Updates from: 02/12/2021 04:27:48
Category Microsoft Docs article Related commit history on GitHub Change details
commerce https://docs.microsoft.com/en-us/microsoft-365/commerce/subscriptions/cancel-your-subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/cancel-your-subscription.md
@@ -31,7 +31,7 @@ Last updated
::: moniker-end
-*Eligibility:* If you have fewer than 25 licenses assigned to users, you can cancel your Microsoft 365 for business trial or paid subscription online in the Microsoft 365 admin center at any time. If you have more than 25 licenses assigned to users, [call support to cancel your subscription](../../admin/contact-support-for-business-products.md).
+*Eligibility:* If you have fewer than 25 licenses assigned to users, you can cancel your Microsoft 365 for business trial or paid subscription online in the Microsoft 365 admin center at any time. If you have more than 25 licenses assigned to users, reduce it to less than 25 or [call support to cancel your subscription](../../admin/contact-support-for-business-products.md).
*Refund:* Any prorated credit will be returned to you within the next billing cycle.
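Review bot: The new Eligibility sentence still leaves exactly 25 assigned licenses uncovered: online cancellation applies to "fewer than 25", the support path to "more than 25", and the added "reduce it to less than 25" keeps the same gap. State which side 25 falls on, and replace "reduce it" with an explicit object such as "reduce the number of assigned licenses to fewer than 25" so the wording matches the first sentence.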
@@ -152,4 +152,4 @@ If you want to completely close your account with Microsoft, see [Close your acc
[Renew your subscription](renew-your-subscription.md) (article)\ [Reactivate your subscription](reactivate-your-subscription.md) (article)\
-[Move users to a different subscription](move-users-different-subscription.md) (article)
+[Move users to a different subscription](move-users-different-subscription.md) (article)
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/apply-irm-to-a-list-or-library https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-irm-to-a-list-or-library.md
@@ -25,7 +25,7 @@
# Apply Information Rights Management (IRM) to a list or library
-You can use Information Rights Management (IRM) to help control and protect files that are downloaded from lists or libraries.
+You can use Information Rights Management (IRM) to help control and protect files that are downloaded from lists or libraries. This feature is only supported in the Microsoft global cloud. IRM is not supported for SharePoint lists and libraries in national cloud deployments.
## Administrator preparations before applying IRM
@@ -68,7 +68,7 @@ You can use Information Rights Management (IRM) to help control and protect file
|Select this option if you want to restrict access to content to a specified period of time. If you select this option, people's issuance licenses to access the content will expire after the specified number of days, and people will be required to return to the server to verify their credentials and download a new copy.|Select the **After download, document access rights will expire after these number of days (1-365)** check box, and then specify the number of days for which you want the document to be viewable.| | Prevent people from uploading documents that do not support IRM to this list or library. If you select this option, people will not be able to upload any of the following file types: File types that do not have corresponding IRM protectors installed on all of the front-end web servers. File types that SharePoint Server 2010 cannot decrypt. File types that are IRM protected in another program.|Select the **Do not allow users to upload documents that do not support IRM** check box.| |Remove restricted permissions from this list or library on a specific date.|Select the **Stop restricting access to the library at** check box, and then select the date that you want.|
-|Control the interval that credentials are cached for the program that is licensed to open the document. This setting is only supported in the Microsoft global cloud. The setting is not available in national cloud deployments.|Select the **Users must verify their credentials using this interval (days)** check box, then enter the interval for caching credentials in number of days.|
+|Control the interval that credentials are cached for the program that is licensed to open the document.|Select the **Users must verify their credentials using this interval (days)** check box, then enter the interval for caching credentials in number of days.|
|Allow group protection so that users can share with members of the same group.|Select **Allow group protection**, and enter the group's name for sharing.| 8. After you finish selecting the options you want, select **OK**.
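Review bot: Removing the national-cloud caveat from the credential-caching row only holds if the limitation really covers the whole feature, as the intro sentence added in the previous hunk now states; the earlier text scoped it to this one setting. Confirm the broader scope is intended, and consider putting the intro statement in a note callout so readers who jump straight to this table still see it.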
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/communication-compliance-feature-reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-feature-reference.md
@@ -60,8 +60,8 @@ Choose from these role group options when configuring communication compliance:
|:--|:--| | **Communication Compliance** | Use this role group to manage communication compliance for your organization in a single group. By adding all user accounts for designated administrators, analysts, investigators, and viewers, you can configure communication compliance permissions in a single group. This role group contains all the communication compliance permission roles. This configuration is the easiest way to quickly get started with communication compliance and is a good fit for organizations that do not need separate permissions defined for separate groups of users. | | **Communication Compliance Admin** | Use this role group to initially configure communication compliance and later to segregate communication compliance administrators into a defined group. Users assigned to this role group can create, read, update, and delete communication compliance policies, global settings, and role group assignments. Users assigned to this role group cannot view message alerts. |
-| **Communication Compliance Analyst** | Use this group to assign permissions to users that will act as communication compliance analysts. Users assigned to this role group can view policies where they are assigned as Reviewers, view message metadata (not message content), escalate to additional reviewers, or send notifications to users. Analysts cannot resolve pending alerts. |
-| **Communication Compliance Investigator** | Use this group to assign permissions to users that will act as communication compliance investigators. Users assigned to this role group can view message metadata and content, escalate to additional reviewers, escalate to an Advanced eDiscovery case, send notifications to users, and resolve the alert. |
+| **Communication Compliance Analyst** | Use this group to assign permissions to users that will act as communication compliance analysts. Users assigned to this role group can view policies where they are assigned as Reviewers, view message metadata (not message content), escalate to other reviewers, or send notifications to users. Analysts cannot resolve pending alerts. |
+| **Communication Compliance Investigator** | Use this group to assign permissions to users that will act as communication compliance investigators. Users assigned to this role group can view message metadata and content, escalate to other reviewers, escalate to an Advanced eDiscovery case, send notifications to users, and resolve the alert. |
| **Communication Compliance Viewer** | Use this group to assign permissions to users that will manage communication reports. Users assigned to this role group can access all reporting widgets on the communication compliance home page and can view all communication compliance reports. | ### For organizations using the original permissions and role groups
@@ -409,6 +409,8 @@ Complete the following steps to delete a Power Automate flow:
The new **Reports** dashboard is the central location for viewing all communication compliance reports. Report widgets provide a quick view of insights most commonly needed for an overall assessment of the status of communication compliance activities. Information contained in the report widgets is not exportable. Detailed reports provide in-depth information related to specific communication compliance areas and offer the ability to filter, group, sort, and export information while reviewing.
+![Communication compliance reports dashboard](../media/communication-compliance-reports-dashboard.png)
+ The **Reports dashboard** contains the following report widgets and detailed reports links: - **Recent policy matches** widget: displays the number of matches by active policy over time.
@@ -416,9 +418,46 @@ The **Reports dashboard** contains the following report widgets and detailed rep
- **Users with most policy match** widget: displays the users (or anonymized usernames) and number of policy matches for a given period. - **Policy with most matches** widget: displays the policies and the number of matches for a given period, ranked highest to lowest for matches. - **Escalations by policy** widget: displays the number of escalations per policy over a given time.-- **Policy settings and status** detailed report: provides a detailed look at policy configuration and settings, as well as the general status for each of the policy (matches and actions) on messages. Use the *Export* option to create a .CSV file containing the report details.-- **Items and actions per policy** detailed report: Review and export matching items and remediation actions per policy. Use the *Export* option to create a .CSV file containing the report details.-- **Item and actions per location** detailed report: Review and export matching items and remediation actions per Microsoft 365 location. Use the *Export* option to create a .CSV file containing the report details.
+- **Policy settings and status** detailed report: provides a detailed look at policy configuration and settings, as well as the general status for each of the policy (matches and actions) on messages. Includes policy information and how policies are associated with users and groups, locations, review percentages, reviewers, status, and when the policy was last modified. Use the *Export* option to create a .CSV file containing the report details.
+- **Items and actions per policy** detailed report: Review and export matching items and remediation actions per policy. Includes policy information and how policies are associated with:
+
+ - Items matched
+ - Escalated items
+ - Resolved items
+ - Tagged as compliant
+ - Tagged as non-compliant
+ - Tagged as questionable
+ - Items pending review
+ - User notified
+ - Case created
+
+ Use the *Export* option to create a .csv file containing the report details.
+- **Item and actions per location** detailed report: Review and export matching items and remediation actions per Microsoft 365 location. Includes information about how workload platforms are associated with:
+
+ - Items matched
+ - Escalated items
+ - Resolved items
+ - Tagged as compliant
+ - Tagged as non-compliant
+ - Tagged as questionable
+ - Items pending review
+ - User notified
+ - Case created
+
+ Use the *Export* option to create a .csv file containing the report details.
+- **Activity by user** detailed report: Review and export matching items and remediation actions per user. Includes information about how users are associated with:
+
+ - Items matched
+ - Escalated items
+ - Resolved items
+ - Tagged as compliant
+ - Tagged as non-compliant
+ - Tagged as questionable
+ - Items pending review
+ - User notified
+ - Case created
+
+ Use the *Export* option to create a .csv file containing the report details.
## Audit
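Review bot: The new "Activity by user" report exports per-user match and remediation data, but unlike the "Users with most policy match" widget, which mentions "users (or anonymized usernames)", it does not say whether anonymization carries through to the exported file; state that explicitly. The same nine-item list is also repeated verbatim under three reports and could be given once, and the export sentence uses ".CSV" in the first bullet but ".csv" in the added ones.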
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management-configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-configure.md
@@ -39,6 +39,7 @@ Before you get started with insider risk management, you should confirm your [Mi
- Microsoft 365 G5 subscription (paid or trial version) - Microsoft 365 G3 subscription + the Microsoft 365 G5 Compliance add-on - Microsoft 365 G3 subscription + the Microsoft 365 G5 Insider Risk Management add-on
+- Office 365 E3 subscription + Enterprise Mobility and Security E3 + the Microsoft 365 E5 Compliance add-on
Users included in insider risk management policies must be assigned one of the licenses above.
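Review bot: The added "Office 365 E3 subscription + Enterprise Mobility and Security E3 + the Microsoft 365 E5 Compliance add-on" entry lands directly after the G5 and G3 entries, so in the visible context it reads as part of the government list; if the list has E-series entries above this hunk, place it with them. The identical line is also added to insider-risk-solution-overview.md, so the two subscription lists now have to be kept in sync by hand.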
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/insider-risk-solution-overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-solution-overview.md
@@ -76,6 +76,7 @@ Insider risk management is available in the following subscriptions:
- Microsoft 365 G5 subscription (paid or trial version) - Microsoft 365 G3 subscription + the Microsoft 365 G5 Compliance add-on - Microsoft 365 G3 subscription + the Microsoft 365 G5 Insider Risk Management add-on
+- Office 365 E3 subscription + Enterprise Mobility and Security E3 + the Microsoft 365 E5 Compliance add-on
### Information barriers
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/prepare-tls-1.2-in-office-365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/prepare-tls-1.2-in-office-365.md
@@ -1,7 +1,7 @@
Title: Preparing for TLS 1.2 in Office 365 and Office 365 GCC description: How to prepare to use TLS 1.2 for all client-server and browser-server combinations in Office 365 and Office 365 GCC after support for TLS 1.0 and 1.1 is disabled.-+ localization_priority: Normal search.appverid:
@@ -31,6 +31,8 @@ We have already begun deprecation of TLS 1.0 and 1.1 as of January 2020. Any cli
We recommend that all client-server and browser-server combinations use TLS 1.2 (or a later version) in order to maintain connection to Office 365 services. You might have to update certain client-server and browser-server combinations.
+You'll need to update applications that call Microsoft 365 APIs over TLS 1.0 or TLS 1.1 to use TLS 1.2. .NET 4.5 defaults to TLS 1.1. To update your .NET configuration, see [How to enable Transport Layer Security (TLS) 1.2 on clients](https://docs.microsoft.com/mem/configmgr/core/plan-design/security/enable-tls-1-2-client).
+ The following clients are known to be unable to use TLS 1.2. Update these clients to ensure uninterrupted access to the service. - Android 4.3 and earlier versions
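Review bot: The added claim ".NET 4.5 defaults to TLS 1.1" carries no version range and no citation, and it names the product as ".NET 4.5" where the heading added to the deprecation article says ".NET Framework". Verify the default against the linked TLS guidance and name the affected versions precisely, since readers will use this sentence to decide which applications need a change. The first added sentence is also ambiguous about whether "to use TLS 1.2" attaches to "update" or to "call"; "Update any application that calls Microsoft 365 APIs over TLS 1.0 or TLS 1.1 so that it uses TLS 1.2" avoids that.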
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-office-apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
@@ -80,7 +80,7 @@ The numbers listed are the minimum Office application version required for each
|[Apply a default label](sensitivity-labels.md#what-label-policies-can-do) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Require a justification to change a label](sensitivity-labels.md#what-label-policies-can-do) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Provide help link to a custom help page](sensitivity-labels.md#what-label-policies-can-do) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
-|[Mark the content](sensitivity-labels.md#what-label-policies-can-do) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
+|[Mark the content](sensitivity-labels.md#what-sensitivity-labels-can-do) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
|[Dynamic markings with variables](#dynamic-markings-with-variables) | Under review | Under review | Under review | Under review | Under review | |[Assign permissions now](encryption-sensitivity-labels.md#assign-permissions-now) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Let users assign permissions](encryption-sensitivity-labels.md#let-users-assign-permissions) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/technical-reference-details-about-encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/technical-reference-details-about-encryption.md
@@ -5,7 +5,6 @@ f1.keywords:
Previously updated : 06/15/2020 audience: ITPro
@@ -51,7 +50,7 @@ TLS version 1.3 (TLS 1.3) is currently not supported.
## Support for TLS 1.0 and 1.1 deprecation
-Office 365 stopped supporting TLS 1.0 and 1.1 on October 31, 2018. New issues found in clients, devices, or services that connect to Office 365 over TLS 1.0 and 1.1 won't be fixed. Official deprecation for GCC High and DoD environments began January 15, 2020. Deprecation of TLS 1.0 and 1.1 for Worldwide and GCC environments began October 15, 2020.
+Office 365 stopped supporting TLS 1.0 and 1.1 on October 31, 2018. We have completed disabling TLS 1.0 and 1.1 in GCC High and DoD environments. We began disabling TLS 1.0 and 1.1 for Worldwide and GCC environments beginning on October 15, 2020 and will continue with roll-out over the next weeks and months.
To maintain a secure connection to Office 365 and Microsoft 365 services, all client-server and browser-server combinations use TLS 1.2 and modern cipher suites. You might have to update certain client-server and browser-server combinations. For information about how this change impacts you, see [Preparing for the mandatory use of TLS 1.2 in Office 365](https://support.microsoft.com/help/4057306/preparing-for-tls-1-2-in-office-365).
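Review bot: The rewritten sentence drops "New issues found in clients, devices, or services that connect to Office 365 over TLS 1.0 and 1.1 won't be fixed", which was the only text explaining what "stopped supporting" meant on October 31, 2018; keep it or define the term. "We began disabling ... beginning on October 15, 2020" is redundant, and "over the next weeks and months" will go stale, so give a date or link to the rollout status instead.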
@@ -72,7 +71,7 @@ Office 365 responds to a connection request by first attempting to connect using
> [!IMPORTANT] > Be aware that TLS versions deprecate, and that deprecated versions *should not be used* where newer versions are available. TLS 1.3 is currently not supported. If your legacy services do not require TLS 1.0 or 1.1 you should disable them.
-| Cipher suite | Key exchange algorithm/strength | Perfect Forward Secrecy | Cipher/strength | Authentication algorithm |
+| Cipher suite | Key exchange algorithm/strength | Forward Secrecy | Cipher/strength | Authentication algorithm |
|:--|:--|:--|:--|:--| |TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 <br/> |ECDH/192 <br/>|Yes <br/>|AES/256 <br/>|RSA/112 <br/> | |TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 <br/> |ECDH/128 <br/>|Yes <br/>|AES/128 <br/>|RSA/112 <br/> |
@@ -85,7 +84,7 @@ Office 365 responds to a connection request by first attempting to connect using
These cipher suites supported TLS 1.0 and 1.1 protocols until their deprecation date. For GCC High and DoD environments that deprecation date was January 15, 2020, and for Worldwide and GCC environments that date was October 15, 2020.
-| Protocols | Cipher suite name | Key exchange algorithm/Strength | Perfect Forward Secrecy support | Authentication algorithm/Strength | Cipher/Strength |
+| Protocols | Cipher suite name | Key exchange algorithm/Strength | Forward Secrecy support | Authentication algorithm/Strength | Cipher/Strength |
|:--|:--|:--|:--|:--|:--| |TLS 1.0, 1.1, 1.2 <br/> |TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA <br/> |ECDH/192 <br/> |Yes <br/> |RSA/112 <br/> |AES/256 <br/> | |TLS 1.0, 1.1, 1.2 <br/> |TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA <br/> |ECDH/128 <br/> |Yes <br/> |RSA/112 <br/> |AES/128 <br/> |
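Review bot: The column is renamed to "Forward Secrecy support" here but to "Forward Secrecy" in the first table; use one header in both. The context paragraph above this table still describes January 15, 2020 and October 15, 2020 as "that deprecation date" in the past tense, which no longer matches the intro's new wording that disabling for Worldwide and GCC is a continuing rollout.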
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/tls-1-2-in-office-365-gcc https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/tls-1-2-in-office-365-gcc.md
@@ -28,10 +28,6 @@ Although the [Microsoft TLS 1.0 implementation](https://support.microsoft.com/he
[Solving the TLS 1.0 problem](https://www.microsoft.com/download/details.aspx?id=55266)
-You must use TLS version 1.2 instead. For more information, see [Preparing for the mandatory use of TLS 1.2 in Office 365](https://support.microsoft.com/help/4057306/preparing-for-tls-1-2-in-office-365).
-
-For SharePoint and OneDrive, you'll need to update and configure .NET to support TLS 1.2. For information, see [How to enable TLS 1.2 on clients](https://docs.microsoft.com/mem/configmgr/core/plan-design/security/enable-tls-1-2-client).
- ## More information Starting on January 15, 2020, Office 365 in the GCC High and DoD environments will deprecate TLS 1.1 and 1.0.
@@ -40,7 +36,11 @@ By January 15, 2020, all combinations of client servers and browser servers shou
If you do not update to TLS version 1.2 (or a later version) by January 15, 2020, you will experience issues when you try to connect to Office 365. Additionally, you will be required to update to TLS 1.2 (or a later version) as part of the resolution.
-We know that the following clients cannot use TLS 1.2:
+You must update your client computers to make sure that you maintain uninterrupted access to Office 365 GCC High and DoD.
+
+You'll need to update applications that call Microsoft 365 APIs over TLS 1.0 or TLS 1.1 to use TLS 1.2. .NET 4.5 defaults to TLS 1.1. To update your .NET configuration, see [How to enable Transport Layer Security (TLS) 1.2 on clients](https://docs.microsoft.com/mem/configmgr/core/plan-design/security/enable-tls-1-2-client). For more information, see [Preparing for the mandatory use of TLS 1.2 in Office 365](https://support.microsoft.com/help/4057306/preparing-for-tls-1-2-in-office-365).
+
+We know that the following client applications cannot use TLS 1.2:
- Android 4.3 and earlier versions - Firefox version 5.0 and earlier versions
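Review bot: Changing the list intro to "client applications" makes it less accurate, because the list that follows starts with "Android 4.3 and earlier versions", which is a platform rather than an application; "clients" was the better term. The context line above still says "If you do not update to TLS version 1.2 (or a later version) by January 15, 2020, you will experience issues" in the future tense, so the surrounding dates need the same refresh as the added paragraphs.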
@@ -48,9 +48,7 @@ We know that the following clients cannot use TLS 1.2:
- Internet Explorer 10 on Windows Phone 8.0 - Safari 6.0.4/OS X 10.8.4 and earlier versions
-We recommend that you update your clients to make sure that you maintain uninterrupted access to Office 365 GCC High and DoD.
-
-Although current analysis of connections to Microsoft Online services shows that most services and endpoints see very little TLS 1.1 and 1.0 usage, we are providing notice of this change so that you can update any affected clients or servers as necessary before support for TLS 1.1 and 1.0 ends. If you are using any on-premises infrastructure for hybrid scenarios or Active Directory Federation Services (AD FS), make sure that the infrastructure can support both inbound and outbound connections that use TLS 1.2 (or a later version).
+Although current analysis of connections to Microsoft Online services shows that most services and endpoints see very little TLS 1.1 and 1.0 usage, we're providing notice of this change so that you can update any affected clients or servers as necessary before support for TLS 1.1 and 1.0 ends. If you are using any on-premises infrastructure for hybrid scenarios or Active Directory Federation Services (AD FS), make sure that the infrastructure can support both inbound and outbound connections that use TLS 1.2 (or a later version).
In addition to the outages that you might experience if you use the listed clients that cannot use TLS 1.2, removing TLS 1.1 and 1.0 will prevent you from being able to use the following Microsoft product:
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/tls-1.0-and-1.1-deprecation-for-office-365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/tls-1.0-and-1.1-deprecation-for-office-365.md
@@ -1,6 +1,6 @@
Title: TLS 1.0 and 1.1 deprecation for Office 365
-description: Describes TLS 1.0 and 1.1 deprecation for Office 365.
+ Title: Disabling TLS 1.0 and 1.1 for Microsoft 365
+description: Describes TLS 1.0 and 1.1 deprecation and disablement for Microsoft 365.
localization_priority: Normal
@@ -9,7 +9,7 @@ search.appverid:
audience: ITPro -+ appliesto: - Microsoft 365 Apps for enterprise
@@ -19,13 +19,16 @@ appliesto:
- Office Web Apps
-# TLS 1.0 and 1.1 deprecation for Office 365
+# Disabling TLS 1.0 and 1.1 for Microsoft 365
+ > [!IMPORTANT]
-> We temporarily halted deprecation enforcement of TLS 1.0 and 1.1 for commercial customers due to COVID-19, but as supply chains have adjusted and certain countries open back up, we are resetting the TLS enforcement to begin October 15, 2020, and rollout will continue over the following weeks and months.
+> We temporarily halted disablement of TLS 1.0 and 1.1 for commercial customers due to COVID-19. As supply chains have adjusted and certain countries open back up, we restarted the TLS 1.2 enforcement rollout on October 15, 2020. Rollout will continue over the following weeks and months.
+
+As of October 31, 2018, the Transport Layer Security (TLS) 1.0 and 1.1 protocols are deprecated for the Microsoft 365 service. The effect for end-users is minimal. This change has been publicized for over two years, with the first public announcement made in December 2017. This article is only intended to cover the Office 365 local client in relation to the Office 365 service but can also apply to on-premises TLS issues with Office and Office Online Server/Office Web Apps.
-As of October 31, 2018, the Transport Layer Security (TLS) 1.0 and 1.1 protocols are deprecated for the Office 365 service. The effect for end-users is expected to be minimal. This change has been publicized for over two years, with the first public announcement made in December 2017. This article is only intended to cover the Office 365 local client in relation to the Office 365 service but can also apply to on-premises TLS issues with Office and Office Online Server/Office Web Apps.
+For SharePoint and OneDrive, you'll need to update and configure .NET to support TLS 1.2. For information, see [How to enable TLS 1.2 on clients](https://docs.microsoft.com/mem/configmgr/core/plan-design/security/enable-tls-1-2-client).
-## Office and TLS overview
+## Office 365 and TLS overview
The Office client relies on the Windows web service (WINHTTP) to send and receive traffic over TLS protocols. The Office client can use TLS 1.2 if the web service of the local computer can use TLS 1.2. All Office clients can use TLS protocols, as TLS and SSL protocols are part of the operating system and not specific to the Office client.
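Review bot: The H1 and the first paragraph now say "Microsoft 365", but the renamed H2 says "Office 365 and TLS overview" and the same paragraph goes on to "the Office 365 local client in relation to the Office 365 service"; choose one product name per concept. "The effect for end-users is minimal" is now stated as fact while the note above says the rollout is still continuing, so the earlier "is expected to be minimal" was the more accurate wording. The SharePoint and OneDrive .NET paragraph added here also overlaps the ".NET Framework" section added at the end of the article.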
@@ -70,8 +73,16 @@ The following table shows the appropriate registry key values in Office 365 clie
|TLS 1.2|0x00000800| > [!IMPORTANT]
-> We don't recommend that you use the SSL 2.0 and 3.0 protocols, which can also be set by using the **DefaultSecureProtocols** key. SSL 2.0 and 3.0 are considered deprecated protocols. The best practice is to end the use of SSL 2.0 and SSL 3.0, although the decision to do this ultimately depends on what best meets your product needs. For more information about SSL 3.0 vulnerabilities, refer to [KB 3009008](https://support.microsoft.com/help/3009008).
+> Don't use the SSL 2.0 and 3.0 protocols, which can also be set by using the **DefaultSecureProtocols** key. SSL 2.0 and 3.0 are considered outdated and insecure protocols. The best practice is to end the use of SSL 2.0 and SSL 3.0, although the decision to do this ultimately depends on what best meets your product needs. For more information about SSL 3.0 vulnerabilities, refer to [KB 3009008](https://support.microsoft.com/help/3009008).
You can use the default Windows Calculator in Programmer mode to set up the same reference registry key values. For more information, see [KB 3140245 Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows](https://support.microsoft.com/help/3140245). Regardless if the Windows 7 update ([KB 3140245](https://support.microsoft.com/help/3140245)) is installed or not, the DefaultSecureProtocols registry sub key isn't present and must be added manually or through a group policy object (GPO). That is, unless you have to customize what secure protocols are enabled or restricted, this key is not required. You only need the Windows 7 SP1 ([KB 3140245](https://support.microsoft.com/help/3140245)) update.+
+## Update and configure the .NET Framework to support TLS 1.2
+
+You'll need to update applications that call Microsoft 365 APIs over TLS 1.0 or TLS 1.1 to use TLS 1.2. .NET 4.5 defaults to TLS 1.1. To update your .NET configuration, see [How to enable Transport Layer Security (TLS) 1.2 on clients](https://docs.microsoft.com/mem/configmgr/core/plan-design/security/enable-tls-1-2-client).
+
+## More information
+
+For more information, see [Preparing for the mandatory use of TLS 1.2 in Office 365](https://support.microsoft.com/help/4057306/preparing-for-tls-1-2-in-office-365).
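Review bot: The IMPORTANT note now opens with the imperative "Don't use the SSL 2.0 and 3.0 protocols" but keeps "although the decision to do this ultimately depends on what best meets your product needs", which undercuts it; drop the trailing clause so the guidance is unambiguous. The context paragraph before the new section says the DefaultSecureProtocols sub key "must be added manually" and then that "this key is not required", which is worth untangling while this area is being edited.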
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/whats-new https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
@@ -31,6 +31,25 @@ Whether it be adding new solutions to the [Microsoft 365 compliance center](micr
> Interested in what's going on in other admin centers? Check out these articles:<br>[What's new in the Microsoft 365 admin center](https://docs.microsoft.com/office365/admin/whats-new-in-preview)<br>[What's new in the SharePoint admin center](https://docs.microsoft.com/sharepoint/what-s-new-in-admin-center)<br>[What's new in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/whats-new)<br><br> And visit the [Microsoft 365 Roadmap](https://www.microsoft.com/en-us/microsoft-365/roadmap) to learn about Microsoft 365 features that were launched, are rolling out, are in development, have been cancelled, or previously released.
+## January 2021
+
+### Support for card content in Teams
+
+The following Microsoft 365 compliance solutions now support the detection of [card content](https://docs.microsoft.com/microsoftteams/platform/task-modules-and-cards/what-are-cards) generated through apps in Teams messages:
+
+- **Core and Advanced eDiscovery**. Card content can now be [placed on hold](create-ediscovery-holds.md#preserve-card-content) or included in [searches](https://docs.microsoft.com/microsoftteams/ediscovery-investigation#search-for-card-content) (applies to content search as well).
+- **Audit**. Card activity is now [recorded to the audit log](https://docs.microsoft.com/microsoftteams/audit-log-events#teams-activities).
+- **Retention policies**. Can now use retention policies to [retain and delete card content](retention-policies-teams.md#whats-included-for-retention-and-deletion).
+
+### Information governance and records management
+
+[New assessment](retention-regulatory-requirements.md#new-zealand-public-records-act) to address using information governance and records management to help meet compliance obligations for the New Zealand Public Records Act.
+
+### Sensitivity labels
+
+- Sensitivity labels are now supported for US Government tenants (GCC and GCC-H).
+- New [automatic labeling](sensitivity-labels-office-apps.md) support for macOS.
+ ## December 2020 ### Spotlight: New content for insider risk solutions
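Review bot: The Retention policies bullet is a fragment ("Can now use retention policies to ...") while the other two bullets in that list are full sentences; "You can now use" fixes it. "GCC-H" should be written as "GCC High", and the automatic labeling link points at sensitivity-labels-office-apps.md with no section anchor, unlike the other relative links in this hunk.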
@@ -235,29 +254,3 @@ Retention-related admin activity is now recorded and available to review in the
- When [adding a collection to a review set](add-data-to-review-set.md#define-options-to-scope-your-collection-for-review), you can now include modern attachments (also called ΓÇ£cloud attachmentsΓÇ¥) and SharePoint document versions. - New [direct download export experience](export-documents-from-review-set.md), eliminating the need to use Azure Storage Explorer to download case content.-
-## July 2020
-
-### Spotlight on help docs
-
-To help you understand which compliance solutions are used to protect and govern your organizationΓÇÖs sensitive data, we created two new landing pages with overviews of how the solutions work together to achieve those goals, including links to related docs so you can dive in further.
-
-[Microsoft Information Protection in Microsoft 365](information-protection.md)<br>
-[Microsoft Information Governance in Microsoft 365](manage-Information-governance.md)
-
-### Advanced eDiscovery: Add non-custodial data sources to your cases
-
-Add data to a case without having to associate it with a custodian (known as [non-custodial data sources](non-custodial-data-sources.md)). And if you need to place this non-custodial data on hold, youΓÇÖll be able to do so using our new Advanced Indexing feature.
-
-### Data connectors: HR connector enhancements
-
-(In preview) A new version of the [HR connector](import-hr-data.md) lets you import data related to job level changes, performance reviews, and performance improvement plans. This data can then be used in several [insider risk policies](insider-risk-management-policies.md) to detect related activity.
-
-### Retention labels: New support for email
-
-You can now create a [retention label](retention.md#retention-labels) to start retaining email based on when messages were labeled. This doesnΓÇÖt apply to calendar items, which will be retained based on when the item is sent.
-
-### Sensitivity labels: New feature and an improvement
--- (In preview) When configuring encryption settings for a label, look for the new option to use [Double Key Encryption](encryption-sensitivity-labels.md#double-key-encryption) to further protect labeled files and emails.-- When creating or deleting sensitivity labels or creating, editing, or deleting their label policies, changes now synchronize within 1 hour to all users, apps, and services.
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/cloud-only-prereqs-m365-test-environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cloud-only-prereqs-m365-test-environment.md
@@ -5,7 +5,6 @@ f1.keywords:
- NOCSH Previously updated : 12/12/2019 audience: ITPro
@@ -21,19 +20,20 @@ description: Create a Microsoft 365 environment to test identity and device acce
*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.*
-[Identity and device access configurations](../security/office-365-security/microsoft-365-policies-configurations.md) are a set of configurations and conditional access policies to protect access to all services that are integrated with Azure Active Directory (Azure AD).
+[Identity and device access configurations](../security/office-365-security/microsoft-365-policies-configurations.md) are a set of recommended configurations and conditional access policies to protect access to all services that are integrated with Azure Active Directory (Azure AD).
This article describes how to configure a Microsoft 365 test environment that meets the requirements of the [cloud only prerequisite configuration](../security/office-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
-There are seven phases to setting up this test environment:
+There are eight phases to setting up this test environment:
-1. Build out your lightweight test environment
-2. Configure named locations
-3. Configure password writeback
-4. Configure self-service password resets
-5. Configure multifactor authentication
-6. Enable Azure AD Identity Protection
-7. Enable modern authentication for Exchange Online and Skype for Business Online
+1. Build out your lightweight test environment
+2. Configure named locations
+3. Configure self-service password reset
+4. Configure multifactor authentication
+5. Enable automatic device registration of domain-joined Windows computers
+6. Configure Azure AD password protection
+7. Enable Azure AD Identity Protection
+8. Enable modern authentication for Exchange Online and Skype for Business Online
## Phase 1: Build out your lightweight Microsoft 365 test environment
@@ -42,18 +42,13 @@ Here is the resulting configuration.
![The lightweight Microsoft 3656 Enterprise test environment](../media/lightweight-base-configuration-microsoft-365-enterprise/Phase4.png) - ## Phase 2: Configure named locations First, determine the public IP addresses or address ranges used by your organization. Next, follow the instructions in [Configure named locations in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/reports-monitoring/quickstart-configure-named-locations) to add the addresses or address ranges as named locations.
-## Phase 3: Configure password writeback
-
-Follow the instructions in [Phase 2 of the password writeback Test Lab Guide](password-writeback-m365-ent-test-environment.md#phase-2-enable-password-writeback-for-the-testlab-ad-ds-domain).
-
-## Phase 4: Configure self-service password reset
+## Phase 3: Configure self-service password reset
Follow the instructions in [Phase 3 of the password reset Test Lab Guide](password-reset-m365-ent-test-environment.md#phase-3-configure-and-test-password-reset).
@@ -66,7 +61,7 @@ When enabling password reset for the accounts in a specific Azure AD group, add
Test password reset only for the User 2 account.
-## Phase 5: Configure multi-factor authentication
+## Phase 4: Configure multi-factor authentication
Follow the instructions in [Phase 2 of the multi-factor authentication Test Lab Guide](multi-factor-authentication-microsoft-365-test-environment.md#phase-2-enable-and-test-multi-factor-authentication-for-the-user-2-account) for the following user accounts:
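Review bot: the renumbered heading `## Phase 4: Configure multi-factor authentication` keeps the hyphenated spelling, while the phase list added earlier in this same article change reads `4. Configure multifactor authentication`. Pick one spelling for the list, the heading and the body text so that the numbered overview and the section it points to match.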
@@ -77,11 +72,19 @@ Follow the instructions in [Phase 2 of the multi-factor authentication Test Lab
Test multi-factor authentication only for the User 2 account.
-## Phase 6: Enable Azure AD Identity Protection
+## Phase 5: Enable automatic device registration of domain-joined Windows computers
+
+Follow [these instructions](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) to enable automatic device registration of domain-joined Windows computers.
+
+## Phase 6: Configure Azure AD password protection
+
+Follow [these instructions](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad) to block known weak passwords and their variants.
+
+## Phase 7: Enable Azure AD Identity Protection
Follow the instructions in [Phase 2 of the Azure AD Identity Protection Test Lab Guide](azure-ad-identity-protection-microsoft-365-test-environment.md#phase-2-use-azure-ad-identity-protection).
-## Phase 7: Enable modern authentication for Exchange Online and Skype for Business Online
+## Phase 8: Enable modern authentication for Exchange Online and Skype for Business Online
For Exchange Online, follow [these instructions](https://docs.microsoft.com/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online#enable-or-disable-modern-authentication-in-exchange-online-for-client-connections-in-outlook-2013-or-later).
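Review bot: the new Phase 5 in this cloud-only guide links to `hybrid-azuread-join-plan`, a hybrid Azure AD join planning article, yet the article builds the lightweight cloud-only environment and nothing in the visible steps sets up domain-joined Windows computers. State the prerequisite the reader needs for this phase, or explain why it applies to the cloud-only configuration. Separately, Phases 5 and 6 both use the link text "these instructions", and Phase 6 targets a concept page (`concept-password-ban-bad`): name the destination article in the link text and say which setting to configure. Unlike Phases 3 and 4, neither new phase tells the reader what to test afterwards.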
@@ -101,7 +104,7 @@ For Skype for Business Online:
Get-CsOAuthConfiguration ```
-The result is a test environment that meets the requirements of the [cloud only prerequisite configuration](../security/office-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
+The result is a test environment that meets the requirements of the [cloud-only prerequisite configuration](../security/office-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
## Next step
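Review bot: the closing sentence now reads `cloud-only prerequisite configuration`, but the introduction of the same article still uses the unhyphenated link text `cloud only prerequisite configuration`. Update the introduction in the same change so the article refers to the configuration by one name.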
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/identity-device-access-m365-test-environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/identity-device-access-m365-test-environment.md
@@ -5,7 +5,6 @@ f1.keywords:
- NOCSH Previously updated : 04/23/2019 audience: ITPro
@@ -21,7 +20,7 @@ description: Create a Microsoft 365 environment to test identity and device acce
*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.*
-[Identity and device access configurations](../security/office-365-security/microsoft-365-policies-configurations.md) are a set of features and conditional access policies to protect access to all services that are integrated with Azure Active Directory (Azure AD).
+[Identity and device access configurations](../security/office-365-security/microsoft-365-policies-configurations.md) are a set of recommended configurations and conditional access policies to protect access to all services that are integrated with Azure Active Directory (Azure AD).
To create a test environment that has the common identity and device access configurations in place:
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/ms-cloud-germany-transition-add-experience https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-experience.md
@@ -76,12 +76,6 @@ If you're using a hybrid, on-premises deployment:
(i) Customers with Microsoft Power BI must take action in this migration scenario as defined by the Migration process provided. (ii) Failure by the customer to take action will mean that Microsoft will be unable to complete the migration. (iii) When Microsoft is unable to complete the migration due to the customer's inaction, then the customer's subscription will expire on October 29, 2021.
-### Office Apps (Phase 9 of 9)
-
-| Step(s) | Description | Applies to | Impact |
-|:-|:--|:-|:-|
-| Clients, Office Online during Office client cutover, Azure AD finalizes the tenant scope to point to the Office 365 services. | This configuration change enables Office clients to update and point to the Office 365 services endpoints. | All Office customers | - Notify users to close _all_ Office apps and then sign back in (or force clients to restart and users to sign in) to enable Office clients to pick up the change. <br><br> - Notify users and help desk staff that users *may* see an Office banner that prompts them to reactivate Office apps within 72 hours of the cutover. <br><br> - All Office applications on personal machines must be closed, and users must sign out then sign in again. In the Yellow activation bar, sign in to reactivate against Office 365 services. <br><br> - Shared machines will require actions that are similar to personal machines, and won't require a special procedure. <br><br> - On mobile devices, users must sign out of apps, close them, and then sign in again. |
-|||||
## During migration
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/ms-cloud-germany-transition-add-pre-work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-pre-work.md
@@ -40,8 +40,7 @@ Use these links to get to the pre-work steps relevant to your organization:
| Step(s) | Description | Applies to | Impact | |:-|:--|:-|:-|
-| Ensure network connectivity to [Office 365 services URLs and IP addresses](https://aka.ms/o365urls). | All clients and services hosted by the customer that are used to access Office 365 service must be able to access the Office 365 services endpoints. | All transitioning customers, and customers with network access restricted to Microsoft Cloud Deutschland. | Required action. Inaction may result in failures of the service or client software. |
-| Review and prepare for migration-related DNS changes. | Customer prepares DNS entries for Exchange Online and Exchange Online Protection (MX record, etc.). | Exchange Online customers | This is a recommended action. No action means migrated customers' email may route through Microsoft Cloud Deutschland until Microsoft Cloud Deutschland services are disabled. |
+| Ensure network connectivity to [Office 365 services URLs and IP addresses](https://aka.ms/o365urls). | All clients and services hosted by the customer that are used to access Office 365 service must be able to access the Office 365 services endpoints. | All transitioning customers, and customers with network access restricted to Microsoft Cloud Deutschland. | Required action. Failures of the service or client software can occur if this is not done before Phase 4 of 9. |
| Review and prepare for migration-related DNS changes. | Customer-owned DNS zone changes for Skype for Business Online. | Skype For Business Online customers | - We recommend that you update the Time-to-Live (TTL) for any customer-owned domain DNS records to 5 minutes to expedite the refreshing of DNS records. However, the Microsoft-managed cutover associated with this DNS change may occur anytime within the provided 24-hour change window. <br><br> - Disruption of service is possible in the future. Users won't be able to log into Skype for Business and will be redirected to the migrated Teams experience in the Office 365 services. | | Prepare End User and Administration training and readiness for the transition to Microsoft Teams. | Be successful in your transition from Skype to Teams by planning user communication and readiness. | Skype For Business Online customers | - Clients need to be aware of the new services and how to use once their services are transitioned to the Office 365 services. <br><br> - After DNS changes are made for both the customer vanity domains and the initial domain, users would sign into Skype for Business and see that they now are migrated to Teams. This would also download the desktop client for Teams in the background. | | Prepare end-user and administration training about users removing and re-adding their account to Microsoft Outlook for iOS and Android. | Microsoft Outlook for iOS and Android accounts configured with mailboxes in Microsoft Cloud Deutschland may have to be removed and added again to Outlook in order to properly synchronize the new Office 365 services configuration. | Microsoft Outlook for iOS and Android customers | Outlook mailboxes previously configured for Microsoft Cloud Deutschland may not pick up the new Office 365 Services configuration, leading to errors and degraded performance of other user experiences. 
IT admins are encouraged to provide documentation that proactively instructs users to remove and re-add their accounts to Microsoft Outlook for iOS and Android if issues with signing in or synchronizing mail occur after migration. |
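Review bot: the row "Review and prepare for migration-related DNS changes" for Exchange Online customers (MX record and related entries) is deleted here with no replacement in this hunk. Its impact text warned that migrated customers' email may keep routing through Microsoft Cloud Deutschland, so if the guidance moved to another article, add a pointer to it; if it was dropped by accident, restore it. In the rewritten first row, "before Phase 4 of 9" gives a phase number without the workload name, whereas other rows in this change write "Phase 5 of 9 (Exchange)"; use one form throughout.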
@@ -49,8 +48,8 @@ Use these links to get to the pre-work steps relevant to your organization:
| Cancel any trial subscriptions. | Trial subscriptions will not be migrated and will block transfer of paid subscriptions. | All customers | Trial services are expired and non-functioning if accessed by users after cancellation. | | Deploy Teams desktop client for users who access Skype for Business in Germany. | Migration moves users to Teams for collaboration, calling, and chat. Either, deploy the Teams desktop client or ensure that a supported browser is available. | Skype for Business customers | Inaction will result in unavailability of Teams collaboration services. | | Analyze differences in license features between Microsoft Cloud Deutschland and Office 365 Services. | Office 365 services include additional features and services not available in the current Microsoft Cloud Deutschland. During subscription transfer, new features will be available to users. | All customers | - Analyze the different features provided by the licenses for Microsoft Cloud Deutschland and Office 365 Services. Start with the [Office 365 platform Service Description](https://docs.microsoft.com/office365/servicedescriptions/office-365-platform-service-description/office-365-platform-service-description). <br><br> - Determine if any new features of Office 365 services should be initially disabled to limit effects on users or on user change management, and alter user license assignments as needed. <br><br> - Prepare users and help desk staff for new services and features provided by Office 365 services. |
-| Create organization-wide [retention policies](https://docs.microsoft.com/microsoft-365/compliance/retention) to protect from inadvertent deletion of content during migration. | - To ensure that content isn't inadvertently deleted by end users during the migration, customers may choose to enable an organization-wide retention policy. <br><br> - Although retention isn't required, since holds placed at any time during the migration should work as expected, having a retention policy is a back-up safety mechanism. At the same time, a retention policy might not be used by all customers, especially those who are concerned about over preservation. | Office customers | Apply retention policy as described in [Learn about retention policies and retention labels](https://docs.microsoft.com/microsoft-365/compliance/retention-policies). |
-| [Backup of Active Directory Federation Services (AD FS) farm](ms-cloud-germany-transition-add-adfs.md#backup) for disaster recovery scenarios. | Customers need to back up the AD FS farm appropriately to ensure the relying party trusts to global & Germany endpoints can be restored without touching the issuer URI of the domains. Microsoft recommends using AD FS Rapid Restore for a backup of the farm and the respective restore, if necessary. | Federated Authentication organizations | Required Action. Inaction will result in service impact during the migration if the AD FS farm of the customer fails. |
+| Create organization-wide [retention policies](https://docs.microsoft.com/microsoft-365/compliance/retention) to protect from inadvertent deletion of content during migration. | - To ensure that content isn't inadvertently deleted by end users during the migration, customers may choose to enable an organization-wide retention policy. <br><br> - Although retention isn't required, since holds placed at any time during the migration should work as expected, having a retention policy is a back-up safety mechanism. At the same time, a retention policy might not be used by all customers, especially those who are concerned about over preservation. | Office customers | Apply retention policy as described in [Learn about retention policies and retention labels](https://docs.microsoft.com/microsoft-365/compliance/retention-policies). Failures of the service or client software can occur if this is not done before Phase 4 of 9. |
+| [Backup of Active Directory Federation Services (AD FS) farm](ms-cloud-germany-transition-add-adfs.md#backup) for disaster recovery scenarios. | Customers need to back up the AD FS farm appropriately to ensure the relying party trusts to global & Germany endpoints can be restored without touching the issuer URI of the domains. Microsoft recommends using AD FS Rapid Restore for a backup of the farm and the respective restore, if necessary. | Federated Authentication organizations | Required Action. Inaction will result in service impact during the migration if the AD FS farm of the customer fails. For more information, refer to [ADFS Migration steps] (https://docs.microsoft.com/microsoft-365/enterprise/ms-cloud-germany-transition-add-adfs) |
## Exchange Online
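Review bot: in the retention policy row, the added sentence "Failures of the service or client software can occur if this is not done before Phase 4 of 9" contradicts the description in the same row, which says "retention isn't required" and calls the policy "a back-up safety mechanism". It reads as copied from the network connectivity row; either remove it or replace it with the actual consequence of skipping the policy (inadvertent deletion of content). In the AD FS backup row, `[ADFS Migration steps] (https://...)` has a space between `]` and `(`, so the link will not render, and the sentence lacks its closing period.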
@@ -86,7 +85,7 @@ Reworked as text:
| Step(s) | Description | Applies to | Impact | |:-|:--|:-|:-|
-| Uninstall previous versions of Hybrid Configuration wizard (HCW), and then install and execute the latest version, 17.0.5378.0, from [https://aka.ms/hybridwizard](https://aka.ms/hybridwizard). | The latest version of the HCW includes necessary updates to support customers who are transitioning from Microsoft Cloud Deutschland to Office 365 Services. <br><br> Updates include changes to on-premises certificate settings for Send connector and Receive connector. | Exchange Online customers running Hybrid deployment | Required action. Failure to do so may result in service or client failure. |
+| Uninstall previous versions of Hybrid Configuration wizard (HCW), and then install and execute the latest version, 17.0.5378.0, from [https://aka.ms/hybridwizard](https://aka.ms/hybridwizard). | The latest version of the HCW includes necessary updates to support customers who are transitioning from Microsoft Cloud Deutschland to Office 365 Services. <br><br> Updates include changes to on-premises certificate settings for Send connector and Receive connector. | Exchange Online customers running Hybrid deployment | Required action. Failure to do so before Phase 5 of 9 (Exchange) may result in service or client failure. |
||||| <!--
@@ -181,7 +180,7 @@ Office 365 Germany customers who have Azure subscriptions under the same identit
| Step(s) | Description | Applies to | Impact | |:-|:--|:-|:-|
-| Add an identifier for single sign-on (SSO) to an existing relying party trust and disable AD FS metadata auto-updates. | An ID must be added to the AD FS relying party trust before starting your migration. To avoid accidental removal of the relying party identifier, disable auto-update for metadata updates. <br><br> Run this command on the AD FS server: <br> `Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:microsoftonline.de -Identifier @('urn:federation:microsoftonline.de','https://login.microsoftonline.de/extSTS.srf','https://login.microsoftonline.de') -AutoUpdate $False` | Federated authentication organizations | Required Action. Inaction will result in service impact during the migration. |
+| Add an identifier for single sign-on (SSO) to an existing relying party trust and disable AD FS metadata auto-updates. | An ID must be added to the AD FS relying party trust before starting your migration. To avoid accidental removal of the relying party identifier, disable auto-update for metadata updates. <br><br> Run this command on the AD FS server: <br> `Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:microsoftonline.de -Identifier @('urn:federation:microsoftonline.de','https://login.microsoftonline.de/extSTS.srf','https://login.microsoftonline.de') -AutoUpdate $False` | Federated authentication organizations | Required Action. Inaction before Phase 4 of 9 (SharePoint) will result in service impact during the migration. |
| Generate relying party trust for global Azure AD endpoints. | Customers need to manually create a relying party trust (RPT) to [global](https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml) endpoints. This is done by adding a new RPT via GUI by leveraging the global federation metadata URL and then using [Azure AD RPT Claim Rules](https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator#:~:text=%20Azure%20AD%20RPT%20Claim%20Rules%20%201,Azure%20AD.%20This%20will%20be%20what...%20More%20) (in AD FS Help) to generate the claim rules and import them into the RPT. | Federated authentication organizations | Required Action. Inaction will result in service impact during the migration. | |||||
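Review bot: the first AD FS row now sets a deadline, "Inaction before Phase 4 of 9 (SharePoint)", but the following row, "Generate relying party trust for global Azure AD endpoints", still says only "Inaction will result in service impact during the migration". Both are required actions on the same relying party trust configuration, so give the second row the same deadline or explain why it differs. Also confirm that "(SharePoint)" is the right label for a federation prerequisite; a reader without SharePoint could take it to mean the step does not apply to them.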
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/ms-cloud-germany-transition-phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-phases.md
@@ -91,6 +91,15 @@ Back-end Exchange Online Protection (EOP) features are copied to new Germany reg
| Migration of Skype for Business to Teams. | Existing Skype for Business customers are migrated to Office 365 services in Europe and then transitioned to Microsoft Teams in the Germany region of Office 365 services. | Skype for Business customers | - Users won't be able to sign in to Skype for Business on the migration date. Ten days before migration, we'll post to the Admin center to let you know about when the migration will take place, and again when we begin the migration. <br><br> - Policy configuration is migrated. <br><br> - Users will be migrated to Teams and will no longer have Skype for Business after migration. <br><br> - Users must have the Teams desktop client installed. Installation will happen during the 10 days via policy on the Skype for Business infrastructure, but if this fails, users will still need to download the client or connect with a supported browser. <br><br> - Contacts and meetings will be migrated to Teams. <br><br> - Users won't be able to sign in to Skype for Business between time service transitions to Office 365 services, and not until customer DNS entries are completed. <br><br> - Contacts and existing meetings will continue to function as Skype for Business meetings. | ||||| +
+## Office Apps (Phase 8 of 9)
+
+| Step(s) | Description | Applies to | Impact |
+|:-|:--|:-|:-|
+| Clients, Office Online during Office client cutover, Azure AD finalizes the tenant scope to point to the Office 365 services. | This configuration change enables Office clients to update and point to the Office 365 services endpoints. | All Office customers | - Notify users to close _all_ Office apps and then sign back in (or force clients to restart and users to sign in) to enable Office clients to pick up the change. <br><br> - Notify users and help desk staff that users *may* see an Office banner that prompts them to reactivate Office apps within 72 hours of the cutover. <br><br> - All Office applications on personal machines must be closed, and users must sign out then sign in again. In the Yellow activation bar, sign in to reactivate against Office 365 services. <br><br> - Shared machines will require actions that are similar to personal machines, and won't require a special procedure. <br><br> - On mobile devices, users must sign out of apps, close them, and then sign in again. |
+|||||
++ ## Office Services The most recently used (MRU) service in Office is a cutover from the Germany service to Office 365 services, not a migration. Only MRU links from the Office 365 services side will be visible after migration from the Office.com portal. MRU links from the Germany service aren't visible as MRU links in Office 365 services. In Office 365, MRU links are accessible only after the tenant migration is complete.
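Review bot: the Office Apps section is moved here as `## Office Apps (Phase 8 of 9)`, while the copy removed from the additional-experience article was headed `### Office Apps (Phase 9 of 9)`; the table body is unchanged. Confirm which phase number is correct and say so in the commit, because the pre-work rows edited in this same update now cite phase numbers as deadlines ("before Phase 4 of 9", "before Phase 5 of 9 (Exchange)") and an off-by-one here would mislead planning. The heading level also changes from `###` to `##`; check that it matches the sibling phase headings in this article.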
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/phs-prereqs-m365-test-environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/phs-prereqs-m365-test-environment.md
@@ -5,7 +5,6 @@ f1.keywords:
- NOCSH Previously updated : 12/12/2019 audience: ITPro
@@ -23,22 +22,24 @@ description: Create a Microsoft 365 environment to test identity and device acce
[Identity and device access configurations](../security/office-365-security/microsoft-365-policies-configurations.md) are a set of configurations and conditional access policies to protect access to all services in Microsoft 365 for enterprise that are integrated with Azure Active Directory (Azure AD).
-This article describes how to configure a Microsoft 365 test environment that meets the requirements of the [Active Directory with password hash sync prerequisite configuration](../security/office-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
+This article describes how to configure a Microsoft 365 test environment that meets the requirements of the [hybrid with password hash sync authentication prerequisite configuration](../security/office-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
-There are eight phases to setting up this test environment:
+There are ten phases to setting up this test environment:
-1. Create a simulated enterprise with password hash sync test environment
-2. Configure Azure AD seamless single sign-on
-3. Configure named locations
-4. Configure password writeback
-5. Configure self-service password reset for all user accounts
-6. Configure multifactor authentication for all user accounts
-7. Enable Azure AD Identity Protection
-8. Enable modern authentication for Exchange Online and Skype for Business Online
+1. Create a simulated enterprise with password hash sync test environment
+2. Configure Azure AD seamless single sign-on
+3. Configure named locations
+4. Configure password writeback
+5. Configure self-service password reset for all user accounts
+6. Configure multifactor authentication for all user accounts
+7. Enable automatic device registration of domain-joined Windows computers
+8. Configure Azure AD password protection
+9. Enable Azure AD Identity Protection
+10. Enable modern authentication for Exchange Online and Skype for Business Online
## Phase 1: Build out your simulated enterprise with password hash sync Microsoft 365 test environment
-Follow the instructions in [Password hash synchronization](password-hash-sync-m365-ent-test-environment.md).
+Follow the instructions in [the password hash synchronization](password-hash-sync-m365-ent-test-environment.md) Test Lab Guide.
Here is the resulting configuration. ![The simulated enterprise with password hash synchronization test environment](../media/password-hash-sync-m365-ent-test-environment/Phase3.png)
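Review bot: the opening context sentence of this hunk still describes the configurations as "a set of configurations and conditional access policies", while the cloud-only and identity-device-access articles in this same update were changed to "a set of recommended configurations and conditional access policies". Apply the same wording here. In the new Phase 1 line, the link text `[the password hash synchronization]` starts with the article and splits the guide name from "Test Lab Guide"; link the full name instead, for example "the [password hash synchronization Test Lab Guide](...)".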
@@ -81,11 +82,19 @@ Follow the instructions in [Phase 2 of the multi-factor authentication Test Lab
Test multi-factor authentication only for the User 2 account.
-## Phase 7: Enable Azure AD Identity Protection
+## Phase 7: Enable automatic device registration of domain-joined Windows computers
+
+Follow [these instructions](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) to enable automatic device registration of domain-joined Windows computers.
+
+## Phase 8: Configure Azure AD password protection
+
+Follow [these instructions](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad) to block known weak passwords and their variants.
+
+## Phase 9: Enable Azure AD Identity Protection
Follow the instructions in [Phase 2 of the Azure AD Identity Protection Test Lab Guide](azure-ad-identity-protection-microsoft-365-test-environment.md#phase-2-use-azure-ad-identity-protection).
-## Phase 8: Enable modern authentication for Exchange Online and Skype for Business Online
+## Phase 10: Enable modern authentication for Exchange Online and Skype for Business Online
For Exchange Online, follow [these instructions](https://docs.microsoft.com/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online#enable-or-disable-modern-authentication-in-exchange-online-for-client-connections-in-outlook-2013-or-later).
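Review bot: Phase 8 in this hybrid guide reuses the `concept-password-ban-bad` link from the cloud-only guide without saying whether weak-password blocking is expected only for passwords set in Azure AD or also for passwords set in the on-premises AD DS domain. This environment uses password hash sync and password writeback, so passwords can originate on either side; state the intended scope and add a short verification step (for example, attempting a known weak password for the User 2 account), matching the "Test ... only for the User 2 account" pattern of the earlier phases.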
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/pta-prereqs-m365-test-environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/pta-prereqs-m365-test-environment.md
@@ -5,7 +5,6 @@ f1.keywords:
- NOCSH Previously updated : 12/12/2019 audience: ITPro
@@ -25,16 +24,18 @@ description: Create a Microsoft 365 environment to test identity and device acce
This article describes how you can configure a Microsoft 365 test environment that meets the requirements of the [Pass-through authentication prerequisite configuration](../security/office-365-security/identity-access-prerequisites.md#prerequisites) for identity and device access.
-There are eight phases to setting up this test environment:
+There are ten phases to setting up this test environment:
-1. Build out your simulated enterprise with pass-through authentication Microsoft 365 test environment
-2. Configure Azure AD seamless single sign-on
-3. Configure named locations
-4. Configure password writeback
-5. Configure self-service password reset
-6. Configure multifactor authentication
-7. Enable Azure AD Identity Protection
-8. Enable modern authentication for Exchange Online and Skype for Business Online
+1. Build out your simulated enterprise with pass-through authentication Microsoft 365 test environment
+2. Configure Azure AD seamless single sign-on
+3. Configure named locations
+4. Configure password writeback
+5. Configure self-service password reset
+6. Configure multifactor authentication
+7. Enable automatic device registration of domain-joined Windows computers
+8. Configure Azure AD password protection
+9. Enable Azure AD Identity Protection
+10. Enable modern authentication for Exchange Online and Skype for Business Online
## Phase 1: Build out your simulated enterprise with pass-through authentication Microsoft 365 test environment
@@ -82,11 +83,19 @@ Follow the instructions in [Phase 2 of the multi-factor authentication Test Lab
Test multi-factor authentication only for the User 2 account.
-## Phase 7: Enable Azure AD Identity Protection
+## Phase 7: Enable automatic device registration of domain-joined Windows computers
+
+Follow [these instructions](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) to enable automatic device registration of domain-joined Windows computers.
+
+## Phase 8: Configure Azure AD password protection
+
+Follow [these instructions](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad) to block known weak passwords and their variants.
+
+## Phase 9: Enable Azure AD Identity Protection
Follow the instructions in [Phase 2 of the Azure AD Identity Protection Test Lab Guide](azure-ad-identity-protection-microsoft-365-test-environment.md#phase-2-use-azure-ad-identity-protection).
-## Phase 8: Enable modern authentication for Exchange Online and Skype for Business Online
+## Phase 10: Enable modern authentication for Exchange Online and Skype for Business Online
For Exchange Online, follow [these instructions](https://docs.microsoft.com/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online#enable-or-disable-modern-authentication-in-exchange-online-for-client-connections-in-outlook-2013-or-later).
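Review bot: Phase 8 is titled "Configure Azure AD password protection", but its only step links to a concept article (`concept-password-ban-bad`), and Phase 7 likewise links to a planning article (`hybrid-azuread-join-plan`), so neither added phase tells the reader what to change in the test environment or how to confirm that it worked. Suggest linking to the matching how-to article for each and adding a verification line in the style of the existing "Test multi-factor authentication only for the User 2 account." Renumbering the Identity Protection and modern authentication headings from Phase 7/8 to Phase 9/10 also changes their heading anchors, so check for inbound links that use the old anchors.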
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/identity-access-prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-prerequisites.md
@@ -6,7 +6,6 @@
ms.prod: m365-security Previously updated : 09/01/2020 f1.keywords: - NOCSH
@@ -23,15 +22,15 @@ ms.technology: mdo
# Prerequisite work for implementing identity and device access policies
-This article describes the prerequisites admins must meet to use recommended identity and device access policies, and to use Conditional Access. It also discusses the recommended defaults for configuring client platforms for the best single sign-on (SSO) experience.
-
-## Prerequisites
- **Applies to** - [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611) - [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715) - Azure
+This article describes the prerequisites admins must meet to use recommended identity and device access policies, and to use Conditional Access. It also discusses the recommended defaults for configuring client platforms for the best single sign-on (SSO) experience.
+
+## Prerequisites
+ Before using the identity and device access policies that are recommended, your organization needs to meet prerequisites. The requirements are different for the various identity and authentication models listed: - Cloud-only
@@ -45,7 +44,7 @@ The following table details the prerequisite features and their configuration th
||::| |[Configure PHS](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization). This must be enabled to detect leaked credentials and to act on them for risk-based Conditional Access. **Note:** This is required regardless of whether your organization uses federated authentication.|Cloud-only| |[Enable seamless single sign-on](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-sso) to automatically sign users in when they are on their organization devices connected to your organization network.|Cloud-only and federated|
-|[Configure named networks](https://docs.microsoft.com/azure/active-directory/active-directory-known-networks-azure-portal). Azure AD Identity Protection collects and analyzes all available session data to generate a risk score. We recommend you specify your organization's public IP ranges for your network in the Azure AD named networks configuration. Traffic coming from these ranges is given a reduced risk score, and traffic from outside the organization environment is given a higher risk score.||
+|[Configure named locations](https://docs.microsoft.com/azure/active-directory/reports-monitoring/quickstart-configure-named-locations). Azure AD Identity Protection collects and analyzes all available session data to generate a risk score. We recommend you specify your organization's public IP ranges for your network in the Azure AD named locations configuration. Traffic coming from these ranges is given a reduced risk score, and traffic from outside the organization environment is given a higher risk score.||
|[Register all users for self-service password reset (SSPR) and multi-factor authentication (MFA)](https://docs.microsoft.com/azure/active-directory/authentication/concept-registration-mfa-sspr-converged). We recommend you register users for Azure AD Multi-Factor Authentication ahead of time. Azure AD Identity Protection makes use of Azure AD Multi-Factor Authentication to perform additional security verification. Additionally, for the best sign-in experience, we recommend users install the [Microsoft Authenticator app](https://docs.microsoft.com/azure/active-directory/user-help/microsoft-authenticator-app-how-to) and the Microsoft Company Portal app on their devices. These can be installed from the app store for each platform.|| |[Enable automatic device registration of domain-joined Windows computers](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup). Conditional Access will make sure devices connecting to apps are domain-joined or compliant. To support this on Windows computers, the device must be registered with Azure AD. This article discusses how to configure automatic device registration.|Cloud-only| |**Prepare your support team**. Have a plan in place for users that cannot complete MFA. This could be adding them to a policy exclusion group, or registering new MFA information for them. Before making either of these security-sensitive changes, you need to ensure that the actual user is making the request. Requiring users' managers to help with the approval is an effective step.||
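Review bot: Only the named locations row is updated, while the neighbouring context rows keep links in the same older URL style as the one replaced here (`/azure/active-directory/connect/active-directory-aadconnect-sso` for seamless SSO and `/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup` for device registration). Check whether those targets should be refreshed in the same change so the table does not mix current and superseded links.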
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/microsoft-365-policies-configurations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-365-policies-configurations.md
@@ -6,7 +6,6 @@
ms.prod: m365-security Previously updated : 09/29/2020 f1.keywords: - NOCSH
@@ -42,6 +41,11 @@ These capabilities and their recommendations:
If your organization has unique environment requirements or complexities, use these recommendations as a starting point. However, most organizations can implement these recommendations as prescribed.
+Watch this video for a quick overview of identity and device access configurations for Microsoft 365 for enterprise.
+<br>
+<br>
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWxEDQ]
+ > [!NOTE] > Microsoft also sells Enterprise Mobility + Security (EMS) licenses for Office 365 subscriptions. EMS E3 and EMS E5 capabilities are equivalent to those in Microsoft 365 E3 and Microsoft 365 E5. See [EMS plans](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing) for the details.
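Review bot: The two raw `<br>` tags added between the lead-in sentence and the `> [!VIDEO ...]` line are layout HTML in a Markdown source; a single blank line before the video block gives the same separation. The embed URL here also has no `?autoplay=false` parameter, unlike the other video embed added in this batch of changes, so pick one form and use it for both.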
solutions https://docs.microsoft.com/en-us/microsoft-365/solutions/setup-secure-collaboration-with-teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/setup-secure-collaboration-with-teams.md
@@ -22,6 +22,8 @@ description: Learn how to set up secure content collaboration in Teams to protec
Being able to easily share information with the right people while preventing oversharing is key to an organization's success. This includes being able to share sensitive data safely with only those who should have access to it. Depending on the project, this might include sharing sensitive data with people outside your organization.
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWxMmL?autoplay=false]
+ This collaboration solution guidance includes two components to help you: - Deploy Microsoft Teams with the right level of protection for each project - Configure external sharing with appropriate security settings for each project