content" source="media/green-check-mark.png" alt-text="Included":::|:::image type="content" source="media/green-check-mark.png" alt-text="Included":::|

-|- [Advanced threat protection](../security/office-365-security/mdo-about.md#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet) for email and Office documents|:::image type="content" source="media/green-check-mark.png" alt-text="Included":::|||

-https:// \<tenant\>/\_api/search/query?querytext='sharepoint'&Properties='EnableMultiGeoSearch:true'&ClientType='my\_client\_id'

-https:// \<tenant\>/\_api/search/query?querytext='site'&ClientType='my_client_id'&Properties='EnableMultiGeoSearch:true, MultiGeoSearchConfiguration:[{DataLocation\\:"NAM"\\,Endpoint\\:"https\\://contosoNAM.sharepoint.com"\\,SourceId\\:"B81EAB55-3140-4312-B0F4-9459D1B4FFEE"}\\,{DataLocation\\:"CAN"\\,Endpoint\\:"https\\://contosoCAN.sharepoint-df.com"}]'

-4. Check the certificate. With a browser, connect to the IP address using *HTTPS://\<IP_ADDRESS\>* and check the domains listed on the certificate to understand what domains are associated with the IP address. If it's a Microsoft-owned IP address and not on the list of Microsoft 365 IP addresses, it's likely the IP address is associated with a Microsoft CDN such as *MSOCDN.NET* or another Microsoft domain without published IP information. If you do find the domain on the certificate is one where we claim to list the IP address, please let us know.

-> | `https://\<tenant\>.sharepoint.com` | TCP 443 | This is the primary URL for SharePoint Online and has high-bandwidth usage. |

-> | `https://\<tenant\>-my.sharepoint.com` | TCP 443 | This is the primary URL for OneDrive for Business and has high bandwidth usage and possibly high connection count from the OneDrive for Business Sync tool. |

-> See [WfiRequest](#wfirequest) in the **Endpoint reference** section of this article for more information on Request and Response models.

- "id": " SHFT_5e2b51ac-dc47-4a66-83ea-1bbbf81ac029",

- "id": " SHFT_5e2b51ac-dc47-4a66-83ea-1bbbf81ac029",

- "id": " SHFT_5e2b51ac-dc47-4a66-83ea-1bbbf81ac029",

-|method |String|Use `POST` to create an entity, `PUT` to update an entity, `DELETE` to delete an entity. |

-#### For POST /teams/{teamsId}/read

-|method |Is always `GET`.|

-|method|String|The method being invoked on this item. For example, POST, PUT.|

-#### WfiResponse

-|**Word for the web**|<ul><li> Can open and edit macro-enabled documents (.docm) and templates (.dotm) but macros don't run.</li><li>Can open but not edit Information Rights Management (IRM)-protected documents.</li></ul>|<ul><li>[Word for the web service description](/office365/servicedescriptions/office-online-service-description/word-online)</li><li>[Word Features Comparison: Web vs Desktop](https://support.microsoft.com//office/differences-between-using-a-document-in-the-browser-and-in-word-3e863ce3-e82c-4211-8f97-5b33c36c55f8)</li></ul>|

-Copilot insights help you easily manage and monitor Microsoft 365 Copilot success across your customer tenants&mdash;from a single **Copilot insights** page in Lighthouse. In addition to recommending customers who are likely to benefit from Copilot, the page shows Copilot usage and license assignments, Copilot adoption insights, and links to key resources to help you become a Copilot expert, including Copilot Lab, learning paths, training videos, the latest Copilot product updates, and more. The page also provides links to resources that you can share with your customers to help them succeed with Copilot.

