+If you have Microsoft Business Premium, the quickest way to setup security and begin collaborating safely is to follow the guidance in this library: [Microsoft 365 for smaller businesses and campaigns](../../business-premium/index.md). This guidance was developed in partnership with the Microsoft Defending Democracy team to protect all small business customers against cyber threats launched by sophisticated hackers.

+## Change organization settings for Cloud PCs

+By default, new Cloud PCs are created with the Windows 11 operating system and the Standard User account type. To change these default settings, use the following steps:

+1. Sign in to the Microsoft 365 admin center with a Global admin account.

+2. Go to the **Settings** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2053743" target="_blank">**Org settings**</a> page.

+3. On the **Services** tab, select **Windows 365**.

+4. Select your preferred operating system and account type, then select **Save**.

+Organization settings only apply to newly-created Cloud PCs. When these settings are changed, they wonΓÇÖt change the OS or account type of existing Cloud PCs.

+## What configuration is right for your organization?

+Before setting up any configuration for Microsoft 365 support integration, understand how your ServiceNow environment is set up.

+- If your ServiceNow environment allows Basic Authentication (access with ServiceNow user credential) for inbound webservice calls, then follow instructions in [Set up Microsoft 365 support integration with ServiceNow Basic Authentication](servicenow-basic-authentication.md).

+- If your ServiceNow environment does NOT allows Basic Authentication (access with ServiceNow user credential) for inbound webservice calls, then follow instructions in [Set up Microsoft 365 support integration with Azure AD Auth Token](servicenow-aad-oauth-token.md).

+ - This configuration will require an SSO tenant in order for the AAD Auth Token to work correctly.

+To understand each feature, see [Microsoft 365 support integration](https://store.servicenow.com/sn_appstore_store.do#!/store/application/6d05c93f1b7784507ddd4227cc4bcb9f).

+If you have Microsoft Business Premium, the quickest way to setup security and begin collaborating safely is to follow the guidance in this library: [Microsoft 365 for smaller businesses and campaigns](../../business-premium/index.md). This guidance was developed in partnership with the Microsoft Defending Democracy team to protect all small business customers against cyberthreats launched by sophisticated hackers.

+ Title: "Create a SharePoint communications site"

+f1.keywords:

+- NOCSH

+ms.audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-identity-device-management

+- M365-Campaigns

+- Adm_O365

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+- MOE150

+description: "Learn why and how to create a SharePoint communications site for your campaign or business with Microsoft 365."

+# Create a communications site in SharePoint

+A great way to communicate priorities, share strategy documents, and highlight upcoming events is to use a communications site in SharePoint. Communications sites are for sharing things broadly across your whole business or campaign; it's your internal strategy site.

+## Best practices

+Include the following elements in your Communications site:

+1. Add your logo and colors as a header image and theme.

+2. Lead with your strategy, message, important documents, a directory, and FAQ in a **Hero web part**.

+3. Include a CEO or candidate statement to the team in a **Text web part**.

+4. Add events to an **Events web part** so everyone can see what's coming up.

+5. Add photos that people can use or share to an **Image gallery web part**.

+

+## Infographic: Create a Communications Site infographic

+The following links for PowerPoint and PDF can be downloaded and printed in tabloid format (also known as ledger, 11 x 17, or A3).

+[](https://download.microsoft.com/download/3/f/f/3ff49b41-e5a4-4993-a00c-7f791a80b627/M365CampaignsCreateCommunicationSite.pdf)

+[PDF](https://download.microsoft.com/download/3/f/f/3ff49b41-e5a4-4993-a00c-7f791a80b627/M365CampaignsCreateCommunicationSite.pdf) | [PowerPoint](https://download.microsoft.com/download/3/f/f/3ff49b41-e5a4-4993-a00c-7f791a80b627/M365CampaignsCreateCommunicationSite.pptx)

+## Set it up

+1. Sign in to https://Office.com.

+2. In the top-left corner of the page, select the app launcher icon and then select the **SharePoint** tile. If you don't see the **SharePoint** tile, click the **Sites** tile or **All** if SharePoint isn't visible.

+3. At the top of the SharePoint home page, click **+ Create site** and choose the **Communication site** option.

+Learn all [about Communications sites](https://support.office.com/article/What-is-a-SharePoint-communication-site-94A33429-E580-45C3-A090-5512A8070732) and how to [create a communication site in SharePoint Online](https://support.microsoft.com/en-us/office/create-a-communication-site-in-sharepoint-online-7fb44b20-a72f-4d2c-9173-fc8f59ba50eb).

+## Admin settings

+If you don't see the **+ Create** site link, self-service site creation might not be available in Microsoft 365. To create a team site, contact the person administering Microsoft 365 in your organization. If you're a Microsoft 365 admin, see [Manage site creation in SharePoint Online](/sharepoint/manage-site-creation) to enable self-service site creation for your organization or [Manage sites in the new SharePoint admin center](/sharepoint/manage-sites-in-new-admin-center) to create a site from the SharePoint Online admin center.

+ Title: "Create a team in Microsoft Teams so your small business or campaign can collaborate"

+f1.keywords:

+- NOCSH

+ms.audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-identity-device-management

+- M365-Campaigns

+- Adm_O365

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+- MOE150

+description: "Learn why and how to create a team in Microsoft Teams so your small business or campaign can collaborate."

+# Create a team in Microsoft Teams so your small business or campaign can collaborate

+Microsoft Teams is a collaboration app that helps your staff stay organized and have conversations, from any device. You can use Microsoft Teams to have instant conversations with members of your staff or guests outside your organization. You can also make phone calls, host meetings, and share files.

+## Best practices

+1. Create private teams for sensitive information.

+1. Create an org-wide team for communication with everyone across your organization.

+1. Create teams for specific projects and apply the right amount of protection based on who should be included.

+1. Create specific teams for communication with external partners to keep them separate from anything sensitive for your business.

+For example, a business, legal firm, or healthcare practice could create the following teams:

+1. **A business-, firm-, or practice-wide team:** This is for everyone to use for day to day communications and work across your business. You can use this team to post announcements or share information of interest for your whole firm or practice.

+1. **Individual teams:** Set up teams for smaller groups to collaborate about their day to day work.

+1. **An external communications team or teams:** Coordinate with your vendors, partners, or clients without allowing them into anything sensitive. Set up different channels for specific groups.

+

+And campaigns could create the following teams to communicate and collaborate securely:

+1. **A campaign Leads team:** Set this up as a private team so that only your key campaign members can access it and discuss potentially sensitive concerns.

+2. **A general campaign team:** This is for everyone to use for day to day communications and work. Individuals, groups, or committees can set up channels in this team to do their work. For example, the event planning people can set up a channel to chat and coordinate logistics for campaign events.

+3. **A partners team:** Coordinate with your vendors, partners, or volunteers without allowing them into anything sensitive.

+

+When you create a team, here's what else gets created:

+- A new [Microsoft 365 group](/MicrosoftTeams/office-365-groups)

+- A [SharePoint Online](/MicrosoftTeams/sharepoint-onedrive-interact) site and document library to store team files

+- An [Exchange Online](/MicrosoftTeams/exchange-teams-interact) shared mailbox and calendar

+- A OneNote notebook

+- Ties into other Office 365 apps such as Planner and Power BI

+Inside Microsoft Teams, you can find:

+1. **Teams:** Find channels to belong to or create your own. Inside channels you can hold on-the-spot meetings, have conversations, and share files.

+2. **Meetings:** See everything you've got lined up for the day or week. Or, schedule a meeting. This calendar syncs with your Outlook calendar.

+3. **Calls:** In some cases, if your organization has it set up, you can call anyone from Microsoft Teams, even if they're not using Microsoft Teams.

+4. **Activity:** Catch up on all your unread messages, @mentions, replies, and more.

+Use the command box at the top to search for specific items or people, take quick actions, and launch apps.

+## Set it up

+Create a private team for just the business owner and managers, or campaign manager and candidate like this.

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWeqWA]

+Create an organization-wide team that everyone in the business or campaign can use to communicate and share files.

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE2GCG9]

+Create a team that you share with guests outside your organization, such as for advertising or finances.

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FQMp]

+Learn more about Microsoft Teams at [Microsoft Teams technical documentation](/microsoftteams/microsoft-teams)

+## Admin settings

+You must be an admin to create an organization-wide team. For more information, see [What is an Admin in Microsoft 365?](https://support.office.com/article/what-is-an-admin-e123627e-4892-4461-b9aa-1b6d57a5cfa4?ui=en-US&rs=en-US&ad=US).

+ Title: "Get Microsoft 365 Business Premium"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- Core_O365Admin_Migration

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+description: "Get Microsoft 365 Business Premium so you can protect your company from cybersecurity threats to devices, email, data, and communications."

+# How to get Microsoft 365 Business Premium

+This article describes how to get Microsoft 365 Business Premium for your company. You can choose to:

+- [Buy or try Microsoft 365 Business Premium on your own](#get-microsoft-365-business-premium-on-your-own)

+- [Work with a solution provider](#work-with-a-microsoft-solution-provider-to-get-microsoft-365-business-premium)

+## Get Microsoft 365 Business Premium on your own

+See [Try or buy a Microsoft 365 for business subscription](../commerce/try-or-buy-microsoft-365.md). On the [Microsoft 365 Products site](https://www.aka.ms/office365signup), choose **Microsoft 365 Business Premium**.

+## Work with a Microsoft Solution Provider to get Microsoft 365 Business Premium

+Microsoft has a list of solution providers who are authorized to sell offerings, including Microsoft 365 Business Premium.

+To find a solution provider in your area, take the following steps:

+1. Go to the **Microsoft Solution Providers** page ([https://www.microsoft.com/solution-providers](https://www.microsoft.com/solution-providers)).

+

+2. In the search box, fill in your location and company size.

+3. In the **Search for products, services, skills, industries** box, put `Microsoft 365`, and then select **Go**.

+4. Review the list of results. Select a provider to learn more about their expertise and the services they provide.

+## What does Microsoft 365 Business Premium include?

+[View the Microsoft 365 User Subscription Suites for Small and Medium-sized Businesses](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWR6bM)

+ Title: "Get Microsoft 365 for Campaigns"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- Core_O365Admin_Migration

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+ms.assetid: 5abfef7b-5957-484a-b06b-a7c55e013e44

+description: "Get Microsoft 365 for Campaigns so you can protect your campaign from cybersecurity threats to email, data, and communications."

+# Get Microsoft 365 for Campaigns

+Anybody with Microsoft 365 Business Premium can use this guidance to configure extra security for email and collaboration. However, campaigns and political parties in the USA are eligible for special pricing for Microsoft 365. Currently this special pricing is available to:

+- National-level political parties in the United States, Canada, and New Zealand

+- National or federal political campaigns in the United States and New Zealand

+- U.S. State-wide political campaigns (eg: campaigns seeking office for governor, state legislature, or attorney general)*

+ *Due to local regulations, we are unable to offer Microsoft 365 for Campaigns in the following states at this time: CO, DE, IL, OK, WI & WY. We encourage campaigns in those states to explore additional offerings at [Microsoft 365 for business](https://www.office.com/business).

+- State-level political parties in the United States

+If your campaign or political party qualifies, Microsoft 365 for Campaigns is the least expensive plan available through Microsoft. See [Sign up for Microsoft 365 for Campaigns](m365-campaigns-sign-up.md).

+If you're not eligible for special pricing, Microsoft 365 Business Premium is still the most cost-effective way obtain comprehensive security for a collaboration environment. See [Set up Microsoft 365 Business Premium](../business/set-up.md?toc=/microsoft-365/campaigns/toc.json&bc=/microsoft-365/campaigns/breadcrumb/toc.json) and then use this library to configure extra security and to help your team collaborate securely.

+## What does Microsoft 365 for Campaigns include?

+This configuration of Microsoft 365 Business Premium includes simple controls that help you and your staff work together securely:

+- **Protect user identity**: Make sure that users are who they say they are when they sign in to send email or to access files (multifactor authentication).

+- **Protect sensitive information**: Protect sensitive information to monitor information that gets shared outside your organization (data loss prevention).

+- **Protect mobile devices**: Protect data on mobile devices (mobile app protection policy).

+- **Guard against malicious content**: Prevent access to malicious content by scanning email attachments (Defender for Office 365).

+- **Protect passwords**: Set passwords to never expire which is more secure and helps prevent work stoppages (password policy).

+- **AccountGuard Program Access**: Microsoft AccountGuard is a security service offered at no additional cost to customers in the political space. The service is designed to inform and help these highly targeted customers protect themselves from cybersecurity threats across their organizational and personal Microsoft email accounts. View more information at [Microsoft AccountGuard](https://www.microsoftaccountguard.com/).

+## What does it cost, who needs it, and what is the commitment?

+If your campaign qualifies for special pricing Microsoft 365 for Campaigns costs $5 per user per month.

+To protect your campaign, we recommend a license for the candidate, the campaign manager, all senior staff who are part of the campaign or party, and usually all full-time staff. Certain volunteer employees might also need a license. In general, assign a license to anyone in your campaign who needs protected email and devices.

+There's no minimum time commitment when you sign up for Microsoft 365 for Campaigns. You can pay monthly for the licenses you need and stop using the service anytime.

+## How do I qualify for special pricing?

+1. Go to [aka.ms/m365forcampaigns](https://aka.ms/m365forcampaigns/) and provide a few details about your organization. The details you provide help us to verify that you represent a national-level political campaign or party in the United States. There's no commitment when you complete this form.

+2. After you've completed the form, it takes us a few days to review your information.

+3. After we've verified that you represent a national-level political campaign or party, you'll receive an email invitation from Microsoft. Your invite includes a sign-up link specific to your organization.

+When you receive your invitation, [Sign up for Microsoft 365 for Campaigns](m365-campaigns-sign-up.md).

+ Title: "Microsoft 365 Business Premium Overview"

+f1.keywords:

+- NOCSH

+ms.audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-Campaigns

+- m365solution-overview

+- m365solution-smb

+- Adm_O365

+- Core_O365Admin_Migration

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+ms.assetid: 5abfef7b-5957-484a-b06b-a7c55e013e44

+description: "Learn how to collaborate securely in your small business or campaign with Microsoft 365 Business Premium."

+# Microsoft 365 Business Premium Overview

+In our current world, keeping data and communications secure is a priority, particularly for medical and legal practices, political campaigns, and many other smaller businesses. Take advantage of the security features in Microsoft 365 Business Premium to collaborate safely within your small business. This solution provides a set of recommendations designed to help protect you and your data. This library includes help for setting up and using this recommended environment, no matter your business type.

+

+This configuration includes the following guidance for productivity, collaboration, file storage, email, devices, and identity to protect your business:

+| Protection for | Description | Links |

+| -- | -- | -- | -- |

+|Email | Use multi-factor authentication, and ATP Advanced Phishing Protection, and ATP Safe Links and Safe Attachments, and use encrypted email for sensitive information.| [Set up multi-factor authentication](m365-campaigns-multifactor-authentication.md), [Protect against phishing attacks](m365-campaigns-phishing-and-attacks.md), [Encrypt or label your sensitive email](send-encrypted-email.md) |

+|iPhones and Android devices |Use multi-factor authentication, and set up Microsoft mobile apps, and require a PIN | [Set up multi-factor authentication](m365-campaigns-multifactor-authentication.md), [Set up mobile devices](../business/set-up-mobile-devices.md?toc=/microsoft-365/campaigns/toc.json)|

+|Bring-your-own-devices (BYOD) Macs and Windows 10 PCs |Keep Office up to date, keep operating systems updated, and enable security features. | [Protect unmanaged Windows 10 PCs and Macs](m365-campaigns-protect-pcs-macs.md) |

+|Storing and sharing files securely | Share files and videos from Microsoft Teams, OneDrive, SharePoint, and Microsoft Stream, and protect sensitive data.| [Share files and videos](share-files-and-videos.md) |

+|Managed Windows 10 devices |Use managed devices for key staff and secure these devices. | [Set up managed devices](../business/set-up-windows-devices.md?toc=/microsoft-365/campaigns/toc.json) |

+## A recommended security configuration for Microsoft 365 Business Premium

+This recommended secure configuration for Microsoft 365 Business Premium lets you:

+- Rely on trusted business productivity and collaboration tools, such as Outlook, Word, Excel, and other Office products.

+- Protect your work files on all of your iOS, Android, and Windows 10 devices with enterprise-grade security that is simple to manage.

+- Apply extra protection for user accounts and identity.

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3clbH]

+While federal and some state election campaigns in the United States qualify for [special pricing](get-microsoft-365-campaigns.md) for the Microsoft 365 for Campaigns offering of Microsoft 365 Business Premium, any organization with the Business Premium plan can take advantage of this guidance to configure increased security and learn how to collaborate securely.

