Updates from: 03/16/2021 04:12:51
Category | Microsoft Docs article | Related commit history on GitHub | Change details
admin | Admin Mobile App | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/admin-overview/admin-mobile-app.md |
Title: "About the Microsoft 365 Admin mobile app" f1.keywords: - NOCSH--++ audience: Admin
search.appverid:
- BCS160 - MET150 - MOE150 description: "Get the Microsoft 365 Admin app and learn to manage your online organization from your phone or tablet." # About the Microsoft 365 admin mobile app
-Are you an admin who's usually on the go? Then check out the [Microsoft 365 Admin app](https://go.microsoft.com/fwlink/?LinkID=627216). You can use the app to manage your online organization from your phone or tablet. You can get the app from the Apple Store, and from Google Play. <br>
+Are you an admin whoΓÇÖs usually on the go? Even if you arenΓÇÖt, there may be times when you need to manage Microsoft 365 from your phone or tablet. Check out the free [Microsoft 365 Admin app](https://go.microsoft.com/fwlink/?LinkID=627216), the perfect companion to the web-based Microsoft 365 admin center. You can download the app from the [Apple App Store](https://apps.apple.com/app/apple-store/id761397963?pt=80423&ct=docsaboutadminapp&mt=8), and from the [Google Play Store](https://play.google.com/store/apps/details?id=com.ms.office365admin&referrer=utm_source%3Ddocsaboutadminapp%26utm_campaign%25docsaboutadminapp).
-![Screen capture of the admin mobile app's home page, displaying search, messages, health, and quick links.](../../media/admin-mobile-app-darkbg.png)
-The admin app is a feature-rich app that has over 80 features to help you manage your org when you can't get to a computer. Here's a list of just a few of the tasks you can do from the app:
+The admin app has a lot of capabilities which will enable you to manage Microsoft 365 from your mobile or tablet device, when you canΓÇÖt get to a computer. Here's a list of a few of the tasks you can do from the app:
-- Get service health and change notifications-- Create a service request-- Reset a user's password-- Assign licenses-- Add or remove group memberships-- Add users
+- **Manage users and devices** Add or edit a user, reset a userΓÇÖs password, assign a role, block user, delete user, manage alias, assign licenses, wipe device data and more.
+- **Manage groups** Add a group, add or remove users from groups.
+- **License management and billing** View a list of purchased and assigned licenses, assign licenses to users, purchase or remove licenses and view and download invoices.
+- **Support** Create a new service request and keep track of all the updates related to the service requests while you are on the go.
+- **Message Center** Stay on top of all the upcoming changes, planned maintenance, or other important announcements related to Microsoft 365
+- **Service Health** Monitor the health of all the services by viewing the current status of the service and details about service disruption and outages.
+- **Notifications** Stay on top of all the important information and updates related to message center posts, service health and billing through push notifications. You can even customize what you want to be notified of.
-And if you're someone who is responsible for more than one online organization, you sign in to multiple orgs and quickly switch between them.
+If you're an admin and you're responsible for more than one Microsoft 365 organization, you can sign in to multiple organizations and quickly switch between them. The app supports dark theme and is available in 39 languages.
> [!IMPORTANT]
-> If you're having trouble using the Admin mobile app on iOS or Android, email us at [feedback365@microsoft.com](mailto:feedback365@microsoft.com) to let us know.
+> If you're having issues using the Admin mobile app on iOS or Android, email us at [feedback365@microsoft.com](mailto:feedback365@microsoft.com) to let us know.
## Download the admin mobile app
-[Microsoft 365 Admin mobile app](https://go.microsoft.com/fwlink/?LinkID=627216).
-
-Watch a short video about installing the admin mobile app.<br><br>
+[Apple App Store](https://apps.apple.com/app/apple-store/id761397963?pt=80423&ct=docsaboutadminapp&mt=8)
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/05c1d439-9ec2-415f-9178-250f64dec64c]
+[Google Play Store](https://play.google.com/store/apps/details?id=com.ms.office365admin&referrer=utm_source%3Ddocsaboutadminapp%26utm_campaign%25docsaboutadminapp).
+
+## Watch: Install the admin mobile app
-If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](https://support.microsoft.com/office/6ab4bbcd-79cf-4000-a0bd-d42ce4d12816).
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/05c1d439-9ec2-415f-9178-250f64dec64c]
-
## Frequently asked questions
-Below are answers to some frequently asked questions people ask about the app.
+Below are answers to frequently asked questions.
### What do I need to do to be able to use the app?
-You need to have a valid Microsoft 365 Apps for business or Microsoft 365 Business Premium subscription with admin privileges to sign in and use the app. The Admin mobile app isn't an email client. It's a rich administrative app with over 80 features to help you support your org while your on the go.
+To use the app you need to have admin permissions and a valid subscription to one of the following Microsoft 365 subscriptions:
+
+- Microsoft 365 Apps for Enterprise
+- Microsoft 365 Apps for Business
+- Microsoft 365 Business Premium
+- Microsoft 365 Business Standard
+- Microsoft 365 Business Basic
+- Microsoft 365 E3/E5
+- Office 365: E1, E3/E5
+- Exchange Online plan
+- OneDrive for business plan
### Can I use the app with my Microsoft 365 Family subscription?
-No, the app only works with Microsoft 365 Apps for business and Microsoft 365 Business Premium subscriptions.
-
+No, the app doesnΓÇÖt work with Microsoft 365 Family or Microsoft 365 Personal subscriptions.
+ ### Will the app work if my organization has directory synchronization enabled?
-Yes, but with reduced functionality. You'll be able to sign in and view service information, but most of the user management functions will be read-only. You won't be able to add, edit, or delete users. However, you'll be able to assign licenses to users in your organization, and get notifications.
+Yes, but with reduced functionality. You'll be able to sign in and view service information, but most of the user management functions will be read-only. You won't be able to add, edit, or delete users. However, you'll be able to assign licenses to users in your organization and get notifications.
### What languages are supported by the app?
-The app supports all 39 languages that the web-based Microsoft 365 admin center supports. To change the language, select the app launch icon in the upper bar and choose **Settings** > **Language**.
-
-### Why does the Messages tile on the Home screen show numbers even after I've read the new messages?
-
-The numbers are the total messages from the last week, not unread messages.
+The app supports all 39 languages that the web-based Microsoft 365 admin center supports. To change the language, from the left navigation menu in the admin center, go to **Settings** > **Language** or select the **Language** icon in **Quick Links** section of the admin mobile app home page.
### How can I share the Service Incidents and Messages with the rest of my organization?
-If you select a specific service incident or a message, the share option will be in the top right corner. We currently support email sharing.
+If you select a specific service incident or a message, the share option will be in the top right corner.
### Can I use this app with multiple accounts or tenants?
-Yes, you can setup multiple accounts or tenants.
-
-### My app is acting funny. What can I do to troubleshoot weird app behavior?
+Yes, you can setup multiple accounts or organizations.
+
+### IΓÇÖm unable to login or my app is acting funny. What can I do to troubleshoot or fix the issue?
You can try some common mobile app troubleshooting steps:
-
+ 1. Close and reopen the app.
-
-2. Uninstall and reinstall the app.
+1. Uninstall and reinstall the app. Ensure that you are on the latest version of the app.
+1. If you have Microsoft Authenticator or Company portal app installed on your device, try reinstalling it or updating to the latest version.
+1. If that doesn't work, you can email us at feedback365@microsoft.com to let us know.
+
+### How do I manage notifications in the app?
+
+From the left navigation menu, go to **Settings** > **Notifications**. You can manage service health, message center and billing notifications here.
-3. If that doesn't work, you can email us at [feedback365@microsoft.com](mailto:feedback365@microsoft.com) to let us know.
-
### What do I do if my question isn't answered?
-Email [feedback365@microsoft.com](mailto:feedback365@microsoft.com) to report an issue with the app. Or you can give feedback at the bottom of this article.
+Email [feedback365@microsoft.com](mailto:feedback365@microsoft.com) to report an issue with the app. Or you can give feedback at the bottom of this article.
## See also
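Review bot: the curly apostrophes in the new text were committed in the wrong encoding and render as `ΓÇÖ` (`whoΓÇÖs`, `canΓÇÖt`, `doesnΓÇÖt`, `IΓÇÖm`); use plain ASCII apostrophes so the page renders in every locale. Two Markdown breaks in the same hunk: the new heading line `+ ### Will the app work if my organization has directory synchronization enabled?` has a leading space and the blank line that separated it from the preceding answer was deleted, and ` 1. Close and reopen the app.` is indented while the other numbered items are not; restore the blank line and drop the leading spaces so the heading and the list render. In the troubleshooting list, `email us at feedback365@microsoft.com` lost the `mailto:` link that the replaced item had. In the prerequisites FAQ, "a valid subscription to one of the following Microsoft 365 subscriptions" is redundant and the list mixes formats (`Microsoft 365 E3/E5` beside `Office 365: E1, E3/E5`); say "one of the following subscriptions" and use one format throughout. "The app supports dark theme and is available in 39 languages" repeats the language FAQ further down. Since the feature list now says the app can reset passwords, assign roles, block and delete users and wipe device data, the prerequisites section should say which admin role is actually required (it says only "admin permissions") and make clear that the account's normal sign-in policies apply to the app, so nobody reads it as a lower-privilege companion to the admin center.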
compliance | Dlp Chrome Get Started | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-get-started.md |
+
+ Title: "Get started with the Microsoft Compliance Extension (preview)"
+f1.keywords:
+- CSH
+++ Last updated :
+audience: ITPro
+
+f1_keywords:
+- 'ms.o365.cc.DLPLandingPage'
+
+localization_priority: Priority
+
+- M365-security-compliance
+- m365solution-mip
+- m365initiative-compliance
+search.appverid:
+- MET150
+description: "Prepare for and deploy the Microsoft Compliance Extension."
++
+# Get started with Microsoft Compliance Extension (preview)
+
+Use these procedures to roll out the Microsoft Compliance Extension.
+
+## Before you begin
+
+To use Microsoft Compliance Extension, the device must be onboarded into endpoint DLP. Review these articles if you are new to DLP or endpoint DLP
+
+- [Learn about Microsoft Compliance Extension](dlp-chrome-learn-about.md)
+- [Overview of data loss prevention](data-loss-prevention-policies.md)
+- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)
+- [Learn about endpoint data loss prevention](endpoint-dlp-learn-about.md)
+- [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md)
+- [Onboarding tools and methods for Windows 10 devices](dlp-configure-endpoints.md)
+- [Configure device proxy and internet connection settings for Endpoint DLP](endpoint-dlp-configure-proxy.md)
+- [Using Endpoint data loss prevention](endpoint-dlp-using.md)
+
+### SKU/subscriptions licensing
+
+Before you get started, you should confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1) and any add-ons. To access and use Endpoint DLP functionality, you must have one of these subscriptions or add-ons.
+
+- Microsoft 365 E5
+- Microsoft 365 A5 (EDU)
+- Microsoft 365 E5 compliance
+- Microsoft 365 A5 compliance
+- Microsoft 365 E5 information protection and governance
+- Microsoft 365 A5 information protection and governance
+
+For detailed licensing guidance, see [Microsoft 365 licensing guidance for security & compliance](https://docs.microsoft.com/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection).
+
+- Your org must be licensed for Endpoint DLP
+- Your devices must be running Windows 10 x64 build 1809 or later.
+- The device must have Antimalware Client Version is 4.18.2101.9 or later. Check your current version by opening **Windows Security** app, select the **Settings** icon, and then select **About**.
++
+### Permissions
+
+Data from Endpoint DLP can be viewed in [Activity explorer](data-classification-activity-explorer.md). There are seven roles that grant permission to activity explorer, the account you use for accessing the data must be a member of any one of them.
+
+- Global admin
+- Compliance admin
+- Security admin
+- Compliance data admin
+- Global reader
+- Security reader
+- Reports reader
+
+### Overall installation workflow
+
+Deploying Microsoft Compliance Extension is a multi-phase process. You can choose to install on one machine at a time, or use Microsoft Endpoint Manager or Group Policy for organization-wide deployments.
+
+1. [Prepare your devices](#prepare-your-devices).
+2. [Basic Setup Single Machine Selfhost](#basic-setup-single-machine-selfhost)
+3. [Deploy using Microsoft Endpoint Manager](#deploy-using-microsoft-endpoint-manager)
+4. [Deploy using Group Policy](#deploy-using-group-policy)
+5. [Test the Extension](#test-the-extension)
+6. [Use the Alerts Management Dashboard to viewing Chrome DLP alerts](#use-the-alerts-management-dashboard-to-viewing-chrome-dlp-alerts)
+7. [Viewing Chrome DLP data in activity explorer](#viewing-chrome-dlp-data-in-activity-explorer)
+
+### Prepare infrastructure
+
+If you are rolling out the Microsoft Compliance Extension to all your monitored Windows 10 devices, you should remove Google Chrome from the unallowed app and unallowed browser lists. For more information, see [Unallowed browsers](endpoint-dlp-using.md#unallowed-browsers). If you are only rolling it out to a few devices you can leave Chrome on the unallowed browser or unallowed app lists. The Microsoft Compliance Extension will bypass the restrictions of both lists for those computers where it is installed.
+
+### Prepare your devices
+
+1. Use the procedures in these topics to onboard your devices:
+ 1. [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md)
+ 1. [Onboarding tools and methods for Windows 10 devices](dlp-configure-endpoints.md)
+ 1. [Configure device proxy and internet connection settings for Endpoint DLP](endpoint-dlp-configure-proxy.md)
+
+### Basic Setup Single Machine Selfhost
+
+This is the recommended method.
+
+1. Sign on to the Windows 10 computer that you want to install the Microsoft Compliance Extension on and run the this PowerShell script as an administrator.
+
+```powershell
+Get-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force
+```
+
+2. Navigate to [Microsoft Compliance Extension - Chrome Web Store (google.com)](https://chrome.google.com/webstore/detail/microsoft-compliance-exte/echcggldkblhodogklpincgchnpgcdco).
+3. Install the extension using the instructions on the Chrome Web Store page.
+
+### Deploy using Microsoft Endpoint Manager
+
+Use this setup method for organization Wide deployments
+
+##### Enabling Required Registry Key via Microsoft Endpoint Manager
+
+1. Create a PowerShell script with the following contents:
+```powershell
+Get-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force
+```
+2. Sign in to the [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com).
+3. Navigate to **Devices** > **Scripts** and select **Add**.
+4. Browse to the location of the script created when prompted.
+5. Select the following settings:
+ 1. Run this script using the logged-on credentials: YES
+ 1. Enforce script signature check: NO
+ 1. Run script in 64-bit PowerShell Host: YES
+6. Select the proper device groups and apply the policy.
+
+#### Microsoft Endpoint Manager Force Install Steps
+
+Before adding the Microsoft Compliance Extension to the list of force-installed extensions, it is important to ingest the Chrome ADMX. Steps for this process in Microsoft Endpoint Manager are documented by Google: [Manage Chrome Browser with Microsoft Intune - Google Chrome Enterprise Help](https://support.google.com/chrome/a/answer/9102677?hl=en#zippy=%2Cstep-ingest-the-chrome-admx-file-into-intune).
+
+ After ingesting the ADMX, the steps below can be followed to create a configuration profile for this extension.
+
+1. Sign in to the Microsoft Endpoint Manager Admin Center (https://endpoint.microsoft.com)
+2. Navigate to Configuration Profiles.
+3. Select **Create Profile**.
+4. Select **Windows 10** as the platform.
+5. Select **Custom** as profile type.
+6. Select the **Settings** tab.
+7. Select **Add**.
+8. Enter the following policy information.
+OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
+Data type: String
+Value: <enabled/><data id=”ExtensionInstallForcelistDesc” value=”1&#xF000; echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx″/>
+
+9. Click create.
+
+### Deploy using Group Policy
+
+If you don't want to use Microsoft Endpoint Manager, you can use group policies to deploy the Microsoft Compliance Extension across your organization
+
+1. Your devices must be manageable via Group Policy, and you need to import all Chrome ADMXs into the Group Policy Central Store. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://docs.microsoft.com/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
+2. Create a PowerShell script using this:
+
+```powershell
+et-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force
+```
+
+3. Open the **Group Policy Management Console** and navigate to your organizational unit (OU).
+4. Right-click and select **Create a GPO in this domain and Link it here**. When prompted, assign a descriptive name to this group policy object (GPO) and finish creating it.
+5. Right-click the GPO and select **Edit**.
+6. Go to **Computer Configuration** > **Preferences** > **Control Panel Settings** > **Scheduled Tasks**.
+7. Create a new immediate task by selecting right-clicking and selecting **New** > **Immediate Task (At least Windows 7)**.
+8. Give the task a name & description.
+9. Choose the corresponding account to run the immediate task, for example NT Authority
+10. Select **Run with highest privileges**.
+11. Configure the policy for Windows 10.
+12. In the **Actions** tab, select the action **Start a program**.
+13. Enter the path to the Program/Script created in Step 1.
+14. Select **Apply**.
+
+#### Adding the Chrome Extension to the ForceInstall List
+
+1. In the Group Policy Management Editor, navigate to your OU.
+2. Expand the following path **Computer/User configuration** > **Policies** > **Administrative templates** > **Classic administrative templates** > **Google** > **Google Chrome** > **Extensions**. This path may vary depending on your configuration.
+3. Select **Configure the list of force-installed extensions**.
+4. Right click and select **Edit**.
+5. Select **Enabled**.
+6. Select **Show**.
+7. Under **Value**, add the following entry: `echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx`
+8. Select **OK** and then **Apply**.
+
+### Test the Extension
+
+#### Upload to cloud service, or access by unallowed browsers Cloud Egress
+
+1. Create or get a sensitive item and, try to upload a file to one of your organizationΓÇÖs restricted service domains. The sensitive data must match one of our built-in [Sensitive Info Types](sensitive-information-type-entity-definitions.md), or one of your organizationΓÇÖs sensitive information types. You should get a DLP toast notification on the device you are testing from that shows that this action is not allowed when the file is open.
+
+#### Testing other DLP scenarios in Chrome
+
+Now that youΓÇÖve removed Chrome from the disallowed browsers/apps list, you can test the scenarios below to confirm the behavior meets your organizationΓÇÖs requirements:
+
+- Copy data from a sensitive item to another document using the Clipboard
+ - To test, open a file that is protected against copy to clipboard actions in the Chrome browser and attempt to copy data from the file.
+ - Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.
+- Print a document
+ - To test, open a file that is protected against print actions in the Chrome browser and attempt to print the file.
+ - Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.
+- Copy to USB Removeable Media
+ - To test, try to save the file to a removeable media storage.
+ - Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.
+- Copy to Network Share
+ - To test, try to save the file to a network share.
+ - Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.
++
+### Use the Alerts Management Dashboard to viewing Chrome DLP alerts
+
+1. Open the **Data loss prevention** page in the [Microsoft 365 Compliance center](https://compliance.microsoft.com) and select **Alerts**.
+
+2. Refer to the procedures in [How to configure and view alerts for your DLP policies](dlp-configure-view-alerts-policies.md) to view alerts for your Endpoint DLP policies.
++
+### Viewing Chrome DLP data in activity explorer
+
+1. Open the [Data classification page](https://compliance.microsoft.com/dataclassification?viewid=overview) for your domain in the Microsoft 365 Compliance center and choose **Activity explorer**.
+
+2. Refer to the procedures in [Get started with Activity explorer](data-classification-activity-explorer.md) to access and filter all the data for your Endpoint devices.
+
+ > [!div class="mx-imgBorder"]
+ > ![activity explorer filter for endpoint devices](../media/endpoint-dlp-4-getting-started-activity-explorer.png)
+
+### Known Issues and Limitations
+
+1. Drag & Drop enforcement for folder upload is not supported.
+2. Block Override enforcement for cloud egress is not supported.
+3. Incognito mode is not supported and must be disabled.
+
+## Next steps
+Now that you have onboarded devices and can view the activity data in Activity explorer, you are ready to move on to your next step where you create DLP policies that protect your sensitive items.
+
+- [Using Endpoint data loss prevention](endpoint-dlp-using.md)
+
+## See also
+
+- [Learn about Endpoint data loss prevention ](endpoint-dlp-learn-about.md)
+- [Using Endpoint data loss prevention ](endpoint-dlp-using.md)
+- [Overview of data loss prevention](data-loss-prevention-policies.md)
+- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Get started with Activity explorer](data-classification-activity-explorer.md)
+- [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/)
+- [Onboarding tools and methods for Windows 10 machines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints)
+- [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1)
+- [Azure AD joined devices](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join)
+- [Download the new Microsoft Edge based on Chromium](https://support.microsoft.com/help/4501095/download-the-new-microsoft-edge-based-on-chromium)
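Review bot: the Group Policy script is broken: `et-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force` has lost the `G` of `Get-Item`, so PowerShell reports `et-Item` is not recognized and the value is never written; copy the line from the single-machine section. The same script is run under the wrong identity in the Endpoint Manager steps: it writes to `HKLM`, which a standard user cannot do, yet the settings say `Run this script using the logged-on credentials: YES`; set it to NO so the script runs as SYSTEM, and reconsider `Enforce script signature check: NO`, because an organization-wide unsigned script is exactly what that check exists to catch (sign the script and set YES). All three copies pipe `Get-Item` into `New-ItemProperty` with no `-ErrorAction` and no explicit `-PropertyType`, so if the `Miscellaneous Configuration` key is absent the statement just errors and nothing is written; test for the key first and state the type, and explain what `DlpDisableBrowserCache = 0` controls, since the heading `Enabling Required Registry Key` does not obviously match a value named Disable being set to 0. In the OMA-URI step the value `<enabled/><data id=”ExtensionInstallForcelistDesc” value=”1&#xF000; echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx″/>` uses typographic quotes (`”`, `″`) and has a stray space after `&#xF000;`; replace them with ASCII `"` and remove the space, or the policy is likely to be rejected or written with the wrong characters. `Enter the path to the Program/Script created in Step 1` points at the wrong step (the script is created in step 2), and `for example NT Authority` is an incomplete account name; the immediate task must run as an account that can write `HKLM`, such as the local SYSTEM account. `This is the recommended method` under the single-machine section contradicts `Use this setup method for organization Wide deployments` under Endpoint Manager; say which is recommended at which scale. Two security caveats are missing: `Prepare infrastructure` tells admins rolling out to all devices to remove Chrome from the unallowed browser and app lists, but until the force-install policy has reached every device any device without the extension then has an unmonitored Chrome, so the order should be force-install first and remove Chrome from the lists only after coverage is confirmed; and `Incognito mode is not supported and must be disabled` gives no step for disabling it, so add the Chrome `IncognitoModeAvailability` policy to the Endpoint Manager and Group Policy sections, otherwise a user can bypass the extension with a private window. Minor: `run the this PowerShell script`, `The device must have Antimalware Client Version is 4.18.2101.9`, and `to viewing Chrome DLP alerts` in two headings.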
compliance | Dlp Chrome Learn About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-learn-about.md |
+
+ Title: "Learn about the Microsoft Compliance Extension (preview)"
+f1.keywords:
+- CSH
+++ Last updated :
+audience: ITPro
+
+f1_keywords:
+- 'ms.o365.cc.DLPLandingPage'
+
+localization_priority: Priority
+
+- M365-security-compliance
+- m365solution-mip
+- m365initiative-compliance
+search.appverid:
+- MET150
+description: "The Microsoft Compliance Extension extends monitoring and control of file activities and protective actions to the Google Chrome browser"
++
+# Learn about the Microsoft Compliance Extension (preview)
+
+[Endpoint data loss prevention (endpoint DLP)](endpoint-dlp-learn-about.md) extends the activity monitoring and protection capabilities of [Microsoft 365 data loss prevention (DLP)](data-loss-prevention-policies.md) to sensitive items that are on Windows 10 devices. Once devices are onboarded into the Microsoft 365 compliance solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](create-test-tune-dlp-policy.md).
+
+Once the Microsoft Compliance Extension is installed on a Windows 10 device, organizations can monitor when a user attempts to access or upload a sensitive item to a cloud service using Google Chrome and enforce protective actions via DLP.
+
+## Activities you can monitor and take action on
+
+The Microsoft Compliance Extension enables you to audit and manage the following types of activities users take on sensitive items on devices running Windows 10.
+
+activity |description | supported policy actions|
+||||
+|file copied to cloud | Detects when a user attempts to upload a sensitive item to a restricted service domain through the Chrome browser |audit, block|
+|file printed |Detects when a user attempts to print a sensitive item that is open in the Chrome browser to a local or network printer |audit, block with override, block|
+|file copied to clipboard |Detects when a user attempts to copy information from a sensitive item that is being viewed in the Chrome browser and then paste it into another app, process, or item. |audit, block with override, block|
+|file copied to removable storage | Detects when a user attempts to copy a sensitive item or information from a sensitive item that is open in the Chrome browser to removable media or USB device |audit, block with override, block|
+|file copied to network share |Detects when a user attempts to copy a sensitive item or information from a sensitive item that is open in the Chrome browser to a network share or mapped network drive.|audit, block with override, block |
+
+## Deployment process
+1. [Get started with endpoint data loss prevention](endpoint-dlp-getting-started.md)
+2. [Onboarding tools and methods for Windows 10 devices](dlp-configure-endpoints.md)
+3. [Install the extension on your Windows 10 devices](dlp-chrome-get-started.md)
+4. [Create or edit DLP policies](create-test-tune-dlp-policy.md) that restrict upload to cloud service, or access by unallowed browsers actions and apply them to your Windows 10 devices
+
+## Next steps
+
+See [Get started with the Microsoft Compliance Extension](dlp-chrome-get-started.md) for complete deployment procedures and scenarios.
+
+## See also
+
+- [Get started with Microsoft Compliance Extension](dlp-chrome-get-started.md)
+- [Learn about Microsoft 365 Endpoint data loss prevention](endpoint-dlp-learn-about.md)
+- [Getting started with Microsoft Endpoint data loss prevention](endpoint-dlp-getting-started.md)
+- [Using Microsoft Endpoint data loss prevention](endpoint-dlp-using.md)
+- [Overview of data loss prevention](data-loss-prevention-policies.md)
+- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Get started with Activity explorer](data-classification-activity-explorer.md)
+- [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/)
+- [Insider Risk management](insider-risk-management.md)
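Review bot: the activities table will not render: its delimiter row is `||||`, which Markdown does not accept as a header separator, and the header row `activity |description | supported policy actions|` lacks the leading pipe the data rows have; use `|activity|description|supported policy actions|` followed by `|---|---|---|`. On content, `file copied to cloud` listing only `audit, block` agrees with the companion page's known issue that block-with-override is not supported for cloud egress, which is good, but the other four rows say the activity is detected only for an item "open in the Chrome browser", and the companion page says devices without the extension keep the unallowed-browser treatment, so state that scope here in one sentence rather than leaving it implied. In the deployment list, `restrict upload to cloud service, or access by unallowed browsers actions` reads as two actions run together; the DLP action is a single name, `Upload to cloud service, or access by unallowed browsers`, so quote it as one.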
compliance | Dlp Teams Default Policy | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-teams-default-policy.md |
+
+ Title: "Learn about the default data loss prevention policy in Microsoft Teams (preview)"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: ITPro
++
+localization_priority: Normal
+
+- M365-security-compliance
+search.appverid:
+- MET150
+description: "Learn about the default data loss prevention policy in Microsoft Teams"
++
+# Learn about the default data loss prevention policy in Microsoft Teams (preview)
+
+[Data loss prevention](data-loss-prevention-policies.md) (DLP) capabilities have been extended to include Microsoft Teams chat and channel messages, including private channel messages. As a part of this release, we created a default DLP policy for first-time customers to Compliance center.
+
+## Applies to
+
+Any tenant who is licensed with one or more of the below licenses and have active Teams users
+
+- ME5,
+- MA5,
+- E5/A5 Compliance,
+- IP+G,
+- OE5,
+- O365 Advanced Compliance
+- EMS E5
++
+## What does the default policy do?
+
+The default DLP policy tracks all the credit card numbers shared internally and externally to the organization. This policy is on by default for all users of the tenant. It does not generate any policy tips for end users but does generate an Alert event and also triggers a low severity email to the admin (added in the policy). Administrator can view the activities and edit the policies details by logging into the Compliance center.
+
+Admins can view this policy in the [Compliance center](https://compliance.microsoft.com/compliancesettings) > Data Loss prevention policies page.
++
+> [!div class="mx-imgBorder"]
+> ![default Teams DLP policy](../media/default-teams-dlp-policy.png)
+
+## Edit or delete the default policy
+
+To [edit the default policy for better performance or to delete it](create-test-tune-dlp-policy.md#tune-a-dlp-policy), just use an account with **DLP Compliance Management** permissions. For more information, see, [Permissions](create-test-tune-dlp-policy.md#permissions).
+
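Review bot: the `Applies to` list uses internal abbreviations with trailing commas (`ME5,`, `MA5,`, `OE5,`, `IP+G,`) that readers cannot map to SKUs; the Chrome-extension page in this same update spells them out (`Microsoft 365 E5`, `Microsoft 365 E5 compliance`, `Microsoft 365 E5 information protection and governance`), so use the same names here and fix `Any tenant who is licensed ... and have active Teams users`. The behaviour paragraph should say plainly that the default policy is audit-only: it `does not generate any policy tips` and only raises an alert and a low-severity email, so it does not stop credit card numbers being shared in Teams, and an admin reading "tracks all the credit card numbers shared internally and externally" could assume it does. `a low severity email to the admin (added in the policy)` does not say which admin or where that address is set; name the policy setting so an admin knows where the incident report goes and how to change it. `first-time customers to Compliance center` and `Administrator can view the activities` need articles ("the Compliance center", "Administrators can").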
compliance | Information Barriers Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-barriers-policies.md |
In addition to the [required licenses and permissions](information-barriers.md#r
- Admin consent for information barriers in Microsoft Teams - When your IB policies are in place, they can remove non-IB compliance users from Groups (i.e. Teams channels, which are based on groups). This configuration helps ensure your organization remains compliant with policies and regulations. Use the following procedure to enable information barrier policies to work as expected in Microsoft Teams.
- 1. Run the following PowerShell cmdlets:
+ 1. Pre-requisite: Install Azure PowerShell from [here](https://docs.microsoft.com/en-us/powershell/azure/install-az-ps)
+ 2. Run the following PowerShell cmdlets:
```powershell
- Connect-AzAccount
+ Connect-AzAccount -Tenant "<yourtenantdomain.com>" //for example: Connect-AzAccount -Tenant "Contoso.onmicrosoft.com"
$appId="bcf62038-e005-436d-b970-2a472f8c1982" $sp=Get-AzADServicePrincipal -ServicePrincipalName $appId if ($sp -eq $null) { New-AzADServicePrincipal -ApplicationId $appId }
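Review bot: `Connect-AzAccount -Tenant "<yourtenantdomain.com>" //for example: Connect-AzAccount -Tenant "Contoso.onmicrosoft.com"` will not run as written, because `//` is not a comment in PowerShell and the example is parsed as extra arguments; move the example into prose or use `#`. The following statements (`$appId=...`, `$sp=Get-AzADServicePrincipal -ServicePrincipalName $appId`, `if ($sp -eq $null) { New-AzADServicePrincipal -ApplicationId $appId }`) appear on one line here; if that is how they were committed they need line breaks or `;`, and `$null -eq $sp` is the idiomatic comparison (`$sp -eq $null` misbehaves when `$sp` is a collection). Since this step creates a service principal for a hard-coded application ID (`bcf62038-e005-436d-b970-2a472f8c1982`) in the customer tenant, the text should say which Microsoft application that ID belongs to and what it will be allowed to do, so an admin can verify it before provisioning it rather than pasting an unexplained ID. Also `Install Azure PowerShell from [here]` should use the target page's title as link text, the URL carries an `en-us` locale segment the docs normally omit, and the context line's `non-IB compliance users` should read `non-IB-compliant users`.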
In addition to the [required licenses and permissions](information-barriers.md#r
2. When prompted, sign in using your work or school account for Office 365.
- 3. In the **Permissions requested** dialog box, review the information, and then choose **Accept**.
+ 3. In the **Permissions requested** dialog box, review the information, and then choose **Accept**. The permissions reqested by the App is given below <add a screenshot>
+ ![image](https://user-images.githubusercontent.com/8932063/107690955-b1772300-6c5f-11eb-9527-4235de860b27.png)
+ When all the prerequisites are met, proceed to the next section.
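Review bot: `The permissions reqested by the App is given below <add a screenshot>` leaves an author placeholder in published text, misspells `requested` and has `is` for `are`; remove the placeholder and write "The permissions requested by the app are shown below". The screenshot is referenced from `https://user-images.githubusercontent.com/...`, an upload attached to a GitHub comment, whereas the other images in this update live under `../media/`; commit the image to the repo, give it alt text better than `image`, and list the consented permissions in text as well, since a screenshot is neither searchable nor readable by screen readers, and the consent dialog is exactly where readers want to compare what is documented against what they are asked to grant. The step numbers no longer line up: the previous hunk made the cmdlets step 2, so `2. When prompted, sign in` and `3. In the **Permissions requested** dialog box` should now be 3 and 4.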
compliance | Insider Risk Management Alerts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-alerts.md |
Insider risk management alerts are automatically generated by risk indicators de
The insider risk **Alert dashboard** allows you to view and act on alerts generated by insider risk policies. Each report widget displays information for last 30 days. -- **Alerts to review**: The total number of alerts needing review and triage are listed, including a breakdown by alert severity.
+- **Total alerts that need review**: The total number of alerts needing review and triage are listed, including a breakdown by alert severity.
- **Open alerts over past 30 days**: The total number of alerts created by policy matches over the last 30 days, sorted by high, medium, and low alert severity levels. - **Average time to resolve alerts**: A summary of useful alert statistics: - Average time to resolve high severity alerts, listed in hours, days, or months.
To triage an insider risk alert, complete the following steps:
2. On the **Alerts dashboard**, select the alert you want to triage. 3. On the **Alerts detail pane**, you can review the following tabs and triage the alert: - **Summary**: This tab contains general information about the alert and allows you to confirm the alert and create a new case or allows you to dismiss the alert. It includes the current status for the alert and the alert risk severity level, listed as *High*, *Medium*, or *Low*. The severity level may increase or decrease over time if the alert is not triaged.
- - **What happened**: Displays the top three risk activities and policy matches during the activity evaluation period, including the type of violation associated with the activity.
+ - **What happened (preview)**: Displays the top three risk activities and policy matches during the activity evaluation period, including the type of violation associated with the activity and the number of occurrences.
- **User details**: Displays general information about the user assigned to the alert. If anonymization is enabled, the username, email address, alias, and organization fields are anonymized. - **Alert details**: Includes the length of time since the alert was generated, the policies that generated the alert are listed, and the case generated from the alert is listed. For new alerts, the **Case** field displays None.
- - **Content detected**: Includes content associated with the risk activities for the alert and summarizes activity events by key areas. Selecting an activity link opens the Activity explorer and displays additional details about the activity.
+ - **Content detected (preview)**: Includes content associated with the risk activities for the alert and summarizes activity events by key areas. Selecting an activity link opens the Activity explorer and displays additional details about the activity.
- **User activity**: This tab displays the activity history for the user associated with the alert. This history includes other alerts and activities related to risk indicators defined in the template assigned to the policy for this alert. This history allows risk analysts and investigators to factor in any past risky behavior for the employee as part of the triage process. - **Actions**: The following actions are available for each alert: - **Open expanded view**: Opens the **Activity explorer** dashboard.
To triage an insider risk alert, complete the following steps:
The Activity explorer provides risk investigators and analysts with a comprehensive analytic tool that provides detailed information about alerts. With the Activity explorer, reviewers can quickly review a timeline of detected risky activity and identify and filter all risk activities associated with alerts. To filter alerts on the Activity explorer, select the Filter control. You can filter alerts by one or more attributes listed in the details pane for the alert. Activity explorer also supports customizable columns to help investigators and analysts focus the dashboard on the information most important to them.
-![Insider risk management activity explorer overview](../media/insider-risk-management-activity-explorer.png)
+![Insider risk management activity explorer overview](../media/insider-risk-activity-explorer.png)
To use the **Activity explorer**, complete the following steps:
To use the **Activity explorer**, complete the following steps:
When reviewing activities in the Activity explorer, investigators and analysts can select a specific activity and open the activity details pane. The pane displays detailed information about the activity that investigators and analysts can use during the alert triage process. The detailed information may provide context for the alert and assist with identifying the full scope of the risk activity that triggered the alert.
-![Insider risk management activity explorer details](../media/insider-risk-management-activity-explorer-details.png)
+![Insider risk management activity explorer details](../media/insider-risk-activity-explorer-details.png)
## Create a case for an alert
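Review bot: the two figure references in this file are renamed from `../media/insider-risk-management-activity-explorer.png` and `../media/insider-risk-management-activity-explorer-details.png` to `../media/insider-risk-activity-explorer.png` and `../media/insider-risk-activity-explorer-details.png`; confirm the renamed image files are part of the same commit, otherwise both figures render broken while the old files stay orphaned. The "(preview)" suffix added to the **What happened** and **Content detected** tabs matches the "Activity explorer (preview)" anchor that insider-risk-management-cases.md links to in this same change set, so the two files stay consistent.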
compliance Insider Risk Management Audit Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-audit-log.md
+
+ Title: Insider risk management audit log
+description: Learn about the insider risk management audit log in Microsoft 365
+keywords: Microsoft 365, insider risk management, risk management, compliance
+localization_priority: Normal
+
+f1.keywords:
+- NOCSH
+++
+audience: itpro
+++
+# Insider risk management audit log
+
+The insider risk management audit log enables you to stay informed on the actions that were taken on insider risk management features. This log allows independent review of the actions taken by users assigned to one or more insider risk management role groups. The insider risk management audit log is automatically enabled in your organization and cannot be disabled.
+
+![Insider risk management audit log](../media/insider-risk-audit-log.png)
+
+The audit log is automatically and immediately updated whenever monitored activities occur and the log retains information about the activity for 180 days (about six months). After 180 days, the data for the activity is permanently deleted from the log.
+
+Areas included in activity monitoring include:
+
+- Policies
+- Cases
+- Alerts
+- Settings
+- Users
+- Notice templates
+
+To view and export data from the audit log, users must be assigned to the *Insider Risk Management* or *Insider Risk Management Auditors* role groups. To learn more about insider risk management role groups, see [Getting started with insider risk management Step 1: Enabling permissions](insider-risk-management-configure.md#step-1-enable-permissions-for-insider-risk-management).
+
+>[!NOTE]
+>The insider risk management audit log isn't associated with the Microsoft 365 audit log, they are independent auditing systems and capture information on separate activities. Disabling Microsoft 365 auditing doesn't impact activity auditing within insider risk management.
+
+## View activity in the insider risk audit log
+
+To view feature activity monitored for insider risk management, navigate to, and select the **Insider risk audit log** link in the top-right area of any insider risk management tab. By default, you'll see the following information displayed for insider risk management activities:
+
+- **Activity:** A description of the activity taken within the insider risk management solution by a user.
+- **Category:** The area or item where the activity was performed. For example, you'll see *Policies* as the category when policy change activities were performed.
+- **Activity performed by:** The user name of the user that performed the activity.
+- **Date:** The date and time the activity was performed. The date and time are the local date and time for your organization.
+
+For more information about a logged activity, select the activity to display the activity details pane. This pane includes additional information about the activity.
+
+## Columns and filtering
+
+To make it easier for auditors to review logged activity, filtering is supported in the **Insider risk audit log**. For basic filtering, queue columns are available to add to the view to provide different pivots on the files and messages. You can filter activities by the **Category, Date range,** and **Activity performed by** fields.
+
+To add or remove column headings for the activity queue, use the **Customize columns** control and select from the column options. These columns map to common conditions supported in the **Insider risk audit log** and are listed later in this article.
+
+## Audit log export
+
+Users assigned to the *Insider Risk Management* or *Insider Risk Management Auditors* role groups can export all activity in the audit log to a .csv (comma-separated values) file by selecting **Export** on the **Insider risk audit log** page. Depending on the activity, some fields for an activity may not be applicable to the activity and these fields will appear as blank in the exported file.
+
+The file contains activity information for the following fields:
+
+- **Activity performed by:** The user name of the user modifying an item value. Users listed here were assigned to one or more of the following role [insider risk management role groups](insider-risk-management-configure.md#step-1-enable-permissions-for-insider-risk-management): *Insider Risk Management*, *Insider Risk Management Admins*, *Insider Risk Management Analysts*, *Insider Risk Management Investigators*. Each role group has different permission levels for managing insider risk features.
+- **Activity:** The activity taken on an item. Values are *Viewed, Deleted, Added, Edited policy, Case, User, Alert,* and *Settings.*
+- **Added**: Objects that were added during the activity, such as users, file types, or domains.
+- **Alert volume**: The level of alert volume defined in insider risk management settings.
+- **Amount**: The currently selected custom indicator amounts for a policy.
+- **Asset ID**: The asset ID of the priority physical asset the activity was performed on.
+- **Category:** The category of the item modified. Values are *Policies, Cases, Users, Alerts, Settings,* and *Notice templates.*
+- **Date:** Date and time, listed in your organization's local date and time.
+- **Description**: The description input by the user for the object being acted on (such as a policy or a priority user group).
+- **DLP policy**: The data loss prevention (DLP) policy selected to trigger inclusion in an insider risk management policy.
+- **Indicator**: The indicator in the within insider risk settings that the activity was performed on (such as adding or removing an indicator).
+- **Notice template**: The notice template the activity was performed on.
+- **Number of days**: The policy activation window defined in insider risk settings.
+- **Number of files**: The file volume limit defined in insider risk management settings.
+- **Policy template**: The policy template that the indicators acted on belongs to.
+- **Previous amount**: The previously selected custom indicator amounts for a policy.
+- **Priority user group**: The priority user group the activity was performed on.
+- **Removed**: Objects that were removed during the activity, such as users, file types, or domains.
+- **Sender**: The sender field of the notice template the activity was performed on.
+- **Target policy**: The policy the activity was performed on (such as adding a user to or removing a user from).
+- **Template message body**: The message body of the notice template the activity was performed on.
+- **Template subject**: The subject field of the notice template the activity was performed on.
+- **User:** User the activity was performed on.
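Review bot: the **Activity** field in the export list reads "Values are *Viewed, Deleted, Added, Edited policy, Case, User, Alert,* and *Settings*", which mixes activity verbs with the object categories already enumerated under **Category** (*Policies, Cases, Users, Alerts, Settings, Notice templates*); list only the activity values, or rewrite as "Viewed, Deleted, Added, Edited" applied to those categories. The **Activity performed by** entry names the groups *Insider Risk Management Admins*, *Analysts* and *Investigators*, but the role-group table in insider-risk-management-configure.md on this same page calls the first one **Insider Risk Management Admin**; use one spelling, and drop the stray word "role" in "one or more of the following role [insider risk management role groups]". Under **Columns and filtering**, "provide different pivots on the files and messages" is wording carried over from the Content explorer article; this log holds feature activities, not files or messages. "The indicator in the within insider risk settings" should be "The indicator within insider risk settings". Two practitioner caveats belong in this article: entries are permanently deleted after 180 days and the only export is the manual **Export** to .csv, so an organization that must retain this evidence longer has to schedule exports before the window closes; and because the **Date** column is the organization's local time while the Microsoft 365 unified audit log reports UTC, the export should state its time zone (or the article should say so) or correlating the two logs during an investigation will be error-prone.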
compliance Insider Risk Management Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-cases.md
Depending on the number and type of active insider risk management policies in y
## Investigate a case
-Deeper investigation into insider risk management alerts is critical to taking proper corrective actions. Insider risk management cases are the central management tool to dive deeper into user risk activity history and alert details, and to explore the content and messages exposed to risks. Risk analysts and investigators also use cases to centralize review feedback and notes and to process case resolution.
+Deeper investigation into insider risk management alerts is critical to taking proper corrective actions. Insider risk management cases are the central management tool to dive deeper into user risk activity history, alert details, the sequence of risk events, and to explore the content and messages exposed to risks. Risk analysts and investigators also use cases to centralize review feedback and notes and to process case resolution.
Selecting a case opens the case management tools and allows analysts and investigators to dig into the details of cases.
Use the filter control to filter alerts by several attributes, including:
### User activity
-The **User activity** tab is one of the most powerful tools for internal risk analysis and investigation for cases in the insider risk management solution. This tab is structured to enable quick review of a case, including a historical timeline of all alerts, all alerts details, the current risk score for the user in the case, and controls to take effective action to contain the risks in the case.
+The **User activity** tab is one of the most powerful tools for internal risk analysis and investigation for cases in the insider risk management solution. This tab is structured to enable quick review of a case, including a historical timeline of all alerts, alert details, the current risk score for the user in the case, the sequence of risk events, and controls to take effective action to contain the risks in the case.
![Insider risk management user activity](../media/insider-risk-user-activities.png)
-1. **Date and window time filters**: By default, the last six months of alerts confirmed in the case are displayed in the User activity chart. You can easily filter the chart view with either the slider controls at both ends of the chart window, or by defining specific start and end dates in the chart filter control.
+1. **Time filters**: By default, the last six months of alerts confirmed in the case are displayed in the User activity chart. You can easily filter the chart view by selecting the *6 Months*, *3 Months*, or *1 Month* tabs on the bubble chart.
2. **Risk alert activity and details**: Risk activities are visually displayed as colored bubbles in the User activity chart. Bubbles are created for different categories of risk and bubble size is proportional to the number of risk activities for the category. Select a bubble to display the details for each risk activity. Details include: - **Date** of the risk activity. - The **risk activity category**. For example, *Email(s) with attachments sent outside the organization* or *File(s) downloaded from SharePoint Online*. - **Risk score** for the alert. This score is the numerical score for the alert risk severity level.
- - Number of events associated with the alert. Links to each file or email associated with the risk activity is also available.
-3. **Risk activity legend**: Across the bottom of the user activity chart, a color-coded legend helps you quickly determine risk category for each alert.
-4. **Risk activity chronology**: The full chronology of all risk alerts associated with the case are listed, including all the details available in the corresponding alert bubble.
-5. **Case actions**: Options for resolving the case are on the case action toolbar. You can resolve a case, send an email notice to the user, or escalate the case for a data or user investigation.
+ - Number of events associated with the alert. Links to each file or email associated with the risk activity are also available.
+3. **Risk sequence (preview)**: The chronological order of risky activities is an important aspect of risk investigation and identifying these related activities is an important part of evaluating overall risk for your organization. Alert activities that are related are displayed with connecting lines to highlight that these activities are associated with a larger risk area. This view of activities can help investigators literally 'connect the dots' for risk activities that could have been viewed as isolated or one-off events. Select any bubble in the sequence to display details for all the associated risk activities. Details include:
+
+ - **Name** of the sequence.
+ - **Date** or **Date range** of the sequence.
+ - **Risk score** for the sequence. This score is the numerical score for the sequence of the combined alert risk severity levels for each related activity in the sequence.
+ - **Number of events associated with each alert in the sequence**. Links to each file or email associated with each risk activity are also available.
+ - **Show activities in sequence**. Displays sequence as a highlight line on the bubble chart and expands the alert details to display all related alerts in the sequence.
+
+4. **Risk activity legend**: Across the bottom of the user activity chart, a color-coded legend helps you quickly determine risk category for each alert.
+5. **Risk activity chronology**: The full chronology of all risk alerts associated with the case are listed, including all the details available in the corresponding alert bubble.
+6. **Case actions**: Options for resolving the case are on the case action toolbar. You can resolve a case, send an email notice to the user, or escalate the case for a data or user investigation.
### Activity explorer (preview)
The **Activity explorer** tab allows risk analysts and investigators to review a
For more information about the Activity explorer, see the [Insider risk management alerts](insider-risk-management-alerts.md#activity-explorer-preview) article.
-### Content Explorer
+### Content explorer
-The **Content Explorer** tab allows risk analysts and investigators to review copies of all individual files and email messages associated with risk alerts. For example, if an alert is created when a user downloads hundreds of files from SharePoint Online and the activity triggers a policy alert, all the downloaded files for the alert are captured and copied to the insider risk management case from original storage sources.
+The **Content explorer** tab allows risk analysts and investigators to review copies of all individual files and email messages associated with risk alerts. For example, if an alert is created when a user downloads hundreds of files from SharePoint Online and the activity triggers a policy alert, all the downloaded files for the alert are captured and copied to the insider risk management case from original storage sources.
-The Content Explorer is a powerful tool with basic and advanced search and filtering features. To learn more about using the Content Explorer, see [Insider risk management Content Explorer](insider-risk-management-content-explorer.md).
+The Content explorer is a powerful tool with basic and advanced search and filtering features. To learn more about using the Content explorer, see [Insider risk management Content explorer](insider-risk-management-content-explorer.md).
-![Insider risk management case Content Explorer](../media/insider-risk-content-explorer.png)
+![Insider risk management case Content explorer](../media/insider-risk-content-explorer.png)
### Case notes
To add a note to a case:
### Contributors
-The **Contributors** tab in the case is where risk analysts and investigators can add other reviewers to the case. Be default, all users assigned the **Insider Risk Management Analysts** and **Insider Risk Management Investigators** roles are listed as contributors for each active and closed case. Only users assigned the **Insider Risk Management Investigators** role have permission to view files and messages in the Content Explorer.
+The **Contributors** tab in the case is where risk analysts and investigators can add other reviewers to the case. Be default, all users assigned the **Insider Risk Management Analysts** and **Insider Risk Management Investigators** roles are listed as contributors for each active and closed case. Only users assigned the **Insider Risk Management Investigators** role have permission to view files and messages in the Content explorer.
Temporary access to a case can be granted by adding a user as a contributor. Contributors have all case management control on the specific case except: - Permission to confirm or dismiss alerts - Permission to edit the contributors for cases-- Permission to view files and messages in the Content Explorer
+- Permission to view files and messages in the Content explorer
To add a contributor to a case:
Sharing an insider risk management case allows risk investigators and analysts t
The following sharing options are available: -- **ServiceNow**: After configuring the Microsoft 365 ServiceNow connector for your Microsoft 365 organization, you can easily share a link to the case, open an incident, or request a change with your ServiceNow organization. To share the case with ServiceNow, select **Share** > **ServiceNow** from the case action. ServiceNow integration with insider risk management supports includes the following case information and actions:
+- **ServiceNow**: After configuring the Microsoft 365 ServiceNow connector for your Microsoft 365 organization, you can easily share a link to the case, open an incident, or request a change with your ServiceNow organization. To share the case with ServiceNow, select **Case Actions** > **Share** > **ServiceNow** from the case action. ServiceNow integration with insider risk management supports includes the following case information and actions:
- **Task name**: The name for the new ServiceNow task. - **Task description**: The description for the new ServiceNow task. This editable description field automatically includes a link to the insider risk management case. - **Task type**: The task type for the new ServiceNow task, either *Incident* or *Change request*.
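Review bot: two grammatical errors survive on `+` lines this hunk already touches: "Be default, all users assigned the **Insider Risk Management Analysts** and **Insider Risk Management Investigators** roles are listed as contributors" should read "By default", and "ServiceNow integration with insider risk management supports includes the following case information" should drop either "supports" or "includes". In the **User activity** list, "help investigators literally 'connect the dots'" is colloquial for reference documentation; "link activities that would otherwise look isolated" says the same. The list is renumbered 1 to 6 and now describes the 6/3/1 month tabs and the connecting lines of a risk sequence, but `../media/insider-risk-user-activities.png` is not updated in this change; verify the screenshot still matches the controls the text describes. The contributor limits are worth keeping as written: a contributor gets case control except confirming or dismissing alerts, editing contributors, and viewing files and messages in the Content explorer, which stays restricted to the Investigators role.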
compliance Insider Risk Management Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-configure.md
There are four roles groups used to configure permissions to manage insider risk
Depending on the structure of your compliance management team, you have options to assign users to specific role groups to manage different sets of insider risk management features. To view the **Permissions** tab in the Office 365 Security & Compliance Center and manage role groups, you need to be assigned to the *Organization Management* role group or need to be assigned the *Role Management* role. Choose from these role group options when configuring insider risk management: | **Role group** | **Role permissions** |
-| :- | :- |
-| **Insider Risk Management** | Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This configuration is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users.|
-| **Insider Risk Management Admin** | Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can create, read, update, and delete insider risk management policies, and global settings. |
-| **Insider Risk Management Analysts** | Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access all insider risk management alerts, cases, and notices templates. They cannot access the insider risk Content Explorer. |
-| **Insider Risk Management Investigators** | Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access all insider risk management alerts, cases, notices templates, and the Content Explorer. |
+| :- | :- |
+| **Insider Risk Management** | Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, investigators, and auditors you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles and associated permissions. This configuration is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users. |
+| **Insider Risk Management Admin** | Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can enable and view analytics insights and create, read, update, and delete insider risk management policies, global settings, and role group assignments. |
+| **Insider Risk Management Analysts** | Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access and view all insider risk management alerts, cases, analytics insights, and notices templates. They cannot access the insider risk Content explorer. |
+| **Insider Risk Management Investigators** | Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access to all insider risk management alerts, cases, notices templates, and the Content explorer for all cases. |
+| **Insider Risk Management Auditors** | Use this group to assign permissions to users that will audit insider risk management activities. Users in this role group can access the insider risk audit log. |
> [!NOTE] > These role groups are currently not supported on Privileged Identity Management (PIM). To learn more about PIM, see [Assign Azure AD roles in Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user).
Complete the following steps to add users to an insider risk management role gro
7. Select **Save** to add the users to the role group. Select **Close** to complete the steps.
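Review bot: the **Insider Risk Management Investigators** row reads "Users in this role group can access to all insider risk management alerts"; drop "to". "notices templates" in the Analysts and Investigators rows should be "notice templates", matching the **Notice templates** category used elsewhere in this change set. The table names the group **Insider Risk Management Admin**, while the new insider-risk-management-audit-log.md on this page says **Insider Risk Management Admins**; pick one spelling. With the **Insider Risk Management Auditors** row added, the unchanged introduction "There are four roles groups used to configure permissions" is now wrong on the count (five) and has a typo ("roles groups"). The Admin row now says the group can "create, read, update, and delete insider risk management policies, global settings, and role group assignments"; if that means Admin members can add users to the other insider risk role groups, state it explicitly, since it is the path by which Content explorer access (Investigators) and audit log access (Auditors) get granted and it should be reflected in how the Admin group itself is populated.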
-## Step 2: Enable the audit log
+## Step 2: Enable the Microsoft 365 audit log
-Insider risk management uses audit logs for user insights and activities configured in policies. The audit logs are a summary of all activities associated with an insider risk management policy or anytime a policy is changed.
+Insider risk management uses Microsoft 365 audit logs for user insights and activities identified in policies and analytics insights. The Microsoft 365 audit logs are a summary of all activities within your organization and insider risk management policies may use these activities for generating policy insights.
-For step-by-step instructions to turn on auditing, see [Turn audit log search on or off](turn-audit-log-search-on-or-off.md). After you turn on auditing, a message is displayed that says the audit log is being prepared and that you can run a search in a couple of hours after the preparation is complete. You only have to do this action once. For more information about the using the audit log, see [Search the audit log](search-the-audit-log-in-security-and-compliance.md).
+For step-by-step instructions to turn on auditing, see [Turn audit log search on or off](turn-audit-log-search-on-or-off.md). After you turn on auditing, a message is displayed that says the audit log is being prepared and that you can run a search in a couple of hours after the preparation is complete. You only have to do this action once. For more information about the using the Microsoft 365 audit log, see [Search the audit log](search-the-audit-log-in-security-and-compliance.md).
-## Step 3: Configure prerequisites for templates
+## Step 3: Enable and view insider risk analytics insights (optional)
-Most insider risk management templates have prerequisites that must be configured for policy indicators to generate relevant activity alerts. Configure the appropriate prerequisites depending on the policies you plan to configure for your organization.
+Insider risk management analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you may consider configuring. This evaluation may also help you determine needs for additional licensing or future optimization of existing policies. Analytics scan results may take up to 48 hours before insights are available as reports for review. To learn more about analytics insights, see [Insider risk management settings: Analytics (preview)](insider-risk-management-settings.md#analytics-preview).
+
+To enable insider risk Analytics, you must be a member of the *Insider Risk Management*, *Insider Risk Management Admin*, or Microsoft 365 *Global admin* role group.
+
+Complete the following steps to enable insider risk analytics:
+
+1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management**.
+2. Select **Run scan** on the **Scan for insider risks in your organization** card on the insider risk management **Overview** tab. This action turns on analytics scanning for your organization. You can also turn on scanning in your organization by navigating to **Insider risk settings** > **Analytics (preview)** and enabling **Scan your tenant's user activity to identify potential insider risks**.
+3. On the **Analytics details** pane, select **Run scan to start the scan for your organization**. Analytics scan results may take up to 24 hours before insights are available as reports for review.
+
+After reviewing the analytics insights, choose the insider risk policies and configure the associated prerequisites that best meet your organization's insider risk mitigation strategy.
+
+## Step 4: Configure prerequisites for policies
+
+Most insider risk management policies have prerequisites that must be configured for policy indicators to generate relevant activity alerts. Configure the appropriate prerequisites depending on the policies you plan to configure for your organization.
### Configure Microsoft 365 HR connector
See the [Getting started with insider risk management settings](insider-risk-man
### Configure Physical badging connector (optional)
-Insider risk management supports importing user and log data imported from physical control and access platforms. The Physical badging connector allows you to pull in access data from JSON files, including user IDs, access point IDs, access time and dates, and access status. This data helps drive alert indicators in insider risk management policies and is an important part of configuring full risk management coverage in your organization. If you configure more than one Physical badging connector for your organization, insider risk management automatically pulls indicators from all Physical badging connectors. Information from the Physical badging connector supplements other insider risk signals when using all insider risk policy templates.
+Insider risk management supports importing user and log data from physical control and access platforms. The Physical badging connector allows you to pull in access data from JSON files, including user IDs, access point IDs, access time and dates, and access status. This data helps drive alert indicators in insider risk management policies and is an important part of configuring full risk management coverage in your organization. If you configure more than one Physical badging connector for your organization, insider risk management automatically pulls indicators from all Physical badging connectors. Information from the Physical badging connector supplements other insider risk signals when using all insider risk policy templates.
>[!IMPORTANT] >For insider risk management policies to use and correlate signal data related to departing and terminated users with event data from your physical control and access platforms, you must also configure the Microsoft 365 HR connector. If you enable the Physical badging connector without enabling the Microsoft 365 HR connector, insider risk management policies will only process events for unauthorized physical access for users in your organization. See the [Set up a connector to import physical badging data](import-physical-badging-data.md) article for step-by-step guidance to configure the Physical badging connector for your organization. After you've configured the connector, return to these configuration steps.
-## Step 4: Configure insider risk settings
+### Configure Microsoft Defender for Endpoint (optional)
+
+[Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. To have better visibility of security violations in your organization, you can import and filter Defender for Endpoint alerts for activities used in policies created from insider risk management security violation policy templates.
+
+If you create security violation policies, you'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information about requirements, see the [Minimum requirements for Microsoft Defender for Endpoints](/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements) article.
+
+See the [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features#share-endpoint-alerts-with-microsoft-compliance-center) article for step-by-step guidance to configure Defender for Endpoint for insider risk management integration. After you've configured the Microsoft Defender for Endpoint, return to these configuration steps.
+
+## Step 5: Configure insider risk settings
[Insider risk settings](insider-risk-management-settings.md) apply to all insider risk management policies, regardless of the template you chose when creating a policy. Settings are configured using the **Insider risk settings** control located at the top of all insider risk management tabs. These settings control privacy, indicators, monitoring windows, and intelligent detections.
Before configuring a policy, define the following insider risk settings:
3. On the **Indicators** page, select the alert indicators you want to apply to all insider risk policies. >[!IMPORTANT]
- >In order to receive alerts for risky activity defined in your policies, you must select one or more indicators.
+ >In order to receive alerts for risky activity defined in your policies, you must select one or more indicators. If indicators aren't configured in Settings, the indicators won't be selectable in insider risk policies.
4. On the **Policy timeframes** page, select the [policy timeframes](insider-risk-management-settings.md#policy-timeframes) to go into effect for a user when they trigger a match for an insider risk policy. 5. On the **Intelligent detections** page, configure the following settings for insider risk policies:
- - [Anomaly detections](insider-risk-management-settings.md#anomaly-detections)
+ - [File type exclusions](insider-risk-management-settings.md#file-type-exclusions)
+ - [Thresholds for unusual file activity](insider-risk-management-settings.md#threshold-for-unusual-file-activity)
- [Alert volume level](insider-risk-management-settings.md#alert-volume) - [Microsoft Defender for Endpoint alert status](insider-risk-management-settings.md#microsoft-defender-for-endpoint-preview) - [Domain settings](insider-risk-management-settings.md#domains-preview)
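Review bot: the link text on the added Minimum requirements line reads "Microsoft Defender for Endpoints" (plural) while the rest of this section uses "Microsoft Defender for Endpoint"; drop the trailing "s". The closing sentence of the same section carries a stray article: "After you've configured the Microsoft Defender for Endpoint, return to these configuration steps" should read "After you've configured Microsoft Defender for Endpoint, return to these configuration steps". Further down, the new Intelligent detections bullet links to `#threshold-for-unusual-file-activity` (singular) under the text "Thresholds for unusual file activity" (plural); confirm the anchor matches the actual heading in insider-risk-management-settings.md so the link resolves.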
Before configuring a policy, define the following insider risk settings:
10. On the **Microsoft Teams** page, enable Microsoft Teams integration with insider risk management to automatically create a team for case or user collaboration. See the [Getting started with insider risk management settings](insider-risk-management-settings.md#microsoft-teams-preview) article for step-by-step guidance. 11. Select **Save** to enable these settings for your insider risk policies.
-## Step 5: Create an insider risk management policy
+## Step 6: Create an insider risk management policy
-Insider risk management policies include assigned users and define which types of risk indicators are configured for alerts. Before activities can trigger alerts, a policy must be configured.
+Insider risk management policies include assigned users and define which types of risk indicators are configured for alerts. Before activities can trigger alerts, a policy must be configured. Use the policy wizard to create new insider risk management policies.
1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** and select the **Policies** tab. 2. Select **Create policy** to open the policy wizard.
-3. On the **New insider risk policy** page, complete the following fields:
- - **Name (required)**: Enter a friendly name for the policy.
- - **Description (optional)**: Enter a description for the policy.
- - **Choose policy template (required)**: Select one of the [policy templates](insider-risk-management-policies.md#policy-templates) to define the types of risk indicators are monitored by the policy.
+3. On the **Policy template** page, choose a policy category and then select the template for the new policy. These templates are made up of conditions and indicators that define the risk activities you want to detect and investigate. Review the template prerequisites, triggering events, and detected activities to confirm this policy template fits your needs.
>[!IMPORTANT]
- >Most policy templates have prerequisites that must be configured for the policy to generate relevant alerts. If you haven't configured the applicable policy prerequisites, see **Step 3** above.
+ >Some policy templates have prerequisites that must be configured for the policy to generate relevant alerts. If you haven't configured the applicable policy prerequisites, see **Step 4** above.
4. Select **Next** to continue.
-5. On the **Users** page, select **Add user or group** or **Choose Priority user groups** to define which users or priority user groups are included in the policy, depending on the policy template you've selected. Select **All users and mail-enabled groups** checkbox if applicable (if you haven't selected a priority user-based template). Select **Next** to continue.
-6. On the **Specify what content to prioritize (optional)** page, you can assign the sources to prioritize for increased risk scores. However, some activities won't generate an alert at all unless the related content contains built-in or custom sensitive info types or was specified as a priority on this page:
- - **SharePoint sites**: Select **Add SharePoint site** and select the SharePoint organizations you want to prioritize. For example, *"group1@contoso.sharepoint.com/sites/group1"*.
+5. On the **Name and description** page, complete the following fields:
+ - **Name (required)**: Enter a friendly name for the policy. This name cannot be changed after the policy is created.
+ - **Description (optional)**: Enter a description for the policy.
+
+6. Select **Next** to continue.
+7. On the **Users and groups** page, select **Include all users and groups** or **Include specific users and groups** to define which users or groups are included in the policy, or if you've chosen a priority users-based template; select **Add or edit priority user groups**. Selecting **Include all users and groups** will look for triggering events for all users and groups in your organization to start assigning risk scores for the policy. Selecting **Include specific users and groups** allows you to define which users and groups to assign to the policy.
+8. Select **Next** to continue.
+9. On the **Content to prioritize** page, you can assign (if needed) the sources to prioritize, which increases the chance of generating a high severity alert for these sources. Select one of the following choices:
+
+ - **I want to specify SharePoint sites, sensitivity labels, and/or sensitive information types as priority content**. Selecting this option will enable detail pages in the wizard to configure these channels.
+ - **I don't want to specify priority content right now (you'll be able to do this after the policy is created)**. Selecting this option will skip the channel detail pages in the wizard.
+
+10. Select **Next** to continue.
+
+11. If you selected **I want to specify SharePoint sites, sensitivity labels, and/or sensitive information types as priority content** in the previous step, you'll see the detail pages for *SharePoint sites*, *Sensitive info types*, and *Sensitivity labels*. Use these detail pages to define the SharePoint, sensitive info types, and sensitivity labels to prioritize in the policy.
+
+ - **SharePoint sites**: Select **Add SharePoint site** and select the SharePoint organizations you have access to and want to prioritize. For example, *"group1@contoso.sharepoint.com/sites/group1"*.
- **Sensitive info type**: Select **Add sensitive info type** and select the sensitivity types you want to prioritize. For example, *"U.S. Bank Account Number"* and *"Credit Card Number"*. - **Sensitivity labels**: Select **Add sensitivity label** and select the labels you want to prioritize. For example, *"Confidential"* and *"Secret"*.
-7. Select **Next** to continue.
-8. On the **Select policy indicators** page, you'll see the [indicators](insider-risk-management-settings.md#indicators) that you've defined as available on the **Insider risk settings** > **Indicators** page. If you selected a *Data leaks* template at the beginning of the wizard, you must select a DLP policy from the **DLP policy** dropdown list to enable triggering indicators for the policy. Select the indicators you want to apply to the policy. If you prefer not to use the default policy threshold settings for these indicators, disable the **Use default thresholds recommended by Microsoft** and enter the threshold values for each selected indicator. If you've selected at least one *Office* or *Device* indicator, select the **Risk score boosters** as appropriate. Risk score boosters are only applicable for selected indicators.
+
+12. Select **Next** to continue.
+13. On the **Indicators and triggering events** page, you'll see the [indicators](insider-risk-management-settings.md#indicators) that you've defined as available on the **Insider risk settings** > **Indicators** page. If you selected a *Data leaks* template at the beginning of the wizard, you must select a DLP policy from the **DLP policy** dropdown list to enable triggering indicators for the policy or select the built-in triggering event.
>[!IMPORTANT]
- >If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies on the **Insider risk management** > **Settings** > **Policy indicators** page.
+ >If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies. You can use the **Turn on indicators** button in the wizard or select indicators on the **Insider risk management** > **Settings** > **Policy indicators** page.
+
+ Select the indicators you want to apply to the policy. If you prefer not to use the default policy threshold settings for these indicators, disable the **Use default thresholds recommended by Microsoft** and enter the threshold values for each selected indicator.
+
+ - If you've selected at least one *Office* or *Device* indicator, select the **Risk score boosters** as appropriate. Risk score boosters are only applicable for selected indicators.
+ - If you've selected a *Data theft* or *Data leaks* policy template, select one or more **Sequence detection** methods and a **Cumulative exfiltration detection** method to apply to the policy.
-9. Select **Next** to continue.
-10. On the **Policy timeframes** page, you'll see the [activation window conditions](insider-risk-management-settings.md#policy-timeframes) for the policy that on the **Insider risk settings** > **Policy timeframes** page.
-11. Select **Next** to continue.
-12. On the **Review** page, review the settings you've chosen for the policy. Select **Edit** to change any of the policy values or select **Submit** to create and activate the policy.
+14. Select **Next** to continue.
+15. On the **Indicator thresholds** page, select the option to use default indicator thresholds or to specify custom thresholds for individual indicators. For each indicator, choose the appropriate level to generate the desired level of activity alerts.
+16. Select **Next** to continue.
+17. On the **Review** page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Select **Edit** to change any of the policy values or select **Submit** to create and activate the policy.
## Next steps
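Review bot: the added step 13 text still tells the reader to disable **Use default thresholds recommended by Microsoft** and enter threshold values on the Indicators and triggering events page, while the new step 15 introduces a separate **Indicator thresholds** page for the same default-or-custom choice; keep the threshold instructions on one page (presumably step 15) so the wizard walkthrough does not describe the same setting twice. Two smaller points: in step 7 the semicolon in "or if you've chosen a priority users-based template; select **Add or edit priority user groups**" should be a comma, and step 11's "define the SharePoint, sensitive info types, and sensitivity labels" should read "SharePoint sites".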
compliance Insider Risk Management Content Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-content-explorer.md
Title: Insider risk management Content Explorer
-description: Learn about insider risk management Content Explorer in Microsoft 365
+ Title: Insider risk management Content explorer
+description: Learn about insider risk management Content explorer in Microsoft 365
keywords: Microsoft 365, insider risk management, risk management, compliance localization_priority: Normal ms.prod: microsoft-365-enterprise
audience: itpro
-# Insider risk management Content Explorer
+# Insider risk management Content explorer
-The insider risk management Content Explorer allows users assigned the *Insider Risk Management Investigators* role to examine the context and details of content associated with activity in alerts. For all alerts that are confirmed to a case, copies of data and message files are archived as a snapshot in time of the items, while maintaining the original files and messages in the storage sources. The copying of data and messages is transparent to the user associated with the alert and to the owner of the content. If the content includes Information Rights management permissions, these permissions are maintained for the copied content and users assigned the *Insider Risk Management Investigators* role will need these permissions and rights if they need to open and view the files. Each file and message are automatically assigned a unique file ID in the insider risk management case for management purposes. Documents associated with device indicator activities are not included in Content Explorer.
+The insider risk management **Content explorer** allows users assigned the *Insider Risk Management Investigators* role to examine the context and details of content associated with activity in alerts. The case data in Content explorer is refreshed daily to include new activity. For all alerts that are confirmed to a case, copies of data and message files are archived as a snapshot in time of the items, while maintaining the original files and messages in the storage sources. The copying of data and messages is transparent to the user associated with the alert and to the owner of the content. For new cases, it usually takes about an hour for content to populate in Content explorer. For cases with large amounts of content, it may take longer to create a snapshot. If content is still loading in Content explorer, you will see a progress indicator that displays the completion percentage.
-![Insider risk management content explorer](../media/insider-risk-content-explorer.png)
+In some cases, data associated with a case may not be available as a snapshot for review in Content explorer. This situation may occur when case data has been deleted or moved, or when a temporary error occurs when processing case data. If this situation occurs, select **View files** in the warning bar to view the file names, file path, and reason for the failure for each file. If needed, this information can be exported to a .csv (comma-separated values) file.
+
+If the content includes Information Rights Management permissions, these permissions are maintained for the copied content and users assigned the *Insider Risk Management Investigators* role will need these permissions and rights if they need to open and view the files. Each file and message are automatically assigned a unique file ID in the insider risk management case for management purposes. Documents associated with device indicator activities are not included in Content explorer.
+
+![Insider risk management Content explorer](../media/insider-risk-content-explorer.png)
+
+>[!Note]
+>Content explorer includes activities related to Microsoft Office files. Site-level activities, such as when a SharePoint site is deleted or if site permissions are changed, aren't included in Content explorer.
## Column options
-To make it easier for risk analysts and investigators to review captured data and messages and review the context to the case, several filtering and sorting tools are included in the Content Explorer. For basic sorting, the **Date** and **File class** columns support sorting using the column titles in the content queue pane. Other queue columns are available to add to the view to provide different pivots on the files and messages.
+To make it easier for risk analysts and investigators to review captured data and messages and review the context to the case, several filtering and sorting tools are included in the Content explorer. For basic sorting, the **Date** and **File class** columns support sorting using the column titles in the content queue pane. Other queue columns are available to add to the view to provide different pivots on the files and messages.
-To add or remove column headings for the content queue, use the **Edit columns** control and select from the following column options. These columns map to the common, email, and document property conditions supported in the Content Explorer and listed later in this article.
+To add or remove column headings for the content queue, use the **Edit columns** control and select from the following column options. These columns map to the common, email, and document property conditions supported in the Content explorer and listed later in this article.
| **Column option** | **Description** | |:|:-|
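Review bot: the added front-matter line " Title: Insider risk management Content explorer" starts with a space while the other keys (description, keywords, audience) start in column 0; inconsistent indentation in a YAML block mapping breaks front-matter parsing, so remove the leading space. Two smaller points in the same hunk: the new callout uses `>[!Note]` whereas the other callouts in this change set use the uppercase form (`>[!IMPORTANT]`), and "Each file and message are automatically assigned a unique file ID" should be "is", since "each" takes a singular verb.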
To add or remove column headings for the content queue, use the **Edit columns**
| **Conversation ID** | Conversation Id from the message. | | **Conversation index** | Conversation index from the message. | | **Created time** | The time the file or email message was created. |
-| **Date** | For email, the date a message was received by a recipient or sent by the sender. For documents, the date a document was last modified. |
+| **Date (UTC)** | For email, the date a message was received by a recipient or sent by the sender. For documents, the date a document was last modified. Date is in Coordinated Universal Time (UTC).|
| **Dominant theme** | Dominant theme as calculated for analytics. | | **Email set ID** | Group ID for all messages in the same email set. | | **Family ID** | Family Id groups together all items; for email, this column includes the message and all attachments; for documents, this column includes the document and any embedded items. |
-| **File class** | For content from SharePoint and OneDrive: **Document**; for content from Exchange: **Email or **Attachment**. |
+| **File class** | For content from SharePoint and OneDrive: **Document**; for content from Exchange: **Email** or **Attachment**. |
| **File ID** | Document identifier unique within the case. | | **File type icon** | The extension of a file; for example, docx, one, pptx, or xlsx. This field is the same property as the FileExtension site property. | | **ID** | The GUID identifier for the file. |
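Review bot: the new **Date (UTC)** row ends with "Coordinated Universal Time (UTC).|" with no space before the closing pipe, unlike the other rows in this table; add the space for consistency.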
To add or remove column headings for the content queue, use the **Edit columns**
| **Inclusive type** | Inclusive type calculated for analytics: **0** - not inclusive; **1** - inclusive; **2** - inclusive minus; **3** - inclusive copy. | | **Last modified** | The date that a document was last changed. | | **Marked as representative** | One document from each set of exact duplicates is marked as representatives. |
-| **Message kind** | The type of email message to search for. Possible values: contacts, docs, email, external data, faxes, im, journals, meetings, microsoft teams (returns items from chats, meetings, and calls in Microsoft Teams), notes, posts, rssfeeds, tasks, voicemail |
+| **Message kind** | The type of email message to search for. Possible values: contacts, docs, email, external data, faxes, im, journals, meetings, microsoft teams (returns items from chats, meetings, and calls in Microsoft Teams), notes, posts, RSS feeds, tasks, voicemail |
| **Participants** | List of all participants of a message; for example, Sender, To, Cc, Bcc. | | **Pivot ID** | The ID of a pivot. | | **Received** | The date that an email message was received by a recipient. This field is the same property as the Received email property. |
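Review bot: the Message kind row presents "Possible values" as literal filter tokens (im, microsoft teams, rssfeeds, voicemail), so changing "rssfeeds" to "RSS feeds" changes the value a reader would type rather than fixing a typo; if the accepted value is still rssfeeds, revert this edit, and if the intent is a readable label, keep the literal value alongside it, e.g. "RSS feeds (rssfeeds)".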
To add or remove column headings for the content queue, use the **Edit columns**
| **Representative ID** | Numeric identifier of each set of exact duplicates. | | **Sender** | The sender of an email message. | | **Sender/Author** | For email, the person who sent a message. For documents, the person cited in the author field from Office documents. You can type more than one name, separated by commas. Two or more values are logically connected by the OR operator. |
+| **Sensitive info types** | The sensitive info types identified in content. |
+| **Sensitivity labels** | The sensitivity labels applied to the content. |
| **Sent** | The date that an email message was sent by the sender. This field is the same property as the Sent email property. | | **Size** | For both email and documents, the size of the item (in bytes). | | **Subject** | The text in the subject line of an email message. |
For advanced filter and search tools, expand the **Filter** pane on the left sid
### Email property conditions
-The following table lists email message property conditions available the Content Explorer.
+The following table lists email message property conditions available in the Content explorer.
| **Condition option** | **Description** | |:|:-|
The following table lists email message property conditions available the Conten
## Document property conditions
-The following table lists documents property conditions available the Content Explorer. Many of these property conditions are shared with review sets included in [Advanced eDiscovery cases](document-metadata-fields-in-Advanced-eDiscovery.md).
+The following table lists documents property conditions available the Content explorer. Many of these property conditions are shared with review sets included in [Advanced eDiscovery cases](document-metadata-fields-in-Advanced-eDiscovery.md).
| **Condition option** | **Description** | |:|:-|
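Review bot: the Document property conditions intro is still missing "in": "The following table lists documents property conditions available the Content explorer" should read "lists document property conditions available in the Content explorer", matching the fix applied to the parallel Email property conditions sentence in the preceding hunk.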
compliance Insider Risk Management Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-plan.md
Depending on the structure of your compliance management team, you have options
| **Role group** | **Role permissions** | | :- | :- |
-| **Insider Risk Management** | Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This configuration is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users.|
-| **Insider Risk Management Admin** | Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can create, read, update, and delete insider risk management policies, and global settings. |
-| **Insider Risk Management Analysts** | Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access to all insider risk management alerts, cases, and notices templates. They cannot access the insider risk Content Explorer. |
-| **Insider Risk Management Investigators** | Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access to all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases. |
+| **Insider Risk Management** | Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, investigators, and auditors you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles and associated permissions. This configuration is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users. |
+| **Insider Risk Management Admin** | Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can enable and view analytics insights and create, read, update, and delete insider risk management policies, global settings, and role group assignments. |
+| **Insider Risk Management Analysts** | Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access and view all insider risk management alerts, cases, analytics insights, and notices templates. They cannot access the insider risk Content explorer. |
+| **Insider Risk Management Investigators** | Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access to all insider risk management alerts, cases, notices templates, and the Content explorer for all cases. |
+| **Insider Risk Management Auditors** | Use this group to assign permissions to users that will audit insider risk management activities. Users in this role group can access the insider risk audit log. |
## Understand requirements and dependencies
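Review bot: the Insider Risk Management Investigators row still reads "Users in this role group can access to all insider risk management alerts", the same "access to" wording that the Analysts row in this hunk corrects to "access and view all"; apply the same fix here. Also add a comma after "auditors" in "designated administrators, analysts, investigators, and auditors you can configure" in the first row.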
Share insider risk management documentation with the stakeholders in your organi
- [Create and manage insider risk policies](insider-risk-management-policies.md) - [Investigate insider risk alerts](insider-risk-management-alerts.md) - [Take action on insider risk cases](insider-risk-management-cases.md)-- [Review case data with the insider risk Content Explorer](insider-risk-management-content-explorer.md)
+- [Review case data with the insider risk Content explorer](insider-risk-management-content-explorer.md)
- [Create insider risk notice templates](insider-risk-management-notices.md) ## Ready to get started?
compliance Insider Risk Management Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-policies.md
# Insider risk management policies
-Insider risk management policies determine which users are in-scope and which types of risk indicators are configured for alerts. You can quickly create a policy that applies to all users in your organization or define individual users or groups for management in a policy. Policies support content priorities to focus policy conditions on multiple or specific Microsoft Teams, SharePoint sites, data sensitivity types, and data labels. Using templates, you can select specific risk indicators and customize event thresholds for policy indicators, effectively customizing risk scores and level and frequency of alerts. Additionally, risk score boosters and anomaly detections help identify user activity that is of higher importance or more unusual. Policies windows allow you to define the time frame to apply the policy to alert activities and are used to determine the duration of the policy once activated.
+Insider risk management policies determine which users are in-scope and which types of risk indicators are configured for alerts. You can quickly create a policy that applies to all users in your organization or define individual users or groups for management in a policy. Policies support content priorities to focus policy conditions on multiple or specific Microsoft Teams, SharePoint sites, data sensitivity types, and data labels. Using templates, you can select specific risk indicators and customize event thresholds for policy indicators, effectively customizing risk scores, and level and frequency of alerts. Additionally, risk score boosters and anomaly detections help identify user activity that is of higher importance or more unusual. Policy windows allow you to define the time frame to apply the policy to alert activities and are used to determine the duration of the policy once activated.
## Policy dashboard
-The **Policy dashboard** allows you to quickly see the policies in your organization and the current status of alerts associated with each policy.
+The **Policy dashboard** allows you to quickly see the policies in your organization, the health of the policy, manually add users to policies, and the view the status of alerts associated with each policy.
- **Policy name**: The name assigned to the policy in the policy wizard.
+- **Status**: The health status for each policy. Displays number of policy warnings and recommendations, or a status of *Healthy* for policies without issues. You can click on the policy to see the health status details for any warnings or recommendations.
- **Active alerts**: The number of active alerts for each policy. - **Confirmed alerts**: The total number of alerts the resulted in cases from the policy in the last 365 days. - **Actions taken on alerts**: The total number of alerts that were confirmed or dismissed for the last 365 days.-- **Policy effectiveness**: The percentage determined by total confirmed alerts divided by total actions taken on alerts (which is the sum of alerts that were confirmed or dismissed over the past year).-- **Active**: The status of the case, either *Yes* or *No*.
+- **Policy alert effectiveness**: The percentage determined by total confirmed alerts divided by total actions taken on alerts (which is the sum of alerts that were confirmed or dismissed over the past year).
![Insider risk management policy dashboard](../media/insider-risk-policy-dashboard.png)
+## Policy recommendations from analytics (preview)
+
+Insider risk analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you may consider configuring.
+
+To learn more about insider risk analytics and policy recommendations, see [Insider risk management settings: Analytics (preview)](insider-risk-management-settings.md#analytics-preview).
+ ## Policy templates Insider risk management templates are pre-defined policy conditions that define the types of risk indicators and risk scoring model used by the policy. Each policy must have a template assigned in the policy creation wizard before the policy is created. Insider risk management supports up to five policies for each policy template. When you create a new insider risk policy with the policy wizard, you'll choose from one of the following policy templates: ### Data theft by departing users
-When users leave your organization, there are specific risk indicators typically associated with data theft by departing users. This policy template uses indicators for risk scoring and focuses detection and alerts to this risk area. Data theft for departing users may include downloading files from SharePoint Online, printing files, and copying data to personal cloud messaging and storage services near their employment resignation and end dates. This template starts scoring for risk indicators relating to these activities and how they correlate with user employment status.
+When users leave your organization, there are specific risk indicators typically associated with data theft by departing users. This policy template uses exfiltration indicators for risk scoring and focuses on detection and alerts in this risk area. Data theft for departing users may include downloading files from SharePoint Online, printing files, and copying data to personal cloud messaging and storage services near their employment resignation and end dates. By using either the Microsoft 365 HR connector or the option to automatically monitor for user account deletion in Azure Active Directory for your organization, this template starts scoring for risk indicators relating to these activities and how they correlate with user employment status.
>[!IMPORTANT]
->When using this template, you must configure a Microsoft 365 HR connector to periodically import resignation and termination date information for users in your organization. See the [Import data with the HR connector](import-hr-data.md) article for step-by-step guidance to configure the Microsoft 365 HR connector for your organization.
+>When using this template, you can configure a Microsoft 365 HR connector to periodically import resignation and termination date information for users in your organization. See the [Import data with the HR connector](import-hr-data.md) article for step-by-step guidance to configure the Microsoft 365 HR connector for your organization. If you choose not to use the HR connector, you must select the User account deleted from Azure AD option when configuring trigger events in the policy wizard.
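Review bot: the reworded IMPORTANT callout turns 'must configure' into 'can configure' and then says the reader 'must select the User account deleted from Azure AD option' if the connector is not used, so the real requirement (exactly one of the two triggering events must be configured) is only implied; state it directly. The same trigger is given three names in this hunk and the table further down: 'automatically monitor for user account deletion in Azure Active Directory', 'User account deleted from Azure AD option', and 'Azure Active Directory integration enabled'; pick one, and format the wizard option as UI text the way the page does elsewhere (**User account deleted from Azure AD**). It is also worth saying how far back activity is scored once the deletion trigger fires: the paragraph says the template scores downloads and copies 'near their employment resignation and end dates', and an account deletion necessarily happens after those dates, so without a stated lookback the reader cannot tell whether pre-departure activity is covered by this trigger.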
### General data leaks
-Protecting data and preventing data leaks is a constant challenge for most organizations, particularly with the rapid grow of new data created by users, devices, and services. Users are empowered to create, store, and share information across services and devices that make managing data leaks increasingly more complex and difficult. Data leaks can include accidental oversharing of information outside your organization or data theft with malicious intent. In conjunction with an assigned Data Loss Prevention (DLP) policy, this template starts scoring real-time detections of suspicious SharePoint Online data downloads, file and folder sharing, printing files, and copying data to personal cloud messaging and storage services.
+Protecting data and preventing data leaks is a constant challenge for most organizations, particularly with the rapid grow of new data created by users, devices, and services. Users are empowered to create, store, and share information across services and devices that make managing data leaks increasingly more complex and difficult. Data leaks can include accidental oversharing of information outside your organization or data theft with malicious intent. With an assigned Data Loss Prevention (DLP) policy or the built-in triggering event, this template starts scoring real-time detections of suspicious SharePoint Online data downloads, file and folder sharing, printing files, and copying data to personal cloud messaging and storage services.
-When using a **Data leaks** template, you must assign a DLP policy to trigger indicators in the insider risk policy for high severity alerts in your organization. Whenever a high severity alert is generated by a DLP policy rule is added to the Office 365 audit log, insider risk policies created with this template automatically examine the high severity DLP alert. If the alert contains an in-scope user defined in the insider risk policy, the alert is processed by the insider risk policy as a new alert and assigned an insider risk severity and risk score. This policy allows you to evaluate this alert in context with other activities included in the case.
+When using a *Data leaks* template, you can assign a DLP policy to trigger indicators in the insider risk policy for high severity alerts in your organization. Whenever a high severity alert is generated by a DLP policy rule is added to the Office 365 audit log, insider risk policies created with this template automatically examine the high severity DLP alert. If the alert contains an in-scope user defined in the insider risk policy, the alert is processed by the insider risk policy as a new alert and assigned an insider risk severity and risk score. This policy allows you to evaluate this alert in context with other activities included in the case. If you don't choose a DLP policy, you must select the built-in triggering event.
#### Data leaks policy guidelines
See the [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) ar
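Review bot: the retained typo 'rapid grow of new data' should be 'rapid growth', and 'Whenever a high severity alert is generated by a DLP policy rule is added to the Office 365 audit log' is missing a conjunction ('is generated by a DLP policy rule and added to the Office 365 audit log'). The new alternative to a DLP policy is called only 'the built-in triggering event' here, 'built-in data exfiltration triggering event' in the prerequisites table, and 'User performs an exfiltration activity' in the policy health table; use the wizard's label consistently so the reader can find it. Finally, '*Data leaks* template' is italicised here while the next subsection refers to the same template in bold as **General data leaks template**; the name should match the heading 'General data leaks' in both places.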
### Data leaks by priority users (preview)
-Protecting data and preventing data leaks for users in your organization may depend on their position, level of access to sensitive information, or risk history. Data leaks can include accidental oversharing of highly sensitive information outside your organization or data theft with malicious intent. In conjunction with an assigned Data Loss Prevention (DLP) policy, this template starts scoring real-time detections of suspicious activity and result in an increased likelihood of insider risk alerts and alerts with higher severity levels. Priority users are defined in [priority user groups](insider-risk-management-settings.md#priority-user-groups-preview) configured in the insider risk management settings area.
+Protecting data and preventing data leaks for users in your organization may depend on their position, level of access to sensitive information, or risk history. Data leaks can include accidental oversharing of highly sensitive information outside your organization or data theft with malicious intent. With an assigned Data Loss Prevention (DLP) policy, this template starts scoring real-time detections of suspicious activity and result in an increased likelihood of insider risk alerts and alerts with higher severity levels. Priority users are defined in [priority user groups](insider-risk-management-settings.md#priority-user-groups-preview) configured in the insider risk management settings area.
As with the **General data leaks template**, you must assign a DLP policy to trigger indicators in the insider risk policy for high severity alerts in your organization. Follow the Data leaks policy guidelines above when creating a policy using this template. Additionally, you will need to assign priority user groups created in **Insider risk management** > **Settings** > **Priority user groups** to the policy. ### Data leaks by disgruntled users (preview)
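Review bot: this hunk softens 'In conjunction with an assigned DLP policy' to 'With an assigned DLP policy', but the unchanged sentence that follows ('As with the General data leaks template, you must assign a DLP policy to trigger indicators') still makes a DLP policy mandatory, while the prerequisites table row for this template now marks the DLP policy as optional and lists the built-in exfiltration trigger as an alternative. Update this sentence the same way the General data leaks paragraph above was updated, so the two descriptions of the same trigger do not contradict each other. Also 'starts scoring real-time detections of suspicious activity and result in' should be 'results in'.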
-When users experience employment stressors, they may become disgruntled which may increase the chances of insider risk activity. This template starts scoring user activity when an indicator associated with disgruntlement is identified. Examples include performance improvement notifications, poor performance reviews, or changes to job level status. Data leaks for disgruntled users may include downloading files from SharePoint Online and copying data to personal cloud messaging and storage services near employment stressor events.
+When users experience employment stressors, they may become disgruntled, which may increase the chances of insider risk activity. This template starts scoring user activity when an indicator associated with disgruntlement is identified. Examples include performance improvement notifications, poor performance reviews, or changes to job level status. Data leaks for disgruntled users may include downloading files from SharePoint Online and copying data to personal cloud messaging and storage services near employment stressor events.
When using this template, you must also configure a Microsoft 365 HR connector to periodically import performance improvement notifications, poor performance review status, or job level change information for users in your organization. See the [Import data with the HR connector](import-hr-data.md) article for step-by-step guidance to configure the Microsoft 365 HR connector for your organization. ### General security policy violations (preview)
-In many organizations, users have permissions to install software on their devices or to modify device settings to help with their tasks. Either inadvertently or with malicious intent, users may install malware or disable important security features that help protect information on their device or on your network resources. This policy template uses security alerts from Microsoft Defender for Endpoint to start scoring these activities and focus detection and alerts to this risk area. Use this template to provide insights for security policy violations in scenarios when users may have a history of security policy violations that may be an indicator of insider risk.
+In many organizations, users have permission to install software on their devices or to modify device settings to help with their tasks. Either inadvertently or with malicious intent, users may install malware or disable important security features that help protect information on their device or on your network resources. This policy template uses security alerts from Microsoft Defender for Endpoint to start scoring these activities and focus detection and alerts to this risk area. Use this template to provide insights for security policy violations in scenarios when users may have a history of security policy violations that may be an indicator of insider risk.
You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features#share-endpoint-alerts-with-microsoft-compliance-center). ### Security policy violations by departing users (preview)
-Departing users, whether leaving on positive or negative terms, may be higher risks for security policy violations. To help protect against inadvertent or malicious security violations for departing users, this policy template uses Defender for Endpoint alerts to provide insights into security-related activities. These activities include the user installing malware or other potentially harmful applications and disabling security features on their devices. Policy indicators are activated after users have a resignation or termination date imported from the Microsoft 365 HR Connector as a triggering event.
-
-When using this template, you must configure a Microsoft 365 HR connector to periodically import resignation and termination date information for users in your organization. See the [Import data with the HR connector](import-hr-data.md) article for step-by-step guidance to configure the Microsoft 365 HR connector for your organization.
+Departing users, whether leaving on positive or negative terms, may be higher risks for security policy violations. To help protect against inadvertent or malicious security violations for departing users, this policy template uses Defender for Endpoint alerts to provide insights into security-related activities. These activities include the user installing malware or other potentially harmful applications and disabling security features on their devices. By using either the [Microsoft 365 HR connector](import-hr-data.md) or the option to automatically monitor for user account deletion in Azure Active Directory for your organization, this template starts scoring for risk indicators relating to these security activities and how they correlate with user employment status.
You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features#share-endpoint-alerts-with-microsoft-compliance-center). ### Security policy violations by priority users (preview)
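Review bot: the replacement paragraph makes the HR connector optional (HR connector or Azure AD account deletion), but unlike the Data theft by departing users template this subsection no longer tells the reader that, when the HR connector is not used, the Azure AD account-deleted triggering event must be selected in the policy wizard; the removed paragraph at least stated a requirement. Add the same IMPORTANT callout used for Data theft by departing users so the two departing-user templates read consistently and a reader does not end up with a policy that has no triggering event.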
-Protecting against security violations for users in your organization may depend on their position, level of access to sensitive information, or risk history. Because security violations by priority users may have an outsized impact on your organization's critical areas, this policy template starts scoring on these indicators and uses Microsoft Defender for Endpoint alerts to provide insights into security-related activities for these users. These may include the priority users installing malware or other potentially harmful applications and disabling security features on their devices. Priority users are defined in priority user groups configured in the insider risk management settings area.
+Protecting against security violations for users in your organization may depend on their position, level of access to sensitive information, or risk history. Because security violations by priority users may have a significant impact on your organization's critical areas, this policy template starts scoring on these indicators and uses Microsoft Defender for Endpoint alerts to provide insights into security-related activities for these users. These activities may include the priority users installing malware or other potentially harmful applications and disabling security features on their devices. Priority users are defined in priority user groups configured in the insider risk management settings area.
You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features#share-endpoint-alerts-with-microsoft-compliance-center). Additionally, you will need to assign priority user groups created in **Insider risk management** > **Settings** > **Priority user groups** to the policy. ### Security policy violations by disgruntled users (preview)
-Users that experience employment stressors may be at a higher risk for inadvertent or malicious security policy violations. These stressors may include the user being placed on a performance improvement plan, poor performance review status, or being demoted from their current position. This policy template starts risk scoring based these indicators and activities associated with these events for these users.
+Users that experience employment stressors may be at a higher risk for inadvertent or malicious security policy violations. These stressors may include the user being placed on a performance improvement plan, poor performance review status, or being demoted from their current position. This policy template starts risk scoring based on these indicators and activities associated with these events for these users.
When using this template, you must also configure a Microsoft 365 HR connector to periodically import performance improvement notifications, poor performance review status, or job level change information for users in your organization. See the [Import data with the HR connector](import-hr-data.md) article for step-by-step guidance to configure the Microsoft 365 HR connector for your organization.
The following table lists the triggering events and prerequisites for policies c
| **Policy template** | **Triggering events for policies** | **Prerequisites** | | : | : | :- |
-| Data theft by departing users | Resignation or termination date indicator from HR connector | Microsoft 365 HR connector configured for termination and resignation date indicators |
-| General data leaks | Data leak policy activity that creates a High severity alert | DLP policy configured for High severity alerts |
-| Data leaks by priority users | Data leak policy activity that creates a High severity alert | DLP policy configured for High severity alerts <br><br> Priority user groups configured in insider risk settings |
+| Data theft by departing users | Resignation or termination date indicator from HR connector | (optional) Microsoft 365 HR connector configured for termination and resignation date indicators or Azure Active Directory integration enabled |
+| General data leaks | Data leak policy activity that creates a High severity alert | (optional) DLP policy configured for High severity alerts or built-in data exfiltration triggering event |
+| Data leaks by priority users | Data leak policy activity that creates a *High severity* alert or built-in exfiltration event triggers | (optional) DLP policy configured for High severity alerts <br><br> Priority user groups configured in insider risk settings |
| Data leaks by disgruntled users | Performance improvement, poor performance, or job level change indicators from HR connector | Microsoft 365 HR connector configured for disgruntlement indicators | | General security policy violations | Defensive evasion of security controls or unwanted software detected by Microsoft Defender for Endpoint | Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft 365 compliance center configured |
-| Security policy violations by departing users | Resignation or termination date indicators from HR connector | Microsoft 365 HR connector configured for termination and resignation date indicators <br><br> Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft 365 compliance center configured |
+| Security policy violations by departing users | Resignation or termination date indicators from HR connector or Azure Active Directory account deletion | (optional) Microsoft 365 HR connector configured for termination and resignation date indicators <br><br> Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft 365 compliance center configured |
| Security policy violations by priority users | Defensive evasion of security controls or unwanted software detected by Microsoft Defender for Endpoint | Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft 365 compliance center configured <br><br> Priority user groups configured in insider risk settings | | Security policy violations by disgruntled user | Performance improvement, poor performance, or job level change indicators from HR connector | Microsoft 365 HR connector configured for disgruntlement indicators <br><br> Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft 365 compliance center configured | ## Prioritize content in policies
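Review bot: the table is now internally inconsistent. The 'Data theft by departing users' row keeps 'Resignation or termination date indicator from HR connector' as the only triggering event while its prerequisite column was changed to allow Azure AD integration; the 'Security policy violations by departing users' row was updated in both columns, so update the first row the same way. Likewise 'General data leaks' adds the built-in exfiltration event only in the prerequisite column, whereas 'Data leaks by priority users' adds it in the triggering-event column. The '(optional)' prefix also reads as if the entire cell is optional, when in fact one of the two alternatives is required; phrase those cells as 'One of: Microsoft 365 HR connector configured for termination and resignation date indicators, or Azure AD account deletion monitoring enabled'. The built-in trigger is named 'built-in data exfiltration triggering event' here and 'User performs an exfiltration activity' in the policy health table below; use one name.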
-Insider risk management policies support specifying a higher priority for content depending where it is stored or how it is classified. Specifying content as a priority increases the risk score for any associated activity, which in turn increases the chance of generating a high severity alert. However, some activities won't generate an alert at all unless the related content contains built-in or custom sensitive info types or was specified as a priority in the policy.
+Insider risk management policies support specifying a higher priority for content depending on where it is stored or how it is classified. Specifying content as a priority increases the risk score for any associated activity, which in turn increases the chance of generating a high severity alert. However, some activities won't generate an alert at all unless the related content contains built-in or custom sensitive info types or was specified as a priority in the policy.
For example, your organization has a dedicated SharePoint site for a highly confidential project. Data leaks for information in this SharePoint site could compromise the project and would have a significant impact on its success. By prioritizing this SharePoint site in a Data leaks policy, risk scores for qualifying activities are automatically increased. This prioritization increases the likelihood that these activities generate an insider risk alert and raises the severity level for the alert.
When you create an insider risk management policy in the policy wizard, you can
- **Sensitive information types**: Any activity associated with content that contains [sensitive information types](sensitive-information-type-entity-definitions.md) are assigned a higher risk score. - **Sensitivity labels**: Any activity associated with content that has specific [sensitivity labels](sensitivity-labels.md) applied are assigned a higher risk score.
+## Sequence detection (preview)
+
+Risky activities may not occur as isolated events. These risks are frequently part of a larger sequence of events. A sequence is a group of two or more user activities performed one after the other that might suggest an elevated risk. Identifying these related activities is an important part of evaluating overall risk. When sequence detection is enabled for data theft or data leaks policies, insights from sequence information activities are displayed on the **User activity** tab within an insider risk management case. The following policy templates support sequence detection:
+
+- Data theft by departing users
+- General data leaks
+- Data leaks by priority users
+- Data leaks by disgruntled users
+
+These insider risk management policies can use specific indicators and the order that they occur to detect each step in a sequence of risk. File names are used when mapping activities across a sequence. These risks are organized into four main categories of activity:
+
+- **Collection**: These category signals focus on download activities by in-scope policy users. An example activity in this category would be downloading files from SharePoint sites.
+- **Exfiltration**: These category signals focus on sharing or extraction activities to internal and external sources by in-scope policy users. An example activity in this category would be sending emails with attachments from your organization to external recipients.
+- **Obfuscation**: These category signals focus on the masking of risky activities by in-scope policy users. An example activity in this category would be renaming files on a device.
+- **Clean-up**: These category signals focus on deletion activities by in-scope policy users. An example activity in this category would be deleting files from a device.
+
+>[!NOTE]
+>Sequence detection uses indicators that are enabled in the global settings for insider risk management and indicators that are selected in a policy. If appropriate indicators are not selected, sequence detection will not work.
+
+You can customize individual threshold settings for each sequence detection type when configured in the policy. These threshold settings adjust alerts based on the volume of files associated with the sequence.
+
+To learn more about sequence detection management in the **User activity** view, see [Insider risk management cases: User activity](insider-risk-management-cases.md#user-activity).
+
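Review bot: 'File names are used when mapping activities across a sequence' conflicts with the Obfuscation category two lines later, whose example activity is renaming files on a device: if activities are chained by file name, a rename is exactly what would break the chain, so say whether the rename event carries the old and new names into the sequence or whether a renamed file is tracked by something other than its name. The NOTE says sequence detection 'will not work' unless 'appropriate indicators' are selected but does not say which indicators those are; list them (or name the indicator groups from the policy wizard), otherwise a reader cannot tell why a sequence is missing from the User activity view. 'Insights from sequence information activities' also reads oddly; 'insights from detected sequences' is clearer.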
+## Cumulative exfiltration detection (preview)
+
+Insider risk indicators help identify unusual levels of risk activities when evaluated daily for users that are in-scope for insider risk policies. Cumulative exfiltration detection uses machine learning models to help you identify when user exfiltration activities exceed the organizational averages when measured over time and over multiple exfiltration activity types. Insider risk management analysts and investigators may use cumulative exfiltration detection insights to help identify exfiltration activities that may not typically generate alerts but are above what is typical for their organization. Some examples may be departing users slowly exfiltrate data across a range of days, or when users repeatedly share data across multiple channels more than usual for data sharing for your organization.
+
+Cumulative exfiltration detection is enabled by default when using the following policy templates:
+
+- Data theft by departing users
+- General data leaks
+- Data leaks by priority users
+- Data leaks by disgruntled users
+
+>[!NOTE]
+>Cumulative exfiltration detection uses exfiltration indicators that are enabled in the global settings for insider risk management and exfiltration indicators that are selected in a policy. As such, cumulative exfiltration detection is only evaluated for the necessary exfiltration indicators selected.
+
+When cumulative exfiltration detection is enabled for data theft or data leak policies, insights from cumulative exfiltration activities are displayed on the **User activity** tab within an insider risk management case.
+
+To learn more about the User activity management, see [Insider risk management cases: User activities](insider-risk-management-cases.md#user-activity).
+
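Review bot: 'Some examples may be departing users slowly exfiltrate data across a range of days, or when users repeatedly share data across multiple channels more than usual for data sharing for your organization' does not parse; suggest 'Examples include a departing user who slowly exfiltrates data over several days, or a user who repeatedly shares data across multiple channels more often than is usual for your organization.' The comparison 'exceed the organizational averages when measured over time' gives no baseline window (how many days of history the model compares against), which is the first thing an analyst reviewing such an insight will ask; state it if it is documented. The link text 'Insider risk management cases: User activities' also differs from the same link earlier in this diff ('User activity'); make both match the target heading.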
+## Policy health (preview)
+
+The policy health status gives you insights into potential issues with your insider risk management policies. The Status column on the Policies tab can alert you to policies issues that may prevent user activity from being reported or why the number of activity alerts is unusual. The policy health status can also confirm that the policy is healthy and doesn't need attention or configuration changes.
+
+If there are issues with a policy, the policy health status displays notification warnings and recommendations to help you take action to resolve policy issues. These notifications can help you resolve the following issues:
+
+- Policies with incomplete configuration. These issues may include missing users or groups in the policy or other incomplete policy configuration steps.
+- Policies with indicator configuration issues. Indicators are an important part of each policy. If indicators aren't configured, or if too few indicators are selected, the policy may not evaluate risky activities as expected.
+- Policy triggers aren't working, or policy trigger requirements aren't properly configured. Policy functionality may depend on other services or configuration requirements to effectively detect triggering events to activate risk score assignment to users in the policy. These dependencies may include issues with connector configuration, Microsoft Defender for Endpoint alert sharing, or data loss prevention policy configuration settings.
+- Volume limits are nearing or over limits. Insider risk management policies use numerous Microsoft 365 services and endpoints to aggregate risk activity signals. Depending on the number of users in your policies, volume limits may delay identification and reporting of risk activities. Learn more about these limits in the Policy template limits section of this article.
+
+To quickly view the health status for a policy, navigate the Policy tab and the Status column. Here you will see the following policy health status options for each policy:
+
+- Healthy: No issues have been identified with the policy.
+- Recommendations: There are some issues with the policy that may prevent the policy from operating as expected.
+- Warnings: There are issues with the policy that will prevent it from identifying risky activities.
+
+For more details about any recommendations or warnings, select a policy on the **Policy** tab to open the policy details card. More information about the recommendations and warnings, including guidance on how to address these issues, will be displayed in the Notifications section of the details card.
+
+![Insider risk management policy health](../media/insider-risk-policy-health.png)
+
+Use the following table to learn more about recommendations and warning notifications and actions to take to resolve potential issues.
+
+|**Notification messages**|**Policy templates**|**Causes / Try this action to fix**|
+|:|:-|:|
+| Policy isn't assigning risk scores to activity | All policy templates | You may want to review your policy scope and triggering event configuration so that the policy can assign risk scores to activity <br><br> 1. Review the users that are selected for the policy. If you have few users selected, you may want to select additional users. <br> 2. If you're using an HR connector, check that your HR connector is sending the correct data. <br> 3. If you're using a DLP policy as your triggering event, check your DLP policy configuration to ensure it is configured to be used in this policy. <br> 4. For security violation policies, review the Microsoft Defender for Endpoint alert triage status selected in Insider risk settings > Intelligent detections. Confirm that the alert filter isn't too narrow. |
+| Policy hasn't generated any alerts | All policy templates | You may want to review your policy configuration so that you are analyzing the scoring the activity that you care about. <br><br> 1. Confirm that you've selected indicators that you want to score. The more indicators selected, the more activities are assigned risk scores. <br> 2. Review threshold customization for policy. If the thresholds selected do not align with your organization's risk tolerance, adjust the selections so that alerts are created based on your preferred thresholds. <br> 3. Review the users and groups selected for the policy. Confirm you've selected all of the applicable users and groups. <br> 4. For security violation policies, confirm you've selected the alert triage status that you want to score for Microsoft Defender for Endpoint alerts in Intelligent Detections in settings.|
+| No users or groups are included in this policy | All policy templates | Users or groups aren't assigned to the policy. <br><br> Edit your policy and select users or groups for the policy. |
+| No indicators have been selected for this policy | All policy templates | Indicators haven't been selected for the policy <br><br> Edit your policy and select appropriate policy indicators for the policy. |
+| No priority user groups are included in this policy | - Data leaks by priority users <br> - Security policy violations by priority users | Priority user groups aren't assigned to the policy. <br><br> Configure priority user groups in Insider risk management settings and assign priority user groups to the policy. |
+| No triggering event has been selected for this policy | All policy templates | A triggering event isn't configured for the policy <br><br> Risk scores won't be assigned to user activities until you edit the policy and select a triggering event. |
+| HR connector isn't configured or working as expected | - Data theft by departing user <br> - Security policy violations by departing user <br> - Data leaks by disgruntled users <br> - Security policy violations by disgruntled users | There is an issue with the HR connector. <br><br> 1. If you're using an HR connector, check that your HR connector is sending correct data <br><br> OR <br><br> 2. Select the Azure AD account deleted triggering event. |
+| No devices are onboarded | - Data theft by departing users <br> - General data leaks <br> - Data leaks by disgruntled users <br> - Data Leaks by priority users | Device indicators are selected but there aren't any devices onboarded to the Microsoft 365 <br><br> Check whether devices are onboarded and meet requirements. |
+| HR connector hasn't uploaded data recently | - Data theft by departing user <br> - Security policy violations by departing user <br> - Data leaks by disgruntled users <br> - Security policy violations by disgruntled users | HR connector has not imported data in more than 7 days. <br><br> Check that your HR connector is configured correctly and sending data. |
+| We are unable to check the status of your HR connector right now, please check again later | - Data theft by departing user <br> - Security policy violations by departing user <br> - Data leaks by disgruntled users <br> - Security policy violations by disgruntled users | The insider risk management solution is unable to check the status of your HR connector. <br><br> Check that your HR connector is configured correctly and sending data, or come back and check the policy status. |
+| DLP policy isn't selected as the triggering event | - General Data leaks <br> - Data leaks by priority users | A DLP policy has not been selected as a triggering event or the selected DLP policy has been deleted. <br><br> Edit the policy and either select an active DLP policy or 'User performs an exfiltration activity' as the triggering event in the policy configuration. |
+| DLP policy used in this policy is turned off | - General Data leaks <br> - Data leaks by priority users | DLP policy used in this policy is turned off. <br><br> 1. Turn the DLP policy assigned to this policy on. <br><br> OR <br><br> 2. Edit this policy and either select a new DLP policy or 'User performs an exfiltration activity' as the triggering event in the policy configuration. |
+| DLP policy doesn't meet requirements | - General Data leaks <br> - Data leaks by priority users | DLP policies used as triggering events must be configured to generate high severity alerts. <br><br> 1. Edit your DLP policy to assign applicable alerts as *High severity*. <br><br> OR <br><br> 2. Edit this policy and select *User performs an exfiltration activity* as the triggering event. |
+| Your organization doesn't have a Microsoft Defender for Endpoint subscription | - General security policy violations <br> - Security policy violations by departing users <br> - Security policy violations by disgruntled users <br> - Security policy violations by priority users | An active Microsoft Defender for Endpoint subscription wasn't detected for your organization. <br><br> Until a Microsoft Defender for Endpoint subscription is added, these policies won't assign risk scores to user activity. |
+| Microsoft Defenders for Endpoint alerts aren't being shared with the compliance center | - General security policy violations <br> - Security policy violations by departing users <br> - Security policy violations by disgruntled users <br> - Security policy violations by priority users | Microsoft Defender for Endpoint alerts aren't being shared with the compliance center. <br><br> Configure sharing of Microsoft Defender for Endpoint alerts. |
+| You are approaching the maximum limit of users being actively scored for this policy template. | All policy templates | Each policy template has a maximum number of in-scope users. See the template limit section details. <br><br> Review the users in the Users tab and remove any users who do not need to be scored anymore. |
+
+## Policy template limits
+
+Insider risk management policy templates use limits to manage the volume and rate of processing for in-scope user risk activities and how this process is integrated with supporting Microsoft 365 services. Each policy template has a maximum number of users that can be actively assigned risk scores for the policy that it can support and effectively process and report risk activities. In-scope users are users with triggering events for the policy.
+
+The limit for each policy is calculated based on the total number of unique users receiving risk scores per policy template type. If the number of users for a policy template type is near or exceeds the user limit, the policy performance will be reduced. To view the current number of users for a policy, navigate to the Policy tab and the Users in scope column. You may have up to five policies for any policy template. These maximum limits apply to users across all policies using a given policy template.
+
+Use the following table to determine the maximum number of in-scope users supported for each policy template:
+
+|**Policy template**|**Current in-scope user maximum**|
+|:|:--|
+| General data leak | 15,000 |
+| Data leak by disgruntled users | 7,500 |
+| Data leak by priority users | 1,000 |
+| Data theft by departing users | 20,000 |
+| General security policy violations | 1,000 |
+| Security policy violation by priority users | 1,000 |
+| Security policy violations by departing users | 15,000 |
+| Security policy violations by disgruntled users | 7,500 |
+ ## Create a new policy To create a new insider risk management policy, you'll use the policy wizard in **Insider risk management** solution in the Microsoft 365 compliance center.
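Review bot: The recommendation text in the "Policy hasn't generated any alerts" row of the policy health table is garbled: "so that you are analyzing the scoring the activity that you care about" should read "so that you are analyzing and scoring the activity that you care about". Two more rows in the same table need fixes: the "No devices are onboarded" row ends mid-phrase with "there aren't any devices onboarded to the Microsoft 365" (likely "the Microsoft 365 compliance center", which is where the settings article in this same change says devices are onboarded), and the alert-sharing row's notification column says "Microsoft Defenders for Endpoint" while its recommendation column spells it "Microsoft Defender for Endpoint". Template names in the "Policy templates" column are also inconsistent across rows ("Data theft by departing user" in the HR connector rows versus "Data theft by departing users" in the devices row, and "Data Leaks by priority users" with a capital L in one row); the "Policy template limits" table added just below uses "Data theft by departing users" and "Data leak by priority users", so pick one spelling per template so a reader can match a health notification to its limit.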
To create a new insider risk management policy, you'll use the policy wizard in
Complete the following steps to create a new policy: 1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** and select the **Policies** tab.
-2. Select **Create policy** to open the policy wizard
-3. On the **New insider risk policy** page, complete the following fields:
- - **Name (required)**: Enter a friendly name for the policy.
- - **Description (optional)**: Enter a description for the policy.
- - **Choose policy template (required)**: Select one of the [policy templates](insider-risk-management-policies.md#policy-templates) to define the types of risk indicators are monitored by the policy.
+2. Select **Create policy** to open the policy wizard.
+3. On the **Policy template** page, choose a policy category and then select the template for the new policy. These templates are made up of conditions and indicators that define the risk activities you want to detect and investigate. Review the template prerequisites, triggering events, and detected activities to confirm this policy template fits your needs.
>[!IMPORTANT]
- >Most policy templates have prerequisites that must be configured for the policy to generate relevant alerts. If you haven't configured the applicable policy prerequisites, see [Get started with insider risk management](insider-risk-management-configure.md#step-3-configure-prerequisites-for-templates).
+ >Some policy templates have prerequisites that must be configured for the policy to generate relevant alerts. If you haven't configured the applicable policy prerequisites, see **Step 4** above.
4. Select **Next** to continue.
-5. On the **Users** page, select **Add user or group** or **Choose Priority user groups** to define which users or priority user groups are included in the policy, depending on the policy template you've selected. Select **All users and mail-enabled groups** checkbox if applicable (if you haven't selected a priority user-based template). Select **Next** to continue.
-6. On the **Specify what content to prioritize (optional)** page, you can assign the sources to prioritize for increased risk scores. However, some activities won't generate an alert at all unless the related content contains built-in or custom sensitive info types or was specified as a priority on this page:
- - **SharePoint sites**: Select **Add SharePoint site** and select the SharePoint organizations you want to prioritize. For example, *"group1@contoso.sharepoint.com/sites/group1"*.
+5. On the **Name and description** page, complete the following fields:
+ - **Name (required)**: Enter a friendly name for the policy. This name cannot be changed after the policy is created.
+ - **Description (optional)**: Enter a description for the policy.
+
+6. Select **Next** to continue.
+7. On the **Users and groups** page, select **Include all users and groups** or **Include specific users and groups** to define which users or groups are included in the policy, or if you've chosen a priority users-based template; select **Add or edit priority user groups**. Selecting **Include all users and groups** will look for triggering events for all users and groups in your organization to start assigning risk scores for the policy. Selecting **Include specific users and groups** allows you to define which users and groups to assign to the policy.
+8. Select **Next** to continue.
+9. On the **Content to prioritize** page, you can assign (if needed) the sources to prioritize, which increases the chance of generating a high severity alert for these sources. Select one of the following choices:
+
+ - **I want to specify SharePoint sites, sensitivity labels, and/or sensitive information types as priority content**. Selecting this option will enable detail pages in the wizard to configure these channels.
+ - **I don't want to specify priority content right now (you'll be able to do this after the policy is created)**. Selecting this option will skip the channel detail pages in the wizard.
+
+10. Select **Next** to continue.
+
+11. If you selected **I want to specify SharePoint sites, sensitivity labels, and/or sensitive information types as priority content** in the previous step, you'll see the detail pages for *SharePoint sites*, *Sensitive info types*, and *Sensitivity labels*. Use these detail pages to define the SharePoint, sensitive info types, and sensitivity labels to prioritize in the policy.
+
+ - **SharePoint sites**: Select **Add SharePoint site** and select the SharePoint organizations you have access to and want to prioritize. For example, *"group1@contoso.sharepoint.com/sites/group1"*.
- **Sensitive info type**: Select **Add sensitive info type** and select the sensitivity types you want to prioritize. For example, *"U.S. Bank Account Number"* and *"Credit Card Number"*. - **Sensitivity labels**: Select **Add sensitivity label** and select the labels you want to prioritize. For example, *"Confidential"* and *"Secret"*.
-7. Select **Next** to continue.
-8. On the **Select policy indicators** page, you'll see the [indicators](insider-risk-management-settings.md#indicators) that you've defined as available on the **Insider risk settings** > **Indicators** page. If you selected a *Data leaks* template at the beginning of the wizard, you must select a DLP policy from the **DLP policy** dropdown list to enable triggering indicators for the policy. Select the indicators you want to apply to the policy. If you prefer not to use the default policy threshold settings for these indicators, disable the **Use default thresholds recommended by Microsoft** and enter the threshold values for each selected indicator. If you've selected at least one *Office* or *Device* indicator, select the **Risk score boosters** as appropriate. Risk score boosters are only applicable for selected indicators.
+
+12. Select **Next** to continue.
+13. On the **Indicators and triggering events** page, you'll see the [indicators](insider-risk-management-settings.md#indicators) that you've defined as available on the **Insider risk settings** > **Indicators** page. If you selected a *Data leaks* template at the beginning of the wizard, you must select a DLP policy from the **DLP policy** dropdown list to enable triggering indicators for the policy or select the built-in triggering event.
>[!IMPORTANT]
- >If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies on the **Insider risk management** > **Settings** > **Policy indicators** page.
+ >If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies. You can use the **Turn on indicators** button in the wizard or select indicators on the **Insider risk management** > **Settings** > **Policy indicators** page.
+
+ Select the indicators you want to apply to the policy. If you prefer not to use the default policy threshold settings for these indicators, disable the **Use default thresholds recommended by Microsoft** and enter the threshold values for each selected indicator.
-9. Select **Next** to continue.
-10. On the **Policy timeframes** page, you'll see the [activation window conditions](insider-risk-management-settings.md#policy-timeframes) for the policy that on the **Insider risk settings** > **Policy timeframes** page.
-11. Select **Next** to continue.
-12. On the **Review** page, review the settings you've chosen for the policy. Select **Edit** to change any of the policy values or select **Submit** to create and activate the policy.
+ - If you've selected at least one *Office* or *Device* indicator, select the **Risk score boosters** as appropriate. Risk score boosters are only applicable for selected indicators.
+ - If you've selected a *Data theft* or *Data leaks* policy template, select one or more **Sequence detection** methods and a **Cumulative exfiltration detection** method to apply to the policy.
+
+14. Select **Next** to continue.
+15. On the **Indicator thresholds** page, select the option to use default indicator thresholds or to specify custom thresholds for individual indicators. For each indicator, choose the appropriate level to generate the desired level of activity alerts.
+16. Select **Next** to continue.
+17. On the **Review** page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Select **Edit** to change any of the policy values or select **Submit** to create and activate the policy.
## Update a policy
Complete the following steps to manage an existing policy:
1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** and select the **Policies** tab. 2. On the policy dashboard, select the policy you want to manage. 3. On the policy details page, select **Edit policy**
-4. In the policy wizard, you cannot edit the following fields:
+4. In the policy wizard, you cannot edit the following:
+ - **Policy template**: The template used to define the types of risk indicators monitored by the policy.
- **Name**: The friendly name for the policy
- - **Choose policy template**: The template used to define the types of risk indicators monitored by the policy.
-5. Enter a new description for the policy in the **Description** field.
+5. On the **Name and description** page, update the description for the policy in the **Description** field.
6. Select **Next** to continue.
-7. On the **Users** page, select **Add user or group** or **Choose Priority user groups** to define which users or priority user groups are included in the policy, depending on the policy template you've selected. Select **All users and mail-enabled groups** checkbox if applicable (if you haven't selected a priority user-based template). Select **Next** to continue.
-8. On the **Specify what content to prioritize (optional)** page, you can assign the sources to prioritize for increased risk scores. However, some activities won't generate an alert at all unless the related content contains built-in or custom sensitive info types or was specified as a priority on this page:
- - **SharePoint sites**: Select **Add SharePoint site** and select the SharePoint organizations you want to prioritize. For example, *"group1@contoso.sharepoint.com/sites/group1"*.
+7. On the **Users and groups** page, select **Include all users and groups** or **Include specific users and groups** to define which users or groups are included in the policy, or if you've chosen a priority users-based template; select **Add or edit priority user groups**. Selecting **Include all users and groups** will look for triggering events for all users and groups in your organization to start assigning risk scores for the policy. Selecting **Include specific users and groups** allows you to define which users and groups to assign to the policy.
+8. Select **Next** to continue.
+9. On the **Content to prioritize** page, you can assign (if needed) the sources to prioritize, which increases the chance of generating a high severity alert for these sources. Select one of the following choices:
+
+ - **I want to specify SharePoint sites, sensitivity labels, and/or sensitive information types as priority content**. Selecting this option will enable detail pages in the wizard to configure these channels.
+ - **I don't want to specify priority content right now (you'll be able to do this after the policy is created)**. Selecting this option will skip the channel detail pages in the wizard.
+
+10. Select **Next** to continue.
+
+11. If you selected **I want to specify SharePoint sites, sensitivity labels, and/or sensitive information types as priority content** in the previous step, you'll see the detail pages for *SharePoint sites*, *Sensitive info types*, and *Sensitivity labels*. Use these detail pages to define the SharePoint, sensitive info types, and sensitivity labels to prioritize in the policy.
+
+ - **SharePoint sites**: Select **Add SharePoint site** and select the SharePoint organizations you have access to and want to prioritize. For example, *"group1@contoso.sharepoint.com/sites/group1"*.
- **Sensitive info type**: Select **Add sensitive info type** and select the sensitivity types you want to prioritize. For example, *"U.S. Bank Account Number"* and *"Credit Card Number"*. - **Sensitivity labels**: Select **Add sensitivity label** and select the labels you want to prioritize. For example, *"Confidential"* and *"Secret"*.
-9. Select **Next** to continue.
-10. On the **Select policy indicators** page, you'll see the [indicators](insider-risk-management-settings.md#indicators) that you've defined as available on the **Insider risk settings** > **Indicators** page. If you selected a *Data leaks* template at the beginning of the wizard, you must select a DLP policy from the **DLP policy** dropdown list to enable triggering indicators for the policy. Select the indicators you want to apply to the policy. If you prefer not to use the default policy threshold settings for these indicators, disable the **Use default thresholds recommended by Microsoft** and enter the threshold values for each selected indicator. If you've selected at least one *Office* or *Device* indicator, select the **Risk score boosters** as appropriate. Risk score boosters are only applicable for selected indicators.
+
+12. Select **Next** to continue.
+13. On the **Indicators and triggering events** page, you'll see the [indicators](insider-risk-management-settings.md#indicators) that you've defined as available on the **Insider risk settings** > **Indicators** page. If you selected a *Data leaks* template at the beginning of the wizard, you must select a DLP policy from the **DLP policy** dropdown list to enable triggering indicators for the policy or select the built-in triggering event.
>[!IMPORTANT]
- >If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies on the **Insider risk management** > **Settings** > **Policy indicators** page.
+ >If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies. You can use the **Turn on indicators** button in the wizard or select indicators on the **Insider risk management** > **Settings** > **Policy indicators** page.
+
+ Select the indicators you want to apply to the policy. If you prefer not to use the default policy threshold settings for these indicators, disable the **Use default thresholds recommended by Microsoft** and enter the threshold values for each selected indicator.
+
+ - If you've selected at least one *Office* or *Device* indicator, select the **Risk score boosters** as appropriate. Risk score boosters are only applicable for selected indicators.
+ - If you've selected a *Data theft* or *Data leaks* policy template, select one or more **Sequence detection** methods and a **Cumulative exfiltration detection** method to apply to the policy.
+
+14. Select **Next** to continue.
+15. On the **Indicator thresholds** page, select the option to use default indicator thresholds or to specify custom thresholds for individual indicators. For each indicator, choose the appropriate level to generate the desired level of activity alerts.
+16. Select **Next** to continue.
+17. On the **Review** page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Select **Edit** to change any of the policy values or select **Submit** to create and activate the policy.
+
+## Copy a policy
+
+You may need to create a new policy that is similar to an existing policy but needs just a few configuration changes. Instead of creating a new policy from scratch, you can copy an existing policy and then modify the areas that need to be updated in the new policy.
+
+Complete the following steps to copy an existing policy:
+
+1. In the Microsoft 365 compliance center, go to Insider risk management and select the Policies tab.
+2. On the policy dashboard, select the policy you want to copy.
+3. On the policy details page, select Copy.
+4. In the policy wizard, name the new policy and update the policy configuration as needed.
+
+## Add users to a policy
+
+There may be scenarios where you need to add temporarily users to insider risk policies after an unusual event is reported outside of the insider risk management workflow. Use Start scoring activity for users on the Policies tab to manually add a user (or users) to one or more insider risk policies for a specific amount of time, to immediately start assigning risk scores to their activity, and to bypass the requirement for a user to have a triggering indicator (like a DLP policy match). You can also add a reason for adding the user to the policy. Users manually added to policies are displayed in the Users dashboard.
+
+>[!NOTE]
+>It may take several hours for new manually-added users to appear in the Users dashboard. Activities for the previous 90 days for these users may take up to 24 hours to display. To view activities for manually added users, navigate to the Users tab and select the user on the Users dashboard and open the User activity tab on the details pane.
+
+To manually add a user(s) to one or more insider risk management policies, complete the following steps:
+
+1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** and select the **Policies** tab.
+2. On the policy dashboard, select the policy or policies you want to add users to.
+3. Select **Start scoring activity for users**.
+4. In the **Reason field** in the **Add users to multiple policies** pane, add a reason for adding the users.
+5. In the **This should last for (choose between 5 and 30 days)** field, define the number of days to score the user's activity for the policy they are added to
+6. To search your Active Directory for users, use the **Search user to add to policies** field. Type the name of the user you want to add to the policies. Select the user name and repeat to assign additional users to the policies. The list of users you've selected appear in the users section of the Add users to multiple policies pane.
+7. To import a list of users to add to the policies, select **Import** to import a .csv (comma-separated values) file. The file must be in the following format and you must list the user principal names in the file:
+
+ ```csv
+ user principal name
+ user1@domain.com
+ user2@domain.com
+ ```
+
+8. Select the Add users to policies to accept the changes and add users to the policies or select Cancel to discard the changes and close the dialog.
+
+## Stop scoring users in a policy
-11. Select **Next** to continue.
-12. On the **Policy timeframes** page, you'll see the [activation window conditions](insider-risk-management-settings.md#policy-timeframes) for the policy that on the **Insider risk settings** > **Policy timeframes** page.
-13. Select **Next** to continue.
-14. On the **Review** page, review the settings you've updated for the policy. Select **Edit** to change any of the policy values or select **Submit** to update and activate the policy.
+To stop scoring users in a policy, see the [Insider risk management users: Remove users from in-scope assignment to policies](insider-risk-management-users.md#remove-users-from-in-scope-assignment-to-policies) article.
## Delete a policy
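Review bot: Thresholds are configured twice in the new wizard flow, in both the "Create a new policy" and "Update a policy" procedures: step 13 ("Indicators and triggering events") still tells the reader to "disable the **Use default thresholds recommended by Microsoft** and enter the threshold values for each selected indicator", and step 15 then introduces a separate **Indicator thresholds** page where the same default-versus-custom choice is made. The threshold sentence in step 13 looks like a leftover from the removed step 8 of the old flow; drop it from step 13 in both procedures, or state which page actually carries the option. Second, the rewritten IMPORTANT note after step 3 says "see **Step 4** above", but step 4 of this procedure is "Select **Next** to continue", so the reference does not resolve to any prerequisites step; the removed text linked to insider-risk-management-configure.md#step-3-configure-prerequisites-for-templates, and an explicit link like that reads correctly no matter which article the procedure is copied into. Smaller items: in step 7 of both procedures, "or if you've chosen a priority users-based template; select **Add or edit priority user groups**" needs a comma in place of the semicolon; in "Add users to a policy", "add temporarily users" should be "temporarily add users", "The list of users you've selected appear" should be "appears", step 5 lacks a terminating period, and step 8 "Select the Add users to policies to accept the changes" should be "Select **Add users to policies** to accept the changes"; the "Copy a policy" steps and the opening paragraph of "Add users to a policy" leave UI labels (Policies tab, Copy, Start scoring activity for users, Users dashboard) unbolded while the numbered steps that follow bold the same labels.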
compliance Insider Risk Management Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings.md
# Get started with insider risk management settings
-Insider risk management settings apply to all insider risk management policies, regardless of the template you chose when creating a policy. Settings are configured using the **Insider risk settings** control located at the top of all insider risk management tabs. These settings control policy components for the following areas:
+Insider risk management settings apply to all insider risk management policies, regardless of the template you choose when creating a policy. Settings are configured using the **Insider risk settings** control located at the top of all insider risk management tabs. These settings control policy components for the following areas:
- Privacy - Indicators
Insider risk management settings apply to all insider risk management policies,
- Priority physical assets (preview) - Power Automate flows (preview) - Microsoft Teams (preview)
+- Analytics (preview)
Before you get started and create insider risk management policies, it's important to understand these settings and choose setting levels best for the compliance needs for your organization.
Insider risk policy templates define the type of risk activities that you want t
Alerts are triggered by policies when users perform activities related to policy indicators that meet a required threshold. Insider risk management uses two types of indicators: -- **Triggering events**: Events that determine if a user is active for an insider risk management policy. If a user is added to an insider risk management policy does not have a triggering event, the user activity is not evaluated by the policy. For example, User A is added to a policy created from the *Data theft by departing users* policy template and the policy and Microsoft 365 HR connector are properly configured. Until User A has a termination date reported by the HR connector, User A activities aren't evaluated by this insider risk management policy for risk. Another example of a triggering event is if a user has a *High* severity DLP policy alert when using *Data leaks* policies.-- **Policy indicators**: Indicators included in insider risk management policies used to determine a risk score for an in-scope user. These policy indicators are only activated after a triggering event occurs for a user. Some examples of policy indicators are when a user copies data to personal cloud storage services or portable storage devices, or if a user shares internal files and folders with unauthorized external parties.
+- **Triggering events**: Events that determine if a user is active in an insider risk management policy. If a user is added to an insider risk management policy does not have a triggering event, the user activity is not evaluated by the policy. For example, User A is added to a policy created from the *Data theft by departing users* policy template and the policy and Microsoft 365 HR connector are properly configured. Until User A has a termination date reported by the HR connector, User A activities aren't evaluated by this insider risk management policy for risk. Another example of a triggering event is if a user has a *High* severity DLP policy alert when using *Data leaks* policies.
+- **Policy indicators**: Indicators included in insider risk management policies used to determine a risk score for an in-scope user. These policy indicators are only activated after a triggering event occurs for a user. Some examples of policy indicators are when a user copies data to personal cloud storage services or portable storage devices, if a user account is removed from Azure Active Directory, or if a user shares internal files and folders with unauthorized external parties.
Policy indicators are segmented into the following areas. You can choose the indicators to activate and customize indicator event limits for each indicator level when creating an insider risk policy: -- **Office indicators**: These include policy indicators for SharePoint sites, Teams, and email messaging.-- **Device indicators**: These include policy indicators for activity such as sharing files over the network or with devices. Indicators include activity involving Microsoft Office files, .CSV files, and .PDF files. If you select **Device indicators**, activity is processed only for devices with Windows 10 Build 1809 or higher. For more information on configuring devices for integration with insider risk, see the following [Enable device indicators and onboard devices](insider-risk-management-settings.md#OnboardDevices) section.-- **Security policy violation indicator**: These include indicators from Microsoft Defender for Endpoint related to unapproved or malicious software installation or bypassing security controls. To receive alerts in insider risk management, you must have an active Defender for Endpoint license and insider risk integration enabled. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features\#share-endpoint-alerts-with-microsoft-compliance-center).-- **Risk score boosters**: These include raising the risk score for unusual activities or past policy violations. Enabling risk score boosters increase risk scores and the likelihood of alerts for these types of activities. Risk score boosters can only be selected if one or more indicators are selected.-
-![Insider risk management indicator settings](../media/insider-risk-settings-indicators.png)
+- **Office indicators**: These include policy indicators for SharePoint sites, Microsoft Teams, and email messaging.
+- **Device indicators**: These include policy indicators for activity such as sharing files over the network or with devices. Indicators include activities involving Microsoft Office files, .csv (comma-separated values) files, and .pdf (portable document format) files. If you select **Device indicators**, activity is processed only for devices with Windows 10 Build 1809 or higher and you must first onboard devices to the compliance center. For more information on configuring devices for integration with insider risk, see the following [Enable device indicators and onboard devices](insider-risk-management-settings.md#OnboardDevices) section in this article.
+- **Security policy violation indicator (preview)**: These include indicators from Microsoft Defender for Endpoint related to unapproved or malicious software installation or bypassing security controls. To receive alerts in insider risk management, you must have an active Defender for Endpoint license and insider risk integration enabled. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features\#share-endpoint-alerts-with-microsoft-compliance-center).
+- **Physical access indicators (preview)**: These include policy indicators for physical access to sensitive assets. For example, attempted access to a restricted area in your physical badging system logs can be shared with insider risk management policies. To receive these types of alerts in insider risk management, you must have priority physical assets enabled in insider risk management and the [Physical badging data connector](import-physical-badging-data.md) configured. To learn more about configuring physical access, see the [Priority physical access section](#priority-physical-assets-preview) in this article.
+- **Microsoft Cloud App Security indicators (preview)**: These include policy indicators from shared alerts from Cloud App Security. Automatically enabled anomaly detection in Cloud App Security immediately starts detecting and collating results, targeting numerous behavioral anomalies across your users and the machines and devices connected to your network. To include these activities in insider risk management policy alerts, select one or more indicators in this section. To learn more about Cloud App Security analytics and anomaly detection, see [Get behavioral analytics and anomaly detection](/cloud-app-security/anomaly-detection-policy).
+- **Risk score boosters**: These include raising the risk score for unusual activities or past policy violations. Enabling risk score boosters increases risk scores and the likelihood of alerts for these types of activities. For unusual activities, scores are boosted if the detected activity deviates from the user's typical behavior. For example, a significant increase in daily file downloads. Unusual activity is presented as an increase in percentage (for example, '100% above usual activity') and will impact the risk score differently depending on the activity. For users with previous policy violations, scores are boosted if a user had more than one case previously resolved as a confirmed policy violation. Risk score boosters can only be selected if one or more indicators are selected.
In some cases, you may want to limit the insider risk policy indicators that are applied to insider risk policies in your organization. You can turn off the policy indicators for specific areas by disabling them from all insider risk policies. Triggering events cannot be modified for insider risk policy templates.
Make sure that the Windows 10 devices that you plan on reporting in insider risk
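Review bot: The link in the added **Security policy violation indicator (preview)** bullet escapes the fragment separator (`advanced-features\#share-endpoint-alerts-with-microsoft-compliance-center`); the backslash will be emitted literally and the anchor won't resolve, so drop it and use `/windows/security/threat-protection/microsoft-defender-atp/advanced-features#share-endpoint-alerts-with-microsoft-compliance-center`. Minor: in the **Risk score boosters** bullet, "For example, a significant increase in daily file downloads." is a sentence fragment; join it to the preceding sentence with a comma ("...typical behavior, for example a significant increase in daily file downloads.").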
#### Step 2: Onboarding devices <a name="OnboardStep2"> </a>
-You must enable device monitoring and onboard your endpoints before you can monitor for insider risk management activities on a device. Both of these actions are done in the Microsoft 365 Compliance portal.
+You must enable device monitoring and onboard your endpoints before you can monitor for insider risk management activities on a device. Both actions are taken in the Microsoft 365 Compliance portal.
When you want to onboard devices that haven't been onboarded yet, you'll download the appropriate script and deploy as outlined in the following steps.
If Microsoft Defender for Endpoint is already deployed and there are endpoints r
1. Open the [Microsoft compliance center](https://compliance.microsoft.com). 2. Open the Compliance Center settings page and choose **Enable device monitoring**.
-3. Choose **Device management** to open the **Devices** list. You should see the list of devices that are already reporting in to Microsoft Defender for Endpoint.
+3. Choose **Device management** to open the **Devices** list. You should see the list of devices that are already reporting into Microsoft Defender for Endpoint.
4. Choose **Onboarding** if you need to onboard more devices. 5. Choose the way you want to deploy to these more devices from the **Deployment method** list and then **Download package**. 6. Follow the appropriate procedures in [Onboarding tools and methods for Windows 10 machines](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). This link takes you to a landing page where you can access Microsoft Defender for Endpoint procedures that match the deployment package you selected in step 5:
Once done and endpoint is onboarded, it should be visible under the **Devices**
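Review bot: The wording change in step 3, from "devices that are already reporting in to Microsoft Defender for Endpoint" to "reporting into", is a regression: the devices report in (check in) to the service, so "in to" is the correct form and "into" changes the meaning; keep the original "reporting in to".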
### Indicator level settings (preview)
-When creating a policy in the policy wizard, you can configure how the daily number of risk events should influence the risk score for insider risk alerts. These indicator settings help you control how the number of occurrences of risk events in your organization should affect the risk score, and consequently the associated alert severity, for these events. If you prefer, you can also choose to keep the default event threshold levels recommended by Microsoft for all enabled indicators.
+When creating a policy in the policy wizard, you can configure how the daily number of risk events should influence the risk score for insider risk alerts. These indicator settings help you control how the number of occurrences of risk events in your organization should affect the risk score, and so the associated alert severity, for these events. If you prefer, you can also choose to keep the default event threshold levels recommended by Microsoft for all enabled indicators.
For example, you decide to enable SharePoint indicators in the insider risk policy settings and to set custom thresholds for SharePoint events when configuring indicators for a new insider risk *Data leaks* policy. While in the insider risk policy wizard, you configure three different daily event levels for each SharePoint indicator to influence the risk score for alerts associated with these events.
For the first daily event level, you set the threshold at *10 or more events per
Policy timeframes allow you to define past and future review periods that are triggered after policy matches based on events and activities for the insider risk management policy templates. Depending on the policy template you choose, the following policy timeframes are available: -- **Activation window**: Available for all policy templates, the *Activation window* is the defined number of days that the window activates **after** a triggering event. The window activates for 1 to 30 days after a triggering event occurs for any user assigned to the policy. For example, you've configured an insider risk management policy and set the *Activation window* to 30 days. Several months have passed since you configured the policy and a triggering event occurs for one of the users included in the policy. The triggering event activates the *Activation window* and the policy is active for that user for 30 days after the triggering event occurred.-- **Past activity detection**: Available for all policy templates, the *Past activity detection* is the defined number of days that the window activates **before** a triggering event. The window activates for 0 to 180 days before a triggering event occurs for any user assigned to the policy. For example, you've configured an insider risk management policy and set the *Past activity detection* to 90 days. Several months have passed since you configured the policy and a triggering event occurs for one of the users included in the policy. The triggering event activates the *Past activity detection* and the policy gathers historic activities for that user for 90 days prior to the triggering event.
+- **Activation window**: Available for all policy templates, the *Activation window* is the defined number of days that the window activates **after** a triggering event. The window activates for 1 to 30 days after a triggering event occurs for any user assigned to the policy. For example, you've configured an insider risk management policy and set the *Activation window* to 30 days. Several months have passed since you configured the policy, and a triggering event occurs for one of the users included in the policy. The triggering event activates the *Activation window* and the policy is active for that user for 30 days after the triggering event occurred.
+- **Past activity detection**: Available for all policy templates, the *Past activity detection* is the defined number of days that the window activates **before** a triggering event. The window activates for 0 to 180 days before a triggering event occurs for any user assigned to the policy. For example, you've configured an insider risk management policy and set the *Past activity detection* to 90 days. Several months have passed since you configured the policy, and a triggering event occurs for one of the users included in the policy. The triggering event activates the *Past activity detection* and the policy gathers historic activities for that user for 90 days prior to the triggering event.
![Insider risk management timeframe settings](../media/insider-risk-settings-timeframes.png) ## Intelligent detections
-Intelligent detection settings help refine how the detections of risky activities are processed for alerts. In certain circumstances, you may need to define files types to ignore or you want to enforce a detection level for files to help define a minimum bar for alerts. Use these settings to control overall alert volume, file type exclusions, and file volume limits.
+Intelligent detection settings help refine how the detections of risky activities are processed for alerts. In certain circumstances, you may need to define file types to ignore, or you want to enforce a detection level for files to help define a minimum bar for alerts. Use these settings to control overall alert volume, file type exclusions, and file volume limits.
+
+### File type exclusions
-### Anomaly detections
+To exclude specific file types from all insider risk management policy matching, enter file type extensions separated by commas. For example, to exclude certain types of music files from policy matches you may enter aac,mp3,wav,wma in the **File type exclusions** field. Files with these extensions will be ignored by all insider risk management policies.
-Anomalous detections include settings for file type exclusions and file volume limits.
+### Threshold for unusual file activity
-- **File type exclusions**: To exclude specific file types from all insider risk management policy matching, enter file type extensions separated by commas. For example, to exclude certain types of music files from policy matches you may enter *aac,mp3,wav,wma* in the **File type exclusions** field. Files with these extensions would be ignored by all insider risk management policies.-- **File volume cut-off limit**: To define a minimum file level before activity alerts are reported in insider risk policies, enter the number of files. For example, you would enter '10' if you do not want to generate insider risk alerts when a user downloads 10 files or less, even if the policies consider this activity an anomaly.
+To define a minimum file level before activity alerts are reported in insider risk policies, enter the number of files. For example, you would enter '10' if you do not want to generate insider risk alerts when a user downloads 10 files or less, even if the policies consider this activity as unusual.
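Review bot: The rewritten **Threshold for unusual file activity** paragraph no longer names the field the value goes into: the removed bullet called it the **File volume cut-off limit**, while the new text only says "enter the number of files". Name the field in the new paragraph the way the **File type exclusions** paragraph does (for example "...enter the number of files in the **Threshold for unusual file activity** field", or whatever label the UI actually shows). In the same paragraph, "consider this activity as unusual" should be "consider this activity unusual". Also, the **File type exclusions** example dropped the italics the old text had on *aac,mp3,wav,wma*; keep the emphasis or put the value in code formatting so the comma-separated list isn't read as running prose.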
### Alert volume
User activities detected by insider risk policies are assigned a specific risk s
### Microsoft Defender for Endpoint (preview)
-[Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. To have better visibility of security violation in your organization, you can import and filter Defender for Endpoint alerts for activities used in policies created from insider risk management security violation policy templates.
+[Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. To have better visibility of security violations in your organization, you can import and filter Defender for Endpoint alerts for activities used in policies created from insider risk management security violation policy templates.
Depending on the types of signals you are interested in, you can choose to import alerts to insider risk management based on the Defender for Endpoint alert triage status. You can define one or more of the following alert triage statuses in the global settings to import:
For example, if you select *New*, *In progress*, and *Resolved* for this setting
### Domains (preview)
-Domain settings help you define risk levels for communications to specific domains. These communications include sharing files, email messages, or downloading content. By specifying domains in these settings, you can increase or decrease the risk scoring for activity that takes place with these domains. For example, to specify contoso.com and sales.wingtiptoys.com as allowed domains, you will enter 'contoso.com sales.wingtiptoys.com' in the **Allowed domains** field.
+Domain settings help you define risk levels for activities to specific domains. These activities include sharing files, sending email messages, downloading, or uploading content. By specifying domains in these settings, you can increase or decrease the risk scoring for activity that takes place with these domains.
+
+Use Add domain to define a domain for each of the domain settings. Additionally, you can use wildcards to help match variations of root domains or subdomains. For example, to specify sales.wingtiptoys.com and support.wingtiptoys.com, you use the wildcard entry '*.wingtiptoys.com' to match these subdomains (and any other subdomain at the same level). To specify multi-level subdomains for a root domain, you must select the **Include Multi-Level Subdomains** checkbox.
For each of the following domain settings, you can enter up to 500 domains: -- **Unallowed domains:** By specifying unallowed domains, activity that takes place with these domains will have *higher* risk scores.-- **Allowed domains:** By specifying allowed domains in settings, activity that takes place with these domains will have *lower* risk scores and is treated similarly to how internal organization activity is treated. For example, email activities to these domains are analyzed similarly to how internal email activity is analyzed.-- **Third party domains:** Third party domains are domains used for business purposes at your organization and sensitive content may be stored across these locations. By specifying a third party domain, you can receive alerts for any risky activity on these domains.
+- **Unallowed domains:** By specifying unallowed domains, activity that takes place with these domains will have *higher* risk scores. Some examples are activities involving sharing content with someone (such as sending email to someone with a gmail.com address) and when users download content to a device from one of these unallowed domains.
+- **Allowed domains:** Certain activity related to allowed domains will be ignored by your policies and won't generate alerts. These activities include:
+
+ - Email sent to external domains
+ - Files, folders, sites shared with external domains
+ - Files uploaded to external domains (using Microsoft Edge browser)
+
+ By specifying allowed domains in settings, this activity with these domains is treated similarly to how internal organization activity is treated. For example, domains added here map to activities may involve sharing content with someone outside your organization (such as sending email to someone with a gmail.com address). You can't include your SharePoint sites as allowed domains.
+
+- **Third party domains:** If your organization uses third-party domains for business purposes (such as cloud storage), include them here so you can receive alerts for activity related to the device indicator *Use a browser to download content from a third-party site*.
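Review bot: In the added **Allowed domains** bullet, "For example, domains added here map to activities may involve sharing content with someone outside your organization" has two clauses run together; suggest "For example, domains added here may map to activities that involve sharing content with someone outside your organization". In the new wildcard paragraph, `'*.wingtiptoys.com'` begins with an asterisk that Markdown can read as an emphasis marker; wrap the entry in backticks. Also, "Use Add domain" should bold the control name (**Add domain**) like the other UI references on this page, and the **Third party domains** bullet mixes "Third party" and "third-party" within one sentence; pick one hyphenation.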
## Export alerts (preview)
Insider risk management alert information is exportable to security information
To use the APIs to review insider risk alert information:
-1. Enable Office 365 Management Activity API support in **Insider risk management** > **Settings** > **Export**. By default, this setting is disabled for your Microsoft 365 organization.
+1. Enable Office 365 Management Activity API support in **Insider risk management** > **Settings** > **Export alerts**. By default, this setting is disabled for your Microsoft 365 organization.
2. Filter the common Office 365 audit activities by *SecurityComplianceAlerts*. 3. Filter *SecurityComplianceAlerts* by the *InsiderRiskManagement* category.
For example, your organization has a badging system for users that monitors and
You choose to enable the Physical badging data connector in Microsoft 365 to import access information from your physical badging system and specify priority physical assets in insider risk management. By importing information from your badging system and correlating physical access information with other risk activities identified in insider risk management, you notice that one of the users on the project is accessing the project offices after normal working hours and is also exporting large amounts of data to a personal cloud storage service from their normal work area. This physical access activity associated with the online activity may point to possible data theft and compliance investigators and analysts can take appropriate actions as dictated by the circumstances for this user.
+![Insider risk management priority physical assets](../media/insider-risk-settings-priority-assets.png)
+ ### Configure priority physical assets To configure priority physical assets, you'll configure the Physical badging connector and use setting controls in the **Insider risk management** solution in the Microsoft 365 compliance center. To configure priority physical assets, you must be a member of the *Insider Risk Management* or *Insider Risk Management Admin role group*.
Complete the following steps to configure priority physical assets:
>For insider risk management policies to use and correlate signal data related to departing and terminated users with event data from your physical control and access platforms, you must also configure the Microsoft 365 HR connector. If you enable the Physical badging connector without enabling the Microsoft 365 HR connector, insider risk management policies will only process events for physical access activities for users in your organization. 2. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings** > **Priority physical assets**.
-3. On the **Priority physical assets** page, you can either manually add the physical asset IDs you want to monitor for the asset events imported by the Physical badging connector or import a .CSV file of all physical assets IDs imported by the Physical badging connector:
+3. On the **Priority physical assets** page, you can either manually add the physical asset IDs you want to monitor for the asset events imported by the Physical badging connector or import a .csv file of all physical assets IDs imported by the Physical badging connector:
a) To manually add physical assets IDs, choose **Add priority physical assets**, enter a physical asset ID, then select **Add**. Enter other physical asset IDs and then select **Add priority physical assets** to save all the assets entered.
- b) To add a list of physical asset IDs from a .CSV file, choose **Import priority physical assets**. From the file explorer dialog, select the .CSV file you wish to import, then select **Open**. The physical asset IDs from the .CSV files are added to the list.
+ b) To add a list of physical asset IDs from a .csv file, choose **Import priority physical assets**. From the file explorer dialog, select the .csv file you wish to import, then select **Open**. The physical asset IDs from the .csv files are added to the list.
4. Navigate to the **Policy indicators** tab in Settings. 5. On the **Policy indicators** page, navigate to the **Physical access indicators** section and select the checkbox for **Physical access after termination or failed access to sensitive asset**. 6. Select **Save** to configure and exit.
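Review bot: In the added **Configure priority physical assets** paragraph the italics are misplaced: "*Insider Risk Management* or *Insider Risk Management Admin role group*" puts "role group" inside the emphasis. It should read "*Insider Risk Management* or *Insider Risk Management Admin* role group", matching how the Analytics section added later in this diff formats the same role groups. As shown, the `### Configure priority physical assets` heading and its paragraph also share one line; make sure a line break separates them in the source so the heading renders.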
Complete the following steps to create a Power Automate flow from a recommended
>[!IMPORTANT] >If other users in your organization need access to the flow, the flow must be shared.
+![Insider risk management power automate flows](../media/insider-risk-settings-power-automate-flows.png)
+ ### Create a custom Power Automate flow for insider risk management Some processes and workflows for your organization may be outside of the recommended insider risk management flow templates and you may have the need to create custom Power Automate flows for insider risk management areas. Power Automate flows are flexible and support extensive customization, but there are steps that need to be taken to integrate with insider risk management features.
Enabling Microsoft Teams support for cases is quick and easy to configure. To en
3. Enable Microsoft Teams integration for insider risk management. 4. Select **Save** to configure and exit.
+![Insider risk management Microsoft Teams](../media/insider-risk-settings-teams.png)
+ ### Create a Microsoft Teams team for existing cases If you enable Microsoft Teams support for insider risk management after you have existing cases, you'll need to manually create a team for each case as needed. After enabling Microsoft Teams support in insider risk management settings, new cases will automatically create a new Microsoft Teams team.
To create a team for a case, you'll use the Create Microsoft Team control when w
4. Select **Create Microsoft team** and then select **Close**. Depending on the number of users assigned to insider risk management role groups, it may take 15 minutes for all investigators and analysts to be added to the Microsoft Teams team for a case.+
+## Analytics (preview)
+
+Insider risk analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you may consider configuring. Analytics scans offer the following advantages for your organization:
+
+- Easy to configure: To get started with analytics scans, you can select Run scan when prompted by the analytics recommendation or go to Insider risk settings > Analytics tab and enable analytics.
+- Minimal privacy requirements: Scan results and insights are returned as anonymized user activity, individual user names are not identifiable by reviewers.
+- Understand potential risks through consolidated insights: Scan results can help you quickly identify potential risk areas for your users and which policy would be best to help mitigate these risks.
+
+Analytics scans for risk activity events from several sources to help identify insights into potential areas of risk. Depending on your current configuration, analytics looks for qualifying risk activities in the following areas:
+
+- Microsoft 365 audit logs: Included in all scans, this is the primary source for identifying most of the potentially risky activities.
+- Exchange Online: Included in all scans, Exchange Online activity helps identify activities where data in attachments are emailed to external contacts or services.
+- Azure Active Directory: Included in all scans, Azure Active Directory history helps identify risky activities associated with users with deleted user accounts.
+- Microsoft 365 HR data connector: If configured, HR connector events help identify risky activities associated with users that have resignation or upcoming termination dates.
+
+Analytics insights from scans are based on the same risk activity signals used by insider risk management policies and report results based on both single and sequence user activities. However, the risk scoring for analytics is based on up to 30 days of activity while insider risk policies use daily activity for insights. When you first enable and run analytics in your organization, you'll see the scan results for one day. If you leave analytics enabled, you'll see the results of each daily scan added to the insight reports for a maximum range of the previous 30 days of activity.
+
+### Enable analytics and start your scan
+
+To enable insider risk analytics, you must be a member of the Insider Risk Management, Insider Risk Management Admin or Microsoft 365 Global admin role group.
+Complete the following steps to enable insider risk analytics:
+
+1. In the [Microsoft 365 compliance center](htttps://compliance.microsoft.com), go to **Insider risk management**.
+2. Select **Run scan** on the **Scan for insider risks in your organization** card on the insider risk management **Overview** tab. This turns on analytics scanning for your organization. You can also turn on scanning in your organization by navigating to **Insider risk settings** > **Analytics** and enabling **Scan your tenant's user activity to identify potential insider risks**.
+3. On the **Analytics details** pane, select **Run scan** to start the scan for your organization. Analytics scan results may take up to 24 hours before insights are available as reports for review.
+
+![Insider risk management analytics settings](../media/insider-risk-settings-analytics-enable.png)
+
+### Viewing analytics insights and creating new policies
+
+After the first analytics scan is complete for your organization, you can view the insights and recommendations for potentially risky activities by your users. Daily scans will continue unless you turn off analytics for your organization. To view potential risks for your organization, go to the **Overview** tab and select **View results** on the **Insider risk analytics (preview)** card. If the scan for your organization isn't complete, you'll see a message that the scan is still active.
+
+![Insider risk management analytics report ready card](../media/insider-risk-analytics-ready-card.png)
+
+For completed scans, you'll see the potential risks discovered in your organization and insights and recommendations to address these risks. Identified risks and specific insights are included in reports grouped by area, the total number of users with identified risks, the percentage of these users with potentially risky activities, and a recommended insider risk policy to help mitigate these risks. The reports include:
+
+- **Data leaks insights**: Activities for all users that may include accidental oversharing of information outside your organization or data leaks by users with malicious intent.
+- **Data theft insights**: Activities for departing users or users with deleted Azure Active Directory accounts that may include risky sharing of information outside your organization or data theft by users with malicious intent.
+- **Top exfiltration insights**: Activities by all users that may include sharing data outside of your organization.
+
+![Insider risk management analytics overview report](../media/insider-risk-analytics-overview.png)
+
+To display more information for an insight, select **View details** to display the details pane for the insight. The details pane includes the complete insight results, an insider risk policy recommendation, and the **Create policy** button to quickly help you create the recommended policy. Selecting Create policy takes you to the policy wizard and automatically selects the recommended policy template related to the insight. For example, if the analytics insight is for *Data leak* activity, the *General data leaks* policy template will be pre-selected in the policy wizard for you.
+
+![Insider risk management analytics details report](../media/insider-risk-analytics-details.png)
+
+### Turn off analytics
+
+To turn off insider risk analytics, you must be a member of the *Insider Risk Management*, *Insider Risk Management Admin*, or Microsoft 365 *Global admin* role group. After you disable analytics, analytics insight reports will remain static and not be updated for new risks.
+
+Complete the following steps to turn off insider risk analytics:
+
+1. In the [Microsoft 365 compliance center](htttps://compliance.microsoft.com), go to **Insider risk management**.
+2. Select **Insider risk settings** > **Analytics** page.
+3. On the **Analytics** page, turn off **Scan your tenant's user activity to identify potential insider risks**.
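Review bot: Both compliance center links in the new Analytics procedures (step 1 under **Enable analytics and start your scan** and step 1 under **Turn off analytics**) use the scheme `htttps://` (three t's), so the links are broken; fix them to `https://compliance.microsoft.com`, the form used in the priority physical assets steps above. Also, "To enable insider risk analytics, you must be a member..." and "Complete the following steps to enable insider risk analytics:" sit on consecutive lines with no blank line between them, so Markdown will merge them into one paragraph; add the blank line as the **Turn off analytics** subsection does. Minor: in the "Minimal privacy requirements" bullet, the comma after "anonymized user activity" joins two independent clauses; use a semicolon or "so".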
compliance Insider Risk Management Solution Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-solution-overview.md
Use the following steps to configure insider risk management for your organizati
1. Learn about [insider risk management](insider-risk-management.md) in Microsoft 365 2. Plan for [insider risk management and verify licensing](insider-risk-management-plan.md) 3. Configure [insider risk management settings](insider-risk-management-settings.md)
-4. Configure [permissions](insider-risk-management-configure.md#step-1-enable-permissions-for-insider-risk-management) and [policy prerequisites & connectors](insider-risk-management-configure.md#step-3-configure-prerequisites-for-templates)
-5. Create and configure [insider risk management policies](insider-risk-management-configure.md#step-5-create-an-insider-risk-management-policy)
+4. Configure [permissions](insider-risk-management-configure.md#step-1-enable-permissions-for-insider-risk-management) and [policy prerequisites & connectors](insider-risk-management-configure.md#step-4-configure-prerequisites-for-policies)
+5. Create and configure [insider risk management policies](insider-risk-management-configure.md#step-6-create-an-insider-risk-management-policy)
## More information about insider risk management
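Review bot: The anchor changes in steps 4 and 5 (`#step-3-configure-prerequisites-for-templates` to `#step-4-configure-prerequisites-for-policies`, and `#step-5-create-an-insider-risk-management-policy` to `#step-6-create-an-insider-risk-management-policy`) imply the headings in insider-risk-management-configure.md were renumbered and the prerequisites heading renamed, but that file isn't part of this diff. Confirm the target headings exist with exactly those slugs, and search the repo for the old fragments so no other page is left linking to them.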
compliance Insider Risk Management Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-users.md
The **Users dashboard** is an important tool in the insider risk management work
After users are added to insider risk management policies, background processes are automatically evaluating user activities for [triggering indicators](insider-risk-management-settings.md#indicators). After triggering indicators are present, user activities are assigned risk scores. Some of these activities may result in an insider risk alert, but some activities may not meet a minimum risk score level and an insider risk alert won't be created. The **Users dashboard** allows you to view users with these types of indicators and risk scores, as well users that have active insider risk alerts.
-Additionally, there may be scenarios where you need to add temporarily users to insider risk policies after an unusual event is reported outside of the insider risk management workflow. The **Users dashboard** allows you to manually add a user to an insider risk policy for a specific amount of time and bypass the requirement for a user to have a triggering indicator. These users are always displayed in the Users dashboard when actively assigned to a policy.
- Learn more about how the Users dashboard displays users in the following scenarios: -- Dashboard users with active insider risk policy alerts-- Dashboard users with triggering indicators-- Dashboard users added temporarily to policies
+- Users with active insider risk policy alerts
+- Users with triggering events
+- Users added temporarily to policies
-## Dashboard users with active insider risk policy alerts
+## Users with active insider risk policy alerts
The **Users dashboard** automatically displays all users with active insider risk policy alerts. These users with alerts have both a triggering indicator and an activity risk score that meets the requirements for creating an insider risk alert. Activities for these users are viewed by selecting the user in the **Users dashboard** and navigating to the **User activity** tab.
-## Dashboard users with triggering indicators
+## Users with triggering events
-The **Users dashboard** automatically displays all users with triggering indicators, but that don't have an activity risk score that would create an insider risk alert. For example, a user with a reported resignation date is displayed because this event is a triggering indicator but isn't an activity that has a risk score. Activities for these users are viewed by selecting the user in the **Users dashboard** and navigating to the **User activity** tab.
+The **Users dashboard** automatically displays all users with triggering events, but that don't have an activity risk score that would create an insider risk alert. For example, a user with a reported resignation date is displayed because this activity is a triggering event but isn't an activity that has a risk score. Activities for these users are viewed by selecting the user in the **Users dashboard** and navigating to the **User activity** tab.
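Review bot: the rewritten example now reads "this activity is a triggering event but isn't an activity that has a risk score", which contradicts itself; a reported resignation date is an event, not an activity, so keep "this event is a triggering event but isn't an activity that has a risk score". The opening clause "all users with triggering events, but that don't have an activity risk score" is also awkward; "all users who have a triggering event but no activity risk score high enough to create an insider risk alert" says the same thing.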
-## Dashboard users added temporarily to policies
+## Users added temporarily to policies
-The **Users dashboard** allows you to temporarily add users to an existing insider risk management policy after an unusual event outside of the insider risk management workflow. Temporarily adding users is also a way to add users to an insider risk management policy for testing the policy, even if a required connector isn't configured.
+The **Users dashboard** includes users added to insider risk management policies after an unusual event outside of the insider risk management workflow. Temporarily adding users (from the Policies dashboard) is also a way to start scoring user activity for an insider risk management policy for testing the policy, even if a required connector isn't configured.
-When a user is manually added to a policy, the user activities for the previous 90 days are scored and added to the **User activity** timeline. For example, you have a user not currently in-scope in an insider risk policy and the user has data leak activities reported to the legal department in your organization. The legal department recommends that you configure new short-term monitoring requirements for the user. You can temporarily assign the user to your *Data leaks* policy for a designated length of time (activation window). All users added temporarily are displayed in the **Users dashboard** because triggering indicator requirements are waived.
+When a user is manually added to a policy, the user activities for the previous 90 days are scored and added to the **User activity** timeline. For example, you have a user not currently being assigned risk scores for an insider risk policy and the user has data leak activities reported to the legal department in your organization. The legal department recommends that you configure new short-term monitoring requirements for the user. You can temporarily assign the user to your *Data leaks* policy for a designated length of time (activation window). All users added temporarily are displayed in the **Users dashboard** because triggering event requirements are waived.
>[!NOTE] >It may take several hours for new manually-added users to appear in the **Users dashboard**. Activities for the previous 90 days for these users may take up to 24 hours to display. To view activities for manually added users, select the user on the **Users dashboard** and open the **User activity** tab on the details pane.
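Review bot: the rewritten paragraph says users are temporarily added "from the Policies dashboard" without linking to that procedure, and the six-step add procedure that used to live further down this page is removed in this same change, so the 90-day scoring and Activation window behaviour described here no longer has an entry point; add a cross-reference to wherever the procedure now lives. Minor: "a user not currently being assigned risk scores for an insider risk policy" is hard to parse; "a user whose activity isn't currently being scored by any insider risk policy" is clearer and keeps the intended distinction from policy assignment.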
-The user is automatically removed from the insider policy and the **Users dashboard** when the time defined in the **Activation window** expires if:
+The user is automatically removed from the **Users dashboard** and scoring stops when the time defined in the **Activation window** expires if:
-- the user doesn't have any triggering indicators or insider risk policy alerts, and-- if the manually defined **Activation window** duration is longer than the global policy **Activation window** duration.
+- the user doesn't have any additional triggering events or insider risk policy alerts, and
+- if the manually defined **Activation window** duration is longer than the global policy **Activation window** duration.
The **Activation window** setting with the longest duration always overrides the **Activation window** setting with a shorter duration. For example, you've configured the **Activation window** on the global **Policy timeframes** tab in the insider risk management global settings for 15 days, which is automatically applied to all your insider risk policies.
Each user displayed in the **Users dashboard** has the following information:
![Insider risk management users dashboard](../media/insider-risk-users-dashboard.png) >[!NOTE]
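Review bot: the second removal condition still begins with "if" although the lead-in sentence already ends with "if:", so the list reads "if: ... and if the manually defined ..."; drop the "if" from the bullet. It would also help to say what "additional" means in the first condition (whether only triggering events detected after the manual add keep the user in scope, since the original triggering requirement was waived), because the paragraph below explains Activation window precedence but not that.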
->The number of users displayed on the **Users dashboard** may be limited in some instances, depending on the volume of active alerts and matching policies. Users with active alerts are displayed on the **Users dashboard** as the alerts are generated, and there may be rare cases when the maximum number of displayed users is reached. If this happens, users with active alerts who aren't displayed will be added to the **Users dashboard** as existing user alerts are triaged.
+>The number of users displayed on the **Users dashboard** may be limited in some instances, depending on the volume of active alerts and matching policies. Users with active alerts are displayed on the **Users dashboard** as the alerts are generated, and there may be rare cases when the maximum number of displayed users is reached. If this limit happens, users with active alerts who aren't displayed will be added to the **Users dashboard** as existing user alerts are triaged.
## View user details
To view more details about risk activity for a user, open the user details pane
- **User activity** tab - **History of recent user activity**: Lists both triggering indicators and insider risk indicators for user activities up to the last 180 days. All activities pertinent to insider risk indicators are also scored, though the activities may or may not have generated an insider risk alert. Triggering indicator examples may be a resignation date or the last scheduled date of work for the user. Insider risk indicators are activities determined to have an element of risk and are defined in policies that the user is included in. Event and risk activities are listed with the most recent item listed first.
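Review bot: "If this limit happens" is still awkward; "If this limit is reached" matches the preceding sentence, which talks about the maximum number of displayed users being reached. The User activity tab description below also still says "triggering indicators" while the renamed sections above use "triggering events"; align it in the same change.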
-## Temporarily add a user to a policy
+## Remove users from in-scope assignment to policies
-To temporarily add a user to an insider risk management policy, you'll use the **Users** tab in the **Insider risk management** solution in the Microsoft 365 compliance center. Users added manually bypass triggering indicator requirements for the policy they are added to and are displayed in the **Users dashboard**. To permanently add a user to an insider risk management policy, you'll use the policy wizard.
+There may be scenarios where you need to stop assigning risk scores to a user's activity in insider risk management policies. Use **Remove users** on the **Users dashboard** page to stop assigning risk scores for one or more users from all insider risk management policies that they are currently in-scope for. This action does not remove users from the overall policy assignment (when you add users or groups to a policy configuration), but simply removes the users from active processing by policies after current triggering events. If the users have another triggering event in the future, risk scores from policies will automatically begin to be assigned to the users again. Any existing alerts or cases for this user will not be removed.
-Complete the following steps to add a user to an existing insider risk policy:
+>[!NOTE]
+>Removing a user from a policy may take several minutes to complete. Once complete, the user will no longer be listed on the Users page. If the removed user has active alerts or cases, then the user will remain on the Users page and the details for the user will show that they are no longer in-scope for a policy.
-1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** and select the **Users** tab.
-2. Select **Add a user to a policy** on the toolbar.
-3. On the **Add a new user** dialog, start typing a user name in the **User** field. Select the user you want to add to a policy.
-4. Select the dropdown arrow for the **Policy** field to display configured insider risk management policies. Select the policy to add the user to.
-5. Use the **Activation window** slider control to define how long the user is included in a policy and displayed in the Users dashboard. The time you specify determines how long the policy is active for this user and starts when the first alert is generated or a triggering indicator (like a DLP policy match) is detected. The range for the **Activation window** is 5 to 30 days.
-6. Select **Add** and then **Confirm** to add the user to the policy.
+To manually remove users from in-scope status in all insider risk management policies, complete the following steps:
->[!NOTE]
->It may take several hours for new manually-added users to appear in the **Users dashboard**. Activities for the previous 90 days for these users may take up to 24 hours to display. To view activities for manually added users, select the user on the **Users dashboard** and open the **User activity** tab on the details pane.
+1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** and select the **Users** tab.
+2. On the **Users dashboard**, select the user or users you want to remove from being in-scope in insider risk management policies.
+3. Select **Remove users**.
+4. On the **Remove user** pane, Select **Remove** or **Cancel** to discard the changes and close the dialog.
+5. Select **Remove** on the confirmation pane to remove the user.
## Run automated tasks with Power Automate flows for a user
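Review bot: removing the "Temporarily add a user to a policy" heading together with its procedure will break any inbound links to that anchor and leaves the temporary-add behaviour described earlier on the page without a procedure; either keep a short pointer under the old heading to where the steps now live, or check inbound links before merging. In the new procedure, step 4 "On the **Remove user** pane, Select **Remove** or **Cancel** to discard the changes and close the dialog" merges two actions into one sentence and capitalises "Select" mid-sentence; split it ("select **Remove** to continue, or **Cancel** to close the pane without changes") and reconcile the pane name "Remove user" with the button label "Remove users". Since this action stops risk scoring for a user while leaving alerts and cases in place, it would also help to state whether the removal is recorded in the insider risk management audit log, so reviewers can see who took a user out of scope and when.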
compliance Insider Risk Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management.md
Insider risk management is centered around the following principles:
- **Transparency**: Balance user privacy versus organization risk with privacy-by-design architecture. - **Configurable**: Configurable policies based on industry, geographical, and business groups. - **Integrated**: Integrated workflow across Microsoft 365 compliance solutions.-- **Actionable**: Provides insights to enable user notifications, data investigations, and user investigations.
+- **Actionable**: Provides insights to enable reviewer notifications, data investigations, and user investigations.
+
+## Identifying potential risks with analytics (preview)
+
+Insider risk analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you may consider configuring. This evaluation may also help you determine needs for additional licensing or future optimization of existing insider risk policies.
+
+To learn more about insider risk analytics, see [Insider risk management settings: Analytics](insider-risk-management-settings.md#analytics-preview).
## Workflow
Identifying and resolving internal risk activities and compliance issues with in
[Insider risk management policies](insider-risk-management-policies.md) are created using pre-defined templates and policy conditions that define what triggering events and risk indicators are examined in your organization. These conditions include how risk indicators are used for alerts, what users are included in the policy, which services are prioritized, and the monitoring time period.
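Review bot: changing "user notifications" to "reviewer notifications" in the Actionable bullet conflicts with the Action section further down this page, which describes reminder notices being sent to the user from notice templates; if both are intended, say "user and reviewer notifications", otherwise revert. In the new analytics section, "the type and scope of insider risk management policies you may consider configuring" and "needs for additional licensing" are vague; state concretely what the evaluation outputs, or drop the licensing sentence.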
-You can select from the following[policy templates to quickly get started with insider risk management:
+You can select from the following policy templates to quickly get started with insider risk management:
- [Data theft by departing users](insider-risk-management-policies.md#data-theft-by-departing-users) - [General data leaks](insider-risk-management-policies.md#general-data-leaks)
Alerts are resolved by opening a new case, assigning the alert to an existing ca
Selecting a case on the case dashboard opens the case for investigation and review. This step is the heart of the insider risk management workflow. This area is where risk activities, policy conditions, alerts details, and user details are synthesized into an integrated view for reviewers. The primary investigation tools in this area are: - **User activity**: User activity is automatically displayed in an interactive chart that plots activities over time and by risk level for current or past risk activities. Reviewers can quickly filter and view the entire risk history for the user and drill into specific activities for more details.-- **Content Explorer**: All data files and email messages associated with alert activities are automatically captured and displayed in the Content Explorer. Reviewers can filter and view files and messages by data source, file type, tags, conversation, and many more attributes.
+- **Content explorer**: All data files and email messages associated with alert activities are automatically captured and displayed in the Content explorer. Reviewers can filter and view files and messages by data source, file type, tags, conversation, and many more attributes.
- **Case notes**: Reviewers can provide notes for a case in the Case Notes section. This list consolidates all notes in a central view and include reviewer and date submitted information. ![Insider risk management investigation](../media/insider-risk-investigate.png)
+Additionally, the new [Audit log (preview)](insider-risk-management-audit-log.md) enables you to stay informed of the actions that were taken on insider risk management features. This resource allows an independent review of the actions taken by users assigned to one or more insider risk management role groups.
+ ### Action After cases are investigated, reviewers can quickly act to resolve the case or collaborate with other risk stakeholders in your organization. If users accidentally or inadvertently violate policy conditions, a simple reminder notice can be sent to the user from notice templates you can customize for your organization. These notices may serve as simple reminders or may direct the user to refresher training or guidance to help prevent future risky behavior. For more information, see [Insider risk management notice templates](insider-risk-management-notices.md).
In most cases, users try their best to properly handle sensitive or confidential
## Intentional or unintentional security policy violations (preview)
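Review bot: the casing is now inconsistent within the same list: "Content explorer" was lowercased, but the next bullet still reads "Case Notes section"; pick one convention for feature names. In the added audit log sentence, "the new Audit log (preview)" will go stale; "(preview)" already marks it as recent, so drop "new". The added "### Action" heading carries a leading space; Markdown tolerates up to three, but it is the only indented heading on the page.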
-Users typically have a large degree of control when managing their devices in the modern workplace. This may include permissions to install or uninstall applications needed in the performance of their duties or the ability to temporarily disable device security features. Whether this activity is inadvertent, accidental, or malicious, this conduct can pose risk to your organization and is important to identify and act to minimize. To help identity these risky security activities, the following insider risk management security policy violation templates scores security risk indicators and uses Microsoft Defender for Endpoint alerts to provide insights for security-related activities:
+Users typically have a large degree of control when managing their devices in the modern workplace. This control may include permissions to install or uninstall applications needed in the performance of their duties or the ability to temporarily disable device security features. Whether this activity is inadvertent, accidental, or malicious, this conduct can pose risk to your organization and is important to identify and act to minimize. To help identity these risky security activities, the following insider risk management security policy violation templates scores security risk indicators and uses Microsoft Defender for Endpoint alerts to provide insights for security-related activities:
- [General security policy violations (preview)](insider-risk-management-policies.md#general-security-policy-violations-preview) - [Security policy violations by departing users (preview)](insider-risk-management-policies.md#security-policy-violations-by-departing-users-preview)
Users typically have a large degree of control when managing their devices in th
## Policies for users based on position, access level, or risk history (preview)
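Review bot: the typo "To help identity these risky security activities" (should be "identify") is carried over unchanged from the removed line, and the verbs don't agree with the plural subject: "templates scores security risk indicators and uses" should be "templates score ... and use". Since the line is being edited anyway, fix both.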
-Users in your organization may have different levels of risk depending on their position, level of access to sensitive information, or risk history. This may include members of your organization's executive leadership team, IT administrators that have extensive data and network access privileges, or users with a past history of risky activities. In these circumstances, closer inspection and more aggressive risk scoring are important to help surface alerts for investigation and quick action. To help identify risky activities for these types of users, you can create priority user groups and create policies from the following policy templates:
+Users in your organization may have different levels of risk depending on their position, level of access to sensitive information, or risk history. This structure may include members of your organization's executive leadership team, IT administrators that have extensive data and network access privileges, or users with a past history of risky activities. In these circumstances, closer inspection and more aggressive risk scoring are important to help surface alerts for investigation and quick action. To help identify risky activities for these types of users, you can create priority user groups and create policies from the following policy templates:
- [Security policy violations by priority users (preview)](insider-risk-management-policies.md#security-policy-violations-by-priority-users-preview) - [Data leaks by priority users (preview)](insider-risk-management-policies.md#data-leaks-by-priority-users-preview)
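Review bot: "This structure may include members of your organization's executive leadership team" is an odd replacement for the dangling "This"; the sentence lists kinds of users, not a structure, so "These users may include" is the natural fix.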
compliance Insider Risk Solution Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-solution-overview.md
Title: Insider risk solution
+ Title: Insider risk solutions
description: Learn how to help minimize risk in your organization with insider risk solutions in Microsoft 365. keywords: Microsoft 365, insider risk, compliance localization_priority: Normal
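Review bot: the old "Title: Insider risk solution" line is shown as unchanged while "Title: Insider risk solutions" is added, which would leave two Title keys in the front matter; confirm the old line is actually removed and that the new one is not indented by the leading space shown here, otherwise the page metadata is ambiguous.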
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
Last updated
audience: Admin
-localization_priority: Normal
+localization_priority: Priority
search.appverid: - MOE150
The numbers listed are the minimum Office application version required for each
|[Dynamic markings with variables](#dynamic-markings-with-variables) | 2010+ | 16.42+ | 2.42+ | 16.0.13328+ | Under review | |[Assign permissions now](encryption-sensitivity-labels.md#assign-permissions-now) | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Let users assign permissions](encryption-sensitivity-labels.md#let-users-assign-permissions) |2004+ | 16.35+ | Under review | Under review | Under review |
-|[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | 16.43+ | Rolling out: 2.46+ | Rolling out: 16.0.13628+ | Yes <sup>\*</sup> |
-|[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | Rolling out: 2101+ | Rolling out: 16.45+ | Rolling out in preview: [Beta Channel](https://office.com/insider) | Rolling out: 16.0.13628+ | Under review
+|[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | 16.43+ | 2.46+ | Rolling out: 16.0.13628+ | Yes <sup>\*</sup> |
+|[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | 2101+ | Rolling out: 16.45+ | Preview: [Beta Channel](https://office.com/insider) | Rolling out: 16.0.13628+ | Under review
|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) | 2009+ | Rolling out: 16.44+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Support co-authoring and AutoSave](sensitivity-labels-coauthoring.md) for labeled and encrypted documents | Preview: [Current Channel (Preview)](https://office.com/insider) | Preview: [Beta Channel](https://office.com/insider) | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |
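Review bot: the two rewritten rows still lack the trailing pipe that every other row in this table has (the "Require users to apply a label" row ends in "Under review" with no closing "|"); add it so the rows render consistently with those above and below. The status changes themselves (dropping "Rolling out:" for 2.46+ and 2101+, and shortening "Rolling out in preview:" to "Preview:") use the table's existing vocabulary, so no further change needed there.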
enterprise Microsoft 365 Tenant To Tenant Migrations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-tenant-to-tenant-migrations.md
Use the [Tenant-to-tenant migration architecture model](https://download.microso
[![Tenant-to-tenant migration model](../media/solutions-architecture-center/msft-tenant-to-tenant-migration-thumb.png)](https://download.microsoft.com/download/b/a/1/ba19dfe7-96e2-4983-8783-4dcff9cebe7b/microsoft-365-tenant-to-tenant-migration.pdf)
-You download this model in [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/Microsoft-365-tenant-to-tenant-migration.pdf) format and print it on letter, legal, or tabloid (11 x 17) size paper.
+You download this model in [PDF](https://download.microsoft.com/download/b/a/1/ba19dfe7-96e2-4983-8783-4dcff9cebe7b/microsoft-365-tenant-to-tenant-migration.pdf) format and print it on letter, legal, or tabloid (11 x 17) size paper.
This model provides guidance and a starting-point for planning with sections on:
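Review bot: the PDF link now points at download.microsoft.com, matching the thumbnail link on the line above, but the sentence still reads "You download this model in PDF format"; it needs "can" ("You can download this model in PDF format and print it ...").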
enterprise Ms Cloud Germany Transition Add Pre Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-pre-work.md
Use these links to get to the pre-work steps relevant to your organization:
| Cancel any trial subscriptions. | Trial subscriptions will not be migrated and will block transfer of paid subscriptions. | Trial services are expired and non-functioning if accessed by users after cancellation. | | Analyze differences in license features between Microsoft Cloud Deutschland and Office 365 Services. | Office 365 services include additional features and services not available in the current Microsoft Cloud Deutschland. During subscription transfer, new features will be available to users. | <ul><li> Analyze the different features provided by the licenses for Microsoft Cloud Deutschland and Office 365 Services. Start with the [Office 365 platform Service Description](https://docs.microsoft.com/office365/servicedescriptions/office-365-platform-service-description/office-365-platform-service-description). </li><li> Determine if any new features of Office 365 services should be initially disabled to limit effects on users or on user change management, and alter user license assignments as needed. </li><li>Prepare users and help desk staff for new services and features provided by Office 365 services. | | Create organization-wide [retention policies](https://docs.microsoft.com/microsoft-365/compliance/retention) to protect from inadvertent deletion of content during migration. |<ul><li>To ensure that content isn't inadvertently deleted by end users during the migration, customers may choose to enable an organization-wide retention policy. </li><li>Although retention isn't required, since holds placed at anytime during the migration should work as expected, having a retention policy is a back-up safety mechanism. At the same time, a retention policy might not be used by all customers, especially those who are concerned about over preservation.</li></ul>| Apply retention policy as described in [Learn about retention policies and retention labels](https://docs.microsoft.com/microsoft-365/compliance/retention-policies). 
Failures of the service or client software can occur if this is not done before Phase 4 of 9. </li></ul>|
+| Correct license overages | In certain circumstances customers may be able to consume more services than are purchased. This condition is known as a license overage. Microsoft cannot migrate customers in a license overage condition from Microsoft Cloud Deutschland to the German datacenter regions. To ensure continuous access to the service and data, every assigned user requires a license. | All customers | Customers must evaluate and resolve the license overage condition through purchase of additional licenses or by unassigning licenses from users. |
||||| ## Active Directory Federation Services (AD FS)
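Review bot: the added "Correct license overages" row has four cells (the third is "All customers"), while the neighbouring rows visible above carry three (step, description, action); check the row against the table header, because a mismatched cell count renders the row incorrectly. The content is worth keeping: it spells out that a license overage blocks the migration, which the phases page now refers to.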
enterprise Ms Cloud Germany Transition Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-phases.md
The following sections contain actions and effects for workloads as they progres
**Applies to**: All customers with an Office 365 tenant hosted in the Microsoft Cloud Deutschland (MCD) | Step(s) | Description | Impact |
-|:-|:-|:-|
-| Subscriptions are transferred, and licenses are reassigned. | Corresponding Office 365 Global services subscriptions are purchased in the Office 365 Global instance for the transferred Microsoft Cloud Deutschland subscriptions. Users with assigned Microsoft Cloud Deutschland licenses will be assigned licenses in the Office 365 Global instance. Legacy Microsoft Cloud Deutschland subscriptions are removed from the Office 365 services tenant on completion.| <ul><li>Changes to existing subscriptions will be blocked (for example, no new subscription purchases or seat count changes) during this phase.</li><li>License assignment changes will be blocked.</li><li>The Microsoft Cloud Deutschland subscription will be migrated to corresponding Office 365 Global services subscription. The Office 365 Global services offer of that subscription is defined by Microsoft (also known as _Offer mapping_).</li><li>The number of features (service plans) offered by Office 365 services can be larger than in the original Microsoft Cloud Deutschland offer. User licenses in Office 365 services will be equivalently assigned to similar Microsoft Cloud Deutschland features (service plans). User licenses of all users will be automatically assigned to the new features. The admin needs to take an explicit action to disable those licenses, if needed. </li><li>When subscription migration is complete, both Office 365 services and Microsoft Cloud Deutschland subscriptions will be visible in the Office 365 Admin Portal, with the status of Microsoft Cloud Deutschland subscriptions as _deprovisioned_. </li><li>Users will be reassigned licenses that are tied to the new Office 365 services subscriptions. Any customer processes that have dependencies on MCD subscriptions or SKU GUIDs will be broken and need to be revised with the Office 365 services offering. 
</li><li>New subscriptions in the Office 365 services will be purchased with the new term (monthly/quarterly/yearly), and the customer will receive a prorated refund for the unused balance of the Microsoft Cloud Deutschland subscription. </li><li>Partner Microsoft Cloud Deutschland tenants won't be migrated. CSP customers will be migrated to Office 365 services under the new Office 365 services tenant of the same partner. After customer migration, the partner can manage this customer only from the Office 365 services tenant. </li><li>Additional functionality is available (for example, Microsoft Planner and Microsoft Flow), unless disabled by tenant admin. For information about how to disable service plans that are assigned to users' licenses, see [Disable access to Microsoft 365 services while assigning user licenses](disable-access-to-services-while-assigning-user-licenses.md).</li></ul> |
+|:-|:--|:-|
+| Subscriptions are transferred, and licenses are reassigned. | After the tenant is transitioned to Office 365 services, corresponding Office 365 services subscriptions are purchased for the transferred Microsoft Cloud Deutschland subscriptions. Users with assigned Microsoft Cloud Deutschland licenses will be assigned Office 365 services licenses. Legacy Microsoft Cloud Deutschland subscriptions are removed from the Office 365 services tenant on completion. | <ul><li>If your organization is in a 'license overage' situation (using more seats than are licensed), the migration may be blocked until this is remedied. Refer to [Pre-Work](ms-cloud-germany-transition-add-pre-work.md?view=o365-worldwide#applies-to-everyone) to understand how to ensure your allocated seat count matches the seats being used.</li><li> Changes to existing subscriptions will be blocked (for example, no new subscription purchases or seat count changes) during this phase. </li><li> License assignment changes will be blocked. </li><li> The Microsoft Cloud Deutschland subscription will be migrated to corresponding Office 365 services subscription. The Office 365 services offer of that subscription is defined by Microsoft (also known as _Offer mapping_). </li><li> The number of features (service plans) offered by Office 365 services can be larger than in the original Microsoft Cloud Deutschland offer. User licenses in Office 365 services will be equivalently assigned to similar Microsoft Cloud Deutschland features (service plans). User licenses of all users will be automatically assigned to the new features. The admin needs to take an explicit action to disable those licenses, if needed. </li><li> When subscription migration is complete, both Office 365 services and Germany subscriptions will be visible in the Office 365 Admin Portal, with the status of Germany subscriptions as _deprovisioned_. </li><li> Users will be reassigned licenses that are tied to the new Office 365 services subscriptions. 
Any customer processes that have dependencies on Germany subscriptions or SKU GUIDs will be broken and need to be revised with the Office 365 services offering. </li><li> New subscriptions in the Office 365 services will be purchased with the new term (monthly/quarterly/yearly), and the customer will receive a prorated refund for the unused balance of the Microsoft Cloud Deutschland subscription. </li><li> Partner Microsoft Cloud Deutschland tenants won't be migrated. CSP customers will be migrated to Office 365 services under the new Office 365 services tenant of the same partner. After customer migration, the partner can manage this customer only from the Office 365 services tenant. </li><li> Additional functionality is available (for example, Microsoft Planner and Microsoft Flow), unless disabled by tenant admin. For information about how to disable service plans that are assigned to users' licenses, see [Disable access to Microsoft 365 services while assigning user licenses](disable-access-to-services-while-assigning-user-licenses.md). |
|||| ## SharePoint Online (Phase 4)
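Review bot: the rewritten Impact cell mixes "Germany subscriptions" and "Microsoft Cloud Deutschland subscription(s)" for the same thing within one cell; the rest of the row and the pre-work page use "Microsoft Cloud Deutschland", so keep that throughout. The new first bullet links to the pre-work page as "ms-cloud-germany-transition-add-pre-work.md?view=o365-worldwide#applies-to-everyone"; the other relative link in this cell carries no view query string, and the fragment should be verified against the actual heading on that page. The alignment-row change from ":-" to ":--" has no rendering effect and can be dropped from the diff.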
enterprise Page Diagnostics For Spo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/page-diagnostics-for-spo.md
The tool generates a report for each analyzed page showing how the page performs
The Page Diagnostics tool is designed to analyze SharePoint site pages only, not system pages such as *allitems.aspx* or *sharepoint.aspx*. If you attempt to run the tool on a system page or any other non-site page, you will receive an error message advising that the tool cannot be run for that type of page.
-![Must run on a SharePoint page](../media/page-diagnostics-for-spo/pagediag-Error-StartPage.png)
+> [!div class="mx-imgBorder"]
+> ![Must run on a SharePoint page](../media/page-diagnostics-for-spo/pagediag-Error-StartPage.png)
This is not an error in the tool as there is no value in assessing libraries or system pages. Please navigate to a SharePoint site page to use the tool. If this error occurs on a SharePoint page, please check the master page to ensure that the SharePoint metatags have not been removed. To provide feedback about the tool, select the ellipsis at the top right corner of the tool and then select [Give feedback](https://go.microsoft.com/fwlink/?linkid=874109).
-![Give feedback](../media/page-diagnostics-for-spo/pagediag-feedback.png)
+> [!div class="mx-imgBorder"]
+> ![Give feedback](../media/page-diagnostics-for-spo/pagediag-feedback.png)
## Install the Page Diagnostics for SharePoint tool
The installation procedure in this section will work for both the Chrome and Mic
1. Install the Page Diagnostics for SharePoint tool for **Microsoft Edge** [(Edge extension)](https://microsoftedge.microsoft.com/addons/detail/ocemkolpnamjcacndljdfmhlpcaoipji) or **Chrome** [(Chrome extension)](https://chrome.google.com/webstore/detail/inahogkhlkbkjkkaleonemeijihmfagi). Please review the User Privacy Policy provided on the description page in the store. When adding the tool to your browser, you will see the following permissions notice.
- ![Extension permissions](../media/page-diagnostics-for-spo/pagediag-add-to-edge.png)
+ > [!div class="mx-imgBorder"]
+ > ![Extension permissions](../media/page-diagnostics-for-spo/pagediag-add-to-edge.png)
This notice is in place because a page may contain content from locations outside of SharePoint depending on the web parts and customizations on the page. This means that the tool will read the requests and responses when the start button is clicked and only for the active SharePoint tab where the tool is running. This information is captured locally by the web browser and is available to you via the **Export to JSON** or **Export to HAR** button in the tool's _Network trace_ tab. **The information is not sent to or captured by Microsoft.** (The tool respects the Microsoft privacy policy accessible [here](https://go.microsoft.com/fwlink/p/?linkid=857875).)
Select **Start** to begin collecting data for analysis.
1. The **About** link includes the currently installed version of the tool and a direct link to the tool's third party notice.
1. The **Correlation ID, SPRequestDuration, SPIISLatency**, **Page load time**, and **URL** details are informational and can be used for a few purposes.
- ![Page diagnostics details](../media/page-diagnostics-for-spo/pagediag-details.PNG)
+ > [!div class="mx-imgBorder"]
+ > ![Page diagnostics details](../media/page-diagnostics-for-spo/pagediag-details.PNG)
- **CorrelationID** is an important element when working with Microsoft Support as it allows them to gather additional diagnostic data for the specific page.
- **SPRequestDuration** is the time taken for SharePoint to process the page. Structural navigation, large images, and many API calls could all contribute to longer durations.
Select **Start** to begin collecting data for analysis.
|Result|Color|Explanation|
|:-----|:----|:----------|
|**Improvement opportunities** |Yellow |Test result falls outside the baseline value and could be contributing to performance issues. Test-specific criteria may apply.|
|**No action required** |Green |Test result falls within the test's baseline value.|
- ![Page diagnostics](../media/page-diagnostics-for-spo/pagediag-results-general.PNG)
+ > [!div class="mx-imgBorder"]
+ > ![Page diagnostics](../media/page-diagnostics-for-spo/pagediag-results-general.PNG)
-1. A [**Network trace**](#how-to-use-the-network-trace-tab) tab provides details about page build requests and responses.
+1. A [**Network trace**](#how-to-use-the-network-trace-tab-and-how-to-export-a-har-file) tab provides details about page build requests and responses.
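Review bot: the retargeted link `#how-to-use-the-network-trace-tab-and-how-to-export-a-har-file` depends on a heading that is not part of this change; the only heading visible here is `## How to use the Diagnostic tests tab`, so confirm the Network trace section's heading was renamed to exactly "How to use the Network trace tab and how to export a HAR file", since the slug is derived from the heading text and a mismatch leaves a link that scrolls nowhere.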
## How to use the Diagnostic tests tab
The **Network Trace** tab provides detailed information about both requests to b
- Yellow: 500-1000ms
- Red: \> 1000ms
- ![Network Trace](../media/page-diagnostics-for-spo/pagediag-networktrace-red.png)
+ > [!div class="mx-imgBorder"]
+ > ![Network Trace](../media/page-diagnostics-for-spo/pagediag-networktrace-red.png)
In the image shown above, the red item pertains to the default page. It will always show red unless the page loads in \< 1000ms (less than 1 second).
The **Network Trace** tab provides detailed information about both requests to b
3. **Share relevant details with others who can help investigate issues**. To share the details or information provided in the tool with your developers or a technical support person, the recommended approach is to select **Enable exporting to HTTP Archive (HAR)** and share the exported file.
-![Enable exporting to HAR](../media/page-diagnostics-for-spo/pagediag-submithar.png)
+ > [!div class="mx-imgBorder"]
+ > ![Enable exporting to HAR](../media/page-diagnostics-for-spo/pagediag-submithar.png)
Enable this option before clicking **Start**; doing so turns on debug mode in your browser and generates an HTTP Archive (HAR) file that is then available from the **Network trace** tab. Click **Export to HAR** to download the file to your computer so you can share it. The file can be opened in a variety of debugging tools, such as the browser's F12 Developer Tools and Fiddler.
- ![Network trace](../media/page-diagnostics-for-spo/pagediag-NetworkTraceHAR.PNG)
+> [!div class="mx-imgBorder"]
+> ![Network trace](../media/page-diagnostics-for-spo/pagediag-networktracehar.png)
> [!IMPORTANT]
> These results contain URLs that can be classified as PII (Personally Identifiable Information), and an HTTP Archive also records request and response headers, including cookies, so a HAR exported from an authenticated SharePoint session can contain session tokens. Make sure to follow your organization's guidelines, and review or redact the file, before distributing that information.
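Review bot: the image path changes case, from `pagediag-NetworkTraceHAR.PNG` to `pagediag-networktracehar.png`; unless the file in `../media/page-diagnostics-for-spo/` was renamed in the same commit, the image 404s on a case-sensitive build host. The replacement lines also drop the one-space indent the removed line had, unlike the other image blocks in this change, which keep their indent under the list item.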
No change is visible except that you will be notified that you have enabled it a
2. On your keyboard, press **ALT-Shift-L**. This will display the **Enable support logging** check box.
3. Select the check box, and then click **Start** to reload the page and generate verbose logging.
- ![Support Option Enabled](../media/page-diagnostics-for-spo/pagediag-support.png)
+ > [!div class="mx-imgBorder"]
+ > ![Support Option Enabled](../media/page-diagnostics-for-spo/pagediag-support.png)
You should note the CorrelationID (displayed at the top of the tool) and provide it to your support representative to enable them to gather additional information about the diagnostic session.
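The Network trace thresholds (yellow 500-1000 ms, red above 1000 ms) and the HAR export described above can be worked with outside the browser. The following script is an added example, not part of the Page Diagnostics tool or its documentation: it reads a HAR 1.2 export, lists the requests the tool would colour yellow or red, and writes a copy with cookie, authorization and form-digest headers, cookie jars and request bodies blanked, which is the redaction the PII note above calls for before a trace leaves your organization. The HAR document embedded in it is constructed for the example, and the header names it treats as sensitive are the example's own choice.

```python
import copy
import json
import sys

# Constructed sample of a HAR 1.2 export (not a real capture). HAR "time"
# values are milliseconds, as the HAR spec defines them.
SAMPLE_HAR_TEXT = json.dumps({
    "log": {
        "version": "1.2",
        "creator": {"name": "constructed-sample", "version": "0"},
        "entries": [
            {
                "time": 1450.2,
                "request": {
                    "method": "GET",
                    "url": "https://contoso.sharepoint.com/sites/hr/SitePages/Home.aspx",
                    "headers": [
                        {"name": "Cookie", "value": "FedAuth=example; rtFa=example"},
                        {"name": "Accept", "value": "text/html"},
                    ],
                    "cookies": [{"name": "FedAuth", "value": "example"}],
                },
                "response": {
                    "status": 200,
                    "headers": [{"name": "Set-Cookie", "value": "rtFa=example; Path=/"}],
                    "cookies": [{"name": "rtFa", "value": "example"}],
                },
            },
            {
                "time": 730.0,
                "request": {
                    "method": "POST",
                    "url": "https://contoso.sharepoint.com/sites/hr/_api/web/lists",
                    "headers": [{"name": "Authorization", "value": "Bearer example"}],
                    "cookies": [],
                    "postData": {"mimeType": "application/json", "text": "{\"secret\": 1}"},
                },
                "response": {"status": 200, "headers": [], "cookies": []},
            },
            {
                "time": 120.5,
                "request": {"method": "GET", "url": "https://cdn.example.net/banner.png",
                            "headers": [], "cookies": []},
                "response": {"status": 200, "headers": [], "cookies": []},
            },
        ],
    }
})

# Headers whose values let someone else act as the exporting user (example's own list).
# X-RequestDigest is SharePoint's form-digest (anti-CSRF) token.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-requestdigest"}


def classify(time_ms):
    """Colour an entry the way the tool's Network trace tab does."""
    if time_ms > 1000:
        return "red"
    if time_ms >= 500:
        return "yellow"
    return "green"


def slow_entries(har, min_colour="yellow"):
    """Return (colour, time_ms, url) for entries at or above min_colour, slowest first."""
    wanted = {"red"} if min_colour == "red" else {"red", "yellow"}
    hits = []
    for entry in har["log"]["entries"]:
        colour = classify(entry["time"])
        if colour in wanted:
            hits.append((colour, entry["time"], entry["request"]["url"]))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


def redact_har(har):
    """Return a deep copy with credential-bearing headers, cookie jars and request bodies blanked."""
    clean = copy.deepcopy(har)
    for entry in clean["log"]["entries"]:
        for side in ("request", "response"):
            part = entry[side]
            for header in part.get("headers", []):
                if header["name"].lower() in SENSITIVE_HEADERS:
                    header["value"] = "[REDACTED]"
            part["cookies"] = []          # parsed cookie values live here, not only in headers
            if "postData" in part:        # request bodies can carry tokens or personal data
                part["postData"] = {"mimeType": part["postData"].get("mimeType", ""),
                                    "text": "[REDACTED]"}
    return clean


def triage(har_text):
    """Parse a HAR export; return the slow requests and a copy safe to hand on."""
    har = json.loads(har_text)
    return {"slow": slow_entries(har), "redacted": redact_har(har)}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HAR_TEXT
    result = triage(text)
    for colour, ms, url in result["slow"]:
        print(f"{colour:6} {ms:8.1f} ms  {url}")
    with open("trace-redacted.har", "w") as out:
        json.dump(result["redacted"], out, indent=1)
```

Run it with the path of an exported HAR as the only argument; with no argument it runs on the embedded sample. Timings and URLs survive the redaction, so the redacted copy is still useful to a developer, while the original stays on your machine.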
security User Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
After you've verified that your mailbox meets all applicable prerequisites, [Use
2. In the **User submissions** page that appears, select one of the following options:
- 1. **Enable the Report Message feature for Outlook (Recommended)**: Select this option if you use the Report Message add-in, the Report Phishing add-in or the built-in reporting in Outlook on the web, and then configure the following settings:
+ 1. **Enable the Report Message feature for Outlook (Recommended)**: Select
+this option if you use the Report Message add-in, the Report Phishing
+add-in or the built-in reporting in Outlook on the web, and then configure
+the following settings:
- - **Customize the end-user confirmation message**: Click this link. In the **Customize confirmation message** flyout that appears, configure the following settings:
+ - **Customize the end-user confirmation message**: Click this link. In the **Customize confirmation message** flyout that appears, configure the following settings:
- - **Before submission**: In the **Title** and **Confirmation message** boxes, enter the descriptive text that users see before they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable %type% to include the submission type (junk, not junk, phish, etc.).
+ - **Before submission**: In the **Title** and **Confirmation message** boxes, enter the descriptive text that users see before they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable %type% to include the submission type (junk, not junk, phish, etc.).
- As noted, if you select an option that sends the reported messages to Microsoft, the following text is also added to the notification:
+ As noted, if you select an option that sends the reported messages to Microsoft, the following text is also added to the notification:
> Your email will be submitted as-is to Microsoft for analysis. Some emails might contain personal or sensitive information.
- - **After submission**: Click ![Expand icon](../../media/scc-expand-icon.png). In the **Title** and **Confirmation message** boxes, enter the descriptive text that users see after they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable %type% to include the submission type.
+ - **After submission**: Click ![Expand icon](../../media/scc-expand-icon.png). In the **Title** and **Confirmation message** boxes, enter the descriptive text that users see after they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable %type% to include the submission type.
When you're finished, click **Save**. To clear these values, click **Restore** back on the **User submissions** page.-
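Review bot: the re-wrapped item `+ 1. **Enable the Report Message feature for Outlook (Recommended)**: Select` continues on unindented lines (`+this option if you use the Report Message add-in, ...`), which renders only through lazy continuation; a later blank line or edit between those lines pulls the rest of the sentence out of the list. Keep the item on one line, as the nested bullets in this hunk are, or indent the continuation to the item's text column. The context line `click **Restore** back on the **User submissions** page.-` also carries a stray trailing `-` that looks like a diff marker fused onto the text.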
- - **Send the reported messages to**: Make one of the following selections:
-
- - **Microsoft (Recommended)**: The user submissions mailbox isn't used (all reported messages go to Microsoft).
-
- - **Microsoft and a custom mailbox**: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. User submissions will go to both Microsoft for analysis and to the custom mailbox for your admin or security operations team to analyze.
-
- - **Custom mailbox**: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. Use this option if you want the message to only go to an admin or the security operations team for analysis first. Messages will not go to Microsoft unless the admin forwards it themselves.
+
+ - **Customize the end-user reporting options**: Click this link. In the
+**Customize end-user reporting options** flyout that appears, enter the
+descriptive text for Junk email reporting options.
+ Under **Options to show when messages are reported**, select at least
+one among the following options:
+ - **Ask me before sending a report**
+ - **Automatically send reports**
+ - **Never send reports** \
+ When you're finished, click **Save**.
+ - **Send the reported messages to**: Make one of the following selections:
+ - **Microsoft (Recommended)**: The user submissions mailbox isn't used (all reported messages go to Microsoft).
+ - **Both Microsoft and a custom mailbox**: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. User submissions will go to both Microsoft for analysis and to the custom mailbox for your admin or security operations team to analyze.
+ - **Custom mailbox only**: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. Use this option if you want the message to only go to an admin or the security operations team for analysis first. Messages will not go to Microsoft unless the admin forwards it themselves.
> [!NOTE]
> U.S. Government organizations (GCC, GCC-H, and DoD) can only configure **Custom mailbox**. The other two options are disabled.
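Review bot: this hunk renames the mailbox options to **Both Microsoft and a custom mailbox** and **Custom mailbox only**, but the NOTE that follows still says U.S. Government organizations `can only configure **Custom mailbox**`; update it to the new label so readers can find the option. Two smaller points: `- **Never send reports** \` ends with a backslash, which inserts a hard line break and makes `When you're finished, click **Save**.` continue the last bullet instead of closing the flyout step, and the new **Customize the end-user reporting options** lines are hard-wrapped without indentation, as in the first hunk.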
After you've verified that your mailbox meets all applicable prerequisites, [Use
> [!CAUTION]
> If you have [disabled junk email reporting in Outlook on the web](report-junk-email-and-phishing-scams-in-outlook-on-the-web-eop.md#disable-or-enable-junk-email-reporting-in-outlook-on-the-web) using Outlook on the web mailbox policies, but you configure either of the previous settings to report messages to Microsoft, users will be able to report messages to Microsoft in Outlook on the web using the Report Message add-in or the Report Phishing add-in.
- - **Disable the Report Message feature for Outlook**: Select this option if you use third-party reporting tools instead of the Report Message add-in, the Report Phishing add-in or the built-in reporting in Outlook on the web, and then configure the following settings:
- Select **Use this custom mailbox to receive user reported submissions**. In the box that appears, enter the email address of an existing mailbox that is already in Office 365. This has to be an existing mailbox in Exchange Online that can receive email.
+ 1. **Disable the Report Message feature for Outlook**: Select this option if you use third-party reporting tools instead of the Report Message add-in, the Report Phishing add-in or the built-in reporting in Outlook on the web, and then configure the following settings:
- When you're finished, click **Confirm**.
+ Select **Use this custom mailbox to receive user reported submissions**. In the box that appears, enter the email address of an existing mailbox that is already in Office 365. This has to be an existing mailbox in Exchange Online that can receive email.
+
+ When you're finished, click **Confirm**.
## Message submission format
In the following example:

`3|49871234-6dc6-43e8-abcd-08d797f20abe|167.220.232.101|test@contoso.com|(test phishing submission)`

Messages that do not follow this format will not display properly in the Submissions portal.
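A third-party reporting tool that writes lines in this shape benefits from a check before sending, since a malformed line is silently mis-displayed rather than rejected. The validator below is an added example, not code from the page or from Microsoft: it splits a line into the five pipe-delimited fields the sample shows and checks each one against the shape of the sample. The field labels it uses (type, id, sender_ip, sender, subject) are the example's own assumptions drawn from the sample's contents, as the page does not define the fields; it also accepts IPv6 in the address field and keeps any `|` inside the free-text last field, both the example's choices. The malformed lines are constructed for the test.

```python
import ipaddress
import re

# Field labels below are this example's assumptions about the five fields in
# the page's sample line; the page does not define them.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s|]+@[^@\s|]+\.[^@\s|]+$")

# Constructed input: the page's sample line plus lines that break its shape.
SAMPLE_LINES = [
    "3|49871234-6dc6-43e8-abcd-08d797f20abe|167.220.232.101|test@contoso.com|(test phishing submission)",
    "3|49871234-6dc6-43e8-abcd-08d797f20abe|167.220.232.101|test@contoso.com",
    "3|not-a-guid|167.220.232.101|test@contoso.com|(bad id)",
    "3|49871234-6dc6-43e8-abcd-08d797f20abe|167.220.232.999|test@contoso.com|(bad ip)",
    "x|49871234-6dc6-43e8-abcd-08d797f20abe|167.220.232.101|test@contoso.com|(bad type)",
    "1|49871234-6dc6-43e8-abcd-08d797f20abe|2001:db8::1|someone@contoso.com|Invoice | overdue",
]


def parse_submission_line(line):
    """Validate one pipe-delimited line and return its fields as a dict.

    Raises ValueError naming the first field that does not match the shape of
    the page's sample. maxsplit=4 keeps any '|' inside the free-text last field.
    """
    parts = line.strip().split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 pipe-delimited fields, got {len(parts)}")
    kind, ident, ip, sender, subject = parts
    if not kind.isdigit():
        raise ValueError(f"field 1 must be numeric, got {kind!r}")
    if not GUID_RE.match(ident):
        raise ValueError(f"field 2 is not a GUID: {ident!r}")
    try:
        ipaddress.ip_address(ip)          # accepts IPv4 and IPv6 (example's choice)
    except ValueError:
        raise ValueError(f"field 3 is not an IP address: {ip!r}") from None
    if not EMAIL_RE.match(sender):
        raise ValueError(f"field 4 is not an email address: {sender!r}")
    return {"type": int(kind), "id": ident.lower(), "sender_ip": ip,
            "sender": sender, "subject": subject}


def check_lines(lines):
    """Parse a batch; return (accepted, rejected) so bad lines are fixed before sending."""
    accepted, rejected = [], []
    for number, line in enumerate(lines, 1):
        try:
            accepted.append(parse_submission_line(line))
        except ValueError as err:
            rejected.append((number, str(err)))
    return accepted, rejected


if __name__ == "__main__":
    good, bad = check_lines(SAMPLE_LINES)
    print(f"{len(good)} accepted, {len(bad)} rejected")
    for number, reason in bad:
        print(f"  line {number}: {reason}")
```

Because the last field is free text, a subject containing `|` is only safe if it is always the final field; the validator relies on that ordering, which matches the sample but is not stated on the page.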