+For additional details about securing data and managed devices in Microsoft 365 Business Premium, see [How to secure your business data with Microsoft 365 for business](/microsoft-365/business-premium/secure-your-business-data).

+[How to secure your business data with Microsoft 365 for business](/microsoft-365/business-premium/secure-your-business-data)

+- For Outlook messages, you can [apply a sensitivity label based on attachments that are labeled](sensitivity-labels-office-apps.md#configure-label-inheritance-from-email-attachments).

+### Scenario 2 Show policy tip as oversharing popup (preview)

+> [!IMPORTANT]

+> This is a hypothetical scenario with hypothetical values. It's only for illustrative purposes. You should substitute your own sensitive information types, sensitivity labels, distribution groups and users.

+#### Scenario 2 pre-requisites and assumptions

+This scenario uses the *Highly confidential* sensitivity label, so it requires that you have created and published sensitivity labels. To learn more, see:

+- [Learn about sensitivity labels](sensitivity-labels.md)

+- [Get started with sensitivity labels](get-started-with-sensitivity-labels.md)

+- [Create and configure sensitivity labels and their policies](create-sensitivity-labels.md)

+This procedure uses a hypothetical company domain at Contoso.com.

+#### Scenario 2 policy intent and mapping

+*We need to block emails to all recipients that have the ΓÇÿhighly confidentialΓÇÖ sensitivity label applied except if the recipient domain is contoso.com. We want to notify the user on send with a popup dialogue and no one can be allowed to override the block.*

+|Statement|Configuration question answered and configuration mapping|

+|||

+|"We need to block emails to all recipients..."|- **Where to monitor**: Exchange </br>- **Administrative scope**: Full directory </br>- **Action**: Restrict access or encrypt the content in Microsoft 365 locations > Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files > Block everyone |

+|"...that have the 'highly confidential' sensitivity label applied..."| - **What to monitor**: use the Custom template </br> - **Conditions for a match**: edit it to add the *highly confidential* sensitivity label|

+|"...except if..."| **Condition group configuration** - Create a nested boolean NOT condition group joined to the first conditions using a boolean AND|

+|"...the recipient domain is contoso.com."| **Condition for match**: Recipient domain is|

+|"...Notify..."|**User notifications**: enabled|

+|"...the user on send with a popup dialogue..."| **Policy tips**: selected </br> - **Show policy tip as a dialog for the end user before send**: selected|

+|"...and no one can be allowed to override the block...| **Allow overrides from M365 Services**: not selected|

+#### Steps to create policy for scenario 2

+> [!IMPORTANT]

+> For the purposes of this policy creation procedure, you'll accept the default include/exclude values and leave the policy turned off. You'll be changing these when you deploy the policy.

+1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a>.

+1. In the Microsoft Purview compliance portal \> left navigation \> **Solutions** \> **Data loss prevention** \> **Policies** \> **+ Create policy**.

+1. Select **Custom** from the **Categories** list.

+

+1. Select **Custom** from the **Templates** list.

+

+1. Give the policy a name.

+> [!IMPORTANT]

+> Policies cannot be renamed.

+5. Fill in a description. You can use the policy intent statement here.

+1. Select **Next**.

+1. Select **Full directory** under **Admin units**.

+1. Set the **Exchange email** location status to **On**. Set all the other location status to **Off**.

+1. Select **Next**.

+1. Accept the default values for **Include** = **All** and **Exclude** = **None**.

+

+1. The **Create or customize advanced DLP rules** option should already be selected.

+

+1. Select **Next**.

+

+1. Select **Create rule**. Name the rule and provide a description.

+1. Select **Add condition** > **Content contains** > **Add** > **Sensitivity labels** > **Highly confidential**. Choose **Add**.

+

+1. Select **Add group** > **AND** > **NOT** > **Add condition**.

+1. Select **Recipient domain is** > **contoso.com**. Choose **Add**.

+

+1. Select **Add and action** > **Restrict access or encrypt the content in Microsoft 365 locations** > **Restrict access or encrypt the content in Microsoft 365 locations** > **Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams file.** > **Block everyone**.

+

+1. Set **User notifications** to **On**.

+

+1. Select **Policy tips** > **Show the policy tip as a dialog for the end user before send**.

+

+1. Make sure that **Allow override from M365 services** *isn't* selected.

+

+1. Choose **Save**.

+

+1. Choose **Next** > **Keep it off** > **Next** > **Submit**.

+1. [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) - This article presents some common policy intent scenarios that you'll map to configuration options. It also walks you through configuring those options.

+Also, you need to be aware of the following constraints of the platform:

+- Maximum number of MIP + MIG policies in a tenant: 10,000

+- Maximum size of a DLP policy (100 KB)

+- Maximum number of DLP rules:

+ - In a policy: Limited by the size of the policy

+ - In a tenant: 600

+- Maximum size of an individual DLP rule: 80 KB

+- GIR evidence limit: 100, with each SIT evidence, in proportion of occurrence

+- Text extraction limit: 1 MB

+- Regex size limit for all matches predicted: 20 KB

+- Policy name length limit: 64 characters

+- Policy rule length limit: 64 characters

+- Comment length limit: 1024 characters

+- Description length limit: 1024 characters

+At this level, an administrative unit restricted admin will only be able to pick from the administrative units that they're assigned to.

+Conditions are where you define what you want the rule to look for and context in which those items are being used. They tell the ruleΓÇöwhen you find an item that looks like *this* and is being used like *thatΓÇöit's a match and the rest of the actions in the policy should be taken on it. You can use conditions to assign different actions to different risk levels. For example, sensitive content shared internally might be lower risk and require fewer actions than sensitive content shared with people outside the organization.

+- Any email attachment's content couldn't be scanned

+- Content isn't labeled (.pdf and Office files are fully supported). This predicate detects content that doesn't have a sensitivity label applied. To help ensure only supported file types are detected, you should use this condition with the **File extension is** or **File type is** conditions.

+- (preview) The user accessed a sensitive website from Microsoft Edge. See, [Scenario 6 Monitor or restrict user activities on sensitive service domains (preview)](endpoint-dlp-using.md#scenario-6-monitor-or-restrict-user-activities-on-sensitive-service-domains) for more information.

+#### DLP Platform Limitations for Conditions

+|Predicate | Workload | Limit | Cost of Evaluation |

+|-|-|--|--|

+|Content Contains | EXO/SPO/ODB | 125 SITs per rule | High |

+|Content is shared from Microsoft 365 | EXO/SPO/ODB | - | High |

+|Sender IP address is | EXO | Individual range length <= 128; Count <= 600 |Low|

+|Has sender overridden the policy tip |EXO | - | Low |

+|Sender is | EXO | Individual email length <= 256; Count <= 600| Medium |

+|Sender is a member of | EXO | Count <= 600 | High |

+|Sender domain is | EXO | Domain name length <= 67; Count <= 600 |Low |

+|Sender address contains words | EXO |Individual word length <= 128; Count <= 600 | Low |

+|Sender address matches patterns | EXO |Regex length <= 128 char; Count <= 600 | Low |

+|Sender AD attribute contains words | EXO | Individual word length <= 128; Count <= 600 | Medium |

+|Sender AD attribute matches patterns | EXO | Regex length <= 128 char; Count <= 600 | Medium |

+|Content of email attachment(s) can't be scanned|EXO| [Supported file types](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments#supported-file-types-for-mail-flow-rule-content-inspection) | Low |

+|Incomplete scan of email attachment content | EXO | Size > 1 MB | Low |

+|Attachment is password-protected | EXO | File types: Office files, ZIP, and 7z |Low|

+|Attachment's file extension is |EXO/SPO/ODB | Count <= 50 | High|

+|Recipient is a member of |EXO | Count <= 600 | High |

+|Recipient domain is | EXO| Domain name length <= 67; Count <= 5000 | Low |

+|Recipient is | EXO | Individual email length <= 256; Count <= 600 |Low |

+|Recipient address contains words | EXO | Individual word length <= 128; Count <= 600 | Low |

+|Recipient address matches patterns | EXO | Count <= 300 | Low|

+|Document name contains words or phrases | EXO | Individual word length <= 128; Count <=600 |Low|

+|Document Name matches patterns| EXO | Regex length <= 128 char; Count <= 300 |Low|

+|Document property is | EXO/SPO/ODB | - | Low |

+|Document size equals or is greater than | EXO | - | Low|

+|Subject contains words or phrases | EXO | Individual word length <= 128; Count <= 600| Low|

+|Header contains words or phrases | EXO | Individual word length <= 128; Count <= 600 |Low|

+|Subject or body contains words or phrases |EXO| Individual word length <= 128; Count <= 600 |Low|

+|Content character set contains words |EXO | Count <= 600 |Low|

+|Header matches patterns |EXO | Regex length <= 128 char; Count <= 300 | Low|

+|Subject matches patterns|EXO | Regex length <= 128 char; Count <= 300 | Low|

+|Subject or body matches patterns |EXO |Regex length <= 128 char; Count <= 300 | Low|

+|Message type is | EXO| - | Low|

+|Message size over | EXO | - | Low|

+|With importance | EXO | - | Low|

+|Sender AD attribute contains words |EXO| Each attribute key value pair: has Regex length <= 128 char; Count <= 600 | Medium |

+|Sender AD attribute matches patterns |EXO | Each attribute key value pair: has Regex length <= 128 char; Count <= 300 | Medium|

+|Document contains words | EXO | Individual word length <= 128; Count <= 600 | Medium|

+|Document matches patterns| EXO| Regex length <= 128 char; Count <= 300 | Medium|

+#### DLP Platform Limitations for Actions

+|Action Name | Workload | Limits |

+||||

+|Restrict access or encrypt content in Microsoft 365| EXO/SPO/ODB | |

+|Set headers | EXO | |

+|Remove header | EXO | |

+|Redirect the message to specific users | EXO| Total of 100 across all DLP rules. Cannot be DL/SG|

+|Forward the message for approval to sender's manager | EXO | Manager should be defined in AD|

+|Forward the message for approval to specific approvers |EXO | Groups aren't supported|

+|Add recipient to the **To** box | EXO | Recipient count <= 10; Cannot be DL/SG|

+|Add recipient to the **Cc** box | EXO | Recipient count <= 10; Cannot be DL/SG|

+|Add recipient to the **Bcc** box | EXO | Recipient count <= 10; Cannot be DL/SG|

+|Add the sender's manager as recipient | EXO | Manager attribute should be defined in AD|

+|Apply HTML disclaimer| EXO| |

+|Prepend subject| EXO| |

+|Apply OME| EXO | |

+|Remove OME | EXO | |

+When a user attempts an action on a sensitive item in a context that meets the conditions of a rule, you can let them know about it through user notification emails and in- context policy tip popups. These notifications are useful because they increase awareness and help educate people about your organization's DLP policies.

+*%%AppliedActions%% File name %%FileName%% via %%ProcessName%% isn't allowed by your organization. Select 'Allow' if you want to bypass the policy %%PolicyName%%*

+*pasting from the clipboard File Name: Contoso doc 1 via WINWORD.EXE isn't allowed by your organization. Select the 'Allow' button if you want to bypass the policy Contoso highly confidential*

+To enable multiple segment support for organizations in *SingleSegment* mode, you must not have any IB segments or policies currently defined for your organization. Run the following cmdlet to enable multiple segment support in your organization:

+The **Alerts** tab summarizes the current alerts included in the case. New alerts may be added to an existing case and they'll be added to the **Alert** queue as they're assigned. The following alert attributes are listed in the queue:

+The **Forensic evidence** tab allows risk investigators to review visual captures associated with risk activities included in cases. For example, as part of the case management actions, investigators may need to help clarify the context of the user activity under review. Viewing the actual clips of the activity can help the investigator determine if the user activity is potentially risky and may lead to a security incident.

+- **Get permissions to use insider risk management**: The level of access you have to insider risk management features depends on which role group you were assigned. To access and configure recommended actions, users must be assigned to the *Insider Risk Management* or *Insider Risk Management Admins* role groups.

+ - This option is currently rolling out in preview. For more information, see [Configure label inheritance from email attachments](sensitivity-labels-office-apps.md#configure-label-inheritance-from-email-attachments)

+> For this scenario, Outlook calendar events are still rolling out in general availability for Windows and macOS.

+- Prevent copy of meeting chat

+- **Outlook for Windows**: Rolling out to Current Channel, version 2302+

+ - Prevent copy of meeting chat

+ - Prevent copy of meeting chat

+- [Label inheritance from email attachments](#configure-label-inheritance-from-email-attachments):

+ - For this configuration, the label must be scoped to both files and emails.

+## Configure label inheritance from email attachments

+> [!NOTE]

+> This capability is currently rolling out in preview for built-in labeling, and in various stages of release across the platforms. Identify the minimum versions of Outlook that support this feature by using the [capabilities table for Outlook](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-outlook), and the row **Label inheritance from email attachments**.

+Turn on email inheritance for when users attach labeled documents to an email message that isn't manually labeled. With this configuration, a sensitivity label is dynamically selected for the email message, based on the sensitivity labels that are applied to the attachments and published to the user. The [highest priority label](sensitivity-labels.md#label-priority-order-matters) is dynamically selected when it's supported by Outlook.

+Whether this label inheritance will override an existing label on the email message:

+- When an email message has been manually labeled, that label won't be replaced by label inheritance from email attachments.

+- Label inheritance from email attachments will replace a lower priority sensitivity label that is automatically applied or applied as a default label, but won't override a higher priority label.

+You configure this setting in the sensitivity label policy, on the **Default settings for emails** page. For the section **Inherit label from attachments**, select the checkbox **Email inherits highest priority label from attachments**. The attachment must be a physical file, and can't be a link to a file (for example, a link to a file on Microsoft SharePoint or OneDrive).

+When you select this checkbox, you can then further select the following option: **Recommend users apply the attachments label instead of automatically applying it.** Without this selection, the label is automatically applied but users can still remove the label or select a different label before sending the email.

+> [!NOTE]

+> If you've configured the PowerShell advanced setting **AttachmentAction** for the Azure Information Protection (AIP) unified labeling client to be Automatic or Recommended, these options are automatically reflected in the compliance portal. However, the **AttachmentActionTip** advanced setting for a customized recommendation message doesn't have a corresponding entry in the compliance portal and isn't supported by built-in labeling.

+By default, if the automatically selected label applies encryption, the same encryption is applied to the email. For example, if the highest priority label applies encryption with Full Control to the Marketing group, the email will be protected with Full Control to the Marketing group. If the highest priority label applies the encryption option of Do Not Forward, the email message is also labeled and encrypted with Do Not Forward.

+However, take into consideration the outcome when an email client doesn't support a specific protection action that's been applied to an attachment:

+- For built-in labeling:

+

+ - **Double Key Encryption**: If the highest priority label applies Double Key Encryption, no label or encryption is selected for the email message in Outlook for Windows.

+ - **Custom permissions for Word, PowerPoint, and Excel**: If the highest priority label applies just user-defined permissions for Word, PowerPoint, and Excel (the option **Let users assign permissions when they apply the label** and **In Word, PowerPoint, and Excel, prompt users to specify permissions**), no label or protection is selected for the email message because Outlook doesn't support this label configuration.

+- For the Azure Information Protection (AIP) unified labeling client:

+

+ - **S/MIME**: If the highest priority label applies S/MIME signing and encryption, and the label is also configured for encryption from the Azure Rights Management service, that label is applied to the email message with the same S/MIME signing and encryption but also the label's configured encryption settings for the Azure Rights Management service.

