+- To set up directory synchronization with your on-premises Active Directory, see [Set up directory synchronization for Microsoft 365](../../enterprise/set-up-directory-synchronization.md), and to understand the different identity models in Microsoft 365, read [Deploy your identity infrastructure for Microsoft 365](../../enterprise/deploy-identity-solution-overview.md).

+ Title: "Migrate Google files to Microsoft 365 for business with Migration Manager"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- M365-subscription-management

+- Adm_O365

+- AdminSurgePortfolio

+- adminvideo

+monikerRange: 'o365-worldwide'

+search.appverid:

+- BCS160

+- MET150

+- MOE150

+description: "Learn how to migrate Google files to Microsoft 365 for business by using the SharePoint Migration Manager."

+# Migrate Google files to Microsoft 365 for business with Migration Manager

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWSx43?autoplay=false]

+When you move to Microsoft 365 for business from Google Workspace, you'll want to migrate your files from Google Drive. You can use the SharePoint Migration Manager to move files from personal and shared Drives. This video and summary of the required steps gives you an overview of how to do this. For more information, see [Migrate Google Workspace to Microsoft 365 with Migration Manager](/sharepointmigration/mm-google-overview).

+> [!NOTE]

+> Migration Manager will make a copy of the files and move the copies to Microsoft 365 for business. The original files will stay in Google Drives also.

+## Before you start

+All the users should have signed in to Microsoft 365 for business and set up their OneDrive for Business. To do this, go to [office.com](https://office.com), sign in with your Microsoft 365 for business credentials, and then choose OneDrive.

+## Try it!

+### Install the Microsoft 365 Migration App

+Use the following steps to install the Microsoft 365 Migration app in your Google Workspace environment.

+1. In the SharePoint Admin Center, select **Migration**.

+2. On the **Migration** page, in the **Google Workspace** section, select **Get Started**.

+3. On the **Migrate your Google Workspace content to Microsoft 365** page, select **Connect to Google Workspace**.

+4. Select **Install and authorize**.

+5. On the **Google Workspace Marketplace** page, select **Sign in** and enter your Google Workspace admin credentials.

+6. Select **Domain Install**.

+7. Select **Continue**.

+8. Select the checkbox, then select **Allow**.

+9. When the installation completes, select **Done**.

+10. Return to the **Install the migration app** page, and select **Next**.

+11. Select **Sign in to Google Workspace**, and then enter your Google Workspace admin credentials.

+12. Select **Finish**.

+### Select and scan your drives

+After installing the Microsoft 365 Migration App in your Google environment, you can now select the drives you want to migrate and then scan them to make sure that they are safe to copy to Microsoft 365.

+1. On the **Scan** tab, select the Google drives you want to copy to Microsoft 365.

+2. Select **Scan**. When the scan completes, the drives will show a scan status of **Ready to migrate**.

+3. Select **Copy to migration**.

+### Start the migration

+After selecting and scanning the drives you want to migrate, use the following steps to migrate them.

+1. On the **Migration** tab, verify the destination paths of the drives you want to migrate. Edit them if needed.

+2. Select the drives you want to migrate, then select **Migrate**.

+3. When migration successfully completes, each drive will show a **Migration status** of **Completed**.

+You can use the following steps to move your data, email, and users from Google Workspace to Microsoft 365 for business. Use the articles and videos in each step to help you prepare and configure your environment to migrate and use the migration tools available to you in the Microsoft Admin center.

+|Step 8|Use [Migration Manager to move everyone's data](migrate-files-migration-manager.md) from Drive to OneDrive and from shared Drives to Team sites.</br> In this step, all the data in personal and shared Drives is copied and moved to Microsoft 365.|

+We use the registration number (also referred to as a Tax Identification Number (TIN)) to review the details of your account. This lets us determine if Microsoft can provide you products and services. For information about what registration numbers are needed for a country or region, see [Tax Identification Numbers](https://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/).

+If you donΓÇÖt have a valid registration number, see [Tax Identification Numbers](https://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/).

+If your billing profile is backed by an invoice, you get an email when your billing statement is ready to view. This email doesnΓÇÖt contain a copy of your billing statement. However, you can choose to [receive your organization's invoices as email attachments](manage-billing-notifications.md#receive-your-organizations-invoices-as-email-attachments). Your billing statement includes details about your options for making a payment, and where to send it. If you enter a purchase order (PO) number in your billing profile, the number appears on your billing statement. For information about accessing billing statements, see [View your bill or invoice](view-your-bill-or-invoice.md).

+You can pay for your subscription with a credit or debit card, or a bank account. When you pay with one of these payment methods, we continue to charge that payment method until the subscription expires, or is canceled. You can [manage payment methods](manage-payment-methods.md) whenever you need to. You can also choose to [receive your organization's invoices as email attachments](manage-billing-notifications.md#receive-your-organizations-invoices-as-email-attachments).

+If you pay by invoice for your subscription, you get an email when your billing statement is ready to view. This email doesnΓÇÖt contain a copy of your billing statement. However, you can choose to [receive your organization's invoices as email attachments](manage-billing-notifications.md#receive-your-organizations-invoices-as-email-attachments). Your billing statement includes details about your options for making a payment, and where to send it. If you enter a purchase order (PO) number when you buy a subscription, the number appears on your billing statement. For information about accessing billing statements, see [View your bill or invoice](view-your-bill-or-invoice.md).

+If you want to receive a copy of your billing statement in email, see [Manage billing notifications and invoice attachments](manage-billing-notifications.md).

+|25 or fewer licenses | Cancel your trial or paid subscription online in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a> at any time. |

+To help you track the labels applied from your auto-labeling policies:

+- [Monitoring retention labels](retention.md#monitoring-retention-labels)

+- [Using Content Search to find all content with a specific retention label](retention.md#using-content-search-to-find-all-content-with-a-specific-retention-label)

+- [Auditing retention actions](retention.md#auditing-retention-actions)

+1. Do one of the following:

+ 

+ In this example, to protect sensitive information stored in all OneDrive for Business accounts, turn off the **Status** for both **Exchange email** and **SharePoint sites**, and leave the **Status** on for **OneDrive accounts**.

+To help you track the labels applied from your published retention labeling policies:

+- [Monitoring retention labels](retention.md#monitoring-retention-labels)

+- [Using Content Search to find all content with a specific retention label](retention.md#using-content-search-to-find-all-content-with-a-specific-retention-label)

+- [Auditing retention actions](retention.md#auditing-retention-actions)

+Event-based retention is another supported scenario for retention labels. For more information, see [Start retention when an event occurs](event-driven-retention.md).

+- PowerBI sites

+|PowerBI| workspaces | data-in-use | No|

+|PowerBI|Yes | Yes| No|

+> DLP supports detecting sensitivity labels on emails and attachments See, [Use sensitivity labels as conditions in DLP policies](dlp-sensitivity-label-as-condition.md#use-sensitivity-labels-as-conditions-in-dlp-policies).

+##### Conditions Exchange supports

+##### Conditions Teams chat and channel messages supports

+##### Conditions Microsoft Defender for Cloud Apps supports

+##### Conditions On-premises repositories supports

+##### Conditions PowerBI supports

+- Content contains

+#### Exchange location actions

+#### SharePoint sites location actions

+#### OneDrive account location actions

+#### Teams Chat and Channel Messages actions

+#### Devices actions

+#### Microsoft Defender for Cloud Apps

+#### On-premises repositories

+#### PowerBI actions

+- Notify users with email and policy tips

+- Send alerts to Administrator

+- [Send email notifications and show policy tips for DLP policies](use-notifications-and-policy-tips.md#send-email-notifications-and-show-policy-tips-for-dlp-policies).

+- Items that have been deleted from the mailbox will follow one of two paths depending on if they are labeled or not:

+ - **Unlabeled items** will follow the same path deleted items take when no holds apply to the mailbox. The time that it takes for these items to be permanently deleted is determined by the [deleted item retention](/exchange/security-and-compliance/recoverable-items-folder/recoverable-items-folder#deleted-item-retention) configuration and whether [single item recovery](/exchange/security-and-compliance/recoverable-items-folder/recoverable-items-folder#single-item-recovery) is enabled for the mailbox or not.

+ - **Labeled items** will be retained within the [recoverable items folder](/exchange/security-and-compliance/recoverable-items-folder/recoverable-items-folder#recoverable-items-folder) in the same way they would be if a Microsoft 365 retention policy applied, but at the individual item level. If multiple items have different labels that are configured to *retain* or *retain and then delete* content at different intervals, each item will be retained based on the configuration of the applied label.

+- Other holds, such as Microsoft 365 retention policies, eDiscovery holds or litigation hold can extend how long labeled items are retained based on the [principles of retention](retention.md#the-principles-of-retention-or-what-takes-precedence).

+### Obtain the GUIDs for any organization-wide retention policies applied to mailboxes

+ - Teams admin center

+|application/octet-stream|Yes|No|No|No|No|.fluid|

+> [!NOTE]

+> If two or more document understanding models are applied to the same library, the uploaded file is classified using the model that has the highest average confidence score. The extracted entities will be from the applied model only. <br><br>If a custom form processing model and document understanding model are applied to the same library, the file is classified using the document understanding model and any trained extractors for that model. If there are any empty columns that match the form processing model, the columns will be populated using those extracted values.

+> [!NOTE]

+> If a custom form processing model and document understanding model are applied to the same library, the file is classified using the document understanding model and any trained extractors for that model. If there are any empty columns that match the form processing model, the columns will be populated using those extracted values.

+ Title: Prebuilt models overview in Microsoft SharePoint Syntex

+audience: admin

+ms.customer: intro-overview

+search.appverid:

+ - enabler-strategic

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Learn about prebuilt models in Microsoft SharePoint Syntex.

+# Prebuilt models overview in Microsoft SharePoint Syntex

+In addition to [document understanding models](document-understanding-overview.md) and [form processing models](form-processing-overview.md), SharePoint Syntex provides prebuilt models to automate the extraction of information.

+Prebuilt models are pretrained to recognize documents and the structured information in the documents. Instead of having to create a new custom model from scratch, you can iterate on an existing pretrained model to add specific fields that fit the needs of your organization.

+Prebuilt models use optical character recognition (OCR) combined with deep learning models to identify and extract predefined text and data fields common to specific document types. You start by analyzing one of your files against the prebuilt model. You then select the detected fields that make sense for your purpose. If the model doesn't detect the fields that you need, you can analyze again by using a different file.

+Like document understanding models, prebuilt models are created and managed in the [content center](create-a-content-center.md). When applied to a SharePoint document library, the model is associated with a content type and has columns to store the information being extracted.

+After publishing your model, use the content center to apply it to any SharePoint document library that you have access to.

+## Requirements

+- Supported file formats: JPEG, PNG, BMP, TIFF, and PDF (text-embedded or scanned).

+- Text-embedded PDFs are best to eliminate the possibility of error in character extraction and location.

+- For PDF and TIFF, up to 2,000 pages can be processed.

+- The file size must be less than 50 MB.

+- Image dimensions must be between 50 x 50 pixels and 10,000 x 10,000 pixels.

+- PDF dimensions are up to 17 x 17 inches, corresponding to Legal or A3 paper size, or smaller.

+- The total size of the training data is 500 pages or less.

+### File limitations

+Note the following differences about Microsoft Office text-based files and OCR-scanned files (PDF, image, or TIFF):

+- Office files: Truncated at 64,000 characters (when run against files in a document library).

+- OCR-scanned files: There's a 20-page limit.

+## Model considerations

+- If two or more prebuilt models are applied to the same library, the file is classified using the model that has the highest average confidence score. The extracted entities will be from the applied model only.

+- If a prebuilt model is applied to a library that has a document understanding model, the file is classified using the document understanding model and any trained extractors for that model. If there are any empty columns that match the prebuilt model, the columns will be populated using those extracted values.

+- If a prebuilt model is applied to a library that has a custom form processing model, the file is classified using the prebuilt model and any detected extractors for that model. If there are any empty columns that match the form processing model, the columns will be populated using those extracted values.

+- Applying more than one custom form processing model to a library is not supported.

+## See Also

+[Use a prebuilt model to extract info from invoices or receipts](prebuilt-overview.md)

+

+[Deploy identity](deploy-identity-solution-overview.md)

+[Deploy identity](deploy-identity-solution-overview.md)

+For more information about Microsoft 365 and Azure AD, see [Microsoft 365 identity models](deploy-identity-solution-identity-model.md).

+If you have chosen the cloud-only identity model, you already have an Azure Active Directory (Azure AD) tenant for your Microsoft 365 subscription to store all of your users, groups, and contacts. After setting up protection for administrator accounts in [Step 2](protect-your-global-administrator-accounts.md) and user accounts in [Step 3](microsoft-365-secure-sign-in.md) of this solution, you are now ready to begin creating the new accounts and groups that your organization needs.

+Here are the basic components of cloud-only identity.

+- Provision permissions and levels of access for teams and SharePoint Online team sites.

+[Deploy identity](deploy-identity-solution-overview.md)

+- For the Azure Active Directory PowerShell for Graph module, you must use PowerShell version 5.1.

+PowerShell version 7 and later don't support the Microsoft Azure Active Directory Module for Windows PowerShell module and cmdlets with *Msol* in their name. For PowerShell version 7 and later, you must use the Microsoft Graph PowerShell SDK.

+[Deploy identity for Microsoft 365](deploy-identity-solution-overview.md)

+ Title: "Step 1. Determine your cloud identity model"

+audience: Admin

+ms.localizationpriority: medium

+- Ent_O365

+- M365-identity-device-management

+- M365-security-compliance

+f1.keywords:

+- CSH

+ - Adm_O365

+ - seo-marvel-mar2020

+search.appverid:

+- MET150

+- MOE150

+- BCS160

+ms.assetid: 06a189e7-5ec6-4af2-94bf-a22ea225a7a9

+description: Step 1. Determine your Microsoft cloud identity model

+# Step 1. Determine your cloud identity model

+Microsoft 365 uses Azure Active Directory (Azure AD), a cloud-based user identity and authentication service that is included with your Microsoft 365 subscription, to manage identities and authentication for Microsoft 365. Getting your identity infrastructure configured correctly is vital to managing Microsoft 365 user access and permissions for your organization.

+Before you begin, watch this video for an overview of identity models and authentication for Microsoft 365.

+<p> </p>

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE2Pjwu]

+Your first planning choice is your cloud identity model.

