+4. Unselect the checkbox for **Allow Copilot to improve responses with web content**.

+4. Unselect the checkbox for **Allow Copilot to improve responses with web content**.

+Copilot for Microsoft 365 is available as an add-on plan with one of the following licensing prerequisites:

+### Improved responses with web content in Copilot for Microsoft 365

+This control allows you to enable or disable CopilotΓÇÖs ability to access the public web to get the latest information available when responding to prompts. Note that this is a separate control from Copilot with commercial data protection. Learn more about [how to Manage access to web content in Copilot for Microsoft 365 responses](manage-public-web-access.md).

+Copilot for Microsoft 365 is available as an add-on plan with one of the following licensing prerequisites:

+Microsoft Copilot for Microsoft 365 will follow the standard practice of deployment and updates for Microsoft 365 Apps, being available in all update channels, except for Semi-Annual Enterprise Channel. Preview channels (also known as Microsoft 365 Insider) include Current Channel (Preview) and Beta Channel. Production channels include Current Channel and Monthly Enterprise Channel.

+Copilot is available in Current Channel and in Monthly Enterprise Channel. As always, preview channels are a great option to validate the product before rolling out to the rest of organization. To learn more, see [Overview of update channels](/deployoffice/updates/overview-update-channels) and [Microsoft 365 Insider channels](/deployoffice/insider/compare-channels).

+> Microsoft Copilot for Microsoft 365 will follow the standard practice of deployment and updates for Microsoft 365 Apps, being available in all update channels, except for Semi-Annual Enterprise Channel. Preview channels (also known as Microsoft 365 Insider) include Current Channel (Preview) and Beta Channel. Production channels include Current Channel and Monthly Enterprise Channel.

+> Copilot is available in Current Channel and in Monthly Enterprise Channel. As always, preview channels are a great option to validate the product before rolling out to the rest of organization. To learn more, see [Overview of update channels](/deployoffice/updates/overview-update-channels) and [Microsoft 365 Insider channels](/deployoffice/insider/compare-channels).

+### Privacy settings for Microsoft 365 Apps

+Review your privacy settings for Microsoft 365 Apps because those settings might have an effect on the availability of Microsoft Copilot for Microsoft 365 features. For more information, see [Microsoft Copilot for Microsoft 365 and policy settings for connected experiences](microsoft-365-copilot-privacy.md#microsoft-copilot-for-microsoft-365-and-policy-settings-for-connected-experiences).

+> Teams Copilot usage does not include Microsoft Copilot with Graph-grounded chat usage, but it will be displayed in Copilot for Microsoft 365 usage soon.

+ - azure-ad-ref-level-one-done

+2. Next, connect to Microsoft Entra ID with [these instructions](connect-to-microsoft-365-powershell.md). To consent to the required permissions, run the following command:

+ ```powershell

+ Connect-MgGraph -Scopes Application.Read.All, Application.ReadWrite.All.

+ ```

+ Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'" | select -ExpandProperty ServicePrincipalNames

+ $x= Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'"

+ $ServicePrincipalUpdate =@(

+ "https://mail.corp.contoso.com/","https://owa.contoso.com/"

+ )

+ Update-MgServicePrincipal -ServicePrincipalId $x.Id -ServicePrincipalNames $ServicePrincipalUpdate

+ - azure-ad-ref-level-one-done

+> [!NOTE]

+> The Azure Active Directory (AzureAD) PowerShell module is being deprecated and replaced by the Microsoft Graph PowerShell SDK. You can use the Microsoft Graph PowerShell SDK to access all Microsoft Graph APIs. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started).

+>

+> Also see [Install the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation) and [Upgrade from Azure AD PowerShell to Microsoft Graph PowerShell](/powershell/microsoftgraph/migration-steps) for information on how to install and upgrade to Microsoft Graph PowerShell, respectively.

+A cloud-only user is a user not synchronized to the tenant via Microsoft Entra Connect. This user was created directly in Microsoft Entra ID. Use the **Get-MgUser** and **Set-MgUser** cmdlets in the Microsoft Graph PowerShell SDK to view or specify the _Geography_ location where a cloud-only user's mailbox will be stored.

+First, you must connect to Microsoft Graph using the required permission scopes for the actions you will take in your Microsoft Graph PowerShell session.

+The Microsoft Graph PowerShell SDK supports two types of authentication: delegated access, and app-only access. In this guide, you'll use delegated access to sign in as a user, grant consent to the SDK to act on your behalf, and call the Microsoft Graph.

+For details on using app-only access for unattended scenarios, see Use app-only authentication with the Microsoft Graph PowerShell SDK.

+**Determine required permission scopes**

+Each API in the Microsoft Graph is protected by one or more permission scopes. The user logging in must consent to one of the required scopes for the APIs you plan to use. In this example, we'll use the following APIs.

+List users to find the user ID of the logged-in user.

+Modify the **PreferredDataLocation** value for a user.

+The *User.Read.All* permission scope enables the first call, and the *User.ReadWrite.All* scope enables the second. These permissions require an admin account.

+For more information about how to determine what permission scopes you'll need, see [Using Find-MgGraphCommand cmdlet](/powershell/microsoftgraph/find-mg-graph-command).

+To connect to your Microsoft 365 Organization, run the following command:

+```powershell

+Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All"

+```

+The command prompts you to go to a web page to sign in with your credentials. Once you've done that, the command indicates success with a Welcome To Microsoft Graph! message. You only need to sign in once per session.

+> [!TIP]

+> You can accretively add permissions by repeating the Connect-MgGraph command with the new permission scopes.

+To view the **PreferredDataLocation** value for a user, use this syntax in Microsoft Graph PowerShell:

+Get-MgUser -ConsistencyLevel eventual -Count userCount -Search '"UserPrincipalName:<UserPrincipalName>"' | Format-List UserPrincipalName,PreferredDataLocation

+Get-MgUser -ConsistencyLevel eventual -Count userCount -Search '"UserPrincipalName:michelle@contoso.onmicrosoft.com"' | Format-List

+To modify the **PreferredDataLocation** value for a cloud-only user object, use the following syntax in Microsoft Graph PowerShell:

+Update-MgUser -UserID <UserID> -PreferredDataLocation <GeoLocationCode>

+For example, to set the **PreferredDataLocation** value to the European Union (EUR) geo for the user michelle@contoso.onmicrosoft.com, get the UserID value from the last command output and run the following command:

+Update-MgUser -UserID michelle@contoso.onmicrosoft.com -PreferredDataLocation EUR

+$params = @{

+ accountEnabled = $true

+ displayName = "<display name>"

+ mailNickname = "<mailbox name>"

+ userPrincipalName = "<sign-in name>"

+ usageLocation = "<ISO 3166-1 alpha-2 country code>"

+ passwordProfile = @{

+ forceChangePasswordNextSignIn = $true

+ password = "<temp password>"

+ }

+}

+$user = New-MgUser -BodyParameter $params

+$EmsSku = Get-MgSubscribedSku -All | Where SkuPartNumber -eq '<license SKU ID>'

+Set-MgUserLicense -UserId $user.Id -AddLicenses @{SkuId = $EmsSku.SkuId} -RemoveLicenses @()

+> [!TIP]

+> The `usageLocation` is A two-letter country code (ISO standard 3166). Required for users that are assigned licenses due to legal requirements to check for availability of services in countries. Examples include: US, JP, and GB.

+- Password: Manually add password in the form of a hashtable

+- Location: Australia (AU)

+First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md) using Microsoft Graph Powershell.

+After you connect, use the following syntax to create an individual account:

+$params = @{

+ accountEnabled = $true

+ displayName = "Elizabeth Brunner"

+ mailNickname = "ElizabethB"

+ userPrincipalName = "ebrunner@contoso.onmicrosoft.com"

+ usageLocation = "AU"

+ passwordProfile = @{

+ forceChangePasswordNextSignIn = $true

+ password = "xWwvJ]6NMw+bWH-d"

+ }

+}

+$user = New-MgUser -BodyParameter $params

+$EmsSku = Get-MgSubscribedSku -All | Where SkuPartNumber -eq 'ENTERPRISEPREMIUM'

+Set-MgUserLicense -UserId $user.Id -AddLicenses @{SkuId = $EmsSku.SkuId} -RemoveLicenses @()

+ - azure-ad-ref-level-one-done

+## View user accounts using Microsoft Graph PowerShell

+> [!NOTE]

+> The Azure Active Directory (AzureAD) PowerShell module is being deprecated and replaced by the Microsoft Graph PowerShell SDK. You can use the Microsoft Graph PowerShell SDK to access all Microsoft Graph APIs. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started).

+>

+> Also see [Install the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation) and [Upgrade from Azure AD PowerShell to Microsoft Graph PowerShell](/powershell/microsoftgraph/migration-steps) for information on how to install and upgrade to Microsoft Graph PowerShell, respectively.

+1. First, install the required software to use Microsoft Graph PowerShell. See [Connect to Microsoft 365 with Microsoft Graph PowerShell](connect-to-microsoft-365-powershell.md) for more information.

