Docs update tracker

Updates from: 02/23/2024 07:00:40

Category	Microsoft Docs article	Related commit history on GitHub	Change details
microsoft-365-copilot-privacy	Microsoft 365 Copilot Privacy	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-privacy.md	ms.localizationpriority: medium description: "Learn how Microsoft Copilot for Microsoft 365 uses data and how it stores and protects that data." hideEdit: true Previously updated : 01/31/2024 Last updated : 02/22/2024 # Data, Privacy, and Security for Microsoft Copilot for Microsoft 365 Microsoft [Advanced Data Residency (ADR)](/microsoft-365/enterprise/advanced-dat Microsoft Copilot with Graph-grounded chat can reference web content from the Bing search index to ground user prompts and responses. Based on the userΓÇÖs prompt, Copilot for Microsoft 365 determines whether it needs to use Bing to query web content to help provide a relevant response to the user. There are [controls available to manage the use of web content](#controls-available-to-manage-the-use-of-web-content) for both admins and users. -> [!NOTE] -> Web grounding in Copilot uses only the Bing Search service. Copilot with commercial data protection (previously named Bing Chat Enterprise) is a separate offering and not involved with web grounding. - ### Details on how web grounding works When web grounding is enabled, Copilot for Microsoft 365 may automatically generate a web search query, if Copilot for Microsoft 365 determines that web data can improve the quality of the response. The search query is based on the userΓÇÖs prompt, Copilot interaction history, and relevant data the user has access to in Microsoft 365. This web search query might be displayed to the user after the prompt is entered. For example, the user might see the phrase "searching for..." followed by the search query. The query is passed to the [Bing Search API](/bing/search-apis/bing-web-search/overview), which is part of the Bing Search service, to retrieve information from the web to ground a response.
microsoft-365-copilot-requirements	Microsoft 365 Copilot Requirements	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-requirements.md	The following are the prerequisites for using Microsoft Copilot for Microsoft 36 > [!NOTE] > - For Copilot to work in Word Online, Excel Online, and PowerPoint Online, you need to have third-party cookies enabled. > - Review your privacy settings for Microsoft 365 Apps because those settings might have an effect on the availability of Microsoft Copilot for Microsoft 365 features. For more information, see [Microsoft Copilot for Microsoft 365 and policy settings for connected experiences](microsoft-365-copilot-privacy.md#microsoft-copilot-for-microsoft-365-and-policy-settings-for-connected-experiences). +> - Copilot is not available on Device-Based Licensing for Office 365 Apps. ### Microsoft Entra ID There are many Copilot experiences, including some core experiences like Excel, - [Microsoft Copilot for Microsoft 365 setup guide](https://admin.microsoft.com/Adminportal/Home?Q=learndocs#/modernonboarding/microsoft365copilotsetupguide) - [Microsoft 365 AI help and learning](https://support.microsoft.com/copilot)-- [Microsoft Copilot for Microsoft 365 - Microsoft Community Hub](https://techcommunity.microsoft.com/t5/microsoft-365-copilot/ct-p/Microsoft365Copilot) +- [Microsoft Copilot for Microsoft 365 - Microsoft Community Hub](https://techcommunity.microsoft.com/t5/microsoft-365-copilot/ct-p/Microsoft365Copilot)
admin	Assign Licenses To Users	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/assign-licenses-to-users.md	You can assign or unassign licenses for users in the Microsoft 365 admin center > [!NOTE] > -> - As an admin, you can't assign or unassign licenses for a self-service purchase subscription bought by a user in your organization. You can [take over a purchase or trial subscription](../../commerce/subscriptions/manage-self-service-purchases-admins.md#take-over-a-purchase-or-trial-subscription), and then assign or unassign licenses. +> - As an admin, you can't assign or unassign licenses for a self-service purchase subscription bought by a user in your organization. You can [take over a purchase or trial subscription](../../commerce/subscriptions/manage-self-service-purchases-admins.md#take-over-a-self-service-purchase-or-trial-subscription), and then assign or unassign licenses. > - For some subscriptions, you can only cancel during a limited window of time after you buy or renew your subscription. If the cancellation window has passed, turn off recurring billing to cancel the subscription at the end of its term. [Learn how to add a user and assign a license at the same time](../add-users/add-users.md).
admin	Centralized Deployment Of Add Ins	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/centralized-deployment-of-add-ins.md	It can take up to 24 hours for an add-in to show up for client for all users. ## Before you begin -Centralized deployment of add-ins requires that the users are using Microsoft 365 Business licenses (Business Basic, Business Standard, Business Premium), Office 365 Enterprise licenses (E1/E3/E5/F3), or Microsoft 365 Enterprise licenses (E3/E5/F3) (and are signed in Microsoft 365 using their organizational ID), Office 365 Education licenses (A1/A3/A5), or Microsoft 365 Education licenses (A3/A5), and have Exchange Online and active Exchange Online mailboxes. Your subscription directory must either be in or federated to Microsoft Entra ID. +Centralized deployment of add-ins requires that the users have one of the following licenses + +- Microsoft 365 Business (Business Basic, Business Standard, Business Premium) +- Office 365 Enterprise (E1/E3/E5/F3) +- Microsoft 365 Enterprise (E3/E5/F3) (and are signed in Microsoft 365 using their organizational ID) +- Office 365 Education (A1/A3/A5) +- Microsoft 365 Education (A3/A5) +- Office 365 Government (G3/G5) +- Microsoft 365 Government (G3/G5) + +Users must also have Exchange Online and active Exchange Online mailboxes. Your subscription directory must either be in or federated to Microsoft Entra ID. + You can view specific requirements for Microsoft 365 and Exchange below, or use the [Centralized Deployment Compatibility Checker](#centralized-deployment-compatibility-checker). Centralized Deployment doesn't support the following:
admin	Set Up Multi Factor Authentication	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication.md	Check out [Microsoft 365 small business help](https://go.microsoft.com/fwlink/?l Multifactor authentication means you and your employees must provide more than one way to sign in to Microsoft 365 is one of the easiest ways to secure your business. Based on your understanding of [multifactor authentication (MFA) and its support in Microsoft 365](multi-factor-authentication-microsoft-365.md), it's time to set it up and roll it out to your organization. -Multifactor authentication (MFA) is a very important first step in securing your organization. Microsoft 365 for Business gives you the option to use security defaults or Conditional Access policies to turn on MFA for your admins and user accounts. For most organizations, Security defaults offer a good level of sign-in security. But if your organization must meet more stringent requirements, you can use Conditional Access policies instead. - -> [!IMPORTANT] -> If you purchased your subscription or trial after October 21, 2019, and you're prompted for MFA when you sign in, [security defaults](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) have been automatically enabled for your subscription. +Multifactor authentication (MFA) is an important first step in securing your organization. Microsoft 365 for business gives you the option to use security defaults or Conditional Access policies to turn on MFA for your admins and user accounts. For most organizations, Security defaults offer a good level of sign-in security. But if your organization must meet more stringent requirements, you can use [Conditional Access policies](https://go.microsoft.com/fwlink/?linkid=2261708). > [!TIP] > If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use. -## Watch: Turn on multifactor authentication +## Before you begin -Check out this video and others on our [YouTube channel](https://go.microsoft.com/fwlink/?linkid=2197909). +- You must be a Global admin to manage MFA. For more information, see [About admin roles](../add-users/about-admin-roles.md). +- If you have legacy per-user MFA turned on, [Turn off legacy per-user MFA](#turn-off-per-user-mfa). +- Advanced: If you have third-party directory services with Active Directory Federation Services (AD FS), set up the Azure MFA Server. See [advanced scenarios with Microsoft Entra multifactor authentication and third-party VPN solutions](/azure/active-directory/authentication/howto-mfaserver-nps-vpn) for more information. + +## Watch: Turn on multifactor authentication > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE2MuO3?autoplay=false] +## Steps: Turn on multifactor authentication + +If you purchased your subscription or trial after October 21, 2019, and you're prompted for MFA when you sign in, [security defaults](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) have been automatically enabled for your subscription. If you purchased your subscription before October 2019, follow these steps to turn on security default MFA. + 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as least a [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator). 1. Browse toΓÇ»IdentityΓÇ»> Overview > Properties. 1. Select Manage security defaults. 1. Set Security defaults to Enabled. 1. Select Save. -## Before you begin +For more information, see [What are security defaults](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults)? -- You must be a Global admin to manage MFA. For more information, see [About admin roles](../add-users/about-admin-roles.md).-- If you have legacy per-user MFA turned on, [Turn off legacy per-user MFA](#turn-off-legacy-per-user-mfa).-- Advanced: If you have third-party directory services with Active Directory Federation Services (AD FS), set up the Azure MFA Server. See [advanced scenarios with Microsoft Entra multifactor authentication and third-party VPN solutions](/azure/active-directory/authentication/howto-mfaserver-nps-vpn) for more information.- -### Turn off legacy per-user MFA - -Per-user MFA is a legacy service and you should give consideration to using the newer Security defaults or Conditional Access policies. +## Turn off per-user MFA If you've previously turned on per-user MFA, you must turn it off before enabling Security defaults. You should also turn off per-user MFA after you've configure your policies and settings in Conditional Access. If you've previously turned on per-user MFA, you must turn it off before enablin 1. On the Active users page, choose multifactor authentication. 1. On the multifactor authentication page, select each user and set their multifactor authentication status to Disabled. -## Turn Security defaults on or off - -For most organizations, Security defaults offer a good level of additional sign-in security. For more information, see [What are security defaults?](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) +## Turn Security default MFA off -If your subscription is new, Security defaults might already be turned on for you automatically. +> [!IMPORTANT] +> It's not recommended to turn off MFA. -You enable or disable security defaults from the Properties pane in the Microsoft Entra admin center. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [security administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator), [conditional access administrator](/entra/identity/role-based-access-control/permissions-reference#conditional-access-administrator) or [global administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator). -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as least a [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator). 1. Browse toΓÇ»IdentityΓÇ»>ΓÇ»Overview > Properties. 1. Select Manage security defaults. 1. Set Security defaults to Disabled (not recommended). You enable or disable security defaults from the Properties pane in the Micr ## Use Conditional Access policies -If your organization has more granular sign-in security needs, Conditional Access policies can offer you more control. Conditional Access lets you create and define policies that react to sign in events and request additional actions before a user is granted access to an application or service. +If your organization has more granular sign-in security needs, [Conditional Access policies](https://go.microsoft.com/fwlink/?linkid=2261708) can offer you more control. Conditional Access lets you create and define policies that react to sign in events and request additional actions before a user is granted access to an application or service. You can also get started by using [conditional access templates](/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation). > [!IMPORTANT] > Do not forget to disable per-user MFA after you have enabled Conditional Access policies. This is important as it will result in inconsistent user experience. -Conditional Access is available for customers who have purchased Microsoft Entra ID P1, or licenses that include this, such as Microsoft 365 Business Premium, and Microsoft 365 E3. For more information, see [create a Conditional Access policy](/azure/active-directory/authentication/tutorial-enable-azure-mfa). +Conditional Access is available for customers who bought Microsoft Entra ID P1, or licenses that include this, such as Microsoft 365 Business Premium, and Microsoft 365 E3. For more information, see [create a Conditional Access policy](/azure/active-directory/authentication/tutorial-enable-azure-mfa). -Risk-based conditional access is available through Microsoft Entra ID P2 license, or licenses that include this, such as Microsoft 365 E5. For more information, see [risk-based Conditional Access](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk). +Risk-based conditional access is available through Microsoft Entra ID P2 license, or licenses that include risk based conditional access, like Microsoft 365 E5. For more information, see [risk-based Conditional Access](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk). For more information about the Microsoft Entra ID P1 and P2, see [Microsoft Entra pricing](https://azure.microsoft.com/pricing/details/active-directory/). -### Turn on Modern authentication for your organization - -For most subscriptions modern authentication is automatically turned on, but if you purchased your subscription before August 2017, it's likely that you'll need to turn on Modern Authentication in order to get features like multifactor authentication to work in Windows clients like Outlook. - -1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, in the left nav choose Settings \> Org settings. -2. Under the Services tab, choose Modern authentication, and in the Modern authentication pane, make sure Enable Modern authentication is selected. Choose Save changes. - ## Next steps - Send to your users - [What is multifactor authentication](https://support.microsoft.com/help/4577374/what-is-multifactor-authentication)-- [How to sign-in after registration](https://support.microsoft.com/office/2b856342-170a-438e-9a4f-3c092394d3cb)-- [How to change their additional verification method](https://support.microsoft.com/office/956ec8d0-7081-4518-a701-f8414cc20831)-- [How to register for their additional verification method](https://support.microsoft.com/office/ace1d096-61e5-449b-a875-58eb3d74de14) +- [Sign-in after registration](https://support.microsoft.com/office/2b856342-170a-438e-9a4f-3c092394d3cb) +- [Change additional verification method](https://support.microsoft.com/office/956ec8d0-7081-4518-a701-f8414cc20831) +- [Register for additional verification method](https://support.microsoft.com/office/ace1d096-61e5-449b-a875-58eb3d74de14) ## Related content -[Set up multifactor authentication](set-up-multi-factor-authentication.md) (video)\ +[Set up multifactor authentication](set-up-multi-factor-authentication.md) (video) -[Turn on multifactor authentication for your phone](https://support.microsoft.com/office/ace1d096-61e5-449b-a875-58eb3d74de14) (article)\ +[Turn on multifactor authentication for your phone](https://support.microsoft.com/office/ace1d096-61e5-449b-a875-58eb3d74de14) (article) [Security defaults and multifactor authentication](/microsoft-365/business-premium/m365bp-turn-on-mfa) (article)
commerce	Understand Your Invoice	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/understand-your-invoice.md	- AdminTemplateSet search.appverid: MET150 description: "Learn how to interpret the charges on your invoice for your Microsoft business subscription with an MCA billing account." Previously updated : 08/08/2023 Last updated : 02/22/2024 # Understand your invoice for your Microsoft MCA billing account This article only applies to customers with a Microsoft Customer Agreement (MCA) The invoice for your Microsoft business subscription provides a summary of the charges and instructions for how to pay your bill. You can [view your online invoice](view-your-bill-or-invoice.md) in the Microsoft 365 admin center. You can also download a copy of your invoice in the Portable Document Format (.PDF) to send via email. If you want to receive the invoice .PDF as an attachment in the email notification, see [Receive your organization's invoices as email attachments](manage-billing-notifications.md#receive-your-organizations-invoices-as-email-attachments). -> [!IMPORTANT] -> As of April 1, 2023, we no longer accept checks as a payment method for subscriptions paid by invoice. Pay by check is no longer available as a payment option, and check payment instructions have been removed from invoices. You can still pay for your invoice by wire transfer. See your invoice for wire transfer payment information. If you're an existing customer who currently pays by check, you have until September 30, 2023 to change to paying by wire transfer, and avoid possible service disruption. - ## Before you begin - [Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts). The invoice for your Microsoft business subscription provides a summary of the c Depending on the billing frequency that you chose when you bought your subscription, you receive an invoice monthly, every three months, every six months, or annually. The amount of time since the last invoice date is called the Billing Period and is shown on page one of the invoice, above the Billing Summary section. This time period represents the date range during which charges accrue for the current invoice. If you made a change to your subscription outside of this date range, like adding or removing licenses, the associated charges appear on the invoice for the next billing period. +Each new subscription purchase is billed the next day. You receive an invoice on the same day of the month either monthly, every three months, every six months or, annually, depending on the billing frequency you chose. Changes you make to an existing subscription are also charged the next day, except when you add and remove licenses or cancel which appear on the monthly invoice around the beginning of the following month. + > [!NOTE] > You can only change the billing frequency for a subscription when you buy, upgrade, or renew a subscription. The Billing Summary shows the summary of charges since the previous billing \| Charges\|Total number of products purchased for this billing period, and their related charges and taxes. Purchases are aggregated to provide a concise view of your bill. \| \| Credits \|Credits you received from returns \| \| Azure credits applied \|Your Azure credits that are automatically applied to Azure charges each billing period. If you don't have any Azure credits, this field is hidden. For more information about Azure credits, see [Track Microsoft Customer Agreement Azure credit balance](/azure/billing/billing-mca-check-azure-credits-balance). \| -\| Subtotal \|The pre-tax amount due \| +\| Subtotal \|The pretax amount due \| \| Tax \|The type and amount of tax that you pay, depending on the country/region of your billing profile. If you don't have to pay tax, no tax is shown on your invoice. \| ### Understand page two of your invoice Some invoices are generated within 24 hours of the purchase. Other invoices are ### How do I pay the amount due on my invoice? -Payment instructions depend on your payment method and are provided at the bottom of the invoice PDF. If your payment method is a credit or debit card, it's automatically charged within 10 days of the invoice date. If your payment method is by wire transfer, see the information under Payment Instructions in the PDF. +Payment instructions depend on your payment method and are provided at the bottom of the invoice PDF. If your payment method is a credit or debit card, we automatically charge the card within 10 days of the invoice date. If your payment method is by wire transfer, see the information under Payment Instructions in the PDF. ### What's the difference between "Sold to" and "Bill to" addresses?
commerce	Buy Licenses	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/buy-licenses.md	- adminvideo search.appverid: MET150 description: "Learn how to buy more licenses or reduce the number of licenses for your business subscription in the Microsoft 365 admin center." Previously updated : 01/26/2024 Last updated : 02/22/2024 # Buy or remove licenses for a Microsoft business subscription As an admin, you can add or remove licenses for your business subscriptions in t - If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a Billing account owner or contributor, or a Billing profile owner or contributor to do the tasks in this article. - If you have a Microsoft Online Subscription Agreement (MOSA) billing account type, you must be a Global or Billing admin to complete the tasks in this article. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md). - You can [add users and assign licenses at the same time](../../admin/add-users/add-users.md).-- If you bought your subscription through a Microsoft representative, contact them directly for help with increasing or reducing your license count. +- If you bought your subscription through a Microsoft representative, contact them directly to increase or reduce your license count. - You can't reduce the number of licenses for your subscription if all licenses are currently assigned to users. To reduce the number of licenses, first [unassign one or more licenses from users](../../admin/manage/assign-licenses-to-users.md), then remove the licenses from the subscription. > [!NOTE] As an admin, you can add or remove licenses for your business subscriptions in t [Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts). -If you have an MCA billing account type, you can buy more licenses for your subscription at any time. However, you can only remove licenses from your subscription if itΓÇÖs within seven days of you buying or renewing your subscription. For more information, see [Remove licenses from your subscription](#remove-licenses-from-your-subscription). +If you have an MCA billing account type, you can buy more licenses for your subscription at any time. However, you can only remove licenses from your subscription if itΓÇÖs within seven days of buying or renewing your subscription. For more information, see [Remove licenses from your subscription](#remove-licenses-from-your-subscription). ### Buy more licenses for your subscription -If you have an MCA billing account type and buy licenses in the middle of your billing period, you have seven days from when you buy them to reduce the number of licenses you bought. +If you buy licenses in the middle of your billing period, you have seven days from when you buy them to reduce the number of licenses you bought. 1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>. - If youΓÇÖre using the Simplified view, select Subscriptions. - If youΓÇÖre using the Dashboard view, go to the Billing > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. 2. Select the subscription that you want to change. -3. On the subscription details page, select Buy licenses. +3. On the subscription details page, select Buy licenses. [What if I can't select the Buy licenses or Remove licenses buttons?](#what-if-i-cant-select-the-buy-licenses-or-remove-licenses-buttons) 4. Choose when to schedule the license change to happen. - If recurring billing is turned on, you can choose to make the change now, or when the subscription renews. - If recurring billing is turned off, you can only make the change now. If you have an MCA billing account type and buy licenses in the middle of your b ### Remove licenses from your subscription -If you have an MCA billing account type, you can only remove licenses from your subscription during a limited time window after you buy or renew your subscription, or if you recently bought more licenses. If the window is closed, the subscription details page lists the date when your plan changes take effect. +You can only remove licenses from your subscription during a limited time window after you buy or renew your subscription, or if you recently bought more licenses. If the window is closed, the subscription details page lists the date when your plan changes take effect. + +> [!NOTE] +> You can only remove licenses when recurring billing is turned on. 1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>. - If youΓÇÖre using the Simplified view, select Subscriptions. - If youΓÇÖre using the Dashboard view, go to the Billing > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. 2. Select the subscription that you want to change. -3. On the subscription details page, select Remove licenses. +3. On the subscription details page, select Remove licenses. [What if I can't select the Buy licenses or Remove licenses buttons?](#what-if-i-cant-select-the-buy-licenses-or-remove-licenses-buttons) 4. Under New quantity in the Total licenses box, enter the total number of licenses that you want for this subscription. For example, if you have 100 licenses and you want to remove 25 licenses, enter 75. 5. Select Save. If you have an MCA billing account type, you can only remove licenses from your - If youΓÇÖre using the Simplified view, select Subscriptions. - If youΓÇÖre using the Dashboard view, go to the Billing > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. 2. Select the subscription that you want to change. -3. On the subscription details page, select Buy licenses or Remove licenses. +3. On the subscription details page, select Buy licenses or Remove licenses. [What if I can't select the Buy licenses or Remove licenses buttons?](#what-if-i-cant-select-the-buy-licenses-or-remove-licenses-buttons) 4. To change the number of licenses, under New quantity in the Total licenses box, enter the total number of licenses that you want for this subscription. For example, if you have 100 licenses and you want to add five more, enter 105. If you want to remove five of them, enter 95. 5. Select Save. -## Add licenses to a prepaid subscription by using a product key +## Add or reduce licenses for a prepaid subscription Prepaid product licenses are issued to you as a 25-character alphanumeric code, called a product key. After you buy the licenses you need, you can add them to your subscription by using the following steps. You can also use a product key to [extend the expiration date of your subscription](../enter-your-product-key.md#extend-the-expiration-date-for-an-existing-subscription). > [!NOTE] -> If you don't want to buy a new product key, you can always choose to add a credit card or debit card to your subscription to pay for more licenses. For more information, see [Renew your subscription](../subscriptions/renew-your-subscription.md). - -1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>. +> If you don't want to buy a new product key, you can always choose to add a credit card or debit card to your subscription to pay for more licenses. For more information, see [What if I have a prepaid subscription?](../subscriptions/renew-your-subscription.md#what-if-i-have-a-prepaid-subscription). + +### Add licenses to a prepaid subscription by using a product key + +1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>. - If youΓÇÖre using the Simplified view, select Subscriptions. - If youΓÇÖre using the Dashboard view, go to the Billing > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. 2. Select the subscription to which you want to add licenses. Prepaid product licenses are issued to you as a 25-character alphanumeric code, > If you have more than one product key, you can select Add another product key to enter them. 6. Review your order details, then select Redeem. +### Reduce licenses for a prepaid subscription by using a product key + +If you used a product key to add licenses and you want to reduce the number of licenses in your subscription, you must renew your subscription with a product key that has fewer licenses. + +1. Buy a prepaid product key that has the desired number of licenses. For example, if you currently have 50 licenses, but you only need 30, buy a prepaid product key with 30 licenses. +2. Reduce the total number of licenses that are currently assigned. +3. Extend the subscription by using the new prepaid product key. + ## What if I can't select the Buy licenses or Remove licenses buttons? This table describes the reasons why the Buy licenses or Remove licenses buttons aren't available, and possible solutions. \|Reason \|Description \|Solution \| \|\|\|\| -\|A credit check is pending. \|If a credit check is pending, you can't buy or remove licenses until the credit check is complete. \| Check back later to see if the credit check is complete. Credit checks typically take up to two working days to complete. After the credit check is complete, you should be able to select the Buy licenses and Remove licenses buttons. \| +\|A credit check is pending. \|If a credit check is pending, you can't buy or remove licenses until the credit check is complete. \| Check back later to see if the credit check is complete. Credit checks typically take up to two working days to complete.<br/><br/>After the credit check is complete, you can select the Buy licenses and Remove licenses buttons. \| \|You activated the subscription by using a product key.\| If the subscription was bought and activated by using a 25-character product key, you see the word "Prepaid" in the Purchase channel column of the Your products page. \|See [Add licenses to a prepaid subscription by using a product key](#add-licenses-to-a-prepaid-subscription-by-using-a-product-key). \| \|You bought your subscription through a reseller.\| You see the word "Reseller" in the Purchase information section under Purchase channel on the subscription details page, and in the Purchase channel column of the Your products page. \| If you bought the subscription through a Cloud Solution Provider (CSP) partner, contact your CSP partner to buy more licenses. \| \|You have a trial subscription. \| To view your trial subscriptions, select the filter button, then choose Trial. \| First buy your trial subscription, then you can buy more licenses.\| +\|The product has reached end of sale \| On the subscription details page, you see the following message: "This product is no longer available to buy, so some actions below are turned off." \| You can [buy a different subscription](../try-or-buy-microsoft-365.md#buy-a-different-subscription). In some cases, you might be able to convert your subscription.<br/><br/>For more information, see [Understand end-of-sale products in the Microsoft 365 admin center](../subscriptions/understand-eos-products.md) \| ## When are the new licenses available to assign? The payment method associated with your subscription or billing profile is charg If you prepaid for your subscription with a product key, you can add more licenses by using another product key, or by adding a credit card or debit card to cover the extra cost of the new licenses. If your subscription is prepaid, you can't remove licenses. -## How does buying or removing licenses affect my billing statements? +## How does buying or removing licenses affect my invoice? Licenses added in the middle of your billing period appear on your next invoice. If you pay annually, you're invoiced within a month for these changes. If you have an MCA billing account type, you have seven days to reduce the number of licenses. If you reduce the number of licenses after that seven day period, the change appears on the first invoice you receive after the subscription renewal date. -If you have an MOSA billing account type, the previous charge for the original number of licenses is deducted on your next billing statement. We add a prorated charge for the time period with the original number of licenses and add a charge for the new license count. There's also a charge for the current license count for the remainder of your billing period. +If you have an MOSA billing account type, the previous charge for the original number of licenses is deducted on your next invoice. We add a prorated charge for the time period with the original number of licenses and add a charge for the new license count. There's also a charge for the current license count for the remainder of your billing period. ## Next steps
commerce	E3 Extra Features Licenses	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/e3-extra-features-licenses.md	Microsoft 365 E3 or E5 Extra Features provides additional features for your user \|Microsoft Endpoint DLP \| No \| Yes \| \|Microsoft Insider Risk Management \| No \| Yes \| \|Safe Documents \| No \| Yes \| +\|Universal Print\|Yes\|Yes\| ## Assign the Microsoft 365 E3 or E5 Extra Features license to users
commerce	Manage Self Service Purchases Admins	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-self-service-purchases-admins.md	Title: Manage self-service purchases and trials (for admins) + Title: "Manage self-service purchases and trials (for admins)" f1.keywords: - NOCSH -+ audience: Admin - commerce_ssp - AdminSurgePortfolio - okr_smb - - has-azure-ad-ps-ref, azure-ad-ref-level-one-done search.appverid: - MET150 description: "Learn how admins can use the Microsoft 365 admin center to manage self-service purchases and trials made by users in their organization." Previously updated : 02/15/2023 Last updated : 02/22/2024 # Manage self-service purchases and trials (for admins) -As an admin, you can use the Microsoft 365 admin center to see self-service purchases and trials (referred to in this article as purchases and trials) made by people in your organization. You can see the product name, purchaser name, subscriptions purchased, expiration date, purchase price, and assigned users for each purchase or trial subscription. You have the same data management and access policies over products bought through self-service purchase or centrally. +As an admin, you can use the Microsoft 365 admin center to see self-service purchases and trials (referred to in this article as purchases and trials) made by people in your organization. You have the same data management and access policies over products bought through self-service purchase or centrally in the Microsoft 365 admin center marketplace. -You can also control whether users in your organization can make purchases or sign up for trials. To learn how to manage these settings, see [Use AllowSelfServicePurchase for the MSCommerce PowerShell module](allowselfservicepurchase-powershell.md). - -## Understand purchases and trials - -Purchases require a payment method at sign-up, and automatically renew at the end of the subscription term. - -Some trials require a payment method at sign-up, and automatically convert to a paid version when the trial ends. +For each purchase or trial subscription, you can see the following details: -Other trials don't require a payment method at sign-up, and don't automatically renew. Trials without a payment method are only available to select customers with an existing subscription agreement. +- product name +- purchaser name +- subscriptions purchased +- expiration date +- purchase price +- assigned users -## How we use a user's directory data +You can also control whether users in your organization can make purchases or sign up for trials. To learn how to manage these settings, see [Use AllowSelfServicePurchase for the MSCommerce PowerShell module](allowselfservicepurchase-powershell.md). -When you enable the AllowSelfServicePurchase policy, you permit Microsoft's Commerce service to process a user's directory data, which is outside the boundaries of the Microsoft 365 tenant. Specifically, Microsoft Commerce collects an Azure Active Directory v1.0 access token, which contains the user's first and last name, email address, IP address, and tenant and user GUID. For a full list of attributes included in the access token, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens). +## Before you begin -We use the directory data to provide the user with a license and to send email about the subscription to the user. The directory data processed by Microsoft Commerce is governed by the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). To learn more about the terms that apply to self-service trials, see [Organizational trial ΓÇô Terms of service](/legal/microsoft-365/in-app-trials-terms-of-service). Like other Microsoft products used by your organization, use of a self-service purchase or trial product is governed by the [Microsoft Product Terms](https://www.microsoft.com/licensing/terms). Before a user makes a purchase or starts a trial, we advise the user of the personal data that we process and the terms that apply. +- [Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts). +- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a Billing account owner or contributor or a Billing profile owner or contributor to do the tasks in this article. For more information about billing account roles, see [Understand your Microsoft business billing account](../manage-billing-accounts.md) and [Manage your Microsoft business billing profiles](../billing-and-payments/manage-billing-profiles.md). +- If you have a Microsoft Online Services Agreement (MOSA) billing account type, you must be a Global or Billing admin to do the tasks in this article. For more information, see [About admin roles in the Microsoft 365 admin center](../../admin/add-users/about-admin-roles.md). -## View self-service subscriptions +> [!NOTE] +> If you're the person who signed up for the subscription, you're automatically a Billing account owner or Global admin. +## Payment methods for self-service purchases and trials -1. In the Microsoft 365 admin center, go to the Billing > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. +Self-service purchases require a payment method at sign-up, and automatically renew at the end of the subscription term. +Some self-service trials require a payment method at sign-up, and automatically convert to a paid version when the trial ends. +Other self-service trials don't require a payment method at sign-up, and don't automatically renew. Trials without a payment method are only available to select customers with an existing subscription agreement. -1. In the admin center, go to the Billing \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page. +## How we use directory data -2. On the Products tab, select the filter icon, then select Self-service. -3. To view more details about a subscription, choose one from the list. +When you enable the AllowSelfServicePurchase policy, you allow Microsoft's Commerce service to process a user's directory data, which is outside the boundaries of the Microsoft 365 tenant. Specifically, Microsoft Commerce collects a Microsoft Entra ID v1.0 access token, which contains the user's first and last name, email address, IP address, and tenant and user GUID. For a full list of attributes included in the access token, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens). -## View who has licenses for a purchase or trial subscription +We use the directory data to provide the user with a license and to send email about the subscription to that user. The directory data processed by Microsoft Commerce is governed by the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). To learn more about the terms that apply to self-service trials, see [Organizational trial ΓÇô Terms of service](/legal/microsoft-365/in-app-trials-terms-of-service). Like other Microsoft products used by your organization, the use of a self-service purchase or trial product is governed by the [Microsoft Product Terms](https://www.microsoft.com/licensing/terms). Before a user makes a purchase or starts a trial, we notify the user of the personal data that we process and the terms that apply. -> [!NOTE] -> As an admin, you can't assign or unassign licenses for a purchase or trial subscription bought by a user in your organization. You can [take over a purchase or trial subscription](#take-over-a-purchase-or-trial-subscription), and then assign or unassign licenses. - +## View self-service subscriptions -1. In the Microsoft 365 admin center, go to the Billing > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. +1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, go to the Billing > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. +2. On the Products tab, select the filter icon, then select Self-service. +3. To view more details about a subscription, select one from the list. +## View who has licenses for a self-service purchase or trial subscription - 1. In the Microsoft 365 admin center, go to the Billing > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. +As an admin, you can't assign or unassign licenses for a purchase or trial subscription bought by a user in your organization. However, you can [Take over a self-service purchase or trial subscription](#take-over-a-self-service-purchase-or-trial-subscription), and then assign or unassign licenses. +1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the Billing > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. 2. On the Products tab, select the filter icon, then select Self-service. 3. Select a product to see licenses assigned to people. > [!NOTE] > If there are multiple purchases or trials for a product, that product is only listed once, and the Available quantity column shows the total of all subscriptions acquired for that product. 4. The Users list is grouped by the names of people who made purchases or started trials. -5. To export a list of users with licenses for these subscriptions, choose the subscriptions that you want to export, then choose Export users. +5. To export a list of users with licenses for these subscriptions, select the subscriptions that you want to export, then select Export users. -## Enable or disable purchases and trials +## Enable or disable self-service purchases and trials -You can enable or disable purchases and trials for users in your organization. The MSCommerce PowerShell module includes a PolicyID parameter value for AllowSelfServicePurchase that lets you control whether users in your organization can make purchases or start trials, and for which products. +You can enable or disable self-service purchases and trials for users in your organization. The MSCommerce PowerShell module includes a PolicyID parameter value for AllowSelfServicePurchase that lets you control whether users in your organization can make purchases or start trials, and for which products. -You can use the MSCommerce PowerShell module to: +You can use the MSCommerce PowerShell module to do the following actions: - View the default state of the AllowSelfServicePurchase parameter valueΓÇöwhether it's enabled or disabled by product - View a list of applicable products and whether purchases or trials are enabled or disabled for those products You can use the MSCommerce PowerShell module to: For more information, see [Use AllowSelfServicePurchase for the MSCommerce PowerShell module](allowselfservicepurchase-powershell.md). -<a name='use-powershell-and-azure-ad-to-enable-or-disable-all-self-service-sign-ups'></a> - -## Use PowerShell and Microsoft Entra ID to enable or disable all self-service sign-ups - -You can use PowerShell commands to change the settings that control self-service sign-ups. To turn off all self-service sign-ups, use the Microsoft Graph PowerShell module to change the MgPolicyAuthorizationPolicy setting for AllowedToSignUpEmailBasedSubscriptions in Microsoft Entra ID. For the steps to turn off self-service sign-ups, see [Update-MgPolicyAuthorizationPolicy](/powershell/module/microsoft.graph.identity.signins/update-mgpolicyauthorizationpolicy). - ## Centralize licenses under a single subscription -You can assign existing licenses or buy extra subscriptions through existing agreements for users assigned to purchases or trials. After you assign these centrally purchased licenses, you can request that users cancel their existing subscriptions. Alternatively, you can take over the subscription and cancel it yourself in the admin center. For steps to do that, see [Take over a purchase or trial subscription](#take-over-a-purchase-or-trial-subscription). +You can assign existing licenses or buy extra subscriptions through existing agreements for users assigned to self-service purchases or trials. After you assign these centrally purchased licenses, you can request that users cancel their existing subscriptions. Alternatively, you can take over the subscription and cancel it yourself in the admin center. For steps to do that, see [Take over a self-service purchase or trial subscription](#take-over-a-self-service-purchase-or-trial-subscription). -1. In the admin center, go to the Billing > <a href="https://go.microsoft.com/fwlink/p/?linkid=868433" target="_blank">Purchase services</a> page. --- -1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the Billing > Purchase services page. -- -2. Find and choose the product that you want to buy, then choose Buy. +1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the Billing > <a href="https://go.microsoft.com/fwlink/p/?linkid=868433" target="_blank">Purchase services</a> page. +2. Find and select the product that you want to buy, then select Buy. 3. Complete the remaining steps to complete your purchase. -4. Follow the steps in [View who has licenses for a purchase or trial subscription](#view-who-has-licenses-for-a-purchase-or-trial-subscription) to export a list of users to reference in the next step. -5. Assign licenses to everyone who has a license in the other subscription. For full steps, see [Assign licenses to users](../../admin/manage/assign-licenses-to-users.md). +4. To export a list of users to reference in the next step, follow the steps in [View who has licenses for a self-service purchase or trial subscription](#view-who-has-licenses-for-a-self-service-purchase-or-trial-subscription). +5. Assign licenses to everyone who has a license in the other subscription. For instructions on how to do this, see [Assign licenses to users](../../admin/manage/assign-licenses-to-users.md). 6. Contact the person who bought the original subscription and ask them to [cancel it](manage-self-service-purchases-users.md#cancel-a-subscription). -## Take over a purchase or trial subscription +## Take over a self-service purchase or trial subscription -You can take over a purchase or trial subscription made by a user in your organization. When you take over a purchase or trial subscription, you have two options: +You can take over a self-service purchase or trial subscription made by a user in your organization. When you take over a purchase or trial subscription, you have two options: 1. Move the users to a different subscription and cancel the original subscription. 2. Cancel the subscription and remove licenses from assigned users. ### Move users to a different subscription -When you move users to a different subscription, the old subscription is automatically canceled. The user who originally bought the purchase or trial subscription receives an email that says the subscription was canceled. +When you move users to a different subscription, the old subscription is automatically canceled. The user who originally bought the self-service purchase or trial subscription receives an email that says the subscription was canceled. > [!NOTE] > You must have an available license for each user you're moving in the subscription that you're moving users to. - -1. In the admin center, go to the Billing > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. --- -1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the Billing > Your products page. - +1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the Billing > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. 2. On the Products tab, select the filter icon, then select Self-service. 3. Select the subscription that you want to take over. 4. On the subscription details page, in the Subscriptions and settings section, select Take control of this subscription. -5. In the right pane, select Move users. +5. In the details pane, select Move users. 6. Select the product that you want to move the users to, then select Move users. 7. In the Move users to box, select Move users. The move process might take several minutes. Don't close your browser while the process runs. 8. When the move process is finished, close the Move completed pane. 9. On the subscription details page, the Subscription status for the purchase or trial subscription shows as Deleted. -### Cancel a purchase or trial subscription - -When you choose to cancel a purchase or trial subscription, users with licenses lose access to the product. The user who originally signed up for the purchase or trial subscription receives an email that says the subscription was canceled. -- -1. In the admin center, go to the Billing > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. -- +### Cancel a self-service purchase or trial subscription -1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the Billing > Your products page. +When you choose to cancel a self-service purchase or trial subscription, users with licenses lose access to the product. The user who originally signed up for the subscription receives an email that says the subscription was canceled. +1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the Billing > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. 2. On the Products tab, select the filter icon, then select Self-service. 3. Select the subscription that you want to cancel. 4. On the subscription details page, in the Subscriptions and settings section, select Take control of this subscription. -5. In the right pane, select Cancel subscription. +5. In the details pane, select Cancel subscription. 6. Select a reason for your cancellation from the drop-down list, then select Cancel subscription. 7. In the Are you sure you want to cancel? box, select Cancel subscription. -8. Close the right pane. +8. Close the details pane. 9. On the subscription details page, the Subscription status shows as Deleted. ## Need help? Contact us -For common questions about purchases and trials, see [Self-service purchases FAQ](self-service-purchase-faq.yml). +For common questions about self-service purchases and trials, see [Self-service purchases FAQ](self-service-purchase-faq.yml). -If you have questions or need help with purchases and trials, [contact support](../../admin/get-help-support.md). +If you have questions or need help with self-service purchases and trials, [contact support](../../admin/get-help-support.md).
