Updates from: 03/11/2021 04:13:27
Category Microsoft Docs article Related commit history on GitHub Change details
admin Compare Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/compare-groups.md
In the **Groups** section of the Microsoft 365 admin center, you can create and
## Microsoft 365 groups
-Microsoft 365 groups are used for collaboration between users, both inside and outside your company. With each Microsoft 365 group, members get a group email and shared workspace for conversations, files, and calendar events, and a Planner.
+Microsoft 365 groups are used for collaboration between users, both inside and outside your company. With each Microsoft 365 group, members get a group email and shared workspace for conversations, files, and calendar events, Stream and a Planner.
You can add people from outside your organization to a group as long as this has been [enabled by the administrator](manage-guest-access-in-groups.md). You can also allow external senders to send email to the group email address.
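Review bot: In the added sentence the series no longer parses: "conversations, files, and calendar events, Stream and a Planner" places "and" before the third item and then keeps adding items. Suggest "conversations, files, calendar events, Stream, and Planner", and make clear whether Stream is part of the shared workspace or a separate thing members get.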
admin Whats New In Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/whats-new-in-preview.md
WeΓÇÖve revamped the Message center to help you discover relevant messages and a
To learn more about the new features, check out [Manage messages in Message center](manage/manage-messages.md).
+### What's new features
+
+We've made improvements to how you view the "What's new" features for users in the Office apps. You can now see the rich content in the Whats' new pane that your users can see. You can also learn more about the feature before you decide to let your users know about the feature. For more info, check out [Manage which OfficeΓÇÄ features appear in What's New](manage/show-hide-new-features.md).
++ ## Ignite 2020 (August & September) Welcome to Microsoft Ignite - our first online-only Ignite. We hope to see you in one of our sessions: [Microsoft Ignite 2020 Session Catalog](https://myignite.microsoft.com/sessions). Here's just a few of the things we'll be talking about at Ignite.
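Review bot: The added paragraph has a misplaced apostrophe in "the Whats' new pane"; it should read "What's new" to match the heading and the link text. The link text "Manage which Office features appear in What's New" also carries a non-ASCII character directly after "Office"; remove it unless it is intentional. The heading "### What's new features" is hard to read next to the page title, so consider naming the feature explicitly.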
commerce About Registration Numbers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/about-registration-numbers.md
+
+ Title: "About registration numbers and under review notifications"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+search.appverid:
+- MET150
+description: "Learn about registration numbers and under-review notifications when you buy Microsoft products or services."
+
+- okr_SMB
+- AdminSurgePortfolio
+- Commerce
++
+# About registration numbers and under review notifications
+
+This article only applies to commercial customers who buy or activate products or services directly from Microsoft. This article doesnΓÇÖt apply to Volume Licensing, or cloud solution provider (CSP) customers who work directly with a partner.
+
+## What is a registration number?
+
+We use the registration number to review the details of your account. This lets us determine if Microsoft can provide you products and services. See the [Registration numbers by country](#registration-numbers-by-country) section below to find more information about what values to enter into this field.
+
+For countries where the registration number is mandatory, the label above the text box indicates what type of number is required.
+
+<!-- For example, in the following screenshot, the label indicates that a CNPJ registration number is needed.
+ add screenshot-->
+
+For countries where the registration number is optional, you can choose to provide a company legal registration number. DonΓÇÖt enter a personal ID in this field.
+
+<!-- The following screenshot shows an example of when the registration number is optional.
+add screenshot -->
+
+If you donΓÇÖt have a valid registration number, see [Registration numbers by country](#registration-numbers-by-country) for details.
+
+## What should I do if I get an under-review notification?
+
+When you complete a purchase, you might receive a notification that your account is under review. During the review process, you can check the status by browsing to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2084771" target="_blank">Billing accounts</a> page and selecting the account that you used to complete your purchase.
+
+The review process normally takes about one day to complete but can take longer.
+
+<!-- The following screenshot shows the review notification displayed during checkout.
+add screenshot -->
+
+An email notification is also sent to all Global and Billing admins on your account. In some cases, the notification is sent to users who have the Billing Account Owners or Billing Account Contributors role on the account. The notification says that a review is currently in process. A confirmation email notification is sent after the review process is complete.
+
+<!-- The following screenshot shows the notification displayed on the billing account details page.
+add screenshot -->
+
+## Registration numbers by country
+
+The following table contains samples of the registration numbers collected for each country. In cases where multiple IDs are listed, only one is required.
+
+| Country or region | Details | | | | |
+|:--|:--|:--|:--|:--|:--|
+| **Armenia** | INN ΓÇô Tax identification number<br>VAT number ΓÇô Also known as a VAT Registration Number. This is the unique number that identifies a taxable person (business) or non-taxable legal entity that is registered for VAT.<br>Public service number | | | | |
+| **Azerbaijan** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Azerbaijan-TIN.pdf) ΓÇô Tax Identification number<br>INN ΓÇô Tax identification number | | | | |
+| **Belarus** | UNP ΓÇô This is a nine-digit number (numeric for organizations, alphanumeric for individuals) that contains a region identifier, a serial per region, and a check digit. | | | | |
+|**Brazil** | [CNPJ](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Brazil-TIN.pdf) – (Cadastro Nacional da Pessoa Jurídica, or National Registry of Legal Entities). This is an identification number issued to Brazilian companies by the Department of Federal Revenue of Brazil | | | | |
+| **China** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/China-TIN.pdf) ΓÇô Tax Identification number | | | | |
+| **Hungary** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Hungary-TIN.pdf) ΓÇô Tax Identification number | | | | |
+| **India** | Tax ID<br>[PAN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/India-TIN.pdf) ΓÇô (Presence Across Nation) PAN India Involvement means that there is one organization that is operating at several locations in India. | | | | |
+| **Iraq** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/) ΓÇô Tax Identification number | | | | |
+| **Kazakhstan** | BIN ΓÇô Bank identification number<br>IIN ΓÇô Issuer identification number | | | | |
+| **Kyrgyzstan** | INN ΓÇô Tax Identification number | | | | |
+| **Moldova** | IDNO ΓÇô The unique state identification number assigned to the legal entity (also known as. Fiscal code).<br>IDNP ΓÇô Birth personal code (ΓÇ£Numarul de IdentificareΓÇ¥) | | | | |
+| **Myanmar** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/) ΓÇô Tax Identification number | | | | |
+| **Poland** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Poland-TIN.pdf) – Tax Identification number<br>[PESEL](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Poland-TIN.pdf) – The national identification number used in Poland (Polish Powszechny Elektroniczny System Ewidencji Ludności, Universal Electronic System for Registration of the Population) | | | | |
+| **Russia** | [INN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Russia-TIN.pdf) ΓÇô Tax identification number (Russian ΓÇ£Individualiy Nomer NalogoplatelshikaΓÇ¥) | | | | |
+| **Saudi Arabia** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Saudi-Arabia-TIN.pdf) ΓÇô Tax Identification number | | | | |
+| **South Africa** | TRN ΓÇô traffic registration number | | | | |
+| **South Sudan** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/) ΓÇô Tax Identification number | | | | |
+| **Tajikistan** | INN ΓÇô Tax Identification number<br>EIN ΓÇô Employer Identification number<br>KPP ΓÇô This is a code that reflects the reason for the organization registration. | | | | |
+| **Thailand** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/) ΓÇô Tax Identification number | | | | |
+| **Turkey** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Turkey-TIN.pdf) ΓÇô Tax Identification number<br>NIN | | | | |
+| **Ukraine** | EGRPOU<br>EDRPOU ΓÇô Local ID | | | | |
+| **United Arab Emirates** | Tax ID<br>[VAT number](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/UAE-TIN.pdf) - Also known as a VAT Registration Number. This is the unique number that identifies a taxable person (business) or non-taxable legal entity that is registered for VAT. | | | | |
+| **United States** | [EIN](https://irs.ein-forms-gov.com/?keyword=employer%20identification%20number&source=Google&network=o&device=c&devicemodel=&mobile=&adposition%5d&targetid=kwd-81501461534755:loc-190&msclkid=458d3159f6051392f5286e8e75ed79ce) ΓÇô Employer Identification number | | | | |
+| **Uzbekistan** | INN ΓÇô Tax Identification number | | | | |
+| **Vietnam** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/) ΓÇô Tax Identification number | | | | |
+| **Venezuela** | RIF ΓÇô is a Tax number (ΓÇ£Registro de Identificaci├│n FiscalΓÇ¥) | | | | |
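Review bot: In the United States row, the EIN link points to irs.ein-forms-gov.com, not irs.gov, and its query string carries ad-click tracking parameters (source=Google, msclkid=...); replace it with a page on the tax authority's own domain and drop the query string. Several expansions in the table also need checking: India's PAN is given as "Presence Across Nation", although the linked India-TIN document covers the Permanent Account Number, and Kazakhstan's BIN and IIN are expanded as "Bank identification number" and "Issuer identification number", which are payment-card terms, not the business and individual identification numbers. The text says "Don't enter a personal ID in this field", yet the table lists personal identifiers (PESEL for Poland, IDNP for Moldova); remove them or explain when they are acceptable. The OECD links use http:// and every row ends in four empty columns; use https:// and a two-column table.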
compliance Advanced Audit https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/advanced-audit.md
For eligible customers and users that are assigned the appropriate license, ther
**When will the new 10-year audit log retention add-on license be available?**
-The new 10-year audit log retention add-on will be available for purchase by customers with E5 subscriptions in early 2021.
+The new 10-year audit log retention add-on is now available for purchase by customers with E5 subscriptions.
-**What happens to my organization's audit log data if I create 10-year audit log retention policy the feature is released to general availability but before the required add-on license is available in early 2021?**
+**What happens to my organization's audit log data if I created a 10-year audit log retention policy when the feature was released to general availability but before the required add-on license was made available in February 2021?**
-Any audit log data covered by a 10-year audit log retention policy that you create after general availability will be retained for 10 years. When the 10-year audit log retention add-on license is available in early 2021, you will need to purchase add-on licenses for users who's audit data is being retained by an existing 10-year audit retention policy. Also, once the add-on license is available in early 2021, the appropriate licensing will be enforced when you create new 10-year audit log retention policies.
+Any audit log data covered by a 10-year audit log retention policy that you created after general availability will be retained for 10 years. When the 10-year audit log retention add-on license is available in early 2021, you will need to purchase add-on licenses for users who's audit data is being retained by an existing 10-year audit retention policy.
**Are the new events in Advanced Audit available in the Office 365 Management Activity API?**
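Review bot: The rewritten answer still says "When the 10-year audit log retention add-on license is available in early 2021, you will need to purchase add-on licenses", which contradicts the lines above it stating that the add-on "is now available" and "was made available in February 2021". Put that sentence in the present tense, and fix "users who's" to "users whose" while the line is being edited. The removed sentence about licensing being enforced for new 10-year policies has no replacement; if enforcement is now in effect, say so.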
compliance Audit Log Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-retention-policies.md
Advanced Audit in Microsoft 365 provides a default audit log retention policy fo
- You can have a maximum of 50 audit log retention policies in your organization. -- To retain an audit log for longer than 90 days, the user who generated the audit log must be assigned an Office 365 E5 or Microsoft 365 E5 license or have a Microsoft 365 E5 Compliance or E5 eDiscovery and Audit add-on license.
+- To retain an audit log for longer than 90 days (and up to 1 year), the user who generates the audit log (by performing an audited activity) must be assigned an Office 365 E5 or Microsoft 365 E5 license or have a Microsoft 365 E5 Compliance or E5 eDiscovery and Audit add-on license. To retain audit logs for 10 years, the user who generates the audit log must also be assigned a 10-year audit log retention add-on license in addition to an E5 license.
- All custom audit log retention policies (created by your organization) take priority over the default retention policy. For example, if you create an audit log retention policy for Exchange mailbox activity that has a retention period that's shorter than one year, audit records for Exchange mailbox activities will be retained for the shorter duration specified by the custom policy.
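Review bot: The new last sentence of the licensing bullet requires the 10-year add-on "in addition to an E5 license", while the sentence before it accepts an Office 365 E5 or Microsoft 365 E5 license or a Microsoft 365 E5 Compliance or E5 eDiscovery and Audit add-on license. State whether users covered only by one of those add-on licenses can also be assigned the 10-year add-on, for example by repeating the same license list.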
compliance Customer Key Tenant Level https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-tenant-level.md
Using keys you provide, you can create a data encryption policy (DEP) and assign
- Teams chat suggestions by Cortana - Teams status messages - User and signal information for Exchange Online
+- Exchange Online mailboxes that aren't already encrypted Customer Key DEPs at the application level
For Microsoft Teams, Customer Key at the tenant level encrypts new data from the time the DEP is assigned to the tenant. Public preview does not support encrypting past data. For Exchange Online, Customer Key encrypts all existing and new data.
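Review bot: The added bullet is missing a word: "mailboxes that aren't already encrypted Customer Key DEPs at the application level" should read "aren't already encrypted by Customer Key DEPs at the application level". The unchanged sentence after the list, "For Exchange Online, Customer Key encrypts all existing and new data", can now be read as conflicting with this bullet; consider qualifying it the same way.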
You can create multiple DEPs per tenant but can only assign one DEP at any point
If you already have Customer Key set up for Exchange Online and Sharepoint Online, here's how the new tenant-level public preview fits in.
-The tenant-level encryption policy you create encrypts all data for the Microsoft Teams and Exchange Online workloads in Microsoft 365. This policy doesn't interfere with finely tuned DEPs you've already created in Customer Key.
+The tenant-level encryption policy you create encrypts all data for the Microsoft Teams and Exchange Online workloads in Microsoft 365. However, for Exchange Online, if you have already assigned Customer Key DEPs to individual mailboxes, the tenant-level policy won't override those DEPs. The tenant-level policy will only encrypt mailboxes that aren't assigned a mailbox level Customer Key DEP already.
-Examples:
-
-Microsoft Teams files and some Teams call and meeting recordings that are saved in OneDrive for Business and SharePoint are encrypted by a SharePoint Online DEP. A single SharePoint Online DEP encrypts content within a single geo.
-
-For Exchange Online, you can create a DEP that encrypts one or more user mailboxes with Customer Key. When you create a tenant-level policy, that policy will not encrypt the encrypted mailboxes. However, the tenant-level key will encrypt the mailboxes that are not affected by a DEP already.
+For example, Microsoft Teams files and some Teams call and meeting recordings that are saved in OneDrive for Business and SharePoint are encrypted by a SharePoint Online DEP. A single SharePoint Online DEP encrypts content within a single geo.
## Set up Customer Key at the tenant level (public preview)
To verify that an expiration date is not set for your keys, run the [Get-AzKeyVa
Get-AzKeyVaultKey -VaultName <vault name> ```
-An expired key cannot be used by Customer Key and operations attempted with an expired key will fail and possibly result in a service outage. We strongly recommend that keys used with Customer Key do not have an expiration date. An expiration date, once set, cannot be removed, but can be changed to a different date. If a key must be used that has an expiration date set, change the expiration value to 12/31/9999. Keys with an expiration date set to a date other than 12/31/9999 will not pass Microsoft 365 validation.
+An expired key cannot be used by Customer Key and operations attempted with an expired key will fail and possibly result in a service outage. We strongly recommend that keys used with Customer Key do not have an expiration date. An expiration date, once set, cannot be removed, but can be changed to a different date. If a key must be used that has an expiration date set, change the expiration value to 12/31/9999. Keys with an expiration date set to a date other than 12/31/9999 won't pass Microsoft 365 validation.
To change an expiration date that has been set to any value other than 12/31/9999, run the [Update-AzKeyVaultKey](https://docs.microsoft.com/powershell/module/az.keyvault/update-azkeyvaultkey) cmdlet as follows:
You need to be assigned permissions before you can run these cmdlets. Although t
### Create policy ```powershell
- New-M365DataAtRestEncryptionPolicy [-Name] <String> -AzureKeyIDs <MultiValuedProperty> [-Description <String>] [-Enabled <Boolean>]
+ New-M365DataAtRestEncryptionPolicy [-Name] <String> -AzureKeyIDs <MultiValuedProperty> [-Description <String>]
```
-Description: Enable compliance admin to create a new data encryption policy (DEP) using two AKV root keys. Once created, a policy can then be assigned using Set-M365DataAtRestEncryptionPolicy cmdlet. Upon first assignment of keys or after you rotate keys, it can take up to 24 hours for the new keys to take effect. If the new DEP takes more than 24 hours to take effect, contact Microsoft.
+Description: Enable compliance admin to create a new data encryption policy (DEP) using two AKV root keys. Once created, a policy can then be assigned using Set-M365DataAtRestEncryptionPolicyAssignment cmdlet. Upon first assignment of keys or after you rotate keys, it can take up to 24 hours for the new keys to take effect. If the new DEP takes more than 24 hours to take effect, contact Microsoft.
Example:
Parameters:
### Assign policy ```powershell
-Set-M365DataAtRestEncryptionPolicyAssignment -Policy ΓÇ£<Default_PolicyName or Default_PolicyID>ΓÇ¥
+Set-M365DataAtRestEncryptionPolicyAssignment -DataEncryptionPolicy ΓÇ£<Default_PolicyName or Default_PolicyID>ΓÇ¥
``` Description:
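Review bot: The Assign policy syntax line keeps typographic quotation marks around <Default_PolicyName or Default_PolicyID> inside a powershell code block; since the line is being edited anyway, switch to straight double quotes so the command pastes unchanged. In the Create policy syntax, [-Enabled <Boolean>] is removed, so check that the Parameters table for that cmdlet, which is not part of this hunk, no longer lists -Enabled. The description's "Enable compliance admin to create" also needs a fix, for example "Enables a compliance admin to create".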
This cmdlet is used for configuring default Data Encryption Policy. This policy
Example: ```powershell
-Set-M365DataAtRestEncryptionPolicyAssignment -Policy ΓÇ£Tenant default policyΓÇ¥
+Set-M365DataAtRestEncryptionPolicyAssignment -DataEncryptionPolicy ΓÇ£Default_PolicyNameΓÇ¥
``` Parameters: | Name | Description | Optional (Y/N) | |-|-||--Policy|Specifies the data encryption policy that needs to be assigned; specify either the Policy Name or the Policy ID.|N|
+-DataEncryptionPolicy|Specifies the data encryption policy that needs to be assigned; specify either the Policy Name or the Policy ID.|N|
### Modify or Refresh policy ```powershell
-Set-M365DataAtRestEncryptionPolicy [-Identity] < M365DataAtRestEncryptionPolicy DataEncryptionPolicyIdParameter> -Refresh [-Enabled <Boolean>] [-Name <String>] [-Description <String>]
+Set-M365DataAtRestEncryptionPolicy [-Identity] <M365DataAtRestEncryptionPolicy DataEncryptionPolicyIdParameter> -Refresh [-Enabled <Boolean>] [-Name <String>] [-Description <String>]
``` Description:
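Review bot: The added table row starts with "-DataEncryptionPolicy|" and has no leading pipe, unlike the other parameter rows ("|-Identity|", "|-Name|"), so as shown it may not render as a row of the Parameters table; write it as "|-DataEncryptionPolicy|...|N|". The example also changes from a concrete policy name to "Default_PolicyName", which reads as a placeholder without angle brackets; use a sample name or the <...> form from the syntax line, and use straight quotes around it.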
Parameters:
|-Identity|Specifies the data encryption policy that you want to modify.|N| |-Refresh|Use the Refresh switch to update the data encryption policy after you rotate any of the associated keys in the Azure Key Vault. You don't need to specify a value with this switch.|Y| |-Enabled|The Enabled parameter enables or disable the data encryption policy. Before you disable a policy, you must unassign it from your tenant. Valid values are:</br > $true: The policy is enabled</br > $false: The policy is disabled.|Y|
-|-Name|The Name parameter specifies the unique name for the data encryption policy.|Y
+|-Name|The Name parameter specifies the unique name for the data encryption policy.|Y|
|-Description|The Description parameter specifies an optional description for the data encryption policy.|Y| ### Get policy details ```powershell
-Get-M365DataAtRestEncryptionPolicy [-Identity] < M365DataAtRestEncryptionPolicy DataEncryptionPolicyIdParameter>
+Get-M365DataAtRestEncryptionPolicy [-Identity] <M365DataAtRestEncryptionPolicy DataEncryptionPolicyIdParameter>
``` Description: This cmdlet lists all of M365DataAtRest encryption policies that are created for the tenant or details about a specific policy.
compliance Delete An Inactive Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/delete-an-inactive-mailbox.md
f1.keywords:
Previously updated : 9/5/2017 Last updated : audience: Admin
search.appverid:
ms.assetid: f5caf497-5e8d-4b7a-bfff-d02942f38150 - seo-marvel-apr2020
-description: When you no longer need to preserve the contents of an Microsoft 365 inactive mailbox, you can permanently delete the inactive mailbox.
+description: When you no longer need to preserve the contents of a Microsoft 365 inactive mailbox, you can permanently delete the inactive mailbox.
# Delete an inactive mailbox
-An inactive mailbox is used to preserve a former employee's email after he or she leaves your organization. When you no longer need to preserve the contents of an inactive mailbox, you can permanently delete the inactive mailbox by removing the hold. Also, it's possible that multiple holds might be placed on an inactive mailbox. For example, an inactive mailbox might be placed on Litigation Hold and on one or more In-Place Holds. Additionally, a retention policy (created in the security and compliance center in Office 365 or Microsoft 365) might be applied to the inactive mailbox. You have to remove all holds and retention policies from an inactive mailbox to delete it. After you remove the holds and retention policies, the inactive mailbox is marked for deletion and is permanently deleted after it's processed.
+An inactive mailbox is used to preserve a former employee's email after they leave your organization. When you no longer need to preserve the contents of an inactive mailbox, you can permanently delete the inactive mailbox by removing the hold. Also, it's possible that multiple holds might be placed on an inactive mailbox. For example, an inactive mailbox might be placed on Litigation Hold and on one or more In-Place Holds. Additionally, a retention policy (created in the security and compliance center in Office 365 or Microsoft 365) might be applied to the inactive mailbox. You have to remove all holds and retention policies from an inactive mailbox to delete it. After you remove the holds and retention policies, the inactive mailbox is marked for deletion and is permanently deleted after it's processed.
> [!IMPORTANT] > As we continue to invest in different ways to preserve mailbox content, we're announcing the retirement of In-Place Holds in the Exchange admin center. That means you should use Litigation Holds and retention policies to create an inactive mailbox. Starting July 1, 2020 you won't be able to create new In-Place Holds in Exchange Online. But you'll still be able to change the hold duration of an In-Place Hold placed on an inactive mailbox. However, starting October 1, 2020, you won't be able to change the hold duration. You'll only be able to delete an inactive mailbox by removing the In-Place Hold. Existing inactive mailboxes that are on In-Place Hold will still be preserved until the hold is removed. For more information about the retirement of In-Place Holds, see [Retirement of legacy eDiscovery tools](legacy-ediscovery-retirement.md).
See the [More information](#more-information) section for a description of what
- You can copy the contents of an inactive mailbox to another mailbox before you remove the hold and delete an inactive mailbox. For details, see [Restore an inactive mailbox in Office 365](restore-an-inactive-mailbox.md). -- If you remove the hold or retention policy from an inactive mailbox and the soft-deleted mailbox retention period for the mailbox has expired, the mailbox will be permanently deleted. After it's deleted, it can't be recovered. Before you remove the hold, be sure that you no longer need the contents in the mailbox. If you want to re-activate an inactive mailbox, you can recover it. For details, see [Recover an inactive mailbox in Office 365](recover-an-inactive-mailbox.md).
+- If you remove the hold or retention policy from an inactive mailbox and the soft-deleted mailbox retention period for the mailbox has expired, the mailbox will be permanently deleted. After it's deleted, it can't be recovered. Before you remove the hold, be sure that you no longer need the contents in the mailbox. If you want to reactivate an inactive mailbox, you can recover it. For details, see [Recover an inactive mailbox in Office 365](recover-an-inactive-mailbox.md).
- For more information about inactive mailboxes, see [Inactive mailboxes in Office 365](inactive-mailboxes-in-office-365.md).
For more information identifying specific location retention policies applied to
There are two ways to remove an In-Place Hold from an inactive mailbox: -- **Delete the In-Place Hold object** If the inactive mailbox that you want to permanently delete is the only source mailbox for an In-Place Hold, you can just delete the In-Place Hold object.
+- **Delete the In-Place Hold object**. If the inactive mailbox that you want to permanently delete is the only source mailbox for an In-Place Hold, you can just delete the In-Place Hold object.
> [!NOTE] > You have to disable the hold before you can delete an In-Place Hold object. If you try to delete an In-Place Hold object that has the hold enabled, you'll receive an error message. -- **Remove the inactive mailbox as a source mailbox of an In-Place Hold** If you want to retain other source mailboxes for an In-Place Hold, you can remove the inactive mailbox from the list of source mailboxes and keep the In-Place Hold object.
+- **Remove the inactive mailbox as a source mailbox of an In-Place Hold**. If you want to retain other source mailboxes for an In-Place Hold, you can remove the inactive mailbox from the list of source mailboxes and keep the In-Place Hold object.
#### Delete an In-Place Hold
If the In-Place Hold contains a large number of source mailboxes, it's possible
- **Is an inactive mailbox permanently deleted immediately after the hold is removed?** If the soft-deleted date for an inactive mailbox is older than 30 days, the mailbox won't be permanently deleted as soon as you remove the hold. The mailbox will be marked for permanent deletion and is deleted the next time it's processed. -- **How does the soft-deleted mailbox retention period affect inactive mailboxes?** If the soft-deleted date for an inactive mailbox is more than 30 days before the date the hold was removed, the mailbox is marked for permanent deletion. But if an inactive mailbox has a soft-deleted date within the last 30 days and you remove the hold, you can recover the mailbox up until the soft-deleted mailbox retention period expires. For details, see [Delete or restore user mailboxes in Exchange Online](https://docs.microsoft.com/exchange/recipients-in-exchange-online/delete-or-restore-mailboxes). After the soft-deleted mailbox retention period expires, you have follow the procedures for recovering an inactive mailbox. For details, see [Recover an inactive mailbox in Office 365](recover-an-inactive-mailbox.md).
+- **How does the soft-deleted mailbox retention period affect inactive mailboxes?** If the soft-deleted date for an inactive mailbox is more than 30 days before the date the hold was removed, the mailbox is marked for permanent deletion. But if an inactive mailbox has a soft-deleted date within the last 30 days and you remove the hold, you can recover the mailbox up until the soft-deleted mailbox retention period expires. For details, see [Delete or restore user mailboxes in Exchange Online](https://docs.microsoft.com/exchange/recipients-in-exchange-online/delete-or-restore-mailboxes). After the soft-deleted mailbox retention period expires, you have to follow the procedures for recovering an inactive mailbox. For details, see [Recover an inactive mailbox in Office 365](recover-an-inactive-mailbox.md).
- **How do you display information about an inactive mailbox after the hold is removed?** After a hold is removed and the inactive mailbox is reverted back to a soft-deleted mailbox, it won't be returned by using the *InactiveMailboxOnly* parameter with the **Get-Mailbox** cmdlet. But you can display information about the mailbox by using the **Get-Mailbox -SoftDeletedMailbox** command. For example:
compliance Exchange Online Uses Tls To Secure Email Connections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/exchange-online-uses-tls-to-secure-email-connections.md
If you want to encrypt the message you need to use an encryption technology that
We recommend using TLS in situations where you want to set up a secure channel of correspondence between Microsoft and your on-premises organization or another organization, such as a partner. Exchange Online always attempts to use TLS first to secure your email but cannot always do this if the other party does not offer TLS security. Keep reading to find out how you can secure all mail to your on-premises servers or important partners by using *connectors*.
-To provide the best-in-class encryption to our customers, Microsoft has deprecated Transport Layer Security (TLS) versions 1.0 and 1.1 in [Office 365](tls-1.0-and-1.1-deprecation-for-office-365.md) and [Office 365 GCC](tls-1-2-in-office-365-gcc.md). However, you can continue to use an unencrypted SMPT connection without any TLS. We don't recommend email transmission without any encryption.
+To provide the best-in-class encryption to our customers, Microsoft has deprecated Transport Layer Security (TLS) versions 1.0 and 1.1 in [Office 365](tls-1.0-and-1.1-deprecation-for-office-365.md) and [Office 365 GCC](tls-1-2-in-office-365-gcc.md). However, you can continue to use an unencrypted SMTP connection without any TLS. We don't recommend email transmission without any encryption.
## How Exchange Online uses TLS between Exchange Online customers
compliance Limits For Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/limits-for-content-search.md
The following table lists the search limits when using the content search tool i
|:--|:--| |The maximum number of mailboxes or sites that can be searched in a single search <br/> |No limit <sup>1</sup> <br/> | |The maximum number of searches that can run at the same time in your organization. <br/> |30 <br/> |
+|The maximum number of organization-wide searches that can be run at the same time. <br/> |3 <br/> |
|The maximum number of searches that a single user can start at the same time. This limit is most likely hit when the user tries to start multiple searches by using the **Get-ComplianceSearch \| Start-ComplianceSearch** command in Security & Compliance Center PowerShell. <br/> |10 <br/> | |The maximum number of items per user mailbox that are displayed on the preview page when previewing Content Search results. <br/> |100 <br/> | |The maximum number of items found in all user mailboxes that are displayed on the preview page when previewing search results. The newest items are displayed. <br/> |1,000 <br/> |
The following table lists the search limits when using the content search tool i
> [!NOTE] > <sup>1</sup> Although you can search an unlimited number of mailboxes in a single search, you can only download the exported search results from a maximum of 100,000 mailboxes using the eDiscovery Export Tool in the Microsoft 365 compliance center. To download the search results from more than 100,000 mailboxes, you have to use Security & Compliance Center PowerShell. For more information and a sample script, see [Exporting results from more than 100,000 mailboxes](export-search-results.md#exporting-results-from-more-than-100000-mailboxes). <br/><br/> <sup>2</sup> When searching SharePoint and OneDrive for Business locations, the characters in the URLs of the sites being searched are counted against this limit. <br/><br/> <sup>3</sup> For non-phrase queries (a keyword value that doesn't use double quotation marks) we use a special prefix index. This tells us that a word occurs in a document, but not where it occurs in the document. To do a phrase query (a keyword value with double quotation marks), we need to compare the position within the document for the words in the phrase. This means that we can't use the prefix index for phrase queries. In this case, we internally expand the query with all possible words that the prefix expands to; for example, `"time*"` can expand to `"time OR timer OR times OR timex OR timeboxed OR …"`. 10,000 is the maximum number of variants the word can expand to, not the number of documents matching the query. There is no upper limit for non-phrase terms.
+## Search times
+Microsoft collects performance information for searches run by all organizations. While the complexity of the search query can impact search times, the biggest factor that affects how long searches take is the number of mailboxes searched. Although Microsoft doesn't provide a Service Level Agreement for search times, the following table lists average search times for collection searches based on the number of mailboxes included in the search.
+
+|Number of mailboxes|Average search time|
+|:--|:--|
+|100|30 seconds|
+|1,000|45 seconds|
+|10,000|4 minutes|
+|25,000|10 minutes|
+|50,000|20 minutes|
+|100,000|25 minutes|
+|||
+ ## Export limits The following table lists the limits when exporting the results of a content search. These limits also apply when you export content from a Core eDiscovery case.
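Review bot: The opening paragraph of the new section speaks of "collection searches", a term that appears nowhere else in the visible text, which otherwise says "content search"; use one term or define the new one. The averages are also given without the period or the kind of query they were measured on, although the same paragraph says query complexity affects search times, so a clause on what the figures are based on would let readers judge how far they apply to their own searches.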
compliance Office 365 Encryption In The Microsoft Cloud Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/office-365-encryption-in-the-microsoft-cloud-overview.md
Microsoft provides service-side technologies that encrypt customer data at rest
In addition to the baseline level of cryptographic security provided by Microsoft, our cloud services also include additional cryptography options that you can manage. For example, you can enable encryption for traffic between their Azure virtual machines (VMs) and their users. With [Azure Virtual Networks](https://azure.microsoft.com/services/virtual-network/), you can use the industry-standard IPsec protocol to encrypt traffic between your corporate VPN gateway and Azure as well as between the VMs located on your Virtual Network. In addition, In addition, [new Office 365 Message Encryption capabilities](set-up-new-message-encryption-capabilities.md) allow you to send encrypted mail to anyone.
-In accordance with the Public Key Infrastructure Operational Security Standard, which is a component of the [Microsoft Security Policy](https://servicetrust.microsoft.com/ViewPage/TrustDocuments?command=Download&downloadType=Document&downloadId=5868ecc8-50b7-4f91-b43f-640e2b99e86e&docTab=6d000410-c9e9-11e7-9a91-892aae8839ad_FAQ%20and%20White%20Papers), Microsoft leverages the cryptographic capabilities included in the Windows operating system for certificates and authentication mechanisms, which includes the use of cryptographic modules that meet the U.S. government's [Federal Information Processing Standards](https://csrc.nist.gov/publications/PubsFIPS.html) (FIPS) 140-2 standard. (Relevant NIST certificate numbers for Microsoft can be found at https://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm.)
+In accordance with the Public Key Infrastructure Operational Security Standard, which is a component of the [Microsoft Security Policy](https://servicetrust.microsoft.com/ViewPage/TrustDocuments?command=Download&downloadType=Document&downloadId=5868ecc8-50b7-4f91-b43f-640e2b99e86e&docTab=6d000410-c9e9-11e7-9a91-892aae8839ad_FAQ%20and%20White%20Papers), Microsoft leverages the cryptographic capabilities included in the Windows operating system for certificates and authentication mechanisms, which includes the use of cryptographic modules that meet the U.S. government's [Federal Information Processing Standards](https://csrc.nist.gov/publications/PubsFIPS.html) (FIPS) 140-2 standard. You can search for the relevant NIST certificate numbers for Microsoft using the [Cryptographic Module Validation Program CMVP](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search).
> [NOTE] > To access the Microsoft Security Policy as a resource, you must sign in using your work or school account. If you don't have a subscription yet, [you can sign up for a free trial](https://servicetrust.microsoft.com/Home/TrialSubscriptions).
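Review bot: The replacement sentence sends readers to the CMVP search page to find "the relevant NIST certificate numbers for Microsoft" but does not say what to search for, whereas the removed sentence pointed at a single page (`1401vend.htm`). Suggest naming the search field and value to use, and writing the link text as "Cryptographic Module Validation Program (CMVP)". In the surrounding context, "In addition, In addition," is duplicated, "traffic between their Azure virtual machines (VMs) and their users" should read "your", and the alert is written `> [NOTE]` where another article on this page uses `> [!NOTE]`.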
compliance Partially Indexed Items In Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/partially-indexed-items-in-content-search.md
Your organization might be required to identify and perform additional analysis
Keep the following in mind about partially indexed items: -- When you run an eDiscovery search, the total number and size of partially indexed Exchange items (returned by the search query) are displayed in search statistics in the details pane, and labeled as **Indexed items**. Statistics about partially indexed items displayed in the details pane don't include partially indexed items in SharePoint or OneDrive.
+- When you run an eDiscovery search, the total number and size of partially indexed Exchange items (returned by the search query) are displayed in the search statistics on the flyout page, and labeled as **unindexed items**. Statistics about partially indexed items displayed on the flyout page don't include partially indexed items in SharePoint or OneDrive.
- If the search that you're exporting results from was a search of specific content locations or all content locations in your organization, only the unindexed items from content locations that contain items that match the search criteria will be exported. In other words, if no search results are found in a mailbox or site, then any unindexed items in that mailbox or site won't be exported. The reason for this is that exporting partially indexed items from lots of locations in the organization might increase the likelihood of export errors and increase the time it takes to export and download the search results.
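Review bot: The revised bullet says partially indexed items are "labeled as **unindexed items**", and the following bullet then switches between "unindexed items" and "partially indexed items" without saying they are the same thing. Suggest one sentence stating that the interface label "unindexed items" refers to partially indexed items, and confirming the label's wording and capitalization against the UI, since the removed text gave it as **Indexed items**.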
compliance Retention Policies Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-teams.md
You can use a retention policy to retain and delete data from chats and channel
These mailboxes are, listed by their RecipientTypeDetails attribute: -- **UserMailbox**: These mailboxes store messages for Teams users who have an Exchange Online mailbox.-- **MailUser**: These mailboxes store messages for Teams users who have a mailbox for an on-premises Exchange server and not Exchange Online.
+- **MailUser**: These mailboxes store messages for cloud-based Teams users.
+- **UserMailbox**: These mailboxes store messages for [on-premises Teams users](search-cloud-based-mailboxes-for-on-premises-users.md).
- **GroupMailbox**: These mailboxes store messages for Teams channels. Other mailbox types, such as RoomMailbox that is used for Teams conference rooms, are not supported for Teams retention policies.
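Review bot: The two added bullets assign the recipient types the opposite way round from the removed ones: **MailUser** was the type for users with an on-premises Exchange mailbox and is now "cloud-based Teams users", while **UserMailbox** was for users with an Exchange Online mailbox and is now "on-premises Teams users". Please confirm against the service that the reversal is intended and not a swap introduced while reordering the list, because administrators read this mapping to judge which users' messages a Teams retention policy covers. If it is intended, keep the precision of the removed wording (which mailbox the user has, Exchange Online or on-premises) instead of only "cloud-based" and "on-premises".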
contentunderstanding Difference Between Document Understanding And Form Processing Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/difference-between-document-understanding-and-form-processing-model.md
Use the following table to understand when to use forms processing and when to u
| Feature | Forms processing | Document understanding | | - | - | - |
-| Model Type - when to use each | Used for semi-structured file formats ΓÇô for example, Office documents where there are differences in the layout, but still similar information to be extracted. | Used for unstructured file formats, for example PDFs for forms content such as invoices or purchase orders where the layout and formatting is similar. |
-| Model creation | Model created in AI builder with seamless access from SharePoint document library.| Model created in native interface built into SharePoint Content Center.|
-| Classification type| Settable classifier where machine teaching is used to give clues to the system on what data to extract.| Trainable classifier with optional extractors using machine teaching to assign document location on what data to extract.|
-| Locations | Restricted to a single Document Library unless you use Power Platform to retrieve from CDS.| Can be applied to multiple libraries.|
+| Model Type - when to use each | Used for semi-structured file formats, for example PDFs for forms content such as invoices or purchase orders where the layout and formatting is similar. | Used for semi-structured file formats ΓÇô for example, Office documents where there are differences in the layout, but still similar information to be extracted. |
+| Model creation | Model created in AI builder with seamless access from SharePoint document library.| Model created in SharePoint in a new site, the content center. |
+| Classification type| Settable classifier is used to give clues to the system on what data to extract.| Trainable classifier with optional extractors using machine teaching to assign document location on what data to extract.|
+| Locations | Trained for a single document library.| Can be applied to multiple libraries.|
| Supported file types| Train on PDF, JPG, PNG format, total 50 MB and 500 pages.| Train on 5-10 PDF, Office, or email files, including negative examples.<br>Office files are truncated at 64k characters. OCR-scanned files are limited to 20 pages.|
-| Integrate with Managed Metadata | No | Yes, through setting on Document Library columns prior to training model.|
-| Compliance feature integration when Microsoft Information Protection is enabled | Set Retention labels.<br>Set Sensitivity labels is coming. | Set Retention labels.<br>Set Sensitivity labels is coming. |
+| Integrate with Managed Metadata | No | Yes, by training entity extractor referencing a configured managed metadata field.|
+| Compliance feature integration when Microsoft Information Protection is enabled | Set published Retention labels.<br>Set Sensitivity labels is coming. | Set published Retention labels.<br>Set Sensitivity labels is coming. |
| Supported regions| Form processing relies on Power Platform. For information about global availability for Power Platform and AI Builder, see [Power Platform availability](https://dynamics.microsoft.com/geographic-availability/). | Available in all regions.|
-| Transactional cost | Uses AI Builder credits.<br>Credits can be purchased in batches of 1M.<br>1M credits are included when 300+ SharePoint Syntex licenses are purchased.<br>1M credits will allow processing of 2000 file pages.| N/A |
-| Capacity | Provisioned against the default common data service environment.| No capacity restrictions.|
-| Supported languages| English <br>Coming later in 2021: Spanish, German, French, Italian| Models work on all latin alphabet languages. In addition to English: German, Swedish, French, Spanish, Italian, and Portuguese.|
+| Transactional cost | Uses AI Builder credits.<br>Credits can be purchased in batches of 1M.<br>1M credits are included when 300+ SharePoint Syntex licenses are purchased.<br>1M credits will allow processing of 2000 file pages.<br>| N/A |
+| Capacity | Uses the default Power Platform environment (custom environments with Dataverse database supported). | Does not have capacity restrictions.|
+| Supported languages| English <br>Coming later in 2021: Latin alphabet languages | Models work on all latin alphabet languages. In addition to English: German, Swedish, French, Spanish, Italian, and Portuguese.|
## See Also [Training: Improve business performance with AI Builder](https://docs.microsoft.com/learn/paths/improve-business-performance-ai-builder/?source=learn)
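Review bot: In the "Model Type - when to use each" row, both cells now begin "Used for semi-structured file formats", so the row no longer states a difference between the two models; the removed row contrasted semi-structured with unstructured. The examples were swapped between the columns but the category word was not carried along with them. Suggest giving each column its own category again so the row answers the question in its label. Minor: the "Transactional cost" cell gains a trailing `<br>` before the cell separator, and "latin alphabet" should be capitalized consistently with the added "Latin alphabet languages" in the same row.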
enterprise Additional Office365 Ip Addresses And Urls https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/additional-office365-ip-addresses-and-urls.md
Apart from DNS, these are all optional for most customers unless you need the sp
| 6 | Mailbox Migration. When mailbox migration is initiated from on-premises [Exchange Hybrid](https://docs.microsoft.com/exchange/exchange-deployment-assistant) to Office 365, Office 365 will connect to your published Exchange Web Services (EWS)/Mailbox Replication Services (MRS) server. If you need the NAT IP addresses used by Exchange Online servers to restrict inbound connections from specific source IP ranges, they are listed in [Office 365 URL & IP ranges](urls-and-ip-address-ranges.md) under the "Exchange Online" service area. Care should be taken to ensure that access to published EWS endpoints like OWA is not impacted by ensuring the MRS proxy resolves to a separate FQDN and public IP address before restricting TCP 443 connections from specific source IP ranges. | Customer on-premises EWS/MRS Proxy<br> TCP port 443 | Inbound server traffic | | 7 | [Exchange Hybrid](https://docs.microsoft.com/exchange/exchange-deployment-assistant) co-existence functions such as Free/Busy sharing. | Customer on-premises Exchange server | Inbound server traffic | | 8 | [Exchange Hybrid](https://docs.microsoft.com/exchange/exchange-deployment-assistant) proxy authentication | Customer on-premises STS | Inbound server traffic |
-| 9 | Used to configure [Exchange Hybrid](https://docs.microsoft.com/exchange/exchange-deployment-assistant), using the [Exchange Hybrid Configuration Wizard](https://docs.microsoft.com/exchange/hybrid-configuration-wizard) <br> Note: These endpoints are only required to configure Exchange hybrid | domains.live.com on TCP ports 80 & 443, only required for Exchange 2010 SP3 Hybrid Configuration Wizard<BR> <BR> GCC High, DoD IP addresses: 40.118.209.192/32; 168.62.190.41/32 <BR> <BR> Worldwide Commercial & GCC: *.store.core.windows.net; asl.configure.office.com; mshrcstorageprod.blob.core.windows.net; tds.configure.office.com; mshybridservice.trafficmanager.net <BR> | Outbound server only traffic |
+| 9 | Used to configure [Exchange Hybrid](https://docs.microsoft.com/exchange/exchange-deployment-assistant), using the [Exchange Hybrid Configuration Wizard](https://docs.microsoft.com/exchange/hybrid-configuration-wizard) <br> Note: These endpoints are only required to configure Exchange hybrid | domains.live.com on TCP ports 80 & 443, only required for Exchange 2010 SP3 Hybrid Configuration Wizard<BR> <BR> GCC High, DoD IP addresses: 40.118.209.192/32; 168.62.190.41/32 <BR> <BR> Worldwide Commercial & GCC: *.store.core.windows.net; asl.configure.office.com; tds.configure.office.com; mshybridservice.trafficmanager.net ; <BR> aka.ms/hybridwizard; <BR> shcwreleaseprod.blob.core.windows.net/shcw/\*;<BR> | Outbound server only traffic |
| 10 | The AutoDetect service is used in [Exchange Hybrid](https://docs.microsoft.com/exchange/exchange-deployment-assistant) scenarios with [Hybrid Modern Authentication with Outlook for iOS and Android](https://docs.microsoft.com/Exchange/clients/outlook-for-ios-and-android/use-hybrid-modern-auth) <BR> <BR> ```*.acompli.net``` <BR> <BR> ```*.outlookmobile.com``` <BR> <BR> ```*.outlookmobile.us``` <BR> <BR> ```52.125.128.0/20``` <BR> ```52.127.96.0/23``` <BR> | Customer on-premises Exchange server on TCP 443 | Inbound server traffic | | 11 | Exchange hybrid Azure AD authentication | *.msappproxy.net | TCP outbound server only traffic | | 12 | Skype for Business in Office 2016 includes video based screen sharing which uses UDP ports. Prior Skype for Business clients in Office 2013 and earlier used RDP over TCP port 443. | TCP port 443 open to 52.112.0.0/14 | Skype for Business older client versions in Office 2013 and earlier |
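Review bot: The added entries in row 9 mix forms: `aka.ms/hybridwizard` is a short link that redirects elsewhere, and `shcwreleaseprod.blob.core.windows.net/shcw/\*` carries a URL path, while the other entries in the cell are host names. A firewall or proxy that filters on host name cannot express the path, and allowing the short link alone does not cover its redirect target. Suggest listing the host names to allow, stating the port as is done for `domains.live.com`, and saying whether the removed `mshrcstorageprod.blob.core.windows.net` can now be dropped from existing rules. Minor: there is a stray space before the semicolon after `mshybridservice.trafficmanager.net` and a trailing `;<BR>` at the end of the cell.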
enterprise Ms Cloud Germany Transition Add Adfs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-adfs.md
description: "Summary: Active Directory Federation Services (AD FS) migration st
# AD FS migration steps for the migration from Microsoft Cloud Deutschland
-To migrate your Active Directory Federation Services (AD FS) farm from Microsoft Cloud Deutschland:
+This configuration change can be applied at any time before phase 4 is starting.
+Once phase 2 is completed the configuration change will work and you are able to sign in to Office 365 Global endpoints such as `https://portal.office.com`. If you are implementing the configuration change before phase 2, the Office 365 Global endpoints will _not yet work_ but the new relying party trust is still part of your Active Directory Federation Services (AD FS) configuration.
+
+To migrate your AD FS farm from Microsoft Cloud Deutschland:
1. Back up your AD FS settings including FF trust info with [these steps](#backup). Name the backup **Microsoft Cloud Deutschland_Only** to indicate it only has the Microsoft Cloud Deutschland tenant info. 2. Test the restore using the Microsoft Cloud Deutschland_Only backup, The AD FS farm should continue to operate as Microsoft Cloud Deutschland only.
-3. Create a new Relying Party trust from **AD FS > Office 365 services**.
-4. In **Relying Party Trusts** in the AD FS management console, select **Add Relying Party Trust**.
-5. Select **Next** on the **Welcome** page of the Add Relying Party Trust wizard.
-6. On the **Select Data Source** page, select **Import data about the relying party published online or on a local network**. The **Federation metadata address (host name or URL)** value is set to `https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml`. Click **Next**.
-7. On the **Select Data Source** page, type the display name. Microsoft recommends **Microsoft Office 365 Identity Platform WorldWide**. Click **Next**.
-8. Click **Next** on the **Configure Multi-factor Authentication Now?**, **Choose Issuance Authorization Rules**, and **Ready to Add Trust** pages.
-9. Click **Close** on the **Finish** page.
-By closing the wizard, the Relying Party Trust to the Office 365 services eSTS is established. However, no Issuance Transform rules are established.
+Once you have completed and tested the AD FS backup, perform the following steps to add a new relying party trust to your ADFS configuration:
-You can use [AD FS Help](https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator) to generate the correct Issuance Transform rules. The generated claim rules created with AD FS Help can either be manually added through the AD FS management console or with PowerShell. AD FS Help will generate the necessary PowerShell scripts that need to be run.
+1. Open the AD FS management console
+2. In the left pane of the ADFS management console, expand **ADFS**, then **Trust Relationships**, then **Relying Party Trusts**
+3. In the right pane, select **Add Relying Party Trust...**
+4. Select **Next** on the **Welcome** page of the Add Relying Party Trust wizard.
+5. On the **Select Data Source** page, select **Import data about the relying party published online or on a local network**. The **Federation metadata address (host name or URL)** value must be set to `https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml`. Then, click **Next**.
+6. On the **Select Data Source** page, type the display name such as **Microsoft Office 365 Identity Platform WorldWide**. Then, click **Next**.
+7. On the wizard page **Configure Multi-factor Authentication Now?**, select the appropriate choice according to your authentication requirements. If you stick with the default, select **I don't want to configure multi-factor authentication settings for this relying party trust at this time**. You can change this setting later if you want to.
+8. On the **Choose Issuance Authorization Rules**, keep **Permit all users to access this relying party** selected click **Next**
+9. Click **Next** on the **Ready to Add Trust** page to complete the wizard.
+10. Click **Close** on the **Finish** page.
-1. Run **Generate Claims** on AD FS help and copy the PowerShell claims transformation script using the **Copy** option on the right upper corner of the script.
-2. Paste the generated PowerShell into the following:
+By closing the wizard, the Relying Party Trust with the Office 365 Global services is established. However, no Issuance Transform rules are configured yet.
- ```powershell
- $RuleSet = New-AdfsClaimRuleSet -ClaimRule "<AD FS Help generated PSH>"
- Set-AdfsRelyingPartyTrust -TargetName ΓÇ£Microsoft Office 365 Identity Platform WorldWideΓÇ¥ -IssuanceTransformRules $RuleSet.ClaimRulesString;
- ```
-3. Execute the completed script.
-4. Verify that two Relying Party trusts are present; one for worldwide and one for BF.
-5. Backup your trusts using [these steps](#backup). Save it with the name **FFAndWorldwide**.
-6. Complete your backend migration and verify that AD FS still works during migration process.
+You can use [AD FS Help](https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator) to generate the correct Issuance Transform rules. The generated claim rules created with AD FS Help can either be manually added through the AD FS management console or with PowerShell. AD FS Help will generate the necessary PowerShell scripts that need to be executed.
+
+<!--
+ Question from ckinder
+ is step #3 true?
+ how to verify step 5? Need more information!
+-->
+1. Run **Generate Claims** on AD FS help and copy the PowerShell claims transformation script using the **Copy** option on the right upper corner of the script.
+2. Open your preferred text editor and paste the PowerShell script into a new text window.
+3. Add the following PowerShell lines to the end of the pasted script from step 2
+ ```powershell
+ $authzRules = "=>issue(Type = `"http://schemas.microsoft.com/authorization/claims/permit`", Value = `"true`"); "
+ $RuleSet = New-AdfsClaimRuleSet -ClaimRule "<AD FS Help generated PSH>"
+ Set-AdfsRelyingPartyTrust -TargetName ΓÇ£Microsoft Office 365 Identity Platform WorldWideΓÇ¥ -IssuanceTransformRules $RuleSet.ClaimRulesString -IssuanceAuthorizationRules $authzRules
+ ```
+4. Safe and execute the PowerShell script.
+5. Verify that two Relying Party trusts are present; one for the Microsoft Cloud Deutschland and one for the Office 365 Global service.
+6. Backup your trusts using [these steps](#backup). Save it with the name **FFAndWorldwide**.
+7. Complete your backend migration and verify that AD FS still works during the migration process.
## AD FS Disaster Recovery (WID Database)
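Review bot: Step 3 of the second procedure is committed together with an open question about it in the HTML comment above the list ("is step #3 true?", "how to verify step 5?"), and the snippet bears the doubt out: it is to be appended to the script pasted in step 2, yet it still contains the placeholder `"<AD FS Help generated PSH>"`, so it is unclear whether the generated script replaces the placeholder or runs before these lines. Resolve the question and remove the comment before publishing, and add to step 5 how to confirm that both trusts are present. `$authzRules` permits every user, matching the choice in wizard step 8; say so, so that readers with stricter issuance authorization rules know to substitute their own. The `-TargetName` value is wrapped in typographic quotation marks; use straight ones. Minor: step 4 "Safe" should be "Save"; wizard steps 5 and 6 both name the **Select Data Source** page; wizard step 8 lacks "and" before "click **Next**"; "before phase 4 is starting" should be "before phase 4 starts"; "AD FS" and "ADFS" are mixed.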
To restore the AD FS farm in a disaster [AD FS Rapid Restore Tool](https://docs.
1. Install the AD FS Rapid Restore Tool on the primary AD FS server. 2. Import the module in a PowerShell session with this command.-
- ```powershell
- Import-Module "C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll"
- ```
+ ```powershell
+ Import-Module "C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll"
+ ```
3. Run the backup command:-
- ```powershell
- Backup-ADFS -StorageType "FileSystem" -storagePath "<Storage path of backup>" -EncryptionPassword "<password>" -BackupComment "Restore Doku" -BackupDKM
- ```
-
-4. Store the backup safely on a desired destination.
+ ```powershell
+ Backup-ADFS -StorageType "FileSystem" -storagePath "<Storage path of backup>" -EncryptionPassword "<password>" -BackupComment "Restore Doku" -BackupDKM
+ ```
+4. Store the backup safely on a desired destination.
### Restore an AD FS Farm
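Review bot: Step 4 ("Store the backup safely on a desired destination") understates what is being stored: with `-BackupDKM` the backup includes the farm's DKM key material, so the step should say that access to the backup must be restricted and that the encryption password is kept separately from it. In step 3, `-EncryptionPassword "<password>"` typed as a literal lands in the PowerShell command history; suggest a sentence advising against typing the real password inline. Minor: "Run the backup command:-" and the preceding step end in a stray hyphen, and "Restore Doku" as the sample comment reads as a leftover.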
If your farm failed completely and there is no way to return to the old farm, do
1. Move the previously generated and stored backup to the new primary AD FS server. 2. Run the following `Restore-ADFS` PowerShell command. If necessary, import the AD FS SSL certificate beforehand.
- ```powershell
- Restore-ADFS -StorageType "FileSystem" -StoragePath "<Path to Backup>" -DecryptionPassword "<password>" -GroupServiceAccountIdentifier "<gMSA>" -DBConnectionString "WID" -RestoreDKM
- ```
+ ```powershell
+ Restore-ADFS -StorageType "FileSystem" -StoragePath "<Path to Backup>" -DecryptionPassword "<password>" -GroupServiceAccountIdentifier "<gMSA>" -DBConnectionString "WID" -RestoreDKM
+ ```
3. Point your new DNS records or load balancer to the new AD FS servers.
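Review bot: Step 3 switches DNS or the load balancer to the restored servers without a step that checks the restored farm first. Suggest inserting a verification step before it, for example confirming that the relying party trusts from the backup are present and that a test sign-in succeeds. Step 2 says to import the AD FS SSL certificate "if necessary" without saying when that is the case, and the value for `-DecryptionPassword` is best not typed as a literal on the command line, where it ends up in the command history.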
enterprise Ms Cloud Germany Transition Add Experience https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-experience.md
Between Phase 2 of 9 and Phase 3 of 9, Partner Portal may not be accessible. Dur
| Step(s) | Description | Impact | |:-|:-|:-|
-| From the beinning of phase 4 until phase 9 is completed, eDiscovery searches will fail or return 0 results for SharePoint Online, OneDrive for Business, and Exchange Online locations that have been migrated. | During migration, customers can continue to create cases, holds, searches, and exports in the [Security & Compliance Center](https://docs.microsoft.com/microsoft-365/compliance/manage-legal-investigations), including [Content Search](https://docs.microsoft.com/microsoft-365/compliance/search-for-content). However, searches against SharePoint Online, OneDrive for Business, and Exchange Online locations that have been migrated will either return 0 results or produce an error. For remediation, see the _Impact_ column. | In the event that a search returns zero results or an error during migration, please take the following action for SharePoint Online: <ul><li>Download sites directly from SharePoint Online/ OneDrive for Business site by following the instructions in [Download files and folders from OneDrive or SharePoint](https://support.office.com/article/download-files-and-folders-from-onedrive-or-sharepoint-5c7397b7-19c7-4893-84fe-d02e8fa5df05). This method will require SharePoint Online administrator permissions or read-only permissions on the site.</li><li>If limits are exceeded, as explained in [Download files and folders from OneDrive or SharePoint](https://support.office.com/article/download-files-and-folders-from-onedrive-or-sharepoint-5c7397b7-19c7-4893-84fe-d02e8fa5df05), customers can use the OneDrive for Business sync client by following the guidance in [Sync SharePoint and Teams files with your computer](https://support.office.com/article/sync-sharepoint-files-with-the-new-onedrive-sync-app-6de9ede8-5b6e-4503-80b2-6190f3354a88).</li><li>For more information see [In-Place eDiscovery in Exchange Server](https://docs.microsoft.com/Exchange/policy-and-compliance/ediscovery/ediscovery) |
+| From the beginning of phase 4 until phase 9 is completed, eDiscovery searches will fail or return 0 results for SharePoint Online, OneDrive for Business, and Exchange Online locations that have been migrated. | During migration, customers can continue to create cases, holds, searches, and exports in the [Security & Compliance Center](https://docs.microsoft.com/microsoft-365/compliance/manage-legal-investigations), including [Content Search](https://docs.microsoft.com/microsoft-365/compliance/search-for-content). However, searches against SharePoint Online, OneDrive for Business, and Exchange Online locations that have been migrated will either return 0 results or produce an error. For remediation, see the _Impact_ column. | In the event that a search returns zero results or an error during migration, please take the following action for SharePoint Online: <ul><li>Download sites directly from SharePoint Online/ OneDrive for Business site by following the instructions in [Download files and folders from OneDrive or SharePoint](https://support.office.com/article/download-files-and-folders-from-onedrive-or-sharepoint-5c7397b7-19c7-4893-84fe-d02e8fa5df05). This method will require SharePoint Online administrator permissions or read-only permissions on the site.</li><li>If limits are exceeded, as explained in [Download files and folders from OneDrive or SharePoint](https://support.office.com/article/download-files-and-folders-from-onedrive-or-sharepoint-5c7397b7-19c7-4893-84fe-d02e8fa5df05), customers can use the OneDrive for Business sync client by following the guidance in [Sync SharePoint and Teams files with your computer](https://support.office.com/article/sync-sharepoint-files-with-the-new-onedrive-sync-app-6de9ede8-5b6e-4503-80b2-6190f3354a88).</li><li>For more information see [In-Place eDiscovery in Exchange Server](https://docs.microsoft.com/Exchange/policy-and-compliance/ediscovery/ediscovery) |
|||| ## Post-migration
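Review bot: The row's cells do not match the column headings: the **Step(s)** cell states an impact, and the **Impact** cell holds the remediation, which is why the description has to say "For remediation, see the _Impact_ column". Suggest moving the text into the columns it belongs in or renaming the headings. The remediation is introduced as "the following action for SharePoint Online", yet the row also covers Exchange Online, for which only a "For more information" link is given. The list in the last cell is never closed: the final `<li>` has no `</li>` and there is no `</ul>`.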
enterprise Ms Cloud Germany Transition Add Pre Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-pre-work.md
Use these links to get to the pre-work steps relevant to your organization:
| Step(s) | Description | Impact | |:-|:-|:-| | Prepare to notify users about restarting and signing in to and out of their clients after migration. | Office client licensing will transition from Microsoft Cloud Deutschland to Office 365 services in the migration. Clients pick up a new valid license after signing out of and in to Office clients. | Users' Office products need to refresh licenses from Office 365 services. If licenses aren't refreshed, Office products may experience license validation errors. |
-| Ensure network connectivity to [Office 365 services URLs and IP addresses](https://aka.ms/o365urls). | All clients and services hosted by the customer that are used to access Office 365 service must be able to access the Office 365 Global services endpoints. <br>In case, you or your collaboration partners have firewall rules in place that would prevent accessing the URLs and IP addresses listed in [Office 365 services URLs and IP addresses](https://aka.ms/o365urls) must change the firewall rules to permit access to the Office 365 Global service enpoints| Failures of the service or client software can occur if this is not done before Phase 4 |
+| Ensure network connectivity to [Office 365 services URLs and IP addresses](https://aka.ms/o365urls). | All clients and services hosted by the customer that are used to access Office 365 service must be able to access the Office 365 Global services endpoints. <br>In case, you or your collaboration partners have firewall rules in place that would prevent accessing the URLs and IP addresses listed in [Office 365 services URLs and IP addresses](https://aka.ms/o365urls) must change the firewall rules to permit access to the Office 365 Global service endpoints| Failures of the service or client software can occur if this is not done before Phase 4 |
| Cancel any trial subscriptions. | Trial subscriptions will not be migrated and will block transfer of paid subscriptions. | Trial services are expired and non-functioning if accessed by users after cancellation. | | Analyze differences in license features between Microsoft Cloud Deutschland and Office 365 Services. | Office 365 services include additional features and services not available in the current Microsoft Cloud Deutschland. During subscription transfer, new features will be available to users. | <ul><li> Analyze the different features provided by the licenses for Microsoft Cloud Deutschland and Office 365 Services. Start with the [Office 365 platform Service Description](https://docs.microsoft.com/office365/servicedescriptions/office-365-platform-service-description/office-365-platform-service-description). </li><li> Determine if any new features of Office 365 services should be initially disabled to limit effects on users or on user change management, and alter user license assignments as needed. </li><li>Prepare users and help desk staff for new services and features provided by Office 365 services. |
-| Create organization-wide [retention policies](https://docs.microsoft.com/microsoft-365/compliance/retention) to protect from inadvertent deletion of content during migration. |<ul><li>To ensure that content isn't inadvertently deleted by end users during the migration, customers may choose to enable an organization-wide retention policy. </li><li>Although retention isn't required, since holds placed at any time during the migration should work as expected, having a retention policy is a back-up safety mechanism. At the same time, a retention policy might not be used by all customers, especially those who are concerned about over preservation.</li></ul>| Apply retention policy as described in [Learn about retention policies and retention labels](https://docs.microsoft.com/microsoft-365/compliance/retention-policies). Failures of the service or client software can occur if this is not done before Phase 4 of 9. </li></ul>|
+| Create organization-wide [retention policies](https://docs.microsoft.com/microsoft-365/compliance/retention) to protect from inadvertent deletion of content during migration. |<ul><li>To ensure that content isn't inadvertently deleted by end users during the migration, customers may choose to enable an organization-wide retention policy. </li><li>Although retention isn't required, since holds placed at anytime during the migration should work as expected, having a retention policy is a back-up safety mechanism. At the same time, a retention policy might not be used by all customers, especially those who are concerned about over preservation.</li></ul>| Apply retention policy as described in [Learn about retention policies and retention labels](https://docs.microsoft.com/microsoft-365/compliance/retention-policies). Failures of the service or client software can occur if this is not done before Phase 4 of 9. </li></ul>|
||||| ## Active Directory Federation Services (AD FS)
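Review bot: In the retention-policy row, the added line changes "at any time" to "at anytime"; "anytime" is only an adverb, so after "at" the two-word form is the correct one and the removed wording should stay. The same row's Impact cell ends with `</li></ul>` that has no opening `<ul><li>`, and the connectivity row above still reads "In case, you or your collaboration partners have firewall rules ... must change the firewall rules", which has no subject for "must change". Both are worth fixing while these rows are being touched.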
Use these links to get to the pre-work steps relevant to your organization:
| Step(s) | Description | Impact | |:-|:-|:-|
-| Update to the latest version of the Hybrid Configuration Wizard (HCW) any time before your tenant is entering migration stage 5. You may start this activity immidiately after receiving the message center notificate that your Office 365 tenant migratin has begun.<br><br> Microsoft Cloud Deutschland hybrid Exchange Online customers must uninstall previous versions of HCW, and then install and execute the latest version (17.0.5378.0 or higher) from [https://aka.ms/hybridwizard](https://aka.ms/hybridwizard). |<ul><li>The latest version of the HCW includes necessary updates to support customers who are transitioning from Microsoft Cloud Deutschland to Office 365 Services.</li><li> Updates include changes to on-premises certificate settings for the Send connector and the Receive connector.</li><li> Exchange administrators must re-install the HCW any time before Phase 5 of 9 (Exchange migration) begins.<br>When executing the HCW before phase 5, select "Office 365 Germany" on the 2nd page of the HCW under _Office 365 Exchange Online_ in the listbox below _My Office 365 organization is hosted by_</li><li>**NOTE**: Upon completion of your Office 365 tenant migration , you will remove and re-install the HCW again, this time using "Office 365 Worldwide" settings on the 2nd parge of the HCW to complete your Hybrid setup with the Exchange Online global service.</li></ul>|Failure to run the HCW before Phase 5 (Exchange migration) may result in service or client failure. |
+| Update to the latest version of the Hybrid Configuration Wizard (HCW) anytime before your tenant is entering migration stage 5. You may start this activity immediately after receiving the message center notification that your Office 365 tenant migration has begun.<br><br> Microsoft Cloud Deutschland hybrid Exchange Online customers must uninstall previous versions of HCW, and then install and execute the latest version (17.0.5378.0 or higher) from [https://aka.ms/hybridwizard](https://aka.ms/hybridwizard). |<ul><li>The latest version of the HCW includes necessary updates to support customers who are transitioning from Microsoft Cloud Deutschland to Office 365 Services.</li><li> Updates include changes to on-premises certificate settings for the Send connector and the Receive connector.</li><li> Exchange administrators must re-install the HCW anytime before Phase 5 of 9 (Exchange migration) begins.<br>When executing the HCW before phase 5, select "Office 365 Germany" on the 2nd page of the HCW under _Office 365 Exchange Online_ in the listbox below _My Office 365 organization is hosted by_</li><li>**NOTE**: Upon completion of your Office 365 tenant migration, you will remove and re-install the HCW again, this time using "Office 365 Worldwide" settings on the 2nd page of the HCW to complete your Hybrid setup with the Exchange Online global service.</li></ul>|Failure to run the HCW before Phase 5 (Exchange migration) may result in service or client failure. |
|||| ## SharePoint Online
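Review bot: The HCW row names the same milestone three ways, "migration stage 5", "Phase 5 of 9 (Exchange migration)" and "phase 5". Pick one form (the other rows on this page use "Phase N of 9") so administrators do not read them as different gates.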
Remove MSOID, CName from customer-owned DNS if it exists anytime before Azure Ac
| Step(s) | Description | Impact | |:-|:-|:-|
-| Add an identifier for single sign-on (SSO) to an existing relying party trust and disable AD FS metadata auto-updates. | An ID must be added to the AD FS relying party trust before starting your migration. To avoid accidental removal of the relying party identifier, disable auto-update for metadata updates. <br><br> Run this command as a single command-line on the AD FS server: <br>`Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:microsoftonline.de -Identifier @('urn:federation:microsoftonline.de', 'https://login.microsoftonline.de/extSTS.srf', 'https://login.microsoftonline.de') -AutoUpdate $False`
+| Add an identifier for single sign-on (SSO) to an existing relying party trust and disable AD FS metadata auto-updates. | An ID must be added to the AD FS relying party trust before starting your migration. To avoid accidental removal of the relying party identifier, disable auto-update for metadata updates. <br><br> Run this command as a single command line on the AD FS server: <br>`Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:microsoftonline.de -Identifier @('urn:federation:microsoftonline.de', 'https://login.microsoftonline.de/extSTS.srf', 'https://login.microsoftonline.de') -AutoUpdate $False`
| Federated authentication organizations | Required Action. Inaction before Phase 4 of 9 (SharePoint) will result in service impact during the migration. | | Generate relying party trust for global Azure AD endpoints. | Customers need to manually create a relying party trust (RPT) to [global](https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml) endpoints. This is done by adding a new RPT via GUI by leveraging the global federation metadata URL and then using [Azure AD RPT Claim Rules](https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator#:~:text=%20Azure%20AD%20RPT%20Claim%20Rules%20%201,Azure%20AD.%20This%20will%20be%20what...%20More%20) (in AD FS Help) to generate the claim rules and import them into the RPT. | Federated authentication organizations | Required Action. Inaction will result in service impact during the migration. | |||||
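Review bot: The step disables metadata auto-update with `-AutoUpdate $False`, but the row never says whether or when to turn it back on. With auto-update off, later changes in the relying party's federation metadata are no longer picked up by AD FS, so the Description should state the point in the migration after which auto-update can be re-enabled, or say explicitly that it stays off. The claim-rules link in the following row also carries a browser text fragment (`#:~:text=...`) after `ClaimsGenerator` that should be trimmed.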
Remove MSOID, CName from customer-owned DNS if it exists anytime before Azure Ac
If you are using the same Azure Active Directory identity partition for Office 365 and Microsoft Azure in the Microsoft Cloud Deutschland instance, make sure that you are preparing for the customer driven migration of Microsoft Azure services. The migration of your Microsoft Azure services must not be started before your Office 365 tenant has reached migration phase 3 and must be completed before migration phase 8 has been completed.+ | Step(s) | Description | Impact | |:-|:-|:-| | Determine which Azure services are in use and prepare for future migration from Germany to the Office 365 services tenant by working with your partners. Follow the steps described in the [Azure migration playbook](https://docs.microsoft.com/azure/germany/germany-migration-main). |<ul><li>Migration of Azure resources is a customer responsibility and requires manual effort following prescribed steps. Understanding what services are in use in the organization is key to successful migration of Azure services. </li><li> Office 365 Germany customers who have Azure subscriptions under the same identity partition (organization) must follow the Microsoft-prescribed order when they can begin subscription and services migration.</li></ul>|<ul><li>Customers may have multiple Azure subscriptions, each subscription containing infrastructure, services, and platform components. </li><li> Administrators should identify subscriptions and stakeholders to ensure prompt migration and validation is possible as part of this migration event. </li><li>Failing to successfully complete migration of these subscriptions and Azure components within the prescribed timeline will affect completion of the Office and Azure AD transition to Office 365 services and may result in data loss. </li><li> A Message center notification will signal the point at which customer-led migration can begin. </li></ul>|
enterprise Ms Cloud Germany Transition Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-phases.md
The following sections contain actions and effects for workloads as they progres
## Opt-In **Applies to**: All customers with an Office 365 tenant hosted in the Microsoft Cloud Deutschland (MCD)+ | Step(s) | Description | Impact | |:-|:--|:-|
-| We can't migrate Office 365 tenants hosted in the MCD without consent. | Microsoft gains the right to migrate in one of two ways, which enables Microsoft to orchestrate the transition of data and services to the Office 365 Global services instance. <ol><li>The Office 365 tenant administrator opts-in to the Microsoft-driven migration. </li><li> Customers renew any subscriptions in their MCD Office 365 tenant after May 1, 2020. We'll notify these customers of the migration right each month, wait 30 days to give customers a chance to cancel, and then directly opt-in.</li></ol> | <ul><li>Tenant is marked as consented for migration, and Admin Center displays confirmation. </li><li>Acknowledgment is posted to the Office 365 tenant Message Center. Service configuration continues from Microsoft Cloud Deutschland endpoints. </li><li>The tenant administatror must monitor the Office 365 Message Center for updates on the igration phase status. </li></ul>|
+| We can't migrate Office 365 tenants hosted in the MCD without consent. | Microsoft gains the right to migrate in one of two ways, which enables Microsoft to orchestrate the transition of data and services to the Office 365 Global services instance. <ol><li>The Office 365 tenant administrator opts-in to the Microsoft-driven migration. </li><li> Customers renew any subscriptions in their MCD Office 365 tenant after May 1, 2020. We'll notify these customers of the migration right each month, wait 30 days to give customers a chance to cancel, and then directly opt-in.</li></ol> | <ul><li>Tenant is marked as consented for migration, and Admin Center displays confirmation. </li><li>Acknowledgment is posted to the Office 365 tenant Message Center. Service configuration continues from Microsoft Cloud Deutschland endpoints. </li><li>The tenant administrator must monitor the Office 365 Message Center for updates on the migration phase status. </li></ul>|
## Subscription (Phase 3)
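Review bot: In the Description cell, "opts-in" and "then directly opt-in" use the hyphenated form as a verb; the verb is "opts in" / "opt in", and the hyphenated form fits only the noun or adjective. The second list item also leaves the object of "wait 30 days ... and then directly opt-in" unclear; say who is opted in, for example "and then opt the tenant in".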
Additional considerations:
**Applies to:** All customers using Exchange Online
-If you're using Exchange Online hybrid: Exchange Online Hybrid administrators **must execute the Hybrid Configuration wizard (HCW) multiple times** as part of this transition. See the [prework advanced migration steps for Exchange](ms-cloud-germany-transition-add-experience.md#Exchange-Online-before-phase-5)
+If you're using Exchange Online hybrid: Exchange Online Hybrid administrators **must execute the Hybrid Configuration wizard (HCW) multiple times** as part of this transition. See the [prework advanced migration steps for Exchange](ms-cloud-germany-transition-add-experience.md#exchange-online-before-phase-5)
-As described in the migration [prework](ms-cloud-germany-transition-add-pre-work.md#exchange-online), **before the migration step phase 5 begins,** Exchange Online hybrid customers need to run the latest version of the Exchange Hybrid Configruation Wizard (HCW) in "Office 365 Germany" mode to prepare the on-premises configuration for the migration to Office 365 global services.
+As described in the migration [prework](ms-cloud-germany-transition-add-pre-work.md#exchange-online), **before the migration step phase 5 begins,** Exchange Online hybrid customers need to run the latest version of the Exchange Hybrid Configuration Wizard (HCW) in "Office 365 Germany" mode to prepare the on-premises configuration for the migration to Office 365 global services.
Upon **completion of the migration phase 5** (when the Message Center notice is published), you need to run the HCW again using Office 365 Worldwide settings to point your on-premises systems to the Office 365 Global services. Additional DNS updates may be required if you use custom domains.
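Review bot: The two added lines spell the tool differently, "Hybrid Configuration wizard (HCW)" in the first and "Hybrid Configuration Wizard (HCW)" in the second; use one capitalization. The first added line also ends at the link with no closing period.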
Customers with Dynamics 365 require additional engagement to migrate the organiz
**Applies to:** All customers using Office desktop applications (Word, Excel, PowerPoint, Outlook, ...)
-Office 365 tenants transitioning to the region "Germany" require all users to close, sign out from Office 365 and back in for all Office desktop applications (Word, Excel, PowerPoint, Outlook, etc.) and OneDrive for Business client after the tenant migration has reached phase 9 . Signing out and in, allows the Office services to obtain new authentication tokens from the global Azure AD service.
+Office 365 tenants transitioning to the region "Germany" require all users to close, sign out from Office 365 and back in for all Office desktop applications (Word, Excel, PowerPoint, Outlook, etc.) and OneDrive for Business client after the tenant migration has reached phase 9. Signing out and in, allows the Office services to obtain new authentication tokens from the global Azure AD service.
| Step(s) | Description | Impact | |:-|:-|:-|
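Review bot: The added line keeps "Signing out and in, allows the Office services ..." with a comma between subject and verb; drop the comma. "close, sign out from Office 365 and back in for all Office desktop applications" is also hard to parse and would read better as separate steps (close the apps, sign out, sign back in).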
enterprise Office 365 Network Mac Perf Cpe https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-cpe.md
Title: "Microsoft 365 informed network routing"
Previously updated : 12/22/2020 Last updated : 03/10/2021 audience: Admin
In the case where there is not at least one network circuit providing direct Int
### Application usage
-Application experience data (reflected through network quality metrics) is collected through usage of Microsoft Outlook on devices running Windows, Teams, SharePoint, and OneDrive. Other application traffic is not considered when evaluating the health of a network circuit.
+Application experience data (reflected through network quality metrics) is collected through usage of specific Microsoft client applications. Exchange metrics reflect usage of the Outlook client as well as some Outlook Web App usage. SharePoint and OneDrive metrics reflect usage of the tenant-specific SharePoint endpoints, regardless of client application. Teams metrics reflect usage of the Teams desktop client. Other application traffic is not considered when evaluating the health of a network circuit.
## Enabling informed network routing
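Review bot: The removed sentence limited Outlook data to "devices running Windows"; the added text drops that qualifier without saying whether other platforms now count. "some Outlook Web App usage" is also too vague for an admin deciding whether their traffic feeds the circuit health evaluation; name the condition or link to where it is defined.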
enterprise Plan For Multi Geo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/plan-for-multi-geo.md
For details about the Teams experience in a Microsoft 365 Multi-Geo tenancy, see
To get started configuring Microsoft 365 Multi-Geo, see [Configure Microsoft 365 Multi-Geo](multi-geo-tenant-configuration.md). Once you've completed the configuration, remember to [migrate your users' OneDrive libraries](move-onedrive-between-geo-locations.md) as needed to get your users working from their preferred data locations.+
+## Related topics
+
+[Microsoft 365 Multi-Geo eDiscovery configuration](https://docs.microsoft.com/microsoft-365/enterprise/multi-geo-ediscovery-configuration)
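Review bot: The new Related topics entry uses an absolute `https://docs.microsoft.com/...` URL, while the links in the paragraph above it are relative (`multi-geo-tenant-configuration.md`, `move-onedrive-between-geo-locations.md`). The target's URL places it in the same `enterprise` folder, so a relative `multi-geo-ediscovery-configuration.md` link would match the file's convention.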
managed-desktop Privacy Personal Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/privacy-personal-data.md
keywords: GDPR, retention, deletion, storage, retention, processing, security, a
ms.sitesec: library + f1.keywords: - NOCSH
+audience: Admin, ITPro
ms.localizationpriority: normal
Microsoft Managed Desktop stores its data in one or more of the following Micros
- Azure SQL - Azure storage
+- Dynamics 365
-Microsoft Managed Desktop stores its data in the United States. Personal data is retained by Microsoft Managed Desktop for a maximum of 30 days.
+Microsoft Managed Desktop stores its data in the United States. Personal data is retained by Microsoft Managed Desktop for a maximum of 30 days, except for alert data for Microsoft Managed Desktop devices collected by Microsoft Defender for Endpoint. The actual alert data (which could include personal data) is stored for 180 days. Alert data with personal data removed is stored for up to two years. In compliance with the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), Microsoft Managed Desktop honors the data subject rights for any personal data that is stored in alert data.
### Staff location
-The MMD Operations and MMD Security Operations teams are located in the United States and India.
+The Microsoft Managed Desktop Operations and Security Operations teams are located in the United States and India.
## Data usage of Microsoft Managed Desktop
Microsoft Managed Desktop processes these entities to provide the service:
- Tenant data - Azure Active Directory resources - Policy and configuration data-- Microsoft Defender for Endpoint metadata
+- Microsoft Defender for Endpoint metadata and alert data
- Windows diagnostic data - Product and service usage data
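Review bot: The added retention sentence gives "a maximum of 30 days" and "up to two years" as upper bounds but says alert data "is stored for 180 days" with no qualifier; state whether 180 days is a fixed period or a maximum. The paragraph still opens with "stores its data in the United States" without saying whether that also covers the Defender for Endpoint alert data and the newly listed Dynamics 365 store.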
Microsoft Managed Desktop does not use any personal data collected as part of pr
The European Union [General Data Protection Regulation (GDPR)](https://ec.europa.eu/justice/data-protection/reform/index_en.htm) gives rights to people (known in the regulation as data subjects) to manage the personal data that has been collected by an employer or other type of agency or organization (known as the data controller or just controller). Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person. The GDPR gives data subjects specific rights to their personal data; these rights include obtaining copies of personal data, requesting corrections to it, restricting the processing of it, deleting it, or receiving it in an electronic format so it can be moved to another controller. A formal request by a data subject to a controller to take an action on their personal data is called a Data Subject Request or DSR.
-Similarly, the California Consumer Privacy Act (CCPA) provides privacy rights and obligations to California consumers, including rights similar to GDPR's Data Subject Rights, such as the right to delete, access, and receive (portability) their personal information. The CCPA also provides for certain disclosures, protections against discrimination when electing exercise rights, and "opt-out / opt-in" requirements for certain data transfers classified as "sales". Sales are broadly defined to include the sharing of data for a valuable consideration. For more information about the CCPA, see the [California Consumer Privacy Act](https://docs.microsoft.com/microsoft-365/compliance/offering-ccpa?view=o365-worldwide) and the [California Consumer Privacy Act FAQ](https://docs.microsoft.com/microsoft-365/compliance/ccpa-faq?view=o365-worldwide).
+Similarly, the CCPA provides privacy rights and obligations to California consumers, including rights similar to GDPR's Data Subject Rights, such as the right to delete, access, and receive (portability) their personal information. The CCPA also provides for certain disclosures, protections against discrimination when electing exercise rights, and "opt-out / opt-in" requirements for certain data transfers classified as "sales". Sales are broadly defined to include the sharing of data for a valuable consideration. For more information about the CCPA, see the [California Consumer Privacy Act](https://docs.microsoft.com/microsoft-365/compliance/offering-ccpa?view=o365-worldwide) and the [California Consumer Privacy Act FAQ](https://docs.microsoft.com/microsoft-365/compliance/ccpa-faq?view=o365-worldwide).
The following section discusses how Microsoft Managed Desktop helps controllers to find, access, and act on personal data or personal information used by Microsoft Managed Desktop.
The following section discusses how Microsoft Managed Desktop helps controllers
A tenant administrator can view, correct, and delete their own personal data (such as their own contact information) directly in the Admin Contact section of the Microsoft Managed Desktop Portal.
+## Microsoft Defender for Endpoint alert data
+
+Security administrators can request an extraction or deletion of personal data related to Microsoft Defender for Endpoint alerts on a Microsoft Managed Desktop managed device in their environment. The security administrator should sign in to the Microsoft Managed Desktop [Admin Portal](https://aka.ms/memadmin) and submit a support request. Select **Support request type** of **Change request**, **Category** of **Security**, and **Subcategory** of **Other**, and then provide the relevant device names in the description along with your request for extraction or deletion of data.
+ ### User-related personal data Aside from this, Microsoft Managed Desktop does not collect personal data on its own. Instead, it relies on and uses personal data that other Microsoft Enterprise Online Services collected. IT Admins looking to respond to their user requests to view, correct, and delete their personal data can use the respective functionality of the underlying services that Microsoft Managed Desktop depends on. If you are interested in viewing or deleting personal data used by these services, see the [Azure Data Subject Requests for the GDPR](https://docs.microsoft.com/microsoft-365/compliance/gdpr-dsr-azure) article first.
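Review bot: The new section is added as a level-2 heading (`## Microsoft Defender for Endpoint alert data`) directly before the existing `### User-related personal data`, which makes the user-related section a child of the alert-data section. Make the new heading `###`, or move it after the user-related section, so the outline keeps the two as siblings.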
Furthermore, use the following guidance to exercise DSRs for the services Micros
- [Azure Active Directory](https://docs.microsoft.com/microsoft-365/compliance/gdpr-dsr-azure?view=o365-worldwide) - [Microsoft Intune](https://docs.microsoft.com/microsoft-365/compliance/gdpr-dsr-intune?view=o365-worldwide)-- [Microsoft Defender for Endpoint](https:/docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy)
+- [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy)
- [Windows 10](https://docs.microsoft.com/windows/privacy/windows-10-and-privacy-compliance)
security Advanced Hunting Appfileevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-appfileevents-table.md
ms.technology: m365d
The `AppFileEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file-related activities in cloud apps and services monitored by Microsoft Cloud App Security. Use this reference to construct queries that return information from this table.
->[!TIP]
-> For detailed information about the events types (`ActionType` values) supported by a table, use the [built-in schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) available in the security center.
+>[!WARNING]
+>This table will be retired soon. As of March 7, 2021, the `AppFileEvents` table is no longer logging records. Users hunting through file-related activities in cloud services on and beyond the said date should use the [CloudAppEvents](advanced-hunting-cloudappevents-table.md) table instead. <br><br>Make sure to search for queries and custom detection rules that still use the `AppFileEvents` table and edit them to use the `CloudAppEvents` table. More guidance about converting affected queries can be found in [Hunt across cloud app activities with Microsoft 365 Defender advanced hunting](https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-across-cloud-app-activities-with-microsoft-365-defender/ba-p/1893857).
+ For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
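Review bot: The warning says the table "will be retired soon" without a date and that it stopped logging on March 7, 2021, but does not say whether records written before that date stay queryable until retirement. Hunters running look-backs across the cutover need to know whether they must query both tables; add that, and replace "on and beyond the said date" with "on or after that date".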
For information on other tables in the advanced hunting schema, [see the advance
| `ReportId` | long | Unique identifier for the event | | `AdditionalFields` | string | Additional information about the entity or event |
+>[!TIP]
+> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in the security center.
++ ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md)
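Review bot: The tip was moved below the column table and the link to the built-in schema reference was removed, leaving "use the built-in schema reference available in the security center" with no pointer to where that is. Either keep a link or add a short phrase on where to find it; "the events types" should also read "the event types". The same link removal recurs in the `Device*` table articles in this batch.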
security Advanced Hunting Cloudappevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-cloudappevents-table.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
-Currently available in preview, the `CloudAppEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about activities in various cloud apps and services, specifically Microsoft Teams and Exchange Online. Use this reference to construct queries that return information from this table.
-This table will expand to include more activities monitored by Microsoft Cloud App Security. Eventually, this table will include file activity currently stored in the [AppFileEvents](advanced-hunting-appfileevents-table.md) table. Microsoft will provide additional guidance as more data moves to this table.
+The `CloudAppEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about activities in various cloud apps and services covered by Microsoft Cloud App Security, specifically Dropbox, Exchange Online, OneDrive, Microsoft Teams, and SharePoint. Use this reference to construct queries that return information from this table.
+
+>[!IMPORTANT]
+>This table includes information that used to be available in the `AppFileEvents` table. Starting March 7, 2021, users hunting through file-related activities in cloud services on and beyond this date should use the `CloudAppEvents` table instead. <br><br>Make sure to search for queries and custom detection rules that still use the `AppFileEvents` table and edit them to use the `CloudAppEvents` table. More guidance about converting affected queries can be found in [Hunt across cloud app activities with Microsoft 365 Defender advanced hunting](https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-across-cloud-app-activities-with-microsoft-365-defender/ba-p/1893857).
+ For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
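Review bot: The added note reads "Starting March 7, 2021, users hunting ... on and beyond this date should use", which states the date twice; one mention is enough. The intro also says "specifically Dropbox, Exchange Online, OneDrive, Microsoft Teams, and SharePoint", which reads as an exhaustive list; if more Cloud App Security sources are expected, "including" is the safer word.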
For information on other tables in the advanced hunting schema, [see the advance
| `RawEventData` | string | Raw event information from the source application or service in JSON format | | `AdditionalFields` | string | Additional information about the entity or event | + ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md)
security Advanced Hunting Deviceevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-deviceevents-table.md
ms.technology: m365d
The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from this table. >[!TIP]
-> For detailed information about the events types (`ActionType` values) supported by a table, use the [built-in schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) available in the security center.
+> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in the security center.
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Devicefileevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-devicefileevents-table.md
ms.technology: m365d
The `DeviceFileEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from this table. >[!TIP]
-> For detailed information about the events types (`ActionType` values) supported by a table, use the [built-in schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) available in the security center.
+> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in the security center.
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Deviceimageloadevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-deviceimageloadevents-table.md
ms.technology: m365d
The `DeviceImageLoadEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from this table. >[!TIP]
-> For detailed information about the events types (`ActionType` values) supported by a table, use the [built-in schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) available in the security center.
+> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in the security center.
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Devicelogonevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-devicelogonevents-table.md
ms.technology: m365d
The `DeviceLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events on devices. Use this reference to construct queries that return information from this table. >[!TIP]
-> For detailed information about the events types (`ActionType` values) supported by a table, use the [built-in schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) available in the security center.
+> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in the security center.
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Devicenetworkevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-devicenetworkevents-table.md
ms.technology: m365d
The `DeviceNetworkEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from this table. >[!TIP]
-> For detailed information about the events types (`ActionType` values) supported by a table, use the [built-in schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) available in the security center.
+> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in the security center.
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Deviceprocessevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-deviceprocessevents-table.md
ms.technology: m365d
The `DeviceProcessEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from this table. >[!TIP]
-> For detailed information about the events types (`ActionType` values) supported by a table, use the [built-in schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) available in the security center.
+> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in the security center.
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Deviceregistryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-deviceregistryevents-table.md
ms.technology: m365d
The `DeviceRegistryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from this table. >[!TIP]
-> For detailed information about the events types (`ActionType` values) supported by a table, use the [built-in schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) available in the security center.
+> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in the security center.
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Emailevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-emailevents-table.md
ms.technology: m365d
The `EmailEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about events involving the processing of emails on Microsoft Defender for Office 365. Use this reference to construct queries that return information from this table. >[!TIP]
-> For detailed information about the events types (`ActionType` values) supported by a table, use the [built-in schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) available in the security center.
+> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in the security center.
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Emailpostdeliveryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-emailpostdeliveryevents-table.md
ms.technology: m365d
The `EmailPostDeliveryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about post-delivery actions taken on email messages processed by Microsoft 365. Use this reference to construct queries that return information from this table. >[!TIP]
-> For detailed information about the events types (`ActionType` values) supported by a table, use the [built-in schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) available in the security center.
+> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in the security center.
To get more information about individual email messages, you can also use the [`EmailEvents`](advanced-hunting-emailevents-table.md), [`EmailAttachmentInfo`](advanced-hunting-emailattachmentinfo-table.md), and the [`EmailUrlInfo`](advanced-hunting-emailurlinfo-table.md) tables. For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Identitydirectoryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-identitydirectoryevents-table.md
ms.technology: m365d
The `IdentityDirectoryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains events involving an on-premises domain controller running Active Directory (AD). This table captures various identity-related events, like password changes, password expiration, and user principal name (UPN) changes. It also captures system events on the domain controller, like scheduling of tasks and PowerShell activity. Use this reference to construct queries that return information from this table. >[!TIP]
-> For detailed information about the events types (`ActionType` values) supported by a table, use the [built-in schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) available in the security center.
+> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in the security center.
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Identitylogonevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-identitylogonevents-table.md
ms.technology: m365d
The `IdentityLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about authentication activities made through your on-premises Active Directory captured by Microsoft Defender for Identity and authentication activities related to Microsoft online services captured by Microsoft Cloud App Security. Use this reference to construct queries that return information from this table. >[!TIP]
-> For detailed information about the events types (`ActionType` values) supported by a table, use the [built-in schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) available in the security center.
+> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in the security center.
>[!NOTE] >This table covers Azure Active Directory (AD) logon activities tracked by Cloud App Security, specifically interactive sign-ins and authentication activities using ActiveSync and other legacy protocols. Non-interactive logons that are not available in this table can be viewed in the Azure AD audit log. [Learn more about connecting Cloud App Security to Microsoft 365](https://docs.microsoft.com/cloud-app-security/connect-office-365-to-microsoft-cloud-app-security)
security Advanced Hunting Identityqueryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-identityqueryevents-table.md
ms.technology: m365d
The `IdentityQueryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about queries performed against Active Directory objects, such as users, groups, devices, and domains. Use this reference to construct queries that return information from this table. >[!TIP]
-> For detailed information about the events types (`ActionType` values) supported by a table, use the [built-in schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) available in the security center.
+> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in the security center.
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
security Advanced Hunting Query Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-query-results.md
If you're dealing with a list of values that isnΓÇÖt finite, you can use the `To
```kusto EmailEvents
-| where PhishFilterVerdict == "Phish"
-| summarize Count = count() by SenderFromDomain
+| where ThreatTypes has "Phish"
+| summarize Count = count() by SenderFromDomain
| top 10 by Count ``` Use the pie chart view to effectively show distribution across the top domains:
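Review bot: the `where` line changes both the column and the operator (`PhishFilterVerdict == "Phish"` becomes `ThreatTypes has "Phish"`) and the example gives no reason for the operator change. `==` compares the whole value while `has` matches a term inside the string, which suggests `ThreatTypes` can carry more than one value; a short sentence or query comment saying so would stop readers from changing it back to `==` and silently missing rows. The `summarize` line is removed and re-added with no visible difference, which looks like a whitespace-only change and could be dropped from the diff.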
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/whats-new.md
RSS feed: Get notified when this page is updated by copying and pasting the foll
https://docs.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+365+defender%22&locale=en-us ```
+## March 2021
+- [CloudAppEvents table](advanced-hunting-cloudappevents-table.md) <br>Find information about events in various cloud apps and services covered by Microsoft Cloud App Security. This table also includes information previously available in `AppFileEvents`.
## February 2021 - (Preview) The enhanced [Microsoft 365 security center (https://security.microsoft.com)](https://security.microsoft.com) is now available in public preview. This new experience brings Defender for Endpoint and Defender for Office 365 to the center. [Learn more about what's changed](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center).
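Review bot: the new March 2021 bullet says `CloudAppEvents` includes information "previously available in `AppFileEvents`" but does not say what happens to `AppFileEvents` itself. State whether that table is still populated, deprecated, or removed, and from what date, because saved hunting queries and detection rules that reference it are affected differently in each case. A link to a migration note or to the `AppFileEvents` article would also help.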
security Attack Simulator https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulator.md
ms.prod: m365-security
If your organization has Microsoft Defender for Office 365 Plan 2, which includes [Threat Investigation and Response capabilities](office-365-ti.md), you can use Attack Simulator in the Security & Compliance Center to run realistic attack scenarios in your organization. These simulated attacks can help you identify and find vulnerable users before a real attack impacts your bottom line. Read this article to learn more. > [!NOTE]
-> Attack Simulator v1 experience has been switched to read-only mode and replaced by Attack simulator training that's described in [Get started using Attack simulation training](attack-simulation-training-get-started.md).
-> The ability to launch new simulations from this site has been disabled. However, you can still access reports for simulations run for a period of 90 days from January 24, 2021.
+>
+> Attack Simulator as described in this article is now read-only and has been replaced by **Attack simulation training** in the **Email & collaboration** node in the [Microsoft 365 security center](https://security.microsoft.com). For more information, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
+>
+> The ability to launch new simulations from this version of Attack Simulator has been disabled. However, you can still access reports for up to 90 days from January 24, 2021.
## What do you need to know before you begin?
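Review bot: in the last `+` line, "you can still access reports for up to 90 days from January 24, 2021" no longer says which reports are meant or when access ends. The removed text tied the 90 days to "simulations run", and the new wording can be read either as a retention window or as a cutoff date for the whole experience. Give the end date explicitly or restore the reference to the simulations so the two readings cannot diverge.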
security Configure The Outbound Spam Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-the-outbound-spam-policy.md
New-HostedOutboundSpamFilterRule -Name "<RuleName>" -HostedOutboundSpamFilterPol
This example creates a new outbound spam filter rule named Contoso Executives with these settings: - The outbound spam filter policy named Contoso Executives is associated with the rule.- - The rule applies to members of the group named Contoso Executives Group. ```PowerShell
-New-HostedOutboundSpamFilterRule -Name "Contoso Executives" -HostedOutboundSpamFilterPolicy "Contoso Executives" -SentToMemberOf "Contoso Executives Group"
+New-HostedOutboundSpamFilterRule -Name "Contoso Executives" -HostedOutboundSpamFilterPolicy "Contoso Executives" -FromMemberOf "Contoso Executives Group"
``` For detailed syntax and parameter information, see [New-HostedOutboundSpamFilterRule](https://docs.microsoft.com/powershell/module/exchange/new-hostedoutboundspamfilterrule).
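Review bot: the bullet above the command still says only "The rule applies to members of the group named Contoso Executives Group", which does not tell the reader that the condition is now on the sender (`-FromMemberOf`) rather than the recipient (`-SentToMemberOf`). Reword the bullet to say the rule applies to senders who are members of the group, so the description and the parameter agree, and check the `<RuleName>` syntax line earlier in the article for the same recipient-style conditions.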
solutions Collaborate As Team https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-as-team.md
- m365initiative-externalcollab - seo-marvel-apr2020
-localization_priority: Normal
+localization_priority: Priority
f1.keywords: NOCSH description: Learn about the Microsoft 365 configuration steps necessary to set up a team for task, conversation, and documentation collaboration with guests in Teams.
solutions Identity Design Principles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/identity-design-principles.md
To [Multi-Geo](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365
- It does not to provide performance benefits. It could make performance worse if the [network design](https://aka.ms/office365networking) is not correct. Get devices "close" to the Microsoft network, not necessarily to your data. - It is not a solution for [GDPR compliance](https://www.microsoft.com/trust-center/privacy/gdpr-overview). GDPR does not focus on data sovereignty or storage locations. There are other compliance frameworks for that. - It does not solve delegation of administration (see below) or [information barriers](https://docs.microsoft.com/microsoft-365/compliance/information-barriers).-- It is not the same as multi-tenant and requires additional [user provisioning](https:/docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-feature-preferreddatalocation) workflows.
+- It is not the same as multi-tenant and requires additional [user provisioning](https://github.com/MicrosoftDocs/azure-docs-pr/blob/master/articles/active-directory/hybrid/how-to-connect-sync-feature-preferreddatalocation.md) workflows.
- It does not [move your tenant](https://docs.microsoft.com/microsoft-365/enterprise/moving-data-to-new-datacenter-geos) (your Azure AD) to another geography. ## Delegation of administration
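Review bot: the replacement link on the `+` line points at a source file in `github.com/MicrosoftDocs/azure-docs-pr` rather than the published article, so readers without access to that repository cannot open it. The removed URL was only missing a slash (`https:/docs.microsoft.com/...`); the minimal fix is to keep the docs.microsoft.com path and write it as `https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-feature-preferreddatalocation`. The first context line also still reads "It does not to provide performance benefits", which should lose the extra "to".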