+## Microsoft cloud identity models

+To plan for user accounts, you first need to understand the two identity models in Microsoft 365. You can maintain your organization's identities only in the cloud, or you can maintain your on-premises Active Directory Domain Services (AD DS) identities and use them for authentication when users access Microsoft 365 cloud services.

+Here are the two types of identity and their best fit and benefits.

+| Attribute | Cloud-only identity | Hybrid identity |

+|:-|:--|:--|

+| **Definition** | User account only exists in the Azure AD tenant for your Microsoft 365 subscription. | User account exists in AD DS and a copy is also in the Azure AD tenant for your Microsoft 365 subscription. The user account in Azure AD might also include a hashed version of the already hashed AD DS user account password. |

+| **How Microsoft 365 authenticates user credentials** | The Azure AD tenant for your Microsoft 365 subscription performs the authentication with the cloud identity account. | The Azure AD tenant for your Microsoft 365 subscription either handles the authentication process or redirects the user to another identity provider. |

+| **Best for** | Organizations that do not have or need an on-premises AD DS. | Organizations using AD DS or another identity provider. |

+| **Greatest benefit** | Simple to use. No extra directory tools or servers required. | Users can use the same credentials when accessing on-premises or cloud-based resources. |

+||||

+## Cloud-only identity

+A cloud-only identity uses user accounts that exist only in Azure AD. Cloud-only identity is typically used by small organizations that do not have on-premises servers or do not use AD DS to manage local identities.

+Here are the basic components of cloud-only identity.

+

+Both on-premises and remote (online) users use their Azure AD user accounts and passwords to access Microsoft 365 cloud services. Azure AD authenticates user credentials based on its stored user accounts and passwords.

+### Administration

+Because user accounts are only stored in Azure AD, you manage cloud identities with tools such as the [Microsoft 365 admin center](/admin) and [Windows PowerShell](manage-user-accounts-and-licenses-with-microsoft-365-powershell.md).

+## Hybrid identity

+Hybrid identity uses accounts that originate in an on-premises AD DS and have a copy in the Azure AD tenant of a Microsoft 365 subscription. Most changes, with the exception of [specific account attributes](/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized), only flow one way. Changes that you make to AD DS user accounts are synchronized to their copy in Azure AD.

+Azure AD Connect provides the ongoing account synchronization. It runs on an on-premises server, checks for changes in the AD DS, and forwards those changes to Azure AD. Azure AD Connect provides the ability to filter which accounts are synchronized and whether to synchronize a hashed version of user passwords, known as password hash synchronization (PHS).

+When you implement hybrid identity, your on-premises AD DS is the authoritative source for account information. This means that you perform administration tasks mostly on-premises, which are then synchronized to Azure AD.

+Here are the components of hybrid identity.

+

+The Azure AD tenant has a copy of the AD DS accounts. In this configuration, both on-premises and remote users accessing Microsoft 365 cloud services authenticate against Azure AD.

+> [!NOTE]

+> You always need to use Azure AD Connect to synchronize user accounts for hybrid identity. You need the synchronized user accounts in Azure AD to perform license assignment and group management, configure permissions, and other administrative tasks that involve user accounts.

+### Hybrid identity and directory synchronization for Microsoft 365

+Depending on your business needs and technical requirements, the hybrid identity model and directory synchronization is the most common choice for enterprise customers who are adopting Microsoft 365. Directory synchronization allows you to manage identities in your Active Directory Domain Services (AD DS) and all updates to user accounts, groups, and contacts are synchronized to the Azure Active Directory (Azure AD) tenant of your Microsoft 365 subscription.

+>[!Note]

+>When AD DS user accounts are synchronized for the first time, they are not automatically assigned a Microsoft 365 license and cannot access Microsoft 365 services, such as email. You must first assign them a usage location. Then, assign a license to these user accounts, either individually or dynamically through group membership.

+>

+#### Authentication for hybrid identity

+There are two types of authentication when using the hybrid identity model:

+- Managed authentication

+ Azure AD handles the authentication process by using a locally-stored hashed version of the password or sends the credentials to an on-premises software agent to be authenticated by the on-premises AD DS.

+- Federated authentication

+ Azure AD redirects the client computer requesting authentication to another identity provider.

+#### Managed authentication

+There are two types of managed authentication:

+- Password hash synchronization (PHS)

+ Azure AD performs the authentication itself.

+- Pass-through authentication (PTA)

+ Azure AD has AD DS perform the authentication.

+##### Password hash synchronization (PHS)

+With PHS, you synchronize your AD DS user accounts with Microsoft 365 and manage your users on-premises. Hashes of user passwords are synchronized from your AD DS to Azure AD so that the users have the same password on-premises and in the cloud. This is the simplest way to enable authentication for AD DS identities in Azure AD.

+

+When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The user passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected.

+

+See [choosing the right authentication method](/azure/active-directory/hybrid/choose-ad-authn) to learn more.

+

+##### Pass-through authentication (PTA)

+PTA provides a simple password validation for Azure AD authentication services using a software agent running on one or more on-premises servers to validate the users directly with your AD DS. With PTA, you synchronize AD DS user accounts with Microsoft 365 and manage your users on-premises.

+

+PTA allows your users to sign in to both on-premises and Microsoft 365 resources and applications using their on-premises account and password. This configuration validates users passwords directly against your on-premises AD DS without storing password hashes in Azure AD.

+PTA is also for organizations with a security requirement to immediately enforce on-premises user account states, password policies, and logon hours.

+

+See [choosing the right authentication method](/azure/active-directory/hybrid/choose-ad-authn) to learn more.

+

+##### Federated authentication

+Federated authentication is primarily for large enterprise organizations with more complex authentication requirements. AD DS identities are synchronized with Microsoft 365 and users accounts are managed on-premises. With federated authentication, users have the same password on-premises and in the cloud and they do not have to sign in again to use Microsoft 365.

+Federated authentication can support additional authentication requirements, such as smartcard-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.

+

+See [choosing the right authentication method](/azure/active-directory/hybrid/choose-ad-authn) to learn more.

+

+For third-party authentication and identity providers, on-premises directory objects may be synchronized to Microsoft 365 and cloud resource access that are primarily managed by a third-party identity provider (IdP). If your organization uses a third-party federation solution, you can configure sign-on with that solution for Microsoft 365 provided that the third-party federation solution is compatible with Azure AD.

+

+See the [Azure AD federation compatibility list](/azure/active-directory/connect/active-directory-aadconnect-federation-compatibility) to learn more.

+

+### Administration

+Because the original and authoritative user accounts are stored in the on-premises AD DS, you manage your identities with the same tools as you manage your AD DS.

+You don't use the Microsoft 365 admin center or PowerShell for Microsoft 365 to manage synchronized user accounts in Azure AD.

+## Next step

+[

+Continue with [Step 2](protect-your-global-administrator-accounts.md) to secure your global administrator accounts.

+ Title: "Deploy your identity infrastructure for Microsoft 365"

+f1.keywords:

+- NOCSH

+audience: ITPro

+ms.localizationpriority: medium

+- M365-identity-device-management

+- Strat_O365_Enterprise

+- m365initiative-coredeploy

+- m365solution-m365-identity

+- m365solution-scenario

+- m365solution-overview

+- intro-overview

+description: Deploy your identity infrastructure for Microsoft 365.

+# Deploy your identity infrastructure for Microsoft 365

+In Microsoft 365 for enterprise, a well-planned and executed identity infrastructure paves the way for stronger security, including restricting access to your productivity workloads and their data to only authenticated users and devices. Security for identities is a key element of a Zero Trust deployment, in which all attempts to access resources both on-premises and in the cloud are authenticated and authorized.

+For information about the identity features of each Microsoft 365 for enterprise, the role of Azure Active Directory (Azure AD), on-premises and cloud-based components, and the most common authentication configurations, see the [Identity Infrastructure poster](../downloads/m365e-identity-infra.pdf).

+[](../downloads/m365e-identity-infra.pdf)

+Review this two-page poster to quickly ramp up on identity concepts and configurations for Microsoft 365 for enterprise.

+You can [download this poster](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/m365e-identity-infra.pdf) and can print it in letter, legal, or tabloid (11 x 17) format.

+## WhatΓÇÖs in this solution

+This solution steps you through the deployment of an identity infrastructure for your Microsoft 365 tenant to provide access for your employees and protection against identity-based attacks.

+

+The steps in this solution are:

+1. [Determine your identity model.](deploy-identity-solution-identity-model.md)

+2. [Protect your Microsoft 365 privileged accounts.](protect-your-global-administrator-accounts.md)

+3. [Protect your Microsoft 365 user accounts.](microsoft-365-secure-sign-in.md)

+4. [Deploy your identity model.](cloud-only-identities.md)

+This solution supports the key principles of [Zero Trust](https://www.microsoft.com/security/business/zero-trust/):

+- **Verify explicitly:** Always authenticate and authorize based on all available data points.

+- **Use least privilege access:** Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.

+- **Assume breach:** Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

+Unlike conventional intranet access, which trusts everything behind an organization's firewall, Zero Trust treats each sign-in and access as though it originated from an uncontrolled network, whether it's behind the organization firewall or on the Internet. Zero Trust requires protection for the network, infrastructure, identities, endpoints, apps, and data.

+## Microsoft 365 capabilities and features

+Azure AD provides a full suite of identity management and security capabilities for your Microsoft 365 tenant.

+|Capability or feature|Description|Licensing|

+||||

+|[Multi-factor authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks)|MFA requires users to provide two forms of verification, such as a user password plus a notification from the Microsoft Authenticator app or a phone call. MFA greatly reduces the risk that stolen credentials can be used to access your environment. Microsoft 365 uses the Azure AD Multi-Factor Authentication service for MFA-based sign-ins.|Microsoft 365 E3 or E5|

+|[Conditional Access](/azure/active-directory/conditional-access/overview)|Azure AD evaluates the conditions of the user sign-in and uses Conditional Access policies to determine the allowed access. For example, in this guidance we show you how to create a Conditional Access policy to require device compliance for access to sensitive data. This greatly reduces the risk that a hacker with their own device and stolen credentials can access your sensitive data. It also protects sensitive data on the devices, because the devices must meet specific requirements for health and security.|Microsoft 365 E3 or E5|

+|[Azure AD groups](/azure/active-directory/fundamentals/active-directory-manage-groups)|Conditional Access policies, device management with Intune, and even permissions to files and sites in your organization rely on the assignment to user accounts or Azure AD groups. We recommend you create Azure AD groups that correspond to the levels of protection you are implementing. For example, your executive staff are likely higher value targets for hackers. Therefore, it makes sense to add the user accounts of these employees to an Azure AD group and assign this group to Conditional Access policies and other policies that enforce a higher level of protection for access.|Microsoft 365 E3 or E5|

+|[Azure AD Identity Protection](/azure/active-directory/identity-protection/overview)|Enables you to detect potential vulnerabilities affecting your organization's identities and configure automated remediation policy to low, medium, and high sign-in risk and user risk. This guidance relies on this risk evaluation to apply Conditional Access policies for multi-factor authentication. This guidance also includes a Conditional Access policy that requires users to change their password if high-risk activity is detected for their account.|Microsoft 365 E5, Microsoft 365 E3 with the E5 Security add-on, EMS E5, or Azure AD Premium P2 licenses|

+|[Self-service password reset (SSPR)](/azure/active-directory/authentication/concept-sspr-howitworks)|Allow your users to reset their passwords securely and without help-desk intervention, by providing verification of multiple authentication methods that the administrator can control.|Microsoft 365 E3 or E5|

+|[Azure AD password protection](/azure/active-directory/authentication/concept-password-ban-bad)|Detect and block known weak passwords and their variants and additional weak terms that are specific to your organization. Default global banned password lists are automatically applied to all users in an Azure AD tenant. You can define additional entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.|Microsoft 365 E3 or E5|

+|

+## Next steps

+Use these steps to deploy an identity model and authentication infrastructure for your Microsoft 365 tenant:

+1. [Determine your cloud identity model.](deploy-identity-solution-identity-model.md)

+2. [Protect your Microsoft 365 privileged accounts.](protect-your-global-administrator-accounts.md)

+3. [Protect your Microsoft 365 user accounts.](microsoft-365-secure-sign-in.md)

+4. Deploy your cloud identity model: [cloud-only](cloud-only-identities.md) or [hybrid](prepare-for-directory-synchronization.md).

+[

+

+## Additional Microsoft cloud identity resources

+### Manage

+To manage your Microsoft cloud identity deployment, see:

+- [User accounts](manage-microsoft-365-accounts.md)

+- [Licenses](assign-licenses-to-user-accounts.md)

+- [Passwords](manage-microsoft-365-passwords.md)

+- [Groups](manage-microsoft-365-groups.md)

+- [Governance](manage-microsoft-365-identity-governance.md)

+- [Directory synchronization](view-directory-synchronization-status.md)

+### How Microsoft does identity for Microsoft 365

+Learn how IT experts at Microsoft [manage identities and secure access](https://www.microsoft.com/en-us/itshowcase/managing-user-identities-and-secure-access-at-microsoft).

+>[!Note]

+>This IT Showcase resource is available only in English.

+>

+### How Contoso did identity for Microsoft 365

+For an example of how a fictional but representative multinational organization has deployed a hybrid identity infrastructure for Microsoft 365 cloud services, see [Identity for the Contoso Corporation](contoso-identity.md).

+<!--

+## Plan

+To plan for your identity implementation:

+- [Understand the different identity models](about-microsoft-365-identity.md)

+- [Plan for hybrid identity and directory synchronization](plan-for-directory-synchronization.md)

+## Deploy

+To deploy your identity implementation:

+- [Protect your global administrator accounts](protect-your-global-administrator-accounts.md)

+- [Configure and use cloud-only identities](cloud-only-identities.md)

+- [Configure and use hybrid identities](prepare-for-directory-synchronization.md)

+- [Set up directory synchronization](set-up-directory-synchronization.md)

+- If needed, deploy [hybrid identity scenarios](hybrid-solutions.md)

+### Identity and device access recommendations

+To help ensure a secure and productive workforce, Microsoft provides a set of recommendations for [identity and device access](../security/office-365-security/microsoft-365-policies-configurations.md). For identity, use the recommendations and settings in these articles:

+- [Prerequisites](../security/office-365-security/identity-access-prerequisites.md)

+- [Common identity and device access policies](../security/office-365-security/identity-access-policies.md)

+-->

+[Understanding Microsoft 365 identity models](deploy-identity-solution-identity-model.md)

+[Deploy identity](deploy-identity-solution-overview.md)

+Before you integrate Microsoft 365 and an on-premises environment, you also need to do [network planning and performance tuning](network-planning-and-performance.md). You will also want to understand the available [identity models](deploy-identity-solution-identity-model.md).