+1. Then run the following cmdlet to connect to your organization with the required permission scope, which in this case is *User.ReadBasic.All*:

+```powershell

+# Connect to Microsoft Graph

+Connect-Graph -Scopes User.ReadBasic.All

+```

+To display the full list of user accounts with user ID and user principal name, run this command:

+Get-MgUser -All | Select DisplayName,Id,UserPrincipalName

+DisplayName Id UserPrincipalName

+-- -- --

+Conf Room Adams 6e206948-b2b6-406c-a728-80bbe78e4003 Adams@M365x89521157.OnMicrosoft.com

+Adele Vance 916a6a08-b9d0-44b6-870f-562d8358a314 AdeleV@M365x89521157.OnMicrosoft.com

+MOD Administrator 5710f237-df3f-4bcd-b875-82deb02f98aa admin@M365x89521157.onmicrosoft.com

+Alex Wilber 8aa561dc-441d-4d74-aeb3-e2be41c116c8 AlexW@M365x89521157.OnMicrosoft.com

+Allan Deyoung 6b629e5e-3cf4-42d0-8007-3a93f0253382 AllanD@M365x89521157.OnMicrosoft.com

+Automate Bot 3a70feb4-9407-47b5-9b61-7526ac0e98d8 AutomateB@M365x89521157.OnMicrosoft.com

+Conf Room Baker d8cf3fef-1d03-4b9c-9be0-fed44fb87596 Baker@M365x89521157.OnMicrosoft.com

+Bianca Pisani 7fe8c2d1-eb8e-4032-96ba-26242ff0acd9 BiancaP@M365x89521157.OnMicrosoft.com

+Get-MgUser -UserId '<user principal name>'

+Get-MgUser -UserId 'BelindaN@litwareinc.onmicosoft.com'

+By default, the **Get-MgUser** cmdlet only displays the *DisplayName*, *Id*, *Mail*, and *UserPrincipalName* properties of accounts.

+To be more selective about the properties to display, use the **Select** cmdlet in combination with the **Get-MgUser** cmdlet. To combine the two cmdlets, use the "pipe" character ("|"), which tells PowerShell to take the results of one command and send it to the next command. Here's an example command that displays the *DisplayName*, *Department*, and *UsageLocation* for every user account:

+Get-MgUser -All | Select DisplayName,Department,UsageLocation

+1. Get all the information on the user accounts (**Get-MgUser**) and send it to the next command (**|**).

+Get-MgUser -UserID 'BelindaN@litwareinc.onmicosoft.com' | Select *

+Get-MgUser -UserID '<sign-in name of the user account>' | Select DisplayName,UserPrincipalName,AccountEnabled

+You can use the following command to find accounts that are synchronizing from **on-premise** AD. It instructs PowerShell to get all users who have the attribute *OnPremisesSyncEnabled* set to *True*.

+Get-MgUser -All -Filter 'OnPremisesSyncEnabled eq true'

+You can use the following command to find **cloud-only** accounts. It instructs PowerShell to get all users who have the attribute *OnPremisesSyncEnabled* set to *False* or not set (*Null*).

+An account that was never synced from on-premises AD has *OnPremisesSyncEnabled* set to *Null*. An account that was synced initially from on-premises AD but is no longer being synced has *OnPremisesSyncEnabled* set to *False*.

+Get-MgUser -All | Where OnPremisesSyncEnabled -ne true

+OnPremisesSyncEnabled```

+To be more selective about the list of accounts to display, you can use the **Where** cmdlet in combination with the **Get-MgUser** cmdlet. To combine the two cmdlets, use the "pipe" character ("|"), which tells PowerShell to take the results of one command and send it to the next command. Here is an example command that displays only those user accounts that have an unspecified usage location:

+Get-MgUser | Where UsageLocation -eq $Null

+This command instructs PowerShell to:

+1. Get all the information on the user accounts (**Get-MgUser**) and send it to the next command (**|**).

+1. Find all the user accounts that have an unspecified usage location (**Where UsageLocation -eq $Null**). The command instructs PowerShell to only find the set of accounts for which the *UsageLocation* user account property (**UsageLocation**) is not specified (**-eq $Null**).

+Get-MgUser -UserID BelindaN@litwareinc.onmicosoft.com | Select *

+Get-MgUser | Where City -eq "London"

+> The syntax for the **Where** cmdlet in these examples is **Where** [user account property name] [comparison operator] [value] **value**.> [comparison operator] is **-eq** for equals, **-ne** for not equals, **-lt** for less than, **-gt** for greater than, and others. [value] is typically a string (a sequence of letters, numbers, and other characters), a numerical value, or **$Null** for unspecified. For more information, see [Where](/powershell/module/microsoft.powershell.core/where-object).

+- [Create a personalized experience with Viva Connections](#create-a-personalized-experience-with-viva-connections)

+You manage apps for your organization in the Teams admin center. To learn more, see [Overview of app management and governance in Teams admin center](/microsoftteams/manage-apps).

+Your users can add any apps that you have allowed to their teams. Share this training with your users to show them how: [Find and use apps](https://support.microsoft.com/office/find-and-use-apps-6e22a734-c002-4da0-ba63-681f155b142d).

+### Create a personalized experience with Viva Connections

+Viva Connections is part of the [Microsoft Viva suite](/viva/microsoft-viva-overview) and enables you to create a personalized landing experience in Teams.

+The Viva Connections dashboard provides fast and easy access to information and job-related tasks. For example, add the Shifts card to show information about the next or current shift from the Shifts app. Content in the cards is dynamic and personalized to the user.

+Learn more about [Viva Connections](/viva/connections/viva-connections-overview) and [how to create a Viva Connections dashboard](/viva/connections/create-dashboard).

+- [Teams for Financial Services](teams-for-financial-services.md)

+- [Teams for Retail](teams-for-retail-landing-page.md)

+Frontline workers in the financial services industry have unique needs for communicating and collaborating based on the services they offer. To get the most benefit for your frontline workforce, first choose which scenarios Microsoft 365 can help you with in your day-to-day business operations, and then make sure that you prepare your environment with the right fundamentals, teams, and apps to support those scenarios.

+2. [Set up Microsoft 365](flw-setup-microsoft-365.md) - Set up Microsoft 365, Microsoft Teams, and any other services you need.

+Microsoft 365 and Teams offer capabilities that help financial services organizations enhance productivity in their daily operations and digital transformation. We recommend the following scenarios for financial services organizations:

+> These scenarios are also part of Microsoft Cloud for Financial Services. You can do more with these scenarios when you also use other capabilities from the Microsoft Cloud for Financial Services, such as Microsoft Dynamics 365. Learn more about using this solution, which brings together capabilities from Dynamics 365 and Microsoft 365 at [Microsoft Cloud for Financial Services](/industry/financial-services).

+**Key apps and capabilities:** Shifts, Walkie Talkie, Tasks, Approvals, Praise, Lists, Updates, Viva Connections, Chat, Files

+**Additional

+**Key apps and capabilities:** Lists, Viva Learning, Viva Connections, Viva Engage, meetings

+**Additional

+Employee engagement is a significant contributor to workplace satisfaction, loyalty, and productivity at any organization. Learn how to keep everyone informed and engaged using SharePoint, Teams, Viva Connections, and Viva Engage.

+**Key apps and capabilities:** Viva Connections, Viva Engage, meetings

+**Additional

+More information: [Corporate communications with frontline workers](flw-corp-comms.md)

+> For all these capabilities, users must have an appropriate license. For more information about general Teams licensing, see [Manage user access to Teams](/microsoftteams//user-access). Check out [Understand frontline worker user types and licensing](flw-licensing-options.md) to learn more about using Microsoft 365 for frontline workers in combination with other licenses. For a detailed comparison of what's included in Microsoft 365 enterprise plans, see the [Modern work plan comparison](https://go.microsoft.com/fwlink/p/?linkid=2139145) table.

+Ensure that your workers can communicate, collaborate, and deliver great customer service with Teams apps like Shifts, Tasks, Lists, Praise, and more. You can determine which apps are available for your users by enabling them in the Teams admin center or by using a team template. Learn more about [managing Teams apps](/microsoftteams/manage-apps).

+For financial services environments, the following apps and services can help you transform your business processes and support communication.

+| Chat | Enable quick conversations between staff with chat in Teams. | [Chat, teams, channels & apps in Teams](/microsoftteams/deploy-chat-teams-channels-microsoft-teams-landing-page) | [Chat in Teams](https://support.microsoft.com/office/start-and-pin-chats-a864b052-5e4b-4ccf-b046-2e26f40e21b5?wt.mc_id=otc_microsoft_teams) |

+| Virtual Appointments| Schedule and manage virtual consultations with clients, view analytics, and more, in the Virtual Appointments app.| [Manage the Virtual Appointments app](/microsoftteams/manage-virtual-appointments-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [What is the Virtual Appointments app?](https://support.microsoft.com/topic/22df0079-e6d9-4225-bc65-22747fb2cb5f) |

+| Viva Connections | Viva Connections creates an experience in Teams that connects employees with tools, news, and resources. Employees can view a tailored news feed from your organization and a personalized dashboard with the resources they need. | [Overview of Viva Connections](/viva/connections/viva-connections-overview) | Use [Viva Connections](https://support.microsoft.com/office/your-intranet-is-now-in-microsoft-teams-8b4e7f76-f305-49a9-b6d2-09378476f95b) |

+| Viva Learning | Provide initial and ongoing training to make sure your employees are up-to-date with their skills and knowledge base. | [Overview of Viva Learning](/viva/learning/overview-viva-learning) | [Use Viva Learning](https://support.microsoft.com/office/viva-learning-preview-01bfed12-c327-41e0-a68f-7fa527dcc98a) |

+| Viva Engage | Connect your entire organization and enable communication across departments and regions with Viva Engage. | [Overview of Viva Engage](/viva/engage/overview) | [Use Viva Engage](https://support.microsoft.com/topic/getting-started-with-microsoft-viva-engage-729f9fce-3aa6-4478-888c-a1543918c284) |

+| Power Apps and the Power Platform | Integrate business processes and enable quick updates to data, such as sales numbers, KPIs, and other reports. | [Teams integration with Microsoft Power Platform](/microsoftteams/platform/samples/teams-low-code-solutions) and [Manage Microsoft Power Platform apps in the Teams admin center](/microsoftteams/manage-power-platform-apps) | |

+To learn more about successfully implementing and adopting Teams, see [Adopt Microsoft Teams](/microsoftteams/adopt-microsoft-teams-landing-page).

