Updates from: 02/21/2024 06:17:14
Category Microsoft Docs article Related commit history on GitHub Change details
commerce Allowselfservicepurchase Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/allowselfservicepurchase-powershell.md
The following table lists the available products and their **ProductId**. It als
| Product | ProductId | Is trial without payment method enabled? | |--|--|--|
-| Cllipchamp Premium | CFQ7TTC0N8SS | No |
+| Clipchamp Premium | CFQ7TTC0N8SS | No |
| Power Apps per user* | CFQ7TTC0LH2H | No | | Power Automate per user* | CFQ7TTC0LH3L | No | | Power Automate RPA* | CFQ7TTC0LSGZ | No |
The following table lists the available products and their **ProductId**. It als
| Power BI Pro* | CFQ7TTC0H9MP | No | | Project Plan 1* | CFQ7TTC0HDB1 | Yes | | Project Plan 3* | CFQ7TTC0HDB0 | No |
-| Python in Excel | CFQ7TTC0S3X1 | Yes |
| Teams Exploratory | CFQ7TTC0J1FV | Yes | | Teams Premium Introductory Pricing | CFQ7TTC0RM8K | Yes | | Visio Plan 1* | CFQ7TTC0HD33 | Yes |
enterprise Block User Accounts With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/block-user-accounts-with-microsoft-365-powershell.md
Title: "Block Microsoft 365 user accounts with PowerShell"
Previously updated : 07/16/2020 Last updated : 02/14/2024 audience: Admin
search.appverid:
- scotvorg - Ent_O365
+- must-keep
f1.keywords: - CSH
- PowerShell - seo-marvel-apr2020 - has-azure-ad-ps-ref
+ - azure-ad-ref-level-one-done
ms.assetid: 04e58c2a-400b-496a-acd4-8ec5d37236dc description: How to use PowerShell to block and unblock access to Microsoft 365 accounts.
description: How to use PowerShell to block and unblock access to Microsoft 365
When you block access to a Microsoft 365 account, you prevent anyone from using the account to sign in and access the services and data in your Microsoft 365 organization. You can use PowerShell to block access to individual or multiple user accounts.
-## Use the Azure Active Directory PowerShell for Graph module
+## Block access to individual user accounts
-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module).
+>[!NOTE]
+> The Azure Active Directory module is being replaced by the Microsoft Graph PowerShell SDK. You can use the Microsoft Graph PowerShell SDK to access all Microsoft Graph APIs. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started).
-### Block access to individual user accounts
+First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md).
+
+Blocking and unblocking user accounts requires the **User.ReadWrite.All** permission scope or one of the other permissions listed in the ['List subscribedSkus' Graph API reference page](/graph/api/subscribedsku-list).
+
+```powershell
+Connect-Graph -Scopes User.ReadWrite.All
+```
Use the following syntax to block an individual user account: ```powershell
-Set-AzureADUser -ObjectID <sign-in name of the user account> -AccountEnabled $false
+$params = @{
+ accountEnabled = $false
+}
+Update-MgUser -UserId <sign-in name of the user account> -BodyParameter $params
``` > [!NOTE]
-> The *-ObjectID* parameter in the **Set-AzureAD** cmdlet accepts either the account sign-in name, also known as the User Principal Name, or the account's object ID.
+> The *-UserId* parameter in the **Update-MgUser** cmdlet accepts either the account sign-in name, also known as the User Principal Name, or the account's object ID.
This example blocks access to the user account *fabricec@litwareinc.com*. ```powershell
-Set-AzureADUser -ObjectID fabricec@litwareinc.com -AccountEnabled $false
+$params = @{
+ accountEnabled = $false
+}
+Update-MgUser -UserId "fabricec@litwareinc.com" -BodyParameter $params
``` To unblock this user account, run the following command: ```powershell
-Set-AzureADUser -ObjectID fabricec@litwareinc.com -AccountEnabled $true
+$params = @{
+ accountEnabled = $true
+}
+Update-MgUser -UserId "fabricec@litwareinc.com" -BodyParameter $params
``` To display the user account UPN based on the user's display name, use the following commands: ```powershell $userName="<display name>"
-Write-Host (Get-AzureADUser | where {$_.DisplayName -eq $userName}).UserPrincipalName
+Write-Host (Get-MgUser -All | where {$_.DisplayName -eq $userName}).UserPrincipalName
```
This example displays the user account UPN for the user *Caleb Sills*.
```powershell $userName="Caleb Sills"
-Write-Host (Get-AzureADUser | where {$_.DisplayName -eq $userName}).UserPrincipalName
+Write-Host (Get-MgUser -All | where {$_.DisplayName -eq $userName}).UserPrincipalName
``` To block an account based on the user's display name, use the following commands: ```powershell $userName="<display name>"
-Set-AzureADUser -ObjectID (Get-AzureADUser | where {$_.DisplayName -eq $userName}).UserPrincipalName -AccountEnabled $false
-
+$user = Get-MgUser -Filter "displayName eq '$userName'"
+$params = @{
+ accountEnabled = $false
+}
+Update-MgUser -UserId $user.Id -BodyParameter $params
``` To check the blocked status of a user account use the following command: ```powershell
-Get-AzureADUser -ObjectID <UPN of user account> | Select DisplayName,AccountEnabled
+Get-MgUser -ObjectID <UPN of user account> -Property "displayName,accountEnabled" | Select displayName, accountEnabled
``` ### Block multiple user accounts
In the following commands, the example text file is *C:\My Documents\Accounts.tx
To block access to the accounts listed in the text file, run the following command: ```powershell
-Get-Content "C:\My Documents\Accounts.txt" | ForEach {Set-AzureADUser -ObjectID $_ -AccountEnabled $false}
+$params = @{
+ accountEnabled = $false
+}
+Get-Content "C:\My Documents\Accounts.txt" | ForEach {Update-MgUser -UserId $_ -BodyParameter $params}
``` To unblock the accounts that are listed in the text file, run the following command: ```powershell
-Get-Content "C:\My Documents\Accounts.txt" | ForEach {Set-AzureADUser -ObjectID $_ -AccountEnabled $true}
-```
-
-## Use the Microsoft Azure Active Directory module for Windows PowerShell
-
-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell).
-
-### Block individual user accounts
-
-Use the following syntax to block access for an individual user account:
-
-```powershell
-Set-MsolUser -UserPrincipalName <sign-in name of user account> -BlockCredential $true
-```
-
->[!Note]
->PowerShell Core doesn't support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets that have *Msol* in their name. You have to run these cmdlets from Windows PowerShell.
-
-This example blocks access to the user account *fabricec\@litwareinc.com*.
-
-```powershell
-Set-MsolUser -UserPrincipalName fabricec@litwareinc.com -BlockCredential $true
-```
-
-To unblock the user account, run the following command:
-
-```powershell
-Set-MsolUser -UserPrincipalName <sign-in name of user account> -BlockCredential $false
+$params = @{
+ accountEnabled = $true
+}
+Get-Content "C:\My Documents\Accounts.txt" | ForEach {Update-MgUser -UserId $_ -BodyParameter $params}
```
-To check the blocked status of a user account run the following command:
-
-```powershell
-Get-MsolUser -UserPrincipalName <sign-in name of user account> | Select DisplayName,BlockCredential
-```
-
-### Block access for multiple user accounts
-
-First, create a text file that contains one account on each line like this:
-
-```powershell
-akol@contoso.com
-tjohnston@contoso.com
-kakers@contoso.com
-```
-
-In the following commands, the example text file is *C:\My Documents\Accounts.txt*. Replace this file name with the path and file name of your text file.
-
-To block access for the accounts that are listed in the text file, run the following command:
-
- ```powershell
- Get-Content "C:\My Documents\Accounts.txt" | ForEach { Set-MsolUser -UserPrincipalName $_ -BlockCredential $true }
- ```
-To unblock the accounts listed in the text file, run the following command:
-
- ```powershell
- Get-Content "C:\My Documents\Accounts.txt" | ForEach { Set-MsolUser -UserPrincipalName $_ -BlockCredential $false }
- ```
- ## See also [Manage Microsoft 365 user accounts, licenses, and groups with PowerShell](manage-user-accounts-and-licenses-with-microsoft-365-powershell.md)
enterprise Delete And Restore User Accounts With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/delete-and-restore-user-accounts-with-microsoft-365-powershell.md
Title: "Delete Microsoft 365 user accounts with PowerShell"
Previously updated : 09/23/2020 Last updated : 02/12/2024 audience: Admin
search.appverid:
- scotvorg - Ent_O365
+- must-keep
f1.keywords: - CSH
- O365ITProTrain - seo-marvel-apr2020 - has-azure-ad-ps-ref
+ - azure-ad-ref-level-one-done
ms.assetid: 209c9868-448c-49bc-baae-11e28b923a39 description: Learn how to use different modules in PowerShell to delete Microsoft 365 user accounts.
You can use PowerShell for Microsoft 365 to delete and restore user accounts.
>Learn how to [restore a user account](../admin/add-users/restore-user.md) by using the Microsoft 365 admin center. > >For a list of additional resources, see [Manage users and groups](/admin).
->
-
-## Use the Azure Active Directory PowerShell for Graph module
+>
-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module).