+This library includes the following:

+- Prescriptive setup guidance for adding increased security.

+- Help for users to setup devices for secure access.

+- Guidance on how to collaborate and share securely.

+For more information about what's included, see [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business).

+## Get started

+Follow these steps to get started:

+- For campaigns: [Get Microsoft 365 campaigns](get-microsoft-365-campaigns.md)

+- For any business: [Learn how your users will work with Microsoft 365](m365-campaigns-users.md)

+- For any business: [Set up Microsoft 365](microsoft-365-campaigns-setup-overview.md)

+## Solutions for your business

+After you set up your secure Microsoft 365 environment, you can use the following solutions to get working:

+| Create teams for collaboration | Set up online meetings |

+| - | - |

+|  |  |

+| Collaborate with teams for key staff, all staff, and partners or vendors.<br>[Create your team](create-teams-for-collaboration.md) | Schedule a meeting with audio, video, and sharing with Microsoft Teams.<br>[Set up a meeting](set-up-meetings.md) |

+| Encrypt or label your sensitive email | Create a communications site |

+| - | - |

+|  |  |

+| Use encryption and sensitivity labels to protect email that contains confidential or sensitive information.<br>[Send encrypted email](send-encrypted-email.md) | Share events, message, images, and more with your team in an internal communications site created with SharePoint.<br>[Create your site](create-communications-site.md) |

+| Share files and videos |

+| - |

+|  |

+| Save your files and videos to the cloud so they're available <br>to all of the appropriate people.<br>[Start sharing](share-files-and-videos.md) |

+ Title: "Turn on security defaults"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-identity-device-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+- MOE150

+description: "Learn how security defaults can help protect your organization from identity-related attacks by providing preconfigured security settings."

+# Turn on security defaults

+Security defaults help protect your organization from identity-related attacks by providing preconfigured security settings that Microsoft manages on behalf of your organization. These settings include enabling multi-factor authentication (MFA) for all admins and user accounts. For most organizations, security defaults offer a good level of additional sign-in security.

+For more information about security defaults and the policies they enforce, see [What are security defaults?](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults)

+If your subscription was created on or after October 22, 2019, security defaults might have been automatically enabled for you&mdash;you should check your settings to confirm.

+To enable security defaults in your Azure Active Directory (Azure AD) or to check to see if they're already enabled:

+1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a> with security administrator, Conditional Access administrator, or Global admin credentials.

+2. In the left pane, select **Show All,** and then under **Admin centers**, select **Azure Active Directory**.

+3. In the left pane of the **Azure Active Directory admin center,** select **Azure Active Directory**.

+4. From the left menu of the Dashboard, in the **Manage** section, select **Properties**.

+ :::image type="content" source="../media/m365-campaigns-conditional-access/azure-ad-properties.png" alt-text="Screenshot of the Azure Active Directory admin center showing the location of the Properties menu item.":::

+5. At the bottom of the **Properties** page, select **Manage Security defaults**.

+6. In the right pane, you'll see the **Enable Security defaults** setting. If **Yes** is selected, then security defaults are already enabled and no further action is required. If security defaults are not currently enabled, then select **Yes** to enable them, and then select **Save**.

+> [!NOTE]

+> If you've been using Conditional Access policies, you'll need to turn them off before using security defaults.

+>

+> You can use either security defaults or Conditional Access policies, but you can't use both at the same time.

+## Consider using Conditional Access

+If your organization has complex security requirements or you need more granular control over your security policies, then you should consider using Conditional Access instead of security defaults to achieve a similar or higher security posture.

+Conditional Access lets you create and define policies that react to sign-in events and request additional actions before a user is granted access to an application or service. Conditional Access policies can be granular and specific, empowering users to be productive wherever and whenever, but also protecting your organization.

+Security defaults are available to all customers, while Conditional Access requires a license for one of the following plans:

+- Azure Active Directory Premium P1 or P2

+- Microsoft 365 Business Premium

+- Microsoft 365 E3 or E5

+- Enterprise Mobility & Security E3 or E5

+If you want to use Conditional Access to configure policies equivalent to those enabled by security defaults, check out the following step-by-step guides:

+- [Require MFA for administrators](/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa)

+- [Require MFA for Azure management](/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management)

+- [Block legacy authentication](/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy)

+- [Require MFA for all users](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa)

+- [Require Azure AD MFA registration](/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy) - Requires Azure AD Identity Protection, which is part of Azure Active Directory Premium P2

+To learn more about Conditional Access, see [What is Conditional Access?](/azure/active-directory/conditional-access/overview) For more information about creating Conditional Access policies, see [Create a Conditional Access policy](/azure/active-directory/authentication/tutorial-enable-azure-mfa#create-a-conditional-access-policy).

+> [!NOTE]

+> If you have a plan or license that provides Conditional Access but haven't yet created any Conditional Access policies, you're welcome to use security defaults. However, you'll need to turn off security defaults before you can use Conditional Access policies.

+ Title: "Increase threat protection"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- MiniMaven

+- MSB365

+- admindeeplinkMAC

+- admindeeplinkEXCHANGE

+search.appverid:

+- BCS160

+- MET150

+ms.assetid: 5abfef7b-5957-484a-b06b-a7c55e013e44

+description: "Get help with increasing the level of protection in Microsoft 365"

+# Increase threat protection for Microsoft 365 Business Premium

+This article helps you increase the protection in your Microsoft 365 subscription to protect against phishing, malware, and other threats. These recommendations are appropriate for organizations with an increased need for security, like political campaigns, law offices, and health care clinics.

+Before you begin, check your Microsoft Secure Score. Microsoft Secure Score analyzes your organization's security based on your regular activities and security settings and assigns a score. Begin by taking note of your current score. Taking the actions recommended in this article increases your score. The goal isn't to achieve the max score, but to be aware of opportunities to protect your environment that don't negatively affect productivity for your users.

+For more information, see [Microsoft Secure Score](../security/defender/microsoft-secure-score.md).

+## Raise the level of protection against malware in mail

+Your Office 365 or Microsoft 365 environment includes protection against malware, but you can increase this protection by blocking attachments with file types that are commonly used for malware. To bump up malware protection in email:

+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077143" target="_blank">Office 365 Security & Compliance Center</a> and sign in with your admin account credentials.

+2. In the left navigation pane, under **Threat management**, choose **Policy** \> **Anti-Malware**.

+3. Double-click the default policy to edit this company-wide policy.

+4. Click **Settings**.

+5. Under **Common Attachment Types Filter**, select **On**. The file types that are blocked are listed in the window directly below this control. Make sure you add these filetypes:

+ `ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif`

+ You can add or delete file types later, if needed.

+6. Click **Save.**

+For more information, see [Anti-malware protection in EOP](../security/office-365-security/anti-malware-protection.md).

+## Protect against ransomware

+Ransomware restricts access to data by encrypting files or locking computer screens. It then attempts to extort money from victims by asking for "ransom," usually in the form of cryptocurrencies like Bitcoin, in exchange for access to data.

+You can protect against ransomware by creating one or more mail flow rules to block file extensions that are commonly used for ransomware (these were added in the [raise the level of protection against malware in mail](#raise-the-level-of-protection-against-malware-in-mail) step), or to warn users who receive these attachments in email.

+In addition to the files that you blocked in the previous step, it's also good practice to create a rule to warn users before opening Office file attachments that include macros. Ransomware can be hidden inside macros, so warn users to not open these files from people they don't know.

+To create a mail transport rule:

+1. Go to the admin center at <https://admin.microsoft.com> and choose **Admin centers** \> **Exchange**.

+2. In the **mail flow** category, click **rules**.

+3. Click **+**, and then click **Create a new rule**.

+4. Click **More options** at the bottom of the dialog box to see the full set of options.

+5. Apply the settings in the following table for the rule. Leave the rest of the settings at the default, unless you want to change them.

+6. Click **Save**.

+|Setting|Warn users before opening attachments of Office files|

+|||

+|Name|Anti-ransomware rule: warn users|

+|Apply this rule if . . .|Any attachment . . . file extension matches . . .|

+|Specify words or phrases|Add these file types: <br/> `dotm, docm, xlsm, sltm, xla, xlam, xll, pptm, potm, ppam, ppsm, sldm`|

+|Do the following . . .|Notify the recipient with a message|

+|Provide message text|Do not open these types of files from people you do not know because they might contain macros with malicious code.|

+For more information, see:

+- [Ransomware: how to reduce risk](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/)

+- [Restore your OneDrive](https://support.microsoft.com//office/fa231298-759d-41cf-bcd0-25ac53eb8a15)

+## Stop auto-forwarding for email

+Hackers who gain access to a user's mailbox can steal your mail by setting the mailbox to automatically forward email. This can happen even without the user's awareness. You can prevent this from happening by configuring a mail flow rule.

+To create a mail transport rule, either watch [this short video](https://support.office.com/article/f9d693ba-5c78-47c0-b156-8e461e062aa7) or follow these steps:

+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, click **Admin centers** \> **Exchange**.

+2. In the **mail flow** category, click **rules**.

+3. Click **+**, and then click **Create a new rule**.

+4. Click **More options** at the bottom of the dialog box to see the full set of options.

+5. Apply the settings in the following table. Leave the rest of the settings at the default, unless you want to change them.

+6. Click **Save**.

+|Setting|Warn users before opening attachments of Office files|

+|||

+|Name|Prevent auto forwarding of email to external domains|

+|Apply this rule if ...|The sender . . . is external/internal . . . Inside the organization|

+|Add condition|The message properties . . . include the message type . . . Auto-forward|

+|Do the following ...|Block the message . . . reject the message and include an explanation.|

+|Provide message text|Auto-forwarding email outside this organization is prevented for security reasons.|

+## Protect your email from phishing attacks

+If you've configured one or more custom domains for your Office 365 or Microsoft 365 environment, you can configure targeted anti-phishing protection. Anti-phishing protection, part of Microsoft Defender for Office 365, can help protect your organization from malicious impersonation-based phishing attacks and other phishing attacks. If you haven't configured a custom domain, you don't need to do this.

+We recommend that you get started with this protection by creating a policy to protect your most important users and your custom domain.

+To create an anti-phishing policy in Defender for Office 365, watch [this short training video](https://support.office.com/article/86c425e1-1686-430a-9151-f7176cce4f2c), or complete the following steps:

+1. Go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077143" target="_blank">Office 365 Security & Compliance Center</a>.

+2. In the left navigation pane, under **Threat management**, choose **Policy**.

+3. On the **Policy** page, choose **Anti-phishing**.

+4. On the **Anti-phishing** page, select **+ Create**. A wizard launches that steps you through defining your anti-phishing policy.

+5. Specify the name, description, and settings for your policy as recommended in the chart below. For more information, see [Learn about anti-phishing policy in Microsoft Defender for Office 365 options](../security/office-365-security/set-up-anti-phishing-policies.md).

+6. After you've reviewed your settings, choose **Create this policy** or **Save**, as appropriate.

+|Setting or option|Recommended setting|

+|||

+|Name|Domain and most valuable staff|

+|Description|Ensure most important staff and our domain are not being impersonated.|

+|Add users to protect|Select **+ Add a condition, The recipient is**. Type user names or enter the email address of the business owners, partners, or candidate, managers, and other important staff members. You can add up to 20 internal and external addresses that you want to protect from impersonation.|

+|Add domains to protect|Select **+ Add a condition, The recipient domain is**. Enter the custom domain associated with your Microsoft 365 subscription, if you defined one. You can enter more than one domain.|

+|Choose actions|If email is sent by an impersonated user: Choose **Redirect message to another email address**, and then type the email address of the security administrator; for example, *Alice<span><span>@contoso.com*. <br/> If email is sent by an impersonated domain: Choose **Quarantine message**.|

+|Mailbox intelligence|By default, mailbox intelligence is selected when you create a new anti-phishing policy. Leave this setting **On** for best results.|

+|Add trusted senders and domains|Here you can add your own domain, or any other trusted domains.|

+|Applied to|Select **The recipient domain is**. Under **Any of these**, select **Choose**. Select **+ Add**. Select the check box next to the name of the domain, for example, *contoso.<span><span>com*, in the list, and then select **Add**. Select **Done**.|

+For more information, see [Set up anti-phishing policies in Defender for Office 365](../security/office-365-security/set-up-anti-phishing-policies.md).

+## Protect against malicious attachments, files, and links with Defender for Office 365

+

+First, make sure, in the admin center at <https://admin.microsoft.com> that you have the new admin center preview turned on. Turn on the toggle next to the text **The new admin center**.

+ 

+If you don't see the **Setup** page with cards in your tenant yet, see how to complete these steps in Security & Compliance Center. See [Set up Safe Attachments in the Security & Compliance Center](#set-up-safe-attachments-in-the-security--compliance-center) and [Set up Safe Links in the Security & Compliance Center](#set-up-safe-links-in-the-security--compliance-center).

+1. In the left nav, choose **Setup**.

+2. On the **Setup** page, choose **View** on the **Increase protection from advanced threats** card.

+ 

+3. On the **Increase protection from advanced threats** page, choose **Get started**.

+4. On the pane that opens, select the check boxes next to **Links and attachments in email**, **Scan files in SharePoint, OneDrive, and Teams**, and **Scan links in Office desktop and Office Online apps** under **Scan items for malicious content**.

+ Under **Links and attachments in email**, Type in All Users, or the specific users whose email you want scanned.

+ 

+5. Choose **Create policies** to turn on Safe Attachments and Safe Links.

+### Set up Safe Attachments in the Security & Compliance Center

+People regularly send, receive, and share attachments, such as documents, presentations, spreadsheets, and more. It's not always easy to tell whether an attachment is safe or malicious just by looking at an email message. Microsoft Defender for Office 365 includes Safe Attachment protection, but this protection is not turned on by default. We recommend that you create a new rule to begin using this protection. This protection extends to files in SharePoint, OneDrive, and Microsoft Teams.

+To create an Safe Attachment policy, either watch [this short video](https://support.office.com/article/e7e68934-23dc-4b9c-b714-e82e27a8f8a5), or complete the following steps:

+1. Go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077143" target="_blank">Office 365 Security & Compliance Center</a> and sign in with your admin account.

+2. In the left navigation pane, under **Threat management**, choose **Policy**.

+3. On the Policy page, choose **Safe Attachments**.

+4. On the Safe attachments page, apply this protection broadly by selecting the **Turn on ATP for SharePoint, OneDrive, and Microsoft Teams** check box.

+5. Select **+** to create a new policy.

+6. Apply the settings in the following table.

+7. After you review your settings, choose **Create this policy** or **Save**, as appropriate.

+|Setting or option|Recommended setting|

+|||

+|Name|Block current and future emails with detected malware.|

+|Description|Block current and future emails and attachments with detected malware.|

+|Save attachments unknown malware response|Select **Block - Block the current and future emails and attachments with detected malware**.|

+|Redirect attachment on detection|Enable redirection (select this box) <br/> Enter the admin account or a mailbox setup for quarantine. <br/> Apply the above selection if malware scanning for attachments times out or error occurs (select this box).|

+|Applied to|The recipient domain is . . . select your domain.|

+For more information, see [Set up anti-phishing policies in Defender for Office 365](../security/office-365-security/set-up-anti-phishing-policies.md).

+### Set up Safe Links in the Security & Compliance Center

+Hackers sometimes hide malicious websites in links in email or other files. Safe Links, part of Microsoft Defender for Office 365, can help protect your organization by providing time-of-click verification of web addresses (URLs) in email messages and Office documents. Protection is defined through Safe Links policies.

+We recommend that you do the following:

+- Modify the default policy to increase protection.

+- Add a new policy targeted to all recipients in your domain.

+To set up Safe Links, watch [this short training video](https://support.office.com/article/61492713-53c2-47da-a6e7-fa97479e97fa), or complete the following steps:

+1. Go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077143" target="_blank">Office 365 Security & Compliance Center</a> and sign in with your admin account.

+2. In the left navigation pane, under **Threat management**, choose **Policy**.

+3. On the Policy page, choose **Safe Links**.

+To modify the default policy:

+1. On the Safe links page, under **Policies that apply to the entire organization**, select the **Default** policy.

+2. Under **Settings that apply to content except email**, select **Microsoft 365 Apps for enterprise, Office for iOS and Android**.

+3. Click **Save**.

+To create a new policy targeted to all recipients in your domain:

+1. On the Safe links page, under **Policies that apply to the entire organization**, click **+** to create a new policy.

+2. Apply the settings listed in the following table.

+3. Click **Save**.

+|Setting or option|Recommended setting|

+|||

+|Name|Safe links policy for all recipients in the domain|

+|Select the action for unknown potentially malicious URLs in messages|Select **On - URLs will be rewritten and checked against a list of known malicious links when user clicks on the link**.|

+|Use Safe Attachments to scan downloadable content|Select this box.|

+|Applied to|The recipient domain is . . . select your domain.|

+For more information, see [Safe Links in Defender for Office 365](../security/office-365-security/safe-links.md).

