+|[Viva Insights activity](viva-insights-activity.md)|Yes|Yes|N/A|N/A|N/A|

+ Title: "Microsoft 365 Reports in the admin center - Viva Insights activity"

+audience: Admin

+ms.localizationpriority: medium

+- M365-subscription-management

+- Adm_O365

+- Adm_NonTOC

+search.appverid:

+- BCS160

+- MET150

+- MOE150

+- GEA150

+description: "Learn how to get a Microsoft 365 Apps for usage report for Viva Insights activity in the Microsoft 365 Reports dashboard in the Microsoft 365 admin center."

+# Microsoft 365 Reports in the admin center - Viva Insights activity

+As a Microsoft 365 admin, the Reports dashboard shows you the activity overview across various products in your organization. It enables you to drill in to get more granular insight about the activities specific to each product. Check out the activity reports in the Microsoft 365 admin center.

+For example, you can understand the adoption of Viva Insights by looking at the active users. Additionally, you can find a deployment guide to further boost adoption in your organization.

+## How do I get to the to the Viva Insights activity report?

+1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.

+2. Find **Viva Insights activity**.

+## Interpret the Microsoft 365 Apps usage report

+You can get a view into your user's Viva Insights activity by looking at the **Active users chart**. The Viva Insights active user chart can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days.

+> [!div class="mx-imgBorder"]

+> 

+**Active users** are users that have engaged with at least one Viva Insights feature that day. This includes dwelling for more than 20 seconds on any Viva Insight email, clicking or taking an action on any Insights surfacing, or visiting the Viva Insights app in Teams, Outlook add-in, or web dashboards.

+## View the Viva Insights deployment guide

+You can click **Boost adoption of Viva Insights** to view the [Viva Insights Deployment guide](/viva/insights/personal/setup/deployment-guide).

+- admindeeplinkSPO

+When you purchase a Microsoft 365 subscription, a team site is automatically created, and the global admin is set as the primary site collection administrator. Assign the SharePoint admin role to users who you want to access to the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>. Users with the SharePoint admin role can create and manage site collections, designate site collection administrators and manage user profiles. Users with the SharePoint admin role can also manage Microsoft 365 groups and open support requests through Microsoft support. [Learn more](/sharepoint/sharepoint-admin-role)

+- admindeeplinkSPO

+If you don't see the **+ Create** site link, self-service site creation might not be available in Microsoft 365. To create a team site, contact the person administering Microsoft 365 in your organization. If you're a Microsoft 365 admin, see [Manage site creation in SharePoint Online](/sharepoint/manage-site-creation) to enable self-service site creation for your organization or [Manage sites in the new SharePoint admin center](/sharepoint/manage-sites-in-new-admin-center) to create a site from the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>.

+- admindeeplinkSPO

+2. In the SharePoint admin center, go to **Policies** \> <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>.

+- admindeeplinkSPO

+1. In the SharePoint admin center, go to <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>, and sign in with an account that has [admin permissions](/sharepoint/sharepoint-admin-role) for your organization.

+ Title: "Manage custodian communications templates in the Communications library in Advanced eDiscovery"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+search.appverid:

+- MOE150

+- MET150

+ms.assetid:

+description: "You can add custodian communications templates (such as a template for hold notification) in Advanced eDiscovery so they can be used in any case in your organization."

+# Manage custodian communications templates in Advanced eDiscovery

+When you or other users create a hold notification or other types of custodian communications, you had to create the communication document from scratch by using the communications editor on the **Communications** tab in an Advanced eDiscovery case. Now, we've released a new feature that lets you create communications templates that can be used to create communications in any case in your organization. After communication templates are created, they're available to be used in a case. This means that paralegals or other users who create custodian communications don't have to start from scratch to build a notification. Instead, they can select a template to build the notification that is sent to a custodian.

+This article explains how to create organization-wide communications templates and select them when creating a new custodian notification for a specific Advanced eDiscovery case.

+## Before you create templates in the Communications library

+- You must be an eDiscovery Administrator in your organization to add or remove templates in the Communications library in Advanced eDiscovery. For more information, see [Assign eDiscovery permissions in the Microsoft 365 compliance center](assign-ediscovery-permissions.md)

+- Your organization can have a maximum of 50 templates in the Communications library.

+## Create a communications template

+1. In the Microsoft 365 compliance center, go to [Advanced eDiscovery](https://go.microsoft.com/fwlink/p/?linkid=2173764), and then click **Advanced eDiscovery settings**.

+ 

+2. On the **Settings** page, select the **Communications library** tab.

+3. On the **Communications library** page, click **Create**.

+4. Follow the procedure to create a custodian communication. For step-by-step instructions, see [Create a legal hold notification](create-hold-notification.md).

+ > [!NOTE]

+ > The steps to create a communications template are the same as the workflow to create a notification within a case. The only difference is that when you create a template, you don't specify an issuing officer and you don't assign custodians. Specifying an issuing officer and assigning custodians is done when you use a communications template to create a custodian notification for a case.

+5. After you create a template, it's displayed on the **Communications library** page.

+ 

+You or other eDiscovery Administrators can edit a communications template. Any changes that you make to a template don't affect or modify any notifications that were previously created using that template. These changes will only apply to new notifications that created using the updated template.

+## Use a communications template to create a custodian notification

+After one or more communications templates are created in the Communications library, these templates can be selected to create a custodian notification in a case.

+To select a template:

+1. In the Microsoft 365 compliance center, go to **eDiscovery > Advanced** to display the list of cases in your organization.

+2. Select a case, click the **Communications** tab, and then click **New communication**.

+3. On the **Name communication** page, use the **Select communication template** drop-down list to select a communications template to use to create the custodian notification.

+ The list of templates in your organization's Communication library is displayed in the drop-down list.

+ 

+ Title: "Manage issuing officers in Advanced eDiscovery"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+search.appverid:

+- MOE150

+- MET150

+ms.assetid:

+description: "You can add organization-wide issuing officers in Advanced eDiscovery so they can be added to any custodial communication in any case in your organization."

+# Manage issuing officers in Advanced eDiscovery

+When you or others create a hold notification or other type of communication that is sent to a user who is a custodian in case, you have to specify an issuing officer. The notification is sent to the custodian on behalf of the specified issuing officer. For example, a paralegal in your organization might be responsible for creating and sending hold notifications to custodians in a case. In this scenario, the paralegal can specify an attorney in the organization as the issuing officer. Who can be specified as an issuing officer? There are two types of users who can be selected as an issuing officer for a custodian communication:

+- Any member of the specific case the communication is being sent in behalf of.

+- Any user who is added to a list of organization-wide issuing officers. Users from this list can be added an issuing officer to any case in your organization.

+This article explains how to add and remove users to the list of organization-wide issuing officers.

+## Before you add an issuing officer

+- You must be an eDiscovery Administrator in your organization to add or remove issuing officers. For more information, see [Assign eDiscovery permissions in the Microsoft 365 compliance center](assign-ediscovery-permissions.md)

+- The user who is added as an issuing officer must have an active mailbox in your Microsoft 365 organization.

+- Your organization can have a maximum of 15 issuing officers. Members of a case who can be specified as an issuing officer aren't counted toward this limit. This limit only applies to the number of users that can be added to the **Issuing officers** page in Advanced eDiscovery.

+## Add an issuing officer

+1. In the Microsoft 365 compliance center, go to [Advanced eDiscovery](https://go.microsoft.com/fwlink/p/?linkid=2173764), and then click **Advanced eDiscovery settings**.

+ 

+2. On the **Settings** page, select the **Issuing officers** tab to display the **Manage issuing officers** page.

+ 

+3. Click **Add** and then search for and add one or more users to the list of issuing officers.

+After you add users as issuing officers, you or other users will be able to specify these users as an issuing officer for custodian communications for any case in your organization. For more information about creating custodian communications, see [Create a legal hold notice](create-hold-notification.md).

+## Remove an issuing officer

+1. In the Microsoft 365 compliance center, go to [Advanced eDiscovery](https://go.microsoft.com/fwlink/p/?linkid=2173764), and then click **Advanced eDiscovery settings**.

+2. On the **Settings** page, select the **Issuing officers** tab.

+3. Select one or more users in the issuing officers list, and then click **Delete**.

+After you delete users from the list of issuing officers, those users can no longer be specified as an issuing officer in new custodian communications, unless the user is a member of the specific case the communication is being issued from. Also, removing an issuing officer won't affect any communications that were sent before the user was removed as an issuing officer.

+- The user who creates the BlackBerry DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Bloomberg DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Cisco Jabber DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the FactSet DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Fuze DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the FX Connect DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the ICE DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the InvestEdge DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the LivePerson Conversational Cloud DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Quip DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Refinitiv Eikon Messenger DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the ServiceNow DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Skype for Business Server DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Slack DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the SQL DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Symphony DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Cisco Webex DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Zoom DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Android Archiver connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a AT&T Network connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Bell Network connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Bloomberg Message connector in Step 3 (and who downloads the public keys and IP address in Step 1) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the CellTrust connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Cisco Jabber connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Cisco Jabber on Oracle connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Cisco Jabber on PostgreSQL connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the CellTrust SL2 data connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the EML connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Enterprise Number Archiver connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who sets up the custom connector in the Microsoft 365 compliance center (in Step 5) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the FX Connect connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The admin who creates the ICE Chat connector in Step 3 (and who downloads the public keys and IP address in Step 1) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates an Instant Bloomberg connector in Step 3 (and who downloads the public keys and IP address in Step 1) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Jive connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a LinkedIn Company Page connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the MS SQL Database Importer connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates an O2 Network connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Pivot connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Redtail Speak Importer connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Reuters Dealing connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Reuters Eikon connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Reuters FX connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the RingCentral connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Rogers Network Archiver connector in Step 3 must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Salesforce Chatter connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the ServiceNow connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Signal Archiver connector in Step 3 must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Skype for Business connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- Obtain the username and password for your organization's Slack enterprise account. You use these credentials to sign into this account when you create the data connector. It's also recommended that you have automated user provisioning in your Slack organization configured to use single sign-on (SSO). [Roles in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center)

+- The user who creates the Slack eDiscovery connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Slack eDiscovery connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Symphony connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Telegram Archiver connector in Step 3 must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a TELUS Network connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the text-delimited connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who sets up the Twitter connector in the Microsoft 365 compliance center (in Step 5) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the YouTube connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Verizon Network connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Webex Teams connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Webpage Capture connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a WeChat Archiver connector in the Microsoft 365 compliance center must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Verizon Network connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Workplace from Facebook connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the XIP connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the XSLT/XML connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Yieldbroker connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the YouTube connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Zoom Meetings connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- admindeeplinkCOMPLIANCE

+- admindeeplinkSPO

+In the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>, open the Search configuration, and select **Manage Search Schema** to view and configure the crawled properties.

+For the KQL query to automatically apply the correct retention label to product document content, we map the crawled properties **ows\_Doc\_x0020\_Type* and *ows\_\_Status** to two refinable managed properties. In our test environment for this scenario, **RefinableString00** and **RefinableString01** aren't being used. We determined this by looking at **Managed Properties** in **Manage Search Schema** in the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>.

+- A query-based hold initially preserves all documents in a site for a short period of time after they're deleted. That means when a document is deleted, it will be moved to the Preservation Hold library even if it doesn't match the criteria of the query-based hold. However, deleted documents that don't match a query-based hold will be removed by a timer job that processes the Preservation Hold library. The timer job runs periodically and compares all documents in the Preservation Hold library to your query-based eDiscovery holds (and other types of holds and retention policies). The timer job deletes the documents that don't match a query-based hold and preserves the documents that do.

+- Query-based holds shouldn't be used to perform targeted preservation, like preserving documents in a specific folder or site or by using other location-based hold criteria. Doing so may have unintended results. We recommend using non-location based hold criteria such as keywords, date ranges, or other document properties to preserve site documents.

+- If an Exchange mailbox, SharePoint site, or OneDrive account is moved to a different region in a multi-geo environment, the statistics for that site won't be included in the hold statistics. But the content in those locations will still be preserved. Also, if a mailbox or site is moved to a different region, the SMTP address or URL that's displayed in the hold won't automatically be updated. You'll have to edit the hold and update the URL or SMTP address so the content locations are once again included in the hold statistics

+ |Maximum number of eDiscovery hold policies for an organization. This limit includes the combined total of hold policies in Core eDiscovery and Advanced eDiscovery cases. <br/> |10,000¹ <br/> |

+ |Maximum number of cases displayed on the eDiscovery home page, and the maximum number of items displayed on the Holds, Searches, and Export tabs within a case. |1,000²|

+ > ¹ When you put more than 1,000 mailboxes or 100 sites on hold in a single hold policy, the system will automatically scale the hold as needed. This means the system will automatically add data locations to multiple hold policies, instead of adding them to a single hold policy. However, the limit of 10,000 case hold policies per organization still applies.

+ >

+ > ² To view a list of more than 1,000 cases, holds, searches, or exports, you can use the corresponding Security & Compliance PowerShell cmdlet:

+

+3. On the **Name communication** page, specify the following communication settings.

+ - **Issuing officer**: The drop-down list displays users in your organization who can be selected as the issuing officer for the communication. Each communication sent to custodians will be sent on behalf of the selected issuing officer. The list of users in the drop-down consists of the members of the case and the organization-wide issuing officers. These issuing officers are added by an eDiscovery Administrator, and are available in all Advanced eDiscovery cases in your organization. For more information, see [Manage issuing officers](advanced-ediscovery-issuing-officers.md).

+ - **Select communication template**: The drop-down list displays the templates from the Communications library on the Advanced eDiscovery settings page. If you select a template, it will be displayed on the **Define portal content** as a starting point for the text of the notification that you're creating. If you don't select a template, then you'll have to create the notice yourself from scratch. For more information about communication templates, see [Manage custodian communications templates](advanced-ediscovery-communications-library.md).

+Next, you can create and add the content of the hold notice. On the **Define portal content** page in the **Create communication** wizard, specify the contents of the hold notice. This content will be automatically appended to the Issuance, Re-Issue, Reminder, and Escalation notices. Additionally, this content will appear in the custodian's Compliance Portal. If you selected a template from the Communications library, it will be displayed and provide a starting point for the notice you're creating.

+

+1. Type (or cut and paste from another document) your hold notice in the textbox for the portal content. If you selected a communications template on the previous wizard page, the template is displayed. You can edit the template content as necessary.

+As the case progresses, custodians may be required to preserve additional or less data than was previously instructed. After you update the portal content, the reissuance notification is sent and alerts custodians about any changes to their preservation obligations.

+To create a reissuance notification:

+4. Specify the contents or additional instructions that you would like to provide to the custodian (required). The portal content you defined in Step 2 is added to the end of the reissuance notice.

+After a matter is resolved or if a custodian is no longer subject to preserve content, you can release the custodian from a case. If the custodian was previously issued a hold notice, the release notification can be used to alert custodians that they've been released from their obligation.

+

+After you've finalized the content for notifications, select the custodians that you would like to send notifications to.

+

+|Reissuance notices|Updating the portal content on the **Define Portal Content** page in the **Edit communication** wizard.|

+|Teams chat and channel messages |account or distribution group |

+|Use sensitivity labels to configure the default sharing link type for sites and individual documents in SharePoint and OneDrive |[Use sensitivity labels to set the default sharing link for sites and documents in SharePoint and OneDrive](sensitivity-labels-default-sharing-link.md)|

+- The user who creates the Epic connector in Step 3 must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Healthcare connector in Step 3 must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the HR connector in Step 3 must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the HR connector in Step 3 must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the physical badging connector in Step 3 must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+| 2|Label and protect items for Microsoft 365 apps and services. <br /><br />Sensitivity labels are supported for Microsoft 365 Word, Excel, PowerPoint, Outlook, and containers that include SharePoint and OneDrive sites, and Microsoft 365 groups. Use a combination of labeling methods such as manual labeling, automatic labeling, a default label, and mandatory labeling.| [Manage sensitivity labels in Office apps](sensitivity-labels-office-apps.md) <br /><br /> [Enable sensitivity labels for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md) <br /><br /> [Enable co-authoring for files encrypted with sensitivity labels](sensitivity-labels-coauthoring.md) <br /><br /> [Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /><br /> [Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites](sensitivity-labels-teams-groups-sites.md) <br /><br /> [Use sensitivity labels to set the default sharing link for sites and documents in SharePoint and OneDrive](sensitivity-labels-default-sharing-link.md) <br /><br /> [Apply a sensitivity label to a model in Microsoft SharePoint Syntex](/microsoft-365/contentunderstanding/apply-a-sensitivity-label-to-a-model) <br /><br /> [Sensitivity labels in Power BI](/power-bi/admin/service-security-sensitivity-label-overview) |

+|Maximum number of unique tags per case. <br/> |1,000¹ |

+|Maximum concurrent jobs in your organization to add content to a review set. These jobs are named **Adding data to a review set** and are displayed on the **Jobs** tab in a case.| 10² |

+|Maximum number of hold policies for an organization. This limit includes the combined total of hold policies in Core eDiscovery and Advanced eDiscovery cases. <br/> |10,000³ <br/> |

+|Maximum number of characters extracted from a single file. <br/> |10 million⁴ <br/> |

+|Maximum size of a single file. <br/> |150 MB⁴ <br/> |

+|Maximum depth of embedded items in a document. <br/> |25⁴ <br/> |

+|Maximum size of files processed by Optical Character Recognition (OCR). <br/> |24 MB⁴ <br/>

+|Maximum number of characters for a search query (including operators and conditions). |10,000⁵|

+|Maximum number of characters for a search query for SharePoint and OneDrive for Business sites (including operators and conditions). |10,000<br>4,000 with Wildcards⁵|

+|Maximum variants returned when using prefix wildcard to search for an exact phrase or when using a prefix wildcard and the **NEAR** Boolean operator. |10,000⁶|

+|Total file size or maximum number of documents downloaded from a review set. <br/> |3 MB or 50 documents⁷|

+## Notes

+> ¹ This is the maximum number of tags that you can create in a case. This limit isn't related to the number of documents that can be tagged.