+## Use Microsoft Graph PowerShell to delete a user account
-After you connect, use the following syntax to remove an individual user account:
-
-```powershell
-Remove-AzureADUser -ObjectID <sign-in name>
-```
+> [!NOTE]
+> The Azure Active Directory (AzureAD) PowerShell module is being deprecated and replaced by the Microsoft Graph PowerShell SDK. You can use the Microsoft Graph PowerShell SDK to access all Microsoft Graph APIs. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started).
+>
+> Also see [Install the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation) and [Upgrade from Azure AD PowerShell to Microsoft Graph PowerShell](/powershell/microsoftgraph/migration-steps) for information on how to install and upgrade to Microsoft Graph PowerShell, respectively.
+>
+> For information about how to use different methods to authenticate ```Connect-Graph``` in an unattended script, see the article [Authentication module cmdlets in Microsoft Graph PowerShell](/powershell/microsoftgraph/authentication-commands).
+
+Deleting a user account requires the User.ReadWrite.All permission scope, which is listed in the ['Assign license' Microsoft Graph API reference page](/graph/api/user-assignlicense).
+
+The User.Read.All permission scope is required to read the user account details in the tenant.
+
+First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md).
-This example removes the user account *fabricec\@litwareinc.com*.
-
```powershell
-Remove-AzureADUser -ObjectID fabricec@litwareinc.com
+# Connect to your tenant
+Connect-MgGraph -Scopes User.Read.All, User.ReadWrite.All
```
-> [!NOTE]
-> The *-ObjectID* parameter in the **Remove-AzureADUser** cmdlet accepts either the account's sign-in name, also known as the User Principal Name or the account's object ID.
-
-To display the account name based on the user's name, use the following commands:
+After you connect, use the following syntax to remove an individual user account:
```powershell
-$userName="<User name>"
-Write-Host (Get-AzureADUser | where {$_.DisplayName -eq $userName}).UserPrincipalName
+$userName="<display name>"
+# Get the user
+$userId = (Get-MgUser -Filter "displayName eq '$userName'").Id
+# Remove the user
+Remove-MgUser -UserId $userId -Confirm:$false
```
-This example displays the account name for the user *Caleb Sills*.
-
+This example removes the user account *Caleb Sills*.
+ ```powershell $userName="Caleb Sills"
-Write-Host (Get-AzureADUser | where {$_.DisplayName -eq $userName}).UserPrincipalName
+$userId = (Get-MgUser -Filter "displayName eq '$userName'").Id
+Remove-MgUser -UserId $userId -Confirm:$false
```
-To remove an account based on the user's display name, use the following commands:
-
-```powershell
-$userName="<display name>"
-Remove-AzureADUser -ObjectID (Get-AzureADUser | where {$_.DisplayName -eq $userName}).UserPrincipalName
-```
+## Restore a user account
-## Use the Microsoft Azure Active Directory module for Windows PowerShell
+To a restore a user account using Microsoft Graph PowerShell, first [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md).
-When you delete a user account through the Microsoft Azure Active Directory module for Windows PowerShell, the account isn't permanently deleted. You can restore the deleted user account within 30 days.
+To restore a deleted user account, the permission scope *Directory.ReadWrite.All* is required. Connect to the tenant with this permision scope:
-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell).
+```powershell
+# Connect to your tenant
+Connect-MgGraph -Scopes Directory.ReadWrite.All
+```
+
+Deleted user accounts no longer exist except as objects in the directory, so you can't search for the user account to restore. Instead, use the following PowerShell script to search the directory for deleted objects of the type *microsoft.graph.user*:
-To delete a user account, use the following syntax:
-
```powershell
-Remove-MsolUser -UserPrincipalName <sign-in name>
+$DeletedUsers = Get-MgDirectoryDeletedItem -DirectoryObjectId microsoft.graph.user -Property '*'
+$DeletedUsers = $DeletedUsers.AdditionalProperties['value']
+foreach ($deletedUser in $DeletedUsers)
+{
+ $deletedUser | Format-Table
+}
```
->[!Note]
->PowerShell Core doesn't support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets with *Msol* in their name. Run these cmdlets from Windows PowerShell.
->
+The output of this script, assuming any deleted user objects exist in the directory, will look like this:
-This example deletes the user account *BelindaN@litwareinc.com*.
-
```powershell
-Remove-MsolUser -UserPrincipalName belindan@litwareinc.com
+Key Value
+ --
+businessPhones {}
+displayName Caleb Sills
+givenName Caleb
+mail CalebS@litware.com
+surname Sills
+userPrincipalName cdea706c3fdc4bbd95925d92d9f71eb8CalebS@litware.com
+id cdea706c-3fdc-4bbd-9592-5d92d9f71eb8
```
-To restore a deleted user account within the 30-day grace period, use the following syntax:
-
+Use the following syntax to restore an individual user account:
+ ```powershell
-Restore-MsolUser -UserPrincipalName <sign-in name>
+# Input user account ID
+$userId = "<id>"
+# Restore the user
+Restore-MgDirectoryDeletedItem -DirectoryObjectId $userId
```
-This example restores the deleted account *BelindaN\@litwareinc.com*.
-
+This example restores the user account *calebs\@litwareinc.com* using the value for ```$userID``` from the output of the above script.
+ ```powershell
-Restore-MsolUser -UserPrincipalName BelindaN@litwareinc.com
+$userId = "cdea706c-3fdc-4bbd-9592-5d92d9f71eb8"
+Restore-MgDirectoryDeletedItem -DirectoryObjectId $userId
```
->[!Note]
-> To see the list of deleted users that can be restored, run the following command:
->
-> ```powershell
-> Get-MsolUser -All -ReturnDeletedUsers
-> ```
->
-> If the user account's original user principal name is used by another account, use the _NewUserPrincipalName_ parameter instead of _UserPrincipalName_ to specify a different user principal name when you restore the user account.
+The output of this command looks like this:
+```powershell
+Id DeletedDateTime
+--
+cdea706c-3fdc-4bbd-9592-5d92d9f71eb8
+```
## See also
enterprise Manage Microsoft 365 Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-microsoft-365-groups.md
Title: "Manage Microsoft 365 groups"
Previously updated : 09/25/2020 Last updated : 02/20/2024 audience: Admin
- scotvorg - Ent_O365 - M365-subscription-management
+- must-keep
search.appverid: - MET150 - MOE150
description: "Learn about how to manage Microsoft 365 groups."
*This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.*
-You can manage Microsoft 365 groups in several different ways, depending on your configuration. You can manage user accounts in the [Microsoft 365 admin center](/admin), PowerShell, in Active Directory Domain Services (AD DS), or in the [Microsoft Entra admin center](/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal).
+You can manage Microsoft 365 groups in several different ways, depending on your configuration. You can manage user accounts in the [Microsoft 365 admin center](/admin), PowerShell, in Active Directory Domain Services (AD DS), or in the [Microsoft Entra admin center](/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal).
-## Plan for where and how you will manage your groups
+## Plan for where and how you'll manage your groups
Where and how you can manage your user accounts depends on the identity model you want to use for your Microsoft 365. The two overall models are cloud-only and hybrid.
Where and how you can manage your user accounts depends on the identity model yo
You create and manage groups with: - [The Microsoft 365 admin center](/admin)-- [PowerShell](maintain-group-membership-with-microsoft-365-powershell.md)
+- PowerShell
+ - [Manage Microsoft 365 groups with PowerShell](manage-microsoft-365-groups-with-powershell.md)
+ - [Maintain security group membership with PowerShell](maintain-group-membership-with-microsoft-365-powershell.md)
- [Microsoft Entra admin center](/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal)
-
-### Hybrid
-AD DS groups are synchronized with Microsoft 365 from AD DS, so you must use on-premises AD DS tools to manage these groups.
+### Hybrid
-You can also create and manage Microsoft Entra groups that are separate from AD DS groups but can contain users and groups from AD DS. In this case, you can use:
+To manage hybrid groups, you can use the same tools you use for cloud-only groups. AD DS groups are synchronized with Microsoft 365 from AD DS, so you must use on-premises AD DS tools to manage these groups.
-- [The Microsoft 365 admin center](/admin)-- [PowerShell](maintain-group-membership-with-microsoft-365-powershell.md)-- [Microsoft Entra admin center](/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal)
+You can also create and manage Microsoft Entra groups that are separate from AD DS groups but can contain users and groups from AD DS.
## Allow users to create and manage their own groups
-Microsoft Entra ID allows groups that can be managed by group owners instead of IT administrators. Known as *self-service group management*, this feature allows group owners who are not assigned an administrative role to create and manage security groups.
+Microsoft Entra ID allows groups that can be managed by group owners instead of IT administrators. Known as *self-service group management*, this feature allows group owners who aren't assigned an administrative role to create and manage security groups.
Users can request membership in a security group and that request goes to the group owner, rather than an IT administrator. This allows the day-to-day control of group membership to be delegated to team, project, or business owners who understand the business use for the group and can manage its membership. >[!Note] >Self-service group management is available only for Microsoft Entra security and Microsoft 365 groups. It is not available for mail-enabled groups, distribution lists, or any group that has been synchronized from AD DS.
->
For more information, see the [instructions to configure a Microsoft Entra group for self-service management](/azure/active-directory/active-directory-accessmanagement-self-service-group-management).
Here's how the rules are applied:
- If a new user account matches all the rules for the group, it becomes a member. - If a user account isn't a member of the group, but its attributes change so that it matches all the rules for the group, it becomes a member of that group. - If a user account doesn't match all the rules for the group, it isn't added to the group.-- If a user account is a member of the group, but its attributes change so that it no longer matches all the rules for the group, it is removed as a member of the group.
