Updates from: 02/01/2024 05:19:45
Category Microsoft Docs article Related commit history on GitHub Change details
microsoft-365-copilot-privacy Microsoft 365 Copilot Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-privacy.md
ms.localizationpriority: medium
description: "Learn how Microsoft Copilot for Microsoft 365 uses data and how it stores and protects that data." hideEdit: true Previously updated : 01/23/2024 Last updated : 01/31/2024 # Data, Privacy, and Security for Microsoft Copilot for Microsoft 365
For Microsoft Teams chats with Copilot, admins can also use [Microsoft Teams Exp
### Deleting the history of user interactions with Microsoft Copilot for Microsoft 365
-To delete a user's history of interactions with Microsoft Copilot for Microsoft 365, which includes user prompts and the responses Copilot returns, Microsoft 365 admins can [submit an online support ticket](/microsoft-365/admin/get-help-support#online-support) in the Microsoft 365 admin center. In this ticket, admins should include their [Tenant ID](/entra/fundamentals/how-to-find-tenant) and the userΓÇÖs [Object ID](/partner-center/marketplace/find-tenant-object-id#find-user-object-id) for which they want data deleted. The ticket will mark the history for permanent, [hard-deletion](/compliance/regulatory/gdpr-dsr-Office365#deleting-personal-data). For any new requests, open a new ticket with support and avoid editing your existing requests.
+Your users can delete their Copilot interaction history, which includes their prompts and the responses Copilot returns, by going to the [My Account portal](https://myaccount.microsoft.com/). For more information, see [Delete your Microsoft Copilot interaction history](https://support.microsoft.com/office/76de8afa-5eaf-43b0-bda8-0076d6e0390f).
## Microsoft Copilot for Microsoft 365 and the EU Data Boundary
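Review bot: The replacement paragraph under "Deleting the history of user interactions" no longer says whether the deletion is permanent or whether an admin can still delete a user's history on the user's behalf. The removed text linked to hard-deletion and gave the admin support-ticket procedure; if deletion through the My Account portal is also a hard delete, say so, and if the support-ticket path is retired, state that explicitly so admins handling data subject requests know which procedure applies.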
enterprise Office 365 Network Mac Perf Nppdetails https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-nppdetails.md
+
+ Title: "Network provider details in the Microsoft 365 Admin Center (PREVIEW)"
+++ Last updated : 01/30/2024
+audience: Admin
++
+ms.localizationpriority: medium
+search.appverid:
+- MET150
+
+- scotvorg
+- Ent_O365
+- Strat_O365_Enterprise
+- must-keep
+description: "Network provider connectivity attribution in the Microsoft 365 Admin Center"
+++
+# Network provider details in the Microsoft 365 Admin Center
+
+We try to detect network provider device interference between your tenant users and Microsoft 365 services. Here are the types of device interference we can detect.
+
+Percentage refers to the percentage of media streams for Teams, and percentage of connections for Exchange and SharePoint.
+
+## SSL break and inspect test
+
+This test detects a private or unknown certificate presented by a network device to your tenant users for data path connections to Microsoft 365 services, a private certificate is typically used when the network device intends to perform break and inspect operation at the SSL or TLS layer for those connections. We may not be able to show you the detected certificate issuer names due to privacy reasons.
++
+## Incorrect destination IP address detected
+
+This indicates that the destination endpoint representing Microsoft 365 endpoints have incorrect or unfamiliar IP addresses assigned to them. Typically, this means there's an intermediate network device acting as a proxy and we'll show you the incorrect or unfamiliar IP address detected.
++
+## VPN or tunneling detected
+
+This indicates that the network taken to connect to Microsoft 365 endpoints involves a VPN or traffic tunneling. A VPN or traffic tunneling might cause backhaul of network traffic and lead to network performance issues that impacts user experience.
++
+## No device interference detected
+
+This is aligned with our connectivity principles and indicates that there was no device interference detected between your tenant users and Microsoft 365 services.
+
+## Related articles
+
+[Network connectivity in the Microsoft 365 admin center](office-365-network-mac-perf-overview.md)
+
+[Network provider program data calculations](office-365-network-mac-perf-nppdata.md)
+
+[Microsoft 365 network assessment](office-365-network-mac-perf-score.md)
+
+[Microsoft 365 network connectivity test tool](office-365-network-mac-perf-onboarding-tool.md)
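Review bot: The "SSL break and inspect test" paragraph joins two sentences with a comma ("...connections to Microsoft 365 services, a private certificate is typically used...") and should be split after "services". In the same file, "the destination endpoint representing Microsoft 365 endpoints have" should read "has", and "network performance issues that impacts user experience" should read "impact". The front-matter title carries "(PREVIEW)" while the H1 does not; use one form in both places.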
enterprise Urls And Ip Address Ranges https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/urls-and-ip-address-ranges.md
Title: "Office 365 URLs and IP address ranges"
Previously updated : 12/01/2023 Last updated : 01/30/2024 audience: Admin
Office 365 requires connectivity to the Internet. The endpoints below should be
|Notes|Download|Use| ||||
-|**Last updated:** 12/01/2023 - ![RSS.](../medi#pacfiles)|
+|**Last updated:** 01/30/2024 - ![RSS.](../medi#pacfiles)|
| Start with [Managing Office 365 endpoints](managing-office-365-endpoints.md) to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This cadence allows for customers who don't yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you're using a script or a network device to access this data, you should go to the [Web service](microsoft-365-ip-web-service.md) directly.
frontline Flw Deploy Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-deploy-overview.md
Last updated 10/10/2023
# Learn where to start with a frontline deployment
-Thanks for choosing Microsoft 365 for frontline workers. Whether you're an independent business or a large multi-national enterprise, Microsoft 365 and Teams for frontline workers can help bring your organization together with tools for communication, collaboration, and productivity. And no matter whether you're just getting into collaboration tools for the first time, or you've already been using Microsoft 365 and Teams for your non-frontline workers, we can help you get up and running.
+Thanks for choosing Microsoft 365 for frontline workers. Whether you're an independent business or a large multi-national enterprise, Microsoft 365 and Teams for frontline workers can help bring your organization together with tools for communication, collaboration, and productivity. And no matter whether you're just getting into collaboration tools for the first time, or you're already using Microsoft 365 and Teams for your non-frontline workers, we can help you get up and running.
|Article |Description | |-|-| |[Start with a pilot deployment of Microsoft 365 for frontline workers](flw-pilot.md)|Before you commit to a full rollout of Microsoft 365 for frontline workers across your organization, it's a good idea to try it out first with a small set of real people in your organization. |
-|[Set up Microsoft 365 for frontline workers](flw-setup-microsoft-365.md)|Follow this setup path if you're an IT pro or responsible for planning, or deploying Teams for Frontline Workers. It walks through preparing your environment, setting up the core of Microsoft 365, and then setting up the services you need for your scenarios. |
-|Deploy Teams at scale for your frontline workers |After you've set up Microsoft 365 and assigned licenses to your users, you can use the Teams admin center or PowerShell to create and manage Teams for your whole frontline workforce. <ul><li>[Deploy frontline dynamic teams at scale](deploy-dynamic-teams-at-scale.md)</li><li>[Deploy frontline static teams at scale with PowerShell](deploy-teams-at-scale.md)</li></ul>|
+|[Set up Microsoft 365 for frontline workers](flw-setup-microsoft-365.md)|Follow this setup path if you're an IT Pro or responsible for planning, or deploying Teams for frontline workers. It walks through preparing your environment, setting up the core of Microsoft 365, and then setting up the services you need for your scenarios. |
+|Deploy Teams at scale for your frontline workers |After you set up Microsoft 365 and assigned licenses to your users, you can use the Teams admin center or PowerShell to create and manage teams for your whole frontline workforce. <ul><li>[Deploy frontline dynamic teams at scale](deploy-dynamic-teams-at-scale.md)</li><li>[Deploy frontline static teams at scale with PowerShell](deploy-teams-at-scale.md)</li></ul>|
-After you've set up Microsoft 365, Microsoft Teams, and any services you need, you can configure Teams and the apps in Teams to support your scenarios. Each of the paths walks you through the whole process, from initial setup to a configured team with the apps that your frontline workforce need to start working.
+After you set up Microsoft 365, Teams, and any services you need, you can configure Teams and the apps in Teams to support your scenarios. Each of the paths walks you through the process, from initial setup to configured teams with the apps that your frontline workforce need to start working.
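Review bot: In the "Deploy Teams at scale" table row, "After you set up Microsoft 365 and assigned licenses to your users" mixes tenses now that "you've" is dropped; use "After you set up Microsoft 365 and assign licenses to your users". The row above it changes "IT pro" to "IT Pro" but keeps the stray comma in "responsible for planning, or deploying", which could be removed in the same pass.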
frontline Flw Scenario Posters https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-scenario-posters.md
- m365solution-frontline - m365solution-scenario - contentengagementFY23- appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 10/28/2022 Last updated : 01/31/2024
Last updated 10/28/2022
Use these scenario overviews to start envisioning what your organization can do with Microsoft 365 for frontline workers. You can download these posters in PDF or Visio format and customize them for your organization.
-To learn more about how Microsoft 365 can help your frontline workers, see [Choose your scenarios for Microsoft 365 for frontline workers](flw-choose-scenarios.md). To learn more about planning and implementing scenarios, see [Technical planning guide for deploying frontline solutions (white paper)](flw-technical-planning-guide-deployment.md).
+To learn more about how Microsoft 365 can help your frontline workers, see [Choose your scenarios for Microsoft 365 for frontline workers](flw-choose-scenarios.md).
## Scenarios for frontline workers | Item | Description | |:--|:--|
-|[![Microsoft 365 for frontline worker scenarios.](media/m365-frontline-scenarios-thumb.png)](https://go.microsoft.com/fwlink/?linkid=2206713) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206713) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206386) <br>Updated September 2022 |This poster provides an overview of the scenarios you can implement for your frontline workforce to increase communications, enhance wellbeing and engagement, train and onboard your workers, and manage your workforce and operations.|
+|[![Microsoft 365 for frontline worker scenarios.](media/m365-frontline-scenarios-thumb.png)](https://go.microsoft.com/fwlink/?linkid=2206713) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206713) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206386) <br>Updated January 2024 |This poster provides an overview of the scenarios you can implement for your frontline workforce to increase communications, enhance wellbeing and engagement, train and onboard your workers, and manage your workforce and operations.|
## Scenarios for healthcare organizations
Use the following poster to start envisioning what your organization can do with
| Item | Description | |:--|:--|
-|[![Microsoft 365 for frontline workers: Healthcare scenarios.](media/m365-frontline-healthcare-thumb.png)](https://go.microsoft.com/fwlink/?linkid=2206475) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206475) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206474) <br>Updated September 2022 |This poster provides an overview of the scenarios you can implement for your frontline workforce in a healthcare setting.|
+|[![Microsoft 365 for frontline workers: Healthcare scenarios.](media/m365-frontline-healthcare-thumb.png)](https://go.microsoft.com/fwlink/?linkid=2206475) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206475) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206474) <br>Updated January 2024 |This poster provides an overview of the scenarios you can implement for your frontline workforce in a healthcare setting.|
## Scenarios for retail organizations
Use the following poster to start envisioning what your organization can do with
| Item | Description | |:--|:--|
-|[![Microsoft 365 for frontline workers: Retail scenarios.](media/m365-frontline-retail-thumb.png)](https://go.microsoft.com/fwlink/?linkid=2206476) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206476) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206271) <br>Updated September 2022 |This poster provides an overview of the scenarios you can implement for your frontline workforce in a retail setting.|
+|[![Microsoft 365 for frontline workers: Retail scenarios.](media/m365-frontline-retail-thumb.png)](https://go.microsoft.com/fwlink/?linkid=2206476) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206476) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206271) <br>Updated January 2024 |This poster provides an overview of the scenarios you can implement for your frontline workforce in a retail setting.|
## See also
frontline Flw Team Collaboration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-team-collaboration.md
searchScope:
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 1/17/2024 Last updated : 01/17/2024 # Frontline team collaboration
frontline Hc Delegates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/hc-delegates.md
appliesto:
- Microsoft 365 for frontline workers description: Learn how a user with Away status or Do not disturb status can set another user as a delegate in their Teams status message. Previously updated : 1/17/2024 Last updated : 01/17/2024 # Use a Teams status message to assign a delegate
frontline Messaging Policies Hc https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/messaging-policies-hc.md
appliesto:
description: Learn how to customize a messaging policy for Microsoft Teams that can include read receipts and priority notifications. Previously updated : 1/17/2024 Last updated : 01/17/2024 # Messaging policies for healthcare organizations
security Get All Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-all-vulnerabilities.md
Here is an example of the response.
"exploitVerified": false, "exploitInKit": false, "exploitTypes": [],
- "exploitUris": []
+ "exploitUris": [],
+ "CveSupportability": "supported"
}
- ...
] }
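Review bot: The added "CveSupportability": "supported" line in the sample response is the only PascalCase key among camelCase siblings ("exploitVerified", "exploitInKit", "exploitUris"), and its lowercase value does not match the values listed for this property in vulnerability.md (**Supported**, **Not Supported**, **SupportedInPremium**). Confirm the exact key and value casing the API returns and use it in both articles, since clients that parse this JSON match on the literal strings.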
security Vulnerability https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/vulnerability.md
Last updated 12/18/2020
[!INCLUDE [Microsoft Defender XDR rebranding](../../../includes/microsoft-defender.md)] - **Applies to:**+ - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)
Last updated 12/18/2020
Method|Return Type|Description :|:|: [Get all vulnerabilities](get-all-vulnerabilities.md)|Vulnerability collection|Retrieves a list of all the vulnerabilities affecting the organization
-[Get vulnerability by Id](get-vulnerability-by-id.md)|Vulnerability|Retrieves vulnerability information by its ID
-[List devices by vulnerability](get-machines-by-vulnerability.md)|MachineRef collection|Retrieve a list of devices that are associated with the vulnerability ID
+[Get vulnerability by Id](get-vulnerability-by-id.md)|Vulnerability|Retrieves vulnerability information by its Id
+[List devices by vulnerability](get-machines-by-vulnerability.md)|MachineRef collection|Retrieve a list of devices that are associated with the vulnerability Id
[List vulnerabilities by machine and software](get-all-vulnerabilities-by-machines.md)|Vulnerability|Retrieves a list of all the vulnerabilities affecting the organization per machine and software. ## Properties Property|Type|Description :|:|:
-id|String|Vulnerability ID
+Id|String|Vulnerability Id
Name|String|Vulnerability title Description|String|Vulnerability description
-Severity|String|Vulnerability Severity. Possible values are: "Low", "Medium", "High", "Critical"
+Severity|String|Vulnerability Severity. Possible values are: **Low**, **Medium**, **High**, or **Critical**
cvssV3|Double|CVSS v3 score
+cvssVector|String| A compressed textual representation that reflects the values used to derive the score
exposedMachines|Long|Number of exposed devices publishedOn|DateTime|Date when vulnerability was published updatedOn|DateTime|Date when vulnerability was updated publicExploit|Boolean|Public exploit exists exploitVerified|Boolean|Exploit is verified to work exploitInKit|Boolean|Exploit is part of an exploit kit
-exploitTypes|String collection|Exploit impact. Possible values are: "Local privilege escalation", "Denial of service", "Local"
+exploitTypes|String collection|Exploit affect. Possible values are: **Local privilege escalation**, **Denial of service**, or **Local**
exploitUris|String collection|Exploit source URLs
+CveSupportability| String collection| Possible values are: **Supported**, **Not Supported**, or **SupportedInPremium**
+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../../includes/defender-mde-techcommunity.md)]
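Review bot: The exploitTypes row changes "Exploit impact" to "Exploit affect", which is the wrong word; keep "Exploit impact". The new CveSupportability row declares the type as "String collection", but the sample response in get-all-vulnerabilities.md shows a single string ("CveSupportability": "supported"), so the type should be String unless the sample is wrong, and the row gives possible values without saying what the property means. The id row is also renamed to "Id" while cvssV3, exposedMachines and the other properties keep a lowercase first letter; if this is meant to reflect the JSON key, verify it against an actual response.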
security Basic Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/basic-permissions.md
ms.localizationpriority: medium
- - has-azure-ad-ps-ref
+ - has-azure-ad-ps-ref, azure-ad-ref-level-one-done
audience: ITPro
- tier2 search.appverid: met150 Previously updated : 12/18/2020 Last updated : 01/18/2024 # Use basic permissions to access the portal
Refer to the instructions below to use basic permissions management.
You can use either of the following solutions: -- Azure PowerShell
+- Microsoft Graph PowerShell
- Azure portal For granular control over permissions, [switch to role-based access control](rbac.md).
-## Assign user access using Azure PowerShell
+## Assign user access using Microsoft Graph PowerShell
You can assign users with one of the following levels of permissions:
You can assign users with one of the following levels of permissions:
### Before you begin -- Install Azure PowerShell. For more information, see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
+- Install Microsoft Graph PowerShell. For more information, see, [How to install Microsoft Graph PowerShell](/powershell/microsoftgraph/installation).
> [!NOTE] > You need to run the PowerShell cmdlets in an elevated command-line. -- Connect to your Microsoft Entra ID. For more information, see [Connect-MsolService](/powershell/module/msonline/connect-msolservice).
+- Connect to your Microsoft Entra ID. For more information, see [Connect-MgGraph](/powershell/microsoftgraph/authentication-commands).
- **Full access**: Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. Assigning full access rights requires adding the users to the "Security Administrator" or "Global Administrator" Microsoft Entra built-in roles. - **Read-only access**: Users with read-only access can log in, view all alerts, and related information.
Use the following steps to assign security roles:
- For **read and write** access, assign users to the security administrator role by using the following command: ```PowerShell
- Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
+ $Role = Get-MgDirectoryRole -Filter "DisplayName eq 'Security Administrator'"
+ $UserId = (Get-MgUser -UserId "secadmin@Contoso.onmicrosoft.com").Id
+
+ $DirObject = @{
+ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$UserId"
+ }
+
+ New-MgDirectoryRoleMemberByRef -DirectoryRoleId $Role.Id -BodyParameter $DirObject
``` - For **read-only** access, assign users to the security reader role by using the following command: ```PowerShell
- Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com"
+ $Role = Get-MgDirectoryRole -Filter "DisplayName eq 'Security Reader'"
+ $UserId = (Get-MgUser -UserId "reader@Contoso.onmicrosoft.com").Id
+
+ $DirObject = @{
+ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$UserId"
+ }
+
+ New-MgDirectoryRoleMemberByRef -DirectoryRoleId $Role.Id -BodyParameter $DirObject
``` For more information, see [Add or remove group members using Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal).
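Review bot: Both new snippets pass $Role.Id to New-MgDirectoryRoleMemberByRef without checking that Get-MgDirectoryRole returned a role. Get-MgDirectoryRole lists only the directory roles that have been activated in the tenant, so where Security Administrator or Security Reader has never been activated, $Role is empty and the last line fails on an empty -DirectoryRoleId; add a sentence or a check covering that case. The "Before you begin" bullet links to Connect-MgGraph but does not name the scope the assignment needs (RoleManagement.ReadWrite.Directory), so a reader who connects with default scopes gets an authorization error at the final step.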
security Threat Protection Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-reports.md
- tier2 search.appverid: met150 Previously updated : 11/29/2023 Last updated : 1/31/2024 # Threat protection report in Microsoft Defender for Endpoint
Last updated 11/29/2023
- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) > [!IMPORTANT]
-> The Microsoft Defender for Endpoint Threat Protection report page is deprecated and will no longer be available after January 31st, 2024. Microsoft recommends that you transition to either the Defender XDR Incidents page or Advanced hunting to understand endpoint threat protection details. See the following sections for more information.
+> The Microsoft Defender for Endpoint Threat Protection report page is now deprecated and is no longer available. Microsoft recommends that you transition to either the Defender XDR alerts or advanced hunting to understand endpoint threat protection details. See the following sections for more information.
-## Use the Alert queue filter in Defender XDR
-Due to the deprecation of the Defender for Endpoint Threat protection report, you can use the Defender XDR Incidents view, filtered against Defender for Endpoint, to see the current status of alerts for protected devices. For alert status, such as unresolved, you can filter against New and In progress. [Learn more about Defender XDR Incidents](../defender/incident-queue.md#available-filters)
+## Use the alert queue filter in Defender XDR
+Due to the deprecation of the Defender for Endpoint Threat protection report, you can use the Defender XDR alerts view, filtered against Defender for Endpoint, to see the current status of alerts for protected devices. For alert status, such as *unresolved*, you can filter against *New* and *In progress* items. [Learn more about Defender XDR Alerts](../defender/investigate-alerts.md).
## Use Advanced hunting queries Due to the deprecation of the Defender for Endpoint Threat protection report, you can use Advanced hunting queries to find Defender for Endpoint threat protection information. Note that currently there is no alert status in Advanced hunting elements that maps to resolve/unresolve. [Learn more about Advanced hunting in Defender XDR](../defender/advanced-hunting-overview.md). See below for a sample advanced hunting query that shows endpoint related threat protection details.
AlertInfo
| render timechart ```
-## Threat protection reports overview
-
-The threat protection report provides high-level information about alerts generated in your organization. The report includes trending information showing the detection sources, categories, severities, statuses, classifications, and determinations of alerts across time.
-
-The dashboard is structured into two sections:
--
-Section|Description
-|
-1|Alerts trends
-2|Alert summary
-
-## Alert trends
-By default, the alert trends display alert information from the 30-day period ending in the latest full day. To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, select a time range from the drop-down options:
--- 30 days-- 3 months-- 6 months-- Custom-
-> [!NOTE]
-> These filters are only applied on the alert trends section. It doesn't affect the alert summary section.
-
-## Alert summary
-
-While the alert trends shows trending alert information, the alert summary shows alert information scoped to the current day.
-
- The alert summary allows you to drill down to a particular alert queue with the corresponding filter applied to it. For example, clicking on the EDR bar in the Detection sources card will bring you the alerts queue with results showing only alerts generated from EDR detections.
-
-> [!NOTE]
-> The data reflected in the summary section is scoped to 180 days prior to the current date. For example if today's date is November 5, 2019, the data on the summary section will reflect numbers starting from May 5, 2019 to November 5, 2019.
->
-> The filter applied on the trends section is not applied on the summary section.
-
-## Alert attributes
-
-The report is made up of cards that display the following alert attributes:
--- **Detection sources**: shows information about the sensors and detection technologies that provide the data used by Microsoft Defender for Endpoint to trigger alerts.-- **Threat categories**: shows the types of threat or attack activity that triggered alerts, indicating possible focus areas for your security operations.-- **Severity**: shows the severity level of alerts, indicating the collective potential impact of threats to your organization and the level of response needed to address them.-- **Status**: shows the resolution status of alerts, indicating the efficiency of your manual alert responses and of automated remediation (if enabled).-- **Classification & determination**: shows how you have classified alerts upon resolution, whether you have classified them as actual threats (true alerts) or as incorrect detections (false alerts). These cards also show the determination of resolved alerts, providing additional insight like the types of actual threats found or the legitimate activities that were incorrectly detected.-
-## Filter data
-
-Use the provided filters to include or exclude alerts with certain attributes.
-
-> [!NOTE]
-> These filters apply to **all** the cards in the report.
-
-For example, to show data about high-severity alerts only:
-
-1. Under **Incidents & alerts** \> **Alerts** \> **Filters > Severity**, select **High**.
-2. Ensure that all other options under **Severity** are deselected.
-3. Select **Apply**.
-
-## Related topic
+## Related topics
- [Device health and compliance report](device-health-reports.md) [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
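Review bot: The rewritten "Use the alert queue filter in Defender XDR" paragraph tells readers to filter by Defender for Endpoint and by status, but its link changes from incident-queue.md#available-filters to investigate-alerts.md with no anchor, and the removed "Filter data" section held the only step-by-step filter path (**Incidents & alerts** > **Alerts** > **Filters**). Link to the filter section of the alerts article or keep a one-line path in this paragraph. In the IMPORTANT note, "either the Defender XDR alerts or advanced hunting" is missing a noun such as "alerts view", and the unchanged heading "Use Advanced hunting queries" now disagrees with the lowercase "advanced hunting" introduced above it.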
security Tvm Weaknesses Security Advisories https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-weaknesses-security-advisories.md
+
+ Title: Security advisories
+description: Lists the firmware security advisories for devices in your organization. Discovered by the Microsoft Defender vulnerability management capabilities.
+++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security
+ - Tier1
+
+search.appverid: met150
Last updated : 01/25/2024++
+# Security advisories
+
+Security advisories provide an efficient way to view, track, and monitor firmware advisories for affected devices. You can filter on exposed devices and view advisories that affect specific devices. By monitoring these advisories, security teams can take action more quickly to prevent attackers from targeting firmware vulnerabilities.
+
+> [!NOTE]
+> This capability is currently available in public preview and may be substantially modified before it's commercially released.
+
+**Applies to:**
+
+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
+
+> [!NOTE]
+> To use this feature you'll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
+
+> [!TIP]
+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).
+
+To view firmware security advisories:
+
+1. Select **Weaknesses** from the **Vulnerability management** navigation menu in the [Microsoft Defender portal](https://security.microsoft.com)
+2. Select the **Security advisories** tab.
++
+Security advisories include information about specific version of affected devices or software in your organization that are affected and, if available, instructions for how to update the firmware to address the vulnerability.
+
+> [!NOTE]
+> Security Advisories are available for the following vendors: Lenovo, Dell, HP.
+
+For each published advisory, you can see the following information:
+
+- Advisory ID
+- Severity (provided by the vendor)
+- Related CVEs
+- Advisory link
+- Vendor
+- Age
+- Published on
+- Updated on
+- Exposed devices
+
+## Related articles
+
+- [Security recommendations](tvm-security-recommendation.md)
+- [Weaknesses](tvm-weaknesses.md)
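Review bot: The sentence after the numbered steps reads "information about specific version of affected devices or software in your organization that are affected", which repeats "affected" and needs the plural; suggest "information about the specific versions of devices or software in your organization that are affected". Step 1 is missing its closing period, the vendor NOTE capitalizes "Security Advisories" unlike the rest of the article, and the introduction describes firmware advisories while this sentence also mentions software, so state which scope is intended.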
security Tvm Weaknesses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-weaknesses.md
- Tier1 search.appverid: met150 Previously updated : 03/04/2022 Last updated : 01/09/2024 # Vulnerabilities in my organization
+The [Weaknesses page](https://security.microsoft.com/vulnerabilities/cves) in Microsoft Defender Vulnerability Management lists known Common Vulnerabilities and Exposures (CVE) by their CVE ID.
+
+CVE IDs are unique IDs assigned to publicly disclosed cybersecurity vulnerabilities that affect software, hardware and firmware. They provide organizations with a standard way to identify and track vulnerabilities, and helps them understand, prioritize, and address these vulnerabilities in their organization. CVEs are tracked in a public registry accessed from [https://www.cve.org/](https://www.cve.org/).
+
+Defender Vulnerability Management uses endpoint sensors to scan and detect for these and other vulnerabilities in an organization.
+ **Applies to:** - [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)
Last updated 03/04/2022
> [!IMPORTANT] > Defender Vulnerability Management can help identify Log4j vulnerabilities in applications and components. [Learn more](../defender-endpoint/tvm-manage-Log4shell-guidance.md).
-Microsoft Defender Vulnerability Management uses the same signals in Defender for Endpoint's endpoint protection to scan and detect vulnerabilities.
-
-The **Weaknesses** page lists the software vulnerabilities your devices are exposed to by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more.
-
-> [!NOTE]
-> If there is no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by Microsoft Defender Vulnerability Management, formerly known as threat and vulnerability management.
- > [!TIP] > Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).
-## Navigate to the Weaknesses page
-
-Access the Weaknesses page a few different ways:
+## Weaknesses overview page
-### Navigation menu
+To access the Weaknesses page, select **Weaknesses** from the **Vulnerability management** navigation menu in the [Microsoft Defender portal](https://security.microsoft.com)
-- Select **Weaknesses** from the **Vulnerability management** navigation menu in the [Microsoft Defender portal](https://security.microsoft.com) to open the list of CVEs.
+The Weaknesses page opens with a list of the CVEs your devices are exposed to. You can view the severity, Common Vulnerability Scoring System (CVSS) rating, corresponding breach and threat insights, and more.
-### Vulnerabilities in global search
+ :::image type="content" source="../../media/defender-vulnerability-management/tvm-weaknesses-overviewnew.png" alt-text="Screenshot of the weaknesses landing page" lightbox="../../media/defender-vulnerability-management/tvm-weaknesses-overviewnew.png":::
-1. Go to the global search drop-down menu.
-2. Select **Vulnerability** and key in the Common Vulnerabilities and Exposures (CVE) ID that you're looking for, for example "CVE-2018-5568", then select the search icon. The **Weaknesses** page opens with the CVE information that you're looking for.
-3. Select the CVE to open a flyout panel with more information, including the vulnerability description, details, threat insights, and exposed devices.
-
-To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then select search.
-
-## Weaknesses overview
-
-The Weaknesses page lists the software vulnerabilities your devices are exposed to by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more.
-
-Remediate the vulnerabilities in exposed devices to reduce the risk to your assets and organization. If the **Exposed Devices** column shows 0, that means you aren't at risk.
-
- :::image type="content" source="../../media/defender-vulnerability-management/tvm-weaknesses-overview.png" alt-text="Screenshot of the weaknesses landing page" lightbox="../../media/defender-vulnerability-management/tvm-weaknesses-overview.png":::
+> [!NOTE]
+> If there is no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by Microsoft Defender Vulnerability Management and will be the format **TVM-2020-002**.
> [!NOTE]
-> The maximum number of records you can export from the weaknesses page to a CSV file is 10,000.
+> The maximum number of records you can export from the weaknesses page to a CSV file is 10,000.
### Breach and threat insights
-View any related breach and threat insights in the **Threats** column when the icons are colored red.
+It's important to prioritize recommendations that are associated with ongoing threats. You can use the information available in the **Threats** column to help you prioritize vulnerabilities. To see vulnerabilities with ongoing threats, filter the **Threats** column by:
- > [!NOTE]
- > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon ![Simple drawing of a red bug.](../../media/defender-vulnerability-management/tvm_bug_icon.png) and breach insight icon ![Simple drawing of an arrow hitting a target.](../../media/defender-vulnerability-management/tvm_alert_icon.png).
+- Associated active alert
+- Exploit is available
+- Exploit is Verified
+- This exploit is part of an exploit kit
-The breach insights icon is highlighted if there's a vulnerability found in your organization.
-![Example of a breach insights text that could show up when hovering over icon. This one says "possible active alert is associated with this recommendation.](../../media/defender-vulnerability-management/tvm-breach-insights.png)
-
-The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. Hovering over the icon shows whether the threat is a part of an exploit kit, or connected to specific advanced persistent campaigns or activity groups. When available, there's a link to a Threat Analytics report with zero-day exploitation news, disclosures, or related security advisories.
-
-![Threat insights text that that could show up when hovering over icon. This one has multiple bullet points and linked text.](../../media/defender-vulnerability-management/tvm-threat-insights.png)
+The threat insights icon ![Simple drawing of a red bug.](../../media/defender-vulnerability-management/tvm_bug_icon.png) is highlighted in the **Threats** column if there are associated exploits in a vulnerability.
-### Security advisory
+ :::image type="content" source="../../media/defender-vulnerability-management/weaknesses-threats.png" alt-text="Screenshot of the threats column icons" lightbox="../../media/defender-vulnerability-management/weaknesses-threats.png":::
-Security advisories provide an efficient way to view, track, and monitor firmware advisories for affected devices. You can filter on exposed devices and view advisories that affect specific devices. By monitoring these advisories, security teams can take action more quickly to prevent attackers from targeting firmware vulnerabilities.
+Hovering over the icon shows whether the threat is a part of an exploit kit or connected to specific advanced persistent campaigns or activity groups. When available, there's a link to a Threat Analytics report with zero-day exploitation news, disclosures, or related security advisories.
-> [!NOTE]
-> To use this feature you'll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
-
-> [!NOTE]
-> This capability is currently available in public preview and may be substantially modified before it's commercially released.
+![Threat insights text that that could show up when hovering over icon. This one has multiple bullet points and linked text.](../../media/defender-vulnerability-management/tvm-threat-insights.png)
-To view firmware security advisories, click **Security advisories** tab.
+The breach insights icon is highlighted if there's a vulnerability found in your organization. ![Simple drawing of an arrow hitting a target.](../../media/defender-vulnerability-management/tvm_alert_icon.png).
+![Example of a breach insights text that could show up when hovering over icon. This one says "possible active alert is associated with this recommendation.](../../media/defender-vulnerability-management/tvm-breach-insights.png)
-Security advisories include information about specific version of affected devices or software in your organization that are affected and, if available, instructions for how to update the firmware to address the vulnerability.
+The **Exposed Devices** column shows how many devices are currently exposed to a vulnerability. If the column shows 0, that means you aren't at risk.
-> [!NOTE]
-> Security Advisories are available for the following vendors: Lenovo, Dell, HP.
+## Gain vulnerability insights
-For each published advisory, you can see the following information:
+If you select a CVE from the weaknesses page, a flyout panel opens with more information such as the vulnerability description, details and threat insights. The AI generated vulnerability description provides detailed information on the vulnerability, its impact, recommended remediation steps, and any additional information, if available.
-- Advisory ID-- Severity (provided by the vendor)-- Related CVEs-- Advisory link-- Vendor-- Age-- Published on-- Updated on-- Exposed devices
+ :::image type="content" source="../../media/defender-vulnerability-management/weaknesses-cve-description.png" alt-text="Screenshot of the weaknesses weaknesses-flyout pane" lightbox="../../media/defender-vulnerability-management/weaknesses-cve-description.png":::
-### Gain vulnerability insights
+For each CVE, you can see a list of the exposed devices and the affected software.
-If you select a CVE, a flyout panel will open with more information such as the vulnerability description, details and threat insights. For each CVE, you can see a list of the exposed devices and the software affected.
+## Related security recommendations
-When a security recommendation is available you can select **Go to the related security recommendation** for details on how to remediate the vulnerability.
+Use security recommendations to remediate the vulnerabilities in exposed devices and to reduce the risk to your assets and organization. When a security recommendation is available, you can select **Go to the related security recommendation** for details on how to remediate the vulnerability.
:::image type="content" alt-text="Weakness flyout example." source="../../media/defender-vulnerability-management/weaknesses-cve-vulntab.png" lightbox="../../media/defender-vulnerability-management/weaknesses-cve-vulntab.png"::: Recommendations for a CVE are often to remediate the vulnerability through a security update for the related software. However, Some CVEs won't have a security update available. This might apply to all the related software for a CVE or just a subset, for example, a software vendor might decide not to fix the issue on a particular vulnerable version.
-When a security update is only available for some of the related software, the CVE will have the tag 'Some updates available'. Once there is at least one update available, you'll have the option to go to the related security recommendation.
-
+When a security update is only available for some of the related software, the CVE will have the tag 'Some updates available' under the CVE name. Once there is at least one update available, you have the option to go to the related security recommendation.
-If there is no security update available, the CVE will have the tag 'No security update'. There will be no option to go to the related security recommendation as software that doesn't have a security update available is excluded from the Security recommendations page.
+If there's no security update available, the CVE will have the tag 'No security update' under the CVE name. There will be no option to go to the related security recommendation as software that doesn't have a security update available is excluded from the Security recommendations page.
> [!NOTE] > Security recommendations only include devices and software packages that have security updates available.
-The information on security update availability is also visible in the _Update availability_ column on the **Exposed devices** and **Related software** tabs.
+## Request CVE support
+A CVE for software that isn't currently supported by vulnerability management still appears in the Weaknesses page. Because the software is not supported, only limited data will be available. Exposed device information will not be available for CVEs with unsupported software.
-### Software that isn't supported
+To view a list of unsupported software, filter the weaknesses page by the "Not available" option in the "Exposed devices" section.
-A CVE for software that isn't currently supported by vulnerability management still appears in the Weaknesses page. Because the software is not supported, only limited data will be available.
+You can request for support to be added to Defender Vulnerability Management for a particular CVE. To request support:
-Exposed device information will not be available for CVEs with unsupported software. Filter by unsupported software by selecting the "Not available" option in the "Exposed devices" section.
+1. Select the CVE from the [Weaknesses](https://security.microsoft.com/vulnerabilities/cves) page in the Microsoft Defender portal
+2. Select **Please support this CVE** from the Vulnerability details tab
+This request will be sent to Microsoft and will assist us in prioritizing this CVE among others in our system.
+ ## View Common Vulnerabilities and Exposures (CVE) entries in other places
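Review bot: The added breach insights sentence places the icon image after the full stop and then adds a second one ("...found in your organization. ![Simple drawing of an arrow hitting a target.](...)."), so the rendered page shows a detached icon followed by a lone period; put the image inline after "The breach insights icon", the way the added threat insights sentence does. In the new note on vulnerabilities without a CVE-ID, "will be the format **TVM-2020-002**" should read "uses a format such as **TVM-2020-002**", since that value is an example and not a pattern. The filter list mixes "Exploit is available" with "Exploit is Verified"; make the casing consistent or confirm it matches the portal labels. The new alt text "Screenshot of the weaknesses weaknesses-flyout pane" repeats a word, and the "To access the Weaknesses page" sentence and both steps under "Request CVE support" lack closing periods. The hunk also drops the global search procedure and the sentence about the _Update availability_ column without a replacement; confirm both removals are intended.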
Exposed device information will not be available for CVEs with unsupported softw
2. Select the software you want to investigate. 3. Select the **Discovered vulnerabilities** tab.
-4. Select the vulnerability you want to investigate for more information on the vulnerability details.
+4. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details.
### Discover vulnerabilities in the device page View related weaknesses information in the device page.
-1. Select **Device inventory** from the **Assets** navigation menu in the [Microsoft Defender portal](https://security.microsoft.com).
+1. Select **Devices** from the **Assets** navigation menu in the [Microsoft Defender portal](https://security.microsoft.com).
2. In the **Device inventory** page, select the device name that you want to investigate.
-3. Select **Discovered vulnerabilities** from the device page.
-
- :::image type="content" alt-text="Device page with details and response options." source="../../media/defender-vulnerability-management/tvm-discovered-vulnerabilities-secupdate.png" lightbox="../../media/defender-vulnerability-management/tvm-discovered-vulnerabilities-secupdate.png":::
-
-4. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as, vulnerability description, threat insights, and detection logic.
+3. Select **Open device page** and select **Discovered vulnerabilities** from the device page.
+4. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details.
#### CVE Detection logic
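Review bot: The new step 3 chains two actions in one sentence ("Select **Open device page** and select **Discovered vulnerabilities** from the device page.") without saying where **Open device page** appears after the device name is selected in step 2; split it into two steps or name the pane that holds the button. Step 1 now says **Devices** while the unchanged step 2 still refers to the **Device inventory** page, so confirm the menu label and the page title really differ. The new step 4 drops "vulnerability description, threat insights, and detection logic", although the "CVE Detection logic" section that follows depends on the flyout containing that section.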
Similar to the software evidence, we show the detection logic we applied on a de
To see the detection logic: 1. Select a device from the Device inventory page.
-2. Select **Discovered vulnerabilities** from the device page.
+2. Select **Open device page** and select **Discovered vulnerabilities** from the device page.
3. Select the vulnerability you want to investigate. A flyout will open and the **Detection logic** section shows the detection logic and source.
security Automatic Attack Disruption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/automatic-attack-disruption.md
Last updated 05/31/2023
- Microsoft Defender XDR
-Using the power of XDR, Microsoft Defender XDR correlates millions of individual signals to identify active ransomware campaigns or other sophisticated attacks in the environment with high confidence. While an attack is in progress, Microsoft Defender XDR disrupts the attack by automatically containing compromised assets that the attacker is using through automatic attack disruption.
+Microsoft Defender XDR correlates millions of individual signals to identify active ransomware campaigns or other sophisticated attacks in the environment with high confidence. While an attack is in progress, Defender XDR disrupts the attack by automatically containing compromised assets that the attacker is using through automatic attack disruption.
-Automatic attack disruption limits lateral movement early on and reduces the overall impact of an attack, from associated costs to loss of productivity. At the same time, it leaves the SOC team in complete control of investigating, remediating, and bringing assets back online.
+Automatic attack disruption limits lateral movement early on and reduces the overall impact of an attack, from associated costs to loss of productivity. At the same time, it leaves security operations teams in complete control of investigating, remediating, and bringing assets back online.
-This article provides an overview of automated attack disruption and includes links to the next steps and additional resources.
-
-> [!NOTE]
-> Automatic attack disruption is currently not available for US Government customers using GCC and GCC High.
+This article provides an overview of automated attack disruption and includes links to the next steps and other resources.
## How automatic attack disruption works
-Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization's assets, and provide more time for the SOC to remediate the attack fully. Unlike known protection methods such as prevention and blocking based on a single indicator of compromise, the attack disruption in Microsoft Defender XDR leverages the full breadth of our XDR signal to act at the incident level, taking the entire attack into account.
+Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization's assets, and provide more time for security teams to remediate the attack fully. Attack disruption in uses the the full breadth of our extended detection and response (XDR) signals, taking the entire attack into account to act at the incident level. This capability is unlike known protection methods such as prevention and blocking based on a single indicator of compromise.
-While many XDR and SOAR solutions allow you to create your automatic response actions, the key difference to Microsoft Defender XDR's automatic attack disruption is that it is built-in and uses insights from our security researchers and advanced AI models to counteract the complexities of advanced attacks. It considers the entire context of signals from different sources to determine compromised assets.
+While many XDR and security orchestration, automation, and response (SOAR) platforms allow you to create your automatic response actions, automatic attack disruption is built-in and uses insights from Microsoft security researchers and advanced AI models to counteract the complexities of advanced attacks. Automatic attack disruption considers the entire context of signals from different sources to determine compromised assets.
Automatic attack disruption operates in three key stages: -- It uses Microsoft Defender XDR's XDR ability to correlate signals from many different sources into a single, high-confidence incident through insights from endpoints, identities, email and collaboration tools, as well as SaaS apps.
+- It uses Defender XDR's ability to correlate signals from many different sources into a single, high-confidence incident through insights from endpoints, identities, email and collaboration tools, and SaaS apps.
- It identifies assets controlled by the attacker and used to spread the attack. - It automatically takes response actions across relevant Microsoft Defender products to contain the attack in real-time by isolating affected assets.
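Review bot: The rewritten sentence under "How automatic attack disruption works" is broken: "Attack disruption in uses the the full breadth of our extended detection and response (XDR) signals" has no product name after "in" and a doubled "the"; restore the name the removed line had ("the attack disruption in Microsoft Defender XDR") and drop the extra "the". The hunk also deletes the note that automatic attack disruption is not available for US Government customers using GCC and GCC High; if the restriction still holds the note needs to stay, and if it was lifted that is worth stating in the commit description.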
This game-changing capability limits a threat actor's progress early on and dram
## Establishing high confidence when taking automatic action
-We understand that taking automatic action sometimes comes with hesitation from security teams, given the potential impact it can have on an organization. Therefore, the automatic attack disruption capabilities in Microsoft Defender XDR are designed to rely on high-fidelity signals. In addition to XDR capabilities that correlate incidents with millions of Defender product signals across email, identity, applications, documents, devices, networks, and files. Insights from the continuous investigation of thousands of incidents by Microsoft's security research team ensure that automatic attack disruption maintains a high signal-to-noise ratio (SNR).
+We understand that taking automatic action sometimes comes with hesitation from security teams, given the potential impact it can have on an organization. Therefore, the automatic attack disruption capabilities in Defender XDR are designed to rely on high-fidelity signals. It also uses Defender XDR's incident correlation with millions of Defender product signals across email, identity, applications, documents, devices, networks, and files. Insights from the continuous investigation of thousands of incidents by Microsoft's security research team ensure that automatic attack disruption maintains a high signal-to-noise ratio (SNR).
Investigations are integral to monitoring our signals and the attack threat landscape to ensure high quality and accurate protection.
Investigations are integral to monitoring our signals and the attack threat land
## Automated response actions
-In automatic attack disruption, we leverage Microsoft-based XDR response actions. Examples of these actions are:
+Automatic attack disruption uses Microsoft-based XDR response actions. Examples of these actions are:
- [Device contain](/microsoft-365/security/defender-endpoint/respond-machine-alerts#contain-devices-from-the-network) - based on Microsoft Defender for Endpoint's capability, this action is an automatic containment of a suspicious device to block any incoming/outgoing communication with the said device. - [Disable user](/defender-for-identity/remediation-actions) - based on Microsoft Defender for Identity's capability, this action is an automatic suspension of a compromised account to prevent additional damage like lateral movement, malicious mailbox use, or malware execution.-- [Contain user](../defender-endpoint/respond-machine-alerts.md#contain-user-from-the-network) - This response action automatically contains suspicious identities temporarily. This helps to block any lateral movement and remote encryption related to incoming communication with Microsoft Defender for Endpoint's onboarded devices.
+- [Contain user](../defender-endpoint/respond-machine-alerts.md#contain-user-from-the-network) - This response action automatically contains suspicious identities temporarily to help block any lateral movement and remote encryption related to incoming communication with Defender for Endpoint's onboarded devices.
For more information, see [remediation actions](m365d-remediation-actions.md) in Microsoft Defender XDR. ## Identify when an attack disruption happens in your environment
-The Microsoft Defender XDR incident page will reflect the automatic attack disruption actions through the attack story and the status indicated by a yellow bar (Figure 1). The incident will show a dedicated disruption tag, highlight the status of the assets contained in the incident graph, and add an action to the Action Center.
+The Defender XDR incident page will reflect the automatic attack disruption actions through the attack story and the status indicated by a yellow bar (Figure 1). The incident shows a dedicated disruption tag, highlight the status of the assets contained in the incident graph, and add an action to the Action Center.
:::image type="content" source="../../media/automatic-attack-disruption/Fig1-auto-attack-disruption.png" alt-text="Selecting an incident in the Microsoft Defender portal" lightbox="../../media/automatic-attack-disruption/Fig1-auto-attack-disruption.png"::: *Figure 1. Incident view showing the yellow bar where automatic attack disruption took action*
-The Microsoft Defender XDR user experience now includes additional visual cues to ensure visibility of these automatic actions. You will find them across the following experiences:
+The Defender XDR user experience now includes additional visual cues to ensure visibility of these automatic actions. You can find them across the following experiences:
1. In the incident queue: - A tag titled *Attack Disruption* appears next to affected incidents
-2. On the incident page:
+1. On the incident page:
- A tag titled *Attack Disruption* - A yellow banner at the top of the page that highlights the automatic action taken
- - The current asset status is shown in the incident graph if an action is done on an asset, e.g., account disabled or device contained
-
+ - The current asset status is shown in the incident graph if an action is done on an asset, for example, account disabled or device contained
+
3. Via API: An **(attack disruption)** string is added to the end of the titles of incidents with high confidence likely to be automatically disrupted. For example:
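Review bot: Renumbering "2. On the incident page:" to "1." leaves the list reading 1, 1, 3, because "3. Via API:" is unchanged; use "1." for every item or keep 1, 2, 3. In the paragraph above Figure 1, "The incident shows a dedicated disruption tag, highlight the status of the assets contained in the incident graph, and add an action to the Action Center" needs "highlights" and "adds" now that "will show" has become "shows".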
security Manage Rbac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-rbac.md
Centralized permissions management is supported for the following solutions:
|Microsoft Defender XDR|Centralized permissions management for Microsoft Defender XDR experiences.| |Microsoft Defender for Endpoint|Full support for all endpoint data and actions. All roles are compatible with the device group's scope as defined on the device groups page.| |Microsoft Defender Vulnerability Management|Centralized permissions management for all Defender Vulnerability Management capabilities.|
-|Microsoft Defender for Office 365|Full support for all data and actions scenarios that are controlled by [Email & Collaboration roles](../office-365-security/mdo-portal-permissions.md) and scenarios controlled by [Exchange Online permissions](/exchange/permissions-exo/permissions-exo). </br></br> **Note:** <ul><li>The Microsoft Defender XDR RBAC model is initially available for organizations with Microsoft Defender for Office 365 Plan 2 licenses only. This capability isn't available to users on trial licenses.</li><li>Granular delegated admin privileges (GDAP) isn't supported.</li><li>Cmdlets in Exchange Online PowerShell and Security & Compliance PowerShell continue to use the old RBAC models and aren't affected by Microsoft Defender XDR Unified RBAC.</ul><li>|
+|Microsoft Defender for Office 365|Full support for all data and actions scenarios that are controlled by [Email & Collaboration roles](../office-365-security/mdo-portal-permissions.md) and scenarios controlled by [Exchange Online permissions](/exchange/permissions-exo/permissions-exo). </br></br> **Note:** <ul><li>The Microsoft Defender XDR RBAC model is initially available for organizations with Microsoft Defender for Office 365 Plan 2 licenses only. This capability isn't available to users on trial licenses.</li><li>Granular delegated admin privileges (GDAP) isn't supported.</li><li>Cmdlets in Exchange Online PowerShell and Security & Compliance PowerShell continue to use the old RBAC models and aren't affected by Microsoft Defender XDR Unified RBAC.</li><li>Azure B2B invited guests aren't supported by Defender XDR RBAC, for experiences that were previously under Exchange Online RBAC.</li></ul>|
|Microsoft Defender for Identity|Full support for all identity data and actions. </br></br> **Note:** Defender for Identity experiences will also adhere to permissions granted from [Microsoft Defender for Cloud Apps](https://security.microsoft.com/cloudapps/permissions/roles). For more information, see [Microsoft Defender for Identity role groups](https://go.microsoft.com/fwlink/?linkid=2202729).| |Microsoft Defender for Cloud|Support access management for all Defender for Cloud data that is available in Microsoft Defender portal.| |Microsoft Secure Score|Full support for all Secure Score data from the [Products included in Secure Score](../defender/microsoft-secure-score.md#products-included-in-secure-score).|
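Review bot: The added list item "Azure B2B invited guests aren't supported by Defender XDR RBAC, for experiences that were previously under Exchange Online RBAC." names the model differently from the items before it in the same cell ("Microsoft Defender XDR RBAC model", "Microsoft Defender XDR Unified RBAC"); pick one name for the cell. The comma before "for experiences" should go, since that clause restricts the statement. The tag repair itself is correct: the old line closed the list with "</ul><li>", and the new one closes each item before "</ul>".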
security Start Using Mdex Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/start-using-mdex-xdr.md
If an incident is classified as _False Positive_ or _Informational_, _Expected A
> [!NOTE] > Incident comments are one-way posts. Defender Experts can't respond to any comments or questions you add in the **Comments and history** panel. For more information about how to correspond with our experts, see [Communicating with experts in the Microsoft Defender Experts for XDR service](communicate-defender-experts-xdr.md).
->
->Otherwise, if an incident is classified as _True Positive_, our experts then identify the required response actions that need to be performed. The method in which the actions are performed depends on the permissions and access levels you have given the Defender Experts for XDR service. [Learn more about granting permissions to our experts](get-started-xdr.md#grant-permissions-to-our-experts).
+
+Otherwise, if an incident is classified as _True Positive_, our experts then identify the required response actions that need to be performed. The method in which the actions are performed depends on the permissions and access levels you have given the Defender Experts for XDR service. [Learn more about granting permissions to our experts](get-started-xdr.md#grant-permissions-to-our-experts).
- If you have granted Defender Experts for XDR the recommended Security Operator access permissions, our experts could perform the required response actions on the incident on your behalf. These actions, along with an **Investigation summary**, show up in the incident's [Managed response](#how-to-use-managed-response-in-microsoft-365-defender) flyout panel in your Microsoft Defender portal for you or your SOC team to review. All actions that are completed by Defender Experts for XDR appear under the **Completed actions** section. Any pending actions that require you or you SOC team to complete are listed under the **Pending actions** section. For more information, see the [Actions](#actions) section. Once our experts have taken all the necessary actions on the incident, its **Status** field is then updated to _Resolved_ and the **Assigned to** field is updated to _Unassigned_.
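Review bot: Moving the paragraph out of the note block leaves "Otherwise, if an incident is classified as _True Positive_" opening a standalone paragraph whose antecedent (the _False Positive_ or _Informational_ case) sits before the note; start it with "If an incident is classified as _True Positive_" or move the note below this paragraph. While these lines are open, the unchanged bullet that follows has "you or you SOC team", which should be "you or your SOC team".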
solutions Productivity Illustrations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/productivity-illustrations.md
Use the following posters to start envisioning what your organization can do wit
| Item | Description | |:--|:--|
-|[![Microsoft 365 for frontline worker scenarios.](/microsoft-365/frontline/media/m365-frontline-scenarios-thumb.png)](https://go.microsoft.com/fwlink/?linkid=2206713) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206713) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206386) <br>Updated September 2022 |**Frontline worker scenarios**<br><br>This poster provides an overview of the scenarios you can implement for your frontline workforce to increase communications, enhance wellbeing and engagement, train and onboard your workers, and manage your workforce and operations.<br/><br/>**Related solution guides** <br/> <ul><li>[Microsoft 365 for frontline workers](/microsoft-365/frontline/flw-overview)|
-|[![Microsoft 365 for frontline workers: Healthcare scenarios.](/microsoft-365/frontline/media/m365-frontline-healthcare-thumb.png)](https://go.microsoft.com/fwlink/?linkid=2206475) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206475) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206474) <br>Updated September 2022 |**Healthcare scenarios**<br><br>This poster provides an overview of the scenarios you can implement for your frontline workforce in a healthcare setting.<br/><br/>**Related solution guides** <br/> <ul><li>[Get started with Microsoft 365 for healthcare organizations](/microsoft-365/frontline/teams-in-hc)|
-|[![Microsoft 365 for frontline workers: Retail scenarios.](/microsoft-365/frontline/media/m365-frontline-retail-thumb.png)](https://go.microsoft.com/fwlink/?linkid=2206476) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206476) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206271) <br>Updated September 2022 |**Retail scenarios**<br><br>This poster provides an overview of the scenarios you can implement for your frontline workforce in a retail setting.<br/><br/>**Related solution guides** <br/> <ul><li>[Get started with Microsoft 365 for retail organizations](/microsoft-365/frontline/teams-for-retail-landing-page)|
+|[![Microsoft 365 for frontline worker scenarios.](/microsoft-365/frontline/media/m365-frontline-scenarios-thumb.png)](https://go.microsoft.com/fwlink/?linkid=2206713) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206713) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206386) <br>Updated January 2024 |**Frontline worker scenarios**<br><br>This poster provides an overview of the scenarios you can implement for your frontline workforce to increase communications, enhance wellbeing and engagement, train and onboard your workers, and manage your workforce and operations.<br/><br/>**Related solution guides** <br/> <ul><li>[Microsoft 365 for frontline workers](/microsoft-365/frontline/flw-overview)|
+|[![Microsoft 365 for frontline workers: Healthcare scenarios.](/microsoft-365/frontline/media/m365-frontline-healthcare-thumb.png)](https://go.microsoft.com/fwlink/?linkid=2206475) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206475) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206474) <br>Updated January 2024 |**Healthcare scenarios**<br><br>This poster provides an overview of the scenarios you can implement for your frontline workforce in a healthcare setting.<br/><br/>**Related solution guides** <br/> <ul><li>[Get started with Microsoft 365 for healthcare organizations](/microsoft-365/frontline/teams-in-hc)|
+|[![Microsoft 365 for frontline workers: Retail scenarios.](/microsoft-365/frontline/media/m365-frontline-retail-thumb.png)](https://go.microsoft.com/fwlink/?linkid=2206476) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206476) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206271) <br>Updated January 2024 |**Retail scenarios**<br><br>This poster provides an overview of the scenarios you can implement for your frontline workforce in a retail setting.<br/><br/>**Related solution guides** <br/> <ul><li>[Get started with Microsoft 365 for retail organizations](/microsoft-365/frontline/teams-for-retail-landing-page)|
## Corporate communications with Microsoft 365 ΓÇö a Contoso case study Employee engagement is a significant contributor to workplace satisfaction, retention, and productivity at any organization. Across Microsoft 365, there are multiple ways to communicate and engage your audience.
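Review bot: In all three rewritten rows, the `<ul><li>` opened under **Related solution guides** is never closed before the cell's final `|`; add `</li></ul>` at the end of each row so the list does not rely on the renderer's error recovery. The only visible change is the date stamp, from "Updated September 2022" to "Updated January 2024", while the PDF and Visio fwlink IDs in each row (for example linkid=2206713 and linkid=2206386 in the first row) are unchanged, so please confirm the assets behind those links were actually refreshed before the new date is published. The rows also mix `<br/>` and `<br>` within the same cell; pick one form.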