+## Turn on the Unified Audit Log

+After you turn on the audit log search in the Security & Compliance Center, you can retain the admin and other user activity in the log and search it.

+You must be assigned the Audit Logs role in Exchange Online to turn audit log search on or off in your Microsoft 365 subscription. By default, this role is assigned to the Compliance Management and Organization Management role groups on the Permissions page in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>. Global admins in Microsoft 365 are members of this group by default.

+1. To turn on the audit log search, go to the admin center at <https://admin.microsoft.com> and then choose **Security** under **Admin centers** in the left nav.

+2. On the **Microsoft 365 Security** page, choose **More resources**, and then **Open** on the **Office 365 Security & Compliance Center** card.

+ 

+3. On the security and compliance page, choose **Search** and then **Audit log search**.

+4. On the top of the **Audit log search** page, choose **Turn on auditing**.

+After the feature is turned on, you can search for files, folders, and many activities. For more information, see [search the audit log](../compliance/search-the-audit-log-in-security-and-compliance.md).

+## Tune-up anonymous sharing settings for SharePoint and OneDrive files and folders

+(change default anonymous link expiration to 14 days, change default sharing type to "Specific People")

+To change the sharing settings for OneDrive and SharePoint:

+1. Go to the admin center at <https://admin.microsoft.com> and then choose **SharePoint** under **Admin centers** in the left nav.

+2. In the SharePoint admin center, go to **Policies** \> **Sharing**.

+3. On the **Sharing** page, under **File and folder links**, select **Specific people**, and under **Advanced settings for "Anyone" links**, select **These links must expire within this many days**, and type in 14 (or another number of days you want to restrict the link lifetime to).

+ 

+## Activity alerts

+You can use activity alerts to track admin and user activities and detect malware and data loss prevention incidents in your organization. Your subscription includes a set of default policies, but you can also create custom ones. For more information, see [alert policies](../compliance/alert-policies.md). For example, if you store an important file in SharePoint that you don't want anyone to share externally, you can create a notification that alerts you if someone does share it.

+The following figure shows the default policies that are included with Microsoft 365.

+

+## Disable or manage calendar sharing

+You can prevent people in your organization from sharing their calendars, or you can also manage what they can share. For example, you can restrict the sharing to free/busy times only.

+1. Go to the admin center at <https://admin.microsoft.com> and choose **Settings** \> **Org Settings** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2053743" target="_blank">**Services**</a>.

+1. Choose **Calendar**, and choose whether people in your organization can share their calendars with people outside who have Office 365 or Exchange, or with anyone.

+ If you choose the share with anyone option, you can decide to also only share free/busy information.

+3. Choose **Save changes** on the bottom of the page.

+ The following figure shows calendar sharing not allowed.

+ 

+ The following figure shows the settings when calendar sharing is allowed with an email link with only free/busy information.

+ 

+If your users are allowed to share their calendars, see [these instructions](https://support.office.com/article/7ecef8ae-139c-40d9-bae2-a23977ee58d5) for how to share from Outlook on the web.

+ Title: "Set up multifactor authentication"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-identity-device-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+- MOE150

+description: "Set up multifactor authentication."

+# Set up multi-factor authentication on your mobile device

+Multi-factor authentication provides more security for your business. After your admin has required you to use MFA, you can set up the Microsoft Authenticator app to let you log into key apps securely with your phone.

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE2MmQR]

+See more at [Set up multifactor authentication in Microsoft 365](https://support.office.com/article/a32541df-079c-420d-9395-9d59354f7225)

+## Use the Outlook app in your devices

+After your admin has required you to use MFA and you've set up an authenticator app as a second form of authentication, we recommend that you install and only use the Outlook app to access your Microsoft 365 email. See [Set up mobile devices](../business/set-up-mobile-devices.md) for how to install Office apps, including Outlook, on your phone.

+ Title: "Protect yourself against phishing and other attacks"

+f1.keywords:

+- NOCSH

+ms.audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-identity-device-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+- MOE150

+description: "Protect against phishing and other attacks with Microsoft 365."

+# Protect yourself against phishing and other attacks

+Microsoft 365 Business Premium includes many protections to guard against attacks, but there are things you can do yourself to limit and minimize the risk of online attacks.

+- **Spam or junk mail** There are many reasons you might receive junk e-mail and not all junk mail is the same. However, you can reduce what gets through to you, and thus reduce the risks of attacks, by filtering out junk mail.

+- **Phishing** A phishing scam is an email that seems legitimate but is an attempt to get your personal information or steal your money.

+- **Spoofing** Scammers can also use a technique called spoofing to make it appear as if you've received an email from yourself.

+- **Malware** is malicious software that can be installed on your computer, usually installed after you've clicked a link or opened a document from an email. There are various types of malware (for example, ransomware, when your computer is taken over), but you don't want to have any of them.

+## Best practices

+### Reduce spam mail

+Follow these [10 tips on how to help reduce spam](https://support.microsoft.com/en-us/office/10-tips-on-how-to-help-reduce-spam-55f756e8-688b-41c3-a086-8f68ccc592f6).

+### Report it!

+Report any phishing or other scam emails you receive.

+Select the message, and choose **Report message** on the ribbon.

+Here's more information about [reporting junk and phishing emails](https://support.office.com/article/Use-the-Report-Message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2).

+### Avoid phishing

+- Never reply to an email that asks you to send personal or account information.

+- If you receive an email that looks suspicious or asks you for this type of information, never click links that supposedly take you to a company website.

+- Never open any file attached to a suspicious-looking email.

+- If the email appears to come from a company, contact the company's customer service via phone or web browser to see if the email is legitimate.

+- Search the web for the email subject line followed by the word hoax to see if anyone else has reported this scam.

+Read about five common types of scams in [Deal with abuse, phishing, or spoofing](https://support.office.com/article/Deal-with-abuse-phishing-or-spoofing-in-Outlook-com-0d882ea5-eedc-4bed-aebc-079ffa1105a3).

+### Make sure your emails look legitimate to others

+Help your customers trust your communications by adding a digital signature to prove that it's coming from you. See [Secure messages by using a digital signature](https://support.office.com/article/secure-messages-by-using-a-digital-signature-549ca2f1-a68f-4366-85fa-b3f4b5856fc6).

+## Help protect your campaign from online threats

+Download this infographic with tips for you and the members of your campaign team:

+[](https://download.microsoft.com/download/f/c/5/fc58bc0c-773a-4ac8-a232-6f986f61ef58/M365CampaignsWhatCanUsersDoToSecure.pdf)

+[PDF](https://download.microsoft.com/download/f/c/5/fc58bc0c-773a-4ac8-a232-6f986f61ef58/M365CampaignsWhatCanUsersDoToSecure.pdf) | [PowerPoint](https://download.microsoft.com/download/f/c/5/fc58bc0c-773a-4ac8-a232-6f986f61ef58/M365CampaignsWhatCanUsersDoToSecure.pptx)

+## Set it up

+Learn more about how to:

+- [Keep your files and communications safe with Office](https://support.microsoft.com/en-us/office/keep-your-files-and-communications-safe-with-office-c4ddc381-7395-42da-887c-8836a3bb975f).

+- [Stay secure and private at work](https://support.office.com/article/stay-secure-and-private-at-work-104c7d91-b25a-453d-beee-ba64b6c6fc2d).

+

+ Title: "Protect your administrator accounts"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+description: "Learn how to set up and protect your administrator accounts."

+# Protect your administrator accounts

+Because admin accounts come with elevated privileges, they're valuable targets for hackers and cyber criminals. This article describes:

+- How to set up an additional administrator account for emergencies.

+- How to protect these accounts.

+When you sign up for Microsoft 365 and enter your information, you automatically become the Global admin. A Global admin has the ultimate control of user accounts and all the other settings in the Microsoft admin center, but there are many different kinds of admin accounts with varying degrees of access. See [about admin roles](/office365/admin/add-users/about-admin-roles) for information about the different access levels for each kind of admin role.

+## Create additional admin accounts

+Use admin accounts only for administration. Admins should have a separate user account for regular use of Office apps and only use their administrative account when necessary to manage accounts and devices, and while working on other admin functions. It's also a good idea to remove the Microsoft 365 license from the admin accounts so you don't have to pay for them.

+You'll want to set up at least one additional Global admin account to give admin access to another trusted employee. You can also create separate admin accounts for user management (this role is called **User management administrator**). For more information, see [about admin roles](/office365/admin/add-users/about-admin-roles).

+To create additional admin accounts:

+ 1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">admin center</a> and then choose **Users** \> **Active users** in the left nav.

+ 

+ 2. On the **Active users** page, select **Add a user** at the top of the page, and on the **New user** panel, enter the name and other information.

+ 3. Expand the **Roles** section, and choose **Global administrator** to give this user global admin access. You can also choose **Customized administrator** and choose any of the roles that are displayed.

+ Enter an alternate email in the **Alternative email address** text box. You can use this address to recover your password information if you get locked out. For Global admins, a billing statement will also be sent to this address.

+ 

+ 4. In the **Product licenses** section, move the selector for **Microsoft 365 Business** to **Off** and the **Create user without product license** to **On**.

+ 

+## Create an emergency admin account

+You should also create a backup account that isn't set up with multi-factor authentication (MFA) so you don't accidentally lock yourself out (for example if you lose your phone that you're using as a second form of verification). Make sure that the password for this account is a phrase or at least 16 characters long. This is often referred to as a "break-glass account."

+## Create a user account for yourself

+Use your user account to participate in collaboration with your organization, including checking mail. This means your admin credentials might be similar to *Alice.Chavez<span></span>@Contoso.org* and your regular user account might be similar to *Alice<span></span>@Contoso.com*.

+To create a new user account:

+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">admin center</a> and then choose **Users** \> **Active users** in the left nav.

+2. On the **Active users** page, select **Add a user** at the top of the page, and on the **New user** panel, enter the name and other information.

+3. Expand the **Roles** section, and choose **User (no administrative access)**.

+4. In the **Product licenses** section, move the selector for **Microsoft 365 Business** to **On**.

+## Turn on security defaults

+Security defaults help protect your organization from identity-related attacks by providing preconfigured security settings that Microsoft manages on behalf of your organization. These settings include enabling multi-factor authentication (MFA) for all admins and user accounts. For more information about security defaults and to learn how to enable them on, see [Turn on security defaults](m365-campaigns-conditional-access.md).

+## Additional recommendations

+- Before using admin accounts, close out all unrelated browser sessions and apps, including personal email accounts. You can also use in private, or incognito browser windows.

+- After completing admin tasks, be sure to sign out of the browser session.

+ Title: "Infographic: Help protect your campaign"

+f1.keywords:

+- NOCSH

+ms.audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-identity-device-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+- MOE150

+description: "What you can do to help protect your campaign from digital attacks."

+# Infographic: Help protect yourself and your campaign from digital threats

+The following links for PowerPoint and PDF can be downloaded and printed in tabloid format (also known as ledger, 11 x 17, or A3).

+[](https://download.microsoft.com/download/f/c/5/fc58bc0c-773a-4ac8-a232-6f986f61ef58/M365CampaignsWhatCanUsersDoToSecure.pdf)

+[PDF](https://download.microsoft.com/download/f/c/5/fc58bc0c-773a-4ac8-a232-6f986f61ef58/M365CampaignsWhatCanUsersDoToSecure.pdf) | [PowerPoint](https://download.microsoft.com/download/f/c/5/fc58bc0c-773a-4ac8-a232-6f986f61ef58/M365CampaignsWhatCanUsersDoToSecure.pptx)

+ Title: "Protect unmanaged Windows 10 PCs and Macs"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-identity-device-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+- MOE150

+description: "Protect unmanaged or bring-your-own devices (BYOD) with Microsoft 365."

+# Protect unmanaged Windows 10 PCs and Macs

+You can manage Windows 10 PCs and Macs by enrolling them in Microsoft Intune, which allows you to ensure they're healthy and secure before accessing data in your environment. However, many campaigns and small businesses include staff who bring their own devices (BYOD), which will not be managed by the organization. For these unmanaged PCs and Macs, use this article to ensure that minimum security capabilities are configured.

+<!--A Windows 10 PC is considered managed after you have completed the following two steps:

+1. You (or the admin) set up device and data protection policies in the [setup wizard](../business/set-up.md).

+2. You have [connected your computer to Azure Active Directory](../business/set-up-windows-devices.md) and use your Microsoft 365 username and password to sign in.

+3. -->

+## Protect a computer running Windows 10 or a Mac

+<!--If you have a PC that is running Windows 10 that is not connected to Microsoft 365, or a Mac, the Microsoft 365 protections do not apply to it, but here are some things you can do to keep your data secure on these devices as well:

+-->

+If your Windows 10 PC or Mac is not managed by your organization, be sure to configure these security capabilities.

+## [Windows 10](#tab/Windows10)

+**Turn on device encryption**<p>

+Device encryption is available on a wide range of Windows devices and helps protect your data by encrypting it. If you turn on device encryption, only authorized individuals will be able to access your device and data. See [turn on device encryption](https://support.microsoft.com/help/4028713/windows-10-turn-on-device-encryption) for instructions.

+ If device encryption isn't available on your device, you can turn on standard [BitLocker encryption](https://support.microsoft.com/help/4028713/windows-10-turn-on-device-encryption) instead. (BitLocker isn't available on Windows 10 Home edition.)

+**Protect your device with Windows Security**<p>

+If you have Windows 10, you'll get the latest antivirus protection with Windows Security. When you start up Windows 10 for the first time, Windows Security is on and actively helping to protect your PC by scanning for malware (malicious software), viruses, and security threats. Windows Security uses real-time protection to scan everything you download or run on your PC.

+Windows Update downloads updates for Windows Security automatically to help keep your PC safe and protect it from threats.

+If you have an earlier version of Windows and are using Microsoft Security Essentials, it's a good idea to move to Windows Security. For more information, see [help protect my device with Windows Security](https://support.microsoft.com/help/17464/windows-10-help-protect-my-device-with-windows-security).

+**Turn on Windows Firewall**<p>

+You should always run Windows Firewall even if you have another firewall turned on. Turning off Windows Firewall might make your device (and your network, if you have one) more vulnerable to unauthorized access. See [Turn Windows Firewall on or off](https://support.microsoft.com/help/4028544/windows-10-turn-windows-defender-firewall-on-or-off) for instructions.

+## [Mac](#tab/Mac)

+**Use FileVault to encrypt your Mac disk**<p>

+Disk encryption protects data when devices are lost or stolen. FileVault full-disk encryption helps prevent unauthorized access to the information on your startup disk. See [use FileVault to encrypt the startup disk on your Mac](https://support.apple.com/HT204837) for instructions.

+**Protect your mac from malware**<p>

+Microsoft recommends that you install and use reliable antivirus software on your Mac. See the following article for a list of choices: [Best Mac antivirus 2019](https://www.macworld.co.uk/feature/mac-software/mac-antivirus-3672182/).

+You can also reduce the risk of malware by using software only from reliable sources. The settings in Security & Privacy preferences allow you to specify the sources of software installed on your Mac. For more information, see [protect your Mac from malware](https://support.apple.com/kb/PH25087).

+**Turn on firewall protection**<p>

+Use firewall settings to protect your Mac from unwanted contact initiated by other computers when you're connected to the Internet or a network. Without this protection, your Mac might be more vulnerable to unauthorized access. See [about the application firewall](https://support.apple.com/HT201642) for instructions.

+ Title: "Bump up security protection for your campaign or business"

+f1.keywords:

+- NOCSH

+ms.audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-identity-device-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+- MOE150

+description: "Learn how to protect your campaign or business by increasing your security with Microsoft 365."

+# Bump up security protection for your campaign or business

+## Overview

+Watch this video to see how you can protect your campaign or business:

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3cfV1]

+Then follow the steps to:

+- [Protect against malware and other threats](m365-campaigns-increase-protection.md)

+- [Protect access to your campaign data](m365-campaigns-conditional-access.md) by protecting your accounts and apps

+- [Protect admin accounts](m365-campaigns-protect-admin-accounts.md)

+- [Set up mobile devices](../business/set-up-mobile-devices.md?toc=/microsoft-365/campaigns/toc.json)

+- [Train your users](m365-campaigns-users.md)

+ Title: "Sign in to Microsoft 365"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- Core_O365Admin_Migration

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+description: "Sign in to Microsoft 365. Protect your business, practice, or campaign from cybersecurity threats to email, data, and communication."