+- If a user account is a member of the group, but its attributes change so that it no longer matches all the rules for the group, it's removed as a member of the group.
To use dynamic membership, you must first determine the sets of groups that have a common set of user account attributes. For example, all members of the Sales department should be in the Sales Microsoft Entra group, based on the user account attribute Department set to "Sales".
Make sure you have enough licenses for all the group members. If you run out of
>[!Note] >You should not configure group-based licensing for groups that contain Azure business to business (B2B) accounts.
->
For more information, see [Group-based licensing basics in Microsoft Entra ID](/azure/active-directory/active-directory-licensing-whatis-azure-portal).
enterprise Manage Security Groups With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-security-groups-with-microsoft-365-powershell.md
Title: "Manage security groups with PowerShell"
Previously updated : 08/10/2020 Last updated : 02/14/2024 audience: Admin
search.appverid:
- scotvorg - Ent_O365
+- must-keep
f1.keywords: - CSH
- Ent_Office_Other - O365ITProTrain - has-azure-ad-ps-ref
+ - azure-ad-ref-level-one-done
description: "Learn how to use PowerShell to manage security groups."
When a command block in this article requires that you specify variable values,
See [Maintain security group membership](maintain-group-membership-with-microsoft-365-powershell.md) to manage group membership with PowerShell.
-## Use the Azure Active Directory PowerShell for Graph module
+## Manage security groups using Microsoft Graph PowerShell
-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module).
+>[!NOTE]
+> The Azure Active Directory module is being replaced by the Microsoft Graph PowerShell SDK. You can use the Microsoft Graph PowerShell SDK to access all Microsoft Graph APIs. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started).
+
+First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md).
+
+Managing security groups requires the **Group.ReadWrite.All** permission scope or one of the other permissions listed in the ['List subscribedSkus' Graph API reference page](/graph/api/subscribedsku-list). Some commands in this article may require different permission scopes, in which case this will be noted in the relevant section.
+
+```powershell
+Connect-Graph -Scopes Group.ReadWrite.All
+```
### List your groups Use this command to list all of your groups. ```powershell
-Get-AzureADGroup
+Get-MgGroup -All
```+ Use these commands to display the settings of a specific group by its display name. ```powershell $groupName="<display name of the group>"
-Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }
+Get-MgGroup -All | Where-Object { $_.DisplayName -eq $groupName }
``` ### Create a new group
Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }
Use this command to create a new security group. ```powershell
-New-AzureADGroup -Description "<group purpose>" -DisplayName "<name>" -MailEnabled $false -SecurityEnabled $true -MailNickName "<email name>"
+Connect-MgGraph -Scopes "Group.Create"
+New-MgGroup -Description "<group purpose>" -DisplayName "<name>" -MailEnabled:$false -SecurityEnabled -MailNickname "<email name>"
```
-### Change the settings on a group
+### Display the settings of a group
Display the settings of the group with these commands. ```powershell $groupName="<display name of the group>"
-Get-AzureADGroup | Where { $_.DisplayName -eq $groupName } | Select *
+Get-MgGroup -All | Where-Object { $_.DisplayName -eq $groupName } | Select-Object *
```
-Then, use the [Set-AzureADGroup](/powershell/module/azuread/set-azureadgroup) article to determine how to change a setting.
- ### Remove a security group Use these commands to remove a security group. ```powershell $groupName="<display name of the group>"
-Remove-AzureADGroup -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId
+$group = Get-MgGroup -Filter "displayName eq '$groupName'"
+Remove-MgGroup -GroupId $group.Id
``` ### Manage the owners of a security group
Use these commands to display the current owners of a security group.
```powershell $groupName="<display name of the group>"
-Get-AzureADGroupOwner -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId
+
+# Connect to Microsoft Graph
+Connect-MgGraph -Scopes "GroupMember.Read.All"
+
+# Display group owners
+Get-MgGroupOwner -GroupId (Get-MgGroup | Where-Object { $_.DisplayName -eq $groupName }).Id
```+ Use these commands to add a user account by its **user principal name (UPN)** to the current owners of a security group. ```powershell $userUPN="<UPN of the user account to add>" $groupName="<display name of the group>"
-Add-AzureADGroupOwner -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId -RefObjectId (Get-AzureADUser | Where { $_.UserPrincipalName -eq $userUPN }).ObjectId
-```
-Use these commands to add a user account by its **display name** to the current owners of a security group.
-```powershell
-$userName="<Display name of the user account to add>"
-$groupName="<display name of the group>"
-Add-AzureADGroupOwner -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId -RefObjectId (Get-AzureADUser | Where { $_.DisplayName -eq $userName }).ObjectId
-```
-Use these commands to remove a user account by its **UPN** to the current owners of a security group.
+# Connect to Microsoft Graph
+Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.ReadBasic.All"
-```powershell
-$userUPN="<UPN of the user account to remove>"
-$groupName="<display name of the group>"
-Remove-AzureADGroupOwner -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId -OwnerId (Get-AzureADUser | Where { $_.UserPrincipalName -eq $userUPN }).ObjectId
+# Get the group and user
+$group = Get-MgGroup -Filter "displayName eq '$groupName'"
+$userId = (Get-MgUser -Filter "userPrincipalName eq '$userUPN'").Id
+
+# Add the user as an owner to the group
+$newGroupOwner =@{
+ "@odata.id"= "https://graph.microsoft.com/v1.0/users/$userId"
+ }
+
+New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter $newGroupOwner
```
-Use these commands to remove a user account by its **display name** to the current owners of a security group.
+Use these commands to add a user account by its **display name** to the current owners of a security group.
```powershell
-$userName="<Display name of the user account to remove>"
+$userName="<Display name of the user account to add>"
$groupName="<display name of the group>"
-Remove-AzureADGroupOwner -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId -OwnerId (Get-AzureADUser | Where { $_.DisplayName -eq $userName }).ObjectId
-```
-
-## Use the Microsoft Azure Active Directory module for Windows PowerShell
-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell).
+# Connect to Microsoft Graph
+Connect-MgGraph -Scopes "Group.ReadWrite.All", "Directory.Read.All", "User.ReadBasic.All"
-### List your groups
+# Get the group and user
+$group = Get-MgGroup -All | Where-Object { $_.DisplayName -eq $groupName }
+$userId = (Get-MgUser -All | Where-Object { $_.DisplayName -eq $userName }).Id
-Use this command to list all of your groups.
+# Add the user as an owner to the group
+$newGroupOwner =@{
+ "@odata.id"= "https://graph.microsoft.com/v1.0/users/$userId"
+ }
-```powershell
-Get-MsolGroup
+New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter $newGroupOwner
```
-Use these commands to display the settings of a specific group by its display name.
+
+Use these commands to remove a user account by its **UPN** from the current owners of a security group.
```powershell
+$userUPN="<UPN of the user account to remove>"
$groupName="<display name of the group>"
-Get-MsolGroup | Where { $_.DisplayName -eq $groupName }
-```
-### Create a new group
+# Connect to Microsoft Graph
+Connect-MgGraph -Scopes "Group.ReadWrite.All", "Directory.ReadWrite.All"
-Use this command to create a new security group.
+# Get the group and user
+$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
+$user = Get-MgUser -Filter "userPrincipalName eq '$userUPN'" | Select-Object -First 1
-```powershell
-New-MsolGroup -Description "<group purpose>" -DisplayName "<name>"
+# Remove the user from the group
+Remove-MgGroupOwnerByRef -GroupId $group.Id -DirectoryObjectId $user.Id
```
-### Change the settings on a group
-
-Display the settings of the group with these commands.
+Use these commands to remove a user account by its **display name** from the current owners of a security group.
```powershell
+$userName="<Display name of the user account to remove>"
$groupName="<display name of the group>"
-Get-MsolGroup | Where { $_.DisplayName -eq $groupName } | Select *
-```
-
-Then, use the [Set-MsolGroup](/powershell/module/msonline/set-msolgroup) article to determine how to change a setting.
+$group = Get-MgGroup | Where-Object { $_.DisplayName -eq $groupName }
+$user = Get-MgUser | Where-Object { $_.DisplayName -eq $userName }
-### Remove a security group
-
-Use these commands to remove a security group.
-
-```powershell
-$groupName="<display name of the group>"
-Remove-MsolGroup -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId
+Remove-MgGroupOwnerByRef -GroupId $group.Id -DirectoryObjectId $user.Id
``` ## See also
enterprise Microsoft 365 Mailbox Utilization Service Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-mailbox-utilization-service-alerts.md
Title: "Mailbox utilization service alerts"
Previously updated : 1/26/2024 Last updated : 02/20/2024 audience: Admin
- scotvorg - Ent_O365 - Strat_O365_Enterprise
+- must-keep
- admindeeplinkMAC - admindeeplinkEXCHANGE
If an admin increases the Recoverable Items Quota, they should also make sure th
### MRM retention policies in your organization
-Archive retention policies can be configured in a variety of ways, depending on your organization's needs. For detailed information about retention policies, see [Retention tags and retention policies in Exchange Online](/exchange/security-and-compliance/messaging-records-management/retention-tags-and-policies). An admin can view existing retention policies by running the following command:
+Archive retention policies can be configured in various ways, depending on your organization's needs. For detailed information about retention policies, see [Retention tags and retention policies in Exchange Online](/exchange/security-and-compliance/messaging-records-management/retention-tags-and-policies). An admin can view existing retention policies by running the following command:
```powershell Get-RetentionPolicy | FL
frontline Advanced Virtual Appointments Activity Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/advanced-virtual-appointments-activity-report.md
audience: Admin-+ f1.keywords:
frontline Browser Join https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/browser-join.md
audience: ITPro-+ search.appverid: searchScope:
frontline Deploy Shifts At Scale https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/deploy-shifts-at-scale.md
Choose the Shifts capabilities that you want enabled for your frontline teams. C
In this step, you identify the schedule owners in your organization and define how schedule groups are created and managed across your frontline teams.
