Updates from: 03/17/2021 04:10:13
Category Microsoft Docs article Related commit history on GitHub Change details
admin Productivity Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/productivity/productivity-score.md
Title: "Microsoft Productivity Score" f1.keywords: - NOCSH--++ audience: Admin
description: "Overview of Microsoft productivity score."
# Microsoft Productivity Score
-Productivity Score supports the journey to digital transformation with insights about how your organization uses Microsoft 365 and the technology experiences that support it. Your organizationΓÇÖs score reflects people and technology experience measurements and can be compared to benchmarks from organizations similar in size to yours.
+Productivity Score supports the journey to digital transformation with insights about how your organization uses Microsoft 365 and the technology experiences that support it. Your organization's score reflects people and technology experience measurements and can be compared to benchmarks from organizations similar in size to yours.
It provides:
We provide metrics, insights, and recommendations in two areas:
- **People experiences:** Quantifies how the organization works using Microsoft 365 categories like content collaboration, mobility, communication, meetings, and teamwork.
- For each of the mentioned categories, we look at public research to identify some best practices and associated benefits in the form of organizational effectiveness . For example, [Forrester](https://vc2prod.blob.core.windows.net/vc-resources/TEIStudies/TEI%20of%20Microsoft%20365%20E5%20-%20Oct%202018.pdf) research has shown that when people collaborate and share content in the cloud (instead of emailing attachments), they can save up to 100 minutes a week. Furthermore, we quantify the use of these best practices in your organization to help you see where you are on your digital transformation journey.
+ For each of the mentioned categories, we look at public research to identify some best practices and associated benefits in the form of organizational effectiveness. For example, [Forrester](https://vc2prod.blob.core.windows.net/vc-resources/TEIStudies/TEI%20of%20Microsoft%20365%20E5%20-%20Oct%202018.pdf) research has shown that when people collaborate and share content in the cloud (instead of emailing attachments), they can save up to 100 minutes a week. Furthermore, we quantify the use of these best practices in your organization to help you see where you are on your digital transformation journey.
- **Technology experiences:** Your organization depends on reliable and well performing technology as well as the efficient use of Microsoft 365. [Endpoint analytics](https://aka.ms/endpointanalytics) helps you understand how your organization can be impacted by performance and health issues with your hardware and software. Microsoft 365 apps health helps you understand whether the devices in your organization are running Microsoft 365 apps on recommended channels.
Productivity Score includes data from Exchange, SharePoint, OneDrive, Teams, Wor
Your organization's score is updated daily and reflects user actions completed in the last 28 (including the current day).
-## Pre-requisites
+## Prerequisites
-For people experiences data, you need a Microsoft 365 for business or Office 365 for enterprise subscription. For endpoint analytics data for your tenant, you need to add Microsoft Intune to your subscription. Intune helps you protect your organizationΓÇÖs data by managing devices and apps. Once you have Intune, you can turn on endpoint analytics within the Intune experience. Learn more about [Microsoft Intune](https://docs.microsoft.com/mem/intune/).
+For people experiences data, you need a Microsoft 365 for business or Office 365 for enterprise subscription. For endpoint analytics data for your tenant, you need to add Microsoft Intune to your subscription. Intune helps you protect your organization's data by managing devices and apps. Once you have Intune, you can turn on endpoint analytics within the Intune experience. Learn more about [Microsoft Intune](https://docs.microsoft.com/mem/intune/).
> [!NOTE] > A license to Workplace Analytics is not required to get the Productivity Score features.
Productivity Score is only available in the Microsoft 365 Admin Center and can o
> [!NOTE] > Only an IT professional with the Global Administrator role can sign up or opt in a tenant for Productivity Score.
-Please note that the information is only intended to be used for furthering digital transformation using Microsoft 365, and should therefore be shared with discretion.
+The role-based access control model for Productivity Score helps organizations further digital transformation efforts with Microsoft 365 by providing the flexibility to assign roles to IT professionals within an organization.
-Microsoft is committed to protecting individual privacy. This [privacy document](privacy.md) explains the controls we provide you, as your organizationΓÇÖs IT administrator, to ensure that the information is actionable while not compromising the trust you place in Microsoft .
+Microsoft is committed to protecting individual privacy. This [privacy document](privacy.md) explains the controls we provide you, as your organization's IT administrator, to ensure that the information is actionable while not compromising the trust you place in Microsoft.
You can access the experience from Microsoft 365 Admin home under **Reports** > **Productivity Score**.
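Review bot: Guidance on how the score data should be handled is lost in the paragraph after the Global Administrator note. The removed sentence told readers the information "should therefore be shared with discretion"; the new sentence mentions a role-based access control model but names no roles, and the note just above still says only the Global Administrator role can sign up or opt in a tenant. Suggest naming the roles that can view the score and linking to where they are assigned, or keeping a sentence on limiting who the data is shared with, so a reader can apply least privilege from this page. Separately, the unchanged line "reflects user actions completed in the last 28 (including the current day)" is missing "days" and could be fixed in the same pass.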
compliance Building Search Queries https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/building-search-queries.md
description: "Use keywords and conditions to narrow the scope of the search when searching for data using Advanced eDiscovery in Microsoft 365."
-# Build search collection queries in Advanced eDiscovery
+# Build search queries for collections in Advanced eDiscovery
-When building search queries to collect data in an Advanced eDiscovery case, you can use keywords to find specific content and conditions to narrow the scope of the search to return items that are most relevant to your legal investigation.
+When configuring the search query when creating a [collection](collections-overview.md) in an Advanced eDiscovery case, you can use keywords to find specific content and conditions to narrow the scope of the search to return items that are most relevant to your legal investigation.
![Use keywords and conditions to narrow the results of a search](../media/SearchQueryBox.png)
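Review bot: The new opening sentence stacks two "when" clauses ("When configuring the search query when creating a collection") and is hard to parse. Suggest "When you configure the search query for a collection in an Advanced eDiscovery case, you can use keywords ...", which keeps the new link to collections-overview.md. The description line above still talks about "searching for data using Advanced eDiscovery" and could pick up the collections wording as well.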
compliance Collecting Data For Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/collecting-data-for-ediscovery.md
- Title: "Collect data for a case in Advanced eDiscovery"-- NOCSH--- Previously updated : --
-localization_priority: Normal
--- MOE150-- MET150-
-description: Learn how to identify a document set for review in an investigation using the Search tool in Advanced eDiscovery.
---
-# Collect data for a case in Advanced eDiscovery
-
-Once you've identified custodians and data sources that are of interest for your case, it's time to identify the set of documents to delve into. You can use the Search tool in Advanced eDiscovery to identify relevant documents from custodial and non-custodial locations in Microsoft 365.
-
-After you run a search, you can view statistics on the retrieved items, such as the locations that had the most items that matched the search query. You can also preview a subset of the results. When you've identified the set of documents you want to further examine, you can add the search results to a review set to collect and process.
-
-## Create a search
-
-Selecting **New search** on the **Searches** tab will start a wizard that guides you through creating a search. For detailed information on how to create a search, see [Create a search to collect data](create-search-to-collect-data.md).
-
-After a search is created, a flyout page with details is displayed. The **Statistics** and **Preview** buttons are initially unavailable because the search hasn't completed yet. You can keep track of the progress of the search on the **Searches** tab.
-
-## View search results and statistics
-
-There are two components of a content search: Statistics (Estimates) and Preview. As each of these components complete, you'll see the status displayed in the corresponding columns on the **Searches** tab change from **Submitted** to **In progress** to **Completed**.
-
-Once the search estimate is completed, select the search to display the flyout page, which will display some high-level statistics about the results of the search. At this point, the **Statistics** button will be active. You can select it to see search statistics, such as:
--- Summary-- Top locations-- Queries-
-For more information about search statistics, see [Search statistics](search-statistics-in-advanced-ediscovery.md).
-
-Once preview is completed, the **Preview** button will be active. Select it to preview a sampled subset of the results.
-
-## Add search results to a review set
-
-When you're ready to collect and process the entire results of a search, you can do so by adding it to a review set. For details, see [Add data to a review set](add-data-to-review-set.md).
-
-## Add non-Microsoft 365 data to a review set
-
-As part of the collection process for a case, you can also add non-Office 365 data to a review set and review and analyze together with the Office 365 data that you collected by using the search tool. When you add non-Office 365, you have to associate it with a specific custodian in the case. For more information, see [Load non-Microsoft 365 data into a review set](load-non-Office-365-data-into-a-review-set.md).
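Review bot: Removing collecting-data-for-ediscovery.md needs a redirect, and none is visible in this change. The deleted page linked onward to create-search-to-collect-data.md, search-statistics-in-advanced-ediscovery.md and add-data-to-review-set.md, so point the old URL at collections-overview.md to keep inbound links and bookmarks working. Also check that the removed section "Add non-Microsoft 365 data to a review set" is still reachable: the new collections-overview.md and collection-statistics-reports.md text, as far as it is shown here, does not mention it.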
compliance Collection Statistics Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/collection-statistics-reports.md
+
+ Title: "Collection statistics and reports"
+f1.keywords:
+- NOCSH
++++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+search.appverid:
+- MOE150
+- MET150
+description: "Learn how to access and use statistics and reports for draft collections and collections that have been committed to a review set in Advanced eDiscovery."
++
+# Collection statistics and reports in Advanced eDiscovery
+
+After you create a draft collection, you can view statistics on the retrieved items, such as the content locations that contain the most items that matched the search criteria and the number of items returned by the search query. You can also preview a subset of the results.
+
+When you've identified the set of documents you want to further examine, you can add the search results to a review set to collect and process.
+
+## Statistics and reports for draft collections
+
+This section describes the statistics that are available for draft collections. These statistics are available on the **Search statistics** tab on the flyout page of a draft collection.
+
+### Collection estimates
+
+This section displays a graphical summary of the estimated items returned by the collection. This indicates the number of items that match the search criteria of the collection. This information gives you an idea about the estimated number of items returned by the collection.
+
+![Collection estimates for a draft collection](../media/AeDCollectionEstimates.png)
+
+- **Estimated items by locations**: The total number of estimated items returned by the collection. The specific number of items located in mailboxes and located in sites is also displayed.
+
+- **Estimated locations with hits**: The total number of content locations that contain items returned by the collection. The specific number of mailbox and site locations is also displayed.
+
+- **Data volume by location (in MB)**: The total size of all estimated items returned by the collection. The specific size of mailbox items and site items is also displayed.
+
+### Condition report
+
+This section displays statistics about the collection search query and the number of estimated items that matched different parts of the search query. You can use these statistics to analyze the number of items that match each component of search query. This can help you refine the search criteria for the collection and if necessary narrow the scope of the collection.
+
+- **Location type**: The type of content location that the query statistics are applicable to. The value of **Exchange** indicates a mailbox location; a value of **SharePoint** indicates a site location.
+
+- **Part**: The part of the search query the statistics are applicable to. **Primary** indicates the entire search query. **Keyword** indicates the statistics in the row are for a specific keyword. If you use a keyword list when for the search query in the collection, statistics for each component of the query are included in this table.
+
+- **Condition**: The actual component (keyword or condition) of the search query that was run for the draft collection that returned the statistics displayed in the corresponding row.
+
+- **Locations with hits**: The number of the content locations (specified by the **Location type** column) that contain items that match the primary or keyword query listed in the **Condition** column.
+
+- **Items**: The number of items (from the specified content location) that match the query listed in the **Condition** column. As previously explained, if an item contains multiple instances of a keyword that is being searched for, it's only counted once in this column.
+
+- **Size (MB)**: The total size of all items that were found (in the specified content location) that match the search query in the **Condition** column.
+
+### Top locations
+
+This section displays statistics about the specific content locations with the most items returned by the collection.
+
+- The name of the location name (the email address of mailboxes and the URL for sites).
+
+- Location type (a mailbox or site).
+
+- Estimated number of items in the content location returned by the collection.
+
+- The total size of estimated items in each content location.
+
+## Statistics and reports for committed collections
+
+This section describes the statistics that are available after you commit a collection to a review set, including the actual number of items added to the review set. These statistics (in addition to load set information) provide historical information about content added to a case.
+
+After you commit a collection to a review set, the following tabs are displayed on the flyout page of the committed connection. Each of these tabs contains different types of information about the collection.
+
+![Tabs on flyout page of committed collection](../media/CommittedCollectionFlyoutPage.png)
+
+### Collection contents
+
+This section of the **Summary** tab contains statistics and other information about the items that were collected from the data sources in the collection and added to the review set.
+
+- **Total extracted items**. The total number of items added to the review set. This number indicates the sum of parent items and child items added to the review set.
+
+ > [!TIP]
+ > Hover the cursor over the parent or child item bars to display the total number of parent or child items.
+
+- **Parent items**. The number of items returned by the collection that was used to collect the items that were added to the review set. This number corresponds to (and is equal to) the estimated number of items that is displayed in the **Collection parameters** section. The number of parent items he collection information that was used to collect the items that were added to the review set.
+
+ A parent item might contain multiple child items. For example, an email message is a parent item if it contains an attached file or has a cloud attachment. In this case, the attached file or the target of the cloud attachment are considered child items. When you commit a collection, parent items and any corresponding child items are added to the review set as individual items or files.
+
+- **Child items**. The number of child items added to the review set. Child items are attachments or other parts of a parent item. Child items include attached files, cloud attachments, images, and email signatures. When you commit a collection to a review set, child items are extracted, indexed, and added to the review set as individual files.
+
+- **Unique items**. The number of unique items added to the review set. Unique items are unique to the review set. All items are unique when the first collection is added to a new review set because there were no previous items in the review set.
+
+- **Identified duplicate items**. The number of items from the collection that were not added to the review set because the same item already exists in the review set. Statistics about duplicate items can help explain the differences between the number of estimated items from a draft collection and the actual number of items added to the review set.
+
+### Indexing
+
+The **Indexing** section on the **Summary** tab of a committed review set contains indexing information about the items added to the review set.
+
+**New indexed items**. The number of items that were newly indexed before they were added to the review set. An example of a newly indexed item are child items that are extracted from a parent item then indexed before they're added to the review set. Also, items that aren't located in custodial data sources and non-custodial content locations listed on the **Data sources** tab in the case are indexed before they're added to the review. For example, newly indexed items would include items collected from additional locations.
+
+**Updated indexed items**. The number of partially indexed items that were successfully indexed and added to the review set. This would partially indexed items from custodial and non-custodial content locations **Data sources** tab that were successfully indexed when the collection was committed to the review set.
+
+**Indexing errors**. The number of partially indexed items that couldn't be indexed before they were added to the review set. These items might require error remediation.
+
+### Collection parameters
+
+This section displays the collection information that was used to collect the items that were added to the review set. This tab displays information that is similar to the information on the **Search statistics** tab. This section provides a quick snap shot of the search query used by the collection, the content locations that were searched, and the estimated collection results. As previously explained, the number of estimated items in this section would be equal to the number of parent items shown in the **Collection contents** section.
+
+### Search statistics tab
+
+The statistics displayed on the **Search statistics** tab are the same statistics from the last time that a draft collection was run. This includes collection estimates, condition report, and top locations. This information is preserved from the draft collection for historical reference, and can be compared to the actual collection that was committed to the review set.
+
+## Differences between draft collection estimates and the actual committed collection
+
+When you run a draft collection, an estimate of the number of items (and their total size) that meet the collection criteria is displayed on the **Summary** tab and in **Collection estimates** section of the **Search statistics** tab. After you commit a draft collection to a review set, the actual number of items (and their total size) added the review set are often different from the estimates. In most cases, more items are added to the review set than were estimated from the draft collection. The following list describes the most common reasons for these differences and tips for identifying them:
+
+- **Child items**. Child items that are extracted from their parent items and added as individual files. The number of child items may significantly increase the number of items that are actually added to the review set. In general, the number of parent items identified in the **Collection contents** section on the **Summary** tab of a committed collection should be equal to the number of estimated items from the draft collection.
+
+- **Duplicate items**. Items from the draft collection that have already been added to the review set in a previous collection won't be added. As previously explained, the number of duplicate items in the collection is displayed in the **Collection contents** section on the **Summary** tab.
+
+- **Collection configuration options**. When you commit a draft collection to a review set, you have to option to include conversation threads, cloud attachments, and document versions. Any of these items that are added to the review set aren't included in the estimates of the draft collection. They are identified and collected only when you commit the collection. Selecting these options will most likely increase the number of items added to the review set.
+
+ For example, multiple versions of SharePoint documents aren't included in the estimate for the draft collection. But if you select the option to include all document versions when you export the search results, which will increase the actual number (and total size) of items added to the review set.
+
+ For more information about these options, see [Commit a draft collection to a review set](commit-draft-collection.md#commit-a-draft-collection-to-a-review-set-in-advanced-ediscovery).
+
+Here are other reasons why the estimated results from a draft collection can be different that the actual committed results.
+
+- **The way results are estimated for draft collections**. An estimate of the search results returned by a draft collection is just that, an estimate (and not an actual count) of the items that meet the collection query criteria. To compile the estimate of email items, a list of the message IDs that meet the search criteria is requested from the Exchange database. But when you commit the collection to a review set, the collection is rerun and the actual messages are retrieved from the Exchange database. So differences might result because of how the estimated number of items and the actual number of items are determined.
+
+- **Changes that happen between the time when estimating and committing draft collections**. When you commit a draft collection to a review set, the search is rerun to collect that most recent items in the search index that meet the search criteria. It's possible that additional items were created, sent, or deleted that meet the search criteria in the time between when the draft collection was last run and when the draft collection is committed to a review set. It's also possible that items that were in the search index when the draft collection results were estimated are no longer there because they were purged from a data source before committing the collection. One way to mitigate this issue is to specify a date range for a collection. Another way is to place a hold on content locations so that items are preserved and can't be purged.
+
+- **Unindexed items**. If the draft collection included searching all Exchange mailboxes or all SharePoint sites, then only unindexed items from content locations that contain items that match the collection criteria will be added to the review set. In other words, if no results are found in a mailbox or site, then any unindexed items in that mailbox or site won't be added to the review set. However, unindexed items from all content locations (even those that don't contain items that match the collection query) will be included in the estimated collection results.
+
+ Alternatively, if the draft collection included specific content locations (which means that specific mailboxes or sites where specified on the **Additional locations** page in the draft collection wizard), then unindexed items (that aren't excluded by the collection criteria) from the content locations specified in the search will be exported. In this case, the estimated number of unindexed items and the number of unindexed items that are added to the review set should be the same.
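Review bot: The **Parent items** bullet under "Collection contents" ends in a garbled sentence ("The number of parent items he collection information that was used to collect the items that were added to the review set."), which looks like a stray paste from the "Collection parameters" intro; delete it or finish the thought. Other points in this file: "the flyout page of the committed connection" should read "collection"; "This would partially indexed items" under **Updated indexed items** is missing a verb; the **Items** bullet says "As previously explained" although nothing earlier in the file covers keyword counting; and the "Collection configuration options" and "Unindexed items" text still says "when you export the search results" and "will be exported" on a page that is about committing to a review set. Smaller typos to fix in the same pass: "when for the search query", "The name of the location name", "added the review set", "you have to option", "different that", "collect that most recent", "where specified".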
compliance Collections Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/collections-overview.md
+
+ Title: "Overview of collections in Advanced eDiscovery"
+f1.keywords:
+- NOCSH
++++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+search.appverid:
+- MOE150
+- MET150
+description: "Use collections in Advanced eDiscovery to search for and collect content that's relative to your case or investigation."
++
+# Learn about collections in Advanced eDiscovery
+
+> [!NOTE]
+> We're rolling out a new collections experience in Advanced eDiscovery, which is described in this article. This rollout will take a number of weeks before it's available to all organizations. If the new collections experience isn't available in your organization, you can still collect case content with the [Advanced eDiscovery search tool](create-search-to-collect-data.md).
+
+When organizations are faced with gathering the communications and content that may be relevant to an investigation or potential litigation, they face a significant challenge under the best of circumstances. In todayΓÇÖs modern workplace, the volume, variety, and velocity of content is enabling innovation and remote work, while also expanding the requirements and process for managing collections for eDiscovery investigations.
+
+The collection workflow poses significant technical challenges around extracting content from native locations and sources. It's also a critical point in the assessment and strategy for common litigation or investigations scenarios. As organizations begin to assess an investigation, the first questions asked are who was involved? After identifying who was involved, these custodians can quickly be placed on hold to preserve relevant content. The next question is what took place? To answer this second fundamental question of any investigation, managers must turn to the data. To quickly assess the most relevant content to the question of what took place, managers start to refine the target of the question to ensure that the collection results are comprehensive without being too broad.
+
+Collections in Advanced eDiscovery help eDiscovery managers quickly scope a search for content across email, documents, and other content in Microsoft 365. Collections provide managers with an estimate of the content that may be relevant to the case. This allows managers to make quick, informed decisions about the size and scope of content relevant to a case. eDiscovery managers can create a collection to search custodial data sources (such as mailboxes and SharePoint sites) and by using specific search criteria (such as keywords and date ranges) to quickly define the scope of their collection.
+
+After the collection is defined, eDiscovery managers can save the collection as a draft and get estimates, including estimates for data volume, the content locations that contain results, and the number of hits for search query condition. These insights can help to inform if the collection should be revised to narrow or expand the scope of the collection before moving on the review and analyze stages in the eDiscovery workflow.
+
+When the manager is satisfied with the scope of the collection and the estimated amount of content that's likely to be responsive, the manager can add or *commit* the content to a review set. When committing a collection to a review set, that manager also has the options to include chat conversations, cloud attachments, and document versions. The content in the collection also goes through another level of processing during ingestion into the review set. and the collection will be updated with the final collection summary. After content is added to the review set, eDiscovery managers can continue to query, group, and refine the content in to help with minimization and review. Additionally, the collection is updated with information and statistics about the content committed to the review set. This provides a historical reference about the content in the collection.
+
+With the release of collections in an Advanced eDiscovery, the **Searches** tab has been renamed to **Collections** in an Advanced eDiscovery case in the Microsoft 365 compliance center. The steps to define the scope and size of the collection follow the same process as search to define locations and conditions. Save as draft and get preview estimates enables quick validation of targeted scope of collections prior to committing a full search and collection into the review set. This enables improved job management, and targeted iterations for starting to minimize content during the search and collection process.
+
+## Collections workflow
+
+To get started using collections in Advanced eDiscovery, here's a basic workflow and descriptions of each step in the process.
+
+![Collections workflow in Advanced eDiscovery](../media/CollectionsWorkflow.png)
+
+1. **Create and run a draft collection**. The first step is to create a draft collection and define the custodial and non-custodial data sources to search. You can also search other data sources that haven't been added to the case. After you add the data sources, you configure the search query to search the data sources for content relevant to the case. You can keywords, properties, and conditions to build search queries that return content that's likely most relevant to the case. For more information, see [Create a draft collection](create-draft-collection.md).
+
+2. **Review estimates and statistics**. After you create a draft collection and run it, the next step is to view collection statistics to help you verify whether relevant content is being found and the content locations with the most hits. You can also preview a sample of the search results to further help you determine if the content is within scope of your investigation. For more information, see [Statistics and reports for draft collections](collection-statistics-reports.md#statistics-and-reports-for-draft-collections).
+
+3. **Revise and rerun a draft collection**. Based on the estimates and statistics returned by the collection, you can edit the draft collection by changing the data sources that are searched and the search query to expand or narrow the collection. You can update and rerun the draft collection until you're confident that collection contains the content that's most relevant to your case.
+
+4. **Commit a draft collection to a review set**. When you're satisfied that the collection returns the type content that is relevant to the case, you can commit the collection to the review set. When you commit a collection, you have the option to add conversation threads, cloud attachments, and document versions to the review set, all of which might be relevant to the case. The following things happen when you commit a collection:
+
+ - Child items (such as email attachments, email signatures, and images) are extracted from a parent item (such as an email message, chat message, or document), indexed (in a process called *deep indexing*), and added to the review set as separate files.
+
+ - Deep indexing is performed on items collected from additional data sources. These types of data sources are content locations other than the custodial and non-custodial data sources previously added to the case.
+
+ For more information, see [Commit a draft collection to a review set](commit-draft-collection.md).
+
+5. **Review collection summary and statistics**. After you commit a collection to a review set, information about the collection is retained, such as statistics about extracted items, deep indexing, the search query used for the collection, and the content locations that items were collected from. Also, committed collections can't be edited or rerun. You can only copy or delete them. Preserving collections provides a historical record of the collected items that were added to a review set. For more information, see [Statistics and reports for committed collections](collection-statistics-reports.md#statistics-and-reports-for-committed-collections).
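Review bot: The paragraph on committing a collection contains a broken sentence: "... during ingestion into the review set. and the collection will be updated with the final collection summary." Join or drop the fragment; it also repeats the later sentence "Additionally, the collection is updated with information and statistics about the content committed to the review set." In the same paragraph "refine the content in to help with minimization" has a stray word. In the workflow list, step 1 has "You can keywords, properties, and conditions" (missing "use") and step 4 has "the type content". The apostrophe in "todayΓÇÖs" in the second paragraph appears mis-encoded here, whereas the productivity-score.md change in this same update replaces that sequence with a plain apostrophe; use the plain apostrophe here too.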
compliance Commit Draft Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/commit-draft-collection.md
+
+ Title: "Commit a draft collection to a review set"
+f1.keywords:
+- NOCSH
++++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+search.appverid:
+- MOE150
+- MET150
+description: "After you create and iterate on a draft collection, you can commit it to a review set. When you commit a draft collection, the collected items are added to review set in the case. After the collected items are in the review set, you can analyze, review, and export them."
++
+# Commit a draft collection to a review set in Advanced eDiscovery
+
+When you're satisfied with the items you've collected in a draft collection and are ready to analyze, tag, and review them, you can add a collection to a review set in the case. When you commit a draft collection to a review set, collected items are copied from their original content location in Microsoft 365 to a review set. A review set is a secure, Microsoft-provided Azure Storage location in the Microsoft cloud.
+
+## Commit a draft collection to a review set
+
+1. In the Microsoft 365 compliance center, open the Advanced eDiscovery case, and then select the **Collections** tab to display a list of the collections in the case.
+
+ ![List of collections in a case](../media/CommitDraftCollections1.png)
+
+ > [!TIP]
+ > A value of `Estimated` in the **Status** column identifies the draft collections that can be added to a review set. A status of `Committed` indicates that a collection has already been added to a review set.
+
+2. On the **Collections** page, select the draft collection that you want to commit to a review set.
+
+3. On the bottom of the flyout page, select **Actions** > **Edit collection**.
+
+4. In the edit collection wizard, click **Next** until the **Save draft or collect** page is displayed.
+
+5. Configure the following settings:
+
+ 1. Select **Collect items and add to review set**.
+
+ 2. Decide whether to add the collection to a new review set (which is created after you submit the collection) or to an existing review set. Complete this section based on your decision.
+
+ 3. Configure the additional collection settings:
+
+ - **Teams and Yammer messages**: Select this option to add conversation threads to the collection that include the chat items returned by the search query in the collection. This means that the chat conversation that contains items that match the search criteria is reconstructed. This lets you review chat items in the context of the back and forth conversation. For more information, see [Conversation threading in Advanced eDiscovery](conversation-review-sets.md).
+
+ - **Cloud attachments**: Select this option to include modern attachments or linked files when the collection results are added to the review set. This means that the target file of a modern attachment or linked file is added to the review set.
+
+ - **SharePoint versions**: Select this option to enable the collection of all version of a SharePoint document per the version limits and search parameters of the collection. Selecting this option will significantly increase the size of items that are added to the review set.
+
+ 4. Configure the settings to define the scale of the collection to add to the review set:
+
+ - **Add all collection results**: Select this option to add all the items that match the search criteria of the collection to the review set.
+
+ - **Add a sample of the collection results**: Select this option to add a sample of the collection results to the review set instead of adding all results. If you select this option, click **Edit sample parameters** and choose one of the following options:
+
+ - **Sample based on confidence**: Items from the collection are added to the review set will be determined by the statistical parameters that you set. If you typically use a confidence level and interval when sampling results, specify them in the drop-down boxes. Otherwise, use the default settings.
+
+ - **Randomly sample**: Items from the collection are added to the review set based on a random selection of the specified percentage of the total number of items returned by the search.
+
+6. On the **Review your collection** page, you can review the collection settings that you configured on the previous page. Click **Edit** if you want to change them.
+
+7. Click **Submit** to create the draft collection. A page is displayed confirming that the collection was created.
+
+## What happens after you commit a draft collection
+
+When you commit a draft collection to a review set, the following things happen:
+
+- The collection search query is run again. This means the actual search results copied to the review set may be different than the estimated results that were returned when the collection search was last run.
+
+- All items in the search results are copied from the original data source in the live service, and copied to a secure Azure Storage location in the Microsoft cloud.
+
+- All items (including the content and metadata) that aren't located in custodian or non-custodian data sources are reindexed (in a process called *deep indexing*) so that all data in the review set is fully searchable during the review of the case data. Reindexing the content in a collection results in thorough and fast searches when you search or filter the content in the review set during the case investigation.
+
+- Encrypted SharePoint and OneDrive documents and encrypted files attached email messages that's returned in the search results are decrypted when you commit the collection to a review set. You can review and query the decrypted files in the review set. For more information, see [Decryption in Microsoft 365 eDiscovery tools](ediscovery-decryption.md).
+
+- Optical character recognition (OCR) functionality extracts text from images, and includes the image text with the content that's added to a review set. For more information, see the [Optical character recognition](#optical-character-recognition) section in this article.
+
+- After the commit is successfully completed, the value of the status column of on the **Collections** tab is changed to `Committed`.
+
+## Optical character recognition
+
+When you commit a collection to a review set, optical character recognition (OCR) functionality in Advanced eDiscovery automatically extracts text from images, and includes the image text with the content that's added to a review set. You can view the extracted text in the Text viewer of the selected image file in the review set. This lets you conduct further review and analysis on text in images. OCR is supported for loose files, email attachments, and embedded images. For a list of image file formats that are supported for OCR, see [Supported file types in Advanced eDiscovery](supported-filetypes-ediscovery20.md#image).
+
+You have to enable OCR functionality for each case that you create in Advanced eDiscovery. For more information, see [Configure search and analytics settings](configure-search-and-analytics-settings-in-advanced-ediscovery.md#optical-character-recognition-ocr).
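Review bot: step 7 of the procedure reads "Click **Submit** to create the draft collection. A page is displayed confirming that the collection was created.", which describes creating a draft rather than committing one. It should say that the collection is committed to the review set. Several sentences also need a grammar pass: "Items from the collection are added to the review set will be determined by the statistical parameters" (sampling option), "all version of a SharePoint document", "encrypted files attached email messages that's returned in the search results", and "the status column of on the **Collections** tab".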
compliance Communication Compliance Feature Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-feature-reference.md
To view communication compliance review activities for a policy, select the **Ex
| **Operations** | The review operations performed on the policy. | | **AuditData** | This field is the main data source for all policy review activities. All review activities are recorded and separated by comma delimiters. |
-You can also view audit activities in the unified audit log or with the [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog) PowerShell cmdlet.
+You can also view audit activities in the unified audit log or with the [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog) PowerShell cmdlet. To learn more about audit log retention policies, see [Manage audit log retention policies](audit-log-retention-policies.md).
For example, the following example returns the activities for all the supervisory review activities (policies and rules):
This example returns the update activities for your communication compliance pol
Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -RecordType Discovery -Operations SupervisionPolicyCreated,SupervisionPolicyUpdated,SupervisionPolicyDeleted ```
+This example returns activities that match your current communication compliance policies:
+
+```PowerShell
+Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations SupervisionRuleMatch
+```
+ ## Transitioning from Supervision in Office 365 Organizations using supervision policies in Office 365 should immediately plan to transition to communication compliance policies in Microsoft 365 and need to understand these important points:
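Review bot: the added SupervisionRuleMatch example omits the `-RecordType Discovery` parameter that the preceding example passes. If that is intentional, say why in the lead-in; otherwise add it so the two examples are consistent. The lead-in "activities that match your current communication compliance policies" is also ambiguous about whether it returns policy matches or policy changes. Wording such as "returns the policy match activities" would separate it from the create, update, and delete example above it.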
compliance Conversation Review Sets https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/conversation-review-sets.md
search.appverid:
- MOE150 - MET150 ms.assetid: -
-description: Learn how to use the Conversation Reconstruction feature in Advanced eDiscovery to reconstruct, review, and export threaded conversations.
+description: "Learn about the conversation reconstruction feature in Advanced eDiscovery (called conversation threading) to reconstruct, review, and export chat conversations in Microsoft Teams and Yammer groups."
-# Review conversations in Advanced eDiscovery
+# Conversation threading in Advanced eDiscovery
-Instant messaging is a convenient way to ask questions, share ideas, or quickly communicate across large audiences. As instant messaging platforms, like Microsoft Teams, become core to enterprise collaboration, organizations must evaluate how their eDiscovery workflow addresses these new forms of communication and collaboration.
+Instant messaging is a convenient way to ask questions, share ideas, or quickly communicate across large audiences. As instant messaging platforms, like Microsoft Teams and Yammer groups, become core to enterprise collaboration, organizations must evaluate how their eDiscovery workflow addresses these new forms of communication and collaboration.
The Conversation Reconstruction feature in Advanced eDiscovery is designed to help you identify contextual content and produce distinct conversation views. This capability allows you to efficiently and rapidly review complete instant message conversations (also called *threaded conversations*) that are generated in platforms like Microsoft Teams.
Here are few definitions to help you get start using Conversation Reconstruction
![Microsoft Teams Channel Conversation](../media/threadedchat.png)
- In other apps (such as 1xN chat messages in Teams), there is not a formal reply chain and instead messages appear as a "flat river of messages" within a single thread. In these types apps, conversations are inferred from a group of messages that occur within a certain time. This "soft-grouping" of messages (as opposed to a reply chain) represent the "back and forth" conversation about a specific topic of interest.
-
-## Step 1: Run a search
-
-After you have identified relevant custodians and content locations, you can create a search to find potentially relevant content. On the **Searches** tab in the Advanced eDiscovery case, you can create a search by clicking **New search** and following the wizard. For information about how you can create a search, build a search query, and view the search results, see [Collect data for a case](create-search-to-collect-data.md).
+ In other apps (such as 1xN chat messages in Teams), there is not a formal reply chain and instead messages appear as a "flat river of messages" within a single thread. In these types apps, conversations are inferred from a group of messages that occur within a certain time. This "soft-grouping" of messages (as opposed to a reply chain) represent the "back and forth" conversation about a specific topic of interest.
-## Step 2: Create a conversation review set
-
-In a review set, you can search, tag, annotate, and redact documents, email messages, and chat conversations. In Advanced eDiscovery, you can customize your review of conversations, based in individual messages or threaded conversations. This is determined by the type of review set that you add the results of the search created in Step 1 to. There are two different types of review sets:
-
- - **Standard review sets:** Messages in conversations are processed and displayed as individual items.
-
- - **Conversation review sets:** Messages in conversations are processed individually but displayed in a conversation view. In a conversation review set, you can annotate, tag, and redact messages in a threaded conversation view.
+## Step 1: Create a draft collection
-For more information about how to review and manage content in a review set, see [Manage review sets](managing-review-sets.md).
+After you have identified relevant custodians and content locations, you can create a search to find potentially relevant content. On the **Collections** tab in the Advanced eDiscovery case, you can create a collection by clicking **New collection** and following the wizard. For information about how you can create a collection, build a search query, and preview the search results, see [Create a draft collection](create-draft-collection.md).
-## Step 3: Enable conversation retrieval options
+## Step 2: Commit a draft collection to a review set
-After you have reviewed and finalized your search query, you can add the search results to a review set. When you add your search results into a review set, the original data is copied to an Azure Storage area to facilitate the review and analysis process. For more information about adding search results to a review set, see [Add search results to a review set](add-data-to-review-set.md).
+After you have reviewed and finalized the search query in a collection, you can add the search results to a review set. When you add your search results into a review set, the original data is copied to an Azure Storage area to facilitate the review and analysis process. For more information about adding search results to a review set, see [Commit a draft collection to a review set](commit-draft-collection.md).
-When you add data from conversations to a review set, you can use the conversation retrieval options to expand your search and include contextual messages. After you set the conversation retrieval options, the following things can happen:
+When you add items from conversations to a review set, you can use the threaded conversations option to collect contextual messages from conversations that contain items that match the search criteria of the collection. After you select the thread conversations option, the following things can happen:
![Conversation Retrieval](../media/messagesandconversations.png)
-1. Using a keyword and date range query, the search returned a hit on *Message 3*. This message was part of a larger conversation, illustrated by *CRC1*.
+1. Using a keyword and date range query, the search returned a hit on *Message 3*. This message was part of a larger conversation, illustrated by *CRC1*.
-2. When you add the data into a review set and enable the conversation retrieval options, Advanced eDiscovery will go back and collect other items in *CRC1*.
+2. When you add the data into a review set and enable the conversation retrieval options, Advanced eDiscovery will go back and collect other items in *CRC1*.
-3. After the items have been added to the review set, you can review all the individual messages from *CRC1*.
+3. After the items have been added to the review set, you can review all the individual messages from *CRC1*.
-To enable conversation retrieval:
-
-1. On the **Searches** tab in the Advanced eDiscovery case, select a search, and then click **Add to review set** on the flyout page.
-
-2. Select an existing review set or create a review set. You can configure retrieval options when adding search results to a standard or a conversation review set.
+To enabled the threaded conversations option, see [Commit a draft collection to a review set](commit-draft-collection.md#commit-a-draft-collection-to-a-review-set).
-3. Under **Collection options**, configure the conversation retrieval options for the content sources that you want to expand in your search, and then click **Add** to start the process.
-
-4. After the **Add to review set** job on the **Jobs** tab has finished, you can start reviewing the conversations.
-
-## Step 4: Review and export conversations in a review set
+## Step 3: Review and export threaded conversations
-After the content has been processed and added to the review set, you can start reviewing the data in the review set. The review capabilities are different depending on whether the content was added to a standard review set or a conversation review set.
+After the content has been processed and added to the review set, you can start reviewing the data in the review set. The review capabilities are different depending on whether the content was added to a standard review set or a conversation review set.
### Reviewing conversations in a standard review set
-In a standard review set, messages are processed and displayed as individual items, similar to how they're stored in a mailbox folder. In this workflow, each message is processed as a separate item. As a result, the threaded summary and export options aren't available in a standard review set.
+In a standard review set, messages are processed and displayed as individual items, similar to how they're stored in a mailbox folder. In this workflow, each message is processed as a separate item. As a result, the threaded summary and export options aren't available in a standard review set.
![Standard review set](../media/standardrs.PNG)
The following sections describe reviewing and exporting conversations in a conve
In a conversation review set, you can use the following options to facilitate the review process. -- **Group by conversation:** Groups messages within the same conversation together to help users simplify and expedite their review process.
+- **Group by conversation:** Groups messages within the same conversation together to help users simplify and expedite their review process.
- **Summary view:** Displays the threaded conversation. In this view, you can see the entire conversation and also access the metadata for each individual message.
In a conversation review set, you can use the following options to facilitate th
- Download individual messages -- **Text view:** Provides the extracted text for the entire conversation.
+- **Text view:** Provides the extracted text for the entire conversation.
- **Annotate view:** Lets you markup a threaded view of the conversation. All messages in the conversation share the same annotated document.
b. Conversation options
- **Conversation files:** When you export conversation files, the annotated view is converted to a PDF file and downloaded to the export folder. Messages in one conversation file point to the PDF version of the same conversation file.
- - **Individual chat messages:** When you export individual messages, each unique message in the conversation is exported as a standalone item. The file is exported in the same format that it was saved as in the mailbox. For a specific conversation, you receive multiple .msg files.
+ - **Individual chat messages:** When you export individual messages, each unique message in the conversation is exported as a standalone item. The file is exported in the same format that it was saved as in the mailbox. For a specific conversation, you receive multiple .msg files.
>[!NOTE]
- > If you applied annotations to the conversation file, these annotations won't be transferred to the individual messages.
+ > If you applied annotations to the conversation file, these annotations won't be transferred to the individual messages.
c. Other options
- - **Generate text files for all exported content:** Generates a text file for each conversation exported from the review set.
+ - **Generate text files for all exported content:** Generates a text file for each conversation exported from the review set.
- **Replace exported content with redacted PDFs:** If redacted conversation files are generated during the review process, then these files are available during export. You can decided whether to export only the native files (by not selecting this option) or to replace the native files with the redacted versions of the native files (by selecting this option), which are exported as PDF files.
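Review bot: the removed Step 2 was the only place that defined standard review sets and conversation review sets, but the new Step 3 still says the review capabilities differ "depending on whether the content was added to a standard review set or a conversation review set" and keeps the "Reviewing conversations in a standard review set" subsection. Readers now meet both terms with no definition. Either keep a short definition or rewrite Step 3 around the threaded conversations option. Step 2 also names the option three ways ("threaded conversations option", "thread conversations option", and "conversation retrieval options" in list item 2), and "To enabled the threaded conversations option" should read "To enable".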
compliance Create And Manage Advanced Ediscoveryv2 Case https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-and-manage-advanced-ediscoveryv2-case.md
To get you started using Advanced eDiscovery, here's a basic workflow that align
- You can use the [communications workflow](managing-custodian-communications.md) in Advanced eDiscovery to send a legal hold notification to custodians.
-2. **[Search data sources for data relevant to the case](collecting-data-for-ediscovery.md)**. After you add custodians and non-custodial data sources to a case, use the built-in search tool to search these data sources for data that may be relevant to the case. You use keywords, properties, and conditions to [build search queries](building-search-queries.md) that return search results with the data that's most likely relevant to the case. You can also:
+2. **[Collect relevant data from data sources](create-draft-collection.md)**. After you add custodians and non-custodial data sources to a case, use the built-in collections tool to search these data sources for content that may be relevant to the case. You use keywords, properties, and conditions to [build search queries](building-search-queries.md) that return search results with the data that's most likely relevant to the case. You can also:
- - View [search statistics](search-statistics-in-advanced-ediscovery.md) that may help you refine a search query to narrow the results.
+ - View [collection statistics](collection-statistics-reports.md) that may help you refine a collection to narrow the results.
- - Preview the search results to quickly verify whether the relevant data is being found.
+ - Preview a sample of the collection to quickly verify whether the relevant data is being found.
- - Revise a query and rerun the search.
+ - Revise a query and rerun the collection.
-3. **[Add data to a review set](add-data-to-review-set.md)**. Once you've configured and verified that a search returns the desired data, the next step is to add the search results to a review set. When you add data to a review set, items are copied from their original location to a secure Azure Storage location. The data is reindexed again to optimize it for thorough and fast searches when reviewing and analyzing items in the review set. Additionally, you can also [add non-Office 365 data into a review set](load-non-office-365-data-into-a-review-set.md).
+3. **[Commit collection to a review set](commit-draft-collection.md)**. Once you've configured and verified that a search returns the desired data, the next step is to add the search results to a review set. When you add data to a review set, items are copied from their original location to a secure Azure Storage location. The data is reindexed again to optimize it for thorough and fast searches when reviewing and analyzing items in the review set. Additionally, you can also [add non-Office 365 data into a review set](load-non-office-365-data-into-a-review-set.md).
There's also a special kind of review set that you can add data to, called a *conversation review set*. These types of reviews sets provide conversation reconstruction capabilities to reconstruct, review, and export threaded conversations like those in Microsoft Teams. For more information, see [Review conversations in Advanced eDiscovery](conversation-review-sets.md).
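Review bot: step 3 is retitled "Commit collection to a review set", but its body still speaks of a search ("verified that a search returns the desired data", "add the search results to a review set") while step 2 now uses collection wording throughout; align the two. The unchanged paragraph after step 3 still links to "Review conversations in Advanced eDiscovery", an article this same update retitles "Conversation threading in Advanced eDiscovery". That paragraph still describes a conversation review set, so it needs the same revision.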
compliance Create Draft Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-draft-collection.md
+
+ Title: "Create a draft collection"
+f1.keywords:
+- NOCSH
++++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+search.appverid:
+- MOE150
+- MET150
+description: "A draft collection is an eDiscovery search of custodial and non-custodial data sources in an Advanced eDiscovery case that returns a search estimate that matches the search query of the collection. You can review search statistics, preview a sampling of items, and revise and rerun the collection before you commit the results to a review set."
++
+# Create a draft collection in Advanced eDiscovery
+
+After you've identified custodians and any non-custodian data sources for the case, you're ready to identify and locate a set of documents that are relevant. You do this by using the Collections tool to search data sources for relevant content. You do this by creating a collection that searches specified data sources for content that matches your search criteria. You have the option to create a *draft collection*, which is an estimate of the items are found or you can create a collection that automatically adds the items to a review set. When you create a draft collection, you can views information about the estimated results that matched the search query, such as the total number and size of items found, the different data sources where they were found, and statistics about the search query. You can also preview a sample of items that were returned by the collection. Using these statistics, you can change the search query and rerun the draft collection to narrow your results. Once you're satisfied with the collection results, you can commit the collection to a review set. When you commit a draft collection, the items returned by the collection are added to a review set for review, analysis, and export.
+
+## Before you create a draft collection
+
+- Add custodians and non-custodial data sources to the case before you create a draft collection. This is required so that you can select the data sources when you create a draft collection. For more information, see:
+
+ - [Add custodians to a case](add-custodians-to-case.md)
+
+ - [Add non-custodial data sources to a case](non-custodial-data-sources.md)
+
+- You can search additional data sources (ones that haven't been added to the case as custodial or non-custodial locations) in a draft collection for content that may be relevant to the case. These data sources might include mailboxes, SharePoint sites, and Teams. If this situation is applicable to your case, compile a list of these data sources so you can add them to the collection.
+
+## Create a draft collection
+
+1. In the Microsoft 365 compliance center, open the Advanced eDiscovery case, and then select the **Collections** tab.
+
+2. On the **Collections** page, select **New collection** > **Standard collection**.
+
+3. Type a name (required) and description (optional) for the collection. After the collection is created, you can't change the name, but you can modify the description.
+
+4. On the **Custodial data sources** page, do one of the following things to identify the custodial data sources to collect content from:
+
+ - Click **Select custodians** to search specific custodians that were added to the case. If you use this option, a list of the case custodians is displayed. Select one or more custodians. After you select and add the custodians, you can also select the specific data sources to search for each custodian. These data sources that are displayed were specified when the custodian was added to the case.
+
+ - Click the **Select all** toggle to search all custodians that were added to the case. When you select this option, all data sources for all custodians are searched.
+
+5. On the **Non-custodial data sources** page, do one of the following things to identify the non-custodial data sources to collect content from:
+
+ - Click **Select non-custodial data sources** to select specific non-custodial data sources that were added to the case. If you use this option, a list of data sources displayed. Select one or more of these data sources.
+
+ - Click the **Select all** toggle to select all non-custodial data sources that were added to the case.
+
+6. On the **Additional data sources** page, you can select other mailboxes and sites to search as part of the collection. These types of data sources weren't added as custodial or non-custodial data locations in the case. You also have two options when searching additional data sources:
+
+ - To search all content locations for a specific service (Exchange mailboxes, SharePoint and OneDrive sites, or Exchange public folders), click the corresponding **Select all** toggle in the **Status** column. This option will search all content locations in the selected service.
+
+ - To search specific content location for a service, click the corresponding **Select all** toggle in the **Status** column, and then click **Users, groups or teams** (for Exchange mailboxes) or **Choose sites** for (SharePoint and OneDrive sites) to search specific content locations.
+
+7. On the **Conditions** page, you can create the search query that is used to collect items from the data sources that you've identified in the previous wizard pages. You can search for keywords, property:value pairs, or use a keyword list. You can also add various search conditions to narrow the scope of the collection. For more information, see [Build search queries for collections](building-search-queries.md).
+
+8. On the **Save as draft or add to review set** page, select **Save collection as draft**.
+
+ > [!NOTE]
+ > The other option on this page lets you collect items and add them direct to a review set. Instead of creating a draft collection that you can review statistics for and preview a sample of the collection results, this option skips that process and automatically adds the collection to a review set. If you select the second option to add the collection to a review set, you have additional settings to configure, such as collecting entire chat conversation threads in Microsoft Teams and Yammer and collecting cloud attachments (also called *modern attachments*). For more information about these settings, see [Commit a draft collection to a review set](commit-draft-collection.md).
+
+9. On the **Review your collection** page, you can review and update the collection settings that you configured on the previous pages.
+
+ - **Summary** tab: Review and modify the name and description of the collection, the collection search criteria, additional data locations, and the collection type.
+
+ - **Sources** tab: Review and modify the custodial and non-custodial data sources for the collection.
+
+10. Click **Submit** to create the draft collection. A page is displayed confirming that the collection was created.
+
+## What happens after you create a draft collection
+
+After you create a draft collection, it listed on the **Collections** page in the case and the status shows that it's in progress. A job named **Preparing search preview and estimates** is also created and displayed on the **Jobs** page in the case.
+
+During the draft collection process, Advanced eDiscovery performs a search estimate using the search criteria and data sources that you specified in the collection. Advanced eDiscovery also prepares a sampling of items that you can preview. When the collection is complete, the following columns and corresponding values on the **Collection** page are updated:
+
+![Status states for a draft collection](../media/DraftCollectionStatus.png)
+
+- **Status**: Indicates the status and type of collection. A value of **Estimated** indicates that a draft collection is complete. This same value also indicates that the collection is a draft collection, and that it hasn't been added to a review set. A value of **Committed** in the **Status** column indicates that the collection has been added to a review set.
+
+- **Estimate status**: Indicates the status of the estimated search results and whether or not the search estimates and statistics are ready for review. A value of **Successful** indicates the results of the draft collection are ready for review. After you first submit a draft collection, a value of **In progress** is displayed to indicate the collection is still running
+
+- **Preview status**: Indicates the status of the sample items that you can preview. A value of **Successful** indicates the items are ready for preview. After you first submit a draft collection, a value of **In progress** is displayed to indicate that the collection is still running.
+
+## Next steps after a draft collection is complete
+
+After the draft collection is successfully completed, you can perform various tasks. To perform most of these tasks, just go the **Collections** tab and click the name of the draft collection to display the flyout page.
+
+![Flyout page for a draft collection](../media/DraftCollectionFlyoutPage.png)
+
+Here's a list of things you can do from the collection flyout page:
+
+- Select the **Summary** tab to view summary information about the collection and the estimated search results returned by the collection. This includes that total number of items and size of the estimated search results, the number of mailboxes and sites contained search results, and the search conditions (if used) used to scope the collection.
+
+- Select the **Data sources** tab to view a list of custodians and non-custodial data sources) that were searched in the collection. Any additional content locations that were search are listed under **Locations** on the **Summary** tab.
+
+- Select the **Search statistics** tab to view statistics about the collection. This includes the total number and size of items found in each service (for example, Exchange mailboxes or SharePoint sites) and a condition report that displays statistics about the number of items returned by different components of the search query used by the collection. For more information, see [Collection statistics and reports](collection-statistics-reports.md).
+
+- Click **Review sample** (located at the bottom of the flyout page) to preview a sample of the items returned by the collection.
+
+- Commit the draft collection to a review set (by clicking **Actions** > **Edit collection**). This means that you rerun the collection (using the current settings) and add the items returned by the collection to a review set. As previously explained, you can also configure additional settings (such as conversation threading and cloud-based attachments) when you add the collection to a review set. For more information and step-by-step instructions, see [Commit a draft collection to a review set](commit-draft-collection.md).
+
+## Manage a draft collection
+
+You can use the options in the **Actions** menu on the flyout page of a draft collection to perform various management tasks.
+
+![Options on Actions menu for draft collection](../media/DraftCollectionActionsMenu.png)
+
+Here's are descriptions of the management options.
+
+- **Edit collection**: Change the settings of the draft collection. After you make changes, you can rerun the collection and update the search estimates and statistics. As previously explained, you use this option to commit a draft collection to a review set.
+
+- **Delete collection**: Delete a draft collection. Note that after a draft collection is committed to a review set, it can't be deleted.
+
+- **Refresh estimates**: Rerun the query (against the data sources) specified in the draft collection to update the search estimates and statistics.
+
+- **Export as report**: Exports information about the draft collection to a CSV file that you can download to your local computer. The export report contains the following information:
+
+ - The identity of each content location that contains items that match the search query in the draft collection. These locations are typically mailboxes or sites.
+
+ - The total number of items in each content location.
+
+ - The total size (in bytes) of the items in each content location.
+
+ - The service (such as Exchange or SharePoint) in which the content location is located.
+
+- **Copy collection**: Create a new draft collection by copying the settings from an existing collection. You have to use a different name for the new collection. You also have the option to modify the settings before you submit the new collection. After you submit it, the search query is run and new estimates and statistics are generated. The is a good way to quickly create additional draft collection and then modify selected settings as necessary while still preserving information in the original collection. This also lets you easily compare the results of two similar collections.
+
+> [!NOTE]
+> After a draft collection is committed to a review set, you can only copy the collection and export a report.
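Review bot: Several sentences in the added text need a copy-edit before merge. Under "What happens after you create a draft collection", "it listed on the **Collections** page" is missing "is", the **Estimate status** bullet ends without a period, and the next paragraph refers to the **Collection** page where the one before it says **Collections**. Under "Next steps after a draft collection is complete", fix "just go the **Collections** tab", "This includes that total number of items", "the number of mailboxes and sites contained search results", the stray parenthesis in "custodians and non-custodial data sources) that were searched", and "content locations that were search". Under "Manage a draft collection", fix "Here's are descriptions" and "The is a good way to quickly create additional draft collection".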
compliance Customer Key Tenant Level https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-tenant-level.md
For example, Microsoft Teams files and some Teams call and meeting recordings th
## Set up Customer Key at the tenant level (public preview)
-These steps are similar but not identical to the steps for setting up Customer Key at the application level. You should only use this public preview with test data in test tenants. Do not use this release with production data or in your production environment. If you already have a production deployment of Customer Key, use these steps to set up Customer Key at the tenant level in a test environment.
+These steps are similar but not identical to the steps for setting up Customer Key at the application level. You should only use this public preview with test data in test tenants. Do not use this release with production data or in your production environment. If you already have a production deployment of Customer Key, use these steps to set up Customer Key at the tenant level in a test environment. Once you have assigned a tenant level DEP to your tenant, you can start the validation process and reach out to m365ck@microsoft.com with any questions or concerns. You can also find documented validation steps in the public preview of [Validation Instructions for Data-at-rest Encryption for Microsoft 365](https://aka.ms/CustomerKey/PublicPreviewValidation).
You'll complete most of these tasks by remotely connecting to Azure PowerShell. For best results, use version 4.4.0 or later of Azure PowerShell.
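Review bot: The sentence added at the end of this paragraph uses "DEP" without expanding it and writes "tenant level DEP" unhyphenated, while the rest of the paragraph spells the concept out as "Customer Key at the tenant level". Suggest "a tenant-level data encryption policy (DEP)" on first use. The address m365ck@microsoft.com is bare text here, whereas the offboarding paragraph later in the same file links it as [m365ck@microsoft.com](mailto:m365ck@microsoft.com); pick one form. Because the preceding sentences restrict this preview to test data in test tenants, it would also help to say that the validation process is meant to run in that test tenant.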
Parameters:
### Assign policy ```powershell
-Set-M365DataAtRestEncryptionPolicyAssignment -DataEncryptionPolicy ΓÇ£<Default_PolicyName or Default_PolicyID>ΓÇ¥
+Set-M365DataAtRestEncryptionPolicyAssignment -DataEncryptionPolicy "<Default_PolicyName or Default_PolicyID>"
``` Description:
This cmdlet is used for configuring default Data Encryption Policy. This policy
Example: ```powershell
-Set-M365DataAtRestEncryptionPolicyAssignment -DataEncryptionPolicy ΓÇ£Default_PolicyNameΓÇ¥
+Set-M365DataAtRestEncryptionPolicyAssignment -DataEncryptionPolicy "Default_PolicyName"
``` Parameters:
Set-M365DataAtRestEncryptionPolicy -Identity "NAM Policy" -Enabled $false
Refresh a data encryption policy. ```powershell
-Set-M365DataAtRestEncryptionPolicy -Identity ΓÇ£EUR PolicyΓÇ¥ -Refresh
+Set-M365DataAtRestEncryptionPolicy -Identity "EUR Policy" -Refresh
``` Parameters:
This cmdlet lists the policy thatΓÇÖs currently assigned to the tenant.
If you need to revert back to Microsoft-managed keys, you can. When you offboard, your data is re-encrypted using default encryption supported by each individual workload. For example, Exchange Online supports default encryption using Microsoft-managed keys.
-If you decided to offboard your tenant from Customer Key at the tenant level, reach out to Microsoft with a request through email to ΓÇ£disableΓÇ¥ the service for the tenant at [m365ck@microsoft.com](mailto:m365ck@microsoft.com).
+If you decided to offboard your tenant from Customer Key at the tenant level, reach out to Microsoft with a request through email to "disable" the service for the tenant at [m365ck@microsoft.com](mailto:m365ck@microsoft.com).
> [!IMPORTANT] > Offboarding is not the same as a data purge. A data purge permanently crypto-deletes your organization's data from Microsoft 365, offboarding does not. You can't perform a data purge for a tenant-level policy. For information about data purge path, see [Revoke your keys and start the data purge path process](customer-key-manage.md#revoke-your-keys-and-start-the-data-purge-path-process).
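Review bot: The quote fix in the offboarding sentence leaves its wording awkward: "If you decided to offboard ... reach out to Microsoft with a request through email to "disable" the service for the tenant at ..." uses past tense for a decision not yet made and places the address after "the tenant". Suggest "If you decide to offboard your tenant from Customer Key at the tenant level, email [m365ck@microsoft.com](mailto:m365ck@microsoft.com) and ask to disable the service for the tenant." The unchanged line beginning "This cmdlet lists the policy" still has a typographic apostrophe in "that's", which is the same character class this commit replaces with ASCII elsewhere.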
compliance Dlp Chrome Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-get-started.md
Deploying Microsoft Compliance Extension is a multi-phase process. You can choos
### Prepare infrastructure
-If you are rolling out the Microsoft Compliance Extension to all your monitored Windows 10 devices, you should remove Google Chrome from the unallowed app and unallowed browser lists. For more information, see [Unallowed browsers](endpoint-dlp-using.md#unallowed-browsers). If you are only rolling it out to a few devices you can leave Chrome on the unallowed browser or unallowed app lists. The Microsoft Compliance Extension will bypass the restrictions of both lists for those computers where it is installed.
+If you are rolling out the Microsoft Compliance Extension to all your monitored Windows 10 devices, you should remove Google Chrome from the unallowed app and unallowed browser lists. For more information, see [Unallowed browsers](endpoint-dlp-using.md#unallowed-browsers). If you are only rolling it out to a few devices, you can leave Chrome on the unallowed browser or unallowed app lists. The Microsoft Compliance Extension will bypass the restrictions of both lists for those computers where it is installed.
### Prepare your devices
If you are rolling out the Microsoft Compliance Extension to all your monitored
This is the recommended method.
-1. Sign on to the Windows 10 computer that you want to install the Microsoft Compliance Extension on and run the this PowerShell script as an administrator.
+1. Sign in to the Windows 10 computer on which you want to install the Microsoft Compliance Extension on, and run this PowerShell script as an administrator.
-```powershell
-Get-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force
-```
+ ```powershell
+ Get-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force
+ ```
2. Navigate to [Microsoft Compliance Extension - Chrome Web Store (google.com)](https://chrome.google.com/webstore/detail/microsoft-compliance-exte/echcggldkblhodogklpincgchnpgcdco).+ 3. Install the extension using the instructions on the Chrome Web Store page. ### Deploy using Microsoft Endpoint Manager
-Use this setup method for organization Wide deployments
+Use this setup method for organization-wide deployments.
+ ##### Enabling Required Registry Key via Microsoft Endpoint Manager 1. Create a PowerShell script with the following contents:
-```powershell
-Get-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force
-```
+
+ ```powershell
+ Get-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force
+ ```
+ 2. Sign in to the [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com).+ 3. Navigate to **Devices** > **Scripts** and select **Add**.+ 4. Browse to the location of the script created when prompted.+ 5. Select the following settings: 1. Run this script using the logged-on credentials: YES 1. Enforce script signature check: NO 1. Run script in 64-bit PowerShell Host: YES+ 6. Select the proper device groups and apply the policy. #### Microsoft Endpoint Manager Force Install Steps
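Review bot: In the Endpoint Manager steps, "Run this script using the logged-on credentials: YES" conflicts with the manual method above, which says to run the same script "as an administrator". The script writes a value under HKLM, which needs elevated rights, so it will fail on devices where the signed-in user is a standard user; confirm the intended setting and change it to NO if the script should run in the device context. "Enforce script signature check: NO" deserves a sentence of justification or a pointer to signing the script, since it is pushed organization-wide. In step 1 of the manual method, "the Windows 10 computer on which you want to install the Microsoft Compliance Extension on" has a doubled "on"; drop the trailing one. Step 4, "Browse to the location of the script created when prompted", reads as if the script is created when prompted; "When prompted, browse to the script you created" is clearer.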
Before adding the Microsoft Compliance Extension to the list of force-installed
After ingesting the ADMX, the steps below can be followed to create a configuration profile for this extension.
-1. Sign in to the Microsoft Endpoint Manager Admin Center (https://endpoint.microsoft.com)
+1. Sign in to the Microsoft Endpoint Manager Admin Center (https://endpoint.microsoft.com).
+ 2. Navigate to Configuration Profiles.+ 3. Select **Create Profile**.+ 4. Select **Windows 10** as the platform.+ 5. Select **Custom** as profile type.+ 6. Select the **Settings** tab.+ 7. Select **Add**.+ 8. Enter the following policy information.
-OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
-Data type: String
-Value: <enabled/><data id=”ExtensionInstallForcelistDesc” value=”1&#xF000; echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx″/>
+
+ OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist`<br/>
+ Data type: `String`<br/>
+ Value: `<enabled/><data id="ExtensionInstallForcelistDesc" value="1&#xF000; echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx"/>`
9. Click create.
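Review bot: The new Value line keeps a space between `1&#xF000;` and the extension ID (`value="1&#xF000; echcggldkblhodogklpincgchnpgcdco;...`), so the ID as written starts with a space. The Group Policy entry later in this file has no leading space (`echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx`); confirm whether the space is intended and remove it if not, since admins will copy this string verbatim. Step 2, "Navigate to Configuration Profiles", is the only UI label in the reformatted list left unbolded, and the unchanged "9. Click create." should match the style of the steps above it ("Select **Create**").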
Value: <enabled/><data id=ΓÇ¥ExtensionInstallForcelistDescΓÇ¥ value=ΓÇ¥1&#xF000;
If you don't want to use Microsoft Endpoint Manager, you can use group policies to deploy the Microsoft Compliance Extension across your organization 1. Your devices must be manageable via Group Policy, and you need to import all Chrome ADMXs into the Group Policy Central Store. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://docs.microsoft.com/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
-2. Create a PowerShell script using this:
-```powershell
-et-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force
-```
+2. Create a PowerShell script using this PowerShell command:
+
+ ```powershell
+ Get-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force
+ ```
3. Open the **Group Policy Management Console** and navigate to your organizational unit (OU).+ 4. Right-click and select **Create a GPO in this domain and Link it here**. When prompted, assign a descriptive name to this group policy object (GPO) and finish creating it.+ 5. Right-click the GPO and select **Edit**.+ 6. Go to **Computer Configuration** > **Preferences** > **Control Panel Settings** > **Scheduled Tasks**.+ 7. Create a new immediate task by selecting right-clicking and selecting **New** > **Immediate Task (At least Windows 7)**.+ 8. Give the task a name & description.+ 9. Choose the corresponding account to run the immediate task, for example NT Authority+ 10. Select **Run with highest privileges**.+ 11. Configure the policy for Windows 10.+ 12. In the **Actions** tab, select the action **Start a program**.+ 13. Enter the path to the Program/Script created in Step 1.+ 14. Select **Apply**. #### Adding the Chrome Extension to the ForceInstall List 1. In the Group Policy Management Editor, navigate to your OU.+ 2. Expand the following path **Computer/User configuration** > **Policies** > **Administrative templates** > **Classic administrative templates** > **Google** > **Google Chrome** > **Extensions**. This path may vary depending on your configuration.+ 3. Select **Configure the list of force-installed extensions**.+ 4. Right click and select **Edit**.+ 5. Select **Enabled**.+ 6. Select **Show**.+ 7. Under **Value**, add the following entry: `echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx`+ 8. Select **OK** and then **Apply**. ### Test the Extension
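Review bot: Step 13 of the Group Policy procedure says "Enter the path to the Program/Script created in Step 1", but the script is created in step 2 ("Create a PowerShell script using this PowerShell command"); step 1 is the Central Store prerequisite. Step 7 has a leftover word in "by selecting right-clicking and selecting **New**", and step 9 stops at "for example NT Authority" without naming a complete account or ending the sentence; give the full account name intended, because the next step grants it highest privileges.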
compliance Information Barriers Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-barriers-policies.md
When you define policies for information barriers, you'll work with user account
## The work flow at a glance
-|**Phase**|**What's involved**|
+| Phase | What's involved |
|:--|:| | [Make sure prerequisites are met](#prerequisites) | - Verify that you have the [required licenses and permissions](information-barriers.md#required-licenses-and-permissions)<br/>- Verify that your directory includes data for segmenting users<br/>- Enable scoped directory search for Microsoft Teams<br/>- Make sure audit logging is turned on<br/>- Make sure no Exchange address book policies are in place<br/>- Use PowerShell (examples are provided)<br/>- Provide admin consent for Microsoft Teams (steps are included) | | [Part 1: Segment users in your organization](#part-1-segment-users) | - Determine what policies are needed<br/>- Make a list of segments to define<br/>- Identify which attributes to use<br/>- Define segments in terms of policy filters |
In addition to the [required licenses and permissions](information-barriers.md#r
- Admin consent for information barriers in Microsoft Teams - When your IB policies are in place, they can remove non-IB compliance users from Groups (i.e. Teams channels, which are based on groups). This configuration helps ensure your organization remains compliant with policies and regulations. Use the following procedure to enable information barrier policies to work as expected in Microsoft Teams.
- 1. Pre-requisite: Install Azure PowerShell from [here](https://docs.microsoft.com/en-us/powershell/azure/install-az-ps)
- 2. Run the following PowerShell cmdlets:
+ 1. Pre-requisite: Install Azure PowerShell from [Install Azure PowerShell](https://docs.microsoft.com/powershell/azure/install-az-ps).
+
+ 1. Run the following PowerShell cmdlets:
```powershell Connect-AzAccount -Tenant "<yourtenantdomain.com>" //for example: Connect-AzAccount -Tenant "Contoso.onmicrosoft.com"
In addition to the [required licenses and permissions](information-barriers.md#r
Start-Process "https://login.microsoftonline.com/common/adminconsent?client_id=$appId" ```
- 2. When prompted, sign in using your work or school account for Office 365.
+ 1. When prompted, sign in using your work or school account for Office 365.
- 3. In the **Permissions requested** dialog box, review the information, and then choose **Accept**. The permissions reqested by the App is given below <add a screenshot>
- ![image](https://user-images.githubusercontent.com/8932063/107690955-b1772300-6c5f-11eb-9527-4235de860b27.png)
+ 1. In the **Permissions requested** dialog box, review the information, and then choose **Accept**. The permissions requested by the App is given below.
+
+ > [!div class="mx-imgBorder"]
+ > ![image](https://user-images.githubusercontent.com/8932063/107690955-b1772300-6c5f-11eb-9527-4235de860b27.png)
When all the prerequisites are met, proceed to the next section.
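Review bot: In the rewritten consent step, "The permissions requested by the App is given below" has a subject-verb mismatch; suggest "The permissions requested by the app are shown below." The screenshot keeps the alt text "image" and is still loaded from user-images.githubusercontent.com. Since it shows what an admin is being asked to accept, give it descriptive alt text, host it with the docs set's other media, and consider listing the requested permissions in text so the step can be reviewed without the image.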
Defining segments does not affect users; it just sets the stage for information
1. Use the **New-OrganizationSegment** cmdlet with the **UserGroupFilter** parameter that corresponds to the [attribute](information-barriers-attributes.md) you want to use.
- |**Syntax**|**Example**|
+ | Syntax | Example |
|:|:-| | `New-OrganizationSegment -Name "segmentname" -UserGroupFilter "attribute -eq 'attributevalue'"` |`New-OrganizationSegment -Name "HR" -UserGroupFilter "Department -eq 'HR'"` <p>In this example, a segment called *HR* is defined using *HR*, a value in the *Department* attribute. The **-eq** portion of the cmdlet refers to "equals." (Alternately, you can use **-ne** to mean "not equals". See [Using "equals" and "not equals" in segment definitions](#using-equals-and-not-equals-in-segment-definitions).) |
After you have defined your segments, proceed to [define information barrier pol
In the following example, we are defining a segment such that "Department equals HR."
-|**Example**|**Note**|
+| Example | Note |
|:-|:-| |`New-OrganizationSegment -Name "HR" -UserGroupFilter "Department -eq 'HR'"` | Notice that in this example, the segment definition includes an "equals" parameter denoted as **-eq**. | You can also define segments using a "not equals" parameter, denoted as **-ne**, as shown in the following table:
-|**Syntax**|**Example**|
+| Syntax | Example |
|:|:-| | `New-OrganizationSegment -Name "NotSales" -UserGroupFilter "Department -ne 'Sales'"` | In this example, we defined a segment called *NotSales* that includes everyone who is not in *Sales*. The **-ne** portion of the cmdlet refers to "not equals". | In addition to defining segments using "equals" or "not equals", you can define a segment using both "equals" and "not equals" parameters. You can also define complex group filters using logical *AND* and *OR* operators.
-|**Syntax**|**Example**|
+| Syntax | Example |
|:|:-| | `New-OrganizationSegment -Name "LocalFTE" -UserGroupFilter "Location -eq 'Local'" -and "Position -ne 'Temporary'"` | In this example, we defined a segment called *LocalFTE* that includes people who are located locally and whose positions are not listed as *Temporary*. | | `New-OrganizationSegment -Name "Segment1" -UserGroupFilter "MemberOf -eq 'group1@contoso.com'' -and MemberOf -ne 'group3@contoso.com'"`| In this example, we defined a segment called *Segment1* that includes people who are members of group1@contoso.com and not members of group3@contoso.com. |
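Review bot: The header cleanup leaves the example rows under it unchanged, and two of them have quoting errors that readers will copy as-is. In the LocalFTE row the filter string closes before the operator (`-UserGroupFilter "Location -eq 'Local'" -and "Position -ne 'Temporary'"`), so `-and` falls outside the quoted filter; the Segment1 row shows the intended form, with the whole expression in one string. The Segment1 row itself has a doubled apostrophe after `'group1@contoso.com''`. In the "not equals" table, the new header reads "Syntax | Example" but the second cell holds an explanation rather than an example; "Example | Note", as used in the table just above it, fits better.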
For example, suppose you want to block communications between Segment A and Segm
1. To define your first blocking policy, use the **New-InformationBarrierPolicy** cmdlet with the **SegmentsBlocked** parameter.
- |**Syntax**|**Example**|
- |**--|:-|
+ | Syntax | Example |
+ |:--|:-|
| `New-InformationBarrierPolicy -Name "policyname" -AssignedSegment "segment1name" -SegmentsBlocked "segment2name"` | `New-InformationBarrierPolicy -Name "Sales-Research" -AssignedSegment "Sales" -SegmentsBlocked "Research" -State Inactive` <p> In this example, we defined a policy called *Sales-Research* for a segment called *Sales*. When active and applied, this policy prevents people in *Sales* from communicating with people in a segment called *Research*. | 2. To define your second blocking segment, use the **New-InformationBarrierPolicy** cmdlet with the **SegmentsBlocked** parameter again, this time with the segments reversed.
- |**Example**|**Note**|
+ | Example | Note |
|:-|:-| |`New-InformationBarrierPolicy -Name "Research-Sales" -AssignedSegment "Research" -SegmentsBlocked "Sales" -State Inactive` | In this example, we defined a policy called *Research-Sales* to prevent *Research* from communicating with *Sales*. |
For example, suppose you want to block communications between Segment A and Segm
1. To allow one segment to communicate with only one other segment, use the **New-InformationBarrierPolicy** cmdlet with the **SegmentsAllowed** parameter.
- |**Syntax**|**Example**|
+ | Syntax | Example |
|:-|:-| | `New-InformationBarrierPolicy -Name "policyname" -AssignedSegment "segment1name" -SegmentsAllowed "segment2name","segment1name"` | `New-InformationBarrierPolicy -Name "Manufacturing-HR" -AssignedSegment "Manufacturing" -SegmentsAllowed "HR","Manufacturing" -State Inactive` <p> In this example, we defined a policy called *Manufacturing-HR* for a segment called *Manufacturing*. When active and applied, this policy allows people in *Manufacturing* to communicate only with people in a segment called *HR*. (In this case, *Manufacturing* cannot communicate with users who are not part of *HR*.) | **If needed, you can specify multiple segments with this cmdlet, as shown in the following example.**
- |**Syntax**|**Example**|
+ | Syntax | Example |
|:|:-| | `New-InformationBarrierPolicy -Name "policyname" -AssignedSegment "segment1name" -SegmentsAllowed "segment2name", "segment3name","segment1name"` | `New-InformationBarrierPolicy -Name "Research-HRManufacturing" -AssignedSegment "Research" -SegmentsAllowed "HR","Manufacturing","Research" -State Inactive` <p> In this example, we defined a policy that allows the *Research* segment to communicate with only *HR* and *Manufacturing*. |
Information barrier policies are not in effect until you set them to active stat
2. To set a policy to active status, use the **Set-InformationBarrierPolicy** cmdlet with an **Identity** parameter, and the **State** parameter set to **Active**.
- |**Syntax**|**Example**|
+ | Syntax | Example |
|:|:-| | `Set-InformationBarrierPolicy -Identity GUID -State Active` | `Set-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c93772471 -State Active` <p> In this example, we set an information barrier policy that has the GUID *43c37853-ea10-4b90-a23d-ab8c93772471* to active status. |
Information barrier policies are not in effect until you set them to active stat
With PowerShell, you can view status of user accounts, segments, policies, and policy application, as listed in the following table.
-|**To view this information**|**Take this action**|
+| To view this information | Take this action |
|:|:-| | User accounts | Use the **Get-InformationBarrierRecipientStatus** cmdlet with Identity parameters. <p> Syntax: `Get-InformationBarrierRecipientStatus -Identity <value> -Identity2 <value>` <p> You can use any value that uniquely identifies each user, such as name, alias, distinguished name, canonical domain name, email address, or GUID. <p> Example: `Get-InformationBarrierRecipientStatus -Identity meganb -Identity2 alexw` <p> In this example, we refer to two user accounts in Office 365: *meganb* for *Megan*, and *alexw* for *Alex*. <p> (You can also use this cmdlet for a single user: `Get-InformationBarrierRecipientStatus -Identity <value>`) <p> This cmdlet returns information about users, such as attribute values and any information barrier policies that are applied.| | Segments | Use the **Get-OrganizationSegment** cmdlet.<p> Syntax: `Get-OrganizationSegment` <p> This cmdlet will display a list of all segments defined for your organization. |
To see how an organization might approach defining segments and policies, consid
Contoso has five departments: HR, Sales, Marketing, Research, and Manufacturing. In order to remain compliant with industry regulations, people in some departments are not supposed to communicate with other departments, as listed in the following table:
-|**Segment**|**Can talk to**|**Cannot talk to**|
+| Segment | Can talk to | Cannot talk to |
|:-|:--|:--| | HR | Everyone | (no restrictions) | | Sales | HR, Marketing, Manufacturing | Research |
Contoso has five departments: HR, Sales, Marketing, Research, and Manufacturing.
For this structure, Contoso's plan includes three information barrier policies: 1. A policy designed to prevent Sales from communicating with Research (and another policy to prevent Research from communicating with Sales).+ 2. A policy designed to allow Manufacturing to communicate with HR and Marketing only. For this scenario, it's not necessary to define policies for HR or Marketing.
For this scenario, it's not necessary to define policies for HR or Marketing.
Contoso will use the Department attribute in Azure Active Directory to define segments, as follows:
-|**Department**|**Segment Definition**|
+| Department | Segment Definition |
|:-|:| | HR | `New-OrganizationSegment -Name "HR" -UserGroupFilter "Department -eq 'HR'"` | | Sales | `New-OrganizationSegment -Name "Sales" -UserGroupFilter "Department -eq 'Sales'"` |
With the segments defined, Contoso proceeds to define policies.
Contoso defines three policies, as described in the following table:
-|**Policy**|**Policy Definition**|
+| Policy | Policy Definition |
|:|:--| | **Policy 1: Prevent Sales from communicating with Research** | `New-InformationBarrierPolicy -Name "Sales-Research" -AssignedSegment "Sales" -SegmentsBlocked "Research" -State Inactive` <p> In this example, the information barrier policy is called *Sales-Research*. When this policy is active and applied, it will help prevent users who are in the Sales segment from communicating with users in the Research segment. This policy is a one-way policy; it won't prevent Research from communicating with Sales. For that, Policy 2 is needed. | | **Policy 2: Prevent Research from communicating with Sales** | `New-InformationBarrierPolicy -Name "Research-Sales" -AssignedSegment "Research" -SegmentsBlocked "Sales" -State Inactive` <p> In this example, the information barrier policy is called *Research-Sales*. When this policy is active and applied, it will help prevent users who are in the Research segment from communicating with users in the Sales segment. |
compliance Managing Holds https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/managing-holds.md
Last updated audience: Admin-+ localization_priority: Normal
compliance Overview Ediscovery 20 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/overview-ediscovery-20.md
When you add a custodian and the corresponding custodial data sources to a case,
### Collecting case data
-Use the **Searches** tab to create searches to search the in-place custodial and non-custodial data sources for content relevant to the case. You can create and run query-based searches (using keywords and conditions) to identify a set of email messages and documents that are relevant to the case and that you want to further review and analyze in subsequent steps in the eDiscovery workflow. You can create one or more searches associated with the case. You can also use the search tool to preview sample documents and view search statistics to help you refine and improve the search results. After you're satisfied the search results contain the all data relevant to the case, you add the search results to a review set for further review, analysis, and culling. For more information, see [Collect data for a case](collecting-data-for-ediscovery.md).
+Use the **Collections** tab to create eDiscovery searches to search the in-place custodial and non-custodial data sources for content relevant to the case. You can create and run query-based collections (using keywords and conditions) to identify a set of email messages and documents that are relevant to the case and that you want to further review and analyze in subsequent steps in the eDiscovery workflow. You can create one or more collections associated with the case. You can also use the collection tool to preview sample documents and view search statistics to help you refine and improve the search results. After you're satisfied the collection results contain the data relevant to the case, you can commit the collection to a review set for further review, analysis, and culling. For more information, see [Collect data for a case](collecting-data-for-ediscovery.md).
### Reviewing and analyzing case data
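Review bot: The rename from searches to collections is only partly applied in the new paragraph: "Use the **Collections** tab to create eDiscovery searches to search the in-place ... data sources" still says searches, and "refine and improve the search results" sits directly before "the collection results" in the next sentence. Suggest "Use the **Collections** tab to create collections that search the in-place custodial and non-custodial data sources", and decide whether "search statistics" and "search results" are kept deliberately as UI terms.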
compliance Retention Policies Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-teams.md
For other workloads, see:
The following Teams items can be retained and deleted by using retention policies for Teams: Chat messages and channel messages, including embedded images, tables, hypertext links and links to other Teams messages and files, and [card content](https://docs.microsoft.com/microsoftteams/platform/task-modules-and-cards/what-are-cards). Chat messages include all the names of the people in the chat, and channel messages include the team name and the message title (if supplied). > [!NOTE]
-> Including card content is a recent addition and currently rolling out to tenants. For more information, see [Microsoft 365 compliance capabilities for Adaptive Card content through apps in Teams now available](https://techcommunity.microsoft.com/t5/microsoft-teams-blog/microsoft-365-compliance-capabilities-for-adaptive-card-content/ba-p/2095869).
+> Including card content is a recent addition and now fully rolled out to tenants. For more information, see [Microsoft 365 compliance capabilities for Adaptive Card content through apps in Teams now available](https://techcommunity.microsoft.com/t5/microsoft-teams-blog/microsoft-365-compliance-capabilities-for-adaptive-card-content/ba-p/2095869).
Teams messages in private channels are currently not supported for retention policies. Code snippets, recorded voice memos from the Teams mobile client, thumbnails, announcement images, and reactions from others in the form of emoticons are not included when you use retention policies for Teams.
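Review bot: In the NOTE, "a recent addition and now fully rolled out to tenants" keeps rollout wording for a feature that is no longer rolling out. Card content is already listed as retained in the paragraph above, so consider dropping "recent addition" and keeping only the link, or removing the NOTE.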
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
Additional information for built-in labeling:
For guidance about when to use this setting, see the information about [policy settings](sensitivity-labels.md#what-label-policies-can-do).
+> [!NOTE]
+> If you use the default label policy setting for documents and emails in addition to mandatory labeling:
+>
+> The default label always takes priority over mandatory labeling. However, for documents, the Azure Information Protection unified labeling client applies the default label to all unlabeled documents whereas built-in labeling applies the default label to new documents and not to existing documents that are unlabeled. This difference in behavior means that when you use mandatory labeling with the default label setting, users will be prompted to apply a sensitivity label more often when they use built-in labeling than when they use the Azure Information Protection unified labeling client.
+ ## End-user documentation - [Apply sensitivity labels to your documents and email within Office](https://support.microsoft.com/en-us/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9)
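Review bot: The new NOTE ends its first line with a colon ("...in addition to mandatory labeling:") and then continues with a single paragraph, so the lead-in introduces nothing. Fold it into the paragraph, and split the long second sentence so the two behaviours are stated separately: what the Azure Information Protection unified labeling client does with existing unlabeled documents, and what built-in labeling does.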
compliance Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels.md
When you configure a label policy, you can:
- **Choose which users and groups see the labels.** Labels can be published to any specific user or email-enabled security group, distribution group, or Microsoft 365 group (which can have [dynamic membership](https://docs.microsoft.com/azure/active-directory/users-groups-roles/groups-create-rule)) in Azure AD. -- **Apply a default label** to all new documents and emails created by the users and groups included in the label policy, and the same or different default label to containers (if you've [enabled sensitivity labels for Microsoft Teams, Microsoft 365 groups, and SharePoint sites](sensitivity-labels-teams-groups-sites.md)). Users can always change the default label if it's not the right label for their document or email.
+- **Apply a default label** to all new documents and unlabeled emails created by the users and groups included in the label policy, and the same or different default label to containers (if you've [enabled sensitivity labels for Microsoft Teams, Microsoft 365 groups, and SharePoint sites](sensitivity-labels-teams-groups-sites.md)). With this setting, the Azure Information Protection unified labeling client also applies the default label to existing documents that are unlabeled. Users can always change the default label if it's not the right label for their document or email.
Consider using a default label to set a base level of protection settings that you want applied to all your content. However, without user training and other controls, this setting can also result in inaccurate labeling. It's usually not a good idea to select a label that applies encryption as a default label to documents. For example, many organizations need to send and share documents with external users who might not have apps that support the encryption or they might not use an account that can be authorized. For more information about this scenario, see [Sharing encrypted documents with external users](sensitivity-labels-office-apps.md#sharing-encrypted-documents-with-external-users).
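Review bot: The added sentence in the default-label bullet says the Azure Information Protection unified labeling client "also applies the default label to existing documents that are unlabeled", but it does not point to the new NOTE in sensitivity-labels-office-apps.md that explains how this interacts with mandatory labeling. Add a link from this bullet to that NOTE so the two descriptions of the same behaviour do not drift apart.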
compliance View Keyword Statistics For Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/view-keyword-statistics-for-content-search.md
search.appverid:
- MOE150 - MET150 ms.assetid: 9701a024-c52e-43f0-b545-9a53478aec04
-description: Learn how to use the Search Statistics feature to display and compare statistics for multiple Content Searches in Security & Compliance Center.
+description: "Learn how to use the Search Statistics feature to display and compare statistics for multiple Content Searches in Security & Compliance Center."
compliance What Is Stored In Exo Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/what-is-stored-in-exo-mailbox.md
search.appverid:
- MED150 - MET150 ms.assetid:-
-description: "Data produced by cloud-based apps in Microsoft 365 is stored or associated with a user's Exchange Online mailbox."
+description: "Content produced by cloud-based apps in Microsoft 365 is stored or associated with a user's Exchange Online mailbox. This content can be searched using Microsoft eDiscovery tools."
-# Content stored in Exchange Online mailboxes
+# Content stored in Exchange Online mailboxes for eDiscovery
-A mailbox in Exchange Online is primarily used to store email-related items such as messages, calendar items, tasks, and notes. But that's changing as more cloud-based apps also store their data in a user's mailbox. One advantage of storing data in a mailbox is that you can use the search tools in content search, Core eDiscovery, Advanced eDiscovery to find, view, and export the data from these cloud-based apps. The data from some of these apps is stored in hidden folders located in a non-interpersonal message (non-IPM) subtree in the mailbox. Data from other cloud-based apps might not be stored _in_ the mailbox, but it's _associated with_ the mailbox, and is returned in searches (if that data matches the search query). Regardless of whether cloud-based data is stored in or associated with a user mailbox, the data is typically not visible in an email client when a user opens their mailbox.
+A mailbox in Exchange Online is primarily used to store email-related items such as messages, calendar items, tasks, and notes. But that's changing as more cloud-based apps also store their data in a user's mailbox. One advantage of storing data in a mailbox is that you can use the search tools in content search, Core eDiscovery, and Advanced eDiscovery to find, view, and export the data from these cloud-based apps. The data from some of these apps is stored in hidden folders located in a non-interpersonal message (non-IPM) subtree in the mailbox. Data from other cloud-based apps might not be stored _in_ the mailbox, but it's _associated with_ the mailbox, and is returned in searches (if that data matches the search query). Regardless of whether cloud-based data is stored in or associated with a user mailbox, the data is typically not visible in an email client when a user opens their mailbox.
The following table lists the apps that either stores or associates data with a cloud-based mailbox. The table also describes the type of content that each app produces. |Microsoft 365 app|Description| |:|:|
-|Forms|Forms and responses to a form are stored in files that are attached to email messages and stored in a hidden folder in the mailbox of the user who created the form. Forms created before April 2020 are stored as a PDF file. Forms created after 2020 are stored as a JSON file. Responses to a form are stored in a CSV file. When you export content from Forms in a PST file, this data is located in the **ApplicationDataRoot** folder in a subfolder named with the following globally unique identified (GUID): **c9a559d2-7aab-4f13-a6ed-e7e9c52aec87**.|
+|Forms|Forms and responses to a form are stored in files that are attached to email messages and stored in a hidden folder in the mailbox of the user who created the form. Forms created before April 2020 are stored as a PDF file. Forms created after 2020 are stored as a JSON file. Responses to a form are stored in a CSV file. When you export content from Forms in a PST file, this data is located in the **ApplicationDataRoot** folder in a subfolder named with the following globally unique identified (GUID): **c9a559d2-7aab-4f13-a6ed-e7e9c52aec87**. |
|Microsoft 365 Groups|Email messages, calendar items, contacts (People), notes, and tasks are stored in the mailbox that's associated with a Microsoft 365 group.| |Outlook/Exchange Online|Email messages, calendar items, contacts (People), notes, and tasks are stored in a user's mailbox.| |People|Contacts in the People app (which are the same contacts as the ones accessible in Outlook) are stored in a user's mailbox.| |Class Schedule|Plans created in Class Schedule are stored in the mailbox of the corresponding Microsoft 365 Group that is provisioned when a new plan is created. The alias for the group mailbox is the name of the plan.| |Skype for Business|Conversations in Skype for Business are stored in the Conversation History folder in a user's mailbox. If the mailbox of a participant of a Skype meeting is placed on Litigation Hold or assigned to a retention policy, files attached to a meeting are retained in the participants mailbox.|
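Review bot: The changed Forms row only adds a trailing space before the closing `|` and leaves the existing wording problems in place: "globally unique identified (GUID)" should read "globally unique identifier (GUID)", and "Forms created before April 2020" followed by "Forms created after 2020" leaves part of 2020 undefined. Make the two cut-off dates match and fix the typo while the row is being touched, and drop the whitespace-only change.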
-|Sway|Sways are stored as an HTML file that is attached to an email message and stored in a hidden folder in the mailbox of the user who created the sway. When you export content from Sway in a PST file, this data is located in the **ApplicationDataRoot** folder in a subfolder named with the following GUID) **905fcf26-4eb7-48a0-9ff0-8dcc7194b5ba**.|
+|Sway|Sways are stored as an HTML file that is attached to an email message and stored in a hidden folder in the mailbox of the user who created the sway. When you export content from Sway in a PST file, this data is located in the **ApplicationDataRoot** folder in a subfolder named with the following GUID: **905fcf26-4eb7-48a0-9ff0-8dcc7194b5ba**.|
|Tasks|Tasks in the Tasks app (which are the same tasks as the ones accessible in Outlook) are stored in a user's mailbox.|
-|Teams|Conversations that are part of a Teams channel are associated with the Teams mailbox. Conversations that are part of the Chat list in Teams (also called *1 x N chats*) are associated with the mailbox of the users who participate in the chat. Also, summary information for meetings and calls in a Teams channel are associated with mailboxes of users who dialed into the meeting or call. So when searching for Teams content, you would search the Teams mailbox for content in channel conversations and search user mailboxes for content in 1 x N chats.|
+|Teams|Conversations that are part of a Teams channel are associated with the Teams mailbox. Conversations that are part of the Chat list in Teams (also called *1 x N chats*) are associated with the mailbox of the users who participate in the chat. Also, summary information for meetings and calls in a Teams channel are associated with mailboxes of users who dialed into the meeting or call. So when searching for Teams content, you would search the Teams mailbox for content in channel conversations and search user mailboxes for content in 1 x N chats.|
|To-Do|Tasks (called *to-dos*, which are saved in to-do lists) in the To-Do app are stored in a user's mailbox.|
-|Yammer|Conversations and comments within a Yammer community are associated with the Microsoft 365 Group mailbox, as well as the user mailbox of the author and any named recipients (@mentioned or cc'ed users). Private messages sent outside of a Yammer community are stored in the mailbox of the users who participate in the private message.|
+|Yammer|Conversations and comments within a Yammer community are associated with the Microsoft 365 Group mailbox, as well as the user mailbox of the author and any named recipients (@ mentioned or Cc'ed users). Private messages sent outside of a Yammer community are stored in the mailbox of the users who participate in the private message.|
|||| > [!NOTE]
-> At this time, if a hold is placed on a mailbox (by using holds in eDiscovery and Advanced eDiscovery cases), content from Forms and Sway will not be preserved by the hold.
+> At this time, if a hold is placed on a mailbox (by using holds in Core eDiscovery and Advanced eDiscovery cases), content from Forms and Sway will not be preserved by the hold.
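Review bot: In the Yammer row, "@mentioned or cc'ed" became "@ mentioned or Cc'ed"; the inserted space breaks the usual spelling of @mentioned, so keep "@mentioned" and change only the capitalisation of "Cc'ed" if that was the intent. The Teams row is removed and re-added with no visible difference, which looks like a whitespace-only edit that could be left out of the change.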
enterprise Ms Cloud Germany Transition Add Adfs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-adfs.md
description: "Summary: Active Directory Federation Services (AD FS) migration st
# AD FS migration steps for the migration from Microsoft Cloud Deutschland
-This configuration change can be applied at any time before phase 4 is starting.
-Once phase 2 is completed the configuration change will work and you are able to sign in to Office 365 Global endpoints such as `https://portal.office.com`. If you are implementing the configuration change before phase 2, the Office 365 Global endpoints will _not yet work_ but the new relying party trust is still part of your Active Directory Federation Services (AD FS) configuration.
+This configuration change needs to be applied any time before phase 2 is starting.
+Once phase 2 is completed the configuration change will work and you are able to sign in via Office 365 Global endpoints such as `https://portal.office.com`. If you are implementing the configuration change before phase 2, the Office 365 Global endpoints will _not yet work_ but the new relying party trust is still part of your Active Directory Federation Services (AD FS) configuration.
-To migrate your AD FS farm from Microsoft Cloud Deutschland:
+Customers who use federated authentication with Active Directory Federation Services (AD FS) shouldn't make changes to issuer URIs that are used for all authentications with on-premises Active Directory Domain Services (AD DS) during migration. Changing issuer URIs will lead to authentication failures for users in the domain. Issuer URIs can be changed directly in AD FS or when a domain is converted from _managed_ to _federated_ and vice-versa. We recommend that you do not add, remove, or convert a federated domain in the Azure AD tenant that has been migrated. Issuer URIs can be changed after the migration is fully complete.
-1. Back up your AD FS settings including FF trust info with [these steps](#backup). Name the backup **Microsoft Cloud Deutschland_Only** to indicate it only has the Microsoft Cloud Deutschland tenant info.
-2. Test the restore using the Microsoft Cloud Deutschland_Only backup, The AD FS farm should continue to operate as Microsoft Cloud Deutschland only.
+To prepare your AD FS farm for the migration from Microsoft Cloud Deutschland perform the following steps:
+
+1. Back up your AD FS settings, including the existing Microsoft Cloud Deutschland Relying Party trust, with [these steps](#backup). Name the backup **MicrosoftCloudDeutschlandOnly** to indicate it only has the Microsoft Cloud Deutschland tenant info.
+
+ > [!NOTE]
+ > The backup will not only contain the existing Office 365 Relying Party Trust for Microsoft Cloud Deutschland, but also all other Relying Party Trusts present on the respective AD FS farm.
+
+2. Test the restore using the MicrosoftCloudDeutschlandOnly backup, The AD FS farm should continue to operate as Microsoft Cloud Deutschland only.
Once you have completed and tested the AD FS backup, perform the following steps to add a new relying party trust to your ADFS configuration:
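Review bot: The first added sentence now requires the change "any time before phase 2 is starting", but the following added sentence still opens with a conditional, "If you are implementing the configuration change before phase 2", as if applying it later were an option. Reword so the timing reads one way, for example "Apply this configuration change before phase 2 starts. The Office 365 Global endpoints will not work until phase 2 is completed." In step 2, "backup, The AD FS farm" should be split into two sentences.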
-1. Open the AD FS management console
-2. In the left pane of the ADFS management console, expand **ADFS**, then **Trust Relationships**, then **Relying Party Trusts**
+1. Open the AD FS management console.
+
+2. In the left pane of the ADFS management console navigate to the **Relying Party Trusts** menu.
+ 3. In the right pane, select **Add Relying Party Trust...**
-4. Select **Next** on the **Welcome** page of the Add Relying Party Trust wizard.
-5. On the **Select Data Source** page, select **Import data about the relying party published online or on a local network**. The **Federation metadata address (host name or URL)** value must be set to `https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml`. Then, click **Next**.
-6. On the **Select Data Source** page, type the display name such as **Microsoft Office 365 Identity Platform WorldWide**. Then, click **Next**.
-7. On the wizard page **Configure Multi-factor Authentication Now?**, select the appropriate choice according to your authentication requirements. If you stick with the default, select **I don't want to configure multi-factor authentication settings for this relying party trust at this time**. You can change this setting later if you want to.
-8. On the **Choose Issuance Authorization Rules**, keep **Permit all users to access this relying party** selected click **Next**
+
+4. Select **Start** on the **Welcome** page of the Add Relying Party Trust wizard.
+
+5. On the **Select Data Source** page, select **Import data about the relying party published online or on a local network**. The **Federation metadata address (host name or URL)** value must be set to `https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml`. Click **Next**.
+
+6. On the **Specify Display Name** page, type the display name such as **Microsoft Office 365 Identity Platform WorldWide**. Click **Next**.
+
+7. If you are using ADFS in Windows Server 2012, on the wizard page **Configure Multi-factor Authentication Now?**, select the appropriate choice according to your authentication requirements. If you stick with the default, select **I don't want to configure multi-factor authentication settings for this relying party trust at this time**. You can change this setting later if you want to.
+
+8. For AD FS 2012: On the **Choose Issuance Authorization Rules**, keep **Permit all users to access this relying party** selected and click **Next**.
+
+8. For AD FS 2016 and AD FS 2019: On the **Choose Access Control Policy** page, select the appropriate access control policy and click **Next**. If none is chosen, the Relying Party Trust will **NOT** work.
+ 9. Click **Next** on the **Ready to Add Trust** page to complete the wizard.+ 10. Click **Close** on the **Finish** page.
-By closing the wizard, the Relying Party Trust with the Office 365 Global services is established. However, no Issuance Transform rules are configured yet.
+By closing the wizard, the Relying Party Trust with the Office 365 Global service is established. However, no Issuance Transform rules are configured yet.
You can use [AD FS Help](https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator) to generate the correct Issuance Transform rules. The generated claim rules created with AD FS Help can either be manually added through the AD FS management console or with PowerShell. AD FS Help will generate the necessary PowerShell scripts that need to be executed.
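Review bot: The wizard steps now contain two items numbered 8 (one for AD FS 2012, one for AD FS 2016 and AD FS 2019), which Markdown renders as 8 and 9 and shifts the remaining step numbers. Make them sub-items of a single step 8. Step 7 says "ADFS in Windows Server 2012" while step 8 says "AD FS 2012"; use one form. The 2016/2019 item tells readers to "select the appropriate access control policy" and warns that the trust will not work if none is chosen, but does not name the policy that corresponds to the 2012 choice "Permit all users to access this relying party", so readers on the newer versions get less guidance than the text it replaces.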
-<!--
- Question from ckinder
- is step #3 true?
- how to verify step 5? Need more information!
>
-1. Run **Generate Claims** on AD FS help and copy the PowerShell claims transformation script using the **Copy** option on the right upper corner of the script.
-2. Open your preferred text editor and paste the PowerShell script into a new text window.
-3. Add the following PowerShell lines to the end of the pasted script from step 2
- ```powershell
- $authzRules = "=>issue(Type = `"http://schemas.microsoft.com/authorization/claims/permit`", Value = `"true`"); "
- $RuleSet = New-AdfsClaimRuleSet -ClaimRule "<AD FS Help generated PSH>"
- Set-AdfsRelyingPartyTrust -TargetName ΓÇ£Microsoft Office 365 Identity Platform WorldWideΓÇ¥ -IssuanceTransformRules $RuleSet.ClaimRulesString -IssuanceAuthorizationRules $authzRules
- ```
-4. Safe and execute the PowerShell script.
-5. Verify that two Relying Party trusts are present; one for the Microsoft Cloud Deutschland and one for the Office 365 Global service.
-6. Backup your trusts using [these steps](#backup). Save it with the name **FFAndWorldwide**.
-7. Complete your backend migration and verify that AD FS still works during the migration process.
+> [!NOTE]
+> [AD FS Help](https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator) will generate the standard issuance transform rules that ship with the product. However, if custom issuance transform rules are in place in the Microsoft Cloud Deutschland Relying Party Trust (for example, custom issuer URIs, non-standard immutable IDs, or any other customizations), the rules generated by AD FS help must be modified in a way that they fit the custom logic currently in place for the Microsoft Cloud Deutschland relying party trust. If these customizations are not integrated in the rules generated via [AD FS Help](https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator), authentication to **Microsoft Office 365 Identity Platform WorldWide** will most likely **not** work for your federated identities.
+
+1. Run **Generate Claims** on [AD FS Help](https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator) and copy the PowerShell script using the **Copy** option on the right upper corner of the script.
+
+2. Follow the steps outlined at [AD FS Help](https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator) on how to run the PowerShell script in your AD FS farm to generate the global Relying Party Trust.
+
+3. Verify that two Relying PartyTtrusts are present; one for Microsoft Cloud Deutschland and one for the Office 365 Global service. The following command can be leveraged for the check. It should return two rows and the respective names and identifiers.
+
+ ```powershell
+ Get-AdfsRelyingPartyTrust | Where-Object {$_.Identifier -like 'urn:federation:MicrosoftOnline*'} | Select-Object Name, Identifier
+ ```
+
+4. Backup your full migration configuration, including both Relying Party trusts, using [these steps](#backup). Save it with the name **MicrosoftCloudDeutschlandAndWorldwide**.
+
+5. While your tenant is in migration, regularly verify that AD FS authentication is working with Microsoft Cloud Deutschland and Microsoft Global cloud in the various supported migration steps.
+ ## AD FS Disaster Recovery (WID Database)
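Review bot: The added NOTE warns that custom issuance transform rules must be merged into the rules generated by AD FS Help, but none of the numbered steps tells the reader to check for them. Add a step before step 1 to review the issuance transform rules on the existing Microsoft Cloud Deutschland relying party trust and compare them with the AD FS Help output before running the script. Step 3 has a typo, "Relying PartyTtrusts". Step 5 says to "regularly verify that AD FS authentication is working" without saying how; name the sign-in test to run against each cloud.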
-To restore the AD FS farm in a disaster [AD FS Rapid Restore Tool](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/ad-fs-rapid-restore-tool) needs to be leveraged. Therefore, the tool must be downloaded and before the start of the migration a backup must be created and safely stored. In this example (TAT environments) the following commands have been run to back up the farm:
+To restore the AD FS farm in a disaster [AD FS Rapid Restore Tool](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/ad-fs-rapid-restore-tool) needs to be leveraged. Therefore, the tool must be downloaded and before the start of the migration a backup must be created and safely stored. In this example, the following commands have been run to back up a farm running on a WID database:
<h2 id="backup"></h2> ### Back up an AD FS Farm 1. Install the AD FS Rapid Restore Tool on the primary AD FS server.+ 2. Import the module in a PowerShell session with this command.
- ```powershell
- Import-Module "C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll"
- ```
+
+ ```powershell
+ Import-Module "C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll"
+ ```
+ 3. Run the backup command:
- ```powershell
- Backup-ADFS -StorageType "FileSystem" -storagePath "<Storage path of backup>" -EncryptionPassword "<password>" -BackupComment "Restore Doku" -BackupDKM
- ```
+
+ ```powershell
+ Backup-ADFS -StorageType "FileSystem" -storagePath "<Storage path of backup>" -EncryptionPassword "<password>" -BackupComment "Restore Doku" -BackupDKM
+ ```
+ 4. Store the backup safely on a desired destination. + ### Restore an AD FS Farm If your farm failed completely and there is no way to return to the old farm, do the following. 1. Move the previously generated and stored backup to the new primary AD FS server.+ 2. Run the following `Restore-ADFS` PowerShell command. If necessary, import the AD FS SSL certificate beforehand.
- ```powershell
- Restore-ADFS -StorageType "FileSystem" -StoragePath "<Path to Backup>" -DecryptionPassword "<password>" -GroupServiceAccountIdentifier "<gMSA>" -DBConnectionString "WID" -RestoreDKM
- ```
+ ```powershell
+ Restore-ADFS -StorageType "FileSystem" -StoragePath "<Path to Backup>" -DecryptionPassword "<password>" -GroupServiceAccountIdentifier "<gMSA>" -DBConnectionString "WID" -RestoreDKM
+ ```
3. Point your new DNS records or load balancer to the new AD FS servers. + ## More information Getting started:
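Review bot: Step 4 of the backup procedure, "Store the backup safely on a desired destination", is too vague for what this backup holds: the command runs with `-BackupDKM`, and the NOTE added earlier in this file says the backup contains every relying party trust on the farm. State what "safely" means here, for example restricted access and storage off the AD FS servers. The examples also pass `-EncryptionPassword "<password>"` and `-DecryptionPassword "<password>"` as literal strings; add a sentence telling readers to use a strong, unique password and to keep it apart from the backup files. The re-indented `Restore-ADFS` block is missing the blank line before the fence that the other re-indented blocks gained.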
enterprise Use Microsoft 365 Cdn With Spo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/use-microsoft-365-cdn-with-spo.md
You can read more about how CDN access to assets in a private origin works in [U
> You should never place resources that contain user information or are considered sensitive to your organization in a public origin. + If you remove an asset from a public origin, the asset may continue to be available for up to 30 days from the cache; however, we will invalidate links to the asset in the CDN within 15 minutes. + When you host style sheets (CSS files) in a public origin, you can use relative paths and URIs within the code. This means that you can reference the location of background images and other objects relative to the location of the asset that's calling it.
-+ While you can hard code a public origin's URL, doing so is not recommended. The reason for this is that if access to the CDN becomes unavailable, the URL will not automatically resolve to your organization in SharePoint Online and might result in broken links and other errors.
++ While you can construct a public origin's URL, you should proceed with caution and ensure you utilize the page context property and follow the guidance for doing so. The reason for this is that if access to the CDN becomes unavailable, the URL will not automatically resolve to your organization in SharePoint Online and might result in broken links and other errors. The URL is also subject to change wich is why it should not just be hard coded to its current value. + The default file types that are included for public origins are .css, .eot, .gif, .ico, .jpeg, .jpg, .js, .map, .png, .svg, .ttf, .woff and .woff2. You can specify additional file types. + You can configure a policy to exclude assets that have been identified by site classifications that you specify. For example, you can choose to exclude all assets that are marked as "confidential" or "restricted" even if they are an allowed file type and are located in a public origin.
The following diagram illustrates the workflow when SharePoint receives a reques
> [!TIP] > If you want to disable auto-rewriting for specific URLs on a page, you can check out the page and add the query string parameter **?NoAutoReWrites=true** to the end of each link you want to disable.
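Review bot: The rewritten bullet on public origin URLs says to "utilize the page context property and follow the guidance for doing so" without naming the property or linking to the guidance, so the reader cannot act on it at this point. Link to the "Constructing CDN URLs for public assets" section, and fix the typo "wich". The reason that follows ("if access to the CDN becomes unavailable, the URL will not automatically resolve") was written for hard-coded URLs; say whether it also applies to constructed URLs.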
-#### Hardcoding CDN URLs for public assets
+#### Constructing CDN URLs for public assets
If the _Publishing_ feature is not enabled for a public origin, or the asset is not one of the link types supported by the auto-rewrite feature of the CDN service, you can manually construct URLs to the CDN location of the assets and use these URLs in your content. > [!NOTE]
-> You cannot hardcode CDN URLs to assets in a private origin because the required access token that forms the last section of the URL is generated at the time the resource is requested.
+> You cannot hardcode or construct CDN URLs to assets in a private origin because the required access token that forms the last section of the URL is generated at the time the resource is requested. You can construct the URL for Public CDN and the URL should not be hard coded as it is subject to change.
For public CDN assets, the URL format will look like the following:
Replace **TenantHostName** with your tenant name. Example:
``` html https://publiccdn.sharepointonline.com/contoso.sharepoint.com/sites/site/library/asset.png ```
+> [!NOTE]
+> The page context property should be used to construct the prefix instead of hard coding "https://publiccdn.sharepointonline.com". The URL is subject to change and should not be hard coded. If you are using display templates with Classic SharePoint Online then you can use the property "window._spPageContextInfo.publicCdnBaseUrl" in your display template for the prefix of the URL. If you are SPFx web parts for modern and classic SharePoint the you can utilize the property "this.context.pageContext.legacyPageContext.publicCdnBaseUrl". This will provide the prefix so that if it is changed then your implementation will update with it. As an example for SPFx, the URL can be constructed using the property "this.context.pageContext.legacyPageContext.publicCdnBaseUrl" + "/" + "host" + "/" + "relativeURL for the item". Please see [Using CDN in Client-side code](https://youtu.be/IH1RbQlbhIA) which is part of the [season 1 performance series](https://aka.ms/sppnp-perfvideos)
+ ### Using assets in private origins
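Review bot: The new NOTE tells readers not to hard code "https://publiccdn.sharepointonline.com", but the example directly above it still shows that exact prefix as the URL format; mark the example as the current value only, or show it with the property in place of the prefix. The NOTE also has wording errors: "If you are SPFx web parts" is missing "using", "the you can utilize" should be "then you can use", and the last sentence has no closing period. The sentence added to the earlier NOTE, "You can construct the URL for Public CDN and the URL should not be hard coded", repeats the same instruction; keep it in one place. Renaming the heading to "Constructing CDN URLs for public assets" changes its anchor, so check for inbound links to the old one.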
security Office 365 Evaluation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-evaluation.md
ms.prod: m365-security
Conducting a comprehensive security product evaluation can help give you informed decisions on upgrades and purchases. It helps to try out the security product's capabilities to assess how it can help your security operations team in their daily tasks.
-The [Microsoft Defender for Office 365](office-365-atp.md) evaluation experience is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the security solution. It only applies to email protection and not SharePoint, Office Clients like Word, or Teams.
+The [Microsoft Defender for Office 365](office-365-atp.md) evaluation experience is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of Microsoft Defender for Office 365. With evaluation mode, all messages sent to Exchange Online mailboxes can be evaluated without pointing MX records to Microsoft. The feature only applies to email protection and not to Office Clients like Word, SharePoint, or Teams.
If you don't already have a license that supports Microsoft Defender for Office 365, you can start a [free 30-day evaluation](https://admin.microsoft.com/AdminPortal/Home#/catalog/offer-details/microsoft-defender-for-office-365-plan-2-/223860DC-15D6-42D9-A861-AE05473069FA) and test the capabilities in the Office 365 Security & Compliance center (https://protection.office.com/homepage). You'll enjoy the quick set-up and you can easily turn it off if necessary.
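Review bot: In the last added sentence, "Office Clients like Word, SharePoint, or Teams" reorders the old list so that SharePoint and Teams now read as examples of Office clients. Restore the original grouping, for example "not to SharePoint, Teams, or Office clients like Word". "The feature" should also name what it refers to, since the preceding sentence introduces the term "evaluation mode".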
solutions Collaboration Governance Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaboration-governance-overview.md
This series of articles will help you understand how groups, teams, and SharePoi
There are many options for deploying Microsoft 365 Groups and Teams for secure collaboration in your organization. We recommend you use this governance content alongside [Set up secure collaboration with Microsoft 365](setup-secure-collaboration-with-teams.md) and its associated articles to create the best collaboration solution for your organization.
+### Data residency
+
+If your organization is multi-national and you have data residency requirements for different geographies, include [Microsoft 365 Multi-Geo](/microsoft-365/enterprise/microsoft-365-multi-geo) as part of your collaboration governance plan.
+ ## Why Microsoft 365 groups are important Microsoft 365 groups lets you choose a set of people with whom you wish to collaborate, and easily set up a collection of resources for those people to share. Adding members to the group automatically grants the needed permissions to all assets provided by the group. Both Teams and Yammer use Microsoft 365 groups to manage their membership.
As you start your governance planning process, keep these best practices in mind
- **Embed governance decisions directly in the solutions you create** - many governance decisions can be implemented by turning on or off features in Microsoft 365.
+- **Use a phased approach** - Roll collaboration features out to a small group of users first. Get feedback from them, watch for help desk tickets, and update any needed settings or processes before proceeding to a larger group.
+ - **Reinforce with training** - adapt solutions such as [Microsoft 365 learning pathways](https://docs.microsoft.com/office365/customlearning) to ensure that your organization-specific expectations are reinforced with Microsoft-provided training. - **Have a strategy for communicating governance policies and guidelines in your organization** - create a Microsoft 365 Adoption Center in a SharePoint communication site to communicate policies and procedures.
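Review bot: The added "Use a phased approach" bullet starts its description with a capital ("- Roll collaboration features out") while the neighbouring bullets continue in lower case ("- many governance decisions", "- adapt solutions", "- create a Microsoft 365 Adoption Center"). Suggest matching the existing style. The bullet would also be easier to act on if it named what to watch in the pilot besides help desk tickets, since the list is about governance decisions.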
solutions Create Secure Guest Sharing Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/create-secure-guest-sharing-environment.md
Note that we won't discuss enabling guest sharing settings in this article. See
## Set up multi-factor authentication for guests
-Multi-factor authentication greatly reduces the chances of an account being compromised. Since guest users may be using personal email accounts that don't adhere to any governance policies or best practices, it's especially important to require multi-factor authentication for guests. If a guest user's username and password is stolen, requiring a second factor of authentication greatly reduces the chances of unknown parties gaining access to your sites and files.
+Multi-factor authentication greatly reduces the chances of an account being compromised. Since guests may be using personal email accounts that don't adhere to any governance policies or best practices, it's especially important to require multi-factor authentication for guests. If a guest's username and password is stolen, requiring a second factor of authentication greatly reduces the chances of unknown parties gaining access to your sites and files.
In this example, we'll set up multi-factor authentication for guests by using a conditional access policy in Azure Active Directory.
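Review bot: The rewritten paragraph carries over the agreement error "If a guest's username and password is stolen" from the removed line. Since the sentence is being touched anyway, suggest "are stolen". The "guest users" to "guests" rename itself is applied consistently in this paragraph.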
Now, guest will be required to enroll in multi-factor authentication before they
## Set up a terms of use for guests
-In some situations guest users may not have signed non-disclosure agreements or other legal agreements with your organization. You can require guests to agree to a terms of use before accessing files that are shared with them. The terms of use can be displayed the first time they attempt to access a shared file or site.
+In some situations guests may not have signed non-disclosure agreements or other legal agreements with your organization. You can require guests to agree to a terms of use before accessing files that are shared with them. The terms of use can be displayed the first time they attempt to access a shared file or site.
To create a terms of use, you first need to create the document in Word or another authoring program, and then save it as a .pdf file. This file can then be uploaded to Azure AD.
To create an Azure AD terms of use
9. Under **Conditional Access**, in the **Enforce with Conditional Access policy template** list choose **Create conditional access policy later**. 10. Click **Create**.
-Once you've created the terms of use, the next step is to create a conditional access policy that displays the terms of use to guest users.
+Once you've created the terms of use, the next step is to create a conditional access policy that displays the terms of use to guests.
To create a conditional access policy
To create a conditional access policy
10. On the **Grant** blade, select **Guest terms of use**, and then click **Select**. 11. On the **New** blade, under **Enable policy**, click **On**, and then click **Create**.
-Now, the first time a guest user attempts to access content or a team or site in your organization, they will be required to accept the terms of use.
+Now, the first time a guest attempts to access content or a team or site in your organization, they will be required to accept the terms of use.
> [!NOTE] > Using Conditional Access requires an Azure AD Premium P1 license. For more information, see [What is Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview).
Now, the first time a guest user attempts to access content or a team or site in
## Set up guest access reviews
-With access reviews in Azure AD, you can automate a periodic review of user access to various teams and groups. By requiring an access review for guests specifically, you can help ensure guest users do not retain access to your organization's sensitive information for longer than is necessary.
+With access reviews in Azure AD, you can automate a periodic review of user access to various teams and groups. By requiring an access review for guests specifically, you can help ensure guests do not retain access to your organization's sensitive information for longer than is necessary.
-Access reviews can be organized into programs. A program is a grouping of similar access reviews that can be used to organize access reviews for reporting and auditing purposes.
-
-To create a program
-
-1. Sign in to the Azure portal and open the [Identity Governance page](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade).
-2. In the left menu, click **Programs**
-3. Click **New program**.
-4. Type a **Name** and **Description**.
-5. Click **Create**.
-
-Once the program has been created, we can create a guest access review and associate it with the program.
-
-To set up a guest user access review
+To set up a guest access review
1. On the [Identity Governance page](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade), in the left menu, click **Access reviews**. 2. Click **New access review**.
+3. Choose the **Teams + Groups** option.
+4. Choose the **All Microsoft 365 groups with guest users** option. Click **Select group(s) to exclude** if you want to exclude any groups.
+5. Choose the **Guest users only** option, and then click **Next: Reviews**.
+6. Under **Select reviewers**, choose **Group Owner(s)**.
+7. Click **Select fallback reviewers**, choose who should be the fallback reviewers, and then click **Select**.
+8. Under **Specify recurrence of review**, choose **Quarterly**.
+9. Select a start date and duration.
+10. For **End**, choose **Never**, and then click **Next: Settings**.
- ![Screenshot of Azure AD access review settings](../media/azure-ad-create-access-review.png)
+ ![Screenshot of Azure AD access review tab](../media/azure-ad-create-access-review.png)
-3. In the **Name** box, type a name.
-4. For **Frequency**, choose **Quarterly**.
-5. For **End**, choose **Never**.
-6. For **Scope**, choose **Guest users only**.
-7. Click **Group**, select the groups that you want to include in the access review, and then click **Select**.
-8. Under **Programs**, click **Link to program**.
-9. On the **Select a program** blade, choose **Guest access review program**
-10. Click **Start**.
+11. On the **Settings** tab, review the settings for compliance with your business rules.
+
+ ![Screenshot of Azure AD access review settings tab](../media/azure-ad-create-access-review-settings.png)
-A separate access review is created for each group that you specify. Group owners of each group will be emailed quarterly to approve or deny guest access to their groups.
+12. Click **Next: Review + Create**.
+13. Type a **Review name** and review the settings.
+14. Click **Create**.
-It's important to note that guests can be given access to teams or groups, or to individual files and folders. When given access to files and folders, guests may not be added to any particular group. If you want to do access reviews on guest users who don't belong to a team or group, you can create a dynamic group in Azure AD to contain all guests and then create an access review for that group. Site owners can also manage [guest expiration for the site](https://support.microsoft.com/office/25bee24f-42ad-4ee8-8402-4186eed74dea)
+It's important to note that guests can be given access to teams or groups, or to individual files and folders. When given access to files and folders, guests may not be added to any particular group. If you want to do access reviews on guests who don't belong to a team or group, you can create a dynamic group in Azure AD to contain all guests and then create an access review for that group. Site owners can also manage [guest expiration for the site](https://support.microsoft.com/office/25bee24f-42ad-4ee8-8402-4186eed74dea)
### More information
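Review bot: Step 11 asks the reader to review the settings "for compliance with your business rules" without naming any setting, and the removed closing paragraph ("A separate access review is created for each group that you specify. Group owners of each group will be emailed quarterly to approve or deny guest access to their groups.") has no replacement, so the new procedure never states what happens after **Create**. Suggest naming the settings that decide whether a denied or unreviewed guest actually loses access, and restoring a sentence on who is notified and how often. The last added paragraph also ends without a period after the guest expiration link.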
It's important to note that guests can be given access to teams or groups, or to
[Create an access review of groups or applications in Azure AD access reviews](https://docs.microsoft.com/azure/active-directory/governance/create-access-review)
-## Set up web-only access for guest users
+## Set up web-only access for guests
-You can reduce your attack surface and ease administration by requiring guest users to access your teams, sites, and files by using a web browser only.
+You can reduce your attack surface and ease administration by requiring guests to access your teams, sites, and files by using a web browser only.
For Microsoft 365 Groups and Teams, this is done with an Azure AD conditional access policy. For SharePoint, this is configured in the SharePoint admin center. (You can also [use sensitivity labels to restrict guests to web-only access](https://docs.microsoft.com/microsoft-365/compliance/sensitivity-labels-teams-groups-sites).)
To restrict guests to web-ony access for SharePoint
Note that this setting in the SharePoint admin center creates a supporting conditional access policy in Azure AD.
-## Configure a session timeout for guest users
+## Configure a session timeout for guests
-Requiring guests to authenticate on a regular basis can reduce the possibility of unknown users accessing your organization's content if a guest user's device isn't kept secure. You can configure a session timeout conditional access policy for guest users in Azure AD.
+Requiring guests to authenticate on a regular basis can reduce the possibility of unknown users accessing your organization's content if a guest's device isn't kept secure. You can configure a session timeout conditional access policy for guests in Azure AD.
To configure a guest session timeout policy
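Review bot: The unchanged line "To restrict guests to web-ony access for SharePoint" sits between two edited paragraphs and still has the typo "web-ony"; suggest fixing it to "web-only" in the same change. The rename from "guest users" to "guests" is otherwise consistent across both headings and both paragraphs in this hunk.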
solutions Groups Teams Access Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-teams-access-governance.md
Membership of teams and groups is controlled by owners. Members can invite other
- [Manage discovery of private teams in Microsoft Teams](https://docs.microsoft.com/microsoftteams/manage-discovery-of-private-teams)
-You can manage membership of a group or team dynamically based on some criteria, such as department. In this case, members and owners cannot invite people to the team.
+You can manage membership of a group or team dynamically based on some criteria, such as department. In this case, members and owners cannot invite people to the team. Dynamic groups uses metadata that you define in Azure Active Directory to control who is a member of the group. Be sure the metadata that you're using is complete and up to date as incorrect metadata can lead to users being left out of groups or incorrect users being added.
- [Create or update a dynamic group in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/users-groups-roles/groups-create-rule)
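Review bot: The added sentence "Dynamic groups uses metadata that you define in Azure Active Directory" has a subject-verb mismatch; suggest "Dynamic groups use metadata". The warning that follows is the important part of this change, because incorrect attributes silently grant or remove access, so it would be worth adding a comma before "as incorrect metadata" and saying which attribute the rule depends on in the department example.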
If your organization has sensitive data that you need to share with guests, but
- [Limit external sharing to specified security groups](https://docs.microsoft.com/microsoft-365/solutions/share-limit-accidental-exposure#limit-sharing-of-files-folders-and-sites-with-people-outside-your-organization-to-specified-security-groups)
-Groups and Teams have organization-level setting that allow or deny guest access. While you can [restrict guest access to specific teams or groups by using Microsoft PowerShell](per-group-guest-access.md), we recommend doing this by means of a sensitivity label. With sensitivity labels you can automatically allow or deny guest access based on the label applied:
+Groups and Teams have organization-level settings that allow or deny guest access. While you can [restrict guest access to specific teams or groups by using Microsoft PowerShell](per-group-guest-access.md), we recommend doing this by means of a sensitivity label. With sensitivity labels you can automatically allow or deny guest access based on the label applied:
- [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](https://docs.microsoft.com/microsoft-365/compliance/sensitivity-labels-teams-groups-sites)
+In an environment where you frequently invite guests to groups and teams, consider setting up regularly scheduled guest access reviews. Owners can be prompted to review guests in their groups and teams and approve or deny access.
+
+- [Set up guest access reviews](/microsoft-365/solutions/create-secure-guest-sharing-environment#set-up-guest-access-reviews)
+ Microsoft 365 offers many different methods of sharing information. If you have sensitive information and you want to restrict how it's shared, review the options for limiting sharing: - [Limit sharing in Microsoft 365](https://docs.microsoft.com/microsoft-365/solutions/microsoft-365-limit-sharing)
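Review bot: The added link uses a root-relative path ("/microsoft-365/solutions/create-secure-guest-sharing-environment#set-up-guest-access-reviews") while every other link in this hunk is either a full "https://docs.microsoft.com/..." URL or a relative file path such as "per-group-guest-access.md". Suggest using one form throughout the article. The added paragraph could also state the review cadence, since the linked procedure sets a specific recurrence.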
solutions Groups Teams Compliance Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-teams-compliance-governance.md
Configuring a retention policy for Microsoft 365 Groups covers the group mailbox
- [Learn about retention policies for SharePoint and OneDrive](https://docs.microsoft.com/microsoft-365/compliance/retention-policies-sharepoint)
-Retention policies for Teams retain chat and channel messages. While chat and channel messages are stored in Exchange mailboxes, they are not affected by Exchange retention policies. You must set your retention policies to apply to Teams chats and Teams channel messages:
+Retention policies for Teams retain chat and channel messages. While chat and channel messages are stored in Exchange mailboxes, they are not affected by Exchange retention policies. You must set your retention policies to apply to Teams chats and Teams channel messages.
+
+User chats are retained indefinitely even if a user account is deleted. If you don't want to retain this data indefinitely, consider using a retention policy to delete user chats after a specified time or include this deletion in your user deletion process.
- [Learn about retention policies for Microsoft Teams](https://docs.microsoft.com/microsoft-365/compliance/retention-policies-teams)
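Review bot: The added paragraph offers two options for chats that outlive a deleted account, but only the retention policy option is backed by the link that follows; "include this deletion in your user deletion process" gives no procedure or reference. Suggest linking to the steps for that option or dropping it. With the colon changed to a period, the link bullet now reads as belonging to the new user-chats paragraph rather than to the sentence about applying policies to Teams chats and channel messages, so consider moving the paragraph below the link.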
solutions Manage Creation Of Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-creation-of-groups.md
description: "Learn how to control which users can create Microsoft 365 Groups."
By default, all users can create Microsoft 365 groups. This is the recommended approach because it allows users to start collaborating without requiring assistance from IT.
-If your business requires that you restrict who can create groups, you can do so by following the procedures in this article. When you limit who can create a group, it affects all services that rely on groups for access, including:
+If your business requires that you restrict who can create groups, you can restrict Microsoft 365 Group creation to the members of a particular Microsoft 365 group or security group.
+
+If you're concerned about users creating teams or groups that don't comply with your business standards, consider requiring users to complete a training course and then adding them to the group of allowed users.
+
+When you limit who can create a group, it affects all services that rely on groups for access, including:
- Outlook - SharePoint
If your business requires that you restrict who can create groups, you can do so
- Power BI (classic) - Project for the web / Roadmap
-You can restrict Microsoft 365 Group creation to the members of a particular Microsoft 365 group or security group. To configure this, you use Windows PowerShell. This article walks you through the needed steps.
- The steps in this article won't prevent members of certain roles from creating Groups. Office 365 Global admins can create Groups via any means, such as the Microsoft 365 admin center, Planner, Teams, Exchange, and SharePoint Online. Other roles can create Groups via limited means, listed below. - Exchange Administrator: Exchange Admin center, Azure AD
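Review bot: The removed paragraph was the only place in the introduction that said the restriction is configured with Windows PowerShell; the rewritten intro in the previous hunk keeps "you can restrict Microsoft 365 Group creation to the members of a particular Microsoft 365 group or security group" but drops the how. Suggest keeping one sentence that names PowerShell as the method so readers know the prerequisite before they reach the script. The unchanged paragraph that follows still refers to "the steps in this article", which now has no earlier mention to refer back to.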
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCop
The last line of the script will display the updated settings:
-![This is what your settings will look like when you're done.](../media/952cd982-5139-4080-9add-24bafca0830c.png)
+![Screenshot of PowerShell script output.](../media/952cd982-5139-4080-9add-24bafca0830c.png)
If in the future you want to change which group is used, you can rerun the script with the name of the new group.