-|Active files | The number of active files on the site.<br/> NOTE: If files were removed during the specified time period for the report, the number of active files shown in the report may be larger than the current number of files on the site. |

-# Enable Modern Authentication for Office 2013 on Windows devices

-To enable modern authentication for any Windows devices that have Office 2013 installed, you need to set specific registry keys.

-

-## Enable modern authentication for Office 2013 clients

-> [!NOTE]

-> Modern authentication is already enabled for Office 2016 clients, you do not need to set registry keys for Office 2016.

-

-To enable modern authentication for any devices running Windows (for example on laptops and tablets), that have Microsoft Office 2013 installed, you need to set the following registry keys. The keys need to be set on each device that you want to enable for modern authentication:

-<br>

-****

-|:|::|:|

-Create or modify the following registry keys to force Outlook to use a newer authentication method for web services, such as EWS and Autodiscover. We recommend that users force Outlook to use Modern Authentication.

-1. Exit Outlook.

-2. Start Registry Editor by using one of the following procedures, as appropriate for your version of Windows:

- - **Windows 10, Windows 8.1, and Windows 8:** Press Windows Key + R to open a **Run** dialog box. Type *regedit.exe*, and then press **Enter.**

- - **Windows 7:** Click **Start**, type *regedit.exe* in the search box, and then press **Enter.**

-3. In Registry Editor, locate and click the following registry subkey:

- ```console

- HKEY_CURRENT_USER\Software\Microsoft\Exchange\

- ```

-4. If the *AlwaysUseMSOAuthForAutoDiscover* key is missing, on the Edit menu, point to **New** and then select **DWORD Value**. Type *AlwaysUseMSOAuthForAutoDiscover*, then press **Enter.**

-5. Right-click *AlwaysUseMSOAuthForAutoDiscover*, and then click **Modify.**

-6. In the **Value** data box, type **1**, and then click **OK.**

-7. In Registry Editor, locate and click the following registry subkey:

- ```console

- HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity\

- ```

-8. If the *EnableADAL* and *Version* keys already exist, modify the values if necessary, then exit Registry Editor. If they do not, on the Edit menu, point to **New** and then select **DWORD Value** to create the missing keys.

-9. For example, if the *EnableADAL* key is missing, type *EnableADAL*, and then press **Enter.**

-10. Right-click *EnableADAL*, and then click **Modify.**

-11. In the **Value** data box, type **1**, and then click **OK.**

-12. Follow the same process for the Version key if necessary.

-13. **Exit Registry Editor.**

-Once you've set the registry keys, you can set Office 2013 devices apps to use [multifactor authentication (MFA)](set-up-multi-factor-authentication.md) with Microsoft 365.

-

-If you're currently signed-in with any of the client apps, you need to sign out and sign back in for the change to take effect. Otherwise, the MRU and roaming settings will be unavailable until the identity is established.

-

-## Disable modern authentication on devices

-To disable modern authentication on a device, set the following registry keys on the device:

-<br>

-****

-|Registry key|Type|Value|

-|:|::|:|

-|HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL|REG_DWORD|0|

-|HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover|REG_DWORD|0|

-

-[Sign in to Office 2013 with a second verification method](https://support.microsoft.com/office/2b856342-170a-438e-9a4f-3c092394d3cb) (article)\

-[Outlook prompts for password and doesn't use Modern Authentication to connect to Office 365](/outlook/troubleshoot/authentication/outlook-prompt-password-modern-authentication-enabled) (article)

-**Microsoft Security Technical Content Library**: Explore this library to find interactive guides and other learning content relevant to your needs. [Visit Library](/security/content-library).

-Recommended actions can help your organization quickly get started and to get the most out of insider risk management capabilities. Included on the **Overview** page, recommended actions help guide you through the steps to configure and deploy policies and to take investigation actions for user actions that generate alerts from policy matches.

-Admin notifications automatically send an email notification to users included in the *Insider Risk Management*, *Insider Risk Management Analysts*, and *Insider Risk Management Investigators* role groups when the first alert is generated for a new policy. This is enabled by default for all organizations and policies are checked every 24 hours for first-time alerts. Notifications aren't sent for any alerts that occur in policies after the first alert.

-If you've enabled insider risk management Analytics for your organization, members of the *Insider Risk Management Admin* role group automatically receive an email notification for initial analytics insights for data leaks, theft, and exfiltration activities.