+2. [Set up Microsoft 365](flw-setup-microsoft-365.md) - Set up Microsoft 365, Microsoft Teams, and any other services you need.

+Microsoft 365 and Microsoft Teams offers capabilities that help manufacturing organizations enhance productivity in their daily operations and digital transformation. We recommend the following scenarios for manufacturers:

+> For all these capabilities, users must have an appropriate license. For more information about general Teams licensing, see [Manage user access to Teams](/microsoftteams//user-access). Check out [Understand frontline worker user types and licensing](flw-licensing-options.md) to learn more about using Microsoft 365 for frontline workers in combination with other licenses. For a detailed comparison of what's included in Microsoft 365 enterprise plans, see the [Modern work plan comparison](https://go.microsoft.com/fwlink/p/?linkid=2139145) table.

+**Key apps and capabilities:** Walkie Talkie, Praise, Viva Connections, Viva Engage, Chat

+**Additional

+**Key apps:** Lists

+**Key apps:** Viva Learning, Viva Connections, Viva Engage

+**Additional

+Ensure that your workers can communicate, collaborate, and deliver great products with apps like Shifts, Tasks, Lists, Praise, and more. You can determine which apps are available for your users by enabling them in the Teams admin center or by using a team template. Learn more about [managing Teams apps](/microsoftteams/manage-apps).

+For manufacturing environments, the following apps and services can help you transform your business processes and support communication.

+| Tasks | Supervisors can assign tasks to let workers know what to focus on. Your organization's central office can use [task publishing](/microsoftteams/manage-tasks-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json#task-publishing) to send out tasks to locations and track progress across those locations. | [Manage the Tasks app](/microsoftteams/manage-tasks-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Tasks](https://support.microsoft.com/office/use-the-tasks-app-in-teams-e32639f3-2e07-4b62-9a8c-fd706c12c070) |

+| Viva Connections | Viva Connections creates an experience in Teams that connects employees with tools, news, and resources. Employees can view a tailored news feed from your organization and a personalized dashboard with the resources they need. For example, you could create a Manuals card so your operators can easily find all the necessary manuals. | [Overview of Viva Connections](/viva/connections/viva-connections-overview) | [Use Viva Connections](https://support.microsoft.com/office/your-intranet-is-now-in-microsoft-teams-8b4e7f76-f305-49a9-b6d2-09378476f95b) |

+| Viva Learning | Provide initial and ongoing training to make sure your employees are up-to-date with their skills and knowledge base. | [Overview of Viva Learning](/viva/learning/overview-viva-learning) | [Use Viva Learning](https://support.microsoft.com/office/viva-learning-preview-01bfed12-c327-41e0-a68f-7fa527dcc98a) |

+| Viva Engage | Connect your entire organization and enable communication across departments and regions with Viva Engage. | [Overview of Viva Engage](/viva/engage/overview) | [Use Viva Engage](https://support.microsoft.com/topic/getting-started-with-microsoft-viva-engage-729f9fce-3aa6-4478-888c-a1543918c284) |

+| Power Apps and the Power Platform | Integrate business processes and enable quick updates to data, such as machine downtime, KPIs, and other reports. | [Teams integration with Microsoft Power Platform](/microsoftteams/platform/samples/teams-low-code-solutions) and [Manage Microsoft Power Platform apps in the Microsoft Teams admin center](/microsoftteams/manage-power-platform-apps) | |

+To learn more about successfully implementing and adopting Teams, see [Adopt Microsoft Teams](/microsoftteams/adopt-microsoft-teams-landing-page).

+Retail environments, with their rotating schedules and on-the-go staff, have very different needs than other organizations. To get the most benefit for your retail organization, first choose which scenarios Microsoft 365 and Microsoft Teams can help you with in your day-to-day business operations, and then make sure that you prepare your Teams environment with the right fundamentals, teams, and apps to support those scenarios.

+2. [Set up Microsoft 365](flw-setup-microsoft-365.md) - Set up Microsoft 365, Microsoft Teams, and any other services you need.

+Microsoft 365 and Teams offer capabilities that can help retail organizations enhance productivity in their daily operations and digital transformation. We recommend the following scenarios for retail organizations:

+|[](https://go.microsoft.com/fwlink/?linkid=2206476) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206476) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206271) <br>Updated January 2024 |This poster provides an overview of the scenarios you can implement for your frontline workforce in a retail setting.|

+<!-- ### Video overviews

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWRzfc]-->

+**Key apps and capabilities:** Shifts, Walkie Talkie, Tasks, Approvals, Praise, Lists, Updates, Viva Connections, Chat, Files

+**Additional

+**Key apps and capabilities:** Shifts, Walkie Talkie, Tasks, Approvals, Praise, Lists, Updates, Viva Connections, Viva Engage, Chat, Files

+**Additional

+Use the Virtual Appointments app in Teams to schedule and manage virtual appointments such as virtual shopping experiences for associates and customers.

+**Key apps and capabilities:** Virtual Appointments, meetings

+Employee engagement is a significant contributor to workplace satisfaction, loyalty, and productivity at any organization. Learn how to keep everyone informed and engaged using SharePoint, Teams, Viva Engage, and Viva Connections.

+**Key apps:** Viva Connections, Viva Engage

+**Additional

+**Key apps and capabilities:** Lists, Viva Learning, Viva Engage, meetings

+**Additional

+> For all these capabilities, users must have an appropriate license. For more information about general Teams licensing, see [Manage user access to Teams](/microsoftteams//user-access). Check out [Understand frontline worker user types and licensing](flw-licensing-options.md) to learn more about using Microsoft 365 for frontline workers in combination with other licenses. For a detailed comparison of what's included in Microsoft 365 enterprise plans, see the [Modern work plan comparison](https://go.microsoft.com/fwlink/p/?linkid=2139145) table.

+Ensure that your workers can communicate, collaborate, and deliver great customer service with apps like Shifts, Walkie Talkie, Tasks, Lists, Praise, and more. You can determine which apps are available for your users by enabling them in the Teams admin center or by using a team template. Learn more about [managing Teams apps](/microsoftteams/manage-apps).

+For retail environments, the following apps and services can help you transform your business processes and support communication.

+| Approvals | Approvals can be integrated into chat for easy sign off. | [Manage Approvals](/microsoftteams/approval-admin?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Approvals](https://support.microsoft.com/office/what-is-approvals-a9a01c95-e0bf-4d20-9ada-f7be3fc283d3) |

+| Walkie Talkie | Instant push-to-talk communication that's not constrained by geography like standard two-way radios.| [Manage the Walkie Talkie app](/microsoftteams/walkie-talkie?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Walkie Talkie](https://support.microsoft.com/office/get-started-with-teams-walkie-talkie-25bdc3d5-bbb2-41b7-89bf-650fae0c8e0c) |

+| Virtual Appointments|Schedule and manage virtual fittings and consultations, view analytics, and more, in the Virtual Appointments app.| [Manage the Virtual Appointments app](/microsoftteams/manage-virtual-appointments-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [What is the Virtual Appointments app?](https://support.microsoft.com/topic/22df0079-e6d9-4225-bc65-22747fb2cb5f) |

+| Viva Connections | Viva Connections creates an experience in Teams that connects employees with tools, news, and resources. Retail associates can view a tailored news feed from your organization and a personalized dashboard with the resources they need. | [Overview of Viva Connections](/viva/connections/viva-connections-overview) | Use [Viva Connections](https://support.microsoft.com/office/your-intranet-is-now-in-microsoft-teams-8b4e7f76-f305-49a9-b6d2-09378476f95b) |

+| Viva Learning | Provide training when needed, right in the flow of their work.| [Overview of Viva Learning](/viva/learning/overview-viva-learning) | [Use Viva Learning](https://support.microsoft.com/office/viva-learning-preview-01bfed12-c327-41e0-a68f-7fa527dcc98a) |

+| Viva Engage | Connect your entire organization and enable communication across departments and regions with Viva Engage. | [Overview of Viva Engage](/viva/engage/overview) | [Use Viva Engage](https://support.microsoft.com/topic/getting-started-with-microsoft-viva-engage-729f9fce-3aa6-4478-888c-a1543918c284) |

+| SharePoint | When you create a new team, a new SharePoint site is created and connected to the team. Many of the scenarios rely on SharePoint features already embedded in Teams, such as sharing documents for team collaboration. | [Teams and SharePoint integration](/sharepoint/teams-connected-sites) | [Add a SharePoint page, list, or document library as a tab in Teams](https://support.microsoft.com/office/add-a-sharepoint-page-list-or-document-library-as-a-tab-in-teams-131edef1-455f-4c67-a8ce-efa2ebf25f0b)|

+Create teams that include a predefined set of settings, channels, tabs, and preinstalled apps for communication and collaboration within an individual store, with a region, or between headquarters and your staff wherever they are.

