Docs update tracker

Updates from: 02/09/2024 06:26:25

Category	Microsoft Docs article	Related commit history on GitHub	Change details
threat-intelligence	Security Copilot And Defender Threat Intelligence	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/security-copilot-and-defender-threat-intelligence.md	Title: Microsoft Security Copilot and Microsoft Defender Threat Intelligence description: Learn about Microsoft Defender Threat Intelligence capabilities embedded in Security Copilot. keywords: security copilot, threat intelligence, defender threat intelligence, defender ti, embedded experience, vulnerability impact assessment, threat actor profile, plugins, Microsoft plugins--+ ms.localizationpriority: medium
admin	Microsoft 365 Copilot Usage	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-365-copilot-usage.md	You can view several numbers for Copilot for Microsoft 365 usage, which highligh Active Users shows you total number of enabled users in your organization who tried a user-initiated Copilot for Microsoft 365 feature, in one or more Microsoft 365 apps over the selected time period. +> [!NOTE] +> A user is considered active in a given app if they performed an intentional action for an AI-powered capability. For example, if a user selects the Copilot icon in the Word ribbon to open the Copilot chat pane, this does not count towards active usage. However, if the user interacts with the chat pane by submitting a prompt, this action would count towards active usage. + Active users rate shows you the number of active users in your organization divided by the number of enabled users. The definitions for Enabled Users and Active Users metrics are the same as provided earlier. You can see the following summary charts in this report as default view: The definitions for Enabled Users and Active Users metrics are the same as provided earlier. >[!NOTE] -> Teams Copilot usage does not include Microsoft Copilot with Graph-grounded chat usage, but it will be displayed in Copilot for Microsoft 365 usage soon. +> This report does not yet include Microsoft Copilot with Graph-grounded chat usage, but it will be available in this report soon. You'll be notified of this update through the Microsoft 365 message center. + +>[!IMPORTANT] +> Your organization must have optional diagnostic telemetry for Office apps enabled for Windows, Mac, iOS, and Android in order for comprehensive usage information to be captured in this report. [Learn more about diagnostic telemetry settings](/DeployOffice/privacy/optional-diagnostic-data). Current view shows you the total usage of Copilot for Microsoft 365 among Microsoft 365 apps of the time frame.
admin	Manage Office Scripts Settings	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-office-scripts-settings.md	description: "Learn how to manage Office Scripts settings for users in your orga [Office Scripts](/office/dev/scripts) allows users to automate tasks by recording, editing, and running scripts in Excel. Office Scripts works with Power Automate, and users run scripts on workbooks by using the Excel Online (Business) connector. Microsoft 365 admins can manage Office Scripts settings from the Microsoft 365 admin center. -## Before you begin --- To manage Office Scripts settings, you must be a Global admin. For more information, see [About admin roles](../add-users/about-admin-roles.md).--- Ensure users in your organization have a valid license for a Microsoft 365 or Office 365 commercial or EDU plan that includes access to Microsoft 365 apps, such as one of the following plans:--- Microsoft 365 Business Standard-- Microsoft 365 Apps for business-- Microsoft 365 Apps for enterprise-- Office 365 E3-- Office 365 E5-- Office 365 A3-- Office 365 A5 +> [!NOTE] +> To manage Office Scripts settings, you must be a Global admin. For more information, see [About admin roles](../add-users/about-admin-roles.md). ## Manage availability of Office Scripts and sharing of scripts
commerce	E3 Extra Features Licenses	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/e3-extra-features-licenses.md	Microsoft 365 E3 or E5 Extra Features provides additional features for your user \|Microsoft Clipchamp \| Yes \| Yes \| \|Microsoft Loop \| Yes \| Yes \| \|Windows Autopatch \| Yes \| Yes \| +\|Windows Update for Business deployment service \| Yes \| Yes \| \|Customer Lockbox \| No \| Yes \| \|Defender for IoT - Enterprise IoT Security \| No \| Yes \| \|Immersive spaces for Teams \| No \| Yes \|
enterprise	Microsoft 365 Overview	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-overview.md	f1.keywords: Previously updated : 12/27/2023 Last updated : 02/08/2024 audience: ITPro - scotvorg - M365-subscription-management - must-keep +- essentials-overview - it-pro - intro-overview For more information and configuration examples for a small and medium business [![Image for the Best together with Surface and the Edge browser poster.](../media/microsoft-365-overview/best-together-poster-thumbnail.png)](https://download.microsoft.com/download/2/8/d/28db0cf9-2f5a-4f63-91e2-46ff5c4d3baf/microsoft-best-together-poster.pdf) - ## Microsoft 365 training ![Microsoft 365 Fundamentals training.](../media/microsoft-365-overview/m365-fundamentals.svg) -To learn more about Microsoft 365 and work toward a Microsoft 365 certification, you can start with [Microsoft 365 Certified: Fundamentals](/training/paths/m365-fundamentals/). +To learn more about Microsoft 365 and work toward a Microsoft 365 certification, you can start with [Microsoft 365 Fundamentals](/training/courses/ms-900t01/). ## See also
enterprise	Remove Licenses From User Accounts With Microsoft 365 Powershell	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/remove-licenses-from-user-accounts-with-microsoft-365-powershell.md	Title: "Remove Microsoft 365 licenses from user accounts with PowerShell" Previously updated : 12/18/2023 Last updated : 01/17/2024 audience: Admin - LIL_Placement - O365ITProTrain - has-azure-ad-ps-ref + - azure-ad-ref-level-one-done ms.assetid: e7e4dc5e-e299-482c-9414-c265e145134f description: "Explains how to use PowerShell to remove Microsoft 365 licenses that were previously assigned to users." foreach($user in $licensedUsers) } ``` -Another way to free up a license is by deleting the user account. For more information, see [Delete and restore user accounts with PowerShell](delete-and-restore-user-accounts-with-microsoft-365-powershell.md). - -## Use the Azure Active Directory PowerShell for Graph module - ->The Set-AzureADUserLicense cmdlet is scheduled to be retired. Please migrate your scripts to the Microsoft Graph SDK's Set-MgUserLicense cmdlet as described above. For more information, see [Migrate your apps to access the license managements APIs from Microsoft Graph](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/migrate-your-apps-to-access-the-license-managements-apis-from/ba-p/2464366). -> - -First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module). - -Next, list the license plans for your tenant with this command. - -```powershell -Get-AzureADSubscribedSku \| Select SkuPartNumber -``` - -Next, get the sign-in name of the account for which you want to remove a license, also known as the user principal name (UPN). - -Finally, specify the user sign-in and license plan names, remove the "<" and ">" characters, and run these commands. - -```powershell -$userUPN="<user sign-in name (UPN)>" -$planName="<license plan name from the list of license plans>" -$license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses -$license.RemoveLicenses = (Get-AzureADSubscribedSku \| Where-Object -Property SkuPartNumber -Value $planName -EQ).SkuID -Set-AzureADUserLicense -ObjectId $userUPN -AssignedLicenses $license -``` - -To remove all of the licenses for a specific user account, specify the user sign-in name, remove the "<" and ">" characters, and run these commands. - -```powershell -$userUPN="<user sign-in name (UPN)>" -$userList = Get-AzureADUser -ObjectID $userUPN -$Skus = $userList \| Select -ExpandProperty AssignedLicenses \| Select SkuID -if($userList.Count -ne 0) { - if($Skus -is [array]) - { - $licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses - for ($i=0; $i -lt $Skus.Count; $i++) { - $licenses.RemoveLicenses += (Get-AzureADSubscribedSku \| Where-Object -Property SkuID -Value $Skus[$i].SkuId -EQ).SkuID - } - Set-AzureADUserLicense -ObjectId $userUPN -AssignedLicenses $licenses - } else { - $licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses - $licenses.RemoveLicenses = (Get-AzureADSubscribedSku \| Where-Object -Property SkuID -Value $Skus.SkuId -EQ).SkuID - Set-AzureADUserLicense -ObjectId $userUPN -AssignedLicenses $licenses - } -} -``` - -## Use the Microsoft Azure Active Directory module for Windows PowerShell - ->[!Note] ->The Set-MsolUserLicense and New-MsolUser (-LicenseAssignment) cmdlets are scheduled to be retired. Please migrate your scripts to the Microsoft Graph SDK's Set-MgUserLicense cmdlet as described above. For more information, see [Migrate your apps to access the license managements APIs from Microsoft Graph](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/migrate-your-apps-to-access-the-license-managements-apis-from/ba-p/2464366). -> - -First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell). - -To view the licensing plan (AccountSkuID) information in your organization, see the following articles: --- [View licenses and services with PowerShell](view-licenses-and-services-with-microsoft-365-powershell.md)--- [View account license and service details with PowerShell](view-account-license-and-service-details-with-microsoft-365-powershell.md)- -If you use the Get-MsolUser cmdlet without using the _-All_ parameter, only the first 