+# Sign in to Microsoft 365 Business Premium

+## For business or campaign admins

+If you signed up for Microsoft 365, you're the Microsoft 365 admin. Here's how to sign in:

+1. Find the username and password that we sent to the email address that you gave us in step 2 of [Steps to sign up](m365-campaigns-sign-up.md#steps-to-sign-up).

+2. In the browser, go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.

+3. Type in your username and password. Select **Sign in**.

+4. In the top right of the page, find the **Preview on** control. Select **Preview on** so you can use all the controls described in [Bump up protection for your campaign](m365-campaigns-security-overview.md).

+## For staff

+Set up staff as described in [Add users](../admin/add-users/add-users.md?toc=%2fmicrosoft-365%2fcampaigns%2ftoc.json)

+You can also reset and resend passwords on the **Add users** page.

+All staff can sign in at <a href="https://office.com" target="_blank">https://Office.com</a>.

+ Title: "Sign up for Microsoft 365 for Campaigns"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- Core_O365Admin_Migration

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+ms.assetid: 5abfef7b-5957-484a-b06b-a7c55e013e44

+description: "Step-by-step sign-up for Microsoft 365 for Campaigns. Protect your campaign from cybersecurity threats to email, data, and communication."

+# Sign up for Microsoft 365 for Campaigns

+Here's how to complete your sign-up for Microsoft 365 for Campaigns.

+## Before you start:

+- Get your invite to Microsoft 365 for Campaigns by completing the steps in [Get Microsoft 365 for Campaigns](get-microsoft-365-campaigns.md#get-microsoft-365-for-campaigns).

+- Open your email invitation from Microsoft. The invite has a unique sign-up link for your organization. You need this to get campaigns special pricing.

+- Have your business credit card and a phone ready.

+ > [!TIP]

+ > Your sign-up link is unique to your campaign. It only works once, so make sure you have enough time to complete sign-up. You need about ten minutes.

+## Steps to sign up

+1. In your invitation to Microsoft 365 for Campaigns email, select **ENROLL YOUR ORGANIZATION >**. This takes you to Microsoft 365 sign-up.

+ > [!NOTE]

+ > If you already have an existing Microsoft 365 for business subscription and you want to add the Microsoft 365 for Campaigns offer to it, go to [add Microsoft 365 for Campaigns to an existing subscription](#steps-to-add-microsoft-365-for-campaigns-to-an-existing-subscription).

+1. **On the Microsoft 365 Business page**, enter your business details. For **Business email address**, use a current email address. We only need this address to stay in touch with you during the setup process. Select **Next**.

+1. **On the Create your user ID page**:

+ 1. In **Username**, enter the name or alias you want for your email address. For example, you might want to be known as just Alice, or Rob. In a larger campaign, AliceC or AliceChavez might make more sense.

+ 2. In **Your company**, enter the name of the campaign you work for. For example, ContosoCampaign. If you already own a domain, use that name here.

+ 3. In **Select a domain**, select **.onmicrosoft.com** for now. We can set you up with a domain later, or help you get Microsoft 365 connected to a domain that you already own.

+ > [!IMPORTANT]

+ > The name you enter for your .onmicrosoft.com domain will be used for all your SharePoint and OneDrive URLs and you might not be able to change it. Make sure youΓÇÖve considered the name from a branding perspective and spelled it correctly.

+ 4. Create a password and select **Create my account**.

+ > [!NOTE]

+ > If your campaign or party doesn't own a domain, and you have decided what domain you want, you can buy one now by selecting it.

+4. **Prove. You're. Not. A. Robot. page**:

+ 1. Have your phone ready, and select **Text me** (or **Call me** if you prefer). Then enter your phone number.

+ 2. When you select **Text me**, we'll send you a verification code. Or we'll call you with a code if you select **Call me**.

+ 3. Enter the code from your text message (or call) and select **Next**. Expect a short wait.

+5. **Where will you be using this page**: Enter the campaign's primary work location details and phone number. Select **Next**.

+6. **How does this look page**:

+ 1. Verify the cost per user is $5.00.

+ 2. If you only want to set yourself up for now, select **Next**.

+ 3. Optional: Add some extra licenses now by changing the number in the **user** field. [The staff you work with can be assigned licenses to Microsoft 365](../admin/add-users/add-users.md?toc=%2fmicrosoft-365%2fcampaigns%2ftoc.json) at any time.

+7. **How do you want to pay? page**: Select **New credit card**, enter your business credit card details, and select **Place order**. If you prefer, it's also possible to use a bank account.

+8. **This may take a moment page**: You'll find details about where to sign in and your user ID. We'll also send this information to the email address that you entered during step 2 above.

+Your sign-up steps are complete!

+If you want to continue with the next steps, select **Start Setup**, or come back later to finish the steps. When you're ready, check your email (from step 2) to find your user name and password so you can log in next time.

+These are called your admin or global admin credentials.

+## Steps to add Microsoft 365 for Campaigns to an existing subscription

+If you already have and existing subscription to Microsoft 365 for business, for example, Microsoft 365 Business Standard, you can use the Microsoft 365 for Campaigns offer to add licenses to it.

+> [!IMPORTANT]

+> You cannot add the Microsoft 365 for Campaigns offer to an existing Microsoft 365 account.

+1. In your invitation to Microsoft 365 for Campaigns email, select **ENROLL YOUR ORGANIZATION >**. This takes you to Microsoft 365 sign-up.

+2. On the **Welcome, let's get to know you** page, click or tap **Want to add this to an existing subscription? Sign in**.

+

+ 

+3. On the sign in page, enter the admin alias for your existing subscription, for example *Alice@VoteContoso<span></span>.org*, choose **Next**, enter your password, and then choose **Sign in**.

+4. On the **How does this look?** enter the number of users you have and choose **Next**. You don't have to enter a promo code here because it is already included in the invitation URL.

+5. On the **How do you want to pay?** page, enter your payment method and choose **Place order**.

+After you have completed these steps, you're ready to [assign the new licenses](../admin/manage/assign-licenses-to-users.md) to your campaign staff.

+## What's next?

+- [Set up Microsoft 365](../business/set-up.md?toc=/microsoft-365/campaigns/toc.json) to complete your Microsoft 365 for Campaigns set up.

+- [Add users](../admin/add-users/add-users.md?toc=%2fmicrosoft-365%2fcampaigns%2ftoc.json) to your plan. Include the campaign candidate, all senior campaign staff, and anyone who will have access to sensitive campaign or party information.

+- [Bump up protection for your campaign](m365-campaigns-security-overview.md)

+ Title: "How these security recommendations affect your users"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-identity-device-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+- MOE150

+description: "Learn how these security recommendations for Microsoft 365 Business Premium affects your users and protects your data."

+# How these security recommendations affect your users

+The security recommendations for Microsoft 365 in this solution make it much harder for hackers to gain access to your environment. The tradeoff is that your users will need to be aware of how to work within this more secure environment. We understand a little extra patience is required, but it's worth it to keep your organization protected.

+

+## Use secure email practices

+All users should be aware of and use these email practices to help keep their email secure:

+- Set up email to use multi-factor authentication with the authenticator app.

+- Verify legitimate emails and look for safety tips from Advanced Phishing in Defender for Office 365 Protection.

+- Open only safe links and attachments, as verified by Safe Links and Safe Attachments.

+Learn more about [multi-factor authentication](m365-campaigns-multifactor-authentication.md) and [phishing and other attacks](m365-campaigns-phishing-and-attacks.md).

+Download an [infographic](m365-campaigns-protect-campaign-infographic.md) with tips for you and the members of your team.

+## Set up iPhones and Android devices

+All users you add to your environment will need to take a few minutes to [setup iPhones and Android devices](../business/set-up-mobile-devices.md?toc=%2Fmicrosoft-365%2Fcampaigns%2Ftoc.json) to work securely:

+- Set up devices to use multi-factor authentication with the authenticator app.

+- Use Microsoft mobile apps, including Outlook Mobile, Word, OneDrive, and other Microsoft apps from the app store. The native mail apps that are included on iPhones and Android devices aren't supported.

+- Require a PIN for users to unlock their device.

+After setting these up, your users will be prompted to use the authenticator app when accessing your organization data on these devices, including mail.

+## Keep BYOD Macs and Windows 10 PCs fresh

+It's also important that users keep their primary work device up to date:

+- Install the latest versions of Office desktop apps and keep these fresh with updates, when prompted.

+- Stay on top of operating system updates, such as Windows updates.

+For [unmanaged Windows 10 and Mac devices](m365-campaigns-protect-pcs-macs.md), users have the responsibility to ensure that basic security features are enabled.

+**Enable basic security capabilities on BYOD Windows 10 and Mac devices**

+|**Windows 10**|**Mac**|

+|:--|:|

+|Turn on BitLocker device protection<p><p> Ensure Windows Defender remains on <p>Turn on Windows Firewall| Use FileVault to encrypt the Mac disk <p><p>Use a reliable antivirus software <p>Turn on firewall protection|

+To learn more about these recommendations, see [Protect your account and devices from hackers and malware](https://support.office.com/article/Protect-your-account-and-devices-from-hackers-and-malware-066d6216-a56b-4f90-9af3-b3a1e9a327d6#ID0EAABAAA=Windows_10).

+## Collaborate using Microsoft Teams, OneDrive, SharePoint Online, and other tools

+Your users might be tempted to share and store your organization files in places other than Microsoft 365. Microsoft 365 makes it as easy as possible to collaborate and share securely. You can [share files and videos](share-files-and-videos.md) directly from Microsoft Teams, OneDrive, Stream, and even from within a file. Sharing from within these tools helps keep your data from leaking. You can add additional protection to sensitive data to prevent sharing outside your organization.

+## Set up managed Windows 10 devices

+We recommend that your most important staff members use freshly acquired Windows 10 devices that you manage. We'll show you how to [manage and secure these devices](../business/set-up-windows-devices.md?toc=/microsoft-365/campaigns/toc.json). This ensures that staff members who are the highest value target to hackers receive the most protection.

+ Title: "Customize sign-in page with a privacy and consent notice"

+f1.keywords:

+- NOCSH

+ms.audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+description: "Customize your sign-in page with a privacy and consent notice for Microsoft 365."

+# Customize your sign-in page with a privacy and consent notice

+Your business or campaign can make it easier for law enforcement agencies to file legal charges against online criminals by adding a privacy and consent notice to your sign-in page.

+You can customize your sign-in page with your branding. You can also add text to help your users sign in, or to point out legal requirements or restrictions for getting access to Microsoft 365 resources.

+## Design customization the text on your sign-in page

+To update the customizable elements on the sign-in page, you have to be a global admin. For specific instructions, see [add company branding](/azure/active-directory/fundamentals/customize-branding) article.

+The elements you can update are:

+- **Sign-in page text**

+ An easy place to add the privacy and consent statement.

+- Sign-in page background image

+- Banner logo

+- Username hint

+For examples of privacy and consent notices, see Appendix A in [Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations](https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ssmanual2009.pdf).

+ Title: "Setup overview for Microsoft 365 Business Premium"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- Core_O365Admin_Migration

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+ms.assetid: 496e690b-b75d-4ff5-bf34-cc32905d0364

+description: "Setup overview for Microsoft 365 Business Premium for campaigns or other businesses"

+# Set up Microsoft 365 Business Premium

+This article describes the process of setting up Microsoft 365. Anybody with Microsoft 365 Business Premium can use this guidance to step up security.

+## Admins: Set up Microsoft 365

+The following diagram describes how admins set up Microsoft 365.

+

+For campaigns that qualify for special pricing, get started by [requesting an invite from Microsoft](https://m365forcampaigns.microsoft.com/), then [signing up for Microsoft 365 for Campaigns](m365-campaigns-sign-up.md). To complete setup, [run the setup wizard](../business/set-up.md?toc=/microsoft-365/campaigns/toc.json) to configure the core settings.

+For all other organizations, after you've [signed up for Microsoft 365 Business Premium](../admin/admin-overview/sign-up-for-office-365.md)), complete setup by [running the setup wizard](../business/set-up.md?toc=/microsoft-365/campaigns/toc.json) to configure the core settings.

+For all organizations, bump up security protection by: [protecting admin accounts](m365-campaigns-protect-admin-accounts.md), [protecting access to mail and data](m365-campaigns-conditional-access.md), and [increasing threat protection](m365-campaigns-increase-protection.md).

+## Everyone: Set up your devices

+Users will need to take a few minutes to set up devices to work with this environment. For your key users (those who are the highest value targets for hackers), you can set up and pre-configure new devices. This helps them to get started when they sign in with their Microsoft 365 credentials.

+

+

+To set up user devices:

+1. Each user [sets up their mobile devices](../business/set-up-mobile-devices.md?toc=%2Fmicrosoft-365%2Fcampaigns%2Ftoc.json).

+2. For unmanaged devices, users set up their [PCs and Macs](m365-campaigns-protect-pcs-macs.md).

+For key staff, we recommend that you use [managed devices](../business/set-up-windows-devices.md?toc=/microsoft-365/campaigns/toc.json) for even better protection. For all devices, you'll want to set up [multifactor authentication](m365-campaigns-multifactor-authentication.md).

+3. All users should learn how to protect themselves and your campaign by learning about [phishing and other attacks](m365-campaigns-phishing-and-attacks.md). This [infographic](m365-campaigns-protect-campaign-infographic.md) can also help your users understand how to help protect your campaign from online threats.

+## Contact support

+ **If you need to contact support:**

+

+As a Microsoft 365 admin, you have access to our customer support team, **[Contact support for business products - Admin Help](../business-video/get-help-support.md)**

+ Title: "Send encrypted email"

+f1.keywords:

+- NOCSH

+ms.audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- Core_O365Admin_Migration

+- MiniMaven

+- MSB365

+- admindeeplinkEXCHANGE

+search.appverid:

+- BCS160

+- MET150

+ms.assetid: 496e690b-b75d-4ff5-bf34-cc32905d0364

+description: "Learn how to send encrypted email using Outlook."

+# Encrypt or label your sensitive email

+Your data and campaign information is important and often confidential. Help protect this sensitive information by using encryption and sensitivity labels so you and your email recipients treat the information with the sensitivity it requires.

+## Best practices

+Before you send email with confidential or sensitive information, consider turning on:

+- **Encryption:** You can encrypt your email to protect the privacy of the information in the email. When you encrypt an email message, it's converted from readable plain text into scrambled cypher text. Only the recipient who has the private key that matches the public key used to encrypt the message can decipher the message for reading. Any recipient without the corresponding private key, however, sees indecipherable text. Your admin can define rules to automatically encrypt messages that meet certain criteria. For instance, your admin can create a rule that encrypts all messages sent outside your organization or all messages that mention specific words or phrases. Any encryption rules will be applied automatically.

+- **Sensitivity labels:** Your campaign can also set up sensitivity labels that you can apply to your files and email to keep them compliant with your campaign's information protection policies. When you set a label, the label persists with your email, even when it's sent - for example, by appearing as a header to your message.

+

+## Set it up

+If you want to encrypt a message that doesn't meet a pre-defined rule or your admin hasn't set up any rules, you can apply a variety of different encryption rules before you send the message. To send an encrypted message from Outlook 2013 or 2016, or Outlook 2016 for Mac, select **Options > Permissions**, then select the protection option you need. You can also send an encrypted message by selecting the **Protect** button in Outlook on the web. For more information, see [Send, view, and reply to encrypted messages in Outlook for PC](https://support.microsoft.com/en-us/office/send-view-and-reply-to-encrypted-messages-in-outlook-for-pc-eaa43495-9bbb-4fca-922a-df90dee51980).

+## Admin settings

+You can learn all about setting up email encryption at [Email encryption in Microsoft 365](../compliance/email-encryption.md).

+### Automatically encrypt email messages

+Admins can create mail flow rules to automatically protect email messages that are sent and received from your campaign. Set up rules to encrypt any outgoing email messages, and remove encryption from encrypted messages coming from inside your organization or from replies to encrypted messages sent from your organization.

+You create mail flow rules to encrypt email messages with the new Office 365 Message Encryption (OME) capabilities. Define mail flow rules for triggering message encryption with the new OME capabilities by using the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center (EAC)</a>.

+1. In a web browser, using a work or school account that has been granted global administrator permissions, sign in.

+2. Choose the Admin tile.

+3. In the admin center, choose **Admin centers > Exchange**.

+For more information, see [Define mail flow rules to encrypt email messages](../compliance/define-mail-flow-rules-to-encrypt-email.md).

+### Brand your encryption messages

+You can also apply your campaign branding to customize the look and the text in the email messages. For more information, see [Add your organization's brand to your encrypted messages](../compliance/email-encryption.md).

+ Title: "Set up online meetings"

+f1.keywords:

+- NOCSH

+ms.audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-identity-device-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- Core_O365Admin_Migration

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+- MOE150

+description: "Set up online meetings with Microsoft Teams."

