- - If you chose **Adaptive**: On the **Choose adaptive policy scopes and locations** page, select **Add scopes** and select one or more adaptive scopes that have been created. Then, select one or more locations. The locations that you can select depend on the [scope types](purview-adaptive-scopes.md#configure-adaptive-scopes) added. For example, if you only added a scope type of **User**, you will be able to select **Exchange email** but not **SharePoint sites**.

-5. On the **Choose locations to apply the policy** page, you select the content locations that you want to apply the policy to. For this scenario, we apply the policy only to SharePoint locations, because all the production documents are stored in SharePoint document libraries. Toggle the status for **Exchange email**, **OneDrive accounts**, and **Microsoft 365 Groups** to **Off**. Make sure that the status for SharePoint sites is set to **On** before you select **Next**:

- - If you chose **Adaptive**: On the **Choose adaptive policy scopes and locations** page, select **Add scopes** and select one or more adaptive scopes that have been created. Then, select one or more locations. The locations that you can select depend on the [scope types](purview-adaptive-scopes.md#configure-adaptive-scopes) added. For example, if you only added a scope type of **User**, you will be able to select **Exchange email** but not **SharePoint sites**.

- - For all other policy locations, such as **Exchange email**, **SharePoint sites**, **Teams channel messages** etc.:

-Teams is more than just chats and channel messages. If you have teams that were created from a Microsoft 365 group (formerly Office 365 group), you should additionally configure a retention policy that includes that Microsoft 365 group by using the **Microsoft 365 Groups** location. This retention policy applies to content in the group's mailbox, site, and files.

-If you have team sites that aren't connected to a Microsoft 365 group, you need a retention policy that includes the **SharePoint sites** or **OneDrive accounts** locations to retain and delete files in Teams:

-Yammer is more than just community messages and private messages. To retain and delete email messages for your Yammer network, configure an additional retention policy that includes any Microsoft 365 groups that are used for Yammer, by using the **Microsoft 365 Groups** location.

- - If you chose **Adaptive**: On the **Choose adaptive policy scopes and locations** page, select **Add scopes** and select one or more adaptive scopes that have been created. Then, select one or more locations. The locations that you can select depend on the [scope types](purview-adaptive-scopes.md#configure-adaptive-scopes) added. For example, if you only added a scope type of **User**, you'll be able to select **Exchange email** but not **SharePoint sites**.

- - [Exchange email and Exchange public folders](retention-settings.md#configuration-information-for-exchange-email-and-exchange-public-folders)

- - [Microsoft 365 Groups](retention-settings.md#configuration-information-for-microsoft-365-groups)

- - For all other policy locations, such as **Exchange email**, **SharePoint sites**, and **Teams channel messages**:

-1. [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) - This article presents some common policy intent scenarios that you'll map to configuration options, then it walks you through configuring those options.

-At this level an administrative unit restricted admin will only be able to pick from the administrative units that they're assigned to.

-Conditions are where you define what you want the rule to look for and context in which those items are being used. They tell the rule — when you find an item that looks like *this* and is being used like *that* — it's a match and the rest of the actions in the policy should be taken on it. You can use conditions to assign different actions to different risk levels. For example, sensitive content shared internally might be lower risk and require fewer actions than sensitive content shared with people outside the organization.

-When a user attempts an action on a sensitive item in a context that meets the conditions of a rule, you can let them know about it through user notification emails and in context policy tip popups. These notifications are useful because they increase awareness and help educate people about your organization's DLP policies.

-*%%AppliedActions%% File name %%FileName%% via %%ProcessName%% is not allowed by your organization. Select 'Allow' if you want to bypass the policy %%PolicyName%%*

-*pasting from the clipboard File Name: Contoso doc 1 via WINWORD.EXE is not allowed by your organization. Click 'Allow' button if you want to bypass the policy Contoso highly confidential*

- > This also means that any new Microsoft 365 retention settings using a static scope that is applied to the default selection of **All recipients** will automatically include all existing inactive mailboxes.

-> [!NOTE]

-> Thank you for your feedback and support during the preview of the ServiceNow connector. We've decided to end the preview of ServiceNow connector and discontinue support in insider risk management on November 30, 2020. We are actively evaluating alternative methods to provide customers with ServiceNow integration in insider risk management.

-|**Users** - applies to: <br/> - Exchange email <br/> - OneDrive accounts <br/> - Teams chats <br/> - Teams private channel messages (<br/> - Yammer user messages| First Name <br/> Last name <br/>Display name <br/> Job title <br/> Department <br/> Office <br/>Street address <br/> City <br/>State or province <br/>Postal code <br/> Country or region <br/> Email addresses <br/> Alias <br/> Exchange custom attributes: CustomAttribute1 - CustomAttribute15|

-|**Microsoft 365 Groups** - applies to: <br/> - Microsoft 365 Groups <br/> - Teams channel messages (standard and shared) <br/> - Yammer community messages <br> |Name <br/> Display name <br/> Description <br/> Email addresses <br/> Alias <br/> Exchange custom attributes: CustomAttribute1 - CustomAttribute15 |

-Use the cmdlets in the following table when the locations are **Exchange email**, **SharePoint sites**, **OneDrive accounts**, **Microsoft 365 Groups**, **Skype for Business**, **Exchange public folders**, **Teams chat messages**, or **Teams channel messages**.

-|[Enable-ComplianceTagStorage](/powershell/module/exchange/enable-compliancetagstorage) <br /><br /> [Get-ComplianceTagStorage](/powershell/module/exchange/get-compliancetagstorage) |A one-time operation to create storage, or view that storage for retention labels |Exchange email <br /><br />SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups|

-|[Get-ComplianceTag](/powershell/module/exchange/get-compliancetag)<br /><br> [New-ComplianceTag](/powershell/module/exchange/new-compliancetag) <br /><br> [Remove-ComplianceTag](/powershell/module/exchange/remove-compliancetag) <br /><br> [Set-ComplianceTag](/powershell/module/exchange/set-compliancetag) |View, create, delete, configure retention labels |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts<br /><br /> Microsoft 365 Groups|

-|[Get-RecordReviewNotificationTemplateConfig](/powershell/module/exchange/get-recordreviewnotificationtemplateconfig) <br /><br /> [Set-RecordReviewNotificationTemplateConfig](/powershell/module/exchange/set-recordreviewnotificationtemplateconfig) |View or configure the disposition review notification and reminder settings |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups|

-|[Get-RetentionCompliancePolicy](/powershell/module/exchange/get-retentioncompliancepolicy) <br /><br /> [New-RetentionCompliancePolicy](/powershell/module/exchange/new-retentioncompliancepolicy) <br /><br /> [Remove-RetentionCompliancePolicy](/powershell/module/exchange/remove-retentioncompliancepolicy) <br /><br /> [Set-RetentionCompliancePolicy](/powershell/module/exchange/set-retentioncompliancepolicy) |View, create, delete, configure retention policies and retention label policies |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts<br /><br /> Microsoft 365 Groups <br /><br /> Skype for Business <br /><br /> Exchange public folders <br /><br /> Teams chat messages <br /><br /> Teams channel messages |

-|[Get-RetentionComplianceRule](/powershell/module/exchange/get-retentioncompliancerule) <br /><br /> [New-RetentionComplianceRule](/powershell/module/exchange/new-retentioncompliancerule) <br /><br /> [Set-RetentionComplianceRule](/powershell/module/exchange/set-retentioncompliancerule) <br /><br /> [Remove-RetentionComplianceRule](/powershell/module/exchange/remove-retentioncompliancerule) | View, create, configure, delete settings (rules) for retention policies and retention labels |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups <br /><br /> Skype for Business <br /><br /> Exchange public folders <br /><br /> Teams chat messages <br /><br /> Teams channel messages |

-When the locations are for Teams chat messages, Teams channel messages, Exchange email, SharePoint sites, OneDrive accounts, Microsoft 365 Groups, Skype for Business, or Exchange public folders, use the cmdlets listed in the [previous section](#retention-cmdlets-for-most-locations).

-For example, **All recipients** for the **Exchange email** location. With this default setting, all existing user mailboxes will be included in the policy, and any new mailboxes created after the policy is applied will automatically inherit the policy.

-> For example, if you specify one SharePoint site to include in your retention policy that's configured to delete data, and then remove the single site, by default all SharePoint sites will then be subject to the retention policy that permanently deletes data. The same applies to includes for Exchange recipients, OneDrive accounts, Teams chat users, and so on.

-### Configuration information for Exchange email and Exchange public folders

-Both the **Exchange email** location and the **Exchange public folders** location require mailboxes to have at least 10 MB of data before retention settings will apply to them.

-The **Exchange email** location supports retention for users' email, calendar, and other mailbox items, by applying retention settings at the level of a mailbox. Shared mailboxes and resource mailboxes for equipment and rooms are also supported.

-Email contacts and Microsoft 365 group mailboxes aren't supported for Exchange email. For Microsoft 365 group mailboxes, select the **Microsoft 365 Groups** location instead. Although the Exchange location initially allows a group mailbox to be selected for a static scope, when you try to save the retention policy, you receive an error that "RemoteGroupMailbox" isn't a valid selection for this location.

-When you configure an auto-apply policy that uses sensitive information types and select the **Exchange email** location:

-When you choose the **SharePoint sites** location, the policy for retention can retain and delete documents in SharePoint communication sites, team sites that aren't connected by Microsoft 365 groups, and classic sites. Unless you're using [adaptive policy scopes](#exceptions-for-adaptive-policy-scopes), team sites connected by Microsoft 365 groups aren't supported with this option and instead, use the **Microsoft 365 Groups** location that applies to content in the group's mailbox, site, and files.

