+We refer to the userΓÇÖs prompt and CopilotΓÇÖs response to that prompt as the ΓÇ£content of interactionsΓÇ¥ and the record of those interactions is the userΓÇÖs Copilot interaction history.

+When a user interacts with Microsoft Copilot for Microsoft 365 apps (such as Word, PowerPoint, Excel, OneNote, Loop, or Whiteboard), we store data about these interactions. The stored data includes the user's prompt and Copilot's response, including citations to any information used to ground Copilot's response. We refer to the userΓÇÖs prompt and CopilotΓÇÖs response to that prompt as the ΓÇ£content of interactionsΓÇ¥ and the record of those interactions is the userΓÇÖs Copilot interaction history. For example, this stored data provides users with Copilot interaction history in [Microsoft Copilot with Graph-grounded chat](https://support.microsoft.com/topic/5b00a52d-7296-48ee-b938-b95b7209f737) and [meetings in Microsoft Teams](https://support.microsoft.com/office/0bf9dd3c-96f7-44e2-8bb8-790bedf066b1). This data is processed and stored in alignment with contractual commitments with your organizationΓÇÖs other content in Microsoft 365. The data is encrypted while it's stored and isn't used to train foundation LLMs, including those used by Microsoft Copilot for Microsoft 365.

+## Security Copilot integrates with Microsoft Defender Threat Intelligence

+ 

+1. Go to [Microsoft Security Copilot](https://go.microsoft.com/fwlink/?linkid=2247989) and sign in with your credentials.

+2. Make sure that the Defender TI plugin is turned on. Select the **Security Copilot plugin** icon in the lower-left corner of your screen.

+ 

+ 

+3. Enter your prompt in the prompt bar.

+1. In the prompt bar, enter **/**.

+2. Select **See all system capabilities**. The *ThreatIntelligence.DTI* section lists all the available capabilities for Defender TI that you can use.

+To view these promptbooks, in the prompt bar, enter \*.

+Get threat intelligence from threat articles and threat actors.

+**Sample prompts** :

+- Show me the latest threat articles.

+**Sample prompts**:

+- Give me the reputation score of the host _\<host name\>_.

+**Sample prompts**:

+### CVE vulnerability data

+**Sample prompts**:

+- **Looks right** - Select this button if the results are accurate, based on your assessment.

+- **Needs improvement** - Select this button if any detail in the results is incorrect or incomplete, based on your assessment.

+1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.

+2. From the dashboard homepage, select **Microsoft Teams** in the left navigation, then select the **Device usage** tab.

+You can also export the report data into an Excel .csv file by selecting the **Export** link. This exports data of all users and enables you to do simple sorting and filtering for further analysis.

+|Metric |Definition|

+|User name |The display name of the user. |

+|Windows |Selected if the user was active in the Teams desktop client on a Windows-based computer. |

+|Mac |Selected if the user was active in the Teams desktop client on a macOS computer. |

+|iOS |Selected if the user was active on the Teams mobile client for iOS. |

+|Android phone | Selected if the user was active on the Teams mobile client for Android. |

+|Chrome OS |Selected if the user was active in the Teams desktop client on a ChromeOS computer.|

+|Linux | Selected if the user was active in the Teams desktop client on a Linux computer. |

+|Web |Selected if the user was active in the Teams web client on devices.|

+|Last activity date (UTC) |The last date (UTC) that the user participated in a Teams activity. |

+[Microsoft Teams user activity report](../activity-reports/microsoft-teams-user-activity-preview.md)

+[Microsoft Teams usage activity report](../activity-reports/microsoft-teams-usage-activity.md)

+ Title: "Microsoft 365 OneDrive activity reports"

+# Microsoft 365 Reports in the admin center - OneDrive activity

+The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It lets you drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview article](activity-reports.md).

+2. From the dashboard homepage, select the OneDrive button in the left navigation.

+## Interpret the OneDrive activity report

+The OneDrive activity report can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days. However, if you select a particular day in the report, the table will show data for up to 28 days from the current date (not the date the report was generated).

+|Metric|Definition|

+|Username |The user name of the owner of the OneDrive account. |

+|Last activity date (UTC) |The most recent day file activity occurred on the OneDrive account for the selected date range. To see activity that occurred on a specific date, select the date directly in the chart. |

+|Files viewed or edited |The number of files that the user uploaded, downloaded, modified, or viewed. |

+|Files synced |The number of files that have been synced from a user's local device to the OneDrive account. |

+|Files shared internally | The number of files that have been shared with users within the organization, or with users within groups (that might include external users). |

+|Files shared externally |The number of files that have been shared with users outside of the organization. |

+|Deleted | This indicates that the user's license was removed. **NOTE**: Activity for a deleted user will still display in a report as long as he or she was licensed at some time during the selected time period. The **Deleted** column helps you to note that the user may no longer be active, but contributed to the data in the report. |

+|Deleted date |The date on which the user's license was removed. |

+|Product assigned |The Microsoft 365 products that are licensed to the user.|

+|||

+2. From the dashboard homepage, select **Project** in the left navigation.

+|Metric|Definition|

+|Username |The email address of the user who performed the activity on the SharePoint Site. |

+|Last activity date (UTC) |The latest date a file activity was performed or a page was visited for the selected date range. To see activity that occurred on a specific date, select the date directly in the chart. |

+|Files viewed or edited |The number of files that the user uploaded, downloaded, modified, or viewed. |

+|Files synced |The number of files that have been synced from a user's local device to the SharePoint site. |

+|Files shared internally | The count of files that have been shared with users within the organization, or with users within groups (that might include external users). |

+|Files shared externally |The number of files that have been shared with users outside of the organization. |

+|Pages visited |The visits to unique pages by the user. |

+|Deleted | This indicates that the user's license was removed. **NOTE:** Activity for a deleted user will still display in the report as long as he or she was licensed at some time during the selected time period. The Deleted column helps you to note that the user may no longer be active, but contributed to the data in the report. |

+|Deleted date |The date on which the user's license was removed. |

+|Product assigned |The Microsoft 365 products that are licensed to the user.|

+1. In the admin center, go to the **Reports**, and then select **Usage**.

+2. From the dashboard homepage, select **Viva Engage** in the left navigation.

+|Metric|Definition|

+|Username |The email address of the user. You can display the actual email address or make this field anonymous. This grid shows users who logged into Viva Engage using the Microsoft 365 account or who logged into the network using single sign-on. |

+|Display name |The full name of the user. You can display the actual email address or make this field anonymous. |

+|User state |One of three values: Activated, Deleted, or Suspended. These reports show data for active, suspended, and deleted users. They do not reflect pending users, because pending users cannot post, read, or like a message. |

+|State change date (UTC) |The date on which the user's state was changed in Viva Engage. |

+|Last activity date (UTC) | The last date that the user posted, read, or liked a message. |

+|Posted |The number of messages the user posted during the time period you specified. |

+|Read |The number of conversations that the user read during the time period you specified. |

+|Liked |The number of messages that the user liked during the time period you specified. |

+|Product assigned |The products that are assigned to this user.|

+2. From the dashboard homepage, select **Viva Engage** in the left navigation, then select **Device usage**.

+2. From the dashboard homepage, select **Viva Engage** in the left navigation, then select the **Groups activity** tab.

+|Metric|Definition|

+As a Microsoft 365 admin, the Reports dashboard shows you the activity overview across various products in your organization. It enables you to drill in to get more granular insight about the activities specific to each product. Check out the activity reports in the Microsoft 365 admin center.

+## How do I get to the Viva Learning activity report?

+1. In the admin center, go to the **Reports** > **Usage** page.

+2. From the dashboard homepage, select **Viva Learning** in the left navigation.

+ :::image type="content" source="../../media/dns-godaddy/godaddy-domains-TXT-save.png" alt-text="Select TXT from the Type drop-down list.":::

+ :::image type="content" source="../../media/dns-godaddy/godaddy-manage-dns.png" alt-text="Select DNS from the drop-down list.":::

+- .cloud

+Prepare to roll up your sleeves and block out a chunk of time on your calendar: transferring data between two Microsoft 365 accounts is a manual, complicated, and time-consuming process. This isn't an automated or supported process. We help you get started.

+|Purchase the plan you want to move to. <br/> |When you sign up, you specify the company name to use in the initial domain names: *yourcompany* .onmicrosoft.com, *yourcompany* -public.sharepoint.com, and *yourcompany* .sharepoint.com. Use a different *yourcompany* name than you did for any existing subscriptions. <br/> > [!NOTE]> It typically takes a minimum of several months after canceling a subscription to release the initial domain names that use *yourcompany* from our systems. Even if you plan to save all your data from your old Microsoft 365 subscription, and cancel that subscription, the old *yourcompany* value isn't immediately available for use in a new subscription. |

+|Remove your custom domain from your old Microsoft 365 subscription. <br/> | Follow the [required steps before you remove a domain](remove-a-domain.md) to remove the domain name from user email addresses and remove DNS records for email and Lync for the custom domain. If you host your public website on Microsoft 365, you need to remove the CNAME record that points to it. <br/> > [!IMPORTANT]> After you remove the MX record that routes email to this custom domain, email will stop working until you add the domain to your new account, set up the new MX record, and set up your users. When you remove the DNS records for Lync, Lync will stop working. And after you remove the CNAME record that points to your public website, it will not be available. [Remove the domain](remove-a-domain.md) . <br/> |

+|Cancel the subscription for the plan you're done with by calling Microsoft Support for Microsoft 365. <br/> | Verify that your new subscription is working and all data has transferred to your new account. <br/> [Contact customer support](../../business-video/get-help-support.md) to cancel your old subscription. <br/> |

+If you're transferring data from Microsoft 365 to Microsoft 365 Midsize Business or Microsoft 365 Enterprise, the admin pages are structured differently. Watch a [Video: Introducing Microsoft 365 Enterprise](../index.yml), and go to the following places to look at admin settings.

+- Save the old site as a template and import the template into the new site.

+### OneDrive data:

+Ask users to Copy/Sync [OneDrive content to their computer](https://support.microsoft.com/office/59b1de2b-519e-4d3a-8f45-51647cf291cd), and then add it back to their new subscription.

+>

+> - You must be licensed with Microsoft 365 Copilot to use plugins for Copilot for Microsoft 365.