+# Set up meetings

+Meetings in Microsoft Teams include audio, video, and sharing. And because they're online, you'll always have a meeting space (without needing a room or projector!), even if your staff is geographically distributed or working remotely. Microsoft Teams meetings are a great way to come together with your staff both inside and outside of your organization. You don’t need to be a member of your organization or even have an account to join a meeting. You can schedule and run online meetings using Microsoft Teams. During a meeting, you can share your screen, share files, assign tasks, and more. Political campaigns can include staff, volunteers, and guests outside your organization in the meeting. Small firms or practices can meet with their staff, or meet with clients or partners over Microsoft Teams.

+[](https://go.microsoft.com/fwlink/?linkid=2078712)

+Download an infographic in [PDF](https://go.microsoft.com/fwlink/?linkid=2078712) or [PowerPoint](https://go.microsoft.com/fwlink/?linkid=2079515) to get a quick overview of how to join or host an online meeting with Microsoft Teams.

+## Best practices

+Follow these best practices for your online meetings:

+- Schedule your online meetings right in Microsoft Teams. You can choose a team and channel, and Teams will invite the participants in that team or channel automatically.

+- Need an impromptu meeting? If you're in a one-on-one chat, choose **Meet now** to start a video or audio call with the person you're chatting with.

+## Schedule a meeting

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FOhP]

+## Join a meeting

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FYWn]

+Learn more about meeting in Microsoft Teams:

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWeokQ]

+ Title: "Share files and videos"

+f1.keywords:

+- NOCSH

+ms.audience: Admin

+ms.localizationpriority: medium

+- Adm_O365

+- M365-subscription-management

+- M365-identity-device-management

+- M365-Campaigns

+- m365solution-smb

+- Adm_O365

+- Core_O365Admin_Migration

+- MiniMaven

+- MSB365

+search.appverid:

+- BCS160

+- MET150

+- MOE150

+description: "Share files and videos inside your campaign with Microsoft Teams and SharePoint."

+# Share files and videos

+When you need to control who can view and who can edit your files, you need to store the files in a secure location, where you can make sure permissions are applied appropriately. You can use Microsoft Teams to store your files, and then share the files either inside or outside of your firm, practice, or campaign by using Microsoft Teams or by sending SharePoint links. Sending a link rather than an email attachment means that you know who is viewing and modifying the files, and they can't be viewed or modified without your permission.

+

+With your files in Microsoft Teams and SharePoint, you can also work on the files together and review each other's changes. Use Microsoft Teams to share files inside of a firm, practice, or campaign. If you need to share externally with people outside your organization, you can add them as guests to a team or send them a secure SharePoint link.

+You can also use Microsoft Stream to store and share videos internally. These videos are not viewable to the public so they are ideal for internal campaign messaging.

+## Best practices

+Use these methods to share files and videos securely:

+1. Store files in Microsoft Teams or SharePoint, and make sure that only the people who need access to those files have them.

+2. When you want to share, don't attach files to an email. Instead, choose **Get link** from Microsoft Teams or SharePoint and send the link in email.

+3. To share a file externally, add the user as a guest to your team, or use SharePoint to get a secure link to share just that file.

+4. Use Microsoft Stream to host videos you want your campaign to see.

+5. Use Microsoft Teams or SharePoint to store video files you need your team to collaborate on or share.

+## Set up

+To create a team and add guests, like advertisers or financing partners, to it, follow these steps.

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FQMp]

+To share a secure link with a guest, without using Microsoft Teams, follow these steps.

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE22Yf0]

+To create and share videos, follow these steps.

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWrv0F]

+Download an infographic in [PDF](https://go.microsoft.com/fwlink/?linkid=2079435) or [PowerPoint](https://go.microsoft.com/fwlink/?linkid=2079438) to get a quick overview of ways to share your files.

+[](https://go.microsoft.com/fwlink/?linkid=2079435)

+|Automatically applied or default label from policy, lower priority |Word, Excel, PowerPoint: Yes <br /><br> Outlook: Yes | SharePoint and OneDrive: Yes <br /><br> Exchange: Yes |

+|Automatically applied or default label from policy, higher priority |Word, Excel, PowerPoint: No <br /><br> Outlook: No |SharePoint and OneDrive: No <br /><br> Exchange: No by default, but configurable |

+The Azure Information Protection unified labeling client supports automatic labeling only for built-in and custom sensitive info types, and doesn't support trainable classifiers or sensitive info types that use Exact Data Match (EDM) or named entities.

+If you use this option with Microsoft 365 Apps for Windows version 2106 or lower, or Microsoft 365 Apps for Mac version 16.50 or lower, make sure you've published in your tenant at least one other sensitivity label that's configured for auto-labeling and the [sensitive info types option](#configuring-sensitive-info-types-for-a-label). This requirement isn't necessary when you use later versions on these platforms.

+|Financial| U.S. Gramm-Leach-Bliley Act (GLBA) Enhanced|- [Credit card number](sensitive-information-type-entity-definitions.md#credit-card-number) </br> - [U.S. bank account number](sensitive-information-type-entity-definitions.md#us-bank-account-number)</br> - [U.S. Individual Taxpayer Identification Number (ITIN)](sensitive-information-type-entity-definitions.md#us-individual-taxpayer-identification-number-itin) </br> - [U.S. social security number (SSN)](sensitive-information-type-entity-definitions.md#us-social-security-number-ssn)</br> - [U.S./U.K. passport number](sensitive-information-type-entity-definitions.md#usuk-passport-number) </br> -[U.S. driver's license number](sensitive-information-type-entity-definitions.md#us-drivers-license-number)|

+|Privacy| U.K. Data Protection Act|- [U.K. national insurance number (NINO)](sensitive-information-type-entity-definitions.md#uk-national-insurance-number-nino) </br> - [U.S./U.K. passport number](sensitive-information-type-entity-definitions.md#usuk-passport-number) </br> - [SWIFT code](sensitive-information-type-entity-definitions.md#swift-code)|

+|Privacy| U.K. Personally Identifiable Information (PII) Data|- [U.K. national insurance number (NINO)](sensitive-information-type-entity-definitions.md#uk-national-insurance-number-nino) </br> - [U.S./U.K. passport number](sensitive-information-type-entity-definitions.md#usuk-passport-number)|

+|Privacy| U.S. Personally Identifiable Information (PII) Data Enhanced|- [U.S. Individual Taxpayer Identification Number (ITIN)](sensitive-information-type-entity-definitions.md#us-individual-taxpayer-identification-number-itin) </br> - [U.S. social security number (SSN)](sensitive-information-type-entity-definitions.md#us-social-security-number-ssn)</br> - [U.S./U.K. passport number](sensitive-information-type-entity-definitions.md#usuk-passport-number)|

+|Privacy| U.S. Personally Identifiable Information (PII) Data|- [U.S. Individual Taxpayer Identification Number (ITIN)](sensitive-information-type-entity-definitions.md#us-individual-taxpayer-identification-number-itin) </br> - [U.S. social security number (SSN)](sensitive-information-type-entity-definitions.md#us-social-security-number-ssn)</br> - [U.S./U.K. passport number](sensitive-information-type-entity-definitions.md#usuk-passport-number)|

+|Privacy| U.S. State Breach Notification Laws Enhanced|- [Credit card number](sensitive-information-type-entity-definitions.md#credit-card-number) </br> - [U.S. bank account number](sensitive-information-type-entity-definitions.md#us-bank-account-number)</br> -[U.S. driver's license number](sensitive-information-type-entity-definitions.md#us-drivers-license-number) </br> - [U.S. social security number (SSN)](sensitive-information-type-entity-definitions.md#us-social-security-number-ssn) </br> - [U.S./U.K. passport number](sensitive-information-type-entity-definitions.md#usuk-passport-number)|

+description: "There are many sensitive information types that are ready for you to use in your DLP policies. This article lists all of these sensitive information types and shows what a DLP policy looks for when it detects each type."

+## All full names

+This is a bundled named entity which detects full names for people from all supported countries/regions, which include Australia, China, Japan, U.S., and countries in the EU. Use this SIT to detect all possible matches of full names.

+### Format

+Various.

+### Pattern

+Various.

+### Checksum

+No.

+### Description

+This named entity SIT matches personal names that a human would identify as a name with high confidence. It uses three primary resources:

+- A dictionary of given names.

+- A dictionary of family names.

+- Patterns of how names are formed.

+The three resources are different for each country. For example, for names in United States dictionary, if a string is found consisting of a given name and is followed by a family name then a match is made with high confidence. The strings *Olivia Wilson* would trigger a match.Common given/family names are given a higher confidence than rarer names. However, the pattern also allows partial matches. For example a given name from the dictionary followed by an family name that is not in the dictionary, like *Tomas Richard* would trigger a partial match. Partial matches are given lower confidence.

+In addition, patterns that a human would see as indicative of names are also matched with appropriate confidence. Like *O. Wilson*, *O.P. Wilson*, *Dr. O. P. Wilson*, *Wilson, O.P.* or *T. Richard, Jr.* would be matches.

+### Supported languages

+- English

+- Bulgarian

+- Chinese

+- Croatian

+- Czech

+- Danish

+- Estonian

+- Finnish

+- French

+- German

+- Hungarian

+- Icelandic

+- Irish

+- Italian

+- Japanese

+- Latvian

+- Lithuanian

+- Maltese

+- Dutch

+- Norwegian

+- Polish

+- Portuguese

+- Romanian

+- Slovak

+- Slovenian

+- Spanish

+- Swedish

+- Turkish

+## All medical terms and conditions

+This is a bundled named entity which detects medical terms and medical conditions. It detects English terms only. Use this SIT to detect all possible matches of medical terms and conditions.

+### Format

+Dictionary

+### Pattern

+Dictionary

+### Checksum

+No

+### Description

+This bundled named entity matches text that mentions medical conditions that are present in curated dictionaries. There is one curated dictionary per supported language. The dictionaries are from a number of international medical resources. The curated dictionaries incorporate as many medical conditions as possible without risking a large number of false positives. .Each entry contains the different forms that a single condition is commonly written in to ensure coverage, for example:

+- *TB*

+- *tuberculosis*

+- *phthisis pulmonalis*

+### Contains

+This bundled named entity SIT contains these individual SITs.

+- Blood test terms

+- Types of medication

+- Diseases

+- Generic medication names

+- Impairments listed in the U.S. Disability Evaluation Under Social Security

+- Lab test terms

+- Lifestyles that relate to medical conditions

+- Medical specialties

+- Surgical procedures

+- Brand medication names

+## All Physical Addresses

+This is a bundled entity SIT which detects patterns related to physical addresses from all supported countries/regions.

+### Format

+Various

+### Pattern

+Various

+### Checksum

+No

+### Description

+The matching of street addresses is designed to match strings that a human would identify as a street address. To do this it uses several primary resources:

+- A dictionary of settlements, counties and regions.

+- A dictionary of street suffixes, like Road, Street, or Avenue.

+- Patterns of postal codes.

+- Patterns of address formats.

+The resources are different for each country. The primary resources are the patterns of address formats that are used in a given country. The different formats are chosen to make sure that as many addresses as possible are matched, without risking a high number of false positives. These formats allow flexibility for example, an address may omit the postal code or omit a town name or have a street with no street suffix. In all cases such matches are used to increase the confidence of the match.

+Note that the patterns are designed to match individual single addresses, not generic locations. So strings such as *Redmond, WA 98052* or *Main Street, Albuquerque* will not be matched.

+### Contains

+This bundled named entity SIT contains these individual SITs:

+- Australia physical address

+- Austria physical address

+- Belgium physical address

+- Brazil physical address

+- Bulgaria physical address

+- Canada physical address

+- Croatia physical address

+- Cyprus physical address

+- Czech Republic physical address

+- Denmark physical address

+- Estonia physical address

+- Finland physical address

+- France physical address

+- Germany physical address

+- Greece physical address

+- Hungary physical address

+- Iceland physical address

+- Ireland physical address

+- Italy physical address

+- Latvia physical address

+- Liechtenstein physical address

+- Lithuania physical address

+- Luxembourg physical address

+- Malta physical address

+- Netherlands physical address

+- New Zealand physical address

+- Norway physical address

+- Poland physical address

+- Portugal physical address

+- Romania physical address

+- Slovakia physical address

+- Slovenia physical address

+- Spain physical address

+- Sweden physical address

+- Switzerland physical address

+- Turkey physical address

+- United Kingdom physical address

+- United States physical address

+### Supported languages

+- English

+- Bulgarian

+- Chinese

+- Croatian

+- Czech

+- Danish

+- Estonian

+- Finnish

+- French

+- German

+- Hungarian

+- Icelandic

+- Irish

+- Italian

+- Japanese

+- Latvian

+- Lithuanian

+- Maltese

+- Dutch

+- Norwegian

+- Polish

+- Portuguese

+- Romanian

+- Slovak

+- Slovenian

+- Spanish

+- Swedish

+- Turkish

+## Australia physical addresses

+Unbundled named entity, detects patterns related to physical address from Australia.

+### Confidence level

+medium

+## Austria physical addresses

+This unbundled named entity detects patterns related to physical address from Austria.

+### Confidence level

+Medium

+This sensitive information type identifies these keywords by using a regular expression, not a keyword list.

+This sensitive information type identifies these keywords by using a regular expression, not a keyword list.

+## Belgium physical addresses

+This unbundled named entity detects patterns related to physical addresses from Belgium.

+### Confidence level

+Medium

+## Blood test terms

+This unbundled named entity detects terms related to blood tests, such as *hCG*. It supports English terms only.

+### Confidence level

+High

+## Brand medication names

+This unbundled named entity detects names of brand medication, such as *Tylenol*. It supports English terms only.

+### Confidence level

+High

+## Brazil physical addresses

+This unbundled named entity detects patterns related to physical address from Brazil.

+### Confidence level

+Medium

+## Bulgaria passport number

+### Format

+nine digits without spaces and delimiters

+### Pattern

+nine digits

+### Checksum

+No

+### Definition

+A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The regular expression `Regex_bulgaria_eu_passport_number` finds content that matches the pattern.

+- A keyword from `Keywords_eu_passport_number` or `Keywords_bulgaria_eu_passport_number` is found.

+- The regular expression `Regex_eu_passport_date1` finds date in the format DD.MM.YYYY or a keyword from `Keywords_eu_passport_date` is found

+A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The regular expression `Regex_bulgaria_eu_passport_number` finds content that matches the pattern.

+- A keyword from `Keywords_eu_passport_number` or `Keywords_bulgaria_eu_passport_number` is found.

+```xml

+ <!-- Bulgaria Passport Number -->

+ <Entity id="f7172b82-c588-4216-845e-4e54e397f29a" patternsProximity="300" recommendedConfidence="75">

+ <Pattern confidenceLevel="85">

+ <IdMatch idRef="Regex_bulgaria_eu_passport_number" />

+ <Any minMatches="1">

+ <Match idRef="Keywords_eu_passport_number" />

+ <Match idRef="Keywords_bulgaria_eu_passport_number" />

+ </Any>

+ <Any minMatches="1">

+ <Match idRef="Regex_eu_passport_date1" />

+ <Match idRef="Keywords_eu_passport_date" />

+ </Any>

+ </Pattern>

+ <Pattern confidenceLevel="75">

+ <IdMatch idRef="Regex_bulgaria_eu_passport_number" />

+ <Any minMatches="1">

+ <Match idRef="Keywords_eu_passport_number" />

+ <Match idRef="Keywords_bulgaria_eu_passport_number" />

+ </Any>

+ </Pattern>

+ </Entity>

+```

+### Keywords

+#### Keywords_eu_passport_number

+- passport#

+- passport #

+- passportid

+- passports

+- passportno

+- passport no

+- passportnumber

+- passport number

+- passportnumbers

+- passport numbers

+#### Keywords_bulgaria_eu_passport_number

+- номер на паспорта

+- номер на паспорт

+- паспорт №

+#### Keywords_eu_passport_date

+- date of issue

+- date of expiry

+## Bulgaria physical addresses

+This unbundled named entity detects patterns related to physical address from Bulgaria.

+### Confidence level

+Medium

+## Canada bank account number

+7 or 12 digits

+A Canada Bank Account Number is 7 or 12 digits.

+A Canada bank account transit number is:

+- five digits

+- a hyphen

+- three digits

+OR

+- a zero "0"

+- eight digits

+- The regular expression Regex_canada_bank_account_number finds content that matches the pattern.

+- A keyword from Keyword_canada_bank_account_number is found.

+- The regular expression Regex_canada_bank_account_transit_number finds content that matches the pattern.

+A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The regular expression Regex_canada_bank_account_number finds content that matches the pattern.

+- A keyword from Keyword_canada_bank_account_number is found.