enterprise	Assign Roles To User Accounts With Microsoft 365 Powershell	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/assign-roles-to-user-accounts-with-microsoft-365-powershell.md	Title: "Assign roles to Microsoft 365 user accounts with PowerShell" Previously updated : 09/23/2020 Last updated : 02/22/2024 audience: Admin search.appverid: - scotvorg - Ent_O365 +- must-keep f1.keywords: - CSH - Ent_Office_Other - seo-marvel-apr2020 - has-azure-ad-ps-ref + - azure-ad-ref-level-one-done ms.assetid: ede7598c-b5d5-4e3e-a488-195f02f26d93 description: In this article, learn how quickly and easily use PowerShell for Microsoft 365 to assign admin roles to user accounts. You can easily assign roles to user accounts by using PowerShell for Microsoft 3 >For a list of additional resources, see [Manage users and groups](/admin). > -## Use the Azure Active Directory PowerShell for Graph module +## Assign roles to user accounts using Microsoft Graph PowerShell + +>[!NOTE] +> The Azure Active Directory module is being replaced by the Microsoft Graph PowerShell SDK. You can use the Microsoft Graph PowerShell SDK to access all Microsoft Graph APIs. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started). + +First, use a Microsoft Entra DC admin, Cloud Application Admin, or Global admin account to [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md). The cmdlets in this article require the permission scope RoleManagement.ReadWrite.Directory or one of the other permissions listed in the ['List subscribedSkus' Graph API reference page](/graph/api/subscribedsku-list). Some commands in this article may require different permission scopes, in which case this will be noted in the relevant section. + +```powershell +Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory" +``` -First, use a Microsoft Entra DC admin, Cloud Application Admin, or Global admin account to [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module). - For more information, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles?). Next, identify the sign-in name of the user account that you want to add to a role (example: fredsm\@contoso.com). This is also known as the user principal name (UPN). Next, determine the name of the role. See [Microsoft Entra built-in roles](/azur >Pay attention to the notes in this article. Some role names are different for Azure Active Directory (Azure AD) PowerShell. For example, the SharePoint Administrator role in the Microsoft 365 admin center is SharePoint Service Administrator in Azure AD PowerShell. > -Next, fill in the sign-in and role names and run these commands: +Next, fill in the user UPN and role names and run these commands: ```powershell -$userName="<sign-in name of the account>" -$roleName="<admin role name>" -$role = Get-AzureADDirectoryRole \| Where {$_.displayName -eq $roleName} +$userUPN="<user UPN>" +$roleName="<role name>" +$role = Get-MgDirectoryRole \| Where-Object {$_.displayName -eq $roleName} if ($role -eq $null) { -$roleTemplate = Get-AzureADDirectoryRoleTemplate \| Where {$_.displayName -eq $roleName} -Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId -$role = Get-AzureADDirectoryRole \| Where {$_.displayName -eq $roleName} + $roleTemplate = (Get-MgDirectoryRoleTemplate \| Where-Object {$_.displayName -eq $roleName}).id + New-MgDirectoryRole -DisplayName $roleName -RoleTemplateId $roleTemplate + $role = Get-MgDirectoryRole \| Where-Object {$_.displayName -eq $roleName} } -Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId (Get-AzureADUser \| Where {$_.UserPrincipalName -eq $userName}).ObjectID +$userId = (Get-MgUser -Filter "userPrincipalName eq '$userUPN'").Id +$newRoleMember =@{ + "@odata.id"= "https://graph.microsoft.com/v1.0/users/$userId" + } +New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter $newRoleMember ``` Here's an example of a completed command set that assigns the SharePoint Service Administrator role to the belindan\@contoso.com account: - + ```powershell -$userName="belindan@contoso.com" -$roleName="SharePoint Service Administrator" -$role = Get-AzureADDirectoryRole \| Where {$_.displayName -eq $roleName} +$userUPN="adelev@contoso.com" +$roleName="Exchange Administrator" +$role = Get-MgDirectoryRole \| Where-Object {$_.displayName -eq $roleName} if ($role -eq $null) { -$roleTemplate = Get-AzureADDirectoryRoleTemplate \| Where {$_.displayName -eq $roleName} -Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId -$role = Get-AzureADDirectoryRole \| Where {$_.displayName -eq $roleName} + $roleTemplate = (Get-MgDirectoryRoleTemplate \| Where-Object {$_.displayName -eq $roleName}).id + New-MgDirectoryRole -DisplayName $roleName -RoleTemplateId $roleTemplate + $role = Get-MgDirectoryRole \| Where-Object {$_.displayName -eq $roleName} } -Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId (Get-AzureADUser \| Where {$_.UserPrincipalName -eq $userName}).ObjectID +$userId = (Get-MgUser -Filter "userPrincipalName eq '$userUPN'").Id +$newRoleMember =@{ + "@odata.id"= "https://graph.microsoft.com/v1.0/users/$userId" + } +New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter $newRoleMember ``` -To display the list of user names for a specific admin role, use these commands. +To display the list of user IDs for a specific admin role, use these commands. ```powershell $roleName="<role name>" -Get-AzureADDirectoryRole \| Where { $_.DisplayName -eq $roleName } \| Get-AzureADDirectoryRoleMember \| Ft DisplayName -``` - -## Use the Microsoft Azure Active Directory module for Windows PowerShell - -First, use a global administrator account to [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell). - -### For a single role change - -The most common ways to specify the user account is by using its display name or its email name, which also known as its sign-in name or user principal name (UPN). - -#### Display names of user accounts - -If you're used to working with the display names of user accounts, determine the following information: - -- The user account that you want to configure - - To specify the user account, you must determine its Display Name. To get a complete list of accounts, use this command: - - ```powershell - Get-MsolUser -All \| Sort DisplayName \| Select DisplayName \| More - ``` - - This command lists the Display Name of your user accounts, sorted by the Display Name, one screen at a time. You can filter the list to a smaller set by using the Where cmdlet. See the following example. - - >[!Note] - >PowerShell Core doesn't support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets with Msol in their name. Run these cmdlets from Windows PowerShell. - > - - ```powershell - Get-MsolUser -All \| Where DisplayName -like "John" \| Sort DisplayName \| Select DisplayName \| More - ``` - - This command lists only the user accounts for which the Display Name starts with "John". - -- The role you want to assign - - To display the list of available admin roles that you can assign to user accounts, use this command: - - ```powershell - Get-MsolRole \| Sort Name \| Select Name,Description - ``` - -After you determine the Display Name of the account and the name of the role, use these commands to assign the role to the account: - -```powershell -$dispName="<The Display Name of the account>" -$roleName="<The admin role name you want to assign to the account>" -Add-MsolRoleMember -RoleMemberEmailAddress (Get-MsolUser -All \| Where DisplayName -eq $dispName).UserPrincipalName -RoleName $roleName -``` - -Paste the commands into Notepad. For the $dispName* and $roleName variables, replace the description text with their values. Remove the \< and > characters but keep the quotation marks. Paste the modified lines into the Microsoft Azure Active Directory module for Windows PowerShell window to run them. Alternately, you can use the Windows PowerShell Integrated Script Environment (ISE). - -Here's an example of a completed command set: - -```powershell -$dispName="Scott Wallace" -$roleName="SharePoint Service Administrator" -Add-MsolRoleMember -RoleMemberEmailAddress (Get-MsolUser -All \| Where DisplayName -eq $dispName).UserPrincipalName -RoleName $roleName -``` - -#### Sign-in names of user accounts - -If you're used to working with the sign-in names or UPNs of user accounts, determine the following information: - -- The user account's UPN - - If you don't know the UPN, use this command: - - ```powershell - Get-MsolUser -All \| Sort UserPrincipalName \| Select UserPrincipalName \| More - ``` - - This command lists the UPN of your user accounts, sorted by UPN, one screen at a time. You can use the Where cmdlet to filter the list. Here's an example: - - ```powershell - Get-MsolUser -All \| Where DisplayName -like "John" \| Sort UserPrincipalName \| Select UserPrincipalName \| More - ``` - - This command lists only the user accounts for which the Display Name starts with "John". - -- The role you want to assign - - To display the list of available roles that you can assign to user accounts, use this command: - - ```powershell - Get-MsolRole \| Sort Name \| Select Name,Description - ``` - -After you have the UPN of the account and the name of the role, use these commands to assign the role to the account: - -```powershell -$upnName="<The UPN of the account>" -$roleName="<The role name you want to assign to the account>" -Add-MsolRoleMember -RoleMemberEmailAddress $upnName -RoleName $roleName -``` - -Copy the commands and paste them into Notepad. For the $upnName* and $roleName variables. Replace the description text with their values. Remove the \< and > characters but keep the quotation marks. Paste the modified lines into Microsoft Azure Active Directory module for Windows PowerShell window to run them. Alternately, you can use the Windows PowerShell ISE. - -Here's an example of a completed command set: - -```powershell -$upnName="scottw@contoso.com" -$roleName="SharePoint Service Administrator" -Add-MsolRoleMember -RoleMemberEmailAddress $upnName -RoleName $roleName -``` - -### Multiple role changes - -For multiple role changes, determine the following information: - -- Which user accounts you want to configure. You can use the methods in the previous section to gather the set of display names or UPNs. - -- Which roles you want to assign to each user account. To display the list of available roles that you can assign to user accounts, use this command: - - ```powershell - Get-MsolRole \| Sort Name \| Select Name,Description - ``` - -Next, create a comma-separated value (CSV) text file that has the display name or UPN and role name fields. You can do this easily in Microsoft Excel. - -Here's an example for display names: - -```powershell -DisplayName,RoleName -"Belinda Newman","Billing Administrator" -"Scott Wallace","SharePoint Service Administrator" -``` - -Next, fill in the location of the CSV file and run the resulting commands at the PowerShell command prompt. - -```powershell -$fileName="<path and file name of the input CSV file that has the role changes, example: C:\admin\RoleUpdates.CSV>" -$roleChanges=Import-Csv $fileName \| ForEach {Add-MsolRoleMember -RoleMemberEmailAddress (Get-MsolUser \| Where DisplayName -eq $_.DisplayName).UserPrincipalName -RoleName $_.RoleName } - -``` - -Here's an example for UPNs: - -```powershell -UserPrincipalName,RoleName -"belindan@contoso.com","Billing Administrator" -"scottw@contoso.com","SharePoint Service Administrator" -``` - -Next, fill in the location of the CSV file and run the resulting commands at the PowerShell command prompt. - -```powershell -$fileName="<path and file name of the input CSV file that has the role changes, example: C:\admin\RoleUpdates.CSV>" -$roleChanges=Import-Csv $fileName \| ForEach { Add-MsolRoleMember -RoleMemberEmailAddress $_.UserPrincipalName -RoleName $_.RoleName } - +Connect-MgGraph -Scopes "Directory.Read.All" +Get-MgDirectoryRole \| Where-Object { $_.DisplayName -eq $roleName } \| ForEach-Object { Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id } ``` ## See also
enterprise	Request Fasttrack Assistance Microsoft 365	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/request-fasttrack-assistance-microsoft-365.md	# Request FastTrack assistance for Microsoft 365 -The FastTrack request for assistance (RFA) form is now available in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2226341" target="_blank">Microsoft 365 admin center</a> and the <a href="https://setup.microsoft.com/" target="_blank">Microsoft 365 Setup portal</a>. Submit this form to request guidance from FastTrack specialists with your Microsoft 365 deployment and migration efforts. FastTrack assistance is available for tenants with 150 or more licenses for the following Microsoft product families: Microsoft 365, Office 365, Microsoft Viva, Enterprise Mobility + Security, and Windows 10/11. See <a href="https://learn.microsoft.com/microsoft-365/fasttrack/eligibility" target="_blank">eligible plans</a> for details. +The FastTrack request for assistance (RFA) form is now available in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2226341" target="_blank">Microsoft 365 admin center</a> and the <a href="https://setup.microsoft.com/" target="_blank">Microsoft 365 Setup portal</a>. Submit this form to request guidance from FastTrack specialists with your Microsoft 365 deployment and migration efforts. FastTrack assistance is available for tenants with 150 or more licenses for the following Microsoft product families: Microsoft 365, Office 365, Microsoft Viva, Enterprise Mobility + Security, and Windows 10/11. See <a href="/microsoft-365/fasttrack/eligibility" target="_blank">eligible plans</a> for details. ## Submit an RFA in the Microsoft 365 admin center The FastTrack request for assistance (RFA) form is now available in the <a href= 1. Select <a href="https://go.microsoft.com/fwlink/?linkid=2226341" target="_blank">Advanced deployment guides & assistance</a> on the home page. -1. Select the FastTrack assistance tab and then select Submit a new request +1. Select the FastTrack assistance tab and then select Submit a new request. - a. After submission, receipt is confirmed with an RFA ID number, and the option to provide feedback about your experience. + After submission, receipt is confirmed with an RFA ID number, and the option to provide feedback about your experience. 1. Select Done. The FastTrack request for assistance (RFA) form is now available in the <a href= 1. Sign in with your work or school account. -1. Select Submit a new request +1. Select Submit a new request. - a. After submission, receipt is confirmed with an RFA ID number, and the option to provide feedback about your experience. + After submission, receipt is confirmed with an RFA ID number, and the option to provide feedback about your experience. 1. Select Done. For tenant admins: For non-admins: -1. Go to <a href="https://setup.microsoft.com/microsoft-365-fasttrack-assistance" target="_blank">setup.microsoft.com/microsoft-365-fasttrack-assistance</a>. +1. Go to <a href="https://setup.microsoft.com/microsoft-365-fasttrack-assistance" target="_blank">setup.microsoft.com/microsoft-365-fasttrack-assistance</a>. <!--2024-02-22: The doc build says the target site doesn't exist, but this link works fine.--> 1. Select Sign in and choose I'm not an admin before entering your work or school account.
enterprise	Upgrade Office 2013 Clients Servers	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/upgrade-office-2013-clients-servers.md	Title: "Resources to help you upgrade from Office 2013 clients and servers"---+++ Last updated 04/05/2022 audience: ITPro
lighthouse	M365 Lighthouse Data Privacy And Compliance	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-data-privacy-and-compliance.md	+ + Title: "Data privacy and compliance in Microsoft 365 Lighthouse" +f1.keywords: CSH ++++ Last updated : 02/22/2024 +audience: Admin ++ +ms.localizationpriority: medium + +- Tier1 +- scotvorg +- M365-subscription-management +- Adm_O365 +- essentials-privacy + +- AdminSurgePortfolib +- M365-Lighthouse +search.appverid: MET150 +description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn about data privacy and compliance in Lighthouse." ++ +# Data privacy and compliance in Microsoft 365 Lighthouse + +Data privacy is the protection of data from misuse. It's also the ability for a person to decide how personal data is collected, shared, stored, and used. In today's world, data privacy is a critical concern because it can affect the reputation, security, and trust of everyone involved. By ensuring a person's right to control their personal data, organizations can not only safeguard sensitive information, but also maintain a positive reputation and meet expectations for transparency and trustworthiness. + +> [!NOTE] +> This article is not a substitute for professional legal advice. You should consult your legal counsel for specific guidance on compliance with privacy regulations. + +## Shared responsibility + +Microsoft and Managed Service Providers (MSPs) share the responsibility for data protection when using data in Lighthouse. Both parties should ensure data protection aligns with Microsoft terms and conditions and complies with relevant regulations. The data protection roles and responsibilities are as follows: + +- Microsoft is responsible for providing the Lighthouse service and ensuring it's compliant and secure. +- MSPs are responsible for using customer data in a responsible and transparent manner. +- Customers are responsible for granting and revoking the relationships that provide their MSP access to the data. + +This collaborative approach ensures that all involved parties take necessary steps to safeguard the data and uphold the highest standards of data privacy. ++ +## Data access + +Data access is the authorized ability to access and use data. When it comes to accessing data in Lighthouse, Microsoft follows several key principles: + +- Openness: Microsoft believes in openness and collaboration. Data should be accessible to everyone who needs it, and it should foster innovation and inform decision-making. Open-data initiatives promote transparency and enable cross-organizational collaboration. +- Usability: Data access should be straightforward and user-friendly. Microsoft provides tools, APIs, and interfaces that allow developers and users to interact with data efficiently. Usability ensures that data is accessible without unnecessary complexity. +- Empowerment: Data access empowers individuals, organizations, and communities. Enabling access to relevant data allows Microsoft to contribute to solving real-world challenges and make a positive impact on society. +- Security: Microsoft prioritizes security when promoting data access. Robust authentication, authorization, and encryption mechanisms protect data from unauthorized access. Security measures ensure that data remains confidential and integral. +- Privacy: Respecting user privacy is paramount. Microsoft adheres to privacy regulations and best practices. Data access shouldn't compromise individual privacy rights, and personal data must be handled responsibly. + +These principles guide Microsoft's approach to data access. They emphasize responsible sharing and collaboration and foster innovation, while also safeguarding privacy and security. + +### Data access relationships + +In Lighthouse, data access relationships play a pivotal role in governing how MSPs interact with customer data. These relationships define the foundation for ethical and transparent data handling. The two key data access relationship types in Lighthouse include: + +- Delegated admin relationship + - Role: Delegated admins perform administrative tasks on behalf of customers. + - Purpose: This type of relationship streamlines routine actions like user management and service monitoring. + - Value added: Fine-grained permissions ensure controlled access. + +- Reseller relationship + - Role: Resellers act as intermediaries between Microsoft services and users. + - Purpose: They manage licensing, billing, and other services. + - Value added: Resellers often provide additional support and expertise. + +These relationships ensure MSPs access data responsibly while enhancing customer satisfaction. By understanding and optimizing these connections, organizations can build a robust data ecosystem. + +### Data feature areas + +Data access relationships intersect with the following data feature areas: + +- Customer success insights<br> + These features include opportunities and subscription renewals and enable MSPs to offer proactive guidance and recommendations to their customers. + - Data source: Lighthouse uses anonymized tenant-level usage data, which combines subscription information with aggregated insights. This approach ensures valuable analytics while safeguarding individual privacy. + - Example: By using the subscription renewals feature, an MSP can proactively connect with their customer to discuss their needs and take the appropriate actions to prevent a service interruption. + +- Customer management<br> + These features help MSPs monitor and manage customer data, devices, and users. + - Data source: Lighthouse collects data from customers who have an active delegated admin relationship with the MSP and whose tenant was successfully onboarded to Lighthouse. + - Example: By using the device compliance feature, an MSP can assess the status of customer devices and identify any issues affecting productivity and security. + +By understanding these feature areas and their connection to data access relationships, organizations can navigate data responsibly while enhancing customer satisfaction. + +## Data residency + +Data residency refers to the physical location where data is stored and processed. Data privacy, protection laws, and regulations might vary by region and country, and some customers might prefer or require their data to reside in certain locations. MSPs should understand how Lighthouse handles data residency and which options are available for them and their customers. + +Lighthouse processes and stores data in compliance with regional data protection laws and regulations. However, it's important to note that Lighthouse has different data residency commitments than other Microsoft 365 services. For example, some Microsoft 365 services allow customers to choose a specific country for their data processing and storage, whereas Lighthouse doesn't offer this option. MSPs and customers should be aware that Lighthouse processes and stores data in the region associated with the customer tenant. + +This approach is designed to provide a consistent and unified experience for MSPs who manage customers in different regions. By processing and storing data in the customer tenant's region, Lighthouse can optimize performance, reliability, and scalability for these MSPs. + +For more information on how Lighthouse handles data collection, see [Data collection for Microsoft 365 Lighthouse](m365-lighthouse-data-collection.md). + +## Data removal + +The data available in Lighthouse plays an important role in the valuable features and functions that Lighthouse provides for MSPs, such as optimized tenant management experiences and customer success insights. But what if you want to remove your data from Lighthouse? How do you remove it and what are the consequences? + +Data removal is the process of withdrawing permission to access and use data that was previously granted to a service. Data removal may also involve stopping the access and use of data that's already stored by the service. This can be done without impacting an MSP's relationship with its customer, since the MSP can still perform other administrative actions on behalf of the customer. Data removal is a crucial aspect of data governance because it allows MSPs and customers to control their data and protect their privacy and security. + +### Data removal for partner tenants + +MSPs control whether Lighthouse can access and use their data. To remove their data from Lighthouse, MSPs can do one of the following: + +- Contact Microsoft Support, who will process the partner tenant for offboarding from the Lighthouse service. +- Remove the service principals for Microsoft 365 Lighthouse on their own, if they have experience in managing service principals and Microsoft Entra ID. + +By performing one of these actions, MSPs can maintain control over their data while discontinuing the use of Lighthouse. These actions result in losing access to the features and functions provided by Lighthouse, such as tenant management experiences and customer success insights. + +### Data removal for customer tenants + +Customers control whether Lighthouse can access and use their data. Withdrawing the ability for Lighthouse to access and use customer data can affect the MSP's ability to effectively manage and secure the customer tenant. Before making any changes to data access, customers should consider the following: + +- Lighthouse might be the solution their MSP chose to provide the managed services that the customer purchased from the MSP. +- Lighthouse will no longer be able to provide the MSP with valuable insights into the configuration of the customer tenant and potential security issues might arise as a result. + +If an MSP wants to prevent Lighthouse from accessing and using customer data, the MSP can inactivate the customer tenant. Inactivation can be a useful approach since it doesn't affect the delegated admin relationship or reseller relationship between the customer and the MSP. To inactivate a customer tenant, MSPs should follow these steps: + +1. In the left navigation pane of Lighthouse, select Tenants to open the Tenants page. +2. Find the tenant that you want to inactivate, select the three dots (more actions) next to the tenant's name, and then select Inactivate tenant. +3. In the confirmation dialog, select Confirm to inactivate the tenant. + +Alternatively, the customer can withdraw the MSP's ability to access or use the customer's data by ending the delegated admin relationship and reseller relationship that they have with the MSP. Before removing either relationship, it's important to consider the following: + +- Removing the delegated admin relationship means the MSP can no longer perform admin actions on behalf of the customer, such as configuring services, resetting passwords, and much more. +- Removing the reseller relationship means the MSP will cancel any subscriptions the customer purchased through the MSP. + +## Data restrictions + +Data privacy and compliance are important aspects of using data in Lighthouse. The data restrictions are based on the product terms and conditions and the agreements that apply to the Cloud Solution Provider program. These agreements might change from time to time, and it's the responsibility of the MSP to follow them and consult with legal counsel as needed. + +Data restrictions limit the use of data. For example, data can't be used for marketing or sales purposes. MSPs can use data in Lighthouse for customer success purposes only, and only if it doesn't violate data restrictions or the customer's privacy preferences. Customer success purposes ensure customers achieve their desired outcomes while using a product or service. Marketing and sales purposes involve persuading customers to buy a product or service. + +Some examples of how data can be used for customer success include: + +- Providing relevant and timely communications and feedback to customers. +- Helping customers to adopt and use the features and capabilities that best suit their needs and goals. +- Providing customers with additional value or services that enhance their experience and outcomes with Microsoft online services. +- Providing proactive guidance and support to customers to resolve issues and prevent problems. + +## Data retention + +Lighthouse follows different data retention policies for different types of data that it collects from partner and customer tenants. The following table summarizes the data retention policies for each type of data, the deletion method, and the principles followed. + +\| Data type \| Retention period \| Deletion method \| Principles followed \| +\|--\|--\|--\|--\| +\| Data collected from customer tenants \| 30 days \| Automatic          \| Data minimization, transparency, accountability \| +\| Data generated by MSPs through use of the Lighthouse service \| Until deleted by the MSP or until the customer or MSP is offboarded \| Manual \| User control, consent \| +\| Diagnostic data collected from MSPs \| 30 days \| Automatic \| Data minimization, transparency, accountability \| + +The data retention policies are designed to minimize the amount of customer data that's stored outside of customer tenants, while still providing valuable insights and actions for MSPs. The policies are also designed to help MSPs manage their customers effectively and efficiently. Data retention policies follow the principles of data minimization, transparency, accountability, user control, consent, and choice when managing data. + +MSPs and customers can't configure data retention periods. When Lighthouse deletes data that's older than 30 days, it's permanently erased from the service and can't be recovered. The data isn't stored or transferred to any other location or service. + +For more information, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview). + +## Related content + +[Microsoft Trust Center](https://www.microsoft.com/trust-center/product-overview) (link page)\ +[Privacy at Microsoft](https://privacy.microsoft.com/) (link page)\ +[Data collection for Microsoft 365 Lighthouse](m365-lighthouse-data-collection.md) (article)\ +[Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview) (article)\ +[Microsoft Compliance Hub](/compliance/) (link page)
security	Android Configure Mam	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure-mam.md	Title: Configure Microsoft Defender for Endpoint on Android risk signals using App Protection Policies (MAM) description: Describes how to configure Microsoft Defender for Endpoint risk signals using App Protection policies -search.product: eADQiWindows 10XVcnh search.appverid: met150
security	Get Agent Details	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/Get-agent-details.md	Title: Get scan agent by ID description: Learn how to use the get agent details api keywords: apis, graph api, supported apis, agent details, definition -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Scan History By Definition	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/Get-scan-history-by-definition.md	ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Scan History By Session	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/Get-scan-history-by-session.md	Title: Get scan history by session -description: Learn how to use the get scan history by session api -keywords: apis, graph api, supported apis, scan history by session +description: Learn how to use the get scan history by session api. -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security Retrieves a list of the scan history by session. ## Limitations -1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. +1. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour. ## Permissions Delegated (work or school account)\|Machine.Read.All\|Read all scan information. > [!NOTE] > When obtaining a token using user credentials: > -> - To view data the user needs to have at least the following role permission: 'ViewData' or 'TvmViewData' (See [Create and manage roles](../user-roles.md) for more information) +> - To view data the user needs to have at least the following role permission: `ViewData` or `TvmViewData`. For more information, see [Create and manage roles](../user-roles.md). ## HTTP request If successful, this method returns 200 - OK response code with a list of the sca ## Example request -Here is an example of the request. +Here's an example of the request. ```http POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/GetScanHistoryBySessionId
security	Add A New Scan Definition	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/add-a-new-scan-definition.md	Title: Add, update or delete a scan definition -description: Learn how to use the Add, update or delete scan definitions. -keywords: apis, graph api, supported apis, scans, network scans, authenticated scan + Title: Add, update, or delete a scan definition +description: Learn how to use the Add, update, or delete scan definitions. -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security search.appverid: met150 Last updated 12/14/2022 -# Add, update or delete a scan definition +# Add, update, or delete a scan definition [!INCLUDE [Microsoft Defender XDR rebranding](../../../includes/microsoft-defender.md)] Last updated 12/14/2022 ## API description -API to add, update or delete an authenticated scan. +API to add, update, or delete an authenticated scan. ## Limitations -Rate limitations for this API are 100 calls per minute and 1500 calls per hour. +Rate limitations for this API are 100 calls per minute and 1,500 calls per hour. You can post on machines last seen according to your configured retention period. Delegated (work or school account)\|Machine.Read.Write\|Read and write all scan in > [!NOTE] > When obtaining a token using user credentials: > -> - To view data the user needs to have at least the following role permission: 'ViewData' or 'TvmViewData' (See [Create and manage roles](../user-roles.md) for more information) -> - To edit data the user needs to have at least the following role permission: 'ManageSecurity' (See [Create and manage roles](../user-roles.md) for more information) +> - To view data the user needs to have at least the following role permission: `ViewData` or `TvmViewData` (See [Create and manage roles](../user-roles.md) for more information) +> - To edit data the user needs to have at least the following role permission: `ManageSecurity` (See [Create and manage roles](../user-roles.md) for more information) ## HTTP request
security	Add Or Remove Machine Tags	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/add-or-remove-machine-tags.md	Title: Add or remove a tag for a machine description: Learn how to use the Add or Remove machine tags API to adds or remove a tag for a machine in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, tags, machine tags -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Add Or Remove Multiple Machine Tags	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/add-or-remove-multiple-machine-tags.md	Title: Add or remove a tag for multiple machines description: Learn how to use the Add or Remove machine tags API to add or remove a tag for multiple devices in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, tags, machine tags -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security Adds or removes a tag for the specified set of machines. ## Limitations 1. You can post on machines last seen according to your configured retention period. -2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -3. We can add or remove tag a for up to 500 machines per API call. +2. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour. +3. We can add or remove a tag for up to 500 machines per API call. ## Permissions Delegated (work or school account)\|Machine.ReadWrite\|'Read and write machine inf > [!NOTE] > When obtaining a token using user credentials: > -> - The user needs to have at least the following role permission: 'Manage security setting'. For more (See [Create and manage roles](../user-roles.md) for more information). +> - The user needs to have at least the following role permission: 'Manage security setting'. For more information, see [Create and manage roles](../user-roles.md). > - The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](../machine-groups.md) for more information). ## HTTP request Parameter\|Type\|Description :\|:\|: Value\|String\|The tag name. Required. Action\|Enum\|Add or Remove. Allowed values are: 'Add' or 'Remove'. Required. -MachineIds\|List (String)\|List of machine ids to update. Required.\| +MachineIds\|List (String)\|List of machine IDs to update. Required.\| ## Response If successful, this method returns 200 - Ok response code and the updated machin ## Example Request -Here is an example of a request that adds a tag to multiple machines. +Here's an example of a request that adds a tag to multiple machines. ```http POST https://api.securitycenter.microsoft.com/api/machines/AddOrRemoveTagForMultipleMachines
security	Alerts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/alerts.md	Title: Get alerts API description: Learn about the methods and properties of the Alert resource type in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, alerts, recent -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 12/18/2020 \|lastEventTime\|Nullable DateTimeOffset\|The last occurrence of the event that triggered the alert on the same device.\| \|firstEventTime\|Nullable DateTimeOffset\|The first occurrence of the event that triggered the alert on that device.\| \|lastUpdateTime\|Nullable DateTimeOffset\|The date and time (in UTC) the alert was last updated.\| -\|resolvedTime\|Nullable DateTimeOffset\|The date and time in which the status of the alert was changed to 'Resolved'.\| +\|resolvedTime\|Nullable DateTimeOffset\|The date and time in which the status of the alert was changed to Resolved.\| \|incidentId\|Nullable Long\|The [Incident](../view-incidents-queue.md) ID of the Alert.\| \|investigationId\|Nullable Long\|The [Investigation](../automated-investigations.md) ID related to the Alert.\| -\|investigationState\|Nullable Enum\|The current state of the [Investigation](../automated-investigations.md). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.\| +\|investigationState\|Nullable Enum\|The current state of the [Investigation](../automated-investigations.md). Possible values are: Unknown, Terminated, SuccessfullyRemediated, Benign, Failed, PartiallyRemediated, Running, PendingApproval, PendingResource, PartiallyInvestigated, TerminatedByUser, TerminatedBySystem, Queued, InnerFailure, PreexistingAlert, UnsupportedOs, UnsupportedAlertType, SuppressedAlert.\| \|assignedTo\|String\|Owner of the alert.\| \|rbacGroupName\|String\|Role-based access control device group name.\| \|mitreTechniques\|String\|Mitre Enterprise technique ID.\| \|relatedUser\|String\|Details of user related to a specific alert.\| -\|severity\|Enum\|Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.\| -\|status\|Enum\|Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.\| +\|severity\|Enum\|Severity of the alert. Possible values are: UnSpecified, Informational, Low, Medium, and High.\| +\|status\|Enum\|Specifies the current status of the alert. Possible values are: Unknown, New, InProgress and Resolved.\| \|classification\|Nullable Enum\|Specification of the alert. Possible values are: `TruePositive`, `Informational, expected activity`, and `FalsePositive`.\| -\|determination\|Nullable Enum\|Specifies the determination of the alert. <p>Possible determination values for each classification are: <br><li> <b>True positive</b>: `Multistage attack` (MultiStagedAttack), `Malicious user activity` (MaliciousUserActivity), `Compromised account` (CompromisedUser) ΓÇô consider changing the enum name in public api accordingly, `Malware` (Malware), `Phishing` (Phishing), `Unwanted software` (UnwantedSoftware), and `Other` (Other). <li> <b>Informational, expected activity:</b> `Security test` (SecurityTesting), `Line-of-business application` (LineOfBusinessApplication), `Confirmed activity` (ConfirmedUserActivity) - consider changing the enum name in public api accordingly, and `Other` (Other). <li> <b>False positive:</b> `Not malicious` (Clean) - consider changing the enum name in public api accordingly, `Not enough data to validate` (InsufficientData), and `Other` (Other).\| +\|determination\|Nullable Enum\|Specifies the determination of the alert. <p>Possible determination values for each classification are: <br><li> <b>True positive</b>: `Multistage attack` (MultiStagedAttack), `Malicious user activity` (MaliciousUserActivity), `Compromised account` (CompromisedUser) ΓÇô consider changing the enum name in public API accordingly, `Malware` (Malware), `Phishing` (Phishing), `Unwanted software` (UnwantedSoftware), and `Other` (Other). <li> <b>Informational, expected activity:</b> `Security test` (SecurityTesting), `Line-of-business application` (LineOfBusinessApplication), `Confirmed activity` (ConfirmedUserActivity) - consider changing the enum name in public API accordingly, and `Other` (Other). <li> <b>False positive:</b> `Not malicious` (Clean) - consider changing the enum name in public API accordingly, `Not enough data to validate` (InsufficientData), and `Other` (Other).\| \|category\|String\|Category of the alert.\| \|detectionSource\|String\|Detection source.\| \|threatFamilyName\|String\|Threat family.\| Last updated 12/18/2020 \|Evidence\|List of Alert evidence\|Evidence related to the alert. See the following example.\| > [!NOTE] -> Around August 29, 2022, previously supported alert determination values ('Apt' and 'SecurityPersonnel') will be deprecated and no longer available via the API. +> Around August 29, 2022, previously supported alert determination values (Apt and SecurityPersonnel) will be deprecated and no longer available via the API. ### Response example for getting single alert: GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_136 ## Related articles [Use the Microsoft Graph security API - Microsoft Graph \| Microsoft Learn](/graph/api/resources/security-api-overview)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../../includes/defender-mde-techcommunity.md)]
security	Api Explorer	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/api-explorer.md	Title: API Explorer in Microsoft Defender for Endpoint description: Use the API Explorer to construct and do API queries, test, and send requests for any available API -keywords: api, explorer, send, request, get, post, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Api Hello World	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/api-hello-world.md	Title: Hello World for Microsoft Defender for Endpoint API description: Create a practice 'Hello world'-style API call to the Microsoft Defender for Endpoint API. -keywords: apis, supported apis, advanced hunting, query, microsoft defender atp, microsoft defender for endpoint -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Api Power Bi	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/api-power-bi.md	Title: Microsoft Defender for Endpoint APIs connection to Power BI description: Create a Power Business Intelligence (BI) report on top of Microsoft Defender for Endpoint APIs. -keywords: apis, supported apis, Power BI, reports -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 12/18/2020 [!include[Improve request performance](../../../includes/improve-request-performance.md)] -In this section you will learn to create a Power BI report on top of Defender for Endpoint APIs. +In this section, you learn to create a Power BI report on top of Defender for Endpoint APIs. The first example demonstrates how to connect Power BI to Advanced Hunting API, and the second example demonstrates a connection to our OData APIs, such as Machine Actions or Alerts. The first example demonstrates how to connect Power BI to Advanced Hunting API, :::image type="content" source="../images/power-bi-set-credentials-organizational-cont.png" alt-text="The sign-in confirmation message in the Organizational account menu item" lightbox="../images/power-bi-set-credentials-organizational-cont.png"::: -Now the results of your query will appear as a table and you can start to build visualizations on top of it! +Now the results of your query appear as a table and you can start to build visualizations on top of it! You can duplicate this table, rename it, and edit the Advanced Hunting query inside to get any data you would like. You can duplicate this table, rename it, and edit the Advanced Hunting query ins The only difference from the previous example is the query inside the editor. Follow steps 1-3 above. -At step 4, instead of the code in that example, copy the code below and paste it in the editor to pull all Machine Actions from your organization: +At step 4, instead of the code in that example, copy the following code, and paste it in the editor to pull all Machine Actions from your organization: ``` let At step 4, instead of the code in that example, copy the code below and paste it ``` You can do the same for Alerts and Machines. -You also can use OData queries for queries filters, see [Using OData Queries](exposed-apis-odata-samples.md). +You also can use OData queries for queries filters. See [Using OData Queries](exposed-apis-odata-samples.md). ## Power BI dashboard samples in GitHub -For more information see the [Power BI report templates](https://github.com/microsoft/MicrosoftDefenderATP-PowerBI). +For more information, see the [Power BI report templates](https://github.com/microsoft/MicrosoftDefenderATP-PowerBI). ## Sample reports View the Microsoft Defender for Endpoint Power BI report samples. For more information, see [Browse code samples](/samples/browse/?products=mdatp). -## Related topics +## Related articles - [Defender for Endpoint APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Using OData Queries](exposed-apis-odata-samples.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../../includes/defender-mde-techcommunity.md)]
security	Api Release Notes	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/api-release-notes.md	Title: Microsoft Defender for Endpoint API release notes description: Release notes for updates made to the Microsoft Defender for Endpoint set of APIs. -keywords: Microsoft Defender for Endpoint API release notes, mde, APIs, Microsoft Defender for Endpoint API, updates, notes, release -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Apis Intro	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/apis-intro.md	Title: Access the Microsoft Defender for Endpoint APIs description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender for Endpoint capabilities -keywords: apis, api, wdatp, open api, microsoft defender for endpoint api, microsoft defender atp, public api, supported apis, alerts, device, user, domain, ip, file, advanced hunting, query -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium Last updated 01/25/2022-+ audience: ITPro - m365-security
security	Batch Delete Ti Indicators	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/batch-delete-ti-indicators.md	Title: Batch Delete Indicators API description: Learn how to use the Batch Delete Indicators API to delete indicator entities by ID in Microsoft Defender for Endpoint. -keywords: apis, public api, supported apis, delete, ti indicator, entity, id --+++ ms.localizationpriority: medium-+ - m365-security - tier3 Deletes [Indicator](ti-indicator.md) entities by ID. ## Limitations -Rate limitations for this API are 30 calls per minute and 1500 calls per hour. +Rate limitations for this API are 30 calls per minute and 1,500 calls per hour. Batch size limit of up to 500 [Indicator](ti-indicator.md) IDs. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md). -Permission type \| Permission \| Permission display name -:\|:\|: -Application \| Ti.ReadWrite \| 'Read and write TI Indicators' -Application \| Ti.ReadWrite.All \| 'Read and write Indicators' +\| Permission type \| Permission \| Permission display name \| +\|\|\|\| +\| Application \| Ti.ReadWrite \| 'Read and write TI Indicators' \| +\| Application \| Ti.ReadWrite.All \| 'Read and write Indicators' \| ## HTTP request In the request body, supply a JSON object with the following parameters: ## Response -If Indicators all existed and were deleted successfully - 204 OK without content +If Indicators all existed and were deleted successfully - 204 OK without content. -if indicator IDs list is empty or exceeds size limit - 400 Bad Request +If indicator IDs list is empty or exceeds size limit - 400 Bad Request. -if any indicator ID is invalid - 400 Bad Request +If any indicator ID is invalid - 400 Bad Request. -if requestor is not exposed to any indicator's device groups - 403 Forbidden +If requestor isn't exposed to any indicator's device groups - 403 Forbidden. -If any Indicator ID was not found - 404 Not Found +If any Indicator ID wasn't found - 404 Not Found. ## Example
security	Batch Update Alerts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/batch-update-alerts.md	Title: Batch Update alert entities API description: Learn how to update Microsoft Defender for Endpoint alerts in a batch by using this API. You can update the status, determination, classification, and assignedTo properties. -keywords: apis, graph api, supported apis, get, alert, information, id -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Cancel Machine Action	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/cancel-machine-action.md	Title: Cancel machine action API description: Learn how to cancel an already launched machine action -keywords: apis, graph api, search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Collect Investigation Package	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/collect-investigation-package.md	Title: Collect investigation package API description: Use this API to create calls related to the collecting an investigation package from a device. -keywords: apis, graph api, supported apis, collect investigation package -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Common Errors	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/common-errors.md	Title: Common Microsoft Defender for Endpoint API errors description: List of common Microsoft Defender for Endpoint API errors with descriptions. -keywords: APIs, Microsoft Defender for Endpoint API, errors, troubleshooting -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Create Alert By Reference	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/create-alert-by-reference.md	Title: Create alert from event API description: Learn how to use the Create alert API to create a new Alert on top of Event in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, alert, information, id -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Creates new [Alert](alerts.md) on top of Event. - Microsoft Defender for Endpoint Event is required for the alert creation. - You need to supply three parameters from the Event in the request: Event Time, Machine ID, and Report ID. See example below. - You can use an event found in Advanced Hunting API or Portal.-- If there existing an open alert on the same Device with the same Title, the new created alert will be merged with it. +- If there existing an open alert on the same Device with the same Title, the new created alert is merged with it. - An automatic investigation starts automatically on alerts created via the API. ## Limitations Creates new [Alert](alerts.md) on top of Event. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md). Permission type \| Permission \| Permission display name :\|:\|: Delegated (work or school account) \| Alert.ReadWrite \| 'Read and write alerts' > [!NOTE] > When obtaining a token using user credentials: > -> - The user needs to have at least the following role permission: 'Alerts investigation' (For more information see [Create and manage roles](../user-roles.md)) -> - The user needs to have access to the device associated with the alert, based on device group settings (For more information, see [Create and manage device groups](../machine-groups.md) +> - The user needs to have at least the following role permission: Alerts investigation. For more information, see [Create and manage roles](../user-roles.md). +> - The user needs to have access to the device associated with the alert, based on device group settings. For more information, see [Create and manage device groups](../machine-groups.md). > > Device Group creation is supported in both Defender for Endpoint Plan 1 and Plan 2 In the request body, supply the following values (all are required): Property \| Type \| Description :\|:\|: -eventTime \| DateTime(UTC) \| The precise time of the event as string, as obtained from advanced hunting. e.g., ```2018-08-03T16:45:21.7115183Z``` Required. +eventTime \| DateTime(UTC) \| The precise time of the event as string, as obtained from advanced hunting. For example, ```2018-08-03T16:45:21.7115183Z``` Required. reportId \| String \| The reportId of the event, as obtained from advanced hunting. Required. machineId \| String \| Id of the device on which the event was identified. Required. severity \| String \| Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. Required. category\| String \| Category of the alert. The property values are: "General", "C ## Response -If successful, this method returns 200 OK, and a new [alert](alerts.md) object in the response body. If event with the specified properties (_reportId_, _eventTime_ and _machineId_) was not found - 404 Not Found. +If successful, this method returns 200 OK, and a new [alert](alerts.md) object in the response body. If event with the specified properties (_reportId_, _eventTime_ and _machineId_) wasn't found - 404 Not Found. ## Example
