-## Week of December 12, 2022

-

-

-

-6. Follow the prompts in the wizard to select a retention label, and then review and submit your configuration choices.

-For more information about these options, see the following guidance from the DLP documentation [Tuning rules to make them easier or harder to match](data-loss-prevention-policies.md#tuning-rules-to-make-them-easier-or-harder-to-match).

-You can learn more about these configuration options from the DLP documentation: [Tuning rules to make them easier or harder to match](data-loss-prevention-policies.md#tuning-rules-to-make-them-easier-or-harder-to-match).

-Also similarly to DLP policy configuration, you can choose whether a condition must detect all sensitive information types, or just one of them. And to make your conditions more flexible or complex, you can add [groups and use logical operators between the groups](data-loss-prevention-policies.md).

-6. For the page **Choose locations where you want to apply the label**: Select and specify locations for Exchange, SharePoint, and OneDrive. If you don't want to keep the default of **All** included for your chosen locations, select the link to choose specific instances to include, or select the link to choose specific instances to exclude. Then select **Next**.

- If you change the default settings by using **Included** or **Excluded**:

-7. For the **Set up common or advanced rules** page: Keep the default of **Common rules** to define rules that identify content to label across all your selected locations. If you need different rules per location, including more options for Exchange, select **Advanced rules**. Then select **Next**.

-8. Depending on your previous choices, you'll now have an opportunity to create new rules by using conditions and exceptions.

-9. For the **Choose a label to auto-apply** page: Select **+ Choose a label**, select a label from the **Choose a sensitivity label** pane, and then select **Next**.

-10. If your policy includes the Exchange location: Specify optional configurations on the **Additional settings for email** page:

-10. For the **Decide if you want to test out the policy now or later** page: Select **Run policy in simulation mode** if you're ready to run the auto-labeling policy now, in simulation mode. Then decide whether to automatically turn on the policy if it's not edited for 7 days:

-11. For the **Summary** page: Review the configuration of your auto-labeling policy and make any changes that needed, and complete the configuration.

- - If **Groups & sites** is selected, you can configure settings that apply to Microsoft 365 groups, and sites for Teams and SharePoint. If this option isn't selected, you see the first page of these settings but you can't configure them and the labels won't be available for users to select for groups and site.

-4. Review the selected labels and to make any changes, select **Edit**. Otherwise, select **Next**.

-5. Follow the prompts to configure the policy settings.

-6. Repeat these steps if you need different policy settings for different users or scopes. For example, you want additional labels for a group of users, or a different default label for a subset of users. Or, if you have configured labels to have different scopes.

-# rename the md file to the above title

-feedback_system: None

-description: data loss prevention reference material

-# Data loss prevention reference

-> [!IMPORTANT]

-> This is reference topic is no longer the main resource for Microsoft Purview Data Loss Prevention (DLP) information. The DLP content set is being updated and restructured. The topics covered in this article will be moving to new, updated articles. For more information about DLP, see [Learn about data loss prevention](dlp-learn-about-dlp.md).

-<!-- this topic needs to be split into smaller, more coherent ones. It is confusing as it is. -->

-<!-- move this note to a more appropriate place, no topic should start with a note -->

-> [!NOTE]

-> Data loss prevention capabilities were recently added to Microsoft Teams chat and channel messages for users licensed for Office 365 Advanced Compliance, which is available as a standalone option and is included in Office 365 E5 and Microsoft 365 E5 Compliance. To learn more about licensing requirements, see [Microsoft 365 Tenant-Level Services Licensing Guidance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance).

-<!-- MOVED TO LEARN ABOUT To comply with business standards and industry regulations, organizations must protect sensitive information and prevent its inadvertent disclosure. Sensitive information can include financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or health records. With a data loss prevention (DLP) policy in the Microsoft Purview compliance portal, you can identify, monitor, and automatically protect sensitive information across Office 365.

-With a DLP policy, you can:

- For example, you can identify any document containing a credit card number that's stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people.

- For example, you can identify any document or email containing a health record that's shared with people outside your organization, and then automatically block access to that document or block the email from being sent.

- Just like in Exchange Online, SharePoint Online, and OneDrive for Business, these Office desktop programs include the same capabilities to identify sensitive information and apply DLP policies. DLP provides continuous monitoring when people share content in these Office programs.

- You can educate your users about DLP policies and help them remain compliant without blocking their work. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a policy tip in the context of the document library that allows them to override the policy if they have a business justification. The same policy tips also appear in Outlook on the web, Outlook, Excel, PowerPoint, and Word.

- To view alerts and metadata related to your DLP policies you can use the [DLP Alerts Management Dashboard](dlp-configure-view-alerts-policies.md). You can also view policy match reports to assess how your organization is complying with a DLP policy. If a DLP policy allows users to override a policy tip and report a false positive, you can also view what users have reported

-## Create and manage DLP policies

-You create and manage DLP policies on the data loss prevention page in the Microsoft Purview compliance portal.

-

-<!-- MOVED TO LEARN ABOUT ## What a DLP policy contains

-A DLP policy contains a few basic things:

- - **Conditions** the content must match before the rule is enforced. For example, a rule might be configured to look only for content containing Social Security numbers that's been shared with people outside your organization.

- - **Actions** that you want the rule to take automatically when content matching the conditions is found. For example, a rule might be configured to block access to a document and send both the user and compliance officer an email notification.

-You can use a rule to meet a specific protection requirement, and then use a DLP policy to group together common protection requirements, such as all of the rules needed to comply with a specific regulation.

-For example, you might have a DLP policy that helps you detect the presence of information subject to the Health Insurance Portability and Accountability Act (HIPAA). This DLP policy could help protect HIPAA data (the what) across all SharePoint Online sites and all OneDrive for Business sites (the where) by finding any document containing this sensitive information that's shared with people outside your organization (the conditions) and then blocking access to the document and sending a notification (the actions). These requirements are stored as individual rules and grouped together as a DLP policy to simplify management and reporting.

- -->

-<!-- MOVED TO LEARN ABOUT ### Locations

-DLP policies are applied to sensitive items across Microsoft 365 locations and can be further scoped as detailed in this table.

-|Location | Include/exclude by|

-|||

-|Exchange email| distribution groups|

-|SharePoint sites |sites |

-|OneDrive accounts |accounts |

-|Teams chat and channel messages |accounts |

-|Windows 10 devices |user or group |

-|Microsoft Cloud App Security |instance |

- -->

-<!-- moved to dlp-policy-reference.md

-If you choose to include specific distribution groups in Exchange, the DLP policy will be scoped only to the members of that group. Similarly excluding a distribution group will exclude all the members of that distribution group from policy evaluation. You can choose to scope a policy to the members of distribution lists, dynamic distribution groups, and security groups. A DLP policy can contain no more than 50 such inclusions and exclusions.

-If you choose to include or exclude specific SharePoint sites, a DLP policy can contain no more than 100 such inclusions and exclusions. Although this limit exists, you can exceed this limit by applying either an org-wide policy or a policy that applies to entire locations.

-If you choose to include or exclude specific OneDrive accounts or groups, a DLP policy can contain no more than 100 user accounts or 50 groups as inclusion or exclusion.

-### Rules

-> [!NOTE]

-> The default behavior of a DLP policy, when there is no alert configured, is not to alert or trigger. This applies only to default information types. For custom information types, the system will alert even if there is no action defined in the policy.

-Rules are what enforce your business requirements on your organization's content. A policy contains one or more rules, and each rule consists of conditions and actions. For each rule, when the conditions are met, the actions are taken automatically. Rules are executed sequentially, starting with the highest-priority rule in each policy.

-A rule also provides options to notify users (with policy tips and email notifications) and admins (with email incident reports) that content has matched the rule.

-Here are the components of a rule, each explained below.

-

-#### Conditions

-Conditions are important because they determine what types of information you're looking for, and when to take an action. For example, you might choose to ignore content containing passport numbers unless the content contains more than 10 such numbers and is shared with people outside your organization.

-Conditions focus on the **content**, such as what types of sensitive information you're looking for, and also on the **context**, such as who the document is shared with. You can use conditions to assign different actions to different risk levels. For example, sensitive content shared internally might be lower risk and require fewer actions than sensitive content shared with people outside the organization.

-

-The conditions now available can determine if:

- > [!NOTE]

- > Users who have non-guest accounts in a host organization's Active Directory or Azure Active Directory tenant are considered as people inside the organization.

-#### Types of sensitive information

-A DLP policy can help protect sensitive information, which is defined as a **sensitive information type**. Microsoft 365 includes definitions for many common sensitive information types across many different regions that are ready for you to use, such as a credit card number, bank account numbers, national ID numbers, and passport numbers.

-

-When a DLP policy looks for a sensitive information type such as a credit card number, it doesn't simply look for a 16-digit number. Each sensitive information type is defined and detected by using a combination of:

-This helps DLP detection achieve a high degree of accuracy while reducing the number of false positives that can interrupt peoples' work.

-#### Actions

-When content matches a condition in a rule, you can apply actions to automatically protect the content.

-

-With the actions now available, you can:

- 1. Restrict access to content for everyone.

- 2. Restrict access to content for people outside the organization.

- 3. Restrict access to "Anyone with the link."

- For site content, this means that permissions for the document are restricted for everyone except the primary site collection administrator, document owner, and person who last modified the document. These people can remove the sensitive information from the document or take other remedial action. When the document is in compliance, the original permissions are automatically restored. When access to a document is blocked, the document appears with a special policy tip icon in the library on the site.

- 

- For email content, this action blocks the message from being sent. Depending on how the DLP rule is configured, the sender sees an NDR or (if the rule uses a notification) a policy tip and/or email notification.

- 

-#### User notifications and user overrides

-You can use notifications and overrides to educate your users about DLP policies and help them remain compliant without blocking their work. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a policy tip in the context of the document library that allows them to override the policy if they have a business justification.

