+ Title: "Configure Microsoft 365 support integration with Azure AD Auth Token"

+# Configure Microsoft 365 support integration with Azure AD Auth Token

+## Prerequisites (Azure AD Auth Token)

+1. \[AAD Admin\] Create Azure AD Application for Outbound under your Microsoft 365 tenant.

+1. \[AAD Admin\] Create an Azure AD Application for Rest API under your Microsoft 365 tenant.

+1. \[AAD Admin\] Create an Azure AD Application for Rest User under your Microsoft 365 tenant.

+ - Client ID: This is the Client ID of the application created in Prerequisites (Azure AD Auth Token) step \#1.

+ - Client Secret: This is the Client Secret value of the application created in Prerequisites (Azure AD Auth Token) step \#1.

+ - Client ID: The Client ID of the application created in Prerequisites (Azure AD Auth Token) step \#2.

+ - Client Secret: The App Secret of the application created in Prerequisites (Azure AD Auth Token) step \#2.

+ You must specify an integration user. If you donΓÇÖt have an existing integration user or if you want to create one specifically for this integration, go to **Organization > Users** to create a new user. The value of the **User ID** is the application Client ID created in [Prerequisites (Azure AD Auth Token)](#prerequisites-azure-ad-auth-token).

+ :::image type="content" source="../../media/ServiceNow-guide/snowaadoauth-1.png" lightbox="../../media/ServiceNow-guide/snowaadoauth-1.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+1. \[ServiceNow Admin\] Configure the environment and setup type.

+ If this installation is on a test environment, select the option This is a test environment. You will be able to quickly disable this option after the setup and all of your tests are completed later.

+ If your instance allows Basic Authentication for inbound connections, select Yes and refer to the [Basic Auth setup process](servicenow-basic-authentication.md). Otherwise, select **No** and click **Start setup**.

+ :::image type="content" source="../../media/ServiceNow-guide/snowaadoauth-2.png" lightbox="../../media/ServiceNow-guide/snowaadoauth-2.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+1. \[ServiceNow Admin\] Enter your Microsoft 365 tenant domain.

+ :::image type="content" source="../../media/ServiceNow-guide/snowaadoauth-3.png" lightbox="../../media/ServiceNow-guide/snowaadoauth-3.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+1. \[ServiceNow Admin\] Configure Outbound OAuth provider.

+ 1. Configure Outbound OAuth provider.

+ 1. After completing the instructions in the prerequisites section, click Done. Otherwise, follow the instructions in the wizard to create the necessary application registration in AAD.

+ :::image type="content" source="../../media/ServiceNow-guide/snowaadoauth-4.png" lightbox="../../media/ServiceNow-guide/snowaadoauth-4.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+ 1. Register the ServiceNow OAuth App.

+ 1. After completing the instructions in the prerequisites section, select the newly created OAuth application registration and click Next. Otherwise, follow the instructions to create the entity in ServiceNow and then select the new application registration.

+ :::image type="content" source="../../media/ServiceNow-guide/snowaadoauth-5.png" lightbox="../../media/ServiceNow-guide/snowaadoauth-5.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+1. \[ServiceNow Admin\] Configure Inbound settings.

+ 1. Configure the Inbound AAD App.

+ 1. After completing the instructions in the prerequisites section, click Done to go to the next step. Otherwise, follow the instructions to create the AAD App Registration for inbound connectivity.

+ :::image type="content" source="../../media/ServiceNow-guide/snowaadoauth-6.png" lightbox="../../media/ServiceNow-guide/snowaadoauth-6.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+ 1. Configure the ServiceNow External OpenID Connect Provider (OIDC Provider).

+ 1. After completing the instructions in the prerequisites section, select the newly created entity and click Done. Otherwise, follow the instructions to create the entity in ServiceNow and then select the new External OIDC Provider app registration.

+ :::image type="content" source="../../media/ServiceNow-guide/snowaadoauth-7.png" lightbox="../../media/ServiceNow-guide/snowaadoauth-7.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+ 1. Configure the AAD App Registration for Inbound Integration User.

+ 1. After completing the instructions in the prerequisites section, click Done to go to the next step. Otherwise, follow the instructions to create the AAD App Registration for inbound REST user (integration user).

+ :::image type="content" source="../../media/ServiceNow-guide/snowaadoauth-8.png" lightbox="../../media/ServiceNow-guide/snowaadoauth-8.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+ 1. Configure the Integration User.

+ 1. After completing the instructions in the prerequisites section, select the newly created entity and click Next. Otherwise follow the instructions to create the integration user in ServiceNow then select the entity.