security	Delete Library	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/delete-library.md	Title: Delete a file from the live response library description: Learn how to delete a file from the live response library. -keywords: apis, graph api, supported apis, delete from library -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Delete Ti Indicator By Id	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/delete-ti-indicator-by-id.md	Title: Delete Indicator API. description: Learn how to use the Delete Indicator API to delete an Indicator entity by ID in Microsoft Defender for Endpoint. -keywords: apis, public api, supported apis, delete, ti indicator, entity, id -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Deletes an [Indicator](ti-indicator.md) entity by ID. ## Limitations -Rate limitations for this API are 100 calls per minute and 1500 calls per hour. +Rate limitations for this API are 100 calls per minute and 1,500 calls per hour. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md). -Permission type \| Permission \| Permission display name -:\|:\|: -Application \| Ti.ReadWrite \| 'Read and write TI Indicators' -Application \| Ti.ReadWrite.All \| 'Read and write Indicators' +\| Permission type \| Permission \| Permission display name \| +\| :\|:\|:\| +\| Application \| Ti.ReadWrite \| 'Read and write TI Indicators' \| +\| Application \| Ti.ReadWrite.All \| 'Read and write Indicators' \| ## HTTP request Empty ## Response -If Indicator exists and deleted successfully - 204 OK without content +If Indicator exists and deleted successfully - 204 OK without content. -If Indicator with the specified id wasn't found - 404 Not Found +If Indicator with the specified ID wasn't found - 404 Not Found. ## Example Here's an example of the request. ```http DELETE https://api.securitycenter.microsoft.com/api/indicators/995 ```++ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../../includes/defender-mde-techcommunity.md)]
security	Device Health Api Methods Properties	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/device-health-api-methods-properties.md	Title: Microsoft Defender Antivirus export device antivirus health details API methods and properties description: "Learn how to export a list of Microsoft Defender Antivirus device health details." -keywords: apis, graph api, supported apis, get, device health api, Microsoft Defender for Endpoint report api microsoft defender reports api, microsoft defender for endpoint reporting api, windows defender reporting api, defender for endpoint reporting api, windows defender report api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium Last updated 11/03/2022-+ audience: ITPro - m365-security
security	Device Health Export Antivirus Health Report Api	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/device-health-export-antivirus-health-report-api.md	Title: Microsoft Defender Antivirus Device Health export device antivirus health reporting description: Presents methods to retrieve Microsoft Defender Antivirus device health details. -keywords: apis, graph api, supported apis, get, device health api, Microsoft Defender for Endpoint report api microsoft defender reports api, microsoft defender for endpoint reporting api, windows defender reporting api, defender for endpoint reporting api, windows defender report api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium Last updated 11/03/2022-+ audience: ITPro - m365-security
security	Export Certificate Inventory Assessment	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/export-certificate-inventory-assessment.md	Title: Certificate assessment methods and properties per device description: Provides information about the certificates APIs that pull "Microsoft Defender Vulnerability Management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization. -keywords: api, apis, export assessment, per device assessment, per machine assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine, -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Export Firmware Hardware Assessment	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/export-firmware-hardware-assessment.md	Title: Hardware and firmware assessment methods and properties per device description: Provides information about the Firmware and Hardware APIs that pull "Microsoft Defender Vulnerability Management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization. -keywords: api, apis, export assessment, per device assessment, per machine assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine, firmware and hardware assessment -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Export Security Baseline Assessment	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/export-security-baseline-assessment.md	Title: Security baseline assessment methods and properties per device description: Provides information about the security baselines APIs that pull "Microsoft Defender Vulnerability Management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization. -keywords: api, apis, export assessment, per device assessment, per machine assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine, -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Exposed Apis Create App Nativeapp	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-nativeapp.md	Title: Use Microsoft Defender for Endpoint APIs description: Learn how to design a native Windows app to get programmatic access to Microsoft Defender for Endpoint without a user. -keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium Last updated 01/25/2023-+ audience: ITPro - m365-security
security	Exposed Apis Create App Partners	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-partners.md	Title: Partner access through Microsoft Defender for Endpoint APIs description: Learn how to design a web app to get programmatic access to Microsoft Defender for Endpoint on behalf of your users. -keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium Last updated 01/25/2023-+ audience: ITPro - m365-security search.appverid: met150 This page describes how to create a Microsoft Entra application to get programmatic access to Microsoft Defender for Endpoint on behalf of your customers. -Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Microsoft Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs help you automate work flows and innovate based on Microsoft Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). -In general, you'll need to take the following steps to use the APIs: +In general, you need to take the following steps to use the APIs: - Create a multi-tenant Microsoft Entra application. - Get authorized(consent) by your customer administrator for your application to access Defender for Endpoint resources it needs. - Get an access token using this application. - Use the token to access Microsoft Defender for Endpoint API. -The following steps will guide you how to create a Microsoft Entra application, get an access token to Microsoft Defender for Endpoint and validate the token. +The following steps guide you how to create a Microsoft Entra application, get an access token to Microsoft Defender for Endpoint and validate the token. -## Create the multi-tenant app +## Create the multitenant app 1. Sign in to your [Azure tenant](https://portal.azure.com) with user that has Global Administrator role. The following steps will guide you how to create a Microsoft Entra application, - On your application page, select API Permissions \> Add permission \> APIs my organization uses > type WindowsDefenderATP and select on WindowsDefenderATP. - - Note: WindowsDefenderATP does not appear in the original list. Start writing its name in the text box to see it appear. + - Note that WindowsDefenderATP doesn't appear in the original list. Start writing its name in the text box to see it appear. :::image type="content" source="../images/add-permission.png" alt-text="The Add a permission option" lightbox="../images/add-permission.png"::: ### Request API permissions -To determine which permission you need, review the Permissions section in the API you are interested to call. For instance: +To determine which permission you need, review the Permissions section in the API you're interested to call. For instance: - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission - To [isolate a device](isolate-machine.md), select 'Isolate machine' permission -In the following example we will use 'Read all alerts' permission: +In the following example we use 'Read all alerts' permission: 1. Choose Application permissions \> Alert.Read.All > select on Add permissions In the following example we will use 'Read all alerts' permission: - Select Certificates & secrets, add description to the secret and select Add. - Important: After click Add, copy the generated secret value. You won't be able to retrieve after you leave! + Important: After you select Add, make sure to copy the generated secret value. You won't be able to retrieve it after you leave! :::image type="content" source="../images/webapp-create-key2.png" alt-text="The create app key" lightbox="../images/webapp-create-key2.png"::: In the following example we will use 'Read all alerts' permission: 5. Add the application to your customer's tenant. - You need your application to be approved in each customer tenant where you intend to use it. This is because your application interacts with Microsoft Defender for Endpoint application on behalf of your customer. + You need your application to be approved in each customer tenant where you intend to use it. This approval is necessary because your application interacts with Microsoft Defender for Endpoint application on behalf of your customer. A user with Global Administrator from your customer's tenant need to select the consent link and approve your application. In the following example we will use 'Read all alerts' permission: :::image type="content" source="../images/app-consent-partner.png" alt-text="The Accept button" lightbox="../images/app-consent-partner.png"::: - In addition, you will need to ask your customer for their tenant ID and save it for future use when acquiring the token. + In addition, you'll need to ask your customer for their tenant ID and save it for future use when acquiring the token. -6. Done! You have successfully registered an application! See examples below for token acquisition and validation. +6. Done! You successfully registered an application! See the following examples for token acquisition and validation. ## Get an access token example Note: To get access token on behalf of your customer, use the customer's tenant ID on the following token acquisitions. -For more information on Microsoft Entra token, see [Microsoft Entra tutorial](/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) +For more information on Microsoft Entra token, see [Microsoft Entra tutorial](/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds). ### Using PowerShell return $token using Microsoft.Identity.Client; ``` -- Copy/Paste the below code in your application (do not forget to update the three variables: `tenantId`, `appId`, and `appSecret`) +- Copy/Paste the below code in your application (don't forget to update the three variables: `tenantId`, `appId`, and `appSecret`) ```csharp string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here return $token ### Using Python -Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token) +Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token). ### Using Curl > [!NOTE] > The below procedure supposed Curl for Windows is already installed on your computer -- Open a command window-- Set CLIENT_ID to your Azure application ID-- Set CLIENT_SECRET to your Azure application secret-- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft Defender for Endpoint application-- Run the below command: +1. Open a command window. -```curl -curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k -``` +2. Set CLIENT_ID to your Azure application ID. -You will get an answer of the form: +3. Set CLIENT_SECRET to your Azure application secret. -```console -{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"} -``` +4. Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft Defender for Endpoint application. + +5. Run the following command: + + ```curl + curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k + ``` + + You get an answer of the form: + + ```console + {"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"} + ``` ## Validate the token -Sanity check to make sure you got a correct token: +Confirm you received a correct token. + +1. Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it. + +2. Confirm you get a 'roles' claim with the desired permissions. + + In the following screenshot, you can see a decoded token acquired from an Application with multiple permissions to Microsoft Defender for Endpoint: -- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it-- Validate you get a 'roles' claim with the desired permissions-- In the screenshot below, you can see a decoded token acquired from an Application with multiple permissions to Microsoft Defender for Endpoint:-- The "tid" claim is the tenant ID the token belongs to. + The "tid" claim is the tenant ID the token belongs to. + :::image type="content" source="../images/webapp-decoded-token.png" alt-text="The token validation page" lightbox="../images/webapp-decoded-token.png"::: ## Use the token to access Microsoft Defender for Endpoint API -- Choose the API you want to use, for more information, see [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md)-- Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme)-- The Expiration time of the token is 1 hour (you can send more than one request with the same token) +1. Choose the API you want to use. For more information, see [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md). -- Example of sending a request to get a list of alerts using C# +2. Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme). The Expiration time of the token is 1 hour (you can send more than one request with the same token). - ```csharp - var httpClient = new HttpClient(); + Here's an example of sending a request to get a list of alerts using C# + + ```csharp + var httpClient = new HttpClient(); - var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.microsoft.com/api/alerts"); + var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.microsoft.com/api/alerts"); - request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token); + request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token); - var response = httpClient.SendAsync(request).GetAwaiter().GetResult(); + var response = httpClient.SendAsync(request).GetAwaiter().GetResult(); // Do something useful with the response ``` Sanity check to make sure you got a correct token: - [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md) - [Access Microsoft Defender for Endpoint on behalf of a user](exposed-apis-create-app-nativeapp.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../../includes/defender-mde-techcommunity.md)]
security	Exposed Apis Create App Webapp	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-webapp.md	Title: Create an app to access Microsoft Defender for Endpoint without a user description: Learn how to design a web app to get programmatic access to Microsoft Defender for Endpoint without a user. -keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium Last updated 01/25/2023-+ audience: ITPro - m365-security
security	Exposed Apis Full Sample Powershell	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/exposed-apis-full-sample-powershell.md	Title: Advanced Hunting with PowerShell API Guide description: Use these code samples, querying several Microsoft Defender for Endpoint APIs. -keywords: apis, supported apis, advanced hunting, query -search.product: eADQiWindows 10XVcnh -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Exposed Apis List	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/exposed-apis-list.md	Title: Supported Microsoft Defender for Endpoint APIs description: Learn about the specific supported Microsoft Defender for Endpoint entities where you can create API calls to. -keywords: apis, supported apis, actor, alerts, device, user, domain, ip, file, advanced queries, advanced hunting -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium Last updated 01/25/2023-+ audience: ITPro - m365-security
security	Exposed Apis Odata Samples	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/exposed-apis-odata-samples.md	Title: OData queries with Microsoft Defender for Endpoint description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender for Endpoint. -keywords: apis, supported apis, odata, query -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium Last updated 01/25/2023-+ audience: ITPro - m365-security
security	Fetch Alerts Mssp	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/fetch-alerts-mssp.md	Title: Fetch alerts from MSSP customer tenant description: Learn how to fetch alerts from a customer tenant -keywords: managed security service provider, mssp, configure, integration -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Files	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/files.md	Title: File resource type description: Retrieve recent Microsoft Defender for Endpoint alerts related to files. -keywords: apis, graph api, supported apis, get, alerts, recent -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Represent a file entity in Defender for Endpoint. ## Methods -Method\|Return Type \|Description -:\|:\|: -[Get file](get-file-information.md) \| [file](files.md) \| Get a single file -[List file related alerts](get-file-related-alerts.md) \| [alert](alerts.md) collection \| Get the [alert](alerts.md) entities that are associated with the file. -[List file related machines](get-file-related-machines.md) \| [machine](machine.md) collection \| Get the [machine](machine.md) entities associated with the alert. -[file statistics](get-file-statistics.md) \| Statistics summary \| Retrieves the prevalence for the given file. +\|Method\|Return Type \|Description\| +\|:\|:\|:\| +\|[Get file](get-file-information.md) \| [file](files.md) \| Get a single file \| +\|[List file related alerts](get-file-related-alerts.md) \| [alert](alerts.md) collection \| Get the [alert](alerts.md) entities that are associated with the file.\| +\|[List file related machines](get-file-related-machines.md) \| [machine](machine.md) collection \| Get the [machine](machine.md) entities associated with the alert.\| +\|[file statistics](get-file-statistics.md) \| Statistics summary \| Retrieves the prevalence for the given file.\| ## Properties Method\|Return Type \|Description \|globalLastObserved \| DateTimeOffset \| Last time the file was observed \| \|size \| Nullable long \| Size of the file \| \|fileType \| String \| Type of the file \| -\|isPeFile \| Boolean \| true if the file is portable executable (e.g. "DLL", "EXE", etc.) \| +\|isPeFile \| Boolean \| true if the file is portable executable (for example `DLL`, `EXE`, etc.) \| \|filePublisher \| String \| File publisher \| \|fileProductName \| String \| Product name \| \|signer \| String \| File signer \|
security	Find Machine Info By Ip	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/find-machine-info-by-ip.md	Title: Find device information by internal IP API description: Use this API to create calls related to finding a device entry around a specific timestamp by internal IP. -keywords: ip, apis, graph api, supported apis, find device, device information -search.product: eADQiWindows 10XVcnh -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Find Machines By Ip	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/find-machines-by-ip.md	Title: Find devices by internal IP API description: Find devices seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp -keywords: apis, graph api, supported apis, get, device, IP, find, find device, by ip, ip -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Find Machines By Tag	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/find-machines-by-tag.md	Title: Find devices by tag API description: Find all devices that contain specific tag -keywords: apis, supported apis, get, device, find, find device, by tag, tag -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Alert Info By Id	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-alert-info-by-id.md	Title: Get alert information by ID API description: Learn how to use the Get alert information by ID API to retrieve a specific alert by its ID in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, alert, information, id -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Alert Related Domain Info	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-alert-related-domain-info.md	Title: Get alert related domains information description: Retrieve all domains related to a specific alert using Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get alert information, alert information, related domain -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Alert Related Files Info	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-alert-related-files-info.md	Title: Get alert related files information description: Retrieve all files related to a specific alert using Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get alert information, alert information, related files -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Alert Related Ip Info	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-alert-related-ip-info.md	Title: Get alert-related IPs' information description: Retrieve all IPs related to a specific alert using Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get alert information, alert information, related ip -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Alert Related Machine Info	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-alert-related-machine-info.md	Title: Get alert related machine information description: Retrieve all devices related to a specific alert using Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get alert information, alert information, related device -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Alert Related User Info	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-alert-related-user-info.md	Title: Get alert related user information description: Learn how to use the Get alert-related user information API to retrieve the user related to a specific alert in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, alert, information, related, user -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Alerts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-alerts.md	Title: List alerts API description: Learn how to use the List alerts API to retrieve a collection of alerts in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, alerts, recent -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 12/18/2020 ## API description+ Retrieves a collection of Alerts. -<br>Supports [OData V4 queries](https://www.odata.org/documentation/). -<br>OData supported operators: -<br>```$filter``` on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```, ```InvestigationId```, ```id```, ```asssignedTo```, ```detectionSource```, ```lastEventTime```, ```status```, ```severity``` and ```category``` properties. -<br>```$top``` with max value of 10,000 -<br>```$skip``` -<br>```$expand``` of ```evidence``` -<br>See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md) + +Supports [OData V4 queries](https://www.odata.org/documentation/). + +OData supported operators: + +- ```$filter``` on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```, ```InvestigationId```, ```id```, ```asssignedTo```, ```detectionSource```, ```lastEventTime```, ```status```, ```severity``` and ```category``` properties. +- ```$top``` with max value of 10,000 +- ```$skip``` +- ```$expand``` of ```evidence``` +- See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md). ## Limitations+ 1. You can get alerts last updated according to your configured retention period.+ 2. Maximum page size is 10,000. -3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + +3. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md). -Permission type \| Permission \| Permission display name -:\|:\|: -Application \| Alert.Read.All \| 'Read all alerts' -Application \| Alert.ReadWrite.All \| 'Read and write all alerts' -Delegated (work or school account) \| Alert.Read \| 'Read alerts' -Delegated (work or school account) \| Alert.ReadWrite \| 'Read and write alerts' +\|Permission type \| Permission \| Permission display name\| +\|:\|:\|:\| +\|Application \| Alert.Read.All \| `Read all alerts`\| +\|Application \| Alert.ReadWrite.All \| `Read and write all alerts`\| +\|Delegated (work or school account) \| Alert.Read \| `Read alerts`\| +\|Delegated (work or school account) \| Alert.ReadWrite \| `Read and write alerts`\| > [!NOTE] > When obtaining a token using user credentials: > -> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](../user-roles.md) for more information) -> - The response will include only alerts that are associated with devices that the user can access, based on device group settings (See [Create and manage device groups](../machine-groups.md) for more information) +> - The user needs to have at least the following role permission: `View Data` (See [Create and manage roles](../user-roles.md) for more information) +> - The response includes only alerts that are associated with devices that the user can access, based on device group settings (See [Create and manage device groups](../machine-groups.md) for more information) > > Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2. GET /api/alerts ## Request headers -Name\|Type\|Description -:\|:\|: -Authorization \| String \| Bearer {token}. Required. +\|Name\|Type\|Description\| +\|:\|:\|:\| +\|Authorization \| String \| Bearer {token}. Required.\| ## Request body If successful, this method returns 200 OK, and a list of [alert](alerts.md) obje ### Request -Here is an example of the request. +Here's an example of the request. ```http GET https://api.securitycenter.microsoft.com/api/alerts GET https://api.securitycenter.microsoft.com/api/alerts ### Response -Here is an example of the response. +Here's an example of the response. > [!NOTE] > The response list shown here may be truncated for brevity. All alerts will be returned from an actual call. Here is an example of the response. ### Request -Here is an example of the request. +Here's an example of the request. ```http GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence ### Response -Here is an example of the response. +Here's an example of the response. > [!NOTE] > The response list shown here may be truncated for brevity. All alerts will be returned from an actual call. Here is an example of the response. ## See also [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../../includes/defender-mde-techcommunity.md)]
security	Get All Recommendations	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-all-recommendations.md	Title: List all recommendations description: Retrieves a list of all security recommendations affecting the organization. -keywords: apis, graph api, supported apis, get, security recommendations, Microsoft Defender for Endpoint tvm api, threat and vulnerability management, threat and vulnerability management api, mdvm -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get All Scan Agents	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-all-scan-agents.md	Title: Get all scan agents description: Learn how to use the Get all scan agents API -keywords: apis, graph api, supported apis, scan, authenticated scan, agent -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get All Scan Definitions	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-all-scan-definitions.md	Title: Get scan definitions description: Learn how to use the Get all scan definition APIs -keywords: apis, graph api, supported apis, scan, authenticated scan -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get All Vulnerabilities By Machines	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-all-vulnerabilities-by-machines.md	Title: Get all vulnerabilities by machine and software description: Retrieves a list of all the vulnerabilities affecting the organization by Machine and Software -keywords: apis, graph api, supported apis, get, vulnerability information, Microsoft Defender for Endpoint tvm api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get All Vulnerabilities	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-all-vulnerabilities.md	Title: Get all vulnerabilities description: Retrieves a list of all the vulnerabilities affecting the organization -keywords: apis, graph api, supported apis, get, vulnerability information, Microsoft Defender for Endpoint tvm api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Assessment Browser Extensions	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-assessment-browser-extensions.md	Title: Export browser extensions assessment description: Returns a table with an entry for every unique combination of DeviceId, BrowserName, ExtensionID. -keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, browser extension assessment -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Assessment Information Gathering	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-assessment-information-gathering.md	Title: Export information gathering assessment description: Returns a table with an entry for every unique combination of DeviceId, DeviceName, Additional fields. -keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, information gathering assessment -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Assessment Methods Properties	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-assessment-methods-properties.md	Title: Export assessment methods and properties per device description: Provides information about the APIs that pull "Microsoft Defender Vulnerability Management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization. -keywords: api, apis, export assessment, per device assessment, per machine assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Assessment Non Cpe Software Inventory	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-assessment-non-cpe-software-inventory.md	Title: Export non product code software inventory assessment per device description: Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion for software that doesn't have a Common Platform Enumeration (CPE) -keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine, -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Assessment Secure Config	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-assessment-secure-config.md	Title: Export secure configuration assessment per device description: Returns an entry for every unique combination of DeviceId, ConfigurationId. -keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Assessment Software Inventory	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-assessment-software-inventory.md	Title: Export software inventory assessment per device description: Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. -keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Assessment Software Vulnerabilities	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-assessment-software-vulnerabilities.md	Title: Export software vulnerabilities assessment per device description: The API response is per device and contains vulnerable software installed on your exposed devices and any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. -keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Authenticated Scan Properties	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-authenticated-scan-properties.md	Title: Authenticated scan methods and properties description: The API response contains Microsoft Defender Vulnerability Management authenticated scans created in your tenant. You can request all the scans, all the scan definitions or add a new network our authenticated scan. -keywords: apis, scan, authenticated scan, get, authenticated methods, authenticated properties, -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 12/14/2022 Method\|Description :\|:\|: [Get all scan definitions](get-all-scan-definitions.md)\|List all scan definitions. -[Add, delete or update a scan definition](add-a-new-scan-definition.md)\|Add, delete, or update a new scan definition. +[Add, delete, or update a scan definition](add-a-new-scan-definition.md)\|Add, delete, or update a new scan definition. [Get all scan agents](get-all-scan-agents.md)\|List all scan agents. -[Get scan agent by Id](Get-agent-details.md)\| Retrieves the details for a specified agent by its Id. +[Get scan agent by ID](Get-agent-details.md)\| Retrieves the details for a specified agent by its ID. [Get scan history by definition](get-scan-history-by-definition.md)\|List scan definition history. [Get scan history by session](get-scan-history-by-session.md)\|List scan history for a session. Learn more about [Windows authenticated scan](../../defender-vulnerability-manag Property\|Data type\|Description :\|:\|: id\|String\| Scan ID. -scanType\|Enum\|The type of scan. Possible values are: "Windows", "Network". +scanType\|Enum\|The type of scan. Possible values are: `Windows`, `Network`. scanName\|String\|Name of the scan. isActive\|Boolean\|Status of whether the scan actively running. orgId \|String\| Related organization ID. intervalInHours\|Int\|The interval at which the scan runs. createdBy\|String\| Unique identity of the user that created the scan. -targetType\|String\|The target type in the target field. Possible types are "IP Address" or "Hostname". Default value is IP Address. +targetType\|String\|The target type in the target field. Possible types are `IP Address` or `Hostname`. Default value is IP Address. target\|String\| A comma separated list of targets to scan, either IP addresses or hostnames. scanAuthenticationParams\|Object\|An object representing the authentication parameters, see [Authentication parameters object properties](#authentication-parameters-object-properties) for expected fields. This property is mandatory when creating a new scan and is optional when updating a scan. scannerAgent\|Object\|An object representing the scanner agent, contains the machine Id of the scanning device. scannerAgent\|Object\|An object representing the scanner agent, contains the machi Property\|Data type\|Description :\|:\|: -@odata.type\|Enum\|The scan type authentication parameters. Possible values are: "#microsoft.windowsDefenderATP.api.SnmpAuthParams" for "Network" scan type, and "#microsoft.windowsDefenderATP.api.WindowsAuthParams" for "Windows" scan type. -type\|Enum\|The authentication method. Possible values vary based on @odata.type property. <br/> - If @odata.type is "SnmpAuthParams", possible values are "CommunityString", "NoAuthNoPriv", "AuthNoPriv", "AuthPriv". <br/> - If @odata.type is "WindowsAuthParams" possible values are "Kerberos" or "Negotiate". -KeyVaultUrl\|String (Optional)\|An optional property that specifies from which KeyVault the scanner should retrieve credentials. If KeyVault is specified there's no need to specify username, password. -KeyVaultSecretName\|String (Optional)\|An optional property that specifies KeyVault secret name from which the scanner should retrieve credentials. If KeyVault is specified there's no need to specify username, password. -Domain\|String (Optional)\|Domain name when using "WindowsAuthParams". -Username\|String (Optional)\|Username when using "WindowsAuthParams" or the username when choosing "SnmpAuthParams" with any type other than "CommunityString". -IsGMSAUser\|Boolean (Optional)\|Must be set to true when choosing "WindowsAuthParams". -CommunityString\|String (Optional)\|Community string to use when choosing "SnmpAuthParams" with "CommunityString" -AuthProtocol\|String (Optional)\|Auth protocol to use with "SnmpAuthParams" and "AuthNoPriv" or "AuthPriv". Possible values are "MD5", "SHA1". -AuthPassword\|String (Optional)\|Auth password to use with "SnmpAuthParams" and "AuthNoPriv" or "AuthPriv". -PrivProtocol\|String (Optional)\|Priv protocol to use with "SnmpAuthParams" and "AuthPriv". Possible values are "DES", "3DES", "AES". -PrivPassword\|String (Optional)\|Priv password to use with "SnmpAuthParams" and "AuthPriv". +\|@odata.type\|Enum\|The scan type authentication parameters. Possible values are: `#microsoft.windowsDefenderATP.api.SnmpAuthParams` for `Network` scan type, and `#microsoft.windowsDefenderATP.api.WindowsAuthParams` for `Windows` scan type.\| +\|type\|Enum\|The authentication method. Possible values vary based on @odata.type property. <br/> - If @odata.type is `SnmpAuthParams`, possible values are `CommunityString`, `NoAuthNoPriv`, `AuthNoPriv`, `AuthPriv`. <br/> - If `@odata.type` is `WindowsAuthParams` possible values are `Kerberos` or `Negotiate`.\| +\|KeyVaultUrl\|String (Optional)\|An optional property that specifies from which KeyVault the scanner should retrieve credentials. If KeyVault is specified there's no need to specify username, password.\| +\|KeyVaultSecretName\|String (Optional)\|An optional property that specifies KeyVault secret name from which the scanner should retrieve credentials. If KeyVault is specified there's no need to specify username, password.\| +\|Domain\|String (Optional)\|Domain name when using `WindowsAuthParams`.\| +\|Username\|String (Optional)\|Username when using `WindowsAuthParams` or the username when choosing `SnmpAuthParams` with any type other than `CommunityString`.\| +\|IsGMSAUser\|Boolean (Optional)\|Must be set to true when choosing `WindowsAuthParams`.\| +\|CommunityString\|String (Optional)\|Community string to use when choosing `SnmpAuthParams` with `CommunityString`\| +\|AuthProtocol\|String (Optional)\|Auth protocol to use with `SnmpAuthParams` and `AuthNoPriv` or `AuthPriv`. Possible values are `MD5`, `SHA1`.\| +\|AuthPassword\|String (Optional)\|Auth password to use with `SnmpAuthParams` and `AuthNoPriv` or `AuthPriv`.\| +\|PrivProtocol\|String (Optional)\|Priv protocol to use with `SnmpAuthParams` and `AuthPriv`. Possible values are `DES`, `3DES`, `AES`.\| +\|PrivPassword\|String (Optional)\|Priv password to use with `SnmpAuthParams` and `AuthPriv`.\| + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../../includes/defender-mde-techcommunity.md)]
security	Get Browser Extensions Permission Info	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-browser-extensions-permission-info.md	Title: Get browser extensions permission info description: Retrieves a list of all permissions required for a browser extension -keywords: apis, graph api, supported apis, get, browser extension information, Microsoft Defender for Endpoint, Microsoft Defender Vulnerability Management -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Device Secure Score	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-device-secure-score.md	Title: Get the device secure score description: Retrieves the organizational device secure score. -keywords: apis, graph api, supported apis, get, alerts, recent -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Discovered Vulnerabilities	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-discovered-vulnerabilities.md	Title: Get discovered vulnerabilities description: Retrieves a collection of discovered vulnerabilities related to a given device ID. -keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, Microsoft Defender for Endpoint tvm api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Domain Related Alerts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-domain-related-alerts.md	Title: Get domain-related alerts API description: Learn how to use the Get domain-related alerts API to retrieve alerts related to a given domain address in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, domain, related, alerts -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Domain Related Machines	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-domain-related-machines.md	Title: Get domain-related machines API description: Learn how to use the Get domain-related machines API to get machines that communicated to or from a domain in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, domain, related, devices -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Domain Statistics	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-domain-statistics.md	Title: Get domain statistics API description: Learn how to use the Get domain statistics API to retrieve the statistics on the given domain in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, domain, domain related devices -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Exposure Score	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-exposure-score.md	Title: Get exposure score description: Retrieves the organizational exposure score. -keywords: apis, graph api, supported apis, get, exposure score, organizational exposure score -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get File Information	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-file-information.md	Title: Get file information API description: Learn how to use the Get file information API to get a file by Sha1, Sha256, or MD5 identifier in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get File Related Alerts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-file-related-alerts.md	Title: Get file-related alerts API description: Learn how to use the Get file-related alerts API to get a collection of alerts related to a given file hash in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, file, hash -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get File Related Machines	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-file-related-machines.md	Title: Get file-related machines API description: Learn how to use the Get file-related machines API to get a collection of machines related to a file hash in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, devices, hash -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get File Statistics	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-file-statistics.md	Title: Get file statistics API description: Learn how to use the Get file statistics API to retrieve the statistics for the given file in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, file, statistics -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Installed Software	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-installed-software.md	Title: Get installed software description: Retrieves a collection of installed software related to a given device ID. -keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per device, threat & vulnerability management api, Microsoft Defender for Endpoint tvm api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Investigation Collection	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-investigation-collection.md	Title: List Investigations API -description: Use this API to create calls related to get Investigations collection -keywords: apis, graph api, supported apis, Investigations collection +description: Use this API to create calls related to get Investigations collection. -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Retrieves a collection of [Investigations](investigation.md). Supports [OData V4 queries](https://www.odata.org/documentation/). -The OData's `$filter` query is supported on: `startTime`, `id`, `state`, `machineId` and `triggeringAlertId` properties. +The OData's `$filter` query is supported on: `startTime`, `id`, `state`, `machineId`, and `triggeringAlertId` properties. <br>```$stop``` with max value of 10,000 <br>```$skip``` See examples at [OData queries with Microsoft Defender for Endpoint](exposed-api ## Limitations 1. Maximum page size is 10,000. -2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. +2. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md). -Permission type\|Permission\|Permission display name -:\|:\|: -Application\|Alert.Read.All\|'Read all alerts' -Application\|Alert.ReadWrite.All\|'Read and write all alerts' -Delegated (work or school account)\|Alert.Read\|'Read alerts' -Delegated (work or school account)\|Alert.ReadWrite\|'Read and write alerts' +\|Permission type\|Permission\|Permission display name\| +\|:\|:\|:\| +\|Application\|Alert.Read.All\|`Read all alerts` \| +\|Application\|Alert.ReadWrite.All\|`Read and write all alerts` \| +\|Delegated (work or school account)\|Alert.Read\|`Read alerts` \| +\|Delegated (work or school account)\|Alert.ReadWrite\|`Read and write alerts` \| > [!NOTE] > When obtaining a token using user credentials: > -> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](../user-roles.md) for more information) +> - The user needs to have at least the following role permission: `View Data`. For more information, see [Create and manage roles](../user-roles.md) for more information. ## HTTP request GET https://api.securitycenter.microsoft.com/api/investigations ## Request headers -Name\|Type\|Description -:\|:\|: -Authorization\|String\|Bearer {token}. Required. +\|Name\|Type\|Description\| +\|:\|:\|:\| +\|Authorization\|String\|Bearer {token}. Required.\| ## Request body If successful, this method returns 200, Ok response code with a collection of [I ### Request example -Here is an example of a request to get all investigations: +Here's an example of a request to get all investigations: ```http GET https://api.securitycenter.microsoft.com/api/investigations GET https://api.securitycenter.microsoft.com/api/investigations ### Response example -Here is an example of the response: +Here's an example of the response: ```json {
security	Get Investigation Object	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-investigation-object.md	Title: Get Investigation object API description: Use this API to create calls related to get Investigation object -keywords: apis, graph api, supported apis, Investigation object -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Ip Related Alerts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-ip-related-alerts.md	Title: Get IP related alerts API -description: Retrieve a collection of alerts related to a given IP address using Microsoft Defender for Endpoint -keywords: apis, graph api, supported apis, get, ip, related, alerts +description: Retrieve a collection of alerts related to a given IP address using Microsoft Defender for Endpoint. -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Retrieves a collection of alerts related to a given IP address. ## Limitations -1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. +1. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md). -Permission type\|Permission\|Permission display name -:\|:\|: -Application\|Alert.Read.All\|'Read all alerts' -Application\|Alert.ReadWrite.All\|'Read and write all alerts' -Delegated (work or school account) \| Alert.Read \| 'Read alerts' -Delegated (work or school account) \| Alert.ReadWrite \| 'Read and write alerts' +\|Permission type\|Permission\|Permission display name\| +\|:\|:\|:\| +\|Application\|Alert.Read.All\|`Read all alerts`\| +\|Application\|Alert.ReadWrite.All\|`Read and write all alerts`\| +\|Delegated (work or school account) \| Alert.Read \| `Read alerts`\| +\|Delegated (work or school account) \| Alert.ReadWrite \| `Read and write alerts`\| > [!NOTE] > When obtaining a token using user credentials: > -> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](../user-roles.md) for more information) -> - Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](../machine-groups.md) for more information) +> - The user needs to have at least the following role permission: `View Data`. For more information, see [Create and manage roles](../user-roles.md) for more information. +> - Response includes only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](../machine-groups.md) for more information) > > Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2. Empty ## Response -If successful and IP exists - 200 OK with list of [alert](alerts.md) entities in the body. If IP address is unknown but valid, it will return an empty set. -If the IP address is invalid, it will return HTTP 400. +If successful and IP exists - 200 OK with list of [alert](alerts.md) entities in the body. If IP address is unknown but valid, it returns an empty set. +If the IP address is invalid, it returns HTTP 400. ## Example ### Request -Here is an example of the request. +Here's an example of the request. ```http GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/alerts