+## Canada physical addresses

+This unbundled named entity detects patterns related to physical address from Canada.

+### Confidence level

+Medium

+## Croatia physical addresses

+This unbundled named entity detects patterns related to physical address from Croatia.

+### Confidence level

+Medium

+## Cyprus physical addresses

+This unbundled named entity detects patterns related to physical address from Cyprus.

+### Confidence level

+Medium

+## Czech Republic physical addresses

+This unbundled named entity detects patterns related to physical address from the Czech Republic.

+### Confidence level

+Medium

+## Denmark physical addresses

+This unbundled named entity detects patterns related to physical address from Denmark.

+### Confidence level

+Medium

+## Diseases

+This unbundled named entity detects text that match disease names, such as *diabetes*. It supports English terms only.

+### Confidence level

+High

+## Estonia passport number

+### Format

+one letter followed by seven digits with no spaces or delimiters

+### Pattern

+one letter followed by seven digits

+### Checksum

+No

+### Definition

+A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The regular expression `Regex_estonia_eu_passport_number` finds content that matches the pattern.

+- A keyword from `Keywords_eu_passport_number` or `Keywords_estonia_eu_passport_number` is found.

+- The regular expression `Regex_eu_passport_date1` finds date in the format DD.MM.YYYY or a keyword from `Keywords_eu_passport_date` is found

+A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The regular expression `Regex_estonia_eu_passport_number` finds content that matches the pattern.

+- A keyword from `Keywords_eu_passport_number` or `Keywords_estonia_eu_passport_number` is found.

+```xml

+ <!-- Estonia Passport Number -->

+ <Entity id="61f7073a-509e-425b-a754-bc01bb5d5b8c" patternsProximity="300" recommendedConfidence="75">

+ <Pattern confidenceLevel="85">

+ <IdMatch idRef="Regex_estonia_eu_passport_number" />

+ <Any minMatches="1">

+ <Match idRef="Keywords_eu_passport_number" />

+ <Match idRef="Keywords_estonia_eu_passport_number" />

+ </Any>

+ <Any minMatches="1">

+ <Match idRef="Regex_eu_passport_date1" />

+ <Match idRef="Keywords_eu_passport_date" />

+ </Any>

+ </Pattern>

+ <Pattern confidenceLevel="75">

+ <IdMatch idRef="Regex_estonia_eu_passport_number" />

+ <Any minMatches="1">

+ <Match idRef="Keywords_eu_passport_number" />

+ <Match idRef="Keywords_estonia_eu_passport_number" />

+ </Any>

+ </Pattern>

+ </Entity>

+```

+### Keywords

+#### Keywords_eu_passport_number_common

+- passport#

+- passport #

+- passportid

+- passports

+- passportno

+- passport no

+- passportnumber

+- passport number

+- passportnumbers

+- passport numbers

+#### Keywords_estonia_eu_passport_number

+eesti kodaniku pass

+passi number

+passinumbrid

+document number

+document no

+dokumendi nr

+#### Keywords_eu_passport_date

+- date of issue

+- date of expiry

+## Estonia physical addresses

+This unbundled named entity detects patterns related to physical address from Estonia.

+### Confidence level

+Medium

+- [U.S./U.K. passport number](#usuk-passport-number)

+These are the entities that are in the EU Social Security Number or equivalent identification and are sensitive information types.

+## Finland physical addresses

+This unbundled named entity detects patterns related to physical address from Finland.

+### Confidence level

+Medium

+## France physical addresses

+This unbundled named entity detects patterns related to physical address from France.

+### Confidence level

+Medium

+## Generic medication names

+This unbundled named entity detects names of generic medications, such as *acetominophen*. It supports English terms only.

+### Confidence level

+High

+## Germany driver's license number

+This sensitive information type entity is included in the EU Driver's License Number sensitive information type. It's also available as a stand-alone sensitive information type entity.

+### Format

+## Germany physical addresses

+This unbundled named entity detects patterns related to physical address from Germany.

+### Confidence level

+Medium

+## Greece physical addresses

+This unbundled named entity detects patterns related to physical address from Greece.

+### Confidence level

+Medium

+## Hungary personal identification number

+This sensitive information type is only available for use in:

+- data loss prevention policies

+- communication compliance policies

+- information governance

+- records management

+- Microsoft Defender for Cloud Apps

+### Format

+11 digits

+### Pattern

+11 digits:

+- One digit that corresponds to gender, 1 for male, 2 for female. Other numbers are also possible for citizens born before 1900 or citizens with double citizenship.

+- Six digits that correspond to birth date (YYMMDD)

+- Three digits that correspond to a serial number

+- One check digit

+### Checksum

+Yes

+### Definition

+A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The function `Func_hungary_eu_national_id_card` finds content that matches the pattern.

+- A keyword from `Keywords_hungary_eu_national_id_card` is found.

+A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The function `Func_hungary_eu_national_id_card` finds content that matches the pattern.

+```xml

+ <!-- Hungary Personal Identification Number -->

+ <Entity id="7b5cc218-7046-47d9-80c9-f325b50896ca" patternsProximity="300" recommendedConfidence="85">

+ <Pattern confidenceLevel="85">

+ <IdMatch idRef="Func_hungary_eu_national_id_card" />

+ <Match idRef="Keywords_hungary_eu_national_id_card" />

+ </Pattern>

+ <Pattern confidenceLevel="75">

+ <IdMatch idRef="Func_hungary_eu_national_id_card" />

+ <Any minMatches="0" maxMatches="0">

+ <Match idRef="Keywords_hungary_eu_telephone_number" />

+ <Match idRef="Keywords_hungary_eu_mobile_number" />

+ </Any>

+ </Pattern>

+ </Entity>

+```

+### Keywords

+#### Keywords_hungary_eu_national_id_card

+- id number

+- identification number

+- sz ig

+- sz. ig.

+- sz.ig.

+- személyazonosító igazolvány

+- személyi igazolvány

+## Hungary physical addresses

+This unbundled named entity detects patterns related to physical address from Hungary.

+### Confidence level

+Medium

+## Iceland physical addresses

+This unbundled named entity detects patterns related to physical address from Iceland.

+### Confidence level

+Medium

+## Impairments Listed In The U.S. Disability Evaluation Under Social Security

+This unbundled named entity detects names of impairments listed in the U.S. Disability Evaluation Under Social Security, such as *muscular dystrophy*. It supports English terms only.

+### Confidence level

+High

+## Ireland physical addresses

+This unbundled named entity detects patterns related to physical address from Ireland.

+### Confidence level

+Medium

+## Italy physical addresses

+This unbundled named entity detects patterns related to physical address from Italy.

+### Confidence level

+Medium

+## Lab test terms

+This unbundled named entity detects terms related to lab tests, such as *Insulin C-peptide*. It supports English terms only.

+### Confidence level

+High

+## Latvia passport number

+two letters or digits followed by seven digits with no spaces or delimiters

+two letters or digits followed by seven digits:

+- two digits or letters (not case-sensitive)

+- seven digits

+No

+- The regular expression `Regex_latvia_eu_passport_number` finds content that matches the pattern.

+- A keyword from `Keywords_eu_passport_number` or `Keywords_latvia_eu_passport_number` is found.

+- The regular expression `Regex_eu_passport_date1` finds date in the format DD.MM.YYYY or a keyword from `Keywords_eu_passport_date` is found

+- The regular expression `Regex_latvia_eu_passport_number` finds content that matches the pattern.

+- A keyword from `Keywords_eu_passport_number` or `Keywords_latvia_eu_passport_number` is found.

+ <!-- Latvia Passport Number -->

+ <Entity id="23ae25ec-cc28-421b-b77a-3054eadf1ede" patternsProximity="300" recommendedConfidence="75">

+ <IdMatch idRef="Regex_latvia_eu_passport_number" />

+ <Any minMatches="1">

+ <Match idRef="Keywords_eu_passport_number" />

+ <Match idRef="Keywords_latvia_eu_passport_number" />

+ </Any>

+ <Any minMatches="1">

+ <Match idRef="Regex_eu_passport_date1" />

+ <Match idRef="Keywords_eu_passport_date" />

+ <IdMatch idRef="Regex_latvia_eu_passport_number" />

+ <Any minMatches="1">

+ <Match idRef="Keywords_eu_passport_number" />

+ <Match idRef="Keywords_latvia_eu_passport_number" />

+#### Keywords_eu_passport_number_common

+- passport#

+- passport #

+- passportid

+- passports

+- passportno

+- passport no

+- passportnumber

+- passport number

+- passportnumbers

+- passport numbers

+#### Keywords_latvia_eu_passport_number

+- pase numurs

+- pase numur

+- pases numuri

+- pases nr

+- passeport no

+- n┬░ du Passeport

+#### Keywords_eu_passport_date

+- date of issue

+- date of expiry

+## Latvia personal code

+### Format

+11 digits and an optional hyphen

+### Pattern

+Old format

+11 digits and a hyphen:

+- six digits that correspond to the birth date (DDMMYY)

+- a hyphen

+- one digit that corresponds to the century of birth ("0" for 19th century, "1" for 20th century, and "2" for 21st century)

+- four digits, randomly generated

+New format

+11 digits

+- Two digits "32"

+- Nine digits

+### Checksum

+Yes

+### Definition

+A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The function `Func_latvia_eu_national_id_card` or the regex `Regex_latvia_eu_national_id_card_new_format` finds content that matches the pattern.

+- A keyword from `Keywords_latvia_eu_national_id_card` is found.

+A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The function `Func_latvia_eu_national_id_card` or the regex `Regex_latvia_eu_national_id_card_new_format` finds content that matches the pattern.

+```xml

+ <!-- Latvia Personal Code -->

+ <Entity id="03fcf763-27c2-49ed-9422-2641c6c895c9" patternsProximity="300" recommendedConfidence="85">

+ <Pattern confidenceLevel="85">

+ <IdMatch idRef="Func_latvia_eu_national_id_card" />

+ <Match idRef="Keywords_latvia_eu_national_id_card" />

+ </Pattern>

+ <Pattern confidenceLevel="75">

+ <IdMatch idRef="Func_latvia_eu_national_id_card" />

+ <Any minMatches="0" maxMatches="0">

+ <Match idRef="Keywords_latvia_eu_telephone_number" />

+ <Match idRef="Keywords_latvia_eu_mobile_number" />

+ </Any>

+ </Pattern>

+ <Pattern confidenceLevel="85">

+ <IdMatch idRef="Regex_latvia_eu_national_id_card_new_format" />

+ <Match idRef="Keywords_latvia_eu_national_id_card" />

+ </Pattern>

+ <Pattern confidenceLevel="75">

+ <IdMatch idRef="Regex_latvia_eu_national_id_card_new_format" />

+ <Any minMatches="0" maxMatches="0">

+ <Match idRef="Keywords_latvia_eu_telephone_number" />

+ <Match idRef="Keywords_latvia_eu_mobile_number" />

+ </Any>

+ </Pattern>

+ </Entity>

+```

+### Keywords

+#### Keywords_latvia_eu_national_id_card

+- administrative number

+- alvas nē

+## Latvia physical addresses

+This unbundled named entity detects patterns related to physical address from Latvia.

+### Confidence level

+Medium

+## Liechtenstein physical addresses

+This unbundled named entity detects patterns related to physical address from Liechtenstein .

+### Confidence level

+Medium

+## Lifestyles that relate to medical conditions

+This unbundled named entity detects terms related to lifestyles that might result in a medical condition, such as *smoking*. It supports English terms only.

+### Confidence level

+High

+## Lithuania physical addresses

+This unbundled named entity detects patterns related to physical address from Lithuania.

+### Confidence level

+Medium

+## Luxemburg national identification number (non-natural persons)

+11 digits

+11 digits

+- two digits

+- an optional space

+- three digits

+- an optional space

+- three digits

+- an optional space

+- two digits

+- one check digit

+Yes

+- The function `Func_luxemburg_eu_tax_file_number_non_natural` finds content that matches the pattern.

+- A keyword from `Keywords_luxemburg_eu_tax_file_number` is found.

+- The function `Func_luxemburg_eu_tax_file_number_non_natural` finds content that matches the pattern.

+ <!-- Luxemburg National Identification Number (Non-natural persons) -->

+ <Entity id="84bffa3a-d805-4788-a613-b1e4df3804cf" patternsProximity="300" recommendedConfidence="85">

+ <IdMatch idRef="Func_luxemburg_eu_tax_file_number_non_natural" />

+ <Match idRef="Keywords_luxemburg_eu_tax_file_number" />

+ <IdMatch idRef="Func_luxemburg_eu_tax_file_number_non_natural" />

+ <Any minMatches="0" maxMatches="0">

+ <Match idRef="Keywords_luxemburg_eu_telephone_number" />

+ <Match idRef="Keywords_luxemburg_eu_mobile_number" />

+#### Keywords_luxemburg_eu_tax_file_number

+## Luxemburg passport number

+### Format

+eight digits or letters with no spaces or delimiters

+### Pattern

+eight digits or letters (not case-sensitive)

+### Checksum

+No

+### Definition

+A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The regular expression `Regex_luxemburg_eu_passport_number` finds content that matches the pattern.

+- A keyword from `Keywords_eu_passport_number` or `Keywords_luxemburg_eu_passport_number` is found.

+- The regular expression `Regex_eu_passport_date3` finds date in the format DD MM YYYY or a keyword from `Keywords_eu_passport_date` is found

+A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The regular expression `Regex_luxemburg_eu_passport_number` finds content that matches the pattern.

+- A keyword from `Keywords_eu_passport_number` or `Keywords_luxemburg_eu_passport_number` is found.

+```xml

+ <!-- Luxemburg Passport Number -->

+ <Entity id="81d5c027-bed9-4421-91a0-3b2e55b3eb85" patternsProximity="300" recommendedConfidence="75">

+ <Pattern confidenceLevel="85">

+ <IdMatch idRef="Regex_luxemburg_eu_passport_number" />

+ <Any minMatches="1">

+ <Match idRef="Keywords_eu_passport_number" />

+ <Match idRef="Keywords_luxemburg_eu_passport_number" />

+ </Any>

+ <Any minMatches="1">

+ <Match idRef="Regex_eu_passport_date3" />

+ <Match idRef="Keywords_eu_passport_date" />

+ </Any>

+ </Pattern>

+ <Pattern confidenceLevel="75">

+ <IdMatch idRef="Regex_luxemburg_eu_passport_number" />

+ <Any minMatches="1">

+ <Match idRef="Keywords_eu_passport_number" />

+ <Match idRef="Keywords_luxemburg_eu_passport_number" />

+ </Any>

+ </Pattern>

+ </Entity>

+```

+### Keywords

+#### Keywords_eu_passport_number

+- passport#

+- passport #

+- passportid

+- passports

+- passportno

+- passport no

+- passportnumber

+- passport number

+- passportnumbers

+- passport numbers

+#### Keywords_luxemburg_eu_passport_number

+- ausweisnummer

+- luxembourg pass

+- luxembourg passeport

+- luxembourg passport

+- no de passeport

+- no-reisepass

+- nr-reisepass

+- numéro de passeport

+- pass net

+- pass nr

+- passnummer

+- passeport nombre

+- reisepässe

+- reisepass-nr

+- reisepassnummer

+#### Keywords_eu_passport_date

+- date of issue

+- date of expiry

+## Luxemburg physical addresses

+This unbundled named entity detects patterns related to physical address from Luxemburg.

+### Confidence level

+Medium

+## Malta physical addresses

+This unbundled named entity detects patterns related to physical address from Malta.

+### Confidence level

+Medium

+## Medical specialities

+This unbundled named entity detects terms related to medical specialties, such as *dermatology*. It supports English terms only.

+### Confidence level

+High

+## Netherlands physical addresses

+This unbundled named entity detects patterns related to physical address from the Netherlands.

+### Confidence level

+Medium

+## New Zealand physical addresses

+This unbundled named entity detects patterns related to physical address from New Zealand.

+### Confidence level

+Medium

+## Norway physical addresses

+This unbundled named entity detects patterns related to physical address from Norway.

+### Confidence level

+Medium

+## Poland physical addresses

+This unbundled named entity detects patterns related to physical address from Poland.

+### Confidence level

+Medium

+## Portugal physical addresses

+This unbundled named entity detects patterns related to physical address from Portugal.

+### Confidence level

+Medium

+## Romania passport number

+eight or nine digits without spaces and delimiters

+eight or nine digits

+No

+- The regular expression `Regex_romania_eu_passport_number` finds content that matches the pattern.

+- A keyword from `Keywords_eu_passport_number` or `Keywords_romania_eu_passport_number` is found.

