Updates from: 11/22/2022 03:50:10
Category Microsoft Docs article Related commit history on GitHub Change details
commerce Pay For Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription.md
- business_assist - AdminTemplateSet description: "Learn what payment options are available to pay for your Microsoft business subscription." Previously updated : 11/08/2022 Last updated : 11/21/2022 # Payment options for your Microsoft business subscription
The Microsoft 365 admin center supports two alternate payment options for custom
- NetBanking (Internet Banking) provides customers with access to banking services on an online platform. > [!IMPORTANT]
-> UPI and NetBanking are only supported for one-time transactions.
+> UPI and NetBanking are only supported for one-time transactions for existing customers only.
#### How do I make a payment with UPI or NetBanking?
-1. If you're a returning customer, when you make a payment, select **UPI / NetBanking** from the **Payment method** drop-down list, then select M**ake payment**. Continue to step 4.
-2. For new customers, when you make your first payment, select **Add payment method**.
-3. Select **UPI / NetBanking**, then select **Make payment**.
-4. You're redirected to the payment partner, BillDesk, where you choose UPI or NetBanking for your payment method.
-5. Follow the instructions in BillDesk to complete the transaction.
+1. If you're a returning customer, when you make a payment, select **UPI / NetBanking** from the **Payment method** drop-down list, then select **Make payment**.
+2. You're redirected to the payment partner, BillDesk, where you choose UPI or NetBanking for your payment method.
+3. Follow the instructions in BillDesk to complete the transaction.
After you submit the payment, allow time for the payment to appear in the admin center.
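Review bot: In the added IMPORTANT line, "only supported for one-time transactions for existing customers only" uses "only" twice and leaves it unclear whether the restriction applies to the transaction type, the customer type, or both; suggest "UPI and NetBanking are supported only for one-time transactions, and only for existing customers." With the new-customer steps removed, step 1 can also drop the "If you're a returning customer," condition, since no other path remains in the list.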
compliance Apply Retention Labels Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
To consider when auto-applying retention labels to cloud attachments:
- When a user is added to a Teams conversation and given access to the full history of the conversation, that history can include cloud attachments. If they were shared within 48 hours of the user added to the conversation, current copies of the cloud attachments are auto-labeled for retention. Cloud attachments shared before this time period aren't supported for newly added users.
+- Cloud attachments in encrypted emails aren't supported.
+ - Cloud attachments shared outside Teams and Outlook aren't supported. - The following items aren't supported as cloud attachments that can be retained:
compliance Compliance Easy Trials Compliance Playbook https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-easy-trials-compliance-playbook.md
Custom assessments are helpful for:
1. [Extend a Compliance Manager template by adding your own controls and improvement actions](compliance-manager-templates-extend.md) 1. [Create your own custom template](compliance-manager-templates-create.md) 1. [Modify an existing template to add or remove controls and actions](compliance-manager-templates-modify.md)
- 1. [Set up automated testing of improvement actions](compliance-manager-setup.md#set-up-automated-testing)
+ 1. [Set up automated testing of improvement actions](compliance-manager-setup.md#testing-source-for-automated-testing)
1. [Reassign improvement actions to another user](compliance-manager-setup.md#reassign-improvement-actions-to-another-user) **Organizational Concerns**
compliance Compliance Manager Assessments https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-assessments.md
The Microsoft actions tab appears for assessments based on templates that suppor
Learn more about [how controls and improvement actions are tracked and scored.](compliance-score-calculation.md)
+## Grant user access to individual assessments
+
+When you assign users a Compliance Manager role in the Microsoft Purview compliance portal, they can view or edit data within all assessments by default (review the [Compliance Manager role types](compliance-manager-setup.md#role-types)). You can restrict user access to only certain assessments by managing user roles from within an assessment or assessment template. Restricting access in this way can help ensure that users who play a role in overseeing compliance with particular regulations or standards have access only to the data and information they need to perform their duties.
+
+External users who need access for auditing or other purposes can also be assigned a role for viewing assessments and editing test data. You'll provide access to external individual by assigning them an Azure Active Directory (AD) role. Learn more about [assigning Azure AD roles](compliance-manager-setup.md#more-about-azure-ad).
+
+#### Steps for granting access
+
+Follow the steps to grant user access to an assessment.
+
+1. From your **Assessments** page, find the assessment you want to grant access to. Select it to open its details page.
+
+1. In the upper-right corner, select **Manage user access**.
+
+1. A **Manage user access** flyout pane appears. It has three tabs, one for each role of Readers, Assessors, and Contributors. Navigate to the tab for the role you want your user to hold for this assessment. Users who currently have access to the assessment will have a blue box with a check mark to the left of their name.
+
+1. Select the **+ Add** command for the role tab you're on: **Add reader**, or **Add assessor** or **Add contributor**.
+
+1. Another flyout pane appears which lists all the users in your organization. You can select the checkbox next to the username you want to add, or you can enter their name in the search bar adn select the user from there. You can select multiple users at once.
+
+1. After making all your selections, select **Add**.
+ > [!NOTE]
+ > If you assign a role to someone who already has an existing role, the new role assignment you choose will override their existing role. In this case, you'll see a confirmation box asking you to confirm the change in role.
+
+1. The flyout pane will close and you'll arrive back at your assessment details page. A confirmation message at the top will confirm the new role assignment for that assessment.
+
+#### Steps for removing access
+
+You can remove a user's access to individual assessments by following the steps below:
+
+1. On the assessment's details page, select **Manage user access**.
+1. On the **Manage user access** flyout pane, go the tab corresponding to the user's role you want to remove.
+
+1. Find the user whose role you want to remove. Check the circle to the left of their name, then select the **Remove** command just below the role tab. To remove all users at once, simply select the **Remove all** command without checking the circle next to every user's name.
+
+1. A **Remove access?** dialog appears, asking you to confirm the removal. Select **Remove access** to confirm the role removal.
+
+1. Select **Save** on the flyout pane. The users' roles will now be removed from the assessment.
+
+Learn how to get a broad [view of all users with access to assessments](compliance-manager-setup.md#user-access).
+
+##### Note about multiple roles
+
+- A user can have one role that applies to an assessment, while also holding another role that applies broadly to overall Compliance Manager access.
+ - For example, if you've assigned a user a **Compliance Manager Reader** role in Microsoft Purview compliance portal **Permissions,** you can also assign that user a **Compliance Manager Assessor** role for a specific assessment. In effect, the user will hold the two roles at the same time, but their ability to edit data will be limited to the assessment to which they've been assigned the **Assessor** role.
+ - Removing an assessment-based role won't remove the user's overall Compliance Manager role if they have one.
+
+- For an individual assessment, one user can only hold one assessment-based role at a time.
+ - For example, if a user holds a reader role for a GDPR assessment and you want to change them to a contributor role, you'll first need to remove their reader role, and then re-assign them the reader role.
+ ## Accept updates to assessments When an update is available for an assessment, you'll see a notification and have the option to accept the update or defer it for a later time.
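Review bot: The last added example under "Note about multiple roles" says to remove the user's reader role "and then re-assign them the reader role", which does not produce the contributor role the sentence sets out to grant; it should read "assign them the contributor role". The requirement to remove a role first also disagrees with the NOTE under "Steps for granting access", which says a new assignment overrides the existing role after a confirmation, so one of the two statements needs correcting. Smaller points in the same section: "access to external individual" should be "external individuals", "search bar adn select" has a typo, and "go the tab" is missing "to".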
compliance Compliance Manager Improvement Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-improvement-actions.md
Compliance Manager provides you options for how to test improvement actions. In
Improvement actions set for manual testing are actions which you manually test and implement. You set the necessary implementation and test status states, and upload any evidence files on the **Documents** tab. For some actions, this is the only available method for testing improvement actions. #### Automatic testing source
-Certain improvement actions can be automatically tested by Compliance Manager. [Get details](compliance-manager-setup.md#set-up-automated-testing) on which improvement actions can and can't be tested automatically.
+Certain improvement actions can be automatically tested by Compliance Manager. [Get details](compliance-manager-setup.md#testing-source-for-automated-testing) on which improvement actions can and can't be tested automatically.
For those improvement actions that can be automatically tested, you'll see the **Automatic** option for testing source. Compliance Manager will detect signals from other compliance solutions you've set up in your Microsoft 365 environment, as well as any complementary actions that Microsoft Secure Score also monitors. The **Testing logic** field on the **Testing** tab will show what kind of policy or configuration is required in another solution in order for the action to pass and earn points toward your compliance score.
To delete evidence files or links, select the action menu (the three dots) to th
After you complete the work, conduct testing, and upload evidence, the next step is to assign the improvement action to an assessor for validation. The assessor validates the work and examines the documentation, and selects the appropriate test status.
-**If test status is set to ΓÇ£PassedΓÇ¥**: the action is complete and the points achieved shows the maximum points achieved. The points are then counted toward your overall compliance score.
+- **If test status is set to ΓÇ£PassedΓÇ¥**: the action is complete and the points achieved shows the maximum points achieved. The points are then counted toward your overall compliance score.
-**If test status is set to ΓÇ£FailedΓÇ¥**: the action doesn't meet the requirements, and the assessor can assign it back to the appropriate user for additional work.
+- **If test status is set to ΓÇ£FailedΓÇ¥**: the action doesn't meet the requirements, and the assessor can assign it back to the appropriate user for additional work.
+
+Users will need a **Compliance Manager Assessor** role in order to edit improvement action testing notes. You may also want to grant users access only to certain assessments. Learn [how to set permissions](compliance-manager-setup.md#set-user-permissions-and-assign-roles) and [how to grant role-based assess to assessments](compliance-manager-setup.md#role-based-access-to-assessments).
## Accepting updates to improvement actions
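Review bot: The second link text in the added paragraph reads "how to grant role-based assess to assessments"; "assess" should be "access", matching the target anchor #role-based-access-to-assessments.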
compliance Compliance Manager Quickstart https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-quickstart.md
You can also set up automated testing of all or a subset of improvement actions.
- [Extend a Compliance Manager template by adding your own controls and improvement actions](compliance-manager-templates-extend.md) - [Create your own custom template](compliance-manager-templates-create.md) - [Modify an existing template to add or remove controls and actions](compliance-manager-templates-modify.md)-- [Set up automated testing of improvement actions](compliance-manager-setup.md#set-up-automated-testing)
+- [Set up automated testing of improvement actions](compliance-manager-setup.md#testing-source-for-automated-testing)
- [Reassign improvement actions to another user](compliance-manager-setup.md#reassign-improvement-actions-to-another-user)
compliance Compliance Manager Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-setup.md
The direct link to access Compliance Manager is [https://compliance.microsoft.co
## Set user permissions and assign roles
-Compliance Manager uses a role-based access control (RBAC) permission model. Only users who are assigned a role may access Compliance Manager, and the actions allowed by each user are restricted by [role type](#role-types).
+Compliance Manager uses a role-based access control (RBAC) permission model. Only users who are assigned a role may access Compliance Manager, and the actions allowed by each user are restricted by [role type](#role-types). Our RBAC model also allows you to grant user access to individual assessments. See [role-based access to assessments](#role-based-access-to-assessments) below to learn more.
### Where to set permissions
Users with Azure AD identities who don't have Office 365 or Microsoft 365 subscr
The table below shows the functions allowed by each role in Compliance Manager. The table also shows how each [Azure AD role](/azure/active-directory/roles/permissions-reference) maps to Compliance Manager roles. Users will need at least the Compliance Manager reader role, or Azure AD global reader role, to access Compliance Manager.
+A user can only hold one role at a time. Any change in a user's role will override their previous role.
+ | User can: | Compliance Manager role | Azure AD role | | :- | :-: | :: | | **Read but not edit data**| Compliance Manager Reader | Azure AD Global reader, Security reader |
-| **Edit data**| Compliance Manager Contribution | Compliance Administrator |
-| **Edit test results**| Compliance Manager Assessor | Compliance Administrator |
+| **Edit data - for example, can create an assessment and edit improvement action data**| Compliance Manager Contribution | Compliance Administrator |
+| **Edit improvement action testing notes**| Compliance Manager Assessor | Compliance Administrator |
| **Manage assessments, templates, and tenant data; assign improvement actions**| Compliance Manager Administration | Compliance Administrator, Compliance Data Administrator, Security Administrator |
+### Role-based access to assessments
+
+You can assign roles to users in order to grant access to specific assessments. Granting access to individual assessments is useful when you need to ensure that only the people working on certain regulatory requirements have access to that data. You can grant access to individual assessments to users outside of your organization, which helps when you have external auditors. For users outside your organization, you'll need to assign them an Azure AD role. For instructions, see [More about Azure AD](#more-about-azure-ad).
+
+The four roles listed in table above provide access to assessments: Compliance Manager Reader, Compliance Manager Contribution, Compliance Manager Assessor, and Compliance Manager Administration. What you can do with each assessment remains restricted based on which activities the role allows.
+
+To grant users access to an assessment, open the assessment's details page and select **Manage users access** to add users by role.
+
+If a user has a role assigned to them in the Microsoft Purview compliance portal for overall access to Compliance Manager, any role you assign them for a specific assessment will apply only to that assessment.
+
+See [Grant user access to assessments](compliance-manager-assessments.md#grant-user-access-to-individual-assessments) for more detailed information and instructions.
+ ## Start a premium assessments trial The Compliance Manager premium assessments trial is a great way to quickly set up assessments that are most relevant to your organization. Our library of over 300 templates correspond to governmental regulations and industry standards around the world.
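Review bot: The added sentence above the table, "A user can only hold one role at a time", conflicts with the new "Role-based access to assessments" section in this same hunk, which describes a user holding an overall Compliance Manager role plus a role for a specific assessment. Scope the sentence to overall roles (or to one assessment-based role per assessment) so readers do not conclude that assigning an assessment role replaces the portal-wide one. Also, "select **Manage users access**" should match the button name "Manage user access" used in the assessment steps, and "listed in table above" is missing "the".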
You can start your trial directly from Compliance Manager and set up recommended
Learn more about getting started with assessments by visiting the [Assessments page](#assessments-page) section below.
-## Settings for automated testing and user history
+## Compliance Manager settings
+
+You can find settings for specific Compliance Manager functions by selecting **Compliance Manager settings** in the upper-right of the screen. The types of settings include:
+
+- [Testing source](#testing-source-for-automated-testing): allows you to turn off or on the automatic testing of improvement actions
+- [Manage user history](#manage-user-history): allows you to manage the data of users associated to improvement actions, including the ability to reassign improvement actions to a different user
+- [User access](#user-access): allows you to view and manage user roles for access to assessments or assessment templates
-The Compliance Manager settings in the Microsoft Purview compliance portal allow you to enable and disable automatic testing of improvement actions. The settings also allow you to manage the data of users associated to improvement actions, including the ability to reassign improvement actions to a different user. Only people with a global administrator or Compliance Manager Administrator role can access the Compliance Manager settings.
+Compliance Manager settings can only be accessed by users who hold a global administrator or Compliance Manager Administrator role.
> [!NOTE] > The automated testing feature is not available to customers in GCC High and DoD environments because Secure Score isn't available in these environments. GCC High and DoD customers will need to manually implement and test their improvement actions.
-### Set up automated testing
+### Testing source for automated testing
Compliance Manager detects signals from other Microsoft Purview solutions that your organization may subscribe to, including data lifecycle management, information protection, Microsoft Purview Data Loss Prevention, communication compliance, and insider risk management. Compliance Manager also detects signals from complementary improvement actions that are monitored by [Microsoft Secure Score](../security/defender/microsoft-secure-score.md).
Deleting a userΓÇÖs history will remove them as an owner of improvement actions,
To delete a userΓÇÖs history, follow the steps below:
-1. Select <a href="https://go.microsoft.com/fwlink/p/?linkid=2174201" target="_blank">**Settings**</a> in the Microsoft Purview compliance portal.
+1. In **Compliance Manager settings,** select **Manage user history**.
-2. On the settings page, select **Compliance Manager**.
+1. Find a user by searching the list email addresses on the page, or by selecting **Search** and entering that userΓÇÖs email address.
-3. Select **Manage user history** from the navigation at left.
+1. From the **Select** drop-down menu, choose **Delete history**.
-4. Find a user by searching the list email addresses, or by selecting **Search** and entering that userΓÇÖs email address.
+1. A window appears asking you to confirm the permanent deletion of the userΓÇÖs history. To continue with deletion, select **Delete history**. To leave without deleting the history, select **Cancel**.
+
+1. YouΓÇÖll arrive back at the **Manage user history** page with a confirmation message at the top that the history for the user was deleted.
+
+### User access
+
+The **User access** section of **Settings** displays a list of all users who have a role that allows access to one or more assessments. This section is also where you can revoke access to an assessment by removing their assessment-specific role.
+
+[Visit these instructions](compliance-manager-assessments.md#grant-user-access-to-individual-assessments) for assigning user roles from an assessment's details page.
+
+To remove a user's access to an assessment:
+
+1. In **Compliance Manager settings,** select **User access**.
+
+1. Select the checkbox next to the name of the user whose role you want to edit. Only one user can be selected at a time.
+
+1. Select **Manage assessments**. An **Edit assessment permissions** flyout pane will appear.
+
+1. Go to the tab that corresponds to the role you want to remove: Reader, Assessor, or Contributor.
+
+1. Select the button next to the assessment for which you want to remove access, and select **Remove assessment**.
-5. From the **Select** drop-down menu, choose **Delete history**.
+1. A **Remove access?** confirmation box appears. Select **Confirm** to remove the user's role for that assessment, or select **Cancel** to cancel. The name of the assessment will now be removed from the role tab.
-6. A window appears asking you to confirm the permanent deletion of the userΓÇÖs history. To continue with deletion, select **Delete history**. To leave without deleting the history, select **Cancel**.
+1. Select **Save** on the flyout pane. The role removal won't be completed until you select the Save button. Selecting **Close** will cancel out of the process without saving the role removal.
-7. YouΓÇÖll arrive back at the **Manage user history** page with a confirmation message at the top that the history for the user was deleted.
+The user list on the **User access** page will now reflect the changes you made.
## Understand the Compliance Manager dashboard
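Review bot: The new "User access" section opens with "The **User access** section of **Settings**", while every step in this hunk names the entry point "**Compliance Manager settings**"; use the same label so it is not confused with the portal-wide Settings page that the removed steps pointed to. In the rewritten step "Find a user by searching the list email addresses on the page", "of" is missing after "list"; the omission was carried over from the old step 4.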
compliance Compliance Manager Templates Create https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-templates-create.md
Only users who hold a Global Administrator or Compliance Manager Administration
- If thereΓÇÖs an error with your file, an error message at the top explains whatΓÇÖs wrong. YouΓÇÖll need to fix your file and upload it again. Errors will result if your spreadsheet is formatted improperly, or if thereΓÇÖs invalid information in certain fields. 6. The **Review and finish** screen shows the number of improvement actions and controls and the maximum score for the template. When ready to approve, select **Create template.** (If you need to make changes, select **Back**.) 7. The last screen confirms a new template has been created. Select **Done** to exit the wizard.
-8. YouΓÇÖll arrive at your new templateΓÇÖs details page, where you can [create your assessment](compliance-manager-assessments.md#create-assessments).
+8. YouΓÇÖll arrive at your new templateΓÇÖs details page, where you can [create your assessment](compliance-manager-assessments.md#create-assessments).
compliance Compliance Manager Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-whats-new.md
description: "Find out whatΓÇÖs new in Compliance Manger and whatΓÇÖs to come. R
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
+## November 2022
+
+Compliance Manager now allows you to assign user roles that are specific to individual assessments. This feature allows you to provide assessors with scoped access to Compliance Manager. Learn more about [granting user access to individual assessments](compliance-manager-assessments.md#grant-user-access-to-individual-assessments).
+ ## August 2022 Compliance Manager has published the following new assessment template:
View our [full list of assessment templates](compliance-manager-templates-list.m
### Continuous compliance assessment of improvement actions
-We're adding automated testing and evidence generation for over 35 improvement actions in Compliance Manager that were not previously covered by Secure Score. With continuous compliance assessment, you can receive updates about which of these improvement actions you've completed if they're relevant for your compliance assessments and you're licensed to access the relevant solutions. Continuous compliance assessment also gives users visibility into the scoring logic of your improvement actions and provides insight and evidence about why you received a certain score. This feature works alongside existing integrations with Microsoft 365 Secure Score, and any automated actions you've previously configured will continue to work as-is. Learn more about [automated testing settings](compliance-manager-setup.md#set-up-automated-testing).
+We're adding automated testing and evidence generation for over 35 improvement actions in Compliance Manager that were not previously covered by Secure Score. With continuous compliance assessment, you can receive updates about which of these improvement actions you've completed if they're relevant for your compliance assessments and you're licensed to access the relevant solutions. Continuous compliance assessment also gives users visibility into the scoring logic of your improvement actions and provides insight and evidence about why you received a certain score. This feature works alongside existing integrations with Microsoft 365 Secure Score, and any automated actions you've previously configured will continue to work as-is. Learn more about [automated testing settings](compliance-manager-setup.md#testing-source-for-automated-testing).
## February 2022
compliance Deploy Scanner Configure Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/deploy-scanner-configure-install.md
Before you install the scanner, or upgrade it from an older general availability
1. Sign in to the [Microsoft Purview compliance portal](https://compliance.microsoft.com) with one of the following roles:
+ - **Global administrator**
- **Compliance administrator** - **Compliance data administrator** - **Security administrator**
- - **Global administrator**
+ - **Security operator**
+ - **Security reader**
+ - **Global reader**
Then, navigate to the **Settings** pane.
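Review bot: The added entries **Security reader** and **Global reader** are read-only roles, but they now sit in the same list as the administrator roles with no distinction, and the visible context only continues with "navigate to the **Settings** pane". State which of the listed roles can change the scanner settings and which can only view them, so that nobody is given a broader role than needed or gets stuck partway through the procedure.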
compliance Retention Policies Sharepoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-sharepoint.md
When a document with versions is subject to retention settings to retain that co
If the retention settings are configured to delete at the end of the retention period: -- If the retention period is based on when the content was created, each version has the same expiration date as the original document. The original document and its versions all expire at the same time.
+- If the retention period is based on when the content was created, when labeled, or when an event starts, each version has the same expiration date as the original document. The original document and its versions all expire at the same time.
- If the retention period is based on when the content was last modified: - **After the change where all versions of the file are retained in a single file in the Preservation Hold library**: Each version has the same expiration date as the last version of the document. The last version of the document and its versions all expire at the same time.
compliance Sensitivity Labels Aip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-aip.md
To keep informed when new labeling capabilities become available for built-in la
For the latest Office apps, the AIP add-in is disabled by default, so there's nothing for you to configure: - Currently rolling out to [Current Channel (Preview)](https://office.com/insider)-- **Current Channel** and **Monthly Enterprise Channel**: Not before version 2211+ (not yet released)
+- **Current Channel** and **Monthly Enterprise Channel**: Not before version 2212+ (not yet released)
- **Semi-Annual Channel**: Not before version 2301+ (not yet released) If you have a version that disabled the AIP add-in by default, and you need to use the AIP add-in rather than built-in labeling, you must [configure a new setting to override the default](#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in).
compliance Sensitivity Labels Coauthoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-coauthoring.md
Before you enable the tenant setting for co-authoring for files encrypted with s
## How to enable co-authoring for files with sensitivity labels > [!CAUTION]
-> Turning on this setting is a one-way action. Enable it only after you have read and understood the metadata changes, prerequisites, limitations, and any known issues documented on this page.
+> Enable this option only after you have read and understood the metadata changes, prerequisites, limitations, and any known issues documented on this page.
1. Sign in to the [Microsoft Purview compliance portal](https://compliance.microsoft.com) as a global admin for your tenant. 2. From the navigation pane, select **Settings** > **Co-authoring for files with sensitivity files**.
-2. On the **Co-authoring for files with sensitivity labels** page, read the summary description, prerequisites, what to expect, and the warning that you can't turn off this setting after you've turned it on.
+2. On the **Co-authoring for files with sensitivity labels** page, read the summary description, prerequisites, and what to expect.
Then select **Turn on co-authoring for files with sensitivity labels**, and **Apply**:
Before you enable the tenant setting for co-authoring for files encrypted with s
3. Wait 24 hours for this setting to replicate across your environment before you use this new feature for co-authoring.
-## Contact Support if you need to disable this feature
+## If you need to disable this feature
> [!IMPORTANT]
-> If you do need to disable this feature, be aware that labeling information can be lost.
+> If you do need to disable this feature, for example, you've discovered some apps don't support the metadata changes and you can't immediately update these apps, be aware that labeling information can be lost.
-After you've enabled co-authoring for files with sensitivity labels for your tenant, you can't disable this setting yourself. That's why it's so important that you check and understand the prerequisites, consequences, and limitations before you enable this setting.
+After you've enabled co-authoring for files with sensitivity labels for your tenant, you can't disable this setting in the compliance portal and this action is supported only by using PowerShell. This is not a setting that you casually disable, and why it's so important that you check and understand the prerequisites, consequences, and limitations before you enable the setting.
-![Option that shows co-authoring turned on for sensitivity labels.](../media/co-authoring-tenant-option-set-for-sensitivity-labels.png)
-
-As you see from the screenshot when this setting has been turned on, you can contact [Microsoft Support](../admin/get-help-support.md) and request to turn off this setting. This request might take several days and you'll need to prove that you're a global administrator for your tenant. Expect usual support charges to apply.
-
-If a support engineer disables this setting for your tenant:
+If you do disable this setting for your tenant:
- For apps and services that support the new labeling metadata, they now revert to the original metadata format and location when labels are read or saved.
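Review bot: In the rewritten paragraph, "This is not a setting that you casually disable, and why it's so important that you check..." does not parse, and the preceding sentence joins two statements with "and" where the second is the exception to the first. Suggest: "...you can't disable this setting in the compliance portal; disabling it is supported only by using PowerShell. Because labeling information can be lost, check and understand the prerequisites, consequences, and limitations before you enable the setting."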
If a support engineer disables this setting for your tenant:
- Co-authoring and AutoSave no longer work in your tenant for labeled and encrypted documents. - Sensitivity labels remain enabled for Office files in OneDrive and SharePoint.+
+### To disable co-authoring for your tenant
+
+Use the [Set-PolicyConfig](/powershell/module/exchange/set-policyconfig) cmdlet with the *EnableLabelCoauth* parameter.
+
+1. In a PowerShell session, [connect to Security & Compliance PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell).
+
+2. Run the following command:
+
+ ```PowerShell
+ Set-PolicyConfig -EnableLabelCoauth:$false
+ ```
+
+The command completes without a prompt or confirmation.
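Review bot: Step 2 of the new "To disable co-authoring for your tenant" procedure gives `Set-PolicyConfig -EnableLabelCoauth:$false` with no warning beside it, while the closing line says the command "completes without a prompt or confirmation", so an admin who jumps straight to the command never sees that labeling information can be lost. Suggest repeating that consequence directly above the command and adding a final step that tells the reader how to confirm the resulting state of the setting. Separately, the sentence "This is not a setting that you casually disable, and why it's so important that you check..." does not parse and should be split in two. The unchanged line "If a support engineer disables this setting for your tenant:" also still appears after the replaced copy; if it remains in the article, it contradicts the new self-service path.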
contentunderstanding Create Local Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/create-local-model.md
This feature is available for all [model types](model-types-overview.md).
4. Select **Create a model**.
-5. On the **Create a model** panel, type the name of the model, select the model type, and then select **Create**.
+5. On the **Create a model** panel, type the name of the model, add a description, and then select **Create**.
![Screenshot of the Create a model panel.](../media/content-understanding/local-model-create-a-model.png)
contentunderstanding Model Types Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/model-types-overview.md
When you create a custom model, you'll select the training method associated wit
|||| | ![Tile for teaching method.](../media/content-understanding/teaching-method-tile-2.png) | ![Tile for freeform seletion method.](../media/content-understanding/freeform-selection-method-tile-2.png) | ![Tile for layout method.](../media/content-understanding/layout-method-tile-2.png) |
+> [!NOTE]
+> To make the **Freeform selection method** and the **Layout method** options available to users, they first must be configured in the Microsoft 365 admin center.
+ ### Unstructured document processing Use the unstructured document processing model to automatically classify documents and extract information from them. It works best with unstructured documents, such as letters or contracts. These documents must have text that can be identified based on phrases or patterns. The identified text designates both the type of file it is (its classification) and what you'd like to extract (its extractors).
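Review bot: The added note says the Freeform selection method and Layout method options "first must be configured in the Microsoft 365 admin center" but names no setting and links to no procedure, so a reader cannot act on it. Suggest linking to the article that covers that configuration, or naming the setting, and stating who has to make the change.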
enterprise Office 365 Network Mac Perf Onboarding Tool https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-onboarding-tool.md
The commandline tool uses Windows Location Services to find the users City State
The commandline tool will attempt to install the .NET Framework if it is not already installed. It will also download the main testing executable from the Microsoft 365 network connectivity test tool and launch that.
+## Test using the Microsoft Support and Recovery Assistant
+
+[Microsoft Support and Recovery Assistant](https://aka.ms/SaRA_home) (Assistant) automates all the steps required to execute the command-line version of the Microsoft 365 network connectivity test tool on a userΓÇÖs machine and creates a report similar to the one created by the web version of the connectivity test tool. Note, the Assistant runs the command line version of Microsoft 365 network connectivity test tool to produce the same JSON result file, but the JSON file is converted into .CSV file format.
+
+[Download and Run the Assistant Here](https://aka.ms/SaRA-NetworkConnectivity-Learn)
+
+### Viewing Test Results
+
+Reports can be accessed in the following ways:
+
+The reports will be available on the below screen once the Assistant has finished scanning the user's machine. To access these reports, simply click on the &#8220;View log&#8221; option to view them.
+
+> [!div class="mx-imgBorder"]
+> ![Microsoft Support and Recovery Assistant wizard.](../media/m365-mac-perf/m365-mac-perf-sara1.png)
+
+Connectivity test results and Telemetry data are collected and uploaded to the **uploadlogs** folder. To access this folder, use one of the following methods:
+
+- Open Run (**Windows logo key + R**), and run the **%localappdata%/saralogs/uploadlogs** command as follows:
+
+> [!div class="mx-imgBorder"]
+> ![Run dialog for locating output.](../media/m365-mac-perf/m365-mac-perf-sara2.png)
+
+- In File Explorer, type C:\Users\<UserName>\AppData\Local\saralogs\uploadlogs and press **Enter** as follows:
+
+> [!div class="mx-imgBorder"]
+> ![Windows Explorer Address Bar for output.](../media/m365-mac-perf/m365-mac-perf-sara3.png)
+
+**Note:** &lt;UserName&gt; is the user's Windows profile name.
+To view the information about the test results and telemetry, double-click and open the files.
+
+> [!div class="mx-imgBorder"]
+> ![Windows Explorer SARA Output Files.](../media/m365-mac-perf/m365-mac-perf-sara3.png)
+
+### Types of result files
+
+Microsoft Support and Recovery Assistant creates 2 files:
+
+1. Network Connectivity Report (CSV)
+This report runs the raw JSON file against a rule engine to make sure defined thresholds are being met and if they are not met a &#8220;warning&#8221; or &#8220;error&#8221; is displayed in the output column of the CSV file. You can view the NetworkConnectivityReport.csv file to be informed about any detected issues or defects. Please see [What happens at each test step](office-365-network-mac-perf-onboarding-tool.md#what-happens-at-each-test-step) for details on each test and the thresholds for warnings.
+
+1. Network Connectivity Scan Report (JSON)
+This file provides the raw output test results from the command-line version of the Microsoft 365 network connectivity test tool (MicrosoftConnectivityTest.exe).
+ ## FAQ Here are answers to some of our frequently asked questions.
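Review bot: Under "Viewing Test Results", the last image ("Windows Explorer SARA Output Files.") points at `m365-mac-perf-sara3.png`, the same file already used for "Windows Explorer Address Bar for output.", so one of the two references is probably wrong; check the file name. The sentence "Connectivity test results and Telemetry data are collected and uploaded to the **uploadlogs** folder" is also ambiguous: the paths that follow are local to the user profile, so say explicitly whether the data stays on the machine or is also sent elsewhere. Smaller points: "Reports can be accessed in the following ways:" is followed by a single paragraph rather than a list, `%localappdata%/saralogs/uploadlogs` is described as a "command" and uses forward slashes where the File Explorer path uses backslashes, and the curly quotes are written as `&#8220;` entities instead of plain quotation marks.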
frontline Bookings Virtual Visits https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/bookings-virtual-visits.md
- highpri - EngageScoreSep2022 - contentengagementFY23
+ - tier2
description: Learn how to schedule, manage, and conduct virtual appointments using the Bookings app in Teams. appliesto:
frontline Browser Join https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/browser-join.md
- m365solution-scenario - m365-frontline - highpri
+ - tier2
description: Learn about the join experience for Teams virtual appointments on browsers. appliesto:
frontline Collab Features Apps Toolkit https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/collab-features-apps-toolkit.md
- m365solution-scenario - m365-frontline - highpri
+ - tier1
description: Resources to help you train your frontline workers on communication and collaboration features in Teams and Teams apps. appliesto:
frontline Deploy Teams At Scale https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/deploy-teams-at-scale.md
- M365-collaboration - m365-frontline - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Ehr Admin Cerner https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/ehr-admin-cerner.md
- m365solution-scenario - m365-frontline - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Ehr Admin Epic https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/ehr-admin-epic.md
- m365solution-scenario - m365-frontline - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Ehr Connector Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/ehr-connector-report.md
- m365solution-scenario - m365-frontline - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Flw Choose Scenarios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-choose-scenarios.md
- highpri - m365solution-frontline - m365solution-scenario
- - highpri
+ - tier1
appliesto: - Microsoft Teams
frontline Flw Corp Comms https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-corp-comms.md
- highpri - m365solution-frontline - m365solution-scenario
- - highpri
+ - tier1
ms.localizationpriority: high search.appverid: MET150 searchScope:
frontline Flw Deploy Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-deploy-overview.md
ms.localizationpriority: high
- m365-frontline - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Flw Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-devices.md
ms.localizationpriority: high
search.appverid: MET150 description: Get an overview of managing mobile devices for frontline workers in your organization.
- - m365-frontline
- - highpri
+ - m365-frontline
+ - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Flw Licensing Options https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-licensing-options.md
ms.localizationpriority: high
- m365-frontline - highpri
+ - tier1
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Flw Onboarding Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-onboarding-training.md
- highpri - m365solution-frontline - m365solution-scenario
- - highpri
+ - tier1
ms.localizationpriority: high search.appverid: MET150 searchScope:
frontline Flw Onboarding Wizard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-onboarding-wizard.md
- M365-collaboration - m365-frontline - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Flw Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-overview.md
- highpri - m365solution-overview - m365solution-frontline
- - highpri
+ - tier1
appliesto: - Microsoft Teams
frontline Flw Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-pilot.md
ms.localizationpriority: medium
- m365-frontline - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Flw Scenario Posters https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-scenario-posters.md
- m365solution-scenario - EngageScoreOct2022 - contentengagementFY23
+ - tier1
appliesto: - Microsoft Teams
frontline Flw Setup Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-setup-microsoft-365.md
- m365-frontline - highpri - m365solution-frontline
- - highpri
+ - tier1
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Flw Team Collaboration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-team-collaboration.md
- highpri - m365solution-frontline - m365solution-scenario
- - highpri
+ - tier1
ms.localizationpriority: high search.appverid: MET150 searchScope:
frontline Flw Technical Planning Guide Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-technical-planning-guide-deployment.md
- M365-collaboration - m365-frontline - highpri
+ - tier2
appliesto: - Microsoft 365 for frontline workers Last updated 10/28/2022
frontline Flw Trial https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-trial.md
ms.localizationpriority: high
- m365-frontline - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Flw Wellbeing Engagement https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-wellbeing-engagement.md
- highpri - m365solution-frontline - m365solution-scenario
- - highpri
+ - tier2
ms.localizationpriority: high search.appverid: MET150 searchScope:
frontline Get Up And Running https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/get-up-and-running.md
- Teams_ITAdmin_FLW - m365-frontline - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Hc Delegates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/hc-delegates.md
- highpri - EngageScoreSep2022 - contentengagementFY23
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Manage Shift Based Access Flw https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/manage-shift-based-access-flw.md
- M365-collaboration - m365-frontline - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Messaging Policies Hc https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/messaging-policies-hc.md
- microsoftcloud-healthcare - m365-frontline - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Pin Teams Apps Based On License https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/pin-teams-apps-based-on-license.md
- M365-collaboration - m365-frontline - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Schedule Owner For Shift Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/schedule-owner-for-shift-management.md
- highpri - microsoftcloud-healthcare - microsoftcloud-retail
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Shifts Connector Blue Yonder Admin Center Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-blue-yonder-admin-center-manage.md
ms.localizationpriority: high
- M365-collaboration - m365-frontline
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Shifts Connector Blue Yonder Known Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-blue-yonder-known-issues.md
ms.localizationpriority: high
- M365-collaboration - m365-frontline
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Shifts Connector Blue Yonder Powershell Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-blue-yonder-powershell-setup.md
- M365-collaboration - m365-frontline - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Shifts Connector Powershell Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-powershell-manage.md
- M365-collaboration - m365-frontline - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Shifts Connector Ukg Admin Center Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-ukg-admin-center-manage.md
ms.localizationpriority: high
- M365-collaboration - m365-frontline
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Shifts Connector Ukg Known Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-ukg-known-issues.md
ms.localizationpriority: high
- M365-collaboration - m365-frontline
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Shifts Connector Ukg Powershell Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-ukg-powershell-manage.md
ms.localizationpriority: high
- M365-collaboration - m365-frontline
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Shifts Connector Ukg Powershell Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-ukg-powershell-setup.md
ms.localizationpriority: high
- M365-collaboration - m365-frontline
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Shifts Connector Wizard Ukg https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-wizard-ukg.md
ms.localizationpriority: high
- M365-collaboration - m365-frontline
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Shifts Connector Wizard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-wizard.md
- M365-collaboration - m365-frontline - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Shifts Connectors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connectors.md
- M365-collaboration - m365-frontline - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Shifts For Teams Landing Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-for-teams-landing-page.md
- microsoftcloud-retail - m365solution-frontline - m365solution-scenario
- - highpri
+ - tier1
search.appverid: MET150 ms.localizationpriority: high searchScope:
frontline Shifts Toolkit https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-toolkit.md
- m365solution-scenario - m365-frontline - highpri
+ - tier1
description: Resources to help train your frontline team in using Shifts to access and manage their schedules. appliesto:
frontline Simplify Business Processes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/simplify-business-processes.md
- highpri - m365solution-frontline - m365solution-scenario
- - highpri
+ - tier1
ms.localizationpriority: high search.appverid: MET150 searchScope:
frontline Switch From Enterprise To Frontline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/switch-from-enterprise-to-frontline.md
- Teams_ITAdmin_FLW - m365-frontline - highpri
+ - tier2
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Teams For Financial Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/teams-for-financial-services.md
- highpri - m365solution-financialservices - m365solution-overview
- - highpri
+ - tier1
ms.localizationpriority: high search.appverid: MET150 searchScope:
frontline Teams For Manufacturing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/teams-for-manufacturing.md
- highpri - m365solution-manufacturing - m365solution-overview
- - highpri
+ - tier1
ms.localizationpriority: high search.appverid: MET150 searchScope:
frontline Teams For Retail Landing Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/teams-for-retail-landing-page.md
- highpri - m365solution-retail - m365solution-overview
- - highpri
+ - tier1
ms.localizationpriority: high search.appverid: MET150 searchScope:
frontline Teams In Hc https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/teams-in-hc.md
- m365solution-overview - m365-frontline - highpri
+ - tier1
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Virtual Appointments Toolkit https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-appointments-toolkit.md
- m365solution-scenario - m365-frontline - highpri
+ - tier1
description: Customizable resources and infographics you can add to your website to help your clients understand how to use virtual appointments that have been scheduled in Bookings with your organization. appliesto:
frontline Virtual Appointments https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-appointments.md
- highpri - m365solution-frontline - m365solution-scenario
- - highpri
+ - tier1
f1.keywords: - NOCSH appliesto:
frontline Virtual Visits Usage Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-visits-usage-report.md
- M365-collaboration - m365-frontline - highpri
+ - tier2
description: Learn how to use the Virtual Visits usage report in the Microsoft Teams admin center to get an overview of virtual appointment activity in your organization. appliesto: - Microsoft Teams
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
### [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) ### [Create an onboarding or offboarding notification rule](onboarding-notification.md)
-### [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
- ### [Manage Microsoft Defender for Endpoint configuration settings on devices with Microsoft Endpoint Manager](security-config-management.md) ### [Troubleshoot onboarding issues]()
##### [Better together: Microsoft Defender Antivirus and Office 365](office-365-microsoft-defender-antivirus.md) #### [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) #### [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md)
+#### [Manage exclusions for Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
#### [Cloud protection and Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md) ##### [Why cloud protection should be on](why-cloud-protection-should-be-on-mdav.md) ##### [Turn on cloud protection](enable-cloud-protection-microsoft-defender-antivirus.md)
security Defender Endpoint Antivirus Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-antivirus-exclusions.md
Title: Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus
+ Title: Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus
description: Learn about exclusions for Defender for Endpoint and Microsoft Defender Antivirus. Suppress alerts, submit files for analysis, and define exclusions and indicators to reduce noise and risk for your organization. ms.mktglfcycl: manage
Previously updated : 11/16/2022 Last updated : 11/21/2022
search.appverid: met150
-# Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus
+# Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
search.appverid: met150
> [!NOTE] > As a Microsoft MVP, [Fabian Bader](https://cloudbrothers.info) contributed to and provided material feedback for this article.
-[Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) includes a wide range of capabilities to prevent, detect, investigate, and respond to advanced cyberthreats. As with any endpoint protection or antivirus solution, sometimes files, folders, or processes that aren't a threat can be detected as malicious by Defender for Endpoint or Microsoft Defender Antivirus. These entities can be blocked or sent to quarantine, even though they're not actually a threat. You can take certain actions to prevent false positives and similar issues from occurring. These actions include:
+[Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) includes a wide range of capabilities to prevent, detect, investigate, and respond to advanced cyberthreats. These capabilities include [Next-generation protection](next-generation-protection.md) (which includes Microsoft Defender Antivirus). As with any endpoint protection or antivirus solution, sometimes files, folders, or processes that aren't actually a threat can be detected as malicious by Defender for Endpoint or Microsoft Defender Antivirus. These entities can be blocked or sent to quarantine, even though they're not really a threat.
+
+You can take certain actions to prevent false positives and similar issues from occurring. These actions include:
- [Submitting a file to Microsoft for analysis](#submitting-files-for-analysis) - [Suppressing an alert](#suppressing-alerts)
When you're dealing with false positives, or known entities that are generating
| Scenario | Steps to consider | |:|:-|
-| [False positive](defender-endpoint-false-positives-negatives.md): An entity, such as a file or a process, was detected and identified as malicious, even though the entity isn't a threat. | 1. [Review and classify alerts](defender-endpoint-false-positives-negatives.md#part-1-review-and-classify-alerts) that were generated as a result of the detected entity. <br/><br/>2. [Suppress an alert](defender-endpoint-false-positives-negatives.md#suppress-an-alert) for a known entity. <br/><br/>3. [Review remediation actions](defender-endpoint-false-positives-negatives.md#part-2-review-remediation-actions) that were taken for the detected entity. <br/><br/>4. [Submit the false positive to Microsoft](/microsoft-365/security/intelligence/submission-guide.md) for analysis. <br/><br/>5. [Define an exclusion](defender-endpoint-false-positives-negatives.md#part-3-review-or-define-exclusions) for the entity (only if necessary). |
-| [Performance issues](troubleshoot-performance-issues.md) such as one of the following issues: <br/>- A system is having high CPU usage or other performance issues. <br/>- A system is having memory leak issues. <br/>- An app is slow to load on devices. <br/>- An app is slow to open a file on devices. | 1. [Collect diagnostic data](collect-diagnostic-data.md) for Microsoft Defender Antivirus. <br/><br/>2. If you're using a non-Microsoft antivirus solution, [check with the vendor for any needed exclusions](troubleshoot-performance-issues.md#check-with-vendor-for-antivirus-exclusions). <br/><br/>3. [Analyze the Microsoft Protection Log](troubleshoot-performance-issues.md#analyze-the-microsoft-protection-log) to see the estimated performance impact. <br/><br/>4. Define an exclusion for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md) (if necessary). <br/><br/>5. [Create an indicator for Defender for Endpoint](manage-indicators.md) (only if necessary). |
-| [Compatibility issues](microsoft-defender-antivirus-compatibility.md) with non-Microsoft antivirus products. <br/>Example: Defender for Endpoint relies on security intelligence updates for devices, whether they're running Microsoft Defender Antivirus or a non-Microsoft antivirus solution. | 1. If you're using a non-Microsoft antivirus product as your primary antivirus/antimalware solution, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-compatibility.md#requirements-for-microsoft-defender-antivirus-to-run-in-passive-mode). <br/><br/>2. If you're switching from a non-Microsoft antivirus/antimalware solution to Defender for Endpoint, see [Make the switch to Defender for Endpoint](switch-to-mde-overview.md). This guidance includes: <br/> - [Exclusions you might need to define for the non-Microsoft antivirus/antimalware solution](switch-to-mde-phase-2.md#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution); <br/> - [Exclusions you might need to define for Microsoft Defender Antivirus](switch-to-mde-phase-2.md#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus); and <br/> - [Troubleshooting information](switch-to-mde-troubleshooting.md) (just in case something goes wrong while migrating). |
+| [False positive](defender-endpoint-false-positives-negatives.md): An entity, such as a file or a process, was detected and identified as malicious, even though the entity isn't a threat. | <ol><li>[Review and classify alerts](defender-endpoint-false-positives-negatives.md#part-1-review-and-classify-alerts) that were generated as a result of the detected entity. </li><li>[Suppress an alert](defender-endpoint-false-positives-negatives.md#suppress-an-alert) for a known entity. </li><li>[Review remediation actions](defender-endpoint-false-positives-negatives.md#part-2-review-remediation-actions) that were taken for the detected entity. </li><li>[Submit the false positive to Microsoft](/microsoft-365/security/intelligence/submission-guide.md) for analysis. </li><li>[Define an exclusion](defender-endpoint-false-positives-negatives.md#part-3-review-or-define-exclusions) for the entity (only if necessary).</li></ol> |
+| [Performance issues](troubleshoot-performance-issues.md) such as one of the following issues:<ul><li>A system is having high CPU usage or other performance issues.</li><li>A system is having memory leak issues.</li><li>An app is slow to load on devices. </li><li>An app is slow to open a file on devices.</li></ul> | <ol><li>[Collect diagnostic data](collect-diagnostic-data.md) for Microsoft Defender Antivirus.</li><li>If you're using a non-Microsoft antivirus solution, [check with the vendor for any needed exclusions](troubleshoot-performance-issues.md#check-with-vendor-for-antivirus-exclusions).</li><li>[Analyze the Microsoft Protection Log](troubleshoot-performance-issues.md#analyze-the-microsoft-protection-log) to see the estimated performance impact.</li><li>[Define an exclusion for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md) (if necessary).</li><li>[Create an indicator for Defender for Endpoint](manage-indicators.md) (only if necessary).</li></ul> |
+| [Compatibility issues](microsoft-defender-antivirus-compatibility.md) with non-Microsoft antivirus products. <br/>Example: Defender for Endpoint relies on security intelligence updates for devices, whether they're running Microsoft Defender Antivirus or a non-Microsoft antivirus solution. | <ol><li>If you're using a non-Microsoft antivirus product as your primary antivirus/antimalware solution, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-compatibility.md#requirements-for-microsoft-defender-antivirus-to-run-in-passive-mode). </li><li>If you're switching from a non-Microsoft antivirus/antimalware solution to Defender for Endpoint, see [Make the switch to Defender for Endpoint](switch-to-mde-overview.md). This guidance includes:<ul><li>[Exclusions you might need to define for the non-Microsoft antivirus/antimalware solution](switch-to-mde-phase-2.md#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution);</li><li>[Exclusions you might need to define for Microsoft Defender Antivirus](switch-to-mde-phase-2.md#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus); </li><li>[Troubleshooting information](switch-to-mde-troubleshooting.md) (just in case something goes wrong while migrating).</li></ul></li></ol> |
> [!IMPORTANT]
-> An "allow" indicator is the strongest type of exclusion you can define in Defender for Endpoint. Make sure to use indicators sparinglyΓÇöonly when necessaryΓÇöand review all exclusions periodically.
+> An "allow" indicator is the strongest type of exclusion you can define in Defender for Endpoint. Make sure to use indicators sparingly (only when necessary), and review all exclusions periodically.
## Submitting files for analysis
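Review bot: In the rewritten "Performance issues" row, the steps cell opens with `<ol>` but ends with `</li></ul>`, so the ordered list is never closed and the cell may render incorrectly. Change the closing tag to `</ol>` so it matches the "False positive" and "Compatibility issues" rows. The rest of the conversion from `<br/>`-separated steps to HTML lists is consistent across the three rows.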
The following table summarizes exclusion types that can be defined for Defender
| Product/service | Exclusion types | |:|:-|
-| [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) <br/>[Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md) | - [Automatic exclusions](#automatic-exclusions) (for Windows Server 2016 and later) <br/>- [Custom exclusions](#custom-exclusions), such as process-based exclusions, folder location-based exclusions, file extension exclusions, or contextual file and folder exclusions<br/>- [Custom remediation actions](#custom-remediation-actions) based on threat severity or for specific threats <br/><br/> *The standalone versions of Defender for Endpoint Plan 1 and Plan 2 don't include server licenses. To onboard servers, you'll need another license, such as [Microsoft Defender for Servers Plan 1 or 2](/azure/defender-for-cloud/defender-for-servers-introduction). If you're a small or medium-sized business using [Microsoft Defender for Business](../defender-business/mdb-overview.md), you can get [Microsoft Defender for Business servers](../defender-business/get-defender-business-servers.md).* |
-| [Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md) | - [Indicators](#defender-for-endpoint-indicators) for files, certificates, or IP addresses, URLs/domains<br/>- [Attack surface reduction exclusions](#attack-surface-reduction-exclusions)<br/>- [Controlled folder access exclusions](#controlled-folder-access-exclusions) |
-| [Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) | - [Automation folder exclusions](#automation-folder-exclusions) (for automated investigation and remediation) |
+| [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) <br/>[Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md) | <ul><li>[Automatic exclusions](#automatic-exclusions) (for Windows Server 2016 and later)</li><li>[Custom exclusions](#custom-exclusions), such as process-based exclusions, folder location-based exclusions, file extension exclusions, or contextual file and folder exclusions</li><li>[Custom remediation actions](#custom-remediation-actions) based on threat severity or for specific threats </li></ul> *The standalone versions of Defender for Endpoint Plan 1 and Plan 2 don't include server licenses. To onboard servers, you'll need another license, such as [Microsoft Defender for Servers Plan 1 or 2](/azure/defender-for-cloud/defender-for-servers-introduction). If you're a small or medium-sized business using [Microsoft Defender for Business](../defender-business/mdb-overview.md), you can get [Microsoft Defender for Business servers](../defender-business/get-defender-business-servers.md).* |
+| [Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md) |<ul><li>[Indicators](#defender-for-endpoint-indicators) for files, certificates, or IP addresses, URLs/domains</li><li>[Attack surface reduction exclusions](#attack-surface-reduction-exclusions)</li><li>[Controlled folder access exclusions](#controlled-folder-access-exclusions)</li></ul> |
+| [Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) | [Automation folder exclusions](#automation-folder-exclusions) (for automated investigation and remediation) |
The following sections describe these exclusions in more detail:
security Device Control Removable Storage Access Control Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control-faq.md
- tier3 Previously updated : 11/10/2022 Last updated : 11/21/2022 search.appverid: met150
search.appverid: met150
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+This article provides answers to frequently asked questions about device control removable storage capabilities in Microsoft Defender for Endpoint.
+ ## How do I generate GUID for Group ID/PolicyRule ID/Entry ID?
-You can generate the GUID through online open source, or through PowerShell. For more information, see [How to generate GUID through PowerShell](/powershell/module/microsoft.powershell.utility/new-guid).
+You can generate the GUID through online open source or by using PowerShell. For more information, see [How to generate GUID through PowerShell](/powershell/module/microsoft.powershell.utility/new-guid).
![Screenshot of GUID in PowerShell.](https://user-images.githubusercontent.com/81826151/159046476-26ea0a21-8087-4f01-b8ae-5aa73b392d8f.png) ## What are the removable storage media and policy limitations?
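Review bot: "through online open source" on the added line doesn't tell the reader what to use. Name the kind of tool meant (for example, an online GUID generator), or drop the clause and point only to `New-Guid`, which the link already documents. The heading above it would also read better as "How do I generate a GUID for Group ID/PolicyRule ID/Entry ID?".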
-The backend call is done through OMA-URI (GET to read or PATCH to update) either from the Microsoft Endpoint Manager admin center (Intune), or through Microsoft Graph API. The limitation is the same as any OMA-URI custom configuration profile at Microsoft, which is officially 350,000 characters for XML files.
-
-For example, if you need two blocks of entries per user SID to "Allow" / "Audit allowed" specific users, and then two blocks of entries at the end to "Deny" all, you'll be able to manage 2,276 users.
+The backend call is done through OMA-URI (GET to read or PATCH to update) either from Intune or through Microsoft Graph API. The limitation is the same as any OMA-URI custom configuration profile at Microsoft, which is officially 350,000 characters for XML files. For example, if you need two blocks of entries per user SID to "Allow" / "Audit allowed" specific users, and then two blocks of entries at the end to "Deny" all, you'll be able to manage 2,276 users.
## Why doesn't the policy work?
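Review bot: The 2,276-user figure in the merged paragraph can't be reproduced from the text, because the size of an entry block is never given. State the assumed number of characters per entry, or show the calculation, so readers with a different policy layout can estimate their own limit. Folding the example into the same paragraph as the 350,000-character limit also makes the limit harder to spot; keeping the paragraph break between them would help.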
-1. The most common reason is there's no required [anti-malware client version](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control#prepare-your-endpoints).
+The most common reason is there's no required [anti-malware client version](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control#prepare-your-endpoints).
+
+Another reason could be that the XML file isn't correctly formatted. For example, not using the correct markdown formatting for the "&" character in the XML file or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the files causing the XML parsing not to work. One simple solution is to download the [sample file](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) (select **Raw** and then **Save as**), and then update.
-2. Another reason could be that the XML file isn't correctly formatted. For example, not using the correct markdown formatting for the "&" character in the XML file or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the files causing the XML parsing not to work. One simple solution is to download the [sample file](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) (select **Raw** and then **Save as**), and then update.
+If you're deploying and managing the policy by using Group Policy, make sure to combine all PolicyRules into one XML file within a parent node called `PolicyRules`. Also combine all Groups into one XML file within a parent node called `Groups`. If you manage through Intune, keep one PolicyRule XML file, and one Group XML file.
-3. If you're deploying and managing the policy by using Group Policy, make sure to combine all PolicyRule into one XML file within a parent node called PolicyRules. Also combine all Group into one XML file within a parent node called Groups. If you manage through Intune, keep one PolicyRule one XML file, and one Group one XML file.
+The device (machine) should have a valid certificate. Run the following command on the machine to check:
-If it still doesn't work, contact support, and share your support cab. To get that file, use Command Prompt as an administrator:
+`Get-AuthenticodeSignature C:\Windows\System32\wbem\WmiPrvSE.exe`
+
+![Screenshot showing results of Get-AuthenticodeSignature cmdlet.](https://user-images.githubusercontent.com/81826151/202582101-5470dd54-ef32-4448-80c9-ba23a721dc70.png)
+
+If the policy still isn't working, contact support, and share your support cab. To get that file, open Command Prompt as an administrator, and then use the following command:
`"%programfiles%\Windows Defender\MpCmdRun.exe" -GetFiles` ## Why is there no configuration UX for some policy groups?
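Review bot: The added sentence "The device (machine) should have a valid certificate" doesn't match the check that follows it. `Get-AuthenticodeSignature C:\Windows\System32\wbem\WmiPrvSE.exe` reports the signature status of that one file, and the text never says which result means the device passes or what to do if it doesn't. State the expected output in words (the screenshot alone isn't searchable), and say that the cmdlet runs in PowerShell, since the next step switches to Command Prompt. Separately, the carried-over phrase "correct markdown formatting for the "&" character in the XML file" should refer to XML escaping rather than markdown, and that sentence would be clearer split into its two causes: the unescaped "&" and the byte order mark.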
-There is no configuration UX for **Define device control policy groups** and **Define device control policy rules** on your Group Policy. But, you can still get the related .adml and .admx files by selecting **Raw** and **Save as** at the [WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.admx) files.
+There is no configuration UX for **Define device control policy groups** and **Define device control policy rules** on your Group Policy. But, you can still get the related `.adml` and `.admx` files by selecting **Raw** and **Save as** at the [WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.admx) files.
## How do I confirm that the latest policy has been deployed to the target machine? You can run the PowerShell cmdlet `Get-MpComputerStatus` as an administrator. The following value will show whether the latest policy has been applied to the target machine. ## How can I know which machine is using out of date anti-malware client version in the organization?
DeviceFileEvents
4. Open **Details**, and select **Properties**.
- :::image type="content" alt-text="Screenshot of device property in Device Manager." source="https://user-images.githubusercontent.com/81826151/181859852-00bc8b11-8ee5-4d46-9770-fa29f894d13f.png":::
+ :::image type="content" alt-text="Screenshot of right-click menu for disk drives in Device Manager." source="https://user-images.githubusercontent.com/81826151/181859852-00bc8b11-8ee5-4d46-9770-fa29f894d13f.png":::
-## How do I find Sid or ComputerSid for AAD groud?
-Different from AD group, the Sid or ComputerSid is using Object Id for AAD group. You can find the Object Id from Azure portal.
+## How do I find Sid or ComputerSid for Azure AD group?
+
+Different from AD group, the Sid or ComputerSid is using Object Id for Azure AD group. You can find the Object Id from Azure portal.
![image](https://user-images.githubusercontent.com/81826151/200895994-cc395452-472f-472e-8d56-351165d341a7.png)
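Review bot: The added sentence "Different from AD group, the Sid or ComputerSid is using Object Id for Azure AD group" is still hard to parse, and it doesn't say where in the Azure portal the Object Id is shown. Suggest something like "Unlike an AD group, an Azure AD group uses its Object Id as the Sid or ComputerSid", followed by the portal path. The image in the trailing context has the alt text "image"; give it a descriptive alt text like the other screenshots in this file.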
security Schedule Antivirus Scans https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans.md
ms.localizationpriority: medium
Previously updated : 10/18/2022 Last updated : 11/21/2022
In addition to always-on, real-time protection and [on-demand antivirus](run-sca
When you set up scheduled scans, you can specify whether the scan should be a full or quick scan. In most cases, a quick scan is recommended; however, we also recommend that you run at least one full scan after installing or enabling Defender Antivirus. This scan provides an opportunity to find existing threats and helps populate the cache for future scans.
-|Quick scan|Full scan|Custom scan|
-||||
-|(Recommended) A quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. <br/><br/>Combined with always-on, real-time protection, which reviews files when they're opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong protection against malware that starts with the system and kernel-level malware.<br/><br/>In most cases, a quick scan is sufficient and is the recommended option for scheduled scans.|A full scan starts by running a quick scan and then continues with a sequential file scan of all mounted fixed disks and removable/network drives (if the full scan is configured to do so).<br/><br/>A full scan can take a few hours or days to complete, depending on the amount and type of data that needs to be scanned.<br/><br/>When the full scan is complete, new security intelligence is available, and a new scan is then required to make sure that no other threats are detected with the new security intelligence.<br/><br/>Because of the time and resources involved in a full scan, in general, Microsoft doesn't recommend scheduling full scans.|A custom scan runs on files and folders that you specify. For example, you can choose to scan a USB drive, or a specific folder on your device's local drive.|
+| Scan type | Description |
+|:|:|
+| Quick scan | (Recommended) A quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. <br/><br/>Combined with always-on, real-time protection, which reviews files when they're opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong protection against malware that starts with the system and kernel-level malware.<br/><br/>In most cases, a quick scan is sufficient and is the recommended option for scheduled scans. |
+| Full scan | A full scan starts by running a quick scan and then continues with a sequential file scan of all mounted fixed disks and removable/network drives (if the full scan is configured to do so).<br/><br/>A full scan can take a few hours or days to complete, depending on the amount and type of data that needs to be scanned.<br/><br/>When a full scan begins it uses the security intelligence definitions installed at the time the scan starts. If new security intelligence updates are made available during the full scan, another full scan is required in order to scan for new threat detections contained in the latest update.<br/><br/>Because of the time and resources involved in a full scan, in general, we do not recommend scheduling full scans.|
+| Custom scan | A custom scan runs on files and folders that you specify. For example, you can choose to scan a USB drive or a specific folder on your device's local drive.|
> [!NOTE] > By default, quick scans run on mounted removable devices, such as USB drives.
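Review bot: In the Full scan row, "another full scan is required" reads as mandatory, yet the same cell says a full scan can take hours or days and ends by advising against scheduling full scans. Say when a rerun is actually warranted, or soften "is required", so the row doesn't pull in two directions. The last sentence also changes "Microsoft doesn't recommend" to "we do not recommend"; use the contraction to match the rest of the table.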
When you set up scheduled scans, you can specify whether the scan should be a fu
## How do I know which scan type to choose? Use the following table to choose a scan type.
-<br/><br/>
|Scenario|Recommended scan type| |||
security Dex Xdr Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/dex-xdr-overview.md
+
+ Title: What is Microsoft Defender Experts for XDR offering
+
+description: Defender Experts for XDR augments your SOC with a combination of automation and human expertise
+keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, Microsoft Defender Experts for hunting, threat hunting and analysis.
+search.product: Windows 10
++
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security
+ - tier1
+
+search.appverid: met150
++
+# Expanded Microsoft Defender Experts for XDR preview
++
+**Applies to:**
+
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+The **Microsoft Defender Experts for XDR** (Defender Experts for XDR) preview is a managed detection and response service that helps your security operations centers (SOCs) focus and accurately respond to incidents that matter. It provides extended detection and response for customers who use M365 Defender workloads: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Azure Active Directory (Azure AD).
+
+DDefender Experts for XDR augments your SOC with a combination of automation and MicrosoftΓÇÖs security analyst expertise to help you detect and respond to threats with confidence and improve your security posture. With deep product expertise powered by threat intelligence, weΓÇÖre uniquely positioned to help you:
+
+- **Focus on incidents that matter** - Our experts prioritize incidents and alerts that matter, alleviate alert fatigue, and drive SOC efficiency for your team.
+- **Manage response your way** - Our experts provide detailed, step-by-step, actionable guidance to respond to incidents with the option to act on your behalf as needed.
+- **Access expertise when you need it** - Extend your teamΓÇÖs capacity with access to Defender Experts for assistance on an investigation.
+- **Stay ahead of emerging threats** - OOur experts proactively hunt for emerging threats in your environment, informed by unparalleled threat intelligence and visibility.
+
+In addition to the constantly updated research and intelligence tailored for the threats currently seen across the various Microsoft 365 Defender signals, as part of the preview, youΓÇÖll receive guided response from our security analysts and support from MicrosoftΓÇÖs security-focused service delivery managers (SDMs). In this preview, you can try the service for free and enjoy the following capabilities:
+
+- **Managed detection and response** - Expert analysts manage your Microsoft 365 Defender incident queue and handle triage and investigation on your behalf. Expert analysts partner with you and your team to take action or guide you to respond to incidents.
+- **Proactive threat hunting** - [Defender Experts for Hunting](../defender/defender-experts-for-hunting.md) is built-in to extend your teamΓÇÖs threat hunting capabilities and prioritize significant threats
+- **Live dashboards and reports** - TTransparent view of our operations on your behalf and noise free, actionable view into what matters for you coupled with detailed analytics
+- **Proactive check-ins for continuous security improvements** - Periodic check-ins with your named service delivery team to guide your Defender Experts for XDR experience and improve your security posture
+
+## Prerequisites
+
+> [!NOTE]
+> The prerequisites specified in this section are currently applicable for preview.
+
+To enable us to get started with this managed service, we require the following prerequisites:
+
+- Microsoft Defender for Endpoint P2 must be licensed for devices and users in scope for the preview and Microsoft Defender Antivirus-enabled in active mode and devices onboarded to MDE. (Required for EDR capabilities)
+- Azure Active Directory Premium P1 must be licensed for all users and enabled. (Required for enabling secure service provider access)
+
+Aside from the requirements stated above, to get Defender Experts for XDR coverage for the following eligible products, you must have their appropriate product licenses:
+
+- Defender for Office 365 P2
+- Defender for Identity
+- Defender for Cloud Apps
+
+This service is available worldwide for our customers in our commercial public clouds. We are gradually expanding the preview to more customers. If youΓÇÖre interested to learn more, reach out to your Microsoft account team.
+
+## Go to the next step
+
+[Get started](get-started-xdr.md)
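Review bot: Three added lines start with a doubled letter: "DDefender Experts for XDR augments", "OOur experts proactively hunt", and "TTransparent view of our operations". Fix those before merge. The file also mixes "M365 Defender" and "Microsoft 365 Defender" for the same product, the last three capability bullets lack closing periods, the keywords line spells "Xtended detection and response", and the front matter title ("What is Microsoft Defender Experts for XDR offering") doesn't match the H1 ("Expanded Microsoft Defender Experts for XDR preview"). The first prerequisite bullet packs licensing, antivirus mode, and onboarding into one sentence; splitting it into separate requirements would make each one checkable.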
security Frequently Asked Questions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/frequently-asked-questions.md
+
+ Title: FAQs related to Microsoft Defender Experts for XDR preview
+
+description: Frequently asked questions related to Defender Experts for XDR
+keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, real-time visibility with XDR experts, FAQ's related to XDR
+search.product: Windows 10
++
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security
+ - tier1
+
+search.appverid: met150
+
+# Frequently asked questions
+
+**Applies to:**
+
+- Microsoft 365 Defender
++
+| Questions | Answers |
+|||
+| **How is Defender Experts for XDR different from Defender Experts for Hunting?** | Defender Experts for Hunting provides threat hunting service to proactively find threats. This service is meant for customers with a robust security operations center and want that deep expertise in hunting to expose advanced threats. Defender Experts for XDR provides end-to-end security operations capabilities to monitor, investigate and respond to security alerts. This service is meant for customers with constrained security operations centers that are overburdened with alert volume, in need of skilled experts or both. Defender Experts for XDR also includes the proactive threat hunting offered by Defender Experts for Hunting|
+| **What products does Defender Experts for XDR operate on?** | Refer to the [Prerequisites](../defender/dex-xdr-overview.md) section for details. |
+| **Is there a minimum criteria or size requirements to get Defender Experts for XDR?** | Not in preview. We'll evaluate and provide these requirements as part of our general availability. |
+| **Does Defender Experts for XDR replace by Security Operations Center (SOC) team?** | No. Defender Experts for XDR are meant to augment your SOC team reducing their workload and collaborating with them to protect your organization from threat actors. But we don't replace your SOC team or their processes. |
+| **What actions can XDR experts take during incident investigation?** | Our expert analysts can take actions based on the roles granted to them in your Microsoft 365 Defender portal. If our analysts are granted a Security Reader role, they can investigate and provide guided response for your SOC team to act on. If our analysts are granted a Security Operator role, they can also take specific remediation actions agreed upon with your SOC team. And finally, if they are granted a Security Administrator role, they can take higher privilege actions like managing certain settings as agreed upon with you. |
+| **Can XDR experts help me improve my security posture?** | Yes, we'll provide necessary guidance before and during the preview to improve your security posture. |
+| **Can Defender Experts for XDR help with an active compromise or vulnerability?** | No, Defender Experts do not provide Incident Response services currently. Contact your Microsoft representative to engage Microsoft Detection and Response team for incident response assistance |
+| **How can my organization participate in the Defender Experts for XDR preview?** |We are gradually expanding the preview to more customers. Please contact your Microsoft representative to access the preview.|
+| **When will Defender Experts for XDR be generally available?** | We'll announce general availability dates closer to the launch date. |
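Review bot: The question "Does Defender Experts for XDR replace by Security Operations Center (SOC) team?" has a typo; "by" should be "my". The Prerequisites answer links to `../defender/dex-xdr-overview.md` without a section anchor, so the reader lands at the top of the overview rather than on its Prerequisites heading. The first answer and the incident response answer end without a period, and the incident response answer would be more useful with a link for engaging the Microsoft Detection and Response team instead of only "Contact your Microsoft representative".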
security Get Started Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/get-started-xdr.md
+
+ Title: Get started with Microsoft Defender Experts for XDR
+
+description: Once the Defender Experts for XDR team are ready to onboard you, weΓÇÖll reach out to get you started.
+keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, Microsoft Defender Experts for hunting, threat hunting and analysis
+search.product: Windows 10
++
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security
+ - tier1
+
+search.appverid: met150
++
+# Get started with Microsoft Defender Experts for XDR
++
+**Applies to:**
+
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+Once the Defender Experts for XDR team is ready to onboard you, weΓÇÖll reach out to get you started.
+
+## Activate your trial license
+
+1. Select the link in the welcome email to go directly to the Defender Experts settings page in the Microsoft 365 Defender portal. You can also open this page by going to **Settings** > **Defender Experts**.
+2. Read the Defender Experts for XDR preview terms and conditions then select **Accept** to accept them.
+3. Get your free license in Microsoft 365 admin center. In the checkout page, select **Place order**.
+
+## Grant permissions to our experts
+
+By default, Defender Experts for XDR require the following permissions to investigate incidents and notify you when you need to take action:
+
+- **Service provider access** - This permission lets our experts sign in to your tenant and deliver services based on assigned security roles. For details [learn more about cross-tenant access](/azure/active-directory/external-identities/cross-tenant-access-overview).
+- **Security reader** - This built-in Azure AD role lets our experts investigate incidents and provide guidance on necessary response actions.
+
+You can also provide our experts the following additional permissions to investigate incidents on your behalf:
+
+- **Security operator** (recommended) - In addition to the permissions provided to a security reader, this built-in Azure AD role lets our experts take necessary actions to remediate active threats.
+- **Security administrator** (optimal) - In addition to the permissions provided to a security operator, this built-in Azure AD role lets our experts configure security settings and deploy preventive measures.
+
+[Learn more about Azure AD roles and permissions](/azure/active-directory/roles/permissions-reference)
+
+Follow these steps to grant our experts additional permissions:
+
+1. In the same Defender Experts setting page mentioned earlier, select **Manage permissions**.
+2. Under **Additional permissions**, select the additional role(s) you want to grant.
+3. Select **Give access**.
+
+> [!IMPORTANT]
+> If you skip providing additional permissions, our experts won't be able to take certain response actions to secure your network.
+
+## Go to the next step
+
+[Start using Microsoft Defender Experts for XDR preview service](start-using-mdex-xdr.md)
+
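Review bot: The labels "(recommended)" on Security operator and "(optimal)" on Security administrator give no basis for choosing between them, and the page never says how to review or remove a role after selecting **Give access**. These roles let an external team take remediation actions and configure security settings in the tenant, so say what each label means and add the steps for changing or revoking the grant later. Smaller points: "Defender Experts for XDR require" should be "requires", "For details [learn more about cross-tenant access]" needs a comma or rewording, and the IMPORTANT note could name which response actions are unavailable when only Security reader is granted.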
security Opt Out Of Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/opt-out-of-preview.md
+
+ Title: How to opt out of Microsoft Defender Experts for XDR preview
+
+description: Consult your Service Delivery Manager (SDM) to opt out of the preview.
+keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, real-time visibility with XDR experts, threat hunting and analysis
+search.product: Windows 10
++
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security
+ - tier1
+
+search.appverid: met150
++
+# Opt out of Microsoft Defender Experts for XDR preview
+
+Consult your service delivery manager (SDM) to opt out of the preview.
security Start Using Mdex Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/start-using-mdex-xdr.md
+
+ Title: How to use the Microsoft Defender Experts for XDR preview service
+
+description: Defender Experts for XDR will help prioritizing and customizing recommendations to fit your environment
+keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, real-time visibility with XDR experts, threat hunting and analysis
+search.product: Windows 10
++
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security
+ - tier1
+
+search.appverid: met150
+++
+# Start using Defender Experts for XDR preview service
++
+**Applies to:**
+
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+Apart from onboarding service delivery, our expertise on the Microsoft 365 Defender product suite enables Defender Experts for XDR to run an initial readiness engagement to help you get the most out of your Microsoft security products. This engagement will be based on your [Microsoft Secure Score](microsoft-secure-score.md) and Defender ExpertsΓÇÖ policy recommendations. Our Experts will assist in prioritizing and customizing our recommendations to fit your environment. They will request your engagement to get those configurations implemented.
+
+## Managed detection and response
+
+Our service, through a combination of automation and human expertise, will triage M365 Defender incidents, prioritize them on your behalf, filter out the noise, carry out detailed investigations, and provide detailed guided response to your SOC teams. Optionally, our analysts can also take a response step on your behalf.
+
+Customers will receive detailed response playbooks via emails. They will also be able to filter M365 Defender portal incident view using Defender Experts tags to see the current state of incidents that Defender Experts are actively investigating, or incidents that require customer action. Our analysts will also add relevant comments in M365 Defender portalΓÇÖs **Comments & history** section so you and your SOC analysts can track the investigation progress:
+
+- Collect investigation package
+- Run antivirus scan
+- Trigger and prioritize action in an automatic investigation
+- Stop and quarantine file
+- Delete email
+- Block designated OAuth cloud apps
+
+These recommendations also appear in the **Comments & History** section of each related incident in the Microsoft 365 Defender portal so you can view them at your convenience.
+
+## Get real-time visibility with Defender Experts for XDR reports
+
+Defender Experts for XDR will include an interactive, on-demand report that provides a clear summary of the work our expert analysts are doing on your behalf, aggregate information about your incident landscape, and granular details about specific incidents. Your service delivery manager (SDM) will also use the report to provide you with additional context regarding your XDR Experts service during a monthly business review.
+
+## Collaborate with a trusted advisor
+
+The service delivery manager (SDM) is responsible for managing the overall relationship for your organization with the Defender Experts for XDR service. They are your trusted advisor working along with XDR expertsΓÇÖ team to help you protect your organization.
+
+The SDM provides the following
+
+- Service readiness support
+
+ - Educate customers about the end-to-end service experience, from signup to regular operations and escalation process.
+ - Help establish a service-ready security posture, including guidance on required controls and policy updates.
+
+- Service operations support
+ - Provide unique service delivery content and reporting, including periodic business reviews.
+ - Serve as a single point of contact for feedback and escalations related to Defender Experts Service.
+
+## Proactive managed hunting
+Defender Experts for XDR also includes proactive threat hunting offered by [Defender Experts for Hunting](defender-experts-for-hunting.md). Defender Experts for hunting was created for customers who have a robust security operations center but want Microsoft to help them proactively hunt threats using Microsoft Defender data. This proactive threat hunting service goes beyond the endpoint to hunt across endpoints, Office 365, cloud applications, and identity. Our experts will investigate anything they find, then hand off the contextual alert information along with remediation instructions, so you can quickly respond.
+
+## Request advanced threat expertise on demand
+Select **Ask Defender Experts** directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat questions. Experts can provide insights to better understand the complex threats your organization may face. Consult an expert to:
+
+- Gather additional information on alerts and incidents, including root causes and scope
+- Gain clarity into suspicious devices, alerts, or incidents and get the next steps if faced with an advanced attacker
+- Determine risks and available protections related to threat actors, campaigns, or emerging attacker techniques
+
+> [!NOTE]
+> Ask Defender Experts is not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/).
+
+The option to **Ask Defender Experts** is available in the incidents and alerts pages for you to ask contextual questions about a specific incident or alert:
+
+- ***Alerts page flyout menu***
+
+![Screenshot of the Ask Defender Experts menu option in the Alerts page flyout menu in the Microsoft 365 Defender portal.](../../media/mte/defenderexperts/alerts-flyout-menu.png)
+
+- ***Incidents page actions menu***
+
+![Screenshot of the Ask Defender Experts menu option in the Incidents page actions menu in the Microsoft 365 Defender portal.](../../media/mte/defenderexperts/incidents-page-actions-menu.png)
+
+## Opt out of preview
+
+Consult your service delivery manager (SDM) to opt out of the preview.
+
+## See also
+
+[Read through frequently asked questions and answers](frequently-asked-questions.md)
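Review bot: The portal and the service are named inconsistently in the added text. The paragraph under "Request advanced threat expertise on demand" says "Microsoft 365 security portal", while the alt text of both screenshots says "Microsoft 365 Defender portal". The "Proactive managed hunting" paragraph writes both "Defender Experts for Hunting" and "Defender Experts for hunting". Pick one form of each and use it throughout. The bullet "get the next steps if faced with an advanced attacker" sits directly above a note stating that Ask Defender Experts is not a security incident response service, so consider rewording the bullet so that readers do not expect incident handling from this channel. Minor style point: the headings "Proactive managed hunting" and "Request advanced threat expertise on demand" have no blank line before their body text, unlike "Opt out of preview" and "See also".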
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
For more information on what's new with other Microsoft Defender security produc
You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
+## November 2022
+- (Preview) Microsoft Defender Experts for XDR (Defender Experts for XDR) is now available for preview. Defender Experts for XDR is a managed detection and response service that helps your security operations centers (SOCs) focus and accurately respond to incidents that matter. It provides extended detection and response for customers who use M365 Defender workloads: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Azure Active Directory (Azure AD). For details, refer to [Expanded Microsoft Defender Experts for XDR preview](dex-xdr-overview.md).
+ ## August 2022 - (GA) [Microsoft Defender Experts for Hunting](defender-experts-for-hunting.md) is now generally available. If you're a Microsoft 365 Defender customer with a robust security operations center but want Microsoft to help you proactively hunt for threats across endpoints, Office 365, cloud applications, and identity using Microsoft Defender data, then learn more about applying, setting up, and using the service. Defender Experts for Hunting is sold separately from other Microsoft 365 Defender products. - (Preview) [Guided mode](advanced-hunting-modes.md#get-started-with-guided-hunting-mode) is now available for public preview in advanced hunting. Analysts can now start querying their database for endpoint, identities, email & collaboration, and cloud apps data *without knowing Kusto Query Language (KQL)*. Guided mode features a friendly, easy-to-use, building-block style of constructing queries through dropdown menus containing available filters and conditions. See [Get started with query builder](advanced-hunting-query-builder.md).
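Review bot: In the new November 2022 entry, "M365 Defender workloads" uses an abbreviation while the August 2022 entry just below it spells out "Microsoft 365 Defender", so spell it out here as well. The phrase "focus and accurately respond to incidents that matter" is missing a preposition; "focus on and accurately respond to" reads correctly. The entry also states the preview status twice ("(Preview) ... is now available for preview"), so the second mention can be dropped or reworded. The link text "Expanded Microsoft Defender Experts for XDR preview" should match the title of dex-xdr-overview.md so readers land on the page they expect.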