+ - Schedule owners, similar to team owners, are frontline managers who create and manage schedules for their teams. [Learn more about schedule owners](shifts-frontline-manager-worker-roles.md).
- Schedule groups are used to further group employees based on common characteristics within a team. For example, schedule groups can be departments or job types. You can choose to allow schedule owners to create and manage schedule groups or you can do so centrally in the Teams admin center.
frontline Hc Delegates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/hc-delegates.md
audience: ITPro-+ search.appverid: MET150 searchScope:
frontline Schedule Owner For Shift Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/schedule-owner-for-shift-management.md
- Title: Manage schedule owners for shift management------
-searchScope:
- - Microsoft Teams
- - Microsoft Cloud for Healthcare
- - Microsoft Cloud for Retail
-description: Learn how to manage shift owners for schedule management. You can set a policy to elevate the permission of a team member to a schedule owner.
-- NOCSH-
- - M365-collaboration
- - m365-frontline
- - highpri
- - microsoftcloud-healthcare
- - microsoftcloud-retail
-appliesto:
- - Microsoft Teams
- - Microsoft 365 for frontline workers
- Previously updated : 10/28/2022--
-# Schedule Owner for shift management
-
-## Overview
-
-The Schedule Owner feature lets you elevate the permissions of a team member so that they can manage schedules without making the employee a team owner. With Schedule Owner permissions, an employee can manage their teamΓÇÖs schedule without being able to modify any other team properties such as updating, editing, or deleting team channels.
-
-What can a user with schedule owner permissions do?
--- Create, edit, and publish schedules to manage their teamΓÇÖs shift assignments.-- View and approve shift requests including requests to swap shifts and take open shifts.-- Manage settings in Shifts to enable certain features for the team.-- View and modify their teamΓÇÖs timesheet to process employee payrolls.-
-## Why Schedule Owner?
-
-Without the Schedule Owner feature, day-to-day business functions could be disrupted. While the team owner helps to run the team, they might not necessarily be the person in charge of day-to-day scheduling. In this case, transferring only the schedule management responsibility to another team member streamlines daily operations within the team and eliminates the confusion of two team members having the same access privileges.
-
-## Scenario
-
-HereΓÇÖs an example of how your organization can use the Schedule Owner feature.
-
-You work in a large organization where department managers report directly to the store manager. The store manager has more authority within your company and is the team owner in Shifts. Department managers, on the other hand, are only ever added to Shifts as team members. While store managers have more seniority than department managers, it makes more sense for department managers to handle the day-to-day scheduling of their teamΓÇÖs employees.
-
-*Without Schedule Owner*, department managers must be given the exact same privileges as the team owner. Recently, department managers have been moving information around, and changing the name of channels, and it has caused complications with the store managerΓÇÖs work. The store manager wants the department managers to be able to organize their schedules, but doesn't want them to be able to change anything else on the team, outside of Shifts.
-
-*With Schedule Owner*, the department managers can be given scheduling privileges, without any other team owner privileges.
-
-## Manage schedule ownership
-
-As an admin, you use policies to control schedule management ownership in your organization. You manage these policies by using the following PowerShell cmdlets:
--- [New-CsTeamsShiftsPolicy](/powershell/module/teams/new-csteamsshiftspolicy?view=teams-ps)-- [Get-CsTeamsShiftsPolicy](/powershell/module/teams/get-csteamsshiftspolicy?view=teams-ps)-- [Set-CsTeamsShiftsPolicy](/powershell/module/teams/set-csteamsshiftspolicy?view=teams-ps)-- [Grant-CsTeamsShiftsPolicy](/powershell/module/teams/grant-csteamsshiftspolicy?view=teams-ps)-- [Remove-CsTeamsShiftsPolicy](/powershell/module/teams/remove-csteamsshiftspolicy?view=teams-ps)-
-### Example 1
-
-Here, we create a new policy named ScheduleOwnerPolicy with the Schedule Owner feature turned on.
-
-```powershell
-New-CsTeamsShiftsPolicy ΓÇôIdentity ScheduleOwnerPolicy -EnableScheduleOwnerPermissions $true -AccessType UnrestrictedAccess_TeamsApp
-```
-
-### Example 2
-
-In this example, we assign a policy named ScheduleOwnerPolicy to a user named remy@contoso.com.
-
-```powershell
-Grant-CsTeamsShiftsPolicy -Identity remy@contoso.com -PolicyName ScheduleOwnerPolicy
-```
-
-### Example 3
-
-In this example, we assign a policy named ScheduleOwnerPolicy to a group specified by its object id.
-
-```powershell
-Grant-CsTeamsShiftsPolicy -Group 83d3ca56-50e9-46fb-abd4-4f66939188f8 -PolicyName ScheduleOwnerPolicy
-```
-
-## Related articles
--- [Manage the Shifts app for your organization in Teams](/microsoftteams/expand-teams-across-your-org/shifts/manage-the-shifts-app-for-your-organization-in-teams?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json)
frontline Set Up Targeted Communications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/set-up-targeted-communications.md
Title: Set up targeted communications for your frontline
-+ audience: admin
frontline Shifts Connector Ukg Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-ukg-prerequisites.md
-+ audience: admin search.appverid: MET150
Configure the connector's redirection URL. This allows UKG Pro WFM to redirect t
Create at least one team in Teams, and add the following people and account to it: - Frontline workers as team members.-- Frontline managers as team owners and/or schedule owners. To learn more about schedule owners, see [Schedule Owner for shift management](schedule-owner-for-shift-management.md).
+- Frontline managers as team owners and/or schedule owners. To learn more about team owners and schedule owners in Shifts, see [Use roles to define your frontline managers and workers in Shifts](shifts-frontline-manager-worker-roles.md).
> [!NOTE] > When adding people to your teams, make sure you do the following:
frontline Shifts For Teams Landing Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-for-teams-landing-page.md
appliesto:
- Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 12/12/2023 Last updated : 02/20/2024 # Shifts for frontline workers
Use the following resources to help you set up and manage Shifts in your organiz
||| |:::image type="icon" source="/office/medi)** (Preview) Configure and manage Shifts settings centrally in the Teams admin center and deploy Shifts to your frontline teams at scale. | |:::image type="icon" source="/office/media/icons/administrator.png":::|**[Manage Shifts](/microsoftteams/expand-teams-across-your-org/shifts/manage-the-shifts-app-for-your-organization-in-teams?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json)** Get an overview of how to manage Shifts for your organization. Learn how to control access to Shifts, pin Shifts to the Teams app bar for easy access, enable shift-based tags, and more. |
-|:::image type="icon" source="/office/medi)** Elevate the permissions of a team member to a schedule owner without making the employee a team owner. Schedule owners can manage their team's schedules in Shifts but can't change other team properties. |
+|:::image type="icon" source="/office/medi)** Learn how to use team owner and team member roles in Teams and the schedule owner role in Shifts to define your frontline managers and workers in Shifts. |
|:::image type="icon" source="/office/media/icons/help.png":::| **[Shifts data FAQ](/microsoftteams/expand-teams-across-your-org/shifts/shifts-data-faq?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json)** Learn where Shifts data is stored and other topics related to Shifts data, including retention, retrieval, and encryption.| ## Shifts connectors
frontline Shifts Frontline Manager Worker Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-frontline-manager-worker-roles.md
+
+ Title: Use roles to define your frontline managers and workers in Shifts
++++
+audience: admin
++
+search.appverid: MET150
+searchScope:
+ - Microsoft Teams
+ - Microsoft Cloud for Healthcare
+ - Microsoft Cloud for Retail
+description: Learn how to use team owner and team member roles in Teams and the schedule owner role in Shifts to define your frontline managers and workers in Shifts.
+f1.keywords:
+- NOCSH
+ms.localizationpriority: high
+
+ - M365-collaboration
+ - m365-frontline
+ - teams-1p-app-admin
+ - highpri
+ - microsoftcloud-healthcare
+ - microsoftcloud-retail
+appliesto:
+ - Microsoft Teams
+ - Microsoft 365 for frontline workers
+ Last updated : 02/20/2024++
+# Use roles to define your frontline managers and workers in Shifts
+
+## Overview
+
+In Shifts, there are two user personas&mdash;frontline manager and frontline worker&mdash;based on users' responsibilities and activities within a team. This article explains these user personas and how to use roles in Shifts and Teams to define your frontline mangers and workers.
+
+- **Frontline managers** are responsible for the creation and overall management of their teamΓÇÖs schedule and shift requests. They're part of the frontline workforce with managerial responsibilities. A frontline manager in Shifts requires one of the following roles:
+
+ - Team owner in Teams
+ - Team member in Teams who is elevated to a schedule owner in Shifts
+
+- **Frontline workers** are employees who aren't responsible for scheduling. They view their schedules and interact with their manager or coworkers through requests in Shifts. A frontline worker in Shifts requires the team member role in Teams.