-If you prefer to disable admin notifications, complete the following steps:

-

-|Change label|Allowed |Allowed - container admin only | Allowed - container admin only| **Blocked**

-|Remove label|Allowed |Allowed - container admin only | Allowed - container admin only| **Blocked**

-For organizations that assign licenses to groups of users by using group-based licensing, you have to turn off the licensing assignment for Microsoft 365 Advanced Auditing for the group. After you save your changes, verify that Microsoft 365 Advanced Auditing is turned off for the group. Then turn the licensing assignment for the group back on. For instructions about group-based licensing, see [Assign licenses to users by group membership in Azure Active Directory](/azure/active-directory/users-groups-roles/licensing-groups-assign).

-Also, if you have customized the mailbox actions that are logged on user mailboxes or shared mailboxes, any new Advanced Audit events released by Microsoft will not be automatically audited on those mailboxes. For information about changing the mailbox actions that are audited for each logon type, see the "Change or restore mailbox actions logged by default" section in [Manage mailbox auditing](enable-mailbox-auditing.md#change-or-restore-mailbox-actions-logged-by-default).

-This article is organized by priority of work, starting with protecting those accounts used to administer the most critical services and assets, such as your tenant, e-mail, and SharePoint. It provides a methodical way for approaching security and works together with the following spreadsheet so you can track your progress with stakeholders and teams across your organization: [Microsoft 365 security for BDMs spreadsheet](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/Microsoft-365-BDM-security-recommendations-spreadsheet.xlsx).

-[](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/Microsoft-365-BDM-security-recommendations-spreadsheet.xlsx)

-

-One more thing before we get started . . . be sure to [turn on the audit log](../compliance/search-the-audit-log-in-security-and-compliance.md). You'll need this data later, in the event you need to investigate an incident or a breach.

-As a first step, we recommend ensuring critical accounts in the environment are given an extra layer of protection as these accounts have access and permissions to manage and alter critical services and resources, which can negatively impact the entire organization, if compromised. Protecting privileged accounts is one of the most effective ways to protect against an attacker who seeks to elevate the permissions of a compromised account to an administrative one.

-|Enforce multifactor authentication (MFA) for all administrative accounts.|||

-|Configure and use Privileged Access Workstations (PAW) to administer services. Do not use the same workstations for browsing the Internet and checking email not related to your administrative account.| | |

-

-Known threats include malware, compromised accounts, and phishing. Some protections against these threats can be implemented quickly with no direct impact to your users, while others require more planning and user training.

-

-After adding extra protections to your privileged accounts and protecting against known attacks, shift your attention to protecting against unknown threats. The more determined and advanced adversaries use innovative and new, unknown methods to attack organizations. With Microsoft's vast telemetry of data gathered over billions of devices, applications, and services, we are able to perform Defender for Office 365 on Windows, Office 365, and Azure to prevent against Zero-Day attacks, utilizing sand box environments, and checking validity before allowing access to your content.

-|**Configure Microsoft Defender for Office 365**:<br>* Safe Attachments<br>* Safe Links<br>* Microsoft Defender for Endpoint for SharePoint, OneDrive, and Microsoft Teams<br>* Anti-phishing in Defender for Office 365 protection| | |

-|**Configure Microsoft Defender for Endpoint capabilities**:<br>* Windows Defender Antivirus <br>* Exploit protection <br> * Attack surface reduction <br> * Hardware-based isolation <br>* Controlled folder access | | |

-

-While Microsoft takes every possible measure to prevent against threats and attacks, we recommend always working under the "Assume Breach" mindset. Even if an Attacker has managed to intrude into the environment, we need to make sure they are unable to exfiltrate data or identity information from the environment. For this reason, we recommend enabling protection against sensitive data leaks such as Social Security numbers, credit cards numbers, other personal information, and other organizational level confidential information.

-The "Assume Breach" mindset requires implementing a Zero Trust network strategy, which means users are not fully trusted just because they are internal to the network. Instead, as part of authorization of what users can do, sets of conditions are specified, and when such conditions are met, certain controls are enforced. Conditions may include device health status, application being accessed, operations being performed, and user risk. For example, a device enrollment action should always trigger MFA authentication to ensure no rouge devices are added to your environment.

-A Zero Trust network strategy also requires that you know where your information is stored and apply appropriate controls for classification, protection, and retention. To effectively protect your most critical and sensitive assets you need to first identify where these are located and take inventory, which can be challenging. Next, work with your organization to define a governance strategy. Defining a classification schema for an organization and configuring policies, labels, and conditions require careful planning and preparation. It is important to realize that this is not an IT driven process. Be sure to work with your legal and compliance team to develop an appropriate classification and labeling schema for your organization's data.