+> ² This limit is shared with exporting content in other eDiscovery tools. This means that concurrent exports in Content search and Core eDiscovery (and adding content to review sets in Advanced eDiscovery) are all applied against this limit.

+>

+> ³ When you put more than 1,000 mailboxes or 100 sites on hold in a single hold policy, the system will automatically scale the hold as needed. This means the system will automatically add data locations to multiple hold policies, instead of adding them to a single hold policy. However, the limit of 10,000 case hold policies per organization still applies.

+>

+> ⁴ Any item that exceeds a single file limit will show up as a processing error.

+>

+> ⁵ When searching SharePoint and OneDrive for Business locations, the characters in the URLs of the sites being searched count against this limit. The total number of characters consists of:<br>

+> ⁶ For non-phrase queries (a keyword value that doesn't use double quotation marks) we use a special prefix index. This tells us that a word occurs in a document, but not where it occurs in the document. To do a phrase query (a keyword value with double quotation marks), we need to compare the position within the document for the words in the phrase. This means that we can't use the prefix index for phrase queries. In this case, we internally expand the query with all possible words that the prefix expands to; for example, **time\*** can expand to **"time OR timer OR times OR timex OR timeboxed OR ΓǪ"**. The limit of 10,000 is the maximum number of variants the word can expand to, not the number of documents matching the query. There is no upper limit for non-phrase terms.

+> ⁷ This limit applies to downloading selected documents from a review set. It doesn't apply to exporting documents from a review set. For more information about downloading and exporting documents, see [Export case data in Advanced eDiscovery](exporting-data-ediscover20.md).

+- admindeeplinkSPO

+Before you can use a Windows Server FCI property or other property in a DLP policy, you need to create a managed property in the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>. Here's why.

+2. In the left navigation, choose **Admin centers** \> **SharePoint**. You're now in the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>.

+These SITs are created by Microsoft show up in the compliance console by default. These SITs cannot be edited, but they can be used as templates and copied to create custom sensitive information types. See, [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md) for a full listing of all SITs.

+Learn more about confidence levels in this short video.

+ Title: "Use sensitivity labels to configure the default sharing link type for sites and documents in SharePoint and OneDrive"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: high

+- M365-security-compliance

+- SPO_Content

+search.appverid:

+- MOE150

+- MET150

+description: "Use sensitivity labels to configure the default sharing link type for sites and documents in SharePoint and OneDrive."

+# Use sensitivity labels to configure the default sharing link type for sites and documents in SharePoint and OneDrive

+>*[Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).*

+As an additional configuration to the settings you see in the Microsoft 365 compliance center for [sensitivity labels](sensitivity-labels.md), you can use these labels to configure settings for the default sharing link type for a SharePoint site or OneDrive account, and for individual documents. These settings are automatically selected, but not highly visible to users when they select the **Share** button in their Office apps. As an example:

+

+The default sharing link type sets the scope (who) and permissions (view or edit) that are automatically selected when users share files and folders. Although users can always override these default settings before sending the sharing link, the settings you choose provide a safe baseline. Typically, users don't change the settings before sharing.

+At the site level (SharePoint site or OneDrive account), sensitivity labels provide a convenient alternative for setting the default sharing link type that can be configured for a site in the SharePoint admin center. For more information, see [Change the default link type for a site](/sharepoint/change-default-sharing-link) from the SharePoint documentation.

+This site-level configuration works well for SharePoint sites that have documents all with the same level of sensitivity. But if sites contain some documents that have a higher level of sensitivity that require more restrictive settings, you can configure a sensitivity label with different settings for the default sharing link type, and then apply this label to documents.

+In this scenario where the site has default sharing link type settings, and a document in that site has different default link type settings, the more restrictive scope settings will be applied at the time the user selects the sharing option for the document. For example:

+- The default sharing link type for the site is scoped to anybody in your organization. A document in that site is labeled with the default sharing link type set to specific people. When a user shares that document, the default sharing link type selected will be scoped to specific people.

+- The default sharing link type for the site is scoped to specific people, with edit permissions. A document in that site is labeled with the default sharing link type set to anybody in the organization, with view permissions. When a user shares that document, the default sharing link type selected will be scoped to specific people with edit permissions.

+Configuring the default link type for documents might also be appropriate without the site-level setting. For example, although SharePoint sites are typically organized to host the same type of documents, that isn't the case for OneDrive accounts. Users typically save a wide range of files to OneDrive, often including a mix of personal and business documents. Setting a default link type for all documents for a user's OneDrive account is probably not practical, but individual documents can still benefit from these settings. For example:

+- Documents labeled **Highly Confidential** have a default sharing link type that restricts sharing to specific people rather than anybody in the organization.

+- Documents labeled **General** have a default sharing link type that restricts sharing to people in your organization.

+- Documents labeled **Personal** have a default sharing link type that allows sharing to anyone with the link.

+## Prerequisites

+To apply the default sharing link type for sites, sensitivity labels must be enabled for containers. If this capability isn't yet enabled for your tenant, see [How to enable sensitivity labels for containers and synchronize labels](sensitivity-labels-teams-groups-sites.md#how-to-enable-sensitivity-labels-for-containers-and-synchronize-labels).

+To apply the default sharing link type for documents in SharePoint and OneDrive, sensitivity labels must be enabled for these services. If this capability isn't yet enabled for your tenant, see [How to enable sensitivity labels for SharePoint and OneDrive (opt-in)](sensitivity-labels-sharepoint-onedrive-files.md#how-to-enable-sensitivity-labels-for-sharepoint-and-onedrive-opt-in).

+In a PowerShell session, you must [connect to Office 365 Security & Compliance Center PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell) to configure the settings for the default sharing link type.

+> [!NOTE]

+> Although not required, it's easiest to first [create and configure sensitivity labels in the Microsoft 365 compliance center](create-sensitivity-labels.md), and then modify these labels with the settings that configure the default sharing link type.

+## How to configure settings for the default sharing link type

+The configuration settings for the default sharing link type use the PowerShell *AdvancedSettings* parameter with the [Set-Label](/powershell/module/exchange/set-label) and [New-Label](/powershell/module/exchange/new-labelpolicy) cmdlets from [Security & Compliance Center PowerShell](/powershell/exchange/scc-powershell):

+- **DefaultSharingScope**: The available values are:

+ - **SpecificPeople**: Sets the default sharing link for the site to the "Specific people" link

+ - **Organization**: Sets the default sharing link for the site to the "organization" link or company shareable link

+ - **Anyone**: Sets the default sharing link for the site to an Anonymous Access or Anyone link

+- **DefaultShareLinkPermission**: The available values are:

+ - **View**: Sets the default link permission for the site to "view" permissions

+ - **Edit**: Sets the default link permission for the site to "edit" permissions

+These two settings and values are the equivalent of the parameters *DefaultSharingScope* and *DefaultShareLinkPermission* from the [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite) cmdlet.

+PowerShell examples, where the sensitivity label GUID is **8faca7b8-8d20-48a3-8ea2-0f96310a848e**:

+- To set the default sharing link type to SpecificPeople:

+

+ ````powershell

+ Set-Label -Identity 8faca7b8-8d20-48a3-8ea2-0f96310a848e -AdvancedSettings @{DefaultSharingScope="SpecificPeople"}

+ ````

+- To set the default sharing link type permissions to Edit:

+

+ ````powershell

+ Set-Label -Identity 8faca7b8-8d20-48a3-8ea2-0f96310a848e -AdvancedSettings @{DefaultShareLinkPermission="Edit"}

+ ````

+To configure the settings for the default sharing link type for a site, the [scope of the sensitivity label](sensitivity-labels.md#label-scopes) must include **Groups & sites** when you create the sensitivity label in the Microsoft 365 compliance center. After it's created, you see this displayed as **Site, UnifiedGroup** in the **Scope** column on the **Labels** page, and the PowerShell *ContentType* setting also displays this same value. For documents, the scope must include **Files & emails**, which displays as **File, Email**. Then:

+- When the scope includes **Groups & sites**, you can apply the label to a site, which sets the default sharing link type for that site. For information how to apply a sensitivity label to a site, see [How to apply sensitivity labels to containers](sensitivity-labels-teams-groups-sites.md#how-to-apply-sensitivity-labels-to-containers).

+- When the scope of the sensitivity label includes **Files & emails**, you can apply the label to documents, which sets the default sharing link type for that document. The label can be applied [manually](https://support.microsoft.com/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9) or [automatically](apply-sensitivity-label-automatically.md).

+> [!TIP]

+> You can also specify that the label is the default sensitivity label to be applied for new sites or new documents, as a [label policy setting](sensitivity-labels.md#what-label-policies-can-do).

+### PowerShell tips for specifying the advanced settings

+Although you can specify the sensitivity label by its name, we recommend using the label GUID to avoid potential confusion over specifying the label name or display name. To find the GUID and confirm the label's scope:

+````powershell

+Get-Label | Format-Table -Property DisplayName, Name, Guid, ContentType

+````

+To remove either of these advanced settings from a sensitivity label, use the same AdvancedSettings parameter syntax, but specify a null string value. For example:

+````powershell

+Set-Label -Identity 8faca7b8-8d20-48a3-8ea2-0f96310a848e -AdvancedSettings @{DefaultSharingScope=""}

+````

+This auditing information is visually represented in [content explorer](data-classification-content-explorer.md) and [activity explorer](data-classification-activity-explorer.md) to help you understand how your sensitivity labels are being used and where this labeled content is located.

+You can also create custom reports with your choice of security information and event management (SIEM) software when you [export and configure the audit log records](export-view-audit-log-records.md). For larger-scale reporting solutions, see the [Office 365 Management Activity API reference](/office/office-365-management-api/office-365-management-activity-api-reference).

+> [!TIP]

+> To help create custom reports, see the following blog posts:

+> - [Microsoft 365 Compliance audit log activities via O365 Management API - Part 1](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-365-compliance-audit-log-activities-via-o365/ba-p/2957171)

+> - [Microsoft 365 Compliance audit log activities via O365 Management API - Part 2](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-365-compliance-audit-log-activities-via-o365/ba-p/2957297)

+- SharePoint and OneDrive can't process some files that are labeled and encrypted from Office desktop apps when these files contain PowerQuery data, data stored by custom add-ins, or custom XML parts such as Cover Page Properties, content type schemas, custom Document Information Panel, and Custom XSN. This limitation also applies to files that include a [bibliography](https://support.microsoft.com/en-us/office/create-a-bibliography-citations-and-references-17686589-4824-4940-9c69-342c289fa2a5), and a [Document ID](https://support.microsoft.com/office/enable-and-configure-unique-document-ids-ea7fee86-bd6f-4cc8-9365-8086e794c984) added when they are uploaded.

+### Configure settings for the default sharing link type for a site by using PowerShell advanced settings

+In addition to the label settings for sites and groups that you can configure from the compliance center, you can also configure the default sharing link type for a site. Sensitivity labels for documents can also be configured for a default sharing link type. These settings that help to prevent over-sharing are automatically selected when users select the **Share** button in their Office apps.

+For more information and instructions, see [Use sensitivity labels to configure the default sharing link type for sites and documents in SharePoint and OneDrive](sensitivity-labels-default-sharing-link.md).

+To view, sort, and search the applied sensitivity labels, use <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a> in the new SharePoint admin center. You might need to first add the **Sensitivity** column:

+- **Set the default sharing link type** for SharePoint sites and individual documents. To help prevent users oversharing, set the [default scope and permissions](sensitivity-labels-default-sharing-link.md) for when users share documents from SharePoint and OneDrive.

+- seo-marvel-apr2020

+- admindeeplinkSPO

+3. In the left pane, choose **Admin centers** \> <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>.

+2. Select your EDM SIT from the list and then select **Test** in the flyout pane. This option is only present under sensitive information types.

+3. Upload an item that contains data you want to detect. For example, create an item that contains a subset of the rows in your sensitive information table. If you used the configurable match feature in your schema to define ignored delimiters, make sure the item includes examples with and without those delimiters.

+5. If the **Test** function in the SIT detects a match, validate that it isn't trimming it or extracting it incorrectly. For example by extracting only a substring of the full string it's supposed to detect, or picking up only the first word in a multi-word string, or including extra symbols or characters in the extraction. See [Regular Expression Language - Quick Reference](/dotnet/standard/base-types/regular-expression-language-quick-reference) for the regular expression language reference.

+To force re-crawling of existing content in a SharePoint site or library or in OneDrive, follow the instructions in [Manually request crawling and reindexing of a site, a library or a list](/sharepoint/crawl-site-content).

+1. Add some content that will trigger the EDM SIT and some content that won't trigger the EDM SIT to a location that your policy is monitoring.

+- [Auto-labeling policies](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-for-office-apps)

+If you don't find any matches, here are some troubleshooting tips.

+|Issue |Troubleshooting tip |

+|||

+|No matches found | Confirm that your sensitive data was uploaded correctly using the commands explained in [Hash and upload the sensitive information source table for exact data match sensitive information types](sit-get-started-exact-data-match-hash-upload.md#hash-and-upload-the-sensitive-information-source-table-for-exact-data-match-sensitive-information-types)|

+|No matches found | Test the SIT you used when you configured the primary element in each of your patterns. This will confirm that the SIT is able to match the examples in the item. Using an incorrectly defined SIT as the classification element of an EDM Sensitive information type is the most common cause for detection failures in EDM. |

+|The SIT you selected for a primary element in the EDM type doesn't find a match in the item or finds fewer matches than you expected | Check that it supports the separators and delimiters that are in the content. Be sure to include the ignored delimiters defined in your schema. |

+|The primary element SIT finds matches in an item, but the EDM SIT doesn't. | - Check your REGEX statements for starting or ending a capturing whitespace delimiter, like /s. The whitespace won't match the hashed value in the data table. Use a word delimiter like /b instead. </br> - Check your REGEX statements to ensure that they capture the whole string you want to capture, not just a substring. For example, this pattern for email addresses [a-zA-Z]{30}@[a-zA-Z]{20}.[a-zA-Z]{2,3} will match *user@contoso.com* and *user@contoso.co.jp*. |

+|An EDM SIT with primary elements and no secondary elements defined detects items, but doesn't detect, or detects fewer than expected, when primary and secondary elements are required. | Make sure values for secondary evidence are composed of a single word or string that doesn't contain spaces or use REGEX statements that detect multi-word strings. For example, \b[A-Z][a-z]{1,25}([ -][A-Z][a-z]{1,25}){0,4}\b, which will match any sequence of one to five consecutive words that start with an uppercase character. Use this SIT as the classification element for the additional evidence conditions in your EDM sensitive info type XML. See [Create a rule package manually](sit-get-started-exact-data-match-create-rule-package.md#create-a-rule-package-manually)|

+|SIT test function doesn't detect any matches at all. | Check if the SIT you selected includes requirements for additional keywords or other validations. For the built-in SITs, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md#sensitive-information-type-entity-definitions) to verify what the minimum requirements are for matching each type. |

+|The Test functionality works but your SharePoint or OneDrive items aren't being detected in DLP or auto-labeling rules | Check if the documents you would expect to match show up in Content Explorer. If they aren't there, remember that only content created after the changes to the sensitive information type will show as matches. You have to recrawl the sites and libraries for pre-existing items to show up. See [Manually request crawling and reindexing of a site, a library or a list](/sharepoint/crawl-site-content) for details on recrawling SharePoint and OneDrive. |

+|DLP or auto-labeling rules that require multiple matches don't trigger |Check that the proximity requirements for both your EDM type and the base sensitive information types are met. For example, if the maximum distance of between the primary element and supporting keywords is 300 characters, but the keywords are only present in the first row of a long table, only the first few rows of matching values are likely to meet the proximity requirements. Modify your SIT definitions to support more relaxed proximity rules or use the anywhere in the document option for the additional evidence conditions. |

+|Detection of an EDM type is inconsistent or erratic |Check that the sensitive information type you used as the base for the primary element in your EDM type isn't detecting unnecessary content. Using a SIT that matches too much unrelated content, like any word, any number, or all email addresses, might cause the service to saturate and ignore relevant matches. Check the number of content pieces that match the sensitive type you used for your primary elements in content explorer. </br> To estimate if the SIT is matching too much content: </br> - Dividing the number of content items in Content Explorer by the number of days since the sensitive type was created. </br> - If the number of matches per day is in the range of hundreds of thousands or millions, it's possible that the primary SIT is too broad. See [Learn about exact data match based sensitive information types](sit-learn-about-exact-data-match-based-sits.md#learn-about-exact-data-match-based-sensitive-information-types) for recommendations and best practices on selecting the right sensitive information type for an EDM type. |

+- seo-marvel-apr2020

+- admindeeplinkSPO

+- **Name of your SharePoint domain:** The script prompts you to enter this name so it can connect to the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>. It also uses the domain name for the OneDrive URLs in your organization. For example, if the URL for your admin center is `https://contoso-admin.sharepoint.com` and the URL for OneDrive is `https://contoso-my.sharepoint.com`, then you would enter `contoso` when the script prompts you for your domain name.

+- Container labels now support [default sharing link settings by using PowerShell advanced settings](sensitivity-labels-teams-groups-sites.md#configure-settings-for-the-default-sharing-link-type-for-a-site-by-using-powershell-advanced-settings).

+Select **Advanced settings** if you want to map this model to an existing enterprise content type in the SharePoint <a href="https://go.microsoft.com/fwlink/?linkid=2185074" target="_blank">Content type gallery</a> to use its schema. Enterprise content types are stored in the Content Type Hub in the SharePoint admin center and are syndicated to all sites in the tenant. Note that while you can use an existing content type to leverage its schema to help with identification and classification, you still need to train your model to extract information from files it identifies.</br>

+1. On the Microsoft 365 admin center, go to the <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">SharePoint admin center > **Active sites**</a>.

+After you create a content center site, you will see it listed on <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a> in the SharePoint admin center.

