Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
microsoft-365-copilot-requirements | Microsoft 365 Copilot Requirements | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-requirements.md | Copilot is available in Current Channel and in Monthly Enterprise Channel. As al ## Network requirements -Copilot services connect to endpoints contained within the [Microsoft 365 endpoint taxonomy](https://aka.ms/o365ip). As with all Microsoft 365 services, we recommend that customers align their network with the [Microsoft 365 network connectivity principles](/microsoft-365/enterprise/microsoft-365-network-connectivity-principles). This helps provide the best experience with Copilot through minimization of latency and increased network quality of service for critical network flows. +Copilot experiences are deeply integrated with Microsoft 365 applications and often use the same [network connections and endpoints that Microsoft 365 apps](/microsoft-365/enterprise/urls-and-ip-address-ranges) use. As such, baseline network configuration customers should ensure that Microsoft 365 endpoints are not blocked within their environment and that network setup follows [Microsoft 365 network connectivity principles](/microsoft-365/enterprise/microsoft-365-network-connectivity-principles) and best practices. -There are many Copilot experiences, including some core experiences like Excel, Word, PowerPoint, Teams, and Loop, that use WebSocket connections (wss://) from the device running the Microsoft 365 app to a Microsoft service. So, to use these Copilot experiences, WebSocket connections must be allowed from user endpoints to the endpoints listed in our endpoint taxonomy, specifically in ID number 147 in the section for [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges). 
+In addition to [standard Microsoft 365 domains and IPs](/microsoft-365/enterprise/urls-and-ip-address-ranges), there are some extra network endpoints (domains) that Copilot scenarios may need to connect to enable richer integrations (such as Copilot experiences for the Web). Customers should ensure that traffic to these domains is also not blocked by their network solutions: ++- copilot.microsoft.com, *.copilot.microsoft.com +- *.bing.com, *.bingapis.com +- challenges.cloudflare.com ++>[!IMPORTANT] +> Several Copilot integrations rely on WebSockets (WSS) to deliver a streamlined user experience. Some customer networks may not be configured to handle WSS connections properly, which may result in Copilot application failures. Typical network configurations that impact WSS include: +>- WSS protocol is blocked by the network perimeter +>- Network devices attempting to perform TLS inspection of connections +>- Proxy servers enforcing aggressive connection timeouts ++Microsoft recommends that customers verify that their network supports full WSS connectivity (including addressing the issues above) from user devices running Microsoft 365 applications to the following domains: ++- Microsoft 365 Copilot experiences (Enterprise): *.cloud.microsoft, *.office.com +- Additional Copilot experiences (including Consumer): *.bing.com, copilot.microsoft.com, *.copilot.microsoft.com ++>[!NOTE] +> Some customers may prefer to use granular definitions of endpoints (such as individual FQDNs) instead of wildcards to configure their network settings. However, due to hyperscale, and the dynamic nature of its services, Microsoft 365 is unable to provide specific FQDNs used by individual features and scenarios. Doing so would result in unmanageable configuration surface, constant customer network changes and connectivity incidents. 
When reviewing and implementing recommended network configurations, customers should consider all FQDNs and subdomains where wildcards are specified as functionally required for the referenced scenarios. ++In the future, we plan to consolidate Copilot experiences for Microsoft 365 under the *.cloud.microsoft domain and Copilot network requirements and associated required customer network configurations can be further simplified. ## More resources |
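Review bot: The added sentence "As such, baseline network configuration customers should ensure that Microsoft 365 endpoints are not blocked" is missing words; suggest "As such, as a baseline network configuration, customers should ensure that Microsoft 365 endpoints are not blocked". The IMPORTANT alert names TLS inspection by network devices as a cause of WSS failures but never says what the customer should do about it; readers will most likely respond by exempting the listed wildcard domains (*.cloud.microsoft, *.office.com, *.bing.com, *.copilot.microsoft.com) from inspection, so the text should state the recommended configuration explicitly so that the scope of any inspection bypass is a deliberate decision rather than a guess. The removed paragraph also pointed readers to ID number 147 in the Microsoft 365 Common and Office Online section of the endpoint taxonomy for the WSS endpoints; consider keeping that pointer next to the new wildcard list so customers who configure from the taxonomy can still locate the WSS entries.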
admin | Account Disabled Error | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/account-disabled-error.md | - Title: "Getting an account disabled error in Outlook on the web"-- CSH--- Previously updated : 10/29/2020----- scotvorg-- M365-subscription-management---- MET150 -description: "Learn how to add a license to unlicensed users to fix the account disabled error." ---# Getting an account disabled error in Outlook on the web --If you get the error **Your account has been disabled** with `X-OWA-Error: Microsoft.Exchange.Data.Storage.AccountDisabledException` when you try to open Outlook on the web (formerly known as Outlook Web App), your admin might have disabled your access to Outlook on the web. --Your admin can fix this error by following the steps in the topic [Enable or disable Outlook Web App for a mailbox](/exchange/recipients-in-exchange-online/manage-user-mailboxes/enable-or-disable-outlook-web-app). |
bookings | Bookings Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/bookings-overview.md | description: "An overview of the Microsoft Bookings app, which includes a web-ba Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585). -Microsoft Bookings makes scheduling and managing appointments a breeze. Bookings includes a web-based booking calendar and integrates with Outlook to optimize your staffΓÇÖs calendar and give your customers flexibility to book a time that works best for them. Email and SMS text notifications reduce no-shows and enhances customer satisfaction. Your organization saves time with a reduction in repetitive scheduling tasks. With built-in flexibility and ability to customize, Bookings can be designed to fit the situation and needs of many different parts of an organization. +Microsoft Bookings makes scheduling and managing appointments a breeze. It helps you schedule and manage appointments with your customers, clients, or colleagues. Whether you need to book time to meet people or set aside time for different meetings, Bookings makes it easy and convenient for both you and your attendees. Bookings includes a web-based booking page which integrates with Outlook to optimize your calendar and give your customers the flexibility to book a time that works best for them. Email and SMS text notifications reduce no-shows and enhance customer satisfaction. Your organization saves time with a reduction in repetitive scheduling tasks. With built-in flexibility and ability to customize, Bookings can be designed to fit the situation and needs of many different parts of an organization. > [!NOTE] > The Bookings calendar is a mailbox in Exchange Online. 
-Use Bookings to make your organizationΓÇÖs meetings virtual with online meetings via [Microsoft Teams](https://support.microsoft.com/office/overview-of-the-bookings-app-in-teams-7b8569e1-0c8a-444e-b712-d9968b05110b) and Skype for Business. Each appointment booked as an online meeting creates a unique meeting link that is sent to attendees so they can join via a web browser, phone dial-in, or the Skype or Teams app. Bookings is also available as an [app in Teams](https://support.microsoft.com/office/overview-of-the-bookings-app-in-teams-7b8569e1-0c8a-444e-b712-d9968b05110b), which allows you to create Bookings calendars, assign staff, and both schedule new and manage existing appointments without ever leaving Teams. +## Watch: Introducing Microsoft Bookings -Bookings is made up of these components: +> [!VIDEO https://www.youtube.com/embed/G2HOsM767Sw] -- A booking page where your customers and clients can schedule appointments with the staff member who should provide the service or run the appointment. This web-based scheduling page can be shared via a direct link, your Facebook page, and even through link embedding within your website.+Bookings makes it easier for small businesses to schedule and manage appointments with their customers. -- A web app that contains a set of web-based, business-facing pages where Bookings calendar owners and administrators within an organization can define appointment types and details, manage staff schedules and availability, set business hours, and customize how appointments are scheduled. These pages allow for versatility and the ability to customize a Bookings calendar to fit the diverse needs of the person or organization.+## Microsoft Bookings lets you conduct virtual meetings +Use Bookings to make your organizationΓÇÖs meetings virtual with online meetings via [Microsoft Teams](https://support.microsoft.com/office/overview-of-the-bookings-app-in-teams-7b8569e1-0c8a-444e-b712-d9968b05110b) and Skype for Business. 
Each appointment booked as an online meeting creates a unique meeting link that is sent to attendees so they can join via a web browser, phone dial-in, or the Skype or Teams app. Bookings is also available as an [app in Teams](https://support.microsoft.com/office/overview-of-the-bookings-app-in-teams-7b8569e1-0c8a-444e-b712-d9968b05110b), which allows you to create Booking pages, declare your availability, add team members, and both schedule new and manage existing appointments. -## Bookings data and compliance +## Personal Bookings +Personal bookings is how you manage your own appointment timeslots, it allows you to easily configure and share your availability with your customers, clients, or colleagues. You can be in charge of your own time and avoid the back and forth of scheduling. You can also set aside time for specific activities by creating meeting types. Once you create a personal booking page, you can share a link with anyone who can then see your availability and easily schedule a time when you are free and is convenient for them. -All Bookings data is stored within the Microsoft 365 platform and in Exchange Online. Bookings follows all data storage policies that are set by Microsoft, which are the same policies that all Microsoft 365 apps follow. Bookings uses shared mailboxes in Exchange to store customer, staff, service, and appointment details. Compliance policies for shared mailboxes in Exchange also apply for Bookings mailboxes. All customer data (including information provided by customers when booking) is captured in Bookings and is stored within the app, thus it's stored within Exchange Online. +## Shared Bookings +Shared bookings are booking pages that you create and manage for your team. They allow you to invite your team members to let your customers book time with you and your team. 
-## Before you begin +It is made up of these components: -Microsoft Bookings is available in the following subscriptions: +A booking page where your customers and clients can schedule appointments with the staff members who should provide the service or run the appointment. This web-based booking page can be shared via a direct link, your Facebook page, and even through link embedding within your website. -- Office 365: A3, A5, E1, E3, E5, F1, F3, G1, G3, and G5-- Microsoft 365: A3, A5, E1, E3, E5, F1, F3, Business Basic, Business Standard, Business Premium+A web app that contains a set of web-based, business-facing pages where Booking page owners and administrators within an organization can define appointment types and details, manage staff schedules and availability, set business hours, and customize how appointments are scheduled. These pages allow for versatility and the ability to customize a booking page to fit the diverse needs of the person or organization. -## Watch: Introducing Microsoft Bookings +## Bookings data and compliance +All Bookings data is stored within the Microsoft 365 platform and in Exchange Online. Bookings follows all data storage policies that are set by Microsoft, which are the same policies that all Microsoft 365 apps follow. Bookings uses shared mailboxes in Exchange to store customer, staff, service, and appointment details. Compliance policies for shared mailboxes in Exchange also apply for Bookings mailboxes. All customer data (including information provided by customers when booking) is captured in Bookings and is stored within the app, thus it's stored within Exchange Online. -> [!VIDEO https://www.youtube.com/embed/G2HOsM767Sw] +## Before you begin +Microsoft Bookings is available in the following subscriptions: -Bookings makes it easier for small businesses to schedule and manage appointments with their customers. 
+Office 365: A3, A5, E1, E3, E5, F1, F3, G1, G3, and G5 +Microsoft 365: A3, A5, E1, E3, E5, F1, F3, Business Basic, Business Standard, Business Premium, Teams Essentials, Teams Premium -## Next steps +## Next steps To get started, see [Get access to Microsoft Bookings](get-access.md). To turn Bookings on or off, see [Turn Bookings on or off for your organization](turn-bookings-on-or-off.md). |
enterprise | Cross Tenant Mailbox Migration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-mailbox-migration.md | This article describes the process for cross-tenant mailbox moves and provides g When a mailbox is migrated cross-tenant with this feature, only user-visible content in the mailbox (email, contacts, calendar, tasks, and notes) is migrated to the target (destination tenant). After a successful migration, the source mailbox is deleted. This deletion means that after migration, under no circumstances is the source mailbox available, discoverable, or accessible in the source tenant. -> [!NOTE] -> If you are interested in previewing our new feature **Domain Sharing for email** alongside your cross-tenant mailbox migrations, complete the form at [aka.ms/domainsharingpreview](https://aka.ms/domainsharingpreview). The **Domain sharing for email** feature enables users in separate Microsoft 365 tenants to send and receive email using addresses from the same custom domain. The feature is intended to solve scenarios where users in separate tenants need to represent a common corporate brand in their email addresses. The current preview supports sharing domains indefinitely and shared domains during cross-tenant mailbox migration coexistence. - ## Licensing > [!IMPORTANT] Yes. It's possible to have two instances of Microsoft Entra Connect synchronize - Depending on your current state of hybrid Exchange, you need to verify that the on-premises directory objects have the required attributes (such as msExchMailboxGUID and proxyAddresses) populated correctly before attempting to sync to another tenant; else you'll run into issues with double mailboxes and migration failures. - You must take some extra steps to manage UPN transitioning, changing it on-premises once the migration has been completed for a user unless you're also moving the custom domain during a cut-over migration. 
+### How should I handle mailboxes that are close to, or over quota. ++Mailboxes nearing their quota prior to migration may end up over quota either before or during the actual migration. If this happens, these mailboxes will fail migration and will need to be remediated and restarted. To mitigate this, it is recommend the source tenant admin identify mailboxes at or near quota prior to migration and take the necessary steps to either reduce the mailbox size, provision a primary archive or in some cases enable auto expanding archives for the user's mailboxes. ++> [!NOTE] +> Once enabling an archive or auto expanding archive for a user, ensure the correct archiving policies are applied to the user and the process is run to move the mailbox data to it's new location and free up space. + ### Do auto-expanded archive mailboxes move? **Issue: Auto Expanded archives cannot be migrated.** Yes, if the user in source has auto-expanding archives enabled and has additional auxiliary archives, cross-tenant mailbox migration will work. We support moving users that have no more than 12 auxiliary archive mailboxes. Additionally, users with large primary, large main archive, and large auxiliary archive mailboxes will require extra time to synchronize and should be submitted well in advance of the cut-over date. If the source mailbox is expanded during the mailbox migration process, the migration will fail as a new auxiliary archive will be created in the source, but not in the target. In this case, you'll need to remove the user from the batch and resubmit them. |
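Review bot: The new FAQ heading "How should I handle mailboxes that are close to, or over quota." is a question and should end with a question mark, matching the neighbouring heading "Do auto-expanded archive mailboxes move?". In the body, "it is recommend the source tenant admin identify" should read "it is recommended that the source tenant admin identify", and in the NOTE "it's new location" should be "its new location". The NOTE also tells the admin to ensure "the process is run to move the mailbox data" without naming which process; stating it would make the remediation step actionable before the migration is resubmitted.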
enterprise | Deploy Microsoft 365 Directory Synchronization Dirsync In Microsoft Azure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/deploy-microsoft-365-directory-synchronization-dirsync-in-microsoft-azure.md | Title: "Deploy Microsoft 365 Directory Synchronization in Microsoft Azure" Previously updated : 11/05/2018 Last updated : 03/21/2024 audience: ITPro +- must-keep f1.keywords: - CSH You can install Microsoft Entra Connect on an on-premises server, but you can al This solution requires connectivity between your on-premises network and your Azure virtual network. For more information, see [Connect an on-premises network to a Microsoft Azure virtual network](connect-an-on-premises-network-to-a-microsoft-azure-virtual-network.md). > [!NOTE]-> This article describes synchronization of a single domain in a single forest. Microsoft Entra Connect synchronizes all AD DS domains in your Active Directory forest with Microsoft 365. If you have multiple Active Directory forests to synchronize with Microsoft 365, see [Multi-forest Directory Sync with Single Sign-On Scenario](/azure/active-directory/hybrid/whatis-hybrid-identity). +> This article describes synchronization of a single domain in a single forest. Microsoft Entra Connect synchronizes all AD DS domains in your Active Directory forest with Microsoft 365. If you have multiple Active Directory forests to synchronize with Microsoft 365, see [Multi-forest Directory Sync with Single Sign-On Scenario](/azure/active-directory/hybrid/whatis-hybrid-identity). ## Overview of deploying Microsoft 365 directory synchronization in Azure The following diagram shows Microsoft Entra Connect running on a virtual machine In the diagram, there are two networks connected by a site-to-site VPN or ExpressRoute connection. 
There's an on-premises network where AD DS domain controllers are located, and there's an Azure virtual network with a directory sync server, which is a virtual machine running [Microsoft Entra Connect](https://www.microsoft.com/download/details.aspx?id=47594). There are two main traffic flows originating from the directory sync server: -- Microsoft Entra Connect queries a domain controller on the on-premises network for changes to accounts and passwords.-- Microsoft Entra Connect sends the changes to accounts and passwords to the Microsoft Entra instance of your Microsoft 365 subscription. Because the directory sync server is in an extended portion of your on-premises network, these changes are sent through the on-premises network's proxy server.- +- Microsoft Entra Connect queries a domain controller on the on-premises network for changes to accounts and passwords. +- Microsoft Entra Connect sends the changes to accounts and passwords to the Microsoft Entra instance of your Microsoft 365 subscription. Because the directory sync server is in an extended portion of your on-premises network, these changes are sent through the on-premises network's proxy server. + > [!NOTE]-> This solution describes synchronization of a single Active Directory domain, in a single Active Directory forest. Microsoft Entra Connect synchronizes all Active Directory domains in your Active Directory forest with Microsoft 365. If you have multiple Active Directory forests to synchronize with Microsoft 365, see [Multi-forest Directory Sync with Single Sign-On Scenario](/azure/active-directory/hybrid/whatis-hybrid-identity). +> This solution describes synchronization of a single Active Directory domain, in a single Active Directory forest. Microsoft Entra Connect synchronizes all Active Directory domains in your Active Directory forest with Microsoft 365. 
If you have multiple Active Directory forests to synchronize with Microsoft 365, see [Multi-forest Directory Sync with Single Sign-On Scenario](/azure/active-directory/hybrid/whatis-hybrid-identity). There are two major steps when you deploy this solution: 1. Create an Azure virtual network and establish a site-to-site VPN connection to your on-premises network. For more information, see [Connect an on-premises network to a Microsoft Azure virtual network](connect-an-on-premises-network-to-a-microsoft-azure-virtual-network.md).- + 2. Install [Microsoft Entra Connect](https://www.microsoft.com/download/details.aspx?id=47594) on a domain-joined virtual machine in Azure, and then synchronize the on-premises AD DS to Microsoft 365. This involves:- - Creating an Azure Virtual Machine to run Microsoft Entra Connect. - - Installing and configuring [Microsoft Entra Connect](https://www.microsoft.com/download/details.aspx?id=47594). - - Configuring Microsoft Entra Connect requires the credentials (user name and password) of a Microsoft Entra administrator account and a AD DS enterprise administrator account. Microsoft Entra Connect runs immediately and on an ongoing basis to synchronize the on-premises AD DS forest to Microsoft 365. - ++ - Creating an Azure Virtual Machine to run Microsoft Entra Connect. ++ - Installing and configuring [Microsoft Entra Connect](https://www.microsoft.com/download/details.aspx?id=47594). ++ Configuring Microsoft Entra Connect requires the credentials (user name and password) of a Microsoft Entra administrator account and an AD DS enterprise administrator account. Microsoft Entra Connect runs immediately and on an ongoing basis to synchronize the on-premises AD DS forest to Microsoft 365. 
+ Before you deploy this solution in production, you can use the instructions in [The simulated enterprise base configuration](simulated-ent-base-configuration-microsoft-365-enterprise.md) to set up this configuration as a proof of concept, for demonstrations, or for experimentation. > [!IMPORTANT]-> When Microsoft Entra Connect configuration completes, it does not save the AD DS enterprise administrator account credentials. - +> When Microsoft Entra Connect configuration completes, it does not save the AD DS enterprise administrator account credentials. + > [!NOTE]-> This solution describes synchronizing a single AD DS forest to Microsoft 365. The topology discussed in this article represents only one way to implement this solution. Your organization's topology might differ based on your unique network requirements and security considerations. +> This solution describes synchronizing a single AD DS forest to Microsoft 365. The topology discussed in this article represents only one way to implement this solution. Your organization's topology might differ based on your unique network requirements and security considerations. ## Plan for hosting a directory sync server for Microsoft 365 in Azure <a name="PlanningVirtual"> </a> Before you deploy this solution in production, you can use the instructions in [ Before you begin, review the following prerequisites for this solution: - Review the related planning content in [Plan your Azure virtual network](connect-an-on-premises-network-to-a-microsoft-azure-virtual-network.md#plan-your-azure-virtual-network).- + - Ensure that you meet all [Prerequisites](connect-an-on-premises-network-to-a-microsoft-azure-virtual-network.md#prerequisites) for configuring the Azure virtual network.- + - Have a Microsoft 365 subscription that includes the Active Directory integration feature. 
For information about Microsoft 365 subscriptions, go to the [Microsoft 365 subscription page](https://products.office.com/compare-all-microsoft-office-products?tab=2).- + - Provision one Azure Virtual Machine that runs Microsoft Entra Connect to synchronize your on-premises AD DS forest with Microsoft 365.- - You must have the credentials (names and passwords) for a AD DS enterprise administrator account and a Microsoft Entra Administrator account. - ++ You must have the credentials (names and passwords) for an AD DS enterprise administrator account and a Microsoft Entra Administrator account. + ### Solution architecture design assumptions The following list describes the design choices made for this solution. -- This solution uses a single Azure virtual network with a site-to-site VPN connection. The Azure virtual network hosts a single subnet that has one server, the directory sync server that is running Microsoft Entra Connect. - +- This solution uses a single Azure virtual network with a site-to-site VPN connection. The Azure virtual network hosts a single subnet that has one server, the directory sync server that is running Microsoft Entra Connect. + - On the on-premises network, a domain controller and DNS servers exist.- + - Microsoft Entra Connect performs password hash synchronization instead of single sign-on. You don't have to deploy an Active Directory Federation Services (AD FS) infrastructure. To learn more about password hash synchronization and single sign-on options, see [Choosing the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn).- + There are other design choices that you might consider when you deploy this solution in your environment. 
These include the following: - If there are existing DNS servers in an existing Azure virtual network, determine whether you want your directory sync server to use them for name resolution instead of DNS servers on the on-premises network.- -- If there are domain controllers in an existing Azure virtual network, determine whether configuring Active Directory Sites and Services may be a better option for you. The directory sync server can query the domain controllers in the Azure virtual network for changes in accounts and passwords instead of domain controllers on the on-premises network.- ++- If there are domain controllers in an existing Azure virtual network, determine whether configuring Active Directory Sites and Services might be a better option for you. The directory sync server can query the domain controllers in the Azure virtual network for changes in accounts and passwords instead of domain controllers on the on-premises network. + ## Deployment roadmap Deploying Microsoft Entra Connect on a virtual machine in Azure consists of three phases: - Phase 1: Create and configure the Azure virtual network- + - Phase 2: Create and configure the Azure virtual machine- + - Phase 3: Install and configure Microsoft Entra Connect- -After deployment, you must also assign locations and licenses for the new user accounts in Microsoft 365. +After deployment, you must also assign locations and licenses for the new user accounts in Microsoft 365. ### Phase 1: Create and configure the Azure virtual network This figure shows an on-premises network connected to an Azure virtual network t Create the virtual machine in Azure using the instructions [Create your first Windows virtual machine in the Azure portal](https://go.microsoft.com/fwlink/p/?LinkId=393098). Use the following settings: -- On the **Basics** pane, select the same subscription, location, and resource group as your virtual network. Record the user name and password in a secure location. 
You will need these later to connect to the virtual machine.- -- On the **Choose a size** pane, choose the **A2 Standard** size.- -- On the **Settings** pane, in the **Storage** section, select the **Standard** storage type. In the **Network** section, select the name of your virtual network and the subnet for hosting the directory sync server (not the GatewaySubnet). Leave all other settings at their default values.- +1. On the **Basics** pane, select the same subscription, location, and resource group as your virtual network. Record the user name and password in a secure location. You'll need these later to connect to the virtual machine. ++1. On the **Choose a size** pane, choose the **A2 Standard** size. ++1. On the **Settings** pane, in the **Storage** section, select the **Standard** storage type. In the **Network** section, select the name of your virtual network and the subnet for hosting the directory sync server (not the GatewaySubnet). Leave all other settings at their default values. + Verify that your directory sync server is using DNS correctly by checking your internal DNS to make sure that an Address (A) record was added for the virtual machine with its IP address. Use the instructions in [Connect to the virtual machine and sign on](/azure/virtual-machines/windows/connect-logon) to connect to the directory sync server with a Remote Desktop Connection. After signing in, join the virtual machine to the on-premises AD DS domain. This figure shows the directory sync server virtual machine in the cross-premise Complete the following procedure: 1. Connect to the directory sync server using a Remote Desktop Connection with an AD DS domain account that has local administrator privileges. See [Connect to the virtual machine and sign on](/azure/virtual-machines/windows/connect-logon).- + 2. 
From the directory sync server, open the [Set up directory synchronization for Microsoft 365](set-up-directory-synchronization.md) article and follow the directions for directory synchronization with password hash synchronization.- + > [!CAUTION] > Setup creates the **AAD_xxxxxxxxxxxx** account in the Local Users organizational unit (OU). Do not move or remove this account or synchronization will fail. This figure shows the directory sync server with Microsoft Entra Connect in the Microsoft Entra Connect adds accounts to your Microsoft 365 subscription from the on-premises AD DS, but in order for users to sign in to Microsoft 365 and use its services, the accounts must be configured with a location and licenses. Use these steps to add the location and activate licenses for the appropriate user accounts: 1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com), and then click **Admin**.- + 2. In the left navigation, click **Users** > <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">**Active users**</a>. 3. In the list of user accounts, select the check box next to the user you want to activate.- + 4. On the page for the user, click **Edit** for **Product licenses**.- + 5. On the **Product licenses** page, select a location for the user for **Location**, and then enable the appropriate licenses for the user.- + 6. When complete, click **Save**, and then click **Close** twice.- + 7. Go back to step 3 for additional users.- + ## See also [Microsoft 365 solution and architecture center](../solutions/index.yml) |
enterprise | Dns Records For Office 365 Dod | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/dns-records-for-office-365-dod.md | + - azure-ad-ref-level-one-done search.appverid: - OGA150 - OGC150 hideEdit: true As part of onboarding to Office 365 DoD, you will need to add your SMTP and SIP domains to your Online Services tenant. YouΓÇÖll do this using the New-MsolDomain cmdlet in Azure AD PowerShell or use the [Azure Government Portal](https://portal.azure.us) to start the process of adding the domain and proving ownership. + Once you have your domains added to your tenant and validated, use the following guidance to add the appropriate DNS records for the services below. You may need to modify the below table to fit your organizationΓÇÖs needs with respect to the inbound MX record(s) and any existing Exchange Autodiscover record(s) you have in place. We strongly recommend coordinating these DNS records with your messaging team to avoid any outages or mis-delivery of email. ## Exchange Online |
enterprise | Dns Records For Office 365 Gcc High | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/dns-records-for-office-365-gcc-high.md | + - azure-ad-ref-level-one-done search.appverid: - OGA150 - OGC150 hideEdit: true As part of onboarding to Office 365 GCC High, you will need to add your SMTP and SIP domains to your Online Services tenant. YouΓÇÖll do this using the New-MsolDomain cmdlet in Azure AD PowerShell or use the [Azure Government Portal](https://portal.azure.us) to start the process of adding the domain and proving ownership. + Once you have your domains added to your tenant and validated, use the following guidance to add the appropriate DNS records for the services below. You may need to modify the below table to fit your organizationΓÇÖs needs with respect to the inbound MX record(s) and any existing Exchange Autodiscover record(s) you have in place. We strongly recommend coordinating these DNS records with your messaging team to avoid any outages or mis-delivery of email. ## Exchange Online |
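Review bot: same encoding defect as the DoD variant of this file: the unchanged context contains "YouΓÇÖll" and "organizationΓÇÖs"; fix them to "You'll" and "organization's" while the front matter is being edited.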
enterprise | Ipv6 Support | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ipv6-support.md | Title: "IPv6 support in Microsoft 365 services" Previously updated : 06/02/2022 Last updated : 03/21/2024 audience: ITPro ms.localizationpriority: medium - scotvorg - Ent_O365+- must-keep f1.keywords: - CSH description: "Summary: Describes IPv6 support in Microsoft 365 components and in # IPv6 support in Microsoft 365 services -With the growing adoption and support of IPv6 across enterprise networks, service providers, and devices, many customers are wondering if their users can continue to access Microsoft 365 services from IPv6 clients and IPv6 networks. Microsoft 365 services can be successfully used from both IPv6 dual stack and IPv6-only devices (IPv6-only devices require translation technologies such as DNS64 or NAT64). In fact, we have an increasing number of customers, from consumers to large enterprises, who are moving towards greater adoption of IPv6. For most customers, IPv4 won't completely disappear from their digital landscape, so we aren't planning to require IPv6 or to de-prioritize IPv4 in any Microsoft 365 features or services. +With the growing adoption and support of IPv6 across enterprise networks, service providers, and devices, many customers are wondering if their users can continue to access Microsoft 365 services from IPv6 clients and IPv6 networks. Microsoft 365 services can be successfully used from both IPv6 dual stack and IPv6-only devices (IPv6-only devices require translation technologies such as DNS64 or NAT64). In fact, we have an increasing number of customers, from consumers to large enterprises, who are moving towards greater adoption of IPv6. For most customers, IPv4 won't completely disappear from their digital landscape, so we aren't planning to require IPv6 or to deprioritize IPv4 in any Microsoft 365 features or services. 
One of our key priorities with Microsoft 365 is to ensure seamless customer and user experiences over the Internet from any location, from any device. This includes access to Microsoft 365 from customer devices that are using IPv6 in the dual stack configuration as well as transitioning to IPv6-only client deployments. In most cases, when you follow a standard Internet-based model of connecting to Microsoft 365 as described in [Microsoft 365 network connectivity principles](microsoft-365-network-connectivity-principles.md), [Microsoft 365 URLs and IP address ranges](urls-and-ip-address-ranges.md), and [Microsoft 365 network planning best practices](network-and-migration-planning.md#best-practices-for-network-planning-and-improving-migration-performance-for-office-365), IPv6 transitions won't be disruptive to your user experience. Many Microsoft 365 services already provide native IPv6 support today and can be accessed directly from IPv6 dual stack and IPv6-only clients. Microsoft 365 also allows access through conventional IPv6 to IPv4 translation technologies (such as base 64 proxies or DNS64/NAT64) commonly used by customers and network solution providers to connect to IPv4 Internet resources. -As with any SaaS service and the Internet overall, the scope of natively IPv6 enabled Microsoft 365 interfaces, features and APIs expands continuously and without direct customer action or control. If you're running IPv6 or IPv6-only services on your networks that need access to Microsoft 365 and the Internet, it is recommended that you include dynamic IPv6/IPv4 transitional mechanisms such as DNS64/NAT64 to ensure end-to-end IPv6 connectivity to Microsoft 365 without any further network reconfigurations. +As with any SaaS service and the Internet overall, the scope of natively IPv6 enabled Microsoft 365 interfaces, features, and APIs expands continuously and without direct customer action or control. 
If you're running IPv6 or IPv6-only services on your networks that need access to Microsoft 365 and the Internet, it's recommended that you include dynamic IPv6/IPv4 transitional mechanisms such as DNS64/NAT64 to ensure end-to-end IPv6 connectivity to Microsoft 365 without any further network reconfigurations. -Most of Microsoft 365 services have been or will be enabled with IPv6 capabilities completely transparently for end users and IT admins. Some Microsoft 365 scenarios (such as anonymous inbound e-mail) do have special requirements and considerations for use in conjunction with IPv6. For more details about scenario specific IPv6 requirements and considerations, please contact your Microsoft account team or Microsoft support. +Most of Microsoft 365 services have been or will be enabled with IPv6 capabilities transparently for end users and IT admins. Some Microsoft 365 scenarios (such as anonymous inbound e-mail) do have special requirements and considerations for use in conjunction with IPv6. For more details about scenario specific IPv6 requirements and considerations, contact your Microsoft account team or Microsoft support. Here's a short link you can use to come back: [https://aka.ms/o365ip6](https://aka.ms/o365ip6) |
enterprise | Microsoft 365 Monitoring | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-monitoring.md | Title: "Microsoft 365 monitoring" Previously updated : 03/25/2022 Last updated : 03/21/2024 audience: Admin +- must-keep f1.keywords: - NOCSH Monitoring provides you with information about incidents and advisories that are - **Third-party infrastructure**. Issue is detected in third-party infrastructure on which your organization has taken a dependency and requires action from your organization for resolution. For example, user authentication transactions are getting throttled by a third-party security token service (STS) provider that prevents users from connecting to Exchange Online. -- **Customer infrastructure**. Issue is detected in your organization's infrastructure and requires action from your organization for resolution. For example, users can't access Exchange Online because they are unable to obtain an authentication token from STS provider hosted by your organization because of an expired certificate.+- **Customer infrastructure**. Issue is detected in your organization's infrastructure and requires action from your organization for resolution. For example, users can't access Exchange Online because they're unable to obtain an authentication token from STS provider hosted by your organization because of an expired certificate. Here's an example of the **Service health** page in the Microsoft 365 admin center, which is available at **Health** > **Service health** for organization scenarios and [priority account](../admin/setup/priority-accounts.md) scenarios. 
[![Screenshot of the Service health page in the Microsoft 365 admin center.](../media/m365-monitoring-final.png)](../media/m365-monitoring-final.png#lightbox) -If Microsoft 365 monitoring discovers issues that need your attention, these will be shown under the **Issues in your environment that require action** in the Active Issues section of the page. +If Microsoft 365 monitoring discovers issues that need your attention, these are shown under the **Issues in your environment that require action** in the Active Issues section of the page. To access detailed monitoring pages for specific services, select **View** under **Organizational-level monitoring** on the service health page. Then make sure you meet both of the following requirements: - Your organization needs to have a license count of at least 5,000, from one or a combination of these products: Office 365 E3, Microsoft 365 E3, Office 365 E5, or Microsoft 365 E5. -- Your organization needs to have at least 50 monthly active users for one or more core Microsoft 365 services, which include Microsoft Teams, OneDrive for Business, SharePoint Online, Exchange Online, and Office apps.+- Your organization needs to have at least 50 monthly active users for one or more core Microsoft 365 services, which include Microsoft Teams, OneDrive, SharePoint, Exchange Online, and Office apps. If the license count for your organization falls below 5,000 users and the monthly active users falls below 50 users in the core services, Exchange Online monitoring won't be enabled until these requirements are met. Microsoft 365 Monitoring features are in preview for eligible customers. While i For general feedback, use the **Give feedback** icon on the bottom-right corner of the monitoring page. -For feedback on incidents or advisories, use the **Is this post helpful? link. +For feedback on incidents or advisories, use the **Is this post helpful?** link. ### 6. Are there any privacy concerns? |
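Review bot: logic inconsistency in the unchanged context just after the renamed OneDrive bullet: the list is introduced with "make sure you meet both of the following requirements", yet the gating sentence reads "If the license count for your organization falls below 5,000 users and the monthly active users falls below 50 users in the core services, Exchange Online monitoring won't be enabled". If both thresholds are required, falling below either one should disable monitoring, so "and" should be "or" (or the sentence should state explicitly that monitoring stays enabled until both drop).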
enterprise | Plan For Third Party Ssl Certificates | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/plan-for-third-party-ssl-certificates.md | +- must-keep f1.keywords: - CSH description: "Summary: Describes the SSL certificates needed for Exchange on-pre To encrypt communications between your clients and the Microsoft 365 environment, third-party Secure Socket Layer (SSL) certificates must be installed on your infrastructure servers. This article is part of [Network planning and performance tuning for Microsoft 365](./network-planning-and-performance.md).- + Certificates are required for the following Microsoft 365 components: - Exchange on-premises- + - Single sign-on (SSO) (for both the Active Directory Federation Services (AD FS) federation servers and AD FS federation server proxies)- + - Exchange Online services, such as Autodiscover, Outlook Anywhere, and Exchange Web Services- + - Exchange hybrid server- -## Certificates for Exchange On-Premises ++## Certificates for Exchange on-premises For an overview about how to use digital certificates to make the communication between the on-premises Exchange organization and Exchange Online secure, see the TechNet article [Understanding Certificate Requirements](/previous-versions/exchange-server/exchange-141/gg476123(v=exchg.141)). -## Certificates for Single Sign-On +## Certificates for single sign-on To provide your users with a simplified single sign-on experience that includes robust security, the certificates shown in the following table are required on either the federation servers or the federation server proxies. The table below focuses on Active Directory Federation Services (AD FS), we also have more information on [using third-party identity providers](/azure/active-directory/hybrid/how-to-connect-fed-compatibility). 
| Certificate Type | Description | What you need to know before you deploy | |:--|:--|:--| |**SSL certificate (also called a server authentication certificate)** <br/> |This is a standard SSL certificate that is used to make communications between federation servers, clients, and federation server proxy computers secure. <br/> |AD FS requires an SSL certificate. By default, AD FS uses the SSL certificate that is configured for the default website in Internet Information Services (IIS). <br/> The subject name of this SSL certificate is used to determine the Federation Service (FS) name for each instance of AD FS that you deploy. Consider choosing a subject name for any new certification authority (CA)-issued certificates that best represents the name of your company or organization to Microsoft 365. This name must be Internet-routable. <br/>**Caution:** AD FS requires that this SSL certificate have no dotless (short-name) subject name. <br/> **Recommendation:** Because this certificate must be trusted by clients of AD FS, we recommend that you use an SSL certificate issued by a public (third-party) CA or by a CA that is subordinate to a publicly trusted root; for example, VeriSign or Thawte. <br/> |-|**Token-signing certificate** <br/> |This is a standard X.509 certificate that's used for securely signing all tokens that the federation server issues and that Microsoft 365 accepts and validates. <br/> |The token-signing certificate must contain a private key that chains to a trusted root in the FS. By default, AD FS creates a self-signed certificate. However, depending on the needs of your organization, you can change this certificate to a CA-issued certificate by using the AD FS management snap-in. <br/>**Caution:** The token-signing certificate is critical to the stability of the FS. If the certificate is changed, Microsoft 365 must be notified of the change. 
If notification is not provided, users can't sign in to their Microsoft 365 service offerings.<br/>**Recommendation:** We recommend that you use the self-signed token-signing certificate that is generated by AD FS. By doing so, it manages this certificate for you by default. For example, when this certificate is about to expire, AD FS will generate a new self-signed certificate. <br/> | - +|**Token-signing certificate** <br/> |This is a standard X.509 certificate that's used for securely signing all tokens that the federation server issues and that Microsoft 365 accepts and validates. <br/> |The token-signing certificate must contain a private key that chains to a trusted root in the FS. By default, AD FS creates a self-signed certificate. However, depending on the needs of your organization, you can change this certificate to a CA-issued certificate by using the AD FS management snap-in. <br/>**Caution:** The token-signing certificate is critical to the stability of the FS. If the certificate is changed, Microsoft 365 must be notified of the change. If notification isn't provided, users can't sign in to their Microsoft 365 service offerings.<br/>**Recommendation:** We recommend that you use the self-signed token-signing certificate that is generated by AD FS. By doing so, it manages this certificate for you by default. For example, when this certificate is about to expire, AD FS will generate a new self-signed certificate. <br/> | + Federation server proxies require the certificate that is described in the following table. | Certificate Type | Description | What you need to know before you deploy | |:--|:--|:--| |SSL certificate <br/> |This is a standard SSL certificate that is used for securing communications between a federation server, a federation server proxy, and Internet client computers. <br/> |This SSL certificate must be bound to the default website in IIS before you can successfully run the AD FS Federation Server Proxy Configuration wizard. 
<br/> This certificate must have the same subject name as the SSL certificate that was configured on the federation server in the corporate network. <br/> **Recommendation:** We recommend that you use the same server authentication certificate that is configured on the federation server that this federation server proxy connects to. <br/> |- + ## Certificates for Autodiscover, Outlook Anywhere, and Active Directory Synchronization Your external-facing Exchange 2013, Exchange 2010, Exchange 2007, and Exchange 2003 Client Access servers (CASs) require a third-party SSL certificate for secure connections for Autodiscover, Outlook Anywhere, and Active Directory synchronization services. You may already have this certificate installed in your on-premises environment. Your external-facing Exchange hybrid server or servers require a third-party SSL ## Microsoft 365 Certificate Chains -This article describes the certificates you may need to install on your infrastructure. For more information on the certificates installed on our Microsoft 365 servers, see [Microsoft 365 Certificate Chains](https://support.office.com/article/0c03e6b3-e73f-4316-9e2b-bf4091ae96bb). +This article describes the certificates you might need to install on your infrastructure. For more information on the certificates installed on our Microsoft 365 servers, see [Microsoft 365 Certificate Chains](https://support.office.com/article/0c03e6b3-e73f-4316-9e2b-bf4091ae96bb). ## See also |
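Review bot: the heading-case cleanup is incomplete: the hunk lowercases "## Certificates for Exchange on-premises" and "## Certificates for single sign-on" but leaves "## Certificates for Autodiscover, Outlook Anywhere, and Active Directory Synchronization" and "## Microsoft 365 Certificate Chains" in title case in the same file. Suggest "## Microsoft 365 certificate chains" and "...Active Directory synchronization" for consistency with the new style.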
security | Device Control Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-policies.md | description: Learn about Device control policies in Defender for Endpoint Previously updated : 02/14/2024 Last updated : 03/20/2024 Device control policies define access (called an entry) for a set of devices. En | Entry setting | Options | |||+| AccessMask | Applies the action only if the access operations matches the access mask - The access mask is the bit-wise OR of the access values:<br><br> 1 - Device Read<br>2 - Device Write<br>4 - Device Execute<br>8 - File Read<br>16 - File Write<br>32 - File Execute<br>64 - Print<br><br>For example:<br>Device Read, Write and Execute = 7 (1+2+4)<br>Device Read, Disk Read = 9 (1+8)<br> | Action | Allow <br/> Deny <br/> AuditAllow <br/> AuditDeny | | Notification | None (default) <br/> An event is generated <br/> The user receives notification <br/> File evidence is captured | +> [!WARNING] +> The [February 2024](microsoft-defender-antivirus-updates.md#february-2024-engine-11240209--platform-418240207) release causes inconsistent results for device control customers who are using removable media policies with disk/device-level access only (masks that are less than or equal to 7). Enforcement might not work as expected. To mitigate this issue, rolling back to the previous version is recommended. + If device control is configured, and a user attempts to use a device that's not allowed, the user gets a notification that contains the name of the device control policy and the name of the device. The notification appears once every hour after initial access is denied. 
An entry supports the following optional conditions: -- Access Condition: Applies the action only to the access defined in the access mask - User Condition: Applies the action only to the user/group identified by the SID - Machine Condition: Applies the action only to the device/group identified by the SID - Parameters Condition: Applies the action only if the parameters match (See Advanced Conditions) |
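Review bot: the added AccessMask row is internally inconsistent: its value list defines "8 - File Read", but the worked example reads "Device Read, Disk Read = 9 (1+8)". Readers compute masks from that list, so use the same name in both places, e.g. "Device Read, File Read = 9 (1+8)". Since the same change drops the "- Access Condition: Applies the action only to the access defined in the access mask" bullet from the optional conditions, consider stating in the AccessMask row how existing policies that used that condition map to the new setting.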
security | Get Defender Vulnerability Management | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management.md | Microsoft Defender Vulnerability Management is available as a standalone and as > [!NOTE] > Trials will be available to customers using the New Commerce Experience (NCE) for a 30 day period. After the 30 day period customers will be able to purchase Microsoft Defender Vulnerability Management through NCE. +## Required roles for starting the trial ++2. As a Global Administrator, you can start the trial or you can allow to users start the trial on behalf of your organization by enabling this option: ++ 1. In the Microsoft 365 admin center, go to **Settings** > **Org settings** > **Services** > **User owned apps and services** + 2. Check **Let users start trials on behalf of your organization** + 3. Select **Save** +++> [!NOTE] +> If you don't want users in your organization to be able to start trials, as a Global Administrator you must disable this option once you've activated the trial. +> +> Only a Global Administrator can end the trial. ++It can take a few hours for the changes to take effect. Once it does, return to the trial setup page and select **Begin trial**. + ## Try Defender Vulnerability Management Standalone If you're a new customer or an existing Defender for Endpoint P1 or Microsoft 365 E3 customer, you will sign up to trial the **Defender Vulnerability Management Standalone trial**. |
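Review bot: the new "Required roles for starting the trial" section starts its numbered list at "2." with no step 1; either add the missing first step or renumber it to "1.". The same line has a grammar slip: "you can allow to users start the trial on behalf of your organization" should read "you can allow users to start the trial on behalf of your organization".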
security | Trial User Guide Defender Vulnerability Management | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/trial-user-guide-defender-vulnerability-management.md | -## Welcome to the Microsoft Defender Vulnerability Management trial user guide - This user guide is a simple tool to help you make the most of your free trial. Using the suggested steps in this guide from the Microsoft Security team, you'll learn how vulnerability management can help you protect your users and data. ## What is Microsoft Defender Vulnerability Management? Watch the following video to learn more about Defender Vulnerability Management: ### Step 1: Set-up > [!NOTE]-> Users need to have the global admin role defined in Microsoft Entra ID to onboard the trial. +> Users need to have the global admin role defined in Microsoft Entra ID to onboard the trial. For more information, see [Required roles for starting the trial](get-defender-vulnerability-management.md#required-roles-for-starting-the-trial). 1. Check [permissions and pre-requisites.](tvm-prerequisites.md) 2. The Microsoft Defender Vulnerability Management trial can be accessed in several ways: - Via the [Microsoft Defender portal](https://security.microsoft.com) under Trials. + - If you have access to the [Microsoft Defender 365 portal](https://security.microsoft.com/trialHorizontalHub), go to **Trials** in the left navigation pane bar. Once you've reached the [Microsoft 365 trials hub](https://security.microsoft.com/trialHorizontalHub): ++ - If you have Defender for Endpoint Plan 2, find the **Defender Vulnerability Management add-on** card and select **Try now**. + - If you're a new customer or an existing Defender for Endpoint P1 or Microsoft 365 E3 customer, choose the **Defender Vulnerability Management** card and select **Try now**. 
:::image type="content" source="../../medivm-trialshub.png" alt-text="Screenshot of Microsoft Defender Vulnerability Management trial hub landing page."::: - Via the [Microsoft Admin Center](https://admin.microsoft.com/#/catalog) (global admins only). + - Sign up through the [Microsoft Admin Center](https://admin.microsoft.com/#/catalog) (global admins only). ++> [!NOTE] +> For more options on how to sign up to the trial, see [Sign up for Microsoft Defender Vulnerability Management](get-defender-vulnerability-management.md). ++3. Review the information about what's included in the trial, then select **Begin trial**. Once you activate the trial it can take up to 6 hours for the new features to become available in the portal. ++ - The Defender Vulnerability Management add-on trial lasts for 90 days. + - The Defender Vulnerability Management Standalone trial lasts for 90 days. -3. Learn how to sign up for the Defender Vulnerability Management Trial - - If you have Defender for Endpoint Plan 2, choose [Defender Vulnerability Management Add-on](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-add-on-trial-for-defender-for-endpoint-plan-2-customers). - - If you're a new customer or an existing Defender for Endpoint P1 or Microsoft 365 E3, choose [Defender Vulnerability Management Standalone](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-standalone). 4. When you're ready to get started, visit the [Microsoft Defender portal](https://security.microsoft.com) and select **Vulnerability management** in the left navigation bar to start using the Defender Vulnerability Management trial. > [!NOTE]-> Once you activate the trial it can take up to 6 hours for the new features to become available in the portal. 
+> If you're a Microsoft Defender for Cloud customers, see [Vulnerability Management capabilities for servers](./defender-vulnerability-management-capabilities.md#vulnerability-management-capabilities-for-servers) to learn more about the Defender Vulnerabilities Management capabilities available to your organization. -Now that you have set up your trial, it's time to try key capabilities. +## Try out Defender Vulnerability Management -### Step 2: Know what to protect in a single view +### Step 1: Know what to protect in a single view Built-in and agentless scanners continuously monitor and detect risk even when devices aren't connected to the corporate network. Expanded asset coverage consolidates software applications, digital certificates, browser extensions, and hardware and firmware into a single inventory view. Built-in and agentless scanners continuously monitor and detect risk even when d 3. [**Authenticated scan for Windows**](windows-authenticated-scan.md) - with Authenticated scan for Windows you can remotely target by IP ranges or hostnames and scan Windows services by providing Defender Vulnerability Management with credentials to remotely access the devices. Once configured the targeted unmanaged devices will be scanned regularly for software vulnerabilities. -4. [Assign device value](tvm-assign-device-value.md) - defining a device's value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the Defender Vulnerability Management exposure score calculation. Devices assigned as "high value" will receive more weight. Device value options: +4. [**Assign device value**](tvm-assign-device-value.md) - defining a device's value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the Defender Vulnerability Management exposure score calculation. 
Devices assigned as "high value" will receive more weight. Device value options: - Low - Normal (Default) - High You can also use the [set device value API](/microsoft-365/security/defender-endpoint/set-device-value). -### Step 3: Track and mitigate remediation activities +### Step 2: Track and mitigate remediation activities 1. [**Request remediation**](tvm-remediation.md#request-remediation) - vulnerability management capabilities bridge the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Recommendation** pages to [Intune](/mem/intune/). 2. [**View your remediation activities**](tvm-remediation.md#view-your-remediation-activities) - when you submit a remediation request from the Security recommendations page, it kicks-off a remediation activity. A security task is created that can be tracked on a **Remediation** page, and a remediation ticket is created in Microsoft Intune. Built-in and agentless scanners continuously monitor and detect risk even when d - [View blocked applications](tvm-block-vuln-apps.md#view-blocked-applications) - [Unblock applications](tvm-block-vuln-apps.md#unblock-applications) +> [!NOTE] +> When the trial ends blocked applications will be immediately unblocked whereas baseline profiles may be stored for a short additional time before being deleted. + 4. Use enhanced assessment capabilities such as [Network shares analysis](tvm-network-share-assessment.md) to protect vulnerable network shares. As network shares can be easily accessed by network users, small common weaknesses can make them vulnerable. These types of misconfigurations are commonly used in the wild by attackers for lateral movement, reconnaissance, data exfiltration, and more. 
That's why we built a new category of configuration assessments in Defender Vulnerability Management that identify the common weaknesses that expose your endpoints to attack vectors in Windows network shares. This helps you: - Disallow offline access to shares - Remove shares from the root folder Built-in and agentless scanners continuously monitor and detect risk even when d 5. View and monitor your organization's devices using a [**Vulnerable devices report**](tvm-vulnerable-devices-report.md) that shows graphs and bar charts with vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure. -### Step 4: Set up security baseline assessments +### Step 3: Set up security baseline assessments Instead of running point-in-time compliance scans, security baselines assessment helps you to continuously and proactively monitor your organization's compliance against industry security benchmarks in real time. A security baseline profile is a customized profile that you can create to assess and monitor endpoints in your organization against industry security benchmarks (CIS, NIST, MS). When you create a security baseline profile, you're creating a template that consists of multiple device configuration settings and a base benchmark to compare against. Security baselines provide support for Center for Internet Security (CIS) benchm 2. Review [security baseline profile assessment results](tvm-security-baselines.md#review-security-baseline-profile-assessment-results) 3. [Use advanced hunting](tvm-security-baselines.md#use-advanced-hunting) -### Step 5: Create meaningful reports to get in-depth insights using APIs and Advanced Hunting +> [!NOTE] +> When the trial ends security baseline profiles may be stored for a short additional time before being deleted. 
++### Step 4: Create meaningful reports to get in-depth insights using APIs and Advanced Hunting Defender Vulnerability Management APIs can help drive clarity in your organization with customized views into your security posture and automation of vulnerability management workflows. Alleviate your security team's workload with data collection, risk score analysis, and integrations with your other organizational processes and solutions. For more information, see: Defender Vulnerability Management APIs can help drive clarity in your organizati Advanced hunting enables flexible access to Defender Vulnerability Management raw data, which allows you to proactively inspect entities for known and potential threats. For more information, see [Hunt for exposed devices](../defender-endpoint/advanced-hunting-overview.md). +## Licensing and trial information ++As part of the trial setup, the new Defender Vulnerability Management trial licenses will be applied to users automatically. Therefore, no assignment is needed (_The trial can automatically apply up to 1,000,000 licenses_). The licenses are active for the duration of the trial. ++### Getting started with the trial ++You can start using Defender Vulnerability Management features as soon as you see them in the Microsoft Defender portal. Nothing is created automatically and users won't be affected. When you navigate to each solution, you may be guided to make extra setup configurations to start using features. ++### Extending the trial ++You can extend the trial within the last 15 days of the trial period. You're limited to a maximum of two trial periods. If you don't extend by the time your trial period ends, you'll need to wait at least 30 days before signing up for a second trial. ++### Ending the trial ++Admins can disable the trial anytime by selecting **Trials** on the left navigation, going to the **Defender Vulnerability Management** trial card and selecting **End trial**. 
++Unless stated otherwise for the solution your trial data will be maintained for time, usually 180 days, before being permanently deleted. You may continue to access the data gathered during the trial until that time. + ## Additional resources +- Terms and conditions: See the [terms and conditions](/legal/microsoft-365/microsoft-365-trial) for Microsoft 365 trials. - Compare offerings: [Microsoft Defender Vulnerability Management](defender-vulnerability-management-capabilities.md) - [Defender Vulnerability Management documentation](../defender-vulnerability-management/index.yml) - Datasheet: [Microsoft Defender Vulnerability Management: Reduce cyber risk with continuous vulnerability discovery and assessment, risk-based prioritization, and remediation](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4XR02) |
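Review bot: the heading renumbering (Step 4 to Step 3, Step 5 to Step 4) changes the generated anchors for those sections, so any in-article or cross-article links to the old `#step-4-...` and `#step-5-...` anchors need updating in the same change; while this section is being touched, the unchanged context line "understand the breath and scope of your device exposure" should read "breadth and scope".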
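Review bot: in the added "Ending the trial" text, "Unless stated otherwise for the solution your trial data will be maintained for time, usually 180 days" is missing a word and a comma; suggest "Unless stated otherwise for the solution, your trial data will be maintained for a period of time, usually 180 days, before being permanently deleted." It would also help readers to say where the solution-specific retention statements that override this default live.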
security | Mto Tenants | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mto-tenants.md | Last updated 09/01/2023 ## View the tenants page -To view the list of tenants that appear in multi-tenant management, go to [Settings page](https://mto.security.microsoft.com/mtosettings) in multi-tenant management in Microsoft Defender XDR: +To view the list of tenants that appear in multitenant management, go to [Settings page](https://mto.security.microsoft.com/mtosettings) in multitenant management in Microsoft Defender XDR: - :::image type="content" source="../../media/defender/mto-tenant-settings.png" alt-text="Screenshot of multi-tenant management in Microsoft Defender XDR" lightbox="../../media/defender/mto-tenant-settings.png"::: + :::image type="content" source="../../media/defender/mto-tenant-settings.png" alt-text="Screenshot of multitenant management in Microsoft Defender XDR" lightbox="../../media/defender/mto-tenant-settings.png"::: From the **Settings** page you can: From the **Settings** page you can: - Select a tenant from the list to open the [Microsoft Defender portal](https://security.microsoft.com) for that tenant. - **Remove a tenant**: Select the tenant you'd like to remove > select **Remove**. -## Multi-tenant management status indicator +## Multitenant management status indicator -The multi-tenant management status indicator provides information on whether data issues exist for the page you're viewing, such as data loading issues or permissions issues. The indicator appears in the bottom right corner of the page: +The multitenant management status indicator provides information on whether data issues exist for the page you're viewing, such as data loading issues or permissions issues. The indicator appears in the bottom right corner of the page: When no issue exists, the status indicator is a green tick: |
security | Whats New | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md | You can also get product updates and important notifications through the [messag - (Preview) **[Custom detection rules in Microsoft Graph security API](/graph/api/resources/security-api-overview?view=graph-rest-beta&preserve-view=true#custom-detections)** are now available. Create advanced hunting custom detection rules specific to your org to proactively monitor for threats and take action. +>[!Warning] +> The 2024-02 platform release causes inconsistent results for device control customers using removable media policies with disk/device-level access only (masks that are less of equal to 7). The enforcement might not work as expected. +> To mitigate this issue, rolling back to the previous version of the Defender platform is recommended. + ## January 2024 - **Defender Boxed is available for a limited period of time**. Defender Boxed highlights your organization's security successes, improvements, and response actions during 2023. Take a moment to celebrate your organization's improvements in security posture, overall response to detected threats (manual and automatic), blocked emails, and more. |
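Review bot: the added warning says "masks that are less of equal to 7", which should be "less than or equal to 7"; it also recommends rolling back the Defender platform without naming the affected platform version or linking the rollback procedure, so a reader can't tell which build is safe to return to. The callout is written as `[!Warning]` while the other callouts in this set use the uppercase form (`[!NOTE]`, `[!IMPORTANT]`); use `[!WARNING]` for consistency.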
security | Zero Trust With Microsoft 365 Defender | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/zero-trust-with-microsoft-365-defender.md | To add Microsoft Defender XDR to your Zero Trust strategy and architecture, go t |Includes|Prerequisites|Doesn't include| ||||-| Set up the evaluation and pilot environment for all components: <ul><li>Defender for Identity</li><li>Defender for Office 365</li><li>Defender for Endpoint</li><li>Microsoft Defender for Cloud Apps</li></ul> <br> Protect against threats <br><br> Investigate and respond to threats | See the guidance for the architecture requirements for each component of Microsoft Defender XDR. | Microsoft Entra ID Protection is not included in this solution guide. It is included in [Step 1. Configure Zero Trust identity and device access protection](../microsoft-365-zero-trust.md#step-1-configure-zero-trust-identity-and-device-access-protection--starting-point-policies). | +| Set up the evaluation and pilot environment for all components: <ul><li>Defender for Identity</li><li>Defender for Office 365</li><li>Defender for Endpoint</li><li>Microsoft Defender for Cloud Apps</li></ul> <br> Protect against threats <br><br> Investigate and respond to threats | See the guidance for the architecture requirements for each component of Microsoft Defender XDR. | Microsoft Entra ID Protection is not included in this solution guide. It is included in [Step 1. Configure Zero Trust identity and device access protection](../microsoft-365-zero-trust.md#step-1-configure-zero-trust-identity-and-device-access-protection-starting-point-policies). | ## Next steps |
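Review bot: the anchor change from `--starting-point-policies` to `-starting-point-policies` only resolves once the Step 1 heading in microsoft-365-zero-trust.md is renamed (the em dash replaced by a colon, as in that file's diff further down this table); the two changes need to ship together or the link is broken in between.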
security | Microsoft 365 Zero Trust | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/microsoft-365-zero-trust.md | Use this article together with this poster. | Item | Description | |:--|:--|-|[![Illustration of the Microsoft 365 Zero Trust deployment plan.](../medi)</li></ul> +|[![Illustration of the Microsoft 365 Zero Trust deployment plan.](../medi)</li></ul> ## Zero Trust security architecture This illustration provides a representation of the primary elements that contrib In the illustration: -- Security policy enforcement is at the center of a Zero Trust architecture. This includes Multi Factor authentication with conditional access that takes into account user account risk, device status, and other criteria and policies that you set.-- Identities, devices, data, apps, network, and other infrastructure components are all configured with appropriate security. Policies that are configured for each of these components are coordinated with your overall Zero Trust strategy. For example, device policies determine the criteria for healthy devices and conditional access policies require healthy devices for access to specific apps and data.+- Security policy enforcement is at the center of a Zero Trust architecture. This includes multifactor authentication with Conditional Access that takes into account user account risk, device status, and other criteria and policies that you set. +- Identities, devices, data, apps, network, and other infrastructure components are all configured with appropriate security. Policies that are configured for each of these components are coordinated with your overall Zero Trust strategy. For example, device policies determine the criteria for healthy devices and Conditional Access policies require healthy devices for access to specific apps and data. - Threat protection and intelligence monitors the environment, surfaces current risks, and takes automated action to remediate attacks. 
For more information about Zero Trust, see Microsoft's [_**Zero Trust Guidance Center**_](/security/zero-trust). Microsoft 365 is built intentionally with many security and information protecti This illustration represents the work of deploying Zero Trust capabilities. This work is broken into units of work that can be configured together, starting from the bottom and working to the top to ensure that prerequisite work is complete. In this illustration: In this illustration: - Threat protection capabilities are built on top of this foundation to provide real-time monitoring and remediation of security threats. - Information protection and governance provide sophisticated controls targeted at specific types of data to protect your most valuable information and to help you comply with compliance standards, including protecting personal information. -This article assumes you have already configured cloud identity. If you need guidance for this objective, see [**Deploy your identity infrastructure for Microsoft 365**](/microsoft-365/enterprise/deploy-identity-solution-overview). +This article assumes you are using cloud identity. If you need guidance for this objective, see [**Deploy your identity infrastructure for Microsoft 365**](/microsoft-365/enterprise/deploy-identity-solution-overview). > [!TIP] > When you understand the steps and the end-to-end deployment process, you can use the [Set up your Microsoft Zero Trust security model](https://go.microsoft.com/fwlink/?linkid=2224820) advanced deployment guide when signed in to the Microsoft 365 admin center. This guide steps you through applying Zero Trust principles for standard and advanced technology pillars. To step through the guide without signing in, go to the [Microsoft 365 Setup portal](https://go.microsoft.com/fwlink/?linkid=2222968). 
-## Step 1: Configure Zero Trust identity and device access protection ΓÇö starting-point policies +## Step 1: Configure Zero Trust identity and device access protection: Starting-point policies The first step is to build your Zero Trust foundation by configuring identity and device access protection. :::image type="content" source="../media/zero-trust/m365-zero-trust-architecture-identities.png" alt-text="Diagram that shows the process to configure Zero Trust identity and device access protection." lightbox="../media/zero-trust/m365-zero-trust-architecture-identities.png"::: -Go to [**_Zero Trust identity and device access protection_**](office-365-security/zero-trust-identity-device-access-policies-overview.md) for prescriptive guidance to accomplish this. This series of articles describes a set of identity and device access prerequisite configurations and a set of Microsoft Entra Conditional Access, Microsoft Intune, and other policies to secure access to Microsoft 365 for enterprise cloud apps and services, other SaaS services, and on-premises applications published with Microsoft Entra application proxy. +Go to [**_Zero Trust identity and device access protection_**](office-365-security/zero-trust-identity-device-access-policies-overview.md) for detailed prescriptive guidance. This series of articles describes a set of identity and device access prerequisite configurations and a set of Microsoft Entra Conditional Access, Microsoft Intune, and other policies to secure access to Microsoft 365 for enterprise cloud apps and services, other SaaS services, and on-premises applications published with Microsoft Entra application proxy. 
|Includes|Prerequisites|Doesn't include| |||| |Recommended identity and device access policies for three levels of protection: <ul><li>Starting point</li><li>Enterprise (recommended)</li><li>Specialized</li></ul> <br> Additional recommendations for: <ul><li>External users (guests)</li><li>Microsoft Teams</li><li>SharePoint Online</li><li>Microsoft Defender for Cloud Apps</lu></ul>|Microsoft E3 or E5 <br><br> Microsoft Entra ID in either of these modes: <ul><li>Cloud-only</li><li>Hybrid with password hash sync (PHS) authentication</li><li>Hybrid with pass-through authentication (PTA)</li><li>Federated</li></ul>|Device enrollment for policies that require managed devices. See [Step 2. Manage endpoints with Intune](#step-2-manage-endpoints-with-intune) to enroll devices| -Start by implementing the starting-point tier. These policies do not require enrolling devices into management. +Start by implementing the starting-point tier. These policies don't require enrolling devices into management. ## Step 2: Manage endpoints with Intune -Next, enroll your devices into management and begin protecting these with more sophisticated controls. +Next, enroll your devices into management and begin protecting them with more sophisticated controls. :::image type="content" source="../media/zero-trust/m365-zero-trust-architecture-endpoints.png" alt-text="Diagram that shows the Manage endpoints with Intune element." lightbox="../media/zero-trust/m365-zero-trust-architecture-endpoints.png"::: -Go to [**_Manage devices with Intune_**](../solutions/manage-devices-with-intune-overview.md) for prescriptive guidance to accomplish this. +See [**_Manage devices with Intune_**](../solutions/manage-devices-with-intune-overview.md) for detailed prescriptive guidance. 
|Includes|Prerequisites|Doesn't include| |||| Go to [**_Manage devices with Intune_**](../solutions/manage-devices-with-intune For more information, see [Zero Trust for Microsoft Intune](/mem/intune/fundamentals/zero-trust-with-microsoft-intune). -## Step 3: Add Zero Trust identity and device access protection ΓÇö Enterprise policies +## Step 3: Add Zero Trust identity and device access protection: Enterprise policies With devices enrolled into management, you can now implement the full set of recommended Zero Trust identity and device access policies, requiring compliant devices. With devices enrolled into management, you can now implement the full set of rec Return to [**_Common identity and device access policies_**](office-365-security/zero-trust-identity-device-access-policies-common.md) and add the policies in the Enterprise tier. <a name='step-4-evaluate-pilot-and-deploy-microsoft-365-defender'></a> Go to [**_Evaluate and pilot Microsoft Defender XDR_**](defender/eval-overview.m |Includes|Prerequisites|Doesn't include| ||||-|Set up the evaluation and pilot environment for all components: <ul><li>Defender for Identity</li><li>Defender for Office 365</li><li>Defender for Endpoint</li><li>Microsoft Defender for Cloud Apps</li></ul> <br> Protect against threats <br><br> Investigate and respond to threats|See the guidance to read about the architecture requirements for each component of Microsoft Defender XDR.| Microsoft Entra ID Protection is not included in this solution guide. It is included in [Step 1. 
Configure Zero Trust identity and device access protection](#step-1-configure-zero-trust-identity-and-device-access-protection--starting-point-policies).| +|Set up the evaluation and pilot environment for all components: <ul><li>Defender for Identity</li><li>Defender for Office 365</li><li>Defender for Endpoint</li><li>Microsoft Defender for Cloud Apps</li></ul> <br> Protect against threats <br><br> Investigate and respond to threats|See the guidance to read about the architecture requirements for each component of Microsoft Defender XDR.| Microsoft Entra ID Protection isn't included in this solution guide. It's included in [Step 1. Configure Zero Trust identity and device access protection](#step-1-configure-zero-trust-identity-and-device-access-protection-starting-point-policies).| For more information, see these additional Zero Trust articles: |
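Review bot: the Step 1 link is updated to `#step-1-configure-zero-trust-identity-and-device-access-protection-starting-point-policies`, but the Step 3 heading is also renamed (em dash to colon), which changes its anchor from `...--enterprise-policies` to `...-enterprise-policies`, so any links to the Step 3 anchor need the same fix. In the unchanged Step 1 table cell, `<lu></ul>` should be `</li></ul>`; worth fixing while this table is being edited.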
security | Detect And Remediate Illicit Consent Grants | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md | description: Learn how to recognize and remediate the illicit consent grants att - seo-marvel-apr2020 - has-azure-ad-ps-ref+ - azure-ad-ref-level-one-done appliesto: The simplest way to verify the Illicit Consent Grant attack is to run [Get-Azure > [!IMPORTANT] > We ***highly recommend*** that you require multi-factor authentication on your administrative account. This script supports MFA authentication. + 1. Sign in to the computer that you will run the script from with local administrator rights. 2. Download or copy the [Get-AzureADPSPermissions.ps1](https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09) script from GitHub to a folder from which you will run the script. This will be the same folder to which the output "permissions.csv" file will be written. |
security | Email Authentication About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-about.md | This section describes why you need SPF, DKIM, and DMARC for domains on the inte - Register a domain (for example, proseware.com) and configure DKIM for the domain. - Send email with the From email addresses in a different domain (for example, woodgrovebank.com). -- **DMARC**: As explained in [Set up DMARC to validate the From address domain for senders in Microsoft 365](email-authentication-dmarc-configure.md), DMARC uses SPF and DMARC to check for alignment between the domains in the MAIL FROM and From addresses. DMARC also specifies the action that the destination email system should take on messages that fail DMARC, and identifies where to send DMARC results (both pass and fail).+- **DMARC**: As explained in [Set up DMARC to validate the From address domain for senders in Microsoft 365](email-authentication-dmarc-configure.md), DMARC uses SPF and DKIM to check for alignment between the domains in the MAIL FROM and From addresses. DMARC also specifies the action that the destination email system should take on messages that fail DMARC, and identifies where to send DMARC results (both pass and fail). **How DMARC helps SPF and DKIM**: As previously described, SPF makes no attempt to match the domain in MAIL FROM domain and From addresses. DKIM doesn't care if the domain that signed the message matches the domain in the From address. |
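Review bot: the "SPF and DMARC" to "SPF and DKIM" correction is right, since the sentence describes alignment of the From domain against the MAIL FROM domain (SPF) and the signing domain (DKIM); the following unchanged sentence, "match the domain in MAIL FROM domain and From addresses", has a stray "domain" and should read "match the domains in the MAIL FROM and From addresses".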
security | Quarantine Admin Manage Messages Files | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files.md | Watch this short video to learn how to manage quarantined messages as an admin. - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:- - [Microsoft Defender XDR Unified role based access control (RBAC)](../defender/manage-rbac.md) (Affects the Defender portal only, not PowerShell): **Security Data / email quarantine (manage)** (management via PowerShell). + - [Microsoft Defender XDR Unified role based access control (RBAC)](../defender/manage-rbac.md) (Affects the Defender portal only, not PowerShell): **Security operations / Security data / Email & collaboration quarantine (manage)**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): - _Take action on quarantined messages for all users_: Membership in the **Quarantine Administrator**, **Security Administrator**, or **Organization Management** role groups. - _Submit messages from quarantine to Microsoft_: Membership in the **Quarantine Administrator** or **Security Administrator** role groups. |
security | Quarantine Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md | You create and assign quarantine policies in the Microsoft Defender portal or in - How long messages that were quarantined by anti-spam and anti-phishing protection are held before they expire is controlled by the **Retain spam in quarantine for this many days** (_QuarantineRetentionPeriod_) in anti-spam policies. For more information, see the table in [Quarantine retention](quarantine-about.md#quarantine-retention). - You need to be assigned permissions before you can do the procedures in this article. You have the following options:- - [Microsoft Defender XDR Unified role based access control (RBAC)](../defender/manage-rbac.md) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)**. + - [Microsoft Defender XDR Unified role based access control (RBAC)](../defender/manage-rbac.md) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)**, or **Security operations/Security Data/Email & collaboration quarantine (manage)**. - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Quarantine Administrator**, **Security Administrator**, or **Organization Management** role groups. - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. |
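Review bot: the Unified RBAC permission path is written here as `Security operations/Security Data/Email & collaboration quarantine (manage)` but as `Security operations / Security data / Email & collaboration quarantine (manage)` in the quarantine-admin-manage-messages-files.md change above (different spacing and casing of "data"); pick the spelling that matches the portal label and use it in both articles.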
solutions | Tenant Management Tenants | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/tenant-management-tenants.md | Title: Step 1. Your Microsoft 365 for enterprise tenants Previously updated : 12/01/2020 Last updated : 03/21/2024 audience: ITPro +- must-keep - Ent_Solutions description: "Deploy and manage single or multiple Microsoft 365 tenants, with options for multi-geo and moving locations." description: "Deploy and manage single or multiple Microsoft 365 tenants, with o # Step 1. Your Microsoft 365 for enterprise tenants -One of your first tenant decisions is how many to have. Each Microsoft 365 tenant is distinct, unique, and separate from all other Microsoft 365 tenants. Its corresponding Microsoft Entra tenant is also distinct, unique, and separate from all other Microsoft 365 tenants. +One of your first tenant decisions is how many to have. Each Microsoft 365 tenant is distinct, unique, and separate from all other Microsoft 365 tenants. Its corresponding Microsoft Entra (formerly known as Azure AD or Azure Active Directory) tenant is also distinct, unique, and separate from all other Microsoft 365 tenants. ## Single tenant Having a single tenant simplifies many aspects of your organization's use of Microsoft 365. A single tenant means a single Microsoft Entra tenant with a single set of accounts, groups, and policies. Permissions and sharing of resources across your organization can be done through this central identity provider. A single tenant provides the most feature-rich and simplified collaboration and productivity experience for your users. -Here is an example showing the default location and Microsoft Entra tenant of a Microsoft 365 tenant. +Here's an example showing the default location and Microsoft Entra tenant of a Microsoft 365 tenant. 
![A single Microsoft 365 tenant with its Microsoft Entra tenant.](../media/tenant-management-overview/tenant-management-example-tenant.png) There are many reasons why your organization could have multiple tenants: - Historical decisions - Mergers, acquisitions, or divestitures - Clear separation of branding for conglomerate organizations-- Pre-production, test, or sandbox tenants+- Preproduction, test, or sandbox tenants -Here is an example of an organization that has two tenants (Tenant A and Tenant B) in the same default datacenter geo. Each tenant as a separate Microsoft Entra tenant. +Here's an example of an organization that has two tenants (Tenant A and Tenant B) in the same default datacenter geo. Each tenant as a separate Microsoft Entra tenant. ![Multiple Microsoft 365 tenants with their own Microsoft Entra tenants.](../media/tenant-management-overview/tenant-management-example-multi-tenant.png) Here are two example tenants and their mailboxes before cross-tenant mailbox mig In this illustration, two separate tenants have their own domains and set of Exchange mailboxes. -Here is the target tenant (Tenant A) after cross-tenant mailbox migration. +Here's the target tenant (Tenant A) after cross-tenant mailbox migration. ![The target tenant after cross-tenant mailbox migration.](../media/tenant-management-overview/tenant-management-cross-tenant-mailbox-after.png) For more information, see [Cross-tenant mailbox migration](../enterprise/cross-t ### Tenant-to-tenant migrations -There are several architectural approaches for mergers, acquisitions, divestitures, and other scenarios that might lead you to migrate an existing Microsoft 365 tenant to a new tenant. +There are several architectural approaches for mergers, acquisitions, divestitures, and other scenarios that might lead you to migrate an existing Microsoft 365 tenant to a new tenant. 
For detailed guidance, see [Microsoft 365 tenant-to-tenant migrations](../enterprise/microsoft-365-tenant-to-tenant-migrations.md). With Microsoft 365 Multi-Geo, you can provision and store data at rest in the ot In a Multi-Geo environment, your Microsoft 365 tenant consists of a default or central location where your Microsoft 365 subscription was originally created and one or more satellite locations. In a multi-geo tenant, the information about geo locations, groups, and user information is mastered in a global Microsoft Entra tenant. Because your tenant information is mastered centrally and synchronized into each geo location, collaboration experiences involving anyone from your company are shared across the locations. -Here is an example of an organization that has its default location in Europe and a satellite location in North America. Both locations share the same global Microsoft Entra tenant for the single Microsoft 365 tenant. +Here's an example of an organization that has its default location in Europe and a satellite location in North America. Both locations share the same global Microsoft Entra tenant for the single Microsoft 365 tenant. ![Example of a multi-geo Microsoft 365 tenant.](../media/tenant-management-overview/tenant-management-example-multi-geo.png) For more information, see [Microsoft 365 Multi-Geo](../enterprise/microsoft-365- Microsoft continues to open new datacenter geos for Microsoft 365 services. These new datacenter geos add capacity and compute resources to support our ongoing customer demand and usage growth. Additionally, the new datacenter geos offer in-geo data residency for core customer data. -Although opening a new datacenter geo does not impact you and your core data stored in an already existing datacenter geo, Microsoft allows you to request an early migration of your organization's core customer data at rest to a new datacenter geo. 
+Although opening a new datacenter geo doesn't impact you and your core data stored in an already existing datacenter geo, Microsoft allows you to request an early migration of your organization's core customer data at rest to a new datacenter geo. -Here is an example in which a Microsoft 365 tenant was moved from the European Union (EU) datacenter geo to the one located in the United Kingdom (UK). +Here's an example in which a Microsoft 365 tenant was moved from the European Union (EU) datacenter geo to the one located in the United Kingdom (UK). ![Example of moving a Microsoft 365 tenant between datacenter geos.](../media/tenant-management-overview/tenant-management-example-tenant-move.png) For your Microsoft 365 for enterprise tenants, you have determined: - Whether you need to migrate one tenant to another. - Whether you need to move core data from one datacenter geo to new one. -Here is an example of a new tenant. +Here's an example of a new tenant. ![Example of a new tenant.](../media/tenant-management-overview/tenant-management-tenant-build-step1.png) In this illustration, the tenant has: - The set of cloud productivity apps, some of which are specific to products. - A Microsoft Entra tenant that contains global administrator accounts and an initial DNS domain name. -As we move through the additional steps of this solution, we will build out this figure. +As we move through the additional steps of this solution, we'll build out this figure. ## Ongoing maintenance for tenants |
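Review bot: the added line "Each tenant as a separate Microsoft Entra tenant" is missing its verb and should read "Each tenant has a separate Microsoft Entra tenant" (the removed `-` line carried the same error, so the contraction change was an opportunity to fix it); in the unchanged summary list, "move core data from one datacenter geo to new one" should be "to a new one".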