+ Title: "Step 3: Protect your Microsoft 365 user accounts"

+# Step 3: Protect your Microsoft 365 user accounts

+Your first step in using MFA is to [require it for all administrator accounts](protect-your-global-administrator-accounts.md), also known as privileged accounts. Beyond this first step, Microsoft recommends MFA For all users.

+There are three ways to require your users to use MFA based on your Microsoft 365 plan.

+|All Microsoft 365 plans (without Azure AD Premium P1 or P2 licenses) |[Enable security defaults in Azure AD](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults). Security defaults in Azure AD include MFA for users and administrators. |

+|Microsoft 365 E3 (includes Azure AD Premium P1 licenses) | Use the [common Conditional Access policies](/azure/active-directory/conditional-access/concept-conditional-access-policy-common) to configure the following policies: <br>- [Require MFA for administrators](/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa) <br>- [Require MFA for all users](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa) <br> - [Block legacy authentication](/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy) |

+|Microsoft 365 E5 (includes Azure AD Premium P2 licenses) | Taking advantage of Azure AD Identity Protection, begin to implement Microsoft's recommended set of Conditional Access and related policies by creating these two policies:<br> - [Require MFA when sign-in risk is medium or high](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk) <br>- [High risk users must change password](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user) |

+## Zero Trust identity and device access configurations

+Zero Trust identity and device access settings and policies are recommended prerequisite features and their settings combined with Conditional Access, Intune, and Azure AD Identity Protection policies that determine whether a given access request should be granted and under what conditions. This determination is based on the user account of the sign-in, the device being used, the app the user is using for access, the location from which the access request is made, and an assessment of the risk of the request. This capability helps ensure that only approved users and devices can access your critical resources.

+Microsoft highly recommends configuring and rolling out Zero Trust identity and device access policies in your organization, including specific settings for Microsoft Teams, Exchange Online, and SharePoint. For more information, see [Zero Trust identity and device access configurations](../security/office-365-security/microsoft-365-policies-configurations.md).

+See [more information about Azure AD Identity Protection](/azure/active-directory/identity-protection/overview-identity-protection).

+See the [steps to enable Azure AD Identity Protection](/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies).

+- [Deploy identity for Microsoft 365](deploy-identity-solution-overview.md)

+

+Continue with Step 4 to deploy the identity infrastructure based on your chosen identity model:

+- [Cloud-only identity](cloud-only-identities.md)

+- [Hybrid identity](prepare-for-directory-synchronization.md)

+[Deploy identity](deploy-identity-solution-overview.md)

+[Deploy identity](deploy-identity-solution-overview.md)

+If you have chosen the hybrid identity model and configured protection for administrator accounts in [Step 2](protect-your-global-administrator-accounts.md) and user accounts in [Step 3](microsoft-365-secure-sign-in.md) of this solution, your next task is to deploy directory synchronization. The benefits of directory synchronization for your organization include:

+For more information about the advantages of using directory synchronization, see [hybrid identity with Azure Active Directory (Azure AD)](/azure/active-directory/hybrid/whatis-hybrid-identity).

+## AD DS Preparation

+To help ensure a seamless transition to Microsoft 365 by using synchronization, you must prepare your AD DS forest before you begin your Microsoft 365 directory synchronization deployment.

+

+Your directory preparation should focus on the following tasks:

+- Remove duplicate **proxyAddress** and **userPrincipalName** attributes.

+- Update blank and invalid **userPrincipalName** attributes with valid **userPrincipalName** attributes.

+- Remove invalid and questionable characters in the **givenName**, surname ( **sn** ), **sAMAccountName**, **displayName**, **mail**, **proxyAddresses**, **mailNickname**, and **userPrincipalName** attributes. For details about preparing attributes, see [List of attributes that are synced by the Azure Active Directory Sync Tool](https://go.microsoft.com/fwlink/p/?LinkId=396719).

+ > [!NOTE]

+ > These are the same attributes that Azure AD Connect synchronizes.

+

+## Multi-forest deployment considerations

+For multiple forests and SSO options, use a [Custom Installation of Azure AD Connect](/azure/active-directory/hybrid/how-to-connect-install-custom).

+

+If your organization has multiple forests for authentication (logon forests), we highly recommend the following:

+

+- **Consider consolidating your forests.** In general, there's more overhead required to maintain multiple forests. Unless your organization has security constraints that dictate the need for separate forests, consider simplifying your on-premises environment.

+- **Use only in your primary logon forest.** Consider deploying Microsoft 365 only in your primary logon forest for your initial rollout of Microsoft 365.

+If you can't consolidate your multi-forest AD DS deployment or are using other directory services to manage identities, you may be able to synchronize these with the help of Microsoft or a partner.

+

+See [Topologies for Azure AD Connect](/azure/active-directory/hybrid/plan-connect-topologies) for more information.

+

+## Features that are dependent on directory synchronization

+

+Directory synchronization is required for the following features and functionality:

+

+- Azure AD Seamless Single Sign-On (SSO)

+- Skype coexistence

+- Exchange hybrid deployment, including:

+ - Fully shared global address list (GAL) between your on-premises Exchange environment and Microsoft 365.

+ - Synchronizing GAL information from different mail systems.

+ - The ability to add users to and remove users from Microsoft 365 service offerings. This requires the following:

+ - Two-way synchronization must be configured during directory synchronization setup. By default, directory synchronization tools write directory information only to the cloud. When you configure two-way synchronization, you enable write-back functionality so that a limited number of object attributes are copied from the cloud, and then written them back to your local AD DS. Write-back is also referred to as Exchange hybrid mode.

+ - An on-premises Exchange hybrid deployment

+ - The ability to move some user mailboxes to Microsoft 365 while keeping other user mailboxes on-premises.

+ - Safe senders and blocked senders on-premises are replicated to Microsoft 365.

+ - Basic delegation and send-on-behalf-of email functionality.

+ - You have an integrated on-premises smart card or multi-factor authentication solution.

+- Synchronization of photos, thumbnails, conference rooms, and security groups

+After you have done 1 through 5 above, see [Set up directory synchronization](set-up-directory-synchronization.md).

+[Deploy identity](deploy-identity-solution-overview.md)

+ Title: "Step 2. Protect your Microsoft 365 privileged accounts"

+description: This article provides information about protecting privileged access to your Microsoft 365 tenant.

+# Step 2. Protect your Microsoft 365 privileged accounts

+Security breaches of a Microsoft 365 tenant, including information harvesting and phishing attacks, are typically done by compromising the credentials of a Microsoft 365 privileged account. Security in the cloud is a partnership between you and Microsoft:

+Microsoft provides capabilities to help protect your organization, but they are effective only if you use them. If you do not use them, you may be vulnerable to attack. To protect your privileged accounts, Microsoft is here to help you with detailed instructions to:

+1. Create dedicated, privileged, cloud-based accounts and use them only when necessary.

+2. Configure multi-factor authentication (MFA) for your dedicated Microsoft 365 privileged accounts and use the strongest form of secondary authentication.

+3. Protect privileged accounts with Zero Trust identity and device access recommendations.

+## 1. Create dedicated, privileged, cloud-based user accounts and use them only when necessary

+Instead of using everyday user accounts that have been assigned administrator roles, create dedicated user accounts that have the admin roles in Azure AD.

+From this moment onward, you sign in with the dedicated privileged accounts only for tasks that require administrator privileges. All other Microsoft 365 administration must be done by assigning other administration roles to user accounts.

+> This does require additional steps to sign out as your everyday user account and sign in with a dedicated administrator account. But this only needs to be done occasionally for administrator operations. Consider that recovering your Microsoft 365 subscription after an administrator account breach requires a lot more steps.

+You also need to create [emergency access accounts](/azure/active-directory/roles/security-emergency-access) to prevent being accidentally locked out of Azure AD.

+You can further protect your privileged accounts with Azure AD Privileged Identity Management (PIM) for on-demand, just-in-time assignment of administrator roles.

+

+## 2. Configure multi-factor authentication for your dedicated Microsoft 365 privileged accounts

+- A smart card (virtual or physical) (requires federated authentication)

+- Oauth token

+-

+If you are a small business that is using user accounts stored only in the cloud (the cloud-only identity model), [set up MFA](/office365/admin/security-and-compliance/set-up-multi-factor-authentication) to configure MFA using a phone call or a text message verification code sent to a smart phone for each dedicated privileged account.

+If you are a larger organization that is using a Microsoft 365 hybrid identity model, you have more verification options. If you have the security infrastructure already in place for a stronger secondary authentication method, [set up MFA](../admin/security-and-compliance/set-up-multi-factor-authentication.md) and configure each dedicated privileged account for the appropriate verification method.

+If the security infrastructure for the desired stronger verification method is not in place and functioning for Microsoft 365 MFA, we strongly recommend that you configure dedicated privileged accounts with MFA using the Microsoft Authenticator app, a phone call, or a text message verification code sent to a smart phone for your privileged accounts as an interim security measure. Do not leave your dedicated privileged accounts without the additional protection provided by MFA.

+## 3. Protect administrator accounts with Zero Trust identity and device access recommendations

+To help ensure a secure and productive workforce, Microsoft provides a set of recommendations for [identity and device access](../security/office-365-security/microsoft-365-policies-configurations.md). For identity, use the recommendations and settings in these articles:

+- [Prerequisites](../security/office-365-security/identity-access-prerequisites.md)

+- [Common identity and device access policies](../security/office-365-security/identity-access-policies.md)

+Use these additional methods to ensure that your privileged account, and the configuration that you perform using it, are as secure as possible.

+To ensure that the execution of highly privileged tasks is as secure as possible, use a privileged access workstation (PAW). A PAW is a dedicated computer that is only used for sensitive configuration tasks, such as Microsoft 365 configuration that requires a privileged account. Because this computer is not used daily for Internet browsing or email, it is better protected from Internet attacks and threats.

+Rather than having your privileged accounts be permanently assigned an administrator role, you can use Azure AD PIM to enable on-demand, just-in-time assignment of the administrator role when it is needed.

+Your administrator accounts go from being permanent admins to eligible admins. The administrator role is inactive until someone needs it. You then complete an activation process to add the administrator role to the privileged account for a predetermined amount of time. When the time expires, PIM removes the administrator role from the privileged account.

+Using PIM and this process significantly reduces the amount of time that your privileged accounts are vulnerable to attack and use by malicious users.

+For more information, see:

+- [Azure AD Privileged Identity Management](/azure/active-directory/active-directory-privileged-identity-management-configure).

+- [Securing privileged access for hybrid and cloud deployments in Azure AD](/azure/active-directory/roles/security-planning)

+[

+Continue with [Step 3](microsoft-365-secure-sign-in.md) to secure your user accounts.

+[Deploy identity](deploy-identity-solution-overview.md)

+### Configure multi-factor authentication (MFA)

+The [Configure multi-factor authentication (MFA) guide](https://admin.microsoft.com/Adminportal/Home?source=applauncher#/featureexplorer/security/ConditionalAccess) provides information to secure your organization against breaches due to lost or stolen credentials. MFA immediately increases account security by prompting for multiple forms of verification to prove a user's identity when they sign in to an app or other company resource. This prompt could be to enter a code on the user's mobile device or to provide a fingerprint scan. MFA is enabled through Conditional Access, security defaults, or per-user MFA. This guide will provide the recommended MFA option for your org, based on your licenses and existing configuration.

+- Build out your [identity infrastructure](deploy-identity-solution-overview.md).

+|**apply** | Tenants | Apply deployment plan | Azure AD, Microsoft Endpoint Manager |

+|**changeDeploymentStatus** | Tenants | Action plan status for deployment plan | Microsoft 365 Lighthouse |

+|**offboardTenant** | Tenants | Inactivate a customer | Microsoft 365 Lighthouse |

+|**resetTenantOnboardingStatus** | Tenants | Reactive a customer | Microsoft 365 Lighthouse |

+|**tenantTags** | Tenants | Create or delete a tag | Microsoft 365 Lighthouse |

+|**unassignTag** | Tenants | Remove a tag from a customer | Microsoft 365 Lighthouse |

+| **blockUserSignin** | Users | Block sign-in | Azure AD |

+| **syncDevice** | Devices | Sync | Microsoft Endpoint Manager |

+| **windowsDefenderScanFull** | Threat management | Full scan | Microsoft Endpoint Manager |

+| **windowsDefenderScan** | Threat management | Quick scan | Microsoft Endpoint Manager |

+| **windowsDefenderUpdateSignatures** | Threat management | Update antivirus | Microsoft Endpoint Manager |

+Part of onboarding to Microsoft Managed Desktop includes adding and deploying apps to your user's devices. Once you're using the Microsoft Managed Desktop portal, you can add and deploy your apps.

+1. [Add apps to Microsoft Managed Desktop portal](#1): These apps can be existing line-of-business (LOB) apps, or apps from Microsoft Store for Business that you've synced with Intune.

+2. [Create Azure Active Directory (AD) groups for app assignment](#2): You'll use these groups to manage app assignment.

+3. [Assign apps to your users](#3).

+### Win32 or Windows MSI-based apps to Microsoft Managed Desktop

+You can add your line-of-business (LOB) apps to Microsoft Managed Desktop portal. For requirement information for apps installed on Microsoft Managed Desktop devices, see [Microsoft Managed Desktop app requirements](../service-description/mmd-app-requirements.md).

+In this procedure, you'll select which kind of app you want to add, and then configure and upload the app source.

+**To add your LOB app or Windows app to Microsoft Managed Desktop portal:**

+You can sign in to the Microsoft Managed Desktop portal, or sign in to Intune and then search for Microsoft Managed Desktop. We'll show signing in to Microsoft Managed Desktop portal below:

+1. Sign in to [Microsoft Managed Desktop Admin portal](https://aka.ms/mmdportal).

+2. Under **Inventory**, select **Apps**.

+3. In the Apps workload section, select **Add**.

+4. In **Add app**, select **Line-of-business app** or **Windows app (Win32)**.

+If you haven't signed up with Microsoft Store for Business, you can sign up when you shop for apps. After you have your apps, you can sync them with Microsoft Managed Desktop.