+> - The capability is enabled by default in all Microsoft 365 Copilot licensed tenants.

+> - Admins can disable this functionality on a user and group basis and control how individual plugins are approved for use, and which plugins are enabled."

+Microsoft Copilot for Microsoft 365 is a new experience inside Microsoft 365 that combines the power of large language models with your data and Microsoft 365 apps to capture natural language commands to produce content and analyze data. Plugins for Copilot are extensions that enable Copilot to access and use third-party apps, such as Jira, [Dynamics 365](/microsoft-365-copilot/extensibility/overview-business-applications), or Bing Web Search. Admins can manage plugins for Copilot in the same way as they manage any other app in the Integrated apps section of the Microsoft 365 admin center. This document explains how admins can enable, disable, assign, block, or remove plugins for Copilot for their organization, and about Copilot capabilities and data privacy.

+For detailed information about how Microsoft 365 Copilot uses, protects, and shares organizational information to power extensibility, see [Data, Privacy, and Security for Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-privacy).

+

+- essentials-overview

+The Microsoft 365 Advanced Data Residency add-on (ADR) provides eligible customers with expanded coverage of Microsoft 365 workloads and Customer Data, committed data residency for local country/region datacenter regions, and prioritized tenant migration services. With Advanced Data Residency, enterprise customers can best address their data residency compliance and tenant location requirements.

+- [SharePoint and OneDrive](m365-dr-workload-spo.md)

+- [Microsoft Copilot for Microsoft 365](m365-dr-workload-copilot.md)

+The Advanced Data Residency ("ADR") add-on is intended for Microsoft 365 enterprise customers who have comprehensive data residency requirements. To be eligible to purchase ADR, customers must meet the following prerequisites:

+ - OneDrive Plan 1 or Plan 2

+ - SharePoint Plan 1 or Plan 2

+Customers must cover 100% of paid licenses in the tenant with ADR add-on license for tenant to receive data residency for ADR workloads. See the table for an example.

+| ADR-related SKU | Available Licenses | Allocated Licenses | ADR Required Licenses |

+If you have 1,645 licenses purchased for ADR, then you have a data residency commitment for your _Local Region Geography_. If you have fewer than 1,645 licenses, then you do NOT have a data residency commitment, and your tenant is subject to being moved out of the _Local Region Geography_.

+Customers who purchase Multi-Geo licenses for their tenant don't have to also pay for ADR for the same licenses. You avoid 'double licensing' a single seat for two different data residency programs. For example, if a customer would normally require 15,000 ADR licenses to satisfy the program requirements, but they also have 4,000 Multi-Geo licenses, then they're only required to purchase 11,000 ADR licenses. The two programs combined would cover the normal ADR program requirement of 100% user coverage.

+To find out how many ADR licenses, you need go to the Microsoft 365 admin center under **Billing > Your Products** within your tenant and add up the total Purchased Quantity for all ADR-eligible SKUs to get the proper total of ADR licenses required.

+- Customers have rights to purchase full ADR add-on for only the paid portion of Microsoft 365 SKUs and aren't obligated to cover free subscription types. However, they must cover the paid education licenses with ADR (Microsoft 365 A3/A5, Office 365 A3/A5 student or faculty).

+If all of a customer's tenant data covered by the Advanced Data Residency feature isn't already stored at rest within their eligible _Local Region Geography_, then a data migration to the _Local Region Geography_ is required. If customer tenant data covered by the Advanced Data Residency feature is already stored at rest within their eligible _Local Region Geography_, then no data migration to the _Local Region Geography_ is required.

+After a customer receives their Advanced Data Residency licenses, the customer needs to signal that they're ready to schedule data migration, if one is necessary. To signal your tenant is ready for its data migration, the customer _tenant_ administrator visits the Data Location section of the Microsoft 365 Admin Console within the **Settings -> Org Settings -> Organization Profile** area. From here, the customer administrator is able to see the current location of their data-at-rest and what _Local Region Geography_ their customer data is migrated to.

+Microsoft uses reasonable efforts to try to complete an Advanced Data Residency add-on customer migration within 12 months from the time the customer administrator signals they're ready for migration. However, Microsoft might not be able to complete the migration within this timeframe for all customers. For example, larger or more complex customers or situations outside of Microsoft's control might require extra time to complete the migration. Advanced Data Residency add-on customers also receive prioritized migration services for their tenants over the legacy Move Program migration option. These migration expectations also apply to all ADR EDU customers as well. Customers utilizing the legacy Move Program for a data migration who don't have the Advanced Data Residency feature should follow [Legacy Move Program Migration Expectations](m365-dr-legacy-move-program.md#migration-expectations).

+### Effect on End Users and Workloads

+

+

+Microsoft makes commitments to store certain customer data at rest in the applicable _Local Region Geography_ for [eligible customers](advanced-data-residency.md#eligibility) that purchase ADR. The commitments are specified as follows.

+## SharePoint/OneDrive

+- SharePoint site content and the files stored within that site and files uploaded to OneDrive

+## Microsoft Copilot for Microsoft 365

+The following customer data is stored at rest in the _Local Region Geography_:

+- Any stored content of interactions with Microsoft Copilot for Microsoft 365 to the extent not included in the preceding commitments.

+- Exchange Online Protection (EOP). The following customer data is stored at rest in the _Local Region Geography_: Service configuration data and policies, quarantined email and attachments, junk email, grading analysis, blocklists (url, tenant, user), spam domains, reports, and alerts

+- Viva Connections Dashboard and Feed can have content sourced from SharePoint, Exchange Online and Microsoft Teams. All customer data sourced from these services covered by data residency commitments will be stored in the _Local Region Geography_. Refer to [Exchange Online](m365-dr-workload-exo.md), [SharePoint](m365-dr-workload-spo.md), and [Microsoft Teams](m365-dr-workload-teams.md) workload data residency pages for more details.

+- Machine Learning ("ML") models are trained on public web data, and as such don't contain any customer data from your tenant. In the future, it's possible we'll use customer data to improve accuracy of the ML models, in which case the data handling of ML models will follow the same policies as any other customer content (including data residency, retention, access control, sensitivity).

+- Topic highlighting is computed dynamically when the SharePoint page is rendered by running a language model against the content of the page and linking it with the knowledge base of Topics. The Topics data is sourced from the Substrate in the _Local Region Geography_.

+ - SharePoint, OneDrive, Exchange Online and Microsoft Teams follow the data residency commitments for those services. Refer to [Exchange Online](m365-dr-workload-exo.md), [SharePoint](m365-dr-workload-spo.md), and [Microsoft Teams](m365-dr-workload-teams.md) workload data residency pages for more details.

+The following customer data is stored at rest in the _Local Region Geography_:

+- DLP admin configuration, DLP policies in Compliance Portal, DLP monitored activities, violation history, Activity Explorer and Microsoft 365 unified audit logs, quarantine storage, DLP Alerts and DLP Alert management dashboard

+> Even though the Move Program is officially ending, we still have some in-flight geographies that we will see through to completion, based on the original 24-month migration commitment. Please refer to the following table for the remaining countries/regions and their migration deadlines.

+Microsoft will use reasonable efforts to try to complete a legacy Move Program migration for customers who request a migration between November 1, 2022 and April 30, 2023, by June 2025. Customers who requested a migration in the legacy Move Program prior to November 1, 2022, will continue being migrated with reasonable efforts by Microsoft towards the intended completion date provided to them previously. However, Microsoft might not be able to complete the migration within this timeframe for all customers. For example, significantly larger or more complex customers or situations outside of Microsoft's control might require more time to complete the migration. Customers utilizing the Advanced Data Residency feature for a data migration will instead follow the [Advanced Data Residency Migration Expectations](advanced-data-residency.md#migration-expectations).

+- SharePoint site content and the files stored within that site

+- Files uploaded to OneDrive

+- Teams chat data for group and private chats (files in Teams folders or placed in chat are managed by SharePoint and OneDrive, respectively)

+In addition to Exchange Online, SharePoint, and OneDrive; Microsoft will migrate Teams data to the local datacenter.

+Teams files are stored in SharePoint and Teams chat files are stored in OneDrive. Voicemail, calendar, and contacts are stored in Exchange Online. In many cases, Exchange Online, SharePoint, and OneDrive are already used by the customer in the local datacenter geo and are also part of the Microsoft 365 migration program for eligible customer countries/regions.

+Due to shared dependencies between Exchange Online and SharePoint/OneDrive, any migration can't be considered

+completed until both services are migrated. Exchange Online and SharePoint/OneDrive often migrate at separate times and independently from one another. Customer _Tenant_ admins receive confirmation in Message Center when each service migration is completed and can view the data location card in the Admin Center at any time to confirm the applicable customer data at rest location for

+Some of the Microsoft 365 services may be located in different geos for some existing customers and for customers that are in the middle of the move process. Our services run independently of each other and there's no impact on the user experience if this is the case. However, for data residency purposes, a _Tenant_ migration can't be considered as complete until both Exchange Online and SharePoint/OneDrive are migrated to the same datacenter geo.

+Watch the Microsoft 365 Message Center for confirmation that the move of each service's data is complete. When each service's data is moved, we post a completion notice so you get three completion notices: one each for Exchange Online, SharePoint, and Skype for Business Online. You can also verify the location of your customer data at rest via the Data Location section under your Organization Profile in the Microsoft 365 admin center.