+4. When you create a form processing model, you create a new SharePoint content type. A SharePoint content type represents a category of documents that have common characteristics and share a collection of columns or metadata properties for that particular content. SharePoint content types are managed through the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>.

+ 1. In the <a href="https://go.microsoft.com/fwlink/?linkid=2185074" target="_blank">Content type gallery</a>, choose whether to create a new content type or to use an existing one.

+1. In the SharePoint admin center, expand **Content services**, and then select <a href="https://go.microsoft.com/fwlink/?linkid=2185073" target="_blank">**Term store**</a>.

+Term sets are configured in the Managed Metadata services (MMS) term store in the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>. In the example below, the *Contract Services* [term set](/sharepoint/managed-metadata#term-set) is configured to include several terms, including *Creative*. The details for it show that the term has three synonyms (*Design*, *Graphics*, and *Topography*) and the synonyms should be translated to *Creative*.

+1. In the SharePoint admin center, expand **Content services**, and then select <a href="https://go.microsoft.com/fwlink/?linkid=2185074" target="_blank">**Content type gallery**</a>.

+- admindeeplinkMAC

+You can access reports for <a href="https://go.microsoft.com/fwlink/?linkid=2185073" target="_blank">Term store</a> in the SharePoint admin center. This feature requires a [SharePoint Syntex](index.md) license.

+- seo-marvel-apr2020

+- admindeeplinkSPO

+The SharePoint admin center has a <a href="https://go.microsoft.com/fwlink/?linkid=2185076" target="_blank">**Geo locations** tab</a> in the left navigation that features a geo locations map where you can view and manage your geo locations. Use this page to add or delete geo locations for your tenant.

+- seo-marvel-mar2020

+- admindeeplinkSPO

+If you no longer need a satellite location, you can delete it from your tenant from the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>.

+1. Open the SharePoint admin center, and go to the <a href="https://go.microsoft.com/fwlink/?linkid=2185076" target="_blank">**Geo locations** tab</a>.

+1. On the map, select the geo location that you want to delete.

+1. Select **Delete location**.

+1. Confirm the deletion by selecting the confirmation check boxes.

+1. Select **Delete**.

+- admindeeplinkSPO

+3. On the new **SharePoint admin center** tab, select **Policies** > <a href="https://go.microsoft.com/fwlink/?linkid=2185071" target="_blank">**Access control**</a>.

+4. Select **Apps that don't support modern authentication**, select **Block access**, and then select **Save**.

+1. From the SharePoint admin center, select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>, and then select the URL of the site.

+2. On the site page, select <a href="https://go.microsoft.com/fwlink/?linkid=2185072" target="_blank">**Settings**</a> (located in the upper right-hand corner of the page), and then select **Site permissions**.

+ Title: "External recipients service alerts"

+audience: Admin

+ms.localizationpriority: medium

+search.appverid:

+- MET150

+- Ent_O365

+- Strat_O365_Enterprise

+- admindeeplinkMAC

+- admindeeplinkEXCHANGE

+f1.keywords:

+- NOCSH

+description: "Use external recipients service alerts to monitor mailboxes on hold that are reaching their mailbox quota."

+# Service alerts for messages pending delivery to external recipients in Exchange Online monitoring

+The service alerts inform admins of mail queuing to external recipients outside of Exchange Online. These alerts may require remediation actions that are outside of Microsoft, but they can provide you with information needed to remediate.

+These service alerts are displayed in the Microsoft 365 admin center. To view these service alerts, go to **Health** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842900" target="_blank">**Service health**</a> > **Exchange Online** and then click the **Active issues** tab. The name for these service alerts is "Message Queueing to External Recipients Above Thresholds".

+

+When you double-click the service alert, a flyout page similar to the following is displayed.

+

+## What do these service alerts indicate?

+The service alerts for messages pending delivery to external recipients informs you that messages destined to recipients outside of Exchange Online may be delayed. The queueing of messages may be caused by your on-premises environment or a third-party messaging or journaling solution.

+Here are some common reasons for queueing messages to external recipients. However, the issues causing these service alerts may not be limited to these reasons.

+- DNS changes

+- Excessive sending rates

+- On-premises Message Transfer Agents (MTA) or journaling solutions with low to no free disk space

+- MTAs in backpressure

+- Network issues, including load balancers

+- Certificate issues

+Each service alert contains high-level recommendations for remediating the issue. The service alert also indicates the number of messages queued at the time of alert, the domain where the messages are queued to, and the SMTP error code associated with most of the queued messages.

+For more information for determining the root cause for these service alerts, see [Mail flow intelligence in Exchange Online](../security/office-365-security/mail-flow-intelligence-in-office-365.md). This article also includes suggested actions to fix the root cause.

+> [!NOTE]

+> Microsoft can't account for every SMTP error code provided by third-party vendors. Therefore, admins may be required to investigate errors codes that are specific to their MTA or journaling solutions used by their organization.

+## More information

+If your organization has recently created or changed mail flow connectors in your on-premises or Exchange Online organization, see the following articles for more information.

+- [Configure mail flow using connectors in Exchange Online](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow)

+- [Set up connectors to route mail](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail)

+- [Mail flow best practices](/exchange/mail-flow-best-practices/mail-flow-best-practices)

+- [Mail flow insights in the Security & Compliance Center](/microsoft-365/security/office-365-security/mail-flow-insights-v2)

+- [Queues insight in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-queue-alerts-and-queues#queues-insight-in-the-mail-flow-dashboard)

+- [Trace an email message in Exchange Online](/exchange/monitoring/trace-an-email-message/trace-an-email-message)

+- seo-marvel-apr2020

+- admindeeplinkSPO

+If you need to create a group with a specific PDL, you can do that using from the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a> or through the Exchange Online New-UnifiedGroup Microsoft PowerShell cmdlet. When you do this, both the group mailbox and SharePoint site associated with the group will be provisioned in the specified PDL.

+To create a Microsoft 365 Group with the PDL that you specify, go to the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a> in the geo location where you want to create the group site.

+Management of the Multi-Geo feature is available through the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>. Detailed information can be found in the [corresponding blog post](https://techcommunity.microsoft.com/t5/Office-365-Blog/Now-available-Multi-Geo-in-SharePoint-and-Office-365-Groups/ba-p/263302).

+Setting up and managing your multi-geo environment is done through the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>.

+1. Open the SharePoint admin center. and go to <a href="https://go.microsoft.com/fwlink/?linkid=2185076" target="_blank">**Geo locations**</a>.

+1. Select **Add location**.

+1. Select the location that you want to add, and then select **Next**.

+1. Type the domain that you want to use with the geo location, and then select **Add**.

+1. Select **Close**.

+The Risky Users tab shows user accounts across your tenants that have been flagged for risky behavior. Select any of the users to view more information on a detected risk or to mitigate a risk by resetting a user's password or blocking sign-in. For more information about risk types and detection, see [What is risk?](/azure/active-directory/identity-protection/concept-identity-protection-risks).

+The Risky Users tab also includes the following options:

+- **Export:** Select to export device compliance data to an Excel comma-separated values (.csv) file.

+- **Refresh:** Select to retrieve the most current device compliance data.

+- **Confirm user(s) compromised:** Select to confirm the user was compromised.

+- **Dismiss user(s) risk:** Select to dismiss the user risk.

+- **Reset password:** Select to change or reset user password.

+- **Block Sign-in:** Select to prevent anyone from signing in as this user.

+The Multifactor Authentication tab provides detailed information on the status of multifactor authentication (MFA) enablement across your tenants. Select any tenant in the list to see more details for that tenant, including which Conditional Access policies requiring MFA are already configured and which users haven't yet registered for MFA.

+ Title: "View and manage risky users"

+f1.keywords: NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- M365-subscription-management

+- Adm_O365

+- AdminSurgePortfolio

+- M365-Lighthouse

+search.appverid: MET150

+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to view and manage risky users."

+# View and manage risky users

+> [!NOTE]

+> The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).

+Microsoft collects and analyzes trillions of user sign-in signals each day. These signals are used to help build good user sign-in behavior patterns and identify potential risky sign-in attempts. Azure Active Directory (Azure AD) Identity Protection uses these signals to review user sign-in attempts and take action if there's suspicious activity.

+Microsoft 365 Lighthouse helps manage risks detected by Azure AD Identity Protection by providing a single view of risky users across all your managed tenants. You can quickly secure risky users by either resetting their password or blocking them from signing in to their Microsoft 365 account. You can also view insights to better understand a userΓÇÖs risk and determine next steps.

+Azure AD Identity Protection identifies risks of many types, including:

+- Leaked credentials

+- Anonymous IP use

+- Atypical travel

+- Signing in from infected devices

+- Signing in from IP addresses with suspicious activity

+- Signing in from unfamiliar locations

+## Before you begin

+The following conditions must be met before users can appear in the risky users list:

+- The customer tenant must have an Azure AD Premium license for each user. For more information on which licenses support Azure AD Identity Protection, see [What is Identity Protection?](/azure/active-directory/identity-protection/overview-identity-protection)

+- The customer tenant must be active within Microsoft 365 Lighthouse. To determine if a tenant is active, see [Microsoft 365 Lighthouse Tenants page overview](m365-lighthouse-tenant-list-overview.md).

+## Review detected risks and take action

+In Azure AD Identity Protection, risk detections include any identified suspicious actions related to user accounts in Azure AD.

+1. In the left navigation pane in Lighthouse, select **Users**.

+2. Select the **Risky Users** tab.

+3. Review the users in the list with a risk state of **At risk**.

+4. Select **View risk detections** to get detailed information about the risks detected for each user. For more information about risk types and detection, see [What is risk?](/azure/active-directory/identity-protection/concept-identity-protection-risks).

+5. For each user, assess the risk detections and select one of the following actions, as appropriate:

+ - Reset password ΓÇô change or reset the user password.

+ - Block sign-in - prevents anyone from signing in as this user.

+ - Confirm user compromised ΓÇô set risk state to confirmed compromised.

+ - Dismiss user risk - set risk state to dismissed.

+## Take action on multiple user accounts at once

+To take action on multiple affected users at once:

+1. From the **Risky Users** tab, select the set of users you want to take action on.

+2. Choose one of the following actions to perform:

+ - Reset password

+ - Block sign-in

+ - Confirm user compromised

+ - Dismiss user risk

+> [!NOTE]

+> If the organization you are managing has an Azure AD Premium P2 license, it is recommended you enable User risk-based conditional access policies. For more information, see [Conditional Access: User risk-based Conditional Access](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user).

+## Related content

+[Use risk detections for user sign-ins to trigger Azure AD Multi-Factor Authentication or password changes](/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa) (tutorial)\

+[What is risk?](/azure/active-directory/identity-protection/concept-identity-protection-risks) (article) \

+[Remediate risks and unblock users](/azure/active-directory/identity-protection/howto-identity-protection-remediate-unblock) (article)

+[Register new devices yourself](get-started/manual-registration.md) | Updated article

+[Register new devices yourself](get-started/manual-registration.md) | Updated article

+[Steps for Partners to register devices](get-started/partner-registration.md) | Updated article

+[Register new devices yourself](get-started/manual-registration.md) |Updated article

+[Set up Microsoft Managed Desktop devices](get-started/prepare-devices.md) | Updated article

+[Steps for Partners to register devices](get-started/partner-registration.md) | Updated article

+[Register new devices yourself](get-started/manual-registration.md) | Updated article

+[Register existing devices yourself](get-started/manual-registration-existing-devices.md) | Updated article

+[Set up Microsoft Managed Desktop devices](get-started/prepare-devices.md) | Updated article

+[Register new devices yourself](get-started/manual-registration.md) | Updated article

+[Steps for Partners to register devices](get-started/partner-registration.md) | Updated article

+[Steps for Partners to register devices](get-started/partner-registration.md) | Updated article

+[Register new devices yourself](get-started/manual-registration.md) | Updated article

+[Register new devices yourself](get-started/manual-registration.md) | Updated article

+[Register existing devices yourself](get-started/manual-registration-existing-devices

+.md) | Updated article

+[Steps for Partners to register devices](get-started/partner-registration.md) | Updated article

+[Register new devices yourself](get-started/manual-registration.md) | Updated article

+[Steps for Partners to register devices](get-started/partner-registration.md)| Updated article

+[Register new devices yourself](get-started/manual-registration.md) | Updated article

+[Register new devices yourself](get-started/manual-registration.md) | Updated article

+[Register existing devices yourself](get-started/manual-registration-existing-devices.md) | Updated article

+[Set up Microsoft Managed Desktop devices](get-started/prepare-devices.md) | New article

+[Register new devices yourself](get-started/manual-registration.md) | Updated article

+[Register existing devices yourself](get-started/manual-registration-existing-devices.md) | New article

+## May 201

+[Install Microsoft Project and Microsoft Visio on Microsoft Managed Desktop devices](get-started/project-visio.md) | New article

+[Register devices in Microsoft Managed Desktop](get-started/manual-registration.md) | New article

+[Register devices in Microsoft Managed Desktop for Partners](get-started/partner-registration.md) | New article

+[Manage apps for Microsoft Managed Desktop](working-with-managed-desktop/manage-apps.md) | Updated with info on how to update or roll back to a previous version of line-of-business apps.

+Content reorganized: added section for [Microsoft Managed Desktop service description](service-description/index.md).

+1. [Prepare devices](prepare-devices.md).

+1. [Prepare devices](Prepare-devices.md).

+1. [Prepare devices](prepare-devices.md).

+1. [Prepare devices](prepare-devices.md)

+1. [Prepare devices](prepare-devices.md).

+1. [Prepare devices](prepare-devices.md).

+1. [Prepare devices](prepare-devices.md).

+6. [Prepare devices](prepare-devices.md).

+To provide the ESP experience, you must register devices in the Microsoft Managed Desktop service. For more about registration, see [Manual registration](../get-started/manual-registration.md) or [Partner registration](../get-started/partner-registration.md).

+1. [Prepare devices](prepare-devices.md).

+1. [Prepare devices](prepare-devices.md).

+1. [Prepare devices](prepare-devices.md).

+1. [Prepare devices](prepare-devices.md).

+ Title: Manual registration for existing devices

+description: Register existing devices so they can be managed by Microsoft Managed Desktop

+f1.keywords:

+- NOCSH

+ms.localizationpriority: medium

+audience: Admin

+# Manual registration for existing devices

+>[!NOTE]

+>This article describes the steps for you to reuse devices you already have, and register them in Microsoft Managed Desktop. If you are working with brand-new devices, follow the steps in [Register new devices in Microsoft Managed Desktop yourself](manual-registration.md) instead. <br> <br> The process for Partners is documented in [Steps for Partners to register devices](partner-registration.md).

+Microsoft Managed Desktop can work with brand-new devices, or you can reuse devices you might already have. If you reuse devices, you must reimage them. You're able to register devices with Microsoft Managed Desktop in the Microsoft Endpoint Manager portal.

+## Prepare to register existing devices

+**To register existing devices:**

+1. [Obtain the hardware hash for each device.](#obtain-the-hardware-hash)

+2. [Merge the hash data](#merge-hash-data).

+3. [Register the devices in Microsoft Managed Desktop](#register-devices-by-using-the-admin-portal).

+4. [Double-check that the image is correct.](#check-the-image)

+5. [Deliver the device](#deliver-the-device).

+### Obtain the hardware hash

+Microsoft Managed Desktop identifies each device uniquely by referencing its hardware hash. You have four options for getting this information from devices you're already using.

+**To obtain the hardware hash:**

+- Ask your OEM supplier for the AutoPilot registration file, which will include the hardware hashes.

+- Collect information in [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager).

+- Run a Windows PowerShell script either by using [Active Directory](#active-directory-powershell-script-method), or [manually](#manual-powershell-script-method) on each device, and collect the results in a file.

+- Start each device, but don't complete the Windows setup experience, and [collect the hashes on a removable flash drive](#flash-drive-method).

+#### Microsoft Endpoint Configuration Manager

+You can use Microsoft Endpoint Configuration Manager to collect the hardware hashes from existing devices that you want to register with Microsoft Managed Desktop. If you've met all these prerequisites, you're ready to collect the information.

+> [!IMPORTANT]

+> Any devices you want to get this information for must be running Windows 10, version 1703 or later.

+**To collect the hardware hash information:**

+1. In the Configuration Manager console, select **Monitoring**.

+2. In the Monitoring workspace, expand the **Reporting** node, expand **Reports**, and select the **Hardware - General** node.

+3. Run the report, **Windows Autopilot Device Information**, and view the results.

+4. In the report viewer, select the **Export** icon, and select the **CSV (comma-delimited)** option.

+5. After saving the file, you'll need to filter results to just the devices you plan to register with Microsoft Managed Desktop. Then, upload the data to Microsoft Managed Desktop.

+ - Open Microsoft Endpoint Manager and navigate to the **Devices** menu.

+ - In the Microsoft Managed Desktop section, select **Devices**.

+ - Select **+ Register devices**, which opens a fly-in to register new devices.

+For more information, see [Register devices by using the Admin Portal](#register-devices-by-using-the-admin-portal) below.

+#### Active Directory PowerShell script method

+In an Active Directory environment, you can use the `Get-WindowsAutoPilotInfo` PowerShell cmdlet to remotely collect the information from devices in Active Directory Groups by using WinRM. You can also use the `Get-AD Computer` cmdlet and get filtered results for a specific hardware model name included in the catalog. Before you proceed, confirm these prerequisites, and then proceed.

+**To use the Active Directory PowerShell script method:**

+1. Ensure WinRM is enabled.

+1. The devices you want to register are active on the network. That is, they aren't disconnected or turned off.

+1. Ensure you have a domain credential parameter that has permission to execute remotely on the devices.

+1. Ensure that Windows Firewall allows access to WMI. To do that, follow these steps:

+ - Open the **Windows Defender Firewall** control panel and select **Allow an app or feature through Windows Defender Firewall**.

+ - Find **Windows Management Instrumentation (WMI)** in the list, enable for both **Private and Public**, and then select **OK**.

+1. Open a PowerShell prompt with administrative rights.