security	Get Ip Statistics	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-ip-statistics.md	Title: Get IP statistics API description: Get the latest stats for your IP using Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, ip, statistics, prevalence -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Live Response Result	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-live-response-result.md	Title: Get live response results description: Learn how to retrieve a specific live response command result by its index. -keywords: apis, graph api, supported apis, upload to library search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Machine By Id	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-machine-by-id.md	Title: Get machine by ID API description: Learn how to use the Get machine by ID API to retrieve a machine by its device ID or computer name in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, devices, entity, id -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Machine Group Exposure Score	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-machine-group-exposure-score.md	Title: List exposure score by device group description: Retrieves a list of exposure scores by device group. -keywords: apis, graph api, supported apis, get, exposure score, device group, device group exposure score -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Machine Log On Users	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-machine-log-on-users.md	Title: Get machine logon users API description: Learn how to use the Get machine logon users API to retrieve a collection of logged on users on a device in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, device, log on, users -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Machine Related Alerts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-machine-related-alerts.md	Title: Get machine related alerts API description: Learn how to use the Get machine related alerts API. This API allows you to retrieve all alerts that are related to a specific device in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, devices, related, alerts -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Machineaction Object	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-machineaction-object.md	Title: Get MachineAction object API description: Learn how to use the Get MachineAction API to retrieve a specific Machine Action by its ID in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, machineaction object -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Machineactions Collection	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-machineactions-collection.md	Title: List machineActions API description: Learn how to use the List MachineActions API to retrieve a collection of Machine Actions in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, machineaction collection -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Machines By Software	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-machines-by-software.md	Title: List devices by software description: Retrieve a list of devices that has this software installed. -keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, Microsoft Defender for Endpoint tvm api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Machines By Vulnerability	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-machines-by-vulnerability.md	Title: List devices by vulnerability description: Retrieves a list of devices affected by a vulnerability. -keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, Microsoft Defender for Endpoint tvm api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Machines	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-machines.md	Title: List machines API description: Learn how to use the List machines API to retrieve a collection of machines that have communicated with Microsoft Defender for Endpoint cloud. --++ ms.localizationpriority: medium-+ audience: ITPro
security	Get Missing Kbs Machine	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-missing-kbs-machine.md	Title: Get missing KBs by device ID description: Retrieves missing security updates by device ID -keywords: apis, graph api, supported apis, get, list, file, information, device id, threat & vulnerability management api, Microsoft Defender for Endpoint tvm api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Missing Kbs Software	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-missing-kbs-software.md	Title: Get missing KBs by software ID description: Retrieves missing security updates by software ID -keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, Microsoft Defender for Endpoint tvm api, mdvm, Microsoft Defender Vulnerability Management -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Package Sas Uri	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-package-sas-uri.md	Title: Get package SAS URI API description: Use this API to get a URI that allows downloading an investigation package. -keywords: apis, graph api, supported apis, get package, sas, uri -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Recommendation By Id	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-recommendation-by-id.md	Title: Get recommendation by Id description: Retrieves a security recommendation by its ID. -keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Recommendation Machines	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-recommendation-machines.md	Title: List devices by recommendation description: Retrieves a list of devices associated with the security recommendation. -keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Recommendation Vulnerabilities	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-recommendation-vulnerabilities.md	Title: List vulnerabilities by recommendation description: Retrieves a list of vulnerabilities associated with the security recommendation. -keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Remediation All Activities	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-remediation-all-activities.md	Title: List all remediation activities description: Returns information about all remediation activities. -keywords: apis, remediation, remediation api, get, remediation tasks, all remediation, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Remediation Exposed Devices Activities	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-remediation-exposed-devices-activities.md	Title: List exposed devices of one remediation activity description: Returns information about exposed devices for the specified remediation task. -keywords: apis, remediation, remediation api, get, remediation tasks, remediation exposed devices -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Remediation Methods Properties	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-remediation-methods-properties.md	Title: Remediation activity methods and properties description: The API response contains Microsoft Defender Vulnerability Management remediation activities created in your tenant. You can request all the remediation activities, only one remediation activity, or information about exposed devices for a selected remediation task. -keywords: apis, remediation, remediation api, get, remediation tasks, remediation methods, remediation properties, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Remediation One Activity	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-remediation-one-activity.md	Title: Get one remediation activity by ID description: Returns information for the specified remediation activity. -keywords: apis, remediation, remediation api, get, remediation tasks, remediation by ID, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Security Baselines Assessment Configurations	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-security-baselines-assessment-configurations.md	Title: Get baseline profile configurations description: Provides information about the security baselines assessment configurations that pull "Microsoft Defender Vulnerability Management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization. -keywords: api, apis, export assessment, per device assessment, per machine assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine, -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Security Baselines Assessment Profiles	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-security-baselines-assessment-profiles.md	Title: Security baselines assessment profiles description: Provides information about the security baselines assessment profiles APIs that pull "Microsoft Defender Vulnerability Management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization. -keywords: api, apis, export assessment, per device assessment, per machine assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine, -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Security Recommendations	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-security-recommendations.md	Title: Get security recommendations description: Retrieves a collection of security recommendations related to a given device ID. -keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, Microsoft Defender for Endpoint tvm api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Software By Id	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-software-by-id.md	Title: Get software by ID description: Retrieves a list of software details by ID. -keywords: apis, graph api, supported apis, get, software, Microsoft Defender for Endpoint tvm api, mdvm, Microsoft Defender Vulnerability Management -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Software Ver Distribution	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-software-ver-distribution.md	Title: List software version distribution description: Retrieves a list of your organization's software version distribution -keywords: apis, graph api, supported apis, get, software version distribution, Microsoft Defender for Endpoint tvm api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Software	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-software.md	Title: List software description: Retrieves a list of software inventory -keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, Microsoft Defender for Endpoint tvm api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Ti Indicators Collection	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-ti-indicators-collection.md	Title: List Indicators API description: Learn how to use the List Indicators API to retrieve a collection of all active Indicators in Microsoft Defender for Endpoint. -keywords: apis, public api, supported apis, Indicators collection -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security The OData's `$filter` query is supported on: `application`, `createdByDisplayNam <br>```$stop``` with max value of 10,000. <br>```$skip```. -See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md) +See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md). ## Limitations -1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. +Rate limitations for this API are 100 calls per minute and 1,500 calls per hour. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md). -Permission type\|Permission\|Permission display name -:\|:\|: -Application\|Ti.ReadWrite\|'Read and write Indicators' -Application\|Ti.ReadWrite.All\|'Read and write All Indicators' -Delegated (work or school account)\|Ti.ReadWrite\|'Read and write Indicators' +\|Permission type\|Permission\|Permission display name\| +\|\|\|\| +\| Application\|Ti.ReadWrite\|`Read and write Indicators` \| +\| Application\|Ti.ReadWrite.All\|`Read and write All Indicators` \| +\| Delegated (work or school account)\|Ti.ReadWrite\|`Read and write Indicators` \| ## HTTP request GET https://api.securitycenter.microsoft.com/api/indicators ## Request headers -Name\|Type\|Description -:\|:\|: -Authorization\|String\|Bearer {token}. Required. +\|Name\|Type\|Description\| +\|\|\|\| +\|Authorization\|String\|Bearer {token}. Required.\| ## Request body Empty If successful, this method returns 200, Ok response code with a collection of [Indicator](ti-indicator.md) entities. > [!NOTE] -> If the Application has 'Ti.ReadWrite.All' permission, it will be exposed to all Indicators. Otherwise, it will be exposed only to the Indicators it created. +> If the Application has `Ti.ReadWrite.All` permission, it will be exposed to all Indicators. Otherwise, it will be exposed only to the Indicators it created. ## Example 1 ### Example 1 request -Here is an example of a request that gets all Indicators +Here's an example of a request that gets all indicators. ```http GET https://api.securitycenter.microsoft.com/api/indicators GET https://api.securitycenter.microsoft.com/api/indicators ### Example 1 response -Here is an example of the response. +Here's an example of the response. ```json HTTP/1.1 200 Ok Content-type: application/json ### Example 2 request -Here is an example of a request that gets all Indicators with 'AlertAndBlock' action +Here's an example of a request that gets all Indicators with `AlertAndBlock` action. ```http GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'AlertAndBlock' GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'A ### Example 2 response -Here is an example of the response. +Here's an example of the response. ```json HTTP/1.1 200 Ok Content-type: application/json ] } ```+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../../includes/defender-mde-techcommunity.md)]
security	Get User Related Alerts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-user-related-alerts.md	Title: Get user-related alerts API description: Retrieve a collection of alerts related to a given user ID using Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, user, related, alerts -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get User Related Machines	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-user-related-machines.md	Title: Get user-related machines API description: Learn how to use the Get user-related machines API to retrieve a collection of devices related to a user ID in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, get, user, user related alerts -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Vuln By Software	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-vuln-by-software.md	Title: List vulnerabilities by software description: Retrieve a list of vulnerabilities in the installed software. -keywords: apis, graph api, supported apis, get, vulnerabilities list, Microsoft Defender for Endpoint tvm api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Get Vulnerability By Id	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-vulnerability-by-id.md	Title: Get vulnerability by ID description: Retrieves vulnerability information by its ID. -keywords: apis, graph api, supported apis, get, vulnerability information, Microsoft Defender for Endpoint tvm api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Import Ti Indicators	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/import-ti-indicators.md	Title: Import Indicators API description: Learn how to use the Import batch of Indicator API in Microsoft Defender for Endpoint. -keywords: apis, supported apis, submit, ti, indicator, update -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 02/02/2021 Submits or Updates batch of [Indicator](ti-indicator.md) entities. -CIDR notation for IPs is not supported. +CIDR notation for IPs isn't supported. ## Limitations 1. Rate limitations for this API are 30 calls per minute. -2. There is a limit of 15,000 active [Indicators](ti-indicator.md) per tenant. +2. There's a limit of 15,000 active [Indicators](ti-indicator.md) per tenant. 3. Maximum batch size for one API call is 500. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md). -Permission type\|Permission\|Permission display name -:\|:\|: -Application\|Ti.ReadWrite\|'Read and write Indicators' -Application\|Ti.ReadWrite.All\|'Read and write All Indicators' -Delegated (work or school account)\|Ti.ReadWrite\|'Read and write Indicators' +\|Permission type\|Permission\|Permission display name\| +\|\|\|\| +\|Application\|Ti.ReadWrite\|`Read and write Indicators`\| +\|Application\|Ti.ReadWrite.All\|`Read and write All Indicators`\| +\|Delegated (work or school account)\|Ti.ReadWrite\|`Read and write Indicators`\| ## HTTP request POST https://api.securitycenter.microsoft.com/api/indicators/import ## Request headers -Name\|Type\|Description -:\|:\|: -Authorization\|String\|Bearer {token}. Required. -Content-Type\|string\|application/json. Required. +\| Name\|Type\|Description\| +\|\|\|\| +\|Authorization\|String\|Bearer {token}. Required.\| +\|Content-Type\|string\|application/json. Required.\| ## Request body In the request body, supply a JSON object with the following parameters: -Parameter\|Type\|Description -:\|:\|: -Indicators\|List<[Indicator](ti-indicator.md)>\|List of [Indicators](ti-indicator.md). Required +\|Parameter\|Type\|Description\| +\|\|\|\| +\|Indicators\|List<[Indicator](ti-indicator.md)>\|List of [Indicators](ti-indicator.md). Required \| ## Response -- If successful, this method returns 200 - OK response code with a list of import results per indicator, see example below. +- If successful, this method returns 200 - OK response code with a list of import results per indicator, see the following example. - If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body. ## Example ### Request example -Here is an example of the request. +Here's an example of the request. ```http POST https://api.securitycenter.microsoft.com/api/indicators/import POST https://api.securitycenter.microsoft.com/api/indicators/import ### Response example -Here is an example of the response. +Here's an example of the response. ```json { Here is an example of the response. } ``` -## Related topic +## Related article - [Manage indicators](../manage-indicators.md) [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../../includes/defender-mde-techcommunity.md)]
security	Initiate Autoir Investigation	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/initiate-autoir-investigation.md	Title: Start Investigation API description: Use this API to start investigation on a device. -keywords: apis, graph api, supported apis, investigation -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Investigation	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/investigation.md	Title: Investigation resource type description: Microsoft Defender for Endpoint Investigation entity. -keywords: apis, graph api, supported apis, get, alerts, investigations -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Isolate Machine	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/isolate-machine.md	Title: Isolate machine API description: Learn how to use the Isolate machine API to isolate a device from accessing external network in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, isolate device -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	List Library Files	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/list-library-files.md	Title: List library files description: Learn how to list live response library files. -keywords: apis, graph api, supported apis, get, devices -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security List live response library files. ## Limitations -1. Rate limitations for this API are 100 calls per minute and 1500 calls per +1. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour. ## Permissions If successful, this method returns 200 - OK response code with a collection Request -Here is an example of a request that gets all live response library files +Here's an example of a request that gets all live response library files. ```HTTP GET https://api.securitycenter.microsoft.com/api/libraryfiles GET https://api.securitycenter.microsoft.com/api/libraryfiles ## Response example -Here is an example of the response. +Here's an example of the response. ```JSON HTTP/1.1 200 Ok Content-type: application/json ``` -## Related topic +## Related article - [Run live response](run-live-response.md) [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../../includes/defender-mde-techcommunity.md)]
security	List Recommendation Software	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/list-recommendation-software.md	Title: List software by recommendation description: Retrieves a security recommendation related to a specific software. -keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Machine	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/machine.md	Title: Machine resource type description: Learn about the methods and properties of the Machine resource type in Microsoft Defender for Endpoint. -keywords: apis, supported apis, get, machines -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 12/18/2020 \|firstSeen\|DateTimeOffset\|First date and time where the [machine](machine.md) was observed by Microsoft Defender for Endpoint.\| \|lastSeen\|DateTimeOffset\|Time and date of the last received full device report. A device typically sends a full report every 24 hours. <br> NOTE: This property doesn't correspond to the last seen value in the UI. It pertains to the last device update.\| \|osPlatform\|String\|Operating system platform.\| -\|onboardingstatus\|String\|Status of machine onboarding. Possible values are: "onboarded", "CanBeOnboarded", "Unsupported", and "InsufficientInfo".\| +\|onboardingstatus\|String\|Status of machine onboarding. Possible values are: `onboarded`, `CanBeOnboarded`, `Unsupported`, and `InsufficientInfo`.\| \|osProcessor\|String\|Operating system processor. Use osArchitecture property instead.\| \|version\|String\|Operating system Version.\| \|osBuild\|Nullable long\|Operating system build number.\| \|lastIpAddress\|String\|Last IP on local NIC on the [machine](machine.md).\| \|lastExternalIpAddress\|String\|Last IP through which the [machine](machine.md) accessed the internet.\| -\|healthStatus\|Enum\|[machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData", "NoSensorDataImpairedCommunication" and "Unknown".\| +\|healthStatus\|Enum\|[machine](machine.md) health status. Possible values are: `Active`, `Inactive`, `ImpairedCommunication`, `NoSensorData`, `NoSensorDataImpairedCommunication`, and `Unknown`.\| \|rbacGroupName\|String\|Machine group Name.\| \|rbacGroupId\|String\|Machine group ID.\| -\|riskScore\|Nullable Enum\|Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'.\| +\|riskScore\|Nullable Enum\|Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: `None`, `Informational`, `Low`, `Medium`, and `High`.\| \|aadDeviceId\|Nullable representation Guid\|Microsoft Entra Device ID (when [machine](machine.md) is Microsoft Entra joined).\| \|machineTags\|String collection\|Set of [machine](machine.md) tags.\| -\|exposureLevel\|Nullable Enum\|Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'.\| -\|deviceValue\|Nullable Enum\|The [value of the device](../tvm-assign-device-value.md). Possible values are: 'Normal', 'Low' and 'High'.\| +\|exposureLevel\|Nullable Enum\|Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: `None`, `Low`, `Medium`, and `High`.\| +\|deviceValue\|Nullable Enum\|The [value of the device](../tvm-assign-device-value.md). Possible values are: `Normal`, `Low`, and `High`.\| \|ipAddresses\|IpAddress collection\|Set of *IpAddress* objects. See [Get machines API](get-machines.md).\| -\|osArchitecture\|String\|Operating system architecture. Possible values are: "32-bit", "64-bit". Use this property instead of osProcessor.\| +\|osArchitecture\|String\|Operating system architecture. Possible values are: `32-bit`, `64-bit`. Use this property instead of osProcessor.\| + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../../includes/defender-mde-techcommunity.md)]
security	Machineaction	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/machineaction.md	Title: machineAction resource type description: Learn about the methods and properties of the MachineAction resource type in Microsoft Defender for Endpoint. -keywords: apis, supported apis, get, machineaction, recent -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 12/18/2020 \|Property\|Type\|Description\| \|\|\|\| \|ID\|Guid\|Identity of the [Machine Action](machineaction.md) entity.\| -\|type\|Enum\|Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "LiveResponse", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution", and "UnrestrictCodeExecution".\| -\|scope\|string\|Scope of the action. "Full" or "Selective" for Isolation, "Quick" or "Full" for Anti-Virus scan.\| +\|type\|Enum\|Type of the action. Possible values are: `RunAntiVirusScan`, `Offboard`, `LiveResponse`, `CollectInvestigationPackage`, `Isolate`, `Unisolate`, `StopAndQuarantineFile`, `RestrictCodeExecution`, and `UnrestrictCodeExecution`.\| +\|scope\|string\|Scope of the action. `Full` or `Selective` for Isolation, `Quick` or `Full` for antivirus scan.\| \|requestor\|String\|Identity of the person that executed the action.\| \|externalID\|String\|Id the customer can submit in the request for custom correlation.\| \|requestSource\|string\|The name of the user/application that submitted the action.\| Last updated 12/18/2020 \|cancellationRequestor\|String\|Identity of the person that canceled the action.\| \|requestorComment\|String\|Comment that was written when issuing the action.\| \|cancellationComment\|String\|Comment that was written when canceling the action.\| -\|status\|Enum\|Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut", and "Cancelled".\| +\|status\|Enum\|Current status of the command. Possible values are: `Pending`, `InProgress`, `Succeeded`, `Failed`, `TimeOut`, and `Cancelled`.\| \|machineId\|String\|ID of the [machine](machine.md) on which the action was executed.\| \|computerDnsName\|String\|Name of the [machine](machine.md) on which the action was executed.\| \|creationDateTimeUtc\|DateTimeOffset\|The date and time when the action was created.\| \|cancellationDateTimeUtc\|DateTimeOffset\|The date and time when the action was canceled.\| \|lastUpdateDateTimeUtc\|DateTimeOffset\|The last date and time when the action status was updated.\| \|title\|String\|Machine action title.\| -\|relatedFileInfo\|Class\|Contains two Properties. string `fileIdentifier`, Enum `fileIdentifierType` with the possible values: "Sha1", "Sha256", and "Md5".\| +\|relatedFileInfo\|Class\|Contains two Properties. string `fileIdentifier`, Enum `fileIdentifierType` with the possible values: `Sha1`, `Sha256`, and `Md5`.\| ## Json representation
security	Management Apis	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/management-apis.md	Title: Overview of management and APIs description: Learn about the management tools and API categories in Microsoft Defender for Endpoint -keywords: onboarding, api, siem, rbac, access, portal, integration, investigation, response, entities, entity, user context, application context, streaming -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Offboard Machine Api	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/offboard-machine-api.md	Title: Offboard machine API description: Learn how to use an API to offboard a device from Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, collect investigation package --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Post Ti Indicator	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/post-ti-indicator.md	Title: Submit or Update Indicator API description: Learn how to use the Submit or Update Indicator API to submit or update a new Indicator entity in Microsoft Defender for Endpoint. -keywords: apis, graph api, supported apis, submit, ti, indicator, update -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 12/18/2020 Submits or Updates new [Indicator](ti-indicator.md) entity. -CIDR notation for IPs is not supported. +CIDR notation for IPs isn't supported. ## Limitations -1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -2. There is a limit of 15,000 active indicators per tenant. +1. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour. +2. There's a limit of 15,000 active indicators per tenant. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md). -Permission type\|Permission\|Permission display name -:\|:\|: -Application\|Ti.ReadWrite\|'Read and write Indicators' -Application\|Ti.ReadWrite.All\|'Read and write All Indicators' -Delegated (work or school account)\|Ti.ReadWrite\|'Read and write Indicators' +\|Permission type\|Permission\|Permission display name\| +\|:\|:\|:\| +\|Application\|Ti.ReadWrite\|`Read and write Indicators`\| +\|Application\|Ti.ReadWrite.All\|`Read and write All Indicators`\| +\|Delegated (work or school account)\|Ti.ReadWrite\|`Read and write Indicators`\| ## HTTP request In the request body, supply a JSON object with the following parameters: Parameter\|Type\|Description :\|:\|: indicatorValue\|String\|Identity of the [Indicator](ti-indicator.md) entity. Required -indicatorType\|Enum\|Type of the indicator. Possible values are: "FileSha1", "FileMd5", "CertificateThumbprint", "FileSha256", "IpAddress", "DomainName" and "Url". Required -action\|Enum\|The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "Warn", "Block", "Audit, "BlockAndRemediate", "AlertAndBlock", and "Allowed". Required. The "GenerateAlert" parameter must be set to "TRUE" when creating an action with "Audit". -application\|String\|The application associated with the indicator. This field only works for new indicators. It will not update the value on an existing indicator. Optional +indicatorType\|Enum\|Type of the indicator. Possible values are: `FileSha1`, `FileMd5`, `CertificateThumbprint`, `FileSha256`, `IpAddress`, `DomainName`, and `Url`. Required +action\|Enum\|The action that is taken if the indicator is discovered in the organization. Possible values are: `Alert`, `Warn`, `Block`, `Audit`, `BlockAndRemediate`, `AlertAndBlock`, and `Allowed`. Required. The `GenerateAlert` parameter must be set to `TRUE` when creating an action with `Audit`. +application\|String\|The application associated with the indicator. This field only works for new indicators. It doesn't update the value on an existing indicator. Optional title\|String\|Indicator alert title. Required description\|String\|Description of the indicator. Required expirationTime\|DateTimeOffset\|The expiration time of the indicator. Optional -severity\|Enum\|The severity of the indicator. Possible values are: "Informational", "Low", "Medium", and "High". Optional +severity\|Enum\|The severity of the indicator. Possible values are: `Informational`, `Low`, `Medium`, and `High`. Optional recommendedActions\|String\|TI indicator alert recommended actions. Optional rbacGroupNames\|String\|Comma-separated list of RBAC group names the indicator would be applied to. Optional educateUrl\|String\|Custom notification/support URL. Supported for Block and Warn action types for URL indicators. Optional -generateAlert\|Enum\|True if alert generation is required, False if this indicator should not generate an alert. +generateAlert\|Enum\|True if alert generation is required, False if this indicator shouldn't generate an alert. ## Response - If successful, this method returns 200 - OK response code and the created / updated [Indicator](ti-indicator.md) entity in the response body. generateAlert\|Enum\|True if alert generation is required, False if this i ### Request -Here is an example of the request. +Here's an example of the request. ```http POST https://api.securitycenter.microsoft.com/api/indicators POST https://api.securitycenter.microsoft.com/api/indicators } ``` -## Related topic +## Related article - [Manage indicators](../manage-indicators.md) [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../../includes/defender-mde-techcommunity.md)]
security	Raw Data Export Event Hub	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/raw-data-export-event-hub.md	Title: Stream Microsoft Defender for Endpoint events to Azure Event Hubs description: Learn how to configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Event Hubs. -keywords: raw data export, streaming API, API, Azure Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Raw Data Export Storage	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/raw-data-export-storage.md	Title: Stream Microsoft Defender for Endpoint events to your Storage account description: Learn how to configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Storage account. -keywords: raw data export, streaming API, API, Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 12/18/2020 1. Create a [Storage account](/azure/storage/common/storage-account-overview) in your tenant. -2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights. +2. Sign in to your [Azure tenant](https://ms.portal.azure.com/), go to Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights. ## Enable raw data streaming -1. Log in to [Microsoft Defender XDR](https://security.microsoft.com) as a *Global Administrator* or *Security Administrator. +1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com) as a Global Administrator* or *Security Administrator. 2. Go to [Data export settings page](https://security.microsoft.com/settings/mtp_settings/raw_data_export) in Microsoft Defender XDR. -3. Click on Add data export settings. +3. Select on Add data export settings. 4. Choose a name for your new settings. Last updated 12/18/2020 :::image type="content" source="../images/storage-account-resource-id.png" alt-text="The Event Hubs with resource ID1" lightbox="../images/storage-account-resource-id.png"::: -7. Choose the events you want to stream and click Save. +7. Choose the events you want to stream and select Save. ## The schema of the events in the Storage account -- A blob container will be created for each event type: +- A blob container is created for each event type: :::image type="content" source="../images/storage-account-event-schema.png" alt-text="The Event Hubs with resource ID2" lightbox="../images/storage-account-event-schema.png"::: Last updated 12/18/2020 - Each blob contains multiple rows. -- Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties". +- Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you get events only from your tenant), and the event in JSON format in a property called "properties". - For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](../advanced-hunting-overview.md). -- In Advanced Hunting, the DeviceInfo* table has a column named MachineGroup which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](../machine-groups.md) for more information. +- In Advanced Hunting, the DeviceInfo table has a column named MachineGroup which contains the group of the device. Here, every event is decorated with this column as well. For more information, see [Device Groups](../machine-groups.md). > [!NOTE] > Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2. Last updated 12/18/2020 In order to get the data types for our events properties do the following: -1. Log in to [Microsoft Defender XDR](https://security.microsoft.com) and go to [Advanced Hunting page](https://security.microsoft.com/hunting-package). +1. Sign in to [Microsoft Defender XDR](https://security.microsoft.com) and go to [Advanced Hunting page](https://security.microsoft.com/hunting-package). 2. Run the following query to get the data types mapping for each event: In order to get the data types for our events properties do the following: \| project ColumnName, ColumnType ``` -- Here is an example for Device Info event: +- Here's an example for Device Info event: :::image type="content" source="../images/data-types-mapping-query.png" alt-text="The Event Hubs with resource ID3" lightbox="../images/data-types-mapping-query.png"::: -## Related topics +## Related articles - [Stream Microsoft Defender XDR events \| Microsoft Learn](/microsoft-365/security/defender/streaming-api)
security	Raw Data Export	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/raw-data-export.md	Title: Stream Microsoft Defender for Endpoint event description: Learn how to configure Microsoft Defender for Endpoint to stream Advanced Hunting events to Event Hubs or Azure storage account -keywords: raw data export, streaming API, API, Event hubs, Azure storage, storage account, Advanced Hunting, raw data sharing -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Recommendation	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/recommendation.md	Title: Recommendation methods and properties description: Retrieves the top recent alerts. -keywords: apis, graph api, supported apis, get, alerts, recent -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Want to experience Defender for Endpoint? [Sign up for a free trial.](https://si \|recommendedVersion\|String\|Recommended version\| \|recommendedProgram\|String\|Recommended program\| \|recommendedVendor\|String\|Recommended vendor\| -\|recommendationCategory\|String\|Recommendation category. Possible values are: "Accounts", "Application", "Network", "OS", "SecurityControls"\| -\|subCategory\|String\|Recommendation sub-category\| +\|recommendationCategory\|String\|Recommendation category. Possible values are: `Accounts`, `Application`, `Network`, `OS`, `SecurityControls`\| +\|subCategory\|String\|Recommendation subcategory\| \|severityScore\|Double\|Potential impact of the configuration to the organization's Microsoft Secure Score for Devices (1-10)\| \|publicExploit\|Boolean\|Public exploit is available\| \|activeAlert\|Boolean\|Active alert is associated with this recommendation\| \|associatedThreats\|String collection\|Threat analytics report is associated with this recommendation\| -\|remediationType\|String\|Remediation type. Possible values are: "ConfigurationChange","Update","Upgrade","Uninstall"\| -\|Status\|Enum\|Recommendation exception status. Possible values are: "Active" and "Exception"\| +\|remediationType\|String\|Remediation type. Possible values are: `ConfigurationChange`,`Update`,`Upgrade`,`Uninstall`\| +\|Status\|Enum\|Recommendation exception status. Possible values are: `Active` and `Exception`\| \|configScoreImpact\|Double\|Microsoft Secure Score for Devices impact\| \|exposureImpact\|Double\|Exposure score impact\| \|totalMachineCount\|Long\|Number of installed devices\| \|exposedMachinesCount\|Long\|Number of installed devices that are exposed to vulnerabilities\| -\|nonProductivityImpactedAssets\|Long\|Number of devices that are not affected\| +\|nonProductivityImpactedAssets\|Long\|Number of devices that aren't affected\| \|relatedComponent\|String\|Related software component\| \| [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../../includes/defender-mde-techcommunity.md)]
security	Restrict Code Execution	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/restrict-code-execution.md	Title: Restrict app execution API description: Use this API to create calls related to restricting an application from executing. -keywords: apis, graph api, supported apis, collect investigation package -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Run Advanced Query Api	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/run-advanced-query-api.md	Title: Advanced Hunting API description: Learn to use the advanced hunting API to run advanced queries on Microsoft Defender for Endpoint. Find out about limitations and see an example. -keywords: apis, supported apis, advanced hunting, query -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 12/18/2020 1. You can only run a query on data from the last 30 days. -2. The results will include a maximum of 100,000 rows. +2. The results include a maximum of 100,000 rows. 3. The number of executions is limited per tenant: - - API calls: Up to 45 calls per minute, up to 1500 calls per hour. + - API calls: Up to 45 calls per minute, and up to 1,500 calls per hour. - Execution time: 10 minutes of running time every hour and 3 hours of running time a day. 4. The maximal execution time of a single request is 200 seconds. -5. `429` response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached. +5. `429` response represents reaching quota limit either by number of requests or by CPU. Read response body to understand what limit was reached. -6. The maximum query result size of a single request cannot exceed 124 MB. If exceeded, HTTP 400 Bad Request with the message "Query execution has exceeded the allowed result size. Optimize your query by limiting the number of results and try again" will appear. +6. The maximum query result size of a single request can't exceed 124 MB. If exceeded, an HTTP 400 Bad Request with the message "Query execution has exceeded the allowed result size. Optimize your query by limiting the number of results and try again" occurs. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) -Permission type\|Permission\|Permission display name -:\|:\|: -Application\|AdvancedQuery.Read.All\|'Run advanced queries' -Delegated (work or school account)\|AdvancedQuery.Read\|'Run advanced queries' +\|Permission type\|Permission\|Permission display name\| +\|:\|:\|:\| +\|Application\|AdvancedQuery.Read.All\|`Run advanced queries`\| +\|Delegated (work or school account)\|AdvancedQuery.Read\|`Run advanced queries`\| > [!NOTE] > When obtaining a token using user credentials: > -> - The user needs to have 'View Data' AD role +> - The user needs to have the `View Data` role assigned in Microsoft Entra ID > - The user needs to have access to the device, based on device group settings (See [Create and manage device groups](../machine-groups.md) for more information) > > Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2. If successful, this method returns 200 OK, and _QueryResponse_ object in the res ### Request example -Here is an example of the request. +Here's an example of the request. ```http POST https://api.securitycenter.microsoft.com/api/advancedqueries/run POST https://api.securitycenter.microsoft.com/api/advancedqueries/run ### Response example -Here is an example of the response. +Here's an example of the response. > [!NOTE] > The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. Here is an example of the response. } ``` -## Related topics +## Related articles - [Use the Microsoft Graph security API - Microsoft Graph \| Microsoft Learn](/graph/api/resources/security-api-overview)
security	Run Advanced Query Sample Powershell	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/run-advanced-query-sample-powershell.md	Title: Advanced Hunting with PowerShell API Basics description: Learn the basics of querying the Microsoft Defender for Endpoint API, using PowerShell. -keywords: apis, supported apis, advanced hunting, query -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 12/18/2020 [!include[Improve request performance](../../../includes/improve-request-performance.md)] -Run advanced queries using PowerShell, see [Advanced Hunting API](run-advanced-query-api.md). +Run advanced queries using PowerShell. For more information, see [Advanced Hunting API](run-advanced-query-api.md). In this section, we share PowerShell samples to retrieve a token and use it to run a query. You first need to [create an app](apis-intro.md). - Open a PowerShell window. -- If your policy does not allow you to run the PowerShell commands, you can run the following command: +- If your policy doesn't allow you to run the PowerShell commands, you can run the following command: ```powershell Set-ExecutionPolicy -ExecutionPolicy Bypass ``` -For more information, see [PowerShell documentation](/powershell/module/microsoft.powershell.security/set-executionpolicy) +For more information, see [PowerShell documentation](/powershell/module/microsoft.powershell.security/set-executionpolicy). ## Get token $response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorActi $aadToken = $response.access_token ``` -where -- $tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query will be run on the data of this tenant) +Where +- $tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query is run on the data of this tenant) - $appId: ID of your Microsoft Entra app (the app must have 'Run advanced queries' permission to Defender for Endpoint) - $appSecret: Secret of your Microsoft Entra app $results \| ConvertTo-Json \| Set-Content file1.json ``` -## Related topic +## Related article - [Microsoft Defender for Endpoint APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Advanced Hunting using Python](run-advanced-query-sample-python.md)
security	Run Advanced Query Sample Python	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/run-advanced-query-sample-python.md	Title: Advanced Hunting with Python API Guide description: Learn how to query using the Microsoft Defender for Endpoint API, by using Python, with examples. -keywords: apis, supported apis, advanced hunting, query -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security jsonResponse = json.loads(response.read()) aadToken = jsonResponse["access_token"] ``` -where +Where -- tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query will be run on the data of this tenant) +- tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query is run on the data of this tenant) - appId: ID of your Microsoft Entra app (the app must have 'Run advanced queries' permission to Microsoft Defender for Endpoint) - appSecret: Secret of your Microsoft Entra app queryFile.close() You can now use the query results. -To iterate over the results do the below: +To iterate over the results, use the following command: ```python for result in results: for result in results: print(result["EventTime"]) # Prints only the property 'EventTime' from the result ``` -To output the results of the query in CSV format in file file1.csv do the below: +To output the results of the query in CSV format in file file1.csv use the following command: ```python import csv for result in results: outputFile.close() ``` -To output the results of the query in JSON format in file file1.json do the below: +To output the results of the query in JSON format in file file1.json use the following command: ```python outputFile = open("D:\\Temp\\file1.json", 'w')
security	Run Av Scan	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/run-av-scan.md	Title: Run antivirus scan API description: Use this API to create calls related to running an antivirus scan on a device. -keywords: apis, graph api, supported apis, remove device from isolation -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Run Live Response	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/run-live-response.md	Title: Run live response commands on a device description: Learn how to run a sequence of live response commands on a device. -keywords: apis, graph api, supported apis, upload to library search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Score	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/score.md	Title: Score methods and properties description: Retrieves your organization's exposure score, device secure score, and exposure score by device group -keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by device group -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Set Device Value	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/set-device-value.md	Title: Set device value API description: Learn how to specify the value of a device using a Microsoft Defender for Endpoint API. -keywords: apis, graph api, supported apis, tags, machine tags -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Software	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/software.md	Title: Software methods and properties description: Retrieves top recent alerts. -keywords: apis, graph api, supported apis, get, alerts, recent -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Stop And Quarantine File	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/stop-and-quarantine-file.md	Title: Stop and quarantine file API description: Learn how to stop running a file on a device and delete the file in Microsoft Defender for Endpoint. See an example. -keywords: apis, graph api, supported apis, stop and quarantine file -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Ti Indicator	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/ti-indicator.md	Title: Indicator resource type description: Specify the entity details and define the expiration of the indicator using Microsoft Defender for Endpoint. -keywords: apis, supported apis, get, TiIndicator, Indicator, recent -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Method\|Return Type\|Description ## Properties -Property\|Type\|Description -:\|:\|: -id\|String\|Identity of the [Indicator](../ti-indicator.md) entity. -indicatorValue\|String\|The value of the [Indicator](../ti-indicator.md). -indicatorType\|Enum\|Type of the indicator. Possible values are: "FileSha1", "FileSha256", "FileMd5", "CertificateThumbprint", "IpAddress", "DomainName" and "Url". -application\|String\|The application associated with the indicator. -action\|Enum\|The action that is taken if the indicator will be discovered in the organization. Possible values are: "Warn", "Block", "Audit", "Alert", "AlertAndBlock", "BlockAndRemediate" and "Allowed". +\|Property\|Type\|Description \| +\|\|\|--\| +\|id\|String\|Identity of the [Indicator](../ti-indicator.md) entity.\| +\|indicatorValue\|String\|The value of the [Indicator](../ti-indicator.md).\| +\|indicatorType\|Enum\|Type of the indicator. Possible values are: `FileSha1`, `FileSha256`, `FileMd5`, `CertificateThumbprint`, `IpAddress`, `DomainName`, and `Url`.\| +\|application\|String\|The application associated with the indicator.\| +\|action\|Enum\|The action that is taken if the indicator is discovered in the organization. Possible values are: `Warn`, `Block`, `Audit`, `Alert`, `AlertAndBlock`, `BlockAndRemediate`, and `Allowed`.\| \|externalID\|String\|Id the customer can submit in the request for custom correlation.\| -sourceType\|Enum\|"User" in case the Indicator created by a user (for example, from the portal), "AadApp" in case it submitted using automated application via the API. -createdBySource\|string\|The name of the user/application that submitted the indicator. -createdBy\|String\|Unique identity of the user/application that submitted the indicator. -lastUpdatedBy\|String\|Identity of the user/application that last updated the indicator. -creationTimeDateTimeUtc\|DateTimeOffset\|The date and time when the indicator was created. -expirationTime\|DateTimeOffset\|The expiration time of the indicator. -lastUpdateTime\|DateTimeOffset\|The last time the indicator was updated. -severity\|Enum\|The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". -title\|String\|Indicator title. -description\|String\|Description of the indicator. -recommendedActions\|String\|Recommended actions for the indicator. -rbacGroupNames\|List of strings\|RBAC device group names where the indicator is exposed and active. Empty list in case it exposed to all devices. -rbacGroupIds\|List of strings\|RBAC device group IDs where the indicator is exposed and active. Empty list in case it exposed to all devices. -generateAlert\|Enum\|True if alert generation is required, False if this indicator shouldn't generate an alert. +\|sourceType\|Enum\|`User` in case the Indicator created by a user (for example, from the portal), `AadApp` in case it submitted using automated application via the API.\| +\|createdBySource\|string\|The name of the user/application that submitted the indicator.\| +\|createdBy\|String\|Unique identity of the user/application that submitted the indicator.\| +\|lastUpdatedBy\|String\|Identity of the user/application that last updated the indicator.\| +\|creationTimeDateTimeUtc\|DateTimeOffset\|The date and time when the indicator was created.\| +\|expirationTime\|DateTimeOffset\|The expiration time of the indicator.\| +\|lastUpdateTime\|DateTimeOffset\|The last time the indicator was updated.\| +\|severity\|Enum\|The severity of the indicator. Possible values are: `Informational`, `Low`, `Medium`, and `High`.\| +\|title\|String\|Indicator title.\| +\|description\|String\|Description of the indicator.\| +\|recommendedActions\|String\|Recommended actions for the indicator.\| +\|rbacGroupNames\|List of strings\|RBAC device group names where the indicator is exposed and active. Empty list in case it exposed to all devices.\| +\|rbacGroupIds\|List of strings\|RBAC device group IDs where the indicator is exposed and active. Empty list in case it exposed to all devices.\| +\|generateAlert\|Enum\|True if alert generation is required, False if this indicator shouldn't generate an alert.\| ## Indicator Types The indicator action types supported by the API are: For more information on the description of the response action types, see [Create indicators](../manage-indicators.md). -> [!Note] +> [!NOTE] > -> The prior response actions (AlertAndBlock, and Alert) will be supported until January 2022. After this date, all customers must be use one of the action types listed above. +> The prior response actions (AlertAndBlock, and Alert) will be supported until January 2022. After this date, all customers must be use one of the action types listed in this section. ## Json representation