-

-The email can notify the person who sent, shared, or last modified the content and, for site content, the primary site collection administrator and document owner. In addition, you can add or remove whomever you choose from the email notification.

-In addition to sending an email notification, a user notification displays a policy tip:

-The email notification and policy tip explain why content conflicts with a DLP policy. If you choose, the email notification and policy tip can allow users to override a rule by reporting a false positive or providing a business justification. This can help you educate users about your DLP policies and enforce them without preventing people from doing their work. Information about overrides and false positives is also logged for reporting (see below about the DLP reports) and included in the incident reports (next section), so that the compliance officer can regularly review this information.

-Here's what a policy tip looks like in a OneDrive for Business account.

-

- To learn more about user notifications and policy tips in DLP policies, see [Use notifications and policy tips](use-notifications-and-policy-tips.md).

-#### Alerts and Incident reports

-When a rule is matched, you can send an alert email to your compliance officer (or any person(s) you choose) with details of the alert. This alert email will carry a link of the [DLP Alerts Management Dashboard](dlp-configure-view-alerts-policies.md) which the compliance officer can go to view the details of alert and events. The dashboard contains details of the event that triggered the alert along with details of the DLP policy matched and the sensitive content detected.

-In addition, you can also send an incident report with details of the event. This report includes information about the item that was matched, the actual content that matched the rule, and the name of the person who last modified the content. For email messages, the report also includes as an attachment the original message that matches a DLP policy.

-> [!div class="mx-imgBorder"]

-> 

-DLP scans email differently from items in SharePoint Online or OneDrive for Business. In SharePoint Online and OneDrive for Business, DLP scans existing items as well as new ones and generates an alert and incident report whenever a match is found. In Exchange Online, DLP only scans new email messages and generates a report if there is a policy match. DLP ***does not*** scan or match previously existing email items that are stored in a mailbox or archive.

-## Grouping and logical operators

-Often your DLP policy has a straightforward requirement, such as to identify all content that contains a U.S. Social Security Number. However, in other scenarios, your DLP policy might need to identify more loosely defined data.

-For example, to identify content subject to the U.S. Health Insurance Act (HIPAA), you need to look for:

- AND

-You can easily identify such loosely defined data by using grouping and logical operators (AND, OR). When you create a DLP policy, you can:

-### Choosing the operator within a group

-Within a group, you can choose whether any or all of the conditions in that group must be satisfied for the content to match the rule.

-

-### Adding a group

-You can quickly add a group, which can have its own conditions and operator within that group.

-

-### Choosing the operator between groups

-Between groups, you can choose whether the conditions in just one group or all of the groups must be satisfied for the content to match the rule.

-For example, the built-in **U.S. HIPAA** policy has a rule that uses an **AND** operator between the groups so that it identifies content that contains:

- **AND**

-

-## The priority by which rules are processed

-When you create rules in a policy, each rule is assigned a priority in the order in which it's created ΓÇö meaning, the rule created first has first priority, the rule created second has second priority, and so on.

-> [!div class="mx-imgBorder"]

-> 

-After you have set up more than one DLP policy, you can change the priority of one or more policies. To do that, select a policy, choose **Edit policy**, and use the **Priority** list to specify its priority.

-> [!div class="mx-imgBorder"]

-> 

-When content is evaluated against rules, the rules are processed in priority order. If content matches multiple rules, the rules are processed in priority order and the most restrictive action is enforced. For example, if content matches all of the following rules, Rule 3 is enforced because it's the highest priority, most restrictive rule:

-In this example, note that matches for all of the rules are recorded in the audit logs and shown in the DLP reports, even though only the most restrictive rule is enforced.

-Regarding policy tips, note that:

-## Tuning rules to make them easier or harder to match

-After people create and turn on their DLP policies, they sometimes run into these issues:

-To address these issues, you can tune your rules by adjusting the instance count and match accuracy to make it harder or easier for content to match the rules. Each sensitive information type used in a rule has both an instance count and match accuracy.

-### Instance count

-Instance count means simply how many occurrences of a specific type of sensitive information must be present for content to match the rule. For example, content matches the rule shown below if between 1 and 9 unique U.S. or U.K. passport numbers are identified.

-> [!NOTE]

-> The instance count includes only **unique** matches for sensitive information types and keywords. For example, if an email contains 10 occurrences of the same credit card number, those 10 occurrences count as a single instance of a credit card number.

-To use instance count to tune rules, the guidance is straightforward:

-Typically, you use less restrictive actions, such as sending user notifications, in a rule with a lower instance count (for example, 1-9). And you use more restrictive actions, such as restricting access to content without allowing user overrides, in a rule with a higher instance count (for example, 10-any).

-

-### Match accuracy

-As described above, a sensitive information type is defined and detected by using a combination of different types of evidence. Commonly, a sensitive information type is defined by multiple such combinations, called patterns. A pattern that requires less evidence has a lower match accuracy (or confidence level), while a pattern that requires more evidence has a higher match accuracy (or confidence level). To learn more about the actual patterns and confidence levels used by every sensitive information type, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md).

-For example, the sensitive information type named Credit Card Number is defined by two patterns:

- - A number in the format of a credit card number.

- - A number that passes the checksum.

- - A number in the format of a credit card number.

- - A number that passes the checksum.

- - A keyword or an expiration date in the right format.

-You can use these confidence levels (or match accuracy) in your rules. Typically, you use less restrictive actions, such as sending user notifications, in a rule with lower match accuracy. And you use more restrictive actions, such as restricting access to content without allowing user overrides, in a rule with higher match accuracy.

-It's important to understand that when a specific type of sensitive information, such as a credit card number, is identified in content, only a single confidence level is returned:

-So if you want to create two mutually exclusive rules for credit cards, one for the 65% match accuracy and one for the 85% match accuracy, the ranges for match accuracy would look like this. The first rule picks up only matches of the 65% pattern. The second rule picks up matches with **at least one** 85% match and **can potentially have** other lower-confidence matches.

-

-For these reasons, the guidance for creating rules with different match accuracies is:

-## Using a retention label as a condition in a DLP policy

-When you use a previously created and published [retention label](retention.md#retention-labels) as a condition in a DLP policy, there are some things to be aware of:

- 

- You might want to use a retention label in a DLP policy if you have items that are under retention and disposition, and you also want to apply other controls to them, for example:

- - You published a retention label named **tax year 2018**, which when applied to tax documents from 2018 that are stored in SharePoint retains them for 10 years then disposes of them. You also don't want those items being shared outside your organization, which you can do with a DLP policy.

- > [!IMPORTANT]

- > You'll get this error if you specify a retention label as a condition in a DLP policy and you also include Exchange and/or Teams as a location: **"Protecting labeled content in email and teams messages isn't supported. Either remove the label below or turn off Exchange and Teams as a location."** This is because Exchange transport does not evaluate the label metadata during message submission and delivery.

-### Using a sensitivity label as a condition in a DLP policy

-[Learn more](./dlp-sensitivity-label-as-condition.md) about using Sensitivity label as a condition in DLP policies.

-### How this feature relates to other features

-Several features can be applied to content containing sensitive information:

-

-Note that a DLP policy has a richer detection capability than a label or retention policy applied to sensitive information. A DLP policy can enforce protective actions on content containing sensitive information, and if the sensitive information is removed from the content, those protective actions are undone the next time the content's scanned. But if a retention policy or label is applied to content containing sensitive information, that's a one-time action that won't be undone even if the sensitive information is removed.

-By using a label as a condition in a DLP policy, you can enforce both retention and protection actions on content with that label. You can think of content containing a label exactly like content containing sensitive information - both a label and a sensitive information type are properties used to classify content, so that you can enforce actions on that content.

-

-## Simple settings vs. advanced settings

-When you create a DLP policy, you'll choose between simple or advanced settings:

-Don't worry, under the covers, simple settings and advanced settings work exactly the same, by enforcing rules comprised of conditions and actionsΓÇöonly with simple settings, you don't see the rule editor. It's a quick way to create a DLP policy.

-### Simple settings

-By far, the most common DLP scenario is creating a policy to help protect content containing sensitive information from being shared with people outside your organization, and taking an automatic remediating action such as restricting who can access the content, sending end-user or admin notifications, and auditing the event for later investigation. People use DLP to help prevent the inadvertent disclosure of sensitive information.

-To simplify achieving this goal, when you create a DLP policy, you can choose **Use simple settings**. These settings provide everything you need to implement the most common DLP policy, without having to go into the rule editor.

-

-### Advanced settings

-If you need to create more customized DLP policies, you can choose **Use advanced settings**.

-The advanced settings present you with the rule editor, where you have full control over every possible option, including the instance count and match accuracy (confidence level) for each rule.

-To jump to a section quickly, click an item in the top navigation of the rule editor to go to that section below.

-

-## DLP policy templates

-The first step in creating a DLP policy is choosing what information to protect. By starting with a DLP template, you save the work of building a new set of rules from scratch, and figuring out which types of information should be included by default. You can then add to or modify these requirements to fine tune the rule to meet your organization's specific requirements.

-A preconfigured DLP policy template can help you detect specific types of sensitive information, such as HIPAA data, PCI-DSS data, Gramm-Leach-Bliley Act data, or even locale-specific personally identifiable information (P.I.). To make it easy for you to find and protect common types of sensitive information, the policy templates included in Microsoft 365 already contain the most common sensitive information types necessary for you to get started.

-

-Your organization may also have its own specific requirements, in which case you can create a DLP policy from scratch by choosing the **Custom policy** option. A custom policy is empty and contains no premade rules.

-<!-- ## Roll out DLP policies gradually with test mode

-rehomed to Plan for DLP

-When you create your DLP policies, you should consider rolling them out gradually to assess their impact and test their effectiveness before fully enforcing them. For example, you don't want a new DLP policy to unintentionally block access to thousands of documents that people require access to in order to get their work done.

