Updates from: 11/08/2022 02:44:25
Category Microsoft Docs article Related commit history on GitHub Change details
admin Organizational Message https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/adoption/organizational-message.md
+
+ Title: "Microsoft Adoption Score Organizational Message"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+ms.localizationpriority: high
+monikerRange: 'o365-worldwide'
+
+- Tier2
+- scotvorg
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+
+- AdminSurgePortfolio
+- AdminTemplateSet
+search.appverid:
+- MET150
+- MOE150
+description: "Learn how to send messages to your organization in Microsoft 365 using organizational messages in Adoption Score."
+++
+# Adoption Score Organizational Message
+
+Organizational messages enable IT admins to deliver clear, actionable messages in-product and in a targeted way, while maintaining user-level privacy. Organizational messages in Adoption Score use targeted in-product notifications to advise on Microsoft 365 recommended practices based on Adoption Score insights. Users can be reminded to use products that have recently been deployed, encouraged to try a product on a different surface, or to recommend new ways of working, such as using @mentions to improve response rates in communications. Templated messages are delivered to users in their flow of work through surfaces including Outlook, Excel, PowerPoint, and Word. Authorized professionals can use the organizational messages wizard in Adoption Score to choose from up to three templated message types, define when and how often a message can be displayed, and exclude groups or priority accounts from receiving the message.
+
+Organizational messages for Adoption Score will initially roll out to Communication, Content Collaboration, Mobility, and more to follow to support all People Experience categories. Check out the [2022 Ignite session](https://ignite.microsoft.com/en-US/sessions/ff17a80f-2fa6-4e52-b92c-745f0ca8d574?source=sessions) for a detailed demonstration and feature description.
+
+> [!NOTE]
+> The feature is currently in preview. If you encounter any bugs or have any suggestions, please give us feedback in the Microsoft 365 admin center. We appreciate your feedback and will reach out to you as fast as we can.
+
+## Who can use the feature?
+
+For a successful preview experience, you need to be one of the following admin roles:
+
+- Global administrator
+
+- Organizational message writer
+
+The organizational message writer role is the new built-in role that allows assigned admins to view and configure messages. The global administrator can assign the organizational message writer role to admin:
+
+1) Go to **Roles** > **Role assignments**
+
+2) Search for and select **Organizational message writer**
+
+3) Under **Assigned**, select **Add users** or **Add groups**
+
+4) Choose a group of admins youΓÇÖd like to assign the role to, and select **Add**
+
+## Where will the messages appear?
+
+In this preview, we support the teaching call-out and business bars in Word, Excel, PowerPoint, and Outlook Desktop Apps.
+
+Business bars are supported by Microsoft 365 Consumer subscribers, Office 2019, Office 2016, Office 2013, and Office 2010.
+
+The desktop teaching call-out is supported by Microsoft 365 Consumer and Commercial Office 2019, and Office 2016 Consumer.
+
+## How to enable Adoption Score Organizational Message
+
+To enable Adoption Score Organizational Message, the global administrator needs to enable Adoption Score first:
+
+1. Sign in to the [admin center](https://admin.microsoft.com/) as a global administrator and go to **Reports** > **Adoption Score**
+
+1. Select **Enable Adoption Score**. It can take up to 24 hours for insights to become available.
+
+1. Under the **Organizational Messages** tab, select **Allow approved admins to send in-product recommendations to specified users**
+
+> [!NOTE]
+> Only a global administrator can enable Adoption Score. The organizational message writer role can only opt in for Adoption Score Organizational Messages.
+
+After Adoption Score is enabled, the global administrator and organizational message writer role can opt in for Adoption Score Organizational Message.
+
+Visit [privacy controls for Adoption Score](privacy.md) to understand how to enable Adoption Score.
+
+## Getting Started
+
+In the Microsoft 365 admin center, go to **Reports** > **Adoption Score.**
+
+We currently have organizational messages for three people experience categories: Communication, Content collaboration, and Mobility. In each category, youΓÇÖll find available actions to take under the **How can I impact my score** section. Select **See what action you can take** > **Create message** to start the process.
+
+To see all available organizational messages, go to the **Action (Preview)** tab next to **Overview**. There are currently five available messages for you to create. Choose one and select **Create message** to start.
+
+## Capabilities
+
+As global administrator or organizational message writer role, you can do any of the following actions:
+
+- Choose a message from a set of templated content for business bars or teaching call-outs
+
+- Select the recipients based on user activities, Azure AD user groups, and group level aggregates
+
+- Schedule a time frame and frequency for delivery of the messages
+
+- Save drafts anytime during the message creation process
+
+- Track the status of organizational messages and user engagement
+
+- Manage scheduled or active organizational messages
+
+## Choose a message for business bars or teaching call-out
+
+1. Under the **Messages** tab, view where the messages will appear.
+
+2. Choose a message from a set of templated content.
+
+3. Select **Preview this message** to see an example of what recipients will see during the date range you choose.
+
+4. The messages will show up in the same language as the userΓÇÖs surface. Currently, there are 41 languages supported. [Check the appendix to see which languages are supported](#appendix).
+
+5. Select **Next** to proceed to the **Recipients** tab.
+
+6. If you want to exit the message creation process for now and save a draft, select **Save and close**. The drafts are stored in the **Your orgΓÇÖs messages** tab under **Actions**.
+
+## Select the recipients
+
+1) Under the **Recipients** tab, the recipients are by default selected based on their activities. For example, targeted users who aren't actively using OneDrive or SharePoint with the apps enabled for the past 28 days.
+
+2) Select **Apply filter** > **Choose organizational attribute**
+
+ - **Groups**: In addition to the default recipients, you can send messages to specific Azure AD user groups
+
+ - **Companies, Country (State) ΓÇô City, Departments**: Using group-level aggregates, you can apply attributes filter such as attributes like location, departments, and companies to target specific groups of audiences.
+
+3) You can also omit users with priority accounts or in certain Microsoft 365 groups.
+
+4) Select **Next** to proceed to the **Schedule** tab.
+
+> [!NOTE]
+> The recipient list is refreshed daily. The users who adopted the recommended practices will be removed from the recipient lists.
+
+## Schedule a time window and frequency for delivery of the messages
+
+1) Under the **Schedule** tab, select **Start date**.
+
+2) Selecting an **End date** is optional. The default duration is 365 days.
+
+3) Choose **Frequency**.
+
+4) Select **Next** to proceed to the **Finish** tab.
+
+> [!NOTE]
+> If the frequency of the message is set as once a week, the message will only show on one of the surfaces per week. After the user clicks or dismisses the message, it wonΓÇÖt show up again. Teaching call-out messages only appear twice in their lifetime even if the user doesnΓÇÖt click on it.
+
+## Finish or Save Draft
+
+1) Under the **Finish** tab, confirm the message details and then select **Schedule**.
+
+2) If you want to exit the message creation process for now and save a draft, select **Save and close.** The drafts are stored in the **Your orgΓÇÖs messages** tab under **Actions**.
+
+## Track the status of the messages and user engagement
+
+Once messages have been created, you'll see the reporting in the table under the **Your orgΓÇÖs messages** tab under **Actions**. The following information is available:
+
+- Message name
+
+- Status: Draft/Scheduled/Active/Scheduled/Canceled/Completed/Error
+
+- Last edited date
+
+- Start date
+
+- End date  
+
+- Related category
+
+- Related metric
+
+- Creator
+
+- (Available after messages are active) Total messages seen: total number of times the message was shown to users
+
+- (Available after messages are active) Total clicks: total number of times the message was clicked by users
+
+> [!NOTE]
+> This capability is only available to Product admins, report reader roles, and user success specialists who have reader permissions.
+
+## Cancel or clone messages
+
+Once messages have been created, you'll see the reporting in the table under the **Your orgΓÇÖs messages** tab under **Actions**.
+
+- Select three dots to the right of **Message name** to see a dropdown of actions
+
+- Select **cancel** or **clone**.
+
+> [!NOTE]
+> Each tenant can have one active message for each insight. If you want to schedule a new message, you can go to the **Your orgΓÇÖs message** page to cancel active ones.
+
+## FAQ
+
+### Q: Why does the total number of messages seen differ from the expected number?
+
+A: For any given message, not every user **in its selected audience** (selected as message recipients) will receive the message. This is expected behavior because the message delivery depends on other factors that affect a messageΓÇÖs reach, including:
+
+- **User behavior**: some delivery channels require the user to go to a specific location/app to have a chance to see the message (for example, an Office desktop app call-out message can only be delivered to a user who opens the Office desktop app).
+
+- **System protections to prevent over-messaging and user dissatisfaction**: some communication channels have message frequency limits if too many messages are live at a given time (for example, a Teaching call-out won't appear more than twice to each user).
+
+### Q: How can I test the messages before sending them to users of my entire company?
+
+A: You can send messages to specific Azure AD groups, such as your IT department. See [Select the recipients](#select-the-recipients) for details.
+
+### Q: What is the recommended time frame window for the messages?
+
+A: As the frequency of the messages is at most once a week, the recommended minimum duration is one month. The recommended length of the time window is 12 months. The recipientΓÇÖs list is refreshed daily. Your messages will always be sent to users who havenΓÇÖt adopted the recommended practices in the last 28 days. Messages wonΓÇÖt repeatedly send to users who have already adopted.
+
+### Q: Will I be able to customize the text in the messages?
+
+A: Not currently.
+
+## Organizational Messages in Windows Endpoint Manager
+
+Organizational messages in Windows Endpoint Manager enable organizations to deliver branded personalized messages to their employees via native Windows 11 surfaces, such as Notification Center and the Get started app. These messages are intended to help people ramp up in new roles quicker, learn more about their organization, and stay informed of new updates and trainings. [Learn more about Organizational messages in Windows Endpoint Manager](/mem/intune/remote-actions/custom-notifications).
+
+## Appendix
+
+### Messages Localization supported
+
+| Languages | Locale |
+|-||
+| Arabic | ar |
+| Bulgarian | bg |
+| Chinese (Simplified) | zh-cn |
+| Chinese (Traditional) | zh-tw |
+| Croatian | hr |
+| Czech | cs |
+| Danish | da |
+| Dutch | nl |
+| English (United States) | en |
+| Estonian | et |
+| Finnish | fi |
+| French (France) | fr |
+| German | de |
+| Greek | el |
+| Hebrew | he |
+| Hungarian | hu |
+| Indonesian | id |
+| Italian | it |
+| Japanese | ja |
+| Korean | ko |
+| Latvian | lv |
+| Lithuanian | lt |
+| Norwegian (Bokmål) | no |
+| Polish | pl |
+| Portuguese (Brazil) | pt-br |
+| Portuguese (Portugal) | pt-pt |
+| Romanian | ro |
+| Russian | ru |
+| Serbian (Latin) | sr |
+| Slovak | sk |
+| Slovenian | sl |
+| Spanish (Spain) | es |
+| Swedish | sv |
+| Thai | th |
+| Turkish | tr |
+| Ukrainian | uk |
+| Vietnamese | vi |
+| Catalan | ca |
+| Basque | eu |
+| Galician | gl |
+| Serbian (Cyrillic) RS | sr-Cyrl |
+
+## Related content
+
+[Microsoft 365 apps health ΓÇô Technology experiences](apps-health.md) (article)\
+[Content collaboration ΓÇô People experiences](content-collaboration.md) (article)\
+[Meetings ΓÇô People experiences](meetings.md) (article)\
+[Mobility ΓÇô People experiences](mobility.md) (article)\
+[Privacy controls for Adoption Score](privacy.md) (article)\
+[Teamwork ΓÇô People experiences](teamwork.md) (article)
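Review bot: The note under "Track the status of the messages and user engagement" limits that capability to "Product admins, report reader roles, and user success specialists who have reader permissions", while "Who can use the feature?" lists only Global administrator and Organizational message writer, so a reader cannot tell which role is needed to view message reporting. State which roles can create and schedule messages and which can only read the reports, and name the portal where the **Roles** > **Role assignments** steps are carried out. Smaller points in the same file: the status list reads "Draft/Scheduled/Active/Scheduled/Canceled/Completed/Error" with "Scheduled" twice; the appendix table delimiter row is `|-||`, which will not render as a two-column table; apostrophes and dashes show up as "ΓÇÖ" and "ΓÇô" throughout, which points to an encoding problem; and the numbered lists mix `1)` and `1.` styles.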
compliance Deploy Scanner https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/deploy-scanner.md
ms.localizationpriority: normal
- purview-compliance - tier3
-description: Learn how the scanner from Microsoft Purview Information Protection can discover, classify, and protect files on data stores.
+description: Learn how the on-premises scanner from Microsoft Purview Information Protection can discover, classify, and protect files on data stores.
# Learn about the information protection scanner
-Use the information in this section to learn about the Microsoft Purview information protection scanner, and then how to successfully install, configure, run and if necessary, troubleshoot it.
+Use the information in this section to learn about the Microsoft Purview Information Protection scanner, and then how to successfully install, configure, run and if necessary, troubleshoot it.
-The scanner runs as a service on Windows Server and lets you discover, classify, and protect files on the following data stores:
+This scanner runs as a service on Windows Server and lets you discover, classify, and protect files on the following data stores:
- **UNC paths** for network shares that use the SMB or NFS (Preview) protocols.
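Review bot: The new description says "on-premises scanner", but the body sentence changed in the same hunk still calls it "the Microsoft Purview Information Protection scanner" with no on-premises qualifier, so the two no longer match. Use one name in both places. In that same sentence, "run and if necessary, troubleshoot it" needs a comma before "and" to pair with the one after "necessary".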
compliance How Smtp Dane Works https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/how-smtp-dane-works.md
description: "Learn how SMTP DNS-based Authentication of Named Entities (DANE) w
# How SMTP DNS-based Authentication of Named Entities (DANE) works
-The SMTP protocol is the main protocol used to transfer messages between mail servers and is, by default, not secure. The Transport Layer Security (TLS) protocol was introduced years ago to support encrypted transmission of messages over SMTP. ItΓÇÖs commonly used opportunistically rather than as a requirement, leaving much email traffic in clear text, vulnerable to interception by nefarious actors. Furthermore, SMTP determines the IP addresses of destination servers through the public DNS infrastructure, which is susceptible to spoofing and Man-in-the-Middle (MITM) attacks. This has led to many new standards being created to increase security for sending and receiving email, one of those is DNS-based Authentication of Named Entities (DANE).
+The SMTP protocol is the main protocol used to transfer messages between mail servers and is, by default, not secure. The Transport Layer Security (TLS) protocol was introduced years ago to support encrypted transmission of messages over SMTP. ItΓÇÖs commonly used opportunistically rather than as a requirement, leaving much email traffic in clear text, vulnerable to interception by nefarious actors. Furthermore, SMTP determines the IP addresses of destination servers through the public DNS infrastructure, which is susceptible to spoofing and Man-in-the-Middle (MITM) attacks. This vulnerability has led to many new standards being created to increase security for sending and receiving email, one of those standards being DNS-based Authentication of Named Entities (DANE).
-DANE for SMTP [RFC 7672](https://tools.ietf.org/html/rfc7672) uses the presence of a Transport Layer Security Authentication (TLSA) record in a domain's DNS record set to signal a domain and its mail server(s) support DANE. If there is no TLSA record present, DNS resolution for mail flow will work as usual without any DANE checks being attempted. The TLSA record securely signals TLS support and publishes the DANE policy for the domain. So, sending mail servers can successfully authenticate legitimate receiving mail servers using SMTP DANE. This makes it resistant to downgrade and MITM attacks. DANE has direct dependencies on DNSSEC, which works by digitally signing records for DNS lookups using public key cryptography. DNSSEC checks occur on recursive DNS resolvers, the DNS servers that make DNS queries for clients. DNSSEC ensures that DNS records aren't tampered with and are authentic.
+DANE for SMTP [RFC 7672](https://tools.ietf.org/html/rfc7672) uses the presence of a Transport Layer Security Authentication (TLSA) record in a domain's DNS record set to signal a domain and its mail server(s) support DANE. If there's no TLSA record present, DNS resolution for mail flow will work as usual without any DANE checks being attempted. The TLSA record securely signals TLS support and publishes the DANE policy for the domain. So, sending mail servers can successfully authenticate legitimate receiving mail servers using SMTP DANE. This authentication makes it resistant to downgrade and MITM attacks. DANE has direct dependencies on DNSSEC, which works by digitally signing records for DNS lookups using public key cryptography. DNSSEC checks occur on recursive DNS resolvers, the DNS servers that make DNS queries for clients. DNSSEC ensures that DNS records aren't tampered with and are authentic.
Once the MX, A/AAAA and DNSSEC-related resource records for a domain are returned to the DNS recursive resolver as DNSSEC authentic, the sending mail server will ask for the TLSA record corresponding to the MX host entry or entries. If the TLSA record is present and proven authentic using another DNSSEC check, the DNS recursive resolver will return the TLSA record to the sending mail server.
-After receiving the authentic TLSA record, the sending mail server establishes an SMTP connection to the MX host associated with the authentic TLSA record. The sending mail server will try to set up TLS and compare the server's TLS certificate with the data in the TLSA record to validate that the destination mail server connected to the sender is the legitimate receiving mail server. The message will be transmitted (using TLS) if authentication succeeds. When authentication fails or if TLS isn't supported by the destination server, Exchange Online will retry the entire validation process beginning with a DNS query for the same destination domain again after 15 minutes, then 15 minutes after that, then every hour for the next 24 hours. If authentication continues to fail after 24 hours of retrying, the message will expire and an NDR with error details will be generated and sent to the sender.
+After the authentic TLSA record is received, the sending mail server establishes an SMTP connection to the MX host associated with the authentic TLSA record. The sending mail server will try to set up TLS and compare the server's TLS certificate with the data in the TLSA record to validate that the destination mail server connected to the sender is the legitimate receiving mail server. The message will be transmitted (using TLS) if authentication succeeds. When authentication fails or if TLS isn't supported by the destination server, Exchange Online will retry the entire validation process beginning with a DNS query for the same destination domain again after 15 minutes, then 15 minutes after that, then every hour for the next 24 hours. If authentication continues to fail after 24 hours of retrying, the message will expire, and an NDR with error details will be generated and sent to the sender.
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
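Review bot: In the rewritten sentence "This authentication makes it resistant to downgrade and MITM attacks", "it" has no clear antecedent, because the preceding sentence is about sending mail servers authenticating receiving mail servers. Name the subject, for example "makes mail delivery resistant to downgrade and MITM attacks". The new ending of the first paragraph, "one of those standards being DNS-based Authentication of Named Entities (DANE)", would also read better as its own sentence.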
After receiving the authentic TLSA record, the sending mail server establishes a
### TLSA Resource Record
-The TLS Authentication (TLSA) record is used to associate a server's X.509 certificate or public key value with the domain name that contains the record. TLSA records can only be trusted if DNSSEC is enabled on your domain. If you're using a DNS provider to host your domain, this may be a setting offered when configuring a domain with them. To learn more about DNSSEC zone signing, visit this link: [Overview of DNSSEC | Microsoft Docs](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj200221(v=ws.11)).
+The TLS Authentication (TLSA) record is used to associate a server's X.509 certificate or public key value with the domain name that contains the record. TLSA records can only be trusted if DNSSEC is enabled on your domain. If you're using a DNS provider to host your domain, the DNSSEC may be a setting offered when configuring a domain with them. To learn more about DNSSEC zone signing, visit this link: [Overview of DNSSEC | Microsoft Docs](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj200221(v=ws.11)).
Example TLSA record:
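Review bot: "the DNSSEC may be a setting offered" in the TLSA Resource Record paragraph reads awkwardly with the article; "DNSSEC may be a setting offered when configuring a domain with them" says the same thing. The "Overview of DNSSEC" link in the same line points at a previous-versions Windows Server 2012 path, so confirm it is still the intended reference.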
In the example TLSA record, the Selector Field is set to '1' so the Certificate
|Value|Acronym|Description| |||| |0|Full|The data in the TSLA record is the full certificate or SPKI.|
-|1|SHA-256|The data in the TSLA record is a SHA-256 hash of either the certificate or the SPKI.|
-|2|SHA-512|The data in the TSLA record is a SHA-512 hash of either the certificate or the SPKI.|
+|1|SHA-256|The data in the TSLA record is an SHA-256 hash of either the certificate or the SPKI.|
+|2|SHA-512|The data in the TSLA record is an SHA-512 hash of either the certificate or the SPKI.|
-In the example TLSA record, the Matching Type Field is set to '1' so the Certificate Association Data is a SHA-256 hash of the Subject Public Key Info from the destination server certificate
+In the example TLSA record, the Matching Type Field is set to '1' so the Certificate Association Data is an SHA-256 hash of the Subject Public Key Info from the destination server certificate
**Certificate Association Data**: Specifies the certificate data that is used for matching against the destination server certificate. This data depends on the Selector Field value and the Matching Type Value.
-In the example TLSA record, the Certificate Association data is set to 'abc123..xyz789'. Since the Selector Field value in the example is set to '1', it would reference the destination server certificate's public key and the algorithm that is identified to be used with it. And since the Matching Type field value in the example is set to '1', it would reference the SHA-256 hash of the Subject Public Key Info from the destination server certificate.
+In the example TLSA record, the Certificate Association data is set to 'abc123..xyz789'. Since the Selector Field value in the example is set to '1', it would reference the destination server certificate's public key and the algorithm that's identified to be used with it. And since the Matching Type field value in the example is set to '1', it would reference the SHA-256 hash of the Subject Public Key Info from the destination server certificate.
## How can Exchange Online customers use SMTP DANE Outbound?
-As an Exchange Online customer, there isn't anything you need to do to configure this enhanced email security for your outbound email. This is something we have built for you and it is on by default for all Exchange Online customers and is used when the destination domain advertises support for DANE. To reap the benefits of sending email with DNSSEC and DANE checks, communicate to your business partners with whom you exchange email that they need to implement DNSSEC and DANE so they can receive email using these standards.
+As an Exchange Online customer, there isn't anything you need to do to configure this enhanced email security for your outbound email. This enhanced email security is something we have built for you and it's ON by default for all Exchange Online customers and is used when the destination domain advertises support for DANE. To reap the benefits of sending email with DNSSEC and DANE checks, communicate to your business partners with whom you exchange email that they need to implement DNSSEC and DANE so they can receive email using these standards.
## How can Exchange Online customers use SMTP DANE inbound?
-Currently, inbound SMTP DANE isn't supported for Exchange Online. Support is anticipated to be released at the end of 2022.
+Currently, inbound SMTP DANE isn't supported for Exchange Online. Support is expected to be released at the end of 2022.
## What is the recommended TLSA record configuration?
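Review bot: The Matching Type table rows edited here still spell the record type "TSLA" ("The data in the TSLA record is an SHA-256 hash ..."), as does the unchanged row for value 0; all three should read "TLSA". Since the rows are already being touched for the article change, fix the spelling in the same commit. The changed Matching Type sentence also ends without a period ("... from the destination server certificate"), and "Support is expected to be released at the end of 2022" is a dated statement that will need a follow-up edit once that date passes.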
Currently, there are four error codes for DANE when sending emails with Exchange
|NDR Code|Description| |||
-|5.7.321|starttls-not-supported: Destination mail server must support TLS to receive mail.|
-|5.7.322|certificate-expired: Destination mail server's certificate is expired.|
-|5.7.323|tlsa-invalid: The domain failed DANE validation.|
-|5.7.324|dnssec-invalid: Destination domain returned invalid DNSSEC records.|
+|4/5.7.321|starttls-not-supported: Destination mail server must support TLS to receive mail.|
+|4/5.7.322|certificate-expired: Destination mail server's certificate is expired.|
+|4/5.7.323|tlsa-invalid: The domain failed DANE validation.|
+|4/5.7.324|dnssec-invalid: Destination domain returned invalid DNSSEC records.|
> [!NOTE] > Currently, when a domain signals that it supports DNSSEC but fails DNSSEC checks, Exchange Online does not generate the 4/5.7.324 dnssec-invalid error. It generates a generic DNS error: > > `4/5.4.312 DNS query failed` >
-> We are actively working to remedy this known limitation. If you recieve this error statement,
+> We are actively working to remedy this known limitation. If you receive this error statement,
navigate to the Microsoft Remote Connectivity Analyzer and perform the DANE validation test against the domain that generated the 4/5.4.312 error. The results will show if it is a DNSSEC issue or a different DNS issue.
-### Troubleshooting 5.7.321 starttls-not-supported
+### Troubleshooting 4/5.7.321 starttls-not-supported
-This usually indicates an issue with the destination mail server. After receiving the message:
+This error usually indicates an issue with the destination mail server. After receiving the message:
1. Check that the destination email address was entered correctly. 2. Alert the destination email administrator that you received this error code so they can determine if the destination server is configured correctly to receive messages using TLS. 3. Retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.
-### Troubleshooting 5.7.322 certificate-expired
+### Troubleshooting 4/5.7.322 certificate-expired
A valid X.509 certificate that hasn't expired must be presented to the sending email server. X.509 certificates must be renewed after their expiration, commonly annually. After receiving the message: 1. Alert the destination email administrator that you received this error code and provide the error code string. 2. Allow time for the destination server certificate to be renewed and the TLSA record to be updated to reference the new certificate. Then, retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.
-### Troubleshooting 5.7.323 tlsa-invalid
+### Troubleshooting 4/5.7.323 tlsa-invalid
This error code is related to a TLSA record misconfiguration and can only be generated after a DNSSEC-authentic TLSA record has been returned. There are many scenarios during the DANE validation that occur after the record has been returned that can result in the code being generated. Microsoft is actively working on the scenarios that are covered by this error code, so that each scenario has a specific code. Currently, one or more of these scenarios could cause the generation of the error code:
After receiving the message:
1. Alert the destination email administrator that you received this error code and provide them the error code string. 2. Allow time for the destination email admin to review their DANE configuration and email server certificate validity. Then, retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.
-### Troubleshooting 5.7.324 dnssec-invalid
+### Troubleshooting 4/5.7.324 dnssec-invalid
This error code is generated when the destination domain indicated it was DNSSEC-authentic but Exchange Online wasn't able to verify it as DNSSEC-authentic.
Example record:
:::image type="content" source="../media/compliance-trial/example-record.png" alt-text="Example record" lightbox="../media/compliance-trial/example-record.png":::
-The second method is to use the Remote Connectivity Analyzer [Microsoft Remote Connectivity Analyzer](https://testconnectivity.microsoft.com/tests/o365), which can do the same DNSSEC and DANE checks against your DNS configuration that Exchange Online will do when sending email outside the service. This is the most direct way of troubleshooting errors in your configuration to receive email from Exchange Online using these standards.
+The second method is to use the Remote Connectivity Analyzer [Microsoft Remote Connectivity Analyzer](https://testconnectivity.microsoft.com/tests/o365), which can do the same DNSSEC and DANE checks against your DNS configuration that Exchange Online will do when sending email outside the service. This method is the most direct way of troubleshooting errors in your configuration to receive email from Exchange Online using these standards.
-When troubleshooting, the below error codes may be generated:
+When errors are being troubleshooted, the below error codes may be generated:
|NDR Code|Description| |||
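Review bot: The NDR table rows and the troubleshooting headings now read "4/5.7.321" through "4/5.7.324", but nothing in the changed lines says what the "4/5" prefix means; add one sentence before the table explaining how to read the code. The replacement line "When errors are being troubleshooted, the below error codes may be generated" is harder to read than the one it replaces; "When troubleshooting, the following error codes may be generated" keeps the meaning.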
When troubleshooting, the below error codes may be generated:
> > `4/5.4.312 DNS query failed` >
-> We are actively working to remedy this known limitation. If you recieve this error statement,
+> We are actively working to remedy this known limitation. If you receive this error statement,
navigate to the Microsoft Remote Connectivity Analyzer and perform the DANE validation test against the domain that generated the 4/5.4.312 error. The results will show if it is a DNSSEC issue or a different DNS issue.
-### Troubleshooting 5.7.321 starttls-not-supported
+### Troubleshooting 4/5.7.321 starttls-not-supported
> [!NOTE] > These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.
-This usually indicates an issue with the destination mail server. The mail server that the Remote Connectivity Analyzer is testing connecting with. There are generally two scenarios that generate this code:
+This error usually indicates an issue with the destination mail server. The mail server that the Remote Connectivity Analyzer is testing connecting with. There are generally two scenarios that generate this code:
1. The destination mail server doesn't support secure communication at all, and plain, non-encrypted communication must be used. 2. The destination server is configured improperly and ignores the STARTTLS command.
After receiving the message:
3. Check your mail server's setting to make sure it's configured to listen for SMTP traffic (commonly ports 25 and 587). 4. Wait a few minutes, then retry the test with the Remote Connectivity Analyzer tool. 5. If it still fails, then try removing the TLSA record and run the test with the Remote Connectivity Analyzer tool again.
-6. If there are no failures, this may indicate the mail server you're using to receive mail doesn't support STARTTLS and you may need to upgrade to one that does in order to use DANE.
+6. If there are no failures, this message may indicate the mail server you're using to receive mail doesn't support STARTTLS and you may need to upgrade to one that does in order to use DANE.
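Review bot: In step 6, "this message" has no clear referent: the sentence opens with "If there are no failures", so at that point there is no message to refer to. "this result may indicate" would read correctly, or name the original 4/5.7.321 error explicitly.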
-### Troubleshooting 5.7.322 certificate-expired
+### Troubleshooting 4/5.7.322 certificate-expired
> [!NOTE] > These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.
After receiving the message:
A valid X.509 certificate that hasn't expired must be presented to the sending email server. X.509 certificates must be renewed after their expiration, commonly annually. After receiving the message: 1. Check the IP that is associated with the error statement, so you can identify the mail server it's associated with. Locate the expired certificate on the email server you identified.
-2. Log in to your certificate provider's website.
+2. Sign in to your certificate provider's website.
3. Select the expired certificate and follow the instructions to renew and to pay for the renewal. 4. After your provider has verified the purchase, you may download a new certificate. 5. Install the renewed certificate into its associated mail server. 6. Update the mail server's associated TLSA record with the new certificate's data. 7. After waiting an appropriate amount of time, retry the test with the Remote Connectivity Analyzer tool.
-### Troubleshooting 5.7.323 tlsa-invalid
+### Troubleshooting 4/5.7.323 tlsa-invalid
> [!NOTE] > These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.
After receiving the message:
1. If you have to make any updates to the record for discrepancies, then wait a few minutes then rerun the test with the Remote Connectivity Analyzer tool. 4. Locate the certificate on the identified mail server. 5. Check the time window for which the certificate is valid. If it's set to start validity at a future date, it needs to be renewed for the current date.
- 1. Log in to your certificate provider's website.
+ 1. Sign in to your certificate provider's website.
2. Select the expired certificate and follow the instructions to renew and to pay for the renewal. 3. After your provider has verified the purchase, you may download a new certificate. 4. Install the renewed certificate into its associated mail server.
-### Troubleshooting 5.7.324 dnssec-invalid
+### Troubleshooting 4/5.7.324 dnssec-invalid
> [!NOTE] > These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.
After receiving the message:
1. If you're using a DNS provider, for example GoDaddy, alert your DNS provider of the error so they can work on the troubleshooting and configuration change. 2. If you're managing your own DNSSEC infrastructure, there are many DNSSEC misconfigurations that may generate this error message. Some common problems to check for if your zone was previously passing DNSSEC authentication:
- 1. Broken trust chain, when the parent zone holds a set of DS records that point to something that doesn't exist in the child zone. This results in the child zone being marked as bogus by validating resolvers.
+ 1. Broken trust chain, when the parent zone holds a set of DS records that point to something that doesn't exist in the child zone. Such pointers by DS records can result in the child zone being marked as bogus by validating resolvers.
- Resolve by reviewing the child domains RRSIG key IDs and ensuring that they match with the key IDs in the DS records published in the parent zone. 2. RRSIG resource record for the domain isn't time valid, it has either expired or its validity period hasn't begun. - Resolve by generating new signatures for the domain using valid timespans.
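Review bot: The replacement sentence "Such pointers by DS records can result in the child zone being marked as bogus by validating resolvers." is harder to read than the line it replaces. It also changes "results in" to "can result in", so confirm that the softening is intended. Something like "This mismatch results in the child zone being marked as bogus by validating resolvers." keeps an explicit subject without the awkward "pointers by DS records".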
+> [!NOTE]
+> This error code is also generated if Exchange Online receives SERVFAIL response from DNS server on TLSA query for the destination domain.
+
+When an outbound email is being sent, if the receiving domain has DNSSEC enabled, we query for TLSA records associated with MX entries in the domain. If no TLSA record is published, the response to the TLSA lookup must be NOERROR (no records of requested type for this domain) or NXDOMAIN (there's no such domain). DNSSEC requires this response if no TLSA record is published; otherwise, Exchange Online interprets the lack of response as a SERVFAIL error. As per [RFC 7672](https://tools.ietf.org/html/rfc7672), a SERVFAIL response is untrustworthy; so, the destination domain fails DNSSEC validation. This email is then deferred with the following error:
+
+`450 4.7.324 dnssec-invalid: Destination domain returned invalid DNSSEC records`
+
+### If the email sender reports receipt of the message
+
+If you're using a DNS provider, for example, GoDaddy, alert your DNS provider of the error so that they can troubleshoot the DNS response. If you're managing your own DNSSEC infrastructure, it could be an issue with the DNS server itself or with the network.
+ ## Frequently Asked Questions ### As an Exchange Online customer, can I opt out of using DNSSEC and/or DANE?
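Review bot: The new note and the paragraph under it describe the trigger differently: the note says the code is generated when Exchange Online "receives SERVFAIL response", while the paragraph says Exchange Online "interprets the lack of response as a SERVFAIL error". State explicitly whether a timeout or missing answer to the TLSA query is treated the same as an actual SERVFAIL, so an administrator knows which of the two to look for on the DNS side. The new heading "### If the email sender reports receipt of the message" is also ambiguous about which message is meant, and it sits at the same level as the "Troubleshooting 4/5.7.324 dnssec-invalid" heading it belongs under.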
-We strongly believe DNSSEC and DANE will significantly increase the security position of our service and benefit all of our customers. We've worked diligently over the last year to reduce the risk and severity of the potential impact this deployment might have for M365 customers. We'll be actively monitoring and tracking the deployment to ensure negative impact is minimized as it rolls out. Because of this, tenant-level exceptions or opt-out won't be available.
+We strongly believe DNSSEC and DANE will significantly increase the security position of our service and benefit all of our customers. We've worked diligently over the last year to reduce the risk and severity of the potential impact this deployment might have for Microsoft 365 customers. We'll be actively monitoring and tracking the deployment to ensure negative impact is minimized as it rolls out. Because of this, tenant-level exceptions or opt-out won't be available.
If you experience any issues related to the enablement of DNSSEC and/or DANE, the different methods for investigating failures noted in this document will help you identify the source of the error. In most cases, the issue will be with the external destination party and you'll need to communicate to these business partners that they need to correctly configure DNSSEC and DANE in order to receive email from Exchange Online using these standards. ### How does DNSSEC relate to DANE?
-DNSSEC adds a layer of trust into DNS resolution by leveraging the public key infrastructure to ensure the records returned in response to a DNS query are authentic. DANE ensures that the receiving mail server is the legitimate and expected mail server for the authentic MX record.
+DNSSEC adds a layer of trust into DNS resolution by applying the public key infrastructure to ensure the records returned in response to a DNS query are authentic. DANE ensures that the receiving mail server is the legitimate and expected mail server for the authentic MX record.
### What is the difference between MTA-STS and DANE for SMTP?
DANE and MTA-STS serve the same purpose, but DANE requires DNSSEC for DNS authen
### Why isn't Opportunistic TLS sufficient?
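Review bot: "applying the public key infrastructure" in the reworded DNSSEC answer reads as though DNSSEC relies on one specific PKI. Consider "by using public key cryptography to ensure the records returned in response to a DNS query are authentic", which still drops "leveraging" and describes the mechanism more precisely.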
-Opportunistic TLS will encrypt communication between two endpoints if both agree to support it. However, even if TLS encrypts the transmission, a domain could be spoofed during DNS resolution such that it points to a malicious actor's endpoint instead of the real endpoint for the domain. This is a gap in email security that is addressed by implementing MTA-STS and/or SMTP DANE with DNSSEC.
+Opportunistic TLS will encrypt communication between two endpoints if both agree to support it. However, even if TLS encrypts the transmission, a domain could be spoofed during DNS resolution such that it points to a malicious actor's endpoint instead of the real endpoint for the domain. This spoof is a gap in email security that is addressed by implementing MTA-STS and/or SMTP DANE with DNSSEC.
### Why isn't DNSSEC sufficient?
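Review bot: "This spoof is a gap in email security" changes the meaning of the sentence: the gap is that opportunistic TLS does not authenticate the endpoint that DNS resolution returned, not the spoof itself. If the goal is to avoid a bare "This", try "This exposure to DNS spoofing is a gap in email security that is addressed by implementing MTA-STS and/or SMTP DANE with DNSSEC."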
enterprise Cross Tenant Onedrive Migration Step5 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-onedrive-migration-step5.md
Users and groups are included in the same file. Depending on whether it's a user
:::image type="content" source="../media/cross-tenant-migration/t2t-onedrive-csv-mapping-users-guests.png" alt-text="csv example when mapping a guest to a member":::
-*Example of multiple users in CSV file:* </br>
+
+**Multiple users and groups in a CSV file:** </br>
+
+*Example:*
:::image type="content" source="../media/cross-tenant-migration/t2t-onedrive-migration-csv-users-groups.png" alt-text="example of both users and groups in mapping file":::
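Review bot: The new bold line "**Multiple users and groups in a CSV file:** </br>" keeps the "</br>" from the line it replaces, which is a closing tag for an element that has none. Use "<br>" or drop it entirely, since the added blank lines already separate the title, the "Example:" label and the image.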
Get-SPOCrossTenantCompatibilityStatus ΓÇôPartnerCrossTenantHostURL https://m365x
- If the tenants are incompatible, your tenants will need to be patched/updated to ensure compatibility. >[!Note]
->We recommend waiting a period of 24-hours. If your tenants are still reporting as *incompatible*, contact support.
+>We recommend waiting a period of 48 hours. If your tenants are still reporting as *incompatible*, contact support.
>[!Note] >We recommend performing the compatibility status check on a frequent basis and prior to starting ANY instances of cross tenant migrations. If the tenants are not compatible, this can result in cross-tenant migrations failing.
enterprise Cross Tenant Onedrive Migration Step6 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-onedrive-migration-step6.md
Before starting the migration, the users current source OneDrive status will be
## Cancelling a OneDrive migration
-You can stop the cross-tenant migration of a user's OneDrive by using the following command, provided the migration isn't In Progress or Success status.
+You can stop the cross-tenant migration of a user's OneDrive by using the following command, provided the migration doesn't have a status of *In Progress*, *Rescheduled* or *Success*.
```powershell
enterprise Move Onedrive Between Geo Locations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/move-onedrive-between-geo-locations.md
You can schedule OneDrive site moves in advance (described later in this article
- You can schedule up to 4,000 moves at a time. - As the moves begin, you can schedule more, with a maximum of 4,000 pending moves in the queue and any given time.-- The maximum size of a OneDrive that can be moved is 1 terabyte (1 TB).
+- The maximum size of a OneDrive that can be moved is 2 terabytes (2 TB).
## Moving a OneDrive site
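Review bot: The bullet just above the changed one still reads "with a maximum of 4,000 pending moves in the queue and any given time"; "and" should be "at", and it is worth fixing while this list is being edited. With the size limit now stated as 2 TB here, check the rest of the article for any remaining mention of the 1 TB limit so the two do not disagree.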
enterprise Urls And Ip Address Ranges 21Vianet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/urls-and-ip-address-ranges-21vianet.md
Title: "URLs and IP address ranges for Office 365 operated by 21Vianet"
Previously updated : 07/28/2022 Last updated : 10/31/2022 audience: ITPro
hideEdit: true
**Office 365 endpoints:** [Worldwide (including GCC)](urls-and-ip-address-ranges.md) | *Office 365 operated by 21 Vianet* | [Office 365 U.S. Government DoD](microsoft-365-u-s-government-dod-endpoints.md) | [Office 365 U.S. Government GCC High](microsoft-365-u-s-government-gcc-high-endpoints.md) |
-**Last updated:** 07/28/2022 - ![RSS.](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/China?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)
+**Last updated:** 10/31/2022 - ![RSS.](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/China?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)
**Download:** all required and optional destinations in one [JSON formatted](https://endpoints.office.com/endpoints/China?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) list.
enterprise Urls And Ip Address Ranges https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/urls-and-ip-address-ranges.md
Title: "Office 365 URLs and IP address ranges"
Previously updated : 09/29/2022 Last updated : 10/31/2022 audience: Admin
Office 365 requires connectivity to the Internet. The endpoints below should be
|Notes|Download|Use| ||||
-|**Last updated:** 09/29/2022 - ![RSS.](../medi#pacfiles)|
+|**Last updated:** 10/31/2022 - ![RSS.](../medi#pacfiles)|
| Start with [Managing Office 365 endpoints](managing-office-365-endpoints.md) to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This cadence allows for customers who don't yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you're using a script or a network device to access this data, you should go to the [Web service](microsoft-365-ip-web-service.md) directly.
includes Microsoft 365 Content Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-content-updates.md
<!-- This file is generated automatically each week. Changes made to this file will be overwritten.-->---
-## Week of September 19, 2022
--
-| Published On |Topic title | Change |
-|||--|
-| 9/19/2022 | [Increase Classifier Accuracy](/microsoft-365/compliance/data-classification-increase-accuracy?view=o365-worldwide) | added |
-| 9/19/2022 | [Built-in protection helps guard against ransomware](/microsoft-365/security/defender-endpoint/built-in-protection?view=o365-worldwide) | added |
-| 9/19/2022 | [Data Loss Prevention policy reference](/microsoft-365/compliance/dlp-policy-reference?view=o365-worldwide) | modified |
-| 9/19/2022 | [Microsoft Purview insider risk solutions](/microsoft-365/compliance/insider-risk-solution-overview?view=o365-worldwide) | modified |
-| 9/19/2022 | [Overview - Advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide) | modified |
-| 9/19/2022 | [Choose Microsoft Purview Information Protection built-in labeling for Office apps over the Azure Information Protection (AIP) add-in](/microsoft-365/compliance/sensitivity-labels-aip?view=o365-worldwide) | modified |
-| 9/19/2022 | [Manage sensitivity labels in Office apps](/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-worldwide) | modified |
-| 9/20/2022 | Email collaboration | removed |
-| 9/20/2022 | [Bookings with me](/microsoft-365/bookings/bookings-in-outlook?view=o365-worldwide) | modified |
-| 9/20/2022 | [What's new in Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score-whats-new?view=o365-worldwide) | modified |
-| 9/20/2022 | [Manage submissions](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide) | modified |
-| 9/20/2022 | [Detect and remediate the Outlook rules and custom forms injections attacks.](/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide) | modified |
-| 9/20/2022 | Security Incident Response | removed |
-| 9/20/2022 | Office 365 Security overview, Microsoft Defender for Office 365, EOP, MSDO | removed |
-| 9/20/2022 | Reporting and message trace | removed |
-| 9/20/2022 | Smart reports and insights | removed |
-| 9/20/2022 | Security dashboard overview | removed |
-| 9/20/2022 | Microsoft 365 security roadmap - Top priorities | removed |
-| 9/20/2022 | [User-reported email settings for spam, phish, as malicious mail](/microsoft-365/security/office-365-security/user-submission?view=o365-worldwide) | modified |
-| 9/20/2022 | [Delete a booking calendar](/microsoft-365/bookings/delete-calendar?view=o365-worldwide) | modified |
-| 9/20/2022 | [Use communication compliance reports and audits](/microsoft-365/compliance/communication-compliance-reports-audits?view=o365-worldwide) | modified |
-| 9/20/2022 | [Configure permissions filtering for eDiscovery](/microsoft-365/compliance/permissions-filtering-for-content-search?view=o365-worldwide) | modified |
-| 9/20/2022 | [What's new in Microsoft Purview risk and compliance solutions](/microsoft-365/compliance/whats-new?view=o365-worldwide) | modified |
-| 9/20/2022 | [Configure Microsoft Defender for Endpoint risk signals using App Protection Policies (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam?view=o365-worldwide) | modified |
-| 9/20/2022 | [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](/microsoft-365/security/defender-endpoint/android-intune?view=o365-worldwide) | modified |
--
-## Week of September 12, 2022
--
-| Published On |Topic title | Change |
-|||--|
-| 9/12/2022 | [Learn about and configure insider risk management browser signal detection](/microsoft-365/compliance/insider-risk-management-browser-support?view=o365-worldwide) | modified |
-| 9/12/2022 | [Insider risk management policies](/microsoft-365/compliance/insider-risk-management-policies?view=o365-worldwide) | modified |
-| 9/12/2022 | [Insider risk management settings](/microsoft-365/compliance/insider-risk-management-settings?view=o365-worldwide) | modified |
-| 9/12/2022 | [Learn about insider risk management](/microsoft-365/compliance/insider-risk-management?view=o365-worldwide) | modified |
-| 9/12/2022 | [Add users and assign licenses in Microsoft 365](/microsoft-365/admin/add-users/add-users?view=o365-worldwide) | modified |
-| 9/12/2022 | Create, edit, or delete a custom user view | removed |
-| 9/12/2022 | Resend a user's password - Admin Help | removed |
-| 9/12/2022 | [Reset passwords](/microsoft-365/admin/add-users/reset-passwords?view=o365-worldwide) | modified |
-| 9/12/2022 | Turn off strong password requirements for users | removed |
-| 9/12/2022 | How to get help in the Microsoft 365 admin center | removed |
-| 9/12/2022 | [Basic Mobility and Security frequently-asked questions (FAQ)](/microsoft-365/admin/basic-mobility-security/frequently-asked-questions?view=o365-worldwide) | modified |
-| 9/12/2022 | Get details about Basic Mobility and Security managed devices | removed |
-| 9/12/2022 | [Manage device access settings in Basic Mobility and Security](/microsoft-365/admin/basic-mobility-security/manage-device-access-settings?view=o365-worldwide) | modified |
-| 9/12/2022 | Troubleshoot Basic Mobility and Security | removed |
-| 9/12/2022 | Empower your small business with remote work | removed |
-| 9/12/2022 | [Use sensitivity labels to configure the default sharing link type](/microsoft-365/compliance/sensitivity-labels-default-sharing-link?view=o365-worldwide) | modified |
-| 9/12/2022 | [Configure Microsoft Defender for Endpoint on iOS features](/microsoft-365/security/defender-endpoint/ios-configure-features?view=o365-worldwide) | modified |
-| 9/12/2022 | [App-based deployment for Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-install?view=o365-worldwide) | modified |
-| 9/12/2022 | [Microsoft Defender for Endpoint - Mobile Threat Defense](/microsoft-365/security/defender-endpoint/mtd?view=o365-worldwide) | modified |
-| 9/13/2022 | [Microsoft 365 admin center katakana glossary](/microsoft-365/admin/m365_glossary?view=o365-worldwide) | added |
-| 9/13/2022 | [Microsoft 365 admin center help # < 60 chars](/microsoft-365/admin/index?view=o365-worldwide) | modified |
-| 9/13/2022 | [Microsoft 365 Business Premium resources # < 60 chars](/microsoft-365/business/index?view=o365-worldwide) | modified |
-| 9/13/2022 | [Customize an archive and deletion policy (MRM) for mailboxes](/microsoft-365/compliance/set-up-an-archive-and-deletion-policy-for-mailboxes?view=o365-worldwide) | modified |
-| 9/13/2022 | [Microsoft 365 for frontline workers # < 60 chars](/microsoft-365/frontline/index?view=o365-worldwide) | modified |
-| 9/13/2022 | [Microsoft 365 documentation # < 60 chars](/microsoft-365/index?view=o365-worldwide) | modified |
-| 9/13/2022 | [Onboard devices to Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-onboard-devices?view=o365-worldwide) | modified |
-| 9/13/2022 | [Investigate domains and URLs associated with a Microsoft Defender for Endpoint alert](/microsoft-365/security/defender-endpoint/investigate-domain?view=o365-worldwide) | modified |
-| 9/13/2022 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified |
-| 9/13/2022 | [Microsoft 365 admin center katakana glossary](/microsoft-365/admin/m365_glossary?view=o365-worldwide) | modified |
-| 9/13/2022 | [Planning your portal launch roll-out plan in SharePoint Online](/microsoft-365/enterprise/planportallaunchroll-out?view=o365-worldwide) | modified |
-| 9/13/2022 | [Prepare for directory synchronization to Microsoft 365](/microsoft-365/enterprise/prepare-for-directory-synchronization?view=o365-worldwide) | modified |
-| 9/13/2022 | [Retrieve customer tenant reporting data with Windows PowerShell for DAP partners](/microsoft-365/enterprise/retrieve-customer-tenant-reporting-data-with-windows-powershell-for-delegated-ac?view=o365-worldwide) | modified |
-| 9/13/2022 | [Get started with troubleshooting mode in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode?view=o365-worldwide) | modified |
-| 9/13/2022 | [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 9/14/2022 | [Apply encryption using sensitivity labels](/microsoft-365/compliance/encryption-sensitivity-labels?view=o365-worldwide) | modified |
-| 9/14/2022 | [Attack surface reduction frequently asked questions (FAQ)](/microsoft-365/security/defender-endpoint/attack-surface-reduction-faq?view=o365-worldwide) | modified |
-| 9/14/2022 | [Investigate agent health issues](/microsoft-365/security/defender-endpoint/health-status?view=o365-worldwide) | modified |
-| 9/14/2022 | [Investigate devices in the Defender for Endpoint Devices list](/microsoft-365/security/defender-endpoint/investigate-machines?view=o365-worldwide) | modified |
-| 9/14/2022 | [Onboarding using Microsoft Endpoint Configuration Manager](/microsoft-365/security/defender-endpoint/onboarding-endpoint-configuration-manager?view=o365-worldwide) | modified |
-| 9/14/2022 | [Deploy and manage Removable Storage Access Control using group policy](/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-group-policy?view=o365-worldwide) | added |
-| 9/14/2022 | [Deploy and manage Removable Storage Access Control using Intune](/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-intune?view=o365-worldwide) | added |
-| 9/14/2022 | [Microsoft Defender for Endpoint Device Control Removable Storage frequently asked questions](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control-faq?view=o365-worldwide) | added |
-| 9/14/2022 | Create and edit Autopilot profiles | removed |
-| 9/14/2022 | Use this step-by-step guide to add Autopilot devices and profile | removed |
-| 9/14/2022 | Set app protection settings for Android or iOS devices | removed |
-| 9/14/2022 | About Autopilot Profile settings | removed |
-| 9/14/2022 | Create and edit Autopilot devices | removed |
-| 9/14/2022 | Enable domain-joined Windows 10 devices to be managed by Microsoft 365 for business | removed |
-| 9/14/2022 | Set up managed devices | removed |
-| 9/14/2022 | [Set up and secure managed devices](/microsoft-365/business-premium/m365bp-protect-devices?view=o365-worldwide) | modified |
-| 9/14/2022 | Edit or set application protection settings for Windows devices | removed |
-| 9/14/2022 | [Microsoft 365 Business Premium - Productivity and security](/microsoft-365/business-premium/m365bp-secure-users?view=o365-worldwide) | modified |
-| 9/14/2022 | Secure Windows devices | removed |
-| 9/14/2022 | [Microsoft 365 Business Premium trial playbook](/microsoft-365/business-premium/m365bp-trial-playbook-microsoft-business-premium?view=o365-worldwide) | modified |
-| 9/14/2022 | Validate app protection settings on Android or iOS devices | removed |
-| 9/14/2022 | Validate app protection settings for Windows 10 PCs | removed |
-| 9/14/2022 | [View or edit device protection policies](/microsoft-365/business-premium/m365bp-view-edit-create-mdb-policies?view=o365-worldwide) | modified |
-| 9/14/2022 | [Cross-tenant mailbox migration](/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide) | modified |
-| 9/14/2022 | [Integrate Microsoft OneDrive LTI with Canvas](/microsoft-365/lti/onedrive-lti?view=o365-worldwide) | modified |
-| 9/14/2022 | [Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-worldwide) | modified |
-| 9/14/2022 | [The Microsoft Defender for Office 365 email entity page](/microsoft-365/security/office-365-security/mdo-email-entity-page?view=o365-worldwide) | modified |
-| 9/14/2022 | [Get started with communication compliance](/microsoft-365/compliance/communication-compliance-configure?view=o365-worldwide) | modified |
-| 9/14/2022 | [Top 10 ways to secure your business](/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide) | modified |
-| 9/14/2022 | [Overview of the Device security page in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-device-security-overview?view=o365-worldwide) | modified |
-| 9/14/2022 | [Compare security features in Microsoft 365 plans for small and medium-sized businesses](/microsoft-365/security/defender-business/compare-mdb-m365-plans?view=o365-worldwide) | modified |
-| 9/14/2022 | [Onboard devices to Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-onboard-devices?view=o365-worldwide) | modified |
-| 9/15/2022 | [Device health Microsoft Defender Antivirus health report](/microsoft-365/security/defender-endpoint/device-health-microsoft-defender-antivirus-health?view=o365-worldwide) | renamed |
-| 9/15/2022 | [Device health reporting in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/device-health-reports?view=o365-worldwide) | added |
-| 9/15/2022 | [Device health Sensor health & OS report](/microsoft-365/security/defender-endpoint/device-health-sensor-health-os?view=o365-worldwide) | added |
-| 9/15/2022 | [Microsoft Defender Antivirus export device antivirus health details API methods and properties](/microsoft-365/security/defender-endpoint/device-health-api-methods-properties?view=o365-worldwide) | modified |
-| 9/15/2022 | Microsoft Defender Antivirus Device Health details API | removed |
-| 9/15/2022 | [Create a SharePoint communications site in Teams with Microsoft 365 for business](/microsoft-365/business-premium/create-communications-site?view=o365-worldwide) | modified |
-| 9/15/2022 | [Maintain your environment](/microsoft-365/business-premium/m365bp-maintain-environment?view=o365-worldwide) | modified |
-| 9/15/2022 | [Trojan malware](/microsoft-365/security/intelligence/trojans-malware?view=o365-worldwide) | modified |
-| 9/15/2022 | [Report spam, non-spam, phishing, suspicious emails and files to Microsoft](/microsoft-365/security/office-365-security/report-junk-email-messages-to-microsoft?view=o365-worldwide) | modified |
-| 9/15/2022 | [Microsoft Purview Compliance Manager templates list](/microsoft-365/compliance/compliance-manager-templates-list?view=o365-worldwide) | modified |
-| 9/16/2022 | [Capabilities of Basic Mobility and Security](/microsoft-365/admin/basic-mobility-security/capabilities?view=o365-worldwide) | modified |
-| 9/16/2022 | [Enhancing mail flow with MTA-STS ](/microsoft-365/compliance/enhancing-mail-flow-with-mta-sts?view=o365-worldwide) | modified |
-| 9/16/2022 | [Get started with the Microsoft Service Trust Portal](/microsoft-365/compliance/get-started-with-service-trust-portal?view=o365-worldwide) | modified |
-| 9/16/2022 | [Customize an archive and deletion policy (MRM) for mailboxes](/microsoft-365/compliance/set-up-an-archive-and-deletion-policy-for-mailboxes?view=o365-worldwide) | modified |
-| 9/16/2022 | [Review architecture requirements and planning concepts for Microsoft Defender for Office 365](/microsoft-365/security/defender/eval-defender-office-365-architecture?view=o365-worldwide) | modified |
-| 9/16/2022 | [Pilot Microsoft Defender for Office 365, use the evaluation in your production environment](/microsoft-365/security/defender/eval-defender-office-365-pilot?view=o365-worldwide) | modified |
-| 9/16/2022 | [Evaluate and pilot Microsoft 365 Defender, an XDR solution](/microsoft-365/security/defender/eval-overview?view=o365-worldwide) | modified |
-| 9/16/2022 | [How-to deploy and configure the report message add-in](/microsoft-365/security/office-365-security/step-by-step-guides/deploy-and-configure-the-report-message-add-in?view=o365-worldwide) | modified |
-| 9/16/2022 | Microsoft Defender Security Center Security operations dashboard | removed |
-| 9/16/2022 | [Try and evaluate Defender for Office 365](/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365?view=o365-worldwide) | modified |
--
-## Week of September 05, 2022
--
-| Published On |Topic title | Change |
-|||--|
-| 9/6/2022 | [About the Microsoft Purview Compliance Manager premium assessment trial](/microsoft-365/compliance/compliance-easy-trials-compliance-manager-assessments?view=o365-worldwide) | modified |
-| 9/6/2022 | [Device health and compliance report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/machine-reports?view=o365-worldwide) | modified |
-| 9/6/2022 | [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 9/6/2022 | [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](/microsoft-365/security/office-365-security/configure-advanced-delivery?view=o365-worldwide) | modified |
-| 9/6/2022 | [Microsoft recommendations for EOP and Defender for Office 365 security settings](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide) | modified |
-| 9/6/2022 | [Choose your scenarios for Microsoft 365 for frontline workers](/microsoft-365/frontline/flw-choose-scenarios?view=o365-worldwide) | modified |
-| 9/6/2022 | [Start with a pilot deployment of Microsoft 365 for frontline workers](/microsoft-365/frontline/flw-pilot?view=o365-worldwide) | modified |
-| 9/6/2022 | [Microsoft 365 for frontline workers - scenario posters](/microsoft-365/frontline/flw-scenario-posters?view=o365-worldwide) | added |
-| 9/6/2022 | [Frontline team collaboration](/microsoft-365/frontline/flw-team-collaboration?view=o365-worldwide) | modified |
-| 9/6/2022 | [Message delegation](/microsoft-365/frontline/hc-delegates?view=o365-worldwide) | modified |
-| 9/6/2022 | [Microsoft 365 for retail organizations](/microsoft-365/frontline/teams-for-retail-landing-page?view=o365-worldwide) | modified |
-| 9/6/2022 | [Get started with Microsoft 365 for healthcare organizations](/microsoft-365/frontline/teams-in-hc?view=o365-worldwide) | modified |
-| 9/6/2022 | [Attack surface reduction rules reporting](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report?view=o365-worldwide) | added |
-| 9/6/2022 | [What's new in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint?view=o365-worldwide) | modified |
-| 9/6/2022 | [Anti-malware protection](/microsoft-365/security/office-365-security/anti-malware-protection?view=o365-worldwide) | modified |
-| 9/6/2022 | [Preset security policies](/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide) | modified |
-| 9/6/2022 | [Safe Attachments](/microsoft-365/security/office-365-security/safe-attachments?view=o365-worldwide) | modified |
-| 9/6/2022 | [Complete Safe Links overview for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-links?view=o365-worldwide) | modified |
-| 9/6/2022 | [Microsoft 365 productivity illustrations](/microsoft-365/solutions/productivity-illustrations?view=o365-worldwide) | modified |
-| 9/8/2022 | [Bookings with me](/microsoft-365/bookings/bookings-in-outlook?view=o365-worldwide) | modified |
-| 9/8/2022 | [Attack surface reduction (ASR) rules reporting](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report?view=o365-worldwide) | modified |
-| 9/8/2022 | [Enable Microsoft 365 support integration for ServiceNow Virtual Agent](/microsoft-365/admin/manage/servicenow-support-integration?view=o365-worldwide) | added |
-| 9/8/2022 | [Enable archive mailboxes for Microsoft 365](/microsoft-365/compliance/enable-archive-mailboxes?view=o365-worldwide) | modified |
-| 9/8/2022 | [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 9/9/2022 | [Microsoft 365 admin center activity reports](/microsoft-365/admin/activity-reports/activity-reports?view=o365-worldwide) | modified |
-| 9/9/2022 | [Top 20 most-viewed admin help articles this month # < 60 chars](/microsoft-365/admin/top-m365-admin-articles?view=o365-worldwide) | modified |
-| 9/9/2022 | [Manage sensitivity labels in Office apps](/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-worldwide) | modified |
-| 9/9/2022 | [Manage submissions](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide) | modified |
-| 9/9/2022 | [Sign up for Microsoft 365 Business Basic](/microsoft-365/admin/setup/signup-business-basic?view=o365-worldwide) | added |
-| 9/9/2022 | [Set up Microsoft 365 Business Basic](/microsoft-365/admin/setup/setup-business-basic?view=o365-worldwide) | modified |
-| 9/9/2022 | [Accept an email invitation to a Microsoft 365 for business subscription (User)](/microsoft-365/admin/simplified-signup/user-invite-business-standard?view=o365-worldwide) | modified |
-| 9/9/2022 | [Accept an email invitation to a Microsoft 365 for business subscription organization using an Outlook, Yahoo, Gmail or other account (User)](/microsoft-365/admin/simplified-signup/user-invite-msa-nodomain-join?view=o365-worldwide) | modified |
-| 9/9/2022 | About the Microsoft Defender for Office 365 trial | removed |
-| 9/9/2022 | [Allow or block emails using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/allow-block-email-spoof?view=o365-worldwide) | modified |
-| 9/9/2022 | [Allow or block files using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/allow-block-files?view=o365-worldwide) | modified |
-| 9/9/2022 | [Allow or block URLs using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/allow-block-urls?view=o365-worldwide) | modified |
-| 9/9/2022 | [Try and evaluate Defender for Office 365](/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365?view=o365-worldwide) | modified |
--
-## Week of August 29, 2022
--
-| Published On |Topic title | Change |
-|||--|
-| 8/29/2022 | [Insider risk management settings](/microsoft-365/compliance/insider-risk-management-settings?view=o365-worldwide) | modified |
-| 8/29/2022 | Work with a Microsoft partner | removed |
-| 8/29/2022 | [About the Microsoft Defender Vulnerability Management public preview trial](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-trial?view=o365-worldwide) | added |
-| 8/29/2022 | [Trial playbook - Microsoft Defender Vulnerability Management (public preview)](/microsoft-365/security/defender-vulnerability-management/trial-playbook-defender-vulnerability-management?view=o365-worldwide) | added |
-| 8/29/2022 | [Steps to set up a weekly digest email of message center changes for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/step-by-step-guides/stay-informed-with-message-center?view=o365-worldwide) | modified |
-| 8/29/2022 | [Add or Remove Machine Tags API](/microsoft-365/security/defender-endpoint/add-or-remove-machine-tags?view=o365-worldwide) | modified |
-| 8/29/2022 | [Manage submissions](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide) | modified |
-| 8/29/2022 | [Steps to quickly set up the Standard or Strict preset security policies for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/step-by-step-guides/ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies?view=o365-worldwide) | modified |
-| 8/30/2022 | [Export browser extensions assessment](/microsoft-365/security/defender-endpoint/get-assessment-browser-extensions?view=o365-worldwide) | added |
-| 8/30/2022 | [Get browser extensions permission info](/microsoft-365/security/defender-endpoint/get-browser-extensions-permission-info?view=o365-worldwide) | added |
-| 8/30/2022 | [Overview of the Users page in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-users-page-overview?view=o365-worldwide) | modified |
-| 8/30/2022 | [Compare security features in Microsoft 365 plans for small and medium-sized businesses](/microsoft-365/security/defender-business/compare-mdb-m365-plans?view=o365-worldwide) | modified |
-| 8/30/2022 | [Certificate assessment methods and properties per device](/microsoft-365/security/defender-endpoint/export-certificate-inventory-assessment?view=o365-worldwide) | modified |
-| 8/30/2022 | [Export software inventory assessment per device](/microsoft-365/security/defender-endpoint/get-assessment-software-inventory?view=o365-worldwide) | modified |
-| 8/30/2022 | [Manage inactive users in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-manage-inactive-users?view=o365-worldwide) | added |
-| 8/30/2022 | [What's the difference between junk email and bulk email?](/microsoft-365/security/office-365-security/what-s-the-difference-between-junk-email-and-bulk-email?view=o365-worldwide) | modified |
-| 8/30/2022 | [Microsoft 365 solutions for the financial services industry](/microsoft-365/solutions/financial-services-overview?view=o365-worldwide) | added |
-| 8/30/2022 | [Microsoft 365 for Retail](/microsoft-365/frontline/teams-for-retail-landing-page?view=o365-worldwide) | modified |
-| 8/30/2022 | [Microsoft 365 documentation # < 60 chars](/microsoft-365/index?view=o365-worldwide) | modified |
-| 8/30/2022 | [Track and respond to emerging security threats with campaigns view in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/step-by-step-guides/track%20and%20respond%20to%20emerging%20threats%20with%20campaigns?view=o365-worldwide) | added |
-| 8/30/2022 | [Microsoft Defender Offline in Windows](/microsoft-365/security/defender-endpoint/microsoft-defender-offline?view=o365-worldwide) | modified |
-| 8/30/2022 | [Step 4. Evaluate Microsoft Defender for Endpoint overview, including reviewing the architecture](/microsoft-365/security/defender/eval-defender-endpoint-overview?view=o365-worldwide) | modified |
-| 8/31/2022 | [Cross-Tenant Identity Mapping (preview)](/microsoft-365/enterprise/cross-tenant-identity-mapping?view=o365-worldwide) | added |
-| 8/31/2022 | [Manage sharing for Microsoft Whiteboard in GCC environments](/microsoft-365/whiteboard/manage-sharing-gcc?view=o365-worldwide) | modified |
-| 8/31/2022 | [Deploy Teams at scale for frontline workers](/microsoft-365/frontline/deploy-teams-at-scale?view=o365-worldwide) | modified |
-| 8/31/2022 | [Onboard Microsoft Defender for IoT with Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration?view=o365-worldwide) | modified |
-| 8/31/2022 | [Use network protection to help prevent connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide) | modified |
-| 8/31/2022 | [Web protection](/microsoft-365/security/defender-endpoint/web-protection-overview?view=o365-worldwide) | modified |
-| 8/31/2022 | [Manage clients for Microsoft Whiteboard in GCC environments](/microsoft-365/whiteboard/manage-clients-gcc?view=o365-worldwide) | modified |
-| 8/31/2022 | [Manage data for Microsoft Whiteboard in GCC environments](/microsoft-365/whiteboard/manage-data-gcc?view=o365-worldwide) | modified |
-| 8/31/2022 | [Manage access to Microsoft Whiteboard for GCC environments](/microsoft-365/whiteboard/manage-whiteboard-access-gcc?view=o365-worldwide) | modified |
-| 8/31/2022 | [Search for and delete chat messages in Teams](/microsoft-365/compliance/search-and-delete-teams-chat-messages?view=o365-worldwide) | modified |
-| 8/31/2022 | [What's new in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-whats-new?view=o365-worldwide) | modified |
-| 8/31/2022 | [Microsoft Defender for Business and Microsoft partner resources](/microsoft-365/security/defender-business/mdb-partners?view=o365-worldwide) | modified |
-| 8/31/2022 | [Get alerts API](/microsoft-365/security/defender-endpoint/alerts?view=o365-worldwide) | modified |
-| 8/31/2022 | [Microsoft Defender for Endpoint APIs connection to Power BI](/microsoft-365/security/defender-endpoint/api-power-bi?view=o365-worldwide) | modified |
-| 8/31/2022 | [Machine resource type](/microsoft-365/security/defender-endpoint/machine?view=o365-worldwide) | modified |
-| 8/31/2022 | [Allow or block emails using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/allow-block-email-spoof?view=o365-worldwide) | modified |
-| 8/31/2022 | [Manage sensitivity labels in Office apps](/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-worldwide) | modified |
-| 9/1/2022 | [Microsoft Defender Antivirus export device antivirus health details API methods and properties](/microsoft-365/security/defender-endpoint/device-health-api-methods-properties?view=o365-worldwide) | modified |
-| 9/1/2022 | [Microsoft Defender Antivirus Device Health export device antivirus health reporting](/microsoft-365/security/defender-endpoint/device-health-export-antivirus-health-report-api?view=o365-worldwide) | modified |
-| 9/1/2022 | [Device health and compliance report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/machine-reports?view=o365-worldwide) | modified |
-| 9/1/2022 | [Exchange 2013 end of support roadmap](/microsoft-365/enterprise/exchange-2013-end-of-support?view=o365-worldwide) | modified |
-| 9/1/2022 | [Defender for Endpoint onboarding Windows Server](/microsoft-365/security/defender-endpoint/onboard-windows-server?view=o365-worldwide) | modified |
-| 9/1/2022 | [Getting started with defense in-depth configuration for email security](/microsoft-365/security/office-365-security/step-by-step-guides/defense-in-depth-guide?view=o365-worldwide) | added |
-| 9/1/2022 | [Review architecture requirements and planning concepts for Microsoft Defender for Office 365](/microsoft-365/security/defender/eval-defender-office-365-architecture?view=o365-worldwide) | modified |
-| 9/1/2022 | [Enable the evaluation environment for Microsoft Defender for Office 365 in your production environment](/microsoft-365/security/defender/eval-defender-office-365-enable-eval?view=o365-worldwide) | modified |
-| 9/1/2022 | [Step 3. Evaluate Microsoft Defender for Office 365 overview](/microsoft-365/security/defender/eval-defender-office-365-overview?view=o365-worldwide) | modified |
-| 9/1/2022 | [Pilot Microsoft Defender for Office 365, use the evaluation in your production environment](/microsoft-365/security/defender/eval-defender-office-365-pilot?view=o365-worldwide) | modified |
-| 9/2/2022 | [SKOS format reference for SharePoint taxonomy](/microsoft-365/contentunderstanding/skos-format-reference) | modified |
-| 9/2/2022 | [Device health and compliance report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/machine-reports?view=o365-worldwide) | modified |
-| 9/2/2022 | [Assess data privacy risks and identify sensitive items with Microsoft 365](/microsoft-365/solutions/information-protection-deploy-assess?view=o365-worldwide) | modified |
-| 9/2/2022 | [Networking up (to the cloud)ΓÇöOne architect's viewpoint](/microsoft-365/solutions/networking-design-principles?view=o365-worldwide) | modified |
-| 9/2/2022 | [User roles for starting Microsoft 365 trials](/microsoft-365/compliance/compliance-easy-trials-roles?view=o365-worldwide) | added |
-| 9/2/2022 | [What's new in Microsoft Purview risk and compliance solutions](/microsoft-365/compliance/whats-new?view=o365-worldwide) | modified |
-| 9/2/2022 | [Deploy, manage, and report on Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 9/2/2022 | [Deploy Microsoft Defender for Endpoint on Linux with Puppet](/microsoft-365/security/defender-endpoint/linux-install-with-puppet?view=o365-worldwide) | modified |
-| 9/2/2022 | [How Sender Policy Framework (SPF) prevents spoofing](/microsoft-365/security/office-365-security/how-office-365-uses-spf-to-prevent-spoofing?view=o365-worldwide) | modified |
--
-## Week of August 22, 2022
--
-| Published On |Topic title | Change |
-|||--|
-| 8/22/2022 | [Enable co-authoring for encrypted documents](/microsoft-365/compliance/sensitivity-labels-coauthoring?view=o365-worldwide) | modified |
-| 8/22/2022 | [Choose between guided and advanced modes for hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-modes?view=o365-worldwide) | added |
-| 8/22/2022 | [Supported data types and filters in guided mode for hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-query-builder-details?view=o365-worldwide) | added |
-| 8/22/2022 | [Work with query results in guided mode for hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-query-builder-results?view=o365-worldwide) | added |
-| 8/22/2022 | [Build queries using guided mode in Microsoft 365 Defender advanced hunting](/microsoft-365/security/defender/advanced-hunting-query-builder?view=o365-worldwide) | added |
-| 8/22/2022 | [Overview - Advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide) | modified |
-| 8/22/2022 | [Manage Microsoft feedback for your organization](/microsoft-365/admin/manage/manage-feedback-ms-org?view=o365-worldwide) | modified |
-| 8/22/2022 | [Get started using Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-get-started?view=o365-worldwide) | modified |
-| 8/22/2022 | [Payloads in Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide) | modified |
-| 8/22/2022 | [Simulation automations for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide) | modified |
-| 8/22/2022 | [Simulate a phishing attack with Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training?view=o365-worldwide) | modified |
-| 8/22/2022 | [View email security reports](/microsoft-365/security/office-365-security/view-email-security-reports?view=o365-worldwide) | modified |
-| 8/23/2022 | [About the Microsoft Defender Vulnerability Management public preview trial](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-trial?view=o365-worldwide) | added |
-| 8/23/2022 | [Trial playbook - Microsoft Defender Vulnerability Management (public preview)](/microsoft-365/security/defender-vulnerability-management/trial-playbook-defender-vulnerability-management?view=o365-worldwide) | added |
-| 8/23/2022 | [Top 10 ways to secure your business data - Best practices for small and medium-sized businesses](/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide) | modified |
-| 8/23/2022 | [Onboard and offboard macOS devices into Microsoft Purview solutions using Microsoft Intune](/microsoft-365/compliance/device-onboarding-offboarding-macos-intune?view=o365-worldwide) | modified |
-| 8/23/2022 | [Integrate Microsoft Teams classes and meetings with Moodle](/microsoft-365/lti/teams-classes-meetings-with-moodle?view=o365-worldwide) | modified |
-| 8/23/2022 | [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](/microsoft-365/security/office-365-security/configure-advanced-delivery?view=o365-worldwide) | modified |
-| 8/24/2022 | [Message encryption FAQ](/microsoft-365/compliance/ome-faq?view=o365-worldwide) | modified |
-| 8/24/2022 | [Office 365 Message Encryption](/microsoft-365/compliance/ome?view=o365-worldwide) | modified |
-| 8/24/2022 | [Help your frontline workers use collaboration apps and features](/microsoft-365/frontline/collab-features-apps-toolkit?view=o365-worldwide) | added |
-| 8/24/2022 | [Help your frontline workers track time and attendance](/microsoft-365/frontline/shifts-toolkit?view=o365-worldwide) | added |
-| 8/24/2022 | [Choose your scenarios for Microsoft 365 for frontline workers](/microsoft-365/frontline/flw-choose-scenarios?view=o365-worldwide) | modified |
-| 8/24/2022 | [Frontline team collaboration](/microsoft-365/frontline/flw-team-collaboration?view=o365-worldwide) | modified |
-| 8/24/2022 | [What's new in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-whats-new?view=o365-worldwide) | modified |
-| 8/24/2022 | [Top 10 ways to secure your data - Best practices for small and medium-sized businesses](/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide) | modified |
-| 8/24/2022 | [Set up and secure managed devices](/microsoft-365/business-premium/m365bp-protect-devices?view=o365-worldwide) | modified |
-| 8/24/2022 | [Microsoft 365 Business Premium - Productivity and security](/microsoft-365/business-premium/m365bp-secure-users?view=o365-worldwide) | modified |
-| 8/24/2022 | [Security incident management](/microsoft-365/business-premium/m365bp-security-incident-management?view=o365-worldwide) | modified |
-| 8/24/2022 | [Microsoft Defender for Business Premium trial playbook](/microsoft-365/business-premium/m365bp-trial-playbook-microsoft-business-premium?view=o365-worldwide) | modified |
-| 8/24/2022 | Set up a connector to archive Jive data in Microsoft 365 | removed |
-| 8/24/2022 | Get CVE-KB map API | removed |
-| 8/24/2022 | Get KB collection API | removed |
-| 8/24/2022 | Get RBAC machine groups collection API | removed |
-| 8/24/2022 | Get machines security states collection API | removed |
-| 8/24/2022 | [Microsoft security portals and admin centers](/microsoft-365/security/defender/portals?view=o365-worldwide) | modified |
-| 8/24/2022 | [Sensitive information type limits](/microsoft-365/compliance/sit-limits?view=o365-worldwide) | added |
-| 8/24/2022 | [Create custom sensitive information types](/microsoft-365/compliance/create-a-custom-sensitive-information-type?view=o365-worldwide) | modified |
-| 8/24/2022 | [What's new in Microsoft Purview risk and compliance solutions](/microsoft-365/compliance/whats-new?view=o365-worldwide) | modified |
-| 8/25/2022 | [Microsoft Adoption Score](/microsoft-365/admin/adoption/adoption-score?view=o365-worldwide) | renamed |
-| 8/25/2022 | [Microsoft Adoption Score - Microsoft 365 apps health](/microsoft-365/admin/adoption/apps-health?view=o365-worldwide) | renamed |
-| 8/25/2022 | [Microsoft Adoption Score - Communication](/microsoft-365/admin/adoption/communication?view=o365-worldwide) | renamed |
-| 8/25/2022 | [Microsoft Adoption Score - Content collaboration](/microsoft-365/admin/adoption/content-collaboration?view=o365-worldwide) | renamed |
-| 8/25/2022 | [Microsoft Adoption Score - Meetings](/microsoft-365/admin/adoption/meetings?view=o365-worldwide) | renamed |
-| 8/25/2022 | [Microsoft Adoption Score - Mobility](/microsoft-365/admin/adoption/mobility?view=o365-worldwide) | renamed |
-| 8/25/2022 | [Microsoft Adoption Score - Privacy](/microsoft-365/admin/adoption/privacy?view=o365-worldwide) | renamed |
-| 8/25/2022 | [Microsoft Adoption Score - Teamwork](/microsoft-365/admin/adoption/teamwork?view=o365-worldwide) | renamed |
-| 8/25/2022 | [Troubleshoot issues on Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-support-signin?view=o365-worldwide) | modified |
-| 8/25/2022 | [What's new in Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-whatsnew?view=o365-worldwide) | modified |
-| 8/25/2022 | About the Microsoft Defender Vulnerability Management public preview trial | removed |
-| 8/25/2022 | Trial playbook - Microsoft Defender Vulnerability Management (public preview) | removed |
-| 8/25/2022 | [What's new in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint?view=o365-worldwide) | modified |
-| 8/25/2022 | [Preset security policies](/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide) | modified |
-| 8/25/2022 | [Manage clients for Microsoft Whiteboard in GCC environments](/microsoft-365/whiteboard/manage-clients-gcc?view=o365-worldwide) | added |
-| 8/25/2022 | [Manage data for Microsoft Whiteboard in GCC environments](/microsoft-365/whiteboard/manage-data-gcc?view=o365-worldwide) | added |
-| 8/25/2022 | [Manage sharing for Microsoft Whiteboard in GCC environments](/microsoft-365/whiteboard/manage-sharing-gcc?view=o365-worldwide) | added |
-| 8/25/2022 | [Manage access to Microsoft Whiteboard for GCC environments](/microsoft-365/whiteboard/manage-whiteboard-access-gcc?view=o365-worldwide) | added |
-| 8/25/2022 | [Onboard non-persistent virtual desktop infrastructure (VDI) devices](/microsoft-365/security/defender-endpoint/configure-endpoints-vdi?view=o365-worldwide) | modified |
-| 8/25/2022 | [Review events and errors using Event Viewer](/microsoft-365/security/defender-endpoint/event-error-codes?view=o365-worldwide) | modified |
-| 8/25/2022 | [What's the difference between junk email and bulk email?](/microsoft-365/security/office-365-security/what-s-the-difference-between-junk-email-and-bulk-email?view=o365-worldwide) | modified |
-| 8/26/2022 | [Supported Microsoft Defender for Endpoint capabilities by platform](/microsoft-365/security/defender-endpoint/supported-capabilities-by-platform?view=o365-worldwide) | added |
-| 8/26/2022 | [Top 10 ways to secure your data - Best practices for small and medium-sized businesses](/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide) | modified |
-| 8/26/2022 | [Onboard and offboard macOS devices into Microsoft Purview solutions using Microsoft Intune](/microsoft-365/compliance/device-onboarding-offboarding-macos-intune?view=o365-worldwide) | modified |
-| 8/26/2022 | [Migrating servers from Microsoft Monitoring Agent to the unified solution](/microsoft-365/security/defender-endpoint/application-deployment-via-mecm?view=o365-worldwide) | modified |
-| 8/26/2022 | [Onboard devices and configure Microsoft Defender for Endpoint capabilities](/microsoft-365/security/defender-endpoint/onboard-configure?view=o365-worldwide) | modified |
-| 8/26/2022 | Microsoft Defender Experts for Hunting preview | removed |
++++
+## Week of September 19, 2022
++
+| Published On |Topic title | Change |
+|||--|
+| 9/19/2022 | [Increase Classifier Accuracy](/microsoft-365/compliance/data-classification-increase-accuracy?view=o365-worldwide) | added |
+| 9/19/2022 | [Built-in protection helps guard against ransomware](/microsoft-365/security/defender-endpoint/built-in-protection?view=o365-worldwide) | added |
+| 9/19/2022 | [Data Loss Prevention policy reference](/microsoft-365/compliance/dlp-policy-reference?view=o365-worldwide) | modified |
+| 9/19/2022 | [Microsoft Purview insider risk solutions](/microsoft-365/compliance/insider-risk-solution-overview?view=o365-worldwide) | modified |
+| 9/19/2022 | [Overview - Advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide) | modified |
+| 9/19/2022 | [Choose Microsoft Purview Information Protection built-in labeling for Office apps over the Azure Information Protection (AIP) add-in](/microsoft-365/compliance/sensitivity-labels-aip?view=o365-worldwide) | modified |
+| 9/19/2022 | [Manage sensitivity labels in Office apps](/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-worldwide) | modified |
+| 9/20/2022 | Email collaboration | removed |
+| 9/20/2022 | [Bookings with me](/microsoft-365/bookings/bookings-in-outlook?view=o365-worldwide) | modified |
+| 9/20/2022 | [What's new in Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score-whats-new?view=o365-worldwide) | modified |
+| 9/20/2022 | [Manage submissions](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide) | modified |
+| 9/20/2022 | [Detect and remediate the Outlook rules and custom forms injections attacks.](/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide) | modified |
+| 9/20/2022 | Security Incident Response | removed |
+| 9/20/2022 | Office 365 Security overview, Microsoft Defender for Office 365, EOP, MSDO | removed |
+| 9/20/2022 | Reporting and message trace | removed |
+| 9/20/2022 | Smart reports and insights | removed |
+| 9/20/2022 | Security dashboard overview | removed |
+| 9/20/2022 | Microsoft 365 security roadmap - Top priorities | removed |
+| 9/20/2022 | [User-reported email settings for spam, phish, as malicious mail](/microsoft-365/security/office-365-security/user-submission?view=o365-worldwide) | modified |
+| 9/20/2022 | [Delete a booking calendar](/microsoft-365/bookings/delete-calendar?view=o365-worldwide) | modified |
+| 9/20/2022 | [Use communication compliance reports and audits](/microsoft-365/compliance/communication-compliance-reports-audits?view=o365-worldwide) | modified |
+| 9/20/2022 | [Configure permissions filtering for eDiscovery](/microsoft-365/compliance/permissions-filtering-for-content-search?view=o365-worldwide) | modified |
+| 9/20/2022 | [What's new in Microsoft Purview risk and compliance solutions](/microsoft-365/compliance/whats-new?view=o365-worldwide) | modified |
+| 9/20/2022 | [Configure Microsoft Defender for Endpoint risk signals using App Protection Policies (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam?view=o365-worldwide) | modified |
+| 9/20/2022 | [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](/microsoft-365/security/defender-endpoint/android-intune?view=o365-worldwide) | modified |
++
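Review bot: The delimiter row of the added "Week of September 19, 2022" table (`|||--|`, directly under `| Published On |Topic title | Change |`) has two empty cells. A GFM pipe table needs at least one hyphen in every delimiter cell, so as shown this block would render as plain text rather than a table. Suggest `|---|---|---|` here; the same row is repeated under the "Week of September 12, 2022" heading. As a style point, the 9/20/2022 entry "Detect and remediate the Outlook rules and custom forms injections attacks." is the only title in this table that ends in a period, which is better corrected in the source article's title than in this list.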
+## Week of September 12, 2022
++
+| Published On |Topic title | Change |
+|||--|
+| 9/12/2022 | [Learn about and configure insider risk management browser signal detection](/microsoft-365/compliance/insider-risk-management-browser-support?view=o365-worldwide) | modified |
+| 9/12/2022 | [Insider risk management policies](/microsoft-365/compliance/insider-risk-management-policies?view=o365-worldwide) | modified |
+| 9/12/2022 | [Insider risk management settings](/microsoft-365/compliance/insider-risk-management-settings?view=o365-worldwide) | modified |
+| 9/12/2022 | [Learn about insider risk management](/microsoft-365/compliance/insider-risk-management?view=o365-worldwide) | modified |
+| 9/12/2022 | [Add users and assign licenses in Microsoft 365](/microsoft-365/admin/add-users/add-users?view=o365-worldwide) | modified |
+| 9/12/2022 | Create, edit, or delete a custom user view | removed |
+| 9/12/2022 | Resend a user's password - Admin Help | removed |
+| 9/12/2022 | [Reset passwords](/microsoft-365/admin/add-users/reset-passwords?view=o365-worldwide) | modified |
+| 9/12/2022 | Turn off strong password requirements for users | removed |
+| 9/12/2022 | How to get help in the Microsoft 365 admin center | removed |
+| 9/12/2022 | [Basic Mobility and Security frequently-asked questions (FAQ)](/microsoft-365/admin/basic-mobility-security/frequently-asked-questions?view=o365-worldwide) | modified |
+| 9/12/2022 | Get details about Basic Mobility and Security managed devices | removed |
+| 9/12/2022 | [Manage device access settings in Basic Mobility and Security](/microsoft-365/admin/basic-mobility-security/manage-device-access-settings?view=o365-worldwide) | modified |
+| 9/12/2022 | Troubleshoot Basic Mobility and Security | removed |
+| 9/12/2022 | Empower your small business with remote work | removed |
+| 9/12/2022 | [Use sensitivity labels to configure the default sharing link type](/microsoft-365/compliance/sensitivity-labels-default-sharing-link?view=o365-worldwide) | modified |
+| 9/12/2022 | [Configure Microsoft Defender for Endpoint on iOS features](/microsoft-365/security/defender-endpoint/ios-configure-features?view=o365-worldwide) | modified |
+| 9/12/2022 | [App-based deployment for Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-install?view=o365-worldwide) | modified |
+| 9/12/2022 | [Microsoft Defender for Endpoint - Mobile Threat Defense](/microsoft-365/security/defender-endpoint/mtd?view=o365-worldwide) | modified |
+| 9/13/2022 | [Microsoft 365 admin center katakana glossary](/microsoft-365/admin/m365_glossary?view=o365-worldwide) | added |
+| 9/13/2022 | [Microsoft 365 admin center help # < 60 chars](/microsoft-365/admin/index?view=o365-worldwide) | modified |
+| 9/13/2022 | [Microsoft 365 Business Premium resources # < 60 chars](/microsoft-365/business/index?view=o365-worldwide) | modified |
+| 9/13/2022 | [Customize an archive and deletion policy (MRM) for mailboxes](/microsoft-365/compliance/set-up-an-archive-and-deletion-policy-for-mailboxes?view=o365-worldwide) | modified |
+| 9/13/2022 | [Microsoft 365 for frontline workers # < 60 chars](/microsoft-365/frontline/index?view=o365-worldwide) | modified |
+| 9/13/2022 | [Microsoft 365 documentation # < 60 chars](/microsoft-365/index?view=o365-worldwide) | modified |
+| 9/13/2022 | [Onboard devices to Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-onboard-devices?view=o365-worldwide) | modified |
+| 9/13/2022 | [Investigate domains and URLs associated with a Microsoft Defender for Endpoint alert](/microsoft-365/security/defender-endpoint/investigate-domain?view=o365-worldwide) | modified |
+| 9/13/2022 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified |
+| 9/13/2022 | [Microsoft 365 admin center katakana glossary](/microsoft-365/admin/m365_glossary?view=o365-worldwide) | modified |
+| 9/13/2022 | [Planning your portal launch roll-out plan in SharePoint Online](/microsoft-365/enterprise/planportallaunchroll-out?view=o365-worldwide) | modified |
+| 9/13/2022 | [Prepare for directory synchronization to Microsoft 365](/microsoft-365/enterprise/prepare-for-directory-synchronization?view=o365-worldwide) | modified |
+| 9/13/2022 | [Retrieve customer tenant reporting data with Windows PowerShell for DAP partners](/microsoft-365/enterprise/retrieve-customer-tenant-reporting-data-with-windows-powershell-for-delegated-ac?view=o365-worldwide) | modified |
+| 9/13/2022 | [Get started with troubleshooting mode in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode?view=o365-worldwide) | modified |
+| 9/13/2022 | [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-worldwide) | modified |
+| 9/14/2022 | [Apply encryption using sensitivity labels](/microsoft-365/compliance/encryption-sensitivity-labels?view=o365-worldwide) | modified |
+| 9/14/2022 | [Attack surface reduction frequently asked questions (FAQ)](/microsoft-365/security/defender-endpoint/attack-surface-reduction-faq?view=o365-worldwide) | modified |
+| 9/14/2022 | [Investigate agent health issues](/microsoft-365/security/defender-endpoint/health-status?view=o365-worldwide) | modified |
+| 9/14/2022 | [Investigate devices in the Defender for Endpoint Devices list](/microsoft-365/security/defender-endpoint/investigate-machines?view=o365-worldwide) | modified |
+| 9/14/2022 | [Onboarding using Microsoft Endpoint Configuration Manager](/microsoft-365/security/defender-endpoint/onboarding-endpoint-configuration-manager?view=o365-worldwide) | modified |
+| 9/14/2022 | [Deploy and manage Removable Storage Access Control using group policy](/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-group-policy?view=o365-worldwide) | added |
+| 9/14/2022 | [Deploy and manage Removable Storage Access Control using Intune](/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-intune?view=o365-worldwide) | added |
+| 9/14/2022 | [Microsoft Defender for Endpoint Device Control Removable Storage frequently asked questions](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control-faq?view=o365-worldwide) | added |
+| 9/14/2022 | Create and edit Autopilot profiles | removed |
+| 9/14/2022 | Use this step-by-step guide to add Autopilot devices and profile | removed |
+| 9/14/2022 | Set app protection settings for Android or iOS devices | removed |
+| 9/14/2022 | About Autopilot Profile settings | removed |
+| 9/14/2022 | Create and edit Autopilot devices | removed |
+| 9/14/2022 | Enable domain-joined Windows 10 devices to be managed by Microsoft 365 for business | removed |
+| 9/14/2022 | Set up managed devices | removed |
+| 9/14/2022 | [Set up and secure managed devices](/microsoft-365/business-premium/m365bp-protect-devices?view=o365-worldwide) | modified |
+| 9/14/2022 | Edit or set application protection settings for Windows devices | removed |
+| 9/14/2022 | [Microsoft 365 Business Premium - Productivity and security](/microsoft-365/business-premium/m365bp-secure-users?view=o365-worldwide) | modified |
+| 9/14/2022 | Secure Windows devices | removed |
+| 9/14/2022 | [Microsoft 365 Business Premium trial playbook](/microsoft-365/business-premium/m365bp-trial-playbook-microsoft-business-premium?view=o365-worldwide) | modified |
+| 9/14/2022 | Validate app protection settings on Android or iOS devices | removed |
+| 9/14/2022 | Validate app protection settings for Windows 10 PCs | removed |
+| 9/14/2022 | [View or edit device protection policies](/microsoft-365/business-premium/m365bp-view-edit-create-mdb-policies?view=o365-worldwide) | modified |
+| 9/14/2022 | [Cross-tenant mailbox migration](/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide) | modified |
+| 9/14/2022 | [Integrate Microsoft OneDrive LTI with Canvas](/microsoft-365/lti/onedrive-lti?view=o365-worldwide) | modified |
+| 9/14/2022 | [Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-worldwide) | modified |
+| 9/14/2022 | [The Microsoft Defender for Office 365 email entity page](/microsoft-365/security/office-365-security/mdo-email-entity-page?view=o365-worldwide) | modified |
+| 9/14/2022 | [Get started with communication compliance](/microsoft-365/compliance/communication-compliance-configure?view=o365-worldwide) | modified |
+| 9/14/2022 | [Top 10 ways to secure your business](/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide) | modified |
+| 9/14/2022 | [Overview of the Device security page in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-device-security-overview?view=o365-worldwide) | modified |
+| 9/14/2022 | [Compare security features in Microsoft 365 plans for small and medium-sized businesses](/microsoft-365/security/defender-business/compare-mdb-m365-plans?view=o365-worldwide) | modified |
+| 9/14/2022 | [Onboard devices to Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-onboard-devices?view=o365-worldwide) | modified |
+| 9/15/2022 | [Device health Microsoft Defender Antivirus health report](/microsoft-365/security/defender-endpoint/device-health-microsoft-defender-antivirus-health?view=o365-worldwide) | renamed |
+| 9/15/2022 | [Device health reporting in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/device-health-reports?view=o365-worldwide) | added |
+| 9/15/2022 | [Device health Sensor health & OS report](/microsoft-365/security/defender-endpoint/device-health-sensor-health-os?view=o365-worldwide) | added |
+| 9/15/2022 | [Microsoft Defender Antivirus export device antivirus health details API methods and properties](/microsoft-365/security/defender-endpoint/device-health-api-methods-properties?view=o365-worldwide) | modified |
+| 9/15/2022 | Microsoft Defender Antivirus Device Health details API | removed |
+| 9/15/2022 | [Create a SharePoint communications site in Teams with Microsoft 365 for business](/microsoft-365/business-premium/create-communications-site?view=o365-worldwide) | modified |
+| 9/15/2022 | [Maintain your environment](/microsoft-365/business-premium/m365bp-maintain-environment?view=o365-worldwide) | modified |
+| 9/15/2022 | [Trojan malware](/microsoft-365/security/intelligence/trojans-malware?view=o365-worldwide) | modified |
+| 9/15/2022 | [Report spam, non-spam, phishing, suspicious emails and files to Microsoft](/microsoft-365/security/office-365-security/report-junk-email-messages-to-microsoft?view=o365-worldwide) | modified |
+| 9/15/2022 | [Microsoft Purview Compliance Manager templates list](/microsoft-365/compliance/compliance-manager-templates-list?view=o365-worldwide) | modified |
+| 9/16/2022 | [Capabilities of Basic Mobility and Security](/microsoft-365/admin/basic-mobility-security/capabilities?view=o365-worldwide) | modified |
+| 9/16/2022 | [Enhancing mail flow with MTA-STS ](/microsoft-365/compliance/enhancing-mail-flow-with-mta-sts?view=o365-worldwide) | modified |
+| 9/16/2022 | [Get started with the Microsoft Service Trust Portal](/microsoft-365/compliance/get-started-with-service-trust-portal?view=o365-worldwide) | modified |
+| 9/16/2022 | [Customize an archive and deletion policy (MRM) for mailboxes](/microsoft-365/compliance/set-up-an-archive-and-deletion-policy-for-mailboxes?view=o365-worldwide) | modified |
+| 9/16/2022 | [Review architecture requirements and planning concepts for Microsoft Defender for Office 365](/microsoft-365/security/defender/eval-defender-office-365-architecture?view=o365-worldwide) | modified |
+| 9/16/2022 | [Pilot Microsoft Defender for Office 365, use the evaluation in your production environment](/microsoft-365/security/defender/eval-defender-office-365-pilot?view=o365-worldwide) | modified |
+| 9/16/2022 | [Evaluate and pilot Microsoft 365 Defender, an XDR solution](/microsoft-365/security/defender/eval-overview?view=o365-worldwide) | modified |
+| 9/16/2022 | [How-to deploy and configure the report message add-in](/microsoft-365/security/office-365-security/step-by-step-guides/deploy-and-configure-the-report-message-add-in?view=o365-worldwide) | modified |
+| 9/16/2022 | Microsoft Defender Security Center Security operations dashboard | removed |
+| 9/16/2022 | [Try and evaluate Defender for Office 365](/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365?view=o365-worldwide) | modified |
++
+## Week of September 05, 2022
++
+| Published On |Topic title | Change |
+|||--|
+| 9/6/2022 | [About the Microsoft Purview Compliance Manager premium assessment trial](/microsoft-365/compliance/compliance-easy-trials-compliance-manager-assessments?view=o365-worldwide) | modified |
+| 9/6/2022 | [Device health and compliance report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/machine-reports?view=o365-worldwide) | modified |
+| 9/6/2022 | [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-worldwide) | modified |
+| 9/6/2022 | [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](/microsoft-365/security/office-365-security/configure-advanced-delivery?view=o365-worldwide) | modified |
+| 9/6/2022 | [Microsoft recommendations for EOP and Defender for Office 365 security settings](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide) | modified |
+| 9/6/2022 | [Choose your scenarios for Microsoft 365 for frontline workers](/microsoft-365/frontline/flw-choose-scenarios?view=o365-worldwide) | modified |
+| 9/6/2022 | [Start with a pilot deployment of Microsoft 365 for frontline workers](/microsoft-365/frontline/flw-pilot?view=o365-worldwide) | modified |
+| 9/6/2022 | [Microsoft 365 for frontline workers - scenario posters](/microsoft-365/frontline/flw-scenario-posters?view=o365-worldwide) | added |
+| 9/6/2022 | [Frontline team collaboration](/microsoft-365/frontline/flw-team-collaboration?view=o365-worldwide) | modified |
+| 9/6/2022 | [Message delegation](/microsoft-365/frontline/hc-delegates?view=o365-worldwide) | modified |
+| 9/6/2022 | [Microsoft 365 for retail organizations](/microsoft-365/frontline/teams-for-retail-landing-page?view=o365-worldwide) | modified |
+| 9/6/2022 | [Get started with Microsoft 365 for healthcare organizations](/microsoft-365/frontline/teams-in-hc?view=o365-worldwide) | modified |
+| 9/6/2022 | [Attack surface reduction rules reporting](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report?view=o365-worldwide) | added |
+| 9/6/2022 | [What's new in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint?view=o365-worldwide) | modified |
+| 9/6/2022 | [Anti-malware protection](/microsoft-365/security/office-365-security/anti-malware-protection?view=o365-worldwide) | modified |
+| 9/6/2022 | [Preset security policies](/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide) | modified |
+| 9/6/2022 | [Safe Attachments](/microsoft-365/security/office-365-security/safe-attachments?view=o365-worldwide) | modified |
+| 9/6/2022 | [Complete Safe Links overview for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-links?view=o365-worldwide) | modified |
+| 9/6/2022 | [Microsoft 365 productivity illustrations](/microsoft-365/solutions/productivity-illustrations?view=o365-worldwide) | modified |
+| 9/8/2022 | [Bookings with me](/microsoft-365/bookings/bookings-in-outlook?view=o365-worldwide) | modified |
+| 9/8/2022 | [Attack surface reduction (ASR) rules reporting](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report?view=o365-worldwide) | modified |
+| 9/8/2022 | [Enable Microsoft 365 support integration for ServiceNow Virtual Agent](/microsoft-365/admin/manage/servicenow-support-integration?view=o365-worldwide) | added |
+| 9/8/2022 | [Enable archive mailboxes for Microsoft 365](/microsoft-365/compliance/enable-archive-mailboxes?view=o365-worldwide) | modified |
+| 9/8/2022 | [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-worldwide) | modified |
+| 9/9/2022 | [Microsoft 365 admin center activity reports](/microsoft-365/admin/activity-reports/activity-reports?view=o365-worldwide) | modified |
+| 9/9/2022 | [Top 20 most-viewed admin help articles this month # < 60 chars](/microsoft-365/admin/top-m365-admin-articles?view=o365-worldwide) | modified |
+| 9/9/2022 | [Manage sensitivity labels in Office apps](/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-worldwide) | modified |
+| 9/9/2022 | [Manage submissions](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide) | modified |
+| 9/9/2022 | [Sign up for Microsoft 365 Business Basic](/microsoft-365/admin/setup/signup-business-basic?view=o365-worldwide) | added |
+| 9/9/2022 | [Set up Microsoft 365 Business Basic](/microsoft-365/admin/setup/setup-business-basic?view=o365-worldwide) | modified |
+| 9/9/2022 | [Accept an email invitation to a Microsoft 365 for business subscription (User)](/microsoft-365/admin/simplified-signup/user-invite-business-standard?view=o365-worldwide) | modified |
+| 9/9/2022 | [Accept an email invitation to a Microsoft 365 for business subscription organization using an Outlook, Yahoo, Gmail or other account (User)](/microsoft-365/admin/simplified-signup/user-invite-msa-nodomain-join?view=o365-worldwide) | modified |
+| 9/9/2022 | About the Microsoft Defender for Office 365 trial | removed |
+| 9/9/2022 | [Allow or block emails using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/allow-block-email-spoof?view=o365-worldwide) | modified |
+| 9/9/2022 | [Allow or block files using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/allow-block-files?view=o365-worldwide) | modified |
+| 9/9/2022 | [Allow or block URLs using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/allow-block-urls?view=o365-worldwide) | modified |
+| 9/9/2022 | [Try and evaluate Defender for Office 365](/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365?view=o365-worldwide) | modified |
++
+## Week of August 29, 2022
++
+| Published On |Topic title | Change |
+|||--|
+| 8/29/2022 | [Insider risk management settings](/microsoft-365/compliance/insider-risk-management-settings?view=o365-worldwide) | modified |
+| 8/29/2022 | Work with a Microsoft partner | removed |
+| 8/29/2022 | [About the Microsoft Defender Vulnerability Management public preview trial](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-trial?view=o365-worldwide) | added |
+| 8/29/2022 | [Trial user guide - Microsoft Defender Vulnerability Management (public preview)](/microsoft-365/security/defender-vulnerability-management/trial-playbook-defender-vulnerability-management?view=o365-worldwide) | added |
+| 8/29/2022 | [Steps to set up a weekly digest email of message center changes for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/step-by-step-guides/stay-informed-with-message-center?view=o365-worldwide) | modified |
+| 8/29/2022 | [Add or Remove Machine Tags API](/microsoft-365/security/defender-endpoint/add-or-remove-machine-tags?view=o365-worldwide) | modified |
+| 8/29/2022 | [Manage submissions](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide) | modified |
+| 8/29/2022 | [Steps to quickly set up the Standard or Strict preset security policies for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/step-by-step-guides/ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies?view=o365-worldwide) | modified |
+| 8/30/2022 | [Export browser extensions assessment](/microsoft-365/security/defender-endpoint/get-assessment-browser-extensions?view=o365-worldwide) | added |
+| 8/30/2022 | [Get browser extensions permission info](/microsoft-365/security/defender-endpoint/get-browser-extensions-permission-info?view=o365-worldwide) | added |
+| 8/30/2022 | [Overview of the Users page in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-users-page-overview?view=o365-worldwide) | modified |
+| 8/30/2022 | [Compare security features in Microsoft 365 plans for small and medium-sized businesses](/microsoft-365/security/defender-business/compare-mdb-m365-plans?view=o365-worldwide) | modified |
+| 8/30/2022 | [Certificate assessment methods and properties per device](/microsoft-365/security/defender-endpoint/export-certificate-inventory-assessment?view=o365-worldwide) | modified |
+| 8/30/2022 | [Export software inventory assessment per device](/microsoft-365/security/defender-endpoint/get-assessment-software-inventory?view=o365-worldwide) | modified |
+| 8/30/2022 | [Manage inactive users in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-manage-inactive-users?view=o365-worldwide) | added |
+| 8/30/2022 | [What's the difference between junk email and bulk email?](/microsoft-365/security/office-365-security/what-s-the-difference-between-junk-email-and-bulk-email?view=o365-worldwide) | modified |
+| 8/30/2022 | [Microsoft 365 solutions for the financial services industry](/microsoft-365/solutions/financial-services-overview?view=o365-worldwide) | added |
+| 8/30/2022 | [Microsoft 365 for Retail](/microsoft-365/frontline/teams-for-retail-landing-page?view=o365-worldwide) | modified |
+| 8/30/2022 | [Microsoft 365 documentation # < 60 chars](/microsoft-365/index?view=o365-worldwide) | modified |
+| 8/30/2022 | [Track and respond to emerging security threats with campaigns view in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/step-by-step-guides/track%20and%20respond%20to%20emerging%20threats%20with%20campaigns?view=o365-worldwide) | added |
+| 8/30/2022 | [Microsoft Defender Offline in Windows](/microsoft-365/security/defender-endpoint/microsoft-defender-offline?view=o365-worldwide) | modified |
+| 8/30/2022 | [Step 4. Evaluate Microsoft Defender for Endpoint overview, including reviewing the architecture](/microsoft-365/security/defender/eval-defender-endpoint-overview?view=o365-worldwide) | modified |
+| 8/31/2022 | [Cross-Tenant Identity Mapping (preview)](/microsoft-365/enterprise/cross-tenant-identity-mapping?view=o365-worldwide) | added |
+| 8/31/2022 | [Manage sharing for Microsoft Whiteboard in GCC environments](/microsoft-365/whiteboard/manage-sharing-gcc?view=o365-worldwide) | modified |
+| 8/31/2022 | [Deploy Teams at scale for frontline workers](/microsoft-365/frontline/deploy-teams-at-scale?view=o365-worldwide) | modified |
+| 8/31/2022 | [Onboard Microsoft Defender for IoT with Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration?view=o365-worldwide) | modified |
+| 8/31/2022 | [Use network protection to help prevent connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide) | modified |
+| 8/31/2022 | [Web protection](/microsoft-365/security/defender-endpoint/web-protection-overview?view=o365-worldwide) | modified |
+| 8/31/2022 | [Manage clients for Microsoft Whiteboard in GCC environments](/microsoft-365/whiteboard/manage-clients-gcc?view=o365-worldwide) | modified |
+| 8/31/2022 | [Manage data for Microsoft Whiteboard in GCC environments](/microsoft-365/whiteboard/manage-data-gcc?view=o365-worldwide) | modified |
+| 8/31/2022 | [Manage access to Microsoft Whiteboard for GCC environments](/microsoft-365/whiteboard/manage-whiteboard-access-gcc?view=o365-worldwide) | modified |
+| 8/31/2022 | [Search for and delete chat messages in Teams](/microsoft-365/compliance/search-and-delete-teams-chat-messages?view=o365-worldwide) | modified |
+| 8/31/2022 | [What's new in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-whats-new?view=o365-worldwide) | modified |
+| 8/31/2022 | [Microsoft Defender for Business and Microsoft partner resources](/microsoft-365/security/defender-business/mdb-partners?view=o365-worldwide) | modified |
+| 8/31/2022 | [Get alerts API](/microsoft-365/security/defender-endpoint/alerts?view=o365-worldwide) | modified |
+| 8/31/2022 | [Microsoft Defender for Endpoint APIs connection to Power BI](/microsoft-365/security/defender-endpoint/api-power-bi?view=o365-worldwide) | modified |
+| 8/31/2022 | [Machine resource type](/microsoft-365/security/defender-endpoint/machine?view=o365-worldwide) | modified |
+| 8/31/2022 | [Allow or block emails using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/allow-block-email-spoof?view=o365-worldwide) | modified |
+| 8/31/2022 | [Manage sensitivity labels in Office apps](/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-worldwide) | modified |
+| 9/1/2022 | [Microsoft Defender Antivirus export device antivirus health details API methods and properties](/microsoft-365/security/defender-endpoint/device-health-api-methods-properties?view=o365-worldwide) | modified |
+| 9/1/2022 | [Microsoft Defender Antivirus Device Health export device antivirus health reporting](/microsoft-365/security/defender-endpoint/device-health-export-antivirus-health-report-api?view=o365-worldwide) | modified |
+| 9/1/2022 | [Device health and compliance report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/machine-reports?view=o365-worldwide) | modified |
+| 9/1/2022 | [Exchange 2013 end of support roadmap](/microsoft-365/enterprise/exchange-2013-end-of-support?view=o365-worldwide) | modified |
+| 9/1/2022 | [Defender for Endpoint onboarding Windows Server](/microsoft-365/security/defender-endpoint/onboard-windows-server?view=o365-worldwide) | modified |
+| 9/1/2022 | [Getting started with defense in-depth configuration for email security](/microsoft-365/security/office-365-security/step-by-step-guides/defense-in-depth-guide?view=o365-worldwide) | added |
+| 9/1/2022 | [Review architecture requirements and planning concepts for Microsoft Defender for Office 365](/microsoft-365/security/defender/eval-defender-office-365-architecture?view=o365-worldwide) | modified |
+| 9/1/2022 | [Enable the evaluation environment for Microsoft Defender for Office 365 in your production environment](/microsoft-365/security/defender/eval-defender-office-365-enable-eval?view=o365-worldwide) | modified |
+| 9/1/2022 | [Step 3. Evaluate Microsoft Defender for Office 365 overview](/microsoft-365/security/defender/eval-defender-office-365-overview?view=o365-worldwide) | modified |
+| 9/1/2022 | [Pilot Microsoft Defender for Office 365, use the evaluation in your production environment](/microsoft-365/security/defender/eval-defender-office-365-pilot?view=o365-worldwide) | modified |
+| 9/2/2022 | [SKOS format reference for SharePoint taxonomy](/microsoft-365/contentunderstanding/skos-format-reference) | modified |
+| 9/2/2022 | [Device health and compliance report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/machine-reports?view=o365-worldwide) | modified |
+| 9/2/2022 | [Assess data privacy risks and identify sensitive items with Microsoft 365](/microsoft-365/solutions/information-protection-deploy-assess?view=o365-worldwide) | modified |
+| 9/2/2022 | [Networking up (to the cloud)ΓÇöOne architect's viewpoint](/microsoft-365/solutions/networking-design-principles?view=o365-worldwide) | modified |
+| 9/2/2022 | [User roles for starting Microsoft 365 trials](/microsoft-365/compliance/compliance-easy-trials-roles?view=o365-worldwide) | added |
+| 9/2/2022 | [What's new in Microsoft Purview risk and compliance solutions](/microsoft-365/compliance/whats-new?view=o365-worldwide) | modified |
+| 9/2/2022 | [Deploy, manage, and report on Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus?view=o365-worldwide) | modified |
+| 9/2/2022 | [Deploy Microsoft Defender for Endpoint on Linux with Puppet](/microsoft-365/security/defender-endpoint/linux-install-with-puppet?view=o365-worldwide) | modified |
+| 9/2/2022 | [How Sender Policy Framework (SPF) prevents spoofing](/microsoft-365/security/office-365-security/how-office-365-uses-spf-to-prevent-spoofing?view=o365-worldwide) | modified |
++
+## Week of August 22, 2022
++
+| Published On |Topic title | Change |
+|||--|
+| 8/22/2022 | [Enable co-authoring for encrypted documents](/microsoft-365/compliance/sensitivity-labels-coauthoring?view=o365-worldwide) | modified |
+| 8/22/2022 | [Choose between guided and advanced modes for hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-modes?view=o365-worldwide) | added |
+| 8/22/2022 | [Supported data types and filters in guided mode for hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-query-builder-details?view=o365-worldwide) | added |
+| 8/22/2022 | [Work with query results in guided mode for hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-query-builder-results?view=o365-worldwide) | added |
+| 8/22/2022 | [Build queries using guided mode in Microsoft 365 Defender advanced hunting](/microsoft-365/security/defender/advanced-hunting-query-builder?view=o365-worldwide) | added |
+| 8/22/2022 | [Overview - Advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide) | modified |
+| 8/22/2022 | [Manage Microsoft feedback for your organization](/microsoft-365/admin/manage/manage-feedback-ms-org?view=o365-worldwide) | modified |
+| 8/22/2022 | [Get started using Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-get-started?view=o365-worldwide) | modified |
+| 8/22/2022 | [Payloads in Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide) | modified |
+| 8/22/2022 | [Simulation automations for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide) | modified |
+| 8/22/2022 | [Simulate a phishing attack with Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training?view=o365-worldwide) | modified |
+| 8/22/2022 | [View email security reports](/microsoft-365/security/office-365-security/view-email-security-reports?view=o365-worldwide) | modified |
+| 8/23/2022 | [About the Microsoft Defender Vulnerability Management public preview trial](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-trial?view=o365-worldwide) | added |
+| 8/23/2022 | [Trial user guide - Microsoft Defender Vulnerability Management (public preview)](/microsoft-365/security/defender-vulnerability-management/trial-playbook-defender-vulnerability-management?view=o365-worldwide) | added |
+| 8/23/2022 | [Top 10 ways to secure your business data - Best practices for small and medium-sized businesses](/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide) | modified |
+| 8/23/2022 | [Onboard and offboard macOS devices into Microsoft Purview solutions using Microsoft Intune](/microsoft-365/compliance/device-onboarding-offboarding-macos-intune?view=o365-worldwide) | modified |
+| 8/23/2022 | [Integrate Microsoft Teams classes and meetings with Moodle](/microsoft-365/lti/teams-classes-meetings-with-moodle?view=o365-worldwide) | modified |
+| 8/23/2022 | [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](/microsoft-365/security/office-365-security/configure-advanced-delivery?view=o365-worldwide) | modified |
+| 8/24/2022 | [Message encryption FAQ](/microsoft-365/compliance/ome-faq?view=o365-worldwide) | modified |
+| 8/24/2022 | [Office 365 Message Encryption](/microsoft-365/compliance/ome?view=o365-worldwide) | modified |
+| 8/24/2022 | [Help your frontline workers use collaboration apps and features](/microsoft-365/frontline/collab-features-apps-toolkit?view=o365-worldwide) | added |
+| 8/24/2022 | [Help your frontline workers track time and attendance](/microsoft-365/frontline/shifts-toolkit?view=o365-worldwide) | added |
+| 8/24/2022 | [Choose your scenarios for Microsoft 365 for frontline workers](/microsoft-365/frontline/flw-choose-scenarios?view=o365-worldwide) | modified |
+| 8/24/2022 | [Frontline team collaboration](/microsoft-365/frontline/flw-team-collaboration?view=o365-worldwide) | modified |
+| 8/24/2022 | [What's new in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-whats-new?view=o365-worldwide) | modified |
+| 8/24/2022 | [Top 10 ways to secure your data - Best practices for small and medium-sized businesses](/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide) | modified |
+| 8/24/2022 | [Set up and secure managed devices](/microsoft-365/business-premium/m365bp-protect-devices?view=o365-worldwide) | modified |
+| 8/24/2022 | [Microsoft 365 Business Premium - Productivity and security](/microsoft-365/business-premium/m365bp-secure-users?view=o365-worldwide) | modified |
+| 8/24/2022 | [Security incident management](/microsoft-365/business-premium/m365bp-security-incident-management?view=o365-worldwide) | modified |
+| 8/24/2022 | [Microsoft Defender for Business Premium trial playbook](/microsoft-365/business-premium/m365bp-trial-playbook-microsoft-business-premium?view=o365-worldwide) | modified |
+| 8/24/2022 | Set up a connector to archive Jive data in Microsoft 365 | removed |
+| 8/24/2022 | Get CVE-KB map API | removed |
+| 8/24/2022 | Get KB collection API | removed |
+| 8/24/2022 | Get RBAC machine groups collection API | removed |
+| 8/24/2022 | Get machines security states collection API | removed |
+| 8/24/2022 | [Microsoft security portals and admin centers](/microsoft-365/security/defender/portals?view=o365-worldwide) | modified |
+| 8/24/2022 | [Sensitive information type limits](/microsoft-365/compliance/sit-limits?view=o365-worldwide) | added |
+| 8/24/2022 | [Create custom sensitive information types](/microsoft-365/compliance/create-a-custom-sensitive-information-type?view=o365-worldwide) | modified |
+| 8/24/2022 | [What's new in Microsoft Purview risk and compliance solutions](/microsoft-365/compliance/whats-new?view=o365-worldwide) | modified |
+| 8/25/2022 | [Microsoft Adoption Score](/microsoft-365/admin/adoption/adoption-score?view=o365-worldwide) | renamed |
+| 8/25/2022 | [Microsoft Adoption Score - Microsoft 365 apps health](/microsoft-365/admin/adoption/apps-health?view=o365-worldwide) | renamed |
+| 8/25/2022 | [Microsoft Adoption Score - Communication](/microsoft-365/admin/adoption/communication?view=o365-worldwide) | renamed |
+| 8/25/2022 | [Microsoft Adoption Score - Content collaboration](/microsoft-365/admin/adoption/content-collaboration?view=o365-worldwide) | renamed |
+| 8/25/2022 | [Microsoft Adoption Score - Meetings](/microsoft-365/admin/adoption/meetings?view=o365-worldwide) | renamed |
+| 8/25/2022 | [Microsoft Adoption Score - Mobility](/microsoft-365/admin/adoption/mobility?view=o365-worldwide) | renamed |
+| 8/25/2022 | [Microsoft Adoption Score - Privacy](/microsoft-365/admin/adoption/privacy?view=o365-worldwide) | renamed |
+| 8/25/2022 | [Microsoft Adoption Score - Teamwork](/microsoft-365/admin/adoption/teamwork?view=o365-worldwide) | renamed |
+| 8/25/2022 | [Troubleshoot issues on Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-support-signin?view=o365-worldwide) | modified |
+| 8/25/2022 | [What's new in Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-whatsnew?view=o365-worldwide) | modified |
+| 8/25/2022 | About the Microsoft Defender Vulnerability Management public preview trial | removed |
+| 8/25/2022 | Trial playbook - Microsoft Defender Vulnerability Management (public preview) | removed |
+| 8/25/2022 | [What's new in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint?view=o365-worldwide) | modified |
+| 8/25/2022 | [Preset security policies](/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide) | modified |
+| 8/25/2022 | [Manage clients for Microsoft Whiteboard in GCC environments](/microsoft-365/whiteboard/manage-clients-gcc?view=o365-worldwide) | added |
+| 8/25/2022 | [Manage data for Microsoft Whiteboard in GCC environments](/microsoft-365/whiteboard/manage-data-gcc?view=o365-worldwide) | added |
+| 8/25/2022 | [Manage sharing for Microsoft Whiteboard in GCC environments](/microsoft-365/whiteboard/manage-sharing-gcc?view=o365-worldwide) | added |
+| 8/25/2022 | [Manage access to Microsoft Whiteboard for GCC environments](/microsoft-365/whiteboard/manage-whiteboard-access-gcc?view=o365-worldwide) | added |
+| 8/25/2022 | [Onboard non-persistent virtual desktop infrastructure (VDI) devices](/microsoft-365/security/defender-endpoint/configure-endpoints-vdi?view=o365-worldwide) | modified |
+| 8/25/2022 | [Review events and errors using Event Viewer](/microsoft-365/security/defender-endpoint/event-error-codes?view=o365-worldwide) | modified |
+| 8/25/2022 | [What's the difference between junk email and bulk email?](/microsoft-365/security/office-365-security/what-s-the-difference-between-junk-email-and-bulk-email?view=o365-worldwide) | modified |
+| 8/26/2022 | [Supported Microsoft Defender for Endpoint capabilities by platform](/microsoft-365/security/defender-endpoint/supported-capabilities-by-platform?view=o365-worldwide) | added |
+| 8/26/2022 | [Top 10 ways to secure your data - Best practices for small and medium-sized businesses](/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide) | modified |
+| 8/26/2022 | [Onboard and offboard macOS devices into Microsoft Purview solutions using Microsoft Intune](/microsoft-365/compliance/device-onboarding-offboarding-macos-intune?view=o365-worldwide) | modified |
+| 8/26/2022 | [Migrating servers from Microsoft Monitoring Agent to the unified solution](/microsoft-365/security/defender-endpoint/application-deployment-via-mecm?view=o365-worldwide) | modified |
+| 8/26/2022 | [Onboard devices and configure Microsoft Defender for Endpoint capabilities](/microsoft-365/security/defender-endpoint/onboard-configure?view=o365-worldwide) | modified |
+| 8/26/2022 | Microsoft Defender Experts for Hunting preview | removed |
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
## [Overview]() ### [What is Microsoft Defender for Endpoint?](microsoft-defender-endpoint.md)
-### [Trial playbook: Get the most out of your trial](defender-endpoint-trial-playbook.md)
+### [Trial user guide: Microsoft Defender for Endpoint](defender-endpoint-trial-user-guide.md)
### [Compare Microsoft endpoint security plans](defender-endpoint-plan-1-2.md) ### [Minimum requirements](minimum-requirements.md) ### [Supported Microsoft Defender for Endpoint capabilities by platform](supported-capabilities-by-platform.md)
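Review bot: The TOC entry now targets defender-endpoint-trial-user-guide.md in place of defender-endpoint-trial-playbook.md, so existing links and bookmarks to the old playbook path will break unless this change also adds a redirect. Please confirm that a redirect from the old path to the new one is included and that other articles still linking to defender-endpoint-trial-playbook.md are updated.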
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
Data collected by Defender for Endpoint is stored in the geo-location of the ten
- Follow the onboarding steps for the corresponding tool >[!IMPORTANT]
->In order to be eligible to purchase Microsoft Defender for Endpoint Server SKU, you must have already purchased a combined minimum of any of the following, Windows E5/A5, Microsoft 365 E5/A5 or Microsoft 365 E5 Security subscription licenses. For more information on licensing, see the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering/MicrosoftDefenderforEndpointServer/all).
+>To be eligible to purchase Microsoft Defender for Endpoint Server SKU, you already must have purchased a combined minimum of any of the following: Windows E5/A5, Microsoft 365 E5/A5, or Microsoft 365 E5 Security subscription licenses.
## Windows Server 2012 R2 and Windows Server 2016
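Review bot: The rewritten licensing note drops the Product Terms link that closed the old sentence, leaving readers with no pointer to the authoritative licensing terms. Unless the link was removed on purpose, restore the "For more information on licensing, see ..." sentence. The phrase "you already must have purchased" would also read more naturally as "you must already have purchased".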
security Configure Siem https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-siem.md
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
## Ingest alerts using security information and events management (SIEM) tools > [!NOTE] >
-> [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more suspicious or malicious events that occurred on the device and their related details. The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
+> [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more suspicious or malicious events that occurred on the device and their related details. The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contains a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
Microsoft Defender for Endpoint supports security information and event management (SIEM) tools ingesting information from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for a registered AAD application representing the specific SIEM solution or connector installed in your environment.
For more information, see:
- [Hello World example (describes how to register an application in Azure Active Directory)](api-hello-world.md) - [Get access with application context](exposed-apis-create-app-webapp.md) -
-Microsoft Defender for Endpoint currently supports the following SIEM solution integrations:
+## Use the new Microsoft 365 Defender API for all your alerts
+
+> [!IMPORTANT]
+> Information in this section relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The new Microsoft 365 Defender alerts API enables customers to work with alerts across all products within Microsoft 365 Defender using a single integration. The alerts API enumerates alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Purview Data Loss Prevention.
+
+The new central API provides customers with the best possible experience across Microsoft Defender products. The Microsoft Defender for Endpoint SIEM API will be deprecated over time, but Microsoft will provide organizations ample time to plan and prepare their migration to the new Microsoft 365 Defender APIs.
+
+You can find more information on the timeline and additional details about the new API in the blog post [The new Microsoft 365 Defender APIs in Microsoft Graph are now available in public preview!](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/the-new-microsoft-365-defender-apis-in-microsoft-graph-are-now/ba-p/3603099).
+
+Read about the new Microsoft 365 Defender [alerts and incidents API](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/the-new-microsoft-365-defender-apis-in-microsoft-graph-are-now/ba-p/3603099#:~:text=Incidents%3A%20Contain%20incident%20metadata%20and%20a%20collection%20of,richer%20and%20actionable%20information%20for%20your%20automation%20flows.)
+
+If you are currently using the SIEM API, we recommend starting to plan for your migration. The following sections provide details about the different options that are available and how to get started today.
+
+1. [Pulling Defender for Endpoint alerts into an external system](#pulling-defender-for-endpoint-alerts-into-an-external-system) SIEM/SOAR
+1. [Calling the Microsoft 365 Defender alerts API directly](#calling-the-microsoft-365-defender-alerts-api-directly)
+
+### Pulling Defender for Endpoint alerts into an external system
+
+If you are pulling Defender for Endpoint alerts into an external system, there are various supported options to give organizations the flexibility to work with the solution of their choice:
+
+1. **Microsoft Sentinel** is a scalable, cloud-native, SIEM and Security orchestration, automation, and response (SOAR) solution. Delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response. The Microsoft 365 Defender connector allows customers to easily pull in all their incidents and alerts from all Microsoft 365
+1. **IBM Security QRadar** SIEM provides centralized visibility and intelligent security analytics to identify and prevent threats and vulnerabilities from disrupting business operations. [QRadar SIEM team has just announced the release of a new DSM](https://community.ibm.com/community/user/security/blogs/gaurav-sharma/2022/10/18/ibm-qradar-and-microsoft-defender) that is integrated with the new Microsoft 365 Defender alerts API to pull in Microsoft Defender for Endpoint alerts. New customers are welcome to take advantage of the new DSM upon release. Learn more about the new DSM and how to easily migrate to it at [Microsoft 365 Defender - IBM Documentation](https://www.ibm.com/docs/en/dsm?topic=microsoft-365-defender).
+1. **Splunk SOAR** helps customers orchestrate workflows and automate tasks in seconds to work smarter and respond faster. Spunk SOAR is integrated with the new Microsoft 365 Defender APIs, including the alerts API. For more information, see [Microsoft 365 Defender | Splunkbase](https://splunkbase.splunk.com/app/6563)
+1. **Defender products** To learn more about the integration, see [Microsoft 365 Defender integration with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration).
+
+Additional integrations are listed in [Technological partners of Microsoft 365 Defender](technological-partners.md), or contact your SIEM / SOAR provider to learn about integrations they may provide.
+
+### Calling the Microsoft 365 Defender alerts API directly
+
+#### Migrate to the new Microsoft 365 Defender alerts API
+
+The below table provides a mapping between the SIEM API to the Microsoft 365 Defender alerts API:
+
+| SIEM API property | Mapping | Microsoft 365 Defender alert API property |
+|:|::|:|
+| AlertTime |->| createdDateTime |
+| ComputerDnsName |->| evidence/deviceEvidence: deviceDnsName |
+| AlertTitle |->| title |
+| Category |->| category |
+| Severity |->| severity |
+| AlertId |->| id |
+| Actor |->| actorDisplayName |
+| LinkToWDATP |->| alertWebUrl |
+| IocName | X | IoC fields not supported |
+| IocValue | X | IoC fields not supported |
+| CreatorIocName | X | IoC fields not supported |
+| CreatorIocValue | X | IoC fields not supported |
+| Sha1 |->| evidence/fileEvidence/fileDetails: sha1 (or evidence/processEvidence/imageFile: sha1) |
+| FileName |->| evidence/fileEvidence/fileDetails: fileName (or evidence/processEvidence/image: fileName) |
+| FilePath |->| evidence/fileEvidence/fileDetails: filePath (or evidence/processEvidence/image: filePath) |
+| IPAddress |->| evidence/ipEvidence: ipAddress |
+| URL | -> | evidence/urlEvidence: url |
+| IoaDefinitionId |->| detectorId |
+| UserName |->| evidence/userEvidence/userAccount: accountName |
+| AlertPart | X | Obsolete (MDE alerts are atomic/complete that are updatable, while the SIEM API were immutable records of detections) |
+| FullId | X | IoC fields not supported |
+| LastProcessedTimeUtc |->| lastActivityDateTime |
+| ThreatCategory |->| mitreTechniques [] |
+| ThreatFamilyName |->| threatFamilyName |
+| ThreatName |->| threatDisplayName |
+| RemediationAction |->| evidence: remediationStatus |
+| RemediationIsSuccess |->| evidence: remediationStatus (implied) |
+| Source |->| detectionSource (use with serviceSource: microsoftDefenderForEndpoint) |
+| Md5 | X | Not supported |
+| Sha256 |->| evidence/fileEvidence/fileDetails: sha256 (or evidence/processEvidence/imageFile: sha256) |
+| WasExecutingWhileDetected |->| evidence/processEvidence: detectionStatus |
+| UserDomain |->| evidence/userEvidence/userAccount: domainName |
+| LogOnUsers |->| evidence/deviceEvidence: loggedOnUsers [] |
+| MachineDomain |->| Included in evidence/deviceEvidence: deviceDnsName |
+| MachineName |->| Included in evidence/deviceEvidence: deviceDnsName |
+| InternalIPV4List | X | Not supported |
+| InternalIPV6List | X | Not supported |
+| FileHash |->| Use sha1 or sha256 |
+| DeviceID |->| evidence/deviceEvidence: mdeDeviceId |
+| MachineGroup |->| evidence/deviceEvidence: rbacGroupName |
+| Description |->| description |
+| DeviceCreatedMachineTags |->| evidence: tags [] (for deviceEvidence) |
+| CloudCreatedMachineTags |->| evidence: tags [] (for deviceEvidence) |
+| CommandLine | -> | evidence/processEvidence: processCommandLine |
+| IncidentLinkToWDATP |->| incidentWebUrl |
+| ReportId | X | Obsolete (MDE alerts are atomic/complete that are updatable, while the SIEM API were immutable records of detections) |
+| LinkToMTP |->| alertWebUrl |
+| IncidentLinkToMTP |->| incidentWebUrl |
+| ExternalId | X | Obsolete |
+| IocUniqueId | X | IoC fields not supported |
+
+## Generally available SIEM solution integrations
+
+Microsoft Defender for Endpoint currently supports the following SIEM solution integrations:
- [Ingesting incidents and alerts from the Microsoft 365 Defender and Microsoft Defender for Endpoint incidents and alerts REST APIs](#ingesting-incidents-and-alerts-from-the-microsoft-365-defender-and-microsoft-defender-for-endpoint-incidents-and-alerts-rest-apis) - [Ingesting Microsoft Defender for Endpoint events from the Microsoft 365 Defender event streaming API](#ingesting-microsoft-defender-for-endpoint-events-from-the-microsoft-365-defender-event-streaming-api)
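Review bot: In the numbered list under "Pulling Defender for Endpoint alerts into an external system", the Microsoft Sentinel item breaks off at "from all Microsoft 365" and its remainder appears as a fourth item, "**Defender products** To learn more about the integration, see ...", so the list shows four entries where three solutions are described. Join that text back onto item 1. In the same list, "Spunk SOAR" should be "Splunk SOAR". In the mapping table, Sha1 and Sha256 point to evidence/processEvidence/imageFile while FileName and FilePath point to evidence/processEvidence/image; please check the property name against the API schema and use one form throughout. The prerelease [!IMPORTANT] notice is also added twice, once near the top of the article and once under the new heading, and one of the two is probably enough.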
security Defender Endpoint Trial User Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-trial-user-guide.md
+
+ Title: Trial user guide - Microsoft Defender for Endpoint
+description: Use this guide to get the most of your 90-day free trial. See how Defender for Endpoint can help prevent, detect, investigate, and respond to advanced threats.
+search.appverid: MET150
+++
+audience: ITPro
+ Last updated : 07/07/2022+
+- m365-security
+- tier2
++
+ms.localizationpriority: medium
+
+f1.keywords: NOCSH
++
+# Trial user guide: Microsoft Defender for Endpoint
+
+Welcome to the Microsoft Defender for Endpoint Plan 2 trial user guide!
+
+This playbook is a simple guide to help you make the most of your free trial. Using the suggested steps in this article from the Microsoft Defender team, you'll learn how Defender for Endpoint can help you to prevent, detect, investigate, and respond to advanced threats.
+
+## What is Defender for Endpoint?
+
+[Defender for Endpoint](microsoft-defender-endpoint.md) is an enterprise endpoint security platform that uses the following combination of technology built into Windows and Microsoft's robust cloud service:
+
+- **Endpoint behavioral sensors**: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send sensor data to your private, isolated, cloud instance of Defender for Endpoint.
+
+- **Cloud security analytics**: Using big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Microsoft 365), and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
+
+- **Threat intelligence**: Generated by Microsoft hunters and security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Defender for Endpoint to identify attacker tools, techniques, and procedures, and generate alerts when they're observed in collected sensor data.
+
+<center><h2>Microsoft Defender for Endpoint</center></h2>
+<table>
+<tr>
+<td><a href="microsoft-defender-endpoint.md#tvm"><center><img src="images/logo-mdvm.png" alt="Vulnerability Management"> <br><b> Core Defender Vulnerability Management</b></center></a></td>
+<td><a href="microsoft-defender-endpoint.md#asr"><center><img src="images/asr-icon.png" alt="Attack surface reduction"><br><b>Attack surface reduction</b></center></a></td>
+<td><center><a href="microsoft-defender-endpoint.md#ngp"><img src="images/ngp-icon.png" alt="Next-generation protection"><br> <b>Next-generation protection</b></a></center></td>
+<td><center><a href="microsoft-defender-endpoint.md#edr"><img src="images/edr-icon.png" alt="Endpoint detection and response"><br> <b>Endpoint detection and response</b></a></center></td>
+<td><center><a href="microsoft-defender-endpoint.md#ai"><img src="images/air-icon.png" alt="Automated investigation and remediation"><br> <b>Automated investigation and remediation</b></a></center></td>
+<td><center><a href="microsoft-defender-endpoint.md#mte"><img src="images/mte-icon.png" alt="Microsoft Threat Experts"><br> <b>Microsoft Threat Experts</b></a></center></td>
+</tr>
+<tr>
+<td colspan="7">
+<a href="microsoft-defender-endpoint.md#apis"><center><b>Centralized configuration and administration, APIs</a></b></center></td>
+</tr>
+<tr>
+<td colspan="7"><a href="microsoft-defender-endpoint.md#mtp"><center><b>Microsoft 365 Defender</a></center></b></td>
+</tr>
+</table>
+<br>
+
+**Let's get started!**
+
+## Set up your trial
+
+1. [Confirm your license state](#step-1-confirm-your-license-state).
+2. [Set up role-based access control and grant permissions to your security team](#step-2-set-up-role-based-access-control-and-grant-permissions-to-your-security-team).
+3. [Visit the Microsoft 365 Defender portal](#step-3-visit-the-microsoft-365-defender-portal).
+4. [Onboard endpoints using any of the supported management tools](#step-4-onboard-endpoints-using-any-of-the-supported-management-tools).
+5. [Configure capabilities](#step-5-configure-capabilities).
+6. [Experience Microsoft Defender for Endpoint through simulated attacks](#step-6-experience-microsoft-defender-for-endpoint-through-simulated-attacks).
+7. [Set up the Microsoft Defender for Endpoint evaluation lab](#step-7-set-up-the-microsoft-defender-for-endpoint-evaluation-lab).
+
+## Step 1: Confirm your license state
+
+To make sure your Defender for Endpoint subscription is properly provisioned, you can check your license state in either the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)) or Azure Active Directory ([https://portal.azure.com](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products)).
+
+[Check your license state](production-deployment.md#check-license-state).
+
+## Step 2: Set up role-based access control and grant permissions to your security team
+
+Microsoft recommends using the concept of least privileges. Defender for Endpoint uses built-in roles within Azure Active Directory. [Review the different roles that are available](/azure/active-directory/roles/permissions-reference) and choose appropriate roles for your security team. Some roles may need to be applied temporarily and removed after the trial has been completed.
+
+Use [Privileged Identity Management](/azure/active-directory/active-directory-privileged-identity-management-configure) to manage your roles to provide extra auditing, control, and access review for users with directory permissions.
+
+Defender for Endpoint supports two ways to manage permissions:
+
+- Basic permissions management: Set permissions to either full access or read-only. Users with Global Administrator or Security Administrator roles in Azure Active Directory have full access. The Security reader role has read-only access and doesn't grant access to view machines/device inventory.
+- Role-based access control (RBAC): Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups. For more information, see [Manage portal access using role-based access control](rbac.md).
+
+ > [!NOTE]
+ > Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
+
+## Step 3: Visit the Microsoft 365 Defender portal
+
+The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is where you can access your Defender for Endpoint capabilities.
+
+1. [Review what to expect](../defender/microsoft-365-defender-portal.md) in the Microsoft 365 Defender portal.
+
+2. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in.
+
+3. In the navigation pane, see the **Endpoints** section to access your capabilities.
+
+## Step 4: Onboard endpoints using any of the supported management tools
+
+This section outlines the general steps you to onboard devices (endpoints).
+
+1. [Watch this video](https://www.microsoft.com/videoplayer/embed/RE4bGqr) for a quick overview of the onboarding process and learn about the available tools and methods.
+
+2. Review your [device onboarding tool options](onboarding.md) and select the most appropriate option for your environment.
+
+## Step 5: Configure capabilities
+
+After onboarding devices (endpoints), you'll configure the various capabilities, such as endpoint detection and response, next-generation protection, and attack surface reduction.
+
+Use [this table](onboarding.md) to choose components to configure. We recommend configuring all available capabilities, but you're able to skip the ones that don't apply.
+
+## Step 6: Experience Microsoft Defender for Endpoint through simulated attacks
+
+You might want to experience Defender for Endpoint before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Defender for Endpoint surfaces malicious activity and explore how it enables an efficient response.
+
+To run any of the provided simulations, you need at least [one onboarded device](onboard-configure.md).
+
+1. Access the tutorials. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, under **Endpoints**, choose **Tutorials**.
+
+2. Read the walkthrough document provided with each attack scenario. Each document includes OS and application requirements and detailed instructions that are specific to an attack scenario.
+
+3. [Run a simulation](attack-simulations.md).
+
+## Step 7: Set up the Microsoft Defender for Endpoint evaluation lab
+
+The Microsoft Defender for Endpoint evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. Using the simplified set-up experience in evaluation lab, you can focus on running your own test scenarios and the pre-made simulations to see how Defender for Endpoint performs.
+
+- [Watch the video overview](https://www.microsoft.com/videoplayer/embed/RE4qLUM) of the evaluation lab
+- [Get started with the lab](evaluation-lab.md)
++
+## See also
+
+- [Defender for Endpoint technical documentation](microsoft-defender-endpoint.md)
+- [Microsoft Security technical content library](https://www.microsoft.com/security/content-library/Home/Index)
+- [Defender for Endpoint demonstration](https://cdx.transform.microsoft.com/experience-detail/d5eca65d-13a3-464d-9171-c24cf9dd6050)
+
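Review bot: The HTML block under "What is Defender for Endpoint?" has mis-nested tags: `<center><h2>Microsoft Defender for Endpoint</center></h2>` closes `center` before `h2`, and both full-width rows close `</a>` first even though `<a>` was opened first. Close the tags in reverse order of opening, and set `colspan` to 6 to match the six cells in the first row (it is currently 7). In the prose, "device learning" under Cloud security analytics looks like a mistaken replacement of "machine learning", "the general steps you to onboard devices" in Step 4 is missing a verb, and the introduction still says "This playbook" although the article is titled a user guide.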
security Ios Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install.md
Deploy Defender for Endpoint on iOS via Intune Company Portal.
1. In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** > **iOS/iPadOS** > **Add** > **iOS store app** and click **Select**.
- > :::image type="content" source="images/ios-deploy-1.png" alt-text="The Add applications tab in the Microsoft Endpoint Manager Admin Center" lightbox="images/ios-deploy-1.png":::
+ :::image type="content" source="images/ios-deploy-1.png" alt-text="The Add applications tab in the Microsoft Endpoint Manager Admin Center" lightbox="images/ios-deploy-1.png":::
1. On the **Add app** page, click on **Search the App Store** and type **Microsoft Defender** in the search bar. In the search results section, click on *Microsoft Defender* and click **Select**.
-1. Select **iOS 11.0** as the Minimum operating system. Review the rest of information about the app and click **Next**.
+1. Select **iOS 12.0** as the Minimum operating system. Review the rest of information about the app and click **Next**.
1. In the **Assignments** section, go to the **Required** section and select **Add group**. You can then choose the user group(s) that you would like to target Defender for Endpoint on iOS app. Click **Select** and then **Next**.
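Review bot: The "Minimum operating system" step changes from iOS 11.0 to iOS 12.0, but nothing else in the visible change states the new minimum. Please check that the prerequisites and any system requirements text for Defender for Endpoint on iOS give the same version, so the install steps and the stated requirements do not disagree. The first step in this hunk also spells "Microsoft Endpoint manager admin center" with a lowercase "manager", unlike the later sign-in step that uses "Microsoft Endpoint Manager admin center".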
Deploy Defender for Endpoint on iOS via Intune Company Portal.
1. In the app information page that is displayed, in the **Monitor** section, select **Device install status** to verify that the device installation has completed successfully.
- > :::image type="content" source="images/ios-deploy-3.png" alt-text="The Device install status page" lightbox="images/ios-deploy-3.png":::
+ :::image type="content" source="images/ios-deploy-3.png" alt-text="The Device install status page" lightbox="images/ios-deploy-3.png":::
## Complete deployment for supervised devices
Configure the supervised mode for Defender for Endpoint app through an App confi
#### App configuration policy
- > [!NOTE]
- > This app configuration policy for supervised devices is applicable only to managed devices and should be targeted for ALL managed iOS devices as a best practice.
+> [!NOTE]
+> This app configuration policy for supervised devices is applicable only to managed devices and should be targeted for ALL managed iOS devices as a best practice.
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** \> **App configuration policies** \> **Add**. Select **Managed devices**.
- > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager Admin Center4.](images/ios-deploy-4.png)
+ :::image type="content" source="images/ios-deploy-4.png" alt-text="Image of Microsoft Endpoint Manager Admin Center4." lightbox="images/ios-deploy-4.png":::
1. In the *Create app configuration policy* page, provide the following information: - Policy Name - Platform: Select iOS/iPadOS - Targeted app: Select **Microsoft Defender for Endpoint** from the list
- > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager Admin Center5.](images/ios-deploy-5.png)
+ :::image type="content" source="images/ios-deploy-5.png" alt-text="Image of Microsoft Endpoint Manager Admin Center5." lightbox="images/ios-deploy-5.png":::
-1. In the next screen, select **Use configuration designer** as the format. Specify the following property:
+1. In the next screen, select **Use configuration designer** as the format. Specify the following properties:
- Configuration Key: `issupervised` - Value type: String - Configuration Value: `{{issupervised}}`
- > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager Admin Center6.](images/ios-deploy-6.png)
+ :::image type="content" source="images/ios-deploy-6.png" alt-text="Image of Microsoft Endpoint Manager Admin Center6." lightbox="images/ios-deploy-6.png":::
1. Select **Next** to open the **Scope tags** page. Scope tags are optional. Select **Next** to continue.
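Review bot: The three screenshots converted to the :::image syntax keep alt text such as "Image of Microsoft Endpoint Manager Admin Center4.", which tells a screen-reader user nothing about what the screenshot shows. Since these lines are being rewritten anyway, describe the content of each one, for example the Managed devices option, the Create app configuration policy page, and the configuration designer with the `issupervised` key.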
Configure the supervised mode for Defender for Endpoint app through an App confi
#### Device configuration profile
- > [!NOTE]
- > For devices that run iOS/iPadOS (in Supervised Mode), there is custom **.mobileconfig** profile, called the **ControlFilter** profile available. This profile enables Web Protection **without setting up the local loopback VPN on the device**. This gives end-users a seamless experience while still being protected from phishing and other web-based attacks.
+> [!NOTE]
+> For devices that run iOS/iPadOS (in Supervised Mode), there is custom **.mobileconfig** profile, called the **ControlFilter** profile available. This profile enables Web Protection **without setting up the local loopback VPN on the device**. This gives end-users a seamless experience while still being protected from phishing and other web-based attacks.
- Deploy a custom profile on supervised iOS devices. This is for enhanced Anti-phishing capabilities. Follow the steps below:
+Deploy a custom profile on supervised iOS devices. This is for enhanced Anti-phishing capabilities. Follow the steps below:
-1. Download the config profile from [https://aka.ms/mdeiosprofilesupervised](https://aka.ms/mdeiosprofilesupervised)
-1. Navigate to **Devices** > **iOS/iPadOS** > **Configuration profiles** > **Create Profile**
-1. Select **Profile Type** > **Templates** and **Template name** > **Custom**
+1. Download the config profile from [https://aka.ms/mdeiosprofilesupervised](https://aka.ms/mdeiosprofilesupervised).
+1. Navigate to **Devices** > **iOS/iPadOS** > **Configuration profiles** > **Create Profile**.
+1. Select **Profile Type** > **Templates** and **Template name** > **Custom**.
- > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager Admin Center7.](images/ios-deploy-7.png)
+ :::image type="content" source="images/ios-deploy-7.png" alt-text="Image of Microsoft Endpoint Manager Admin Center7." lightbox="images/ios-deploy-7.png":::
1. Provide a name of the profile. When prompted to import a Configuration profile file, select the one downloaded from the previous step. 1. In the **Assignment** section, select the device group to which you want to apply this profile. As a best practice, this should be applied to all managed iOS devices. Select **Next**.
- > [!NOTE]
- > Device Group creation is supported in both Defender for Endpoint Plan 1 and Plan 2
-1. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles.
+ > [!NOTE]
+ > Device Group creation is supported in both Defender for Endpoint Plan 1 and Plan 2.
+1. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles.
## Auto-Onboarding of VPN profile (Simplified Onboarding) For unsupervised devices, a VPN is used in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
->[!NOTE]
->For supervised devices, a VPN is not needed for Web Protection capability and requires admins to set up a configuration profile on supervised devices. To configure for supervised devices, follow the steps in the [Complete deployment for supervised devices](#complete-deployment-for-supervised-devices) section.
+> [!NOTE]
+> For supervised devices, a VPN is not needed for Web Protection capability and requires admins to set up a configuration profile on supervised devices. To configure for supervised devices, follow the steps in the [Complete deployment for supervised devices](#complete-deployment-for-supervised-devices) section.
Admins can configure auto-setup of VPN profile. This will automatically set up the Defender for Endpoint VPN profile without having the user to do so while onboarding.
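Review bot: The re-spaced note on supervised devices still carries a sentence whose grammatical subject is the VPN: "a VPN is not needed for Web Protection capability and requires admins to set up a configuration profile". Since the line is being touched anyway, split it so it is clear what requires the profile, for example "For supervised devices, Web Protection doesn't need a VPN. Admins set up a configuration profile instead." The trailing context sentence "without having the user to do so" has a similar slip ("without the user having to do so").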
This step simplifies the onboarding process by setting up the VPN profile. For a
1. Choose **Platform** as **iOS/iPadOS** and **Profile type** as **VPN**. Click **Create**. 1. Type a name for the profile and click **Next**. 1. Select **Custom VPN** for Connection Type and in the **Base VPN** section, enter the following:
- - Connection Name = Microsoft Defender for Endpoint
- - VPN server address = 127.0.0.1
- - Auth method = "Username and password"
- - Split Tunneling = Disable
- - VPN identifier = com.microsoft.scmx
- - In the key-value pairs, enter the key **AutoOnboard** and set the value to **True**.
- - Type of Automatic VPN = On-demand VPN
- - Select **Add** for **On Demand Rules** and select **I want to do the following = Connect VPN**, **I want to restrict to = All domains**.
-
- :::image type="content" source="images/ios-deploy-8.png" alt-text="The VPN profile Configuration settings tab" lightbox="images/ios-deploy-8.png":::
- - To mandate that VPN cannot be disabled in users device, Admins can select **Yes** from **Block users from disabling automatic VPN**. By default, it's not configured and users can disable VPN only in the Settings.
- - To allow Users to Change the VPN toggle from within the app, add **EnableVPNToggleInApp = TRUE**, in the key-value pairs. By default, users cannot change the toggle from within the app.
-
-1. Click Next and assign the profile to targeted users.
+ - Connection Name = Microsoft Defender for Endpoint
+ - VPN server address = 127.0.0.1
+ - Auth method = "Username and password"
+ - Split Tunneling = Disable
+ - VPN identifier = com.microsoft.scmx
+ - In the key-value pairs, enter the key **AutoOnboard** and set the value to **True**.
+ - Type of Automatic VPN = On-demand VPN
+ - Select **Add** for **On Demand Rules** and select **I want to do the following = Connect VPN**, **I want to restrict to = All domains**.
+
+ :::image type="content" source="images/ios-deploy-8.png" alt-text="The VPN profile Configuration settings tab." lightbox="images/ios-deploy-8.png":::
+
+ - To mandate that VPN cannot be disabled in users device, Admins can select **Yes** from **Block users from disabling automatic VPN**. By default, it's not configured and users can disable VPN only in the Settings.
+ - To allow Users to Change the VPN toggle from within the app, add **EnableVPNToggleInApp = TRUE**, in the key-value pairs. By default, users cannot change the toggle from within the app.
+
+1. Click **Next** and assign the profile to targeted users.
1. In the *Review + Create* section, verify that all the information entered is correct and then select **Create**. ## Zero-touch onboarding of Microsoft Defender for Endpoint
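Review bot: The two optional settings at the end of the Base VPN list ("Block users from disabling automatic VPN" and "EnableVPNToggleInApp = TRUE") don't say what is lost when the VPN is switched off. The section opens by stating that on unsupervised devices the VPN is what provides Web Protection, so these bullets should say whether disabling it also disables Web Protection, and which setting the page recommends. Smaller points in the same lines: "in users device" should read "on the user's device", the value casing differs between "True" (AutoOnboard) and "TRUE" (EnableVPNToggleInApp) without saying whether case matters, and this procedure uses "Click" where the zero-touch procedure uses "Select".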
Admins can configure Microsoft Defender for Endpoint to deploy and activate sile
1. Choose **Platform** as **iOS/iPadOS** and **Profile type** as **VPN**. Select **Create**. 1. Type a name for the profile and select **Next**. 1. Select **Custom VPN** for Connection Type and in the **Base VPN** section, enter the following:
- - Connection Name = Microsoft Defender for Endpoint
- - VPN server address = 127.0.0.1
- - Auth method = "Username and password"
- - Split Tunneling = Disable
- - VPN identifier = com.microsoft.scmx
- - In the key-value pairs, enter the key **SilentOnboard** and set the value to **True**.
- - Type of Automatic VPN = On-demand VPN
- - Select **Add** for **On Demand Rules** and select **I want to do the following = Connect VPN**, **I want to restrict to = All domains**.
+ - Connection Name = Microsoft Defender for Endpoint
+ - VPN server address = 127.0.0.1
+ - Auth method = "Username and password"
+ - Split Tunneling = Disable
+ - VPN identifier = com.microsoft.scmx
+ - In the key-value pairs, enter the key **SilentOnboard** and set the value to **True**.
+ - Type of Automatic VPN = On-demand VPN
+ - Select **Add** for **On Demand Rules** and select **I want to do the following = Connect VPN**, **I want to restrict to = All domains**.
- :::image type="content" source="images/ios-deploy-9.png" alt-text="The VPN profile Configuration page" lightbox="images/ios-deploy-9.png":::
+ :::image type="content" source="images/ios-deploy-9.png" alt-text="The VPN profile Configuration page" lightbox="images/ios-deploy-9.png":::
- - To mandate that VPN can't be disabled in users device, Admins can select **Yes** from **Block users from disabling automatic VPN**. By default, it's not configured and users can disable VPN only in the Settings.
- - To allow Users to Change the VPN toggle from within the app, add **EnableVPNToggleInApp = TRUE**, in the key-value pairs. By default, users can't change the toggle from within the app.
+ - To mandate that VPN can't be disabled in users device, Admins can select **Yes** from **Block users from disabling automatic VPN**. By default, it's not configured and users can disable VPN only in the Settings.
+ - To allow Users to Change the VPN toggle from within the app, add **EnableVPNToggleInApp = TRUE**, in the key-value pairs. By default, users can't change the toggle from within the app.
1. Select **Next** and assign the profile to targeted users. 1. In the *Review + Create* section, verify that all the information entered is correct and then select **Create**. Once the above configuration is done and synced with the device, the following actions take place on the targeted iOS device(s):
- - Microsoft Defender for Endpoint will be deployed and silently onboarded and the device will be seen in the Defender for Endpoint portal.
- - A provisional notification will be sent to the user device.
- - Web Protection and other features will be activated.
+- Microsoft Defender for Endpoint will be deployed and silently onboarded and the device will be seen in the Defender for Endpoint portal.
+- A provisional notification will be sent to the user device.
+- Web Protection and other features will be activated.
- > [!NOTE]
- > For supervised devices, although a VPN profile is not required, admins still can set up Zero-touch onboarding by configuring the Defender for Endpoint VPN profile through Intune. The VPN profile will be deployed on the device but will only be present on the device as a pass-through profile and can be deleted after initial onboarding.
+> [!NOTE]
+> For supervised devices, although a VPN profile is not required, admins still can set up Zero-touch onboarding by configuring the Defender for Endpoint VPN profile through Intune. The VPN profile will be deployed on the device but will only be present on the device as a pass-through profile and can be deleted after initial onboarding.
## Complete onboarding and check status
-1. Once Defender for Endpoint on iOS has been installed on the device, you
- will see the app icon.
+1. Once Defender for Endpoint on iOS has been installed on the device, you will see the app icon.
- :::image type="content" source="images/41627a709700c324849bf7e13510c516.png" alt-text="A smart phone Description automatically generated" lightbox="images/41627a709700c324849bf7e13510c516.png":::
+ :::image type="icon" source="images/41627a709700c324849bf7e13510c516.png":::
2. Tap the Defender for Endpoint app icon (MSDefender) and follow the on-screen instructions to complete the onboarding steps. The details include end-user acceptance of iOS permissions required by Defender for Endpoint on iOS. 3. Upon successful onboarding, the device will start showing up on the Devices list in the Microsoft 365 Defender portal.
- > :::image type="content" source="images/device-inventory-screen.png" alt-text="The Device inventory page" lightbox="images/device-inventory-screen.png":::
+ :::image type="content" source="images/device-inventory-screen.png" alt-text="The Device inventory page." lightbox="images/device-inventory-screen.png":::
## Configure Microsoft Defender for Endpoint for Supervised Mode
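Review bot: In the "Complete onboarding and check status" step, the app-icon image changes from type="content" to type="icon" and loses its alt-text entirely. Dropping the auto-generated "A smart phone Description automatically generated" text is right, but confirm the image is purely decorative. If it shows the reader which icon to look for, keep it as a content image with a real description. Also, the ios-deploy-9.png alt-text ("The VPN profile Configuration page") did not get the closing period that the other alt-texts in this commit received, and "in users device" is carried over unchanged in the re-indented bullets.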
The Microsoft Defender for Endpoint on iOS app has specialized ability on superv
Intune allows you to configure the Defender for iOS app through an App Configuration policy.
- > [!NOTE]
- > This app configuration policy for supervised devices is applicable only to managed devices and should be targeted for all managed iOS devices as a best practice.
+> [!NOTE]
+> This app configuration policy for supervised devices is applicable only to managed devices and should be targeted for all managed iOS devices as a best practice.
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** \> **App configuration policies** \> **Add**. Click on **Managed devices**.
- > :::image type="content" source="images/ios-deploy-4.png" alt-text="The Managed devices option" lightbox="images/ios-deploy-4.png":::
+ :::image type="content" source="images/ios-deploy-4.png" alt-text="The Managed devices option." lightbox="images/ios-deploy-4.png":::
1. In the *Create app configuration policy* page, provide the following information:
- - Policy Name
- - Platform: Select iOS/iPadOS
- - Targeted app: Select **Microsoft Defender for Endpoint** from the list
+ - Policy Name
+ - Platform: Select iOS/iPadOS
+ - Targeted app: Select **Microsoft Defender for Endpoint** from the list.
- > :::image type="content" source="images/ios-deploy-5.png" alt-text="The basic fields for the configuration policy for the application" lightbox="images/ios-deploy-5.png":::
+ :::image type="content" source="images/ios-deploy-5.png" alt-text="The basic fields for the configuration policy for the application." lightbox="images/ios-deploy-5.png":::
-1. In the next screen, select **Use configuration designer** as the format. Specify the following property:
- - Configuration Key: `issupervised`
- - Value type: String
- - Configuration Value: `{{issupervised}}`
+1. In the next screen, select **Use configuration designer** as the format. Specify the following properties:
+ - Configuration Key: `issupervised`
+ - Value type: String
+ - Configuration Value: `{{issupervised}}`
- > :::image type="content" source="images/ios-deploy-6.png" alt-text="The page from which to choose the format for the settings of the policy configuration" lightbox="images/ios-deploy-6.png":::
+ :::image type="content" source="images/ios-deploy-6.png" alt-text="The page from which to choose the format for the settings of the policy configuration." lightbox="images/ios-deploy-6.png":::
1. Click **Next** to open the **Scope tags** page. Scope tags are optional. Click **Next** to continue.
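Review bot: The configuration designer step now reads "Specify the following properties", but the list beneath it describes a single key (issupervised) with its value type and value, so the original singular was more accurate. Either revert to "property" or reword to "Specify the following key and value". In the previous step, only "Targeted app" gained a closing period while "Policy Name" and "Platform: Select iOS/iPadOS" did not. Pick one style for the list.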
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
ms.pagetype: security
ms.localizationpriority: medium Previously updated : 11/03/2022 Last updated : 11/07/2022 audience: ITPro
For more information on Microsoft Defender for Endpoint on other operating syste
**Known issues** Apple has identified an issue on macOS [Ventura upgrade](<https://developer.apple.com/documentation/macos-release-notes/macos-13_1-release-notes>), and expected to be fixed in the next release.
-The issue impacts Microsoft for endpoint security extensions, and might result in losing Full Disk Access Authorization, impacting its ability to function properly.
+The issue impacts Microsoft Defender for endpoint security extensions, and might result in losing Full Disk Access Authorization, impacting its ability to function properly.
-> To mitigate the risk with this issue, make sure that [Microsoft for Endpoint has Full Disk Access Authorization](mac-install-manually.md).
+> To mitigate the risk with this issue, make sure that [Microsoft Defender for Endpoint has Full Disk Access Authorization](mac-install-manually.md).
<details>
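Review bot: The corrected sentence reads "Microsoft Defender for endpoint security extensions" with a lowercase "endpoint", while the note right after it uses the product name "Microsoft Defender for Endpoint". As written it is unclear whether the product name or the extension type is meant. "The Microsoft Defender for Endpoint security extensions" would remove the ambiguity. The mitigation link points at mac-install-manually.md as a whole. If that page has a section on Full Disk Access, link to it directly so readers reach the check faster.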
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.mktglfcycl: manage
ms.sitesec: library ms.pagetype: security ms.localizationpriority: high Previously updated : 10/31/2022 Last updated : 11/07/2022 audience: ITPro
All our updates contain
- Integration improvements (Cloud, [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)) <br/><br/> <details>
-<summary>October-2022 (Platform: 4.18.2210.4 | Engine: 1.1.19800.x)</summary>
+<summary>October-2022 (Platform: 4.18.2210.5 | Engine: 1.1.19800.4)</summary>
-&ensp;Security intelligence update version: **x.x**<br/>
-&ensp;Release date: **October 31, 2022**<br/>
-&ensp;Platform: **4.18.2210.4**<br/>
-&ensp;Engine: **1.1.19800.x**<br/>
+&ensp;Security intelligence update version: **1.379.4.0**<br/>
+&ensp;Release date: **November 7, 2022**<br/>
+&ensp;Platform: **4.18.2210.5**<br/>
+&ensp;Engine: **1.1.19800.4**<br/>
&ensp;Support phase: **Security and Critical Updates**<br/>
-Engine version: 1.1.19800.x (*final version number coming soon*)<br/>
-Security intelligence update version: x.x (*coming soon*)<br/>
+Engine version: 1.1.19800.4<br/>
+Security intelligence update version: 1.379.4.0<br/>
### What's new - Improved hang detection in antivirus engine -- Added opt-in for defender updates during OOBE (out of box experience) process
+- Added opt-in for Defender updates during OOBE (out of box experience) process
- Improved [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) capability - Changed threat & vulnerability management (TVM)-warn and TVM-block action to block to resolve Intune's report - Removed Clean Action from Intune policy for `ThreadSeverityDefaultAction`
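Review bot: The summary line keeps the "October-2022" label while the release date in the same entry moves to November 7, 2022, and the file's own "Last updated" is 11/07/2022. If the monthly label is tied to the platform train rather than the ship date, say so once near the top of the list. Otherwise the two should agree. The entry also states the engine and security intelligence versions twice (the "&ensp;" fields and the "Engine version:" / "Security intelligence update version:" lines below "Support phase"), which is why replacing the placeholders took four edits. Consider keeping one copy.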
We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images). <details>
+<summary>20221102.3</summary>
+
+&ensp;Defender package version: **20221102.3**<br/>
+&ensp;Security intelligence version: **1.377.1180.0**<br/>
+&ensp;Engine version: **1.1.19700.3**<br/>
+&ensp;Platform version: **4.18.2210.4**<br/>
+
+### Fixes
+- None
+
+### Additional information
+- None
+
+<br/>
+</details><details>
<summary>20221014.1</summary> &ensp;Package version: **20221014.1**<br/>
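Review bot: The new 20221102.3 entry labels its first field "Defender package version", while the existing 20221014.1 entry directly below uses "Package version". Use one label across entries so the list stays consistent and searchable.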
security Trial User Guide Defender Vulnerability Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/trial-user-guide-defender-vulnerability-management.md
+
+ Title: Trial user guide - Microsoft Defender Vulnerability Management (public preview)
+description: Learn how Microsoft Defender Vulnerability Management can help you protect all your users and data.
+keywords: vulnerability management, threat and vulnerability management, Microsoft Defender for Endpoint TVM, Microsoft Defender for Endpoint-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, Microsoft Defender for Endpoint, Microsoft Defender Vulnerability Management, endpoint vulnerabilities, next generation
++
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- m365-security-compliance
+- tier1
++
+search.appverid: met150
++
+# Trial user guide: Microsoft Defender Vulnerability Management
+
+## Welcome to the Microsoft Defender Vulnerability Management trial user guide
+
+This user guide is a simple guide to help you make the most of your free trial. Using the suggested steps in this user guide from the Microsoft Security team, you'll learn how vulnerability management can help you protect all your users and data.
+
+## What is Microsoft Defender Vulnerability Management?
+
+Reducing cyber risk requires a comprehensive risk-based vulnerability management program to identify, assess, remediate, and track important vulnerabilities across your most critical assets.
+
+Microsoft Defender Vulnerability Management is a new service that proactively provides continuous real-time discovery and assessment of vulnerabilities, context-aware threat & business prioritization, and built-in remediation processes. It includes all Defender Vulnerability Management capabilities in Microsoft Defender for Endpoint and new enhanced capabilities so your teams can further intelligently assess, prioritize, and seamlessly remediate the biggest risks to your organization.
++
+Watch the following video to learn more about Defender Vulnerability Management:
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Y1FX]
+
+## Let's get started
+
+### Step 1: Set-up
+
+> [!NOTE]
+> Users need to have the global admin role defined in Azure AD to onboard the trial.
+
+1. Check [permissions and pre-requisites.](tvm-prerequisites.md)
+2. The Microsoft Defender Vulnerability Management preview trial can be accessed in several ways:
+
+ Via the [Microsoft 365 Defender portal](https://security.microsoft.com) under Trials.
+
+ :::image type="content" source="../../medivm-trialshub.png" alt-text="Screenshot of Microsoft Defender Vulnerability Management trial hub landing page.":::
+
+ Via the [Microsoft Admin Center](https://admin.microsoft.com/#/catalog) (global admins only).
+
+3. Sign up for the trial depends on whether you already have Microsoft Defender for Endpoint Plan 2 or not.
+ - If you have Defender for Endpoint Plan 2, choose [Defender Vulnerability Management Add-on](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-the-defender-vulnerability-management-add-on-public-preview-trial-for-defender-for-endpoint-plan-2-customers).
+ - If you don't have Defender for Endpoint Plan 1 or Plan 2, or Microsoft 365 E3, choose [Defender Vulnerability Management Standalone](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-standalone).
+4. When you're ready to get started, visit the [Microsoft 365 Defender portal](https://security.microsoft.com) to start using the Defender Vulnerability Management trial.
+
+> [!NOTE]
+> This is a public preview trial. Details on your purchase options for this new offering will be made available once the offering is generally available.
+
+> [!NOTE]
+> Once you activate the trial it can take up to 6 hours for the new features to become available in the portal.
+
+Now that you have set up your trial, it's time to try key capabilities.
+
+### Step 2: Know what to protect in a single view
+
+Built-in and agentless scanners continuously monitor and detect risk even when devices aren't connected to the corporate network. Expanded asset coverage consolidates software applications, digital certificates, network shares, and browser extensions into a single inventory view.
+
+1. [**Device inventory**](../defender-endpoint/machines-view-overview.md) - The device inventory shows a list of the devices in your network. By default, the list displays devices seen in the last 30 days. At a glance, you'll see information such as domains, risk levels, OS platform, associated CVEs, and other details for easy identification of devices most at risk.
+
+2. Discover and assess your organization's software in a single, consolidated inventory view:
+ - [**Software application inventory**](tvm-software-inventory.md) - the software inventory in Defender Vulnerability Management is a list of known applications in your organization. The view includes vulnerability and misconfiguration insights across installed software with prioritized impact scores and details such as OS platforms, vendors, number of weaknesses, threats, and an entity-level view of exposed devices.
+ - [**Browser extension assessments**](tvm-browser-extensions.md) - the browser extensions page displays a list of the extensions installed across different browsers in your organization. Extensions usually need different permissions to run properly. Defender Vulnerability Management provides detailed information on the permissions requested by each extension and identifies those with the highest associated risk levels, the devices with the extension turned on, installed versions, and more.
+ - [**Certificate inventory**](tvm-certificate-inventory.md) - the certificate inventory allows you to discover, assess, and manage digital certificates installed across your organization in a single view. This can help you:
+ - Identify certificates that are about to expire so you can update them and prevent service disruption.
+ - Detect potential vulnerabilities due to the use of weak signature algorithm (for example, SHA-1-RSA), short key size (for example, RSA 512 bit), or weak signature hash algorithm (for example, MD5).
+ - Ensure compliance with regulatory guidelines and organizational policy.
+
+3. [Assign device value](tvm-assign-device-value.md) - defining a device's value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the Defender Vulnerability Management exposure score calculation. Devices assigned as "high value" will receive more weight. Device value options:
+ - Low
+ - Normal (Default)
+ - High
+
+ You can also use the [set device value API](/microsoft-365/security/defender-endpoint/set-device-value).
+
+### Step 3: Track and mitigate remediation activities
+
+1. [**Request remediation**](tvm-remediation.md#request-remediation) - vulnerability management capabilities bridge the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Recommendation** pages to [Intune](/mem/intune/).
+2. [**View your remediation activities**](tvm-remediation.md#view-your-remediation-activities) - when you submit a remediation request from the Security recommendations page, it kicks-off a remediation activity. A security task is created that can be tracked on a **Remediation** page, and a remediation ticket is created in Microsoft Intune.
+3. [**Block vulnerable applications**](tvm-block-vuln-apps.md) - Remediating vulnerabilities takes time and can be dependent on the responsibilities and resources of the IT team. Security admins can temporarily reduce the risk of a vulnerability by taking immediate action to block all currently known vulnerable versions of an application or warn users with customizable messages before opening vulnerable app versions until the remediation request is completed. The block option gives IT teams time to patch the application without security admins worrying that the vulnerabilities will be exploited in the meantime.
+
+ - [How to block vulnerable applications](tvm-block-vuln-apps.md#how-to-block-vulnerable-applications)
+ - [View remediation activities](tvm-block-vuln-apps.md#view-remediation-activities)
+ - [View blocked applications](tvm-block-vuln-apps.md#view-blocked-applications)
+ - [Unblock applications](tvm-block-vuln-apps.md#unblock-applications)
+
+4. Use enhanced assessment capabilities such as [Network shares analysis](tvm-network-share-assessment.md) to protect vulnerable network shares. As network shares can be easily accessed by network users, small common weaknesses can make them vulnerable. These types of misconfigurations are commonly used in the wild by attackers for lateral movement, reconnaissance, data exfiltration, and more. That's why we built a new category of configuration assessments in Defender Vulnerability Management that identify the common weaknesses that expose your endpoints to attack vectors in Windows network shares. This helps you:
+ - Disallow offline access to shares
+ - Remove shares from the root folder
+ - Remove share write permission set to 'Everyone'
+ - Set folder enumeration for shares
+
+5. View and monitor your organization's devices using a [**Vulnerable devices report**](tvm-vulnerable-devices-report.md) that shows graphs and bar charts with vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure.
+
+### Step 4: Set up security baseline assessments
+
+Instead of running point-in-time compliance scans, security baselines assessment helps you to continuously and proactively monitor your organization's compliance against industry security benchmarks in real time. A security baseline profile is a customized profile that you can create to assess and monitor endpoints in your organization against industry security benchmarks (CIS, NIST, MS). When you create a security baseline profile, you're creating a template that consists of multiple device configuration settings and a base benchmark to compare against.
+
+Security baselines provide support for Center for Internet Security (CIS) benchmarks for Windows 10, Windows 11, and Windows Server 2008 R2 and above, as well as Security Technical Implementation Guides (STIG) benchmarks for Windows 10 and Windows Server 2019.
+
+1. Get started with [security baselines assessment](tvm-security-baselines.md#get-started-with-security-baselines-assessment)
+2. Review [security baseline profile assessment results](tvm-security-baselines.md#review-security-baseline-profile-assessment-results)
+3. [Use advanced hunting](tvm-security-baselines.md#use-advanced-hunting)
+
+### Step 5: Create meaningful reports to get in-depth insights using APIs and Advanced Hunting
+
+Defender Vulnerability Management APIs can help drive clarity in your organization with customized views into your security posture and automation of vulnerability management workflows. Alleviate your security team's workload with data collection, risk score analysis, and integrations with your other organizational processes and solutions. For more information, see:
+
+- [Export assessment methods and properties per device](../defender-endpoint/get-assessment-methods-properties.md)
+- [Defender Vulnerability Management APIs blog](https://techcommunity.microsoft.com/t5/microsoft-defender-vulnerability/new-threat-amp-vulnerability-management-apis-create-reports/ba-p/2445813)
+
+Advanced hunting enables flexible access to Defender Vulnerability Management raw data, which allows you to proactively inspect entities for known and potential threats.
+For more information, see [Hunt for exposed devices](../defender-endpoint/advanced-hunting-overview.md).
+
+## Additional resources
+
+- Compare offerings: [Microsoft Defender Vulnerability Management](defender-vulnerability-management-capabilities.md)
+- [Defender Vulnerability Management documentation](../defender-vulnerability-management/index.yml)
+- Datasheet: [Microsoft Defender Vulnerability Management: Reduce cyber risk with continuous vulnerability discovery and assessment, risk-based prioritization, and remediation](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4XR02)
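Review bot: In Step 1, item 3, the two sign-up branches don't cover every reader: the first applies to customers with Defender for Endpoint Plan 2, the second to those without "Defender for Endpoint Plan 1 or Plan 2, or Microsoft 365 E3", so a tenant with Plan 1 or Microsoft 365 E3 is given no path. Add the missing case or state which link those customers should follow. The same item opens with "Sign up for the trial depends on", which should be "Signing up for the trial depends on". In Step 4, the profile description lists "(CIS, NIST, MS)" while the next paragraph names CIS and STIG as the supported benchmarks. The two lists should match. Step 3, item 5 has "breath and scope" for "breadth and scope".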
security Microsoft 365 Security Center Defender Cloud Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud-apps.md
- [Microsoft 365 Defender](microsoft-365-defender.md) - [Microsoft Defender for Cloud Apps](/defender-cloud-apps/)
-Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender. The Microsoft 365 Defender portal allows security admins to perform their security tasks in one location. This will simplify workflows, and add the functionality of the other Microsoft 365 Defender services. Microsoft 365 Defender will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure.
+Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender. The Microsoft 365 Defender portal allows security admins to perform their security tasks in one location. This simplifies workflows, and adds the functionality of the other Microsoft 365 Defender services. Microsoft 365 Defender will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure.
SOC analysts will be able to triage, investigate and hunt across all Microsoft 365 Defender workloads, including cloud apps. Defender for Cloud Apps alerts will continue to appear in Microsoft 365 Defender's incidents queue and alerts queue, but now with relevant content inside the alert pages available in the Microsoft 365 Defender portal, in a unified format with the proper adaptations to each alerts type.
As part of the creation of a dedicated **Assets** section that spans the entire
## Related videos -- [Protecting cloud apps in Microsoft 365 Defender](https://www.microsoft.com/videoplayer/embed/RE59yVU)
+Learn how to protect your cloud apps in Microsoft 365 Defender:
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE59yVU]
## Related information
security Microsoft Secure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score.md
Currently there are recommendations for the following products:
- Azure Active Directory - Microsoft Defender for Endpoint - Microsoft Defender for Identity-- Defender for Cloud Apps
+- Microsoft Defender for Cloud Apps
- Microsoft Teams Recommendations for other security products are coming soon. The recommendations won't cover all the attack surfaces associated with each product, but they're a good baseline. You can also mark the improvement actions as covered by a third party or alternate mitigation.
security Supply Chain Malware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/supply-chain-malware.md
Supply chain attacks are an emerging kind of threat that target software develop
## How supply chain attacks work
-> [!video https://www.youtube.com/embed/uXm2XNSavwo]
Attackers hunt for unsecure network protocols, unprotected server infrastructures, and unsafe coding practices. They break in, change source codes, and hide malware in build and update processes.
The number of potential victims is significant, given the popularity of some app
* Pre-installed malware on devices (cameras, USB, phones, etc.)
-To learn more about supply chain attacks, read this blog post called [attack inception: compromised supply chain within a supply chain poses new risks](https://cloudblogs.microsoft.com/microsoftsecure/2018/07/26/attack-inception-compromised-supply-chain-within-a-supply-chain-poses-new-risks/).
+To learn more about supply chain attacks, read this blog post called [attack inception: compromised supply chain within a supply chain poses new risks](https://www.microsoft.com/security/blog/2018/07/26/attack-inception-compromised-supply-chain-within-a-supply-chain-poses-new-risks/).
## How to protect against supply chain attacks
security Configure Mdo Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies.md
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
> [!NOTE] >
- > - In each anti-phishing policy, you can specify a maximum of 301 protected users (sender email addresses). You can't specify the same protected user in multiple policies.
+ > - In each anti-phishing policy, you can specify a maximum of 350 protected users (sender email addresses). You can't specify the same protected user in multiple policies.
> - User impersonation protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message will be identified as an impersonation attempt. - **Enable users to protect**: The default value is off (not selected). To turn it on, select the check box, and then click the **Manage (nn) sender(s)** link that appears.
security Configure Your Spam Filter Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-your-spam-filter-policies.md
Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates
> > Think very carefully before you add domains to the allowed domains list. For more information, see [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md) >
- > Never add your own [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) or common domains (for example, microsoft.com or office.com) to the allowed domains list. If these domains are allowed to bypass spam filtering, attackers can easily send messages that spoof these trusted domains into your organization.
+ > As of September 2022, if an allowed sender, domain, or subdomain is in an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization, that sender, domain, or subdomain must pass [email authentication](email-validation-and-authentication.md) checks in order to skip anti-spam filtering.
+ >
+ > Never add common domains (for example, microsoft.com or office.com) to the allowed domains list. If these domains are allowed to bypass spam filtering, attackers can easily send messages that spoof these trusted domains into your organization.
> > Manually blocking domains by adding the domains to the blocked domains list isn't dangerous, but it can increase your administrative workload. For more information, see [Create block sender lists in EOP](create-block-sender-lists-in-office-365.md). >
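Review bot: The rewritten note drops the instruction not to allow-list your own accepted domains and replaces it with a behavior statement, so the page no longer says whether listing an accepted domain is still discouraged. The added sentence also leaves open which checks count as "email authentication" and what happens to a message that fails them. Suggest keeping a one-line recommendation about accepted domains and stating the failure outcome, since an entry that passes authentication still skips anti-spam filtering.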
security Create Safe Sender Lists In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365.md
The next best option is to add the source email server or servers to the IP Allo
> > This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, if a message from an entry in the allowed senders or allowed domains lists is determined to be malware or high confidence phishing, the message will be filtered. >
-> Do not use domains you own (also known as accepted domains) or popular domains (for example, microsoft.com) in allowed domain lists.
+> Do not use popular domains (for example, microsoft.com) in allowed domain lists.
The least desirable option is to use the allowed sender list or allowed domain list in anti-spam policies. You should avoid this option _if at all possible_ because senders bypass all spam, spoof, phishing protection (except high confidence phishing), and sender authentication (SPF, DKIM, DMARC). This method is best used for temporary testing only. The detailed steps can be found in [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md) topic. The maximum limit for these lists is approximately 1000 entries; although, you will only be able to enter 30 entries into the portal. You must use PowerShell to add more than 30 entries.
+> [!NOTE]
+> As of September 2022, if an allowed sender, domain, or subdomain is in an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization, that sender, domain, or subdomain must pass [email authentication](email-validation-and-authentication.md) checks in order to skip anti-spam filtering.
+ ## Considerations for bulk email A standard SMTP email message consists of a _message envelope_ and message content. The message envelope contains information that's required for transmitting and delivering the message between SMTP servers. The message content contains message header fields (collectively called the _message header_) and the message body. The message envelope is described in RFC 5321, and the message header is described in RFC 5322. Recipients never see the actual message envelope because it's generated by the message transmission process, and it isn't actually part of the message.
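Review bot: The added note conflicts with the unchanged paragraph just above it, which still says allowed senders and domains bypass "sender authentication (SPF, DKIM, DMARC)"; per the note, entries in an accepted domain must now pass email authentication to skip filtering. Qualify that paragraph (for example, "except for entries in your accepted domains, as described in the following note") or move the note ahead of it. The shortened warning "Do not use popular domains" also no longer mentions accepted domains, so state whether listing them is still discouraged.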
security Manage Tenant Allow Block List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-tenant-allow-block-list.md
These articles contain procedures in the Microsoft 365 Defender Portal and in Po
## Block entries in the Tenant Allow/Block List
+> [!NOTE]
+> In the Tenant Allow/Block List, block entries take precedence over allow entries.
+ Use the Submissions portal (also known as *admin submission*) at <https://security.microsoft.com/reportsubmission> to create block entries for the following types of items as you report them as false positives to Microsoft: - **Domains and email addresses**:
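Review bot: The new precedence note is added under the block entries heading, but its consequence lands on allow entries: an admin who creates an allow entry for an item that already has a block entry gets no effect from it. Suggest stating that outcome in the note and placing or repeating it where allow entries are described. Separately, the line that follows says block entries are created as items are reported "as false positives"; confirm whether "false negatives" is meant, since a block entry is the usual response to a message that should have been caught.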
security Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md
You might want to apply the **Standard** or **Strict** preset security policies
Each entry consists of a display name and an email address. Enter each value in the boxes and then click **Add**. Repeat this step as many times as necessary.
- You can specify a maximum of 301 users, and you can't specify the same user in the user impersonation protection settings in multiple policies.
+ You can specify a maximum of 350 users, and you can't specify the same user in the user impersonation protection settings in multiple policies.
To remove an existing entry from the list, click ![Remove user from impersonation protection icon.](../../media/m365-cc-sc-remove.png).
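Review bot: The changed sentence says "a maximum of 350 users" while the other two articles updated for the same limit say "350 protected users (sender email addresses)"; in a step about impersonation protection, plain "users" can be read as the recipients the policy applies to. Suggest matching the wording: "a maximum of 350 protected users (sender email addresses)".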
security Set Up Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-anti-phishing-policies.md
The following impersonation settings are only available in anti-phishing policie
> [!NOTE] >
- > - In each anti-phishing policy, you can specify a maximum of 301 protected users (sender email addresses). You can't specify the same protected user in multiple policies. So, regardless of how many policies apply to a recipient, the maximum number of protected users (sender email addresses) for each individual recipient is 301. For more information about policy priority and how policy processing stops after the first policy is applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
+ > - In each anti-phishing policy, you can specify a maximum of 350 protected users (sender email addresses). You can't specify the same protected user in multiple policies. So, regardless of how many policies apply to a recipient, the maximum number of protected users (sender email addresses) for each individual recipient is 350. For more information about policy priority and how policy processing stops after the first policy is applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
> - User impersonation protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message will be identified as an impersonation attempt. By default, no sender email addresses are configured for impersonation protection in **Users to protect**. Therefore, by default, no sender email addresses are covered by impersonation protection, either in the default policy or in custom policies.
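Review bot: The limit is now written out twice in this one bullet ("a maximum of 350 protected users" and "for each individual recipient is 350") and again in the configure-mdo-anti-phishing-policies and preset-security-policies hunks of this same update, so every change to the number means editing at least four places. Consider moving the value into a shared include so the next change is made once and the articles cannot drift apart.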
security Trial User Guide Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/trial-user-guide-defender-for-office-365.md
+
+ Title: "Microsoft Defender for Office 365 trial user guide"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+ms.localizationpriority: high
+
+search.appverid:
+- MOE150
+- MET150
+description: "Microsoft Defender for Office 365 solutions trial user guide."
++++
+# Trial user guide: Microsoft Defender for Office 365
++
+**Applies to:**
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+Welcome to the Microsoft Defender for Office 365 trial user guide! This user guide will help you make the most of your free trial by teaching you how to safeguard your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.
+
+## What is Defender for Office 365?
+
+Defender for Office 365 helps organizations secure their enterprise by offering a comprehensive slate of capabilities including threat protection policies, reports, threat investigation and response capabilities and automated investigation and response capabilities.
++
+In addition to the detection of advanced threats, the following video shows how the SecOps capabilities of Defender for Office 365 can help your team respond to threats:
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWMmIe]
+
+### Audit mode vs. blocking mode for Defender for Office 365
+
+Do you want your Defender for Office 365 experience to be active or passive? These are the two modes that you can select from:
+
+- **Audit mode**: Special *evaluation policies* are created for anti-phishing (which includes impersonation protection), Safe Attachments, and Safe Links. These evaluation policies are configured to *detect* threats only. Defender for Office 365 detects harmful messages for reporting, but the messages aren't acted upon (for example, detected messages aren't quarantined). The settings of these evaluation policies are described in the [Policies in audit mode](try-microsoft-defender-for-office-365.md#policies-in-audit-mode) section later in this article.
+
+ Audit mode provides access to customized reports for threats detected by Defender for Office 365 on the **Evaluation mode** page at <https://security.microsoft.com/atpEvaluation>.
+
+- **Blocking mode**: The Standard template for [preset security policies](preset-security-policies.md) is turned on and used for the trial, and the users you specify to include in the trial are added to the Standard preset security policy. Defender for Office 365 *detects* and *takes action on* harmful messages (for example, detected messages are quarantined).
+
+ The default and recommended selection is to scope these Defender for Office 365 policies to all users in the organization. But during or after the setup of your trial, you can change the policy assignment to specific users, groups, or email domains in the Microsoft 365 Defender portal or in [Policy settings associated with Defender for Office 365 trials](try-microsoft-defender-for-office-365.md#policy-settings-associated-with-defender-for-office-365-trials)
+
+ Blocking mode does not provide customized reports for threats detected by Defender for Office 365. Instead, the information is available in the regular reports and investigation features of Defender for Office 365 Plan 2.
+
+A key factor in audit mode vs. blocking mode is how email is delivered to your Microsoft 365 organization:
+
+- Mail from the internet flows directly Microsoft 365, but your current subscription has only [Exchange Online Protection (EOP)](exchange-online-protection-overview.md) or [Defender for Office 365 Plan 1](overview.md#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet).
+
+ ![Mail flows from the internet into Microsoft 365, with protection from EOP and/or Defender for Office 365 Plan 1.](../../media/mdo-trial-mail-flow.png)
+
+ In these environments, you can select **audit mode** or **blocking mode**.
+
+- You're currently using a third-party service or device for email protection of your Microsoft 365 mailboxes. Mail from the internet flows through the protection service before delivery into your Microsoft 365 organization. Microsoft 365 protection is as low as possible (it's never completely off; for example, malware protection is always enforced).
+
+ ![Mail flows from the internet through the third-party protection service or device before delivery into Microsoft 365.](../../media/mdo-migration-before.png)
+
+ In these environments, you can select **audit mode** only. You don't need to change your mail flow (MX records).
+
+Let's get started!
+
+## Blocking mode
+
+### Step 1: Getting started in blocking mode
+
+#### Start your Microsoft Defender for Office 365 trial
+
+After you've initiated the trial and completed the [setup process](try-microsoft-defender-for-office-365.md#set-up-an-evaluation-or-trial-in-blocking-mode), it may take up to 2 hours for changes to take effect.
+
+We've automatically configured [Preset security policies](preset-security-policies.md) in your environment. These policies represent a baseline protection profile that's suitable for most users. Standard protection includes:
+
+- Safe Links, Safe Attachments and anti-phishing policies that are scoped to the entire tenant or subset of users you may have chosen during the trial setup process.
+- Safe Attachments protection for SharePoint, OneDrive, and Microsoft Teams.
+- Safe Links protection for supported Office 365 apps.
+
+Watch this video to learn more: [Protect against malicious links with Safe Links in Microsoft Defender for Office 365 - YouTube](https://www.youtube.com/watch?v=vhIJ1Veq36Y&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=9).
+
+#### Enable users to report suspicious content in blocking mode
+
+Defender for Office 365 enables users to report messages to their security teams and allows admins to submit messages to Microsoft for analysis.
+
+- Deploy the [Report Message add-in or the Report Phishing add-in](enable-the-report-message-add-in.md).
+- Establish a workflow to [Report false positives and false negatives](report-false-positives-and-false-negatives.md).
+- Use the [Submissions portal](admin-submission.md).
+
+Watch this video to learn more: [Learn how to use the Submissions portal to submit messages for analysis - YouTube](https://www.youtube.com/watch?v=ta5S09Yz6Ks&ab_channel=MicrosoftSecurit).
+
+#### Review reports to understand the threat landscape in blocking mode
+
+Use the reporting capabilities in Defender for Office 365 to get more details about your environment.
+
+- Understand threats received in email and collaboration tools with the [Threat protection status report](view-email-security-reports.md#threat-protection-status-report).
+- See where threats are blocked with the [Mailflow status report](view-email-security-reports.md#mailflow-status-report).
+- [Review links](view-reports-for-mdo.md#url-protection-report) that were viewed by users or blocked by the system.
++
+### Step 2: Intermediate steps in blocking mode
+
+#### Prioritize focus on your most targeted users
+
+Protect your most targeted and most visible users with Priority Account Protection in Defender for Office 365, which helps you prioritize your workflow to ensure these users are safe.
+
+- Identify your most targeted or most visible users.
+- [Tag these users](../../admin/setup/priority-accounts.md#add-priority-accounts-from-the-setup-page) as priority accounts.
+- Track threats to priority account throughout the portal.
+
+Watch this video to learn more: [Protecting priority accounts in Microsoft Defender for Office 365 - YouTube](https://www.youtube.com/watch?v=tqnj0TlzQcI&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=11).
++
+### Avoid costly breaches by preventing user compromise
+
+Get alerted to potential compromise and automatically limit the impact of these threats to prevent attackers from gaining deeper access to your environment.
+
+- Review [compromised user alerts](address-compromised-users-quickly.md#compromised-user-alerts).
+- [Investigate and respond](address-compromised-users-quickly.md) to compromised users.
++
+Watch this video to learn more: [Detect and respond to compromise in Microsoft Defender for Office 365 - YouTube](https://www.youtube.com/watch?v=Pc7y3a-wdR0&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=5).
+
+#### Use Threat Explorer to investigate malicious email
+
+Defender for Office 365 enables you to investigate activities that put people in your organization at risk and to take action to protect your organization. You can do this using [Threat Explorer](threat-explorer.md).
+
+- [Find suspicious email that was delivered](investigate-malicious-email-that-was-delivered.md#find-suspicious-email-that-was-delivered): Find and delete messages, identify the IP address of a malicious email sender, or start an incident for further investigation.
+- [Check the delivery action and location](investigate-malicious-email-that-was-delivered.md#check-the-delivery-action-and-location): This check lets you know the location of problem email messages.
+- [View the timeline of your email](investigate-malicious-email-that-was-delivered.md#view-the-timeline-of-your-email): Simply hunting for your security operations team.
+
+#### See campaigns targeting your organization
+
+See the bigger picture with Campaign Views in Defender for Office 365, which gives you a view of the attack campaigns targeting your organization and the impact they have on your users.
+
+- [Identify campaigns](campaigns.md#what-is-a-campaign) targeting your users.
+- [Visualize the scope](campaigns.md#campaign-views-in-the-microsoft-365-defender-portal) of the attack.
+- [Track user interaction](campaigns.md#campaign-details) with these messages.
+
+ :::image type="content" source="../../medio-trial-playbook-campaign-details.png":::
+
+Watch this video to learn more: [Campaign Views in Microsoft Defender for Office 365 - YouTube](https://www.youtube.com/watch?v=DvqzzYKu7cQ&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=14).
+
+#### Use automation to remediate risks
+
+Respond efficiently using Automated investigation and response (AIR) to review, prioritize, and respond to threats.
+
+- [Learn more](automated-investigation-response-office.md) about investigation user guides.
+- [View details and results](email-analysis-investigations.md) of an investigation.
+- Eliminate threats by [approving remediation actions](air-remediation-actions.md).
++
+### Step 3: Advanced content in blocking mode
+
+#### Dive deep into data with query-based hunting
+
+Use Advanced hunting to write custom detection rules, proactively inspect events in your environment, and locate threat indicators. Explore raw data in your environment.
+
+- [Build custom detection rules](../defender/custom-detections-overview.md).
+- [Access shared queries](../defender/advanced-hunting-shared-queries.md) created by others.
+
+Watch this video to learn more: [Threat hunting with Microsoft 365 Defender - YouTube](https://www.youtube.com/watch?v=l3OmH4U6XAs&list=PL3ZTgFEc7Lyt1O81TZol31YXve4e6lyQu&index=4).
+
+#### Train users to spot threats by simulating attacks
+
+Equip your users with the right knowledge to identify threats and report suspicious messages with Attack simulation training in Defender for Office 365.
+
+- [Simulate realistic threats](attack-simulation-training.md) to identify vulnerable users.
+- [Assign training](attack-simulation-training.md#assign-training) to users based on simulation results.
+- [Track progress](attack-simulation-training-insights.md) of your organization in simulations and training completion.
+
+ :::image type="content" source="../../medio-trial-playbook-attack-simulation-training-results.png":::
+
+## Auditing mode
+
+### Step 1: Get started in auditing mode
+
+#### Start your Defender for Office 365 evaluation
+
+After you've completed the [setup process](try-microsoft-defender-for-office-365.md#set-up-an-evaluation-or-trial-in-audit-mode), it may take up to 2 hours for changes to take effect. We've automatically configured Preset Evaluation policies in your environment.
+
+Evaluation policies ensure no action is taken on email that's detected by Defender for Office 365.
+
+#### Enable users to report suspicious content in auditing mode
+
+Defender for Office 365 enables users to report messages to their security teams and allows admins to submit messages to Microsoft for analysis.
+
+- Deploy the [Report Message add-in or the Report Phishing add-in](enable-the-report-message-add-in.md).
+- Establish a workflow to [Report false positives and false negatives](report-false-positives-and-false-negatives.md).
+- Use the [Submissions portal](admin-submission.md).
+
+Watch this video to learn more: [Learn how to use the Submissions portal to submit messages for analysis - YouTube](https://www.youtube.com/watch?v=ta5S09Yz6Ks&ab_channel=MicrosoftSecurit).
+
+#### Review reports to understand the threat landscape in auditing mode
+
+Use the reporting capabilities in Defender for Office 365 to get more details about your environment.
+
+- The [Evaluation dashboard](try-microsoft-defender-for-office-365.md#reports-for-audit-mode) provides an easy view of the threats detected by Defender for Office 365 during evaluation.
+- Understand threats received in email and collaboration tools with the [Threat protection status report](view-email-security-reports.md#threat-protection-status-report).
+
+### Step 2: Intermediate steps in auditing mode
+
+#### Use Threat Explorer to investigate malicious email in auditing mode
+
+Defender for Office 365 enables you to investigate activities that put people in your organization at risk and to take action to protect your organization. You can do this using [Threat Explorer](threat-explorer.md).
+
+- [Find suspicious email that was delivered](investigate-malicious-email-that-was-delivered.md#find-suspicious-email-that-was-delivered): Find and delete messages, identify the IP address of a malicious email sender, or start an incident for further investigation.
+- [Check the delivery action and location](investigate-malicious-email-that-was-delivered.md#check-the-delivery-action-and-location): This check lets you know the location of problem email messages.
+- [View the timeline of your email](investigate-malicious-email-that-was-delivered.md#view-the-timeline-of-your-email): Simply hunting for your security operations team.
+
+#### Convert to Standard Protection at the end of evaluation period
+
+When you're ready to turn on Defender for Office 365 policies in production, you can use "Convert to Standard Protection" within the evaluation management experience to easily move to Standard protection in [preset security policies](preset-security-policies.md).
+
+1. On the **Microsoft Defender for Office 365 evaluation** page at <https://security.microsoft.com/atpEvaluation>, click **Manage**.
+
+ :::image type="content" source="../../medio-evaluation-page.png":::
+
+2. In the flyout that opens, click **Convert to Standard protection**
+
+ :::image type="content" source="../../medio-trial-playbook-manage-flyout.png":::
+
+3. In the **Convert to standard protection** dialog that opens, click **Continue** to initiate the setup.
+
+#### Migrate from a third-party protection service or device to Defender for Office 365
+
+If you already have an existing third-party protection service or device that sits in front of Microsoft 365, you can migrate your protection to Microsoft Defender for Office 365 to get the benefits of a consolidated management experience, potentially reduced cost (using products that you already pay for), and a mature product with integrated security protection.
+
+For more information, see [Migrate from a third-party protection service or device to Microsoft Defender for Office 365](migrate-to-defender-for-office-365.md).
+
+### Step 3: Advanced content in auditing mode
+
+#### Train users to spot threats by simulating attacks in auditing mode
+
+Equip your users with the right knowledge to identify threats and report suspicious messages with Attack simulation training in Defender for Office 365.
+
+- [Simulate realistic threats](attack-simulation-training.md) to identify vulnerable users.
+- [Assign training](attack-simulation-training.md#assign-training) to users based on simulation results.
+- [Track progress](attack-simulation-training-insights.md) of your organization in simulations and training completion.
+
+ :::image type="content" source="../../medio-trial-playbook-attack-simulation-training-results.png":::
+
+## Additional resources
+
+- **Interactive guide**: Unfamiliar with Defender for Office 365? Review the [interactive guide](https://mslearn.cloudguides.com/guides/Safeguard%20your%20organization%20with%20Microsoft%20Defender%20for%20Office%20365) to understand how to get started.
+- **Fast Track Get Started Guide***: [Microsoft Defender for Office 365](https://go.microsoft.com/fwlink/p/?linkid=2197415)
+- **Microsoft Defender for Office 365 documentation**: Get detailed information on how Defender for Office 365 works and how to best implement it for your organization. Visit the [Microsoft Defender for Office 365 documentation](defender-for-office-365.md).
+- **What's included**: For a full list of Office 365 email security features listed by product tier, view the [Feature Matrix](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#feature-availability).
+- **Why Defender for Office 365**: The [Defender for Office 365 Datasheet](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4FCiy) shows the top 10 reasons customers choose Microsoft.
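Review bot: In the Audit mode bullet, the link to try-microsoft-defender-for-office-365.md#policies-in-audit-mode is described as a "section later in this article", but the target is a different article; drop "later in this article" or name the target article. Other items in this new file: the mode is "audit mode" in the introduction but "auditing mode" in every heading from "## Auditing mode" on; "### Avoid costly breaches by preventing user compromise" is one level higher than its sibling "####" headings under Step 2; "flows directly Microsoft 365" is missing "into"; "Simply hunting for your security operations team" looks like it should be "Simplify"; the blocking-mode sentence that ends with the "Policy settings associated with Defender for Office 365 trials" link has no closing period and seems to be missing words before the link; the ":::image" lines carry no alt text; and "**Fast Track Get Started Guide***" has a stray asterisk.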
security Try Microsoft Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365.md
Before you try Defender for Office 365 Plan 2, there are some key questions that
This article will help you answer those questions so you can try Defender for Office 365 Plan 2 in a way that best meets the needs of your organization.
-For a companion guide for how to use your trial, see [Trial playbook: Microsoft Defender for Office 365](trial-playbook-defender-for-office-365.md).
+For a companion guide for how to use your trial, see [Trial User Guide: Microsoft Defender for Office 365](trial-user-guide-defender-for-office-365.md).
## Overview of Defender for Office 365
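Review bot: The link target moves from trial-playbook-defender-for-office-365.md to trial-user-guide-defender-for-office-365.md, and nothing in this update shows a redirect for the old playbook path, so existing bookmarks and inbound links may break; confirm a redirect is in place. The new link text "Trial User Guide: Microsoft Defender for Office 365" also differs in case from the new article's H1, "Trial user guide: Microsoft Defender for Office 365".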
Remember, when you evaluate Defender for Office 365 in audit mode, special evalu
As explained in the previous step, Enhanced Filtering for Connectors is automatically configured on the connector that you specify as the source of mail from the protection service.
- Turning on Enhanced Filtering for Connectors without an SCL=-1 rule for incoming mail from the protection service will vastly improve the detection capabilities of EOP protection features like [spoof intelligence](anti-spoofing-protection.md), and could impact the delivery of those newly-detected messages (for example, move to the Junk Email folder or to quarantine). This impact is limited to EOP policies; as previously explained, Defender for Office 365 policies are created in audit mode.
+ Turning on Enhanced Filtering for Connectors without an SCL=-1 rule for incoming mail from the protection service will vastly improve the detection capabilities of EOP protection features like [spoof intelligence](anti-spoofing-protection.md), and could impact the delivery of those newly detected messages (for example, move to the Junk Email folder or to quarantine). This impact is limited to EOP policies; as previously explained, Defender for Office 365 policies are created in audit mode.
To create an SCL=-1 mail flow rule or to review your existing rules, click the **Go to Exchange admin center** button on the page. For more information, see [Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).