-A question we often get is, "What should I do to secure data and protect access when an employee leaves my organization?" This article series explains how to block access to Microsoft 365 so these user's can't sign in to Microsoft 365, the steps you should take to secure organization data, and how to allow other employees to access email and OneDrive data.

-|[Step 3 - Forward a former employee's email to another employee or convert to a shared mailbox](remove-former-employee-step-3.md)|This lets you keep the former employee's email address active. If you have customers or partners still sending email to the former employee's address, this gets them to the person taking over the work.|

-|[Step 4 - Give another employee access to OneDrive and Outlook data](remove-former-employee-step-4.md)|If you only remove a user's license but don't delete the account, the content in the user's OneDrive will remain accessible to you even after 30 days. <p> Before you delete the account, you should give access of their OneDrive and Outlook to another user. After you delete an employee's account, the content in their OneDrive and Outlook is retained for **30** days. During that 30 days, however, you can restore the user's account, and gain access to their content. If you restore the user's account, the OneDrive and Outlook content will remain accessible to you even after 30 days.|

-|[Step 5 - Wipe and block a former employee's mobile device](remove-former-employee-step-5.md)|Removes your business data from the phone or tablet.|

-|

-## Watch: Set up Microsoft 365 Business Premium

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE471FJ]

-description: "Microsoft 365 Group members get a group email and shared workspace for conversations, files, and calendar events, Stream and a Planner."

-Microsoft 365 Groups are used for collaboration between users, both inside and outside your company. With each Microsoft 365 Group, members get a group email and shared workspace for conversations, files, and calendar events, Stream and a Planner.

-Users with permissions to the group mailbox can send as or send on behalf of the mailbox email address if the administrator has given that user permissions to do that. This is particularly useful for help and support mailboxes because users can send emails from "Contoso Support" or "Building A Reception Desk."

-It's not possible to migrate a shared mailbox to a Microsoft 365 Group.

- *To Add, modify or remove domains you **must** be a **Global Administrator** of a [business or enterprise plan](https://products.office.com/business/office). These changes affect the whole tenant, *Customized administrators* or *regular users* won't be able to make these changes.*

-You can choose from the following top level domains for your domain.

-Request the transfer at the registrar that you want to move your domain to. Look on their website for an option such as **Transfer DNS**. Be aware that after they make the changes, it can take a few days update across the Internet.

-After you register your domain (at a domain registrar), you sign in to Microsoft 365 as an admin and set up your domain so you can use it with your email address and other services..

-

-

-

-

-[Update DNS records to keep your website with your current hosting provider](../dns/update-dns-records-to-retain-current-hosting-provider.md) (article)

-In order to deploy an add-in via Centralized Deployement, you need to be either a Global admin or an Exchange admin in the organization.

-> An Exchange admin can deploy an add-in only if the **App Registrations** property is set to true in Azure Active Directory admin center as shown in the following image:

-description: "Scoped Certified application installation and configuration guide for ServiceNow."

-# Microsoft 365 support integration for service health incidents and recommended solutions only

-This configuration doesn't allow you to create a case with Microsoft support through your ServiceNow instance. This option provides you only with the Service Health Incident information and Recommend Solutions available through your ServiceNow instance.

-## Prerequisites (Service Health Incidents and Recommended Solutions ONLY)

-These prerequisites are necessary to set up the **Microsoft 365 support integration**.

-1. \[AAD Admin\] Create Azure AD Application for Outbound under your Microsoft 365 tenant.

- 1. Log on to the Azure Portal with your Microsoft 365 tenant credentials and create a new application on the [App registrations page](https://portal.azure.com/?Microsoft_AAD_RegisteredApps=true#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade).

- 2. Select **Accounts in this organizational directory only ({Microsoft-365-tenant-name} only ΓÇô Single tenant)**, and then select **Register**.

- :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image3.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image3.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

-1. Go to **Authentication** and select **Add a platform**. Select the **Web** option and enter the redirect URL: `https://{your-servicenow-instance``}.service-now.com/auth_redirect.do`

- :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image4.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image4.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

-1. Get the Application Client ID and create a Client secret and get that value.

-1. \[ServiceNow Admin\] Set up the Outbound OAuth Provider in ServiceNow.

- If the scope is not set to **Global**, go to **Settings &gt; Developer &gt; Applications** and switch to **Global**.

- :::image type="content" source="../../media/ServiceNow-guide/Servicenow-guide-image5.png" lightbox="../../media/ServiceNow-guide/Servicenow-guide-image5.png" alt-text="Graphical user interface, text, application, chat or text message Description automatically generated":::

-1. Go to **System OAuth &gt; Application Registry**.

-1. Create a new application by using the **Connect to a third party OAuth Provider** option and entering these values:

- - Client ID: This is the Client ID of the application created in Prerequisites (Insights ONLY) step \#1.

- - Client Secret: This is the Client Secret value of the application created in Prerequisites (Insights ONLY) step \#1.

- - Default Grant type: Client Credentials

- - Token URL: `https://login.microsoftonline.com/{microsoft-365-tenant-name}/oauth2/token`

- - Redirect URL: `https://{service-now-instance-name``}.service-now.com/auth_redirect.do`

- :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image6.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image6.png" alt-text="Graphical user interface, application Description automatically generated":::

-## Configure the Microsoft 365 support integration Application

-The Microsoft 365 support integration application can be set up under Microsoft 365 support.

-These steps are required to set up the integration between your ServiceNow instance and Microsoft 365 support.

-1. \[ServiceNow Admin\] Switch the scope to **Microsoft 365 support integration**.

- :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image9.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image9.png" alt-text="Graphical user interface, table Description automatically generated":::

-1. \[ServiceNow Admin\] Go to **Microsoft 365 Support &gt; Setup** to open the integration workflow.

- > [!NOTE]

- > If you see the error "Read operation against 'oauth\_entity' from scope 'x\_mioms\_m365\_assis' has been refused due to the tableΓÇÖs cross-scope access policy," it was caused by your table access policy. You must make sure **All application scopes &gt; Can read** is checked for the table oauth\_entity.

- :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image27.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image27.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

-1. \[ServiceNow Admin\] Select **Agree** to continue.

- :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image11.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image11.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

-1. \[ServiceNow Admin\] Set up the Outbound OAuth Provider.

- Select the OAuth profile for Outbound OAuth Provider, and then select **Next**.

- :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image12.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image12.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

-1. \[ServiceNow Admin\] Skip the Inbound OAuth Provider.

- Check **Skip current step**, and then select **Next**.

-1. \[ServiceNow Admin\] Skip the Inbound Call Integration User.

- Check **Skip current step**, and then select **Next**.

- :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image34.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image34.png" alt-text="Graphical user interface, text, application Description automatically generated":::

-1. \[ServiceNow Admin\] Set up the Repository ID.

- Specify the repository ID, and then select **Next**.

- :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image15.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image15.png" alt-text="Graphical user interface, text, application Description automatically generated":::

-1. \[ServiceNow Admin\] Set up Application Settings.

- Select these settings, and then select **Next**:

- - SSO with Microsoft 365: Check whether the ServiceNow instance is set up as SSO with Microsoft 365 tenants, otherwise uncheck it.

- - Microsoft 365 admin email: The email of Microsoft 365 admin user who is contacted when Microsoft 365 support cases are created.

- - Test Environment: Check the box to indicate a test phase to avoid Microsoft support agents contacting you to address the issue. If youΓÇÖre ready to move forward officially with Microsoft 365 support integration, uncheck the box.

- :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image16.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image16.png" alt-text="Graphical user interface, text, application Description automatically generated":::

-1. \[Microsoft 365 Tenant Admin\] Complete the integration.

- Verify the information below is correct. DO NOT select **Next** at this time.

- :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image35.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image35.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

-1. Go to **Microsoft 365 Admin Portal &gt; Settings &gt; Org settings &gt; Organization profiles**.

-1. Configure the support integration settings:

- Select the **Basic information** tab > **Internal support tool** > **ServiceNow**, and enter the **Outbound App ID** value in the **Application ID to issue Auth Token** field. This Outbound App ID is on Step 6 ΓÇô Complete the Integration, which was created in [Prerequisite (Insights ONLY) step \#1](#prerequisites-service-health-incidents-and-recommended-solutions-only).

- :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image18.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image18.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::

-1. On the **Repositories** tab, select **New repository** and update it with the following settings:

- - Repository: The **Repository ID** value from Step 6 ΓÇô Complete the Integration.

- - Endpoint: The **Endpoint** value from Step 6 ΓÇô Complete the Integration.

- - Authentication type: Select **AAD Auth**.

- - Client ID: A random value (example: ignored).

- - Rest username: A random value (example: ignored).

- - Rest user password: A random value (example: ignored).

- :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image36.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image36.png" alt-text="Graphical user interface, application Description automatically generated":::

-1. Go back to ServiceNow.

-1. Select **Next** to complete the integration.

- :::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image37.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image37.png" alt-text="Graphical user interface, application Description automatically generated":::

-1. \[ServiceNow Admin\] Enable Microsoft support integration for an existing user.