+
+## Capabilities of each role in Shifts and Teams
+
+Each role has different capabilities in Shifts and in Teams. Here's a summary of the capabilities of each role.
+
+|Capability in Shifts |Team member |Schedule owner |Team owner |
+||::|::|::|
+|Create, edit, and publish schedules to manage their team’s shifts assignments.||✔️|✔️|
+|View and manage (approve or deny) shift requests.||✔️|✔️|
+|Manage settings in Shifts for their teams.||✔️| ✔️|
+|View and modify their team’s timesheet to process employee payrolls.||✔️|✔️|
+|Manage settings in Shifts for their teams.||✔️|✔️|
+|View their schedules and their team's schedules.|✔️|✔️|✔️|
+|Create and cancel shift requests.|✔️||
+|Clock in and out of shifts.|✔️|✔️|✔️|
+|Set availability (or working preferences) in Shifts.|✔️|||
+
+|Capability in Teams* |Team member |Schedule owner |Team owner |
+||::|::|::|
+|Add or remove members and guests.|||✔️|
+|Edit or delete a team.|||✔️|
+|Archive or restore a team.|||✔️|
+|Share chat and channel files.|✔️|✔️|✔️|
+
+*Keep in mind that this table compares capabilities in Teams across the three roles. It's not a comprehensive list of capabilities for team owners and members in Teams. Learn more about [team owner and member capabilities in Teams](https://support.microsoft.com/office/team-owner-member-and-guest-capabilities-in-microsoft-teams-d03fdf5b-1a6e-48e4-8e07-b13e1350ec7b).
+
+## Example scenario
+
+HereΓÇÖs an example of how to use roles in Teams and Shifts for your frontline managers and workers.
+
+At Contoso Ltd., department managers report directly to the store manager. The store manager has more authority within the company as they oversee the hiring of department managers and store associates, help their departments on specific issues, and manage the generation of revenue within their store. Department managers, on the other hand, are responsible for managing the day-to-day operations and people within their department.
+
+Contoso set up their team roles as follows based on employees' responsibilities:
+
+- Store managers are responsible for their store's success, and only get involved in daily department management activities if necessary. For their store's team, the store manager is assigned a **team owner** role in Teams.
+
+- Department managers manage the day-to-day activities of their team in Shifts, including managing schedules and shift requests. They donΓÇÖt need team owner privileges in Teams. Department managers are assigned the **team member** role in Teams and **schedule owner** role in Shifts.
+
+- Store associates work in a specific department, and are assigned the **team member** role in Teams.
+
+## Frontline manager role assignment
+
+Determine the capabilities you want to provide your frontline managers in Shifts, based on your organization's needs.
+
+As mentioned earlier, a frontline manager in Shifts can be a team owner in Teams *or* a team member in Teams who is a schedule owner in Shifts. Team owners can manage their team in Teams. Schedule owners are team members in Teams who can manage schedules in Shifts for their team.
+
+You can elevate the permissions of a team member to a schedule owner role in Shifts so they can create schedules and manage shift requests without making that person a team owner. With schedule owner permissions, a frontline manager can manage their teamΓÇÖs schedule without being able to do things like add or remove members or delete the team.
+
+### Team owner in Teams
+
+Admins can add members to teams and assign team owners in the Teams admin center. To learn more, see [Assign team owners and members in Teams admin center](/microsoftteams/assign-roles-permissions).
+
+The person who creates a new team in Teams is the team owner by default. Team owners can make any member of their team a co-owner when they invite them to the team or at any point after they join the team. To learn more, see [Add members to a team in Teams](https://support.microsoft.com/office/add-members-to-a-team-in-microsoft-teams-aff2249d-b456-4bc3-81e7-52327b6b38e9).
+
+### Schedule owner in Shifts
+
+As an admin, you use policies to assign schedule owner roles in Shifts for your organization. Use PowerShell to create a policy and assign that policy to individual users or groups of users.
+
+1. Create a TeamsShiftsPolicy instance by using the [New-CsTeamsShiftsPolicy](/powershell/module/teams/new-csteamsshiftspolicy?view=teams-ps) PowerShell cmdlet.
+
+ Here, we create a new policy named ShiftsScheduleOwners and enable schedule owner permissions in the policy.
+
+ ```powershell
+ New-CsTeamsShiftsPolicy -Identity ShiftsScheduleOwners -EnableScheduleOwnerPermissions $true -AccessType UnrestrictedAccess_TeamsApp
+ ```
+
+1. Assign the policy to a specific user or group of users by using the [Grant-CsTeamsShiftsPolicy](/powershell/module/teams/grant-csteamsshiftspolicy?view=teams-ps) PowerShell cmdlet.
+
+ In this example, we assign the ShiftsScheduleOwners policy to a user named remy@contoso.com.
+
+ ```powershell
+ Grant-CsTeamsShiftsPolicy -Identity remy@contoso.com -PolicyName ShiftsScheduleOwners
+ ```
+
+ In this example, we assign the ShiftsScheduleOwners policy to a group specified by its object ID.
+
+ ```powershell
+ Grant-CsTeamsShiftsPolicy -Group 83d3ca56-50e9-46fb-abd4-4f66939188f8 -PolicyName ShiftsScheduleOwners
+ ```
+
+ > [!IMPORTANT]
+ > When a policy is assigned to a group, all members of that group become schedule owners across every Shifts schedule they belong to. Say, for example, adelev@contoso.com is part of the group to which we assigned the ShiftsScheduleOwners policy. This means that adelev@contoso.com is a frontline manager (with the schedule owner role) in Shifts in every team they're a member of.
+
+ Group membership can be static or dynamic. Learn more about [groups in Microsoft Entra ID](/entra/fundamentals/concept-learn-about-groups) and [how to manage Microsoft Entra groups and group membership](/entra/fundamentals/how-to-manage-groups).
+
+After you assign the policy, it can take up to 12 hours for the policy to take effect for your users. The schedule owner policy doesn't show up as one of the listed policies for a user in the Teams admin center.
+
+See also:
+
+- [Get-CsTeamsShiftsPolicy](/powershell/module/teams/get-csteamsshiftspolicy?view=teams-ps)
+- [Set-CsTeamsShiftsPolicy](/powershell/module/teams/set-csteamsshiftspolicy?view=teams-ps)
+- [Remove-CsTeamsShiftsPolicy](/powershell/module/teams/remove-csteamsshiftspolicy?view=teams-ps)
+
+## Related articles
+
+- [Shifts for frontline workers](shifts-for-teams-landing-page.md)
+- [Manage the Shifts app for your organization in Teams](/microsoftteams/expand-teams-across-your-org/shifts/manage-the-shifts-app-for-your-organization-in-teams?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json)
+- [Teams PowerShell overview](/microsoftteams/teams-powershell-overview)
frontline Sms Notifications Usage Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/sms-notifications-usage-report.md
audience: Admin-+ f1.keywords:
frontline Virtual Appointments Call Quality https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-appointments-call-quality.md
audience: Admin-+ f1.keywords:
description: Learn how to use the Call Quality Dashboard for Virtual Appointment
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 1/30/2023 Last updated : 02/20/2024 # Microsoft Teams Virtual Appointments in Call Quality Dashboard
When you access this data, you can use it to analyze high-level metrics such as
## Get started
-To begin, you'll want to get familiar with [using Call Quality Dashboard](/microsoftteams/turning-on-and-using-call-quality-dashboard). You'll need [appropriate admin credentials](/microsoftteams/turning-on-and-using-call-quality-dashboard#assign-admin-roles-for-access-to-cqd) to [sign into CQD](https://cqd.teams.microsoft.com) and begin working with your data.
+To begin, get familiar with [using Call Quality Dashboard](/microsoftteams/turning-on-and-using-call-quality-dashboard). You need [appropriate admin credentials](/microsoftteams/turning-on-and-using-call-quality-dashboard#assign-admin-roles-for-access-to-cqd) to [sign in to CQD](https://cqd.teams.microsoft.com) and begin working with your data.
-You can also access CQD from Teams Admin Center:
-1. From the menu bar, select **Analysis & Reports**.
-1. Then, choose **Call Quality Dashboard**.
+You can also access CQD from the Teams admin center:
+1. In the left navigation of the [Teams admin center](https://admin.teams.microsoft.com/), select **Analysis & Reports**.
+1. Then, choose **Call quality dashboard**.
-One you've logged into CQD, you can begin to analyze data from the existing dashboards. You can find these in the dropdown menu at the top of the page. You can also use [Power BI desktop](https://apps.microsoft.com/detail/9ntxr16hnw1t#activetab=pivot:overviewtab) to create highly customizable reports. Use the [CQD Power BI template files](/microsoftteams/cqd-data-and-reports#import-the-cqd-report-templates) to get started. These template files contain many of the most frequently requested call quality metrics and charts.
+After you sign in to CQD, you can begin to analyze data from the existing dashboards. You can find these in the dropdown menu at the top of the page. You can also use [Power BI desktop](https://apps.microsoft.com/detail/9ntxr16hnw1t#activetab=pivot:overviewtab) to create highly customizable reports. Use the [CQD Power BI template files](/microsoftteams/cqd-data-and-reports#import-the-cqd-report-templates) to get started. These template files contain many of the most frequently requested call quality metrics and charts.