+ :::image type="content" source="../../media/ServiceNow-guide/snowaadoauth-9.png" lightbox="../../media/ServiceNow-guide/snowaadoauth-9.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+ 1. Go to **Microsoft 365 Admin Portal > Settings > Org settings > Organization profiles**.

+ 1. Configure the support integration settings:

+ Select the **Basic information** tab > **Internal support tool** > **ServiceNow**, and enter the **Outbound App ID** value in the **Application ID to issue Auth Token** field. This Outbound App ID is on Step 6 ΓÇô Complete the Integration, which was created in [Prerequisites (Azure AD Auth Token)](#prerequisites-azure-ad-auth-token).

+ 1. On the **Repositories** tab, select **New repository** and update it with the following settings:

+ - Client secret: The secret of the inbound OAuth provider that was created in Prerequisites (Azure AD Auth Token) step \#2.

+ - Rest username: The **User Name** value from Step 6 ΓÇô Complete the Integration, which is the **Client ID** of the application created in Prerequisites (Azure AD Auth Token) step \#3.

+ - Rest user password: The App Secret of the application that was created in Prerequisites (Azure AD Auth Token) step \#3.

+ 1. Go back to ServiceNow.

+ 1. Select **Next** to complete the integration.

+ :::image type="content" source="../../media/ServiceNow-guide/snowaadoauth-10.png" lightbox="../../media/ServiceNow-guide/snowaadoauth-10.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+ The Microsoft 365 support integration app will execute tests to ensure the integration is working. If there is a problem with the configuration, an error message will explain what needs to be fixed. Otherwise, the application is ready.

+ :::image type="content" source="../../media/ServiceNow-guide/snowaadoauth-11.png" lightbox="../../media/ServiceNow-guide/snowaadoauth-11.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+1. \[AAD Admin\] Create Azure AD Application under your Microsoft 365 tenant.

+ :::image type="content" source="../../media/ServiceNow-guide/snowbasic-1.png" lightbox="../../media/ServiceNow-guide/snowbasic-1.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+1. \[ServiceNow Admin\] Configure the environment and setup type.

+ If this installation is on a test environment, select the option This is a test environment. You will be able to quickly disable this option after the setup and all of your tests are completed later.

+ If your instance allows Basic Authentication for inbound connections, select Yes, otherwise please refer to the [Advanced Setup with AAD](servicenow-aad-oauth-token.md).

+ :::image type="content" source="../../media/ServiceNow-guide/snowbasic-2.png" lightbox="../../media/ServiceNow-guide/snowbasic-2.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+1. \[ServiceNow Admin\] Enter your Microsoft 365 tenant domain.

+ :::image type="content" source="../../media/ServiceNow-guide/snowbasic-3.png" lightbox="../../media/ServiceNow-guide/snowbasic-3.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+1. \[ServiceNow Admin\] Configure Outbound settings.

+ 1. Register the Azure Active Directory (AAD) App.

+ 1. After completing the instructions in the prerequisites section, click **Done**. Otherwise, follow the instructions in the wizard to create the necessary application registration in AAD.

+ :::image type="content" source="../../media/ServiceNow-guide/snowbasic-4.png" lightbox="../../media/ServiceNow-guide/snowbasic-4.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+ 1. Register the ServiceNow OAuth App.

+ 1. After completing the instructions in the prerequisites section, select the newly created OAuth application registration and click Next. Otherwise, follow the instructions to create the entity in ServiceNow and then select the new application registration.

+ :::image type="content" source="../../media/ServiceNow-guide/snowbasic-5.png" lightbox="../../media/ServiceNow-guide/snowbasic-5.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+1. \[ServiceNow Admin\] Configure Inbound settings.

+ 1. Configure the Inbound OAuth API endpoint.

+ 1. After completing the instructions in the prerequisites section, select the newly created OAuth application registration and click Done. Otherwise, follow the instructions to create the entity in then select the new REST endpoint registration.

+ :::image type="content" source="../../media/ServiceNow-guide/snowbasic-6.png" lightbox="../../media/ServiceNow-guide/snowbasic-6.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+ 1. Configure the Integration User.

+ 1. After completing the instructions in the prerequisites section, select the newly created integration user and click Next. Otherwise, follow the instructions to create the entity in ServiceNow and then select the new integration user.

+ :::image type="content" source="../../media/ServiceNow-guide/snowbasic-7.png" lightbox="../../media/ServiceNow-guide/snowbasic-7.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+1. \[Microsoft 365 Tenant Admin\] Complete the integration in the Microsoft 365 Admin Portal.