500 accounts are returned. - -### Removing licenses from user accounts - -To remove licenses from an existing user account, use the following syntax: - -```powershell -Set-MsolUserLicense -UserPrincipalName <Account> -RemoveLicenses "<AccountSkuId1>", "<AccountSkuId2>"... -``` - ->[!Note] ->PowerShell Core does not support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets with Msol in their name. To continue using these cmdlets, you must run them from Windows PowerShell. -> - -This example removes the litwareinc:ENTERPRISEPACK (Office 365 Enterprise E3) license from the user account BelindaN@litwareinc.com. - -```powershell -Set-MsolUserLicense -UserPrincipalName belindan@litwareinc.com -RemoveLicenses "litwareinc:ENTERPRISEPACK" -``` - ->[!Note] ->You cannot use the `Set-MsolUserLicense` cmdlet to unassign users from canceled licenses. You must do this individually for each user account in the Microsoft 365 admin center. -> - -To remove all licenses from a group of existing licensed users, use either of the following methods: - -- Filter the accounts based on an existing account attribute To do this, use the following syntax:- - ```powershell - $userArray = Get-MsolUser -All <FilterableAttributes> \| where {$_.isLicensed -eq $true} - for ($i=0; $i -lt $userArray.Count; $i++) - { - Set-MsolUserLicense -UserPrincipalName $userArray[$i].UserPrincipalName -RemoveLicenses $userArray[$i].licenses.accountskuid - } - ``` +To remove a specific license from a list of users in a text file, perform the following steps. This example removes the SPE_E5 (Microsoft 365 Enterprise E5) license from the user accounts defined in the text file C:\My Documents\Accounts.txt. - This example removes all licenses from all user accounts in the Sales department in the United States. - - ```powershell - $userArray = Get-MsolUser -All -Department "Sales" -UsageLocation "US" \| where {$_.isLicensed -eq $true} - for ($i=0; $i -lt $userArray.Count; $i++) - { - Set-MsolUserLicense -UserPrincipalName $userArray[$i].UserPrincipalName -RemoveLicenses $userArray[$i].licenses.accountskuid - } - ``` --- Use a list of specific accounts for a specific license To do this, perform the following steps:- - 1. Create and save a text file that contains one account on each line like this: + 1. Create and save a text file to C:\My Documents\Accounts.txt that contains one account on each line like this: ```powershell akol@contoso.com To remove all licenses from a group of existing licensed users, use either of th kakers@contoso.com ``` - 2. Use the following syntax: - - ```powershell - $x=Get-Content "<FileNameAndPath>" - for ($i=0; $i -lt $x.Count; $i++) - { - Set-MsolUserLicense -UserPrincipalName $x[$i] -RemoveLicenses "<AccountSkuId1>","<AccountSkuId2>"... - } - ``` - - This example removes the litwareinc:ENTERPRISEPACK (Office 365 Enterprise E3) license from the user accounts defined in the text file C:\My Documents\Accounts.txt. + 2. Use the following command: ```powershell $x=Get-Content "C:\My Documents\Accounts.txt" + $e5Sku = Get-MgSubscribedSku -All \| Where SkuPartNumber -eq 'SPE_E5' for ($i=0; $i -lt $x.Count; $i++) { - Set-MsolUserLicense -UserPrincipalName $x[$i] -RemoveLicenses "litwareinc:ENTERPRISEPACK" - } - ``` - - To remove all licenses from all existing user accounts, use the following syntax: - - ```powershell - $userArray = Get-MsolUser -All \| where {$_.isLicensed -eq $true} - for ($i=0; $i -lt $userArray.Count; $i++) - { - Set-MsolUserLicense -UserPrincipalName $userArray[$i].UserPrincipalName -RemoveLicenses $userArray[$i].licenses.accountskuid + Set-MgUserLicense -UserId $x[$i] -RemoveLicenses @($e5Sku.SkuId) -AddLicenses @{} } ```
enterprise	Tenant Roadmap Microsoft 365	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/tenant-roadmap-microsoft-365.md	f1.keywords: Previously updated : 07/29/2020 Last updated : 02/08/2024 audience: ITPro - scotvorg - M365-subscription-management - m365initiative-coredeploy +- essentials-get-started +- must-keep description: The roadmap to set up your tenants for Microsoft 365.
security	Defender Endpoint Antivirus Exclusions	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-antivirus-exclusions.md	When you're dealing with false positives, or known entities that are generating \| Scenario \| Steps to consider \| \|:\|:-\| -\| [False positive](defender-endpoint-false-positives-negatives.md): An entity, such as a file or a process, was detected and identified as malicious, even though the entity isn't a threat. \| 1. [Review and classify alerts](defender-endpoint-false-positives-negatives.md#part-1-review-and-classify-alerts) that were generated as a result of the detected entity. <br/>2. [Suppress an alert](defender-endpoint-false-positives-negatives.md#suppress-an-alert) for a known entity. <br/>3. [Review remediation actions](defender-endpoint-false-positives-negatives.md#part-2-review-remediation-actions) that were taken for the detected entity. <br/>4. [Submit the false positive to Microsoft](../intelligence/submission-guide.md) for analysis. <br/>5. [Define an exclusion](defender-endpoint-false-positives-negatives.md#part-3-review-or-define-exclusions) for the entity (only if necessary). \| +\| [False positive](defender-endpoint-false-positives-negatives.md): An entity, such as a file or a process, was detected and identified as malicious, even though the entity isn't a threat. \| 1. [Review and classify alerts](defender-endpoint-false-positives-negatives.md#part-1-review-and-classify-alerts) that were generated as a result of the detected entity. <br/>2. [Suppress an alert](defender-endpoint-false-positives-negatives.md#suppress-an-alert) for a known entity. <br/>3. [Review remediation actions](defender-endpoint-false-positives-negatives.md#part-2-review-remediation-actions) that were taken for the detected entity. <br/>4. [Submit the false positive to Microsoft](../defender/submission-guide.md) for analysis. <br/>5. [Define an exclusion](defender-endpoint-false-positives-negatives.md#part-3-review-or-define-exclusions) for the entity (only if necessary). \| \| [Performance issues](troubleshoot-performance-issues.md) such as one of the following issues:<br/>- A system is having high CPU usage or other performance issues.<br/>- A system is having memory leak issues.<br/>- An app is slow to load on devices.<br/>- An app is slow to open a file on devices. \| 1. [Collect diagnostic data](collect-diagnostic-data.md) for Microsoft Defender Antivirus.<br/>2. If you're using a non-Microsoft antivirus solution, [check with the vendor for any needed exclusions](troubleshoot-performance-issues.md#check-with-vendor-for-antivirus-exclusions).<br/>3. [Analyze the Microsoft Protection Log](troubleshoot-performance-issues.md#analyze-the-microsoft-protection-log) to see the estimated performance impact.<br/>4. [Define an exclusion for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md) (if necessary).<br/>5. [Create an indicator for Defender for Endpoint](manage-indicators.md) (only if necessary). \| \| [Compatibility issues](microsoft-defender-antivirus-compatibility.md) with non-Microsoft antivirus products. <br/>Example: Defender for Endpoint relies on security intelligence updates for devices, whether they're running Microsoft Defender Antivirus or a non-Microsoft antivirus solution. \| 1. If you're using a non-Microsoft antivirus product as your primary antivirus/antimalware solution, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-compatibility.md#requirements-for-microsoft-defender-antivirus-to-run-in-passive-mode).<br/>2. If you're switching from a non-Microsoft antivirus/antimalware solution to Defender for Endpoint, see [Make the switch to Defender for Endpoint](switch-to-mde-overview.md). This guidance includes:<br/>- [Exclusions you might need to define for the non-Microsoft antivirus/antimalware solution](switch-to-mde-phase-2.md#step-3-add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution);<br/>- [Exclusions you might need to define for Microsoft Defender Antivirus](switch-to-mde-phase-2.md#step-4-add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus); and <br/>- [Troubleshooting information](switch-to-mde-troubleshooting.md) (just in case something goes wrong while migrating). \|
security	Criteria	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/criteria.md	+ + Title: How Microsoft identifies malware and potentially unwanted applications + +description: Learn how Microsoft reviews software for privacy violations and other negative behavior, to determine if it's malware or a potentially unwanted application. +keywords: security, malware, virus research threats, research malware, device protection, computer infection, virus infection, descriptions, remediation, latest threats, MMdevice, Microsoft Malware Protection Center, PUA, potentially unwanted applications + +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +++ +audience: ITPro + +- m365-security +- tier2 + Last updated : 12/13/2021 +search.appverid: met150 ++ +# How Microsoft identifies malware and potentially unwanted applications + +Microsoft aims to provide a delightful and productive Windows experience by working to ensure you're safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you're protected against known threats. You are also warned about software that is unknown to us. + +You can assist Microsoft by [submitting unknown or suspicious software for analysis](https://www.microsoft.com/wdsi/filesubmission/). This will help ensure that unknown or suspicious software is scanned by our system to start establishing reputation. [Learn more about submitting files for analysis](submission-guide.md) + +The next sections provide an overview of the classifications we use for