## Working with CQD data in Power BI
-Before you begin analyzing organizational call quality data, you'll need to [install](https://apps.microsoft.com/detail/9ntxr16hnw1t#activetab=pivot:overviewtab) and [learn to use](https://powerbi.microsoft.com/learning/) Power BI desktop. To access the CQD database through Power BI, you'll need to [download and install the Microsoft Call Quality connector](/microsoftteams/cqd-power-bi-connector). Make sure to install the connector in the appropriate Documents folder.
+Before you begin analyzing organizational call quality data, [install](https://apps.microsoft.com/detail/9ntxr16hnw1t#activetab=pivot:overviewtab) and [learn to use](https://powerbi.microsoft.com/learning/) Power BI desktop. To access the CQD database through Power BI, [download and install the Microsoft Call Quality connector](/microsoftteams/cqd-power-bi-connector). Make sure to install the connector in the appropriate Documents folder.
-Once you've installed the connector, you'll be able to access your CQD data in Power BI.
+After you install the connector, you can access your CQD data in Power BI.
[![Example screenshot of CQD data in Power BI.](media/call-quality-dashboard.png)](media/call-quality-dashboard-big.png) > [!TIP] > You can get a head start by using the [CQD Power BI template files](/microsoftteams/cqd-data-and-reports#import-the-cqd-report-templates). The template files are already connected to the CQD data source. You still need to have the connector installed to use the template files. - ### Start a report from scratch If you choose not to use the template files, you can create a Power BI report from scratch.
If you choose not to use the template files, you can create a Power BI report fr
You can analyze Teams data in several different ways. -- **[Teams Admin Center](https://admin.teams.microsoft.com/):** You can find a pre-made and easy to read set of reports and insights inside Teams Admin Center. However, you can't extensively customize these reports.
+- **[Teams admin center](https://admin.teams.microsoft.com/):** You can find a pre-made and easy-to-read set of reports and insights in the Teams admin center. However, you can't extensively customize these reports.
- **[Call Quality Dashboard](https://cqd.teams.microsoft.com/):** Here you can filter and customize reports that provide quick answers to many frequently asked questions.-- **[Call Quality connector for Power BI](/microsoftteams/cqd-power-bi-query-templates):** Using Power BI gives you the most customizable options for creating reports. Here you can use CQD data to understand user behavior, see usage patterns, and resolve individual call issues. You can use Power BI to supplement the aforementioned dashboards with answers that aren't available in the pre-made reports.
+- **[Call Quality connector for Power BI](/microsoftteams/cqd-power-bi-query-templates):** Using Power BI gives you the most customizable options for creating reports. Here you can use CQD data to understand user behavior, see usage patterns, and resolve individual call issues. You can use Power BI to supplement the dashboards with answers that aren't available in the pre-made reports.
-## Virtual appointments data
+## Virtual Appointments data
You can also use CQD to gather and analyze data specific to Virtual Appointments.
-### Differentiate EHR and Bookings appointments
+### Differentiate Electronic Health Record (EHR) and Bookings appointments
You can view the point of origin of a scheduled call by using the **Scheduling Source App ID** column. You can find this in the **Fields** list. Then drag and drop the slicer onto the canvas.
Bookings appointments have the ID 0eaa6b95-4a35-4a5d-9919-e4fc61fb4bdb.
> [!NOTE] > Scheduling Source App ID isn't one of the default slicers in the PBIT templates.-
frontline Virtual Appointments Usage Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-appointments-usage-report.md
audience: Admin-+ f1.keywords:
appliesto:
- Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 02/01/2023 Last updated : 02/20/2024 # Microsoft Teams Virtual Appointments usage report
The Virtual Appointments usage report in the Microsoft Teams admin center gives
To view the report, you must be a Global admin, Teams admin, Global reader, or Report reader.
-The report contains the following tabs. The information youΓÇÖll see in the report depends on the license you have.
+The report contains the following tabs. The information you see in the report depends on the license you have.
|Tab |Description | |||
Here's what you'll see on each tab of the report.
### Virtual Appointments
-The graphs you'll see here depend on the license you have.
+The graphs you see here depend on the license you have.
:::image type="content" source="media/virtual-appts-report.png" alt-text="Screenshot of the Virtual Appointments tab of the Virtual Appointments usage report showing numbered callouts." lightbox="media/virtual-appts-report.png":::
security Device Control Deploy Manage Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-deploy-manage-intune.md
In the **Add Row** pane, specify the following settings:
- In the **OMA-URI** field, type `/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b[PolicyRule Id]%7d/RuleData`. - In the **Data Type** field, select **String (XML file)**, and use **Custom XML**.
-You can use parameters to set conditions for specific entries. Here's a [group example XML file for Allow Read access for each removable storage](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Allow%20Read.xml).
+You can use parameters to set conditions for specific entries. Here's a [group example XML file for Allow Read access for each removable storage](https://github.com/microsoft/mdatp-devicecontrol/blob/main/windows/device/Intune%20OMA-URI/Allow%20Read.xml).
> [!NOTE] > Comments using XML comment notation <!-- COMMENT --> can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
security Communicate Defender Experts Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/communicate-defender-experts-xdr.md
Title: Communicating with Microsoft Defender Experts description: Defender Experts for XDR has multiple channels to discuss incidents, managed response, and service support
-keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, Managed response in Teams, real-time visibility with XDR experts, ask defender experts
+keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, Managed response in Teams, real-time visibility with XDR experts, ask defender experts, in-portal chat in teams
ms.mktglfcycl: deploy
- essentials-manage search.appverid: met150 Previously updated : 02/08/2024 Last updated : 02/20/2024 # Communicating with experts in the Microsoft Defender Experts for XDR service
When an incident requires your attention, such as the incidents our experts issu
The **Chat** tab within the Microsoft Defender XDR portal provides you with a space to engage with our experts and further understand the incident, our investigation, and the required actions we provided. You could ask about a malicious executable, malicious attachment, information about activity groups, advanced hunting queries, or any other information that would assist you with the incident resolution. + ### Teams chat Apart from using the in-portal chat, you can also engage in real-time chat conversations with Defender Experts directly within Microsoft Teams. This capability provides you and your security operations center (SOC) team more flexibility when responding to incidents that require managed response. [Learn more about turning on notifications and chat on Teams](get-started-xdr.md#receive-managed-response-notifications-and-updates-in-microsoft-teams)
security Mto Advanced Hunting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mto-advanced-hunting.md
Last updated 1/5/2024
- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) - Advanced hunting in multi-tenant management in Microsoft Defender XDR allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants at the same time. ## Run cross-tenant queries
security Mto Dashboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mto-dashboard.md
Title: Vulnerability management in multi-tenant management
-description: Learn about the capabilities of the vulnerability management dashboard in multi-tenant management in Microsoft Defender XDR
+ Title: Vulnerability management in multitenant management
+description: Learn about the capabilities of the vulnerability management dashboard in multitenant management in Microsoft Defender XDR
search.appverid: met150
Last updated 09/01/2023
- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) - ## Microsoft Defender Vulnerability Management dashboard You can use the Defender Vulnerability Management dashboard in multi-tenant management to view aggregated and summarized information across all tenants, such as:
security Mto Incidents Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mto-incidents-alerts.md
Last updated 09/01/2023
- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) - Multi-tenant management in Microsoft Defender XDR enables security operation center (SOC) analysts to access and analyze data from multiple tenants in one place, allowing them to quickly identify and respond to threats. You can manage incidents & alerts originating from multiple tenants under **Incidents & alerts**.
security Mto Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mto-overview.md
Last updated 09/01/2023
- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) - >[!Tip] >To learn how to turn on preview features, see [Microsoft Defender XDR preview features](preview.md).
security Mto Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mto-requirements.md
Title: Set up multi-tenant management in Microsoft Defender XDR
-description: Learn what steps you need to take to get started with multi-tenant management in Microsoft Defender XDR
+ Title: Set up multitenant management in Microsoft Defender XDR
+description: Learn what steps you need to take to get started with multitenant management in Microsoft Defender XDR.
Last updated 09/01/2023
- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) - This article describes the steps you need to take to start using multi-tenant management in Microsoft Defender XDR.
+>[!Note]
+>In multi-tenant management, interactions between the multi-tenant user and the managed tenants could involve accessing data and managing configurations. The ability to undertake these actions is determined by the permissions a managed tenant has granted the multi-tenant user.
+ 1. [Review the requirements](#review-the-requirements) 2. [Verify your tenant access](#verify-your-tenant-access) 3. [Set up multi-tenant management in Microsoft Defender XDR](#set-up-multi-tenant-management)
The following table lists the basic requirements you need to use multi-tenant ma
|:|:| | Microsoft Defender XDR prerequisites | Verify you meet the [Microsoft Defender XDR prerequisites](prerequisites.md)| | Multi-tenant access | To view and manage the data you have access to in multi-tenant management, you need to ensure you have the necessary access. For each tenant you want to view and manage, you need to have either: <br/> <br/> - [Granular delegated admin privileges (GDAP)](/partner-center/gdap-introduction) <br/> - [Microsoft Entra B2B authentication](/azure/active-directory/external-identities/what-is-b2b) <br/> <br/> To learn more about how to synchronize multiple B2B users across tenants, see [Configure cross-tenant synchronization](/azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure).|
-| Permissions | Users must be assigned the correct roles and permission,s at the individual tenant level, in order to view and manage the associated data in multi-tenant management. To learn more, see: <br/><br/> - [Manage access to Microsoft Defender XDR with Microsoft Entra global roles](./m365d-permissions.md) <br/> - [Custom roles in role-based access control for Microsoft Defender XDR](./custom-roles.md)<br/><br/> To learn how to grant permissions for multiple users at scale, see [What is entitlement management](/azure/active-directory/governance/entitlement-management-overview).|
+| Permissions | Users must be assigned the correct roles and permissions at the individual tenant level, in order to view and manage the associated data in multi-tenant management. To learn more, see: <br/><br/> - [Manage access to Microsoft Defender XDR with Microsoft Entra global roles](./m365d-permissions.md) <br/> - [Custom roles in role-based access control for Microsoft Defender XDR](./custom-roles.md)<br/><br/> To learn how to grant permissions for multiple users at scale, see [What is entitlement management](/azure/active-directory/governance/entitlement-management-overview).|
>[!Note] > Setting up [multi-factor authentication trust](/azure/active-directory/external-identities/authentication-conditional-access) is highly recommended for each tenant to avoid missing data in multi-tenant management Microsoft Defender XDR.