-> You can use a [filter in the SharePoint admin center](/sharepoint/customize-admin-center-site-list) or a [SharePoint PowerShell command](/powershell/module/sharepoint-online/get-sposite#example-10) to confirm whether a site is group-connected. For static scopes, these sites are supported with the **Microsoft 365 Groups** location.

-#### Exceptions for adaptive policy scopes

-When you configure a policy for retention that uses adaptive policy scopes and select the **SharePoint sites** location:

-### Configuration information for Microsoft 365 Groups

-To retain or delete content for a Microsoft 365 group (formerly Office 365 group), use the **Microsoft 365 Groups** location. For retention policies, this location includes the group mailbox and SharePoint teams site. For retention labels, this location includes the SharePoint teams site only.

-> Even though a Microsoft 365 group has an Exchange mailbox, a retention policy for the **Exchange email** location won't include content in Microsoft 365 group mailboxes.

-If you use static scopes: Although the **Exchange email** location for a static scope initially allows you to specify a group mailbox to be included or excluded, when you try to save the retention policy, you'll see an error that "RemoteGroupMailbox" isn't a valid selection for the Exchange location.

-When you configure an auto-apply policy that uses sensitive information types and select the **Microsoft 365 Groups** location:

-> [!NOTE]

-> Teams channel messages now include [shared channels](/MicrosoftTeams/shared-channels) (currently in preview) as well as standard channels.

- A static scope that is configured for all instances for a location is sometimes referred to as an "org-wide policy". For example, **Exchange email** and the default setting of **All recipients**. Or, **SharePoint sites** and the default setting of **All sites**. When retention policies aren't org-wide but have been configured with an adaptive scope or a static scope that includes specific instances, they have equal precedence at this level.

- An implicit retention policy requires a static policy scope with the **All recipients** (for Exchange email) or **All groups** (for Microsoft 365 Groups) configuration.

- - This option is currently rolling out in preview. For more information, see [Specify a default sublabel for a parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)

-> For this scenario, Outlook calendar events remain in preview for Windows, and rolling out in general availability for macOS.

-|Manually apply, change, or remove label <br /> - [Calendar items](sensitivity-labels-meetings.md)| Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Rolling out: 16.70+ ^\* | Under review | Under review | Yes |

-Cross Tenant User Data Migration is available as an add-on to the Microsoft 365 subscription plans below and is only available to customers with an active Enterprise Agreement customer. User licenses are per migration (onetime fee). Contact your Microsoft account team for details.

-spo cdn set --type Public --enabled true

-spo cdn set --type Private --enabled true

-spo cdn get --type Public

-spo cdn origin list --type Public

-spo cdn origin add --type [Public | Private] --origin <path>

-spo cdn origin add --type Public --origin */masterpage

-spo cdn origin add --type Private --origin sites/site1/siteassets

-spo cdn origin remove --type Public --origin */masterpage

-spo cdn policy set --type Public --policy IncludeFileExtensions --value "CSS,EOT,GIF,ICO,JPEG,JPG,JS,MAP,PNG,SVG,TTF,WOFF,JSON"

-spo cdn policy set --type Public --policy ExcludeRestrictedSiteClassifications --value "HBI"

-spo cdn set --type Public --enabled false

-Or you can check with the Office 365 CLI:

-spo cdn origin list

-To add the origin in the Office 365 CLI:

-spo cdn origin add --origin */CLIENTSIDEASSETS

-You can choose to work with the Office 365 CDN using either the **SharePoint Online Management Shell** PowerShell module or the **Office 365 CLI**.

-+ [Installing the Office 365 CLI](https://pnp.github.io/cli-microsoft365/user-guide/installing-cli/)

-This article provides guidance for how to troubleshoot common setup and configuration issues for the Microsoft Teams Electronic Health Record (EHR) connector. Use it to help resolve blockers that you may experience when you set up and configure the EHR connector to integrate with your [Oracle Health EHR](ehr-admin-cerner.md) or [Epic EHR](ehr-admin-epic.md) system.

-This scenario can happen because of several reasons.

-| [Virtual Appointments with Teams and Electronic Healthcare Record (EHR) integration](#virtual-appointments-and-electronic-healthcare-record-ehr-integration) | Schedule, manage, and conduct virtual appointments with patients. This scenario connects Teams and the Cerner or Epic platform to support virtual appointments. | Active subscription to Microsoft Cloud for Healthcare or subscription to Microsoft Teams EHR connector standalone offer. <br> Users must have an appropriate Microsoft 365 or Office 365 license that includes Teams meetings*. <br> Organizations must have Cerner version November 2018 or later or Epic version November 2018 or later. <br>Details for [Cerner EHR](ehr-admin-cerner.md#before-you-begin) and [Epic EHR](ehr-admin-epic.md#before-you-begin) requirements |

-

-**Android Apps** \> **Add \> Android store app** and choose **Select**.

-

- 1. Select **Permissions > Add**. From the list, select the available app permissions > **OK**.

- 2. Select an option for each permission to grant with this policy:

- - **Prompt** - Prompts the user to accept or deny.

- - **Auto deny** - Automatically denies without notifying the user.

- 1. Go to the **Configuration settings** section and choose **'Use configuration designer'** in Configuration settings format.

-> - When you use Microsoft Defender for Cloud to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European and UK users).<br>

-Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning.

-> - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. <br>

-Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.

- - `%Programfiles%\FSLogix\Apps\frxccd.sys`

- - `\\storageaccount.file.core.windows.net\share**.VHDX`

-| [Defender for Endpoint Plan 1](defender-endpoint-plan-1.md) | - [Next-generation protection](defender-endpoint-plan-1.md#next-generation-protection) (includes antimalware and antivirus)<br/>- [Attack surface reduction](defender-endpoint-plan-1.md#attack-surface-reduction)<br/>- [Manual response actions](defender-endpoint-plan-1.md#manual-response-actions)<br/>- [Centralized management](defender-endpoint-plan-1.md#centralized-management)<br/>- [Security reports](defender-endpoint-plan-1.md#reporting)<br/>- [APIs](defender-endpoint-plan-1.md#apis)<br/>- [Support for Windows 10, iOS, Android OS, and macOS devices](defender-endpoint-plan-1.md#cross-platform-support)|

-You can use Microsoft Defender Antivirus in a remote desktop (RDS) or non-persistent virtual desktop infrastructure (VDI) environment. Following the guidance in this article, you can configure updates to download directly to your RDS or VDI environments when a user signs in.

-> Although a VDI can be hosted on Windows Server 2012 or Windows Server 2016, virtual machines (VMs) should be running Windows 10, version 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.

- 1. Create an SMB/CIFS file share.

-

-

- > An NTFS permission is added for **Authenticated Users:Read:**.

-[Export device health methods and properties](device-health-api-methods-properties.md) | Run API Calls such as - GET /api/public/avdeviceshealth.

- > Only admins and users who have "Manage Portal Settings" permissions can enable live response.

- >

- > Automated Investigation must be enabled in the [Advanced features settings](advanced-features.md) prior to enabling live response.

-| Operating system | Your organization's devices must be running one of the following operating systems with the [latest antivirus/antimalware updates](manage-updates-baselines-microsoft-defender-antivirus.md): <br/>- Windows 11<br/>- Windows 10 Anniversary Update (version 1607) or later |

-2. In the navigation pane, select **Settings** \> **Endpoints** \> **General** \> **Advanced Features**.

-3. Scroll down until you see **Web content filtering**.

-**Cults**: Sites related to groups or movements whose members demonstrate passion for a belief system that is different from those that are socially accepted.

-

-**Child abuse images**: Sites that include child abuse images or pornography.

-**School cheating**: Sites related to plagiarism or school cheating.

-

-

-

-Network protection does not currently support SSL inspection, which might result in some sites being allowed by web content filtering that would normally be blocked. Sites would be allowed due to a lack of visibility into encrypted traffic after the TLS handshake has taken place and an inability to parse certain redirects. This includes redirections from some web-based mail login pages to the mailbox page. As an accepted workaround, you can create a custom block indicator for the login page to ensure no users are able to access the site. Keep in mind, this might block their access to other services associated with the same website.

-|`DeviceSubType` | `string` | Additional modifier for certain types of devices, for example, a mobile device can be a tablet or a smartphone; only available if device discovery finds enough information about this attribute |

-The `DeviceInfo` table provides device information based on heartbeats, which are periodic reports or signals from a device. Every fifteen minutes, the device sends a partial heartbeat that contains frequently changing attributes like `LoggedOnUsers`. Once a day, a full heartbeat containing the device's attributes is sent.

-description: Use and customize query results in guided mode for advanced hunting in Microsoft 365 Defender

-In hunting using guided mode, the results of the query appear in the **Results** tab.

-[ ](../../media/guided-hunting/results-view.png#lightbox)

-A few standard columns are included in the results for easy viewing.

-1. Select **Customize columns** in the upper right-hand portion of the results view.

-

-2. From here, select the columns to include in the results view and deselect columns to hide.

-[  ](../../media/guided-hunting/results-view-customize-columns-tb.png#lightbox)

->[!NOTE]

->[!NOTE]

->[!NOTE]

-With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices.

-Use these queries to learn how you can quickly get information about user accounts, devices, and files.

-You can get account names and other account information by merging or joining the [IdentityInfo table](advanced-hunting-identityinfo-table.md). The query below obtains the list of phishing and malware detections from the [EmailEvents table](advanced-hunting-emailevents-table.md) and then joins that information with the `IdentityInfo` table to get detailed information about each recipient.

-| join (IdentityInfo | distinct AccountUpn, AccountDisplayName, JobTitle,

-Department, City, Country) on $left.RecipientEmailAddress == $right.AccountUpn

-| project Timestamp, NetworkMessageId, Subject, ThreatTypes,

-SenderFromAddress, RecipientEmailAddress, AccountDisplayName, JobTitle,

-Watch this [short video](https://www.youtube.com/watch?v=8qZx7Pp5XgM) to learn how you can use Kusto Query Language to join tables.