+- The **Organize a store** template includes channels for General, Shift Handoff, Store Readiness, and Learning, and includes the Approvals, Tasks, and Wiki apps.

+You can also [create a custom template](/microsoftteams/create-a-team-template) to include the apps your store needs. To learn more, see [Use retail team templates](/microsoftteams/get-started-with-retail-teams-templates?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json)

+Now that you know what scenarios you want to implement and what you need to support them, you can gather your team so you can plan, roll out, and monitor how they're working in your organization. For example, the following roles might be needed to roll out these scenarios in your organization.

+|<img src="/office/media/icons/administrator.png" alt="Administrator symbol."> | IT administrator | Collaborate with operations and retail management staff to define scenarios and how they'll work for the organization. <br><br>Configure settings in the Teams admin center, such as policies and templates, and enable apps. <br><br>Set up app settings for the organization. <br><br>Add and license users. | IT department |

+|<img src="/office/media/icons/user-monitor.png" alt="User monitor symbol.">| Operations staff | Work with administrators to define scenarios, and determine which settings, policies, templates, and apps are needed for Teams. <br><br>Create regional or divisional teams from templates. <br><br>Set up tasks, lists, and approval flows for coordination between stores within a region, or between stores and headquarters. <br><br>Set up a learning framework for staff. | Central operations |

+|<img src="/office/media/icons/presenter-teams.png" alt="Presenter symbol."> | Store manager | Work with administrators and operations staff to define scenarios. <br><br>Create teams for the store from templates. <br><br>Set up channels and apps for the teams, as needed. For example, a channel for shift handovers. <br><br>Set up store schedules and settings in Shifts. <br><br>Set up tasks, lists, updates, and approval flows that are specific to the store. <br><br>Set up learning tasks for staff. | Store management |

+To learn more about successfully implementing and adopting Teams, see [Adopt Microsoft Teams](/microsoftteams/adopt-microsoft-teams-landing-page).

+| 5 |[App reputation demonstration](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-app-reputation)| NGP | Navigate to the app reputation page to see the demonstration scenario using Microsoft Edge.|

+| 6 |[URL reputation demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-smartscreen-url-reputation)| NGP | Navigate to the URL Reputation page to see the demonstration scenarios using Microsoft Edge. |

+| 7 | [Network protection demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-network-protection)| ASR | Navigate to a suspicious URL to trigger network protection. |

+| 8 | [Attack surface reduction rules (ASR rules) demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-attack-surface-reduction-rules)| ASR | Download sample files to trigger each ASR rule. |

+| 9 | [Exploit protection (EP) demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-exploit-protection) | ASR | Apply custom exploit protection settings. |

+| 10 | [Controlled folder access (CFA) demonstration (block script)](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access-test-tool)| ASR | Download the CFA test tool. |

+| 11 | [Controlled folder access (CFA) demonstrations (block ransomware)](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access)| ASR| Download and execute a sample file to trigger CFA ransomware protection.|

+## February 2024

+- (Preview) **[Custom detection rules in Microsoft Graph security API](/graph/api/resources/security-api-overview?view=graph-rest-beta&preserve-view=true#custom-detections)** are now available. Create advanced hunting custom detection rules specific to your org to proactively monitor for threats and take action.

+|Set up AIR features|One of the following roles: <ul><li>Global Administrator</li><li>Security Administrator</li></ul> <br/> These roles can be assigned in [Microsoft Entra ID](/entr).|

+|Start an automated investigation <p> or <p> Approve or reject recommended actions|One of the following roles, assigned in [Microsoft Entra ID](/entr). You might need to create a new **Email & collaboration** role group there and add the Search and Purge role to that new role group.</li></ul>|

+1. Identify or create a user who's a member of the [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator), [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator), or [Attack Simulation Administrator](/entra/identity/role-based-access-control/permissions-reference#attack-simulation-administrator) roles in Microsoft Entra ID. Assign a Microsoft 365, Office 365, Microsoft Teams Essentials, Microsoft 365 Business Basic, or a Microsoft 365 Business Standard license for [Microsoft Teams](/office365/servicedescriptions/teams-service-description). You need to know the password.

+- [Applications listed in Enterprise applications](/entra/identity/enterprise-apps/application-list) walks administrators through various actions they may want to take after realizing there are unexpected applications with access to data.

+- [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app) is a high-level overview of consent and permissions.

+- [Configure token lifetime policies](/entra/identity-platform/configure-token-lifetimes) provides links to various consent related articles.

+- [Application and service principal objects in Microsoft Entra ID](/entra/identity-platform/app-objects-and-service-principals) provides an overview of the Application and Service principal objects that are core to the application model.

+- [Manage access to an application](/entra/identity/enterprise-apps/what-is-access-management) is an overview of the capabilities that administrators have to manage user access to apps.

+- Monitor how user accounts are [accessed and used](/entra/identity/monitoring-health/overview-monitoring-health). You may not prevent the initial breach, but you can shorten the duration and the effects of the breach by detecting it sooner. You can use these [Office 365 Cloud App Security policies](/cloud-app-security/what-is-cloud-app-security) to monitor accounts and alert you to unusual activity:

+5. Select **It appears clean** if you're unsure and you want a verdict from Microsoft. Then select **Submit**.

+6. Select **I've confirmed it's clean** if you're sure that the message is clean. After selecting **Next**, you can specify whether you want to create an allow entry. You can specify how many days you want the allow entry to be active, add a note if needed, and then select **Submit**.

+|Security Administrator in Azure AD|[Azure AD built-in roles](/entra/identity/role-based-access-control/permissions-reference#security-administrator)

+**Summary**: Assign the [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) role in Azure Active Directory to other admins, specialists, and help desk personnel so they can do tasks in EOP and Defender for Office 365.

+You're probably already using the initial account that you used to enroll in Microsoft 365 to do all the work in this deployment guide. That account is an admin everywhere in Microsoft 365 (specifically, it's a member of the [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) role in Azure Active Directory (Azure AD)), and allows you to do pretty much anything. The required permissions were described earlier in this article at [Roles and permissions](#roles-and-permissions).

+**For simplicity, we recommend using the [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) role in Azure AD for others who need to configure settings in EOP and Defender for Office 365.**

+For instructions, see [Assign Microsoft Entra roles to users](/entra/identity/role-based-access-control/manage-roles-portal) and [Manage access to Microsoft Defender XDR with Azure Active Directory global roles](/microsoft-365/security/defender/m365d-permissions).

+For more information, see [Assign Microsoft Entra roles to users](/entra/identity/role-based-access-control/manage-roles-portal) and [Manage access to Microsoft Defender XDR with Microsoft Entra global roles](/microsoft-365/security/defender/m365d-permissions).

+|**Global Administrator**|Access to all administrative features in all Microsoft 365 services. Only global administrators can assign other administrator roles. For more information, see [Global Administrator / Company Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator--company-administrator).|

+|**Compliance Data Administrator**|Keep track of your organization's data across Microsoft 365, make sure it's protected, and get insights into any issues to help mitigate risks. For more information, see [Compliance Data Administrator](/entra/identity/role-based-access-control/permissions-reference#compliance-data-administrator).|

+|**Compliance Administrator**|Help your organization stay compliant with any regulatory requirements, manage eDiscovery cases, and maintain data governance policies across Microsoft 365 locations, identities, and apps. For more information, see [Compliance Administrator](/entra/identity/role-based-access-control/permissions-reference#compliance-administrator).|

+|**Security Operator**|View, investigate, and respond to active threats to your Microsoft 365 users, devices, and content. For more information, see [Security Operator](/entra/identity/role-based-access-control/permissions-reference#security-operator).|

+|**Security Reader**|View and investigate active threats to your Microsoft 365 users, devices, and content, but (unlike the Security operator) they don't have permissions to respond by taking action. For more information, see [Security Reader](/entra/identity/role-based-access-control/permissions-reference#security-reader).|

+|**Security Administrator**|Control your organization's overall security by managing security policies, reviewing security analytics and reports across Microsoft 365 products, and staying up-to-speed on the threat landscape. For more information, see [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator).|

+|**Global Reader**|The read-only version of the **Global administrator** role. View all settings and administrative information across Microsoft 365. For more information, see [Global Reader](/entra/identity/role-based-access-control/permissions-reference#global-reader).|

+|**Attack Simulation Administrator**|Create and manage all aspects of [attack simulation](attack-simulation-training-simulations.md) creation, launch/scheduling of a simulation, and the review of simulation results. For more information, see [Attack Simulation Administrator](/entra/identity/role-based-access-control/permissions-reference#attack-simulation-administrator).|

+|**Attack Payload Author**|Create attack payloads but not actually launch or schedule them. For more information, see [Attack Payload Author](/entra/identity/role-based-access-control/permissions-reference#attack-payload-author).|

+ - **[Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator)**

+ - **[Security Reader](/entra/identity/role-based-access-control/permissions-reference#security-reader)**

+ By default, this role is assigned only to the **Security Operator role group in Exchange Online**, not in Microsoft Entra ID. Membership in the **[Security Operator role in Microsoft Entra ID](/entra/identity/role-based-access-control/permissions-reference#security-operator)** _doesn't_ allow you to manage entries the Tenant Allow/Block List.