The following table lists the basic requirements you need to use multi-tenant ma
In order to view and manage the data you have access to in multi-tenant management, you need to ensure you have the necessary permissions. For each tenant you want to view and manage, you need to either: -- [Verify your tenant access with Microsoft Entra B2B](#verify-your-tenant-access-with-azure-active-directory-b2b)
+- [Verify your tenant access with Microsoft Entra B2B](#verify-your-tenant-access-with-microsoft-entra-b2b)
- [Verify your tenant access with GDAP](#verify-your-tenant-access-with-gdap)
-<a name='verify-your-tenant-access-with-azure-active-directory-b2b'></a>
- ### Verify your tenant access with Microsoft Entra B2B
-1. Go to [My account](https://myaccount.microsoft.com/organizations)
+1. Go to [My account](https://myaccount.microsoft.com/organizations).
2. Under **Organizations > Other organizations you collaborate with** see the list of organizations you have guest access to. :::image type="content" source="../../media/defender/mto-myaccount.png" alt-text="Screenshot of organizations in the myaccount portal" lightbox="../../media/defender/mto-myaccount.png":::
In order to view and manage the data you have access to in multi-tenant manageme
The first time you use multi-tenant management in Microsoft Defender XDR, you need setup the tenants you want to view and manage. To get started:
-1. Sign in to [Multi-tenant management in Microsoft Defender XDR](https://mto.security.microsoft.com/).
+1. Sign in to [Multi-tenant management in Microsoft Defender XDR](https://mto.security.microsoft.com/)
2. Select **Add tenants**. :::image type="content" source="../../media/defender/mto-add-tenants.png" alt-text="Screenshot of the Microsoft Defender XDR multi-tenant portal setup screen" lightbox="../../media/defender/mto-add-tenants.png":::
-3. Choose the tenants you want to manage and select **Add**.
+3. Choose the tenants you want to manage and select **Add**
+
+>[!Note]
+> The multi-tenant view in Microsoft Defender XDR currently has a limit of 50 target tenants.
The features available in multi-tenant management now appear on the navigation bar and you're ready to view and manage security data across all your tenants.
security Mto Tenant Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mto-tenant-devices.md
Title: Devices in multi-tenant management
-description: Learn about multi-tenant device view in multi-tenant management of the Microsoft Defender XDR
+description: Learn about multitenant device view in multitenant management of the Microsoft Defender XDR
search.appverid: met150
Last updated 09/01/2023
- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) - ## Tenant device list
-The Tenants page in multi-tenant management lists each tenant you have access to. For each tenant, the page includes details such as the number of devices and device types, the number of high value and high exposure devices, and the number of devices available to onboard:
+The Tenants page in multi-tenant management lists each tenant you have access to. Each tenant page includes details such as the number of devices and device types, the number of high value and high exposure devices, and the number of devices available to onboard:
:::image type="content" source="../../media/defender/mto-tenant-page.png" alt-text="Screenshot of the Microsoft Defender XDR multi-tenant device list" lightbox="../../media/defender/mto-tenant-page.png":::
security Mto Tenants https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mto-tenants.md
Title: Manage tenants with multi-tenant management in Microsoft Defender XDR
-description: Learn about the tenant list in multi-tenant management in Microsoft Defender XDR
+ Title: Manage tenants with multitenant management in Microsoft Defender XDR
+description: Learn about the tenant list in multitenant management in Microsoft Defender XDR
search.appverid: met150
Last updated 09/01/2023
- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) - ## View the tenants page To view the list of tenants that appear in multi-tenant management, go to [Settings page](https://mto.security.microsoft.com/mtosettings) in multi-tenant management in Microsoft Defender XDR:
When an issue exists, the status indicator shows a red warning sign:
- ![data issues](../../media/defender/mto-data-issues.png)
-Hovering over the red warning sign displays the issues that have occurred and the tenant information. By expanding each section, you see all the tenants with this issue.
+Hovering over the red warning sign displays the issues that occurred and the tenant information. By expanding each section, you see all the tenants with this issue.
- ![tenant data issues](../../media/defender/mto-tenantdata-issues.png)
security Air About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-about.md
Microsoft 365 provides many built-in alert policies that help identify Exchange
## Required permissions to use AIR capabilities
-Permissions are granted through certain roles, such as those that are described in the following table:
-
-|Task|Role(s) required|
-|||
-|Set up AIR features|One of the following roles: <ul><li>Global Administrator</li><li>Security Administrator</li></ul> <br/> These roles can be assigned in [Microsoft Entra ID](/entr).|
-|Start an automated investigation <p> or <p> Approve or reject recommended actions|One of the following roles, assigned in [Microsoft Entra ID](/entr). You might need to create a new **Email & collaboration** role group there and add the Search and Purge role to that new role group.</li></ul>|
+You need to be assigned permissions to use AIR. You have the following options:
+
+- [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell):
+ - _Start an automated investigation_ or _Approve or reject recommended actions_: **Security Operator/Email advanced remediation actions (manage)**.
+- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md):
+ - _Set up AIR features_: Membership in the **Organization Management** or **Security Administrator** role groups.
+ - _Start an automated investigation_ or _Approve or reject recommended actions_:
+ - Membership in the **Organization Management**, **Security Administrator**, **Security Operator**, **Security Reader**, or **Global Reader** role groups.
+ and
+ - Membership in a role group with the **Search and Purge** role assigned. By default, this role is assigned to the **Data Investigator** and **Organization Management** role groups. Or, you can [create a custom role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) to assign the **Search and Purge** role.
+- [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles):
+ - _Set up AIR features_ Membership in the **Global Administrator** or **Security Administrator** roles.
+ - _Start an automated investigation_ or _Approve or reject recommended actions_:
+ - Membership in the **Global Administrator**, **Security Administrator**, **Security Operator**, **Security Reader**, or **Global Reader** roles.
+ and
+ - Membership in an Email & collaboration role group with the **Search and Purge** role assigned. By default, this role is assigned to the **Data Investigator** and **Organization Management** role groups. Or, you can [create a custom Email & collaboration role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) to assign the **Search and Purge** role.
+
+ Microsoft Entra permissions give users the required permissions _and_ permissions for other features in Microsoft 365.
## Required licenses
security Mdo Portal Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-portal-permissions.md
You need to be member of the **Global Administrator** role in Microsoft Entra ID
> [!NOTE] > Some Defender for Office 365 features require additional permissions in Exchange Online. For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo). >
-> In the Microsoft Defender XDR preview program, a different Microsoft Defender 365 RBAC model is also available. The permissions in this RBAC model are different from the Defender for Office 365 permissions as described in this article. For more information, see [Microsoft Defender XDR role-based access control (RBAC)](../defender/manage-rbac.md).
+> Microsoft Defender XDR has its own Unified role-based access control (RBAC). This model provides a single permissions management experience in one central location where admins can control permissions across different security solutions. These permissions are different from the permissions described in this article. For more information, see [Microsoft Defender XDR role-based access control (RBAC)](../defender/manage-rbac.md).
+>
+> **If you activate Defender XDR RBAC for Email & collaboration, the permissions page at <https://security.microsoft.com/emailandcollabpermissions> is no loger available in the Defender portal**.
> > For information about permissions in the Microsoft Purview compliance portal, see [Permissions in the Microsoft Purview compliance portal](/purview/microsoft-365-compliance-center-permissions).
security Pim In Mdo Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/pim-in-mdo-configure.md
f1.keywords:
Previously updated : 1/31/2023 Last updated : 2/20/2024 audience: ITPro ms.localizationpriority: high
# Privileged Identity Management (PIM) and why to use it with Microsoft Defender for Office 365
-Privileged Identity Management (PIM) is an Azure feature that, once set up, gives users access to data for a limited period of time (sometimes called a _time-boxed_ period of time) so that a specific task can be done. Access is given 'just-in-time' to do the action that's required, and then revoked. PIM limits the access and time that user has to sensitive data, reducing exposure risk when compared to privileged administration accounts that have long-term access to data and other settings. So how can we use this feature (PIM) in conjunction with Microsoft Defender for Office 365?
+Privileged Identity Management (PIM) is an Azure feature that gives users access to data for a limited period of time (sometimes called a _time-boxed_ period of time). Access is given 'just-in-time' to take the required action, and then access is removed. PIM limits user access to sensitive data, which reduces risk as compared to traditional admin accounts with permanent access to data and other settings. So, how can we use this feature (PIM) with Microsoft Defender for Office 365?
