-| Cllipchamp Premium | CFQ7TTC0N8SS | No |

-| Python in Excel | CFQ7TTC0S3X1 | Yes |

-## Use the Azure Active Directory PowerShell for Graph module

-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module).

-### Block access to individual user accounts

-Set-AzureADUser -ObjectID <sign-in name of the user account> -AccountEnabled $false

-> The *-ObjectID* parameter in the **Set-AzureAD** cmdlet accepts either the account sign-in name, also known as the User Principal Name, or the account's object ID.

-Set-AzureADUser -ObjectID fabricec@litwareinc.com -AccountEnabled $false

-Set-AzureADUser -ObjectID fabricec@litwareinc.com -AccountEnabled $true

-Write-Host (Get-AzureADUser | where {$_.DisplayName -eq $userName}).UserPrincipalName

-Write-Host (Get-AzureADUser | where {$_.DisplayName -eq $userName}).UserPrincipalName

-Set-AzureADUser -ObjectID (Get-AzureADUser | where {$_.DisplayName -eq $userName}).UserPrincipalName -AccountEnabled $false

-Get-AzureADUser -ObjectID <UPN of user account> | Select DisplayName,AccountEnabled

-Get-Content "C:\My Documents\Accounts.txt" | ForEach {Set-AzureADUser -ObjectID $_ -AccountEnabled $false}

-Get-Content "C:\My Documents\Accounts.txt" | ForEach {Set-AzureADUser -ObjectID $_ -AccountEnabled $true}

-```

-## Use the Microsoft Azure Active Directory module for Windows PowerShell

-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell).

-### Block individual user accounts

-Use the following syntax to block access for an individual user account:

-```powershell

-Set-MsolUser -UserPrincipalName <sign-in name of user account> -BlockCredential $true

-```

->[!Note]

->PowerShell Core doesn't support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets that have *Msol* in their name. You have to run these cmdlets from Windows PowerShell.

-This example blocks access to the user account *fabricec\@litwareinc.com*.

-```powershell

-Set-MsolUser -UserPrincipalName fabricec@litwareinc.com -BlockCredential $true

-```

-To unblock the user account, run the following command:

-```powershell

-Set-MsolUser -UserPrincipalName <sign-in name of user account> -BlockCredential $false

-To check the blocked status of a user account run the following command:

-```powershell

-Get-MsolUser -UserPrincipalName <sign-in name of user account> | Select DisplayName,BlockCredential

-```

-### Block access for multiple user accounts

-First, create a text file that contains one account on each line like this:

-```powershell

-akol@contoso.com

-tjohnston@contoso.com

-kakers@contoso.com

-```

-In the following commands, the example text file is *C:\My Documents\Accounts.txt*. Replace this file name with the path and file name of your text file.

-To block access for the accounts that are listed in the text file, run the following command:

- ```powershell

- Get-Content "C:\My Documents\Accounts.txt" | ForEach { Set-MsolUser -UserPrincipalName $_ -BlockCredential $true }

- ```

-To unblock the accounts listed in the text file, run the following command:

- ```powershell

- Get-Content "C:\My Documents\Accounts.txt" | ForEach { Set-MsolUser -UserPrincipalName $_ -BlockCredential $false }

- ```

->

-

-## Use the Azure Active Directory PowerShell for Graph module

-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module).

-After you connect, use the following syntax to remove an individual user account:

-

-```powershell

-Remove-AzureADUser -ObjectID <sign-in name>

-```

-This example removes the user account *fabricec\@litwareinc.com*.

-

-Remove-AzureADUser -ObjectID fabricec@litwareinc.com

-> [!NOTE]

-> The *-ObjectID* parameter in the **Remove-AzureADUser** cmdlet accepts either the account's sign-in name, also known as the User Principal Name or the account's object ID.

-

-To display the account name based on the user's name, use the following commands:

-$userName="<User name>"

-Write-Host (Get-AzureADUser | where {$_.DisplayName -eq $userName}).UserPrincipalName

-This example displays the account name for the user *Caleb Sills*.