-If you're creating DLP policies with a large potential impact, we recommend following this sequence:

-1. **Start in test mode without Policy Tips** and then use the DLP reports and any incident reports to assess the impact. You can use DLP reports to view the number, location, type, and severity of policy matches. Based on the results, you can fine tune the rules as needed. In test mode, DLP policies will not impact the productivity of people working in your organization.

-2. **Move to Test mode with notifications and Policy Tips** so that you can begin to teach users about your compliance policies and prepare them for the rules that are going to be applied. At this stage, you can also ask users to report false positives so that you can further refine the rules.

-3. **Start full enforcement on the policies** so that the actions in the rules are applied and the content's protected. Continue to monitor the DLP reports and any incident reports or notifications to make sure that the results are what you intend.

- 

- You can turn off a DLP policy at any time, which affects all rules in the policy. However, each rule can also be turned off individually by toggling its status in the rule editor.

- 

- You can also change the priority of multiple rules in a policy. To do that, open a policy for editing. In a row for a rule, choose the ellipses (**...**), and then choose an option, such as **Move down** or **Bring to last**.

- > [!div class="mx-imgBorder"]

- > -->

-## DLP reports

-After you create and turn on your DLP policies, you'll want to verify that they're working as you intended and helping you stay compliant. With DLP reports, you can quickly view the number of DLP policy and rule matches over time, and the number of false positives and overrides. For each report, you can filter those matches by location, time frame, and even narrow it down to a specific policy, rule, or action.

-With the DLP reports, you can get business insights and:

-In addition, you can use the DLP reports to fine tune your DLP policies as you run them.

-

-## How DLP policies work

-DLP detects sensitive information by using deep content analysis (not just a simple text scan). This deep content analysis uses keyword matches, dictionary matches, the evaluation of regular expressions, internal functions, and other methods to detect content that matches your DLP policies. Potentially only a small percentage of your data is considered sensitive. A DLP policy can identify, monitor, and automatically protect just that data, without impeding or affecting people who work with the rest of your content.

-### Policies are synced

-After you create a DLP policy in the Microsoft Purview compliance portal, it's stored in a central policy store, and then synced to the various content sources, including:

-After the policy's synced to the right locations, it starts to evaluate content and enforce actions.

-<!-- what is the time delay for first deployment of a policy and what is the sync schedule? -->

-### Policy evaluation in OneDrive for Business and SharePoint Online sites

-Across all of your SharePoint Online sites and OneDrive for Business sites, documents are constantly changing ΓÇö they're continually being created, edited, shared, and so on. This means documents can conflict or become compliant with a DLP policy at any time. For example, a person can upload a document that contains no sensitive information to their team site, but later, a different person can edit the same document and add sensitive information to it.

-For this reason, DLP policies check documents for policy matches frequently in the background. You can think of this as asynchronous policy evaluation.

-<!-- what is the frequency? looks like it is tied to the search crawl schedule -->

-#### How it works

-As people add or change documents in their sites, the search engine scans the content, so that you can search for it later. While this is happening, the content's also scanned for sensitive information and to check if it's shared. Any sensitive information that's found is stored securely in the search index, so that only the compliance team can access it, but not typical users. Each DLP policy that you've turned on runs in the background (asynchronously), checking search frequently for any content that matches a policy, and applying actions to protect it from inadvertent leaks.

-

-<!-- conflict with a DLP policy is bad wording -->

-Finally, documents can conflict with a DLP policy, but they can also become compliant with a DLP policy. For example, if a person adds credit card numbers to a document, it might cause a DLP policy to block access to the document automatically. But if the person later removes the sensitive information, the action (in this case, blocking) is automatically undone the next time the document is evaluated against the policy.

-DLP evaluates any content that can be indexed. For more information on what file types are crawled by default, see [Default crawled file name extensions and parsed file types in SharePoint Server](/SharePoint/technical-reference/default-crawled-file-name-extensions-and-parsed-file-types).

-> [!NOTE]

-> In order to prevent documents from being shared before DLP policies had the opportunity to analyze them, sharing of new files in SharePoint can be blocked until its content has been indexed. See, [Mark new files as sensitive by default](/sharepoint/sensitive-by-default) for detailed information.

-### Policy evaluation in Exchange Online, Outlook, and Outlook on the web

-When you create a DLP policy that includes Exchange Online as a location, the policy's synced from the Microsoft Purview compliance portal to Exchange Online, and then from Exchange Online to Outlook on the web and Outlook.

-When a message is being composed in Outlook, the user can see policy tips as the content being created is evaluated against DLP policies. And after a message is sent, it's evaluated against DLP policies as a normal part of mail flow, along with Exchange mail flow rules (also known as transport rules) and DLP policies created in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>. DLP policies scan both the message and any attachments.

-### Policy evaluation in the Office desktop programs

-<!-- same capability to identify sensitive information line conflates sensitive information types and such -->

-Excel, PowerPoint, and Word include the same capability to identify sensitive information and apply DLP policies as SharePoint Online and OneDrive for Business. These Office programs sync their DLP policies directly from the central policy store, and then continuously evaluate the content against the DLP policies when people work with documents opened from a site that's included in a DLP policy.

-DLP policy evaluation in Office is designed not to affect the performance of the programs or the productivity of people working on content. If they're working on a large document, or the user's computer is busy, it might take a few seconds for a policy tip to appear.

-### Policy evaluation in Microsoft Teams

- <!--what do you mean that it's synched to user accounts? I thought DLP policies were applied to locations not users like sensitivity labels are -->

-When you create a DLP policy that includes Microsoft Teams as a location, the policy's synced from the Microsoft Purview compliance portal to user accounts and Microsoft Teams channels and chat messages. Depending on how DLP policies are configured, when someone attempts to share sensitive information in a Microsoft Teams chat or channel message, the message can be blocked or revoked. And, documents that contain sensitive information and that are shared with guests (external users) won't open for those users. To learn more, see [Data loss prevention and Microsoft Teams](dlp-microsoft-teams.md).

-## Permissions

-By default, Global admins, Security admins, and Compliance admins will have access to create and apply a DLP policy. Other Members of your compliance team who will create DLP policies need permissions to the Microsoft Purview compliance portal. By default, your Tenant admin will have access to this location and can give compliance officers and other people access to the Microsoft Purview compliance portal, without giving them all of the permissions of a Tenant admin. To do this, we recommend that you:

-1. Create a group in Microsoft 365 and add compliance officers to it.

-2. Create a role group on the **Permissions** page of the Microsoft Purview compliance portal.

-3. While creating the role group, use the **Choose Roles** section to add the following role to the Role Group: **DLP Compliance Management**.

-4. Use the **Choose Members** section to add the Microsoft 365 group you created before to the role group.

-You can also create a role group with view-only privileges to the DLP policies and DLP reports by granting the **View-Only DLP Compliance Management** role.

-For more information, see [Add users to a compliance role group](microsoft-365-compliance-center-permissions.md#add-users-to-a-compliance-role-group).

-These permissions are required only to create and apply a DLP policy. Policy enforcement does not require access to the content.

-## Find the DLP cmdlets

-To use most of the cmdlets for the Microsoft Purview compliance portal, you need to:

-1. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).

-2. Use any of these [policy-and-compliance-dlp cmdlets](/powershell/module/exchange/export-dlppolicycollection).

-However, DLP reports need pull data from across Microsoft 365, including Exchange Online. For this reason, ***the cmdlets for the DLP reports are available in Exchange Online Powershell -- not in Microsoft Purview compliance portal Powershell***. Therefore, to use the cmdlets for the DLP reports, you need to:

-1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).

-2. Use any of these cmdlets for the DLP reports:

- - [Get-DlpDetectionsReport](/powershell/module/exchange/Get-DlpDetectionsReport)

- - [Get-DlpDetailReport](/powershell/module/exchange/Get-DlpDetailReport)

-## More information

-The account you use to create and deploy policies must be a member of one of these roles/role groups

-#### Roles and Role Groups

-|"We need to block emails to all recipients..."|- **Where to monitor**: Exchange </br> - **Action**: Restrict access or encrypt the content in Microsoft 365 locations > Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files > Block everyone |

-2. **Choose where you want to monitor** - You pick one or more locations that you want DLP to monitor for sensitive information. You can monitor:

-3. **Choose the conditions that must be matched for a policy to be applied to an item** - You can accept pre-configured conditions or define custom conditions. Some examples are:

-4. **Choose the action to take when the policy conditions are met** - The actions depend on the location where the activity is happening. Some examples are:

-## Licensing and Subscriptions

-See the [licensing requirements for Information Protection](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection) for details on the subscriptions that support DLP.

-Similar to how DLP works in [Exchange, Outlook, Outlook on the web](data-loss-prevention-policies.md#policy-evaluation-in-exchange-online-outlook-and-outlook-on-the-web), [SharePoint Online, OneDrive for Business sites](data-loss-prevention-policies.md#policy-evaluation-in-onedrive-for-business-and-sharepoint-online-sites), and [Office desktop clients](data-loss-prevention-policies.md#policy-evaluation-in-the-office-desktop-programs), policy tips appear when an action triggers with a DLP policy. Here's an example of a policy tip:

-To perform this task, you must be assigned a role that has permissions to edit DLP policies. To learn more, see [Permissions](data-loss-prevention-policies.md#permissions).

-To perform this task, you must be assigned a role that has permissions to edit DLP policies. To learn more, see [Permissions](data-loss-prevention-policies.md#permissions).

-To perform this task, you must be assigned a role that has permissions to edit DLP policies. To learn more, see [Permissions](data-loss-prevention-policies.md#permissions).

-3. Choose a [template](data-loss-prevention-policies.md#dlp-policy-templates), and then choose **Next**.

-6. On the **Policy settings** tab, under **Customize the type of content you want to protect**, keep the default simple settings, or choose **Use advanced settings**, and then choose **Next**. If you choose advanced settings, you can create or edit rules for your policy. To get help with this, see [Simple settings vs. advanced settings](data-loss-prevention-policies.md#simple-settings-vs-advanced-settings).