+1. Run *either one* of these scripts:

+ ```powershell

+ Install-script -name Get-WindowsAutoPilotInfo

+ #example one ΓÇô leverage Get-ADComputer to enumerate devices

+ Get-ADComputer -filter * | powershell -ExecutionPolicy Unrestricted Get-WindowsAutoPilotInfo.ps1 -credential Domainname\<accountname>

+ ```

+ ```powershell

+ #example two ΓÇô target specific devices:

+ Set-ExecutionPolicy powershell -ExecutionPolicy Unrestricted Get-WindowsAutoPilotInfo.ps1 -credential Domainname\<accountname> -Name Machine1,Machine2,Machine3

+ ```

+1. Access any directories where there might be entries for the devices. Remove entries for each device from *all* directories, including Windows Server Active Directory Domain Services and Azure Active Directory. It could take a few hours to completely process.

+1. Access management services where there might be entries for the devices. Remove entries for each device from *all* management services, including Microsoft Endpoint Configuration Manager, Microsoft Intune, and Windows Autopilot. It could take a few hours to completely process.

+Now you can proceed to [register devices](#register-devices-by-using-the-admin-portal).

+#### Manual PowerShell script method

+**To use the manual Powershell script method:**

+1. Open a PowerShell prompt with administrative rights.

+2. Run `Install-Script -Name Get-WindowsAutoPilotInfo`.

+3. Run `powershell -ExecutionPolicy Unrestricted Get-WindowsAutoPilotInfo -OutputFile <path>\hardwarehash.csv`.

+4. [Merge the hash data.](#merge-hash-data)

+#### Flash drive method

+**To use the flash drive method:**

+1. On a device other than the one you're registering, insert a USB drive.

+2. Open a PowerShell prompt with administrative rights.

+3. Run `Save-Script -Name Get-WindowsAutoPilotInfo -Path <pathToUsb>`.

+4. Turn on the device you're registering, but *don't start the setup experience*. If you accidentally start the setup experience, you'll have to reset or reimage the device.

+5. Insert the USB drive, and then press SHIFT + F10.

+6. Open a PowerShell prompt with administrative rights, and then run `cd <pathToUsb>`.

+7. Run `Set-ExecutionPolicy -ExecutionPolicy Unrestricted`.

+8. Run `.\Get-WindowsAutoPilotInfo -OutputFile <path>\hardwarehash.csv`.

+9. Remove the USB drive, and then shut down the device by running `shutdown -s -t 0`.

+10. [Merge the hash data.](#merge-hash-data)

+> [!IMPORTANT]

+> Do not power on the device you are registering again until you've completed registration for it.

+### Merge hash data

+If you collected the hardware hash data by the manual PowerShell or flash drive methods, you must combine the data in the two CSV files into a single file to complete registration. Here's a sample PowerShell script to make it easy:

+```powershell

+Import-CSV -Path (Get-ChildItem -Filter *.csv) | ConvertTo-Csv -NoTypeInformation | % {$_.Replace('"', '')} | Out-File .\aggregatedDevices.csv

+```

+With the hash data merged into one CSV file, you can now proceed to [register the devices](#register-devices-by-using-the-admin-portal).

+## Register devices by using the Admin Portal

+In [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), select **Devices** in the left navigation pane. In the Microsoft Managed Desktop section, select **Devices**. In the Microsoft Managed Desktop Devices workspace, Select **+ Register devices**, which opens a fly-in to register new devices.

+<!-- Update with new picture [](../../media/new-registration-ui.png) -->

+<!--Registering any existing devices with Managed Desktop will completely re-image them; make sure you've backed up any important data prior to starting the registration process.-->

+**To register devices using the Admin Portal:**

+1. In **File upload**, provide a path to the CSV file you created previously.

+2. Select a [device profile](../service-description/profiles.md) in the dropdown menu.

+3. Select **Register devices**. The system will add the devices to your list of devices on the **Devices blade**. The devices are marked as **Registration Pending**. Registration typically takes less than 10 minutes, and when successful, the device will show as **Ready for user**. **Ready for user** means it's ready and waiting for a user to start using.

+> [!NOTE]

+> If you manually change the Azure Active Directory (AAD) group membership of a device, it will be automatically reassigned to the group for its device profile and removed from any conflicting groups.

+You can monitor the progress of device registration on the main page. Possible states reported include:

+| State | Description |

+| -- | -- |

+| Registration Pending | Registration isn't completed yet. Check back later. |

+| Registration failed | Registration couldn't be completed. For more information, see [Troubleshooting device registration](#troubleshooting-device-registration). |

+| Ready for user | Registration succeeded. The device is now ready to be delivered to the user. Microsoft Managed Desktop will guide them through first-time set-up, so there's no need for you to do any further preparations. |

+| Active | The device has been delivered to the user and they've registered with your tenant. This state also indicates that they're regularly using the device. |

+| Inactive | The device has been delivered to the user and they've registered with your tenant. However, the user hasn't used the device recently (in the last seven days). |

+### Troubleshooting device registration

+| Error message | Details |

+| -- | -- |

+| Device not found | We couldn't register this device because we couldn't find a match for the provided manufacturer, model, or serial number. Confirm these values with your device supplier. |

+| Hardware hash not valid | The hardware hash you provided for this device wasn't formatted correctly. Double-check the hardware hash and then resubmit. |

+| Device already registered | This device is already registered to your organization. No further action required. |

+| Device claimed by another organization | This device has already been claimed by another organization. Check with your device supplier. |

+| Unexpected error | Your request couldn't be automatically processed. Contact Support and provide the Request ID: `<requestId>` |

+## Check the image

+If your device has come from a Microsoft Managed Desktop partner supplier, the image should be correct.

+You're also welcome to apply the image on your own if you prefer. To get started, contact the Microsoft representative you're working with and they'll provide you the location and steps for applying the image.

+## Deliver the device

+> [!IMPORTANT]

+> Before you hand off the device to your user, make sure you have obtained and applied the [appropriate licenses](../get-ready/prerequisites.md) for that user.

+If all the licenses are applied, you can [get your users ready to use the devices](get-started-devices.md). Then, your user can start up the device and proceed through the Windows setup experience.

+ Title: Manual registration

+description: Register devices to be managed by Microsoft Managed Desktop

+f1.keywords:

+- NOCSH

+ms.localizationpriority: medium

+audience: Admin

+# Manual registration

+Microsoft Managed Desktop can work with brand-new devices, or you can reuse devices you might already have. If you reuse devices, you must reimage them. You're able to register devices with Microsoft Managed Desktop in the Microsoft Endpoint Manager portal.

+> [!NOTE]

+> Working with a partner to obtain devices? If so, you don't need to worry about getting the hardware hashes; they'll take care of that for you. Make sure your partner establishes a relationship with you at the [Partner Center](https://partner.microsoft.com/dashboard). Your partner can learn more at [Partner Center help](/partner-center/request-a-relationship-with-a-customer). <br><br>Once this relationship established, your partner will simply register devices on your behalf ΓÇô no further action required from you. If you want to see the details, or your partner has questions, see [Partner registration](partner-registration.md). Once the devices are registered, you can proceed with [checking the image](#check-the-image) and [delivering the devices](#deliver-the-device) to your users.

+## Prepare to register brand-new devices

+Once you have the new devices in hand, you'll follow these steps:

+1. [Obtain the hardware hash for each device.](#obtain-the-hardware-hash)

+2. [Merge the hash data](#merge-hash-data).

+3. [Register the devices in Microsoft Managed Desktop](#register-devices-by-using-the-admin-portal).

+4. [Double-check that the image is correct.](#check-the-image)

+5. [Deliver the device](#deliver-the-device).

+### Obtain the hardware hash

+Microsoft Managed Desktop identifies each device uniquely by referencing its hardware hash. You have three options for getting this information.

+**To obtain the hardware hash:**

+- Ask your OEM supplier for the AutoPilot registration file, which will include the hardware hashes.

+- Run a [Windows PowerShell script](#powershell-script-method) on each device and collect the results in a file.

+- Start each device, but don't complete the Windows setup experience, and [collect the hashes on a removable flash drive](#flash-drive-method).

+#### PowerShell script method

+You can use the [Get-WindowsAutoPilotInfo.ps1](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) PowerShell script on the PowerShell Gallery website. For more information about device identification and hardware hash, see [Adding devices to Windows Autopilot](/mem/autopilot/add-devices#device-identification).

+**To use the Powershell script method:**

+1. Open a PowerShell prompt with administrative rights.

+2. Run `Install-Script -Name Get-WindowsAutoPilotInfo`.

+3. Run `powershell -ExecutionPolicy Unrestricted Get-WindowsAutoPilotInfo -OutputFile <path>\hardwarehash.csv`.

+4. Run `powershell -ExecutionPolicy restricted` to prevent subsequent unrestricted scripts from running.

+#### Flash drive method

+**To use the flash drive method:**

+1. On a device other than the one you're registering, insert a USB drive.

+2. Open a PowerShell prompt with administrative rights.

+3. Run `Save-Script -Name Get-WindowsAutoPilotInfo -Path <pathToUsb>`

+4. Turn on the device you're registering, but *don't start the setup experience*. If you accidentally start the setup experience, you'll have to reset or reimage the device.

+5. Insert the USB drive, and then press SHIFT + F10.

+6. Open a PowerShell prompt with administrative rights, and then run `cd <pathToUsb>`.

+7. Run `Set-ExecutionPolicy -ExecutionPolicy Unrestricted`

+8. Run `.\Get-WindowsAutoPilotInfo -OutputFile <path>\hardwarehash.csv`

+9. Remove the USB drive, and then shut down the device by running `shutdown -s -t 0`

+> [!IMPORTANT]

+> Do not power on the device you are registering again until you've completed registration for it.

+### Merge hash data

+You'll need to have the data in the CSV files combined into a single file to complete registration. Here's a sample PowerShell script to make it easy:

+`Import-CSV -Path (Get-ChildItem -Filter *.csv) | ConvertTo-Csv -NoTypeInformation | % {$_.Replace('"', '')} | Out-File .\aggregatedDevices.csv`

+> [!NOTE]

+> Extra columns are not supported. Quotes are not supported. Only ANSI-format text files can be used (not Unicode). Headers are case-sensitive. Editing the file in Excel and saving it as a CSV file will not generate a usable file due to these requirements. Be sure to preserve any leading zeroes in the device serial numbers.

+### Register devices by using the Admin Portal

+In [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), select **Devices** in the left navigation pane. In the Microsoft Managed Desktop section, select **Devices**. In the Microsoft Managed Desktop Devices workspace, Select **+ Register devices**, which opens a fly-in to register new devices.

+<!-- [](../../media/new-registration-ui.png) -->

+<!--Registering any existing devices with Managed Desktop will completely re-image them; make sure you've backed up any important data prior to starting the registration process.-->

+**To register devices using the Admin Portal:**

+1. In **File upload**, provide a path to the CSV file you created previously.

+2. Select a [device profile](../service-description/profiles.md) in the drop-down menu.

+3. Select **Register devices**. The system will add the devices to your list of devices on **Devices**, marked as **Registration Pending**. Registration typically takes less than 10 minutes, and when successful the device will show as **Ready for user** meaning it's ready and waiting for a user to start using.

+> [!NOTE]

+> If you manually change the Azure Active Directory (AAD) group membership of a device, it will be automatically reassigned to the group for its device profile and removed from any conflicting groups.

+You can monitor the progress of device registration on the main page. Possible states reported include:

+| State | Description |

+| --|--|

+| Registration Pending | Registration isn't completed yet. Check back later. |

+| Registration failed | Registration couldn't be completed. For more information, see [Troubleshooting device registration](#troubleshooting-device-registration). |

+| Ready for user | Registration succeeded. The device is now ready to be delivered to the user. Microsoft Managed Desktop will guide them through first-time set-up, so there's no need for you to do any further preparations. |

+| Active | The device has been delivered to the user and they've registered with your tenant. This state also indicates that they're regularly using the device. |

+| Inactive | The device has been delivered to the user and they've registered with your tenant. However, they haven't used the device recently (in the last seven days). |

+#### Troubleshooting device registration

+| Error message | Details |

+|--| -- |

+| Device not found | We couldn't register this device because we couldn't find a match for the provided manufacturer, model, or serial number. Confirm these values with your device supplier. |

+| Hardware hash not valid | The hardware hash you provided for this device wasn't formatted correctly. Double-check the hardware hash and then resubmit. |

+| Device already registered | This device is already registered to your organization. No further action required. |

+| Device claimed by another organization | This device has already been claimed by another organization. Check with your device supplier. |

+| Unexpected error | Your request couldn't be automatically processed. Contact Support and provide the Request ID: `<requestId>` |

+### Check the image

+If your device has come from a Microsoft Managed Desktop partner supplier, the image should be correct.

+You're also welcome to apply the image on your own if you prefer. To get started, contact the Microsoft representative you're working with. The representative will provide you the location and steps for applying the image.

+### Autopilot group tag

+When you use the Admin portal to register devices, we automatically assign the Autopilot Group Tag associated with the device profile listed in [Register devices by using Partner Center](partner-registration.md).

+The service monitors all Microsoft Managed Desktop devices daily and assigns the group tag to any that don't already have it.

+### Deliver the device

+> [!IMPORTANT]

+> Before you hand off the device to your user, make sure you have obtained and applied the [appropriate licenses](../get-ready/prerequisites.md) for that user.

+If all the licenses are applied, you can [get your users ready to use devices](get-started-devices.md). Then, your user can start up the device and proceed through the Windows setup experience.

+ Title: Partner registration

+description: Partners can register devices to be managed by Microsoft Managed Desktop

+f1.keywords:

+- NOCSH

+ms.localizationpriority: medium

+audience: Admin

+# Partner registration

+This article describes the steps for Partners to register devices. The process for registering devices yourself is documented in [Manual registration](manual-registration.md).

+## Prepare for registration

+Before completing registration for a customer, you must first establish a relationship with them in the [Partner Center](https://partner.microsoft.com/dashboard). For more information on that process, see the [consent documentation](/windows/deployment/windows-autopilot/registration-auth#csp-authorization). Any CSP partner can add devices on behalf of any customer, as long as the customer consents. You can also learn more about partner relationships and Autopilot permissions at [Partner Center help](/partner-center/customers_revoke_admin_privileges#windows-autopilot).

+> [!NOTE]

+> This documentation is only for Partners and OEMs. The process for self-registration is documented in [Manual registration](manual-registration.md).

+## Register devices using the Partner Center

+Once you've established the relationship with your customers, you can use Partner Center to add devices to Autopilot for any of the customers.

+**To register devices using the Partner Center:**

+1. Navigate to [Partner Center](https://partner.microsoft.com/dashboard).

+2. Select **Customers** from the Partner Center menu and then select the customer whose devices you want to manage.

+3. On the customer's detail page, select **Devices**.

+4. Under **Apply profiles** to devices, select **Add devices**.

+5. Enter the appropriate Group Tag for the device profile you've selected (as shown in the following table) and then select **Browse** to upload the customer's list (in .csv file format) to Partner Center.

+| [Device profile](../service-description/profiles.md) | Group Tag |

+| -- | --|

+| Sensitive data | **Microsoft365Managed\_SensitiveData** |

+| Power user | **Microsoft365Managed\_PowerUser** |

+| Standard | **Microsoft365Managed\_Standard** |

+> [!IMPORTANT]

+> The Group Name must match those listed in the table exactly, including capitalization and special characters. This will allow the newly registered devices to be assigned with the Microsoft Managed Desktop Autopilot profile.

+>[!NOTE]

+> You should have received this .csv file with your device purchase. If you didn't receive a .csv file, you can create one yourself by following the steps in [Adding devices to Windows Autopilot](/windows/deployment/windows-autopilot/add-devices#collecting-the-hardware-id-from-existing-devices-using-powershell). Requirements: <ul><li>Extra columns are not supported.</li> <li>Quotes are not supported.</li> <li>Only ANSI-format text files can be used (not Unicode).</li> <li>Headers are case-sensitive.</li></ul> Editing the file in Excel and saving it as a CSV file will not generate a usable file due to these requirements. Ensure that you preserve any leading zeroes in the device serial numbers. Partners should use [Get-WindowsAutoPilotInfo](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) to register devices for Microsoft Managed Desktop devices in Partner Center.

+If you receive an error message while trying to upload the .csv file, check the format of the file. Make sure the column order matches what is described in [Use Windows Autopilot profiles on new devices to customize a customer's out-of-box experience](/partner-center/autopilot#add-devices-to-a-customers-account). You can also use the sample .csv file provided from the link next to **Add devices** to create a device list.

+For more information about Autopilot in Partner scenarios, see [Add devices to a customer's account](/partner-center/autopilot#add-devices-to-a-customers-account).

+## Register devices by using the OEM API

+Before completing registration for a customer, you must first establish a relationship with them. You should have a unique link to provide to your respective customers. See [How to establish OEM relationship](/windows/deployment/windows-autopilot/registration-auth#oem-authorization).

+Once you've established the relationship, you can start registering devices for customers using the appropriate Group Tag for each device profile they've selected:

+| Device profile | Group Tag |

+| -- | -- |

+| Sensitive data | **Microsoft365Managed\_SensitiveData** |

+| Power user | **Microsoft365Managed\_PowerUser** |

+| Standard | **Microsoft365Managed\_Standard** |

+> [!IMPORTANT]

+> The Group Tags must match those listed in the table exactly, including capitalization and special characters. This will allow the newly registered devices to be assigned with the Microsoft Managed Desktop Autopilot profile.

+ Title: Prepare devices for Microsoft Managed Desktop

+description: Prepare new devices or reuse existing ones that qualify

+keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation

+ms.localizationpriority: medium

+audience: Admin

+# Prepare devices

+You can use both new and existing devices in Microsoft Managed Desktop.

+## Obtain new devices

+We recommend working with one of our approved device partners. You can work with your Microsoft account contact for more help setting up a device partnership.

+**To obtain new devices:**

+1. Review the list of currently recommended devices by filtering for Microsoft Managed Desktop in the [Shop Windows Pro business devices](https://www.microsoft.com/windows/business/devices) site.