+|Macro Region Geography <br/> |Macro Region Geography 1 ΓÇô EMEA, Macro Region Geography 2 ΓÇô Asia Pacific, Macro Region Geography 3 - Americas <br/> |

+|Macro Region Geography 1 - EMEA <br/> |Data centers in Austria, Finland, France, Ireland, Israel, Italy, Netherlands, Poland, Sweden <br/> |

+|Macro Region Geography 2 - Asia Pacific <br/> |Data centers in Australia, Hong Kong Special Administrative Region, Japan, Malaysia, Singapore, South Korea <br/> |

+|Macro Region Geography 3 - Americas <br/> |Data centers in Brazil, Chile, United States <br/> |

+|Local Region Geography <br/> |Australia, Brazil, Canada, France, Germany, India, Israel, Italy, Japan, Poland, Qatar, South Korea, Norway, South Africa, Sweden, Switzerland, United Arab Emirates, United Kingdom <br/> |

+|Future Local Region Geography <br/> | Future planned data center regions: Indonesia, Spain, Mexico, Malaysia, Austria, Chile, New Zealand, Denmark, Greece, Taiwan, Saudi Arabia <br/> |

+|Geography <br/> |_Local Region Geography, Future Local Region Geography_, or _Macro Region Geography_ <br/> |

+|Satellite Geography <br/> |If a customer subscribes to the Multi Geo service, then they can set policy at a user level to store customer data in other Geographies outside of the _Tenant_ _Primary Provisioned Geography_ <br/> |

+|Microsoft Entra ID <br/> |Microsoft Entra ID <br/> |

+|Tenant <br/> |A _Tenant_ represents an organization in Microsoft Entra ID. It's a reserved Microsoft Entra service instance that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure or Microsoft 365. Each Microsoft Entra ID _Tenant_ is distinct and separate from other Microsoft Entra ID _Tenant's_ <br/> |

+|Default Geography <br/> |When a _Microsoft Entra ID Tenant_ is created, a country/region is provided by the customer during the sign-up process. This country/region determines the default Geography for all Microsoft 365 services. In some cases, not all services are able to provision in this single _Default Geography_. See _Microsoft 365 Service provisioning mapping_ below for a description. <br/> |

+|Microsoft 365 Service provisioning mapping <br/> |All Microsoft 365 Services use the _Default Geography_ to determine where a given _Tenant's_ specified data will be provisioned and stored. <br/> |

+|Microsoft 365 Service provisioning country mapping <br/> |Refer to [data maps](https://aka.ms/datamaps) to learn where a given service provisions specified customer data, based on the _Tenant Default Geography._ <br/> |

+|Primary Provisioned Geography <br/> |A given Microsoft 365 service uses the _Tenant Default Geography_ combined with the _Microsoft 365 Service provisioning country mapping_ to determine which _Geography_ to provision customer data into. <br/> |

+|Microsoft 365 admin center Data Location <br/> |To see the _Primary Provisioned Geography_ for Exchange Online, SharePoint, OneDrive, and Microsoft Teams refer to Microsoft 365 admin center in **Admin > Settings > Org Settings > Organization Profile > Data Location**. <br/> |

+|Microsoft 365 Multi-Geo Capabilities <br/> |Microsoft 365 Multi-Geo Capabilities allows a single _Tenant_ to store customer data-at-rest across multiple geographies rather than be limited to the single _Primary Provisioned Geography_. See the Multi-Geo description for more detail. <br/> |

+|Preferred Data Location (PDL) <br/> |Used for _Tenants_ with a Multi-Geo subscription. A property set by the administrator that indicates where the user or shared resource's data should be stored at-rest. See the Multi-Geo description for more detail. <br/> |

+|Advanced Data Residency (ADR) <br/> |A new Microsoft 365 add-on service that guarantees customer data residency for a defined set of services. See section 3 <br/> |

+|Privacy and Security Product Terms <br/> |Privacy and Security Terms for Microsoft 365 services provides some customer data location related commitments. The document can be found <a href="https://www.microsoft.com/licensing/terms/en-US/product/PrivacyandSecurityTerms/EAEAS" target="_blank">here</a>. The extract of the relevant section (on November 1, 2022) is:<br>**Office 365 Services.** If Customer provisions its _Tenant_ in Australia, Brazil, Canada, the European Union, France, Germany, India, Japan, Norway, Qatar, South Africa, South Korea, Sweden, Switzerland, the United Kingdom, the United Arab Emirates, or the United States, Microsoft stores the following Customer Data at rest only within that Geo: (1) Exchange Online mailbox content (e-mail body, calendar entries, and the content of e-mail attachments), (2) SharePoint site content and the files stored within that site, (3) files uploaded to OneDrive, and (4) Microsoft Teams chat messages (including private messages, channel messages, meeting messages and images used in chats), and for customers using Microsoft Stream (on SharePoint), meeting recordings, and (5) any stored content of interactions with Microsoft Copilot for Microsoft 365 to the extent not included in the preceding commitments.

+|Workloads <br/> |Often used to refer to a Microsoft 365 service such as but not limited to Exchange Online, SharePoint, OneDrive, Microsoft Teams, etc.|

+Microsoft 365 Cloud services run on our data centers around the world and provide services to customers around the world. Customer data might be stored in multiple data centers. Data residency refers to the geographic location where customer data is stored at rest. Data residency is important for government, public sector, education and regulated commercial entities to help ensure protection of personal and/or sensitive information. In many countries/regions, customers are expected to comply with laws, regulations or industry standards that explicitly govern the location of data storage.

+When a customer creates a new Microsoft Entra ID _Tenant_, the customer enters a country/region during the creation process. This country/region is what defines the _Default Geography_ for the _Tenant_. There are multiple paths to creating _Tenants_. They can be created through Microsoft Entra ID forms, they can be created when trying out new Microsoft 365 services (trials), etc. Once a _Tenant_ is created, the _Default Geography_ can't be changed.

+Microsoft 365 services aren't deployed to all Microsoft data centers globally. The larger services, like Exchange Online, SharePoint, OneDrive, and Microsoft Teams are universally deployed to all _Geographies_. Other services make decisions on where to deploy their services based on the number of customers, regional affiliations, and software architectures. When a customer first uses a service in this category, the provisioning logic uses the _Default Geography_ and the supported _Geographies_ to determine where to provision a given customer.

+Over time, a particular service may deploy their software to additional _Geographies_, so the provisioning locations for new customers can change over time. This doesn't necessarily cause customer data to move to a new _Geography_.

+You can use the Microsoft 365 admin center to understand where your data for a given service is stored. As a _Tenant_ administrator you can find the actual data location by navigating to **Admin > Settings > Org Settings > Organization Profile > Data Location**. Currently the data location is available for Exchange Online, SharePoint, OneDrive, Microsoft Teams, Microsoft Copilot for Microsoft 365, Exchange Online Protection, Viva Connections and Viva Topics. In addition to this resource, see the [Data Maps page](o365-data-locations.md).

+**Example 1:** For a _Tenant_ with the sign-up country/region as "France" that has a new subscription that includes Exchange Online, SharePoint, OneDrive and Microsoft Teams, then the customer data for those services will be provisioned into the French _Local Region Geography_. Why? Because those services are deployed into the French data centers and the _Tenant_ has a France sign up country/region.

+**Example 2:** For a _Tenant_ with the sign-up country/region as "Belgium" that has a new subscription that includes Exchange Online, SharePoint, OneDrive and Microsoft Teams, then the customer data for those services will be provisioned into the _Macro Region Geography 1 ΓÇô EMEA_. Why? Because there are no Microsoft 365 data centers in Belgium and the closest Geography is _Macro Region Geography 1 - EMEA_.

+**Example 3:** For a _Tenant_ with the sign-up country/region as "Japan" that has a new subscription that includes Microsoft Forms, then the customer data for Forms will be provisioned into the _Macro Region Geography 3 - Americas_. Why? Because Forms is only deployed in _Macro Region Geography 3 - Americas_ and _Macro Region Geography 1 ΓÇô EMEA_ (EU _Tenants_ only).

+**Example 4a:** For a _Tenant_ with the sign-up country/region as "Sweden" that has a new subscription that includes Microsoft Viva Engage, then the customer data for Viva Engage will be provisioned into the _Macro Region Geography 1 - EMEA_. Why? Because Viva Engage is deployed in _Macro Region Geography 1 - EMEA_ and Swedish _Tenants_ are best served out of that _Geography_.

+**Example 4b:** For a _Tenant_ with the sign-up country/region as "Sweden" that has a subscription that includes Microsoft Viva Engage from before Viva Engage was deployed to _Macro Regional Geography 1 - EMEA_, then the customer data for Viva Engage will be located in _Macro Region Geography 3 - Americas_. Why? Because, at that time, Viva Engage only had a single deployment for all customers in _Macro Region Geography 3 - Americas_.

+1. If a _Tenant_ subscribes to the _Multi-Geo_ service, then _Tenants_ user's data for Exchange Online, SharePoint, OneDrive, Microsoft Teams and Microsoft Copilot for Microsoft 365 can be assigned to _Satellite Geographies_.

+1. If a _Tenant_ has sign up country/region as a _Local Region Geography_ and has a subscription to the _Advanced Data Residency_ service add-on, then the _Tenant_ data for the included services will be migrated from the _Regional Geography_ to the relevant _Local Region Geography_.

+1. Product Terms: Exchange Online, SharePoint, OneDrive, Microsoft Teams and Microsoft Copilot for Microsoft 365 provisioned in Australia, Brazil, Canada, France, Germany, India, Japan, Qatar, South Korea, Norway, South Africa, Sweden, Switzerland, United Arab Emirates, United Kingdom, European Union and the United States have a commitment for customer data residency expressed in the [Product Terms](https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all). For more information, see the [Product Terms Data Residency page](m365-dr-product-terms-dr.md).

+1. _Multi Geo_ subscription: allows customers to assign data location for Exchange Online, SharePoint, OneDrive, Microsoft Teams and Microsoft Copilot for Microsoft 365 to any supported _Geography_. For more information, see [Multi Geo Data Residency](microsoft-365-multi-geo.md).

+1. _Advanced Data Residency_ subscription provides data residency commitments for an expanded set of Microsoft 365 services in any _Local Region Geography_. For more information, see the [Advanced Data Residency page](advanced-data-residency.md).

+|Exchange Online |X¹ |X² |X³ |

+| SharePoint / OneDrive |X¹ |X² |X³ |

+| Microsoft Teams |X¹ |X² |X³ |

+| Microsoft Copilot for Microsoft 365 |X¹ |X² |X³ |

+| Microsoft Defender for Office P1 |- |- |X³ |

+| Office for the Web |- |- |X³ |

+| Viva Connections |- |- |X³ |

+| Viva Topics |- |- |X³ |

+| Microsoft Purview |- |- |X³ |

+1. Available in _Local Region Geography_, _Future Local Region Geography_ (when the future data center is launched) and _Regional Geography countries/regions_

+1. Only available for _Local Region Geography_ and _Future Local Region Geography_ (when the future data center is launched) countries/regions.

