-| Yammer body content | 13 hours |

-| Email OCR | 13 hours |

-| Teams OCR | 13 hours |

-| Email attachment | 13 hours |

-| Team attachment | 13 hours |

-| Teams modern attachment | 13 hours |

-| Teams shared channels | 13 hours |

-See one of the following topics for detailed, step-by-step instructions for bulk-importing your organization's PST files to Microsoft 365.

-1. **Download the PST import tools and key to private Azure Storage location** - The first step is to download the tool and access key used to upload the PST files or copy them to a hard drive. You obtain these from the **Import** page in the compliance portal. The key provides you (or Microsoft data center personnel in the case of drive shipping) with the necessary permissions to upload PST files to a private and secure Azure Storage location. This access key is unique to your organization and helps prevent unauthorized access to your PST files after they're uploaded to the Microsoft cloud. Importing PST files to Microsoft 365 doesn't require your organization to have a separate Azure subscription.

-2. **Upload or copy the PST files** - The next step depends on whether you're using network upload or drive shipping to import PST files. In both cases, you'll use the tool and secure storage key that you obtained in the previous step.

- - **Network upload:** The AzCopy.exe tool (downloaded in step 1) is used to upload and store your PST files in an Azure Storage location in the Microsoft cloud. The Azure Storage location that you upload your PST files to is located in the same regional Microsoft datacenter as your organization.

- - **Drive shipping:** The WAImportExport.exe tool (downloaded in step 1) is used to copy your PST files to the hard drive. This tool encrypts the hard drive with BitLocker and then copies the PSTs to the hard drive. Like network upload, the PST files that you want to copy to the hard drive have to be located in a file share or file server in your organization.

-3. **Create a PST import mapping file** - After the PST files have been uploaded to the Azure Storage location or copied to a hard drive, the next step is to create a comma-separated value (CSV) file that specifies which user mailboxes the PST files will be imported to (and a PST file can be imported to a user's primary mailbox or their archive mailbox). [Download a copy of the PST Import mapping file](https://go.microsoft.com/fwlink/p/?LinkId=544717). The Microsoft 365 Import service will use the information to import the PST files.

-4. **Create a PST import job** - The next step is to create a PST import job on the **Import PST files** page in the compliance portal and submit the PST import mapping file created in the previous step. For network upload (because the PST files have been uploaded to Azure) Microsoft 365 analyzes the data in the PST files and then gives you an opportunity to set filters that control what data actually gets imported to the mailboxes specified in the PST import mapping file.

-5. **Filter the PST data that will be imported to mailboxes** - After the import job is created (and after the PST files from a drive shipping job are uploaded to the Azure Storage location) Microsoft 365 analyzes the data in the PST files (safely and securely) by identifying the age of the items and the different message types included in the PST files. When the analysis is completed and the data is ready to import, you have the option to import all the data contained in the PST files or you can trim the data that's imported by setting filters that control what data gets imported.

-6. **Start the PST import job** - After the import job is started, Microsoft 365 uses the information in the PST import mapping file to import the PST files from the Azure Storage location to user mailboxes. Status information about the import job (including information about each PST file being imported) is displayed on the **Import PST files** page in the compliance portal. When the import job is finished, the status for the job is set to **Complete**.

-Additionally, to create import jobs in the compliance portal, one of the following must be true:

-Network upload is currently available in these regions: United States, Canada, Brazil, the United Kingdom, France, Germany, Switzerland, Norway, Europe, India, East Asia, Southeast Asia, Japan, Republic of Korea, Australia, and United Arab Emirates (UAE). Network upload will be available in more regions in the future.

-If different PST files are imported to different target mailboxes, the import process occurs in parallel; in other words, each PST/mailbox pair is imported simultaneously. If multiple PST files are imported to the same mailbox, they will be imported sequentially (one at a time), not simultaneously.

-If different PST files are imported to different target mailboxes, the import process occurs in parallel; in other words, each PST/mailbox pair is imported simultaneously. If multiple PST files are imported to the same mailbox, they will be imported sequentially (one at a time), not simultaneously.

-There are two versions of the PST file format: ANSI and Unicode. We recommend importing files that use the Unicode PST file format. However, files that use the ANSI PST file format, such as those for languages that use a double-byte character set (DBCS), can also be imported to Microsoft 365. For more information about importing ANSI PST files, see Step 3 in [Use drive shipping to import your organization PST files to Microsoft 365](use-drive-shipping-to-import-pst-files-to-office-365.md#step-3-create-the-pst-import-mapping-file).

-No, Microsoft can't wipe hard drives before shipping them back to customers. Hard drives are returned to you in the same state they were in when they were received by Microsoft.

-No, Microsoft can't destroy your hard drive. Hard drives are returned to you in the same state they were in when they were received by Microsoft.

-The hard drive that you ship to Microsoft might have to cross international borders. If so, you're responsible for ensuring that the hard drive and the data it contains are imported and/or exported in accordance with the applicable laws. Before shipping a hard drive, check with your advisors to verify that your drive and data can legally be shipped to the specified Microsoft data center. This will help to ensure that it reaches Microsoft in a timely manner.

-## Plan for the review and investigation workflow

-Depending on how you want to manage insider risk management policies and alerts, you'll need to assign users to specific role groups to manage different sets of insider risk management features. You have the option to assign users with different compliance responsibilities to specific role groups to manage different areas of insider risk management features. Or you may decide to assign all user accounts for designated administrators, analysts, investigators, and viewers to the *Insider Risk Management* role group. Use a single role group or multiple role groups to best fit your compliance management requirements.