+

+ - **Double Key Encryption**: If the highest priority label applies the encryption setting for Double Key Encryption, no label or encryption is selected for the email message if the label is configured for **Let users assign permissions when they apply the label**. The label and protection is applied if the label is configured for **Assign permissions now**.

+ - **Custom permissions for Word, PowerPoint, and Excel**: If the highest priority label applies just user-defined permissions for Word, PowerPoint, and Excel (the option **Let users assign permissions when they apply the label** and **In Word, PowerPoint, and Excel, prompt users to specify permissions**), no label or protection is selected for the email message because Outlook doesn't support this label configuration.

+ - **Encrypt-Only**: If the highest priority label applies the encryption setting for Encrypt-Only, no label or protection is selected for the email message because the AIP unified labeling client doesn't support this setting.

+- [Create protected PDFs from Office files](https://support.microsoft.com/topic/aba7e367-e482)

+|[Audit label-related user activity](sensitivity-labels-office-apps.md#auditing-labeling-activities): <br /> - Includes encryption details | Current Channel: 2301+ | 16.70+ | 2.70+ | 16.0.16130+ | Under review |

+|Manually apply, change, or remove label <br /> - [Calendar items](sensitivity-labels-meetings.md)| Current Channel: Rolling out to 2302+ | Rolling out: 16.70+ ^\* | Under review | Under review | Yes |

+|[Audit label-related user activity](sensitivity-labels-office-apps.md#auditing-labeling-activities): <br /> - Includes encryption details | Current Channel: 2301+ | 16.70+ ^\* | 4.2309+| 4.2309+ | Under review |

+|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) | Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | Under review | Under review |

+|[Display label color](sensitivity-labels-office-apps.md#label-colors) | Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Preview: [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | Under review |

+|[Preventing oversharing as DLP policy tip](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup-preview)| Preview: Rolling out to [Beta Channel](https://office.com/insider) | Under review | Under review | Under review | Under review |

+|[Label inheritance from email attachments](sensitivity-labels-office-apps.md#configure-label-inheritance-from-email-attachments) | Preview: Rolling out to [Beta Channel](https://office.com/insider) | Under review | Under review | Under review | Yes |

+The ordering of sublabels is also used with [label inheritance from email attachments](sensitivity-labels-office-apps.md#configure-label-inheritance-from-email-attachments).

+- **General availability (GA)**: Both Outlook for Windows and Outlook for Mac are rolling out in general availability for [protected meetings](sensitivity-labels-meetings.md).

+- **In preview**: Prevent [oversharing of labeled emails as a DLP policy tip](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup-preview). This DLP policy configuration is an equivalent for the AIP add-in with PowerShell advanced settings that implement pop-up messages in Outlook that warn, justify, or block emails being sent.

+- **In preview**: As a parity feature for the AIP add-in, built-in labeling for Windows supports [label inheritance from email attachments](sensitivity-labels-office-apps.md#configure-label-inheritance-from-email-attachments).

+- Update to clarify that a subject rights request will automatically pause at the [data estimate stage](/privacy/priva/subject-rights-requests-data-retrieval) if over 10K items or 100 GB of data are likely to be retrieved.

+- Instructions to [Customize an archive and deletion policy for mailboxes](set-up-an-archive-and-deletion-policy-for-mailboxes.md) are updated to include only retention tags that have an outcome that can't be achieved with Microsoft 365 retention.

+- In a multi-geo environment, cross-geo mailbox auditing is not supported. For example, if a user is assigned permissions to access a shared mailbox in a different geo location, mailbox actions performed by that user are not logged in the mailbox audit log of the shared mailbox. Exchange admin audit events are available for all locations via [Microsoft Purview](/microsoft-365/compliance/audit-solutions-overview) and the [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog) cmdlet. For more information, see [Manage mailbox auditing](../compliance/enable-mailbox-auditing.md).

+>

+> Enable port 8653 to allow execution of this command.

+# Microsoft 365 Multi-Tenant Organization People Search (public preview)

+>This Public Preview program is designed to give customers the opportunity to try out the multi-tenant people search feature. You can then validate the scenario and provide feedback to the product development team. The purpose of this article is to:

+> _Fig 1: Azure AD cross tenant synchronization illustration

+## Known limitations

+- The Microsoft Teams audio and video call buttons will direct the call to the MeganΓÇÖs Contoso tenant Teams instance and not the Teams instance target tenant (Fabrikam).

+- The current experience provides limited information on the people card (basic contact information, job title and office location).

+- There is no external tag to differentiate synced users and internal users. For example, if there was a megan@fabrikam and megan@Contoso there's no (External) tag to show that megan@fabrikam is a different user.

+## External Member Limitations

+- External member isn't supported in Teams Connect shared channels.

+- Converting an external guest into an external member or converting an external member into an external guest isn't currently supported by Teams. For more information, see Guest access in Microsoft Teams.

+- External member isn't supported in Power BI. For more information, see Distribute Power BI content to external guest users using Azure Active Directory B2B.

+- Both tenants have the **Azure AD Cross-tenant Synchronization** feature enabled

+- Provisioned users from home to target tenants

+3. **Bing for Business**

+## Provide feedback

+Use this [form][https://aka.ms/MTOpeoplesearchpreviewfeedback] to provide feedback to the MTO people search team. https://aka.ms/MTOpeoplesearchpreviewfeedback

+## Frequently asked questions

+If you have questions regarding cross tenant synchronization, see [Cross Tenants Synchronization FAQs] [/azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-overview#frequently-asked-questions]

+1. What are the license requirements for MTO people search?

+A: Cross-tenant Synchronization is a pre-requisite to Multi-tenant people search feature. The licensing requirements for cross tenant synchronization can be found here. [License requirements] [/azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-overview#license-requirements]

+2. What is the sync schedule?

+A: The cross-tenant sync interval is currently fixed to start at 40-minute intervals. Sync duration varies based on the number of in-scope users. The initial sync cycle is likely to take significantly longer than the following incremental sync cycles.

+3. How long does it take to discover a synced user in M365 people search experiences?

+A: The synced users will be available in the global address list right away. However, it make take up to a day for the user to be discoverable in people search experiences in M365 applications.

+4. What attributes are synchronized from the home to the resource tenant?

+A: Cross-tenant synchronization will sync commonly used attributes on the user object in Azure AD, including (but not limited to) displayName, userPrincipalName, and directory extension attributes.

+- What attributes can't be synchronized?

+Attributes including (but not limited to) managers, photos, custom security attributes, and user attributes outside of the directory can't be synchronized by cross-tenant synchronization.

+All synced attributes will be displayed on the people card if available. [For more information on attribute syncing] /azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-overview#attributes]

+7. Is there a limit to how many tenants we can apply this to?

+A: No

+8. Is there a limit on the number of user objects that can be synced?

+A: No. However, it is important to note that if there are more users to be synced in a single job, it will take longer to complete. [How long will it take to provision users] [/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user#how-long-will-it-take-to-provision-users]

+9. Can I sync users as guests rather than members?

+A: Yes. However, to enable M365 MTO people search and future MTO scenarios, we require you to sync users as members. Guests are intended for cross-company scenarios, whereas members are intended for tenants within the same company.

+- Exchange Online [Data Residency for Exchange Online](/microsoft-365/enterprise/m365-dr-workload-exo)

+- You added a Microsoft 365 system account as a team owner to all teams you want to map.</br> [Create this account in Microsoft 365](/microsoft-365/admin/add-users/add-users) and assign it a Microsoft 365 license. Then, add the account as a team owner to all teams that you want to map. The Shifts connector uses this account when syncing Shifts changes from Blue Yonder WFM. Therefore, we recommend that you create an account specifically for this purpose and not use your personal user account.

+ **Some features in this article require [Microsoft Syntex - SharePoint Advanced Management](/sharepoint/advanced-management)**

+## Week of March 06, 2023

+| Published On |Topic title | Change |

+|||--|

+| 3/7/2023 | [Automatically apply a retention label to Microsoft 365 items](/microsoft-365/compliance/apply-retention-labels-automatically?view=o365-worldwide) | modified |

+| 3/7/2023 | [Automatically apply a sensitivity label in Microsoft 365](/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide) | modified |

+| 3/7/2023 | [Publish and apply retention labels](/microsoft-365/compliance/create-apply-retention-labels?view=o365-worldwide) | modified |

+| 3/7/2023 | [Apply encryption using sensitivity labels](/microsoft-365/compliance/encryption-sensitivity-labels?view=o365-worldwide) | modified |

+| 3/7/2023 | [Use sensitivity labels to protect calendar items, Teams meetings, and chat](/microsoft-365/compliance/sensitivity-labels-meetings?view=o365-worldwide) | modified |

+| 3/7/2023 | [Manage sensitivity labels in Office apps](/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-worldwide) | modified |

+| 3/7/2023 | [Learn about sensitivity labels](/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide) | modified |

+| 3/7/2023 | [Incident response with Microsoft 365 Defender](/microsoft-365/security/defender/incidents-overview?view=o365-worldwide) | modified |

+| 3/7/2023 | [Investigate incidents in Microsoft 365 Defender](/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide) | modified |

+| 3/6/2023 | [Set up Microsoft Syntex](/microsoft-365/syntex/set-up-microsoft-syntex) | added |

+| 3/6/2023 | [Pay-as-you-go services and pricing for Microsoft Syntex](/microsoft-365/syntex/syntex-pay-as-you-go-services) | added |

+| 3/6/2023 | [Compare Microsoft Defender Vulnerability Management plans and capabilities](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities?view=o365-worldwide) | modified |

+| 3/6/2023 | [Quarantine policies](/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide) | modified |

+| 3/6/2023 | [Microsoft recommendations for EOP and Defender for Office 365 security settings](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide) | modified |

+| 3/6/2023 | [Set up Microsoft Syntex per-user licensing](/microsoft-365/syntex/set-up-content-understanding) | modified |

+| 3/6/2023 | [Configure Microsoft Syntex for pay-as-you-go billing in Azure](/microsoft-365/syntex/syntex-azure-billing) | modified |

+| 3/6/2023 | [Licensing for Microsoft Syntex](/microsoft-365/syntex/syntex-licensing) | modified |

+| 3/7/2023 | [Manage tamper protection for your organization using Microsoft Intune](/microsoft-365/security/defender-endpoint/manage-tamper-protection-intune?view=o365-worldwide) | renamed |

+| 3/7/2023 | [Microsoft Syntex video library](/microsoft-365/syntex/video-library) | added |

+| 3/7/2023 | [Microsoft 365 admin center help # < 60 chars](/microsoft-365/admin/index?view=o365-worldwide) | modified |

+| 3/7/2023 | Upgrade distribution lists to Microsoft 365 Groups in Exchange Online | removed |

+| 3/7/2023 | [Get started with the Microsoft Purview Chrome Extension](/microsoft-365/compliance/dlp-chrome-get-started?view=o365-worldwide) | modified |

+| 3/7/2023 | [Cross-Tenant Identity Mapping (preview)](/microsoft-365/enterprise/cross-tenant-identity-mapping?view=o365-worldwide) | modified |

+| 3/7/2023 | [Windows and Office 365 deployment lab kit](/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab?view=o365-worldwide) | modified |

+| 3/7/2023 | [Configure Microsoft Defender for Endpoint on Android features](/microsoft-365/security/defender-endpoint/android-configure?view=o365-worldwide) | modified |

+| 3/7/2023 | [What's new in Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-whatsnew?view=o365-worldwide) | modified |

+| 3/7/2023 | [Migrating servers from Microsoft Monitoring Agent to the unified solution](/microsoft-365/security/defender-endpoint/application-deployment-via-mecm?view=o365-worldwide) | modified |

+| 3/7/2023 | [Test attack surface reduction (ASR) rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-test?view=o365-worldwide) | modified |

+| 3/7/2023 | [Use attack surface reduction rules to prevent malware infection](/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide) | modified |

+| 3/7/2023 | [Batch Update alert entities API](/microsoft-365/security/defender-endpoint/batch-update-alerts?view=o365-worldwide) | modified |

+| 3/7/2023 | [Advanced deployment guidance for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment?view=o365-worldwide) | modified |

+| 3/7/2023 | [Delete a file from the live response library](/microsoft-365/security/defender-endpoint/delete-library?view=o365-worldwide) | modified |

+| 3/7/2023 | [Device health Microsoft Defender Antivirus health report](/microsoft-365/security/defender-endpoint/device-health-microsoft-defender-antivirus-health?view=o365-worldwide) | modified |

+| 3/7/2023 | [Microsoft Defender for Endpoint evaluation lab](/microsoft-365/security/defender-endpoint/evaluation-lab?view=o365-worldwide) | modified |

+| 3/7/2023 | [Frequently asked questions on tamper protection](/microsoft-365/security/defender-endpoint/faqs-tamper-protection?view=o365-worldwide) | modified |

+| 3/7/2023 | [List devices by software](/microsoft-365/security/defender-endpoint/get-machines-by-software?view=o365-worldwide) | modified |

+| 3/7/2023 | [Manage tamper protection using tenant attach with Configuration Manager, version 2006](/microsoft-365/security/defender-endpoint/manage-tamper-protection-configuration-manager?view=o365-worldwide) | modified |

+| 3/7/2023 | [Manage tamper protection on an individual device](/microsoft-365/security/defender-endpoint/manage-tamper-protection-individual-device?view=o365-worldwide) | modified |

+| 3/7/2023 | [Manage tamper protection for your organization using Microsoft 365 Defender](/microsoft-365/security/defender-endpoint/manage-tamper-protection-microsoft-365-defender?view=o365-worldwide) | modified |

+| 3/7/2023 | [Protect security settings with tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide) | modified |

+| 3/7/2023 | [How to subscribe to Microsoft Defender Experts for Hunting](/microsoft-365/security/defender/onboarding-defender-experts-for-hunting?view=o365-worldwide) | modified |

+| 3/8/2023 | [Configure a default sensitivity label for a SharePoint document library](/microsoft-365/compliance/sensitivity-labels-sharepoint-default-label?view=o365-worldwide) | modified |

+| 3/9/2023 | [Investigate devices in the Defender for Endpoint Devices list](/microsoft-365/security/defender-endpoint/investigate-machines?view=o365-worldwide) | modified |

+| 3/9/2023 | [Deploy Microsoft Defender for Endpoint on Linux manually](/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide) | modified |

+| 3/9/2023 | [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-perf?view=o365-worldwide) | modified |

+| 3/9/2023 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified |

+| 3/9/2023 | [Intune-based deployment for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-install-with-intune?view=o365-worldwide) | modified |

+| 3/9/2023 | [Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios?view=o365-worldwide) | modified |

+| 3/9/2023 | [Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux?view=o365-worldwide) | modified |

+| 3/9/2023 | [Onboard previous versions of Windows on Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/onboard-downlevel?view=o365-worldwide) | modified |

+| 3/9/2023 | [Take response actions on a device in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide) | modified |

+| 3/9/2023 | [Run the client analyzer on macOS or Linux](/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux?view=o365-worldwide) | modified |

+| 3/9/2023 | [Server migration scenarios for the new version of Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/server-migration?view=o365-worldwide) | modified |

+| 3/9/2023 | [Supported Microsoft Defender for Endpoint capabilities by platform](/microsoft-365/security/defender-endpoint/supported-capabilities-by-platform?view=o365-worldwide) | modified |

+| 3/9/2023 | [Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/troubleshoot-security-config-mgt?view=o365-worldwide) | modified |