+> - [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference)

+Using [Privileged Access groups](/entra/id-governance/privileged-identity-management/concept-pim-for-groups) we can now create our own custom groups and combine permissions or increase granularity where required to meet your organizational practices and needs.

+|Multi-factor authentication|[Download and install the Microsoft Authenticator app](https://support.microsoft.com/account-billing/351498fc-850a-45da-b7b6-27e523b8702a)|This article helps end users understand what multi-factor authentication is and why it's being used at your organization.|

+ - **It appears clean**: Select this option if you're unsure and you want a verdict from Microsoft.

+> - Be sure to update app passwords. App passwords aren't automatically revoked when you reset the password. The user should delete existing app passwords and create new ones. For instructions, see [Manage app passwords for two-step verification](https://support.microsoft.com/account-billing/d6dc8c6d-4bf7-4851-ad95-6d07799387e9).

+- To use SharePoint Online PowerShell to prevent people from downloading malicious files, you need to be member of the [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) or [SharePoint Administrator](/entra/identity/role-based-access-control/permissions-reference#sharepoint-administrator) roles in Microsoft Entra ID.

+ For more information, see [Product names and service plan identifiers for licensing](/entra/identity/users/licensing-service-plan-reference).

+- [Product names and service plan identifiers for licensing](/entra/identity/users/licensing-service-plan-reference)

+|**Security Administrator**|Members have access to many security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals. <br/><br/> By default, this role group may not appear to have any members. However, the Security Administrator role from Microsoft Entra ID is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Microsoft Entra ID. <br/><br/> To manage permissions centrally, add and remove group members in the Microsoft Entra admin center. For more information, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference). If you edit this role group in these portals (membership or roles), those changes apply only to the security and compliance areas and not to any other services. <br/><br/> This role group includes all of the read-only permissions of the Security reader role, plus many additional administrative permissions for the same

+|**Security Reader**|Members have read-only access to many security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals. <br/><br/> By default, this role group may not appear to have any members. However, the Security Reader role from Microsoft Entra ID is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Microsoft Entra ID. <br/><br/> To manage permissions centrally, add and remove group members in the Microsoft Entra admin center. For more information, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference). If you edit this role group in the portals (membership or roles), those changes apply only to security and compliance areas and not to any other services.|Compliance Manager Reader <br/><br/> Security Reader <br/><br/> Sensitivity Label Reader <br/><br/> Tag Reader <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts|

+1. Select **EmailEvents**, **EmailUrlInfo**, **EmailAttachmentInfo**, and **EmailPostDeliveryEvents** > and **Apply Changes**.

+[Integrate security solutions in Microsoft Defender for Cloud](/azure/defender-for-cloud/partner-integration)

+ - **It appears suspicious**: Select this value if you're unsure and you want a verdict from Microsoft, select **Submit**, and then go to Step 6.

+ - **It appears suspicious**: Select this value if you're unsure and you want a verdict from Microsoft, select **Submit**, and then go to Step 6.

+ - **It appears suspicious**: Select this value if you're unsure and you want a verdict from Microsoft, select **Submit**, and then go to Step 6.

+ - **It appears clean**: Select this value if you're unsure and you want a verdict from Microsoft, select **Submit**, and then go to Step 6.

+ - **It appears clean**: Select this value if you're unsure and you want a verdict from Microsoft, select **Submit**, and then go to Step 6.

+ - **It appears clean**: Select this value if you're unsure and you want a verdict from Microsoft, select **Submit**, and then go to Step 6.

+ - **It appears clean** or **It appears suspicious**: Select one of these values if you're unsure and you want a verdict from Microsoft.

+See: [Named locations in Microsoft Entra ID](/entra/identity/conditional-access/location-condition)

+> See [this article](/entra/identity/conditional-access/concept-continuous-access-evaluation#limitations) for the limitations of continuous access evaluation.

+- Account risk increased based on the evaluation of the access from [Microsoft Entra ID Protection](/entra/id-protection/overview-identity-protection)

+For more information about how to set up a Conditional Access policy, see [this article](/entra/identity/conditional-access/overview).

+- [Continuous access evaluation](/entra/identity/conditional-access/concept-continuous-access-evaluation)

+- [Conditional Access documentation](/entra/identity/conditional-access/overview)

+- [Microsoft Entra ID Protection documentation](/entra/id-protection/overview-identity-protection)

+For more information about roles and permissions, see the article [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference).

+Ensure your users register for multifactor authentication prior to requiring its use. If you have licenses that include Microsoft Entra ID P2, you can use the [MFA registration policy within Microsoft Entra ID Protection](/entra/id-protection/howto-identity-protection-configure-mfa-policy) to require that users register. We provide [communication templates](https://aka.ms/mfatemplates), you can download and customize, to promote registration.

+All Microsoft Entra groups used as part of these recommendations must be created as a **Microsoft 365** group *not a Security group*. This requirement is important for the deployment of sensitivity labels when securing documents in Microsoft Teams and SharePoint later on. For more information, see the article [Learn about groups and access rights in Microsoft Entra ID](/entra/fundamentals/concept-learn-about-groups#group-types)

+You may consider enabling [passwordless authentication methods](/entra/identity/authentication/concept-authentication-passwordless), like Windows Hello for Business or FIDO2 security keys to reduce some friction created by certain security controls.

+All organizations should have at least one emergency access account that is monitored for use and excluded from policies. **These accounts are only used in case all other administrator accounts and authentication methods become locked out or otherwise unavailable**. More information can be found in the article, [Manage emergency access accounts in Microsoft Entra ID](/entra/identity/role-based-access-control/security-emergency-access).

+Follow the guidance in the article [Common Conditional Access policy: Sign-in risk-based multifactor authentication](/entra/identity/conditional-access/howto-conditional-access-policy-risk) to create a policy to require multifactor authentication based on sign-in risk.

+Follow the guidance in the article [Common Conditional Access policy: Block legacy authentication](/entra/identity/conditional-access/howto-conditional-access-policy-block-legacy) to block legacy authentication.

+Follow the guidance in the article [Common Conditional Access policy: User risk-based password change](/entra/identity/conditional-access/howto-conditional-access-policy-risk-user) to require users with compromised credentials to change their password.

+Use this policy along with [Microsoft Entra password protection](/entra/identity/authentication/concept-password-ban-bad), which detects and blocks known weak passwords and their variants in addition to terms specific to your organization. Using Microsoft Entra password protection ensures that changed passwords are stronger.

+To create a Conditional Access policy that requires approved apps and APP protection, follow the steps in [Require approved client apps or app protection policy with mobile devices](/entra/identity/conditional-access/howto-policy-approved-app-or-app-protection). This policy only allows accounts within mobile apps protected by app protection policies to access Microsoft 365 endpoints.

+Follow the guidance in the article [Common Conditional Access policy: Require MFA for all users](/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa) to require your specialized security level users to always perform multifactor authentication.

+To block Exchange ActiveSync connections using basic authentication on other types of devices (for example, PCs), follow the steps in [Block Exchange ActiveSync on all devices](/entra/identity/conditional-access/howto-policy-approved-app-or-app-protection#block-exchange-activesync-on-all-devices).

+5. In the Azure portal, [create a new Conditional Access policy](/entra/identity/conditional-access/concept-conditional-access-policies) with these settings:

+For more information, see [Limitations of ID Protection for B2B collaboration users](/entra/id-protection/concept-identity-protection-b2b#limitations-of-id-protection-for-b2b-collaboration-users).

+The first step in using Defender for Cloud Apps to manage SaaS apps is to discover these and then add them to your Microsoft Entra tenant. If you need help with discovery, see [Discover and manage SaaS apps in your network](/cloud-app-security/tutorial-shadow-it). After you've discovered apps, [add these to your Microsoft Entra tenant](/entra/identity/enterprise-apps/add-application-portal).

+- Are aligned with [Microsoft Secure Score](../defender/microsoft-secure-score.md) and [identity score in Microsoft Entra ID](/entra/identity/monitoring-health/concept-identity-secure-score). Following the recommendations will increase these scores for your organization.

+- Help you to implement these [five steps to securing your identity infrastructure](/azure/security/fundamentals/steps-secure-identity).

+For organizations who don't have these licenses, we recommend that you at least implement [security defaults](/entra/fundamentals/security-defaults), which is included with all Microsoft 365 plans.