->[!Tip]

-| project AlertId, Timestamp, Title, Severity, Category

-Use the following query to get information on file related events.

- DeviceFileEvents

- DeviceNetworkEvents

- DeviceNetworkEvents

-EmailPostDeliveryEvents

-| project ZapTime = Timestamp, ActionType, NetworkMessageId , RecipientEmailAddress

-| project ZapTime, ActionType, NetworkMessageId , RecipientEmailAddress, AccountUpn,

-| where ThreatTypes has "Malware"

-) on AccountName

-Malicious emails often contain documents and other specially crafted attachments that run PowerShell commands to deliver additional payloads. If you are aware of emails coming from a known malicious sender (`MaliciousSender@example.com`), you can use this query to list and review PowerShell activities that occurred within 30 minutes after an email was received from the sender.

-) on AccountName

-Advanced hunting is based on the [Kusto query language](/azure/kusto/query/). You can use Kusto operators and statements to construct queries that locate information in a specialized [schema](advanced-hunting-schema-tables.md).

-

-In the Microsoft 365 Defender portal, go to **Hunting** to run your first query. Use the following example:

-| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,

-A short comment has been added to the beginning of the query to describe what it is for. This comment helps if you later decide to save the query and share it with others in your organization.

-### Customize result columns and length

-| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,

->[!TIP]

->You can view query results as charts and quickly adjust filters. For guidance, [read about working with query results](advanced-hunting-query-results.md)

-You can then run different queries without ever opening a new browser tab.

->[!NOTE]

->[!NOTE]

->Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the [GitHub query repository](https://aka.ms/hunting-queries).

->[!NOTE]

->Some tables in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).

->[!TIP]

-You can save a new or existing query so that it is only accessible to you or shared with other users in your organization.

-1. Create or modify a query.

-

-3. Enter a name for the query.

-

-5. Select **Save**.

-## Access community queries in the GitHub repo

-Community queries are grouped into folders like *Campaigns*, *Collection*, *Defense evasion*, and the like. Further information about the query is provided as in-line comments in the query itself.

->[!tip]

->Microsoft security researchers also provide advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](/windows/security/threat-protection/microsoft-defender-atp/threat-analytics) reports in Microsoft 365 Defender.

-

->[!NOTE]

->To locate files and quarantine them, the query results should also include `DeviceId` values as device identifiers.

-

->[!NOTE]

->Some tables in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).

->[!Note]

->You can provide feedback to Microsoft about true positive and false positives alerts, not only at the end of the investigation, but also during the investigation process. This can help Microsoft with future analysis and classification of security events.

->

-Defender for Office 365 alerts can be classified as:

->[!Note]

->Microsoft 365 Defender portal [https://security.microsoft.com](https://security.microsoft.com) brings together functionality from existing Microsoft security portals. The Microsoft 365 Defender portal emphasizes quick access to information, simpler layouts, and bringing related information together for easier use.

->

-Defender for Cloud Apps alerts can be classified as:

->[!Note]

-severity | Enum | Severity of the Incident. Possible values are: ```UnSpecified```, ```Informational```, ```Low```, ```Medium```, and ```High```.

-status | Enum | Specifies the current status of the incident. Possible values are: ```Active```, ```InProgress```, ```Resolved```, and ```Redirected```.

->[!NOTE]

->Around August 29, 2022, previously supported alert determination values ('Apt' and 'SecurityPersonnel') will be deprecated and no longer available via the API.

->[!NOTE]

->Around August 29, 2022, previously supported alert determination values ('Apt' and 'SecurityPersonnel') will be deprecated and no longer available via the API.

-Here are some examples of what it looks like:

-Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organizationΓÇÖs assets, and provide more time for the SOC to remediate the attack fully. Unlike known protection methods such as prevention and blocking based on a single indicator of compromise, the attack disruption in Microsoft 365 Defender leverages the full breadth of our XDR signal to act at the incident level, taking the entire attack into account.

-While many XDR and SOAR solutions allow you to create your automatic response actions, the key difference to Microsoft 365 DefenderΓÇÖs automatic attack disruption is that it is built-in and uses insights from our security researchers and advanced AI models to counteract the complexities of advanced attacks. It considers the entire context of signals from different sources to determine compromised assets.

-This game-changing capability limits a threat actorΓÇÖs progress early on and dramatically reduces the overall impact of an attack, from associated costs to loss of productivity.

-We understand that taking automatic action sometimes comes with hesitation from security teams, given the potential impact it can have on an organization. Therefore, the automatic attack disruption capabilities in Microsoft 365 Defender are designed to rely on high-fidelity signals. In addition to XDR capabilities that correlate incidents with millions of Defender product signals across email, identity, applications, documents, devices, networks, and files. Insights from the continuous investigation of thousands of incidents by MicrosoftΓÇÖs security research team ensure that automatic attack disruption maintains a high signal-to-noise ratio (SNR).

-For more information see ΓÇÿview attack disruption details and resultsΓÇÖ.

-|Deployment requirements|<ul><li>Deployment across Defender products (e.g., Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps)</li><ul><li>The wider the deployment, the greater the protection coverage is. For example, if a Microsoft Defender for Cloud Apps signal is used in a certain detection, then this product is required to detect the relevant specific attack scenario.</li><li>Similarly, the relevant product should be deployed to execute an automated response action. For example, Microsoft Defender for Endpoint is required to automatically contain a device. </li></ul><li>Microsoft Defender for EndpointΓÇÖs device discovery is set to ΓÇÿstandard discoveryΓÇÖ</li></ul>|

-2. Go to **Settings** > **Endpoints** > **Device groups** under **Permissions**.

-Automatic attack disruption enables the exclusion of specific user accounts from automated containment actions. Excluded users wonΓÇÖt be affected by automated actions triggered by attack disruption. You must be a global administrator or security administrator to perform the following procedure:

-2. Go to **Settings** > **Identities** > **Automated response exclusions**. Check the user list to exclude accounts.

-Excluding user accounts is not recommended, and accounts added to this list wonΓÇÖt be suspended in all supported attack types like business email compromise (BEC) and human-operated ransomware.

-Microsoft 365 Defender supports security information and event management (SIEM) tools ingesting information from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for a registered AAD application representing the specific SIEM solution or connector installed in your environment.

-There are two primary models to ingest security information:

-1. Ingesting Microsoft 365 Defender incidents and their contained alerts from a REST API in Azure.

-2. Ingesting streaming event data either through Azure Event Hubs or Azure Storage Accounts.

-Microsoft 365 Defender currently supports the following SIEM solution integrations:

-

-Use the Splunk Add-on for Microsoft Cloud Services to ingest events from Azure Event Hubs.

-

->Use the new IBM QRadar Microsoft 365 Defender Device Support Module (DSM) that calls the [Microsoft 365 Defender Streaming API](streaming-api.md) that allows ingesting streaming event data from Microsoft 365 Defender products via Event Hubs or Azure Storage Account. For more information on supported event types, see [Supported event types](supported-event-types.md).

->[!Important]

->You must be a Global Administrator or Security Administrator in Azure Active Directory, or have all the **Authorization** permissions assigned in Microsoft 365 Defender RBAC to perform this task. For more information on permissions, see [Permission pre-requisites](../defender/manage-rbac.md#permissions-pre-requisites).

- >[!Note]

- >[!Note]

- >[!Note]

->[!Note]

->For the Microsoft 365 Defender security portal to start enforcing the permissions and assignments configured in your new or imported roles, youΓÇÖll need to activate the new Microsoft 365 Defender RBAC model. For more information, see [Activate Microsoft 365 Defender RBAC](activate-defender-rbac.md).

-You can also manage custom detections that apply to data from specific Microsoft 365 Defender solutions if you have permissions for them. If you only have manage permissions for Microsoft 365 Defender for Office, for instance, you can create custom detections using `Email` tables but not `Identity` tables.

-### 1. Prepare the query.

-In the Microsoft 365 Defender portal, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.

->[!IMPORTANT]

->To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.

- - `DeviceId`

- - `DeviceName`

- - `RemoteDeviceName`

- - `RecipientEmailAddress`

- - `SenderFromAddress` (envelope sender or Return-Path address)

- - `SenderMailFromAddress` (sender address displayed by email client)

- - `RecipientObjectId`

- - `AccountObjectId`

- - `AccountSid`

- - `AccountUpn`

- - `InitiatingProcessAccountSid`

- - `InitiatingProcessAccountUpn`

- - `InitiatingProcessAccountObjectId`

->[!NOTE]

->Support for additional entities will be added as new tables are added to the [advanced hunting schema](advanced-hunting-schema-tables.md).

-### 2. Create new rule and provide alert details.

->[!TIP]

-> Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored.

-Near real-time detections are supported for the following tables:

->[!NOTE]

-### 3. Choose the impacted entities.

-### 4. Specify actions.

-Your custom detection rule can automatically take actions on devices, files, users, or emails that are returned by the query.

-Both the Disable user and Force password reset options require the user SID, which are in the columns `AccountSid`, `InitiatingProcessAccountSid`, `RequestAccountSid`, and `OnPremSid`.

-### 5. Set the rule scope.

-### 6. Review and turn on the rule.

-After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.

->[!Important]

->Custom detections should be regularly reviewed for efficiency and effectiveness. To make sure you are creating detections that trigger true alerts, take time to review your existing custom detections by following the steps in [Manage existing custom detection rules](#manage-existing-custom-detection-rules). <br>

-You maintain control over the broadness or specificity of your custom detections so any false alerts generated by custom detections might indicate a need to modify certain parameters of the rules.

->[!TIP]

-*Custom detection rule details*

-In the rule details screen (**Hunting** > **Custom detections** > **[Rule name]**), go to **Triggered alerts**, which lists the alerts generated by matches to the rule. Select an alert to view detailed information about it and take the following actions:

-In the rule details screen (**Hunting** > **Custom detections** > **[Rule name]**), go to **Triggered actions**, which lists the actions taken based on matches to the rule.