-

-Write-Host (Get-AzureADUser | where {$_.DisplayName -eq $userName}).UserPrincipalName

-To remove an account based on the user's display name, use the following commands:

-

-```powershell

-$userName="<display name>"

-Remove-AzureADUser -ObjectID (Get-AzureADUser | where {$_.DisplayName -eq $userName}).UserPrincipalName

-```

-## Use the Microsoft Azure Active Directory module for Windows PowerShell

-When you delete a user account through the Microsoft Azure Active Directory module for Windows PowerShell, the account isn't permanently deleted. You can restore the deleted user account within 30 days.

-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell).

-To delete a user account, use the following syntax:

-

-Remove-MsolUser -UserPrincipalName <sign-in name>

->[!Note]

->PowerShell Core doesn't support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets with *Msol* in their name. Run these cmdlets from Windows PowerShell.

->

-This example deletes the user account *BelindaN@litwareinc.com*.

-

-Remove-MsolUser -UserPrincipalName belindan@litwareinc.com

-To restore a deleted user account within the 30-day grace period, use the following syntax:

-

-Restore-MsolUser -UserPrincipalName <sign-in name>

-This example restores the deleted account *BelindaN\@litwareinc.com*.

-

-Restore-MsolUser -UserPrincipalName BelindaN@litwareinc.com

->[!Note]

-> To see the list of deleted users that can be restored, run the following command:

->

-> ```powershell

-> Get-MsolUser -All -ReturnDeletedUsers

-> ```

->

-> If the user account's original user principal name is used by another account, use the _NewUserPrincipalName_ parameter instead of _UserPrincipalName_ to specify a different user principal name when you restore the user account.

-You can manage Microsoft 365 groups in several different ways, depending on your configuration. You can manage user accounts in the [Microsoft 365 admin center](/admin), PowerShell, in Active Directory Domain Services (AD DS), or in the [Microsoft Entra admin center](/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal).

-## Plan for where and how you will manage your groups

-

-### Hybrid

-AD DS groups are synchronized with Microsoft 365 from AD DS, so you must use on-premises AD DS tools to manage these groups.

-You can also create and manage Microsoft Entra groups that are separate from AD DS groups but can contain users and groups from AD DS. In this case, you can use:

-Microsoft Entra ID allows groups that can be managed by group owners instead of IT administrators. Known as *self-service group management*, this feature allows group owners who are not assigned an administrative role to create and manage security groups.

->

->

-## Use the Azure Active Directory PowerShell for Graph module

-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module).

-Get-AzureADGroup

-Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }

-New-AzureADGroup -Description "<group purpose>" -DisplayName "<name>" -MailEnabled $false -SecurityEnabled $true -MailNickName "<email name>"

-### Change the settings on a group

-Get-AzureADGroup | Where { $_.DisplayName -eq $groupName } | Select *

-Then, use the [Set-AzureADGroup](/powershell/module/azuread/set-azureadgroup) article to determine how to change a setting.

-Remove-AzureADGroup -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId

-Get-AzureADGroupOwner -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId

-Add-AzureADGroupOwner -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId -RefObjectId (Get-AzureADUser | Where { $_.UserPrincipalName -eq $userUPN }).ObjectId

-```

-Use these commands to add a user account by its **display name** to the current owners of a security group.

-```powershell

-$userName="<Display name of the user account to add>"

-$groupName="<display name of the group>"

-Add-AzureADGroupOwner -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId -RefObjectId (Get-AzureADUser | Where { $_.DisplayName -eq $userName }).ObjectId

-```

-Use these commands to remove a user account by its **UPN** to the current owners of a security group.

-```powershell

-$userUPN="<UPN of the user account to remove>"

-$groupName="<display name of the group>"

-Remove-AzureADGroupOwner -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId -OwnerId (Get-AzureADUser | Where { $_.UserPrincipalName -eq $userUPN }).ObjectId

-Use these commands to remove a user account by its **display name** to the current owners of a security group.

-$userName="<Display name of the user account to remove>"

-Remove-AzureADGroupOwner -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId -OwnerId (Get-AzureADUser | Where { $_.DisplayName -eq $userName }).ObjectId

-```

-## Use the Microsoft Azure Active Directory module for Windows PowerShell

-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell).

-### List your groups

-Use this command to list all of your groups.

-```powershell

-Get-MsolGroup

-Use these commands to display the settings of a specific group by its display name.

-Get-MsolGroup | Where { $_.DisplayName -eq $groupName }

-```

-### Create a new group

-Use this command to create a new security group.