+

+| Country/Region | Exchange Online | SharePoint, OneDrive | Teams | Copilot for Microsoft 365 | MDO P1 | Office for the web | Viva Connections | Viva Topics | Purview |

+| | | | | | | | | | |

+| Australia | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| Brazil | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| Canada | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| European Union | P-M | P-M | P-M | P-M | - | - | - | - | - |

+| France | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| Germany | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| India | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| Israel | M-A | M-A | M-A | M-A | A | A | A | A | A |

+| Italy | M-A | M-A | M-A | M-A | A | A | A | A | A |

+| Japan | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| Poland | M-A | M-A | M-A | M-A | A | A | A | A | A |

+| Qatar | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| South Korea | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| Norway | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| South Africa | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| Sweden | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| Switzerland | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| United Arab Emirates | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| United Kingdom | P-M-A | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| United States | P-M | P-M | P-M | P-M | - | - | - | - | - |

+#### **Table 4: Current Local Geographies and Region specific Datacenter locations**

+|Country/Region |Datacenter Location |

+|Australia |Sydney, Melbourne |

+|Brazil |Rio, Campinas |

+|Canada |Quebec City, Toronto |

+|European Union |Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Italy (Milan), Netherlands (Amsterdam), Poland (Warsaw), Sweden (Gävle, Sandviken, Staffanstorp) |

+|France |Paris, Marseille |

+|Germany |Frankfurt, Berlin |

+|India |Chennai, Mumbai, Pune |

+|Israel |Tel Aviv |

+|Italy |Milan |

+|Japan |Osaka, Tokyo |

+|South Korea |Busan, Seoul |

+|Norway |Oslo, Stavanger |

+|Poland |Warsaw |

+|Qatar |Doha |

+|South Africa |Cape Town, Johannesburg |

+|Sweden |Gävle, Sandviken, Staffanstorp |

+|Switzerland |Geneva, Zurich |

+|United Arab Emirates |Dubai, Abu Dhabi |

+|United Kingdom |Durham, London, Cardiff |

+|United States |Boydton, Cheyenne, Chicago, Des Moines, Quincy, San Antonio, Santa Clara, San Jose |

+1. Online

+- **Office 365 Services** If Customer provisions its tenant in Australia, Brazil, Canada, the European Union, France, Germany, India, Japan, Norway, Qatar, South Africa, South Korea, Sweden, Switzerland, the United Kingdom, the United Arab Emirates, or the United States, Microsoft stores the following Customer Data at rest only within that Geo: (1) Exchange Online mailbox content (e-mail body, calendar entries, and the content of e-mail attachments), (2) SharePoint site content and the files stored within that site, (3) files uploaded to OneDrive, (4) Microsoft Teams chat messages (including private messages, channel messages, meeting messages and images used in chats), and for customers using Microsoft Stream (on SharePoint), meeting recordings, and (5) any stored content of interactions with Copilot for Microsoft 365 to the extent not included in the preceding commitments.

+- For current language, refer to the Privacy and Security Product Terms <a href="https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all" target="_blank">webpage</a> and view the section titled "Location of Customer Data at Rest for Core Online Services."

+For more data residency capabilities, refer to the [_Multi-Geo_ service](microsoft-365-multi-geo.md) and/or the [_Advanced Data Residency_ service](advanced-data-residency.md).

+When Microsoft's data centers were launched in Australia, Brazil, Canada, the European Union, France, Germany, India, Japan, Norway, Qatar, South Africa, South Korea, Sweden, Switzerland, the United Kingdom, or the United Arab Emirates, it was possible for any _Tenant_ with the appropriate _Default Geography_ to opt in to move their data into the applicable geography. This opt in period was open for six months after the Data Center was operational. Today, the _tenant_ must have a valid subscription to the Advanced Data Residency add-on in order to migrate data into the country data centers.

+ Title: Data Residency for Microsoft Copilot for Microsoft 365

+description: Learn about data residency for Microsoft Copilot for Microsoft 365.

+f1.keywords:

+- NOCSH

+- it-pro

+ms.localizationpriority: medium

+- M365-subscription-management

+- must-keep

+# Data Residency for Microsoft Copilot for Microsoft 365

+## Overview

+Service documentation: [Microsoft Copilot for Microsoft 365 overview](/microsoft-365-copilot/microsoft-365-copilot-overview) and [Data, Privacy, and Security for Microsoft Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-privacy)

+Capability Summary: Microsoft Copilot for Microsoft 365 is an AI-powered productivity tool that coordinates large language models (LLMs), content in Microsoft Graph, and the Microsoft 365 apps that you use every day, such as Word, Excel, PowerPoint, Outlook, and Teams. This integration provides real-time intelligent assistance, enabling users to enhance their creativity, productivity, and skills.

+The following applications provide the ability to interact with Microsoft Copilot for Microsoft 365: Microsoft Word, Excel, PowerPoint, Loop, Outlook, Teams (Chat, Meetings, Calls, Whiteboard), and OneNote.

+The content of interactions and the related semantic index with Microsoft Copilot for Microsoft 365 are stored at rest in the relevant _Local Region Geography_.

+## Data Residency Commitments Available for Microsoft Copilot for Microsoft 365

+### Product Terms

+Required Conditions:

+1. _Tenant_ has a sign-up country/region included in Australia, Brazil, Canada, the European Union, France, Germany, India, Japan, Norway, Qatar, South Africa, South Korea, Sweden, Switzerland, the United Kingdom, the United Arab Emirates, or the United States.

+**Commitment:**

+_For current language, refer to the [Privacy and Security Product Terms](https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all) and view the section titled "Location of Customer Data at Rest for Core Online Services."_

+### Advanced Data Residency (ADR) add-on

+Required Conditions:

+1. _Tenant_ has a sign-up country/region included in _Local Region Geography_.

+1. _Tenant_ has a valid Advanced Data Residency subscription for all users in the _Tenant_

+1. For existing _Tenant_ that has data stored in a _Macro Region Geography_, the _Tenant_ Global Admin must opt in to move the _Tenant_ data into the _Local Region Geography_.

+1. The Microsoft Copilot for Microsoft 365 subscription customer data is provisioned in _Local Region Geography_.

+**Commitment:**

+Refer to the [ADR Commitment page](m365-dr-commitments.md#microsoft-copilot-for-microsoft-365) to understand the specific data at rest commitments for Microsoft Copilot for Microsoft 365. Examples of the committed data include:

+- "Content of InteractionsΓÇ¥ such as the user's prompt and Microsoft Copilot's response, including citations to any information used to ground Microsoft Copilot's response.

+### Multi-Geo add-on

+Required Conditions:

+1. _Tenants_ have a valid Multi-Geo subscription that covers all users assigned to a _Satellite Geography_

+1. Customer must have an active Enterprise or CSP Partner Agreement.

+1. Total purchased Multi-Geo units must be greater than 5% of the total eligible licenses in the _Tenant_.

+**Commitment:**

+Multi-Geo capabilities in Microsoft Copilot for Microsoft 365 enable content of interactions with Microsoft Copilot for Microsoft 365 to be stored at rest in a specified _Macro Region Geography_ or _Local Region Geography_ location. Microsoft Copilot for Microsoft 365 uses the Preferred Data Location (PDL) for users and groups to determine where to store data. If the PDL isn't set or is invalid, data is stored in the _Tenant's Primary Provisioned Geography_ location. The _Geography_ where the content of interactions with Microsoft Copilot for Microsoft 365 are stored is determined by the PDL of the user interacting with Microsoft Copilot for Microsoft 365. This means that the storage of content of interactions for users in different regions will be based on their respective PDL configurations.

+To find the current location of a user's content of interactions with Microsoft Copilot for Microsoft 365 by referencing the PDL configuration for that user. Refer to [Multi-Geo Testing](m365-multi-geo-user-testing.md)

+**Illustrative examples**

+**Collaboration Experience**

+Two people are working together on a Microsoft Word document. User A authored the document and stored it in the OneDrive for Business personal storage site, which is located in France. User B is in Canada and asks Microsoft Copilot for Microsoft 365 to rewrite a paragraph in the document. The paragraph User B submitted as the prompt, as well as the rewrite options Microsoft Copilot for Microsoft 365 provides (the ΓÇ£content of interactionsΓÇ¥ in this case) are stored in Canada; the original document remains in France, as does any rewrite the user accepts into that document.

+**Teams Meeting Experience**

+Microsoft Teams meeting recording video location is determined by the user PDL that starts the recording, or when meetings have an automatic recording policy, the location is determined from the first person joining the meeting. When users in other regions interact with Microsoft Copilot for Microsoft 365 in Teams, those user prompts and corresponding responses are stored in the location of the user that asks the Microsoft Copilot for Microsoft 365 questions.

+### Migration

+Microsoft Copilot for Microsoft 365 is part of the Microsoft 365 Advanced Data Residency migration. You can learn more at [ADR Migration](advanced-data-residency.md#data-migration-management)

+### How can I determine customer data location?

+You can find the actual data location in Microsoft 365 admin center. In the coming months, you will be able to find the actual data location for committed data, by navigating to **Settings > Org settings > Organization profile > Data location**.

+ - it-pro

+ - has-azure-ad-ps-ref

+ - azure-ad-ref-level-one-done

+> [!NOTE]

+> If Customer provisions its tenant in Australia, Brazil, Canada, the European Union, France, Germany, India, Japan, Norway, Qatar, South Africa, South Korea, Sweden, Switzerland, United Arab Emirates, United Kingdom, or United States, Microsoft will store the following Customer Data at rest only within that Geo: Exchange Online mailbox content (e-mail body, calendar entries, and the content of e-mail attachments)

+ > [!NOTE]

+ > Cross-geo mailbox folder sharing is supported in Outlook on Windows.