- Microsoft 365 support integration is enabled for the user with one of these roles:

- - x\_mioms\_m365\_assis.insights\_user

- - x\_mioms\_m365\_assis.administrator

- > [!NOTE]

- > The user with the role x\_mioms\_m365\_assis.insights\_user can see Service Health Incidents, Recommended Solutions. The user with the role x\_mioms\_m365\_assis.administrator also can open a case with Microsoft 365 support. With Insights ONLY, no one should be assigned the role x\_mioms\_m365\_assis.administrator.

-1. Select **Next** and verify that you own the domain you want to take over by adding a TXT record to your domain registrar.

-1. On the **You're now the admin** page, select **Go to the admin center**.

-YouTube: [3 steps to do an IT Admin Takeover for Power BI and Microsoft 365](https://www.youtube.com/watch?v=xt5EsrQBZZk) (video)\

-Password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers which are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cyber criminals almost always use credentials as soon as they compromise them. Check out [Time to rethink mandatory password changes](https://go.microsoft.com/fwlink/p/?linkid=861018) for more info.

-Password length requirements (greater than about 10 characters) can result in user behavior that is predictable and undesirable. For example, users who are required to have a 16-character password may choose repeating patterns like **fourfourfourfour** or **passwordpassword** that meet the character length requirement but aren't hard to guess. Additionally, length requirements increase the chances that users will adopt other insecure practices, such as writing their passwords down, re-using them, or storing them unencrypted in their documents. To encourage users to think about a unique password, we recommend keeping a reasonable 8-character minimum length requirement.

-Most people use similar patterns, for example, a capital letter in the first position, a symbol in the last, and a number in the last 2. Cyber criminals know this, so they run their dictionary attacks using the most common substitutions, "$" for "s", "@" for "a," "1" for "l". Forcing your users to choose a combination of upper, lower, digits, special characters has a negative effect. Some complexity requirements even prevent users from using secure and memorable passwords, and force them into coming up with less secure and less memorable passwords.

-### Educate users to not re-use organization passwords anywhere else

-One of the most important messages to get across to users in your organization is to not re-use their organization password anywhere else. The use of organization passwords in external websites greatly increases the likelihood that cyber criminals will compromise these passwords.

-|SharePoint Online <br/> |Any user who has interacted with a file by creating, modifying, viewing, deleting, sharing internally or externally, or synchronizing to clients on any site or viewed a page on any site. <br/> |The active user metric for SharePoint Online in the Microsoft 365 Usage Analytics template app only reflect users who did file activity against a SharePoint Team site or a Group site. The template app will be updated to synchronize the definition to the same as that on the usage reports in the admin center. <br/> |

-|Microsoft Teams <br/> |Any user who has participated in chat messages, private chat messages, calls,meetings or other activity. Other activity is defined as the number of other team activities by the user some of which include, and not limited to: liking messages, apps, working on files, searching, following teams and channel and favoriting them. <br/> ||

-[Microsoft 365 usage analytics](usage-analytics.md) contains additional adoption metrics related to active users to show adoption of the products over time. These metrics are valid for the month, year, and product selected and are defined as follows.

-MoMReturningUsers, FirstTimeUsers, &amp; CumulativeActiveUsers were reset starting January 1st 2018 with the inclusion of Microsoft Teams.

-| Estimated revenue | This shows the estimated revenue the youΓÇÖve earned through Bookings. This is calculated based on the price that youΓÇÖve defined for each service. This is an estimate because you may have charged a different fee at service time, the fee was set to an hourly charge, youΓÇÖve gotten tips, or a customer hasn't paid yet. For example, if your service is charging $10 per hour and the booking is 2 hours long, Bookings will only estimate $10 for that service.<br/><br/>**Important:** This is only an estimate and does not guarantee your actual revenue. |

-| Customers booked | The number of customers who have booked appointments for today and for the last 30 days.<br/><br/>**Note:** This metric shows the number of customers who have booked appointments, not the total number of appointments. For example, if one customer booked three appointments in the last 30 days and two more customers made one booking each, youΓÇÖll see 3 customers booked. |

-1. Fill in the details, including a title, start and end date and times, location, and additional notes.

-1. Fill in the details, including a title, start and end date and times, location, and additional notes. If the employee will be gone for a full day or for several days, select **All day event**.

-With [Advanced eDiscovery](overview-ediscovery-20.md), organizations can discover data where it lives, and manage more end-to-end eDiscovery workflows with intelligent machine-learning and analytics capabilities to reduce data to the relevant set ΓÇô all while the data stays within the Microsoft 365 security and compliance boundary.

-In the example below, a regular expression - Regex_credit_card_AdditionalDelimiters is defined for Credit card which is then validated using the checksum function for credit card by using Func_credit_card as a validator.

-|Is the Exchange DLP policy tightly scoped and does it have well-defined conditions, actions, inclusions, and exclusions? |If yes, this is a good candidate to migrate with the wizard, make note of the policy so that you remember to come back to delete it later | migrate with the wizard|

-4. Select the policies you want to migrate. You can migrate them individually, or in groups using a phased approach or all at once . Select **Next**.

-7. If desired, you can create additional policies that are based on the Exchange DLP policies for other unified DLP locations. This will result in one new unified DLP policy for the migrated Exchange policy and one new unified DLP policy for any additional locations that you pick here.

-9. Review the migration report. Pay attention to any failures involving Exchange mailflow rules. You can fix them and re-migrate the associated policies.

-|`DLP-group@contoso.com` canΓÇÖt be used as a value for the Shared By condition because itΓÇÖs a distribution group or mail-enabled security group. Please use Shared by Member of predicate to detect activities by members of certain groups. |Transport rules allow groups to be used in the `sender is` condition but unified DLP does not allow it. | Update the transport rule to remove all group email addresses from the `sender is` condition and add the group to the `sender is a member of` condition if required. Retry the migration for the impacted policy|

-|Could not find recipient `DLP-group@contoso.com`. If newly created please retry the operation after sometime. If deleted or expired please reset with valid values and try again. |It is likely that the group address used in `sender is a member of` or `recipient is a member of` condition is expired or invalid. | - Remove/replace all the invalid group email addresses in the transport rule in Exchange admin center. </br> - Retry the migration for the impacted policy.|

-|The value specified in `FromMemberOf` predicate must be mail enabled security group. |Transport rules allow individual users to be used in the `sender is a member of` condition but unified DLP does not allow it. | - Update the transport rule to remove all individual user email addresses from the `sender is a member of` condition and add the users to the `sender is` condition if required. </br> - Retry the migration for the impacted policy.|

-|The value specified in `SentToMemberOf` predicate must be mail enabled security group. |Transport rules allow individual users to be used under the `recipient is a member of` condition but unified DLP does not allow it. | - Update the transport rule to remove all individual user email addresses from the `recipient is a member of` condition and add the users to the `recipient is` condition if required. </br> - Retry the migration for the impacted policy.|

-2. Export the [EAC DLP report](/powershell/module/exchange/get-maildetaildlppolicyreport?view=exchange-ps). You can copy this cmdlet and insert the appropriate values:

-3. Export the [Unified DLP report](/powershell/module/exchange/get-dlpdetailreport?view=exchange-ps). You can copy this cmdlet and insert the appropriate values:

-description: learn about the services and item types that you can use sensitivity labels as conditions in DLP policies

-You can use [sensitivity labels](sensitivity-labels.md) as a condition in DLP policies for these location:

-Download offers a simple way to download content from a review set in native format. The download tool in Advanced eDiscovery uses the browser's data transfer features. A browser prompt will appear when a download is ready. Files downloaded using this method are zipped in a container file and will contain item-level files. This means that if you select to download an attachment, you will receive the email message with the attachment included. Similarly, if you export an Excel spreadsheet that is embedded in a Word document, the Word document and the embedded Excel spreadsheet are included in the download. When you downloaded items, the Last Modified Data property is preserved and can be viewed as a file property.

-description: "In addition to the Office 365 Trust Center which provides Security, Privacy and Compliance Information for Microsoft 365, you might want to know how Microsoft helps protect secrets you store in its datacenters. We use a technology called Distributed Key Manager (DKM)."

-In addition to the Office 365 Trust Center which provides [Security, Privacy and Compliance Information for Office 365](./get-started-with-service-trust-portal.md), you might want to know how Microsoft helps protects secrets you provide in its datacenters. We use a technology called Distributed Key Manager (DKM).

-To help you with investigating compromise email accounts, we're now auditing accesses of mail data by mail protocols and clients with the *MailItemsAccessed* mailbox auditing action. This new audited action will help investigators better understand email data breaches and help you identify the scope of compromises to specific mail items that may been compromised. The goal of using this new auditing action is forensics defensibility to help assert that a specific piece of mail data was not compromised. If an attacker gained access to a specific piece of mail, Exchange Online audits the event even though there is no indication that the mail item was read.

-## The MailItemsAccessed mailbox auditing action

-The MailItemsAccessed mailbox auditing action covers all mail protocols: POP, IMAP, MAPI, EWS, Exchange ActiveSync, and REST. It also covers both types of accessing mail: *sync* and *bind*.

-1. Check whether the mailbox has been throttled. If so, this would mean that some mailbox auditing records would not have been logged. In the case that any audit records have the "IsThrottled" is "True," you should assume that for a 24-hour period afterwards that record was generated, that any access to the mailbox was not audited and that all mail data has been compromised.

