Updates from: 02/10/2022 06:32:40
Category Microsoft Docs article Related commit history on GitHub Change details
admin About Admin Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-admin-roles.md
You'll probably only need to assign the following roles in your organization. By
||| |Billing admin | Assign the Billing admin role to users who make purchases, manage subscriptions and service requests, and monitor service health. <br><br> Billing admins also can:<br> - Manage all aspects of billing <br> - Create and manage support tickets in the Azure portal <br> | |Exchange admin | Assign the Exchange admin role to users who need to view and manage your user's email mailboxes, Microsoft 365 groups, and Exchange Online. <br><br> Exchange admins can also:<br> - Recover deleted items in a user's mailbox <br> - Set up "Send As" and "Send on behalf" delegates <br> |
-|Global admin | Assign the Global admin role to users who need global access to most management features and data across Microsoft online services. <br><br> Giving too many users global access is a security risk and we recommend that you have between 2 and 4 Global admins. <br><br> Only global admins can:<br> - Reset passwords for all users <br> - Add and manage domains <br> <br> **Note:** The person who signed up for Microsoft online services automatically becomes a Global admin. |
+|Global admin | Assign the Global admin role to users who need global access to most management features and data across Microsoft online services. <br><br> Giving too many users global access is a security risk and we recommend that you have between 2 and 4 Global admins. <br><br> Only global admins can:<br> - Reset passwords for all users <br> - Add and manage domains <br> - Unblock another global admin <br> <br> **Note:** The person who signed up for Microsoft online services automatically becomes a Global admin. |
|Global reader | Assign the global reader role to users who need to view admin features and settings in admin centers that the global admin can view. The global reader admin can't edit any settings. | |Groups admin | Assign the groups admin role to users who need to manage all groups settings across admin centers, including the Microsoft 365 admin center and Azure Active Directory portal. <br><br> Groups admins can:<br> - Create, edit, delete, and restore Microsoft 365 groups <br> - Create and update group creation, expiration, and naming policies <br> - Create, edit, delete, and restore Azure Active Directory security groups| |Helpdesk admin | Assign the Helpdesk admin role to users who need to do the following:<br> - Reset passwords <br> - Force users to sign out <br> - Manage service requests <br> - Monitor service health <br> <br> **Note**: The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader. |
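Review bot: The added bullet "- Unblock another global admin" in the Global admin row does not say what the other admin is blocked from, and it writes the role name in lower case while the row heading uses "Global admin". Because the same row recommends keeping between 2 and 4 Global admins, say what "unblock" covers and link to the procedure, so the bullet explains why a second Global admin matters for recovery.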
admin Remove Former Employee Step 4 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-4.md
To give access to the email messages, calendar, tasks, and contacts of the forme
> [!TIP] > If you want to import or restore only a few items from an Outlook Data File (.pst), you can open the Outlook Data File. Then, in the navigation pane, drag the items from Outlook Data File folders to your existing Outlook folders.
+### Cancel Outlook meetings
+
+Make sure to cancel all meetings that the former user had on their calendar. This lets people remove the meetings created by the former user.
+
+If the person had meetings that booked equipment or rooms, they won't be available to be booked until those meetings are canceled. Read [Delete an appointment or a meeting](https://support.microsoft.com/office/delete-an-appointment-or-a-meeting-2703bfdb-9a07-4396-be3b-a9f79438455b) for the steps.
+ ## Related content [Add and remove admins on a OneDrive account](/sharepoint/manage-user-profiles#add-and-remove-admins-for-a-users-onedrive) (article)
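Review bot: The new "Cancel Outlook meetings" section does not say who cancels the meetings or with what access to the former user's calendar; the only pointer is the general "Delete an appointment or a meeting" help page. Name the role or the earlier step in this procedure that provides that access. In the second paragraph, "they won't be available" reads as referring to the person rather than to the equipment or rooms; "the equipment or rooms stay booked until those meetings are canceled" is clearer. The section also switches between "the former user" and "the person".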
admin Enable Usage Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/usage-analytics/enable-usage-analytics.md
See [about admin roles](../add-users/about-admin-roles.md) for more information.
3. On the Reports panel that opens, set **Make report data available to Microsoft 365 usage analytics for Power BI** to **On** \> **Save**.
-The data collection process will complete in two to 48 hours depending on the size of your tenant. The **Go to Power BI** button will be enabled (no longer gray) when data collection is complete.
+The data collection process will complete in two to 48 hours depending on the size of your tenant. The **Go to Power BI** button will be enabled (no longer gray) when data collection is complete. Once it's done, the app provides historical usage data at your organization level.
+
+> [!NOTE]
+> The data for the **"User Activity"** tab is only refreshed after the fifteenth day of the current month and the first day of the next month, so it will remain empty initially until the first refresh is completed.
## Start the template app
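Review bot: The timing in the added note is ambiguous: "only refreshed after the fifteenth day of the current month and the first day of the next month" can be read as two refreshes per month or as a single window between those dates. State the schedule explicitly and say how long the "User Activity" tab can stay empty after enabling, since the paragraph just above promises that data collection completes in two to 48 hours.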
admin Usage Analytics Data Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/usage-analytics/usage-analytics-data-model.md
This table provides user level details for all users that have a license assigne
|UPN <br/> |User principal name, uniquely identifies the user to be able to join with other external data sources. <br/> | |DisplayName <br/> |User's display name. <br/> | |IDType <br/> |ID type is set to 1 if the user is a Yammer user who connects by using their Yammer ID or 0 if they connect to Yammer by using their Microsoft 365 ID. <br/> Value is 1 to represent that this user connects to Yammer with their Yammer ID and not their Microsoft 365 ID <br/> |
-|HasLicenseEXO <br/> |Set to true if user is assigned a license and enabled to use Exchange. <br/> |
-|HasLicenseODB <br/> |Set to true if user is assigned a license and enabled to use OneDrive for Business. <br/> |
-|HasLicenseSPO <br/> |Set to true if user is assigned a license and enabled to use SharePoint Online. <br/> |
-|HasLicenseYAM <br/> |Set to true if user is assigned a license and enabled to use Yammer. <br/> |
-|HasLicenseSFB <br/> |Set to true if user is assigned a license and enabled to use Skype For Business. <br/> |
-|HasLicenseTeams <br/> |Set to true if user is assigned a license and enable to use Microsoft Teams. <br/> |
+|HasLicenseEXO <br/> |Set to true if user is assigned a license and enabled to use Exchange on the last day of the month. <br/> |
+|HasLicenseODB <br/> |Set to true if user is assigned a license and enabled to use OneDrive for Business on the last day of the month. <br/> |
+|HasLicenseSPO <br/> |Set to true if user is assigned a license and enabled to use SharePoint Online on the last day of the month. <br/> |
+|HasLicenseYAM <br/> |Set to true if user is assigned a license and enabled to use Yammer on the last day of the month. <br/> |
+|HasLicenseSFB <br/> |Set to true if user is assigned a license and enabled to use Skype For Business on the last day of the month. <br/> |
+|HasLicenseTeams <br/> |Set to true if user is assigned a license and enable to use Microsoft Teams on the last day of the month. <br/> |
|Company <br/> |Company data represented in Azure Active Directory for this user. <br/> | |Department <br/> |Department data represented in Azure Active Directory for this user. <br/> | |LocationCity <br/> |City data represented in Azure Active Directory for this user. <br/> |
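Review bot: The new HasLicenseTeams row keeps the typo "enable to use Microsoft Teams"; the other five rows say "enabled to use", so fix it while the line is being changed. "on the last day of the month" also leaves the month unspecified in all six rows. Say which month the value refers to, so that someone joining this table on UPN knows how a license assigned or removed mid-month is reported.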
admin Whats New In Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/whats-new-in-preview.md
And if you'd like to know what's new with other Microsoft cloud
- [Office updates](/OfficeUpdates/) - [How to check Windows release health](/windows/deployment/update/check-release-health)
+## February 2022
+
+### Net promoter score (NPS) survey insights
+
+You can now view NPS survey data and insights from your users in the Microsoft 365 admin center. With this new feature you can obtain actionable insights from NPS survey responses from your end users, and achieve higher end user delight by addressing any issues and concerns.
+
+In the admin center, go to **Health** > **Product feedback** > **NPS survey insights**.
++
+We've identified the common themes from user feedback. Then we used machine learning models techniques to train the data sets and automatically organize the feedback into Top Topics.
+
+There are nine topics available. Look out for more topics in future updates.
++
+The NPS survey insight dashboard also contains these three new reports and pivots:
+
+- NPS monthly NPS trend volume for the last 12 months
+- Able to identify passives, promoters, and detractors
+- NPS volume per platform and app
+
+To provide you with a better experience using the NPS survey insight dashboard:
+
+- Encourage your end users to submit feedback
+- Confirm in-product surveys policies are enabled
+- Improve diagnosis by turning on Windows Error Reporting
+
+Learn more at [Microsoft product NPS feedback and insights for your organization](manage/manage-feedback-product-insights.md).
+
+> [!NOTE]
+> If you're interested in joining our design sessions, send us an email at: prosight@microsoft.com
+
+### Microsoft 365 admin center video training
+
+We've updated our Microsoft 365 admin center video training. Go to the [Admin training video library](admin-video-library.yml) page to learn how to set up and manage Microsoft 365 for your business.
++ ## July 2021 ### Microsoft 365 admin center search
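Review bot: In the NPS section, "we used machine learning models techniques to train the data sets" is garbled: models are trained on data, and "models techniques" needs one noun dropped. "We used machine learning to organize the feedback into Top Topics" says the same thing. The first report bullet repeats itself ("NPS monthly NPS trend volume"), the second bullet describes a capability rather than naming a report, and the two lone "+" lines after the navigation path and after "There are nine topics available" add nothing; if images were meant to go there, they are missing. The bullet "Improve diagnosis by turning on Windows Error Reporting" asks admins to enable additional data collection, so it should link to what that setting sends.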
For more information, see [Changes to update channels for Microsoft 365 Apps](/D
### New admin roles
-We've added some new Azure Active Directory admin roles to the <<a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.
+We've added some new Azure Active Directory admin roles to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.
- Hybrid identity admin role gives users permission to manage cloud provisioning and authentication services.-- Network admin role lets users manage network locations and review network insights for Microsoft 365 Software as a Service apps.
+- Network admin role lets users manage network locations and review network insights for Microsoft 365 Software as a Service app.
- Printer admin role grants permission to manage all aspects of printers and printer connections. - Printer technician is a subset of the Printer admin role where those users can register and unregister printers, and update printer status. To find out more about these roles, see [About admin roles](./add-users/about-admin-roles.md).
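Review bot: The Network admin bullet changes "Software as a Service apps" to "Software as a Service app", which breaks the plural; keep "apps". The anchor fix from "<<a" to "<a" is correct. Since that link opens in a new tab with target="_blank", consider adding rel="noopener" or converting it to a Markdown link like the other links in this section.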
We've got two updates for Groups this month:
### Featured Feedback Fix: Improve "add user" reliability for licensing
-We received a lot of feedback from admins about the how hard it is to assign licenses when adding users. We've made the first update to this fix and we've migrated to a more reliable behind-the-scenes service to process those requests. And if something goes wrong, you'll now get an error message that lets you to try again.
+We received a lot of feedback from admins about how hard it is to assign licenses when adding users. We've made the first update to this fix and we've migrated to a more reliable behind-the-scenes service to process those requests. And if something goes wrong, you'll now get an error message that lets you try again.
![Add user confirmation page with the error.](../media/MAC-WN-ImprovedLicensing.png)
compliance Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/alert-policies.md
You can also define user tags as a condition of an alert policy. This results in
> [!TIP] > When setting up an alert policy, consider assigning a higher severity to activities that can result in severely negative consequences, such as detection of malware after delivery to users, viewing of sensitive or classified data, sharing data with external users, or other activities that can result in data loss or security threats. This can help you prioritize alerts and the actions you take to investigate and resolve the underlying causes.
+- **Automated investigations**. Some alerts will trigger automated investigations to identify potential threats and risks that need remediation or mitigation. In most cases these alerts are triggered by detection of malicious emails or activities, but in some cases the alerts are triggered by administrator actions in the security portal. For more information about automated investigations, see [Automated investigation and response (AIR) in Microsoft Defender for Office 365](../security/office-365-security/office-365-air.md).
+ - **Email notifications**. You can set up the policy so that email notifications are sent (or not sent) to a list of users when an alert is triggered. You can also set a daily notification limit so that once the maximum number of notifications has been reached, no more notifications are sent for the alert during that day. In addition to email notifications, you or other administrators can view the alerts that are triggered by a policy on the **Alerts** page. Consider enabling email notifications for alert policies of a specific category or that have a higher severity setting. ## Default alert policies
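Review bot: The new "Automated investigations" bullet says some alerts are "triggered by administrator actions in the security portal" without naming them. The default alert policy table in this article lists "Admin triggered manual investigation of email" and "Admin triggered user compromise investigation"; naming those here would tell readers which alerts to expect after an admin action and which ones indicate a detection. The bullet links to office-365-air.md while those two table rows link to automated-investigation-response-office.md for the admin-triggered example, so pick one target for consistency.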
Microsoft provides built-in alert policies that help identify Exchange admin per
The following table lists and describes the available default alert policies and the category each policy is assigned to. The category is used to determine which alerts a user can view on the Alerts page. For more information, see [RBAC permissions required to view alerts](#rbac-permissions-required-to-view-alerts). The table also indicates the Office 365 Enterprise and Office 365 US Government plan required for each one. Some default alert policies are available if your organization has the appropriate add-on subscription in addition to an E1/F1/G1 or E3/F3/G3 subscription.-
-| Default alert policy | Description | Category | Enterprise subscription |
-|:--|:--|:--|:--|
-|**A potentially malicious URL click was detected**|Generates an alert when a user protected by [Safe Links](../security/office-365-security/safe-links.md) in your organization clicks a malicious link. This event is triggered when URL verdict changes are identified by Microsoft Defender for Office 365 or when users override the Safe Links pages (based on your organization's Microsoft 365 for business Safe Links policy). This alert policy has a **High** severity setting. For Defender for Office 365 P2, E5, G5 customers, this alert automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on events that trigger this alert, see [Set up Safe Links policies](../security/office-365-security/set-up-safe-links-policies.md).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**Admin Submission result completed**|Generates an alert when an [Admin Submission](../security/office-365-security/admin-submission.md) completes the rescan of the submitted entity. An alert will be triggered every time a rescan result is rendered from an Admin Submission. These alerts are meant to remind you to [review the results of previous submissions](https://compliance.microsoft.com/reportsubmission), submit user reported messages to get the latest policy check and rescan verdicts, and help you determine if the filtering policies in your organization are having the intended impact. This policy has a **Informational** severity setting.|Threat management|E1/F1, E3/F3, or E5|
-|**Admin triggered manual investigation of email**|Generates an alert when an admin triggers the manual investigation of an email from Threat Explorer. For more information, see [Example: A security administrator triggers an investigation from Threat Explorer](../security/office-365-security/automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). This alert notifies your organization that the investigation was started. The alert provides information about who triggered it and includes a link to the investigation. This policy has an **Informational** severity setting.|Threat management| E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|
-|**Admin triggered user compromise investigation**|Generates an alert when an admin triggers the manual user compromise investigation of either an email sender or recipient from Threat Explorer. For more information, see [Example: A security administrator triggers an investigation from Threat Explorer](../security/office-365-security/automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer), which shows the related manual triggering of an investigation on an email. This alert notifies your organization that the user compromise investigation was started. The alert provides information about who triggered it and includes a link to the investigation. This policy has a **Medium** severity setting.|Threat management| E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|
-|**Creation of forwarding/redirect rule**|Generates an alert when someone in your organization creates an inbox rule for their mailbox that forwards or redirects messages to another email account. This policy only tracks inbox rules that are created using Outlook on the web (formerly known as Outlook Web App) or Exchange Online PowerShell. This policy has a **Informational** severity setting. For more information about using inbox rules to forward and redirect email in Outlook on the web, see [Use rules in Outlook on the web to automatically forward messages to another account](https://support.office.com/article/1433e3a0-7fb0-4999-b536-50e05cb67fed).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**eDiscovery search started or exported**|Generates an alert when someone uses the Content search tool in the Security and compliance center. An alert is triggered when the following content search activities are performed: <br><br> <li> A content search is started <li> The results of a content search are exported <li> A content search report is exported <br><br> Alerts are also triggered when the previous content search activities are performed in association with an eDiscovery case. This policy has a **Informational** severity setting. For more information about content search activities, see [Search for eDiscovery activities in the audit log](search-for-ediscovery-activities-in-the-audit-log.md#ediscovery-activities).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**Elevation of Exchange admin privilege**|Generates an alert when someone is assigned administrative permissions in your Exchange Online organization. For example, when a user is added to the Organization Management role group in Exchange Online. This policy has a **Low** severity setting.|Permissions|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**Email messages containing malicious file removed after delivery**|Generates an alert when any messages containing a malicious file are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|
-|**Email messages containing malicious URL removed after delivery**|Generates an alert when any messages containing a malicious URL are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**Email messages from a campaign removed after delivery**|Generates an alert when any messages associated with a [Campaign](../security/office-365-security/campaigns.md) are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**Email messages removed after delivery**|Generates an alert when any malicious messages that do not contain a malicious entity (URL or File), or associated with a Campaign, are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**Email reported by user as malware or phish**|Generates an alert when users in your organization report messages as phishing email using the Report Message add-in. This policy has an **Low** severity setting. For more information about this add-in, see [Use the Report Message add-in](https://support.office.com/article/b5caa9f1-cdf3-4443-af8c-ff724ea719d2). For Defender for Office 365 P2, E5, G5 customers, this alert automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**Email sending limit exceeded**|Generates an alert when someone in your organization has sent more mail than is allowed by the outbound spam policy. This is usually an indication the user is sending too much email or that the account may be compromised. This policy has a **Medium** severity setting. If you get an alert generated by this alert policy, it's a good idea to [check whether the user account is compromised](../security/office-365-security/responding-to-a-compromised-email-account.md).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**Form blocked due to potential phishing attempt**|Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior. This policy has a **High severity** setting.|Threat management|E1, E3/F3, or E5|
-|**Form flagged and confirmed as phishing**|Generates an alert when a form created in Microsoft Forms from within your organization has been identified as potential phishing through Report Abuse and confirmed as phishing by Microsoft. This policy has a **High** severity setting.|Threat management|E1, E3/F3, or E5|
-|**Messages have been delayed**|Generates an alert when Microsoft can't deliver email messages to your on-premises organization or a partner server by using a connector. When this happens, the message is queued in Office 365. This alert is triggered when there are 2,000 messages or more that have been queued for more than an hour. This policy has a **High** severity setting.|Mail flow|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**Malware campaign detected after delivery**|Generates an alert when an unusually large number of messages containing malware are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes. This policy has a **High** severity setting.|Threat management|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|
-|**Malware campaign detected and blocked**|Generates an alert when someone has attempted to send an unusually large number of email messages containing a certain type of malware to users in your organization. If this event occurs, the infected messages are blocked by Microsoft and not delivered to mailboxes. This policy has a **Low** severity setting.|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**Malware campaign detected in SharePoint and OneDrive**|Generates an alert when an unusually high volume of malware or viruses is detected in files located in SharePoint sites or OneDrive accounts in your organization. This policy has a **High** severity setting.|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**Malware not zapped because ZAP is disabled**| Generates an alert when Microsoft detects delivery of a malware message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled. This policy has an **Informational** severity setting. |Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**Phish delivered because a user's Junk Mail folder is disabled**|Generates an alert when Microsoft detects a userΓÇÖs Junk Mail folder is disabled, allowing delivery of a high confidence phishing message to a mailbox. This policy has an **Informational** severity setting.|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**Phish delivered due to an ETR override**|Generates an alert when Microsoft detects an Exchange Transport Rule (ETR) that allowed delivery of a high confidence phishing message to a mailbox. This policy has an **Informational** severity setting. For more information about Exchange Transport Rules (Mail flow rules), see [Mail flow rules (transport rules) in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**Phish delivered due to an IP allow policy**|Generates an alert when Microsoft detects an IP allow policy that allowed delivery of a high confidence phishing message to a mailbox. This policy has an **Informational** severity setting. For more information about the IP allow policy (connection filtering), see [Configure the default connection filter policy - Office 365](../security/office-365-security/configure-the-connection-filter-policy.md).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**Phish not zapped because ZAP is disabled**| Generates an alert when Microsoft detects delivery of a high confidence phishing message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled. This policy has an **Informational** severity setting.|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**Phish delivered due to tenant or user override**<sup>1</sup>|Generates an alert when Microsoft detects an admin or user override allowed the delivery of a phishing message to a mailbox. Examples of overrides include an inbox or mail flow rule that allows messages from a specific sender or domain, or an anti-spam policy that allows messages from specific senders or domains. This policy has a **High** severity setting.|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**Suspicious email forwarding activity**|Generates an alert when someone in your organization has autoforwarded email to a suspicious external account. This is an early warning for behavior that may indicate the account is compromised, but not severe enough to restrict the user. This policy has a **High** severity setting. Although it's rare, an alert generated by this policy may be an anomaly. It's a good idea to [check whether the user account is compromised](../security/office-365-security/responding-to-a-compromised-email-account.md).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**Suspicious email sending patterns detected**|Generates an alert when someone in your organization has sent suspicious email and is at risk of being restricted from sending email. This is an early warning for behavior that may indicate that the account is compromised, but not severe enough to restrict the user. This policy has a **Medium** severity setting. Although it's rare, an alert generated by this policy may be an anomaly. However, it's a good idea to [check whether the user account is compromised](../security/office-365-security/responding-to-a-compromised-email-account.md).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5 |
-|**Tenant Allow/Block List entry is about to expire**|Generates an alert when a Tenant Allow/Block List entry is about to be removed. This event is triggered three days prior to expiration date, which is based when the entry was created or last updated. This alert policy has an **Informational** severity setting. This is to inform admins of upcoming changes in the filters since the allow or block could be going away. For blocks, you can extend the expiration date to keep the block in place. For allows, you need to resubmit the item so that our analysts can take another look. However, if the allow has already been graded as a false positive, then the entry will only expire when the system filters have been updated to naturally allow the entry. For more information on events that trigger this alert, see [Manage the Tenant Allow/Block list](../security/office-365-security/tenant-allow-block-list.md).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**Tenant restricted from sending email**|Generates an alert when most of the email traffic from your organization has been detected as suspicious and Microsoft has restricted your organization from sending email. Investigate any potentially compromised user and admin accounts, new connectors, or open relays, and then contact Microsoft Support to unblock your organization. This policy has a **High** severity setting. For more information about why organizations are blocked, see [Fix email delivery issues for error code 5.7.7xx in Exchange Online](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-5-7-700-through-5-7-750).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**Tenant restricted from sending unprovisioned email**|Generates an alert when too much email is being sent from unregistered domains (also known as *unprovisioned* domains). Office 365 allows a reasonable amount of email from unregistered domains, but you should configure every domain that you use to send email as an accepted domain. This alert indicates that all users in the organization can no longer send email. This policy has a **High** severity setting. For more information about why organizations are blocked, see [Fix email delivery issues for error code 5.7.7xx in Exchange Online](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-5-7-700-through-5-7-750).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**Unusual external user file activity**|Generates an alert when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside of your organization. This includes activities such as accessing files, downloading files, and deleting files. This policy has a **High** severity setting.|Information governance|E5/G5, Microsoft Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription|
-|**Unusual volume of external file sharing**|Generates an alert when an unusually large number of files in SharePoint or OneDrive are shared with users outside of your organization. This policy has a **Medium** severity setting.|Information governance|E5/G5, Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription|
-|**Unusual volume of file deletion**|Generates an alert when an unusually large number of files are deleted in SharePoint or OneDrive within a short time frame. This policy has a **Medium** severity setting.|Information governance|E5/G5, Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription|
-|**Unusual increase in email reported as phish**|Generates an alert when there's a significant increase in the number of people in your organization using the Report Message add-in in Outlook to report messages as phishing mail. This policy has a **Medium** severity setting. For more information about this add-in, see [Use the Report Message add-in](https://support.office.com/article/b5caa9f1-cdf3-4443-af8c-ff724ea719d2).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**User impersonation phish delivered to inbox/folder**<sup>1,</sup><sup>2</sup>|Generates an alert when Microsoft detects that an admin or user override has allowed the delivery of a user impersonation phishing message to the inbox (or other user-accessible folder) of a mailbox. Examples of overrides include an inbox or mail flow rule that allows messages from a specific sender or domain, or an anti-spam policy that allows messages from specific senders or domains. This policy has a **Medium** severity setting.|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**User requested to release a quarantined message**|Generates an alert when a user requests release for a quarantined message. To request the release of quarantined messages, the **Allow recipients to request a message to be released from quarantine** (_PermissionToRequestRelease_) permission is required in the quarantine policy (for example, from the **Limited access** preset permissions group). For more information, see [Allow recipients to request a message to be released from quarantine permission](../security/office-365-security/quarantine-policies.md#allow-recipients-to-request-a-message-to-be-released-from-quarantine-permission). This policy has an **Informational** severity setting.|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**User restricted from sending email**|Generates an alert when someone in your organization is restricted from sending outbound mail. This typically results when an account is compromised, and the user is listed on the **Restricted Users** page in the Microsoft 365 compliance center. (To access this page, go to **Threat management > Review > Restricted Users**). This policy has a **High** severity setting. For more information about restricted users, see [Removing a user, domain, or IP address from a block list after sending spam email](/office365/securitycompliance/removing-user-from-restricted-users-portal-after-spam).|Threat management|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**User restricted from sharing forms and collecting responses**|Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior. This policy has a **High** severity setting.|Threat management|E1, E3/F3, or E5|
+
+| Default alert policy | Description | Category | Automated investigation | Enterprise subscription |
+|:--|:--|:--|:--|:--|
+|**A potentially malicious URL click was detected**|Generates an alert when a user protected by [Safe Links](../security/office-365-security/safe-links.md) in your organization clicks a malicious link. This event is triggered when URL verdict changes are identified by Microsoft Defender for Office 365 or when users override the Safe Links pages (based on your organization's Microsoft 365 for business Safe Links policy). This alert policy has a **High** severity setting. For Defender for Office 365 P2, E5, G5 customers, this alert automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on events that trigger this alert, see [Set up Safe Links policies](../security/office-365-security/set-up-safe-links-policies.md).|Threat management|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**Admin Submission result completed**|Generates an alert when an [Admin Submission](../security/office-365-security/admin-submission.md) completes the rescan of the submitted entity. An alert will be triggered every time a rescan result is rendered from an Admin Submission. These alerts are meant to remind you to [review the results of previous submissions](https://compliance.microsoft.com/reportsubmission), submit user reported messages to get the latest policy check and rescan verdicts, and help you determine if the filtering policies in your organization are having the intended impact. This policy has a **Informational** severity setting.|Threat management|No|E1/F1, E3/F3, or E5|
+|**Admin triggered manual investigation of email**|Generates an alert when an admin triggers the manual investigation of an email from Threat Explorer. For more information, see [Example: A security administrator triggers an investigation from Threat Explorer](../security/office-365-security/automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). This alert notifies your organization that the investigation was started. The alert provides information about who triggered it and includes a link to the investigation. This policy has an **Informational** severity setting.|Threat management|Yes|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|
+|**Admin triggered user compromise investigation**|Generates an alert when an admin triggers the manual user compromise investigation of either an email sender or recipient from Threat Explorer. For more information, see [Example: A security administrator triggers an investigation from Threat Explorer](../security/office-365-security/automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer), which shows the related manual triggering of an investigation on an email. This alert notifies your organization that the user compromise investigation was started. The alert provides information about who triggered it and includes a link to the investigation. This policy has a **Medium** severity setting.|Threat management|Yes|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|
+|**Creation of forwarding/redirect rule**|Generates an alert when someone in your organization creates an inbox rule for their mailbox that forwards or redirects messages to another email account. This policy only tracks inbox rules that are created using Outlook on the web (formerly known as Outlook Web App) or Exchange Online PowerShell. This policy has a **Informational** severity setting. For more information about using inbox rules to forward and redirect email in Outlook on the web, see [Use rules in Outlook on the web to automatically forward messages to another account](https://support.office.com/article/1433e3a0-7fb0-4999-b536-50e05cb67fed).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**eDiscovery search started or exported**|Generates an alert when someone uses the Content search tool in the Security and compliance center. An alert is triggered when the following content search activities are performed: <br><br> <li> A content search is started <li> The results of a content search are exported <li> A content search report is exported <br><br> Alerts are also triggered when the previous content search activities are performed in association with an eDiscovery case. This policy has a **Informational** severity setting. For more information about content search activities, see [Search for eDiscovery activities in the audit log](search-for-ediscovery-activities-in-the-audit-log.md#ediscovery-activities).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**Elevation of Exchange admin privilege**|Generates an alert when someone is assigned administrative permissions in your Exchange Online organization. For example, when a user is added to the Organization Management role group in Exchange Online. This policy has a **Low** severity setting.|Permissions|No|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**Email messages containing malicious file removed after delivery**|Generates an alert when any messages containing a malicious file are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|Yes|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|
+|**Email messages containing malicious URL removed after delivery**|Generates an alert when any messages containing a malicious URL are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**Email messages from a campaign removed after delivery**|Generates an alert when any messages associated with a [Campaign](../security/office-365-security/campaigns.md) are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**Email messages removed after delivery**|Generates an alert when any malicious messages that do not contain a malicious entity (URL or File), or associated with a Campaign, are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**Email reported by user as malware or phish**|Generates an alert when users in your organization report messages as phishing email using the Report Message add-in. This policy has an **Low** severity setting. For more information about this add-in, see [Use the Report Message add-in](https://support.office.com/article/b5caa9f1-cdf3-4443-af8c-ff724ea719d2). For Defender for Office 365 P2, E5, G5 customers, this alert automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md).|Threat management|Yes|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**Email sending limit exceeded**|Generates an alert when someone in your organization has sent more mail than is allowed by the outbound spam policy. This is usually an indication the user is sending too much email or that the account may be compromised. This policy has a **Medium** severity setting. If you get an alert generated by this alert policy, it's a good idea to [check whether the user account is compromised](../security/office-365-security/responding-to-a-compromised-email-account.md).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**Form blocked due to potential phishing attempt**|Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior. This policy has a **High severity** setting.|Threat management|No|E1, E3/F3, or E5|
+|**Form flagged and confirmed as phishing**|Generates an alert when a form created in Microsoft Forms from within your organization has been identified as potential phishing through Report Abuse and confirmed as phishing by Microsoft. This policy has a **High** severity setting.|Threat management|No|E1, E3/F3, or E5|
+|**Messages have been delayed**|Generates an alert when Microsoft can't deliver email messages to your on-premises organization or a partner server by using a connector. When this happens, the message is queued in Office 365. This alert is triggered when there are 2,000 messages or more that have been queued for more than an hour. This policy has a **High** severity setting.|Mail flow|No|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**Malware campaign detected after delivery**|Generates an alert when an unusually large number of messages containing malware are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes. This policy has a **High** severity setting.|Threat management|No|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|
+|**Malware campaign detected and blocked**|Generates an alert when someone has attempted to send an unusually large number of email messages containing a certain type of malware to users in your organization. If this event occurs, the infected messages are blocked by Microsoft and not delivered to mailboxes. This policy has a **Low** severity setting.|Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**Malware campaign detected in SharePoint and OneDrive**|Generates an alert when an unusually high volume of malware or viruses is detected in files located in SharePoint sites or OneDrive accounts in your organization. This policy has a **High** severity setting.|Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**Malware not zapped because ZAP is disabled**| Generates an alert when Microsoft detects delivery of a malware message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled. This policy has an **Informational** severity setting. |Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**Phish delivered because a user's Junk Mail folder is disabled**|Generates an alert when Microsoft detects a userΓÇÖs Junk Mail folder is disabled, allowing delivery of a high confidence phishing message to a mailbox. This policy has an **Informational** severity setting.|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**Phish delivered due to an ETR override**|Generates an alert when Microsoft detects an Exchange Transport Rule (ETR) that allowed delivery of a high confidence phishing message to a mailbox. This policy has an **Informational** severity setting. For more information about Exchange Transport Rules (Mail flow rules), see [Mail flow rules (transport rules) in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**Phish delivered due to an IP allow policy**|Generates an alert when Microsoft detects an IP allow policy that allowed delivery of a high confidence phishing message to a mailbox. This policy has an **Informational** severity setting. For more information about the IP allow policy (connection filtering), see [Configure the default connection filter policy - Office 365](../security/office-365-security/configure-the-connection-filter-policy.md).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**Phish not zapped because ZAP is disabled**| Generates an alert when Microsoft detects delivery of a high confidence phishing message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled. This policy has an **Informational** severity setting.|Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**Phish delivered due to tenant or user override**<sup>1</sup>|Generates an alert when Microsoft detects an admin or user override allowed the delivery of a phishing message to a mailbox. Examples of overrides include an inbox or mail flow rule that allows messages from a specific sender or domain, or an anti-spam policy that allows messages from specific senders or domains. This policy has a **High** severity setting.|Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**Suspicious email forwarding activity**|Generates an alert when someone in your organization has autoforwarded email to a suspicious external account. This is an early warning for behavior that may indicate the account is compromised, but not severe enough to restrict the user. This policy has a **High** severity setting. Although it's rare, an alert generated by this policy may be an anomaly. It's a good idea to [check whether the user account is compromised](../security/office-365-security/responding-to-a-compromised-email-account.md).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**Suspicious email sending patterns detected**|Generates an alert when someone in your organization has sent suspicious email and is at risk of being restricted from sending email. This is an early warning for behavior that may indicate that the account is compromised, but not severe enough to restrict the user. This policy has a **Medium** severity setting. Although it's rare, an alert generated by this policy may be an anomaly. However, it's a good idea to [check whether the user account is compromised](../security/office-365-security/responding-to-a-compromised-email-account.md).|Threat management|Yes|E1/F1/G1, E3/F3/G3, or E5/G5 |
+|**Tenant Allow/Block List entry is about to expire**|Generates an alert when a Tenant Allow/Block List entry is about to be removed. This event is triggered three days prior to expiration date, which is based when the entry was created or last updated. This alert policy has an **Informational** severity setting. This is to inform admins of upcoming changes in the filters since the allow or block could be going away. For blocks, you can extend the expiration date to keep the block in place. For allows, you need to resubmit the item so that our analysts can take another look. However, if the allow has already been graded as a false positive, then the entry will only expire when the system filters have been updated to naturally allow the entry. For more information on events that trigger this alert, see [Manage the Tenant Allow/Block list](../security/office-365-security/tenant-allow-block-list.md).|Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**Tenant restricted from sending email**|Generates an alert when most of the email traffic from your organization has been detected as suspicious and Microsoft has restricted your organization from sending email. Investigate any potentially compromised user and admin accounts, new connectors, or open relays, and then contact Microsoft Support to unblock your organization. This policy has a **High** severity setting. For more information about why organizations are blocked, see [Fix email delivery issues for error code 5.7.7xx in Exchange Online](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-5-7-700-through-5-7-750).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**Tenant restricted from sending unprovisioned email**|Generates an alert when too much email is being sent from unregistered domains (also known as *unprovisioned* domains). Office 365 allows a reasonable amount of email from unregistered domains, but you should configure every domain that you use to send email as an accepted domain. This alert indicates that all users in the organization can no longer send email. This policy has a **High** severity setting. For more information about why organizations are blocked, see [Fix email delivery issues for error code 5.7.7xx in Exchange Online](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-5-7-700-through-5-7-750).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**Unusual external user file activity**|Generates an alert when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside of your organization. This includes activities such as accessing files, downloading files, and deleting files. This policy has a **High** severity setting.|Information governance|No|E5/G5, Microsoft Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription|
+|**Unusual volume of external file sharing**|Generates an alert when an unusually large number of files in SharePoint or OneDrive are shared with users outside of your organization. This policy has a **Medium** severity setting.|Information governance|No|E5/G5, Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription|
+|**Unusual volume of file deletion**|Generates an alert when an unusually large number of files are deleted in SharePoint or OneDrive within a short time frame. This policy has a **Medium** severity setting.|Information governance|No|E5/G5, Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription|
+|**Unusual increase in email reported as phish**|Generates an alert when there's a significant increase in the number of people in your organization using the Report Message add-in in Outlook to report messages as phishing mail. This policy has a **Medium** severity setting. For more information about this add-in, see [Use the Report Message add-in](https://support.office.com/article/b5caa9f1-cdf3-4443-af8c-ff724ea719d2).|Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**User impersonation phish delivered to inbox/folder**<sup>1,</sup><sup>2</sup>|Generates an alert when Microsoft detects that an admin or user override has allowed the delivery of a user impersonation phishing message to the inbox (or other user-accessible folder) of a mailbox. Examples of overrides include an inbox or mail flow rule that allows messages from a specific sender or domain, or an anti-spam policy that allows messages from specific senders or domains. This policy has a **Medium** severity setting.|Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**User requested to release a quarantined message**|Generates an alert when a user requests release for a quarantined message. To request the release of quarantined messages, the **Allow recipients to request a message to be released from quarantine** (_PermissionToRequestRelease_) permission is required in the quarantine policy (for example, from the **Limited access** preset permissions group). For more information, see [Allow recipients to request a message to be released from quarantine permission](../security/office-365-security/quarantine-policies.md#allow-recipients-to-request-a-message-to-be-released-from-quarantine-permission). This policy has an **Informational** severity setting.|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**User restricted from sending email**|Generates an alert when someone in your organization is restricted from sending outbound mail. This typically results when an account is compromised, and the user is listed on the **Restricted Users** page in the Microsoft 365 compliance center. (To access this page, go to **Threat management > Review > Restricted Users**). This policy has a **High** severity setting. For more information about restricted users, see [Removing a user, domain, or IP address from a block list after sending spam email](/office365/securitycompliance/removing-user-from-restricted-users-portal-after-spam).|Threat management|Yes|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**User restricted from sharing forms and collecting responses**|Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior. This policy has a **High** severity setting.|Threat management|No|E1, E3/F3, or E5|
> [!NOTE] > <sup>1</sup> We've temporarily removed this default alert policy based on customer feedback. We're working to improve it, and will replace it with a new version in the near future. Until then, you can create a custom alert policy to replace this functionality by using the following settings: <ul><li>Activity is Phish email detected at time of delivery</li> <li>Mail is not ZAP'd</li> <li>Mail direction is Inbound</li> <li>Mail delivery status is Delivered</li> <li>Detection technology is Malicious URL retention, URL detonation, Advanced phish filter, General phish filter, Domain impersonation, User impersonation, and Brand impersonation</li></ul> For more information about anti-phishing in Office 365, see [Set up anti-phishing and anti-phishing policies](../security/office-365-security/set-up-anti-phishing-policies.md).<br/><br/><sup>2</sup> To recreate this alert policy, follow the guidance in the previous footnote, but choose User impersonation as the only Detection technology.
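Review bot: The added **Malware not zapped because ZAP is disabled** row says the alert fires "because Zero-Hour Auto Purge for Phish messages is disabled", the same wording as the **Phish not zapped because ZAP is disabled** row. For a malware alert this reads like a copy-paste, so confirm which ZAP setting is meant and name it. In the same table, **Form blocked due to potential phishing attempt** and **User restricted from sharing forms and collecting responses** carry an identical description, so one of them needs its own trigger text, and the Form blocked row bolds "High severity" where every other row bolds only the level. The Junk Mail row contains a mis-encoded apostrophe ("userΓÇÖs"), and the rows tagged with footnotes 1 and 2 now carry an Automated investigation value even though the note below says those default policies were temporarily removed.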
compliance Annotating And Redacting Documents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/annotating-and-redacting-documents.md
- Title: Viewing documents in a review set in Advanced eDiscovery-- NOCSH--- Previously updated : ----- MOE150-- MET150-
-description: "You can annotate and redact documents in a review set in Advanced eDiscovery."
---
-# Annotate and redact documents in a review set in Advanced eDiscovery
-
-Content coming soon.
compliance Building Search Queries https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/building-search-queries.md
Alternatively, you can select the **Show keyword list** check box and the type a
![Use the keyword list to get statistics on each keyword in the query.](../media/KeywordListSearch.png)
-Why use the keyword list? You can get statistics that show how many items match each keyword in the keyword list. This can help you quickly identify the keywords that are the most (and least) effective. You can also use a keyword phrase (surrounded by parentheses) in a row in the keywords list. For more information about search statistics, see [Search statistics](search-statistics-in-advanced-ediscovery.md).
+Why use the keyword list? You can get statistics that show how many items match each keyword in the keyword list. This can help you quickly identify the keywords that are the most (and least) effective. You can also use a keyword phrase (surrounded by parentheses) in a row in the keywords list. For more information about search statistics, see [Collection statistics and reports](collection-statistics-reports.md)
## Conditions
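Review bot: The added sentence ends at the link with no closing period ("see [Collection statistics and reports](collection-statistics-reports.md)"), where the removed line had one; restore it. The lead-in still says "For more information about search statistics" while the link is now titled "Collection statistics and reports", so consider aligning the two.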
compliance Create Search To Collect Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-search-to-collect-data.md
- Title: "Create a search"-- NOCSH--- Previously updated : ----- MOE150-- MET150-
-description: Learn how to create, define, and choose custodians and custodial locations for a search in an Advanced eDiscovery case.
---
-# Create a search
-
-On the **Searches** tab in your case, you can create a new search by clicking **New search** and following the wizard.
-
-![The search wizard in an Advanced eDiscovery case.](../media/AeDSearch1.png)
-
-## Name the search and give it a description
-
-Each search with a case should have a unique name. You can optionally provide a description for your search.
-
-## Choose the custodians and custodial locations to search
-
-Choose custodian content locations to search by specifying that custodians you have added to the case. By selecting a custodian, you will run the search against all data sources mapped to the custodian. You also have the option to narrow the search to selected data sources for each custodian. For more information about how to add custodians and manage their data sources, see [Work with custodians](managing-custodians.md).
-
-## Choose non-custodial locations
-
-In some cases, you may want to search data sources that are not associated with a custodian. In this case, you can specify the locations you want to search, or choose to search all content locations for a specific Microsoft service (such as searching all Exchange mailboxes or all SharePoint sites and OneDrive accounts).
-
-## Define the search query and conditions
-
-You can define the keywords query and any conditions for the search by using the pre-built condition cards or using Keyword Query Language (KQL). For more information, see [Build search queries](building-search-queries.md).
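Review bot: Deleting create-search-to-collect-data.md leaves any remaining inbound links dead unless the old path is redirected, and nothing in this hunk shows a redirect. The ediscovery-cjk-support.md change in this same update repoints its link to create-draft-collection.md, which looks like the intended replacement; check the other articles for links to the old file name and point them, and the redirect, at that target.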
compliance Create Tag Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-tag-groups.md
- Title: "Create a new case in Advanced eDiscovery"-- NOCSH--- Previously updated : ----- MOE150-- MET150-
-description: ""
--
-# Create tag groups
-
-Before you or other people can tag documents in a review set, the tags must be created. You can do this by creating tag groups that contain child tags. Tags are displayed in the tagging panel when reviewing documents in a review set.
-
-To create a tag group:
-
-1. In a review set, click **Manage review set**.
-
- ![Click Manage review set.](../media/ED-managews.png)
-
-2. In the **Tags** tile, click **Manage tags**.
-
- ![Click Manage tags in the Tags tile.](../media/ED-managetags.png)
-
-Once inside the tag management, tags can be created to meet the requirements of your case. You can start by creating a tag group.
-
-1. Click **Add section**.
-
- ![Adding a tag group.](../media/ED-addtagsection.png)
-
- The preview screen will update when you save so you can preview the tag panel without having to close the tag management screen and go back to the working set.
-
-2. Enter a title and optional description.
-
-3. To create a tag within that group, click the ellipses on the new tag group to create tags in that new section.
-
- ![Creating tags in a tag group.](../media/ED-createtag.png)
-
- - **Option tags** will force users to select one tag from a group of tags.
-
- - **Check box tags** will allow users to select any combination of tags. |
-
-## Nested tags
-
-To nest tags, click the ellipses next to a tag and then select a new tag to add.
-
-![Nesting tags.](../media/ED-tagnesting.png)
-
compliance Customer Lockbox Requests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-lockbox-requests.md
description: "Learn about Customer Lockbox requests that allow you to control ho
# Customer Lockbox in Office 365
-This article provides deployment and configuration guidance for Customer Lockbox. Customer Lockbox supports requests to access data in Exchange Online, SharePoint Online, and OneDrive for Business. To recommend support for other services, submit a request at [Office 365 UserVoice](https://office365.uservoice.com/).
+This article provides deployment and configuration guidance for Customer Lockbox. Customer Lockbox supports requests to access data in Exchange Online, SharePoint Online, and OneDrive for Business. To recommend support for other services, submit a request at [Office 365 UserVoice](https://feedbackportal.microsoft.com/feedback/).
To see the options for licensing your users to benefit from Microsoft 365 compliance offerings, see the [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).
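Review bot: On the added line, the link target now points to https://feedbackportal.microsoft.com/feedback/ but the link text still reads "Office 365 UserVoice". Update the link text to name the destination the reader actually lands on, so the label and the URL agree.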
compliance Ediscovery Cjk Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-cjk-support.md
It depends on your search scenario.
- When you [query data in a review set](review-set-search.md) in Advanced eDiscovery, you can search for multiple languages. -- When you [create a search to collect data](create-search-to-collect-data.md), create a separate search for each language you're targeting. For example, if you are searching for a document that contains both Chinese and Korean, select Chinese for your first query and select Korean for your second query.
+- When you [create a search to collect data](create-draft-collection.md), create separate collections for each language you're targeting. For example, if you are searching for a document that contains both Chinese and Korean, select Chinese for your first collection and select Korean for your second collection.
**I don't see the query language-country/region icon to select a language for queries in a review set. How can I specify a query language in a review set search?**
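Review bot: On the added bullet, the link text is still "create a search to collect data" although the target changed to create-draft-collection.md and the rest of the sentence now speaks of collections. Reword the link text to match the new terminology (for example "create a draft collection") so the bullet does not mix the old and new names for the same step.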
compliance Manage Load Sets In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/manage-load-sets-in-advanced-ediscovery.md
- Title: "Manage load sets in Advanced eDiscovery"-- NOCSH--- Previously updated : ----- MOE150-- MET150-
-description: "Learn about managing load sets in Advanced eDiscovery."
--
-# Manage load sets in Advanced eDiscovery
-
-Content coming soon.
compliance Managing Jobs Ediscovery20 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/managing-jobs-ediscovery20.md
Here's a list of the jobs (which are typically long-running processes) that are
|Adding remediated data to a review set | Data with processing errors is remediated and loaded back into a review set. For more information, see:</br>ΓÇó [Error remediation when processing data](error-remediation-when-processing-data-in-advanced-ediscovery.md)</br>ΓÇó [Single item error remediation](single-item-error-remediation.md)| |Comparing load sets | A user looks at the differences between different load sets in a review set. A load set is an instance of adding data to a review set. For example, if you add the results of two different searches to the same review set, each would represent a load set. | |Conversation reconstruction|When a user adds the results of a search to a conversation review set, instant message conversations (also called *threaded conversations*) in services like Microsoft Teams are reconstructed in a PDF file. This job is also triggered when a user clicks **Action > Create conversation PDFs** in a review set. For more information, see [Review conversations in Advanced eDiscovery](conversation-review-sets.md).
-|Converting redacted documents to PDF|After a user annotates a document in a review set and redacts a portion of it, they can choose to convert the redacted document to a PDF file. This ensures that the redacted portion will not be visible if the document is exported for presentation. For more information, see [View documents in a review set](annotating-and-redacting-documents.md). |
+|Converting redacted documents to PDF|After a user annotates a document in a review set and redacts a portion of it, they can choose to convert the redacted document to a PDF file. This ensures that the redacted portion will not be visible if the document is exported for presentation. For more information, see [View documents in a review set](view-documents-in-review-set.md). |
|Estimating search results | After a user creates and runs or reruns a draft collection, the search tool searches the index for items that match the search query and prepares an estimate that includes the number and total size of all items by the search, and the number of data sources searched. For more information, see [Collect data for a case](collecting-data-for-ediscovery.md). | |Preparing data for export | A user exports documents from a review set. When the export process is complete, they can download the exported data to a local computer. For more information, see [Export case data](exporting-data-ediscover20.md). | |Preparing for error resolution |When a user selects a file and creates a new error remediation in the Error view on the **Processing** tab of a case, the first step in the process is to upload the file that has the processing error to an Azure Storage location in the Microsoft cloud. This job tracks the progress of the upload process. For more information about the error remediation workflow, see [Error remediation when processing data](error-remediation-when-processing-data-in-advanced-ediscovery.md). |
compliance Relevance Module Retirement https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/relevance-module-retirement.md
- Title: "Retirement of Relevance module in Advanced eDiscovery"-- NOCSH------- MET150--
-description: "The Relevance module in Advanced eDiscovery will be retired on March 10, 2021. This article explains what to do before Relevance is retired. Specifically, finishing any unfinished models by running Batch calculation so that you can retain the metadata from the model."
--
-# Retirement of the Relevance module in Advanced eDiscovery
-
-On March 10, 2021, we are retiring the Relevance module in Advanced eDiscovery. This retirement means that organizations will no longer have access to the Relevance module (by going to **Manage review set** > **Relevance** in an Advanced eDiscovery case) or be able to access any existing Relevance models. The current Relevance module that is being retired will be replaced with a new predictive coding solution in Q2 CY 2021. This new functionality will let organizations build their own predictive coding models in an easier and more intuitive workflow.
-
-To prepare for this upcoming retirement, we recommend that organizations who use the Relevance module export their modelΓÇÖs output before the retirement date by running a Batch calculation for all existing models. All Relevance scores from your model will be permanently stored in the corresponding review set and accessible when documents are exported. Relevance scores are also retained as metadata in the load file. Also, you will still be able to filter content in the review set based on relevance score and have access to all metadata produced by your Relevance models.
-
-## Complete unfinished models
-
-For any unfinished Relevance models, please complete assessment, training, and Batch calculation so that you can apply the model to the documents in a review set. Completing the Batch calculation will preserve the information after the retirement date of the Relevance module.
-
-Here are the steps to complete any unfinished models:
-
-1. Train your model until it is stabilized and ready for Batch calculation. See [Tagging and Relevance training](tagging-and-relevance-training-in-advanced-ediscovery.md).
-
- The following screenshot shows a module that is ready for a Batch calculation. Notice that the Assessment and Training is complete, and the next step is to run Batch calculation.
-
- ![Screenshot of model ready for Batch calculation.](../media/ReadyForBatchCalculation.png)
-
-2. Run the Batch calculation. See [Performing Batch calculation](track-relevance-analysis-in-advanced-ediscovery.md#performing-batch-calculation).
-
-3. Verify that Batch calculation was successful. See [Batch calculation results](track-relevance-analysis-in-advanced-ediscovery.md#batch-calculation-results).
-
-For help with completing unfinished Relevance models, contact Microsoft Support.
compliance Reviewing Data In Review Set https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/reviewing-data-in-review-set.md
- Title: "Review case data in Advanced eDiscovery"-- NOCSH--- Previously updated : ----- MOE150-- MET150-
-description: "Learn about reviewing case data in a review set in Advanced eDiscovery."
--
-# Review case data in Advanced eDiscovery
-
-Coming soon.
compliance Search Statistics In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-statistics-in-advanced-ediscovery.md
- Title: "Search statistics in Advance eDiscovery"-- NOCSH--- Previously updated : ----- MOE150-- MET150
-description: "Validate your search results by viewing the statistics that are generated after you run a collection search in Advanced eDiscovery."
--
-# Search statistics in Advanced eDiscovery
-
-One way you can validate your search results is to look at the statistics around your results to make sure they align with your expectations. When a search completes, high-level statistics are shown on the search details flyout:
--- Number and volume of items retrieved by the search--- Number and volume of partially indexed or unindexed items that were found in the search locations--- Number of mailboxes and locations searched.
-In order to view more detailed statistics, click on "Statistics" from the search details flyout.
-
-## Summary view
-
-In the Summary view, you can see the search results broken down by location type (e.g. Exchange). For each location type, you can see:
--- Number of locations that had items that matched the search conditions--- Number of items from these locations that matched the search conditions--- Total volume of items that matched the search conditions.-
-## Top locations view
-
-In the Top locations view, you see the individual locations with the most matches. For each location, you will see:
--- Location name (e.g. SharePoint URL)--- Location type--- Number of items that matched the search conditions--- Total volume of items that matched the search conditions.-
-## Queries view
-
-If you have used (c:s) keyword or keyword rows in your query, then you can see the breakdown of your query in Queries view per location type. For each location type, you will see:
--- Part: this column will either have the word "Primary" or "Keyword". "Primary" means that the row presents statistics on the entire query, whereas "Keyword" means one of the query components.--- Query: the actual query component the row refers to. If Part is "Primary", this will be the entire query; if Part was "Keyword", you will see one of the query components here.
-
- - When you search all contentin mailboxes (by not specifying any keywords), the actual query is (size >= 0) so that all items are returned
-
- - When you search SharePoint Online and OneDrive for Business sites, the two following components are added:
-
- - NOT IsExternalContent:1 - excludes any content from an on-premises SharePoint organization
-
- - NOT isOneNotePage: 1 - excludes all OneNote files because these would be duplicates of any document that matches the search query.
--- Number of locations that had items that matched the search conditions.--- Number of items from these locations that matched the search conditions.--- Total volume of items that matched the search conditions.
compliance Search The Audit Log In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance.md
Why a unified audit log? Because you can search the audit log for activities per
| Azure Information Protection|AipDiscover, AipSensitivityLabelAction, AipProtectionAction, AipFileDeleted, AipHeartBeat | | Communication compliance|ComplianceSuperVisionExchange| | Content explorer|LabelContentExplorer|
-| Data loss prevention (DLP)|ComplianceDLPSharePoint, ComplianceDLPExchange|
-| Defender for Endpoint|DLPEndpoint, MSDEResponseActions, MSDEGeneralSettings, MSDEIndicatorsSettings, MSDERolesSettings|
+| Data loss prevention (DLP)|ComplianceDLPSharePoint, ComplianceDLPExchange, DLPEndpoint|
| Dynamics 365|CRM| | eDiscovery|Discovery, AeD| | Exact Data Match|MipExactDataMatch|
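Review bot: The removed Defender for Endpoint row also listed MSDEResponseActions, MSDEGeneralSettings, MSDEIndicatorsSettings and MSDERolesSettings, and only DLPEndpoint is carried over to the DLP row. If those four record types can still appear in audit log search results, keep a row for them; if they were retired, say so in the change description so that readers who filter on those values know they are gone.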
compliance Tagging And Assessment In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/tagging-and-assessment-in-advanced-ediscovery.md
- Title: "Tagging and Assessment in Advanced eDiscovery"-- NOCSH---- Previously updated : ---- MOE150-- MET150-
-description: "Review the steps to perform Assessment training, including tagging files, and reviewing assessment results in Advanced eDiscovery."
--
-# Tagging and Assessment in the Relevance module in Advanced eDiscovery
-
-This section describes the procedure for Assessment in the Relevance module in Advanced eDiscovery.
-
-## Performing Assessment training and analysis
-
-1. In the **Relevance \> Track** tab, click **Assessment** to start case assessment.
-
- For example purposes in this procedure, a sample assessment set of 500 files is created and the **Tag** tab is displayed, which contains the Tagging panel, displayed file content and other tagging options.
-
- ![Relevance Tag tab for Assessment.](../media/c8acf891-b1cd-4344-816c-eabb8cbbe742.png)
-
-2. Review each file in the sample, determine the file's relevance for each case issue, and tag the file using the Relevance (R), Not relevant (NR) and Skip buttons in the **Tagging panel** pane.
-
- > [!NOTE]
- > Assessment requires 500 tagged files. If files are "skipped", you will receive more files to tag.
-
-3. After tagging all files in the sample, click **Calculate**.
-
- The Assessment current error margin and richness are calculated and displayed in the **Relevance Track** tab, with expanded details per issue, as shown below. More details about this dialog are described in the [Reviewing assessment results](#reviewing-assessment-results) section.
-
- ![Relevance Track - Assessment.](../media/da911ba5-8678-40d6-9ad5-fd0b058355c1.png)
-
- > [!TIP]
- > By default, we recommend that you proceed to the default Next step when the Assessment progress indicator for the issue has completed, indicating that the assessment sample was reviewed and sufficient relevant files were tagged. > Otherwise, if you want to view the **Track** tab results and control the margin of error and the next step, click **Modify** adjacent to **Next Step**, select **Continue assessment**, and then click **OK**.
-
-4. Click **Modify** to the right of the **Assessment** check box to view and specify assessment parameters per issue. An **Assessment level** dialog for each issue is displayed, as shown in the following example:
-
- ![Assessment level case issue.](../media/b7113fef-d125-4617-ae1b-c9eb0bf79aec.png)
-
- The following parameters for the issue are calculated and displayed in the **Assessment level** dialog:
-
- **Target error margin for recall estimates**: Based on this value, the estimated number of additional files necessary to review is calculated. The margin used for recall is greater than 75% and with a 95% confidence level.
-
- **Additional assessment files required**: Indicates how many more files are necessary if the current error margin's requirements have not been met.
-
-5. To adjust the current error margin and see the effect of different error margins (per issue):
-
-6. In the **Select issue** list, select an issue.
-
-7. In **Target error margin for recall estimates**, enter a new value.
-
-8. Click **Update values** to see the impact of the adjustments.
-
-9. Click **Advanced** in the **Assessment level** dialog to see the following additional parameters and details:
-
- ![Assessment Level Case Issue advanced view.](../media/577d7e0e-95df-48c2-9dec-bdeab5e801d8.png)
-
- - **Estimated richness**: Estimated richness according to the current assessment results
-
- - **For assumed recall**: By default, the target error margin applies to recall above 75%. Click **Edit** if you want to change this parameter and control the margin of error on a different range of recall values.
-
- - **Confidence level**: By default, the recommended error margin for confidence is 95%. Click **Edit** if you want to change this parameter.
-
- - **Expected richness error margin**: Given the updated values, this is the expected margin of error of the richness, after all additional assessment files are reviewed.
-
- - **Additional assessment files required**: Given the updated values, the number of additional assessment files that need to be reviewed to reach the target.
-
- - **Total assessment files required**: Given the updated values, total assessment files required for review.
-
- - **Expected number of relevant files in assessment**: Given the updated values, the expected number of relevant files in the entire assessment after all additional assessment files are reviewed.
-
-10. Click **Recalculate values**, if parameters are changed. When you're done, if there is one issue, click **OK** to save the changes (or **Next** when there are multiple issues to review or modify and then **Finish**).
-
- When there are multiple issues, after all issues have been reviewed or adjusted, an **Assessment level: summary** dialog is displayed, as shown in the following example.
-
- ![Assessment level summary.](../media/4997b46d-10a5-4abc-b3b2-7b75a370eb9e.png)
-
- On successful completion of assessment, proceed to the next stage in Relevance training.
-
-## Reviewing assessment results
-
-After an Assessment sample is tagged, the assessment results are calculated and displayed in the Relevance Track tab.
-
-The following results are displayed in the expanded Track display:
-
-- Assessment current error margin for recall estimates--- Estimated richness--- Additional assessment files required (for review)-
-The Assessment current error margin is the error margin recommended by Advanced eDiscovery. The number displayed for the "Additional assessment files required" corresponds to that recommendation.
-
-The Assessment progress indicator shows the level of completion of the assessment, given the current error margin. When assessment is underway, the user will tag another assessment sample.
-
-When the assessment progress indicator shows assessment as complete, that means the assessment sample review was completed and sufficient relevant files were tagged.
-
-The expanded Track display shows the recommended next step, the assessment statistics, and access to detailed results.
-
-When richness is very low, the number of additional assessment files needed to reach a minimal number of relevant files to produce useful statistics is very high. Advanced eDiscovery will then recommend moving on to training. The assessment progress indicator will be shaded, and no statistics will be available.
-
-In the absence of statistically based stabilization, there will be results with a lower level of accuracy and confidence level. However, these results can be used to find relevant files when you do not need to know the percentage of relevant files found. Similarly, this status can be used to train issues with low richness, where Relevance scores can accelerate access to files relevant to a specific issue.
-
-> [!TIP]
-> In the **Relevance \> Track** tab, expanded issue display, the following viewing options are available:
->
-> The recommended next step, such as **Next step: Tagging** can be bypassed (per issue) by clicking the **Modify** button to its right, and then selecting an different step in the **Next step**. When the assessment progress indicator has not completed, assessment will be the next recommended option, to tag more assessment files and increase statistics accuracy.
->
-> You can change the error margin and assess its impact, by clicking **Modify**, and in the **Assessment level dialog**, changing the **Target error margin for recall estimates**, and clicking **Update values**. Also, in this dialog, you can view advanced options, by clicking **Advanced**.
->
-> You can view additional assessment level statistics and their impact by clicking **View**. In the displayed Detail results dialog, statistics are available per issue, when there are at least 500 tagged assessment files and at least 18 files are tagged as Relevant for the issue.
managed-desktop Apps MCS https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/apps-MCS.md
audience: Admin
# Working with Microsoft Consulting Services
-You can engage with Microsoft Consulting Services (MCS) to get your apps packaged for use with Microsoft Managed Desktop. For exact details, work with your account representative to contact MCS and scope your specific app packaging project.
+You can engage with Microsoft Consulting Services (MCS) to get your apps packaged for use with Microsoft Managed Desktop. For more information, work with your account representative to contact MCS to review your specific app packaging project.
## Roles and responsibilities
-To work with MCS app packaging, **you must provide these elements**:
--- The source installer files (for example, setup.exe or .msi).-- The installation instructions, specifying details about how the final installation should look. For example, should there be a desktop shortcut to the app? What should the app's visibility be? Should the app connect to a server and if so, which one? For details, see the [application packaging request template](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-ready/downloads/app-packaging-template.docx).-- You must perform your own acceptance testing to verify that the app works as you need it to in your environment.-
-**MCS will take care of these actions:**
--- Checking whether the app is prohibited or restricted in the Microsoft Managed Desktop environment.-- Testing of installation, starting, and uninstallation of the app to ensure compatibility with Windows 10. If MCS discovers a compatibility issue, they will hand off the app to the [App Assure](/fasttrack/products-and-capabilities#app-assure) program for remediation.-- Packaging the app to your specification and then testing app deployment by using Microsoft Intune.
+| Role | Responsibility |
+| | |
+| You | To work with MCS app packaging, **you must provide the following elements**: <ul><li> The source installer files (for example, setup.exe or .msi).</li><li>The installation instructions that specify details about how the final installation should look. For example, should there be a desktop shortcut to the app? What should the app's visibility be? Should the app connect to a server and if so, which one? For more information, see the [application packaging request template](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-ready/downloads/app-packaging-template.docx).</li><li>You must perform your own acceptance testing to verify that the app works as expected in your environment.</li><ul> |
+| Microsoft Consulting Services (MCS) | **MCS will take care of the following actions:** <ul><li>Check whether the app is prohibited or restricted in the Microsoft Managed Desktop environment.</li><li>Test installation, start, and uninstallation of the app to ensure compatibility with Windows 10. If MCS discovers a compatibility issue, they'll hand off the app to the [App Assure](/fasttrack/products-and-capabilities#app-assure) program for remediation.</li><li>Package the app to your specifications, and test app deployment by using Microsoft Intune.</li><ul>
## App delivery schedule
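Review bot: In both added table rows the list is closed with `<ul>` instead of `</ul>` (for example `...in your environment.</li><ul> |`), which leaves the lists unclosed, and the Microsoft Consulting Services row has no trailing `|`. Close each list with `</ul>`, end the second row with a pipe, and check that the delimiter row under the header renders as a table.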
-Start the packaging process by uploading the app information to the Microsoft Managed Desktop portal. The packaging team reviews new submissions every Thursday. After review and packaging, the packaged apps are delivered the following Friday. Up to five apps per week can be packaged to start but the service can scale to meet your needs.
+Start the packaging process by uploading the app information to the Microsoft Managed Desktop portal. The packaging team reviews new submissions every Thursday. After review and packaging, the packaged apps are delivered the following Friday. Up to five apps per week can be packaged to start, but the service can scale to meet your needs.
![calendar showing app inflow on a Thursday (the 21st in this example), media validation the next day, packaging on the following Monday (the 25th), and app delivery on the subsequent Friday (the 29th).](../../media/MCS-cal.png)
-You'll be notified once the app has been delivered. At that point, you have 21 days to perform acceptance testing and approve the work in the Microsoft Managed Desktop portal. If discover some problem with the app during your acceptance testing, reject the app in the Microsoft Managed Desktop portal and you will be connected via email with an MCS packager to understand and resolve the issue.
+You'll be notified once the app has been delivered. At that point, you have 21 days to perform acceptance testing, and approve the work in the Microsoft Managed Desktop portal. If you discover a problem with the app during your acceptance testing, reject the app in the Microsoft Managed Desktop portal. You'll be connected via email with a Microsoft Consulting Services (MCS) packager to understand and resolve the issue.
## Testing accounts and environment
-For the packaging team to complete the migration to Microsoft Intune, we recommend that you provide certain permissions:
+In order for the packaging team to complete the migration to Microsoft Intune, we recommend that you provide certain permissions:
-- Access to Microsoft IntuneΓÇÖs App Deployment capabilities for the packager to add and assign the app-- Test groups, user accounts, and licenses for the packagers to be able to test the apps
+- Access to Microsoft Intune's App Deployment capabilities for the packager to add and assign the app.
+- Test groups, user accounts, and licenses for the packagers to be able to test the apps.
MCS will use those permissions to perform the following actions: -- Ensuring that the app works on virtual machine configured for Microsoft Managed Desktop-- Uploading the app to Microsoft Intune for deployment to your users
+- Ensure that the app works on virtual machine configured for Microsoft Managed Desktop.
+- Upload the app to Microsoft Intune for deployment to your users.
-Without these permissions, it is possible for MCS to move forward, but they will not be able to upload the applications to your environment.
+Without these permissions, it's possible for MCS to move forward, but they won't be able to upload the applications to your environment.
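Review bot: The added bullets ask customers to grant packagers access to Intune's App Deployment capabilities plus test groups, user accounts, and licenses, but nothing in this section says how narrowly to scope that access or when to remove it. Add a sentence recommending that the access be limited to what is needed to add and assign the app and be withdrawn once the app is approved. Separately, "works on virtual machine configured" is missing an article ("on a virtual machine").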
managed-desktop Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/apps.md
audience: Admin
<!--This topic is the target for 2 "Learn more" links in the Admin Portal (aka.ms/app-overview;app-package); also target for link from Online resources (aka.ms/app-overviewmmd-app-prep) do not delete.--> <!--Applications: supported/onboard/deployment -->
-
+ ## Apps generally Microsoft includes certain key apps along with the Microsoft 365 E3 or E5 license needed to participate in Microsoft Managed Desktop. However, even though we provide these apps, you still have certain responsibilities and actions to complete.
-You can also deploy additional non-Microsoft apps to your users for self-service through the Company Portal or a required background installation, all using Microsoft IntuneΓÇÖs deployment pipeline.
+You can also deploy additional non-Microsoft apps to your users via self-service through the Company Portal, or a required background installation using Microsoft Intune's deployment pipeline.
## Apps provided by Microsoft
-Included with your Microsoft Managed Desktop license are 64-bit versions of the apps in the Microsoft 365 Apps for enterprise Standard Suite (Word, Excel, PowerPoint, Outlook, Publisher, Access, Teams, and OneNote.) Click-to-Run versions of Microsoft Project and Visio are *not* included by default, but you can request them to be added. For more information about these apps, see [Install Microsoft Project or Microsoft Visio on Microsoft Managed Desktop devices](../get-started/project-visio.md).
+Included with your Microsoft Managed Desktop license are 64-bit versions of the apps in the Microsoft 365 Apps for Enterprise Standard Suite (Word, Excel, PowerPoint, Outlook, Publisher, Access, Teams, and OneNote.)
+
+Click-to-Run versions of Microsoft Project and Visio *aren't* included by default, but you can request them to be added. For more information about these apps, see [Install Microsoft Project or Microsoft Visio on Microsoft Managed Desktop devices](../get-started/project-visio.md).
### What Microsoft does to support the apps we provide
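Review bot: The added line capitalizes the product as "Microsoft 365 Apps for Enterprise Standard Suite", while the lines further down in the same article keep "Microsoft 365 Apps for enterprise". Use one casing throughout. The closing period also still sits inside the parenthesis ("and OneNote.)") and should move outside it.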
-Microsoft will provide full service for the deployment, update, and support for the included Microsoft 365 Apps for enterprise apps. Click-to-Run versions of Microsoft Project and Visio are *not* included by default, but Microsoft Managed Desktop will provide deployment groups allowing your IT administrator to manage licenses and deploy these applications appropriately for your organization. Microsoft will support users of these applications through the Microsoft Managed Desktop support channels.
+Microsoft will provide full service for the deployment, update, and support for the included Microsoft 365 Apps for enterprise apps. Click-to-Run versions of Microsoft Project and Visio *aren't* included by default. However, Microsoft Managed Desktop will provide deployment groups to allow your IT administrator to manage licenses, and deploy these applications appropriately for your organization. Microsoft will support users of these applications through the Microsoft Managed Desktop support channels.
### What you need to do to support the apps we provide There are still certain things you need to do with these apps: -- **Assign licenses** - You are responsible for obtaining and assigning the appropriate licenses to users for Microsoft 365 Apps for enterprise.-- **Add users to security groups** - If you're using Microsoft Project or Visio, your IT administrator must add those users to the appropriate deployment groups. IT administrators are also responsible for reclaiming licenses from those users if they leave the company.-- **Deploy Microsoft 365 Add-ons** - If you need any Add-ons for any of the Microsoft 365 Apps for enterprise apps, deploy them centrally like any other Windows 32 app.
+| Task | Description |
+| | |
+| Assign Licenses | You're responsible for obtaining and assigning the appropriate licenses to users for Microsoft 365 Apps for enterprise. |
+| Add users to security groups | If you're using Microsoft Project or Visio, your IT administrator must add those users to the appropriate deployment groups. IT administrators are also responsible for reclaiming licenses from those users if they leave the company. |
+| Deploy Microsoft 365 Add-ons | If you need any Add-ons for any of the Microsoft 365 Apps for enterprise apps, deploy them centrally like any other Windows 32 app.
## Apps you provide
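Review bot: The last added table row (Deploy Microsoft 365 Add-ons) has no closing `|`, unlike the two rows above it. Add the pipe, and use sentence case for "Assign Licenses" so it matches the other Task cells.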
-You probably have other apps you need for your business operations. These apps can only be deployed to Microsoft Managed Desktop devices by using Microsoft IntuneΓÇÖs deployment pipeline. For more information about application deployment follow the steps in [Deploy apps to Microsoft Managed Desktop devices](../get-started/deploy-apps.md).
+You probably have other apps you need for your business operations. These apps can only be deployed to Microsoft Managed Desktop devices by using Microsoft Intune's deployment pipeline. For more information about application deployment, follow the steps in [Deploy apps to Microsoft Managed Desktop devices](../get-started/deploy-apps.md).
### Preparing your own apps for inclusion in Microsoft Managed Desktop+ Review your apps, checking: - None of the apps are prohibited or have restricted behavior, as described in [Microsoft Managed Desktop app requirements](../service-description/mmd-app-requirements.md).-- Apps must be ready for management by Microsoft Intune. For more about this topic, see [Windows 10 app deployment using Microsoft Intune](/intune/apps-windows-10-app-deploy) and [Add apps to Microsoft Intune](/intune/apps-add).
+- Apps must be ready for management by Microsoft Intune. For more information, see [Windows 10 app deployment using Microsoft Intune](/intune/apps-windows-10-app-deploy) and [Add apps to Microsoft Intune](/intune/apps-add).
- Other pre-packaging requirements such as providing license keys, agreement with license terms, and pre-setting server connections. ## Steps to get ready for Microsoft Managed Desktop 1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-2. Run [readiness assessment tools](readiness-assessment-tool.md).
+1. Run [readiness assessment tools](readiness-assessment-tool.md).
1. Buy [Company Portal](../get-started/company-portal.md). 1. Review [prerequisites for guest accounts](guest-accounts.md). 1. Check [network configuration](network.md).
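Review bot: The last row of the new task table ("Deploy Microsoft 365 Add-ons") has no closing `|`, and the separator row under the header is `| | |` with no hyphens, so the block may not render as a table; close the row and use a hyphenated separator such as `| --- | --- |`. That row also carries over "Windows 32 app" from the removed bullet, while the authentication article in this same update says "Win32 apps"; use one term. "Assign Licenses" in the first column was "Assign licenses" in the removed bullet, and sentence case would match the other two rows.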
managed-desktop Authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/authentication.md
audience: Admin
-# Prepare on-premises resources access for Microsoft Managed Desktop
+# Prepare on-premises resources access for Microsoft Managed Desktop
-In Microsoft Managed Desktop, devices are automatically joined to Azure Active Directory (Azure AD). For this reason, if you are using an on-premises Active Directory, you'll have to check some things to ensure that devices joined to Azure AD can communicate with your on-premises Active Directory.
+In Microsoft Managed Desktop, devices are automatically joined to Azure Active Directory (Azure AD). For this reason, if you're using an on-premises Active Directory, you must ensure that devices joined to Azure AD can communicate with your on-premises Active Directory.
> [!NOTE] > *Hybrid* Azure AD join is not supported by Microsoft Managed Desktop.
-Azure Active Directory lets your users take advantage of Single Sign-On (SSO), which means they typically won't have to provide credentials every time they use resources.
+Azure Active Directory lets your users take advantage of Single Sign-On (SSO). Single Sign-on means they typically won't have to provide credentials every time they use resources.
For information about joining Azure Active Directory, refer to [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan). For background information about Single Sign-On (SSO) on devices joined to Azure AD, see [How SSO to on-premises resources works on Azure AD joined devices](/azure/active-directory/devices/azuread-join-sso#how-it-works). -
-This article explains the things you need to check in order to ensure that apps and other resources that depend on local Active Directory connectivity will work smoothly with Microsoft Managed Desktop.
-
+This article explains the things you must check in order to ensure that apps, and other resources that depend on local Active Directory connectivity, will work smoothly with Microsoft Managed Desktop.
## Single Sign-On for on-premises resources
-Single Sign-On (SSO) by using UPN and password is enabled by default on Microsoft Managed Desktop Devices. But your users can also use Windows Hello for Business, which requires some extra setup steps.
+Single Sign-On (SSO) by using UPN and password is enabled by default on Microsoft Managed Desktop Devices. But your users can also use Windows Hello for Business, which requires some extra setup steps.
### Single Sign-On by using UPN and password
-In most organizations, your users will be able to use SSO to authenticate by UPN and password on Microsoft Managed Desktop Devices. However, to make sure this function will work, you should double-check the following things:
--- Confirm that Azure AD Connect is set up and uses an on-premises Active Directory server running Windows Server 2008 R2 or later.-- Confirm that Azure AD Connect is running a supported version and is set to sync these three attributes with Azure AD:
- - DNS domain name of the on-premises Active Directory (where the users are located)
- - NetBIOS of your on-premises Active Directory (where the users are located)
- - SAM account name of the user
+In most organizations, your users will be able to use SSO to authenticate by UPN and password on Microsoft Managed Desktop Devices. To make sure this function will work, you should double-check the following things:
+- Confirm that Azure AD Connect is set up. It must use an on-premises Active Directory server running Windows Server 2008 R2 or later.
+- Confirm that Azure AD Connect is running a supported version. It must be set to sync these three attributes with Azure AD:
+ - DNS domain name of the on-premises Active Directory (where the users are located).
+ - NetBIOS of your on-premises Active Directory (where the users are located).
+ - SAM account name of the user.
### Single Sign-On by using Windows Hello for Business
-Microsoft Managed Desktop devices also offer your users a fast, passwordless experience by employing Windows Hello for Business. To ensure Windows Hello for Business will work without your users having to provide respective UPN and password, visit [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base) to check the requirements, and then follow the steps provided there.
-
+Microsoft Managed Desktop devices also offer your users a fast, password-less experience by employing Windows Hello for Business. To ensure Windows Hello for Business will work without your users having to provide respective UPN and password, visit [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base) to check the requirements, and then follow the steps provided there.
## Apps and resources that use authentication Refer to [Understand considerations for applications and resources](/azure/active-directory/devices/azureadjoin-plan#understand-considerations-for-applications-and-resources) in the Azure content set for full guidance on setting up apps to work with Azure Active Directory. In summary: --- If you use **cloud-based apps**, such as those added to the Azure AD app gallery, most don't require any further preparation to work with Microsoft Managed Desktop. However, any Win32 apps that don't use Web Account Manager (WAM) might still prompt users for authentication.--- For apps that are **hosted on-premises**, be sure to add those apps to the trusted sites list in your browsers. This step will enable Windows authentication to work seamlessly, without users being prompted for credentials. To add apps, refer to [Trusted sites](../working-with-managed-desktop/config-setting-ref.md#trusted-sites) in the [Configurable settings reference](../working-with-managed-desktop/config-setting-ref.md).--- If you are using Active Directory Federated Services, check that SSO is enabled by using the steps in [Verify and manage single sign-on with AD FS](/previous-versions/azure/azure-services/jj151809(v=azure.100)). --- For apps that are **on-premises and use older protocols**, no extra setup is required, as long as the devices have access to an on-premises domain controller to authenticate. To provide secure access for these applications, however, you should deploy Azure AD Application Proxy. For more information, see [Remote access to on-premises applications through Azure Active Directory's Application Proxy](/azure/active-directory/manage-apps/application-proxy).--- Apps that run **on-premises and rely on machine authentication** aren't supported, so you should consider replacing them with newer versions.
+| App or service | Task |
+| | |
+| Cloud-based apps | If you use **cloud-based apps**, such as those added to the Azure AD app gallery, most don't require any further preparation to work with Microsoft Managed Desktop. However, any Win32 apps that don't use Web Account Manager (WAM) might still prompt users for authentication. |
+| Apps hosted on-premises | For apps that are **hosted on-premises**, be sure to add those apps to the trusted sites list in your browsers. This step will enable Windows authentication to work seamlessly, without users being prompted for credentials. To add apps, refer to [Trusted sites](../working-with-managed-desktop/config-setting-ref.md#trusted-sites) in the [Configurable settings reference](../working-with-managed-desktop/config-setting-ref.md). |
+| Active Directory Federated Services | If you're using Active Directory Federated Services, check that SSO is enabled by using the steps in [Verify and manage single sign-on with AD FS](/previous-versions/azure/azure-services/jj151809(v=azure.100)). |
+| On-premises apps using older protocols | For apps that are **on-premises and use older protocols**, no extra setup is required, as long as the devices have access to an on-premises domain controller to authenticate. To provide secure access for these applications, however, you should deploy Azure AD Application Proxy. For more information, see [Remote access to on-premises applications through Azure Active Directory's Application Proxy](/azure/active-directory/manage-apps/application-proxy). |
+| On-premises apps with on machine authentication | Apps that run **on-premises and rely on machine authentication** aren't supported, so you should consider replacing them with newer versions. |
### Network shares that use authentication
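Review bot: The new row label "Active Directory Federated Services" in the apps table repeats a wrong product name; AD FS is Active Directory Federation Services, as the "AD FS" in the linked article title in the same row suggests, so correct both the label and the cell text. In the same table, the label "On-premises apps with on machine authentication" reads as a typo; "On-premises apps that rely on machine authentication" would match the cell. The separator row `| | |` has no hyphens and may not render. Outside the table, the added sentence "Single Sign-on means they typically won't have to..." uses a different casing from "Single Sign-On" in the rest of the article, and "password-less" replaces "passwordless" with no stated reason.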
No extra setup is required for users to access network shares, as long as the de
### Printers
-Microsoft Managed Desktop devices cannot connect to printers that are published to your on-premises Active Directory unless you have configured [Hybrid Cloud Print](/windows-server/administration/hybrid-cloud-print/hybrid-cloud-print-deploy).
+Microsoft Managed Desktop devices can't connect to printers that are published to your on-premises Active Directory unless you have configured [Hybrid Cloud Print](/windows-server/administration/hybrid-cloud-print/hybrid-cloud-print-deploy).
-While printers can't be automatically discovered in a cloud only environment, your users can use on-premises printers by using the printer path or printer queue path, as long as the devices have access to an on-premises domain controller.
+While printers can't be automatically discovered in a cloud only environment, your users can use on-premises printers by using the printer path, or printer queue path, as long as the devices have access to an on-premises domain controller.
<!--add fuller material on printers when available--> ## Steps to get ready for Microsoft Managed Desktop 1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-2. Run [readiness assessment tools](readiness-assessment-tool.md).
+1. Run [readiness assessment tools](readiness-assessment-tool.md).
1. Buy [Company Portal](../get-started/company-portal.md). 1. Review [prerequisites for guest accounts](guest-accounts.md). 1. Check [network configuration](network.md).
While printers can't be automatically discovered in a cloud only environment, yo
1. [Prepare apps](apps.md). 1. [Prepare mapped drives](mapped-drives.md). 1. [Prepare printing resources](printing.md).
-1. Address [device names](address-device-names.md).
+1. Address [device names](address-device-names.md).
managed-desktop Certs Wifi Lan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/certs-wifi-lan.md
audience: Admin
# Prepare certificates and network profiles for Microsoft Managed Desktop
-
-Certificate-based authentication is a common requirement for customers using Microsoft Managed Desktop. You might require certificates to access Wi-Fi or LAN, to connect to VPN solutions, or for accessing internal resources in your organization.
-
-Because Microsoft Managed Desktop devices are joined to Azure Active Directory (Azure AD) and are managed by Microsoft Intune, you must deploy such certificates by using a Simple Certificate Enrollment Protocol (SCEP) or Public Key Cryptography Standard (PKCS) certificate infrastructure that is integrated with Intune.
-
-## Certificate requirements
-
-Root certificates are required to deploy certificates through a SCEP or PKCS infrastructure. Other applications and services in your organization might require root certificates to be deployed to your Microsoft Managed Desktop devices.
-
+
+Certificate-based authentication is a common requirement for customers using Microsoft Managed Desktop. You might require certificates to:
+
+- Access Wi-Fi or LAN
+- Connect to VPN solutions
+- Access internal resources in your organization
+
+Because Microsoft Managed Desktop devices are joined to Azure Active Directory (Azure AD) and are managed by Microsoft Intune, you must deploy such certificates by using the:
+
+- Simple Certificate Enrollment Protocol (SCEP), or
+- Public Key Cryptography Standard (PKCS) certificate infrastructure that is integrated with Intune.
+
+## Certificate requirements
+
+Root certificates are required to deploy certificates through a SCEP or PKCS infrastructure. Other applications and services in your organization might require root certificates to be deployed to your Microsoft Managed Desktop devices.
+ Before you deploy SCEP or PKCS certificates to Microsoft Managed Desktop, you should gather requirements for each service that requires a user or device certificate in your organization. To make this activity easier, you can use one of the following planning templates:
-
-- [PKCS certificate template](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-ready/downloads/PKCS-certificate-template.xlsx) +
+- [PKCS certificate template](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-ready/downloads/PKCS-certificate-template.xlsx)
- [SCEP certificate template](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-ready/downloads/SCEP-certificate-template.xlsx)
-ΓÇ»
## Wi-Fi connectivity requirements
-To allow a device to be automatically provided with the required Wi-Fi configuration for your enterprise network, you might need a Wi-Fi configuration profile. You can configure Microsoft Managed Desktop to deploy these profiles to your devices. If your network security requires devices to be part of the local domain, you might also need to evaluate your Wi-Fi network infrastructure to make sure it's compatible with Microsoft Managed Desktop devices (Microsoft Managed Desktop devices are Azure AD-joined only).
-
-Before you deploy a Wi-Fi configuration to Microsoft Managed Desktop devices, you will be required to gather your organizationΓÇÖs requirements for each Wi-Fi network. To make this activity easier, you can use this [WiFi profile template](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-ready/downloads/WiFi-profile-template.xlsx).
-
-
-## Wired connectivity requirements and 802.1x authentication
-
-If you use 802.1x authentication to secure access from devices to your local area network (LAN), you will need to push the required configuration details to your Microsoft Managed Desktop devices. Microsoft Managed Desktop devices running Windows 10, version 1809 or later support deploying an 802.1x configuration through the WiredNetwork configuration service provider (CSP). For more information, see [WiredNetwork CSP](/windows/client-management/mdm/wirednetwork-csp) documentation.
-
-Before you deploy a wired network configuration profile to Microsoft Managed Desktop devices, gather your organizationΓÇÖs requirements for your wired corporate network. To do so, follow these steps:
-
-
+To allow a device to be automatically provided with the required Wi-Fi configuration for your enterprise network, you might need a Wi-Fi configuration profile.
+
+You can configure Microsoft Managed Desktop to deploy these profiles to your devices. If your network security requires devices to be part of the local domain, you might need to evaluate your Wi-Fi network infrastructure to ensure it's compatible with Microsoft Managed Desktop devices. Microsoft Managed Desktop devices are Azure AD-joined only.
+
+Before you deploy a Wi-Fi configuration to Microsoft Managed Desktop devices, you'll be required to gather your organization's requirements for each Wi-Fi network. To make this activity easier, you can use this [WiFi profile template](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-ready/downloads/WiFi-profile-template.xlsx).
+
+## Wired connectivity requirements and 802.1x authentication
+
+If you use 802.1x authentication to secure access from devices to your local area network (LAN), you'll need to push the required configuration details to your Microsoft Managed Desktop devices.
+
+Microsoft Managed Desktop devices running Windows 10, version 1809 or later support deploying an 802.1x configuration through the WiredNetwork configuration service provider (CSP). For more information, see [WiredNetwork CSP](/windows/client-management/mdm/wirednetwork-csp) documentation.
+
+Before you deploy a wired network configuration profile to Microsoft Managed Desktop devices, gather your organization's requirements for your wired corporate network.
+
+**To gather wired corporate network requirements:**
+ 1. Sign on to a device that has your existing 802.1x profile configured and is connected to the LAN network.
-2. Open a command prompt with administrative credentials.
-3. Find the LAN interface name by running **netsh interface show interface**.
-4. Export the LAN profile XML by running **netsh lan export profile folder=. Interface=ΓÇ¥interface_nameΓÇ¥**.
-5. If you need to test your exported profile on Microsoft Managed Desktop device, run **netsh lan add profile filename="PATH_AND_FILENAME.xml" interface="INTERFACE_NAME"**.
-
-
+2. Open a command prompt with administrative credentials.
+3. Find the LAN interface name by running `netsh interface show interface`.
+4. Export the LAN profile XML by running `netsh lan export profile folder=. Interface=ΓÇ¥interface_nameΓÇ¥`.
+5. If you need to test your exported profile on Microsoft Managed Desktop device, run `netsh lan add profile filename="PATH_AND_FILENAME.xml" interface="INTERFACE_NAME"`.
+ ## Deploy certificate infrastructure
-
-If you already have an existing SCEP or PKCS infrastructure with Intune and this approach meets your requirements, you can also use it for Microsoft Managed Desktop. If no SCEP or PKCS infrastructure already exists, you'll have to prepare one.
-
-For more information, see [Configure a certificate profile for your devices in Microsoft Intune](/intune/certificates-configure).
-
-
-
-## Deploy a LAN profile
-
-Once your LAN profile has been exported, you can prepare the policy for Microsoft Managed Desktop by following these steps:
-
-1. Create a custom profile in Microsoft Intune for the LAN profile using the following settings (see [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10)). In **Custom OMA-URI Settings**, select **Add**, and then enter the following values:
- - Name: *Modern Workplace-Windows 10 LAN Profile*
- - Description: Enter a description that gives an overview of the setting, and any other important details.
- - OMA-URI (case sensitive): Enter *./Device/Vendor/MSFT/WiredNetwork/LanXML*
- - Data type: select **String (XML file)**.
+
+If you already have an existing SCEP or PKCS infrastructure with Intune and this approach meets your requirements, you can also use it for Microsoft Managed Desktop.
+
+If no SCEP or PKCS infrastructure already exists, you'll have to prepare one. For more information, see [Configure a certificate profile for your devices in Microsoft Intune](/intune/certificates-configure).
+
+## Deploy a LAN profile
+
+Once your LAN profile has been exported, you can prepare the policy for Microsoft Managed Desktop.
+
+**To prepare the policy for Microsoft Managed Desktop:**
+
+1. Create a custom profile in Microsoft Intune for the LAN profile using the following settings (see [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10)). In **Custom OMA-URI Settings**, select **Add**, and then enter the following values:
+ - Name: Modern Workplace-Windows 10 LAN Profile
+ - Description: Enter a description that gives an overview of the setting, and any other important details.
+ - OMA-URI (case sensitive): Enter `./Device/Vendor/MSFT/WiredNetwork/LanXML`
+ - Data type: Select **String (XML file)**.
- Custom XML: Upload the exported XML file.
-2. Assign the custom profile to the *Modern Workplace Devices ΓÇô Test* group.
-3. Do any testing you feel necessary using a device that it's in the Test deployment group. If successful, then assign the custom profile to the *Modern Workplace Devices ΓÇô First*, *Modern Workplace Devices ΓÇô Fast*, and *Modern Workplace Devices ΓÇô Broad* groups.
-
-## Deploy certificates and Wi-Fi/VPN profile
-
-
-To deploy certificates and profiles, follow these steps:
+2. Assign the custom profile to the **Modern Workplace Devices - Test** group.
+3. Do any testing you feel necessary using a device that's in the Test deployment group. If successful, then assign the custom profile to the following groups:
+ - Modern Workplace Devices - First
+ - Modern Workplace Devices - Fast
+ - Modern Workplace Devices - Broad
+
+## Deploy certificates and Wi-Fi/VPN profile
+
+**To deploy certificates and profiles:**
1. Create a profile for each of the Root and Intermediate certificates (see [Create trusted certificate profiles](/intune/protect/certificates-configure#step-3-create-trusted-certificate-profiles). Each of these profiles must have a description that includes an expiration date in DD/MM/YYYY format. **Certificate profiles must have an expiration date.**
-2. Create a profile for each SCEP or PKCS certificates (see [Create a SCEP certificate profile](/intune/protect/certificates-scep-configure#create-a-scep-certificate-profile) or [Create a PKCS certificate profile](/intune/protect/certficates-pfx-configure#create-a-pkcs-certificate-profile)) Each of these profiles must have a description that includes an expiration date in DD/MM/YYYY format. **Certificate profiles must have an expiration date.**
+2. Create a profile for each SCEP or PKCS certificates (see [Create a SCEP certificate profile](/intune/protect/certificates-scep-configure#create-a-scep-certificate-profile) or [Create a PKCS certificate profile](/intune/protect/certficates-pfx-configure#create-a-pkcs-certificate-profile)). Each of these profiles must have a description that includes an expiration date in DD/MM/YYYY format. **Certificate profiles must have an expiration date.**
3. Create a profile for each corporate WiFi network (see [Wi-Fi settings for Windows 10 and later devices](/intune/wi-fi-settings-windows)). 4. Create a profile for each corporate VPN (see [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](/intune/vpn-settings-windows-10)).
-5. Assign the profiles to the *Modern Workplace Devices ΓÇô Test* group.
-6. Do any testing you feel necessary using a device that it's in the Test deployment group. If successful, then assign the custom profile to the *Modern Workplace Devices ΓÇô First*, *Modern Workplace Devices ΓÇô Fast*, and *Modern Workplace Devices ΓÇô Broad* groups.
+5. Assign the profiles to the **Modern Workplace Devices - Test** group.
+6. Do any testing you feel necessary using a device that's in the Test deployment group. If successful, then assign the custom profile to the following groups:
+ - Modern Workplace Devices - First
+ - Modern Workplace Devices - Fast
+ - Modern Workplace Devices - Broad
-
## Steps to get ready for Microsoft Managed Desktop 1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-2. Run [readiness assessment tools](readiness-assessment-tool.md).
+1. Run [readiness assessment tools](readiness-assessment-tool.md).
1. Buy [Company Portal](../get-started/company-portal.md). 1. Review [prerequisites for guest accounts](guest-accounts.md). 1. Check [network configuration](network.md).
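Review bot: Step 4 of "To gather wired corporate network requirements" now puts the export command in a code span but keeps the typographic quotes around interface_name (they show here as `ΓÇ¥`), so anyone copying the command copies them too; use straight quotes as step 5 does, and consider lowercase `interface=` to match step 5. In the introduction, splitting "SCEP or PKCS certificate infrastructure that is integrated with Intune" into two bullets attaches "certificate infrastructure that is integrated with Intune" to PKCS only; keep the shared qualifier in the lead sentence. In "To deploy certificates and profiles", step 2 gained its missing period but its link path still reads `certficates-pfx-configure`, which looks misspelled and should be checked, and step 1 still lacks the closing parenthesis after the trusted certificate profiles link. Step 6 says "assign the custom profile" although this procedure creates several certificate, Wi-Fi and VPN profiles; the wording looks copied from the LAN section.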
managed-desktop Guest Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/guest-accounts.md
audience: Admin
Microsoft Managed Desktop recommends the following configuration in your Azure AD organization for guest account access. You can adjust these settings at the [Azure portal](https://portal.azure.com) under **External Identities / External collaboration settings**: -- For **Guest user access**, set to **Guest users have limited access to properties and memberships of directory objects**-- For **Guest invite settings**, set to **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions**
+| Setting | Set to |
+| | |
+| Guest access | Guests have limited access to properties and memberships of directory objects. |
+| Guest invite settings | Member users and users assigned to specific admin roles can invite guests including guests with member permissions |
Microsoft Managed Desktop requires the following configuration in your Azure AD organization for guest account access. You can adjust this setting at the [Azure portal](https://portal.azure.com) under **External Identities / External collaboration settings**: -- **Collaboration restrictions**, choose any of these options:
- - If you select **Allow invitations to be sent to any domain (most inclusive)**, no other configuration required.
- - If you select **Deny invitations to the specified domains**, make sure that Microsoft.com isnΓÇÖt listed in the target domains.
- - If you select **Allow invitations only to the specified domains (most restrictive)**, make sure that Microsoft.com *is* listed in the target domains.
+| Setting | Option |
+| | |
+| Collaboration restrictions | Select any of these options: <ul><li>If you select **Allow invitations to be sent to any domain (most inclusive)**, no other configuration required.</li><li>If you select **Deny invitations to the specified domains**, make sure that Microsoft.com isn't listed in the target domains.</li><li>If you select **Allow invitations only to the specified domains (most restrictive)**, make sure that Microsoft.com *is* listed in the target domains.</li><ul>
-If you set restrictions that interact with these settings, make sure to exclude the Azure Active Directory **Modern Workplace Service Accounts**. For example, if you have a conditional access policy that prevents guest accounts from accessing the Intune portal, exclude the **Modern Workplace Service Accounts** group from this policy.
+If you set restrictions that interact with these settings, ensure to exclude the Azure Active Directory **Modern Workplace Service Accounts**. For example, if you have a conditional access policy that prevents guest accounts from accessing the Intune portal, exclude the **Modern Workplace Service Accounts** group from this policy.
For more information, see [Enable B2B external collaboration and manage who can invite guests](/azure/active-directory/external-identities/delegate-invitations#to-configure-external-collaboration-settings). ## Unlicensed Intune admin
-The **Allow access to unlicensed admins** setting must be enabled. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications, since the scope of access is defined by the roles assigned to users, including our operations staff.
+The **Allow access to unlicensed admins** setting must be enabled. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.
-To enable this setting, follow these steps:
+**To enable this setting:**
1. Go to the Microsoft Endpoint Manager [admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Navigate to **Tenant administration** > **Roles** > **Administrator licensing**.
-3. In **Allow access to unlicensed admins**, select **Yes**.
+2. Navigate to **Tenant administration**, select **Roles**. Then, select **Administrator licensing**.
+3. In the **Allow access to unlicensed admins** section, select **Yes**.
> [!IMPORTANT] > You cannot undo this setting after you select **Yes**.
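Review bot: In the new Collaboration restrictions row the list is closed with another opening `ul` tag rather than a closing one, and the row has no closing `|`, so the HTML list is left open inside the table cell; fix both, and give the `| | |` separator rows hyphens. The Guest access row renames the setting from "Guest user access" and its value from "Guest users have limited access..." to "Guests have limited access..."; admins match these strings against the portal, so confirm the new wording is what External collaboration settings shows. "ensure to exclude" is not grammatical; the removed "make sure to exclude" was. In the Unlicensed Intune admin paragraph, dropping "since" leaves "You can safely enable this setting without worrying about security implications" as a bare assertion beside a note saying the setting cannot be undone; keep the reason attached to the claim, for example "...because the scope of access is defined by the roles assigned to users".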
For more information, see [Unlicensed admins in Microsoft Intune](/mem/intune/fu
## Steps to get ready for Microsoft Managed Desktop 1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-2. Run [readiness assessment tools](readiness-assessment-tool.md).
+1. Run [readiness assessment tools](readiness-assessment-tool.md).
1. Buy [Company Portal](../get-started/company-portal.md). 1. Review prerequisites for guest accounts (this article). 1. Check [network configuration](network.md).
managed-desktop Network https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/network.md
audience: Admin
-# Network configuration for Microsoft Managed Desktop
+# Network configuration for Microsoft Managed Desktop
<!--Proxy config--> ## Proxy configuration
-Microsoft Managed Desktop is a cloud-managed service. There are a set of endpoints the Microsoft Managed Desktop services needs to be able to reach. This section lists the endpoints that need to be allowed for the various aspects of the Microsoft Managed Desktop service.
+Microsoft Managed Desktop is a cloud-managed service. There's a set of endpoints the Microsoft Managed Desktop services needs to be able to reach. This section lists the endpoints that need to be allowed for the various aspects of the Microsoft Managed Desktop service.
-Customers can optimize their network by sending all trusted Microsoft 365 network requests directly through their firewall or proxy, bypassing authentication and all additional packet-level inspection or processing. This reduces latency and your perimeter capacity requirements.
+Customers can optimize their network by sending all trusted Microsoft 365 network requests directly through their firewall or proxy. It bypasses authentication, and all additional packet-level inspection or processing. This process reduces latency and your perimeter capacity requirements.
-Also, to optimize performance to Microsoft Managed Desktop cloud-based services, these endpoints need special handling by customer client browsers and the devices in their edge network. These devices include firewalls, SSL Break and Inspect, packet inspection devices, and data loss prevention systems.
+Also, to optimize performance for Microsoft Managed Desktop cloud-based services, these endpoints need special handling by customer client browsers, and the devices in their edge network. These devices include:
+
+- Firewalls
+- SSL Break and Inspect
+- Packet inspection devices
+- Data loss prevention systems
### Proxy requirement
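Review bot: In the Proxy configuration paragraph, the rewritten sentence "It bypasses authentication, and all additional packet-level inspection or processing" has no clear antecedent for "It", where the removed text made the trusted Microsoft 365 requests the thing that bypasses inspection. Because this sentence tells customers to exempt traffic from authentication and inspection, name the subject explicitly, for example "These requests bypass authentication and all additional packet-level inspection or processing", and drop the comma. "This process reduces latency" in the next sentence has the same vague subject. In the first changed line, "the Microsoft Managed Desktop services needs" still has a subject-verb mismatch.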
The proxy or firewall must support TLS 1.2. Otherwise, you might have to disable
### Allowed endpoints that are necessary for Microsoft Managed Desktop
-Microsoft Managed Desktop uses the Azure Portal to host its web console. The following URLs must be on the allowed list of your proxy and firewall so that Microsoft Managed Desktop devices can communicate with Microsoft Services.
+Microsoft Managed Desktop uses the Azure portal to host its web console. The following URLs must be on the allowed list of your proxy and firewall so that Microsoft Managed Desktop devices can communicate with Microsoft Services.
The Microsoft Managed Desktop URL is used for anything our service runs on the customer API. You must ensure this URL is always accessible on your corporate network.
-Microsoft service | URLs required on allow list
- |
-Microsoft Managed Desktop | prod-mwaas-services-customerapi.azurewebsites.net <br>mmd-support-prod-nam.trafficmanager.net <br>mmdls.microsoft.com
+| Microsoft service | URLs required on allowlist |
+| -- | -- |
+| Microsoft Managed Desktop | prod-mwaas-services-customerapi.azurewebsites.net <br>mmd-support-prod-nam.trafficmanager.net <br>mmdls.microsoft.com
Get Help | \*.support.services.microsoft.com <br>inprod.support.services.microsoft.com <br>supportchannels.services.microsoft.com <br>graph.windows.net <br>login.windows.net <br>prod-mwaas-services-customerapi.azurewebsites.net <br>concierge.live.com Quick Assist | remoteassistance.support.services.microsoft.com <br>relay.support.services.microsoft.com <br>channelwebsdks.azureedge.net <br>web.vortex.data.microsoft.com <br>gateway.channelservices.microsoft.com <br>\*.lync.com
-Microsoft Support and Recovery Assistant | \*.apibasic.diagnostics.office.com <br>\*.api.diagnostics.office.com
-
+Microsoft Support and Recovery Assistant | \*.apibasic.diagnostics.office.com <br>\*.api.diagnostics.office.com |
+ ### Allowed endpoints used by other Microsoft products
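Review bot: The table conversion is only half applied. The new "Microsoft Managed Desktop" row has a leading pipe but no closing one, the new "Microsoft Support and Recovery Assistant" row has a closing pipe but no leading one, and the unchanged Get Help and Quick Assist rows between them keep the old pipe-less form. Give every row the same leading and trailing pipe so the body matches the new header and delimiter rows. The change also drops the blank line that used to follow the table and adds "### Allowed endpoints used by other Microsoft products" with a leading space; restore the blank line and remove the space so the heading is clearly separated from the last table row.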
-There are URLs from several Microsoft products that need to be in the allowed list so that Microsoft Managed Desktop devices can communicate with those Microsoft Services. Use the links to see the complete list for each product.
-
-Microsoft service | Documentation
- |
-Windows 10 Enterprise including Windows Update for Business | [Manage connection endpoints for Windows 10, version 1803](/windows/privacy/manage-windows-1803-endpoints)<br><br>[Manage connection endpoints for Windows 10, version 1809](/windows/privacy/manage-windows-1809-endpoints)<br><br>[Manage connection endpoints for Windows 10, version 1903](/windows/privacy/manage-windows-1903-endpoints)<br><br>[Manage connection endpoints for Windows 10, version 2004](/windows/privacy/manage-windows-2004-endpoints)
-Delivery Optimization | [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization)
-Microsoft 365 | [Microsoft 365 URL and IP address ranges](../../enterprise/urls-and-ip-address-ranges.md)
-Azure Active Directory | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports) and [Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))
-Microsoft Intune | [Intune network configuration requirements](/intune/network-bandwidth-use)<br>[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
-Microsoft Defender for Endpoint | [Microsoft Defender for Endpoint requirements](/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server)
-Windows Autopilot | [Windows Autopilot Networking Requirements](/windows/deployment/windows-autopilot/windows-autopilot-requirements#networking-requirements)
-
-Microsoft service | URLs required on allow list | Documentation source
- | |
-Windows Update for Business (WUfB) | update.microsoft.com<br>\*.update.microsoft.com<br>download.windowsupdate.com<br>\*.download.windowsupdate.com<br>download.microsoft.com<br>\*.download.microsoft.com<br>windowsupdate.com<br>\*.windowsupdate.com<br>ntservicepack.microsoft.com<br>wustat.windows.com<br>login.live.com <br>mp.microsoft.com<br>\*.mp.microsoft.com | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p)
-Delivery Optimization | \*.do.dsp.mp.microsoft.com<br>\*.dl.delivery.mp.microsoft.com <br>\*.emdl.ws.microsoft.com<br>\*.download.windowsupdate.com <br>\*.windowsupdate.com | [Windows Update proxy requirements](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update)
-Microsoft Store for Business | login.live.com <br>account.live.com <br>clientconfig.passport.net <br>wustat.windows.com <br>\*.windowsupdate.com <br>\*.wns.windows.com <br>\*.hotmail.com <br>\*.outlook.com <br>\*.microsoft.com <br>\*.msftncsi.com/ncsi.txt | [Microsoft Store allow list](https://support.microsoft.com/help/2778122/using-authenticated-proxy-servers-together-with-windows-8)
-Microsoft 365 | \*.office365.com<br>\*.office.com<br>\*.office.net<br>\*.live.com<br>\*.portal.cloudappsecurity.com<br>\*.portal.cloudappsecurity.com<br>\*.us.portal.cloudappsecurity.com<br>\*.eu.portal.cloudappsecurity.com<br>\*.us2.portal.cloudappsecurity.com<br>&lt;tenant>.onmicrosoft.com<br>account.office.net<br>agent.office.net<br>apc.delve.office.com<br>aus.delve.office.com<br>can.delve.office.com<br>delve.office.com<br>eur.delve.office.com<br>gbr.delve.office.com<br>home.office.com<br>ind.delve.office.com<br>jpn.delve.office.com<br>kor.delve.office.com<br>lam.delve.office.com<br>nam.delve.office.com<br>admin.microsoft.com<br>outlook.office365.com<br>suite.office.net<br>webshell.suite.office.com<br>www.office.com<br>\*.aria.microsoft.com<br>browser.pipe.aria.microsoft.com<br>mobile.pipe.aria.microsoft.com<br>portal.microsoftonline.com<br>clientlog.admin.microsoft.com<br>nexus.officeapps.live.com<br>nexusrules.officeapps.live.com<br>amp.azure.net<br>\*.o365weve.com<br>auth.gfx.ms<br>appsforoffice.microsoft.com<br>assets.onestore.ms<br>az826701.vo.msecnd.net<br>c.microsoft.com<br>c1.microsoft.com<br>client.hip.live.com<br>contentstorage.osi.office.net<br>dgps.support.microsoft.com<br>docs.microsoft.com<br>groupsapi-<br>rod.outlookgroups.ms<br>groupsapi2-prod.outlookgroups.ms<br>groupsapi3-prod.outlookgroups.ms<br>groupsapi4-prod.outlookgroups.ms<br>msdn.microsoft.com<br>platform.linkedin.com<br>products.office.com<br>prod.msocdn.com<br>r1.res.office365.com<br>r4.res.office365.com<br>res.delve.office.com<br>shellprod.msocdn.com<br>support.content.office.net<br>support.microsoft.com<br>support.office.com<br>technet.microsoft.com<br>templates.office.com<br>video.osi.office.net<br>videocontent.osi.office.net<br>videoplayercdn.osi.office.net<br>\*.manage.office.com<br>\*.protection.office.com<br>manage.office.com<br>Protection.office.com<br>diagnostics.office.com | [Microsoft 365 URL and IP address ranges](../../enterprise/urls-and-ip-address-ranges.md)
-Azure Active Directory | api.login.microsoftonline.com<br>api.passwordreset.microsoftonline.com<br>autologon.microsoftazuread-sso.com<br>becws.microsoftonline.com<br>clientconfig.microsoftonline-p.net <br>companymanager.microsoftonline.com <br>device.login.microsoftonline.com <br>hip.microsoftonline-p.net <br>hipservice.microsoftonline.com <br>login.microsoft.com<br>login.microsoftonline.com <br>logincert.microsoftonline.com <br>loginex.microsoftonline.com<br>login-us.microsoftonline.com <br>login.microsoftonline-p.com <br>login.windows.net <br>nexus.microsoftonline-p.com <br>passwordreset.microsoftonline.com <br>provisioningapi.microsoftonline.com<br>stamp2.login.microsoftonline.com<br>\*.msappproxy.net<br>ccs.login.microsoftonline.com<br>ccs-sdf.login.microsoftonline.com<br>accounts.accesscontrol.windows.net<br>secure.aadcdn.microsoftonline-p.com<br>\*.phonefactor.net<br>account.activedirectory.windowsazure.com<br>secure.aadcdn.microsoftonline-p.com<br>graph.microsoft.com | [Hybrid identity required ports and protocols](/azure/active-directory/connect/active-directory-aadconnect-ports) and [Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))
-Microsoft Intune | login.microsoftonline.com<br>portal.manage.microsoft.com<br>m.manage.microsoft.com<br>sts.manage.microsoft.com<br>Manage.microsoft.com <br>i.manage.microsoft.com <br>r.manage.microsoft.com <br>a.manage.microsoft.com <br>p.manage.microsoft.com <br>EnterpriseEnrollment.manage.microsoft.com <br>EnterpriseEnrollment-s.manage.microsoft.com<br>portal.fei.msua01.manage.microsoft.com<br>m.fei.msua01.manage.microsoft.com<br>fei.msua01.manage.microsoft.com<br>portal.fei.msua01.manage.microsoft.com <br>m.fei.msua01.manage.microsoft.com<br>fei.msua02.manage.microsoft.com<br>portal.fei.msua02.manage.microsoft.com<br>m.fei.msua02.manage.microsoft.com<br>fei.msua02.manage.microsoft.com<br>portal.fei.msua02.manage.microsoft.com<br>m.fei.msua02.manage.microsoft.com<br>fei.msua04.manage.microsoft.com<br>portal.fei.msua04.manage.microsoft.com <br>m.fei.msua04.manage.microsoft.com<br>fei.msua04.manage.microsoft.com<br>portal.fei.msua04.manage.microsoft.com <br>m.fei.msua04.manage.microsoft.com<br>fei.msua05.manage.microsoft.com <br>portal.fei.msua05.manage.microsoft.com <br>m.fei.msua05.manage.microsoft.com<br>fei.msua05.manage.microsoft.com <br>portal.fei.msua05.manage.microsoft.com <br>m.fei.msua05.manage.microsoft.com<br>fei.amsua0502.manage.microsoft.com <br>portal.fei.amsua0502.manage.microsoft.com <br>m.fei.amsua0502.manage.microsoft.com<br>fei.amsua0502.manage.microsoft.com <br>portal.fei.amsua0502.manage.microsoft.com <br>m.fei.amsua0502.manage.microsoft.com<br>fei.msua06.manage.microsoft.com <br>portal.fei.msua06.manage.microsoft.com <br>m.fei.msua06.manage.microsoft.com<br>fei.msua06.manage.microsoft.com <br>portal.fei.msua06.manage.microsoft.com <br>m.fei.msua06.manage.microsoft.com<br>fei.amsua0602.manage.microsoft.com <br>portal.fei.amsua0602.manage.microsoft.com <br>m.fei.amsua0602.manage.microsoft.com<br>fei.amsua0602.manage.microsoft.com <br>portal.fei.amsua0602.manage.microsoft.com 
<br>m.fei.amsua0602.manage.microsoft.com<br>fei.msub01.manage.microsoft.com <br>portal.fei.msub01.manage.microsoft.com <br>m.fei.msub01.manage.microsoft.com<br>fei.msub01.manage.microsoft.com <br>portal.fei.msub01.manage.microsoft.com <br>m.fei.msub01.manage.microsoft.com<br>fei.amsub0102.manage.microsoft.com <br>portal.fei.amsub0102.manage.microsoft.com <br>m.fei.amsub0102.manage.microsoft.com<br>fei.amsub0102.manage.microsoft.com <br>portal.fei.amsub0102.manage.microsoft.com <br>m.fei.amsub0102.manage.microsoft.com<br>fei.msub02.manage.microsoft.com <br>portal.fei.msub02.manage.microsoft.com <br>m.fei.msub02.manage.microsoft.com<br>fei.msub02.manage.microsoft.com <br>portal.fei.msub02.manage.microsoft.com <br>m.fei.msub02.manage.microsoft.com<br>fei.msub03.manage.microsoft.com <br>portal.fei.msub03.manage.microsoft.com <br>m.fei.msub03.manage.microsoft.com<br>fei.msub03.manage.microsoft.com <br>portal.fei.msub03.manage.microsoft.com <br>m.fei.msub03.manage.microsoft.com<br>fei.msub05.manage.microsoft.com <br>portal.fei.msub05.manage.microsoft.com <br>m.fei.msub05.manage.microsoft.com<br>fei.msub05.manage.microsoft.com <br>portal.fei.msub05.manage.microsoft.com <br>m.fei.msub05.manage.microsoft.com<br>fei.msuc01.manage.microsoft.com <br>portal.fei.msuc01.manage.microsoft.com <br>m.fei.msuc01.manage.microsoft.com<br>fei.msuc01.manage.microsoft.com <br>portal.fei.msuc01.manage.microsoft.com <br>m.fei.msuc01.manage.microsoft.com<br>fei.msuc02.manage.microsoft.com <br>portal.fei.msuc02.manage.microsoft.com <br>m.fei.msuc02.manage.microsoft.com<br>fei.msuc02.manage.microsoft.com <br>portal.fei.msuc02.manage.microsoft.com <br>m.fei.msuc02.manage.microsoft.com<br>fei.msuc03.manage.microsoft.com <br>portal.fei.msuc03.manage.microsoft.com <br>m.fei.msuc03.manage.microsoft.com<br>fei.msuc03.manage.microsoft.com <br>portal.fei.msuc03.manage.microsoft.com <br>m.fei.msuc03.manage.microsoft.com<br>fei.msuc05.manage.microsoft.com <br>portal.fei.msuc05.manage.microsoft.com 
<br>m.fei.msuc05.manage.microsoft.com<br>fei.msuc05.manage.microsoft.com <br>portal.fei.msuc05.manage.microsoft.com <br>m.fei.msuc05.manage.microsoft.com<br>fef.msua01.manage.microsoft.com<br>fef.msua02.manage.microsoft.com<br>fef.msua04.manage.microsoft.com<br>fef.msua05.manage.microsoft.com<br>fef.msua06.manage.microsoft.com<br>fef.msua07.manage.microsoft.com<br>fef.msub01.manage.microsoft.com<br>fef.msub02.manage.microsoft.com<br>fef.msub03.manage.microsoft.com<br>fef.msub05.manage.microsoft.com<br>fef.msuc01.manage.microsoft.com<br>fef.msuc02.manage.microsoft.com<br>fef.msuc03.manage.microsoft.com<br>fef.msuc05.manage.microsoft.com | [Intune network configuration requirements](/intune/network-bandwidth-use)
-OneDrive for Business | onedrive.com <br> <br>\*.onedrive.com <br>onedrive.live.com <br>login.live.com <br>spoprod-a.akamaihd.net <br>\*.mesh.com <br>p.sfx.ms <br>\*.microsoft.com <br>fabric.io <br>\*.crashlytics.com <br>vortex.data.microsoft.com <br>https://posarprodcssservice.accesscontrol.windows.net <br>redemptionservices.accesscontrol.windows.net <br>token.cp.microsoft.com/ <br>tokensit.cp.microsoft-tst.com/ <br>\*.office.com <br>\*.officeapps.live.com <br>\*.aria.microsoft.com <br>\*.mobileengagement.windows.net <br>\*.branch.io <br>\*.adjust.com <br>\*.servicebus.windows.net <br>vas.samsungapps.com <br>odc.officeapps.live.com <br>login.windows.net <br>login.microsoftonline.com <br>\*.files.1drv.com <br>\*.onedrive.live.com <br>\*.\*.onedrive.live.com <br>storage.live.com <br>\*.storage.live.com <br>\*.\*.storage.live.com <br>\*.groups.office.live.com <br>\*.groups.photos.live.com <br>\*.groups.skydrive.live.com <br>favorites.live.com <br>oauth.live.com <br>photos.live.com <br>skydrive.live.com <br>api.live.net <br>apis.live.net <br>docs.live.net <br>\*.docs.live.net <br>policies.live.net <br>\*.policies.live.net <br>settings.live.net <br>\*.settings.live.net <br>skyapi.live.net <br>snapi.live.net <br>\*.livefilestore.com <br>\*.\*.livefilestore.com <br>storage.msn.com <br>\*.storage.msn.com <br>\*.*.storage.msn.com | [Required URLs and ports for OneDrive](/onedrive/required-urls-and-ports)
-Microsoft Defender Advanced Threat Protection (ATP) | \ *.oms.opinsights.azure.com <br>\*.blob.core.windows.net <br>\*.azure-automation.net <br>\*.ods.opinsights.azure.com <br>winatp-gw-cus.microsoft.com <br>winatp-gw-eus.microsoft.com <br>winatp-gw-neu.microsoft.com <br>winatp-gw-weu.microsoft.com <br>winatp-gw-uks.microsoft.com <br>winatp-gw-ukw.microsoft.com <br>winatp-gw-aus.microsoft.com <br>winatp-gw-aue.microsoft.com | [Windows Defender ATP endpoints](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection)
-Get Help | \*.support.services.microsoft.com <br>inprod.support.services.microsoft.com <br>supportchannels.services.microsoft.com <br>graph.windows.net <br>login.windows.net <br>prod-mwaas-services-customerapi.azurewebsites.net <br>concierge.live.com <br>rave.office.net |
-Quick Assist | remoteassistance.support.services.microsoft.com <br>relay.support.services.microsoft.com <br>channelwebsdks.azureedge.net <br>web.vortex.data.microsoft.com <br>gateway.channelservices.microsoft.com <br>\*.lync.com |
-SharePoint Online | \*.sharepoint.com <br>\ *.svc.ms <br>\<tenant\>.sharepoint.com <br>\<tenant\>-my.sharepoint.com <br>\<tenant\>-files.sharepoint.com <br>\<tenant\>-myfiles.sharepoint.com <br>\*.sharepointonline.com <br>cdn.sharepointonline.com <br>static.sharepointonline.com <br>spoprod-a.akamaihd.net <br>publiccdn.sharepointonline.com <br>privatecdn.sharepointonline.com | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
-OneDrive for Business | admin.onedrive.com <br>officeclient.microsoft.com <br>odc.officeapps.live.com <br>skydrive.wns.windows.com <br>g.live.com <br>oneclient.sfx.ms <br>\*.log.optimizely.com <br>click.email.microsoftonline.com <br>ssw.live.com <br>storage.live.com | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
-Microsoft Teams | \*.teams.skype.com <br>\*.teams.microsoft.com <br>teams.microsoft.com <br>\*.asm.skype.com <br>\ *.cc.skype.com <br>\*.conv.skype.com <br>\*.dc.trouter.io <br>\*.msg.skype.com <br>prod.registrar.skype.com <br>prod.tpc.skype.com <br>\*.broker.skype.com <br>\*.config.skype.com <br>\*.pipe.skype.com <br>\*.pipe.aria.microsoft.com <br>config.edge.skype.com <br>pipe.skype.com <br>s-0001.s-msedge.net <br>s-0004.s-msedge.net <br>scsinstrument-ss-us.trafficmanager.net <br>scsquery-ss- <br>us.trafficmanager.net <br>scsquery-ss-eu.trafficmanager.net <br>scsquery-ss-asia.trafficmanager.net <br>\*.msedge.net <br>compass-ssl.microsoft.com <br>feedback.skype.com <br>\*.secure.skypeassets.com <br>mlccdnprod.azureedge.net <br>videoplayercdn.osi.office.net <br>\*.mstea.ms | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
-Power BI | maxcdn.bootstrapcdn.com <br>ajax.aspnetcdn.com <br>netdna.bootstrapcdn.com <br>cdn.optimizely.com <br>google-analytics.com <br>\*.mktoresp.com <br>\*.aadcdn.microsoftonline-p.com <br>\*.msecnd.com <br>\*.localytics.com <br>ajax.aspnetcdn.com <br>\*.localytics.com <br>\*.virtualearth.net <br>platform.bing.com <br>powerbi.microsoft.com <br>c.microsoft.com <br>app.powerbi.com <br>\*.powerbi.com <br>dc.services.visualstudio.com <br>support.powerbi.com <br>powerbi.uservoice.com <br>go.microsoft.com <br>c1.microsoft.com <br>\*.azureedge.net |[Power BI & Express Route](/power-bi/service-admin-power-bi-expressroute)
-OneNote | apis.live.net <br>www.onedrive.com <br>login.microsoft.com <br>www.onenote.com <br>\*.onenote.com <br>\*.msecnd.net <br>\*.microsoft.com <br>\*.office.net <br>cdn.onenote.net <br>site-cdn.onenote.net <br>cdn.optimizely.com <br>Ajax.aspnetcdn.com <br>officeapps.live.com <br>\\*.onenote.com <br>\*cdn.onenote.net <br>contentstorage.osi.office.net <br>\*onenote.officeapps.live.com <br>\*.microsoft.com | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
+There are URLs from several Microsoft products that must be in the allowed list so that Microsoft Managed Desktop devices can communicate with those Microsoft Services. Use the links to see the complete list for each product.
+
+| Microsoft service | Documentation |
+| -- | -- |
+| Windows 10 Enterprise including Windows Update for Business | [Manage connection endpoints for Windows 10, version 1803](/windows/privacy/manage-windows-1803-endpoints)<br><br>[Manage connection endpoints for Windows 10, version 1809](/windows/privacy/manage-windows-1809-endpoints)<br><br>[Manage connection endpoints for Windows 10, version 1903](/windows/privacy/manage-windows-1903-endpoints)<br><br>[Manage connection endpoints for Windows 10, version 2004](/windows/privacy/manage-windows-2004-endpoints)
+| Delivery Optimization | [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization) |
+| Microsoft 365 | [Microsoft 365 URL and IP address ranges](../../enterprise/urls-and-ip-address-ranges.md) |
+|Azure Active Directory | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports) <br><br> [Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)) |
+| Microsoft Intune | [Intune network configuration requirements](/intune/network-bandwidth-use)<br><br>[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
+| Microsoft 365 Defender for Endpoint | [Microsoft 365 Defender for Endpoint requirements](/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server)
+Windows Autopilot | [Windows Autopilot Networking Requirements](/windows/deployment/windows-autopilot/windows-autopilot-requirements#networking-requirements) |
+
+| Microsoft service | URLs required on allowlist | Documentation source
+| -- | -- | -- |
+| Windows Update for Business (WUfB) | update.microsoft.com<br>\*.update.microsoft.com<br>download.windowsupdate.com<br>\*.download.windowsupdate.com<br>download.microsoft.com<br>\*.download.microsoft.com<br>windowsupdate.com<br>\*.windowsupdate.com<br>ntservicepack.microsoft.com<br>wustat.windows.com<br>login.live.com <br>mp.microsoft.com<br>\*.mp.microsoft.com | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) |
+| Delivery Optimization | \*.do.dsp.mp.microsoft.com<br>\*.dl.delivery.mp.microsoft.com <br>\*.emdl.ws.microsoft.com<br>\*.download.windowsupdate.com <br>\*.windowsupdate.com | [Windows Update proxy requirements](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update) |
+| Microsoft Store for Business | login.live.com <br>account.live.com <br>clientconfig.passport.net <br>wustat.windows.com <br>\*.windowsupdate.com <br>\*.wns.windows.com <br>\*.hotmail.com <br>\*.outlook.com <br>\*.microsoft.com <br>\*.msftncsi.com/ncsi.txt | [Microsoft Store allowlist](https://support.microsoft.com/help/2778122/using-authenticated-proxy-servers-together-with-windows-8) |
+| Microsoft 365 | \*.office365.com<br>\*.office.com<br>\*.office.net<br>\*.live.com<br>\*.portal.cloudappsecurity.com<br>\*.portal.cloudappsecurity.com<br>\*.us.portal.cloudappsecurity.com<br>\*.eu.portal.cloudappsecurity.com<br>\*.us2.portal.cloudappsecurity.com<br>&lt;tenant>.onmicrosoft.com<br>account.office.net<br>agent.office.net<br>apc.delve.office.com<br>aus.delve.office.com<br>can.delve.office.com<br>delve.office.com<br>eur.delve.office.com<br>gbr.delve.office.com<br>home.office.com<br>ind.delve.office.com<br>jpn.delve.office.com<br>kor.delve.office.com<br>lam.delve.office.com<br>nam.delve.office.com<br>admin.microsoft.com<br>outlook.office365.com<br>suite.office.net<br>webshell.suite.office.com<br>www.office.com<br>\*.aria.microsoft.com<br>browser.pipe.aria.microsoft.com<br>mobile.pipe.aria.microsoft.com<br>portal.microsoftonline.com<br>clientlog.admin.microsoft.com<br>nexus.officeapps.live.com<br>nexusrules.officeapps.live.com<br>amp.azure.net<br>\*.o365weve.com<br>auth.gfx.ms<br>appsforoffice.microsoft.com<br>assets.onestore.ms<br>az826701.vo.msecnd.net<br>c.microsoft.com<br>c1.microsoft.com<br>client.hip.live.com<br>contentstorage.osi.office.net<br>dgps.support.microsoft.com<br>docs.microsoft.com<br>groupsapi-<br>rod.outlookgroups.ms<br>groupsapi2-prod.outlookgroups.ms<br>groupsapi3-prod.outlookgroups.ms<br>groupsapi4-prod.outlookgroups.ms<br>msdn.microsoft.com<br>platform.linkedin.com<br>products.office.com<br>prod.msocdn.com<br>r1.res.office365.com<br>r4.res.office365.com<br>res.delve.office.com<br>shellprod.msocdn.com<br>support.content.office.net<br>support.microsoft.com<br>support.office.com<br>technet.microsoft.com<br>templates.office.com<br>video.osi.office.net<br>videocontent.osi.office.net<br>videoplayercdn.osi.office.net<br>\*.manage.office.com<br>\*.protection.office.com<br>manage.office.com<br>Protection.office.com<br>diagnostics.office.com | [Microsoft 365 URL and IP address ranges](../../enterprise/urls-and-ip-address-ranges.md) |
+| Azure Active Directory | api.login.microsoftonline.com<br>api.passwordreset.microsoftonline.com<br>autologon.microsoftazuread-sso.com<br>becws.microsoftonline.com<br>clientconfig.microsoftonline-p.net <br>companymanager.microsoftonline.com <br>device.login.microsoftonline.com <br>hip.microsoftonline-p.net <br>hipservice.microsoftonline.com <br>login.microsoft.com<br>login.microsoftonline.com <br>logincert.microsoftonline.com <br>loginex.microsoftonline.com<br>login-us.microsoftonline.com <br>login.microsoftonline-p.com <br>login.windows.net <br>nexus.microsoftonline-p.com <br>passwordreset.microsoftonline.com <br>provisioningapi.microsoftonline.com<br>stamp2.login.microsoftonline.com<br>\*.msappproxy.net<br>ccs.login.microsoftonline.com<br>ccs-sdf.login.microsoftonline.com<br>accounts.accesscontrol.windows.net<br>secure.aadcdn.microsoftonline-p.com<br>\*.phonefactor.net<br>account.activedirectory.windowsazure.com<br>secure.aadcdn.microsoftonline-p.com<br>graph.microsoft.com | [Hybrid identity required ports and protocols](/azure/active-directory/connect/active-directory-aadconnect-ports) and [Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)) |
+| Microsoft Intune | login.microsoftonline.com<br>portal.manage.microsoft.com<br>m.manage.microsoft.com<br>sts.manage.microsoft.com<br>Manage.microsoft.com <br>i.manage.microsoft.com <br>r.manage.microsoft.com <br>a.manage.microsoft.com <br>p.manage.microsoft.com <br>EnterpriseEnrollment.manage.microsoft.com <br>EnterpriseEnrollment-s.manage.microsoft.com<br>portal.fei.msua01.manage.microsoft.com<br>m.fei.msua01.manage.microsoft.com<br>fei.msua01.manage.microsoft.com<br>portal.fei.msua01.manage.microsoft.com <br>m.fei.msua01.manage.microsoft.com<br>fei.msua02.manage.microsoft.com<br>portal.fei.msua02.manage.microsoft.com<br>m.fei.msua02.manage.microsoft.com<br>fei.msua02.manage.microsoft.com<br>portal.fei.msua02.manage.microsoft.com<br>m.fei.msua02.manage.microsoft.com<br>fei.msua04.manage.microsoft.com<br>portal.fei.msua04.manage.microsoft.com <br>m.fei.msua04.manage.microsoft.com<br>fei.msua04.manage.microsoft.com<br>portal.fei.msua04.manage.microsoft.com <br>m.fei.msua04.manage.microsoft.com<br>fei.msua05.manage.microsoft.com <br>portal.fei.msua05.manage.microsoft.com <br>m.fei.msua05.manage.microsoft.com<br>fei.msua05.manage.microsoft.com <br>portal.fei.msua05.manage.microsoft.com <br>m.fei.msua05.manage.microsoft.com<br>fei.amsua0502.manage.microsoft.com <br>portal.fei.amsua0502.manage.microsoft.com <br>m.fei.amsua0502.manage.microsoft.com<br>fei.amsua0502.manage.microsoft.com <br>portal.fei.amsua0502.manage.microsoft.com <br>m.fei.amsua0502.manage.microsoft.com<br>fei.msua06.manage.microsoft.com <br>portal.fei.msua06.manage.microsoft.com <br>m.fei.msua06.manage.microsoft.com<br>fei.msua06.manage.microsoft.com <br>portal.fei.msua06.manage.microsoft.com <br>m.fei.msua06.manage.microsoft.com<br>fei.amsua0602.manage.microsoft.com <br>portal.fei.amsua0602.manage.microsoft.com <br>m.fei.amsua0602.manage.microsoft.com<br>fei.amsua0602.manage.microsoft.com <br>portal.fei.amsua0602.manage.microsoft.com 
<br>m.fei.amsua0602.manage.microsoft.com<br>fei.msub01.manage.microsoft.com <br>portal.fei.msub01.manage.microsoft.com <br>m.fei.msub01.manage.microsoft.com<br>fei.msub01.manage.microsoft.com <br>portal.fei.msub01.manage.microsoft.com <br>m.fei.msub01.manage.microsoft.com<br>fei.amsub0102.manage.microsoft.com <br>portal.fei.amsub0102.manage.microsoft.com <br>m.fei.amsub0102.manage.microsoft.com<br>fei.amsub0102.manage.microsoft.com <br>portal.fei.amsub0102.manage.microsoft.com <br>m.fei.amsub0102.manage.microsoft.com<br>fei.msub02.manage.microsoft.com <br>portal.fei.msub02.manage.microsoft.com <br>m.fei.msub02.manage.microsoft.com<br>fei.msub02.manage.microsoft.com <br>portal.fei.msub02.manage.microsoft.com <br>m.fei.msub02.manage.microsoft.com<br>fei.msub03.manage.microsoft.com <br>portal.fei.msub03.manage.microsoft.com <br>m.fei.msub03.manage.microsoft.com<br>fei.msub03.manage.microsoft.com <br>portal.fei.msub03.manage.microsoft.com <br>m.fei.msub03.manage.microsoft.com<br>fei.msub05.manage.microsoft.com <br>portal.fei.msub05.manage.microsoft.com <br>m.fei.msub05.manage.microsoft.com<br>fei.msub05.manage.microsoft.com <br>portal.fei.msub05.manage.microsoft.com <br>m.fei.msub05.manage.microsoft.com<br>fei.msuc01.manage.microsoft.com <br>portal.fei.msuc01.manage.microsoft.com <br>m.fei.msuc01.manage.microsoft.com<br>fei.msuc01.manage.microsoft.com <br>portal.fei.msuc01.manage.microsoft.com <br>m.fei.msuc01.manage.microsoft.com<br>fei.msuc02.manage.microsoft.com <br>portal.fei.msuc02.manage.microsoft.com <br>m.fei.msuc02.manage.microsoft.com<br>fei.msuc02.manage.microsoft.com <br>portal.fei.msuc02.manage.microsoft.com <br>m.fei.msuc02.manage.microsoft.com<br>fei.msuc03.manage.microsoft.com <br>portal.fei.msuc03.manage.microsoft.com <br>m.fei.msuc03.manage.microsoft.com<br>fei.msuc03.manage.microsoft.com <br>portal.fei.msuc03.manage.microsoft.com <br>m.fei.msuc03.manage.microsoft.com<br>fei.msuc05.manage.microsoft.com <br>portal.fei.msuc05.manage.microsoft.com 
<br>m.fei.msuc05.manage.microsoft.com<br>fei.msuc05.manage.microsoft.com <br>portal.fei.msuc05.manage.microsoft.com <br>m.fei.msuc05.manage.microsoft.com<br>fef.msua01.manage.microsoft.com<br>fef.msua02.manage.microsoft.com<br>fef.msua04.manage.microsoft.com<br>fef.msua05.manage.microsoft.com<br>fef.msua06.manage.microsoft.com<br>fef.msua07.manage.microsoft.com<br>fef.msub01.manage.microsoft.com<br>fef.msub02.manage.microsoft.com<br>fef.msub03.manage.microsoft.com<br>fef.msub05.manage.microsoft.com<br>fef.msuc01.manage.microsoft.com<br>fef.msuc02.manage.microsoft.com<br>fef.msuc03.manage.microsoft.com<br>fef.msuc05.manage.microsoft.com | [Intune network configuration requirements](/intune/network-bandwidth-use) |
+| OneDrive for Business | onedrive.com <br> <br>\*.onedrive.com <br>onedrive.live.com <br>login.live.com <br>spoprod-a.akamaihd.net <br>\*.mesh.com <br>p.sfx.ms <br>\*.microsoft.com <br>fabric.io <br>\*.crashlytics.com <br>vortex.data.microsoft.com <br>https://posarprodcssservice.accesscontrol.windows.net <br>redemptionservices.accesscontrol.windows.net <br>token.cp.microsoft.com/ <br>tokensit.cp.microsoft-tst.com/ <br>\*.office.com <br>\*.officeapps.live.com <br>\*.aria.microsoft.com <br>\*.mobileengagement.windows.net <br>\*.branch.io <br>\*.adjust.com <br>\*.servicebus.windows.net <br>vas.samsungapps.com <br>odc.officeapps.live.com <br>login.windows.net <br>login.microsoftonline.com <br>\*.files.1drv.com <br>\*.onedrive.live.com <br>\*.\*.onedrive.live.com <br>storage.live.com <br>\*.storage.live.com <br>\*.\*.storage.live.com <br>\*.groups.office.live.com <br>\*.groups.photos.live.com <br>\*.groups.skydrive.live.com <br>favorites.live.com <br>oauth.live.com <br>photos.live.com <br>skydrive.live.com <br>api.live.net <br>apis.live.net <br>docs.live.net <br>\*.docs.live.net <br>policies.live.net <br>\*.policies.live.net <br>settings.live.net <br>\*.settings.live.net <br>skyapi.live.net <br>snapi.live.net <br>\*.livefilestore.com <br>\*.\*.livefilestore.com <br>storage.msn.com <br>\*.storage.msn.com <br>\*.*.storage.msn.com | [Required URLs and ports for OneDrive](/onedrive/required-urls-and-ports) |
+| Microsoft Defender Advanced Threat Protection (ATP) | \ *.oms.opinsights.azure.com <br>\*.blob.core.windows.net <br>\*.azure-automation.net <br>\*.ods.opinsights.azure.com <br>winatp-gw-cus.microsoft.com <br>winatp-gw-eus.microsoft.com <br>winatp-gw-neu.microsoft.com <br>winatp-gw-weu.microsoft.com <br>winatp-gw-uks.microsoft.com <br>winatp-gw-ukw.microsoft.com <br>winatp-gw-aus.microsoft.com <br>winatp-gw-aue.microsoft.com | [Windows Defender ATP endpoints](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection)
+| Get Help | \*.support.services.microsoft.com <br>inprod.support.services.microsoft.com <br>supportchannels.services.microsoft.com <br>graph.windows.net <br>login.windows.net <br>prod-mwaas-services-customerapi.azurewebsites.net <br>concierge.live.com <br>rave.office.net |
+Quick Assist | remoteassistance.support.services.microsoft.com <br>relay.support.services.microsoft.com <br>channelwebsdks.azureedge.net <br>web.vortex.data.microsoft.com <br>gateway.channelservices.microsoft.com <br>\*.lync.com |
+| SharePoint Online | \*.sharepoint.com <br>\ *.svc.ms <br>\<tenant\>.sharepoint.com <br>\<tenant\>-my.sharepoint.com <br>\<tenant\>-files.sharepoint.com <br>\<tenant\>-myfiles.sharepoint.com <br>\*.sharepointonline.com <br>cdn.sharepointonline.com <br>static.sharepointonline.com <br>spoprod-a.akamaihd.net <br>publiccdn.sharepointonline.com <br>privatecdn.sharepointonline.com | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) |
+| OneDrive for Business | admin.onedrive.com <br>officeclient.microsoft.com <br>odc.officeapps.live.com <br>skydrive.wns.windows.com <br>g.live.com <br>oneclient.sfx.ms <br>\*.log.optimizely.com <br>click.email.microsoftonline.com <br>ssw.live.com <br>storage.live.com | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
+| Microsoft Teams | \*.teams.skype.com <br>\*.teams.microsoft.com <br>teams.microsoft.com <br>\*.asm.skype.com <br>\ *.cc.skype.com <br>\*.conv.skype.com <br>\*.dc.trouter.io <br>\*.msg.skype.com <br>prod.registrar.skype.com <br>prod.tpc.skype.com <br>\*.broker.skype.com <br>\*.config.skype.com <br>\*.pipe.skype.com <br>\*.pipe.aria.microsoft.com <br>config.edge.skype.com <br>pipe.skype.com <br>s-0001.s-msedge.net <br>s-0004.s-msedge.net <br>scsinstrument-ss-us.trafficmanager.net <br>scsquery-ss- <br>us.trafficmanager.net <br>scsquery-ss-eu.trafficmanager.net <br>scsquery-ss-asia.trafficmanager.net <br>\*.msedge.net <br>compass-ssl.microsoft.com <br>feedback.skype.com <br>\*.secure.skypeassets.com <br>mlccdnprod.azureedge.net <br>videoplayercdn.osi.office.net <br>\*.mstea.ms | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) |
+| Power BI | maxcdn.bootstrapcdn.com <br>ajax.aspnetcdn.com <br>netdna.bootstrapcdn.com <br>cdn.optimizely.com <br>google-analytics.com <br>\*.mktoresp.com <br>\*.aadcdn.microsoftonline-p.com <br>\*.msecnd.com <br>\*.localytics.com <br>ajax.aspnetcdn.com <br>\*.localytics.com <br>\*.virtualearth.net <br>platform.bing.com <br>powerbi.microsoft.com <br>c.microsoft.com <br>app.powerbi.com <br>\*.powerbi.com <br>dc.services.visualstudio.com <br>support.powerbi.com <br>powerbi.uservoice.com <br>go.microsoft.com <br>c1.microsoft.com <br>\*.azureedge.net |[Power BI & Express Route](/power-bi/service-admin-power-bi-expressroute)
+| OneNote | apis.live.net <br>www.onedrive.com <br>login.microsoft.com <br>www.onenote.com <br>\*.onenote.com <br>\*.msecnd.net <br>\*.microsoft.com <br>\*.office.net <br>cdn.onenote.net <br>site-cdn.onenote.net <br>cdn.optimizely.com <br>Ajax.aspnetcdn.com <br>officeapps.live.com <br>\\*.onenote.com <br>\*cdn.onenote.net <br>contentstorage.osi.office.net <br>\*onenote.officeapps.live.com <br>\*.microsoft.com | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) |
## Steps to get ready for Microsoft Managed Desktop 1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-2. Run [readiness assessment tools](readiness-assessment-tool.md).
+1. Run [readiness assessment tools](readiness-assessment-tool.md).
1. Buy [Company Portal](../get-started/company-portal.md). 1. Review [prerequisites for guest accounts](guest-accounts.md). 1. Check network configuration (this article).
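Review bot: Several hostnames in the added table rows are malformed and would be wrong if copied into a proxy or firewall rule. The Defender ATP, SharePoint Online and Microsoft Teams rows contain `\ *.oms.opinsights.azure.com`, `\ *.svc.ms` and `\ *.cc.skype.com` with a space between the backslash and the asterisk. The Teams row also splits one name into `scsquery-ss- <br>us.trafficmanager.net`. The OneNote row has `\\*.onenote.com` with a doubled escape, and `\*cdn.onenote.net` and `\*onenote.officeapps.live.com` with no dot after the wildcard; if that is not intentional, please normalise them to the `\*.host` form used in the rest of the table. The table markup needs a pass as well: the Defender ATP, second OneDrive for Business and Power BI rows have no closing `|`, the Quick Assist row has no opening `|`, and the Get Help and Quick Assist rows have no third cell. Power BI lists `ajax.aspnetcdn.com` and `\*.localytics.com` twice, OneNote lists `\*.microsoft.com` twice, and "OneDrive for Business" appears as two separate rows with different source links, which should be merged or labelled so a reader does not apply only one of them. If readers are expected to use this table as an egress allowlist, it is also worth saying next to `\*.blob.core.windows.net` and `\*.azureedge.net` that these are shared, multi-tenant domains, so allowing them permits far more than the named service.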
security Microsoft 365 Zero Trust https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/Microsoft-365-zero-trust.md
In the illustration:
For more information about this architecture, including deployment objectives for your entire digital estate, see [Zero Trust Rapid Modernization Plan (RaMP)](https://review.docs.microsoft.com/security/zero-trust/zero-trust-ramp-overview?branch=zt-content-prototype). -->
-For more information about Zero Trust, see Microsoft's [Zero Trust Guidance Center](/security/zero-trust).
+For more information about Zero Trust, see Microsoft's [**Zero Trust Guidance Center**](/security/zero-trust).
## Deploying Zero Trust for Microsoft 365
The first step is to build your Zero Trust foundation by configuring identity an
-Go to [Zero Trust identity and device access protection](office-365-security/microsoft-365-policies-configurations.md) for prescriptive guidance to accomplish this. This series of articles describes a set of identity and device access prerequisite configurations and a set of Azure Active Directory (Azure AD) Conditional Access, Microsoft Intune, and other policies to secure access to Microsoft 365 for enterprise cloud apps and services, other SaaS services, and on-premises applications published with Azure AD Application Proxy.
+Go to [**Zero Trust identity and device access protection**](office-365-security/microsoft-365-policies-configurations.md) for prescriptive guidance to accomplish this. This series of articles describes a set of identity and device access prerequisite configurations and a set of Azure Active Directory (Azure AD) Conditional Access, Microsoft Intune, and other policies to secure access to Microsoft 365 for enterprise cloud apps and services, other SaaS services, and on-premises applications published with Azure AD Application Proxy.
Next, enroll your devices into management and begin protecting these with more s
:::image type="content" source="../media/zero-trust/m365-zero-trust-architecture-step-2.png" alt-text="Manage endpoints with Intune" lightbox="../media/zero-trust/m365-zero-trust-architecture-step-2.png":::
-Go to [Manage devices with Intune](../solutions/manage-devices-with-intune-overview.md) for prescriptive guidance to accomplish this.
+Go to [**Manage devices with Intune**](../solutions/manage-devices-with-intune-overview.md) for prescriptive guidance to accomplish this.
|Includes |Prerequisites |Doesn't include |
With devices enrolled into management, you can now implement the full set of rec
:::image type="content" source="../media/zero-trust/m365-zero-trust-architecture-enterprise-policies.png" alt-text="Zero Trust identity and access policies with device management" lightbox="../media/zero-trust/m365-zero-trust-architecture-enterprise-policies.png":::
-Return to [Common identity and device access policies](office-365-security/identity-access-policies.md) and add the policies in the Enterprise tier.
+Return to [**Common identity and device access policies**](office-365-security/identity-access-policies.md) and add the policies in the Enterprise tier.
:::image type="content" source="../media/zero-trust/identity-access-enterprise-tier.png" alt-text="Zero Trust identity and access policies ΓÇö Enterprise (recommended) tier" lightbox="../media/zero-trust/identity-access-enterprise-tier.png":::
Microsoft 365 Defender is an extended detection and response (XDR) solution that
:::image type="content" source="../media/zero-trust/m365-zero-trust-architecture-defender.png" alt-text="Adding Microsoft 365 Defender to the Zero Trust architecture" lightbox="../media/zero-trust/m365-zero-trust-architecture-defender.png":::
-Go to [Evaluate and pilot Microsoft 365 Defender](defender/eval-overview.md) for a methodical guide to piloting and deploying Microsoft 365 Defender components.
+Go to [**Evaluate and pilot Microsoft 365 Defender**](defender/eval-overview.md) for a methodical guide to piloting and deploying Microsoft 365 Defender components.
|Includes |Prerequisites |Doesn't include | ||||
Microsoft Information Protection provides a framework, process, and capabilities
![Microsoft Information Protection (MIP) framework](../media/zero-trust/mip-solution-overview.png)
-For more information on how to plan and deploy information protection, see [Deploy a Microsoft Information Protection solution](../compliance/information-protection-solution.md).
+For more information on how to plan and deploy information protection, see [**Deploy a Microsoft Information Protection solution**](../compliance/information-protection-solution.md).
-If you're deploying information protection for data privacy regulations, this solution guide provides a recommended framework for the entire process: [Deploy information protection for data privacy regulations with Microsoft 365](../solutions/information-protection-deploy.md).
+If you're deploying information protection for data privacy regulations, this solution guide provides a recommended framework for the entire process: [**Deploy information protection for data privacy regulations with Microsoft 365**](../solutions/information-protection-deploy.md).
security Mdb Get Help https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-get-help.md
search.appverid: MET150 description: Find out how to get help or contact support in Microsoft Defender for Business (preview) Previously updated : 01/06/2022 Last updated : 02/07/2022 # Get help and support for Microsoft Defender for Business (preview)
security Mdb Manage Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-manage-devices.md
audience: Admin Previously updated : 01/06/2022 Last updated : 02/09/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal
security Mdb Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-reports.md
audience: Admin Previously updated : 01/06/2022 Last updated : 02/07/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal
> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here. Microsoft Defender for Business (preview) includes several reports as described in the following table:<br/><br/>
-Several reports are availble in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). This article describes these reports, how you can use them, and how to find them.
+Several reports are available in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). This article describes these reports, how you can use them, and how to find them.
> > **Got a minute?**
security Mdb Respond Mitigate Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-respond-mitigate-threats.md
audience: Admin Previously updated : 12/13/2021 Last updated : 02/07/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.technology: mde Previously updated : 02/04/2022 Last updated : 02/09/2022 - M365-security-compliance - m365initiative-defender-endpoint
For more information, see [Manage the sources for Microsoft Defender Antivirus p
> - Monthly updates are released in phases, resulting in multiple packages visible in your [Window Server Update Services](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). > - This article lists changes that are included in the broad release channel. [See the latest broad channel release here](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info). > - To learn more about the gradual rollout process, and to see more information about the next release, see [Manage the gradual rollout process for Microsoft Defender updates](manage-gradual-rollout.md).
-> - To learn more about security intelligence updates, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/wdsi/defenderupdates).
+> - To learn more about security intelligence updates, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
> - If you're looking for a list of Microsoft Defender processes, **[download the mde-urls workbook](https://download.microsoft.com/download/8/). ## Monthly platform and engine versions
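Review bot: The replacement URL on the `+` line hard-codes the `en-us` locale (`https://www.microsoft.com/en-us/wdsi/defenderupdates`), while the other microsoft.com link in the same note block (`https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info`) is locale-neutral. Unless the locale-free path is broken, keep the link without `/en-us/` so that non-English readers are not forced to the English page. If the old path no longer resolves, say so in the commit message so the reason for the change is on record.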
All our updates contain
- Integration improvements (Cloud, [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)) <br/><br/> <details>
-<summary>January-2022 (Platform: 4.18.2201.x | Engine: 1.1.18900.2)</summary>
+<summary>January-2022 (Platform: 4.18.2201.10 | Engine: 1.1.18900.2)</summary>
&ensp;Security intelligence update version: **1.357.8.0**<br/>
-&ensp;Released: **February 2, 2022**<br/>
-&ensp;Platform: **4.18.2201.x**<br/>
+&ensp;Released: **February 9, 2022**<br/>
+&ensp;Platform: **4.18.2201.10**<br/>
&ensp;Engine: **1.1.18900.2**<br/> &ensp;Support phase: **Security and Critical Updates**<br/>
Security intelligence update version: 1.357.8.0 <br/>
### What's new - Behavior monitoring improvements in filtering performance
+- Hardening to TrustedInstaller
+- Tamper protection improvements
+- Replaced `ScanScheduleTime` with new `ScanScheduleOffest` cmdlet in [Set-MpPreference](/powershell/module/defender/set-mppreference). This policy configures the number of minutes after midnight to perform a scheduled scan.
+- Added the `-ServiceHealthReportInterval` setting to [Set-MpPreference](/powershell/module/defender/set-mppreference). This policy configures the time interval (in minutes) to perform a scheduled scan.
+- Added the `AllowSwitchToAsyncInspection` setting to [Set-MpPreference](/powershell/module/defender/set-mppreference). This policy enables a performance optimization, that allows synchronously inspected network flows, to switch to async inspection once they have been checked and validated.
+- Performance Analyzer v2 updates: Remote PowerShell and PowerShell 7.x support added. See [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).
### Known Issues
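Review bot: The three new `Set-MpPreference` bullets under "What's new" have naming and description problems that will mislead anyone scripting against them. `ScanScheduleOffest` looks like a transposition of `ScanScheduleOffset`, and it is described as a "cmdlet" although the same sentence links it to `Set-MpPreference`, where it is a parameter. The description of `-ServiceHealthReportInterval` ("configures the time interval (in minutes) to perform a scheduled scan") reads like a copy of the scan-schedule wording and does not match the setting's name; please replace it with what the interval actually controls. The three names are also formatted inconsistently: only `-ServiceHealthReportInterval` has the leading hyphen. Since the bullet says `ScanScheduleTime` was "replaced", it would help administrators to state whether existing scripts and policies that set `ScanScheduleTime` keep working.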
security Install App Guard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/install-app-guard.md
Title: Application Guard for Office 365 for admins
+ Title: Application Guard for Office for admins
keywords: application guard, protection, isolation, isolated container, hardware isolation f1.keywords: - NOCSH
audience: ITPro - ms.localizationpriority: medium search.appverid: - MET150
To learn more about Office update channels, see [Overview of update channels for
* Microsoft 365 E5 or Microsoft 365 E5 Security
+> [!NOTE]
+> Microsoft 365 Apps for enterprise with the device-based license do not have access to Application Guard for Office.
+ ## Deploy Application Guard for Office ### Enable Application Guard for Office
You can also configure Microsoft Defender for Office 365 to work with Defender f
## Limitations and considerations
-* Application Guard for Office is a protected mode that isolates untrusted documents so that they can't access trusted corporate resources, an intranet, the user's identity, and arbitrary files on the computer. As a result, if a user tries to access a feature that has a dependency on such accessΓÇöfor example, inserting a picture from a local file on diskΓÇöthe access will fail and produce a prompt like the following example. To enable an untrusted document to access trusted resources, users must remove Application Guard protection from the document.
+* Application Guard for Office is a protected mode that isolates untrusted documents so that they cannot access trusted corporate resources, an intranet, the user's identity, and arbitrary files on the computer. As a result, if a user tries to access a feature that has a dependency on such access, such as inserting a picture from a local file on disk, the access fails and produces a prompt that resembles the following example. To enable an untrusted document to access trusted resources, users must remove Application Guard protection from the document.
![Dialog box saying To help you keep safe, this feature is not available.](../../media/ag10-limitations.png) > [!NOTE] > Advise users to only remove protection if they trust the file and its source or where it came from.
+* When an untrusted document is stored in a trusted location, the trust from the location is inherited by the document. Typically, an organization's cloud storage is identified as a trusted location.
+
* Active content in documents like macros and ActiveX controls are disabled in Application Guard for Office. Users need to remove Application Guard protection to enable active content. * Untrusted files from network shares or files shared from OneDrive, OneDrive for Business, or SharePoint Online from a different organization open as read-only in Application Guard. Users can save a local copy of such files to continue working in the container or remove protection to directly work with the original file.
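Review bot: The added bullet "When an untrusted document is stored in a trusted location, the trust from the location is inherited by the document" describes a security-relevant exception but does not state its consequence. As written, a reader has to infer that such a file is no longer treated as untrusted, and therefore is presumably not isolated by Application Guard. Please say explicitly what happens when the file is opened, and link to where administrators define trusted locations, so they can review which cloud storage and other locations carry that trust. The bullet is also inserted between the "remove protection" note and the active-content bullet; placing it next to the bullet about files from OneDrive, OneDrive for Business, or SharePoint Online would keep the storage-location behaviour in one place.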