->[!TIP]

->To quickly view information and take action on an item in a table, use the selection column [&#10003;] at the left of the table.

->[!NOTE]

->Some columns in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).

->[!Important]

->You must be a Global Administrator or Security Administrator in Azure Active Directory, or have all the **Authorization** permissions assigned in Microsoft 365 Defender RBAC to perform this task. For more information on permissions, see [Permission pre-requisites](../defender/manage-rbac.md#permissions-pre-requisites).

->[!Note]

->After editing an imported role, the changes made in Microsoft 365 Defender RBAC will not be reflected back in the individual product RBAC model.

->[!Note]

->After deleting an imported role, the role won't be deleted from the individual product RBAC model. If needed, you can re-import it to the Microsoft 365 Defender RBAC list of roles.

-This article outlines the process to enable and pilot Microsoft Defender for Endpoint. Before starting this process, be sure you've reviewed the overall process for [evaluating Microsoft 365 Defender](eval-overview.md), and you've [created the Microsoft 365 Defender evaluation environment](eval-create-eval-environment.md).

-<br>

- |Step |Description

-|||

-| [Step 1. Review architecture requirements and key concepts](eval-defender-endpoint-architecture.md) | Understand the Defender for Endpoint architecture and the capabilities available to you. |

-|[Step 2. Enable the evaluation environment](eval-defender-endpoint-enable-eval.md) | Follow the steps to set up the evaluation environment. |

-|[Step 3. Set up the pilot ](eval-defender-endpoint-pilot.md) | Verify your pilot group, run simulations, and become familiar with key features and dashboards. |

-The following diagram illustrates the baseline architecture for Defender for Identity.

-| Reports | Defender for Identity reports allow you to schedule or immediately generate and download reports that provide system and entity status information. You can create reports about system health, security alerts, and potential lateral movement paths detected in your environment. | [Microsoft Defender for Identity Reports ](/defender-for-identity/reports) |

-Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)

-Use the following steps to set up your Microsoft Defender for Identity environment.

-Sign in to the Defender for Identity portal to create your instance and then connect this instance to your Active Directory environment.

-| Step | Description |More information |

-||||

-|1 | Create the Defender for Identity instance | [Quickstart: Create your Microsoft Defender for Identity instance](/defender-for-identity/install-step1) |

-|2 | Connect the Defender for Identity instance to your Active Directory forest | [Quickstart: Connect to your Active Directory Forest](/defender-for-identity/install-step2) |

-| Step | Description |More information |

-||||

-|1 | Determine how many Microsoft Defender for Identity sensors you need. | [Plan capacity for Microsoft Defender for Identity](/defender-for-identity/capacity-planning) |

-|2 | Download the sensor setup package | [Quickstart: Download the Microsoft Defender for Identity sensor setup package](/defender-for-identity/install-step3) |

-|3 | Install the Defender for Identity sensor | [Quickstart: Install the Microsoft Defender for Identity sensor](/defender-for-identity/install-step4) |

-|4 | Configure the sensor | [Configure Microsoft Defender for Identity sensor settings ](/defender-for-identity/install-step5) |

-| Step | Description |More information |

-||||

-|1 | Configure Windows event log collection | [Configure Windows Event collection](/defender-for-identity/configure-windows-event-collection) |

-|2 | Configure Internet proxy settings | [Configure endpoint proxy and Internet connectivity settings for your Microsoft Defender for Identity Sensor](/defender-for-identity/configure-proxy) |

-Microsoft Defender for Identity lateral movement path detection relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity Service account.

-For instructions on how to do this, see [Configure Microsoft Defender for Identity to make remote calls to SAM](/defender-for-identity/install-step8-samr).

->[!Note]

->If you are brand new to security analysis and incident response, see the [Respond to your first incident walkthrough](first-incident-overview.md) to get a guided tour of a typical process of analysis, remediation, and post-incident review.

->

-

-3. Select **Open incident page** to get more information about the incident.

->Before we walk you through this simulation, watch the following video to get familiar with what automated self-healing is, where to find it in the portal, and how it can help in your security operations:

-|Step |Description |

-| 1. [Simulate attacks](eval-defender-investigate-respond-simulate-attack.md) | Simulate attacks on your evaluation environment and use the Microsoft 365 Defender portal to perform incident response. |

-| 2. [Try incident response capabilities ](eval-defender-investigate-respond-additional.md) | Try additional incident response features and capabilities in Microsoft 365 Defender. |

-|||

-### Navigation you may need

-Before enabling Microsoft Defender for Cloud Apps, be sure you understand the architecture and can meet the requirements.

-#### Discovering cloud apps

-#### Managing cloud apps

-After you discover cloud apps and analyze how these apps are used by your organization, you can begin managing cloud apps that you choose.

-#### Applying session controls to cloud apps

-Microsoft Defender for Cloud Apps serves as a reverse proxy, providing proxy access to sanctioned cloud apps. This provision allows Defender for Cloud Apps to apply session controls that you configure.

-#### Integrating with Azure AD with Conditional Access App Control

-You might already have SaaS apps added to your Azure AD tenant to enforce multi-factor authentication and other conditional access policies. Microsoft Defender for Cloud Apps natively integrates with Azure AD. All you have to do is configure a policy in Azure AD to use Conditional Access App Control in Defender for Cloud Apps. This routes network traffic for these managed SaaS apps through Defender for Cloud Apps as a proxy, which allows Defender for Cloud Apps to monitor this traffic and to apply session controls.

-#### Protecting your organization from hackers

-It's worth repeating this illustration from the overview to this Microsoft 365 Defender evaluation and pilot guide.

-| Defender for Cloud Apps Dashboard | Presents an overview of the most important information about your organization and gives links to deeper investigation. | [Working with the dashboard ](/cloud-app-security/daily-activities-to-protect-your-cloud-environment) |

-| Cloud Discovery Dashboard | Cloud Discovery analyzes your traffic logs and is designed to give more insight into how cloud apps are being used in your organization as well as give alerts and risk levels. | [Working with discovered apps ](/cloud-app-security/discovered-apps) |

-| | | |

-These options are included in [Step 2. Enable the evaluation environment](eval-defender-mcas-enable-eval.md).

-You can integrate Microsoft Defender for Cloud Apps with your generic SIEM server or with Microsoft Sentinel to enable centralized monitoring of alerts and activities from connected apps.

- - m365solution-evalutatemtp

-This article outlines the process to enable and pilot Microsoft Defender for Cloud Apps alongside Microsoft 365 Defender. Before starting this process, be sure you've reviewed the overall process for [evaluating Microsoft 365 Defender](eval-overview.md) and you have [created the Microsoft 365 Defender evaluation environment](eval-create-eval-environment.md).

-<br>

-|[Set up the pilot ](eval-defender-mcas-pilot.md) | Scope your deployment to certain user groups, configure Conditional Access App Control, and try out tutorials for protecting your environment. |

->You must be a Global Administrator or Security Administrator in Azure Active Directory, or have all the **Authorization** permissions assigned in Microsoft 365 Defender RBAC to perform this task. For more information on permissions, see [Permission pre-requisites](../defender/manage-rbac.md#permissions-pre-requisites).

->[!Note]

->As a Microsoft partner, Protiviti contributed to and provided material feedback to this article.

->

->[!NOTE]

->[!NOTE]

->[!NOTE]

->Microsoft Defender for Endpoint automatically provisions in European Union (EU) data centers when turned on through Microsoft Defender for Cloud. Microsoft 365 Defender will automatically provision in the same EU data center for customers who have provisioned Microsoft Defender for Endpoint in this manner.

-Watch this short video to learn about the Microsoft 365 Defender portal.

-Microsoft 365 Defender emphasizes *unity, clarity, and common goals*.

->[!IMPORTANT]

-You can search across the following entities in Defender for Endpoint and Defender for Identity:

- >[!NOTE]

- >IP and URL searches are exact match and don't appear in the search results page ΓÇô they lead directly to the entity page.

->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4Bzww]

-|Search | The search bar is located at the top of the page. Suggestions are provided as you type. You can search across the following entities in Defender for Endpoint and Defender for Identity: <br><br> - **Devices** - supported for both Defender for Endpoint and Defender for Identity. You can even use search operators, for example, you can use "contains" to search for part of a host name. <br><br> - **Users** - supported for both Defender for Endpoint and Defender for Identity. <br><br> - **Files, IPs, and URLs** - same capabilities as in Defender for Endpoint. <br> NOTE: *IP and URL searches are exact match and don't appear in the search results page ΓÇô they lead directly to the entity page. <br><br> - **MDVM** - same capabilities as in Defender for Endpoint (vulnerabilities, software, and recommendations). <br><br> The enhanced search results page centralizes the results from all entities. |

-This includes redirection for direct access to the former portal via browser, including links pointing towards the former securitycenter.windows.com portal - such as links in email notifications, and links returned by SIEM API calls.

-Once enabled, this update might take effect almost immediately for some accounts. But the redirection might take longer to propagate to every account in your organization. Accounts in active sessions while this setting is applied will not be ejected from their session and will only be routed to Microsoft 365 Defender after ending their current session and signing back in again.

-3. Navigate to **Settings** > **Endpoints** > **General** > **Portal redirection** or [click here](https://security.microsoft.com/preferences2/portal_redirection).

->[!IMPORTANT]

->Enabling this setting will not terminate active user sessions. Accounts who are in an active session while this setting is applied will only be directed to Microsoft 365 Defender after ending their current session and signing in again.

->[!NOTE]

->You must be a global administrator or have security administrator permissions in Azure Active Directory to enable or disable this setting.