security	Unisolate Machine	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/unisolate-machine.md	Title: Release device from isolation API description: Use this API to create calls related to release a device from isolation. -keywords: apis, graph api, supported apis, remove device from isolation -search.product: eADQiWindows 10XVcnh -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Unrestrict Code Execution	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/unrestrict-code-execution.md	Title: Remove app restriction API description: Use this API to create calls related to removing a restriction from applications from executing. -keywords: apis, graph api, supported apis, remove device from isolation -search.product: eADQiWindows 10XVcnh -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Update Alert	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/update-alert.md	Title: Update alert entity API description: Learn how to update a Microsoft Defender for Endpoint alert by using this API. You can update the status, determination, classification, and assignedTo properties. -keywords: apis, graph api, supported apis, get, alert, information, id -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Update Machine Method	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/update-machine-method.md	Title: Update machine entity API description: Learn how to update machine tags by using this API. You can update the tags and devicevalue properties. -keywords: apis, graph api, supported apis, get, alert, information, id -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Upload Library	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/upload-library.md	Title: Upload files to the live response library description: Learn how to upload a file to the live response library. -keywords: apis, graph api, supported apis, upload to library -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	User	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/user.md	Title: User resource type description: Retrieve recent Microsoft Defender for Endpoint alerts related to users. -keywords: apis, graph api, supported apis, get, alerts, recent -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Vulnerability	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/vulnerability.md	Title: Vulnerability methods and properties description: Retrieves vulnerability information -keywords: apis, graph api, supported apis, get, vulnerability -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Attack Surface Reduction Rules Deployment Implement	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement.md	Title: Implement attack surface reduction rules description: Provides guidance to implement your attack surface reduction rules deployment. -ms.pagetype: security ms.localizationpriority: medium audience: ITPro
security	Configure Endpoints Non Windows	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-non-windows.md	Title: Onboard non-Windows devices to the Microsoft Defender for Endpoint servic description: Configure non-Windows devices so that they can send sensor data to the Microsoft Defender for Endpoint service. search.appverid: met150 -ms.pagetype: security ms.localizationpriority: medium
security	Device Health Reports	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-health-reports.md	Title: Device health reporting in Microsoft Defender for Endpoint description: Use the device health report to track device health, antivirus status and versions, OS platforms, and Windows 10 versions. -keywords: health state, antivirus, os platform, windows 10 version, version, health, compliance, state -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ localization_priority: Normal Last updated 09/06/2022
security	Feedback Loop Blocking	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/feedback-loop-blocking.md	Title: Feedback-loop blocking description: Feedback-loop blocking, also called rapid protection, is part of behavioral blocking and containment capabilities in Microsoft Defender for Endpoint keywords: behavioral blocking, rapid protection, feedback blocking, Microsoft Defender for Endpoint -ms.pagetype: security
security	Mac Exclusions	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-exclusions.md	Title: Configure and validate exclusions for Microsoft Defender for Endpoint on Mac description: Provide and validate exclusions for Microsoft Defender for Endpoint on Mac. Exclusions can be set for files, folders, and processes. -keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, exclusions, scans, antivirus -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium audience: ITPro
security	Mac Install Manually	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md	Title: Manual deployment for Microsoft Defender for Endpoint on macOS description: Install Microsoft Defender for Endpoint on macOS manually, from the command line. --++ ms.localizationpriority: medium audience: ITPro
security	Mac Install With Intune	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md	Title: Intune-based deployment for Microsoft Defender for Endpoint on Mac description: Install Microsoft Defender for Endpoint on Mac, using Microsoft Intune. -keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, big sur, monterey, ventura, mde for mac -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium audience: ITPro
security	Manage Profiles Approve Sys Extensions Intune	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-profiles-approve-sys-extensions-intune.md	Title: Manage profiles and approve extensions using Intune description: Manage profiles and approve extensions using Intune for Microsoft Defender for Endpoint to work properly on macOS. -keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance, big sur, monterey, ventura, mde for mac -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium audience: ITPro
security	Manage Protection Update Schedule Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus.md	Title: Schedule Microsoft Defender Antivirus protection updates description: Schedule the day, time, and interval for when protection updates should be downloaded -keywords: updates, security baselines, schedule updates search.appverid: met150 -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium Last updated 12/20/2022 --++
security	Manage Suppression Rules	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-suppression-rules.md	Title: Manage Microsoft Defender for Endpoint suppression rules description: You might need to prevent alerts from appearing in the portal by using suppression rules. Learn how to manage your suppression rules in Microsoft Defender for Endpoint. -keywords: manage suppression, rules, rule name, scope, action, alerts, turn on, turn off -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium audience: ITPro
security	Manage Sys Extensions Manual Deployment	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-sys-extensions-manual-deployment.md	Title: Manage system extensions using the manual methods of deployment description: Manage system extensions using the manual methods of deployment. -keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance, big sur, monterey, ventura, mde for mac -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium audience: ITPro
security	Manage Sys Extensions Using Jamf	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-sys-extensions-using-jamf.md	Title: Manage system extensions using JamF description: Manage system extensions using JamF for Microsoft Defender for Endpoint to work properly on macOS. -keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance, big sur, monterey, ventura, mde for mac -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium audience: ITPro search.appverid: met150 Previously updated : 08/28/2023 Last updated : 02/21/2024 # Manage system extensions using JamF This article describes the procedures to implement in the process of managing th To approve the system extensions, perform the following steps: -1. Select Computers > Configuration Profiles, and then select Options > System Extensions. -2. Select Allowed System Extensions from the System Extension Types drop-down list. -3. Use UBF8T346G9 for Team ID. -4. Add the following bundle identifiers to the Allowed System Extensions list: - - com.microsoft.wdav.epsext - - com.microsoft.wdav.netext +1. Select Computers > Configuration Profiles, and then select Options > System Extensions. + +2. Select Allowed System Extensions from the System Extension Types drop-down list. + +3. Use UBF8T346G9 for Team ID. + +4. Add the following bundle identifiers to the Allowed System Extensions list: + + - com.microsoft.wdav.epsext + - com.microsoft.wdav.netext :::image type="content" source="images/jamf-system-extensions-approval.png" alt-text="Approving system extensions in JamF." lightbox="images/jamf-system-extensions-approval.png"::: To approve the system extensions, perform the following steps: Add the following JAMF payload to grant Full Disk Access to the Microsoft Defender for Endpoint Security Extension. This policy is a prerequisite for running the extension on your device. 1. Select Options > Privacy Preferences Policy Control. -1. Use com.microsoft.wdav.epsext as the Identifier and Bundle ID as Bundle type. -1. Set Code Requirement to *identifier com.microsoft.wdav.epsext and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = UBF8T346G9. -1. Set App or service* to SystemPolicyAllFiles and access to Allow. + +2. Use com.microsoft.wdav.epsext as the Identifier and Bundle ID as Bundle type. + +3. Set Code Requirement to *identifier com.microsoft.wdav.epsext and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = UBF8T346G9. + +4. Set App or service* to SystemPolicyAllFiles and access to Allow. :::image type="content" source="images/privacy-preferences-policy-control.png" alt-text="Privacy preferences policy control." lightbox="images/privacy-preferences-policy-control.png"::: As part of the Endpoint Detection and Response capabilities, Microsoft Defender ```BashCopy $ plutil -lint <PathToFile>/com.microsoft.network-extension.mobileconfig ```+ For example, if the file was stored in Documents: ```BashCopy $ plutil -lint ~/Documents/com.microsoft.network-extension.mobileconfig <PathToFile>/com.microsoft.network-extension.mobileconfig: OK ``` -5. Follow the instructions on [this page](https://learn.jamf.com/bundle/technical-articles/page/Welcome.html) to create a signing certificate using JAMF's built-in certificate authority. +4. Follow the instructions on [this page](https://learn.jamf.com/bundle/technical-articles/page/Welcome.html) to create a signing certificate using JAMF's built-in certificate authority. + 5. After the certificate is created and installed to your device, run the following command from terminal to sign the file: ```BashCopy
security	Manage Tamper Protection Configuration Manager	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-configuration-manager.md	ms.localizationpriority: medium Last updated 09/05/2023 audience: ITPro --++ - nextgen - admindeeplinkDEFENDER
security	Manage Tamper Protection Individual Device	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-individual-device.md	ms.localizationpriority: medium Last updated 10/24/2023 audience: ITPro --++ - nextgen - admindeeplinkDEFENDER
security	Manage Tamper Protection Intune	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-intune.md	ms.localizationpriority: medium Last updated 10/24/2023 audience: ITPro --++ - nextgen - admindeeplinkDEFENDER
security	Manage Tamper Protection Microsoft 365 Defender	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-microsoft-365-defender.md	ms.localizationpriority: medium Last updated 10/24/2023 audience: ITPro --++ - nextgen - admindeeplinkDEFENDER
security	Manage Updates Mobile Devices Vms Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md	Title: Define how mobile devices are updated by Microsoft Defender Antivirus description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender Antivirus protection updates. -keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium --++
security	Mde P1 Setup Configuration	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-p1-setup-configuration.md	Title: Set up and configure Microsoft Defender for Endpoint Plan 1 description: Learn how to set up and configure Defender for Endpoint Plan 1. Review the requirements, plan your rollout, and set up your environment. search.appverid: MET150 ---+++ audience: ITPro
security	Mde Plan1 Getting Started	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-plan1-getting-started.md	Title: Get started with Microsoft Defender for Endpoint Plan 1 description: Get started using Defender for Endpoint Plan 1. Learn how to use the Microsoft Defender portal, manage alerts and devices, and view reports. search.appverid: MET150 ---+++ audience: ITPro Last updated 08/22/2023
security	Mde Planning Guide	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-planning-guide.md	Title: Get started with your Microsoft Defender for Endpoint deployment -description: Learn how to get started with the deploy, setup, licensing validation, tenant configuration, network configuration stages +description: Learn how to get started with the deploy, setup, licensing validation, tenant configuration, network configuration stages. ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 01/19/2024 > [!TIP] > As a companion to this article, we recommend using the [Microsoft Defender for Endpoint automated setup guide](https://go.microsoft.com/fwlink/?linkid=2251910) when signed in to the Microsoft 365 admin center. This guide will customize your experience based on your environment. To review best practices without signing in and activating automated setup features, go to the [Microsoft 365 setup guide](https://go.microsoft.com/fwlink/?linkid=2251563). -Maximize available security capabilities and better protect your enterprise from cyber threats by deploying Microsoft Defender for Endpoint and onboarding your devices. Onboarding your devices will enable you to identify and stop threats quickly, prioritize risks, and evolve your defenses across operating systems and network devices. +Maximize available security capabilities and better protect your enterprise from cyber threats by deploying Microsoft Defender for Endpoint and onboarding your devices. Onboarding your devices enables you to identify and stop threats quickly, prioritize risks, and evolve your defenses across operating systems and network devices. -This guide provides five steps to help deploy Defender for Endpoint as your multi-platform endpoint protection solution. It will help you choose the best deployment tool, onboard devices, and configure capabilities. Each step corresponds to a separate article. +This guide provides five steps to help deploy Defender for Endpoint as your multi-platform endpoint protection solution. It helps you choose the best deployment tool, onboard devices, and configure capabilities. Each step corresponds to a separate article. The steps to deploy Defender for Endpoint are: The steps to deploy Defender for Endpoint are: ## Requirements -The following is a list of pre-requisites required to deploy Defender for Endpoint: +Here's a list of prerequisites required to deploy Defender for Endpoint: - You're a global admin-- You meet the [minimum requirements](minimum-requirements.md)-- You have a full inventory of your environment. The table below provides a starting point to gather information and ensure your environment is deeply understood by stakeholders, which will help identify potential dependencies and/or changes required in technologies or processes. +- Your environment meets the [minimum requirements](minimum-requirements.md) +- You have a full inventory of your environment. The following table provides a starting point to gather information and ensure your environment is deeply understood by stakeholders, which helps identify potential dependencies and/or changes required in technologies or processes. \|What\|Description\| \|\|\| The following is a list of pre-requisites required to deploy Defender for Endpoi ## Next step Start your deployment with [Step 1 - Set up Microsoft Defender for Endpoint deployment](production-deployment.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
security	Mde Plugin Wsl	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-plugin-wsl.md	Title: Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL) description: Learn how to set up and use the MDE plugin for Windows Subsystem for Linux---+++ The Windows Subsystem for Linux (WSL) 2, which replaces the previous version of Be aware of the following before you start: -1. The plug-in doesn't yet automatically update. When a new plug-in version is released, the new MSI package needs to be applied to perform the update. You can apply the new package by using any tool that deploys software. Updates are coming soon through Microsoft Update. If preferred, you can continue to use the MSI package method. +1. The plug-in doesn't yet automatically update. When a new plug-in version is released, the new MSI package needs to be applied to perform the update. You can apply the new package by using any tool that deploys software. Updates are coming soon through Microsoft Update. If preferred, you can continue to use the MSI package method. -2. As it takes a few minutes for the plug-in to fully instantiate and up to 30 minutes for a WSL2 instance to onboard itself, short-lived WSL container instances might result in the WSL2 instance not showing up in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Once a (any) distribution has been running long enough (at least 30 minutes), it does show up. +2. As it takes a few minutes for the plug-in to fully instantiate and up to 30 minutes for a WSL2 instance to onboard itself, short-lived WSL container instances might result in the WSL2 instance not showing up in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Once a (any) distribution has been running long enough (at least 30 minutes), it does show up. -3. If you're using a proxy in your (test) environment, make sure that the plug-in is set up to use it correctly. WSL is typically not automatically configured to use a proxy. For more information, see the section, [Setting a proxy for Defender running in WSL](#setting-a-proxy-for-defender-running-in-wsl). +3. If you're using a proxy in your (test) environment, make sure that the plug-in is set up to use it correctly. WSL is typically not automatically configured to use a proxy. For more information, see the section, [Setting a proxy for Defender running in WSL](#setting-a-proxy-for-defender-running-in-wsl). -4. The use of a custom kernel in combination with the plug-in is not supported. When you attempt to launch WSL with the plugin installed, you will encounter the error A fatal error was returned by plugin 'DefenderforEndpointPlug-in'. Error message: 'Custom Kernel/Configuration not supported.'. +4. The use of a custom kernel in combination with the plug-in is not supported. When you attempt to launch WSL with the plugin installed, you will encounter the error A fatal error was returned by plugin 'DefenderforEndpointPlug-in'. Error message: 'Custom Kernel/Configuration not supported.'. ## Software prerequisites
security	Mde Sec Ops Guide	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-sec-ops-guide.md	Title: Security Operations Guide for Defender for Endpoint -+ description: A prescriptive playbook for SecOps personnel to manage Microsoft Defender for Endpoint. ms.localizationpriority: medium Last updated 02/07/2023 audience: ITPro --++ - nextgen - admindeeplinkDEFENDER
security	Microsoft Cloud App Security Config	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-config.md	Title: Configure Microsoft Defender for Cloud Apps integration description: Learn how to turn on the settings to enable the Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud Apps. -keywords: cloud, app, security, settings, integration, discovery, report -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Microsoft Cloud App Security Integration	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-integration.md	Title: Microsoft Defender for Cloud Apps integration overview description: Microsoft Defender for Endpoint integrates with Defender for Cloud Apps by forwarding all cloud app networking activities. -keywords: cloud, app, networking, visibility, usage -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Microsoft Defender Antivirus Compatibility	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md	ms.localizationpriority: medium Last updated 12/12/2023 --++ -+ - m365-security - tier2
security	Microsoft Defender Antivirus On Windows Server	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md	Title: Microsoft Defender Antivirus on Windows Server description: Learn how to enable and configure Microsoft Defender Antivirus on Windows Server 2016, Windows Server 2019, and Windows Server 2022. -keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012 ms.localizationpriority: medium--++ -+ Last updated 04/06/2023
security	Microsoft Defender Antivirus Pilot Ring Deployment Group Policy Wsus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-pilot-ring-deployment-group-policy-wsus.md	Title: Pilot ring deployment using Group Policy and Windows Server Update Services description: Microsoft Defender Antivirus is an enterprise endpoint security platform that helps defend against advanced persistent threats. This article provides information about how to use a ring deployment method to update your Microsoft Defender Antivirus pilot clients using Group Policy and Windows Server Update Services (WSUS). -keywords: Deploy Microsoft Defender Antivirus updates, pilot ring deployment Microsoft Defender Antivirus, Microsoft Defender Antivirus Group Policy, Microsoft Defender Antivirus Windows Server Update Services (WSUS), Microsoft Defender Antivirus Group Policy Windows Server Update Services (WSUS), threat intelligence, cybersecurity, cloud security, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: high-+ audience: ITPro - m365-security
security	Microsoft Defender Antivirus Production Ring Deployment Group Policy Wsus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-production-ring-deployment-group-policy-wsus.md	Title: Production ring deployment using Group Policy and Windows Server Update Services description: Microsoft Defender Antivirus is an enterprise endpoint security platform that helps defend against advanced persistent threats. This article provides information about how to use a ring deployment method to update your Microsoft Defender Antivirus production clients using Group Policy and Windows Server Update Services (WSUS). -keywords: Deploy Microsoft Defender Antivirus updates, ring deployment Microsoft Defender Antivirus, Microsoft Defender Antivirus Group Policy, Microsoft Defender Antivirus Windows Server Update Services (WSUS), Microsoft Defender Antivirus Group Policy Windows Server Update Services (WSUS), threat intelligence, cybersecurity, cloud security, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: high-+ audience: ITPro - m365-security
security	Microsoft Defender Antivirus Ring Deployment Group Policy Microsoft Update	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-microsoft-update.md	Title: Production ring deployment using Group Policy and Microsoft Update (MU) description: Microsoft Defender Antivirus is an enterprise endpoint security platform that helps defend against advanced persistent threats. This article provides information about how to use a ring deployment method to update your Microsoft Defender Antivirus clients using Group Policy and Microsoft Update (MU). -keywords: Deploy Microsoft Defender Antivirus updates, ring deployment Microsoft Defender Antivirus, Microsoft Defender Antivirus Group Policy, Microsoft Defender Antivirus Microsoft Update (MU), Microsoft Defender Antivirus Group Policy and Microsoft Update, threat intelligence, cybersecurity, cloud security, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: high-+ audience: ITPro - m365-security
security	Microsoft Defender Antivirus Ring Deployment Group Policy Network Share	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-network-share.md	Title: Production ring deployment using Group Policy and network share description: Microsoft Defender Antivirus is an enterprise endpoint security platform that helps defend against advanced persistent threats. This article provides information about how to use a ring deployment method to update your Microsoft Defender Antivirus clients using Group Policy over a network share. -keywords: Deploy Microsoft Defender Antivirus updates, ring deployment Microsoft Defender Antivirus, Microsoft Defender Antivirus Group Policy, Microsoft Defender Antivirus network share, Microsoft Defender Antivirus Group Policy network share, threat intelligence, cybersecurity, cloud security, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: high-+ audience: ITPro - m365-security
security	Microsoft Defender Antivirus Ring Deployment Group Policy Wsus Appendices	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-wsus-appendices.md	Title: Appendices for ring deployment using Group Policy and Windows Server Update Services (WSUS) description: Microsoft Defender for Endpoint is an enterprise endpoint security platform that helps defend against advanced persistent threats. This article provides supplemental information to the Microsoft Defender Antivirus Group Policy WSUS ring deployment guide. -keywords: deploy Microsoft Defender Antivirus updates, ring deployment Microsoft Defender Antivirus, Microsoft Defender Antivirus Intune Microsoft Defender Antivirus Microsoft Update, Microsoft Defender Antivirus Intune MU, threat intelligence, cybersecurity, cloud security, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: high-+ audience: ITPro - m365-security
security	Microsoft Defender Antivirus Ring Deployment Intune Microsoft Update	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-intune-microsoft-update.md	Title: Ring deployment using Intune and Microsoft Update (MU) description: Microsoft Defender Antivirus is an enterprise endpoint security platform that helps defend against advanced persistent threats. This article provides information about how to use a ring deployment method to update your Microsoft Defender Antivirus clients using Intune and Microsoft Update (MU). -keywords: deploy Microsoft Defender Antivirus updates, ring deployment Microsoft Defender Antivirus, Microsoft Defender Antivirus Intune Microsoft Defender Antivirus Microsoft Update, Microsoft Defender Antivirus Intune MU, threat intelligence, cybersecurity, cloud security, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: high-+ audience: ITPro - m365-security
security	Microsoft Defender Antivirus Ring Deployment Sscm Wsus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-sscm-wsus.md	Title: Ring deployment using System Center Configuration Manager and Windows Server Update Services description: Microsoft Defender Antivirus is an enterprise endpoint security platform that helps defend against advanced persistent threats. This article provides information about how to use a ring deployment method to update your Microsoft Defender Antivirus clients using System Center Configuration Manager (SCCM) and Windows Server Update Services (WSUS). -keywords: deploy Microsoft Defender Antivirus updates, ring deployment Microsoft Defender Antivirus, Microsoft Defender Antivirus SCCM, Microsoft Defender Antivirus WSUS, Microsoft Defender Antivirus SCCM and WSUS, threat intelligence, cybersecurity, cloud security, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: high-+ audience: ITPro - m365-security
security	Microsoft Defender Antivirus Ring Deployment	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment.md	Title: Microsoft Defender Antivirus ring deployment guide overview description: Microsoft Defender Antivirus is an enterprise endpoint security platform that helps defend against advanced persistent threats. This article provides an overview about how to use ring deployment methods to update your Microsoft Defender Antivirus clients. -keywords: deploy Microsoft Defender Antivirus updates, ring deployment Microsoft Defender Antivirus, threat intelligence, cybersecurity, cloud security, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: high-+ audience: ITPro - m365-security
security	Microsoft Defender Antivirus Updates	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates.md	ms.localizationpriority: high Last updated 12/06/2023 audience: ITPro --++ -+ - m365-security
security	Microsoft Defender Antivirus Windows	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md	ms.localizationpriority: high Last updated 01/16/2024 --++ -+
security	Microsoft Defender Endpoint Android	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android.md	Title: Microsoft Defender for Endpoint on Android description: Describes how to install and use Microsoft Defender for Endpoint on Android -keywords: microsoft, defender, Microsoft Defender for Endpoint, android, installation, deploy, uninstallation, intune -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Microsoft Defender Endpoint Antivirus Performance Mode	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-antivirus-performance-mode.md	description: Learn how to manage, configure, Microsoft Defender Antivirus perfor ms.localizationpriority: high --++ -+ - m365-security - tier2 search.appverid: met150 Previously updated : 11/02/2023 Last updated : 02/22/2024 # Protect Dev Drive using performance mode
security	Microsoft Defender Endpoint Ios	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios.md	Title: Microsoft Defender for Endpoint on iOS description: Describes how to install and use Microsoft Defender for Endpoint on iOS -keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, overview, installation, deploy, uninstallation, intune -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security search.appverid: met150 Previously updated : 03/22/2021 Last updated : 02/22/2024 # Microsoft Defender for Endpoint on iOS
security	Microsoft Defender Endpoint Linux	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md	Title: Microsoft Defender for Endpoint on Linux description: Describes how to install and use Microsoft Defender for Endpoint on Linux. -keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Microsoft Defender Endpoint Mac	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac.md	Title: Microsoft Defender for Endpoint on Mac description: Learn how to install, configure, update, and use Microsoft Defender for Endpoint on Mac. --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Microsoft Defender Endpoint	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md	Title: Microsoft Defender for Endpoint description: Microsoft Defender for Endpoint is an enterprise endpoint security platform that helps defend against advanced persistent threats. --++ ms.localizationpriority: high-+ audience: ITPro - m365-security
security	Microsoft Defender Offline	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-offline.md	Title: Microsoft Defender Offline scan in Windows description: You can use Microsoft Defender Offline Scan straight from the Microsoft Defender Antivirus app. You can also manage how it's deployed in your network. -keywords: scan, defender, offline -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium Last updated 08/30/2022--++ -+
security	Microsoft Defender Security Center Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus.md	description: With Microsoft Defender Antivirus now included in the Windows Secur ms.localizationpriority: medium --++ -+ - m365-security
security	Migrate Devices Streamlined	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrate-devices-streamlined.md	Title: Migrate devices to use the streamlined onboarding method description: Learn how to migrate devices to Defender for Endpoint using the streamlined connectivity method. search.appverid: met150 --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Migrating Asr Rules	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrating-asr-rules.md	Title: Migrating from a third-party HIPS to ASR rules -description: Describes how to approach a migration from a third-party Host Intrusion Prevention System (HIPS) solution into ASR rules. -keywords: Attack surface reduction rules, asr, asr rules, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender for Endpoint + Title: Migrating from non-Microsoft HIPS to attack surface reduction rules +description: Describes how to approach a migration from a non-Microsoft Host Intrusion Prevention System (HIPS) solution into attack surface reduction rules. -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro---+++ search.appverid: met150 Last updated 03/26/2021 -# Migrating from a third-party HIPS to ASR rules +# Migrating from a non-Microsoft HIPS to attack surface reduction rules Applies to: - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) Last updated 03/26/2021 This article helps you to map common rules to Microsoft Defender for Endpoint. -## Scenarios when migrating from a third-party HIPS product to ASR rules +## Scenarios when migrating from a non-Microsoft HIPS product to attack surface reduction rules ### Block creation of specific files - Applies to- All processes - Operation- File Creation - Examples of Files/Folders, Registry Keys/Values, Processes, Services- .zepto, .odin, .locky, .jaff, .lukitus, .wnry, .krab-- Attack Surface Reduction rules- ASR rules block the attack techniques and not the Indicators of Compromise (IOC). Blocking a specific file extension isn't always useful, as it doesn't prevent a device from compromise. It only partially thwarts an attack until attackers create a new type of extension for the payload.-- Other recommended features- Having Microsoft Defender Antivirus enabled, along with Cloud Protection and Behavior Analysis is highly recommended. We recommend that you use other prevention, such as the ASR rule "Use advanced protection against ransomware". This provides a greater level of protection against ransomware attacks. Furthermore, Microsoft Defender for Endpoint monitors many of these registry keys, such as ASEP techniques, which trigger specific alerts. The registry keys used require a minimum of Local Admin or Trusted Installer privileges can be modified. It's recommended to use a locked down environment with minimum administrative accounts or rights. Other system configurations can be enabled, including "Disable SeDebug for non-required roles" that's part of our wider security recommendations. +- Attack Surface Reduction rules- attack surface reduction rules block the attack techniques and not the Indicators of Compromise (IOC). Blocking a specific file extension isn't always useful, as it doesn't prevent a device from compromise. It only partially thwarts an attack until attackers create a new type of extension for the payload. +- Other recommended features- Having Microsoft Defender Antivirus enabled, along with Cloud Protection and Behavior Analysis is highly recommended. We recommend that you use other prevention, such as the attack surface reduction rule Use advanced protection against ransomware, which provides a greater level of protection against ransomware attacks. Furthermore, Microsoft Defender for Endpoint monitors many of these registry keys, such as ASEP techniques, which trigger specific alerts. The registry keys used require a minimum of Local Admin or Trusted Installer privileges can be modified. It's recommended to use a locked down environment with minimum administrative accounts or rights. Other system configurations can be enabled, including Disable SeDebug for nonrequired roles* that's part of our wider security recommendations. ### Block creation of specific registry keys This article helps you to map common rules to Microsoft Defender for Endpoint. - Processes- N/A - Operation- Registry Modifications - Examples of Files/Folders, Registry Keys/Values, Processes, Services- \Software,HKCU\Environment\UserInitMprLogonScript,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\StartExe, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Debugger, HKEY_CURRENT_USER\Software\Microsoft\HtmlHelp Author\location, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\MonitorProcess-- Attack Surface Reduction rules- ASR rules block the attack techniques and not the Indicators of Compromise (IOC). Blocking a specific file extension isn't always useful, because it doesn't prevent a device from compromise. It only partially thwarts an attack until attackers create a new type of extension for the payload.-- Other recommended features- Having Microsoft Defender Antivirus enabled, along with Cloud Protection and Behavior Analysis is highly recommended. We recommend you use extra prevention, such as the ASR rule "Use advanced protection against ransomware". This provides a greater level of protection against ransomware attacks. Furthermore, Microsoft Defender for Endpoint monitors several of these registry keys, such as ASEP techniques, which trigger specific alerts. Additionally, the registry keys used require a minimum of Local Admin or Trusted Installer privileges can be modified. It's recommended to use a locked down environment with minimum administrative accounts or rights. Other system configurations can be enabled, including "Disable SeDebug for non-required roles" that's part of our wider security recommendations. +- Attack Surface Reduction rules- attack surface reduction rules block the attack techniques and not the Indicators of Compromise (IOC). Blocking a specific file extension isn't always useful, because it doesn't prevent a device from compromise. It only partially thwarts an attack until attackers create a new type of extension for the payload. +- Other recommended features- Having Microsoft Defender Antivirus enabled, along with Cloud Protection and Behavior Analysis is highly recommended. We recommend you use extra prevention, such as the attack surface reduction rule Use advanced protection against ransomware. This provides a greater level of protection against ransomware attacks. Furthermore, Microsoft Defender for Endpoint monitors several of these registry keys, such as ASEP techniques, which trigger specific alerts. Additionally, the registry keys used require a minimum of Local Admin or Trusted Installer privileges can be modified. It's recommended to use a locked down environment with minimum administrative accounts or rights. Other system configurations can be enabled, including Disable SeDebug for nonrequired roles* that's part of our wider security recommendations. ### Block untrusted programs from running from removable drives This article helps you to map common rules to Microsoft Defender for Endpoint. - Processes- * - Operation- Process Execution - Examples of Files/Folders, Registry Keys/Values, Processes, -- Attack Surface Reduction rules- ASR rules have a built-in rule to prevent the launch of untrusted and unsigned programs from removable drives: "Block untrusted and unsigned processes that run from USB", GUID "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4". +- Attack Surface Reduction rules*- attack surface reduction rules have a built-in rule to prevent the launch of untrusted and unsigned programs from removable drives: Block untrusted and unsigned processes that run from USB, GUID b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4. - Other recommended features- Please explore more controls for USB devices and other removable media using Microsoft Defender for Endpoint:[How to control USB devices and other removable media using Microsoft Defender for Endpoint](/windows/security/threat-protection/device-control/control-usb-devices-using-intune). ### Block Mshta from launching certain child processes This article helps you to map common rules to Microsoft Defender for Endpoint. - Processes- mshta.exe - Operation- Process Execution - Examples of Files/Folders, Registry Keys/Values, Processes, Services- powershell.exe, cmd.exe, regsvr32.exe-- Attack Surface Reduction rules- ASR rules don't contain any specific rule to prevent child processes from "mshta.exe". This control is within the remit of Exploit Protection or Windows Defender Application Control.-- Other recommended features- Enable Windows Defender Application Control to prevent mshta.exe from being executed altogether. If your organization requires "mshta.exe" for line of business apps, configure a specific Windows Defender Exploit Protection rule, to prevent mshta.exe from launching child processes. +- Attack Surface Reduction rules- attack surface reduction rules don't contain any specific rule to prevent child processes from mshta.exe. This control is within the remit of Exploit Protection or Windows Defender Application Control. +- Other recommended features- Enable Windows Defender Application Control to prevent mshta.exe from being executed altogether. If your organization requires mshta.exe* for line of business apps, configure a specific Windows Defender Exploit Protection rule, to prevent mshta.exe from launching child processes. ### Block Outlook from launching child processes This article helps you to map common rules to Microsoft Defender for Endpoint. - Processes- outlook.exe - Operation- Process Execution - Examples of Files/Folders, Registry Keys/Values, Processes, Services- powershell.exe-- Attack Surface Reduction rules- ASR rules have a built-in rule to prevent Office communication apps (Outlook, Skype, and Teams) from launching child processes: "Block Office communication application from creating child processes", GUID "26190899-1602-49e8-8b27-eb1d0a1ce869". +- Attack Surface Reduction rules- attack surface reduction rules have a built-in rule to prevent Office communication apps (Outlook, Skype, and Teams) from launching child processes: Block Office communication application from creating child processes, GUID 26190899-1602-49e8-8b27-eb1d0a1ce869. - Other recommended features- We recommend enabling PowerShell constrained language mode to minimize the attack surface from PowerShell. ### Block Office Apps from launching child processes This article helps you to map common rules to Microsoft Defender for Endpoint. - Processes- winword.exe, powerpnt.exe, excel.exe - Operation- Process Execution - Examples of Files/Folders, Registry Keys/Values, Processes, Services- powershell.exe, cmd.exe, wscript.exe, mshta.exe, EQNEDT32.EXE, regsrv32.exe-- Attack Surface Reduction rules- ASR rules have a built-in rule to prevent Office apps from launching child processes: "Block all Office applications from creating child processes", GUID "d4f940ab-401b-4efc-aadc-ad5f3c50688a". +- Attack Surface Reduction rules- attack surface reduction rules have a built-in rule to prevent Office apps from launching child processes: Block all Office applications from creating child processes, GUID d4f940ab-401b-4efc-aadc-ad5f3c50688a. - Other recommended features- N/A ### Block Office Apps from creating executable content This article helps you to map common rules to Microsoft Defender for Endpoint. - Processes- wscript.exe - Operation- File Read - Examples of Files/Folders, Registry Keys/Values, Processes, Services- C:\Users\AppData.js, C:\Users\Downloads.js-- Attack Surface Reduction rules- Due to reliability and performance issues, ASR rules don't have the capability to prevent a specific process from reading a certain script file type. We do have a rule to prevent attack vectors that might originate from these scenarios. The rule name is "Block JavaScript or VBScript from launching downloaded executable content" (GUID "d3e037e1-3eb8-44c8-a917-57927947596d") and the "Block execution of potentially obfuscated scripts" (GUID " 5beb7efe-fd9a-4556-801d-275e5ffc04cc").-- Other recommended features- Though there are specific ASR rules that mitigate certain attack vectors within these scenarios, it's important to mention that AV is able by default to inspect scripts (PowerShell, Windows Script Host, JavaScript, VBScript, and more) in real time, through the Antimalware Scan Interface (AMSI). More info is available here: [Antimalware Scan Interface (AMSI)](/windows/win32/amsi/antimalware-scan-interface-portal). +- Attack Surface Reduction rules*- Due to reliability and performance issues, attack surface reduction rules don't have the capability to prevent a specific process from reading a certain script file type. We do have a rule to prevent attack vectors that might originate from these scenarios. The rule name is Block JavaScript or VBScript from launching downloaded executable content* (GUID d3e037e1-3eb8-44c8-a917-57927947596d) and the Block execution of potentially obfuscated scripts (GUID * 5beb7efe-fd9a-4556-801d-275e5ffc04cc). +- Other recommended features- Though there are specific attack surface reduction rules that mitigate certain attack vectors within these scenarios, it's important to mention that AV is able by default to inspect scripts (PowerShell, Windows Script Host, JavaScript, VBScript, and more) in real time, through the Antimalware Scan Interface (AMSI). More info is available here: [Antimalware Scan Interface (AMSI)](/windows/win32/amsi/antimalware-scan-interface-portal). ### Block launch of child processes This article helps you to map common rules to Microsoft Defender for Endpoint. - Processes- AcroRd32.exe, Acrobat.exe - Operation- Process Execution - Examples of Files/Folders, Registry Keys/Values, Processes, Services- cmd.exe, powershell.exe, wscript.exe-- Attack Surface Reduction rules- ASR rules allow blocking Adobe Reader from launching child processes. The rule name is "Block Adobe Reader from creating child processes", GUID "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c". +- Attack Surface Reduction rules- attack surface reduction rules allow blocking Adobe Reader from launching child processes. The rule name is Block Adobe Reader from creating child processes, GUID 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c. - Other recommended features- N/A ### Block download or creation of executable content This article helps you to map common rules to Microsoft Defender for Endpoint. - Processes- certutil.exe - Operation- File Creation - Examples of Files/Folders, Registry Keys/Values, Processes, Services- .exe-- Attack Surface Reduction rules- ASR rules don't support these scenarios because they're a part of Microsoft Defender Antivirus protection. +- Attack Surface Reduction rules- attack surface reduction rules don't support these scenarios because they're a part of Microsoft Defender Antivirus protection. - Other recommended features- Microsoft Defender Antivirus prevents CertUtil from creating or downloading executable content. ### Block processes from stopping critical System components This article helps you to map common rules to Microsoft Defender for Endpoint. - Processes- * - Operation- Process Termination - Examples of Files/Folders, Registry Keys/Values, Processes, Services- MsSense.exe, MsMpEng.exe, NisSrv.exe, svchost.exe, services.exe, csrss.exe, smss.exe, wininit.exe, and more.-- Attack Surface Reduction rules- ASR rules don't support these scenarios because they're protected with Windows built-in security protections. +- Attack Surface Reduction rules- attack surface reduction rules don't support these scenarios because they're protected with Windows built-in security protections. - Other recommended features- ELAM (Early Launch AntiMalware), PPL (Protection Process Light), PPL AntiMalware Light, and System Guard. ### Block specific launch Process Attempt - Applies to- Specific Processes-- Processes- "Name your Process" +- Processes- Name your Process* - Operation- Process Execution - Examples of Files/Folders, Registry Keys/Values, Processes, Services- tor.exe, bittorrent.exe, cmd.exe, powershell.exe, and more-- Attack Surface Reduction rules- Overall, ASR rules aren't designed to function as an Application manager. +- Attack Surface Reduction rules- Overall, attack surface reduction rules aren't designed to function as an Application manager. - Other recommended features- To prevent users from launching specific processes or programs, it's recommended to use Windows Defender Application Control. Microsoft Defender for Endpoint File and Cert indicators, can be used in an Incident Response scenario (shouldn't be seen as an application control mechanism). ### Block unauthorized changes to Microsoft Defender Antivirus configurations This article helps you to map common rules to Microsoft Defender for Endpoint. - Processes- * - Operation- Registry Modifications - Examples of Files/Folders, Registry Keys/Values, Processes, Services- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\AllowRealTimeMonitoring, and so on.-- Attack Surface Reduction rules- ASR rules don't cover these scenarios because they're part of the Microsoft Defender for Endpoint built-in protection. +- Attack Surface Reduction rules- attack surface reduction rules don't cover these scenarios because they're part of the Microsoft Defender for Endpoint built-in protection. - Other recommended features- Tamper Protection (opt-in, managed from Intune) prevents unauthorized changes to DisableAntiVirus, DisableAntiSpyware, DisableRealtimeMonitoring, DisableOnAccessProtection, DisableBehaviorMonitoring, and DisableIOAVProtection registry keys (and more). See also