+1. Order one or a few examples of the devices you want to use with a compliant image. Ordering might require [specific ordering steps](../service-description/device-images.md).

+1. [Validate](validate-device.md) the example devices.

+1. After successful validation, order the devices, working with an approved device partner.

+1. Once they've arrived, either:

+ - [Manually register](manual-registration.md).

+ - Work with a partner to register the devices.

+1. [Get your users ready](get-started-devices.md) to use Microsoft Managed Desktop devices.

+## Reuse existing devices

+> [!IMPORTANT]

+>Check that your existing devices meet our [device requirements](../service-description/device-requirements.md). You can also use the downloadable [readiness assessment checker](../get-ready/readiness-assessment-downloadable.md) to verify that a given device meets the necessary requirements. <br><br>If you reuse an existing device, you may have to reimage it. For image options, see [Device images](../service-description/device-images.md).

+**To reuse existing devices:**

+1. Select one or a few examples of the devices you want to reuse, and then [validate them](validate-device.md).

+1. After successful validation, either:

+ - [Manually register existing devices](manual-registration-existing-devices.md).

+ - Work with a partner to register the devices.

+1. [Get your users ready](get-started-devices.md) to use Microsoft Managed Desktop devices.

+## Steps to get started with Microsoft Managed Desktop

+1. Access [admin portal](access-admin-portal.md).

+1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).

+1. [Adjust settings after enrollment](conditional-access.md).

+1. Deploy and assign [Intune Company Portal](company-portal.md).

+1. [Assign licenses](assign-licenses.md).

+1. [Deploy apps](deploy-apps.md).

+1. Set up devices (this article).

+1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).

+1. [Enable user support features](enable-support.md).

+1. [Get your users ready to use devices](get-started-devices.md).

+1. [Get started with app control](get-started-app-control.md).

+- Modern Workplace - Teams Machine Wide Installer x64

+- Modern Workplace - Teams Machine Wide Installer x32

+ - [Prepare devices](prepare-devices.md)

+- [Prepare devices](../get-started/prepare-devices.md)

+Microsoft Managed Desktop uses deployment groups to manage the release of updates and configuration changes to devices. Devices are added to deployment groups ("rings" or "update groups") automatically when they're enrolled into Microsoft Managed Desktop. Deployment groups allow for devices to receive changes in a phased timeline.

+You might want to assign certain devices for test purposes only, or designate specific early adopters to receive the changes first. If you have critical devices, such as those used by executives or that do business-critical functions, you might want to keep them in the group that gets updates on the slowest cadence. Microsoft Managed Desktop allows you to specify that a device should stay in any one of the following groups.

+| Group | Description |

+| -- | -- |

+| Test | The Test group is best for devices that are used for testing, or users who can tolerate frequent changes, exposure to new features, and are able to provide early feedback.<br><br>This group receives changes frequently and experiences in this group have a strong effect. The Test group is exempt from any established service level agreements and user support. It's best to move just a few devices at first and then review the user experience. Microsoft Managed Desktop won't automatically assign devices to this group. This group will only contain devices you specify.

+| First | The First group is ideal for early adopters, volunteer, designated validators, IT Pros, or representatives of business functions. That is, people who can validate changes and provide you feedback on the experience.

+| Fast | The Fast group is ideal for representatives of business functions. These individuals can validate changes prior to broad deployment.

+| Broad | The Broad group receives changes last.<br><br>Most of your organization will typically be in this group. You can specify devices that must be in this group. These devices should receive changes last because they're doing business critical functions, or belong to users in critical roles.

+| Automatic | Select Automatic when you want Microsoft Managed Desktop to automatically assign devices to one of the other groups.<br><br>We won't automatically assign devices to Test. If you want to release a device that you've previously specified so it can be automatically assigned again, select this option.

+## Labels

+The Group assigned by column contains the following labels:

+| Label | Description |

+| -- | -- |

+| Admin | The device is in a group you've specified. |

+| Auto | Microsoft Managed Desktop assigned the group. |

+| Pending | The device is in the process of moving to a group. |

+The **Group** column always shows the group the device is currently in and only updates when a move is complete.

+When you order a new device from an [approved manufacturer](device-requirements.md#minimum-requirements), follow these steps to make sure they ship devices with the right Microsoft Managed Desktop image and software configuration.

+Anytime you plan to enroll a particular device model in the service for the first time, you should test an example to ensure it will deliver the user experience you expect. For more information, see [Validate new devices](/microsoft-365/managed-desktop/get-started/validate-device).

+Work directly with the Dell sales representative.

+The representative will ensure that the image approved by Microsoft Managed Desktop is applied to devices in your order. For more information on Dell devices, the image, and the ordering process, contact MMD_at_dell@dell.com.

+### HP

+When you order new devices from HP, be sure to use the specific SKU listed in the Additional requirements section for each model found in the [Shop Windows Pro business devices](https://www.microsoft.com/windows/business/devices#view-all-filter) page. Filter the view to list the Microsoft Managed Desktop devices.

+If you're ordering a device from HP that has been approved as an [exception](customizing.md), but isn't currently listed on the Device List page, request the SKU to be used for your model. We'll work with HP to get you this information by using your exception request. You can also contact HP directly for any questions about devices and device ordering instructions by using these addresses:

+When you order devices from Lenovo, you must indicate a specific part number in the order. Contact your Lenovo sales representative or Lenovo Channel Partner and ask them to create a "*special bid model*" with a system that meets our [device requirements](device-requirements.md#minimum-requirements).

+To include a pre-loaded image compatible with Microsoft Managed Desktop, ask the sales representative to reference "*system building block part number SBB0Q94938 - MMD Enablement*." Work with your Lenovo sales representative or Lenovo Channel Partner for recommended services, support, and imaging services.

+You can reuse existing devices as long as they meet both:

+- [Device requirements](device-requirements.md#minimum-requirements)

+- [Software requirements](device-requirements.md#installed-software).

+Follow the steps relevant to your manufacturer.

+You can reimage devices either with an image from the manufacturer, or by using the Microsoft Managed Desktop "universal image." To get an appropriate manufacturer image, order at least one [new device](#new-devices) of the model you're reusing. Then, you can obtain the image from that device and apply it to other devices of the exact same model.

+> It's your the responsibility to create, test, and deploy images. We also recommend using appropriate images provided by the manufacturer whenever possible instead of custom images; this includes the "universal image."

+HP Commercial PCs shipped with the HP Corporate Ready Image include a `.WIM` file for recovery. You can use this image to apply the factory restoration image to other devices of the same model.

+The following steps will remove all data on the device. Before starting, you should back up any data on you want to keep.

+**To remove data on the device:**

+2. Copy these files from `C:\\SOURCES` to the USB drive:

+ - The factory recovery WIM file (for example, `HP\_EliteBook\_840\_G7\_Notebook\_PC\_CR\_2004.wim`)

+ - `DEPLOY.CMD`

+ - `ReCreatePartitions.txt`

+7. In the command prompt, run `deploy.cmd <sys_disk> <recovery_wim>`, where `sys_disk` is the disk number of the primary storage disk you determined, and `recovery_wim` is the filename of the `.WIM` file you copied earlier.

+### Microsoft

+These images use the Windows Recovery Environment (WinRE). This is a manual process (not automated). Follow the steps in [Creating and using a USB recovery drive for Surface](https://support.microsoft.com/surface/creating-and-using-a-usb-recovery-drive-for-surface-677852e2-ed34-45cb-40ef-398fc7d62c07).

+Microsoft Managed Desktop has created an image containing Windows Pro and Microsoft 365 Apps for Enterprise that you can use with Microsoft Managed Desktop.

+However, it's best to use images appropriate to Microsoft Managed Desktop provided by the manufacturer whenever possible, even if that means an older Windows version must be updated once the user signs in. Using the Microsoft Managed Desktop Universal image should be a final option.

+- We update the image with the latest Windows monthly quality updates every 30-60 days, and Microsoft 365 Apps for Enterprise updates at least twice a year.

+- You can deploy the image with USB drives. It contains a scriptable process to insert drivers. This process is outlined in the documentation included with the image.

+- You can modify the included scripts and folders with other customizations, such as adding specific cumulative updates, file copy code, or performing other checks.

+Submit requests for the Universal Image content and documentation by creating a change request it the [Admin portal](../get-started/access-admin-portal.md).

+Microsoft Managed Desktop uses Windows Autopilot, Azure Active Directory, and Microsoft Intune.

+For these services to work together seamlessly, devices need consistent, standardized names. Microsoft Managed Desktop applies a standardized name format (of the form `MMD-%RAND11`) when devices are enrolled. Windows Autopilot assigns these names. For more information about Autopilot, see [First-run experience with Autopilot and the Enrollment Status Page](../get-started/esp-first-run.md).

+If a device is renamed later, Microsoft Managed Desktop will automatically rename it to a new name in the standardized format. This process occurs every four hours. The name change takes place the next time the user restarts the device.

+> If your environment depends on specific device names (for example, to support a particular network configuration), you should investigate options to remove that dependency before enrolling in Microsoft Managed Desktop.<br><br>If you must keep the name dependency, you can submit a request through the [Admin portal](../working-with-managed-desktop/admin-support.md) to disable the renaming function and use your desired name format.

+When a new Microsoft Managed Desktop device is being set up, we ensure that the configuration is optimized Microsoft Managed Desktop.

+The configuration includes a set of default policies that are set as part of the onboarding process. These policies are delivered using Mobile Device Management (MDM) whenever possible. For more information, see [Mobile Device Management](/windows/client-management/mdm/).

+This table highlights the default policies that are applied to all Microsoft Managed Desktop devices during device provisioning. All detected changes to objects not approved by Microsoft Managed Desktop Operations Team and managed by Microsoft Managed Desktop will be reverted.

+| Policy | Description

+| -- | -- |

+| Security baseline | [Microsoft security baseline](/windows/device-security/windows-security-baselines) for mobile device management is configured for all Microsoft Managed Desktop devices. This baseline is the industry-standard configuration. It's publicly released, well tested, and reviewed by Microsoft security experts to keep Microsoft Managed Desktop devices, and apps secure in the modern workplace. <br><br>To mitigate threats in the constantly evolving security threat landscape, the Microsoft security baseline will be updated, and deployed to Microsoft Managed Desktop devices with each Windows 10 feature update.<br><br>For more information, see [Windows security baselines](/windows/security/threat-protection/windows-security-baselines).

+| Microsoft Managed Desktop recommended security template | This template is a set of recommended changes to the security baseline that optimizes the user experience. These changes are documented in [the Security Addendum](#security-addendum). Updates to the policy addendum occur on an as needed basis.

+| Update deployment | Use Windows Update for Business to perform gradual deployment of software updates. IT admins can't modify settings for the deployment group policies. For more information on group-based deployment, see [How updates are handled in Microsoft Managed Desktop](updates.md).

+| Metered connections | By default, updates over metered connections (such as LTE networks) are turned off. Though, each user can independently turn on this setting by navigating to **Settings, then Updates, then to Advanced options**. <br><br>If you want to allow all users to enable updates over metered connections, [submit a change request](../working-with-managed-desktop/admin-support.md), which will turn on this setting for all devices.

+ Devices will be set to provide enhanced diagnostic data to Microsoft under a known commercial identifier. As part of Microsoft Managed Desktop, IT admins can't change these settings.

+For customers in General Data Protection Regulation (GDPR) regions, users can reduce the level of diagnostic data that is provided, but there will be a reduction in service. For example, Microsoft Managed Desktop will be unable to collect the data necessary to iterate on settings and policies to best serve performance and security needs. For more information, see [Configure Windows diagnostic data in your organization.](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enhanced-level)

+ This section outlines the policies that will be deployed in addition to the standard Microsoft Managed Desktop policies listed in [Default policies](#default-policies). This configuration is designed with financial services and highly regulated industries in mind, and optimized for the highest security while maintaining user productivity.

+### Additional security policies

+ These policies are added to increase security for highly regulated industries:

+| Policy | Description |

+| -- | -- |

+|Security monitoring | Microsoft will monitor devices using [Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). If a threat is detected, Microsoft will notify the customer, isolate the device, and rectify the issue remotely. |

+ | Disable PowerShell V2 | Microsoft removed PowerShell V2 in August 2017.<br><br>This feature has been disabled on all Microsoft Managed Desktop devices. For more information on this change, see [Windows PowerShell 2.0 Deprecation](https://devblogs.microsoft.com/powershell/windows-powershell-2-0-deprecation/). |

+Microsoft Managed Desktop regularly evaluates device requirements to be included in the service. This article describes the hardware and software requirements a device must meet in order to work with Microsoft Managed Desktop.

+You can review a list of specific devices already approved for use based on these requirements. Filter for Microsoft Managed Desktop in the [Shop Windows Pro business devices](https://www.microsoft.com/en-us/windows/business/devices) page.

+> These requirements can change at any time, but we'll provide 30 days notice of any hardware requirement changes. The requirements most recently changed are marked with <b>\*</b>.

+Besides reviewing device specs, you can also use the downloadable [readiness assessment checker](../get-ready/readiness-assessment-downloadable.md) to verify that the device meets the necessary requirements.

+This tool also checks network settings and endpoints that are necessary for the service to work.

+> [!NOTE]

+> As of Mar 01, 2022, devices managed by Microsoft Managed Desktop must be supported by the OEM.<br><br>Work with your OEM to find out when devices in your portfolio will reach end of life support. Customers will be responsible for ensuring devices are replaced prior to end of life support. Any devices falling outside of OEM support will continue to be managed by Microsoft Managed Desktop, but support for these devices may be limited as they are at risk of security and performance issues that may not be mitigated by our service.

+- <b>\*</b> Windows 10 or Windows 11: Enterprise, Pro, or Pro Workstation edition.

+- 64-bit version of Microsoft 365 Apps for Enterprise.

+- All applicable device drivers.

+- Enabled for UEFI secure boot.

+- Trusted Platform Module 2.0.

+- Capable of Virtualization-based security.

+- [Hypervisor-protected code integrity](/windows-hardware/drivers/bringup/device-guard-and-credential-guard) supported by the BIOS.

+>- ARM processors aren't supported.

+- Either an Intel vPro-platform processor or an AMD Ryzen Pro processor.

+- Boot drive of the SSD type with a capacity of at least 256 GB.

+- Internal device memory (RAM) of at least 16 GB.

+- Support for Modern Standby.

+- Device is of Secured-core PC type.

+- Supports Kernel DMA Protection.

+description: This article lists device services and limitation for Microsoft Managed Desktop.

+This article lists the services and service limitations for Microsoft Managed Desktop devices.

+Microsoft will provide the following services for Microsoft Managed Desktop devices. For a list of recommended Microsoft Managed Desktop program devices, filter for Microsoft Managed Desktop on the [Shop Windows Pro business devices](https://www.microsoft.com/windows/business/devices) page.

+| Service | Description |

+| -- | -- |

+| Support | Support agents will answer questions directly related to device functionality and diagnose device issues.

+| Inventory | All devices are tracked in the Microsoft Managed Desktop Admin portal for inventory and status.

+| Firmware and driver updates | By default, Microsoft Managed Desktop devices receive firmware and driver updates from Windows Update.<br><br>Not all hardware partners deploy their updates via Windows Update. Updates not published as Automatic require an exception and must be deployed by the customer.

+| Accessories | Accessories that come with your device are covered by the same services as the device itself, but warranty terms may differ. Refer to the warranty terms when selecting your devices.

+| Device setup | Devices will be pre-configured with the current version of Windows and receive their apps and configurations via the cloud.

+Microsoft won't provide service for these items:

+| Service | Description |

+| -- | -- |

+| Personalization | Devices and accessories provided with the service are unable to be customized.<br><br>All devices and accessories are provided with standard branding, specification, and color combinations. Application deployment and policy configurations are handled through IT-as-a-Service.

+| Data recovery | User and team data, including personalization, is stored in OneDrive for Business, with only the cache data residing locally.<br><br>If data is intentionally stored on the device's internal storage system, any data recovery must be attempted, and completed prior to returning the device to Microsoft.

+| Device setup | Devices are delivered to the customer address. The device must be powered on and set up by the customer.

+Microsoft Managed Desktop provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows 10 Enterprise edition, Microsoft 365 Apps for enterprise, and Microsoft security services, including:

+- Simplified enrollment of new devices.

+- Configuration of devices.

+- Features to keep users and devices secure, including Windows Hello, BitLocker, SecureBoot, and Virtualization-based security according to Microsoft best practices.

+- Device security monitoring and remediation services.

+- App compatibility, through [App Assure](/fasttrack/products-and-capabilities#app-assure).

+- Management of updates for Windows 10 and Microsoft 365 Apps for enterprise apps.

+- Analytical data about device and app usage.

+- IT support for your users.

+- Operational support for IT pros.

+## Included services

+For details about the specific services included with Microsoft Managed Desktop, see the articles below.

+If you've already decided that Microsoft Managed Desktop is for you, the articles in [Get ready for enrollment in Microsoft Managed Desktop](../get-ready/index.md) will provide you with the steps to prepare to join the service.

+| Service | Description |

+| -- | -- |

+| [Supported regions and languages](regions-languages.md) | Explains which regions and languages are supported with the service. |

+| [Program devices](device-list.md) | To guarantee the best experience for your users, only certain devices are supported by Microsoft Managed Desktop. [Program devices](device-list.md) specifies the exact device models and configurations you can use with the service. You provide them or work with a partner. |

+| [Device services](device-services.md) | Specifies the device-related services that Microsoft will provide to subscribers.

+| [Device configuration](device-policies.md) | Clarifies the default and security-related Mobile Device Management policies that the service will apply to enrolled devices. |

+| [Security](security.md) | Specifies the data collected from enrolled devices, the features and policies related to device security, identity and access management, network security, and information security. |

+| [Updates](updates.md) | Describes the various update groups that Microsoft Managed Desktop uses to roll out updates to your devices.