- Email messages that were accessed are identified by their internet message Id. You can also check to see if any audit records have the same context as the ones for other attacker activity. For more information, see the [Identifying the access contexts of different audit records](#identifying-the-access-contexts-of-different-audit-records) section.

-|SessionId|The Session Id helps to differentiate attacker actions and day-to-day user activities in the same mailbox (in the case of account compromise) For more information about sessions, see [Contextualizing attacker activity within sessions in Exchange Online](https://techcommunity.microsoft.com/t5/exchange-team-blog/contextualizing-attacker-activity-within-sessions-in-exchange/ba-p/608801).|

-It's common that an attacker may access a mailbox at the same time the mailbox owner is accessing it. To differentiate between access by the attacker and the mailbox owner, there are audit record properties that define the context of the access. As previously explained, when the values for these properties are different, even when the activity occurs within the aggregation interval, separate audit records are generated. In the following example, there are three different audit records. Each one is differentiated by the Session Id and ClientIPAddress properties. The messages that were accessed are also identified.

-2. **Re-Issuance notice:** During a case, custodians may be required to preserve additional content (or less content) than was previously requested. For this scenario, you can update the existing hold notice and reissue it to custodians.

-3. **Release notice:** Once a matter is resolved and the custodian is no longer subject to a preservation requirement, the custodian can be released from the case. Additionally, you can notify the custodian that they are no longer required to preserve content, and provide instructions about how to resume their normal work activity and their data.

-## Collection, Processing and Use of Your Information

-The new OME capabilities Portal enables you to view email encrypted with Office 365 from a variety of end points, such as desktop computers or mobile devices. The encrypted email arrives in your mailbox as an HTML attachment to a regular mail. If the mail is sent to your Microsoft account, work or school account, or Gmail account, you will be asked to sign in to the web-based the new OME capabilities Portal with such account. If the encrypted mail is sent to an account other than the Microsoft Account, the work or school account, or a Gmail account, you will be prompted to create a Microsoft account and associate it with the account to which the encrypted message was sent; alternatively, you can choose to request a one-time passcode for authentication which will be sent to the same email address to which the encrypted message was sent. After successful authentication, the message will be decrypted and displayed via the new OME capabilities Portal.

-Your credential information to the Microsoft account, the work or school account, or the Gmail account, as well as the one-time passcode, will be used solely for the purpose of authentication; it will not be stored in the new OME capabilities Portal, or used by the new OME capabilities for any other purpose.

-Please direct privacy related inquiries to Microsoft through [omepriv@microsoft.com](mailto:omepriv@microsoft.com), or by mail, at the following address:

-Another top recommendation is to use workstations specifically configured for administrative work. These are dedicated devices that are only used for administrative tasks. See [Securing privileged access](/windows-server/identity/securing-privileged-access/securing-privileged-access).

-Microsoft recommends you protect content in SharePoint sites with sensitive and highly-regulated content with device access controls. For more information, see [Policy recommendations for securing SharePoint sites and files](../security/office-365-security/sharepoint-file-access-policies.md).

-These resources are available to download from the [Data Protection Resources, FAQ and White Papers](https://servicetrust.microsoft.com/ViewPage/TrustDocuments) page of the Service Trust Portal.

- 4. **File, folder, or site**: Type some or all of a file or folder name to search for activity related to the file of folder that contains the specified keyword. You can also specify a URL of a file or folder. If you use a URL, be sure the type the full URL path or if you type a portion of the URL, don't include any special characters or spaces.<br/><br/>Leave this box blank to return entries for all files and folders in your organization.

- > - If you're looking for all activities related to a **site**, add the wildcard symbol (\*) after the URL to return all entries for that site; for example, `"https://contoso-my.sharepoint.com/personal*"`.

- > - If you're looking for all activities related to a **file**, add the wildcard symbol (\*) before the file name to return all entries for that file; for example, `"*Customer_Profitability_Sample.csv"`.

-In Microsoft you can define filters or additional checks while creating a custom sensitive information types (SIT).

-Description: Allows you to exclude matches which have all digits as duplicate digits, like 111111111 or 111-111-111

-you can use this xml

-you can use this xml

-you can use this xml

-you can use this xml

-you can use this xml

-you can use this xml

-For example, to exclude occurrences of phone numbers which have **Phone number** and **call me at** strings before the phone number, in a list like this:

-you can use this xml

-you can use this xml

-For example, top exclude occurrences if there are 5 more instances of four digits as suffix in a list like this:

-you can use this xml

-you can use this xml

-``xml

-you can use this xml

-The sensitive data table is a text file containing rows of values against which you will be comparing content in your documents to identify sensitive data. These values might be personally identifiable information, product records or other sensitive data in text form that you want to detect in content and take protective actions on.

-## Save sensitive data in .csv, .tsv or pipe-separated format

-description: "Smart tags let you apply the machine learning capabilities when reviewing content in an Advanced eDiscovery case. Use smart tag groups to display the results of machine-learning detection models, such as the attorney-client privilege model."

-By participating in [the free trial (ΓÇ£TrialΓÇ¥) of the Microsoft Compliance Services](compliance-easy-trials.md), you agree to be bound by our [Online Services Terms](https://go.microsoft.com/fwlink/?linkid=2108910) and the following terms (ΓÇ£Trial TermsΓÇ¥), provided that in the event of a conflict the Trial Terms shall govern. The Trial period will be for ninety (90) days from the date you activate the Trial. Unless you purchase a subscription to Microsoft Compliance prior to the expiration or termination of your Trial period, you will no longer have access to (i) any data related to the features of the Trial that you entered into your account, and (ii) configurations or customizations made by you or for you using the features of the Trial. Microsoft reserves the right to terminate or modify the Trial and/or these Trial Terms at any time without prior notice and without liability. Trial offer is not available for customers in all regions and countries.

-Although current analysis of connections to Microsoft Online services shows that most services and endpoints see very little TLS 1.1 and 1.0 usage, we're providing notice of this change so that you can update any affected clients or servers as necessary before support for TLS 1.1 and 1.0 ends. If you are using any on-premises infrastructure for hybrid scenarios or Active Directory Federation Services (AD FS), make sure that the infrastructure can support both inbound and outbound connections that use TLS 1.2 (or a later version).

-| Supported languages| English <br>Coming later in 2021: Latin alphabet languages | Models work on all latin alphabet languages. In addition to English: German, Swedish, French, Spanish, Italian, and Portuguese.|

- Five metadata search fields are currently available. More fields will be added in the future.

- |Name |Search in the **Name** column in the library. |

- |Modified |Search by selected date range in the **Modified** column in the library. |

- |Type |Search by selected file type. |

-This article describes how you can deploy to SharePoint Online without traditional load testing, since load-testing is not permitted on SharePoint Online. SharePoint Online is a cloud service and the load capabilities, health and overall balance of load in the service is managed by Microsoft.

-The best approach to ensuring the success of launching your site is to follow basic principles, practices and recommendations which are highlighted in the [plan your portal launch roll-out](planportallaunchroll-out.md).

-One of the main benefits of SharePoint Online over an on-premises deployment is the elasticity of the cloud as well as optimizations for users in distributed regions. Our large scale environment is set up to service millions of users on a daily basis, so it is important that we handle capacity effectively by balancing and expanding farms.

-In order to efficiently use capacity and deal with unexpected growth, in any farm, we have automation that tracks and monitors various elements of the service. Multiple metrics are utilized, with one of the main ones being CPU load, which is used as a signal to scale-up front end servers. Additionally to this we recommend a [phased / wave approach](planportallaunchroll-out.md), as SQL environments will scale according to load and growth over time, and following the phases and waves allows for the correct distribution of that load and growth.

-With SharePoint Online we need to do things differently because the scale is relatively fluid and adjusts, throttles and controls load, based on certain heuristics. Being such a large scale multi-tenant environment, we must protect all tenants in the same farm, so we will automatically throttle any load tests.

-Instead of trying to load test SharePoint as a service, rather focus on following the recommended practices and follow the [Creating, launching and maintaining a healthy portal](/sharepoint/portal-health) guidance.

-|Right for highly technical users and developers. <p> Be the first to access the latest builds earliest in the development cycle with the new newest code. <p> There will be rough edges and some instability.|Dev|N/A|

-|Right for customers who want the latest releases as soon as they are ready.|Semi-Annual Channel|[Current Channel](/deployoffice/overview-update-channels#current-channel-overview)|[Latest releases](deploy-update-channels-examples-rapid-deploy.md)|

-|Right for enterprises who want the latest release with additional predictability.|Semi-Annual Channel|[Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview)||

-| MX | 0 | @ | *tenant*.mail.protection.office365.us (see below for additional details) | 1 Hour |

-| TXT | - | @ | v=spf1 include:spf.protection.office365.us -all | 1 Hour |

-| CNAME | - | autodiscover | autodiscover-dod.office365.us | 1 Hour |

-| CNAME | sip | sipdir.online.dod.skypeforbusiness.us | 1 Hour |

-| CNAME | lyncdiscover | webdir.online.dod.skypeforbusiness.us | 1 Hour |

-| SRV | \_sip | \_tls | 443 | 1 | 100 | @ | sipdir.online.dod.skypeforbusiness.us | 1 Hour |

-| SRV | \_sipfederationtls | \_tcp | 5061 | 1 | 100 | @ | sipfed.online.dod.skypeforbusiness.us | 1 Hour |

-## Additional DNS records

-| MX | 0 | @ | *tenant*.mail.protection.office365.us (see below for additional details) | 1 Hour |

-| TXT | - | @ | v=spf1 include:spf.protection.office365.us -all | 1 Hour |

-| CNAME | - | autodiscover | autodiscover.office365.us | 1 Hour |

-| CNAME | sip | sipdir.online.gov.skypeforbusiness.us | 1 Hour |

-| CNAME | lyncdiscover | webdir.online.gov.skypeforbusiness.us | 1 Hour |

-| SRV | \_sip | \_tls | 443 | 1 | 100 | @ | sipdir.online.gov.skypeforbusiness.us | 1 Hour |

-| SRV | \_sipfederationtls | \_tcp | 5061 | 1 | 100 | @ | sipfed.online.gov.skypeforbusiness.us | 1 Hour |

-## Additional DNS records

-Because Skype for Business works closely with Exchange, the login behavior Skype for Business client users will see will be affected by the modern authentication status of Exchange. This will also apply if you have a Skype for Business _split-domain_ hybrid architecture, in which you have both Skype for Business Online and Skype for Business on-premises, with users homed in both locations.