+- The regular expression `Regex_romania_eu_passport_date` finds date in the format DD MMM/MMM YY (Example- 01 FEB/FEB 10) or a keyword from `Keywords_eu_passport_date` is found

+- The regular expression `Regex_romania_eu_passport_number` finds content that matches the pattern.

+- A keyword from `Keywords_eu_passport_number` or `Keywords_romania_eu_passport_number` is found.

+ <!-- Romania Passport Number -->

+ <Entity id="5d31b90c-7fe2-4a76-a14b-767b8fd19d6c" patternsProximity="300" recommendedConfidence="75">

+ <IdMatch idRef="Regex_romania_eu_passport_number" />

+ <Any minMatches="1">

+ <Match idRef="Keywords_eu_passport_number" />

+ <Match idRef="Keywords_romania_eu_passport_number" />

+ </Any>

+ <Any minMatches="1">

+ <Match idRef="Regex_romania_eu_passport_date" />

+ <Match idRef="Keywords_eu_passport_date" />

+ </Any>

+ <IdMatch idRef="Regex_romania_eu_passport_number" />

+ <Any minMatches="1">

+ <Match idRef="Keywords_eu_passport_number" />

+ <Match idRef="Keywords_romania_eu_passport_number" />

+ </Any>

+#### Keywords_eu_passport_number

+- passport#

+- passport #

+- passportid

+- passports

+- passportno

+- passport no

+- passportnumber

+- passport number

+- passportnumbers

+- passport numbers

+#### Keywords_romania_eu_passport_number

+numărul pașaportului

+numarul pasaportului

+numerele pașaportului

+Pașaport nr

+#### Keywords_eu_passport_date

+- date of issue

+- date of expiry

+## Romania personal numeric code (CNP)

+This sensitive information type is only available for use in:

+- data loss prevention policies

+- communication compliance policies

+- information governance

+- records management

+- Microsoft Defender for Cloud Apps

+### Format

+13 digits without spaces and delimiters

+### Pattern

+- one digit from 1-9

+- six digits representing date of birth (YYMMDD)

+- two digits, which can be 01-52 or 99

+- four digits

+### Checksum

+Yes

+### Definition

+A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The function `Func_romania_eu_national_id_card` finds content that matches the pattern.

+- A keyword from `Keywords_romania_eu_national_id_card` is found.

+A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The function `Func_romania_eu_national_id_card` finds content that matches the pattern.

+```xml

+ <!-- Romania Personal Numerical Code (CNP) -->

+ <Entity id="eb5fa399-fe28-4c67-8188-d63a616ed89c" patternsProximity="300" recommendedConfidence="85">

+ <Pattern confidenceLevel="85">

+ <IdMatch idRef="Func_romania_eu_national_id_card" />

+ <Match idRef="Keywords_romania_eu_national_id_card" />

+ </Pattern>

+ <Pattern confidenceLevel="75">

+ <IdMatch idRef="Func_romania_eu_national_id_card" />

+ </Pattern>

+ </Entity>

+```

+### Keywords

+#### Keywords_romania_eu_national_id_card

+- cnp#

+- cnp

+- cod identificare personal

+- cod numeric personal

+- cod unic identificare

+- codnumericpersonal#

+- codul fiscal nr.

+- identificarea fiscală nr#

+- id-ul taxei

+- insurance number

+## Romania physical addresses

+This unbundled named entity detects patterns related to physical address from Romania.

+### Confidence level

+Medium

+## Slovakia passport number

+### Format

+one digit or letter followed by seven digits with no spaces or delimiters

+### Pattern

+one digit or letter (not case-sensitive) followed by seven digits

+### Checksum

+No

+### Definition

+A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The regular expression `Regex_slovakia_eu_passport_number` finds content that matches the pattern.

+- A keyword from `Keywords_eu_passport_number` or `Keywords_slovakia_eu_passport_number` is found.

+- The regular expression `Regex_eu_passport_date1` finds date in the format DD.MM.YYYY or a keyword from `Keywords_eu_passport_date` is found

+A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The regular expression `Regex_slovakia_eu_passport_number` finds content that matches the pattern.

+- A keyword from `Keywords_eu_passport_number` or `Keywords_slovakia_eu_passport_number` is found.

+```xml

+ <!-- Slovakia Passport Number -->

+ <Entity id="238e1f08-d80e-4793-af33-9b57918335b7" patternsProximity="300" recommendedConfidence="75">

+ <Pattern confidenceLevel="85">

+ <IdMatch idRef="Regex_slovakia_eu_passport_number" />

+ <Any minMatches="1">

+ <Match idRef="Keywords_eu_passport_number" />

+ <Match idRef="Keywords_slovakia_eu_passport_number" />

+ </Any>

+ <Any minMatches="1">

+ <Match idRef="Regex_eu_passport_date1" />

+ <Match idRef="Keywords_eu_passport_date" />

+ </Any>

+ </Pattern>

+ <Pattern confidenceLevel="75">

+ <IdMatch idRef="Regex_slovakia_eu_passport_number" />

+ <Any minMatches="1">

+ <Match idRef="Keywords_eu_passport_number" />

+ <Match idRef="Keywords_slovakia_eu_passport_number" />

+ </Any>

+ </Pattern>

+ </Entity>

+```

+### Keywords

+#### Keywords_eu_passport_number

+- passport#

+- passport #

+- passportid

+- passports

+- passportno

+- passport no

+- passportnumber

+- passport number

+- passportnumbers

+- passport numbers

+#### Keywords_slovakia_eu_passport_number

+- číslo pasu

+- čísla pasov

+- pas ─ì.

+- Passeport n┬░

+- n┬░ Passeport

+#### Keywords_eu_passport_date

+- date of issue

+- date of expiry

+## Slovakia physical addresses

+This unbundled named entity detects patterns related to physical address from Slovakia.

+### Confidence level

+Medium

+## Slovenia physical addresses

+This unbundled named entity detects patterns related to physical address from Slovenia.

+### Confidence level

+Medium

+## Slovenia Unique Master Citizen Number

+This sensitive information type is only available for use in:

+- data loss prevention policies

+- communication compliance policies

+- information governance

+- records management

+- Microsoft Defender for Cloud Apps

+### Format

+13 digits without spaces or delimiters

+### Pattern

+13 digits in the specified pattern:

+- seven digits that correspond to the birth date (DDMMLLL) where "LLL" corresponds to the last three digits of the birth year

+- two digits that correspond to the area of birth "50"

+- three digits that correspond to a combination of gender and serial number for persons born on the same day. 000-499 for male and 500-999 for female.

+- one check digit

+### Checksum

+Yes

+### Definition

+A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The function `Func_slovenia_eu_national_id_card` finds content that matches the pattern.

+- A keyword from `Keywords_slovenia_eu_national_id_card` is found.

+A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The function `Func_slovenia_eu_national_id_card` finds content that matches the pattern.

+```xml

+ <!-- Slovenia Unique Master Citizen Number -->

+ <Entity id="68948b27-803d-41e4-adf1-13e05eb541bb" patternsProximity="300" recommendedConfidence="85">

+ <Pattern confidenceLevel="85">

+ <IdMatch idRef="Func_slovenia_eu_national_id_card" />

+ <Match idRef="Keywords_slovenia_eu_national_id_card" />

+ </Pattern>

+ <Pattern confidenceLevel="75">

+ <IdMatch idRef="Func_slovenia_eu_national_id_card" />

+ </Pattern>

+ </Entity>

+```

+### Keywords

+#### Keywords_slovenia_eu_national_id_card

+- edinstvena številka glavnega državljana

+- emšo

+- enotna maticna številka obcana

+- id card

+- identification number

+- identifikacijska številka

+- identity card

+- nacionalna id

+- nacionalni potni list

+- national id

+- osebna izkaznica

+- osebni koda

+- osebni ne

+- osebni številka

+- personal code

+- personal number

+- personal numeric code

+- številka državljana

+- unique citizen number

+- unique id number

+- unique identity number

+- unique master citizen number

+- unique registration number

+- uniqueidentityno #

+- uniqueidentityno#

+## Spain DNI

+This sensitive information type is only available for use in:

+- data loss prevention policies

+- communication compliance policies

+- information governance

+- records management

+- Microsoft Defender for Cloud Apps

+### Format

+eight digits followed by one character

+### Pattern

+seven digits followed by one character

+- eight digits

+- An optional space or hyphen

+- one check letter (not case-sensitive)

+### Checksum

+Yes

+### Definition

+A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The function `Func_spain_eu_DL_and_NI_number_citizen` or `Func_spain_eu_DL_and_NI_number_foreigner` finds content that matches the pattern.

+- A keyword from `Keywords_spain_eu_national_id_card"` is found.

+A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:

+- The function `Func_spain_eu_DL_and_NI_number_citizen` or `Func_spain_eu_DL_and_NI_number_foreigner` finds content that matches the pattern.

+```xml

+ <!-- Spain DNI -->

+ <Entity id="8e6251b9-47b4-40e8-a42b-0f80876be192" patternsProximity="300" recommendedConfidence="85">

+ <Pattern confidenceLevel="85">

+ <IdMatch idRef="Func_spain_eu_DL_and_NI_number_citizen" />

+ <Match idRef="Keywords_spain_eu_national_id_card" />

+ </Pattern>

+ <Pattern confidenceLevel="75">

+ <IdMatch idRef="Func_spain_eu_DL_and_NI_number_citizen" />

+ </Pattern>

+ <Pattern confidenceLevel="85">

+ <IdMatch idRef="Func_spain_eu_DL_and_NI_number_foreigner" />

+ <Match idRef="Keywords_spain_eu_national_id_card" />

+ </Pattern>

+ <Pattern confidenceLevel="75">

+ <IdMatch idRef="Func_spain_eu_DL_and_NI_number_foreigner" />

+ </Pattern>

+ </Entity>

+```

+### Keywords

+#### Keywords_spain_eu_national_id_card

+- carné de identidad

+- dni#

+- dni

+- dnin├║mero#

+- documento nacional de identidad

+- identidad único

+- identidad├║nico#

+- insurance number

+- national identification number

+- national identity

+- nationalid#

+- nationalidno#

+- nie#

+- nie

+- nien├║mero#

+- número de identificación

+- número nacional identidad

+- personal identification number

+- personal identity no

+- unique identity number

+- uniqueid#

+## Spain physical addresses

+This unbundled named entity detects patterns related to physical address from Spain.

+### Confidence level

+Medium

+## Surgical procedures

+This unbundled named entity detects terms related to surgical procedures, such as *appendectomy*. It supports English terms only.

+### Confidence level

+High

+## Sweden physical addresses

+This unbundled named entity detects patterns related to physical address from Sweden.

+### Confidence level

+Medium

+## Switzerland physical addresses

+This unbundled named entity detects patterns related to physical address from Switzerland.

+### Confidence level

+Medium

+## Turkey national identification number

+## Turkey physical addresses

+This unbundled named entity detects patterns related to physical address from Turkey.

+### Confidence level

+Medium

+## Types of medication

+This unbundled named entity detects medication names, such as *insulin*. It supports English terms only.

+### Confidence level

+High

+## U.K. physical addresses

+This unbundled named entity detects patterns related to physical address from the U.K..

+### Confidence level

+Medium

+## U.S. physical addresses

+This unbundled named entity detects patterns related to physical address from the U.S..

+### Confidence level

+Medium

+## U.S./U.K. passport number

+- If you use the Azure Information Protection unified labeling client: Check the documentation for this labeling client for [more requirements or limitations](/azure/information-protection/known-issues#known-issues-for-co-authoring).

+ > [!NOTE]

+ > These limitations for the unified labeling client include a [change of dialog box](/azure/information-protection/known-issues#user-interface-changes-when-applying-labels) for users who select labels that prompt them to select permissions.

+| Not ready | You have an Autopilot profile that is assigned to all devices. <br><br> For more information, see [Enroll Windows devices in Intune by using Windows Autopilot](/mem/autopilot/enrollment-autopilot). After Microsoft Managed Desktop enrollment, set your Autopilot policy to exclude the **Modern Workplace Devices - All** Azure AD group.

+| Advisory | Make sure that your Autopilot profiles target an assigned or dynamic Azure AD group that doesn't include Microsoft Managed Desktop devices. <br><br> For more information, see [Enroll Windows devices in Intune by using Windows Autopilot](/mem/autopilot/enrollment-autopilot). After Microsoft Managed Desktop enrollment, set your Autopilot profiles to exclude the **Modern Workplace Devices - All** Azure AD group. |

+| Advisory | No certificate connectors are present. It's possible you don't need any connectors, but you should evaluate whether you might need some for network connectivity on your Microsoft Managed Desktop devices. <br><br> For more information, see [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md). |

+| Advisory | At least one certificate connector has an error. If you need this connector for providing certificates to Microsoft Managed Desktop devices, you must resolve the error. <br><br> For more information, see [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md). |

+| Advisory | You have at least one certificate connector, and no errors are reported. However, in preparation for deployment, you might need to create a profile to reuse the connector for Microsoft Managed Desktop devices. <br><br> For more information, see [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md). |

+| Not ready | You don't have Company Portal installed for your users. Purchase Company Portal and force a sync between Intune and Microsoft Store for Business. <br><br> For more information, see [Install Intune Company Portal on devices](../get-started/company-portal.md).

+| Not ready | You have at least one conditional access policy that targets all users. <br><br> During enrollment, we'll exclude Microsoft Managed Desktop service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. <br><br> After enrollment, you can review the Microsoft Managed Desktop conditional access policy in Microsoft Endpoint Manager. For more about these service accounts, see [Standard operating procedures](../service-description/operations-and-monitoring.md#standard-operating-procedures). |

+| Advisory | You have conditional access policies that could prevent Microsoft Managed Desktop from managing the Microsoft Managed Desktop service. <br><br> During enrollment, we'll exclude Microsoft Managed Desktop service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. <br><br> For more information about these service accounts, see [Standard operating procedures](../service-description/operations-and-monitoring.md#standard-operating-procedures). |

+| Advisory | You have at least one compliance policy that applies all users. Microsoft Managed Desktop also includes compliance policies that will apply to your Microsoft Managed Desktop devices. Review all of the compliance policies created by your organization that apply to Microsoft Managed Desktop devices to ensure there are no conflicts. <br><br> For more information, see [Create a compliance policy in Microsoft Intune](/mem/intune/protect/create-compliance-policy). |

+| Not ready | You have at least one configuration profile that applies to all users, all devices, or both. Reset the profile to apply to a specific Azure AD group that doesn't include any Microsoft Managed Desktop devices. <br><br> For more information, see [Create a profile with custom settings in Microsoft Intune](/mem/intune/configuration/custom-settings-configure). |

+| Advisory | Make sure that any configuration policies you have don't include any Microsoft Managed Desktop devices or users. <br><br> For more information, see [Create a profile with custom settings in Microsoft Intune](/mem/intune/configuration/custom-settings-configure). |

+| Not ready | You currently have at least one enrollment restriction policy configured to prevent Windows devices from enrollment in Intune. <br><br> Follow the steps in [Set enrollment restrictions](/mem/intune/enrollment/enrollment-restrictions-set) for each enrollment restriction policy that targets Microsoft Managed Desktop users and change the **Windows (MDM)** setting to **Allow**. You can, however, set any **personally owned** **Windows (MDM)** devices to **Block**. |

+| Not ready | You have the ESP default profile set to **Show app and profile configuration progress**. <br><br> Disable this setting or ensure that assignments to any Azure AD group don't include Microsoft Managed Desktop devices by following the steps in [Set up the Enrollment Status Page](/mem/intune/enrollment/windows-enrollment-status). |

+| Advisory | Make sure that any profiles that have the **Show app and profile configuration progress** setting aren't assigned to any Azure AD group that includes Microsoft Managed Desktop devices. <br><br> For more information, see [Set up the Enrollment Status Page](/mem/intune/enrollment/windows-enrollment-status). |

+| Not ready | Microsoft Store for Business either isn't enabled or isn't synced with Intune. <br><br> For more information, see [How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business) and [Install Intune Company Portal on devices](../get-started/company-portal.md). |

+| Not ready | You have some multi-factor authentication policies set as **required** for conditional access policies that are assigned to all users. <br><br> During enrollment, we'll exclude Microsoft Managed Desktop service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. <br><br> For more information about these service accounts, see [Standard operating procedures](../service-description/operations-and-monitoring.md#standard-operating-procedures). |

+| Advisory | You have multi-factor authentication required on conditional access policies that could prevent Microsoft Managed Desktop from managing the Microsoft Managed Desktop service. <br><br> During enrollment, well exclude Microsoft Managed Desktop service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. For more information about these service accounts, see [Standard operating procedures](../service-description/operations-and-monitoring.md#standard-operating-procedures). |