-# Get started with the Microsoft Purview Data Loss Prevention migration assistant for Symantec (preview)

-Now that you have installed Microsoft Purview Data Loss Prevention migration assistant for Symantec (preview), you're ready to move on to your next step where you use the migration assistant.

-# Learn about the Microsoft Purview Data Loss Prevention migration assistant for Symantec (preview)

-# Use the Microsoft Purview Data Loss Prevention migration assistant for Symantec (preview)

-Let's break the example draft statement down and map it to DLP policy configuration points.

-|...that are stored in OneDrive/SharePoint and protect against that information being shared in Teams chat and channel messages...|- **Where to monitor**: [Location scoping](dlp-policy-reference.md#locations) by including or excluding OneDrive and SharePoint sites and Teams chat/channel accounts or distribution groups.|

-If you are new to Microsoft Purview DLP, here's a list of the core articles you'll need as you implement DLP:

-## Locations

-|Location |Include/Exclude scope |Data state |Additional pre-requisites |

-|||||

-|Exchange email online |distribution group | data-in-motion| No |

-|SharePoint online sites |sites | data-at-rest </br> data-in-use | No|

-|OneDrive for Business accounts| account or distribution group |data-at-rest </br> data-in-use|No|

-|Teams chat and channel messages | account or distribution group |data-in-motion </br> data-in-use | No |

-|Microsoft Defender for Cloud Apps | cloud app instance |data-at-rest | - [Use data loss prevention policies for non-Microsoft cloud apps](dlp-use-policies-non-microsoft-cloud-apps.md#use-data-loss-prevention-policies-for-non-microsoft-cloud-apps) |

-|Devices |user or group |data-at-rest </br> data-in-use </br> data-in-motion |- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md) </br>- [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md) </br>- [Configure device proxy and internet connection settings for Information Protection](device-onboarding-configure-proxy.md#configure-device-proxy-and-internet-connection-settings-for-information-protection) |

-|On-premises repositories (file shares and SharePoint) |repository | data-at-rest | - [Learn about the data loss prevention on-premises scanner](dlp-on-premises-scanner-learn.md) </br> - [Get started with the data loss prevention on-premises scanner](dlp-on-premises-scanner-get-started.md#get-started-with-the-data-loss-prevention-on-premises-scanner) |

-|Power BI| workspaces | data-in-use | No|

-<! [**Exceptions**](#exceptions) to the conditions

-> [!IMPORTANT]

-> The **Exceptions** UI is only available in **Classic rule builder** mode. If you have switched to the **New DLP rule builder** [mode](dlp-policy-design.md#complex-rule-design), exceptions are displayed as nested groups and joined to the other conditions by a boolean NOT function.-->

-##### Conditions PowerBI supports

-Sometimes you need a rule to only identify one thing, like all content that contains a U.S. Social Security Number, which is defined by a single SIT. But in many scenarios, where the types of items you are trying to identify are more complex and therefore harder to define, more flexibility in defining conditions is required.

-#### PowerBI actions

-Whether an action takes effect or not depends on how you configure the mode of the policy. You can choose to run the policy in test mode with or without showing policy tip by selecting the **Test it out first** option. You choose to run the policy as soon as an hour after it is created by selecting the **Turn it on right away** option, or you can choose to just save it and come back to it later by selecting the **Keep it off** option.

-If you selected Devices only, you will get all the same options that are available for Exchange, SharePoint, OneDrive, Teams Chat and Channel and Defender for Cloud Apps plus the option to customize the notification title and content that appears on the Windows 10 device.

-*%%AppliedActions%% File name %%FileName%% via %%ProcessName%% is not allowed by your organization. Click 'Allow' if you want to bypass the policy %%PolicyName%%*

-|- **Content is shared from Microsoft 365** </br>- **with people outside my organization** | - **Restrict access or encrypt the content in Microsoft 365 locations** is selected </br>- **Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files** is selected </br>- **Block only people outside your organization** is selected |- **User notifications** set to **On** </br>- **Notify users in Office 365 service with a policy tip** is selected </br>- **Notify the user who sent, shared, or last modified the content** is selected | - **Send an alert to admins when a rule match occurs** set to **On** </br>- **Send alert every time an activity matches the rule** is selected </br>- **Use email incident reports to notify you when a policy match occurs** set to **On** | - Access to a sensitive file is blocked as soon as it is uploaded </br>- Notifications sent when content is shared from Microsoft 365 with people outside my organization |

-DLP feeds incident information to other Microsoft Purview information protection services, like [insider risk management](insider-risk-management.md). In order to get incident information to insider risk management, you must set the **Incident reports** severity level to **High**.

-If you have multiple rules in a policy, you can use the **Additional options** to control further rule processing if there is a match to the rule you are editing as well as setting the priority for evaluation of the rule.

-1. Create a [Custom Role Group](/microsoft-365/compliance/microsoft-365-compliance-center-permissions#create-a-custom-role-group) for the users you want to share alerts with. For example `DLPAlertInvestigator`. Add these roles to the group:

-**.NET Core 3.1 SDK**. Download and install the SDK from [Download .NET Core 3.1](https://dotnet.microsoft.com/download/dotnet-core/3.1).

-These scenarios require that you already have devices onboarded and reporting into Activity explorer. If you haven't onboarded devices yet, see [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md).

-2. Choose **Create policy**.

-3. For this scenario, choose **Privacy**, then **U.S. Personally Identifiable Information (PII) Data** and choose **Next**.

-4. Toggle the **Status** field to off for all locations except **Devices**. Choose **Next**.

-5. Accept the default **Review and customize settings from the template** selection and choose **Next**.

-6. Accept the default **Protection actions** values and choose **Next**.

-7. Select **Audit or restrict activities on Windows devices** and leave the actions set to **Audit only**. Choose **Next**.

-8. Accept the default **I'd like to test it out first** value and choose **Show policy tips while in test mode**. Choose **Next**.

-9. Review your settings and choose **Submit**.

-10. The new DLP policy will appear in the policy list.

-11. Check Activity explorer for data from the monitored endpoints. Set the location filter for devices and add the policy, then filter by policy name to see the impact of this policy; see [Get started with activity explorer](data-classification-activity-explorer.md), if needed.

-12. Attempt to share a test item that contains content that will trigger the U.S. Personally Identifiable Information (PII) Data condition with someone outside your organization. This should trigger the policy.

-13. Check Activity explorer for the event.

-2. Choose the **U.S. Personally Identifiable Information (PII) Data** policy that you created in scenario 1.

-3. Choose **edit policy**.

-4. Go to the **Advanced DLP rules** page and edit the **Low volume of content detected U.S. Personally Identifiable Inf**.

-5. Scroll down to the **Incident reports** section and set **Send an alert to admins when a rule match occurs** to **On**. Email alerts will be automatically sent to the administrator and anyone else you add to the list of recipients.

-2. Choose the **U.S. Personally Identifiable Information (PII) Data** policy that you created in scenario 1.

-3. Choose **edit policy**.

-4. Go to the **Advanced DLP rules** page and edit the **Low volume of content detected U.S. Personally Identifiable Inf**.

-5. Scroll down to the **Audit or restrict activities on Windows device** section and for each activity set the corresponding action to **Block with override**.

-6. Choose **Save**.

-7. Repeat steps 4-7 for the **High volume of content detected U.S. Personally Identifiable Inf**.

-8. Retain all your previous settings by choosing **Next** and then **Submit** the policy changes.

-9. Attempt to share a test item that contains content that will trigger the U.S. Personally Identifiable Information (PII) Data condition with someone outside your organization. This should trigger the policy.

-10. Check Activity explorer for the event.

-2. Expand **Unallowed apps**.

-3. Choose **Add or edit unallowed apps** and add *OneDrive* as a display name and the executable name *onedrive.exe* to disallow onedrive.exe from accessing items the **Highly Confidential** label.

-4. Select **Auto-quarantine** and **Save**.

-5. Under **Auto-quarantine settings** choose **Edit auto-quarantine settings**.

-6. Enable **Auto-quarantine for unallowed apps**.

-7. Enter the path to the folder on local machines where you want the original sensitive files to be moved to. For example:

-8. Choose **Replace the files with a .txt file that contains the following text** and enter the text you want in the placeholder file. For example for a file named *auto quar 1.docx*:

-9. Choose **Save**

-2. Choose **Create policy**.

-3. For this scenario, choose **Custom**, then **Custom policy** and choose **Next**.

-4. Fill in the **Name** and **Description** fields, choose **Next**.

-5. Toggle the **Status** field to off for all locations except **Devices**. If you have a specific end user account that you want to test this from, be sure to select it in the scope. Choose **Next**.

-6. Accept the default **Create or customize advanced DLP rules** selection and choose **Next**.

-7. Create a rule with these values:

-8. Choose **Save** and **Next**.

-9. Choose **Turn it on right away**. Choose **Next**.

-10. Review your settings and choose **Submit**.

-11. The new DLP policy will appear in the policy list.

-2. Create a folder whose contents will not be synchronized to OneDrive. For example:

-3. Open Microsoft Word and create a file in the auto-quarantine source folder. Apply the **Highly confidential** sensitivity label; see [Apply sensitivity labels to your files and email in Office](https://support.microsoft.com/topic/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9).

-4. Copy the file you just created to your OneDrive synchronization folder. A user notification toast should appear telling you that the action is not allowed and that the file will be quarantined. For example, for user name *Isaiah Langer*, and a document titled *auto-quarantine doc 1.docx* you would see this message:

-5. Choose **Dismiss**.

-6. Open the place holder text file. It will be named **auto-quarantine doc 1.docx_*date_time*.txt**.

-7. Open the quarantine folder and confirm that the original file is there.

-8. Check Activity explorer for data from the monitored endpoints. Set the location filter for devices and add the policy, then filter by policy name to see the impact of this policy; see [Get started with activity explorer](data-classification-activity-explorer.md), if needed.

-9. Check Activity explorer for the event.