+**To buy apps from the Microsoft Store for Business:**

+4. In the product details, select **Get the App**.

+**To verify that a sync between Intune and Microsoft Store for Business is active:**

+**To force a sync between Intune and Microsoft Store for Business:**

+2. Select **Tenant administration** , then **Connectors and tokens**, then **Microsoft Store for Business**.

+3. Select **Enabled** for **Enabling Microsoft Store for Business sync lets you access volume-purchased apps with Intune.**

+Create three Azure AD groups for each app. This table outlines the groups you'll need (Available, Required, and Uninstall).

+App assignment type | Group use | Example Azure AD name |

+ | | |

+Available | The app will be available from Company Portal app or website. | MMD ΓÇô *app name* ΓÇô Available |

+Required | The app is installed on devices in the selected groups. | MMD ΓÇô *app name* ΓÇô Required |

+Uninstall | The app is uninstalled from devices in the selected groups. | MMD ΓÇô *app name* ΓÇô Uninstall |

+Add your users to these groups to either:

+- Make the app available

+- Install the app, or

+- Remove the app from their Microsoft Managed Desktop device.

+**To assign the app to your users:**

+2. In the Managed Desktop pane, select **Apps**.

+3. In the Apps workload section, select the app you want to assign users to, and select **Assign users groups**.

+description: Describes how to have Windows location services turned on for your devices

+Devices in Microsoft Managed Desktop are registered by using Windows Autopilot. This process lets us manage them with Azure Active Directory and Microsoft Intune.

+By default, the Windows 10 location service is disabled when a device is turned on for the first time, unless, this feature is enabled in the Privacy settings during the "out of box experience." These settings are hidden during Autopilot enrollment in Microsoft Managed Desktop. For more information about how Autopilot is set up, see [First-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).

+For this reason, Microsoft Managed Desktop devices can't obtain their device location, and limits the functionality of several Windows features, such as time zones. For more information about the Windows 10 location service, see [Windows 10 location service and privacy](https://support.microsoft.com/windows/windows-10-location-service-and-privacy-3a8eee0a-5b0b-dc07-eede-2a5ca1c49088).

+You don't have to use the location service in order to participate in Microsoft Managed Desktop. The user experience will be restricted. For example, devices won't be able to automatically determine the time zone they're in when your users work in a different time zone.

+You can either:

+- Opt in to use the location service when you enroll devices into the Microsoft Managed Desktop service, or

+- You can turn the service on or off after enrollment.

+You can have the location service turned on (or off), at any time, by submitting a [support request](../working-with-managed-desktop/admin-support.md) through the [Admin portal](access-admin-portal.md).

+> If you opt in to using the location service, this applies only to the Windows operating system itself. Apps are not allowed to use location services. Each user can choose whether to allow apps to access their location.

+description: Explains how the new Microsoft Edge browser is deployed and updated

+The new [Microsoft Edge browser](https://www.microsoft.com/edge) provides world-class performance with more privacy, more productivity, and more value while you browse. Microsoft Managed Desktop is offering a public preview of deployment of the new Microsoft Edge browser in your environment.

+To migrate your Microsoft Managed Desktop devices to the new Microsoft Edge browser, file an IT Support Ticket through the Microsoft Managed Desktop Portal.

+We'll deploy the Microsoft Edge Stable channel to the Test Group when you file the ticket. Then, we deploy it in each subsequent deployment group every 24 hours. To pause the deployment, file another ticket asking Operations to hold.

+Microsoft Managed Desktop deploys the [Stable channel](/deployedge/microsoft-edge-channels#stable-channel) of Microsoft Edge, which is automatically updated about every six weeks. Updates on the Stable channel are rolled out [progressively](/deployedge/microsoft-edge-update-progressive-rollout) by the Microsoft Edge product group to ensure the best experience for customers.

+The [Beta Channel](/deployedge/microsoft-edge-channels#beta-channel) is deployed to devices in both the Test and First groups for representative validation within the organization. This channel is fully supported and automatically updated with new features approximately every six weeks.

+> [!IMPORTANT]

+> To ensure that Microsoft Edge updates correctly, don't modify the Microsoft Edge [update policies](/deployedge/microsoft-edge-update-policies).

+The security baseline for Microsoft Edge on Microsoft Managed Desktop devices sets two policies to disable all Chrome extensions and secure users. To enable and deploy extensions in your environment, see [Settings you manage](#settings-you-manage).

+| Setting | Default value | Description |

+| | | |

+| Extension installation blocklist | All | Microsoft Managed Desktop sets this policy to prevent Chrome extensions from being installed on managed endpoints. There are known risks associated with the Chromium extension model including data loss protection, privacy, and other risks that can compromise devices. |

+| Allow user-level native messaging hosts (installed without admin permissions) | Disabled | By disabling this policy, Microsoft Edge will only use native messaging hosts installed on the system level. Native messaging hosts are a part of Chrome extensions, which allow for the browser to interact with other parts of user's endpoint, creating various security concerns. |

+| Setting | Default value | Description

+| | | |

+| Minimum TLS version | Minimum TLS 1.2 supported | If you want to use the less secure TLS 1.1, you can file a request to do so. |

+| Allow users to proceed from the SSL warning page | Disabled | We don't recommend enabling this setting since it allows users to visit sites with TSL errors. |

+| Setting | Default value | Description

+| | | |

+| Configure Windows Defender SmartScreen | Enabled | Enabled by default to help protect users. |

+| Windows Defender SmartScreen prompts for sites | Enabled | We don't recommend disabling this setting since that would allow users to ignore warnings and continue to potentially malicious sites. |

+| Prevent bypassing of Windows Defender SmartScreen warnings about downloads | Enabled | We don't recommend disabling this setting since that would allow users to ignore warnings and complete unverified downloads. |

+| Setting | Default value | Description

+| | | |

+| Default Adobe Flash setting | Disabled | We don't recommend using Flash because of associated security risks. <br><br> If you still have processes that depend on Flash, set the **[PluginsAllowedForUrls](/deployedge/microsoft-edge-policies#pluginsallowedforurls)** policy to enable Flash for sites that need it. If you can't maintain an allowed list of sites to use Flash, file a change request to change the value to **Click to Play**, which allows users choose when it's appropriate to run Flash. |

+| Setting | Default value | Description

+| | | |

+| Enable saving passwords to the password manager | Disabled | The password manager is disabled by default. If you'd like this feature enabled, file a support request and our service engineers can enable the setting in your environment. |

+IE mode on Microsoft Edge makes it easy to use all of the sites your organization needs in a single browser. It uses the integrated Chromium engine for sites that are compatible with the Chromium rendering engine. Microsoft Edge uses the Trident MSHTML engine from Internet Explorer 11 (IE11) for sites that aren't or have dependencies on IE functionality. [Learn more](/DeployEdge/edge-ie-mode)

+| Setting | Default value | Description

+| | | |

+| Internet Explorer mode integration | Internet Explorer mode | By default, devices are set to use Internet Explorer mode, but you can set them to open sites in a standalone Internet Explorer 11 window instead. To change this behavior, file a support request. |

+| Add sites to the Enterprise Mode Site List | See description | For sites to open in Internet Explorer mode you must include them on the [Enterprise Site list](/DeployEdge/edge-ie-mode-sitelist). Maintaining and deploying the Enterprise Site list is your responsibility. For details, see [Configure using the Configure Enterprise Mode Site List policy](/DeployEdge/edge-ie-mode-policies#configure-using-the-configure-the-enterprise-mode-site-list-policy). |

+| Setting | Default value | Description

+| | | |

+| Enable site isolation for every site | Enabled | When this policy is enabled, users can't opt out of the default behavior in which each site runs in its own process. |

+| Supported authentication schemes | NTLM, Negotiate | Microsoft Managed Desktop doesn't support Basic or Digest Authentication schemes. |

+| Automatically import another browser's data and settings at first run | Automatically import all supported datatypes and settings from the default browser. | With this policy applied, the First Run Experience will skip the import section, minimizing user interaction. The browser data from older versions of Microsoft Edge will always be silently migrated at the first run, regardless of this setting. |

+You can deploy any Microsoft Edge settings not previously described by using the Administrative Templates profile in Microsoft Intune. For details, see [Configure Microsoft Edge policy settings with Microsoft Intune](/deployedge/configure-edge-with-intune). If you want to evaluate a policy that isn't currently included in the Microsoft Edge Administrative Templates in Intune, you can use custom settings for Windows 10 devices in Intune.

+| Setting | Description

+| | |

+| Enable specific Chrome extensions | The Administrative Template offers a setting to deploy particular Chrome extensions with Microsoft Intune. You can find it in **Computer Configuration > Microsoft Edge > Extensions > Allow Specific Extensions to be installed**. |

+| Install extensions silently | You can also use the Administrative Template to set Microsoft Edge to install extensions without alerting the user. You can find it in **Computer Configuration > Microsoft Edge > Extensions > Control which extensions are installed silently**. |

+| Microsoft Edge update policies | To ensure that Microsoft Edge updates correctly, don't modify the Microsoft Edge [update policies](/deployedge/microsoft-edge-update-policies). |

+| Other common enterprise policies | Microsoft Edge offers a great many other policies. The following are some of the more common ones: <ul> <li> [Configure Sites on the Enterprise Site List and IE Mode](/deployedge/edge-ie-mode-sitelist)</li><li> [Configure start-up, home page, and new tab page settings](/deployedge/microsoft-edge-policies#startup-home-page-and-new-tab-page)</li> <li> [Configure Surf game setting](/deployedge/microsoft-edge-policies#allowsurfgame)</li> <li> [Configure proxy server settings](/deployedge/microsoft-edge-policies#proxy-server)</li></ul>

+Whether you're providing your own user support or working with a partner to provide support, follow the steps below to enable the support provider to request elevated device access, or escalate issues to Microsoft Managed Desktop, if needed.

+1. If they don't already have one, users need an account in same the Azure Active Directory (AAD) domain as the Microsoft Managed Desktop devices.

+1. Add the user accounts to the **Modern Workplace Roles-Support Partner** security group in the Azure Active Directory (AAD).

+<!--when available, add link to downloadable articles at DLC-->

+1. [Get started with app control](get-started-app-control.md).

+| Setting | Value |

+| -- | -- |

+| Deployment mode | User Driven |

+| Join to Azure AD as | Azure AD joined |

+| Language (Region) | User Select |

+| Automatically configure keyboard | No |

+| Microsoft Software License Terms | Hide |

+| Privacy settings | Hide |

+| Hide change account options | Show |

+| User account type| Standard |

+| Allow White Glove Out of Box Experience (OOBE) | Yes |

+| Apply device name template | Yes |

+| Enter a name | `MMD-%RAND:11%` |

+| Setting | Value |

+| -- | -- |

+| Show app and profile configuration progress | Yes |

+| Show an error when installation takes longer than specified number of minutes | 60 |

+| Show custom message when time limit error occurs | No |

+| Allow users to collect logs about installation errors| Yes |

+| Only show page to devices provisioned by out-of-box experience (OOBE) | Yes |

+| Block device use until all apps and profiles are installed | Yes |

+| Allow users to reset device if installation error occurs | Yes |

+| Allow users to use device if installation error occurs | Yes |

+| Block device use until these required apps are installed if they're assigned to the user/device|Modern Workplace - Time Correction | Modern Workplace - Client Library |

+2. The device opens the Enrollment Status Page and proceeds through Device Preparation and Device Set up phases. The third step (Account Setup) is *currently skipped* in the Microsoft Managed Desktop configuration because the User ESP is disabled. The device restarts.

+3. After restarting, the device opens the Windows sign-in page with **Other user**.

+- If you have devices that were registered using the Microsoft Managed Desktop portal before August 2020, de-register and re-register the devices.

+- Devices must have a factory image that includes the November 2020 cumulative update [19H1/19H2 2020.11C](https://support.microsoft.com/topic/november-19-2020-kb4586819-os-builds-18362-1237-and-18363-1237-preview-25cbb849-74af-b8b8-29b8-68aa925e8cc3), or [20H1 2020.11C](https://support.microsoft.com/topic/november-30-2020-kb4586853-os-builds-19041-662-and-19042-662-preview-8fb07fb8-a7dd-ea62-d65e-3305da09f92e) installed, or must be reimaged with the latest Microsoft Managed Desktop image.

+6. The account setup step is currently skipped in the Microsoft Managed Desktop configuration, since we disable User ESP.

+You might want to request a different device name template. You can't, however, change Deployment Mode, Join to Azure AD As, Privacy Settings, or User Account Type.

+- Adding or removing applications in the "Block device use until these required apps are installed if they're assigned to the user/device" setting.

+- No applications should require the device to restart. We recommend that applications be set to "Do nothing" when you build the application package if the device requires a restart.

+- Ideally, apps shouldn't have any dependencies. If you have apps that *must* have dependencies, be sure you configure, test, and validate them as part of your ESP evaluation.

+- Microsoft Teams can't be included in ESP.

+1. [Get started with app control](get-started-app-control.md).

+Microsoft Managed Desktop simplifies app control by taking care of the more challenging aspects of getting a secure base policy.

+Your IT Administrators must test your apps in the Test ring, and review the logs for any warnings, or errors. If an app needs an exemption, you can file a request, or Microsoft Managed Desktop Operation might, depending on who detects it first.

+If you don't yet have any devices in use, open a support ticket with Microsoft Managed Desktop Operations to request to turn on app control. Operations will progressively deploy policies to deployment groups following this schedule:

+| Deployment group | Policy type | Timing |

+| | | |

+| Test | Audit | Day 0 |

+| First | Enforced | Day 1 |

+| Fast | Enforced | Day 2 |

+| Broad | Enforced | Day 3 |

+You can always open another support request to pause or roll back part of this deployment at any time during the rollout.

+2. [Test your applications](../working-with-managed-desktop/work-with-app-control.md#add-a-new-app) to see if any would be blocked. If an application would be blocked, open a [signer request](../working-with-managed-desktop/work-with-app-control.md#add-or-remove-a-trusted-signer).

+3. Once you've completed your testing (whatever the results), notify Operations, noting any pending signer requests. Operations will progressively deploy policies to deployment groups following this schedule:

+| Deployment group | Policy type | Timing |

+| | | |

+| Test | Audit | Day 0 |

+| First | Enforced | Day 1 |

+| Fast | Enforced | Paused, rollout on request |

+| Broad | Enforced | Paused, rollout on request |

+You can always open another support request to pause or roll back part of this deployment at any time during the rollout.