applications and the types of behaviors that lead to that classification. + +> [!NOTE] +> New forms of malware and potentially unwanted applications are being developed and distributed rapidly. The following list may not be comprehensive, and Microsoft reserves the right to adjust, expand, and update these without prior notice or announcement. + +## Unknown ΓÇô Unrecognized software + +No antivirus or protection technology is perfect. It takes time to identify and block malicious sites and applications, or trust newly released programs and certificates. With almost 2 billion websites on the internet and software continuously updated and released, it's impossible to have information about every single site and program. + +Think of Unknown/Uncommonly downloaded warnings as an early warning system for potentially undetected malware. There's generally a delay from the time new malware is released until it's identified. Not all uncommon programs are malicious, but the risk in the unknown category is much higher for the typical user. Warnings for unknown software aren't blocks. Users can choose to download and run the application normally if they wish to. + +Once enough data is gathered, Microsoft's security solutions can make a determination. Either no threats are found, or an application or software is categorized as malware or potentially unwanted software. + +## Malware + +Malware is the overarching name for applications and other code, like software, that Microsoft classifies more granularly as malicious software or unwanted software. + +### Malicious software + +Malicious software is an application or code that compromises user security. Malicious software may steal your personal information, lock your device until you pay a ransom, use your device to send spam, or download other malicious software. In general, malicious software wants to trick, cheat, or defrauds users, placing them in vulnerable states. + +Microsoft classifies most malicious software into one of the following categories: + +* Backdoor: A type of malware that gives malicious hackers remote access to and control of your device. + +* Command and Control: A type of malware that infects your device and establishes communication with the hackers' command-and-control server to receive instructions. Once communication is established, hackers can send commands that can steal data, shut down and reboot the device, and disrupt web services. + +* Downloader: A type of malware that downloads other malware onto your device. It must connect to the internet to download files. + +* Dropper: A type of malware that installs other malware files onto your device. Unlike a downloader, a dropper doesn't have to connect to the internet to drop malicious files. The dropped files are typically embedded in the dropper itself. + +* Exploit: A piece of code that uses software vulnerabilities to gain access to your device and perform other tasks, such as installing malware.. + +* Hacktool: A type of tool that can be used to gain unauthorized access to your device. + +* Macro virus: A type of malware that spreads through infected documents, such as Microsoft Word or Excel documents. The virus is run when you open an infected document. + +* Obfuscator: A type of malware that hides its code and purpose, making it more difficult for security software to detect or remove. + +* Password stealer: A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit. + +* Ransomware: A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [See more information about ransomware](/security/ransomware/human-operated-ransomware). + +* Rogue security software: Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your device. It also tries to convince you to pay for its services. + +* Trojan: A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead, it tries to look legitimate to tricks users into downloading and installing it. Once installed, trojans perform various malicious activities such as stealing personal information, downloading other malware, or giving attackers access to your device. + +* Trojan clicker: A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your device. + +* Worm: A type of malware that spreads to other devices. Worms can spread through email, instant messaging, file sharing platforms, social networks, network shares, and removable drives. Sophisticated worms take advantage of software vulnerabilities to propagate. + +### Unwanted software + +Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your device through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that doesn't fully demonstrate these behaviors as "unwanted software". + +#### Lack of choice + +You must be notified about what is happening on your device, including what software does and whether it's active. + +Software that exhibits lack of choice might: + +* Fail to provide prominent notice about the behavior of the software and its purpose and intent. + +* Fail to clearly indicate when the software is active. It might also attempt to hide or disguise its presence. + +* Install, reinstall, or remove software without your permission, interaction, or consent. + +* Install other software without a clear indication of its relationship to the primary software. + +* Circumvent user consent dialogs from the browser or operating system. + +* Falsely claim to be software from Microsoft. + +Software must not mislead or coerce you into making decisions about your device. It is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might: + +* Display exaggerated claims about your device's health. + +* Make misleading or inaccurate claims about files, registry entries, or other items on your device. + +* Display claims in an alarming manner about your device's health and require payment or certain actions in exchange for fixing the purported issues. + +Software that stores or transmits your activities or data must: + +* Give you notice and get consent to do so. Software shouldn't include an option that configures it to hide activities associated with storing or transmitting your data. + +#### Lack of control + +You must be able to control software on your device. You must be able to start, stop, or otherwise revoke authorization to software. + +Software that exhibits lack of control might: + +* Prevent or limit you from viewing or modifying browser features or settings. + +* Open browser windows without authorization. + +* Redirect web traffic without giving notice and getting consent. + +* Modify or manipulate webpage content without your consent. + +Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that don't provide supported extensibility models are considered non-extensible and shouldn't be modified. + +#### Installation and removal + +You must be able to start, stop, or otherwise revoke authorization given to software. Software should obtain your consent before installing, and it must provide a clear and straightforward way for you to install, uninstall, or disable it. + +Software that delivers poor installation experience might bundle or download other "unwanted software" as classified by Microsoft. + +Software that delivers poor removal experience might: + +* Present confusing or misleading prompts or pop-ups when you try to uninstall it. + +* Fail to use standard install/uninstall features, such as Add/Remove Programs. + +#### Advertising and advertisements + +Software that promotes a product or service outside of the software itself can interfere with your computing experience. You should have clear choice and control when installing software that presents advertisements. + +The advertisements that are presented by software must: + +* Include an obvious way for users to close the advertisement. The act of closing the advertisement must not open another advertisement. + +* Include the name of the software that presented the advertisement. + +The software that presents these advertisements must: + +* Provide a standard uninstall method for the software using the same name as shown in the advertisement it presents. + +Advertisements shown to you must: + +* Be distinguishable from website content. + +* Not mislead, deceive, or confuse. + +* Not contain malicious code. + +* Not invoke a file download. + +#### Consumer opinion + +Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Microsoft Defender Antivirus and other Microsoft antimalware solutions. + +## Potentially unwanted application (PUA) + +Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This protection helps deliver more productive, performant, and delightful Windows experiences. For instruction on how to enable PUA protection in Chromium-based Microsoft Edge and Microsoft Defender Antivirus, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). + +PUAs are not considered malware. + +Microsoft uses specific categories and the category definitions to classify software as a PUA. + +* Advertising software: Software that displays advertisements or promotions, or prompts you to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages. + +* Torrent software (Enterprise only): Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies. + +* Cryptomining software (Enterprise only): Software that uses your device resources to mine cryptocurrencies. + +* Bundling software: Software that offers to install other software that is not developed by the same entity or not required for the software to run. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document. + +* Marketing software: Software that monitors and transmits the activities of users to applications or services other than itself for marketing research. + +* Evasion software: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. + +* Poor industry reputation: Software that trusted security providers detect with their security products. The security industry is dedicated to protecting customers and improving their experiences. Microsoft and other organizations in the security industry continuously exchange knowledge about files we have analyzed to provide users with the best possible protection. +