-For example, if a Skype for Business client needs to access Exchange server to get calendar information on behalf of a user, it uses the Microsoft Authentication Library (MSAL) to do so. MSAL is a code library designed to make secured resources in your directory available to client applications using OAuth security tokens. MSAL works with OAuth to verify claims and to exchange tokens (rather than passwords), to grant a user access to a resource. In the past, the authority in a transaction like this one--the server that knows how to validate user claims and issue the needed tokens -- might have been a Security Token Service on-premises, or even Active Directory Federation Services. However, modern authentication centralizes that authority by using Azure AD.

-Because modern authentication changes the authorization server used when services leverage OAuth/S2S, you need to know if modern authentication is enabled or disabled for your on-premises Skype for Business and Exchange environments. You can check the status on your Exchange servers by running the following PowerShell command:

- - All SFB Front Ends must have connections outbound to the internet, to Office 365 Authentication URLs (TCP 443) and well known certificate root CRLs (TCP 80) listed in Rows 56 and 125 of the 'Microsoft 365 Common and Office' section of [Office 365 URLs and IP address ranges](urls-and-ip-address-ranges.md).

- - SSL Offloading is not configured. SSL termination and re-encryption is supported.

- - If you are using Exchange Server 2013, at least one server must have the Mailbox and Client Access server roles installed. While it is possible to install the Mailbox and Client Access roles on separate servers, we strongly recommend that you install both roles on the same server to provide additional reliability and improved performance.

- The availability of modern authentication is determined by the combination of the client, protocol, and configuration. If modern authentication is not supported by the client, protocol, and/or configuration, then the client will continue to leverage legacy authentication.

- |Outlook 2013 and later <br/> |MAPI over HTTP <br/> |MAPI over HTTP must be enabled within Exchange in order to leverage modern authentication with these clients (usually enabled or True for new installs of Exchange 2013 Service Pack 1 and above); for more information see [How modern authentication works for Office 2013 and Office 2016 client apps](modern-auth-for-office-2013-and-2016.md). <br/> Ensure you are running the minimum required build of Outlook; see [Latest updates for versions of Outlook that use Windows Installer (MSI)](/officeupdates/outlook-updates-msi). <br/> |

- |Exchange ActiveSync clients (e.g., iOS11 Mail) <br/> |Exchange ActiveSync <br/> |For Exchange ActiveSync clients that support modern authentication, you must recreate the profile in order to switch from basic authentication to modern authentication. <br/> |

- Clients and/or protocols that are not listed (e.g., POP3) do not support modern authentication with on-premises Exchange and continue to leverage legacy authentication mechanisms even after modern authentication is enabled in the environment.

- - Make sure both an on-premises test user, as well as a hybrid test user homed in Office 365, can login to the Skype for Business desktop client (if you want to use modern authentication with Skype) and Microsoft Outlook (if you want to use modern authentication with Exchange).

-You must carefully plan your ExpressRoute for Office 365 implementation to accommodate for the network complexities of having routing available via both a dedicated circuit with routes injected into your core network and the internet. If you and your team don't perform the detailed planning and testing in this guide, there is a high risk you'll experience intermittent or a total loss of connectivity to Office 365 services when the ExpressRoute circuit is enabled.

- - Identify all edge devices, such as proxies, firewalls, and so on and catalog their relationship to flows going over the Internet and ExpressRoute.

- - Document whether end users will access Office 365 services via direct routing or indirect application proxy for both Internet and ExpressRoute flows.

-For each service that requires an inbound connection, you'll need some additional information. Servers in the Microsoft cloud will establish connections to your on-premises network. to ensure the connections are made correctly, you'll want to describe all aspects of this connectivity, including; the public DNS entries for the services that will accept these inbound connections, the CIDR formatted IPv4 IP addresses, which ISP equipment is involved, and how inbound NAT or source NAT is handled for these connections.

-Inbound connections should be reviewed regardless of whether they're connecting over the internet or ExpressRoute to ensure asymmetric routing hasn't been introduced. In some cases, on-premises endpoints that Office 365 services initiate inbound connections to may also need to be accessed by other Microsoft and non-Microsoft services. It is paramount that enabling ExpressRoute routing to these services for Office 365 purposes doesn't break other scenarios. In many cases, customers may need to implement specific changes to their internal network, such as source based NAT, to ensure that inbound flows from Microsoft remain symmetric after ExpressRoute is enabled.

-|**Public (Internet) DNS entry** <br/> |\*.sharepoint.com (and additional FQDNs) <br/> |

-|**CDN Referrals** <br/> |cdn.sharepointonline.com (and additional FQDNs) - IP addresses maintained by CDN providers) <br/> |

-7. Locations and portions of your internal network topology, where Microsoft IP prefixes learned from ExpressRoute will be accepted, filtered and propagated to.

-Often times, there are multiple meet-me locations that could be selected within a region with relative proximity to your users. Fill out the following table to guide your decisions.

-Once the global network architecture showing the Office 365 region, ExpressRoute network service provider meet-me locations, and the quantity of people by location has been developed, it can be used to identify if any optimizations can be made. It may also show global hairpin network connections where traffic routes to a distant location in order to get the meet-me location. If a hairpin on the global network is discovered it should be remediated before continuing. Either find another meet-me location, or use selective Internet breakout egress points to avoid the hairpin.

-Expanding this concept slightly further, the second diagram shows an example multi-national customer faced with similar information and decision making. This customer has a small office in Bangladesh with only a small team of ten people focused on growing their footprint in the region. There is a meet-me location in Chennai and a Microsoft datacenter with Office 365 hosted in Chennai so a meet-me location would make sense; however, for ten people, the expense of the additional circuit is burdensome. As you look at your network, you'll need to determine if the latency involved in sending your network traffic across your network is more effective than spending the capital to acquire another ExpressRoute circuit.

-Your implementation plan should encompass both the technical details of configuring ExpressRoute as well as the details of configuring all the other infrastructure on your network, such as the following.

-### Plan your bandwidth, security, high availability and failover

-Skype for Business Online also has specific additional network requirements which are detailed in the article [Media Quality and Network Connectivity Performance in Skype for Business Online](https://support.office.com/article/Media-Quality-and-Network-Connectivity-Performance-in-Skype-for-Business-Online-5fe3e01b-34cf-44e0-b897-b0b2a83f0917).

-The majority of enterprise Office 365 deployments assume some form of inbound connectivity from Office 365 to on-premises services, such as for Exchange, SharePoint, and Skype for Business hybrid scenarios, mailbox migrations, and authentication using ADFS infrastructure. When ExpressRoute you enable an additional routing path between your on-premises network and Microsoft for outbound connectivity, these inbound connections may inadvertently be impacted by asymmetric routing, even if you intend to have those flows continue to use the Internet. A few precautions described below are recommended to ensure there is no impact to Internet based inbound flows from Office 365 to on-premises systems.

-To minimize the risks of asymmetric routing for inbound network traffic flows, all of the inbound connections should use source NAT before they're routed into segments of your network which have routing visibility into ExpressRoute. If the incoming connections are allowed onto a network segment with routing visibility into ExpressRoute without source NAT, requests originating from Office 365 will enter from the internet, but the response going back to Office 365 will prefer the ExpressRoute network path back to the Microsoft network, causing asymmetric routing.

-2. Ensure that ExpressRoute routes are not propagated to the network segments where inbound services, such as front end servers or reverse proxy systems, handling Internet connections reside.

-There may be cases where you may choose to direct some inbound flows over ExpressRoute connections. For these scenarios, take the following additional considerations into account.

-3. In order to receive inbound network connections over ExpressRoute, the public IP subnets for these endpoints must to be advertised to Microsoft over ExpressRoute.

-It helps to do this paper walk through of routes with a second person. Explain to them where each network hop is expected to get its next route from and ensure that you're familiar with the routing paths. Remember that ExpressRoute will always provide a more scoped route to Microsoft server IP addresses giving it lower route cost than an Internet default route.

-If you're using a proxy server for internet bound traffic then you need to adjust any PAC or client configuration files to ensure client computers on your network are correctly configured to send the ExpressRoute traffic you desire to Office 365 without transiting your proxy server, and the remaining traffic, including some Office 365 traffic, is sent to the relevant proxy. Read our guide on [managing Office 365 endpoints](./managing-office-365-endpoints.md) for example PAC files.