+| 3/9/2023 | [Upload files to the live response library](/microsoft-365/security/defender-endpoint/upload-library?view=o365-worldwide) | modified |

+| 3/9/2023 | [Microsoft Defender for Identity sensor health and settings in Microsoft 365 Defender](/microsoft-365/security/defender-identity/sensor-health?view=o365-worldwide) | modified |

+| 3/9/2023 | [Block vulnerable applications](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps?view=o365-worldwide) | modified |

+| 3/9/2023 | [Browser extensions assessment](/microsoft-365/security/defender-vulnerability-management/tvm-browser-extensions?view=o365-worldwide) | modified |

+| 3/9/2023 | [Get relevant info about an entity with go hunt](/microsoft-365/security/defender/advanced-hunting-go-hunt?view=o365-worldwide) | modified |

+| 3/9/2023 | [Use the advanced hunting query resource report](/microsoft-365/security/defender/advanced-hunting-limits?view=o365-worldwide) | modified |

+| 3/9/2023 | [Choose between guided and advanced modes for hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-modes?view=o365-worldwide) | modified |

+| 3/9/2023 | [Create and manage custom detection rules in Microsoft 365 Defender](/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide) | modified |

+| 3/9/2023 | [Get started using Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-get-started?view=o365-worldwide) | modified |

+| 3/9/2023 | [Manage data for Microsoft Whiteboard](/microsoft-365/whiteboard/manage-data-organizations?view=o365-worldwide) | modified |

+| 3/8/2023 | [Overview of content processing in Microsoft Syntex](/microsoft-365/syntex/content-processing-overview) | added |

+| 3/8/2023 | [Automatically retain or delete content by using retention policies](/microsoft-365/compliance/create-retention-policies?view=o365-worldwide) | modified |

+| 3/8/2023 | [Identify the available PowerShell cmdlets for retention](/microsoft-365/compliance/retention-cmdlets?view=o365-worldwide) | modified |

+| 3/8/2023 | [Configure Microsoft 365 retention settings to automatically retain or delete content](/microsoft-365/compliance/retention-settings?view=o365-worldwide) | modified |

+| 3/8/2023 | [Learn about retention policies & labels to retain or delete](/microsoft-365/compliance/retention?view=o365-worldwide) | modified |

+| 3/8/2023 | [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](/microsoft-365/security/defender-endpoint/android-intune?view=o365-worldwide) | modified |

+| 3/8/2023 | [Integration with Microsoft Defender for Cloud](/microsoft-365/security/defender-endpoint/azure-server-integration?view=o365-worldwide) | modified |

+| 3/8/2023 | [Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment](/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus?view=o365-worldwide) | modified |

+| 3/8/2023 | [Web content filtering](/microsoft-365/security/defender-endpoint/web-content-filtering?view=o365-worldwide) | modified |

+| 3/8/2023 | [Work with query results in guided mode for hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-query-builder-results?view=o365-worldwide) | modified |

+| 3/8/2023 | [Hunt for threats across devices, emails, apps, and identities with advanced hunting](/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide) | modified |

+| 3/8/2023 | [Learn the advanced hunting query language in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-worldwide) | modified |

+| 3/8/2023 | [Use shared queries in Microsoft 365 Defender advanced hunting](/microsoft-365/security/defender/advanced-hunting-shared-queries?view=o365-worldwide) | modified |

+| 3/8/2023 | [Take action on advanced hunting query results in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-take-action?view=o365-worldwide) | modified |

+| 3/8/2023 | [Alert grading playbooks](/microsoft-365/security/defender/alert-grading-playbooks?view=o365-worldwide) | modified |

+| 3/8/2023 | [Automatic attack disruption in Microsoft 365 Defender](/microsoft-365/security/defender/automatic-attack-disruption?view=o365-worldwide) | modified |

+| 3/8/2023 | [Configure automatic attack disruption capabilities in Microsoft 365 Defender](/microsoft-365/security/defender/configure-attack-disruption?view=o365-worldwide) | modified |

+| 3/8/2023 | [Integrate your SIEM tools with Microsoft 365 Defender](/microsoft-365/security/defender/configure-siem-defender?view=o365-worldwide) | modified |

+| 3/8/2023 | [Create custom roles with Microsoft 365 Defender role-based access control (RBAC)](/microsoft-365/security/defender/create-custom-rbac-roles?view=o365-worldwide) | modified |

+| 3/8/2023 | [Create and manage custom detection rules in Microsoft 365 Defender](/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide) | modified |

+| 3/8/2023 | [Edit or delete roles Microsoft 365 Defender role-based access control (RBAC)](/microsoft-365/security/defender/edit-delete-rbac-roles?view=o365-worldwide) | modified |

+| 3/8/2023 | [Step 4. Evaluate Microsoft Defender for Endpoint overview, including reviewing the architecture](/microsoft-365/security/defender/eval-defender-endpoint-overview?view=o365-worldwide) | modified |

+| 3/8/2023 | [Review architecture requirements and the technical framework for Microsoft Defender for Identity](/microsoft-365/security/defender/eval-defender-identity-architecture?view=o365-worldwide) | modified |

+| 3/8/2023 | [Enable the evaluation environment for Microsoft Defender for Identity](/microsoft-365/security/defender/eval-defender-identity-enable-eval?view=o365-worldwide) | modified |

+| 3/8/2023 | [Run an attack simulation in a Microsoft 365 Defender pilot environment](/microsoft-365/security/defender/eval-defender-investigate-respond-simulate-attack?view=o365-worldwide) | modified |

+| 3/8/2023 | [Review architecture requirements and the structure for Microsoft Defender for Cloud Apps](/microsoft-365/security/defender/eval-defender-mcas-architecture?view=o365-worldwide) | modified |

+| 3/8/2023 | [Step 5. Evaluate Microsoft Defender for Cloud Apps overview](/microsoft-365/security/defender/eval-defender-mcas-overview?view=o365-worldwide) | modified |

+| 3/8/2023 | [Microsoft 365 Defender portal](/microsoft-365/security/defender/microsoft-365-defender-portal?view=o365-worldwide) | modified |

+| 3/8/2023 | [Redirecting accounts from Microsoft Defender for Endpoint to Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-security-mde-redirection?view=o365-worldwide) | modified |

+| 3/8/2023 | [Redirecting accounts from Microsoft Defender for Identity to Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-security-mdi-redirection?view=o365-worldwide) | modified |

+| 3/8/2023 | [Assess your security posture through Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score-improvement-actions?view=o365-worldwide) | modified |

+| 3/8/2023 | [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide) | modified |

+| 3/8/2023 | [How to subscribe to Microsoft Defender Experts for Hunting](/microsoft-365/security/defender/onboarding-defender-experts-for-hunting?view=o365-worldwide) | modified |

+| 3/8/2023 | [Detecting human-operated ransomware attacks with Microsoft 365 Defender](/microsoft-365/security/defender/playbook-detecting-ransomware-m365-defender?view=o365-worldwide) | modified |

+| 3/8/2023 | [Set up your Microsoft 365 Defender trial lab or pilot environment](/microsoft-365/security/defender/setup-m365deval?view=o365-worldwide) | modified |

+| 3/8/2023 | [Remove yourself from the blocked senders list and address 5.7.511 Access denied errors](/microsoft-365/security/office-365-security/use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis?view=o365-worldwide) | modified |

+| 3/8/2023 | [Create a rule to move or copy a file from one document library to another in Microsoft Syntex](/microsoft-365/syntex/content-processing-create-rules) | modified |

+| 3/8/2023 | [Manage data for Microsoft Whiteboard](/microsoft-365/whiteboard/manage-data-organizations?view=o365-worldwide) | modified |

+| 3/8/2023 | Configure a team with security isolation by using a unique sensitivity label | removed |

+| 3/10/2023 | [Create and deploy a data loss prevention policy](/microsoft-365/compliance/dlp-create-deploy-policy?view=o365-worldwide) | modified |

+| 3/10/2023 | [Data Loss Prevention policy reference](/microsoft-365/compliance/dlp-policy-reference?view=o365-worldwide) | modified |

+| 3/10/2023 | [DeviceInfo table in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-deviceinfo-table?view=o365-worldwide) | modified |

+| 3/10/2023 | [Microsoft Defender for Office 365 data retention](/microsoft-365/security/office-365-security/mdo-data-retention?view=o365-worldwide) | modified |

+| 3/10/2023 | [Configure teams with protection for highly sensitive data](/microsoft-365/solutions/configure-teams-highly-sensitive-protection?view=o365-worldwide) | modified |

+| 3/10/2023 | [Configure teams with protection for sensitive data](/microsoft-365/solutions/configure-teams-sensitive-protection?view=o365-worldwide) | modified |

+| 3/10/2023 | [Configure Teams with three tiers of file sharing security](/microsoft-365/solutions/configure-teams-three-tiers-protection?view=o365-worldwide) | modified |

+| 3/10/2023 | [Microsoft 365 productivity illustrations](/microsoft-365/solutions/productivity-illustrations?view=o365-worldwide) | modified |

+| 3/9/2023 | [Frequently asked questions on tamper protection](/microsoft-365/security/defender-endpoint/faqs-tamper-protection?view=o365-worldwide) | modified |

+| 3/9/2023 | [Manage tamper protection using tenant attach with Configuration Manager, version 2006](/microsoft-365/security/defender-endpoint/manage-tamper-protection-configuration-manager?view=o365-worldwide) | modified |

+| 3/9/2023 | [Manage tamper protection on an individual device](/microsoft-365/security/defender-endpoint/manage-tamper-protection-individual-device?view=o365-worldwide) | modified |

+| 3/9/2023 | [Manage tamper protection for your organization using Microsoft Intune](/microsoft-365/security/defender-endpoint/manage-tamper-protection-intune?view=o365-worldwide) | modified |

+| 3/9/2023 | [Manage tamper protection for your organization using Microsoft 365 Defender](/microsoft-365/security/defender-endpoint/manage-tamper-protection-microsoft-365-defender?view=o365-worldwide) | modified |

+| 3/9/2023 | [Protect security settings with tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide) | modified |

+| 3/10/2023 | [How to secure your business data with Microsoft 365 for business](/microsoft-365/business-premium/secure-your-business-data?view=o365-worldwide) | added |

+| 3/10/2023 | [Configure a team with security isolation by using a unique sensitivity label](/microsoft-365/solutions/secure-teams-security-isolation?view=o365-worldwide) | added |

+| 3/10/2023 | [Increase threat protection for Microsoft 365 for business](/microsoft-365/admin/security-and-compliance/increase-threat-protection?view=o365-worldwide) | modified |

+| 3/10/2023 | Metrics and activity tracking in Microsoft Bookings | removed |

+| 3/10/2023 | [Keyword queries and search conditions for eDiscovery](/microsoft-365/compliance/ediscovery-keyword-queries-and-search-conditions?view=o365-worldwide) | modified |

+| 3/10/2023 | [Integrate your SIEM tools with Microsoft 365 Defender](/microsoft-365/security/defender/configure-siem-defender?view=o365-worldwide) | modified |

+| 3/10/2023 | [Create custom roles with Microsoft 365 Defender role-based access control (RBAC)](/microsoft-365/security/defender/create-custom-rbac-roles?view=o365-worldwide) | modified |

+| 3/10/2023 | [Create and manage custom detection rules in Microsoft 365 Defender](/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide) | modified |

+| 3/10/2023 | [Edit or delete roles Microsoft 365 Defender role-based access control (RBAC)](/microsoft-365/security/defender/edit-delete-rbac-roles?view=o365-worldwide) | modified |

+| 3/10/2023 | [Step 4. Evaluate Microsoft Defender for Endpoint overview, including reviewing the architecture](/microsoft-365/security/defender/eval-defender-endpoint-overview?view=o365-worldwide) | modified |

+| 3/10/2023 | [Review architecture requirements and the technical framework for Microsoft Defender for Identity](/microsoft-365/security/defender/eval-defender-identity-architecture?view=o365-worldwide) | modified |

+| 3/10/2023 | [Enable the evaluation environment for Microsoft Defender for Identity](/microsoft-365/security/defender/eval-defender-identity-enable-eval?view=o365-worldwide) | modified |

+| 3/10/2023 | [Run an attack simulation in a Microsoft 365 Defender pilot environment](/microsoft-365/security/defender/eval-defender-investigate-respond-simulate-attack?view=o365-worldwide) | modified |

+| 3/10/2023 | [Review architecture requirements and the structure for Microsoft Defender for Cloud Apps](/microsoft-365/security/defender/eval-defender-mcas-architecture?view=o365-worldwide) | modified |

+| 3/10/2023 | [Step 5. Evaluate Microsoft Defender for Cloud Apps overview](/microsoft-365/security/defender/eval-defender-mcas-overview?view=o365-worldwide) | modified |

+| 3/10/2023 | [Microsoft 365 Defender portal](/microsoft-365/security/defender/microsoft-365-defender-portal?view=o365-worldwide) | modified |

+| 3/10/2023 | [Redirecting accounts from Microsoft Defender for Endpoint to Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-security-mde-redirection?view=o365-worldwide) | modified |

+| 3/10/2023 | [Redirecting accounts from Microsoft Defender for Identity to Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-security-mdi-redirection?view=o365-worldwide) | modified |

+| 3/10/2023 | [Assess your security posture through Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score-improvement-actions?view=o365-worldwide) | modified |

+| 3/10/2023 | [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide) | modified |

+| 3/10/2023 | [How to subscribe to Microsoft Defender Experts for Hunting](/microsoft-365/security/defender/onboarding-defender-experts-for-hunting?view=o365-worldwide) | modified |

+| 3/10/2023 | [Detecting human-operated ransomware attacks with Microsoft 365 Defender](/microsoft-365/security/defender/playbook-detecting-ransomware-m365-defender?view=o365-worldwide) | modified |

+| 3/10/2023 | [Set up your Microsoft 365 Defender trial lab or pilot environment](/microsoft-365/security/defender/setup-m365deval?view=o365-worldwide) | modified |

+| 3/10/2023 | [Remove yourself from the blocked senders list and address 5.7.511 Access denied errors](/microsoft-365/security/office-365-security/use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis?view=o365-worldwide) | modified |

+| 3/10/2023 | [Set up secure file and document sharing and collaboration with Teams in Microsoft 365](/microsoft-365/solutions/setup-secure-collaboration-with-teams?view=o365-worldwide) | modified |

+| 3/10/2023 | [Overview of the Apps page in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-apps-page-overview?view=o365-worldwide) | added |

+| 3/10/2023 | [Overview of the Device health page in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-device-health-overview?view=o365-worldwide) | added |

+ Title: "Overview of the Apps page in Microsoft 365 Lighthouse"

+f1.keywords: NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Tier1

+- scotvorg

+- M365-subscription-management

+- Adm_O365

+- AdminSurgePortfolib

+- M365-Lighthouse

+search.appverid: MET150

+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to view application performance insights."

+# Overview of the Apps page in Microsoft 365 Lighthouse

+Microsoft 365 Lighthouse brings the features of Microsoft Endpoint Analytics for applications into a simplified management view. The Apps page provides insight into potential issues for desktop applications on managed devices. You can quickly identify the top applications impacting end-user productivity along with app failure metrics for these applications.

+The data only reflects fully managed Windows devices. Data on Bring Your Own Devices is not supported.