-2. Navigate to **Settings** > **Endpoints** > **General** > **Portal redirection** or [open the page here](https://security.microsoft.com/preferences2/portal_redirection).

-This setting can be enabled again at any time.

-Once disabled, accounts will no longer be routed to security.microsoft.com, and you will once again have access to the former portal - securitycenter.windows.com or securitycenter.microsoft.com.

-Once enabled, this update might take effect almost immediately for some accounts. But the redirection might take longer to propagate to every account in your organization. Accounts in active sessions while this setting is applied won't be ejected from their session and will only be routed to Microsoft 365 Defender after ending their current session and signing back in again.

->[!IMPORTANT]

->Enabling this setting will not terminate active user sessions. Accounts who are in an active session while this setting is applied will only be directed to Microsoft 365 Defender after ending their current session and signing in again.

->[!NOTE]

->You must be a global administrator or have security administrator permissions in Azure Active Directory to enable or disable this setting.

-2. Navigate to **Settings** > **Identities** > **General** > **Portal redirection** or [open the page here](https://security.microsoft.com/preferences2/portal_redirection).

-Once you have completed an action it can take between 24-48 hours for the changes to be reflected in your secure score.

-When you select a specific recommended action, a full page flyout appears.

->[!NOTE]

->If you choose to create a 'Global exception' in the Defender Vulnerability management security recommendation, the status in the Microsoft Secure Score recommended action will be updated with the exception justification. Updates may take up to 2 hours.

->If you choose to create an 'Exception per device group' in the Defender Vulnerability manage security recommendation, Secure Score will not be updated and the recommended action will remain as 'To address'.

-Prerequisites include any licenses that are needed or actions to be completed before the recommended action is addressed. Make sure you have enough seats in your license to complete the recommended action and that those licenses are applied to the necessary users.

-Secure Score helps organizations:

-* Report on the current state of the organization's security posture.

-* Improve their security posture by providing discoverability, visibility, guidance, and control.

-* Compare with benchmarks and establish key performance indicators (KPIs).

->[!Note]

-> Currently, the Azure Active Directory related Microsoft Secure Score recommendations are not available for customer tenants registered in the following Azure Active Directory regions:

->[!Note]

->[!IMPORTANT]

->Security defaults include security features that provide similar security to the "sign-in risk policy" and "user risk policy" recommended actions. Instead of setting up these policies on top of the security defaults, we recommend updating their statuses to "Resolved through alternative mitigation."

-* Global administrator

-* Security administrator

-* Exchange administrator

-* SharePoint administrator

-* Helpdesk administrator

-* User administrator

-* Service support administrator

-* Security reader

-* Security operator

-* Global reader

- - tier1

-If you're new to Microsoft 365 Defender and Defender Experts for Hunting:

-3. The Microsoft 365 Defender quick tour will get you familiar with the security suite, where the capabilities are and how important they are. Select **Take a quick tour**.

-You can set up Microsoft 365 Defender to notify you or your staff with an email about new incidents or updates to existing incidents, including those observed by Microsoft Defender Experts. [Learn more about getting incident notifications by email](/microsoft-365/security/defender/incidents-overview#get-incident-notifications-by-email)

-Select **Ask Defender Experts** directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization may face. Experts on Demand can help to:

-* Commodity ransomware is malware that spreads with phishing or between devices and encrypts files before demanding a ransom.

-* Human-operated ransomware is a planned and coordinated attack by active cybercriminals who employ multiple attack methods. In many cases, known techniques and tools are used to infiltrate your organization, find the assets or systems worth extorting, and then demand a ransom. Upon compromising a network, the attacker carries out reconnaissance of assets and systems which can be encrypted or extorted. The attackers then encrypt or exfiltrate data before demanding a ransom.

-* Microsoft Defender for Endpoint

-* Microsoft Defender for Office 365

-* Microsoft Defender for Identity

-* Microsoft Defender for Cloud Apps (including the app governance add-on)

-* Microsoft Azure AD Identity Protection

-* Microsoft Defender for IoT

-* Microsoft 365 Business Premium

-* Microsoft Defender for Business

-* When detected during the pre-ransom stage, smaller-scale mitigations such as isolating infected devices or user accounts can be used to disrupt and remediate the attack.

-* If detection comes at a later stage, such as when the malware used to encrypt files is being deployed, more aggressive remediation steps that can cause downtime might need to be used to disrupt and remediate the attack.

-* [Human-operated ransomware attacks: A preventable disaster](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/)

-* [Ransomware threat analytics reports in the Microsoft 365 Defender portal](https://sip.security.microsoft.com/threatanalytics3?page_size=30&filters=tags%3DRansomware&ordering=-lastUpdatedOn&fields=displayName,alertsCount,impactedEntities,exposureLevel,MisconfiguredDevices,VulnerableDevices,reportType,createdOn,lastUpdatedOn,tags,flag)

-* RDP brute force

-* Vulnerable internet-facing system

-* Weak application settings

-* Phishing email

-* Mimikatz

-* LSA secrets

-* Credential vault

-* Credentials in plaintext

-* Abuse of service accounts

-* Cobalt Strike

-* WMI

-* Abuse of management tools

-* PsExec

-* New accounts

-* GPO changes

-* Shadow IT tools

-* Schedule tasks

-* Service registration

-* Disabling security features

-* Clearing log files

-* Deleting attack artifact files

-* Resetting timestamps on altered files

-* Exfiltration of sensitive data

-* Encryption of data in place and in backups

-* Deletion of data in place and backups, which might be combined with a preceding exfiltration

-* Threat of public leakage of exfiltrated, sensitive data

-* A one-off attack to surveil the email messages of someone in the finance department of an organization.

-* The pre-ransom part of an attack chain to use compromised user account credentials to discover the resources available to the user account and to compromise other user accounts with higher levels of privilege and access.

-Attack method |Signal source |Alternate security portals

-|:|:|:

-RDP brute force|Defender for Endpoint|Defender for Cloud Apps

-Vulnerable internet-facing system|Windows security features, Microsoft Defender for Servers|

-Weak application settings |Defender for Cloud Apps, Defender for Cloud Apps with the app governance add-on|Defender for Cloud Apps |

-Malicious app activity |Defender for Cloud Apps, Defender for Cloud Apps with the app governance add-on|Defender for Cloud Apps |

-Phishing email |Defender for Office 365

-Password spray against Azure AD accounts |Azure AD Identity Protection via Defender for Cloud Apps |Defender for Cloud Apps

-Password spray against on-premises accounts |Microsoft Defender for Identity

-Device compromise |Defender for Endpoint

-Credential theft |Microsoft Defender for Identity

-Escalation of privilege |Microsoft Defender for Identity

-Spike category |Signal source |Alternate security portals

-|: |: |:

-Sign-ins: Numerous failed attempts, attempts to logon to multiple devices in a short period, multiple first-time logons, etc. |Azure AD Identity Protection via Defender for Cloud Apps, Microsoft Defender for Identity |Defender for Cloud Apps

-Recently active user account, group, machine account, app |Azure AD Identity Protection via Defender for Cloud Apps (Azure AD), Defender for Identity (Active Directory Domain Services [AD DS]) |Defender for Cloud Apps

-Recent app activity such as data access |Apps with Defender for Cloud Apps with the app governance add-on |Defender for Cloud Apps

-Activity |Signal source |Alternate security portal

-|: |: |:

-New apps that are installed |Defender for Cloud Apps with the app governance add-on |Defender for Cloud Apps

-New user accounts |Azure Identity Protection |Defender for Cloud Apps

-Role changes |Azure Identity Protection |Defender for Cloud Apps

-Behavior |Signal source

-|: |:

-Malware spread to multiple devices |Defender for Endpoint

-Resource scanning |Defender for Endpoint, Defender for Identity

-Changes in mailbox forwarding rules |Defender for Office 365

-Data exfiltration and encryption |Defender for Office 365

-**Monitor for Adversary Disabling Security** ΓÇô as this is often part of human-operated ransomware (HumOR) attack chain

-* **Event Logs Clearing** ΓÇô especially the Security Event log and PowerShell Operational logs

-* **Disabling of security tools/controls** (associated with some groups)

-* An incident queue, which groups related alerts for an attack to provide the full attack scope, impacted assets, and automated remediation actions.

-* An alerts queue, which lists all of the alerts being tracked by Microsoft 365 Defender.

-* Microsoft Defender for Endpoint

-* Microsoft Defender for Office 365

-* Microsoft Defender for Identity

-* Microsoft Defender for Cloud Apps (including the app governance add-on)

-* Microsoft Azure AD Identity Protection

-* Microsoft Defender for IoT

-Attacks and incidents |Signal source

-|: |:

-Cloud identity: Password spray, numerous failed attempts, attempts to log on to multiple devices in a short period, multiple first-time logons, recently active user accounts |Azure AD Identity Protection

-On-premises identity (AD DS) compromise |Defender for Identity

-Phishing |Defender for Office 365

-Malicious apps |Defender for Cloud Apps or Defender for Cloud Apps with app governance add-on

-Endpoint (device) compromise |Defender for Endpoint

-IoT-capable device compromise |Defender for IoT

-* Incidents containing the "ransomware" category. Here is the corresponding [link](https://security.microsoft.com/incidents?filters=AlertStatus%3DNew%257CInProgress,category%3Dransomware&page_size=30&fields=expand,name,tags,severity,investigationStates,category,impactedEntities,alertCount,serviceSource,detectionSource,firstEventTime,lastEventTime,sensitivity,status,incidentAssignment,classification,determination,rbacGroup).

-* Incidents with a specified **Actor** name known to be performing ransomware attacks.

-* Incidents with a specified **Associated threat** name known to be used in ransomware attacks.

-* Incidents containing a custom tag that your SecOps team uses for incidents that are known to be part of a larger, coordinated ransomware attack.