+| [Support](support.md) | Clarifies the support Microsoft provides for your organization and users. |

+| [Operations and monitoring](operations-and-monitoring.md) | Explains how change management works with Microsoft Managed Desktop. This includes standard procedures for requesting and preparing for changes in the deployment. |

+| [Application requirements](mmd-app-requirements.md) | Describes the types of apps and behaviors allowed in Microsoft Managed Desktop, and the division of roles and responsibilities for app deployment and management. |

+Microsoft Intune collects, processes, and shares data to Microsoft Managed Desktop to support business operations and services. For more information about the data collected in Intune, see [Data collection in Intune](/mem/intune/protect/privacy-data-collect)

+| Device configuration options | Description

+| -- | -- |

+| Your configurations | At the top are your own configurations, such as network details or applications. A device can have any number of these configurations, which aren't managed or blocked by Microsoft Managed Desktop. |

+| Customizations | The next higher level is additional [customizations](customizing.md). Each device can have one or more (or no) customizations. The customizations can either modify a lower-level layer (Device profiles or the foundational configuration), or be an entirely new request that's layered on top of the standard configuration. |

+| Device profiles | Every Microsoft Managed Desktop device must have one, and only one, profile assigned. Admins can select which profile a device is assigned.<br><br>You can assign different pre-set profiles to devices. Each profile is optimized for the needs of specific types of users. Three device profiles are available:<ul><li>Standard</li><li>Sensitive Data</li><li>Power user</li> |

+| Foundation | Fundamentally, every Microsoft Managed Desktop device has a foundation that includes:<br><ul><li>Standard security baseline</li><li>Compliance policies</li><li>Windows Update settings</li><li>Groups</li></ul><br>To work with Microsoft Managed Desktop, every device must include all of these elements. These elements can't be changed by admins. You must submit a request to Microsoft Managed Desktop. |

+The following table summarizes the settings and their default values for each setting configured by device profiles. Behind the scenes, these settings are configured with OMA-URIs by using Custom Configuration Profiles in Microsoft Endpoint Manager.

+| Feature | Sensitive Data | Power User | Standard |

+| -- | :--: | :--: | :--: |

+|**Block External Storage**| Yes | Yes | No |

+|**[Cloud Block Level](/windows/client-management/mdm/policy-csp-defender#defender-cloudblocklevel)**| High | High | High |

+|**Disable Microsoft Accounts**| Yes | Yes | No |

+|**Disable personal OneDrive**| Yes | Yes | No |

+|**[Switch to secure desktop for elevation](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation)**| No | Yes | No |

+|**Microsoft Defender for Endpoint Device Tag**| M365Managed-SensitiveData | M365Managed-PowerUser | M365Managed-Standard |

+|**Admin on the device?**| No | Yes | No |

+|**Autopilot Profile**| MMD Standard | MMD Power User | MMD Standard |

+|**AppLocker**| Yes | No | No |

+|**Block Public Store**| Yes | Yes | No |

+- A dynamic membership Azure Active Directory device group.

+- A static membership Azure Active Directory device group.

+- A Microsoft Endpoint Manager Configuration profile.

+> Don't modify the membership of these groups directly. Use the interface as described in [Reassign profiles](../working-with-managed-desktop/change-device-profile.md).

+You can request exceptions to the device profiles and their details as you would with any other policy.

+Keep in mind that you can only have one of each device profile in your Azure Active Directory organization ("tenant"). For example, you can't request that the Sensitive data device profile disables AppLocker for only some of your users. All devices with the sensitive data device profile must have the same configuration.

+This article provides details about which regions support Microsoft Managed Desktop.

+You can still use managed devices outside of these regions without interruption to the Microsoft Managed Desktop service. For example, an employee in the United Kingdom can work securely and receive updates on their managed device while traveling to Asia, Europe, or South America.

+For more information about languages supported by Microsoft Managed Desktop, see [Localize devices for users](../get-started/localization.md).

+## Service availability

+If you're enrolling devices yourself, follow the steps in [Manual registration](../get-started/manual-registration.md), and then add them to the **Modern Workplace Devices - Shared Device Mode** group.

+If you're having a partner enroll devices, follow the steps in [Partner registration](../get-started/partner-registration.md), but append **-Shared** to the group tag, as shown in the following table:

+Microsoft Managed Desktop disables Company Portal by default for devices in shared device mode. If you want the Company Portal enabled, you can file a [change request](../working-with-managed-desktop/admin-support.md). However, you should be aware of some limitations in this feature in this public preview:

+### Redeployment of Microsoft 365 Apps for Enterprise

+To move separate devices to different profiles, you'll need to repeat this process for each device profile.

+The following are the statuses you'll see for each deployment.

+As an example, we'll use a desktop background picture in these instructions. After you've staged a deployment, you deploy changes from the Deployment status page.

+> The orange caution icon indicates there is a previous group available for deployment as it's recommended to roll out in order.

+After you've deployed a change, you can revert from **Deployment status**. When you revert a change that is **In progress** or **Complete**, the current deployment stops. The setting will revert to the last version that was deployed to all groups.

+As an example, we'll revert the desktop background picture.

+description: This article describes the Device inventory report

+| Other | The label aggregates several error states that can occur, typically during device registration. For more information, see [Troubleshooting device registration](../get-started/manual-registration.md#troubleshooting-device-registration). |

+You can remove devices from Microsoft Managed Desktop management by using the Admin portal. This action is permanent, but you can register them with Microsoft Managed Desktop again by following the [manual registration steps](../get-started/manual-registration.md).

+If you donΓÇÖt already have Microsoft Defender for Business, you can choose from several options:

+- [Work with a Microsoft solution provider](#work-with-a-microsoft-solution-provider)

+- [Sign up for the preview program](#sign-up-for-the-preview-program)

+If you have signed up for a trial, after you receive your acceptance email, you can [activate your trial](#activate-your-trial), [view and manage users](#view-and-manage-users), and then proceed to your [next steps](#next-steps).

+## Work with a Microsoft Solution Provider

+Microsoft has a list of solution providers who are authorized to sell offerings, including Microsoft Defender for Business.

+To find a solution provider in your area, take the following steps:

+1. Go to the **Microsoft Solution Providers** page ([https://www.microsoft.com/solution-providers](https://www.microsoft.com/solution-providers)).

+

+2. In the search box, fill in your location and company size.

+3. In the **Search for products, services, skills, industries** box, put `Microsoft 365`, and then select **Go**.

+4. Review the list of results. Select a provider to learn more about their expertise and the services they provide. Your provider can help you sign up for Defender for Business.

+## Sign up for the preview program

+ Participating in the preview program enables you to try out Defender for Business before it becomes generally available. The preview program is available to:

+Here's how to sign up:

+| The Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)) | Use the Microsoft 365 admin center activate your trial and sign in for the first time.<br/><br/> You'll also use the Microsoft 365 admin center to: <br/>- Add or remove users<br/>- Assign user licenses<br/>- View your products and services<br/>- Complete setup tasks for your Microsoft 365 subscription <br/><br/> To learn more, see [Overview of the Microsoft 365 admin center](../../admin/admin-overview/admin-center-overview.md). |

+| The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | Use the Microsoft 365 Defender portal to set up and configure Defender for Business. <br/><br/>You'll use the Microsoft 365 Defender portal to: <br/>- View your devices and device protection policies<br/>- View detected threats and take action<br/>- View security recommendations and manage your security settings <br/><br/>To learn more, see [Get started using the Microsoft 365 Defender portal](mdb-get-started.md). |

+If your organization is using Microsoft 365 Business Premium, then you have Microsoft Intune (part of Microsoft Endpoint Manager), and you might be using the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com/](https://endpoint.microsoft.com/)). Endpoint Manager enables you to manage devices and configure security settings as well. To learn more, see [Microsoft Intune is an MDM and MAM provider for your devices](/mem/intune/fundamentals/what-is-intune).

+## Activate your trial

+When you receive your acceptance email, here's how to activate your trial of Defender for Business.

+1. In your acceptance email, select the link that includes your promo code.

+2. If you already have a Microsoft 365 subscription, sign in using your account. If you don't already have a subscription, follow the prompts to create a new account.

+3. When you sign in for the first time, you'll go to the Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)). See [Overview of the Microsoft 365 admin center](../../admin/admin-overview/admin-center-overview.md).

+4. If you're setting up things for the first time, select **Go to guided setup** and complete the following steps:

+ a. Install your Office apps or choose **Continue** to skip this step for now.

+ b. If your company has a domain, you can add it now (this option is recommended). Alternately, you could choose to use your default `.onmicrosoft.com` domain for now.

+ c. Add users and assign licenses. Each user you list will be assigned a license automatically.

+- [Set up and configure Microsoft Defender for Business (preview)](mdb-setup-configuration.md).

+ Title: View and edit your security settings in Microsoft Defender for Business

+# View and edit your security policies and settings in Microsoft Defender for Business (preview)

+## Overview

+After you've onboarded your organization's devices to Microsoft Defender for Business (preview), your next step is to view and if necessary, edit your security policies and settings. Security policies include:

+- **[Next-generation protection policies](#view-or-edit-your-next-generation-protection-policies)**, which determine antivirus and antimalware protection for your organization's devices

+- **[Firewall protection and rules](#view-or-edit-your-firewall-policies-and-custom-rules)**, which determine what network traffic is allowed to flow to or from your organization's devices

+- **[Web content filtering](#set-up-web-content-filtering)**, which prevents people from visiting certain websites (URLs) based on categories, such as adult content or legal liability.

+In Defender for Business (preview), security policies are applied to devices through [device groups](mdb-create-edit-device-groups.md#what-is-a-device-group).

+In addition to your security policies, you can [view and edit settings](#view-and-edit-other-settings-in-the-microsoft-365-defender-portal), such as which time zone to use in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and whether to receive preview features as they become available.

+Use this article as a guide to managing your security policies and settings.

+## What to do

+1. [Choose where to manage your security policies and devices](#choose-where-to-manage-security-policies-and-devices).

+2. [View or edit your next-generation protection policies](#view-or-edit-your-next-generation-protection-policies).

+3. [View or edit your firewall policies and custom rules](#view-or-edit-your-firewall-policies-and-custom-rules).

+4. [Set up web content filtering](#set-up-web-content-filtering).

+5. [View and edit other settings in the Microsoft 365 Defender portal](#view-and-edit-other-settings-in-the-microsoft-365-defender-portal).

+6. [Proceed to your next steps](#next-steps).

+Defender for Business (preview) features a [simplified configuration process](mdb-simplified-configuration.md) that helps streamline the setup and configuration process. If you select the simplified configuration process, you can view and manage your security policies in the Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)). However, you're not limited to this option. If you've been using Microsoft Endpoint Manager (which includes Microsoft Intune), you can keep using your Endpoint Manager.

+| **Use the Microsoft 365 Defender portal** (*recommended*) | The Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)) can be your one-stop shop for managing your organization's devices, security policies, and security settings. You can access your security policies and settings, use your [Threat & Vulnerability Management dashboard](mdb-view-tvm-dashboard.md), and [view and manage incidents](mdb-view-manage-incidents.md) all in one place. |

+| **Use Microsoft Endpoint Manager** | If your organization is already using Endpoint Manager (which includes Microsoft Intune) to manage security policies, you can continue using Endpoint Manager to manage devices and security policies. To learn more, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy). <br/><br/>If you decide to switch to the [simplified configuration process in Defender for Business](mdb-simplified-configuration.md) to use the Microsoft 365 Defender portal instead, you'll be prompted to delete any existing security policies in Endpoint Manager to avoid [policy conflicts](mdb-troubleshooting.yml) later. |

+> [!NOTE]

+> If you are managing our security policies in the Microsoft 365 Defender portal, you can *view* those policies in Endpoint Manager, listed as Antivirus or Firewall policies. When you view your firewall policies in Endpoint Manager, you'll see two policies listed: one policy for your firewall protection, and another for custom rules.

+## View or edit your next-generation protection policies

+Depending on whether you're using the Microsoft 365 Defender portal or Microsoft Endpoint Manager to manage your next-generation protection policies, use one of the procedures in the following table: <br/><br/>

+| Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in. <br/><br/>2. In the navigation pane, choose **Device configuration**. Policies are organized by operating system and policy type.<br/><br/>3. Select an operating system tab (such as **Windows clients**).<br/><br/>4. Expand **Next-generation protection** to view your list of policies.<br/><br/>5. Select a policy to view more details about the policy. To make changes or to learn more about policy settings, see the following articles: <br/>- [View or edit device policies](mdb-view-edit-policies.md)<br/>- [Understand next-generation configuration settings](mdb-next-gen-configuration-settings.md) |

+| Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) | 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. You're now in the Microsoft Endpoint Manager admin center.<br/><br/>2. Select **Endpoint security**.<br/><br/>3. Select **Antivirus** to view your policies in that category. <br/><br/>To get help managing your security settings in Microsoft Endpoint Manager, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security). |

+## View or edit your firewall policies and custom rules

+Depending on whether you're using the Microsoft 365 Defender portal or Microsoft Endpoint Manager to manage your firewall protection, use one of the procedures in the following table: <br/><br/>

+| Portal | Procedure |

+|:|:|

+| Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in. <br/><br/>2. In the navigation pane, choose **Device configuration**. Policies are organized by operating system and policy type.<br/><br/>3. Select an operating system tab (such as **Windows clients**).<br/><br/>4. Expand **Firewall** to view your list of policies.<br/><br/>5. Select a policy to view more details about the policy. To make changes or to learn more about policy settings, see the following articles: <br/>- [View or edit device policies](mdb-view-edit-policies.md)<br/>- [Firewall settings](mdb-firewall.md)<br/>- [Manage your custom rules for firewall policies](mdb-custom-rules-firewall.md) |

+| Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) | 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. You're now in the Microsoft Endpoint Manager admin center.<br/><br/>2. Select **Endpoint security**.<br/><br/>3. Select **Firewall** to view your policies in that category. Custom rules that are defined for firewall protection are listed as separate policies.<br/><br/>To get help managing your security settings in Microsoft Endpoint Manager, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security). |

+## Set up web content filtering

+Web content filtering enables your security team to track and regulate access to websites based on their content categories, such as:

+- Adult content: Sites that are related to cults, gambling, nudity, pornography, sexually explicit material, or violence

+- High bandwidth: Download sites, image sharing sites, or peer-to-peer hosts

+- Legal liability: Sites that include child abuse images, promote illegal activities, foster plagiarism or school cheating, or that promote harmful activities

+- Leisure: Sites that provide web-based chat rooms, online gaming, web-based email, or social networking

+- Uncategorized: Sites that have no content or that are newly registered

+Not all of the websites in these categories are malicious, but they could be problematic for your organization because of compliance regulations, bandwidth usage, or other concerns. In addition, you can create an audit-only policy to get a better understanding of whether your security team should block any website categories.

+Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome, Firefox, Brave, and Opera). For more information see [Prerequisites for web content filtering](../defender-endpoint/web-content-filtering.md#prerequisites).

+### To set up web content filtering

+1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), choose **Settings** > **Web content filtering** > **+ Add policy**.

+2. Specify a name and description for your policy.

+3. Select categories to block. Use the expand icon to fully expand each parent category and select specific web content categories.

+ To set up an audit-only policy that does not block any websites, do not select any categories.

+ Do not select **Uncategorized**.

+4. Specify the policy scope by selecting device groups to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories.

+5. Review the summary and save the policy. The policy refresh might take up to 2 hours to apply to your selected devices.

+> [!TIP]

+> To learn more about web content filtering, see [Web content filtering](../defender-endpoint/web-content-filtering.md).

+> You might see more settings in your tenant than are listed in this article. This article highlights the most important settings that you should review in Defender for Business (preview).

+1. See your options for [onboarding devices](#device-onboarding-methods), and select one of the following methods:

+ - [Automatic onboarding for Windows devices enrolled in Microsoft Endpoint Manager](#automatic-onboarding-for-windows-devices-enrolled-in-microsoft-endpoint-manager)

+ - [Microsoft Defender for Business security configuration](#microsoft-defender-for-business-security-configuration)

+ - [Microsoft Endpoint Manager (Microsoft Intune)](#microsoft-endpoint-manager)

+ - [Local script for evaluating Defender for Business](#local-script-in-defender-for-business)

+2. [Run a detection test](#run-a-detection-test) for newly onboarded Windows devices.

+3. [See your next steps](#next-steps).

+| Onboarding method | Description | OS |

+||||

+| **Automatic onboarding**<br/>(*available to customers who are already using Microsoft Endpoint Manager*) | Automatic onboarding sets up a connection between Defender for Business (preview) and Microsoft Endpoint Manager, and then onboards Windows devices to Defender for Business (preview). In order to use this option, your devices must already be enrolled in Endpoint Manager.<br/><br/>To learn more, see [Use automatic onboarding for Windows devices enrolled in Microsoft Endpoint Manager](#automatic-onboarding-for-windows-devices-enrolled-in-microsoft-endpoint-manager). | Windows |

+| **Microsoft Defender for Business security configuration** <br/>(*uses the Microsoft 365 Defender portal*) | To use this option, you configure certain settings to facilitate communication between Defender for Business and Endpoint Manager. Then, you onboard devices in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com) by using a package that you download and run on each device. A trust is established between devices and Azure Active Directory (Azure AD), and Defender for Business security policies are pushed to devices.<br/><br/>To learn more, see [Microsoft Defender for Business security configuration](#microsoft-defender-for-business-security-configuration). | Windows <br/>macOS<br/>Linux |

+| **Microsoft Intune** or **Microsoft Endpoint Manager**<br/>(*available to customers who are using Microsoft Intune or Endpoint Manager*) | [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Mobile Device Management](/mem/intune/enrollment/device-enrollment) are part of Endpoint Manager. If you were already using Endpoint Manager before you got Defender for Business (preview), you can opt to continue using Endpoint Manager to onboard and manage devices<br/><br/>To use this method, see [Microsoft Endpoint Manager](#microsoft-endpoint-manager). | Windows <br/>macOS<br/>Linux<br/>iOS<br/>Android OS |

+| **Local script** <br/>(*for evaluating Defender for Business*) | This option enables you to onboard individual devices to Defender for Business manually. It's not recommended for a production deployment, but is useful for evaluating how Defender for Business will work in your environment on up to 10 devices per script.<br/><br/>To learn more, see [Local script in Defender for Business](#local-script-in-defender-for-business). | Windows <br/>macOS <br/>Linux |

+The automatic onboarding option applies to Windows devices only. Automatic onboarding is available if your organization was already using Microsoft Endpoint Manager, Microsoft Intune, or Mobile Device Management (MDM) in Microsoft Intune before you got Defender for Business (preview), and you already have Windows devices enrolled in Endpoint Manager.