+|[Multifactor authentication (MFA)](/entra/identity/authentication/concept-mfa-howitworks)|MFA requires users to provide two forms of verification, such as a user password plus a notification from the Microsoft Authenticator app or a phone call. MFA greatly reduces the risk that stolen credentials can be used to access your environment. Microsoft 365 uses the Microsoft Entra multifactor authentication service for MFA-based sign-ins.|Microsoft 365 E3 or E5|

+|[Conditional Access](/entra/identity/conditional-access/overview)|Microsoft Entra ID evaluates the conditions of the user sign-in and uses Conditional Access policies to determine the allowed access. For example, in this guidance we show you how to create a Conditional Access policy to require device compliance for access to sensitive data. This greatly reduces the risk that a hacker with their own device and stolen credentials can access your sensitive data. It also protects sensitive data on the devices, because the devices must meet specific requirements for health and security.|Microsoft 365 E3 or E5|

+|[Microsoft Entra groups](/entra/fundamentals/concept-learn-about-groups)|Conditional Access policies, device management with Intune, and even permissions to files and sites in your organization rely on the assignment to user accounts or Microsoft Entra groups. We recommend you create Microsoft Entra groups that correspond to the levels of protection you are implementing. For example, your executive staff are likely higher value targets for hackers. Therefore, it makes sense to add the user accounts of these employees to a Microsoft Entra group and assign this group to Conditional Access policies and other policies that enforce a higher level of protection for access.|Microsoft 365 E3 or E5|

+|[Device enrollment](/entra/identity/devices/overview)|You enroll a device into Microsoft Entra ID to create an identity for the device. This identity is used to authenticate the device when a user signs in and to apply Conditional Access policies that require domain-joined or compliant PCs. For this guidance, we use device enrollment to automatically enroll domain-joined Windows computers. Device enrollment is a prerequisite for managing devices with Intune.|Microsoft 365 E3 or E5|

+|[Microsoft Entra ID Protection](/entra/id-protection/overview-identity-protection)|Enables you to detect potential vulnerabilities affecting your organization's identities and configure automated remediation policy to low, medium, and high sign-in risk and user risk. This guidance relies on this risk evaluation to apply Conditional Access policies for multifactor authentication. This guidance also includes a Conditional Access policy that requires users to change their password if high-risk activity is detected for their account.|Microsoft 365 E5, Microsoft 365 E3 with the E5 Security add-on, EMS E5, or Microsoft Entra ID P2 licenses|

+|[Self-service password reset (SSPR)](/entra/identity/authentication/concept-sspr-howitworks)|Allow your users to reset their passwords securely and without help-desk intervention, by providing verification of multiple authentication methods that the administrator can control.|Microsoft 365 E3 or E5|

+|[Microsoft Entra password protection](/entra/identity/authentication/concept-password-ban-bad)|Detect and block known weak passwords and their variants and additional weak terms that are specific to your organization. Default global banned password lists are automatically applied to all users in a Microsoft Entra tenant. You can define additional entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.|Microsoft 365 E3 or E5|

+After you have configured Zero Trust identity and device access, see the [Microsoft Entra feature deployment guide](/entra/fundamentals/concept-secure-remote-workers) for a phased checklist of additional features to consider and [Microsoft Entra ID Governance](/entra/id-governance/) to protect, monitor, and audit access.

+|[Configure PHS](/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization). This feature must be enabled to detect leaked credentials and to act on them for risk-based Conditional Access. **Note:** This is required regardless of whether your organization uses federated authentication.|Cloud-only|Microsoft 365 E3 or E5|

+|[Enable seamless single sign-on](/entra/identity/hybrid/connect/how-to-connect-sso) to automatically sign users in when they are on their organization devices connected to your organization network.|Cloud-only and federated|Microsoft 365 E3 or E5|

+|[Configure named locations](/entra/identity/conditional-access/location-condition#named-locations). Microsoft Entra ID Protection collects and analyzes all available session data to generate a risk score. We recommend you specify your organization's public IP ranges for your network in the Microsoft Entra ID named locations configuration. Traffic coming from these ranges is given a reduced risk score, and traffic from outside the organization environment is given a higher risk score.||Microsoft 365 E3 or E5|

+|[Register all users for self-service password reset (SSPR) and multifactor authentication (MFA)](/entra/identity/authentication/concept-registration-mfa-sspr-combined). We recommend you register users for Microsoft Entra multifactor authentication ahead of time. Microsoft Entra ID Protection makes use of Microsoft Entra multifactor authentication to perform additional security verification. Additionally, for the best sign-in experience, we recommend users install the [Microsoft Authenticator app](https://support.microsoft.com/account-billing/351498fc-850a-45da-b7b6-27e523b8702a) and the Microsoft Company Portal app on their devices. These can be installed from the app store for each platform.||Microsoft 365 E3 or E5|

+|[Plan your Microsoft Entra hybrid join implementation](/entra/identity/devices/hybrid-join-plan). Conditional Access will make sure devices connecting to apps are domain-joined or compliant. To support this on Windows computers, the device must be registered with Microsoft Entra ID. This article discusses how to configure automatic device registration.|Cloud-only|Microsoft 365 E3 or E5|

+|[Configure password writeback to on-premises AD](/entra/identity/authentication/tutorial-enable-sspr). Password writeback allows Microsoft Entra ID to require that users change their on-premises passwords when a high-risk account compromise is detected. You can enable this feature using Microsoft Entra Connect in one of two ways: either enable **Password Writeback** in the optional features screen of Microsoft Entra Connect setup, or enable it via Windows PowerShell.|Cloud-only|Microsoft 365 E3 or E5|

+|[Configure Microsoft Entra password protection](/entra/identity/authentication/concept-password-ban-bad). Microsoft Entra Password Protection detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization. Default global banned password lists are automatically applied to all users in a Microsoft Entra tenant. You can define additional entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.||Microsoft 365 E3 or E5|

+|[Enable Microsoft Entra ID Protection](/entra/id-protection/overview-identity-protection). Microsoft Entra ID Protection enables you to detect potential vulnerabilities affecting your organization's identities and configure an automated remediation policy to low, medium, and high sign-in risk and user risk.||Microsoft 365 E5 or Microsoft 365 E3 with the E5 Security add-on|

+|[Enable continuous access evaluation](/entra/identity/conditional-access/concept-continuous-access-evaluation) for Microsoft Entra ID. Continuous access evaluation proactively terminates active user sessions and enforces tenant policy changes in near real-time.||Microsoft 365 E3 or E5|

+We recommend Windows 11 or Windows 10 (version 2004 or later), as Azure is designed to provide the smoothest SSO experience possible for both on-premises and Microsoft Entra ID. Work or school-issued devices should be configured to join Microsoft Entra ID directly or if the organization uses on-premises AD domain join, those devices should be [configured to automatically and silently register with Microsoft Entra ID](/entra/identity/devices/hybrid-join-plan).

+We recommend installing the [Microsoft Authenticator app](https://support.microsoft.com/account-billing/351498fc-850a-45da-b7b6-27e523b8702a) on user devices before deploying Conditional Access or MFA policies. At a minimum, the app should be installed when users are asked to register their device with Microsoft Entra ID by adding a work or school account, or when they install the Intune company portal app to enroll their device into management. This depends on the configured Conditional Access policy.

+We recommend users install the [Intune Company Portal app](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal&hl=en) and [Microsoft Authenticator app](https://support.microsoft.com/account-billing/351498fc-850a-45da-b7b6-27e523b8702a) before Conditional Access policies are deployed or when required during certain authentication attempts. After app installation, users may be asked to register with Microsoft Entra ID or enroll their device with Intune. This depends on the configured Conditional Access policy.

+For Microsoft 365 E3 or E5 or with separate Microsoft Entra ID P1 or P2 licenses, you can require MFA for administrator accounts with a manually created Conditional Access policy. See [Conditional Access: Require MFA for administrators](/entra/identity/conditional-access/howto-conditional-access-policy-admin-mfa) for the details.

+For editions of Microsoft 365 or Office 365 that do not support Conditional Access, you can enable [security defaults](/entra/fundamentals/security-defaults) to require MFA for all accounts.

+- Use [Microsoft Entra Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-getting-started) to reduce the number of persistent administrative accounts.

+- Follow [best practices](/entra/identity/role-based-access-control/best-practices) for securing privileged accounts in Microsoft Entra ID.

+Once you've [set up and deployed the capabilities of Intune](/microsoft-365/solutions/apps-guide-overview#deploying-intune) and you've [added the apps you want to manage to Intune](/microsoft-365/solutions/apps-add-overview), you can begin the process of creating app configuration policies. App configuration policies allow members of your organization (end users) to easily install and use the related apps on their devices. By using app configuration policies, you can help you eliminate app setup problems. You can assign configuration settings to a policy that is then assigned to end users before they run the app. The settings are then supplied automatically when the app is configured on the end user's device. Most importantly, end users don't need to take action. You can create and use app configuration policies to provide configuration settings for both iOS/iPadOS or Android apps. The configuration policy settings are used when the app checks for these settings, typically the first time the app is run.

+> Similar to app protection policies, app configuration policies should be assigned to end users and/or devices before assigning the related app.

+You create app configuration policies directly in Intune that are unique for each app and each group of end users. Then, you can apply each app configuration policy to end users and/or devices. There are many different settings you can use to configuration an app. For example, an app configuration setting might require you to specify any of the following details:

+If end users were to enter these settings instead, they could enter them incorrectly. App configuration policies can help provide consistency across an enterprise and reduce helpdesk calls from end users trying to configure settings on their own. By using app configuration policies, the adoption of new apps can be easier and quicker.

+## Benefits of app configuration policies

+App configuration policies can help you streamline apps installation, increase app adoption, reduce setup problems, and ensure app configuration consistency. In addition, by having the apps configured in a consistent manner with correct settings, your organizational data is better protected.