+

+

+ ```powershell

+ Import-Module ExchangeOnlineManagement

+ ```

+

+

+ ```powershell

+ Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com -ConnectionUri https://outlook.office365.com/powershell?email=olga@contoso.onmicrosoft.com

+ ```

+

+

+ ```powershell

+

+ For example, to see the _Geography_ location information for the mailbox chris@contoso.onmicrosoft.com, run the following command:

+ ```powershell

+ The output of the command looks like this:

+ ```powershell

+Database : EURPR03DG077-db007

+MailboxRegion : EUR

+

+First, you must connect to Microsoft Graph using the required permission scopes for the actions you'll take in your Microsoft Graph PowerShell session.

+```

+> - The size and type of mailbox.

+> - The number of mailboxes being moved.

+> - The availability of move resources.

+

+ ```powershell

+ Set-Mailbox <MailboxIdentity> -ElcProcessingDisabled $true

+ ```

+ ```powershell

+ Set-Mailbox <MailboxIdentity> -ElcProcessingDisabled $false

+ ```

+

+To create a new cloud-only licensed user (not Microsoft Entra Connect synchronized) in a specific _Geographic_ location, use the following syntax in Microsoft Graph PowerShell:

+ ```powershell

+ $RC = Get-Credential

+ ```

+ ```powershell

+ New-MoveRequest -Remote -RemoteHostName mail.contoso.com -RemoteCredential $RC -Identity user@contoso.com -TargetDeliveryDomain <YourAppropriateDomain>

+ ```

+

+|User has mailbox folder permission to another mailbox <br/> |Potentially limited. <br/> If User A and Mailbox B aren't in the same _Geography_ during the tenant move, User A can't open Mailbox B's folder in Outlook Web Access if User A only has permission to a specific folder in Mailbox B. <br/> To add a shared folder, right-click the user name in the left navigation panel and select **Add shared folder**. <br/> |

+|User with full mailbox permission to another mailbox <br/> |Fully supported. <br/> If User A has _Full Access_ permission to Mailbox B, then User A can select the shared folder in the left navigation panel in Outlook Web Access to open a window showing Mailbox B. A user can open a shared mailbox using Outlook Web Access during the move without any adverse effect. The limitation only applies to folder-level sharing in a mailbox.|

+You can find the actual data location in Tenant Admin Center. As a tenant administrator you can find the actual data location, for committed data, by navigating to **Admin->Settings->Org Settings->Organization Profile->Data Location**.

+Capability Summary: Protects email and collaboration from zero-day malware, phish, and business email compromise. MDO P1 builds on Exchange Online Protection (EOP).

+Refer to the [ADR Commitment page](m365-dr-commitments.md#microsoft-defender-for-office-p1) for the specific customer data at rest commitment for Microsoft Defender for Office P1.

+1. _Tenant_ has a sign-up country included in _Local Region Geography_ or _Expanded Local Region Geography_.

+Refer to the [Advanced Data Residency Commitment](m365-dr-commitments.md) page for the specific customer data at rest commitment for Exchange Online Protection.

+EOP customer data migrates after ADR migration is initiated. MDO P1 doesn't have customer data to migrate.

+Refer to the [ADR Commitment page](m365-dr-commitments.md#office-for-the-web) for the specific customer data at rest commitment for Office for the Web.

+The cache for documents isn't migrated to the new _Geography_, and will be reestablished as users work on documents.

+We are in the process of updating the actual data location in _Tenant_ Admin Center. When this change is complete the tenant will be able to see the actual data location, for in scope data, by navigating to Admin|Settings|Org Settings|Organization Profile|Data Location. Until that change is visible, you can view the Exchange Online data or SharePoint location information in order to understand where the in scope data is stored for this service.

+>Unless otherwise stated in the [Microsoft Product Terms](https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all), the following Microsoft 365 services do not have specific commitments for data residency. You can use the following guidance to determine where your data may be provisioned at this time.

+Use the following guidance to determine where your data is located. Reference your _tenant Default Geography_.

+Refer to [Microsoft Entra Data Locations](https://aka.ms/aaddatamap).

+Tenants in EU member Countries/regions maintain data in Macro Region Geography 1 ΓÇô EMEA. All other tenants have customer data stored in the United States, except Australia. For customers in Australia, Microsoft Forms customer data is stored at rest in Australia for all new tenants using Forms and existing tenants that haven't previously used Forms.

+Refer to endpoint.microsoft.com, Tenant Administration | Tenant Status for existing tenants. If you don't have an existing tenant, create a trial tenant and provision Intune. Microsoft won't store Intune customer data at rest outside the stated geo, except if:

+- It's necessary for Microsoft to provide customer support, troubleshoot the service, or comply with legal requirements.

+- The customer configures an account to enable such storage of customer data, including by using the following:

+- If you're using the Remote Help feature, the Helper and Sharer's information might be sent outside of the stated Geo for 48 hours.

+- For Microsoft Entra ID: Refer to [Microsoft Entra Data Locations](https://aka.ms/aaddatamap).

+- Preview, beta, or other prerelease services, which typically store customer data in the United States but might store it globally. Regardless, Microsoft doesn't control or limit the Geo from which customers or their end users might access customer data. Similarly, where customer data in other services is subsequently integrated into Intune, the originating customer data will continue to be stored subject to the other service's own Geo commitments (if any); only the copy of the customer data integrated into Intune will be stored in the stated Geo for Intune.

+Customer data for this service comes from other services, like Exchange Online and SharePoint Online. There's no customer data stored outside of those services with the exception of the mobile device.

+OneNote stores customer data in OneDrive. It does however have an API that can cause persistent caches to be made outside of the Geography where OneDrive stores customer data.

+See the [Static data location information for select workloads](#static-data-location-information-for-select-workloads) section.

+Refer to [Dynamics 365 availability and data locations | Microsoft Learn](/dynamics365/get-started/availability).

+Starting December 5, 2022, Viva Goals [Customer Data](/privacy/eudb/eu-data-boundary-learn) for new tenants in the [European Union Data Boundary (EUDB)](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations) and in the United Kingdom will be stored in data centers located in the EU. All other tenants will have their Viva Goals Customer Data stored in data centers located in the United States. Tenants aren't provided with a choice for the specific deployment region for data storage.

+Customers based in EU and UK who signed up for Viva Goals prior to December 5, 2022, have now been migrated to EU data centers.

+See the [Static data location information for select workloads](#static-data-location-information-for-select-workloads) section. The data region for Manager/Leader and Advanced is determined by the _Default Geography_ of the _tenant_, not individual users.

+See the [Static data location information for select workloads](#static-data-location-information-for-select-workloads) section.

+Refer to [Manage data for Microsoft Whiteboard | Microsoft Learn](/microsoft-365/whiteboard/manage-data-organizations).

+Refer to [Data Residency - Viva Engage | Microsoft Learn](/viva/engage/manage-security-and-compliance/data-residency).

+The required conditions for the related commitments for the following services are:

+1. _Tenant_ has a sign-up country/region included in _Local Region Geography_ or _Expanded Local Region Geography_.

+Customer Data supporting Purview services is closely aligned with the Exchange Online and SharePoint services, and the bulk of the data migrated, if required to fulfill the data residency commitments for the Purview services, will be handled by those services. In the cases where supporting Customer Data is maintained in an Azure Service, for example, the migration of that data is tied to the migration of the underlying Exchange Online/SharePoint data.

+We are in the process of updating the actual data location in _Tenant_ Admin Center. When this change is complete you will be able to see the actual data location, for committed data, by navigating to Admin->Settings->Org Settings->Organization Profile->Data Location. Until that change is visible, you can view the Exchange Online data location information in order to understand where your committed data is stored for this service.

+Refer to the [ADR Commitment page](m365-dr-commitments.md#purview-audit-standard) for the specific Customer Data at rest commitment for Purview Audit (Standard).

+Refer to the [ADR Commitment page](m365-dr-commitments.md#purview-audit-premium) for the specific Customer Data at rest commitment for Purview Audit (Premium).

+Service documentation: [Learn about retention policies & labels](/microsoft-365/compliance/retention)

+Refer to the [ADR Commitment page](m365-dr-commitments.md#data-lifecycle-managementdata-retention) for the specific Customer Data at rest commitment for Data lifecycle management - Data Retention.

+Refer to the [ADR Commitment page](m365-dr-commitments.md#data-lifecycle-managementrecords-management) for the specific Customer Data at rest commitment for Data lifecycle management - Records Management.

+Refer to the [ADR Commitment page](m365-dr-commitments.md#information-protectionsensitivity-labels) for the specificCustomer Data at rest commitment for Information Protection - Sensitivity labels.

+- Windows 10, Windows 11, and macOS (Catalina 10.15 and higher) endpoints

+Refer to the [ADR Commitment page](m365-dr-commitments.md#information-protectiondata-loss-prevention-dlp) for the specific Customer Data at rest commitment for Information Protection - Data Loss Prevention (DLP).

+Refer to the [ADR Commitment page](m365-dr-commitments.md#information-protectionoffice-message-encryption) for the specific Customer Data at rest commitment for Information Protection - Office Message Encryption.

+Refer to the [ADR Commitment page](m365-dr-commitments.md#risk-and-complianceinformation-barriers) for the specific Customer Data at rest commitment for IB.

+ Title: Data Residency for SharePoint and OneDrive

+description: Data Residency for SharePoint and OneDrive

+# Data Residency for SharePoint and OneDrive

+1. The SharePoint subscription customer data is provisioned in _Local Region Geography_ or _Expanded Local Region Geography_.

+Refer to the [ADR Commitment page](m365-dr-commitments.md#sharepointonedrive) for the specific customer data at rest commitment for SharePoint and OneDrive.

+Customers can assign users of SharePoint/OneDrive to any _Satellite Geography_ supported by Multi-Geo (see Section 4.1.3). The following customer data will be stored in the relevant _Satellite Geography_:

+- SharePoint site content and the files stored within that site, and files uploaded to OneDrive.

+When SharePoint is moved, data for the following services is also moved:

+

+- OneDrive

+After we've completed moving your SharePoint data, you might see some of the following effects.

+

+- The data move for video takes longer than the moves for the rest of your content in SharePoint.

+- After the SharePoint content is moved, there will be a time frame when videos aren't able to be played.

+In the course of moving your SharePoint data, we migrate your search index and search settings to a new location. Until we've **completed** the move of your SharePoint data, we continue to serve your users from the index in the original location. In the new location, search automatically starts crawling your content after we've completed moving your SharePoint data. From this point and onwards, we serve your users from the migrated index. Changes to your content that occurred after the migration aren't included in the migrated index until crawling picks them up. Most customers don't notice that results are less fresh right after we've completed moving their SharePoint data, but some customers might experience reduced freshness in the first 24-48 hours.

+

+

+- Popularity and Search Reports for the site: Counts for Excel reports in the new location only include migrated counts and counts from usage reports that have run after we completed moving your SharePoint data. Any counts from the interim period are lost and can't be recovered. This period is typically a couple of days. Some customers might experience shorter or longer losses.

+As part of the migration, the _Primary Provisioned Geography_ changes and all new content will be stored at rest in the new _Primary Provisioned Geography_. Existing content will move in the background with no impact to you for up to 90 days after the first change to the SharePoint data location in the admin center.

+## **Multi-Geo Capabilities in SharePoint / OneDrive**

+Multi-Geo capabilities in OneDrive and SharePoint enable control of shared resources like SharePoint team sites and Microsoft 365 group mailboxes stored at rest in a specified _Macro Region Geography_ or _Local Region Geography_.

+The SharePoint storage quota for any _Geography_ location can be allocated by the SharePoint administrator by connecting to the _Primary Provisioned Geography_. _Geography_ administrators for _Satellite Geography_ locations can view the storage quota but can't allocate it.

