Updates from: 03/22/2022 02:36:15
Category Microsoft Docs article Related commit history on GitHub Change details
compliance Communication Compliance Channels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-channels.md
With communication compliance policies, you can choose to scan messages in one o
Chat communications in both public and private Microsoft Teams channels and individual chats can be scanned. When users are assigned to a communication compliance policy with Microsoft Teams coverage selected, chat communications for the users are automatically monitored across all Microsoft Teams where the users are a member. Microsoft Teams coverage is automatically included for pre-defined policy templates and is selected by default in the custom policy template. Teams chats matching communication compliance policy conditions may take up to 48 hours to process.
-For private chat and private channels, communication compliance policies support Modern attachment scanning. Modern attachments are files sourced from [OneDrive](/onedrive/plan-onedrive-enterprise#modern-attachments) or [SharePoint](/sharepoint/dev/solution-guidance/modern-experience-customizations) sites that are included in Teams messages. Text is automatically extracted from these attachments for automated processing and potential matches with active communication compliance policy conditions and classifiers. There isn't any additional configuration necessary for Modern attachment detection and processing. Text is only extracted for attachments matching policy conditions. Text isn't extracted for attachments for messages with policy matches, even if the attachment also has a policy match.
+For private chat and private channels, communication compliance policies support [Shared Channels](/MicrosoftTeams/shared-channels) and Modern attachment scanning. Shared Channels support in Teams is handled automatically and don't require additional communication compliance configuration changes. The following table summarizes communication compliance behavior when sharing Teams channels with groups and users:
+
+|**Scenario**|**Communication compliance behavior**|
+|:--|:|
+| **Share a channel with an internal team** | Communication compliance policies apply to in-scope users and all messages in the shared channel |
+| **Share a channel with an external team** | Communication compliance policies apply to internal in-scope users and messages in the shared channel for the internal organization |
+
+Modern attachments are files sourced from [OneDrive](/onedrive/plan-onedrive-enterprise#modern-attachments) or [SharePoint](/sharepoint/dev/solution-guidance/modern-experience-customizations) sites that are included in Teams messages. Text is automatically extracted from these attachments for automated processing and potential matches with active communication compliance policy conditions and classifiers. There isn't any additional configuration necessary for Modern attachment detection and processing. Text is only extracted for attachments matching policy conditions. Text isn't extracted for attachments for messages with policy matches, even if the attachment also has a policy match.
Modern attachment scanning is supported for the following file types:
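Review bot: The delimiter row of the new table, `|:--|:|`, is malformed; the second cell needs at least one dash (`|:--|:--|`) or Markdown renderers will not recognise the block as a table. In the sentence before it, "Shared Channels support in Teams is handled automatically and don't require additional communication compliance configuration changes" has a subject/verb mismatch ("support ... doesn't require"), and the opening "For private chat and private channels, communication compliance policies support [Shared Channels]" reads as if shared channels were a kind of private channel; a separate sentence such as "Communication compliance policies also support Shared Channels" would be clearer. The external-team row only says policies apply to "internal in-scope users and messages ... for the internal organization", which implies messages from the external organization's users are not captured; say that explicitly, because it is the limitation an admin most needs to know before relying on this coverage.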
compliance Content Search Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/content-search-reference.md
Keep the following things in mind when searching for content in Microsoft Teams
- To search for content located in Teams and Microsoft 365 Groups, you have to specify the mailbox and SharePoint site that are associated with a team or group. -- Content from private channels is stored in each user's mailbox, not the team mailbox. To search for content in private channels, see [eDiscovery of private channels](/microsoftteams/ediscovery-investigation#ediscovery-of-private-channels).
+- Content from private channels is stored in each user's mailbox, not the team mailbox. To search for content in private channels, see [eDiscovery of private and shared channels](/microsoftteams/ediscovery-investigation#ediscovery-of-private-and-shared-channels).
- Run the **Get-UnifiedGroup** cmdlet in Exchange Online to view properties for a team or a Microsoft 365 Group. This is a good way to get the URL for the site that's associated with a team or a group. For example, the following command displays selected properties for a Microsoft 365 Group named Senior Leadership Team:
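Review bot: The link text now reads "eDiscovery of private and shared channels", but the bullet's own sentence still only explains where private channel content lives (each user's mailbox, not the team mailbox). The retention-policies-teams change on this same page lists a separate SubstrateGroup mailbox type for Teams shared channel data, so a reader who only sees this bullet will not know that shared channel content is stored differently. Add a clause telling the reader where shared channel content is found, or rename the bullet to cover both channel types rather than relying on the link text alone.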
compliance Create Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-retention-policies.md
When you have more than one retention policy, and when you also use retention la
### Retention policy for Teams locations
+> [!NOTE]
+> Retention policies now support [shared channels](/MicrosoftTeams/shared-channels), currently in preview. When you configure retention settings for the **Teams channel message** location, if a team has any shared channels, they inherit retention settings from their parent team.
+ 1. From the [Microsoft 365 compliance center](https://compliance.microsoft.com/), select **Information Governance** > **Retention Policies**. 2. Select **New retention policy** to start the **Create retention policy** configuration, and name your new retention policy.
When you have more than one retention policy, and when you also use retention la
- If you chose **Adaptive**: On the **Choose adaptive policy scopes and locations** page, select **Add scopes** and select one or more adaptive scopes that have been created. Then, select one or more locations. The locations that you can select depend on the [scope types](retention-settings.md#configuration-information-for-adaptive-scopes) added. For example, if you only added a scope type of **User**, you will be able to select **Teams chats** but not **Teams channel messages**. - If you chose **Static**: On the **Choose locations to apply the policy** page, select one or more locations for Teams:
- - **Teams channel message**: Messages from standard channel chats and standard channel meetings, but not from [private channels](/microsoftteams/private-channels) that have their own policy location.
+ - **Teams channel message**: Messages from standard and shared channel chats, and standard and shared channel meetings, but not from [private channels](/microsoftteams/private-channels) that have their own policy location.
- **Teams chats**: Messages from private 1:1 chats, group chats, and meeting chats. - **Teams private channel messages**: Messages from private channel chats and private channel meetings.
First, the retention policy needs to be distributed to the locations that you se
Set-AppRetentionCompliancePolicy -Identity <policy name> -RetryDistribution ```
- - For all other policy locations, such as **Exchange email**, **SharePoint sites**, **Teams channel messages** etc:
+ - For all other policy locations, such as **Exchange email**, **SharePoint sites**, and **Teams channel messages**:
```PowerShell Set-RetentionCompliancePolicy -Identity <policy name> -RetryDistribution
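Review bot: The new NOTE says shared channels inherit retention settings from their parent team, and the **Teams channel message** bullet now covers shared channels together with standard channels, but nowhere does the procedure say that shared channels cannot be selected as their own location the way private channels can; adding that sentence to the NOTE ("there is no separate location for shared channels; they are covered only through the parent team's Teams channel message location") would save admins from looking for one. Minor style: "standard and shared channel chats, and standard and shared channel meetings" can be shortened to "standard and shared channel chats and meetings".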
compliance Dlp Microsoft Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-microsoft-teams.md
If your organization has data loss prevention (DLP), you can define policies tha
- **Example 2: Protecting sensitive information in documents**. Suppose that someone attempts to share a document with guests in a Microsoft Teams channel or chat, and the document contains sensitive information. If you have a DLP policy defined to prevent this, the document won't open for those users. Your DLP policy must include SharePoint and OneDrive in order for protection to be in place. This is an example of DLP for SharePoint that shows up in Microsoft Teams, and therefore requires that users are licensed for Office 365 DLP (included in Office 365 E3), but does not require users to be licensed for Office 365 Advanced Compliance.)
+- **Example 3: Protecting communications in Teams Shared Channels**. For shared channels, the host Teams team DLP policy are applied. For example letΓÇÖs say there's a shared channel owned by TeamA of Contoso. TeamA has a DLP policy P1. There are 3 ways to share a channel:
+ - **Share with member**: You invite user1 from Contoso to join the shared channel without making him a member of TeamA. Everyone in this shared channel, including user1, will be covered by P1.
+ - **Share with team (internally)**: You share the channel with another team TeamB in Contoso. That another team may have a different DLP policy, but that doesnΓÇÖt matter. P1 will apply to everyone in this shared channel, including both TeamA and TeamB users.
+ - **Share with team (cross tenant)**: You share the channel with a team TeamF in Fabrikam. Fabrikam may have its own DLP policy, but that doesnΓÇÖt matter. P1 will apply to everyone in this shared channel, including both TeamA (Contoso) and TeamF (Fabrikam) users.
+
## DLP Licensing for Microsoft Teams [Data loss prevention](dlp-learn-about-dlp.md) capabilities were extended to include Microsoft Teams chat and channel messages, **including private channel messages** for:
DLP protection is applied differently to Teams entities.
|When policy is scoped by |These Teams Entities |Will have DLP protection available| |||| |Individual user accounts |1:1/n chats |Yes |
-| |General chats |No |
-| |private channels |Yes |
+| |Standard and shared channel messages |No |
+| |Private channel messages |Yes |
|Security groups/distribution lists | 1:1/n chats |Yes |
-| |General chats |No |
-| |private channels |Yes |
+| |Standard and shared channel messages |No |
+| |Private channel messages |Yes |
|Microsoft 365 group |1:1/n chats |No |
-| |General chats |Yes |
-| |private channels|No|
+| |Standard and shared channel messages |Yes |
+| |Private channel messages|No|
## Policy tips help educate users
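Review bot: Example 3 should state how policy P1 is scoped, because the table below says shared channel messages get DLP protection only when the policy is scoped by Microsoft 365 group (it is "No" for individual user accounts and for security groups/distribution lists). Say "TeamA has a DLP policy P1 scoped to TeamA's Microsoft 365 group", otherwise readers with user-scoped policies will expect coverage the table says is not available. Grammar in the same paragraph: "the host Teams team DLP policy are applied" should read "the host team's DLP policy is applied", "There are 3 ways" should be "There are three ways", and "without making him a member" should be "without making them a member".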
compliance Dlp Powerbi Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-powerbi-get-started.md
+
+ Title: "Get started with Data loss prevention for Power BI"
+f1.keywords:
+- CSH
+++ Last updated :
+audience: ITPro
+
+f1_keywords:
+- 'ms.o365.cc.DLPLandingPage'
+
+ms.localizationpriority: high
+
+- M365-security-compliance
+- m365solution-mip
+- m365initiative-compliance
+
+search.appverid:
+- MET150
+description: "Prepare for and deploy DLP to PowerBI locations."
+
+# Get started with Data loss prevention policies for Power BI (preview)
+
+To help organizations detect and protect their sensitive data, [Microsoft 365 data loss prevention (DLP) polices](/microsoft-365/compliance/dlp-learn-about-dlp) support Power BI. When a PowerBI data set matches the criteria in a DLP policy, an alert that explains the nature of the sensitive content can be triggered. This alert is also registered in the data loss prevention **Alerts** tab in the Microsoft compliance portal for monitoring and management by administrators. In addition, email alerts can be sent to administrators and specified users.
+
+## Considerations and limitations
+
+- DLP policies apply to workspaces. Only workspaces hosted in Premium Gen2 capacities are supported.
+- DLP dataset evaluation workloads impact capacity. Metering for DLP evaluation workloads is not supported.
+- Both classic and new experience workspaces are supported, as long as they are hosted in Premium Gen2 capacities.
+- You must create a custom DLP custom policy for Power BI. DLP templates are not supported.
+- DLP polices that are applied to the DLP location support sensitivity labels and sensitive information types as conditions.
+- DLP policies for Power BI are not supported for sample datasets, [streaming datasets](/power-bi/connect-data/service-real-time-streaming), or datasets that connect to their data source via [DirectQuery](/power-bi/connect-data/desktop-use-directquery) or [live connection](/power-bi/connect-data/desktop-directquery-about#live-connections).
+- DLP policies for Power BI are not supported in sovereign clouds.
+
+## Licensing and permissions
+
+### SKU/subscriptions licensing
+
+Before you get started with DLP for Power BI, you should confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1). For full licensing guidance, see [Microsoft 365 guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection).
+
+### Permissions
+
+Data from DLP for Power BI can be viewed in [Activity explorer](/microsoft-365/compliance/data-classification-activity-explorer). There are four roles that grant permission to activity explorer; the account you use for accessing the data must be a member of any one of them.
+
+- Global administrator
+- Compliance administrator
+- Security administrator
+- Compliance data administrator
+
+## How DLP policies for Power BI work
+
+You define a DLP policy in the data loss prevention section of the compliance portal. See, [Design a data loss prevention policy](dlp-policy-design.md#design-a-data-loss-prevention-policy). In the policy, you specify sensitivity label(s) you want to detect. You also specify the action(s) that will happen when the policy detects a dataset that has a specified sensitivity label applied. DLP policies support two actions for Power BI:
+
+- User notification via policy tips.
+- Alerts. Alerts can be sent by email to administrators and users. Additionally, administrators can monitor and manage alerts on the **Alerts** tab in the compliance center.
+
+When a dataset is evaluated by DLP and matches the conditions in a DLP policy, the actions defined in the policy are applied. A dataset is evaluated occurs when a dataset is:
+
+- Publish
+- Republish
+- On-demand refresh
+- Scheduled refresh
+
+>[!NOTE]
+> DLP evaluation of the dataset does not occur if either of the following is true:
+> - The initiator of the event is a service principal.
+> - The dataset owner is either a service principal or a B2B user.
+
+### What happens when a dataset matches a DLP policy
+
+When a dataset matches a DLP policy:
+
+- If the policy has user notification configured, it will be marked in the Power BI service with a shield icon to indicate that it matches a DLP policy.
+
+ ![Screenshot of policy tip badge on dataset in lists.](../media/dlp-power-bi-policy-tip-on-dataset.png)
+
+ Open the dataset details page to see a policy tip that explains the policy match and how the detected type of sensitive information should be handled.
+
+ ![Screenshot of policy tip on dataset details page.](../media/dlp-power-bi-policy-tip-in-dataset-details.png)
+
+ >[!NOTE]
+ > If you hide the policy tip, it doesnΓÇÖt get deleted. It will appear the next time you visit the page.
+
+- If alerts are enabled in the policy, an alert will be recorded on the dlp **Alerts** tab in the compliance center, and (if configured) an email will be sent to administrators and/or specified users. The following image shows the **Alerts** tab in the data loss prevention section of the compliance center.
+
+ ![Screenshot of Alerts tab in the compliance center.](../media/dlp-power-bi-alerts-tab.png)
+
+## Configure a DLP policy for Power BI
+
+Follow the procedures in [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md#create-test-and-tune-a-dlp-policy) and use the custom template.
+
+> [!IMPORTANT]
+> When you select the locations for your DLP policy for Power BI, select only the Power BI location. Do not select any other locations, this configuration is not supported.
+
+<!--1. Log into the [Microsoft 365 compliance portal](https://compliance.microsoft.com).
+
+1. Choose the **Data loss prevention** solution in the navigation pane, select the **Policies** tab, choose **Create policy**.
+
+ ![Screenshot of D L P create policy page.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-create.png)
+
+1. Choose the **Custom** category and then the **Custom policy** template.
+
+ >[!NOTE]
+ >No other categories or templates are currently supported.
+
+ ![Screenshot of D L P choose custom policy page.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-choose-custom.png)
+
+ When done, click **Next**.
+
+1. Name the policy and provide a meaningful description.
+
+ ![Screenshot of D L P policy name description section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-name-description.png)
+
+ When done, click **Next**.
+
+1. Enable Power BI as a location for the DLP policy. **Disable all other locations**. Currently, DLP policies for Power BI must specify Power BI as the sole location.
+
+ ![Screenshot of D L P choose location page.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-choose-location.png)
+
+ By default the policy will apply to all workspaces. Alternatively, you can specify particular workspaces to include in the policy as well as workspaces to exclude from the policy.
+ >[!NOTE]
+ > DLP actions are supported only for workspaces hosted in Premium Gen2 capacities.
+
+ If you select **Choose workspaces** or **Exclude workspaces**, a dialog will allow you to create a list of included (or excluded) workspaces. You must specify workspaces by workspace object ID. Click the info icon for information about how to find workspace object IDs.
+
+ ![Screenshot of D L P choose workspaces dialog.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-choose-workspaces.png)
+
+ After enabling Power BI as a DLP location for the policy and choosing which workspaces the policy will apply to, click **Next**.
+
+1. The **Define policy settings** page appears. Choose **Create or customize advanced DLP rules** to begin defining your policy.
+
+ ![Screenshot of D L P create advanced rule page.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-create-advanced-rule.png)
+
+ When done, click **Next**.
+
+1. On the **Customize advanced DLP rules** page, you can either start creating a new rule or choose an existing rule to edit. Click **Create rule**.
+
+ ![Screenshot of D L P create rule page.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-create-rule.png)
++
+1. The **Create rule** page appears. On the create rule page, provide a name and description for the rule, and then configure the other sections, which are described following the image below.
+
+ ![Screenshot of D L P create rule form.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-create-rule-form.png)
+
+### Conditions
+
+In the condition section, you define the conditions under which the policy will apply to a dataset. Conditions are created in groups. Groups make it possible to construct complex conditions.
+
+1. Open the conditions section, choose **Add condition** and then **Content contains**.
+
+ ![Screenshot of D L P add conditions content contains section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-add-conditions-content-contains.png)
+
+ This opens the first group (named Default ΓÇô you can change this).
+
+1. Choose **Add**, and then **Sensitivity labels**.
+
+ >[!NOTE]
+ > Sensitive info types are currently not supported.
+
+ ![Screenshot of D L P add conditions section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-add-conditions.png)
+
+ When you choose **Sensitivity labels**, you will be able to choose a particular sensitivity label from a list that will appear.
+
+ You can add additional sensitivity labels to the group. To the right of the group name, you can specify **Any of these** or **All of these**. This determines whether matches on all or any of the labels is required for the condition to hold. Make sure **Any of these** is selected, since datasets canΓÇÖt have more than one label applied.
+
+ The image below shows a group (Default) that contains two sensitivity label conditions. The logic Any of these means that a match on any one of the sensitivity labels in the group constitutes ΓÇ£trueΓÇ¥ for that group.
+
+ ![Screenshot of D L P conditions group section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-condition-group.png)
+
+ You can create more than one group, and you can control the logic between the groups with **AND** or **OR** logic.
+
+ The image below shows a rule containing two groups, joined by **OR** logic.
+
+ ![Screenshot of rule with two groups.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-content-contains.png)
+
+### Exceptions
+
+If the sensitivity label of the dataset matches any of the defined exceptions, the rule wonΓÇÖt be applied to the dataset.
+
+Exceptions are configured in the same way as conditions, described above.
+
+![Screenshot of D L P exceptions section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-exceptions-section.png)
+
+### Actions
+
+Protection actions are currently unavailable for Power BI DLP policies.
+
+![Screenshot of D L P policy actions section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-actions-section.png)
++
+### User notifications
+
+The user notifications section is where you configure your policy tip. Turn on the toggle, select the **Notify users in Office 365 service with a policy tip** and **Policy tips** checkboxes, and write your policy tip in the text box.
+
+![Screenshot of D L P user notification section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-user-notification.png)
+
+### User overrides
+
+User overrides are currently unavailable for Power BI DLP policies.
+
+![Screenshot of D L P user overrides section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-user-overrides-section.png)
+
+### Incident reports
+
+Assign a severity level that will be shown in alerts generated from this policy. Enable (default) or disable email notification to admins, specify users or groups for email notification, and configure the details about when notification will occur.
+
+![Screenshot of D L P incident report section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-incidence-report.png)
+
+### Additional options
+
+![Screenshot of D L P additional options section.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-additional-options.png)
+
+## Monitor and manage policy alerts
+
+Log into the Microsoft 365 compliance portal and navigate to **Data loss prevention > Alerts**.
+
+![Screenshot of D L P Alerts tab.](media/service-security-dlp-policies-for-power-bi/power-bi-dlp-alerts-tab.png)
+
+Click on an alert to start drilling down to its details and to see management options.
+-->
+## Next steps
+
+- [Learn about data loss prevention](/microsoft-365/compliance/dlp-learn-about-dlp)
+- [Sensitivity labels in Power BI](/power-bi/enterprise/service-security-sensitivity-label-overview)
+- [Audit schema for sensitivity labels in Power BI](/power-bi/enterprise/service-security-sensitivity-label-audit-schema)
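Review bot: The "Considerations and limitations" bullet says policies applied to "the DLP location support sensitivity labels and sensitive information types as conditions", but "How DLP policies for Power BI work" says you specify sensitivity label(s), and the commented-out procedure still says "Sensitive info types are currently not supported"; pick one and make all three places agree, and change "the DLP location" to "the Power BI location". The NOTE that evaluation is skipped when the initiator is a service principal, or the dataset owner is a service principal or B2B user, describes a coverage gap and should be labelled as one: datasets published or refreshed through automation will never raise these alerts, so admins should not treat the **Alerts** tab as complete for that class of datasets. Also: the front matter has lost its `---` delimiters, the "Last updated :" line has no value and the "- M365-security-compliance" list has no key; the large `<!-- ... -->` block of the old procedure should be deleted rather than shipped; "A dataset is evaluated occurs when a dataset is:" is garbled and the list under it mixes "Publish" with "On-demand refresh"; "polices" appears twice; "custom DLP custom policy" repeats a word; "the dlp **Alerts** tab" needs "DLP"; and the two stray `++` lines should go.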
compliance Limits Ediscovery20 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/limits-ediscovery20.md
The following table lists the limits for cases and review sets in Advanced eDisc
|Maximum number of unique tags per case. <br/> |1,000<sup>1</sup> | |Maximum concurrent jobs in your organization to add content to a review set. These jobs are named **Adding data to a review set** and are displayed on the **Jobs** tab in a case.| 10<sup>2</sup> | |Maximum concurrent jobs to add content to a review set per user. These jobs are named **Adding data to a review set** and are displayed on the **Jobs** tab in a case. | 3 |
-|||
## Hold limits
The following table lists the indexing limits in Advanced eDiscovery.
|Maximum size of a single file. <br/> |150 MB<sup>4</sup> <br/> | |Maximum depth of embedded items in a document. <br/> |25<sup>4</sup> <br/> | |Maximum size of files processed by Optical Character Recognition (OCR). <br/> |24 MB<sup>4</sup> <br/>
-|||
## Search limits
The limits described in this section are related to using the search tool on the
|Maximum number of items per public folder mailbox displayed on preview page for searches. |100| |Maximum number of items found in all public folder mailbox items displayed on preview page for searches. |200| |Maximum number of public folder mailboxes that can be previewed for search results. If there are more than 500 public folder mailboxes that contain items that match the search query, only the top 500 mailboxes with the most results are available for preview.|500|
-|||
+|The maximum size of an item that can be viewed on the sample page of a draft collection.|10,000,000 bytes (approximately 9.5 MB)|
## Search times Microsoft collects performance information for searches run by all organizations. While the complexity of the search query can impact search times, the biggest factor that affects how long searches take is the number of mailboxes searched. Although Microsoft doesn't provide a Service Level Agreement for search times, the following table lists average search times for collection searches based on the number of mailboxes included in the search.
- | Number of mailboxes | Average search time |
- |:--|:--|
- |100 <br/> |30 seconds <br/> |
- |1,000 <br/> |45 seconds <br/> |
- |10,000 <br/> |4 minutes <br/> |
- |25,000 <br/> |10 minutes <br/> |
- |50,000 <br/> |20 minutes <br/> |
- |100,000 <br/> |25 minutes <br/> |
- |||
+| Number of mailboxes | Average search time |
+|:--|:--|
+|100 <br/> |30 seconds <br/> |
+|1,000 <br/> |45 seconds <br/> |
+|10,000 <br/> |4 minutes <br/> |
+|25,000 <br/> |10 minutes <br/> |
+|50,000 <br/> |20 minutes <br/> |
+|100,000 <br/> |25 minutes <br/> |
## Viewer limits | Description of limit | Limit | |:--|:--| |Maximum size of Excel file that can be viewed in the native viewer. <br/> |4 MB <br/> |
-|||
## Export limits - Final export out of Review Set
The limits described in this section are related to exporting documents out of a
|:--|:--| |Maximum size of a single export.|5 million documents or 500 GB, whichever is smaller| |Maximum concurrent exports per review set. | 1 |
-|||
## Review set download limits | Description of limit | Limit | |:--|:--| |Total file size or maximum number of documents downloaded from a review set. <br/> |3 MB or 50 documents<sup>7</sup>|
-|||
## Notes
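Review bot: The new "maximum size of an item that can be viewed on the sample page" row starts with "The maximum ..." while every other row in this table starts with "Maximum ..."; drop the leading "The" to match. Removing the empty `|||` rows is correct, since each one rendered as a blank table row, and the search-times table is now consistently un-indented like the other tables in the file.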
compliance Limits For Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/limits-for-content-search.md
The following table lists the search limits when using the content search tool i
|The maximum number of items per public folder mailbox that are displayed on the preview page when previewing content search results.|100| |The maximum number of items found in all public folder mailboxes that are displayed on the preview page when previewing content search results.|200| |The maximum number of public folder mailboxes that can be previewed for search results. If there are more than 500 public folder mailboxes that contain content that matches the search query, only the top 500 public folder mailboxes with the most search results will be available for preview.|500|
+|The maximum size of an item that can be viewed on the preview page.|10,000,000 bytes (approximately 9.5 MB)|
|The maximum number of characters for the search query (including operators and conditions) for a search. <p> **Note:** This limit takes effect after the query is expanded and includes characters from the keyword query, any search permissions filters applied to the user, and the URLs of all site locations. This means the query will get expanded against each of the keywords. For example, if a search query has 15 keywords and additional parameters and conditions, the query gets expanded 15 times, each with the other parameters and conditions in the query. So even though the number of characters in the search query may be below the limit, it's the expanded query that may contribute to exceeding this limit.|**Mailboxes:** 10,000. <p> **Sites:** 4,000 when searching all sites or 2,000 when searching up to 20 sites. <sup>3</sup>|
-|Maximum number of variants returned when using a prefix wildcard to search for an exact phrase in a search query or when using a prefix wildcard and the **NEAR** Boolean operator.|10,000 <sup>4</sup>|
+|The maximum number of variants returned when using a prefix wildcard to search for an exact phrase in a search query or when using a prefix wildcard and the **NEAR** Boolean operator.|10,000 <sup>4</sup>|
|The minimum number of alpha characters for prefix wildcards; for example, `time*`, `one*`, or `set*`.|3| |The maximum number of mailboxes in a search that you can delete items in by doing a "search and purge" action (by using the **New-ComplianceSearchAction -Purge** command). If the search that you're doing a purge action for has more source mailboxes than this limit, the purge action will fail. For more information about search and purge, see [Search for and delete email messages in your organization](search-for-and-delete-messages-in-your-organization.md).|50,000| |The maximum number of locations in a search that you can export items from. If the search that you're exporting has more locations than this limit, the export will fail. For more information, see [Export content search results](export-search-results.md).|100,000|
-|||
> [!NOTE] > <sup>1</sup> Although you can search an unlimited number of mailboxes in a single search, you can only download the exported search results from a maximum of 100,000 mailboxes using the eDiscovery Export Tool in the Microsoft 365 compliance center.
Microsoft collects performance information for searches run by all organizations
|25,000|10 minutes| |50,000|20 minutes| |100,000|25 minutes|
-|||
## Export limits
The following table lists the limits when exporting the results of a content sea
|Maximum number of mailboxes for search results that can be downloaded using the eDiscovery Export Tool|100,000| |Maximum size of PST file that can be exported <p> **Note:** If the search results from a user's mailbox are larger than 10 GB, the search results for the mailbox will be exported in two (or more) separate PST files. If you choose to export all search results in a single PST file, the PST file will be spilt into additional PST files if the total size of the search results is larger than 10 GB. If you want to change this default size, you can edit the Windows Registry on the computer that you use to export the search results. See [Change the size of PST files when exporting eDiscovery search results](change-the-size-of-pst-files-when-exporting-results.md). The search results from a specific mailbox won't be divided among multiple PST files unless the content from a single mailbox is more than 10 GB. If you chose to export the search results in one PST file for that contains all messages in a single folder and the search results are larger than 10 GB, the items are still organized in chronological order, so they will be spilt into additional PST files based on the sent date.|10 GB| |Rate at which search results from mailboxes and sites are uploaded to a Microsoft-provided Azure Storage location.|Maximum of 2 GB per hour|
-|||
## Indexing limits for email messages
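Review bot: The new preview-size row and the "The maximum number of variants" rewording follow this table's "The maximum ..." convention, so the change is consistent. While editing this table, the adjacent PST-file row (unchanged context) misspells "split" as "spilt" twice ("will be spilt into additional PST files"); worth fixing in the same change.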
compliance Retention Policies Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-teams.md
For other workloads, see:
## What's included for retention and deletion
+> [!NOTE]
+> Retention policies now support [shared channels](/MicrosoftTeams/shared-channels), currently in preview. Any shared channels inherit retention settings from the parent channel.
+ Teams chats messages, channel messages, and private channel messages can be deleted by using retention policies for Teams, and in addition to the text in the messages, the following items can be retained for compliance reasons: Embedded images, tables, hypertext links, links to other Teams messages and files, and [card content](/microsoftteams/platform/task-modules-and-cards/what-are-cards). Chat messages and private channel messages include all the names of the people in the conversation, and channel messages include the team name and the message title (if supplied). Code snippets, recorded voice memos from the Teams mobile client, thumbnails, announcement images, and reactions from others in the form of emoticons are not retained when you use retention policies for Teams.
These mailboxes are, listed by their RecipientTypeDetails attribute:
- **UserMailbox**: These mailboxes store message data for cloud-based Teams users. - **MailUser**: These mailboxes store message data for [on-premises Teams users](search-cloud-based-mailboxes-for-on-premises-users.md). - **GroupMailbox**: These mailboxes store message data for Teams standard channels.
+- **SubstrateGroup**: These mailboxes store message data for Teams shared channels.
Other mailbox types, such as RoomMailbox that is used for Teams conference rooms, are not supported for Teams retention policies.
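Review bot: "Any shared channels inherit retention settings from the parent channel" names the wrong parent. A shared channel belongs to a team, and the other notes in this change set say so ("inherit sensitivity label settings from their parent team", "the Exchange Online mailbox for the parent Team"); change it to "from the parent team". The new `SubstrateGroup` bullet then says where shared-channel messages are stored but not how a policy reaches them, so add one sentence saying whether a policy whose Teams channel messages location includes the parent team covers that mailbox automatically (which is what "inherit" suggests) or whether anything else has to be selected. While here, "Teams chats messages" in the paragraph above should be "Teams chat messages".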
compliance Retention Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-settings.md
When you choose to use adaptive scopes, you are prompted to select what type of
|:--|:--| |**Users** - applies to: <br/> - Exchange email <br/> - OneDrive accounts <br/> - Teams chats <br/> - Teams private channel messages <br/> - Yammer user messages| First Name <br/> Last name <br/>Display name <br/> Job title <br/> Department <br/> Office <br/>Street address <br/> City <br/>State or province <br/>Postal code <br/> Country or region <br/> Email addresses <br/> Alias <br/> Exchange custom attributes: CustomAttribute1 - CustomAttribute15| |**SharePoint sites** - applies to: <br/> - SharePoint sites <br/> - OneDrive accounts |Site URL <br/>Site name <br/> SharePoint custom properties: RefinableString00 - RefinableString99 |
-|**Microsoft 365 Groups** - applies to: <br/> - Microsoft 365 Groups <br/> - Teams channel messages <br/> - Yammer community messages |Name <br/> Display name <br/> Description <br/> Email addresses <br/> Alias <br/> Exchange custom attributes: CustomAttribute1 - CustomAttribute15 |
+|**Microsoft 365 Groups** - applies to: <br/> - Microsoft 365 Groups <br/> - Teams channel messages (standard and shared) <br/> - Yammer community messages |Name <br/> Display name <br/> Description <br/> Email addresses <br/> Alias <br/> Exchange custom attributes: CustomAttribute1 - CustomAttribute15 |
The property names for sites are based on SharePoint site managed properties. For information about the custom attributes, see [Using Custom SharePoint Site Properties to Apply Microsoft 365 Retention with Adaptive Policy Scopes](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/using-custom-sharepoint-site-properties-to-apply-microsoft-365/ba-p/3133970).
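Review bot: after this change the Microsoft 365 Groups row says "(standard and shared)" but the Users row still lists only "Teams private channel messages", so the table is silent on whether a shared channel with members outside the team is scoped like a private channel (through the Users row) or only through its parent team's group. State that shared channel messages are scoped through the parent team's Microsoft 365 group, which is what "inherit retention settings from the parent" in retention-policies-teams implies, so an adaptive scope author does not try to reach them through user attributes.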
compliance Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
Retention policies can be applied to the following locations:
- Yammer community messages - Yammer user messages
+> [!NOTE]
+> Teams channel messages now include [shared channels](/MicrosoftTeams/shared-channels) (currently in preview) as well as standard channels.
+ You can very efficiently apply a single policy to multiple locations, or to specific locations or users. For the start of the retention period, you can choose when the content was created or, supported only for files and the SharePoint, OneDrive, and Microsoft 365 Groups locations, when the content was last modified.
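Review bot: the shared-channels note is anchored after the Yammer bullets rather than beside the "Teams channel messages" location it qualifies, so it reads as if it were about Yammer. Move it directly under that bullet, or fold the qualifier into the bullet text as retention-settings.md does ("Teams channel messages (standard and shared)"), and keep the "(currently in preview)" caveat with it.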
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
The numbers listed are the minimum Office application versions required for each
|[Audit label-related user activity](#auditing-labeling-activities) | Current Channel: 2011+ <br /><br> Monthly Enterprise Channel: 2011+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.43+ | 2.46+ | 16.0.13628+ | Yes | |[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | Current Channel: 2101+ <br /><br> Monthly Enterprise Channel: 2101+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.45+ | 2.47+ | 16.0.13628+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using sensitive info types | Current Channel: 2009+ <br /><br> Monthly Enterprise Channel: 2009+ <br /><br> Semi-Annual Enterprise Channel: 2102+ | 16.44+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
-|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers | Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2018+ | 16.49+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
+|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers | Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.49+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
|[Support co-authoring and AutoSave](sensitivity-labels-coauthoring.md) for labeled and encrypted documents | Current Channel: 2107+ <br /><br> Monthly Enterprise Channel: 2107+ <br /><br> Semi-Annual Enterprise Channel: 2202+ | 16.51+ | Preview: 2.58+ when you [opt-in](sensitivity-labels-coauthoring.md#opt-in-to-the-preview-of-co-authoring-for-ios-and-android) | Preview: 16.0.14931+ when you [opt-in](sensitivity-labels-coauthoring.md#opt-in-to-the-preview-of-co-authoring-for-ios-and-android) | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
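Review bot: correct fix; "2018+" is not a valid YYMM Office build number, and the Outlook table below already lists "Semi-Annual Enterprise Channel: 2108+" for the same trainable-classifiers row, so the two tables now agree.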
The numbers listed are the minimum Office application versions required for each
|[Let users assign permissions: <br /> - Do Not Forward](encryption-sensitivity-labels.md#let-users-assign-permissions) | Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Let users assign permissions: <br /> - Encrypt-Only](encryption-sensitivity-labels.md#let-users-assign-permissions) | Current Channel: 2011+ <br /><br> Monthly Enterprise Channel: 2011+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.48+ <sup>\*</sup> | 4.2112.0+ | 4.2112.0+ | Yes | |[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | Current Channel: 2101+ <br /><br> Monthly Enterprise Channel: 2101+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.43+ <sup>\*</sup> | 4.2111+ | 4.2111+ | Yes |
-|[Audit label-related user activity](#auditing-labeling-activities) | Current Channel: 2011+ <br /><br> Monthly Enterprise Channel: 2011+ <br /><br> Semi-Annual Enterprise Channel: 2202+ | 16.51+ <sup>\*</sup> | 4.2126+ | 4.2126+ | Yes |
+|[Audit label-related user activity](#auditing-labeling-activities) | Current Channel: 2011+ <br /><br> Monthly Enterprise Channel: 2011+ <br /><br> Semi-Annual Enterprise Channel: 2022+ | 16.51+ <sup>\*</sup> | 4.2126+ | 4.2126+ | Yes |
|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using sensitive info types | Current Channel: 2009+ <br /><br> Monthly Enterprise Channel: 2009+ <br /><br> Semi-Annual Enterprise Channel: 2102+ | 16.44+ <sup>\*</sup> | Under review | Under review | Yes | |[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers | Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.49+ | Under review | Under review | Yes | |[Different settings for default label and mandatory labeling](#outlook-specific-options-for-default-label-and-mandatory-labeling) | Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.43+ <sup>\*</sup> | 4.2111+ | 4.2111+ | Yes |
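Review bot: the edit from "Semi-Annual Enterprise Channel: 2202+" to "2022+" in the Outlook "Audit label-related user activity" row looks like a new typo rather than a fix. Office builds are YYMM, so 2022 would be month 22, and every other Semi-Annual value in these two tables (2002, 2102, 2108, 2202) is a real YYMM. If the goal was to match the first table, its audit row says 2108+; otherwise leave 2202+, which is also the value the co-authoring row uses. Either way "2022+" should not ship.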
compliance Sensitivity Labels Teams Groups Sites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-teams-groups-sites.md
After you enable and configure sensitivity labels for containers, users can addi
![A sensitivity label when creating a team site from SharePoint.](../media/sensitivity-labels-new-team-site.png)
+> [!NOTE]
+> Sensitivity labels for containers support [Teams shared channels](/MicrosoftTeams/shared-channels), currently in preview. If a team has any shared channels, they automatically inherit sensitivity label settings from their parent team, and that label can't be removed or replaced with a different label.
+ ## How to enable sensitivity labels for containers and synchronize labels If you haven't yet enabled sensitivity labels for containers, do the following set of steps as a one-time procedure:
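Review bot: the inherited-label note should say what inheritance means for people who are in a shared channel but not in the team. The allow-direct-connect article added in this same change set exists to let users in other Azure AD organizations join shared channels, so a reader here will want to know whether the parent team's label settings (for example its privacy or external sharing settings) are enforced for those B2B direct connect participants or only for team members. Add a sentence either way, or link to where that behaviour is documented.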
compliance Teams Workflow In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/teams-workflow-in-advanced-ediscovery.md
description: "Learn how to preserve, collect, review, and export content from Mi
This article provides a comprehensive set of procedures, guidelines, and best practices for using Advanced eDiscovery to preserve, collect, review, and export content from Microsoft Teams. The goal of this article is to help you optimize your eDiscovery workflow for Teams content.
-There are four categories of Teams content that you can collect and process using Advanced eDiscovery:
+There are five categories of Teams content that you can collect and process using Advanced eDiscovery:
- **Teams 1:1 chats**. Chat messages, posts, and attachments shared in a Teams conversation between two people. Teams 1:1 chats are also called *conversations*. - **Teams group chats**. Chat messages, posts, and attachments shared in a Teams conversation between three or more people. Also called *1:N* chats or *group conversations*. -- **Teams channels**. Chat messages, posts, replies, and attachments shared in a Teams channel.
+- **Teams channels**. Chat messages, posts, replies, and attachments shared in a standard Teams channel.
-- **Private Teams channels**. Message posts, replies, and attachments shared in a private Teams channel.
+- **Private channels**. Message posts, replies, and attachments shared in a private Teams channel.
+
+- **Shared channels**. Message posts, replies, and attachments shared in a shared Teams channel.
## Where Teams content is stored
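Review bot: the first bullet is still headed "Teams channels" while its text was changed to "a standard Teams channel" and the other two bullets were renamed "Private channels" and "Shared channels"; head it "Standard channels" so the three channel categories read in parallel, and use the same three labels in the storage table in the next section, where the first row is also still "Teams channels".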
A prerequisite to managing Teams content in Advanced eDiscovery is to understand
|Teams 1:1 chats |Messages in 1:1 chats are stored in the Exchange Online mailbox of all chat participants. |Files shared in a 1:1 chat are stored in the OneDrive for Business account of the person who shared the file. | |Teams group chats |Messages in group chats are stored in the Exchange Online mailbox of all chat participants. |Files shared in group chats are stored in the OneDrive for Business account of the person who shared the file. | |Teams channels |All channel messages and posts are stored in the Exchange Online mailbox associated with the team.|Files shared in a channel are stored in the SharePoint Online site associated with the team. |
-|Private Teams channels |Messages sent in a private channel are stored in the Exchange Online mailboxes of all members of the private channel.|Files shared in a private channel are stored in a dedicated SharePoint Online site associated with the private channel.|
+|Private channels |Messages sent in a private channel are stored in the Exchange Online mailboxes of all members of the private channel.|Files shared in a private channel are stored in a dedicated SharePoint Online site associated with the private channel.|
+|Shared channels |Messages sent in a shared channel are stored in a system mailbox associated with the shared channel.<sup>1</sup>|Files shared in a shared channel are stored in a dedicated SharePoint Online site associated with the shared channel.|
||||
+> [!NOTE]
+> <sup>1</sup> To search for (and preserve) messages sent in a shared channel, you have to search or specify the Exchange Online mailbox for the parent Team.
+ ## Create a case for Teams content The first step to managing Teams content in Advanced eDiscovery is to create a case using the new case format that's optimized for managing Teams content. Here's the benefits of using the new case format for Teams content:
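Review bot: the new "Shared channels" row says messages are "stored in a system mailbox associated with the shared channel", while footnote 1 says to search "the Exchange Online mailbox for the parent Team"; as written a reader may try to add the shared channel's own mailbox as a location and get nothing. Make the footnote say what it only implies: that the shared channel's mailbox (the `SubstrateGroup` type named in retention-policies-teams in this change set) cannot itself be specified as a search or hold location, so the parent team's group mailbox is the one to use. Also lowercase "Team" to match the rest of the article.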
To add custodians to a case and preserve custodial data sources:
- **OneDrives**. The custodian's OneDrive account is selected by default. Keep this selected to add (and preserve) files shared in 1:1 chats and group chats as custodial data.
- - **SharePoint**. Add the SharePoint site associated with any private channel the custodian is a member of to add (and preserve) as custodial data the files shared in the private channel. Click **Edit** and then add the URL for the SharePoint site associated with a private channel. To learn how to locate the private channels a user is a member of, see [eDiscovery of private channels](/microsoftteams/ediscovery-investigation#ediscovery-of-private-channels).
+ - **SharePoint**. Add the SharePoint site associated with any private or shared channel the custodian is a member of to add (and preserve) as custodial data the files shared in a channel. Click **Edit** and then add the URL for the SharePoint site associated with a private or shared channel. To learn how to locate the private and shared channels a user is a member of, see [eDiscovery of private and shared channels](/microsoftteams/ediscovery-investigation#ediscovery-of-private-and-shared-channels).
- - **Teams**. Add the teams that the custodian is a member of to add (and preserve) as custodial data all channel messages and all files shared to a Teams channel. When you click **Edit**, the mailbox and site associated with each team the custodian is a member of are displayed in a list. Select the teams that you want to associate to the custodian. You have to select both the corresponding mailbox and site for each team.
+ - **Teams**. Add the teams that the custodian is a member of to add (and preserve) as custodial data all channel messages and all files shared to a Teams channel. This includes adding the mailbox for the parent team of a shared channel the custodian is a member of. When you click **Edit**, the mailbox and site associated with each team the custodian is a member of are displayed in a list. Select the teams that you want to associate to the custodian. You have to select both the corresponding mailbox and site for each team.
> [!NOTE]
- > You can also add the mailbox and site of Teams that custodians aren't members of as a custodian data location. You do this by clicking **Edit** next to **Exchange** and **SharePoint** and then adding the mailbox and site associate with the team.
+ > You can also add the mailbox and site of Teams that custodians aren't members of as a custodian data location. You do this by clicking **Edit** next to **Exchange** and **SharePoint** and then adding the mailbox and site associated with the team.
6. After you add custodians and configure the custodial data sources, click **Next** to display the **Hold settings** page.
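Review bot: the Teams step assumes the parent team appears in the custodian's list ("the mailbox and site associated with each team the custodian is a member of are displayed"), but a person can be a member of a shared channel without being a member of its parent team, which is the case shared channels exist for, including participants from other organizations. For such a custodian the parent team's mailbox will not be listed, so point this sentence at the note that follows (add the team's mailbox via Edit next to Exchange even though the custodian is not a member), and say the same in the SharePoint step for the channel's site. Separately, confirm that the anchor `#ediscovery-of-private-and-shared-channels` exists in /microsoftteams/ediscovery-investigation, since the link was changed to it rather than keeping the old `#ediscovery-of-private-channels` target.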
To create a collection of Teams content:
5. Select one or more custodians and then click **Add**.
- After you add specific custodians to the collection, a list of specific data sources for each custodian is displayed. These are the data sources that you configured when you added the custodian to the case. All custodian data sources are selected by default. This includes any Teams and private channels that you associated with a custodian.
+ After you add specific custodians to the collection, a list of specific data sources for each custodian is displayed. These are the data sources that you configured when you added the custodian to the case. All custodian data sources are selected by default. This includes any Teams or channels that you associated with a custodian.
We recommend doing the following things when collecting Teams content: - Remove custodians' OneDrive accounts from the collection scope (by unselecting the checkbox in the **Custodian's OneDrive** column for each custodian). This prevents the collection of duplicate files that were attached to 1:1 chats and group chats. Cloud attachments are automatically collected from each conversation found in the collection when you commit the draft collection to the review set. By using this method (instead of searching OneDrive accounts as part of the collection), files attached to 1:1 and group chats are grouped in the conversation they were shared in.
- - Unselect the checkbox in the **Additional site** column to remove the SharePoint sites containing files shared in private channels. Doing this eliminates collecting duplicate files that were attached to private channel conversations because cloud attachments attached to private channel conversations are automatically added to the review set when you commit the draft collection and grouped in the conversations that were shared in.
+ - Unselect the checkbox in the **Additional site** column to remove the SharePoint sites containing files shared in private or shared channels. Doing this eliminates collecting duplicate files that were attached to private or shared channel conversations because these cloud attachments are automatically added to the review set when you commit the draft collection and grouped in the conversations they were shared in.
6. If you previously followed the steps to add Teams content as custodian data sources, you can skip this step and select **Next**. Otherwise, on the **Non-custodial data sources** wizard page, you can choose non-custodial data sources that contain Teams content that you may have added to the case to search in the collection.
To create a collection of Teams content:
8. On the **Conditions** wizard page, configure the search query to collect Teams content from the data sources that you specified on the previous wizard pages. You can use various keywords and search conditions to narrow the scope of the collection. For more information, see [Build search queries for collections](building-search-queries.md).
- To help ensure the most comprehensive collection of Teams chat conversations (including 1:1, group, channel, and private chats) use the **Type** condition and select the **Instant messages** option. We also recommend including a date range or several keywords to narrow the scope of the collection to items relevant to your investigation. Here's a screenshot of a sample query using the **Type** and **Date** options:
+ To help ensure the most comprehensive collection of Teams chat conversations (including 1:1, group, and channel chats) use the **Type** condition and select the **Instant messages** option. We also recommend including a date range or several keywords to narrow the scope of the collection to items relevant to your investigation. Here's a screenshot of a sample query using the **Type** and **Date** options:
![Query to collect Teams content.](..\media\TeamsConditionsQueryType.png)
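Review bot: dropping "and private chats" from the parenthetical is right (private channel posts are channel chats, not private chats), but "channel chats" now has to cover three kinds; since the rest of this article was changed to spell out "standard, private, and shared", write "(including 1:1, group, and standard, private, and shared channel chats)" here too so it is explicit that the Instant messages type also returns shared channel posts.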
The following table describes how the different types of Teams chat content are
| Teams content type|Group by family |Group by conversation | |:|:|:| |Teams 1:1 and group chats | A transcript and all of its attachments and extracted items share the same **FamilyId**. Each transcript has a unique **FamilyId**. |All transcript files and their family items within the same conversation share the same **ConversationId**. This includes the following items:<br/><br/> - All extracted items and attachments of all transcripts that share the same **ConversationId**. <br/> - All transcripts for the same chat conversation<br/> - All custodian copies of each transcript<br/> - Transcripts from subsequent collections from the same chat conversation <br/><br/> For Teams 1:1 and group chat conversations, you might have multiple transcript files, each one corresponding to a different time frame within the conversation. Because these transcript files are from the same conversation with the same participants, they share the same **ConversationId**.|
-|Teams channel and private channel chats | Each post and all replies and attachments are saved to its own transcript. This transcript and all of its attachments and extracted items share the same **FamilyId**. |Each post and its attachments and extracted items have a unique **ConversationId**. If there are subsequent collections or new replies from the same post, the delta transcripts resulting from those collections will also have the same **ConversationId**.|
+|Standard, private, and shared channel chats | Each post and all replies and attachments are saved to its own transcript. This transcript and all of its attachments and extracted items share the same **FamilyId**. |Each post and its attachments and extracted items have a unique **ConversationId**. If there are subsequent collections or new replies from the same post, the delta transcripts resulting from those collections will also have the same **ConversationId**.|
|||| Use the **Group** control in the command bar of a review set to view Teams content grouped by family or conversation.
Here's the logic used by Advanced eDiscovery to include additional messages and
| Teams content type|Queries with search parameters |Queries with date ranges | |:|:|:| |Teams 1:1 and group chats |Messages that were posted 12 hours before and 12 hours after responsive items are grouped with the responsive item in a single transcript file. |Messages in a 24-hour window are grouped in a single transcript file.|
-|Teams channel and private channel chats |Each post that contains responsive items and all corresponding replies are grouped in a single transcript file. |Each post that contains responsive items and all corresponding replies are grouped in a single transcript file.|
+|Standard, private, and shared Teams channel chats |Each post that contains responsive items and all corresponding replies are grouped in a single transcript file. |Each post that contains responsive items and all corresponding replies are grouped in a single transcript file.|
|||| ### Deduplication of Teams content
The following table describes metadata properties for Teams content.
|:|:| |ContainsEditedMessage | Indicates whether a transcript file contains an edited message. Edited messages are identified when viewing the transcript file.| |ConversationId|A GUID that identifies the conversation that the item is associated with. Transcript files and attachments from the same conversation have the same value for this property.|
-|Conversation name | The name of the conversation the transcript file or attachment is associated with. For Teams 1:1 and group chats, the value of this property is the UPN of all participants of the conversation are concatenated. For example, `User3 <User3@contoso.onmicrosoft.com>,User4 <User4@contoso.onmicrosoft.com>,User2 <User2@contoso.onmicrosoft.com>`. Teams channel and private channel chats use the following format for conversation name: `<Team name>,<Channel name>`.ΓÇ» For example, `eDiscovery vNext, General`. |
-|ConversationType | Indicates the type of Team chat. For Teams 1:1 and group chats, the value for this property is `Group`. For Teams channel and private channel chats, the value is `Channel`.|
+|Conversation name | The name of the conversation the transcript file or attachment is associated with. For Teams 1:1 and group chats, the value of this property is the UPN of all participants of the conversation are concatenated. For example, `User3 <User3@contoso.onmicrosoft.com>,User4 <User4@contoso.onmicrosoft.com>,User2 <User2@contoso.onmicrosoft.com>`. Teams channel (standard, private, and shared) chats use the following format for conversation name: `<Team name>,<Channel name>`.ΓÇ» For example, `eDiscovery vNext, General`. |
+|ConversationType | Indicates the type of Team chat. For Teams 1:1 and group chats, the value for this property is `Group`. For standard, private, and shared channel chats, the value is `Channel`.|
|Date | The time stamp of the first message in the transcript file.| |FamilyId|A GUID that identifies the transcript file for a chat conversation. Attachments will have the same value for this property as the transcript file that contains the message the file was attached to.| |FileClass |Indicates that type of content. Items from Teams chats have the value `Conversation`. In contrast, Exchange email messages have the value `Email`.| | |MessageKind | The message kind property. Teams content has the value `microsoftteams , im`. | |Recipients | A list of all users who received a message within the transcript conversation.|
-|TeamsChannelName | The Teams channel name or private channel name of the transcript.|
+|TeamsChannelName | The Teams channel name of the transcript.|
||| For descriptions of other Advanced eDiscovery metadata properties, see [Document metadata fields in Advanced eDiscovery](document-metadata-fields-in-Advanced-eDiscovery.md).
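Review bot: the rewritten "Conversation name" row carries over two defects from the line it replaces: the stray `ΓÇ»` after the backtick-quoted format is a mis-encoded no-break space and should be a plain space, and "the value of this property is the UPN of all participants of the conversation are concatenated" is not a sentence; write "the value is the UPNs of all participants of the conversation, concatenated". For `TeamsChannelName`, now collapsed to "The Teams channel name of the transcript", say whether a shared channel yields the channel name alone or the `<Team name>,<Channel name>` pair shown for "Conversation name", since that is what a reviewer will filter on.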
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-alerts.md
ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] **Applies to:**+ - Microsoft 365 Defender
+>[!Note]
+>This article describes security alerts in Microsoft 365 Defender. However, you can use activity alerts to send email notifications to yourself or other admins when users perform specific activities in Microsoft 365. For more information, see [Create activity alerts - Microsoft 365 Compliance | Microsoft Docs](../../compliance/create-activity-alerts.md).
+ Alerts are the basis of all incidents and indicate the occurrence of malicious or suspicious events in your environment. Alerts are typically part of a broader attack and provide clues about an incident.
-In Microsoft 365 Defender, related alerts are aggregated together to form [incidents](incidents-overview.md). Incidents will always provide the broader context of an attack, however, analyzing alerts can be valuable when deeper analysis is required.
+In Microsoft 365 Defender, related alerts are aggregated together to form [incidents](incidents-overview.md). Incidents will always provide the broader context of an attack, however, analyzing alerts can be valuable when deeper analysis is required.
-The **Alerts queue** shows the current set of alerts. You get to the alerts queue from **Incidents & alerts > Alerts** on the quick launch of the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>.
+The **Alerts queue** shows the current set of alerts. You get to the alerts queue from **Incidents & alerts > Alerts** on the quick launch of the [Microsoft 365 Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139).
:::image type="content" source="../../media/investigate-alerts/alerts-ss-alerts-queue.png" lightbox="../../media/investigate-alerts/alerts-ss-alerts-queue.png" alt-text="Example of the alerts queue in the Microsoft 365 Defender portal":::
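Review bot: the link text in the new note, "Create activity alerts - Microsoft 365 Compliance | Microsoft Docs", is a pasted browser title rather than a link label; use "Create activity alerts", matching the style of "[incidents](incidents-overview.md)" two lines down. The change from `<a href ... target="_blank">` to a markdown link drops the new-tab behaviour, which is fine for docs but worth a word in the commit message, and the "Incidents will always provide..." line is shown as changed while reading identically, so it is presumably a trailing-whitespace edit.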
security Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/alerts.md
- Title: Alerts in the Microsoft 365 Defender portal
- - NOCSH
--- Previously updated : -
- - MOE150
- - MET150
- - BCS160
-
- - M365-security-compliance
- - m365initiative-defender-office365
-description: Learn about how to use the alerts features in the Microsoft 365 Defender portal to view and manage alerts, including managing advanced alerts.
--- seo-marvel-apr2020--
-# Alerts in the Microsoft 365 Defender portal
--
-**Applies to**
-- [Exchange Online Protection](exchange-online-protection-overview.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-
-Use the alerts features in the Microsoft 365 Defender portal to view and manage alerts for your organization, including managing advanced alerts as part of [Microsoft Defender for Cloud Apps overview](/cloud-app-security/what-is-cloud-app-security).
-
-## How to get to the alerts features
-
-Alerts are available in the Microsoft 365 Defender portal at <https://security.microsoft.com> at **Incidents & alerts** \> **Alerts**. Or, to go direct to the **Alerts** page, use <https://security.microsoft.com/alerts>.
-
-## Alerts features
-
-The following table describes the tools that are available on the **Alerts** page.
-
-|Tool|Description|
-|||
-|[Manage alerts](../../compliance/create-activity-alerts.md)|Use activity alerts to send email notifications to yourself or other admins when users perform specific activities in Microsoft 365. Activity alerts are similar to searching the audit log for events, except that you'll be sent an email message when an event that you've created an alert for occurs.|
-|[Manage advanced alerts](/cloud-app-security/what-is-cloud-app-security)|Use the **Manage advanced alerts** feature of Microsoft Defender for Cloud Apps to set up policies that can alert you to suspicious and anomalous activity in Microsoft 365. After you're alerted, you can investigate situations that are potentially problematic and, if needed, take action to address security issues.|
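Review bot: this removes the article that told Exchange Online Protection and Defender for Office 365 readers about two tools on the Alerts page, and only one of them survives elsewhere: the note added to investigate-alerts.md covers activity alerts but says nothing about "Manage advanced alerts", the Microsoft Defender for Cloud Apps policies that "alert you to suspicious and anomalous activity in Microsoft 365". Either carry that pointer into the surviving note or another alerts page, and add a redirect for office-365-security/alerts.md so inbound links and the <https://security.microsoft.com/alerts> guidance do not go to a 404.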
solutions Allow Direct Connect With All Organizations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/allow-direct-connect-with-all-organizations.md
+
+ Title: "Enable shared channels with all external organizations"
+++
+audience: ITPro
++
+- SPO_Content
+- M365-collaboration
+- m365solution-securecollab
+- m365solution-scenario
+- m365initiative-externalcollab
+ms.localizationpriority: medium
+f1.keywords: NOCSH
+recommendations: false
+description: Learn how to enable shared channels with all other Microsoft 365 and Azure Active Directory organizations.
++
+# Enable shared channels with all external organizations
+
+While sharing shared channels externally is enabled by default in Teams, Azure Active Directory cross-tenant access settings for [B2B direct connect](/azure/active-directory/external-identities/b2b-direct-connect-overview) must also be configured to share a channel externally. By default, these settings are set to block all organizations.
+
+You can change the B2B direct connect default settings to allow all organizations. This allows users to collaborate in shared channels without your organization having to create a separate configuration for each organization that you want to collaborate with. (Note that the organizations you collaborate with will also have to configure their B2B direct connect settings.)
+
+If your organization doesn't have a requirement to restrict collaboration with other organizations, enabling all organizations by default can save you time and complexity in managing each organization separately.
+
+> [!NOTE]
+> Changes to cross-tenant access settings may take two hours to take effect.
+
+## Allow users to invite people in other organizations to participate in shared channels
+
+You can allow your users to invite people from other organizations to use shared resources - such as shared channels in Teams - by default.
+
+To allow users to invite B2B direct connect participants by default
+1. Sign in to [Azure Active Directory](https://aad.portal.azure.com) using a Global administrator or Security administrator account.
+1. Select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+1. On the **Default settings** tab, under **Inbound access settings**, select **Edit inbound defaults**.
+1. Select the **B2B direct connect** tab.
+1. On the **Users and groups** tab, under **Access status**, choose **Allow access**.
+1. On the **External applications** tab, under **Access status**, choose **Allow access**.
+1. Select **Save**.
+1. Select the **Trust settings** tab.
+1. Choose if you want to trust multi-factor authentication, compliant devices, or hybrid Azure AD joined devices from other organizations.
+1. Select **Save**.
+1. Close the **Default settings** blade.
+
+## Allow users to participate in shared channels in other organizations
+
+You can allow your users to access resources that are hosted by an external organization - such as shared channels in Teams - by default.
+
+To allow users to access resource from other organizations by default
+1. In [Azure Active Directory](https://aad.portal.azure.com), select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+1. On the **Default settings** tab, under **Outbound access settings**, select **Edit outbound defaults**.
+1. Select the **B2B direct connect** tab.
+1. On the **Users and groups** tab, under **Access status**, choose **Allow access**.
+1. On the **External applications** tab, under **Access status**, choose **Allow access**.
+1. Select **Save**.
+1. Close the **Default settings** blade.
+
+## Related topics
+
+[B2B direct connect overview](/azure/active-directory/external-identities/b2b-direct-connect-overview)
+
+[Configure cross-tenant access settings for B2B direct connect](/azure/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect)
+
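Review bot: the default-settings procedure under "Allow users to invite people in other organizations to participate in shared channels" sets inbound B2B direct connect to **Allow access** for all users and groups and all external applications, and because it is the *default* this applies to every external Azure AD tenant, not just partners you have added; the text should say so, and the trust step ("Choose if you want to trust multi-factor authentication, compliant devices, or hybrid Azure AD joined devices from other organizations") deserves a sentence explaining that trusting those claims means your Conditional Access policies will accept MFA and device-compliance assertions issued by tenants you do not administer, so most readers will want to leave trust settings off at the default level and enable them per organization instead. Minor: "To allow users to access resource from other organizations by default" should read "resources".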
solutions Collaborate As Team https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-as-team.md
If you need to collaborate with guests across documents, tasks, and conversation
In this article, we'll walk through the Microsoft 365 configuration steps necessary to set up a team for collaboration with guests. Once you have configured guest access, you can invite guests to teams by following the steps in [Add guests to a team in Teams](https://support.microsoft.com/office/fccb4fa6-f864-4508-bdde-256e7384a14f).
+> [!NOTE]
+> [Shared channels](collaborate-teams-direct-connect.md) offers a more seamless experience than guest accounts when collaborating with other Microsoft 365 organizations. Shared channels allow you to collaborate with people outside your organization using Teams channels without the need for external participants to sign in to your organization. We recommend you review [Plan external collaboration](plan-external-collaboration.md) to see if shared channels is a better options than collaborating with guests for any given scenario.
+ ## Video demonstration This video shows the configuration steps described in this document.</br>
This video shows the configuration steps described in this document.</br>
Sharing in Microsoft 365 is governed at its highest level by the [B2B external collaboration settings in Azure Active Directory](/azure/active-directory/external-identities/delegate-invitations). If guest sharing is disabled or restricted in Azure AD, this setting overrides any sharing settings that you configure in Microsoft 365.
-Check the B2B external collaboration settings settings to ensure that sharing with guests is not blocked.
+Check the B2B external collaboration settings to ensure that sharing with guests is not blocked.
![Screenshot of Azure Active Directory Organizational Relationships Settings page.](../media/azure-ad-organizational-relationships-settings.png)
To invite guests to a team
[Create a B2B extranet with managed guests](b2b-extranet.md) [SharePoint and OneDrive integration with Azure AD B2B](/sharepoint/sharepoint-azureb2b-integration-preview)-
-[Sharing options are greyed out when sharing from SharePoint or OneDrive](/sharepoint/troubleshoot/administration/sharing-options-grayed-out-when-sharing-from-sharepoint-online-or-onedrive)
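Review bot: the added line " ## Video demonstration This video shows the configuration steps described in this document.</br>" repeats the sentence that already follows it on the next line and uses `</br>`, which is not a valid HTML line-break tag; keep only the heading on that line and let the existing sentence (with `<br>` or a plain paragraph break) follow it. In the new note, "shared channels is a better options" should be "a better option", and the related-links line ends with a stray hyphen after "[SharePoint and OneDrive integration with Azure AD B2B](...)".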
solutions Collaborate Teams Direct Connect https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-teams-direct-connect.md
+
+ Title: "Collaborate with external participants in a channel"
+++
+audience: ITPro
++
+- SPO_Content
+- M365-collaboration
+- m365solution-3tiersprotection
+- m365solution-securecollab
+- m365initiative-externalcollab
+
+localization_priority: Priority
+f1.keywords: NOCSH
+recommendations: false
+description: Learn how to use shared channels with people outside your organization.
++
+# Collaborate with external participants in a channel
+
+If you want to allow your users to collaborate with people outside your organization in [shared channels](/MicrosoftTeams/shared-channels), you need to configure B2B direct connect for each organization that you want to collaborate with. (Alternatively, you can [Enable shared channels with all external organizations](/microsoft-365/solutions/allow-direct-connect-with-all-organizations).)
+
+When you enable shared channels with another organization:
+
+- Team owners in your organization will be able to invite people from other organizations to participate in shared channels.
+- Your organization's custom (line of business) apps will be available in shared channels and external participants will be able to access them.
+- Your organization's apps list will be available in shared channels and external participants will be able to access them.
+
+> [!NOTE]
+> Shared channels is in preview and requires that you have configured [Microsoft Teams Public Preview](/MicrosoftTeams/public-preview-doc-updates). If you plan to share channels with other organizations, they must also have configured Teams public preview.
+
+## Enable shared channels in Teams
+
+Shared channels is enabled by default in Teams. Follow this procedure to confirm the settings.
+
+To configure shared channels
+1. In the [Teams admin center](https://admin.teams.microsoft.com/), expand **Teams**, and then select **Teams policies**.
+1. Select the policy for which you want to enable shared channels, and then select **Edit**.
+1. Select the options you want to enable:
+ - To allow team owners to create shared channels, turn **Create shared channels** on.
+ - To allow team owners to share shared channels with people outside the organization, turn **Share shared channels externally** on.
+ - To allow users to be invited to shared channels in other organizations, turn **Can be invited to external shared channels** on.
+1. Select **Apply**.
+
+## Configure cross-tenant access settings in Azure AD
+
+Azure AD B2B direct connect is disabled by default. To enable collaboration in shared channels with people from other organizations, you must:
+
+1. [Add an organization](#add-an-organization).
+1. [Configure inbound settings](#configure-inbound-settings) for the organization to allow users from the organization to be invited to your shared channels.
+1. [Configure outbound settings](#configure-outbound-settings) for the organization to allow your users to be invited to the other organization's shared channels.
+
+As part of this configuration, we enable the **Office 365** application, which includes Teams and Teams-integrated services such as SharePoint.
+
+> [!NOTE]
+> Changes to cross-tenant access settings may take two hours to take effect.
+
+### Add an organization
+
+Add each organization with which you want to participate in shared channels.
+
+To add an organization
+1. Sign in to [Azure Active Directory](https://aad.portal.azure.com) using a Global administrator or Security administrator account.
+1. Select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+1. Select **Organizational settings**.
+1. Select **Add organization**.
+1. On the **Add organization** pane, type the full domain name (or tenant ID) for the organization.
+1. Select the organization in the search results, and then select **Add**.
+1. The organization appears in the **Organizational settings** list. At this point, all access settings for this organization are inherited from your default settings.
+
+### Configure inbound settings
+
+Follow this procedure for each organization where you want to invite external participants.
+
+To configure inbound settings for an organization
+1. In [Azure Active Directory](https://aad.portal.azure.com), select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+1. Select the inbound access link for the organization that you want to modify.
+1. On the **B2B direct connect** tab, choose **Customize settings**.
+1. On the **External users and groups** tab, choose **Allow access** and **All users and groups**.
+1. On the **Applications** tab, choose **Allow access** and **Select applications**.
+1. Select **Add Microsoft applications**.
+1. Select the **Office 365** application, and then choose **Select**.
+1. Select **Save** and close the **Outbound access settings** blade.
+
+### Configure outbound settings
+
+Follow this procedure for each organization where you want your users to be able to participate in external shared channels.
+
+To configure outbound settings for an organization
+1. In [Azure Active Directory](https://aad.portal.azure.com), select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+1. Select the outbound access link for the organization that you want to modify.
+1. On the **B2B direct connect** tab, choose **Customize settings**.
+1. On the **External users and groups** tab, choose **Allow access** and set a **Target** of all users.
+1. On the **External applications** tab, choose **Allow access** and **Select external applications**.
+1. Select **Add Microsoft applications**.
+1. Select the **Office 365** application, and then choose **Select**.
+1. Select **Save** and close the **Outbound access settings** blade.
+
+## See also
+
+[B2B direct connect overview](/azure/active-directory/external-identities/b2b-direct-connect-overview)
+
+[Configure cross-tenant access settings for B2B direct connect](/azure/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect)
+
+[Limit who can be invited by an organization](limit-invitations-from-specific-organization.md)
+
+[Shared channels limits](/MicrosoftTeams/shared-channels#shared-channel-limits)
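Review bot: the last step of "To configure inbound settings for an organization" reads "Select **Save** and close the **Outbound access settings** blade" but this procedure is editing the inbound blade, so it should say **Inbound access settings**. The inbound procedure also allows **All users and groups** from the partner tenant and the **Office 365** application without ever mentioning the **Trust settings** tab that the all-organizations article covers, so an admin who follows only this article never makes the MFA/compliant-device trust decision; add that step or a pointer to it. Two bullets under "When you enable shared channels with another organization" ("custom (line of business) apps" and "apps list") read as duplicates; say how they differ or merge them. Finally, the front-matter lines rendered as "+++" and "++" suggest metadata keys (author, ms.author, ms.topic and similar) were dropped; verify the front matter is complete before merge.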
solutions Collaborate With People Outside Your Organization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-with-people-outside-your-organization.md
description: Learn how to configure Microsoft 365 apps like Teams, OneDrive, and
# Collaborating with people outside your organization
-The external sharing capabilities in Microsoft 365 provide an opportunity for people in your organization to collaborate with partners, vendors, customers, and others who don't have an account in your directory. You can share entire teams or sites with people outside your organization, or just individual files.
+The external sharing capabilities in Microsoft 365 provide an opportunity for people in your organization to collaborate with partners, vendors, customers, and others who don't have an account in your directory. You can share entire teams, channels, or sites with people outside your organization, or just individual files.
-Collaborating with people outside your organization consists of two major components:
+Collaborating with people outside your organization consists of these major components:
- **Enable sharing** - Configure the sharing controls across Azure Active Directory, Teams, Microsoft 365 Groups, and SharePoint to allow the level of sharing that you want for your organization.
+- **Configure organizational relationships** - If you are using shared channels, you must configure cross-tenant access settings in Azure Active Directory to allow B2B direct connect access for each organization you want to collaborate with. (These organizations must also configure organizational relationships with your tenant.)
- **Enable additional security** - While the basic sharing features can be configured to require people outside your organization to authenticate, Microsoft 365 provides many additional security and compliance features to help you protect your data and maintain your governance policies while sharing externally. Read [Set up secure collaboration with Microsoft 365 and Microsoft Teams](/microsoft-365/solutions/setup-secure-collaboration-with-teams) to learn how external sharing ties in with the overall Microsoft 365 collaboration guidance. ## Enable sharing
-By default, in Microsoft 365, sharing with people outside your organization is enabled. Many external sharing scenarios work without further configuration. To confirm the settings for a scenario that you're using, or enable a new one, choose from the following options:
+By default, sharing with people outside your organization using guest access or anonymous access is enabled, but shared channels must be enabled by configuring organizational relationships in Azure AD. Most guest sharing scenarios work without further configuration. To confirm the settings for a scenario that you're using, or enable a new one, choose from the following options:
- [Collaborate on documents](collaborate-on-documents.md) - Learn how to configure Microsoft 365 to allow sharing and collaboration with people outside your organization (both guests and unauthenticated users) on files and folders. - [Collaborate in a site](collaborate-in-site.md) - Learn how to configure Microsoft 365 to enable sharing SharePoint sites with guests. - [Collaborate as a team](collaborate-as-team.md) - Learn how to configure Microsoft 365 to enable guest collaboration in Teams.
+- [Collaborate with external participants in a channel](/microsoft-365/solutions/collaborate-teams-direct-connect) for collaborating with people outside the organization in a shared channel.
For a comprehensive look at the guest sharing settings available across Microsoft 365, see [Microsoft 365 guest sharing settings reference](microsoft-365-guest-settings.md).
Once you've enabled the scenario that you want to use for sharing with people ou
## Collaborate with partner companies
-When you're working on a large project that involves many guests from another organization, or if you have an ongoing vendor relationship in which guests are often changing, you can use entitlement management in Azure Active Directory to simplify guest management and allow the partner company to share in that responsibility. See [Create a B2B extranet with managed guests](b2b-extranet.md) for details.
+When you're working on a large project that involves guests from another organization, consider shared channels. Because shared channels do not use guest accounts, the users in the other organization can access the shared channel directly without having to log into your organization separately.
+
+If you have an ongoing vendor relationship in which guests are often changing, you can use entitlement management in Azure Active Directory to simplify guest management and allow the partner company to share in that responsibility. See [Create a B2B extranet with managed guests](b2b-extranet.md) for details.
## Limit sharing
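Review bot: the new bullet "[Collaborate with external participants in a channel](/microsoft-365/solutions/collaborate-teams-direct-connect) for collaborating with people outside the organization in a shared channel" does not follow the "Learn how to configure Microsoft 365 to ..." pattern of the three bullets above it and uses an absolute path where the siblings use relative `.md` links; suggest "[Collaborate with external participants in a channel](collaborate-teams-direct-connect.md) - Learn how to configure Microsoft 365 to enable collaboration with people outside your organization in a shared channel." Also, "shared channels must be enabled by configuring organizational relationships in Azure AD" sits awkwardly beside the direct-connect article's "Shared channels is enabled by default in Teams"; say explicitly that the Teams feature is on by default and it is Azure AD B2B direct connect that is off by default.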
solutions Configure Teams Highly Sensitive Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-teams-highly-sensitive-protection.md
To allow or block guest sharing, we use a combination of a sensitivity label for
For the highly sensitive level of protection, we'll be using a sensitivity label to classify the team. This label can also be used to classify and encrypt individual files in this or other teams or in other file locations such as SharePoint or OneDrive.
-As a first step, you must enable sensitivity labels for Teams. See [Use sensitivity labels to protect content in Microsoft Teams, Office 365 groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md) for details.
+As a first step, you must enable sensitivity labels for Teams. See [Use sensitivity labels to protect content in Microsoft Teams, Office 365 Groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md) for details.
If you already have sensitivity labels deployed in your organization, consider how this label fits with your overall label strategy. You can change the name or settings if needed to meet the needs of your organization.
To restrict private channel creation
You can also use [teams policies](/MicrosoftTeams/teams-policies) to control who can create private channels.
+## Shared channel settings
+
+[Shared channels](/MicrosoftTeams/shared-channels) doesn't have team-level settings. The shared channel settings you configure in the Teams admin center and Azure AD will be available for all teams regardless of sensitivity.
+ ## SharePoint settings Each time you create a new team with the highly sensitive label, there are two steps to do in SharePoint:
To update the site default sharing link type
1. Under Default sharing link type, clear the **Same as organization-level setting** check box, and select **People with existing access**. 1. Select **Save**.
-#### Private channels
-
-If you add private channels to the team, each private channel creates a new SharePoint site with the default sharing settings. These sites are not visible in the SharePoint admin center, so you must use the Set-SPOSite PowerShell cmdlet to update the guest sharing settings.
+Note that if you add private or shared channels to the team, each creates a new SharePoint site with the default sharing settings. You can update them in the SharePoint admin center by selecting the sites associated with the team.
### Site sharing settings
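Review bot: the replacement paragraph "Note that if you add private or shared channels to the team, each creates a new SharePoint site with the default sharing settings. You can update them in the SharePoint admin center..." inverts the removed text, which said these sites are not visible in the SharePoint admin center and must be changed with Set-SPOSite; if the visibility claim is intended, state where the channel sites appear (the phrase "selecting the sites associated with the team" does not identify a view), and keep the Set-SPOSite route for scripted team creation, which the sensitive-tier article still relies on. Also "Shared channels doesn't have team-level settings" mixes plural subject and singular verb, and the sentence wording differs from the sibling article ("will be available for all teams" here, "apply to all teams" there); align them.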
solutions Configure Teams Sensitive Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-teams-sensitive-protection.md
To allow or block guest sharing, we use a combination of a sensitivity label for
For the sensitive level of protection, we'll be using a sensitivity label to classify the team. This label can also be used to classify individual files in this or other teams, or in other file locations such as SharePoint or OneDrive.
-As a first step, you must enable sensitivity labels for Teams. See [Use sensitivity labels to protect content in Microsoft Teams, Office 365 groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md) for details.
+As a first step, you must enable sensitivity labels for Teams. See [Use sensitivity labels to protect content in Microsoft Teams, Office 365 Groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md) for details.
If you already have sensitivity labels deployed in your organization, consider how this label fits with your overall label strategy. You can change the name or settings if needed to meet the needs of your organization.
To restrict private channel creation
You can also use [teams policies](/MicrosoftTeams/teams-policies) to control who can create private channels.
+## Shared channel settings
+
+[Shared channels](/MicrosoftTeams/shared-channels) doesn't have team-level settings. The shared channel settings you configure in the Teams admin center and Azure AD apply to all teams regardless of sensitivity.
+ ## SharePoint settings Each time you create a new team with the sensitive label, there are two steps to do in SharePoint:
To update the site default sharing link type
If you want to script this as part of your team creation process, you can use [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite) with the `-DefaultSharingLinkType Direct` parameter to change the default sharing link to *Specific people*.
-#### Private channels
-
-If you add private channels to the team, each private channel creates a new SharePoint site with the default sharing settings. These sites are not visible in the SharePoint admin center, so you must use the Set-SPOSite PowerShell cmdlet to update the guest sharing settings.
+Note that if you add private or shared channels to the team, each creates a new SharePoint site with the default sharing settings. You can update them in the SharePoint admin center by selecting the sites associated with the team.
### Site sharing settings
-To help ensure that the SharePoint site does not get shared with people who are not members of the team, we limit such sharing to owners.
+To help ensure that the SharePoint site does not get shared with people who are not members of the team, we limit such sharing to owners. This is only necessary for the SharePoint site that was created with the team. Additional sites created as part of private or shared channels can't be shared outside the team or channel.
To configure owners-only site sharing 1. In Teams, navigate to the **General** tab of the team you want to update.
To configure owners-only site sharing
6. Under **Sharing permissions**, choose **Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site**, and then click **Save**.
-## See Also
+## Related topics
[Create and configure sensitivity labels and their policies](../compliance/create-sensitivity-labels.md)
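Review bot: the "## See Also" to "## Related topics" rename is applied here, but the new collaborate-teams-direct-connect article in this same change uses "## See also" while the all-organizations article uses "## Related topics"; pick one heading for the whole set. The added sentence "Additional sites created as part of private or shared channels can't be shared outside the team or channel" is a new access-control claim with no supporting link; point it at the shared-channels or private-channels reference so readers can confirm what "can't be shared" covers (site membership versus file links). The "Shared channels doesn't have team-level settings" grammar issue noted on the highly-sensitive article applies here too.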
solutions Configure Teams Three Tiers Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-teams-three-tiers-protection.md
The following table summarizes the configurations for each tier. Use these confi
|Private or public team|Public|Private|Private|Private| |Who has access?|Everybody in the organization, including B2B users.|Only members of the team. Others can request access to the associated site.|Only members of the team.|Only members of the team.| |Private channels|Owners and members can create private channels|Owners and members can create private channels|Only owners can create private channels|Only owners can create private channels|
+|Shared channels|Owners and members can create shared channels|Owners and members can create shared channels|Only owners can create shared channels|Only owners can create shared channels|
|Site-level guest access|**New and existing guests** (default).|**New and existing guests** (default).|**New and existing guests** or **Only people in your organization** depending on team needs.|**New and existing guests** or **Only people in your organization** depending on team needs.| |Site sharing settings|**Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site**.|**Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site**.|**Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site**.|**Only site owners can share files, folders, and the site**.<br>Access requests **Off**.| |Site-level unmanaged device access|**Full access from desktop apps, mobile apps, and the web** (default).|**Full access from desktop apps, mobile apps, and the web** (default).|**Allow limited, web-only access**.|**Block access**.|
Teams for sensitive and highly sensitive protection are private teams in which s
## Sensitivity labels
-The sensitive and highly sensitive tiers use sensitivity labels to help secure the team and its files. To implement these tiers, you must enable [sensitivity labels to protect content in Microsoft Teams, Office 365 groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md).
+The sensitive and highly sensitive tiers use sensitivity labels to help secure the team and its files. To implement these tiers, you must enable [sensitivity labels to protect content in Microsoft Teams, Office 365 Groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md).
While the baseline tier does not require sensitivity labels, consider creating a "general" label and then requiring that all teams be labeled. This will help ensure that users make a conscious choice about sensitivity when they create a team. If you plan to deploy the sensitive or highly sensitive tiers, we do recommend creating a "general" label that you can use for baseline teams and for files that are not sensitive.
While teams do not have a read-only permission option, the SharePoint site does.
By default, both owners and members of the team can share files and folders with people outside the team. This may include people outside your organization, if you have allowed guest sharing. In all three tiers, we update the default sharing link type to help avoid accidental oversharing. In the highly sensitive tier, we restrict such sharing to team owners only.
-## Guest sharing
+## Sharing with people outside your organization
-If you need to collaborate with people outside your organization, we recommend configuring [SharePoint and OneDrive integration with Azure AD B2B](/sharepoint/sharepoint-azureb2b-integration-preview) for the best sharing and administration experience.
+If you need to share Teams content with people outside your organization, there are two options:
-Teams guest sharing is on by default, but you can turn it off if needed in the sensitive and highly sensitive tiers by using a sensitivity label.
+- **Guest sharing** - Guest sharing uses Azure AD B2B collaboration which allows users to share files, folders, sites, groups, and teams with people from outside your organization. These people access shared resources by using guest accounts in your directory.
+- **Shared channels** - Shared channels uses Azure AD B2B direct connect which allows users to share resources in your organization with people from other Azure AD organizations. These people access the shared channels in Teams by using their own work or school account. No guest account is created in your organization.
-In the highly sensitive tier, we configure the sensitivity label to encrypt files to which it is applied. If you need guests to have access to these files, you must give them permissions when you create the label.
+Both guest sharing and shared channels are useful depending on the situation. See [Plan external collaboration](plan-external-collaboration.md) for details on each and how to decide which to use for a given scenario.
+
+If you plan to use guest sharing, we recommend configuring [SharePoint and OneDrive integration with Azure AD B2B](/sharepoint/sharepoint-azureb2b-integration-preview) for the best sharing and administration experience.
+
+Teams guest sharing is on by default, but you can turn it off if needed in the sensitive and highly sensitive tiers by using a sensitivity label. Shared channels are on by default, but require setting up cross-organizational relationships for each organization you want to collaborate with. See [Collaborate with external participants in a channel](collaborate-teams-direct-connect.md) for details.
+
+In the highly sensitive tier, we configure the sensitivity label to encrypt files to which it is applied. If you need guests to have access to these files, you must give them permissions when you create the label. External participants in shared channels can't be given permissions to sensitivity labels and can't access content encrypted by a sensitivity label.
We highly recommend that you leave guest sharing on for the baseline tier and for the sensitive or highly sensitive tiers if you need to collaborate with people outside your organization. The guest sharing features in Microsoft 365 provide a much more secure and governable sharing experience than sending files as attachments in email messages. It also reduces the risk of shadow IT where users use ungoverned consumer products to share with legitimate external collaborators.
+If you regularly collaborate with other organizations that use Azure AD, shared channels may be a good option. Shared channels appear seamlessly in the other organization's Teams client and allow external participants to use their regular user account for their organization rather than having to login in separately using a guest account.
+ See the following references to create a secure and productive guest sharing environment for your organization: - [Best practices for sharing files and folders with unauthenticated users](best-practices-anonymous-sharing.md)
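Review bot: the added table row says baseline and sensitive teams let "Owners and members" create shared channels while the higher tiers restrict creation to owners, but both the sensitive- and highly-sensitive-protection articles in this same change state that shared channels "doesn't have team-level settings" and that Teams admin center and Azure AD settings apply to all teams regardless of sensitivity; either the row or those articles needs correcting, or the row should say how the per-tier restriction is enforced. The sentence "External participants in shared channels can't be given permissions to sensitivity labels and can't access content encrypted by a sensitivity label" is the key constraint for the highly sensitive tier and should also appear in that tier's article. Minor: "having to login in separately" should be "having to log in separately", and the final line runs the lead-in sentence and the first list item together.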
solutions Create Secure Guest Sharing Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/create-secure-guest-sharing-environment.md
Now, guest will be required to enroll in multi-factor authentication before they
### More information
-[Planning an Azure AD Multi-Factor Authentication deployment](/azure/active-directory/authentication/howto-mfa-getstarted)
+[Planning an Azure AD multi-factor authentication deployment](/azure/active-directory/authentication/howto-mfa-getstarted)
## Set up a terms of use for guests
To set up a guest access review
13. Type a **Review name** and review the settings. 14. Click **Create**.
-It's important to note that for SharePoint and OneDrive locations, documents will be proactively blocked right after detection of sensitive information, irrespective of whether the document is shared or not, for all external users, while internal users will continue to have access to the document.
+It's important to note that for SharePoint and OneDrive locations, documents will be proactively blocked right after detection of sensitive information, irrespective of whether the document is shared or not, for all guests, while internal users will continue to have access to the document.
### More information
To create a DLP rule
13. Choose your test options and click **Next**. 14. Click **Submit**, and then click **Done**.
-It's important to note that this policy doesn't remove access if the guest is a member of the site or team as a whole. If you plan to have highly sensitive documents in a site or team with guest members, consider using [private channels in Teams](https://support.microsoft.com/office/de3e20b0-7494-439c-b7e5-75899ebe6a0e) and only allowing members of your organization in the private channels.
+It's important to note that this policy doesn't remove access if the guest is a member of the site or team as a whole. If you plan to have highly sensitive documents in a site or team with guest members, consider these options:
+
+- Use [private channels](/MicrosoftTeams/private-channels) and only allowing members of your organization in the private channels.
+- Use [shared channels](/MicrosoftTeams/shared-channels) to collaborate with people outside your organization while only having people from your organization in the team itself.
## Additional options
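Review bot: "Use [private channels](/MicrosoftTeams/private-channels) and only allowing members of your organization" should be "and only allow members" to match the imperative "Use". More substantively, the DLP paragraph above was changed from "for all external users" to "for all guests", while the new shared-channels option relies on external participants who, per the three-tiers article, get no guest account in your directory; state whether the DLP rule in this section also blocks those shared-channel participants, otherwise a reader may assume the rule protects the shared-channel site when it may not.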
solutions End Life Cycle Groups Teams Sites Yammer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/end-life-cycle-groups-teams-sites-yammer.md
The benefit of [archiving a team](/microsoftteams/archive-or-delete-a-team) is t
When a team is archived by an owner, it's set to read-only for members both for content within the team and if selected, the associated SharePoint site. The objective of this action is to ensure that conversations in channels are preserved in their existing state, along with SharePoint-based content such as files and wikis.
-In the SharePoint site there are no visible changes. However, no changes can be made to any files or lists because the SharePoint permissions for the Microsoft 365 Group are set to **Site visitors**. This includes the OneNote notebook for the team, which is stored in the Site Assets library within the SharePoint site.
+In the SharePoint site there are no visible changes. However, no changes can be made to any files or lists because the SharePoint permissions for the Microsoft 365 group are set to **Site visitors**. This includes the OneNote notebook for the team, which is stored in the Site Assets library within the SharePoint site.
When a team is archived, the underlying Microsoft 365 group is still subject to the expiration policy (if set), and as such the owner must continue to renew the team.
If it's only required to keep a copy of the plan for record-keeping purposes, th
**Copy and move tasks to another Plan**
-While copying or moving tasks to another plan seems like a solution, individual tasks can only be [copied or moved between plans](https://support.microsoft.com/office/ad43a5d8-c1ad-42fd-b3da-fe97d72c8a1b) within the same group. This won't back up the data if the group associated With the plan is being deleted.
+While copying or moving tasks to another plan seems like a solution, individual tasks can only be [copied or moved between plans](https://support.microsoft.com/office/ad43a5d8-c1ad-42fd-b3da-fe97d72c8a1b) within the same group. This won't back up the data if the group associated with the plan is being deleted.
**Copy entire plan**
Files are generally stored in three primary locations within a SharePoint site:
- Files in channels ΓÇô Documents library - Wiki pages ΓÇô Teams Wiki Data library
-If the site has one or more subsites, the off-boarding process will need to be repeated for each subsite. If the team contains private channels, there's a separate SharePoint site for each channel.
+If the site has one or more subsites, the off-boarding process will need to be repeated for each subsite. If the team contains private or shared channels, there's a separate SharePoint site for each channel.
It's important when removing files from a group or team to consider that they may be shared with users who aren't members of the group or team. You may want to communicate the impending change to them.
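Review bot: The expanded sentence now says that each private or shared channel has its own SharePoint site, but the only instruction to repeat the off-boarding process is for subsites in the sentence before it, so a reader could conclude that channel sites are handled together with the team site. Suggest making it explicit, for example: "If the team contains private or shared channels, there's a separate SharePoint site for each channel, and the off-boarding process must be repeated for each of those sites as well."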
solutions Groups Services Interactions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-services-interactions.md
Yes, SharePoint offers several non-group-associated services and sites such as c
**Can there be multiple sites per group?**
-No, there can only be a single site per group. Private channels in Teams use additional sites that are not connected to the group.
+No, there can only be a single site per group. Private and shared channels in Teams use additional sites that are not connected to the group.
**Can sites be associated with multiple groups?**
solutions Groups Teams Access Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-teams-access-governance.md
The following table provides a quick reference for the access controls available
||Dynamic group membership based on rules|[Create or update a dynamic group in Azure Active Directory](/azure/active-directory/users-groups-roles/groups-create-rule)| ||Control who can share files, folders, and sites.|[Set up and manage access requests](https://support.microsoft.com/office/94b26e0b-2822-49d4-929a-8455698654b3)| |Conditional access|||
-||Multifactor Authentication|[Azure AD Multifactor Authentication](/azure/active-directory/authentication/concept-mfa-howitworks)|
+||Multi-factor Authentication|[Azure AD multi-factor Authentication](/azure/active-directory/authentication/concept-mfa-howitworks)|
||Control device access based on group, team, or site sensitivity.|[Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](../compliance/sensitivity-labels-teams-groups-sites.md)| ||Limit site access for unmanaged devices.|[Control SharePoint access from unmanaged devices](/sharepoint/control-access-from-unmanaged-devices)| ||Control site access based on location|[Control access to SharePoint and OneDrive data based on network location](/sharepoint/control-access-based-on-network-location)|
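Review bot: The renamed table row is inconsistently capitalized: the link text reads "Azure AD multi-factor Authentication" (lowercase "multi-factor", capital "Authentication"), while the Conditional access hunk later in this same file changes the same link to "Azure AD multi-factor authentication". Pick one form for both, and use matching casing in the first cell ("Multi-factor authentication").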
The following table provides a quick reference for the access controls available
|User management||| ||Review team and group membership on a regular basis.|[What are Azure AD access reviews?](/azure/active-directory/governance/access-reviews-overview)| ||Automate access management to groups and teams.|[What is Azure AD entitlement management?](/azure/active-directory/governance/entitlement-management-overview)|
-||Allow or block people from creating private channels in Teams.|[Manage the life cycle of private channels in Microsoft Teams](/MicrosoftTeams/private-channels-life-cycle-management)|
## Membership
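Review bot: Removing the "Allow or block people from creating private channels in Teams" row leaves the User management table with no entry for channel governance at all, even though the article still links the private channels life cycle page further down and this same change adds shared channels as a capability you "may want to allow or block". If the intent was to replace rather than drop the row, add one covering private and shared channels that links both the private channels life cycle page and the shared channels page.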
SharePoint sites provide the ability to add owners, members, and visitors apart
## Conditional access
-With Microsoft 365, you can require multifactor authentication for both people inside and outside your organization. There are many options for the circumstances when people are prompted for a second factor of authentication. We highly recommend that you deploy multifactor authentication for your organization:
+With Microsoft 365, you can require multi-factor authentication for both people inside and outside your organization. There are many options for the circumstances when people are prompted for a second factor of authentication. We highly recommend that you deploy multi-factor authentication for your organization:
-- [Azure AD Multifactor Authentication](/azure/active-directory/authentication/concept-mfa-howitworks)
+- [Azure AD multi-factor authentication](/azure/active-directory/authentication/concept-mfa-howitworks)
If you have sensitive information in some of your groups and teams, you can enforce device management policies based on a group or team's sensitivity label. You can block access entirely from unmanaged devices, or allow limited, web only access:
Private channels in Teams allow for scoped conversations and file sharing betwee
- [Private channels in Microsoft Teams](/MicrosoftTeams/private-channels) -- [Manage the life cycle of private channels in Microsoft Teams](/MicrosoftTeams/private-channels-life-cycle-management)
+Shared channels allow you to invite people who are outside the team or outside the organization. Depending on your specific business needs and external sharing policies, you may want to allow or block this capability.
+
+- [Shared channels](/MicrosoftTeams/shared-channels)
Additional resources:
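Review bot: The added paragraph tells the reader they "may want to allow or block" external participation in shared channels but links only to the shared channels overview, not to where that decision is enforced (the Azure AD cross-tenant access settings), whereas the preceding private channels paragraph links both the feature page and its life cycle management page. Suggest a second bullet pointing to the cross-tenant access settings procedure, for example the "Limit who can be invited by an organization" article added in this same change.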
solutions Limit Guest Sharing To Specific Organization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/limit-guest-sharing-to-specific-organization.md
+
+ Title: "Limit guest sharing to specific organizations"
+++
+audience: ITPro
++
+- SPO_Content
+- M365-collaboration
+- m365solution-securecollab
+- m365solution-scenario
+- m365initiative-externalcollab
+ms.localizationpriority: medium
+f1.keywords: NOCSH
+recommendations: false
+description: Learn how to limit guest sharing to specific Azure AD or Microsoft 365 organizations.
++
+# Limit guest sharing to specific organizations
+
+By default, users can invite people outside the organization as guests. This includes inviting them to teams in Microsoft Team, SharePoint sites, and sharing individual files and folders with them.
+
+If you only want your users to invite guests from specific organizations, you can specify these organizations in the Azure Active Directory cross-tenant access settings for [B2B collaboration](/azure/active-directory/external-identities/what-is-b2b).
+
+## Configure cross-tenant access settings
+
+The first step in limiting guest sharing is to change the default settings in the Azure AD cross-tenant access settings to block inviting guests by default. Then you can allow guest invitations for specific organizations.
+
+> [!NOTE]
+> Changes to cross-tenant access settings may take two hours to take effect.
+
+### Set the default B2B collaboration settings to block inviting guests
+
+Because inviting guests is enabled by default, limiting guest invitations to certain organizations requires blocking inbound B2B collaboration by default.
+
+To block inbound B2B collaboration by default
+1. Sign in to [Azure Active Directory](https://aad.portal.azure.com) using a Global administrator or Security administrator account.
+1. Select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+1. Select the **Default settings** tab.
+1. Under **Inbound access settings**, select **Edit inbound defaults**.
+1. Select the **B2B collaboration** tab and the **Users and groups** tab.
+1. Under **Access status**, choose **Block access**.
+1. Select the **External access** tab.
+1. Under **Access status**, choose **Block access**.
+1. Select **Save**.
+1. Close the **Default settings** blade.
+
+### Add the organization where you want to allow guest invitations
+
+Next, add the organizations where you want to allow your users to invite guests to the Azure AD cross-tenant access list.
+
+To add an organization
+1. In [Azure Active Directory](https://aad.portal.azure.com), select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+1. Select **Organizational settings**.
+1. Select **Add organization**.
+1. On the **Add organization** pane, type the full domain name (or tenant ID) for the organization.
+1. Select the organization in the search results, and then select **Add**.
+1. The organization appears in the **Organizational settings** list.
+
+At this point, all access settings for this organization are inherited from your default settings.
+
+### Configure inbound settings for the organization to allow all users
+
+Once you have added the organization, you need to update the organization's inbound settings to allow B2B collaboration users to be invited as guests. Do this for each organization where you want to allow your users to be able to invite guests.
+
+1. In [Azure Active Directory](https://aad.portal.azure.com), select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+1. Select the inbound access link for the organization that you want to modify.
+1. On the **B2B collaboration** tab, choose **Customize settings**.
+1. Under **Access status**, choose **Allow access**.
+1. Under **Target**, choose to allow all users.
+1. Select **Save** and close the **Outbound access settings** blade.
+
+## Turn off one-time passcode authentication
+
+Even after you've limited B2B collaboration to certain organizations, people can still share files and folders with people in other organizations - they just won't be given a guest account in your directory.
+
+If you wish to prevent sharing entirely with other organizations, you have to disable the one-time passcode feature in Azure AD. This will prevent people outside your organization from being sent a one-time passcode for authentication to shared files or folders.
+
+To disable the email one-time passcode feature
+1. Sign in to the [Azure portal](https://portal.azure.com/) as an Azure AD global administrator.
+1. In the navigation pane, select **Azure Active Directory**.
+1. Select **External Identities** > **All identity providers**.
+1. Select **Email one-time passcode**, and then under **Email one-time passcode for guests**, select **Disable email one-time passcode for guests** (or **No** if the feature was previously enabled, disabled, or opted into during preview).
+1. Select **Save**.
+
+## Related topics
+
+[B2B direct connect overview](/azure/active-directory/external-identities/b2b-direct-connect-overview)
+
+[Configure cross-tenant access settings for B2B direct connect](/azure/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect)
+
+[Limit who can be invited by an organization](limit-invitations-from-specific-organization.md)
+
+[Limit organizations where users can have guest accounts](limit-organizations-where-users-have-guest-accounts.md)
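Review bot: In "Configure inbound settings for the organization to allow all users", the final step says to close the **Outbound access settings** blade, but the procedure opens the inbound access link for the organization; this should read **Inbound access settings**. Two smaller points: the introduction has "teams in Microsoft Team" (should be "Microsoft Teams"), and the inbound procedure lacks the "Sign in to Azure Active Directory" first step that the default-settings procedure above it has, so the two procedures start inconsistently.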
solutions Limit Invitations From Specific Organization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/limit-invitations-from-specific-organization.md
+
+ Title: "Limit who can be invited by an organization"
+++
+audience: ITPro
++
+- SPO_Content
+- M365-collaboration
+- m365solution-securecollab
+- m365solution-scenario
+- m365initiative-externalcollab
+ms.localizationpriority: medium
+f1.keywords: NOCSH
+recommendations: false
+description: Learn how to limit which of your users can be invited as a guest or shared channel participant to a specific organization.
++
+# Limit who can be invited by an organization
+
+If you collaborate with another organization and want to limit who can be invited to that organization as a guest or a shared channel member in Teams, you can specify who can be invited in the cross-tenant access settings in Azure Active Directory.
+
+> [!NOTE]
+> Changes to cross-tenant access settings may take two hours to take effect.
+
+## Create a security group
+
+The easiest way to specify who can be invited to another organization is to use a security group. You can use a security group with a defined membership or a dynamic security group. You can use an existing security group or create a new one for this purpose.
+
+To create a security group
+1. Sign in to [Azure Active Directory](https://aad.portal.azure.com) using a Global administrator or Security administrator account.
+1. On the **Active Directory** page, select **Groups** and then select **New group**.
+1. Choose **Security** for the **Group type**.
+1. Type a **Group name.**
+1. Optionally, add a description for the group.
+1. For **Azure AD roles can be assigned to the group**, choose **No**.
+1. Select a pre-defined **Membership type (required)**.
+1. Add group owners and members or a [dynamic query](/azure/active-directory/enterprise-users/groups-dynamic-membership) if you're using dynamic user membership.
+1. Select **Create**. Your group is created and ready for you to add members.
+
+## Add an organization
+
+To define collaboration rules with another organization, you have to add that organization to the Azure AD cross-tenant access settings. If you haven't already added the organization, follow this procedure to add it.
+
+To add an organization
+1. In [Azure Active Directory](https://aad.portal.azure.com), select **External Identities**, and then select **Cross-tenant access settings (preview)**.1. Select **Organizational settings**.
+1. Select **Add organization**.
+1. On the **Add organization** pane, type the full domain name (or tenant ID) for the organization.
+1. Select the organization in the search results, and then select **Add**.
+1. The organization appears in the **Organizational settings** list. At this point, all access settings for this organization are inherited from your default settings.
+
+## Choose who can be invited by an organization
+
+There are two options for limiting who can be invited to an organization:
+
+- Limit who can be invited as a guest. This prevents users from being added to the other organization's Azure AD as a guest. It prevents sharing of files, folders, sites, teams, and Microsoft 365 groups with people who aren't in the security group.
+- Limit who can be added to an external shared channel. This prevents people who aren't in the security group from being added to shared channels in the other organization.
+
+In [Azure Active Directory](https://aad.portal.azure.com), select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+
+To limit who can be invited as a guest
+1. Select the outbound access link for the organization that you want to modify.
+1. On the **B2B collaboration** tab, choose **Customize settings**.
+1. Under **Access status**, choose **Allow access**.
+1. Under **Target**, choose **Select external users and groups**.
+1. Select the link to add users and groups.
+1. Search for and select the security group that you want to use.
+1. Choose **Select**.
+1. Select **Save** and close the **Outbound access settings** blade.
++
+To limit who can be invited as a shared channel participant
+1. Select the outbound access link for the organization that you want to modify.
+1. On the **B2B direct connect** tab, choose **Customize settings**.
+1. Under **Access status**, choose **Allow access**.
+1. Under **Target**, choose **Select external users and groups**.
+1. Select the link to add users and groups.
+1. Search for and select the security group that you want to use.
+1. Choose **Select**.
+1. Select **Save** and close the **Outbound access settings** blade.
+
+## Related topics
+
+[B2B direct connect overview](/azure/active-directory/external-identities/b2b-direct-connect-overview)
+
+[Configure cross-tenant access settings for B2B direct connect](/azure/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect)
+
+[Limit organizations where users can have guest accounts](limit-organizations-where-users-have-guest-accounts.md)
+
+[Limit guest sharing to specific organizations](limit-guest-sharing-to-specific-organization.md)
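Review bot: In "Add an organization", the first and second steps have run together on one line: "...**Cross-tenant access settings (preview)**.1. Select **Organizational settings**." The "1. Select **Organizational settings**." step needs to start on its own line or it renders as part of step 1. Also consider stating in the two-option list that limiting guests is enforced on the **B2B collaboration** tab and limiting shared channel participants on the **B2B direct connect** tab, so the options match the tab names used in the procedures below.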
solutions Limit Organizations Where Users Have Guest Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/limit-organizations-where-users-have-guest-accounts.md
+
+ Title: "Limit organizations where users can have guest accounts"
+++
+audience: ITPro
++
+- SPO_Content
+- M365-collaboration
+- m365solution-securecollab
+- m365solution-scenario
+- m365initiative-externalcollab
+ms.localizationpriority: medium
+f1.keywords: NOCSH
+recommendations: false
+description: Learn how to specify which organizations your users can have guest accounts in.
++
+# Limit organizations where users can have guest accounts
+
+By default, other Microsoft 365 and Azure Active Directory organizations can invite your users to participate in their organization as guests. This includes inviting them to teams in Microsoft Team, SharePoint sites, and sharing individual files and folders with them.
+
+If you only want your users to participate as guests with specific organizations, you can specify these organizations in the Azure Active Directory cross-tenant access settings for [B2B collaboration](/azure/active-directory/external-identities/what-is-b2b).
+
+> [!NOTE]
+> Changes to cross-tenant access settings may take two hours to take effect.
+
+## Set the default B2B collaboration settings to block users from being guests
+
+Because participating as guests is enabled by default, limiting guest participation to certain organizations requires blocking outbound B2B collaboration by default.
+
+To block outbound B2B collaboration by default
+1. Sign in to [Azure Active Directory](https://aad.portal.azure.com) using a Global administrator or Security administrator account.
+1. Select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+1. Select the **Default settings** tab.
+1. Under **Outbound access settings**, select **Edit outbound defaults**.
+1. Select the **B2B collaboration** tab and the **Users and groups** tab.
+1. Under **Access status**, choose **Block access**.
+1. Select the **External access** tab.
+1. Under **Access status**, choose **Block access**.
+1. Select **Save**.
+1. Close the **Default settings** blade.
+
+## Add an organization
+
+Next, add the organizations where you want to allow your users to collaborate as guests to the Azure AD cross-tenant access list.
+
+To add an organization
+1. In [Azure Active Directory](https://aad.portal.azure.com), select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+1. Select **Organizational settings**.
+1. Select **Add organization**.
+1. On the **Add organization** pane, type the full domain name (or tenant ID) for the organization.
+1. Select the organization in the search results, and then select **Add**.
+1. The organization appears in the **Organizational settings** list.
+
+At this point, all access settings for this organization are inherited from your default settings.
+
+## Configure the organization's outbound setting to allow all users
+
+Once you have added the organization, you need to update the organization's outbound settings to allow B2B collaboration users to be added as guests. Do this for each organization where you want to allow your users to be added as guests.
+
+To allow users to B2B collaboration guests in an organization
+1. In [Azure Active Directory](https://aad.portal.azure.com), select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+1. Select the outbound access link for the organization that you want to modify.
+1. On the **B2B collaboration** tab, choose **Customize settings**.
+1. Under **Access status**, choose **Allow access**.
+1. Under **Target**, choose to allow all users.
+1. Select **Save** and close the **Outbound access settings** blade.
+
+## Related topics
+
+[B2B direct connect overview](/azure/active-directory/external-identities/b2b-direct-connect-overview)
+
+[Configure cross-tenant access settings for B2B direct connect](/azure/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect)
+
+[Limit who can be invited by an organization](limit-invitations-from-specific-organization.md)
+
+[Limit guest sharing to specific organizations](limit-guest-sharing-to-specific-organization.md)
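Review bot: The procedure heading "To allow users to B2B collaboration guests in an organization" is missing a verb; it should read "To allow users to be B2B collaboration guests in an organization". The introduction also has "teams in Microsoft Team" (should be "Microsoft Teams"), the same typo as in the limit-guest-sharing article in this change.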
solutions Limit Who Can Invite Guests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/limit-who-can-invite-guests.md
+
+ Title: "Limit who can invite guests"
+++
+audience: ITPro
++
+- SPO_Content
+- M365-collaboration
+- m365solution-securecollab
+- m365solution-scenario
+- m365initiative-externalcollab
+ms.localizationpriority: medium
+f1.keywords: NOCSH
+recommendations: false
+description: Learn how to limit who can invite guests to your organization.
++
+# Limit who can invite guests
+
+You can limit who in your organization can invite guests. Guest accounts can be used for sharing teams, SharePoint sites, files, and folders with people outside your organization.
+
+If your business processes require that you limit who can share with guests, or if you want users to complete training before they're able to share with guests, you can limit who can share by using the Guest inviter role in Azure Active Directory.
+
+## Create a security group for people allowed to invite guests
+
+The first step is to create a security group for the users who will be allowed to invite guests. Be sure to configure this group to allow an Azure AD role, and then assign it the Guest inviter role.
+
+To create a security group for guest inviters
+1. Sign in to [Azure Active Directory](https://aad.portal.azure.com) using a Global administrator or Security administrator account.
+1. On the **Active Directory** page, select **Groups** and then select **New group**.
+1. Choose **Security** for the **Group type**.
+1. Type a **Group name.**
+1. Optionally, add a description for the group.
+1. For **Azure AD roles can be assigned to the group**, choose **Yes**.
+1. Add group owners and members.
+1. Under **Roles**, select **No roles selected**.
+1. Search for and select the **Guest inviter** role, and then choose **Select**.
+1. Select **Create**, and confirm that you want a group to which roles can be assigned. Your group is created and ready for you to add members.
+
+## Configure external collaboration settings
+
+Once you've created the security group and added the users who you want to be able to invite guests, the next step is to configure the Azure AD external collaboration settings to only allow users with the Guest inviter role to invite guests.
+
+Note that global administrators can always invite guests regardless of this setting.
+
+> [!NOTE]
+> Changes to cross-tenant access settings may take two hours to take effect.
+
+To configure Azure AD to limit guest invites to the Guest inviter role
+1. In [Azure Active Directory](https://aad.portal.azure.com/), select **External identities**.
+1. Select **External collaboration settings**.
+1. Under **Guest invite settings**, choose **Only users assigned to specific admin roles can invite guests**.
+1. Select **Save**.
+
+## Related topics
+
+[Allow only users in specific security groups to share externally in SharePoint and OneDrive](/sharepoint/manage-security-groups)
+
+[Enable B2B external collaboration and manage who can invite guests](/azure/active-directory/external-identities/delegate-invitations)
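Review bot: The note "Changes to cross-tenant access settings may take two hours to take effect" sits under "Configure external collaboration settings", but this article never touches cross-tenant access settings; it changes the Guest invite settings under External collaboration settings. Either drop the note or reword it to name the setting this article actually changes, if the same propagation delay applies. The caveat that global administrators can always invite guests regardless of this setting is useful; consider also saying how the Guest inviter group relates to the SharePoint security-group sharing setting linked under Related topics, since a reader configuring both will want to know whether the two group memberships need to match.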
solutions Plan External Collaboration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/plan-external-collaboration.md
+
+ Title: "Plan external collaboration"
+++
+audience: ITPro
++
+- M365-collaboration
+- m365solution-securecollab
+- m365solution-scenario
+- m365initiative-externalcollab
+
+- seo-marvel-apr2020
+- seo-marvel-jun2020
+localization_priority: Normal
+f1.keywords: NOCSH
+recommendations: false
+description: Plan which external collaboration options to use in Microsoft 365.
++
+# Plan external collaboration
+
+Microsoft 365 offers several options for collaborating with people outside your organization:
+
+- 1:1 and group chat in Teams with people outside your organization
+- Teams meetings with people outside your organization
+- Sharing individual files or folders with people outside your organization
+- Collaboration in a team, with channel conversations, file collaboration, and shared apps
+
+This article covers the fourth option, group collaboration with channel conversations, file collaboration, and shared apps.
+
+## Terms
+
+- **Azure AD B2B collaboration** ΓÇô A feature that allows users to share files, folders, sites, groups, and teams with people from outside your organization. These people access shared resources by using guest accounts in your directory.
+- **Azure AD B2B direct connect** ΓÇô A feature that allows users to share resources in your organization with people from other Azure AD organizations. These people access the shared resources by using their own work or school account. No guest account is created in your organization.
+- **External participant** ΓÇô A person from outside your organization who is participating in a resource ΓÇô such as a shared channel ΓÇô using their own identity and not a guest account in your directory.
+- **External organization** ΓÇô Another organization that you are sharing resources with.
+- **Guest** ΓÇô A person from outside your organization who accesses shared resources by signing in to a guest account in your directory.
+- **Host organization** ΓÇô The organization that is hosting a shared resource, such as a shared channel.
+- **Shared channel** ΓÇô A Teams channel that can be shared with people outside the team. These people can be inside your organization or from other Azure AD organizations.
+- **Sharing links** ΓÇô Links with permissions to a file or folder that are used to share that file or folder with others. The people being shared with can be inside or outside your organization.
+
+## Options for collaboration in a team
+
+When collaborating in a team with people outside your organization, there are two options for how those people access the resources that you share with them.
+
+**Guest sharing**
+
+Guest sharing uses Azure AD B2B collaboration to allow sharing and collaboration with people outside your organization by adding a guest account in Azure AD for each person. Guest accounts can be used for the following:
+
+- Guest membership in teams, SharePoint sites, and Microsoft 365 groups
+- Individual file and folder sharing
+
+Guests in a team have similar capabilities to regular team members.
+
+**External participants in shared channels**
+
+External participants access shared resources in your organization by using their own Azure AD or Microsoft 365 identity. This is enabled by Azure AD B2B direct connect through an organizational relationship configured by both organizations. Guest accounts are not used in this relationship.
+
+The primary advantage of external participants in shared channels versus guest sharing is that people outside your organization can collaborate with your users in Teams without having to change their user context. When using guest accounts, users must sign out of Teams with their work or school account and sign in again using the guest account. Alternatively, they can have a separate copy of Teams running in a private browser session. This switching between organizations takes time and can cause users to miss important communications while signed out of a given organization.
+
+With shared channels, users can remain signed in to their organization and access channels shared with them from other organizations. Shared channels from other organizations are available in Teams alongside the teams and channels in your organization. There is no need to switch organizations.
+
+## Feature comparison
+
+The following table describes the experiences available depending on the type of account used.
+
+|Feature|User (your organization)|Guest (Azure AD collaboration)|External participant (Azure AD direct connect)|
+|:--|:--|:|:-|
+|Team access|Y|Y|N|
+|Shared channel access|Y|N|Y|
+|Permissions through file sharing links|Y|Y|N|
+|Use shared channels|Y|N|Y|
+|Use private channels|Y|Y|N|
+|Account in your directory|Y|Y|N|
+|Access reviews|Y|Y|Y|
+
+## Planning considerations
+
+Most organizations will use both guest sharing and shared channels with external participants.
+
+Guest sharing is enabled by default in Azure AD and in Microsoft 365 (Teams, Microsoft 365 Groups, and SharePoint). This allows users to invite guests to teams and sites and to share files with them without having to request assistance from IT.
+
+You must use guest sharing if:
+- You want to invite people from outside your organization to the team rather than individual channels
+- You want to share files or folders in a channel with people outside your organization who are not in the channel
+- You want to collaborate with people outside your organization who do not have a work or school account.
+
+While shared channels is turned on by default in Teams, external collaboration with shared channels requires that an Azure AD administrator set up cross-tenant access between your organization and each other organization with which you want to share. Each other organization must set up cross-tenant access on their end as well.
+
+If you plan to use shared channels with other organizations, you can choose between a self-service model and a by-request model.
+
+- Self-service ΓÇô You can configure cross-tenant access to allow inbound and outbound access to all other Azure AD organizations. Alternatively, you can block a list of organizations that you don't want your users to share with, leaving all other organizations available. This allows your users to invite people outside the organization to participate in shared channels without having to contact your helpdesk or IT department.
+- By-request ΓÇô You can configure cross-tenant access for each individual organization with which you want to allow shared channels. When choosing this model, it's important to have a documented business process that your users can follow to request cross-tenant access with another organization.
+
+## Compliance in shared channels
+
+Shared channels are integrated with Microsoft 365 compliance features.
+
+##### Communications compliance
+
+Admins can set policies to monitor content for all users in the channel. All messages content in channels, including the shared channel, are covered by [communication compliance policies](/microsoft-365/compliance/communication-compliance). Shared channels inherit the policy of the host organization.
+
+##### Conditional access
+
+The host organization's [conditional access policies](/azure/active-directory/conditional-access/overview) are applied to external participants, including B2B direct connect users. The external organization's policies are not used. The following types of conditional access policies are supported with shared channels:
+
+- Policies that are scoped to all guest users, external participants, SharePoint Online cloud apps
+- Grant Access controls that require MFA, a compliant device, or a hybrid Azure AD joined device.
+
+IP-based policies are supported at the SharePoint file level. So an external participant could access shared channel from a restricted location, but be blocked when trying to open a file.
+
+##### Data loss prevention (DLP)
+
+Admins can apply [DLP policies](/microsoft-365/compliance/dlp-policy-design) to a team where all channels, including shared channels, inherit the policy. Shared channels inherit the policy of the host organization.
+
+##### Retention policy
+
+Admins can apply a [retention policy](/microsoft-365/compliance/retention) on a team where all channels, including shared channels, inherit the retention policy. Shared channels inherit the policy of the parent team.
+
+##### Sensitivity labels
+
+[Sensitivity labels](/microsoft-365/compliance/sensitivity-labels) available in the host organization are the only labels that can be applied to the documents in a shared channel site. A file that is encrypted by a sensitivity label cannot be opened by external participants. Automatic labeling is not used.
+
+Shared channels and their associated SharePoint sites inherit the label from the parent team.
+
+##### Information barriers
+
+Users who are not allowed to communicate per [information barrier](/microsoftteams/information-barriers-in-teams) policies can't be part of shared channel. Information barrier policies are only effective for users in the host organization. If users are external participants in another organization's shared channel, information barrier policies don't apply.
+
+##### eDiscovery
+
+Admins can perform searches for all users in the channel. All channels, including the shared channel, are discoverable. All message data in the channel regardless of who added the data is discoverable by the compliance admin.
+
+##### Legal hold
+
+Admins can place channel-only members from the host organization who are not a part of the team on hold. They can also [place the entire team on hold](/MicrosoftTeams/legal-hold). Admins cannot place an external participant on hold.
+
+##### Audit logs
+
+All the actions performed for [existing audit events](/microsoft-365/compliance/detailed-properties-in-the-office-365-audit-log) are audited in shared channels.
++
+## Related topics
+
+[Intro to file collaboration in Microsoft 365](/sharepoint/intro-to-file-collaboration)
+
+[Plan file collaboration in SharePoint with Microsoft 365](/sharepoint/deploy-file-collaboration)
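Review bot: The `##### Conditional access` paragraph states the location-policy gap only by example; it should say directly that IP/location-based conditions are not enforced for an external participant's access to the shared channel itself (the Teams messages) and only take effect when that participant opens a file on the channel's SharePoint site, so an IP allow-list in the host tenant does not keep B2B direct connect users' chat access confined to trusted networks. Suggested wording for 'IP-based policies are supported at the SharePoint file level. So an external participant could access shared channel from a restricted location, but be blocked when trying to open a file.': 'Location-based (IP) conditions are enforced only at the SharePoint file level: an external participant signing in from a blocked location can still read and post in the shared channel but is blocked when opening a file in it.' Two smaller items in the same hunk: under `##### Communications compliance`, 'All messages content in channels, including the shared channel, are covered' should be 'All message content in channels, including shared channels, is covered'; and the inheritance sentences disagree in scope ('inherit the policy of the host organization' for communication compliance and DLP, 'inherit the policy of the parent team' for retention and sensitivity labels), so if both scopes apply, each section should say which policy comes from the tenant and which from the parent team rather than leaving the reader to reconcile them.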
solutions Setup Secure Collaboration With Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/setup-secure-collaboration-with-teams.md
To configure secure collaboration, you use these Microsoft 365 capabilities and
|||| |Microsoft Defender for Office 365|Safe Attachments for SPO, OneDrive and Teams; Safe Documents; Safe Links for Teams|Microsoft 365 E1, E3 and E5| |SharePoint|Site and file sharing policies, Site sharing permissions, Sharing links, Access requests, Site guest sharing settings|Microsoft 365 E1, E3 and E5|
-|Microsoft Teams|Guest access, private teams, private channels|Microsoft 365 E1, E3 and E5|
+|Microsoft Teams|Guest access, private teams, private channels, shared channels|Microsoft 365 E1, E3 and E5|
|Microsoft 365 Compliance|Sensitivity labels|Microsoft 365 E3 and E5| ## Collaboration governance framework for Teams and Microsoft 365
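Review bot: Adding 'shared channels' to the Microsoft Teams row leaves the table without the control that actually gates who can join them: external participation in shared channels is governed by Azure AD cross-tenant access settings (B2B direct connect), not by the Teams guest access or SharePoint sharing settings listed in this table, and the 'Require conditional access for people outside your organization' page added in this same change set treats the trust settings under Cross-tenant access settings as a prerequisite. Suggest either adding an Azure AD row along the lines of '|Azure Active Directory|Cross-tenant access settings for B2B direct connect|...|' with the correct licensing filled in by the author, or noting in the Teams row that shared channels depend on those settings.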
These resources will help you get started with setting up your environment for c
- [Collaborate on documents](collaborate-on-documents.md) for sharing individual files of folders. - [Collaborate in a site](collaborate-in-site.md) for collaborating with guests in a SharePoint site. - [Collaborate as a team](collaborate-as-team.md) for collaborating with guests in a team.
+- [Collaborate with external participants in a channel](/microsoft-365/solutions/collaborate-teams-direct-connect) for collaborating with people outside the organization in a shared channel.
Depending on the sensitivity of the information being shared, you can add safeguards to help prevent oversharing. These resources will help you set up the protections that you need for your organization:
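Review bot: The new bullet links with a site-absolute path (`/microsoft-365/solutions/collaborate-teams-direct-connect`) while the three sibling bullets use repo-relative links (`collaborate-on-documents.md`, `collaborate-in-site.md`, `collaborate-as-team.md`); since the target lives in the same `solutions` folder, `collaborate-teams-direct-connect.md` keeps the list consistent. The bullet is also the only one that says 'people outside the organization' rather than 'guests'; that distinction is deliberate for B2B direct connect users, who are not guest accounts in your directory, so consider adding 'without adding them as guests' so readers coming from the guest-focused bullets see why the wording differs.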
Depending on the sensitivity of the information being shared, you can add safegu
- [Limit accidental exposure to files when sharing with people outside your organization](share-limit-accidental-exposure.md) - [Create a secure guest sharing environment](create-secure-guest-sharing-environment.md)
-If you have a major project with a partner organization, you can use Azure Entitlement Management to manage the guests from that organization in a team that you set up for the project. See [Create a B2B extranet with managed guests](b2b-extranet.md) for details.
+If you have a major project with a partner organization, you can use either [shared channels](/microsoft-365/solutions/collaborate-teams-direct-connect) or [Azure Entitlement Management](b2b-extranet.md) to manage the people outside your organization who you need to collaborate with.
## Training for administrators
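Review bot: The replacement sentence presents shared channels and entitlement management as interchangeable ways 'to manage the people outside your organization', but the two have different security models and the page should say when to choose which: entitlement management provisions guest accounts in your own directory (the removed sentence's 'manage the guests from that organization'), whereas a shared channel's external participants remain B2B direct connect users in their home tenant, and the compliance section added in this same change set notes that such participants cannot be placed on legal hold and are not subject to your information barrier policies. Suggest keeping the B2B extranet guidance as the option for a project that needs guest accounts you can govern directly, and pointing to shared channels for channel-level collaboration where the partner tenant's identities and devices are trusted through cross-tenant access settings.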
These training modules from Microsoft Learn can help you learn the collaboration
|Training:|Protect enterprise information with Microsoft 365| |||
-|![Teams info protection training icon.](../media/protect-enterprise-information-microsoft-365.svg)|Protecting and securing your organization's information is more challenging than ever. The Protect enterprise information with Microsoft 365 learning path discusses how to protect your sensitive information from accidental oversharing or misuse, how to discover and classify data, how to protect it with sensitivity labels, and how to both monitor and analyze your sensitive information to protect against its loss. This learning path can help you prepare for the Microsoft 365 Certified: Security Administrator Associate and Microsoft 365 Certified: Enterprise Administration Expert certifications..<p>1 hr - Learning Path - 5 Modules|
+|![Teams info protection training icon.](../media/protect-enterprise-information-microsoft-365.svg)|Protecting and securing your organization's information is more challenging than ever. The Protect enterprise information with Microsoft 365 learning path discusses how to protect your sensitive information from accidental oversharing or misuse, how to discover and classify data, how to protect it with sensitivity labels, and how to both monitor and analyze your sensitive information to protect against its loss. This learning path can help you prepare for the Microsoft 365 Certified: Security Administrator Associate and Microsoft 365 Certified: Enterprise Administration Expert certifications.<p>1 hr - Learning Path - 5 Modules|
> [!div class="nextstepaction"] > [Start >](/learn/modules/m365-security-info-overview/introduction/)
solutions Trust Conditional Access From Other Organizations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/trust-conditional-access-from-other-organizations.md
+
+ Title: "Require conditional access for people outside your organization"
+++
+audience: ITPro
++
+- SPO_Content
+- M365-collaboration
+- m365solution-securecollab
+- m365solution-scenario
+- m365initiative-externalcollab
+ms.localizationpriority: medium
+f1.keywords: NOCSH
+recommendations: false
+description: Learn how to require people outside your organization to pass conditional access checks such as MFA and compliant devices.
++
+# Require conditional access for people outside your organization
+
+You can require any of the following conditional access options for people outside your organization:
+
+- Multi-factor authentication
+- Compliant devices
+- Hybrid Azure AD joined devices
+
+When using Azure AD B2B direct connect - such as with shared channels in Teams - you can choose to trust the conditional access settings from other organizations for these options.
+
+## Planning considerations for conditional access
+
+Multi-factor authentication can be used with any external account. If your organization doesn't trust multi-factor authentication from other Azure AD organizations, users from those organizations will have to perform multi-factor authentication when accessing resources in your organization. People with third party email addresses (not hosted by Microsoft) will always be prompted for multi-factor authentication.
+
+The options **Require device to be marked compliant** and **Require Hybrid Azure AD joined device** require devices that are managed in Azure AD. If you choose to enable these options, people outside your organization must be using devices that are managed by your organization or by an organization that you trust. People without managed devices will be blocked, including:
+
+- People with third party or consumer email addresses
+- People from Microsoft 365 or Azure AD organizations that don't manage devices
+- People from Microsoft 365 or Azure AD organizations that require managed devices where your organization doesn't trust their conditional access settings.
+
+We recommend using caution when requiring compliant or hybrid Azure AD joined devices because this will block many external collaboration scenarios. Be sure all of your partner organizations manage their devices and that your organization trusts their settings.
+
+## Set up conditional access requirements for people outside your organization
+
+To require conditional access for people outside your organization, do the following:
+
+1. [Choose conditional access settings to trust from other organizations](#choose-conditional-access-settings-to-trust-from-other-organizations).
+1. [Set up conditional access for people outside your organization](#set-up-conditional-access-for-people-outside-your-organization).
+
+## Choose conditional access settings to trust from other organizations
+
+You can choose to trust conditional access settings from all other Microsoft 365 and Azure AD organizations or only from those you specify.
+
+> [!NOTE]
+> Changes to cross-tenant access settings may take two hours to take effect.
+
+### Trust conditional access settings from all Azure Active Directory organizations
+
+If you want to trust conditional access settings from all organizations, follow this procedure.
+
+To trust conditional access settings from all Azure Active Directory organizations
+1. Sign in to [Azure Active Directory](https://aad.portal.azure.com) using a Global administrator or Security administrator account.
+1. Select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+1. Select the **Default settings** tab.
+1. Under **Inbound access settings**, select **Edit inbound defaults**.
+1. Select the **Trust settings** tab.
+1. Choose which settings you want your conditional access policies to accept from other organizations.
+1. Select **Save** and close the **Default settings** blade.
+
+### Trust conditional access settings from a specific organization
+
+If you want to trust conditional access settings from a specific organization, follow this procedure.
+
+To trust conditional access settings from a specific organization
+1. Sign in to [Azure Active Directory](https://aad.portal.azure.com) using a Global administrator or Security administrator account.
+1. Select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+1. Select the **Inbound access** settings for the organization where you want to trust conditional access settings.
+1. Select the **Trust settings** tab.
+1. Select the **Customize settings** option.
+1. Choose which settings you want your conditional access policies to accept from other organizations.
+1. Select **Save** and close the **Default settings** blade.
+
+## Set up conditional access for people outside your organization
+
+Setting up a conditional access policy for people outside your organization affects the following:
+
+- People using guest accounts (Azure AD B2B collaboration users)
+- External participants in Teams shared channels (Azure AD B2B direct connect users)
+
+> [!IMPORTANT]
+> Only select the **Require device to be marked compliant** or **Require Hybrid Azure AD joined device** if everyone outside your organization is using a device that is managed by your organization or by a trusted Microsoft 365 or Azure AD organization.
+
+To set up conditional access for people outside your organization
+1. Go to [Azure conditional access policies](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade).
+1. On the **Conditional Access | Policies** blade, click **New policy**.
+1. In the **Name** field, type a name.
+1. Under **Assignments**, click **Users and groups**.
+1. On the **Users and groups** blade, select **Select users and groups**, select the **All guests and external users** check box.
+1. Under **Assignments**, click **Cloud apps or actions**.
+1. On the **Cloud apps or actions** blade, select **All cloud apps** on the **Include** tab.
+1. Under **Access controls**, click **Grant**.
+1. On the **Grant** blade, select the options that you want to require for people outside your organization, and then click **Select**.
+1. On the **New** blade, under **Enable policy**, click **On**, and then click **Create**.
+
+## Related topics
+
+[Tutorial: Enforce multi-factor authentication for B2B guests](/azure/active-directory/external-identities/b2b-tutorial-require-mfa)
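Review bot: The last step of `### Trust conditional access settings from a specific organization` ('Select **Save** and close the **Default settings** blade') looks copied from the all-organizations procedure: in that flow the admin is on the selected organization's inbound access settings, not on Default settings, so the step should name the organization's blade. Two more points for the same page. First, the 'Set up conditional access for people outside your organization' procedure turns the policy straight to **On** while scoping it to all guests and external users across all cloud apps with no report-only pass; given the page's own warning that device-based grants 'will block many external collaboration scenarios', suggest a step that creates the policy in report-only mode first, reviews the impact in the sign-in logs, and only then enables it. Second, the three 'To ...' lead-in lines (for example 'To trust conditional access settings from all Azure Active Directory organizations') run straight into the numbered list with no blank line between them; add the blank line so the steps render as a list under the lead-in rather than as a continuation of the sentence.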