security	Malware Naming	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/malware-naming.md	+ + Title: How Microsoft names malware + +description: Understand the malware naming convention used by Microsoft Defender Antivirus and other Microsoft antimalware. +keywords: security, malware, names, Microsoft, MMPC, Microsoft Malware Protection Center, WDSI, malware name, malware prefix, malware type, virus name + +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +++ +audience: ITPro + +- m365-security +- tier2 +- must-keep + +search.appverid: met150 Last updated : 08/18/2023++ +# Malware names + +We name the malware and unwanted software that we detect according to the Computer Antivirus Research Organization (CARO) malware naming scheme. The scheme uses the following format: + +![How Microsoft determines names malware](../../media/security-intelligence-images/naming-malware.png) + +When our analysts research a particular threat, they determine what each of the components name is. + +## Type + +Describes what the malware does on your computer. Worms, viruses, trojans, backdoors, and ransomware are some of the most common types of malware. +``` +* Adware +* Backdoor +* Behavior +* BrowserModifier +* Constructor +* DDoS +* Exploit +* HackTool +* Joke +* Misleading +* MonitoringTool +* Program +* Personal Web Server (PWS) +* Ransom +* RemoteAccess +* Rogue +* SettingsModifier +* SoftwareBundler +* Spammer +* Spoofer +* Spyware +* Tool +* Trojan +* TrojanClicker +* TrojanDownloader +* TrojanNotifier +* TrojanProxy +* TrojanSpy +* VirTool +* Virus +* Worm +``` +## Platforms + +Platforms guide the malware to its compatible operating system (such as Windows, macOS, and Android). The platform's guidance is also used for programming languages and file formats. + +### Operating systems +``` +* AndroidOS: Android operating system +* DOS: MS-DOS platform +* EPOC: Psion devices +* FreeBSD: FreeBSD platform +* iOS: iPhone operating system +* Linux: Linux platform +* macOS: MAC 9.x platform or earlier +* macOS_X: macOS X or later +* OS2: OS2 platform +* Palm: Palm operating system +* Solaris: System V-based Unix platforms +* SunOS: Unix platforms 4.1.3 or lower +* SymbOS: Symbian operating system +* Unix: general Unix platforms +* Win16: Win16 (3.1) platform +* Win2K: Windows 2000 platform +* Win32: Windows 32-bit platform +* Win64: Windows 64-bit platform +* Win95: Windows 95, 98 and ME platforms +* Win98: Windows 98 platform only +* WinCE: Windows CE platform +* WinNT: WinNT +``` + +### Scripting languages +``` +* ABAP: Advanced Business Application Programming scripts +* ALisp: ALisp scripts +* AmiPro: AmiPro script +* ANSI: American National Standards Institute scripts +* AppleScript: compiled Apple scripts +* ASP: Active Server Pages scripts +* AutoIt: AutoIT scripts +* BAS: Basic scripts +* BAT: Basic scripts +* CorelScript: Corelscript scripts +* HTA: HTML Application scripts +* HTML: HTML Application scripts +* INF: Install scripts +* IRC: mIRC/pIRC scripts +* Java: Java binaries (classes) +* JS: JavaScript scripts +* LOGO: LOGO scripts +* MPB: MapBasic scripts +* MSH: Monad shell scripts +* MSIL: .NET intermediate language scripts +* Perl: Perl scripts +* PHP: Hypertext Preprocessor scripts +* Python: Python scripts +* SAP: SAP platform scripts +* SH: Shell scripts +* VBA: Visual Basic for Applications scripts +* VBS: Visual Basic scripts +* WinBAT: Winbatch scripts +* WinHlp: Windows Help scripts +* WinREG: Windows registry scripts +``` + +### Macros +``` +* A97M: Access 97, 2000, XP, 2003, 2007, and 2010 macros +* HE: macro scripting +* O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and PowerPoint +* PP97M: PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros +* V5M: Visio5 macros +* W1M: Word1Macro +* W2M: Word2Macro +* W97M: Word 97, 2000, XP, 2003, 2007, and 2010 macros +* WM: Word 95 macros +* X97M: Excel 97, 2000, XP, 2003, 2007, and 2010 macros +* XF: Excel formulas +* XM: Excel 95 macros +``` + +### Other file types +``` +* ASX: XML metafile of Windows Media .asf files +* HC: HyperCard Apple scripts +* MIME: MIME packets +* Netware: Novell Netware files +* QT: Quicktime files +* SB: StarBasic (StarOffice XML) files +* SWF: Shockwave Flash files +* TSQL: MS SQL server files +* XML: XML files +``` +## Family + +Grouping of malware based on common characteristics, including attribution to the same authors. Security software providers sometimes use different names for the same malware family. + +## Variant letter + +Used sequentially for every distinct version of a malware family. For example, the detection for the variant ".AF" would have been created after the detection for the variant ".AE". + +## Suffixes + +Provides extra detail about the malware, including how it's used as part of a multicomponent threat. In the preceding example, "!lnk" indicates that the threat component is a shortcut file used by Trojan: Win32/Reveton.T. +``` +* .dam: damaged malware +* .dll: Dynamic Link Library component of a malware +* .dr: dropper component of a malware +* .gen: malware that is detected using a generic signature +* .kit: virus constructor +* .ldr: loader component of a malware +* .pak: compressed malware +* .plugin: plug-in component +* .remnants: remnants of a virus +* .worm: worm component of that malware +* !bit: an internal category used to refer to some threats +* !cl: an internal category used to refer to some threats +* !dha: an internal category used to refer to some threats +* !pfn: an internal category used to refer to some threats +* !plock: an internal category used to refer to some threats +* !rfn: an internal category used to refer to some threats +* !rootkit: rootkit component of that malware +* @m: worm mailers +* @mm: mass mailer worm +```
security	Microsoft Threat Actor Naming	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-threat-actor-naming.md	+ + Title: How Microsoft names threat actors + +description: Learn how Microsoft names threat actors and how to use the naming convention to identify associated intelligence. +keywords: security, threat actor, security intelligence, naming convention, taxonomy, weather, threat actor naming, motivation, attribution, nation-state, financially motivated, private sector offensive actor, influence operations, groups in development, DEV-, nation state + +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +++ +audience: ITPro + +- m365-security +- tier2 + +search.appverid: met150 Last updated : 01/15/2024++ +# How Microsoft names threat actors + +Microsoft shifted to a new naming taxonomy for threat actors aligned with the theme of weather. We intend to bring better clarity to customers and other security researchers with the nex taxonomy. We offer a more organized, articulate, and easy way to reference threat actors so that organizations can better prioritize and protect themselves and aid security researchers already confronted with an overwhelming amount of threat intelligence data. ++ +Microsoft categorizes threat actors into five key groups: + +Nation-state actors: cyber operators acting on behalf of or directed by a nation/state-aligned program, irrespective of whether for espionage, financial gain, or retribution. Microsoft observed that most nation state actors continue to focus operations and attacks on government agencies, intergovernmental organizations, nongovernmental organizations, and think tanks for traditional espionage or surveillance objectives. + +Financially motivated actors: cyber campaigns/groups directed by a criminal organization/person with motivations of financial gain and are not associated with high confidence to a known non-nation state or commercial entity. This category includes ransomware operators, business email compromise, phishing, and other groups with purely financial or extortion motivations. + +Private sector offensive actors (PSOAs): cyber activity led by commercial actors that are known/legitimate legal entities, that create and sell cyberweapons to customers who then select targets and operate the cyberweapons. These tools were observed targeting and surveilling dissidents, human rights defenders, journalists, civil society advocates, and other private citizens, threatening many global human rights efforts. + +Influence operations: information campaigns communicated online or offline in a manipulative fashion to shift perceptions, behaviors, or decisions by target audiences to further a group or a nation's interests and objectives. + +Groups in development: a temporary designation given to an unknown, emerging, or developing threat activity. This designation allows Microsoft to track a group as a discrete set of information until we can reach high confidence about the origin or identity of the actor behind the operation. Once criteria are met, a group in development is converted to a named actor or merged into existing names. + +In our new taxonomy, a weather event or family name represents one of the above categories. For nation-state actors, we have assigned a family name to a country/region of origin tied to attribution, like Typhoon indicates origin or attribution to China. For other actors, the family name represents a motivation. For example, Tempest indicates financially motivated actors. + +Threat actors within the same weather family are given an adjective to distinguish actor groups with distinct tactics, techniques, and procedures (TTPs), infrastructure, objectives, or other identified patterns. For groups in development, we use a temporary designation of Storm and a four-digit number where there is a newly discovered, unknown, emerging, or developing cluster of threat activity. + +The table shows how the new family names map to the threat actors that we track. + +\|Actor category\|Type\|Family name\| +\|\|::\|::\| +\|Nation-state\|China<br>Iran<br>Lebanon<br>North Korea<br>Russia<br>South Korea<br>Turkey<br>Vietnam\|Typhoon<br>Sandstorm<br>Rain<br>Sleet<br>Blizzard<br>Hail<br>Dust<br>Cyclone\| +\|Financially motivated\|Financially motivated\|Tempest\| +\|Private sector offensive actors\|PSOAs\|Tsunami\| +\|Influence operations\|Influence operations\|Flood\| +\|Groups in development\|Groups in development\|Storm\| + +Use the following reference table to understand how our previously publicly disclosed old threat actor names translate to our new taxonomy. + +\|Threat actor name\|Previous name\|Origin/Threat\|Other names\| +\|\|::\|::\|::\| +\|Aqua Blizzard\|ACTINIUM\|Russia\|UNC530, Primitive Bear, Gamaredon\| +\|Blue Tsunami\|\|Private sector offensive actor\|Black Cube\| +\|Brass Typhoon\|BARIUM\|China\|APT41\| +\|Cadet Blizzard\|DEV-0586\|Russia\|\| +\|Camouflage Tempest\|TAAL\|Financially motivated\|FIN6, Skeleton Spider\| +\|Canvas Cyclone\|BISMUTH\|Vietnam\|APT32, OceanLotus\| +\|Caramel Tsunami\|SOURGUM\|Private sector offensive actor\|Candiru\| +\|Carmine Tsunami\|DEV-0196\|Private sector offensive actor\|QuaDream\| +\|Charcoal Typhoon\|CHROMIUM\|China\|ControlX\| +\|Cinnamon Tempest\|DEV-0401\|Financially motivated\|Emperor Dragonfly, Bronze Starlight\| +\|Circle Typhoon\|DEV-0322\|China\|\| +\|Citrine Sleet\|DEV-0139, DEV-1222\|North Korea\|AppleJeus, Labyrinth Chollima, UNC4736\| +\|Cotton Sandstorm\|DEV-0198 (NEPTUNIUM)\|Iran\|Vice Leaker\| +\|Crimson Sandstorm\|CURIUM\|Iran\|TA456, Tortoise Shell\| +\|Cuboid Sandstorm\|DEV-0228\|Iran\|\| +\|Denim Tsunami\|KNOTWEED\|Private sector offensive actor\|DSIRF\| +\|Diamond Sleet\|ZINC\|North Korea\|Labyrinth Chollima, Lazarus\| +\|Emerald Sleet\|THALLIUM\|North Korea\|Kimsuky, Velvet Chollima\| +\|Flax Typhoon\|Storm-0919\|China\|Ethereal Panda\| +\|Forest Blizzard\|STRONTIUM\|Russia\|APT28, Fancy Bear\| +\|Ghost Blizzard\|BROMINE\|Russia\|Energetic Bear, Crouching Yeti\| +\|Gingham Typhoon\|GADOLINIUM\|China\|APT40, Leviathan, TEMP.Periscope, Kryptonite Panda\| +\|Granite Typhoon\|GALLIUM\|China\|\| +\|Gray Sandstorm\|DEV-0343\|Iran\|\| +\|Hazel Sandstorm\|EUROPIUM\|Iran\|Cobalt Gypsy, APT34, OilRig\| +\|Jade Sleet\|Storm-0954\|North Korea\|TraderTraitor, UNC4899\| +\|Lace Tempest\|DEV-0950\|Financially motivated\|FIN11, TA505\| +\|Lemon Sandstorm\|RUBIDIUM\|Iran\|Fox Kitten, UNC757, PioneerKitten\| +\|Lilac Typhoon\|DEV-0234\|China\|\| +\|Manatee Tempest\|DEV-0243\|Financially motivated\|EvilCorp, UNC2165, Indrik Spider\| +\|Mango Sandstorm\|MERCURY\|Iran\|MuddyWater, SeedWorm, Static Kitten, TEMP.Zagros\| +\|Marbled Dust\|SILICON\|T├╝rkiye\|Sea Turtle\| +\|Marigold Sandstorm\|DEV-0500\|Iran\|Moses Staff\| +\|Midnight Blizzard\|NOBELIUM\|Russia\|APT29, Cozy Bear\| +\|Mint Sandstorm\|PHOSPHORUS\|Iran\|APT35, Charming Kitten\| +\|Mulberry Typhoon\|MANGANESE\|China\|APT5, Keyhole Panda, TABCTENG\| +\|Mustard Tempest\|DEV-0206\|Financially motivated\|Purple Vallhund\| +\|Night Tsunami\|DEV-0336\|Private sector offensive actor\|NSO Group\| +\|Nylon Typhoon\|NICKEL\|China\|ke3chang, APT15, Vixen Panda\| +\|Octo Tempest\|Storm-0875\|Financially motivated\|0ktapus, Scattered Spider, UNC3944\| +\|Onyx Sleet\|PLUTONIUM\|North Korea\|Silent Chollima, Andariel, DarkSeoul\| +\|Opal Sleet\|OSMIUM\|North Korea\|Konni\| +\|Peach Sandstorm\|HOLMIUM\|Iran\|APT33, Refined Kitten\| +\|Pearl Sleet\|DEV-0215 (LAWRENCIUM)\|North Korea\|\| +\|Periwinkle Tempest\|DEV-0193\|Financially motivated\|Wizard Spider, UNC2053\| +\|Phlox Tempest\|DEV-0796\|Financially motivated\|ClickPirate, Chrome Loader, Choziosi loader\| +\|Pink Sandstorm\|AMERICIUM\|Iran\|Agrius, Deadwood, BlackShadow, SharpBoys\| +\|Pistachio Tempest\|DEV-0237\|Financially motivated\|FIN12\| +\|Plaid Rain\|POLONIUM\|Lebanon\|\| +\|Pumpkin Sandstorm\|DEV-0146\|Iran\|ZeroCleare\| +\|Raspberry Typhoon\|RADIUM\|China\|APT30, LotusBlossom\| +\|Ruby Sleet\|CERIUM\|North Korea\|\| +\|Sangria Tempest\|ELBRUS\|Financially motivated\|Carbon Spider, FIN7\| +\|Sapphire Sleet\|COPERNICIUM\|North Korea\|Genie Spider, BlueNoroff\| +\|Seashell Blizzard\|IRIDIUM\|Russia\|Sandworm\| +\|Secret Blizzard\|KRYPTON\|Russia\|Venomous Bear, Turla, Snake\| +\|Silk Typhoon\|HAFNIUM\|China\|\| +\|Smoke Sandstorm\|BOHRIUM\|Iran\|\| +\|Spandex Tempest\|CHIMBORAZO\|Financially motivated\|TA505\| +\|Star Blizzard\|SEABORGIUM\|Russia\|Callisto, Reuse Team\| +\|Storm-0062\|DEV-0062\|China\|DarkShadow, Oro0lxy\| +\|Storm-0133\|DEV-0133\|Iran\|LYCEUM, HEXANE\| +\|Storm-0216\|DEV-0216\|Financially motivated\|Twisted Spider, UNC2198\| +\|Storm-0257\|DEV-0257\|Group in development\|UNC1151\| +\|Storm-0324\|DEV-0324\|Financially motivated\|TA543, Sagrid\| +\|Storm-0381\|DEV-0381\|Financially motivated\|\| +\|Storm-0530\|DEV-0530\|North Korea\|H0lyGh0st\| +\|Storm-0539\|\|Financially motivated\|\| +\|Storm-0558\|\|China\|\| +\|Storm-0569\|DEV-0569\|Financially motivated\|\| +\|Storm-0587\|DEV-0587\|Russia\|SaintBot, Saint Bear, TA471\| +\|Storm-0744\|DEV-0744\|Financially motivated\|\| +\|Storm-0829\|DEV-0829\|Group in development\|Nwgen Team\| +\|Storm-0835\|\|Group in development\|EvilProxy\| +\|Storm-0867\|DEV-0867\|Egypt\|Caffeine\| +\|Storm-0971\|DEV-0971\|Financially motivated\|(Merged into Octo Tempest)\| +\|Storm-0978\|DEV-0978\|Group in development\|RomCom, Underground Team\| +\|Storm-1044\|DEV-1044\|Financially motivated\|Danabot\| +\|Storm-1084\|DEV-1084\|Iran\|DarkBit\| +\|Storm-1099\|\|Russia\|\| +\|Storm-1101\|DEV-1101\|Group in development\|NakedPages\| +\|Storm-1113\|DEV-1113\|Financially motivated\|\| +\|Storm-1133\|\|Palestinian Authority\|\| +\|Storm-1152\|\|Financially motivated\|\| +\|Storm-1167\|DEV-1167\|Indonesia\|\| +\|Storm-1283\|\|Group in development\|\| +\|Storm-1286\|\|Group in development\|\| +\|Storm-1295\|DEV-1295\|Group in development\|Greatness\| +\|Storm-1567\|\|Financially motivated\|Akira\| +\|Storm-1575\|\|Group in development\|Dadsec\| +\|Storm-1674\|\|Financially motivated\|\| +\|Strawberry Tempest\|DEV-0537\|Financially motivated\|LAPSUS$\| +\|Sunglow Blizzard\|DEV-0665\|Russia\|\| +\|Tomato Tempest\|SPURR\|Financially motivated\|Vatet\| +\|Vanilla Tempest\|DEV-0832\|Financially motivated\|\| +\|Velvet Tempest\|DEV-0504\|Financially motivated\|\| +\|Violet Typhoon\|ZIRCONIUM\|China\|APT31\| +\|[Volt Typhoon](https://www.microsoft.com/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques)\|\|China\|BRONZE SILHOUETTE, VANGUARD PANDA\| +\|Wine Tempest\|PARINACOTA\|Financially motivated\|Wadhrama\| +\|Wisteria Tsunami\|DEV-0605\|Private sector offensive actor\|CyberRoot\| +\|Zigzag Hail\|DUBNIUM\|South Korea\|Dark Hotel, Tapaoux\| + +Read our announcement about the new taxonomy for more information: [https://aka.ms/threatactorsblog](https://aka.ms/threatactorsblog) + +## Putting intelligence into the hands of security professionals + +[Intel profiles in Microsoft Defender Threat Intelligence](../defender/defender-threat-intelligence.md) bring crucial insights about threat actors. These insights enable security teams to get the context they need as they prepare for and respond to threats. + +Additionally, the Microsoft Defender Threat Intelligence Intel Profiles API provides the most up-to-date threat actor infrastructure visibility in the industry today. Updated information is crucial in enabling threat intelligence and security operations (SecOps) teams to streamline their advanced threat hunting and analysis workflows. Learn more about this API in the documentation: [Use the threat intelligence APIs in Microsoft Graph (preview)](/graph/api/resources/security-threatintelligence-overview). + +## Resources + +Use the following query on Microsoft Defender XDR and other Microsoft security products supporting the Kusto query language (KQL) to get information about a threat actor using the old name, new name, or industry name: + +```kusto +let TANames = externaldata(PreviousName: string, NewName: string, Origin: string, OtherNames: dynamic)[@"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json"] with(format="multijson", ingestionMapping='[{"Column":"PreviousName","Properties":{"Path":"$.Previous name"}},{"Column":"NewName","Properties":{"Path":"$.New name"}},{"Column":"Origin","Properties":{"Path":"$.Origin/Threat"}},{"Column":"OtherNames","Properties":{"Path":"$.Other names"}}]'); +let GetThreatActorAlias = (Name: string) { +TANames +\| where Name =~ NewName or Name =~ PreviousName or OtherNames has Name +}; +GetThreatActorAlias("ZINC") +``` +The following files containing the comprehensive mapping of old threat actor names with their new names are also available: + +- [JSON format](https://github.com/microsoft/mstic/blob/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json) +- [downloadable Excel](https://download.microsoft.com/download/4/5/2/45208247-c1e9-432d-a9a2-1554d81074d9/microsoft-threat-actor-list.xlsx)