+ Select the **Basic information** tab > **Internal support tool** > **ServiceNow**, and enter the **Outbound App ID** value in the **Application ID to issue Auth Token** field. This Outbound App ID is on Step 6 ΓÇô Complete the Integration, which was created in [Prerequisite (Basic Authentication) step \#1](#prerequisites-basic-authentication).

+1. \[ServiceNow Admin\] Test the connection

+ After completing the previous step, click **Test connection**.

+ :::image type="content" source="../../media/ServiceNow-guide/snowbasic-8.png" lightbox="../../media/ServiceNow-guide/snowbasic-8.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+ The Microsoft 365 support integration app will execute tests to ensure the integration is working. If there is a problem with the configuration, an error message will explain what needs to be fixed. Otherwise, the application is ready.

+ :::image type="content" source="../../media/ServiceNow-guide/snowbasic-9.png" lightbox="../../media/ServiceNow-guide/snowbasic-9.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

+1. \[OPTIONAL\] [The user with role x_mioms_m365_assis.administrator link] Link Microsoft 365 Admin account.

+ If any user has the role x_mioms_m365_assis.administrator and is using different Microsoft 365 accounts to manage a Microsoft 365 support case, they must go to Microsoft 365 support > Link Account to set up their Microsoft 365 admin email.

+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image21.png" alt-text="Graphical user interface, text, application Description automatically generated":::

+- Azure Active Directory (AAD) admin who can create Azure AD Applications

+- Create ServiceNow entities with Microsoft Azure AD Application for both outbound and inbound data flow.

+| No | Yes | Service Health Incidents Recommended Solutions Microsoft service request | [Set up Microsoft 365 support integration with Azure AD Auth Token](servicenow-aad-oauth-token.md) |

+1. \[AAD Admin\] Create Azure AD Application for Outbound under your Microsoft 365 tenant.

+ Select the **Basic information** tab > **Internal support tool** > **ServiceNow**, and enter the **Outbound App ID** value in the **Application ID to issue Auth Token** field. This Outbound App ID is on Step 6 ΓÇô Complete the Integration, which was created in [Prerequisite (Insights ONLY) step \#1](#prerequisites-service-health-incidents-and-recommended-solutions-only).

+ Because this labeling is applied by services rather than by applications, you don't need to worry about what apps users have and what version. As a result, this capability is immediately available throughout your organization and suitable for labeling at scale. Auto-labeling policies don't support recommended labeling because the user doesn't interact with the labeling process. Instead, the administrator runs the policies in simulation to help ensure the correct labeling of content before actually applying the label.

+#### Deleted OneDrive accounts and simulation results

+Expect possible display discrepancies in the simulation results when deleted OneDrive accounts are still in the [retention stage of the deletion process](/onedrive/retention-and-deletion#the-onedrive-deletion-process). For example, an employee has left the organization and their manager has temporary access to that user's OneDrive files.

+In this scenario, if the OneDrive account was specified by URL in the auto-labeling policy, matched files from the deleted OneDrive account are included in the simulation results.

+However, if the OneDrive account wasn't specified by URL, but was included with the **All** default setting:

+- When the SharePoint location is included in the policy, matched files from the deleted OneDrive account display as SharePoint items in the simulation results.

+- When the SharePoint location isn't included in the policy, matched files from the deleted OneDrive account aren't included in the simulation results.

+In all cases, matched files are labeled until the OneDrive account is permanently deleted. The display discrepancies listed apply only to the simulation results.

+Auto-labeling policies run continuously until they're deleted. For example, new and modified files will be included with the current policy settings.

+The labeling progress includes the files to be labeled by the policy, the files labeled in the last seven days, and the total files labeled. Because of the maximum of labeling 25,000 files a day, this information provides you with visibility into the current labeling progress for your policy and how many files are still to be labeled.

+Investigating risky user activities is an important first step in minimizing insider risks for your organization. These risks may be activities that generate alerts from insider risk management policies, or risks from activities that are detected by policies but don't immediately create an insider risk management alert for users. You can investigate these types of activities by using the **User activity reports (preview)** or with the **Alert dashboard**.

+After you've configured indicators on the insider risk management **Settings** page, user activity is detected for risky activity associated with the selected indicators. You don't have to configure a policy for user activity reports to detect and report risky activities by users in your organization. Activities included in user activity reports don't require triggering events for the activities to be displayed. This configuration means that all detected activity for the user is available for review, regardless if it has a triggering event or if it creates an alert. Reports are created on a per-user basis and can include all activities for a custom 90-day period. Multiple reports for the same user aren't supported.