security	Migrating Mde Server To Cloud	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrating-mde-server-to-cloud.md	Title: Migrating servers from Microsoft Defender for Endpoint to Microsoft Defender for Cloud description: Learn how to migrate servers from Microsoft Defender for Endpoint to Microsoft Defender for Cloud. -keywords: migrate server, server, Microsoft Defender for Endpoint server, Microsoft Defender for Cloud, MDE, azure, azure cloud, CSPM, CWP, cloud workload protection, threat protection, advanced threat protection, Microsoft Azure, multi-cloud connector ---+++ audience: ITPro This article guides you in migrating servers from Microsoft Defender for Endpoin [Microsoft Defender for Endpoint](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint) is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. -[Microsoft Defender for Cloud](https://azure.microsoft.com/services/defender-for-cloud/) is a solution for cloud security posture management (CSPM) and cloud workload protection (CWP) that finds weak spots across your cloud configuration. It also helps strengthen the overall security posture of your environment, and can protect workloads across multi-cloud and hybrid environments from evolving threats. +[Microsoft Defender for Cloud](https://azure.microsoft.com/services/defender-for-cloud/) is a solution for cloud security posture management (CSPM) and cloud workload protection (CWP) that finds weak spots across your cloud configuration. It also helps strengthen the overall security posture of your environment, and can protect workloads across multicloud and hybrid environments from evolving threats. While both products offer server protection capabilities, Microsoft Defender for Cloud is our primary solution to protect infrastructure resources, including servers. To enable Defender for Servers for Azure VMs and non-Azure machines connected th 1. If you aren't already using Azure, plan your environment following the [Azure Well-Architected Framework](/azure/architecture/framework/). -2. Enable [Microsoft Defender for Cloud](/azure/defender-for-cloud/get-started) on your subscription(s). +2. Enable [Microsoft Defender for Cloud](/azure/defender-for-cloud/get-started) on your subscription. -3. Enable one of the Microsoft Defender for Server plans on your [subscription(s)](/azure/defender-for-cloud/enable-enhanced-security). In case you're using Defender for Servers Plan 2, make sure to also enable it on the Log Analytics workspace your machines are connected to; it enables you to use optional features like File Integrity Monitoring, Adaptive Application Controls and more. +3. Enable a Microsoft Defender for Server plan on your [subscription(s)](/azure/defender-for-cloud/enable-enhanced-security). In case you're using Defender for Servers Plan 2, make sure to also enable it on the Log Analytics workspace your machines are connected to; it enables you to use optional features like File Integrity Monitoring, Adaptive Application Controls, and more. -4. Make sure the [MDE integration](/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows) is enabled on your subscription. If you have pre-existing Azure subscriptions, you may see one (or both) of the two opt-in buttons shown in the image below. +4. Make sure the [MDE integration](/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows) is enabled on your subscription. If you have pre-existing Azure subscriptions, you might see one (or both) of the two opt-in buttons shown in the image below. :::image type="content" source="images/mde-integration.png" alt-text="Screenshot that shows how to enable MDE integration." lightbox="images/mde-integration.png"::: - If you have any of these buttons in your environment, make sure to enable integration for both. On new subscriptions, both options are enabled by default. In this case, you won't see these buttons in your environment. + If you have any of these buttons in your environment, make sure to enable integration for both. On new subscriptions, both options are enabled by default. In this case, you don't see these buttons in your environment. 5. Make sure the connectivity requirements for Azure Arc are met. Microsoft Defender for Cloud requires all on-premises and non-Azure machines to be connected via the Azure Arc agent. In addition, Azure Arc doesn't support all MDE supported operating systems. So, learn how to plan for [Azure Arc deployments here](/azure/azure-arc/servers/plan-at-scale-deployment). Once all prerequisites are met, [connect](/azure/defender-for-cloud/quickstart-o ## How do I migrate VMs from AWS or GCP environments? -1. Create a new multi-cloud connector on your subscription. (For more information on connector, see [AWS accounts](/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings) or [GCP projects](/azure/defender-for-cloud/quickstart-onboard-gcp?pivots=env-settings). +1. Create a new multicloud connector on your subscription. (For more information on connector, see [AWS accounts](/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings) or [GCP projects](/azure/defender-for-cloud/quickstart-onboard-gcp?pivots=env-settings). -2. On your multi-cloud connector, enable Defender for Servers on [AWS](/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings#prerequisites) or [GCP](/azure/defender-for-cloud/quickstart-onboard-gcp?pivots=env-settings#configure-the-servers-plan) connectors. +2. On your multicloud connector, enable Defender for Servers on [AWS](/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings#prerequisites) or [GCP](/azure/defender-for-cloud/quickstart-onboard-gcp?pivots=env-settings#configure-the-servers-plan) connectors. -3. Enable auto-provisioning on the multi-cloud connector for the Azure Arc agent, Microsoft Defender for Endpoint extension, Vulnerability Assessment and, optionally, Log Analytics extension. +3. Enable autoprovisioning on the multicloud connector for the Azure Arc agent, Microsoft Defender for Endpoint extension, Vulnerability Assessment and, optionally, Log Analytics extension. - :::image type="content" source="images/select-plans-aws-gcp.png" alt-text="Screenshot that shows how to enable auto-provisioning for Azure Arc agent." lightbox="images/select-plans-aws-gcp.png"::: + :::image type="content" source="images/select-plans-aws-gcp.png" alt-text="Screenshot that shows how to enable autoprovisioning for Azure Arc agent." lightbox="images/select-plans-aws-gcp.png"::: For more information, see [Defender for Cloud's multicloud capabilities](https://aka.ms/mdcmc). ## What happens once all migration steps are completed? -Once you've completed the relevant migration steps, Microsoft Defender for Cloud deploys the `MDE.Windows` or `MDE.Linux` extension to your Azure VMs and non-Azure machines connected through Azure Arc (including VMs in AWS and GCP compute). +After you complete the relevant migration steps, Microsoft Defender for Cloud deploys the `MDE.Windows` or `MDE.Linux` extension to your Azure VMs and non-Azure machines connected through Azure Arc (including VMs in AWS and GCP compute). The extension acts as a management and deployment interface, which orchestrates and wraps the MDE installation scripts inside the operating system and reflect its provisioning state to the Azure management plane. The installation process recognizes an existing Defender for Endpoint installation and connects it to Defender for Cloud by automatically adding Defender for Endpoint service tags. -In case you have Windows Server 2012 R2 or 2016 machines that are provisioned with the legacy, Log Analytics-based Microsoft Defender for Endpoint solution, Microsoft Defender for Cloud's deployment process deploys the Defender for Endpoint [unified solution](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution). After successful deployment, it will stop and disable the legacy Defender for Endpoint process on these machines. +In case you have devices running Windows Server 2012 R2 or Windows Server 2016, and those devices are provisioned with the legacy, Log Analytics-based Microsoft Defender for Endpoint solution, Microsoft Defender for Cloud's deployment process deploys the Defender for Endpoint [unified solution](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution). After successful deployment, it will stop and disable the legacy Defender for Endpoint process on these machines. [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
security	Minimum Requirements	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md	Title: Minimum requirements for Microsoft Defender for Endpoint description: Understand the licensing requirements and requirements for onboarding devices to the service --++ ms.localizationpriority: medium Last updated 11/15/2023-+ audience: ITPro - m365-security
security	Mobile Resources Defender Endpoint	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mobile-resources-defender-endpoint.md	Title: Resources for Microsoft Defender for Endpoint for mobile devices description: Learn about the configurations and privacy settings for all the features in Defender for Endpoint on mobile devices. -keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, macos, whatsnew -ms.sitesec: library -ms.pagetype: security --+++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Microsoft Defender for Mobile TVM (Threat and Vulnerability Management) is the s ### Steps to exclude: -1. Create service principal for the apps that needs to be excluded. [Steps to create service principal.](/graph/api/serviceprincipal-post-serviceprincipals?view=graph-rest-1.0&tabs=powershell#request) -1. While creating the service principal object above, use these app IDs: Xplat Broker App ( a0e84e36-b067-4d5c-ab4a-3db38e598ae2), TVM app (e724aa31-0f56-4018-b8be-f8cb82ca1196). +1. Create service principal for the apps that needs to be excluded. [Steps to create service principal.](/graph/api/serviceprincipal-post-serviceprincipals?view=graph-rest-1.0&tabs=powershell#request&preserve-view=true). + +1. While creating the service principal object above, use these app IDs: Xplat Broker App ( a0e84e36-b067-4d5c-ab4a-3db38e598ae2), TVM app (e724aa31-0f56-4018-b8be-f8cb82ca1196). + 1. After the object is successfully created the two apps are visible in the CA screen and can be excluded.+ + :::image type="content" source="media/mobile-resources-defender-endpoint/appexclusion.png" alt-text="Image displaying Application exclusions.":::
security	Monthly Security Summary Report	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/monthly-security-summary-report.md	Title: Monthly security summary reporting in Microsoft Defender for Endpoint description: Use the monthly security summary to see threats detected and prevented, current status from Microsoft Secure Score, and recommended actions. -keywords: month report, security summary, managed devices, secure score, incidents -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ localization_priority: Normal Last updated 06/12/2023-+ audience: ITPro - m365-security
security	Msda Updates Previous Versions Technical Upgrade Support	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md	Title: Microsoft Defender Antivirus updates - Previous versions for technical upgrade support description: Understand the type of technical support offered for previous versions of Microsoft Defender Antivirus --++ ms.localizationpriority: medium Last updated 12/05/2023-+ audience: ITPro - m365-security
security	Mssp Support	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mssp-support.md	Title: Managed security service provider (MSSP) partnership opportunities description: Understand how Microsoft Defender for Endpoint integrates with managed security service providers (MSSP) -keywords: mssp, integration, managed, security, service, provider -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Mtd	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mtd.md	Title: Microsoft Defender for Endpoint - Mobile Threat Defense-+ description: Overview of Mobile Threat Defense in Microsoft Defender for Endpoint -keywords: mobile, defender, Microsoft Defender for Endpoint, ios, mtd, android, security --++ ms.localizationpriority: medium Last updated 01/28/2024-+ audience: ITPro - m365-security
security	Network Devices	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-devices.md	Title: Network device discovery and vulnerability management description: Security recommendations and vulnerability detection are now available for operating systems of switches, routers, WLAN controllers, and firewalls. -keywords: network devices, network devices vulnerability detection, operating systems of switches, routers, WLAN controllers, and firewalls -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Network Protection Linux	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection-linux.md	Title: Use network protection to help prevent Linux connections to bad sites description: Protect your network by preventing Linux users from accessing known malicious and suspicious network addresses -keywords: Network protection, Linux exploits, malicious website, ip, domain, domains, command and control, SmartScreen, toast notification -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro----+++
security	Network Protection Macos	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection-macos.md	Title: Use network protection to help prevent macOS connections to bad sites description: Protect your network by preventing macOS users from accessing known malicious and suspicious network addresses -keywords: Network protection, MacOS exploits, malicious website, ip, domain, domains, command and control, SmartScreen, toast notification ms.localizationpriority: medium Last updated 12/08/2023 audience: ITPro--++ -+ search.appverid: met150 ## Overview -Microsoft Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host: +Microsoft Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that might host: - phishing scams - exploits Network protection expands the scope of Microsoft Defender XDR [SmartScreen](/wi ## Availability -Network Protection for macOS is now available for all Microsoft Defender for Endpoint onboarded macOS devices that meet the minimum requirements. All of your currently configured Network Protection and Web Threat Protection policies will be enforced on macOS devices where Network Protection is configured for block mode. +Network Protection for macOS is now available for all Microsoft Defender for Endpoint onboarded macOS devices that meet the minimum requirements. All of your currently configured Network Protection and Web Threat Protection policies are enforced on macOS devices where Network Protection is configured for block mode. -To roll out Network Protection for macOS, we recommend the following: +To roll out Network Protection for macOS, we recommend the following actions: - Create a device group for a small set of devices that you can use to test Network Protection. - Evaluate the impact of Web Threat Protection, Custom Indicators of Compromise, Web Content Filtering, and Microsoft Defender for Cloud Apps enforcement policies that target those macOS devices where Network Protection is in Block mode. - Deploy an audit or block mode policy to this device group and verify there are no issues or broken workstreams.-- Gradually deploy Network Protection to a larger set of devices until completely rolled out. +- Gradually deploy Network Protection to a larger set of devices until rolled out. ## Current capabilities - Custom Indicators of Compromise on Domains and IPs. - Web Content Filtering support: - - Block website categories scoped to device groups through policies created in the MDEP portal. + - Block website categories scoped to device groups through policies created in the Microsoft Defender portal. - Policies are applied to browsers, including Chromium Microsoft Edge for macOS. -- Advanced Hunting - Network Events will be reflected in the Machine Timeline, and queryable in Advanced Hunting to aid security investigations. +- Advanced Hunting - Network Events are reflected in the Machine Timeline, and queryable in Advanced Hunting to aid security investigations. - Microsoft Defender for Cloud Apps: - Shadow IT discovery - Identify which apps are being used in your organization. - Block applications - Block entire applications (such as Slack and Facebook) from being used in your organization. To roll out Network Protection for macOS, we recommend the following: ### Known issues -- Block/Warn UX isn't customizable and might require other look and feel changes - - Customer feedback is being collected to drive further design improvements -- There is a known application incompatibility issue with VMWare's "Per-App Tunnel" feature. - - This incompatibility might result in an inability to block traffic that goes through the "Per-App Tunnel." -- There is a known application incompatibility issue with Blue Coat Proxy. - - This incompatibility might result in network layer crashes in unrelated applications when both Blue Coat Proxy and Network Protection are enabled. +- Block/Warn UX isn't customizable and might require other look and feel changes. (Customer feedback is being collected to drive further design improvements) +- There's a known application incompatibility issue with VMware's "Per-App Tunnel" feature. (This incompatibility might result in an inability to block traffic that goes through the "Per-App Tunnel.") +- There's a known application incompatibility issue with Blue Coat Proxy. (This incompatibility might result in network layer crashes in unrelated applications when both Blue Coat Proxy and Network Protection are enabled.) ### Important notes After you create this configuration profile, assign it to the devices where you 7. Select OK 8. Select Manage \> Assignments. In the Include tab, select the devices for which you want to enable network protection. -#### mobileconfig deployment +#### Mobileconfig deployment -To deploy the configuration via a .mobileconfig file, which can be used with 3rd party MDM solutions or distributed to devices directly: +To deploy the configuration via a .mobileconfig file, which can be used with non-Microsoft MDM solutions or distributed to devices directly: 1. Save the following payload as _com.microsoft.wdav.xml.mobileconfig_ To deploy the configuration via a .mobileconfig file, which can be used with 3rd > > Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2. -4. [Integrate Microsoft Defender for Endpoint with Defender for Cloud Apps](/defender-cloud-apps/mde-integration) and your network protection-enabled macOS devices will have endpoint policy enforcement capabilities. +4. [Integrate Microsoft Defender for Endpoint with Defender for Cloud Apps](/defender-cloud-apps/mde-integration) and your network protection-enabled macOS devices have endpoint policy enforcement capabilities. > [!NOTE] > Discovery and other features are currently not supported on these platforms. The following scenarios are supported. ### Web threat protection -Web threat protection is part of web protection in Microsoft Defender XDR for Endpoint. It uses network protection to secure your devices against web threats. By integrating with Microsoft Edge for macOS and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy. Web threat protection can protect devices while they're on premises or away. Web threat protection stops access to the following types of sites: +Web threat protection is part of web protection in Microsoft Defender XDR for Endpoint. It uses network protection to secure your devices against web threats. By integrating with Microsoft Edge for macOS and popular non-Microsoft browsers, such as Chrome and Firefox, web threat protection stops web threats without a web proxy. Web threat protection can protect devices while they're on premises or away. Web threat protection stops access to the following types of sites: - phishing sites - malware vectors - exploit sites - untrusted or low-reputation sites-- sites you've blocked in your custom indicator list +- sites that are blocked in your custom indicator list :::image type="content" source="images/network-protection-reports-web-protection.png" alt-text="Web Protection reports web threat detections." lightbox="images/network-protection-reports-web-protection.png"::: For more information, see: [Create indicators for IPs and URLs/domains](indicato Web content filtering is part of the [Web protection](web-protection-overview.md) capabilities in Microsoft Defender for Endpoint and Microsoft Defender for Business. Web content filtering enables your organization to track and regulate access to websites based on their content categories. Many of these websites (even if they're not malicious) might be problematic because of compliance regulations, bandwidth usage, or other concerns. -Configure policies across your device groups to block certain categories. Blocking a category prevents users within specified device groups from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited. Your users can access the URLs without disruption, and you'll gather access statistics to help create a more custom policy decision. Your users will see a block notification if an element on the page they're viewing is making calls to a blocked resource. +Configure policies across your device groups to block certain categories. Blocking a category prevents users within specified device groups from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited. Your users can access the URLs without disruption, and you gather access statistics to help create a more custom policy decision. Your users see a block notification if an element on the page they're viewing is making calls to a blocked resource. Web content filtering is available on the major web browsers, with blocks performed by Network Protection (Safari, Chrome, Firefox, Brave, and Opera). For more information about browser support, see [Prerequisites](#prerequisites). The Microsoft Defender for Cloud Apps / Cloud App Catalog identifies apps you wo :::image type="content" source="images/network-protection-macos-mcas-monitored-apps.png" alt-text="Shows network protection monitored apps."::: -Within 10-15 minutes, these domains will be listed in Microsoft Defender XDR under Indicators > URLs/Domains with Action=Warn. Within the enforcement SLA (see details at the end of this article), end users will be getting warn messages when attempting to access these domains: +Within 10-15 minutes, these domains are listed in Microsoft Defender XDR under Indicators > URLs/Domains with Action=Warn. Within the enforcement SLA (see details at the end of this article), end users are getting warn messages when attempting to access these domains: :::image type="content" source="images/network-protection-macos-indicators-urls-domains-warn.png" alt-text="Shows network protection indicators for urls or domains warning."::: -When the end user will be attempting to access monitored domains, they'll be warned by Microsoft Defender XDR for Endpoint. +When the end user is attempting to access monitored domains, they're warned by Defender for Endpoint. -- The user will get a plain block experience accompanied by the following toast message, which will be displayed by the operating system including the name of the blocked application (e.g Blogger.com) +- The user gets a plain block experience accompanied by the following toast message, which is displayed by the operating system including the name of the blocked application (e.g Blogger.com) :::image type="content" source="images/network-protection-macos-content-blocked.png" alt-text="Shows end-user network protection content blocked toast notification."::: -If the end user encounters a _block_, the user will have two possible resolutions: +If the end user encounters a _block_, the user has two possible resolutions: #### User bypass -- For toast message experience: Press the Unblock button. By reloading the webpage, the user will be able to proceed and use the cloud app. (This action is applicable for the next 24 hours, after which the user will have to unblock once again) +- For toast message experience: Press the Unblock button. By reloading the webpage, the user is able to proceed and use the cloud app. (This action is applicable for the next 24 hours, after which the user has to unblock once again) #### User education -- For toast message experience: Press the toast message itself. End user will be redirected to a custom redirect URL set globally in Microsoft Defender for Cloud Apps (More information at the bottom of this page) +- For toast message experience: Press the toast message itself. End user is redirected to a custom redirect URL set globally in Microsoft Defender for Cloud Apps (More information at the bottom of this page) > [!NOTE] > Tracking bypasses per app** ΓÇô You can track how many users have bypassed the warning in the _Application_ page in Microsoft Defender for Cloud Apps. For many organizations, it's important to take the cloud controls provided by Mi - what is the thinking behind this decision - how encountering block sites can be mitigated -Upon facing an unexpected behavior, users' confusion may be reduced by providing them as much information as possible, not only to explain about what has happened but to also educate them to be more aware the next time they choose a cloud app to complete their job. For example, this information can include: +Upon facing an unexpected behavior, users' confusion might be reduced by providing them as much information as possible, not only to explain about what has happened but to also educate them to be more aware the next time they choose a cloud app to complete their job. For example, this information can include: - Organization security and compliance policies and guidelines for internet and cloud use - Approved/recommended cloud apps for use For this page, we recommend that your organization uses a basic SharePoint site. ### Important things to know 1. It can take up to two hours (typically less) for app domains to propagate and to be update in the endpoint devices, after it's marked as _Monitored_. -2. By default, action will be taken for all apps and domains that were marked as Monitored in Microsoft Defender for Cloud Apps portal for all the onboarded endpoints in the organization. +2. By default, action is taken for all apps and domains that were marked as Monitored in Microsoft Defender for Cloud Apps portal for all the onboarded endpoints in the organization. 3. Full URLs are currently not supported and won't be sent from Microsoft Defender for Cloud Apps to Microsoft Defender XDR for Endpoint, if any full URLs are listed under Microsoft Defender for Cloud Apps monitored apps, hence, user won't get warned on access attempt (for example, google.com/drive isn't supported, while drive.google.com is supported). -No End-user notification on third party browsers? Check your toast message settings +No End-user notification on third party browsers? Check your toast message settings. ## See also
security	Network Protection	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection.md	ms.localizationpriority: medium Last updated 02/02/2024 audience: ITPro--++ -+
security	Next Generation Protection	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/next-generation-protection.md	description: Get an overview of next-generation protection in Microsoft Defender ms.localizationpriority: high --++ -+
security	Non Windows	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/non-windows.md	Title: Microsoft Defender for Endpoint on other platforms description: Learn about Microsoft Defender for Endpoint capabilities on other platforms -keywords: non windows, mac, macos, linux, android -search.product: eADQiWindows 10XVcnh -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Offboard Machines	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/offboard-machines.md	Title: Offboard devices description: Onboard Windows devices, servers, non-Windows devices from the Microsoft Defender for Endpoint service -keywords: offboarding, Microsoft Defender for Endpoint offboarding, offboarding -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Office 365 Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus.md	Title: Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats description: Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more. -keywords: windows defender, antivirus, office 365, onedrive, restore, ransomware -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro --++ - nextgen - admindeeplinkDEFENDER -+ - m365-security
security	Onboard Configure	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-configure.md	Title: Onboard devices and configure Microsoft Defender for Endpoint capabilities description: Onboard Windows 10 devices, servers, non-Windows devices and learn how to run a detection test. -keywords: onboarding, Microsoft Defender for Endpoint onboarding, sccm, group policy, mdm, local script, detection test -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Onboard Downlevel	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md	Title: Onboard previous versions of Windows on Microsoft Defender for Endpoint description: Onboard supported previous versions of Windows devices so that they can send sensor data to the Microsoft Defender for Endpoint sensor -keywords: onboard, windows, 7, 81, oms, sp1, enterprise, pro, down level ms.localizationpriority: medium-+ audience: ITPro
security	Onboard Windows Client	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-windows-client.md	Title: Defender for Endpoint onboarding Windows Client description: Onboard Windows Client. -keywords: onboarding, Microsoft Defender for Endpoint onboarding, sccm, group policy, mdm, local script, detection test -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Onboard Windows Multi Session Device	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device.md	ms.localizationpriority: medium audience: ITPro --++ -+ - m365-security - tier3
security	Onboard Windows Server	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-windows-server.md	Title: Defender for Endpoint onboarding Windows Server description: Onboard Windows Server to Microsoft Defender for Endpoint. -keywords: onboarding, Microsoft Defender for Endpoint onboarding, sccm, group policy, mdm, local script, detection test -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Onboarding Endpoint Configuration Manager	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-configuration-manager.md	Title: Onboarding using Microsoft Configuration Manager description: Learn how to onboard to Microsoft Defender for Endpoint using Microsoft Configuration Manager -keywords: onboarding, configuration, deploy, deployment, configuration manager, Microsoft Defender for Endpoint, collection creation, endpoint detection response, next generation protection, attack surface reduction, microsoft configuration manager -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Onboarding Endpoint Manager	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager.md	Title: Onboarding using Microsoft Intune -description: Learn how to onboard to Microsoft Defender for Endpoint using Microsoft Intune -keywords: onboarding, configuration, deploy, deployment, endpoint manager, Microsoft Defender for Endpoint, collection creation, endpoint detection response, next generation protection, attack surface reduction, microsoft intune +description: Learn how to onboard to Microsoft Defender for Endpoint using Microsoft Intune. -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 12/18/2020 This article acts as an example onboarding method. -In the [Planning](deployment-strategy.md) topic, there were several methods provided to onboard devices to the service. This topic covers the cloud-native architecture. +In the [Planning](deployment-strategy.md) article, there were several methods provided to onboard devices to the service. This article covers the cloud-native architecture. :::image type="content" source="images/cloud-native-architecture.png" alt-text="The cloud-native architecture" lightbox="images/cloud-native-architecture.png"::: Diagram of environment architectures -While Defender for Endpoint supports onboarding of various endpoints and tools, this article does not cover them. For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md). +While Defender for Endpoint supports onboarding of various endpoints and tools, this article doesn't cover them. For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md). The Microsoft Intune family of products is a solution platform that unifies several services. It includes [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Configuration Manager](/mem/configmgr). -This topic guides users in: +This article guides users in: - Step 1: Onboarding devices to the service by creating a group in Microsoft Intune to assign configurations on - Step 2: Configuring Defender for Endpoint capabilities using Microsoft Intune -This onboarding guidance will walk you through the following basic steps that you need to take when using Microsoft Intune: +This onboarding guidance walks you through the following basic steps that you need to take when using Microsoft Intune: - [Identifying target devices or users](#identify-target-devices-or-users) - Creating a Microsoft Entra group (User or Device) - [Creating a Configuration Profile](#step-2-create-configuration-policies-to-configure-microsoft-defender-for-endpoint-capabilities) - - In Microsoft Intune, we'll guide you in creating a separate policy for each capability. + - In Microsoft Intune, we guide you in creating a separate policy for each capability. ## Resources -Here are the links you'll need for the rest of the process: +Here are the links you need for the rest of the process: - [Intune admin center](https://aka.ms/memac) - [Microsoft Defender XDR](https://security.microsoft.com) For more information about Microsoft Intune, go to [Microsoft Intune securely ma ### Identify target devices or users -In this section, we will create a test group to assign your configurations on. +In this section, we create a test group to assign your configurations on. > [!NOTE] > Intune uses Microsoft Entra groups to manage devices and users. As an Intune admin, you can set up groups to suit your organizational needs. In this section, we will create a test group to assign your configurations on. ## Step 2: Create configuration policies to configure Microsoft Defender for Endpoint capabilities -In the following section, you'll create a number of configuration policies. +In the following section, you create several configuration policies. -First is a configuration policy to select which groups of users or devices will be onboarded to Defender for Endpoint: +First is a configuration policy to select which groups of users or devices are onboarded to Defender for Endpoint: - [Endpoint detection and response](#endpoint-detection-and-response) -Then you will continue by creating several different types of endpoint security policies: +Then, you continue by creating several different types of endpoint security policies: - [Next-generation protection](#next-generation-protection) - [Attack surface reduction](#attack-surface-reductionattack-surface-reduction-rules) Then you will continue by creating several different types of endpoint security 1. Open the Intune admin center. -2. Navigate to Endpoint security > Endpoint detection and response. Click on Create Policy. +2. Navigate to Endpoint security > Endpoint detection and response. Select on Create Policy. > [!div class="mx-imgBorder"] > :::image type="content" source="images/58dcd48811147feb4ddc17212b7fe840.png" alt-text="The Microsoft Intune admin center4" lightbox="images/58dcd48811147feb4ddc17212b7fe840.png"::: Then you will continue by creating several different types of endpoint security > [!div class="mx-imgBorder"] > :::image type="content" source="images/dfdadab79112d61bd3693d957084b0ec.png" alt-text="The Microsoft Intune admin center17" lightbox="images/dfdadab79112d61bd3693d957084b0ec.png"::: -9. You'll see the configuration policy you created. +9. You see the configuration policy you created. > [!div class="mx-imgBorder"] > :::image type="content" source="images/38180219e632d6e4ec7bd25a46398da8.png" alt-text="The Microsoft Intune admin center18" lightbox="images/38180219e632d6e4ec7bd25a46398da8.png"::: Then you will continue by creating several different types of endpoint security > [!div class="mx-imgBorder"] > :::image type="content" source="images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png" alt-text="The Microsoft Intune admin center20" lightbox="images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png"::: -6. In the Configuration settings page: Set the configurations you require for - Attack surface reduction rules, then select Next. +6. In the Configuration settings page: Set the configurations you require for Attack surface reduction rules, then select Next. > [!NOTE] > We will be configuring all of the Attack surface reduction rules to Audit. Then you will continue by creating several different types of endpoint security ### Confirm policies have been applied -Once the Configuration policy has been assigned, it will take some time to apply. +Once the Configuration policy has been assigned, it takes some time to apply. For information on timing, see [Intune configuration information](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned). -To confirm that the configuration policy has been applied to your test device, follow the following process for each configuration policy. +To confirm that the configuration policy is applied to your test device, follow the following process for each configuration policy. 1. Open the Intune admin center and navigate to the relevant policy as shown in the - steps above. The following example shows the next generation protection settings. + preceding section. The following example shows the next generation protection settings. > [!div class="mx-imgBorder"] > [![Image of Microsoft Intune admin center33.](images/43ab6aa74471ee2977e154a4a5ef2d39.png)](images/43ab6aa74471ee2977e154a4a5ef2d39.png#lightbox) To confirm that the configuration policy has been applied to your test device, f ### Confirm endpoint detection and response -1. Before applying the configuration, the Defender for Endpoint Protection service should not be started. +1. Before applying the configuration, the Defender for Endpoint Protection service shouldn't be started. > [!div class="mx-imgBorder"] > [![Image of Services panel1.](images/b418a232a12b3d0a65fc98248dbb0e31.png)](images/b418a232a12b3d0a65fc98248dbb0e31.png#lightbox) -2. After the configuration has been applied, the Defender for Endpoint Protection Service should be started. +2. After the configuration is applied, the Defender for Endpoint Protection service should be started. > [!div class="mx-imgBorder"] > [![Image of Services panel2.](images/a621b699899f1b41db211170074ea59e.png)](images/a621b699899f1b41db211170074ea59e.png#lightbox) To confirm that the configuration policy has been applied to your test device, f ### Confirm next-generation protection 1. Before applying the policy on a test device, you should be able to manually - manage the settings as shown below. + manage the settings as shown in the following image: > [!div class="mx-imgBorder"] > :::image type="content" source="images/88efb4c3710493a53f2840c3eac3e3d3.png" alt-text="The settings page-1" lightbox="images/88efb4c3710493a53f2840c3eac3e3d3.png"::: -2. After the policy has been applied, you should not be able to manually manage +2. After the policy is applied, you shouldn't be able to manually manage the settings. > [!NOTE] To confirm that the configuration policy has been applied to your test device, f 1. Before applying the policy on a test device, open a PowerShell Window and type `Get-MpPreference`. -2. This should respond with the following lines with no content: +2. You should see the following lines with no content: > AttackSurfaceReductionOnlyExclusions: > To confirm that the configuration policy has been applied to your test device, f 3. After applying the policy on a test device, open a PowerShell Windows and type `Get-MpPreference`. -4. This should respond with the following lines with content as shown below: +4. You should see the following lines with content, as shown in the following image: :::image type="content" source="images/619fb877791b1fc8bc7dfae1a579043d.png" alt-text="The command line-2" lightbox="images/619fb877791b1fc8bc7dfae1a579043d.png"::: To confirm that the configuration policy has been applied to your test device, f 1. On the test device, open a PowerShell Windows and type `(Get-MpPreference).EnableNetworkProtection`. -2. This should respond with a 0 as shown below. +2. This should respond with a 0 as shown in the following image: :::image type="content" source="images/196a8e194ac99d84221f405d0f684f8c.png" alt-text="The command line-3" lightbox="images/196a8e194ac99d84221f405d0f684f8c.png"::: 3. After applying the policy, open a PowerShell Windows and type `(Get-MpPreference).EnableNetworkProtection`. -4. This should respond with a 1 as shown below. +4. You should see a response with a 1 as shown in the following image: :::image type="content" source="images/c06fa3bbc2f70d59dfe1e106cd9a4683.png" alt-text="The command line-4" lightbox="images/c06fa3bbc2f70d59dfe1e106cd9a4683.png"::: + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
security	Onboarding Notification	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-notification.md	Title: Create an onboarding or offboarding notification rule description: Get a notification when a local onboarding or offboarding script is used. -keywords: onboarding, offboarding, local, script, notification, rule search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 12/18/2020 [!include[Improve request performance](../../includes/improve-request-performance.md)] -Create a notification rule so that when a local onboarding or offboarding script is used, you'll be notified. +Create a notification rule so that when a local onboarding or offboarding script is used, you are notified. ## Before you begin -You'll need to have access to: +You need to have access to: - Power Automate (Per-user plan at a minimum). For more information, see [Power Automate pricing page](https://make.powerautomate.com/pricing/). - Azure Table or SharePoint List or Library / SQL DB. You'll need to have access to: :::image type="content" source="images/build-flow.png" alt-text="The notification flow" lightbox="images/build-flow.png"::: -4. Select the + button to add a new action. The new action will be an HTTP request to the Defender for Endpoint device(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines"). +4. Select the + button to add a new action. The new action is an HTTP request to the Defender for Endpoint devices API. You can also replace it with the out-of-the-box WDATP Connector (action: Machines - Get list of machines). :::image type="content" source="images/recurrence-add.png" alt-text="The recurrence and add action" lightbox="images/recurrence-add.png"::: 5. Enter the following HTTP fields: - - Method: "GET" as a value to get the list of devices. + - Method: GET as a value to get the list of devices. - URI: Enter `https://api.securitycenter.microsoft.com/api/machines`. - - Authentication: Select "Active Directory OAuth". + - Authentication: Select Active Directory OAuth. - Tenant: Sign-in to https://portal.azure.com and navigate to Microsoft Entra ID > App Registrations and get the Tenant ID value. - Audience: `https://securitycenter.onmicrosoft.com/windowsatpservice\` - Client ID: Sign-in to https://portal.azure.com and navigate to Microsoft Entra ID > App Registrations and get the Client ID value. - - Credential Type: Select "Secret". + - Credential Type: Select Secret. - Secret: Sign-in to https://portal.azure.com and navigate to Microsoft Entra ID > App Registrations and get the Tenant ID value. :::image type="content" source="images/http-conditions.png" alt-text="The HTTP conditions" lightbox="images/http-conditions.png"::: You'll need to have access to: ``` -10. Extract the values from the JSON call and check if the onboarded device(s) is / are already registered at the SharePoint list as an example: +10. Extract the values from the JSON call and check if the onboarded devices is / are already registered at the SharePoint list as an example: - - If yes, no notification will be triggered - - If no, will register the new onboarded device(s) in the SharePoint list and a notification will be sent to the Defender for Endpoint admin + - If yes, no notification is triggered + - If no, will register the newly onboarded devices in the SharePoint list and a notification is sent to the Defender for Endpoint admin :::image type="content" source="images/flow-apply.png" alt-text="The application of the flow to each element" lightbox="images/flow-apply.png"::: The following image is an example of an email notification. - You can filter here using lastSeen only: - Every 60 min: - - Take all devices last seen in the past 7 days. + - Take all devices last seen in the past seven days. - For each device: - If last seen property is on the one hour interval of [-7 days, -7days + 60 minutes] -> Alert for offboarding possibility. - If first seen is on the past hour -> Alert for onboarding. -In this solution you will not have duplicate alerts: -There are tenants that have numerous devices. Getting all those devices might be very expensive and might require paging. +In this solution, you don't have duplicate alerts. + +There are tenants that have numerous devices. Getting all those devices might require paging. You can split it to two queries: 1. For offboarding take only this interval using the OData $filter and only notify if the conditions are met.+ 2. Take all devices last seen in the past hour and check first seen property for them (if the first seen property is on the past hour, the last seen must be there too).++ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
security	Onboarding	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding.md	Title: Onboard to Microsoft Defender for Endpoint description: Learn how to onboard endpoints to Microsoft Defender for Endpoint service -keywords: microsoft defender for endpoint, onboard, deploy -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Overview Client Analyzer	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-client-analyzer.md	Title: Troubleshoot sensor health using Microsoft Defender for Endpoint Client Analyzer description: Troubleshoot sensor health on devices to identify potential configuration, environment, connectivity, or telemetry issue affecting sensor data or capability. -keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Overview Endpoint Detection Response	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response.md	Title: Overview of endpoint detection and response capabilities description: Learn about the endpoint detection and response capabilities in Microsoft Defender for Endpoint -keywords: Microsoft Defender for Endpoint, endpoint detection and response, response, detection, cybersecurity, protection --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Partner Applications	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-applications.md	Title: Partner applications in Microsoft Defender for Endpoint description: View supported partner applications to enhance the detection, investigation, and threat intelligence capabilities of the platform -keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Logo\|Partner name\|Description Logo\|Partner name\|Description :\|:\|: -![Logo for Cyren Web Filter.](images/cyren-logo.png)\|[Cyren Web Filter](https://go.microsoft.com/fwlink/?linkid=2108221)\|Enhance your Defender for Endpoint with advanced Web Filtering +![Logo for Cyren Web Filter.](images/cyren-logo.png)\|[Cyren Web Filter](https://www.cyren.com/security-center/url-category-check)\|Enhance your Defender for Endpoint with advanced Web Filtering ![Logo for Morphisec.](images/morphisec-logo.png)\|[Morphisec](https://go.microsoft.com/fwlink/?linkid=2086215)\|Provides Moving Target Defense-powered advanced threat prevention. Integrates forensics data directly into WD Defender for Cloud dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information ![Logo for THOR Cloud.](images/nextron-thor-logo.png)\|[THOR Cloud](https://go.microsoft.com/fwlink/?linkid=862988)\|Provides on-demand live forensics scans using a signature base with focus on persistent threats
security	Partner Integration	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-integration.md	Title: Microsoft Defender for Endpoint partner opportunities and scenarios -description: Learn how you can extend existing security offerings on top of the open framework and a rich set of APIs to build extensions and integrations with Microsoft Defender for Endpoint -keywords: API, partner, extend, open framework, apis, extensions, integrations, detection, management, response, vulnerabilities, intelligence +description: Learn how you can extend existing security offerings on top of the open framework and a rich set of APIs to build extensions and integrations with Microsoft Defender for Endpoint. -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security The APIs span functional areas including detection, management, response, vulner ## Scenario 1: External alert correlation and Automated investigation and remediation Defender for Endpoint offers unique automated investigation and remediation capabilities to drive incident response at scale. -Integrating the automated investigation and response capability with other solutions such as network security products or other endpoint security products will help to address alerts. The integration also minimizes the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices. +Integrating the automated investigation and response capability with other solutions such as network security products or other endpoint security products help to address alerts. The integration also minimizes the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices. Defender for Endpoint adds support for this scenario in the following forms: Defender for Endpoint adds support for this scenario in the following forms: - Once an alert is generated, the signal is shared across all Defender for Endpoint protected endpoints in the enterprise. Defender for Endpoint takes immediate automated or operator-assisted response to address the alert. ## Scenario 2: Security orchestration and automation response (SOAR) integration -Orchestration solutions can help build playbooks and integrate the rich data model and actions that Defender for Endpoint APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others. +Orchestration solutions can help build playbooks and integrate the rich data model and actions that Defender for Endpoint APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert, and others. ## Scenario 3: Indicators matching Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Defender for Endpoint and gives the ability to set a list of indicators for prevention, detection, and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action. -The above scenarios serve as examples of the extensibility of the platform. You are not limited to the examples and we certainly encourage you to leverage the open framework to discover and explore other scenarios. +The above scenarios serve as examples of the extensibility of the platform. You aren't limited to the examples and we certainly encourage you to use the open framework to discover and explore other scenarios. Follow the steps in [Become a Microsoft Defender for Endpoint partner](get-started-partner-integration.md) to integrate your solution in Defender for Endpoint. -## Related topic +## Related article + - [Overview of management and APIs](management-apis.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
security	Preferences Setup	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preferences-setup.md	ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Prepare Deployment	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prepare-deployment.md	Title: Assign roles and permissions description: Configure permissions deploying Microsoft Defender for Endpoint -keywords: deploy, prepare, permissions, environment, endpoint, server -ms.sitesec: library -ms.pagetype: security -+ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Prevent Changes To Security Settings With Tamper Protection	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md	Title: Protect security settings with tamper protection -+ description: Use tamper protection to prevent malicious apps from changing important security settings. ms.localizationpriority: medium Last updated 02/13/2024 audience: ITPro --++ - nextgen - admindeeplinkDEFENDER search.appverid: met150 - [Microsoft 365 Business Premium](../../business-premium/m365bp-overview.md) Platforms+ - Windows - [macOS](tamperprotection-macos.md)