+Once a Microsoft Managed Desktop device is in the hands of your user, getting started is fast and easy. Devices come pre-configured with the current version of Windows and configurations, and apps are installed from the cloud as the user completes setup.

+To make getting started even easier, we offer a guide that walks your users through the initial setup. The guide provides helpful resources for both the setup, and for use later, if needed. You can customize the following guide to include certain details specific to your organization. You then distribute the guide directly to your users along with their device.

+## Prepare the guide

+**To prepare the guide:**

+1. Download the [Microsoft Managed Desktop - Get started with your device](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-started/downloads/microsoft-managed-desktop-user-guide-no-help-custom-v2.pdf) guide.

+2. Use any app capable of opening PDF files to enter details relevant to your organization:

+ - The name of the network your users should connect to in order to continue setup (Step 3 in the guide).

+ - The name of your organization's Azure tenant account (Step 4 in the guide).

+ - Contact information for your organization's internal IT support (top of second page).

+3. Save the edited PDF, and then distribute to your users.

+## Ready-to-use guide

+We also provide a more generic version of the guide for those organizations that don't need to customize it.

+Just download the [Microsoft Managed Desktop - Get started with your device (ready to use)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-started/downloads/microsoft-managed-desktop-user-guide-no-help-v2.pdf) guide.

+At this point, you're ready to move on to [deploying apps](deploy-apps.md).

+1. [Get started with app control](get-started-app-control.md).

+Microsoft Project and Microsoft Visio require specific steps to be installed on Microsoft Managed Desktop devices. This article documents the prerequisites and installation process for these applications.

+| Prerequisites | Description |

+| | |

+| License quantities | The correct amount of Microsoft Project and Microsoft Visio licenses must be available for your users. Microsoft Managed Desktop currently only supports 64-bit versions of these applications. |

+| License names | The appropriate license names for these applications are: <ul><li>**Microsoft Project** - Project Online Professional or Project Online Premium</li><li>**Microsoft Visio** - Visio Online Plan 2</li><ul> |

+| Company Portal | The Company Portal must be available in your tenant for your users to install these applications. If the Company Portal isn't deployed in your tenant, see [Company Portal](company-portal.md). |

+Microsoft Managed Desktop will add Microsoft Project and Microsoft Visio as two Win32 Applications in Microsoft Intune. We'll also create two groups in Azure Active Directory. The groups will be assigned to the corresponding application with the "Available" intent.

+**To deploy Project and Visio:**

+Add the user to the appropriate group and the application will become available in the Company Portal. It may take a few minutes to sync, but then your users can install the apps from Company Portal.

+Azure AD Group name | Which users to assign?

+It's important for IT administrators to let their users know how to install Project and Visio. This communication includes:

+- Notifying users when these applications are available to them.

+Microsoft Managed Desktop can work with brand-new devices, or you can reuse devices you might already have (which will require that you reimage them). You can register devices with Microsoft Managed Desktop in the Microsoft Endpoint Manager portal.

+> Working with a partner to obtain devices? If so, you don't need to worry about getting the hardware hashes; they'll take care of that for you. Make sure your partner establishes a relationship with you at the [Partner Center](https://partner.microsoft.com/dashboard). Your partner can learn more at [Partner Center help](/partner-center/request-a-relationship-with-a-customer). Once this relationship established, your partner will simply register devices on your behalf ΓÇô no further action required from you. If you want to see the details, or your partner has questions, see [Steps for Partners to register devices](register-devices-partner.md). Once the devices are registered, you can proceed with [checking the image](#check-the-image) and [delivering the devices](#deliver-the-device) to your users.

+> Do not power on the device you are registering again until you've completed registration for it.

+| Inactive | The device has been delivered to the user and they have registered with your tenant. However, they have not used the device recently (in the last 7 days). |

+>This article describes the steps for you to reuse devices you already have, and register them in Microsoft Managed Desktop. If you are working with brand-new devices, follow the steps in [Register new devices in Microsoft Managed Desktop yourself](register-devices-self.md) instead. <br> <br> The process for Partners is documented in [Steps for Partners to register devices](register-devices-partner.md).

+Microsoft Managed Desktop can work with brand-new devices, or you can reuse devices you might already have. If you reuse devices, you must reimage them. You're able to register devices with Microsoft Managed Desktop in the Microsoft Endpoint Manager portal.

+**To register existing devices:**

+2. [Merge the hash data](#merge-hash-data).

+5. [Deliver the device](#deliver-the-device).

+**To obtain the hardware hash:**

+- Run a Windows PowerShell script either by using [Active Directory](#active-directory-powershell-script-method), or [manually](#manual-powershell-script-method) on each device, and collect the results in a file.

+- Start each device, but don't complete the Windows setup experience, and [collect the hashes on a removable flash drive](#flash-drive-method).

+You can use Microsoft Endpoint Configuration Manager to collect the hardware hashes from existing devices that you want to register with Microsoft Managed Desktop. If you've met all these prerequisites, you're ready to collect the information.

+> Any devices you want to get this information for must be running Windows 10, version 1703 or later.

+**To collect the hardware hash information:**

+1. In the Configuration Manager console, select **Monitoring**.

+2. In the Monitoring workspace, expand the **Reporting** node, expand **Reports**, and select the **Hardware - General** node.

+4. In the report viewer, select the **Export** icon, and select the **CSV (comma-delimited)** option.

+5. After saving the file, you'll need to filter results to just the devices you plan to register with Microsoft Managed Desktop. Then, upload the data to Microsoft Managed Desktop.

+ - Open Microsoft Endpoint Manager and navigate to the **Devices** menu.

+ - In the Microsoft Managed Desktop section, select **Devices**.

+ - Select **+ Register devices**, which opens a fly-in to register new devices.

+For more information, see [Register devices by using the Admin Portal](#register-devices-by-using-the-admin-portal) below.

+In an Active Directory environment, you can use the `Get-WindowsAutoPilotInfo` PowerShell cmdlet to remotely collect the information from devices in Active Directory Groups by using WinRM. You can also use the `Get-AD Computer` cmdlet and get filtered results for a specific hardware model name included in the catalog. Before you proceed, confirm these prerequisites, and then proceed.

+**To use the Active Directory PowerShell script method:**

+1. Ensure WinRM is enabled.

+1. The devices you want to register are active on the network. That is, they aren't disconnected or turned off.

+1. Ensure you have a domain credential parameter that has permission to execute remotely on the devices.

+1. Ensure that Windows Firewall allows access to WMI. To do that, follow these steps:

+ - Open the **Windows Defender Firewall** control panel and select **Allow an app or feature through Windows Defender Firewall**.

+ - Find **Windows Management Instrumentation (WMI)** in the list, enable for both **Private and Public**, and then select **OK**.