> [!TIP]
-> PIM access is scoped to the role and identity level and allows completion of multiple tasks. It's not to be confused with Privileged Access Management (PAM) which is scoped at a Task level.
+> PIM access is scoped to the role and identity level to allow the completion of multiple tasks. In contrast, Privileged Access Management (PAM) is scoped at the task level.
## Steps to use PIM to grant just-in-time access to Defender for Office 365 related tasks
-By setting up PIM to work with Defender for Office 365, admins create a process for a user to request access to take the actions they need. The user must *justify* the need for the elevation of their privileges.
+By setting up PIM to work with Microsoft Defender for Office 365, admins create a process for a user to _request and justify_ the elevated privileges that they need.
-In this example we configure "Alex", a member of our security team who has zero-standing access within Microsoft 365, but can elevate to both a role required for normal day-to-day operations, such as [Threat Hunting](threat-explorer-threat-hunting.md) and then also to a higher level of privilege when less frequent but sensitive operations, such as [remediating malicious delivered email](remediate-malicious-email-delivered-office-365.md) is required.
+This article uses the scenario for a user named Alex on the security team. We can elevate Alex's permissions for the following scenarios:
-> [!NOTE]
-> This will walk you through the steps required to setup PIM for a Security Analyst who requires the ability to purge emails using Threat Explorer in Microsoft Defender for Office 365, but the same steps can be used for other RBAC roles within the Security, and Compliance portal. For example this process could be used for an information worker who requires day-to-day access in eDiscovery to perform searches and case work, but only occasionally needs the elevated right to export data from the tenant.
+- Permissions for normal day-to-day operations (for example, [Threat Hunting](threat-explorer-threat-hunting.md)).
+- A temporary higher-level of privilege for less frequent, sensitive operations (for example, [remediating malicious delivered email](remediate-malicious-email-delivered-office-365.md)).
+
+> [!TIP]
+> Although article includes specific steps for the scenario as described, you can do the same steps for other permissions. For example, when an information worker requires day-to-day access in eDiscovery to perform searches and case work, but occasionally needs the elevated permissions to export data from the organization.
***Step 1***. In the Azure PIM console for your subscription, add the user (Alex) to the Azure Security Reader role and configure the security settings related to activation.
-1. Sign into the [Microsoft Entra Admin Center](https://aad.portal.azure.com/) and select **Microsoft Entra ID** \> **Roles and administrators**.
-2. Select **Security Reader** in the list of roles and then **Settings** > **Edit**
+1. Sign in to the [Microsoft Entra Admin Center](https://aad.portal.azure.com/) and select **Microsoft Entra ID** \> **Roles and administrators**.
+2. Select **Security Reader** in the list of roles and then **Settings** \> **Edit**
3. Set the '**Activation maximum duration (hours)**' to a normal working day and 'On activation' to require **Azure MFA**.
-4. As this is Alex's normal privilege level for day-to-day operations, we will Uncheck **Require justification on activation** \> **Update**.
+4. Because this is Alex's normal privilege level for day-to-day operations, Uncheck **Require justification on activation** \> **Update**.
5. Select **Add Assignments** \> **No member selected** \> select or type the name to search for the correct member.
-6. Click the **Select** button to choose the member you need to add for PIM privileges > click **Next** > make no changes on the Add Assignment page (both assignment type *Eligible* and duration *Permanently Eligible* will be defaults) and **Assign**.
+6. Select the **Select** button to choose the member you need to add for PIM privileges \> select **Next** \> make no changes on the Add Assignment page (both assignment type _Eligible_ and duration _Permanently Eligible_ are defaults) and **Assign**.
-The name of your user (here 'Alex') will appear under Eligible assignments on the next page, this means they are able to PIM into the role with the settings configured earlier.
+The name of the user (Alex in this scenario) appears under Eligible assignments on the next page. This result means they're able to PIM into the role with the settings configured earlier.
> [!NOTE] > For a quick review of Privileged Identity Management see [this video](https://www.youtube.com/watch?v=VQMAg0sa_lE). :::image type="content" source="../../medio-role-setting-details-for-security-reader-show-8-hr-duration.png":::
-***Step 2***. Create the required second (elevated) permission group for additional tasks and assign eligibility.
+***Step 2***. Create the required second (elevated) permission group for other tasks and assign eligibility.
Using [Privileged Access groups](/entra/id-governance/privileged-identity-management/concept-pim-for-groups) we can now create our own custom groups and combine permissions or increase granularity where required to meet your organizational practices and needs.
-### Create a role group requiring the permissions we need
+### Create a role or role group with the required permissions
+
+Use one of the following methods:
+
+- [Create an Email & collaboration role group in the Microsoft Defender portal](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal):
-In the Microsoft Defender portal, create a custom role group that contains the permissions that we want.
+Or
-1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Permissions** \> **Email & collaboration roles** \> **Roles**. Or, to go directly to the **Permissions** page, use <https://security.microsoft.com/emailandcollabpermissions>.
-2. On the **Permissions** page, click :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create**.
-3. Name your group to reflect its purpose such as 'Search and Purge PIM'.
-4. Don't add members, simply save the group and move on to the next part!
+- Create a custom role in Microsoft Defender XDR Unified role based access control (RBAC). For information and instructions, see [Start using Microsoft Defender XDR Unified RBAC model](../defender/manage-rbac.md#start-using-microsoft-defender-xdr-unified-rbac-model).
+
+For either method:
+
+- Use a descriptive name (for example, 'Contoso Search and Purge PIM').
+- Don't add members. Add the required permissions, save, and then go to the next step.
### Create the security group in Microsoft Entra ID for elevated permissions
-1. Browse back to the [Microsoft Entra Admin Center](https://aad.portal.azure.com/) and navigate to **Microsoft Entra ID** > **Groups** > **New Group**.
+1. Browse back to the [Microsoft Entra Admin Center](https://aad.portal.azure.com/) and navigate to **Microsoft Entra ID** \> **Groups** \> **New Group**.
2. Name your Microsoft Entra group to reflect its purpose, **no owners or members are required** right now. 3. Turn **Microsoft Entra roles can be assigned to the group** to **Yes**.
-4. Don't add any roles, members or owners, create the group.
-5. Go back into the group you've just created, and select **Privileged Identity Management** > **Enable PIM**.
-6. Within the group, select **Eligible assignments** > **Add assignments** > Add the user who needs Search & Purge as a role of **Member**.
+4. Don't add any roles, members, or owners, create the group.
+5. Go back into the group you created, and select **Privileged Identity Management** \> **Enable PIM**.
+6. Within the group, select **Eligible assignments** \> **Add assignments** \> Add the user who needs Search & Purge as a role of **Member**.
7. Configure the **Settings** within the group's Privileged Access pane. Choose to **Edit** the settings for the role of **Member**.
-8. Change the activation time to suit your organization. In this example require *Azure MFA*, *justification*, and *ticket information* before selecting **Update**.
+8. Change the activation time to suit your organization. This example requires _Microsoft Entra multifactor authentication_, _justification_, and _ticket information_ before selecting **Update**.
### Nest the newly created security group into the role group
+> [!NOTE]
+> This step is required only if you used an Email & collaboration role group in [Create a role or role group with the required permissions](#create-a-role-or-role-group-with-the-required-permissions). Defender XDR Unified RBAC supports direct permissions assignments to Microsoft Entra groups, and you can add members to the group for PIM.
+ 1. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) and run the following command: ```powershell
In the Microsoft Defender portal, create a custom role group that contains the p
## Test your configuration of PIM with Defender for Office 365
-1. Login with the test user (Alex), who should have no administrative access within the [Microsoft Defender portal](/microsoft-365/security/defender/overview-security-center) at this point.
+1. Sign in with the test user (Alex), who should have no administrative access within the [Microsoft Defender portal](/microsoft-365/security/defender/overview-security-center) at this point.
2. Navigate to PIM, where the user can activate their day-to-day security reader role.
-3. If you try to purge an email using Threat Explorer, you get an error stating you need additional permissions.
+3. If you try to purge an email using Threat Explorer, you get an error stating you need more permissions.
4. PIM a second time into the more elevated role, after a short delay you should now be able to purge emails without issue. :::image type="content" source="../../medio-add-the-search-and-purge-role-assignment-to-this-pim-role.PNG":::
-Permanent assignment of administrative roles and permissions such as Search and Purge Role doesn't hold with the Zero Trust security initiative, but as you can see, PIM can be used to grant just-in-time access to the toolset required.
+Permanent assignment of administrative roles and permissions doesn't align with the Zero Trust security initiative. Instead, you can use PIM to grant just-in-time access to the required tools.
*Our thanks to Customer Engineer Ben Harris for access to the blog post and resources used for this content.*
syntex Translation Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/translation-overview.md
You can also use the translation feature for translating video transcripts and c
### Supported file types
-Document translation is available for the following file types: .csv, .docx, .htm, .html, .markdown, .md, .msg, .pdf, .pptx, .txt, and .xlsx. For legacy file types .doc, .rtf, .xls, .ods, .ppt, and .odp, the translated copy is created in the modern equivalent (.docx, .xlsx, or .pptx).
+Document translation is available for the following file types: .csv, .docx, .htm, .html, .markdown, .md, .msg, .pdf, .pptx, .txt, and .xlsx. For legacy file types .doc, .rtf, .xls, .ods, .ppt, and .odp, the translated copy is created in the modern equivalent (.docx, .xlsx, or .pptx). SharePoint site pages aren't supported at this time.
### Supported file size