-Your implementation plan should include both testing and rollback planning. If your implementation isn't functioning as expected, the plan should be designed to affect the least number of people before problems are discovered. The following are some high level principles your plan should consider.

-3. If deploying Office 365 for the first time, use the ExpressRoute network deployment as a pilot for a small number of people.

-4. If using proxy servers, you can alternatively configure a test PAC file to direct a small number of people to ExpressRoute with testing and feedback before adding more.

-Your implementation plan should list each of the deployment procedures that must be taken or commands that need to be used to deploy the networking configuration. When the network outage time arrives all of the changes being made should be from the written deployment plan which was written in advance and peer reviewed. See our guidance on the technical configuration of ExpressRoute.

-After your ExpressRoute deployment is complete the procedures in the test plan should be executed. Results for each procedure should be logged. You must include procedures for rolling back to the original production environment in the event the test plan results indicate the implementation was not successful.

-Choose an outage window that is long enough to run through the entire deployment plan and the test plan, has some time available for troubleshooting and time for rolling back if required.

-Identify which inbound or outbound services failed during testing. Get specifically the IP addresses and subnets for each of the services which failed. Go ahead and walk the network topology diagram on paper and validate the routing. Validate specifically where the ExpressRoute routing is advertised to, Test that routing during the outage if possible with traces.

-The following broad metrics for SharePoint Online provide real world data about performance:

-A Site Collection Administrator, Site Owner, Editor, or Contributor belong to additional security groups, have additional permissions, and therefore have additional elements that SharePoint loads on a page.

-In order to correctly evaluate how a page will perform for users, you should use a standard user account to avoid loading the authoring controls and additional traffic related to security groups.

-As you would expect, you have far more control over how servers perform with on-premises SharePoint. With SharePoint Online things are a little different. The more work you make a server do, the longer it takes to render a page. With SharePoint, the biggest culprit in this respect are complex pages with multiple web parts.

-Examples of these server to server interactions are:

-The other thing that can slow down server interactions is cache misses. Unlike on-premises SharePoint, there is a very slim chance that you will hit the same server for a page that you have visited previously; this makes object caching obsolete.

-With on-premises SharePoint that doesn't make use of a WAN, you may use a high-speed connection between datacenter and end-users. Generally, things are easy to manage from a network perspective.

-One feature that you can leverage in SharePoint Online is the Microsoft CDN (Content Delivery Network). A CDN is basically a distributed collection of servers deployed across multiple datacenters. With a CDN, content on pages can be hosted on a server close to the client even if the client is far away from the originating SharePoint Server. Microsoft will be using this more in the future to store local instances of pages which cannot be customized, for example the SharePoint Online admin home page. For more information about CDNs, see [Content delivery networks](content-delivery-networks.md).

-Visiting complex pages will affect performance. Most browsers only have a small cache (around 90MB), while the average web page is typically around 1.6MB. This doesn't take long to get used up.

-You can still use the previous groups classification feature. You can create classifications that the users in your organization can set when they create an Microsoft 365 Group. For example, you can allow users to set "Standard", "Secret", and "Top Secret" on groups they create. Group classifications aren't set by default and you need to create it in order for your users to set it. Use Azure Active Directory PowerShell to point your users to your organization's usage guidelines for Microsoft 365 Groups.

-In order to associate a description to each classification you can use the settings attribute *ClassificationDescriptions* to define.

-where Classification matches the strings in the ClassificationList.

-Along with MailTip, you can also set MailTipTranslations, which specifies additional languages for the MailTip. Suppose you want to have the Spanish translation, then run the following command:

-|[Remove-UserPhoto](/powershell/module/exchange/remove-userphoto) <br/> |Remove the photo for an Microsoft 365 Group <br/> |

-Note that the full output of the request in this example would contain other endpoint sets.

-The output for example 2 is similar to example 1 except that the results would not include endpoints for SharePoint Online or Skype for Business Online.

- ΓÇö AddedIpAndUrl ΓÇö Both an IP address and a URL were added. This represents a change you need to take on either a firewall layer 3 device or a proxy server or URL parsing device. If you donΓÇÖt add this IP/URL pair before we start using it, you may experience an outage.

- ΓÇö effectiveDate ΓÇö Defines the data when the additions will be live in the service.

- ΓÇö ips ΓÇö Items to be added to the _ips_ array.

- ΓÇö ips ΓÇö Items to be removed from the _ips_ array.

-Here is a Python script, tested with Python 3.6.3 on Windows 10, that you can run to see if there are actions you need to take for updated data. This script checks the version number for the Office 365 Worldwide instance endpoints. When there is a change, it downloads the endpoints and filters for the _Allow_ and _Optimize_ category endpoints. It also uses a unique ClientRequestId across multiple calls and saves the latest version found in a temporary file. You should call this script once an hour to check for a version update.

-Within this model, there is no single source of directory data. Specific systems own individual pieces of data, but no single system holds all the data. Microsoft 365 services cooperate with Azure AD in this data model. Azure AD is the "system of truth" for shared data, which is typically small and static data used by every service. The federated model used within Microsoft 365 and Azure AD provides the shared view of the data.

-Microsoft 365 uses both physical storage and Azure cloud storage. Exchange Online (including Exchange Online Protection) and Skype for Business use their own storage for customer data. SharePoint Online uses both SQL Server storage and Azure Storage, hence the need for additional isolation of customer data at the storage level.

-Each mailbox database within Exchange Online contains mailboxes from multiple tenants. An authorization code secures each mailbox, including within a tenancy. By default, only the assigned user has access to a mailbox. The access control list (ACL) that secures a mailbox contains an identity authenticated by Azure AD at the tenant level. The mailboxes for each tenant are limited to identities authenticated against the tenant's authentication provider, which includes only users from that tenant. Content in tenant A cannot in any way be obtained by users in tenant B, unless explicitly approved by tenant A.

-If a user could gain direct access to the storage containing the data, the content is not interpretable to a human or any system other than SharePoint Online. These mechanisms include security access control and properties. All SharePoint Online resources are secured by the authorization code and RBAC policy, including within a tenancy. The access control list (ACL) that secures a resource contains an identity authenticated at the tenant level. SharePoint Online data for a tenant is limited to identities authenticated by the authentication provider for the tenant.

-In addition to the ACLs, a tenant level property that specifies the authentication provider (which is the tenant-specific Azure AD), is written once and cannot be changed once set. Once the authentication provider tenant property has been set for a tenant, it cannot be changed using any APIs exposed to a tenant.

-A unique *SubscriptionId* is used for each tenant. All customer sites are owned by a tenant and assigned a *SubscriptionId* unique to the tenant. The *SubscriptionId* property on a site is written once and is permanent. Once assigned to a tenant, a site cannot be moved to a different tenant. The *SubscriptionId* is the key used to create the security scope for the authentication provider and is tied to the tenant.

-Media used in chats (except for Giphy GIFs which aren't stored but are a reference link to the original Giphy service URL, Giphy is a non-Microsoft service) is stored in an Azure-based media service that is deployed to the same locations as the chat service.

-When you customize your website you can end up adding a large number of extra files to the server to support the customization. Adding extra JavaScript, CSS, and images increases the number of HTTP requests to the server which in turn increases the time it takes to display a web page. If you have multiple files of the same type, you can bundle these files to make downloading these files faster.

-In addition, if the minify flag is set to true in the bundling recipe the files are reduced in size as well as bundled together. This means that new, minified versions of the JavaScript files were created that you can reference in your master page.

-After bundling, the JavaScript bundle file is reduced significantly from 815KB to 365KB:

-There is a read-only window during the SharePoint site geo move of approximately 4-6 hours, depending on site contents.

-|InProgress (n/4)|The move is in progress in one of the following states: Validation (1/4), Backup (2/4), Restore (3/4), Cleanup (4/4).|

-While the move is in progress the site is set to read-only. Once the move is completed, the user is directed to the new site in the new geo location when they click on bookmarks or other links to the site.

-SharePoint 2013 workflows need to be republished after the site move. SharePoint 2010 workflows should continue to function normally.

-If you are moving a site with apps, you must re-instantiate the app in the site's new geo location as the app and its connections may not be available in the destination geo location.

-In most cases Flows will continue to work after a SharePoint site geo move. We recommend that you test them once the move has completed.

-Multi-Geo capabilities in Teams enables Teams chat data to be stored at rest in a specified geo location. Chat data consists of chat messages, including private messages, channel messages, and images used in chats.

-Teams uses the Preferred Data Location (PDL) for users and groups to determine where to store data. If the PDL is not set or is invalid, data is stored in the tenant's central location.

-Each Microsoft 365 group has a Preferred Data Location (PDL) which denotes the geo location where related data is to be stored. Teams uses the PDL for the group associated with each team to determine where to store channel messaging data for that team. This includes private channels as well as chat that occurs within a channel meeting.

-When a user creates a new team, that user's PDL determines what PDL is assigned to the Microsoft 365 group. The group PDL determines where that team's data is stored. If that user's PDL later changes, the group's PDL is not changed.