-2. Add the browsers that arenΓÇÖt allowed to access certain sensitive items when a DLP policy match occurs.

-3. Configure DLP policies to define the kinds of sensitive items for which upload should be restricted to these places by turning on **Upload to cloud services** and **Access from unallowed browser**.

-1. Create and scope a policy that is applied only to **Devices**. See, [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) for more information on how to create a policy.

-1. Select the user activities you want to monitor or restrict and the actions you DLP to take in response to those activities.

-1. Finish configuring the rule and policy and apply it.

-1. Create and scope a policy that is applied only to **Devices**. See, [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) for more information on how to create a policy.

-1. Scope the location to only **Devices**.

-10. Save.

-11. Accept the default **I'd like to test it out first** value and choose **Show policy tips while in test mode**. Choose **Next**.

-12. Review your settings and choose **Submit**.

-13. The new DLP policy will appear in the policy list.

-1. Find the **ServerAddress** field and record that value. You'll use this when you create a VPN entry in the VPN list.

-1. Find the **Name** field and record that value. The **Name** field maps to the **Network address** field when you create a VPN entry in the VPN list.

-1. Scope the location to only **Devices**.

-8. Save.

-

-For more information on incident reports or restricting access, see [Data loss prevention reference](data-loss-prevention-policies.md).

-|View device health report|Yes|Yes|No|No|No|No|

-6. Choose **Select**, then **Next**.

-7. Select **Save** to add the users to the role group. Select **Done** to complete the steps.

- > To maintain referential integrity for users who have insider risk alerts or cases in Microsoft 365 or other systems, anonymization of usernames isn't preserved for exported alerts when using the exporting API or when exporting to [Microsoft Purview eDiscovery solutions](/microsoft-365/compliance/ediscovery). Exported alerts will display usernames for each alert in this case. If you're exporting to CSV files from alerts or cases, anonymization *is* preserved.

-> To maintain referential integrity for users who have insider risk alerts or cases in Microsoft 365 or other systems, anonymization of usernames isn't preserved for exported alerts when using the exporting API or when exporting to [Microsoft Purview eDiscovery solutions](/microsoft-365/compliance/ediscovery). Exported alerts will display usernames for each alert in this case. If you're exporting to CSV files from alerts or cases, anonymization *is* preserved.

- b) To add a list of physical asset IDs from a .csv file, choose **Import priority physical assets**. From the file explorer dialog, select the CSV file you wish to import, then select **Open**. The physical asset IDs from the CSV files are added to the list.

-## Add users to a compliance role group

-Complete the following steps to add users to a compliance role group:

-1. Sign into the permissions area of the compliance portal using credentials for an admin account in your Microsoft 365 organization, and go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2173597" target="_blank">**Permissions**</a> to select the link to view and manage compliance roles in Microsoft 365.

-1. Expand the **Compliance center** section and select **Roles**.

-1. On the **Compliance center roles** page, select a compliance role group you want to add users to, then select **Edit role group** on the details pane.

-1. Select **Choose members** from the left navigation pane, then select **Edit**.

-1. Select **Add** and then select the checkbox for all users you want to add to the role group.

-1. Select **Add**, then select **Done**.

-1. Select **Save** to add the users to the role group. Select **Close** to complete the steps.

-## Remove users from a compliance role group

-Complete the following steps to remove users from a compliance role group:

-1. Expand the Compliance center section and select **Roles**.

-1. On the **Compliance center roles** page, select a compliance role group you want to remove users from, then select **Edit role group** on the details pane.

-1. Select **Choose members** from the left navigation pane, then select **Edit**.

-1. Select **Remove** and then select the checkbox for all users you want to remove from the role group.

-1. Select **Remove**, then select **Done**.

-1. Select **Save** to remove the users from the role group. Select **Close** to complete the steps.

-## Create a custom role group

-Complete the following steps to create a custom role group:

-1. Sign into the permissions area of the compliance portal using credentials for an admin account in your Microsoft 365 organization, and go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2173597" target="_blank">**Permissions**</a>.

-1. On the **Permissions & roles** page, select **Compliance center > Roles**.

-1. On the **Compliance center roles** page, select **Create**.

-1. On the **Name your role group** page, enter a name for the custom role group in the **Name** field. The name of the role group cannot be changed after creation of the role group. If needed, enter a description for the custom role group in the **Description** field. Select **Next** to continue.

-1. On the **Choose roles** page, select **Choose roles**.

-1. Select **Add**, then choose the roles to add to the custom role group. Select **Add** to add the role group, then select **Done**.

-1. Select **Next** to continue.

-1. On the **Choose members** page, select **Choose members**.

-1. Select **Add**, then choose the members to add to the custom role group. Select **Add** to add the members, then select **Done**.

-1. Select **Next** to continue.

-1. On the **Review your settings** page, review the details for the custom role group. If you need to edit the information, select **Edit** in the appropriate section. When all the settings are correct, select **Create role group** to create the custom role group or select **Cancel** to discard the changes and not create the custom role group.

-## Update a custom role group

-Complete the following steps to update a custom role group:

-1. On the **Permissions & roles** page, select **Compliance center > Roles**.

-1. On the **Compliance center roles** page and select the role group to update.

-1. On the details pane for the selected role group, select **Edit role group**.

-1. On the **Editing role group name** page, update the description for the custom role group in the **Description** field. The name of the custom role group cannot be changed.

-1. On the **Choose roles** page, select **Edit** to update the roles assigned to the role groups.

-1. Select **Add**, then choose the roles to add to the custom role group. Select **Add** to add the role group, then select **Done**.

-1. On the **Choose members** page, select **Edit**.

-1. Select **Add**, then choose the members to add to the custom role group. Select **Add** to add the members, then select **Done**.

-1. Select **Save** to save updated *Description*, *Role groups*, and *Members* values.

-1. On the details pane for the selected role group, select **Close**.

-## Delete a custom role group

-Complete the following steps to update a custom role group:

-1. On the **Permissions & roles** page, select **Compliance center > Roles**.

-1. On the **Compliance center roles** page and select the role group to update.

-1. On the details pane for the selected role group, select **Delete role group**.

-1. On the **Warning** dialog, select **Yes** to delete the role group or select **No** to cancel the deletion process.

-The account you use to create and edit data loss prevention (DLP) policies, must have the **DLP Compliance Management** role permissions. For more information, see [Add users to a compliance role group](microsoft-365-compliance-center-permissions.md#add-users-to-a-compliance-role-group).

-If you want to apply your DLP policy to content with specific Microsoft 365 labels, you should not follow the steps here. Instead, learn how to [Using a retention label as a condition in a DLP policy](data-loss-prevention-policies.md#using-a-retention-label-as-a-condition-in-a-dlp-policy).

-For more information, see [Using a retention label as a condition in a DLP policy](data-loss-prevention-policies.md#using-a-retention-label-as-a-condition-in-a-dlp-policy).

-> This feature is in preview and subject to change.

-The permissions required to set and change a default sensitivity label for a SharePoint library are inherited. As with the ability to change the library name and description, any SharePoint site member has this permission.

-You can use the [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite) and [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant) cmdlet with the *SensitivityLabel* parameter from the current [SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online) to apply a sensitivity label to many sites. The sites can be any SharePoint site collection, or a OneDrive site.

-|Manually apply, change, or remove label <br /> - [Calendar items](sensitivity-labels-meetings.md)| Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | Under review | Yes |

-To learn more about DLP permissions, see [Permissions](data-loss-prevention-policies.md#permissions).

-You must be a global admin, compliance administrator, or Exchange Online administrator to perform the tasks described in this article. To learn more about DLP permissions, see [Permissions](data-loss-prevention-policies.md#permissions).

-## August 2022

-### Compliance Manager

-### Compliance offerings & service assurance

-### Data lifecycle management and records management

-### Data loss prevention

-### Insider risk management

-### Microsoft Priva

-### Sensitive Information Types

- - [Get started with exact data match based sensitive information types](sit-get-started-exact-data-match-based-sits-overview.md)

- - [Create exact data match sensitive information type/rule package](sit-get-started-exact-data-match-create-rule-package.md)

- - [Create the schema for exact data match based sensitive information types](sit-get-started-exact-data-match-create-schema.md)

- - [Export source data for exact data match based sensitive information type](sit-get-started-exact-data-match-export-data.md)

- - [Hash and upload the sensitive information source table for exact data match sensitive information types](sit-get-started-exact-data-match-hash-upload.md)

- - [Test an exact data match sensitive information type](sit-get-started-exact-data-match-test.md)

- - [Learn about exact data match sensitive information types](sit-learn-about-exact-data-match-based-sits.md)

-### Sensitivity labels

-## July 2022

-### Compliance Manager

-### Compliance offerings & service assurance

-### Data lifecycle management and records management

-### Data Loss Prevention

-### eDiscovery

-### Sensitive information types

-### Sensitivity labels

-## June 2022

-### Compliance Manager

-### Data Loss Prevention

-### Data lifecycle management and records management

-### Microsoft Priva

- - [Learn about Priva Subject Rights Requests](/privacy/priva/subject-rights-requests) - clearer articulation of customer value prop and general outline of the SRR process.

- - [Understand the workflow and details pages](/privacy/priva/subject-rights-requests-workflow) - articulates the steps in completing a request, indicating manual vs. automatic progression, and linking off to detailed content; a section explains how to interpret and work with a request's details page, including the new "History" tab.

- - [Create a request and define search settings](/privacy/priva/subject-rights-requests-create) - new framing with subheads explaining there are now two ways to create a request: via a custom method using a guided process, and via the new feature of using a template, whose search parameters aim to retrieve the most relevant content for the situation.

- - [Data estimate and retrieval](/privacy/priva/subject-rights-requests-data-retrieval) - explains why some requests pause at the data estimate stage and how to adjust the search as a result; also explains how to set a request to pause first before automatically progressing to data retrieval.