-You can also use the Microsoft 365 Defender APIs to query the Microsoft 365 Defender incidents and alerts data in your tenant. A custom app can filter the data, filter it based on custom settings, and then provide a filtered list of links to alerts and incidents that you can easily select to go right to that alert or incident. See [List incidents API in Microsoft 365 Defender | Microsoft Docs](/api-list-incidents.md). You can also integrate your SIEM with Microsoft Defender, see [Integrate your SIEM tools with Microsoft 365 Defender](/configure-siem-defender.md).

-* The [Hunt for ransomware](/advanced-hunting-find-ransomware.md) article

-* GitHub repository for advanced hunting queries:

- * [Ransomware-specific](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Ransomware) queries

- * [All categories](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Ransomware) of queries

-* Threat analytics reports

- * Advanced hunting section of the [Ransomware: A pervasive and ongoing threat](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport) analyst report

- * Advanced hunting section of other analyst reports

-* How often to run the custom detection rule

-* The severity of the alert created by the rule

-* The MITRE attack phase for the created alert

-* Impacted entities

-* Actions to take on impacted entities

-* Pre-work for your SecOps team and organization

-* Security analyst training, as needed

-* Ongoing operational work to incorporate the latest attacks and detection experiences of your security analysts

-* Processes for Tier 1 analyst scanning of incoming incidents and alerts and assignment to Tier 2 analysts for investigation.

-* Manually running advanced hunting queries and their schedule (daily, weekly, monthly).

-* Ongoing changes based on ransomware attack investigation and mitigation experiences.

-* Common ransomware attack chains (MITRE attack tactics and common threat techniques and malware)

-* Incidents and alerts and how to locate and analyze them in the Microsoft 365 Defender portal using:

- * Alerts and incidents already created by Microsoft 365 Defender

- * Pre-scanned URL-based filters for the Microsoft 365 Defender portal

- * Programmatically via the incidents API

-* Advanced hunting queries to use and their manual schedule (daily, weekly, monthly)

-* Custom detection rules to use and their settings

-* Custom incident tags

-* The latest [threat analytics reports for ransomware](https://security.microsoft.com/threatanalytics3?page_size=30&filters=tags%3DRansomware&ordering=-lastUpdatedOn&fields=displayName,alertsCount,impactedEntities,reportType,createdOn,lastUpdatedOn,tags,flag) attacks in the Microsoft 365 Defender portal

-* Update your catalog of advanced hunting queries with:

- * New queries based on the latest threat analytics reports in the Microsoft 365 Defender portal or the [Advanced Hunting GitHub repository](<https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Ransomware>).

- * Changes to existing ones to optimize for threat identification or for better alert quality.

-* Update custom detection rules based on new or changed advanced hunting queries.

-* Update the set of operational tasks for ransomware detection.

->[!NOTE]

-# Set up your Microsoft 365 Defender trial in a lab environment

-This topic guides you to set up a dedicated lab environment. For information on setting up a trial in production, see the new [Evaluate and pilot Microsoft 365 Defender](eval-overview.md) guide.

->[!NOTE]

->If you already have an existing Office 365 or Azure Active Directory subscription, you can skip the Office 365 E5 trial tenant creation steps.

-

-3. Fill in your first name, last name, business phone number, company name, company size, and country or region.

-

-

-4. Choose your verification preference: through a text message or call. Click **Send Verification Code**.

-

-

-

-

-11. [Optional] Download Office apps. Click **Next** to skip this step.

-

-13. Choose online services. Select **Exchange** and click **Next**.

-

-

->[!NOTE]

->Signing up for a trial gives you 25 user licenses to use for a month. See [Try or buy a Microsoft 365 subscription](../../commerce/try-or-buy-microsoft-365.md) for details.

-2. Select **Microsoft 365 E5** and click **Start free trial**.

-

-

-

->[!NOTE]

->The analyst report also lists **generic detections** that can identify a wide-range of threats, in addition to components or behaviors specific to the tracked threat. These generic detections don't reflect in the charts.

->[!NOTE]

->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWwJfU]

->[!CAUTION]

->**The preview period for the ServiceNow connector has ended**<br>

->This capability is no longer available. Thank you for your feedback and continued support while we determine next steps.

->[!NOTE]

-|[</li></ul>

-

-

->If your browser is being blocked by Safe Links and Safe Attachment pages, see [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/advanced-outlook-com-security-for-microsoft-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2?storagetype=live).

->[!Note]

->When opening an email cluster to view it in Explorer from the email cluster details, the PhishEdu and SecOps mailbox filters will be applied in Explorer but will not be shown. If you change the Explorer filters, dates, or refresh the query within the page ΓÇô then the PhishEdu/SecOps filter exclusions will get removed and emails that match these will be shown once again. If you refresh the Explorer page using the browser refresh function, the original query filters will get re-loaded, including the PhishEdu/SecOps filters ΓÇô but removing any subsequent changes you had made.

->

->You can choose to do nothing about DKIM for your custom domain too. If you don't set up DKIM for your custom domain, Microsoft 365 creates a private and public key pair, enables DKIM signing, and then configures the Microsoft 365 default policy for your custom domain.

-description: Microsoft Defender for Office 365 data retention informationThreat Explorer/ Real-Time detections

-> Microsoft Defender for Office 365 comes in two different Plan types. You can tell if you have **Plan 1** if you have 'Real-time Detections', and **Plan 2**, if you have Threat Explorer. The Plan you have influences the tools you will see, so be certain that you're aware of your Plan as you learn.

-|Alert metadata details (Microsoft Defender for Office alerts) | 90 days |

-|Entity metadata details (Emails) | 30 days |

-|Activity alert details (audit logs) | 7 days |

-|Email entity page | 30 days |

-|Quarantine | 30 days (configurable up to 30 days maximum) |

-|Reports | 90 days (for all aggregated data) <br>30 days (for all detailed information except below) <br> 10 days (for Threat protection status report detail and spoof mail report details) <br> 7 days (for URL protection report details) <br>

-|Submissions | 30 days |

-|Threat Explorer/ Real-Time detections | 30 days |

-|Action Center | 180 days, 30 days (Office Action center) |

-|Advanced Hunting | 30 days |

-|AIR (Automated Investigation and Response) | 60 days (for investigations meta data)<br> 30 days (for email meta data) |

-|Attack Simulation Data | 18 months |

-|Campaigns | 30 days |

-|Incidents | 30 days|

-|Remediation | 30 days |

-|Threat Analytics | 30 days |

-|Threat Trackers | 30 days |

-Quarantine policies (formerly known as _quarantine tags_) in Exchange Online Protection (EOP) and Microsoft Defender for Office 365 allow admins to control what users are able to do to quarantined messages based on why the message was quarantined. Quarantine policies are available in all Microsoft 365 organizations with Exchange Online mailboxes.

-|**[Anti-malware policies](anti-malware-policies-configure.md)**|Yes ( _QuarantineTag_)|

-<p>

-

-

-> 550 5.7.511 Access denied, banned sender[xxx.xxx.xxx.xxx]. To request removal from this list, forward this message to delist@microsoft.com. For more information, go to https://go.microsoft.com/fwlink/?LinkId=526653.

-

-In the email to request removal from this list, provide the full NDR code and IP address. Microsoft will contact you within 48 hours with the next steps.

-As an organizationΓÇÖs security posture is constantly changing alongside the cybersecurity landscape, making security posture improvements should be a continuous process. This article provides an overview of how you can strengthen your organization's security posture using capabilities available in Microsoft 365 Defender and other Microsoft security products, such as Microsoft Defender for Endpoint and Microsoft Defender Vulnerability Management.

-To allow or block guest sharing, we use a combination of a sensitivity label for the team and site-level sharing controls for the associated SharePoint site, both discussed later.

-For the highly sensitive level of protection, we'll be using a sensitivity label to classify the team. This label can also be used to classify and encrypt individual files in this or other teams or in other file locations such as SharePoint or OneDrive.

-As a first step, you must enable sensitivity labels for Teams. See [Use sensitivity labels to protect content in Microsoft Teams, Office 365 Groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md) for details.

-2. Under **Solutions**, click **Information protection**.

-3. Click **Create a label**.

-4. Give the label a name. We suggest **Highly sensitive**, but you can choose a different name if that one is already in use.

-5. Add a display name and description, and then click **Next**.

-6. On the **Define the scope for this label page**, select **Files & emails** and **Groups & sites** and click **Next**.

-7. On the **Choose protection settings for files and emails** page, select **Encrypt files and emails**, and then click **Next**.

-8. On the **Encryption** page, choose **Configure encryption settings**.

-9. Under **Assign permissions to specific users and groups**, click **Assign permissions**.

-10. Click **Add all users and groups in your organization**.

-11. If there are guests who should have permissions to decrypt files, click **Add users or groups** and add them.

-12. Click **Save**, and then click **Next**.

-13. On the *Auto-labeling for files and emails** page, click **Next**.

-14. On the **Define protection settings for groups and sites** page, select **Privacy and external user access settings** and **Device access and external sharing settings** and click **Next**.

-15. On the **Define privacy and external user access settings** page, under **Privacy**, select the **Private** option.

-16. If you want to allow guest access, under **External user access**, select **Let Microsoft 365 Group owners add people outside your organization to the group as guests**.

-17. Click **Next**.

-18. On the **Define external sharing and device access settings** page, select **Control external sharing from labeled SharePoint sites**.

-19. Under **Content can be shared with**, choose **New and existing guests** if you're allowing guest access or **Only people in your organization** if not.

-20. Under **Access from unmanaged devices**, choose **Block access**. (If you're allowing guests and they don't have managed devices, you may want to choose **Allow limited, web-only access**.)

-21. Click **Next**.

-22. On the **Auto-labeling for database columns** page, click **Next**.

-23. Click **Create label**, and then click **Done**.