-Microsoft 365 information protection capabilities can help you discover what information you have, where it is stored, and which information requires extra protection. Information protection is a continuous process and Microsoft 365 capabilities provide you with visibility into how users are using and distributing sensitive information, where your information is currently stored, and where it flows. You can also see how users handling information that is regulated to be sure the appropriate labels and protections are applied.

-|**Review and optimize your conditional access and related policies to align with your objectives for a Zero Trust network**. Protecting against known threats includes implementing a set of [recommended policies](./office-365-security/microsoft-365-policies-configurations.md). Review your implementation of these policies to ensure you're protecting your apps and data against hackers who have gained access to your network. The recommended Intune app protection policy for Windows 10 enables Windows Information Protection (WIP). WIP protects against accidental leaks of your organization data through apps and services, like email, social media, and the public cloud. | ||

-|Use **Microsoft Defender for Office 365** tools:<br>* Threat investigation and response capabilities<br> * Automated investigation and response | ||

-|Use **Microsoft Defender for Endpoint**:<br> * [Endpoint detection and response](/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) <br> * Automated investigation and remediation Secure score <br>* [Advanced hunting](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) <br>| ||

-|Use **Microsoft Defender for Cloud Apps** to detect unusual behavior across cloud apps to identify ransomware, compromised users or rogue applications, analyze high-risk usage and remediate automatically to limit the risk to your organization.| ||

-|Use **Microsoft Sentinel** or your current SIEM tool to monitor for threats across your environment. | ||

-|**Deploy [Microsoft Defender for Identity](/azure-advanced-threat-protection/what-is-atp)** to monitor and protect against threats targeted to your on-premises Active Directory environment. | | |

-

-<!

-[](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/zero-trust/zero-trust-architecture.png)

-

-|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers) | Y | Y MEM OMA-URI | | Y | Y |

-Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes; such as spawning a command prompt or using PowerShell to configure registry settings.

-> The steps below are applicable only to devices running previous versions of Windows such as:

-Windows Server 2016 and earlier or Windows 8.1 and earlier.

-## On-premises devices

-## Azure virtual machines

-## Additional ransomware resources

-The *go hunt* action is available in various sections of the Defender for Cloud whenever event or entity details are displayed. For example, you can use *go hunt* from the following sections:

- :::image type="content" source="../../media/go-hunt-1-incident.png" alt-text="The **Mailboxes** page with the **Go hunt** option in the Microsoft 365 Defender portal " lightbox="../../media/go-hunt-1-incident.png":::

- :::image type="content" source="../../media/go-hunt-2-entity.png" alt-text="The Go hunt option for a piece of evidence in the **Incident** page in Microsoft 365 Defender portal" lightbox="../../media/go-hunt-2-entity.png":::

- :::image type="content" source="../../media/go-hunt-3-event.png" alt-text="The **Hunt for related events** option on an event's page in the **Timelines** tab in Microsoft 365 Defender portal" lightbox="../../media/go-hunt-3-event.png":::

-When using *go hunt* to query for information about a user, device, or any other type of entity, the query checks all relevant schema tables for any events involving that entity. To keep the results manageable, the query is scoped to around the same time period as the earliest activity in the past 30 days that involves the entity and is associated with the incident.

-You can use *go hunt* after selecting any of these entity types:

-The link to incident feature lets you add advanced hunting query results to a new or existing incident under investigation. This feature helps you easily capture records from advanced hunting activities so you can create a richer timeline or context of events regarding an incident.

- :::image type="content" source="../../media/link-to-incident-1.png" alt-text="An example of the **Query** page in the Microsoft 365 Defender portal" lightbox="../../media/link-to-incident-1.png":::

-2. In the Results page, select the events or records that are related to a new or current investigation you are working on, then select **Link to incident**.

- :::image type="content" source="../../media/link-to-incident-1b.png" alt-text="The **Link to incident** option of the **Results** tab in the Microsoft 365 Defender portal" lightbox="../../media/link-to-incident-1b.png":::

- :::image type="content" source="../../media/link-to-incident-3-create-new.png" alt-text="An example of the **Alert details** section in the **Link to incident** pane in the Microsoft 365 Defender portal" lightbox="../../media/link-to-incident-3-create-new.png":::

- :::image type="content" source="../../media/link-to-incident-3-link-to-existing.png" alt-text="An example of **Alert details** section in the **Link to incident** pane in the Microsoft 365 Defender portal":::

- - **Alert title** - provide a descriptive title for the results that your incident responders can understand. This becomes the alert title.