- - [Review data for a subject rights request](/privacy/priva/subject-rights-requests-data-review) - new import file features allows users to bring files from non-Microsoft 365 locations, or files otherwise not picked up by the search, into the Data collected tab.

- - [Generate reports and close requests](/privacy/priva/subject-rights-requests-reports) - clarifies when final data packages are generated and what types of files they include.

- - [Integrate and extend through Microsoft Graph API and Power Automate](/privacy/priva/subject-rights-requests-automate) - revised the title of this previous Power Automate page and expanded page content to include Graph API content and reference links that previously lived on another page.

-### Sensitive Information Types

-### Sensitivity labels

-### Trainable Classifiers

-### Changes to product names

-You can control anonymous users' ability to join meetings at the organization level. If it'ss enabled for the organization, meeting organizers can control anonymous join through meeting policy settings.

-For information about configuring anonymous join for meetings, see [Manage meeting settings in Microsoft Teams](/microsoftteams/meeting-settings-in-teams).

-Data is stored is maintained within Exchange Online, SharePoint Online and Microsoft Teams. Migration processes are handled by the applicable/relevant workloads.

-## Week of December 26, 2022

-| Published On |Topic title | Change |

-|||--|

-| 12/28/2022 | [Working with improvement actions in Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-improvement-actions?view=o365-worldwide) | modified |

-| 12/28/2022 | [Get started with Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-setup?view=o365-worldwide) | modified |

-| 12/28/2022 | [Deploy and manage Removable Storage Access Control using Intune](/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-intune?view=o365-worldwide) | modified |

-| 12/29/2022 | [Manage submissions](/microsoft-365/security/office-365-security/submissions-admin?view=o365-worldwide) | modified |

- - **Configuration**, where you can apply attack surface reduction rules to devices

-| **Attack surface reduction rules** <br/>*(NEW!)* | The attack surface reduction rules report has three tabs: **Detections** (to show blocked or audited detections); **Configuration** (enabling you to implement standard protection rules quickly, by using a single toggle); and **Add exclusions** (enabling you to define exclusions, if needed). To access this report, in the navigation pane, choose **Reports** > **Endpoints** > Attack surface reduction rules**. <br/><br/>To learn more, see [Attack surface reduction capabilities in Microsoft Defender for Business](mdb-asr.md). |

-|Scan files on the network <p> **Scan** \> **Scan network files**|Disabled|`-DisableScanningNetworkFiles`|

- :::image type="content" source="images/config-windows-def-smartscr-explorer.png" alt-text="Configure windows defender smart screen Edge" lightbox="images/config-windows-def-smartscr-explorer.png":::

-10. [Schedule scans with Microsoft Defender for Endpoint on macOS](/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)

-11. [Deploy Microsoft Defender for Endpoint on macOS](#step-11-deploy-microsoft-defender-for-endpoint-on-macos)

- :::image type="content" source="images/onboarding-macos.png" alt-text="The Settings page of the Microsoft Defender Security Center" lightbox="images/onboarding-macos.png":::

- :::image type="content" source="images/plist-onboarding-file.png" alt-text="The Windows Defender ATP Onboarding file" lightbox="images/plist-onboarding-file.png":::

- :::image type="content" source="images/jamf-pro-configure-profile.png" alt-text="The page on which you create a new Jamf Pro dashboard" lightbox="images/jamf-pro-configure-profile.png":::

-3. Enter the following details:

- **General**:

- :::image type="content" source="images/jamfpro-mac-profile.png" alt-text="The configurate app and custom settings" lightbox="images/jamfpro-mac-profile.png":::

- :::image type="content" source="images/jamfpro-plist-upload.png" alt-text="The jamfpro plist upload file" lightbox="images/jamfpro-plist-upload.png":::

- :::image type="content" source="images/jamfpro-plist-file.png" alt-text="The upload file property List file" lightbox="images/jamfpro-plist-file.png":::

- :::image type="content" source="images/jamfpro-plist-file-onboard.png" alt-text="The onboarding file" lightbox="images/jamfpro-plist-file-onboard.png":::

- :::image type="content" source="images/jamfpro-upload-plist.png" alt-text="The uploading plist file" lightbox="images/jamfpro-upload-plist.png":::

- :::image type="content" source="images/jamfpro-scope-tab.png" alt-text="The Scope tab" lightbox="images/jamfpro-scope-tab.png":::

- :::image type="content" source="images/jamfpro-target-computer.png" alt-text="The target computers" lightbox="images/jamfpro-target-computer.png":::

- :::image type="content" source="images/jamfpro-targets.png" alt-text="The targets" lightbox="images/jamfpro-targets.png":::

- :::image type="content" source="images/jamfpro-deployment-target.png" alt-text="The deployment of target computers" lightbox="images/jamfpro-deployment-target.png":::

- :::image type="content" source="images/jamfpro-target-selected.png" alt-text="The selection of target computers" lightbox="images/jamfpro-target-selected.png":::

- :::image type="content" source="images/jamfpro-target-group.png" alt-text="The computers of a target group" lightbox="images/jamfpro-target-group.png":::

- :::image type="content" source="images/jamfpro-configuration-policies.png" alt-text="The list of configuration profiles" lightbox="images/jamfpro-configuration-policies.png":::

- :::image type="content" source="images/644e0f3af40c29e80ca1443535b2fe32.png" alt-text="A new profile" lightbox="images/644e0f3af40c29e80ca1443535b2fe32.png":::

- :::image type="content" source="images/4137189bc3204bb09eed3aabc41afd78.png" alt-text="Add custom schema" lightbox="images/4137189bc3204bb09eed3aabc41afd78.png":::

-4. Enter `com.microsoft.wdav` as the Preference Domain, click on **Add Schema** and **Upload** the schema.json file downloaded on Step 1. Click **Save**.

- :::image type="content" source="images/a6f9f556037c42fabcfdcb1b697244cf.png" alt-text="Upload schema" lightbox="images/a6f9f556037c42fabcfdcb1b697244cf.png":::

- :::image type="content" source="images/817b3b760d11467abe9bdd519513f54f.png" alt-text="The chosen managed settings" lightbox="images/817b3b760d11467abe9bdd519513f54f.png":::

- :::image type="content" source="images/a14a79efd5c041bb8974cb5b12b3a9b6.png" alt-text="The page on which you change the settings values" lightbox="images/a14a79efd5c041bb8974cb5b12b3a9b6.png":::

- :::image type="content" source="images/9fc17529e5577eefd773c658ec576a7d.png" alt-text="The Configuration profile scope" lightbox="images/9fc17529e5577eefd773c658ec576a7d.png":::

- :::image type="content" source="images/cf30438b5512ac89af1d11cbf35219a6.png" alt-text="The page on which you can add the Configuration settings" lightbox="images/cf30438b5512ac89af1d11cbf35219a6.png":::

- :::image type="content" source="images/6f093e42856753a3955cab7ee14f12d9.png" alt-text="The page on which you can save the Configuration settings" lightbox="images/6f093e42856753a3955cab7ee14f12d9.png":::

- :::image type="content" source="images/dd55405106da0dfc2f50f8d4525b01c8.png" alt-text="The page on which you complete the Configuration settings" lightbox="images/dd55405106da0dfc2f50f8d4525b01c8.png":::

- :::image type="content" source="images/644e0f3af40c29e80ca1443535b2fe32.png" alt-text="The page displaying a new profile" lightbox="images/644e0f3af40c29e80ca1443535b2fe32.png":::

-4. Enter the following details:

- **General**

- - Distribution Method: Install Automatically(default)

- - Level: Computer Level(default)

- :::image type="content" source="images/3160906404bc5a2edf84d1d015894e3b.png" alt-text="The MDATP MDAV configuration settings" lightbox="images/3160906404bc5a2edf84d1d015894e3b.png":::

-5. In **Application & Custom Settings** select **Configure**.

- :::image type="content" source="images/e1cc1e48ec9d5d688087b4d771e668d2.png" alt-text="The application and custom settings" lightbox="images/e1cc1e48ec9d5d688087b4d771e668d2.png":::

- :::image type="content" source="images/6f85269276b2278eca4bce84f935f87b.png" alt-text="The configuration settings plist file" lightbox="images/6f85269276b2278eca4bce84f935f87b.png":::

- :::image type="content" source="images/db15f147dd959e872a044184711d7d46.png" alt-text="The configuration settings preferences domain" lightbox="images/db15f147dd959e872a044184711d7d46.png":::

- :::image type="content" source="images/526e978761fc571cca06907da7b01fd6.png" alt-text="The prompt to choose the plist file" lightbox="images/526e978761fc571cca06907da7b01fd6.png":::

- :::image type="content" source="images/98acea3750113b8dbab334296e833003.png" alt-text="The mdatpmdav configuration settings" lightbox="images/98acea3750113b8dbab334296e833003.png":::

- :::image type="content" source="images/0adb21c13206861ba9b30a879ade93d3.png" alt-text="The configuration setting upload" lightbox="images/0adb21c13206861ba9b30a879ade93d3.png":::

- :::image type="content" source="images/f624de59b3cc86e3e2d32ae5de093e02.png" alt-text="The prompt to upload the image related to the configuration settings" lightbox="images/f624de59b3cc86e3e2d32ae5de093e02.png":::

- > :::image type="content" source="images/8e69f867664668796a3b2904896f0436.png" alt-text="The prompt to upload the intune file related to the configuration settings" lightbox="images/8e69f867664668796a3b2904896f0436.png":::

- :::image type="content" source="images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png" alt-text="The option to save the image related to the configuration settings" lightbox="images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png":::

- :::image type="content" source="images/33e2b2a1611fdddf6b5b79e54496e3bb.png" alt-text="The uploaded file related to the configuration settings" lightbox="images/33e2b2a1611fdddf6b5b79e54496e3bb.png":::

- :::image type="content" source="images/a422e57fe8d45689227e784443e51bd1.png" alt-text="The configuration settings page" lightbox="images/a422e57fe8d45689227e784443e51bd1.png":::