-Changing the PDL of the Microsoft 365 group queues the Teams data to migrate to the chosen location. However, this does not migrate the SharePoint site or files associated with the Group automatically. You must move the site separately by following the procedures in [Move a SharePoint site to a different geo location](/microsoft-365/enterprise/move-sharepoint-between-geo-locations). Be sure to do both steps to avoid Teams data and SharePoint data for one group in different locations.

-Teams Multi-Geo is seamless to the end user. Once you change the PDL of a user or a group, the respective data will queue for migration and the migration will occur automatically with no impact to the user or their Teams client even if they are active while the migration occurs.

-> For new users with no OneDrive provisioned, wait at least 24 hours after a user's PDL is synchronized to Azure AD for the changes to propagate before the user logs in to OneDrive for Business. (Setting the preferred data location before the user logs in to provision their OneDrive for Business ensures that the user's new OneDrive will be provisioned in the correct location.)

-> For new users with no OneDrive provisioned, wait at least 24 hours after a user's PDL is set for the changes to propagate before the user logs in to OneDrive. (Setting the preferred data location before the user logs in to provision their OneDrive for Business ensures that the user's new OneDrive will be provisioned in the correct location.)

-Try sharing OneDrive files. Confirm that the people picker shows you all your SharePoint online users regardless of their geo location.

-SharePoint Hub sites enhances the discovery and engagement with content for employees, while creating a complete and consistent representation of projects, departments or regions. In a multi-geo environment, sites from satellite locations can easily be associated with a hub site regardless the hub site's geo location. Users can search and get results across the hub through a single search experience, regardless of the geo location of the sites.

-The OneDrive sync app (version 17.3.6943.0625 and later) will automatically detect the correct OneDrive geo location for the user. Sync app support includes the ability to sync groups-based sites regardless of their geo location. Note that the Groove sync client is not supported for multi-geo.

-The OneDrive iOS and Android mobile apps will show you your OneDrive files and files shared with you regardless of their geo location. Search from the OneDrive mobile apps will show relevant results from all geo locations. Please download the latest version of these apps.

-See Use [OneDrive on iOS](https://support.office.com/article/08d5c5b2-ccc6-40eb-a244-fe3597a3c247) and [Use OneDrive for Android](https://support.office.com/article/eee1d31c-792d-41d4-8132-f9621b39eb36) for more information.

-In SharePoint Multi-Geo your SharePoint home is hosted in the location where the user resides as determined by their OneDrive location. For example: if the user has their OneDrive hosted in a European satellite location, their SharePoint Home will be rendered from Europe. SharePoint home includes all content relevant to the user regardless of its geo location.

-## SharePoint Mobile Client

-The People Picker experience shows all users regardless of their geo location. This allows a user to share with another user in their same geo or in any other of your tenant's geo locations. Content from different geo locations will show up in the **Shared with Me** view in the user's OneDrive, Word, Excel, PowerPoint and Office.com and can be accessed with Single Sign-On experience regardless of which geo location it is hosted in.

-|High availability planning. <br/> |Failover to an alternate internet network connection <br/> |Failover to an alternate ExpressRoute connection <br/> |

-If you're using an existing Azure ExpressRoute circuit and would like to add Office 365 connectivity over this circuit, you should look at the number of circuits, egress locations, and size of the circuits to ensure they'll meet the needs of your Office 365 usage. Most customers require additional bandwidth and many require additional circuits.

-To find the right level of bandwidth, the best mechanism is to test your existing network consumption. This is the only way to get a true measure of usage and need as every network configuration and applications are in some ways unique. When measuring you'll want to pay close attention to the total bandwidth consumption, latency, and TCP congestion to understand your network needs.

-|Co-located at a cloud exchange <br/> |Install new or leverage existing security/perimeter infrastructure in the co-location facility where the ExpressRoute connection is established. <br/> Leverage co-location facility purely for routing/interconnect purposes and back haul connections from co-location facility into the on-premises security/perimeter infrastructure. <br/> |

-|Any-to-Any IPVPN <br/> |Leverage an existing on-premises security/perimeter infrastructure at all locations that egress into the IPVPN used for ExpressRoute for Office 365 connectivity. <br/> Hairpin the IPVPN used for ExpressRoute for Office 365 to specific on-premises locations designated to serve as the security/perimeter. <br/> |

-When considering the topology placement of the network/security perimeter options used for ExpressRoute for Office 365 connections, following are additional considerations

-Woodgrove's existing infrastructure is reliable and can handle the additional work, as a result, Woodgrove Bank is able to use the infrastructure for their Azure ExpressRoute and internet perimeter security. If this weren't the case, Woodgrove could choose to purchase additional equipment to supplement their existing equipment or to handle a different type of connection.

-Inside the egress point of your network are many other devices and circuits that play a critical role in how people perceive availability. These portions of your connectivity scenarios are not covered by ExpressRoute or Office 365 SLAs, but they play a critical role in the end to end service availability as perceived by people in your organization.

-Leveraging the internet as a backup configuration isn't recommended. This breaks Woodgrove's reliability principle, resulting in an inconsistent experience using the connection. Additionally, manual configuration would be required to failover considering the BGP advertisements that have been configured, NAT configuration, DNS configuration, and the proxy configuration. This added failover complexity increases the time to recover and decreases their ability to diagnose and troubleshoot the steps involved.

-Choose the locations of your circuits based on your bandwidth, latency, security, and high availability planning. Once you know the optimal locations you'd like to place circuits [review the current list of providers by region](/azure/expressroute/expressroute-locations).

-One network intermediary insight we show is SSL break and inspection when critical Microsoft 365 network endpoints for Exchange, SharePoint and Teams are intercepted and decrypted by network intermediary devices.

-Once the client application starts, the web page will update to show this result. Test data will start to be received to the web page. The page updates each time new data is received and you can review the data as it arrives.

-The location looked up from the network egress IP Address may not be accurate and this would lead to a false result from this test. To validate if this error is occurring for a specific IP Address you can use publicly accessible network IP Address location web sites.

-We measure the download speed for a 15Mb file from the SharePoint service front door. The result is shown in megabytes per second to indicate what size file in megabytes can be downloaded from SharePoint or OneDrive in **one second**. The number should be similar to one tenth of the minimum circuit bandwidth in megabits per second. For example if you have a 100mbps internet connection, you may expect 10 megabytes per second (10MBps).

-This tests for UDP connectivity to the Microsoft Teams service front door. If this is blocked then Microsoft Teams may still work using TCP, but audio and video will be impaired. Read more about these UDP network measurements, which also apply to Microsoft Teams at [Media Quality and Network Connectivity Performance in Skype for Business Online](/skypeforbusiness/optimizing-your-network/media-quality-and-network-connectivity-performance).

-Shows the UDP packet loss measured in a 10 second test audio call from the client to the Microsoft Teams service front door. This should be lower than **1.00%** for a pass.

-There are several large challenges posed by the problem statements above. Specifically, too many ambiguities to deal with. for example:

-When users report a performance problem, there's a lot of information to collect. Getting and recording information is called scoping the issue. Here is a basic scoping list you can use to collect information about performance issues. This list is not exhaustive, but it's a place to start:

-Some of these questions are more obvious than others. Most everyone will understand a troubleshooter needs the exact steps to reproduce the issue. After all, how else can you record what's wrong, and how else can you test if the issue is fixed? Less obvious are things like "What date and time did you see the issue?", and "Where in the world are you located?", information that can be used in tandem. Depending on when the user was working, a few hours of time difference may mean maintenance is already underway on parts of your company's network. If, for example, your company has a hybrid implementation, like a hybrid SharePoint Search, which can query search indexes in both SharePoint Online and an On-premises SharePoint Server 2013 instance, updates may be underway in the on-premises farm. If your company is all in the cloud, system maintenance may include adding or removing network hardware, rolling out updates that are company-wide, or making changes to DNS, or other core infrastructure.

-What's missing here is a performance baseline.

- - You need to know your devices so that you have context (IP addresses, type of device, et cetera) for performance problems that arise.

- - There are third party tools that can discover and map your network, but the safest way to know your devices is to ask a member of your network team.

-You'll know the impact when it goes bad, but if you don't know your historical performance data, it's not possible to have a context for how bad it may have become, and when. So without a baseline, you're missing the key clue to solve the puzzle: the picture on the puzzle box. In performance troubleshooting, you need a point of *comparison* . Simple performance baselines aren't difficult to take. Your Operations team can be tasked with carrying these out on a schedule. For example, let's say your connection looks like this:

-The options are listed as **Simple** and **Advanced** because of the amount of expertise you need in order to find the performance data. A network trace will take a lot of time, compared to running command-line tools like PsPing and TraceTCP. These two command-line tools were chosen because they don't use ICMP packets, which will be blocked by Office 365, and because they give the time in milliseconds that it takes to leave the client computer, or proxy server (if you have access) and arrive at Office 365. Each individual hop from one computer to another will end up with a time value, and that's great for baselines! Just as importantly, these command-line tools allow you to add a port number onto the command, this is useful because Office 365 communicates over port 443, which is the port used by Secure Sockets Layer and Transport Layer Security (SSL and TLS). However, other third-party tools may be better solutions for your situation. Microsoft doesn't support all of these tools, so if, for some reason, you can't get PsPing and TraceTCP working, move on to a network trace with a tool like Netmon.