-| Administrator | Administrators have full administrative permissions in Lighthouse. <br><br>Administrators can manage RBAC and GDAP permissions and can create baselines, tags, and alerts.<br><br>Administrators are automatically assigned the Privileged Role Administrator, User Administrator, and Group Administrator roles in Microsoft Entra ID and the Admin Agent role in Partner Center. |

-| Area | Actions | Account&nbsp;Manager | Administrator | Operator | Reader | Need Microsoft Entra&nbsp;role? |

-|||::|::|::|::|::|

-| **Home page** | View data on cards | | | | | Yes |

-| | Add users | | | | | Yes |

-| | Reset password | | | | | Yes |

-| | Offboard users | | | | | Yes |

-| **Alerts** | View alerts and alert rules | &check; | &check; | | &check; | No |

-| | Manage alerts (change severity, status, or assignment) | | &check; | | | No |

-| | Create, edit, and delete alert rules | | &check; | | | No |

-| **Copilot insights** | View opportunities and adoption data | | | | | Yes|

-| **Tenants** | View the **Tenants** page | &check; | &check; | &check; | &check; | No |

-| | View tenant details | | | | | Yes |

-| | Export data | &check; | &check; | &check; | &check; | No |

-| | View tags | &check; | &check; | &check; | &check; | No |

-| | Create, update, and delete tags in Lighthouse | | &check; | | | No |

-| | Assign and remove tags from tenants | | &check; | | | No |

-| | Activate and inactivate a tenant | | &check; | | | No |

-| | View delegated access status | &check; | &check; | &check; | &check; | No |

-| | View Microsoft Secure Score | | | | | Yes |

-| | View baseline assignments | &check; | &check; | &check; | &check; | No |

-| | View deployment status | | | &check; | | Yes |

-| | View apps and services usage | | | &check; | | Yes |

-| | View and edit customer contact and website info | &check; | &check; | &check; | &check; | No |

-| **Users** | Search for users | | | | | Yes |

-| | View user metrics | | | | | Yes |

-| | Onboard new users | | | | | Yes |

-| | Offboard users | | | | | Yes |

-| | View inactive users | | | | | Yes |

-| | View shared mailboxes | | | | | Yes |

-| | View and manage risky users | | | | | Yes |

-| | View and manage multifactor authentication | | | | | Yes |

-| | View and manage self-service password reset | | | | | Yes |

-| **Devices** | View device security data | | | | | Yes |

-| | View vulnerability management data | | | | | Yes |

-| | View device compliance data | | | | | Yes |

-| | View threat management data | | | | | Yes |

-| | View device health data | | | | | Yes |

-| | View Windows 365 data | | | | | Yes |

-| | View Windows event logs | | | | | Yes |

-| **Apps** | View app performance and app management data | | | | | Yes |

-| **Quarantined messages** | View and manage quarantined messages | | | | | Yes |

-| **Baselines** | View baselines (default, custom) and task details | | &check; | &check; | &check; | No|

-| | Create, clone, edit, and assign baselines | | &check; | | | No |

-| | View deployment insights | | | | | Yes |

-| **Service&nbsp;health** | Monitor service health¹ | | | | | No |

-| **Support** | Create and manage service requests² | | | | | No |

-| **Audit logs** | View audit logs | | &check; | | | Yes

-| **Permissions** | View the **Lighthouse Permissions** page | | &check; | | | No|

-| | Set up and manage Lighthouse permissions | | &check; | | | No |

-| | View, set up, and manage GDAP on the **Delegated access** page | | &check; | | | No |

-| **Sales Advisor** | View opportunities | &check; | &check; | | | No |

-| | View subscription renewals | &check; | &check; | | | No |

-| | View license requests | &check; | &check; | | | No |

-The new **Copilot insights** page lets you easily manage and monitor Copilot success across your customer tenants&mdash;all in one place. In addition to recommending customers who are likely to find value from Copilot, the page shows Copilot usage and license assignment and provides links to key resources for you to become a Copilot expert, including Copilot Lab, learning paths, and training videos. The page also shows deployment progress for tasks that we specifically recommend for enabling Copilot.

-The Harvard Kennedy School [Cybersecurity Campaign Handbook](https://go.microsoft.com/fwlink/?linkid=2015598&amp;clcid=0x409) provides excellent guidance on establishing a strong culture of security awareness within your organization, including training users to identify phishing attacks.