- :::image type="content" source="images/9fc17529e5577eefd773c658ec576a7d.png" alt-text="The scope for the configuration settings" lightbox="images/9fc17529e5577eefd773c658ec576a7d.png":::

- :::image type="content" source="images/cf30438b5512ac89af1d11cbf35219a6.png" alt-text="The configuration settings addsav" lightbox="images/cf30438b5512ac89af1d11cbf35219a6.png":::

- :::image type="content" source="images/6f093e42856753a3955cab7ee14f12d9.png" alt-text="The notification of configuration settings" lightbox="images/6f093e42856753a3955cab7ee14f12d9.png":::

- :::image type="content" source="images/dd55405106da0dfc2f50f8d4525b01c8.png" alt-text="The config profile's settings" lightbox="images/dd55405106da0dfc2f50f8d4525b01c8.png":::

-2. Click **New**, and enter the following details for **Options**:

- - Tab **General**:

- - **Name**: MDATP MDAV Notification settings

- - **Description**: macOS 11 (Big Sur) or later

- - **Category**: None *(default)*

- - **Distribution Method**: Install Automatically *(default)*

- - **Level**: Computer Level *(default)*

- :::image type="content" source="images/c9820a5ff84aaf21635c04a23a97ca93.png" alt-text="The new macOS configuration profile page" lightbox="images/c9820a5ff84aaf21635c04a23a97ca93.png":::

- :::image type="content" source="images/7f9138053dbcbf928e5182ee7b295ebe.png" alt-text="The configuration settings mdatpmdav notifications tray" lightbox="images/7f9138053dbcbf928e5182ee7b295ebe.png":::

- :::image type="content" source="images/4bac6ce277aedfb4a674f2d9fcb2599a.png" alt-text="The configuration settings mdatpmdav notifications mau" lightbox="images/4bac6ce277aedfb4a674f2d9fcb2599a.png":::

- :::image type="content" source="images/441aa2ecd36abadcdd8aed03556080b5.png" alt-text="The page on which you can add values for the configuration settings" lightbox="images/441aa2ecd36abadcdd8aed03556080b5.png":::

- :::image type="content" source="images/09a275e321268e5e3ac0c0865d3e2db5.png" alt-text="The page on which you can save values for the configuration settings contoso machine group" lightbox="images/09a275e321268e5e3ac0c0865d3e2db5.png":::

- :::image type="content" source="images/4d2d1d4ee13d3f840f425924c3df0d51.png" alt-text="The page that displays the completion notification of the configuration settings" lightbox="images/4d2d1d4ee13d3f840f425924c3df0d51.png":::

- :::image type="content" source="images/633ad26b8bf24ec683c98b2feb884bdf.png" alt-text="The completed configuration settings" lightbox="images/633ad26b8bf24ec683c98b2feb884bdf.png":::

- :::image type="content" source="images/eaba2a23dd34f73bf59e826217ba6f15.png" alt-text="The configuration settings" lightbox="images/eaba2a23dd34f73bf59e826217ba6f15.png":::

-4. Enter the following details:

- **General**

- :::image type="content" source="images/1f72e9c15eaafcabf1504397e99be311.png" alt-text="The configuration setting application and custom settings" lightbox="images/1f72e9c15eaafcabf1504397e99be311.png":::

- :::image type="content" source="images/1213872db5833aa8be535da57653219f.png" alt-text="The configuration setting preference domain" lightbox="images/1213872db5833aa8be535da57653219f.png":::

- :::image type="content" source="images/335aff58950ce62d1dabc289ecdce9ed.png" alt-text="The prompt to choose the file regarding configuration setting" lightbox="images/335aff58950ce62d1dabc289ecdce9ed.png":::

- :::image type="content" source="images/a26bd4967cd54bb113a2c8d32894c3de.png" alt-text="The mdatpmdavmau settings" lightbox="images/a26bd4967cd54bb113a2c8d32894c3de.png":::

- :::image type="content" source="images/4239ca0528efb0734e4ca0b490bfb22d.png" alt-text="The upload of the file regarding configuration setting" lightbox="images/4239ca0528efb0734e4ca0b490bfb22d.png":::

- :::image type="content" source="images/4ec20e72c8aed9a4c16912e01692436a.png" alt-text="The page displaying the upload option for the file regarding configuration setting" lightbox="images/4ec20e72c8aed9a4c16912e01692436a.png":::

- :::image type="content" source="images/253274b33e74f3f5b8d475cf8692ce4e.png" alt-text="The page displaying the save option for the file regarding configuration setting" lightbox="images/253274b33e74f3f5b8d475cf8692ce4e.png":::

- :::image type="content" source="images/10ab98358b2d602f3f67618735fa82fb.png" alt-text="The Scope tab for the configuration settings" lightbox="images/10ab98358b2d602f3f67618735fa82fb.png":::

- :::image type="content" source="images/56e6f6259b9ce3c1706ed8d666ae4947.png" alt-text="The option to add deployment targets" lightbox="images/56e6f6259b9ce3c1706ed8d666ae4947.png":::

- :::image type="content" source="images/38c67ee1905c4747c3b26c8eba57726b.png" alt-text="The page on which you add more values to the configuration settings" lightbox="images/38c67ee1905c4747c3b26c8eba57726b.png":::

- :::image type="content" source="images/321ba245f14743c1d5d51c15e99deecc.png" alt-text="The page on which you can add more values to the configuration settings" lightbox="images/321ba245f14743c1d5d51c15e99deecc.png":::

- :::image type="content" source="images/ba44cdb77e4781aa8b940fb83e3c21f7.png" alt-text="The completion notification regarding the configuration settings" lightbox="images/ba44cdb77e4781aa8b940fb83e3c21f7.png":::

- :::image type="content" source="images/264493cd01e62c7085659d6fdc26dc91.png" alt-text="The profile for which settings are to be configured" lightbox="images/264493cd01e62c7085659d6fdc26dc91.png":::

-3. Enter the following details:

- **General**

- :::image type="content" source="images/ba3d40399e1a6d09214ecbb2b341923f.png" alt-text="The configuration setting in general" lightbox="images/ba3d40399e1a6d09214ecbb2b341923f.png":::

- :::image type="content" source="images/715ae7ec8d6a262c489f94d14e1e51bb.png" alt-text="The configuration privacy policy control" lightbox="images/715ae7ec8d6a262c489f94d14e1e51bb.png":::

- :::image type="content" source="images/22cb439de958101c0a12f3038f905b27.png" alt-text="The configuration setting privacy preference policy control details" lightbox="images/22cb439de958101c0a12f3038f905b27.png":::

- :::image type="content" source="images/bd93e78b74c2660a0541af4690dd9485.png" alt-text="The configuration setting add system policy all files option" lightbox="images/bd93e78b74c2660a0541af4690dd9485.png":::

- :::image type="content" source="images/6de50b4a897408ddc6ded56a09c09fe2.png" alt-text="The save operation for the configuration setting" lightbox="images/6de50b4a897408ddc6ded56a09c09fe2.png":::

- :::image type="content" source="images/tcc-add-entry.png" alt-text="The save operation relating to the configuration setting" lightbox="images/tcc-add-entry.png":::

- :::image type="content" source="images/tcc-epsext-entry.png" alt-text="The configuration setting tcc epsext entry" lightbox="images/tcc-epsext-entry.png":::

- :::image type="content" source="images/tcc-epsext-entry2.png" alt-text="The other instance of configuration setting tcc epsext" lightbox="images/tcc-epsext-entry2.png":::

- :::image type="content" source="images/2c49b16cd112729b3719724f581e6882.png" alt-text="The page depicting the scope for the configuration setting" lightbox="images/2c49b16cd112729b3719724f581e6882.png":::

- :::image type="content" source="images/57cef926d1b9260fb74a5f460cee887a.png" alt-text="The page depicting the configuration setting" lightbox="images/57cef926d1b9260fb74a5f460cee887a.png":::

- :::image type="content" source="images/368d35b3d6179af92ffdbfd93b226b69.png" alt-text="The configuration setting contoso machine group" lightbox="images/368d35b3d6179af92ffdbfd93b226b69.png":::

- :::image type="content" source="images/809cef630281b64b8f07f20913b0039b.png" alt-text="The configuration setting contoso machine-group" lightbox="images/809cef630281b64b8f07f20913b0039b.png":::

- :::image type="content" source="images/6c8b406ee224335a8c65d06953dc756e.png" alt-text="The configuration setting illustration" lightbox="images/6c8b406ee224335a8c65d06953dc756e.png":::

- :::image type="content" source="images/6c8b406ee224335a8c65d06953dc756e.png" alt-text="The social media post Description automatically generated" lightbox="images/6c8b406ee224335a8c65d06953dc756e.png":::

-2. Enter the following details:

- **General**

- :::image type="content" source="images/24e290f5fc309932cf41f3a280d22c14.png" alt-text="The configuration settings mdatpmdav kernel" lightbox="images/24e290f5fc309932cf41f3a280d22c14.png":::

- :::image type="content" source="images/30be88b63abc5e8dde11b73f1b1ade6a.png" alt-text="The page displaying the configuration settings approved kernel extensions" lightbox="images/30be88b63abc5e8dde11b73f1b1ade6a.png":::

-4. In **Approved Kernel Extensions** Enter the following details:

- :::image type="content" source="images/39cf120d3ac3652292d8d1b6d057bd60.png" alt-text="The Approved Kernel Extensions pane" lightbox="images/39cf120d3ac3652292d8d1b6d057bd60.png":::

- :::image type="content" source="images/0df36fc308ba569db204ee32db3fb40a.png" alt-text="The Scope tab for the configuration" lightbox="images/0df36fc308ba569db204ee32db3fb40a.png":::

- :::image type="content" source="images/0dde8a4c41110dbc398c485433a81359.png" alt-text="The page on which you define additional values for the configuration settings" lightbox="images/0dde8a4c41110dbc398c485433a81359.png":::