+## Requirements

+Devices must be enrolled in Microsoft Intune. For more information on enrollment, see [What is Endpoint analytics?](/mem/analytics/overview) Once a device is enrolled, the Apps page will automatically populate with data. It may take up to 48 hours to see updates.

+> [!NOTE]

+> If data doesnΓÇÖt show up for a specific application, verify that the policy is enabled. From the tenantΓÇÖs deployment plan, under **Set up device enrollment**, verify that **Device health monitoring policy** is compliant. If not compliant, deploy the policy.

+## App performance tab

+The Apps performance tab provides application insight from the past 14 days. For each application, Lighthouse provides the following information,

+- **Name**: The app identifier in the file manifest provided by your client devices. The app name is typically in executable (or .exe) format.

+- **Publisher**: The publisher of the executable reported in the file manifest.

+- **Total** **Active devices (14 days)**: The total number of enrolled devices that have launched this app at least once in the past 14 days.

+- **Total crashes (14 days):** The total number of application crash events reported across all enrolled devices over the past 14 days.

+- **Total app hangs:** The total number of application hangs reported across all enrolled devices over the past 14 days.

+Select an application from the list for more detailed application information, including which devices are having issues. A shortcut is provided to view the device in Microsoft Endpoint Manager, where you can see more insights and recommendations.

+The App performance tab also includes the following options:

+- **Export**: Select to export app performance data to an Excel comma-separated values (.csv) file.

+- **Search**: Enter keywords to quickly locate a specific name or publisher in the list.

+## Related content

+[What is Endpoint analytics?](/mem/analytics/overview) (article)\

+[Application reliability in endpoint analytics](/mem/analytics/app-reliability) (article)

+ Title: "Overview of the Device health page in Microsoft 365 Lighthouse"

+f1.keywords: NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Tier1

+- scotvorg

+- M365-subscription-management

+- Adm_O365

+- AdminSurgePortfolib

+- M365-Lighthouse

+search.appverid: MET150

+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to view device health insights."

+# Overview of the Device health page in Microsoft 365 Lighthouse

+Microsoft 365 Lighthouse brings the features of Microsoft Endpoint Analytics for devices into a simplified multi-tenant management view. Performance issues and other problems can go undetected by a tenant for an extended period, impacting end-user experience and increasing support costs. The Device health page brings these problems to the surface faster and across multiple tenants to save time and end-user pain by allowing you to gain insights and remedy problems.

+The Device health page provides a subset of device analytics offered through Endpoint Analytics, specifically device performance and startup processes. Example data includes device health status, total restarts, total blue screens, top processes, and hardware specifications. The data only reflects fully managed Windows devices. Data on Bring Your Own Devices is not supported.

+## Requirements

+Devices must be enrolled in Microsoft Intune. For more information on enrollment, see [What is Endpoint analytics?](/mem/analytics/overview) Once a device is enrolled, the Device health page will automatically populate with data. It may take up to 48 hours to see updates.

+> [!NOTE]

+> If data doesnΓÇÖt show up for a specific tenant, verify that the policy is enabled. From the tenantΓÇÖs deployment plan, under **Set up device enrollment**, verify that **Device health monitoring policy** is compliant. If not compliant, deploy the policy.

+## Overview tab

+The Overview tab provides a multi-tenant view of device health, including the total number of restarts and blue screens. Select a tenant from the list to see device-specific details.

+The Overview tab also includes the following options:

+- **Tenant filter:** Filter by tenant or tag.

+- **Date filter:** Filter by date range.

+- **Export**: Select to export device data to an Excel comma-separated values (.csv) file.

+## Devices tab

+The Device tab provides device health insights for all managed Windows devices, including,

+- Health status (Needs attention, Meeting goals, Insufficient data)

+- Start up performance score ΓÇô To learn more, see [Scores, baselines, and insights in Endpoint Analytics](/mem/analytics/scores).

+- Total restarts

+- Total blue screens

+- Startup processes

+- Hardware model, manufacturer, OS version, and disk type

+Select a device from the list for more detailed device information, including a comprehensive list of startup processes on that device. A shortcut is provided to view the device in Microsoft Endpoint Manager, where you can see more insights and recommendations.

+The Devices tab also includes the following options:

+- **Tenant filter:** Filter by tenant or tag.

+- **Date filter:** Filter by date range.

+- **Export**: Select to export device data to an Excel comma-separated values (.csv) file.

+- **Search**: Enter keywords to quickly locate a specific device in the list.

+- **Choose Columns**: Select which columns to show.

+## Related content

+[What is Endpoint analytics?](/mem/analytics/overview) (article)\

+[Scores, baselines, and insights in Endpoint Analytics](/mem/analytics/scores) (article)

+`https://login.microsoftonline.com/{tenant}/adminconsent?client_id=2d94989f-457a-47c1-a637-e75acdb11568`

+|`-Scan [-ScanType [<value>]] [-File <path> [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout <days>] [-Cancel]`|Scans for malicious software. Values for **ScanType** are:<p>**0** Default, according to your configuration<p>**1** Quick scan<p>**2** Full scan<p>**3** File and directory custom scan.<p>CpuThrottling runs according to policy configurations.|

+|`-CaptureNetworkTrace -Path <path>`|Captures all the network input into the Network Protection service and saves it to a file at `<path>`. <br/>Supply an empty path to stop tracing.|

+|`-GetFiles [-SupportLogLocation <path>]`|Collects support information. See [collecting diagnostic data](collect-diagnostic-data.md).|

+|`-GetFilesDiagTrack`|Same as `-GetFiles`, but outputs to temporary DiagTrack folder.|

+|`-RemoveDefinitions [-All]`|Restores the installed security intelligence to a previous backup copy or to the original default set.|

+|`-RemoveDefinitions [-DynamicSignatures]`|Removes only the dynamically downloaded security intelligence.|

+|`-RemoveDefinitions [-Engine]`|Restores the previous installed engine.|

+|`-SignatureUpdate [-UNC \|-MMPC]`|Checks for new security intelligence updates.|

+|`-Restore [-ListAll \|[[-Name <name>] [-All] \|[-FilePath <filePath>]] [-Path <path>]]`|Restores or lists quarantined item(s).|

+|`-AddDynamicSignature [-Path]`|Loads dynamic security intelligence.|

+|`-ListAllDynamicSignatures`|Lists the loaded dynamic security intelligence.|

+|`-RemoveDynamicSignature [-SignatureSetID]`|Removes dynamic security intelligence.|

+|`-CheckExclusion -path <path>`|Checks whether a path is excluded.|

+|`-ResetPlatform`| Revert platform binaries back to the previous installed version of the Defender platform.|

+|`-RevertPlatform`|reset platform binaries back to `%ProgramFiles%\Windows Defender`.|

+|**ValidateMapsConnection failed (800106BA)** or **0x800106BA**|The Microsoft Defender Antivirus service is disabled. Enable the service and try again. If you need help re-enabling Microsoft Defender Antivirus, see [Reinstall/enable Microsoft Defender Antivirus on your endpoints](switch-to-mde-phase-2.md#step-1-reinstallenable-microsoft-defender-antivirus-on-your-endpoints).<p> Note that in Windows 10 1909 or older, and Windows Server 2019 or older, the service was formerly called *Windows Defender Antivirus*.|

+- [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)

+- [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)

+- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)

+- [Configure Defender for Endpoint on Android features](android-configure.md)

+- [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)

+## Mixed-licensing scenarios

+A mixed-licensing scenario is a situation in which an organization is using a mix of subscriptions, such as Defender for Endpoint Plan 1 and Plan 2. The following table describes examples of mixed-licensing scenarios:

+| Scenario | Description |

+|:|:|

+| *Mixed tenant* | Use different sets of capabilities for groups of users and their devices. Examples include:<br/>- Defender for Endpoint Plan 1 and Defender for Endpoint Plan 2<br/>- Microsoft 365 E3 and Microsoft 365 E5 |

+| *Mixed trial* | Try a premium level subscription for some users. Examples include: <br/>- Defender for Endpoint Plan 1 (purchased for all users), and Defender for Endpoint Plan 2 (a trial subscription has been started for some users)<br/>- Microsoft 365 E3 (purchased for all users), and Microsoft 365 E5 (a trial subscription has been started for some users) |

+| *Phased upgrades* | Upgrade user licenses in phases. Examples include:<br/>- Moving groups of users from Defender for Endpoint Plan 1 to Plan 2<br/>- Moving groups of users from Microsoft 365 E3 to E5 |

+**If you have Defender for Endpoint Plan 1 and Plan 2 in your tenant, the ability to manage your subscription settings across client devices is now in preview**! This new capability enables you to:

+- Apply *either* Defender for Endpoint Plan 1 *or* Plan 2 settings to all your client devices; or

+- Use mixed mode, and apply Defender for Endpoint Plan 1 settings to some client devices, and Defender for Endpoint Plan 2 to other client devices.

+You can also use a newly added license usage report to track status.

+**For more information, including how to use mixed-licensing scenarios in your tenant, see [Manage your Defender for Endpoint subscription settings across devices](defender-endpoint-subscription-settings.md)**.

+ Title: Manage your Microsoft Defender for Endpoint subscription settings across client devices

+description: Learn about your options for managing your Defender for Endpoint subscription settings. Choose Plan 1, Plan 2, or mixed mode.

+keywords: Defender for Endpoint, choose plan 1, choose plan 2, mixed mode, device tag, endpoint protection, endpoint security, device security, cybersecurity

+search.appverid: MET150

+audience: ITPro

+ms.localizationpriority: medium

+f1.keywords: NOCSH

+- M365-security-compliance

+- m365initiative-defender-endpoint

+# Manage Microsoft Defender for Endpoint subscription settings across client devices

+A [mixed-licensing scenario](defender-endpoint-plan-1-2.md#mixed-licensing-scenarios) is a situation in which an organization is using a mix of Defender for Endpoint Plan 1 and Plan 2 licenses. Until recently, mixed-licensing scenarios weren't supported; in cases of multiple subscriptions, the highest functional subscription would take precedence for your tenant. Now, **the ability to manage your subscription settings to accommodate mixed licensing scenarios across client devices is currently in preview**! These capabilities enable you to:

+- **Set your tenant to mixed mode and tag devices** to determine which client devices will receive features and capabilities from each plan (we call this option *mixed mode*); **OR**,

+- **Use the features and capabilities from one plan across all your client devices**.

+## [**Use mixed mode**](#tab/mixed)

+## Set your tenant to mixed mode and tag devices

+> [!IMPORTANT]

+> - **Mixed-mode settings apply to client endpoints only**. Tagging server devices wonΓÇÖt change their subscription state. All server devices running Windows Server or Linux should have appropriate licenses, such as [Defender for Servers](/azure/defender-for-cloud/plan-defender-for-servers-select-plan). See [Options for onboarding servers](defender-endpoint-plan-1-2.md#options-for-onboarding-servers).

+> - **Make sure to follow the procedures in this article to try mixed-license scenarios in your environment**. Assigning user licenses in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)) doesn't set your tenant to mixed mode.

+> - Make sure that you have opted in to receive [preview features](preview.md).

+> - **You should have active trial or paid licenses for both Defender for Endpoint Plan 1 and Plan 2**.

+> - To access license information, you must have one of the following roles assigned in Azure Active Directory (Azure AD):

+> - Global Admin

+> - Security Admin

+> - License Admin + MDE Admin

+1. As an admin, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

+2. Go to **Settings** > **Endpoints** > **Licenses**. Your usage report report opens and displays information about your organizationΓÇÖs Defender for Endpoint licenses.

+3. Under **Subscription state**, select **Manage subscription settings**.

+ > [!NOTE]

+ > If you don't see **Manage subscription settings**, at least one of the following conditions is true:

+ > - You have Defender for Endpoint Plan 1 or Plan 2 (but not both); or

+ > - Mixed-license capabilities haven't rolled out to your tenant yet.

+4. A **Subscription settings** flyout opens. Choose the option to use Defender for Endpoint Plan 1 and Plan 2. (No changes will occur until devices are tagged as per the next step.)

+5. Tag the devices that should receive either Defender for Endpoint Plan 1 or Plan 2 capabilities. You can choose to tag your devices manually or by using a dynamic rule. [Learn more about device tagging](#more-details-about-device-tagging).

+ | Method | Details |

+ |:|:|

+ | Tag devices manually | To tag devices manually, create a tag called `License MDE P1` and apply it to devices. To get help with this step, see [Create and manage device tags](machine-tags.md).<br/><br/>Note that devices that are tagged with the `License MDE P1` tag using the [registry key method](machine-tags.md#add-device-tags-by-setting-a-registry-key-value) will not receive downgraded functionality. If you want to tag devices by using the registry key method, use a dynamic rule instead of manual tagging. |

+ | Tag devices automatically by using a dynamic rule | *Dynamic rule functionality is new for mixed-license scenarios! It allows you to apply a dynamic and granular level of control over how you manage devices*. <br/><br/>To use a dynamic rule, you specify a set of criteria based on device name, domain, operating system platform, and/or device tags. Devices that meet the specified criteria will receive the Defender for Endpoint Plan 1 or Plan 2 capabilities according to your rule. <br/><br/>As you define your criteria, you can use the following condition operators: <br/>- `Equals` / `Not equals`<br/>- `Starts with`<br/>- `Contains` / `Does not contain` <br/><br/>For **Device name**, you can use freeform text.<br/><br/>For **Domain**, select from a list of domains.<br/><br/>For **OS platform**, select from a list of operating systems.<br/><br/>For **Tag**, use the freeform text option. Type the tag value that corresponds to the devices that should receive either Defender for Endpoint Plan 1 or Plan 2 capabilities. See the example in [More details about device tagging](#more-details-about-device-tagging). |

+

+ Device tags are visible in the **Device inventory** view and in the [Defender for Endpoint APIs](apis-intro.md).

+ > [!NOTE]

+ > Dynamically added Defender for Endpoint P1 tags are not currently filterable in the Device inventory view.

+6. Save your rule and wait for up to three (3) hours for tags to be applied. Then, proceed to [Validate that a device is receiving only Defender for Endpoint Plan 1 capabilities](#validate-that-a-device-is-receiving-only-defender-for-endpoint-plan-1-capabilities).

+### More details about device tagging

+As described in [Tech Community blog: How to use tagging effectively](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058), device tagging provides you with granular control over devices. With device tags, you can:

+- Display certain devices to individual users in the Microsoft 365 Defender portal so that they see only the devices they're responsible for.

+- Include or exclude devices from specific security policies.

+- Determine which devices should receive Defender for Endpoint Plan 1 or Plan 2 capabilities. (*This capability is now in preview!*)

+For example, suppose that you want to use a tag called `VIP` for all the devices that should receive Defender for Endpoint Plan 2 capabilities. Here's what you would do:

+1. Create a device tag called `VIP`, and apply it to all the devices that should receive Defender for Endpoint Plan 2 capabilities. Use one of the following methods to create your device tag:

+ - [Add and manage device tags using the Microsoft 365 Defender portal](machine-tags.md#add-and-manage-device-tags-using-the-portal).

+ - [Add device tags by setting a registry key value](machine-tags.md#add-device-tags-by-setting-a-registry-key-value).

+ - [Add or remove machine tags by using the Defender for Endpoint API](add-or-remove-machine-tags.md).

+ - [Add device tags by creating a custom profile in Microsoft Intune](machine-tags.md#add-device-tags-by-creating-a-custom-profile-in-microsoft-intune).

+2. Set up a dynamic rule using the condition operator `Tag Does not contain VIP`. In this case, all devices that do not have the `VIP` tag will receive the `License MDE P1` tag and Defender for Endpoint Plan 1 capabilities.