+New reports typically take up to 10 hours before they're ready for review. When the report is ready, you'll see *Report ready* in the **Status** column on the User activity report page. Select the user to view the detailed report:

+- **Needs review**: A new alert where triage actions haven't yet been taken.

+Alert risk scores are automatically calculated from several risk activity indicators. These indicators include the type of risk activity, the number and frequency of the activity occurrence, the history of user risk activity, and the addition of activity risks that may boost the seriousness of the activity. The alert risk score drives the programmatic assignment of a risk severity level for each alert and can't be customized. If alerts remain untriaged and risk activities continue to accrue to the alert, the risk severity level can increase. Risk analysts and investigators can use the alert risk severity to help triage alerts in accordance with your organization's risk policies and standards.

+- **Low severity**: The activities and indicators for the alert pose a minor risk. The associated risk activities are minor, more infrequent, and don't corelate to other significant risk factors.

+3. On the **Alert detail** page, you can review information about the alert and you can confirm the alert and create a new case, confirm the alert and add to an existing case, or to dismiss the alert. This page also includes the current status for the alert and the alert risk severity level, listed as High, Medium, or Low. The severity level may increase or decrease over time if the alert isn't triaged.

+## Retention and item limits

+As insider risk management alerts age, their value to minimize risky activity diminishes for most organizations. Conversely, active cases and associated artifacts (alerts, insights, activities) are always valuable to organizations and shouldn't have an automatic expiration date. This includes all future alerts and artifacts in an active status for any user associated with an active case.

+To help minimize the number of older items that provide limited current value, the following retention and limits apply for insider risk management alerts, cases, and user activity reports:

+|**Item**|**Retention/Limit**|

+|:-|:|

+| Alerts with Needs review status | 120 days from alert creation, then automatically deleted |

+| Active cases (and associated artifacts) | Indefinite retention, never expire |

+| Resolved cases (and associated artifacts) | 120 days from case resolution, then automatically deleted |

+| Maximum number of active cases | 100 |

+| User activities reports | 120 days from activity detection, then automatically deleted |

+- **Cumulative exfiltration detection**: Cumulative exfiltration detection analyzes event logs, but applies a model that includes de-duplicating similar activities to compute cumulative exfiltration risk. Additionally, there may also be a difference in the number of activities displayed in the Activity explorer if you have made changes to your existing policy or settings. For example, if you modify allowed/unallowed domains or add new file type exclusions after a policy has been created and activity matches have occurred, the cumulative exfiltration detection activities will differ from the results before the policy or settings changes. Cumulative exfiltration detection activity totals are based on the policy and settings configuration at the time of computation and don't include activities prior to the policy and settings changes

+- **Assign users as analysts and investigators**. Having the right user assigned to the proper roles is an important part of the insider risk alert review process. Make sure you've assigned the appropriate users to the *Insider Risk Management Analysts* and *Insider Risk Management Investigators* role groups.

+> If you want to use Exchange Management PowerShell to enable and configure privileged access, follow the steps in [Connect to Exchange Online PowerShell using Multi-Factor authentication](/powershell/exchange/connect-to-exchange-online-powershell#connect-to-exchange-online-powershell-using-mfa) to connect to Exchange Online PowerShell with your Office 365 credentials. You do not need to enable multi-factor authentication for your organization to use the steps to enable privileged access while connecting to Exchange Online PowerShell. Connecting with multi-factor authentication creates an Auth Token that is used by privileged access for signing your requests.

+The modified date of the OneNote page itself doesn't change after it's created.

+Some network endpoints were previously published and haven't been included in the [Office 365 IP Address and URL Web Service](microsoft-365-ip-web-service.md). The web service publishes network endpoints that are required for Office 365 connectivity across an enterprise perimeter network. This scope currently doesn't include:

+|1|**[Import Service](https://support.office.com/article/use-network-upload-to-import-your-organization-pst-files-to-office-365-103f940c-0468-4e1a-b527-cc8ad13a5ea6) for PST and file ingestion**|Refer to the [Import Service](https://support.office.com/article/use-network-upload-to-import-your-organization-pst-files-to-office-365-103f940c-0468-4e1a-b527-cc8ad13a5ea6) for more requirements.|Uncommon outbound scenario|

+|2|**[Microsoft Support and Recovery Assistant for Office 365](https://diagnostics.office.com/#/)**|<https://autodiscover.outlook.com> <br> <https://officecdn.microsoft.com> <br> <https://api.diagnostics.office.com> <br> <https://apibasic.diagnostics.office.com> <br> <https://autodiscover-s.outlook.com> <br> <https://cloudcheckenabler.azurewebsites.net> <br> <https://login.live.com> <br> <https://login.microsoftonline.com> <br> <https://login.windows.net> <br> <https://o365diagtelemetry.trafficmanager.net> <br> <https://odc.officeapps.live.com> <br> <https://offcatedge.azureedge.net> <br> <https://officeapps.live.com> <br> <https://outlook.office365.com> <br> <https://outlookdiagnostics.azureedge.net>|Outbound server traffic|