security	Portal Submission Troubleshooting	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/portal-submission-troubleshooting.md	+ + Title: Troubleshoot Microsoft Security intelligence malware submission errors caused by administrator block +description: Troubleshoot MSI portal errors + +keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn't detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn't detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence + +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +++ +audience: ITPro + +- m365-security +- tier2 + +search.appverid: met150 Last updated : 03/18/2022++ +# Troubleshooting Microsoft Security intelligence malware submission errors caused by administrator block + +In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this problem. + +## Review your settings + +Open your Azure [Enterprise application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). Under Enterprise Applications > Users can consent to apps accessing company data on their behalf, check whether Yes or No is selected. + +- If No is selected, a Microsoft Entra administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with Microsoft Entra ID, users might be able to submit a request right from the same dialog box. If there's no option to ask for admin consent, users need to request for these permissions to be added to their Microsoft Entra admin. Go to the following section for more information. + +- If Yes is selected, ensure the Windows Defender Security Intelligence app setting Enabled for users to sign in? is set to Yes [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If No is selected, you'll need to request a Microsoft Entra admin enable it. + +## Implement Required Enterprise Application permissions + +This process requires a global or application admin in the tenant. + +1. Open [Enterprise Application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). +2. Select Grant admin consent for organization. +3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant. + + ![grant consent image.](../../media/security-intelligence-images/msi-grant-admin-consent.jpg) + +4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds. + +## Option 1 Approve enterprise application permissions by user request + +> [!NOTE] +> This is currently a preview feature. + +Microsoft Entra admins will need to allow for users to request admin consent to apps. Verify the setting is configured to Yes in [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). + +![Enterprise applications user settings.](../../media/security-intelligence-images/msi-enterprise-app-user-setting.jpg) + +More information is available in [Configure Admin consent workflow](/azure/active-directory/manage-apps/configure-admin-consent-workflow). + +Once this setting is verified, users can go through the enterprise customer sign-in at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission), and submit a request for admin consent, including justification. + +![Contoso sign in flow.](../../media/security-intelligence-images/msi-contoso-approval-required.png) + +Admin will be able to review and approve the application permissions [Azure admin consent requests](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AccessRequests/menuId/). + +After providing consent, all users in the tenant will be able to use the application. + +## Option 2 Provide admin consent by authenticating the application as an admin + +This process requires that global admins go through the Enterprise customer sign-in flow at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission). + +![Consent sign in flow.](../../media/security-intelligence-images/msi-microsoft-permission-required.jpg) + +Then, admins review the permissions and make sure to select Consent on behalf of your organization, and then select Accept. + +All users in the tenant will now be able to use this application. + +## Option 3: Delete and readd app permissions + +If neither of these options resolve the issue, try the following steps (as an admin): + +1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b) +and select delete. + + ![Delete app permissions.](../../media/security-intelligence-images/msi-properties.png) + +2. Capture TenantID from [Properties](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties). + +3. Replace {tenant-id} with the specific tenant that needs to grant consent to this application in the URL below. Copy this URL into browser. The rest of the parameters are already completed. +``https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent?client_id=f0cf43e5-8a9b-451c-b2d5-7285c785684d&state=12345&redirect_uri=https%3a%2f%2fwww.microsoft.com%2fwdsi%2ffilesubmission&scope=openid+profile+email+offline_access`` + + ![Permissions needed.](../../media/security-intelligence-images/msi-microsoft-permission-requested-your-organization.png) + +4. Review the permissions required by the application, and then select Accept. + +5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051). + + ![Review that permissions are applied.](../../media/security-intelligence-images/msi-permissions.jpg) + +6. Sign in to [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission) as an enterprise user with a non-admin account to see if you have access. + + If the warning is not resolved after following these troubleshooting steps, call Microsoft support.
security	Safety Scanner Download	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/safety-scanner-download.md	+ + Title: Microsoft Safety Scanner Download + +description: Get the Microsoft Safety Scanner tool to find and remove malware from Windows computers. +keywords: security, malware ++ +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +++ +audience: ITPro + +- m365-security +- tier2 + +search.appverid: met150 Last updated : 02/06/2023+++ +# Microsoft Safety Scanner Download + +Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats. + +- [Download Microsoft Safety Scanner (32-bit)](https://go.microsoft.com/fwlink/?LinkId=212733) + +- [Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732) + +> [!NOTE] +> Safety Scanner is exclusively SHA-2 signed. Your devices must be updated to support SHA-2 in order to run Safety Scanner. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). + +## Important information + +- The security intelligence update version of the Microsoft Safety Scanner matches the version described [in this web page](https://www.microsoft.com/wdsi/definitions). + +- Microsoft Safety Scanner only scans when manually triggered. Safety Scanner expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run Safety Scanner again. We recommend that you always download the latest version of this tool before each scan. + +- Safety Scanner is a portable executable and doesn't appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download. + +- This tool doesn't replace your antimalware product. For real-time protection with automatic updates, use [Microsoft Defender Antivirus on Windows 11, Windows 10, and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you're having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/wdsi/help/troubleshooting-infection). + +## System requirements + +Safety Scanner helps remove malicious software from computers running Windows 11, Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2. For details, refer to the [Microsoft Lifecycle Policy](/lifecycle/). + +## How to run a scan + +1. Download this tool and open it. +2. Select the type of scan that you want to run and start the scan. +3. Review the scan results displayed on screen. For detailed detection results, view the log at %SYSTEMROOT%\debug\msert.log. + +To remove this tool, delete the executable file (msert.exe by default). + +For more information about the Safety Scanner, see the support article on [how to troubleshoot problems using Safety Scanner](https://support.microsoft.com/kb/2520970). + +## Related resources + +- [Troubleshooting Safety Scanner](https://support.microsoft.com/help/2520970/how-to-troubleshoot-an-error-when-you-run-the-microsoft-safety-scanner) +- [Microsoft Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security) +- [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download) +- [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware) +- [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission) +- [Microsoft antimalware and threat protection solutions](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)
security	Submission Guide	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/submission-guide.md	+ + Title: Submit files for analysis by Microsoft +description: Learn how to submit files to Microsoft for malware analysis, how to track your submissions, and dispute detections. + +keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn't detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn't detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence + +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +++ +audience: ITPro + +- m365-security +- tier2 + +search.appverid: met150 Last updated : 08/18/2023++ +# Submit files for analysis + +If you have a file that you suspect might be malware or is being incorrectly detected, you can submit it to us for analysis. This page has answers to some common questions about submitting a file for analysis. + +> [!TIP] +> If your organization's subscription includes [Microsoft Defender for Endpoint Plan 2](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), [Microsoft Defender for Office 365 Plan 2](/microsoft-365/security/office-365-security/defender-for-office-365), or [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender), you can use the [new unified submissions portal](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/unified-submissions-in-microsoft-365-defender-now-generally/ba-p/3270770). To learn more, see [Submit files in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/admin-submissions-mde). + +## How do I submit a file to Microsoft for analysis? + +### Send a malware file + +You can send files that you think might be malware or files that were incorrectly detected through the [sample submission portal](https://www.microsoft.com/wdsi/filesubmission). + +You can complete a quick