+Use the [Microsoft SharePoint Management Shell](https://www.microsoft.com/download/details.aspx?id=35588) and connect to the _Primary Provisioned Geography_ location to allocate the storage quota for a _Geography_ location.

+With OneDrive _Geography_ move, you can move a user's OneDrive to a different _Geography_ location. OneDrive _Geography_ move is performed by the SharePoint administrator or the Microsoft 365 global administrator. Before you start a OneDrive _Geography_ move, be sure to notify the user whose OneDrive is being moved and recommend they close all files for the duration of the move. (If the user has a document open using the Office client during the move, then upon move completion the document will need to be saved to the new location.) The move can be scheduled for a future time, if desired.

+During OneDrive _Geography_ move window (about 2-6 hours) the user's OneDrive is set to read-only. The user can still access their files via the OneDrive sync app or their OneDrive site in SharePoint. After OneDrive _Geography_ move is complete, the user will be automatically connected to their OneDrive at the destination _Geography_ location when they navigate to OneDrive in the Microsoft 365 app launcher. The sync app will automatically begin syncing from the new location.

+The procedures in this article require the [Microsoft SharePoint PowerShell Module](https://www.microsoft.com/download/details.aspx?id=35588).

+- When the move is expected to start and how long it's expected to take

+- File permissions and sharing won't change as a result of the move.

+

+You'll see a list of your _Geography_ locations and whether content can be moved between will be denoted as "Compatible". If the command returns "Incompatible" please retry validating the status at a later date.

+This will return Success if the OneDrive is ready to be moved or Fail if there's a legal hold or subsite that would prevent the move. Once you have validated that the OneDrive is ready to move, you can start the move.

+

+You can stop the _Geography_ move of a user's OneDrive, provided the move isn't in progress or completed by using the cmdlet:

+|NotStarted|The move hasn't started|

+While the move is in progress, the user's OneDrive is set to read-only. Once the move is completed, the user is directed to their OneDrive in the new _Geography_ location when they navigate to OneDrive the Microsoft 365 app launcher or a web browser.

+- File permissions and sharing won't change because of the move.

+

+ To move a Microsoft 365 group-connected site, the Global Administrator or SharePoint Administrator must first change the Preferred Data Location (PDL) attribute for the Microsoft 365 group.

+You can stop a SharePoint site _Geography_ move, provided the move isn't in progress or completed by using the `Stop-SPOSiteContentMove` cmdlet.

+|Ready to Trigger|The move hasn't started.|

+|Scheduled|The move is in queue but hasn't yet started.|

+When the SharePoint site _Geography_ move completes, users will have access to their Microsoft 365 group site files on the Teams app. Additionally, files shared via Teams chat from their site prior to _Geography_ move will continue to work after move is complete.

+SharePoint uses Azure Blob Storage for its content, while the metadata associated with sites and its files is stored within SharePoint. After the site is moved from its source _Geography_ location to its destination _Geography_ location, the service will also move its associated Blob Storage. Blob Storage moves complete in approximately 40 days. This won't have any impact to users interaction with the data.

+This article is for Global or SharePoint administrators who have created a Multi-Geo _Satellite Geography_ location **before** SharePoint Multi-Geo capabilities became generally available on March 27, 2019, and who haven't enabled SharePoint Multi-Geo in their _Satellite Geography_ location(s).

+1. Open your SharePoint Management Shell and then run and confirm the following code:

+You can find the actual data location in Microsoft 365 admin center. As a _Tenant_ administrator you can find the actual data location, for committed data, by navigating to **Admin->Settings->Org Settings->Organization Profile->Data Location**. If you don't have a _Tenant_ created, you can have a _Tenant_ created when signing up for a Microsoft 365 trial.

+1. _Tenant_ has a sign-up country/region included in _Local Region Geography_, the European Union, or the United States.

+_For current language, please refer to the [Privacy and Security Product Terms](https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all) and view the section titled "Location of Customer Data at Rest for Core Online Services."_

+Refer to the [ADR Commitment page](m365-dr-commitments.md#microsoft-teams) to understand the specific commitments provided via Product Terms. Examples of the committed data include:

+- Chat/ channel messages and team structure: Every team in Microsoft Teams is backed by a Microsoft 365 Modern Group and its SharePoint site and Exchange mailbox. Private chats (including group chats), messages sent as part of a conversation in a channel, and the structure of teams and channels are stored in an Azure powered chat service. The data is also stored in a hidden folder in the user and group mailboxes to enable information protection features.

+- Images and Media: Media used in chats (except for Giphy GIFs which aren't stored but are a reference link to the original Giphy URL) are stored in an Azure based Media Service deployed to the same locations as the chat service.

+- Meeting Recordings: For users of Microsoft Stream (on SharePoint) Meeting Recordings are stored in the OneDrive storage of the user that initiates the recording.

+After the migration is complete the Files tab might take additional time (up to 7 seconds) to fully load when the user first attempts to use it.

+You can find the actual data location in _Tenant_ Admin Center. As a _Tenant_ administrator you can find the actual data location, for committed data, by navigating to **Settings > Org settings > Organization profile > Data location**.

+Capability Summary: Microsoft Viva Connections is your gateway to a modern employee experience designed to keep everyone engaged and informed. Viva Connections is a customizable app in Microsoft Teams that gives everyone a personalized destination to discover relevant news, conversations, and the tools they need to succeed. Data storage is related to the following Viva Connections Components: Dashboard and feed.

+Refer to the [ADR Commitment page](m365-dr-commitments.md#viva-connections) for the specific customer data at rest commitment for Viva Connections.

+Data is stored within Exchange Online, SharePoint and Microsoft Teams. Migration processes are handled by the applicable/relevant workloads.

+Refer to the [ADR Commitment page](m365-dr-commitments.md#viva-topics) for the specific customer data at rest commitment for Viva Topics.

+Data stored is maintained within Exchange Online, SharePoint, and Microsoft Teams. Migration processes are handled by the applicable/relevant workloads.

+description: "Determine where your Microsoft 365 customer data is stored worldwide."

+- SharePoint (ODSP) and OneDrive [Data Location](m365-dr-workload-spo.md#how-can-i-determine-customer-data-location)

+- Microsoft Copilot for Microsoft 365 [Data Location](m365-dr-workload-copilot.md#how-can-i-determine-customer-data-location)

+|Canada |CAN |Canada datacenters |

+## Memory protection and memory scanning

+Microsoft Defender Antivirus (MDAV) provides memory protection with different engines:

+|Client|Cloud|

+|:|:|

+|Behavior Monitoring | Behavior-based Machine Learning|

+|Antimalware Scan Interface(AMSI) integration | AMSI-paired Machine Learning|

+|Emulation |Detonation-based Machine Learning|

+|Memory scanning |N/A|

+An additional layer to help prevent memory-based attacks is to use the Attack Surface Reduction (ASR) rule ΓÇô **Block Office applications from injecting code into other processes**. For more information see, [Block Office applications from injecting code into other processes](attack-surface-reduction-rules-reference.md#block-office-applications-from-injecting-code-into-other-processes).

+### How does Microsoft Defender Antivirus memory protection help?

+See [Detecting reflective DLL loading with Windows Defender for Endpoint](https://www.microsoft.com/security/blog/2017/11/13/detecting-reflective-dll-loading-with-windows-defender-atp/) to learn about one way Microsoft Defender Antivirus memory attack protection helps.

+The guide is available:

+- [Evaluate Microsoft Defender Antivirus using PowerShell](microsoft-defender-antivirus-using-powershell.md)

+- in PDF format for offline viewing: [Download the guide in PDF format](https://www.microsoft.com/download/details.aspx?id=54795).

+### Troubleshooting Network Protection

+If network protection fails to detect, make sure that the following pre-requisites are enabled:

+1. Microsoft Defender Antivirus is the primary antivirus app (active mode)

+1. [Behavior Monitoring is enabled](/microsoft-365/security/defender-endpoint/behavior-monitor)

+1. [Cloud Protection is enabled](/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus)

+1. [Cloud Protection network connectivity is functional](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus)

+ Title: Hardware acceleration and Microsoft Defender Antivirus.

+description: How Microsoft Defender Antivirus incorporates hardware acceleration and Microsoft Defender Antivirus.

+ms.localizationpriority: medium

+search.appverid: MET150

+f1 keywords: NOCSH

+audience: ITPro

+# Hardware acceleration and Microsoft Defender Antivirus

+**Applies to:**

+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)  

+- Microsoft Defender Antivirus

+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)

+**Platforms:**

+- Windows 11, Windows 10

+**Known limitations:**

+- Intel TDT doesn't support processors designated as servers.

+- Multi-level virtualization isn't currently supported.

+- Windows Server workloads aren't supported.

+- Windows clients running on Xeon processors aren't supported due to Intel Xeon processors not supporting Intel TDT functionality.

+## Microsoft Defender Antivirus (MDAV) and Intel Threat Detection Technology (TDT)

+This table shows the Intel TDT technologies Microsoft collaborated with Intel on to provide security while also balancing performance:

+|Available since |Intel TDT technology | Intel Threat Detection Technology (TDT) available on|

+|:|:|:|

+|2018|Intel TDT ΓÇô Accelerated Memory Scanning (AMS)|Intel integrated graphic 6th Gen Core (circa 2015) or newer family of processors, running on laptops, tablets, and desktop systems.|

+|2021|Intel TDT - Cryptojacking detector| Intel 6th Gen Core (circa 2015) or newer family of processors, running on laptops, tablets, and desktop systems.|

+|2022|Intel TDT - Ransomware detector| Intel 8th Gen Core or newer family of processors.|

+**Intel Threat Detection Technology (TDT) - Accelerated Memory Scanning (AMS):** Introduced extra memory scanning capabilities to detect fileless attacks that are expensive on the Central Processing Unit (CPU), and then offload them to the integrated Graphics Processor Unit (integrated GPU). Two benefits are:

+- lower CPU consumption

+- A reduction of System-on-a-chip (SoC) power consumption leading to longer battery life on laptops and tablets

+**Intel Threat Detection Technology (TDT) - Cryptojacking:** Enhanced detection by leveraging IntelΓÇÖs Central Processing Unit (CPU) performance monitoring unit (PMU) and offloading to the integrated Graphics Processor Unit (integrated GPU) to detect the malware code execution (fingerprint) of repeated mathematical operations at runtime. The signals are processed by a layer of machine learning with minimal overhead.

+### How do you enable Intel TDT AMS or Cryptojacking integration?

+Enabled by default when Microsoft Defender Antivirus is running.

+### What do the detections show up as?

+The regular Microsoft Defender Antivirus Event ID **1116**.

+### What type of attacks does it help with?

+- We use the Intel TDT - Cryptojacking detector to thwart various cryptojacking mallards. The following Coinminer campaigns were successfully detected and blocked using the TDT Cryptojacking detector: [YouTube Pirated Software Videos Deliver Triple Threat: Vidar Stealer, LaPlasa Clipper, XMRig Miner](https://www.fortinet.com/blog/threat-research/youtube-pirated-software-videos-deliver-triple-threat-vidar-stealer-laplas-clipper-xmrig-miner)

+- We use the Intel TDT detector to identify instances of CryptoJacking malware abusing Windows binaries (lolbins), and then employ Defender behavior monitoring to prevent and block such activities effectively. For more information, see [Hardware-based threat defense against increasingly complex cryptojackers](https://www.microsoft.com/security/blog/2022/08/18/hardware-based-threat-defense-against-increasingly-complex-cryptojackers/).

+## Related articles

+- [Defending against ransomware with Microsoft Defender for Endpoint and Intel TDT: A Case Study](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-against-ransomware-with-microsoft-defender-for/ba-p/3243941).

+For more information, see [Ansible documentation](https://docs.ansible.com/ansible/latest).

+See <https://docs.ansible.com/ansible/latest> for more information.

+ Title: Evaluate Microsoft Defender Antivirus using PowerShell.

+description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Microsoft Defender Antivirus in Windows using PowerShell.

+ms.localizationpriority: medium

+- m365-security

+- tier2

+- mde-ngp

+search.appverid: met150