+|3|**Azure AD Connect (w/SSO option)** <p> WinRM & remote PowerShell|Customer STS environment (AD FS Server and AD FS Proxy) \| TCP ports 80 & 443|Inbound server traffic|

+|4|**STS** such as AD FS Proxy server(s) (for federated customers only)|Customer STS (such as AD FS Proxy) \| Ports TCP 443 or TCP 49443 w/ClientTLS|Inbound server traffic|

+|5|**[Exchange Online Unified Messaging/SBC integration](/exchange/voice-mail-unified-messaging/telephone-system-integration-with-um/configuration-notes-for-session-border-controllers)**|Bidirectional between on-premises Session Border Controller and \*.um.outlook.com|Outbound server-only traffic|

+|6|**Mailbox Migration**<p>When mailbox migration is initiated from on-premises [Exchange Hybrid](/exchange/exchange-deployment-assistant) to Office 365, Office 365 will connect to your published Exchange Web Services (EWS)/Mailbox Replication Services (MRS) server. If you need the NAT IP addresses used by Exchange Online servers to restrict inbound connections from specific source IP ranges, they are listed in [Office 365 URL & IP ranges](urls-and-ip-address-ranges.md) under the "Exchange Online" service area. <p> Care should be taken to ensure that access to published EWS endpoints like OWA is not impacted by ensuring the MRS proxy resolves to a separate FQDN and public IP address before restricting TCP 443 connections from specific source IP ranges.|Customer on-premises EWS/MRS Proxy <br> TCP port 443|Inbound server traffic|

+|7|**[Exchange Hybrid](/exchange/exchange-deployment-assistant) coexistence functions** such as Free/Busy sharing.|Customer on-premises Exchange server|Inbound server traffic|

+|8|**[Exchange Hybrid](/exchange/exchange-deployment-assistant) proxy authentication**|Customer on-premises STS|Inbound server traffic|

+|9|Used to configure [Exchange Hybrid](/exchange/exchange-deployment-assistant), using the **[Exchange Hybrid Configuration Wizard](/exchange/hybrid-configuration-wizard)** <p> Note: These endpoints are only required to configure Exchange hybrid|domains.live.com on TCP ports 80 & 443, only required for Exchange 2010 SP3 Hybrid Configuration Wizard <p> GCC High, DoD IP addresses: 40.118.209.192/32; 168.62.190.41/32 <p> Worldwide Commercial & GCC: \*.store.core.windows.net; asl.configure.office.com; tds.configure.office.com; mshybridservice.trafficmanager.net ; <br> aka.ms/hybridwizard; <br> shcwreleaseprod.blob.core.windows.net/shcw/\*;|Outbound server-only traffic|

+|10|The **AutoDetect service** is used in [Exchange Hybrid](/exchange/exchange-deployment-assistant) scenarios with [Hybrid Modern Authentication with Outlook for iOS and Android](/Exchange/clients/outlook-for-ios-and-android/use-hybrid-modern-auth) <p> `*.acompli.net` <br> `*.outlookmobile.com` <br> `*.outlookmobile.us` <br> `52.125.128.0/20` <br> `52.127.96.0/23`|Customer on-premises Exchange server on TCP 443|Inbound server traffic|

+|11|**Exchange hybrid Azure AD authentication**|*.msappproxy.net|TCP outbound server-only traffic|

+|12|Skype for Business in Office 2016 includes **video based screen sharing**, which uses UDP ports. Prior Skype for Business clients in Office 2013 and earlier used RDP over TCP port 443.|TCP port 443 opens to 52.112.0.0/14|Skype for Business older client versions in Office 2013 and earlier|

+|13|**Skype for Business hybrid on-premises server connectivity** to Skype for Business Online|13.107.64.0/18, 52.112.0.0/14 <br> UDP ports 50,000-59,999 <br> TCP ports 50,000-59,999; 5061|Skype for Business on-premises server outbound connectivity|

+|14|**Cloud PSTN** with on-premises hybrid connectivity requires network connectivity open to the on-premises hosts. For more details about Skype for Business Online hybrid configurations|See [Plan hybrid connectivity between Skype for Business Server and Office 365](/skypeforbusiness/hybrid/plan-hybrid-connectivity)|Skype for Business on-premises hybrid inbound|