-```powershell

-New-MsolGroup -Description "<group purpose>" -DisplayName "<name>"

-### Change the settings on a group

-Display the settings of the group with these commands.

-Get-MsolGroup | Where { $_.DisplayName -eq $groupName } | Select *

-```

-Then, use the [Set-MsolGroup](/powershell/module/msonline/set-msolgroup) article to determine how to change a setting.

-### Remove a security group

-Use these commands to remove a security group.

-```powershell

-$groupName="<display name of the group>"

-Remove-MsolGroup -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId

-Archive retention policies can be configured in a variety of ways, depending on your organization's needs. For detailed information about retention policies, see [Retention tags and retention policies in Exchange Online](/exchange/security-and-compliance/messaging-records-management/retention-tags-and-policies). An admin can view existing retention policies by running the following command:

-searchScope:

- - Microsoft Teams

- - Microsoft Cloud for Healthcare

- - Microsoft Cloud for Retail

-description: Learn how to manage shift owners for schedule management. You can set a policy to elevate the permission of a team member to a schedule owner.

- - M365-collaboration

- - m365-frontline

- - highpri

- - microsoftcloud-healthcare

- - microsoftcloud-retail

-appliesto:

- - Microsoft Teams

- - Microsoft 365 for frontline workers

-# Schedule Owner for shift management

-## Overview

-The Schedule Owner feature lets you elevate the permissions of a team member so that they can manage schedules without making the employee a team owner. With Schedule Owner permissions, an employee can manage their teamΓÇÖs schedule without being able to modify any other team properties such as updating, editing, or deleting team channels.

-What can a user with schedule owner permissions do?

-## Why Schedule Owner?

-Without the Schedule Owner feature, day-to-day business functions could be disrupted. While the team owner helps to run the team, they might not necessarily be the person in charge of day-to-day scheduling. In this case, transferring only the schedule management responsibility to another team member streamlines daily operations within the team and eliminates the confusion of two team members having the same access privileges.

-## Scenario

-HereΓÇÖs an example of how your organization can use the Schedule Owner feature.

-You work in a large organization where department managers report directly to the store manager. The store manager has more authority within your company and is the team owner in Shifts. Department managers, on the other hand, are only ever added to Shifts as team members. While store managers have more seniority than department managers, it makes more sense for department managers to handle the day-to-day scheduling of their teamΓÇÖs employees.

-*Without Schedule Owner*, department managers must be given the exact same privileges as the team owner. Recently, department managers have been moving information around, and changing the name of channels, and it has caused complications with the store managerΓÇÖs work. The store manager wants the department managers to be able to organize their schedules, but doesn't want them to be able to change anything else on the team, outside of Shifts.

-*With Schedule Owner*, the department managers can be given scheduling privileges, without any other team owner privileges.

-## Manage schedule ownership

-As an admin, you use policies to control schedule management ownership in your organization. You manage these policies by using the following PowerShell cmdlets:

-### Example 1

-Here, we create a new policy named ScheduleOwnerPolicy with the Schedule Owner feature turned on.

-```powershell

-New-CsTeamsShiftsPolicy ΓÇôIdentity ScheduleOwnerPolicy -EnableScheduleOwnerPermissions $true -AccessType UnrestrictedAccess_TeamsApp

-```

-### Example 2

-In this example, we assign a policy named ScheduleOwnerPolicy to a user named remy@contoso.com.

-```powershell

-Grant-CsTeamsShiftsPolicy -Identity remy@contoso.com -PolicyName ScheduleOwnerPolicy

-```

-### Example 3

-In this example, we assign a policy named ScheduleOwnerPolicy to a group specified by its object id.

-```powershell

-Grant-CsTeamsShiftsPolicy -Group 83d3ca56-50e9-46fb-abd4-4f66939188f8 -PolicyName ScheduleOwnerPolicy

-```

-## Related articles

-|:::image type="icon" source="/office/medi)** Elevate the permissions of a team member to a schedule owner without making the employee a team owner. Schedule owners can manage their team's schedules in Shifts but can't change other team properties. |

-To begin, you'll want to get familiar with [using Call Quality Dashboard](/microsoftteams/turning-on-and-using-call-quality-dashboard). You'll need [appropriate admin credentials](/microsoftteams/turning-on-and-using-call-quality-dashboard#assign-admin-roles-for-access-to-cqd) to [sign into CQD](https://cqd.teams.microsoft.com) and begin working with your data.