security	Prevent End User Interaction Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus.md	Title: Hide the Microsoft Defender Antivirus interface description: You can hide virus and threat protection tile in the Windows Security app. ms.localizationpriority: medium--++ Last updated 07/26/2023 -+ You can use Group Policy to prevent users on endpoints from seeing the Microsoft ## Hide the Microsoft Defender Antivirus interface -In Windows 10, versions 1703, hiding the interface will hide Microsoft Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Security app. +In Windows 10, versions 1703, hiding the interface hides Microsoft Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Security app. With the setting set to Enabled: With the setting set to Disabled or not configured: > [!NOTE] > Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender for Endpoint notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) -In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app." +In earlier versions of Windows 10, the setting hides the Windows Defender client interface. If the user attempts to open it, they'll receive a warning that says, "Your system administrator has restricted access to this app." :::image type="content" source="../../media/wdav-headless-mode-1607.png" alt-text="The warning message when headless mode is enabled in Windows 10, versions earlier than 1703" lightbox="../../media/wdav-headless-mode-1607.png"::: ## Use Group Policy to hide the Microsoft Defender Antivirus interface from users -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click Edit. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and select Edit. 2. Using the Group Policy Management Editor go to Computer configuration. -3. Click Administrative templates. +3. Select Administrative templates. 4. Expand the tree to Windows components > Microsoft Defender Antivirus > Client interface. -5. Double-click the Enable headless UI mode setting and set the option to Enabled. Click OK. +5. Double-click the Enable headless UI mode setting and set the option to Enabled. Select OK. -See [Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) for more options on preventing users form modifying protection on their PCs. +See [Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) for more options on preventing users from modifying protection on their PCs. ## Prevent users from pausing a scan -You can prevent users from pausing scans, which can be helpful to ensure scheduled or on-demand scans are not interrupted by users. +You can prevent users from pausing scans, which can be helpful to ensure scheduled or on-demand scans aren't interrupted by users. > [!NOTE] > This setting is not supported on Windows 10. ### Use Group Policy to prevent users from pausing a scan -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click Edit. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and select Edit. 2. Using the Group Policy Management Editor go to Computer configuration. -3. Click Administrative templates. +3. Select Administrative templates. 4. Expand the tree to Windows components \> Microsoft Defender Antivirus \> Scan. -5. Double-click the Allow users to pause scan setting and set the option to Disabled. Click OK. +5. Double-click the Allow users to pause scan setting and set the option to Disabled. Select OK. ## UI Lockdown mode -Indicates whether to disable UI Lockdown mode. If you specify a value of `$True`, Microsoft Defender Antivirus disables UI Lockdown mode. If you specify a value of `$False` or do not specify a value, UI Lockdown mode is enabled. +Indicates whether to disable UI Lockdown mode. If you specify a value of `$True`, Microsoft Defender Antivirus disables UI Lockdown mode. If you specify a value of `$False` or don't specify a value, UI Lockdown mode is enabled. ``` PS C:\>Set-MpPreference -UILockdown $true
security	Preview Settings	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview-settings.md	Title: Turn on the preview experience in Microsoft Defender for Endpoint description: Turn on the preview experience in Microsoft Defender for Endpoint to try upcoming features. -keywords: advanced features, settings, block file -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Preview	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview.md	Title: Microsoft Defender for Endpoint preview features description: Learn how to access Microsoft Defender for Endpoint preview features. -keywords: preview, preview experience, Microsoft Defender for Endpoint, features, updates -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Production Deployment	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/production-deployment.md	Title: Set up Microsoft Defender for Endpoint deployment description: Learn how to set up the deployment for Microsoft Defender for Endpoint -keywords: deploy, setup, licensing validation, tenant configuration, network configuration -+ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Professional Services	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/professional-services.md	Title: Professional services supported by Microsoft Defender XDR description: See the list of professional services that Microsoft Defender XDR can integrate with. -keywords: professional service, managed security services, m365 defender, m365 defender services, mssp, configure, integration, protect, evolve, educate, defender for endpoint, detection -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security The following professional services can be integrated with the Microsoft Defende ## Manage -Managed security services that assist organizations to detect threats early and help minimize the impact of a breach. +Managed security services that assist organizations to detect threats early and help minimize the affects of a breach. \|Service name\|Vendor\|Description\| \|\|\|\| \|[Microsoft Defender Experts](https://go.microsoft.com/fwlink/?linkid=2203232)\|Microsoft\|Defender Experts for Hunting are a proactive threat hunting service for Microsoft Defender XDR.\| \|[Cloud Security Operations Center](https://go.microsoft.com/fwlink/?linkid=2202671)\|glueckkanja-gab AG\|Monitors your Microsoft Security Solutions 24/7, responds to threats on your behalf and works closely with your IT to continuously improve your security posture.\| -\|[Wortell Protect](https://go.microsoft.com/fwlink/?linkid=2202480)\|Wortell\|Wortell offers a 24.7.365 Managed Detection and Response service, SOC-as-a-service, to secure your Azure subscriptions and Microsoft 365 environment. With this managed service, Wortell will provide security monitoring and incident response, and operate Microsoft Defender and (optionally) Microsoft Sentinel on your behalf. The service also includes threat intelligence feeds and custom machine learning models\| -\|[CRITICALSTART┬« Managed Detection & Response Services for Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2202761)\|CRITICALSTART\|Critical Start Managed Detection and Response (MDR) services for Microsoft Defender XDR (M365D) extends security defenses to provide cross-domain threat protection and simplify breach prevention. Their team of Microsoft security experts leverages integration with M365D to detect, investigate and respond with the right actions to alerts from identity, to email and cloud ΓÇô before they disrupt business operations.\| -\|[CRITICALSTART┬« Managed Detection & Response Services for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202844)\|CRITICALSTART\|Critical Start Managed Detection & Response (MDR) service for Microsoft Defender for Endpoint simplifies security across an expanded attack surface by combining Microsoft's cross-enterprise visibility threat detection and auto investigation capabilities with optimized threat detection and response to deliver an 80% reduction in false positives on the first day of production monitoring.\| +\|[Wortell Protect](https://go.microsoft.com/fwlink/?linkid=2202480)\|Wortell\|Wortell offers a 24.7.365 Managed Detection and Response service, SOC-as-a-service, to secure your Azure subscriptions and Microsoft 365 environment. With this managed service, Wortell provides security monitoring and incident response, and operate Microsoft Defender and (optionally) Microsoft Sentinel on your behalf. The service also includes threat intelligence feeds and custom machine learning models\| +\|[CRITICALSTART┬« Managed Detection & Response Services for Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2202761)\|CRITICALSTART\|Critical Start Managed Detection and Response (MDR) services for Microsoft Defender XDR (M365D) extends security defenses to provide cross-domain threat protection and simplify breach prevention. Their team of Microsoft security experts uses integration with M365D to detect, investigate, and respond with the right actions to alerts from identity, to email and cloud ΓÇô before they disrupt business operations.\| +\|[CRITICALSTART┬« Managed Detection & Response Services for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202844)\|CRITICALSTART\|Critical Start Managed Detection & Response (MDR) service for Microsoft Defender for Endpoint simplifies security across an expanded attack surface area. It combines Microsoft's cross-enterprise visibility threat detection, and auto investigation capabilities with optimized threat detection and response to deliver an 80% reduction in false positives on the first day of production monitoring.\| \|[InSpark Cloud Security Center](https://go.microsoft.com/fwlink/?linkid=2202387)\|InSpark\|InSparks' Cloud Security Center is a 24x7 Managed Security Solution including SOC services. It continuously provides your Microsoft cloud platform with the highest level of security.\| -\|[Mandiant MDR for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202388)\|Mandiant, Inc.\|Mandiant Managed Defense protects your business with a managed detection and response (MDR) service fueled by dedicated and frontline IR experts who protect against motivated adversaries with a combination of up-to-the-minute threat intelligence, data science and real-world expertise. Managed Defense helps customers optimize investments in Microsoft technology, maximize resources and accelerate investigations.\| +\|[Mandiant MDR for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202388)\|Mandiant, Inc.\|Mandiant Managed Defense protects your business with a managed detection and response (MDR) service, fueled by dedicated and frontline experts who protect against motivated adversaries. With a combination of up-to-the-minute threat intelligence, data science, and real-world expertise, Managed Defense helps customers optimize investments in technology, maximize resources, and accelerate investigations.\| \|[Onevinn MDR](https://go.microsoft.com/fwlink/?linkid=2202390)\|Onevinn\|Onevinn MDR, Managed Detection and Response, built on Microsoft Defender and Microsoft Sentinel is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.\| \|[SepagoSOC](https://go.microsoft.com/fwlink/?linkid=2202677)\|Sepago GmbH\|SepagoSOC experts ensure that your environment is constantly monitored and protected utilizing the complete range of Microsoft Defender XDR solutions and Microsoft Sentinel. They help you to constantly evolve your security landscape with both technical and organizational experience.\| \|[MDR for Microsoft](https://go.microsoft.com/fwlink/?linkid=2202762)\|Red Canary\|MDR for Microsoft provides 24x7 managed detection, investigation, and response to threats across your Microsoft environment.\| -\|[Security Operations & MDR](https://go.microsoft.com/fwlink/?linkid=2202843)\|BDO\|BDO's Security Operations Center (SOC) provides continuous detection, protection and response for organizations globally. BDO MDR is like having eyes where you don't. It's modern technology and experts make hunting, detecting and responding one less thing to keep up with. Because they have eyes where we don't.\| +\|[Security Operations & MDR](https://go.microsoft.com/fwlink/?linkid=2202843)\|BDO\|BDO's Security Operations Center (SOC) provides continuous detection, protection, and response for organizations globally. BDO MDR is like having eyes where you don't. It's modern technology and experts make hunting, detecting, and responding one less thing to keep up with. Because they have eyes where we don't.\| \|[DXC Managed Endpoint Threat Detection and Response](https://go.microsoft.com/fwlink/?linkid=2202580)\|DXC\|DXC Managed Endpoint Threat Detection and Response gives your organization the capability to successfully detect and respond to threats in your environment. It's powered by Microsoft's Defender for Endpoint and DXC Technology security experts with unparalleled knowledge of global threats,\| \|[Managed Security Services for Microsoft Defender Suite](https://go.microsoft.com/fwlink/?linkid=2202476)\|Dell Technologies\|Dell Technologies is a Global services delivery company with a distributed Security Operations Center that is available 24 by 7 to serve customers with security monitoring and management. They help onboard customers and improve their security posture and offload the burden of hiring and managing a full security team while reaping the benefits of 24 hour detection and response.\| \|[CSIS Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202385)\|CSIS\|Provides 24/7 monitoring and analysis of security alerts giving companies actionable insights into what, when, and how security incidents have taken place.\| \|[MDR for Endpoints](https://go.microsoft.com/fwlink/?linkid=2202676)\|NTT Ltd.\|MDR for Endpoints helps increase your cyber resilience with Managed Detection and Response (MDR) service. Combines 24/7 human & machine expertise, best-of-breed technologies, and global threat intelligence to detect and disrupt hard-to-find attacks, making it more secure.\| -\|[BlueVoyant MDR for Microsoft Defender XDR](https://www.bluevoyant.com/platform/mdr/mdr-for-microsoft)\|BlueVoyant\|BlueVoyant's MDR (Managed Detection and Response) for Microsoft Defender XDR combines the power of Microsoft's Defender product suite with BlueVoyant's elite 24x7 security operations team to identify, investigate and eradicate today's most sophisticated and advanced cyberattacks. In addition to MDR, services can include implementation, assessments, training, concierge, third party integrations, and more.\| +\|[BlueVoyant MDR for Microsoft Defender XDR](https://www.bluevoyant.com/platform/mdr/mdr-for-microsoft)\|BlueVoyant\|BlueVoyant's MDR (Managed Detection and Response) for Microsoft Defender XDR combines the power of Microsoft's Defender product suite with BlueVoyant's elite 24x7 security operations team to identify, investigate, and eradicate today's most sophisticated and advanced cyberattacks. In addition to MDR, services can include implementation, assessments, training, concierge, solution integrations, and more.\| \|[White Hat Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202391)\|White Hat IT Security\|White Hat MSS offers zero trust approach to managed security on every platform ΓÇô scalable and adaptive security from true experts.\| \|[eSentire Managed Detection and Response](https://go.microsoft.com/fwlink/?linkid=2202582)\|eSentire\|MDR you can trust that provides 24/7 threat investigations and responses via Microsoft Defender XDR suite.\| \|[Aujas Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202672)\|Aujas Cybersecurity\|Managed security services that assist organizations to detect threats early and help minimize the impact of a breach.\| \|[Expel for Microsoft](https://go.microsoft.com/fwlink/?linkid=2202477)\|Expel\|Provides 24/7 detection and response for Microsoft Defender for Endpoint, Azure, and Office 365.\| -\|[Managed XDR for Microsoft](https://www.cyberproof.com/security-services/managed-xdr-for-microsoft/)\|CyberProof\|CyberProof's Managed XDR (Extended Detection and Response) for Microsoft identifies intrusions across your enterprise as you migrate to the cloud ΓÇô from applications to endpoints, identities and data - enabling timely response to reduce the impact of the attack. The combination of their human expertise and experience in security operations with Microsoft's 365 Defender and Microsoft Sentinel technology reduces the costs and complexity of adopting and operating a cloud-native cyber defense architecture.\| +\|[Managed XDR for Microsoft](https://www.cyberproof.com/security-services/managed-xdr-for-microsoft/)\|CyberProof\|CyberProof's Managed XDR (Extended Detection and Response) for Microsoft identifies intrusions across your enterprise as you migrate to the cloud ΓÇô from applications to endpoints, identities, and data - enabling timely response to reduce the affects of the attack. The combination of their human expertise and experience in security operations with Microsoft's 365 Defender and Microsoft Sentinel technology reduces the costs and complexity of adopting and operating a cloud-native cyber defense architecture.\| \|[Taegis XDR](https://go.microsoft.com/fwlink/?linkid=2202848)\|Secureworks\|TaegisΓäó ManagedXDR is Secureworks┬« 24x7 managed detection and response service, which helps you detect advanced threats and take the right action. Included threat hunting and incident response capabilities help you scale your security operations as Secureworks uses threat data collected across thousands of customers to improve your security posture. Secureworks' combination of proprietary security analytics software, SecOps expertise, incident response and threat hunting experience, threat intelligence capabilities, and 20-year history of service excellence helps reduce risk to your business.\| -\|[Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)\|The Collective\|The Collective's Cloud Control Managed Protection, Detection and Response services is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch.\| -\|[Nedscaper Managed XDR](https://go.microsoft.com/fwlink/?linkid=2202478)\|Nedscaper\|Nedscaper Manager XDR (MDR) is a Managed Detect and Respond SaaS solution, which provides 24/7 Threat Protection, continues Vulnerability Management and combined Threat Intelligence built on Azure. The Microsoft (365 & Azure) Defender products, plus any non-Microsoft / 3P Security solution, is connected to Microsoft Sentinel as the core platform for the Security analysts.\| -\|[dinext. pi-SOC](https://go.microsoft.com/fwlink/?linkid=2202581)\|dinext AG\|Through a close integration of deployment support, security operations and consulting in hardening and architectural improvements, dinext AG accompanies customers holistically on their way to a modern security environment.\| +\|[Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)\|The Collective\|The Collective's Cloud Control Managed Protection, Detection, and Response services is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch.\| +\|[Nedscaper Managed XDR](https://nedscaper.com/mxdr/)\|Nedscaper\|Nedscaper Manager XDR (MDR) is a Managed Detect and Respond SaaS solution, which provides 24/7 Threat Protection, continues Vulnerability Management and combined Threat Intelligence built on Azure. The Microsoft Defender products and any security solution are connected to Microsoft Sentinel as the core platform for the Security analysts.\| +\|[dinext. pi-SOC](https://dinext-group.com/)\|dinext AG\|Through a close integration of deployment support, security operations and consulting in hardening and architectural improvements, dinext AG accompanies customers holistically on their way to a modern security environment.\| \|[Synergy Advisors Teams App](https://synergyadvisors.biz/e-visor-teams-app/)\|Synergy Advisors LLC\|E-Visor Teams App is a centralized place to involve and empower your end-users in the security and productivity of the organization by presenting unique information using data from Microsoft Defenders and Microsoft Entra ID while ensuring identity governance, and compliance.\| \|[Managed Microsoft XDR](https://www.cyberproof.com/security-services/managed-xdr-for-microsoft/)\|Quorum Cyber\|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.\| \|[SecureShield365](https://patriotconsultingtech.com/)\|Patriot Consulting\|SecureShield365 includes a full deployment of all Microsoft Defender XDR products including Intune plus 12 months of support. Microsoft XDR including Sentinel, Defender for Cloud, and MDR are available options.\| \|[Open Systems MDR+](https://go.microsoft.com/fwlink/?linkid=2208895)\|Open Systems\|Built for Microsoft security customers, MDR+ combines certified experts, exemplary processes, and seamless technology to deliver tailored, 24x7 protection while reducing attack surfaces and MTTR.\| -\|[Kroll](https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder)\|Kroll\|Kroll provides proprietary data, technology and insights to help our clients stay ahead of complex demands related to risk, governance and growth. Our solutions deliver a powerful competitive advantage, enabling faster, smarter and more sustainable decisions. With 5,000 experts around the world, we create value and impact for our clients and communities.\| +\|[Kroll](https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder)\|Kroll\|Kroll provides proprietary data, technology, and insights to help our clients stay ahead of complex demands related to risk, governance, and growth. Our solutions deliver a powerful competitive advantage, enabling faster, smarter and more sustainable decisions. With 5,000 experts around the world, we create value for our clients and communities.\| ## Respond Respond to security incidents quickly, effectively and at scale with complete in \|[Active Remediation](https://go.microsoft.com/fwlink/?linkid=)\|Red Canary\|Red Canary security experts respond to remediate threats on your endpoints, 24x7. Requires Red Canary MDR for Microsoft.\| \|[Onevinn DFIR](https://go.microsoft.com/fwlink/?linkid=2202584)\|Onevinn\|Onevinn DFIR, Digital Defense and Incident Response team, when you're having a breach and you need urgent assistance to gain back control of your IT Environment.\| \|[Cloud Security Operations Center](https://go.microsoft.com/fwlink/?linkid=2202671)\|glueckkanja-gab AG\|Monitors your Microsoft Security Solutions 24/7, respond to threats on your behalf and work closely with your IT to continuously improve your security posture.\| -\|[Wortell Protect](https://go.microsoft.com/fwlink/?linkid=2202480)\|Wortell\|Wortell offers a 24.7.365 Managed Detection and Response service, SOC-as-a-service, to secure your Azure subscriptions and Microsoft 365 environment. With this managed service, Wortell will provide security monitoring and incident response, and operate Microsoft Defender and (optionally) Microsoft Sentinel on your behalf. The service also includes threat intelligence feeds and custom machine learning models\| +\|[Wortell Protect](https://go.microsoft.com/fwlink/?linkid=2202480)\|Wortell\|Wortell offers a 24.7.365 Managed Detection and Response service, SOC-as-a-service, to secure your Azure subscriptions and Microsoft 365 environment. With this managed service, Wortell provides security monitoring and incident response, and operate Microsoft Defender and (optionally) Microsoft Sentinel on your behalf. The service also includes threat intelligence feeds and custom machine learning models\| \|[InSpark Cloud Security Center](https://go.microsoft.com/fwlink/?linkid=2202387)\|InSpark\|InSparks' Cloud Security Center is a 24x7 Managed Security Solution including SOC services. It continuously provides your Microsoft cloud platform with the highest level of security.\| -\|[Mandiant MDR for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202388)\|Mandiant, Inc.\|Mandiant Managed Defense protects your business with a managed detection and response (MDR) service fueled by dedicated and frontline IR experts who protect against motivated adversaries with a combination of up-to-the-minute threat intelligence, data science and real-world expertise. Managed Defense helps customers optimize investments in Microsoft technology, maximize resources and accelerate investigations.\| +\|[Mandiant MDR for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202388)\|Mandiant, Inc.\|Mandiant Managed Defense protects your business with a managed detection and response (MDR) service fueled by dedicated and frontline IR experts who protect against motivated adversaries with a combination of up-to-the-minute threat intelligence, data science, and real-world expertise. Managed Defense helps customers optimize investments in technology, maximize resources, and accelerate investigations.\| \|[Onevinn MDR](https://go.microsoft.com/fwlink/?linkid=2202390)\|Onevinn\|Onevinn MDR, Managed Detection and Response, built on Microsoft Defender and Microsoft Sentinel is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.\| \|[MDR for Microsoft](https://go.microsoft.com/fwlink/?linkid=2202762)\|Red Canary\|24x7 managed detection, investigation, and response to threats across your Microsoft environment.\| -\|[Security Operations & MDR](https://go.microsoft.com/fwlink/?linkid=2202843)\|BDO\|BDO's Security Operations Center (SOC) provides continuous detection, protection and response for organizations globally. BDO MDR is like having eyes where you don't. It's modern technology and experts make hunting, detecting and responding one less thing to keep up with. Because they have eyes where we don't.\| +\|[Security Operations & MDR](https://go.microsoft.com/fwlink/?linkid=2202843)\|BDO\|BDO's Security Operations Center (SOC) provides continuous detection, protection, and response for organizations globally. BDO MDR is like having eyes where you don't. It's modern technology and experts make hunting, detecting, and responding one less thing to keep up with. Because they have eyes where we don't.\| \|[DXC Managed Endpoint Threat Detection and Response](https://go.microsoft.com/fwlink/?linkid=2202580)\|DXC\|DXC Managed Endpoint Threat Detection and Response gives your organization the capability to successfully detect and respond to threats in your environment. Powered by Microsoft's Defender for Endpoint and DXC Technology security experts with unparalleled knowledge of global threats.\| -\|[Managed Security Services for Microsoft Defender Suite](https://go.microsoft.com/fwlink/?linkid=2202476)\|Dell Technologies\|Dell Technologies is a Global services delivery company with a distributed Security Operations Center that is available 24/7 to serve customers with security monitoring and management. They help onboard customers and improve their security posture and offload the burden of hiring and managing a full security team while reaping the benefits of 24 hour detection and response.\| -\|[CSIS Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202385)\|CSIS\|24/7 monitoring and analysis of security alerts giving companies actionable insights into what, when, and how security incidents have taken place.\| +\|[Managed Security Services for Microsoft Defender Suite](https://go.microsoft.com/fwlink/?linkid=2202476)\|Dell Technologies\|Dell Technologies is a Global services delivery company with a distributed Security Operations Center that is available 24/7 to serve customers with security monitoring and management. Dell helps onboard customers and improve their security posture and offload the burden of hiring and managing a full security team while reaping the benefits of 24 hour detection and response.\| +\|[CSIS Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202385)\|CSIS\|24/7 monitoring and analysis of security alerts giving companies actionable insights into what, when, and how security incidents occurred.\| \|[MDR for Endpoints](https://go.microsoft.com/fwlink/?linkid=2202676)\|NTT Ltd.\|Increase your cyber resilience with Managed Detection and Response (MDR) service. Combining 24/7 human & machine expertise, best-of-breed technologies, and global threat intelligence to detect and disrupt hard-to-find attacks, making you more secure.\| -\|[BlueVoyant MDR for Microsoft Defender XDR](https://www.bluevoyant.com/platform/mdr/mdr-for-microsoft)\|BlueVoyant\|BlueVoyant's MDR (Managed Detection and Response) for Microsoft Defender XDR combines the power of Microsoft's Defender product suite with BlueVoyant's elite 24x7 security operations team to identify, investigate and eradicate today's most sophisticated and advanced cyberattacks. In addition to MDR, services can include implementation, assessments, training, concierge, third party integrations, and more.\| +\|[BlueVoyant MDR for Microsoft Defender XDR](https://www.bluevoyant.com/platform/mdr/mdr-for-microsoft)\|BlueVoyant\|BlueVoyant's MDR (Managed Detection and Response) for Microsoft Defender XDR combines the power of Microsoft's Defender product suite with BlueVoyant's elite 24x7 security operations team to identify, investigate, and eradicate today's most sophisticated and advanced cyberattacks. In addition to MDR, services can include implementation, assessments, training, concierge, solution integrations, and more.\| \|[White Hat Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202391)\|White Hat IT Security\|White Hat MSS offers zero trust approach to managed security on every platform ΓÇô scalable and adaptive security from true experts.\| \|[eSentire Managed Detection and Response](https://go.microsoft.com/fwlink/?linkid=2202582)\|eSentire\|MDR you can trust that provides 24/7 threat investigations and responses via Microsoft Defender XDR suite.\| -\|[Aujas Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202672)\|Aujas Cybersecurity\|Managed security services that assist organizations to detect threats early and help minimize the impact of a breach.\| +\|[Aujas Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202672)\|Aujas Cybersecurity\|Managed security services that assist organizations to detect threats early and help minimize the affects of a breach.\| \|[Accenture Managed Extended Detection & Response (MxDR)](https://go.microsoft.com/fwlink/?linkid=2202842)\|Accenture\|Accenture's Managed Extended Detection & Response (MxDR) service provides a fully managed service that proactively finds and mitigates advanced cyber-attacks and malicious activity before they cause material business impact across IT and OT environments, both in the cloud and on-premises.\| \|[Taegis XDR](https://go.microsoft.com/fwlink/?linkid=2202848)\|Secureworks\|TaegisΓäó ManagedXDR is Secureworks┬« 24x7 managed detection and response service, which helps you detect advanced threats and take the right action. Included threat hunting and incident response capabilities help you scale your security operations as Secureworks uses threat data collected across thousands of customers to improve your security posture. Secureworks' combination of proprietary security analytics software, SecOps expertise, incident response and threat hunting experience, threat intelligence capabilities, and 20-year history of service excellence helps reduce risk to your business.\| -\|[Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)\|The Collective\|The Collective's Cloud Control Managed Protection, Detection and Response services is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch.\| -\|[dinext. pi-SOC](https://go.microsoft.com/fwlink/?linkid=2202581)\|dinext AG\|Through a close integration of deployment support, security operations and consulting in hardening and architectural improvements, dinext AG accompanies customers holistically on their way to a modern security environment.\| +\|[Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)\|The Collective\|The Collective's Cloud Control Managed Protection, Detection, and Response solution is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch.\| +\|[dinext. pi-SOC](https://dinext-group.com/)\|dinext AG\|Through a close integration of deployment support, security operations and consulting in hardening and architectural improvements, dinext AG accompanies customers holistically on their way to a modern security environment.\| \|[Synergy Advisors Teams App](https://synergyadvisors.biz/e-visor-teams-app/)\|Synergy Advisors LLC\|E-Visor Teams App is a centralized place to involve and empower your end-users in the security and productivity of the organization by presenting unique information using data from Microsoft Defenders and Microsoft Entra ID while ensuring identity governance, and compliance.\| -\|[SepagoSOC](https://go.microsoft.com/fwlink/?linkid=2202677)\|Sepago GmbH\|SepagoSOC experts ensure that your environment is constantly monitored and protected utilizing the complete range of Microsoft Defender XDR solutions and Microsoft Sentinel.They help you to constantly evolve your security landscape with both technical and organizational experience.\| +\|[SepagoSOC](https://go.microsoft.com/fwlink/?linkid=2202677)\|Sepago GmbH\|SepagoSOC experts ensure that your environment is constantly monitored and protected utilizing the complete range of Microsoft Defender XDR solutions and Microsoft Sentinel.SepagoSOC helps you to constantly evolve your security landscape with both technical and organizational experience.\| \|[SecureShield365](https://patriotconsultingtech.com/)\|Patriot Consulting\|SecureShield365 includes a full deployment of all Microsoft Defender XDR products including Intune plus 12 months of support. Microsoft XDR including Sentinel, Defender for Cloud, and MDR are available options.\| \|[Open Systems MDR+](https://go.microsoft.com/fwlink/?linkid=2208895)\|Open Systems\|Built for Microsoft security customers, MDR+ combines certified experts, exemplary processes, and seamless technology to deliver tailored, 24x7 protection while reducing attack surfaces and MTTR.\| Protect your organization proactively by evaluating your organization's ability \|[Microsoft Defender Experts](https://go.microsoft.com/fwlink/?linkid=2203232)\|Microsoft\|Defender Experts for Hunting is a proactive threat hunting service for Microsoft Defender XDR.\| \|[Microsoft Consulting Services - Security Operations and Threat Protection Services](https://www.microsoft.com/industrysolutions/solutions/security?activetab=pivot1:primaryr4)\|Microsoft\|The Microsoft Consulting Services (MCS) Security Operations and Threat Protection Services (SOTPS), provides a structured approach to modern Security Operations Center (SOC) design and implementation using effective change management techniques so your security professionals can detect attacks faster and respond more effectively.\| \|[Onevinn Threat Hunting](https://go.microsoft.com/fwlink/?linkid=2202584)\|Onevinn\|If your Internal SOC needs an extra pair of eyes looking for threats, Onevinn's Threat Hunters can be purchased as your extended hunting team.\| -\|[Microsoft 365 Security Assessment](https://go.microsoft.com/fwlink/?linkid=2202389)\|Nedscaper\|The Microsoft 365 Security assessment provides a risk-based approach to scan and analyze the security baseline (prevention is better than the cure) and settings of the Microsoft 365 Security products, from Microsoft 365 E3 security products like Microsoft Entra Conditional Access and Microsoft Intune (Microsoft Defender Antivirus policies) to the Microsoft 365 E5 Security products like Microsoft Defender XDR, Microsoft Entra ID Protection and Microsoft Defender for Identity, Devices, Office 365 and Cloud Apps.\| +\|[Microsoft 365 Security Assessment](https://go.microsoft.com/fwlink/?linkid=2202389)\|Nedscaper\|The Microsoft 365 Security assessment provides a risk-based approach to scan and analyze the security baseline (prevention is better than the cure) and settings of the Microsoft 365 Security products, from Microsoft 365 E3 security products like Microsoft Entra Conditional Access and Microsoft Intune (Microsoft Defender Antivirus policies) to the Microsoft 365 E5 Security products like Microsoft Defender XDR, Microsoft Entra ID Protection and Microsoft Defender for Identity, Devices, Microsoft 365, and Cloud Apps.\| \|[Invoke Monthly Microsoft 365 Security Assessments](https://go.microsoft.com/fwlink/?linkid=2202583)\|Invoke LLC\|Provides monthly detailed assessment reports of active threats, vulnerabilities active and Phishing/malware campaigns targeted on your Microsoft 365 Environment. Helps with prescribed mitigations for active threats and improvement actions for recurring threats if any. Monitor Secure score and recommendations, giving your security teams an extra set of eyes to stay on top of risks.\| \|[Cloud Security Operations Center](https://go.microsoft.com/fwlink/?linkid=2202671)\|glueckkanja-gab AG\|Monitors your Microsoft Security Solutions 24/7, respond to threats on your behalf and work closely with your IT to continuously improve your security posture.\| -\|[Wortell Protect](https://go.microsoft.com/fwlink/?linkid=2202480)\|Wortell\|Wortell offers a 24.7.365 Managed Detection and Response service, SOC-as-a-service, to secure your Azure subscriptions and Microsoft 365 environment. With this managed service, Wortell will provide security monitoring and incident response, and operate Microsoft Defender and (optionally) Microsoft Sentinel on your behalf. The service also includes threat intelligence feeds and custom machine learning models\| +\|[Wortell Protect](https://go.microsoft.com/fwlink/?linkid=2202480)\|Wortell\|Wortell offers a 24.7.365 Managed Detection and Response service, SOC-as-a-service, to secure your Azure subscriptions and Microsoft 365 environment. With this managed service, Wortell provides security monitoring and incident response, and operate Microsoft Defender and (optionally) Microsoft Sentinel on your behalf. The service also includes threat intelligence feeds and custom machine learning models\| \|[InSpark Cloud Security Center](https://go.microsoft.com/fwlink/?linkid=2202387)\|InSpark\|InSparks' Cloud Security Center is a 24x7 Managed Security Solution including SOC services. It continuously provides your Microsoft cloud platform with the highest level of security.\| -\|[Mandiant MDR for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202388)\|Mandiant, Inc.\|Mandiant Managed Defense protects your business with a managed detection and response (MDR) service fueled by dedicated and frontline IR experts who protect against motivated adversaries with a combination of up-to-the-minute threat intelligence, data science and real-world expertise. Managed Defense helps customers optimize investments in Microsoft technology, maximize resources and accelerate investigations.\| +\|[Mandiant MDR for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202388)\|Mandiant, Inc.\|Mandiant Managed Defense protects your business with a managed detection and response (MDR) service fueled by dedicated and frontline IR experts who protect against motivated adversaries with a combination of up-to-the-minute threat intelligence, data science, and real-world expertise. Managed Defense helps customers optimize investments in technology, maximize resources, and accelerate investigations.\| \|[Onevinn MDR](https://go.microsoft.com/fwlink/?linkid=2202390)\|Onevinn\|Onevinn MDR, Managed Detection and Response, built on Microsoft Defender and Microsoft Sentinel is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.\| \|[MDR for Microsoft](https://go.microsoft.com/fwlink/?linkid=2202762)\|Red Canary\|24x7 managed detection, investigation, and response to threats across your Microsoft environment.\| -\|[Security Operations & MDR](https://go.microsoft.com/fwlink/?linkid=2202843)\|BDO\|BDO's Security Operations Center (SOC) provides continuous detection, protection and response for organizations globally. BDO MDR is like having eyes where you don't. It's modern technology and experts make hunting, detecting and responding one less thing to keep up with. Because they have eyes where we don't.\| +\|[Security Operations & MDR](https://go.microsoft.com/fwlink/?linkid=2202843)\|BDO\|BDO's Security Operations Center (SOC) provides continuous detection, protection, and response for organizations globally. BDO MDR is like having eyes where you don't. It's modern technology and experts make hunting, detecting, and responding one less thing to keep up with. Because they have eyes where we don't.\| \|[DXC Managed Endpoint Threat Detection and Response](https://go.microsoft.com/fwlink/?linkid=2202580)\|DXC\|DXC Managed Endpoint Threat Detection and Response gives your organization the capability to successfully detect and respond to threats in your environment. Powered by Microsoft's Defender for Endpoint and DXC Technology security experts with unparalleled knowledge of global threats,\| \|[Managed Security Services for Microsoft Defender Suite](https://go.microsoft.com/fwlink/?linkid=2202476)\|Dell Technologies\|Dell Technologies is a Global services delivery company with a distributed Security Operations Center that is available 24 by 7 to serve customers with security monitoring and management. Help onboard customers and improve their security posture and offload the burden of hiring and managing a full security team while reaping the benefits of 24 hour detection and response.\| -\|[BlueVoyant MDR for Microsoft Defender XDR](https://www.bluevoyant.com/platform/mdr/mdr-for-microsoft)\|BlueVoyant\|BlueVoyant's MDR (Managed Detection and Response) for Microsoft Defender XDR combines the power of Microsoft's Defender product suite with BlueVoyant's elite 24x7 security operations team to identify, investigate and eradicate today's most sophisticated and advanced cyberattacks. In addition to MDR, services can include implementation, assessments, training, concierge, third party integrations, and more.\| +\|[BlueVoyant MDR for Microsoft Defender XDR](https://www.bluevoyant.com/platform/mdr/mdr-for-microsoft)\|BlueVoyant\|BlueVoyant's MDR (Managed Detection and Response) for Microsoft Defender XDR combines the power of Microsoft's Defender product suite with BlueVoyant's elite 24x7 security operations team to identify, investigate, and eradicate today's most sophisticated and advanced cyberattacks. In addition to MDR, services can include implementation, assessments, training, concierge, solution integrations, and more.\| \|[White Hat Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202391)\|White Hat IT Security\|White Hat MSS offers zero trust approach to managed security on every platform ΓÇô scalable and adaptive security from true experts.\| \|[eSentire Managed Detection and Response](https://go.microsoft.com/fwlink/?linkid=2202582)\|eSentire\|MDR you can trust that provides 24/7 threat investigations and responses via Microsoft Defender XDR suite.\| \|[Aujas Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202672)\|Aujas Cybersecurity\|Managed security services that assist organizations to detect threats early and help minimize the impact of a breach.\| \|[Accenture Managed Extended Detection & Response (MxDR)](https://go.microsoft.com/fwlink/?linkid=2202842)\|Accenture\|Accenture's Managed Extended Detection & Response (MxDR) service provides a fully managed service that proactively finds and mitigates advanced cyber-attacks and malicious activity before they cause material business impact across IT and OT environments, both in the cloud and on-premises.\| \|[Taegis XDR](https://go.microsoft.com/fwlink/?linkid=2202848)\|Secureworks\|TaegisΓäó ManagedXDR is Secureworks┬« 24x7 managed detection and response service, which helps you detect advanced threats and take the right action. Included threat hunting and incident response capabilities help you scale your security operations as Secureworks uses threat data collected across thousands of customers to improve your security posture. Secureworks' combination of proprietary security analytics software, SecOps expertise, incident response and threat hunting experience, threat intelligence capabilities, and 20-year history of service excellence helps reduce risk to your business.\| \|[Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)\|The Collective\|The Collective's Cloud Control Managed Protection, Detection and Response services is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch.\| -\|[dinext. pi-SOC](https://go.microsoft.com/fwlink/?linkid=2202581)\|dinext AG\|Through a close integration of deployment support, security operations and consulting in hardening and architectural improvements, dinext AG accompanies customers holistically on their way to a modern security environment.\| +\|[dinext. pi-SOC](https://dinext-group.com/)\|dinext AG\|Through a close integration of deployment support, security operations and consulting in hardening and architectural improvements, dinext AG accompanies customers holistically on their way to a modern security environment.\| \|[Synergy Advisors Teams App](https://synergyadvisors.biz/e-visor-teams-app/)\|Synergy Advisors LLC\|E-Visor Teams App is a centralized place to involve and empower your end-users in the security and productivity of the organization by presenting unique information using data from Microsoft Defenders and Microsoft Entra ID while ensuring identity governance, and compliance.\| \|[Managed Microsoft XDR](https://www.cyberproof.com/security-services/managed-xdr-for-microsoft/)\|Quorum Cyber\|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.\| \|[SepagoSOC](https://go.microsoft.com/fwlink/?linkid=2202677)\|Sepago GmbH\|SepagoSOC experts ensure that your environment is constantly monitored and protected utilizing the complete range of Microsoft Defender XDR solutions and Microsoft Sentinel. They help you to constantly evolve your security landscape with both technical and organizational experience.\| Protect your organization proactively by evaluating your organization's ability ## Evolve -Evolve your organization's security posture through improved processes and technologies that will up-level threat detection, containment, and remediation capabilities. +Evolve your organization's security posture through improved processes and technologies that up-level threat detection, containment, and remediation capabilities. \|Service name\|Vendor\|Description\| \|\|\|\| -\|[CRITICALSTART┬« Cybersecurity Consulting +\|[CRITICALSTART┬« Cybersecurity Consulting \|[Sepago Adapt](https://go.microsoft.com/fwlink/?linkid=2202677)\|Sepago GmbH\|Working with the full range of Microsoft Defender solutions requires a change in processes. Combining Microsoft and sepago best practices and your company-knowledge, together we'll build and establish processes for your organization to enable you to fully utilize the Defender solutions.\| \|[Zero Trust by Onevinn](https://go.microsoft.com/fwlink/?linkid=2202584)\|Onevinn\|Get started with Zero Trust by fully utilize your investment in Microsoft 365 Security Features\| \|[Cloud Security Operations Center](https://go.microsoft.com/fwlink/?linkid=2202671)\|glueckkanja-gab AG\|Monitors your Microsoft Security Solutions 24/7, respond to threats on your behalf and work closely with your IT to continuously improve your security posture.\| -\|[Wortell Protect](https://go.microsoft.com/fwlink/?linkid=2202480)\|Wortell\|Wortell offers a 24.7.365 Managed Detection and Response service, SOC-as-a-service, to secure your Azure subscriptions and Microsoft 365 environment. With this managed service, Wortell will provide security monitoring and incident response, and operate Microsoft Defender and (optionally) Microsoft Sentinel on your behalf. The service also includes threat intelligence feeds and custom machine learning models\| -\|[Mandiant MDR for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202388)\|Mandiant, Inc.\|Mandiant Managed Defense protects your business with a managed detection and response (MDR) service fueled by dedicated and frontline IR experts who protect against motivated adversaries with a combination of up-to-the-minute threat intelligence, data science and real-world expertise. Managed Defense helps customers optimize investments in Microsoft technology, maximize resources and accelerate investigations.\| +\|[Wortell Protect](https://go.microsoft.com/fwlink/?linkid=2202480)\|Wortell\|Wortell offers a 24.7.365 Managed Detection and Response service, SOC-as-a-service, to secure your Azure subscriptions and Microsoft 365 environment. With this managed service, Wortell provides security monitoring and incident response, and operate Microsoft Defender and (optionally) Microsoft Sentinel on your behalf. The service also includes threat intelligence feeds and custom machine learning models\| +\|[Mandiant MDR for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202388)\|Mandiant, Inc.\|Mandiant Managed Defense protects your business with a managed detection and response (MDR) service fueled by dedicated and frontline IR experts who protect against motivated adversaries with a combination of up-to-the-minute threat intelligence, data science, and real-world expertise. Managed Defense helps customers optimize investments in Microsoft technology, maximize resources, and accelerate investigations.\| \|[MDR for Microsoft](https://go.microsoft.com/fwlink/?linkid=2202762)\|Red Canary\|24x7 managed detection, investigation, and response to threats across your Microsoft environment.\| -\|[Security Operations & MDR](https://go.microsoft.com/fwlink/?linkid=2202843)\|BDO\|BDO's Security Operations Center (SOC) provides continuous detection, protection and response for organizations globally. BDO MDR is like having eyes where you don't. It's modern technology and experts make hunting, detecting and responding one less thing to keep up with. Because they have eyes where we don't.\| +\|[Security Operations & MDR](https://go.microsoft.com/fwlink/?linkid=2202843)\|BDO\|BDO's Security Operations Center (SOC) provides continuous detection, protection, and response for organizations globally. BDO MDR is like having eyes where you don't. It's modern technology and experts make hunting, detecting, and responding one less thing to keep up with. Because they have eyes where we don't.\| \|[DXC Managed Endpoint Threat Detection and Response](https://go.microsoft.com/fwlink/?linkid=2202580)\|DXC\|DXC Managed Endpoint Threat Detection and Response gives your organization the capability to successfully detect and respond to threats in your environment. Powered by Microsoft's Defender for Endpoint and DXC Technology security experts with unparalleled knowledge of global threats,\| -\|[BlueVoyant MDR for Microsoft Defender XDR](https://www.bluevoyant.com/platform/mdr/mdr-for-microsoft)\|BlueVoyant\|BlueVoyant's MDR (Managed Detection and Response) for Microsoft Defender XDR combines the power of Microsoft's Defender product suite with BlueVoyant's elite 24x7 security operations team to identify, investigate and eradicate today's most sophisticated and advanced cyberattacks. In addition to MDR, services can include implementation, assessments, training, concierge, third party integrations, and more.\| +\|[BlueVoyant MDR for Microsoft Defender XDR](https://www.bluevoyant.com/platform/mdr/mdr-for-microsoft)\|BlueVoyant\|BlueVoyant's MDR (Managed Detection and Response) for Microsoft Defender XDR combines the power of Microsoft's Defender product suite with BlueVoyant's elite 24x7 security operations team to identify, investigate, and eradicate today's most sophisticated and advanced cyberattacks. In addition to MDR, services can include implementation, assessments, training, concierge, solution integrations, and more.