+|19|Use **[Azure AD Connect](/azure/active-directory/hybrid/)** to sync on-premises user accounts to Azure AD.|See [Hybrid Identity Required Ports and Protocols](/azure/active-directory/hybrid/reference-connect-ports), [Troubleshoot Azure AD connectivity](/azure/active-directory/hybrid/tshoot-connect-connectivity), and [Azure AD Connect Health Agent Installation](/azure/active-directory/hybrid/how-to-connect-health-agent-install#outbound-connectivity-to-the-azure-service-endpoints).|Outbound server-only traffic|

+|20|**[Azure AD Connect](/azure/active-directory/hybrid/)** with 21 ViaNet in China to sync on-premises user accounts to Azure AD.|\*.digicert.com:80 <BR> \*.entrust.net:80 <BR> \*.chinacloudapi.cn:443 <br> secure.aadcdn.partner.microsoftonline-p.cn:443 <br> \*.partner.microsoftonline.cn:443 <p> Also see [Troubleshoot ingress with Azure AD connectivity issues](https://docs.azure.cn/zh-cn/active-directory/hybrid/tshoot-connect-connectivity).|Outbound server-only traffic|

+|21|**Microsoft Stream** (needs the Azure AD user token). <br> Office 365 Worldwide (including GCC)|\*.cloudapp.net <br> \*.api.microsoftstream.com <br> \*.notification.api.microsoftstream.com <br> amp.azure.net <br> api.microsoftstream.com <br> az416426.vo.msecnd.net <br> s0.assets-yammer.com <br> vortex.data.microsoft.com <br> web.microsoftstream.com <br> TCP port 443|Inbound server traffic|

+|22|Use **MFA server** for multi-factor authentication requests, both new installations of the server and setting it up with Active Directory Domain Services (AD DS).|See [Getting started with the Azure AD multi-factor authentication Server](/azure/active-directory/authentication/howto-mfaserver-deploy#plan-your-deployment).|Outbound server-only traffic|

+|23|**Microsoft Graph Change Notifications** <p> Developers can use [change notifications](/graph/webhooks?context=graph%2fapi%2f1.0&view=graph-rest-1.0) to subscribe to events in the Microsoft Graph.|Public Cloud: 52.159.23.209, 52.159.17.84, 52.147.213.251, 52.147.213.181, 13.85.192.59, 13.85.192.123, 13.89.108.233, 13.89.104.147, 20.96.21.67, 20.69.245.215, 137.135.11.161, 137.135.11.116, 52.159.107.50, 52.159.107.4, 52.229.38.131, 52.183.67.212, 52.142.114.29, 52.142.115.31, 51.124.75.43, 51.124.73.177, 20.44.210.83, 20.44.210.146, 40.80.232.177, 40.80.232.118, 20.48.12.75, 20.48.11.201, 104.215.13.23, 104.215.6.169, 52.148.24.136, 52.148.27.39, 40.76.162.99, 40.76.162.42, 40.74.203.28, 40.74.203.27, 13.86.37.15, 52.154.246.238, 20.96.21.98, 20.96.21.115, 137.135.11.222, 137.135.11.250, 52.159.109.205, 52.159.102.72, 52.151.30.78, 52.191.173.85, 51.104.159.213, 51.104.159.181, 51.138.90.7, 51.138.90.52, 52.148.115.48, 52.148.114.238, 40.80.233.14, 40.80.239.196, 20.48.14.35, 20.48.15.147, 104.215.18.55, 104.215.12.254, 20.199.102.157, 20.199.102.73, 13.87.81.123, 13.87.81.35, 20.111.9.46, 20.111.9.77, 13.87.81.133, 13.87.81.141 <p> Microsoft Cloud for US Government: 52.244.33.45, 52.244.35.174, 52.243.157.104, 52.243.157.105, 52.182.25.254, 52.182.25.110, 52.181.25.67, 52.181.25.66, 52.244.111.156, 52.244.111.170, 52.243.147.249, 52.243.148.19, 52.182.32.51, 52.182.32.143, 52.181.24.199, 52.181.24.220 <p> Microsoft Cloud China operated by 21Vianet: 42.159.72.35, 42.159.72.47, 42.159.180.55, 42.159.180.56, 40.125.138.23, 40.125.136.69, 40.72.155.199, 40.72.155.216 <br> TCP port 443 <p> Note: Developers can specify different ports when creating the subscriptions.|Inbound server traffic|

+|24|**Network Connection Status Indicator**<p>Used by Windows 10 and 11 to determine if the computer is connected to the internet (does not apply to non-Windows clients). When this URL cannot be reached, Windows will assume it is not connected to the Internet and M365 Apps for Enterprise will not try to verify activation status, causing connections to Exchange and other services to fail.|www.mstfconnecttest.com <br> 13.107.4.52<p>Also see [Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints) and [Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints).|Outbound server-only traffic|

+### Security analyzer

+The [Security analyzer](https://aka.ms/securityanalyzer) will analyze your security approach and introduce you to Microsoft integrated security and compliance solutions that can improve your security posture. YouΓÇÖll learn about advanced features, such as managing identities and helping to protect against modern attacks. You can then sign up for a trial subscription and be pointed to the corresponding setup guidance for each solution.