+Apps that have been specifically enhanced to support a unified endpoint management provider, such as Microsoft Intune, can support configuration. Apps that can be configured using an Intune app configuration policy have been enabled to support configuration settings using the Intune App SDK or the Intune App Wrapping Tool. For a list of apps that have been enhanced to support Intune, see [Microsoft Intune protected apps](/mem/intune/apps/apps-supported-intune-apps). Note that an app doesn't have to support app configuration or app protection in order to be assigned to end users and/or devices.

+Before you configure apps to be managed by Intune, you first need to determine your management deployment model. Intune supports mobile device management (MDM), mobile application management (MAM), and both MDM + MAM. Devices that are enrolled with Intune use MDM. MDM enables organizations to protect and secure their resources and data on enrolled devices. Apps that are managed (MAM) on their own without device management (MDM), can be configured and protected using Intune. MAM enables you to manage and protect your organization's data within an application.

+| MDM | Devices that are enrolled with Intune use MDM. MDM enables organizations to protect and secure their resources and data on enrolled devices. When you are using MDM only, your app configuration policy channel must be set to **Managed devices**. For more information about MDM, see [Microsoft Intune enrollment](/mem/intune/fundamentals/deployment-guide-enrollment). |

+| MAM | Apps that are managed (MAM) without device management (MDM), can be configured and protected using Intune. MAM enables you to manage and protect your organization's data within an application. When you choose to manage only the apps on devices used by members of your organization without enrolling or managing devices, your app configuration policy channel must be set to **Managed apps** . This configuration is commonly referred to as MAM without device enrollment, or MAM-WE. You can manage apps using MAM by using Intune configuration and protection policies on devices not enrolled with Intune MDM. MAM is ideal to help protect organization data on mobile devices used by members of your organization for both personal and work tasks.<p>**NOTE:**<br>You can't deploy apps to the device. The end user has to get the apps from the store.<p>For more information, see [MAM without device management](/mem/intune/fundamentals/deployment-plan-protect-apps#mam-without-device-management). |

+| MDM + MAM | Intune allows you to manage devices (MDM) and manage apps (MAM). This configuration is commonly referred to as MAM + MDM. You can manage apps using MAM on devices that are enrolled with Intune MDM. A configuration policy that is delivered through the **Manged apps** channel will take precedence over a configuration policy delivered through the **Managed devices** channel. For more information about MDM + MAM, see [MAM with device management](/mem/intune/fundamentals/deployment-plan-protect-apps#mam-with-device-management). |

+## App configuration process flow

+Once you have added an app to Intune, you can assign the app configuration policy to end users. The configuration policy will be used when the app is installed on the end user's device.

+You can allow end users using Android personally owned and corporate-owned work profiles to turn on connected apps experiences for supported apps. This app configuration setting enables apps to connect and integrate app data across the work and personal app instances on Android. For an app to provide this experience, the app needs to integrate with Google's connected apps SDK, which means only limited apps support it. You can turn on the connected apps setting proactively, and when apps add support, users are able to enable the connected apps experience. For more information, see [Enable connected apps](/mem/intune/apps/app-configuration-policies-use-android#enable-connected-apps).

+If your organization is managing devices with Intune, you need to use the Company Portal app. End users at your organization use the Company Portal to securely access company data and do common tasks. End users can access these tasks and information using either the Company Portal app, Company Portal website, or Intune app. The Company Portal app supports iOS/iPadOS, Linux, macOS, and Windows devices. The Intune app supports Android devices.

+- Integrating Office Lens technology, which will help your organization use their device's camera capabilities. These capabilities include converting images into editable Word and Excel documents, scanning PDFs, and capturing whiteboards with automatic digital enhancements to make the content easier to read.

+Intune provides an **App configuration status** report to help you monitor the apps you've deployed to your end users. Additionally, Intune provides diagnostic logs and configuration status per device.

+The Company Portal app, Company Portal website, and Intune app on Android are where end users access company data and do common tasks related to their managed devices and apps. Based on your Intune settings, common task may include enrolling devices, installing and updating apps, locating information about your organization, and performing device actions. Intune allow you to customize and configure the Company Portal. The Company Portal app supports iOS/iPadOS, Linux, macOS, and Windows devices. The Intune app supports Android devices.

+> The "Company Portal" is commonly used as the descriptor for the Intune app, Company portal app, and the Company portal website. The Company Portal exists on each end user's device.

+End users can use the Company Portal to view details about their managed devices and available apps used with Intune at your organization. In addition, end users can perform self-service device actions from the Company Portal, including the following device actions:

+> Before end users can use the Company Portal, you must set up their work account. Your organization must also have a subscription to Microsoft Intune.

+Company Portal helps simplify the tasks your end users need to do for work. For example, end users may use the Company Portal to do the following:

+You can customize the end user experience for the Company Portal. Customizing the Company Portal is different from configuring the Company Portal. Customization helps provide a familiar and helpful experience for your end users. You can customize the Company Portal so that it supports specific details about your organization, such as the following:

+- [Add branding information](#add-branding-information) for the end users at your organization

+Adding branding information for your Intune tenant allows you to customize the experience end users have when using the Company Portal. Branding involves setting fields in Intune, such as:

+Adding support information for your Intune tenant will also allow you to customize the end users experience. By providing your organization's support information, your end users can reach out with questions. This support information is displayed on **Support**, **Help & Support**, and **Helpdesk** pages across the end user experience.

+If you choose to enroll users devices to be managed by Intune, in most enrollment scenarios the Company Portal will automatically be installed on the end user's device. The Company Portal is used to authenticate the end user within your organization when they launch the Company Portal. For more information, see [Set up automated device enrollment in Intune](/mem/intune/enrollment/device-enrollment-program-enroll-ios).

+> On personal or BYOD non-Windows client devices, end users must install the Company Portal app from the Microsoft Store. Once installed, end users open the Company Portal app and sign in with their organization credentials. For example, `user@contoso.com`.

+You can choose which additional app sources will be shown in Company Portal to end users at your organization. You can choose to hide or show Microsoft Entra Enterprise Applications, Office Online Applications, or Configuration Manager Applications. You can find these settings in [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Tenant administration** > **Customization**. For more information, see [App source setting options](/mem/intune/apps/company-portal-app#app-source-setting-options).

+You can customize the visibility of specific self-service device actions for Windows and iOS devices. The **Remove** and **Reset** device actions can be customized for end users in the Company Portal. These actions can be used to restrict device actions in the Company Portal app and website, however don't implement any device restriction policies. To prevent users from removing or resetting corporate Windows and iOS devices, you can hide these actions from the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Tenant Administration** > **Customization**. For more information, see [Customizing Remove and Reset device actions](/mem/intune/apps/company-portal-app#customizing-remove-and-reset-device-actions).

+Microsoft Intune makes it easy to provide Microsoft Outlook to your end users at your organization. Outlook provides secure email, calendar, contacts, and files. You can choose to add app configuration policies for Microsoft Outlook to iOS/iPadOS or Android devices. Outlook for iOS/iPadOS and Android supports app settings that allow unified endpoint management (UEM) administrators (using tools such as Microsoft Intune) and Microsoft 365 or Office 365 administrators to customize the behavior of the app.

+> Before you add Microsoft 365 Apps to Intune, you want to check the prerequisites for the end user's devices at your organization. For more information, see the [Before you start]() section of [Add Microsoft 365 Apps to Windows 10/11 devices with Microsoft Intune](/mem/intune/apps/apps-add-office365).

+You can select the Microsoft apps to install on your end user's Windows 10/11 devices. Additionally, if you own licenses for [additional Office apps](/deployoffice/use-the-office-deployment-tool-to-install-volume-licensed-editions-of-visio-2016), such as Microsoft Project and Microsoft Visio, you can also assign them with Intune.

+You can select the app architecture type, default file format, and update channel for the app suite. The **Architecture** setting allows you to select the 32-bit or 64-bit edition of Microsoft 365 Apps to be installed on your end user's devices. The **Default file format** setting allows you to choose the file format for the suite. Microsoft recommends you use the **Office Open XML Format**. You can also set the **Update channel**. This setting defines how often the app is updated with new features. Microsoft recommends selecting the **Monthly Enterprise Channel** along with **Remove other versions** set to **Yes**.

+When you choose to target an app configuration policy to **Managed apps**, you're using "MAM channel" to deliver app configuration to end users at your organization. Within the Intune admin center, the MAM channel is referred to as a Managed Apps app configuration policy. The MAM channel is different than the mobile device management (MDM) OS platform channels that are offered when a device is enrolled. By using the MAM channel, apps can receive app configuration policies regardless of the device enrollment state. This is an important difference between mobile application management and mobile device management.

+If your end user's Android devices isn't managed, you can use the **Managed apps** channel to configuration Microsoft 365 (Office). Configuration settings available for this app when you choose this channel for your policy include general [configuration settings](apps-config-step-6.md#managed-apps-configuration-settings) and configuration for [Microsoft Tunnel](apps-config-step-6.md#connected-apps-configuration). For more information about this channel for managed devices, see, [App configuration policies for the Managed apps channel](apps-config-step-6.md#app-configuration-policies-for-the-managed-apps-channel).

+Intune provides [policies specifically for Microsoft Office apps](/mem/intune/apps/app-office-policies). You can select specific options to create mobile app management policies for Office mobile apps that connect to Microsoft 365 services. There are many policies for Office apps that you can add to Microsoft Intune and apply to groups of end users.

