Updates from: 02/08/2024 06:20:43
Category Microsoft Docs article Related commit history on GitHub Change details
manage-public-web-access Manage Public Web Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/manage-public-web-access.md
For Search admins and Global admins:
3. Select Change.
-4. Unselect the checkbox for **Allow Copilot to reference public web content**.
+4. Unselect the checkbox for **Allow Copilot to improve responses with web content**.
5. Select Save. - :::image type="content" source="media/allow-copilot-web-content.png" alt-text="Screenshot showing the option to allow Copilot to access web content."::: For Global admins only:
For Global admins only:
1. In the admin center, go to **Settings** > **Org settings**. 2. On the Copilot page, select **Improved responses with web content in Copilot for Microsoft 365**. 3. Select **Change**.
-4. Unselect the checkbox for **Allow Copilot to reference web content**.
+4. Unselect the checkbox for **Allow Copilot to improve responses with web content**.
5. Select **Save**. + All admin setting updates may take up to 24 hours to reflect any changes. >[!NOTE]
microsoft-365-copilot-overview Microsoft 365 Copilot Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-overview.md
To learn more, see [Semantic Index for Copilot](/MicrosoftSearch/semantic-index-
## Availability
-Copilot for Microsoft 365 is an add-on plan with the following licensing prerequisites:
+Copilot for Microsoft 365 is available as an add-on plan with one of the following licensing prerequisites:
- Microsoft 365 E5 - Microsoft 365 E3
microsoft-365-copilot-page Microsoft 365 Copilot Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-page.md
Microsoft Copilot for Microsoft 365 is powered by an advanced processing and orc
This control navigates you to the Integrated App settings to control how non-Microsoft apps and first party apps can work with Microsoft Copilot for Microsoft 365.
-### Public web content access
+### Improved responses with web content in Copilot for Microsoft 365
-This control allows you to enable or disable CopilotΓÇÖs ability to access the public web to get the latest information available when responding to prompts. Note that this is a separate control from Copilot with commercial data protection. Learn more about [how to Manage access to public web content in Microsoft Copilot for Microsoft 365 responses](manage-public-web-access.md).
+This control allows you to enable or disable CopilotΓÇÖs ability to access the public web to get the latest information available when responding to prompts. Note that this is a separate control from Copilot with commercial data protection. Learn more about [how to Manage access to web content in Copilot for Microsoft 365 responses](manage-public-web-access.md).
### Data Security and Compliance
microsoft-365-copilot-requirements Microsoft 365 Copilot Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-requirements.md
To use Microsoft Copilot for Microsoft 365 with Microsoft Whiteboard, you must h
## License requirements
-Copilot for Microsoft 365 is an add-on plan with the following licensing prerequisites:
+Copilot for Microsoft 365 is available as an add-on plan with one of the following licensing prerequisites:
- Microsoft 365 E5 - Microsoft 365 E3
You can use the [Microsoft Copilot for Microsoft 365 setup guide](https://admin.
## Update channels
-Microsoft Copilot for Microsoft 365 will follow Microsoft 365 Apps' standard practice for deployment and updates, being available in all update channels, except for Semi-annual channel. Preview channels include Insiders, Current Channel - Preview and Beta Channel. Production channels include Current Channel and then Monthly Enterprise Channel.
+Microsoft Copilot for Microsoft 365 will follow the standard practice of deployment and updates for Microsoft 365 Apps, being available in all update channels, except for Semi-Annual Enterprise Channel. Preview channels (also known as Microsoft 365 Insider) include Current Channel (Preview) and Beta Channel. Production channels include Current Channel and Monthly Enterprise Channel.
-Copilot is available in Current Channel, and starting December 12, on Monthly Enterprise Channel. As always, preview channels are a great option to validate the product before rolling out to the rest of organization. To learn more, see To learn more, see [Overview of update channels](/deployoffice/updates/overview-update-channels), and the [Microsoft 365 Insider channels](/deployoffice/insider/compare-channels).
+Copilot is available in Current Channel and in Monthly Enterprise Channel. As always, preview channels are a great option to validate the product before rolling out to the rest of organization. To learn more, see [Overview of update channels](/deployoffice/updates/overview-update-channels) and [Microsoft 365 Insider channels](/deployoffice/insider/compare-channels).
## Network requirements
microsoft-365-copilot-setup Microsoft 365 Copilot Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-setup.md
To get started with the implementation process, see [Deployment guide for Micros
- **Microsoft Whiteboard** To use Copilot for Microsoft 365 with Microsoft Whiteboard, you must have Whiteboard enabled for your tenant. To learn more about Microsoft Whiteboard, see [Manage access to Microsoft Whiteboard for your organization](/microsoft-365/whiteboard/manage-whiteboard-access-organizations). >[!IMPORTANT]
-> Microsoft Copilot for Microsoft 365 will follow Microsoft 365 Apps' standard practice for deployment and updates, being available in all update channels, except for Semi-annual channel. Preview channels include Insiders, Current Channel - Preview and Beta Channel. Production channels include Current Channel and then Monthly Enterprise Channel.
+> Microsoft Copilot for Microsoft 365 will follow the standard practice of deployment and updates for Microsoft 365 Apps, being available in all update channels, except for Semi-Annual Enterprise Channel. Preview channels (also known as Microsoft 365 Insider) include Current Channel (Preview) and Beta Channel. Production channels include Current Channel and Monthly Enterprise Channel.
>
-> Copilot is available in Current Channel, and starting December 12, on Monthly Enterprise Channel. As always, preview channels are a great option to validate the product before rolling out to the rest of organization. To learn more, see [Overview of update channels](/deployoffice/updates/overview-update-channels), and the [Microsoft 365 Insider channels](/deployoffice/insider/compare-channels).
+> Copilot is available in Current Channel and in Monthly Enterprise Channel. As always, preview channels are a great option to validate the product before rolling out to the rest of organization. To learn more, see [Overview of update channels](/deployoffice/updates/overview-update-channels) and [Microsoft 365 Insider channels](/deployoffice/insider/compare-channels).
## Manage licenses for Copilot
You can also assign licenses in bulk to [groups of users through the Azure admin
Microsoft Copilot for Microsoft 365 ensures data security and privacy by adhering to existing obligations and integrating with your organization's policies. It utilizes your Microsoft Graph content with the same access controls as other Microsoft 365 services. To learn more about privacy with Microsoft Copilot for Microsoft 365, see [Data, Privacy, and Security for Microsoft Copilot for Microsoft 365](microsoft-365-copilot-privacy.md).
-### Privacy settings for Microsoft 365 Apps for enterprise
+### Privacy settings for Microsoft 365 Apps
-Review your privacy settings for Microsoft 365 Apps for enterprise because those settings might have an effect on the availability of Microsoft Copilot for Microsoft 365 features. For more information, see [Microsoft Copilot for Microsoft 365 and policy settings for connected experiences](microsoft-365-copilot-privacy.md#microsoft-copilot-for-microsoft-365-and-policy-settings-for-connected-experiences).
+Review your privacy settings for Microsoft 365 Apps because those settings might have an effect on the availability of Microsoft Copilot for Microsoft 365 features. For more information, see [Microsoft Copilot for Microsoft 365 and policy settings for connected experiences](microsoft-365-copilot-privacy.md#microsoft-copilot-for-microsoft-365-and-policy-settings-for-connected-experiences).
## More resources
admin Microsoft 365 Copilot Usage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-365-copilot-usage.md
You can see the following summary charts in this report as default view:
The definitions for Enabled Users and Active Users metrics are the same as provided earlier. >[!NOTE]
-> Teams Copilot usage does not include Microsoft 365 Chat usage, but Microsoft 365 Chat usage will be displayed in Copilot for Microsoft 365 usage soon.
+> Teams Copilot usage does not include Microsoft Copilot with Graph-grounded chat usage, but it will be displayed in Copilot for Microsoft 365 usage soon.
**Current view** shows you the total usage of Copilot for Microsoft 365 among Microsoft 365 apps of the time frame.
enterprise Configure Exchange Server For Hybrid Modern Authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication.md
Title: "How to configure Exchange Server on-premises to use Hybrid Modern Authen
Previously updated : 12/19/2023 Last updated : 02/01/2024 audience: ITPro
description: Learn how to configure an Exchange Server on-premises to use Hybrid
- seo-marvel-apr2020 - has-azure-ad-ps-ref
+ - azure-ad-ref-level-one-done
# How to configure Exchange Server on-premises to use Hybrid Modern Authentication
Run the commands that assign your on-premises web service URLs as Microsoft Entr
Ensure the URLs clients might connect to are listed as HTTPS service principal names in Microsoft Entra ID. In case EXCH is in hybrid with **multiple tenants**, these HTTPS SPNs should be added in the Microsoft Entra ID of all the tenants in hybrid with EXCH.
-2. Next, connect to Microsoft Entra ID with [these instructions](connect-to-microsoft-365-powershell.md).
+2. Next, connect to Microsoft Entra ID with [these instructions](connect-to-microsoft-365-powershell.md). To consent to the required permissions, run the following command:
- > [!NOTE]
- > You need to use the _Connect-MsolService_ option from this page to be able to use the following command.
+ ```powershell
+ Connect-MgGraph -Scopes Application.Read.All, Application.ReadWrite.All.
+ ```
3. For your Exchange-related URLs, type the following command: ```powershell
- Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 | select -ExpandProperty ServicePrincipalNames
+ Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'" | select -ExpandProperty ServicePrincipalNames
``` Take note of (and screenshot for later comparison) the output of this command, which should include an `https://*autodiscover.yourdomain.com*` and `https://*mail.yourdomain.com*` URL, but mostly consist of SPNs that begin with `00000002-0000-0ff1-ce00-000000000000/`. If there are `https://` URLs from your on-premises that are missing, those specific records should be added to this list.
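Review bot: The added `Connect-MgGraph -Scopes Application.Read.All, Application.ReadWrite.All.` line in step 2 ends with a period inside the code block, so the second scope is passed as `Application.ReadWrite.All.` and will not match a permission name; drop the trailing period. Requesting `Application.Read.All` together with `Application.ReadWrite.All` also looks redundant. Since step 3 only reads the service principal, consider asking for the read scope here and the write scope only where step 4 needs it, so the consent prompt stays least-privilege.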
Run the commands that assign your on-premises web service URLs as Microsoft Entr
4. If you don't see your internal and external MAPI/HTTP, EWS, ActiveSync, OAB, and Autodiscover records in this list, you must add them using the following command (the example URLs are `mail.corp.contoso.com` and `owa.contoso.com`, but you should replace the example URLs with your own): ```powershell
- $x= Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000
- $x.ServicePrincipalnames.Add("https://mail.corp.contoso.com/")
- $x.ServicePrincipalnames.Add("https://owa.contoso.com/")
- Set-MSOLServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $x.ServicePrincipalNames
+ $x= Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'"
+ $ServicePrincipalUpdate =@(
+ "https://mail.corp.contoso.com/","https://owa.contoso.com/"
+ )
+ Update-MgServicePrincipal -ServicePrincipalId $x.Id -ServicePrincipalNames $ServicePrincipalUpdate
``` 5. Verify your new records were added by running the `Get-MsolServicePrincipal` command from step 2 again, and looking through the output. Compare the list / screenshot from before to the new list of SPNs. You might also take a screenshot of the new list for your records. If you are successful, you'll see the two new URLs in the list. Going by our example, the list of SPNs now includes the specific URLs `https://mail.corp.contoso.com` and `https://owa.contoso.com`.
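Review bot: In step 4, `Update-MgServicePrincipal -ServicePrincipalId $x.Id -ServicePrincipalNames $ServicePrincipalUpdate` passes only the two new URLs, whereas the removed lines appended them to `$x.ServicePrincipalNames` and wrote the full list back. `$x` is fetched but its existing names are never merged in, so if the update replaces the collection, the `00000002-0000-0ff1-ce00-000000000000/` SPNs and existing `https://` entries noted in step 3 would be dropped. Build the value from `$x.ServicePrincipalNames` plus the additions. Step 5 also still tells the reader to rerun `Get-MsolServicePrincipal` "from step 2"; it should name the `Get-MgServicePrincipal` command from step 3.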
enterprise M365 Dr Workload Exo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/m365-dr-workload-exo.md
- it-pro - has-azure-ad-ps-ref
+ - azure-ad-ref-level-one-done
ms.localizationpriority: medium - M365-subscription-management
Exchange Online synchronizes the PreferredDataLocation property from Microsoft E
Exchange Online PowerShell is required to view and configure Multi-Geo properties in your Microsoft 365 environment. To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
-You need the [Microsoft Azure Active Directory PowerShell Module](https://social.technet.microsoft.com/wiki/contents/articles/28552.microsoft-azure-active-directory-powershell-module-version-release-history.aspx) v1.1.166.0 or later in v1.x to see the **PreferredDataLocation** property on user objects. User objects synchronized via Microsoft Entra Connect into Microsoft Entra ID can't have their **PreferredDataLocation** value directly modified via Azure AD PowerShell. Cloud-only user objects can be modified via Azure AD PowerShell. To connect to Azure AD PowerShell, see [Connect to PowerShell](connect-to-microsoft-365-powershell.md).
- In Exchange Online Multi-Geo environments, you don't need to do any manual steps to add Geographies to your tenant. After you receive the Message Center post that says multi-geo is ready for Exchange Online, all available Geographies will be ready and configured for you to use. #### Connect directly to a geo location using Exchange Online PowerShell
MailboxRegionLastUpdateTime : 2/6/2018 8:21:01 PM
#### Move an existing cloud-only mailbox to a specific geo location
-A cloud-only user is a user not synchronized to the tenant via Microsoft Entra Connect. This user was created directly in Microsoft Entra ID. Use the **Get-MsolUser** and **Set-MsolUser** cmdlets in the Azure AD Module for Windows PowerShell to view or specify the _Geography_ location where a cloud-only user's mailbox will be stored.
+> [!NOTE]
+> The Azure Active Directory (AzureAD) PowerShell module is being deprecated and replaced by the Microsoft Graph PowerShell SDK. You can use the Microsoft Graph PowerShell SDK to access all Microsoft Graph APIs. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started).
+>
+> Also see [Install the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation) and [Upgrade from Azure AD PowerShell to Microsoft Graph PowerShell](/powershell/microsoftgraph/migration-steps) for information on how to install and upgrade to Microsoft Graph PowerShell, respectively.
+
+A cloud-only user is a user not synchronized to the tenant via Microsoft Entra Connect. This user was created directly in Microsoft Entra ID. Use the **Get-MgUser** and **Set-MgUser** cmdlets in the Microsoft Graph PowerShell SDK to view or specify the _Geography_ location where a cloud-only user's mailbox will be stored.
+
+First, you must connect to Microsoft Graph using the required permission scopes for the actions you will take in your Microsoft Graph PowerShell session.
+
+The Microsoft Graph PowerShell SDK supports two types of authentication: delegated access, and app-only access. In this guide, you'll use delegated access to sign in as a user, grant consent to the SDK to act on your behalf, and call the Microsoft Graph.
+
+For details on using app-only access for unattended scenarios, see Use app-only authentication with the Microsoft Graph PowerShell SDK.
+
+**Determine required permission scopes**
+
+Each API in the Microsoft Graph is protected by one or more permission scopes. The user logging in must consent to one of the required scopes for the APIs you plan to use. In this example, we'll use the following APIs.
+
+List users to find the user ID of the logged-in user.
+Modify the **PreferredDataLocation** value for a user.
-To view the **PreferredDataLocation** value for a user, use this syntax in Azure AD PowerShell:
+The *User.Read.All* permission scope enables the first call, and the *User.ReadWrite.All* scope enables the second. These permissions require an admin account.
+
+For more information about how to determine what permission scopes you'll need, see [Using Find-MgGraphCommand cmdlet](/powershell/microsoftgraph/find-mg-graph-command).
+
+To connect to your Microsoft 365 Organization, run the following command:
+
+```powershell
+Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All"
+```
+
+The command prompts you to go to a web page to sign in with your credentials. Once you've done that, the command indicates success with a Welcome To Microsoft Graph! message. You only need to sign in once per session.
+
+> [!TIP]
+> You can accretively add permissions by repeating the Connect-MgGraph command with the new permission scopes.
+
+To view the **PreferredDataLocation** value for a user, use this syntax in Microsoft Graph PowerShell:
```powershell
-Get-MsolUser -UserPrincipalName <UserPrincipalName> | Format-List UserPrincipalName,PreferredDataLocation
+Get-MgUser -ConsistencyLevel eventual -Count userCount -Search '"UserPrincipalName:<UserPrincipalName>"' | Format-List UserPrincipalName,PreferredDataLocation
``` For example, to see the **PreferredDataLocation** value for the user michelle@contoso.onmicrosoft.com, run the following command: ```powershell
-Get-MsolUser -UserPrincipalName michelle@contoso.onmicrosoft.com | Format-List
+Get-MgUser -ConsistencyLevel eventual -Count userCount -Search '"UserPrincipalName:michelle@contoso.onmicrosoft.com"' | Format-List
```
-To modify the **PreferredDataLocation** value for a cloud-only user object, use the following syntax in Azure AD PowerShell:
+To modify the **PreferredDataLocation** value for a cloud-only user object, use the following syntax in Microsoft Graph PowerShell:
```powershell
-Set-MsolUser -UserPrincipalName <UserPrincipalName> -PreferredDataLocation <GeoLocationCode>
+Update-MgUser -UserID <UserID> -PreferredDataLocation <GeoLocationCode>
```
-For example, to set the **PreferredDataLocation** value to the European Union (EUR) geo for the user michelle@contoso.onmicrosoft.com, run the following command:
+For example, to set the **PreferredDataLocation** value to the European Union (EUR) geo for the user michelle@contoso.onmicrosoft.com, get the UserID value from the last command output and run the following command:
```powershell
-Set-MsolUser -UserPrincipalName michelle@contoso.onmicrosoft.com -PreferredDataLocation EUR
+Update-MgUser -UserID michelle@contoso.onmicrosoft.com -PreferredDataLocation EUR
``` > [!NOTE]
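Review bot: The added `Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All"` does not match the paragraph just above it, which names *User.Read.All* and *User.ReadWrite.All* as the scopes for the two calls; as written the session never requests the user write scope the text says `Update-MgUser` needs, and it requests group write access that nothing in this section uses. Change the second scope to `User.ReadWrite.All`. Two smaller points in the same hunk: the prose names a **Set-MgUser** cmdlet while every example uses `Update-MgUser`, and the EUR example says to take the UserID value from the previous output but then passes the UPN to `-UserID`.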
To create a new mailbox in a specific _Geographic_ location, you need to do eith
To create a new cloud-only licensed user (not Microsoft Entra Connect synchronized) in a specific _Geographic_ location, use the following syntax in Azure AD PowerShell: ```powershell
-New-MsolUser -UserPrincipalName <UserPrincipalName> -DisplayName "<Display Name>" [-FirstName <FirstName>] [-LastName <LastName>] [-Password <Password>] [-LicenseAssignment <AccountSkuId>] -PreferredDataLocation <GeoLocationCode>
+$params = @{
+ accountEnabled = $true
+ displayName = "<display name>"
+ mailNickname = "<mailbox name>"
+ userPrincipalName = "<sign-in name>"
+ usageLocation = "<ISO 3166-1 alpha-2 country code>"
+ passwordProfile = @{
+ forceChangePasswordNextSignIn = $true
+ password = "<temp password>"
+ }
+}
+
+$user = New-MgUser -BodyParameter $params
+
+$EmsSku = Get-MgSubscribedSku -All | Where SkuPartNumber -eq '<license SKU ID>'
+Set-MgUserLicense -UserId $user.Id -AddLicenses @{SkuId = $EmsSku.SkuId} -RemoveLicenses @()
```
+> [!TIP]
+> The `usageLocation` is A two-letter country code (ISO standard 3166). Required for users that are assigned licenses due to legal requirements to check for availability of services in countries. Examples include: US, JP, and GB.
+ This example creates a new user account for Elizabeth Brunner with the following values: - User principal name: ebrunner@contoso.onmicrosoft.com - First name: Elizabeth - Last name: Brunner - Display name: Elizabeth Brunner-- Password: randomly generated and shown in the results of the command (because we're not using the _Password_ parameter)
+- Password: Manually add password in the form of a hashtable
- License: `contoso:ENTERPRISEPREMIUM` (E5)-- Location: Australia (AUS)
+- Location: Australia (AU)
+
+First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md) using Microsoft Graph Powershell.
+
+After you connect, use the following syntax to create an individual account:
```powershell
-New-MsolUser -UserPrincipalName ebrunner@contoso.onmicrosoft.com -DisplayName "Elizabeth Brunner" -FirstName Elizabeth -LastName Brunner -LicenseAssignment contoso:ENTERPRISEPREMIUM -PreferredDataLocation AUS
+$params = @{
+ accountEnabled = $true
+ displayName = "Elizabeth Brunner"
+ mailNickname = "ElizabethB"
+ userPrincipalName = "ebrunner@contoso.onmicrosoft.com"
+ usageLocation = "AU"
+ passwordProfile = @{
+ forceChangePasswordNextSignIn = $true
+ password = "xWwvJ]6NMw+bWH-d"
+ }
+}
+
+$user = New-MgUser -BodyParameter $params
+
+$EmsSku = Get-MgSubscribedSku -All | Where SkuPartNumber -eq 'ENTERPRISEPREMIUM'
+Set-MgUserLicense -UserId $user.Id -AddLicenses @{SkuId = $EmsSku.SkuId} -RemoveLicenses @()
``` For more information about creating new user accounts and finding LicenseAssignment values in Azure AD PowerShell, see [Create user accounts with PowerShell](create-user-accounts-with-microsoft-365-powershell.md) and [View licenses and services with PowerShell](view-licenses-and-services-with-microsoft-365-powershell.md).
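Review bot: The new `$params` hashtable has no `preferredDataLocation` entry, although this section is about creating a user in a specific geo and the removed `New-MsolUser` lines set `-PreferredDataLocation`. `usageLocation = "AU"` and the bullet change from `Australia (AUS)` to `Australia (AU)` swap the geo code for the licensing country code instead of adding to it, so the example no longer places the mailbox anywhere. Add the geo property to the body, or a follow-up `Update-MgUser -PreferredDataLocation` step, and keep both values in the bullet list. The worked example also embeds a literal password, `xWwvJ]6NMw+bWH-d`, that readers will paste unchanged; use the `<temp password>` placeholder from the syntax block instead. The unchanged intro and closing sentences still say "Azure AD PowerShell", and the TIP reads "is A two-letter".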
enterprise View User Accounts With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/view-user-accounts-with-microsoft-365-powershell.md
Title: "View Microsoft 365 user accounts with PowerShell"
Previously updated : 12/19/2023 Last updated : 02/05/2024 audience: Admin
- Ent_Office_Other - seo-marvel-apr2020 - has-azure-ad-ps-ref
+ - azure-ad-ref-level-one-done
ms.assetid: bb12f49d-a85d-4f3b-ada2-5c4e33977b10 description: Learn how to view, list, or display your Microsoft 365 user accounts in different ways with PowerShell.
description: Learn how to view, list, or display your Microsoft 365 user account
You can use the Microsoft 365 admin center to view the accounts for your Microsoft 365 tenant. PowerShell for Microsoft 365 enables this but also provides additional functionality.
-## Use the Azure Active Directory PowerShell for Graph module
+## View user accounts using Microsoft Graph PowerShell
-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module).
+> [!NOTE]
+> The Azure Active Directory (AzureAD) PowerShell module is being deprecated and replaced by the Microsoft Graph PowerShell SDK. You can use the Microsoft Graph PowerShell SDK to access all Microsoft Graph APIs. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started).
+>
+> Also see [Install the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation) and [Upgrade from Azure AD PowerShell to Microsoft Graph PowerShell](/powershell/microsoftgraph/migration-steps) for information on how to install and upgrade to Microsoft Graph PowerShell, respectively.
+
+1. First, install the required software to use Microsoft Graph PowerShell. See [Connect to Microsoft 365 with Microsoft Graph PowerShell](connect-to-microsoft-365-powershell.md) for more information.
+
+1. Then run the following cmdlet to connect to your organization with the required permission scope, which in this case is *User.ReadBasic.All*:
+
+```powershell
+# Connect to Microsoft Graph
+Connect-Graph -Scopes User.ReadBasic.All
+```
### View all accounts
-To display the full list of user accounts, run this command:
+To display the full list of user accounts with user ID and user principal name, run this command:
```powershell
-Get-AzureADUser
+Get-MgUser -All | Select DisplayName,Id,UserPrincipalName
``` You should get information similar to this: ```powershell
-ObjectId DisplayName UserPrincipalName
-- --
-032fc1fc-b5a2-46f1-8635-3d7dcb52c48d Adele Vance AdeleV@litwareinc.OnMicr...
-bd1e6af1-41e7-4f77-a2ac-5b209950135c Global Administrator admin@litwareinc.onmicro...
-ec37a4d6-232e-4eb7-82a5-1613490642a5 Alex Wilber AlexW@litwareinc.OnMicro...
-be4bdddd-c790-424c-9f96-a0cf609b7815 Allan Deyoung AllanD@litwareinc.OnMicr...
-598ab87b-76f0-4bf9-9538-bd46b10f4438 Christie Cline ChristieC@litwareinc.OnM...
-40722671-e520-4a5f-97d4-0bc9e9b2dc0f Debra Berger DebraB@litwareinc.OnMicr...
+DisplayName Id UserPrincipalName
+-- -- --
+Conf Room Adams 6e206948-b2b6-406c-a728-80bbe78e4003 Adams@M365x89521157.OnMicrosoft.com
+Adele Vance 916a6a08-b9d0-44b6-870f-562d8358a314 AdeleV@M365x89521157.OnMicrosoft.com
+MOD Administrator 5710f237-df3f-4bcd-b875-82deb02f98aa admin@M365x89521157.onmicrosoft.com
+Alex Wilber 8aa561dc-441d-4d74-aeb3-e2be41c116c8 AlexW@M365x89521157.OnMicrosoft.com
+Allan Deyoung 6b629e5e-3cf4-42d0-8007-3a93f0253382 AllanD@M365x89521157.OnMicrosoft.com
+Automate Bot 3a70feb4-9407-47b5-9b61-7526ac0e98d8 AutomateB@M365x89521157.OnMicrosoft.com
+Conf Room Baker d8cf3fef-1d03-4b9c-9be0-fed44fb87596 Baker@M365x89521157.OnMicrosoft.com
+Bianca Pisani 7fe8c2d1-eb8e-4032-96ba-26242ff0acd9 BiancaP@M365x89521157.OnMicrosoft.com
``` ### View a specific account
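Review bot: The connect step states *User.ReadBasic.All* as the required scope, but later examples on this page read Department, UsageLocation, AccountEnabled and OnPremisesSyncEnabled; please confirm the basic scope is enough for those, since the multi-geo article in this same update connects with `User.Read.All` for its user lookups. The command is also written as `Connect-Graph` here while the other rewritten articles use `Connect-MgGraph`; pick one name so readers searching the docs find a single cmdlet.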
be4bdddd-c790-424c-9f96-a0cf609b7815 Allan Deyoung
To display a specific user account, run the following command. Fill in the sign-in account name of the user account, which is also known as the user principal name (UPN). Remove the "<" and ">" characters. ```powershell
-Get-AzureADUser -ObjectID <sign-in name of the user account>
+Get-MgUser -UserId '<user principal name>'
``` Here's an example: ```powershell
-Get-AzureADUser -ObjectID BelindaN@litwareinc.onmicosoft.com
+Get-MgUser -UserId 'BelindaN@litwareinc.onmicosoft.com'
``` ### View additional property values for a specific account
-By default, the **Get-AzureADUser** cmdlet only displays the *ObjectID*, *DisplayName*, and *UserPrincipalName* properties of accounts.
+By default, the **Get-MgUser** cmdlet only displays the *DisplayName*, *Id*, *Mail*, and *UserPrincipalName* properties of accounts.
-To be more selective about the properties to display, use the **Select** cmdlet in combination with the **Get-AzureADUser** cmdlet. To combine the two cmdlets, use the "pipe" character ("|"), which tells Azure Active Directory PowerShell for Graph to take the results of one command and send it to the next command. Here's an example command that displays the *DisplayName*, *Department*, and *UsageLocation* for every user account:
+To be more selective about the properties to display, use the **Select** cmdlet in combination with the **Get-MgUser** cmdlet. To combine the two cmdlets, use the "pipe" character ("|"), which tells PowerShell to take the results of one command and send it to the next command. Here's an example command that displays the *DisplayName*, *Department*, and *UsageLocation* for every user account:
```powershell
-Get-AzureADUser | Select DisplayName,Department,UsageLocation
+Get-MgUser -All | Select DisplayName,Department,UsageLocation
``` This command instructs PowerShell to:
-1. Get all the information on the user accounts (**Get-AzureADUser**) and send it to the next command (**|**).
+1. Get all the information on the user accounts (**Get-MgUser**) and send it to the next command (**|**).
1. Display only the user account name, department, and usage location (**Select DisplayName, Department, UsageLocation**). To see all the properties for a specific user account, use the **Select** cmdlet and the wildcard character (*). Here's an example: ```powershell
-Get-AzureADUser -ObjectID BelindaN@litwareinc.onmicosoft.com | Select *
+Get-MgUser -UserID 'BelindaN@litwareinc.onmicosoft.com' | Select *
``` As another example, run the following command to check the enabled status of a specific user account: ```powershell
-Get-AzureADUser -ObjectID <sign-in name of the user account> | Select DisplayName,UserPrincipalName,AccountEnabled
+Get-MgUser -UserID '<sign-in name of the user account>' | Select DisplayName,UserPrincipalName,AccountEnabled
``` ### View account synchronization status
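Review bot: `Get-MgUser -All | Select DisplayName,Department,UsageLocation` and the `AccountEnabled` example select properties that the changed paragraph itself says are outside the cmdlet's default output (*DisplayName*, *Id*, *Mail*, *UserPrincipalName*). Unlike the `Get-AzureADUser` lines they replace, these need the properties requested explicitly, for example `-Property DisplayName,Department,UsageLocation`, or the extra columns come back empty. The sample UPN `BelindaN@litwareinc.onmicosoft.com` also carries the `onmicosoft` typo over from the removed lines.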
User accounts have two sources:
- Microsoft Entra accounts, which are created directly in the cloud.
-You can use the following command to find accounts that are synchronizing from **on-premise** AD. It instructs PowerShell to get all users who have the attribute *DirSyncEnabled* set to *True*.
+You can use the following command to find accounts that are synchronizing from **on-premise** AD. It instructs PowerShell to get all users who have the attribute *OnPremisesSyncEnabled* set to *True*.
```powershell
-Get-AzureADUser | Where {$_.DirSyncEnabled -eq $true}
+Get-MgUser -All -Filter 'OnPremisesSyncEnabled eq true'
```
-You can use the following command to find **cloud-only** accounts. It instructs PowerShell to get all users who have the attribute *DirSyncEnabled* set to *False* or not set (*Null*).
-An account that was never synced from on-premise AD has *DirSyncEnabled* set to *Null*. An account that was synced initially from on-premise AD but is no longer being synced has *DirSyncEnabled* set to *False*.
+You can use the following command to find **cloud-only** accounts. It instructs PowerShell to get all users who have the attribute *OnPremisesSyncEnabled* set to *False* or not set (*Null*).
+An account that was never synced from on-premises AD has *OnPremisesSyncEnabled* set to *Null*. An account that was synced initially from on-premises AD but is no longer being synced has *OnPremisesSyncEnabled* set to *False*.
```powershell
-Get-AzureADUser | Where {$_.DirSyncEnabled -ne $true}
-```
+Get-MgUser -All | Where OnPremisesSyncEnabled -ne true
+OnPremisesSyncEnabled```
### View accounts based on a common property
-To be more selective about the list of accounts to display, you can use the **Where** cmdlet in combination with the **Get-AzureADUser** cmdlet. To combine the two cmdlets, use the "pipe" character ("|"), which tells Azure Active Directory PowerShell for Graph to take the results of one command and send it to the next command. Here's an example command that displays only those user accounts that have an unspecified usage location:
+To be more selective about the list of accounts to display, you can use the **Where** cmdlet in combination with the **Get-MgUser** cmdlet. To combine the two cmdlets, use the "pipe" character ("|"), which tells PowerShell to take the results of one command and send it to the next command. Here is an example command that displays only those user accounts that have an unspecified usage location:
```powershell
-Get-AzureADUser | Where {$_.UsageLocation -eq $Null}
+Get-MgUser | Where UsageLocation -eq $Null
```
-This command instructs Azure Active Directory PowerShell for Graph to:
+This command instructs PowerShell to:
-1. Get all the information on the user accounts (**Get-AzureADUser**) and send it to the next command (**|**).
+1. Get all the information on the user accounts (**Get-MgUser**) and send it to the next command (**|**).
-1. Find all the user accounts that have an unspecified usage location (**Where {$\_.UsageLocation -eq $Null}**). Inside the braces, the command instructs PowerShell to only find the set of accounts for which the UsageLocation user account property (**$\_.UsageLocation**) is not specified (**-eq $Null**).
+1. Find all the user accounts that have an unspecified usage location (**Where UsageLocation -eq $Null**). The command instructs PowerShell to only find the set of accounts for which the *UsageLocation* user account property (**UsageLocation**) is not specified (**-eq $Null**).
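Review bot: the new `Get-MgUser | Where UsageLocation -eq $Null` drops the `-All` switch that the Get-MgUser commands added earlier in this change use, so the filter runs over the first page of results rather than every account; add `-All`, and request the property with `-Property UsageLocation` so it is populated before the comparison. In the rewritten step 2, the parenthetical after "user account property" used to show `$_.UsageLocation` and now only repeats the name UsageLocation, so it can be removed.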
The **UsageLocation** property is only one of many properties associated with a user account. To display all the properties for a specific user account, use the **Select** cmdlet and the wildcard character (*). Here's an example: ```powershell
-Get-AzureADUser -ObjectID BelindaN@litwareinc.onmicosoft.com | Select *
+Get-MgUser -UserID BelindaN@litwareinc.onmicosoft.com | Select *
``` For example, **City** is the name of a user account property. You can use the following command to list all accounts of users who live in London: ```powershell
-Get-AzureADUser | Where {$_.City -eq "London"}
-```
-
-> [!TIP]
-> The syntax for the **Where** cmdlet in these examples is **Where {$\_.** [user account property name] [comparison operator] [value] **}**.> [comparison operator] is **-eq** for equals, **-ne** for not equals, **-lt** for less than, **-gt** for greater than, and others. [value] is typically a string (a sequence of letters, numbers, and other characters), a numerical value, or **$Null** for unspecified. For more information, see [Where](/powershell/module/microsoft.powershell.core/where-object).
-
-## Use the Microsoft Azure Active Directory module for Windows PowerShell
-
-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell).
-
-### View all accounts
-
-To display the full list of user accounts, run this command:
-
-```powershell
-Get-MsolUser
-```
-
->[!Note]
->PowerShell Core doesn't support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets with *Msol* in their name. Run these cmdlets from Windows PowerShell.
->
-
-You should get information similar to this:
-
-```powershell
-UserPrincipalName DisplayName isLicensed
-- -
-BonnieK@litwareinc.onmicrosoft.com Bonnie Kearney True
-FabriceC@litwareinc.onmicrosoft.com Fabrice Canel True
-BrianJ@litwareinc.onmicrosoft.com Brian Johnson False
-AnneWlitwareinc.onmicrosoft.com Anne Wallace True
-ScottW@litwareinc.onmicrosoft.com Scott Wallace False
-```
-
-The **Get-MsolUser** cmdlet also has a set of parameters to filter the set of user accounts displayed. For example, for the list of unlicensed users (users who have been added to Microsoft 365 but haven't yet been licensed to use any of the services), run this command:
-
-```powershell
-Get-MsolUser -UnlicensedUsersOnly
-```
-
-You should get information similar to this:
-
-```powershell
-UserPrincipalName DisplayName isLicensed
-- -
-BrianJ@litwareinc.onmicrosoft.com Brian Johnson False
-ScottW@litwareinc.onmicrosoft.com Scott Wallace False
-```
-
-For information about additional parameters to filter the set of user accounts that are displayed, see [Get-MsolUser](/previous-versions/azure/dn194133(v=azure.100)).
-
-### View a specific account
-
-To display a specific user account, run the following command. Fill in the sign-in name of the user account, which is also known as the user principal name (UPN). Remove the "<" and ">" characters.
-
-```powershell
-Get-MsolUser -UserPrincipalName <sign-in name of the user account>
-```
-
-### View accounts based on a common property
-
-To be more selective about the list of accounts to display, you can use the **Where** cmdlet in combination with the **Get-MsolUser** cmdlet. To combine the two cmdlets, use the "pipe" character ("|"), which tells PowerShell to take the results of one command and send it to the next command. Here's an example that displays only those user accounts that have an unspecified usage location:
-
-```powershell
-Get-MsolUser | Where {$_.UsageLocation -eq $Null}
-```
-
-This command instructs PowerShell to:
-
-1. Get all the information on the user accounts (**Get-MsolUser**) and send it to the next command (**|**).
-
-1. Find all user accounts that have an unspecified usage location (**Where {$\_.UsageLocation -eq $Null}**). Inside the braces, the command instructs PowerShell to find only the set of accounts for which the UsageLocation user account property (**$\_.UsageLocation**) is not specified (**-eq $Null**).
-
-You should get information similar to this:
-
-```powershell
-UserPrincipalName DisplayName isLicensed
-- -
-BrianJ@litwareinc.onmicrosoft.com Brian Johnson False
-ScottW@litwareinc.onmicrosoft.com Scott Wallace False
-
-```
-
-The *UsageLocation* property is only one of many properties associated with a user account. To see all of the properties for user accounts, use the **Select** cmdlet and the wildcard character (*) to display them all for a specific user account. Here's an example:
-
-```powershell
-Get-MsolUser -UserPrincipalName BelindaN@litwareinc.onmicosoft.com | Select *
-```
-
-For example, *City* is the name of a user account property. You can use the following command to list all of the user accounts for users who live in London:
-
-```powershell
-Get-MsolUser | Where {$_.City -eq "London"}
+Get-MgUser | Where City -eq "London"
``` > [!TIP]
-> The syntax for the **Where** cmdlet in these examples is **Where {$\_.** [user account property name] [comparison operator] [value] **}**. [comparison operator] is **-eq** for equals, **-ne** for not equals, **-lt** for less than, **-gt** for greater than, and others. [value] is typically a string (a sequence of letters, numbers, and other characters), a numerical value, or **$Null** for unspecified. For more information, see [Where](/powershell/module/microsoft.powershell.core/where-object).
-
-To check the blocked status of a user account, use the following command:
-
-```powershell
-Get-MsolUser -UserPrincipalName <UPN of user account> | Select DisplayName,BlockCredential
-```
-
-### View additional property values for accounts
-
-By default, the **Get-MsolUser** cmdlet displays these three properties of user accounts:
-
-- UserPrincipalName--- DisplayName--- isLicensed-
-If you need additional properties, such as the department where the user works and the country/region where they use Microsoft 365 services, you can run **Get-MsolUser** in combination with the **Select** cmdlet to specify the list of user account properties. Here's an example:
-
-```powershell
-Get-MsolUser | Select DisplayName, Department, UsageLocation
-```
-
-This command instructs PowerShell to:
-
-1. Get all the information about the user accounts (**Get-MsolUser**) and send it to the next command (**|**).
-
-1. Display only the user account name, department, and usage location (**Select DisplayName, Department, UsageLocation**).
-
-You should get information similar to this:
-
-```powershell
-DisplayName Department UsageLocation
- -
-Bonnie Kearney Sales & Marketing US
-Fabrice Canel Legal US
-Brian Johnson
-Anne Wallace Executive Management US
-Alex Darrow Sales & Marketing US
-Scott Wallace Operations
-```
-
-The **Select** cmdlet lets you choose what properties to display. To display all the properties for a specific user account, use the wildcard character (*). Here's an example:
-
-```powershell
-Get-MsolUser -UserPrincipalName BelindaN@litwareinc.onmicosoft.com | Select *
-```
-
-To be more selective about the list of accounts to display, you can also use the **Where** cmdlet. Here's an example command that displays only those user accounts that have an unspecified usage location:
-
-```powershell
-Get-MsolUser | Where {$_.UsageLocation -eq $Null} | Select DisplayName, Department, UsageLocation
-```
-
-This command instructs PowerShell to:
-
-1. Get all the information about the user accounts (**Get-MsolUser**) and send it to the next command (**|**).
-
-1. Find all user accounts that have an unspecified usage location (**Where {$\_.UsageLocation -eq $Null}**), and send the resulting information to the next command (**|**). Inside the braces, the command instructs PowerShell to only find the set of accounts for which the UsageLocation user account property (**$\_.UsageLocation**) is not specified (**-eq $Null**).
-
-1. Display only the user account name, department, and usage location (**Select DisplayName, Department, UsageLocation**).
-
-You should get information similar to this:
-
-```powershell
-DisplayName Department UsageLocation
- -
-Brian Johnson
-Scott Wallace Operations
-```
-
-If you're using directory synchronization to create and manage your Microsoft 365 users, you can display the local account from which a Microsoft 365 user has been projected. The following example assumes that:
--- Microsoft Entra Connect is configured to use the default source anchor of ObjectGUID. (For more information about configuring a source anchor, see [Microsoft Entra Connect: Design concepts](/azure/active-directory/hybrid/plan-connect-design-concepts)).-- The Active Directory Domain Services module for PowerShell has been installed (see [RSAT tools](https://www.microsoft.com/en-gb/download/details.aspx?id=45520)).-
-```powershell
-Get-ADUser ([guid][System.Convert]::FromBase64String((Get-MsolUser -UserPrincipalName <UPN of user account>).ImmutableID)).guid
-```
+> The syntax for the **Where** cmdlet in these examples is **Where** [user account property name] [comparison operator] [value] **value**.> [comparison operator] is **-eq** for equals, **-ne** for not equals, **-lt** for less than, **-gt** for greater than, and others. [value] is typically a string (a sequence of letters, numbers, and other characters), a numerical value, or **$Null** for unspecified. For more information, see [Where](/powershell/module/microsoft.powershell.core/where-object).
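Review bot: the rewritten TIP line ends its syntax pattern with a leftover bold "value" after the [value] placeholder, and the ".>" that follows runs the next quote-line marker into the sentence, so the tip will render with a stray ">" in the text; the pattern should read **Where** [user account property name] [comparison operator] [value], with the following sentence on its own quoted line. The added `Get-MgUser | Where City -eq "London"` has no `-All`, unlike the sync-status commands earlier in the change. The example UPN in the added `Get-MgUser -UserID` command still carries the typo "onmicosoft.com" from the line it replaces; it should be "onmicrosoft.com".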
## See also
frontline Flw Team Collaboration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-team-collaboration.md
searchScope:
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 01/17/2024 Last updated : 02/07/2024 # Frontline team collaboration
Your team can use apps in Teams to coordinate and collaborate with each other on
- [Track and monitor work with Tasks](#track-and-monitor-work-with-tasks) - [Streamline approvals with Approvals](#streamline-approvals-with-approvals) - [Check in on progress with Updates](#check-in-on-progress-with-updates)
+- [Create a personalized experience with Viva Connections](#create-a-personalized-experience-with-viva-connections)
> [!TIP] > Examples are given for the financial services, healthcare, nonprofit, and retail industries, but you can use these apps for an organization in any sector.
+You manage apps for your organization in the Teams admin center. To learn more, see [Overview of app management and governance in Teams admin center](/microsoftteams/manage-apps).
+
+Your users can add any apps that you have allowed to their teams. Share this training with your users to show them how: [Find and use apps](https://support.microsoft.com/office/find-and-use-apps-6e22a734-c002-4da0-ba63-681f155b142d).
+ ### Create, manage, and share schedules with Shifts Use Shifts to seamlessly manage and share schedules. Managers can create custom groups such as cashiers, nurses, or mortgage specialists, assign shifts to employees, add breaks, and add open shifts that employees can request to take. Employees can use Shifts to set their availability, view their schedules, swap shifts with coworkers, clock in and out, and more. For example, a volunteer coordinator at a nonprofit could create open shifts that volunteers can request to take.
Learn how to [manage the Updates app for your organization](/microsoftteams/mana
Share this [Updates video training](https://support.microsoft.com/office/get-started-in-updates-c03a079e-e660-42dc-817b-ca4cfd602e5a) with your users.
-## Manage apps
+### Create a personalized experience with Viva Connections
-Manage apps for your organization in the Teams admin center. To learn more, see [Overview of app management and governance in Teams admin center](/microsoftteams/manage-apps).
+Viva Connections is part of the [Microsoft Viva suite](/viva/microsoft-viva-overview) and enables you to create a personalized landing experience in Teams.
-Your users can add any apps that you have allowed to their teams. Share this training with your users to show them how: [Find and use apps](https://support.microsoft.com/office/find-and-use-apps-6e22a734-c002-4da0-ba63-681f155b142d).
+The Viva Connections dashboard provides fast and easy access to information and job-related tasks. For example, add the Shifts card to show information about the next or current shift from the Shifts app. Content in the cards is dynamic and personalized to the user.
+
+Learn more about [Viva Connections](/viva/connections/viva-connections-overview) and [how to create a Viva Connections dashboard](/viva/connections/create-dashboard).
## Communicate over email with Exchange Online and Outlook
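Review bot: replacing the "## Manage apps" heading with the level-3 Viva Connections heading removes the #manage-apps anchor, and the next hunk removes "## Use Viva Connections to create a personalized experience" as well; check that no other article or table of contents entry still links to either anchor before this merges.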
Email is a core communication tool for most workplaces. [Set up email with Excha
You can also set up shared mailboxes to allow for incoming mail from customers (such as for customer service or scheduling requests) and have a group of workers who monitor and send email from a public email alias like info@contoso.com. For more information about shared mailboxes, see [About shared mailboxes](../admin/email/about-shared-mailboxes.md) and [Open and use a shared mailbox in Outlook](https://support.microsoft.com/office/open-and-use-a-shared-mailbox-in-outlook-d94a8e9e-21f1-4240-808b-de9c9c088afd).
-## Use Viva Connections to create a personalized experience
-
-Viva Connections is part of the [Microsoft Viva suite](/viva/microsoft-viva-overview) and enables you to create a personalized landing experience in Teams.
-
-The Viva Connections dashboard provides fast and easy access to information and job-related tasks. For example, add the Shifts card to show information about the next or current shift from the Shifts app. Content in the cards is dynamic and personalized to the user.
-
-Learn more about [Viva Connections](/viva/connections/viva-connections-overview) and [how to create a Viva Connections dashboard](/viva/connections/create-dashboard).
- ## Learn more about Teams capabilities for specific industries -- [Teams for Retail](teams-for-retail-landing-page.md)
+- [Teams for Financial Services](teams-for-financial-services.md)
- [Teams for Healthcare](teams-in-hc.md) - [Teams for Manufacturing](teams-for-manufacturing.md)
+- [Teams for Retail](teams-for-retail-landing-page.md)
frontline Set Up Targeted Communications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/set-up-targeted-communications.md
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 02/02/2024 Last updated : 02/07/2024
frontline Teams For Financial Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/teams-for-financial-services.md
searchScope:
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 02/01/2023 Last updated : 02/07/2024 # Get started with Microsoft 365 for Financial Services
-Frontline workers in the financial services industry have unique needs for communicating and collaborating based on the services they offer. To get the most benefit for your frontline workforce, you first choose which scenarios Microsoft 365 can help you with in your day-to-day business operations, and then make sure that you prepare your environment with the right fundamentals, teams, and apps to support those scenarios.
+Frontline workers in the financial services industry have unique needs for communicating and collaborating based on the services they offer. To get the most benefit for your frontline workforce, first choose which scenarios Microsoft 365 can help you with in your day-to-day business operations, and then make sure that you prepare your environment with the right fundamentals, teams, and apps to support those scenarios.
1. [Choose your scenarios](#choose-your-scenarios) you want to implement for your business.
-2. [Set up Microsoft 365](flw-setup-microsoft-365.md) - Set up Microsoft 365's core elements, Microsoft Teams, and any other services you need.
+2. [Set up Microsoft 365](flw-setup-microsoft-365.md) - Set up Microsoft 365, Microsoft Teams, and any other services you need.
3. [Configure services and apps](#configure-services-and-apps) - Use team templates to set up the teams you need quickly, including the channels and apps you need for your business. Add in other apps from Microsoft as needed to support your scenarios. ## Choose your scenarios
-Microsoft 365 and Microsoft Teams offer several capabilities that can help financial services organizations with their daily operations and digital transformation. We recommend the following scenarios for financial services organizations:
+Microsoft 365 and Teams offer capabilities that help financial services organizations enhance productivity in their daily operations and digital transformation. We recommend the following scenarios for financial services organizations:
- [Communicate within and across locations](#communicate-within-and-across-locations) - [Simplify business processes](#simplify-business-processes) - [Onboard and train employees](#onboard-and-train-employees) - [Strengthen corporate communications](#strengthen-corporate-communications)-- [Collaborate on loan applications](#collaborate-on-loan-applications) > [!NOTE]
-> These scenarios are also part of the Microsoft Cloud for Financial Services. You can do more with these scenarios when you also use other capabilities from the Microsoft Cloud for Financial Services, such as Microsoft Dynamics 365. Learn more about using this solution, which brings together capabilities from Dynamics 365, and Microsoft 365 at [Microsoft Cloud for Financial Services](/industry/financial-services).
+> These scenarios are also part of Microsoft Cloud for Financial Services. You can do more with these scenarios when you also use other capabilities from the Microsoft Cloud for Financial Services, such as Microsoft Dynamics 365. Learn more about using this solution, which brings together capabilities from Dynamics 365 and Microsoft 365 at [Microsoft Cloud for Financial Services](/industry/financial-services).
### Communicate within and across locations Bring associates and management together across branches to collaborate and streamline operations with Teams and Teams apps.
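Review bot: in the rewritten NOTE, the first sentence now says "part of Microsoft Cloud for Financial Services" while the second still says "from the Microsoft Cloud for Financial Services"; pick one form of the product name and use it in both sentences.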
-**Key apps:** Shifts, Walkie Talkie, Tasks, Approvals, Chat, Praise, Lists, Files, Updates
+**Key apps and capabilities:** Shifts, Walkie Talkie, Tasks, Approvals, Praise, Lists, Updates, Viva Connections, Chat, Files
-**Additional
+**Additional
More information: [Frontline team collaboration](flw-team-collaboration.md)
More information: [Simplify business processes](simplify-business-processes.md)
Financial services organizations have unique needs due to the high knowledge bases of frontline staff. From numeracy skills to up-to-date knowledge of company and governmental regulations, make sure your workforce is prepared with a strong onboarding and training process.
-**Key features and apps:** Lists, meetings
+**Key apps and capabilities:** Lists, Viva Learning, Viva Connections, Viva Engage, meetings
-**Additional
+**Additional
More information: [Training and onboarding](flw-onboarding-training.md) ### Strengthen corporate communications
-Employee engagement is a significant contributor to workplace satisfaction, loyalty, and productivity at any organization. Learn how to keep everyone informed and engaged using SharePoint, Teams, Viva Engage, Stream, and Viva Connections.
+Employee engagement is a significant contributor to workplace satisfaction, loyalty, and productivity at any organization. Learn how to keep everyone informed and engaged using SharePoint, Teams, Viva Connections, and Viva Engage.
-**Additional
+**Key apps and capabilities:** Viva Connections, Viva Engage, meetings
-More information: [Corporate communications with frontline workers](flw-corp-comms.md)
-
-> [!NOTE]
-> For all of these capabilities, users must have an appropriate license. Microsoft 365 for frontline workers F1 and F3 or Office 365 F3, Office 365 A3, A5, E3, and E5, as well as Microsoft 365 Business Standard, Business Premium, A3, A5, E3, and E5 are all supported. For more information about general Teams licensing, see [Manage user access to Teams](/microsoftteams//user-access). See [Licensing options for frontline workers](flw-licensing-options.md) for more about using Microsoft 365 for frontline workers in combination with other licenses.
+**Additional
-### Collaborate on loan applications
-
-Use [Collaboration Manager for Loans](/industry/financial-services/collaboration-manager/overview) to accelerate the lending process with automation and collaboration tools, to quickly go from application to signing. Collaboration Manager for Loans includes tools for keeping track of loan records, taking notes, and managing customer communications and bookings.
+More information: [Corporate communications with frontline workers](flw-corp-comms.md)
> [!NOTE]
-> Collaboration Manager for Loans is available as part of the Microsoft Cloud for Financial Services, which includes additional capabilities from Microsoft 365 and Dynamics 365. [Learn more about the Microsoft Cloud for Financial Services](/industry/financial-services).
-
-More information: [Admin documentation for Collaboration Manager for Loans](/industry/financial-services/collaboration-manager/overview) and [Collaboration Manager for Loans user guide](/industry/financial-services/collaboration-manager/use)
+> For all these capabilities, users must have an appropriate license. For more information about general Teams licensing, see [Manage user access to Teams](/microsoftteams//user-access). Check out [Understand frontline worker user types and licensing](flw-licensing-options.md) to learn more about using Microsoft 365 for frontline workers in combination with other licenses. For a detailed comparison of what's included in Microsoft 365 enterprise plans, see the [Modern work plan comparison](https://go.microsoft.com/fwlink/p/?linkid=2139145) table.
## Configure services and apps
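Review bot: the new licensing NOTE keeps the link target `/microsoftteams//user-access` from the note it replaces, with a doubled slash; correct it to a single slash while this paragraph is being rewritten. The link text for flw-licensing-options.md changes to "Understand frontline worker user types and licensing", so confirm that it matches the target article's current title.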
More information: [Admin documentation for Collaboration Manager for Loans](/ind
### Apps and services for financial services
-Ensure that your workers can communicate, collaborate, and deliver great customer service with apps like Shifts, Tasks, Lists, Praise, and more. You can determine which apps are available for your users by enabling them in the Teams admin center or by including them in a team template. More information about [managing Teams apps](/microsoftteams/manage-apps).
+Ensure that your workers can communicate, collaborate, and deliver great customer service with Teams apps like Shifts, Tasks, Lists, Praise, and more. You can determine which apps are available for your users by enabling them in the Teams admin center or by using a team template. Learn more about [managing Teams apps](/microsoftteams/manage-apps).
-For financial services environments, the following apps and services can help you transform your business processes and support communication:
+For financial services environments, the following apps and services can help you transform your business processes and support communication.
| Teams apps and services | Description | Manage | Help | | -- | -- | -- | -- | | Approvals | Streamline the sign-off process by integrating Approvals into chat. | [Manage Approvals](/microsoftteams/approval-admin?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Approvals](https://support.microsoft.com/office/what-is-approvals-a9a01c95-e0bf-4d20-9ada-f7be3fc283d3) |
-| Chat | Enable quick conversations between staff with secure chat in Teams. | [Chat, teams, channels & apps in Microsoft Teams](/microsoftteams/deploy-chat-teams-channels-microsoft-teams-landing-page) | [Chat in Teams](https://support.microsoft.com/office/start-and-pin-chats-a864b052-5e4b-4ccf-b046-2e26f40e21b5?wt.mc_id=otc_microsoft_teams) |
+| Chat | Enable quick conversations between staff with chat in Teams. | [Chat, teams, channels & apps in Teams](/microsoftteams/deploy-chat-teams-channels-microsoft-teams-landing-page) | [Chat in Teams](https://support.microsoft.com/office/start-and-pin-chats-a864b052-5e4b-4ccf-b046-2e26f40e21b5?wt.mc_id=otc_microsoft_teams) |
| Documents and files | Share standard operating procedures, regulatory compliance policies, company policies, and financial product fact sheets. | [Teams and SharePoint integration](/sharepoint/teams-connected-sites) | [Share files](https://support.microsoft.com/office/upload-and-share-files-57b669db-678e-424e-b0a0-15d19215cb12) | | Praise | Recognize coworkers for great teamwork with the Praise app. | [Manage the Praise app](/microsoftteams/manage-praise-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Send Praise to people](https://support.microsoft.com/office/send-praise-to-people-50f26b47-565f-40fe-8642-5ca2a5ed261e) | | Shifts | Manage schedules and clock in and out with Shifts. | [Manage the Shifts app](/microsoftteams/expand-teams-across-your-org/shifts/manage-the-shifts-app-for-your-organization-in-teams?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Shifts](https://support.microsoft.com/office/what-is-shifts-f8efe6e4-ddb3-4d23-b81b-bb812296b821) | | Tasks | Help employees know what they should focus on when not with customers by assigning tasks. Your corporate office can use [task publishing](/microsoftteams/manage-tasks-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json#task-publishing) to send out tasks to locations and track progress across those locations. | [Manage the Tasks app](/microsoftteams/manage-tasks-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Tasks](https://support.microsoft.com/office/use-the-tasks-app-in-teams-e32639f3-2e07-4b62-9a8c-fd706c12c070) | | Updates | Check in on recurring or one-off priorities such as daily counts. Managers can create templates for employees to fill out and submit. 
| [Manage the Updates app](/microsoftteams/manage-updates-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Updates](https://support.microsoft.com/office/get-started-in-updates-c03a079e-e660-42dc-817b-ca4cfd602e5a) |
-| Virtual Appointments| A central hub for all your virtual appointment needs. Schedule and manage virtual consultations with clients, view analytics, and configure options, all in one place.| [Manage the Virtual Appointments app](/microsoftteams/manage-virtual-appointments-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [What is the Virtual Appointments app?](https://support.microsoft.com/topic/22df0079-e6d9-4225-bc65-22747fb2cb5f) |
-| Bookings| Schedule and manage virtual consultations with clients. | [Manage the Bookings app](/microsoftteams/bookings-app-admin?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Bookings](https://support.microsoft.com/office/what-is-bookings-42d4e852-8e99-4d8f-9b70-d7fc93973cb5) |
+| Virtual Appointments| Schedule and manage virtual consultations with clients, view analytics, and more, in the Virtual Appointments app.| [Manage the Virtual Appointments app](/microsoftteams/manage-virtual-appointments-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [What is the Virtual Appointments app?](https://support.microsoft.com/topic/22df0079-e6d9-4225-bc65-22747fb2cb5f) |
+| Viva Connections | Viva Connections creates an experience in Teams that connects employees with tools, news, and resources. Employees can view a tailored news feed from your organization and a personalized dashboard with the resources they need. | [Overview of Viva Connections](/viva/connections/viva-connections-overview) | Use [Viva Connections](https://support.microsoft.com/office/your-intranet-is-now-in-microsoft-teams-8b4e7f76-f305-49a9-b6d2-09378476f95b) |
+| Viva Learning | Provide initial and ongoing training to make sure your employees are up-to-date with their skills and knowledge base. | [Overview of Viva Learning](/viva/learning/overview-viva-learning) | [Use Viva Learning](https://support.microsoft.com/office/viva-learning-preview-01bfed12-c327-41e0-a68f-7fa527dcc98a) |
+| Viva Engage | Connect your entire organization and enable communication across departments and regions with Viva Engage. | [Overview of Viva Engage](/viva/engage/overview) | [Use Viva Engage](https://support.microsoft.com/topic/getting-started-with-microsoft-viva-engage-729f9fce-3aa6-4478-888c-a1543918c284) |
| More apps and services from Microsoft | Description | Manage | Help | | -- | -- | -- | -- |
-| Power Apps and the Power Platform | Integrate business processes and enable quick updates to data, such as sales numbers, KPIs, and other reports. | [Teams integration with Microsoft Power Platform](/microsoftteams/platform/samples/teams-low-code-solutions) and [Manage Microsoft Power Platform apps in the Microsoft Teams admin center](/microsoftteams/manage-power-platform-apps) | - |
+| Power Apps and the Power Platform | Integrate business processes and enable quick updates to data, such as sales numbers, KPIs, and other reports. | [Teams integration with Microsoft Power Platform](/microsoftteams/platform/samples/teams-low-code-solutions) and [Manage Microsoft Power Platform apps in the Teams admin center](/microsoftteams/manage-power-platform-apps) | |
| SharePoint | A new, connected SharePoint site is created whenever you create a new team. You can use SharePoint to store files, post news, and make sure your workers have access to important information. | [Teams and SharePoint integration](/sharepoint/teams-connected-sites) | [Add a SharePoint page, list, or document library as a tab in Teams](https://support.microsoft.com/office/add-a-sharepoint-page-list-or-document-library-as-a-tab-in-teams-131edef1-455f-4c67-a8ce-efa2ebf25f0b)|
-| Viva Connections | Viva Connections creates a hub in Teams where your frontline team can view a tailored news feed from your organization and a personalized dashboard with resources they need. | [Overview of Viva Connections](/sharepoint/viva-connections-overview) | [Viva Connections in Microsoft Teams](https://support.microsoft.com/office/your-intranet-is-now-in-microsoft-teams-8b4e7f76-f305-49a9-b6d2-09378476f95b) |
-| Viva Learning | Provide initial and ongoing training to make sure your employees are up-to-date with their skills and knowledge base. | [Manage Viva Learning](/microsoft-365/learning/) | [Use Viva Learning](https://support.microsoft.com/office/viva-learning-preview-01bfed12-c327-41e0-a68f-7fa527dcc98a) |
-| Viva Engage | Connect your entire organization and enable communication across departments and regions. | [Overview of Viva Engage](/viva/engage/overview) | [Use Viva Engage](https://support.microsoft.com/topic/getting-started-with-microsoft-viva-engage-729f9fce-3aa6-4478-888c-a1543918c284) |
-For more about successfully implementing and adopting Teams, see [Adopt Microsoft Teams](/microsoftteams/adopt-microsoft-teams-landing-page).
+To learn more about successfully implementing and adopting Teams, see [Adopt Microsoft Teams](/microsoftteams/adopt-microsoft-teams-landing-page).
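Review bot: the Power Platform row shortens the link text to "Manage Microsoft Power Platform apps in the Teams admin center", but the same row in the manufacturing and retail tables further down still reads "in the Microsoft Teams admin center". Pick one wording for the link text and apply it to all three tables so the frontline pages stay consistent.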
frontline Teams For Manufacturing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/teams-for-manufacturing.md
searchScope:
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 09/27/2022 Last updated : 02/07/2024 # Get started with Microsoft 365 for Manufacturing
Last updated 09/27/2022
Empower your frontline workforce with digital tools and modern devices that offer the best experiences for collaboration and productivity. Microsoft 365 can help you transform your workforce with productivity apps, intelligent cloud services, and increased security. 1. [Choose your scenarios](#choose-your-scenarios) you want to implement for your business.
-2. [Set up Microsoft 365](flw-setup-microsoft-365.md) - Set up Microsoft 365's core elements, Microsoft Teams, and any other services you need.
+2. [Set up Microsoft 365](flw-setup-microsoft-365.md) - Set up Microsoft 365, Microsoft Teams, and any other services you need.
3. [Configure services and apps](#configure-services-and-apps) - Use team templates to set up the teams you need quickly, including the channels and apps you need for your business. Add in other apps from Microsoft as needed to support your scenarios. ## Choose your scenarios
-Microsoft 365 and Microsoft Teams offer several capabilities that can help manufacturing organizations with their daily operations and digital transformation. We recommend the following scenarios for manufacturers:
+Microsoft 365 and Microsoft Teams offers capabilities that help manufacturing organizations enhance productivity in their daily operations and digital transformation. We recommend the following scenarios for manufacturers:
- [Connect and engage your workforce](#connect-and-engage-your-workforce) - [Enhance workforce management](#enhance-workforce-management)
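Review bot: subject-verb agreement breaks in the rewritten "Choose your scenarios" intro, where "Microsoft 365 and Microsoft Teams offers capabilities" has a plural subject with a singular verb. The retail page's version of this sentence uses "offer"; change this one to "Microsoft 365 and Microsoft Teams offer capabilities that help ..." to match.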
Microsoft 365 and Microsoft Teams offer several capabilities that can help manuf
- [Onboard and train employees](#onboard-and-train-employees) > [!NOTE]
-> For all of these capabilities, users must have an appropriate license. Microsoft 365 for frontline workers F1 and F3 or Office 365 F3, Office 365 A3, A5, E3, and E5, as well as Microsoft 365 Business Standard, Business Premium, A3, A5, E3, and E5 are all supported. For more information about general Teams licensing, see [Manage user access to Teams](/microsoftteams//user-access). See [Licensing options for frontline workers](flw-licensing-options.md) for more about using Microsoft 365 for frontline workers in combination with other licenses.
+> For all these capabilities, users must have an appropriate license. For more information about general Teams licensing, see [Manage user access to Teams](/microsoftteams//user-access). Check out [Understand frontline worker user types and licensing](flw-licensing-options.md) to learn more about using Microsoft 365 for frontline workers in combination with other licenses. For a detailed comparison of what's included in Microsoft 365 enterprise plans, see the [Modern work plan comparison](https://go.microsoft.com/fwlink/p/?linkid=2139145) table.
### Connect and engage your workforce Empower your frontline workers to engage with each other and your broader organization using communication tools and platforms.
-**Key apps:** Walkie Talkie, Chat, Praise
+**Key apps and capabilities:** Walkie Talkie, Praise, Viva Connections, Viva Engage, Chat
-**Additional
+**Additional
More information: [Frontline team collaboration](flw-team-collaboration.md) and [Corporate communications](flw-corp-comms.md)
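Review bot: the rewritten licensing note still carries the doubled slash in the link target `(/microsoftteams//user-access)`, copied over from the removed line. Since the sentence is being rewritten anyway, correct it to `/microsoftteams/user-access`. The same note is repeated on the retail page with the same link, so fix both in this change.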
More information: [Frontline team collaboration](flw-team-collaboration.md) and
- Track key performance indicators (KPIs) with Power BI reports - Keep track of everything else with Lists
-**Key features and apps:** Lists
+**Key apps:** Lists
**Additional
More information: [Simplify business processes](simplify-business-processes.md)
Make sure that all your workers have the knowledge and capabilities they need to succeed.
-**Additional
+**Key apps:** Viva Learning, Viva Connections, Viva Engage
+
+**Additional
More information: [Training and onboarding](flw-onboarding-training.md)
More information: [Training and onboarding](flw-onboarding-training.md)
### Apps and services for manufacturing
-Ensure that your workers can communicate, collaborate, and deliver great products with apps like Shifts, Tasks, Lists, Praise, and more. You can determine which apps are available for your users by enabling them in the Teams admin center or by including them in a team template. More information about [managing Teams apps](/microsoftteams/manage-apps).
+Ensure that your workers can communicate, collaborate, and deliver great products with apps like Shifts, Tasks, Lists, Praise, and more. You can determine which apps are available for your users by enabling them in the Teams admin center or by using a team template. Learn more about [managing Teams apps](/microsoftteams/manage-apps).
-For manufacturing environments, the following apps and services can help you transform your business processes and support communication:
+For manufacturing environments, the following apps and services can help you transform your business processes and support communication.
| Teams apps and services | Description | Manage | Help | | -- | -- | -- | -- |
For manufacturing environments, the following apps and services can help you tra
| Documents and files | Share standard operating procedures, manuals, diagrams, inspection records, and more. | [Teams and SharePoint integration](/sharepoint/teams-connected-sites) | [Share files](https://support.microsoft.com/office/upload-and-share-files-57b669db-678e-424e-b0a0-15d19215cb12) | | Praise | Recognize coworkers for great teamwork with the Praise app. | [Manage the Praise app](/microsoftteams/manage-praise-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Send Praise to people](https://support.microsoft.com/office/send-praise-to-people-50f26b47-565f-40fe-8642-5ca2a5ed261e) | | Shifts | Manage schedules and clock in and out with Shifts. | [Manage the Shifts app](/microsoftteams/expand-teams-across-your-org/shifts/manage-the-shifts-app-for-your-organization-in-teams?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Shifts](https://support.microsoft.com/office/what-is-shifts-f8efe6e4-ddb3-4d23-b81b-bb812296b821) |
-| Tasks | Foremen and supervisors can assign tasks to let workers know what to focus on. Your organization's central office can use [task publishing](/microsoftteams/manage-tasks-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json#task-publishing) to send out tasks to locations and track progress across those locations. | [Manage the Tasks app](/microsoftteams/manage-tasks-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Tasks](https://support.microsoft.com/office/use-the-tasks-app-in-teams-e32639f3-2e07-4b62-9a8c-fd706c12c070) |
+| Tasks | Supervisors can assign tasks to let workers know what to focus on. Your organization's central office can use [task publishing](/microsoftteams/manage-tasks-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json#task-publishing) to send out tasks to locations and track progress across those locations. | [Manage the Tasks app](/microsoftteams/manage-tasks-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Tasks](https://support.microsoft.com/office/use-the-tasks-app-in-teams-e32639f3-2e07-4b62-9a8c-fd706c12c070) |
| Updates | Check in on recurring and one-off priorities such as machinery repairs and inspections. Supervisors can create templates for employees to fill out and submit. | [Manage the Updates app](/microsoftteams/manage-updates-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Updates](https://support.microsoft.com/office/get-started-in-updates-c03a079e-e660-42dc-817b-ca4cfd602e5a) |
+| Viva Connections | Viva Connections creates an experience in Teams that connects employees with tools, news, and resources. Employees can view a tailored news feed from your organization and a personalized dashboard with the resources they need. For example, you could create a Manuals card so your operators can easily find all the necessary manuals. | [Overview of Viva Connections](/viva/connections/viva-connections-overview) | [Use Viva Connections](https://support.microsoft.com/office/your-intranet-is-now-in-microsoft-teams-8b4e7f76-f305-49a9-b6d2-09378476f95b) |
+| Viva Learning | Provide initial and ongoing training to make sure your employees are up-to-date with their skills and knowledge base. | [Overview of Viva Learning](/viva/learning/overview-viva-learning) | [Use Viva Learning](https://support.microsoft.com/office/viva-learning-preview-01bfed12-c327-41e0-a68f-7fa527dcc98a) |
+| Viva Engage | Connect your entire organization and enable communication across departments and regions with Viva Engage. | [Overview of Viva Engage](/viva/engage/overview) | [Use Viva Engage](https://support.microsoft.com/topic/getting-started-with-microsoft-viva-engage-729f9fce-3aa6-4478-888c-a1543918c284) |
| More apps and services from Microsoft | Description | Manage | Help | | -- | -- | -- | -- |
-| Power Apps and the Power Platform | Integrate business processes and enable quick updates to data, such as machine downtime, KPIs, and other reports. | [Teams integration with Microsoft Power Platform](/microsoftteams/platform/samples/teams-low-code-solutions) and [Manage Microsoft Power Platform apps in the Microsoft Teams admin center](/microsoftteams/manage-power-platform-apps) | - |
+| Power Apps and the Power Platform | Integrate business processes and enable quick updates to data, such as machine downtime, KPIs, and other reports. | [Teams integration with Microsoft Power Platform](/microsoftteams/platform/samples/teams-low-code-solutions) and [Manage Microsoft Power Platform apps in the Microsoft Teams admin center](/microsoftteams/manage-power-platform-apps) | |
| SharePoint | A new, connected SharePoint site is created whenever you create a new team. You can use SharePoint to store files, post news, and make sure your workers have access to important information. | [Teams and SharePoint integration](/sharepoint/teams-connected-sites) | [Add a SharePoint page, list, or document library as a tab in Teams](https://support.microsoft.com/office/add-a-sharepoint-page-list-or-document-library-as-a-tab-in-teams-131edef1-455f-4c67-a8ce-efa2ebf25f0b)|
-| Viva Connections | Viva Connections creates a hub in Teams where your frontline team can view a tailored news feed from your organization and a personalized dashboard with resources they need. For example, you could create a Manuals card so your operators can find all the necessary manuals easily. | [Overview of Viva Connections](/sharepoint/viva-connections-overview) | [Viva Connections in Microsoft Teams](https://support.microsoft.com/office/your-intranet-is-now-in-microsoft-teams-8b4e7f76-f305-49a9-b6d2-09378476f95b) |
-| Viva Learning | Provide initial and ongoing training to make sure your employees are up to date with their skills and knowledge base. | [Manage Viva Learning](/microsoft-365/learning/) | [Use Viva Learning](https://support.microsoft.com/office/viva-learning-preview-01bfed12-c327-41e0-a68f-7fa527dcc98a) |
-| Viva Engage | Connect your entire organization and enable communication across plants and regions. | [Overview of Viva Engage](/viva/engage/overview) | [Use Viva Engage](https://support.microsoft.com/topic/getting-started-with-microsoft-viva-engage-729f9fce-3aa6-4478-888c-a1543918c284) |
-For more about successfully implementing and adopting Teams, see [Adopt Microsoft Teams](/microsoftteams/adopt-microsoft-teams-landing-page).
+To learn more about successfully implementing and adopting Teams, see [Adopt Microsoft Teams](/microsoftteams/adopt-microsoft-teams-landing-page).
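Review bot: the relocated Viva Learning row reads "up-to-date with their skills", while the row it replaces in the lower table had "up to date". The phrase follows the verb here, so the unhyphenated form is the correct one; keep "up to date" when moving the row.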
frontline Teams For Retail Landing Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/teams-for-retail-landing-page.md
searchScope:
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 02/01/2023 Last updated : 02/07/2024 # Get started with Microsoft 365 for retail organizations
-Retail environments, with their rotating schedules and on-the-go staff, have very different needs than other organizations. To get the most benefit for your retail organization, you first choose which scenarios Microsoft 365 and Microsoft Teams can help you with in your day-to-day business operations, and then make sure that you prepare your Teams environment with the right fundamentals, teams, and apps to support those scenarios.
+Retail environments, with their rotating schedules and on-the-go staff, have very different needs than other organizations. To get the most benefit for your retail organization, first choose which scenarios Microsoft 365 and Microsoft Teams can help you with in your day-to-day business operations, and then make sure that you prepare your Teams environment with the right fundamentals, teams, and apps to support those scenarios.
1. [Choose your scenarios](#choose-your-scenarios) you want to implement for your business. :::image type="content" source="media/retail-teams-scenarios.png" alt-text="Diagram showing Teams scenarios for retail." lightbox="media/retail-teams-scenarios.png":::
-2. [Set up Microsoft 365](flw-setup-microsoft-365.md) - Set up Microsoft 365's core elements, Microsoft Teams, and any other services you need.
+2. [Set up Microsoft 365](flw-setup-microsoft-365.md) - Set up Microsoft 365, Microsoft Teams, and any other services you need.
3. [Configure services and apps](#configure-services-and-apps) - Use team templates to set up the teams you need quickly, including the channels and apps you need for your business. Add in other apps from Microsoft as needed to support your scenarios. :::image type="content" source="media/retail-teams-apps.png" alt-text="Diagram showing teams, team templates and apps that can be included." lightbox="media/retail-teams-apps.png"::: ## Choose your scenarios
-Microsoft 365 and Microsoft Teams offer several capabilities that can help retail organizations with their daily operations and digital transformation. We recommend the following scenarios for retail organizations:
+Microsoft 365 and Teams offer capabilities that can help retail organizations enhance productivity in their daily operations and digital transformation. We recommend the following scenarios for retail organizations:
[![In-store communication and collaboration.](media/retail-scenarios-in-store.png)](#in-store-communication-and-collaboration) [![Cross-store communication and collaboration.](media/retail-scenarios-cross-store.png)](#cross-store-communication-and-collaboration) [![Virtual fittings and consultations.](media/retail-scenarios-virtual-visits.png)](#virtual-fittings-and-consultations) [![Simplify business processes.](media/retail-scenarios-business-processes.png)](#simplify-business-processes) [![Corporate communications.](media/retail-scenarios-corp-comms.png)](#corporate-communications) [![Onboarding new employees.](media/retail-scenarios-onboarding.png)](#onboarding-new-employees)
Use the following poster to start envisioning what your organization can do with
| Item | Description | |:--|:--|
-|[![Microsoft 365 for frontline workers: Retail scenarios.](media/m365-frontline-retail-thumb.png)](https://go.microsoft.com/fwlink/?linkid=2206476) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206476) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206271) <br>Updated September 2022 |This poster provides an overview of the scenarios you can implement for your frontline workforce in a retail setting.|
+|[![Microsoft 365 for frontline workers: Retail scenarios.](media/m365-frontline-retail-thumb.png)](https://go.microsoft.com/fwlink/?linkid=2206476) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206476) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206271) <br>Updated January 2024 |This poster provides an overview of the scenarios you can implement for your frontline workforce in a retail setting.|
-### Video overviews
+<!-- ### Video overviews
Watch the following video to see how you can help your store associates connect and collaborate:
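Review bot: the "Video overviews" section is hidden by opening an HTML comment on the heading line (`<!-- ### Video overviews`) and closing it on the last embed line (`embed/RWRzfc]-->`). The commented-out text stays in the public source, and a closer glued to the end of a blockquote line is easy to break in a later edit. If the videos are retired, delete the section; if this is temporary, put `<!--` and `-->` on their own lines.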
Watch the following video to see how you can help your store associates connect
Watch the following video to see how you can simplify business processes in retail environments:
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWRzfc]
-
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWRzfc]-->
### In-store communication and collaboration Bring in-store associates and management together to collaborate and streamline operations with Teams and Teams apps.
-**Key apps:** Shifts, Walkie Talkie, Tasks, Approvals, Chat, Praise, Lists, Files, Updates
+**Key apps and capabilities:** Shifts, Walkie Talkie, Tasks, Approvals, Praise, Lists, Updates, Viva Connections, Chat, Files
-**Additional
+**Additional
More information: [Frontline team collaboration](flw-team-collaboration.md)
More information: [Frontline team collaboration](flw-team-collaboration.md)
Staff members can communicate and collaboration across multiple stores in a region, or with headquarters using the same tools and apps you use within your store.
-**Key apps:** Shifts, Walkie Talkie, Tasks, Approvals, Chat, Praise, Lists, Files, Updates
+**Key apps and capabilities:** Shifts, Walkie Talkie, Tasks, Approvals, Praise, Lists, Updates, Viva Connections, Viva Engage, Chat, Files
-**Additional
+**Additional
More information: [Frontline team collaboration](flw-team-collaboration.md) ### Virtual fittings and consultations
-Use the Virtual Appointments app or the Bookings app in Microsoft Teams to schedule and manage virtual appointments such as virtual shopping experiences for associates and customers.
+Use the Virtual Appointments app in Teams to schedule and manage virtual appointments such as virtual shopping experiences for associates and customers.
-**Key features and apps:** meetings, Virtual Appointments, Bookings
+**Key apps and capabilities:** Virtual Appointments, meetings
More information: [Virtual Appointments with Microsoft Teams](virtual-appointments.md)
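Review bot: the unchanged sentence at the top of this hunk, "Staff members can communicate and collaboration across multiple stores", has a wrong word form that this edit leaves in place. The lines directly under it are being rewritten, so fix it in the same change: "communicate and collaborate across multiple stores".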
More information: [Simplify business processes](simplify-business-processes.md)
### Corporate communications
-Employee engagement is a significant contributor to workplace satisfaction, loyalty, and productivity at any organization. Learn how to keep everyone informed and engaged using SharePoint, Teams, Viva Engage, Stream, and Viva Connections.
+Employee engagement is a significant contributor to workplace satisfaction, loyalty, and productivity at any organization. Learn how to keep everyone informed and engaged using SharePoint, Teams, Viva Engage, and Viva Connections.
+
+**Key apps:** Viva Connections, Viva Engage
-**Additional
+**Additional
More information: [Corporate communications with frontline workers](flw-corp-comms.md)
More information: [Corporate communications with frontline workers](flw-corp-com
Make new employee onboarding a great experience by fostering an all-in-one hybrid work environment where new employees can find important resources, meet people in their organization, and prepare to be successful in their new role.
-**Key apps:** Lists, Live Meetings
+**Key apps and capabilities:** Lists, Viva Learning, Viva Engage, meetings
-**Additional
+**Additional
More information: [Onboard new employees](flw-onboarding-training.md) > [!NOTE]
-> For all of these capabilities, users must have an appropriate license. Microsoft 365 for frontline workers F1 and F3 or Office 365 F3, Office 365 A3, A5, E3, and E5, as well as Microsoft 365 Business Standard, Business Premium, A3, A5, E3, and E5 are all supported. For more information about general Teams licensing, see [Manage user access to Teams](/microsoftteams//user-access). See [Licensing options for frontline workers](flw-licensing-options.md) for more about using Microsoft 365 for frontline workers in combination with other licenses.
+> For all these capabilities, users must have an appropriate license. For more information about general Teams licensing, see [Manage user access to Teams](/microsoftteams//user-access). Check out [Understand frontline worker user types and licensing](flw-licensing-options.md) to learn more about using Microsoft 365 for frontline workers in combination with other licenses. For a detailed comparison of what's included in Microsoft 365 enterprise plans, see the [Modern work plan comparison](https://go.microsoft.com/fwlink/p/?linkid=2139145) table.
## Configure services and apps
More information: [Onboard new employees](flw-onboarding-training.md)
### Apps and services for retail
-Ensure that your workers can communicate, collaborate, and deliver great customer service with apps like Shifts, Walkie Talkie, Tasks, Lists, Praise, and more. You can determine which apps are available for your users by enabling them in the Teams admin center or by including them in a team template. More information about [managing Teams apps](/microsoftteams/manage-apps).
+Ensure that your workers can communicate, collaborate, and deliver great customer service with apps like Shifts, Walkie Talkie, Tasks, Lists, Praise, and more. You can determine which apps are available for your users by enabling them in the Teams admin center or by using a team template. Learn more about [managing Teams apps](/microsoftteams/manage-apps).
-For retail environments, the following apps and services can help you transform your business processes and support communication:
+For retail environments, the following apps and services can help you transform your business processes and support communication.
| Teams apps and services | Description | Manage | Help | | -- | -- | -- | -- |
-| Approvals | Approvals can be integrated into chat for easy sign-off. | [Manage Approvals](/microsoftteams/approval-admin?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Approvals](https://support.microsoft.com/office/what-is-approvals-a9a01c95-e0bf-4d20-9ada-f7be3fc283d3) |
+| Approvals | Approvals can be integrated into chat for easy sign off. | [Manage Approvals](/microsoftteams/approval-admin?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Approvals](https://support.microsoft.com/office/what-is-approvals-a9a01c95-e0bf-4d20-9ada-f7be3fc283d3) |
| Chat | Enable quick conversations and checkins between staff with secure, enterprise-grade communications tools, instead of consumer grade apps or SMS. | [Chat, teams, channels & apps in Microsoft Teams](/microsoftteams/deploy-chat-teams-channels-microsoft-teams-landing-page) | [Chat in Teams](https://support.microsoft.com/office/start-and-pin-chats-a864b052-5e4b-4ccf-b046-2e26f40e21b5?wt.mc_id=otc_microsoft_teams) | | Documents | Share standard operating procedures, store policies, plans, and more. | [Teams and SharePoint integration](/sharepoint/teams-connected-sites) | [Share files](https://support.microsoft.com/office/upload-and-share-files-57b669db-678e-424e-b0a0-15d19215cb12) | | Praise | Recognize coworkers for great teamwork with the Praise app. | [Manage the Praise app](/microsoftteams/manage-praise-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Send Praise to people](https://support.microsoft.com/office/send-praise-to-people-50f26b47-565f-40fe-8642-5ca2a5ed261e) |
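Review bot: in the Approvals row, "easy sign-off" becomes "easy sign off". The word is a noun here (the object of "for"), so it takes the hyphen; the original "sign-off" was correct and should be kept.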
For retail environments, the following apps and services can help you transform
| Shifts | Manage schedules and clock in and out with Shifts. | [Manage the Shifts app](/microsoftteams/expand-teams-across-your-org/shifts/manage-the-shifts-app-for-your-organization-in-teams?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Shifts](https://support.microsoft.com/office/what-is-shifts-f8efe6e4-ddb3-4d23-b81b-bb812296b821) | | Tasks | Help employees know what they should focus on when not with customers by assigning tasks. Operations can use [task publishing](/microsoftteams/manage-tasks-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json#task-publishing) to send out tasks to locations and track progress across those locations. | [Manage the Tasks app](/microsoftteams/manage-tasks-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Tasks](https://support.microsoft.com/office/use-the-tasks-app-in-teams-e32639f3-2e07-4b62-9a8c-fd706c12c070) | | Updates | Check in on recurring or one-off priorities such as daily cleaning. Managers can create templates for employees to fill out and submit. | [Manage the Updates app](/microsoftteams/manage-updates-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Updates](https://support.microsoft.com/office/get-started-in-updates-c03a079e-e660-42dc-817b-ca4cfd602e5a) |
-| Walkie Talkie | Push to talk quick communication that's not constrained by geography like standard 2-way radios.| [Manage the Walkie Talkie app](/microsoftteams/walkie-talkie?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Walkie Talkie](https://support.microsoft.com/office/get-started-with-teams-walkie-talkie-25bdc3d5-bbb2-41b7-89bf-650fae0c8e0c) |
-| Virtual Appointments| A central hub for all your virtual appointment needs. Schedule and manage virtual fittings and consultations, view analytics, and configure options, all in one place.| [Manage the Virtual Appointments app](/microsoftteams/manage-virtual-appointments-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [What is the Virtual Appointments app?](https://support.microsoft.com/topic/22df0079-e6d9-4225-bc65-22747fb2cb5f) |
-| Bookings | Schedule and manage virtual fittings and consultations.| [Manage the Bookings app](/microsoftteams/bookings-app-admin?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Bookings](https://support.microsoft.com/office/what-is-bookings-42d4e852-8e99-4d8f-9b70-d7fc93973cb5) |
+| Walkie Talkie | Instant push-to-talk communication that's not constrained by geography like standard two-way radios.| [Manage the Walkie Talkie app](/microsoftteams/walkie-talkie?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Walkie Talkie](https://support.microsoft.com/office/get-started-with-teams-walkie-talkie-25bdc3d5-bbb2-41b7-89bf-650fae0c8e0c) |
+| Virtual Appointments|Schedule and manage virtual fittings and consultations, view analytics, and more, in the Virtual Appointments app.| [Manage the Virtual Appointments app](/microsoftteams/manage-virtual-appointments-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [What is the Virtual Appointments app?](https://support.microsoft.com/topic/22df0079-e6d9-4225-bc65-22747fb2cb5f) |
+| Viva Connections | Viva Connections creates an experience in Teams that connects employees with tools, news, and resources. Retail associates can view a tailored news feed from your organization and a personalized dashboard with the resources they need. | [Overview of Viva Connections](/viva/connections/viva-connections-overview) | Use [Viva Connections](https://support.microsoft.com/office/your-intranet-is-now-in-microsoft-teams-8b4e7f76-f305-49a9-b6d2-09378476f95b) |
+| Viva Learning | Provide training when needed, right in the flow of their work.| [Overview of Viva Learning](/viva/learning/overview-viva-learning) | [Use Viva Learning](https://support.microsoft.com/office/viva-learning-preview-01bfed12-c327-41e0-a68f-7fa527dcc98a) |
+| Viva Engage | Connect your entire organization and enable communication across departments and regions with Viva Engage. | [Overview of Viva Engage](/viva/engage/overview) | [Use Viva Engage](https://support.microsoft.com/topic/getting-started-with-microsoft-viva-engage-729f9fce-3aa6-4478-888c-a1543918c284) |
| More apps and services from Microsoft | Description | Manage | Help | | -- | -- | -- | -- | | Power Apps and the Power Platform | Integrate business processes and enable quick updates to data, such as store inventory, sales numbers, incident reports, and more. | [Teams integration with Microsoft Power Platform](/microsoftteams/platform/samples/teams-low-code-solutions) and [Manage Microsoft Power Platform apps in the Microsoft Teams admin center](/microsoftteams/manage-power-platform-apps) | - |
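Review bot: in the new Viva Connections row the Help cell is written as `Use [Viva Connections](...)`, with "Use" outside the link, while the Viva Learning and Viva Engage rows added beside it, and the same row on the manufacturing page, use `[Use Viva Connections](...)`. Move "Use" inside the brackets. The Power Apps row in the table below also keeps `| - |` in its Help cell, where the manufacturing page was changed to an empty cell; align the two.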
-| SharePoint | When you create a new team, a new SharePoint site is created and connected to the team. Many of the scenarios above rely on SharePoint features already embedded in Teams, such as sharing documents for team collaboration. | [Teams and SharePoint integration](/sharepoint/teams-connected-sites) | [Add a SharePoint page, list, or document library as a tab in Teams](https://support.microsoft.com/office/add-a-sharepoint-page-list-or-document-library-as-a-tab-in-teams-131edef1-455f-4c67-a8ce-efa2ebf25f0b)|
-| Viva Connections | Viva Connections creates a hub in Teams where your retail associates can view a tailored news feed from your organization and a personalized dashboard with resources they need. | [Overview of Viva Connections](/sharepoint/viva-connections-overview) | [Viva Connections in Microsoft Teams](https://support.microsoft.com/office/your-intranet-is-now-in-microsoft-teams-8b4e7f76-f305-49a9-b6d2-09378476f95b) |
-| Viva Learning | Provide training when needed, right in the flow of their work. | [Manage Viva Learning](/microsoft-365/learning/) | [Use Viva Learning](https://support.microsoft.com/office/viva-learning-preview-01bfed12-c327-41e0-a68f-7fa527dcc98a) |
-| Viva Engage | Connect your organization and allow communication across departments and regions with Viva Engage. | [Overview of Viva Engage](/viva/engage/overview) | [Use Viva Engage](https://support.microsoft.com/topic/getting-started-with-microsoft-viva-engage-729f9fce-3aa6-4478-888c-a1543918c284) |
+| SharePoint | When you create a new team, a new SharePoint site is created and connected to the team. Many of the scenarios rely on SharePoint features already embedded in Teams, such as sharing documents for team collaboration. | [Teams and SharePoint integration](/sharepoint/teams-connected-sites) | [Add a SharePoint page, list, or document library as a tab in Teams](https://support.microsoft.com/office/add-a-sharepoint-page-list-or-document-library-as-a-tab-in-teams-131edef1-455f-4c67-a8ce-efa2ebf25f0b)|
### Retail templates for teams
-Create teams that include a predefined set of settings, channels, tabs, and pre-installed apps for communication and collaboration within an individual store, with a region, or between headquarters and your staff wherever they are.
+Create teams that include a predefined set of settings, channels, tabs, and preinstalled apps for communication and collaboration within an individual store, with a region, or between headquarters and your staff wherever they are.
-- The Retail **Organize a store** template includes channels for General, Shift Handoff, Store Readiness, and Learning, and includes the Approvals, Tasks, and Wiki apps.
+- The **Organize a store** template includes channels for General, Shift Handoff, Store Readiness, and Learning, and includes the Approvals, Tasks, and Wiki apps.
- The **Retail for managers** template includes channels for General, Operations, and Learning, and includes a Wiki tab.
-You can also [create a custom template](/microsoftteams/create-a-team-template) to include the apps your store needs. More information: [Get started with Retail team templates](/microsoftteams/get-started-with-retail-teams-templates?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json)
+You can also [create a custom template](/microsoftteams/create-a-team-template) to include the apps your store needs. To learn more, see [Use retail team templates](/microsoftteams/get-started-with-retail-teams-templates?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json)
## Get ready to roll out your scenarios - identify roles and responsibilities for scenarios
-Now that you know what scenarios you want to implement and what you need to support them, you can gather your team so you can plan, roll out, and monitor how they're working in your organization. For example, the following roles might be needed to roll out these scenarios in your organization:
+Now that you know what scenarios you want to implement and what you need to support them, you can gather your team so you can plan, roll out, and monitor how they're working in your organization. For example, the following roles might be needed to roll out these scenarios in your organization.
| Image | Role | Responsibilities | Department | | - | - | -- | -- |
-|<img src="/office/media/icons/administrator.png" alt="Administrator symbol."> | IT Administrator | Work with operations and retail management staff to define scenarios and how they'll work for the organization. <br><br>Configure settings in the Teams admin center, such as policies and templates, and enable apps. <br><br>Set up app settings (such as global Shifts settings) for the organization. <br><br>Add and license users. | IT department |
-|<img src="/office/media/icons/user-monitor.png" alt="User monitor symbol.">| Operations staff | Work with Administrators to define scenarios, and determine which settings, policies, templates, and apps are needed for Teams. <br><br>Create regional or divisional teams from templates. <br><br>Set up tasks, lists, and approval flows for coordination between stores within a region, or between stores and headquarters. <br><br>Set up learning framework for staff. | Central operations |
-|<img src="/office/media/icons/presenter-teams.png" alt="Presenter symbol."> | Store manager | Work with Administrators and Operations staff to define scenarios. <br><br>Create teams for the store from templates. <br><br>Set up channels and apps for the teams, as needed. For example: a channel for shift handovers. <br><br>Set up store schedules in Shifts. <br><br>Set up tasks, lists, updates, and approval flows that are specific to the store. <br><br>Set up learning tasks for staff. | Store management |
+|<img src="/office/media/icons/administrator.png" alt="Administrator symbol."> | IT administrator | Collaborate with operations and retail management staff to define scenarios and how they'll work for the organization. <br><br>Configure settings in the Teams admin center, such as policies and templates, and enable apps. <br><br>Set up app settings for the organization. <br><br>Add and license users. | IT department |
+|<img src="/office/media/icons/user-monitor.png" alt="User monitor symbol.">| Operations staff | Work with administrators to define scenarios, and determine which settings, policies, templates, and apps are needed for Teams. <br><br>Create regional or divisional teams from templates. <br><br>Set up tasks, lists, and approval flows for coordination between stores within a region, or between stores and headquarters. <br><br>Set up a learning framework for staff. | Central operations |
+|<img src="/office/media/icons/presenter-teams.png" alt="Presenter symbol."> | Store manager | Work with administrators and operations staff to define scenarios. <br><br>Create teams for the store from templates. <br><br>Set up channels and apps for the teams, as needed. For example, a channel for shift handovers. <br><br>Set up store schedules and settings in Shifts. <br><br>Set up tasks, lists, updates, and approval flows that are specific to the store. <br><br>Set up learning tasks for staff. | Store management |
-For more about successfully implementing and adopting Teams, see [Adopt Microsoft Teams](/microsoftteams/adopt-microsoft-teams-landing-page).
+To learn more about successfully implementing and adopting Teams, see [Adopt Microsoft Teams](/microsoftteams/adopt-microsoft-teams-landing-page).
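Review bot: The rewritten sentence under "Retail templates for teams" that ends with the `[Use retail team templates](...)` link has no closing period, unlike the other "To learn more, see" sentence added at the end of this file. Add the period after the link.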
security Defender Endpoint Demonstrations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstrations.md
The following table lists the available demonstrations alphabetically, with thei
| 2 |[Validate antimalware](/microsoft-365/security/defender-endpoint/validate-antimalware)| NGP |Confirm that antivirus/antimalware is detecting and blocking malware. | | 3 |[Potentially unwanted applications (PUA) demonstration](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-potentially-unwanted-applications)| NGP |Confirm that potentially unwanted applications (PUAs) are being blocked on your network by downloading a fake (safe) PUA file. | | 4 |[Cloud-delivered protection demonstration](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-cloud-delivered-protection)| NGP |Confirm that cloud-delivered protection is working properly on your computer. |
-| 5 |[Block at First Sight (BAFS) demonstration](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-block-at-first-sight-bafs)| NGP |With the BAFS feature in Microsoft Defender Antivirus, newly discovered files are analyzed and if needed blocked. |
-| 6 |[App reputation demonstration](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-app-reputation)| NGP |Navigate to the app reputation page to see the demonstration scenario using Microsoft Edge.|
-| 7 |[URL reputation demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-smartscreen-url-reputation)| NGP |Navigate to the URL Reputation page to see the demonstration scenarios using Microsoft Edge.|
-| 8 |[Network protection demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-network-protection)| ASR |Navigate to a suspicious URL to trigger network protection. |
-| 9 |[Attack surface reduction rules (ASR rules) demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-attack-surface-reduction-rules)| ASR |Download sample files to trigger each ASR rule.|
-| 10 |[Exploit protection (EP) demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-exploit-protection)| ASR | Apply custom exploit protection settings.|
-| 11 |[Controlled folder access (CFA) demonstration (block script)](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access-test-tool)| ASR | Download the CFA test tool.|
-| 12 |[Controlled folder access (CFA) demonstrations (block ransomware)](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access)| ASR | Download and execute a sample file to trigger CFA ransomware protection.|
-
+| 5 |[App reputation demonstration](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-app-reputation)| NGP | Navigate to the app reputation page to see the demonstration scenario using Microsoft Edge.|
+| 6 |[URL reputation demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-smartscreen-url-reputation)| NGP | Navigate to the URL Reputation page to see the demonstration scenarios using Microsoft Edge. |
+| 7 | [Network protection demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-network-protection)| ASR | Navigate to a suspicious URL to trigger network protection. |
+| 8 | [Attack surface reduction rules (ASR rules) demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-attack-surface-reduction-rules)| ASR | Download sample files to trigger each ASR rule. |
+| 9 | [Exploit protection (EP) demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-exploit-protection) | ASR | Apply custom exploit protection settings. |
+| 10 | [Controlled folder access (CFA) demonstration (block script)](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access-test-tool)| ASR | Download the CFA test tool. |
+| 11 | [Controlled folder access (CFA) demonstrations (block ransomware)](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access)| ASR| Download and execute a sample file to trigger CFA ransomware protection.|
## See also [Attack surface protection \(ASR\) overview](overview-attack-surface-reduction.md)
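Review bot: The renumbered rows use inconsistent cell padding (`| 5 |[App reputation` against `| 7 | [Network protection`, and `| ASR|` in row 11), so pick one spacing style for all added rows. The Block at First Sight row is dropped without a replacement, so confirm that nothing else in the article still refers to a BAFS demonstration or to the old row numbers.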
security Communicate Defender Experts Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/communicate-defender-experts-xdr.md
- essentials-manage search.appverid: met150 Previously updated : 01/29/2024 Last updated : 02/08/2024 # Communicating with experts in the Microsoft Defender Experts for XDR service
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
For more information on what's new with other Microsoft Defender security produc
You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter). +
+## February 2024
+- (Preview) **[Custom detection rules in Microsoft Graph security API](/graph/api/resources/security-api-overview?view=graph-rest-beta&preserve-view=true#custom-detections)** are now available. Create advanced hunting custom detection rules specific to your org to proactively monitor for threats and take action.
+ ## January 2024 - **Defender Boxed is available for a limited period of time**. Defender Boxed highlights your organization's security successes, improvements, and response actions during 2023. Take a moment to celebrate your organization's improvements in security posture, overall response to detected threats (manual and automatic), blocked emails, and more.
security Air About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-about.md
Permissions are granted through certain roles, such as those that are described
|Task|Role(s) required| |||
-|Set up AIR features|One of the following roles: <ul><li>Global Administrator</li><li>Security Administrator</li></ul> <br/> These roles can be assigned in [Microsoft Entra ID](/azure/active-directory/roles/permissions-reference) or in the [Microsoft Defender portal](mdo-portal-permissions.md).|
-|Start an automated investigation <p> or <p> Approve or reject recommended actions|One of the following roles, assigned in [Microsoft Entra ID](/azure/active-directory/roles/permissions-reference) or in the [Microsoft Defender portal](mdo-portal-permissions.md): <ul><li>Global Administrator</li><li>Security Administrator</li><li>Security Operator</li><li>Global Reader</li><li>Security Reader <br> and </li><li>Search and Purge (this role is assigned only in the [Microsoft Defender portal](mdo-portal-permissions.md). You might need to create a new **Email & collaboration** role group there and add the Search and Purge role to that new role group.</li></ul>|
+|Set up AIR features|One of the following roles: <ul><li>Global Administrator</li><li>Security Administrator</li></ul> <br/> These roles can be assigned in [Microsoft Entra ID](/entr).|
+|Start an automated investigation <p> or <p> Approve or reject recommended actions|One of the following roles, assigned in [Microsoft Entra ID](/entr). You might need to create a new **Email & collaboration** role group there and add the Search and Purge role to that new role group.</li></ul>|
## Required licenses
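Review bot: Both replacement rows in the permissions table cut the Microsoft Entra ID link target down to `/entr`, and the second row now ends in `</li></ul>` with no opening `<ul>` because the role list (Global Administrator through Search and Purge) and the Microsoft Defender portal link were removed with it. As written, "role group there" has nothing to refer to. Restore the role list and the Defender portal reference from the removed rows and change only the link path.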
security Attack Simulation Training Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-teams.md
The addition of Teams in Attack simulation training affects the following featur
In addition to having user reporting for Teams messages turned on as described in [User reported message settings in Microsoft Teams](submissions-teams.md), you also need to configure the Teams accounts that can be used as sources for simulation messages in Attack simulation training. To configure the accounts, do the following steps:
-1. Identify or create a user who's a member of the [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator), [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator), or [Attack Simulation Administrator](/azure/active-directory/roles/permissions-reference#attack-simulation-administrator) roles in Microsoft Entra ID. Assign a Microsoft 365, Office 365, Microsoft Teams Essentials, Microsoft 365 Business Basic, or a Microsoft 365 Business Standard license for [Microsoft Teams](/office365/servicedescriptions/teams-service-description). You need to know the password.
+1. Identify or create a user who's a member of the [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator), [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator), or [Attack Simulation Administrator](/entra/identity/role-based-access-control/permissions-reference#attack-simulation-administrator) roles in Microsoft Entra ID. Assign a Microsoft 365, Office 365, Microsoft Teams Essentials, Microsoft 365 Business Basic, or a Microsoft 365 Business Standard license for [Microsoft Teams](/office365/servicedescriptions/teams-service-description). You need to know the password.
2. Using the account from Step 1, open the Microsoft Defender portal at <https://security.microsoft.com> and go to **Email & collaboration** \> **Attack simulation training** \> **Settings** tab. Or, to go directly to the **Settings** tab, use <https://security.microsoft.com/attacksimulator?viewid=setting>. 3. On the **Settings** tab, select **Manager user accounts** in the **Teams simulation configuration** section. 4. In the **Teams simulation configuration** flyout that opens, select **Generate token**. Read the information in the confirmation dialog, and then select **I agree**.
security Detect And Remediate Illicit Consent Grants https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md
After you have identified an application with illicit permissions, you have seve
## See also -- [Unexpected application in my applications list](/azure/active-directory/application-access-unexpected-application) walks administrators through various actions they may want to take after realizing there are unexpected applications with access to data.-- [Integrating applications with Microsoft Entra ID](/azure/active-directory/active-directory-apps-permissions-consent) is a high-level overview of consent and permissions.-- [Problems developing my application](/azure/active-directory/active-directory-application-dev-development-content-map) provides links to various consent related articles.-- [Application and service principal objects in Microsoft Entra ID](/azure/active-directory/develop/active-directory-application-objects) provides an overview of the Application and Service principal objects that are core to the application model.-- [Manage access to apps](/azure/active-directory/active-directory-managing-access-to-apps) is an overview of the capabilities that administrators have to manage user access to apps.
+- [Applications listed in Enterprise applications](/entra/identity/enterprise-apps/application-list) walks administrators through various actions they may want to take after realizing there are unexpected applications with access to data.
+- [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app) is a high-level overview of consent and permissions.
+- [Configure token lifetime policies](/entra/identity-platform/configure-token-lifetimes) provides links to various consent related articles.
+- [Application and service principal objects in Microsoft Entra ID](/entra/identity-platform/app-objects-and-service-principals) provides an overview of the Application and Service principal objects that are core to the application model.
+- [Manage access to an application](/entra/identity/enterprise-apps/what-is-access-management) is an overview of the capabilities that administrators have to manage user access to apps.
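Review bot: In the "See also" list, the second and third added bullets keep the old descriptions under new link titles that no longer match them: a quickstart for registering an application is described as "a high-level overview of consent and permissions", and "Configure token lifetime policies" is described as providing "links to various consent related articles". Either point these bullets at articles that fit the descriptions or rewrite the descriptions to say what the new targets cover.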
security Detect And Remediate Outlook Rules Forms Attack https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack.md
The Rules and Forms exploits are only used by an attacker after they've stolen o
The best way to protect user accounts (especially admin accounts) is to [set up MFA for users](/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication). You should also: -- Monitor how user accounts are [accessed and used](/azure/active-directory/active-directory-view-access-usage-reports). You may not prevent the initial breach, but you can shorten the duration and the effects of the breach by detecting it sooner. You can use these [Office 365 Cloud App Security policies](/cloud-app-security/what-is-cloud-app-security) to monitor accounts and alert you to unusual activity:
+- Monitor how user accounts are [accessed and used](/entra/identity/monitoring-health/overview-monitoring-health). You may not prevent the initial breach, but you can shorten the duration and the effects of the breach by detecting it sooner. You can use these [Office 365 Cloud App Security policies](/cloud-app-security/what-is-cloud-app-security) to monitor accounts and alert you to unusual activity:
- **Multiple failed login attempts**: Triggers an alert when users perform multiple failed sign in activities in a single session with respect to the learned baseline, which could indicate an attempted breach.
security Email Security In Microsoft Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-security-in-microsoft-defender.md
You can use the **Submit to Microsoft** option in Explorer to report a message a
:::image type="content" source="../../media/submission-panel-explorer.png" alt-text="Screenshot of the submission flyout in Threat Explorer." lightbox="../../media/submission-panel-explorer.png":::
-5. Select the **It appears clean** checkbox if you want to get a second opinion from Microsoft and then select **Submit**.
+5. Select **It appears clean** if you're unsure and you want a verdict from Microsoft. Then select **Submit**.
-6. Select the **I've confirmed it's clean** checkbox if you are sure that it is clean. After clicking **Next**, you can specify whether you want to create an allow entry. You can specify how many days you want the allow entry to be active, add a note if needed, and then select **Submit**.
+6. Select **I've confirmed it's clean** if you're sure that the message is clean. After selecting **Next**, you can specify whether you want to create an allow entry. You can specify how many days you want the allow entry to be active, add a note if needed, and then select **Submit**.
## View phishing URL and click verdict data
security Mdo Deployment Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-deployment-guide.md
To configure EOP and Defender for Office 365 features, you need permissions. The
||| |Global Administrator in Azure AD|[About Microsoft 365 admin roles](/microsoft-365/admin/add-users/about-admin-roles)| |Organization Management in Email & collaboration role groups|[Role groups in Microsoft Defender for Office 365](scc-permissions.md#role-groups-in-microsoft-defender-for-office-365-and-microsoft-purview)|
-|Security Administrator in Azure AD|[Azure AD built-in roles](/azure/active-directory/roles/permissions-reference#security-administrator)
+|Security Administrator in Azure AD|[Azure AD built-in roles](/entra/identity/role-based-access-control/permissions-reference#security-administrator)
|Security Administrator in Email & collaboration role groups|[Role groups in Microsoft Defender for Office 365](scc-permissions.md#role-groups-in-microsoft-defender-for-office-365-and-microsoft-purview)| |Exchange Online Organization Management|[Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo)|
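Review bot: The changed Security Administrator row moves the link to the `/entra/...` path but keeps the label "Azure AD built-in roles" and the role name "Security Administrator in Azure AD", so the link text and its target now use different product names. The row also still lacks the closing `|` that the neighboring rows have; fix both while this line is being touched.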
If you decide to use custom policies, use the [Configuration analyzer](configura
## Step 3: Assign permissions to admins
-**Summary**: Assign the [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator) role in Azure Active Directory to other admins, specialists, and help desk personnel so they can do tasks in EOP and Defender for Office 365.
+**Summary**: Assign the [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) role in Azure Active Directory to other admins, specialists, and help desk personnel so they can do tasks in EOP and Defender for Office 365.
**Details**:
-You're probably already using the initial account that you used to enroll in Microsoft 365 to do all the work in this deployment guide. That account is an admin everywhere in Microsoft 365 (specifically, it's a member of the [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) role in Azure Active Directory (Azure AD)), and allows you to do pretty much anything. The required permissions were described earlier in this article at [Roles and permissions](#roles-and-permissions).
+You're probably already using the initial account that you used to enroll in Microsoft 365 to do all the work in this deployment guide. That account is an admin everywhere in Microsoft 365 (specifically, it's a member of the [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) role in Azure Active Directory (Azure AD)), and allows you to do pretty much anything. The required permissions were described earlier in this article at [Roles and permissions](#roles-and-permissions).
But, the intent of this step is to configure other admins to help you manage the features of EOP and Defender for Office 365 in the future. What you don't want is a lot of people with Global Administrator power who don't need it. For example, do they really need to delete/create accounts or make other users Global Administrators? The concept of _least privilege_ (assigning only the required permissions to do the job and nothing more) is a good practice to follow.
When it comes to assigning permissions for tasks in EOP and Defender for Office
- [Admin submissions and review of user reported messages](submissions-admin-review-user-reported-messages.md) - [User tags](user-tags-about.md)
-**For simplicity, we recommend using the [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator) role in Azure AD for others who need to configure settings in EOP and Defender for Office 365.**
+**For simplicity, we recommend using the [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) role in Azure AD for others who need to configure settings in EOP and Defender for Office 365.**
-For instructions, see [View and assign administrator roles in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-manage-roles-portal) and [Manage access to Microsoft Defender XDR with Azure Active Directory global roles](/microsoft-365/security/defender/m365d-permissions).
+For instructions, see [Assign Microsoft Entra roles to users](/entra/identity/role-based-access-control/manage-roles-portal) and [Manage access to Microsoft Defender XDR with Azure Active Directory global roles](/microsoft-365/security/defender/m365d-permissions).
## Step 4: Priority accounts and user tags
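Review bot: The new "For instructions, see" sentence mixes product names in one line: the first link is titled "Assign Microsoft Entra roles to users" and the second still reads "with Azure Active Directory global roles", and the bolded recommendation above it still says "role in Azure AD". The same link in mdo-portal-permissions.md is titled "with Microsoft Entra global roles", so use that title here and align the surrounding text.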
security Mdo Portal Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-portal-permissions.md
When you select a role, a details flyout opens that contains the description of
:::image type="content" source="../../media/permissions-manage-in-azure-ad-link.png" alt-text="The link to manage permissions in Microsoft Entra ID" lightbox="../../media/permissions-manage-in-azure-ad-link.png":::
-For more information, see [View and assign administrator roles in Microsoft Entra ID](/azure/active-directory/users-groups-roles/directory-manage-roles-portal) and [Manage access to Microsoft Defender XDR with Microsoft Entra global roles](/microsoft-365/security/defender/m365d-permissions).
+For more information, see [Assign Microsoft Entra roles to users](/entra/identity/role-based-access-control/manage-roles-portal) and [Manage access to Microsoft Defender XDR with Microsoft Entra global roles](/microsoft-365/security/defender/m365d-permissions).
|Role|Description| |||
-|**Global Administrator**|Access to all administrative features in all Microsoft 365 services. Only global administrators can assign other administrator roles. For more information, see [Global Administrator / Company Administrator](/azure/active-directory/roles/permissions-reference#global-administrator--company-administrator).|
-|**Compliance Data Administrator**|Keep track of your organization's data across Microsoft 365, make sure it's protected, and get insights into any issues to help mitigate risks. For more information, see [Compliance Data Administrator](/azure/active-directory/roles/permissions-reference#compliance-data-administrator).|
-|**Compliance Administrator**|Help your organization stay compliant with any regulatory requirements, manage eDiscovery cases, and maintain data governance policies across Microsoft 365 locations, identities, and apps. For more information, see [Compliance Administrator](/azure/active-directory/roles/permissions-reference#compliance-administrator).|
-|**Security Operator**|View, investigate, and respond to active threats to your Microsoft 365 users, devices, and content. For more information, see [Security Operator](/azure/active-directory/roles/permissions-reference#security-operator).|
-|**Security Reader**|View and investigate active threats to your Microsoft 365 users, devices, and content, but (unlike the Security operator) they don't have permissions to respond by taking action. For more information, see [Security Reader](/azure/active-directory/roles/permissions-reference#security-reader).|
-|**Security Administrator**|Control your organization's overall security by managing security policies, reviewing security analytics and reports across Microsoft 365 products, and staying up-to-speed on the threat landscape. For more information, see [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator).|
-|**Global Reader**|The read-only version of the **Global administrator** role. View all settings and administrative information across Microsoft 365. For more information, see [Global Reader](/azure/active-directory/roles/permissions-reference#global-reader).|
-|**Attack Simulation Administrator**|Create and manage all aspects of [attack simulation](attack-simulation-training-simulations.md) creation, launch/scheduling of a simulation, and the review of simulation results. For more information, see [Attack Simulation Administrator](/azure/active-directory/roles/permissions-reference#attack-simulation-administrator).|
-|**Attack Payload Author**|Create attack payloads but not actually launch or schedule them. For more information, see [Attack Payload Author](/azure/active-directory/roles/permissions-reference#attack-payload-author).|
+|**Global Administrator**|Access to all administrative features in all Microsoft 365 services. Only global administrators can assign other administrator roles. For more information, see [Global Administrator / Company Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator--company-administrator).|
+|**Compliance Data Administrator**|Keep track of your organization's data across Microsoft 365, make sure it's protected, and get insights into any issues to help mitigate risks. For more information, see [Compliance Data Administrator](/entra/identity/role-based-access-control/permissions-reference#compliance-data-administrator).|
+|**Compliance Administrator**|Help your organization stay compliant with any regulatory requirements, manage eDiscovery cases, and maintain data governance policies across Microsoft 365 locations, identities, and apps. For more information, see [Compliance Administrator](/entra/identity/role-based-access-control/permissions-reference#compliance-administrator).|
+|**Security Operator**|View, investigate, and respond to active threats to your Microsoft 365 users, devices, and content. For more information, see [Security Operator](/entra/identity/role-based-access-control/permissions-reference#security-operator).|
+|**Security Reader**|View and investigate active threats to your Microsoft 365 users, devices, and content, but (unlike the Security operator) they don't have permissions to respond by taking action. For more information, see [Security Reader](/entra/identity/role-based-access-control/permissions-reference#security-reader).|
+|**Security Administrator**|Control your organization's overall security by managing security policies, reviewing security analytics and reports across Microsoft 365 products, and staying up-to-speed on the threat landscape. For more information, see [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator).|
+|**Global Reader**|The read-only version of the **Global administrator** role. View all settings and administrative information across Microsoft 365. For more information, see [Global Reader](/entra/identity/role-based-access-control/permissions-reference#global-reader).|
+|**Attack Simulation Administrator**|Create and manage all aspects of [attack simulation](attack-simulation-training-simulations.md) creation, launch/scheduling of a simulation, and the review of simulation results. For more information, see [Attack Simulation Administrator](/entra/identity/role-based-access-control/permissions-reference#attack-simulation-administrator).|
+|**Attack Payload Author**|Create attack payloads but not actually launch or schedule them. For more information, see [Attack Payload Author](/entra/identity/role-based-access-control/permissions-reference#attack-payload-author).|
### Email & collaboration roles in the Microsoft Defender portal
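Review bot: The Global Administrator row carries the old anchor `#global-administrator--company-administrator` over to the new `/entra/identity/role-based-access-control/permissions-reference` path, while the other files in this same change link to that page with `#global-administrator`. Confirm which anchor exists on the new page and use it consistently, and update the link title "Global Administrator / Company Administrator" to match.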
security Mdo Sec Ops Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-sec-ops-guide.md
Permissions for managing Defender for Office 365 in the Microsoft Defender porta
The following permissions (roles and role groups) are available in Defender for Office 365 and can be used to grant access to security team members: - **Microsoft Entra ID**: Centralized roles that assign permissions for _all_ Microsoft 365 services, including Defender for Office 365. You can view the Microsoft Entra roles and assigned users in the Microsoft Defender portal, but you can't manage them directly there. Instead, you manage Microsoft Entra roles and members at <https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/RolesManagementMenuBlade/~/AllRoles/adminUnitObjectId//resourceScope/%2F>. The most frequent roles used by security teams are:
- - **[Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator)**
- - **[Security Reader](/azure/active-directory/roles/permissions-reference#security-reader)**
+ - **[Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator)**
+ - **[Security Reader](/entra/identity/role-based-access-control/permissions-reference#security-reader)**
- **Exchange Online** and **Email & collaboration**: Roles and role groups that grant permission specific to Microsoft Defender for Office 365. The following roles aren't available in Microsoft Entra ID, but can be important for security teams:
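Review bot: The two role links now point to `/entra/identity/role-based-access-control/`, but the unchanged sentence directly above them still sends admins to `https://aad.portal.azure.com/...` to manage Microsoft Entra roles. Please confirm in this same change whether that portal URL should be updated too, so the paragraph does not mix old and new entry points.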
The following permissions (roles and role groups) are available in Defender for
- **Tenant AllowBlockList Manager** (Exchange Online): Manage allow and block entries in the [Tenant Allow/Block List](tenant-allow-block-list-about.md). Blocking URLs, files (using file hash) or senders is a useful response action to take when investigating malicious email that was delivered.
- By default, this role is assigned only to the **Security Operator role group in Exchange Online**, not in Microsoft Entra ID. Membership in the **[Security Operator role in Microsoft Entra ID](/azure/active-directory/roles/permissions-reference#security-operator)** _doesn't_ allow you to manage entries the Tenant Allow/Block List.
+ By default, this role is assigned only to the **Security Operator role group in Exchange Online**, not in Microsoft Entra ID. Membership in the **[Security Operator role in Microsoft Entra ID](/entra/identity/role-based-access-control/permissions-reference#security-operator)** _doesn't_ allow you to manage entries the Tenant Allow/Block List.
Members of the **Security Administrator** or **Organization management** roles in Microsoft Entra ID or the corresponding role groups in Exchange Online _are_ able to manage entries in the Tenant Allow/Block List.
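Review bot: The rewritten line still reads "_doesn't_ allow you to manage entries the Tenant Allow/Block List", with "in" missing after "entries". Since the line is being touched for the link anyway, fix it to "manage entries in the Tenant Allow/Block List". This is the sentence that tells readers the Entra Security Operator role does not grant this permission, so it should read unambiguously.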
security Office 365 Ti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-ti.md
Microsoft Defender for Office 365 uses role-based access control. Permissions ar
> Although some roles, such as Security Administrator, can be assigned in the Microsoft Defender portal, consider using either the Microsoft 365 admin center or Microsoft Entra ID instead. For information about roles, role groups, and permissions, see the following resources: > > - [Permissions in the Microsoft Defender portal](mdo-portal-permissions.md)
-> - [Microsoft Entra built-in roles](/azure/active-directory/roles/permissions-reference)
+> - [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference)
|Activity|Roles and permissions| |||
security Pim In Mdo Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/pim-in-mdo-configure.md
The name of your user (here 'Alex') will appear under Eligible assignments on th
***Step 2***. Create the required second (elevated) permission group for additional tasks and assign eligibility.
-Using [Privileged Access groups](/azure/active-directory/privileged-identity-management/groups-features) we can now create our own custom groups and combine permissions or increase granularity where required to meet your organizational practices and needs.
+Using [Privileged Access groups](/entra/id-governance/privileged-identity-management/concept-pim-for-groups) we can now create our own custom groups and combine permissions or increase granularity where required to meet your organizational practices and needs.
### Create a role group requiring the permissions we need
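Review bot: The link text in the changed line is still "Privileged Access groups", while the new target is `concept-pim-for-groups`. If the feature name changed along with the URL, update the link text to match the destination so readers can find the same term on the target page. The sentence also switches from "we" and "our own custom groups" to "your organizational practices", which could be made consistent at the same time.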
security Priority Accounts Security Recommendations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/priority-accounts-security-recommendations.md
Microsoft 365 provides the following resources to help inform users in your orga
|||| |Microsoft 365|[Customizable learning pathways](/office365/customlearning/)|These resources can help you put together training for users in your organization.| |Microsoft 365 security|[Learning module: Secure your organization with built-in, intelligent security from Microsoft 365](/training/modules/security-with-microsoft-365)|This module enables you to describe how Microsoft 365 security features work together and to articulate the benefits of these security features.|
-|Multi-factor authentication|[Two-step verification: What is the additional verification page?](/azure/active-directory/user-help/multi-factor-authentication-end-user-first-time)|This article helps end users understand what multi-factor authentication is and why it's being used at your organization.|
+|Multi-factor authentication|[Download and install the Microsoft Authenticator app](https://support.microsoft.com/account-billing/351498fc-850a-45da-b7b6-27e523b8702a)|This article helps end users understand what multi-factor authentication is and why it's being used at your organization.|
|Attack simulation training|[Get started using Attack simulation training](attack-simulation-training-get-started.md)|Attack simulation training in Microsoft Defender for Office 365 Plan 2 allows admin to configure, launch, and track simulated phishing attacks against specific groups of users.| In addition, Microsoft recommends that users take the actions described in this article: [Protect your account and devices from hackers and malware](https://support.microsoft.com/office/066d6216-a56b-4f90-9af3-b3a1e9a327d6). These actions include:
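Review bot: In the Multi-factor authentication row, the link is now "Download and install the Microsoft Authenticator app", but the description cell is unchanged and still says the article "helps end users understand what multi-factor authentication is and why it's being used at your organization". Either update the description to say what the new article covers, or link to an article that matches the existing description.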
security Quarantine Admin Manage Messages Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files.md
In the **Submit to Microsoft for analysis** flyout that opens, configure the fol
- **Remove entry after**: The default value is **30 days**, but you can also select **1 day**, **7 days**, or a **Specific date** that's less than 30 days. - **Allow entry note**: Enter an optional note that contains additional information.
- - **It appears clean**: Select this option if you want to get a second opinion from Microsoft.
+ - **It appears clean**: Select this option if you're unsure and you want a verdict from Microsoft.
When you're finished on the **Submit to Microsoft for analysis** flyout, select **Submit**.
security Responding To A Compromised Email Account https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account.md
Follow the procedures in [Reset a business password for someone](/microsoft-365/
> > - If the on-premises identity is federated with Microsoft 365, you must change the on-premises account password on-premises, and then notify the administrator of the compromise. >
-> - Be sure to update app passwords. App passwords aren't automatically revoked when you reset the password. The user should delete existing app passwords and create new ones. For instructions, see [Create and delete app passwords from the Additional security verification page](/azure/active-directory/user-help/multi-factor-authentication-end-user-app-passwords#create-and-delete-app-passwords-from-the-additional-security-verification-page).
+> - Be sure to update app passwords. App passwords aren't automatically revoked when you reset the password. The user should delete existing app passwords and create new ones. For instructions, see [Manage app passwords for two-step verification](https://support.microsoft.com/account-billing/d6dc8c6d-4bf7-4851-ad95-6d07799387e9).
> > - We highly recommended that you enable multi-factor authentication (MFA) for the account. MFA is a good way to help prevent account compromise, and is very important for accounts with administrative privileges. For instructions, see [Set up multi-factor authentication](/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication).
security Safe Attachments For Spo Odfb Teams Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure.md
You turn on or turn off Safe Attachments for Office 365 for SharePoint, OneDrive
- To turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, you need to be a member of the **Organization Management** or **Security Administrator** role groups in the Microsoft Defender portal. For more information, see [Permissions in the Microsoft Defender portal](mdo-portal-permissions.md). -- To use SharePoint Online PowerShell to prevent people from downloading malicious files, you need to be member of the [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) or [SharePoint Administrator](/azure/active-directory/roles/permissions-reference#sharepoint-administrator) roles in Microsoft Entra ID.
+- To use SharePoint Online PowerShell to prevent people from downloading malicious files, you need to be member of the [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) or [SharePoint Administrator](/entra/identity/role-based-access-control/permissions-reference#sharepoint-administrator) roles in Microsoft Entra ID.
- Verify that audit logging is enabled for your organization (it's on by default). For instructions, see [Turn auditing on or off](/purview/audit-log-enable-disable).
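Review bot: The changed bullet keeps "you need to be member of", with the article missing; it should read "you need to be a member of". The line lists **Global Administrator** before **SharePoint Administrator**. Consider naming the narrower SharePoint role first, so readers reach for it before the tenant-wide one.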
security Safe Documents In E5 Plus Security About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-documents-in-e5-plus-security-about.md
Users don't need Defender for Endpoint installed on their local devices to get S
Safe Documents isn't included in Microsoft Defender for Office 365 licensing plans.
- For more information, see [Product names and service plan identifiers for licensing](/azure/active-directory/enterprise-users/licensing-service-plan-reference).
+ For more information, see [Product names and service plan identifiers for licensing](/entra/identity/users/licensing-service-plan-reference).
- They're using Microsoft 365 Apps for enterprise (formerly known as Office 365 ProPlus) version 2004 or later.
For more information, see the following articles:
- [View Microsoft 365 licenses and services with PowerShell](/microsoft-365/enterprise/view-licenses-and-services-with-microsoft-365-powershell) - [View Microsoft 365 account license and service details with PowerShell](/microsoft-365/enterprise/view-account-license-and-service-details-with-microsoft-365-powershell)-- [Product names and service plan identifiers for licensing](/azure/active-directory/enterprise-users/licensing-service-plan-reference)
+- [Product names and service plan identifiers for licensing](/entra/identity/users/licensing-service-plan-reference)
### Onboard to the Microsoft Defender for Endpoint service to enable auditing capabilities
security Scc Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/scc-permissions.md
Managing permissions in Defender for Office 365 or Microsoft Purview gives users
|**Quarantine Administrator**|Members can access all Quarantine actions. For more information, see [Manage quarantined messages and files as an admin in EOP](quarantine-admin-manage-messages-files.md)|Quarantine| |**Records Management**|Members can configure all aspects of records management, including retention labels and disposition reviews.|Disposition Management <br/><br/> RecordManagement <br/><br/> Retention Management <br/><br/> Scope Manager| |**Reviewer**|Members can access review sets in [eDiscovery (Premium)](/purview/ediscovery-overview) cases. Members of this role group can see and open the list of cases on the **eDiscovery \> Advanced** page in the Microsoft Purview compliance portal that they're members of. After the user accesses an eDiscovery (Premium) case, they can select **Review sets** to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Members of this role group can only access the data in a review set.|Review|
-|**Security Administrator**|Members have access to many security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals. <br/><br/> By default, this role group may not appear to have any members. However, the Security Administrator role from Microsoft Entra ID is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Microsoft Entra ID. <br/><br/> To manage permissions centrally, add and remove group members in the Microsoft Entra admin center. For more information, see [Microsoft Entra built-in roles](/azure/active-directory/roles/permissions-reference). If you edit this role group in these portals (membership or roles), those changes apply only to the security and compliance areas and not to any other services. <br/><br/> This role group includes all of the read-only permissions of the Security reader role, plus many additional administrative permissions for the same
+|**Security Administrator**|Members have access to many security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals. <br/><br/> By default, this role group may not appear to have any members. However, the Security Administrator role from Microsoft Entra ID is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Microsoft Entra ID. <br/><br/> To manage permissions centrally, add and remove group members in the Microsoft Entra admin center. For more information, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference). If you edit this role group in these portals (membership or roles), those changes apply only to the security and compliance areas and not to any other services. <br/><br/> This role group includes all of the read-only permissions of the Security reader role, plus many additional administrative permissions for the same
|**Security Operator**|Members can manage security alerts, and also view reports and settings of security features.|Compliance Search <br/><br/> Manage Alerts <br/><br/> Security Reader <br/><br/> Tag Contributor <br/><br/> Tag Reader <br/><br/> Tenant AllowBlockList Manager <br/><br/> View-Only Audit Logs <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts|
-|**Security Reader**|Members have read-only access to many security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals. <br/><br/> By default, this role group may not appear to have any members. However, the Security Reader role from Microsoft Entra ID is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Microsoft Entra ID. <br/><br/> To manage permissions centrally, add and remove group members in the Microsoft Entra admin center. For more information, see [Microsoft Entra built-in roles](/azure/active-directory/roles/permissions-reference). If you edit this role group in the portals (membership or roles), those changes apply only to security and compliance areas and not to any other services.|Compliance Manager Reader <br/><br/> Security Reader <br/><br/> Sensitivity Label Reader <br/><br/> Tag Reader <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts|
+|**Security Reader**|Members have read-only access to many security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals. <br/><br/> By default, this role group may not appear to have any members. However, the Security Reader role from Microsoft Entra ID is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Microsoft Entra ID. <br/><br/> To manage permissions centrally, add and remove group members in the Microsoft Entra admin center. For more information, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference). If you edit this role group in the portals (membership or roles), those changes apply only to security and compliance areas and not to any other services.|Compliance Manager Reader <br/><br/> Security Reader <br/><br/> Sensitivity Label Reader <br/><br/> Tag Reader <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts|
|**Service Assurance User**|Members can access the Service assurance section in the compliance portal. Service assurance provides reports and documents that describe Microsoft's security practices for customer data that's stored in Microsoft 365. It also provides independent third-party audit reports on Microsoft 365. For more information, see [Service assurance in the compliance portal](/purview/service-assurance).|Service Assurance View| |**Subject Rights Request Administrators**|Create subject rights requests.|Case Management <br/><br/> Compliance Manager Contribution <br/><br/> Compliance Manager Reader <br/><br/> Subject Rights Request Admin <br/><br/> View-Only Case| |**Subject Rights Request Approvers**|Approvers who are able to approve subject rights requests.|Compliance Manager Reader <br/><br/> Subject Rights Request Approver|
security Siem Server Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/siem-server-integration.md
Be sure that your current plan allows for Microsoft Sentinel integration (for ex
Note that you can choose tables from *any other Microsoft Defender product* you find helpful and applicable while completing the final step, (below).
-7. Select **EmailEvents**, **EmailUrlInfo**, **EmailAttachmentInfo**, and **EmailPostDeliveryEvents** > and **Apply Changes**.
+1. Select **EmailEvents**, **EmailUrlInfo**, **EmailAttachmentInfo**, and **EmailPostDeliveryEvents** > and **Apply Changes**.
## More resources
-[Integrate security solutions in Microsoft Defender for Cloud](/azure/security-center/security-center-partner-integration#exporting-data-to-a-siem)
+[Integrate security solutions in Microsoft Defender for Cloud](/azure/defender-for-cloud/partner-integration)
[Integrate Microsoft Graph Security API alerts with a SIEM](/graph/security-integration)
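Review bot: The renumbered step still reads "**EmailPostDeliveryEvents** > and **Apply Changes**", where the ">" before "and" looks like a leftover and makes the instruction hard to follow; "..., and **EmailPostDeliveryEvents**, and then select **Apply Changes**" would be clearer. In the More resources link, the old target carried the `#exporting-data-to-a-siem` anchor and the new one has none, so please check that the new page still lands readers on the SIEM export guidance this article is about.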
security Submissions Admin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin.md
For other ways that **admins** can report messages to Microsoft in the Defender
- **Choose at least one recipient who had an issue**: Specify the recipients to run a policy check against. The policy check determines if the email bypassed scanning due to user or organization policies or override. - **Why are you submitting this message to Microsoft?**: Select one of the following values:
- - **It appears suspicious**: Select this value to get a second opinion from Microsoft, select **Submit**, and then go to Step 6.
+ - **It appears suspicious**: Select this value if you're unsure and you want a verdict from Microsoft, select **Submit**, and then go to Step 6.
or
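Review bot: The new wording "Select this value if you're unsure and you want a verdict from Microsoft, select **Submit**, and then go to Step 6." runs the condition and the next two actions together, so it is not clear where the "if" clause ends. Split it: "Select this value if you're unsure and you want a verdict from Microsoft. Select **Submit**, and then go to Step 6." The same sentence pattern recurs in the later hunks of this file and should be changed consistently.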
After a few moments, the block entry is available on the **Domains & addresses**
- **File**: Select :::image type="icon" source="../../media/m365-cc-sc-import-icon.png" border="false"::: **Browse files** to find and select the file to submit. - **Why are you submitting this email attachment to Microsoft?**: Select one of the following values:
- - **It appears suspicious**: Select this value to get a second opinion from Microsoft, select **Submit**, and then go to Step 6.
+ - **It appears suspicious**: Select this value if you're unsure and you want a verdict from Microsoft, select **Submit**, and then go to Step 6.
or
After a few moments, the block entry is available on the **Files** tab on the **
- **URL**: Enter the full URL (for example, `https://www.fabrikam.com/marketing.html`), and then select it in the box that appears. You can enter up to 50 URLs at once. - **Why are you submitting this URL to Microsoft?**: Select one of the following values:
- - **It appears suspicious**: Select this value to get a second opinion from Microsoft, select **Submit**, and then go to Step 6.
+ - **It appears suspicious**: Select this value if you're unsure and you want a verdict from Microsoft, select **Submit**, and then go to Step 6.
or
After a few moments, the block entry is available on the **URL** tab on the **Te
- **Choose at least one recipient who had an issue**: Specify the recipients to run a policy check against. The policy check determines if the email was blocked due to user or organization policies or overrides. - **Why are you submitting this message to Microsoft?**: Select one of the following values:
- - **It appears clean**: Select this value to get a second opinion from Microsoft, select **Submit**, and then go to Step 6.
+ - **It appears clean**: Select this value if you're unsure and you want a verdict from Microsoft, select **Submit**, and then go to Step 6.
or
After a few moments, the associated allow entries appear on the **Domains & addr
- **File**: Select **Browse files** to find and select the file to submit. - **Why are you submitting the message to Microsoft?**: Select one of the following values:
- - **It appears clean**: Select this value to get a second opinion from Microsoft, select **Submit**, and then go to Step 6.
+ - **It appears clean**: Select this value if you're unsure and you want a verdict from Microsoft, select **Submit**, and then go to Step 6.
or
For URLs reported as false positives, we allow subsequent messages that contain
- **URL**: Enter the full URL (for example, `https://www.fabrikam.com/marketing.html`), and then select it in the box that appears. You can also provide a top level domain (for example, `https://www.fabrikam.com/*`), and then select it in the box that appears. You can enter up to 50 URL at once. - **Why are you submitting this URL to Microsoft?**: Select one of the following values:
- - **It appears clean**: Select this value to get a second opinion from Microsoft, select **Submit**, and then go to Step 6.
+ - **It appears clean**: Select this value if you're unsure and you want a verdict from Microsoft, select **Submit**, and then go to Step 6.
or
In the **Submit to Microsoft for analysis** flyout that opens, do the following
- **Email messages**: - **Why are you submitting this message to Microsoft?**: Select one of the following values:
- - **It appears clean** or **It appears suspicious**: Select one of these values to get a second opinion from Microsoft.
+ - **It appears clean** or **It appears suspicious**: Select one of these values if you're unsure and you want a verdict from Microsoft.
Select **Submit**, and then select **Done**.
security Tenant Wide Setup For Increased Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security.md
Be sure to visit these two areas in Microsoft Entra ID to complete tenant-wide s
If your organization includes offices with secure network access, add the trusted IP address ranges to Microsoft Entra ID as named locations. This feature helps reduce the number of reported false positives for sign-in risk events.
-See: [Named locations in Microsoft Entra ID](/azure/active-directory/conditional-access/location-condition)
+See: [Named locations in Microsoft Entra ID](/entra/identity/conditional-access/location-condition)
### Block apps that don't support modern authentication
security Zero Trust Continuous Access Evaluation Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365.md
Microsoft is working on additional Microsoft 365 services and clients to support
Continuous access evaluation will be included in all versions of Office 365 and Microsoft 365. Configuring Conditional Access policies requires Microsoft Entra ID P1, which is included in all Microsoft 365 versions. > [!NOTE]
-> See [this article](/azure/active-directory/conditional-access/concept-continuous-access-evaluation#limitations) for the limitations of continuous access evaluation.
+> See [this article](/entra/identity/conditional-access/concept-continuous-access-evaluation#limitations) for the limitations of continuous access evaluation.
## Scenarios supported by Microsoft 365
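Review bot: The changed note keeps the link text "[this article]", which says nothing about the destination. Since the link is being edited, use descriptive text such as "Limitations of continuous access evaluation" so the note is usable out of context and by screen readers. The Conditional Access link changed further down in this file uses the same "[this article]" text.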
Critical events include:
- Password is changed - User sessions are revoked - Multifactor authentication is enabled for the user-- Account risk increased based on the evaluation of the access from [Microsoft Entra ID Protection](/azure/active-directory/identity-protection/overview-identity-protection)
+- Account risk increased based on the evaluation of the access from [Microsoft Entra ID Protection](/entra/id-protection/overview-identity-protection)
Conditional Access policy evaluation occurs when the user account is no longer connecting from a trusted network.
The following Microsoft 365 services currently support continuous access evaluat
\** Calls, meetings, and chat in Teams do not conform to IP-based Conditional Access policies.
-For more information about how to set up a Conditional Access policy, see [this article](/azure/active-directory/conditional-access/overview).
+For more information about how to set up a Conditional Access policy, see [this article](/entra/identity/conditional-access/overview).
## Microsoft 365 clients supporting continuous access evaluation
For clients that don't support continuous access evaluation, the access token li
## See also -- [Continuous access evaluation](/azure/active-directory/conditional-access/concept-continuous-access-evaluation)-- [Conditional Access documentation](/azure/active-directory/conditional-access/overview)-- [Microsoft Entra ID Protection documentation](/azure/active-directory/identity-protection/overview-identity-protection)
+- [Continuous access evaluation](/entra/identity/conditional-access/concept-continuous-access-evaluation)
+- [Conditional Access documentation](/entra/identity/conditional-access/overview)
+- [Microsoft Entra ID Protection documentation](/entra/id-protection/overview-identity-protection)
security Zero Trust Identity Device Access Policies Common https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-common.md
Here's a one-page PDF summary:
- Users who will manage app protection and device compliance policies must be able to sign in to Intune as an **Intune Administrator** or **Global Administrator**. - Those users who only need to view configurations can be assigned the **Security Reader** or **Global Reader** roles.
-For more information about roles and permissions, see the article [Microsoft Entra built-in roles](/azure/active-directory/roles/permissions-reference).
+For more information about roles and permissions, see the article [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference).
### User registration
-Ensure your users register for multifactor authentication prior to requiring its use. If you have licenses that include Microsoft Entra ID P2, you can use the [MFA registration policy within Microsoft Entra ID Protection](/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy) to require that users register. We provide [communication templates](https://aka.ms/mfatemplates), you can download and customize, to promote registration.
+Ensure your users register for multifactor authentication prior to requiring its use. If you have licenses that include Microsoft Entra ID P2, you can use the [MFA registration policy within Microsoft Entra ID Protection](/entra/id-protection/howto-identity-protection-configure-mfa-policy) to require that users register. We provide [communication templates](https://aka.ms/mfatemplates), you can download and customize, to promote registration.
### Groups
-All Microsoft Entra groups used as part of these recommendations must be created as a **Microsoft 365** group *not a Security group*. This requirement is important for the deployment of sensitivity labels when securing documents in Microsoft Teams and SharePoint later on. For more information, see the article [Learn about groups and access rights in Microsoft Entra ID](/azure/active-directory/fundamentals/concept-learn-about-groups#group-types)
+All Microsoft Entra groups used as part of these recommendations must be created as a **Microsoft 365** group *not a Security group*. This requirement is important for the deployment of sensitivity labels when securing documents in Microsoft Teams and SharePoint later on. For more information, see the article [Learn about groups and access rights in Microsoft Entra ID](/entra/fundamentals/concept-learn-about-groups#group-types)
### Assigning policies
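Review bot: Under User registration, the changed line keeps the comma splice "We provide [communication templates](https://aka.ms/mfatemplates), you can download and customize, to promote registration."; "We provide communication templates that you can download and customize to promote registration." reads correctly. Under Groups, the changed line ends at the link without a closing period, and "a **Microsoft 365** group *not a Security group*" needs a comma before "not".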
Here's an example of group assignment and exclusions for requiring MFA after you
Be careful when applying higher levels of protection to groups and users. **The goal of security isn't to add unnecessary friction** to the user experience. For example, members of the *Top Secret Project Buckeye group* will be required to use MFA every time they sign in, even if they aren't working on the specialized security content for their project. Excessive security friction can lead to fatigue.
-You may consider enabling [passwordless authentication methods](/azure/active-directory/authentication/concept-authentication-passwordless), like Windows Hello for Business or FIDO2 security keys to reduce some friction created by certain security controls.
+You may consider enabling [passwordless authentication methods](/entra/identity/authentication/concept-authentication-passwordless), like Windows Hello for Business or FIDO2 security keys to reduce some friction created by certain security controls.
### Emergency access accounts
-All organizations should have at least one emergency access account that is monitored for use and excluded from policies. **These accounts are only used in case all other administrator accounts and authentication methods become locked out or otherwise unavailable**. More information can be found in the article, [Manage emergency access accounts in Microsoft Entra ID](/azure/active-directory/roles/security-emergency-access).
+All organizations should have at least one emergency access account that is monitored for use and excluded from policies. **These accounts are only used in case all other administrator accounts and authentication methods become locked out or otherwise unavailable**. More information can be found in the article, [Manage emergency access accounts in Microsoft Entra ID](/entra/identity/role-based-access-control/security-emergency-access).
### Exclusions
Once your app protection and device compliance policies are created in Intune, y
### Require MFA based on sign-in risk
-Follow the guidance in the article [Common Conditional Access policy: Sign-in risk-based multifactor authentication](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk) to create a policy to require multifactor authentication based on sign-in risk.
+Follow the guidance in the article [Common Conditional Access policy: Sign-in risk-based multifactor authentication](/entra/identity/conditional-access/howto-conditional-access-policy-risk) to create a policy to require multifactor authentication based on sign-in risk.
When configuring your policy, use the following risk levels.
When configuring your policy, use the following risk levels.
### Block clients that don't support multifactor authentication
-Follow the guidance in the article [Common Conditional Access policy: Block legacy authentication](/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy) to block legacy authentication.
+Follow the guidance in the article [Common Conditional Access policy: Block legacy authentication](/entra/identity/conditional-access/howto-conditional-access-policy-block-legacy) to block legacy authentication.
### High risk users must change password
-Follow the guidance in the article [Common Conditional Access policy: User risk-based password change](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user) to require users with compromised credentials to change their password.
+Follow the guidance in the article [Common Conditional Access policy: User risk-based password change](/entra/identity/conditional-access/howto-conditional-access-policy-risk-user) to require users with compromised credentials to change their password.
-Use this policy along with [Microsoft Entra password protection](/azure/active-directory/authentication/concept-password-ban-bad), which detects and blocks known weak passwords and their variants in addition to terms specific to your organization. Using Microsoft Entra password protection ensures that changed passwords are stronger.
+Use this policy along with [Microsoft Entra password protection](/entra/identity/authentication/concept-password-ban-bad), which detects and blocks known weak passwords and their variants in addition to terms specific to your organization. Using Microsoft Entra password protection ensures that changed passwords are stronger.
### Require approved apps and app protection policies **You must create a Conditional Access policy** to enforce the app protection policies created in Intune. Enforcing app protection policies requires a Conditional Access policy **and** a corresponding app protection policy.
-To create a Conditional Access policy that requires approved apps and APP protection, follow the steps in [Require approved client apps or app protection policy with mobile devices](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection). This policy only allows accounts within mobile apps protected by app protection policies to access Microsoft 365 endpoints.
+To create a Conditional Access policy that requires approved apps and APP protection, follow the steps in [Require approved client apps or app protection policy with mobile devices](/entra/identity/conditional-access/howto-policy-approved-app-or-app-protection). This policy only allows accounts within mobile apps protected by app protection policies to access Microsoft 365 endpoints.
Blocking legacy authentication for other client apps on iOS and Android devices ensures that these clients can't bypass Conditional Access policies. If you're following the guidance in this article, you've already configured [Block clients that don't support modern authentication](#block-clients-that-dont-support-multifactor-authentication).
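Review bot: In the added line under "Require approved apps and app protection policies", the phrase "approved apps and APP protection" keeps the stray capitalisation from the removed line; since the line is being rewritten anyway, lower-case it to "app protection" to match the heading and the link text. Separately, the unchanged paragraph that follows labels its link "Block clients that don't support modern authentication" while the fragment and the section heading both say "multifactor authentication"; aligning the label with the heading would stop readers from looking for a section that doesn't exist.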
Organizations using the [Subscription Activation](/windows/deployment/windows-10
### Always require MFA
-Follow the guidance in the article [Common Conditional Access policy: Require MFA for all users](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa) to require your specialized security level users to always perform multifactor authentication.
+Follow the guidance in the article [Common Conditional Access policy: Require MFA for all users](/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa) to require your specialized security level users to always perform multifactor authentication.
> [!WARNING] > When configuring your policy, select the group that requires specialized security and use that **instead of selecting All users**.
security Zero Trust Identity Device Access Policies Exchange https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-exchange.md
For mobile devices, the following clients are blocked based on the Conditional A
- Exchange ActiveSync clients that support modern authentication, but don't support Intune app protection policies. - Devices that support Intune app protection policies, but aren't defined in the policy.
-To block Exchange ActiveSync connections using basic authentication on other types of devices (for example, PCs), follow the steps in [Block Exchange ActiveSync on all devices](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection#block-exchange-activesync-on-all-devices).
+To block Exchange ActiveSync connections using basic authentication on other types of devices (for example, PCs), follow the steps in [Block Exchange ActiveSync on all devices](/entra/identity/conditional-access/howto-policy-approved-app-or-app-protection#block-exchange-activesync-on-all-devices).
## Limit access to Exchange Online from Outlook on the web
Here are the steps:
Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -ConditionalAccessPolicy ReadOnlyPlusAttachmentsBlocked ```
-5. In the Azure portal, [create a new Conditional Access policy](/azure/active-directory/conditional-access/concept-conditional-access-policies) with these settings:
+5. In the Azure portal, [create a new Conditional Access policy](/entra/identity/conditional-access/concept-conditional-access-policies) with these settings:
**Assignments** \> **Users and groups**: Select appropriate users and groups to include and exclude.
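Review bot: Step 5 now links into the `/entra/identity/conditional-access/` documentation but still opens with "In the Azure portal"; confirm that the portal name matches what the linked article instructs, and if that article directs admins elsewhere, update the step text in the same change so the instruction and the link agree.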
security Zero Trust Identity Device Access Policies Guest Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-guest-access.md
This policy prompts guests to register for MFA in your tenant, regardless of whe
While organizations can enforce risk-based policies for B2B users using Microsoft Entra ID Protection, there are limitations in the implementation of Microsoft Entra ID Protection for B2B collaboration users in a resource directory because their identity exists in their home directory. Due to these limitations, Microsoft recommends you exclude guests from risk-based MFA policies and require these users to always use MFA.
-For more information, see [Limitations of Identity Protection for B2B collaboration users](/azure/active-directory/identity-protection/concept-identity-protection-b2b#limitations-of-identity-protection-for-b2b-collaboration-users).
+For more information, see [Limitations of ID Protection for B2B collaboration users](/entra/id-protection/concept-identity-protection-b2b#limitations-of-id-protection-for-b2b-collaboration-users).
### Excluding guests and external users from device management
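Review bot: The fragment on the new link changed from `#limitations-of-identity-protection-for-b2b-collaboration-users` to `#limitations-of-id-protection-for-b2b-collaboration-users` while the page slug stays `concept-identity-protection-b2b`; please confirm the target heading was actually renamed, because a fragment that matches no heading silently lands readers at the top of the article instead of at the limitations that justify excluding guests from risk-based MFA.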
security Zero Trust Identity Device Access Policies Mcas Saas https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-mcas-saas.md
This guidance includes recommendations for these scenarios:
## Bring SaaS apps into IT management
-The first step in using Defender for Cloud Apps to manage SaaS apps is to discover these and then add them to your Microsoft Entra tenant. If you need help with discovery, see [Discover and manage SaaS apps in your network](/cloud-app-security/tutorial-shadow-it). After you've discovered apps, [add these to your Microsoft Entra tenant](/azure/active-directory/manage-apps/add-application-portal).
+The first step in using Defender for Cloud Apps to manage SaaS apps is to discover these and then add them to your Microsoft Entra tenant. If you need help with discovery, see [Discover and manage SaaS apps in your network](/cloud-app-security/tutorial-shadow-it). After you've discovered apps, [add these to your Microsoft Entra tenant](/entra/identity/enterprise-apps/add-application-portal).
You can begin to manage these by doing the following:
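Review bot: The updated line fixes only the second link; the first link in the same sentence still points at `/cloud-app-security/tutorial-shadow-it`, a path built on the product's former name even though the sentence itself says Defender for Cloud Apps. Check whether that path should be migrated in this pass too, so the line doesn't need a second link-fix commit.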
security Zero Trust Identity Device Access Policies Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-overview.md
Zero Trust identity and device access settings and policies are recommended in t
These tiers and their corresponding configurations provide consistent levels of Zero Trust protection across your data, identities, and devices. These capabilities and their recommendations: - Are supported in Microsoft 365 E3 and Microsoft 365 E5.-- Are aligned with [Microsoft Secure Score](../defender/microsoft-secure-score.md) and [identity score in Microsoft Entra ID](/azure/active-directory/fundamentals/identity-secure-score). Following the recommendations will increase these scores for your organization.-- Help you to implement these [five steps to securing your identity infrastructure](/azure/security/azure-ad-secure-steps).
+- Are aligned with [Microsoft Secure Score](../defender/microsoft-secure-score.md) and [identity score in Microsoft Entra ID](/entra/identity/monitoring-health/concept-identity-secure-score). Following the recommendations will increase these scores for your organization.
+- Help you to implement these [five steps to securing your identity infrastructure](/azure/security/fundamentals/steps-secure-identity).
If your organization has unique requirements or complexities, use these recommendations as a starting point. However, most organizations can implement these recommendations as prescribed.
Many of our recommendations rely on services that are available only with the fo
- EMS E5. - Microsoft Entra ID P2 licenses.
-For organizations who don't have these licenses, we recommend that you at least implement [security defaults](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults), which is included with all Microsoft 365 plans.
+For organizations who don't have these licenses, we recommend that you at least implement [security defaults](/entra/fundamentals/security-defaults), which is included with all Microsoft 365 plans.
### Caveats
Microsoft Entra ID provides a full suite of identity management capabilities. We
|Capability or feature|Description|Licensing| ||||
-|[Multifactor authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks)|MFA requires users to provide two forms of verification, such as a user password plus a notification from the Microsoft Authenticator app or a phone call. MFA greatly reduces the risk that stolen credentials can be used to access your environment. Microsoft 365 uses the Microsoft Entra multifactor authentication service for MFA-based sign-ins.|Microsoft 365 E3 or E5|
-|[Conditional Access](/azure/active-directory/conditional-access/overview)|Microsoft Entra ID evaluates the conditions of the user sign-in and uses Conditional Access policies to determine the allowed access. For example, in this guidance we show you how to create a Conditional Access policy to require device compliance for access to sensitive data. This greatly reduces the risk that a hacker with their own device and stolen credentials can access your sensitive data. It also protects sensitive data on the devices, because the devices must meet specific requirements for health and security.|Microsoft 365 E3 or E5|
-|[Microsoft Entra groups](/azure/active-directory/fundamentals/active-directory-manage-groups)|Conditional Access policies, device management with Intune, and even permissions to files and sites in your organization rely on the assignment to user accounts or Microsoft Entra groups. We recommend you create Microsoft Entra groups that correspond to the levels of protection you are implementing. For example, your executive staff are likely higher value targets for hackers. Therefore, it makes sense to add the user accounts of these employees to a Microsoft Entra group and assign this group to Conditional Access policies and other policies that enforce a higher level of protection for access.|Microsoft 365 E3 or E5|
-|[Device enrollment](/azure/active-directory/devices/overview)|You enroll a device into Microsoft Entra ID to create an identity for the device. This identity is used to authenticate the device when a user signs in and to apply Conditional Access policies that require domain-joined or compliant PCs. For this guidance, we use device enrollment to automatically enroll domain-joined Windows computers. Device enrollment is a prerequisite for managing devices with Intune.|Microsoft 365 E3 or E5|
-|[Microsoft Entra ID Protection](/azure/active-directory/identity-protection/overview)|Enables you to detect potential vulnerabilities affecting your organization's identities and configure automated remediation policy to low, medium, and high sign-in risk and user risk. This guidance relies on this risk evaluation to apply Conditional Access policies for multifactor authentication. This guidance also includes a Conditional Access policy that requires users to change their password if high-risk activity is detected for their account.|Microsoft 365 E5, Microsoft 365 E3 with the E5 Security add-on, EMS E5, or Microsoft Entra ID P2 licenses|
-|[Self-service password reset (SSPR)](/azure/active-directory/authentication/concept-sspr-howitworks)|Allow your users to reset their passwords securely and without help-desk intervention, by providing verification of multiple authentication methods that the administrator can control.|Microsoft 365 E3 or E5|
-|[Microsoft Entra password protection](/azure/active-directory/authentication/concept-password-ban-bad)|Detect and block known weak passwords and their variants and additional weak terms that are specific to your organization. Default global banned password lists are automatically applied to all users in a Microsoft Entra tenant. You can define additional entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.|Microsoft 365 E3 or E5|
+|[Multifactor authentication (MFA)](/entra/identity/authentication/concept-mfa-howitworks)|MFA requires users to provide two forms of verification, such as a user password plus a notification from the Microsoft Authenticator app or a phone call. MFA greatly reduces the risk that stolen credentials can be used to access your environment. Microsoft 365 uses the Microsoft Entra multifactor authentication service for MFA-based sign-ins.|Microsoft 365 E3 or E5|
+|[Conditional Access](/entra/identity/conditional-access/overview)|Microsoft Entra ID evaluates the conditions of the user sign-in and uses Conditional Access policies to determine the allowed access. For example, in this guidance we show you how to create a Conditional Access policy to require device compliance for access to sensitive data. This greatly reduces the risk that a hacker with their own device and stolen credentials can access your sensitive data. It also protects sensitive data on the devices, because the devices must meet specific requirements for health and security.|Microsoft 365 E3 or E5|
+|[Microsoft Entra groups](/entra/fundamentals/concept-learn-about-groups)|Conditional Access policies, device management with Intune, and even permissions to files and sites in your organization rely on the assignment to user accounts or Microsoft Entra groups. We recommend you create Microsoft Entra groups that correspond to the levels of protection you are implementing. For example, your executive staff are likely higher value targets for hackers. Therefore, it makes sense to add the user accounts of these employees to a Microsoft Entra group and assign this group to Conditional Access policies and other policies that enforce a higher level of protection for access.|Microsoft 365 E3 or E5|
+|[Device enrollment](/entra/identity/devices/overview)|You enroll a device into Microsoft Entra ID to create an identity for the device. This identity is used to authenticate the device when a user signs in and to apply Conditional Access policies that require domain-joined or compliant PCs. For this guidance, we use device enrollment to automatically enroll domain-joined Windows computers. Device enrollment is a prerequisite for managing devices with Intune.|Microsoft 365 E3 or E5|
+|[Microsoft Entra ID Protection](/entra/id-protection/overview-identity-protection)|Enables you to detect potential vulnerabilities affecting your organization's identities and configure automated remediation policy to low, medium, and high sign-in risk and user risk. This guidance relies on this risk evaluation to apply Conditional Access policies for multifactor authentication. This guidance also includes a Conditional Access policy that requires users to change their password if high-risk activity is detected for their account.|Microsoft 365 E5, Microsoft 365 E3 with the E5 Security add-on, EMS E5, or Microsoft Entra ID P2 licenses|
+|[Self-service password reset (SSPR)](/entra/identity/authentication/concept-sspr-howitworks)|Allow your users to reset their passwords securely and without help-desk intervention, by providing verification of multiple authentication methods that the administrator can control.|Microsoft 365 E3 or E5|
+|[Microsoft Entra password protection](/entra/identity/authentication/concept-password-ban-bad)|Detect and block known weak passwords and their variants and additional weak terms that are specific to your organization. Default global banned password lists are automatically applied to all users in a Microsoft Entra tenant. You can define additional entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.|Microsoft 365 E3 or E5|
Here are the components of Zero Trust identity and device access, including Intune and Microsoft Entra objects, settings, and subservices.
Microsoft recommends that you don't create policy sets that apply to all apps be
3. Configure Conditional Access policies for guest and external users. 4. Configure Conditional Access policies for Microsoft 365 cloud appsΓÇösuch as Microsoft Teams, Exchange, and SharePointΓÇöand Microsoft Defender for Cloud Apps policies.
-After you have configured Zero Trust identity and device access, see the [Microsoft Entra feature deployment guide](/azure/active-directory/fundamentals/active-directory-deployment-checklist-p2) for a phased checklist of additional features to consider and [Microsoft Entra ID Governance](/azure/active-directory/governance/) to protect, monitor, and audit access.
+After you have configured Zero Trust identity and device access, see the [Microsoft Entra feature deployment guide](/entra/fundamentals/concept-secure-remote-workers) for a phased checklist of additional features to consider and [Microsoft Entra ID Governance](/entra/id-governance/) to protect, monitor, and audit access.
## Next step
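Review bot: In the replaced sentence the link is still labelled "Microsoft Entra feature deployment guide" and described as "a phased checklist of additional features", but the new target slug is `concept-secure-remote-workers`, which reads like a different article from the old `active-directory-deployment-checklist-p2`. Verify that the target really is the deployment checklist; if the content moved under a new title, update the label and the description to match.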
security Zero Trust Identity Device Access Policies Prereq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-prereq.md
The following table details the prerequisite features and their configuration th
|Configuration|Exceptions|Licensing| ||::||
-|[Configure PHS](/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization). This must be enabled to detect leaked credentials and to act on them for risk-based Conditional Access. **Note:** This is required regardless of whether your organization uses federated authentication.|Cloud-only|Microsoft 365 E3 or E5|
-|[Enable seamless single sign-on](/azure/active-directory/connect/active-directory-aadconnect-sso) to automatically sign users in when they are on their organization devices connected to your organization network.|Cloud-only and federated|Microsoft 365 E3 or E5|
-|[Configure named locations](/azure/active-directory/reports-monitoring/quickstart-configure-named-locations). Microsoft Entra ID Protection collects and analyzes all available session data to generate a risk score. We recommend you specify your organization's public IP ranges for your network in the Microsoft Entra ID named locations configuration. Traffic coming from these ranges is given a reduced risk score, and traffic from outside the organization environment is given a higher risk score.||Microsoft 365 E3 or E5|
-|[Register all users for self-service password reset (SSPR) and multifactor authentication (MFA)](/azure/active-directory/authentication/concept-registration-mfa-sspr-converged). We recommend you register users for Microsoft Entra multifactor authentication ahead of time. Microsoft Entra ID Protection makes use of Microsoft Entra multifactor authentication to perform additional security verification. Additionally, for the best sign-in experience, we recommend users install the [Microsoft Authenticator app](/azure/active-directory/user-help/microsoft-authenticator-app-how-to) and the Microsoft Company Portal app on their devices. These can be installed from the app store for each platform.||Microsoft 365 E3 or E5|
-|[Enable automatic device registration of domain-joined Windows computers](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup). Conditional Access will make sure devices connecting to apps are domain-joined or compliant. To support this on Windows computers, the device must be registered with Microsoft Entra ID. This article discusses how to configure automatic device registration.|Cloud-only|Microsoft 365 E3 or E5|
+|[Configure PHS](/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization). This feature must be enabled to detect leaked credentials and to act on them for risk-based Conditional Access. **Note:** This is required regardless of whether your organization uses federated authentication.|Cloud-only|Microsoft 365 E3 or E5|
+|[Enable seamless single sign-on](/entra/identity/hybrid/connect/how-to-connect-sso) to automatically sign users in when they are on their organization devices connected to your organization network.|Cloud-only and federated|Microsoft 365 E3 or E5|
+|[Configure named locations](/entra/identity/conditional-access/location-condition#named-locations). Microsoft Entra ID Protection collects and analyzes all available session data to generate a risk score. We recommend you specify your organization's public IP ranges for your network in the Microsoft Entra ID named locations configuration. Traffic coming from these ranges is given a reduced risk score, and traffic from outside the organization environment is given a higher risk score.||Microsoft 365 E3 or E5|
+|[Register all users for self-service password reset (SSPR) and multifactor authentication (MFA)](/entra/identity/authentication/concept-registration-mfa-sspr-combined). We recommend you register users for Microsoft Entra multifactor authentication ahead of time. Microsoft Entra ID Protection makes use of Microsoft Entra multifactor authentication to perform additional security verification. Additionally, for the best sign-in experience, we recommend users install the [Microsoft Authenticator app](https://support.microsoft.com/account-billing/351498fc-850a-45da-b7b6-27e523b8702a) and the Microsoft Company Portal app on their devices. These can be installed from the app store for each platform.||Microsoft 365 E3 or E5|
+|[Plan your Microsoft Entra hybrid join implementation](/entra/identity/devices/hybrid-join-plan). Conditional Access will make sure devices connecting to apps are domain-joined or compliant. To support this on Windows computers, the device must be registered with Microsoft Entra ID. This article discusses how to configure automatic device registration.|Cloud-only|Microsoft 365 E3 or E5|
|**Prepare your support team**. Have a plan in place for users that cannot complete MFA. This could be adding them to a policy exclusion group, or registering new MFA information for them. Before making either of these security-sensitive changes, you need to ensure that the actual user is making the request. Requiring users' managers to help with the approval is an effective step.||Microsoft 365 E3 or E5|
-|[Configure password writeback to on-premises AD](/azure/active-directory/active-directory-passwords-getting-started). Password writeback allows Microsoft Entra ID to require that users change their on-premises passwords when a high-risk account compromise is detected. You can enable this feature using Microsoft Entra Connect in one of two ways: either enable **Password Writeback** in the optional features screen of Microsoft Entra Connect setup, or enable it via Windows PowerShell.|Cloud-only|Microsoft 365 E3 or E5|
-|[Configure Microsoft Entra password protection](/azure/active-directory/authentication/concept-password-ban-bad). Microsoft Entra Password Protection detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization. Default global banned password lists are automatically applied to all users in a Microsoft Entra tenant. You can define additional entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.||Microsoft 365 E3 or E5|
-|[Enable Microsoft Entra ID Protection](/azure/active-directory/identity-protection/overview-identity-protection). Microsoft Entra ID Protection enables you to detect potential vulnerabilities affecting your organization's identities and configure an automated remediation policy to low, medium, and high sign-in risk and user risk.||Microsoft 365 E5 or Microsoft 365 E3 with the E5 Security add-on|
+|[Configure password writeback to on-premises AD](/entra/identity/authentication/tutorial-enable-sspr). Password writeback allows Microsoft Entra ID to require that users change their on-premises passwords when a high-risk account compromise is detected. You can enable this feature using Microsoft Entra Connect in one of two ways: either enable **Password Writeback** in the optional features screen of Microsoft Entra Connect setup, or enable it via Windows PowerShell.|Cloud-only|Microsoft 365 E3 or E5|
+|[Configure Microsoft Entra password protection](/entra/identity/authentication/concept-password-ban-bad). Microsoft Entra Password Protection detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization. Default global banned password lists are automatically applied to all users in a Microsoft Entra tenant. You can define additional entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.||Microsoft 365 E3 or E5|
+|[Enable Microsoft Entra ID Protection](/entra/id-protection/overview-identity-protection). Microsoft Entra ID Protection enables you to detect potential vulnerabilities affecting your organization's identities and configure an automated remediation policy to low, medium, and high sign-in risk and user risk.||Microsoft 365 E5 or Microsoft 365 E3 with the E5 Security add-on|
|**Enable modern authentication** for [Exchange Online](/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online) and for [Skype for Business Online](https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx). Modern authentication is a prerequisite for using MFA. Modern authentication is enabled by default for Office 2016 and 2019 clients, SharePoint, and OneDrive for Business.||Microsoft 365 E3 or E5|
-|[Enable continuous access evaluation](/azure/active-directory/conditional-access/concept-continuous-access-evaluation) for Microsoft Entra ID. Continuous access evaluation proactively terminates active user sessions and enforces tenant policy changes in near real-time.||Microsoft 365 E3 or E5|
+|[Enable continuous access evaluation](/entra/identity/conditional-access/concept-continuous-access-evaluation) for Microsoft Entra ID. Continuous access evaluation proactively terminates active user sessions and enforces tenant policy changes in near real-time.||Microsoft 365 E3 or E5|
## Recommended client configurations
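Review bot: Two rows in this table now carry link text or descriptions that no longer match their targets. The device-registration row is retitled "Plan your Microsoft Entra hybrid join implementation" yet still ends with "This article discusses how to configure automatic device registration", and the "Configure password writeback to on-premises AD" row now points at `tutorial-enable-sspr`, whose slug names SSPR enablement rather than writeback. Confirm that both targets cover the step the row requires, and adjust the row text or the link where they don't. The PHS row also picks up an unrelated wording change ("This must be enabled" to "This feature must be enabled") that is worth mentioning in the commit description, since the rest of the change is link-only.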
This section describes the default platform client configurations that we recomm
### Windows devices
-We recommend Windows 11 or Windows 10 (version 2004 or later), as Azure is designed to provide the smoothest SSO experience possible for both on-premises and Microsoft Entra ID. Work or school-issued devices should be configured to join Microsoft Entra ID directly or if the organization uses on-premises AD domain join, those devices should be [configured to automatically and silently register with Microsoft Entra ID](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup).
+We recommend Windows 11 or Windows 10 (version 2004 or later), as Azure is designed to provide the smoothest SSO experience possible for both on-premises and Microsoft Entra ID. Work or school-issued devices should be configured to join Microsoft Entra ID directly or if the organization uses on-premises AD domain join, those devices should be [configured to automatically and silently register with Microsoft Entra ID](/entra/identity/devices/hybrid-join-plan).
For BYOD Windows devices, users can use **Add work or school account**. Note that users of the Google Chrome browser on Windows 11 or Windows 10 devices need to [install an extension](https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji?utm_source=chrome-app-launcher-info-dialog) to get the same smooth sign-in experience as Microsoft Edge users. Also, if your organization has domain-joined Windows 8 or 8.1 devices, you can install Microsoft Workplace Join for non-Windows 10 computers. [Download the package to register](https://www.microsoft.com/download/details.aspx?id=53554) the devices with Microsoft Entra ID. ### iOS devices
-We recommend installing the [Microsoft Authenticator app](/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to) on user devices before deploying Conditional Access or MFA policies. At a minimum, the app should be installed when users are asked to register their device with Microsoft Entra ID by adding a work or school account, or when they install the Intune company portal app to enroll their device into management. This depends on the configured Conditional Access policy.
+We recommend installing the [Microsoft Authenticator app](https://support.microsoft.com/account-billing/351498fc-850a-45da-b7b6-27e523b8702a) on user devices before deploying Conditional Access or MFA policies. At a minimum, the app should be installed when users are asked to register their device with Microsoft Entra ID by adding a work or school account, or when they install the Intune company portal app to enroll their device into management. This depends on the configured Conditional Access policy.
### Android devices
-We recommend users install the [Intune Company Portal app](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal&hl=en) and [Microsoft Authenticator app](/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to) before Conditional Access policies are deployed or when required during certain authentication attempts. After app installation, users may be asked to register with Microsoft Entra ID or enroll their device with Intune. This depends on the configured Conditional Access policy.
+We recommend users install the [Intune Company Portal app](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal&hl=en) and [Microsoft Authenticator app](https://support.microsoft.com/account-billing/351498fc-850a-45da-b7b6-27e523b8702a) before Conditional Access policies are deployed or when required during certain authentication attempts. After app installation, users may be asked to register with Microsoft Entra ID or enroll their device with Intune. This depends on the configured Conditional Access policy.
We also recommend that organization-owned devices are standardized on OEMs and versions that support Android for Work or Samsung Knox to allow mail accounts, be managed and protected by Intune MDM policy.
For more information about client support in Microsoft 365, see the following ar
## Protecting administrator accounts
-For Microsoft 365 E3 or E5 or with separate Microsoft Entra ID P1 or P2 licenses, you can require MFA for administrator accounts with a manually created Conditional Access policy. See [Conditional Access: Require MFA for administrators](/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa) for the details.
+For Microsoft 365 E3 or E5 or with separate Microsoft Entra ID P1 or P2 licenses, you can require MFA for administrator accounts with a manually created Conditional Access policy. See [Conditional Access: Require MFA for administrators](/entra/identity/conditional-access/howto-conditional-access-policy-admin-mfa) for the details.
-For editions of Microsoft 365 or Office 365 that do not support Conditional Access, you can enable [security defaults](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) to require MFA for all accounts.
+For editions of Microsoft 365 or Office 365 that do not support Conditional Access, you can enable [security defaults](/entra/fundamentals/security-defaults) to require MFA for all accounts.
Here are some additional recommendations: -- Use [Microsoft Entra Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-getting-started) to reduce the number of persistent administrative accounts.
+- Use [Microsoft Entra Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-getting-started) to reduce the number of persistent administrative accounts.
- [Use privileged access management](/purview/privileged-access-management) to protect your organization from breaches that may use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. - Create and use separate accounts that are assigned [Microsoft 365 administrator roles](/microsoft-365/admin/add-users/about-admin-roles) *only for administration*. Admins should have their own user account for regular non-administrative use and only use an administrative account when necessary to complete a task associated with their role or job function.-- Follow [best practices](/azure/active-directory/roles/best-practices) for securing privileged accounts in Microsoft Entra ID.
+- Follow [best practices](/entra/identity/role-based-access-control/best-practices) for securing privileged accounts in Microsoft Entra ID.
## Next step
solutions Apps Config Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-config-overview.md
keywords:
# Configure apps using Microsoft Intune
-Once you've [set up and deployed the capabilities of Intune](/microsoft-365/solutions/apps-guide-overview#deploying-intune) and you've [added the apps you want to manage to Intune](/microsoft-365/solutions/apps-add-overview), you can begin the process of creating app configuration policies. App configuration policies allow members of your organization (end-users) to easily install and use the related apps on their devices. By using app configuration policies, you can help you eliminate app setup problems. You can assign configuration settings to a policy that is then assigned to end-users before they run the app. The settings are then supplied automatically when the app is configured on the end-user's device. Most importantly, end-users don't need to take action. You can create and use app configuration policies to provide configuration settings for both iOS/iPadOS or Android apps. The configuration policy settings are used when the app checks for these settings, typically the first time the app is run.
+Once you've [set up and deployed the capabilities of Intune](/microsoft-365/solutions/apps-guide-overview#deploying-intune) and you've [added the apps you want to manage to Intune](/microsoft-365/solutions/apps-add-overview), you can begin the process of creating app configuration policies. App configuration policies allow members of your organization (end users) to easily install and use the related apps on their devices. By using app configuration policies, you can help you eliminate app setup problems. You can assign configuration settings to a policy that is then assigned to end users before they run the app. The settings are then supplied automatically when the app is configured on the end user's device. Most importantly, end users don't need to take action. You can create and use app configuration policies to provide configuration settings for both iOS/iPadOS or Android apps. The configuration policy settings are used when the app checks for these settings, typically the first time the app is run.
> [!NOTE] > App configuration policies are not always needed or not required. The app developer must incorporate app configuration support into the app to allow app configuration via Intune. > > Intune is provided as a web-based console to manage, protect, and monitor all of your organization's endpoints, whether those endpoints are devices or apps. >
-> Similar to app protection policies, app configuration policies should be assigned to end-users and/or devices before assigning the related app.
+> Similar to app protection policies, app configuration policies should be assigned to end users and/or devices before assigning the related app.
-You create app configuration policies directly in Intune that are unique for each app and each group of end-users. Then, you can apply each app configuration policy to end-users and/or devices. There are many different settings you can use to configuration an app. For example, an app configuration setting might require you to specify any of the following details:
+You create app configuration policies directly in Intune that are unique for each app and each group of end users. Then, you can apply each app configuration policy to end users and/or devices. There are many different settings you can use to configuration an app. For example, an app configuration setting might require you to specify any of the following details:
- A custom port number - Language settings - S/MIME settings - Security and protection settings - Branding settings (such as a company logo)
-If end-users were to enter these settings instead, they could enter them incorrectly. App configuration policies can help provide consistency across an enterprise and reduce helpdesk calls from end-users trying to configure settings on their own. By using app configuration policies, the adoption of new apps can be easier and quicker.
+If end users were to enter these settings instead, they could enter them incorrectly. App configuration policies can help provide consistency across an enterprise and reduce helpdesk calls from end users trying to configure settings on their own. By using app configuration policies, the adoption of new apps can be easier and quicker.
+
+## Benefits of app configuration policies
+
+App configuration policies can help you streamline apps installation, increase app adoption, reduce setup problems, and ensure app configuration consistency. In addition, by having the apps configured in a consistent manner with correct settings, your organizational data is better protected.
+ The available configuration parameters and the implementation of the configuration parameters are decided by the developers of the application. Documentation from the application vendor should be reviewed to see what configurations are available and how the configurations influence the behavior of the application. For some applications, Intune will populate the available configuration settings.
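Review bot: Two wording errors survive on lines this change already touches. The introduction still reads "you can help you eliminate app setup problems", and the paragraph before the settings list still reads "settings you can use to configuration an app". Fix them to "you can help eliminate app setup problems" and "to configure an app" in the same pass as the "end users" substitution. The new "Benefits" section also claims that consistent configuration means "your organizational data is better protected". That claim would be easier to act on if it pointed at the settings it depends on, such as the "Security and protection settings" item in the list above.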
Follow these steps if you haven't already set up Intune and added the apps you n
## Apps that support app configuration
-Apps that have been specifically enhanced to support a unified endpoint management provider, such as Microsoft Intune, can support configuration. Apps that can be configured using an Intune app configuration policy have been enabled to support configuration settings using the Intune App SDK or the Intune App Wrapping Tool. For a list of apps that have been enhanced to support Intune, see [Microsoft Intune protected apps](/mem/intune/apps/apps-supported-intune-apps). Note that an app doesn't have to support app configuration or app protection in order to be assigned to end-users and/or devices.
+Apps that have been specifically enhanced to support a unified endpoint management provider, such as Microsoft Intune, can support configuration. Apps that can be configured using an Intune app configuration policy have been enabled to support configuration settings using the Intune App SDK or the Intune App Wrapping Tool. For a list of apps that have been enhanced to support Intune, see [Microsoft Intune protected apps](/mem/intune/apps/apps-supported-intune-apps). Note that an app doesn't have to support app configuration or app protection in order to be assigned to end users and/or devices.
> [!NOTE] > Apps that support configuration in Microsoft Intune support the [AppConfig](https://www.appconfig.org/) community standard. ## Determine your management deployment model
-Before you configure apps to be managed by Intune, you first need to determine your management deployment model. Intune supports mobile device management (MDM), mobile application management (MAM), and both MDM + MAM. Devices that are enrolled with Intune use MDM. MDM enables organizations to protect and secure their resources and data on enrolled devices. Apps that are managed (MAM) on their own without device management (MDM), can be configured and protected using Intune. MAM enables your to manage and protect your organization's data within an application.
+Before you configure apps to be managed by Intune, you first need to determine your management deployment model. Intune supports mobile device management (MDM), mobile application management (MAM), and both MDM + MAM. Devices that are enrolled with Intune use MDM. MDM enables organizations to protect and secure their resources and data on enrolled devices. Apps that are managed (MAM) on their own without device management (MDM), can be configured and protected using Intune. MAM enables you to manage and protect your organization's data within an application.
| Management deployment model | Description | |||
-| MDM | Devices that are enrolled with Intune use MDM. MDM enables organizations to protect and secure their resources and data on enrolled devices. When using MDM only, your app configuration policy channel must be set to **Managed devices**. For more information about MDM, see [Microsoft Intune enrollment](/mem/intune/fundamentals/deployment-guide-enrollment). |
-| MAM | Apps that are managed (MAM) without device management (MDM), can be configured and protected using Intune. MAM enables your to manage and protect your organization's data within an application. When you choose to manage only the apps on devices used by members of your organization without enrolling or managing devices, your app configuration policy channel must be set to **Managed apps** . This configuration is commonly referred to as MAM without device enrollment, or MAM-WE. You can manage apps using MAM by using Intune configuration and protection policies on devices not enrolled with Intune MDM. MAM is ideal to help protect organization data on mobile devices used by members of your organization for both personal and work tasks.<p>**NOTE:**<br>You can't deploy apps to the device. The end-user has to get the apps from the store.<p>For more information, see [MAM without device management](/mem/intune/fundamentals/deployment-plan-protect-apps#mam-without-device-management). |
-| MDM + MAM | Intune allows you to manage devices (MDM) and manage apps (MAM). This configuration is commonly referred to as MAM + MDM. You can manage apps using MAM on devices that are enrolled with Intune MDM. A configuration policy that is delivered through the **Manged apps** channel will take presidence over a configuration policy delivered through the **Managed devices** channel. For more information about MDM + MAM, see [MAM with device management](/mem/intune/fundamentals/deployment-plan-protect-apps#mam-with-device-management). |
+| MDM | Devices that are enrolled with Intune use MDM. MDM enables organizations to protect and secure their resources and data on enrolled devices. When you are using MDM only, your app configuration policy channel must be set to **Managed devices**. For more information about MDM, see [Microsoft Intune enrollment](/mem/intune/fundamentals/deployment-guide-enrollment). |
+| MAM | Apps that are managed (MAM) without device management (MDM), can be configured and protected using Intune. MAM enables you to manage and protect your organization's data within an application. When you choose to manage only the apps on devices used by members of your organization without enrolling or managing devices, your app configuration policy channel must be set to **Managed apps** . This configuration is commonly referred to as MAM without device enrollment, or MAM-WE. You can manage apps using MAM by using Intune configuration and protection policies on devices not enrolled with Intune MDM. MAM is ideal to help protect organization data on mobile devices used by members of your organization for both personal and work tasks.<p>**NOTE:**<br>You can't deploy apps to the device. The end user has to get the apps from the store.<p>For more information, see [MAM without device management](/mem/intune/fundamentals/deployment-plan-protect-apps#mam-without-device-management). |
+| MDM + MAM | Intune allows you to manage devices (MDM) and manage apps (MAM). This configuration is commonly referred to as MAM + MDM. You can manage apps using MAM on devices that are enrolled with Intune MDM. A configuration policy that is delivered through the **Manged apps** channel will take precedence over a configuration policy delivered through the **Managed devices** channel. For more information about MDM + MAM, see [MAM with device management](/mem/intune/fundamentals/deployment-plan-protect-apps#mam-with-device-management). |
It is important to understand that you have different app configuration options and capabilities depending on the management workflow you use at your organization. For more information about MAM, see [MAM configurations](/mem/intune/fundamentals/deployment-plan-protect-apps#mam-configurations). For more information about management deployment models, see [Enroll in device management, application management, or both](/mem/intune/fundamentals/what-is-intune#enroll-in-device-management-application-management-or-both).
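Review bot: In the MDM + MAM row, the change corrects "presidence" to "precedence" but leaves the channel name misspelled as "**Manged apps**" in the same sentence. It should read "**Managed apps**", matching the MAM row. This sentence tells admins which channel wins when both deliver a policy, so the channel name has to match the UI label exactly. The MAM row also keeps a stray space before the period in "**Managed apps** .".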
It is important to understand that you have different app configuration options
:::image type="content" source="../media/configure-managed-apps/guide.png" alt-text="Common process to configure apps using Microsoft Intune" border="false" :::
+## App configuration process flow
+
+Once you have added an app to Intune, you can assign the app configuration policy to end users. The configuration policy will be used when the app is installed on the end user's device.
++ ## Delivery channels for app configuration policies It's important to understand the difference between app configuration policies that support **Managed devices** verses **Managed apps**. Managed devices are those devices that have been enrolled in a unified endpoint management provider, such as Microsoft Intune. These enrolled devices use mobile device management (MDM) provided by the unified endpoint management provider. MDM enables organizations to protect and secure their resources and data on enrolled devices. Managed apps are apps that you have assigned to users via a unified endpoint management provider, such as Intune. Managed apps support app configuration policies and app protection policies. These apps use mobile application management (MAM) that is provided by the unified endpoint management provider. MAM enables organizations to manage and protect their data within an application.
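Review bot: The new "App configuration process flow" section says the policy "will be used when the app is installed on the end user's device". The introduction says the settings are used "when the app checks for these settings, typically the first time the app is run", and the note earlier on the page recommends assigning the policy before assigning the related app. Align the new sentence with those two statements, for example "The configuration policy is applied when the app checks for its settings, typically the first time it runs", so that admins do not assume a policy assigned after installation is ignored. The context line that follows also uses "verses" where "versus" is meant.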
Certain supported apps can be configured to add additional capabilities. These c
#### Enable connected Android apps
-You can allow end-users using Android personally owned and corporate-owned work profiles to turn on connected apps experiences for supported apps. This app configuration setting enables apps to connect and integrate app data across the work and personal app instances on Android. For an app to provide this experience, the app needs to integrate with Google's connected apps SDK, which means only limited apps support it. You can turn on the connected apps setting proactively, and when apps add support, users are able to enable the connected apps experience. For more information, see [Enable connected apps](/mem/intune/apps/app-configuration-policies-use-android#enable-connected-apps).
+You can allow end users using Android personally owned and corporate-owned work profiles to turn on connected apps experiences for supported apps. This app configuration setting enables apps to connect and integrate app data across the work and personal app instances on Android. For an app to provide this experience, the app needs to integrate with Google's connected apps SDK, which means only limited apps support it. You can turn on the connected apps setting proactively, and when apps add support, users are able to enable the connected apps experience. For more information, see [Enable connected apps](/mem/intune/apps/app-configuration-policies-use-android#enable-connected-apps).
#### Grant state for Android apps
This solution steps you through the process of creating app configuration polici
### Configure the Company Portal
-If your organization is managing devices with Intune, you need to use the Company Portal app. End-users at your organization use the Company Portal to securely access company data and do common tasks. End-users can access these tasks and information using either the Company Portal app, Company Portal website, or Intune app. The Company Portal app supports iOS/iPadOS, Linux, macOS, and Windows devices. The Intune app supports Android devices.
+If your organization is managing devices with Intune, you need to use the Company Portal app. End users at your organization use the Company Portal to securely access company data and do common tasks. End users can access these tasks and information using either the Company Portal app, Company Portal website, or Intune app. The Company Portal app supports iOS/iPadOS, Linux, macOS, and Windows devices. The Intune app supports Android devices.
> [!NOTE] > The "Company Portal" is commonly used as the descriptor for the Intune app, Company portal app, and the Company portal website.
Microsoft 365 (M365), formerly known as Microsoft Office, is a suite of producti
Windows, iOS, and Android delivers several key benefits including: - Combining Word, Excel, and PowerPoint in a way that simplifies the experience with fewer apps to download or switch between. It requires far less phone storage than installing individual apps while maintaining virtually all the capabilities of the existing mobile apps people already know and use.-- Integrating Office Lens technology to unlock the power of the camera with capabilities like converting images into editable Word and Excel documents, scanning PDFs, and capturing whiteboards with automatic digital enhancements to make the content easier to read.
+- Integrating Office Lens technology, which will help your organization use their device's camera capabilities. These capabilities include converting images into editable Word and Excel documents, scanning PDFs, and capturing whiteboards with automatic digital enhancements to make the content easier to read.
- Adding new functionality for common tasks people often encounter when working on a phoneΓÇöthings like making quick notes, signing PDFs, scanning QR codes, and transferring files between devices. The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features.
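Review bot: In the rewritten Office Lens bullet, "help your organization use their device's camera capabilities" pairs a singular "organization" with "their device's". The camera belongs to each user's device, so "help people in your organization use their device's camera" would read more accurately. Splitting the bullet into two sentences is otherwise an improvement over the removed line.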
For recommended app configuration steps, see [Configure other apps](apps-config-
### Verify app configuration
-Intune provides an **App configuration status** report to help you monitor the apps you've deployed to your end-users. Additionally, Intune provides diagnostic logs and configuration status per device.
+Intune provides an **App configuration status** report to help you monitor the apps you've deployed to your end users. Additionally, Intune provides diagnostic logs and configuration status per device.
For recommended app configuration steps, see [Monitor app configuration](apps-config-step-7.md).
solutions Apps Config Step 1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-config-step-1.md
keywords:
# Step 1. Customize and configure the Company Portal
-The Company Portal app, Company Portal website, and Intune app on Android are where end-users access company data and do common tasks related to their managed devices and apps. Based on your Intune settings, common task may include enrolling devices, installing and updating apps, locating information about your organization, and performing device actions. Intune allow you to customize and configure the Company Portal. The Company Portal app supports iOS/iPadOS, Linux, macOS, and Windows devices. The Intune app supports Android devices.
+The Company Portal app, Company Portal website, and Intune app on Android are where end users access company data and do common tasks related to their managed devices and apps. Based on your Intune settings, common task may include enrolling devices, installing and updating apps, locating information about your organization, and performing device actions. Intune allow you to customize and configure the Company Portal. The Company Portal app supports iOS/iPadOS, Linux, macOS, and Windows devices. The Intune app supports Android devices.
> [!NOTE]
-> The "Company Portal" is commonly used as the descriptor for the Intune app, Company portal app, and the Company portal website. The Company Portal exists on each end-user's device.
+> The "Company Portal" is commonly used as the descriptor for the Intune app, Company portal app, and the Company portal website. The Company Portal exists on each end user's device.
-End-users can use the Company Portal to view details about their managed devices and available apps used with Intune at your organization. In addition, end-users can perform self-service device actions from the Company Portal, including the following device actions:
+End users can use the Company Portal to view details about their managed devices and available apps used with Intune at your organization. In addition, end users can perform self-service device actions from the Company Portal, including the following device actions:
- Retire - Wipe
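Review bot: The rewritten opening paragraph still contains "common task may include" and "Intune allow you to customize". Change them to "common tasks may include" and "Intune allows you to customize" while the line is being edited for the "end users" substitution.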
End-users can use the Company Portal to view details about their managed devices
- Key Recovery > [!IMPORTANT]
-> Before end-users can use the Company Portal, you must set up their work account. Your organization must also have a subscription to Microsoft Intune.
+> Before end users can use the Company Portal, you must set up their work account. Your organization must also have a subscription to Microsoft Intune.
-Company Portal helps simplify the tasks your end-users need to do for work. For example, end-users may use the Company Portal to do the following:
+Company Portal helps simplify the tasks your end users need to do for work. For example, end users may use the Company Portal to do the following:
- Enroll their device to access corporate resources, including Office, email, and OneDrive for Business. - Quickly reset the password to their work account if they should forget it
Company Portal helps simplify the tasks your end-users need to do for work. For
## Customize the Company Portal
-You can customize the end-user experience for the Company Portal. Customizing the Company Portal is different from configuring the Company Portal. Customization helps provide a familiar and helpful experience for your end-users. You can customize the Company Portal so that it supports specific details about your organization, such as the following:
+You can customize the end user experience for the Company Portal. Customizing the Company Portal is different from configuring the Company Portal. Customization helps provide a familiar and helpful experience for your end users. You can customize the Company Portal so that it supports specific details about your organization, such as the following:
-- [Add branding information](#add-branding-information) for the end-users at your organization
+- [Add branding information](#add-branding-information) for the end users at your organization
- [Add support information](#add-support-information) for your organization - [Configure the Company Portal](#configure-the-company-portal) experience for enrollment, privacy, notifications, device categories, app sources, and self-service actions
Navigate to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/
### Add branding information
-Adding branding information for your Intune tenant allows you to customize the experience end-users have when using the Company Portal. Branding involves setting fields in Intune, such as:
+Adding branding information for your Intune tenant allows you to customize the experience end users have when using the Company Portal. Branding involves setting fields in Intune, such as:
- Organization name - Color
For more information, such as branding best practices and examples, see [Brandin
### Add support information
-Adding support information for your Intune tenant will also allow you to customize the end-users experience. By providing your organization's support information, your end-users can reach out with questions. This support information is displayed on **Support**, **Help & Support**, and **Helpdesk** pages across the end-user experience.
+Adding support information for your Intune tenant will also allow you to customize the end users experience. By providing your organization's support information, your end users can reach out with questions. This support information is displayed on **Support**, **Help & Support**, and **Helpdesk** pages across the end user experience.
Support fields in Intune include the following:
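Review bot: Dropping the hyphen turns "the end-users experience" into "the end users experience", which is still ungrammatical. Use "the end-user experience" or "your end users' experience". The same paragraph ends with "across the end user experience", where the term is a modifier, so the blanket replacement should be checked case by case rather than applied everywhere.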
You can configure the Company Portal experience specifically for enrollment, pri
You can protect resources and devices by using mobile device management (MDM) and mobile application management (MAM) services and tools from Intune. MDM enables organizations to protect and secure their resources and data based on enrolled devices. Organization can make sure that only authorized people and devices get access to proprietary information. Similarly, device users can feel at ease accessing work data from their device, such as a phone, because they know their device meets their organization's security requirements. MAM enables organizations to manage and protect their data within an application.
-If you choose to enroll users devices to be managed by Intune, in most enrollment scenarios the Company Portal will automatically be installed on the end-user's device. The Company Portal is used to authenticate the end-user within your organization when they launch the Company Portal. For more information, see [Set up automated device enrollment in Intune](/mem/intune/enrollment/device-enrollment-program-enroll-ios).
+If you choose to enroll users devices to be managed by Intune, in most enrollment scenarios the Company Portal will automatically be installed on the end user's device. The Company Portal is used to authenticate the end user within your organization when they launch the Company Portal. For more information, see [Set up automated device enrollment in Intune](/mem/intune/enrollment/device-enrollment-program-enroll-ios).
> [!NOTE]
-> On personal or BYOD non-Windows client devices, end-users must install the Company Portal app from the Microsoft Store. Once installed, end-users open the Company Portal app and sign in with their organization credentials. For example, `user@contoso.com`.
+> On personal or BYOD non-Windows client devices, end users must install the Company Portal app from the Microsoft Store. Once installed, end users open the Company Portal app and sign in with their organization credentials. For example, `user@contoso.com`.
### Understand privacy
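Review bot: The note tells users on "personal or BYOD non-Windows client devices" to install the Company Portal app "from the Microsoft Store", and the two halves do not fit together, because the Microsoft Store serves Windows devices. Either drop "non-" or name the store for each platform, so users are pointed at the official source for their device. In the paragraph above the note, "enroll users devices" is also missing the possessive and should read "users' devices".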
You can allow or block the device category prompt in Intune Company Portal. For
### App sources
-You can choose which additional app sources will be shown in Company Portal to end-users at your organization. You can choose to hide or show Microsoft Entra Enterprise Applications, Office Online Applications, or Configuration Manager Applications. You can find these settings in [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Tenant administration** > **Customization**. For more information, see [App source setting options](/mem/intune/apps/company-portal-app#app-source-setting-options).
+You can choose which additional app sources will be shown in Company Portal to end users at your organization. You can choose to hide or show Microsoft Entra Enterprise Applications, Office Online Applications, or Configuration Manager Applications. You can find these settings in [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Tenant administration** > **Customization**. For more information, see [App source setting options](/mem/intune/apps/company-portal-app#app-source-setting-options).
### Remove and reset device actions
-You can customize the visibility of specific self-service device actions for Windows and iOS devices. The **Remove** and **Reset** device actions can be customized for end-users in the Company Portal. These actions can be used to restrict device actions in the Company Portal app and website, however don't implement any device restriction policies. To prevent users from removing or resetting corporate Windows and iOS devices, you can hide these actions from the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Tenant Administration** > **Customization**. For more information, see [Customizing Remove and Reset device actions](/mem/intune/apps/company-portal-app#customizing-remove-and-reset-device-actions).
+You can customize the visibility of specific self-service device actions for Windows and iOS devices. The **Remove** and **Reset** device actions can be customized for end users in the Company Portal. These actions can be used to restrict device actions in the Company Portal app and website, however don't implement any device restriction policies. To prevent users from removing or resetting corporate Windows and iOS devices, you can hide these actions from the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Tenant Administration** > **Customization**. For more information, see [Customizing Remove and Reset device actions](/mem/intune/apps/company-portal-app#customizing-remove-and-reset-device-actions).
### Configure the Company Portal for iOS/iPadOS ADE
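Review bot: in the added "Remove and reset device actions" paragraph, "however don't implement any device restriction policies" has no subject, so the point that these settings only change visibility in Company Portal and enforce nothing is easy to misread. Suggest "These settings hide the actions in the Company Portal app and website; they don't implement any device restriction policies." The same line writes **Tenant Administration** while the added app-sources line above it writes **Tenant administration**; pick one casing.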
solutions Apps Config Step 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-config-step-2.md
keywords:
# Step 2. Configure Microsoft Outlook
-Microsoft Intune makes it easy to provide Microsoft Outlook to your end-users at your organization. Outlook provides secure email, calendar, contacts, and files. You can choose to add app configuration policies for Microsoft Outlook to iOS/iPadOS or Android devices. Outlook for iOS/iPadOS and Android supports app settings that allow unified endpoint management (UEM) administrators (using tools such as Microsoft Intune) and Microsoft 365 or Office 365 administrators to customize the behavior of the app.
+Microsoft Intune makes it easy to provide Microsoft Outlook to your end users at your organization. Outlook provides secure email, calendar, contacts, and files. You can choose to add app configuration policies for Microsoft Outlook to iOS/iPadOS or Android devices. Outlook for iOS/iPadOS and Android supports app settings that allow unified endpoint management (UEM) administrators (using tools such as Microsoft Intune) and Microsoft 365 or Office 365 administrators to customize the behavior of the app.
> [!NOTE] > The methods described use Microsoft Intune as the unified endpoint management service and Exchange as the messaging platform.
solutions Apps Config Step 3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-config-step-3.md
Microsoft 365 Apps is a version of Office that's available through Microsoft 365
Configuration for **Microsoft 365 Apps for Windows 10 and later** in Intune takes place when adding the app to Intune. > [!IMPORTANT]
-> Before you add Microsoft 365 Apps to Intune, you want to check the prerequisites for the end-user's devices at your organization. For more information, see the [Before you start]() section of [Add Microsoft 365 Apps to Windows 10/11 devices with Microsoft Intune](/mem/intune/apps/apps-add-office365).
+> Before you add Microsoft 365 Apps to Intune, you want to check the prerequisites for the end user's devices at your organization. For more information, see the [Before you start]() section of [Add Microsoft 365 Apps to Windows 10/11 devices with Microsoft Intune](/mem/intune/apps/apps-add-office365).
When you add [Microsoft 365 Apps for Windows 10 and later](/mem/intune/apps/apps-add-office365#select-microsoft-365-apps) to Intune, you also determine how you want these apps configured. After adding the [app suite information](/mem/intune/apps/apps-add-office365#step-1app-suite-information), you can choose how you want to add the configuration details. Use the [configuration designer](/mem/intune/apps/apps-add-office365#step-2option-1-configure-app-suite-using-the-configuration-designer) if you don't already have the specific XML configuration data needed for this app type.
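Review bot: the added IMPORTANT note keeps `[Before you start]()` with an empty link target, so the prerequisites reference leads nowhere. Point it at the matching section anchor of the article linked next to it, or drop the link markup and keep the section name as plain text. "the end user's devices at your organization" also reads better as "your end users' devices".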
To use the configuration designer, you must set **Configuration settings format*
### Configure app suite
-You can select the Microsoft apps to install on your end-user's Windows 10/11 devices. Additionally, if you own licenses for [additional Office apps](/deployoffice/use-the-office-deployment-tool-to-install-volume-licensed-editions-of-visio-2016), such as Microsoft Project and Microsoft Visio, you can also assign them with Intune.
+You can select the Microsoft apps to install on your end user's Windows 10/11 devices. Additionally, if you own licenses for [additional Office apps](/deployoffice/use-the-office-deployment-tool-to-install-volume-licensed-editions-of-visio-2016), such as Microsoft Project and Microsoft Visio, you can also assign them with Intune.
### App suite information
-You can select the app architecture type, default file format, and update channel for the app suite. The **Architecture** setting allows you to select the 32-bit or 64-bit edition of Microsoft 365 Apps to be installed on your end-user's devices. The **Default file format** setting allows you to choose the file format for the suite. Microsoft recommends you use the **Office Open XML Format**. You can also set the **Update channel**. This setting defines how often the app is updated with new features. Microsoft recommends selecting the **Monthly Enterprise Channel** along with **Remove other versions** set to **Yes**.
+You can select the app architecture type, default file format, and update channel for the app suite. The **Architecture** setting allows you to select the 32-bit or 64-bit edition of Microsoft 365 Apps to be installed on your end user's devices. The **Default file format** setting allows you to choose the file format for the suite. Microsoft recommends you use the **Office Open XML Format**. You can also set the **Update channel**. This setting defines how often the app is updated with new features. Microsoft recommends selecting the **Monthly Enterprise Channel** along with **Remove other versions** set to **Yes**.
### Properties
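Review bot: the replacements under "Configure app suite" and "App suite information" turn "end-user's" into "end user's", which is still a singular possessive applied to all devices in the organization. Since this change is a terminology pass, use "your end users' Windows 10/11 devices" and "your end users' devices" in both added lines.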
For more information about configuring the Microsoft 365 Apps for Windows 10 and
You can create an app configuration policy in Intune that allows you to configure specific settings for Microsoft 365 (Office) for iOS/iPadOS. For the iOS/iPad app that support [app configuration](/mem/intune/apps/app-configuration-policies-overview#apps-that-support-app-configuration), you can create either an app configuration policy to target [Managed devices](/mem/intune/apps/app-configuration-policies-overview#managed-devices) or [Managed apps](/mem/intune/apps/app-configuration-policies-overview#managed-apps).
-When you choose to target an app configuration policy to **Managed apps**, you're using "MAM channel" to deliver app configuration to end-users at your organization. Within the Intune admin center, the MAM channel is referred to as a Managed Apps app configuration policy. The MAM channel is different than the mobile device management (MDM) OS platform channels that are offered when a device is enrolled. By using the MAM channel, apps can receive app configuration policies regardless of the device enrollment state. This is an important difference between mobile application management and mobile device management.
+When you choose to target an app configuration policy to **Managed apps**, you're using "MAM channel" to deliver app configuration to end users at your organization. Within the Intune admin center, the MAM channel is referred to as a Managed Apps app configuration policy. The MAM channel is different than the mobile device management (MDM) OS platform channels that are offered when a device is enrolled. By using the MAM channel, apps can receive app configuration policies regardless of the device enrollment state. This is an important difference between mobile application management and mobile device management.
> [!NOTE] > With Microsoft Intune, app configuration delivered through the mobile device management OS channel is referred to as a **Managed Devices** App Configuration Policy (ACP); app configuration delivered through the App Protection Policy (APP) channel is referred to as a **Managed Apps** App Configuration Policy.
For additional app configuration policy information for iOS/iPadOS, see the foll
## Configure Microsoft 365 (Office) as a managed app
-If your end-user's Android devices isn't managed, you can use the **Managed apps** channel to configuration Microsoft 365 (Office). Configuration settings available for this app when you choose this channel for your policy include general [configuration settings](apps-config-step-6.md#managed-apps-configuration-settings) and configuration for [Microsoft Tunnel](apps-config-step-6.md#connected-apps-configuration). For more information about this channel for managed devices, see, [App configuration policies for the Managed apps channel](apps-config-step-6.md#app-configuration-policies-for-the-managed-apps-channel).
+If your end user's Android devices isn't managed, you can use the **Managed apps** channel to configuration Microsoft 365 (Office). Configuration settings available for this app when you choose this channel for your policy include general [configuration settings](apps-config-step-6.md#managed-apps-configuration-settings) and configuration for [Microsoft Tunnel](apps-config-step-6.md#connected-apps-configuration). For more information about this channel for managed devices, see, [App configuration policies for the Managed apps channel](apps-config-step-6.md#app-configuration-policies-for-the-managed-apps-channel).
## Policies for Office apps
-Intune provides [policies specifically for Microsoft Office apps](/mem/intune/apps/app-office-policies). You can select specific options to create mobile app management policies for Office mobile apps that connect to Microsoft 365 services. There are many policies for Office apps that you can add to Microsoft Intune and apply to groups of end-users.
+Intune provides [policies specifically for Microsoft Office apps](/mem/intune/apps/app-office-policies). You can select specific options to create mobile app management policies for Office mobile apps that connect to Microsoft 365 services. There are many policies for Office apps that you can add to Microsoft Intune and apply to groups of end users.
You must meet the requirements to use policies for Office apps. For more information about requirements, see [Requirements for using the Office cloud policy service](/deployoffice/overview-office-cloud-policy-service#requirements-for-using-the-office-cloud-policy-service). App protection policies aren't supported for other apps that connect to on-premises Exchange or SharePoint services. For related information, see [Overview of the Office cloud policy service for Microsoft 365 Apps for enterprise](/deployoffice/overview-office-cloud-policy-service).
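Review bot: the added line under "Configure Microsoft 365 (Office) as a managed app" only changes "end-user's" and keeps two errors in the same sentence: "Android devices isn't managed" and "to configuration Microsoft 365 (Office)". These should read "Android devices aren't managed" and "to configure Microsoft 365 (Office)". The comma after "see" before the final link can go as well.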
solutions Apps Config Step 4 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-config-step-4.md
keywords:
# Step 4. Configure Microsoft Edge
-Microsoft Edge provides AI-powered web browsing capabilities. Using Intune, Microsoft Edge can be added, configured, and assigned to end-users at your organization. Once added and assigned, end-users can use Microsoft Edge to safely view and work with your company resources. Using Intune, you can also assign Microsoft Edge to your end-users to support conditional access, app protection, and single sign-on at your organization.
+Microsoft Edge provides AI-powered web browsing capabilities. Using Intune, Microsoft Edge can be added, configured, and assigned to end users at your organization. Once you have added and assigned Microsoft Edge, end users can use Edge to safely view and work with your company resources. Using Intune, you can also assign Microsoft Edge to your end users to support conditional access, app protection, and single sign-on at your organization.
You can add Microsoft Edge to Intune as a store app (Android, iOS/iPadOS), a Built-In app (Android, iOS/iPadOS), a Windows 10 and later app, a macOS app, or a Managed Google Play store app. However, only the Microsoft Edge for the iOS/iPadOS and Android platforms support app configuration policies.
Microsoft Edge for iOS/iPadOS and Android supports the following configuration s
### General app configuration settings
-Microsoft Edge provides several different configuration settings that allow you to customize the behavior of Edge on an end-user's device. The following table provides a list of general app configuration settings for Edge.
+Microsoft Edge provides several different configuration settings that allow you to customize the behavior of Edge on an end user's device. The following table provides a list of general app configuration settings for Edge.
| Key | Description | |||
Microsoft Edge provides several different configuration settings that allow you
| com.microsoft.intune.mam.managedbrowser.MyApps | You can have users view My Apps bookmark within the organization folder inside Edge for iOS and Android. For more information, see [My Apps bookmark](/mem/intune/apps/manage-microsoft-edge#my-apps-bookmark). | | com.microsoft.intune.mam.managedbrowser.PasswordSSO | You can enable Microsoft Entra password single sign-on (SSO) functionality offered by Microsoft Entra ID to allow user access management to web applications that don't support identity federation. For more information, see [Microsoft Entra password single sign-on](/mem/intune/apps/manage-microsoft-edge#azure-ad-password-single-sign-on). | | com.microsoft.intune.mam.managedbrowser.defaultHTTPS | Microsoft Edge for iOS and Android devices uses the HTTPS protocol handler when the user doesn't specify the protocol in the URL. For more information, see [Default protocol handler](/mem/intune/apps/manage-microsoft-edge#default-protocol-handler). |
-| com.microsoft.intune.mam.managedbrowser.disableShareUsageData | You can choose to enable data collection so that the end-user browsing experience in Edge is personalized. By default, end-users are promoted to share usage data. You can choose to disable the prompt and share usage data. For more information, see [Disable data sharing for personalization](/mem/intune/apps/manage-microsoft-edge#disable-data-sharing-for-personalization). |
-| com.microsoft.intune.mam.managedbrowser.disabledFeatures | You can disable certain features in Edge that are enabled by default. For example, you can disable password prompts, InPrivate browsing, authfill, translator, readaloud, drop documents and messages to devices), and developer tools. For more information, see [ Disable specific features](/mem/intune/apps/manage-microsoft-edge#disable-specific-features). |
+| com.microsoft.intune.mam.managedbrowser.disableShareUsageData | You can choose to enable data collection so that the end user browsing experience in Edge is personalized. By default, end users are promoted to share usage data. You can choose to disable the prompt and share usage data. For more information, see [Disable data sharing for personalization](/mem/intune/apps/manage-microsoft-edge#disable-data-sharing-for-personalization). |
+| com.microsoft.intune.mam.managedbrowser.disabledFeatures | You can disable certain features in Edge that are enabled by default. For example, you can disable password prompts, InPrivate browsing, translator, read aloud, drop documents and messages to devices), and developer tools. For more information, see [ Disable specific features](/mem/intune/apps/manage-microsoft-edge#disable-specific-features). |
| com.microsoft.intune.mam.managedbrowser.disableImportPasswords | You can disable the import of passwords from Password Manager. For more information, see [Disable import passwords feature](/mem/intune/apps/manage-microsoft-edge#disable-import-passwords-feature). |
-| com.microsoft.intune.mam.managedbrowser.cookieControlsMode | You can control whether sites can store cookies for your end-users. You can choose to allow cookies, block non-Microsoft cookies, block non-Microsoft cookies in InPrivate mode, or block all cookies. Cookies contain data about end-user browsing preferences. The are used to show you relevant content. |
+| com.microsoft.intune.mam.managedbrowser.cookieControlsMode | You can control whether sites can store cookies for your end users. You can choose to allow cookies, block non-Microsoft cookies, block non-Microsoft cookies in InPrivate mode, or block all cookies. Cookies contain data about end user browsing preferences. The are used to show you relevant content. |
| com.microsoft.intune.mam.managedbrowser.enableKioskMode | For Android devices, you can enable kiosk mode in Edge. Kiosk mode runs Edge in full-screen. By default, kiosk mode is disabled. For more information, see [Kiosk mode experiences on Android devices](/mem/intune/apps/manage-microsoft-edge#kiosk-mode-experiences-on-android-devices). | | com.microsoft.intune.mam.managedbrowser.showAddressBarInKioskMode | For Android devices, you can show the address bar in kiosk mode in Edge. By default, this setting is disabled. For more information, see [Kiosk mode experiences on Android devices](/mem/intune/apps/manage-microsoft-edge#kiosk-mode-experiences-on-android-devices). | | com.microsoft.intune.mam.managedbrowser.showBottomBarInKioskMode | For Android devices, you can show the bottom action bar in kiosk mode in Edge. By default, this setting is disabled. For more information, see [Kiosk mode experiences on Android devices](/mem/intune/apps/manage-microsoft-edge#kiosk-mode-experiences-on-android-devices). | | com.microsoft.intune.mam.managedbrowser.NetworkStackPref | You can choose which network stack is used for Microsoft Edge service communication. The layers of the network architecture are called the network stack. The layers of a network stack are broadly divided into sections, such as Network Interface, Network Driver Interface Specification (NDIS), Protocol Stack, System Drivers, and User-Mode Applications. By default, Microsoft Edge uses the Chromium network stack. You can choose between using the Chromium network stack and the iOS network stack. Primarily, by choosing a network stack, you select which sync services and auto search suggestions are used. | | com.microsoft.intune.mam.managedbrowser.proxyPacUrl | You can choose a URL to a proxy autoconfig (PAC) file to use with Microsoft Edge. **Note:** Use **ProxySettings** instead. 
For more information, see [ProxyPacUrl](/DeployEdge/microsoft-edge-policies#proxypacurl) and [Set a proxy .pac file URL](/mem/intune/apps/manage-microsoft-edge#set-a-proxy-pac-file-url). | | com.microsoft.intune.mam.managedbrowser.proxyPacUrl.FailOpenEnabled | You can choose to block network access with invalid or unavailable proxy autoconfig (PAC) script. By default, network access is blocked. For more information, see [PAC failed-open support](/mem/intune/apps/manage-microsoft-edge#pac-failed-open-support) and [ProxySettings](/DeployEdge/microsoft-edge-policies#proxysettings). |
-| com.microsoft.intune.mam.managedbrowser.PersistentWebsiteDataStore | For iOS devices, you can choose the persistent website data store to use for an end-user in Edge. By default, the personal account is used. However, you can choose to use the website data store based on the first signed-in account, or choose to use the work or school account first regardless of the sign-in order. For more information, see [iOS Website data store](/mem/intune/apps/manage-microsoft-edge#ios-website-data-store). |
+| com.microsoft.intune.mam.managedbrowser.PersistentWebsiteDataStore | For iOS devices, you can choose the persistent website data store to use for an end user in Edge. By default, the personal account is used. However, you can choose to use the website data store based on the first signed-in account, or choose to use the work or school account first regardless of the sign-in order. For more information, see [iOS Website data store](/mem/intune/apps/manage-microsoft-edge#ios-website-data-store). |
| com.microsoft.intune.mam.managedbrowser.SmartScreenEnabled | Microsoft Defender SmartScreen is a feature that helps users avoid malicious sites and downloads. For more information, see [Microsoft Defender SmartScreen](/mem/intune/apps/manage-microsoft-edge#microsoft-defender-smartscreen). | | com.microsoft.intune.mam.managedbrowser.OpeningExternalApps | When a web page requests to open an external app, users will see a pop-up asking them to open the external app or not. Organizations can manage the behavior. For more information, see [Block opening external apps](/mem/intune/apps/manage-microsoft-edge#block-opening-external-apps). | | com.microsoft.intune.mam.managedbrowser.Chat | You can choose to hide or show the Bing button in the bottom bar of Edge as part of Bing Chat Enterprise. For more information, see [Bing Chat Enterprise](/mem/intune/apps/manage-microsoft-edge#bing-chat-enterprise). | | com.microsoft.intune.mam.managedbrowser.ChatPageContext | You can choose whether Bing Chat Enterprise has access to page content. By default, this setting shows the **Page context** and **Show quick chat panel** options under the Bing co-pilot mode. For more information, see [Bing Chat Enterprise](/mem/intune/apps/manage-microsoft-edge#bing-chat-enterprise). |
-| EdgeLockedViewModeEnabled | Edge for iOS and Android can be enabled as locked view mode with MDM policy `EdgeLockedViewModeEnabled`. This policy, which is disabled by default, allows organizations to restrict various browser functionality, providing a controlled and focused browsing experience. The locked view mode is often used together with MAM policy **com.microsoft.intune.mam.managedbrowser.NewTabPage.CustomURL** or MDM policy **EdgeNewTabPageCustomURL**, which allow organizations to configure a specific web page that is automatically launched when Edge is opened. Users are restricted to this web page and cannot navigate to other websites, providing a controlled environment for specific tasks or content consumption. |
+| EdgeLockedViewModeEnabled | Edge for iOS and Android can be enabled as locked view mode with MDM policy `EdgeLockedViewModeEnabled`. This policy, which is disabled by default, allows organizations to restrict various browser functionalities, providing a controlled and focused browsing experience. The locked view mode is often used together with MAM policy **com.microsoft.intune.mam.managedbrowser.NewTabPage.CustomURL** or MDM policy **EdgeNewTabPageCustomURL**, which allow organizations to configure a specific web page that is automatically launched when Edge is opened. Users are restricted to this web page and cannot navigate to other websites, providing a controlled environment for specific tasks or content consumption. |
### Data protection configuration settings
-Microsoft Edge provides several different configuration settings that allow you to customize the behavior of Edge on an end-user's device. The following table provides a list of data protection configuration settings for Edge.
+Microsoft Edge provides several different configuration settings that allow you to customize the behavior of Edge on an end user's device. The following table provides a list of data protection configuration settings for Edge.
| Key | Description | |||
-| com.microsoft.intune.mam.managedbrowser.account.syncDisabled | You can choose to allow Edge to sync end-user's browsing data across all their signed-in devices. This relates to Favorites, Passwords, and Address (autofill). For more information, see [Manage account synchronization](/mem/intune/apps/manage-microsoft-edge#manage-account-synchronization). |
-| com.microsoft.intune.mam.managedbrowser.AllowListURLs | You can add a list of URLs that end-users are allowed to reach. End-users must be using their work or school account in Edge. For more information, see [Manage restricted web sites](/mem/intune/apps/manage-microsoft-edge#manage-restricted-web-sites). |
-| com.microsoft.intune.mam.managedbrowser.BlockListURLs | You can choose a list of URLs that end-users aren't allowed to reach. End-users must be using their work or school account in Edge. For more information, see [Manage restricted web sites](/mem/intune/apps/manage-microsoft-edge#manage-restricted-web-sites). |
-| com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock | You can choose to allow managed users (work or school account) to switch to their personal account to view a website. Personal accounts must not disabled. Users are prompted to either switch to the personal context to open the restricted site, or to add a personal account. For more information, see [Manage restricted web sites](/mem/intune/apps/manage-microsoft-edge#manage-restricted-web-sites). |
+| com.microsoft.intune.mam.managedbrowser.account.syncDisabled | You can choose to allow Edge to sync end user's browsing data across all their signed-in devices. This relates to Favorites, Passwords, and Address (autofill). For more information, see [Manage account synchronization](/mem/intune/apps/manage-microsoft-edge#manage-account-synchronization). |
+| com.microsoft.intune.mam.managedbrowser.AllowListURLs | You can add a list of URLs that end users are allowed to reach. End users must be using their work or school account in Edge. For more information, see [Manage restricted web sites](/mem/intune/apps/manage-microsoft-edge#manage-restricted-web-sites). |
+| com.microsoft.intune.mam.managedbrowser.BlockListURLs | You can choose a list of URLs that end users aren't allowed to reach. End users must be using their work or school account in Edge. For more information, see [Manage restricted web sites](/mem/intune/apps/manage-microsoft-edge#manage-restricted-web-sites). |
+| com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock | You can choose to allow managed users (work or school account) to switch to their personal account to view a website. Personal accounts must not be disabled. Users are prompted to either switch to the personal context to open the restricted site, or to add a personal account. For more information, see [Manage restricted web sites](/mem/intune/apps/manage-microsoft-edge#manage-restricted-web-sites). |
| com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked | You can choose to allow restricted sites to be opened in the Microsoft Entra account's InPrivate context. If the Microsoft Entra account is the only account configured in Edge, the restricted site is opened automatically in the InPrivate context. For more information, see [Manage restricted web sites](/mem/intune/apps/manage-microsoft-edge#manage-restricted-web-sites). |
-| com.microsoft.intune.mam.managedbrowser.durationOfOpenInPrivateSnackBar | You can choose the number of seconds that an end-user see the snack bar notification "Access to this site is blocked by your organization. WeΓÇÖve opened it in InPrivate mode for you to access the site." For more information, see [Manage restricted web sites](/mem/intune/apps/manage-microsoft-edge#manage-restricted-web-sites). |
+| com.microsoft.intune.mam.managedbrowser.durationOfOpenInPrivateSnackBar | You can choose the number of seconds that an end user sees the snack bar notification "Access to this site is blocked by your organization. WeΓÇÖve opened it in InPrivate mode for you to access the site." For more information, see [Manage restricted web sites](/mem/intune/apps/manage-microsoft-edge#manage-restricted-web-sites). |
| com.microsoft.intune.mam.managedbrowser.AppProxyRedirection | On iOS devices, you can enable Microsoft Entra application proxy redirection scenarios. By default, Microsoft Entra application proxy scenarios are prevented. For more information, see [Manage proxy configuration](/mem/intune/apps/manage-microsoft-edge#manage-proxy-configuration). |
-| com.microsoft.intune.mam.managedbrowser.NTLMSSOURLs | You can choose a list of internal (intranet) websites that enable NTLM credential caching. The end-users must enter credentials and successfully authenticate when attempting to access a URL in the list. NTLM is a Windows network authentication protocol. For more information, see [Manage NTLM single sign-on sites](/mem/intune/apps/manage-microsoft-edge#manage-ntlm-single-sign-on-sites). |
+| com.microsoft.intune.mam.managedbrowser.NTLMSSOURLs | You can choose a list of internal (intranet) websites that enable NTLM credential caching. The end users must enter credentials and successfully authenticate when attempting to access a URL in the list. NTLM is a Windows network authentication protocol. For more information, see [Manage NTLM single sign-on sites](/mem/intune/apps/manage-microsoft-edge#manage-ntlm-single-sign-on-sites). |
| com.microsoft.intune.mam.managedbrowser.durationOfNTLMSSO | You can enter the number of hours to cache credentials when using NTLM credential caching. NTLM is a Windows network authentication protocol. For more information, see [Manage NTLM single sign-on sites](/mem/intune/apps/manage-microsoft-edge#manage-ntlm-single-sign-on-sites). | | com.microsoft.intune.mam.managedbrowser.MicrosoftRootStoreEnabled | Microsoft Edge for Android verifies server certificates using the built-in certificate verifier and the Microsoft Root Store as the source of public trust. Organizations can switch to system certificate verifier and system root certificates. For more information, see [Manage NTLM single sign-on sites](/mem/intune/apps/manage-microsoft-edge#open-external-apps). |
-| com.microsoft.intune.mam.managedbrowser.SSLErrorOverrideAllowed | You can configure whether end-users can click through SSL warning pages. For more information, see [SSL warning page control](/mem/intune/apps/manage-microsoft-edge#ssl-warning-page-control). |
+| com.microsoft.intune.mam.managedbrowser.SSLErrorOverrideAllowed | You can configure whether end users can click through SSL warning pages. For more information, see [SSL warning page control](/mem/intune/apps/manage-microsoft-edge#ssl-warning-page-control). |
For more information about configuring Microsoft Edge, see [Manage Microsoft Edge on iOS and Android with Intune](/mem/intune/apps/manage-microsoft-edge).
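Review bot: the added `disableShareUsageData` row still says end users are "promoted to share usage data", which should be "prompted", and its description ("enable data collection", then "disable the prompt and share usage data") does not say what setting a key named disable... actually does; state the effect of the value explicitly. In the same tables, the added `durationOfOpenInPrivateSnackBar` row carries a mis-encoded apostrophe in "WeΓÇÖve", the added `disabledFeatures` row has an unmatched ")" after "devices" and a leading space inside "[ Disable specific features]", and the added `cookieControlsMode` row keeps "The are used". The `disabledFeatures` row also drops "authfill" from the feature list; confirm that is intended and not a side effect of the wording pass.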
solutions Apps Config Step 5 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-config-step-5.md
keywords:
# Step 5. Configure Microsoft Teams
-Microsoft Teams allows your organization to collaborate and communicate in real-time. Your organization can use Teams to chat between individuals, groups, teams, and channels. They can set up meetings, share apps and files, and make calls. Team also supports adding a variety of apps to bring capability and insight.
+Microsoft Teams allows your organization to collaborate and communicate in real-time. Your organization can use Teams to chat between individuals, groups, teams, and channels. They can set up meetings, share apps and files, and make calls. Team also supports adding various apps to bring capability and insight.
-Using Intune, Teams can be added, configured, and assigned to your organization's end-users. You can also assign Microsoft Teams to your end-users to support conditional access, app protection, and single sign-on at your organization.
+Using Intune, Teams can be added, configured, and assigned to your organization's end users. You can also assign Microsoft Teams to your end users to support conditional access, app protection, and single sign-on at your organization.
You can add Microsoft Teams to Intune as a store app (Android, iOS/iPadOS), a Built-In app (Android, iOS/iPadOS), a Windows 10 and later app, or a Managed Google Play store app. However, only the Microsoft Teams for the iOS/iPadOS and Android platforms support app configuration policies.
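Review bot: the added intro paragraph for Step 5 rewrites "a variety of apps" but keeps "Team also supports", which should be "Teams also supports". "in real-time" in the first sentence of the same line is used as a noun phrase and should be "in real time".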
There are two ways to deliver app configuration using Intune. The first way is t
## General configuration settings
-Microsoft Teams provides configuration settings that allow you to customize the behavior of Teams on an end-user's device. The following table provides a list of general app configuration settings for Teams.
+Microsoft Teams provides configuration settings that allow you to customize the behavior of Teams on an end user's device. The following table provides a list of general app configuration settings for Teams.
| Key | Description | |||
-| com.microsoft.teams.chat.notifications.IntuneMAMOnly | You can allow chat notifications when using the Mobile Application Management (MAM) channel in Intune. You select the **Managed apps** option when create an app configuration policy. For more information, see [Notification settings in Microsoft Teams](/mem/intune/apps/manage-microsoft-teams#notification-settings-in-microsoft-teams). |
-| com.microsoft.teams.channel.notifications.IntuneMAMOnly | You can allow channel notifications when using the MAM channel in Intune. You select the **Managed apps** option when create an app configuration policy. For more information, see [Notification settings in Microsoft Teams](/mem/intune/apps/manage-microsoft-teams#notification-settings-in-microsoft-teams). |
-| com.microsoft.teams.others.notifications.IntuneMAMOnly | You can allow other notifications when using the MAM channel in Intune. You select the **Managed apps** option when create an app configuration policy. For more information, see [Notification settings in Microsoft Teams](/mem/intune/apps/manage-microsoft-teams#notification-settings-in-microsoft-teams). |
+| com.microsoft.teams.chat.notifications.IntuneMAMOnly | You can allow chat notifications when using the Mobile Application Management (MAM) channel in Intune. You select the **Managed apps** option when you create an app configuration policy. For more information, see [Notification settings in Microsoft Teams](/mem/intune/apps/manage-microsoft-teams#notification-settings-in-microsoft-teams). |
+| com.microsoft.teams.channel.notifications.IntuneMAMOnly | You can allow channel notifications when using the MAM channel in Intune. You select the **Managed apps** option when you create an app configuration policy. For more information, see [Notification settings in Microsoft Teams](/mem/intune/apps/manage-microsoft-teams#notification-settings-in-microsoft-teams). |
+| com.microsoft.teams.others.notifications.IntuneMAMOnly | You can allow other notifications when using the MAM channel in Intune. You select the **Managed apps** option when you create an app configuration policy. For more information, see [Notification settings in Microsoft Teams](/mem/intune/apps/manage-microsoft-teams#notification-settings-in-microsoft-teams). |
-For these notifications to show up on iOS/iPadOS and Android devices, your end-users must ensure specific settings are set in the Teams and Company Portal apps. For more information, see [Teams notifications](/mem/intune/apps/manage-microsoft-teams#for-the-notifications-to-show-up-on-ios-and-android-devices).
+For these notifications to show up on iOS/iPadOS and Android devices, your end users must ensure specific settings are set in the Teams and Company Portal apps. For more information, see [Teams notifications](/mem/intune/apps/manage-microsoft-teams#for-the-notifications-to-show-up-on-ios-and-android-devices).
> [!NOTE] > Microsoft Teams also supports Microsoft Tunnel for Mobile Application Management. For more information, see [Microsoft Tunnel for Mobile Application Management for Android](/mem/intune/protect/microsoft-tunnel-mam-android) and [Microsoft Tunnel for Mobile Application Management for iOS/iPadOS](/mem/intune/protect/microsoft-tunnel-mam-ios).
solutions Apps Config Step 6 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-config-step-6.md
App configuration policies can be deployed based on the **Managed devices** chan
## App configuration policies for the Managed devices channel
-When you choose Managed devices,** you can choose to target your app configuration policy to either **iOS/iPadOS** or **Android Enterprise** devices. For **iOS/iPadOS** apps, you can choose a single associated **Built-In iOS app** or **iOS store app**. For **Android Enterprise** apps, you can choose a single associated **Managed Google Play store app** or **Managed Google Play web link**.
+When you choose Managed devices,** you can choose to target your app configuration policy to either **iOS/iPadOS** or **Android Enterprise** devices. For **iOS/iPadOS** apps, you can choose a single associated **Built-In iOS app** or **iOS store app**. For **Android Enterprise** apps, you can choose a single associated **Managed Google Play store app** or **Managed Google Play web link**.
When you select the **Managed devices** channel, you find that iOS/iPadOS has different standard configuration options than Android Enterprise. When you select **iOS/iPadOS** as the platform for your configuration policy, you can add standard configuration keys for the specific app. When you select **Android Enterprise** as the platform for your configuration policy, you must select a **Profile Type** that specifies how your app is targeted based on the Android device profile. Additionally, you can add standard configuration keys for the specific app, and you can also choose to enable [Connected apps](#connected-apps-configuration). ### Configure specific Android Enterprise apps Managed Home Screen, Google Chrome for Android, and Microsoft Launcher are [Android Enterprise](/mem/intune/apps/app-configuration-policies-use-android) apps that can be configured for the **Managed devices** channel. Each of these apps supports configuring the following areas:+ - [Permissions](#android-enterprise-app-configuration-permissions) - [Configuration Settings](#android-enterprise-app-configuration-settings) - [Connected apps](#connected-apps-configuration) > [!NOTE] > You must adhere to the following prerequisites:
+>
> - The user's Android Enterprise device must be enrolled in Intune. For more information, see [Set up enrollment of Android Enterprise personally-owned work profile devices](/mem/intune/enrollment/android-work-profile-enroll). > - Managed Home Screen, Google Chrome for Android, and Microsoft Launcher are added as a Managed Google Play app. For more information about Managed Google Play, see [Connect your Intune account to your Managed Google Play account](/mem/intune/enrollment/connect-intune-android-enterprise). For more information about configuring these apps, see the following resources:+ - [Configure the Microsoft Managed Home Screen app for Android Enterprise](/mem/intune/apps/app-configuration-managed-home-screen-app) - [Configure Google Chrome for Android devices using Intune](/mem/intune/apps/apps-configure-chrome-android) - [Configure Microsoft Launcher](/mem/intune/apps/configure-microsoft-launcher)
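Review bot: The opening sentence under "App configuration policies for the Managed devices channel" still has unbalanced bold markup in the added line: `When you choose Managed devices,**` carries a closing `**` with no opening one. Suggest `When you choose **Managed devices**, you can choose to target ...` so the channel name renders bold the way it does in the following paragraph.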
If the managed app supports configuration settings, the Configuration settings f
#### Connected apps configuration You can allow users using Android personally owned and corporate-owned work profiles to turn on connected apps experiences for supported apps. This app configuration setting enables apps to connect and integrate app data across the work and personal app instances. For example, connecting a calendar app can show work and personal events together. Some apps might not support connected apps. Additionally, this setting only works for personally owned and corporate-owned work profile devices. For more information, see [Enable connected apps](/mem/intune/apps/app-configuration-policies-use-android#enable-connected-apps).
-
+ ## App configuration policies for the Managed apps channel When you choose the **Managed apps** channel, you can choose you can select the app(s) you would like to target with the policy. You can target an app configuration policy to **Selected apps**, **All apps**, **All Microsoft apps**, or **Core Microsoft apps**. **All Apps** include all Microsoft and partner apps that have integrated the Intune SDK. **Microsoft Apps** include all Microsoft apps that have integrated the Intune SDK. **Core Microsoft apps** include a set of specific Microsoft apps. **Selected apps** allows you to apply an app configuration policy to specific apps. These specific apps can include **Public apps** and **Custom apps**. **Public apps** are apps contained in a predefined app group, such as store apps that you have added to Intune. **Custom apps** are apps that you that you have added from an app store and have also added to Intune.
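Review bot: The paragraph under "App configuration policies for the Managed apps channel" has two doubled phrases worth fixing while this section is being touched: "you can choose you can select the app(s)" and "apps that you that you have added from an app store". It also lists the target as **All Microsoft apps** but then defines it as **Microsoft Apps**; use one name in both places.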
Microsoft Tunnel is a VPN gateway solution for Microsoft Intune that runs in a c
> [!NOTE] > This capability is available when you add Microsoft Intune Plan 2 or Microsoft Intune Suite as an add-on license. For more information, see [Use Intune Suite add-on capabilities](/mem/intune/fundamentals/intune-add-ons).
-For more information about Microsoft Tunnel for MAM, see [Microsoft Tunnel for Mobile Application Management](\memdocs\intune\protect\microsoft-tunnel-mam).
+For more information about Microsoft Tunnel for MAM, see [Microsoft Tunnel for Mobile Application Management](/mem/intune/protect/microsoft-tunnel-mam).
#### Managed apps configuration settings
-Similar to app configuration policies for managed devices, if the managed app supports configuration settings, the **Configuration settings** dropdown box is visible. You can set the configuration values by using either the configuration designer or by entering JSON data. Both methods accomplish the same configuration setting results. Additional, setting keys, types, and values may be available for the specific app. Check with the app developer to determine if there are additional configuration settings available for an app.
+Similar to app configuration policies for managed devices, if the managed app supports configuration settings, the **Configuration settings** dropdown box is visible. You can set the configuration values by using either the configuration designer or by entering JSON data. Both methods accomplish the same configuration setting results. Additional, setting keys, types, and values may be available for the specific app. Check with the app developer to determine if there are additional configuration settings available for an app.
## Obtain settings for other apps
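Review bot: In the "Managed apps configuration settings" paragraph, the added line keeps "Additional, setting keys, types, and values may be available", where the comma after "Additional" breaks the sentence. Suggest "Additional setting keys, types, and values may be available for the specific app." The link change to `/mem/intune/protect/microsoft-tunnel-mam` matches the path style of the other Intune links in this file.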
Win32 apps that your organization creates can be added to Intune. These apps are
[:::image type="content" source="../medi)
-Continue with [Step 7](apps-config-step-7.md) to verify other apps in Microsoft Intune.
+Continue with [Step 7](apps-config-step-7.md) to verify other apps in Microsoft Intune.
syntex Backup Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/backup/backup-setup.md
Follow these steps to set up a backup policy for SharePoint sites using Microsof
# [Exchange](#tab/exchange)
-Follow these steps to set up a backup policy for Exchange mailboxes sites using Microsoft 365 Backup. Ensure that Microsoft 365 Backup is [enabled for your tenant](#turn-on-microsoft-365-backup).
+Follow these steps to set up a backup policy for Exchange mailboxes sites using Microsoft 365 Backup. Ensure that Microsoft 365 Backup is [enabled for your tenant](#step-2-turn-on-microsoft-365-backup).
1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home).
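Review bot: The added line in the Exchange tab still reads "a backup policy for Exchange mailboxes sites"; "sites" looks like a leftover from the SharePoint tab's wording, so suggest "for Exchange mailboxes". Since only the link target changed here, also confirm that a heading matching `#step-2-turn-on-microsoft-365-backup` exists in this file.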
syntex Translation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/translation.md
Translation in Microsoft Syntex lets you create a translated copy of a file manu
When a file is translated, the file name of the translated copy is appended to show the ISO code for the language.
+ ![Screenshot showing the translated filename with the language code appended.](../media/content-understanding/translation-file-with-language-code.png)
+ ## Translate a document on demand To create a translated version of a document, follow these steps:
To create a translated version of a document, follow these steps:
![Screenshot showing the translation confirmation screen.](../media/content-understanding/translation-confirmation.png)
+ If you try to submit a duplicate translation request before the file has finished processing, you'll receive a message telling you to wait a few minutes before trying again.
+
+ ![Screenshot showing the message to wait a few minutes and trying again.](../media/content-understanding/translation-wait-message.png)
+ ## Translate a document automatically You can create a rule to automatically translate a document [when a new file is added](#translate-a-video-transcript) or [when data in a column changes](#when-data-in-a-column-changes).
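Review bot: In the "Translate a document automatically" sentence at the end of this hunk, the link text "when a new file is added" targets `#translate-a-video-transcript`, while its sibling link targets `#when-data-in-a-column-changes`; the first anchor looks like it points at the wrong section and should be checked against the headings in this file. In the added screenshot line, the alt text "the message to wait a few minutes and trying again" should read "and try again".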
To create a rule to translate documents automatically when data in a column chan
![Screenshot of the Create a rule page showing the enter a language option.](../media/content-understanding/translation-column-enter-language.png) 4. When your rule statement is complete, select **Create**. You can [see and manage the new rule](content-processing-overview.md#manage-a-rule) on the **Manage rules** page.+ <! ### View the translation activity feed of a document library
test-base Feature https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/feature.md
f1.keywords: NOCSH
# Windows Feature update validation
-Do you need insights on how your applications will perform with the latest Windows features - prior to it being available in the market and without you maintaining an environment?
+Do you need insights on how your applications will perform with the latest Windows features - prior to it being available in the market and without you maintaining an environment?
-Do you want to run your validation tests against Windows Insider Program builds in our Azure environment?
+Do you want to run your validation tests against Windows Insider Program builds in our Azure environment?
-**Feature update** validation on Test Base for Microsoft 365 can help you achieve all these and more!
+**Feature update** validation on Test Base for Microsoft 365 can help you achieve all these and more!
-Check out the step-by-step outline below to find out how to access this new capability in Test Base for Microsoft 365 service.
+Check out the step-by-step outline below to find out how to access this new capability in Test Base for Microsoft 365 service.
-To get started with Feature update validation in Test Base for Microsoft 365, upload your applications (and related files) through the self-service onboarding portal.
+To get started with Feature update validation in Test Base for Microsoft 365, upload your applications (and related files) through the self-service onboarding portal.
-Highlighted below are the steps to take as you fill out the **Test Matrix**:
+Highlighted below are the steps to take as you fill out the **Test Matrix**:
-To set up for feature updates, you must specify the target product and its preview channel from "Insider Channel" dropdown list.
+To set up for feature updates, you must specify the target product and its preview channel from "Insider Channel" dropdown list.
![Screenshot shows Set insider channel product.](Media/windowsfeatureupdatevalidation01-featureupdate.png)
-Your selection will register your application for automatic test runs against the latest feature updates of your selected product channel and all future new updates in the latest Windows Insider Preview Builds of your selection.
+Your selection will register your application for automatic test runs against the latest feature updates of your selected product channel and all future new updates in the latest Windows Insider Preview Builds of your selection.
-You may also set your current OS in "OS baseline for Insight". We would provide you with more test insights by regression analysis of your as-is OS environment and the latest target OS.
+You may also set your current OS in "OS baseline for Insight". We would provide you with more test insights by regression analysis of your as-is OS environment and the latest target OS.
-![Screenshot shows Set OS baseline for Insight product.](Media/windowsfeatureupdatevalidation02-osbaseline.png)
-
-To check more details on the Windows Insider Preview builds, refer to [Flight Hub - Windows Insider Program | Microsoft Docs](/../../../../MicrosoftDocs/windows-insider/tree/public/wip/flight-hub/index.md).
+![Screenshot shows Set OS baseline for Insight product.](Media/windowsfeatureupdatevalidation02-osbaseline.png)
+To check more details on the Windows Insider Preview builds, refer to [Flight Hub - Windows Insider Program | Microsoft Docs](/windows-insider/flight-hub/).
## Next steps
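Review bot: The last change in this hunk drops the blank line between the "Set OS baseline for Insight" screenshot and the "To check more details on the Windows Insider Preview builds" sentence, so Markdown will now treat the image and the sentence as one paragraph. Keep an empty line between them. The other removed and added lines read the same, so this would be a good moment to fix "the latest Windows features - prior to it being available" (plural "features" with "it") and "from "Insider Channel" dropdown list" (missing "the").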