+|**Last updated:** 01/28/2022 - |

+#### [Attack surface reduction overview](overview-attack-surface-reduction.md)

+##### [ASR rules deployment overview](attack-surface-reduction-rules-deployment.md)

+##### [Attack surface reduction FAQ](attack-surface-reduction-faq.yml)

+#### [Controlled folder access]()

+##### [Protect folders](controlled-folders.md)

+##### [Evaluate controlled folder access](evaluate-controlled-folder-access.md)

+##### [Enable controlled folder access](enable-controlled-folders.md)

+##### [Customize controlled folder access](customize-controlled-folders.md)

+#### [Exploit protection]()

+##### [Protect devices from exploits](exploit-protection.md)

+##### [Exploit protection evaluation](evaluate-exploit-protection.md)

+##### [Enable exploit protection](enable-exploit-protection.md)

+##### [Customize exploit protection](customize-exploit-protection.md)

+##### [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)

+##### [Exploit protection reference](exploit-protection-reference.md)

+#### [Network protection]()

+##### [Protect your network](network-protection.md)

+##### [Evaluate network protection](evaluate-network-protection.md)

+##### [Turn on network protection](enable-network-protection.md)

+Following privacy controls are available for configuring the data that is sent by Defender for Endpoint from Android devices:

+|Threat Report |Details |

+|--|-|

+|Malware report |Admins can setup privacy control for malware report - If privacy is enabled, then Defender for Endpoint will not send the malware app name and other app details as part of the malware alert report |

+|Phish report |Admins can setup privacy control for phish report - If privacy is enabled, then Defender for Endpoint will not send the domain name and details of the unsafe website as part of the phish alert report |

+|Vulnerability assessment of apps (Android-only) |By default only information about apps installed in the work profile are sent for vulnerability assessment. Admins can disable privacy to include personal apps|

+- For other BYOD modes, by default, vulnerability assessment of apps will **not** be enabled. However, when the device is on administrator mode, admins can explicitly enable this feature through Microsoft Endpoint Manager to get the list of apps installed on the device. For more information, see details below.

+For Android Enterprise Fully managed devices - Information about Android application packages (APKs) installed on the device including

+- Name and package name of the app

+- Version number of the app

+- Vendor name

+For Android Enterprise with a work profile - Information about Android application packages (APKs) installed on the Work profile of the device including

+- Name and package name of the app

+- Version number of the app

+- Vendor name

+*Your organization can also choose to configure Defender for Endpoint to send information about all apps installed on the device. By default, this information is not sent to your organization.*

+- Full URL of the website only when a malicious connection or web page is detected and blocked.

+## Improved experience on supervised iOS devices

+Microsoft Defender for Endpoint on iOS now has specialized ability on supervised iOS/iPadOS devices, given the increased management capabilities provided by the platform on these types of devices. It can also provide Web Protection **without setting up a local VPN on the device**. This gives end-users a seamless experience while still being protected from phishing and other web-based attacks. For details, visit [this documentation](ios-install.md#complete-deployment-for-supervised-devices)

+On January 25, 2022, we announced the general availability of Threat and Vulnerability management on Android and iOS. For more details, see [the techcommunity post here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-general-availability-of-vulnerability-management/ba-p/3071663).

+|Threat and Vulnerability Management (TVM)|Vulnerability assessment of onboarded mobile devices. Visit this [page](next-gen-threat-and-vuln-mgt.md) to learn more about threat and vulnerability management in Microsoft Defender for Endpoint. *Note that on iOS only OS vulnerabilities are currently supported*|

+|Privacy Controls. In preview (see note below)|Configure privacy in the threat reports by controlling the data sent by Microsoft Defender for Endpoint. *Note that privacy controls are currently available only for enrolled devices. Controls for unenrolled devices will be added later*|

+> Privacy controls for Android and iOS are currently in preview and may be substantially modified before it's commercially released.