+| Advisory | Make sure that Windows PowerShell scripts in your Azure AD organization don't target any Microsoft Manage Desktop devices or users. Don't assign a PowerShell script to target all users, all devices, or both. Change the policy to use an Assignment that targets a specific Azure AD group that doesn't include any Microsoft Managed Desktop devices or users. <br><br> For more information, see [Use PowerShell scripts on Windows 10 devices in Intune](/mem/intune/apps/intune-management-extension). |

+| Not ready | Your Azure AD organization region isn't currently supported by Microsoft Managed Desktop. <br><br> For more information, see [Microsoft Managed Desktop supported regions and languages](../service-description/regions-languages.md). |

+| Advisory | One or more of the countries where your Azure AD organization is located isn't supported by Microsoft Managed Desktop. <br><br> For more information, see [Microsoft Managed Desktop supported regions and languages](../service-description/regions-languages.md). |

+| Advisory | Make sure that any security baseline policies you have exclude Microsoft Managed Desktop devices. For more information, see [Use security baselines to configure Windows 10 devices in Intune](/mem/intune/protect/security-baselines). <br><br> During enrollment, we apply a new security baseline to all Microsoft Managed Desktop devices. The **Modern Workplace Devices - All** Azure AD group is a dynamic group that we create when you enroll in Microsoft Managed Desktop. You'll have to come back to exclude this group after enrollment. |

+| Not ready | You have an "update ring" policy that targets all devices, all users, or both. Change the policy to use an Assignment that targets a specific Azure AD group that doesn't include any Microsoft Managed Desktop devices. <br><br> For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). |

+| Advisory | Make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure AD group. If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also excluded the **Modern Workplace - All** Azure AD group that you add your Microsoft Managed Desktop users to (or an equivalent group). <br><br> For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create when you enroll in Microsoft Managed Desktop. You'll have to come back to exclude this group after enrollment. |

+| Advisory | Make sure the **MDM User scope** is set to **Some** or **All**, not **None**. <br><br> If you choose **Some**, come back after enrollment and select the **Modern Workplace - All** Azure AD group for **Groups** or an equivalent group targeting all of your Microsoft Managed Desktop users. <br><br> For more information, see [Set up enrollment for Windows devices by using Microsoft Intune](/mem/intune/enrollment/windows-enroll#enable-windows-10-automatic-enrollment). |

+| Advisory | Ensure that **AllowAdHocSubscriptions** is set to **True**. Otherwise, Enterprise State Roaming might not work. <br><br> For more information, see [Set-MsolCompanySettings](/powershell/module/msonline/set-msolcompanysettings). |

+| Advisory | Make sure that Enterprise State Roaming is enabled for **All** or for **Selected** groups. <br><br> For more information, see [Enable Enterprise State Roaming in Azure Active Directory](/azure/active-directory/devices/enterprise-state-roaming-enable). |

+| Advisory | **Member users and users assigned to specific admin roles can invite guest including guests with member permissions** should be enabled. <br><br> For more information, see [Prerequisites for guest accounts](/microsoft-365/managed-desktop/get-ready/guest-accounts). |

+| Advisory | **Guest users have limited access to properties and memberships of directory objects** should be enabled. <br><br> For more information, see [Prerequisites for guest accounts](/microsoft-365/managed-desktop/get-ready/guest-accounts). |

+| Not Ready | You don't have all the licenses you need to use Microsoft Managed Desktop. <br><br> For more information, see [Microsoft Managed Desktop technologies](../intro/technologies.md) and [More about licenses](prerequisites.md#more-about-licenses). |

+| Not ready | You have Security defaults turned on. Turn off Security defaults and set up conditional access policies. <br><br> For more information, see [Common Conditional Access policies](/azure/active-directory/conditional-access/concept-conditional-access-policy-common). |

+Self-service Password Reset (SSPR) can be enabled for all Microsoft Managed Desktop users excluding Microsoft Managed Desktop service accounts. <br><br> For more information, see [Tutorial: Enable users to unlock their account or reset passwords using Azure Active Directory self-service password reset](/azure/active-directory/authentication/tutorial-enable-sspr).

+| Advisory | You're using the **Allow syncing only on PCs joined to specific domains** setting. This setting won't work with Microsoft Managed Desktop. Disable this setting. Instead, set up OneDrive to use a conditional access policy. <br><br> For more information, see [Plan a Conditional Access deployment](/azure/active-directory/conditional-access/plan-conditional-access) for help. |

+If you're enrolling devices yourself, follow the steps in [Register new devices yourself](../get-started/register-devices-self.md), and then add them to the **Modern Workplace Devices - Shared Device Mode** group.

+## Two portals for setup

+When you're ready to start your trial, you'll work with two main portals to get things set up. The following table summarizes the two main portals you'll use: <br/><br/>

+|Portal |Description |

+|||

+| The Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)) | Use the Microsoft 365 admin center to add or remove users, assign user licenses, view your products and services, and complete setup tasks for your Microsoft 365 subscription. <br/><br/> To learn more, see [Overview of the Microsoft 365 admin center](../../admin/admin-overview/admin-center-overview.md). |

+| The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | Use the Microsoft 365 Defender portal to manage security settings for email protection and for your organization's devices. <br/><br/>To learn more, see [Get started using the Microsoft 365 Defender portal](mdb-get-started.md). |

+If your organization is using Microsoft Intune (part of Microsoft Endpoint Manager) to manage devices, you might also use the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com/](https://endpoint.microsoft.com/)). To learn more, see [Microsoft Intune is an MDM and MAM provider for your devices](/mem/intune/fundamentals/what-is-intune).

+## View and manage users

+1. Go to the Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)) and sign in using the same account you used to request your trial subscription.

+2. In the navigation pane, choose **Users** > **Active users**. Review the list of users.

+3. To add users, follow the guidance in [Add users and assign licenses at the same time](../../admin/add-users/add-users.md).

+Now you're ready to proceed to [Set up and configure Microsoft Defender for Business (preview)](mdb-setup-configuration.md).

+- [Use the wizard to set up Microsoft Defender for Business (preview)](mdb-use-wizard.md)

+These changes will take effect if you are using Microsoft Defender for Endpoint on devices running Android 11 or later and updated Defender for Endpoint to release build 1.0.3501.0301 or later.

+ASR events shown in the advancing hunting portal are throttled to unique processes seen every hour. The time of the ASR event is the first time the event is seen within that hour.

+### Caveat

+Some rules donΓÇÖt work well if un-signed, internally developed application and scripts are in high usage. It is more difficult to deploy ASR rules if code signing is not enforced.

+- [Per-rule alert and notification details](#per-rule-alert-and-notification-details)

+| | | |

+> Unless otherwise indicated, the minimum Windows&nbsp;10 build is version 1709 (RS3, build 16299) or later; the minimum Windows&nbsp;Server build is version is 1809 or later.

+|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers) | Y | Y | Y version 1803 (Semi-Annual Channel) or later |

+## Per rule alert and notification details

+Toast notifications are generated for all rules in Block mode. Rules in any other mode will not generate toast notifications

+For rules with the ΓÇ£Rule StateΓÇ¥ specified:

+- ASR rules with \<ASR Rule, Rule State\> combinations are used to surface alerts (toast notifications) on Microsoft Defender for Endpoint only for devices at high-cloud block level. Devices not at high cloud block level will not generate alerts for any <ASR Rule, Rule State> combinations

+- EDR alerts are generated for ASR rules in the specified states, but only for devices at high cloud block level.

+| Rule name: | Rule state: | Generates alerts in EDR? <br> (Yes&nbsp;\|&nbsp;No) | Generates toast notifications? <br> (Yes&nbsp;\|&nbsp;No) |

+||::|::|::|

+| | | _Only for devices at high-cloud block level_ | _In Block mode only_ |

+|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers) | | N | Y |

+|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | Block | Y <br> Requires device at high-cloud block level | Y <br> Requires device at high-cloud block level |

+|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | | N | Y |

+|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | | N | Y |

+|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | | Y <br> Requires device at high-cloud block level | Y <br> Requires device at high-cloud block level |

+|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | | N | Y |

+|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | Audit&nbsp;\|&nbsp;Block | Y \| Y <br> Requires device at high-cloud block level | N \| Y <br> Requires device at high-cloud block level |

+|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | Block | Y <br> Requires device at high-cloud block level | Y <br> Requires device at high-cloud block level |

+|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | | N | Y |

+|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | | N | Y |

+|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | | N | Y |

+|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | Audit&nbsp;\|&nbsp;Block | Y \| Y <br> Requires device at high-cloud block level | N \| Y <br> Requires device at high-cloud block level |

+|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | | N | Y |

+|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | Audit&nbsp;\|&nbsp;Block | Y \| Y <br> Requires device at high-cloud block level | N \| Y <br> Requires device at high-cloud block level |

+|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | | N | Y |

+|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | Audit&nbsp;\|&nbsp;Block | Y \| Y <br> Requires device at high-cloud block level | N \| Y <br> Requires device at high-cloud block level |

+| | | | |

+

+## ASR rule modes

+- **Not configured** or **Disable**: This is the state in which the ASR rule has not been enabled or has been disabled. The code for this state = 0.

+- **Block**: This is the state in which the ASR rule is enabled. The code for this state is 1.

+- **Audit**: This is the state in which the ASR rule is evaluated for its impactive behavior toward the organization or environment in which it is deployed. The code for this state is 2.

+- **Warn** This is the state in which the ASR rule is enabled and presents a notification to the end-user, but permits the end-user to bypass the block. The code for this state is 6.

+_Warn mode_ is a block-mode type that alerts users about potentially risky actions. Users can then choose to bypass the block warning message and allow the underlying action. Users can select **OK** to enforce the block, or select the bypass option - **Unblock** - through the end-user pop-up toast notification that is generated at the time of the block. After the warning is unblocked, the operation is allowed until the next time the warning message occurs, at which time the end-user will need to reperform the action.

+If the allow button is clicked, the block will be suppressed for 24 hours. After 24 hours, the end-user will need to allow the block again. The warn mode for ASR rules is only supported for RS5+ (1809+) devices. If bypass is assigned to ASR rules on devices with older versions, the rule will be in blocked mode.

+You can also set a rule in warn mode via PowerShell by simply specifying the AttackSurfaceReductionRules_Actions as ΓÇ£WarnΓÇ¥. For example:

+```powershell

+-command "& {&'Add-MpPreference' -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Warn"}

+```

+<!--The above link is the 'only link' that exists for having drivers examined. The 'en-us' component is required to make the link work. Any alterations to this link will result in a 404.

+-->

+For specific details about notification and alert functionality, see: [Per rule alert and notification details](attack-surface-reduction-rules-reference.md#per-rule-alert-and-notification-details), in the article **Attack surface reduction rules reference**.

+ >Windows Server 2016 and Windows Server 2012 R2 will need to be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016) for this feature to work.

+ - M365-security-compliance

+ - m365-initiative-defender-endpoint

+ - M365-security-compliance

+ - m365-initiative-defender-endpoint

+ - m365-initiative-defender-endpoint

+ - M365-security-compliance

+ - m365-initiative-defender-endpoint

+ Replace \\servername-or-dfs-space\share-name with the UNC path, using the file server's fully qualified domain name (FQDN), of the shared *install.ps1* file. The installer package md4ws.msi must be placed in the same directory. Also ensure that the permissions of the UNC path allow read access to the computer account that's installing the platform.

+You can offboard Windows Server 2012 R2, Windows Server 2016, Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices.

+Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions can be performed from the Microsoft 365 Defender portal.

+The protected folders include common system folders (including boot sectors), and you can add additional folders. You can also allow apps to give them access to the protected folders. The Windows systems folders that are protected by default are:

+Default folders appear in the user's profile, under **This PC**.

+ > [!div class="mx-imgBorder"]

+ > 

+Controlled folder access requires enabling [Microsoft Defender Antivirus real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md).

+Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](investigate-alerts.md) in the Microsoft 365 Defender portal; see [Microsoft Defender for Endpoint in Microsoft 365 Defender](../defender/microsoft-365-security-center-mde.md).

+ - M365-security-compliance

+ - m365-initiative-defender-endpoint

+ mdatp$ * Everyone Allow Read

+- m365-initiative-defender-endpoint

+- [Windows Server 2012 R2](/windows/win32/srvnodes/what-s-new-for-windows-server-2012-r2)

+- **Not configured** | **Disabled**: Disable the ASR rule

+## Policy Conflict

+1. If a conflicting policy is applied via MDM and GP, the setting applied from MDM will take precedence.

+2. Attack surface reduction rules for MEM-managed devices now support behavior for merger of settings from different policies, to create a superset of policy for each device. Only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed. Attack surface reduction rule merge behavior is as follows:

+ - Attack surface reduction rules from the following profiles are evaluated for each device to which the rules apply:

+ - Devices > Configuration policy > Endpoint protection profile > **Microsoft Defender Exploit Guard** > [Attack Surface Reduction](/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules).

+ - Endpoint security > **Attack surface reduction policy** > [Attack surface reduction rules](/mem/intune/protect/endpoint-security-asr-policy#devices-managed-by-intune).

+ - Endpoint security > Security baselines > **Microsoft Defender ATP Baseline** > [Attack Surface Reduction Rules](/mem/intune/protect/security-baseline-settings-defender-atp#attack-surface-reduction-rules).

+ - Settings that do not have conflicts are added to a superset of policy for the device.

+ - When two or more policies have conflicting settings, the conflicting settings are not added to the combined policy, while settings that donΓÇÖt conflict are added to the superset policy that applies to a device.

+ - Only the configurations for conflicting settings are held back.

+## Configuration methods

+This section provides configuration details for the following configuration methods:

+- [Intune](#intune)

+- [MEM](#mem)

+- [MDM](#mdm)

+- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)

+- [Group Policy](#group-policy)

+- [PowerShell](#powershell)

+### Intune

+#### Device Configuration Profiles

+#### Endpoint security policy**

+### MEM

+### MDM

+### Microsoft Endpoint Configuration Manager

+### Group Policy

+### PowerShell

+ - m365-initiative-defender-endpoint

+ - m365-initiative-defender-endpoint

+ - m365-initiative-defender-endpoint

+ - m365-initiative-defender-endpoint

+ - m365-initiative-defender-endpoint

+ - m365-initiative-defender-endpoint

+This document provides instructions on how to narrow down performance issues related to Defender for Endpoint on Linux using the available diagnostic tools to be able to understand and mitigate the existing resource shortages and the processes that are making the system into such situations. Performance problems are mainly caused by bottlenecks in one or more hardware subsystems, depending on the profile of resource utilization on the system. Sometimes applications are sensitive to disk I/O resources and may need more CPU capacity, and sometimes some configurations are not sustainable, and may trigger too many new processes, and open too many file descriptors.

+> [!IMPORTANT]

+> When integrating Microsoft Defender for Endpoint and Defender for Cloud, the mdatp agent will automatically receive updates by default.

+The following table shows the exclusion types supported by Defender for Endpoint on Mac.

+- [Application installation (macOS 10.15)](#application-installation-macos-1015)

+## Application installation (macOS 10.15)

+This profile contains license information for Microsoft Defender for Endpoint. Without this profile, Microsoft Defender for Endpoint will report that it isn't licensed.

+ - m365-initiative-defender-endpoint

+ | [Real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) | Yes | See note ^[[4](#fn4)] | No | No |

+ | Passive mode | In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are *not* remediated by Microsoft Defender Antivirus. Threats can be remediated by [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md), however. <br/><br/> Files are scanned by EDR, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts in the [Defender for Cloud](/defender-cloud-apps) showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode. <br/><br/> When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware. <br/><br/> For optimal security layered defense and detection efficacy, make sure to get your antivirus and antimalware updates, even if Microsoft Defender Antivirus is running in passive mode. See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md). <br/><br/> **NOTE**: Passive mode is not supported on Windows Server 2016. |

+ - m365-initiative-defender-endpoint

+ - m365-initiative-defender-endpoint

+ - m365-initiative-defender-endpoint

+ - m365-initiative-defender-endpoint

+ - M365-security-compliance

+ - m365-initiative-defender-endpoint

+ - m365-initiative-defender-endpoint

+ - M365-security-compliance

+ - m365-initiative-defender-endpoint

+ - m365-initiative-defender-endpoint

+ - M365-security-compliance

+ - m365-initiative-defender-endpoint

+ - m365-initiative-defender-endpoint

+ - m365-initiative-defender-endpoint

+ - m365-initiative-defender-endpoint

+| Azure portal | View and manage all your [Azure resources](/azure/azure-resource-manager/management/overview) | [portal.azure.com](https://portal.azure.com/) |

+| Azure Active Directory portal | View and manage [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) | [aad.portal.azure.com](https://aad.portal.azure.com/) |

+- [Microsoft 365 for Campaigns](../business-premium/index.md) (includes a recommended security configuration for Microsoft 365 Business)

+|[|