+## [**Use one plan**](#tab/oneplan)

+## Use the features and capabilities from one plan across all your devices

+> [!IMPORTANT]

+> - Make sure that you have opted in to receive [preview features](preview.md).

+> - To access license information, you must have one of the following roles assigned in Azure Active Directory (Azure AD):

+> - Global Admin

+> - Security Admin

+> - License Admin + MDE Admin

+1. As a Security Admin or Global Admin, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

+2. Go to **Settings** > **Endpoints** > **Licenses**.

+3. Under **Subscription state**, select **Manage subscription settings**.

+ > [!NOTE]

+ > If you don't see **Manage subscription settings**, at least one of the following conditions is true:

+ > - You have Defender for Endpoint Plan 1 or Plan 2 (but not both); or

+ > - Mixed-license capabilities haven't rolled out to your tenant yet.

+4. A **Subscription settings** flyout opens. Choose one plan for all users and devices, and then select **Done**. It can take up to three hours for your changes to be applied.

+ If you chose to apply Defender for Endpoint Plan 1 to all devices, proceed to [Validate that devices are receiving only Defender for Endpoint Plan 1 capabilities](#validate-that-a-device-is-receiving-only-defender-for-endpoint-plan-1-capabilities).

+## Validate that a device is receiving only Defender for Endpoint Plan 1 capabilities

+After you have assigned Defender for Endpoint Plan 1 capabilities to some or all devices, you can verify that an individual device is receiving those capabilities.

+1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), go to **Assets** > **Devices**.

+2. Select a device that is tagged with `License MDE P1`. You should see that Defender for Endpoint Plan 1 is assigned to the device.

+> [!NOTE]

+> Devices that are assigned Defender for Endpoint Plan 1 capabilities will not have vulnerabilities or security recommendations listed.

+## Review license usage

+The license usage report is estimated based on sign-in activities on the device. To reduce management overhead, there will not be a requirement for device-to-user mapping and assignment. Instead, the license report will provide a utilization estimation that is calculated based on the utilization seen across your organization. It might take up to one day for your usage report to reflect the active usage of your devices.

+> [!IMPORTANT]

+> To access license information, you must have one of the following roles assigned in Azure Active Directory (Azure AD):

+> - Security Admin

+> - Global Admin

+> - License Admin + MDE Admin

+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

+2. Choose **Settings** > **Endpoints** > **Licenses**.

+3. Review your available and assigned licenses. The calculation is based on detected users who have accessed devices that are onboarded to Defender for Endpoint.

+## More resources

+- [Compare Microsoft endpoint security plans](defender-endpoint-plan-1-2.md)

+- [Licensing and product terms for Microsoft 365 subscriptions](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA).

+- [How to contact support for Defender for Endpoint](contact-support.md).

+- [Get started with Microsoft Security (trial offers)](https://www.microsoft.com/security/business/get-started/start-free-trial)

+- [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md)

+- [Microsoft Defender for Business](../defender-business/mdb-overview.md) (endpoint protection for small and medium-sized businesses)

+ > Only admins and users who have "Manage Portal Settings" permissions can enable live response.

+|type|Enum|Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "LiveResponse", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution", and "UnrestrictCodeExecution".|

+## How to roll back an update

+In the unfortunate event that you encounter issues after a platform update, you can roll back to the previous or the inbox version of the Microsoft Defender platform.

+- To roll back to the previous version, run the following command:<br>

+`"%programdata%\Microsoft\Windows Defender\Platofrm\<version>\MpCmdRun.exe" -RevertPlatform`

+- To roll back this update to the version shipped with the Operating System ("%ProgramFiles%\Windows Defender")<br>

+`"%programdata%\Microsoft\Windows Defender\Platofrm\<version>\MpCmdRun.exe" -ResetPlatform`

+## Platform version included with Windows 10 releases

+|1809 (RS5) |`4.18.1807.5` |`1.1.15000.2` | Technical upgrade support (only) |

+### 20230308.1

+- Defender package version: **20230308.1**

+- Security intelligence version: **1.383.1321.0**

+- Engine version: **1.1.20000.2**

+- Platform version: **4.18.2301.6**

+#### Fixes

+- None

+#### Additional information

+- None

+| Disable Microsoft Defender Antivirus Realtime Protection using PowerShell | Use the following PowerShell cmdlet: `Set-MpPreference -DisableRealtimeMonitoring $true` |

+With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Configuration Manager to [monitor Microsoft Defender Antivirus](/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](/intune/introduction-intune). When endpoints are onboarded to Defender for Endpoint, alerts are visible in Microsoft 365 Defender [unified alert and incident queues](/microsoft-365/security/defender/incident-queue).

+Within the Microsoft 365 Defender portal, reporting is also available for Microsoft Defender for Endpoint onboarded endpoints across platforms that include antivirus engine versions, security intelligence versions, and Microsoft Defender Antivirus platform versions via [Device Health reports](/microsoft-365/security/defender-endpoint/device-health-reports).

+> See [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).

+> [!NOTE]

+> If you're looking for Antivirus related information for other platforms, see:

+> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)

+> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)

+> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)

+> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)

+> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)

+> - [Configure Defender for Endpoint on Android features](android-configure.md)

+> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)

+> [!IMPORTANT]

+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

+|`DeviceSubtype` | `string` | Additional modifier for certain types of devices, for example, a mobile device can be a tablet or a smartphone; only available if device discovery finds enough information about this attribute |

+|`SensorHealthState` | `string` | Indicates health of the deviceΓÇÖs EDR sensor, if onboarded to Microsoft Defender For Endpoint |

+| `IsExcluded`| `bool` | Determines if the device is currently excluded from Microsoft Defender for Vulnerability Management experiences |

+|`ExclusionReason` | `string` | Indicates the reason for device exclusion |

+| `AssetValue`| `string` | Indicates the value of a device as assigned by the user |

+| `ExposureLevel` | `string` | Indicates the exposure level of a device |

+The `DeviceInfo` table provides device information based on periodic reports or signals (heartbeats) from a device. Complete reports are sent every hour and every time a change happens to a previous heartbeat.

+> [!IMPORTANT]

+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

+| `NetworkAdapterVendor` | `string` | Name of the manufacturer or vendor of the network adapter |

+For more information, see [view attack disruption details and results](autoad-results.md).

+Microsoft 365 Defender supports security information and event management (SIEM) tools ingesting information from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for a registered AAD application representing the specific SIEM solution or connector installed in your environment.

+There are two primary models to ingest security information:

+1. Ingesting Microsoft 365 Defender incidents and their contained alerts from a REST API in Azure.

+2. Ingesting streaming event data either through Azure Event Hubs or Azure Storage Accounts.

+Microsoft 365 Defender currently supports the following SIEM solution integrations:

+- Support for updating Microsoft 365 Defender Incidents and/or Microsoft Defender for Endpoint Alerts and the respective dashboards has been moved to the Microsoft 365 App for Splunk.

+Use the Splunk Add-on for Microsoft Cloud Services to ingest events from Azure Event Hubs.

+Use the new IBM QRadar Microsoft 365 Defender Device Support Module (DSM) that calls the [Microsoft 365 Defender Streaming API](streaming-api.md) that allows ingesting streaming event data from Microsoft 365 Defender products via Event Hubs or Azure Storage Account. For more information on supported event types, see [Supported event types](supported-event-types.md).

+> [!IMPORTANT]

+> You must be a Global Administrator or Security Administrator in Azure Active Directory, or have all the **Authorization** permissions assigned in Microsoft 365 Defender RBAC to perform this task. For more information on permissions, see [Permission pre-requisites](../defender/manage-rbac.md#permissions-pre-requisites).

+ > [!NOTE]

+ > [!NOTE]

+ > [!NOTE]

+> [!NOTE]

+> For the Microsoft 365 Defender security portal to start enforcing the permissions and assignments configured in your new or imported roles, you'll need to activate the new Microsoft 365 Defender RBAC model. For more information, see [Activate Microsoft 365 Defender RBAC](activate-defender-rbac.md).

+f1.keywords:

+You can also manage custom detections that apply to data from specific Microsoft 365 Defender solutions if you have permissions for them. If you only have manage permissions for Microsoft 365 Defender for Office, for instance, you can create custom detections using `Email` tables but not `Identity` tables.

+- Assign the **security administrator** or **security operator** role in [Microsoft 365 admin center](https://admin.microsoft.com/) under **Roles** \> **Security admin**.

+- Check RBAC settings for Microsoft Defender for Endpoint in [Microsoft 365 Defender](https://security.microsoft.com/) under **Settings** \> **Permissions** > **Roles**. Select the corresponding role to assign the **manage security settings** permission.

+### 1. Prepare the query

+In the Microsoft 365 Defender portal, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.

+> [!IMPORTANT]

+> To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.

+ - `DeviceId`

+ - `DeviceName`

+ - `RemoteDeviceName`

+ - `RecipientEmailAddress`

+ - `SenderFromAddress` (envelope sender or Return-Path address)

+ - `SenderMailFromAddress` (sender address displayed by email client)

+ - `RecipientObjectId`

+ - `AccountObjectId`

+ - `AccountSid`

+ - `AccountUpn`

+ - `InitiatingProcessAccountSid`

+ - `InitiatingProcessAccountUpn`

+ - `InitiatingProcessAccountObjectId`

+> [!NOTE]

+> Support for additional entities will be added as new tables are added to the [advanced hunting schema](advanced-hunting-schema-tables.md).

+### 2. Create new rule and provide alert details

+- **Description**ΓÇömore information about the component or activity identified by the rule

+> [!TIP]

+> Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored.

+Near real-time detections are supported for the following tables:

+- `DeviceEvents`

+- `DeviceFileCertificateInfo`

+- `DeviceFileEvents`

+- `DeviceImageLoadEvents`

+- `DeviceLogonEvents`

+- `DeviceNetworkEvents`

+- `DeviceNetworkInfo`

+- `DeviceInfo`

+- `DeviceProcessEvents`

+- `DeviceRegistryEvents`

+- `EmailAttachmentInfo`

+- `EmailEvents`

+- `EmailPostDeliveryEvents`

+- `EmailUrlInfo`

+- `UrlClickEvents`

+> [!NOTE]

+### 3. Choose the impacted entities

+### 4. Specify actions

+Your custom detection rule can automatically take actions on devices, files, users, or emails that are returned by the query.

+- When selected, the **Allow/Block** action can be applied to the file. Blocking files are only allowed if you have *Remediate* permissions for files and if the query results have identified a file ID, such as a SHA1. Once a file is blocked, other instances of the same file in all devices are also blocked. You can control which device group the blocking is applied to, but not specific devices.

+- When selected, the **Mark user as compromised** action is taken on users in the `AccountObjectId`, `InitiatingProcessAccountObjectId`, or `RecipientObjectId` column of the query results. This action sets the users risk level to "high" in Azure Active Directory, triggering corresponding [identity protection policies](/azure/active-directory/identity-protection/overview-identity-protection).

+- Select **Force password reset** to prompt the user to change their password on the next sign in session.

+Both the Disable user and Force password reset options require the user SID, which are in the columns `AccountSid`, `InitiatingProcessAccountSid`, `RequestAccountSid`, and `OnPremSid`.

+- If the custom detection yields email messages, you can select **Move to mailbox folder** to move the email to a selected folder (any of **Junk**, **Inbox**, or **Deleted items** folders).

+### 5. Set the rule scope

+### 6. Review and turn on the rule

+After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.

+> [!IMPORTANT]

+> Custom detections should be regularly reviewed for efficiency and effectiveness. To make sure you are creating detections that trigger true alerts, take time to review your existing custom detections by following the steps in [Manage existing custom detection rules](#manage-existing-custom-detection-rules).

+>

+> You maintain control over the broadness or specificity of your custom detections so any false alerts generated by custom detections might indicate a need to modify certain parameters of the rules.

+> [!TIP]

+In the rule details screen (**Hunting** \> **Custom detections** \> **[Rule name]**), go to **Triggered alerts**, which lists the alerts generated by matches to the rule. Select an alert to view detailed information about it and take the following actions:

+In the rule details screen (**Hunting** \> **Custom detections** \> **[Rule name]**), go to **Triggered actions**, which lists the actions taken based on matches to the rule.

+> [!TIP]

+> To quickly view information and take action on an item in a table, use the selection column [&#10003;] at the left of the table.

+> [!NOTE]

+> Some columns in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).

+> [!IMPORTANT]

+> You must be a Global Administrator or Security Administrator in Azure Active Directory, or have all the **Authorization** permissions assigned in Microsoft 365 Defender RBAC to perform this task. For more information on permissions, see [Permission pre-requisites](../defender/manage-rbac.md#permissions-pre-requisites).

+> [!NOTE]

+> After editing an imported role, the changes made in Microsoft 365 Defender RBAC will not be reflected back in the individual product RBAC model.

+> [!NOTE]

+> After deleting an imported role, the role won't be deleted from the individual product RBAC model. If needed, you can re-import it to the Microsoft 365 Defender RBAC list of roles.

+f1.keywords:

+This article outlines the process to enable and pilot Microsoft Defender for Endpoint. Before starting this process, be sure you've reviewed the overall process for [evaluating Microsoft 365 Defender](eval-overview.md), and you've [created the Microsoft 365 Defender evaluation environment](eval-create-eval-environment.md).

+|Step|Description|

+|||

+|[Step 1. Review architecture requirements and key concepts](eval-defender-endpoint-architecture.md)|Understand the Defender for Endpoint architecture and the capabilities available to you.|

+|[Step 2. Enable the evaluation environment](eval-defender-endpoint-enable-eval.md)|Follow the steps to set up the evaluation environment.|

+|[Step 3. Set up the pilot](eval-defender-endpoint-pilot.md)|Verify your pilot group, run simulations, and become familiar with key features and dashboards.|

+f1.keywords:

+The following diagram illustrates the baseline architecture for Defender for Identity.

+- Sensors can also parse Active Directory Federation Services (AD FS) when Azure AD is configured to use federated authentication (dotted line in illustration).

+| Reports | Defender for Identity reports allow you to schedule or immediately generate and download reports that provide system and entity status information. You can create reports about system health, security alerts, and potential lateral movement paths detected in your environment. | [Microsoft Defender for Identity Reports](/defender-for-identity/reports) |

+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)

+f1.keywords:

+Use the following steps to set up your Microsoft Defender for Identity environment.

+Sign in to the Defender for Identity portal to create your instance and then connect this instance to your Active Directory environment.

+|Step|Description|More information|

+||||

+|1|Create the Defender for Identity instance|[Quickstart: Create your Microsoft Defender for Identity instance](/defender-for-identity/install-step1)|

+|2|Connect the Defender for Identity instance to your Active Directory forest|[Quickstart: Connect to your Active Directory Forest](/defender-for-identity/install-step2)|

+|Step|Description|More information|

+||||

+|1|Determine how many Microsoft Defender for Identity sensors you need.|[Plan capacity for Microsoft Defender for Identity](/defender-for-identity/capacity-planning)|

+|2|Download the sensor setup package|[Quickstart: Download the Microsoft Defender for Identity sensor setup package](/defender-for-identity/install-step3)|

+|3|Install the Defender for Identity sensor|[Quickstart: Install the Microsoft Defender for Identity sensor](/defender-for-identity/install-step4)|

+|4|Configure the sensor|[Configure Microsoft Defender for Identity sensor settings](/defender-for-identity/install-step5)|

+|Step|Description|More information|

+||||

+|1|Configure Windows event log collection|[Configure Windows Event collection](/defender-for-identity/configure-windows-event-collection)|

+|2|Configure Internet proxy settings|[Configure endpoint proxy and Internet connectivity settings for your Microsoft Defender for Identity Sensor](/defender-for-identity/configure-proxy)|

+Microsoft Defender for Identity lateral movement path detection relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity Service account.