+### Deploy

+The following table summarizes how to deploy Microsoft Defender for Endpoint on Android and iOS. For detailed documentation, see

+- [Overview of Microsoft Defender for Endpoint on Android](microsoft-defender-endpoint-android.md), and

+- [Overview of Microsoft Defender for Endpoint on iOS](microsoft-defender-endpoint-ios.md)

+**Android**

+|Enrollment type |Details |

+|--|-|

+|Android Enterprise with Intune Unified Endpoint Manager (Microsoft Endpoint Manager)|[Deploy on Android Enterprise enrolled devices](android-intune.md#deploy-on-android-enterprise-enrolled-devices)|

+|Device Administrator with Intune Unified Endpoint Manager (Microsoft Endpoint Manager)|[Deploy on Device Administrator enrolled devices](android-intune.md#deploy-on-device-administrator-enrolled-devices)|

+|Unmanaged BYOD OR devices managed by other Unified Endpoint Managers / Setup app protection policy (MAM)|[Configure Defender risk signals in app protection policy (MAM)](android-configure-mam.md)|

+**iOS**

+|Enrollment type |Details |

+|--|-|

+|Supervised devices with Intune Unified Endpoint Manager (Microsoft Endpoint Manager)|1. [Deploy as iOS store app](ios-install.md)<br/>2. [Setup Web Protection without VPN for supervised iOS devices](ios-install.md#complete-deployment-for-supervised-devices)|

+|Unsupervised (BYOD) devices enrolled with Intune UEM (Microsoft Endpoint Manager)|[Deploy as iOS store app](ios-install.md)|

+|Unmanaged BYOD OR devices managed by other UEMs / Setup app protection policy (MAM)|[Configure Defender risk signals in app protection policy (MAM)](ios-install-unmanaged.md)|

+- [Configure Zero-touch onboard for iOS enrolled devices](ios-install.md#zero-touch-onboarding-of-microsoft-defender-for-endpoint-preview): Admins can configure zero-touch install to silently onboard Microsoft Defender for Endpoint on enrolled iOS devices without requiring the user to open the app.

+- [iOS - Zero-Touch Onboard](ios-install.md#zero-touch-onboarding-of-microsoft-defender-for-endpoint-preview)

+## Pilot evaluation

+While evaluating mobile threat defense with Microsoft Defender for Endpoint, you can verify that certain criteria is met before proceeding to deploy the service to a larger set of devices. You can define the exit criteria and ensure that they are satisfied before deploying widely.

+This helps reduce potential issues that could arise while rolling out the service. Here are some tests and exit criteria that might help:

+- Devices show up in the device inventory list: After successful onboarding of Defender for Endpoint on the mobile device, verify that the device is listed in the Device Inventory in the [security console](https://security.microsoft.com).

+- Run a malware detection test on an Android device: Install any test virus app from the Google play store and verify that it gets detected by Microsoft Defender for Endpoint. Here is an example app that can be used for this test: [Test virus](https://play.google.com/store/apps/details?id=com.androidantivirus.testvirus). Note that on Android Enterprise with a work profile, only the work profile is supported.

+- Run a phishing test: Browse to https://smartscreentestratings2.net and verify that it gets blocked by Microsoft Defender for Endpoint. Note that on Android Enterprise with a work profile, only the work profile is supported.

+- Alerts appear in dashboard: Verify that alerts for above detection tests appear on the [security console](https://security.microsoft.com).

+Windows Server 2022|Yes|Yes|Yes|Not supported|Yes

+ Title: Simulate a phishing attack with Attack simulation training

+# Simulate a phishing attack with Attack simulation training in Defender for Office 365

+ - **Search for users or groups**: In box, you can type part of the **Name** or **Email address** of the user or group and then press Enter. You can select some or all of the results. When you're finished, click **Add x users**.

+ - **User tags**: User tags are identifiers for specific groups of users (for example, Priority accounts). For more information, see [User tags in Microsoft Defender for Office 365](user-tags.md).

+ Use the following options:

+ - **Search**: In  **Search by user tags**, you can type part of the user tag and then press Enter. You can select some or all of the results.

+ - Select **All user tags**

+ - Select existing user tags.

+ - **Search**: In  **Search by Department**, you can type part the Department value and then press Enter. You can select some or all of the results.

+ - **Search**: In  **Search by Title**, you can type part of the Title value and then press Enter. You can select some or all of the results.

+To determine if ZAP moved your message, you can use the [Mailflow view for the Mailflow status report](view-email-security-reports.md#mailflow-view-for-the-mailflow-status-report) or [Threat Explorer (and real-time detections)](threat-explorer.md). Note that as a system action, ZAP is not logged in the Exchange mailbox audit logs.