+1. Run *either one* of these scripts:

+ ```powershell

+1. Access any directories where there might be entries for the devices. Remove entries for each device from *all* directories, including Windows Server Active Directory Domain Services and Azure Active Directory. It could take a few hours to completely process.

+1. Access management services where there might be entries for the devices. Remove entries for each device from *all* management services, including Microsoft Endpoint Configuration Manager, Microsoft Intune, and Windows Autopilot. It could take a few hours to completely process.

+**To use the manual Powershell script method:**

+2. Run `Install-Script -Name Get-WindowsAutoPilotInfo`.

+3. Run `powershell -ExecutionPolicy Unrestricted Get-WindowsAutoPilotInfo -OutputFile <path>\hardwarehash.csv`.

+**To use the flash drive method:**

+3. Run `Save-Script -Name Get-WindowsAutoPilotInfo -Path <pathToUsb>`.

+4. Turn on the device you're registering, but *don't start the setup experience*. If you accidentally start the setup experience, you'll have to reset or reimage the device.

+7. Run `Set-ExecutionPolicy -ExecutionPolicy Unrestricted`.

+8. Run `.\Get-WindowsAutoPilotInfo -OutputFile <path>\hardwarehash.csv`.

+9. Remove the USB drive, and then shut down the device by running `shutdown -s -t 0`.

+> Do not power on the device you are registering again until you've completed registration for it.

+If you collected the hardware hash data by the manual PowerShell or flash drive methods, you must combine the data in the two CSV files into a single file to complete registration. Here's a sample PowerShell script to make it easy:

+In [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), select **Devices** in the left navigation pane. In the Microsoft Managed Desktop section, select **Devices**. In the Microsoft Managed Desktop Devices workspace, Select **+ Register devices**, which opens a fly-in to register new devices.

+**To register devices using the Admin Portal:**

+2. Select a [device profile](../service-description/profiles.md) in the dropdown menu.

+3. Select **Register devices**. The system will add the devices to your list of devices on the **Devices blade**. The devices are marked as **Registration Pending**. Registration typically takes less than 10 minutes, and when successful, the device will show as **Ready for user**. **Ready for user** means it's ready and waiting for a user to start using.

+You can monitor the progress of device registration on the main page. Possible states reported include:

+| -- | -- |

+| Registration Pending | Registration isn't completed yet. Check back later. |

+| Registration failed | Registration couldn't be completed. For more information, see [Troubleshooting device registration](#troubleshooting-device-registration). |

+| Ready for user | Registration succeeded. The device is now ready to be delivered to the user. Microsoft Managed Desktop will guide them through first-time set-up, so there's no need for you to do any further preparations. |

+| Active | The device has been delivered to the user and they've registered with your tenant. This state also indicates that they're regularly using the device. |

+| Inactive | The device has been delivered to the user and they've registered with your tenant. However, the user hasn't used the device recently (in the last seven days). |

+| -- | -- |

+| Device not found | We couldn't register this device because we couldn't find a match for the provided manufacturer, model, or serial number. Confirm these values with your device supplier. |

+| Hardware hash not valid | The hardware hash you provided for this device wasn't formatted correctly. Double-check the hardware hash and then resubmit. |

+| Unexpected error | Your request couldn't be automatically processed. Contact Support and provide the Request ID: `<requestId>` |

+You're also welcome to apply the image on your own if you prefer. To get started, contact the Microsoft representative you're working with and they'll provide you the location and steps for applying the image.

+If all the licenses are applied, you can [get your users ready to use the devices](get-started-devices.md). Then, your user can start up the device and proceed through the Windows setup experience.

+| **Severity A: <br> Critical Impact** | **Critical business impact** <br>Your business has significant loss or degradation of services and requires immediate attention.<p>**Major application compatibility impact**<br>Your entire business is experiencing financial impact due to devices not responding or loss of critical functionality. | **Initial:** < 1 hour <p> **Update**: 60 minutes <br> 24-hour support every day is available.</p> | When you select Severity A, you confirm that the issue has critical business impact, with severe loss and degradation of services. <br><br> The issue demands an immediate response, and you commit to continuous engagement every day with the Microsoft team until resolution. Otherwise, Microsoft can, at its discretion, decrease the Severity to level B.<br><br> You also ensure that Microsoft has your accurate contact information.

+**Severity B: <br> Moderate Impact** | **Moderate business impact**<br>Your business has moderate loss or degradation of services, but work can reasonably continue in an impaired manner.<p>**Moderate application compatibility impact**<br>A specific business group is no longer productive, due to devices not responding or loss of critical functionality.| **Initial**: < 4 hours. <p> **Update**: 12 hours; 24 hours a day during admin support hours (Monday through Friday).| When you select Severity B, you confirm that the issue has moderate impact to your business with loss and degradation of services. However, workarounds enable reasonable, albeit temporary, business continuity. <br><br> The issue demands an urgent response. If you select all day every day support when you submit the support request, you commit to continuous engagement every day with the Microsoft team until resolution. Otherwise, Microsoft might, at its discretion, decrease the severity to level C. If you select admin support-hours support when you submit a Severity B incident, Microsoft will contact you during admin support hours only.<br><br>You also ensure that Microsoft has your accurate contact information.

+**Severity C: <br> Minimal Impact** | **Minimum business impact**<br> Your business is functioning with minor impediments of services.<p>**Minor application compatibility impact**<br>Potentially unrelated users experience minor compatibility issues that don't prevent productivity. | **Initial**: < 8 hours.<p> **Update**: 24 hours; Support 24 hours a day during admin support hours (Monday through Friday). | When you select Severity C, you confirm that the issue has minimum impact to your business with minor impediment of service.<br><br> For a Severity C incident, Microsoft will contact you during admin support hours only.<br><br> You also ensure that Microsoft has your accurate contact information.

+| Application compatibility | For an application compatibility issue to be considered, there must be a reproducible error. The error must use the same version of the application, between the previous and current version of Windows, or Microsoft 365 Apps for enterprise. <br><br> To resolve application compatibility issues, we require a point of contact in your organization to work with. The contact must work directly with our Fast Track team to investigate and resolve the issue. |

+| Customer response time | If you aren't able to meet the expected response requirements, we'll downgrade the request by one severity level to the minimum severity level (Severity C). <br><br> If you're unresponsive to requests for action, we'll mitigate and close the support request within 48 hours of the last request. |

+| Subscription | Microsoft Defender for Business (currently in preview!). See [How to get Microsoft Defender for Business (preview)](get-defender-business.md).<br/><br/>**You're not required to have another Microsoft 365 subscription to try Microsoft Defender for Business** (preview).<br/><br/>If you have multiple subscriptions, the highest subscription takes precedence. For example, if you have Microsoft Defender for Endpoint Plan 2 (purchased or trial subscription), and you get Microsoft Defender for Business (preview), Defender for Endpoint Plan 2 takes precedence. In this case, you won't see the Defender for Business (preview) experience. |

+| User accounts | User accounts are created<br/><br/>Microsoft Defender for Business (preview) licenses are assigned <br/><br/>To get help with this task, see [Add users and assign licenses](../../admin/add-users/add-users.md). |

+| Operating system | To manage devices in Microsoft Defender for Business (preview), your devices must be running one of the following operating systems: <br/>- Windows 10 Business or later <br/>- Windows 10 Professional or later <br/>- Windows 10 Enterprise or later <br/><br/>Make sure that [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) is installed. <br/><br/>If you're already managing devices in Microsoft Intune (or Microsoft Endpoint Manager), or if you're using a non-Microsoft device management solution, your devices must be running one of the [operating systems that are supported in Microsoft Defender for Endpoint](../defender-endpoint/minimum-requirements.md). |

+In Microsoft Defender for Business (preview), security settings are configured through policies that are applied to devices. To help simplify your setup and configuration experience, Defender for Business (preview) includes preconfigured policies to help protect your company's devices as soon as they are onboarded. You can use the default policies, edit policies, or create your own policies.

+- [Get an overview of your default policies](#default-policies-in-defender-for-business)

+## Default policies in Defender for Business

+In Defender for Business (preview), there are two main types of policies to protect your company's devices:

+- **Next-generation protection policies**, which determine how Microsoft Defender Antivirus and other threat protection features are configured

+- **Firewall policies**, which determine what network traffic is permitted to flow to and from your company's devices

+|Malware report |Admins can set up privacy control for malware report - If privacy is enabled, then Defender for Endpoint will not send the malware app name and other app details as part of the malware alert report |

+|Phish report |Admins can set up privacy control for phish report - If privacy is enabled, then Defender for Endpoint will not send the domain name and details of the unsafe website as part of the phish alert report |

+> [!NOTE]

+> Vulnerability assessment is part of [Threat and Vulnerability management](next-gen-threat-and-vuln-mgt.md) in Microsoft Defender for Endpoint.

+To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, your security team must configure your network to allow connections between your endpoints and certain Microsoft servers. This article lists connections that must be allowed for using the firewall rules. It also provides instructions for validating your connection. Configuring your protection properly will ensure you receive the best value from your cloud-delivered protection services.

+> [!IMPORTANT]

+> This article contains information about configuring network connections only for Microsoft Defender Antivirus. If you are using Microsoft Defender for Endpoint (which includes Microsoft Defender Antivirus), see [Configure device proxy and Internet connectivity settings for Defender for Endpoint](configure-proxy-internet.md).

+The Microsoft Defender Antivirus cloud service provides fast, and strong protection for your endpoints. It's optional to enable the cloud-delivered protection service. Microsoft Defender Antivirus cloud service is recommended, because it provides important protection against malware on your endpoints and network. For more information, see [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) for enabling service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or individual clients in the Windows Security app.

+After you've enabled the service, you need to configure your network or firewall to allow connections between network and your endpoints. Because your protection is a cloud service, computers must have access to the internet and reach the Microsoft cloud services. Don't exclude the URL `*.blob.core.windows.net` from any kind of network inspection.

+> The Microsoft Defender Antivirus cloud service delivers updated protection to your network and endpoints. The cloud service should not be considered as only protection for your files that are stored in the cloud; instead, the cloud service uses distributed resources and machine learning to deliver protection for your endpoints at a faster rate than the traditional Security intelligence updates.

+The table in this section lists services and their associated website addresses (URLs).

+Make sure that there are no firewall or network filtering rules denying access to these URLs. Otherwise, you must create an allow rule specifically for those URLs (excluding the URL `*.blob.core.windows.net`). The URLs in the following table use port 443 for communication.

+|Microsoft Defender Antivirus cloud-delivered protection service is referred as Microsoft Active Protection Service (MAPS).<p> The Microsoft Defender Antivirus uses the MAPS service to provide cloud-delivered protection.|`*.wdcp.microsoft.com` <p> `*.wdcpalt.microsoft.com` <p> `*.wd.microsoft.com`|

+|Microsoft Update Service (MU) and Windows Update Service (WU) <p>These services will allow security intelligence and product updates.|`*.update.microsoft.com` <p> `*.delivery.mp.microsoft.com`<p> `*.windowsupdate.com` <p> For more information, see [Connection endpoints for Windows Update](/windows/privacy/manage-windows-1709-endpoints#windows-update)|

+|Security intelligence updates Alternate Download Location (ADL)<p>This is an alternate location for Microsoft Defender Antivirus Security intelligence updates, if the installed Security intelligence is out of date (Seven or more days behind).|`*.download.microsoft.com` <p> `*.download.windowsupdate.com`<p> `go.microsoft.com`<p> `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`|

+|Malware submission storage <p>This is an upload location for files submitted to Microsoft via the Submission form or automatic sample submission.|`ussus1eastprod.blob.core.windows.net` <p> `ussus2eastprod.blob.core.windows.net` <p> `ussus3eastprod.blob.core.windows.net` <p> `ussus4eastprod.blob.core.windows.net` <p> `wsus1eastprod.blob.core.windows.net` <p> `wsus2eastprod.blob.core.windows.net` <p> `ussus1westprod.blob.core.windows.net` <p> `ussus2westprod.blob.core.windows.net` <p> `ussus3westprod.blob.core.windows.net` <p> `ussus4westprod.blob.core.windows.net` <p> `wsus1westprod.blob.core.windows.net` <p> `wsus2westprod.blob.core.windows.net` <p> `usseu1northprod.blob.core.windows.net` <p> `wseu1northprod.blob.core.windows.net` <p> `usseu1westprod.blob.core.windows.net` <p> `wseu1westprod.blob.core.windows.net` <p> `ussuk1southprod.blob.core.windows.net` <p> `wsuk1southprod.blob.core.windows.net` <p> `ussuk1westprod.blob.core.windows.net` <p> `wsuk1westprod.blob.core.windows.net`|

+|Certificate Revocation List (CRL) <p> Windows use this list while creating the SSL connection to MAPS for updating the CRL.|`http://www.microsoft.com/pkiops/crl/` <p> `http://www.microsoft.com/pkiops/certs` <p> `http://crl.microsoft.com/pki/crl/products` <p> `http://www.microsoft.com/pki/certs`|

+|Symbol Store <p>Microsoft Defender Antivirus use the Symbol Store to restore certain critical files during the remediation flows.|`https://msdl.microsoft.com/download/symbols`|

+|Universal GDPR Client <p> Windows use this client to send the client diagnostic data. <p> Microsoft Defender Antivirus uses General Data Protection Regulation for product quality, and monitoring purposes.|The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: <p> `vortex-win.data.microsoft.com` <p> `settings-win.data.microsoft.com`|

+After allowing the URLs listed, test whether you're connected to the Microsoft Defender Antivirus cloud service. Test the URLs are correctly reporting and receiving information to ensure you're fully protected.

+> Open Command Prompt as an administrator. Right-click the item in the **Start** menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher, or Windows 11.

+You can download a sample file that Microsoft Defender Antivirus will detect and block if you're properly connected to the cloud. Visit [https://aka.ms/ioavtest](https://aka.ms/ioavtest) to download the file.

+> The downloaded file is not exactly malware. It's a fake file designed to test if you're properly connected to the cloud.