- :::image type="content" source="../../media/link-to-incident-4-impacted-entities.png" alt-text="An example of an impacted entity in the **Link to incident** section in the Microsoft 365 Defender portal" lightbox="../../media/link-to-incident-4-impacted-entities.png":::

-1. Review the details you have provided in the **Summary** section.

- :::image type="content" source="../../media/link-to-incident-5-summary.png" alt-text="An example of the results page in the **Link to incident** section in the Microsoft 365 Defender portal" lightbox="../../media/link-to-incident-5-summary.png":::

- :::image type="content" source="../../media/link-to-incident-6-incident-pg.png" alt-text="An example of event details screen in the **Summary** tab in the Microsoft 365 Defender portal" lightbox="../../media/link-to-incident-6-incident-pg.png":::

- :::image type="content" source="../../media/link-to-incident-7-alert-story.png" alt-text="An example of full details of an event in the **Timeline** tab in the Microsoft 365 Defender portal" lightbox="../../media/link-to-incident-7-alert-story.png":::

-While you can construct your [advanced hunting](advanced-hunting-overview.md) queries to return very precise information, you can also work with the query results to gain further insight and investigate specific activities and indicators. You can take the following actions on your query results:

-| -- | -- |

-

-If you're dealing with a list of values that isnΓÇÖt finite, you can use the `Top` operator to chart only the values with the most instances. For example, to get the top ten sender domains with the most phishing emails, use the query below:

-

-*Pie chart showing distribution of phishing emails across top sender domains*

-Using the `summarize` operator with the `bin()` function, you can check for events involving a particular indicator over time. The query below counts events involving the file `invoice.doc` at 30 minute intervals to show spikes in activity related to that file:

-

-

-

->Some tables in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).

-

-

- 

- 

-

- 

- 

- 

- 

- 

- 

-

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

-

-1. Select **Subscriptions** > **{ Select the subscription the event hub will be deployed to }** > **Resource providers**.

-

- 

- 

- 

- Go **to Event Hubs \> Add** and select the pricing tier, throughput units and Auto-Inflate (requires standard pricing and under features) appropriate for the load you are expecting. For more information, see [Pricing - Event Hubs \| Microsoft Azure](https://azure.microsoft.com/pricing/details/event-hubs/)

- > You can use an existing event hub, but the throughput and scaling are set at the namespace level so it is recommended to place an event hub in itsown namespace.

- 

-1. You will also need the Resource ID of this Event Hub Namespace. Go to your Azure Event Hubs namespace page \> Properties. Copy the text under Resource ID and record it for use during the Microsoft 365 Configuration section below.

- 

-1. Once the Event Hub Namespace is created, you will need to add the App Registration Service Principal as Reader, Azure Event Hubs Data Receiver, and the user who will be logging into Microsoft 365 Defender as Contributor (you can also do this at Resource Group or Subscription level).

- You do this step at **Event Hubs Namespace** \> **Access Control (IAM)** \> **Add** and verify under **Role assignments**:

- 

-Instead of exporting all the Event Types (Tables) into one Event Hub, you can export each table into a different Event Hub inside your Event Hub Namespace (one Event Hub per Event Type).

-In this option, Microsoft 365 Defender will create Event Hubs for you.

-> If you are using an Event Hub Namespace that is **not** part of an Event Hub Cluster, you will only be able to choose up to 10 Event Types (Tables) to export in each Export Settings you define, due to an Azure limitation of 10 Event Hubs per Event Hub Namespace.

-

-Create an Event Hub within your Namespace by selecting **Event Hubs** \> **+ Event Hub**.

-

-For this Event Hub (not namespace) you will need to configure a Shared Access Policy with Send, Listen Claims. Click on your **Event Hub** \> **Shared access policies** \> **+ Add** and then give it a Policy name (not used elsewhere) and check **Send** and **Listen**.

-

- 

- **Event-Hub name**: If you created an Event Hub inside your Event Hub Namespace, paste the Event Hub sname you recorded above.

- If you choose to let Microsoft 365 Defender to create Event Hubs per Event Types (Tables) for you, leave this field empty.

- 

-This will show you how many emails were received in the last hour joined across all the other tables. It will also show you if you are seeing events that could be exported to the event hub. If this count shows 0, then you won't see any data going out to the Event Hub.