+Microsoft Edge provides AI-powered web browsing capabilities. Using Intune, Microsoft Edge can be added, configured, and assigned to end users at your organization. Once you have added and assigned Microsoft Edge, end users can use Edge to safely view and work with your company resources. Using Intune, you can also assign Microsoft Edge to your end users to support conditional access, app protection, and single sign-on at your organization.

+Microsoft Edge provides several different configuration settings that allow you to customize the behavior of Edge on an end user's device. The following table provides a list of general app configuration settings for Edge.

+| com.microsoft.intune.mam.managedbrowser.disableShareUsageData | You can choose to enable data collection so that the end user browsing experience in Edge is personalized. By default, end users are promoted to share usage data. You can choose to disable the prompt and share usage data. For more information, see [Disable data sharing for personalization](/mem/intune/apps/manage-microsoft-edge#disable-data-sharing-for-personalization). |

+| com.microsoft.intune.mam.managedbrowser.disabledFeatures | You can disable certain features in Edge that are enabled by default. For example, you can disable password prompts, InPrivate browsing, translator, read aloud, drop documents and messages to devices), and developer tools. For more information, see [ Disable specific features](/mem/intune/apps/manage-microsoft-edge#disable-specific-features). |

+| com.microsoft.intune.mam.managedbrowser.cookieControlsMode | You can control whether sites can store cookies for your end users. You can choose to allow cookies, block non-Microsoft cookies, block non-Microsoft cookies in InPrivate mode, or block all cookies. Cookies contain data about end user browsing preferences. The are used to show you relevant content. |

+| com.microsoft.intune.mam.managedbrowser.PersistentWebsiteDataStore | For iOS devices, you can choose the persistent website data store to use for an end user in Edge. By default, the personal account is used. However, you can choose to use the website data store based on the first signed-in account, or choose to use the work or school account first regardless of the sign-in order. For more information, see [iOS Website data store](/mem/intune/apps/manage-microsoft-edge#ios-website-data-store). |

+| EdgeLockedViewModeEnabled | Edge for iOS and Android can be enabled as locked view mode with MDM policy `EdgeLockedViewModeEnabled`. This policy, which is disabled by default, allows organizations to restrict various browser functionalities, providing a controlled and focused browsing experience. The locked view mode is often used together with MAM policy **com.microsoft.intune.mam.managedbrowser.NewTabPage.CustomURL** or MDM policy **EdgeNewTabPageCustomURL**, which allow organizations to configure a specific web page that is automatically launched when Edge is opened. Users are restricted to this web page and cannot navigate to other websites, providing a controlled environment for specific tasks or content consumption. |

+Microsoft Edge provides several different configuration settings that allow you to customize the behavior of Edge on an end user's device. The following table provides a list of data protection configuration settings for Edge.

+| com.microsoft.intune.mam.managedbrowser.account.syncDisabled | You can choose to allow Edge to sync end user's browsing data across all their signed-in devices. This relates to Favorites, Passwords, and Address (autofill). For more information, see [Manage account synchronization](/mem/intune/apps/manage-microsoft-edge#manage-account-synchronization). |

+| com.microsoft.intune.mam.managedbrowser.AllowListURLs | You can add a list of URLs that end users are allowed to reach. End users must be using their work or school account in Edge. For more information, see [Manage restricted web sites](/mem/intune/apps/manage-microsoft-edge#manage-restricted-web-sites). |

+| com.microsoft.intune.mam.managedbrowser.BlockListURLs | You can choose a list of URLs that end users aren't allowed to reach. End users must be using their work or school account in Edge. For more information, see [Manage restricted web sites](/mem/intune/apps/manage-microsoft-edge#manage-restricted-web-sites). |

+| com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock | You can choose to allow managed users (work or school account) to switch to their personal account to view a website. Personal accounts must not be disabled. Users are prompted to either switch to the personal context to open the restricted site, or to add a personal account. For more information, see [Manage restricted web sites](/mem/intune/apps/manage-microsoft-edge#manage-restricted-web-sites). |

+| com.microsoft.intune.mam.managedbrowser.durationOfOpenInPrivateSnackBar | You can choose the number of seconds that an end user sees the snack bar notification "Access to this site is blocked by your organization. WeΓÇÖve opened it in InPrivate mode for you to access the site." For more information, see [Manage restricted web sites](/mem/intune/apps/manage-microsoft-edge#manage-restricted-web-sites). |

+| com.microsoft.intune.mam.managedbrowser.NTLMSSOURLs | You can choose a list of internal (intranet) websites that enable NTLM credential caching. The end users must enter credentials and successfully authenticate when attempting to access a URL in the list. NTLM is a Windows network authentication protocol. For more information, see [Manage NTLM single sign-on sites](/mem/intune/apps/manage-microsoft-edge#manage-ntlm-single-sign-on-sites). |

+| com.microsoft.intune.mam.managedbrowser.SSLErrorOverrideAllowed | You can configure whether end users can click through SSL warning pages. For more information, see [SSL warning page control](/mem/intune/apps/manage-microsoft-edge#ssl-warning-page-control). |

+Microsoft Teams allows your organization to collaborate and communicate in real-time. Your organization can use Teams to chat between individuals, groups, teams, and channels. They can set up meetings, share apps and files, and make calls. Team also supports adding various apps to bring capability and insight.

+Using Intune, Teams can be added, configured, and assigned to your organization's end users. You can also assign Microsoft Teams to your end users to support conditional access, app protection, and single sign-on at your organization.

+Microsoft Teams provides configuration settings that allow you to customize the behavior of Teams on an end user's device. The following table provides a list of general app configuration settings for Teams.

+| com.microsoft.teams.chat.notifications.IntuneMAMOnly | You can allow chat notifications when using the Mobile Application Management (MAM) channel in Intune. You select the **Managed apps** option when you create an app configuration policy. For more information, see [Notification settings in Microsoft Teams](/mem/intune/apps/manage-microsoft-teams#notification-settings-in-microsoft-teams). |

+| com.microsoft.teams.channel.notifications.IntuneMAMOnly | You can allow channel notifications when using the MAM channel in Intune. You select the **Managed apps** option when you create an app configuration policy. For more information, see [Notification settings in Microsoft Teams](/mem/intune/apps/manage-microsoft-teams#notification-settings-in-microsoft-teams). |

+| com.microsoft.teams.others.notifications.IntuneMAMOnly | You can allow other notifications when using the MAM channel in Intune. You select the **Managed apps** option when you create an app configuration policy. For more information, see [Notification settings in Microsoft Teams](/mem/intune/apps/manage-microsoft-teams#notification-settings-in-microsoft-teams). |

+For these notifications to show up on iOS/iPadOS and Android devices, your end users must ensure specific settings are set in the Teams and Company Portal apps. For more information, see [Teams notifications](/mem/intune/apps/manage-microsoft-teams#for-the-notifications-to-show-up-on-ios-and-android-devices).

+When you choose Managed devices,** you can choose to target your app configuration policy to either **iOS/iPadOS** or **Android Enterprise** devices. For **iOS/iPadOS** apps, you can choose a single associated **Built-In iOS app** or **iOS store app**. For **Android Enterprise** apps, you can choose a single associated **Managed Google Play store app** or **Managed Google Play web link**.

+>

+For more information about Microsoft Tunnel for MAM, see [Microsoft Tunnel for Mobile Application Management](/mem/intune/protect/microsoft-tunnel-mam).

+Similar to app configuration policies for managed devices, if the managed app supports configuration settings, the **Configuration settings** dropdown box is visible. You can set the configuration values by using either the configuration designer or by entering JSON data. Both methods accomplish the same configuration setting results. Additional, setting keys, types, and values may be available for the specific app. Check with the app developer to determine if there are additional configuration settings available for an app.

+Continue with [Step 7](apps-config-step-7.md) to verify other apps in Microsoft Intune.

+Follow these steps to set up a backup policy for Exchange mailboxes sites using Microsoft 365 Backup. Ensure that Microsoft 365 Backup is [enabled for your tenant](#step-2-turn-on-microsoft-365-backup).

+ 

+ If you try to submit a duplicate translation request before the file has finished processing, you'll receive a message telling you to wait a few minutes before trying again.

+ 

+Do you need insights on how your applications will perform with the latest Windows features - prior to it being available in the market and without you maintaining an environment?

+Do you want to run your validation tests against Windows Insider Program builds in our Azure environment?

+**Feature update** validation on Test Base for Microsoft 365 can help you achieve all these and more!

+Check out the step-by-step outline below to find out how to access this new capability in Test Base for Microsoft 365 service.

+To get started with Feature update validation in Test Base for Microsoft 365, upload your applications (and related files) through the self-service onboarding portal.

+Highlighted below are the steps to take as you fill out the **Test Matrix**:

+To set up for feature updates, you must specify the target product and its preview channel from "Insider Channel" dropdown list.

+Your selection will register your application for automatic test runs against the latest feature updates of your selected product channel and all future new updates in the latest Windows Insider Preview Builds of your selection.

+You may also set your current OS in "OS baseline for Insight". We would provide you with more test insights by regression analysis of your as-is OS environment and the latest target OS.

+

+To check more details on the Windows Insider Preview builds, refer to [Flight Hub - Windows Insider Program | Microsoft Docs](/windows-insider/flight-hub/).