-The most efficient way to add users is in bulk in the Intune admin center. Adding users to your Intune tenant involves creating and uploading a *.csv* file containing the full list of members for your organization. For more information about downloading the *.csv* file, understanding the fields within the *.csv* file, and uploading the *.csv* file, see [Add multiple Intune users in the Microsoft Intune admin center](/intune/fundamentals/users-add#add-multiple-intune-users-in-the-microsoft-intune-admin-center).

-> For configuration scenarios that require device enrollment on Android, the devices must be enrolled in Android Enterprise, and Outlook for Android must be deployed via the managed Google Play store. For more information, see [Set up enrollment of Android work profile devices](/intune/android-work-profile-enroll) and [Add app configuration policies for managed Android devices](/intune/app-configuration-policies-use-android).

-## Related topics

-[Governance & Security Practices for Microsoft 365 - Microsoft Ignite](https://ignite.microsoft.com/sessions/bd7aa4f7-f9a6-4dc0-a900-bd06254e1281)

-In North America, the North America Electric Reliability Corporation (NERC) enforces reliability standards that are referred to as NERC [Critical Infrastructure Protection (CIP) standards](https://nercstg.nerc.com/pa/Stand/Pages/CIPStandards.aspx). NERC is subject to oversight by the U.S. Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. All bulk power system owners, operators, and users must register with NERC and must comply with NERC CIP standards. Cloud Service Providers and third-party vendors such as Microsoft aren't subject to NERC CIP standards. However, the CIP standards include objectives that should be considered when Registered Entities use vendors in the operation of the Bulk Electric System (BES). Microsoft customers operating Bulk Electric Systems are wholly responsible for ensuring their own compliance with NERC CIP standards.

-Many cyber security-related controls are included in the [FedRAMP Moderate Control Set](https://www.fedramp.gov/documents/) and [NERC CIP standards](https://nercstg.nerc.com/pa/Stand/Pages/CIPStandards.aspx). However, key controls related to the Microsoft 365 platform include security management controls (CIP-003-6), account and access management/access revocation (CIP-004-6), electronic security perimeter (CIP-005-5), security event monitoring, and incident response (CIP-008-5). The following foundational Microsoft 365 capabilities help to address the risks and requirements included in these articles.

-## Create a model

-From the **Models** library, select **Create a model**.

-On the **Options for model creation** page, there are two sections:

-

-

-> [!NOTE]

-> All model options might not be available. These options are configured by your Microsoft 365 admin.

-## Train a custom model

-The **Train a custom model** section shows the training method for the type of custom models you want to create.

-

-Select one of the following tabs to continue with the custom model you want to use.

-# [Teaching method](#tab/teaching-method)

-Use the **Teaching method** to create an [unstructured document processing model](document-understanding-overview.md).

-1. Select **Teaching method**.

-2. On the **Teaching method: Details** page, you'll find more information about the model. If you want to proceed with creating the model, select **Next**.

-3. On the right panel of the **Create a model with the teaching method** page, enter the following information.

-

- - In the **Compliance** section, under **Retention labels**, select the retention label you want to add. Under **Sensitivity labels**, select the sensitivity label you want to add. If a compliance label has been already applied to the library where the file is stored, it will be shown.

-# [Freeform selection method](#tab/freeform-selection-method)

-Use the **Freeform selection method** to create a [freeform document processing model](form-processing-overview.md).

-1. Select **Freeform selection method**.

-2. On the **Freeform selection method: Details** page, you'll find more information about the model. If you want to proceed with creating the model, select **Next**.

-3. On the right panel of the **Create a model with the freeform selection method** page, enter the following information.

-

- - In the **Compliance** section, under **Retention labels**, select the retention label you want to add. If a compliance label has been already applied to the library where the file is stored, it will be shown.

- > [!NOTE]

- > Sensitivity labels are not available for **Freeform selection method** (freeform document processing models) at this time.

-# [Layout method](#tab/layout-method)

-Use the **Layout method** to create a [structured document processing model](form-processing-overview.md).

-1. Select **Layout method**.

-2. On the **Layout method: Details** page, you'll find more information about the model. If you want to proceed with creating the model, select **Next**.

-3. On the right panel of the **Create a model with the layout method** page, enter the following information.