-There are lots of different ways to do this, but using the format **\<dateTime\>\<what's happening in the test\>** is a good place to start. Being diligent about this will help a lot when you are trying to troubleshoot issues later. Later, you'll be able to say "I took two traces on February 8th, one showed good performance and one showed bad, so we can compare them". This is extremely helpful for troubleshooting.

-You need to have an organized way to keep your historical baselines. In this example, the simple methods produced three command line outputs and the results were collected as screen shots, but you may have network capture files instead. Use the method that works best for you. Store your historical baselines and refer to them at points where you notice changes in the behavior of online services.

-There is no better time to start making baselines than during a pilot of the Office 365 service. Your office may have thousands of users, hundreds of thousands, or it may have five, but even with a small number of users, you can perform tests to measure fluctuations in performance. In the case of a large company, a representative sample of several hundred users piloting Office 365 can be projected outward to several thousands so you know where issues might arise before they happen.

-In the case of a small company, where on-boarding means that all users go to the service at the same time and there is no pilot, keep performance measures so that you have data to show to anyone who may have to troubleshoot a badly performing operation. For example, if you notice that all of a sudden you can walk around your building in the time it takes to upload a medium-sized graphic where it used to happen very quickly.

-The objective of these simple methods is to learn to take, understand, and properly store simple performance baselines over time so that you are informed about Office 365 performance. Here's the very simple diagram for simple, as you've seen before:

-Once you bypass your proxy, you should be able to use ping or PsPing directly on an Office 365 URL. The next step will be to test ping **outlook.office365.com**. Or, if you're using PsPing or another tool that will let you supply a port number to the command, PsPing against **portal.microsoftonline.com:443** to see the average round trip time in milliseconds.

-The round trip time, or RTT, is a number value that measures how long it takes to send a HTTP request to a server like outlook.office365.com and get a response back that acknowledges the server knows that you did it. You'll sometimes see this abbreviated as RTT. This should be a relatively short amount of time.

-You have to use [PSPing](/sysinternals/downloads/psping) or another tool that does not use ICMP packets which are blocked by Office 365 in order to do this test.

-If you're not familiar with proxy bypass, and prefer to take things step-by-step, you need to first find out the name of your proxy server. In Internet Explorer go to **Tools** \> **Internet Options** \> **Connections** \> **LAN settings** \> **Advanced**. The **Advanced** tab is where you will see your proxy server listed. Ping that proxy server at a command prompt by completing this task:

-3. When the trace stops sending test packets, you'll get a small summary that lists an average, in milliseconds, and that's the value you're after. Take a screen shot of the prompt and save it using your naming convention. At this point it may also help to fill in the diagram with the value.

-In terms of troubleshooting, you may find something interesting just from keeping these baselines. For example, if you find that you generally have about 40 to 59 milliseconds of latency from the proxy or egress point to the Office 365 URL, and have a client to proxy or egress point latency of about 3 to 7 milliseconds (depending on the amount network traffic you're seeing during that time of day) then you will surely know something is problematic if your last three client to proxy or egress baselines show a latency of 45 milliseconds.

-Taking a performance baseline is the simple part of this method, and many of the steps are the same as when you troubleshoot a performance issue. The more advanced methods of creating baselines for performance requires you to take and store network traces. Most of the examples in this article use SharePoint Online, but you should develop a list of common actions across the Office 365 services to which you subscribe to test and record. Here is a baseline example:

-This list should include the most important common actions that users take against SharePoint Online. Notice that the last step, to trace going to OneDrive for Business, builds-in a comparison between the load of the SharePoint Online home page (which is often customized by companies) and OneDrive for Business home page, which is seldom customized. This is a very basic test when it comes to a slow-loading SharePoint Online site. You can build a record of this difference into your testing.

-To tackle a performance problem, *right now* , you need to be taking a trace at the time you are experiencing the performance issue. You need to have the proper tools available to gather logs, and you need an action plan, that is, a list of troubleshooting actions to take to gather the best information that you can. The first thing to do is record the date and time of the test so that the files can be saved in a folder that reflect the timing. Next, narrow down to the problem steps themselves. These are the exact steps you will use for testing. Don't forget the basics: if the issue is only with Outlook, make sure to record that the problem behavior happens in only one Office 365 service. Narrowing down the scope of this issue will help you to focus on something you can resolve.

-Change your primary domain to a domain you have verified in Microsoft 365, for example, contoso.com. Every user that has the domain contoso.local is then updated to contoso.com. This is a very involved process, however, and an easier solution is described in the following section.

-After you have updated the UPNs to use the verified domain, you are ready to synchronize your on-premises AD DS with Microsoft 365.

-If you have a lot of user accounts to update, it's easier to use PowerShell. The following example uses the cmdlets [Get-ADUser](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee617241(v=technet.10)) and [Set-ADUser](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee617215(v=technet.10)) to change all contoso.local suffixes to contoso.com in AD DS.

-The following are scenarios where communications from Office 365 to your on-premises network will be initiated. To simplify your network design, we recommend routing these over the Internet path.

-3) Be aware that any route advertised to Microsoft will attract network traffic from any server in Microsoft's network, not only those for which routes are advertised to your network over ExpressRoute. Only advertise routes to servers where routing scenarios are defined and well understood by your team. Advertise separate IP Address route prefixes at each of multiple ExpressRoute circuits from your network.

-In some situations we've used a wildcard domain where one or more sub-FQDNs are advertised differently than the higher-level wildcard domain. This usually happens when the wildcard represents a long list of servers that are all advertised to ExpressRoute and the Internet, while a small subset of destinations is only advertised to the Internet, or the reverse. Refer to the tables below to understand where the differences are.

-|\*.office.com <br/> |\*.outlook.office.com <br/> home.office.com <br/> outlook.office.com <br/> portal.office.com <br/> <div style="display: inline">www.office.com</div> <br/> |

-2. What egress location(s) you want the network traffic to leave your network from. You should plan to minimize the network latency for connectivity to Office 365 as this will impact performance. Because Skype for Business uses real-time voice and video, it is particularly susceptible to poor network latency.

-With a single ExpressRoute circuit, there is no high availability for Trey Research. In the event Trey's redundant pair of edge devices that are servicing the ExpressRoute connectivity fail, there is not an additional ExpressRoute circuit to failover to. This leaves Trey Research in a predicament as failing over to the internet will require manual reconfiguration and in some cases new IP addresses. If Trey wants to add high availability, the simplest solution is to add additional ExpressRoute circuits for each location and configure the circuits in an active/active manner.

-The additional questions that must be answered for customers with multiple locations in multiple geographies include:

-This example is a scenario for a fictitious company called Humongous Insurance who has multiple geographic locations.

-When Humongous Insurance is planning their multi-geography strategy, there are a number of things to consider around size of circuit, number of circuits, failover, and so on.

-Selective routing with ExpressRoute may be needed for a variety of reasons, such as testing, rolling out ExpressRoute to a subset of users. There are various tools customers can use to selectively route Office 365 network traffic over ExpressRoute:

-Methods like 'side-by-side' are important in the scheme of upgrade logic. When you upgrade side-by-side, you maintain your Microsoft Office SharePoint Server 2007 farm, but build a farm the next version up from it (SharePoint Server 2010) on new hardware. This helps in three ways:

-2. If you figure out that only a small number of critical document libraries and other information are in use on your Microsoft Office SharePoint Server 2007 farm, you can choose to manually move data from Microsoft Office SharePoint Server 2007 to SharePoint Server 2010, or take only specific sites and webs to the next version (which can make your job easier).

-When upgrading, your decision-making should be based on what your farm does for your organization. What need does it satisfy? What's its role? Each farm in your company may have a different role. Some of your SharePoint farms may be *critical* , some may be file archives -- there for safe-keeping. Or, if your farm fills many roles at once, then you may need to know what site collections, webs, or even document libraries do, any customizations, and how important they are. Analyzing your data at this level may seem like a lot of work, but it saves time and effort to master your domain before you upgrade, or migrate, it. Once you know all the moving parts, and the most important bits, you'll also know what you've outgrown and can leave behind. That knowledge will only benefit you going forward.

-If you run something essential to your business from your SharePoint farm, say it acts like a large catalog of critical data about client service requirements, you may put a tick beside 'Critical apps', but also 'Availability' -- that is, your business would be impacted if you couldn't use SharePoint for a while. Likewise, you might check 'Customizations' because the critical services your farm offers are based on custom code, site definitions, or a number of customizations that work together.

-If SharePoint met those needs without your having to do anything outside of using what's built-in to the software, and you generally update it and carry out normal administration and maintenance, you may have chosen 'Built-in SharePoint' -- this may also be your reason for sitting on an older version of SharePoint. In other words, it already does what you need it to and you haven't needed to upgrade until now, at Microsoft Office SharePoint Server 2007 end of support.

-There may need to be wider consensus with leadership and other admins on the path your SharePoint Upgrade will take. SharePoint Server Administrators often cooperate with Microsoft SQL Server admins, work with Networking and Security teams, and more. Where there are a lot of stakeholders, you may need to build agreement for, or adjust, your upgrade and migration plan. For example, if you migrate data so that part of your company uses SharePoint Online in Microsoft 365, there will likely need to be performance tuning or testing inside your network. Affected teams should be informed ahead of time.