-You can also access CQD from Teams Admin Center:

-1. From the menu bar, select **Analysis & Reports**.

-1. Then, choose **Call Quality Dashboard**.

-One you've logged into CQD, you can begin to analyze data from the existing dashboards. You can find these in the dropdown menu at the top of the page. You can also use [Power BI desktop](https://apps.microsoft.com/detail/9ntxr16hnw1t#activetab=pivot:overviewtab) to create highly customizable reports. Use the [CQD Power BI template files](/microsoftteams/cqd-data-and-reports#import-the-cqd-report-templates) to get started. These template files contain many of the most frequently requested call quality metrics and charts.

-Before you begin analyzing organizational call quality data, you'll need to [install](https://apps.microsoft.com/detail/9ntxr16hnw1t#activetab=pivot:overviewtab) and [learn to use](https://powerbi.microsoft.com/learning/) Power BI desktop. To access the CQD database through Power BI, you'll need to [download and install the Microsoft Call Quality connector](/microsoftteams/cqd-power-bi-connector). Make sure to install the connector in the appropriate Documents folder.

-Once you've installed the connector, you'll be able to access your CQD data in Power BI.

-## Virtual appointments data

-### Differentiate EHR and Bookings appointments

-The report contains the following tabs. The information youΓÇÖll see in the report depends on the license you have.

-The graphs you'll see here depend on the license you have.

-You can use parameters to set conditions for specific entries. Here's a [group example XML file for Allow Read access for each removable storage](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Allow%20Read.xml).

-keywords: XDR, Xtended detection and response, defender experts for xdr, Microsoft Defender Experts for XDR, managed threat hunting, managed detection and response (MDR) service, service delivery manager, Managed response in Teams, real-time visibility with XDR experts, ask defender experts

-description: Learn about the capabilities of the vulnerability management dashboard in multi-tenant management in Microsoft Defender XDR

-description: Learn what steps you need to take to get started with multi-tenant management in Microsoft Defender XDR

-| Permissions | Users must be assigned the correct roles and permission,s at the individual tenant level, in order to view and manage the associated data in multi-tenant management. To learn more, see: <br/><br/> - [Manage access to Microsoft Defender XDR with Microsoft Entra global roles](./m365d-permissions.md) <br/> - [Custom roles in role-based access control for Microsoft Defender XDR](./custom-roles.md)<br/><br/> To learn how to grant permissions for multiple users at scale, see [What is entitlement management](/azure/active-directory/governance/entitlement-management-overview).|

-<a name='verify-your-tenant-access-with-azure-active-directory-b2b'></a>

-1. Go to [My account](https://myaccount.microsoft.com/organizations)

-1. Sign in to [Multi-tenant management in Microsoft Defender XDR](https://mto.security.microsoft.com/).

-3. Choose the tenants you want to manage and select **Add**.

-description: Learn about multi-tenant device view in multi-tenant management of the Microsoft Defender XDR

-The Tenants page in multi-tenant management lists each tenant you have access to. For each tenant, the page includes details such as the number of devices and device types, the number of high value and high exposure devices, and the number of devices available to onboard:

-description: Learn about the tenant list in multi-tenant management in Microsoft Defender XDR

-Hovering over the red warning sign displays the issues that have occurred and the tenant information. By expanding each section, you see all the tenants with this issue.

-Permissions are granted through certain roles, such as those that are described in the following table:

-|Task|Role(s) required|

-|||

-|Set up AIR features|One of the following roles: <ul><li>Global Administrator</li><li>Security Administrator</li></ul> <br/> These roles can be assigned in [Microsoft Entra ID](/entr).|

-|Start an automated investigation <p> or <p> Approve or reject recommended actions|One of the following roles, assigned in [Microsoft Entra ID](/entr). You might need to create a new **Email & collaboration** role group there and add the Search and Purge role to that new role group.</li></ul>|

-> In the Microsoft Defender XDR preview program, a different Microsoft Defender 365 RBAC model is also available. The permissions in this RBAC model are different from the Defender for Office 365 permissions as described in this article. For more information, see [Microsoft Defender XDR role-based access control (RBAC)](../defender/manage-rbac.md).