- 

-

- - In the **Compliance** section, under **Retention labels**, select the retention label you want to add. If a compliance label has been already applied to the library where the file is stored, it will be shown.

- > [!NOTE]

- > Sensitivity labels are not available for **Layout method** (structured document processing models) at this time.

-## Set up a prebuilt model

-The **Set up a prebuilt model** section shows the types of prebuilt models you can use.

-Select one of the following tabs to continue with the prebuilt model you want to use.

-1. Select **Contract processing**.

- - In the **Compliance** section, under **Retention labels**, select the retention label you want to add. If a retention label has been already applied to the library where the file is stored, it will be selected.

- > [!NOTE]

- > Sensitivity labels are not available for prebuilt models at this time.

-1. Select **Invoice processing**.

- - In the **Compliance** section, under **Retention labels**, select the retention label you want to add. If a retention label has been already applied to the library where the file is stored, it will be selected.

- > [!NOTE]

- > Sensitivity labels are not available for prebuilt models at this time.

-1. Select **Receipt processing**.

- - In the **Compliance** section, under **Retention labels**, select the retention label you want to add. If a retention label has been already applied to the library where the file is stored, it will be selected.

-1. Select **Sensitive information processing**.

-| Associated with this training method in the UI |  |  |  |

-Use the unstructured document processing model ([teaching method](create-syntex-model.md#train-a-custom-model)) to automatically classify files and extract information. It works best for unstructured documents, such as letters or contracts.

-### Manage sites

-By default, SharePoint eSignature is turned on for libraries in all SharePoint sites. Follow these steps to limit which sites users can use eSignature.

-2. On the **eSignature** panel, under **Sites where eSignature can be used**, select **Select sites**.

- 1. Choose the site or sites on which this service should be enabled.

- 1. To restrict user access to this service, select **No sites** or **Selected sites (up to 100)**. Follow the instructions to either select the sites or upload a CSV listing a maximum of 100 sites. Be sure to add your content center site if you want it to be included. You can then manage site access permissions for the sites you selected.

- 1. Select **Save**.

-> The first eSignature request in a Microsoft 365 tenant might take a little longer to execute than usual. It can take a few seconds to a few minutes; however, subsequent requests are executed normally. We recommend that admins create the first eSignature request in a SharePoint site as the final setup step.

-### Turn off eSignature

-1. On the Syntex page, in the **Document & image services** section, select **eSignature**.

-2. If SharePoint eSignature is turned on, on the **eSignature** panel, the **Turn off** button is visible. To turn off SharePoint eSignature, select **Turn off**.

-### Add other signature providers

-2. On the **eSignature** panel, under **Other signature providers**, select **Add or remove signature providers**.

-3. On the **Add or remove other signature providers** panel, select the provider you want to add.

- 

-4. Select **Save**.

-> [!NOTE]

-> Although [pay-as-you-go billing](syntex-azure-billing.md) must be set up to use eSignature, you are not charged for using other signature providers.

-Microsoft Entra B2B provides authentication and management of new guests. External signers or recipients are considered as guests within your tenant. To be able to send requests to new signers outside your organization, you need to enable [Microsoft Entra B2B integration for SharePoint and OneDrive](/sharepoint/sharepoint-azureb2b-integration). Consider whether this meets your compliance and security requirements when enabling eSignature.

-A guest user would no longer be able to access the request document or the final signed document if they are deleted from the tenant while the request is still ongoing and you would need to resend the eSignature request if this happens. If you need to delete a guest user, make sure they aren't a party to any ongoing request. This setting does not impact existing in your existing Azure Active Directory guest users.

-When a signature request is created for a document in SharePoint, the SharePoint eSignature service creates a working copy of the document. It's this working copy that is sent out to all recipients for signing, and it's how the sender can track the status of their requests. The working copy of the request is stored in a hidden document library in SharePoint. The signature will be added to the working copy of the request document only after all parties have signed. If any party has not signed, the document will appear as unsigned, even if one party has already added their signature.

-The working copy of the request is stored and retained for five years or in accordance with the document retention policy set up by the SharePoint or tenant admin. Learn more about [retention policies](/purview/retention-policies-sharepoint).