+For instructions on how to do this, see [Configure Microsoft Defender for Identity to make remote calls to SAM](/defender-for-identity/install-step8-samr).

+- [Step 2: Try out capabilities ΓÇö Walk through tutorials for identifying and remediating different attack types](#step-2-try-out-capabilities--walk-through-tutorials-for-identifying-and-remediating-different-attack-types)

+f1.keywords:

+> [!NOTE]

+> If you are brand new to security analysis and incident response, see the [Respond to your first incident walkthrough](first-incident-overview.md) to get a guided tour of a typical process of analysis, remediation, and post-incident review.

+4. Select **Open incident page** to get more information about the incident.

+> Before we walk you through this simulation, watch the following video to get familiar with what automated self-healing is, where to find it in the portal, and how it can help in your security operations:

+|Step|Description|

+|1. [Simulate attacks](eval-defender-investigate-respond-simulate-attack.md)|Simulate attacks on your evaluation environment and use the Microsoft 365 Defender portal to perform incident response.|

+|2. [Try incident response capabilities](eval-defender-investigate-respond-additional.md)|Try additional incident response features and capabilities in Microsoft 365 Defender.|

+## Navigation you may need

+f1.keywords:

+Before enabling Microsoft Defender for Cloud Apps, be sure you understand the architecture and can meet the requirements.

+- The use of cloud apps by an organization is unmonitored and unprotected.

+- This use falls outside the protections achieved within a managed organization.

+### Discovering cloud apps

+- A. Cloud App Discovery integrates with Microsoft Defender for Endpoint natively. Defender for Endpoint reports cloud apps and services being accessed from IT-managed Windows 10 and Windows 11 devices.

+### Managing cloud apps

+After you discover cloud apps and analyze how these apps are used by your organization, you can begin managing cloud apps that you choose.

+### Applying session controls to cloud apps

+Microsoft Defender for Cloud Apps serves as a reverse proxy, providing proxy access to sanctioned cloud apps. This provision allows Defender for Cloud Apps to apply session controls that you configure.

+### Integrating with Azure AD with Conditional Access App Control

+You might already have SaaS apps added to your Azure AD tenant to enforce multi-factor authentication and other conditional access policies. Microsoft Defender for Cloud Apps natively integrates with Azure AD. All you have to do is configure a policy in Azure AD to use Conditional Access App Control in Defender for Cloud Apps. This routes network traffic for these managed SaaS apps through Defender for Cloud Apps as a proxy, which allows Defender for Cloud Apps to monitor this traffic and to apply session controls.

+- Defender for Cloud Apps monitors this traffic and applies any session control policies that have been configured by administrators.

+### Protecting your organization from hackers

+It's worth repeating this illustration from the overview to this Microsoft 365 Defender evaluation and pilot guide.

+| Defender for Cloud Apps Dashboard | Presents an overview of the most important information about your organization and gives links to deeper investigation. | [Working with the dashboard](/cloud-app-security/daily-activities-to-protect-your-cloud-environment) |

+| Cloud Discovery Dashboard | Cloud Discovery analyzes your traffic logs and is designed to give more insight into how cloud apps are being used in your organization as well as give alerts and risk levels. | [Working with discovered apps](/cloud-app-security/discovered-apps) |

+These options are included in [Step 2. Enable the evaluation environment](eval-defender-mcas-enable-eval.md).

+You can integrate Microsoft Defender for Cloud Apps with your generic SIEM server or with Microsoft Sentinel to enable centralized monitoring of alerts and activities from connected apps.

+f1.keywords:

+ - m365solution-evalutatemtp

+This article outlines the process to enable and pilot Microsoft Defender for Cloud Apps alongside Microsoft 365 Defender. Before starting this process, be sure you've reviewed the overall process for [evaluating Microsoft 365 Defender](eval-overview.md) and you have [created the Microsoft 365 Defender evaluation environment](eval-create-eval-environment.md).

+|[Set up the pilot](eval-defender-mcas-pilot.md) | Scope your deployment to certain user groups, configure Conditional Access App Control, and try out tutorials for protecting your environment. |

+ Title: Import roles to Microsoft 365 Defender RBAC

+> You must be a Global Administrator or Security Administrator in Azure Active Directory, or have all the **Authorization** permissions assigned in Microsoft 365 Defender RBAC to perform this task. For more information on permissions, see [Permission pre-requisites](../defender/manage-rbac.md#permissions-pre-requisites).

+> [!NOTE]

+> As a Microsoft partner, Protiviti contributed to and provided material feedback to this article.

+> [!NOTE]

+> [!NOTE]

+> [!NOTE]

+> Microsoft Defender for Endpoint automatically provisions in European Union (EU) data centers when turned on through Microsoft Defender for Cloud. Microsoft 365 Defender will automatically provision in the same EU data center for customers who have provisioned Microsoft Defender for Endpoint in this manner.

+- Go to [Defender monthly news](https://aka.ms/defendernews)

+Watch this short video to learn about the Microsoft 365 Defender portal.

+Microsoft 365 Defender emphasizes *unity, clarity, and common goals*.

+> [!IMPORTANT]

+You can search across the following entities in Defender for Endpoint and Defender for Identity:

+- **Devices** - supported for both Defender for Endpoint and Defender for Identity. Supports use of search operators.

+- **Users** - supported for Defender for Endpoint, Defender for Identity, and Defender for Cloud Apps.

+ > [!NOTE]

+ > IP and URL searches are exact match and don't appear in the search results page ΓÇô they lead directly to the entity page.

+- **MDVM** - same capabilities as in Defender for Endpoint (vulnerabilities, software, and recommendations).

+- Third-party integrations to help secure users with effective threat protection, detection, investigation, and response in various security fields of endpoints, vulnerability management, email, identities, and cloud apps.

+- Professional services where organizations can enhance the detection, investigation, and threat intelligence capabilities of the platform.

+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4Bzww]

+|Search | The search bar is located at the top of the page. Suggestions are provided as you type. You can search across the following entities in Defender for Endpoint and Defender for Identity: <br><br> - **Devices** - supported for both Defender for Endpoint and Defender for Identity. You can even use search operators, for example, you can use "contains" to search for part of a host name. <br><br> - **Users** - supported for both Defender for Endpoint and Defender for Identity. <br><br> - **Files, IPs, and URLs** - same capabilities as in Defender for Endpoint. <br> NOTE: *IP and URL searches are exact match and don't appear in the search results page ΓÇô they lead directly to the entity page. <br><br> - **MDVM** - same capabilities as in Defender for Endpoint (vulnerabilities, software, and recommendations). <br><br> The enhanced search results page centralizes the results from all entities. |

+f1.keywords:

+This includes redirection for direct access to the former portal via browser, including links pointing towards the former securitycenter.windows.com portal - such as links in email notifications, and links returned by SIEM API calls.

+Once enabled, this update might take effect almost immediately for some accounts. But the redirection might take longer to propagate to every account in your organization. Accounts in active sessions while this setting is applied will not be ejected from their session and will only be routed to Microsoft 365 Defender after ending their current session and signing back in again.

+3. Navigate to **Settings** \> **Endpoints** \> **General** \> **Portal redirection** or [click here](https://security.microsoft.com/preferences2/portal_redirection).

+> [!IMPORTANT]

+> Enabling this setting will not terminate active user sessions. Accounts who are in an active session while this setting is applied will only be directed to Microsoft 365 Defender after ending their current session and signing in again.

+> [!NOTE]

+> You must be a global administrator or have security administrator permissions in Azure Active Directory to enable or disable this setting.

+2. Navigate to **Settings** \> **Endpoints** \> **General** \> **Portal redirection** or [open the page here](https://security.microsoft.com/preferences2/portal_redirection).

+This setting can be enabled again at any time.

+Once disabled, accounts will no longer be routed to security.microsoft.com, and you will once again have access to the former portal - securitycenter.windows.com or securitycenter.microsoft.com.

+- [Microsoft delivers unified SIEM and XDR to modernize security operations](https://www.microsoft.com/security/blog/?p=91813)

+- [XDR versus SIEM infographic](https://afrait.com/blog/xdr-versus-siem/)

+- [`The New Defender`](https://afrait.com/blog/the-new-defender/)

+- [About Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender)

+f1.keywords:

+Once enabled, this update might take effect almost immediately for some accounts. But the redirection might take longer to propagate to every account in your organization. Accounts in active sessions while this setting is applied won't be ejected from their session and will only be routed to Microsoft 365 Defender after ending their current session and signing back in again.

+> [!IMPORTANT]

+> Enabling this setting will not terminate active user sessions. Accounts who are in an active session while this setting is applied will only be directed to Microsoft 365 Defender after ending their current session and signing in again.

+> [!NOTE]

+> You must be a global administrator or have security administrator permissions in Azure Active Directory to enable or disable this setting.

+2. Navigate to **Settings** > **Identities** > **General** > **Portal redirection** or [open the page here](https://security.microsoft.com/preferences2/portal_redirection).

+search.appverid:

+Once you have completed an action it can take between 24-48 hours for the changes to be reflected in your secure score.

+When you select a specific recommended action, a full page flyout appears.

+> [!NOTE]

+> If you choose to create a 'Global exception' in the Defender Vulnerability management security recommendation, the status in the Microsoft Secure Score recommended action will be updated with the exception justification. Updates may take up to 2 hours.

+> If you choose to create an 'Exception per device group' in the Defender Vulnerability manage security recommendation, Secure Score will not be updated and the recommended action will remain as 'To address'.

+Prerequisites include any licenses that are needed or actions to be completed before the recommended action is addressed. Make sure you have enough seats in your license to complete the recommended action and that those licenses are applied to the necessary users.

+search.appverid:

+Secure Score helps organizations:

+- Report on the current state of the organization's security posture.

+- Improve their security posture by providing discoverability, visibility, guidance, and control.

+- Compare with benchmarks and establish key performance indicators (KPIs).

+> [!NOTE]

+> Currently, the Azure Active Directory related Microsoft Secure Score recommendations are not available for customer tenants registered in the following Azure Active Directory regions:

+> [!NOTE]

+> [!IMPORTANT]

+> Security defaults include security features that provide similar security to the "sign-in risk policy" and "user risk policy" recommended actions. Instead of setting up these policies on top of the security defaults, we recommend updating their statuses to "Resolved through alternative mitigation."

+- Global administrator

+- Security administrator

+- Exchange administrator

+- SharePoint administrator

+- Helpdesk administrator

+- User administrator

+- Service support administrator

+- Security reader

+- Security operator

+- Global reader

+ - tier1

+If you're new to Microsoft 365 Defender and Defender Experts for Hunting:

+3. The Microsoft 365 Defender quick tour will get you familiar with the security suite, where the capabilities are and how important they are. Select **Take a quick tour**.

+- Hunter-trained artificial intelligence to discover and target both known attacks and emerging threats

+- Identification of the most pertinent risks, helping SOCs maximize their effectiveness

+- Help in scoping compromises and as much context as can be quickly delivered to enable a swift SOC response

+You can set up Microsoft 365 Defender to notify you or your staff with an email about new incidents or updates to existing incidents, including those observed by Microsoft Defender Experts. [Learn more about getting incident notifications by email](/microsoft-365/security/defender/incidents-overview#get-incident-notifications-by-email)

+Select **Ask Defender Experts** directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization may face. Experts on Demand can help to:

+- Commodity ransomware is malware that spreads with phishing or between devices and encrypts files before demanding a ransom.

+- Human-operated ransomware is a planned and coordinated attack by active cybercriminals who employ multiple attack methods. In many cases, known techniques and tools are used to infiltrate your organization, find the assets or systems worth extorting, and then demand a ransom. Upon compromising a network, the attacker carries out reconnaissance of assets and systems which can be encrypted or extorted. The attackers then encrypt or exfiltrate data before demanding a ransom.

+- Microsoft Defender for Endpoint

+- Microsoft Defender for Office 365

+- Microsoft Defender for Identity

+- Microsoft Defender for Cloud Apps (including the app governance add-on)

+- Microsoft Azure AD Identity Protection

+- Microsoft Defender for IoT

+- Microsoft 365 Business Premium

+- Microsoft Defender for Business

+- When detected during the pre-ransom stage, smaller-scale mitigations such as isolating infected devices or user accounts can be used to disrupt and remediate the attack.

+- If detection comes at a later stage, such as when the malware used to encrypt files is being deployed, more aggressive remediation steps that can cause downtime might need to be used to disrupt and remediate the attack.

+- [Human-operated ransomware attacks: A preventable disaster](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/)

+- [Ransomware threat analytics reports in the Microsoft 365 Defender portal](https://sip.security.microsoft.com/threatanalytics3?page_size=30&filters=tags%3DRansomware&ordering=-lastUpdatedOn&fields=displayName,alertsCount,impactedEntities,exposureLevel,MisconfiguredDevices,VulnerableDevices,reportType,createdOn,lastUpdatedOn,tags,flag)

+- RDP brute force

+- Vulnerable internet-facing system

+- Weak application settings

+- Phishing email

+- Mimikatz

+- LSA secrets

+- Credential vault

+- Credentials in plaintext

+- Abuse of service accounts

+- Cobalt Strike

+- WMI

+- Abuse of management tools

+- PsExec

+- New accounts

+- GPO changes

+- Shadow IT tools

+- Schedule tasks

+- Service registration

+- Disabling security features

+- Clearing log files

+- Deleting attack artifact files

+- Resetting timestamps on altered files

+- Exfiltration of sensitive data

+- Encryption of data in place and in backups

+- Deletion of data in place and backups, which might be combined with a preceding exfiltration

+- Threat of public leakage of exfiltrated, sensitive data

+- A one-off attack to surveil the email messages of someone in the finance department of an organization.

+- The pre-ransom part of an attack chain to use compromised user account credentials to discover the resources available to the user account and to compromise other user accounts with higher levels of privilege and access.

