Updates from: 03/01/2023 02:32:10
Category Microsoft Docs article Related commit history on GitHub Change details
admin Servicenow Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/servicenow-incidents.md
Here are how the properties on the Microsoft service health incident will map to
| Resolution note | The Microsoft service health incident was resolved on <date_time>. Please refer to the incident details in the Microsoft 365 Support tab for more information. | - To have the app automatically create ServiceNow incidents, you will need to configure the **Assignment group** and **Category**. The **Assigned to** and **Subcategory** are not required but can be configured for improved routing and reporting.
-*This documentation was made with AI assistance.*
+*This documentation was made with AI assistance.*
compliance Apply Retention Labels Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
f1.keywords:
Previously updated : 02/18/2023 Last updated : 02/28/2023 audience: Admin
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
Use the following table to help you identify the differences in behavior for the
|Assign a Rights Management owner for emails sent from another organization |No |Yes| |For emails, replace existing label that has same or lower priority |No |Yes (configurable)|
-\* Auto-labeling isn't currently available in all regions because of a backend Azure dependency. If your tenant can't support this functionality, the **Auto-labeling** tab isn't visible in the Microsoft Purview compliance portal. For more information, see [Azure dependency availability by country](/troubleshoot/azure/general/dependency-availability-by-country).
+\* Auto-labeling isn't currently available in all regions because of a backend Azure dependency. If your tenant can't support this functionality, the **Auto-labeling** page isn't visible in the Microsoft Purview compliance portal. For more information, see [Azure dependency availability by country](/troubleshoot/azure/general/dependency-availability-by-country).
## How multiple conditions are evaluated when they apply to more than one label
Finally, you can use simulation mode to provide an approximation of the time nee
### Creating an auto-labeling policy
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a>, navigate to sensitivity labels:
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a>, navigate to **Solutions** > **Information protection** > **Auto-labeling**:
- - **Solutions** > **Information protection**
-
- If you don't immediately see this option, first select **Show all**.
-
-2. Select the **Auto-labeling** tab:
-
- ![Auto-labeling tab.](../media/auto-labeling-tab.png)
+ ![Auto-labeling page.](../media/auto-labeling-tab.png)
> [!NOTE]
- > If you don't see the **Auto-labeling** tab, this functionality isn't currently available in your region because of a backend Azure dependency. For more information, see [Azure dependency availability by country](/troubleshoot/azure/general/dependency-availability-by-country).
+ > If you don't see the **Auto-labeling** option, this functionality isn't currently available in your region because of a backend Azure dependency. For more information, see [Azure dependency availability by country](/troubleshoot/azure/general/dependency-availability-by-country).
-3. Select **+ Create auto-labeling policy**. This starts the New policy configuration:
+2. Select **+ Create auto-labeling policy**. This starts the New policy configuration:
![New policy configuration for auto-labeling.](../media/auto-labeling-wizard.png)
-4. For the page **Choose info you want this label applied to**: Select one of the templates, such as **Financial** or **Privacy**. You can refine your search by using the **Show options for** dropdown. Or, select **Custom policy** if the templates don't meet your requirements. Select **Next**.
+3. For the page **Choose info you want this label applied to**: Select one of the templates, such as **Financial** or **Privacy**. You can refine your search by using the **Show options for** dropdown. Or, select **Custom policy** if the templates don't meet your requirements. Select **Next**.
-5. For the page **Name your auto-labeling policy**: Provide a unique name, and optionally a description to help identify the automatically applied label, locations, and conditions that identify the content to label.
+4. For the page **Name your auto-labeling policy**: Provide a unique name, and optionally a description to help identify the automatically applied label, locations, and conditions that identify the content to label.
-6. For the page **Assign admin units**: This configuration is currently in preview. If your organization is using [administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units), an auto-labeling policy for just Exchange can be automatically restricted to specific users by selecting administrative units. If your account has been [assigned administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview), you must select one or more administrative units.
+5. For the page **Assign admin units**: This configuration is currently in preview. If your organization is using [administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units), an auto-labeling policy for just Exchange can be automatically restricted to specific users by selecting administrative units. If your account has been [assigned administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview), you must select one or more administrative units.
If you don't want to restrict the policy by using administrative units, or your organization hasn't configured administrative units, keep the default of **Full directory**.
-7. For the page **Choose locations where you want to apply the label**: Select and specify locations for Exchange, SharePoint, and OneDrive. If you don't want to keep the default of **All** included for your chosen locations, select the link to choose specific instances to include, or select the link to choose specific instances to exclude. Then select **Next**.
-
+6. For the page **Choose locations where you want to apply the label**: Select and specify locations for Exchange, SharePoint, and OneDrive. If you don't want to keep the default of **All** included for your chosen locations, select the link to choose specific instances to include, or select the link to choose specific instances to exclude. Then select **Next**.
+
![Choose locations page for auto-labeling configuration.](../media/locations-auto-labeling-wizard.png) > [!NOTE]
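Review bot: the new step 1 drops the hint "If you don't immediately see this option, first select **Show all**" without a replacement, so an admin whose navigation pane hides **Information protection** has no guidance left; consider keeping that sentence under the new step 1. The new step 1 also ends in a colon that now introduces only the image. The alt text reads "Auto-labeling page" while the file is still `auto-labeling-tab.png`, and the NOTE says "**Auto-labeling** option" where the footnote earlier in this file says "**Auto-labeling** page"; pick one term and use it in both places.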
Finally, you can use simulation mode to provide an approximation of the time nee
- For OneDrive accounts, see [Get a list of all user OneDrive URLs in your organization](/onedrive/list-onedrive-urls) to help you specify individual OneDrive accounts to include or exclude.
-8. For the **Set up common or advanced rules** page: Keep the default of **Common rules** to define rules that identify content to label across all your selected locations. If you need different rules per location, including more options for Exchange, select **Advanced rules**. Then select **Next**.
-
+7. For the **Set up common or advanced rules** page: Keep the default of **Common rules** to define rules that identify content to label across all your selected locations. If you need different rules per location, including more options for Exchange, select **Advanced rules**. Then select **Next**.
+
The rules use conditions that include [sensitive information types](sensitive-information-type-learn-about.md), [trainable classifiers](classifier-learn-about.md), and sharing options: - To select a sensitive information type or trainable classifier as a condition, under **Content contains**, select **Add**, and then choose **Sensitive info types** or **Trainable classifiers**. - To select sharing options as a condition, under **Content is shared**, choose either **only with people inside my organization** or **with people outside my organization**.-
+
If your location is **Exchange** and you selected **Advanced rules**, there are other conditions that you can select: - Sender IP address is - Recipient domain is
Finally, you can use simulation mode to provide an approximation of the time nee
- Sender domain is - Recipient is a member of - Sender is-
+
For each of these conditions, you can then specify exceptions.-
-9. Depending on your previous choices, you'll now have an opportunity to create new rules by using conditions and exceptions.
-
+
+8. Depending on your previous choices, you'll now have an opportunity to create new rules by using conditions and exceptions.
+
The configuration options for sensitive information types are the same as those you select for auto-labeling for Office apps. If you need more information, see [Configuring sensitive info types for a label](#configuring-sensitive-info-types-for-a-label).-
+
When you've defined all the rules you need, and confirmed their status is on, select **Next** to move on to choosing a label to auto-apply.
-10. For the **Choose a label to auto-apply** page: Select **+ Choose a label**, select a label from the **Choose a sensitivity label** pane, and then select **Next**.
+9. For the **Choose a label to auto-apply** page: Select **+ Choose a label**, select a label from the **Choose a sensitivity label** pane, and then select **Next**.
-11. If your policy includes the Exchange location: Specify optional configurations on the **Additional settings for email** page:
+10. If your policy includes the Exchange location: Specify optional configurations on the **Additional settings for email** page:
- **Automatically replace existing labels that have the same or lower priority**: Applicable for both incoming and outgoing emails, when you select this setting, it ensures a matching sensitivity label will always be applied. If you don't select this setting, a matching sensitivity label won't be applied to emails that have an existing sensitivity label with a [higher priority](sensitivity-labels.md#label-priority-order-matters) or that were manually labeled.
Finally, you can use simulation mode to provide an approximation of the time nee
For **Assign a Rights Management owner**, specify a single user by an email address that's owned by your organization. Don't specify a mail contact, a shared mailbox, or any group type, because these aren't supported for this role.
-12. For the **Decide if you want to test out the policy now or later** page: Select **Run policy in simulation mode** if you're ready to run the auto-labeling policy now, in simulation mode. Then decide whether to automatically turn on the policy if it's not edited for 7 days:
+11. For the **Decide if you want to test out the policy now or later** page: Select **Run policy in simulation mode** if you're ready to run the auto-labeling policy now, in simulation mode. Then decide whether to automatically turn on the policy if it's not edited for 7 days:
![Test out the configured auto-labeling policy.](../media/simulation-mode-auto-labeling-wizard.png) If you're not ready to run simulation, select **Leave policy turned off**.
-13. For the **Summary** page: Review the configuration of your auto-labeling policy and make any changes that needed, and complete the configuration.
+12. For the **Summary** page: Review the configuration of your auto-labeling policy and make any changes that needed, and complete the configuration.
Now on the **Information protection** > **Auto-labeling** page, you see your auto-labeling policy in the **Simulation** or **Off** section, depending on whether you chose to run it in simulation mode or not. Select your policy to see the details of the configuration and status (for example, **Policy simulation is still running**). For policies in simulation mode, select the **Matched items** tab to see which emails or documents matched the rules that you specified.
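Review bot: the renumbered step 12 carries over the grammar slip "make any changes that needed"; since the line is being touched anyway, change it to "make any changes that are needed". The step also joins three actions with "and ... and"; "Review the configuration, make any changes that are needed, and complete the configuration" reads more cleanly.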
compliance Audit Log Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-retention-policies.md
Audit (Premium) in Microsoft 365 provides a default audit log retention policy f
- To retain an audit log for longer than 90 days (and up to 1 year), the user who generates the audit log (by performing an audited activity) must be assigned an Office 365 E5 or Microsoft 365 E5 license or have a Microsoft 365 E5 Compliance or E5 eDiscovery and Audit add-on license. To retain audit logs for 10 years, the user who generates the audit log must also be assigned a 10-year audit log retention add-on license in addition to an E5 license. >[!NOTE]
- >If the user generating the audit log doesn't meet these licensing requirements,data is retained according to the highest priority retention policy. This may be either the default retention policy for the user's license or the highest priority policy that matches the user and its record type.
+ >If the user generating the audit log doesn't meet these licensing requirements, data is retained according to the highest priority retention policy. This may be either the default retention policy for the user's license or the highest priority policy that matches the user and its record type.
- All custom audit log retention policies (created by your organization) take priority over the default retention policy. For example, if you create an audit log retention policy for Exchange mailbox activity that has a retention period that's shorter than one year, audit records for Exchange mailbox activities will be retained for the shorter duration specified by the custom policy.
compliance Dlp Alerts Dashboard Learn https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-alerts-dashboard-learn.md
f1.keywords:
Previously updated : 10/12/2020 Last updated : 02/28/2023 audience: ITPro f1_keywords:
Here are some of the events associated with an alert. In the UI, you can choose
|user overrode policy |did the user override the policy via a policy tip | all events| |use override justification |the text of the reason provided by the user for the override | all events|
+## Investigate DLP incidents in Microsoft 365 Defender portal
+
+Incidents for Microsoft Purview Data Loss Prevention (DLP) can be managed in the Microsoft 365 Defender portal. See, [Investigate data loss incidents with Microsoft 365 Defender](../security/defender/investigate-dlp.md) for details. You can manage DLP incidents along with security incidents from **Incidents & alerts** > **Incidents** on the quick launch of the Microsoft 365 Defender portal.
+
+From this page, you can:
+
+- View all your DLP alerts grouped under incidents in the Microsoft 365 Defender incident queue.
+- View intelligent inter-solution (DLP-MDE, DLP-MDO) and intra-solution (DLP-DLP) correlated alerts under a single incident.
+- Hunt for compliance logs along with security under Advanced Hunting.
+- In-place admin remediation actions on user, file, and device.
+- Associate custom tags to DLP incidents and filter by them.
+- Filter by DLP policy name, tag, Date, service source, incident status, and user on the unified incident queue.
+ ## See Also - [Get started with the data loss prevention alert dashboard](dlp-alerts-dashboard-get-started.md)
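Review bot: the new section lists what can be done from the Microsoft 365 Defender incident queue but does not say which role or permission an admin needs to see DLP incidents there; add a sentence or a link for that, since DLP alerts expose matched sensitive content. Wording points in the added lines: "See, [Investigate data loss incidents ..." has a stray comma after "See"; the bullet "In-place admin remediation actions on user, file, and device." is a noun phrase while the other bullets start with a verb (for example "Take in-place admin remediation actions ..."); and "Date" is capitalized in the filter list while the other filter names are not.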
compliance Dlp Powerbi Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-powerbi-get-started.md
search.appverid: - MET150
-description: "Prepare for and deploy DLP to PowerBI locations, to help organizations detect and protect their sensitive data."
+description: "Prepare for and deploy DLP to Power BI locations, to help organizations detect and protect their sensitive data."
# Get started with Data loss prevention policies for Power BI (preview)
-To help organizations detect and protect their sensitive data, [Microsoft Purview data loss prevention (DLP) polices](/microsoft-365/compliance/dlp-learn-about-dlp) support Power BI. When a PowerBI data set matches the criteria in a DLP policy, an alert that explains the nature of the sensitive content can be triggered. This alert is also registered in the data loss prevention **Alerts** tab in the Microsoft compliance portal for monitoring and management by administrators. In addition, email alerts can be sent to administrators and specified users.
+To help organizations detect and protect their sensitive data, [Microsoft Purview Data Loss Prevention (DLP) polices](/microsoft-365/compliance/dlp-learn-about-dlp) support Power BI. When a Power BI data set matches the criteria in a DLP policy, an alert that explains the nature of the sensitive content can be triggered. This alert is also registered in the data loss prevention **Alerts** tab in the Microsoft compliance portal for monitoring and management by administrators. In addition, email alerts can be sent to administrators and specified users.
[!INCLUDE [purview-preview](../includes/purview-preview.md)] ## Considerations and limitations - DLP policies apply to workspaces. Only workspaces hosted in Premium Gen2 capacities are supported. For more information, see [What is Power BI Premium Gen2?](/power-bi/enterprise/service-premium-gen2-what-is).-- DLP dataset evaluation workloads impact capacity. Metering for DLP evaluation workloads is not supported.-- Both classic and new experience workspaces are supported, as long as they are hosted in Premium Gen2 capacities.-- You must create a custom DLP custom policy for Power BI. DLP templates are not supported.-- DLP polices that are applied to the DLP location support sensitivity labels and sensitive information types as conditions. -- DLP policies for Power BI are not supported for sample datasets, [streaming datasets](/power-bi/connect-data/service-real-time-streaming), or datasets that connect to their data source via [DirectQuery](/power-bi/connect-data/desktop-use-directquery) or [live connection](/power-bi/connect-data/desktop-directquery-about#live-connections).-- DLP policies for Power BI are not supported in sovereign clouds.
+- DLP dataset evaluation workloads impact capacity. Metering for DLP evaluation workloads isn't supported.
+- Both classic and new experience workspaces are supported, as long as they're hosted in Premium Gen2 capacities.
+- You must create a custom DLP custom policy for Power BI. DLP templates aren't supported.
+- DLP policies that are applied to the DLP location support sensitivity labels and sensitive information types as conditions.
+- DLP policies for Power BI aren't supported for sample datasets, [streaming datasets](/power-bi/connect-data/service-real-time-streaming), or datasets that connect to their data source via [DirectQuery](/power-bi/connect-data/desktop-use-directquery) or [live connection](/power-bi/connect-data/desktop-directquery-about#live-connections).
+- DLP policies for Power BI aren't supported in sovereign clouds.
## Licensing and permissions
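Review bot: the rewritten intro paragraph still says "Microsoft Purview Data Loss Prevention (DLP) polices" although the same change corrects "polices" to "policies" in the bullet list, so fix it in the intro as well. The re-added bullet "You must create a custom DLP custom policy for Power BI" keeps the duplicated word "custom"; "You must create a custom DLP policy for Power BI" is what is meant. The intro also refers to the "Microsoft compliance portal" while the rest of the change uses "compliance portal" or "Microsoft Purview compliance portal".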
Data from DLP for Power BI can be viewed in [Activity explorer](/microsoft-365/c
You define a DLP policy in the data loss prevention section of the compliance portal. See, [Design a data loss prevention policy](dlp-policy-design.md#design-a-data-loss-prevention-policy). In the policy, you specify sensitivity label(s) you want to detect. You also specify the action(s) that will happen when the policy detects a dataset that has a specified sensitivity label applied. DLP policies support two actions for Power BI: - User notification via policy tips.-- Alerts. Alerts can be sent by email to administrators and users. Additionally, administrators can monitor and manage alerts on the **Alerts** tab in the compliance center.
+- Alerts. Alerts can be sent by email to administrators and users. Additionally, administrators can monitor and manage alerts on the **Alerts** tab in the compliance portal.
When a dataset is evaluated by DLP and matches the conditions in a DLP policy, the actions defined in the policy are applied. A dataset is evaluated occurs when a dataset is:
When a dataset matches a DLP policy:
>[!NOTE] > If you hide the policy tip, it doesnΓÇÖt get deleted. It will appear the next time you visit the page. -- If alerts are enabled in the policy, an alert will be recorded on the dlp **Alerts** tab in the compliance center, and (if configured) an email will be sent to administrators and/or specified users. The following image shows the **Alerts** tab in the data loss prevention section of the Microsoft Purview compliance portal.-
- ![Screenshot of Alerts tab in the compliance center.](../media/dlp-power-bi-alerts-tab.png)
+- If alerts are enabled in the policy, an alert will be recorded on the dlp **Alerts** tab in the compliance portal, and (if configured) an email will be sent to administrators and/or specified users. The following image shows the **Alerts** tab in the data loss prevention section of the Microsoft Purview compliance portal.
## Configure a DLP policy for Power BI
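Review bot: the added bullet still ends with "The following image shows the **Alerts** tab in the data loss prevention section of the Microsoft Purview compliance portal." but this hunk deletes the `![Screenshot of Alerts tab in the compliance center.]` line, so the sentence now points at an image that is no longer there. Either restore an updated screenshot or drop that sentence. "dlp **Alerts** tab" should also be "DLP **Alerts** tab" to match the rest of the article.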
Follow the procedures in [Create and Deploy data loss prevention policies](dlp-c
> [!IMPORTANT] > When you select the locations for your DLP policy for Power BI, select only the Power BI location. Do not select any other locations, this configuration is not supported.
-<!--1. Log into the [Microsoft Purview compliance portal](https://compliance.microsoft.com).
-
-1. Choose the **Data loss prevention** solution in the navigation pane, select the **Policies** tab, choose **Create policy**.
-
- ![Screenshot of D L P create policy page.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-create.png)
-
-1. Choose the **Custom** category and then the **Custom policy** template.
-
- >[!NOTE]
- >No other categories or templates are currently supported.
-
- ![Screenshot of D L P choose custom policy page.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-choose-custom.png)
-
- When done, click **Next**.
-
-1. Name the policy and provide a meaningful description.
-
- ![Screenshot of D L P policy name description section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-name-description.png)
-
- When done, click **Next**.
-
-1. Enable Power BI as a location for the DLP policy. **Disable all other locations**. Currently, DLP policies for Power BI must specify Power BI as the sole location.
-
- ![Screenshot of D L P choose location page.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-choose-location.png)
-
- By default the policy will apply to all workspaces. Alternatively, you can specify particular workspaces to include in the policy as well as workspaces to exclude from the policy.
- >[!NOTE]
- > DLP actions are supported only for workspaces hosted in Premium Gen2 capacities.
-
- If you select **Choose workspaces** or **Exclude workspaces**, a dialog will allow you to create a list of included (or excluded) workspaces. You must specify workspaces by workspace object ID. Click the info icon for information about how to find workspace object IDs.
-
- ![Screenshot of D L P choose workspaces dialog.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-choose-workspaces.png)
-
- After enabling Power BI as a DLP location for the policy and choosing which workspaces the policy will apply to, click **Next**.
-
-1. The **Define policy settings** page appears. Choose **Create or customize advanced DLP rules** to begin defining your policy.
-
- ![Screenshot of D L P create advanced rule page.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-create-advanced-rule.png)
-
- When done, click **Next**.
-
-1. On the **Customize advanced DLP rules** page, you can either start creating a new rule or choose an existing rule to edit. Click **Create rule**.
-
- ![Screenshot of D L P create rule page.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-create-rule.png)
--
-1. The **Create rule** page appears. On the create rule page, provide a name and description for the rule, and then configure the other sections, which are described following the image below.
-
- ![Screenshot of D L P create rule form.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-create-rule-form.png)
-
-### Conditions
-
-In the condition section, you define the conditions under which the policy will apply to a dataset. Conditions are created in groups. Groups make it possible to construct complex conditions.
-
-1. Open the conditions section, choose **Add condition** and then **Content contains**.
-
- ![Screenshot of D L P add conditions content contains section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-add-conditions-content-contains.png)
-
- This opens the first group (named Default ΓÇô you can change this).
-
-1. Choose **Add**, and then **Sensitivity labels**.
-
- >[!NOTE]
- > Sensitive info types are currently not supported.
-
- ![Screenshot of D L P add conditions section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-add-conditions.png)
-
- When you choose **Sensitivity labels**, you will be able to choose a particular sensitivity label from a list that will appear.
-
- You can add additional sensitivity labels to the group. To the right of the group name, you can specify **Any of these** or **All of these**. This determines whether matches on all or any of the labels is required for the condition to hold. Make sure **Any of these** is selected, since datasets canΓÇÖt have more than one label applied.
-
- The image below shows a group (Default) that contains two sensitivity label conditions. The logic Any of these means that a match on any one of the sensitivity labels in the group constitutes ΓÇ£trueΓÇ¥ for that group.
-
- ![Screenshot of D L P conditions group section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-condition-group.png)
-
- You can create more than one group, and you can control the logic between the groups with **AND** or **OR** logic.
-
- The image below shows a rule containing two groups, joined by **OR** logic.
-
- ![Screenshot of rule with two groups.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-content-contains.png)
-
-### Exceptions
-
-If the sensitivity label of the dataset matches any of the defined exceptions, the rule wonΓÇÖt be applied to the dataset.
-
-Exceptions are configured in the same way as conditions, described above.
-
-![Screenshot of D L P exceptions section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-exceptions-section.png)
-
-### Actions
-
-Protection actions are currently unavailable for Power BI DLP policies.
-
-![Screenshot of D L P policy actions section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-actions-section.png)
--
-### User notifications
-
-The user notifications section is where you configure your policy tip. Turn on the toggle, select the **Notify users in Office 365 service with a policy tip** and **Policy tips** checkboxes, and write your policy tip in the text box.
-
-![Screenshot of D L P user notification section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-user-notification.png)
-
-### User overrides
-
-User overrides are currently unavailable for Power BI DLP policies.
-
-![Screenshot of D L P user overrides section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-user-overrides-section.png)
-
-### Incident reports
-
-Assign a severity level that will be shown in alerts generated from this policy. Enable (default) or disable email notification to admins, specify users or groups for email notification, and configure the details about when notification will occur.
-
-![Screenshot of D L P incident report section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-incidence-report.png)
-
-### Additional options
-
-![Screenshot of D L P additional options section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-additional-options.png)
-
-## Monitor and manage policy alerts
-
-Log into the Microsoft Purview compliance portal and navigate to **Data loss prevention > Alerts**.
-
-![Screenshot of D L P Alerts tab.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-alerts-tab.png)
-
-Click on an alert to start drilling down to its details and to see management options.
> ## Next steps - [Learn about data loss prevention](/microsoft-365/compliance/dlp-learn-about-dlp)
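Review bot: the deletion starts at the comment opener in `<!--1. Log into the [Microsoft Purview compliance portal]` but none of the removed lines shown contains the matching `-->`. Confirm that the terminator is removed in the same change; a leftover `-->` would render as literal text in front of the "Next steps" heading. Removing the commented-out procedure itself is reasonable, since it stated "Sensitive info types are currently not supported", which conflicts with the current Considerations list.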
compliance Get Started With The Default Dlp Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-the-default-dlp-policy.md
This policy is named **Default DLP policy** and appears under **Data loss preven
This policy is fully customizable, the same as any DLP policy that you create yourself from scratch. You can also turn off or delete the policy, so that your users no longer receive policy tips or email notifications.
-![DLP policy named Default DLP policy.](../media/260731e8-4d57-4c98-abec-07b052ec48d5.png)
-
+
## When the widget does and does not appear The widget named **Further protect shared content** appears in the **Recommended for you** section of the **Home** page of the Microsoft Purview compliance portal.
compliance Information Barriers Attributes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-barriers-attributes.md
- tier2 - purview-compliance
+ms.localizationpriority: medium
f1.keywords: - NOCSH
The attributes listed in this article can be used to define or edit segments of
2. Make sure the user accounts have values filled in for the attribute(s) you selected in Step 1. View user account details, and if necessary, edit user accounts to include attribute values. - To edit multiple accounts (or use PowerShell to edit a single account), see [Configure user account properties with Office 365 PowerShell](../enterprise/configure-user-account-properties-with-microsoft-365-powershell.md).- - To edit a single account, see [Add or update a user's profile information using Azure Active Directory](/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal). 3. [Define segments using PowerShell](information-barriers-policies.md#define-segments-using-powershell), similar to the following examples:
compliance Information Barriers Edit Segments Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-barriers-edit-segments-policies.md
- tier2 - purview-compliance
+ms.localizationpriority: medium
f1.keywords: - NOCSH
After you have [defined information barriers (IB) policies](information-barriers
| [Remove a segment](#remove-a-segment) | Remove an information barriers segment when you no longer need a particular segment. | | [Remove a policy and a segment](#remove-a-policy-and-segment) | Remove an information barriers policy and a segment at the same time. | | [Stop a policy application](#stop-a-policy-application) | Take this action when you want to stop the process of applying information barriers policies. <br> Stopping a policy application isn't instant, and it doesn't undo policies that are already applied to users. |
+| [Enable or disable user discoverability](#enable-or-disable-user-discoverability) | Enable or disable if users are displayed in the people picker. |
| [Define policies for information barriers](information-barriers-policies.md) | Define an information barriers policy when you don't already have such policies in place, and you must restrict or limit communications between specific groups of users. | | [Troubleshooting information barriers](/office365/troubleshoot/information-barriers/information-barriers-troubleshooting) | Refer to this article when you run into unexpected issues with information barriers. |
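Review bot: in the new table row, "Enable or disable if users are displayed in the people picker" is hard to parse; "Control whether users are displayed in the people picker" or "Enable or disable the display of users in the people picker" says the same thing clearly. The row is also inserted between "Stop a policy application" and the two reference rows, so check that the new section sits in the same position in the article body.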
Use this procedure edit the definition of a user segment. For example, you might
Example: Suppose a policy was defined to block the *Research* segment from communicating with the *Sales* and *Marketing* segments. The policy was defined by using this cmdlet: `New-InformationBarrierPolicy -Name "Research-SalesMarketing" -AssignedSegment "Research" -SegmentsBlocked "Sales","Marketing"`
- Suppose we want to change it so that people in the *Research* segment can only communicate with people in the *HR* segment. To make this change, we use this cmdlet: `Set-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c93772471 -SegmentsAllowed "HR"`
+ Suppose we want to change it so that users in the *Research* segment can only communicate with users in the *HR* segment. To make this change, we use this cmdlet: `Set-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c93772471 -SegmentsAllowed "HR"`
In this example, we changed *SegmentsBlocked* to *SegmentsAllowed* and specified the *HR* segment.
After you have started applying information barriers policies, if you want to st
|:|:-| | `Stop-InformationBarrierPoliciesApplication -Identity GUID` | `Stop-InformationBarrierPoliciesApplication -Identity 46237888-12ca-42e3-a541-3fcb7b5231d1` <p> In this example, we're stopping information barriers policies from being applied. |
+## Enable or disable user discoverability
+
+> [!IMPORTANT]
+> Support for enabling or disabling search restrictions is only available when your organization isn't in *Legacy* mode. Organizations in *Legacy* mode cannot enable or disable search restrictions. Enabling or disabling search restrictions requires additional actions to change the information barriers mode for your organization. For more information, see [Use multi-segment support in information barriers)](information-barriers-multi-segment.md) for details.<br><br> Organizations in *Legacy* mode will be eligible to upgrade to the newest version of information barriers in the future. For more information, see the [information barriers roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=information%2Cbarriers)..
+
+To enable the people picker search restriction using PowerShell, complete the following steps:
+
+1. Use the **Set-PolicyConfig** cmdlet to enable the people picker restriction:
+
+```powershell
+Set-PolicyConfig -InformationBarrierPeopleSearchRestriction 'Enabled'
+```
+
+To disable the people picker search restriction using PowerShell, complete the following steps:
+
+1. Use the **Set-PolicyConfig** cmdlet to disable the people picker restriction:
+
+```powershell
+Set-PolicyConfig -InformationBarrierPeopleSearchRestriction 'Disabled'
+```
+ ## Resources - [Get an overview of information barriers](information-barriers.md)
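Review bot: In the added [!IMPORTANT] note, the link text has a stray closing parenthesis ("[Use multi-segment support in information barriers)]"), the same sentence wraps the link in both "For more information, see" and "for details", and the note ends with a double period after the roadmap link. The section heading says "user discoverability" while the body talks about "search restrictions" and the "people picker restriction", so the heading's "enable" and the cmdlet's `'Enabled'` appear to point in opposite directions; add one sentence stating what each value of `InformationBarrierPeopleSearchRestriction` does to discoverability. Both procedures announce "the following steps" but contain a single numbered step, so the numbering can be dropped.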
After you have started applying information barriers policies, if you want to st
- [Learn more about information barriers in Microsoft Teams](/MicrosoftTeams/information-barriers-in-teams) - [Learn more about information barriers in SharePoint Online](/sharepoint/information-barriers) - [Learn more about information barriers in OneDrive](/onedrive/information-barriers)
+- [Use multi-segment support in information barriers](information-barriers-multi-segment.md)
- [Attributes for IB policies](information-barriers-attributes.md) - [Troubleshooting information barriers](/office365/troubleshoot/information-barriers/information-barriers-troubleshooting)
compliance Information Barriers Multi Segment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-barriers-multi-segment.md
+
+ Title: "Use multi-segment support in information barriers"
+description: Learn how to use multi-segment support with information barriers in Microsoft Purview.
+keywords: Microsoft 365, Microsoft Purview, compliance, information barriers
+++
+audience: ITPro
+++
+- highpri
+- tier2
+- purview-compliance
+- m365solution-mip
+- m365initiative-compliance
+- highpri
+ms.localizationpriority: medium
+f1.keywords:
+- NOCSH
+++
+# Use multi-segment support in information barriers
+
+> [!IMPORTANT]
+> Support for assigning users to multiple segments is only available when your organization isn't in *Legacy* mode. To determine if your organization is in *Legacy* mode, see [Check the IB mode for your organization](#check-the-ib-mode-for-your-organization) and check the value of the `InformationBarrierMode` property. <br><br> Users are restricted to being assigned to only one segment for organizations in *Legacy* mode. Organizations in *Legacy* mode will be eligible to upgrade to the newest version of information barriers in the future. For more information, see the [information barriers roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=information%2Cbarriers).
+
+The multi-segment mode enables you to assign users in your organization to up to 10 segments in information barriers instead of being limited to just one segment. This allows support for more diverse communication rules between individuals and groups to support more complex organizational and operational scenarios. For organizations using multi-segment support, all information barriers policies must be defined with an allow list.
+
+When configured for multi-segment support, compatibility for users depending on each user's assignment to a shared segment. If users share assignment to the same segment, they are compatible. For example, the following table shows that User A and User B aren't compatible because they don't share an assigned segment. However, User A is compatible with User C and User B is compatible with User C because they each have an assigned segment in common.
+
+| **User** | **Assigned segments** |
+|:|:-|
+| User A | Segment 1, Segment 2 |
+| User B | Segment 3, Segment 4 |
+| User C | Segment 2, Segment 4 |
+||
+
+## Multi-segment example: North School District's schools, segments, and policies
+
+The North School District has two schools, School 1 and School 2. The district policy is to allow students and teachers to communicate with each other only if they are both in the same school. For example, a student and teacher that are both in School 1 can communicate, but a student in School 1 cannot communicate with a teacher in School 2. For this scenario, multiple segments are configured to support the following district policy scenarios:
+
+### North School District's schools and plan
+
+North School District's has two schools:
+
+| **Segment** | **Allowed communication** | **Prevented communication** |
+|:|:--|:-|
+| School 1 | Students and teachers in School 1 | Students and teachers in School 2 |
+| School 2 | Students and teachers in School 2 | Students and teachers in School 1 |
+|||
+
+For this structure, North School District's plan includes three IB policies:
+
+1. An IB policy designed to enable students and teachers in School 1 to communicate with each other.
+2. Another IB policy to enable students and teachers in School 2 to communicate with each other.
+3. Another IB policy designed to allow teachers in School 1 and School 2 to communicate with each other.
+
+### North School District's defined segments
+
+North School District will use the *Department* attribute in Azure Active Directory to define segments, as follows:
+
+| **Segment** | **Segment definition** |
+|:|:--|
+| School1 | `New-OrganizationSegment -Name "School1" -UserGroupFilter "Department -eq 'School1'"` |
+| School2 | `New-OrganizationSegment -Name "School2" -UserGroupFilter "Department -eq 'School2'"` |
+| AllTeachers | `New-OrganizationSegment -Name "AllTeachers" -UserGroupFilter "MemberOfGroup -eq 'AllTeachersgroup@northschoolsdistrict.com'"` |
+||
+
+With the segments defined, Contoso proceeds to define the IB policies.
+
+### North School District's IB policies
+
+North School District defines three IB policies, as described in the following table:
+
+| Policy | Policy Definition |
+|:-|:|
+| **Policy 1: Students and teachers in School 1 can communicate with each other** | `New-InformationBarrierPolicy -Name School1Policy -SegmentsAllowed 'School1' -AssignedSegment 'School1' -State Active` <p> In this example, the IB policy is called *School1Policy*. When this policy is active and applied, it will enable students and teachers in School 1 to communicate with each other. This policy is a one-way policy; it won't prevent students and teachers in School 1 from communicating with School 2. For that, Policy 2 is needed. |
+| **Policy 2: Students and teachers in School 2 can communicate with each other** | `New-InformationBarrierPolicy -Name School2Policy -SegmentsAllowed 'School2' -AssignedSegment 'School2' -State Active` <p> In this example, the IB policy is called *School2Policy*. When this policy is active and applied, it will enable students and teachers in School 2 to communicate with each other. |
+| **Policy 3: Teachers in different schools can communicate with each other** | `New-InformationBarrierPolicy -Name AllTeachersPolicy -SegmentsAllowed 'AllTeachers' -AssignedSegment 'AllTeachers' -State Active` <p> In this case, the IB policy is called *AllTeachersPolicy*. When this policy is active and applied, teachers in School 1 and School 2 can communicate with each other. |
+||
+
+With segments and policies defined, the North School District applies the policies by running the **Start-InformationBarrierPoliciesApplication** cmdlet. When the cmdlet finishes, the North School District has implemented their communication policy for students and teachers.
+
+## Check the IB mode for your organization
+
+If you want to support assigning users to multiple segments, you'll need to verify that your IB organization supports multiple segments. Run the following cmdlet to verify your IB mode:
+
+```powershell
+Get-PolicyConfig
+```
+
+If the value of the `InformationBarrierMode` property is *SingleSegment*, you can enable multi-segment support by following the guidance in the [Enable multiple segment support for users](#enable-multiple-segment-support-for-users) section in this article. If the value of the `InformationBarrierMode` property is *MultiSegment*, you can skip enabling support for multi-segment, it's already enabled for your organization.
+
+If the value of the `InformationBarrierMode` property is *Legacy*, enabling multi-segment isn't supported for your organization. *Legacy* organizations will be eligible to upgrade to the newest version of information barriers in the future. For more information, see the [information barriers roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=information%2Cbarriers)
+
+## Enable multiple segment support for users
+
+To enable multi-segment support for organizations in *SingleSegment* mode, run the following cmdlet from an [Exchange Online PowerShell session](/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps).
+
+```powershell
+Enable-ExoInformationBarrierMultiSegment
+```
+
+> [!IMPORTANT]
+> If you enable multiple segments in your organization, you cannot revert to single segment support.
+
+## Multi-segment support for users in OneDrive
+
+If your IB organization isn't in *LegacyMode* mode and you've configured OneDrive for information barriers for multi-segment support, the OneDrive user experience is as follows:
+
+- **OneDrive IB policy**: A multi-segment user's OneDrive ia automatically set to *Owner Moderated* mode by default.
+- **OneDrive site access by a multi-segment user**:
+
+ - *Explicit* or *Mixed* mode: A multi-segment user is granted access if they have at least one of the segments as that of the OneDrive and have site access permission.
+ - **All other modes**: Users have the same site access experience as with single segment support.
+
+- **OneDrive sharing by a multi-segment user**: A multi-segment user can share a OneDrive site and the included content per the IB mode configuring for OneDrive.
+
+ - *Explicit* mode: Users can share OneDrive content with other users who have same segment as the OneDrive.
+ - *Open* or *Owner moderated* mode: Users can share content with other compatible users per IB policies.
+
+For more information about managing IB for OneDrive, see [Use information barriers with OneDrive](/sharepoint/information-barriers-onedrive).
+
+## Multi-segment support for users in SharePoint Online
+
+If your IB organization isn't in *LegacyMode* mode and you've configured SharePoint for information barriers for multi-segment support, the SharePoint user experience is as follows:
+
+- **Site creation**: When a multi-segment user creates a SharePoint site (a Microsoft 365 group connected or non-group site), the site is automatically set to *Owner moderated* mode.
+- **SharePoint site access by a multi-segment user**:
+
+ - **Explicit mode**: Users are granted access if they have at least one of the segments as that of the site and have site access permission.
+ - **All other modes**: Users have the same site access experience as with single segment support.
+
+- **SharePoint site sharing by a multi-segment user**: A multi-segment user can share site and its content per IB mode of the site.
+
+ - *Explicit* mode: Can share content with users who match the segment of the site.
+ - *Implicit* or *Owner moderated* mode: Can share content with the other existing members of the Microsoft 365 group connected to the site.
+ - *Open* mode: Can share content with other users who they are compatible per IB policy.
+
+For more information about managing IB for SharePoint, see [Use information barriers with SharePoint](/sharepoint/information-barriers).
+
+## Multi-segment support for users in Microsoft Teams
+
+If your IB organization isn't in *LegacyMode* mode and you've configured Teams for information barriers for multi-segment support, the Microsoft Teams user experience is as follows:
+
+- **Team creation**: When a multi-segment user creates a team, the team is automatically set to *Implicit* mode by default.
+- **Team member addition**: All users in the team must have one segment which is compatible with all other users.
+
+For more information about managing IB for Microsoft Teams, see [Use information barriers with Microsoft Teams](/microsoftteams/information-barriers-in-teams).
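Review bot: In "North School District's defined segments", the closing sentence reads "With the segments defined, Contoso proceeds to define the IB policies", which names a different organization from the rest of the example; it should say North School District. The plan table lists "Students and teachers in School 2" as prevented communication for School 1, yet plan item 3 and *AllTeachersPolicy* allow teachers in both schools to communicate, so the table should carve teachers out; its lead-in "North School District's has two schools:" also needs fixing, and the Policy 1 remark "For that, Policy 2 is needed" does not follow from the allow policy shown in the Policy 2 row. The OneDrive, SharePoint and Teams sections say *LegacyMode* where the `InformationBarrierMode` value is given as *Legacy* everywhere else in the file. Smaller items: the front matter lists `highpri` twice, the sentence beginning "When configured for multi-segment support, compatibility for users depending on" lacks a verb, "ia automatically" and "mode configuring for OneDrive" are typos, "who they are compatible per IB policy" is missing "with", and the roadmap sentence under "Check the IB mode for your organization" has no final period.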
compliance Information Barriers Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-barriers-policies.md
- m365solution-mip - m365initiative-compliance - highpri
+ms.localizationpriority: medium
f1.keywords: - NOCSH
To learn more about roles and permissions, see [Roles and role groups in the Mic
When you configure IB, you'll work with several objects and concepts. - **User account attributes** are defined in Azure Active Directory (or Exchange Online). These attributes can include department, job title, location, team name, and other job profile details. You'll assign users or groups to segments with these attributes.-- **Segments** are sets of groups or users that are defined in the compliance portal or by using PowerShell that use selected group or user account attributes. See the list of [IB supported attributes](information-barriers-attributes.md) for details.
+- **Segments** are sets of groups or users that are defined in the compliance portal or by using PowerShell that use selected group or user account attributes.
+
+ Your organization can have up to 5,000 segments and users can be assigned to a maximum of 10 segments. See the list of [IB supported attributes](information-barriers-attributes.md) for details.
+
+ > [!IMPORTANT]
+ > Support for 5,000 segments and assigning users to multiple segments is only available when your organization isn't in *Legacy* mode. Assigning users to multiple segments requires additional actions to change the information barriers mode for your organization. For more information, see [Use multi-segment support in information barriers](information-barriers-multi-segment.md) for details. <br><br> For organizations in *Legacy* mode, the maximum number of segments supported is 250 and users are restricted to being assigned to only one segment. Organizations in *Legacy* mode will be eligible to upgrade to the newest version of information barriers in the future. For more information, see the [information barriers roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=information%2Cbarriers).
+ - **IB policies** determine communication limits or restrictions. When you define IB policies, you choose from two kinds of policies: - *Block* policies prevent one segment from communicating with another segment. - *Allow* policies allow one segment to communicate with only certain other segments. > [!NOTE]
- > For *allow* policies, non-IB groups and users will not be visible to users included in IB segments and policies. If you need non-IB groups and users to be visible to users included in IB segments and policies, you must use *block* policies.
+ > **For organizations in *Legacy* mode**: Non-IB groups and users **will not be visible** to users included in IB segments and policies for *allow* policies. If you need non-IB groups and users to be visible to users included in IB segments and policies, you must use *block* policies. <br><br> **For organizations in *SingleSegment* or *MultiSegment* mode**: Non-IB groups and users **will be visible** to users included in IB segments and policies for *allow* policies. <br><br> To verify your IB mode, see [Check the IB mode for your organization](/microsoft-365/compliance/information-barriers-multi-segment#check-the-ib-mode-for-your-organization).
- **Policy application** is done after all IB policies are defined, and you're ready to apply them in your organization.-- **Visibility of non-IB users and groups**. Non-IB users and groups are users and groups excluded from IB segments and policies. Depending on the type of IB policies (block or allow), the behavior for these users and group will differ in Microsoft Teams, SharePoint, OneDrive, and in your global address list. For users defined in *allow* policies, non-IB groups and users won't be visible to users included in IB segments and policies. For users defined in *block* policies, non-IB groups and users will be visible to users included in IB segments and policies.
+- **Visibility of non-IB users and groups**: Non-IB users and groups are users and groups excluded from IB segments and policies. Depending on when you configure IB policies in your organization and the type of IB policies (block or allow), the behavior for these users and group will differ in Microsoft Teams, SharePoint, OneDrive, and in your global address list.
+ - **For organizations in *Legacy* mode**: For users defined in *allow* policies, non-IB groups and users won't be visible to users included in IB segments and policies. For users defined in *block* policies, non-IB groups and users will be visible to users included in IB segments and policies.
+ - **For organizations in *SingleSegment* or *MultiSegment* mode**: For users defined in *allow* and *block* policies, non-IB groups and users will be visible to users included in IB segments and policies.
- **Group support**. Only Modern Groups are currently supported in IB and Distribution Lists/Security Groups are treated as non-IB groups.-- **Hidden/disabled user accounts**. For hidden/disabled accounts in your organization, the *HiddenFromAddressListEnabled* parameter is automatically set to *True* when the users accounts are hidden or disabled. In IB-enabled organizations, these accounts are prevented from communicating with all other user accounts. In Microsoft Teams, all chats including these accounts are locked or the users are automatically removed from conversations.
+- **Hidden/disabled user accounts**. For hidden/disabled accounts in your organization, the *HiddenFromAddressListEnabled* parameter is automatically set to *True* when the users accounts are hidden or disabled. In IB-enabled organizations, these accounts are prevented from communicating with all other user accounts.
## Configuration overview | **Steps** | **What's involved** | |:|:-|
-| **Step 1**: [Make sure prerequisites are met](#step-1-make-sure-prerequisites-are-met) | - Verify that you have the required subscriptions and permissions <br/>- Verify that your directory includes data for segmenting users<br/>- Enable [search by name for Microsoft Teams](/microsoftteams/teams-scoped-directory-search)<br/>- Make sure audit logging is turned on<br/>- Make sure no Exchange address book policies are in place <br/>- Provide admin consent for Microsoft Teams (steps are included) |
+| **Step 1**: [Make sure prerequisites are met](#step-1-make-sure-prerequisites-are-met) | - Verify that you have the required subscriptions and permissions <br/>- Verify that your directory includes data for segmenting users<br/>- Enable [search by name for Microsoft Teams](/microsoftteams/teams-scoped-directory-search)<br/>- Make sure audit logging is turned on <br/> - Check the IB mode for your organization <br/>- Configure how Exchange address book policies are implemented (depending on when you've enable IB in your organization) <br/>- Provide admin consent for Microsoft Teams (steps are included) |
| **Step 2**: [Segment users in your organization](#step-2-segment-users-in-your-organization) | - Determine what policies are needed<br/>- Make a list of segments to define<br/>- Identify which attributes to use<br/>- Define segments in terms of policy filters | | **Step 3**: [Create information barriers policies](#step-3-create-ib-policies) | - Create your policies (don't apply yet)<br/>- Choose from two kinds (block or allow) | | **Step 4**: [Apply information barriers policies](#step-4-apply-ib-policies) | - Set policies to active status<br/>- Run the policy application<br/>- View policy status | | **Step 5**: [Configuration for information barriers on SharePoint and OneDrive (optional)](#step-5-configuration-for-information-barriers-on-sharepoint-and-onedrive) | - Configure IB for SharePoint and OneDrive |
-| **Step 6**: [Information barriers modes (optional)](#step-6-information-barriers-modes) | - Update IB modes if applicable |
+| **Step 6**: [Information barriers modes (optional)](#step-6-information-barriers-modes-optional) | - Update IB modes if applicable |
+| **Step 7**: [Configure user discoverability for information barriers (optional)](#step-7-configure-user-discoverability-for-information-barriers-optional) | - Enable or restrict user discoverability in IB with the people picker if applicable. |
## Step 1: Make sure prerequisites are met
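Review bot: The added text ties behaviour to timing in two places ("Depending on when you configure IB policies in your organization" in the visibility bullet and "depending on when you've enable IB in your organization" in the Step 1 row), but the sub-bullets and notes that follow distinguish by IB mode (*Legacy* versus *SingleSegment* or *MultiSegment*). Suggest "depending on the IB mode for your organization" in both, which also removes the "you've enable" typo. The hidden/disabled accounts bullet drops the sentence about Teams chats being locked or users being removed from conversations without a replacement; confirm that removal is intended. The new [!NOTE] links to `/microsoft-365/compliance/information-barriers-multi-segment#check-the-ib-mode-for-your-organization` while the [!IMPORTANT] above it uses the relative `information-barriers-multi-segment.md`; pick one form.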
In addition to the required subscriptions and permissions, make sure that the fo
- **Verify audit logging is enabled**: In order to look up the status of an IB policy application, audit logging must be turned on. Auditing is enabled for Microsoft 365 organizations by default. Some organizations may have disabled auditing for specific reasons. If auditing is disabled for your organization, it might be because another administrator has turned it off. We recommend confirming that it's OK to turn auditing back on when completing this step. For more information, see [Turn the audit log search on or off](audit-log-enable-disable.md). -- **Remove existing Exchange Online address book policies**: Before you define and apply IB policies, you must remove all existing Exchange Online address book policies in your organization. IB policies are based on address book policies and existing ABPs policies aren't compatible with the ABPs created by IB. To remove your existing address book policies, see [Remove an address book policy in Exchange Online](/exchange/address-books/address-book-policies/remove-an-address-book-policy). For more information about IB policies and Exchange Online, see [Information barriers and Exchange Online](information-barriers.md#information-barriers-and-exchange-online).
+- **Check the IB mode for your organization**: Support for multiple segments, people discoverability options, Exchange ABPs, and other features is determined by the IB mode for your organization. To verify the IB mode for your organization, see [Check the IB mode for your organization](/microsoft-365/compliance/information-barriers-multi-segment#check-the-ib-mode-for-your-organization).
+
+- **Remove existing Exchange Online address book policies (optional)**:
+ - **For organizations in *Legacy* mode**: Before you define and apply IB policies, you must remove all existing Exchange Online address book policies in your organization. IB policies are based on address book policies and existing ABPs policies aren't compatible with the ABPs created by IB. To remove your existing address book policies, see [Remove an address book policy in Exchange Online](/exchange/address-books/address-book-policies/remove-an-address-book-policy). For more information about IB policies and Exchange Online, see [Information barriers and Exchange Online](information-barriers.md#information-barriers-and-exchange-online).
+ - **For organizations in *SingleSegment* or *MultiSegment* mode**: Information barriers is no longer based on Exchange Online Address Book Policies (ABPs). Organizations using ABPs will not have any impact to the existing ABPs when enabling information barriers.
-- **Manage using PowerShell (optional)**: IB segments and policies can be defined and managed in Office 365 Security & Compliance PowerShell. Although several examples are provided in this article, you'll need to be familiar with PowerShell cmdlets and parameters if you choose to use PowerShell to configure and manage IB segments and policies. You'll also need the Azure Active Directory PowerShell module if you choose this configuration option.
+- **Manage using PowerShell (optional)**: IB segments and policies can be defined and managed in the compliance portal, but you can also use the Office 365 Security & Compliance PowerShell if preferred or needed. Although several examples are provided in this article, you'll need to be familiar with PowerShell cmdlets and parameters if you choose to use PowerShell to configure and manage IB segments and policies. You'll also need the Azure Active Directory PowerShell module if you choose this configuration option.
- [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) - [Install Azure Active Directory PowerShell for Graph](/powershell/azure/active-directory/install-adv2)
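Review bot: The bullet title now reads "Remove existing Exchange Online address book policies (optional)", but its first sub-bullet says organizations in *Legacy* mode "must remove all existing Exchange Online address book policies", so "(optional)" contradicts the requirement for that mode. Suggest a mode-neutral title such as "Review existing Exchange Online address book policies" and leave the required/no-action split to the two sub-bullets. In the second sub-bullet, "Organizations using ABPs will not have any impact to the existing ABPs" would read better as "Enabling information barriers doesn't affect existing ABPs".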
When you have your initial list of needed groups and policies, proceed to identi
### Identify segments
-In addition to your initial list of policies, make a list of segments for your organization. Users who will be included in IB policies should belong to a segment. Plan your segments carefully as a user can only be in one segment. Each segment can have only one IB policy applied.
+In addition to your initial list of policies, make a list of segments for your organization. Users who will be included in IB policies should belong to at least one segment. Users can be assigned to multiple segments if needed. You can have up to 5,000 segments in your organization and each segment can have only one IB policy applied.
> [!IMPORTANT]
-> A user can only be in one segment.
+> A user can only be in one segment for organizations in *Legacy* or *SingleSegement* modes. To verify your IB mode, see [Check the IB mode for your organization](/microsoft-365/compliance/information-barriers-multi-segment#check-the-ib-mode-for-your-organization).
Determine which attributes in your organization's directory data you'll use to define segments. You can use *Department*, *MemberOf*, or any of the supported IB attributes. Make sure that you have values in the attribute you select for users. For more information, see the [supported attributes for IB](information-barriers-attributes.md). > [!IMPORTANT]
-> **Before you proceed to the next section, make sure your directory data has values for attributes that you can use to define segments**. If your directory data does not have values for the attributes you want to use, then the user accounts must be updated to include that information before you proceed with configuring IB. To get help with this, see the following resources:<br/>- [Configure user account properties with Office 365 PowerShell](../enterprise/configure-user-account-properties-with-microsoft-365-powershell.md)<br/>- [Add or update a user's profile information using Azure Active Directory](/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal)
+> **Before you proceed to the next section, make sure your directory data has values for attributes that you can use to define segments**. If your directory data does not have values for the attributes you want to use, then the user accounts must be updated to include that information before you proceed with configuring IB. To get help with this, see the following resources: <br/><br/>- [Configure user account properties with Office 365 PowerShell](../enterprise/configure-user-account-properties-with-microsoft-365-powershell.md)<br/>- [Add or update a user's profile information using Azure Active Directory](/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal)
+
+### Enable multiple segment support for users (optional)
+
+Support for assigning users to multiple segments is only available when your organization isn't in *Legacy* mode. If you want to support assigning users to multiple segments, see [Use multi-segment support in information barriers](information-barriers-multi-segment.md).
+
+Users are restricted to being assigned to only one segment for organizations in *Legacy* mode. Organizations in *Legacy* mode will be eligible to upgrade to the newest version of information barriers in the future. For more information, see the [information barriers roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=information%2Cbarriers).
++ ### Define segments using the compliance portal
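Review bot: The revised [!IMPORTANT] note misspells the mode as *SingleSegement*; the value used elsewhere in this change is *SingleSegment*. The rewritten paragraph above it states "Users can be assigned to multiple segments if needed" and "up to 5,000 segments" with no mode qualifier, although the note that follows limits *Legacy* and *SingleSegment* organizations to one segment per user and the concepts section of the same file gives 250 segments for *Legacy*. Suggest qualifying both statements by mode or pointing to the mode check in the same sentence.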
To define segments in the compliance portal, complete the following steps:
8. Add additional attributes as needed on the **User group filter** page, then select **Next**. 9. On the **Review your settings** page, review the settings you've chosen for the segment and any suggestions or warnings for your selections. Select **Edit** to change any of the segment attributes and conditions or select **Submit** to create the segment.
- > [!IMPORTANT]
- > **Make sure that your segments do not overlap**. Each user who will be affected by IB policies should belong to one (and only one) segment. No user should belong to two or more segments. See [Example: Contoso's defined segments](#contosos-defined-segments) in this article for an example scenario.
- ### Define segments using PowerShell To define segments with PowerShell, complete the following steps:
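Review bot: The non-overlap [!IMPORTANT] note is removed outright from the compliance portal procedure (and from the PowerShell procedure that follows), yet the same change still says a user can only be in one segment for organizations in *Legacy* or *SingleSegment* modes. Suggest keeping a shortened note scoped to those modes instead of deleting it, so admins in those modes still see the warning at the point where they define segments.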
To define segments with PowerShell, complete the following steps:
2. Repeat this process for each segment you want to define.
- > [!IMPORTANT]
- > **Make sure that your segments do not overlap**. Each user who will be affected by IB policies should belong to one (and only one) segment. No user should belong to two or more segments. See [Example: Contoso's defined segments](#contosos-defined-segments) in this article for an example scenario.
- After you've defined your segments, proceed to [Step 3: Create IB policies](#step-3-create-ib-policies). ### Using "equals" and "not equals" in PowerShell segment definitions
In addition to defining segments using "equals" or "not equals", you can define
When you create your IB policies, you'll determine whether you need to prevent communications between certain segments or limit communications to certain segments. Ideally, you'll use the minimum number of IB policies to ensure your organization is compliant with internal, legal, and industry requirements. You can use the compliance portal or PowerShell to create and apply IB policies. > [!TIP]
-> For user experience consistency, we recommend using Block policies for most scenarios if possible.
+> For user experience consistency, we recommend using *Block* policies for most scenarios if possible.
With your list of user segments and the IB policies you want to define, select a scenario, and then follow the steps.
With your list of user segments and the IB policies you want to define, select a
- [Scenario 2: Allow a segment to communicate only with one other segment](#scenario-2-allow-a-segment-to-communicate-only-with-one-other-segment) > [!IMPORTANT]
-> **Make sure that as you define policies, you do not assign more than one policy to a segment**. For example, if you define one policy for a segment called *Sales*, do not define an additional policy for the *Sales* segment.<br> In addition, as you define IB policies, make sure to set those policies to inactive status until you are ready to apply them. Defining (or editing) policies does not affect users until those policies are set to active status and then applied.
+> **Make sure that as you define policies, you do not assign more than one policy to a segment**. For example, if you define one policy for a segment called *Sales*, do not define an additional policy for the *Sales* segment.<br><br> In addition, as you define IB policies, make sure to set those policies to inactive status until you are ready to apply them. Defining (or editing) policies does not affect users until those policies are set to active status and then applied.
### Scenario 1: Block communications between segments
If you're configuring IB for SharePoint and OneDrive, you'll need to enable IB o
To enable IB in SharePoint and OneDrive, follow the guidance and steps in the [Use information barriers with SharePoint](/sharepoint/information-barriers) article.
-## Step 6: Information barriers modes
+## Step 6: Information barriers modes (optional)
Modes can help strengthen access, sharing, and membership of a Microsoft 365 resource based on the resource's IB mode. Modes are supported on Microsoft 365 Groups, Microsoft Teams, OneDrive, and SharePoint sites and are automatically enabled in your new or existing IB configuration.
The following IB modes are supported on Microsoft 365 resources:
| **Mode** | **Description** | **Example** | |:--|:|:--|
-| **Open** | There aren't any IB policies or segments associated with the Microsoft 365 resource. Anyone can be invited to be a member of the resource. | A team site created for picnic event for your organization. |
-| **Owner Moderated (preview)** | The IB policy of the Microsoft 365 resource is determined from the resource owner's IB policy. The resource owners can invite any user to the resource based on their IB policies. This mode is useful when your company wants to allow collaboration among incompatible segment users that are moderated by the owner. Only the resource owner can add new members per their IB policy. | The VP of HR wants to collaborate with the VPs of Sales and Research. A new SharePoint site that is set with IB mode *Owner Moderated* to add both Sales and Research segment users to the same site. It's the responsibility of the owner to ensure appropriate members are added to the resource. |
+| **Open** | There aren't any IB policies or segments associated with the Microsoft 365 resource. Anyone can be invited to be a member of the resource. | A team site created for a picnic event for your organization. |
+| **Owner Moderated** | The IB policy of the Microsoft 365 resource is determined from the resource owner's IB policy. The resource owners can invite any user to the resource based on their IB policies. This mode is useful when your company wants to allow collaboration among incompatible segment users that are moderated by the owner. Only the resource owner can add new members per their IB policy. | The VP of HR wants to collaborate with the VPs of Sales and Research. A new SharePoint site that is set with IB mode *Owner Moderated* to add both Sales and Research segment users to the same site. It's the responsibility of the owner to ensure appropriate members are added to the resource. |
| **Implicit** | The IB policy or segments of the Microsoft 365 resource is inherited from the resource members IB policy. The owner can add members as long as they're compatible with the existing members of the resource. This mode is the default IB mode for Microsoft Teams. | The Sales segment user creates a Microsoft Teams team to collaborate with other compatible segments in the organization. | | **Explicit** | The IB policy of the Microsoft 365 resource is per the segments associated with the resource. The resource owner or SharePoint administrator has the ability to manage the segments on the resource. | A site created only for Sales segment members to collaborate by associating the Sales segment with the site. |
-| **Mixed (preview)** | Only applicable to OneDrive. The IB policy of the OneDrive is per the segments associated with the OneDrive. The resource owner or OneDrive administrator has the ability to manage the segments on the resource. | A OneDrive created for Sales segment members to collaborate is allowed to be shared with unsegmented users. |
+| **Mixed** | Only applicable to OneDrive. The IB policy of the OneDrive is per the segments associated with the OneDrive. The resource owner or OneDrive administrator has the ability to manage the segments on the resource. | A OneDrive created for Sales segment members to collaborate is allowed to be shared with unsegmented users. |
+
+### Implicit mode updates
+
+Depending on when you've enable IB in your organization, your organization will be in either *Legacy*, *SingleSegment*, or *MultiSegment* organization mode. To verify your mode, see [Check the IB mode for your organization](/microsoft-365/compliance/information-barriers-multi-segment#check-the-ib-mode-for-your-organization).
+
+If your organization is in *SingleSegment* or *MultiSegment* mode and the information barriers mode of the Teams group is *Implicit*, the Teams-connected groups/sites won't have any segments associated with it.
For more information about IB modes and how they're configured across services, see the following articles:
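Review bot: In the added "Implicit mode updates" subsection, "Depending on when you've enable IB" should read "you've enabled IB", and "the Teams-connected groups/sites won't have any segments associated with it" should end in "with them" to agree with the plural subject. Separately, the heading now marks Step 6 as "(optional)" while the unchanged paragraph under it says modes "are automatically enabled in your new or existing IB configuration"; state which part of the step is optional.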
For more information about IB modes and how they're configured across services,
- [Information barriers modes and OneDrive](/onedrive/information-barriers) - [Information barriers modes and SharePoint](/sharepoint/information-barriers)
+## Step 7: Configure user discoverability for information barriers (optional)
+
+Information barriers policies allow administrators to enable or disable search restrictions in the people picker. By default, the people picker restriction is enabled for IB policies. For example, IB policies that block two specific users from communication can also restrict the users from seeing each other when using the people picker.
+
+> [!IMPORTANT]
+> Support for enabling or disabling search restrictions is only available when your organization isn't in *Legacy* mode. Organizations in *Legacy* mode cannot enable or disable search restrictions. Enabling or disabling search restrictions requires additional actions to change the information barriers mode for your organization. For more information, see [Use multi-segment support in information barriers)](information-barriers-multi-segment.md) for details.<br><br> Organizations in *Legacy* mode will be eligible to upgrade to the newest version of information barriers in the future. For more information, see the [information barriers roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=information%2Cbarriers).
+
+To disable the people picker search restriction using PowerShell, complete the following steps:
+
+1. Use the **Set-PolicyConfig** cmdlet to disable the people picker restriction:
+
+```powershell
+Set-PolicyConfig -InformationBarrierPeopleSearchRestriction 'Disabled'
+```
+ ## Example scenario: Contoso's departments, segments, and policies To see how an organization might approach defining segments and policies, consider the following example scenario.
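Review bot: The link text in the added `[!IMPORTANT]` block has a stray closing parenthesis, "[Use multi-segment support in information barriers)]", and the sentence wraps the link in both "For more information, see" and "for details"; drop the parenthesis and one of the two phrases. The procedure below it is introduced with "complete the following steps" but contains a single numbered step, so write it as one sentence or list any prerequisite steps. The section title and first paragraph talk about enabling or disabling the restriction, but only the 'Disabled' value of **Set-PolicyConfig** is shown; add the value that restores the default.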
When the cmdlet finishes, Contoso is compliant with industry requirements.
## Resources - [Learn about information barriers](information-barriers.md)
+- [Use multi-segment support in information barriers](information-barriers-multi-segment.md)
- [Learn more about information barriers in Microsoft Teams](/MicrosoftTeams/information-barriers-in-teams) - [Learn more about information barriers in SharePoint Online](/sharepoint/information-barriers) - [Learn more about information barriers in OneDrive](/onedrive/information-barriers)
compliance Information Barriers Solution Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-barriers-solution-overview.md
Microsoft 365 enables communication and collaboration across groups and organiza
Microsoft Purview Information Barriers (IB) is supported in Microsoft Teams, SharePoint Online, and OneDrive for Business. A compliance administrator or IB administrator can define policies to allow or prevent communications between groups of users in Microsoft Teams. Use IB policies for situations like these: -- User in the day trader group shouldn't communicate or share files with the marketing team-- Finance personnel working on confidential company information shouldn't communicate or share files with certain groups within their organization-- An internal team with trade secret material shouldn't call or chat online with people in certain groups within their organization-- A research team should only call or chat online with a product development team
+- User in the day trader group should not communicate or share files with the marketing team.
+- Instructors in one school shouldn't be able to communicate or share files with students in another school in the same school district.
+- Finance personnel working on confidential company information should not communicate or share files with certain groups within their organization.
+- An internal team with trade secret material should not call or chat online with users in certain groups within their organization.
+- A research team should only call or chat online with a product development team.
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
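Review bot: The added bullets mix "should not" (the day trader, finance, and trade secret items) with "shouldn't" (the new instructors item), and the first one still reads "User in the day trader group" where "Users" is meant. Pick one form; the matching list in information-barriers.md in this same update uses "shouldn't" throughout.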
Use the following steps to configure IB for your organization:
- [Attributes for IB policies](information-barriers-attributes.md) - [Edit or remove IB policies](information-barriers-edit-segments-policies.md)
+- [Use multi-segment support in information barriers](information-barriers-multi-segment.md)
compliance Information Barriers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-barriers.md
- m365solution-mip - m365initiative-compliance - highpri
+ms.localizationpriority: medium
f1.keywords: - NOCSH
When IB policies are in place, users who shouldn't communicate or share files wi
IB policies can allow or prevent communication and collaboration between groups and users for the following example scenarios: - Users in the *Day Trader* group shouldn't communicate or share files with the *Marketing Team*
+- Instructors in one school shouldn't be able to communicate or share files with students in another school in the same school district.
- Finance personnel working on confidential company information shouldn't communicate or share files with certain groups within their organization-- An internal team with trade secret material shouldn't call or chat online with people in certain groups within their organization
+- An internal team with trade secret material shouldn't call or chat online with users in certain groups within their organization
- A research team should only call or chat online with a product development team - A SharePoint site for *Day Trader* group shouldn't be shared or accessed by anyone outside of the *Day Trader* group
In Microsoft Teams, IB policies determine and prevent the following kinds of una
- Sharing a file with another user - Access to a file through sharing a link
-If the users conducting these activities in Microsoft Teams are included in an IB policy to prevent the activity, they won't be able to proceed. In addition, everyone included in an IB policy can be potentially blocked from communicating with other users in Microsoft Teams. When people affected by IB policies are part of the same team or group chat, they may be removed from those chat sessions and further communication with the group may not be allowed.
+If the users conducting these activities in Microsoft Teams are included in an IB policy to prevent the activity, they won't be able to proceed. In addition, everyone included in an IB policy can be potentially blocked from communicating with other users in Microsoft Teams. When users affected by IB policies are part of the same team or group chat, they may be removed from those chat sessions and further communication with the group may not be allowed.
For more information, see [information barriers in Microsoft Teams](/MicrosoftTeams/information-barriers-in-teams).
For more information, see [Information barriers in SharePoint](/sharepoint/infor
## Information barriers and Exchange Online
-IB policies aren't available to restrict communication and collaboration between groups and users in email messages. IB policies are based on [Exchange Online Address Book Policies (ABPs)](/exchange/address-books/address-book-policies/address-book-policies). ABPs allow organizations to virtually assign users into specific groups in order to provide customized views of the organization's global address book (GAL). When IB policies are created, ABPs for the policies are automatically created. As IB policies are added in your organization, the structure and behavior of your GAL will change to comply with IB policies.
+IB policies aren't available to restrict communication and collaboration between groups and users in email messages. Only Exchange Online deployments are currently supported for IB policies. If your organization needs to define and control email communications, consider using [Exchange mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules).
-Before you define and apply IB policies, you must remove all existing Exchange address book policies in your organization. IB policies are based on address book policies and existing ABPs policies aren't compatible with the ABPs created by IB. To remove your existing address book policies, see [Remove an address book policy in Exchange Online](/exchange/address-books/address-book-policies/remove-an-address-book-policy). Once IB policies are enabled and if you have hierarchical address book enabled, all users not included in an IB segment will see the [hierarchical address book](/exchange/address-books/hierarchical-address-books/hierarchical-address-books) in Exchange online.
+### Information barriers and Exchange for single and multi-segment modes
+
+If your organization is in [*single* or *multi-segment* mode](information-barriers-multi-segment.md#check-the-ib-mode-for-your-organization), information barriers is no longer based on Exchange Online Address Book Policies (ABPs). Organizations using ABPs will not have any impact to the existing ABPs when enabling information barriers. If there's no ABP defined for users with associated IB segments and policies, an ABP is automatically created with empty address lists for these users. You can change these ABPs as needed. We recommend that your ABPs are consistent with the segments you configure in information barriers. You should try to avoid user visibility differences between your existing ABPs and your new information barriers configuration.
+
+### Information barriers and Exchange for legacy mode
-Only Exchange Online deployments are currently supported for IB policies. If your organization needs to define and control email communications, consider using [Exchange mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules).
+If your organization is in [*legacy* mode](information-barriers-multi-segment.md#check-the-ib-mode-for-your-organization), IB policies are based on [Exchange Online Address Book Policies (ABPs)](/exchange/address-books/address-book-policies/address-book-policies). ABPs allow organizations to virtually assign users into specific groups in order to provide customized views of the organization's global address book (GAL). When IB policies are created, ABPs for the policies are automatically created. As IB policies are added in your organization, the structure and behavior of your GAL will change to comply with IB policies.
+
+Before you define and apply IB policies, you must remove all existing Exchange address book policies in your organization. IB policies are based on address book policies and existing ABPs policies aren't compatible with the ABPs created by IB. To remove your existing address book policies, see [Remove an address book policy in Exchange Online](/exchange/address-books/address-book-policies/remove-an-address-book-policy). Once IB policies are enabled and if you have hierarchical address book enabled, all users not included in an IB segment will see the [hierarchical address book](/exchange/address-books/hierarchical-address-books/hierarchical-address-books) in Exchange online.
## Ready to get started? - [Get started with information barriers](information-barriers-policies.md) - [Manage IB policies](information-barriers-edit-segments-policies.md)
+- [Use multi-segment support in information barriers](information-barriers-multi-segment.md)
- [See the attributes that can be used for IB policies](information-barriers-attributes.md)
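Review bot: The new Exchange subsections name the organization modes in lowercase (*single*, *multi-segment*, *legacy*), while the information-barriers-policies.md changes in the same update use *Legacy*, *SingleSegment*, and *MultiSegment*; use one spelling so readers can match the two articles. In the single and multi-segment paragraph, "Organizations using ABPs will not have any impact to the existing ABPs when enabling information barriers" is hard to parse; "Enabling information barriers doesn't change existing ABPs" says the same thing. The relocated legacy-mode paragraph also carries over "existing ABPs policies" and "Exchange online", which can be cleaned up while the text is being moved.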
compliance Insider Risk Management Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-activities.md
f1.keywords:
Previously updated : 02/16/2023 Last updated : 02/28/2023 audience: itpro - tier1
The **User activity** chart is one of the most powerful tools for internal risk
![Insider risk management user activity](../media/insider-risk-user-activities.png)
-1. **Time filters**: By default, the last three months of potentially risky activities displayed in the User activity chart. You can easily filter the chart view by selecting the *6 Months*, *3 Months*, or *1 Month* tabs on the bubble chart.
-2. **Risk alert activity and details**: Potentially risky activities are visually displayed as colored bubbles in the User activity chart. Bubbles are created for different categories of risk and. Select a bubble to display the details for each potentially risky activity. Details include:
- - **Date** of the risk activity.
- - The **risk activity category**. For example, *Email(s) with attachments sent outside the organization* or *File(s) downloaded from SharePoint Online*.
- - **Risk score** for the alert. This score is the numerical score for the alert risk severity level.
- - Number of events associated with the alert. Links to each file or email associated with the risk activity are also available.
+1. **Case actions**: Options for resolving the case are on the case action toolbar. When viewing in a case, you can resolve a case, send an email notice to the user, or escalate the case for a data or user investigation.
+2. **Risk activity chronology**: The full chronology of all risk alerts associated with the case are listed, including all the details available in the corresponding alert bubble.
3. **Filters and sorting (preview)**: - **Risk category**: Filter activities by the following risk categories: *Activities with risk scores > 15 (unless in a sequence)* and *Sequence activities*. - **Activity Type**: Filter activities by the following types: *Access*, *Deletion*, *Collection*, *Exfiltration*, *Infiltration*, *Obfuscation*, and *Security*. - **Sort by**: List the timeline of potentially risky activities by *Date occurred* or *Risk score*.
-4. **Risk sequence**: The chronological order of potentially risky activities is an important aspect of risk investigation and identifying these related activities is an important part of evaluating overall risk for your organization. Alert activities that are related are displayed with connecting lines to highlight that these activities are associated with a larger risk area. Sequences are also identified in this view by an icon positioned above the sequence activities relative to the risk score for the sequence. Hover over the icon to see the date and time of the risky activity associated with this sequence. This view of activities can help investigators literally 'connect the dots' for risk activities that could have been viewed as isolated or one-off events. Select the icon or any bubble in the sequence to display details for all the associated risk activities. Details include:
+4. **Time filters**: By default, the last three months of potentially risky activities are displayed in the User activity chart. You can easily filter the chart view by selecting the *6 Months*, *3 Months*, or *1 Month* tabs on the bubble chart.
+5. **Risk sequence**: The chronological order of potentially risky activities is an important aspect of risk investigation and identifying these related activities is an important part of evaluating overall risk for your organization. Alert activities that are related are displayed with connecting lines to highlight that these activities are associated with a larger risk area. Sequences are also identified in this view by an icon positioned above the sequence activities relative to the risk score for the sequence. Hover over the icon to see the date and time of the risky activity associated with this sequence. This view of activities can help investigators literally 'connect the dots' for risk activities that could have been viewed as isolated or one-off events. Select the icon or any bubble in the sequence to display details for all the associated risk activities. Details include:
- **Name** of the sequence. - **Date** or **Date range** of the sequence. - **Risk score** for the sequence. This score is the numerical score for the sequence of the combined alert risk severity levels for each related activity in the sequence. - **Number of events associated with each alert in the sequence**. Links to each file or email associated with each potentially risky activity are also available.
- - **Show activities in sequence**. Displays sequence as a highlight line on the bubble chart and expands the alert details to display all related alerts in the sequence.
-
-5. **Risk activity legend**: Across the bottom of the user activity chart, a color-coded legend helps you quickly determine risk category for each alert.
-6. **Risk activity chronology**: The full chronology of all risk alerts associated with the case are listed, including all the details available in the corresponding alert bubble.
-7. **Case actions**: Options for resolving the case are on the case action toolbar. When viewing in a case, you can resolve a case, send an email notice to the user, or escalate the case for a data or user investigation.
+ - **Show activities in sequence**. Displays the sequence as a highlight line on the bubble chart and expands the alert details to display all related alerts in the sequence.
+6. **Risk alert activity and details**: Potentially risky activities are visually displayed as colored bubbles in the User activity chart. Bubbles are created for different categories of risk. Select a bubble to display the details for each potentially risky activity. Details include:
+ - **Date** of the risk activity.
+ - The **risk activity category**. For example, *Email(s) with attachments sent outside the organization* or *File(s) downloaded from SharePoint Online*.
+ - **Risk score** for the alert. This score is the numerical score for the alert risk severity level.
+ - Number of events associated with the alert. Links to each file or email associated with the risk activity are also available.
+7. **Cumulative exfiltration activities**: Select this button to view a visual chart of how activity is building over time for the user.
+8. **Risk activity legend**: Across the bottom of the user activity chart, a color-coded legend helps you quickly determine risk category for each alert.
## Activity explorer
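Review bot: The numbered list is reordered and grows from seven to eight items, but the screenshot reference insider-risk-user-activities.png above it is unchanged in this hunk; confirm the callouts in the image match the new numbering. In the added item 2, "The full chronology of all risk alerts associated with the case are listed" should use "is listed", and in item 1 "When viewing in a case" reads better as "When viewing a case".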
The Activity explorer provides risk investigators and analysts with a comprehens
To filter alerts on the Activity explorer for column information, select the Filter control. You can filter alerts by one or more attributes listed in the details pane for the alert. Activity explorer also supports customizable columns to help investigators and analysts focus the dashboard on the information most important to them.
-Use the *Activity scope* and *Risk insight* filters to display and sort activities and insights for the following areas.
+Use the *Activity scope*, *Risk factor*, and *Review status* filters to display and sort activities and insights for the following areas.
-- **Activity scope filters**: Filters all scored activities for the user.
+- **Activity scope**: Filters all scored activities for the user.
- All scored activity for this user - Only scored activity in this alert -- **Risk factor filters**: Filters for risk factor activity applicable for all policies assigning risk scores This includes all activity for all policies for in-scope users.
+- **Risk factor**: Filters for risk factor activity applicable for all policies assigning risk scores This includes all activity for all policies for in-scope users.
- Unusual activity - Includes events with priority content - Includes events with unallowed domain
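Review bot: The rewritten **Risk factor** bullet still runs two sentences together: "applicable for all policies assigning risk scores This includes all activity" needs a period after "risk scores". Since the line is being edited to drop "filters" from the label anyway, fix it in the same change.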
Use the *Activity scope* and *Risk insight* filters to display and sort activiti
- Health record access activities - Risky browser usage
+- **Review status**: Filters activity review status.
+ - All
+ - Not yet reviewed (filters out any activity that was part of a dismissed or resolved alert)
+ ![Insider risk management activity explorer overview](../media/insider-risk-activity-explorer.png) To use the **Activity explorer**, complete the following steps:
To help minimize the number of older items that provide limited current value, t
|Active cases (and associated artifacts)|Indefinite retention, never expire| |Resolved cases (and associated artifacts)|120 days from case resolution, then automatically deleted| |Maximum number of active cases|100|
-|User activities reports|120 days from activity detection, then automatically deleted|
+|User activities reports|120 days from report creation, then automatically deleted|
## Get help managing your insider risk alert queue
compliance Insider Risk Management Adaptive Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-adaptive-protection.md
After you've completed all three of the previous steps, you're ready to enable A
To enable Adaptive Protection, select the **Adaptive Protection settings** tab and toggle **Enable Adaptive Protection** to *On*. It may take up to 36 hours before you can expect to see Adaptive Protection risk levels and DLP actions applied to applicable user activities.
+Watch the following video on the Microsoft Mechanics channel to [see how Adaptive Protection can automatically adjust the strength of data protection based on calculated data security risk levels of users](https://youtu.be/9GLsxvtoLWE).
+ ## Manage Adaptive Protection Once you've enabled Adaptive Protection and your insider risk management and DLP policies are configured, you'll have access to information about policy metrics, current in-scope users, and risk levels currently in-scope.
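Review bot: "Watch the following video" in the added line suggests an embedded player, but what follows is only an inline link with a very long link text. Either embed the video or reword, for example "To see how Adaptive Protection adjusts data protection based on user risk levels, watch this video on the Microsoft Mechanics channel", with the link on a shorter phrase.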
compliance Insider Risk Management Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-policies.md
f1.keywords:
Previously updated : 02/07/2023 Last updated : 02/28/2023 audience: itpro - tier1
Risk management activities may not occur as isolated events. These risks are fre
These insider risk management policies can use specific indicators and the order that they occur to detect each step in a sequence of risk. For policies created from the *Data leaks* and *Data leaks by priority user* templates, you can also select which sequences trigger the policy. File names are used when mapping activities across a sequence. These risks are organized into four main categories of activity: -- **Collection**: Detects download activities by in-scope policy users. Example risk management activities include downloading files from SharePoint sites or moving files into a compressed folder.
+- **Collection**: Detects download activities by in-scope policy users. Example risk management activities include downloading files from SharePoint sites, third-party cloud services, unallowed domains, or moving files into a compressed folder.
- **Exfiltration**: Detects sharing or extraction activities to internal and external sources by in-scope policy users. An example risk management activity includes sending emails with attachments from your organization to external recipients. - **Obfuscation**: Detects the masking of potentially risky activities by in-scope policy users. An example risk management activity includes renaming files on a device. - **Clean-up**: Detects deletion activities by in-scope policy users. An example risk management activity includes deleting files from a device.
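Review bot: The expanded **Collection** example breaks its own list structure: "downloading files from SharePoint sites, third-party cloud services, unallowed domains, or moving files into a compressed folder" mixes three download sources with a separate activity. Reword as "downloading files from SharePoint sites, third-party cloud services, or unallowed domains, or moving files into a compressed folder".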
compliance Mip Easy Trials https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/mip-easy-trials.md
f1.keywords:
Previously updated : 10/25/2021 Last updated : 02/28/2023 audience: Admin
Eligibility includes customers who have a [free trial for Microsoft Purview](com
To get these preconfigured labels and policies: 1. From the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), select **Solutions** > **Information protection**
-
- If you don't immediately see this option, first select **Show all** from the navigation pane.
-
+ 2. If you are eligible for the Microsoft Purview Information Protection default labels and policies, you'll see the following information, where you can activate the default labels and policies. For example: :::image type="content" alt-text="Microsoft Purview Information Protection activation for preconfigured labels and policies." source="../media/mip-preconfigured.png" lightbox="../media/mip-preconfigured.png":::
To get these preconfigured labels and policies:
3. Now enable sensitivity labels for SharePoint and OneDrive. This step is a prerequisite to use sensitivity labels in Office for the web, and auto-labeling policies for SharePoint and OneDrive.
- Use the following banner at the top of the Information Protection **Overview** tab, and select **Turn on now**. If you don't see this banner, sensitivity labels for SharePoint and OneDrive have already been enabled for your tenant.
+ Use the following banner at the top of the **Information Protection** \> **Overview** page, and select **Turn on now**. If you don't see this banner, sensitivity labels for SharePoint and OneDrive have already been enabled for your tenant.
![Enable sensitivity labels for SharePoint and OneDrive banner.](../media/turn-on-mip-labels.png)
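Review bot: The new step 3 text refers to the "**Information Protection** \> **Overview** page" with a capital P, while step 1 of the same procedure tells the reader to select "**Solutions** > **Information protection**"; use the capitalization shown in the portal in both places. The earlier hunk in this file also deletes the "If you don't immediately see this option, first select **Show all** from the navigation pane" hint from step 1; confirm that removal is intentional and not a side effect of cleaning up the surrounding blank lines.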
compliance Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels.md
f1.keywords:
Previously updated : 09/11/2019 Last updated : 02/28/2023 audience: Admin
For these pages that have unavailable options, select **Next** to continue. Or,
### Label priority (order matters)
-When you create your sensitivity labels in the Microsoft Purview compliance portal, they appear in a list on the **Sensitivity** tab on the **Labels** page. In this list, the order of the labels is important because it reflects their priority. You want your most restrictive sensitivity label, such as Highly Confidential, to appear at the **bottom** of the list, and your least restrictive sensitivity label, such as Public, to appear at the **top**.
+When you create your sensitivity labels in the Microsoft Purview compliance portal, they appear in a list on the **Information Protection** \> **Labels** page. In this list, the order of the labels is important because it reflects their priority. You want your most restrictive sensitivity label, such as Highly Confidential, to appear at the **bottom** of the list, and your least restrictive sensitivity label, such as Public, to appear at the **top**.
You can apply just one sensitivity label to an item such as a document, email, or container. If you set an option that requires your users to provide a justification for changing a label to a lower classification, the order of this list identifies the lower classifications. However, this option doesn't apply to sublabels that share the priority of their parent label.
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
f1.keywords:
Previously updated : 02/27/2023 Last updated : 02/28/2023 audience: Admin
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
## February 2023
+### Audit
+
+- Clarification for audit log activities for [messages with reactions](/microsoft-365/compliance/audit-log-activities#yammer-activities) in Yammer.
+- [Clarification](/microsoft-365/compliance/audit-log-retention-policies#before-you-create-an-audit-log-retention-policy) on customized retention policies and licensing requirements.
+- Updates to [export limits](/microsoft-365/compliance/audit-new-search#audit-search-results-overview) for all search job items in Audit (Premium).
+- Clarification for [OneDrive for Business support](/microsoft-365/compliance/audit-premium) in Audit (Premium).
+ ### Communication compliance - **Mark a policy as a favorite**: [Mark a policy as a favorite and then filter and sort your policy lists](communication-compliance-policies.md#mark-a-policy-as-a-favorite).
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
- **Adaptive Protection (preview)** - [Learn about Adaptive Protection in Data Loss Prevention (preview)](dlp-adaptive-protection-learn.md) - **DLP migration assistant for Symantec GA** - [Learn about the Microsoft Purview Data Loss Prevention migration assistant for Symantec](dlp-migration-assistant-for-symantec-learn.md)
+### eDiscovery
+
+- Updates and clarifications for [decryption support](/microsoft-365/compliance/ediscovery-decryption) in eDiscovery solutions.
+- Updates and clarification for [keyword queries and search conditions](/microsoft-365/compliance/ediscovery-keyword-queries-and-search-conditions) in eDiscovery.
+- Updates for new collection management features, including new review set as column links, including the review set name in collection overviews, saving collections as a draft to capture progress and return to complete later, and more:
+ - *Updated*: [Learn about collections in eDiscovery (Premium)](/microsoft-365/compliance/ediscovery-collections)
+ - *Updated*:[Create a collection estimate in eDiscovery (Premium)](/microsoft-365/compliance/ediscovery-create-draft-collection)
+ - *Updated*: [Commit a collection estimate to a review set in eDiscovery (Premium)](/microsoft-365/compliance/ediscovery-commit-draft-collection)
+- New description section for [expand selection](/microsoft-365/compliance/ediscovery-export-documents-from-review-set#export-options) option for filtered and selected documents in export options.
+- Updates for graph API endpoints in the [Search and purge chat messages in Teams](/microsoft-365/compliance/ediscovery-search-and-delete-teams-chat-messages) article.
+- Updates to clarify how to [verify the deletion of purged messages](/microsoft-365/compliance/ediscovery-search-and-delete-teams-chat-messages#step-6-verify-chat-messages-are-purged) in Microsoft Teams without having to view as a specific user.
+
+### Information barriers
+
+- New support for multi-segments, people discoverability options, Exchange ABP integration, and more:
+ - *New*: [Use multi-segment support in information barriers](/microsoft-365/compliance/information-barriers-multi-segment)
+ - *Updated*: [Use information barriers with OneDrive](/sharepoint/information-barriers-onedrive)
+ - *Updated*: [Use information barriers with SharePoint](/sharepoint/information-barriers)
+ - *Updated*: [Use information barriers in Microsoft Teams](/microsoftteams/information-barriers-in-teams)
+- Clarifications for [policy application processing](/microsoftteams/information-barriers-in-teams#ib-policy-application-in-teams) for IB in Microsoft Teams.
+ ### Insider risk management - **In preview**: New [Adaptive Protection guidance](/microsoft-365/compliance/insider-risk-management-adaptive-protection). Adaptive Protection in Microsoft Purview uses machine learning to identify and mitigate the most critical risks with the most effective [data loss prevention (DLP)](/microsoft-365/compliance/dlp-adaptive-protection-learn) protection controls dynamically, saving security teams valuable time while ensuring better data security.
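Review bot: The eDiscovery bullet on collection management features chains two "including" clauses and ends with "and more", so it is hard to tell which items are the new features; split it into a short lead sentence plus the existing sub-bullets. In the same section, `*Updated*:[Create a collection estimate …` is missing the space after the colon that the sibling sub-bullets have, and "graph API endpoints" should name the product as "Microsoft Graph API".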
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
- **In preview**: [Support for Azure Active Directory administrative units](get-started-with-sensitivity-labels.md#support-for-administrative-units). - **In preview**: Previously available in preview for Word, Excel, and PowerPoint, the [sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) with support for [label colors](sensitivity-labels-office-apps.md#label-colors) is now also in preview for Outlook on Windows. - **In preview**: Now supported for labeling built into Windows, macOS, iOS, and Android, auditing actions for sensitivity labels include encryption details such as a change in the encryption status and settings, and the Rights Management owner.-- New Office setting if you need to [disable the PDF support in Office apps for Word, Excel, and PowerPoint](sensitivity-labels-office-apps.md#disabling-pdf-support).
+- **New Office setting**: Available with Group Policy and the Cloud Policy service for Microsoft 365, a new setting if you need to [disable the PDF support in Office apps for Word, Excel, and PowerPoint](sensitivity-labels-office-apps.md#disabling-pdf-support).
+- **Rolling out**: In the Microsoft Purview compliance portal, the horizontal tabs for **Overview**, **Labels**, **Label policies**, and **Auto-labeling** now display as vertical options in the left navigation pane when you expand **Information protection**.
## January 2023
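Review bot: The "Rolling out" entry writes the navigation node as **Information protection**, while the other articles changed in this same update write **Information Protection** \> **Overview** and **Information Protection** \> **Labels**; use whichever casing the portal shows and keep it consistent, because readers search the navigation pane for the exact label. The "New Office setting" entry is also a fragment ("a new setting if you need to …"); give it a verb, for example "a new setting lets you disable …".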
frontline Ehr Admin Epic https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/ehr-admin-epic.md
Review the following information to get an understanding of the overall integrat
You'll need to request access to the Teams app.
-1. Request to download the Teams app in the [Epic Connection Hub](https://apporchard.epic.com/Gallery?id=16793). Doing this triggers a request from Epic to the Microsoft EHR connector team.
+1. Request to download the Teams app in the [Epic Connection Hub](https://appmarket.epic.com/). Doing this triggers a request from Epic to the Microsoft EHR connector team.
1. After you make your request, send an email to [TeamsForHealthcare@service.microsoft.com](mailto:teamsforhealthcare@service.microsoft.com) with your organization name, tenant ID, and the email address of your Epic technical contact. 1. The Microsoft EHR connector team will respond to your email with confirmation of enablement.
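Review bot: Step 1 replaces a deep link to a specific gallery listing (`Gallery?id=16793`) with the site root `https://appmarket.epic.com/`, but the step text still says only "Request to download the Teams app", so the reader lands on a home page with no indication of which listing to open. Either link to the listing itself or name the exact listing to search for in the step. The link text "Epic Connection Hub" should also be checked against the name the new site uses.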
frontline Shifts Connector Manually Map Instances https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/includes/shifts-connector-manually-map-instances.md
--- Previously updated : 08/04/2022---
-##### To map an instance to an existing team
-
-1. Select the instance name.
-2. In the pane, search for the team, and then select it. Keep in mind that teams that are already mapped to an instance in this connection don't show up in the search.
-3. Choose the time zone and closest city.
-4. Select **Save**, and then select **Next**.
-
-##### To map an instance to a new team
-
-1. Select the instance name.
-2. In the pane, choose **Create a new team**. You'll be taken to a new tab in your browser where you can create a new team in the Microsoft 365 admin center.
- 1. Enter a name and an optional description for the team.
- 1. Add one or more team owners. Make sure you add the Microsoft 365 system account as owner.
- 1. Add team members.
- 1. Add a team email address and choose a privacy setting.
- 1. Review your settings, and then choose **Add team**. When your team is created, choose **Close**.
-3. Go back to the wizard, search for, and then select the new team you created.
-4. Choose the time zone and closest city.
-5. Select **Save**, and then select **Next**.
frontline Shifts Connector Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/includes/shifts-connector-prerequisites.md
Before you get started, make sure you have the following prerequisites:
- proxyHeader: X-MS-AuthToken - At least one team is set up in Teams.-- You added a Microsoft 365 system account as a team owner to all teams you want to map.</br> [Create this account in Microsoft 365](/microsoft-365/admin/add-users/add-users) and assign it a Microsoft 365 license. Then, add the account as a team owner to all teams that you want to map. The Shifts connector uses this account when syncing Shifts changes from Blue Yonder WFM.-
- We recommend that you create an account specifically for this purpose and not use your user account.
+- You added a Microsoft 365 system account as a team owner to all teams you want to map.</br> [Create this account in Microsoft 365](/microsoft-365/admin/add-users/add-users) and assign it a Microsoft 365 license. Then, add the account as a team owner to all teams that you want to map. The Shifts connector uses this account when syncing Shifts changes from Blue Yonder WFM. Therefore, we recommend that you create an account specifically for this purpose and not use your personal user account.
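Review bot: The recommendation to use a dedicated account rather than a personal one is now the last sentence of a long bullet, where it is easy to miss, and it is the one piece of account-hygiene guidance in this prerequisite. Keep it visually separate, for example as an indented note under the bullet, and state the reason in the sentence itself instead of relying on "Therefore". The `</br>` carried over from the old line is not a valid tag; use `<br>`.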
frontline Shifts Connector Ukg Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/includes/shifts-connector-ukg-prerequisites.md
Before you get started, make sure you have the following prerequisites: -- Your UKG Dimensions service account name and password and service URLs:
+- Your UKG Dimensions service account name and password and service URLs. If you don't have this information, contact UKG Dimensions support.
- - Application program interface URL
+ - API URL
- Application key - Client ID - Client secret
- - Single Sign On URL
+ - Single Sign On (SSO) URL
- If you don't have this information, contact UKG Dimensions support.
-- Federated single sign-on (SSO) authentication is enabled in your UKG Dimensions environment. </br>Azure Active Directory (Azure AD) is the supported identity provider for SSO. To enable SSO, set up integration between Azure AD and UKG Dimensions. For a step-by-step tutorial, see [Tutorial: Azure AD SSO integration with Kronos Workforce Dimensions](/azure/active-directory/saas-apps/kronos-workforce-dimensions-tutorial). If you need help or more information about setting up SSO, contact UKG Dimensions support.
+- Azure Active Directory (Azure AD) is the supported identity provider for SSO. To enable SSO, set up integration between Azure AD and UKG Dimensions. For a step-by-step tutorial, see [Tutorial: Azure AD SSO integration with Kronos Workforce Dimensions](/azure/active-directory/saas-apps/kronos-workforce-dimensions-tutorial). If you need help or more information about setting up SSO, contact UKG Dimensions support.
+- Federated SSO authentication is enabled in your UKG Dimensions environment. Follow the steps to [configure UKG Dimensions single sign-on](#configure-single-sign-on).
- After the integration is set up, configure users as federated accounts on their profile page in UKG Dimensions.
- At least one team is set up in Teams.-- You added a Microsoft 365 system account as a team owner to all teams you want to map.</br> [Create this account in Microsoft 365](/microsoft-365/admin/add-users/add-users) and assign it a Microsoft 365 license. Then, add the account as a team owner to all teams that you want to map. The Shifts connector uses this account when syncing Shifts changes from UKG Dimensions.-
- We recommend that you create an account specifically for this purpose and not use your user account.
+- You added a Microsoft 365 system account as a team owner to all teams you want to map.</br> [Create this account in Microsoft 365](/microsoft-365/admin/add-users/add-users) and assign it a Microsoft 365 license. Then, add the account as a team owner to all teams that you want to map. The Shifts connector uses this account when syncing Shifts changes from UKG Dimensions. Therefore, we recommend that you create an account specifically for this purpose and not use your personal user account.
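Review bot: The new bullet links to `#configure-single-sign-on`, a same-page anchor, but this is an include file and no heading with that name appears in it, so the link resolves only if every article that pulls in this include defines that heading. Confirm that for each including article or link to the target by path. The two SSO bullets are also in reverse order for a reader: the Azure AD bullet says "To enable SSO, set up integration" before the bullet that states the actual prerequisite (federated SSO is enabled), so put the prerequisite first and the identity-provider detail under it.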
frontline Shifts Connector Ukg Sso https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/includes/shifts-connector-ukg-sso.md
+++ Last updated : +
+audience: admin
++
+You'll need to take some additional steps after UKG enables SSO for your organization.
+
+#### Change user accounts to Federated accounts
+
+Each user that will be using the connector will need a Federated account.
+
+1. From the left menu on UKG Dimensions, go to **Maintenance** and select **People information**.
+1. Open the user's profile.
+1. Under the **Employee** section, expand **Information**.
+1. Change the **Authentication Type** to **Federated**.
+1. Save your changes and repeat the process for all users that will use the connector.
+
+#### Allow Shifts SSO redirection URLs
+
+After UKG enables SSO for your organization, you'll need to configure the connector's redirection URL. This will allow UKG Dimensions to redirect the user to the Shifts app in Microsoft Teams as part of the SSO flow.
+
+1. Sign into UKG with an account that has access to Application Setup.
+1. From the left menu, go to **Administration**, then **Application Setup**.
+1. Then, go to **System Configuration** and choose **System Settings**.
+1. Select **Global Values**.
+1. In the **global.oAuth.authCode.redirection.uris** field, enter the value: "https://flw.teams.microsoft.com/shifts-web-app/connectorauthenticationdone".
+1. In the **global.oAuthToken.redirection.domain.whiteList** field, enter the value: "flw.teams.microsoft.com".
+1. Select **Save**.
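Review bot: Steps 5 and 6 of "Allow Shifts SSO redirection URLs" give the values inside straight double quotes followed by the sentence period, so an admin copying from the page can paste the quotes or the period into **global.oAuth.authCode.redirection.uris** and **global.oAuthToken.redirection.domain.whiteList**. Format both values as inline code with no surrounding punctuation, since these fields decide where UKG Dimensions is allowed to redirect during the SSO flow and an inexact entry will either break sign-in or not match what was intended. The steps also do not say what to do when either field already contains entries; state whether the value is added to the existing list or replaces it, and what separator to use. Minor: "Sign into UKG" should be "Sign in to UKG", and "Each user that will be using" reads better as "Each user who will use".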
frontline Shifts Connector Wizard Intro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/includes/shifts-connector-wizard-intro.md
audience: admin
-The Shifts connector wizard in the Microsoft 365 admin center enables you to integrate the Shifts app in Microsoft Teams with your workforce management (WFM) system. After you set up a connection, your frontline workers can seamlessly view and manage their schedules in your WFM system from within Shifts.
+The Shifts connector wizard in the Microsoft 365 admin center enables you to integrate the Shifts app in Microsoft Teams with your workforce management (WFM) system. Your frontline workers can seamlessly view and manage their schedules in your WFM system from within Shifts.
-The wizard configures the Shifts connector, creates a connection to your WFM system, and applies the sync settings and team mappings that you choose. Sync settings determine the schedule information that's synced between your WFM system and Shifts. Team mappings define the sync relationship between your WFM instances and teams in Teams. You can map to existing teams and new teams.
+The wizard creates a connection to your WFM system and a connection instance, which apply the sync settings and team mappings that you choose. Sync settings determine the schedule information that's synced between your WFM system and Shifts. Team mappings define the sync relationship between your WFM instances and teams in Teams.
-You can set up multiple connections, each with different sync settings. For example, if your organization has multiple locations with different schedule requirements, create a connection with unique sync settings for each location. Keep in mind that a WFM instance can only be mapped to one team at any given time. If a WFM instance is already mapped to a team, it can't be mapped to another team.
+You can create one or more connection instances, each with different sync settings. For example, if your organization has multiple locations with different schedule requirements, create a connection instance with unique sync settings for each location. Keep in mind that a WFM instance can only be mapped to one team at any given time. If a WFM instance is already mapped to a team, it can't be mapped to another team.
With your WFM system as the system of record, your frontline workers can efficiently manage their schedules and availability in Shifts on their devices. Frontline managers can continue to use your WFM system to set up schedules.
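Review bot: The rewritten second paragraph introduces "connection instance" without defining it or saying how it differs from a "connection", and the later sentences depend on that distinction ("create one or more connection instances, each with different sync settings"). Add one sentence that defines both terms on first use. In "creates a connection to your WFM system and a connection instance, which apply the sync settings", the antecedent of "which apply" is unclear; say explicitly that the connection instance carries the sync settings and team mappings if that is the intent.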
frontline Shifts Connector Blue Yonder Admin Center Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-blue-yonder-admin-center-manage.md
Title: Use the Microsoft 365 admin center to manage your Shifts connection to Blue Yonder Workforce Management----
+ Title: Use the Microsoft 365 admin center to manage your Shifts connection to Blue Yonder Workforce Management (Preview)
++++ audience: admin
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 10/28/2022 Last updated : 2/27/2023
-# Use the Microsoft 365 admin center to manage your Shifts connection to Blue Yonder Workforce Management
+# Use the Microsoft 365 admin center to manage your Shifts connection to Blue Yonder Workforce Management (Preview)
## Overview
-The [Microsoft Teams Shifts connector for Blue Yonder](shifts-connectors.md#microsoft-teams-shifts-connector-for-blue-yonder) enables you to integrate the Shifts app in Microsoft Teams with Blue Yonder Workforce Management (Blue Yonder WFM). After you set up a connection, your frontline workers can seamlessly view and manage their schedules in Blue Yonder WFM from within Shifts.
+The [Microsoft Teams Shifts connector for Blue Yonder](shifts-connectors.md#microsoft-teams-shifts-connector-for-blue-yonder) (Preview) enables you to integrate the Shifts app in Microsoft Teams with Blue Yonder Workforce Management (Blue Yonder WFM). Your frontline workers can seamlessly view and manage their schedules in Blue Yonder WFM from within Shifts.
-You can use the [Shifts connector wizard](shifts-connector-wizard.md) in the Microsoft 365 admin center or [PowerShell](shifts-connector-blue-yonder-powershell-setup.md) to create a connection. After a connection is set up, you can manage it in the Microsoft 365 admin center. The Connector Management page lists each connection that you've set up, along with information such as health status and sync interval details. You can also access the wizard to create a new connection or make changes to any of your existing connections. For example, you can update sync settings and team mappings.
+You can use the [Shifts connector wizard](shifts-connector-wizard.md) (Preview) in the Microsoft 365 admin center or [PowerShell](shifts-connector-blue-yonder-powershell-setup.md) to create a connection and connection instances. After they're set up, you can manage them in the Microsoft 365 admin center. The Connector Management Console page lists each connection and connection instance that you've set up, along with information such as health status and sync interval details. You can also access the wizard to create a new connection and connection instances or make changes to any of your existing ones. For example, you can update sync settings and team mappings.
> [!NOTE] > You can also use PowerShell to manage a connection. For example, you can view an error report, change connection settings, and disable sync. To learn more, see [Use PowerShell to manage your Shifts connection to Blue Yonder Workforce Management](shifts-connector-powershell-manage.md).
-## Manage your connection
+## Manage
1. In the left navigation of the [Microsoft 365 admin center](https://admin.microsoft.com/), choose **Setup**, and then under **Featured collections**, select **Frontline workers**.
-2. Select **Manage Shifts connectors**, and then choose **Manage**. Keep in mind that this option is available only if you've set up at least one connection, either using the wizard or PowerShell.
+2. Select **Connector Management Console**.
- Here, you'll see a list of all the connections you've set up through the wizard or PowerShell, along with information about each one.
+ Here, you'll see a list of all the connections and connection instances you've set up through the wizard or PowerShell, along with information about each one.
:::image type="content" source="media/shifts-connector-blue-yonder-manage.png" alt-text="Screenshot of the Connector Management page in the Microsoft 365 admin center, showing a list of connections." lightbox="media/shifts-connector-blue-yonder-manage.png":::
- - To create a new connection, select **Add connector** at the top of the page to start the wizard.
- - To view more details about a connection, click the connection name. On the details page, you'll see health information, including mapping and account authorization errors and warnings (if any), the list of mappings (if any), and more. You can also choose **Edit** to update connection settings in the wizard.
+### Manage your connection
- :::image type="content" source="media/shifts-connector-blue-yonder-manage-details.png" alt-text="Screenshot of the details page for a connection, showing connector health and mappings information." lightbox="media/shifts-connector-blue-yonder-manage-details.png":::
+- To create a new connection, select **Add connection** at the top of the page.
+- To update connection settings, choose **Edit** next to an existing connection. You'll see the Connection settings pane, where you can update the settings that you want.
- For a complete list of error messages and how to resolve them, see [List of error messages](#list-of-error-messages) later in this article.
+### Manage your connection instances
- - To make changes to a connection, choose **Edit** next to the connection. You'll be taken to the wizard, where you can update the settings that you want.
-
-> [!NOTE]
-> You can also go directly to the Connector Management page when you select the **Connector Management** button on the last page of the wizard during connection setup.
+- To create a new connection instance, select **Create instance**.
+- To make changes to an existing connection instance, choose **Edit** next to the instance name. You'll be taken to the wizard, where you can update the settings and mappings.
+- To view more details about an existing connection instance, select its name. On the details page, you'll see health information, including ongoing errors (if any), and mappings. You can also choose **Edit** to update settings in the wizard or **Back** to return to the Connector Management Console.
+
+ :::image type="content" source="media/shifts-connector-blue-yonder-manage-details.png" alt-text="Screenshot of the details page for a connection, showing connector health and mappings information." lightbox="media/shifts-connector-blue-yonder-manage-details.png":::
+
+For a complete list of error messages and how to resolve them, see [List of error messages](#list-of-error-messages) later in this article.
+
+#### Edit connection instance settings
+
+You'll need to choose the data that your Shifts users can see and change. You'll be given the following options for these settings:
+
+- **Shifts users will not see provider data**: Data won't sync between UKG Dimensions and Shifts. <br>
+- **Shifts users can see provider data**: Data syncing is unidirectional from UKG Dimensions to Shifts. <br>
+- **Shifts users can see and change provider data**: Data syncing is bidirectional between UKG Dimensions and Shifts.
+
+> [!IMPORTANT]
+> Before you disable a feature by selecting the option **Shifts users will not see provider data**, be aware that:
+>
+> - If the setting **Schedules, groups, shifts, and activities** is disabled, then all other settings, such as **Time off** and **Employee availability**, and more, will also be disabled.
+> - If the setting **Open shift** is disabled, **Open shift request** will also be disabled.
+> - If the setting **Time off** is disabled, **Time off request** will also be disabled.
+
+> [!IMPORTANT]
+> If you chose any of the following options to disable open shifts, open shift requests, swap requests, or time off requests, there's another step you need to do to hide the capability in Shifts.
+>
+> - Open shifts: **Shifts users will not see provider data**
+> - Swap requests: **Shifts users will not see provider data**
+> - Time off requests: **Shifts users will not see provider data**
+>
+> After you edit your settings, make sure you follow the steps to [Disable open shifts, open shifts requests, swap requests, and time off requests.](/microsoft-365/frontline/shifts-connector-wizard-ukg#disable-open-shifts-open-shifts-requests-swap-requests-and-time-off-requests)
## List of error messages
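Review bot: The new "Edit connection instance settings" section is in the Blue Yonder article but describes sync direction "between UKG Dimensions and Shifts" in all three options and sends the reader to `/microsoft-365/frontline/shifts-connector-wizard-ukg#disable-open-shifts-…` for the follow-up steps. This looks copied from the UKG article; replace the product name with Blue Yonder WFM and point the link at the Blue Yonder equivalent of that procedure. In the second IMPORTANT block, the lead sentence names four capabilities (open shifts, open shift requests, swap requests, time off requests) but the list beneath it has only three entries, with open shift requests missing.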
Here's the list of error messages that you may encounter and information to help
|Error type |Error details |Resolution | ||||
-|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** on the Connector Management page or the connection details page to go to the Shifts connector wizard.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or [Update-CsTeamsShiftsConnectionInstance](/powershell/module/teams/update-csteamsshiftsconnectioninstance) cmdlet.</li><li>Use [this PowerShell script](shifts-connector-powershell-manage.md#change-connection-settings).</li></ul>|
+|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** next to the connection on the Connector Management Console page.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or [Update-CsTeamsShiftsConnectionInstance](/powershell/module/teams/update-csteamsshiftsconnectioninstance) cmdlet.</li><li>Use [this PowerShell script](shifts-connector-powershell-manage.md#change-connection-settings).</li></ul>|
|Unable to authenticate Graph. |Authentication failed. Ensure that you've entered valid credentials for the designated actor and have the required permissions.|Make sure that your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br> Or, update your Microsoft 365 system account credentials in the connection settings.| |Some users have failed to map correctly|Mapping failed for some users: \<X\> succeeded, \<X\> failed AAD user(s) and \<X\> failed workforce management system user(s).|Use the [Get-CsTeamsShiftsConnectionSyncResult](/powershell/module/teams/get-csteamsshiftsconnectionsyncresult) cmdlet or [this PowerShell script](shifts-connector-powershell-manage.md#user-mapping-errors) to identify the users for whom the mapping failed. Make sure that the users in the mapped team match the users in the WFM instance.|
-|Unable to map a team or teams in this batch. |This designated actor profile doesn't have team ownership privileges. |Make sure your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br>If youΓÇÖve changed your Microsoft 365 system account, add that account as a team owner, and update the connection settings to use that account.|
-| |This team is already mapped to an existing connector instance. |Unmap the team from the existing connection by using the [Remove-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/remove-csteamsshiftsconnectionteammap) cmdlet. Or, create a new connection to remap the team.|
-| |This timezone is invalid. The timezone passed in is not using tz database format.|Make sure that the time zone is correct, and then remap the team.|
-| |We can't find this connector instance.|Map the team to an existing connection.|
-| |This AAD team couldn't be found.|Make sure that the team exists or create a new team.|
+
+### Error: Unable to map a team or teams in this batch
+
+|Error details |Resolution |
+|--|--|
+|This designated actor profile doesn't have team ownership privileges. |Make sure your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br>If youΓÇÖve changed your Microsoft 365 system account, add that account as a team owner, and update the connection settings to use that account.|
+|This team is already mapped to an existing connection instance. |Unmap the team from the existing connection instance by using the [Remove-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/remove-csteamsshiftsconnectionteammap) cmdlet. Or, create a new connection to remap the team.|
+|This timezone is invalid. The timezone passed in isn't using tz database format.|Make sure that the time zone is correct, and then remap the team.|
+|We can't find this connection instance.|Map the team to an existing connection instance.|
+|This AAD team couldn't be found.|Make sure that the team exists or create a new team.|
## Related articles
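Review bot: In the new "Unable to map a team or teams in this batch" table, the second row was updated to say "connection instance" in both cells but still ends with "Or, create a new connection to remap the team", so it is unclear whether the reader should create a connection or a connection instance; align it with the renamed terminology used in the rest of the row. The first row also carries over the corrupted apostrophe in "youΓÇÖve" from the removed line; replace it with a plain apostrophe while the row is being rewritten.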
frontline Shifts Connector Blue Yonder Known Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-blue-yonder-known-issues.md
Title: Teams Shifts connector for Blue Yonder known issues----++++ audience: admin
frontline Shifts Connector Blue Yonder Powershell Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-blue-yonder-powershell-setup.md
Title: Use PowerShell to connect Shifts to Blue Yonder Workforce Management----++++ audience: admin
Last updated 10/28/2022
## Overview
-Use the [Microsoft Teams Shifts connector for Blue Yonder](shifts-connectors.md#microsoft-teams-shifts-connector-for-blue-yonder) to integrate the Shifts app in Microsoft Teams with Blue Yonder Workforce Management (Blue Yonder WFM). After a connection is set up, your frontline workers can seamlessly view and manage their schedules in Blue Yonder WFM from within Shifts.
+Use the [Microsoft Teams Shifts connector for Blue Yonder](shifts-connectors.md#microsoft-teams-shifts-connector-for-blue-yonder) to integrate the Shifts app in Microsoft Teams with Blue Yonder Workforce Management (Blue Yonder WFM). Your frontline workers can seamlessly view and manage their schedules in Blue Yonder WFM from within Shifts.
In this article, we walk you through how to use PowerShell to set up and configure the connector to integrate Shifts with Blue Yonder WFM.
frontline Shifts Connector Powershell Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-powershell-manage.md
Title: Use PowerShell to manage your Shifts connection to Blue Yonder Workforce Management----++++ audience: admin
Last updated 10/28/2022
## Overview
-The [Microsoft Teams Shifts connector for Blue Yonder](shifts-connectors.md#microsoft-teams-shifts-connector-for-blue-yonder) enables you to integrate the Shifts app in Microsoft Teams with Blue Yonder Workforce Management (Blue Yonder WFM). After you set up a connection, your frontline workers can seamlessly view and manage their schedules in Blue Yonder WFM from within Shifts.
+The [Microsoft Teams Shifts connector for Blue Yonder](shifts-connectors.md#microsoft-teams-shifts-connector-for-blue-yonder) enables you to integrate the Shifts app in Microsoft Teams with Blue Yonder Workforce Management (Blue Yonder WFM). Your frontline workers can seamlessly view and manage their schedules in Blue Yonder WFM from within Shifts.
You can use the [Shifts connector wizard](shifts-connector-wizard.md) in the Microsoft 365 admin center or [PowerShell](shifts-connector-blue-yonder-powershell-setup.md) to set up a connection. After a connection is set up, you can manage it by using [Shifts connector PowerShell cmdlets](#shifts-connector-cmdlets).
Here's the list of error messages that you may encounter and information to help
|Error type |Error details |Resolution | ||||
-|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** on the Connector Management page or the connection details page to go to the Shifts connector wizard.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or [Update-CsTeamsShiftsConnectionInstance](/powershell/module/teams/update-csteamsshiftsconnectioninstance) cmdlet.</li><li>Use [this PowerShell script](#change-connection-settings).</li></ul>|
+|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** next to the connection on the Connector Management Console page.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or [Update-CsTeamsShiftsConnectionInstance](/powershell/module/teams/update-csteamsshiftsconnectioninstance) cmdlet.</li><li>Use [this PowerShell script](#change-connection-settings).</li></ul>|
|Unable to authenticate Graph. |Authentication failed. Ensure that you've entered valid credentials for the designated actor and have the required permissions.|Make sure that your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br> Or, update your Microsoft 365 system account credentials in the connection settings.| |Some users have failed to map correctly|Mapping failed for some users: \<X\> succeeded, \<X\> failed AAD user(s) and \<X\> failed workforce management system user(s).|Use the [Get-CsTeamsShiftsConnectionSyncResult](/powershell/module/teams/get-csteamsshiftsconnectionsyncresult) cmdlet or [this PowerShell script](#user-mapping-errors) to identify the users for whom the mapping failed. Make sure that the users in the mapped team match the users in the WFM instance.| |Unable to map a team or teams in this batch. |This designated actor profile doesn't have team ownership privileges. |Make sure your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br>If youΓÇÖve changed your Microsoft 365 system account, add that account as a team owner, and update the connection settings to use that account.|
-| |This team is already mapped to an existing connector instance. |Unmap the team from the existing connection by using the [Remove-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/remove-csteamsshiftsconnectionteammap) cmdlet. Or, create a new connection to remap the team.|
+| |This team is already mapped to an existing connector instance. |Unmap the team from the existing connector instance by using the [Remove-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/remove-csteamsshiftsconnectionteammap) cmdlet. Or, create a new connection to remap the team.|
| |This timezone is invalid. The timezone passed in is not using tz database format.|Make sure that the time zone is correct, and then remap the team.| | |We can't find this connector instance.|Map the team to an existing connection.| | |This AAD team couldn't be found.|Make sure that the team exists or create a new team.|
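Review bot: the "Unable to authenticate workforce management system" row still resolves only the first of its two stated causes. The error details say the credentials are invalid or the account "doesn't have the required permissions", but all three options in the rewritten list are ways to update credentials. Suggest adding a line on how to check the permissions of the WFM service account, so that a permissions failure isn't answered by re-entering the same password.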
frontline Shifts Connector Ukg Admin Center Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-ukg-admin-center-manage.md
Title: Use the Microsoft 365 admin center to manage your Shifts connection to UKG Dimensions----
+ Title: Use the Microsoft 365 admin center to manage your Shifts connection to UKG Dimensions (Preview)
++++ audience: admin
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 10/28/2022 Last updated : 2/27/2023
-# Use the Microsoft 365 admin center to manage your Shifts connection to UKG Dimensions
-
+# Use the Microsoft 365 admin center to manage your Shifts connection to UKG Dimensions (Preview)
## Overview
-The [Microsoft Teams Shifts connector for UKG Dimensions](shifts-connectors.md#microsoft-teams-shifts-connector-for-ukg-dimensions) enables you to integrate the Shifts app in Microsoft Teams with UKG Dimensions. After you set up a connection, your frontline workers can seamlessly view and manage their schedules in UKG Dimensions from within Shifts.
+The [Microsoft Teams Shifts connector for UKG Dimensions](shifts-connectors.md#microsoft-teams-shifts-connector-for-ukg-dimensions) (Preview) enables you to integrate the Shifts app in Microsoft Teams with UKG Dimensions. Your frontline workers can seamlessly view and manage their schedules in UKG Dimensions from within Shifts.
-You can use the [Shifts connector wizard](shifts-connector-wizard-ukg.md) in the Microsoft 365 admin center or [PowerShell](shifts-connector-ukg-powershell-setup.md) to create a connection. After a connection is set up, you can manage it in the Microsoft 365 admin center. The Connector Management page lists each connection that you've set up, along with information such as health status and sync interval details. You can also access the wizard to create a new connection or make changes to any of your existing connections. For example, you can update sync settings and team mappings.
+You can use the [Shifts connector wizard](shifts-connector-wizard-ukg.md) (Preview) in the Microsoft 365 admin center or [PowerShell](shifts-connector-ukg-powershell-setup.md) to create a connection and connection instances. After they're set up, you can manage them in the Microsoft 365 admin center. The Connector Management Console page lists each connection and connection instance that you've set up, along with information such as health status and sync interval details. You can also access the wizard to create a new connection and connection instances or make changes to any of your existing ones. For example, you can update sync settings and team mappings.
> [!NOTE] > You can also use PowerShell to manage a connection. For example, you can view an error report, change connection settings, and disable sync. To learn more, see [Use PowerShell to manage your Shifts connection to UKG Dimensions](shifts-connector-ukg-powershell-manage.md).
-## Manage your connection
+## Manage
1. In the left navigation of the [Microsoft 365 admin center](https://admin.microsoft.com/), choose **Setup**, and then under **Featured collections**, select **Frontline workers**.
-2. Select **Manage Shifts connectors**, and then choose **Manage**. Keep in mind that this option is available only if you've set up at least one connection, either using the wizard or PowerShell.
+2. Select **Connector Management Console**.
- Here, you'll see a list of all the connections you've set up through the wizard or PowerShell, along with information about each one.
+ Here, you'll see a list of all the connections and connection instances you've set up through the wizard or PowerShell, along with information about each one.
:::image type="content" source="media/shifts-connector-ukg-manage.png" alt-text="Screenshot of the Connector Management page in the Microsoft 365 admin center, showing a list of connections." lightbox="media/shifts-connector-ukg-manage.png":::
- - To create a new connection, select **Add connector** at the top of the page to start the wizard.
+### Manage your connection
- - To view more details about a connection, click the connection name. On the details page, you'll see health information, including mapping and account authorization errors (if any), the list of mappings (if any), and more. You can also choose **Edit** to update connection settings in the wizard.
+- To create a new connection, select **Add connection** at the top of the page.
+- To update connection settings, choose **Edit** next to an existing connection. You'll see the Connection settings pane, where you can update the settings that you want.
- :::image type="content" source="media/shifts-connector-ukg-manage-details.png" alt-text="Screenshot of the details page for a connection, showing connector health and mappings information." lightbox="media/shifts-connector-ukg-manage-details.png":::
+### Manage your connection instances
- For a complete list of error messages and how to resolve them, see [List of error messages](#list-of-error-messages) later in this article.
+- To create a new connection instance, select **Create instance**.
+- To make changes to an existing connection instance, choose **Edit** next to the instance name. You'll be taken to the wizard, where you can update the settings and mappings.
+- To view more details about an existing connection instance, select its name. On the details page, you'll see health information, including ongoing errors (if any), and mappings. You can also choose **Edit** to update settings in the wizard or **Back** to return to the Connector Management Console.
- - To make changes to a connection, choose **Edit** next to the connection. You'll be taken to the wizard, where you can update the settings that you want.
-
-> [!NOTE]
-> You can also go directly to the Connector Management page when you select the **Connector Management** button on the last page of the wizard during connection setup.
+ :::image type="content" source="media/shifts-connector-ukg-manage-details.png" alt-text="Screenshot of the details page for a connection, showing connector health and mappings information." lightbox="media/shifts-connector-ukg-manage-details.png":::
+
+For a complete list of error messages and how to resolve them, see [List of error messages](#list-of-error-messages) later in this article.
+
+#### Edit connection instance settings
+
+You'll need to choose the data that your Shifts users can see and change. You'll be given the following options for these settings:
+
+- **Shifts users will not see provider data**: Data won't sync between UKG Dimensions and Shifts. <br>
+- **Shifts users can see provider data**: Data syncing is unidirectional from UKG Dimensions to Shifts. <br>
+- **Shifts users can see and change provider data**: Data syncing is bidirectional between UKG Dimensions and Shifts.
+
+> [!IMPORTANT]
+> Before you disable a feature by selecting the option **Shifts users will not see provider data**, be aware that:
+>
+> - If the setting **Schedules, groups, shifts, and activities** is disabled, then all other settings, such as **Time off** and **Employee availability**, and more, will also be disabled.
+> - If the setting **Open shift** is disabled, **Open shift request** will also be disabled.
+> - If the setting **Time off** is disabled, **Time off request** will also be disabled.
+
+> [!IMPORTANT]
+> If you chose any of the following options to disable open shifts, open shift requests, swap requests, or time off requests, there's another step you need to do to hide the capability in Shifts.
+>
+> - Open shifts: **Shifts users will not see provider data**
+> - Swap requests: **Shifts users will not see provider data**
+> - Time off requests: **Shifts users will not see provider data**
+>
+> After you edit your settings, make sure you follow the steps to [Disable open shifts, open shifts requests, swap requests, and time off requests.](/microsoft-365/frontline/shifts-connector-wizard-ukg#disable-open-shifts-open-shifts-requests-swap-requests-and-time-off-requests)
## List of error messages
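Review bot: the second IMPORTANT callout under "Edit connection instance settings" names four capabilities but lists three. The lead sentence covers "open shifts, open shift requests, swap requests, or time off requests", while the bullets give only Open shifts, Swap requests and Time off requests, so a reader who disabled open shift requests can't tell whether the extra hide step applies. Add the missing bullet or drop the item from the sentence. The closing link also has the period inside the link text and uses an absolute /microsoft-365/frontline/ path where the rest of the article links relatively.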
Here's the list of error messages that you may encounter and information to help
|Error type |Error details |Resolution | ||||
-|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** on the Connector Management page or the connection details page to go to the Shifts connector wizard.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or [Update-CsTeamsShiftsConnectionInstance](/powershell/module/teams/update-csteamsshiftsconnectioninstance) cmdlet.</li><li>Use [this PowerShell script](shifts-connector-ukg-powershell-manage.md#change-connection-settings).</li></ul>|
+|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** next to the connection on the Connector Management Console page.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or [Update-CsTeamsShiftsConnectionInstance](/powershell/module/teams/update-csteamsshiftsconnectioninstance) cmdlet.</li><li>Use [this PowerShell script](shifts-connector-ukg-powershell-manage.md#change-connection-settings).</li></ul>|
|Unable to authenticate Graph. |Authentication failed. Ensure that you've entered valid credentials for the designated actor and have the required permissions.|Make sure that your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br> Or, update your Microsoft 365 system account credentials in the connection settings.| |Some users have failed to map correctly|Mapping failed for some users: \<X\> succeeded, \<X\> failed AAD user(s) and \<X\> failed workforce management system user(s).|Use the [Get-CsTeamsShiftsConnectionSyncResult](/powershell/module/teams/get-csteamsshiftsconnectionsyncresult) cmdlet or [this PowerShell script](shifts-connector-ukg-powershell-manage.md#user-mapping-errors) to identify the users for whom the mapping failed. Make sure that the users in the mapped team match the users in the WFM instance.|
-|Unable to map a team or teams in this batch. |This designated actor profile doesn't have team ownership privileges. |Make sure your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br>If youΓÇÖve changed your Microsoft 365 system account, add that account as a team owner, and update the connection settings to use that account.|
-| |This team is already mapped to an existing connector instance. |Unmap the team from the existing connection by using the [Remove-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/remove-csteamsshiftsconnectionteammap) cmdlet. Or, create a new connection to remap the team.|
-| |This timezone is invalid. The timezone passed in is not using tz database format.|Make sure that the time zone is correct, and then remap the team.|
-| |We can't find this connector instance.|Map the team to an existing connection.|
-| |This AAD team couldn't be found.|Make sure that the team exists or create a new team.|
+
+### Error: Unable to map a team or teams in this batch
+
+|Error details |Resolution |
+|-|-|
+|This designated actor profile doesn't have team ownership privileges. |Make sure your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br>If youΓÇÖve changed your Microsoft 365 system account, add that account as a team owner, and update the connection settings to use that account.|
+|This team is already mapped to an existing connection instance. |Unmap the team from the existing connection instance by using the [Remove-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/remove-csteamsshiftsconnectionteammap) cmdlet. Or, create a new connection to remap the team.|
+|This timezone is invalid. The timezone passed in isn't using tz database format.|Make sure that the time zone is correct, and then remap the team.|
+|This connection instance couldn't be found.|Map the team to an existing connection instance.|
+|This AAD team couldn't be found.|Make sure that the team exists or create a new team.|
## Related articles
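Review bot: in the new "Unable to map a team or teams in this batch" table, the "already mapped" row tells the admin to unmap from the existing connection instance "Or, create a new connection to remap the team". The rest of the row was moved to the connection instance wording, so check whether the second option should read "connection instance" as well. The time zone row could also give one example of tz database format, such as America/Los_Angeles, so that "Make sure that the time zone is correct" is actionable.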
frontline Shifts Connector Ukg Known Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-ukg-known-issues.md
Title: Team Shifts connector for UKG Dimensions known issues----++++ audience: admin
Last updated 10/28/2022
# Known issues: Team Shifts connector for UKG Dimensions - This article lists known issues for the [Microsoft Teams Shifts connector for UKG Dimensions](shifts-connectors.md#microsoft-teams-shifts-connector-for-ukg-dimensions). ## You can map an instance to more than one team using PowerShell or Microsoft Graph
frontline Shifts Connector Ukg Powershell Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-ukg-powershell-manage.md
Title: Use PowerShell to manage your Shifts connection to UKG Dimensions----++++ audience: admin
Last updated 10/28/2022
# Use PowerShell to manage your Shifts connection to UKG Dimensions - ## Overview
-The [Microsoft Teams Shifts connector for UKG Dimensions](shifts-connectors.md#microsoft-teams-shifts-connector-for-ukg-dimensions) enables you to integrate the Shifts app in Microsoft Teams with UKG Dimensions. After you set up a connection, your frontline workers can seamlessly view and manage their schedules in UKG Dimensions from within Shifts.
+The [Microsoft Teams Shifts connector for UKG Dimensions](shifts-connectors.md#microsoft-teams-shifts-connector-for-ukg-dimensions) enables you to integrate the Shifts app in Microsoft Teams with UKG Dimensions. Your frontline workers can seamlessly view and manage their schedules in UKG Dimensions from within Shifts.
You can use the [Shifts connector wizard](shifts-connector-wizard-ukg.md) in the Microsoft 365 admin center or [PowerShell](shifts-connector-ukg-powershell-setup.md) to set up a connection. After a connection is set up, you can manage it by using [Shifts connector PowerShell cmdlets](#shifts-connector-cmdlets).
Here's the list of error messages that you may encounter and information to help
|Error type |Error details |Resolution | ||||
-|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** on the Connector Management page or the connection details page to go to the Shifts connector wizard.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or [Update-CsTeamsShiftsConnectionInstance](/powershell/module/teams/update-csteamsshiftsconnectioninstance) cmdlet.</li><li>Use [this PowerShell script](#change-connection-settings).</li></ul>|
+|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** next to the connection on the Connector Management Console page.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or [Update-CsTeamsShiftsConnectionInstance](/powershell/module/teams/update-csteamsshiftsconnectioninstance) cmdlet.</li><li>Use [this PowerShell script](#change-connection-settings).</li></ul>|
|Unable to authenticate Graph. |Authentication failed. Ensure that you've entered valid credentials for the designated actor and have the required permissions.|Make sure that your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br> Or, update your Microsoft 365 system account credentials in the connection settings.| |Some users have failed to map correctly|Mapping failed for some users: \<X\> succeeded, \<X\> failed AAD user(s) and \<X\> failed workforce management system user(s).|Use the [Get-CsTeamsShiftsConnectionSyncResult](/powershell/module/teams/get-csteamsshiftsconnectionsyncresult) cmdlet or [this PowerShell script](#user-mapping-errors) to identify the users for whom the mapping failed. Make sure that the users in the mapped team match the users in the WFM instance.| |Unable to map a team or teams in this batch. |This designated actor profile doesn't have team ownership privileges. |Make sure your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br>If youΓÇÖve changed your Microsoft 365 system account, add that account as a team owner, and update the connection settings to use that account.|
-| |This team is already mapped to an existing connector instance. |Unmap the team from the existing connection by using the [Remove-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/remove-csteamsshiftsconnectionteammap) cmdlet. Or, create a new connection to remap the team.|
+| |This team is already mapped to an existing connector instance. |Unmap the team from the existing connector instance by using the [Remove-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/remove-csteamsshiftsconnectionteammap) cmdlet. Or, create a new connection to remap the team.|
| |This timezone is invalid. The timezone passed in is not using tz database format.|Make sure that the time zone is correct, and then remap the team.| | |We can't find this connector instance.|Map the team to an existing connection.| | |This AAD team couldn't be found.|Make sure that the team exists or create a new team.|
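Review bot: the error strings in this table no longer match the ones in the admin center article changed in the same update. This file has "This team is already mapped to an existing connector instance." and "We can't find this connector instance.", while shifts-connector-ukg-admin-center-manage.md now has "existing connection instance" and "This connection instance couldn't be found." Admins look these rows up by the exact text they see, so both articles should quote the string the product shows.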
frontline Shifts Connector Ukg Powershell Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-ukg-powershell-setup.md
Title: Use PowerShell to connect Shifts to UKG Dimensions----++++ audience: admin
Last updated 10/28/2022
## Overview -
-Use the [Microsoft Teams Shifts connector for UKG Dimensions](shifts-connectors.md#microsoft-teams-shifts-connector-for-ukg-dimensions) to integrate the Shifts app in Microsoft Teams with UKG Dimensions. After a connection is set up, your frontline workers can seamlessly view and manage their schedules in UKG Dimensions from within Shifts.
+Use the [Microsoft Teams Shifts connector for UKG Dimensions](shifts-connectors.md#microsoft-teams-shifts-connector-for-ukg-dimensions) to integrate the Shifts app in Microsoft Teams with UKG Dimensions. Your frontline workers can seamlessly view and manage their schedules in UKG Dimensions from within Shifts.
In this article, we walk you through how to use PowerShell to set up and configure the connector to integrate Shifts with UKG Dimensions.
With UKG Dimensions as the system of record, your frontline workers can efficien
[!INCLUDE [shifts-connector-ukg-prerequisites](includes/shifts-connector-ukg-prerequisites.md)]
+### Configure single sign-on
++ ### Admin role to manage the connector using PowerShell [!INCLUDE [shifts-connector-admin-role](includes/shifts-connector-admin-role.md)]
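Review bot: the added "Configure single sign-on" heading has no body in this hunk; the next visible content is already the "Admin role to manage the connector using PowerShell" heading. If an include is meant to sit under it, as with the prerequisites and admin role sections, confirm that it is part of the commit and resolves. Otherwise the prerequisites render an empty SSO section. The same bare heading is added in shifts-connector-wizard-ukg.md.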
frontline Shifts Connector Wizard Ukg https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-wizard-ukg.md
Title: Use the Shifts connector wizard to connect Shifts to UKG Dimensions----
+ Title: Use the Shifts connector wizard to connect Shifts to UKG Dimensions (Preview)
++++ audience: admin
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 10/28/2022 Last updated : 2/27/2023
-# Use the Shifts connector wizard to connect Shifts to UKG Dimensions
+# Use the Shifts connector wizard to connect Shifts to UKG Dimensions (Preview)
## Overview - [!INCLUDE [shifts-connector-wizard-intro](includes/shifts-connector-wizard-intro.md)] ## Integrate Shifts with UKG Dimensions
-The [Microsoft Teams Shifts connector for UKG Dimensions](shifts-connectors.md#microsoft-teams-shifts-connector-for-ukg-dimensions) enables you to integrate Shifts with UKG Dimensions to manage your schedules and keep them up to date. In this article, we walk you through how to run the wizard to set up a connection to UKG Dimensions through the connector.
+The [Microsoft Teams Shifts connector for UKG Dimensions](shifts-connectors.md#microsoft-teams-shifts-connector-for-ukg-dimensions) enables you to integrate Shifts with UKG Dimensions to manage your schedules and keep them up to date. In this article, we walk you through how to run the wizard to set up a connection and a connection instance to UKG Dimensions through the connector.
> [!NOTE] > You can also use PowerShell to integrate Shifts with UKG Dimensions. To learn more, see [Use PowerShell to connect Shifts to UKG Dimensions](shifts-connector-ukg-powershell-setup.md).
You must be a Microsoft 365 global admin to run the wizard.
- The teams you want to map don't have any schedules. If a team has an existing schedule, [remove the schedule from the team](#remove-schedules-from-teams-you-want-to-map) before you map a UKG Dimensions instance to it. Otherwise, you'll see duplicate shifts.
+### Configure single sign-on
++ <a name="remove_schedules"> </a> ## Remove schedules from teams you want to map > [!NOTE]
-> Complete this step if you're mapping UKG Dimensions instances to existing teams that have schedules. If you're mapping to teams that don't have any schedules or if you're creating new teams to map to, you can skip this step.
+> Complete this step if you're mapping UKG Dimensions instances to existing teams that have schedules. If you're mapping to teams that don't have any schedules or if you've already created new teams to map to, you can skip this step.
Use PowerShell to remove schedules from teams. 1. First, you'll need to install the PowerShell modules and get set up. Follow the steps to [set up your environment](shifts-connector-ukg-powershell-manage.md#set-up-your-environment)+ 1. Run the following command: ```powershell
To learn more, see [Remove-CsTeamsShiftsScheduleRecord](/powershell/module/teams
## Run the wizard
-### Get started
+### Create a connection
-1. In the left navigation of the [Microsoft 365 admin center](https://admin.microsoft.com/), choose **Setup**, and then go to the **Apps and email** section.
-1. Select **Connect your workforce management system**. Here, you can learn more about Shifts connectors and the frontline worker and manager experience when you connect Shifts to your WFM system.
+1. In the left navigation of the [Microsoft 365 admin center](https://admin.microsoft.com/), choose **Setup**, and then under **Featured collections**, select **Frontline workers**.
+
+1. Select **Connector Management Console**.
:::image type="content" source="media/shifts-connector-wizard-get-started.png" alt-text="Screenshot of the details page for the Shifts connector wizard in the Microsoft 365 admin center." lightbox="media/shifts-connector-wizard-get-started.png":::
-1. When you're ready, select **Get started**.
-1. On the Choose your connector page, choose **UKG Dimensions**, and then select **Next** to create a UKG Dimensions connection.
+1. To create a new connection, choose **Add connection**.
+
+1. In the Choose your connector pane, choose **UKG Dimensions**, and then select **Next** to create a UKG Dimensions connection.
<a name="connection_details"> </a>
-### Enter connection details
-1. On the Connection details page, give your connection a unique name. It can't be longer than 128 characters or have any special characters.
+1. In the Connection settings pane, give your connection a unique name. It can't be longer than 100 characters or have any special characters.
+
+1. Enter your UKG Dimensions service account name (which enables access to all instances created in UKG Dimensions) and password and service URLs. If you don't know one or more of your connection details, contact your UKG Dimensions delivery partner or account manager.
:::image type="content" source="media/shifts-connector-wizard-ukg-connection-details.png" alt-text="Screenshot of the Connection details page of the wizard, showing connection settings." lightbox="media/shifts-connector-wizard-ukg-connection-details.png":::
-1. Enter your UKG Dimensions service account name (which enables access to all instances created in UKG Dimensions) and password and service URLs.
-1. When you're done, select **Next** to test the connection with the settings you entered.
-<a name="sync"> </a>
-### Choose sync settings
+1. When you're done, select **Save connection**.
-On the Sync settings page, you choose the information to sync from UKG Dimensions to Shifts, the sync frequency, and whether Shifts users can make changes to the data.
+> [!NOTE]
+> If you need to create another connection, go to the Connector Management Console page, and then select **Add connection**.
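Review bot: the rewritten "Create a connection" steps drop the connection test without saying what replaces it. The removed step read "select **Next** to test the connection with the settings you entered"; the new one is "select **Save connection**", with no word on whether the service account name, password and service URLs are validated on save. State that, or point to the authentication rows in the list of error messages. The credentials step describes the service account as one that "enables access to all instances created in UKG Dimensions", so this is also the place to say that it should be a dedicated service account rather than a named admin's sign-in. The name rule "can't be longer than 100 characters or have any special characters" would be easier to follow with the allowed characters listed.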
-1. Enter your Microsoft 365 system account.
- :::image type="content" source="media/shifts-connector-wizard-ukg-sync-settings.png" alt-text="Screenshot of the Sync settings page of the wizard, showing sync settings." lightbox="media/shifts-connector-wizard-ukg-sync-settings.png":::
-<a name="email"> </a>
-1. Under **Email notification recipients**, choose who receives email notifications about this connection. You can add individual users and groups. The email notifications contain information about connection setup status and any issues or errors that may occur after the connection is set up.
-1. Choose your sync settings:
- 1. Under **Schedule and shifts**, choose the UKG Dimensions data that Shifts users can see or change, and then set the sync frequency.
- 1. Under **Time card**, choose what action Shifts users can do with time entries.
- 1. Under **Requests**, choose the types of requests that Shifts users can see and create.
+### Create a connection instance
- > [!IMPORTANT]
- > If you chose any of the following options to disable open shifts, open shift requests, swap requests, or time off requests, there's another step you need to do to hide the capability in Shifts.
- >
- > - Open shifts: **Shifts users will not see UKG Dimensions data**
- > - Swap requests: **Feature is disabled for all users**
- > - Time off requests: **Feature is disabled for all users**
- >
- > After you run the wizard, make sure you follow the steps in the [Disable open shifts, open shifts requests, swap requests, and time off requests](#disable-open-shifts-open-shifts-requests-swap-requests-and-time-off-requests) section later in this article.
-
-1. When you're done choosing your settings, select **Create connection**.
+After you create a connection, you can set up one or more connection instances in that connection.
-<a name="instances"> </a>
-### Map UKG Dimensions instances to teams
+You'll see all the connections you've created on your **Connector Management Console**. Under the connection where you want to create a new instance, select **Create instance**
+ :::image type="content" source="media/shifts-connector-wizard-ukg-create-instance.png" alt-text="Screenshot of the Connector Management Console showing existing connections." lightbox="media/shifts-connector-wizard-ukg-create-instance.png":::
-Choose the UKG Dimensions instances that you want to connect to Shifts, and then map each instance to a team in Teams. You can map up to 100 instances. There's two ways that you can do this:
+<a name="sync"> </a>
+#### Choose settings
-- [Manually map instances to teams](#manually-map-instances-to-teams)-- [Prepare and upload a CSV file that defines your mappings](#use-a-csv-file-to-map-instances-to-teams)
+On the Settings page, you choose the information to sync from UKG Dimensions to Shifts, the sync frequency, and whether Shifts users can make changes to the data.
+ :::image type="content" source="media/shifts-connector-wizard-sync-settings.png" alt-text="Screenshot of the Sync settings page of the wizard, showing sync settings." lightbox="media/shifts-connector-wizard-sync-settings.png":::
-<a name="map_manual"> </a>
-#### Manually map instances to teams
+1. Enter a name for your connection instance. It can't be longer than 100 characters or have any special characters.
-Select the instances that you want to map.
+1. Enter your Microsoft 365 system account. This is the [account that you created as a prerequisite](#before-you-begin) that is a team owner of all the teams you want to map.
+<a name="email"> </a>
-Then, map each instance to a team in Teams. You can map an instance to an existing team or you can create a new team.
+1. Under **Email notification recipients**, choose who receives email notifications about this connection instance. You can add individual users and groups. The email notifications contain information about setup status and any issues or errors that may occur after the connection instance is set up.
+ > [!TIP]
+ > You'll be given the following options for the next group of settings: <br>
+ > **Shifts users will not see provider data**: Data won't sync between UKG Dimensions and Shifts. <br>
+ > **Shifts users can see provider data**: Data syncing is unidirectional from UKG Dimensions to Shifts. <br>
+ > **Shifts users can see and change provider data**: Data syncing is bidirectional between UKG Dimensions and Shifts.
-<a name="map_csv"> </a>
-#### Use a CSV file to map instances to teams
+4. Choose your basic, **Time card**, and **Request** settings from the options listed above.
-1. Select **switch to bulk mode**.
-1. Select **download a template file** to download a mapping template that you can use to define your mappings.
+5. Then, choose your sync frequency.
- :::image type="content" source="media/shifts-connector-wizard-ukg-mapping-file.png" alt-text="Screenshot of the Upload mapping file page of the wizard." lightbox="media/shifts-connector-wizard-ukg-mapping-file.png":::
+ > [!IMPORTANT]
+ > Before you disable a feature by selecting the option **Shifts users will not see provider data**, be aware that:
+ >
+ > - If the setting **Schedules, groups, shifts, and activities** is disabled, then all other settings, such as **Time off** and **Employee availability**, and more, will also be disabled.
+ > - If the setting **Open shift** is disabled, **Open shift request** will also be disabled.
+ > - If the setting **Time off** is disabled, **Time off request** will also be disabled.
-1. Use the template to create your mapping file. It contains these columns, in the following order, starting with the first column. An asterisk (*) indicates a required column.
+ > [!IMPORTANT]
+ > If you chose any of the following options to disable open shifts, open shift requests, swap requests, or time off requests, there's another step you need to do to hide the capability in Shifts.
+ >
+ > - Open shifts: **Shifts users will not see provider data**
+ > - Swap requests: **Shifts users will not see provider data**
+ > - Time off requests: **Shifts users will not see provider data**
+ >
+ > After you run the wizard, make sure you follow the steps in the [Disable open shifts, open shifts requests, swap requests, and time off requests](#disable-open-shifts-open-shifts-requests-swap-requests-and-time-off-requests) section later in this article.
- |Column name |Description |
- |||
- |**UKG Dimensions Instance ID*** |The UKG Dimensions WFM instance ID.|
- |**UKG Dimensions Instance Name**|The UKG Dimensions WFM instance name.|
- |**Team ID*** |The team ID.|
- |**Team Name**|The team name.|
- |**Time zone*** |The time zone in tz database format. For example, Europe/London.|
+6. When you're done choosing your settings, select **Next**.
- > [!NOTE]
- > You only need to fill out the required columns (UKG Dimensions Instance ID, Team ID, Time zone) to map instances to teams.
+<a name="instances"> </a>
+#### Map UKG Dimensions instances to teams
- To help you create your mapping file, the template includes a list of all your UKG Dimensions instances, followed by a list of your teams (up to 1,000) and their corresponding team IDs.
+Choose the UKG Dimensions instances that you want to connect to Shifts, and then map each WFM instance to a team in Teams. You can map up to 400 instances.
- Here's an example of what a mapping file looks like.
- |UKG Dimensions Instance ID|UKG Dimensions Instance Name|Team ID|Team Name|Time zone|
- ||||||
- |4201|CO/Australia|ee0bbc99-7120||Australia/Sydney|
- |4203|CO/US|90db4db7-be44|US Team|America/New_York|
- |4251||c88b4ead-c965||Europe/London|
+1. On the **Mapping** page, start by choosing which WFM instance(s) you want to map to Microsoft Teams team(s).
-1. When you've created your mapping file, select **Browse** to upload it. The wizard validates your file. If it finds errors, you'll see a list of the errors, and a message requesting that you correct them. Otherwise, you'll see a message to continue to the next step.
-1. Select **Next**.
+1. Tick the checkbox for each WFM instance you want to map. Instances will only map if you check their boxes.
-### Review and finish
+1. Next, search for and choose the correct Microsoft Teams team.
-Review your settings. If you need to make changes to any team mappings, choose **Edit** to do so. When you're ready, select **Finish**.
+ Keep in mind that teams that are already mapped to a WFM instance in this connection instance won't be available to map again.
+1. Choose the time zone. The closest city will be automatically filled in, but you can change it.
-YouΓÇÖll see a message to confirm that we received your request along with an operation ID. Make a note of the operation ID. You'll need it to check the setup status of your connection.
+1. When you've mapped all your teams, select **Next**.
+### Review and finish
-The wizard starts the process to set up the connection and map the instances to the teams you selected. This process may take some time to complete. The recipients you chose will receive email notifications about setup status.
+Before finishing, review the summary of the connection instance creation process. If you need to make changes during the connection instance creation process, choose **Back**. When you're ready, select **Finish**.
-Select **Done** to exit the wizard.
-YouΓÇÖre on your way but youΓÇÖre not done yet! Be sure to check your email. You'll receive a confirmation that we received your request along with a [link](shifts-connector-ukg-powershell-manage.md#check-connection-setup-status) to how you can check setup status.
+The wizard starts the process to set up the connection instance, which may take some time to complete. If you try to edit the connection instance before the setup is complete, you most likely won't be able to view the mappings you created previously.
-> [!NOTE]
-> If an issue or error occurs in a connection after it's set up, you'll get notified in email. Follow the instructions in the email to troubleshoot the issue.
+The email notification recipients you chose will receive email notifications about setup status in case there are any errors.
## Disable open shifts, open shifts requests, swap requests, and time off requests
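Review bot: In Review and finish, the removed text gave an operation ID and a link to check connection setup status, while the replacement only says recipients get email "in case there are any errors", so the page no longer tells an admin how to confirm that setup completed successfully. Add the current way to check status, or state what a successful setup looks like. The warning that you "most likely won't be able to view the mappings" during setup would be clearer as a definite statement. Smaller points in the same hunk: step 4 refers to "basic" settings, a label the added steps never define; the list mixes repeated "1." numbering with explicit "4.", "5.", "6."; and the sentence ending "select **Create instance**" is missing its period.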
To hide open shifts, swap requests, and time off requests in Shifts, use the Gra
To hide open shifts requests in Shifts, go to **Settings** in Shifts, and then turn off the **Open shifts** setting. <a name="manage"> </a>
-## Manage your connection
+## Manage your connection and connection instance
After a connection is set up, you can manage and make changes to it in the Microsoft 365 admin center or by using PowerShell. ### Use the Microsoft 365 admin center
-The Connector Management page lists each connection that you've set up, along with information such as health status and sync interval details. You can also access the wizard to make changes to any of your connections. For example, you can update sync settings and team mappings.
+The Connector Management Console page lists each connection and connection instance that you've set up, along with information such as health status and sync interval details. You can also access the wizard to create new connections and connection instances and make changes to any of your existing ones. For example, you can update sync settings and team mappings.
To learn more, see [Use the Microsoft 365 admin center to manage your Shifts connection to UKG Dimensions](shifts-connector-ukg-admin-center-manage.md).
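Review bot: The renamed heading and the rewritten Connector Management Console paragraph now cover connection instances, but the unchanged sentence directly under the heading still reads "After a connection is set up, you can manage and make changes to it". Update that sentence to mention connection instances as well, so the section matches its new title.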
frontline Shifts Connector Wizard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connector-wizard.md
Title: Use the Shifts connector wizard to connect Shifts to Blue Yonder Workforce Management----
+ Title: Use the Shifts connector wizard to connect Shifts to Blue Yonder Workforce Management (Preview)
++++ audience: admin
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 10/28/2022 Last updated : 2/27/2023
-# Use the Shifts connector wizard to connect Shifts to Blue Yonder Workforce Management
+# Use the Shifts connector wizard to connect Shifts to Blue Yonder Workforce Management (Preview)
## Overview
Last updated 10/28/2022
## Integrate Shifts with Blue Yonder Workforce Management
-The [Microsoft Teams Shifts connector for Blue Yonder](shifts-connectors.md#microsoft-teams-shifts-connector-for-blue-yonder) enables you to integrate Shifts with Blue Yonder Workforce Management (Blue Yonder WFM) to manage your schedules and keep them up to date. In this article, we walk you through how to run the wizard to set up a connection to Blue Yonder WFM through the connector.
+The [Microsoft Teams Shifts connector for Blue Yonder](shifts-connectors.md#microsoft-teams-shifts-connector-for-blue-yonder) enables you to integrate Shifts with Blue Yonder Workforce Management (Blue Yonder WFM) to manage your schedules and keep them up to date. In this article, we walk you through how to run the wizard to set up a connection and connection instance to Blue Yonder WFM through the connector.
> [!NOTE] > You can also use PowerShell to integrate Shifts with Blue Yonder WFM. To learn more, see [Use PowerShell to connect Shifts to Blue Yonder Workforce Management](shifts-connector-blue-yonder-powershell-setup.md).
To learn more, see [Remove-CsTeamsShiftsScheduleRecord](/powershell/module/teams
## Run the wizard
-### Get started
+### Create a connection
-1. In the left navigation of the [Microsoft 365 admin center](https://admin.microsoft.com/), choose **Setup**, and then go to the **Apps and email** section.
-1. Select **Connect your workforce management system**. Here, you can learn more about Shifts connectors and the frontline worker and manager experience when you connect Shifts to your WFM system.
+1. In the left navigation of the [Microsoft 365 admin center](https://admin.microsoft.com/), choose **Setup**, and then under **Featured collections**, select **Frontline workers**.
+
+1. Select **Connector Management Console**.
:::image type="content" source="media/shifts-connector-wizard-get-started.png" alt-text="Screenshot of the details page for the Shifts connector wizard in the Microsoft 365 admin center." lightbox="media/shifts-connector-wizard-get-started.png":::
-1. When you're ready, select **Get started**.
-1. On the Choose your connector page, choose **Blue Yonder Workforce Management**, and then select **Next** to create a Blue Yonder WFM connection.
-### Enter connection details
+1. To create a new connection, choose **Add connection**.
+
+1. In the Choose your connector pane, choose **Blue Yonder Workforce Management**, and then select **Next** to create a Blue Yonder WFM connection.
<a name="connection_details"> </a>
-1. On the Connection details page, give your connection a unique name. It can't be longer than 128 characters or have any special characters.
+1. In the Connection settings pane, give your connection a unique name. It can't be longer than 100 characters or have any special characters.
+
+1. Enter your Blue Yonder WFM service account name and password and service URLs. If you don't know one or more of your connection details, contact your Blue Yonder WFM partner.
:::image type="content" source="media/shifts-connector-wizard-connection-details.png" alt-text="Screenshot of the Connection details page of the wizard, showing connection settings." lightbox="media/shifts-connector-wizard-connection-details.png":::
-1. Enter your Blue Yonder WFM service account name and password and service URLs.
-1. When you're done, select **Next** to test the connection with the settings you entered.
-### Choose sync settings
-<a name="sync"> </a>
+1. When you're done, select **Save connection**.
-On the Sync settings page, you choose the information to sync from Blue Yonder WFM to Shifts, the sync frequency, and whether Shifts users can make changes to the data.
+> [!NOTE]
+> If you need to create another connection, go to the Connector Management Console page, and then select **Add connection**.
-1. Enter your Microsoft 365 system account.
+### Create a connection instance
+
+After you create a connection, you can set up one or more connection instances in that connection.
+
+You'll see all the connections you've created on your **Connector Management Console**. Under the connection where you want to create a new instance, select **Create instance**.
+ :::image type="content" source="media/shifts-connector-wizard-by-create-instance.png" alt-text="Screenshot of the Connector Management Console, showing the button to create a new instance." lightbox="media/shifts-connector-wizard-by-create-instance.png":::
+
+#### Choose settings
+<a name="sync"> </a>
+
+On the Settings page, you choose the information to sync from Blue Yonder WFM to Shifts, the sync frequency, and whether Shifts users can make changes to the data.
:::image type="content" source="media/shifts-connector-wizard-sync-settings.png" alt-text="Screenshot of the Sync settings page of the wizard, showing sync settings." lightbox="media/shifts-connector-wizard-sync-settings.png":::+
+1. Enter a name for your connection instance. It can't be longer than 100 characters or have any special characters.
+
+1. Enter your Microsoft 365 system account. This is the [account that you created as a prerequisite](#prerequisites) that is a team owner of all the teams you want to map.
+ <a name="email"> </a>
-1. Under **Email notification recipients**, choose who receives email notifications about this connection. You can add individual users and groups. The email notifications contain information about connection setup status and any issues or errors that may occur after the connection is set up.
-1. Choose your sync settings:
- 1. Under **Schedule and shifts**, choose the Blue Yonder WFM data that Shifts users can see or change, and then set the sync frequency.
- 1. Under **Time card**, choose what action Shifts users can do with time entries.
- 1. Under **Requests**, choose the types of requests that Shifts users can see and create.
+
+3. Under **Email notification recipients**, choose who receives email notifications about this connection instance. You can add individual users and groups. The email notifications contain information about setup status and any issues or errors that may occur after the connection instance is set up.
+
+ > [!TIP]
+ > You'll be given the following options for the next group of settings: <br>
+ > **Shifts users will not see provider data**: Data won't sync between UKG Dimensions and Shifts. <br>
+ > **Shifts users can see provider data**: Data syncing is unidirectional from UKG Dimensions to Shifts. <br>
+ > **Shifts users can see and change provider data**: Data syncing is bidirectional between UKG Dimensions and Shifts.
+
+4. Choose your basic, **Time card**, and **Request** settings from the options listed above.
+
+5. Then, choose your sync frequency.
+
+ > [!IMPORTANT]
+ > Before you disable a feature by selecting the option **Shifts users will not see provider data**, be aware that:
+ >
+ > - If the setting **Schedules, groups, shifts, and activities** is disabled, then all other settings, such as **Time off** and **Employee availability**, and more, will also be disabled.
+ > - If the setting **Open shift** is disabled, **Open shift request** will also be disabled.
+ > - If the setting **Time off** is disabled, **Time off request** will also be disabled.
> [!IMPORTANT] > If you chose any of the following options to disable open shifts, open shift requests, swap requests, or time off requests, there's another step you need to do to hide the capability in Shifts. >
- > - Open shifts: **Shifts users will not see Blue Yonder WFM data**
- > - Swap requests: **Feature is disabled for all users**
- > - Time off requests: **Feature is disabled for all users**
+ > - Open shifts: **Shifts users will not see provider data**
+ > - Swap requests: **Shifts users will not see provider data**
+ > - Time off requests: **Shifts users will not see provider data**
> > After you run the wizard, make sure you follow the steps in the [Disable open shifts, open shifts requests, swap requests, and time off requests](#disable-open-shifts-open-shifts-requests-swap-requests-and-time-off-requests) section later in this article.
-
-1. When you're done choosing your settings, select **Create connection**.
-
-### Map Blue Yonder Workforce Management instances to teams
-<a name="sites"> </a>
-
-Choose the Blue Yonder WFM instances that you want to connect to Shifts, and then map each instance to a team in Teams. You can map up to 100 instances. There's two ways that you can do this:
-- [Manually map instances to teams](#manually-map-instances-to-teams)-- [Prepare and upload a CSV file that defines your mappings](#use-a-csv-file-to-map-instances-to-teams)
+6. When you're done choosing your settings, select **Next**.
-#### Manually map instances to teams
+#### Map Blue Yonder Workforce Management instances to teams
+<a name="sites"> </a>
-Select the instances that you want to map.
+Choose the Blue Yonder WFM instances that you want to connect to Shifts, and then map each WFM instance to a team in Teams. You can map up to 400 instances.
<a name="mapping"> </a> <a name="search_teams"> </a> Then, map each instance to a team in Teams. You can map an instance to an existing team or you can create a new team.-
-#### Use a CSV file to map instances to teams
+1. On the **Mapping** page, start by choosing which WFM instance(s) you want to map to Microsoft Teams team(s).
-1. Select **switch to bulk mode**.
-1. Select **download a template file** to download a mapping template that you can use to define your mappings.
+1. Tick the checkbox for each WFM instance you want to map. Instances will only map if you check their boxes.
- :::image type="content" source="media/shifts-connector-wizard-mapping-file.png" alt-text="Screenshot of the Upload mapping file page of the wizard." lightbox="media/shifts-connector-wizard-mapping-file.png":::
+1. Next, search for and choose the correct Microsoft Teams team.
+ Keep in mind that teams that are already mapped to a WFM instance in this connection instance won't be available to map again.
-1. Use the template to create your mapping file. It contains these columns, in the following order, starting with the first column. An asterisk (*) indicates a required column.
+1. Choose the time zone. The closest city will be automatically filled in, but you can change it.
- |Column name |Description |
- |||
- |**Blue Yonder Instance ID*** |The Blue Yonder WFM instance ID.|
- |**Blue Yonder Instance Name**|The Blue Yonder WFM instance name.|
- |**Team ID*** |The team ID.|
- |**Team Name**|The team name.|
- |**Time zone*** |The time zone in tz database format. For example, Europe/London.|
-
- > [!NOTE]
- > You only need to fill out the required columns (Blue Yonder Instance ID, Team ID, Time zone) to map instances to teams.
-
- Here's an example of what a mapping file looks like.
-
- |Blue Yonder Instance ID|Blue Yonder Instance Name|Team ID|Team Name|Time zone|
- ||||||
- |2111|Contoso US Team|3a4d78a-2261|US Team|America/Los_Angeles|
- |3212|Contoso UK Team|2d1f6c2e-5272|UK Team|Europe/London|
- |4865||bfa6o89e-1328||America/Toronto|
-
-1. When you've created your mapping file, select **Browse** to upload it. The wizard validates your file. If it finds errors, you'll see a list of the errors, and a message requesting that you correct them. Otherwise, you'll see a message to continue to the next step.
-1. Select **Next**.
+1. When you've mapped all your teams, select **Next**.
### Review and finish
-Review your settings. If you need to make changes to any team mappings, choose **Edit** to do so. When you're ready, select **Finish**.
+Before finishing, review the summary of the connection instance creation process. If you need to make changes during the connection instance creation process, choose **Back**. When you're ready, select **Finish**.
:::image type="content" source="media/shifts-connector-wizard-review.png" alt-text="Screenshot of the Review page of the wizard, showing mappings." lightbox="media/shifts-connector-wizard-review.png":::
-YouΓÇÖll see a message to confirm that we received your request along with an operation ID. Make a note of the operation ID. You'll need it to check the setup status of your connection.
+The wizard starts the process to set up the connection instance, which may take some time to complete. If you try to edit the connection instance before the setup is complete, you most likely won't be able to view the mappings you created previously.
-
-The wizard starts the process to set up the connection and map the instances to the teams you selected. This process may take some time to complete. The recipients you chose will receive email notifications about setup status.
+The email notification recipients you chose will receive email notifications about setup status in case there are any errors.
Select **Done** to exit the wizard.
-YouΓÇÖre on your way but youΓÇÖre not done yet! Be sure to check your email. You'll receive a confirmation that we received your request along with a [link](shifts-connector-powershell-manage.md#check-connection-setup-status) to how you can check setup status.
-
-> [!NOTE]
-> If an issue or error occurs in a connection after it's set up, you'll get notified in email. Follow the instructions in the email to troubleshoot the issue.
- ## Disable open shifts, open shifts requests, swap requests, and time off requests > [!IMPORTANT]
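Review bot: The added TIP under Choose settings describes all three sync options in terms of "UKG Dimensions" ("Data won't sync between UKG Dimensions and Shifts" and the two lines after it), but this article is the Blue Yonder Workforce Management wizard. The text looks carried over from the UKG article and should name Blue Yonder WFM, or use the product-neutral "provider" wording the option labels already use. In the mapping section, the unchanged sentence "Then, map each instance to a team in Teams. You can map an instance to an existing team or you can create a new team." is left in place ahead of the new numbered steps, although the "Select the instances that you want to map." line it followed is removed. It now duplicates the steps, and since the new steps only describe searching for an existing team, confirm whether creating a new team is still supported before keeping that claim.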
To hide open shifts, swap requests, and time off requests in Shifts, use the Gra
To hide open shifts requests in Shifts, go to **Settings** in Shifts, and then turn off the **Open shifts** setting.
-## Manage your connection
+## Manage your connection and connection instance
<a name="update_connection"> </a> After a connection is set up, you can manage and make changes to it in the Microsoft 365 admin center or by using PowerShell. ### Use the Microsoft 365 admin center
-The Connector Management page lists each connection that you've set up, along with information such as health status and sync interval details. You can also access the wizard to make changes to any of your connections. For example, you can update sync settings and team mappings.
+The Connector Management Console page lists each connection and connection instance that you've set up, along with information such as health status and sync interval details. You can also access the wizard to create new connections and connection instances and make changes to any of your existing ones. For example, you can update sync settings and team mappings.
To learn more, see [Use the Microsoft 365 admin center to manage your Shifts connection to Blue Yonder Workforce Management](shifts-connector-blue-yonder-admin-center-manage.md).
frontline Shifts Connectors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-connectors.md
Title: Shifts connectors--++ -+ audience: admin
As for the connector itself, you don't need to worry about upgrades or maintenan
### Microsoft Teams Shifts connector for UKG Dimensions - The Teams Shifts connector for UKG Dimensions is a first-party offering that's hosted and managed by Microsoft. With this connector, you can integrate Shifts with UKG Dimensions to manage your schedules and keep them up to date. :::image type="content" source="media/shifts-connector-ukg-dimensions.png" alt-text="Screenshot showing Shifts on a mobile device, a time off request, and a schedule in UKG Dimensions." lightbox="media/shifts-connector-ukg-dimensions.png":::
frontline Shifts For Teams Landing Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-for-teams-landing-page.md
Title: Shifts for frontline workers description: Get the admin guidance you need to set up and manage Shifts, the schedule management tool, in Microsoft Teams. --++ audience: admin-+ f1.keywords: - NOCSH
If you're using a third-party workforce management (WFM) system for scheduling,
||| |:::image type="icon" source="/office/medi)** Get an overview of Shifts connectors and how they work. Learn about the managed connectors that are available and the supported WFM systems. | |:::image type="icon" source="/office/medi).</li></ul> |
-|:::image type="icon" source="/office/medi).</li></ul>|
+|:::image type="icon" source="/office/medi).</li></ul>|
|:::image type="icon" source="/office/medi#reflexis-shifts-connector-for-microsoft-teams)** Learn about integrating Shifts with the Reflexis WFM system through the connector.| ## Shifts extensions
lighthouse M365 Lighthouse Deploy Standard Tenant Configurations Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-deploy-standard-tenant-configurations-overview.md
To view the Microsoft 365 Lighthouse default baseline that applies to all tenant
The Microsoft 365 Lighthouse default baseline is designed to ensure all managed tenants are healthy and secure. To view the tasks included in the default baseline, select **Default baseline** from the list. Select any of the tasks to view additional details about the task and the associated user impact. ### Default Lighthouse configurations
lighthouse M365 Lighthouse Device Compliance Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-device-compliance-page-overview.md
To get detailed device compliance information for a particular customer tenant,
To export device compliance data to an Excel comma-separated values (.csv) file, select **Export**. ## Devices tab
The Devices tab also includes the following options:
- **Restart:** Select one or more devices from the list that have a status of Not compliant, In grace period, or Not evaluated, and then select this option to restart those devices. - **Search:** Enter keywords to quickly locate a specific device in the list. ## Policies tab
The Policies tab also includes the following options:
- **Refresh:** Select to retrieve the most current device compliance policy data. - **Search:** Enter keywords to quickly locate a specific device compliance policy in the list. ## Settings tab
The Settings tab also includes the following options:
- **Refresh:** Select to retrieve the most current non-compliant settings data. - **Search:** Enter keywords to quickly locate a specific non-compliant setting in the list. ## Related content
lighthouse M365 Lighthouse Device Security Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-device-security-overview.md
You can access the Device security page in Microsoft 365 Lighthouse from the **S
The Incidents and alerts tab provides a multi-tenant view of incidents and alerts that were flagged from devices in your customers' network. By default, the tab displays any active incidents seen in the last 30 days. You can select any incident or alert to open the details pane to view more information. From the details pane, you can also resolve the incident or alert, or assign it to yourself. ## Devices tab
The Devices tab also includes the following options:
- **Export**: Select to export device compliance data to an Excel comma-separated values (.csv) file. - **Search**: Enter keywords to quickly locate a specific device in the list. ## Related content [Manage Microsoft Defender for Endpoint incidents](../security/defender-endpoint/manage-incidents.md) (article)\
lighthouse M365 Lighthouse Quarantine Messages Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-quarantine-messages-overview.md
The quarantine list is a sortable view of quarantine information by tenant. With
You also can adjust the columns and sort data based on tenant, message status, and expiration dates. The **Copy Link to Messages in Microsoft** **365 Defender** option provides a link to Microsoft 365 Defender portal where you can access and manage your tenant's email quarantine queue. You must authenticate before you can take any action.
lighthouse M365 Lighthouse Tenants Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-tenants-page-overview.md
The Tenants page also includes the following options:
- **Assign Tags:** Select to assign a tag to a tenant. - **Search:** Enter keywords to quickly locate a specific tenant in the list. ## Tenant list
To help organize your tenants and easily filter the existing views, you can crea
To view detailed tenant information, select a tenant from the list of tenants. The tenant details page contains contact information and deployment plan status. ### Overview tab
lighthouse M365 Lighthouse Threat Management Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-threat-management-page-overview.md
To access the Threat management page in Microsoft 365 Lighthouse, select **Devic
On the Overview tab of the Threat management page, you can monitor the antivirus state across all your tenants to identify the areas that need attention. ## Threats tab On the Threats tab of the Threat management page, you can see the Active, Mitigated, Resolved, and Allowed threats across all your tenants. You can also remediate multiple threats at the same time across all your tenants by filtering and drilling down into each threat to learn which devices, users, or tenants are affected. You can filter threats by:
The following table lists the different threat statuses and their definition:<br
The Antivirus protection tab on the Threats management page shows the devices across all your tenants and their Microsoft Defender Antivirus protection state. You can assess the status and take action for one or more devices that may be vulnerable. You can also select a device to view more information, such as Device Overview, Current Threats, and Device Action statuses. ## Related content
lighthouse M365 Lighthouse Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-troubleshoot.md
Previously updated : 02/15/2022 Last updated : 02/28/2023 audience: Admin
This article describes error messages and problems that you might encounter whil
- Must have delegated access set up for the Managed Service Provider (MSP) to be able to manage the customer tenant* - Must have at least one Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5, Windows 365 Business, or Microsoft Defender for Business license-- Must have no more than 2500 licensed users
+- Must have no more than 2500 licensed users
+- Must reside in the same geographic region (Americas, European Union, or Asia plus Australia) as the partner organization that manages them
**Resolution:** The following table describes the different tenant statuses that require action and explains how to resolve them.
Either granular delegated admin privileges (GDAP) plus an indirect reseller rela
| Status | Description | Resolution | |--|--|--|
-| Inactive | The tenant was offboarded at the request of the MSP and is no longer being managed in Lighthouse. | You need to reactivate the tenant. On the **Tenants** page, select the three dots (more actions) next to the tenant that you want to reactivate, and then select **Activate tenant**. It can take 24ΓÇô48 hours for initial customer data to appear in Lighthouse. |
-| Ineligible - DAP or GDAP is not set up | You don't have DAP or GDAP and indirect reseller admin privileges set up with the tenant, which is required by Lighthouse. | Set up DAP or GDAP and indirect reseller admin privileges in the Microsoft Partner Center. |
-| Ineligible - Required license is missing | The tenant is missing a required license. They need at least one Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5, or Microsoft Defender for Business license. | Make sure the tenant has at least one Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5, Windows 365 Business, or Microsoft Defender for Business license assigned. |
-| Ineligible - User count exceeded | The tenant has more than the maximum of 2500 licensed users allowed by Lighthouse. | Verify that the tenant doesn't have more than 2500 licensed users. |
-| Ineligible - Geo check failed | You and your customer don't reside in the same geographic region, which is required by Lighthouse. | Verify that the customer resides in your geographic region. If not, then you can't manage the tenant in Lighthouse. |
-| In process | Lighthouse discovered the tenant but is still in the process of onboarding them. | Allow Lighthouse 48 hours to complete onboarding of the tenant. |
+| Inactive | Your organization has excluded this customer tenant from Lighthouse management. | You need to reactivate the tenant. On the **Tenants** page, select the three dots (more actions) next to the tenant that you want to reactivate, and then select **Activate tenant**. It can take 24ΓÇô48 hours for initial customer data to appear in Lighthouse. |
+| Limited | This customer tenant has access to only a limited set of experiences in Lighthouse, including GDAP setup and management, user search, user details, tenant tagging, and service health. | Select the tenant name to see a detailed status of Lighthouse management requirements. For more information, see [Requirements for Microsoft 365 Lighthouse](m365-lighthouse-requirements.md). |
+| In process | An error occurred during the onboarding process for this customer tenant and we're working on a fix. | If this error persists for more than 48 hours, please contact Support. |
If you confirmed that your customer tenant meets the onboarding criteria and they're still not showing as **Active** in Lighthouse, contact Support. For more information, see [Get help and support for Microsoft 365 Lighthouse](m365-lighthouse-get-help-and-support.md).
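Review bot: The new **In process** row describes a failure ("An error occurred during the onboarding process ... we're working on a fix"), while the status name and the removed row both read as normal onboarding progress. Reword the description to cover both cases, or say how an admin tells a slow onboarding from an error. The four removed `Ineligible - ...` rows each named the failed requirement and its fix, whereas the replacement **Limited** row only links to the requirements article, so consider keeping a short list of the checks (delegated access, license, 2500-user limit, geographic region) in its resolution cell. The added **Inactive** row also carries a mis-encoded en dash in `24ΓÇô48 hours`.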
lighthouse M365 Lighthouse Users Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-users-page-overview.md
Microsoft 365 Lighthouse lets you manage users across customer tenant accounts b
On the Account management page, you can quickly search across tenants for specific users and perform common user management tasks like updating user account information, resetting passwords, assigning licenses, and managing a user's groups, mailbox, or OneDrive. You can also view inactive accounts and take the appropriate security actions and reclaim unused licenses.
-## Risky Users page
+## Risky users page
-The Risky Users page shows user accounts across your tenants that have been flagged for risky behavior. Select any of the users to view more information on a detected risk or to mitigate a risk by resetting a user's password or blocking sign-in. For more information about risk types and detection, see [What is risk?](/azure/active-directory/identity-protection/concept-identity-protection-risks).
+The Risky users page shows user accounts across your tenants that have been flagged for risky behavior. Select any of the users to view more information on a detected risk or to mitigate a risk by resetting a user's password or blocking sign-in. For more information about risk types and detection, see [What is risk?](/azure/active-directory/identity-protection/concept-identity-protection-risks).
-The Risky Users page also includes the following options:
+The Risky users page also includes the following options:
- **Export:** Select to export device compliance data to an Excel comma-separated values (.csv) file. - **Refresh:** Select to retrieve the most current device compliance data. - **Confirm user(s) compromised:** Select to confirm the user was compromised.
The Risky Users page also includes the following options:
- **Reset password:** Select to change or reset user password. - **Block Sign-in:** Select to prevent anyone from signing in as this user. ## Multifactor Authentication page The Multifactor Authentication page provides detailed information on the status of multifactor authentication (MFA) enablement across your tenants. Select any tenant in the list to see more details for that tenant, including which Conditional Access policies requiring MFA are already configured and which users haven't yet registered for MFA. ## Password reset page The Password reset page shows detailed information on the status of SSPR enablement across your tenants. It also provides insights into users who have SSPR enabled but still need to register before they can reset their password on their own. ## Related content
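Review bot: The rename to sentence case is incomplete: the unchanged line before the **Reset password** / **Block Sign-in** list still reads "The Risky Users page also includes the following options:", so the page now has both spellings and repeats the same lead-in sentence twice. Change that occurrence to "Risky users" as well, and check whether the **Export** and **Refresh** bullets should really say "device compliance data" on a page about risky user accounts.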
lighthouse M365 Lighthouse Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-whats-new.md
Previously updated : 05/05/2022 Last updated : 02/28/2023 audience: Admin
We're continuously adding new features to [Microsoft 365 Lighthouse](m365-lighth
> [!NOTE] > Some features get rolled out at different speeds to our customers. If you aren't seeing a feature yet, you should see it soon.
+## February 2023
+
+### New GDAP management capabilities
+
+Managed Service Provider (MSP) technicians responsible for managing granular delegated admin privileges (GDAP) can now get at-a-glance details of all their customers' delegated relationships in Microsoft 365 Lighthouse. This new feature helps ensure GDAP is set up correctly for all of your customers.
+
+To view the status of your customers' delegated relationships, including delegated access type, whether a GDAP template has been assigned, number of active and pending relationships, nearest expiration date, and security groups with access to manage the customer tenant, go to **Permissions** > **Delegated access**.
+
+### App insights from Endpoint analyticsΓÇ»
+
+We've added insights from Endpoint analytics to Microsoft 365 Lighthouse to help you proactively take measures to improve the health of user devices and apps within managed tenants. The insights from Endpoint analytics inform a deployment sub-task called **Enable Device Health Monitoring** within the default baseline under the **Set up device enrollment** task. Once the new sub-task is enabled and the deployment task is deployed, select **Apps** > **App performance** in the left navigation pane in Microsoft 365 Lighthouse to see the Endpoint analytics insights.ΓÇ»
+
+For more information, see [What is Endpoint analytics?](/mem/analytics/overview).
+
+### Device insights from Endpoint analyticsΓÇ»
+
+We've added insights from Endpoint analytics to Microsoft 365 Lighthouse to help you proactively take measures to improve the health of user devices and apps within managed tenants. The insights from Endpoint analytics inform a deployment sub-task called **Enable Device Health Monitoring** within the default baseline under the **Set up device enrollment** task. Once the new sub-task is enabled and the deployment task is deployed, select **Devices** > **Device health** in the left navigation pane in Microsoft 365 Lighthouse to see the Endpoint analytics insights.ΓÇ»
+
+For more information, see [What is Endpoint analytics?](/mem/analytics/overview).
+
+### Multi-tenant exposure score and recommendationsΓÇ»
+
+We've brought multi-tenant threat and vulnerability management capabilities from Microsoft Defender for Endpoint (MDE) into Microsoft 365 Lighthouse. To see the exposure levels of all your managed tenants onboarded to MDE, go to **Devices** > **Vulnerability management** in Microsoft 365 Lighthouse.ΓÇ»
+
+### Persistent deployment status detection and configuration drift analysis
+
+We've enhanced Microsoft 365 Lighthouse to provide persistent configuration detection and deployment status to monitor your tenants&mdash;even when you're offline&mdash;and identify any updates to a tenant configuration that results in a regression of the deployment status for any of the assigned tasks.
+
+Microsoft 365 Lighthouse also provides *who*, *where*, and *when* details about user activity that caused the detected drift so that you can efficiently and effectively restore the tenant to the desired state.
+
+This insight helps you effectively engage fellow tenant admins&mdash;either in your organization or in the customer's organization&mdash;to educate them about the impact of their activity and how to mitigate future risks associated with configuration drift.
+
+### Enhanced deployment insights for licensingΓÇ»
+
+Microsoft 365 Lighthouse now provides insights around which deployment tasks can't be completed for which users due to insufficient licensing. These insights help you adjust the licensing or the deployment plan accordingly to complete your deployment.
++
+### Deployment insights Home page card
+
+The Microsoft 365 Lighthouse Home page now includes a Deployment insights card that provides actionable insights around the deployment state of the tenants you manage. These insights can help identify where to focus deployment activities to optimize tenant health and security.
++
+### Deployment progress by user
+
+Microsoft 365 Lighthouse now reports deployment progress by user so you can see the deployment status for every applicable deployment task. The ability to see which users are compliant with, not compliant with, not targeted for, not licensed for, or excluded from each deployment task across all your managed tenants can help you to more efficiently and effectively help each user be secure and productive.
+ ## January 2023 ### Automation of Intune device enrollment through the default baseline
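Review bot: The **App insights from Endpoint analytics** and **Device insights from Endpoint analytics** entries are the same paragraph apart from the navigation path (**Apps** > **App performance** versus **Devices** > **Device health**), so neither says what its view actually shows. Give each one a sentence about its own content, or merge them into a single entry. In the drift-analysis entry, "any updates to a tenant configuration that results in a regression" should read "that result in". Several added headings and paragraphs end in a stray character (rendered here as `ΓÇ»`), and two added lines consist only of `+`; strip both.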
lighthouse M365 Lighthouse Win365 Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-win365-page-overview.md
The Overview tab also includes the following options:
- **Export:** Select to export Cloud PC data to an Excel comma-separated values (.csv) file. - **Search:** Enter keywords to quickly locate a specific Cloud PC in the list. ## All Cloud PCs tab
The All Cloud PCs tab also includes the following options:
To see a complete list of Cloud PC provisioning statuses and what they mean, see [Device management overview for Cloud PCs](/windows-365/enterprise/device-management-overview#column-details) in the Windows 365 documentation library. ## Azure network connections tab
The Azure network connections tab also includes the following options:
- **Refresh:** Select to retrieve the most current connection data. - **Search:** Enter keywords to quickly locate a specific connection. ## Related content
security Defender Endpoint Plan 1 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2.md
Defender for Endpoint Plan 1 and 2 (standalone), Defender for Business (standalo
- To try Defender for Endpoint, go to the [Defender for Endpoint trial sign-up page](https://go.microsoft.com/fwlink/p/?LinkID=2168109). - To try the Microsoft Defender Vulnerability Management add-on for Defender for Endpoint Plan 2, visit [https://aka.ms/AddonPreviewTrial](https://aka.ms/AddonPreviewTrial).
-## Mixed-licensing scenarios
-
-A mixed-licensing scenario is a situation in which an organization is using a mix of subscriptions, such as Defender for Endpoint Plan 1 and Plan 2. The following table describes examples of mixed-licensing scenarios:
-
-| Scenario | Description |
-|:|:|
-| *Mixed tenant* | Use different sets of capabilities for groups of users and their devices. Examples include:<br/>- Defender for Endpoint Plan 1 and Defender for Endpoint Plan 2<br/>- Microsoft 365 E3 and Microsoft 365 E5 |
-| *Mixed trial* | Try a premium level subscription for some users. Examples include: <br/>- Defender for Endpoint Plan 1 (purchased for all users), and Defender for Endpoint Plan 2 (a trial subscription has been started for some users)<br/>- Microsoft 365 E3 (purchased for all users), and Microsoft 365 E5 (a trial subscription has been started for some users) |
-| *Phased upgrades* | Upgrade user licenses in phases. Examples include:<br/>- Moving groups of users from Defender for Endpoint Plan 1 to Plan 2<br/>- Moving groups of users from Microsoft 365 E3 to E5 |
-
-**If you have Defender for Endpoint Plan 1 and Plan 2 in your tenant, the ability to manage your subscription settings across client devices is now in preview**! This new capability enables you to:
--- Apply *either* Defender for Endpoint Plan 1 *or* Plan 2 settings to all your client devices; or-- Use mixed mode, and apply Defender for Endpoint Plan 1 settings to some client devices, and Defender for Endpoint Plan 2 to other client devices.-
-You can also use a newly added license usage report to track status.
-
-**For more information, including how to use mixed-licensing scenarios in your tenant, see [Manage your Defender for Endpoint subscription settings across devices](defender-endpoint-subscription-settings.md)**.
- > [!TIP] > If your organization is a small or medium-sized business, see [What happens if I have a mix of Microsoft endpoint security subscriptions](/microsoft-365/security/defender-business/mdb-faq#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions)?
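Review bot: Deleting the `## Mixed-licensing scenarios` heading also removes the `#mixed-licensing-scenarios` anchor. The two references to it visible in this update (the intro of defender-endpoint-subscription-settings.md and the February 2023 what's-new bullet) are removed as well, but search the rest of the repo for that anchor before merging. The TIP that stays is now the only pointer on this page for organizations with a mix of endpoint security subscriptions, so confirm the FAQ it links to does not refer back to the removed section.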
security Defender Endpoint Subscription Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-subscription-settings.md
- Title: Manage your Microsoft Defender for Endpoint subscription settings across client devices
-description: Learn about your options for managing your Defender for Endpoint subscription settings. Choose Plan 1, Plan 2, or mixed mode.
-keywords: Defender for Endpoint, choose plan 1, choose plan 2, mixed mode, device tag, endpoint protection, endpoint security, device security, cybersecurity
---- Previously updated : 02/27/2023------ M365-security-compliance-- m365initiative-defender-endpoint--
-# Manage Microsoft Defender for Endpoint subscription settings across client devices
-
-A [mixed-licensing scenario](defender-endpoint-plan-1-2.md#mixed-licensing-scenarios) is a situation in which an organization is using a mix of Defender for Endpoint Plan 1 and Plan 2 licenses. Until recently, mixed-licensing scenarios weren't supported; in cases of multiple subscriptions, the highest functional subscription would take precedence for your tenant. Now, **the ability to manage your subscription settings to accommodate mixed licensing scenarios across client devices is currently in preview**! These capabilities enable you to:
--- **Set your tenant to mixed mode and tag devices** to determine which client devices will receive features and capabilities from each plan (we call this option *mixed mode*); **OR**,-- **Use the features and capabilities from one plan across all your client devices**. -
-## [**Use mixed mode**](#tab/mixed)
-
-## Set your tenant to mixed mode and tag devices
-
-> [!IMPORTANT]
-> - **Mixed-mode settings apply to client endpoints only**. Tagging server devices wonΓÇÖt change their subscription state. All server devices running Windows Server or Linux should have appropriate licenses, such as [Defender for Servers](/azure/defender-for-cloud/plan-defender-for-servers-select-plan). See [Options for onboarding servers](defender-endpoint-plan-1-2.md#options-for-onboarding-servers).
-> - **Make sure to follow the procedures in this article to try mixed-license scenarios in your environment**. Assigning user licenses in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)) doesn't set your tenant to mixed mode.
-> - Make sure that you have opted in to receive [preview features](preview.md).
-> - **You should have active trial or paid licenses for both Defender for Endpoint Plan 1 and Plan 2**.
-> - To access license information, you must have one of the following roles assigned in Azure Active Directory (Azure AD):
-> - Global Admin
-> - Security Admin
-> - License Admin + MDE Admin
-
-1. As an admin, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
-
-2. Go to **Settings** > **Endpoints** > **Licenses**. Your usage report report opens and displays information about your organizationΓÇÖs Defender for Endpoint licenses.
-
-3. Under **Subscription state**, select **Manage subscription settings**.
-
- > [!NOTE]
- > If you don't see **Manage subscription settings**, at least one of the following conditions is true:
- > - You have Defender for Endpoint Plan 1 or Plan 2 (but not both); or
- > - Mixed-license capabilities haven't rolled out to your tenant yet.
-
-4. A **Subscription settings** flyout opens. Choose the option to use Defender for Endpoint Plan 1 and Plan 2. (No changes will occur until devices are tagged as per the next step.)
-
-5. Tag the devices that should receive either Defender for Endpoint Plan 1 or Plan 2 capabilities. You can choose to tag your devices manually or by using a dynamic rule. [Learn more about device tagging](#more-details-about-device-tagging).
-
- | Method | Details |
- |:|:|
- | Tag devices manually | To tag devices manually, create a tag called `License MDE P1` and apply it to devices. To get help with this step, see [Create and manage device tags](machine-tags.md).<br/><br/>Note that devices that are tagged with the `License MDE P1` tag using the [registry key method](machine-tags.md#add-device-tags-by-setting-a-registry-key-value) will not receive downgraded functionality. If you want to tag devices by using the registry key method, use a dynamic rule instead of manual tagging. |
- | Tag devices automatically by using a dynamic rule | *Dynamic rule functionality is new! It allows you to apply a dynamic and granular level of control over how you manage devices*. <br/><br/>To use a dynamic rule, you specify a set of criteria based on device name, domain, operating system platform, and/or device tags. Devices that meet the specified criteria will receive the Defender for Endpoint Plan 1 or Plan 2 capabilities according to your rule. <br/><br/>As you define your criteria, you can use the following condition operators: <br/>- `Equals` / `Not equals`<br/>- `Starts with`<br/>- `Contains` / `Does not contain` <br/><br/>For **Device name**, you can use freeform text.<br/><br/>For **Domain**, select from a list of domains.<br/><br/>For **OS platform**, select from a list of operating systems.<br/><br/>For **Tag**, use the freeform text option. Type the tag value that corresponds to the devices that should receive either Defender for Endpoint Plan 1 or Plan 2 capabilities. See the example in [More details about device tagging](#more-details-about-device-tagging). |
-
- Device tags are visible in the **Device inventory** view and in the [Defender for Endpoint APIs](apis-intro.md).
-
-6. Save your rule and wait for up to three (3) hours for tags to be applied. Then, proceed to [Validate that a device is receiving only Defender for Endpoint Plan 1 capabilities](#validate-that-a-device-is-receiving-only-defender-for-endpoint-plan-1-capabilities).
-
-### More details about device tagging
-
-As described in [Tech Community blog: How to use tagging effectively](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058), device tagging provides you with granular control over devices. With device tags, you can:
--- Display certain devices to individual users in the Microsoft 365 Defender portal so that they see only the devices they're responsible for.-- Include or exclude devices from specific security policies.-- Determine which devices should receive Defender for Endpoint Plan 1 or Plan 2 capabilities. (*This capability is now in preview!*)-
-For example, suppose that you want to use a tag called `VIP` for all the devices that should receive Defender for Endpoint Plan 2 capabilities. Here's what you would do:
-
-1. Create a device tag called `VIP`, and apply it to all the devices that should receive Defender for Endpoint Plan 2 capabilities. Use one of the following methods to create your device tag:
-
- - [Add and manage device tags using the Microsoft 365 Defender portal](machine-tags.md#add-and-manage-device-tags-using-the-portal).
- - [Add device tags by setting a registry key value](machine-tags.md#add-device-tags-by-setting-a-registry-key-value).
- - [Add or remove machine tags by using the Defender for Endpoint API](add-or-remove-machine-tags.md).
- - [Add device tags by creating a custom profile in Microsoft Intune](machine-tags.md#add-device-tags-by-creating-a-custom-profile-in-microsoft-intune).
-
-2. Set up a dynamic rule using the condition operator `Tag Does not contain VIP`. In this case, all devices that do not have the `VIP` tag will receive the `License MDE P1` tag and Defender for Endpoint Plan 1 capabilities.
--
-## [**Use one plan**](#tab/oneplan)
-
-## Use the features and capabilities from one plan across all your devices
-
-> [!IMPORTANT]
-> - Make sure that you have opted in to receive [preview features](preview.md).
-> - To access license information, you must have one of the following roles assigned in Azure Active Directory (Azure AD):
-> - Global Admin
-> - Security Admin
-> - License Admin + MDE Admin
-
-1. As a Security Admin or Global Admin, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
-
-2. Go to **Settings** > **Endpoints** > **Licenses**.
-
-3. Under **Subscription state**, select **Manage subscription settings**.
-
- > [!NOTE]
- > If you don't see **Manage subscription settings**, at least one of the following conditions is true:
- > - You have Defender for Endpoint Plan 1 or Plan 2 (but not both); or
- > - Mixed-license capabilities haven't rolled out to your tenant yet.
-
-4. A **Subscription settings** flyout opens. Choose one plan for all users and devices, and then select **Done**. It can take up to three hours for your changes to be applied.
-
- If you chose to apply Defender for Endpoint Plan 1 to all devices, proceed to [Validate that devices are receiving only Defender for Endpoint Plan 1 capabilities](#validate-that-a-device-is-receiving-only-defender-for-endpoint-plan-1-capabilities).
---
-## Validate that a device is receiving only Defender for Endpoint Plan 1 capabilities
-
-After you have assigned Defender for Endpoint Plan 1 capabilities to some or all devices, you can verify that an individual device is receiving those capabilities.
-
-1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), go to **Assets** > **Devices**.
-
-2. Select a device that is tagged with `License MDE P1`. You should see that Defender for Endpoint Plan 1 is assigned to the device.
-
-> [!NOTE]
-> Devices that are assigned Defender for Endpoint Plan 1 capabilities will not have vulnerabilities or security recommendations listed.
-
-## Review license usage
-
-The license usage report is estimated based on sign-in activities on the device. To reduce management overhead, there will not be a requirement for device-to-user mapping and assignment. Instead, the license report will provide a utilization estimation that is calculated based on the utilization seen across your organization. It might take up to one day for your usage report to reflect the active usage of your devices.
-
-> [!IMPORTANT]
-> To access license information, you must have one of the following roles assigned in Azure Active Directory (Azure AD):
-> - Security Admin
-> - Global Admin
-> - License Admin + MDE Admin
-
-1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
-
-2. Choose **Settings** > **Endpoints** > **Licenses**.
-
-3. Review your available and assigned licenses. The calculation is based on detected users who have accessed devices that are onboarded to Defender for Endpoint.
-
-## More resources
--- [Compare Microsoft endpoint security plans](defender-endpoint-plan-1-2.md)-- [Licensing and product terms for Microsoft 365 subscriptions](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA).-- [How to contact support for Defender for Endpoint](contact-support.md).-- [Get started with Microsoft Security (trial offers)](https://www.microsoft.com/security/business/get-started/start-free-trial)-- [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md)-- [Microsoft Defender for Business](../defender-business/mdb-overview.md) (endpoint protection for small and medium-sized businesses)
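Review bot: The whole article is deleted, but no redirect for defender-endpoint-subscription-settings.md is visible in this update, so bookmarks and external links to the published page will break. Add a redirection entry pointing to defender-endpoint-plan-1-2.md or another suitable target in the same change.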
security Manage Tamper Protection Microsoft Endpoint Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-microsoft-endpoint-manager.md
ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium Previously updated : 01/27/2023 Last updated : 02/28/2023 audience: ITPro
Tamper protection is part of anti-tampering capabilities that include [standard
3. Assign the profile to one or more groups.
+## How to tell if a Windows device is managed by Intune
+
+You can use a registry key to confirm whether a Windows device is managed by Intune, or co-managed by Intune and Configuration Manager.
+
+1. On a Windows device open Registry Editor. (Read-only mode is fine; you won't be editing the registry key.)
+
+2. Go to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender` (or `HKLM\SOFTWARE\Microsoft\Windows Defender`), and look for a `REG_DWORD` entry called **ManagedDefenderProductType**.
+
+ - If **ManagedDefenderProductType** has a value of `6`, then the device is managed by Intune.
+ - If **ManagedDefenderProductType** has a value of `7`, then the device is co-managed by Intune and Configuration Manager.
+
+> [!CAUTION]
+> Do not change the value of **ManagedDefenderProductType**. Use the preceding procedure for information only. Changing the key will have no effect on how the device is managed.
+ > [!TIP] > If you're looking for Antivirus related information for other platforms, see: > - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)
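Review bot: Step 2 explains the values `6` and `7` but not what to conclude when **ManagedDefenderProductType** is missing or holds any other value; add a bullet for that case so a reader does not have to guess how the device is managed. The CAUTION calls **ManagedDefenderProductType** a "key", while step 2 calls it a `REG_DWORD` entry under the `Windows Defender` key; use "entry" or "value" in both places.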
security Prevent Changes To Security Settings With Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md
ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium Previously updated : 02/27/2023 Last updated : 02/28/2023 audience: ITPro
Depending on the method or management tool you use to enable tamper protection,
| How tamper protection is enabled | Dependency on cloud protection? | |||
-|Microsoft Intune|No|
-|Microsoft Endpoint Configuration Manager with Tenant Attach|No|
-|Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com))|Yes|
+| Microsoft Intune | No |
+| Microsoft Configuration Manager with Tenant Attach | No |
+| Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | Yes |
## Methods to configure tamper protection
If your organization has [exclusions defined for Microsoft Defender Antivirus](c
### How to determine whether the functionality to protect exclusions is enabled on a Windows device
-You can use a registry key to determine whether the functionality to protect Microsoft Defender Antivirus exclusions is enabled.
+You can use a registry key to determine whether the functionality to protect Microsoft Defender Antivirus exclusions is enabled. Note that the following procedure describes how to view, but not change, tamper protection status.
1. On a Windows device open Registry Editor. (Read-only mode is fine; you won't be editing the registry key.)
-2. Go to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features` (or `HKLM\SOFTWARE\Microsoft\Windows Defender\Features`), and look for a `REG_DWORD` entry called **TPExclusions**.
+2. Go to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features` (or `HKLM\SOFTWARE\Microsoft\Windows Defender\Features`), and look for the `REG_DWORD` entries that are listed in the following table:
- - If **TPExclusions** has a value of `1`, then all required conditions are met, and the new functionality to protect exclusions is enabled on the device. In this case, exclusions are tamper protected.
- - If **TPExclusions** has a value of `0`, then tamper protection isn't currently protecting exclusions on the device.
+ | REG_DWORD | Value | What it means |
+ |:|:|:|
+ | **TamperProtection** | 5 | Tamper protection is deployed. |
+ | **TamperProtectionSource** | 64 | Tamper protection is managed by Intune. |
+ | **TPExclusions** | 1 | Required conditions are met, and the new functionality to protect exclusions is enabled on the device. In this case, exclusions are tamper protected. |
+ | **TPExclusions** | 0 | Tamper protection isn't currently protecting exclusions on the device. |
> [!CAUTION]
-> Do not change the value of **TPExclusions**. Use the preceding procedure for information only. Changing the key will have no effect on whether tamper protection applies to exclusions.
+> Do not change the value of the registry keys. Use the preceding procedure for information only. Changing keys will have no effect on whether tamper protection applies to exclusions.
## Are you using Windows Server 2012 R2, 2016, or Windows version 1709, 1803, or 1809?
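Review bot: The new table gives a single value each for **TamperProtection** (`5`) and **TamperProtectionSource** (`64`) and does not say what any other value means, or whether both must match before the **TPExclusions** result applies; add rows or a sentence for the other cases. The section heading and the CAUTION still speak only of exclusions, while the added intro sentence speaks of "tamper protection status" in general, so align the wording. In the CAUTION, "registry keys" should be "registry values" or "entries", since the table lists `REG_DWORD` entries under one key.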
security Whats New In Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md
ms.pagetype: security
ms.localizationpriority: medium Previously updated : 02/27/2023 Last updated : 02/28/2023 audience: ITPro
For more information on Microsoft Defender for Endpoint on specific operating sy
- [What's new in Defender for Endpoint on Linux](linux-whatsnew.md) ## February 2023-- [Mixed-licensing scenarios](defender-endpoint-plan-1-2.md#mixed-licensing-scenarios) are now in preview, enabling you to [Manage Microsoft Defender for Endpoint subscription settings across devices](defender-endpoint-subscription-settings.md). - The Microsoft Defender for Identity integration toggle is now removed from the MDE Settings > Advanced features page. Because Defender for Identity is now integrated with Microsoft 365 Defender, this toggle is no longer required. You don't need to manually configure integration between services. See [What's new - Microsoft Defender for Identity](/defender-for-identity/whats-new#defender-for-identity-release-2194).
security Anti Malware Protection About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-protection-about.md
Anti-malware policies control the settings and notification options for malware
- **Enable the common attachments filter**: There are certain types of files that you really shouldn't send via email (for example, executable files). Why bother scanning these types of files for malware, when you should probably block them all, anyway? That's where the common attachments filter comes in. The file types that you specify are automatically treated as malware. - The default file types: `ace, apk, app, appx, ani, arj, bat, cab, cmd,com, deb, dex, dll, docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library, lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg, rev, scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, xz, z`.
-
+ - Additional predefined file types that you can select from in the Microsoft 365 Defender portal<sup>\*</sup>: `7z, 7zip, a, accdb, accde, action, ade, adp, appxbundle, asf, asp, aspx, avi, bin, bundle, bz, bz2, bzip2, cab, caction, cer, chm, command, cpl, crt, csh, css, der, dgz, dmg, doc, docx, dot, dotm, dtox, dylib, font, gz, gzip, hlp, htm, html, imp, inf, ins, ipa, isp, its, jnlp, js, jse, ksh, lqy, mad, maf, mag, mam, maq, mar, mas, mat, mav, maw, mda, mdb, mde, mdt, mdw, mdz, mht, mhtml, mscompress, msh, msh1, msh1xml, msh2, msh2xml, mshxml, msixbundle, o, obj, odp, ods, odt, one, onenote, ops, package, pages, pbix, pdb, pdf, php, pkg, plugin, pps, ppsm, ppsx, ppt, pptm, pptx, prf, prg, ps1, ps1xml, ps2, ps2xml, psc1, psc2, pst, pub, py, rar, rpm, rtf, scpt, service, sh, shb, shtm, shx, so, tar, tarz, terminal, tgz, tool, url, vhd, vsd, vsdm, vsdx, vsmacros, vss, vssx, vst, vstm, vstx, vsw, workflow, ws, xhtml, xla, xlam, xls, xlsb, xlsm, xlsx, xlt, xltm, xltx, zi, zip, zipx`. <sup>\*</sup> You can enter any text value in the Defender portal or using the _FileTypes_ parameter in the [New-MalwareFilterPolicy](/powershell/module/exchange/new-malwarefilterpolicy) or [Set-MalwareFilterPolicy](/powershell/module/exchange/set-malwarefilterpolicy) cmdlets in Exchange Online PowerShell.
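Review bot: The added list of additional predefined file types repeats `cab` and `jnlp`, which already appear in the default file types list on the line above. Remove them from one list or state that the overlap is intentional, because an admin building a policy from this text cannot tell whether those two types are already blocked by default. The footnote that begins `<sup>\*</sup> You can enter any text value` runs on directly after the list and should start its own paragraph. The default list also has `cmd,com` without a space after the comma.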
security Anti Malware Protection For Spo Odfb Teams About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-protection-for-spo-odfb-teams-about.md
Title: Built-in virus protection in SharePoint Online, OneDrive, and Microsoft Teams
+f1.keywords:
- NOCSH
audience: Admin ms.localizationpriority: medium
+search.appverid:
- SPO160 - MOE150 - MET150 ms.assetid: e3c6df61-8513-499d-ad8e-8a91770bff63-+ - m365-security - tier2 description: Learn about how SharePoint Online detects viruses in files that users upload and prevents users from downloading or syncing the files.
Last updated 1/31/2023
Microsoft 365 uses a common virus detection engine for scanning files that users upload to SharePoint Online, OneDrive, and Microsoft Teams. This protection is included with all subscriptions that include SharePoint Online, OneDrive, and Microsoft Teams. > [!IMPORTANT]
-> The built-in anti-virus capabilities are a way to help contain viruses. They aren't intended as a single point of defense against malware for your environment. We encourage all customers to investigate and implement anti-malware protection at various layers and apply best practices for securing their enterprise infrastructure.
+> The built-in anti-virus capabilities are a way to help contain viruses. They aren't intended as a single point of defense against malware for your environment. We encourage all customers to investigate and implement anti-malware protection at various layers and apply best practices for securing their enterprise infrastructure.
## What happens if an infected file is uploaded to SharePoint Online?
-The Microsoft 365 virus detection engine scans files asynchronously (at some time after upload). If a file has not yet been scanned by the asynchronous virus detection process, and a user tries to download the file from the browser or from Teams, a scan on download is triggered by SharePoint before the download is allowed. **All file types are not automatically scanned**. Heuristics determine the files to scan. When a file is found to contain a virus, the file is flagged.
+The Microsoft 365 virus detection engine scans files asynchronously (at some time after upload). If a file has not yet been scanned by the asynchronous virus detection process, and a user tries to download the file from the browser or from Teams, a scan on download is triggered by SharePoint before the download is allowed. **All file types are not automatically scanned**. Heuristics determine the files to scan. When a file is found to contain a virus, the file is flagged.
Here's what happens:
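Review bot: The edit to the paragraph under "What happens if an infected file is uploaded to SharePoint Online?" only touches whitespace and leaves "**All file types are not automatically scanned**" in place, which can be read as saying that no file type is scanned. The following sentence ("Heuristics determine the files to scan") shows that only some files are scanned, so "Not all file types are automatically scanned" would remove the ambiguity. This sentence is what admins rely on when judging scan coverage, so the wording matters.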
For instructions, see [Use SharePoint Online PowerShell to prevent users from do
## Can admins bypass *DisallowInfectedFileDownload* and extract infected files?
-SharePoint admins and global admins are allowed to do forensic file extractions of malware-infected files in SharePoint Online PowerShell with the [Get-SPOMalwareFileContent](/powershell/module/sharepoint-online/get-spomalwarefilecontent) cmdlet. Admins don't need access to the site that hosts the infected content. As long as the file has been marked as malware, admins can use **Get-SPOMalwareFileContent** to extract the file.
+SharePoint admins and global admins are allowed to do forensic file extractions of malware-infected files in SharePoint Online PowerShell with the [Get-SPOMalwareFileContent](/powershell/module/sharepoint-online/get-spomalwarefilecontent) cmdlet. Admins don't need access to the site that hosts the infected content. As long as the file has been marked as malware, admins can use **Get-SPOMalwareFileContent** to extract the file.
-For more information about the infected file, admins can use the **[Get-SPOMalwareFile](/powershell/module/sharepoint-online/get-spomalwarefile)** cmdlet to see the type of malware that was detected and the status of the infection.
+For more information about the infected file, admins can use the **[Get-SPOMalwareFile](/powershell/module/sharepoint-online/get-spomalwarefile)** cmdlet to see the type of malware that was detected and the status of the infection.
## What happens when the OneDrive sync client tries to sync an infected file?
security Anti Phishing Policies Mdo Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure.md
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
- **Quarantine the message**: If you select this action, an **Apply quarantine policy** box appears where you select the quarantine policy that applies to messages that are quarantined by user impersonation protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Quarantine policies](quarantine-policies.md). A blank **Apply quarantine policy** value means the default quarantine policy is used (DefaultFullAccessPolicy for user impersonation detections). When you later edit the anti-phishing policy or view the settings, the default quarantine policy name is shown.
-
+ - **Deliver the message and add other addresses to the Bcc line** - **Delete the message before it's delivered**
security Attack Simulation Training Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-faq.md
At 9:00 AM on the same day, the simulation message is sent to UserB. With region
So, on the initial run of a campaign with region aware delivery enabled, it might appear that the simulation message was sent only to users in a specific time zone. But, as time passes and more users come into scope, the targeted users will increase. - ### Q: Does Microsoft collect or store any information that users enter at the Credential Harvest sign-in page, used in the Credential Harvest simulation technique? A: No. Any information entered at the credential harvest login page is discarded silently. Only the 'click' is recorded to capture the compromise event. Microsoft does not collect, log or store any details that users enter at this step.
security Attack Simulation Training Payloads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payloads.md
audience: ITPro
ms.localizationpriority: medium-+ - m365-security - tier2
When you select a payload from the list, a details flyout appears with the follo
For **Link in attachment**, the name of the box is **Select a URL in this attachment that you want to be your phishing link**. Later, you'll embed the URL in the attachment. Select one of the available URL values:
-
+ - <https://www.mcsharepoint.com> - <https://www.attemplate.com> - <https://www.doctricant.com>
When you select a payload from the list, a details flyout appears with the follo
- Common settings on the **Configure payload** page: - **Add tag(s)**
-
+ - **Theme**: The available values are: **Account Activation**, **Account Verification**, **Billing**, **Clean up Mail**, **Document Received**, **Expense**, **Fax**, **Finance Report**, **Incoming Messages**, **Invoice**, **Item Received**, **Login Alert**, **Mail Received**, **Other**, **Password**, **Payment**, **Payroll**, **Personalized Offer**, **Quarantine**, **Remote Work**, **Review Message**, **Security Update**, **Service Suspended**, **Signature Required**, **Upgrade Mailbox Storage**, **Verify mailbox**, or **Voicemail**.
-
+ - **Brand**: The available values are: **American Express**, **Capital One**, **DHL**, **DocuSign**, **Dropbox**, **Facebook**, **First American**, **Microsoft**, **Netflix**, **Scotiabank**, **SendGrid**, **Stewart Title**, **Tesco**, **Wells Fargo**, **Syrinx Cloud**, or **Other**.
-
+ - **Industry**: The available values are: **Banking**, **Business services**, **Consumer services**, **Education**, **Energy**, **Construction**, **Consulting**, **Financial services**, **Government**, **Hospitality**, **Insurance**, **Legal**, **Courier services**, **IT**, **Healthcare**, **Manufacturing**, **Retail**, **Telecom**, **Real estate**, or **Other**. - **Current event**: The available values are **Yes** or **No**.
When you select a payload from the list, a details flyout appears with the follo
|**Unprofessional looking design or formatting**|Message body| |**URL hyperlinking**|Message body| |**You're special**|Message body|
-
+ This list is curated to contain the most common clues that appear in phishing messages. If you select the email message subject or the message body as the location for the indicator, a **Select text** button appears. Click this button to select the text in the message subject or message body where you want the indicator to appear. When you're finished, click **Select**.
security Attack Simulation Training Training Campaigns https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-training-campaigns.md
audience: ITPro
ms.localizationpriority: medium-+ - m365-security - tier2 description: Admins can learn how to create training campaigns in Attack simulation training in Microsoft Defender for Office 365 Plan 2.
When you're finished, click **Next**.
The **Training reminder notification** page is available only if you selected **Customized end user notifications** on the **[Select end user notification](#select-end-user-notification)** page. - **Set frequency for reminder notification**: Select **Weekly** (default) or **Twice a week**.
- - Reminder notifications will stop at the end of the campaign
+ - Reminder notifications will stop at the end of the campaign.
- **Select a reminder notification**: This section shows the following notifications and their configured languages:
security Connectors Detect Respond To Compromise https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connectors-detect-respond-to-compromise.md
Last updated 12/01/2022
Connectors are used for enabling mail flow between Microsoft 365 or Office 365 and email servers that you have in your on-premises environment. For more information, see [Configure mail flow using connectors in Exchange Online](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow).
-A compromised inbound connector is defined as when an unauthorized individual either applies change(s) to an existing inbound connector or creates a new inbound connector in a Microsoft 365 tenant, with the intention of sending spam or phish emails. Note that this is applicable only to inbound connectors of type OnPremises.
+A compromised inbound connector is defined as when an unauthorized individual either applies change(s) to an existing inbound connector or creates a new inbound connector in a Microsoft 365 tenant, with the intention of sending spam or phish emails. Note that this is applicable only to inbound connectors of type OnPremises.
## Detect a compromised connector Here are some of the characteristics of a compromised connector: -- Sudden spike in outbound mail volume.
+- Sudden spike in outbound mail volume.
- Mismatch between P1 and P2 senders in outbound mails. For more information on P1 and P2 senders, see [How EOP validates the From address to prevent phishing](anti-phishing-from-email-address-validation.md#an-overview-of-email-message-standards). -- Outbound mails sent from a domain that is not provisioned or registered.
+- Outbound mails sent from a domain that is not provisioned or registered.
-- The connector is blocked from sending relaying mail.
+- The connector is blocked from sending relaying mail.
-- The presence of an inbound connector wasn't created by the intended user or the administrator.
+- The presence of an inbound connector wasn't created by the intended user or the administrator.
-- Unauthorized change(s) in existing connector configuration, such as name, domain name, and IP address.
+- Unauthorized change(s) in existing connector configuration, such as name, domain name, and IP address.
-- A recently compromised administrator account. Note that you can edit connector configuration only if you have administrative access.
+- A recently compromised administrator account. Note that you can edit connector configuration only if you have administrative access.
## Secure and restore email function to a suspected compromised connector You must complete all the following steps to regain access to your connector. These steps help you remove any back-door entries that may have been added to your connector.
-### Step 1: Identify if an inbound connector has been compromised
+### Step 1: Identify if an inbound connector has been compromised
#### Review recent suspicious connector traffic or related messages
-If you have [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md), go directly to https://security.microsoft.com/threatexplorer.
+If you have [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md), go directly to <https://security.microsoft.com/threatexplorer>.
-1. Select **Connector**, insert **Connector Name**, select date range, and then click **Refresh**.
+1. Select **Connector**, insert **Connector Name**, select date range, and then click **Refresh**.
:::image type="content" source="../../media/connector-compromise-explorer.png" alt-text="Inbound connector explorer view" lightbox="../../media/connector-compromise-explorer.png":::
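Review bot: In the "Detect a compromised connector" list, the bullet "The presence of an inbound connector wasn't created by the intended user or the administrator" is changed only for trailing whitespace and is still ungrammatical. "An inbound connector that wasn't created by the intended user or the administrator" states the indicator directly. "The connector is blocked from sending relaying mail" in the same list also needs rewording, since "sending relaying mail" does not parse as written.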
If you have [Microsoft Defender for Office 365 plan 2](defender-for-office-365.m
:::image type="content" source="../../media/connector-compromise-abnormal-spike.png" alt-text="Number of emails delivered to junk folder" lightbox="../../media/connector-compromise-abnormal-spike.png":::
-3. Identify:
+3. Identify:
- - If **Sender IP** matches with your organization's on-prem IP address.
+ - If **Sender IP** matches with your organization's on-prem IP address.
- - If a significant number of emails were recently sent to the **Junk** folder. This is a good indicator of a compromised connector being used to send spam.
+ - If a significant number of emails were recently sent to the **Junk** folder. This is a good indicator of a compromised connector being used to send spam.
- - If the recipients are the ones that your organization usually stays in contact with.
+ - If the recipients are the ones that your organization usually stays in contact with.
:::image type="content" source="../../media/connector-compromise-sender-ip.png" alt-text="Sender IP and your organization's on-prem IP address" lightbox="../../media/connector-compromise-sender-ip.png":::
-If you have [Microsoft Defender for Office 365 Plan 1](defender-for-office-365.md) or [Exchange Online Protection](eop-about.md), go to https://admin.exchange.microsoft.com/#/messagetrace.
+If you have [Microsoft Defender for Office 365 Plan 1](defender-for-office-365.md) or [Exchange Online Protection](eop-about.md), go to <https://admin.exchange.microsoft.com/#/messagetrace>.
-1. Open **Suspicious connector activity** alert in https://security.microsoft.com/alerts.
+1. Open **Suspicious connector activity** alert in <https://security.microsoft.com/alerts>.
2. Select an activity under **Activity list**, and copy suspicious **connector domain** and **IP address** detected in the alert. :::image type="content" source="../../media/connector-compromise-outbound-email-details.png" alt-text="Connector compromise outbound email details" lightbox="../../media/connector-compromise-outbound-email-details.png":::
-
-3. Search by using **connector domain** and **IP address** in [**Message trace**](https://admin.exchange.microsoft.com/#/messagetrace).
+
+3. Search by using **connector domain** and **IP address** in [**Message trace**](https://admin.exchange.microsoft.com/#/messagetrace).
:::image type="content" source="../../media/connector-compromise-new-message-trace.png" alt-text="New message trace flyout" lightbox="../../media/connector-compromise-new-message-trace.png":::
-
-4. In the **Message trace** search results, identify:
- - If a significant number of emails were recently marked as **FilteredAsSpam**. This is a good indicator of a compromised connector being used to send spam.
+4. In the **Message trace** search results, identify:
+
+ - If a significant number of emails were recently marked as **FilteredAsSpam**. This is a good indicator of a compromised connector being used to send spam.
- - If the recipients are the ones that your organization usually stays in contact with.
+ - If the recipients are the ones that your organization usually stays in contact with.
:::image type="content" source="../../media/connector-compromise-message-trace-results.png" alt-text="New message trace search results" lightbox="../../media/connector-compromise-message-trace-results.png":::
-#### Investigate and validate connector-related activity
+#### Investigate and validate connector-related activity
-Use the following command line in PowerShell to investigate and validate connector-related activity by a user in the audit log. For more information, see [Use a PowerShell script to search the audit log](/compliance/audit-log-search-script).
+Use the following command line in PowerShell to investigate and validate connector-related activity by a user in the audit log. For more information, see [Use a PowerShell script to search the audit log](/compliance/audit-log-search-script).
```powershell Search-UnifiedAuditLog -StartDate "<ExDateTime>" -EndDate "<ExDateTime>" -Operations "New-InboundConnector", "Set-InboundConnector", "Remove-InboundConnector ```
-### Step 2: Review and revert unauthorized change(s) in a connector
+### Step 2: Review and revert unauthorized change(s) in a connector
-1. Sign into https://admin.exchange.microsoft.com/.
+1. Sign into <https://admin.exchange.microsoft.com/>.
-2. Review and revert unauthorized connector change(s).
+2. Review and revert unauthorized connector change(s).
-### Step 3: Unblock the connector to re-enable mail flow
+### Step 3: Unblock the connector to re-enable mail flow
-1. Sign into https://security.microsoft.com/restrictedentities.
+1. Sign into <https://security.microsoft.com/restrictedentities>.
-2. Select the restricted connector to unblock the connector.
+2. Select the restricted connector to unblock the connector.
### Step 4: Investigate and remediate potentially compromised administrative user account
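Review bot: In the `Search-UnifiedAuditLog` example under "Investigate and validate connector-related activity", the last `-Operations` entry, `"Remove-InboundConnector`, has no closing quotation mark, so the command as shown will not run when pasted into PowerShell. The introductory sentence above it was edited in this change but the command was left as is. Close the string so all three operations (`New-InboundConnector`, `Set-InboundConnector`, `Remove-InboundConnector`) are searched.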
security Defender For Office 365 Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md
For more information on what's new with other Microsoft Defender security produc
## January 2023 - [Automatic Tenant Allow/Block List expiration management is now available in Microsoft Defender for Office 365](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447): Microsoft will now automatically remove entries from the allow list once the system has learned from it. Alternatively, Microsoft will extend the expiration time of the allows if the system has not learned yet. This will prevent your legitimate emails from going to junk or quarantine.-- **Configuring third-party phishing simulations in Advanced Delivery:** We have expanded "Simulation URLs to allow" limit to 30 URLs. To learn how to configure, see [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](skip-filtering-phishing-simulations-sec-ops-mailboxes.md)
+- **Configuring third-party phishing simulations in Advanced Delivery:** We have expanded "Simulation URLs to allow" limit to 30 URLs. To learn how to configure, see [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](skip-filtering-phishing-simulations-sec-ops-mailboxes.md)
## December 2022
For more information on what's new with other Microsoft Defender security produc
- With **allow expiry management** (currently in private preview), if Microsoft hasn't learned from the allow, Microsoft will automatically extend the expiry time of allows, which are going to expire soon, by 30 days to prevent legitimate email from going to junk or quarantine again. - Customers in the government cloud environments will now be able to create allow and block entries for URLs and attachments in the Tenant Allow/Block List using the admin URL and email attachment submissions. The data submitted through the submissions experience won't leave the customer tenant, thus satisfying the data residency commitments for government cloud clients. - **Enhancement in URL click alerts:**
- - With the new lookback scenario, the "A potentially malicious URL click was detected" alert will now include any clicks during the _past 48 hours_ (for emails) from the time the malicious URL verdict is identified.
+ - With the new lookback scenario, the "A potentially malicious URL click was detected" alert will now include any clicks during the _past 48 hours_ (for emails) from the time the malicious URL verdict is identified.
## September 2022 - **Anti-spoofing enhancement for internal domains and senders:** - For spoofing protection, the allowed senders or domains defined in the [anti-spam policy](anti-spam-policies-configure.md) and within user allow lists must now pass authentication in order for the allowed messages to be honored. The change only impacts messages that are considered to be internal (the sender or sender's domain is in an accepted domain in the organization). All other messages will continue to be handled as they are today.
-**Automatic redirection from Office 365 Security & Compliance Center to Microsoft 365 Defender portal:** Automatic redirection begins for users accessing the security solutions in Office 365 Security & Compliance center (protection.office.com) to the appropriate solutions in Microsoft 365 Defender portal (security.microsoft.com). This is for all security workflows like: Alerts, Threat Management, and Reports.
+**Automatic redirection from Office 365 Security & Compliance Center to Microsoft 365 Defender portal:** Automatic redirection begins for users accessing the security solutions in Office 365 Security & Compliance center (protection.office.com) to the appropriate solutions in Microsoft 365 Defender portal (security.microsoft.com). This is for all security workflows like: Alerts, Threat Management, and Reports.
- Redirection URLs: - GCC Environment:
For more information on what's new with other Microsoft Defender security produc
- DoD Environment: - From Office 365 Security & Compliance Center URL: scc.protection.apps.mil - To Microsoft 365 Defender URL: security.apps.mil-- Items in the Office 365 Security & Compliance Center that aren't related to security aren't redirected to Microsoft 365 Defender. For compliance solutions redirection to Microsoft 365 Compliance Center, see Message Center post 244886.
+- Items in the Office 365 Security & Compliance Center that aren't related to security aren't redirected to Microsoft 365 Defender. For compliance solutions redirection to Microsoft 365 Compliance Center, see Message Center post 244886.
- This is a continuation of [Microsoft 365 Defender delivers unified XDR experience to GCC, GCC High and DoD customers - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/public-sector-blog/microsoft-365-defender-delivers-unified-xdr-experience-to-gcc/ba-p/3263702), announced in March 2022. - This change enables users to view and manage additional Microsoft 365 Defender security solutions in one portal. - This change impacts all customers who use the Office 365 Security & Compliance Center (protection.office.com), including Microsoft Defender for Office (Plan 1 or Plan 2), Microsoft 365 E3 / E5, Office 365 E3/ E5, and Exchange Online Protection. For the full list, see [Security & Compliance Center - Service Descriptions | Microsoft Docs](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance)
security Email Security In Microsoft Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-security-in-microsoft-defender.md
- m365-security - tier1 description: View and investigate malware phishing attempts.-+ - seo-marvel-apr2020
To see malware detected in email sorted by Microsoft 365 technology, use the [**
### Report a message as clean in Explorer
-You can use the **Report clean** option in Explorer to report a message as false positive.
+You can use the **Report clean** option in Explorer to report a message as false positive.
1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Explorer**, and then, in the **View** drop down list, verify that **Phish** is selected.
-2. Verify that you're on the **Email** tab, and then from the list of reported messages, select the one you'd like to report as clean.
+2. Verify that you're on the **Email** tab, and then from the list of reported messages, select the one you'd like to report as clean.
3. Click **Actions** to expand the list of options.
You can use the **Report clean** option in Explorer to report a message as false
> [!div class="mx-imgBorder"] > :::image type="content" source="../../media/report-clean-option-explorer.png" alt-text="The Report clean option in the Explorer" lightbox="../../media/report-clean-option-explorer.png":::
-5. Toggle the slider to **On**. From the drop down list, specify the number of days you want the message to be removed, add a note if needed, and then select **Submit**.
+5. Toggle the slider to **On**. From the drop down list, specify the number of days you want the message to be removed, add a note if needed, and then select **Submit**.
## View phishing URL and click verdict data
security Identity Access Policies Guest Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies-guest-access.md
audience: Admin
+f1.keywords:
- NOCSH -+ - it-pro - goldenconfig-+ - M365-identity-device-management - m365-security - m365solution-identitydevice
Configure Conditional Access policies for:
- [Exchange Online](secure-email-recommended-policies.md) - [SharePoint](sharepoint-file-access-policies.md) - [Microsoft Defender for Cloud Apps](mcas-saas-access-policies.md)
-
security Identity Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies.md
The following steps will help create a Conditional Access policy to require devi
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. 1. Under **Include**, select **All users**.
- 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
+ 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
1. Under **Cloud apps or actions** > **Include**, select **All cloud apps**. 1. If you must exclude specific applications from your policy, you can choose them from the **Exclude** tab under **Select excluded cloud apps** and choose **Select**. 1. Under **Access controls** > **Grant**.
security Install App Guard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/install-app-guard.md
ms.localizationpriority: medium
search.appverid: - MET150 - MOE150-+ - m365-security - tier3 description: Get the latest in hardware-based isolation. Prevent current and emerging attacks like exploits or malicious links from disrupting employee productivity and enterprise security.
To learn more about Microsoft 365 Apps update channels, see [Overview of update
### Enable Application Guard for Office
-1. If you're running Windows 10, download and install **Windows 10 cumulative monthly security updates KB4571756**. Note that if you're running Windows 11, you don't need to download and install the security update. Simply follow the rest of the process steps.
+1. If you're running Windows 10, download and install **Windows 10 cumulative monthly security updates KB4571756**. Note that if you're running Windows 11, you don't need to download and install the security update. Simply follow the rest of the process steps.
2. Select **Microsoft Defender Application Guard** under Windows Features and select **OK**. Enabling the Application Guard feature will prompt a system reboot. You can choose to reboot now or after step 3.
To learn more about Microsoft 365 Apps update channels, see [Overview of update
Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard ```
-3. From the Group Policy Editor window, expand **Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Application Guard**. Enable the **Turn on Microsoft Defender Application Guard in Managed Mode** setting. Set the value under Options as **2** or **3**.
+3. From the Group Policy Editor window, expand **Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Application Guard**. Enable the **Turn on Microsoft Defender Application Guard in Managed Mode** setting. Set the value under Options as **2** or **3**.
:::image type="content" source="../../media/ag04-deploy.png" alt-text="The option to turn on AG in Managed Mode" lightbox="../../media/ag04-deploy.png":::
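Review bot: step 3 tells the reader to set the value under Options to **2** or **3** but never says what each value turns on, so an admin cannot tell which one to choose or how the two differ in what gets isolated. Since the line is being touched anyway, add a short clause for each value, or link to the policy reference that defines them.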
For more on configuring Windows diagnostic settings, refer to [Configuring Windo
### Confirm that Application Guard for Office is enabled and working
-Before confirming that Application Guard for Office is enabled:
+Before confirming that Application Guard for Office is enabled:
1. Launch Word, Excel, or PowerPoint on a device where the policies have been deployed.
If you encounter any issues when launching Application Guard for Office, you're
### Submit feedback via One Customer Voice
-You may also submit feedback from within Word, Excel, and PowerPoint if the issue happens when files are opened in Application Guard. Refer to [Provide feedback](https://insider.office.com/en-us/handbook#Provide-feedback) for detailed guidance.
+You may also submit feedback from within Word, Excel, and PowerPoint if the issue happens when files are opened in Application Guard. Refer to [Provide feedback](https://insider.office.com/handbook#Provide-feedback) for detailed guidance.
## Integration with Microsoft Defender for Endpoint and Microsoft Defender for Office 365
security Mdo Data Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-data-retention.md
ms.localizationpriority: medium
- m365-security - tier2-
-description: Microsoft Defender for Office 365 data retention informationThreat Explorer/ Real-Time detections
+
+description: Microsoft Defender for Office 365 data retention informationThreat Explorer/ Real-Time detections
search.appverid: met150
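Review bot: the `description:` line is re-added with the run-together text `informationThreat Explorer/ Real-Time detections`, so the metadata still has no separator between "information" and "Threat Explorer" and keeps a stray space after the slash. Reword it as a proper sentence while the line is being changed, and confirm that the blank line added just above it, between metadata keys, is intended.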
security Mdo Email Entity Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-email-entity-page.md
- m365-security - tier1 - highpri-+ description: Microsoft Defender for Office 365 E5 and P1 and P2 customers can see email details in all Microsoft Defender for Office 365 experiences including the email headers for copy, Detection details, Threats detected, Latest and Original delivery locations, Delivery actions, and IDs like Alert Id, Network Message ID and more. search.appverid: met150
See email details in the experiences below, including [previewing and downloadin
## How to get to the email entity page
-Anywhere you find email details throughout the Microsoft Defender for Office 365, the email entity details are available. This includes:
+Anywhere you find email details throughout the Microsoft Defender for Office 365, the email entity details are available. This includes:
+ - Threat Explorer - Advanced Hunting - Alerts
These details are specific to email attachments and URLs. Users can see these de
Users will see enriched detonation details for known malicious attachments or URLs found in their emails, which got detonated for their specific tenant. It will include the Detonation chain, Detonation summary, Screenshot, and Observed behavior details to help customers understand why the attachment or URL was deemed malicious and detonated.
-1. *Detonation chain*. A single file or URL detonation can trigger multiple detonations. The Detonation chain tracks the path of detonations, including the original malicious file or URL that caused the verdict, and all other files or URLs affected by the detonation. These URLs or attached files may not be directly present in the email, but including that analysis is important to determining why the file or URL was found to be malicious.
+1. *Detonation chain*. A single file or URL detonation can trigger multiple detonations. The Detonation chain tracks the path of detonations, including the original malicious file or URL that caused the verdict, and all other files or URLs affected by the detonation. These URLs or attached files may not be directly present in the email, but including that analysis is important to determining why the file or URL was found to be malicious.
> [!NOTE] > This may show just the top level item if none of the entities linked to it were found to be problematic, or were detonated.
Users will see enriched detonation details for known malicious attachments or UR
- *Exchange transport rules (also known as mail flow rules or ETRs)*: These rules are applied to a message at the transport layer and take precedence over phish and spam verdicts. Mail flow rules are created and modified in the Exchange admin center at <https://admin.exchange.microsoft.com/#/transportrules>, but if any mail flow rule applies to a message, the rule name and GUID will be shown here. Valuable information for tracking purposes. -- *Primary Override: Source*: Primary override and source refer to the tenant or user setting which impacted the delivery of the email, overriding the delivery location given by the system (as per the threat and detection technology). As an example, this could be an email blocked due to a tenant configured transport rule or an email allowed due to an end-user setting for Safe Senders.
+- *Primary Override: Source*: Primary override and source refer to the tenant or user setting which impacted the delivery of the email, overriding the delivery location given by the system (as per the threat and detection technology). As an example, this could be an email blocked due to a tenant configured transport rule or an email allowed due to an end-user setting for Safe Senders.
-- *All Overrides*: All Overrides refer to the list of overrides (tenant or user settings) that was applied on the email, which may or may not have impacted the delivery of an email. As an example, if a tenant configured transport rule, as well as a tenant configured policy setting (for example, from the Tenant Allow Block lists), is applied to an email, then both will be listed in this field. You can check the primary override field to determine the setting that impacted the delivery of the email.
+- *All Overrides*: All Overrides refer to the list of overrides (tenant or user settings) that was applied on the email, which may or may not have impacted the delivery of an email. As an example, if a tenant configured transport rule, as well as a tenant configured policy setting (for example, from the Tenant Allow Block lists), is applied to an email, then both will be listed in this field. You can check the primary override field to determine the setting that impacted the delivery of the email.
- *Bulk Complaint Level (BCL)*: The bulk complaint level (BCL) of the message. A higher BCL indicates a bulk mail message is more likely to generate complaints (the natural result if the email is likely to be spam).
Users will see enriched detonation details for known malicious attachments or UR
- *Forwarding*: For scenarios with autoforwarding, it indicates the forwarding user as well as the forwarding type like ETR or SMTP forwarding. -- *Distribution list*: Shows the distribution list, if the recipient received the email as a member of the list. It shows the top level distribution list if there are nested distribution lists involved.
+- *Distribution list*: Shows the distribution list, if the recipient received the email as a member of the list. It shows the top level distribution list if there are nested distribution lists involved.
- *To, Cc*: Indicates the addresses that are listed in To, Cc fields of an email. The information in these fields is restricted to 5000 characters.
Users will see enriched detonation details for known malicious attachments or UR
## Actions you can take on the Email entity Page
-Security teams can now take email actions like soft delete and hard delete, move to junk, move to inbox, trigger an investigation, submit to Microsoft for review in line, and et cetera. **Tenant level block** actions like file and URL or sender can also be triggered from the Email entity page.
+Security teams can now take email actions like soft delete and hard delete, move to junk, move to inbox, trigger an investigation, submit to Microsoft for review in line, and et cetera. **Tenant level block** actions like file and URL or sender can also be triggered from the Email entity page.
-You will be able to select **Take actions** from the top right corner of the entity page and this will open the Action wizard for you to select the specific action you need.
+You will be able to select **Take actions** from the top right corner of the entity page and this will open the Action wizard for you to select the specific action you need.
![Take action from entity page.](../../media/Take-ActionWizard-Email-entity.png)
-In the Action wizard you can take email actions, email submissions, block sender and sender domain, investigative actions and two step approval (add to remediation) in the same side pane. This follows a consistent flow for ease of use. The Action wizard uses the same system as is used by Explorer actions (for Delete, Submissions, and Investigation actions), for example. You will be able to see and track these actions in the
- [Unified action center](https://security.microsoft.com/action-center/history) (for deleted emails), in the
- [Submission portal](https://security.microsoft.com/reportsubmission) (for submissions), and in [Tenant Allow/Block Lists](https://security.microsoft.com/tenantAllowBlockList) page for (TABL blocks).
+In the Action wizard you can take email actions, email submissions, block sender and sender domain, investigative actions and two step approval (add to remediation) in the same side pane. This follows a consistent flow for ease of use. The Action wizard uses the same system as is used by Explorer actions (for Delete, Submissions, and Investigation actions), for example. You will be able to see and track these actions in the
+ [Unified action center](https://security.microsoft.com/action-center/history) (for deleted emails), in the
+ [Submission portal](https://security.microsoft.com/reportsubmission) (for submissions), and in [Tenant Allow/Block Lists](https://security.microsoft.com/tenantAllowBlockList) page for (TABL blocks).
-We are also bringing Tenant level block URL and attachment to the respective Email entity URL and Attachments tabs. Upon approval, all the Tenant Allow and Block Lists (or TABL) block URL and block attachments can be tracked under TABL/URL and TABL/file pages.
+We are also bringing Tenant level block URL and attachment to the respective Email entity URL and Attachments tabs. Upon approval, all the Tenant Allow and Block Lists (or TABL) block URL and block attachments can be tracked under TABL/URL and TABL/file pages.
![Take block URL action from entity page.](../../media/Block-URL-Email-entity.png)
-See [permissions](mdo-portal-permissions.md) required to take these actions.
+See [permissions](mdo-portal-permissions.md) required to take these actions.
-
### The Email summary panel The email summary panel is a summarized view of the full email entity page. It contains standardized details about the email (for example, detections), as well as context-specific information (for example, for Quarantine or Submissions metadata). The email summary panel replaces the traditional email flyouts throughout Microsoft Defender for Office 365.
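Review bot: the re-added paragraphs under "Actions you can take on the Email entity Page" only change whitespace and keep two wording defects. The first paragraph ends its list with "and et cetera", which should be "and so on" or simply dropped, and the Action wizard paragraph ends with "page for (TABL blocks)", where the parenthesis is misplaced; "page (for TABL blocks)" matches the two parentheticals before it. It would also help to say in the "Upon approval" sentence who approves the block, since the wizard paragraph mentions two step approval without naming the approver.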
The email summary panel is a summarized view of the full email entity page. It c
> ![Open the email entity link.](../../medio.png) > [!NOTE]
-> To view all the components, click on the **Open email entity** link to open the full email entity page.
+> To view all the components, click on the **Open email entity** link to open the full email entity page.
-The email summary panel is divided into the following sections:
+The email summary panel is divided into the following sections:
- *Delivery details*: Contains information about threats and corresponding confidence level, detection technologies, and original and latest delivery location. - *Email details*: Contains information about email properties like sender name, sender address, time received, authentication details, and other several other details. -- *URLs*: By default, you will see 3 URLs and their corresponding threats. You can always select **View all URLs** to expand and see all URLs and export them.
+- *URLs*: By default, you will see 3 URLs and their corresponding threats. You can always select **View all URLs** to expand and see all URLs and export them.
-- *Attachments*: By default, you will see 3 attachments. You can always select **View all attachments** to expand and see all attachments.
+- *Attachments*: By default, you will see 3 attachments. You can always select **View all attachments** to expand and see all attachments.
-In addition to the above sections, you will also see sections specific to few experiences that are integrated with the summary panel:
+In addition to the above sections, you will also see sections specific to few experiences that are integrated with the summary panel:
-- Submissions:
+- Submissions:
- - *Submission details*: Contains information about the specific submissions such as:
- - Date submitted
- - Subject
- - Submission type
- - Reason for submitting
- - Submission ID
- - Submitted by
+ - *Submission details*: Contains information about the specific submissions such as:
+ - Date submitted
+ - Subject
+ - Submission type
+ - Reason for submitting
+ - Submission ID
+ - Submitted by
- - *Result details*: Messages that are submitted are reviewed. You can see the result of your submission as well as any recommended next steps.
+ - *Result details*: Messages that are submitted are reviewed. You can see the result of your submission as well as any recommended next steps.
-- Quarantine:
+- Quarantine:
- - *Quarantine details*: Contains quarantine-specific details. For more information, see [Manage quarantined messages](quarantine-admin-manage-messages-files.md#view-quarantined-message-details).
+ - *Quarantine details*: Contains quarantine-specific details. For more information, see [Manage quarantined messages](quarantine-admin-manage-messages-files.md#view-quarantined-message-details).
- - Expires: The date/time when the message will be automatically and permanently deleted from quarantine.
- - Released to: All email addresses (if any) to which the message has been released.
- - Not yet released to: All email addresses (if any) to which the message has not yet been released.
+ - Expires: The date/time when the message will be automatically and permanently deleted from quarantine.
+ - Released to: All email addresses (if any) to which the message has been released.
+ - Not yet released to: All email addresses (if any) to which the message has not yet been released.
- - *Quarantine actions*: For more information on different quarantine actions, see [Manage quarantined messages](quarantine-admin-manage-messages-files.md#take-action-on-quarantined-email).
+ - *Quarantine actions*: For more information on different quarantine actions, see [Manage quarantined messages](quarantine-admin-manage-messages-files.md#take-action-on-quarantined-email).
security Mdo Sec Ops Manage Incidents And Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-sec-ops-manage-incidents-and-alerts.md
The most effective way to take action is to use the built-in integration with In
You take action on email based on the result of a manual investigation or hunting activity. [Threat Explorer](threat-explorer-about.md) allows security team members to take action on any email messages that might still exist in cloud mailboxes. They can take action on intra-org messages that were sent between users in your organization. Threat Explorer data is available for the last 30 days.
-Watch this short video to learn how Microsoft 365 Defender combines alerts from various detection sources, like Defender for Office 365, into incidents.
+Watch this short video to learn how Microsoft 365 Defender combines alerts from various detection sources, like Defender for Office 365, into incidents.
+ > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWGpcs]
security Microsoft 365 Policies Configurations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-365-policies-configurations.md
audience: Admin
+f1.keywords:
- NOCSH -+ - it-pro - goldenconfig-+ - M365-identity-device-management - m365-security - m365solution-identitydevice
Each industry also has their own set of specialized regulations. Rather than pro
This guidance shows you how to implement Zero Trust protection for identities and devices for each of these levels of protection. Use this guidance as a minimum for your organization and adjust the policies to meet your organization's specific requirements.
-It's important to use consistent levels of protection across your identities, devices, and data. For example, protection for users with priority accounts&mdash;such as executives, leaders, managers, and others&mdash;should include the same level of protection for their identities, their devices, and the data they access.
+It's important to use consistent levels of protection across your identities, devices, and data. For example, protection for users with priority accounts&mdash;such as executives, leaders, managers, and others&mdash;should include the same level of protection for their identities, their devices, and the data they access.
<!-- The **Zero Trust identity and device protection for Microsoft 365** architecture model shows you which capabilities are comparable. [![Thumb image for Zero Trust Identity and device protection for Microsoft 365 poster.](../../media/microsoft-365-policies-configurations/zero-trust-id-device-protection-model-thumbnail.png)](../../downloads/MSFT_cloud_architecture_identity&device_protection.pdf) <br> [View as a PDF](../../downloads/MSFT_cloud_architecture_identity&device_protection.pdf) \| [Download as a PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity&device_protection.pdf) \| [Download as a Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity&device_protection.vsdx) >
+-->
Additionally, see the [Deploy information protection for data privacy regulations](../../solutions/information-protection-deploy.md) solution to protect information stored in Microsoft 365.
Microsoft recommends that you do not create policy sets that apply to all apps b
1. Configure prerequisite identity features and their settings. 2. Configure the common identity and access Conditional Access policies. 3. Configure Conditional Access policies for guest and external users.
-4. Configure Conditional Access policies for Microsoft 365 cloud apps&mdash;such as Microsoft Teams, Exchange, and SharePoint&mdash;and Microsoft Defender for Cloud Apps policies.
+4. Configure Conditional Access policies for Microsoft 365 cloud appsΓÇösuch as Microsoft Teams, Exchange, and SharePointΓÇöand Microsoft Defender for Cloud Apps policies.
After you have configured Zero Trust identity and device access, see the [Azure AD feature deployment guide](/azure/active-directory/fundamentals/active-directory-deployment-checklist-p2) for a phased checklist of additional features to consider and [Azure AD Identity Governance](/azure/active-directory/governance/) to protect, monitor, and audit access.
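Review bot: the new text for step 4 replaces both `&mdash;` entities with the character sequence `ΓÇö`, which is what a UTF-8 em dash looks like when it is decoded in the wrong code page, so the rendered step will show garbage around "such as Microsoft Teams, Exchange, and SharePoint". Revert the line to the `&mdash;` form used in the removed line (and still used in the "consistent levels of protection" paragraph earlier in this file), and check the editor or tool encoding that produced this before the same corruption lands in other files.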
security Office 365 Ti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-ti.md
Use the Incidents list (this is also called Investigations) to see a list of in
To view the list of current incidents for your organization in the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Incidents & alerts** \> **Incidents**. Or, to go directly to the **Incidents** page, use <https://security.microsoft.com/incidents>. - ### Attack simulation training Use Attack simulation training to set up and run realistic cyberattacks in your organization, and identify vulnerable people before a real cyberattack affects your business. To learn more, see [Simulate a phishing attack](attack-simulation-training-simulations.md).
security Priority Accounts Security Recommendations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/priority-accounts-security-recommendations.md
Title: Security recommendations for priority accounts in Microsoft 365, priority accounts, priority accounts in Office 365, priority accounts in Microsoft 365
+f1.keywords:
- NOCSH
audience: Admin ms.localizationpriority: medium
+search.appverid:
- MET150 - MOE150-
+ms.assetid:
+ - m365-security - m365solution-overview - m365solution-protecthve
description: Admins can learn how to elevate the security settings and use reports, alerts, and investigations for priority accounts in their Microsoft 365 organizations. Previously updated : 12/08/2022 Last updated : 2/28/2023 # Security recommendations for priority accounts in Microsoft 365
Last updated 12/08/2022
Not all user accounts have access to the same company information. Some accounts have access to sensitive information, such as financial data, product development information, partner access to critical build systems, and more. If compromised, accounts that have access to highly confidential information pose a serious threat. We call these types of accounts _priority accounts_. Priority accounts include (but aren't limited to) CEOs, CISOs, CFOs, infrastructure admin accounts, build system accounts, and more.
+Microsoft Defender for Office 365 supports priority accounts as tags that can be used in filters in alerts, reports, and investigations. For more information, see [User tags in Microsoft Defender for Office 365](user-tags-about.md).
+ For attackers, ordinary phishing attacks that cast a random net for ordinary or unknown users are inefficient. On the other hand, _spear phishing_ or _whaling_ attacks that target priority accounts are very rewarding for attackers. So, priority accounts require stronger than ordinary protection to help prevent account compromise. Microsoft 365 and Microsoft Defender for Office 365 contain several key features that provide additional layers of security for your priority accounts. This article describes these capabilities and how to use them.
After you secure and tag your priority users, you can use the available reports,
|Feature|Description| ||| |Alerts|The user tags of affected users are visible and available as filters on the **Alerts** page in the Microsoft 365 Defender portal. For more information, see [Viewing alerts](../../compliance/alert-policies.md#view-alerts).|
+|Incidents|The user tags for all correlated alerts are visible on the **Incidents** page in the Microsoft 365 Defender portal. For more information, see [Manage incidents and alerts](mdo-sec-ops-manage-incidents-and-alerts.md).|
+|Custom alert policies|You can create alert policies based on user tags in the Microsoft 365 Defender portal. For more information, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md).|
|Explorer <p> Real-time detections|In **Explorer** (Defender for Office 365 Plan 2) or **Real-time detections** (Defender for Office 365 Plan 1), user tags are visible in the Email grid view and the Email details flyout. User tags are also available as a filterable property. For more information, see [Tags in Explorer](threat-explorer-about.md#tags-in-threat-explorer).|
+|Email entity page|You can filter emails based on applied user tags in Microsoft Defender for Office 365 E5, and Defender for Office P1 and P2. For more information, see [Email entity page](mdo-email-entity-page.md).|
|Campaign Views|User tags are one of many filterable properties in Campaign Views in Microsoft Defender for Office 365 Plan 2. For more information, see [Campaign Views](campaigns.md).| |Threat protection status report|In virtually all of the views and detail tables in the **Threat protection status report**, you can filter the results by **priority accounts**. For more information, see [Threat protection status report](reports-email-security.md#threat-protection-status-report).|
+|Top senders and recipients report|You can add this user tag to the top 20 message senders in your organization. For more information, see [Top senders and recipients report](reports-email-security.md#top-senders-and-recipients-report).|
+|Compromised user report|User accounts that are marked as **Suspicious** or **Restricted** in Microsoft 365 organizations with Exchange Online mailboxes shows up in this report. For more information, see [Compromised user report](reports-email-security.md#compromised-users-report).|
+|Admin submissions and user reported messages|Use the Submissions page in the Microsoft 365 Defender portal to submit email messages, URLs, and attachments to Microsoft for analysis. For more information, see [Admin submissions and user reported messages](submissions-admin.md).|
+|Quarantine|Quarantine is available to hold potentially dangerous or unwanted messages in Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations for **Priority accounts**. For more information, see [Quarantine email messages](quarantine-about.md).|
+|Attack simulation|To test your security policies and practices, run a benign cyberattack simulation for your target users. For more information, see [Attack simulation](attack-simulation-training-simulations.md#target-users).|
|Email issues for priority accounts report|The **Email issues for priority accounts** report in the Exchange admin center (EAC) contains information about undelivered and delayed messages for **priority accounts**. For more information, see [Email issues for priority accounts report](/exchange/monitoring/mail-flow-reports/mfr-email-issues-for-priority-accounts-report).| ## Train users
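Review bot: several of the added table rows do not say how the priority account tag applies to the feature they name, which is the purpose of this table. In the "Compromised user report" row, "User accounts ... shows up" should be "show up", and the row never mentions tags; the "Top senders and recipients report" row says "You can add this user tag to the top 20 message senders" without saying which tag or where; the "Admin submissions and user reported messages" and "Attack simulation" rows describe the feature in general terms only. Rewrite each description to state what is visible or filterable by user tag, in the same form as the existing Alerts and Explorer rows.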
In addition, Microsoft recommends that users take the actions described in this
## See also
-[Announcing Priority Account Protection in Microsoft Defender for Office 365](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/announcing-priority-account-protection-in-microsoft-defender-for/ba-p/1696385)
+- [User tags in Microsoft Defender for Office 365](user-tags-about.md)
+- [Configure and review priority accounts](protection-stack-microsoft-defender-for-office365.md)
+- [Manage and monitor priority accounts](../../admin/setup/priority-accounts.md)
+- [Announcing Priority Account Protection in Microsoft Defender for Office 365](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/announcing-priority-account-protection-in-microsoft-defender-for/ba-p/1696385)
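Review bot: in the new "See also" list, the link text "Configure and review priority accounts" points to `protection-stack-microsoft-defender-for-office365.md`, which in this same update is titled "Step-by-step threat protection stack in Microsoft Defender for Office 365". The text and the target do not match. Either point the link at the article that covers configuring priority accounts (the update also touches `priority-accounts-turn-on-priority-account-protection.md`) or change the link text to the protection stack title.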
security Priority Accounts Turn On Priority Account Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/priority-accounts-turn-on-priority-account-protection.md
Microsoft Defender for Office 365 supports priority accounts as tags that can be
For more information, see [User tags in Microsoft Defender for Office 365](user-tags-about.md).
+> [!NOTE]
+> Currently, you can only apply user tags to mailbox users.
+> Your organization can tag a maximum of 250 users using the Priority account tag.
+> Each custom tag has a maximum of 10,000 users per tag and your organization can create up to 500 custom tags.
+ ## Review differentiated protection from priority account protection The affects of priority account protection are visible in the following features:
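Review bot: the three statements in the added `[!NOTE]` block sit on consecutive `>` lines with no list markers or blank quoted lines between them, so Markdown will render them as one run-on paragraph. Make them a bulleted list inside the note so the limits (mailbox users only, 250 users for the Priority account tag, 10,000 users per custom tag and 500 custom tags) read as separate items. While in this hunk, "The affects of priority account protection" in the following paragraph should be "The effects".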
security Protection Stack Microsoft Defender For Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protection-stack-microsoft-defender-for-office365.md
Title: Step-by-step threat protection stack in Microsoft Defender for Office 365
+ Title: Step-by-step threat protection stack in Microsoft Defender for Office 365
+f1.keywords:
- NOCSH
ms.localizationpriority: medium
description: Follow the path of an incoming message through the threat filtering stack in Microsoft Defender for Office 365. -+ - m365-security - tier2 search.appverid: met150
The Microsoft Defender for Office 365 protection or filtering stack can be broke
## Phase 1 - Edge Protection
-Unfortunately, Edge blocks that were once *critical* are now relatively simple for bad actors to overcome. Over time, less traffic is blocked here, but it remains an important part of the stack.
+Unfortunately, Edge blocks that were once *critical* are now relatively simple for bad actors to overcome. Over time, less traffic is blocked here, but it remains an important part of the stack.
Edge blocks are designed to be automatic. In the case of false positive, senders will be notified and told how to address their issue. Connectors from trusted partners with limited reputation can ensure deliverability, or temporary overrides can be put in place, when onboarding new endpoints.
security Quarantine Admin Manage Messages Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files.md
Admins in organizations with Microsoft Defender for Office 365 can also manage f
You view and manage quarantined messages in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
-Watch this short video to learn how to manage quarantined messages as an administrator.
+Watch this short video to learn how to manage quarantined messages as an administrator.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWGGPF] ## What do you need to know before you begin?
Watch this short video to learn how to manage quarantined messages as an adminis
After you've entered the search criteria, press ENTER to filter the results. > [!NOTE]
- > The **Search** box on the main **Quarantine** page will search only quarantined items in the current view, not the entire quarantine. To search all quarantined items, use **Filter** and the resulting **Filters** flyout.
+ > The **Search** box on the main **Quarantine** page will search only quarantined items in the current view, not the entire quarantine. To search all quarantined items, use **Filter** and the resulting **Filters** flyout.
After you find a specific quarantined message, select the message to view details about it, and to take action on it (for example, view, release, download, or delete the message).
security Real Time Detections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/real-time-detections.md
- tier1 - highpri description: Use Explorer or Real-time detections to investigate and respond to threats efficiently.-+ - seo-marvel-apr2020
This article explains the difference between Explorer and real-time detections r
If your organization has [Microsoft Defender for Office 365](defender-for-office-365.md), and you have the [permissions](#required-licenses-and-permissions), you can use **Explorer** (also known as **Threat Explorer**) or **Real-time detections** to detect and remediate threats.
-In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration**, and then choose **Explorer** _or_ **Real-time detections**. To go directly to the page, use <https://security.microsoft.com/threatexplorer> or <https://security.microsoft.com/realtimereports>.
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration**, and then choose **Explorer** *or* **Real-time detections**. To go directly to the page, use <https://security.microsoft.com/threatexplorer> or <https://security.microsoft.com/realtimereports>.
With these tools, you can:
For more information, see [Email security with Explorer](email-security-in-micro
## Updated experience for Explorer and Real-time detections
-The experience for Threat Explorer and Real-time detections is updated to align with modern accessibility standards, and to optimize the workflow. For a short while, you will be able to toggle between the old experience and the new one.
+The experience for Threat Explorer and Real-time detections is updated to align with modern accessibility standards, and to optimize the workflow. For a short while, you will be able to toggle between the old experience and the new one.
> [!NOTE]
-> Toggling impacts only your account and does not impact anyone else within your tenant.
+> Toggling impacts only your account and does not impact anyone else within your tenant.
Threat Explorer and Real-time detections is divided into the following views: -- *All email*: Shows all email analyzed by Defender for office 365 and contains both good and malicious emails. This feature is only present in Threat Explorer and is not available for Real-time detections. By default, it is set to show data for two days, which can be expanded up to 30 days. This is also the default view for Threat Explorer.
+- *All email*: Shows all email analyzed by Defender for office 365 and contains both good and malicious emails. This feature is only present in Threat Explorer and is not available for Real-time detections. By default, it is set to show data for two days, which can be expanded up to 30 days. This is also the default view for Threat Explorer.
-- *Malware view*: Shows emails on which a malware threat was identified. This is the default view for Real-time detections, and shows data for two days (can be expanded to 30 days).
+- *Malware view*: Shows emails on which a malware threat was identified. This is the default view for Real-time detections, and shows data for two days (can be expanded to 30 days).
- *Phish view*: Shows emails on which a phish threat was identified. -- *Content malware view*: Shows malicious detections identified in files shared through OneDrive, SharePoint, or Teams.
+- *Content malware view*: Shows malicious detections identified in files shared through OneDrive, SharePoint, or Teams.
Here are the common components within these experiences: - Filters
- - You can use the various filters to view the data based on email or file attributes.
+ - You can use the various filters to view the data based on email or file attributes.
- - By default, the time filter is applied to the records, and is applied for two days.
+ - By default, the time filter is applied to the records, and is applied for two days.
- - If you are applying multiple filters, they are applied in 'AND' mode and you can use the advanced filter to change it to 'OR' mode.
+ - If you are applying multiple filters, they are applied in 'AND' mode and you can use the advanced filter to change it to 'OR' mode.
- - You can use commas to add multiple values for the same filter.
+ - You can use commas to add multiple values for the same filter.
- > [!div class="mx-imgBorder"]
- > ![Explorer filters](../../media/explorer-new-experience-filters.png)
+ > [!div class="mx-imgBorder"]
+ > ![Explorer filters](../../media/explorer-new-experience-filters.png)
- Charts
- - Charts provide a visual, aggregate view of data based on filters. You can use different filters to view the data by different dimensions.
+ - Charts provide a visual, aggregate view of data based on filters. You can use different filters to view the data by different dimensions.
> [!NOTE]
- > You may see no results in chart view even if you are seeing an entry in the list view. This happens if the filter does not produce any data. For example, if you have applied the filter malware family, but the underlying data does not have any malicious emails, then you may see the message no data available for this scenario.
+ > You may see no results in chart view even if you are seeing an entry in the list view. This happens if the filter does not produce any data. For example, if you have applied the filter malware family, but the underlying data does not have any malicious emails, then you may see the message no data available for this scenario.
- > [!div class="mx-imgBorder"]
- > ![Explorer chart view](../../media/explorer-new-experience-export-chart-data.png)
+ > [!div class="mx-imgBorder"]
+ > ![Explorer chart view](../../media/explorer-new-experience-export-chart-data.png)
-- Results grid
+- Results grid
- - Results grid shows the email results based on the filters you have applied.
+ - Results grid shows the email results based on the filters you have applied.
- - Based on the configuration set in your tenant, data will be shown in UTC or local timezone, with the timezone information available in the first column.
+ - Based on the configuration set in your tenant, data will be shown in UTC or local timezone, with the timezone information available in the first column.
- - You can navigate to the individual email entity page from the list view by clicking the **Open in new window** icon.
+ - You can navigate to the individual email entity page from the list view by clicking the **Open in new window** icon.
- - You can also customize your columns to add or remove columns to optimize your view.
+ - You can also customize your columns to add or remove columns to optimize your view.
- > [!Note]
- > You can toggle between the *Chart View* and the *List View* to maximize your result set.
+ > [!Note]
+ > You can toggle between the *Chart View* and the *List View* to maximize your result set.
- > [!div class="mx-imgBorder"]
- > ![Explorer grid view](../../media/explorer-new-experience-list-chart-view.png)
+ > [!div class="mx-imgBorder"]
+ > ![Explorer grid view](../../media/explorer-new-experience-list-chart-view.png)
-- Detailed flyout
+- Detailed flyout
- - You can click on hyperlinks to get to the email summary panel (entries in Subject column), recipient, or IP flyout.
+ - You can click on hyperlinks to get to the email summary panel (entries in Subject column), recipient, or IP flyout.
- - The email summary panel replaces the legacy email flyout, and also provides a path to access the email entity panel.
+ - The email summary panel replaces the legacy email flyout, and also provides a path to access the email entity panel.
- - The individual entity flyouts like IP, recipient, and URL would reflect the same information, but presented in a single tab-based view, with the ability to expand and collapse the different sections based on requirement.
+ - The individual entity flyouts like IP, recipient, and URL would reflect the same information, but presented in a single tab-based view, with the ability to expand and collapse the different sections based on requirement.
- - For flyouts like URLs, you can click **View all Email** or **View all Clicks** to view the full set of emails/clicks containing that URL, as well as export the result set.
+ - For flyouts like URLs, you can click **View all Email** or **View all Clicks** to view the full set of emails/clicks containing that URL, as well as export the result set.
- Actions
- - From Threat Explorer, you can trigger remediation actions like *Delete an email*. For more information on remediation, remediation limits, and tracking remediation see [Remediate malicious email](remediate-malicious-email-delivered-office-365.md).
+ - From Threat Explorer, you can trigger remediation actions like *Delete an email*. For more information on remediation, remediation limits, and tracking remediation see [Remediate malicious email](remediate-malicious-email-delivered-office-365.md).
- Export
- - You can click **Export chart data** to export the chart details. Similarly, click **Export email list** to export email details.
+ - You can click **Export chart data** to export the chart details. Similarly, click **Export email list** to export email details.
- - You can export up to 200K records for email list. However, for better system performance and reduced download time, you should use various email filters.
+ - You can export up to 200K records for email list. However, for better system performance and reduced download time, you should use various email filters.
- > [!div class="mx-imgBorder"]
- > ![Export chart data](../../media/explorer-new-experience-export-chart-data.png)
+ > [!div class="mx-imgBorder"]
+ > ![Export chart data](../../media/explorer-new-experience-export-chart-data.png)
-In addition to these features, you will also get updated experiences like *Top URLs*, *Top clicks*, *Top targeted users*, and *Email origin*. *Top URLs*, *Top clicks*, and *Top targeted users* can be further filtered based on the filter that you apply within Explorer.
+In addition to these features, you will also get updated experiences like *Top URLs*, *Top clicks*, *Top targeted users*, and *Email origin*. *Top URLs*, *Top clicks*, and *Top targeted users* can be further filtered based on the filter that you apply within Explorer.
## Required licenses and permissions
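Review bot: in the Export section, the re-added image line `![Export chart data](../../media/explorer-new-experience-export-chart-data.png)` points at the same file as `![Explorer chart view]` under Charts, so one of the two is probably the wrong screenshot; please check which image belongs to the chart view. This pass only strips trailing whitespace, so it is also a cheap moment to fix text it re-adds unchanged: "Defender for office 365" in the *All email* bullet should read "Office 365", and `[!Note]` under Results grid should match the `[!NOTE]` casing used in the rest of the file.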
security Remediate Malicious Email Delivered Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/remediate-malicious-email-delivered-office-365.md
-+ - m365-security - tier1 audience: admin
+f1.keywords:
- NOCSH ms.localizationpriority: medium search.appverid: MET150
Security teams can use Explorer to select emails in several ways:
- Choose emails by hand: Use filters in various views. Select up to 100 emails to remediate. -- Query selection: Select an entire query by using the top **select all** button. The same query is also shown in action center mail submission details. Customers can submit maximum 200,000 emails from threat explorer.
+- Query selection: Select an entire query by using the top **select all** button. The same query is also shown in action center mail submission details. Customers can submit maximum 200,000 emails from threat explorer.
-- Query selection with exclusion: Sometimes security operations teams may want to remediate emails by selecting an entire query and excluding certain emails from the query manually. To do so, an admin can use the **Select all** check box and scroll down to exclude emails manually. The query can hold a maximum of 200,000 emails.
+- Query selection with exclusion: Sometimes security operations teams may want to remediate emails by selecting an entire query and excluding certain emails from the query manually. To do so, an admin can use the **Select all** check box and scroll down to exclude emails manually. The query can hold a maximum of 200,000 emails.
Once emails are selected through Explorer, you can start remediation by taking direct action or by queuing up emails for an action: - Direct approval: When actions like *move to inbox*, *move to junk*, *move to deleted items*, *soft delete*, or *hard delete* are selected by security personnel who have appropriate permissions, and the next steps in remediation are followed, the remediation process begins to execute the selected action.
-> [!NOTE]
-> As the remediation gets kicked-off, it generates an alert and an investigation in parallel. Alert shows up in the alerts queue with the name "Administrative action submitted by an Administrator" suggesting that security personnel took the action of remediating an entity. It presents details like name of the person who performed the action, supporting investigation link, time etc. It works really well to know every time a harsh action like remediation is performed on entities. All these actions can be tracked under the **Actions & Submissions** \> **Action center** -> **History tab** (public preview).
+
+ > [!NOTE]
+ > As the remediation gets kicked-off, it generates an alert and an investigation in parallel. Alert shows up in the alerts queue with the name "Administrative action submitted by an Administrator" suggesting that security personnel took the action of remediating an entity. It presents details like name of the person who performed the action, supporting investigation link, time etc. It works really well to know every time a harsh action like remediation is performed on entities. All these actions can be tracked under the **Actions & Submissions** \> **Action center** -> **History tab** (public preview).
- Two-step approval: An "add to remediation" action can be taken by admins who don't have appropriate permissions or who need to wait to execute the action. In this case, the targeted emails are added to a remediation container. Approval is needed before the remediation is executed.
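Review bot: the navigation path at the end of the re-indented note still mixes two separators, `\>` after **Actions & Submissions** and `->` after **Action center**; use `\>` for both. Indenting the note under the *Direct approval* bullet is the right fix, but the bold in `**History tab**` also covers the word "tab"; if the UI label is just "History", move "tab" outside the bold.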
Open any remediation item to view details about it, including its remediation na
- *Email count* Displays the number of emails submitted through Threat Explorer. These emails can be actionable or not actionable. - *Action logs* Show the details of remediation statuses like successful, failed, and already in destination.
+ :::image type="content" source="../../media/microsoft-365-defender-action-center-history-panel.png" alt-text="The Action Center with the Move to Inbox option open.":::
- **Actionable**: Emails in the following cloud mailbox locations can be acted on and moved: - Inbox
Open any remediation item to view details about it, including its remediation na
Admins can take actions on emails in quarantine if necessary, but those emails will expire out of quarantine if they're not manually purged. By default, emails quarantined because of malicious content aren't accessible by users, so security personnel don't have to take any action to get rid of threats in quarantine. If the emails are on-premises or external, the user can be contacted to address the suspicious email. Or the admins can use separate email server/security tools for removal. These emails can be identified by applying the *delivery location = on-prem* external filter in Explorer. For failed or dropped email, or email not accessible by users, there won't be any email to mitigate, since these mails don't reach the mailbox.
-
- **Action logs**: This shows the messages remediated, successful, failed, already in destination. Status can be:
Open any remediation item to view details about it, including its remediation na
- **Success**: The desired action on remediable emails was accomplished. For example: An admin wants to remove emails from mailboxes, so the admin takes the action of soft-deleting emails. If a remediable email isn't found in the original folder after the action is taken, the status will show as successful. - **Failure**: The desired action on remediable emails failed. For example: An admin wants to remove emails from mailboxes, so the admin takes the action of soft-deleting emails. If a remediable email is still found in the mailbox after the action is taken, status will show as failed.
-
+ - **Already in destination**: The desired action was already taken on the email OR the email already existed in the destination location. For example: An email was soft deleted by the admin through Explorer on day one. Then similar emails show up on day 2, which are again soft deleted by the admin. While selecting these emails, admin ends up picking some emails from day one that are already soft deleted. Now these emails will not be acted upon again, they will just show as "already in destination", since no action was taken on them as they existed in the destination location. - **New**: An *Already in destination* column has been added in the Action Log. This feature uses the latest delivery location in Threat Explorer to signal if the mail has already been remediated. *Already in destination* will help security teams understand the total number of messages that still need to be addressed.
security Safe Links About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-about.md
> [!IMPORTANT] > This article is intended for business customers who have [Microsoft Defender for Office 365](defender-for-office-365.md). If you're using Outlook.com, Microsoft 365 Family, or Microsoft 365 Personal, and you're looking for information about Safelinks in Outlook, see [Advanced Outlook.com security](https://support.microsoft.com/office/882d2243-eab9-4545-a58a-b36fee4a46e2).
-Safe Links is a feature in [Defender for Office 365](defender-for-office-365.md) that provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations. Safe Links scanning occurs in addition to the regular [anti-spam](anti-spam-protection-about.md) and [anti-malware](anti-malware-protection-about.md) in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
+Safe Links is a feature in [Defender for Office 365](defender-for-office-365.md) that provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, Teams messages and other locations. Safe Links scanning occurs in addition to the regular [anti-spam](anti-spam-protection-about.md) and [anti-malware](anti-malware-protection-about.md) in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
Watch this short video on how to protect against malicious links with Safe Links in Microsoft Defender for Office 365.
security Scc Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/scc-permissions.md
Managing permissions in Defender for Office 365 or Purview compliance gives user
|**Content Explorer List Viewer**|View all items in Content explorer in list format only.|Data Classification List Viewer| |**Data Investigator**|Perform searches on mailboxes, SharePoint Online sites, and OneDrive for Business locations.|Communication <br/><br/> Compliance Search <br/><br/> Custodian <br/><br/> Data Investigation Management <br/><br/> Export <br/><br/> Preview <br/><br/> Review <br/><br/> RMS Decrypt <br/><br/> Search And Purge| |**eDiscovery Manager**|Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in eDiscovery (Premium). <br/><br/> An eDiscovery Administrator is a member of the eDiscovery Manager role group who has been assigned additional permissions. In addition to the tasks that an eDiscovery Manager can perform, an eDiscovery Administrator can:<ul><li>View all eDiscovery cases in the organization.</li><li>Manage any eDiscovery case after they add themselves as a member of the case.</li></ul> <br/><br/> The primary difference between an eDiscovery Manager and an eDiscovery Administrator is that an eDiscovery Administrator can access all cases that are listed on the **eDiscovery cases** page in the compliance portal. An eDiscovery manager can only access the cases they created or cases they are a member of. For more information about making a user an eDiscovery Administrator, see [Assign eDiscovery permissions in the compliance portal](../../compliance/assign-ediscovery-permissions.md).|Case Management <br/><br/> Communication <br/><br/> Compliance Search <br/><br/> Custodian <br/><br/> Export <br/><br/> Hold <br/><br/> Manage Review Set Tags <br/><br/> Preview <br/><br/> Review <br/><br/> RMS Decrypt <br/><br/> Scope Manager|
-|**Global Reader**|Members have read-only access to reports, alerts, and can see all the configuration and settings. <br/><br/> The primary difference between Global Reader and Security Reader is that a Global Reader can access **configuration and settings**.|Compliance Manager Reader <br/><br/> Scope Manager <br/><br/> Security Reader <br/><br/> Sensitivity Label Reader <br/><br/> Service Assurance View <br/><br/> View-Only Audit Logs <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts <br/><br/> View-Only Recipients <br/><br/> View-Only Record Management <br/><br/> View-Only Retention Management|
+|**Global Reader**|Members have read-only access to reports, alerts, and can see all the configuration and settings. <br/><br/> The primary difference between Global Reader and Security Reader is that a Global Reader can access **configuration and settings**.|Compliance Manager Reader <br/><br/> Security Reader <br/><br/> Sensitivity Label Reader <br/><br/> Service Assurance View <br/><br/> View-Only Audit Logs <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts <br/><br/> View-Only Recipients <br/><br/> View-Only Record Management <br/><br/> View-Only Retention Management|
|**Information Protection**|Full control over all information protection features, including sensitivity labels and their policies, DLP, all classifier types, activity and content explorers, and all related reports.|Data Classification Content Viewer <br/><br/> Data Classification List Viewer <br/><br/> Information Protection Admin <br/><br/> Information Protection Analyst <br/><br/> Information Protection Investigator <br/><br/> Information Protection Reader <br/><br/> Purview Evaluation Administrator| |**Information Protection Admins**|Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies.|Information Protection Admin <br/><br/> Purview Evaluation Administrator| |**Information Protection Analysts**|Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Data Classification List Viewer <br/><br/> Information Protection Analyst <br/><br/> Purview Evaluation Administrator|
The following roles aren't assigned to the Organization Management role group by
|**Review**|This role lets users access review sets in eDiscovery (Premium) cases. Users who are assigned this role can see and open the list of cases on the **eDiscovery \> Advanced** page in the Microsoft Purview compliance portal that they're members of. After the user accesses an eDiscovery (Premium) case, they can select **Review sets** to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Users with this role can only access the data in a review set.|Data Investigator <br/><br/> eDiscovery Manager <br/><br/> Insider Risk Management <br/><br/> Insider Risk Management Investigators <br/><br/> Reviewer| |**RMS Decrypt**|Decrypt RMS-protected content when exporting search results.|Data Investigator <br/><br/> eDiscovery Manager| |**Role Management**|Manage role group membership and create or delete custom role groups.|Organization Management|
-|**Scope Manager**|Enables administrators to create, edit, delete, and control access to scoping features such as Adaptive Scopes in the organization.|Communication Compliance <br/><br/> Communication Compliance Administrators <br/><br/> Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> eDiscovery Manager <br/><br/> Global Reader <br/><br/> Organization Management <br/><br/> Records Management|
+|**Scope Manager**|Enables administrators to create, edit, delete, and control access to scoping features such as Adaptive Scopes in the organization.|Communication Compliance <br/><br/> Communication Compliance Administrators <br/><br/> Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> eDiscovery Manager <br/><br/> Organization Management <br/><br/> Records Management|
|**Search And Purge**|Lets people bulk-remove data that matches the criteria of a content search.|Data Investigator <br/><br/> Organization Management| |**Security Administrator**|View and edit the configuration and reports for Security features.|Organization Management <br/><br/> Security Administrator| |**Security Reader**|View the configuration and reports for Security features.|Global Reader <br/><br/> Organization Management <br/><br/> Security Operator <br/><br/> Security Reader|
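Review bot: the two Scope Manager edits in this file (Scope Manager dropped from the Global Reader row, Global Reader dropped from the Scope Manager row) change what a documented role group can do, yet nothing in the article tells admins that the mapping changed. The tables are consistent with each other after both hunks, and the result fits the stated intent, since Global Reader is described as "read-only access" while Scope Manager "Enables administrators to create, edit, delete, and control access to scoping features". Consider adding a short note near the Global Reader row so that anyone who relied on the old mapping knows to re-check their assignments.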
security Secure By Default https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-by-default.md
Title: Secure by default in Office 365
+f1.keywords:
- NOCSH
Last updated 1/31/2023
audience: ITPro ms.localizationpriority: medium
+search.appverid:
- MET150 - MOE150-+ - m365-security - tier2 description: Learn more about the secure by default setting in Exchange Online Protection (EOP)
Because Microsoft wants to keep our customers secure by default, some tenants ov
- IP Allow List (connection filtering) - Exchange mail flow rules (also known as transport rules)
-If you want to temporarily allow certain messages that are still being blocked by Microsoft, do so using [admin submissions](submissions-admin.md#report-good-email-to-microsoft).
+If you want to temporarily allow certain messages that are still being blocked by Microsoft, do so using [admin submissions](submissions-admin.md#report-good-email-to-microsoft).
More information on these overrides can be found in [Create safe sender lists](create-safe-sender-lists-in-office-365.md).
security Connect Microsoft Defender For Office 365 To Microsoft Sentinel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/connect-microsoft-defender-for-office-365-to-microsoft-sentinel.md
Title: Connect Microsoft Defender for Office 365 to Microsoft Sentinel description: The steps to connect Microsoft Defender for Office 365 to Sentinel. Add your Microsoft Defender for Office 365 data (*and* data from the rest of the Microsoft 365 Defender suite), including incidents, to Microsoft Sentinel for a single pane of glass into your security.
-search.product:
+search.product:
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH ms.localizationpriority: medium audience: ITPro-+ - m365-guidance-templates - m365-security - tier3
Take advantage of rich security information events management (SIEM) combined wi
> The Microsoft 365 Defender connector is currently in **PREVIEW**. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.> ## What you will need+ - Microsoft Defender for Office 365 Plan 2 or higher. (Included in E5 plans) - Microsoft Sentinel [Quickstart guide](/azure/sentinel/quickstart-onboard). - Sufficient permissions (Security Administrator in M365 & Read / Write permissions in Sentinel). ## Add the Microsoft 365 Defender Connector
-1. [Login to the Azure Portal](https://portal.azure.com) and navigate to **Microsoft Sentinel** > Pick the relevant workspace to integrate with Microsoft 365 Defender
- 1. On the left-hand navigation menu underneath the heading **Configuration** > choose **Data connectors**.
+
+1. [Login to the Azure Portal](https://portal.azure.com) and navigate to **Microsoft Sentinel** \> Pick the relevant workspace to integrate with Microsoft 365 Defender.
+ 1. On the left-hand navigation menu underneath the heading **Configuration** \> choose **Data connectors**.
2. When the page loads, **search for** Microsoft 365 Defender **and select the Microsoft 365 Defender (preview) connector**. 3. On the right-hand flyout, select **Open Connector Page**. 4. Under the **Configuration** section of the page that loads, select **Connect incidents & alerts**, leaving Turn off all Microsoft incident creation rules for these products ticked.
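Review bot: in step 1 the escaped `\>` now joins a UI location to an instruction ("**Microsoft Sentinel** \> Pick the relevant workspace..."), which reads as if "Pick the relevant workspace" were a menu entry; write it as a sentence, for example "go to **Microsoft Sentinel** and pick the relevant workspace". The sub-step has the same problem in "**Configuration** \> choose **Data connectors**". "Login" in the link text is used as a verb and should be "Log in" or "Sign in", and the nested `1.` sub-step followed directly by a top-level `2.` is easy to misread as a numbering error, so consider promoting it to its own step.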
security Defense In Depth Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/defense-in-depth-guide.md
Title: Getting started with defense in-depth configuration for email security description: Step-by-step configuration guidance on how to get security value from Microsoft Defender for Office 365 when you have third party email filtering.
-search.product:
+search.product:
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH -+ ms.localizationpriority: medium audience: ITPro-+ - m365-guidance-templates - m365-security - tier3
This guide is for you if:
The information below will detail how to get the most out of your investment, broken down into easy to follow steps. ## What you will need+ - Mailboxes hosted in Office 365 - One or more of: - Microsoft Defender for Office 365 Plan 1 for protection features
The information below will detail how to get the most out of your investment, br
- Built-in protection offers a base level of unobtrusive protection, and includes malware, zero day (Safe Attachments), and URL protection (Safe Links) in email (including internal email), SharePoint Online, OneDrive, and Teams. Note that URL protection provided in this state is via API call only. It doesn't wrap or rewrite URLs but does require a supported Outlook client. You can create your own custom policies to expand your protection.
-**Read more & watch an overview video of Safe Links here :** [Complete Safe Links overview](../safe-links-about.md)
+**Read more & watch an overview video of Safe Links here:** [Complete Safe Links overview](../safe-links-about.md)
-**Read more about Safe Attachments here :** [Safe Attachments](../safe-attachments-about.md)
+**Read more about Safe Attachments here:** [Safe Attachments](../safe-attachments-about.md)
### Detection, investigation, response and hunting features
The information below will detail how to get the most out of your investment, br
**Read More:** [How to configure quarantine permissions and policies](how-to-configure-quarantine-permissions-with-quarantine-policies.md) -- The Migration guide contains lots of useful guidance on preparing and tuning your environment to ready it for a migration. But many of the steps are *also* applicable to a dual-use scenario. Simply ignore the MX switch guidance in the final steps.
+- The Migration guide contains lots of useful guidance on preparing and tuning your environment to ready it for a migration. But many of the steps are *also* applicable to a dual-use scenario. Simply ignore the MX switch guidance in the final steps.
**Read it here:** [Migrate from a third-party protection service to Microsoft Defender for Office 365 - Office 365 | Microsoft Docs](../migrate-to-defender-for-office-365.md)
security Deploy And Configure The Report Message Add In https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/deploy-and-configure-the-report-message-add-in.md
Title: How-to deploy and configure the report message add-in description: The steps to deploy and configure Microsoft's phish reporting add-in(s) aimed at security administrators.
-search.product:
+search.product:
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH ms.localizationpriority: medium audience: ITPro-+ - m365-guidance-templates - m365-security - tier3
search.appverid: met150
Last updated 1/31/2023
-# Deploy and configure the report message add-in to users
+# Deploy and configure the Report Message add-in to users
-The Report Message and Report Phishing add-ins for Outlook makes it easy to report phishing to Microsoft and its affiliates for analysis, along with easy triage for admins on the Submissions page at <https://security.microsoft.com/reportsubmission?viewid=user>.
+The Report Message and Report Phishing add-ins for Outlook make it easy to report phishing to Microsoft and its affiliates for analysis, along with easy triage for admins on the Submissions page at <https://security.microsoft.com/reportsubmission?viewid=user>.
Depending on whether you are licensed for Defender for Office 365, you'll also get added functionality such as alerting & automated investigation and response (AIR), which will remove the burden from your security operations staff. This guide will walk you through configuring the add-in deployment as recommended by the Microsoft Defender for Office 365 team.
security Ensuring You Always Have The Optimal Security Controls With Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies.md
Title: Steps to quickly set up the Standard or Strict preset security policies for Microsoft Defender for Office 365 description: Step to setup preset security policies in Microsoft Defender for Office 365 so you have the security recommended by the product. Preset policies set a security profile of either *Standard* or *Strict*. Set these and Microsoft Defender for Office 365 will manage and maintain these security controls for you.
-search.product:
+search.product:
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH ms.localizationpriority: medium audience: ITPro-+ - m365-guidance-templates - m365-security - tier3
By using preset security policies (*Standard* or *Strict*), you will always have
**Use the steps below** to apply preset security policies and have Microsoft Defender for Office 365 manage and maintain security controls *for you*. ## What you will need+ - Microsoft Defender for Office 365 Plan 1 or higher (Included in E5) - Sufficient permissions (Security Administrator role) - 5 minutes to perform the steps below.
Our Strict preset security policy has more aggressive limits and settings for se
Once you've chosen between the Standard and Strict security preset policies for your users, it takes a few further steps to assign users to each preset. 1. Identify the users, groups, or domains you would like to include in Standard and Strict security presets.
-1. Login to the Microsoft Security portal at https://security.microsoft.com.
+1. Login to the Microsoft Security portal at <https://security.microsoft.com>.
1. On the left nav, under **Email & collaboration**, select **Policies & rules**. 1. Select **Threat policies**. 1. Select **Preset Security Policies** underneath the **Templated policies** heading
Use config analyzer to determine if your users are configured per Microsoft's be
> Configuration analyzer allows admins to find and fix security policies where the settings are below the Standard or Strict protection profile settings in preset security policies. Find out more about Configuration analyzer [here](../../office-365-security/configuration-analyzer-for-security-policies.md). Secure Presets are always recommended because it *ensures* admins are exercising Microsoft best practices. However, in some cases customized configurations are required. Learn about custom policies [here](../../office-365-security/tenant-wide-setup-for-increased-security.md).-
security How To Configure Quarantine Permissions With Quarantine Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-configure-quarantine-permissions-with-quarantine-policies.md
Title: How to configure quarantine permissions and policies
-description: The steps to configure quarantine policies and permissions across different groups, including AdminOnlyPolicy, limited access, full access, and providing security admins and users with a simple way to manage false positive folders.
-search.product:
+description: The steps to configure quarantine policies and permissions across different groups, including AdminOnlyPolicy, limited access, full access, and providing security admins and users with a simple way to manage false positive folders.
+search.product:
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH ms.localizationpriority: medium audience: ITPro-+ - m365-guidance-templates - m365-security - tier3
Providing security admins and users with a very simple way to manage false posit
> For a short video aimed at admins trying to set quarantine permissions and policies, [see this link](https://www.youtube.com/watch?v=vnar4HowfpY). If you are an end user opt for this [1 minute overview](https://www.youtube.com/watch?v=s-vozLO43rI) of the process. ## What you will need+ - Sufficient permissions (Security Administrator role) - 5 minutes to perform the steps below.
Once it has been decided the categories of items users can triage or not-triage,
1. Repeat these same steps for the other policies: **Anti-phishing policy**, **Anti-Malware policy**, and **Safe Attachment policy**. > [!TIP]
-> For more detailed information on what you've learned so far, see [Configure spam filter policies - Office 365 | Microsoft Docs ](../../office-365-security/anti-spam-policies-configure.md)| [Configure anti-phishing policies in EOP - Office 365 | Microsoft Docs](../../office-365-security/anti-phishing-policies-eop-configure.md) | [Configure anti-malware policies - Office 365 | Microsoft Docs](../../office-365-security/anti-malware-policies-configure.md)| [Set up Safe Attachments policies in Microsoft Defender for Office 365 - Office 365 | Microsoft Docs](../../office-365-security/safe-attachments-policies-configure.md)
+> For more detailed information on what you've learned so far, see [Configure spam filter policies - Office 365](../../office-365-security/anti-spam-policies-configure.md)| [Configure anti-phishing policies in EOP](../../office-365-security/anti-phishing-policies-eop-configure.md) | [Configure anti-malware policies](../../office-365-security/anti-malware-policies-configure.md)| [Set up Safe Attachments policies in Microsoft Defender for Office 365](../../office-365-security/safe-attachments-policies-configure.md)
## Next Steps
security How To Handle False Negatives In Microsoft Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-handle-false-negatives-in-microsoft-defender-for-office-365.md
Title: (False Negatives) How to handle malicious emails that are delivered to recipients using Microsoft Defender for Office 365
-description: The steps to handle malicious emails coming through to end users and inboxes (as False Negatives) with Microsoft Defender for Office 365 in order to prevent loss of business.
-search.product:
+description: The steps to handle malicious emails coming through to end users and inboxes (as False Negatives) with Microsoft Defender for Office 365 in order to prevent loss of business.
+search.product:
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH ms.localizationpriority: medium audience: ITPro-+ - m365-guidance-templates - m365-security - tier3
security How To Prioritize Manage Investigate And Respond To Incidents In Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-prioritize-manage-investigate-and-respond-to-incidents-in-microsoft-365-defender.md
Title: How to prioritize, Manage, Investigate & Respond to Incidents in Microsoft 365 Defender description: The steps to manage alerts triggered in Microsoft 365 Defender. Automated investigation and response (AIR) hunt across the subscription and determines the impact and scope of a threat, and combines the information into a single Incident.
-search.product:
+search.product:
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH ms.localizationpriority: medium audience: ITPro-+ - m365-guidance-templates - m365-security - tier3
When alerts are triggered in Microsoft 365 Defender, automated investigation and
## Prioritize & manage Incidents
-Navigate to the security portal Incidents page https://security.microsoft.com/incidents.
+Navigate to the security portal Incidents page <https://security.microsoft.com/incidents>.
When the Incident page loads you can filter and prioritize by clicking columns to sort the actions or press Filters to apply a filter such as data source, tags or state.
If you need to understand the items involved further, you can use the incident g
## Next Steps
-You can start using *Action Center* to act on pending action items from all incidents in your organization if you want to focus on the action items AIR needs approval for.
+You can start using *Action Center* to act on pending action items from all incidents in your organization if you want to focus on the action items AIR needs approval for.
## More Information
security How To Setup Attack Simulation Training For Automated Attacks And Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-setup-attack-simulation-training-for-automated-attacks-and-training.md
Title: How to setup automated attacks and training within Attack simulation training
+ Title: How to setup automated attacks and training within Attack simulation training
description: The steps to automate Attack Simulation training and send a payload to target users. By following this guide, you will learn to create automated attack flows with specific techniques and payloads.
-search.product:
+search.product:
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH ms.localizationpriority: medium audience: ITPro-+ - m365-guidance-templates - m365-security - tier3
security Optimize And Correct Security Policies With Configuration Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/optimize-and-correct-security-policies-with-configuration-analyzer.md
Title: Optimize and correct security policies with configuration analyzer description: The steps to optimize and correct security policies with configuration analyzer. Configuration analyzer is a central location and single pane of glass for administering and viewing the email security policies you have configured in your tenant.
-search.product:
+search.product:
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH ms.localizationpriority: medium audience: ITPro-+ - m365-guidance-templates - m365-security - tier3
Last updated 1/31/2023
Configuration analyzer is a central location and single pane of glass for administering and viewing the email security policies you have configured in your tenant. You can perform a side-to-side comparison of your settings to our Standard and Strict recommended settings, apply recommendations and view historical changes that affected your posture. ## What you'll need+ - Exchange Online Protection - Sufficient permissions (Security Administrator role) - 5 minutes to perform the steps below. ## Compare settings and apply recommendations+ 1. Navigate to [https://security.microsoft.com/configurationAnalyzer](https://security.microsoft.com/configurationAnalyzer). 1. Pick either **Standard recommendations** or **Strict recommendations** from the top menu based on the side-to-side comparison you'd like to make. 1. Recommendations for policy changes will be displayed. (If applicable)
security Protect Your C Suite With Priority Account Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/protect-your-c-suite-with-priority-account-protection.md
Last updated 1/31/2023
Priority account protection helps IT and security teams ensure a high quality of service and protection for the critical people within your organization. Tagging an account as a priority account will enable the additional protection tuned for the mail flow patterns targeting company executives, along with extra visibility in reports, alerts, and investigations. ## What you'll need+ - Microsoft Defender for Office 365 Plan 2 (included as part of E5 plans) - Sufficient permissions (Security Administrator role) - 5 minutes to perform the steps below. ## Tag Priority users+ 1. Identify the users, groups, or domains you would like to tag as priority accounts. 1. Login to the [Microsoft Security Portal](https://security.microsoft.com/) and navigate to Settings on the left navigation bar. 1. Select Email & collaboration on the page that loads and then click User tags
Priority account protection helps IT and security teams ensure a high quality of
To learn what priority account tags are see [Manage and monitor priority accounts - Microsoft 365 admin | Microsoft Docs](../../../admin/setup/priority-accounts.md). ## Next Steps+ [Review the differentiated protection for users tagged as priority accounts](../../office-365-security/priority-accounts-turn-on-priority-account-protection.md). ## PowerShell configuration
-If you want to achieve these steps via [PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), you can do this using the following cmdlets:
-1. View a list of priority accounts: **Get-User -IsVIP | select Identity**
-1. Add user to list of priority accounts: **Set-User -VIP:$true -Identity \<Identity\>**
-1. Remove user from list of priority accounts: **Set-User -VIP:$false -Identity \<Identity\>**
+
+If you want to achieve these steps via [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), you can do this using the following commands:
+
+- View a list of priority accounts: `Get-User -IsVIP | select Identity`
+- Add user to list of priority accounts: `Set-User -VIP $true -Identity <Identity>`
+- Remove user from list of priority accounts: `Set-User -VIP $false -Identity <Identity>`
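Review bot: The first bullet still uses the `select` alias in `Get-User -IsVIP | select Identity`; published commands read more clearly with the full cmdlet name, `Select-Object Identity`, matching the full names used for `Get-User` and `Set-User`. The `<Identity>` placeholder in the two `Set-User` bullets is also never explained, so a short note on what value it accepts would help readers who copy the commands.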
security Review Allow Entries https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/review-allow-entries.md
Title: Review and remove unnecessary allow list entries with Advanced Hunting in Microsoft Defender for Office 365 description: Steps and sample queries for advanced hunting to start reviewing your security configuration and removing unnecessary allow list entries.
-search.product:
+search.product:
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH ms.localizationpriority: medium audience: ITPro-+ - m365-guidance-templates - m365-security - tier3
Last updated 01/04/2023
# Introduction
-Historically, allow lists have told Exchange Online Protection to ignore the signals indicating an email is malicious. It is commonplace for vendors to request IPs, domains, and sender addresses be overridden unnecessarily. Attackers have been known to take advantage of this mistake and it is a pressing security loophole to have unnecessary allow list entries. This step-by-step guide will walk you through using advanced hunting to identify these misconfigured overrides and remove them, so you can increase your organization's security posture.
+Historically, allow lists have told Exchange Online Protection to ignore the signals indicating an email is malicious. It is commonplace for vendors to request IPs, domains, and sender addresses be overridden unnecessarily. Attackers have been known to take advantage of this mistake and it is a pressing security loophole to have unnecessary allow list entries. This step-by-step guide will walk you through using advanced hunting to identify these misconfigured overrides and remove them, so you can increase your organization's security posture.
## What you will need+ - Microsoft Defender for Office 365 Plan 2 (Included in E5 plans, or trial available at aka.ms/trymdo) - Sufficient permissions (Security reader role) - 5-10 minutes to do the steps below.
Historically, allow lists have told Exchange Online Protection to ignore the sig
## Queries
-### Top override source
+### Top override source
+ Use this query to find where the most unnecessary overrides are located. This query looks for emails that have been overridden without any detection that needed an override.
-`EmailEvents
-| where OrgLevelAction == "Allow"
-| summarize count() by OrgLevelPolicy, ThreatTypes`
+```kusto
+EmailEvents
+| where OrgLevelAction == "Allow"
+| summarize count() by OrgLevelPolicy, ThreatTypes
+```
-### Top overridden threat type
-Use this query to find the most overridden types of threat detected. This query looks for emails that had the detected threat overridden, DMARC, or Spoof indicates email authentication issues that can be fixed to remove the *need* for the override.
+### Top overridden threat type
-`EmailEvents
-| where OrgLevelAction == "Allow" and ThreatTypes != ""
-|summarize count() by DetectionMethods `
+Use this query to find the most overridden types of threat detected. This query looks for emails that had the detected threat overridden, DMARC, or Spoof indicates email authentication issues that can be fixed to remove the *need* for the override.
+
+```kusto
+EmailEvents
+| where OrgLevelAction == "Allow" and ThreatTypes != ""
+|summarize count() by DetectionMethods
+```
### Top overridden IPs+ This query looks for emails that have been overridden by IP, without any detection that called for an override.
-`EmailEvents
-| where OrgLevelAction == "Allow" and ThreatTypes != ""
-|summarize count() by SenderIPv4
-| top 10 by count_ `
+```kusto
+EmailEvents
+| where OrgLevelAction == "Allow" and ThreatTypes != ""
+|summarize count() by SenderIPv4
+| top 10 by count_
+```
### Top overridden domains+ This query looks for emails that have been overridden by sending domain without any detection that called for an override. **(Change to SenderMailFromDomain to check the 5321.MailFrom)**
-`EmailEvents
-| where OrgLevelAction == "Allow" and ThreatTypes != ""
-|summarize count() by SenderFromDomain
-| top 10 by count_ `
+```kusto
+EmailEvents
+| where OrgLevelAction == "Allow" and ThreatTypes != ""
+|summarize count() by SenderFromDomain
+| top 10 by count_
+```
### Top overridden senders+ This query looks for emails that have been overridden by sending address without any detection that requires an override. **(Change to SenderMailFromAddress to check the 5321.MailFrom)**
-`EmailEvents
-| where OrgLevelAction == "Allow" and ThreatTypes != ""
-|summarize count() by SenderFromAddress
-| top 10 by count_ `
+```kusto
+EmailEvents
+| where OrgLevelAction == "Allow" and ThreatTypes != ""
+|summarize count() by SenderFromAddress
+| top 10 by count_
+```
## Learn More+ Hopefully you found this useful, with some basic queries to get you started with advanced hunting, to learn more check out the below articles Learn more about advanced hunting: [Overview - Advanced hunting](../../defender/advanced-hunting-overview.md)
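Review bot: The descriptions and the filters disagree in several of these queries. "Top overridden IPs", "Top overridden domains" and "Top overridden senders" are described as mail overridden "without any detection", yet each filters on `ThreatTypes != ""`, which keeps only messages that did carry a detection. "Top override source" uses the same "without any detection" wording but has no `ThreatTypes` filter at all. Either the text or the `where` clauses should be aligned so a reader knows which population they are reviewing before removing allow entries. Separately, "Top overridden threat type" summarizes by `DetectionMethods` rather than `ThreatTypes`, its description runs two sentences together at "overridden, DMARC, or Spoof indicates", and the `|summarize` lines are missing the space after the pipe that the other operators have.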
security Search For Emails And Remediate Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/search-for-emails-and-remediate-threats.md
Title: Search for emails and remediate threats using Threat Explorer in Microsoft 365 Defender description: The steps to do manual remediation in Threat Explorer in Microsoft 365 Defender, including how to get the best performance and scenarios that call for remediation.
-search.product:
+search.product:
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH ms.localizationpriority: medium audience: ITPro-+ - m365-guidance-templates - m365-security - tier3
Last updated 1/31/2023
Email remediation is an already existing feature that helps admins act on emails that are threats. ## What you'll need+ - Microsoft Defender for Office 365 Plan 2 (Included in E5 plans) - Sufficient permissions (be sure to grant the account [Search and Purge](https://sip.security.microsoft.com/securitypermissions) role)
Email remediation is an already existing feature that helps admins act on emails
1. **Select a threat to remediate** in [Threat Explorer](https://security.microsoft.com/threatexplorer) and select the **Message Actions** button, which will offer you options such as *Soft Delete* or *Hard Delete*. 1. The side pane will open and ask for details like a name for the remediation, severity, and description. Once the information is reviewed, press **Submit**. 1. As soon as the admin approves this action, they will see the Approval ID and a link to the Microsoft 365 Defender Action Center [here](https://security.microsoft.com/action-center/history). This page is where **actions can be tracked**.- 1. **Admin action alert** - A system alert shows up in the alert queue with the name 'Administrative action submitted by an Administrator'. This indicates that an admin took the action of remediating an entity. It gives details such as the name of the admin who took the action, and the investigation link and time. This makes admins aware of each important action, like remediation, taken on entities. 1. **Admin action investigation** - Since the analysis on entities was already done by the admin and that's what led to the action taken, no additional analysis is done by the system. It shows details such as related alert, entity selected for remediation, action taken, remediation status, entity count, and approver of the action. This allows admins to keep track of the investigation and actions carried out *manually*--an admin action investigation.
-1. **Action logs in unified action center** - History and action logs for email actions like soft delete and move to deleted items folder, are *all available in a centralized view* under the unified **Action Center** > **History tab**.
+1. **Action logs in unified action center** - History and action logs for email actions like soft delete and move to deleted items folder, are *all available in a centralized view* under the unified **Action Center** > **History tab**.
1. **Filters in unified action center** - There are multiple filters such as remediation name, approval ID, Investigation ID, status, action source, and action type. These are useful for finding and tracking email actions in unified Action center. > [!IMPORTANT]
-> Performance
->For better performance, remediation should be done in batches of *50,000 or fewer*. Narrow down the search result by using *latest delivery location* and trigger email remediation if the email is in remediable folder like Inbox, Junk, Deleted, for example.
+> For better performance, remediation should be done in batches of *50,000 or fewer*. Narrow down the search result by using *latest delivery location* and trigger email remediation if the email is in remediable folder like Inbox, Junk, Deleted, for example.
## Scenarios that call for email remediation
Here are scenarios of email remediation:
Two manual email remediation scenarios: 1. The main scenario:
- 1. Manual actions taken on emails (for example, using Threat Explorer or Advanced Hunting) are only visible in the legacy Defender for Office 365 Action Center (Email and Collaboration > Review > Action Center in Action center - Microsoft 365 security).
+ 1. Manual actions taken on emails (for example, using Threat Explorer or Advanced Hunting) are only visible in the legacy Defender for Office 365 Action Center (Email and Collaboration > Review > Action Center in Action center - Microsoft 365 security).
1. Two-step approval scenario: 1. Manual actions pending approval using the two-step approval process (1. The email was added to remediation by one analyst, 2. The email was reviewed and approved by another analyst).
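Review bot: In the rewritten `[!IMPORTANT]` callout, the sentence "if the email is in remediable folder like Inbox, Junk, Deleted, for example" is carried over unchanged; it is missing an article ("in a remediable folder") and doubles "like" with "for example". Since the line is already being touched to drop the "Performance" label, it is worth fixing the wording in the same change.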
Given the common scenarios, email remediation can be triggered in three differen
1. **Query based remediation with exclusions**: Selecting all emails, and then manually removing a few messages (the query can hold a maximum of 1,000 emails and the maximum number of exclusions is 100). ## Next Steps+ 1. Go to the [Microsoft 365 Defender portal](https://security.microsoft.com) and sign in. 1. In the navigation pane, select **Action center**.
-1. Go to the **History** tab, click on any waiting approval list. It opens up a side pane.
+1. Go to the **History** tab, click on any waiting approval list. It opens up a side pane.
1. Track the action status in the unified action center. ## More information
security Stay Informed With Message Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/stay-informed-with-message-center.md
Title: Steps to set up a weekly digest email of message center changes for Microsoft Defender for Office 365 description: The steps to setup a weekly digest email of message center activity to stay up-to-date about changes to Microsoft Defender for Office 365.
-search.product:
+search.product:
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH ms.localizationpriority: medium audience: ITPro-+ - m365-guidance-templates - m365-security - tier3
Follow the steps below to make that helpful digest email happen.
- 5 minutes to perform the steps below. ## Steps to set up a weekly digest mail of message center changes and notifications.
-1. Login to the **Admin Center** at https://admin.microsoft.com
+
+1. Login to the **Admin Center** at <https://admin.microsoft.com>.
1. On the left-hand navigation, select **Show All**. 1. Expand **Health** and press **Message Center**. 1. On the page that loads, select **Preferences**.
Follow the steps below to make that helpful digest email happen.
You're done. ## Watch: Track your message center tasks in Planner+ [Video](https://www.microsoft.com/en-us/videoplayer/embed/RE4C7Ne) ## Learn More+ [Track new and changed features in the Microsoft 365 Message center](../../../admin/manage/message-center.md) [Track your message center tasks in Planner](/office365/planner/track-message-center-tasks-planner)
security Step By Step Guide Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/step-by-step-guide-overview.md
Title: Microsoft Defender for Office 365 step-by-step guides and how to use them
+ Title: Microsoft Defender for Office 365 step-by-step guides and how to use them
description: What are the step-by-step-guides for Microsoft 365 Defender for Office 365? See *only the steps needed to complete a task* and set up features. Information for use in trial subscriptions and production. Guidance designed to minimise information overload and speed up your configuration and use.
-search.product:
+search.product:
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH ms.localizationpriority: medium audience: ITPro-+ - m365-guidance-templates - m365-security - tier3
These step-by-step guides help administrators configure and use Microsoft Defend
> Admins need to be on top of prevention, detection, investigation and hunting, response and remediation, and user training to position their organization securely. The step-by-step guides touch on all of these areas so that admins can set up trials, launch quickly into production, and configure in minutes. >:::image type="content" source="../../../media/msft-a-graphic-showing-the-steps-to-mastering-microsoft-defender-for-office-365.png" alt-text="This graphic illustrates the areas that admins need to master in order to properly secure their organization. The step-by-step guides touch on all of these areas, so that admins can set up trials, launch quickly, and configure production in minutes.":::
-Beyond links to the documentation, the step-by-step guides don't concern themselves with product details (the docs around Microsoft Defender for Office 365 are thorough for when you need them).
+Beyond links to the documentation, the step-by-step guides don't concern themselves with product details (the docs around Microsoft Defender for Office 365 are thorough for when you need them).
Instead, these guides are streamlined for **learning by doing**, **testing**, and **running experiments**. They're ideal for **trial subscriptions**, and will allow admins and security operators to **deploy the same logic in production**.
security Tune Bulk Mail Filtering Walkthrough https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/tune-bulk-mail-filtering-walkthrough.md
ms.localizationpriority: medium audience: ITPro-+ - m365-guidance-templates - m365-security - tier3
Bulk mail is typically advertising emails or marketing messages. These emails ca
1. Take the headers of a message you're concerned with and search for the **"X-Microsoft-Antispam:"** header, which contains a **BCL value**. Make a note of this number. 1. Repeat this process until you have an average BCL value. We'll use this value as the threshold. Any mail with a **BCL** value **above** this number will be impacted by the changes we make.
-1. **Login** to the Microsoft Security portal at https://security.microsoft.com.
+1. **Login** to the Microsoft Security portal at <https://security.microsoft.com>.
1. On the **left nav**, under **Email & collaboration**, select **Policies & rules**. 1. Select **Threat policies** and then **Anti-Spam**. 1. When the page loads, the next action you'll take depends on the type of policy you're using: 1. Preset Policies can't be edited. The threshold is 6 in standard, 5 in strict.
- 1. The default (inbuilt) policy is 7.
+ 1. The default (inbuilt) policy is 7.
1. Custom policies are set to 7 by default unless another value is provided. 1. **Edit** (or create a custom policy) to set the BCL threshold that meets your needs. For example, if most of the messages you collected (which were all unwanted) have a BCL value of 4 or higher, setting the BCL value to 4 in the policy would filter out these messages for your end users. 1. Within that policy, under the **"Edit actions"** section, select the **"bulk message action"** and select what to do when the threshold is exceeded. For example, you could select Quarantine if you would like to keep all bulk out of the mailbox or use the Junk email folder for a less aggressive stance.
-1. If you receive complaints from users about too many bulk emails being blocked, you can adjust this threshold, or alternatively, submit the message to us, which will also add the sender to the TABL (Tenant Allow Block List).
+1. If you receive complaints from users about too many bulk emails being blocked, you can adjust this threshold, or alternatively, submit the message to us, which will also add the sender to the Tenant Allow Block List.
> [!TIP]
-> Review this step-by-step guide for more details on allowing senders using the TABL (Tenant Allow Block List): [How to handle legitimate emails getting blocked from delivery using Microsoft Defender for Office 365](how-to-handle-false-positives-in-microsoft-defender-for-office-365.md).
+> Review this step-by-step guide for more details on allowing senders using the Tenant Allow Block List: [How to handle legitimate emails getting blocked from delivery using Microsoft Defender for Office 365](how-to-handle-false-positives-in-microsoft-defender-for-office-365.md).
## More aggressive strategies for managing bulk senders In some cases, the sender of bulk mail doesn't generate enough complaints for its messages to be assigned a BCL value high enough to be caught by your tuned threshold value. In this situation, it's possible to use transport rules to take an aggressive approach; however, use caution, as false positives (unwanted blocking) will occur. Tune the rules with exceptions and management to stay relevant for your organization's mail patterns. > [!TIP]
->To better protect certain groups of users, such as your c-suite and priority accounts, you can create a specialized policy specifically scoped to them and set a higher BCL threshold, alongside a separate transport rule (if applicable). These groups of users might be more vulnerable to unsolicited emails due to their email addresses being readily accessible in the public domain.
+> To better protect certain groups of users, such as your c-suite and priority accounts, you can create a specialized policy specifically scoped to them and set a higher BCL threshold, alongside a separate transport rule (if applicable). These groups of users might be more vulnerable to unsolicited emails due to their email addresses being readily accessible in the public domain.
See [Use mail flow rules to filter bulk email in Exchange Online | Microsoft Learn](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-filter-bulk-mail) for more information.
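Review bot: The tip line re-indented in this hunk still says to "set a higher BCL threshold" to better protect the c-suite and priority accounts, but the tuning steps earlier in the same hunk filter messages at or above the threshold (the example sets it to 4 to catch BCL 4 or higher), so a higher value lets more bulk mail through. Since the line is already being touched, reword it to "a lower (stricter) BCL threshold" so the tip agrees with the steps.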
See [Use mail flow rules to filter bulk email in Exchange Online | Microsoft Lea
- Customers with Microsoft Defender for Office 365 Plan 1 or higher can use the [email entity page](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/introducing-the-email-entity-page-in-microsoft-defender-for/ba-p/2275420) to discover the BCL value of messages instead of interrogating headers. -- Customers with Microsoft Defender for Office 365 Plan 2 can interrogate bulk values at scale using [advanced hunting](/microsoft-365/security/office-365-security/anti-spam-spam-vs-bulk-about#how-to-tune-bulk-email.md).
+- Customers with Microsoft Defender for Office 365 Plan 2 can interrogate bulk values at scale using [advanced hunting](/microsoft-365/security/office-365-security/anti-spam-spam-vs-bulk-about#how-to-tune-bulk-email.md).
## More Information
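Review bot: The advanced hunting link on the re-added Plan 2 bullet targets `anti-spam-spam-vs-bulk-about#how-to-tune-bulk-email.md`, with `.md` appended after the fragment, so the anchor will not resolve. The path also names the spam-vs-bulk article rather than an advanced hunting page. Drop the trailing `.md` (or move it before the `#`) and confirm the intended target while the line is open.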
security Submissions Admin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin.md
After a few moments, the allow entries will appear on the **Domains & addresses*
> - Allow entries are added during mail flow based on the filters that determined the message was malicious. For example, if the sender email address and a URL in the message were determined to be bad, an allow entry is created for the sender (email address or domain) and the URL. > - If the sender email address is not found to be malicious by our filtering system, submitting the email message to Microsoft won't create an allow entry in the Tenant Allow/Block List. > - When an allowed domain or email address, spoofed sender, URL, or file (_entity_) is encountered again, all filters that are associated with the entity are skipped. For email messages, all other entities are still evaluated by the filtering system before making a decision.
-> - During mail flow, if messages from the domain or email address pass other checks in the filtering stack, the messages will be delivered. For example, if [email authentication](email-authentication-about.md) passes, a message from a sender in the allow entry will be delivered.
-> - By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). By default, allow entries for spoofed senders never expire.
+> - During mail flow, if messages from the allowed domain or email address pass other checks in the filtering stack, the messages will be delivered. For example, if a message passes [email authentication checks](email-authentication-about.md), a message from an allowed sender email address will be delivered.
+> - By default, allow entries for domains and email addresses exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages from those domains or email addresses will be delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire.
> - For messages that were incorrectly blocked by [domain or user impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), the allow entry for the domain or sender is not created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains** section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message. > - When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab in the Tenant Allow/Block List.
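Review bot: In the added 30-day bullet, "After Microsoft learns from the removed allow entries" reads as if learning happens after removal, while the sentence before it has Microsoft learn first and then remove or extend the entry. Suggest "After Microsoft learns from the allow entries and removes them, messages from those domains or email addresses will be delivered, ...". The reworded example in the bullet above also repeats its subject ("if a message passes ..., a message from an allowed sender ..."); a single clause such as "a message from an allowed sender email address that passes email authentication checks will be delivered" is easier to read.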
After a few moments, the allow entry will appear on the **Files** tab on the **T
> [!NOTE] >
-> - By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). By default, allow entries for spoofed senders never expire.
+> - By default, allow entries for files exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those files will be delivered, unless something else in the message is detected as malicious.
> - When the file is encountered again during mail flow, [Safe Attachments](safe-attachments-about.md) detonation or file reputation checks and all other file-based filters are overridden. If the filtering system determines that all other entities in the email message are clean, the message will be delivered. > - During selection, all file-based filters, including [Safe Attachments](safe-attachments-about.md) detonation or file reputation checks are overridden, allowing user access to the file.
After a few moments, the allow entry will appear on the **URL** tab on the **Ten
> [!NOTE] >
-> - By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). By default, allow entries for spoofed senders never expire.
+> - By default, allow entries for URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those URLs will be delivered, unless something else in the message is detected as malicious.
> - When the URL is encountered again during mail flow, [Safe Links](safe-links-about.md) detonation or URL reputation checks and all other URL-based filters are overridden. If the filtering system determines that all other entities in the email message are clean, the message will be delivered. > - During selection, all URL-based filters, including [Safe Links](safe-links-about.md) detonation or URL reputation checks are overridden, allowing user access to content at the URL.
security Submissions Submit Files To Microsoft https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-submit-files-to-microsoft.md
Title: Submit malware and non-malware to Microsoft for analysis
+f1.keywords:
- NOCSH
audience: ITPro ms.localizationpriority: medium
+search.appverid:
- MET150 ms.assetid: 12eba50e-661d-44b8-ae94-a34bc47fb84d-+ - m365-security - tier1 description: Admins and end-users can learn about submitting undetected malware or mis-identified malware attachments to Microsoft for analysis.
But what can you do if you receive a message with a suspicious attachment or hav
- Messages with links to malicious sites are considered spam. For more information about reporting spam and non-spam messages, see [Report messages and files to Microsoft](submissions-report-messages-files-to-microsoft.md). -- Files that block you from your accessing your system and demand money to open them are considered ransomware.
+- Files that block you from your accessing your system and demand money to open them are considered ransomware.
## Submit malware files to Microsoft
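Review bot: The ransomware bullet is re-added with only a whitespace change and still reads "Files that block you from your accessing your system", which has a stray "your". Fix it in the same change: "Files that block you from accessing your system and demand money to open them are considered ransomware."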
security Submissions User Reported Messages Custom Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-user-reported-messages-custom-mailbox.md
Before you get started, you need to configure Exchange Online Protection and Def
- Turn off Zero-hour auto purge (ZAP) for malware (**Protection settings** section \> **Enable zero-hour auto purge for malware** is not selected or `-ZapEnabled $false` in PowerShell). - Turn off common attachments filtering (**Protection settings** section \> **Enable the common attachments filter** is not selected or `-EnableFileFilter $false` in PowerShell).
-
+ For instructions, see [Create an anti-malware policy](anti-malware-policies-configure.md#use-the-microsoft-365-defender-portal-to-create-anti-malware-policies). - Verify that the reporting mailbox is not included in the **Standard** or **Strict** preset security policies. For instructions, see [Preset security policies](preset-security-policies.md).
When the toggle is **On** :::image type="icon" source="../../media/scc-toggle-on
- **Add a mailbox to send reported messages to** in the **Reported message destinations** section: Enter the email address of an existing Exchange Online mailbox to use as the reporting mailbox that holds user-reported messages from third-party reporting tools. These messages are not submitted to Microsoft. These user-reported messages appear on the **User reported** tab of the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=user>. The **Result** value for these entries is **Not Submitted to Microsoft**.
-
+ Messages sent to the reporting mailbox must include the original user reported message as an uncompressed .EML or .MSG attachment. Don't forward the original user-reported message to the reporting mailbox. > [!CAUTION]
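Review bot: The added paragraph spells the same term two ways, "original user reported message" in the first sentence and "original user-reported message" in the second. The surrounding bullet uses the hyphenated form, so use "user-reported" in both places.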
The remaining settings are the default values in "Other settings" as described i
```powershell $usersub = "reportedmessages@contoso.com"
-New-ReportSubmissionPolicy -ReportJunkToCustomizedAddress $true -ReportJunkAddresses $usersub -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses $usersub -ReportPhishToCustomizedAddress $true -ReportPhishAddresses $usersub
+New-ReportSubmissionPolicy -ReportJunkToCustomizedAddress $true -ReportJunkAddresses $usersub -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses $usersub -ReportPhishToCustomizedAddress $true -ReportPhishAddresses $usersub
New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub ```
security Submissions Users Report Message Add In Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-users-report-message-add-in-configure.md
Admins in Microsoft 365 Government Community Cloud (GCC) or GCC High need to use
1. In the Microsoft 365 admin center at <https://portal.office365.us/adminportal>, go to **Organization** \> **Add-ins**, and select **Deploy Add-In**.
-2. In the **Deploy a new add-in** flyout that opens, click **Next**, and then select **Upload custom apps**.
+2. In the **Deploy a new add-in** flyout that opens, click **Next**, and then select **Upload custom apps**.
3. Select **I have a URL for the manifest file**. Use the following URLs:
security Tenant Allow Block List About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-about.md
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-> [!NOTE]
+> [!IMPORTANT]
> To allow phishing URLs that are part of third-party attack simulation training, use the [advanced delivery configuration](skip-filtering-phishing-simulations-sec-ops-mailboxes.md) to specify the URLs. Don't use the Tenant Allow/Block List.
-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you might disagree with the EOP filtering verdict. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative).
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you might disagree with the EOP or Defender for Office 365 filtering verdict. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative).
-The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way to manually override the Microsoft 365 filtering verdicts. The Tenant Allow/Block List is used during mail flow for incoming messages from external senders. Note that it doesn't apply to messages within the organization.
+The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way to manually override the Microsoft Defender for Office or Exchange Online Protection filtering verdicts. The Tenant Allow/Block List is used during mail flow for incoming messages from external senders. Note that it doesn't apply to messages within the organization.
The Tenant Allow/Block list is available in the Microsoft 365 Defender portal at <https://security.microsoft.com> \> **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. To go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
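Review bot: The new override sentence names the product as "Microsoft Defender for Office", while the paragraph added just above it uses "Defender for Office 365". Add the missing "365", and consider the same order as the previous paragraph ("EOP or Defender for Office 365 filtering verdicts") so the two sentences read consistently.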
Use the Submissions page (also known as *admin submission*) at <https://security
- Email messages from these senders are marked as *high confidence spam* (SCL = 9). What happens to the messages is determined by the [anti-spam policy](anti-spam-policies-configure.md) that detected the message for the recipient. In the default anti-spam policy and new custom policies, messages that are marked as high confidence spam are delivered to the Junk Email folder by default. In Standard and Strict [preset security policies](preset-security-policies.md), high confidence spam messages are quarantined. - Users in the organization can't send email to these blocked domains and addresses. They'll receive the following non-delivery report (also known as an NDR or bounce message): '550 5.7.703 Your message can't be delivered because one or more recipients are blocked by your organization's tenant recipient block policy'. The entire message is blocked for all recipients of the message, even if only one recipient email address or domain is defined in a block entry.
- > [!NOTE]
+ > [!TIP]
> To block only spam from a specific sender, add the email address or domain to the block list in [anti-spam policies](anti-spam-policies-configure.md). To block all email from the sender, use **Domains and email addresses** in the Tenant Allow/Block List. -- **Files**: Email messages that contain these blocked files are blocked as *malware*. Messages contatining the blocked files are quarantined.
+- **Files**: Email messages that contain these blocked files are blocked as *malware*. Messages containing the blocked files are quarantined.
- **URLs**: Email messages that contain these blocked URLs are blocked as *high confidence phishing*. Messages containing the blocked URLs are quarantined.
In most cases, you can't directly create allow entries in the Tenant Allow/Block
The following list describes what happens in the Tenant Allow/Block List when you report something to Microsoft as a false positive on the Submissions page: -- **Email attachments** and **URLs**: An allow entry is created and the entry appears on the **Files** or **URLs** tab in the Tenant Allow/Block List.
+- **Email attachments** and **URLs**: An allow entry is created and the entry appears on the **Files** or **URLs** tab in the Tenant Allow/Block List respectively.
-- **Email**: If a message was blocked by the Microsoft 365 filtering stack, an allow entry might be created in the Tenant Allow/Block List:
+- **Email**: If a message was blocked by the EOP or Defender for Office 365 filtering stack, an allow entry might be created in the Tenant Allow/Block List:
- If the message was blocked by [spoof intelligence](anti-spoofing-spoof-intelligence.md), an allow entry for the sender is created, and the entry appears on the **Spoofed senders** tab in the Tenant Allow Block List. - If the message was blocked by [domain or user impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) in Defender for Office 365, an allow entry is not created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains section** in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message. - If the message was blocked due to file-based filers, an allow entry for the file is created, and the entry appears on the **Files** tab in the Tenant Allow Block List.
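Review bot: The two changed bullets use "Tenant Allow/Block List", but the unchanged sub-bullets directly below them say "Tenant Allow Block List" (no slash) and "file-based filers". Since this list is being edited for wording, fix both in the same pass: "file-based filters" and "Tenant Allow/Block List". A comma before "respectively" in the first added bullet would also help.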
The following list describes what happens in the Tenant Allow/Block List when yo
- If the message was blocked for any other reason, an allow entry for the sender email address or domain is created, and the entry appears on the **Domains & addresses** tab in the Tenant Allow Block List. - If the message was not blocked due to filtering, no allow entries are created anywhere.
- - If the message was blocked for other reasons, an allow entry for the sender is created, and it appears on the **Domains & addresses** tab in the Tenant Allow Block List.
-
- - If the message was not blocked, and an allow entry for the sender is not created, it won't show on the **Spoofed senders** tab or the **Domains & addresses** tab.
-
-By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from these allow entries, messages that contain these entities will be delivered, unless something else is the message is detected as malicious. By default, allow entries for spoofed senders never expire.
+By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those entities will be delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire.
-> [!NOTE]
+> [!IMPORTANT]
> Microsoft does not allow you to create allow entries directly. Unnecessary allow entries expose your organization to malicious email which could have been filtered by the system. > > Microsoft manages the creation of allow entries from the Submissions page. Allow entries are added during mail flow based on the filters that determined the message was malicious. For example, if the sender email address and a URL in the message were determined to be bad, an allow entry is created for the sender (email address or domain) and the URL. >
-> When that domain, email address, file, or URL (*entity*) is encountered again (during mail flow or time of click), all filters associated with that entity are skipped.
+> When the entity is encountered again (during mail flow or time of click), all filters associated with that entity are skipped.
>
-> During mail flow, if messages containing the entity in the allow entry pass other checks in the filtering stack, the messages will be delivered. For example, if [email authentication](email-authentication-about.md), URL filtering and file filter pass the checks, a message from a sender email address in the allow entry will be delivered.
+> During mail flow, if messages containing the allowed entity pass other checks in the filtering stack, the messages will be delivered. For example, if a message passes [email authentication checks](email-authentication-about.md), URL filtering, and file filtering, a message from an allowed sender email address will be delivered.
## What to expect after you add an allow or block entry After you add an allow entry on the Submissions page or a block entry in the Tenant Allow/Block List, the entry should start working immediately 99.999% of the time. For the rest, it could take up to 24 hours.
-An allow is created by default for a period of 30 calendar days so that Microsoft could learn from it and then remove it. With **[allow expiry management](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447)**, if Microsoft has not learned from the allow entry, Microsoft will automatically extend the expiry time of allow entries that will soon expire by another 30 days. This extension prevents legitimate email from going to junk or quarantine or legitimate URL or file from being blocked at time of click. If Microsoft does not learn within 90 calendar days from the date of the original creation of the allow entry, Microsoft will remove the allow entry. You will be kept informed throughout the process using emails.
- If Microsoft has learned from the allow entry, the entry will be removed, and you'll get an alert informing you about it.
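Review bot: The paragraph removed under "What to expect after you add an allow or block entry" was the only visible place that stated the 90-calendar-day upper limit on automatic extensions and that admins are notified by email; the replacement text earlier in the hunk says only that Microsoft will "remove them or automatically extend them". Unless that detail is covered elsewhere in the article, keep one sentence with the 90-day limit and the notification behavior. Separately, the reworded note line "When the entity is encountered again" drops the parenthetical that defined *entity* (domain, email address, file, or URL); either keep the definition at first use or write "the entity in the allow entry".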
security Tenant Allow Block List Email Spoof Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure.md
You manage allow and block entries for email in the Microsoft 365 Defender Porta
- For domains and email addresses, the maximum number of allow entries is 500, and the maximum number of block entries is 500 (1000 domain and email address entries in total). -- For Files, the maximum number of allow entries is 500, and the maximum number of block entries is 500 (1000 file entries in total).--- For URLs, the maximum number of allow entries is 500, and the maximum number of block entries is 500 (1000 URL entries in total).--- For spoofed senders, the maximum number of entries is 1024.--- By default, allow entries for **domains and email addresses**, **files** and **URLs** are created for 30 days. Microsoft will either learn from the allow entries for **domains and email addresses**, **files** and **URLs** within those 30 days, or automatically extend it for you. Once Microsoft learns, email containing these entities will be delivered to the inbox provided something else in the email is not malicious. Moreover these entities by default will open at time of click.
+- For spoofed senders, the maximum number of allow entries and block entries is 1024 (1024 allow entries and no block entries, 512 allow entries and 512 block entries, etc.).
- Entries for spoofed senders never expire.
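Review bot: The new spoofed-senders bullet says "the maximum number of allow entries and block entries is 1024", which can be read as 1024 of each until the parenthetical is reached. State the combined limit directly, for example "the maximum combined number of allow and block entries is 1024", and keep the parenthetical as the illustration.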
You have the following options to create block entries for domains and email add
- [The Submissions page in the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-domains-and-email-addresses-on-the-submissions-page) - The Tenant Allow/Block List in [the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-domains-and-email-addresses-in-the-tenant-allowblock-list) or in [PowerShell](#use-powershell-to-create-block-entries-for-domains-and-email-addresses-in-the-tenant-allowblock-list)
-To create block entries for spoofed senders, see the [Use the Microsoft 365 Defender portal to view existing allow or block entries for domains and email addresses in the Tenant Allow/Block List](#use-the-microsoft-365-defender-portal-to-view-existing-allow-or-block-entries-for-domains-and-email-addresses-in-the-tenant-allowblock-list) section later in this article.
+To create block entries for spoofed senders, see the [Use the Microsoft 365 Defender portal to create block entries for spoofed senders in the Tenant Allow/Block List](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-spoofed-senders-in-the-tenant-allowblock-list) section later in this article.
+
+By default, allow entries for domains and email addresses exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those entities will be delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire.
#### Use the Microsoft 365 Defender portal to create block entries for domains and email addresses on the Submissions page
-When you use the Submissions page at <https://security.microsoft.com/reportsubmission> to report email messages as **Should have been blocked (False negative)**, you can select **Block all emails from this recipient** to add a block entry for the sender on the **Domains & addresses** tab in the Tenant Allow/Block List.
+When you use the Submissions page at <https://security.microsoft.com/reportsubmission> to submit email messages as **Should have been blocked (False negative)**, you can select **Block all emails from this sender or domain** to add a block entry for the sender email address or domain on the **Domains & addresses** tab in the Tenant Allow/Block List.
-For instructions, see [Report questionable email to Microsoft](submissions-admin.md#report-questionable-email-to-microsoft).
+For instructions, see [Submit questionable email to Microsoft](submissions-admin.md#report-questionable-email-to-microsoft).
#### Use the Microsoft 365 Defender portal to create block entries for domains and email addresses in the Tenant Allow/Block List
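Review bot: The paragraph added after the spoofed-senders cross-reference describes the 30-day lifetime of allow entries, but it lands in the part of the article that lists the options for creating block entries, immediately before the "create block entries ... on the Submissions page" heading. Move it to the allow-entries section, or replace it here with the expiration behavior of block entries. Also check the reworded link "Submit questionable email to Microsoft": the text changed but the anchor is still `#report-questionable-email-to-microsoft`, which only works if the target heading was not renamed.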
Email messages from these senders are marked as *high confidence spam* (SCL = 9)
- **Never expire** - **Specific date**: The maximum value is 90 days from today.
- - **Optional note**: Enter descriptive text for the entries.
+ - **Optional note**: Enter descriptive text for why you're blocking the email addresses or domains.
5. When you're finished, click **Add**.
For detailed syntax and parameter information, see [New-TenantAllowBlockListItem
### Use the Microsoft 365 Defender portal to create allow entries for domains and email addresses on the Submissions page
-You can't create allow entries for domains and email addresses directly in the Tenant Allow/Block List. Instead, you use the Submissions page at <https://security.microsoft.com/reportsubmission> to report the message as a false positive, which also adds an allow entry for the sender on the **Domains & addresses** tab in the Tenant Allow/Block List.
+You can't create allow entries for domains and email addresses directly in the Tenant Allow/Block List. Instead, you use the Submissions page at <https://security.microsoft.com/reportsubmission> to submit the message as a false positive, which also adds an allow entry for the sender on the **Domains & addresses** tab in the Tenant Allow/Block List.
-By default, allow entries for domains and email addresses, files, and URLs exist for 30 days, while allow entries for spoofed senders never expire. Within those 30 days, Microsoft will learn from the allow entries or automatically extend the allow entries for you. Once Microsoft learns, email containing these entities will be delivered to the inbox provided something else in the email is not malicious. Moreover these entities by default will open at time of click.
+For instructions, see [Submit good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft).
-For instructions, see [Report good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft).
+By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those entities will be delivered, unless something else in the message is detected as malicious.
-> [!NOTE]
+> [!IMPORTANT]
> Microsoft does not allow you to create allow entries directly. Unnecessary allow entries expose your organization to malicious email which could have been filtered by the system. >
-> Microsoft manages the allow creation process from the Submissions page. Allow entries are added during mail flow based on the filters that determined the message was malicious. For example, if the sender email address and a URL in the message were determined to be bad, an allow entry is created for the sender (email address or domain) and the URL.
+> Microsoft manages the creation of allow entries from the Submissions page. Allow entries are added during mail flow based on the filters that determined the message was malicious. For example, if the sender email address and a URL in the message were determined to be bad, an allow entry is created for the sender (email address or domain) and the URL.
>
-> When that domain, email address, file, or URL (_entity_) is encountered again (during mail flow or time of click), all filters associated with that entity are skipped.
+> When the entity in the allow entry is encountered again (during mail flow or time of click), all filters associated with that entity are skipped.
>
-> During mail flow, if messages containing the entity in the allow entry pass other checks in the filtering stack, the messages will be delivered. For example, if [email authentication](email-authentication-about.md), URL filtering and file filter pass the checks, a message from a sender email address in the allow entry will be delivered.
+> During mail flow, if messages containing the allowed entity pass other checks in the filtering stack, the messages will be delivered. For example, if a message passes [email authentication checks](email-authentication-about.md), URL filtering, and file filtering, a message from an allowed sender email address will be delivered.
### Use the Microsoft 365 Defender portal to view existing allow or block entries for domains and email addresses in the Tenant Allow/Block List
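Review bot: In the added default-expiry paragraph, "After Microsoft learns from the removed allow entries" reads as though learning starts only after an entry has been removed, while the sentence before it says the learning happens during the 30 days. Suggest stating the order explicitly: once Microsoft has learned from an allow entry and removed it, messages that contain that entity are delivered unless something else in the message is detected as malicious.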
For instructions, see [Report good email to Microsoft](submissions-admin.md#repo
Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the results. The following values are available in the **Filter** flyout that appears:
- - **Action**: **Allow** and **Block**.
+ - **Action**: The values are **Allow** and **Block**.
- **Never expire**: ![Toggle on.](../../media/scc-toggle-on.png) or ![Toggle off.](../../media/scc-toggle-off.png) - **Last updated**: Select **From** and **To** dates. - **Remove on**: Select **From** and **To** dates.
For detailed syntax and parameter information, see [Get-TenantAllowBlockListItem
You can make the following modifications to entries for domains and email addresses in the Tenant Allow/Block list: - **Block entries**: The expiration date and notes.-- **Allow entries**: Notes.
+- **Allow entries**: The expiration date and notes.
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
You can make the following modifications to entries for domains and email addres
3. On the **Domains & addresses** tab, select the check box of the entry that you want to modify, and then click the ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** button that appears. 4. The following settings are available in the **Edit domain & addresses** flyout that appears:
- - **Remove block entry after**: You can extend block entries for a maximum of 90 days after the creation date or set them to **Never expire**.
+ - **Remove block entry after**: You can extend block entries for a maximum of 90 days from the system date or set them to **Never expire**.
+ - **Remove allow entry after**: You can extend allow entries for a maximum of 30 days from the system date.
- **Optional note** When you're finished, click **Save**.
-By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). By default, allow entries for spoofed senders never expire.
-
-> [!NOTE]
-> For allow entries only, if you select the entry by clicking anywhere in the row other than the check box, you can select ![View submission icon.](../../media/m365-cc-sc-view-submission-icon.png) **View submission** in the details flyout that appears to go to the **Submissions** page at <https://security.microsoft.com/reportsubmission>.
+> [!TIP]
+> For entries added via submission, if you select the entry by clicking anywhere in the row other than the check box, you can select ![View submission icon.](../../media/m365-cc-sc-view-submission-icon.png) **View submission** in the details flyout that opens, which takes you to the submission details that added the entry.
#### Use PowerShell to modify existing allow or block entries for domains and email addresses in the Tenant Allow/Block List
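Review bot: Deleting the old default-expiry paragraph in this hunk also deletes "By default, allow entries for spoofed senders never expire", and none of the added lines shown puts that statement back. Suggest keeping that sentence next to the new **Remove allow entry after** bullet, because an admin reviewing allow entries needs to know which ones are never aged out automatically.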
In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-
Set-TenantAllowBlockListItems -ListType Sender <-Ids <Identity value> | -Entries <Value value>> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>] ```
-This example changes the expiration date of the specified block entry for domains and email addresses.
+This example changes the expiration date of the specified block entry for the sender email address.
```powershell Set-TenantAllowBlockListItems -ListType Sender -Entries "julia@fabrikam.com" -ExpirationDate "9/1/2022"
For detailed syntax and parameter information, see [Set-TenantAllowBlockListItem
4. In the warning dialog that appears, click **Delete**.
-> [!NOTE]
+> [!TIP]
> You can select multiple entries by selecting each check box, or select all entries by selecting the check box next to the **Value** column header. #### Use PowerShell to remove existing allow or block entries for domains and email addresses from the Tenant Allow/Block List
In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-
Remove-TenantAllowBlockListItems -ListType Sender <-Ids <Identity value> | -Entries <Value value>> ```
-This example removes the specified block entry for domains and email addresses from the Tenant Allow/Block List.
+This example removes the specified entry for domains and email addresses from the Tenant Allow/Block List.
```powershell Remove-TenantAllowBlockListItems -ListType Sender -Entries "adatum.com"
You have the following options to create block entries for spoofed senders:
Submitting messages that were blocked by [spoof intelligence](anti-spoofing-spoof-intelligence.md) to Microsoft in the **Submissions** portal at <https://security.microsoft.com/reportsubmission> adds the sender as an allow entry for the sender on the **Spoofed senders** tab in Tenant Allow/Block List.
-For instructions, see [Report good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft).
+For instructions, see [Submit good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft).
> [!NOTE] > When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab in the Tenant Allow/Block List.
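
Review bot: The link text changes from "Report good email to Microsoft" to "Submit good email to Microsoft", but the target is still submissions-admin.md#report-good-email-to-microsoft. If the heading in submissions-admin.md was renamed to match the new wording, this fragment no longer resolves. Confirm the heading text in that file and update the fragment, or keep the link text aligned with the heading as it stands.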
For detailed syntax and parameter information, see [New-TenantAllowBlockListSpoo
### Use the Microsoft 365 Defender portal to create block entries for spoofed senders in the Tenant Allow/Block List
-You create block entries for spoofed senders directly in the Tenant Allow/Block List.
+You can create block entries for spoofed senders directly in the Tenant Allow/Block List. The steps are nearly identical to [creating allow entries for spoofed senders](#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-spoofed-senders-in-the-tenant-allowblock-list) as previously described in this article.
+
+The only difference is: for the **Action** value in Step 3, choose **Block** instead of **Allow**.
> [!NOTE] > Email messages from these senders are blocked as *phishing*.
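
Review bot: "for the **Action** value in Step 3" ties this section to the step numbering of another procedure that is not part of this change, and the text it replaces pointed at Step 4 of a different procedure. Suggest dropping the step number and naming only the setting, so the instruction stays correct if the allow procedure is renumbered.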
You create block entries for spoofed senders directly in the Tenant Allow/Block
> > Block entries for spoofed senders never expire.
-The instructions to report the message are nearly identical to the steps in [Use the Microsoft 365 Defender page to create allow entries for domains and email addresses on the Submissions page](#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-on-the-submissions-page).
-
-The only difference is: for the **Action** value in Step 4, choose **Block** instead of **Allow**.
- #### Use PowerShell to create block entries for spoofed senders in the Tenant Allow/Block List In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:
For detailed syntax and parameter information, see [New-TenantAllowBlockListSpoo
- **Spoofed user** - **Sending infrastructure**
- - **Spoof type**: The value **Internal** or **External**.
- - **Action**: The value **Block** or **Allow**.
+ - **Spoof type**: The values are **Internal** or **External**.
+ - **Action**: The values are **Block** or **Allow**.
You can click on a column heading to sort in ascending or descending order.
Only messages from that domain *and* sending infrastructure pair are allowed to
## About impersonated domains or senders
-In organizations with Microsoft Defender for Office 365, you can't create allow entries in the Tenant/Allow/Block List for messages that were detected as impersonation by [domain or sender impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
+You can't create allow entries in the Tenant Allow/Block List for messages that were detected as [domain or sender impersonation protection in Defender for Office 365](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
-Reporting a message that was incorrectly blocked as impersonation on the Submissions page at <https://security.microsoft.com/reportsubmission> does not add the sender or domain as an allow entry in the Tenant Allow/Block List.
+Submitting a message that was incorrectly blocked as impersonation on the Submissions page at <https://security.microsoft.com/reportsubmission> does not add the sender or domain as an allow entry in the Tenant Allow/Block List.
Instead, the domain or sender is added to the **Trusted senders and domains section** in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message.
-The instructions to report the message are identical to the steps in [Use the Microsoft 365 Defender portal to create allow entries for domains and email addresses in the Submissions page](#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-on-the-submissions-page).
+The instructions to submit the message are identical to the steps in [Use the Microsoft 365 Defender portal to create allow entries for domains and email addresses in the Submissions page](#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-on-the-submissions-page).
> [!NOTE]
->
-> - Currently, Graph Impersonation is not taken care from here.
+> Currently, Graph Impersonation is not taken care from here.
## Related articles
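Review bot: The rewritten first sentence under "About impersonated domains or senders" now reads "messages that were detected as [domain or sender impersonation protection in Defender for Office 365]", which says the messages were detected as a protection feature. The wording it replaces, "detected as impersonation by [domain or sender impersonation protection]", was correct; suggest "detected as impersonation by domain or sender impersonation protection in Defender for Office 365". In the same hunk, "Graph Impersonation is not taken care from here" is still ungrammatical after the bullet was removed and does not tell an admin where it is handled.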
security Tenant Allow Block List Files Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-files-configure.md
You manage allow and block entries for files in the Microsoft 365 Defender Porta
- An entry should be active within 30 minutes, but it might take up to 24 hours for the entry to be active. -- By default, allow entries for **files** are created for 30 days. Microsoft will either learn from the allow entries for **files** within those 30 days, or automatically extend it for you. Once Microsoft learns, email containing these files will be delivered to the inbox provided something else in the email is not malicious. Moreover these files by default will open at time of click.- - You need to be assigned permissions before you can do the procedures in this article. You have the following options: - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program. - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):
You manage allow and block entries for files in the Microsoft 365 Defender Porta
## Create block entries for files
+Email messages that contain these blocked files are blocked as *malware*. Messages containing the blocked files are quarantined.
+ You have the following options to create block entries for files: - [The Submissions page in the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-files-on-the-submissions-page)
You have the following options to create block entries for files:
### Use the Microsoft 365 Defender portal to create block entries for files on the Submissions page
-When you use the Submissions page at <https://security.microsoft.com/reportsubmission> to report files as **Should have been blocked (False negative)**, you can select **Block this file** to add a block entry on the **Files** tab in the Tenant Allow/Block List.
+When you use the Submissions page at <https://security.microsoft.com/reportsubmission> to submit files as **Should have been blocked (False negative)**, you can select **Block this file** to add a block entry on the **Files** tab in the Tenant Allow/Block List.
-For instructions, see [Report questionable email attachments to Microsoft](submissions-admin.md#report-questionable-email-attachments-to-microsoft).
+For instructions, see [Submit questionable email attachments to Microsoft](submissions-admin.md#report-questionable-email-attachments-to-microsoft).
### Use the Microsoft 365 Defender portal to create block entries for files in the Tenant Allow/Block List You can create block entries for files directly in the Tenant Allow/Block List.
-Email messages that contain these blocked files are blocked as *malware*.
- 1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>. 2. On the **Tenant Allow/Block List** page, select the **Files** tab.
Email messages that contain these blocked files are blocked as *malware*.
- **Never expire** - **Specific date**: The maximum value is 90 days from today.
- - **Optional note**: Enter descriptive text for the entries.
+ - **Optional note**: Enter descriptive text for why you're blocking the files.
5. When you're finished, click **Add**.
For detailed syntax and parameter information, see [New-TenantAllowBlockListItem
## Use the Microsoft 365 Defender portal to create allow entries for files on the Submissions page
-You can't create allow entries for files directly in the Tenant Allow/Block List. Instead, you use the Submissions page at <https://security.microsoft.com/reportsubmission> to report the message attachment as a false positive, which also adds an allow entry on the **Files** tab in the Tenant Allow/Block List.
+You can't create allow entries for files directly in the Tenant Allow/Block List. Instead, you use the Submissions page at <https://security.microsoft.com/reportsubmission> to submit the message attachment as a false positive, which also adds an allow entry on the **Files** tab in the Tenant Allow/Block List.
-For instructions, see [Report good email attachments to Microsoft](submissions-admin.md#report-good-email-attachments-to-microsoft).
+For instructions, see [Submit good email attachments to Microsoft](submissions-admin.md#report-good-email-attachments-to-microsoft).
-By default, allow entries for files are created for 30 days. Microsoft will either learn from the allow entries for files within those 30 days, or automatically extend it for you. Once Microsoft learns, email containing these files will be delivered to the inbox provided something else in the email is not malicious. Moreover these files by default will open at time of click.
-
-> [!NOTE]
+> [!IMPORTANT]
> Microsoft does not allow you to create allow entries directly. Unnecessary allow entries expose your organization to malicious email which could have been filtered by the system. >
-> Microsoft manages the allow creation process from Submission by creating allows for those entities (domains or email addresses, spoofed senders, URLs, or files) which were determined to be malicious by filters during mail flow. For example, if a file being submitted was determined to be bad by our filtering, an allow entry is created for that file.
+> Microsoft manages the creation of allow entries from the Submissions page. Allow entries are added during mail flow based on the filters that determined the message was malicious. For example, if the sender email address and a file in the message were determined to be bad, an allow entry is created for the sender (email address or domain) and the file.
+>
+> When that entity is encountered again, all filters associated with that entity are overridden.
>
-> When that entity (domain or email address, URL, file) is encountered again, all filters associated with that entity are overridden.
+> By default, allow entries for files exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those files will be delivered, unless something else in the message is detected as malicious.
>
-> During mail flow, if messages containing the file pass other checks in the filtering stack, the messages will be delivered. For example, if [email authentication](email-authentication-about.md) passes, a message containing the file in the allow entry will be delivered.
+> During mail flow, if messages containing the allowed file pass other checks in the filtering stack, the messages will be delivered. For example, if a message passes [email authentication checks](email-authentication-about.md), a message containing an allowed file will be delivered.
> > During time of click, the file allow overrides all filters associated with the file entity, allowing the end user to access the file.
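
Review bot: The added line "all filters associated with that entity are overridden" uses a different verb from the matching line added for domains and email addresses in this same update, which says the filters are "skipped". Suggest one verb across the articles so readers do not infer two different behaviours. The added example also mentions only email authentication checks as the remaining check, where the domains version lists URL filtering and file filtering as well; say which checks still apply to a message that carries an allowed file.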
By default, allow entries for files are created for 30 days. Microsoft will eith
2. Select the **Files** tab. The following columns are available: - **Value**: The file hash.
- - **Action**: The value **Allow** or **Block**.
+ - **Action**: The values are **Allow** or **Block**.
- **Modified by** - **Last updated** - **Remove on**: The expiration date.
By default, allow entries for files are created for 30 days. Microsoft will eith
Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the results. The following values are available in the **Filter** flyout that appears:
- - **Action**: **Allow** and **Block**.
+ - **Action**: The values are **Allow** and **Block**.
- **Never expire**: ![Toggle on.](../../media/scc-toggle-on.png) or ![Toggle off.](../../media/scc-toggle-off.png) - **Last updated**: Select **From** and **To** dates. - **Remove on**: Select **From** and **To** dates.
For detailed syntax and parameter information, see [Get-TenantAllowBlockListItem
You can make the following modifications to entries for files in the Tenant Allow/Block list: - **Block entries**: The expiration date and notes.-- **Allow entries**: Notes.
+- **Allow entries**: The expiration date and notes.
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
You can make the following modifications to entries for files in the Tenant Allo
3. On the **Files** tab, select the check box of the entry that you want to modify, and then click the ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** button that appears. 4. The following settings are available in the **Edit file** flyout that appears:
- - **Remove block entry after**: You can extend block entries for a maximum of 90 days after the creation date or set them to **Never expire**.
+ - **Remove block entry after**: You can extend block entries for a maximum of 90 days from the system date or set them to **Never expire**.
+ - **Remove allow entry after**: You can extend allow entries for a maximum of 30 days from the system date.
- **Optional note** When you're finished, click **Save**.
-> [!NOTE]
-> For allow entries only, if you select the entry by clicking anywhere in the row other than the check box, you can select ![View submission icon.](../../media/m365-cc-sc-view-submission-icon.png) **View submission** in the details flyout that appears to go to the **Submissions** page at <https://security.microsoft.com/reportsubmission>.
+> [!TIP]
+> For entries added via submission, if you select the entry by clicking anywhere in the row other than the check box, you can select ![View submission icon.](../../media/m365-cc-sc-view-submission-icon.png) **View submission** in the details flyout that opens, which takes you to the submission details that added the entry.
### Use PowerShell to modify existing allow or block entries for files in the Tenant Allow/Block List
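Review bot: "from the system date" in the two added **Remove ... entry after** bullets is not defined in this hunk, and the create flyout in this same article says "The maximum value is 90 days from today". Suggest "from today" in both bullets so the limits read the same way when creating and when editing an entry.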
For detailed syntax and parameter information, see [Set-TenantAllowBlockListItem
4. In the warning dialog that appears, click **Delete**.
-> [!NOTE]
+> [!TIP]
> You can select multiple entries by selecting each check box, or select all entries by selecting the check box next to the **Value** column header. ### Use PowerShell to remove existing allow or block entries for files from the Tenant Allow/Block List
security Tenant Allow Block List Urls Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-urls-configure.md
Last updated 12/05/2022
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-> [!NOTE]
+> [!IMPORTANT]
> To allow phishing URLs that are part of third-party attack simulation training, use the [advanced delivery configuration](skip-filtering-phishing-simulations-sec-ops-mailboxes.md) to specify the URLs. Don't use the Tenant Allow/Block List. This article describes how to create and manage URL allow and block entries that are available in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).
-You manage allow and block entries for URLs in the Microsoft 365 Defender Portal or in Exchange Online PowerShell. Messages containing the blocked URLs are quarantined.
+You manage allow and block entries for URLs in the Microsoft 365 Defender Portal or in Exchange Online PowerShell.
## What do you need to know before you begin?
You manage allow and block entries for URLs in the Microsoft 365 Defender Portal
## Create block entries for URLs
+Email messages that contain these blocked URLs are blocked as *high confidence phishing*. Messages containing the blocked URLs are quarantined.
+ You have the following options to create block entries for URLs: - [The Submissions page in the Microsoft 365 Defender portal](#use-the-microsoft-365-defender-portal-to-create-block-entries-for-urls-on-the-submissions-page)
You have the following options to create block entries for URLs:
### Use the Microsoft 365 Defender portal to create block entries for URLs on the Submissions page
-When you use the Submissions page at <https://security.microsoft.com/reportsubmission> to report URLs as **Should have been blocked (False negative)**, you can select **Block this URL** to add a block entry on the **URLs** tab in the Tenant Allow/Block List.
+When you use the Submissions page at <https://security.microsoft.com/reportsubmission> to submit URLs as **Should have been blocked (False negative)**, you can select **Block this URL** to add a block entry on the **URLs** tab in the Tenant Allow/Block List.
-For instructions, see [Report questionable URLs to Microsoft](submissions-admin.md#report-questionable-urls-to-microsoft).
+For instructions, see [Submit questionable URLs to Microsoft](submissions-admin.md#report-questionable-urls-to-microsoft).
### Use the Microsoft 365 Defender portal to create block entries for URLs in the Tenant Allow/Block List You can create block entries for URLs directly in the Tenant Allow/Block List.
-Email messages that contain these blocked URLs are blocked as *high confidence phishing*.
- 1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>. 2. On the **Tenant Allow/Block List** page, select the **URLs** tab.
Email messages that contain these blocked URLs are blocked as *high confidence p
- **30 days** - **Specific date**: The maximum value is 90 days from today.
- - **Optional note**: Enter descriptive text for the entries.
+ - **Optional note**: Enter descriptive text for why you're blocking the URLs.
5. When you're finished, click **Add**.
For detailed syntax and parameter information, see [New-TenantAllowBlockListItem
## Use the Microsoft 365 Defender portal to create allow entries for URLs on the Submissions page
-You can't create URL allow entries directly in the Tenant Allow/Block List. Instead, you use the Submissions page at <https://security.microsoft.com/reportsubmission> to report the URL as a false positive, which also adds an allow entry on the **URLs** tab in the Tenant Allow/Block List.
+You can't create URL allow entries directly in the Tenant Allow/Block List. Instead, you use the Submissions page at <https://security.microsoft.com/reportsubmission> to submit the URL as a false positive, which also adds an allow entry on the **URLs** tab in the Tenant Allow/Block List.
-For instructions, see [Report good URLs to Microsoft](submissions-admin.md#report-good-urls-to-microsoft).
+For instructions, see [Submit good URLs to Microsoft](submissions-admin.md#report-good-urls-to-microsoft).
-By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). By default, allow entries for spoofed senders never expire.
-
-> [!NOTE]
+> [!IMPORTANT]
> Microsoft does not allow you to create allow entries directly. Unnecessary allow entries expose your organization to malicious email which could have been filtered by the system. > > Microsoft manages the allow creation process from Submission by creating allows for those entities (domains or email addresses, spoofed senders, URLs, or files) which were determined to be malicious by filters during mail flow or time of click. For example, if a URL being submitted was determined to be bad by our filtering, an allow entry is created for that URL. >
-> When that entity (domain or email address, URL, file) is encountered again, all filters associated with that entity are overridden.
+> When that entity is encountered again, all filters associated with that entity are overridden.
>
-> During mail flow, if messages containing the URL pass other checks in the filtering stack, the messages will be delivered. For example, if [email authentication](email-authentication-about.md) passes, a message containing the URL in the allow entry will be delivered.
+> By default, allow entries for URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those URLs will be delivered, unless something else in the message is detected as malicious.
+>
+> During mail flow, if messages containing the allowed URL pass other checks in the filtering stack, the messages will be delivered. For example, if a message passes [email authentication checks](email-authentication-about.md) and file filtering, a message containing an allowed URL will be delivered.
> > During time of click, the URL allow entry overrides all filters associated with the URL entity, allowing the user to access the content in the URL. >
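
Review bot: Only part of the IMPORTANT note is updated in this hunk. The paragraph beginning "Microsoft manages the allow creation process from Submission by creating allows for those entities" is left as unchanged context, while the files article in this update replaces it with "Microsoft manages the creation of allow entries from the Submissions page." Suggest applying the same rewrite here so the three articles describe allow creation identically.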
By default, allow entries for domains and email addresses, files, and URLs exist
2. Select the **URL** tab. The following columns are available: - **Value**: The URL.
- - **Action**: The value **Allow** or **Block**.
+ - **Action**: The values are **Allow** or **Block**.
- **Modified by** - **Last updated** - **Remove on**: The expiration date.
By default, allow entries for domains and email addresses, files, and URLs exist
Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the results. The following values are available in the **Filter** flyout that appears:
- - **Action**: **Allow** and **Block**.
+ - **Action**: The values are **Allow** and **Block**.
- **Never expire**: ![Toggle on.](../../media/scc-toggle-on.png) or ![Toggle off.](../../media/scc-toggle-off.png) - **Last updated**: Select **From** and **To** dates. - **Remove on**: Select **From** and **To** dates.
For detailed syntax and parameter information, see [Get-TenantAllowBlockListItem
You can make the following modifications to entries for URLs in the Tenant Allow/Block list: - **Block entries**: The expiration date and notes.-- **Allow entries**: Notes.--
+- **Allow entries**: The expiration date and notes.
+ 1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>. 2. Select the **URLs** tab
You can make the following modifications to entries for URLs in the Tenant Allow
3. On the **URLs** tab, select the check box of the entry that you want to modify, and then click the ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** button that appears. 4. The following values are available in the **Edit URL** flyout that appears:
- - **Remove block entry after**: You can extend block entries for a maximum of 90 days after the creation date or set them to **Never expire**.
+ - **Remove block entry after**: You can extend block entries for a maximum of 90 days from the system date or set them to **Never expire**.
+ - **Remove allow entry after**: You can extend allow entries for a maximum of 30 days from the system date.
- **Optional note** When you're finished, click **Save**.
-> [!NOTE]
-> For allow entries only, if you select the entry by clicking anywhere in the row other than the check box, you can select ![View submission icon.](../../media/m365-cc-sc-view-submission-icon.png) **View submission** in the details flyout that appears to go to the **Submissions** page at <https://security.microsoft.com/reportsubmission>.
+> [!TIP]
+> For entries added via submission, if you select the entry by clicking anywhere in the row other than the check box, you can select ![View submission icon.](../../media/m365-cc-sc-view-submission-icon.png) **View submission** in the details flyout that opens up. It takes you to the submission details that added the entry.
### Use PowerShell to modify existing allow or block entries for URLs in the Tenant Allow/Block List
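Review bot: The TIP added here ends "in the details flyout that opens up. It takes you to the submission details that added the entry", while the same TIP added to the files article reads "in the details flyout that opens, which takes you to the submission details that added the entry". Suggest using the files wording in both places. The **Remove ... entry after** bullets above it also use "from the system date", where the create flyout in this article says "90 days from today".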
For detailed syntax and parameter information, see [Set-TenantAllowBlockListItem
4. In the warning dialog that appears, click **Delete**.
-> [!NOTE]
+> [!TIP]
> You can select multiple entries by selecting each check box, or select all entries by selecting the check box next to the **Value** column header. ### Use PowerShell to remove existing allow or block entries for URLs from the Tenant Allow/Block List
Valid URL entries and their results are described in the following sections.
- contoso.com/b/a/c - test.com/contoso.com - - **Allow not matched** and **Block not matched**: - 123contoso.com
security Threat Explorer Threat Hunting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-threat-hunting.md
In this article:
> [!NOTE] > This is part of a **3-article series** on **Threat Explorer (Explorer)**, **email security**, and **Explorer and Real-time detections** (such as differences between the tools, and permissions needed to operate them). The other two articles in this series are [Email security with Threat Explorer](email-security-in-microsoft-defender.md) and [Threat Explorer and Real-time detections](real-time-detections.md).
-**Applies to**
-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- If your organization has [Microsoft Defender for Office 365](defender-for-office-365.md), and you have the [permissions](#required-licenses-and-permissions), you can use **Explorer** or **Real-time detections** to detect and remediate threats. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration**, and then choose **Explorer** or **Real-time detections**. To go directly to the page, use <https://security.microsoft.com/threatexplorer> or <https://security.microsoft.com/realtimereports>.
With these tools, you can:
For more information, see [Email security with Threat Explorer](email-security-in-microsoft-defender.md).
-Watch this short video to learn how to hunt and investigate email and collaboration-based threats using Microsoft Defender for Office 365.
+> [!TIP]
+> Advanced hunting in Microsoft 365 Defender now supports an easy-to-use query builder for analysts who want to hunt through cloud app data and other threat data (if available), even if they do not know Kusto Query Language (KQL). To get started, read [Build queries using guided mode](/microsoft-365/security/defender/advanced-hunting-query-builder).
+
+Watch this short video to learn how to hunt and investigate email and collaboration-based threats using Microsoft Defender for Office 365.
+ > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWyPRU] ## Threat Explorer walk-through
Refining focus in Explorer or Real-time detection can be thought of in layers. T
> If Sec Ops uses **Tags** to mark accounts they consider high valued targets, they can make selections like *Phish View with a Tags filter focus (include a date range if used)*. This will show them any phishing attempts directed at their high value user targets during a time-range (like dates when certain phishing attacks are happening a lot for their industry). With the new version of Threat Explorer, users can use the following new dropdown options with four new operators on the filters:
- - Equals any of ΓÇô returns values matching the exact user input.
- - Equals none of ΓÇô returns values not matching the exact user input.
- - Contains any of ΓÇô returns values partially matching user input.
- - Contains none of ΓÇô returns values not partially matching user input.
+
+- Equals any of ΓÇô returns values matching the exact user input.
+- Equals none of ΓÇô returns values not matching the exact user input.
+- Contains any of ΓÇô returns values partially matching user input.
+- Contains none of ΓÇô returns values not partially matching user input.
Note that these filter conditions are available based on filter types and input types.
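Review bot: The four added list items still carry the mis-encoded sequence `ΓÇô` between the operator name and its description (for example `Equals any of ΓÇô returns values matching the exact user input.`), exactly as in the removed lines. This change already rewrites these lines to fix the indentation, so replace the sequence with the intended dash, or a colon, in the same commit.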
security Use Arc Exceptions To Mark Trusted Arc Senders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-arc-exceptions-to-mark-trusted-arc-senders.md
Email authentication mechanisms like [SPF](email-authentication-spf-configure.md
## Authenticated Received Chain (ARC) in Microsoft 365 Defender for Office
-Services that modify message content in transit before delivery to your organization can invalidate DKIM email signatures and affect authentication of the message. When these intermediary services perform such actions, they can use ARC to provide details of the original authentication before the modifications occurred. Your organization can then trust these details to help with authenticating the message.
+Services that modify message content in transit before delivery to your organization can invalidate DKIM email signatures and affect authentication of the message. When these intermediary services perform such actions, they can use ARC to provide details of the original authentication before the modifications occurred. Your organization can then trust these details to help with authenticating the message.
**Trusted ARC sealers lets admins add a list of *trusted* intermediaries into the Microsoft 365 Defender portal.** Trusted ARC sealers allows Microsoft to honor ARC signatures from these trusted intermediaries, preventing these legitimate messages from failing the authentication chain.
A list of trusted ARC sealers is only needed where intermediaries are part of an
1. May modify the email header or email contents. 2. May cause authentication to fail for other reasons (example, by removing attachments).
-
+ By adding a trusted ARC sealer, Office 365 will validate and trust the authentication results that the sealer provides when delivering mail to your tenant in Office 365.
-**Administrators should add *only legitimate services* as trusted ARC sealers.** Adding only services the organization expressly uses and knows will help messages that must first go through a service to pass email authentication checks, and prevent legitimate messages
+**Administrators should add *only legitimate services* as trusted ARC sealers.** Adding only services the organization expressly uses and knows will help messages that must first go through a service to pass email authentication checks, and prevent legitimate messages
from being sent to *Junk* due to authentication failures. ## Steps to add a trusted ARC sealer to Microsoft 365 Defender
An ARC header that lists an 'oda' of 1 indicates that previous ARC has been *ver
See the email authentication methods at the end of this header-block for the oda result.
-``
+```text
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 40.107.65.78) smtp.rcpttodomain=microsoft.com smtp.mailfrom=sampledoamin.onmicrosoft.com; dmarc=bestguesspass action=none
arc=pass (0 oda=1 ltdi=1
spf=[1,1,smtp.mailfrom=sampledoamin.onmicrosoft.com] dkim=[1,1,header.d=sampledoamin.onmicrosoft.com] dmarc=[1,1,header.from=sampledoamin.onmicrosoft.com])
-``
+```
To check whether the ARC result was used to override a DMARC failure, look for *compauth* result and a *reason of code(130)* in the header. See the last entry in this header-block to find *compauth* and *reason*.
-``
+```text
Authentication-Results: spf=fail (sender IP is 51.163.158.241) smtp.mailfrom=contoso.com; dkim=fail (body hash did not verify) header.d=contoso.com;dmarc=fail action=none header.from=contoso.com;compauth=pass reason=130
-``
+```
## PowerShell steps to add or remove a trusted ARC sealer
header.from=contoso.com;compauth=pass reason=130
1. Connect to Exchange Online PowerShell. 2. Connect-ExchangeOnline. 3. To add or update a domain into a trusted ARC sealer:
-</br>
-``
-Set-ArcConfig -Identity default -ArcTrustedSealers {a list of arc signing domains split by comma}
-``
-</br>or</br>
-``
-Set-ArcConfig -Identity {tenant name/tenanid}\default -ArcTrustedSealers {a list of arc signing domains split by comma}
-``
-</br>You need to provide identity parameter *-Identity* default when running *Set-ArcConfig*. The trusted sealers should be matched to the value of the 'd' tag in the *ARC-Seal header*.
+
+ ```powershell
+ Set-ArcConfig -Identity default -ArcTrustedSealers {a list of arc signing domains split by comma}
+ ```
+
+ or
+
+ ```powershell
+ Set-ArcConfig -Identity {tenant name/tenanid}\default -ArcTrustedSealers {a list of arc signing domains split by comma}
+ ```
+
+ You need to provide identity parameter *-Identity* default when running *Set-ArcConfig*. The trusted sealers should be matched to the value of the 'd' tag in the *ARC-Seal header*.
4. View the trusted ARC sealers:
-</br>
-``
-Get-ArcConfig
-``
-or
-``
-Get-ArcConfig - Organization {tenant name}
-``
+
+ ```powershell
+ Get-ArcConfig
+ ```
+
+ or
+
+ ```powershell
+ Get-ArcConfig - Organization {tenant name}
+ ```
## Trusted ARC sealer mailflow graphics
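Review bot: The second added example under step 4 reads `Get-ArcConfig - Organization {tenant name}`, with a space between the hyphen and `Organization`, so PowerShell will not read it as the `-Organization` parameter; write it as `-Organization`. The added `Set-ArcConfig` line under step 3 also keeps `{tenant name/tenanid}` from the removed text, where `tenanid` looks like a typo for the tenant ID. The sentence after it would read more clearly as "You need to provide the *-Identity* parameter with the value default". These commands decide which sealers the tenant trusts and will be copied as written, so the placeholders should be unambiguous.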
-These diagrams contrast mailflow operations with and without a trusted ARC sealer, when using any of SPF, DKIM, and DMARC email authentication. In both graphics, there are legitimate services used by the company that must intervene in mailflow, sometimes violating email authentication standards by changing sending IPs, and writing to the email header. **In the first case, the indirect mailflow traffic demonstrates the result *before* admins add a trusted ARC sealer.**
+These diagrams contrast mail flow operations with and without a trusted ARC sealer, when using any of SPF, DKIM, and DMARC email authentication. In both graphics, there are legitimate services used by the company that must intervene in mail flow, sometimes violating email authentication standards by changing sending IPs, and writing to the email header. **In the first case, the indirect mail flow traffic demonstrates the result *before* admins add a trusted ARC sealer.**
:::image type="content" source="../../media/m365d-indirect-traffic-flow-without-trusted-arc-sealer.PNG" alt-text="In this graphic Contoso publishes SPF, DKIM, and DMARC as part of standard email security. A sender using SPF sends mail from inside contoso.com to fabrikam.com, and this mail passes through a third party service Contoso has hired, and that service modifies the sending IP address in the email header. The mail fails SPF due to the altered IP, and DKIM because the content was modified at a third party, during the DNS check at EOP. DMARC fails because of the SPF and DKIM failures. The message is sent to Junk, Quarantine, or Rejected.":::
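Review bot: The added paragraph switches to "mail flow", but the heading directly above it still reads "Trusted ARC sealer mailflow graphics". Change the heading in the same commit so the term is consistent, and check any links that point at that heading's anchor.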
security Use Privileged Identity Management In Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-privileged-identity-management-in-defender-for-office-365.md
In this example we will configure "Alex", a member of our security team who will
3. Set the '**Activation maximum duration (hours)**' to a normal working day and 'On activation' to require **Azure MFA**. 4. As this is Alex's normal privilege level for day-to-day operations, we will Uncheck **Require justification on activation**' > **Update**. 5. Select **Add Assignments** > **No member selected** > select or type the name to search for the correct member.
-6. Click the **Select** button to choose the member you need to add for PIM privileges > click **Next** > make no changes on the Add Assignment page (both assignment type *Eligible* and duration *Permanently Eligible* will be defaults ) and **Assign**.
+6. Click the **Select** button to choose the member you need to add for PIM privileges > click **Next** > make no changes on the Add Assignment page (both assignment type *Eligible* and duration *Permanently Eligible* will be defaults) and **Assign**.
The name of your user (here 'Alex') will appear under Eligible assignments on the next page, this means they are able to PIM into the role with the settings configured earlier.
security Use The Delist Portal To Remove Yourself From The Office 365 Blocked Senders Lis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis.md
There are good reasons for senders to wind up on the blocked senders list, but m
See [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md) and [Outbound spam protection in EOP](outbound-spam-protection-about.md) to prevent an IP from being blocked.
-### How do fix error code 5.7.511
-
-When there's a problem delivering an email message that you sent, Microsoft 365 or Office 365 sends an email to let you know. The email you receive is a delivery status notification, also known as a DSN or bounce message. The most common type is called a non-delivery report (NDR) and they tell you that a message wasn't delivered. In certain situations, Microsoft must conduct additional investigations against traffic from your IP, and if you're receiving the NDR code 5.7.511, you **will not** be able to use the delist portal.
-
-> 550 5.7.511 Access denied, banned sender[xxx.xxx.xxx.xxx]. To request removal from this list, forward this message to delist@microsoft.com. For more information, go to <https://go.microsoft.com/fwlink/?LinkId=526653>.
-
-In the email to request removal from this list, provide the full NDR code and IP address. Microsoft will contact you within 48 hours with the next steps.
+### How to fix error code 5.7.511
+
+When there's a problem delivering an email message that you sent, Microsoft 365 or Office 365 sends an email notification to let you know. The email notification is known a delivery status notification or DSN. The most common type of DSN is a non-delivery report (also known as an NDR or bounce message) that tells you that a message wasn't delivered. In certain situations, Microsoft must conduct additional investigations against traffic from your IP address. If you receive and NDR with code 5.7.511, you **will not** be able to use the delist portal.
+
+> 550 5.7.511 Access denied, banned sender[xxx.xxx.xxx.xxx]. To request removal from this list, forward this message to delist@microsoft.com. For more information, go to https://go.microsoft.com/fwlink/?LinkId=526653.
+
+In the email to request removal from this list, provide the full NDR code and IP address. Microsoft will contact you within 48 hours with the next steps.
## More information
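Review bot: The rewritten paragraph introduces two typos: "The email notification is known a delivery status notification" is missing "as", and "If you receive and NDR with code 5.7.511" should be "an NDR". The quoted NDR text also changes the link from `<https://go.microsoft.com/fwlink/?LinkId=526653>` to a bare URL followed by a period, so a renderer that auto-links bare URLs may pull the trailing period into the link. Keep the angle brackets as in the removed line.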
security User Tags About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-tags-about.md
Title: User tags in Microsoft Defender for Office 365
+f1.keywords:
- NOCSH
Last updated 1/31/2023
audience: ITPro ms.localizationpriority: medium
+search.appverid:
- MET150-+ - m365-security - tier2-+ description: Admins can learn how to identify specific groups of users with user tags in Microsoft Defender for Office 365 Plan 2. Tag filtering is available across alerts, reports, and investigations in Microsoft Defender for Office 365 to quickly identify the tagged users.
User tags are identifiers for specific groups of users in [Microsoft Defender for Office 365](defender-for-office-365.md). There are two types of user tags: -- **System tags**: Currently, [Priority accounts](../../admin/setup/priority-accounts.md) is the only type of system tag.
+- **System tags**: Currently, [Priority account](../../admin/setup/priority-accounts.md) is the only type of system tag.
- **Custom tags**: You create these user tags yourself.
-If your organization has Defender for Office 365 Plan 2 (included in your subscription or as an add-on), you can create custom user tags in addition to using the priority accounts tag.
+If your organization has Defender for Office 365 Plan 2 (included in your subscription or as an add-on), you can create custom user tags in addition to using the Priority account tag.
> [!NOTE] > Currently, you can only apply user tags to mailbox users.
+>
+> Your organization can tag a maximum of 250 users using the Priority account system tag.
+>
+> Each custom tag has a maximum of 10,000 users per tag and your organization can create up to 500 custom tags.
After you apply system tags or custom tags to users, you can use those tags as filters in alerts, incidents, reports, and investigations:
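Review bot: In the added note, "Each custom tag has a maximum of 10,000 users per tag" states the scope twice; "Each custom tag can contain a maximum of 10,000 users" is enough. The three limits are also appended to a note whose first line is about mailbox users only, so a reader scanning for limits can miss them. Consider a short list of limits outside that note.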
security Zero Hour Auto Purge https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-hour-auto-purge.md
Title: Zero-hour auto purge in Microsoft Defender for Office 365
+f1.keywords:
- NOCSH
audience: Admin ms.localizationpriority: medium
+search.appverid:
- MOE150 - MED150 - MBS150 - MET150 ms.assetid: 96deb75f-64e8-4c10-b570-84c99c674e15-+ - m365-security - tier2-+ - seo-marvel-apr2020 description: Zero-hour auto purge (ZAP) retroactively moves delivered messages in an Exchange Online mailbox to the Junk Email folder or quarantine that are found to be spam, phishing, or that contain malware after delivery.
The ZAP action is seamless for the user; they aren't notified if a message is de
[Safe sender lists](create-safe-sender-lists-in-office-365.md), mail flow rules (also known as transport rules), Inbox rules, or additional filters take precedence over ZAP. Similar to what happens in mail flow, this means that even if the service determines the delivered message needs ZAP, the message is not acted on because of the safe senders configuration. This is another reason to be careful about configuring messages to bypass filtering.
-Watch this short video to learn how ZAP in Microsoft Defender for Office 365 automatically detects and neutralizes threats in email.
+Watch this short video to learn how ZAP in Microsoft Defender for Office 365 automatically detects and neutralizes threats in email.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWGrLg] ### Zero-hour auto purge (ZAP) for malware