-Use the structured document processing model ([layout method](create-syntex-model.md#train-a-custom-model)) to automatically identify field and table values. It works best for structured or semi-structured documents, such as forms and invoices.

-Use the freeform document processing model ([freeform selection method](create-syntex-model.md#train-a-custom-model)) to automatically extract information from unstructured and freeform documents, such as letters and contracts.

-Content understanding in Microsoft Syntex starts with document processing models. Document processing models let you identify and classify documents that are uploaded to SharePoint document libraries, and then to extract the information you need from each file.

-Syntex uses [custom models](#custom-models) and [prebuilt models](#prebuilt-models).

-

-When you create a custom model, you'll select the training method associated with the model type. For example, if you want to create an unstructured document processing model, on the **Options for model creation** page where you create a model, you'll choose the **Teaching method** option. The following table shows the training method associated with each custom model type.

-When you create an unstructured document processing model, use the **Teaching method** option.

-When you create a freeform document processing model, use the **Freeform selection method** option.

-When you create a structured document processing model, use the **Layout method** option.

-

-Follow the instructions in [Create a model in Syntex](create-syntex-model.md#set-up-a-prebuilt-model) to create a contracts prebuilt model. Then continue with the following steps to complete your model.

-Follow the instructions in [Create a model in Syntex](create-syntex-model.md#set-up-a-prebuilt-model) to create an invoices prebuilt model. Then continue with the following steps to complete your model.

-Follow the instructions in [Create a model in Syntex](create-syntex-model.md#set-up-a-prebuilt-model) to create a receipts prebuilt model. Then continue with the following steps to complete your model.

-Follow the instructions in [Create a model in Syntex](create-syntex-model.md) to create a simple document processing model. Then continue with the following steps to complete your model.

-Currently, there are four prebuilt models available: [contracts](prebuilt-model-contract.md), [invoices](prebuilt-model-invoice.md), [receipts](prebuilt-model-receipt.md), and [sensitive information](prebuilt-model-sensitive-info.md).

-For information about requirements to consider when choosing this model, see [Requirements and limitations for models in Microsoft Syntex](requirements-and-limitations.md).

-

-> SharePoint Agreements is now generally available for early access customers. Contact your Microsoft representative or submit your nomination for the limited GA here: [Sign up for limited GA](https://aka.ms/AgreementsSelectiveGA). For a list of articles to help you set up and use this feature, see [Help documentation](#help-documentation).

-|[Licensing requirements](agreements-license-requirements.md) |Learn how to get and assign licenses for SharePoint Agreements. |

-|[Set up the solution](agreements-setup.md) |Learn how to set up and manage workspaces, add the Agreements app in Microsoft Teams, and more. |

-|[Get users ready](agreements-user-prereqs.md) |Learn how to get users ready to use all of the solution features. |

-|[Create a template](agreements-create-template.md) |Learn how to create and publish templates, set up fields and sections, configure workflows, and more. |

-|[Update a template](agreements-update-template.md) |Learn how to find and edit existing templates, and publish updates to a template. |

-|[Manage sections in a template](agreements-manage-sections.md) |Learn how to publish a new section, insert a section into a template, edit a section, and configure section settings. |

-|[Create an agreement](agreements-create-agreement.md) |Learn how to create an agreement from a template in Microsoft Teams and in Microsoft Word. |

-|[Analyze section revisions](agreements-analyze-sections.md) |Learn how to use the **Analyze section revisions** feature to detect changes in embedded sections, summarize the changes, and offer suggestions. |

-|[Import an agreement](agreements-import-agreement.md) |Learn how to add existing agreements by uploading signed documents. |

-More Syntex services will be added as they become available.

- Use a [prebuilt model](prebuilt-overview.md) to save time processing and extracting information from [contracts](prebuilt-model-contract.md), [invoices](prebuilt-model-invoice.md), and [receipts](prebuilt-model-receipt.md), and detecting and extracting [sensitive information](prebuilt-model-sensitive-info.md) from documents. Prebuilt models are pretrained to recognize common business documents and the structured information in the documents.