Updates from: 12/30/2020 04:05:39
Category Microsoft Docs article Related commit history on GitHub Change details
admin https://docs.microsoft.com/en-us/microsoft-365/admin/email/convert-user-mailbox-to-shared-mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/convert-user-mailbox-to-shared-mailbox.md
@@ -88,9 +88,11 @@ Let's say you've deleted a user account and now you want to convert their old ma
## Convert a user's mailbox in a hybrid environment
-More details about converting an user mailbox to a shared mailbox, into an Exchange Hybrid environment can be found on:
-https://support.microsoft.com/office/cmdlets-to-create-or-modify-a-remote-shared-mailbox-in-an-on-premises-exchange-environment-9e83fb59-c001-729c-a4c0-b2964c154b49
-https://docs.microsoft.com/exchange/troubleshoot/user-and-shared-mailboxes/shared-mailboxes-unexpectedly-converted-to-user-mailboxes
+For more info about converting a user mailbox to a shared mailbox in an Exchange Hybrid environment, see:
+
+ - [Cmdlets to create or modify a remote shared mailbox in an on-premises Exchange environment](https://support.microsoft.com/office/cmdlets-to-create-or-modify-a-remote-shared-mailbox-in-an-on-premises-exchange-environment-9e83fb59-c001-729c-a4c0-b2964c154b49)
+ - [Shared mailboxes are unexpectedly converted to user mailboxes after directory synchronization runs in an Exchange hybrid deployment](https://docs.microsoft.com/exchange/troubleshoot/user-and-shared-mailboxes/shared-mailboxes-unexpectedly-converted-to-user-mailboxes)
+
> [!NOTE] > If you are a member of the Organization Management or Recipient Management role group, you can use the Exchange Management Shell to change a user mailbox to a shared mailbox on-premises. For example, `Set-Mailbox -Identity mailbox1@contoso.com -Type Shared`.
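Review bot: Style point on the new lead-in line "For more info about converting a user mailbox to a shared mailbox in an Exchange Hybrid environment, see:"; the other change in this digest (add-custodians-to-case) spells it out as "For more information, see", so suggest the same wording here for consistency across the set. The two new bulleted links and the unchanged note with the `Set-Mailbox -Identity mailbox1@contoso.com -Type Shared` example are fine as written.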
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/add-custodians-to-case https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/add-custodians-to-case.md
@@ -23,88 +23,89 @@ ms.custom: seo-marvel-apr2020
Use the built-in custodian management tool in Advanced eDiscovery to coordinate your workflows around managing custodians and identifying relevant, custodial data sources associated with a case. When you add a custodian, the system can automatically identify and place a hold on their Exchange mailbox and OneDrive for Business account. During the discovery process of your investigation, you might also identify additional data sources (such as mailboxes, sites, or Teams) that a custodian accessed or contributed to. In this situation, you can use the custodian management tool to associate those data sources will a specific custodian. After you add custodians to a case and associate other data source with them, you can quickly preserve data and search the custodial data.
-Use the following workflow to add and manage custodians in Advanced eDiscovery cases.
+You can add and manage custodians in Advanced eDiscovery cases in four steps:
+
+1. Identify the custodians
+
+2. Choose custodian data locations
+
+3. Configure hold settings
+
+4. Review the custodians and complete the process
![Sources tab in Advanced eDiscovery case](../media/AeD-Sources-Tab.png) ## Make sure you have the necessary permissions
-To add custodians to a case, you must be a member of the eDiscovery Manager role group. This will provide you with the necessary permissions to add custodians to a case and place a hold on the custodial data sources.
+To add custodians to a case, you must be a member of the eDiscovery Manager role group. This provides you with the necessary permissions to add custodians to a case and place a hold on the custodial data sources. For more information, see [Assign eDiscovery permissions](get-started-with-advanced-ediscovery.md#step-2-assign-ediscovery-permissions).
-## Step 1: Add potential custodians
+## Step 1: Identify custodians
-The first step is to identify and add custodians to the case.
+1. Go to [https://compliance.microsoft.com](https://compliance.microsoft.com) and sign in with a user account that has been assigned the appropriate eDiscovery permissions.
-1. On the **Advanced eDiscovery** home page, click the case that you want to add custodians to.
+2. In the left navigation pane of the Microsoft 365 compliance center, click **Show all**, and then click **eDiscovery > Advanced**.
-2. Click the **Sources** tab and then click **Add custodians**.
+3. On the **Advanced eDiscovery** page, click the **Cases** tab, and then select the case that you want to add custodians to.
-3. Find the custodians to add to the case. Type the first part of a person's name to display users from your organization's Azure Active Directory. When you find the correct person, click their name to add them to the list.
+4. Click the **Data sources** tab and then click **Add data source** > **Add new custodians**.
- ![Identify Potential Custodians](../media/AddCustodianStep1.png)
+5. Add one or more users in your organization as custodians to the case by typing the first part of a person's name or alias. After you find the correct person, select their name to add them to the list.
-4. After added all the relevant custodians, click **Next** to select the custodians' primary data sources.
-
-## Step 2: Select custodian data sources
+## Step 2: Choose custodian data locations
-After adding custodians, the custodian tool will help you identify the primary data sources owned by each custodian. These data locations are the custodian's Exchange mailbox and OneDrive account.
+After you select custodians, the system automatically attempts to identify and verify these users and their data sources. After adding custodians to the list, the tool automatically includes the primary mailbox and OneDrive account for each custodian. You can choose not to include these data sources when adding custodians to the case.
-To identify custodian data sources:
+In addition to a custodian's mailbox and OneDrive account, you can also associate additional data locations to a custodian, such as SharePoint site or a Microsoft Team the custodian is a member of. This allows you preserve, collect, analyze, and review content in other data sources associated with the custodians of the case.
-1. To select the Exchange mailbox for all custodians, select the **Exchange** check box at the top of the column. You can then clear the check box for any specific custodian to remove a mailbox as a custodial location. Alternatively, you can leave the **Exchange** check box at the top of the column unselected and then select the check box for individual custodians.
+To deselect the primary mailbox and OneDrive account for a custodian:
- ![Select Custodial Data Sources](../media/AddCustodianStep2.png)
+1. Expand the custodian to view the primary data locations that have been automatically associated to each custodian.
-2. Repeat the same thing for the custodians' OneDrive accounts.
+2. Select **Clear** next to **Mailbox** or **OneDrive** to remove a custodian's mailbox or OneDrive account from being associated as a data location for this custodian.
- After you select the custodian data sources, the system automatically attempts to identify and verify these data sources, and then adds them to the case as data sources associated with the custodians.
+ ![Configure locations to associate to a custodian](../media/ConfigureCustodianLocations.png)
-3. Click **Next** to begin associating additional data sources to the custodians in the case.
+To associate other mailboxes, sites, Teams, or Yammer groups to a specific custodian:
-## Step 3: Associate additional data sources to a custodian
+1. Expand a custodian to display the following services to associate data locations with the custodian. Click **Edit** next to a service to add a data location.
-Depending on the case you're investigating, you may also need to search (and preserve content in) mailboxes that a specific custodian may have accessed, Microsoft 365 groups that a custodian is currently a member of, or sites that a custodian has also accessed. So in addition to the primary custodian data sources that you specified in the previous step, you can also associate additional Microsoft data sources with a custodian in the case.
+ - **Exchange**: Use to associate other mailboxes to the custodian. Type into the search box the name or alias (a minimum of 3 characters) of user mailboxes or distribution groups. Select the mailboxes to assign to the custodian and then click **Add**.
-To map mailboxes, sites, or teams to a specific custodian:
+ - **SharePoint**: Use to associate SharePoint sites to the custodian. Select a site in the list or search for a site by typing a URL in the search box. Select the sites to assign to the custodian and then click **Add**.
-1. On the **Select additional data sources** page, click **Add** in the row for the specific custodian.
-
- ![Map Additional Data Sources](../media/AddCustodianStep3.PNG)
+ - **Teams**: Use to assign the Microsoft Teams the custodian is currently a member of. Select the teams to assign to the custodian and then click **Add**. After you add a team, the system automatically identifies and locates the SharePoint site and group mailbox associated to that team and assigns them to the custodian.
-2. On the flyout page, you can specify a data source from any of the following services:
-
- - **Exchange email** - Click **Choose users, groups, or Teams** and then click **Choose users, groups, or teams** again. Use the search box to find mailboxes to associate with the custodian. To specify mailboxes to assign to the selected custodian, use the search box to find user mailboxes and distribution groups. You can also assign the associated mailbox for a Microsoft 365 group or a Microsoft Team. Select the user, group, team check box, click **Choose**, and then click **Done**.
+ - **Yammer**: Use to assign the Yammer groups the custodian is currently a member of. Select the groups to assign to the custodian and then click **Add**. After you add a team, the system automatically identifies and locates the SharePoint site and group mailbox associated to that group and assigns them to the custodian.
- > [!NOTE]
- > When you click Choose users, groups, or teams to specify mailboxes, the mailbox picker that's displayed is empty. This is by design to enhance performance. To add mailbox to this list, type a name or alias (a minimum of 3 characters) in the search box.
-
- - **SharePoint sites** - Click **Choose sites** and then click **Choose sites** again to display a list of SharePoint sites in your organization. To associate a site with the custodian, you can select a site in the list or you can type the URL of a different site or a site associated with a Microsoft 365 group, Microsoft Team, or a OneDrive account.
-
- - **Teams** ΓÇô Click **Choose teams** and then click **Choose teams** again to display a list of Microsoft Teams that the custodian is currently a member of. Select the Teams that you would like to add to your custodian. Once selected, the system will automatically identify & select the associated SharePoint site and Group Mailbox associated to that Microsoft Team. Click **Choose**, and then click **Done**.
+ > [!NOTE]
+ > You can use the **Exchange** and **SharePoint** location pickers to associate other teams or Yammer groups (that a custodian is not a member of) to a custodian. To do this, you have to add both the mailbox and site associated with each team or Yammer group.
- ![Map Data Sources](../media/AddCustodianStep4.PNG)
-
- > [!NOTE]
- > To associate an additional team with a custodian, you have to separately add the mailbox and site associated with the team by using the **Exchange mail** and **SharePoint sites** locations.
+2. You can view the total number of mailboxes, sites, Teams, and Yammer groups assigned to each custodian by expanding each custodian in the table. When you've finalized the assigned data locations for each custodian, these associations will be maintained and used during the collection, processing, and review stages in the Advanced eDiscovery workflow.
-After you've finished associating additional data sources with the custodians, you can view the total number of mailboxes, sites, and teams associated with each custodian on the **Select additional data sources page**. When you've finalized the relevant data sources for a specific custodian, this association will be maintained and used during the collection, processing, and review stages in eDiscovery workflow.
+3. After adding custodians and configuring their data locations, click **Next** to go to the **Hold settings** page.
-## Step 4: Place custodians on hold
+## Step 3: Configure hold settings
-After you've finalized the custodians and data sources to add to the case, you can optionally place some or all of the custodians on hold. When you place a custodian on hold, all content in all content locations that are associated with the custodian is preserved until you remove the hold or release the custodian from the hold. In some cases, you may want to add custodians to a case without placing them on hold.
+ After you've finalized the custodians and their data locations, you can place some or all of the custodians on hold. When you place a custodian on hold, all content in all content locations that are associated with the custodian is preserved until you remove the hold or release the custodian from the hold. In some cases, you may want to add custodians to a case without placing them on hold.
To place the custodians and data sources on hold:
-1. On the **Place a hold on the selected custodians** page, select the **Hold** check box at the top of the column to place all custodians on hold. You can then clear the check box for any specific custodian to remove from the hold. Alternatively, you can leave the **Hold** check box at the top of the column unselected and then select the check box for individual custodians.
+1. On the **Hold settings** page, you can apply a hold to individual custodians by selecting the checkbox under the **Hold** column.
+
+ Alternatively, you can place all custodians on hold by selecting the **Hold** checkbox at the top of the column.
+
+2. Verify the custodian hold selections and then click **Next**.
+
+> [!NOTE] If you don't place a hold on a custodian, the custodian and their associated data sources will be added to the case but the content in those data sources won't preserved by the hold that associated with the case.
- ![Place Holds](../media/AddCustodianStep5.PNG)
+## Step 4: Review the custodians and complete the process
-2. Verify the custodian hold selections and then click **Complete**.
+Before you actually add the custodians to the case, you can review the list of custodians, the data locations assigned to them, and the hold settings.
-If you don't place a hold on a custodian, the custodian and their associated data sources will be added to the case but the content in those data sources won't be placed on hold.
+1. Verify and review all the data sources count and the hold setting associated with each custodian in the table. If necessary, go back to the **Identify custodian** or **Hold settings** pages to make any changes.
-After a custodian is placed on hold, a custodian hold policy that contains all custodial sources will be automatically created. To view this policy:
+2. Click **Submit** to add custodians and their data locations to the case and apply all custodial hold settings.
-1. On the **Home** page of the case, click the **Holds** tab and then click **CustodianHold-Guid**,
+ The new custodians are added to the case and displayed on the **Data sources** tab.
-2. On the flyout page, click **Edit hold** to view all the custodian data sources that are placed on hold.
+ ![Custodians listed on the Data sources tab](../media/DataSourcesTab.png)
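Review bot: Logic problem in the new **Yammer** bullet: it says "After you add a team, the system automatically identifies and locates the SharePoint site and group mailbox associated to that group", which is carried over from the **Teams** bullet; it should read "After you add a Yammer group, the system automatically identifies and locates the SharePoint site and group mailbox associated to that group". Two further issues in the added text: the hold note is written on one line as `> [!NOTE] If you don't place a hold on a custodian, ...`, but the alert syntax needs `> [!NOTE]` on its own line followed by a second `> ` line with the text, and that sentence should read "won't be preserved by the hold that's associated with the case"; and in Step 4, "go back to the **Identify custodian** or **Hold settings** pages" should match the heading "Step 1: Identify custodians". Small grammar fixes in Step 2: "This allows you to preserve" and "such as a SharePoint site". Documentation point: the removed lines explaining that a custodian hold policy (**Holds** tab, **CustodianHold-Guid**, **Edit hold**) is created automatically are not replaced anywhere in the new text; if that behaviour still applies, keep one sentence telling the reader where the policy appears, because that is how an admin confirms the hold was actually applied. The unchanged intro paragraph still reads "associate those data sources will a specific custodian" and "associate other data source with them"; worth correcting to "with" and "data sources" while the file is open.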
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/bulk-add-custodians https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/bulk-add-custodians.md
@@ -1,5 +1,5 @@
---
-title: "Bulk-add custodians to an Advanced eDiscovery case"
+title: "Import custodians to an Advanced eDiscovery case"
f1.keywords: - NOCSH ms.author: markjjo
@@ -13,81 +13,92 @@ localization_priority: Normal
ms.collection: M365-security-compliance search.appverid: - MOE150-- MET150
-ROBOTS: NOINDEX, NOFOLLOW
-description: "Use the bulk-add tool to quickly add multiple custodians and their associated data sources to a case in Advanced eDiscovery."
+- MET150
+description: "Use the import tool dto quickly add multiple custodians and their associated data sources to a case in Advanced eDiscovery."
---
-# Bulk-add custodians to an Advanced eDiscovery case
+# Import custodians to an Advanced eDiscovery case
-For Advanced eDiscovery cases that involve a lot of custodians, you can import multiple custodians at once by a CSV file that contains all the information necessary to add them to a case.
+For Advanced eDiscovery cases that involve a lot of custodians, you can import multiple custodians at once by using a CSV file that contains the information necessary to add them to a case.
-## Bulk-add custodians
+## Import custodians
-1. Enter case and navigate to the **Sources** tab.
+1. Open the Advanced eDiscovery case and select the **Data sources** tab.
-2. Click **Import custodians**
+2. Click **Add data source** > **Import custodians**.
-3. On the flyout page, click **Download a blank template** to download a CSV custodian template file.
+3. On the **Import custodians** flyout page, click **Download a blank template** to download a custodian template CSV file.
-4. Add the custodial information to the CSV file and save it on your local computer. See the next section for information about the properties in the CSV file.
+ ![Download a CSV template from Import custodians flyout page](../media/ImportCustodians1.png)
-5. On the **Sources** tab, click **Import Custodians** again.
+4. Add the custodial information to the CSV file and save it to your local computer. See the [Custodian CSV file](#custodian-csv-file) section for information about the required properties in the CSV file.
-6. On flyout page, click **Browse** and the upload your CSV file.
+5. After you've prepared the CSV file with the custodian information, go back to the **Data sources** tab, and click **Add data source** > **Import custodians** again.
- After the CSV file is uploaded, a BulkAddCustodian job is created and displayed on the **Jobs** tab. The job validates the custodians and their corresponding data sources and then adds them to the **Custodians** tab on the **Sources** page of the case.
+6. On the **Import custodians** flyout page, click **Browse** and then upload the CSV file that contains the custodian information.
+
+ After the CSV file is uploaded, a job named **BulkAddCustodian** is created and displayed on the **Jobs** tab. The job validates the custodians and their associated data sources and then adds them to the the **Data sources** page of the case.
## Custodian CSV file
-After you download the CSV template, you can add custodians and their data source in each row. Be sure not to change the column names in the header row.
+After you download the CSV custodian template, you can add custodians and their data source in each row. Be sure not to change the column names in the header row. Use the workload type and workload location columns to associate additional data sources to a custodian.
| Column name|Description| |:------- |:------------------------------------------------------------|
-|**Custodian ContactEmail** | UPN email of custodian. Example: sarad@onmicrosoft.contoso.com |
-|**Exchange Enabled** | TRUE/FALSE value on whether to add custodian's mailbox. |
-|**OneDrive Enabled** | TRUE/FALSE value on whether to add custodian's OneDrive for Business account. |
-|**Is OnHold** | TRUE/FALSE value on whether to place custodian on hold. |
-|**Workload1 Type** | String value indicating the type of data source to associate with the custodian. <br />Possible values include: <br />ExchangeMailbox, SharePointSite, TeamsMailbox, TeamsSite, YammerMailbox, YammerSite |
-|**Workload1 Location** | Depending on your workload type, this would be the data location of your workload (for example, the email address of an Exchange mailbox or the URL for a SharePoint site). |
+|**Custodian contactEmail** |The custodian's UPN email address. For example, sarad@contoso.onmicrosoft.com. |
+|**Exchange Enabled** | TRUE/FALSE value to include or not include the custodian's mailbox. |
+|**OneDrive Enabled** | TRUE/FALSE value to include or not included the custodian's OneDrive for Business account. |
+|**Is OnHold** | TRUE/FALSE value to indicate whether to place the custodian data sources on hold. |
+|**Workload1 Type** |String value indicating the type of data source to associate with the custodian. Possible values include: <br/>- ExchangeMailbox<br/> - SharePointSite<br/>- TeamsMailbox<br/>- TeamsSite<br/> - YammerMailbox<br/>- YammerSite |
+|**Workload1 Location** | Depending on your workload type, this would be the location of the data source. For example, the email address for an Exchange mailbox or the URL for a SharePoint site. |
||| Here's an example of a CSV file with custodian information:
-| ContactEmail | Exchange Enabled | OneDrive Enabled | Is OnHold | Workload1 Type | Workload1 Location |
+|Custodian contactEmail | Exchange Enabled | OneDrive Enabled | Is OnHold | Workload1 Type | Workload1 Location |
| ----------------- | ---------------- | ---------------- | --------- | -------------- | ------------------------------ |
-|sarad@onmicrosoft.contoso.com | TRUE | TRUE | TRUE | SharePointSite | https://contoso.sharepoint.com |
+|robinc@onmicrosoft.contoso.com | TRUE | TRUE | TRUE | SharePointSite | https://contoso.sharepoint.com |
|pillarp@onmicrosoft.contoso.com | TRUE | TRUE | TRUE | | | |||||| ## Custodian and data source validation
-When you upload the custodian CSV file, Advanced eDiscovery does the following things:
+After you upload the custodian CSV file, Advanced eDiscovery does the following things:
-1. Validates the custodians and their data sources.
+1. Validates the custodians and their data sources.
-2. Indexes all data sources for each custodian and places them on hold (if the Is OnHold property is set to TRUE).
+2. Indexes all data sources for each custodian and places them on hold (if the **Is OnHold** property in the CSV file is set to TRUE).
### Custodian validation
-Currently, we only support importing custodians that are in Azure Active Directory (AAD).
+Currently, we only support importing custodians that are included in your organization's Azure Active Directory (Azure AD).
-We validate and find custodians using the UPN value in the **Contact Email** column in the CSV file. Custodians that are validated are automatically added to the case and listed on the **Custodian** tab on the **Sources** page of the case. If a custodian can't be validated, they are listed in the error log for the BulkAddCustodian job that is listed on the **Jobs** tab in the case. Unvalidated custodians are not added to the case.
+The custodian import tool finds and validates custodians using the UPN value in the **Custodian contactEmail** column in the CSV file. Custodians that are validated are automatically added to the case and listed on the **Data sources** tab of the case. If a custodian can't be validated, they are listed in the error log for the BulkAddCustodian job that is listed on the **Jobs** tab in the case. Unvalidated custodians are not added to the case or listed on the **Data sources** tab.
### Data source validation
-After custodians are validated and added to the case, each data source that's associated with a custodian is validated. If any data source for a custodian can't be found, the value **Not validated** would be displayed in the **Validated** column on the **Custodian** tab for that custodian.
+After custodians are validated and added to the case, each primary mailbox and OneDrive account that's associated with a custodian is added.
+
+However, if any of the additional data sources (such as SharePoint sites, Microsoft Teams, Microsoft 365 Groups, or Yammer groups) associated with a custodian can't be found, none of them are assigned to the custodian and the value **Not validated** is displayed in the **Status** column next to the custodian on the **Data sources** tab.
+
+To add validated data sources for a custodian:
+
+1. On the **Data sources** tab, select a custodian that contains data sources that aren't validated.
+
+2. On the custodian flyout page, scroll to the **Custodial locations** section to view both validated and unvalidated data sources that are associated with custodian.
+
+3. Click **Edit** at the top of the flyout page to remove invalid data sources or add new ones.
-### Remediating unvalidated data sources
+4. After you remove unvalidated data sources or add a new one, the value **Active** is displayed in **Status** column for the custodian on the **Data sources** tab. To add sources that previously appeared to be invalid, follow the remediation steps below to manually add them to a custodian.
-To remediate custodians with unvalidated data sources:
+### Remediating invalid data sources
-1. On the **Custodian** tab, select a custodian who isn't validated.
+To manually add and associate a data source that was previously invalid:
-2. On the custodian flyout page, scroll to the **Data sources** section to view the data sources that are associated with custodian. Both validated and unvalidated data sources are listed.
+1. On the **Data sources** tab, select a custodian to manually add and associate a data source that was previously invalid.
-3. In the **Data sources** section, click **Edit**.
+2. Click **Edit** at the top of the flyout page to associate mailboxes, sites, Teams, or Yammer groups to the custodian. Do this by clicking **Edit** next to the appropriate data location type.
-4. On the **Choose custodial locations** page, remove an unvalidated data source.
+3. Click **Next** to display the **Hold settings** page and configure the hold setting for the data sources you added.
-5. On the **Select additional locations** page, click **Update** to add additional data sources for a custodian.
+4. Click **Next** to display the **Review custodians** page, and then click **Submit** to save your changes.
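Review bot: Typo in the new description metadata: "Use the import tool dto quickly add multiple custodians" should read "to quickly add"; this string surfaces in search results, so fix it in this change. Related: removing `ROBOTS: NOINDEX, NOFOLLOW` from the front matter makes the page indexable; confirm that is intended now that the article is renamed and published. The example address in the new table row, sarad@contoso.onmicrosoft.com, no longer matches the domain form used in the sample CSV just below it (robinc@onmicrosoft.contoso.com, pillarp@onmicrosoft.contoso.com); pick one form for both. Other slips in the added lines: "adds them to the the **Data sources** page", "TRUE/FALSE value to include or not included the custodian's OneDrive", and "add custodians and their data source in each row" (data sources). One documentation point on the validation section: the new text states that if any additional data source can't be found, none of them are assigned to the custodian and the custodian shows **Not validated**; that all-or-nothing behaviour, together with the **Is OnHold** sentence (a custodian imported with FALSE is listed but nothing is preserved), is what an admin relying on the import for preservation most needs to see, so consider stating both up front under "Custodian and data source validation" rather than only in the subsections.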
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/legacy-information-for-message-encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/legacy-information-for-message-encryption.md
@@ -174,8 +174,9 @@ As an Exchange Online and Exchange Online Protection administrator, you can cust
You can also revert back to the default look and feel at any time. The following example shows a custom logo for ContosoPharma in the email attachment:
-
-![Sample of the view encrypted message page](../media/TA-OME-3attachment2.jpg)
+
+> [!div class="mx-imgBorder"]
+> ![Sample of the view encrypted message page](../media/TA-OME-3attachment2.jpg)
**To customize encryption email messages and the encryption portal with your organization's brand**
@@ -185,12 +186,12 @@ The following example shows a custom logo for ContosoPharma in the email attachm
**Encryption customization options**
-**To customize this feature of the encryption experience**|**Use these Windows PowerShell commands**|
-|:-----|:-----|
-|Default text that accompanies encrypted email messages <br/> The default text appears above the instructions for viewing encrypted messages <br/> | `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -EmailText "<string of up to 1024 characters>"` <br/> **Example:** `Set-OMEConfiguration -Identity "OME Configuration" -EmailText "Encrypted message from ContosoPharma secure messaging system"` <br/> |
-|Disclaimer statement in the email that contains the encrypted message <br/> | `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> DisclaimerText "<your disclaimer statement, string of up to 1024 characters>"` <br/> **Example:** `Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText "This message is confidential for the use of the addressee only"` <br/> |
-|Text that appears at the top of the encrypted mail viewing portal <br/> | `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -PortalText "<text for your portal, string of up to 128 characters>"` <br/> **Example:** `Set-OMEConfiguration -Identity "OME Configuration" -PortalText "ContosoPharma secure email portal"` <br/> |
-|Logo <br/> | `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -Image <Byte[]>` <br/> **Example:** `Set-OMEConfiguration -Identity "OME configuration" -Image (Get-Content "C:\Temp\contosologo.png" -Encoding byte)` <br/> Supported file formats: .png, .jpg, .bmp, or .tiff <br/> Optimal size of logo file: less than 40 KB <br/> Optimal size of logo image: 170x70 pixels <br/> |
+ | To customize this feature of the encryption experience | Use these Windows PowerShell commands |
+ |:-----|:-----|
+ |Default text that accompanies encrypted email messages <br/> The default text appears above the instructions for viewing encrypted messages <br/> | `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -EmailText "<string of up to 1024 characters>"` <br/> **Example:** `Set-OMEConfiguration -Identity "OME Configuration" -EmailText "Encrypted message from ContosoPharma secure messaging system"` <br/> |
+ |Disclaimer statement in the email that contains the encrypted message <br/> | `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> DisclaimerText "<your disclaimer statement, string of up to 1024 characters>"` <br/> **Example:** `Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText "This message is confidential for the use of the addressee only"` <br/> |
+ |Text that appears at the top of the encrypted mail viewing portal <br/> | `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -PortalText "<text for your portal, string of up to 128 characters>"` <br/> **Example:** `Set-OMEConfiguration -Identity "OME Configuration" -PortalText "ContosoPharma secure email portal"` <br/> |
+ |Logo <br/> | `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -Image <Byte[]>` <br/> **Example:** `Set-OMEConfiguration -Identity "OME configuration" -Image (Get-Content "C:\Temp\contosologo.png" -Encoding byte)` <br/> Supported file formats: .png, .jpg, .bmp, or .tiff <br/> Optimal size of logo file: less than 40 KB <br/> Optimal size of logo image: 170x70 pixels <br/> |
**To remove brand customizations from encryption email messages and the encryption portal**
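Review bot: Missing parameter dash in the disclaimer row: `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> DisclaimerText "<your disclaimer statement, string of up to 1024 characters>"` lacks the hyphen on `-DisclaimerText`, so the syntax shown does not run; the **Example** in the same cell has it right. This was already wrong in the removed lines, but since the whole table is being rewritten here it should be fixed in this change. Style point: the new table rows are indented by one leading space, while the **Service details** table further down in the same file starts at column 0; drop the leading space so the tables render consistently.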
@@ -200,19 +201,19 @@ The following example shows a custom logo for ContosoPharma in the email attachm
**Encryption customization options**
-|**To revert this feature of the encryption experience back to the default text and image**|**Use these Windows PowerShell commands**|
-|:-----|:-----|
-|Default text that accompanies encrypted email messages <br/> The default text appears above the instructions for viewing encrypted messages <br/> | `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -EmailText "<empty string>"` <br/> **Example:** `Set-OMEConfiguration -Identity "OME Configuration" -EmailText ""` <br/> |
-|Disclaimer statement in the email that contains the encrypted message <br/> | `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> DisclaimerText "<empty string>"` <br/> **Example:** `Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText ""` <br/> |
-|Text that appears at the top of the encrypted mail viewing portal <br/> | `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -PortalText "<empty string>"` <br/> **Example reverting back to default:** `Set-OMEConfiguration -Identity "OME Configuration" -PortalText ""` <br/> |
-|Logo <br/> | `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -Image <"$null">` <br/> **Example reverting back to default:** `Set-OMEConfiguration -Identity "OME configuration" -Image $null` <br/> |
+ | To revert this feature of the encryption experience back to the default text and image | Use these Windows PowerShell commands |
+ |:-----|:-----|
+ |Default text that accompanies encrypted email messages <br/> The default text appears above the instructions for viewing encrypted messages <br/> | `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -EmailText "<empty string>"` <br/> **Example:** `Set-OMEConfiguration -Identity "OME Configuration" -EmailText ""` <br/> |
+ |Disclaimer statement in the email that contains the encrypted message <br/> | `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> DisclaimerText "<empty string>"` <br/> **Example:** `Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText ""` <br/> |
+ |Text that appears at the top of the encrypted mail viewing portal <br/> | `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -PortalText "<empty string>"` <br/> **Example reverting back to default:** `Set-OMEConfiguration -Identity "OME Configuration" -PortalText ""` <br/> |
+ |Logo <br/> | `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -Image <"$null">` <br/> **Example reverting back to default:** `Set-OMEConfiguration -Identity "OME configuration" -Image $null` <br/> |
## Service information for legacy Office 365 Message Encryption prior to the release of the new OME capabilities <a name="LegacyServiceInfo"> </a> The following table provides technical details for the Office 365 Message Encryption service prior to the release of the new OME capabilities.
-|**Service details**|**Description**|
+| Service details | Description |
|:-----|:-----| |Client device requirements <br/> |Encrypted messages can be viewed on any client device, as long as the HTML attachment can be opened in a modern browser that supports Form Post. <br/> | |Encryption algorithm and Federal Information Processing Standards (FIPS) compliance <br/> |Office 365 Message Encryption uses the same encryption keys as Windows Azure Information Rights Management (IRM) and supports Cryptographic Mode 2 (2K key for RSA and 256 bits key for SHA-1 systems). For more information about the underlying IRM cryptographic modes, see [AD RMS Cryptographic Modes](https://technet.microsoft.com/library/hh867439%28WS.10%29.aspx). <br/> |
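Review bot: the `DisclaimerText` row of the revert table still gives the syntax as `Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> DisclaimerText "<empty string>"`, with no hyphen on the parameter name, while its own example correctly uses `-DisclaimerText ""`; since this hunk already rewrote the table, fix the syntax column to `-DisclaimerText`. The Logo row's `-Image <"$null">` mixes placeholder brackets with a literal value; `-Image $null`, as in the example, is what a reader should type. In the unchanged service-details row, "2K key for RSA and 256 bits key for SHA-1 systems" contradicts the later tables on this page, which describe Cryptographic Mode 2 as RSA 2048 with SHA-256 for the signature hash; it should read SHA-256, and a hash has no key, so "256-bit SHA-256" is the accurate phrasing.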
@@ -293,7 +294,7 @@ All EHE customers have been upgraded to Office 365 Message Encryption. For more
Yes. You have to add URLs for Exchange Online to the allow list for your organization to enable authentication for messages encrypted by Office 365 Message Encryption. For a list of Exchange Online URLs, see [Microsoft 365 URLs and IP address ranges](https://docs.microsoft.com/microsoft-365/enterprise/urls-and-ip-address-ranges).
- **Q. How many recipients can I send an Microsoft 365 encrypted message to?**
+ **Q. How many recipients can I send a Microsoft 365 encrypted message to?**
The recipient limit is 500 recipients per message, or, when combined after distribution list expansion, 11,980 characters in the message's **To** field, whichever comes first.
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/non-custodial-data-sources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/non-custodial-data-sources.md
@@ -14,12 +14,12 @@ ms.collection: M365-security-compliance
search.appverid: - MOE150 - MET150
-description: "You can add non-custodial data sources to an Advanced eDiscovery case and place a hold on the data source. Non-custodial data sources are reindexed, so any content that was deemed as partially indexed is reprocessed to make it fully and quickly searchable."
+description: "You can add non-custodial data sources to an Advanced eDiscovery case and place a hold on the data source. Non-custodial data sources are reindexed, so any content that was marked as partially indexed is reprocessed to make it fully and quickly searchable."
--- # Add non-custodial data sources to an Advanced eDiscovery case
-In Advanced eDiscovery cases, it doesn't always meet your needs to associate a Microsoft 365 data source with a custodian in the case. But you may still need to associate that data with a case so that you search it, add it to review set, and review it. The new feature called *non-custodial data sources* lets you add data to a case without having to associate the data to a custodian. It also applies the same Advanced eDiscovery functionality to non-custodial data that's available for data associated with custodian. Two of the most useful features that you can apply to non-custodial data is placing it on hold and processing it using [Advanced indexing](indexing-custodian-data.md).
+In Advanced eDiscovery cases, it doesn't always meet your needs to associate a Microsoft 365 data source with a custodian in the case. But you may still need to associate that data with a case so that you can search it, add it to a review set, and analyze and review it. The feature in Advanced eDiscovery is called *non-custodial data sources* and lets you add data to a case without having to associate it to a custodian. It also applies the same Advanced eDiscovery functionality to non-custodial data that's available for data associated with custodian. Two of the most useful things that you can apply to non-custodial data is placing it on hold and processing it using [Advanced indexing](indexing-custodian-data.md).
## Add a non-custodial data source
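Review bot: the rewritten intro in the `+` line still carries two grammar slips the edit did not touch: "data associated with custodian" needs an article ("with a custodian"), and "Two of the most useful things that you can apply to non-custodial data is placing it on hold" needs "are". Since this paragraph presents hold as one of the main reasons to add the source, it would help to say here what step 4 of the procedure says, that hold is a per-location choice and adding a source does not place it on hold by itself.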
@@ -27,34 +27,43 @@ Follow these steps to add and manage non-custodial data sources in an Advanced e
1. On the **Advanced eDiscovery** home page, click the case that you want to add the data to.
-2. On the **Sources** page, click the **Data locations** tab, and then click **Add data location**.
+2. Click the **Data sources** tab and then click **Add data source** > **Add data locations**
-3. Click **Add data location** and choose the data sources that you want to add to the case. You can add multiple mailboxes and sites.
+3. On the **New non-custodial data locations** flyout page, choose the data sources that you want to add to the case. You can add multiple mailboxes and sites by expanding the **SharePoint** or **Exchange** sections and then clicking **Edit**.
-4. On the **Choose locations** page in the wizard, add mailboxes or sites (or both) as non-custodial data sources to the case.
+ ![Add SharePoint sites and Exchange mailboxes as non-custodial data sources](../media/NonCustodialDataSources1.png)
-5. After adding the data sources, click **Next**.
+ - **SharePoint** - Click **Edit** to add sites. Select a site in the list or you can search for a site by typing the URL of the site in the search bar. Select the sites that you want to add as non-custodian data sources and click **Add**.
-6. On the **Place holds** page, choose which data sources you want to place on hold by selecting or unselecting the associated checkbox.
+ - **Exchange** - Click **Edit** to add mailboxes. Type a name or alias (a minimum of 3 characters) in the search box for mailboxes or distribution groups. Select the mailboxes that you want to add as non-custodian data sources and click **Add**.
-7. Verify the hold selections and then click **Submit**.
+ > [!NOTE]
+ > You can use the **SharePoint** and **Exchange** sections to add sites and mailboxes associated with a Team or Yammer group as non-custodia data sources. You have to separately add the mailbox and site associated with a Team or Yammer group.
- Each non-custodial data source that you added is listed on the **Data sources** page.
+4. After you add non-custodial data sources, you have the option to place those locations on hold or not. Select or unselect the **Hold** checkbox next to the data source to place it on hold.
- Also, a job named *Reindexing non-custodial data* is created and displayed on the **Jobs** tab of the case. After the job is created, the Advanced indexing process in initiated and the data sources are reindexed.
+5. Click **Add** at the bottom of the **New non-custodial data locations** flyout page to add the data sources to the case.
-## Managing the hold on non-custodial data sources
+ Each non-custodial data source that you added is listed on the **Data sources** page. Non-custodial data sources are identified by the **Data location** value in the **Source type** column.
-After you place a hold on a non-custodial data source, a hold policy that contains all non-custodial data sources for the case is automatically created. When you place additional non-custodial data sources on hold, they are added to this hold policy.
+ ![Add SharePoint sites and Exchange mailboxes as non-custodial data sources](../media/NonCustodialDataSources2.png)
-1. On the **Home** page of the case, click the **Holds** tab.
+After you add non-custodial data sources to the case, a job named *Reindexing non-custodial data* is created and displayed on the **Jobs** tab of the case. After the job is created, the Advanced indexing process in initiated and the data sources are reindexed.
-2. On the **Holds** page, and click **NCDSHold-\<GUID\>**, where the GUID value is unique to the case.
+## Manage the hold for non-custodial data sources
-3. On the flyout page, click **Edit hold** to view all the non-custodial data sources that are placed on hold.
+After you place a hold on a non-custodial data source, a hold policy that contains the non-custodial data sources for the case is automatically created. When you place additional non-custodial data sources on hold, they are added to this hold policy.
-You can perform the following management task on non-custodial data sources:
+1. Open the Advanced eDiscovery case and select the **Hold** tab.
-- You can edit the hold to create a query-based hold that is applied to all non-custodial data sources in the case.
+2. Click **NCDSHold-\<GUID\>**, where the GUID value is unique to the case.
-- You can release a non-custodial data source from the hold. Releasing a data source doesn't remove the non-custodial data source from the case. It only removes the hold that was placed on the data source.
+ The flyout page display information and statistics about the non-custodial data sources on hold.
+
+ ![The flyout page for non-custodial data sources hold displays statistics](../media/NonCustodialDataSourcesHoldFlyout.png)
+
+4. Click **Edit hold** to view the non-custodial data sources placed on hold and perform the following management tasks:
+
+ - On the **Locations** page, you can release a non-custodial data source by removing it from the hold. Releasing a data source doesn't remove the non-custodial data source from the case. It only removes the hold that was placed on the data source.
+
+ - On the **Query** page, you can edit the hold to create a query-based hold that is applied to all tha non-custodial data sources in the case.
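Review bot: the step numbering in the "Manage the hold" procedure runs 1, 2, 4; either the flyout paragraph after step 2 is step 3, or "Click **Edit hold**" should be renumbered to 3. Typos in the added lines: "non-custodia data sources" in the NOTE, "the Advanced indexing process in initiated" (is initiated), "The flyout page display information" (displays), and "all tha non-custodial data sources" (the). The SharePoint and Exchange bullets say "non-custodian data sources" while the rest of the page says "non-custodial"; and step 1 now says the **Hold** tab where the removed text said the **Holds** page, so confirm the current UI label before merging.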
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/office-365-encryption-risks-and-protections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/office-365-encryption-risks-and-protections.md
@@ -22,7 +22,7 @@ description: In this article, you'll learn about risks to Office 365 and the enc
# Encryption Risks and Protections
-Microsoft follows a control and compliance framework that focuses on risks to the Microsoft 365 service and to customer data. Microsoft implements a large set of technology and process-based methods (referred to as controls) to mitigate these risks. Identification, evaluation and mitigation of risks via controls is a continuous process.
+Microsoft follows a control and compliance framework that focuses on risks to the Microsoft 365 service and to customer data. Microsoft implements a large set of technology and process-based methods (referred to as controls) to mitigate these risks. Identification, evaluation, and mitigation of risks via controls is a continuous process.
The implementation of controls within various layers of our cloud services such as facilities, network, servers, applications, users (such as Microsoft administrators) and data form a defense-in-depth strategy. The key to this strategy is that many different controls are implemented at different layers to protect against the same or similar risk scenarios. This multi-layered approach provides fail-safe protection in case a control fails for some reason.
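Review bot: the Oxford comma change is fine; the unchanged context line that follows has a subject-verb mismatch that could ride along in the same edit: "The implementation of controls within various layers ... form a defense-in-depth strategy" should be "forms", since the subject is "implementation".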
@@ -35,20 +35,20 @@ Some risk scenarios and the currently available encryption technologies that mit
| Customer Key | SharePoint Online, OneDrive for Business, Exchange Online, and Skype for Business | Customer | N/A (This feature is designed as a compliance feature; not as a mitigation for any risk.) | Helps customers meet internal regulation and compliance obligations, and the ability to leave the service and revoke Microsoft's access to data | | TLS between Microsoft 365 and clients | Exchange Online, SharePoint Online, OneDrive for Business, Skype for Business, Teams, and Yammer | Microsoft, Customer | Man-in-the-middle or other attack to tap the data flow between Microsoft 365 and client computers over Internet. | This implementation provides value to both Microsoft and customers and assures data integrity as it flows between Microsoft 365 and the client. | | TLS between Microsoft datacenters | Exchange Online, SharePoint Online, OneDrive for Business, and Skype for Business | Microsoft | Man-in-the-middle or other attack to tap the customer data flow between Microsoft 365 servers located in different Microsoft datacenters. | This implementation is another method to protect data against attacks between Microsoft datacenters. |
-| Azure Rights Management (included in Microsoft 365 or Azure Information Protection) | Exchange Online, SharePoint Online, and OneDrive for Business | Customer | Data falls into the hands of a person who should not have access to the data. | Azure Information Protection uses Azure RMS which provides value to customers by using encryption, identity, and authorization policies to help secure files and email across multiple devices. Azure RMS provides value to customers where all emails originating from Microsoft 365 that match certain criteria (i.e., all emails to a certain address) can be automatically encrypted before they get sent to another recipient. |
+| Azure Rights Management (included in Microsoft 365 or Azure Information Protection) | Exchange Online, SharePoint Online, and OneDrive for Business | Customer | Data falls into the hands of a person who should not have access to the data. | Azure Information Protection uses Azure RMS, which provides value to customers by using encryption, identity, and authorization policies to help secure files and email across multiple devices. Azure RMS provides value to customers where all emails originating from Microsoft 365 that match certain criteria (i.e., all emails to a certain address) can be automatically encrypted before they get sent to another recipient. |
| S/MIME | Exchange Online | Customer | Email falls into the hands of a person who is not the intended recipient. | S/MIME provides value to customers by assuring that email encrypted with S/MIME can only be decrypted by the direct recipient of the email. | | Office 365 Message Encryption | Exchange Online, SharePoint Online | Customer | Email, including protected attachments, falls in hands of a person either within or outside Microsoft 365 who is not the intended recipient of the email. | OME provides value to customers where all emails originating from Microsoft 365 that match certain criteria (i.e., all emails to a certain address) are automatically encrypted before they get sent to another internal or an external recipient. | | SMTP TLS with partner organization | Exchange Online | Customer | Email is intercepted via a man-in-the-middle or other attack while in transit from a Microsoft 365 tenant to another partner organization. | This scenario provides value to the customer such that they can send/receive all emails between their Microsoft 365 tenant and their partner's email organization inside an encrypted SMTP channel. | ## Encryption technologies available in multi-tenant environments
-| Encryption Technology | Implemented by | Key Exchange Algorithm and Strength | Key Management* | FIPS 140-2 Validated |
+| Encryption Technology | Implemented by | Key Exchange Algorithm and Strength | Key Management\* | FIPS 140-2 Validated |
|----------------------------------------------------------------------------------|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| | BitLocker | Exchange Online | AES 256-bit | AES external key is stored in a Secret Safe and in the registry of the Exchange server. The Secret Safe is a secured repository that requires high-level elevation and approvals to access. Access can be requested and approved only by using an internal tool called Lockbox. The AES external key is also stored in the Trusted Platform Module in the server. A 48-digit numerical password is stored in Active Directory and protected by Lockbox. | Yes | | | SharePoint Online | AES 256-bit | AES external key is stored in a Secret Safe. The Secret Safe is a secured repository that requires high-level elevation and approvals to access. 
Access can be requested and approved only by using an internal tool called Lockbox. The AES external key is also stored in the Trusted Platform Module in the server. A 48-digit numerical password is stored in Active Directory and protected by Lockbox. | Yes | | | Skype for Business | AES 256-bit | AES external key is stored in a Secret Safe. The Secret Safe is a secured repository that requires high-level elevation and approvals to access. Access can be requested and approved only by using an internal tool called Lockbox. The AES external key is also stored in the Trusted Platform Module in the server. A 48-digit numerical password is stored in Active Directory and protected by Lockbox. | Yes | | Service Encryption | SharePoint Online | AES 256-bit | The keys used to encrypt the blobs are stored in the SharePoint Online Content Database. The SharePoint Online Content Database is protected by database access controls and encryption at rest. Encryption is performed using TDE in Azure SQL Database. These secrets are at the service level for SharePoint Online, not at the tenant level. These secrets (sometimes referred to as the master keys) are stored in a separate secure repository called the Key Store. TDE provides security at rest for both the active database and the database backups and transaction logs. When customers provide the optional key, the customer key is stored in Azure Key Vault, and the service uses the key to encrypt a tenant key, which is used to encrypt a site key, which is then used to encrypt the file level keys. Essentially, a new key hierarchy is introduced when the customer provides a key. | Yes |
-| | Skype for Business | AES 256-bit | Each piece of data is encrypted using a different randomly generated 256-bit key. The encryption key is stored in a corresponding metadata XML file which is also encrypted by a per-conference master key. The master key is also randomly generated once per conference. | Yes |
+| | Skype for Business | AES 256-bit | Each piece of data is encrypted using a different randomly generated 256-bit key. The encryption key is stored in a corresponding metadata XML file, which is also encrypted by a per-conference master key. The master key is also randomly generated once per conference. | Yes |
| | Exchange Online | AES 256-bit | Each mailbox is encrypted using a data encryption policy that uses encryption keys controlled by Microsoft (on roadmap) or by the customer (when Customer Key is used). | Yes | | TLS between Microsoft 365 and clients/partners | Exchange Online | [Opportunistic TLS supporting multiple cipher suites](https://technet.microsoft.com/library/mt163898.aspx) | The TLS certificate for Exchange Online (outlook.office.com) is a 2048-bit SHA256RSA certificate issued by Baltimore CyberTrust Root. <br> <br> The TLS root certificate for Exchange Online is a 2048-bit SHA1RSA certificate issued by Baltimore CyberTrust Root. | Yes, when TLS 1.2 with 256-bit cipher strength is used | | | SharePoint Online | TLS 1.2 with AES 256 <br> <br> [Data Encryption in OneDrive for Business and SharePoint Online](https://technet.microsoft.com/library/dn905447.aspx) | The TLS certificate for SharePoint Online (*.sharepoint.com) is a 2048-bit SHA256RSA certificate issued by Baltimore CyberTrust Root. <br> <br> The TLS root certificate for SharePoint Online is a 2048-bit SHA1RSA certificate issued by Baltimore CyberTrust Root. | Yes |
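Review bot: the edited Azure RMS row keeps "(i.e., all emails to a certain address)" where the parenthetical gives an example of a matching criterion rather than a restatement, so it should be "e.g."; the OME row in the unchanged context uses the same wording. Escaping the asterisk in "Key Management\*" is correct, because the raw `*` at the end of the header was being read as emphasis; the footnote that the asterisk refers to must use the same escape, which the next hunk does. The Exchange Online service-encryption row says keys are controlled by Microsoft "(on roadmap)", but the same row in the Government cloud table later on this page drops that qualifier; one of the two is stale and the author should confirm which.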
@@ -61,17 +61,17 @@ Some risk scenarios and the currently available encryption technologies that mit
| Office 365 Message Encryption | Exchange Online | Same as Azure RMS ([Cryptographic Mode 2](https://technet.microsoft.com/library/dn569290.aspx) - RSA 2048 for signature and encryption, and SHA-256 for signature) | Uses Azure Information Protection as its encryption infrastructure. The encryption method used depends on where you obtain the RMS keys used to encrypt and decrypt messages. | Yes | | SMTP TLS with partner organization | Exchange Online | TLS 1.2 with AES 256 | The TLS certificate for Exchange Online (outlook.office.com) is a 2048-bit SHA256RSA certificate issued by Baltimore CyberTrust Root. <br> <br> The TLS root certificate for Exchange Online is a 2048-bit SHA1RSA certificate issued by Baltimore CyberTrust Root. | Yes, when TLS 1.2 with 256-bit cipher strength is used |
-**TLS certificates referenced in this table are for US datacenters; non-US datacenters also use 2048-bit SHA256RSA certificates.*
+*\*TLS certificates referenced in this table are for US datacenters; non-US datacenters also use 2048-bit SHA256RSA certificates.*
## Encryption technologies available in Government cloud community environments
-| Encryption Technology | Implemented by | Key Exchange Algorithm and Strength | Key Management* | FIPS 140-2 Validated |
+| Encryption Technology | Implemented by | Key Exchange Algorithm and Strength | Key Management\* | FIPS 140-2 Validated |
|---------------------------------------------|--------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------| | BitLocker | Exchange Online | AES 256-bit | AES external key is stored in a Secret Safe and in the registry of the Exchange server. The Secret Safe is a secured repository that requires high-level elevation and approvals to access. Access can be requested and approved only by using an internal tool called Lockbox. The AES external key is also stored in the Trusted Platform Module in the server. A 48-digit numerical password is stored in Active Directory and protected by Lockbox. | Yes | | | SharePoint Online | AES 256-bit | AES external key is stored in a Secret Safe. The Secret Safe is a secured repository that requires high-level elevation and approvals to access. Access can be requested and approved only by using an internal tool called Lockbox. 
The AES external key is also stored in the Trusted Platform Module in the server. A 48-digit numerical password is stored in Active Directory and protected by Lockbox. | Yes | | | Skype for Business | AES 256-bit | AES external key is stored in a Secret Safe. The Secret Safe is a secured repository that requires high-level elevation and approvals to access. Access can be requested and approved only by using an internal tool called Lockbox. The AES external key is also stored in the Trusted Platform Module in the server. A 48-digit numerical password is stored in Active Directory and protected by Lockbox. | Yes | | Service Encryption | SharePoint Online | AES 256-bit | The keys used to encrypt the blobs are stored in the SharePoint Online Content Database. The SharePoint Online Content Databases is protected by database access controls and encryption at rest. Encryption is performed using TDE in Azure SQL Database. These secrets are at the service level for SharePoint Online, not at the tenant level. These secrets (sometimes referred to as the master keys) are stored in a separate secure repository called the Key Store. TDE provides security at rest for both the active database and the database backups and transaction logs. When customers provide the optional key, the Customer Key is stored in Azure Key Vault, and the service uses the key to encrypt a tenant key, which is used to encrypt a site key, which is then used to encrypt the file level keys. Essentially, a new key hierarchy is introduced when the customer provides a key. | Yes |
-| | Skype for Business | AES 256-bit | Each piece of data is encrypted using a different randomly generated 256-bit key. The encryption key is stored in a corresponding metadata XML file which is also encrypted by a per-conference master key. The master key is also randomly generated once per conference. | Yes |
+| | Skype for Business | AES 256-bit | Each piece of data is encrypted using a different randomly generated 256-bit key. The encryption key is stored in a corresponding metadata XML file, which is also encrypted by a per-conference master key. The master key is also randomly generated once per conference. | Yes |
| | Exchange Online | AES 256-bit | Each mailbox is encrypted using a data encryption policy that uses encryption keys controlled by Microsoft or by the customer (when Customer Key is used). | Yes | | TLS between Microsoft 365 and clients/partners | Exchange Online | [Opportunistic TLS supporting multiple cipher suites](https://technet.microsoft.com/library/mt163898.aspx) | The TLS certificate for Exchange Online (outlook.office.com) is a 2048-bit SHA256RSA certificate issued by Baltimore CyberTrust Root. <br> <br> The TLS root certificate for Exchange Online is a 2048-bit SHA1RSA certificate issued by Baltimore CyberTrust Root. | Yes, when TLS 1.2 with 256-bit cipher strength is used | | | SharePoint Online | TLS 1.2 with AES 256 | The TLS certificate for SharePoint Online (*.sharepoint.com) is a 2048-bit SHA256RSA certificate issued by Baltimore CyberTrust Root. <br> <br> The TLS root certificate for SharePoint Online is a 2048-bit SHA1RSA certificate issued by Baltimore CyberTrust Root. | Yes |
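Review bot: the footnote change from `**TLS certificates ...*` to `*\*TLS certificates ...*` fixes the rendering (the original opened bold and left a stray asterisk), so this is right. Two context-line nits in the same table could ride along: "The SharePoint Online Content Databases is protected" should be "Content Database is", matching the multi-tenant table, and "the Customer Key is stored in Azure Key Vault" is capitalised here but written "the customer key" in the multi-tenant table; pick one form.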
@@ -83,6 +83,6 @@ Some risk scenarios and the currently available encryption technologies that mit
| | SharePoint Online | Supports [Cryptographic Mode 2](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh867439(v=ws.10)), an updated and enhanced RMS cryptographic implementation. It supports RSA 2048 for signature and encryption, and SHA-256 for hash in the signature. | [Managed by Microsoft](https://docs.microsoft.com/azure/information-protection/plan-implement-tenant-key), which is the default setting; or <br> <br> Customer-managed (also known as BYOK), which is an alternative to Microsoft-managed keys. Organizations that have an IT-managed Azure subscription can use BYOK and log its usage at no extra charge. For more information, see [Implementing bring your own key](https://docs.microsoft.com/azure/information-protection/plan-implement-tenant-key). <br> <br> In the BYOK scenario, nCipher HSMs are used to protect your keys. For more information, see [nCipher HSMs and Azure RMS](https://www.thales-esecurity.com/msrms/cloud). | Yes | | S/MIME | Exchange Online | Cryptographic Message Syntax Standard 1.5 (PKCS #7) | Depends on the public key infrastructure deployed. | Yes, when configured to encrypt outgoing messages with 3DES or AES-256. | | Office 365 Message Encryption | Exchange Online | Same as Azure RMS ([Cryptographic Mode 2](https://technet.microsoft.com/library/dn569290.aspx) - RSA 2048 for signature and encryption, and SHA-256 for hash in the signature) | Uses Azure RMS as its encryption infrastructure. The encryption method used depends on where you obtain the RMS keys used to encrypt and decrypt messages. <br> <br> If you use Microsoft Azure RMS to obtain the keys, Cryptographic Mode 2 is used. If you use Active Directory (AD) RMS to obtain the keys, either Cryptographic Mode 1 or Cryptographic Mode 2 is used. The method used depends on your on-premises AD RMS deployment. Cryptographic Mode 1 is the original AD RMS cryptographic implementation. 
It supports RSA 1024 for signature and encryption and supports SHA-1 for signature. This mode continues to be supported by all current versions of RMS, except for BYOK configurations that use HSMs. | Yes |
-| SMTP TLS with partner organization | Exchange Online | TLS 1.2 with AES 256 | The TLS certificate for Exchange Online (outlook.office.com) is a 2048-bit SHA256RSA certificate issued by Baltimore CyberTrust Root. <br> <br> The TLS root certificate for Exchange Online is a 2048-bit sha1RSA certificate issued by Baltimore CyberTrust Root. <br> <br> Be aware that for security reasons, our certificates do change from time to time. | Yes |
+| SMTP TLS with partner organization | Exchange Online | TLS 1.2 with AES 256 | The TLS certificate for Exchange Online (outlook.office.com) is a 2048-bit SHA256RSA certificate issued by Baltimore CyberTrust Root. <br> <br> The TLS root certificate for Exchange Online is a 2048-bit sha1RSA certificate issued by Baltimore CyberTrust Root. <br> <br> Be aware that, for security reasons, our certificates do change from time to time. | Yes |
-**TLS certificates referenced in this table are for US datacenters; non-US datacenters also use 2048-bit SHA256RSA certificates.*
+*\*TLS certificates referenced in this table are for US datacenters; non-US datacenters also use 2048-bit SHA256RSA certificates.*
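Review bot: the comma insertion in "Be aware that, for security reasons, our certificates do change from time to time" is fine, but the same row writes the root as "2048-bit sha1RSA" while every other row on the page writes "SHA1RSA"; normalise the casing. Since the sentence tells partners that the certificate rotates, it is worth adding to the row or the footnote that SMTP TLS partner configurations should validate the chain to the Baltimore CyberTrust Root rather than pin the outlook.office.com leaf certificate, because a pinned leaf breaks at exactly the rotation the sentence warns about.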
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/sp-compatible-pdf-readers-for-irm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sp-compatible-pdf-readers-for-irm.md
@@ -25,7 +25,7 @@ Microsoft SharePoint 2013 supports Information Rights Management (IRM) protectio
To use PDF files in libraries that the owner has protected with IRM, the user will need to obtain one of the following PDF-compatible readers:
-|**Operating System**|**Compatible Readers**|**Download Link**|
+| Operating System | Compatible Readers | Download Link |
|:-----|:-----|:-----| |Windows Vista <br/> |Foxit Reader <br/> NitroPDF <br/> |[Download Foxit Reader](https://go.microsoft.com/fwlink/?linkid=2139326) <br/> [Download NitroPDF](https://go.microsoft.com/fwlink/?linkid=2139327) <br/> | |Windows 7 <br/> |Azure Information Protection app <br/> Foxit Reader <br/> NitroPDF <br/> Edge Chromium <br/>|[Download Azure Information Protection app](https://go.microsoft.com/fwlink/?linkid=837797) <br/> [Download Foxit Reader](https://go.microsoft.com/fwlink/?linkid=2139326) <br/> [Download NitroPDF](https://go.microsoft.com/fwlink/?linkid=2139327) <br/> [Download Edge Chromium](https://support.microsoft.com/microsoft-edge/download-the-new-microsoft-edge-based-on-chromium-0f4a3dd7-55df-60f5-739f-00010dba52cf) <br/>|
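Review bot: dropping the bold from the header row is fine, since table header cells render bold anyway, but the rows that follow (Windows Vista, Windows 7) still end each cell with a trailing `<br/>` before the closing `|`, which adds an empty line at the bottom of every rendered cell; trim those while the table is being touched.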
@@ -34,6 +34,6 @@ To use PDF files in libraries that the owner has protected with IRM, the user wi
|Windows 10 <br/> |Azure Information Protection app <br/> Foxit Reader <br/> NitroPDF <br/> Edge Chromium <br/> |[Download Azure Information Protection app](https://go.microsoft.com/fwlink/?linkid=837797) <br/> [Download Foxit Reader](https://go.microsoft.com/fwlink/?linkid=2139326) <br/> [Download NitroPDF](https://go.microsoft.com/fwlink/?linkid=2139327) <br/> [Download Edge Chromium](https://support.microsoft.com/microsoft-edge/download-the-new-microsoft-edge-based-on-chromium-0f4a3dd7-55df-60f5-739f-00010dba52cf) <br/> | |Android <br/> |Azure Information Protection app <br/> Foxit MobilePDF with RMS <br/> |[Download Azure Information Protection app](https://go.microsoft.com/fwlink/?linkid=836827) <br/> [Purchase Foxit MobilePDF](https://play.google.com/store/apps/details?id=com.foxit.mobile.pdf.lite) <br/> | |Windows Phone <br/> |N/A <br/> |N/A <br/> |
-|MacOS <br/> |N/A <br/> |N/A <br/> |
+|macOS <br/> |N/A <br/> |N/A <br/> |
|IOS <br/> |Azure Information Protection app <br/> Foxit MobilePDF with RMS <br/> |[Download Azure Information Protection app](https://go.microsoft.com/fwlink/?linkid=836828) <br/> [Purchase Foxit MobilePDF](https://play.google.com/store/apps/details?id=com.foxit.mobile.pdf.lite) <br/> |
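Review bot: `MacOS` is corrected to `macOS` in the `+` line, but the next row, just outside the changed line, still reads `IOS`; apply the same product-name fix (`iOS`) so the two Apple rows are consistent.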
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-history-metrics-trends https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/microsoft-secure-score-history-metrics-trends.md
@@ -26,7 +26,6 @@ ms.custom:
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - [Microsoft Secure Score](microsoft-secure-score.md) is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken. It can be found at https://security.microsoft.com/securescore in the [Microsoft 365 security center](overview-security-center.md). ## Gain insights into activity that has affected your score
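Review bot: the hunk header (`-26,7 +26,6`) records one removed line, but after extraction the only trace of it is the stray `-` between the INCLUDE directive and the first paragraph, which suggests the blank line separating them was deleted. Keep a blank line after `[!INCLUDE ...]` so the directive is not pulled into the paragraph, and consider turning the bare `https://security.microsoft.com/securescore` into a link.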
@@ -51,7 +50,7 @@ In the **Metrics & trends** tab, there are several graphs and charts to give you
* **Regression trend** - A timeline of points that have regressed because of configuration, user, or device changes. * **Comparison trend** - How your organization's Secure Score compares to others' over time. This view can include lines representing the score average of organizations with similar seat count and a custom comparison view that you can set. * **Risk acceptance trend** - Timeline of improvement actions marked as "risk accepted."
-* **Score changes** - The number of points achieved, points regressed, along with the subsequent score change, in the specified date range.
+* **Score changes** - The number of points achieved, points regressed, and changes to your score in the specified date range.
### Compare your score to organizations like yours
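Review bot: the reworded `+` line ("points achieved, points regressed, and changes to your score") drops "subsequent", so it no longer says the score change is the result of the first two; "and the resulting score change" keeps that relationship. The list also still uses `*` bullets, while the later hunk on this page for microsoft-secure-score-improvement-actions.md converts `*` to `-`; pick one bullet style across these pages.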
@@ -59,18 +58,18 @@ There are two places to see how your score compares to organizations that are si
#### Comparison bar chart
-The comparison bar chart is the **Overview** tab. Hover over the chart to view the score and score opportunity. The comparison data is anonymized so we donΓÇÖt know exactly which others tenant are in the mix.
+The comparison bar chart is the **Overview** tab. Hover over the chart to view the score and score opportunity. The comparison data is anonymized so we donΓÇÖt know exactly which others tenants are in the mix.
![Bar graph of similar organization's scores](../../media/secure-score/secure-score-comparison-bar.png) -- **Organizations like yours**: we give you an average score of other tenants (provided we have at least 5 or more tenants to compare) that qualify with the following criteria:
+- **Organizations like yours**: an average score of other tenants (provided we have at least five or more tenants to compare) that qualify with the following criteria:
1. Same industry 2. Same organization size 3. All regions 4. Microsoft products used are 80% similar 5. Opportunity (max score that can be achieved by current license) within a 20% range from your tenant -- **Custom Comparison**: needs to be setup up first by selecting **Manage Comparison** (only if we find 5 or more tenants) based on the following criteria:
+- **Custom Comparison**: needs to be set up by selecting **Manage Comparison** based on the following criteria:
1. Selected industry(s) 2. Selected organization size(s) 3. Selected region(s)
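Review bot: the `+` line for the comparison bar chart still carries the grammar error it was meant to fix ("which others tenants are in the mix" should be "which other tenants"), and "at least five or more tenants" in the Organizations like yours bullet says the same thing twice; "at least five tenants" is enough. The apostrophe in "donΓÇÖt" reads as a mis-decoded curly quote on both the `-` and `+` lines; check the file's encoding so it survives as `'`.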
@@ -78,7 +77,7 @@ The comparison bar chart is the **Overview** tab. Hover over the chart to view t
5. Microsoft products used are 80% similar 6. Opportunity (max score that can be achieved by current license) within a 20% range from your tenant
-If you have not made a selection for custom selection of the selection result in getting less than 5 other tenants that we can compare against, you will see ΓÇ£Not available due to limited dataΓÇ¥.
+If you've made a custom selection but the results have less than five other tenants that we can compare against, you'll see ΓÇ£Not available due to limited dataΓÇ¥.
#### Comparison trend
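Review bot: the `+` line's "have less than five other tenants" should be "fewer than five" (tenants are countable), and the quoted UI string still shows as `ΓÇ£Not available due to limited dataΓÇ¥`, mis-decoded curly quotes; plain `"` or correctly encoded quotes both render properly.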
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-improvement-actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/microsoft-secure-score-improvement-actions.md
@@ -37,13 +37,13 @@ To help you the information you need more quickly, Microsoft improvement actions
>[!NOTE] >In the recent release of Microsoft Secure Score, an improved scoring model has been released which made Microsoft Secure Score temporarily incompatible with Identity Secure Score and the Graph API. [View details](microsoft-secure-score-whats-new.md)
-In the Microsoft Secure Score overview page, see how points are split between these groups and what points are available. You can also get an all-up view of the total score, historical trend of your secure score with benchmark comparisons, and prioritized improvement actions that can be taken to improve your score.
+In the Microsoft Secure Score overview page, view how points are split between these groups and what points are available. You can also get an all-up view of the total score, historical trend of your secure score with benchmark comparisons, and prioritized improvement actions that can be taken to improve your score.
![Secure Score homepage](../../media/secure-score/secure-score-homepage-new.png) ## Check your current score
-To check on your current score, go to the Microsoft Secure Score overview page and look for the tile that says **Your secure score**. Your score will be shown as a percentage, along with the number of points you've achieved out of a total possible points.
+To check on your current score, go to the Microsoft Secure Score overview page and look for the tile that says **Your secure score**. Your score will be shown as a percentage, along with the number of points you've achieved out of the total possible points.
Additionally, if you select the **Include** button next to your score, you can choose different views of your score. These different score views will display in the graph on the score tile and the point breakdown chart.
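Review bot: the hunk's own context line, "To help you the information you need more quickly", is missing its verb ("To help you find the information"); since this change already rewrites the paragraph below it, fix it in the same commit. In the `+` line, "historical trend of your secure score" lower-cases the product name that the same sentence capitalizes as "Microsoft Secure Score".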
@@ -70,13 +70,14 @@ Ranking is based on the number of points left to achieve, implementation difficu
When you select a specific improvement action, a full page flyout appears. ![Improvement action flyout example](../../media/secure-score/secure-score-improvement-action-details.png)
-*Figure 2: Improvement action flyout example*
To complete the action, you have a few options:
-* Select **Manage** to go the configuration screen and make the change. You'll then gain the points that the action is worth, visible in the fly out. Points generally take about 24 hours to update.
+- Select **Manage** to go the configuration screen and make the change. You'll then gain the points that the action is worth, visible in the fly out. Points generally take about 24 hours to update.
-* Select **Share** to copy the direct link to the improvement action. You can also choose the platform to share the link, such as email, Microsoft Teams, Microsoft Planner, or ServiceNow. Selecting ServiceNow will let you create a change ticket that will be visible in ServiceNow and the Microsoft 365 security center home. To learn more, see [Microsoft 365 security center and ServiceNow integration](tickets-security-center.md).
+- Select **Share** to copy the direct link to the improvement action. You can also choose the platform to share the link, such as email, Microsoft Teams, Microsoft Planner, or ServiceNow. Selecting ServiceNow will let you create a change ticket that will be visible in ServiceNow and the Microsoft 365 security center home. To learn more, see [Microsoft 365 security center and ServiceNow integration](tickets-security-center.md).
+
+Add **Notes** to keep track of progress or anything else you want to comment on. If you add your own **tags** to the improvement action, you can filter by those tags.
### Choose an improvement action status
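Review bot: the converted `-` bullet for **Manage** still says "go the configuration screen" (missing "to") and "fly out", while the context line two lines up spells it "flyout"; fix both in the same bullet. Removing the "Figure 2" caption is fine as long as the image keeps its alt text, which it does.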
@@ -87,25 +88,25 @@ Choose any statuses and record notes specific to the improvement action.
- **Risk accepted** - Security should always be balanced with usability, and not every recommendation will work for your environment. When that is the case, you can choose to accept the risk, or the remaining risk, and not enact the improvement action. You won't be given any points, but the action will no longer be visible in the list of improvement actions. You can view this action in history or undo it at any time. - **Resolved through third party** and **Resolved through alternate mitigation** - The improvement action has already been addressed by a third-party application or software, or an internal tool. You'll gain the points that the action is worth, so your score better reflects your overall security posture. If a third party or internal tool no longer covers the control, you can choose another status. Keep in mind, Microsoft will have no visibility into the completeness of implementation if the improvement action is marked as either of these statuses.
-#### Threat & Vulnerability Management improvement actions
+#### Threat & vulnerability management improvement actions
-For improvement actions in the "Device" category, you won't be able to choose statuses. Instead, you'll be directed to the associated [Threat & Vulnerability Management (TVM) security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) in the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use) to take action. The exception you choose and justification you write will be specific to that portal. It won't be present in the Microsoft Secure Score portal.
+For improvement actions in the "Device" category, you can't choose statuses. Instead, you'll be directed to the associated [threat and vulnerability management security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) in the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use) to take action. The exception you choose and justification you write will be specific to that portal. It won't be present in the Microsoft Secure Score portal.
#### Completed improvement actions
-Improvement actions have a "completed" status once all possible points for the improvement action have been achieved. Completed improvement actions are confirmed though Microsoft data, and you won't be able to change the status.
+Improvement actions have a "completed" status once all possible points for the improvement action have been achieved. Completed improvement actions are confirmed though Microsoft data, and you can't change the status.
### Assess information and review user impact The section called **At a glance** will tell you the category, attacks it can protect against, and the product.
-The **User impact** shows what the users will experience if the improvement action is enacted, and **Users affectedΓÇï** shows who will experience it.
+**User impact** is what the users will experience if the improvement action is enacted, and **Users affectedΓÇï** are the people who will be impacted.
### Implement the improvement action The **Implementation** section shows any prerequisites, step-by-step next steps to complete the improvement action, the current implementation status of the improvement action, and any learn more links.
-Prerequisites include any licenses that need to be obtained or actions that need to be completed before the improvement action is addressed. Make sure you have enough seats in your license to complete the improvement action and that those licenses are applied to the necessary users.
+Prerequisites include any licenses that are needed or actions to be completed before the improvement action is addressed. Make sure you have enough seats in your license to complete the improvement action and that those licenses are applied to the necessary users.
## We want to hear from you
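Review bot: "confirmed though Microsoft data" in the Completed improvement actions `+` line should be "through"; the typo was carried over from the `-` line. In the User impact `+` line, **Users affectedΓÇï** contains a mis-decoded zero-width character right before the closing `**`, which can break the bold span; delete it. The heading now reads "Threat & vulnerability management" while the paragraph under it links "threat and vulnerability management"; use one form.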
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-whats-coming https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/microsoft-secure-score-whats-coming.md
@@ -31,6 +31,8 @@ We're making some changes in the near future to make [Microsoft Secure Score](mi
### No Planned Changes
+There are no planned changes at this time.
+ ## Related resources - [Microsoft Secure Score overview](microsoft-secure-score.md)
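Review bot: the hunk's context line says "We're making some changes in the near future", but the sentence added beneath the "No Planned Changes" heading says "There are no planned changes at this time"; one of the two statements should go, or the intro should be reworded. The heading is also in title case while the other headings on this page ("Related resources", "Security defaults") use sentence case.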
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-whats-new https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/microsoft-secure-score-whats-new.md
@@ -32,7 +32,7 @@ Microsoft Secure Score can be found at https://security.microsoft.com/securescor
## December 2020
-### Added 6 accounts-related improvement actions for Microsoft Defender for Endpoint (previously Microsoft Defender ATP):
+### Added six accounts-related improvement actions for Microsoft Defender for Endpoint (previously Microsoft Defender ATP):
- Set 'Minimum password length' to '14 or more characters' - Set 'Enforce password history' to '24 or more password(s)'
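Review bot: the `+` heading still ends with a colon ("(previously Microsoft Defender ATP):"); headings should not carry trailing punctuation, and the list that follows stands on its own. Spelling out "six" is consistent with the number style used elsewhere in this change.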
@@ -47,7 +47,7 @@ Microsoft Secure Score can be found at https://security.microsoft.com/securescor
The ability to create ServiceNow tickets through Secure Score by going to **Share > ServiceNow** is no longer available. Thank you for your feedback and continued support while we determine next steps.
-### Added 3 services-related improvement actions for Microsoft Defender for Endpoint (previously Microsoft Defender ATP):
+### Added three services-related improvement actions for Microsoft Defender for Endpoint (previously Microsoft Defender ATP):
- Fix unquoted service path for Windows services - Change service executable path to a common protected location
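Review bot: same trailing colon on the `+` heading as in the previous hunk; drop it. Since the two service-related actions listed (unquoted service paths, service executables outside a protected location) are hardening items whose purpose readers may not recognise, a short rationale or a link to the underlying recommendation would explain why each earns points.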
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/microsoft-secure-score.md
@@ -45,7 +45,7 @@ Organizations gain access to robust visualizations of metrics and trends, integr
You're given points for the following actions: - Configuring recommended security features-- Performing security-related tasks
+- Doing security-related tasks
- Addressing the improvement action with a third-party application or software, or an alternate mitigation Some improvement actions only give points when fully completed. Some give partial points if they're completed for some devices or users. If you can't or don't want to enact one of the improvement actions, you can choose to accept the risk or remaining risk.
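Review bot: the `+` line's "Doing security-related tasks" is vaguer than the "Performing security-related tasks" it replaces; if the change is for plain-language reasons, "Completing security-related tasks" keeps the meaning and stays parallel with "Configuring" and "Addressing" in the neighbouring bullets.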
@@ -60,7 +60,6 @@ Your score is updated in real time to reflect the information presented in the v
- [Compare your score to organizations like yours](microsoft-secure-score-history-metrics-trends.md#compare-your-score-to-organizations-like-yours) - [View improvement actions and decide an action plan](microsoft-secure-score-improvement-actions.md#take-action-to-improve-your-score) - [Initiate work flows to investigate or implement](microsoft-secure-score-improvement-actions.md#view-improvement-action-details)
- - [Microsoft 365 security center and ServiceNow integration](tickets-security-center.md)
### How improvement actions are scored
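Review bot: removing the ServiceNow integration link is consistent with the whats-new hunk above ("The ability to create ServiceNow tickets through Secure Score by going to **Share > ServiceNow** is no longer available"), but the improvement-actions hunk above still tells readers "Selecting ServiceNow will let you create a change ticket" and links the same tickets-security-center.md page; that text should be removed or updated in the same pass so the three pages agree.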
@@ -70,11 +69,19 @@ For example, an improvement action states you get 10 points by protecting all yo
### Products included in Secure Score
-Currently there are recommendations for Microsoft 365 (including Exchange Online), Azure Active Directory, Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Cloud App Security. Recommendations for other security products are coming soon. The recommendations won't cover all the attack surfaces associated with each product, but they're a good baseline. You can also mark the improvement actions as covered by a third party or alternate mitigation.
+Currently there are recommendations for the following products:
+
+- Microsoft 365 (including Exchange Online)
+- Azure Active Directory
+- Microsoft Defender for Endpoint
+- Microsoft Defender for Identity
+- Cloud App Security
+
+Recommendations for other security products are coming soon. The recommendations won't cover all the attack surfaces associated with each product, but they're a good baseline. You can also mark the improvement actions as covered by a third party or alternate mitigation.
### Security defaults
-Microsoft Secure Score has updated improvement actions to support [security defaults in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-security-defaults), which make it easier to help protect your organization with preconfigured security settings for common attacks.
+Microsoft Secure Score has updated improvement actions to support [security defaults in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-security-defaults), which make it easier to help protect your organization with pre-configured security settings for common attacks.
If you turn on security defaults, you'll be awarded full points for the following improvement actions:
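Review bot: the `+` line changes "preconfigured" to "pre-configured", which is a regression; the closed form is the standard spelling and matches the rest of the docs. The bulleted product list is a clearer layout than the run-on sentence it replaces, and the intro line reads better as "Currently, there are recommendations for the following products:".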
@@ -112,7 +119,7 @@ With read-only access, you aren't able to edit status or notes for an improvemen
## Risk awareness
-Microsoft Secure Score is a numerical summary of your security posture based on system configurations, user behavior, and other security-related measurements. It isn't an absolute measurement of how likely your system or data will be breached. Rather, it represents the extent to which you have adopted security controls in your Microsoft environment that can help offset the risk of being breached. No online service is completely immune from security breaches, and secure score shouldn't be interpreted as a guarantee against security breach in any manner.
+Microsoft Secure Score is a numerical summary of your security posture based on system configurations, user behavior, and other security-related measurements. It isn't an absolute measurement of how likely your system or data will be breached. Rather, it represents the extent to which you have adopted security controls in your Microsoft environment that can help offset the risk of being breached. No online service is immune from security breaches, and secure score shouldn't be interpreted as a guarantee against security breach in any manner.
## We want to hear from you
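Review bot: the `+` line's last sentence lower-cases "secure score" ("secure score shouldn't be interpreted") while the same paragraph opens with "Microsoft Secure Score"; capitalize the product name consistently. Dropping "completely" from "completely immune" is fine; the sentence is stronger without it.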