-|Upgrade with farms side-by-side <br/> |Hybrid Upgrade <br/> |

-

-## Articles about fine tuning Microsoft 365 and Office 365 performance

-Take a look at the [top 10 tips for optimizing and troubleshooting your Office 365 network connectivity](/archive/blogs/onthewire/top-10-tips-for-optimising-troubleshooting-your-office-365-network-connectivity) by Paul Collinge.

-When SharePoint Server 2013 is hosted on-premises, the customer has private front-end web servers that host the object cache. This means the cache is dedicated to one customer and is only limited by how much memory is available and allocated to the object cache. Because only one customer is served in the on-premises scenario the front-end web servers typically have users making requests to the same sites over and over. This means that the cache gets full quickly and remains full of the list query results and SharePoint objects that your users are requesting on a regular basis.

-Since you shouldn't rely on caching in SharePoint Online, you should evaluate alternative design approaches for SharePoint customizations that use the object cache. This means using approaches for performance issues which do not rely on the object caching in order to produce good results for users. This is described in some of the other articles in this series and include:

-

-Microsoft Managed Desktop provides a curated device list, [standard device settings](device-policies.md), applications requirements, and certain [configurable settings](../working-with-managed-desktop/config-setting-overview.md), all designed to provide a secure, productive, and pleasant experience for users. ItΓÇÖs best to always stay with the service as provided. However, we recognize that some details of the service might not fit exactly with your organizationΓÇÖs needs. If you feel you need to alter the service in some way, itΓÇÖs important that you follow the following processes to request those changes.

-

-|Type |Description |

-|||

-|Productivity software | Foreground software needed by users, restricted by the [application requirements](mmd-app-requirements.md) |

-|Security agents & VPNs | Software used to secure, monitor, or change the behavior of the device or network |

-|Digital experience monitoring | Software used to track data on a userΓÇÖs device to report to IT |

-|Hardware or software drivers | Device drivers, restricted by the [application requirements](mmd-app-requirements.md) |

-|Policies | Windows 10 or Microsoft 365 Apps for enterprise settings on a managed device |

-|Devices | Devices that are not on the Microsoft Managed Desktop [device list](device-list.md) |

-|Other | Anything not covered by the other areas |

-

-

-2. Restricted productivity software required by a user to do their job will likely be approved.

-3. If we can meet your requirement by using Microsoft technology, weΓÇÖll likely approve your request for an exception migration period of three to 12 months (depending on the scope of the project).

-4. If we canΓÇÖt meet your requirement by using Microsoft technology, weΓÇÖll likely approve your request unless it violates one of the [Key conditions](#key-conditions).

-These principles ensure that Microsoft Managed Desktop can always meet your needs while tracking deviations from our standard template.

-These conditions could change in the future. If we do make such changes, weΓÇÖll provide 30 days notice prior to those conditions coming into effect. If Microsoft Managed Desktop delivers an alternative way to meet an approved exception, Microsoft Managed Desktop will notify the customer should Microsoft Managed Desktop alter the way in supporting the exception.

-After a requested exception is approved and deployed, itΓÇÖs possible that we might discover problems that violate the key conditions that werenΓÇÖt evident when we approved the change in the first place. In this situation, we might have to revoke approval for the exception.

-

-If this happens, weΓÇÖll notify you by using the Microsoft Managed Desktop admin portal. From the first time we notify you, you have 90 days to remove the exception before the devices with the exception are no longer bound by Microsoft Managed Desktop service level agreements. We'll send you several notifications according to a strict timeline--however, a severe incident or threat might require us to change the timeline or our decisions about an exception. We won't *remove* an exception without your consent, but any device with a revoked exception will no longer be bound by our service level agreement. Here is the timeline of notifications we will send you:

-| **Service Metrics Report** (*in preview*) | This report provides straightforward summaries of key metrics for Microsoft Managed Desktop month over month. |

-2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the golden/master image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.

-keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, Microsoft Defender Antivirus, antimalware, security, defender

-description: Enable and configure Microsoft Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning

-keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics

-In addition to standard on-premises or hardware configurations, you can also use Microsoft Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.

-| [Configure Next-generation protection (NGP)](configure-microsoft-defender-antivirus-features.md) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:<br> <br>-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.<br> <br> - Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").<br><br> - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research. |

-| [Next-generation protection (NGP)](microsoft-defender-antivirus-windows.md) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:<br> <br>-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.<br> <br> - Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").<br><br> - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research. |

-|Next-generation protection (NGP)|Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes: <ul><li>Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.</li><li>Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").</li><li>Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.</li></ul> <p> [Learn more](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).|3|

-The CSP support string with approved USB printers via 'ApprovedUsbPrintDevices' property, example `<enabled><data id="ApprovedUsbPrintDevices_List" value="03F0/0853,0351/0872">`:

-> Because this alert is based on machine-learning models that require additional backend processing, it might take some time before you see this alert in the portal.

- Microsoft's next-gen protection product stopped all public and targeted attacks. Microsoft Defender Antivirus achieved such good results with it's ability to block malicious URLs, handle exploits, and correctly classify legitimate applications and websites.

-|Microsoft Defender for Office 365 Plan 1|Microsoft Defender for Office 365 Plan 2|

-|Configuration, protection, and detection capabilities: <ul><li>[Safe Attachments](safe-attachments.md)</li><li>[Safe Links](safe-links.md)</li><li>[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md)</li><li>[Anti-phishing in Defender for Office 365 protection](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>[Real-time detections](threat-explorer.md)</li></ul>|Microsoft Defender for Office 365 Plan 1 capabilities <br> plus <br> Automation, investigation, remediation, and education capabilities:<ul><li>[Threat Trackers](threat-trackers.md)</li><li>[Threat Explorer](threat-explorer.md)</li><li>[Automated investigation and response](office-365-air.md)</li><li>[Attack simulation training](attack-simulation-training.md)</li><li>[Campaign Views](campaigns.md)</li></ul>|

-|

-**Applies to:** Word, Excel, and PowerPoint for Microsoft 365, Windows 10

-Enterprise

-* **Windows 10**: Windows 10 Enterprise edition, Client Build version 2004 (20H1) build 19041 or later

-* **Office**: Office Current Channel and Monthly Enterprise Channel, Build version 2011 16.0.13530.10000 or later. Both 32-bit and 64-bit versions of Office are supported.

-|Configuration, protection, and detection capabilities: <ul><li>[Safe Attachments](safe-attachments.md)</li><li>[Safe Links](safe-links.md)</li><li>[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md)</li><li>[Anti-phishing protection in Defender for Office 365](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>[Real-time detections](threat-explorer.md)</li></ul>|Defender for Office 365 Plan 1 capabilities <p> plus <p> Automation, investigation, remediation, and education capabilities: <ul><li>[Threat Trackers](threat-trackers.md)</li><li>[Threat Explorer](threat-explorer.md)</li><li>[Automated investigation and response](office-365-air.md)</li><li>[Attack simulation training](attack-simulation-training.md)</li></ul>|

-|

-It's important to note that guests can be given access to teams or groups, or to individual files and folders. When given access to files and folders, guests may not be added to any particular group. If you want to do access reviews on guests who don't belong to a team or group, you can create a dynamic group in Azure AD to contain all guests and then create an access review for that group. Site owners can also manage [guest expiration for the site](https://support.microsoft.com/office/25bee24f-42ad-4ee8-8402-4186eed74dea)

-[Create a B2B extranet with managed guests](b2b-extranet.md)

-In addition, Microsoft provides "trainable classifiers" that use machine-learning models to identify sensitive data based on the content, as opposed to simply through pattern matching or by the elements within the content. A classifier learns how to identify a type of content by looking at numerous examples of the content to be classified. Training a classifier begins by giving it examples of content in a particular category. After it learns from those examples, the model is tested by giving it a mix of matching and non-matching examples. The classifier predicts whether a given example falls into the category or not. A person then confirms the results, sorting the positives, negatives, false positives, and false negatives to help increase the accuracy of the classifier's predictions. When the trained classifier is published, it processes content in Microsoft SharePoint Online, Exchange Online, and OneDrive for Business and automatically classifies the content.

-Security services from Microsoft 365 are powered by the Intelligent Security Graph. To combat cyberthreats, the Intelligent Security Graph uses advanced analytics to link threat intelligence and security signals from Microsoft and its partners. Microsoft operates global services at a massive scale, gathering trillions of security signals that power protection layers across the stack. Machine-learning models assess this intelligence, and the signal and threat insights are widely shared across our products and services. This enables us to detect and respond to threats quickly and bring actionable alerts and information to customers for remediation. Our machine learning models are continuously trained and updated with new insights, helping us build more-secure products and provide more proactive security.

-Financial institutions manage vast amounts of data. And some retention periods are triggered by events, such as a contract expiring or an employee leaving the organization. In this atmosphere, it can be challenging to apply record retention policies. Approaches to assigning record retention periods accurately across organizational documents can vary. Some apply retention policies broadly or leverage autoclassification and machine-learning techniques. Others identify an approach that requires a more granular process that assigns retention periods uniquely to individual documents.

-Microsoft 365 recently launched an insider risk management solution that correlates signals across Microsoft 365 services and uses machine-learning models to analyze user behavior for hidden patterns and signs of insider risk. This tool enables collaboration between security operations, internal investigators, and HR so that they can easily remediate cases based on predetermined workflows.