+If Windows devices are already enrolled in Endpoint Manager, Defender for Business will detect those devices while you are in the process of setting up and configuring Defender for Business. You'll be asked if you want to use automatic onboarding for all or some of your Windows devices. You can onboard all Windows devices at once, or select specific devices to start with, and then add more later.

+To learn more about automatic onboarding, see step 3 in [Use the wizard to set up Microsoft Defender for Business (preview)](mdb-use-wizard.md).

+## Microsoft Defender for Business security configuration

+> [!NOTE]

+> If you're already using Endpoint Manager to manage your devices and security policies, skip this method, and see [Microsoft Endpoint Manager](#microsoft-endpoint-manager) instead.

+Microsoft Defender for Business security configuration was built on a capability known as [Security Management for Microsoft Defender for Endpoint (preview)](/mem/intune/protect/mde-security-integration). It enables you to onboard devices to Defender for Business in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) without requiring those devices to be fully enrolled in Microsoft Endpoint Manager beforehand.

+This method enables you to onboard devices and manage your antivirus and firewall policies in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Here's how it works:

+1. You download an onboarding package from the Microsoft 365 Defender portal, and then run the package on your devices to onboard those devices to Defender for Business.

+2. Running the package establishes a trust between each device (if the trust doesn't already exist) and Azure Active Directory (Azure AD).

+3. Devices communicate with Endpoint Manager using their Azure AD Identity, and security policies in Defender for Business are pushed to devices.

+4. You can view your devices and policies in both the Microsoft 365 Defender portal and the Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)).

+To use this option, certain settings must be configured beforehand. To learn more, including prerequisites and supported operating systems, see [Manage Microsoft Defender for Endpoint on devices with Microsoft Endpoint Manager](/mem/intune/protect/mde-security-integration).

+## Microsoft Endpoint Manager

+If you were already using Endpoint Manager (which includes Microsoft Intune and Mobile Device Management), before you got Defender for Business (preview), you can continue to use Endpoint Manager to onboard your organization's devices. With Endpoint Manager, you can onboard computers, tablets, and phones, including iOS and Android devices.

+## Local script in Defender for Business

+You can use a local script to onboard some Windows, macOS, and Linux devices to evaluate how Defender for Business will work for you. When you run the onboarding script on a device, it creates a trust with Azure Active Directory, enrolls the device in Microsoft Endpoint Manager, and onboards the device to Defender for Business. This method is useful for onboarding devices in Defender for Business and for onboarding a few devices at a time. Each script can be used on up to 10 devices.

+> [!NOTE]

+> This method is not recommended for production deployment, but is useful for onboarding up to 10 devices per script.

+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.

+2. In the navigation pane, choose **Settings** > **Endpoints**, and then under **Device management**, choose **Onboarding**.

+3. Select an operating system, such as **Windows 10 and 11**, and then, under **Onboard a device**, in the **Deployment method** section, choose **Local script**.

+4. Select **Download onboarding package**. We recommend saving the onboarding package to a removable drive.

+5. Follow the guidance in the following articles:

+ - Windows devices: [Onboard Windows devices using a local script](../defender-endpoint/configure-endpoints-script.md#onboard-devices)

+ - macOS devices: [Manual deployment for Microsoft Defender for Endpoint on macOS](../defender-endpoint/mac-install-manually.md#client-configuration)

+ - Linux devices: [Deploy Microsoft Defender for Endpoint on Linux manually](../defender-endpoint/linux-install-manually.md#client-configuration)

+7. Run the script on each device that you want to offboard. Need help with this task? See the following resources:

+| Onboard devices using a local script | In Defender for Business (preview), you can onboard Windows 10 and 11 devices using a script that you download and run on each device. The script creates a trust with Azure Active Directory (Azure AD) and enrolls the device with Microsoft Intune. To learn more, see [Local script in Defender for Business](mdb-onboard-devices.md#local-script-in-defender-for-business). |

+2. **Onboard and configure Windows devices**. In this step, you can onboard your organization's Windows devices to Defender for Business quickly. Onboarding devices right away helps to protect those devices from day one. See [Onboard devices to Microsoft Defender for Business (preview)](mdb-onboard-devices.md) for more details.

+3. **Configure your security policies**. Defender for Business includes default security policies for next-generation protection and firewall protection that can be applied to your organization's devices. These default policies use recommended settings and are designed to provide strong protection for your devices.

+ You can also create your own security policies if you wish. And, if you're already using Endpoint Manager, you can continue using that to manage your security policies.

+ To learn more, see [View and edit your security policies and settings](mdb-configure-security-settings.md).

+- [Set up email notifications for your security team](mdb-email-notifications.md)

+- [Use your Threat & Vulnerability Management dashboard](mdb-view-tvm-dashboard.md)

+#### [Configure general Defender for Endpoint settings](preferences-setup.md)

+###### [Live response library]()

+####### [Live response library methods and properties](live-response-library-methods.md)

+####### [List library files](list-library-files.md)

+####### [Upload to live response library](upload-library.md)

+####### [Delete from library](delete-library.md)

+By default, MSSP customers access their Microsoft 365 Defender tenant through the following URL: `https://security.microsoft.com/`.

+MSSPs however, will need to use a tenant-specific URL in the following format: `https://security.microsoft.com?tid=customer_tenant_id` to access the MSSP customer portal.

+4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://security.microsoft.com/?tid=customer_tenant_id`.

+If you have feedback or suggestions that would help us improve the Microsoft Defender for Endpoint client analyzer, please use the following link to submit feedback:

+Microsoft 365 Defender portal (security.microsoft.com):

+

+ Title: Delete a file from the live response library

+description: Learn how to delete a file from the live response library.

+keywords: apis, graph api, supported apis, delete from library

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+- NOCSH

+localization_priority: normal

+audience: ITPro

+- M365-security-compliance

+MS.technology: mde

+# Delete a file from the live response library

+**Applies to:**

+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)

+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

+## API description

+Delete a file from live response library.

+## Limitations

+1. Rate limitations for this API are 100 calls per minute and 1500 calls per

+ hour.

+## Permissions

+One of the following permissions is required to call this API. To learn more,

+including how to choose permissions, see [Get started](apis-intro.md).

+| Permission type | Permission | Permission display name |

+||-|--|

+| Application | Library.Manage | Manage live response library |

+| Delegated (work or school account) | Library.Manage | Manage live response library |

+## HTTP request

+DELETE https://api.securitycenter.microsoft.com/api/libraryfiles/{fileName}

+## Request headers

+| Name | Type | Description |

+|--|--||

+| Authorization | String | Bearer\<token>\. Required. |

+## Request body

+Empty

+## Response

+- If file exists in library and deleted successfully 204 No Content.

+- If specified file name was not found 404 Not Found.

+## Example

+Request

+Here is an example of the request.

+```HTTP

+DELETE https://api.securitycenter.microsoft.com/api/libraryfiles/script1.ps1

+```

+## Related topic

+- [Run live response](run-live-response.md)

+> EDR in block mode can be turned on only in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, and is applied tenant wide. You cannot set EDR in block mode to target specific device groups or users. You cannot use registry keys, Microsoft Intune, or Group Policy to enable or disable EDR in block mode.

+The best way for technology partners to certify that their integration works is to have a joint customer approve the suggested integration design (the customer can use the **Recommend a partner** option \(Partners and API > Partner applications\) in the [Partner Application page](https://security.microsoft.com/interoperability/partnersapps) in the Microsoft 365 Defender and have it tested and demoed to the Microsoft Defender for Endpoint team.

+|Quarantine management|Restore a file from the quarantine|`mdatp threat quarantine restore --id [threat-id] --path [destination-folder]`|

+## 101.58.80 (30.122012.15880.0)

+- The command-line tool now supports restoring quarantined files to a location other than the one where the file was originally detected. This can be done through `mdatp threat quarantine restore --id [threat-id] --path [destination-folder]`.

+- Bug fixes

+ Title: List library files

+description: Learn how to list live response library files.

+keywords: apis, graph api, supported apis, get, devices

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+- NOCSH

+localization_priority: normal

+audience: ITPro

+- M365-security-compliance

+MS.technology: mde

+# List library files

+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)

+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

+## API description

+List live response library files.

+## Limitations

+1. Rate limitations for this API are 100 calls per minute and 1500 calls per

+ hour.

+## Permissions

+One of the following permissions is required to call this API. To learn more,

+including how to choose permissions, see [Get

+started](apis-intro.md).

+|Permission type | Permission | Permission display name |

+|--|--||

+| Application | Library.Manage | Manage live response library |

+| Delegated (work or school account) | Library.Manage | Manage live response library |

+## HTTP request

+```HTTP

+GET https://api.securitycenter.microsoft.com/api/libraryfiles

+```

+## Request headers

+| Name | Type | Description

+|--|--||

+| Authorization | String | Bearer {token}. Required. |

+## Request body

+Empty

+## Response

+If successful, this method returns 200 - OK response code with a collection

+ of live response library file entities.

+## Example

+**Request**

+Here is an example of a request that gets all live response library files

+```HTTP

+GET https://api.securitycenter.microsoft.com/api/libraryfiles

+```

+## Response example

+Here is an example of the response.

+```JSON

+HTTP/1.1 200 Ok

+Content-type: application/json

+{

+"\@odata.context": "https://api.securitycenter.microsoft.com

+/api/\$metadata\#LibraryFiles",

+"value": [

+ {

+ "fileName": "script1.ps1",

+ "sha256": "6e212a0db618507c44e4ec8ee7499dfef7e5767e5f8d31144df3b96fd1145caf",

+ "description": null,

+ "creationTime": "2019-10-24T10:54:23.2009016Z",

+ "lastUpdatedTime": "2019-10-24T10:54:23.2009016Z",

+ "createdBy": "admin",

+ "hasParameters": true,

+ "parametersDescription": "test"

+ },

+ {

+ "fileName": "script.sh",

+ "sha256": "d0f3e3b0641dbf88ee39c822516e81a909d1d06d22341dd9b1f12aa5e5c027a2",

+ "description": null,

+ "creationTime": "2018-10-24T11:15:35.3688259Z",

+ "lastUpdatedTime": "2018-10-24T11:15:35.3688259Z",

+ "createdBy": "username",

+ "hasParameters": false

+ },

+ {

+ "fileName": "memdump.exe",

+ "sha256": "fa70b87730290c0d30fe255d1dfb65de82f96286ebfeeb1d88ed3cc831329825",

+ "description": "Process memory dump",

+ "creationTime": "2018-10-24T10:54:23.2009016Z",

+ "lastUpdatedTime": "2018-10-24T10:54:23.2009016Z",

+ "createdBy": "admin",

+ "hasParameters": false

+ }

+]

+}

+```

+## Related topic

+- [Run live response](run-live-response.md)

+ Title: Live response library methods and properties

+description: Learn how to use the live response library methods and properties.

+keywords: apis, graph api, supported apis, get, devices

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+- NOCSH

+localization_priority: normal

+audience: ITPro

+- M365-security-compliance

+ms.technology: m365d

+# Live response library methods and properties

+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)

+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

+## Methods

+| **Method** | **Return Type** | **Description** |

+||-|--|

+| List library files | Library file collection | List library file entities |

+| Upload to library | Library file entity | Upload a file to live response library |

+| Delete from library | No content | Delete library file entity |

+## Properties

+| **Property** | **Type** | **Description** |

+|--|-|--|

+| Commands | Live Response command collection | Array of Command objects. See [live response commands](live-response.md#live-response-commands). |

+ 

+[Configure Microsoft 365 Defender settings](https://sip.security.microsoft.com/settings) | Configure portal-related settings such as general settings, advanced features, or enable the preview experience.

+3. After the services are running on the device, the device appears in Microsoft 365 Defender portal.

+ > [](images/df0c64001b9219cfbd10f8f81a273190.png#lightbox)

+ Title: Configure general Defender for Endpoint settings

+# Configure general Defender for Endpoint settings

+The software inventory in threat and vulnerability management is a list of known software in your organization. The default filter on the software inventory page displays all software with official [Common Platform Enumerations (CPE)](https://nvd.nist.gov/products/cpe). The view includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices.

+You can remove the **CPE Available** filter, to gain further visibility and increase your search scope across all installed software in your organization. This means all software, including software without a CPE, will now display in the software inventory list.

+> [!NOTE]

+> As CPEs are used by vulnerability management to identify the software and any vulnerabilities, even though software products without a CPE will be shown in the software inventory page, they will not be supported by threat and vulnerability management and information like, exploits, number of exposed devices, and weaknesses won't be available for them.

+Access the software inventory page by selecting **Software inventory** from the threat and vulnerability management navigation menu in the [Microsoft 365 Defender portal](portal-overview.md).

+By default, the view is filtered by **Product Code (CPE): Available**. You can also filter the list view based on weaknesses found in the software, threats associated with them, and tags like whether the software has reached end-of-support.

+Software that isn't currently supported by threat & vulnerability management may be present in the software inventory page. Because it is not supported, only limited data will be available. Filter by unsupported software with the "Not available" option in the "Weakness" section.

+Software may be visible at the device level even if it's currently not supported by threat and vulnerability management. However, only limited data will be available. You'll know if software is unsupported because it will say "Not available" in the "Weakness" column.

+See evidence of where we detected a specific software on a device from the registry, disk, or both. You can find it on any device in the device software inventory.

+- Side panel with vendor information, prevalence of the software in the organization (including number of devices it's installed on, and exposed devices that aren't patched), whether and exploit is available, and impact to exposure score.

+Report an inaccuracy when you see vulnerability information and assessment results that are incorrect.

+3. From the flyout pane, choose an issue to report from:

+ - a software detail is wrong

+ - the software is not installed on any device in my org

+ - the number of installed or exposed devices is wrong

+4. Fill in the requested details about the inaccuracy. This will vary depending on the issue you're reporting.

+

+5. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts.

+ Title: Upload files to the live response library

+description: Learn how to upload a file to the live response library.

+keywords: apis, graph api, supported apis, upload to library

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+- NOCSH

+localization_priority: normal

+audience: ITPro

+- M365-security-compliance

+MS.technology: mde

+# Upload files to the live response library

+**Applies to:**

+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)

+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

+## API description

+Upload file to live response library.

+## Limitations

+1. File max size limitation is 20MB.

+2. Rate limitations for this API are 100 calls per minute and 1500 calls per

+ hour.

+## Permissions

+One of the following permissions is required to call this API. To learn more,

+including how to choose permissions, see [Get started](apis-intro.md).

+| Permission type | Permission | Permission display name |

+||-|--|

+| Application | Library.Manage | Manage live response library |

+| Delegated (work or school account) | Library.Manage | Manage live response library |

+## HTTP request

+Upload

+```HTTP

+POST https://api.securitycenter.microsoft.com/api/libraryfiles

+```

+## Request headers

+| Name | Type | Description |

+|--|--|--|

+| Authorization | String | Bearer\<token>. Required. |

+| Content-Type | string | multipart/form-data. Required. |

+## Request body

+In the request body, supply a form-data object with the following parameters:

+| Parameter | Type | Description |

+|--|--||

+| File | File content | The file to be uploaded to live response library.Required |

+| Description | String | Description of the file. |

+| ParametersDescription | String | (Optional) Parameters required for the script to run. Default value is an empty string. |

+| OverrideIfExists | Boolean | (Optional) Whether to override the file if it already exists. Default value is an empty string. |

+## Response

+- If successful, this method returns 200 - OK response code and the uploaded

+ live response library entity in the response body.

+- If not successful: this method returns 400 - Bad Request.

+ Bad request usually indicates incorrect body.

+## Example

+Request

+Here is an example of the request using curl.

+```CURL

+curl -X POST https://api.securitycenter.microsoft.com/api/libraryfiles -H

+"Authorization: Bearer \$token" -F "file=\@mdatp1.png" -F

+"ParametersDescription=test"

+-F "HasParameters=true" -F "OverrideIfExists=true" -F "Description=test

+description"

+```

+## Related topic

+- [Run live response](run-live-response.md)

+| `ProductCodeCpe` | `string` | CPE of the software product or 'not available' where there is no CPE |

+The **Incident queue** shows a collection of incidents that were created across devices, users, and mailboxes. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision, a process known as incident triage.

+The incident queue also provides multiple filtering options, that when applied, enable you to perform a broad sweep of all existing incidents in your environment, or decide to focus on a specific scenario or threat. Applying filters on the incident queue can help determine which incident requires immediate attention.

+The **Filters** list above the list of incidents shows the currently applied filters.

+From the default incident queue, you can select **Filter** to see a **Filter** pane, from which you specify a filtered set of incidents. Here's an example.

+You can also see the **Filter** pane by selecting any of the filters in the **Filters** list above the list of incidents.

+| Incident assignment | Select the assigned user or users. |

+| Service sources | Specify incidents that contain alerts from: App Governance, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps. |

+| Entities | Specify the name of an asset such as a user, device, mailbox, or application name. |

+| Data sensitivity | Some attacks focus on targeting to exfiltrate sensitive or valuable data. By applying a filter for specific sensitivity labels, you can quickly determine if sensitive information has potentially been compromised and prioritize addressing those incidents. <br><br> This filter is only available if Microsoft Information Protection is turned on. |

+| Device groups | Specify a [device group](/windows/security/threat-protection/microsoft-defender-atp/machine-groups) name. |

+| OS platform | Specify device operating systems. |

+| Classification | Specify the set of classifications of the related alerts. |

+| Automated investigation state | Specify the status of automated investigation. |

+| Associated threat | Specify a named threat. |

+| Actors | Specify a named threat actor. |

+The default filter is to show all alerts and incidents with a status of **New** and **In progress** and with a severity of **Low**, **Medium**, or **High**.