- :::image type="content" source="images/0add8019b85a453b47fa5c402c72761b.png" alt-text="The MDATP MDAV Kernel extension" lightbox="images/0add8019b85a453b47fa5c402c72761b.png":::

- :::image type="content" source="images/1c9bd3f68db20b80193dac18f33c22d0.png" alt-text="The Configuration Profiles details page" lightbox="images/1c9bd3f68db20b80193dac18f33c22d0.png":::

- :::image type="content" source="images/6c8b406ee224335a8c65d06953dc756e.png" alt-text="The automatically generated social media post's description" lightbox="images/6c8b406ee224335a8c65d06953dc756e.png":::

-2. Enter the following details:

- **General**

- :::image type="content" source="images/sysext-new-profile.png" alt-text="The configuration settings sysext new profile" lightbox="images/sysext-new-profile.png":::

- :::image type="content" source="images/sysext-configure.png" alt-text="The pane with the Configure option for the system extensions" lightbox="images/sysext-configure.png":::

-4. In **System Extensions** enter the following details:

- :::image type="content" source="images/sysext-configure2.png" alt-text="The MDATP MDAV system extensions pane" lightbox="images/sysext-configure2.png":::

- :::image type="content" source="images/0df36fc308ba569db204ee32db3fb40a.png" alt-text="The Target Computers selection pane" lightbox="images/0df36fc308ba569db204ee32db3fb40a.png":::

- :::image type="content" source="images/0dde8a4c41110dbc398c485433a81359.png" alt-text="The New macOS Configuration Profile pane" lightbox="images/0dde8a4c41110dbc398c485433a81359.png":::

- :::image type="content" source="images/sysext-scope.png" alt-text="The display of options regarding MDATP MDAV System Extensions" lightbox="images/sysext-scope.png":::

- :::image type="content" source="images/sysext-final.png" alt-text="The configuration settings sysext - final" lightbox="images/sysext-final.png":::

- :::image type="content" source="images/netext-create-profile.png" alt-text="The mdatpmdav configuration setting" lightbox="images/netext-create-profile.png":::

- :::image type="content" source="images/0df36fc308ba569db204ee32db3fb40a.png" alt-text="The configuration settings sco tab" lightbox="images/0df36fc308ba569db204ee32db3fb40a.png":::

- :::image type="content" source="images/0dde8a4c41110dbc398c485433a81359.png" alt-text="The configuration settings adim" lightbox="images/0dde8a4c41110dbc398c485433a81359.png":::

- :::image type="content" source="images/netext-scope.png" alt-text="The Content Filter pane" lightbox="images/netext-scope.png":::

- :::image type="content" source="images/netext-final.png" alt-text="The configuration settings netext - final" lightbox="images/netext-final.png":::

-## Step 10: Schedule scans with Microsoft Defender for Endpoint on macOS

-## Step 11: Deploy Microsoft Defender for Endpoint on macOS

- :::image type="content" source="images/8dde76b5463047423f8637c86b05c29d.png" alt-text="The file explorer wdav package" lightbox="images/8dde76b5463047423f8637c86b05c29d.png":::

- :::image type="content" source="images/fb2220fed3a530f4b3ef36f600da0c27.png" alt-text="The file explorer1 wdavmdm package" lightbox="images/fb2220fed3a530f4b3ef36f600da0c27.png":::

- :::image type="content" source="images/990742cd9a15ca9fdd37c9f695d1b9f4.png" alt-text="The configuration settings for jamfpro" lightbox="images/990742cd9a15ca9fdd37c9f695d1b9f4.png":::

- :::image type="content" source="images/b6d671b2f18b89d96c1c8e2ea1991242.png" alt-text="The configuration settings - computer management" lightbox="images/b6d671b2f18b89d96c1c8e2ea1991242.png":::

- :::image type="content" source="images/57aa4d21e2ccc65466bf284701d4e961.png" alt-text="The bird Description for an automatically generated package" lightbox="images/57aa4d21e2ccc65466bf284701d4e961.png":::

-6. In **New Package** Enter the following details:

- **General tab**

- :::image type="content" source="images/21de3658bf58b1b767a17358a3f06341.png" alt-text="The General tab for configuration settings" lightbox="images/21de3658bf58b1b767a17358a3f06341.png":::

- :::image type="content" source="images/1aa5aaa0a387f4e16ce55b66facc77d1.png" alt-text="The computer screen displaying the description for an automatically generated package" lightbox="images/1aa5aaa0a387f4e16ce55b66facc77d1.png":::

- :::image type="content" source="images/56dac54634d13b2d3948ab50e8d3ef21.png" alt-text="The limitation tab for the configuration settings" lightbox="images/56dac54634d13b2d3948ab50e8d3ef21.png":::

- :::image type="content" source="images/33f1ecdc7d4872555418bbc3efe4b7a3.png" alt-text="The configuration settings pack uploading process for the package related to the configuration settings" lightbox="images/33f1ecdc7d4872555418bbc3efe4b7a3.png":::

- :::image type="content" source="images/1626d138e6309c6e87bfaab64f5ccf7b.png" alt-text="An instance of uploading the package for configuration settings" lightbox="images/1626d138e6309c6e87bfaab64f5ccf7b.png":::

- :::image type="content" source="images/f878f8efa5ebc92d069f4b8f79f62c7f.png" alt-text="The configuration settings policies" lightbox="images/f878f8efa5ebc92d069f4b8f79f62c7f.png":::

- :::image type="content" source="images/847b70e54ed04787e415f5180414b310.png" alt-text="The configuration settings new policy" lightbox="images/847b70e54ed04787e415f5180414b310.png":::

-11. In **General** Enter the following details:

- - Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later

- :::image type="content" source="images/625ba6d19e8597f05e4907298a454d28.png" alt-text="The configuration settings - MDATP onboard" lightbox="images/625ba6d19e8597f05e4907298a454d28.png":::

- :::image type="content" source="images/68bdbc5754dfc80aa1a024dde0fce7b0.png" alt-text="The recurring check-in for the configuration settings" lightbox="images/68bdbc5754dfc80aa1a024dde0fce7b0.png":::

- :::image type="content" source="images/8fb4cc03721e1efb4a15867d5241ebfb.png" alt-text="The option to configure packages" lightbox="images/8fb4cc03721e1efb4a15867d5241ebfb.png":::

- :::image type="content" source="images/526b83fbdbb31265b3d0c1e5fbbdc33a.png" alt-text="The option to add more settings to MDATP MDA" lightbox="images/526b83fbdbb31265b3d0c1e5fbbdc33a.png":::

- :::image type="content" source="images/9d6e5386e652e00715ff348af72671c6.png" alt-text="The save option for the configuration settings" lightbox="images/9d6e5386e652e00715ff348af72671c6.png":::

-17. Select the **Scope** tab.

- :::image type="content" source="images/8d80fe378a31143db9be0bacf7ddc5a3.png" alt-text="The Scope tab related to the configuration settings" lightbox="images/8d80fe378a31143db9be0bacf7ddc5a3.png":::

-18. Select the target computers.

- :::image type="content" source="images/6eda18a64a660fa149575454e54e7156.png" alt-text="The option to add computer groups" lightbox="images/6eda18a64a660fa149575454e54e7156.png":::

- **Scope**

- Select **Add**.

- :::image type="content" source="images/1c08d097829863778d562c10c5f92b67.png" alt-text="The configuration settings - ad1" lightbox="images/1c08d097829863778d562c10c5f92b67.png":::

- :::image type="content" source="images/216253cbfb6ae738b9f13496b9c799fd.png" alt-text="The configuration settings - ad2" lightbox="images/216253cbfb6ae738b9f13496b9c799fd.png":::

- **Self-Service**

- :::image type="content" source="images/c9f85bba3e96d627fe00fc5a8363b83a.png" alt-text="The Self Service tab for configuration settings" lightbox="images/c9f85bba3e96d627fe00fc5a8363b83a.png":::

-19. Select **Done**.

- :::image type="content" source="images/99679a7835b0d27d0a222bc3fdaf7f3b.png" alt-text="The Contoso onboarding status with an option to complete it" lightbox="images/99679a7835b0d27d0a222bc3fdaf7f3b.png":::

- :::image type="content" source="images/632aaab79ae18d0d2b8e0c16b6ba39e2.png" alt-text="The policies page" lightbox="images/632aaab79ae18d0d2b8e0c16b6ba39e2.png":::

-> JAMF supports so called Smart Computer Groups, that allow deployoing e.g. configuration profiles to all machines matching certain criteria evaluated dynamically.

-Checking for the license state and whether it got properly provisioned, can be done through the admin center or through the **Microsoft Azure portal**.

-By default, users can invite people outside the organization as guests. This includes inviting them to teams in Microsoft Team, SharePoint sites, and sharing individual files and folders with them.

-If you only want your users to invite guests from specific organizations, you can specify these organizations in the Azure Active Directory cross-tenant access settings for [B2B collaboration](/azure/active-directory/external-identities/what-is-b2b).

-The first step in limiting guest sharing is to change the default settings in the Azure AD cross-tenant access settings to block inviting guests by default. Then you can allow guest invitations for specific organizations. Note that this will block access for existing guests whose domains are not specifically allowed.

-Because inviting guests is enabled by default, limiting guest invitations to certain organizations requires blocking inbound B2B collaboration by default.

-### Add the organization where you want to allow guest invitations

-Next, add the organizations where you want to allow your users to invite guests to the Azure AD cross-tenant access list.

-Once you have added the organization, you need to update the organization's inbound settings to allow B2B collaboration users to be invited as guests. Do this for each organization where you want to allow your users to be able to invite guests.

-1. In Azure Active Directory, on the Overview page, click **Organizational relationships**.

-2. Click **Settings**.

-3. Under **Collaboration restrictions**, select **Deny invitations to the specified domains** or **Allow invitations only to the specified domains**, and then type the domains that you want to use.

-4. Click **Save**.