+# Evaluate Microsoft Defender Antivirus using Powershell

+**Applies to:**

+- Microsoft Defender Antivirus

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)

+In Windows 10 or newer and Windows Server 2016 or newer you can use next-generation protection features offered by Microsoft Defender Antivirus(MDAV) and Microsoft Defender Exploit Guard (Microsoft Defender EG).

+This topic explains how to enable and test the key protection features in Microsoft Defender AV and Microsoft Defender EG, and provides you with guidance and links to more information.

+We recommend you use [this evaluation PowerShell script](https://aka.ms/wdeppscript) to configure these features, but you can individually enable each feature with the cmdlets described in the rest of this document.

+See the following product documentation libraries for more information about our EPP products:

+- [Microsoft Defender Antivirus](https://aka.ms/wdavdocs)

+- [Microsoft Defender Exploit Guard](https://aka.ms/wdegdocs)

+This article describes configuration options in Windows 10 or newer and Windows Server 2016 or newer.

+If you have any questions about a detection that Microsoft Defender AV makes, or you discover a missed detection, you can submit a file to us at [our sample submission help site.](https://www.microsoft.com/security/portal/mmpc/help/submission-help.aspx)

+## Use PowerShell to enable the features

+This guide provides the [Microsoft Defender Antivirus cmdlets](/powershell/module/defender/?view=windowsserver2022-ps) that configure the features you should use to evaluate our protection.

+To use these cmdlets:

+> 1\. Open an elevated instance of PowerShell (choose to Run as administrator).

+>

+> 2\. Enter the command listed in this guide and press Enter.

+You can check the status of all settings before you begin, or during your evaluation, by using the [Get-MpPreference PowerShell cmdlet](/powershell/module/defender/get-mppreference?view=windowsserver2022-ps).

+Microsoft Defender AV indicates a detection through [standard Windows notifications](configure-notifications-microsoft-defender-antivirus.md). You can also [review detections in the Microsoft Defender AV app](review-scan-results-microsoft-defender-antivirus.md).

+The Windows event log also records detection and engine events. [See the Microsoft Defender Antivirus events article for a list of event IDs](troubleshoot-microsoft-defender-antivirus.yml) and their corresponding actions.

+## Cloud protection features

+Standard definition updates can take hours to prepare and deliver; our cloud-delivered protection service can deliver this protection in seconds.

+More details are available in [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus).

+| Description | PowerShell Command |

+|||

+|Enable the Microsoft Defender Cloud for near-instant protection and increased protection|Set-MpPreference -MAPSReporting Advanced|

+|Automatically submit samples to increase group protection|Set-MpPreference -SubmitSamplesConsent Always|

+|Always Use the cloud to block new malware within seconds|Set-MpPreference -DisableBlockAtFirstSeen 0|

+|Scan all downloaded files and attachments|Set-MpPreference -DisableIOAVProtection 0|

+|Set cloud block level to 'High'|Set-MpPreference -CloudBlockLevel High|

+|High Set cloud block timeout to 1 minute|Set-MpPreference -CloudExtendedTimeout 50|

+## Always-on protection (real-time scanning)

+Microsoft Defender AV scans files as soon as they're seen by Windows, and will monitor running processes for known or suspected malicious behaviors. If the antivirus engine discovers malicious modification, it will immediately block the process or file from running.

+See [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) for more details on these options.

+| Description | PowerShell Command |

+|||

+|Constantly monitor files and processes for known malware modifications | Set-MpPreference -DisableRealtimeMonitoring 0 |

+|Constantly monitor for known malware behaviors ΓÇô even in ΓÇÿcleanΓÇÖ files and running programs | Set-MpPreference -DisableBehaviorMonitoring 0 |

+|Scan scripts as soon as they are seen or run | Set-MpPreference -DisableScriptScanning 0 |

+|Scan removable drives as soon as they are inserted or mounted | Set-MpPreference -DisableRemovableDriveScanning 0 |

+## Potentially Unwanted Application protection

+[Potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) are files and apps that are not traditionally classified as malicious. These include third-party installers for common software, ad-injection, and certain types of toolbars in your browser.

+| Description | PowerShell Command |

+|||

+|Prevent grayware, adware, and other potentially unwanted apps from installing|Set-MpPreference -PUAProtection Enabled|

+## Email and archive scanning

+You can set Microsoft Defender Antivirus to automatically scan certain types of email files and archive files (such as .zip files) when they are seen by Windows. More information about this feature can be found under the [Manage email scans in Microsoft Defender](configure-advanced-scan-types-microsoft-defender-antivirus.md) article.

+| Description | PowerShell Command |

+|||

+|Scan email files and archives|Set-MpPreference -DisableArchiveScanning 0 </br> Set-MpPreference -DisableEmailScanning 0|

+## Manage product and protection updates

+Typically, you receive Microsoft Defender AV updates from Windows update once per day. However, you can increase the frequency of those updates by setting the following options, and [ensuring that your updates are managed either in System Center Configuration Manager, with Group Policy, or in Intune](deploy-manage-report-microsoft-defender-antivirus.md).

+| Description | PowerShell Command |

+|||

+|Update signatures every day|Set-MpPreference -SignatureUpdateInterval|

+|Check to update signatures before running a scheduled scan|Set-MpPreference -CheckForSignaturesBeforeRunningScan 1|

+## Advanced threat and exploit mitigation and prevention Controlled folder access

+Microsoft Defender Exploit Guard provides features that help protect devices from known malicious behaviors and attacks on vulnerable technologies.

+| Description | PowerShell Command |

+|||

+|Prevent malicious and suspicious apps (such as ransomware) from making changes to protected folders with Controlled folder access|Set-MpPreference -EnableControlledFolderAccess Enabled|

+|Block connections to known bad IP addresses and other network connections with [Network protection](network-protection.md)|Set-MpPreference -EnableNetworkProtection Enabled|

+|Apply a standard set of mitigations with [Exploit protection](exploit-protection.md)|Invoke-WebRequest </br> https://demo.wd.microsoft.com/Content/ProcessMitigation.xml -OutFile ProcessMitigation.xml </br >Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml|

+|Block known malicious attack vectors with [Attack surface reduction](attack-surface-reduction.md)|Add-MpPreference -AttackSurfaceReductionRules\_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules\_Actions Enabled </br>Add-MpPreference -AttackSurfaceReductionRules\_Ids 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules\_Actions Enabled</br>Add-MpPreference -AttackSurfaceReductionRules\_Ids D4F940AB-401B-4EfC-AADCAD5F3C50688A -AttackSurfaceReductionRules\_Actions Enabled</br>Add-MpPreference -AttackSurfaceReductionRules\_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules\_Actions Enabled</br>Add-MpPreference -AttackSurfaceReductionRules\_Ids BE9BA2D9-53EA-4CDC-84E5- 9B1EEEE46550 -AttackSurfaceReductionRules\_Actions Enabled </br>Add-MpPreference -AttackSurfaceReductionRules\_Ids 01443614-CD74-433A-B99E2ECDC07BFC25 -AttackSurfaceReductionRules\_Actions Enabled</br>Add-MpPreference -AttackSurfaceReductionRules\_Ids 5BEB7EFE-FD9A-4556801D275E5FFC04CC -AttackSurfaceReductionRules\_Actions Enabled</br>Add-MpPreference -AttackSurfaceReductionRules\_Ids D3E037E1-3EB8-44C8-A917- 57927947596D -AttackSurfaceReductionRules\_Actions Enabled</br>Add-MpPreference -AttackSurfaceReductionRules\_Ids 3B576869-A4EC-4529-8536- B80A7769E899 -AttackSurfaceReductionRules\_Actions Enabled</br>Add-MpPreference -AttackSurfaceReductionRules\_Ids 75668C1F-73B5-4CF0-BB93- 3ECF5CB7CC84 -AttackSurfaceReductionRules\_Actions Enabled</br>Add-MpPreference -AttackSurfaceReductionRules\_Ids 26190899-1602-49e8-8b27-eb1d0a1ce869 -AttackSurfaceReductionRules\_Actions Enabled</br>Add-MpPreference -AttackSurfaceReductionRules\_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules\_Actions Enabled</br>Add-MpPreference -AttackSurfaceReductionRules\_Ids D1E49AAC-8F56-4280-B9BA993A6D77406C -AttackSurfaceReductionRules\_Actions Enabled</br>Add-MpPreference -AttackSurfaceReductionRules\_Ids 33ddedf1-c6e0-47cb-833e-de6133960387 -AttackSurfaceReductionRules\_Actions Enabled</br>Add-MpPreference -AttackSurfaceReductionRules\_Ids B2B3F03D-6A65-4F7B-A9C7- 1C7EF74A9BA4 -AttackSurfaceReductionRules\_Actions Enabled</br>Add-MpPreference -AttackSurfaceReductionRules\_Ids c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb -AttackSurfaceReductionRules\_Actions Enabled</br>Add-MpPreference -AttackSurfaceReductionRules\_Ids a8f5898e-1dc8-49a9-9878-85004b8a61e6 -AttackSurfaceReductionRules\_Actions Enabled</br>Add-MpPreference -AttackSurfaceReductionRules\_Ids 92E97FA1-2EDF-4476-BDD6- 9DD0B4DDDC7B -AttackSurfaceReductionRules\_Actions Enabled</br>Add-MpPreference -AttackSurfaceReductionRules\_Ids C1DB55AB-C21A-4637-BB3FA12568109D35 -AttackSurfaceReductionRules\_Actions Enabled|

+Some rules may block behavior you find acceptable in your organization. In these cases, change the rule from Enabled to Audit to prevent unwanted blocks.

+## One-click Microsoft Defender Offline Scan

+Microsoft Defender Offline Scan is a specialized tool that comes with Windows 10 or newer, and allows you to boot a machine into a dedicated environment outside of the normal operating system. ItΓÇÖs especially useful for potent malware, such as rootkits.

+See [Microsoft Defender Offline](microsoft-defender-offline.md) for more information on how this feature works.

+| Description | PowerShell Command |

+|||

+|Ensure notifications allow you to boot the PC into a specialized malware removal environment|Set-MpPreference -UILockdown 0|

+## Resources

+This section lists many resources that can assist you with evaluating Microsoft Defender Antivirus.

+- [Microsoft Defender in Windows 10 library](microsoft-defender-antivirus-windows.md)

+- [Microsoft Defender for Windows Server 2016 library](/windows-server/security/windows-defender/windows-defender-overview-windows-server)

+- [Windows 10 security library](/windows/resources/)

+- [Windows 10 security overview](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10)

+- [Microsoft Defender Security Intelligence (Microsoft Malware Protection Center (MMPC)) website ΓÇô threat research and response](https://www.microsoft.com/wdsi)

+- [Microsoft Security website](https://www.microsoft.com/security)

+- [Microsoft Security blog](https://www.microsoft.com/security/blog)

+ Title: Microsoft Defender Antivirus in Windows Overview

+# Microsoft Defender Antivirus in Windows Overview

+- Windows

+WeΓÇÖve also designed our antivirus solution to work in both online and offline scenarios. For offline scenarios, the latest dynamic intelligence from the Intelligence Security Graph is provisioned to the endpoint regularly throughout the day. When connected to the cloud, itΓÇÖs fed real-time intelligence from the [Intelligent Security Graph](https://www.microsoft.com/security/blog/2018/04/17/connect-to-the-intelligent-security-graph-using-a-new-api/).

+| Windows 10 version 1709 or later, Windows 11, Windows Server 1803 or later | Make sure that [Microsoft Defender Antivirus real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md), [behavior monitoring](/microsoft-365/security/defender-endpoint/behavior-monitor) and [cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) are enabled (active) |

+> [!NOTE]

+> If you're using Defender for Endpoint Plan 1, you can take certain response actions manually. For more information, see [Manual response actions](/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1#manual-response-actions).

+ //List malicious emails that were not zapped successfully

+ :::image type="content" source="../../media/atp-api-new-app-partner.png" alt-text="An application's registration sections in the Microsoft Defender portal" lightbox="../..//media/atp-api-new-app-partner.png":::

+ Title: Create custom Microsoft Defender XDR reports using Microsoft Graph security API and Power BI

+description: How to create custom Microsoft Defender XDR reports using Microsoft Graph security API and Power BI.

+# Create custom Microsoft Defender XDR reports using Microsoft Graph security API and Power BI

+- Navigating built-in reports in the Microsoft Defender portal.

+- Using Microsoft Sentinel workbooks with prebuilt templates for every Defender product (requires integration with Microsoft Sentinel).

+- Applying the render function in Advanced Hunting.

+In this article, we create a sample Security Operations Center (SOC) efficiency dashboard in Power BI using Microsoft Graph security API. We access it in user context, therefore user must have [corresponding permissions](manage-rbac.md) to be able to view alerts and incidents data.

+In this section, we go through the steps required to get Microsoft Defender XDR data into Power BI, using Alerts data as an example.

+1. Open Microsoft Power BI Desktop.

+2. Select **Get Data > Blank Query**.

+3. Select **Advanced Editor**.

+ :::image type="content" source="../../media/defender/power-bi/manage-parameters.png" alt-text="Screenshot that shows how to create a new data query in Power BI Desktop." lightbox="../../media/defender/power-bi/manage-parameters.png":::

+4. Paste in Query:

+ ```console

+5. Select **Done**.

+6. When you're prompted for credentials, select **Edit Credentials**:

+ :::image type="content" source="../../media/defender/power-bi/edit-credentials-api.png" alt-text="Screenshot of how to edit credentials for API connection." lightbox="../../media/defender/power-bi/edit-credentials-api.png":::

+7. Select **Organizational account > Sign in**.

+ :::image type="content" source="../../media/defender/power-bi/sign-in-org-account.png" alt-text="Screenshot of the organizational account authentication window." lightbox="../../media/defender/power-bi/sign-in-org-account.png":::

+8. Enter credentials for account with access to Microsoft Defender XDR incidents data.

+9. Select **Connect**.

+Microsoft Graph API supports [query parameters](/graph/filter-query-parameter). Here are few examples of filters used in the report:

+- The following query returns the list of alerts generated over the past three days. Using this query in environments with high volumes of data might result in hundreds of megabytes of data that could take a moment to load. By using this hardcoded approach, you're able to quickly see your most recent alerts over the last three days as soon as you open the report.

+ ```console

+ ```console

+- When historical data is required (for example, comparing the number of incidents per month), filtering by date isn't an option (since we want to go as far back as possible). In this case, we need to pull a few selected fields as shown in the following example:

+ ```console

+ Source = OData.Feed("https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=createdDateTime ge " & StartLookbackDate & " and createdDateTime lt " & EndLookbackDate &

+Instead of constantly querying the code to adjust the timeframe, use parameters to set a Start and End Date each time you open the report.

+1. Go to **Query Editor**.

+2. Select **Manage Parameters** \> **New Parameter**.

+3. Set desired parameters.

+ In the following example, we use two different time frames, Start and End dates.

+ :::image type="content" source="../../media/defender/power-bi/manage-parameters.png" alt-text="Screenshot of how to manage Parameters in Power BI." lightbox="../../media/defender/power-bi/manage-parameters.png":::

+4. Remove hardcoded values from the queries and make sure that StartDate and EndDate variable names correspond to parameter names:

+ ```console

+Once the data has been queried and the parameters are set, now we can review the report. During the first launch of the PBIT report file, you're prompted to provide the parameters that we specified earlier:

+The dashboard offers three tabs intended to provide SOC insights. The first tab provides a summary of all recent alerts (depending on the selected timeframe). This tab helps analysts clearly understand the security state over their environment using alert details broken down by detection source, severity, total number of alerts and mean-time-to-resolution.

+For more information, see the [Power BI report templates sample file](https://download.microsoft.com/download/0/1/6/01686830-b4e4-4cc1-af5b-7e07eab3ff55/defender-xdr-soc-overview.zip).

+ :::image type="content" source="../../media/copilot-in-defender/incident-report/fig1-new-sec-copilot-m365d-create-report.png" alt-text="Screenshot highlighting the generate incident report and report icon buttons in the incident page." lightbox="../../media/copilot-in-defender/incident-report/fig1-expand-sec-copilot-m365d-create-report.png":::

+ :::image type="content" source="../../media/copilot-in-defender/incident-report/fig2-new-sec-copilot-m365d-create-report.png" alt-text="Screenshot of the incident report card in the incident page." lightbox="../../media/copilot-in-defender/incident-report/fig2-expand-sec-copilot-m365d-create-report.png":::

+> [!TIP]

+> Filters are cached. The filters from the last sessions are selected by default the next time you open the **Quarantine** page. This behavior helps with triage operations.

+> [!TIP]

+> Filters are cached. The filters from the last sessions are selected by default the next time you open the **Quarantine** page. This behavior helps with triage operations.

+

+

+> The latest version of the contracts management site template is now available as a [team site template directly from SharePoint](https://support.microsoft.com/office/80820115-c700-4a62-bb59-69b33c8e3b4f). The look book version of this site template is no longer being updated.

+f1.keywords: NOCSH

+Read on for more details or watch this video for a quick walk-through of the latest improvements.

+The Test Base for Microsoft 365 dashboard shows the memory consumed by your application on a new pre-released Windows update and compares it with the memory used by the last released Windows update.

+By providing the failure signals upfront, our goal is to clearly flag potential issues that can disrupt and impact the end user experience for your application.

+

+In this example, the favorite process ΓÇ£USLTestMemoryStress.exeΓÇ¥ process consumed an average of approximately 100 MB on the pre-release August update compared to the released July update, hence the Test Base for Microsoft 365 identified a regression.

+The regression on the main process was determined to be ΓÇ£statistically significantΓÇ¥ so the service communicated and highlighted this difference to the user. If the comparison wasn't statistically significant, it wouldn't be highlighted. Memory utilization can be noisy, so we use statistical models to distinguish, across builds and releases, meaningful differences from inconsequential differences.

+The next step is to understand what caused the memory regression. You can download the zip files for both executions from the Download log files option, as shown below.