analysis by providing detailed information about the product you were using and what you were doing when you found the file. + +After you sign in, you'll be able to track your submissions. + +> [!NOTE] +> +> You can use the Microsoft Security Intelligence submission feature even if you don't have Microsoft Defender for Endpoint Plan 2 or Microsoft Defender for Office Plan 2. + +### Submit a suspected email attachment + +Use the [Microsoft Defender portal](https://security.microsoft.com/) to submit suspected email attachments to Microsoft for review. For more information, see [Submit a suspected email attachment to Microsoft](../office-365-security/submissions-admin.md). + +### Submit a file or file hash + +Use the unified submissions feature in Microsoft Defender for Endpoint to submit files and file hashes to Microsoft for review. For more information, see [Submit files in Microsoft Defender for Endpoint](../defender-endpoint/admin-submissions-mde.md). + +## Can I send a sample by email? + +No, we only accept submissions through our [sample submission portal](https://www.microsoft.com/wdsi/filesubmission). + +## Can I submit a sample without signing in? + +No. If you're an enterprise customer, you need to sign in so that we can prioritize your submission appropriately. If you're currently experiencing a virus outbreak or security-related incident, you should contact your designated Microsoft support professional or go to [Microsoft Support](https://support.microsoft.com/) for immediate assistance. + +## What is the Software Assurance ID (SAID)? + +The [Software Assurance ID (SAID)](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default.aspx) is for enterprise customers to track support entitlements. The submission portal accepts and retains SAID information and allows customers with valid SAIDs to make higher priority submissions. + +### How do I dispute the detection of my program? + +[Submit the file](https://www.microsoft.com/wdsi/filesubmission) in question as a software developer. Wait until your submission has a final determination. + +If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We'll use the information you provide to investigate further if necessary. + +We encourage all software vendors and developers to read about [how Microsoft identifies malware and unwanted software](criteria.md). + +## How do I track or view past sample submissions? + +You can track your submissions through the [submission history page](https://www.microsoft.com/wdsi/submissionhistory). + +## What does the submission status mean? + +Each submission is shown to be in one of the following status types: + +* SubmittedΓÇöthe file has been received + +* In progressΓÇöan analyst has started checking the file + +* ClosedΓÇöa final determination has been given by an analyst + +You can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/wdsi/submissionhistory). + +## How does Microsoft prioritize submissions + +Processing submissions take dedicated analyst resource. Because we regularly receive a large number of submissions, we handle them based on a priority. The following factors affect how we prioritize submissions: + +* Prevalent files with the potential to impact large numbers of computers are prioritized. + +* Authenticated customers, especially enterprise customers with valid [Software Assurance IDs (SAIDs)](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default.aspx), are given priority. + +* Submissions flagged as high priority by SAID holders are given immediate attention. + +Your submission is immediately scanned by our systems to give you the latest determination even before an analyst starts handling your case. Note that the same file may have already been processed by an analyst. To check for updates to the determination, select rescan on the submission details page. + +## See also + +[Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](../defender-endpoint/defender-endpoint-antivirus-exclusions.md)
security	Virus Initiative Criteria	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/virus-initiative-criteria.md	+ + Title: Microsoft Virus Initiative + +description: The Microsoft Virus Initiative (MVI) helps organizations that make antivirus or antimalware products integrate with Windows and share telemetry with Microsoft. + +ms.localizationpriority: medium +++ +audience: ITPro + +- m365-security +- tier2 + +search.appverid: met150 Last updated : 12/08/2023++ +# Microsoft Virus Initiative + +The Microsoft Virus Initiative (MVI) helps organizations improve the security solutions our customers rely on to keep them safe. We provide tools, resources, and knowledge to support better-together experiences with great performance, reliability, and compatibility. + +## Become a member + +You can request membership if you're a representative of an organization that develops antimalware technology. Not all applicants are accepted into the program. +To be considered for the MVI program, your organization must meet all the following requirements: + +1. Your commercially available security solution must provide real-time protection that detects, prevents, and remediates malicious software. +2. Your organization is responsible for both developing and distributing updates to end-customers that address compatibility with Windows. +3. Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences, membership in industry organizations, or being reviewed in industry-standard reports such as AV-Comparatives, OPSWAT, or Gartner. +4. Your organization must sign a non-disclosure agreement (NDA) with Microsoft. +5. Your organization must sign a program license agreement. +6. Your organization must be active in the program and meet all program requirements. +7. Your security solution must meet all program requirements, which requires use of [Azure Code Signing](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-code-signing-democratizing-trust-for-developers-and/ba-p/3604669). +8. Your security solution must have been certified within the last 12 months through independent testing by at least one of the organizations listed below. Yearly certification must be maintained. + +\|Test Provider\|Lab Test Type\|Minimum Level / Score\| +\|-\|\|-\| +\|[AV-Comparatives](https://www.av-comparatives.org/testmethod/real-world-protection-tests/) \| Real-World Protection Test. \| Approved rating\| +\|[AV-Test](https://www.av-test.org/en/about-the-institute/certification/) \| Must pass tests for Windows. Certifications for Mac and Linux aren't accepted.\| ΓÇó AV-TEST Certified (home) <br> ΓÇó AV-TEST Approved (corporate) \| +\|[SKD Labs](http://www.skdlabs.com/) \| Certification Requirements Product: Anti-virus or Antimalware. \| Score >= 98.5% with On Demand, On Access and Total Detection tests \| +\|[VB 100](https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1/) \| VB100 Certification Test V1.1 \| VB100 Certification \| +\|[West Coast Labs](https://www.westcoastlabs.com/checkmark) \| Checkmark Certified \| Product validated minimum of grade A\| +\|[SE Labs](https://selabs.uk/en/reports/consumers/) \| Protection, Small Business, or Enterprise EP Protection Test. \| ΓÇó Protection A rating <br> ΓÇó Small Business EP A rating <br>ΓÇó Enterprise EP Protection A rating \| ++ +## Apply now + +If your organization meets these criteria and is interested in joining, [apply for membership now](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbRxusDUkejalGp0OAgRTWC7BUQVRYUEVMNlFZUjFaUDY2T1U1UDVVU1NKVi4u). Applications are reviewed monthly.
security	Cybersecurity Industry Partners	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/cybersecurity-industry-partners.md	- Title: Industry collaboration programs- -description: There are various collaborative programs regarding Microsoft industry-wide anti-malware - Microsoft Virus Initiative (MVI), and Coordinated Malware Eradication (CME) -keywords: security, malware, antivirus industry, anti-malware Industry, collaboration programs, alliances, Microsoft Virus Initiative, Coordinated Malware Eradication, WDSI, MMPC, Microsoft Malware Protection Center, partnerships -- -ms.sitesec: library ------ m365-security-- tier2- Previously updated : 03/18/2022-- -# Industry collaboration programs - -There are various industry-wide collaboration programs with different objectives and requirements, provided by Microsoft. Enrolling in the right program can help you protect your customers, gain more insight into the current threat landscape, or help disrupting the malware ecosystem. - -## Microsoft Virus Initiative (MVI) - -MVI is open to organizations who build and own a Real Time Protection (RTP) anti-malware product of their own design, or one developed using a third-party Antivirus SDK. - -Members get access to the [Microsoft Defender XDR APIs](../defender/api-overview.md) for the Microsoft Defender portal, IOfficeAntivirus (IOAV), AntiMalware Scan Interface (AMSI), and Cloud Files, along with health data and other telemetry to help customers stay protected. Anti-malware products are submitted to Microsoft for performance testing regularly. - -Go to the [MVI program page](virus-initiative-criteria.md) for more information. - -## Coordinated Malware Eradication (CME) - -CME is open to organizations who are involved in cybersecurity and anti-malware or interested in fighting cybercrime. - -The program aims to bring organizations in cybersecurity and other industries together to pool tools, information, and actions to drive coordinated campaigns against malware. The ultimate goal is to create efficient and long-lasting results for better protection of our communities, customers, and businesses. - -Go to the [CME program page](coordinated-malware-eradication.md) for more information.