+#### View the fake malware detection in your Windows Security app

+1. On your task bar, select the Shield icon, open the **Windows Security** app. Or, search the **Start** for *Security*.

+- [Configure device proxy and Internet connectivity settings for Microsoft Defender for Endpoint](configure-proxy-internet.md)

+- [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](use-group-policy-microsoft-defender-antivirus.md)

+- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006)

+- Autodiscovery methods:

+Configure a registry-based static proxy for Defender for Endpoint detection and response (EDR) sensor to report diagnostic data and communicate with Defender for Endpoint services if a computer isn't permitted to connect to the Internet.

+6. Open *MDEClientAnalyzerResult.txt* and verify that you've performed the proxy configuration steps to enable server discovery and access to the service URLs.

+## Related articles

+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.

+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.

+ - **High plus**: Uses the **High** level and applies more protection measures (may affect client performance).

+ > [!NOTE]

+ > MAPS settings are equal to cloud-delivered protection.

+ You can choose to send basic or additional information about detected software:

+ - Basic MAPS: Basic membership will send basic information to Microsoft about malware and potentially unwanted software that has been detected on your device. Information includes where the software came from (like URLs and partial paths), the actions taken to resolve the threat, and whether the actions were successful.

+ - Advanced MAPS: In addition to basic information, advanced membership will send detailed information about malware and potentially unwanted software, including the full path to the software, and detailed information about how the software has affected your device.

+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar), and then, under **Manage settings** select **Virus & threat protection settings**.

+Microsoft Defender for Endpoint on iOS, which already protects enterprise users on Mobile Device Management (MDM) scenarios, now extends support to Mobile App Management (MAM), for devices that are not enrolled using Intune mobile device management (MDM). It also extends this support to customers who use other enterprise mobility management solutions, while still using Intune for mobile application management (MAM).This capability allows you to manage and protect your organization's data within an application.

+Microsoft Defender for Endpoint on iOS threat information is leveraged by Intune App Protection Policies to protect these apps. App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A managed application has app protection policies applied to it and can be managed by Intune.

+Microsoft Defender for Endpoint on iOS supports both the configurations of MAM

+Select **Setting > Max allowed device threat level** in **Device Conditions** and enter a value. Then select **Action: "Block Access"**. Microsoft Defender for Endpoint on iOS shares this Device Threat Level.

+ "proxy": "<EXAMPLE DO NOT USE> http://proxy.server:port/"

+ "proxy": "<EXAMPLE DO NOT USE> http://proxy.server:port/"

+ "cloudService": {

+ "enabled": true,

+ "diagnosticLevel": "optional",

+ "automaticSampleSubmissionConsent": "safe",

+ "automaticDefinitionUpdateEnabled": true,

+ "proxy": "http://proxy.server:port/"

+ },

+ "edr": {

+ "groupIds":"GroupIdExample",

+ "tags": [

+ {

+ "key": "GROUP",

+ "value": "Tag"

+ }

+ ]

+ }

+ > DonΓÇÖt forget to add the comma after the closing curly bracket at the end of the `cloudService` block. Also, make sure that there are two closing curly brackets after adding Tag or Group ID block (please see the above example). At the moment, the only supported key name for tags is `GROUP`.

+1. In [Microsoft 365 Defender](https://security.microsoft.com), navigate to **Settings > Endpoints > Onboarding**.

+3. In the Jamf Pro dashboard, open **Computers**, and their **Configuration Profiles**. Click **New** and switch to the **General** tab.

+|metadata|Information about the content of the support log.|

+- [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware](https://www.microsoft.com/wdsi/defenderupdates) <sup>[[2](#fn1)]<sup></sup>

+(<a id="fn1">1</a>) Intune Internal Definition Update Server - If you use SCCM/SUP to get definition updates for Microsoft Defender Antivirus, and need to access Windows Update on blocked on client devices, you can transition to co-management and offload the endpoint protection workload to Intune. In the anti-malware policy configured in Intune there is an option for 'internal definition update server' which can be configured to use on-premises WSUS as the update source. This helps you control which updates from the official WU server are approved for the enterprise, and also help proxy and save network traffic to the official Windows UPdates network.

+|Security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware (formerly referred to as MMPC)|[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively. <br/>Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|

+|Threat and Vulnerability Management (TVM) |Vulnerability assessment of onboarded mobile devices. Visit this [page](next-gen-threat-and-vuln-mgt.md) to learn more about threat and vulnerability management in Microsoft Defender for Endpoint. *Note that on iOS only OS vulnerabilities are supported in this preview.*|

+## Data center location

+Microsoft Defender for Endpoint will store and process data in the [same location as used by Microsoft 365 Defender](/microsoft-365/security/defender/m365d-enable). If Microsoft 365 Defender has not been turned on yet, onboarding to Microsoft Defender for Endpoint will also turn on Microsoft 365 Defender and a new data center location is automatically selected based on the location of active Microsoft 365 security services. The selected data center location is shown on the screen.

+Before you start troubleshooting issues with onboarding tools, it is important to check if the minimum requirements are met for onboarding devices to the services. [Learn about the licensing, hardware, and software requirements to onboard devices to the service](minimum-requirements.md).

+ Title: Alert grading for suspicious email forwarding activity

+description: Alert grading for suspicious email forwarding activity to review the alerts and take recommended actions to remediate the attack and protect your network.

+keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ - M365-security-compliance

+ - m365initiative-m365-defender

+search.appverid:

+ - MOE150

+ms.technology: m365d

+# Alert grading for suspicious email forwarding activity

+**Applies to:**

+- Microsoft 365 Defender

+Threat actors can use compromised user accounts for several malicious purposes, including reading emails in a userΓÇÖs inbox, forwarding emails to external recipients, and sending phishing mails, among others. The targeted user might be unaware that their emails are being forwarded. This is a very common tactic that attackers use when user accounts are compromised.

+Emails can be forwarded either manually or automatically using forwarding rules. Automatic forwarding can be implemented in multiple ways like Inbox Rules, Exchange Transport Rule (ETR), and SMTP Forwarding. While manual forwarding requires direct action from users, they might not be aware of all the auto-forwarded emails. In Microsoft 365, an alert is raised when a user auto-forwards an email to a potentially malicious email address.

+This playbook helps you investigate alerts for suspicious email forwarding and quickly grade them as either a True Positive (TP) or a False Positive (FP). You can then take recommended actions for the TP alerts to remediate the attack.

+For an overview of alert grading for Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps, see the [introduction article](alert-grading-playbooks.md).

+The results of using this playbook are:

+- You have identified the alerts associated with auto-forwarded emails as malicious (TP) or benign (FP) activities.

+ If malicious, you have [stopped email auto-forwarding](../office-365-security/external-email-forwarding.md) for the affected mailboxes.

+- You have taken the necessary action if emails have been forwarded to a malicious email address.

+## Email forwarding rules

+Email forwarding rule allows users to set up a rule to forward email messages sent to a user's mailbox to another user's mailbox inside or outside of the organization. Some email users, particularly those with multiple mailboxes, configure forwarding rules to move employer emails to their private email accounts. Email forwarding is a useful feature but can also pose a security risk because of the potential disclosure of information. Attackers might use this information to attack your organization or its partners.

+### Suspicious email forwarding rules

+Attackers might set up email rules to hide incoming emails in the compromised user mailbox to obscure their malicious activities from the user. They might also set rules in the compromised user mailbox to delete emails, move the emails into another less noticeable folder such as an RSS folder, or forward emails to an external account.

+Some rules might move all the emails to another folder and mark them as ΓÇ£readΓÇ¥, while some rules might move only mails which contain specific keywords in the email message or subject. For example, the inbox rule might be set to look for keywords like ΓÇ£invoiceΓÇ¥, ΓÇ£phishΓÇ¥, ΓÇ£do not replyΓÇ¥, ΓÇ£suspicious emailΓÇ¥, or ΓÇ£spamΓÇ¥ among others, and move them to an external email account. Attackers might also use the compromised user mailbox to distribute spam, phishing emails, or malware.

+

+Microsoft Defender for Office 365 can detect and alert on suspicious email forwarding rules, allowing you to find and delete hidden rules at the source.

+For more information, see these blog posts:

+- [Business Email Compromise](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/business-email-uncompromised-part-one/ba-p/2159900)

+- [Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign](https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/)

+## Alert details

+To review the specific alert, open the **Alerts** page to see the **Activity list** section. Here's an example.

+

+Select **Activity** to view the details of that activity in the sidebar. Here's an example.

+

+The **Reason** field contains the following information related to this alert.

+- Forwarding Type (FT) is one of the following:

+ - Exchange Transport Rule (ETR): Forwarded using and Exchange Transport Rule

+ - SMTP: Forwarded using Mailbox Forwarding

+ - InboxRule: Forwarded using an Inbox Rule

+- Message Trace ID (MTI): This is the identifier (NetworkMessageId) of the forwarded email that triggered this alert. NetworkMessageId is the unique identifier of an email in your organization.

+- Forwarder (F): The user who forwarded this email.

+- Suspicious Recipient List (SRL): The list of recipients considered suspicious in this email.

+- Recipient List (RL): The list of all the recipients in this email.

+## Investigation workflow

+While investigating this alert, you must determine:

+- Is the user account and its mailbox compromised?

+- Are the activities malicious?

+### Is the user account and its mailbox compromised?

+By looking at senderΓÇÖs past behavior and recent activities, you should be able to determine whether the user's account should be considered compromised or not. You can see the details of alerts raised from the userΓÇÖs page in the Microsoft 365 Defender portal.

+You can also analyze these additional activities for the affected mailbox:

+- Use Threat Explorer to understand email related threats

+ - Observe how many of the recent email sent by the sender are detected as phish, spam or malware.

+ - Observe how many of the sent emails contain sensitive information.

+- Assess risky sign-in behavior in the Microsoft Azure portal.

+- Check for any malicious activities on the userΓÇÖs device.

+### Are the activities malicious?

+Investigate the email forwarding activity. For instance, check the type of email, recipient of this email, or the manner in which the email is forwarded.

+For more information, see the following articles:

+- [Auto-forwarded messages insight](/microsoft-365/security/office-365-security/mfi-auto-forwarded-messages-report)

+- [New users forwarding email insight](/microsoft-365/security/office-365-security/mfi-new-users-forwarding-email)

+- [Responding to a Compromised Email Account](/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account)

+- [Report false positives and false negatives in Outlook](/microsoft-365/security/office-365-security/report-false-positives-and-false-negatives)

+Here is the workflow to identify suspicious email forwarding activities.

+You can investigate an email forwarding alert using Threat Explorer or with advanced hunting queries, based on the availability of features in the Microsoft 365 Defender portal. You may choose to follow the entire process or a part of the process as needed.

+## Using Threat Explorer

+Threat Explorer provides an interactive investigation experience for email related threats to determine whether this activity is suspicious or not. You can use the following indicators from the alert information:

+- SRL/RL: Use the (Suspicious) Recipients List (SRL) to find these details:

+

+ :::image type="content" source="../../media/alert-grading-playbook-email-forwarding/alert-grading-playbook-email-forwarding-recipients-list.png" alt-text="Example of the list of recipients" lightbox="../../media/alert-grading-playbook-email-forwarding/alert-grading-playbook-email-forwarding-recipients-list.png":::

+ - Who else has forwarded emails to these recipients?

+ - How many emails have been forwarded to these recipients?

+ - How frequently are emails forwarded to these recipients?

+

+- MTI: Use the Message Trace ID/Network Message ID to find these details:

+ :::image type="content" source="../../media/alert-grading-playbook-email-forwarding/alert-grading-playbook-email-forwarding-network-message-id.png" alt-text="Example of the Network Message ID" lightbox="../../media/alert-grading-playbook-email-forwarding/alert-grading-playbook-email-forwarding-network-message-id.png":::

+ - What additional details are available for this email? For example: subject, return path, and timestamp.

+ - What is the origin of this email? Are there any similar emails?

+ - Does this email contain any URLs? Does the URL point to any sensitive data?

+ - Does the email contain any attachments? Do the attachments contain sensitive information?

+ - What was the action taken on the email? Was it deleted, marked as read, or moved to another folder?

+ - Are there any threats associated with this email? Is this email part of any campaign?

+Based on answers to these questions, you should be able to determine whether an email is malicious or benign.

+## Advanced hunting queries

+To use [advanced Hunting](advanced-hunting-overview.md) queries to gather information related to an alert and determine whether or not the activity is suspicious, make sure you have access to the following tables:

+- EmailEvents - Contains information related to email flow.

+- EmailUrlInfo - Contains information related to URLs in emails.

+- CloudAppEvents -Contains audit log of user activities.

+- IdentityLogonEvents - Contains login information for all users.

+Here's an example.

+Use queries to gather information for the following questions.

+>[!Note]

+>Certain parameters are unique to your organization or network. Fill in these specific parameters as instructed in each query.

+>

+Run this query to find out who else has forwarded emails to these recipients (SRL/RL).

+```kusto

+let srl=pack_array("{SRL}"); //Put values from SRL here.

+EmailEvents

+| where RecipientEmailAddress in (srl)

+| distinct SenderDisplayName, SenderFromAddress, SenderObjectId

+```

+Run this query to find out how many emails were forwarded to these recipients.

+```kusto

+let srl=pack_array("{SRL}"); //Put values from SRL here.

+EmailEvents

+| where RecipientEmailAddress in (srl)

+| summarize Count=dcount(NetworkMessageId) by RecipientEmailAddress

+```

+Run this query to find out how frequently are emails forwarded to these recipients.

+```kusto

+let srl=pack_array("{SRL}"); //Put values from SRL here.

+EmailEvents

+| where RecipientEmailAddress in (srl)

+| summarize Count=dcount(NetworkMessageId) by RecipientEmailAddress, bin(Timestamp, 1d)

+```

+Run this query to find out if the email contains any URLs.

+

+```kusto

+let mti='{MTI}'; //Replace {MTI} with MTI from alert

+EmailUrlInfo

+| where NetworkMessageId == mti

+```

+Run this query to find out if the email contains any attachments.