+|Attack method|Signal source|Alternate security portals|

+||||

+|RDP brute force|Defender for Endpoint|Defender for Cloud Apps|

+|Vulnerable internet-facing system|Windows security features, Microsoft Defender for Servers|

+|Weak application settings|Defender for Cloud Apps, Defender for Cloud Apps with the app governance add-on|Defender for Cloud Apps|

+|Malicious app activity|Defender for Cloud Apps, Defender for Cloud Apps with the app governance add-on|Defender for Cloud Apps|

+|Phishing email|Defender for Office 365|

+|Password spray against Azure AD accounts|Azure AD Identity Protection via Defender for Cloud Apps|Defender for Cloud Apps|

+|Password spray against on-premises accounts|Microsoft Defender for Identity|

+|Device compromise|Defender for Endpoint|

+|Credential theft|Microsoft Defender for Identity|

+|Escalation of privilege|Microsoft Defender for Identity|

+|Spike category|Signal source|Alternate security portals|

+||||

+|Sign-ins: Numerous failed attempts, attempts to logon to multiple devices in a short period, multiple first-time logons, etc.|Azure AD Identity Protection via Defender for Cloud Apps, Microsoft Defender for Identity|Defender for Cloud Apps|

+|Recently active user account, group, machine account, app|Azure AD Identity Protection via Defender for Cloud Apps (Azure AD), Defender for Identity (Active Directory Domain Services [AD DS])|Defender for Cloud Apps|

+|Recent app activity such as data access|Apps with Defender for Cloud Apps with the app governance add-on|Defender for Cloud Apps|

+|Activity|Signal source|Alternate security portal|

+||||

+|New apps that are installed|Defender for Cloud Apps with the app governance add-on|Defender for Cloud Apps|

+|New user accounts|Azure Identity Protection|Defender for Cloud Apps|

+|Role changes|Azure Identity Protection|Defender for Cloud Apps|

+|Behavior|Signal source|

+|||

+|Malware spread to multiple devices|Defender for Endpoint|

+|Resource scanning|Defender for Endpoint, Defender for Identity|

+|Changes in mailbox forwarding rules|Defender for Office 365|

+|Data exfiltration and encryption|Defender for Office 365|

+-*Monitor for Adversary Disabling Security** ΓÇô as this is often part of human-operated ransomware (HumOR) attack chain

+- **Event Logs Clearing** ΓÇô especially the Security Event log and PowerShell Operational logs

+- **Disabling of security tools/controls** (associated with some groups)

+- An incident queue, which groups related alerts for an attack to provide the full attack scope, impacted assets, and automated remediation actions.

+- An alerts queue, which lists all of the alerts being tracked by Microsoft 365 Defender.

+- Microsoft Defender for Endpoint

+- Microsoft Defender for Office 365

+- Microsoft Defender for Identity

+- Microsoft Defender for Cloud Apps (including the app governance add-on)

+- Microsoft Azure AD Identity Protection

+- Microsoft Defender for IoT

+|Attacks and incidents|Signal source|

+|||

+|Cloud identity: Password spray, numerous failed attempts, attempts to log on to multiple devices in a short period, multiple first-time logons, recently active user accounts|Azure AD Identity Protection|

+|On-premises identity (AD DS) compromise|Defender for Identity|

+|Phishing|Defender for Office 365|

+|Malicious apps|Defender for Cloud Apps or Defender for Cloud Apps with app governance add-on|

+|Endpoint (device) compromise|Defender for Endpoint|

+|IoT-capable device compromise|Defender for IoT|

+- Incidents containing the "ransomware" category. Here is the corresponding [link](https://security.microsoft.com/incidents?filters=AlertStatus%3DNew%257CInProgress,category%3Dransomware&page_size=30&fields=expand,name,tags,severity,investigationStates,category,impactedEntities,alertCount,serviceSource,detectionSource,firstEventTime,lastEventTime,sensitivity,status,incidentAssignment,classification,determination,rbacGroup).

+- Incidents with a specified **Actor** name known to be performing ransomware attacks.

+- Incidents with a specified **Associated threat** name known to be used in ransomware attacks.

+- Incidents containing a custom tag that your SecOps team uses for incidents that are known to be part of a larger, coordinated ransomware attack.

+You can also use the Microsoft 365 Defender APIs to query the Microsoft 365 Defender incidents and alerts data in your tenant. A custom app can filter the data, filter it based on custom settings, and then provide a filtered list of links to alerts and incidents that you can easily select to go right to that alert or incident. See [List incidents API in Microsoft 365 Defender| Microsoft Docs](/api-list-incidents.md). You can also integrate your SIEM with Microsoft Defender, see [Integrate your SIEM tools with Microsoft 365 Defender](/configure-siem-defender.md).

+- The [Hunt for ransomware](/advanced-hunting-find-ransomware.md) article

+- GitHub repository for advanced hunting queries:

+ - [Ransomware-specific](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Ransomware) queries

+ - [All categories](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Ransomware) of queries

+- Threat analytics reports

+ - Advanced hunting section of the [Ransomware: A pervasive and ongoing threat](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport) analyst report

+ - Advanced hunting section of other analyst reports

+- How often to run the custom detection rule

+- The severity of the alert created by the rule

+- The MITRE attack phase for the created alert

+- Impacted entities

+- Actions to take on impacted entities

+- Pre-work for your SecOps team and organization

+- Security analyst training, as needed

+- Ongoing operational work to incorporate the latest attacks and detection experiences of your security analysts

+ - Processes for Tier 1 analyst scanning of incoming incidents and alerts and assignment to Tier 2 analysts for investigation.

+ - Manually running advanced hunting queries and their schedule (daily, weekly, monthly).

+ - Ongoing changes based on ransomware attack investigation and mitigation experiences.

+- Common ransomware attack chains (MITRE attack tactics and common threat techniques and malware)

+- Incidents and alerts and how to locate and analyze them in the Microsoft 365 Defender portal using:

+ - Alerts and incidents already created by Microsoft 365 Defender

+ - Pre-scanned URL-based filters for the Microsoft 365 Defender portal

+ - Programmatically via the incidents API

+- Advanced hunting queries to use and their manual schedule (daily, weekly, monthly)

+- Custom detection rules to use and their settings

+- Custom incident tags

+- The latest [threat analytics reports for ransomware](https://security.microsoft.com/threatanalytics3?page_size=30&filters=tags%3DRansomware&ordering=-lastUpdatedOn&fields=displayName,alertsCount,impactedEntities,reportType,createdOn,lastUpdatedOn,tags,flag) attacks in the Microsoft 365 Defender portal

+- Update your catalog of advanced hunting queries with:

+ - New queries based on the latest threat analytics reports in the Microsoft 365 Defender portal or the [Advanced Hunting GitHub repository](<https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Ransomware>).

+ - Changes to existing ones to optimize for threat identification or for better alert quality.

+- Update custom detection rules based on new or changed advanced hunting queries.

+- Update the set of operational tasks for ransomware detection.

+> [!NOTE]

+# Set up your Microsoft 365 Defender trial in a lab environment

+- Microsoft 365 Defender

+This topic guides you to set up a dedicated lab environment. For information on setting up a trial in production, see the new [Evaluate and pilot Microsoft 365 Defender](eval-overview.md) guide.

+> [!NOTE]

+> If you already have an existing Office 365 or Azure Active Directory subscription, you can skip the Office 365 E5 trial tenant creation steps.

+3. Fill in your first name, last name, business phone number, company name, company size, and country or region.

+4. Choose your verification preference: through a text message or call. Click **Send Verification Code**.

+11. [Optional] Download Office apps. Click **Next** to skip this step.

+13. Choose online services. Select **Exchange** and click **Next**.

+> [!NOTE]

+> Signing up for a trial gives you 25 user licenses to use for a month. See [Try or buy a Microsoft 365 subscription](../../commerce/try-or-buy-microsoft-365.md) for details.

+2. Select **Microsoft 365 E5** and click **Start free trial**.

+> [!NOTE]

+> The analyst report also lists **generic detections** that can identify a wide-range of threats, in addition to components or behaviors specific to the tracked threat. These generic detections don't reflect in the charts.

+> [!NOTE]

+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWwJfU]

+> [!CAUTION]

+> **The preview period for the ServiceNow connector has ended**

+>

+> This capability is no longer available. Thank you for your feedback and continued support while we determine next steps.

+- (Preview) Complete device reports for the [`DeviceInfo` table](advanced-hunting-deviceinfo-table.md) in advanced hunting are now sent *every hour* (instead of the previous daily cadence). In addition, complete device reports are also sent whenever there is a change to any previous report. New columns were also added to the `DeviceInfo` table, along with several improvements to existing data in `DeviceInfo` and [DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md) tables.

+> [!NOTE]

+|[</li></ul>

+> You can specify a maximum of 350 users for user impersonation protection in each anti-phishing policy.

+> User impersonation protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message can be identified as an impersonation attempt.

+>

+> You might get the error "The email address already exists" if you try to add a user to user impersonation protection when that email address is already specified for user impersonation protection in another anti-phishing policy. This error occurs only in the Defender portal. You won't get the error if you use the corresponding _TargetedUsersToProtect_ parameter in the **New-AntiPhishPolicy** or **Set-AntiPhishPolicy** cmdlets in Exchange Online PowerShell.

+> You can specify a maximum of 50 custom domains for domain impersonation protection in each anti-phishing policy.

+> Trusted domain entries don't include subdomains of the specified domain. You need to add an entry for each subdomain.

+> If Microsoft 365 system messages from the following senders are identified as impersonation attempts, you can add the senders to the trusted senders list:

+> - `noreply@email.teams.microsoft.com`

+> - `noreply@emeaemail.teams.microsoft.com`

+> - `no-reply@sharepointonline.com`

+ > [!NOTE]

+ > You can specify a maximum of 350 users for user impersonation protection in each anti-phishing policy.

+ >

+ > User impersonation protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message can be identified as an impersonation attempt.

+ >

+ > You might get the error "The email address already exists" if you try to add a user to user impersonation protection when that email address is already specified for user impersonation protection in another anti-phishing policy. This error occurs only in the Defender portal. You won't get the error if you use the corresponding _TargetedUsersToProtect_ parameter in the **New-AntiPhishPolicy** or **Set-AntiPhishPolicy** cmdlets in Exchange Online PowerShell.

+ > You can specify a maximum of 50 custom domains for domain impersonation protection in each anti-phishing policy.

+ > Trusted domain entries don't include subdomains of the specified domain. You need to add an entry for each subdomain.

+ > If Microsoft 365 system messages from the following senders are identified as impersonation attempts, you can add the senders to the trusted senders list:

+ > - `noreply@email.teams.microsoft.com`

+ > - `noreply@emeaemail.teams.microsoft.com`

+ > - `no-reply@sharepointonline.com`

+ > [!NOTE]

+ > You can't use dynamic distribution groups to target users.

+- This change impacts all customers who use the Office 365 Security & Compliance Center (protection.office.com), including Microsoft Defender for Office (Plan 1 or Plan 2), Microsoft 365 E3 / E5, Office 365 E3/ E5, and Exchange Online Protection. For the full list, see [Microsoft 365 guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance)

+> If your browser is being blocked by Safe Links and Safe Attachment pages, see [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/advanced-outlook-com-security-for-microsoft-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2?storagetype=live).

+> [!NOTE]

+> When opening an email cluster to view it in Explorer from the email cluster details, the PhishEdu and SecOps mailbox filters will be applied in Explorer but will not be shown. If you change the Explorer filters, dates, or refresh the query within the page ΓÇô then the PhishEdu/SecOps filter exclusions will get removed and emails that match these will be shown once again. If you refresh the Explorer page using the browser refresh function, the original query filters will get re-loaded, including the PhishEdu/SecOps filters ΓÇô but removing any subsequent changes you had made.

+> You can choose to do nothing about DKIM for your custom domain too. If you don't set up DKIM for your custom domain, Microsoft 365 creates a private and public key pair, enables DKIM signing, and then configures the Microsoft 365 default policy for your custom domain.

+|&nbsp;|Azure AD Conditional Access policy|Include|Exclude|

+|||||

+|**Starting point**|Require multifactor authentication for medium or high sign-in risk|*All users*|<ul><li>Emergency access accounts</li><li>Conditional Access exclusion group</li></ul>|

+|**Enterprise**|Require multifactor authentication for low, medium, or high sign-in risk|*Executive staff group*|<ul><li>Emergency access accounts</li><li>Conditional Access exclusion group</li></ul>|

+|**Specialized security**|Require multifactor authentication always|*Top Secret Project Buckeye group*|<ul><li>Emergency access accounts</li><li>Conditional Access exclusion group</li></ul>|

+|Policy|More information|Licensing|

+|[Require MFA when sign-in risk is *medium* or *high*](#require-mfa-based-on-sign-in-risk)|Use risk data from Azure AD Identity Protection to require MFA only when risk is detected|Microsoft 365 E5 or Microsoft 365 E3 with the E5 Security add-on|

+|[Block clients that don't support modern authentication](#block-clients-that-dont-support-multifactor-authentication)|Clients that don't use modern authentication can bypass Conditional Access policies, so it's important to block them.|Microsoft 365 E3 or E5|

+|[High risk users must change password](#high-risk-users-must-change-password)|Forces users to change their password when signing in if high-risk activity is detected for their account.|Microsoft 365 E5 or Microsoft 365 E3 with the E5 Security add-on|

+|[Apply application protection policies for data protection](#app-protection-policies)|One Intune app protection policy per platform (Windows, iOS/iPadOS, Android).|Microsoft 365 E3 or E5|

+|[Require approved apps and app protection policies](#require-approved-apps-and-app-protection-policies)|Enforces mobile app protection policies for phones and tablets using iOS, iPadOS, or Android.|Microsoft 365 E3 or E5|

+|Policy|More information|Licensing|

+|[Require MFA when sign-in risk is *low*, *medium*, or *high*](#require-mfa-based-on-sign-in-risk)|Use risk data from Azure AD Identity Protection to require MFA only when risk is detected|Microsoft 365 E5 or Microsoft 365 E3 with the E5 Security add-on|

+|[Define device compliance policies](#device-compliance-policies)|Set minimum configuration requirements. One policy for each platform.|Microsoft 365 E3 or E5|

+|[Require compliant PCs and mobile devices](#require-compliant-pcs-and-mobile-devices)|Enforces the configuration requirements for devices accessing your organization|Microsoft 365 E3 or E5|

+|Policy|More information|Licensing|

+|[*Always* require MFA](#always-require-mfa)|Users must perform MFA anytime they sign in to your organizations services|Microsoft 365 E3 or E5|

+|Property|Value|

+|Require BitLocker|Require|

+|Require Secure Boot to be enabled on the device|Require|

+|Require code integrity|Require|

+|Property|Value|

+|Require a password to unlock mobile devices|Require|

+|Simple passwords|Block|

+|Password type|Device default|

+|Minimum password length|6|

+|Maximum minutes of inactivity before password is required|15 minutes|

+|Password expiration (days)|41|

+|Number of previous passwords to prevent reuse|5|

+|Require password when device returns from idle state (Mobile and Holographic)|Require|

+|Require encryption of data storage on device|Require|

+|Firewall|Require|

+|Antivirus|Require|

+|Antispyware|Require|

+|Microsoft Defender Antimalware|Require|

+|Microsoft Defender Antimalware minimum version|Microsoft recommends versions no more than five behind from the most recent version.|

+|Microsoft Defender Antimalware signature up to date|Require|

+|Real-time protection|Require|

+|Property|Value|

+|[Require the device to be at or under the machine-risk score](/mem/intune/protect/advanced-threat-protection-configure#create-and-assign-compliance-policy-to-set-device-risk-level)|Medium|

+|Level of protection|Risk level values needed|Action|

+|Starting point|High, medium|Check both.|

+|Enterprise|High, medium, low|Check all three.|

+ Title: Prerequisite work for implementing Zero Trust identity and device access policies

+description: Admins can learn how long Defender for Office 365 features retain data.

+> Microsoft Defender for Office 365 comes in two different subscriptions: **Plan 1** and **Plan 2**. If you have **Threat Explorer** at <https://security.microsoft.com/threatexplorer>, you have Plan 2. Otherwise, you have **Real-time Detections** at <https://security.microsoft.com/realtimereports> as part of **Plan 1**.

+>

+> Your Defender for Office 365 subscription affects the tools that are available to you, so make sure you know which subscription you have as you learn.