security	Preset Security Policies	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md	The differences in meaningful policy settings in the Standard preset security po \|  Spam detection action (_SpamAction_)\|Move message to Junk Email folder (`MoveToJmf`)\|Quarantine message (`Quarantine`)\| \|Anti-phishing policy\|\|\| \|  If the message is detected as spoof by spoof intelligence (_AuthenticationFailAction_)\|Move message to Junk Email folder (`MoveToJmf`)\|Quarantine message (`Quarantine`)\| -\|Show first contact safety tip (_EnableFirstContactSafetyTips_)\|Selected (`$true`)\|Not selected (`$false`)\| +\|Show first contact safety tip (_EnableFirstContactSafetyTips_)\|Selected (`$true`)\|Selected (`$true`)\| \|  If mailbox intelligence detects an impersonated user (_MailboxIntelligenceProtectionAction_)\|Move message to Junk Email folder (`MoveToJmf`)\|Quarantine message (`Quarantine`)\| \|  Phishing email threshold (_PhishThresholdLevel_)\|3 - More aggressive (`3`)\|4 - Most aggressive (`4`)\| \|Safe Attachments policy\|No difference\|No difference\|
security	Submissions Report Messages Files To Microsoft	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-report-messages-files-to-microsoft.md	User reported messages are also available to admins in the following locations i In Defender for Office 365 Plan 2, admins can also submit messages from the [Email entity page](mdo-email-entity-page.md#actions-you-can-take-on-the-email-entity-page) and from [Alerts](../defender/investigate-alerts.md) in the Defender portal. -Admins can use the sample submission portal at <https://www.microsoft.com/wdsi/filesubmission> to submit other suspected files to Microsoft for analysis. For more information, see [Submit files for analysis](../intelligence/submission-guide.md). +Admins can use the sample submission portal at <https://www.microsoft.com/wdsi/filesubmission> to submit other suspected files to Microsoft for analysis. For more information, see [Submit files for analysis](../defender/submission-guide.md). > [!TIP] > In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), admins can submit messages to Microsoft for analysis. The messages are analyzed for email authentication and policy checks only. Payload reputation, detonation, and grader analysis aren't done for compliance reasons (data isn't allowed to leave the organization boundary). If you report a message, URL, or email attachment to Microsoft from one of these organizations, you get the following message in the result details:
syntex	Esignature Overview	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-overview.md	Title: Overview of Microsoft SharePoint eSignature + Title: Overview of SharePoint eSignature - enabler-strategic - m365initiative-syntex ms.localizationpriority: medium -description: Learn about Microsoft SharePoint eSignature and how to send electronic signature requests to people inside and outside of your organization. +description: Learn about SharePoint eSignature and how to send electronic signature requests to people inside and outside of your organization. -# Overview of Microsoft SharePoint eSignature +# Overview of SharePoint eSignature > [!NOTE] > Through June 2024, you can try out eSignature and other selected Syntex services at no cost if you have [pay-as-you-go billing](syntex-azure-billing.md) set up. For information and limitations, see [Try out Microsoft Syntex and explore its services](promo-syntex.md).
syntex	Esignature Review Sign Requests	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-review-sign-requests.md	Title: Review and sign a signature request using Microsoft SharePoint eSignature + Title: Review and sign a signature request using SharePoint eSignature - enabler-strategic - m365initiative-syntex ms.localizationpriority: medium -description: Learn how to review and sign electronic signature requests using Microsoft SharePoint eSignature. +description: Learn how to review and sign electronic signature requests using SharePoint eSignature. -# Review and sign a signature request using Microsoft SharePoint eSignature +# Review and sign a signature request using SharePoint eSignature When a signature request is created, an email notification is sent to the recipients. The notification contains details of the request, including all recipients who are required to sign, and any signing instructions. A recipient doesn't need to have a SharePoint license or a Microsoft account to sign the request.
syntex	Esignature Send Requests	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-send-requests.md	Title: Create a signature request using Microsoft SharePoint eSignature + Title: Create a signature request using SharePoint eSignature - enabler-strategic - m365initiative-syntex ms.localizationpriority: medium -description: Learn how to use Microsoft SharePoint eSignature to create and send electronic signature requests to people inside and outside of your organization. +description: Learn how to use SharePoint eSignature to create and send electronic signature requests to people inside and outside of your organization. -# Create a signature request using Microsoft SharePoint eSignature +# Create a signature request using SharePoint eSignature ## Create a signature request
syntex	Esignature Setup	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-setup.md	Title: Set up Microsoft SharePoint eSignature + Title: Set up SharePoint eSignature - enabler-strategic - m365initiative-syntex ms.localizationpriority: medium -description: Learn how to set up and manage sites in Microsoft SharePoint eSignature. +description: Learn how to set up and manage sites in SharePoint eSignature. -# Set up Microsoft SharePoint eSignature +# Set up SharePoint eSignature > [!NOTE] -> Microsoft SharePoint eSignature is currently rolling out to the US market. If a tenant's location is the United States, SharePoint eSignature will be available for that tenant. For US-located, multi-geo enabled tenants, eSignature will be available in the home geo only. SharePoint eSignature will roll out to other regions in 2024. +> SharePoint eSignature is currently rolling out to the US market. If a tenant's location is the United States, SharePoint eSignature will be available for that tenant. For US-located, multi-geo enabled tenants, eSignature will be available in the home geo only. SharePoint eSignature will roll out to other regions later this year. -The SharePoint eSignature service is set up in the Microsoft 365 admin center. SharePoint eSignature uses simple electronic signatures. Before you begin, determine whether this feature is appropriate for your needs and then read the [Microsoft SharePoint eSignature terms of service](/legal/microsoft-365/esignature-terms-of-service). +The SharePoint eSignature service is set up in the Microsoft 365 admin center. SharePoint eSignature uses simple electronic signatures. Before you begin, determine whether this feature is appropriate for your needs and then read the [SharePoint eSignature terms of service](/legal/microsoft-365/esignature-terms-of-service). ## Prerequisites
syntex	Esignature Troubleshoot	https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-troubleshoot.md	Title: Troubleshoot a signature request for Microsoft SharePoint eSignature + Title: Troubleshoot a signature request for SharePoint eSignature - enabler-strategic - m365initiative-syntex ms.localizationpriority: medium -description: Learn how to troubleshoot issues with sending, receiving, or viewing requests in Microsoft SharePoint eSignature. +description: Learn how to troubleshoot issues with sending, receiving, or viewing requests in SharePoint eSignature. -# Troubleshoot a signature request for Microsoft SharePoint eSignature +# Troubleshoot a signature request for SharePoint eSignature ## Unable to create a request If you aren't able to create a signature request, check the PDF viewer settings, ### Default program for PDF viewing -The PDF viewer is opened by selecting a PDF file from SharePoint Online. The ability to use the Get signatures option won't be available if the PDF is viewed in any other way, for example, in Microsoft Edge or Adobe Reader. +The PDF viewer is opened by selecting a PDF file from a SharePoint library. The ability to use the Get signatures option won't be available if the PDF is viewed in any other way, for example, in Microsoft Edge or Adobe Reader. ### Collaboration settings SharePoint eSignature is an extension of SharePoint document storage and managem ### Conditional access policies -Certain [conditional access](/entra/identity/conditional-access/overview) policies might determine whether an external recipient (signers outside of your organization or Microsoft 365 tenant) will be able sign a document. When this happens, the external signers might not be able to access the document for signing. In some other cases, they might be able to access the document for signing but the signing operation will be unsuccessful. One common way to resolve this is to contact your IT admin who will be able to add the eSignature app to the list of approved apps via the Microsoft Entra admin center. +Certain [conditional access](/entra/identity/conditional-access/overview) policies might determine whether an external recipient (signers outside of your organization or Microsoft 365 tenant) is able sign a document. When this happens, the external signers might not be able to access the document for signing. In some other cases, they might be able to access the document for signing but the signing operation is unsuccessful. One common way to resolve this is to contact your IT admin who will be able to add the eSignature app to the list of approved apps via the Microsoft Entra admin center. -## Unable to find the request emails -If you were sent an eSignature request and cannot find it in your email inbox, you should check your spam or junk folder. It is also good practice to mark the sender as non-spam so that future emails from the same sender go directly into your inbox. +## Unable to find the request emails +If you were sent an eSignature request and can't find it in your email inbox, you should check your spam or junk folder. It's also good practice to mark the sender as non-spam so that future emails from the same sender go directly into your inbox. ## Unable to sign a document as an external recipient When you receive a document for signing from someone outside of your organizatio ## Unable to access a signed document -Before a signature request is sent and at the completion of the request, certain checks are done to ensure that the sender has the permissions to write to the document and the originating folder because the final signed document is saved in this folder. If the sender loses access to this folder at any point before signing is complete, they might not be able to access the signed document permanently. In this scenario, the sender will be provided temporary access of 30 days to the signed document through the completion email. To access the folder and document, the sender should ensure that they have read permission to the originating folder or request access from the owner. +Before a signature request is sent and at the completion of the request, certain checks are done to ensure that the sender has the permissions to write to the document and the originating folder because the final signed document is saved in this folder. If the sender loses access to this folder at any point before signing is complete, they might not be able to access the signed document permanently. In this scenario, the sender is provided temporary access of 30 days to the signed document through the completion email. To access the folder and document, the sender should ensure that they have read permission to the originating folder or request access from the owner. Additionally, the eSignature service might not be able to save a copy of the signed document to the originating folder if the folder was accidentally deleted before the signature request was completed.