-

-Once you have verified there is data to export, you can view the Event Hub to verify that messages are incoming. This can take up to one hour.

-1. In Azure, go to **Event Hubs** \> Click on the **Namespace** \> **Event Hubs** \> Click on the **Event Hub**.

- 

- 

- 

- 

- 

- 

-<br>

-

-

-

-

-

-

-

-

-

-

- :::image type="content" source="../../medio-eval-license-details.png" alt-text="The Office 365 section has a Details button to click.":::

- :::image type="content" source="../../media/mdo-eval/3-m365-purchase-button.png" alt-text="Click 'Start free trial' (there's a 35$ fee).":::

- :::image type="content" source="../../medio-trial-order.png" alt-text="There is a 'Try Now' button on the 'Check out, confirm your order' panel (for an Office 365 E5 trial of a month for 25 users).":::

-

-

- 

- 

-

-|[Step 3. Set up the pilot ](eval-defender-endpoint-pilot.md) | Verify your pilot group, run simulations, and become familiar with key features and dashboards. |

-

-

-| | | |

-

-| |Step |More information |

-| | |

-| |Step |More information |

-| | | |

-| |Step |More information |

-| | | |

-Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)

-

-| |Step |Description |

-||||

-

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

-

-

- 

-

-

-

-

-

-

-

-

-

-

-

-[

-Use the following steps to setup and configure the pilot for Microsoft Defender for Office 365.

-It may not be evident why 'Standard' and 'Strict' are the terms used for this, but that will become clear when you explore more about Defender for Office 365 security presets. Naming groups 'custom' and 'exceptions' speak for themselves, and though most of your users should fall under *standard* and *strict*, custom and exception groups will collect valuable data for you regarding managing risk.

-1. Logon to Exchange Admin Center (EAC) using an account that has been granted Recipient Administrator role or been delegated group management permissions.

-2. From the navigation menu, expand **Recipients** and select <a href="https://go.microsoft.com/fwlink/?linkid=2183233" target="_blank">**Groups**</a>.

- :::image type="content" source="../../medio-eval-pilot.png" alt-text="Exchange admin center on the navigation menu (the quick launch) with an arrow pointing at Groups. Click Groups.":::

- :::image type="content" source="../../medio-eval-pilot-add-group.png" alt-text="Add groups on the Groups panel.":::

- :::image type="content" source="../../medio-eval-pilot-group-type.png" alt-text="Choose a distribution group type here.":::

- :::image type="content" source="../../medio-eval-pilot-set-up-basics.png" alt-text="Name and describe the group.":::

-It's encouraged to begin with the *recommended baseline policies* when evaluating MDO and then refine them as needed over the course of your evaluation period.

- :::image type="content" source="../../medio-eval-pilot-threat-policies.png" alt-text="a.":::

- :::image type="content" source="../../medio-eval-pilot-template-policies.png" alt-text="Click the Preset Security Policies tile.":::

- :::image type="content" source="../../medio-eval-pilot-preset.png" alt-text="On the Preset security policies panel, click Edit.":::

- :::image type="content" source="../../medio-eval-pilot-eop-protections.png" alt-text="Add the conditions needed to apply the EOP security level to your pilot group.":::

- :::image type="content" source="../../medio-protections.png" alt-text="Add the conditions needed to apply the Defender for Office 365 security level to your pilot group.":::

-

-|7|[Configure MFA and conditional access for guests, including Intune app protection](#7-configure-mfa-and-conditional-access-for-guests-including-intune-mobile-app-protection)||||

-|8|[Enroll PCs into device management and require compliant PCs](#8-enroll-pcs-into-device-management-and-require-compliant-pcs)||||

-|9|[Optimize your network for cloud connectivity](#9-optimize-your-network-for-cloud-connectivity)||||

-|10|[Train users](#10-train-users)||||

-|11|[Get started with Microsoft Defender for Cloud Apps](#11-get-started-with-microsoft-defender-for-cloud-apps)||||

-|12|[Monitor for threats and take action](#12-monitor-for-threats-and-take-action)||||

-|

-

-|

-

-|

-[PDF](https://download.microsoft.com/download/9/b/b/9bb5fa79-74e9-497b-87c5-4021e53d9fc2/hybrid-worker-infrastructure.pdf) | [PowerPoint](https://download.microsoft.com/download/9/b/b/9bb5fa79-74e9-497b-87c5-4021e53d9fc2/hybrid-worker-infrastructure.pptx) <br>