Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
admin | Microsoft 365 Copilot Usage | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-365-copilot-usage.md | To make the data in the Copilot for Microsoft 365 report anonymous, you must be ### What's the difference between the user activity table and audit log? -The information captured in audit log records differs from that in [Microsoft 365 usage reports](#user-last-activity-table). It's important to note that audit logs are not designed for assessing user engagement in Microsoft 365, and they should not be used should not be used to replace or augment information in Microsoft 365 usage reports. To learn more about audit logs, see [Export, configure, and view audit log records](/purview/audit-log-export-records#step-1-export-audit-log-search-results). +The information captured in audit log records differs from that in [Microsoft 365 usage reports](#user-last-activity-table). It's important to note that audit logs are not designed for assessing user engagement in Microsoft 365, and they should not be used to replace or augment information in Microsoft 365 usage reports. To learn more about audit logs, see [Export, configure, and view audit log records](/purview/audit-log-export-records#step-1-export-audit-log-search-results). |
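Review bot: the duplicated phrase "should not be used should not be used" is the substantive fix in this hunk and is correctly removed. While the sentence is being touched, "It's important to note that audit logs are not designed for assessing user engagement" carries no information beyond "Audit logs are not designed for assessing user engagement"; suggest dropping the lead-in phrase so the contrast with the usage reports lands in the first words.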
enterprise | M365 Dr Workload Spo | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/m365-dr-workload-spo.md | Required Conditions: 1. Total purchased Multi-Geo units must be greater than 5% of the total eligible licenses in the _Tenant_. **Commitment:**-Customers can assign users of SharePoint Online/OneDrive for Business to any _Satellite Geography_ supported by Multi-Geo (see Section 4.1.3). The following customer data will be stored in the relevant _Satellite Geography_: +Customers can assign users of SharePoint Online/OneDrive for Business to any _Satellite Geography_ supported by Multi-Geo (see Section 4.1.3). The following customer data is stored in the relevant _Satellite Geography_: - SharePoint Online site content and the files stored within that site, and files uploaded to OneDrive for Business. When SharePoint Online is moved, data for the following services is also moved: - Microsoft 365 Apps for enterprise - Visio Pro for Microsoft 365 -After we've completed moving your SharePoint Online data, you might see some of the following effects. +After the move completes, you might see some of the following effects. ### Microsoft 365 Video Services - The data move for video takes longer than the moves for the rest of your content in SharePoint Online.-- After the SharePoint Online content is moved, there will be a time frame when videos aren't able to be played.+- After the SharePoint Online content is moved, there's a time frame when videos aren't able to be played. - We're removing the trans-coded copies from the previous datacenter and transcoding them again in the new datacenter. ### Search -In the course of moving your SharePoint Online data, we migrate your search index and search settings to a new location. Until we've **completed** the move of your SharePoint Online data, we continue to serve your users from the index in the original location. 
In the new location, search automatically starts crawling your content after we've completed moving your SharePoint Online data. From this point and onwards, we serve your users from the migrated index. Changes to your content that occurred after the migration aren't included in the migrated index until crawling picks them up. Most customers don't notice that results are less fresh right after we've completed moving their SharePoint Online data, but some customers might experience reduced freshness in the first 24-48 hours. +In the course of moving your SharePoint Online data, we migrate your search index and search settings to a new location. Until we've **completed** the move of your SharePoint Online data, we continue to serve your users from the index in the original location. In the new location, search automatically starts crawling your content after your move completes. From this point and onwards, we serve your users from the migrated index. Changes to your content that occurred after the migration aren't included in the migrated index until crawling picks them up. Most customers don't notice that results are less fresh right after your move completes, but some customers might experience reduced freshness in the first 24-48 hours. The following search features are affected: The following search features are affected: - eDiscovery: Items that changed during the migration aren't shown until crawling picks up the changes. - Data Loss Protection (DLP): Policies aren't enforced on items that change until crawling picks up the changes. -As part of the migration, the _Primary Provisioned Geography_ changes and all new content will be stored at rest in the new _Primary Provisioned Geography_. Existing content will move in the background with no impact to you for up to 90 days after the first change to the SharePoint Online data location in the admin center. 
+As part of the migration, the _Primary Provisioned Geography_ changes and all new content are stored at rest in the new _Primary Provisioned Geography_. Existing content moves in the background with no impact to you for up to 90 days after the first change to the SharePoint Online data location in the admin center. ## **Multi-Geo Capabilities in SharePoint Online / OneDrive for Business** Each user's OneDrive can be provisioned in or moved by an administrator to a _Sa Management of the Multi-Geo feature is available through the SharePoint admin center. -When a user creates a SharePoint group-connected site in a multi-geo environment, their PDL is used to determine the _Macro Region Geography_ or _Local Region Geography_ location where the site and its associated Group mailbox are created. (If the user's PDL value hasn't been set, or has been set to _Macro Region Geography_ or _Local Region Geography_ location that hasn't been configured as a _Satellite Geography_ location, then the site and mailbox are created in the _Primary Provisioned Geography_.) +When a user creates a SharePoint group-connected site in a multi-geo environment, their PDL is used to determine the _Macro Region Geography_ or _Local Region Geography_ location where the site and its associated Group mailbox are created. (If the user's PDL value isn't set, or is set to _Macro Region Geography_ or _Local Region Geography_ location that isn't configured as a _Satellite Geography_ location, then the site and mailbox are created in the _Primary Provisioned Geography_.) -Microsoft 365 services other than Exchange, OneDrive, SharePoint, and Teams aren't available with Multi-Geo. However, Microsoft 365 Groups that are created by these services will be configured with the PDL of the creator and their Exchange Group mailbox, SharePoint site are provisioned in the corresponding _Macro Region Geography_ or _Local Region Geography_. 
+Microsoft 365 services other than Exchange, OneDrive, SharePoint, and Teams aren't available with Multi-Geo. However, Microsoft 365 Groups that are created by these services are configured with the PDL of the creator and their Exchange Group mailbox, SharePoint site are provisioned in the corresponding _Macro Region Geography_ or _Local Region Geography_. ### **Managing the Multi-Geo environment** Setting up and managing your Multi-Geo environment is done through the SharePoin By default, all _Geography_ locations of a multi-geo environment share the available _Tenant_ storage quota. -With the SharePoint geo storage quota setting, you can manage the storage quota for each _Geography_ location. When you allocate a storage quota for a _Geography_ location, it becomes the maximum amount of storage available for that _Geography_ location, and is deducted from the available _Tenant_ storage quota. The remaining available _Tenant_ storage quota is then shared across the configured _Geography_ locations for which a specific storage quota has not been allocated. +With the SharePoint geo storage quota setting, you can manage the storage quota for each _Geography_ location. When you allocate a storage quota for a _Geography_ location, it becomes the maximum amount of storage available for that _Geography_ location, and is deducted from the available _Tenant_ storage quota. The remaining available _Tenant_ storage quota is then shared across the configured _Geography_ locations for which a specific storage quota hasn't been allocated. -The SharePoint storage quota for any _Geography_ location can be allocated by the SharePoint Online administrator by connecting to the _Primary Provisioned Geography_. _Geography_ administrators for _Satellite Geography_ locations can view the storage quota but cannot allocate it. 
+The SharePoint storage quota for any _Geography_ location can be allocated by the SharePoint Online administrator by connecting to the _Primary Provisioned Geography_. _Geography_ administrators for _Satellite Geography_ locations can view the storage quota but can't allocate it. #### **Configure a storage quota for a _Geography_ location** -Use the [Microsoft SharePoint Online Management Shell](https://www.microsoft.com/download/details.aspx?id=35588) and connect to the _Primary Provisioned Geography_ location to allocate the storage quota for a _Geography_ location. +To allocate the storage quota for a _Geography_ location, use the [Microsoft SharePoint Online Management Shell](https://www.microsoft.com/download/details.aspx?id=35588) and connect to the _Primary Provisioned Geography_ location. To allocate Storage Quota for a location, run cmdlet: Set-SPOGeoStorageQuota -GeoLocation <geolocationcode> -StorageQuotaMB 0 With OneDrive _Geography_ move, you can move a user's OneDrive to a different _Geography_ location. OneDrive _Geography_ move is performed by the SharePoint Online administrator or the Microsoft 365 global administrator. Before you start a OneDrive _Geography_ move, be sure to notify the user whose OneDrive is being moved and recommend they close all files for the duration of the move. (If the user has a document open using the Office client during the move, then upon move completion the document will need to be saved to the new location.) The move can be scheduled for a future time, if desired. -The OneDrive service uses Azure Blob Storage to store content. The Storage blob associated with the user's OneDrive will be moved from the source to destination _Geography_ location within 40 days of destination OneDrive being available to the user. The access to the user's OneDrive will be restored as soon as the destination OneDrive is available. +The OneDrive service uses Azure Blob Storage to store content. 
The Storage blob associated with the user's OneDrive is moved from the source to destination _Geography_ location within 40 days of destination OneDrive being available to the user. The access to the user's OneDrive is restored as soon as the destination OneDrive is available. -During OneDrive _Geography_ move window (about 2-6 hours) the user's OneDrive is set to read-only. The user can still access their files via the OneDrive sync app or their OneDrive site in SharePoint Online. After OneDrive _Geography_ move is complete, the user will be automatically connected to their OneDrive at the destination _Geography_ location when they navigate to OneDrive in the Microsoft 365 app launcher. The sync app will automatically begin syncing from the new location. +During OneDrive _Geography_ move window (about 2-6 hours) the user's OneDrive is set to read-only. The user can still access their files via the OneDrive sync app or their OneDrive site in SharePoint Online. After OneDrive _Geography_ move is complete, the user is automatically connected to their OneDrive at the destination _Geography_ location when they navigate to OneDrive in the Microsoft 365 app launcher. The sync app automatically begins syncing from the new location. The procedures in this article require the [Microsoft SharePoint Online PowerShell Module](https://www.microsoft.com/download/details.aspx?id=35588). When moving OneDrive sites between _Geography_ locations, it's important to comm - When the move is expected to start and how long it is expected to take - What _Geography_ location their OneDrive is moving to, and the URL to access the new location - They should close their files and not make edits during the move.-- File permissions and sharing will not change as a result of the move.+- File permissions and sharing don't change as a result of the move. 
- What to expect from the user experience in a multi-geo environment -Be sure to send your users an email when the move has successfully completed informing them that they can resume working in OneDrive. +Be sure to send your users an email when the move completes, informing them that they can resume working in OneDrive. #### Scheduling OneDrive site moves -You can schedule OneDrive site moves in advance (described later in this article). We recommend that you start with a small number of users to validate your workflows and communication strategies. Once you are comfortable with the process, you can schedule moves as follows: +You can schedule OneDrive site moves in advance (described later in this article). We recommend that you start with a small number of users to validate your workflows and communication strategies. Once you're comfortable with the process, you can schedule moves as follows: - You can schedule up to 4,000 moves at a time. - As the moves begin, you can schedule more, with a maximum of 4,000 pending moves in the queue and any given time.-- The maximum size of a OneDrive that can be moved is 2 terabytes (2 TB).+- The maximum size of a OneDrive that can be moved is 5 terabytes (5 TB). #### **Moving a OneDrive site** To ensure that all _Geography_ locations are compatible, run: Get-SPOGeoMoveCrossCompatibilityStatus ``` -You will see a list of your _Geography_ locations and whether content can be moved between will be denoted as "Compatible". If the command returns "Incompatible" please retry validating the status at a later date. +You will see a list of your _Geography_ locations and whether content can be moved between is denoted as "Compatible". If the command returns "Incompatible", please retry validating the status later. -If a OneDrive contains a subsite, for example, it cannot be moved. 
You can use the `Start-SPOUserAndContentMove` cmdlet with the `-ValidationOnly` parameter to validate if the OneDrive is able to be moved: +If a OneDrive contains a subsite, for example, it can't be moved. You can use the `Start-SPOUserAndContentMove` cmdlet with the `-ValidationOnly` parameter to validate if the OneDrive is able to be moved: ```powershell Start-SPOUserAndContentMove -UserPrincipalName <UPN> -DestinationDataLocation <DestinationDataLocation> -ValidationOnly ``` - This will return Success if the OneDrive is ready to be moved or Fail if there is a legal hold or subsite that would prevent the move. Once you have validated that the OneDrive is ready to move, you can start the move. + This returns Success if the OneDrive is ready to be moved or Fail if there's a legal hold or subsite that would prevent the move. Once you have validated that the OneDrive is ready to move, you can start the move. #### **Start a OneDrive geo move** The move statuses are described in the following table. |Status|Description| |||-|NotStarted|The move has not started| +|NotStarted|The move is pending| |InProgress (_n_/4)|The move is in progress in one of the following states: <ul><li>Validation (1/4)</li><li>Backup (2/4)</li><li>Restore (3/4)</li><li>Cleanup (4/4)</li></ul>|-|Success|The move has completed successfully.| +|Success|The move completed successfully.| |Failed|The move failed.| To find the status of a specific user's move, use the _UserPrincipalName_ parameter: You can also add the _Verbose_ parameter for more verbose descriptions of the mo #### **User Experience** -Users of OneDrive should notice minimal disruption if their OneDrive is moved to a different _Geography_ location. Aside from a brief read-only state during the move, existing links and permissions will continue to work as expected once the move is completed. +Users of OneDrive should notice minimal disruption if their OneDrive is moved to a different _Geography_ location. 
Aside from a brief read-only state during the move, existing links and permissions continue to work as expected once the move is completed. #### **User's OneDrive** -While the move is in progress the user's OneDrive is set to read-only. Once the move is completed, the user is directed to their OneDrive in the new _Geography_ location when they navigate to OneDrive the Microsoft 365 app launcher or a web browser. +While the move is in progress, the user's OneDrive is set to read-only. Once the move is completed, the user is directed to their OneDrive in the new _Geography_ location when they navigate to OneDrive the Microsoft 365 app launcher or a web browser. #### **Permissions on OneDrive content** -Users with permissions to OneDrive content will continue to have access to the content during the move and after it's complete. +Users with permissions to OneDrive content continue to have access to the content during the move and after it's complete. #### **OneDrive sync app** -The OneDrive sync app automatically detects and seamlessly transfers syncing to the new OneDrive location once the OneDrive _Geography_ move is complete. The user doesn't need to sign-in again or take any other action. (Version 17.3.6943.0625 or later of the sync app required.) If a user updates a file while the OneDrive _Geography_ move is in progress, the sync app will notify them that file uploads are pending while the move is underway. +The OneDrive sync app automatically detects and seamlessly transfers syncing to the new OneDrive location once the OneDrive _Geography_ move is complete. The user doesn't need to sign-in again or take any other action. (Version 17.3.6943.0625 or later of the sync app required.) If a user updates a file while the OneDrive _Geography_ move is in progress, the sync app notifies them that file uploads are pending while the move is underway. 
#### **Sharing links** -Upon OneDrive _Geography_ move completion, the existing shared links for the files that were moved will automatically redirect to the new _Geography_ location. +Upon OneDrive _Geography_ move completion, the existing shared links for the files that were moved automatically redirect to the new _Geography_ location. #### **OneNote Experience** OneNote Win32 client and UWP (Universal) App automatically detects and seamlessl #### **Teams app** -Upon OneDrive _Geography_ move completion, users will have access to their OneDrive files on the Teams app. Additionally, files shared via Teams chat from their OneDrive prior to _Geography_ move will continue to work after move is complete. +Upon OneDrive _Geography_ move completion, users have access to their OneDrive files on the Teams app. Additionally, files shared via Teams chat from their OneDrive before the _Geography_ move continue to work after move is complete. #### **OneDrive Mobile App (iOS)** Upon OneDrive _Geography_ move completion, the user would need to sign out and s #### **Existing followed groups and sites** -Followed sites and groups will show up in the user's OneDrive regardless of their _Geography_ location. Sites and groups hosted in another _Geography_ location will open in a separate tab. +Followed sites and groups show up in the user's OneDrive regardless of their _Geography_ location. Sites and groups hosted in another _Geography_ location will open in a separate tab. #### **Delve Geo URL updates** -Users will be sent to the Delve _Geography_ corresponding to their PDL only after their OneDrive has been moved to the new _Geography_. +Users are sent to the Delve _Geography_ corresponding to their PDL only after their OneDrive has been moved to the new _Geography_. 
### **Move a SharePoint site** The following types of site can be moved between _Geography_ locations: > [!NOTE] > You must be a Global Administrator or SharePoint Administrator to move a site between _Geography_ locations. -There is a read-only window during the SharePoint site _Geography_ move of approximately 4-6 hours, depending on site contents. +There's a read-only window during the SharePoint site _Geography_ move of approximately 4-6 hours, depending on site contents. #### **Best practices** - Try a SharePoint site move on a test site to get familiar with the procedure.-- Validate whether the site can be moved prior to scheduling or performing the move.+- Validate whether the site can be moved before scheduling or performing the move. - When possible schedule cross-geo sites moves for outside business hours to reduce user impact.-- Communicate with impacted users prior to the sites move.+- Communicate with impacted users before the sites move. #### **Communicating to your users** When moving SharePoint sites between _Geography_ locations, it's important to co - When the move is expected to start and how long it is expected to take. - What _Geography_ location their site is moving to, and the URL to access the new location. - They should close their files and not make edits during the move.-- File permissions and sharing will not change because of the move.+- File permissions and sharing don't change because of the move. - What to expect from the user experience in a multi-geo environment. -Be sure to send your sites' users an email when the move has successfully completed informing them that they can resume working on their sites. +Be sure to send your sites' users an email when the move completes, informing them that they can resume working on their sites. #### **Scheduling SharePoint site moves** You can schedule SharePoint site moves in advance (described later in this artic - You can schedule up to 4,000 moves at a time. 
- As the moves begin, you can schedule more, with a maximum of 4,000 pending moves in the queue and any given time.-- The maximum size of a SharePoint site that can be moved is 2 terabytes (2 TB).+- The maximum size of a SharePoint site that can be moved is 5 terabytes (5 TB). To schedule a SharePoint site _Geography_ move for a later time, include one of the following parameters when you start the move: Connect-SPOService -Url https://contosohealthcare-admin.sharepoint.com We recommend that before scheduling any site move, you perform a validation to ensure that the site can be moved. -We do not support moving sites with: +We don't support moving sites with: - Business Connectivity Services - InfoPath forms To perform a validation-only check on your site, use `Start-SPOSiteContentMove` Start-SPOSiteContentMove -SourceSiteUrl <SourceSiteUrl> -ValidationOnly -DestinationDataLocation <DestinationLocation> ``` -This will return _Success_ if the site is ready to be moved or _Fail_ if any of blocked conditions are present. +This returns _Success_ if the site is ready to be moved or _Fail_ if any of blocked conditions are present. 
#### **Start a SharePoint site _Geography_ move for a site with no associated Microsoft 365 group** Set-SPOUnifiedGroup -PreferredDataLocation <PDL> -GroupAlias <GroupAlias> Get-SPOUnifiedGroup -GroupAlias <GroupAlias> ``` -Once you have updated the PDL, you can start the site move: +Once you update the PDL, you can start the site move: ```PowerShell Start-SPOUnifiedGroupMove -GroupAlias <GroupAlias> -DestinationDataLocation <DestinationDataLocation> You can stop a SharePoint site _Geography_ move, provided the move is not in pro #### **Determining the status of a SharePoint site _Geography_ move** -You can determine the status of a site move in our out of the _Geography_ that you are connected to by using the following cmdlets: +You can determine the status of a site move in our out of the _Geography_ that you're connected to by using the following cmdlets: - [Get-SPOSiteContentMoveState](/powershell/module/sharepoint-online/get-spositecontentmovestate) (non-Group-connected sites) - [Get-SPOUnifiedGroupMoveState](/powershell/module/sharepoint-online/get-spounifiedgroupmovestate) (Group-connected sites) The move statuses are described in the following table. |Status|Description| |||-|Ready to Trigger|The move has not started.| -|Scheduled|The move is in queue but has not yet started.| +|Ready to Trigger|The move is pending.| +|Scheduled|The move is in queue but is yet to start.| |InProgress (n/4)|The move is in progress in one of the following states: Validation (1/4), Back up (2/4), Restore (3/4), Cleanup (4/4).|-|Success|The move has completed successfully.| +|Success|The move completed successfully.| |Failed|The move failed.| | You can also apply the `-Verbose` option to see additional information about the #### **User experience** -Site users should notice minimal disruption when their site is moved to a different _Geography_ location. 
Aside from a brief read-only state during the move, existing links and permissions will continue to work as expected once the move is completed. +Site users should notice minimal disruption when their site is moved to a different _Geography_ location. Aside from a brief read-only state during the move, existing links and permissions continue to work as expected once the move is completed. #### **Site** While the move is in progress, the site is set to read-only. Once the move is co #### **Permissions** -Users with permissions to site will continue to have access to the site during the move and after it's complete. +Users with permissions to site continue to have access to the site during the move and after it's complete. #### **Sync app** The sync app automatically detects and seamlessly transfers syncing to the new site location once the site move is complete. The user doesn't need to sign in again or take any other action. (Version 17.3.6943.0625 or later of the sync app required.)-If a user updates a file while the move is in progress, the sync app will notify them that file uploads are pending while the move is underway. +If a user updates a file while the move is in progress, the sync app notifies them that file uploads are pending while the move is underway. #### **Sharing links** -When the SharePoint site _Geography_ move completes, the existing shared links for the files that were moved will automatically redirect to the new _Geography_ location. +When the SharePoint site _Geography_ move completes, the existing shared links for the files that were moved automatically redirect to the new _Geography_ location. #### **Most Recently Used files in Office (MRU)** OneNote Win32 client and UWP (Universal) App automatically detects and seamlessl #### **Teams (applicable to Microsoft 365 group connected sites)** -When the SharePoint site _Geography_ move completes, users will have access to their Microsoft 365 group site files on the Teams app. 
Additionally, files shared via Teams chat from their site prior to _Geography_ move will continue to work after move is complete. -SharePoint site _Geography_ move does not support moving sites backing Private and Shared Channels from one _Geography_ to another, when using the `Start-SPOUnifiedGroupMove` command. Sites backing Private and Shared Channels remain in the original _Geography_. To move those sites individually, admins can initiate direct moves using the `Start-SPOSiteContentMove` command. +When the SharePoint site _Geography_ move completes, users have access to their Microsoft 365 group site files on the Teams app. Additionally, files shared via Teams chat from their site before the _Geography_ move continue to work after move is complete. +SharePoint site _Geography_ move doesn't support moving sites backing Private and Shared Channels from one _Geography_ to another, when using the `Start-SPOUnifiedGroupMove` command. Sites backing Private and Shared Channels remain in the original _Geography_. To move those sites individually, admins can initiate direct moves using the `Start-SPOSiteContentMove` command. #### **SharePoint Mobile App (iOS/Android)** SharePoint 2013 workflows have to be republished after the site move. SharePoint #### **Apps** -If you are moving a site with apps, you must reinstantiate the app in the site's new _Geography_ location as the app and its connections may not be available in the destination _Geography_ location. +If you're moving a site with apps, you must reinstantiate the app in the site's new _Geography_ location as the app and its connections may not be available in the destination _Geography_ location. #### **Power Automate** -In most cases, Power Automate Flows will continue to work after a SharePoint site _Geography_ move. We recommend that you test them once the move completes. +In most cases, Power Automate Flows continue to work after a SharePoint site _Geography_ move. 
We recommend that you test them once the move completes. #### **Power Apps** SharePoint uses Azure Blob Storage for its content, while the metadata associate ### **Enabling SharePoint Multi-Geo in your _Satellite Geography_ location** -This article is for Global or SharePoint administrators who have created a Multi-Geo _Satellite Geography_ location **before** SharePoint Multi-Geo capabilities became generally available on March 27, 2019, and who have not enabled SharePoint Multi-Geo in their _Satellite Geography_ location(s). +This article is for Global or SharePoint administrators who created a Multi-Geo _Satellite Geography_ location **before** SharePoint Multi-Geo capabilities became generally available on March 27, 2019, and who have not enabled SharePoint Multi-Geo in their _Satellite Geography_ location(s). > [!NOTE]-> If you have added a new _Geography_ location **after March 27th, 2019**, you do not need to perform these instructions, as your new _Geography_ location will already be enabled for OneDrive and SharePoint Multi-Geo. +> If you have added a new _Geography_ location **after March 27th, 2019**, you don't need to perform these instructions, as your new _Geography_ location will already be enabled for OneDrive and SharePoint Multi-Geo. -These instructions will allow you to enable SharePoint in your _Satellite Geography_ location, so your Multi-Geo satellite users can take advantage of both OneDrive and SharePoint Multi-Geo capabilities in Microsoft 365. +These instructions allow you to enable SharePoint in your _Satellite Geography_ location, so your Multi-Geo satellite users can take advantage of both OneDrive and SharePoint Multi-Geo capabilities in Microsoft 365. > [!IMPORTANT] > Please note that this is a one way enablement. Once you set SPO mode, you will not be able to revert your _Tenant_ to OneDrive only Multi-Geo mode without an escalation with support. 
Set-SPOMultiGeoExperience ![Set-SPOMultiGeoExperience.](../media/Set-SPO-MultiGeo.jpg) -This operation usually takes about an hour while we perform various publish backs in the service and re-stamp your _Tenant_. After at least 1 hour, please perform a Get-SPOMultiGeoExperience. This will show you whether this _Geography_ location is in SPO mode. +This operation usually takes about an hour while we perform various publish backs in the service and restamp your _Tenant_. After at least 1 hour, please perform a Get-SPOMultiGeoExperience. This shows you whether this _Geography_ location is in SPO mode. ![Image of Set-SPOMultiGeoExperience.](../media/Get-SPO-MultiGeo.jpg) > [!NOTE]-> Certain caches in the service update every 24 hours, so it is possible that for a period of up to 24 hours, your _Satellite Geography_ may intermittently behave as if it was still in ODB mode. This does not cause any technical issues. +> Certain caches in the service update every 24 hours, so it is possible that for a period of up to 24 hours, your _Satellite Geography_ may intermittently behave as if it was still in ODB mode. This doesn't cause any technical issues. ## How can I determine customer data location? -You can find the actual data location in Microsoft 365 admin center. As a _Tenant_ administrator you can find the actual data location, for committed data, by navigating to **Admin->Settings->Org Settings->Organization Profile->Data Location**. If you do not have a _Tenant_ created, you can have a _Tenant_ created when signing up for a Microsoft 365 trial. +You can find the actual data location in Microsoft 365 admin center. As a _Tenant_ administrator you can find the actual data location, for committed data, by navigating to **Admin->Settings->Org Settings->Organization Profile->Data Location**. If you don't have a _Tenant_ created, you can have a _Tenant_ created when signing up for a Microsoft 365 trial. |
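Review bot: the change from "2 terabytes (2 TB)" to "5 terabytes (5 TB)" in both the "Scheduling OneDrive site moves" and "Scheduling SharePoint site moves" lists is a change to a stated service limit, not a copyedit like the rest of this diff (tense and contraction changes). It is applied consistently to both sections, which is good, but it should be called out separately in the commit description so reviewers can confirm the new limit against the product rather than have it pass as part of a style pass.

Review bot: in the SharePoint site move status table, rewording "Ready to Trigger" from "The move has not started." to "The move is pending." leaves it almost indistinguishable from the next row, "Scheduled|The move is in queue but is yet to start."; the original wording kept the two states apart. Suggest keeping "The move has not started." for "Ready to Trigger" (the same "pending" wording is fine for the OneDrive "NotStarted" row, which has no neighbouring Scheduled state to clash with).

Review bot: a few grammar leftovers survive in the "+" lines and could be fixed in the same pass: "in our out of the _Geography_ that you're connected to" (should read "in or out of"), "or is set to _Macro Region Geography_ or _Local Region Geography_ location" (missing "a" before "_Macro Region Geography_"), "their Exchange Group mailbox, SharePoint site are provisioned" (missing "and"), and "when they navigate to OneDrive the Microsoft 365 app launcher" (missing "in" after "OneDrive").

Review bot: the pass converts future tense to present throughout, but three "+" lines still keep "will": "your new _Geography_ location will already be enabled for OneDrive and SharePoint Multi-Geo", "Sites and groups hosted in another _Geography_ location will open in a separate tab", and "You will see a list of your _Geography_ locations". For consistency with the rest of the diff these should read "is already enabled", "open in a separate tab", and "You see a list".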
security | Linux Resources | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-resources.md | The following table lists commands for some of the most common scenarios. Run `m |Quarantine management|Add a file detected as a threat to the quarantine|`mdatp threat quarantine add --id [threat-id]`| |Quarantine management|Remove a file detected as a threat from the quarantine|`mdatp threat quarantine remove --id [threat-id]`| |Quarantine management|Restore a file from the quarantine. Available in Defender for Endpoint version lower than 101.23092.0012.|`mdatp threat quarantine restore --id [threat-id] --path [destination-folder]`|-|Quarantine management|Restore a file from the quarantine with Threat ID. Available in Defender for Endpoint version 101.23092.0012 or higher.|`mdatp threat restore threat-id --id [threat-id] --destination-path [destination-folder]`| -|Quarantine management|Restore a file from the quarantine with Threat Original Path. Available in Defender for Endpoint version 101.23092.0012 or higher.|`mdatp threat restore threat-path --path [threat-original-path] --destination-path [destination-folder]`| +|Quarantine management|Restore a file from the quarantine with Threat ID. Available in Defender for Endpoint version 101.23092.0012 or higher.|`mdatp threat quarantine restore threat-id --id [threat-id] --destination-path [destination-folder]`| +|Quarantine management|Restore a file from the quarantine with Threat Original Path. 
Available in Defender for Endpoint version 101.23092.0012 or higher.|`mdatp threat quarantine restore threat-path --path [threat-original-path] --destination-path [destination-folder]`| |Endpoint Detection and Response|Set early preview |`mdatp edr early-preview [enabled\|disabled]`| |Endpoint Detection and Response|Set group-id|`mdatp edr group-ids --group-id [group-id]`| |Endpoint Detection and Response|Set / remove tag, only `GROUP` supported|`mdatp edr tag set --name GROUP --value [tag]`| |
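Review bot: In the corrected restore rows, `--path` changes meaning between versions: the pre-101.23092.0012 command uses `--path [destination-folder]` for the restore target, while the new `threat-path` form uses `--path [threat-original-path]` for the quarantined file's original location and `--destination-path [destination-folder]` for the target. Since the table shows both side by side, a short remark in the scenario cell (or consistently named placeholders) would help avoid restoring a quarantined file to an unintended location. The fix of `mdatp threat restore` to `mdatp threat quarantine restore` itself looks right and matches the other quarantine commands in the table.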
security | Mac Resources | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-resources.md | Supports table and JSON format output types. For each command, there's a default - `sudo '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'` +### Using JAMF Pro ++To uninstall Microsoft Defender for Endpoint on macOS using JAMF Pro upload the **offboarding profile**. ++The **offboarding profile** should be uploaded without any modifications, and with Preference Domain name set to **com.microsoft.wdav.atp.offboarding**: ++ :::image type="content" source="../../media/defender-endpoint/jamf-pro-offboarding.png" alt-text="Screenshot of the JAMF offboarding screen" lightbox="../../media/defender-endpoint/jamf-pro-offboarding.png"::: + ## Configuring from the command line Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: |
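Review bot: The new JAMF Pro section tells the admin to upload the offboarding profile "without any modifications" but never says where the profile is obtained; a link or sentence pointing to its download location would complete the step. Also add a comma after "JAMF Pro" in "To uninstall Microsoft Defender for Endpoint on macOS using JAMF Pro upload the **offboarding profile**."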
security | Manage Gradual Rollout | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-gradual-rollout.md | Capabilities are provided through several components: - [Next-generation protection](microsoft-defender-antivirus-windows.md) with [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) - [Attack Surface Reduction](overview-attack-surface-reduction.md) -Updates are released monthly using a gradual release process. This process helps to enable early failure detection to catch impact as it occurs and address it quickly before a larger rollout. +Updates are released monthly using a gradual release process. This process helps to enable early failure detection to identify issues as they occur and address them quickly before a larger rollout. > [!NOTE] > For more information on how to control daily security intelligence updates, see [Schedule Microsoft Defender Antivirus protection updates](manage-protection-update-schedule-microsoft-defender-antivirus.md). Updates ensure that next-generation protection can defend against new threats, even if cloud-delivered protection is not available to the endpoint. Our engineers continuously monitor impact and escalate any issues to create a fi ## How to customize your internal deployment process + If your machines are receiving Defender updates from Windows Update, the gradual rollout process can result in some of your devices receiving Defender updates sooner than others. The following section explains how to define a strategy that will allow automatic updates to flow differently to specific groups of devices by using update channel configuration. + > [!NOTE] > When planning for your own gradual release, please make sure to always have a selection of devices subscribed to the preview and staged channels. This will provide your organization as well as Microsoft the opportunity to prevent or find and fix issues specific to your environment. 
For machines receiving updates through, for example, Windows Server Update Services (WSUS) or Microsoft Configuration Manager, more options are available to all Windows updates, including options for Microsoft Defender for Endpoint. -- Read more about how to use a solution like WSUS, MECM to manage the distribution and application of updates at [Manage Microsoft Defender Antivirus updates and apply baselines - Windows security](microsoft-defender-antivirus-updates.md#product-updates).+- Learn more about how to use solutions such as WSUS and MECM to manage the distribution and application of updates at [Manage Microsoft Defender Antivirus updates and apply baselines - Windows security](microsoft-defender-antivirus-updates.md#product-updates). ## Update channels for monthly updates The following update channels are available: |Channel name|Description|Application| ||||-|Beta Channel - Prerelease|Test updates before others|Devices set to this channel will be the first to receive new monthly updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in test environments only.| -|Current Channel (Preview)|Get Current Channel updates **earlier** during gradual release|Devices set to this channel will be offered updates earliest during the gradual release cycle. Suggested for pre-production/validation environments.| +|Beta Channel - Prerelease|Test updates before others|Devices set to this channel are the first to receive new monthly updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in test environments only.| +|Current Channel (Preview)|Get Current Channel updates **earlier** during gradual release|Devices set to this channel are offered updates earliest during the gradual release cycle. 
Suggested for pre-production/validation environments.| |Current Channel (Staged)|Get Current Channel updates later during gradual release|Devices are offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%).| |Current Channel (Broad)|Get updates at the end of gradual release|Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).| |Critical: Time Delay|Delay Defender updates|Devices are offered updates with a 48-hour delay. Best for datacenter machines that only receive limited updates. Suggested for critical environments only.|-|(default)||If you disable or don't configure this policy, the device remains in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices.| +|(default)||If you disable or don't configure this policy, the device remains in Current Channel (Default): Stay up to date automatically during the gradual release cycle. This means Microsoft assigns a channel to the device. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which isn't suitable for devices in a production or critical environment.| -### Update channels for daily updates +### Update channels for security intelligence updates -You can also assign a machine to a channel to define the cadence in which it receives daily updates. Unlike the monthly process, there's no Beta channel and this gradual release cycle occurs multiple times a day. +You can also assign a machine to a channel to define the cadence in which it receives SIUs (formerly referred to as signature, definition, or daily updates). Unlike the monthly process, there's no Beta channel and this gradual release cycle occurs multiple times a day. 
|Channel name|Description|Application| |||| |Current Channel (Staged)|Get Current Channel updates later during gradual release|Devices are offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%).| |Current Channel (Broad)|Get updates at the end of gradual release|Devices will be offered updates after the gradual release cycle. Best for datacenter machines that only receive limited updates. Note: this setting applies to all Defender updates.|-|(default)||If you disable or don't configure this policy, the device remains in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices| +|(default)||If you disable or don't configure this policy, the device remains in Current Channel (Default): Stay up to date automatically during the gradual release cycle. This means Microsoft assigns a channel to the device. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which isn't suitable for devices in a production or critical environment.| > [!NOTE] > In case you wish to force an update to the newest signature instead of leveraging the time delay, you will need to remove this policy first. |
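Review bot: The tense cleanup in the channel tables is incomplete: the changed rows now read "are the first to receive" and "are offered", but the unchanged Current Channel (Broad) rows in both tables still say "Devices will be offered updates", so each table mixes both forms. The heading and intro were renamed from daily updates to security intelligence updates (SIUs), yet the closing NOTE still says "force an update to the newest signature"; "newest security intelligence update" would match the new term. The expanded "(default)" text is a useful warning; stating the recommendation positively (Staged or Broad for production, Critical: Time Delay for critical environments, as the other rows already suggest) would make it actionable.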
security | Configure Attack Disruption | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/configure-attack-disruption.md | Whether automated investigations run, and whether remediation actions are taken 3. Review your device group policies. Look at the **Automation level** column. We recommend using **Full - remediate threats automatically**. You might need to create or edit your device groups to get the level of automation you want. To exclude a device group from automated containment, set its automation level to **no automated response**. Note that this is not highly recommended and should only be done for a limited number of devices. +>[!NOTE] +>Attack disruption can act on devices independent of a device's Microsoft Defender Antivirus operating state. The operating state can be in Active, Passive, or EDR Block Mode. + ## Review or change automated response exclusions for users Automatic attack disruption enables the exclusion of specific user accounts from automated containment actions. Excluded users won't be affected by automated actions triggered by attack disruption. You must be a global administrator or security administrator to perform the following procedure: |
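Review bot: In the new NOTE, "independent of a device's ... operating state" should read "independently of", and the two sentences can be folded into one: "Attack disruption can act on devices regardless of whether Microsoft Defender Antivirus is in Active, Passive, or EDR Block Mode." In the preceding step, "Note that this is not highly recommended" reads oddly; "This isn't recommended" is clearer.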
security | Eval Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-overview.md | Title: Evaluate and pilot Microsoft Defender XDR, an XDR solution -description: What is XDR security? How can you evaluate a Microsoft XDR in Microsoft Defender XDR? Use this blog series to plan your Microsoft Defender XDR trial lab or pilot environment to test and pilot a security solution designed to protect devices, identity, data, and applications. Start your XDR cyber security journey here and take that test to production. + Title: Evaluate and pilot Microsoft Defender XDR security, an XDR solution that unifies threat data so you can take action. +description: What is XDR security? How can you evaluate a Microsoft XDR in Microsoft Defender XDR? Use this blog series to plan your Microsoft Defender XDR trial lab or pilot environment and test and pilot a security solution designed to protect devices, identity, data, and applications. Take that XDR seccurity test to production. search.product: eADQiWindows 10XVcnh search.appverid: met150 f1.keywords: - NOCSH Previously updated : 09/15/2022 Last updated : 02/26/2024 ms.localizationpriority: medium audience: ITPro-# Evaluate and pilot Microsoft Defender XDR +# Evaluate and pilot Microsoft Defender XDR security **Applies to:** -This series of articles is designed to step you through the entire process of setting up a trial XDR environment, *end-to-end*, so you can evaluate the features and capabilities of Microsoft Defender XDR and even promote the evaluation environment straight to production when and if you're ready. +This series is designed to step you through the entire process of setting up a trial XDR environment, *end-to-end*, so you can evaluate the features and capabilities of Microsoft Defender XDR and even promote the evaluation environment straight to production when you're ready. 
-If you're new to thinking about XDR, you can scan these 7 linked articles to get a feel for how comprehensive the solution is. +If you're new to thinking about XDR security, you can scan the 7 linked articles in this series to get a feel for how comprehensive the solution is. - [How to create the environment](eval-create-eval-environment.md) - Set up or learn about each technology of this Microsoft XDR If you're new to thinking about XDR, you can scan these 7 linked articles to get <a name='microsoft-365-defender-is-a-microsoft-xdr-cyber-security-solution'></a> -## Microsoft Defender XDR is a Microsoft XDR cyber security solution +## What is XDR and Microsoft Defender XDR? -Microsoft Defender XDR is an **eXtended detection and response (XDR) solution** that automatically collects, correlates, and analyzes signal, threat, and alert data from *across* your Microsoft 365 environment, including *endpoint, email, applications, and identities*. It leverages artificial intelligence (AI) and automation to *automatically* stop attacks, and remediate affected assets into a safe state. +XDR security is a step forward in cyber security because it takes the threat data from systems that were once isolated and unifies them so that you can see patterns and act on them faster. -Think of XDR as the next step in security, unifying endpoint (endpoint detection and response or EDR), email, app, and identity security in one place. +For example, Microsoft XDR unifies endpoint (endpoint detection and response or EDR), email, app, and identity security in one place. ++Microsoft Defender XDR is an **eXtended detection and response (XDR) solution** that automatically collects, correlates, and analyzes signal, threat, and alert data from *across* your Microsoft 365 environment, including *endpoint, email, applications, and identities*. It leverages **artificial intelligence (AI) and automation to *automatically* stop attacks**, and remediate affected assets to a safe state. 
<a name='microsoft-recommendations-for-evaluating-microsoft-365-defender'></a> -## Microsoft recommendations for evaluating Microsoft Defender XDR +## Microsoft recommendations for evaluating Microsoft Defender XDR security Microsoft recommends you create your evaluation in an existing production subscription of Office 365. This way you will gain real-world insights immediately and can tune settings to work against current threats in your environment. After you've gained experience and are comfortable with the platform, simply promote each component, one at a time, to production. |
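Review bot: The new `description:` line contains the typo "seccurity" ("Take that XDR seccurity test to production"). The new `Title:` has also become a full sentence ending in a period ("...an XDR solution that unifies threat data so you can take action."), which is long for page metadata and no longer matches the H1 "Evaluate and pilot Microsoft Defender XDR security"; keeping the title equal to the H1 and moving the longer phrasing into the description would be cleaner. The new "What is XDR and Microsoft Defender XDR?" heading also changed the anchor text while the `<a name='microsoft-365-defender-is-a-microsoft-xdr-cyber-security-solution'>` shim above it is unchanged, so inbound links still resolve; worth noting in the commit that this is intentional.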
security | Whats New | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md | You can also get product updates and important notifications through the [messag ## February 2024-- (GA) **Assigning severity to incidents** and the ***go hunt*** option from the attack story graph are now generally available. Read [assign or change incident severity](manage-incidents.md#assign-or-change-incident-severity) to learn how to change an incident's severity, and learn how you can use the *go hunt* option by exploring [attack story](investigate-incidents.md#attack-story).+- (GA) **Assigning severity to incidents**, **assigning an incident to a group**, and the ***go hunt*** option from the attack story graph are now generally available. Guides to learn how to [assign or change incident severity](manage-incidents.md#assign-or-change-incident-severity) and [assign an incident to a group](manage-incidents.md#assign-an-incident) are in the [Manage incidents](manage-incidents.md) page. Learn how you can use the *go hunt* option by exploring [attack story](investigate-incidents.md#attack-story). - (Preview) **[Custom detection rules in Microsoft Graph security API](/graph/api/resources/security-api-overview?view=graph-rest-beta&preserve-view=true#custom-detections)** are now available. Create advanced hunting custom detection rules specific to your org to proactively monitor for threats and take action. |
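Review bot: "are in the [Manage incidents] page" should read "on the ... page", and the sentence could be tightened to "See [Manage incidents] to learn how to assign or change incident severity and assign an incident to a group."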
security | Air User Automatic Feedback Response | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-user-automatic-feedback-response.md | appliesto: # Automatic user notifications for user reported phishing results in AIR > [!NOTE]-> The features described in this article are currently in Private Preview, aren't available in all organizations, and are subject to change. +> The features described in this article are currently in Public Preview, aren't available in all organizations, and are subject to change. In Microsoft 365 organizations with Exchange Online mailboxes, admins can configure the backend for messages that users report as malicious or not malicious in Outlook (send to Microsoft, send to a reporting mailbox, or both), and configure the various notification options for user reported messages. For more information, see [User reported settings](submissions-user-reported-messages-custom-mailbox.md). After you enable automated feedback response, the user who reported the message - **No threats found**: If a user reports a message as phishing, the submission triggers AIR on the reported message. If the investigation finds no threats, the user who reported the message receives a notification email that looks like this: - :::image type="content" source="../../media/air-automatic-feedback-no-threats-found-email.png" alt-text="An example notification email for No threats found." lightbox="../../media/air-automatic-feedback-no-threats-found-email.png"::: + :::image type="content" source="../../media/air-automatic-feedback-no-threats-found-email.png" alt-text="An example notification email for No threats found." lightbox="../../media/air-automatic-feedback-no-threats-found-email.png"::: - **Spam**: If a user reports a message as phishing, the submission triggers AIR on the reported message. 
If the investigation finds the message is spam, the user who reported the message receives a notification email that looks like this: - :::image type="content" source="../../media/air-automatic-feedback-spam-email.png" alt-text="An example notification email for Spam found." lightbox="../../media/air-automatic-feedback-spam-email.png"::: + :::image type="content" source="../../media/air-automatic-feedback-spam-email.png" alt-text="An example notification email for spam found." lightbox="../../media/air-automatic-feedback-spam-email.png"::: - **Phishing or malware**: If a user reports a message as phishing, the submission triggers AIR on the reported message. What happens next depends on the results of the investigation: - **High confidence phishing or malware**: The message needs to be remediated using one of the following actions: After you enable automated feedback response, the user who reported the message > [!TIP] > For high confidence phishing or malware, the investigation might immediate close as **Remediated** if the message isn't found in the mailbox (the message was deleted). There's no pending investigation to close, so no email notification is sent to the user who reported the message. - - **Phishing**: The investigation creates no pending actions, but the user still receives a notification email that the message was found to be phishing. + - **Phishing**: The investigation creates no pending actions, but the user still receives a notification email that the message was found to be phishing. The notification email looks like this: - The notification email looks like this: -- :::image type="content" source="../../media/air-automatic-feedback-phishing-or-malware-email.png" alt-text="An example notification email for Phishing or malware found." 
lightbox="../../media/air-automatic-feedback-phishing-or-malware-email.png"::: + :::image type="content" source="../../media/air-automatic-feedback-phishing-or-malware-email.png" alt-text="An example notification email for phishing or malware found." lightbox="../../media/air-automatic-feedback-phishing-or-malware-email.png"::: When AIR reaches a verdict and the notification email is sent to the user who reported the message as phishing, the following property values are shown for the entry on the **User reported** tab on the **Submissions** page in the Defender portal: |
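Review bot: In the TIP carried as context in this hunk, "the investigation might immediate close as **Remediated**" should read "might immediately close"; since the alt-text lines around it were being touched for capitalization consistency, this belongs in the same change. The Private Preview to Public Preview change is consistent with the remaining text, which still says the features "aren't available in all organizations".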
solutions | Apps Protect Access Requirements | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-protect-access-requirements.md | + + Title: "Understand app protection access requirements using Microsoft Intune" ++++audience: ITPro ++description: Understand app protection access requirements using Microsoft Intune. ++ms.localizationpriority: high ++- highpri ++keywords: +++# Understand app protection access requirements ++The **Access requirements** settings allow you to configure the PIN and credential requirements that users must meet to access apps in a work context. As the admin, you can control whether to use a PIN for app access, require work or school account credentials for access, and how often to recheck access requirements. ++> [!NOTE] +> The **Access requirement** settings only apply to iOS/iPadOS and Android app protection policies. ++## Access requirements for app protection policies ++For iOS/iPadOS and Android app protection policies, the available app access settings are similar between iOS/iPadOS and Android. Differences include details for biometrics and PIN reset. ++### iOS access requirement settings ++You'll see that iOS/iPadOS offer slightly different app protection functionality. +++### Android access requirement settings ++Android offers similar functionality to iOS/iPadOS functionality. + |
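Review bot: The two platform sections in this new page ("iOS access requirement settings" and "Android access requirement settings") each contain a single sentence saying the platforms differ slightly, but neither lists the differences; the intro already names biometrics and PIN reset as the distinguishing details, so those should be spelled out per platform. In the front matter, `keywords:` is empty and `- highpri` appears without its parent key, which should be checked before merge.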
solutions | Apps Protect Conditional Launch | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-protect-conditional-launch.md | + + Title: "Understand app protection conditional launch using Microsoft Intune" ++++audience: ITPro ++description: Understand app protection conditional launch using Microsoft Intune. ++ms.localizationpriority: high ++- highpri ++keywords: +++# Understand app protection conditional launch ++The **Conditional launch** settings allow you to select the sign-in security requirements for your access protection policy. App protection policies offer both app and device conditions. ++You must select a setting and enter the value that users must meet to sign in to your company app. Then select the Action you want to take if users don't meet your requirements. In some cases, multiple actions can be configured for a single setting. Learn more about conditional launch actions. ++Conditional launch settings offer similarities between iOS/iPadOS and Android. ++## Conditional launch for iOS/iPadOS and Android app protection policy ++iOS/iPadOS app conditional settings allow the similar settings configuration as Android, however you can also set a **Min SDK version** for iOS/iPadOS. ++| App condition setting | iOS/iPadOS | Android | +|::|::|::| +| Max PIN attempts | Γ£ö | Γ£ö | +| Office grace period | Γ£ö | Γ£ö | +| Min app version | Γ£ö | Γ£ö | +| Max SDK version | Γ£ö | Γ£û | +| Disabled account | Γ£ö | Γ£ö | +++In addition, Android device condition settings offer several more setting configuration options compared to iOS/iPadOS. 
++| Device condition setting | iOS/iPadOS | Android | +|::|::|::| +| Jailbroken/rooted devices | Γ£ö | Γ£ö | +| Min OS version | Γ£ö | Γ£ö | +| Max OS version | Γ£ö | Γ£ö | +| Min patch version | Γ£ö | Γ£ö | +| Device model(s) | Γ£ö | Γ£û | +| Device manufacturer(s) | Γ£û | Γ£ö | +| SafetyNet device attestation | Γ£û | Γ£ö | +| Require threat scan on apps | Γ£û | Γ£ö | +| Required SafetyNet evaluation type | Γ£û | Γ£ö | +| Require device lock | Γ£û | Γ£ö | +| Min Company Portal version | Γ£û | Γ£ö | +| Max Company Portal version age (days) | Γ£û | Γ£ö | +| Samsung Knox device attestation | Γ£û | Γ£ö | +| Max allowed device threat level | Γ£ö | Γ£ö | +| Primary MTD service | Γ£ö | Γ£ö | ++ |
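Review bot: The prose in the app-condition section says iOS/iPadOS can set a **Min SDK version**, but the table row is labelled "Max SDK version"; one of the two is wrong and they should agree. Also confirm that "Office grace period" is intended rather than "Offline grace period", which is how the Intune conditional launch setting is named, and check that the check-mark and cross glyphs, which appear here as "Γ£ö" and "Γ£û", are saved as UTF-8 ✔/✖ in the source file.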
solutions | Apps Protect Data Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-protect-data-protection.md | + + Title: "Understand app data protection using Microsoft Intune" ++++audience: ITPro ++description: Understand app data protection using Microsoft Intune. ++ms.localizationpriority: high ++- highpri ++keywords: +++# Understand app data protection ++The **Data Protection** settings in Intune determine how users interact with org data and context in policy-managed apps. As the admin, you can control the movement of data into and out of the context of org protection. The org context is defined by documents, services, and sites accessed by the specified org account (Microsoft Entra ID) owned by the end-user. The app protection policy settings help control external data received into the org context and org data sent out of the org context. ++> [!NOTE] +> The term *policy-managed apps* refers to apps that are configured with app protection policies. ++Data protection is available for policy-managed apps that support the [iOS/iPadOS](/mem/intune/apps/app-protection-policy-settings-ios#data-protection), [Android](/mem/intune/apps/app-protection-policy-settings-android#data-protection), and [Windows](/mem/intune/apps/app-protection-policy-settings-windows#data-protection) platforms. Each platform offers a different set of settings related to data protection. 
++The **Data Protection** settings within app protection policies provides the following categories for each platform: ++| Data Protection | Categories | +||| +| iOS/iPadOS | [Data Transfer](#data-transfer-for-iosipados-app-protection-policy), [Encryption](#encryption-for-iosipados-app-protection-policy), [Functionality](#functionality-for-iosipados-and-android-app-protection-policy) | +| Android | [Data Transfer](#data-transfer-for-android-app-protection-policy), [Encryption](#encryption-for-android-app-protection-policy), [Functionality](#functionality-for-iosipados-and-android-app-protection-policy) | +| Windows | [Data Transfer](#data-transfer-for-windows-app-protection-policy), [Functionality](#functionality-for-windows-app-protection-policy) | ++## Data Transfer ++### Data Transfer for iOS/iPadOS app protection policy ++The **Data Transfer** section of the **Data Protection** settings for a iOS/iPadOS specific app protection policy has settings that are specific to the iOS/iPadOS platform. These settings determine how end-users interact with org data in the iOS/iPadOS apps on a device. You select settings to allow or block iTunes and iCloud backups, determine how apps can send and receive org data, restrict end-user initiated data movement between apps, and prevent third-party keyboards. +++### Data Transfer for Android app protection policy ++The **Data Transfer** section of the **Data Protection** settings for an Android specific app protection policy has settings that are also specific to the Android platform. In addition to the commonly offered app protection settings, Android app protection provides additional settings, such as allowing screen capture and Google Assistant. +++### Data Transfer for Windows app protection policy ++The **Data Transfer** section of the **Data Protection** settings for a Windows specific app protection policy has settings that are specific to the Windows platform. 
These DLP settings provide three main options for Android apps. These settings involve how data is received, sent, and moved between apps. +++## Encryption ++Encryption is available for iOS/iPadOS and Android as part of an app protection policy. The **Encryption** section under the **Data Transfer** section, is also part of the **Data Protection** settings. ++> [!IMPORTANT] +> You must choose **Require** to enable encryption of work or school data in an app. ++### Encryption for iOS/iPadOS app protection policy ++ Intune enforces iOS/iPadOS device encryption to protect app data while the device is locked. Applications may optionally encrypt app data using Intune APP SDK encryption. Intune APP SDK uses iOS/iPadOS cryptography methods to apply 128-bit AES encryption to app data. ++When you enable this setting, the user may be required to set up and use a PIN to access their device. If there's no device PIN and encryption is required, the user is prompted to set a PIN with the message "Your organization has required you to first enable a device PIN to access this app." ++> [!NOTE] +> Go to the official Apple documentation to see which iOS encryption modules are FIPS 140-2 compliant or pending FIPS 140-2 compliance. +++### Encryption for Android app protection policy ++Intune uses a wolfSSL, 256-bit AES encryption scheme along with the Android Keystore system to securely encrypt app data. Data is encrypted synchronously during file I/O tasks. Content on the device storage is always encrypted. New files will be encrypted with 256-bit keys. Existing 128-bit encrypted files will undergo a migration attempt to 256-bit keys, but the process is not guaranteed. Files encrypted with 128-bit keys will remain readable. ++> [!NOTE] +> The encryption method is FIPS 140-2 compliant. +++## Functionality ++The **Functionality** section is the last section in the **Data Protection** settings of an app protection policy. This section provides additional data protection settings. 
++> [!TIP] +> Apps may provide additional configuration capability with app configuration policies. For more information, see the app developer's documentation. ++### Functionality for iOS/iPadOS and Android app protection policy ++For iOS/iPadOS and Android app protection policies, you can choose to block policy managed apps from saving data to the device's native apps (like Contacts, Calendar and widgets), or to prevent the use of add-ins within the policy managed apps. If you choose **Allow**, the policy managed app can save data to the native apps or use add-ins, if those features are supported and enabled within the policy managed app. ++Additionally, you can allow or block printing org data, restrict web content transfer with other apps, and determine how org data notifications are handled. When you restrict transferring web content, consider allowing web content to open only in Microsoft Edge. ++> [!NOTE] +> Android and iOS/iPadOS offer sightly different options when restricting transferring web content using app protection policies. For iOS/iPadOS, you can enter a specific protocol for a single unmanaged browser. For Android, You can enter an unmanaged browser ID, or an unmanaged browser name. ++You'll see that iOS/iPadOS offer slightly different app protection functionality: +++Android offers similar functionality to iOS/iPadOS functionality: +++Additionally, Android allows you to select a connection to Microsoft Tunnel VPN when the app specified by your app protection policy is launched. ++### Functionality for Windows app protection policy ++For Windows app protection policies, you can choose to allow or block printing org data. +++> [!IMPORTANT] +> Windows app protection policies allow only Microsoft Edge as the managed app specified in the policy. |
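Review bot: In "Data Transfer for Windows app protection policy", the sentence "These DLP settings provide three main options for Android apps" should say Windows (or be removed), since it sits under the Windows heading and contradicts the preceding statement that the settings are specific to the Windows platform. Smaller fixes in the same hunk: "a iOS/iPadOS specific" should be "an iOS/iPadOS-specific"; "offer sightly different options" should be "slightly"; "For Android, You can enter" needs a lowercase "you"; and the comma in "The **Encryption** section under the **Data Transfer** section, is also part of" is stray.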
solutions | Apps Protect Framework | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-protect-framework.md | + + Title: "Use the app protection framework with Microsoft Intune" ++++audience: ITPro ++description: Use the app protection framework with Microsoft Intune. ++ms.localizationpriority: high ++- highpri ++keywords: +++# Use the app protection framework ++Your organization's data protection requirements may differ from other organizations. For this reason, you can tailor the app protection that you deploy from Intune based on your organization's specific needs. You can use the App protection policy (APP) data protection framework to apply app protection across your organization. The APP data protection framework is organized into three distinct configuration levels, with each consecutive level building off the previous level. ++| Protection level | Description | +||| +| Enterprise basic data protection<br>(Level 1) | This is an entry level configuration that provides similar data protection control in Exchange Online mailbox policies and introduces you and your IT admins APP. Microsoft recommends this configuration as the minimum data protection configuration for an enterprise device. | +| Enterprise enhanced data protection<br>(Level 2) | This protection level, which builds on the previous level, is applicable to most mobile users accessing work or school data. Microsoft recommends this configuration for devices where users access sensitive or confidential information. | +| Enterprise high data protection<br>(Level 3) | This protection level, which also builds on the previous level, is desirable for users that are accessing high risk data. 
Microsoft recommends this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. | ++> [!IMPORTANT] +> Because each protection level builds on the previous, you should consider implementing them in order. ++## Steps before applying the app protection framework ++Once you have followed the [prerequisites](apps-protect-overview.md#prerequisites) and understood the different app data protection settings available for each support platform, you can use the following process to add app protection policies. ++Process to add app data protection: +1. **Determine which platforms you must support at your organization** - For more information about app platforms, see [Supported platforms](apps-protect-overview.md#supported-platforms). +2. **Add one or more protected apps to Intune** - For more information, see [Intune protected apps](/mem/intune/apps/apps-supported-intune-apps). These apps have been enhanced to support Intune app protection policies. If you are uncertain, start with a Core Microsoft App. For more information, see [Apps to include in the App Protection Policies](/mem/intune/apps/app-protection-framework) and [Microsoft apps](/mem/intune/apps/apps-supported-intune-apps#microsoft-apps). +3. **Determine the level of app protection your organization requires**: + 1. [Minimum data protection](apps-protect-step-1.md) + 2. [Enhanced data protection](apps-protect-step-2.md) + 3. 
[High data protection](apps-protect-step-3.md) ++> [!TIP] +> For more information about protected apps, suppported platforms, app store links, supported app configuration, and supported protection, see [Microsoft apps](/mem/intune/apps/apps-supported-intune-apps#microsoft-apps). ++## Steps to apply the app protection framework ++This solution steps you through the process of creating app protection policies in Microsoft Intune for specific apps and assigning those policies to members of your organization. Once you've completed the above [prerequisites](apps-protect-overview.md#prerequisites), you're ready to create app protection policies for your organization in Intune. Using configuration and protection policies as part of your app management efforts allows members of your organization to safely use apps. By managing apps at your organization, you help to protect and secure your organizationΓÇÖs data. ++Follow these steps to add the recommended settings when adding app protection policies in Intune: +1. [Apply minimum data protection](apps-protect-step-1.md) +2. [Apply enhanced data protection](apps-protect-step-2.md) +3. [Apply high data protection](apps-protect-step-3.md) +4. [Understand app protection delivery](apps-protect-step-4.md) +5. [Verify and monitor app protection](apps-protect-step-5.md) +6. [Use app protection actions](apps-protect-step-6.md) ++[:::image type="content" source="../medi) ++After you completed the above steps, you are ready to deploy, manage, and monitor the managed apps your organization uses. |
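Review bot: the image reference `[:::image type="content" source="../medi)` is truncated and will not render; restore the full path and alt text or remove it. The Level 1 row of the table is ungrammatical ("provides similar data protection control in Exchange Online mailbox policies and introduces you and your IT admins APP"); suggest "provides data protection controls similar to Exchange Online mailbox policies and introduces you and your IT admins to APP". Fix "suppported" in the Tip and the mis-encoded apostrophe in "organizationΓÇÖs". The front matter (`Title:` preceded by stray `+ +`, a bare `- highpri` with no key, an empty `keywords:`) looks mangled; check that the YAML header in the source file is intact.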
solutions | Apps Protect Health Checks | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-protect-health-checks.md | + + Title: "Understand app protection health checks using Microsoft Intune" ++++audience: ITPro ++description: Understand app protection health checks using Microsoft Intune. ++ms.localizationpriority: high ++- highpri ++keywords: +++# Understand app protection health checks ++Much like **Conditional Launch** settings for iOS/iPadOS and Android app protection policies, **Health checks** for Windows app protection policies allow you to also configure conditional launch capabilities. To do this, you must set the health check conditions for your app protection policy. Select a **Setting** and enter the **Value** that users must meet to access your org data. Then select the **Action** you want to take if users do not meet your conditionals. In some cases, multiple actions can be configured for a single setting. ++## Health checks for Windows app protection policy ++Windows app condition settings allow similar settings configuration to the other supported platforms, however you cannot set a **Max PIN attempts**. ++| App condition setting | Windows | iOS/iPadOS | Android | +|::|::|::|::| +| Max PIN attempts | Γ£û | Γ£ö | Γ£ö | +| Office grace period | Γ£ö | Γ£ö | Γ£ö | +| Min app version | Γ£ö | Γ£ö | Γ£ö | +| Max SDK version | Γ£ö | Γ£ö | Γ£û | +| Disabled account | Γ£ö | Γ£ö | Γ£ö | +++Windows device condition settings are also available for Windows app protection settings. + |
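Review bot: the app condition table lists "Office grace period", but the Intune conditional launch setting is "Offline grace period"; rename it. The closing sentence, "Windows device condition settings are also available for Windows app protection settings.", introduces device conditions that are never listed; add that table or link the Windows settings reference. The check and cross marks render as "Γ£ö" and "Γ£û" here; confirm the file is saved as UTF-8. Minor: "if users do not meet your conditionals" should read "conditions", and "Windows app condition settings allow similar settings configuration to the other supported platforms, however you cannot set" is a comma splice.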
solutions | Apps Protect Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-protect-overview.md | + + Title: "Secure and protect apps using Microsoft Intune" ++++audience: ITPro ++description: Secure and protect apps using Microsoft Intune. ++ms.localizationpriority: high ++- highpri ++keywords: +++# Secure and protect apps using Microsoft Intune ++Once you've [set up and deployed the capabilities of Intune](/microsoft-365/solutions/apps-guide-overview#deploying-intune), [added the apps you want to manage to Intune](/microsoft-365/solutions/apps-add-overview), and [configured the apps that you manage in Intune](/microsoft-365/solutions/apps-config-overview), you can begin the process of creating app protection policies. App protection policies (APP) are rules that ensure your organization's data remains safe and contained in a managed app. These policies enforce how your end-users access and move "corporate" data, as well as how you control actions that are prohibited or monitored when end-users are using the app. This enforcement allows you to control how data is accessed and shared by apps on mobile devices at your organization. ++The content provided in this solution will help you understand the different aspects of app protection for each of the supported platforms. In addition, this solution will step you through creating your app protection policies based on our recommended settings for basic, enhanced, and high level app protection. ++Managed apps are apps that you have assigned to users via a unified endpoint management provider, such as Intune. Managed apps support app protection policies, as well as app configuration policies. These apps use mobile application management (MAM) that is provided by the unified endpoint management provider. MAM enables organizations to manage and protect their data within an application. 
A managed app in Intune is a [protected app](/mem/intune/apps/apps-supported-intune-apps) that has Intune app protection policies applied to it and is assigned and managed by Intune. A managed app has either integrated the Intune App SDK or has been wrapped using the Intune Wrapping Tool to support App Protection Policies (APP) and/or app configuration policies. You can use MAM policies to configure and protect apps on unmanaged devices, which are your end-user's personal devices that aren't MDM enrolled in Intune. ++> [!TIP] +> For information about when you should consider deploying MAM policies, see [Migration guide: Set up or move to Microsoft Intune](/mem/intune/fundamentals/deployment-guide-intune-setup). ++Using app protection policies provides the benefit of protecting your organization's data at the app level. For end-users, productivity isn't affected and app protection policies don't apply when end-users are using the app in a personal context. There are several situations where you commonly should use app protection policies. For instance, if your end-users are using their personal device, you may want to use an app protection policy to control the access to the app by using a PIN. You may want to enforce data sharing restrictions that your organization's data isn't shared with nonmanaged apps. Also, you may want to prevent end-users from saving organization data to personal locations. For more information, see [Benefits of using App protection policies](/mem/intune/apps/app-protection-policy#benefits-of-using-app-protection-policies). ++> [!IMPORTANT] +> You can use Intune to help enforce a [Zero Trust](/security/zero-trust/zero-trust-overview) security strategy for your organization. Zero Trust is an approach to use when designing and implementing a set of security principles. 
For more information, see [Zero Trust with Microsoft Intune](/mem/intune/fundamentals/zero-trust-with-microsoft-intune) and [Zero Trust identity and device access configurations](/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-overview). ++Organizations can use app protection policies with and without Mobile Device Management (MDM) at the same time. For example, consider an end-user (employee or organization member) that uses both a phone issued by the company, and their own personal tablet. The organization issued phone is enrolled in MDM and protected by app protection policies, while the personal device is protected by app protection policies only. ++## Supported platforms ++There are three primary platforms that are supported when creating an app protection policy in Intune. ++| Platform | Description | +||| +| iOS/iPadOS | You can apply app protection policies to iOS/iPadOS apps that have been developed to support Intune app protection capabilities. You can apply app protection to groups of users that sign into iOS/iPadOS devices. Specifically, you can apply app protection based on data protection, access requirements, and conditional launch settings within an app protection policy for iOS/iPadOS. For more information, see [iOS app protection policy settings in Microsoft Intune](/mem/intune/apps/app-protection-policy-settings-ios). | +| Android | You can apply app protection policies to Android apps that have been developed to support Intune app protection capabilities. You can apply app protection to groups of users that sign into Android devices. Specifically, you can apply app protection based on data protection, access requirements, and conditional launch settings within an app protection policy for Android. For more information, see [Android app protection policy settings in Microsoft Intune](/mem/intune/apps/app-protection-policy-settings-android). 
| +| Windows | Currently, you can apply app protection policies to Microsoft Edge for Windows devices. Using Microsoft Edge, you can control how your organization's data is accessed. You can apply app protection to groups of users that sign in to Windows devices. Specifically, you can apply app protection based on data protection and health checks settings within an app protection policy for Windows. Data protection settings allow you to control how the movement of data into and out of your organization (org) context. The org context is defined by documents, services, and sites accessed by the specified org account. You can use app protection policy settings to help control external data received into the org context and org data sent out of the org context. These settings include receiving and sending org data. Also, you can implement Data Loss Prevention (DLP) controls, like cut, copy, paste, and save-as restrictions. Additionally, you can allow or block printing of org data. For more information, see [App protection policy settings for Windows](/mem/intune/apps/app-protection-policy-settings-windows). | ++For a more information about supported platforms, see [App management capabilities by platform](/mem/intune/apps/app-management#app-management-capabilities-by-platform). ++## Supported apps ++For iOS/iPadOS and Android platforms, you can apply app protection policies to any managed app that has been developed to support Intune app protection capabilities. The managed app has either integrated the [Intune App SDK](/mem/intune/developer/app-sdk) or has been wrapped using the [Intune App Wrapping Tool](/mem/intune/developer/apps-prepare-mobile-application-management#intune-app-wrapping-tool). For the Windows platform, you can enable data protection of corporate data on personal Windows devices using [Windows MAM](/mem/intune/apps/protect-mam-windows). Windows MAM is where you apply app protection policies to Microsoft Edge for Windows. 
Microsoft Edge, as well as most Microsoft applications, have been integrated to support Intune by using the Intune App SDK. For a list of apps that include SDK integration, see [Microsoft Intune protected apps](/mem/intune/apps/apps-supported-intune-apps). ++## Prerequisites ++Before you can protect apps with Microsoft Intune, you must follow a few prerequisites to set up Intune, as well as understand key app management configurations. ++> [!NOTE] +> If you're new to Intune, start with the [Microsoft Intune free trial](/mem/intune/fundamentals/free-trial-sign-up). Trying out Intune is free for 30 days. When you complete the sign-up process, you'll have a new tenant that you can use to evaluate Intune. A tenant is a dedicated instance of [Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-whatis) (Microsoft Entra ID) where your subscription to Intune is hosted. You can then configure the tenant, which involves many capabilities that you can use to protect your organization. One of those involves adding and configuring apps for Intune. ++Follow these steps if you haven't already set up Intune and added the apps you need to manage and protect: +1. Set up and [deploy Intune](/microsoft-365/solutions/apps-guide-overview#deploying-intune&preserve-view=true) +2. Understand [application protection](apps-protect-overview.md#app-protection) +3. [Understand app types](/microsoft-365/solutions/apps-guide-overview#understand-app-types&preserve-view=true) +4. [Add apps to Intune](/microsoft-365/solutions/apps-add-overview) ++> [!IMPORTANT] +> To use Microsoft Intune beyond the free trial, you'll need to acquire a license from Microsoft. For more information about licenses that include Microsoft Intune, see [Microsoft Intune licensing](/mem/intune/fundamentals/licenses). +> +> Although many apps that you can deploy to the members of your organization are free, some apps may require either a license, subscription, or account for each user to use the app. 
For more information about app licenses, see [Understand app licenses used in Intune](/microsoft-365/solutions/apps-license-overview). ++## App protection ++App protection can be applied to supported managed apps on supported device platforms that are either enrolled with Microsoft Intune, enrolled in a third-party Mobile device management (MDM) solution, or aren't enrolled in any mobile device management solution. ++When creating an app protection policy, you choose the following details in the following order: ++1. The platform +2. The app you want to protect +3. The data protection settings for the app +4. The access requirements for the app +5. The conditional launch settings for the app ++In addition to the above list, you can also choose [scope tags](/mem/intune/fundamentals/scope-tags) and [app assignments](/mem/intune/apps/apps-deploy). ++> [!IMPORTANT] +> The Intune Company Portal app is required on Android devices because it enables device users to receive app protection policies as a [Device Policy Controller](https://support.google.com/work/android/answer/6192678). It enables device users to receive app protection policies. For more information, see [How to configure the Intune Company Portal apps, Company Portal website, and Intune app](/mem/intune/apps/company-portal-app) and [Customize and configure the Company Portal](/microsoft-365/solutions/apps-config-step-1). ++### App protection categories by platform ++Different app protection settings are available for each supported platform. It's important to recognize that the iOS/iPadOS and Android platform have the same app protection categories. However, Windows is different. The Windows platform protects organization data by managing the flow of data through Microsoft Edge to your organization's storage locations. 
+++> [!TIP] +> To see where app protection and compliance policies fit into the overall Intune architecture, see [High-level architecture for Microsoft Intune](/mem/intune/fundamentals/high-level-architecture). ++When you create an app protection policy, you choose the platform, the app to target, as well as the specific settings from the app protection categories. ++### How app protection policies protect app data ++Your end-users (members of your organization) use mobile devices for both personal and work tasks. While making sure your end-users can be productive, you want to prevent your organization's data from moving to locations where you cannot secure it, for both intentional and unintentional situations. You'll also want to protect company data that is accessed from devices that aren't managed by you. You can use Intune app protection policies independent of any mobile device management (MDM) solution. This independence helps you protect your company's data with or without enrolling devices in a device management solution. By implementing app-level protection policies, you can restrict access to company resources and keep data within the purview of your IT department. ++When apps are used without restrictions, company and personal data can get intermingled. Company data can end up in locations like personal storage or transferred to apps beyond your purview and result in data loss. The following table provides details about data, device, and app protection. ++| Data, device, and app protection | Description | +||| +| Apps without app protection policies | When apps are used without restrictions, company and personal data can get intermingled. Company data can end up in locations like personal storage or transferred to apps beyond your purview and result in data loss. | +| Data protection with app protection policies | You can use App protection policies to prevent company data from saving to the local storage of the device. 
You can also restrict data movement to other apps that aren't protected by App protection policies. | +| Data protection with app protection policies on managed devices | Provides both app and device management and protection. | +| Data protection with app protection policies for devices without enrollment | App protection policies can help protect company data at the app level. However, there are limitations related to deploying apps, provisioning device certificate profiles, and provisioning device organization settings. You can avoid these limitations by enrolling and managing the devices in Intune. | ++For more information, see [How app protection policies protect app data](/mem/intune/apps/app-protection-policy#how-app-protection-policies-protect-app-data). ++## What's in this solution ++This solution helps you understand app data protection in Microsoft Intune. In addition, this solution provides recommended steps for creating app protection policies in Intune for specific apps and assigning those policies to members of your organization. Once you've completed the above [prerequisites](#prerequisites), you're ready to create app protection policies for your organization in Intune. Using configuration and protection policies as part of your app management efforts allows members of your organization to safely use apps. By managing apps at your organization, you help to protect and secure your organizationΓÇÖs data. ++To learn about app protection in Intune, see the following topics: +- [Understand app data protection](apps-protect-data-protection.md) +- [Understand app protection access requirements](apps-protect-access-requirements.md) +- [Understand app protection conditional launch](apps-protect-conditional-launch.md) +- [Understand app protection health checks](apps-protect-health-checks.md) ++To follow the recommended settings when adding app protection policies in Intune, see the following topics: +1. 
[Apply minimum data protection](apps-protect-step-1.md) +2. [Apply enhanced data protection](apps-protect-step-2.md) +3. [Apply high data protection](apps-protect-step-3.md) +4. [Understand app protection delivery](apps-protect-step-4.md) +5. [Verify and monitor app protection](apps-protect-step-5.md) +6. [Use app protection actions](apps-protect-step-6.md) ++[:::image type="content" source="../medi) ++After you've completed the above steps, you're ready to deploy, manage, and monitor the managed apps your organization uses. |
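Review bot: in the Supported platforms table, the Windows row contains "Data protection settings allow you to control how the movement of data into and out of your organization (org) context.", which has no verb for "the movement"; suggest "allow you to control the movement of data into and out of your organization (org) context." The Important callout in the App protection section repeats itself ("...as a Device Policy Controller. It enables device users to receive app protection policies."); drop the second sentence. Also: "For a more information about supported platforms" (drop "a"), "[Microsoft Entra ID](...) (Microsoft Entra ID)" repeats the name in the parenthetical, "the iOS/iPadOS and Android platform have" should be "platforms have", the `[:::image type="content" source="../medi)` reference at the end is truncated and will not render, and "organizationΓÇÖs" carries a mis-encoded apostrophe.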
solutions | Apps Protect Step 1 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-protect-step-1.md | + + Title: "Step 1. Apply minimum data protection" ++++audience: ITPro ++description: Step 1. Apply minimum data protection. ++ms.localizationpriority: high ++- highpri ++keywords: +++# Step 1. Apply enterprise basic data protection ++Once you have followed the [prerequisites](apps-protect-overview.md#prerequisites), determined which platforms you must support at your organization, understood the different [app data protection categories available for each support platform](apps-protect-overview.md#app-protection-categories-by-platform), and completed the [steps needed before applying the app protection framework](apps-protect-framework.md#steps-before-applying-the-app-protection-framework), you're ready to add app protection policies. ++Level 1 is the minimum data protection configuration for an enterprise mobile device. This configuration replaces the need for basic Exchange Online device access policies by requiring a PIN to access work or school data, encrypting the work or school account data, and providing the capability to selectively wipe the school or work data. However, unlike Exchange Online device access policies, the below App Protection Policy settings apply to all the apps selected in the policy, thereby ensuring data access is protected beyond mobile messaging scenarios. ++The policies in level 1 enforce a reasonable data access level while minimizing the impact to users and mirror the default data protection and access requirements settings when creating an App Protection Policy within Microsoft Intune. ++## Recommended app protection settings ++Use the following recommended app protection settings when creating and applying Intune app protection for Level 1 enterprise basic data protection. 
++## Next step ++[:::image type="content" source="../medi) ++Continue with [Step 2](apps-protect-step-2.md) to apply enhanced data protection in Microsoft Intune. |
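Review bot: the Recommended app protection settings section ends right after "Use the following recommended app protection settings...", so no settings are listed; the table or include that sentence introduces is missing from this change. The front-matter title says "Step 1. Apply minimum data protection", the H1 says "Step 1. Apply enterprise basic data protection", and the framework article links to the page as "Minimum data protection"; pick one name. The `[:::image type="content" source="../medi)` reference is truncated.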
solutions | Apps Protect Step 2 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-protect-step-2.md | + + Title: "Step 2. Apply enhanced data protection" ++++audience: ITPro ++description: Step 2. Apply enhanced data protection ++ms.localizationpriority: high ++- highpri ++keywords: +++# Step 2. Apply enhanced data protection ++Level 1 is the minimum data protection configuration for an enterprise mobile device. This configuration replaces the need for basic Exchange Online device access policies by requiring a PIN to access work or school data, encrypting the work or school account data, and providing the capability to selectively wipe the school or work data. However, unlike Exchange Online device access policies, the below App Protection Policy settings apply to all the apps selected in the policy, thereby ensuring data access is protected beyond mobile messaging scenarios. ++The policies in level 1 enforce a reasonable data access level while minimizing the impact to users and mirror the default data protection and access requirements settings when creating an App Protection Policy within Microsoft Intune. ++## Recommended app protection settings ++Use the following recommended app protection settings when creating and applying Intune app protection for Level 2 enterprise enhanced data protection. ++## Next step ++[:::image type="content" source="../medi) ++Continue with [Step 3](apps-protect-step-3.md) to apply high data protection in Microsoft Intune. |
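Review bot: the body of this Step 2 article is the Level 1 text from Step 1 ("Level 1 is the minimum data protection configuration..." and "The policies in level 1 enforce..."), so the page describes minimum protection under an "Apply enhanced data protection" heading; replace it with a Level 2 description (what it adds over Level 1 and which users it is for, as the framework article's table puts it). As in Step 1, the Recommended app protection settings section lists no settings, and the image reference is truncated.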
solutions | Apps Protect Step 3 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-protect-step-3.md | + + Title: "Step 3. Apply high data protection" ++++audience: ITPro ++description: Step 3. Apply high data protection ++ms.localizationpriority: high ++- highpri ++keywords: +++# Step 3. Apply high data protection +++++## Recommended app protection settings ++Use the following recommended app protection settings when creating and applying Intune app protection for Level 3 enterprise high data protection. +++## Next step ++[:::image type="content" source="../medi) ++Continue with [Step 4](apps-protect-step-4.md) to understand app protection delivery in Microsoft Intune. |
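Review bot: this Step 3 article has no body: nothing follows the "Step 3. Apply high data protection" heading, and the Recommended app protection settings section ends after its lead sentence, so the reader gets neither a description of Level 3 nor the settings. Add the Level 3 description (the framework article's table already states the intended audience) and the settings table, and fix the truncated `[:::image type="content" source="../medi)` reference.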
solutions | Apps Protect Step 4 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-protect-step-4.md | + + Title: "Step 4. Understand app protection delivery" ++++audience: ITPro ++description: Step 4. Understand app protection delivery. ++ms.localizationpriority: high ++- highpri ++keywords: +++# Step 4. Understand app protection delivery +++> [!IMPORTANT] +> You can require that an Intune app protection policy is present for the client app before access is available to the selected applications. For more information, see [Require app protection policy](/entra/identity/conditional-access/concept-conditional-access-grant#require-app-protection-policy). ++Before an app protection policy can be used to protect an app on a device, the policy must be delivered and applied to the user at your organization. There are several timing reasons and remedies that impact app protection policy delivery. ++Common user state issues that impact the delivery of app protection policies: +- **Issue**: Tenant not on-boarded.<br> + **Solution**: You must set up your tenant for Intune. +- **Issue**: User isn't licensed.<br> + **Solution**: You must assign an Intune license to the user. +- **Issue**: User isn't assigned app protection policies.<br> + **Solution**: You must assign app protection policy settings to the user. +- **Issue**: User is assigned an app protection policy, but the related app isn't included in the policy.<br> + **Solution**: You must include the app that you want to protect in the app protection policy. +- **Issue**: User successfully registered for Intune MAM, however they haven't had the app protection policy applied yet.<br> + **Solution**: Intune typically takes 30 minutes to register users. ++For specific timing for each of the above issues, see [Delivery timing summary](/mem/intune/apps/app-protection-policy-delivery#delivery-timing-summary). 
++## Limiting app extensions ++You can limit Outlook add-ins and LinkedIn account connections as a method of protecting your organization's data. Outlook add-ins are available to integrate extended functionality for Outlook. These add-ins are available on the web. You can't directly manage these add-ins using Intune. However, you can remove specific roles for your end-users that will prevent them from installing and side-loading add-ins. ++Additionally, you can disable LinkedIn account connections for your entire organization, or you can enable LinkedIn account connections for selected user groups in your organization. These settings affect LinkedIn connections across Microsoft 365 apps on all platforms (web, mobile, and desktop). ++For more information, see [Protecting application extensions](/mem/intune/apps/app-protection-policy-extensions). ++## Next step ++[:::image type="content" source="../medi) ++Continue with [Step 5](apps-protect-step-5.md) to verify and monitor app protection in Microsoft Intune. |
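Review bot: the last issue/solution pair ("User successfully registered for Intune MAM, however they haven't had the app protection policy applied yet" / "Intune typically takes 30 minutes to register users") gives a timing fact where the other entries give an action; state the remedy, that is, wait for the next policy sync or trigger one, then re-check the report. "There are several timing reasons and remedies that impact app protection policy delivery" is unclear; suggest "Delivery depends on timing, and each of the user states below has a remedy." In Limiting app extensions, "you can remove specific roles for your end-users" names neither the roles nor where they are configured, even though the preceding sentence says they are not managed in Intune; name the service and link the specific guidance rather than only the general extensions article. The `[:::image type="content" source="../medi)` reference is truncated.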
solutions | Apps Protect Step 5 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-protect-step-5.md | + + Title: "Step 5. Verify and monitor app protection" ++++audience: ITPro ++description: Step 5. Verify and monitor app protection ++ms.localizationpriority: high ++- highpri ++keywords: +++# Step 5. Verify and monitor app protection ++You can verify and monitor the status of the app protection policies that you've applied to users from Intune. The **App protections status** report provides the name and email of the user, the app protection status, the app protection policy targeted to the related app for the user, and the timestamp of the last sync of the app with Microsoft Intune. Additionally, there are several other details provided in the **App protection status** report that can be used to filter the success of applied app protection policies. ++> [!NOTE] +> App protection data is retained for a minimum of 90 days. Any app instances that have checked in to the Intune service within the past 90 days is included in the app protection status report. ++Before checking on successfully deployed app protection policies, check to make sure the user has installed the app. For more information, see the following reports: +- [App Install Status report](/mem/intune/fundamentals/reports#app-install-status-report-operational) +- [User Install Status for apps report](/mem/intune/fundamentals/reports#user-install-status-for-apps-report-operational) +- [Managed Apps report](/mem/intune/fundamentals/reports#user-install-status-for-apps-report-operational) ++To verify an app protection policy, start by viewing the **App protection status** report in Intune (**Apps** > **Monitor** > **App protection status**). Next, export your data so you can filter and sort the results. You will need to filter the **App Protection Status** column to determine whether the related app is unprotected by not being targeted with a MAM policy. 
You will want to sort the list by **App**. Determine whether the end-user is licensed for app protection and Microsoft 365. If they are not licensed, assign an [Intune license](/mem/intune/fundamentals/licenses) and/or a [Microsoft 365 license](/mem/intune/fundamentals/licenses) to the user. If a user's app is listed as **Not checked in**, check if you've correctly configured the app protection policy for that app. In addition, look for issues based on **App version** and **Platform**. If you find a particular set of users that need an app protection policy for a specific app, verify the last sync of the app with Intune. ++> [!NOTE] +> Ensure that the conditions of your app protection policy applies across all end-users that must have the policy. ++For more information, see [How to validate your app protection policy setup in Microsoft Intune](/mem/intune/apps/app-protection-policies-validate). ++## App protection logs ++You can enable and collect app protection logs by enabling Intune Diagnostics on the end-user's device. Each platform has a different process to enable and collect app logs. For more information, see [Review client app protection logs](/mem/intune/apps/app-protection-policy-settings-log). ++## Intune diagnostics ++The Intune Company Portal app has multiple options for gathering diagnostic information. +The Company Portal includes UI that: +- Enables end users to gather Company Portal logs. +- Displays device and account metadata. +- Includes per-app information about the current MAM policy. +++End users can also launch the Company Portal's diagnostic console through Microsoft Edge, by entering `about:intunehelp` in the address bar to assist in debugging. ++> [!IMPORTANT] +> Diagnostics information for the device is only available when the Company Portal is installed on device. ++## Next step ++[:::image type="content" source="../medi) ++Continue with [Step 6](apps-protect-step-6.md) to use app protection actions in Microsoft Intune. |
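Review bot: the third report bullet, "Managed Apps report", links to the same anchor as the bullet above it (#user-install-status-for-apps-report-operational); point it at the Managed Apps report anchor. The Intune license and Microsoft 365 license links both go to /mem/intune/fundamentals/licenses; the Microsoft 365 one needs its own target. The report is called "App protections status" in the first paragraph and "App protection status" elsewhere; standardize. Since the Note says only app instances that checked in within the past 90 days appear in the report, the validation paragraph should say that a user missing from it may never have launched the app with the work account, before it sends the admin to licensing. Under Intune diagnostics, "The Company Portal includes UI that:" is followed by its bullets and then an empty gap where a screenshot presumably went. Grammar: "Any app instances that have checked in ... is included" (are), "Ensure that the conditions of your app protection policy applies" (apply). The `[:::image type="content" source="../medi)` reference is truncated.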
solutions | Apps Protect Step 6 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-protect-step-6.md | + + Title: "Step 6. Use app protection actions" ++++audience: ITPro ++description: Step 6. Use app protection actions. ++ms.localizationpriority: high ++- highpri ++keywords: +++# Step 6. Use app protection actions ++In addition to applying conditional launch actions as part of your app protection policy, you can remove organizational or corporate app data by creating a device based wipe request or a user based wipe request. Applying this form of protection is done when either a member of your organization leaves, the devices is lost, or the device is stolen. This method only removes your organization data, not personal data on the device. ++## Device based wipe ++You can create a device based wipe request for an end-user. Sometimes end-users have multiple devices, such as a tablet and a phone. You can choose which device to wipe. In addition, you can see the state of the wipe request in Intune. For more information, see [Create a device based wipe request](/mem/intune/apps/apps-selective-wipe#create-a-device-based-wipe-request). ++## User based wipe ++You can also create a user based wipe request. This wipe request removes organizational data from all apps on all the user's devices that are managed by Intune. You can also see the state of the wipe request in Intune. For more information, see [Create a user based wipe request](/mem/intune/apps/apps-selective-wipe#create-a-user-based-wipe-request). 
++## Additional actions ++In addition to the above actions, you can also do the following actions: +- [Monitor your wipe requests](/mem/intune/apps/apps-selective-wipe#monitor-your-wipe-requests) +- [Delete a device wipe request](/mem/intune/apps/apps-selective-wipe#delete-a-device-wipe-request) +- [Delete a user wipe request](/mem/intune/apps/apps-selective-wipe#delete-a-user-wipe-request) ++## After securing and protecting apps in Intune ++Once you have reviewed and completed the steps provided in this solution, you're ready to configure, protect, assign, and monitor the managed apps your organization uses. ++For more information about how to proceed, see the following articles: +- [App configuration policies for Microsoft Intune](/mem/intune/apps/app-configuration-policies-overview) +- [App protection policies overview](/mem/intune/apps/app-protection-policy) +- [Data protection framework using app protection policies](/mem/intune/apps/app-protection-framework) +- [Assign apps to groups with Microsoft Intune](/mem/intune/apps/apps-deploy) +- [Monitor app information and assignments with Microsoft Intune](/mem/intune/apps/apps-monitor) |
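Review bot: in "User based wipe", the sentence "removes organizational data from all apps on all the user's devices that are managed by Intune" is ambiguous about whether "managed by Intune" qualifies the apps or the devices; since the previous step targets apps with MAM policies rather than enrolled devices, state explicitly which is meant so an admin does not conclude that device enrollment is required for the wipe to take effect. In the intro paragraph, "the devices is lost" should be "the device is lost", and "device based wipe" / "user based wipe" should be hyphenated ("device-based", "user-based") consistently in headings and body text. The "Additional actions" lead-in "you can also do the following actions" repeats "actions"; "you can also:" followed by the list reads cleaner.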