+You can quickly remove a filter by selecting the **X** in the name of a filter in the **Filters** list.

+## Save custom filters as URLs

+## Search for incidents

+From the **Search for name or ID** box above the list of incidents, you can type the incident ID or the incident name. When you select an incident from the list of search results, the Microsoft 365 Defender portal opens a new tab with the properties of the incident, from which you can start your [investigation](investigate-incidents.md).

+## Search for impacted assets

+You can name an asset&mdash;such as a user, device, mailbox, or application name&mdash;and find all the related incidents.

+## Specify a time range

+The default list of incidents is for those that occurred in the last six months. You can specify a new time range from the drop-down box next to the calendar icon by selecting:

+ - 1 day

+ - 3 days

+ - 1 week

+ - 30 days

+ - 30 days

+ - 6 months

+ - A custom range in which you can specify both dates and times

+Throughout an alert page, you can select the ellipses (**...**) beside any entity to see available actions, such as linking the alert to another incident. The list of available actions depends on the type of alert.

+To manage an alert, select **Manage alert** in the summary details section of the alert page. For a single alert, here's an example of the **Manage alert** pane.

+- The alert's classification:

+ - **Not set** (the default).

+ - **True positive** with a type of threat. Use this classification for alerts that accurately indicate a real threat. Specifying the threat type helps your security team see threat patterns and act to defend your organization from them.

+ - **Informational, expected activity** with a type of activity. Use the options in this category to classify alerts for security tests, red team activity, and expected unusual behavior from trusted apps and users.

+ - **False positive** for types of alerts that were created even when there is no malicious activity. Classifying alerts as false positive helps Microsoft 365 Defender improve its detection quality.

+To manage a *set of alerts similar to a specific alert*, select **View similar alerts** in the **INSIGHT** box in the summary details section of the alert page.

+From the **Manage alerts** pane, you can then classify all of the related alerts at the same time. Here's an example.

+If similar alerts were already classified in the past, you can save time by using Microsoft 365 Defender recommendations to learn how the other alerts were resolved. From the summary details section, select **Recommendations**.

+The **Recommendations** tab provides next-step actions and advice for investigation, remediation, and prevention. Here's an example.

+Once you're done analyzing an alert and it can be resolved, go to the **Manage alert** pane for the alert or similar alerts and mark the status as **Resolved** and then classify it as a **True positive** with a type of threat, an **Informational, expected activity** with a type of activity, or a **False positive**.

+Classifying alerts helps Microsoft 365 Defender improve its detection quality.

+- The source of the alerts (Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Defender for Cloud Apps, and the app governance add-on).

+You can select the check mark for a device to see details of the device, directory data, active alerts, and logged on users. Select the name of the device to see device details in the Defender for Endpoint device inventory. Here's an example.

+> You can do on-demand scans on a device page. In the Microsoft 365 Defender portal, choose **Endpoints > Device inventory**. Select a device that has alerts, and then run an antivirus scan. Actions, such as antivirus scans, are tracked and are visible on the **Device inventory** page. To learn more, see [Run Defender Antivirus scan on devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#run-microsoft-defender-antivirus-scan-on-devices).

+You can select the check mark for a mailbox to see a list of active alerts. Select the mailbox name to see additional mailbox details on the Explorer page for Defender for Office 365.

+The **Investigations** tab lists all the [automated investigations](m365d-autoir.md) triggered by alerts in this incident. Automated investigations will perform remediation actions or wait for analyst approval of actions, depending on how you configured your automated investigations to run in Defender for Endpoint and Defender for Office 365.

+- [Specify its classification](#specify-the-classification)

+## Specify the classification

+From the **Classification** field, you specify whether the incident is:

+- **Not set** (the default).

+- **True positive** with a type of threat. Use this classification for incidents that accurately indicate a real threat. Specifying the threat type helps your security team see threat patterns and act to defend your organization from them.

+- **Informational, expected activity** with a type of activity. Use the options in this category to classify incidents for security tests, red team activity, and expected unusual behavior from trusted apps and users.

+- **False positive** for types of incidents that you determine can be ignored because they are technically inaccurate or misleading.

+Classifying incidents and specifying their status and type helps tune Microsoft 365 Defender to provide better detection determination over time.

+For improvement actions in the "Device" category, you can't choose statuses. Instead, you'll be directed to the associated [threat and vulnerability management security recommendation](/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) in the Microsoft 365 Defender to take action. The exception you choose and justification you write will be specific to that portal. It won't be present in the Microsoft Secure Score portal.

+|Configuration, protection, and detection capabilities: <ul><li>[Safe Attachments](safe-attachments.md)</li><li>[Safe Links](safe-links.md)</li><li>[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md)</li><li>[Anti-phishing protection in Defender for Office 365](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>[Real-time detections](threat-explorer.md)</li></ul>|Defender for Office 365 Plan 1 capabilities <p> plus <p> Automation, investigation, remediation, and education capabilities: <ul><li>[Threat Trackers](threat-trackers.md)</li><li>[Threat Explorer](threat-explorer.md)</li><li>[Automated investigation and response](office-365-air.md)</li><li>[Attack simulation training](attack-simulation-training.md)</li><li>[Proactively hunt for threats with advanced hunting in Microsoft 365 Defender](../defender/advanced-hunting-overview.md)</li><li>[Investigate incidents in Microsoft 365 Defender](../defender/investigate-incidents.md)</li><li>[Investigate alerts in Microsoft 365 Defender](../defender/investigate-alerts.md)</li></ul>|

+|Configuration, protection, and detection capabilities: <ul><li>[Safe Attachments](safe-attachments.md)</li><li>[Safe Links](safe-links.md)</li><li>[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md)</li><li>[Anti-phishing protection in Defender for Office 365](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>[Real-time detections](threat-explorer.md)</li></ul>|Defender for Office 365 Plan 1 capabilities <p> plus <p> Automation, investigation, remediation, and education capabilities: <ul><li>[Threat Trackers](threat-trackers.md)</li><li>[Threat Explorer](threat-explorer.md)</li><li>[Automated investigation and response](office-365-air.md)</li><li>[Attack simulation training](attack-simulation-training.md)</li><li>[Proactively hunt for threats with advanced hunting in Microsoft 365 Defender](../defender/advanced-hunting-overview.md)</li><li>[Investigate incidents in Microsoft 365 Defender](../defender/investigate-incidents.md)</li><li>[Investigate alerts in Microsoft 365 Defender](../defender/investigate-alerts.md)</li></ul>|

+|**Communication Compliance**|Provides permission to all the communication compliance roles: administrator, analyst, investigator, and viewer.|Case Management <p> Communication Compliance Admin <p> Communication Compliance Analysis <p> Communication Compliance Case Management <p> Communication Compliance Investigation <p> Communication Compliance Viewer <p> Data Classification Feedback Provider <p> Data Connector Admin <p> View-Only Case|

+|**Communication Compliance Administrators**|Administrators of communication compliance that can create/edit policies and define global settings.|Communication Compliance Admin <p> Communication Compliance Case Management <p> Data Connector Admin|

+|**Compliance Administrator**¹|Members can manage settings for device management, data loss prevention, reports, and preservation.|Case Management <p> Communication Compliance Admin <p> Communication Compliance Case Management <p> Compliance Administrator <p> Compliance Search <p> Data Classification Feedback Provider <p> Data Classification Feedback Reviewer <p> Data Connector Admin <p> Data Investigation Management <p> Device Management <p> Disposition Management <p> DLP Compliance Management <p> Hold <p> IB Compliance Management <p> Information Protection Admin <p> Information Protection Analyst <p> Information Protection Investigator <p> Information Protection Reader <p> Insider Risk Management Admin <p> Manage Alerts <p> Organization Configuration <p> RecordManagement <p> Retention Management <p> View-Only Audit Logs <p> View-Only Case <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|

+|**Compliance Data Administrator**|Members can manage settings for device management, data protection, data loss prevention, reports, and preservation.|Compliance Administrator <p> Compliance Search <p> Data Connector Admin <p> Device Management <p> Disposition Management <p> DLP Compliance Management <p> IB Compliance Management <p> Information Protection Admin <p> Information Protection Analyst <p> Information Protection Investigator <p> Information Protection Reader <p> Manage Alerts <p> Organization Configuration <p> RecordManagement <p> Retention Management <p> Sensitivity Label Administrator <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|

+|**Compliance Manager Administrators**|Manage template creation and modification.|Compliance Manager Administration <p> Compliance Manager Assessment <p> Compliance Manager Contribution <p> Compliance Manager Reader <p> Data Connector Admin|

+|**Compliance Manager Assessors**|Create assessments, implement improvement actions, and update test status for improvement actions.|Compliance Manager Assessment <p> Compliance Manager Contribution <p> Compliance Manager Reader <p> Data Connector Admin|

+|**Compliance Manager Contributors**|Create assessments and perform work to implement improvement actions.|Compliance Manager Contribution <p> Compliance Manager Reader <p> Data Connector Admin|

+|**Insider Risk Management**|Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users.|Case Management <p> Data Connector Admin <p> Insider Risk Management Admin <p> Insider Risk Management Analysis <p> Insider Risk Management Audit <p> Insider Risk Management Investigation <p> Insider Risk Management Sessions <p> View-Only Case|

+|**Insider Risk Management Admins**|Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can create, read, update, and delete insider risk management policies, global settings, and role group assignments.|Case Management <p> Data Connector Admin <p> Insider Risk Management Admin <p> View-Only Case|

+|**Organization Management**¹|Members can control permissions for accessing features in the Security & Compliance Center, and also manage settings for device management, data loss prevention, reports, and preservation. <p> Users who are not global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). <p> Global admins are automatically added as members of this role group.|Audit Logs <p> Case Management <p> Communication Compliance Admin <p> Communication Compliance Case Management <p> Compliance Administrator <p> Compliance Search <p> Data Connector Admin <p> Device Management <p> DLP Compliance Management <p> Hold <p> IB Compliance Management <p> Insider Risk Management Admin <p> Manage Alerts <p> Organization Configuration <p> Quarantine <p> RecordManagement <p> Retention Management <p> Role Management <p> Search And Purge <p> Security Administrator <p> Security Reader <p> Sensitivity Label Administrator <p> Sensitivity Label Reader <p> Service Assurance View <p> Tag Contributor <p> Tag Manager <p> Tag Reader <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Case <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|

+|**Data Connector Admin**|Create and manage connectors to import and archive non-Microsoft data in Microsoft 365.|Communication Compliance <p> Communication Compliance Administrators <p> Compliance Administrator <p> Compliance Data Administrator <p> Compliance Manager Administrators <p> Compliance Manager Assessors <p> Compliance Manager Contributors <p> Insider Risk Management <p> Insider Risk Management Admins <p> Organization Management|

+For custom permissions, use the previous table to get the binary value that corresponds to the permissions you want. Convert the binary value to a decimal value and use the decimal value for the _EndUserQuarantinePermissionsValue_ parameter. Don't use the binary value for the parameter value.

+ - admindeeplinkSPO

+- Configure this in the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a> on the "device access' page ΓÇö "Control access from apps that don't use modern authentication." Choose Block.

+- admindeeplinkSPO

+1. Open the SharePoint admin center, expand **Policies**, and then select <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>.

+1. Under **Choose expiration and permissions options for Anyone links**, select the **These links must expire within this many days** check box.</br>

+1. Type a number of days in the box, and then click **Save**.

+1. Open the SharePoint admin center, expand **Sites**, and then select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>.

+1. Select the site you want to change, and then select **Sharing**.

+1. Under **Advanced settings for Anyone links**, under **Expiration of Anyone links**, clear the **Same as organization-level setting** check box.</br>

+1. Select the **These links must expire within this many days** option, and type a number of days in the box.

+1. Select **Save**.

+1. Open the SharePoint admin center, and select <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>.

+1. Under **Advanced settings for "Anyone" links**, select the file and folder permissions that you want to use.</br>

+1. Open the SharePoint admin center, and select <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>.

+1. Under **File and folder links**, select **Only people in your organization**.

+1. Select **Save**

+1. Open the SharePoint admin center, expand **Sites**, and then select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>.

+1. Select the site you want to change, and then select **Sharing**.

+1. Under **Default sharing link type**, clear the **Same as organization-level setting** check box.

+1. Select the **Only people in your organization** option, and then select **Save**.

+- admindeeplinkSPO

+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, in the left navigation pane, under **Admin centers**, select **SharePoint**.

+2. In the SharePoint admin center, in the left navigation pane, expand **Policies** and then select <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>.

+4. If you made changes, select **Save**.

+1. Go to <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a> in the SharePoint admin center.

+3. If you made changes, select **Save**.

+1. In the SharePoint admin center, in the left navigation pane, expand **Sites** and select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>.

+3. Select ... and choose **Sharing**.

+5. If you made changes, select **Save**.

+- admindeeplinkSPO

+1. In the Microsoft 365 admin center, in the left navigation pane, under **Admin centers**, select **SharePoint**.

+2. In the SharePoint admin center, in the left navigation pane, under **Policies**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>.

+4. If you made changes, select **Save**.

+1. In the SharePoint admin center, under **Sites**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>.

+2. Select **Create**.

+3. Select **Team site**.

+6. Select **Next**.

+7. Select **Finish**.

+1. In the SharePoint admin center, in the left navigation, expand **Sites** and select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>.

+3. Select ..., and select **Sharing**.

+5. If you made changes, select **Save**.

+2. Select **Members** link in the upper right which denotes the member count.

+3. Select **Add members**.

+4. Type the names or email addresses of the users that you want to invite to the site, and then select **Save**.

+- admindeeplinkSPO

+2. In the SharePoint admin center, in the left navigation pane, under **Policies**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>.

+4. If you made changes, select **Save**.

+1. Go to <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a> in the SharePoint admin center.

+1. In the SharePoint admin center, in the left navigation pane, expand **Sites** and select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>.

+- admindeeplinkSPO

+1. Open the SharePoint admin center, under **Policies**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>.

+1. Under **File and folder links**, select **Only people in your organization**.

+1. Select **Save**.

+- admindeeplinkSPO

+1. Open the SharePoint admin center, and under **Sites**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>.

+1. Select the site that is associated with team.

+1. On the **Policies** tab, under **External sharing**, select **Edit**.

+1. Under Default sharing link type, clear the **Same as organization-level setting** check box, and select **People with existing access**.

+1. Select **Save**.

+- admindeeplinkSPO

+1. Open the SharePoint admin center, and under **Sites**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>.

+1. Select the site that is associated with team.

+1. On the **Policies** tab, under **External sharing**, click **Edit**.

+1. Under Default sharing link type, clear the **Same as organization-level setting** check box, and select **Specific people (only the people the user specifies)**.

+1. Select **Save**.

+- admindeeplinkSPO

+1. In the SharePoint admin center, expand **Policies** and select <a href="https://go.microsoft.com/fwlink/?linkid=2185071" target="_blank">**Access control**</a>.

+2. Select **Unmanaged devices**.

+3. Select the **Allow limited, web-only access** option, and then select **Save**.

+- admindeeplinkSPO

+**Navigation:** SharePoint admin center > <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>

+**Navigation:** SharePoint admin center > <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>

+**Navigation:** SharePoint admin center > <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>

+**Navigation:** SharePoint admin center > <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a> > select the site > **Policies** tab > **Edit External sharing**

+**Navigation:** SharePoint admin center > <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a> > select the site > **Policies** tab > **Edit External sharing**

+- admindeeplinkSPO

+1. In the SharePoint admin center, under **Sites**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>.

+2. Select the site that you want to configure.

+3. On the **Policies** tab, under **External sharing** select **Edit**.

+5. Add the domains that you want to allow or block, and then select **Save**.

+6. Select **Save**.

+1. In the SharePoint admin center, under **Policies**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>.

+3. Select **Save**.

+1. In the SharePoint admin center, under **Sites**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>.

+2. Select the site that you want to configure.

+3. On the **Policies** tab, under **External sharing** select **Edit**.

+4. Under **External sharing**, choose **Only people in your organization**, and then select **Save**.

+1. In the SharePoint admin center, under **Policies**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>.

+3. Select **Save**.

+1. In the SharePoint admin center, under **Sites**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>.

+2. Select the site that you want to configure.

+3. On the **Policies** tab, under **External sharing** select **Edit**.

+4. Under **External sharing**, choose **New and existing guests**, and then select **Save**.

+- admindeeplinkSPO

+1. Open the SharePoint admin center, and under **Sites**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>.

+1. Select the site that is associated with team.

+1. On the **Policies** tab, under **Sensitivity**, select **Edit**.

+1. Select the label that you created, and then select **Save**.

+1. Open the SharePoint admin center, and under **Sites**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>

+1. Select the site that is associated with team.

+1. On the **Policies** tab, under **External sharing**, select **Edit**.

+1. If you allowed guest sharing when you created the sensitive label, ensure that **New and existing guests** is selected. If you didn't allow sharing when you created the label, choose **Only people in your organization**.

+1. Under Default sharing link type, clear the **Same as organization-level setting** check box, and select **People with existing access**.

+1. Select **Save**.

+1. In the SharePoint admin center, in the left navigation, select <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>.

+1. In the SharePoint admin center, in the left navigation, expand **Sites** and select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>.

+3. In the ribbon, select **Sharing**.

+5. If you made changes, select **Save**.

+1. In the SharePoint admin center, in the left navigation, select <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>

+1. In the SharePoint admin center, in the left navigation, under **Policies** select <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>.

+- admindeeplinkCOMPLIANCE

+- admindeeplinkSPO

+1. Open the SharePoint admin center, under **Sites**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>.

+1. Select the **Company Strategy** site.

+1. On the **Policies** tab, under **Sensitivity**, select **Edit**.

+1. Select the **Company Strategy** label, and then select **Save**.

+1. On the **Policies** tab, under **External sharing**, select **Edit**.

+1. Select **Save**.