+ ```kusto

+ let mti='{MTI}'; //Replace {MTI} with MTI from alert

+ EmailAttachmentInfo

+ | where NetworkMessageId == mti

+ ```

+Run this query to find out if the Forwarder (sender) has created any new rules.

+```kusto

+let sender = "{SENDER}"; //Replace {SENDER} with display name of Forwarder

+let action_types = pack_array(

+ "New-InboxRule",

+ "UpdateInboxRules",

+ "Set-InboxRule",

+ "Set-Mailbox",

+ "New-TransportRule",

+ "Set-TransportRule");

+CloudAppEvents

+| where AccountDisplayName == sender

+| where ActionType in (action_types)

+```

+Run this query to find out if there were any anomalous login events from this user. For example: unknown IPs, new applications, uncommon countries, multiple LogonFailed events.

+```kusto

+let sender = "{SENDER}"; //Replace {SENDER} with email of the Forwarder IdentityLogonEvents

+| where AccountUpn == sender

+```

+### Investigating forwarding rules

+You can also find suspicious forwarding rules using the Exchange admin center, based on the rule type (the FT value in the alert).

+- ETR

+ Exchange transport rules are listed in the **Rules** section. Verify that all rules are as expected.

+- SMTP

+ You can see mailbox forwarding rules by selecting the senderΓÇÖs mailbox **\> Manage mail flow settings \> Email forwarding \> Edit**.

+- InboxRule

+ Inbox rules are configured with the e-mail client. You can use the [Get-InboxRule](/powershell/module/exchange/get-inboxrule) PowerShell cmdlet to list the inbox rules created by users.

+### Additional investigation

+Along with the evidence discovered so far, you can determine if there are new forwarding rules being created. Investigate the IP address associated with the rule. Ensure that it is not an anomalous IP address and is consistent with usual activities performed by the user.

+## Recommended actions

+Once you determine that the activities associated make this alert a True Positive, classify the alert and take these actions for remediation:

+1. Disable and delete the inbox forwarding rule.

+2. For the InboxRule forwarding type, reset the userΓÇÖs account credentials.

+3. For the SMTP or ETR forwarding type, investigate the activities of the user account that created the alert.

+ - Investigate any other suspicious admin activities.

+ - Reset the user accountΓÇÖs credentials.

+4. Check for additional activities originated from impacted accounts, IP addresses, and suspicious senders.

+## See also

+- [Overview of alert grading](alert-grading-playbooks.md)

+- [Suspicious inbox forwarding rules](alert-grading-playbook-inbox-forwarding-rules.md)

+- [Suspicious inbox manipulation rules](alert-grading-playbook-inbox-manipulation-rules.md)

+- [Investigate alerts](investigate-alerts.md)

+ Title: Alert grading for suspicious inbox forwarding rules

+description: Alert grading for suspicious inbox forwarding rules to review the alerts and take recommended actions to remediate the attack and protect your network.

+keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ - M365-security-compliance

+ - m365initiative-m365-defender

+search.appverid:

+ - MOE150

+ms.technology: m365d

+# Alert grading for suspicious inbox forwarding rules

+**Applies to:**

+- Microsoft 365 Defender

+Threat actors can use compromised user accounts for several malicious purposes including reading emails in a userΓÇÖs inbox, creating inbox rules to forward emails to external accounts, sending phishing mails, among others. Malicious inbox rules are widely common during business email compromise (BEC) and phishing campaigns, and it important to monitor them consistently.

+This playbook helps you investigate alerts for suspicious inbox forwarding rules and quickly grade them as either a True Positive (TP) or a False Positive (TP). You can then take recommended actions for the TP alerts to remediate the attack.

+For an overview of alert grading for Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps, see the [introduction article](alert-grading-playbooks.md).

+The results of using this playbook are:

+- You have identified the alerts associated with inbox forwarding rules as malicious (TP) or benign (FP) activities.

+ If malicious, you have removed malicious inbox forwarding rules.

+- You have taken the necessary action if emails have been forwarded to a malicious email address.

+## Inbox forwarding rules

+You configure inbox rules to automatically manage email messages based on predefined criteria. For example, you can create an inbox rule to move all messages from your manager into another folder, or forward messages you receive to another email address.

+### Suspicious inbox forwarding rules

+After gaining access to users' mailboxes, attackers often create an inbox rule that allows them to exfiltrate sensitive data to an external email address and use it for malicious purposes.

+Malicious inbox rules automate the exfiltration process. With specific rules, every email in the target userΓÇÖs inbox that matches the rule criteria will be forwarded to the attackerΓÇÖs mailbox. For example, an attacker might want to gather sensitive data related to finance. They create an inbox rule to forward all emails that contain keywords, such as ΓÇÿfinanceΓÇÖ and ΓÇÿinvoiceΓÇÖ in the subject or message body, to their mailbox.

+Suspicious inbox forwarding rules might be very difficult to detect because maintenance of inbox rules is common task done by users. Therefore, itΓÇÖs important to monitor the alerts.

+## Workflow

+Here is the workflow to identify suspicious email forwarding rules.

+

+## Investigation steps

+This section contains detailed step-by-step guidance to respond to the incident and take the recommended steps to protect your organization from further attacks.

+### Review generated alerts

+Here's an example of an inbox forwarding rule alert in the alert queue.

+Here's an example of the details of alert that was triggered by a malicious inbox forwarding rule.

+### Investigate rule parameters

+The purpose of this stage is to determine if the rules look suspicious by certain criteria:

+Recipients of the forwarding rule:

+- Validate destination email address is not an additional mailbox owned by the same user (avoiding cases where the user is self-forwarding emails between personal mailboxes).

+- Validate the destination email address is not an internal address or sub-domain that belong to the company.

+Filters:

+

+- If the inbox rule contains filters which search for specific keywords in the subject or body of the email, check whether the provided keywords, such as finance, credentials, and networking, among others, seem related to malicious activity. You can find these filters under the following attributes (which shows up in the event RawEventData column): ΓÇ£BodyContainsWordsΓÇ¥, ΓÇ£SubjectContainsWordsΓÇ¥ or ΓÇ£SubjectOrBodyContainsWordsΓÇ¥

+- If the attacker chooses not to set any filter to the mails, and instead the inbox rule forwards all the mailbox items to the attackerΓÇÖs mailbox), then this behavior is suspicious as well.

+### Investigate IP address

+Review the attributes that related to the IP address that performed the relevant event of rule creation:

+1. Search for other suspicious cloud activities that originated from the same IP in the tenant. For instance, suspicious activity might be multiple failed logins attempts.

+2. Is the ISP common and reasonable for this user?

+3. Is the location common and reasonable for this user?

+### Investigate any suspicious activity with the user inbox before creating rules

+You can review all user activities before creating rules, check for indicators of compromise, and investigate user actions that seem suspicious. For instance, multiple failed sign ins.

+- Sign ins:

+ Validate that the sign in activity prior to the rule creation event is not suspicious (such as the common location, ISP, or user-agent).

+- Other alerts or incidents

+ - Did other alerts trigger for the user prior to the rule creation. If so, then this might indicate that the user got compromised.

+ - If the alert correlates with other alerts to indicate an incident, then does the incident contain other true positive alerts?

+## Advanced hunting queries

+[Advanced Hunting](advanced-hunting-overview.md) is a query-based threat hunting tool that lets you inspect events in your network and locate threat indicators.

+Run this query to find all the new inbox rule events during a specific time window.

+```kusto

+let start_date = now(-10h);

+let end_date = now();

+let user_id = ""; // enter here the user id

+CloudAppEvents

+| where Timestamp between (start_date .. end_date)

+| where AccountObjectId == user_id

+| where ActionType in ("Set-Mailbox", "New-InboxRule", "Set-InboxRule") //set new inbox rule related operations

+| project Timestamp, ActionType, CountryCode, City, ISP, IPAddress, RuleConfig = RawEventData.Parameters, RawEventData

+```

+*RuleConfig* will contain the rule configuration.

+Run this query to check whether the ISP is common for the user by looking at the history of the user.

+```kusto

+let alert_date = now(); //enter alert date

+let timeback = 30d;

+let userid = ""; //enter here user id

+CloudAppEvents

+| where Timestamp between ((alert_date-timeback)..(alert_date-1h))

+| where AccountObjectId == userid

+| make-series ActivityCount = count() default = 0 on Timestamp from (alert_date-timeback) to (alert_date-1h) step 12h by ISP

+```

+Run this query to check whether the country is common for the user by looking at the history of the user.

+```kusto

+let alert_date = now(); //enter alert date

+let timeback = 30d;

+let userid = ""; //enter here user id

+CloudAppEvents

+| where Timestamp between ((alert_date-timeback)..(alert_date-1h))

+| where AccountObjectId == userid

+| make-series ActivityCount = count() default = 0 on Timestamp from (alert_date-timeback) to (alert_date-1h) step 12h by CountryCode

+```

+Run this query to check whether the user-agent is common for the user by looking at the history of the user.

+```kusto

+let alert_date = now(); //enter alert date

+let timeback = 30d;

+let userid = ""; //enter here user id

+CloudAppEvents

+| where Timestamp between ((alert_date-timeback)..(alert_date-1h))

+| where AccountObjectId == userid

+| make-series ActivityCount = count() default = 0 on Timestamp from (alert_date-timeback) to (alert_date-1h) step 12h by UserAgent

+```

+Run this query to check if other users created forward rule to the same destination (could indicate that other users are compromised as well).

+```kusto

+let start_date = now(-10h);

+let end_date = now();

+let dest_email = ""; // enter here destination email as seen in the alert

+CloudAppEvents

+| where Timestamp between (start_date .. end_date)

+| where ActionType in ("Set-Mailbox", "New-InboxRule", "Set-InboxRule") //set new inbox rule related operations

+| project Timestamp, ActionType, CountryCode, City, ISP, IPAddress, RuleConfig = RawEventData.Parameters, RawEventData

+| where RuleConfig has dest_email

+```

+## Recommended actions

+1. Disable the malicious inbox rule.

+2. Reset the userΓÇÖs account credentials. You can also verify if the user account has been compromised with Microsoft Defender for Cloud Apps, which gets security signals from Azure Active Directory (Azure AD) Identity Protection.

+3. Search for other malicious activities performed by the impacted user.

+4. Check for other suspicious activity in the tenant originated from the same IP or from the same ISP (if the ISP is uncommon) to find other compromised users.

+## See also

+- [Overview of alert grading](alert-grading-playbooks.md)

+- [Suspicious email forwarding activity](alert-grading-playbook-email-forwarding.md)

+- [Suspicious inbox manipulation rules](alert-grading-playbook-inbox-manipulation-rules.md)

+- [Investigate alerts](investigate-alerts.md)

+ Title: Alert grading for suspicious inbox manipulation rules

+description: Alert grading for suspicious inbox manipulation rules to review the alerts and take recommended actions to remediate the attack and protect your network.

+keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ - M365-security-compliance

+ - m365initiative-m365-defender

+search.appverid:

+ - MOE150

+ms.technology: m365d

+# Alert grading for suspicious inbox manipulation rules

+**Applies to:**

+- Microsoft 365 Defender

+Threat actors can use compromised user accounts for many malicious purposes including reading emails in a userΓÇÖs inbox, creating inbox rules to forward emails to external accounts, deleting traces, and sending phishing mails. Malicious inbox rules are common during business email compromise (BEC) and phishing campaigns and it is important to monitor for them consistently.

+This playbook helps you investigate any incident related to suspicious inbox manipulation rules configured by attackers and take recommended actions to remediate the attack and protect your network. This playbook is for security teams, including security operations center (SOC) analysts and IT administrators who review, investigate, and grade the alerts. You can quickly grade alerts as either a True Positive (TP) or a False Positive (TP) and take recommended actions for the TP alerts to remediate the attack.

+The results of using this playbook are:

+- You have identified the alerts associated with inbox manipulation rules as malicious (TP) or benign (FP) activities.

+ If malicious, you have removed malicious inbox manipulation rules.

+- You have taken the necessary action if emails have been forwarded to a malicious email address.

+## Inbox manipulation rules

+Inbox rules are set to automatically manage email messages based on predefined criteria. For example, you can create an inbox rule to move all messages from your manager into another folder, or forward messages you receive to another email address.

+### Malicious inbox manipulation rules

+Attackers might set up email rules to hide incoming emails in the compromised user mailbox to obscure their malicious activities from the user. They might also set rules in the compromised user mailbox to delete emails, move the emails into another less noticeable folder (like RSS), or forward mails to an external account. Some rules might move all the emails to another folder and mark them as ΓÇ£readΓÇ¥, while some rules might move only mails which contain specific keywords in the email message or subject.

+For example, the inbox rule might be set to look for keywords like ΓÇ£invoiceΓÇ¥, ΓÇ£phishΓÇ¥, ΓÇ£do not replyΓÇ¥, ΓÇ£suspicious emailΓÇ¥, or ΓÇ£spamΓÇ¥ among others, and move them to an external email account. Attackers might also use the compromised user mailbox to distribute spam, phishing emails, or malware.

+## Workflow

+Here is the workflow to identify suspicious inbox manipulation rule activities.

+## Investigation steps

+This section contains detailed step-by-step guidance to respond to the incident and take the recommended steps to protect your organization from further attacks.

+### 1. Review the alerts

+Here's an example of an inbox manipulation rule alert in the alert queue.

+Here's an example of the details of an alert that was triggered by a malicious inbox manipulation rule.

+### 2. Investigate inbox manipulation rule parameters

+Determine if the rules look suspicious according to the following rule parameters or criteria:

+- Keywords

+ The attacker might apply the manipulation rule only to emails that contains certain words. You can find these keywords under certain attributes such as: ΓÇ£BodyContainsWordsΓÇ¥, ΓÇ£SubjectContainsWordsΓÇ¥ or ΓÇ£SubjectOrBodyContainsWordsΓÇ¥.

+ If there are filtering by keywords, then check whether the keywords seem suspicious to you (common scenarios are to filter emails related to the attacker activities, such as ΓÇ£phishΓÇ¥, ΓÇ£spamΓÇ¥, ΓÇ£do not replyΓÇ¥, among others).

+ If there is no filter at all, it might be suspicious as well.

+- Destination folder

+ To evade security detection, the attacker might move the emails to a less noticeable folder and mark the emails as read (for example, ΓÇ£RSSΓÇ¥ folder). If the attacker applies ΓÇ£MoveToFolderΓÇ£ and ΓÇ£MarkAsReadΓÇ¥ action, check whether the destination folder is somehow related to the keywords in the rule to decide if it seems suspicious or not.

+- Delete all

+ Some attackers will just delete all the incoming emails to hide their activity. Mostly, a rule of ΓÇ£delete all incoming emailsΓÇ¥ without filtering them with keywords is an indicator of malicious activity.

+

+Here's an example of a ΓÇ£delete all incoming emailsΓÇ¥ rule configuration (as seen on RawEventData.Parameters) of the relevant event log.

+### 3. Investigate the IP address

+Review the attributes of the IP address that performed the relevant event of rule creation:

+- Search for other suspicious cloud activities that originated from the same IP in the tenant. For instance, suspicious activity might be multiple failed login attempts.

+- Is the ISP common and reasonable for this user?

+- Is the location common and reasonable for this user?

+### 4. Investigate suspicious activity by the user prior to creating the rules

+You can review all user activities before rules were created, check for indicators of compromise, and investigate user actions that seem suspicious.

+For instance, for multiple failed logins, examine:

+- Login activity

+ Validate that the login activity prior to the rule creation is not suspicious. (common location / ISP / user-agent).

+- Alerts

+ Check whether the user received alerts prior to creating the rules. This could indicate that the user account might be compromised. For example, impossible travel alert, infrequent country, multiple failed logins, among others.)

+- Incident

+ Check whether the alert is associated with other alerts that indicate an incident. If so, then check whether the incident contains other true positive alerts.

+## Advanced hunting queries

+[Advanced Hunting](advanced-hunting-overview.md) is a query-based threat hunting tool that lets you inspect events in your network to locate threat indicators.

+Use this query to find all the new inbox rule events during specific time window.

+```kusto

+let start_date = now(-10h);

+let end_date = now();

+let user_id = ""; // enter here the user id

+CloudAppEvents

+| where Timestamp between (start_date .. end_date)

+| where AccountObjectId == user_id

+| where ActionType in ("Set-Mailbox", "New-InboxRule", "Set-InboxRule") //set new inbox rule related operations

+| project Timestamp, ActionType, CountryCode, City, ISP, IPAddress, RuleConfig = RawEventData.Parameters, RawEventData

+```

+The *RuleConfig* column will provide the new inbox rule configuration.

+Use this query to check whether the ISP is common for the user by looking at the history of the user.

+```kusto

+let alert_date = now(); //enter alert date

+let timeback = 60d;

+let userid = ""; //enter here user id

+CloudAppEvents

+| where Timestamp between ((alert_date-timeback)..(alert_date-1h))

+| where AccountObjectId == userid

+| make-series ActivityCount = count() default = 0 on Timestamp from (alert_date-timeback) to (alert_date-1h) step 12h by ISP

+```

+Use this query to check whether the country is common for the user by looking at the history of the user.

+```kusto

+let alert_date = now(); //enter alert date

+let timeback = 60d;

+let userid = ""; //enter here user id

+CloudAppEvents

+| where Timestamp between ((alert_date-timeback)..(alert_date-1h))

+| where AccountObjectId == userid

+| make-series ActivityCount = count() default = 0 on Timestamp from (alert_date-timeback) to (alert_date-1h) step 12h by CountryCode

+```

+Use this query to check whether the user agent is common for the user by looking at the history of the user.

+```kusto

+let alert_date = now(); //enter alert date

+let timeback = 60d;

+let userid = ""; //enter here user id

+CloudAppEvents

+| where Timestamp between ((alert_date-timeback)..(alert_date-1h))

+| where AccountObjectId == userid

+| make-series ActivityCount = count() default = 0 on Timestamp from (alert_date-timeback) to (alert_date-1h) step 12h by UserAgent

+```

+## Recommended actions

+1. Disable the malicious inbox rule.

+2. Reset the user account's credentials. You can also verify if the user account has been compromised with Microsoft Defender for Cloud Apps, which gets security signals from Azure Active Directory (Azure AD) Identity Protection.

+3. Search for other malicious activities performed by the impacted user account.

+4. Check for other suspicious activity in the tenant that originated from the same IP or from the same ISP (if the ISP is uncommon) to find other compromised user accounts.

+## See also

+- [Overview of alert grading](alert-grading-playbooks.md)

+- [Suspicious email forwarding activity](alert-grading-playbook-email-forwarding.md)

+- [Suspicious inbox forwarding rules](alert-grading-playbook-inbox-forwarding-rules.md)

+- [Investigate alerts](investigate-alerts.md)

+ Title: Alert grading playbooks

+description: Review the alerts for well-known attacks and take recommended actions to remediate the attack and protect your network.

+keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365

+search.appverid: met150

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+- NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+- M365-security-compliance

+- m365initiative-m365-defender

+- autoir

+- admindeeplinkDEFENDER

+ms.technology: m365d

+# Alert grading playbooks

+**Applies to:**

+- Microsoft 365 Defender

+Alert grading playbooks allow you to methodically review and quickly classify the alerts for well-known attacks and take recommended actions to remediate the attack and protect your network. Alert grading will also help in properly classifying the overall incident.

+As a security researcher or security operations center (SOC) analyst, you must have access to the Microsoft 365 Defender portal so that you can:

+- Assess and review the generated alerts and associated incidents. See [investigate alerts](investigate-alerts.md).

+- Search your tenant's security signal data and check for potential threats and suspicious activities. See [advanced hunting](advanced-hunting-overview.md).

+>[!Note]

+>You can provide feedback to Microsoft about true positive and false positives alerts, not only at the end of the investigation, but also during the investigation process. This can help Microsoft with future analysis and classification of security events.

+>

+## Microsoft Defender for Office 365

+[Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Defender for Office 365 includes:

+- Threat protection policies

+ Define threat-protection policies to set the appropriate level of protection for your organization.

+- Reports

+ View real-time reports to monitor Defender for Office 365 performance in your organization.

+- Threat investigation and response capabilities

+ Use leading-edge tools to investigate, understand, simulate, and prevent threats.

+- Automated investigation and response capabilities

+ Save time and effort investigating and mitigating threats.

+Defender for Office 365 alerts can be classified as:

+- True positive (TP) for confirmed malicious activity.

+- False positive (FP) for confirmed non-malicious activity.

+>[!Note]

+>Microsoft 365 Defender portal [https://security.microsoft.com](https://security.microsoft.com) brings together functionality from existing Microsoft security portals. The Microsoft 365 Defender portal emphasizes quick access to information, simpler layouts, and bringing related information together for easier use.

+>

+## Microsoft Defender for Cloud Apps

+[Microsoft Defender for Cloud Apps](/defender-cloud-apps) is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services.

+Defender for Cloud Apps natively integrates with leading Microsoft solutions and is designed with security professionals in mind. It provides simple deployment, centralized management, and innovative automation capabilities.

+The Defender for Cloud Apps framework includes the capability to protect your network against cyberthreats and anomalies, detects unusual behavior across cloud apps to identify ransomware, compromised users or rogue applications. It enables the analysis of high-risk usage and can remediate automatically to limit the risk to your organization.

+Defender for Cloud Apps alerts can be classified as:

+- TP for confirmed malicious activity.

+- Benign true positive (B-TP) for suspicious but not malicious activity, such as a penetration test or other authorized suspicious action.

+- FP for confirmed non-malicious activity.

+## Alert grading playbooks

+See these playbooks for steps to more quickly grade alerts for the following threats:

+- [Suspicious email forwarding activity](alert-grading-playbook-email-forwarding.md)

+- [Suspicious inbox manipulation rules](alert-grading-playbook-inbox-manipulation-rules.md)

+- [Suspicious inbox forwarding rules](alert-grading-playbook-inbox-forwarding-rules.md)

+See [Investigate alerts](investigate-alerts.md) for information on how to examine alerts with the Microsoft 365 Defender portal.

+- Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. It shares signals resulting from these activities with Microsoft 365 Defender. Exchange Online Protection (EOP) is integrated to provide end-to-end protection for incoming emails and attachments.

+- [Identity infrastructure for Microsoft 365](../enterprise/deploy-identity-solution-overview.md)

+|[Virtual visits with Microsoft Teams and the Bookings app](/microsoftteams/expand-teams-across-your-org/bookings-virtual-visits) | The Bookings app in Microsoft Teams gives organizations a simple way to schedule and manage virtual appointments for staff and attendees. Use it to schedule virtual appointments such as healthcare visits, financial consultations, interviews, customer support, virtual shopping experiences, education office hours, and more. |