+|Alert metadata details (Microsoft Defender for Office alerts)|90 days.|

+|Entity metadata details (Email)|30 days.|

+|Activity alert details (audit logs)|7 days.|

+|Email entity page|30 days.|

+|Quarantine|30 days (configurable; 30 days is the maximum).|

+|Reports|90 days for aggregated data. <br/><br/> 30 days for detailed information.|

+|Submissions|30 days.|

+|Real-Time detections|30 days.|

+|Action Center|180 days. <br/><br/> Office Action Center 30 days.|

+|Advanced Hunting|30 days.|

+|AIR (Automated investigation and response)|60 days for investigations metadata. <br/><br/> 30 days for email metadata.|

+|Attack simulation training data|18 months.|

+|Campaigns|30 days.|

+|Incidents|30 days.|

+|Remediation|30 days|

+|Threat Analytics|30 days.|

+|Threat Explorer|30 days.|

+|Threat Trackers|30 days.|

+ >

+ > You can specify a maximum of 350 users for user impersonation protection in the Standard or Strict preset security policy.

+ >

+ > User impersonation protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message can be identified as an impersonation attempt.

+ >

+ > You can specify a maximum of 50 custom domains for domain impersonation protection in the Standard or Strict preset security policy.

+ > [!NOTE]

+ > Trusted domain entries don't include subdomains of the specified domain. You need to add an entry for each subdomain.

+|**[Anti-malware policies](anti-malware-policies-configure.md)**|Yes (_QuarantineTag_)|

+- [Create anomaly detection policies in Defender for Cloud Apps](/cloud-app-security/anomaly-detection-policy)

+The details table below the chart provides the following near-real-time view of all clicks that happened within the organization for the last 30 days:

+|Value|Member name|Description|

+|28|ThreatIntelligence|Phishing and malware events from Exchange Online Protection and Microsoft Defender for Office 365.|

+|41|ThreatIntelligenceUrl|Safe Links time-of-block and block override events from Microsoft Defender for Office 365.|

+|47|ThreatIntelligenceAtpContent|Phishing and malware events for files in SharePoint Online, OneDrive for Business, and Microsoft Teams, from Microsoft Defender for Office 365.|

+|64|AirInvestigation|Automated investigation and response events, such as investigation details and relevant artifacts, from Microsoft Defender for Office 365 Plan 2.|

+> 550 5.7.511 Access denied, banned sender[xxx.xxx.xxx.xxx]. To request removal from this list, forward this message to delist@microsoft.com. For more information, go to https://go.microsoft.com/fwlink/?LinkId=526653.

+In the email to request removal from this list, provide the full NDR code and IP address. Microsoft will contact you within 48 hours with the next steps.

+As an organization's security posture is constantly changing alongside the cybersecurity landscape, making security posture improvements should be a continuous process. This article provides an overview of how you can strengthen your organization's security posture using capabilities available in Microsoft 365 Defender and other Microsoft security products, such as Microsoft Defender for Endpoint and Microsoft Defender Vulnerability Management.

+ms.localizationpriority: normal

+- Tier1

+- A sensitivity label for the team that allows you to turn guest sharing on or off and enforces a conditional access for access to the SharePoint site. The label is also used as a default label for files.

+- Site access is restricted to team members.

+To allow or block guest sharing, we'll use controls available in sensitivity labels.

+## Authentication context

+We'll use an [Azure Active Directory authentication context](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#configure-authentication-contexts) to enforce more stringent access conditions when users access SharePoint sites.

+First, add an authentication context in Azure Active Directory.

+To add an authentication context

+1. In [Azure Active Directory Conditional Access](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade), under **Manage**, click **Authentication context**.

+2. Click **New authentication context**.

+3. Type a name and description and select the **Publish to apps** check box.

+ 

+4. Click **Save**.

+Next, create a conditional access policy that applies to that authentication context and that requires guests to agree to a terms of use as a condition of access.

+To create a conditional access policy

+1. In [Azure Active Directory Conditional Access](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade), click **New policy**.

+1. Type a name for the policy.

+1. On the **Users and groups** tab, choose the **Select users and groups** option, and then select the **Guest or external users** check box.

+1. Choose **B2B collaboration guest users** from the dropdown.

+1. On the **Cloud apps or actions** tab, under **Select what this policy applies to**, choose **Authentication context**, and select the check box for the authentication context that you created.

+ 

+1. On the **Grant** tab, select **Require multifactor authentication**, and then click **Select**.

+1. Choose if you want to enable the policy, and then click **Create**.

+We'll point to the authentication context in the sensitivity label.

+For the highly sensitive level of protection, we'll be using a sensitivity label to classify the team. We'll also use this label to classify and encrypt individual files in the team. (It can also be used on files in other file locations such as SharePoint or OneDrive.)

+As a first step, you must enable sensitivity labels for Teams. See [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 Groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md) for details.

+1. Under **Solutions**, click **Information protection**.

+1. On the **Labels** tab, click **Create a label**.

+1. Give the label a name. We suggest **Highly sensitive**, but you can choose a different name if that one is already in use.

+1. Add a display name and description, and then click **Next**.

+1. On the **Define the scope for this label page**, select **Files & emails** and **Groups & sites** and clear **Include meetings**.

+1. Click **Next**.

+1. On the **Choose protection settings for files and emails** page, select **Apply or remove encryption**, and then click **Next**.

+1. On the **Encryption** page, choose **Configure encryption settings**.

+1. Under **Assign permissions to specific users and groups**, click **Assign permissions**.

+1. Click **Add all users and groups in your organization**.

+1. If there are guests who should have permissions to decrypt files, click **Add users or groups** and add them.

+1. Click **Save**, and then click **Next**.

+1. On the **Auto-labeling for files and emails** page, click **Next**.

+1. On the **Define protection settings for groups and sites** page, select **Privacy and external user access settings** and **External sharing and Conditional Access settings** and click **Next**.

+1. On the **Define privacy and external user access settings** page, under **Privacy**, select the **Private** option.

+1. If you want to allow guest access, under **External user access**, select **Let Microsoft 365 Group owners add people outside your organization to the group as guests**.

+1. Click **Next**.

+1. On the **Define external sharing and device access settings** page, select **Control external sharing from labeled SharePoint sites**.

+1. Under **Content can be shared with**, choose **New and existing guests** if you're allowing guest access or **Only people in your organization** if not.

+1. Select **Use Azure AD Conditional Access to protect labeled SharePoint sites**.

+1. Select the **Choose an existing authentication context** option, and then select the authentication context that you created from the dropdown list.

+1. Click **Next**.

+1. On the **Auto-labeling for database columns** page, click **Next**.

+1. Click **Create label**, and then click **Done**.

+- Restrict access to the site to members of the team only

+- Choose a default sensitivity label for the document library connected to the team.

+### Restrict site access to team members

+Each time you create a new team with the highly sensitive label, you need to turn on restricted site access on the associated SharePoint site. This prevents people from outside the team from accessing the site or its content. (This requires a Microsoft Syntex - SharePoint Advanced Management license.)

+[SharePoint PowerShell](/powershell/sharepoint/sharepoint-online/introduction-sharepoint-online-management-shell) is required to configure restricted site access.

+If you haven't used restricted site access before, you need to turn it on for your organization. To do this, run the following command:

+```Powershell

+Set-SPOTenant -EnableRestrictedAccessControl $true

+```

+> [!NOTE]

+> If you have Microsoft 365 Multi-Geo, you must run this command for each geo-location you want to use restricted access control.

+Wait for approximately one hour before turning on restricted access control for the site.

+To restrict site access for the site connected to your team, run the following command:

+```Powershell

+Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $true

+```

+### Choose a default sensitivity label for files

+We'll use the sensitivity label that we created as the default sensitivity label for the site document library that is connected to Teams. This will automatically apply the highly sensitive label to any new label-compatible files that are uploaded to the library, encrypting them. (This requires a Microsoft Syntex - SharePoint Advanced Management license.)

+To set a default sensitivity label for a document library

+1. In Teams, navigate to the **General** channel of the team you want to update.

+1. In the tool bar for the team, click **Files**.

+1. Click **Open in SharePoint**.

+1. In the SharePoint site, open **Settings** and then choose **Library settings**.

+1. From the **Library settings** flyout pane, select **Default sensitivity labels**, and then select the highly sensitive label from the drop-down box.

+For more details about how default library labels work, see [Configure a default sensitivity label for a SharePoint document library](/microsoft-365/compliance/sensitivity-labels-sharepoint-default-label).

+ms.localizationpriority: normal

+- Tier1

+- A sensitivity label for the team that allows you to turn guest sharing on or off and limits access to SharePoint content to web-only for unmanaged devices. This label is also used as the default label for files.

+For the sensitive level of protection, we'll be using a sensitivity label to classify the team. We'll also use this label to classify individual files in the team. (It can also be used on files in other file locations such as SharePoint or OneDrive.)

+As a first step, you must enable sensitivity labels for Teams. See [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 Groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md) for details.

+1. Under **Solutions**, click **Information protection**.

+1. Click **Create a label**.

+1. Give the label a name. We suggest **Sensitive**, but you can choose a different name if that one is already in use.

+1. Add a display name and description, and then click **Next**.

+1. On the **Define the scope for this label page**, select **Files & emails** and **Groups & sites** and clear **Include meetings**.

+1. Click **Next**.

+1. On the **Choose protection settings for files and emails** page, click **Next**.

+1. On the **Auto-labeling for files and emails** page, click **Next**.

+1. On the **Define protection settings for groups and sites** page, select **Privacy and external user access settings** and **External sharing and Conditional Access settings** and click **Next**.

+1. On the **Define privacy and external user access settings** page, under **Privacy**, select the **Private** option.

+1. If you want to allow guest access, under **External user access**, select **Let Microsoft 365 Group owners add people outside your organization to the group as guests**.

+1. Click **Next**.

+1. On the **Define external sharing and device access settings** page, select **Control external sharing from labeled SharePoint sites**.

+1. Under **Content can be shared with**, choose **New and existing guests** if you're allowing guest access or **Only people in your organization** if not.

+1. Select **Use Azure AD Conditional Access to protect labeled SharePoint sites**.

+1. Choose the **Determine whether users can access SharePoint sites from unmanaged devices** option, and then choose **Allow limited, web-only access**.

+1. Click **Next**.

+1. On the **Auto-labeling for database columns** page, click **Next**.

+1. Click **Create label**, and then click **Done**.

+Each time you create a new team with the sensitive label, there are three steps to do in SharePoint:

+- Choose a default sensitivity label for the document library connected to the team.

+### Choose a default sensitivity label for files

+We'll use the sensitivity label that we created as the default sensitivity label for the site document library that is connected to Teams. This will automatically apply the highly sensitive label to any new label-compatible files that are uploaded to the library. (This requires a Microsoft Syntex - SharePoint Advanced Management license.)

+To set a default sensitivity label for a document library

+1. In Teams, navigate to the **General** channel of the team you want to update.

+1. In the tool bar for the team, click **Files**.

+1. Click **Open in SharePoint**.

+1. In the SharePoint site, open **Settings** and then choose **Library settings**.

+1. From the **Library settings** flyout pane, select **Default sensitivity labels**, and then select the highly sensitive label from the drop-down box.

+For more details about how default library labels work, see [Configure a default sensitivity label for a SharePoint document library](/microsoft-365/compliance/sensitivity-labels-sharepoint-default-label).

+ms.localizationpriority: normal

+- Tier1

+The articles in this series provide recommendations for configuring teams in Microsoft Teams, and their associated SharePoint sites, for file protection that balances security with ease of collaboration.

+- Sensitive protection

+For information about creating a Teams meeting environment that meets your compliance requirements, see [Configure Teams meetings with three tiers of protection](/MicrosoftTeams/configure-meetings-three-tiers-protection).

+|Site-level conditional access|**Full access from desktop apps, mobile apps, and the web** (default).|**Full access from desktop apps, mobile apps, and the web** (default).|**Allow limited, web-only access**.|Custom conditional access policy|

+|Sensitivity labels|None|None|Sensitivity label used to classify the team and control guest sharing and unmanaged device access.|Sensitivity label used to classify the team, control guest sharing, and specify a conditional access policy. Default file label is used on files to encrypt them.|

+|Site sharing settings|**Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site**.|**Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site**.|**Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site**.|N/A (Controlled by site-level restricted access control.)|

+|Site-level restricted access control|None|None|None|Team members only|

+The sensitive and highly sensitive tiers use sensitivity labels to help secure the team and its files. To implement these tiers, you must enable [sensitivity labels to protect content in Microsoft Teams, Microsoft 365 Groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md).

+While the baseline tier does not require sensitivity labels, consider creating a "general" label and then requiring that all teams be labeled. This will help ensure that users make a conscious choice about sensitivity when they create a team. If you plan to deploy the sensitive or highly sensitive tiers, we do recommend creating a "general" label that you can use for baseline teams and for files that are not sensitive. For the highly sensitive tier, we'll also specify a default sensitivity label for document libraries so that Office files and other compatible files will have that label automatically applied when they're uploaded.

+For the highly sensitive tier, we'll restrict access to the site to members of the team only. This restriction will also prevent sharing files with people outside the team.

+By default, both owners and members of the team can share files and folders with people outside the team. This may include people outside your organization, if you have allowed guest sharing. In all three tiers, we update the default sharing link type to help avoid accidental oversharing. In the highly sensitive tier, we restrict such sharing to team owners only. As noted above, in the highly sensitive tier, file access is limited to team members only.

+In the highly sensitive tier, we configure the default library sensitivity label to encrypt files to which it is applied. If you need guests to have access to these files, you must give them permissions when you create the label. External participants in shared channels can't be given permissions to sensitivity labels and can't access content encrypted by a sensitivity label.

+If you regularly collaborate with other organizations that use Azure AD, shared channels may be a good option. Shared channels appear seamlessly in the other organization's Teams client and allow external participants to use their regular user account for their organization rather than having to log in separately using a guest account.

+## Conditional access policies

+Azure AD conditional access offers many options for determining how people access Microsoft 365, including limitations based on location, risk, device compliance, and other factors. We recommend you read [What is Conditional Access?](/azure/active-directory/conditional-access/overview) and consider which additional policies might be appropriate for your organization.

+For the sensitive and highly sensitive tiers, we use sensitivity labels to restrict access to SharePoint content.

+For the sensitive tier, we'll restrict access to web-only for unmanaged devices. (Note that guests often don't have devices that are managed by your organization. If you allow guests in any of the tiers, consider what kinds of devices they'll be using to access teams and sites and set your unmanaged device policies accordingly.)

+For the highly sensitive tier, we'll use [Azure Active Directory authentication context](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#configure-authentication-contexts) with the sensitivity label to trigger a custom conditional access policy when people access the SharePoint site associate with the team.

+### Conditional access across Teams-related services

+The conditional access settings in sensitivity labels only affect SharePoint access. If you want to expand conditional access beyond SharePoint, you can [Create an Azure Active Directory conditional access policy for all apps and services in your organization](/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device) instead. To configure this policy specifically for [Microsoft 365 services](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#office-365), select the **Office 365** cloud app under **Cloud apps or actions**.

+

+## Related topics

+|[ <br>Updated September 2021| The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premises</li><li>Evaluation and local onboarding</li> |

+2. On the **Manage rules** page, you can see the rules that have been applied. You can turn on or off a rule or [create a new rule](#create-a-rule-to-move-or-copy-a-file-from-one-document-library-to-another-in-microsoft-syntex) to automate actions on a specific document library.

+## See also

+[Overview of content processing](content-processing-overview.md)

+## See also

+[Create a rule to move or copy a file from one document library to another](content-processing-create-rules.md)