-### Site default sharing link settings

-To update the site default sharing link type

-1. Open the SharePoint admin center, and under **Sites**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>.

-1. Select the site that is associated with team.

-1. On the **Policies** tab, under **External sharing**, select **Edit**.

-1. Under Default sharing link type, clear the **Same as organization-level setting** check box, and select **People with existing access**.

-1. Select **Save**.

-Note that if you add private or shared channels to the team, each creates a new SharePoint site with the default sharing settings. You can update them in the SharePoint admin center by selecting the sites associated with the team.

-### Site sharing settings

-To help ensure that the SharePoint site does not get shared with people who are not members of the team, we limit such sharing to owners. We also limit sharing of files and folders to team owners. This helps ensure that owners are aware whenever a file is shared with someone outside the team.

-To configure owners-only site sharing

-1. In Teams, navigate to the **General** tab of the team you want to update.

-2. In the tool bar for the team, click **Files**.

-3. Click the ellipsis, and then click **Open in SharePoint**.

-4. In the tool bar of the underlying SharePoint site, click the settings icon, and then click **Site permissions**.

-5. In the **Site permissions** pane, under **Site sharing**, click **Change how members can share**.

-6. Under **Sharing permissions**, choose **Only site owners can share files, folders, and the site**.

-7. Set **Allow access requests** to **Off**, and then click **Save**.

-For the sensitive level of protection, we'll be using a sensitivity label to classify the team. This label can also be used to classify individual files in this or other teams, or in other file locations such as SharePoint or OneDrive.

-As a first step, you must enable sensitivity labels for Teams. See [Use sensitivity labels to protect content in Microsoft Teams, Office 365 Groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md) for details.

-2. Under **Solutions**, click **Information protection**.

-3. Click **Create a label**.

-4. Give the label a name. We suggest **Sensitive**, but you can choose a different name if that one is already in use.

-5. Add a display name and description, and then click **Next**.

-6. On the **Define the scope for this label page**, select **Files & emails** and **Groups & sites** and click **Next**.

-7. On the **Choose protection settings for files and emails** page, click **Next**.

-8. On the *Auto-labeling for files and emails** page, click **Next**.

-9. On the **Define protection settings for groups and sites** page, select **Privacy and external user access settings** and **Device access and external sharing settings** and click **Next**.

-10. On the **Define privacy and external user access settings** page, under **Privacy**, select the **Private** option.

-11. If you want to allow guest access, under **External user access**, select **Let Microsoft 365 Group owners add people outside your organization to the group as guests**.

-12. Click **Next**.

-13. On the **Define external sharing and device access settings** page, select **Control external sharing from labeled SharePoint sites**.

-14. Under **Content can be shared with**, choose **New and existing guests** if you're allowing guest access or **Only people in your organization** if not.

-15. Under **Access from unmanaged devices**, choose **Allow limited, web-only access**.

-16. Click **Next**.

-17. On the **Auto-labeling for database columns** page, click **Next**.

-18. Click **Create label**, and then click **Done**.

-Each time you create a new team with the sensitive label, there are two steps to do in SharePoint:

-The articles in this series provide recommendations for configuring teams in Microsoft Teams and their associated SharePoint sites for file protection that balances security with ease of collaboration.

-|Shared channels|Owners and members can create shared channels|Owners and members can create shared channels|Only owners can create shared channels|Only owners can create shared channels|

-|Site sharing settings|**Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site**.|**Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site**.|**Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site**.|**Only site owners can share files, folders, and the site**.<br>Access requests **Off**.|

-|Site-level unmanaged device access|**Full access from desktop apps, mobile apps, and the web** (default).|**Full access from desktop apps, mobile apps, and the web** (default).|**Allow limited, web-only access**.|**Block access**.|

-|Sensitivity labels|None|None|Sensitivity label used to classify the team and control guest sharing and unmanaged device access.|Sensitivity label used to classify the team and control guest sharing and unmanaged device access. Label can also be used on files to encrypt files.|

-The sensitive and highly sensitive tiers use sensitivity labels to help secure the team and its files. To implement these tiers, you must enable [sensitivity labels to protect content in Microsoft Teams, Office 365 Groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md).

-While the baseline tier does not require sensitivity labels, consider creating a "general" label and then requiring that all teams be labeled. This will help ensure that users make a conscious choice about sensitivity when they create a team. If you plan to deploy the sensitive or highly sensitive tiers, we do recommend creating a "general" label that you can use for baseline teams and for files that are not sensitive.

-By default, both owners and members of the team can share files and folders with people outside the team. This may include people outside your organization, if you have allowed guest sharing. In all three tiers, we update the default sharing link type to help avoid accidental oversharing. In the highly sensitive tier, we restrict such sharing to team owners only.

-In the highly sensitive tier, we configure the sensitivity label to encrypt files to which it is applied. If you need guests to have access to these files, you must give them permissions when you create the label. External participants in shared channels can't be given permissions to sensitivity labels and can't access content encrypted by a sensitivity label.

-If you regularly collaborate with other organizations that use Azure AD, shared channels may be a good option. Shared channels appear seamlessly in the other organization's Teams client and allow external participants to use their regular user account for their organization rather than having to login in separately using a guest account.

-## Access from unmanaged devices

-For the sensitive and highly sensitive tiers, we restrict access to SharePoint content with sensitivity labels. Azure AD conditional access offers many options for determining how people access Microsoft 365, including limitations based on location, risk, device compliance, and other factors. We recommend you read [What is Conditional Access?](/azure/active-directory/conditional-access/overview) and consider which additional policies might be appropriate for your organization.

-Note that guests often don't have devices that are managed by your organization. If you allow guests in any of the tiers, consider what kinds of devices they'll be using to access teams and sites and set your unmanaged device policies accordingly.

-### Control device access across Microsoft 365

-The unmanaged devices setting in sensitivity labels only affect SharePoint access. If you want to expand control of unmanaged devices beyond SharePoint, you can [Create an Azure Active Directory conditional access policy for all apps and services in your organization](/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device) instead. To configure this policy specifically for [Microsoft 365 services](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#office-365), select the **Office 365** cloud app under **Cloud apps or actions**.

-

-## See also

-|[ <br>Updated September 2021| The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li> |

-## Microsoft Teams with security isolation

-With Microsoft 365, you can configure a private team in Microsoft Teams and use SharePoint site security settings and a unique sensitivity label to encrypt files so that only team members can decrypt them.

-[](../downloads/team-security-isolation-poster.pdf) <br/>

-[PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/team-security-isolation-poster.pdf) | [PowerPoint](https://download.microsoft.com/download/8/0/5/8057fc16-c044-40b6-a652-7ed555ba2895/team-security-isolation-poster.pptx) <br>

-Updated August 2020

-For more information, see the article for this poster: [Configure a team with security isolation](secure-teams-security-isolation.md).

-recommendations: false

-description: "Learn how to create a team with a unique sensitivity label for security."

-# Configure a team with security isolation by using a unique sensitivity label

-This article provides you with recommendations and steps to configure a private team in Microsoft Teams and use a unique sensitivity label to encrypt files so that only team members can decrypt them.

-Beyond the private access, this article describes how to configure the associated SharePoint site, which you can access from the **Files** section of a team channel, for the additional security needed to store highly regulated data.

-The elements of configuration for a team with security isolation are:

- - Prevents members of the site from sharing the site with others.

- - Prevents non-members of the site from requesting access to the site.

- - Prevents access to SharePoint content from unmanaged devices

- - Allows or denies guest access to the team, depending on your requirements

- - Encrypts documents to which the label is applied

-> [!IMPORTANT]

-> Be sure you have enabled [sensitivity labels to protect content in Microsoft Teams, Office 365 groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md) before you proceed with the steps in this article.

-Watch this video for an overview of the deployment process.

-<br>

-<br>

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mGHf]

-<a name="poster"></a>

-For a 1-page summary of this scenario, see the [Microsoft Teams with security isolation poster](../downloads/team-security-isolation-poster.pdf).

-[](../downloads/team-security-isolation-poster.pdf)

-You can also download this poster in [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/team-security-isolation-poster.pdf) or [PowerPoint](https://download.microsoft.com/download/8/0/5/8057fc16-c044-40b6-a652-7ed555ba2895/team-security-isolation-poster.pptx) formats and print it on letter, legal, or tabloid (11 x 17) size paper.

-Try this configuration in your own test lab environment with [these instructions](team-security-isolation-dev-test.md).

-See how the Contoso Corporation used an isolated team for a top-secret project in [this case study](contoso-team-for-top-secret-project.md).

-## Initial protections

-To help protect access to the team and its underlying SharePoint site, review the following best practices:

-## Guest sharing

-Depending on the nature of your business, you may or may not want to enable guest sharing for this team. If you do plan to collaborate with people outside your organization in the team, enable guest sharing.

-For details about sharing with guests securely, see the following resources:

-To allow or block guest sharing, we use a combination of a sensitivity label for the team and site-level sharing controls for the associated SharePoint site, both discussed later.

-## Create a private team

-Since we are creating a sensitivity label specifically for this team, the next step is to create the team. If you have an existing team, you can use that.

-To create a team for sensitive information

-1. In Teams, click **Teams** on the left side of the app, then click **Join or create a team** at the bottom of the teams list.

-2. Click **Create team** (first card, top left corner).

-3. Choose **Build a team from scratch**.

-4. In the **Sensitivity** list, keep the default.

-5. Under **Privacy**, click **Private**.

-6. Type a name for the team that is related to your sensitive project. For example, **Project Saturn**.

-7. Click **Create**.

-8. Add users to the team, and then click **Close**.

-## Private channel settings

-We recommend restricting creating private channels to team owners.

-To restrict private channel creation

-1. In the team, click **More options**, and then click **Manage team**.

-2. On the **Settings** tab, expand **Member permissions**.

-3. Clear the **Allow members to create private channels** check box.