-Choose from the following role group options and solution actions when working with insider risk management:

-|**Actions**|**Insider Risk Management**|**Insider Risk Management Admins**|**Insider Risk Management Analysts**|**Insider Risk Management Investigators**|**Insider Risk Management Auditors**|**Insider Risk Management Approvers**|

-||||||||

-|Configure policies and settings|Yes|Yes|No|No|No|No|

-|Access analytics insights|Yes|Yes|Yes|No|No|No|

-|Access and investigate alerts|Yes|No|Yes|Yes|No|No|

-|Access and investigate cases|Yes|No|Yes|Yes|No|No|

-|Access and view the Content Explorer|Yes|No|No|Yes|No|No|

-|Configure notice templates|Yes|No|Yes|Yes|No|No|

-|View and export audit logs|Yes|No|No|No|Yes|No|

-|Access and view forensic evidence captures|Yes|No|No|Yes|No|No|

-|Create forensic evidence capturing request|Yes|Yes|No|No|No|No|

-|Approve forensic evidence capturing requests|Yes|No|No|No|No|Yes|

-|View device health report|Yes|Yes|No|No|No|No|

-|Configure Adaptive Protection|Yes|Yes|No|No|No|No|

-|View Adaptive Protection users tab|Yes|No|Yes|Yes|No|No|

-> [!IMPORTANT]

-> Make sure you always have at least one user in the *Insider Risk Management* or *Insider Risk Management Admins* role groups (depending on the option you choose) so that your insider risk management configuration doesn't get in to a 'zero administrator' scenario if specific users leave your organization.

-Members of the following roles can assign users to insider risk management role groups and have the same solution permissions included with the *Insider Risk Management Admins* role group:

-|[AIP add-in disabled by default](sensitivity-labels-aip.md#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in)|Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Not relevant |Not relevant |Not relevant|Not relevant |

-|[AIP add-in disabled by default](sensitivity-labels-aip.md#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in)|Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Not relevant |Not relevant |Not relevant|Not relevant |

- - [Specify websites or desktop apps to include or exclude when you create a policy](insider-risk-management-forensic-evidence-configure.md#step-4-create-a-policy)

- - [View and explore a list of captured clips and filter the list to find just the information you need](insider-risk-management-forensic-evidence-manage.md#viewing-captured-clips)

- - [Purchase/analyze capacity for captured clips and/or sign up for 20 GB of trial capacity](insider-risk-management-forensic-evidence-manage.md#capacity-and-billing)

-> Private CDN configuration is in the process of deprecation. You are no longer required to configure a private CDN. Image file types are served through a private CDN out of the box. However, if a private CDN is in use for other file types, like JS or CSS, we recommend using a public CDN for better performance. Going forward, non-image file types will not be supported through private CDNs.

-> Private CDN configuration is in the process of deprecation. You are no longer required to configure a private CDN. Image file types are served through a private CDN out of the box. However, if a private CDN is in use for other file types, like JS or CSS, we recommend using a public CDN for better performance. Going forward, non-image file types will not be supported through private CDNs.

-|Dismissed|The subtask has been Dismissed by a Lighthouse user.<p>**NOTE:** Not licensed subtasks may be dismissed by a Lighthouse user.</p>|

-## How do I find Sid or ComputerSid for Azure AD group?

-Different from AD group, the Sid or ComputerSid is using Object Id for Azure AD group. You can find the Object Id from Azure portal.

-The **Default Enforcement** setting is for all device control components, which means if you set it to `Deny`, it will block all printers as well. You can either create custom policy to explictly allow printers or you can replace the Default Enforcement policy with a custom policy.

-#### March-2023 (Build: 101.98.05 | Release version: 30.123012.19805.0)

-|**Response**|||||

-|[Automated Investigation & Response (AIR)](automated-investigations.md)|||||

-|[Device response capabilities: collect investigation package, run AV scan](respond-machine-alerts.md)||| ^[[3](#fn3)]| ^[[3](#fn3)]|

-|[Device isolation](respond-machine-alerts.md)||| ^[[3](#fn3)]||

-|File response capabilities: collect file, deep analysis, block file, stop, and quarantine processes||| ^[[4](#fn4)]| ^[[4](#fn4)]|

-|[Live Response](live-response.md)|||||

-> [!IMPORTANT]

-> This table includes information that used to be available in the `AppFileEvents` table. Starting March 7, 2021, users hunting through file-related activities in cloud services on and beyond this date should use the `CloudAppEvents` table instead. <br><br>Make sure to search for queries and custom detection rules that still use the `AppFileEvents` table and edit them to use the `CloudAppEvents` table. More guidance about converting affected queries can be found in [Hunt across cloud app activities with Microsoft 365 Defender advanced hunting](https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-across-cloud-app-activities-with-microsoft-365-defender/ba-p/1893857).

-Only valid, non-guest users with a valid mailbox will be included in simulations. If you use distribution groups or mail-enabled security groups to target users, you can use the [Get-DistributionGroupMember](/powershell/module/exchange/get-distributiongroupmember) cmdlet in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) to view and validate distribution group members.

-To combat the tendency to use low click rate payloads and to maximize educational returns, we've created a new piece of metadata for every global payload called the predicted compromise rate (PCR).

-> [!NOTE]

-> EOP now uses its own mail flow delivery agent to route messages to the Junk Email folder instead of using the junk email rule. The _Enabled_ parameter on the **Set-MailboxJunkEmailConfiguration** cmdlet no longer has any effect on mail flow. EOP routes messages based on the actions set in anti-spam policies. The user's Safe Sender list and Blocked Senders list will continue to work as usual.