\| \|[White Hat Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202391)\|White Hat IT Security\|White Hat MSS offers zero trust approach to managed security on every platform ΓÇô scalable and adaptive security from true experts.\| \|[Taegis XDR](https://go.microsoft.com/fwlink/?linkid=2202848)\|Secureworks\|TaegisΓäó ManagedXDR is Secureworks┬« 24x7 managed detection and response service, which helps you detect advanced threats and take the right action. Included threat hunting and incident response capabilities help you scale your security operations as Secureworks uses threat data collected across thousands of customers to improve your security posture. Secureworks' combination of proprietary security analytics software, SecOps expertise, incident response and threat hunting experience, threat intelligence capabilities, and 20-year history of service excellence helps reduce risk to your business.\| -\|[Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)\|The Collective\|The Collective's Cloud Control Managed Protection, Detection and Response services is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch.\| -\|[dinext. pi-SOC](https://go.microsoft.com/fwlink/?linkid=2202581)\|dinext AG\|Through a close integration of deployment support, security operations and consulting in hardening and architectural improvements, it accompanies customers holistically on their way to a modern security environment.\| +\|[Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)\|The Collective\|The Collective's Cloud Control Managed Protection, Detection, and Response solution is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch.\| +\|[dinext. pi-SOC](https://dinext-group.com/)\|dinext AG\|Through a close integration of deployment support, security operations and consulting in hardening and architectural improvements, it accompanies customers holistically on their way to a modern security environment.\| \|[Managed Microsoft XDR](https://www.cyberproof.com/security-services/managed-xdr-for-microsoft/)\|Quorum Cyber\|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.\| \|[SepagoSOC](https://go.microsoft.com/fwlink/?linkid=2202677)\|Sepago GmbH\|SepagoSOC experts ensure that your environment is constantly monitored and protected utilizing the complete range of Microsoft Defender XDR solutions and Microsoft Sentinel. They help you to constantly evolve your security landscape with both technical and organizational experience.\| \|[SecureShield365](https://patriotconsultingtech.com/)\|Patriot Consulting\|SecureShield365 includes a full deployment of all Microsoft Defender XDR products including Intune plus 12 months of support. Microsoft XDR including Sentinel, Defender for Cloud, and MDR are available options.\| Mature and maintain your internal team's security capabilities to prevent, detec \|Service name\|Vendor\|Description\| \|\|\|\| -\|[CRITICALSTART┬« Cybersecurity Advisory +\|[CRITICALSTART┬« Cybersecurity Advisory \|[Chief 365 Defender](https://go.microsoft.com/fwlink/?linkid=2202584)\|Onevinn\|This course is aimed at IT security professionals and IT architects who want to get "Best Practices From the Field" within Microsoft 365 security and management of the Microsoft Defender XDR security suite.\| \|[Onevinn Chief Hunter](https://go.microsoft.com/fwlink/?linkid=2202584)\|Onevinn\|Onevinn Chief Hunter is a detection training on how to build proper detection in Microsoft Sentinel together with Microsoft Defender XDR.\| \|[Defend Against Threats with SIEM Plus XDR](https://go.microsoft.com/fwlink/?linkid=2202479)\|Netrix\|Enable customers with visibility into immediate threats across email, identity & data & how Microsoft Sentinel & Defender detect & quickly stop active threats\| \|[Defend Against Threats with SIEM Plus XDR Workshop](https://go.microsoft.com/fwlink/?linkid=2202479)\|Netrix\|Organizations today are managing a growing volume of data and alerts while dealing with tight budgets and vulnerable legacy systems. Get help achieving your broader security objectivesΓÇöand identify current and real threatsΓÇöby scheduling a Defend Against Threats with SIEM Plus XDR Workshop\| -\|[Secure Multi-Cloud Environments Workshop](https://go.microsoft.com/fwlink/?linkid=2202479)\|Netrix\|As the use of cloud services continues to grow, cyber risks and threats continue to evolve. Get help achieving your hybrid and multi-cloud security objectivesΓÇöand identify current and real threatsΓÇöby scheduling a Secure Multi-Cloud Environments Workshop.\| +\|[Secure Multicloud Environments Workshop](https://go.microsoft.com/fwlink/?linkid=2202479)\|Netrix\|As the use of cloud services continues to grow, cyber risks and threats continue to evolve. Get help achieving your hybrid and multicloud security objectivesΓÇöand identify current and real threatsΓÇöby scheduling a Secure Multicloud Environments Workshop.\| \|[Mitigate Compliance & Privacy Risks Workshop](https://go.microsoft.com/fwlink/?linkid=2202479)\|Netrix\|As your business-critical data expands and your workforce shifts to remote work, having an integrated approach that can help quickly identify, triage, and act on risky insider user activity is more important than ever. The Mitigate Compliance & Privacy Risks Workshop gives you the insights you need to understand insider and privacy risks in your organization.\| -\|[Secure Identities & Access Workshop](https://go.microsoft.com/fwlink/?linkid=2202479)\|Netrix\|Given the complexity of identities, data, applications, and devices, it's essential to learn how to ensure the right people are accessing the right information, securely. In this workshop, we'll show you how identity is the fundamental pillars of an integrated security philosophy and end-to-end security strategy.\| +\|[Secure Identities & Access Workshop](https://go.microsoft.com/fwlink/?linkid=2202479)\|Netrix\|Given the complexity of identities, data, applications, and devices, it's essential to learn how to ensure the right people are accessing the right information, securely. In this workshop, we show you how identity is the fundamental pillars of an integrated security philosophy and end-to-end security strategy.\| \|[Microsoft Defender XDR Professional Services](https://go.microsoft.com/fwlink/?linkid=2202675)\|Netwoven\|Consulting and deployment services for the Defender suite\| -\|[Wortell Protect](https://go.microsoft.com/fwlink/?linkid=2202480)\|Wortell\|Wortell offers a 24.7.365 Managed Detection and Response service, SOC-as-a-service, to secure your Azure subscriptions and Microsoft 365 environment. With this managed service, Wortell will provide security monitoring and incident response, and operate Microsoft Defender and (optionally) Microsoft Sentinel on your behalf. The service also includes threat intelligence feeds and custom machine learning models\| -\|[Mandiant MDR for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202388)\|Mandiant, Inc.\|Mandiant Managed Defense protects your business with a managed detection and response (MDR) service fueled by dedicated and frontline IR experts who protect against motivated adversaries with a combination of up-to-the-minute threat intelligence, data science and real-world expertise. Managed Defense helps customers optimize investments in Microsoft technology, maximize resources and accelerate investigations.\| -\|[BlueVoyant MDR for Microsoft Defender XDR](https://www.bluevoyant.com/platform/mdr/mdr-for-microsoft)\|BlueVoyant\|BlueVoyant's MDR (Managed Detection and Response) for Microsoft Defender XDR combines the power of Microsoft's Defender product suite with BlueVoyant's elite 24x7 security operations team to identify, investigate and eradicate today's most sophisticated and advanced cyberattacks. In addition to MDR, services can include implementation, assessments, training, concierge, third party integrations, and more.\| +\|[Wortell Protect](https://go.microsoft.com/fwlink/?linkid=2202480)\|Wortell\|Wortell offers a 24.7.365 Managed Detection and Response service, SOC-as-a-service, to secure your Azure subscriptions and Microsoft 365 environment. With this managed service, Wortell provides security monitoring and incident response, and operate Microsoft Defender and (optionally) Microsoft Sentinel on your behalf. The service also includes threat intelligence feeds and custom machine learning models\| +\|[Mandiant MDR for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202388)\|Mandiant, Inc.\|Mandiant Managed Defense protects your business with a managed detection and response (MDR) service fueled by dedicated and frontline IR experts who protect against motivated adversaries with a combination of up-to-the-minute threat intelligence, data science, and real-world expertise. Managed Defense helps customers optimize investments in Microsoft technology, maximize resources, and accelerate investigations.\| +\|[BlueVoyant MDR for Microsoft Defender XDR](https://www.bluevoyant.com/platform/mdr/mdr-for-microsoft)\|BlueVoyant\|BlueVoyant's MDR (Managed Detection and Response) for Microsoft Defender XDR combines the power of Microsoft's Defender product suite with BlueVoyant's elite 24x7 security operations team to identify, investigate, and eradicate today's most sophisticated and advanced cyberattacks. In addition to MDR, services can include implementation, assessments, training, concierge, solution integrations, and more.\| \|[White Hat Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202391)\|White Hat IT Security\|White Hat MSS offers zero trust approach to managed security on every platform ΓÇô scalable and adaptive security from true experts.\| -\|[Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)\|The Collective\|The Collective's Cloud Control Managed Protection, Detection and Response services is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch.\| +\|[Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)\|The Collective\|The Collective's Cloud Control Managed Protection, Detection, and Response solution is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch.\| \|[Synergy Advisors Teams App](https://synergyadvisors.biz/e-visor-teams-app/)\|Synergy Advisors LLC\|E-Visor Teams App is a centralized place to involve and empower your end-users in the security and productivity of the organization by presenting unique information using data from Microsoft Defenders and Microsoft Entra ID while ensuring identity governance, and compliance.\| \|[Managed Microsoft XDR](https://www.cyberproof.com/security-services/managed-xdr-for-microsoft/)\|Quorum Cyber\|Quorum Cyber's Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security.\| \|[SecureShield365](https://patriotconsultingtech.com/)\|Patriot Consulting\|SecureShield365 includes a full deployment of all Microsoft Defender XDR products including Intune plus 12 months of support. Microsoft XDR including Sentinel, Defender for Cloud, and MDR are available options.\| -## Related topics +## Related articles - [Use the Microsoft Graph security API - Microsoft Graph \| Microsoft Learn](/graph/api/resources/security-api-overview)
security	Rbac	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/rbac.md	Title: Use role-based access control to grant fine-grained access to Microsoft Defender portal description: Create roles and groups within your security operations to grant access to the portal. -keywords: rbac, role, based, access, control, groups, control, tier, aad -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Respond File Alerts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-file-alerts.md	ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Respond Machine Alerts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md	ms.localizationpriority: medium Last updated 12/15/2023-+ audience: ITPro - m365-security
security	Restore Quarantined Files Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus.md	Title: Restore quarantined files in Microsoft Defender Antivirus description: You can restore quarantined files and folders in Microsoft Defender Antivirus. ms.localizationpriority: medium--++ Last updated 08/28/2023 -+
security	Review Alerts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-alerts.md	Title: Review alerts in Microsoft Defender for Endpoint description: Review alert information, including a visualized alert story and details for each step of the chain. -keywords: incident, incidents, machines, devices, users, alerts, alert, investigation, graph, evidence -ms.pagetype: security f1.keywords: - NOCSH ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Review Detected Threats	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-detected-threats.md	Title: Review detected threats using the Microsoft Defender for Endpoint Antivirus and Intune integration description: Use the Microsoft Defender for Endpoint Antivirus and Intune integration to view and manage threat detections. -keywords: detect, threats, detected threats, devices, URL, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Review Scan Results Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus.md	Title: Review the results of Microsoft Defender Antivirus scans description: Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app ms.localizationpriority: medium--++ Last updated 12/11/2023 -+
security	Run Analyzer Macos Linux	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux.md	description: Learn how to run the Microsoft Defender for Endpoint Client Analyze f1.keywords: - NOCSH--++ ms.localizationpriority: medium Last updated 02/02/2024-+ audience: ITPro - m365-security
security	Run Analyzer Windows	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-windows.md	Title: Run the client analyzer on Windows description: Learn how to run the Microsoft Defender for Endpoint Client Analyzer on Windows. -keywords: client analyzer, troubleshoot sensor, analyzer, mdeanalyzer, windows f1.keywords: - NOCSH--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Run Detection Test	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-detection-test.md	Title: Run a detection test on a device to verify it has been properly onboarded to Microsoft Defender for Endpoint + Title: Run a detection test on a device recently onboarded to Microsoft Defender for Endpoint description: Run the detection test script on a device recently onboarded to the Microsoft Defender for Endpoint service to verify that it's properly added. search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium Last updated 04/24/2023-+ audience: ITPro - m365-security -# Run a detection test on a newly onboarded Microsoft Defender for Endpoint device +# Run a detection test on a device recently onboarded to Microsoft Defender for Endpoint [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)] > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) -When you add a device to the Microsoft Defender for Endpoint service for management, this is also called onboarding devices. Onboarding allows devices to report signals about their health status to the service. +When you add a device to the Microsoft Defender for Endpoint service for management, it's referred to as onboarding. Onboarding allows devices to report signals about their health status to the service. -Making sure, or verifying, that a device has been added to the service successfully is a critical step in the entire deployment process. It assures that all the devices expected are being managed. +Verifying that a device is added to the service successfully is a critical step in the entire deployment process. It helps ensure that all the devices expected are being managed. ## Verify Microsoft Defender for Endpoint onboarding of a device using a PowerShell detection test The Command Prompt window closes automatically. If successful, a new alert appea > [!NOTE] > You can also use the EICAR test string to perform this test. Create a text file, paste the EICAR line, and save the file as an executable file to your endpoint's local drive. You will receive a test endpoint notification and an alert in the Microsoft Defender portal. -## Related topics +## Related articles - [Onboard Windows devices](configure-endpoints.md) - [Onboard servers](configure-server-endpoints.md)
security	Run Scan Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus.md	description: Run and configure on-demand scans using PowerShell, Windows Managem ms.localizationpriority: medium --++ Last updated 12/15/2023 -+ - m365-security
security	Schedule Antivirus Scan In Mde	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scan-in-mde.md	Title: How to schedule an antivirus scan using Anacron in Microsoft Defender for Endpoint on Linux description: Learn how to schedule an antivirus scan in Microsoft Defender for Endpoint on Linux for better protection of your organization's assets. -keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, scans, antivirus, microsoft defender for endpoint on linux -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium Last updated 12/02/2022-+ audience: ITPro - m365-security
security	Schedule Antivirus Scans Group Policy	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-group-policy.md	Title: Schedule antivirus scans using Group Policy description: Use Group Policy to set up antivirus scans -keywords: quick scan, full scan, schedule, group policy, antivirus -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium--++ Last updated 03/06/2023 -+
security	Schedule Antivirus Scans Powershell	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-powershell.md	Title: Schedule antivirus scans using PowerShell description: Schedule antivirus scans using PowerShell -keywords: quick scan, full scan, antivirus, schedule, PowerShell -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium--++ Last updated 10/18/2021 -+
security	Schedule Antivirus Scans Wmi	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-wmi.md	Title: Schedule antivirus scans using Windows Management Instrumentation description: Schedule antivirus scans using WMI -keywords: quick scan, full scan, WMI, schedule, antivirus -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium--++ Previously updated : 10/18/2021-- Last updated : 02/21/2024++ search.appverid: met150 # Schedule antivirus scans using Windows Management Instrumentation (WMI) Applies to: +- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) +- [Microsoft Defender for Business - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - Microsoft Defender Antivirus Platforms - Windows +- Windows Server This article describes how to configure scheduled scans using WMI. To learn more about scheduling scans and about scan types, see [Configure scheduled quick or full Microsoft Defender Antivirus scans](schedule-antivirus-scans.md).
security	Schedule Antivirus Scans	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans.md	Title: Schedule regular quick and full scans with Microsoft Defender Antivirus description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans ms.localizationpriority: medium--++ Last updated 12/14/2023 -+
security	Server Migration	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/server-migration.md	Title: Server migration scenarios for the new version of Microsoft Defender for Endpoint description: Read this article to get an overview of how to migrate your servers from the previous, MMA-based solution to the current Defender for Endpoint unified solution package. -keywords: migrate server, server, 2012r2, 2016, server migration, device management, configure Microsoft Defender for Endpoint servers, onboard Microsoft Defender for Endpoint servers -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium Last updated 09/19/2022-+ audience: ITPro - m365-security
security	Specify Cloud Protection Level Microsoft Defender Antivirus	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus.md	description: Set your level of cloud protection for Microsoft Defender Antivirus ms.localizationpriority: medium --++ Last updated 04/11/2023 -+
security	Supported Capabilities By Platform	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/supported-capabilities-by-platform.md	Title: Supported Microsoft Defender for Endpoint capabilities by platform description: Get to know the Microsoft Defender for Endpoint capabilities supported for Windows 10 devices, servers, and non-Windows devices. -keywords: onboarding, Microsoft Defender for Endpoint onboarding, sccm, group policy, mdm, local script, detection test -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Switch To Mde Overview	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-overview.md	Title: Migrate to Microsoft Defender for Endpoint from non-Microsoft endpoint protection description: Move to Microsoft Defender for Endpoint, which includes Microsoft Defender Antivirus for your endpoint protection solution. -keywords: migration, windows defender, advanced endpoint protection, antivirus, antimalware, passive mode, active mode -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Switch To Mde Phase 1	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-1.md	Title: Migrate to Microsoft Defender for Endpoint - Prepare description: Get ready to move to Microsoft Defender for Endpoint. Update your devices and configure your network connections. --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Switch To Mde Phase 2	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2.md	Title: Migrate to Microsoft Defender for Endpoint - Setup description: Move to Defender for Endpoint. Review the setup process, which includes installing Microsoft Defender Antivirus. --++ ms.localizationpriority: medium Last updated 10/24/2023-+ audience: ITPro - m365-security
security	Switch To Mde Phase 3	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3.md	Title: Migrate to Microsoft Defender for Endpoint - Onboard description: Move to Microsoft Defender for Endpoint. Onboard devices and then uninstall your non-Microsoft solution. --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Switch To Mde Troubleshooting	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-troubleshooting.md	Title: Troubleshooting issues when moving to Microsoft Defender for Endpoint description: Learn how to troubleshoot issues when you migrate to Microsoft Defender for Endpoint. --++ ms.localizationpriority: medium-+ audience: ITPro - m365solution-scenario
security	Tamper Resiliency	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tamper-resiliency.md	Title: Tamper resiliency with Microsoft Defender for Endpoint description: Learn about the anti-tampering capabilities of Microsoft Defender for Endpoint.---+++
security	Tamperprotection Macos	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tamperprotection-macos.md	Title: Protect macOS security settings with tamper protection description: Use tamper protection to prevent malicious apps from changing important macOS security settings. --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Techniques Device Timeline	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/techniques-device-timeline.md	Title: Techniques in the device timeline description: Understanding the device timeline in Microsoft Defender for Endpoint -keywords: device timeline, endpoint, MITRE, MITRE ATT&CK, techniques, tactics -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Technological Partners	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/technological-partners.md	Title: Technological partners of Microsoft Defender XDR -description: View technological partners of M365 Defender to enhance detection, investigation, and threat intelligence capabilities of the platform. +description: View technological partners of Microsoft 365 Defender to enhance detection, investigation, and threat intelligence capabilities of the platform. --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security The following are the solution's categories: - Business cloud applications - Threat and vulnerability management - Secure service edge-- Additional integrations +- Other integrations ## Supported integrations and partners The following are the solution's categories: \|[Microsoft Sentinel](https://go.microsoft.com/fwlink/?linkid=2201962)\|Microsoft\|Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response.\| \|[ArcSight](https://go.microsoft.com/fwlink/?linkid=2202142)\|Micro Focus\|ArcSight provides multiple analytics capabilities for correlation, search, UEBA, enhanced and automated response, and log management.\| \|[Splunk SOAR](https://go.microsoft.com/fwlink/?linkid=2201773)\|Splunk\|Splunk SOAR orchestrates workflows and automates tasks in seconds to work smarter and respond faster.\| -\|[Security Incident Response](https://go.microsoft.com/fwlink/?linkid=2201874)\|ServiceNow\|The ServiceNow┬« Security Incident Response application tracks the progress of security incidents from discovery and initial analysis, through containment, eradication, and recovery, and into the final post-incident review, knowledge base article creation, and closure.\| +\|[Security Incident Response](https://go.microsoft.com/fwlink/?linkid=2201874)\|ServiceNow\|The ServiceNow® Security Incident Response application tracks the progress of security incidents from discovery and initial analysis, through containment, eradication, and recovery, and into the final post-incident review, knowledge base article creation, and closure.\| \|[Swimlane](https://go.microsoft.com/fwlink/?linkid=2202140)\|Swimlane Inc\|Automates your incident response capabilities with Swimlane (SOAR) and Microsoft Defender.\| -\|[InsightConnect](https://go.microsoft.com/fwlink/?linkid=2201877)\|Rapid7\|InsightConnect provides security orchestration, automation and response solution that accelerates incident response and vulnerability management processes.\| -\|[Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2201777)\|Palo Alto Networks\|Demisto integrates with Microsoft Defender for Endpoint to enable security teams to orchestrate and automate endpoint security monitoring, enrichment and response.\| +\|[InsightConnect](https://go.microsoft.com/fwlink/?linkid=2201877)\|Rapid7\|InsightConnect provides security orchestration, automation, and response solution that accelerates incident response and vulnerability management processes.\| +\|[Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2201777)\|Palo Alto Networks\|Demisto integrates with Microsoft Defender for Endpoint to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response.\| ### Breach and attack simulation (BAS) \|Product name\|Vendor\|Description\| \|\|\|\| -\|[SafeBreach](https://go.microsoft.com/fwlink/?linkid=2201775)\|SafeBreach\|SafeBreach continuously executes attacks, correlates results to help visualize security gaps, and leverages contextual insights to highlight remediation efforts. With its Hacker's PlaybookΓäó, the industry's most extensive collection of attack data enabled by state-of-the-art threat intelligence research, SafeBreach empowers organizations to get proactive about security with a simple approach that replaces hope with data.\| +\|[SafeBreach](https://go.microsoft.com/fwlink/?linkid=2201775)\|SafeBreach\|SafeBreach continuously executes attacks, correlates results to help visualize security gaps, and uses contextual insights to highlight remediation efforts. With its Hacker's Playbook™, the industry's most extensive collection of attack data enabled by state-of-the-art threat intelligence research, SafeBreach empowers organizations to get proactive about security with a simple approach that replaces hope with data.\| \|[Extended Security Posture Management (XSPM)](https://go.microsoft.com/fwlink/?linkid=2201771)\|Cymulate\|Cymulate's Extended Security Posture Management enables companies to challenge, assess, and optimize their cybersecurity posture.\| \|[Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2201967)\|SkyBox\|Develops a vulnerability program strategy that accurately analyzes exposure risk across hybrid attack surface and prioritize the remediation.\| \|[Attack Path Management](https://go.microsoft.com/fwlink/?linkid=2201774)\|XM Cyber\|Attack Path Management is a hybrid cloud security company providing attack path management changing the ways organizations approach cyber risk.\| -\|[Better Mobile Security Platform](https://go.microsoft.com/fwlink/?linkid=2202043)\|Better Mobile Security Inc.\|Provides solution for Threat, Phishing and Privacy Protection and Simulation.\| +\|[Better Mobile Security Platform](https://go.microsoft.com/fwlink/?linkid=2202043)\|Better Mobile Security Inc.\|Provides solution for Threat, Phishing, and Privacy Protection and Simulation.\| ### Threat intelligence The following are the solution's categories: \|\|\|\| \|[Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2201878)\|Aruba, a Hewlett Packard Enterprise company\|Network Access Control applies consistent policies and granular security controls to wired and wireless networks\| \|[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=2201969)\|Vectra\|Vectra applies AI & security research to detect and respond to cyber-attacks in real time.\| -\|[Blue Hexagon for Network](https://go.microsoft.com/fwlink/?linkid=2201780)\|Blue Hexagon\|Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection.\| +\|[Blue Hexagon for Network](https://go.microsoft.com/fwlink/?linkid=2201780)\|Blue Hexagon\|Blue Hexagon built the industry's first real-time deep learning platform for network threat protection.\| \|[CyberMDX](https://go.microsoft.com/fwlink/?linkid=2201880)\|CyberMDX\|Cyber MDX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Microsoft Defender for Endpoint environment.\| \|[HYAS Protect](https://www.hyas.com/hyas-protect)\|HYAS\|HYAS Protect utilizes authoritative knowledge of attacker infrastructure to proactively protect MDE endpoints from cyber attacks.\| -\|[Better Mobile Security Platform](https://go.microsoft.com/fwlink/?linkid=2202043)\|Better Mobile Security Inc.\|Provides solution for Threat, Phishing and Privacy Protection and Simulation.\| +\|[Better Mobile Security Platform](https://go.microsoft.com/fwlink/?linkid=2202043)\|Better Mobile Security Inc.\|Provides solution for Threat, Phishing, and Privacy Protection and Simulation.\| \|[Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2201965)\|Skybox security\|Global security posture management leader with solutions for vulnerability management and network security policy management.\| ### Identity security The following are the solution's categories: \|Product name\|Vendor\|Description\| \|\|\|\| \|[Illusive Platform](https://go.microsoft.com/fwlink/?linkid=2201778)\|Illusive Networks\|Illusive continuously discovers and automatically remediates identity vulnerabilities, and it detects attacks using deceptive controls.\| -\|[Silverfort](https://go.microsoft.com/fwlink/?linkid=2201873)\|Silverfort\|Enforces Microsoft Entra Conditional Access and MFA across any user system and environment on-prem and in the cloud.\| +\|[Silverfort](https://go.microsoft.com/fwlink/?linkid=2201873)\|Silverfort\|Enforces Microsoft Entra Conditional Access and MFA across any user system and environment on-premises and in the cloud.\| ### Cross platform \|Product name\|Vendor\|Description\| \|\|\|\| -\|[Corrata Mobile Security](https://go.microsoft.com/fwlink/?linkid=2201879)\|Corrata\|Corrata is an immune system for mobile devices and tablets that detects & protects mobile devices from the full spectrum of security threats like phishing, malware, man-in-the-middle attacks and data loss.\| -\|[Better Mobile Security Platform](https://go.microsoft.com/fwlink/?linkid=2202043)\|Better Mobile Security Inc.\|Provides solution for Threat, Phishing and Privacy Protection and Simulation.\| +\|[Corrata Mobile Security](https://go.microsoft.com/fwlink/?linkid=2201879)\|Corrata\|Corrata is an immune system for mobile devices and tablets that detects & protects mobile devices from the full spectrum of security threats like phishing, malware, man-in-the-middle attacks, and data loss.\| +\|[Better Mobile Security Platform](https://go.microsoft.com/fwlink/?linkid=2202043)\|Better Mobile Security Inc.\|Provides solution for Threat, Phishing, and Privacy Protection and Simulation.\| \|[Zimperium Mobile Threat Defense](https://go.microsoft.com/fwlink/?linkid=2202141)\|Zimperuim\|Extends your Microsoft Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense.\| \|[Bitdefender](https://go.microsoft.com/fwlink/?linkid=2201968)\|Bitdefender\|Bitdefender GravityZone is a layered next generation endpoint protection platform offering comprehensive protection against the full spectrum of sophisticated cyber threats.\| The following are the solution's categories: \|[ServiceNow](https://go.microsoft.com/fwlink/?linkid=2201769)\|ServiceNow\|ServiceNow provides cloud-based solutions that define, structure, manage, and automate services for enterprise operations.\| \|[Slack](https://go.microsoft.com/fwlink/?linkid=2201870)\|Slack\|Slack is an enterprise software platform that allows teams and businesses of all sizes to communicate effectively.\| \|[SmartSheet](https://go.microsoft.com/fwlink/?linkid=2201871)\|SmartSheet\|Smartsheet is a cloud-based work management platform that empowers collaboration, drives better decision making, and accelerates innovation.\| -\|[Webex](https://go.microsoft.com/fwlink/?linkid=2201872)\|Cisco\|Webex, a Cisco company, provides on-demand applications for businesses to conduct web conferencing, telework and application remote control.\| +\|[Webex](https://go.microsoft.com/fwlink/?linkid=2201872)\|Cisco\|Webex, a Cisco company, provides on-demand applications for businesses to conduct web conferencing, telework, and application remote control.\| \|[Workday](https://go.microsoft.com/fwlink/?linkid=2201960)\|Workday\|Workday offers enterprise-level software solutions for human resource and financial management.\| \|[Zendesk](https://go.microsoft.com/fwlink/?linkid=2201961)\|Zendesk\|Zendesk is a customer service platform that develops software to empower organization and customer relationships.\| The following are the solution's categories: \|Product name\|Vendor\|Description\| \|\|\|\| \|[Attack Path Management](https://go.microsoft.com/fwlink/?linkid=2201774)\|XM Cyber\|Hybrid cloud security company providing attack path management changing the ways organizations approach cyber risk.\| -\|[Corrata Mobile Security](https://go.microsoft.com/fwlink/?linkid=2201879)\|Corrata\|Corrata is an immune system for mobile devices and tablets that detects & protects mobile devices from the full spectrum of security threats like phishing, malware, man-in-the-middle attacks and data loss.\| +\|[Corrata Mobile Security](https://go.microsoft.com/fwlink/?linkid=2201879)\|Corrata\|Corrata is an immune system for mobile devices and tablets that detects & protects mobile devices from the full spectrum of security threats like phishing, malware, man-in-the-middle attacks, and data loss.\| \|[Zimperium Mobile Threat Defense](https://go.microsoft.com/fwlink/?linkid=2202141)\|Zimperuim\|Extend your Microsoft Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense.\| \|[RiskAnalyzer](https://go.microsoft.com/fwlink/?linkid=2202245)\|DeepSurface Security\|DeepSurface RiskAnalyzer helps quickly and efficiently discover, analyze and prioritize cybersecurity risk.\| \|[Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2201965)\|Skybox security\|Global security posture management leader with solutions for vulnerability management and network security policy management.\|
security	Threat Analytics Analyst Reports	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-analytics-analyst-reports.md	Title: Understand the analyst report section in threat analytics. description: How the report section of threat analytics reports provides information about threats, mitigation, detections, advanced hunting queries, and more. -keywords: analyst report, threat analytics, detections, advanced hunting queries, mitigations, -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Threat Analytics	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-analytics.md	Title: Track and respond to emerging threats with Microsoft Defender for Endpoint threat analytics description: Understand emerging threats and attack techniques and how to stop them. Assess their impact to your organization and evaluate your organizational resilience. -keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Threat Indicator Concepts	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-indicator-concepts.md	Title: Understand threat intelligence concepts in Microsoft Defender for Endpoint description: Create custom threat alerts for your organization and learn the concepts around threat intelligence in Microsoft Defender for Endpoint -keywords: threat intelligence, alert definitions, indicators of compromise, ioc -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	Threat Protection Integration	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-integration.md	Title: Integrate Microsoft Defender for Endpoint with other Microsoft solutions description: Learn how Microsoft Defender for Endpoint integrates with other Microsoft solutions, including Microsoft Defender for Identity and Microsoft Defender for Cloud.--++ -keywords: Microsoft Defender XDR, conditional access, office, Microsoft Defender for Endpoint, microsoft defender for identity, microsoft defender for office, Microsoft Defender for Cloud, microsoft cloud app security, azure sentinel -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
security	User Roles	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/user-roles.md	Title: Create and manage roles for role-based access control description: Create roles and define the permissions assigned to the role as part of the role-based access control implementation in the Microsoft Defender XDR -ms.pagetype: security ms.localizationpriority: medium
security	Create Custom Rbac Roles	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/create-custom-rbac-roles.md	The following steps guide you on how to create custom roles in Microsoft Defende - Select all read and manage permissions ΓÇô Users will be assigned all permissions in this category (read and manage permissions). - Select custom permissions ΓÇô Users will be assigned the custom permissions selected. - :::image type="content" source="../../media/defender/m365-defender-rbac-permissions-secops-flyout.png" alt-text="Screenshot of the permissions flyout screen" lightbox="../../media/defender/m365-defender-rbac-permissions-secops-flyout.png"::: + :::image type="content" source="../../media/defender/m365-defender-rbac-assignments-fig.png" alt-text="Screenshot of the permissions flyout screen" lightbox="../../media/defender/m365-defender-rbac-assignments-fig.png"::: For more information on the RBAC custom permissions, see [About RBAC custom permissions](custom-permissions-details.md).
security	Custom Permissions Details	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-permissions-details.md	Permissions for managing day-to-day operations and responding to incidents and a \|Basic live response\|Manage\|Initiate a live response session, download files, and perform read-only actions on devices remotely.\| \|Advanced live response\|Manage\|Create live response sessions and perform advanced actions, including uploading files and running scripts on devices remotely.\| \|File collection\|Manage\|Collect or download relevant files for analysis, including executable files.\| -\|Email quarantine\|Manage\|View and release email from quarantine.\| -\|Email advanced actions\|Manage\|Move or Delete email to the junk email folder, deleted items or inbox, including soft and hard delete of email.\| +\|Email & collaboration quarantine\|Manage\|View and release email from quarantine.\| +\|Email & collaboration advanced actions\|Manage\|Move or Delete email to the junk email folder, deleted items or inbox, including soft and hard delete of email.\| ### Security operations ΓÇô Raw data (Email & collaboration) \|Permission name\|Level\|Description\| \|\|\|\|\| -\|Email message headers\|Read\|View email and collaboration data in a hunting scenarios, including advanced hunting, threat explorer, campaigns, and email entity.\| -\|Email content\|Read\|View and download email content and attachments.\| +\|Email & collaboration metadata\|Read\|View email and collaboration data in a hunting scenarios, including advanced hunting, threat explorer, campaigns, and email entity.\| +\|Email & collaboration content\|Read\|View and download email content and attachments.\| ### Security posture ΓÇô Posture management
security	Whats New	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md	You can also get product updates and important notifications through the [messag ## February 2024 +- (GA) Assigning severity to incidents and the *go hunt* option from the attack story graph are now generally available. Read [assign or change incident severity](manage-incidents.md#assign-or-change-incident-severity) to learn how to change an incident's severity, and learn how you can use the go hunt option by exploring [attack story](investigate-incidents.md#attack-story). + - (Preview) [Custom detection rules in Microsoft Graph security API](/graph/api/resources/security-api-overview?view=graph-rest-beta&preserve-view=true#custom-detections) are now available. Create advanced hunting custom detection rules specific to your org to proactively monitor for threats and take action. ## January 2024
security	Quarantine Admin Manage Messages Files	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files.md	Watch this short video to learn how to manage quarantined messages as an admin. > [!TIP] > The ability to manage quarantined messages using [Exchange Online permissions](/exchange/permissions-exo/permissions-exo) ended in February 2023 per MC447339. + > + > Guest admins from other organizations can't manage quarantined messages. The admin needs to be in the same organization as the recipients. - Quarantined messages and files are retained for a default period of time based on why they were quarantined. After the retention period expires, the messages are automatically deleted and aren't recoverable. For more information, see [Quarantine retention](quarantine-about.md#quarantine-retention).
topics	Changes Coming To Topics	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/topics/changes-coming-to-topics.md	+ Last updated : 02/20/2024 + Title: Changes coming to Topics ++++ +audience: admin ++ + - m365initiative-viva-topics + - Tier1 ++ +search.appverid: + - MET150 +ms.localizationpriority: medium +description: Learn about changes coming to Topics. ++ +# Changes coming to Topics + +## Viva Topics to be retired on February 22, 2025 + +Viva Topics will be retired on February 22, 2025 and Microsoft won't invest in new feature development for Viva Topics going forward from February 22, 2024. + +With the generational shift in AI technology underway, we're now focusing our strategy and efforts on building new AI-powered knowledge management experiences in [Microsoft Copilot](https://www.microsoft.com/microsoft-365/enterprise/copilot-for-microsoft-365) and other parts of Microsoft 365. To help customers plan, please see [new guidance on the Managing Knowledge page](https://aka.ms/M365KnowledgeManagement) on the Microsoft 365 Adoption Center. + +## How will this affect you? + +After retirement, here are the changes that will occur: + +Topic pages that have been published by users will be standard SharePoint pages. This means that while existing Topic pages will no longer be automatically enhanced by the AI and machine learning algorithms of Viva Topics, users can still edit and publish updates as they would any other SharePoint page. Topic pages that were generated entirely by AI and machine learning algorithms will no longer be available. If you're already using Copilot, your SharePoint pages are already indexed and will be used in responding to usersΓÇÖ questions. + +The Topic Center site where the published Topics pages were stored will be converted to a standard SharePoint site and can be maintained and governed like any other SharePoint site. The knowledge management and analytics around topics will no longer be available. We recommend you use SharePoint to publish and organize knowledge that can be discovered via Microsoft Search and leveraged via Microsoft Copilot across the Microsoft 365 suite. + +The ability for Topics to appear automatically across Microsoft Search, Office apps, Outlook, Teams, and SharePoint modern pages will no longer be available. + +In Viva Engage, topics will return to a simplified public topics model and the integration with Viva Topics will be retired. The ability to hover over a topic pill to view the topic card, the use of AI-discovered Viva Topics, links to the Viva Topics pages, and access to management view of Viva Topics will no longer be available. Users will continue to be able to create topics, add topics to posts, follow topics, and see relevance of feeds by topics they follow, just as they would in the unlicensed experience. Topics will be public to Engage users. [Learn more about this experience.](https://support.microsoft.com/office/use-topics-and-hashtags-in-viva-engage-98c0a0bb-aad0-45d3-88f1-4f6d12bb1772) +
topics	Topics Changes Faq	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/topics/topics-changes-faq.md	+ Last updated : 02/20/2024 + Title: Frequently asked questions about changes coming to Topics ++++ +audience: admin ++ + - m365initiative-viva-topics + - Tier1 ++ +search.appverid: + - MET150 +ms.localizationpriority: medium +description: Get answers to frequently asked questions about changes coming to Topics. ++ +# Frequently asked questions about changes coming to Topics + +## Why is the Topics product being retired? + +As our AI strategy continues to evolve, weΓÇÖll be retiring Viva Topics in February 2025 and will focus our efforts on building AI-powered knowledge experiences in Copilot. Copilot enables people in your organization to discover and learn more about topics, projects, and concepts in a natural and automatic way and is integrated across the Microsoft 365 suite all while requiring minimal setup. + +## How should I invest in knowledge management going forward? + +We recommend you use SharePoint to publish and organize knowledge that can be discovered via Microsoft Search and leveraged via Microsoft Copilot across Microsoft 365. You'll get analytics on these sites and we'll enhance these experiences in the future. [Learn more](https://aka.ms/TopicsAdoptionFeb). + +## When will my Topics license expire? + +While Topics will be available until February 2025, we encourage you to start planning and transitioning away from using the service at your earliest convenience. On expiry, users will no longer see knowledge experiences such as in-line highlights in apps such as Outlook Web or SharePoint and won't be able to hover on these highlights to surface a topic card. Any topics that have been manually inserted by users will no longer appear as a highlight, although the link to the published SharePoint topic page will persist. + +## When will my trial license for Topics expire? + +There's no change in the duration of the trial license. You won't be able to extend these trials. + +## What happens to my Microsoft Graph Connector credits? + +The Topics product came with Graph Connector credits. These credits will expire February 2025. + +## What will happen to Topic Center and topic pages? + +- The existing Topic Center where the Topics data is located will be converted into a normal SharePoint site, capable of being maintained and governed like any other SharePoint site. +- Topic pages that have been published by a user will be converted into standard SharePoint pages. This means that while these pages won't continue to be updated by AI, users can still edit and publish updates as they would any other topic page. +- These SharePoint pages can still appear as results in Microsoft Search results page, according to usersΓÇÖ permissions. They'll appear with a SharePoint page icon. +- AI-suggested and confirmed topics will no longer appear as topic pages. Only topics that appear in the Site Pages library will remain after retirement. + +## Do I need to be concerned about data leakage? + +This change doesn't impact permissions on your content (files, sites, pages, etc.). In Topics, users only see AI-suggested content from files, sites, and pages that they have access to. Once Topics is retired, topic pages that are published will be governed by the permissions of the Topic Center SharePoint site and/or page. Any AI-suggested content that hasn't been touched by a user will be removed. + +## What if I need to remove an inaccurate or outdated topic page? + +Users with the appropriate level of permissions can delete the page from the Site Pages library of the Topic Center SharePoint site. + +## My organization used Topics in Viva Engage (Yammer) prior to acquiring Viva Topics. Will these Topics disappear? + +In Viva Engage, topics will return to a simplified public topics model. Public topics won't disappear from Engage threads. Topic pills will continue to link users to Engage topic pages with all conversations that have that topic attached. Core topics experiences such as adding topics to posts, following topics, and feeds of topics you follow will continue to be available. Users can no longer hover over a topic pill to open the topic card or see AI-suggested Viva Topics. A Topic Management experience will continue until retirement. + +Answers in Viva experiences will also continue to work for anyone with a Viva Suite or Viva Employee Communications and Communities license. + +## My organization uses Answers in Viva. How will the experience change? + +[Answers in Viva](https://support.microsoft.com/topic/answers-in-viva-introduction-e6331234-e044-4009-a0c8-7c519a2cf668) will continue to work without Viva Topics for anyone with Viva Suite or Viva Employee Communications and Communities licenses. Answers won't continue to show topics cards on hover or link to Viva Topics pages in SharePoint, Topic management experiences will continue to be supported. Customers will continue to be able to add topics to posts, click on topics pills to see posts with that topic attached, follow topics, or route the Answers digest through topic following and Answers activity. + +## How should I communicate this change to my users? + +This is a decision that you can make for your organization. There will be no in-product experience to message this change to your users. + +## What actions should Knowledge Managers take in advance of Topics being retired? + +Your organization will need to decide how to take the knowledge organized in Topic Center forward. The published topic pages can be discovered through Microsoft Search and leveraged by Microsoft Copilot across Microsoft 365. + +If you want to keep any AI-suggested topics, you can publish the suggested or confirmed topic, edit the properties and pin the names, types, people, and resources you want to keep. + +You can also prune any inaccurate/unhelpful Topics, by using the Topic Center Manage Topics view to remove the topic and delete the SharePoint page from the Site Pages library. + +## How long will customer support be available for Viva Topics? + +Support continues until Viva Topics is retired in February 2025.