-Privileged Identity Management (PIM) is an Azure feature that, once set up, gives users access to data for a limited period of time (sometimes called a _time-boxed_ period of time) so that a specific task can be done. Access is given 'just-in-time' to do the action that's required, and then revoked. PIM limits the access and time that user has to sensitive data, reducing exposure risk when compared to privileged administration accounts that have long-term access to data and other settings. So how can we use this feature (PIM) in conjunction with Microsoft Defender for Office 365?

-> PIM access is scoped to the role and identity level and allows completion of multiple tasks. It's not to be confused with Privileged Access Management (PAM) which is scoped at a Task level.

-By setting up PIM to work with Defender for Office 365, admins create a process for a user to request access to take the actions they need. The user must *justify* the need for the elevation of their privileges.

-In this example we configure "Alex", a member of our security team who has zero-standing access within Microsoft 365, but can elevate to both a role required for normal day-to-day operations, such as [Threat Hunting](threat-explorer-threat-hunting.md) and then also to a higher level of privilege when less frequent but sensitive operations, such as [remediating malicious delivered email](remediate-malicious-email-delivered-office-365.md) is required.

-> [!NOTE]

-> This will walk you through the steps required to setup PIM for a Security Analyst who requires the ability to purge emails using Threat Explorer in Microsoft Defender for Office 365, but the same steps can be used for other RBAC roles within the Security, and Compliance portal. For example this process could be used for an information worker who requires day-to-day access in eDiscovery to perform searches and case work, but only occasionally needs the elevated right to export data from the tenant.

-1. Sign into the [Microsoft Entra Admin Center](https://aad.portal.azure.com/) and select **Microsoft Entra ID** \> **Roles and administrators**.

-2. Select **Security Reader** in the list of roles and then **Settings** > **Edit**

-4. As this is Alex's normal privilege level for day-to-day operations, we will Uncheck **Require justification on activation** \> **Update**.

-6. Click the **Select** button to choose the member you need to add for PIM privileges > click **Next** > make no changes on the Add Assignment page (both assignment type *Eligible* and duration *Permanently Eligible* will be defaults) and **Assign**.

-The name of your user (here 'Alex') will appear under Eligible assignments on the next page, this means they are able to PIM into the role with the settings configured earlier.

-***Step 2***. Create the required second (elevated) permission group for additional tasks and assign eligibility.

-### Create a role group requiring the permissions we need

-In the Microsoft Defender portal, create a custom role group that contains the permissions that we want.

-1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Permissions** \> **Email & collaboration roles** \> **Roles**. Or, to go directly to the **Permissions** page, use <https://security.microsoft.com/emailandcollabpermissions>.

-2. On the **Permissions** page, click :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create**.

-3. Name your group to reflect its purpose such as 'Search and Purge PIM'.

-4. Don't add members, simply save the group and move on to the next part!

-1. Browse back to the [Microsoft Entra Admin Center](https://aad.portal.azure.com/) and navigate to **Microsoft Entra ID** > **Groups** > **New Group**.

-4. Don't add any roles, members or owners, create the group.

-5. Go back into the group you've just created, and select **Privileged Identity Management** > **Enable PIM**.

-6. Within the group, select **Eligible assignments** > **Add assignments** > Add the user who needs Search & Purge as a role of **Member**.

-8. Change the activation time to suit your organization. In this example require *Azure MFA*, *justification*, and *ticket information* before selecting **Update**.

-1. Login with the test user (Alex), who should have no administrative access within the [Microsoft Defender portal](/microsoft-365/security/defender/overview-security-center) at this point.

-3. If you try to purge an email using Threat Explorer, you get an error stating you need additional permissions.

-Permanent assignment of administrative roles and permissions such as Search and Purge Role doesn't hold with the Zero Trust security initiative, but as you can see, PIM can be used to grant just-in-time access to the toolset required.

-Document translation is available for the following file types: .csv, .docx, .htm, .html, .markdown, .md, .msg, .pdf, .pptx, .txt, and .xlsx. For legacy file types .doc, .rtf, .xls, .ods, .ppt, and .odp, the translated copy is created in the modern equivalent (.docx, .xlsx, or .pptx).