-You can also use [teams policies](/MicrosoftTeams/teams-policies) to control who can create private channels.

-## Create a sensitivity label

-To configure a team for security isolation, we'll be using a sensitivity label created specifically for this team. This label is used at the team level to control guest sharing and to block access from unmanaged devices. It can also be used to classify and encrypt individual files in the team so that only team owners and members can open them.

-If you have an internal partner or stakeholder group who should be able to view encrypted documents but not edit them, you can add them to the label with view-only permissions. You can then add these people to the team's SharePoint site with Reader permissions, and they will have read-only access to the site where the documents are kept, but not the team itself.

-To create a sensitivity label

-1. Open the Microsoft Purview compliance portal, and under **Solutions**, select <a href="https://go.microsoft.com/fwlink/p/?linkid=2174015" target="_blank">**Information protection**</a>.

-1. Click **Create a label**.

-1. Give the label a name. We suggest naming it after the team that you'll be using it with.

-1. Add a display name and description, and then click **Next**.

-1. On the **Define the scope for this label page**, select **Files & emails** and **Groups & sites** and click **Next**.

-1. On the **Choose protection settings for files and emails** page, select **Encrypt files and emails**, and then click **Next**.

-1. On the **Encryption** page, choose **Configure encryption settings**.

-1. Click **Add users or groups**, select the team that you created, and then click **Add**

-1. Click **Choose permissions**.

-1. Choose **Co-Author** from the dropdown list, and then click **Save**.

-1. If you want to include users or groups with read-only access to files with the label:

- 1. Click **Assign permissions**.

- 1. Click **Add users or groups**, select the users or groups that you want to add, and then click **Add**.

- 1. Click **Choose permissions**.

- 1. Choose **Viewer** from the dropdown list, and then click **Save**.

-13. Click **Save**, and then click **Next**.

-14. On the *Auto-labeling for files and emails** page, click **Next**.

-15. On the **Define protection settings for groups and sites** page, select **Privacy and external user access settings** and **Device access and external sharing settings** and click **Next**.

-16. On the **Define privacy and external user access settings** page, under **Privacy**, select the **Private** option.

-17. If you want to allow guest access, under **External user access**, select **Let Microsoft 365 Group owners add people outside your organization to the group as guests**.

-18. Click **Next**.

-19. On the **Define external sharing and device access settings** page, select **Control external sharing from labeled SharePoint sites**.

-20. Under **Content can be shared with**, choose **New and existing guests** if you're allowing guest access or **Only people in your organization** if not.

-21. Under **Access from unmanaged devices**, choose **Block access**.

-22. Click **Next**.

-23. On the **Auto-labeling for database columns** page, click **Next**.

-24. Click **Create label**, and then click **Done**.

-Once you've created the label, you need to publish it to the users who will use it. In this case, we'll make the label available only to people in the team.

-To publish a sensitivity label:

-1. In the Microsoft Purview compliance portal, on the <a href="https://go.microsoft.com/fwlink/p/?linkid=2174015" target="_blank">**Information protection** page</a>, choose the **Label policies** tab.

-2. Click **Publish labels**.

-3. On the **Choose sensitivity labels to publish** page, click **Choose sensitivity labels to publish**.

-4. Select the label that you created, and then click **Add**.

-5. Click **Next**.

-6. On the Publish to users and groups page, click **Choose users and groups**.

-7. Click **Add**, and then select the team that you created.

-8. Click **Add**, and then click **Done**.

-9. Click **Next**.

-10. On the Policy settings page, select the **Users must provide justification to remove a label or lower classification label** check box, and then click **Next**.

-11. Type a name for the policy, and then click **Next**.

-12. Click **Submit** and then click **Done**.

-## Apply the label to the team

-Once the label has been published, you must apply it to the team in order for the guest sharing and managed devices settings to take effect. This is done in the SharePoint admin center. Note, it may take some time for the label to become available after it's been published.

-To apply the sensitivity label

-1. Open the SharePoint admin center, and under **Sites**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>.

-1. Select the site that is associated with team.

-1. On the **Policies** tab, under **Sensitivity**, select **Edit**.

-1. Select the label that you created, and then select **Save**.

-## SharePoint settings

-There are three steps to do in SharePoint:

-### SharePoint guest settings

-The guest sharing setting that you chose when you created the label (which only affects team membership) should match the guest sharing settings for the associated SharePoint site as follows:

-|Label setting|SharePoint site setting|

-|:|:-|

-|**Let Office 365 group owners add people outside the organization to the group** selected|**New and existing guests** (default for new teams)|

-|**Let Office 365 group owners add people outside the organization to the group** not selected|**Only people in your organization**|

-We'll also update the default sharing link type to reduce the risk of accidentally sharing files and folders to a wider audience than intended.

-To update site settings

-1. Open the SharePoint admin center, and under **Sites**, select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>

-1. Select the site that is associated with team.

-1. On the **Policies** tab, under **External sharing**, select **Edit**.

-1. If you allowed guest sharing when you created the sensitive label, ensure that **New and existing guests** is selected. If you didn't allow sharing when you created the label, choose **Only people in your organization**.

-1. Under Default sharing link type, clear the **Same as organization-level setting** check box, and select **People with existing access**.

-1. Select **Save**.

-#### Private channels

-If you add private channels to the team, each private channel creates a new SharePoint site with the default sharing settings. These sites are not visible in the SharePoint admin center, so you must use the [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite) PowerShell cmdlet with the following parameters to update the guest sharing settings:

-If you don't plan to use private channels with your team, consider turning off the ability for team members to create them under **Member permissions** in [team settings](https://support.microsoft.com/office/ce053b04-1b8e-4796-baa8-90dc427b3acc).

-### Site sharing settings

-To help ensure that the SharePoint site does not get shared with people who are not members of the team, we limit such sharing to owners. We also limit sharing of files and folders to team owners. This helps ensure that owners are aware whenever a file is shared with someone outside the team.

-To configure owners-only site sharing

-1. In Teams, navigate to the **General** tab of the team you want to update.

-2. In the tool bar for the team, click **Files**.

-3. Click the ellipsis, and then click **Open in SharePoint**.

-4. In the tool bar of the underlying SharePoint site, click the settings icon, and then click **Site permissions**.

-5. In the Site permissions pane, under **Sharing Settings**, click **Change sharing settings**.

-6. Under **Sharing permissions**, choose **Only site owners can share files, folders, and the site**, and then click **Save**.

-### Custom site permissions

-If you added people with Viewer permissions to the sensitivity label, you can add them to the SharePoint site with Read access so they have easy access to the files.

-To add users to the site

-1. In the site, click the settings icon, and then click **Site permissions**.

-2. Click **Invite people**, and then click **Share site only**.

-3. Type the names of the users and groups that you want to invite.

-4. For each person or group that you add, change their permissions from **Edit** to **Read**.

-5. Choose if you want to send them an email with a link to the site.

-6. Click **Add**.

-## Additional protections

-Microsoft 365 offers additional methods for securing your content. Consider if the following options would help improve security for your organization.

-## Drive user adoption for team members

-With the team in place, it's time to drive the adoption of this team and its additional security to team members.

-### Train your users

-Members of the team can access the team and all of its resources, including chats, meetings, and other apps. When working with files from the **Files** section of a channel, members of the team should assign the sensitivity label to the files they create.

-When the label gets applied to the file, it is encrypted. Members of the team can open it and collaborate in real time. If the file leaves the site and gets forwarded to a malicious user, they will have to supply credentials of a user account that is member of the team to open the file and view its contents.

-Train your team members:

-This training should include hands-on exercises so that your team members can experience these capabilities and their results.

-### Conduct periodic reviews of usage and address team member feedback

-In the weeks after training:

-Retrain your users as needed.

-## See also

-[Azure AD Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-configure)

-Microsoft Syntex lets you build simple rules-driven actions in document libraries based on metadata. From a document library, you can create rules to automate tasks such as sending a notification when metadata changes in a file, when a new file is created in the library, or when files are moved or copied based on metadata extracted by Syntex models.

- 

-You'll choose a condition that triggers the rule and the action that the rule will take.

-For example, you can create a rule to move files tagged with a specific customer to a specific library or folder. These rules help you structure your content architecture with the power of AI-driven processing.

-Document libraries can have multiple move and copy rules to support moving and copying files to different destination libraries based on metadata criteria.

-> [!NOTE]

-> This feature is available only for users who are licensed for Syntex.

-## Move or copy a file

-2. On the **Manage rules** page, you can see the rules that have been applied. You can turn on or off a rule or [create a new rule](#move-or-copy-a-file) to automate actions on a specific document library.

-|Unstructured document processing|The number of pages processed for Word, PDF, or TIFF files; the number of sheets for Excel files; the number of slides for PowerPoint files; or the number of files for other file types. You won't be charged for model training. You will be charged for processing whether or not there's a positive classification, or any entities extracted.<br><br>Processing occurs on document upload and on subsequent updates. Processing is counted for each model applied. For example, if you have two models applied to a library and you upload or update a five-page document in that library, the total pages processed is 10.|$0.10/page|

-|Prebuilt document processing|The number of pages processed for PDF or image files. You won't be charged for model training. You will be charged for processing whether or not there's a positive classification, or any entities extracted.<br><br>Processing occurs on document upload and on subsequent updates. Processing is counted for each model applied. For example, if you have two models applied to a library and you upload or update a five-page document in that library, the total pages processed is 10.|$0.01/page|

-### Transferring whiteboard when a user leaves the company

-Learn more about preserving former userΓÇÖs content: [Step 5 - Give another employee access to OneDrive and Outlook data - Microsoft 365 admin | Microsoft Learn](/admin/add-users/remove-former-employee-step-5)

-### Managing moved whiteboards

-Once the .whiteboard file appears in the OneDrive for Business of the new owner, they can open, edit, rename or delete the files.