Updates from: 03/25/2022 02:52:02
Category Microsoft Docs article Related commit history on GitHub Change details
admin Manage Feedback Ms Org https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-feedback-ms-org.md
Your devices must be on a minimum build number to use these policies. See the ta
|**Build #**|**Win32**|**iOS**|**Android**|**Mac**|**Web**| |:--|:--|:--|:--|:--|:--|
-|In-product feedback|At least 16.0.13328|At least 2.42|At least 16.0.13328|At least 16.42|Publicly available|
-|In-product surveys|At least 16.0.13328|At least 2.42|At least 16.0.13426|At least 16.42|Pending rollout|
-|Metadata collection|At least 16.0.13328|At least 2.42|At least 16.0.13328|At least 16.42|Publicly available|
-|Customer engagement|At least 16.0.13328|At least 2.42|At least 16.0.13426|At least 16.42|Pending rollout|
+|In-product feedback|At least Version 2010|At least 2.42|At least 16.0.13328|At least 16.42|Publicly available|
+|In-product surveys|At least Version 2010|At least 2.42|At least 16.0.13426|At least 16.42|Pending rollout|
+|Metadata collection|At least Version 2010|At least 2.42|At least 16.0.13328|At least 16.42|Publicly available|
+|Customer engagement|At least Version 2010|At least 2.42|At least 16.0.13426|At least 16.42|Pending rollout|
## Specific policies you can configure
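Review bot: The Win32 cells on the four added rows now say "At least Version 2010", but the column heading is still "Build #", the sentence above the table still says "minimum build number", and the Android and Mac cells keep build-style values such as 16.0.13328. Either show the build number next to the version name in the Win32 cells, or change the heading and intro to "minimum version", so an admin comparing a client against this table knows which identifier to check.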
Your devices must be on a minimum build number to use these policies. See the ta
## Configure policies
-1. Go to [https://config.office.com](https://config.office.com) and login.
-1. Select **Customization** then **Policy Management**.
-1. Select **Create**.
-1. Enter **name** and **description**.
-1. Choose the Azure Active directory groups that you want to configure.
-1. Search for **Feedback** and **Survey**.
-1. For each policy listed, set the value you want.
-
-For more information, see [Overview of the Office cloud policy service](/deployoffice/overview-office-cloud-policy-service).
+To configure these policy settings, you can use the Office cloud policy service. For more information, see [Overview of the Office cloud policy service](/deployoffice/overview-office-cloud-policy-service). You can search for "feedback" or "survey" within the Office cloud policy service UI to find the policy settings to configure them.
These policy settings are also available if you use Group Policy. To use these policy settings, download at least version 5146.1000 of the [Administrative Template files (ADMX/ADML)](https://www.microsoft.com/download/details.aspx?id=49030), released on March 22, 2021.
-You can find these policy settings under User Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 -> Privacy -> Trust Center.
+You can find these policy settings under User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Privacy\Trust Center.
> [!NOTE] > It takes a few hours for the client applications to update.
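Review bot: The paragraph that replaces the numbered list under "Configure policies" no longer says that the policy configuration is scoped to Azure Active Directory groups, which the removed step "Choose the Azure Active directory groups that you want to configure" covered. Scoping decides which users actually receive the feedback and survey settings, so keep one sentence about it or state that the linked overview covers it. The tail of the new sentence, "to find the policy settings to configure them", can be shortened to "to find these policy settings".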
admin Azure Ad Setup Guides https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/azure-ad-setup-guides.md
description: "Learn about setup guides for Azure Active Directory."
# Azure Active Directory setup guides
-Azure Active Directory (Azure AD) features help you manage and secure your organization. These setup guides will help you integrate those features in a simple way. In the following sections, weΓÇÖll give a brief description of the setup guides and share links to the guides.
+Azure Active Directory (Azure AD) features help you manage and secure your organization. These setup guides will help you integrate those features in a simple way. In the following sections, weΓÇÖll briefly describe the setup guides and share links to the guides.
## Who are these setup guides for?
The setup guides help you configure the core functionality of Azure AD. If you n
### Required permissions
-You must be a member of the following administrator roles:
+You must be a member of the following administrative roles:
- Global administrator: allows you to use integrated tools in the setup guides to make changes in your Microsoft 365 organization. - Global reader: allows you to view the setup guides but not make changes in your tenant.
+## Identity security for Teams
+
+Azure Active Directory (Azure AD) is our cloud-based identity and access management service, which helps your employees sign in and access apps and services.
+This catalog contains some basic security features you can use to ensure your users are safe and have the most productive time using Teams.
+
+### Licensing
+
+An Azure Active Directory P2 license is required to utilize the security features in this catalog.
+
+[Open the Identity security for Teams catalog](https://aka.ms/teamsidentity)
+ ## Azure Active Directory deployment The Azure Active Directory setup guide will help you set up the most common Azure AD features in a recommended order. The setup guide is split into three sections: **Initial**, **Core**, and **Advanced**. Each section recommends a set of features you should turn on.
The setup guides contain a checklist of the tasks you need to complete and you c
## Add or sync users to your Microsoft account
-This guide helps you get your user accounts setup in Azure and Microsoft 365. Based on your environment and needs, you can choose to add users individually, migrate your on-premises directory with Azure AD cloud sync or Azure AD Connect, or troubleshoot existing sync issues.
+This guide helps you set up user accounts setup in Azure and Microsoft 365. Based on your environment and needs, you can choose to add users individually, migrate your on-premises directory with Azure AD cloud sync or Azure AD Connect, or troubleshoot existing sync issues.
+
+### Licensing
+
+Using Azure Active Directory sync tools is free and included with all Microsoft 365 subscriptions.
[Open the Add or Sync users setup guide](https://go.microsoft.com/fwlink/?linkid=2183349).
+## Add a cloud app to Microsoft 365
+
+This guide is designed to help you add cloud apps to Microsoft 365. In our guide, you can add an application to your tenant, add users to the app, assign roles, and more. If the app supports Single Sign-On (SSO), weΓÇÖll walk you through that configuration as well.
+ ### Licensing
-Using Azure Active Directory sync tools is free and included with all Microsoft 365 subscriptions.
+Every paid subscription to Microsoft 365 comes with a free subscription to Azure AD. You can use Azure AD to manage your apps and create and manage user and group accounts.
+
+[Open the Add a cloud app to Microsoft 365 setup guide](https://aka.ms/AzureAppSetup)
## Azure Self-Service password reset (SSPR) guide
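Review bot: The rewritten opening sentence under "Add or sync users to your Microsoft account" reads "helps you set up user accounts setup in Azure and Microsoft 365", which repeats the word; drop the trailing "setup". In the same hunk, the added "Open the Add a cloud app to Microsoft 365 setup guide" link has no closing period while the existing "Open the Add or Sync users setup guide" link does; pick one style for the link lines.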
SSPR requires one of the following licenses:
## Multi-factor authentication (MFA)
-This guide provides the current MFA status and helps IT admins select the best MFA option that meets their org's requirements. Then we assist with configuring and enforcing the selected MFA method for the org.
+This guide provides the current MFA status and helps IT admins select the best MFA option that meets their organization's requirements. Then we assist with configuring and enforcing the selected MFA method for the org.
### Licensing
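Review bot: The changed line under "Multi-factor authentication (MFA)" expands "org's" to "organization's" in the first sentence, but the second sentence of the same line still ends with "for the org." Expand that one too so the paragraph uses a single term.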
Conditional Access requires an Azure Active Directory P1 or P2 license, security
[Open the multi-factor authentication (MFA) guide](https://go.microsoft.com/fwlink/?linkid=2183506)
-### The passwordless setup guide
+## The passwordless setup guide
The passwordless setup guide is designed to help you determine the best passwordless method for your environment. The methods include security keys, Windows Hello for Business, and the Microsoft Authenticator app. If the recommendation is Windows Hello for Business, there's a section to guide you through the different options. The guide asks you questions to help you craft a step-by-step plan.
+### Licensing
+
+Every paid subscription to Microsoft 365 comes with a free subscription to Azure AD. You can use Azure AD to manage your apps and create and manage user and group accounts.
+ [Open the passwordless setup guide](https://go.microsoft.com/fwlink/?linkid=2183427).
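Review bot: The "Licensing" paragraph added under "The passwordless setup guide" is the same text that was added under "Add a cloud app to Microsoft 365" and talks about managing apps and user and group accounts, not about the methods this section lists (security keys, Windows Hello for Business, the Microsoft Authenticator app). State what license, if any, those methods need, in the way the MFA section does for Conditional Access, or say plainly that no additional license is required.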
admin Gdpr Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/gdpr-compliance.md
that they are not accessible by unauthorized persons.
If you choose to store personal data in the cloud, such as through Microsoft 365, you have security features such as the ability to help you to manage permissions to files and folders, centralized secure locations to save your files (OneDrive or SharePoint document libraries), and data encryption when sending or retrieving your files. #### Microsoft 365 features that can help
-You can use [Set up DLP features](set-up-compliance.md#watch-set-up-dlp-features) to help to protect your business's sensitive information. You can [set up a DLP policy](/microsoft-365/compliance/create-a-dlp-policy-from-a-template) that uses the [GDPR template](/microsoft-365/compliance/what-the-dlp-policy-templates-include#general-data-protection-regulation-gdpr).
+
+You can use [Set up compliance features](set-up-compliance.md) to help to protect your business's sensitive information. Compliance Manager can help you get started right away! For example, you can [set up a DLP policy](/microsoft-365/compliance/create-a-dlp-policy-from-a-template) that uses the [GDPR template](/microsoft-365/compliance/what-the-dlp-policy-templates-include#general-data-protection-regulation-gdpr).
### Step 5: Keep documentation on your data processing activities
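Review bot: The added sentence "Compliance Manager can help you get started right away!" names Compliance Manager without a link or any description, and its exclamation mark does not match the tone of the surrounding step. Fold it into the previous sentence with a link to where Compliance Manager is explained, or remove it. The carried-over phrase "to help to protect" can be tightened to "to help protect" while this line is being edited.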
admin Set Up Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/set-up-compliance.md
Title: "Increase threat protection for Microsoft 365 Business Premium" f1.keywords: - NOCSH--++ audience: Admin
description: "Set up compliance features to prevent data loss and help keep your
# Set up compliance features
-Your Microsoft 365 Business Premium comes with features to protect your data and devices, and help you keep your and your customers' sensitive information secure.
+Your Microsoft 365 Business Premium subscription includes compliance and privacy features. These capabilities help protect your company's data, and to help you keep your and your customers' sensitive information secure. This article is designed to help you get started with your compliance features.
-## Watch: Set up DLP features
+## Before you begin
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3TGvL?autoplay=false]
+Make sure you have one of the following roles assigned in Azure Active Directory:
-Data loss prevention policies help identify and protect your business's sensitive information, such as Social Security numbers or medical records.
+- Global Administrator
+- Compliance Administrator
-1. To get started, go to the [admin center](https://admin.microsoft.com), and select **Setup**.
-1. Scroll down to **Set up data loss prevention**, and then select **View**, and then **Manage**.
-1. To edit a policy, select it, choose **Edit policy**, then select what to change. For example, select **Locations** to change what gets scanned.
-1. To create a new policy, select **Create a policy**.
-1. You can create a custom policy or start with a template. For example, to create a HIPAA policy, select the **Medical and health** template, and then select **U.S. Health Insurance Act (HIPAA)**. Select **Next**.
-1. Review your settings, and select **Create**. After your policy takes effect, email that contains the described sensitive information is blocked, and the sender who attempted to send that information sees a warning message.
+To learn more, see [Get started with the roles page](../add-users/admin-roles-page.md).
-See [Create a DLP policy from a template](../../compliance/create-a-dlp-policy-from-a-template.md) for an example on how to set up a policy to protect against protect loss of personal data.
-
-DLP comes with many ready-to-use policy templates for many different locales. For example, Australia Financial Data, Canada Personal Information Act, U.S. Financial Data, and so on. See [What the DLP policy templates include](../../compliance/what-the-dlp-policy-templates-include.md) for a full list. All of these templates can be enabled similar to the PII template example.
-
-## Set up email retention with Exchange Online Archiving
+## Use Compliance Manager to get started
- **Exchange Online Archiving** license features help maintain compliance and regulatory standards by preserving email content for eDiscovery. It also helps reduce your risk if there is a lawsuit, and provides a way to recover data after a security breach or when you need to recover deleted items. You can use litigation hold to preserve all of a user's content, or use retention policies to customize what you want to preserve.
-
-**Litigation hold:** You can preserve all mailbox content including deleted items by putting a user's entire mailbox on litigation hold.
-
-To place a mailbox on litigation hold, in the Admin center:
-
-1. In the left nav, go to **Users** \> **Active users**.
-
-2. Select a user whose mailbox you want to place on litigation hold. In the user pane, expand **Mail settings**, and next to **More settings**, choose **Edit Exchange properties**.
-
-3. On the mailbox page for the user, choose ** mailbox features ** on the left nav, and then choose the **Enable** link under **Litigation hold**.
-
-4. In the **litigation hold** dialog box, you can specify the litigation hold duration in the **Litigation hold duration** field. Leave the field empty if you want to place an infinite hold. You can also add notes and direct the mailbox owner to a website you might have to explain more about the litigation hold. \> **Save**.
-
-**Retention:** You can enable customized retention policies, for example, to preserve for a specific amount of time or delete content permanently at the end of the retention period. To learn more, see [Overview of retention policies](../../compliance/retention.md).
-## Watch: Set up Sensitivity labels
+Microsoft 365 Business Premium includes Compliance Manager, which can help you get started setting up your compliance features. Such features include data loss prevention, information governance, and insider risk management, to name a few. Compliance Manager can save you time by highlighting recommendations, a compliance score, and ways to improve your score.
-Sensitivity labels come with Azure Information Protection (AIP) Plan 1, and help you classify, and optionally protect your documents and emails, by applying labels. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or by using a combination where users are given recommendations.
+Here's how to get started:
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3VRGT?autoplay=false]
+1. Go to [https://compliance.microsoft.com](https://compliance.microsoft.com) and sign in.
-1. In the [admin center](https://admin.microsoft.com), select the **Compliance** admin center.
-1. Select **Classification**, and then **Sensitivity labels**.
-1. Select **Create a label**, and when the warning appears, select **Yes**.
-1. Review your settings, and select **Create**. Your label has been created. Repeat this process for any additional labels you want.
-1. By default, labels appear in Office apps in this order: **Confidential**, **Internal**, and **Public**. To change the order, for each label, select the three dots (more actions), and then move the label up or down. Typically, permissions are listed from the lowest to highest level of permissions.
-1. Review your settings, then select **Publish**.
+2. In the navigation pane, choose **Compliance Manager**.
-For your labels to work, each user needs to download the Azure Information Protection unified labeling client. Search the web for **AzinfoProtection_UL.exe**, then download it from the Microsoft Download Center, and run it on your users' computers.
+3. On the **Overview** tab, review the information. Select an item or link to view more information, or to take actions, such as configuring a data loss prevention (DLP) policy. For example, in the **Solutions that affect your score** section, you might select the link in the **Remaining actions** column.
-The next time you open an Office app like Word, you'll see the sensitivity labels that were created. To change or apply a label, select Sensitivity, and choose a label.
+ :::image type="content" source="../../business-premium/media/m365bp-compliancesolutions.png" alt-text="Screenshot of Solutions That Affect Your Score pane.":::
-### Install the Azure Information Protection client manually
+ That action takes you to the **Improvement actions** tab, which is filtered for the item you selected. In this example we're looking at DLP policies to configure.
-To manually install the AIP client:
+ :::image type="content" source="../../business-premium/media/m365bp-dlppoliciestoconfigure.png" alt-text="Screenshot of DLP policies to configure.":::
-1. Download **AzinfoProtection_UL.exe** from [Microsoft download center](https://www.microsoft.com/download/details.aspx?id=53018).
-
-2. You can verify that the installation worked by viewing a Word document and making sure that the **Sensitivity** option is available on the **Home** tab.
-<br/>![Protection tab drop-down in a Word document.](../../media/word-sensitivity.png)
+4. On the **Improvement actions** tab, select an item. In our example, we've selected **Create customized DLP policies or personally identifiable information**. A page loads that provides more information about the policy to configure.
-For more information, see [Install the client](/azure/information-protection/infoprotect-tutorial-step3).
+ :::image type="content" source="../../business-premium/media/m365bp-dlppolicyinfo.png" alt-text="Screenshot of information about DLP policy for customer content.":::
+
+ Follow the information on the screen to set up your DLP policy.
+
+For more information about compliance features in Microsoft 365 for business, see [Microsoft 365 compliance documentation](../../compliance/index.yml).
+
+## Use sensitivity labels
+
+Sensitivity labels are available in Office apps (such as Outlook, Word, Excel, and PowerPoint). Examples of labels include:
+
+- Normal
+- Personal
+- Private
+- Confidential
+
+However, you can define other labels for your company as well.
+
+Use the following articles to get started with sensitivity labels:
+
+1. [What are sensitivity labels?](../../compliance/sensitivity-labels.md)
+
+2. [Get started creating your sensitivity labels](../../compliance/get-started-with-sensitivity-labels.md)
+
+3. [Publish sensitivity labels and their policies](../../compliance/create-sensitivity-labels.md)
+
+4. [Show people in your company how to use sensitivity labels](https://support.microsoft.com/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9)
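Review bot: The removal of "Set up email retention with Exchange Online Archiving" takes out the litigation hold procedure and the pointer to the retention overview, and none of the added lines say where that guidance now lives. Since the new Compliance Manager section already lists information governance among the features, add a link there to the retention and litigation hold articles so readers who relied on this page can still find them. Separately, in the new intro, "These capabilities help protect your company's data, and to help you keep your and your customers' sensitive information secure" is not parallel; "help protect your company's data and keep your and your customers' sensitive information secure" reads cleanly.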
admin Set Up Windows Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/set-up-windows-devices.md
Title: "Set up Windows devices for Microsoft 365 Business Premium users" f1.keywords: - CSH--++ audience: Admin
description: "Set up Windows devices running Windows 10 Pro for Microsoft 365 Bu
## Before you begin
-Before you can set up Windows devices for Microsoft 365 Business Premium users, make sure all the Windows devices are running Windows 10 Pro, version 1703 (Creators Update). Windows 10 Pro is a prerequisite for deploying Windows 10 Business, which is a set of cloud services and device management capabilities that complement Windows 10 Pro and enable the centralized management and security controls of Microsoft 365 Business Premium.
-
-If you have Windows devices running Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro, your Microsoft 365 Business Premium subscription entitles you to a Windows 10 upgrade.
-
-For more information on how to upgrade Windows devices to Windows 10 Pro Creators Update, follow the steps in this topic: [Upgrade Windows devices to Windows Pro Creators Update](../../business-video/upgrade.md).
-
-See [Verify the device is connected to Azure AD](#verify-the-device-is-connected-to-azure-ad) to verify you have the upgrade, or to make sure the upgrade worked.
+Before you can set up Windows devices for Microsoft 365 Business Premium users, make sure all the Windows devices are running Windows 10 Pro, version 1703 (Creators Update) or Windows 11 Pro.
-## Watch: Connect your PC to Microsoft 365 Business
+Windows 10 Pro (or Windows 11 Pro) is a prerequisite for deploying Windows 10 Business, which is a set of cloud services and device management capabilities that complement Windows 10 Pro and Windows 11 Pro, and enable the centralized management and security controls of Microsoft 365 Business Premium.
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3yXh3]
+[Learn more about requirements for Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium?activetab=pivot:techspecstab).
-If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](../../business-video/index.yml).
-
-## Join Windows 10 devices to your organization's Azure AD
+## Windows 10 Pro and Windows 11 Pro
-When all Windows devices in your organization have either been upgraded to Windows 10 Pro Creators Update or are already running Windows 10 Pro Creators Update, you can join these devices to your organization's Azure Active Directory. Once the devices are joined, they'll be automatically upgraded to Windows 10 Business, which is part of your Microsoft 365 Business Premium subscription.
+If you have Windows devices running previous versions of Windows, such as Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro, your Microsoft 365 Business Premium subscription entitles you to upgrade those devices to Windows 10 Pro or Windows 11 Pro.
-### For a brand new, or newly upgraded, Windows 10 Pro device
+For more information on how to upgrade Windows devices, see the following articles:
-For a brand new device running Windows 10 Pro Creators Update, or for a device that was upgraded to Windows 10 Pro Creators Update but has not gone through Windows 10 device setup, follow these steps.
+- [Upgrade Windows Home to Windows Pro](https://support.microsoft.com/windows/upgrade-windows-home-to-windows-pro-ef34d520-e73f-3198-c525-d1a218cc2818)
+- [Upgrade to Windows 10 Pro](https://support.microsoft.com/windows/upgrade-to-windows-10-pro-71ecc746-0f81-a4c0-bd4b-0db8559e0796)
-1. Go through Windows 10 device setup until you get to the **How would you like to set up?** page.
-
- ![On the How would you like to set up page, choose Set up for an organization.](../../media/1b0b2dba-00bb-4a99-a729-441479220cb7.png)
-
-2. Here, choose **Set up for an organization** and then enter your username and password for Microsoft 365 Business Premium.
-
-3. Finish Windows 10 device setup.
-
- Once you're done, the user will be connected to your organization's Azure AD. See [Verify the device is connected to Azure AD](#verify-the-device-is-connected-to-azure-ad) to make sure.
-
-### For a device already set up and running Windows 10 Pro
+After you have upgraded, see [Verify the device is connected to Azure AD](#verify-the-device-is-connected-to-azure-ad) to verify you have the upgrade, or to make sure the upgrade worked.
- **Connect users to Azure AD:**
-
-1. In your user's Windows PC, that is running Windows 10 Pro, version 1703 (Creators Update) (see [pre-requisites](../security-and-compliance/pre-requisites-for-data-protection.md), click the Windows logo, and then the Settings icon.
-
- ![In the Start menu, click Windows Settings icon.](../../media/74e1ce9a-1554-4761-beb9-330b176e9b9d.png)
-
-2. In **Settings**, go to **Accounts**.
-
- ![In Windows Settings, go to Accounts.](../../media/472fd688-d111-4788-9fbb-56a00fbdc24d.png)
-
-3. On **Your info** page, click **Access work or school** \> **Connect**.
-
- ![Choose Connect under Access work or school.](../../media/af3a4e3f-f9b9-4969-b3e2-4ef99308090c.png)
-
-4. On the **Set up a work or school account** dialog, under **Alternate actions**, choose **Join this device to Azure Active Directory**.
-
- ![Click Join this device to Azure Active Directory.](../../media/fb709a1b-05a9-4750-9cb9-e097f4412cba.png)
-
-5. On the **Let's get you signed in** page, enter your work or school account \> **Next**.
-
- On the **Enter password** page, enter your password \> **Sign in**.
-
- ![Enter your work or school email on the Let's get you signed in page.](../../media/f70eb148-b1d2-4ba3-be38-7317eaf0321a.png)
-
-6. On the **Make sure this is your organization** page, verify that the information is correct, and choose **Join**.
-
- On the **You're all set!** page, choose **Done**.
-
- ![On the Make sure this is your organization screen, choose Join.](../../media/c749c0a2-5191-4347-a451-c062682aa1fb.png)
+## Join Windows devices to your organization's Azure AD
+
+When all your company's Windows devices are running Windows 10 Pro or Windows 11 Pro, you can join these devices to your organization's Azure Active Directory (Azure AD).
+
+1. On a Windows device, select the Windows logo, and then the Settings icon.
-If you uploaded files to OneDrive for Business, sync them back down. If you used a third-party tool to migrate profile and files, also sync those to the new profile.
+2. In **Settings**, go to **Accounts** > **Access work or school** \> **Connect**.
+3. Type your email address, and then choose **Next**.
+
+4. Follow the prompts to complete the process.
+ ## Verify the device is connected to Azure AD To verify your sync status, on the **Access work or school** page in **Settings**, select the **Connected to** _ \<organization name\> _ area to expose the buttons **Info** and **Disconnect**. Choose **Info** to get your synchronization status.
-On the **Sync status** page, choose **Sync** to get the latest mobile device management policies onto the PC.
-
-To start using the Microsoft 365 Business Premium account, go to the Windows **Start** button, right-click your current account picture, and then **Switch account**. Sign in by using your organization email and password.
-
-![Click Info button to view synchronization status.](../../media/818f7043-adbf-402a-844a-59d50034911d.png)
-
-## Verify the PC is upgraded to Windows 10 Business
-
-Verify that your Azure AD joined Windows 10 devices are upgraded to Windows 10 Business as part of your Microsoft 365 Business Premium subscription.
-
-1. Go to **Settings** \> **System** \> **About**.
-
-2. Confirm that the **Edition** shows **Windows 10 Business**.
-
- ![Verify that Windows edition is Windows 10 Business.](../../media/ff660fc8-d3ba-431b-89a5-f5abded96c4d.png)
+On the **Sync status** page, choose **Sync** to get the latest mobile device management policies onto the PC.
## Next steps
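Review bot: The new steps under "Join Windows devices to your organization's Azure AD" go from **Connect** straight to "Type your email address", while the removed procedure had the user choose **Join this device to Azure Active Directory** under **Alternate actions** before signing in. Confirm that the shortened path still produces an Azure AD join rather than only adding a work or school account, and if it does not, restore that step. Two smaller points: step 2 mixes an unescaped ">" with "\>", and the sentence "to verify you have the upgrade, or to make sure the upgrade worked" now links to a section that only shows sync status, because "Verify the PC is upgraded to Windows 10 Business" is removed in this change.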
business-premium M365bp Increase Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-increase-protection.md
Title: "Increase threat protection for Microsoft 365 Business Premium" f1.keywords: - NOCSH---+++ audience: Admin
description: "Get help with increasing the level of protection in Microsoft 365
# Increase threat protection for Microsoft 365 Business Premium
-This article helps you increase the protection in your Microsoft 365 subscription to protect against phishing, malware, and other threats. These recommendations are appropriate for organizations with an increased need for security, like political campaigns, law offices, and health care clinics.
+In this objective, you increase your threat protection with Microsoft 365 Business Premium. It's critical to protect the org against phishing, malware, and other threats. These recommendations are especially appropriate for political campaigns, law offices, and health care clinics, which have an increased need for security.
-Before you begin, check your Microsoft Secure Score. Microsoft Secure Score analyzes your organization's security based on your regular activities and security settings and assigns a score. Begin by taking note of your current score. Taking the actions recommended in this article increases your score. The goal isn't to achieve the max score, but to be aware of opportunities to protect your environment that don't negatively affect productivity for your users.
+## Start with Secure Score
+
+Microsoft Secure Score analyzes your organization's security based on your regular activities and security settings and assigns a score. Take note of your current score and then take the recommended actions in this article to increase your score. The goal is to always be aware of and try to improve your score.
For more information, see [Microsoft Secure Score](../security/defender/microsoft-secure-score.md).
+## Review and apply preset security policies
+
+Your subscription includes [preset security policies](../security/office-365-security/preset-security-policies.md) that use recommended settings for anti-spam, anti-malware, and anti-phishing protection. By default, built-in protection is enabled; consider applying standard or strict protection for increased security.
+
+Preset security policies consist of:
+
+- Profiles, which determine the level of protection
+- Policies (such as anti-spam, anti-malware, anti-phishing, Safe Attachments, and Safe Links)
+- Policy settings (such as groups, users, or domains to receive the policies and any exceptions)
+
+The following table summarizes the levels of protection and preset policy types.
+
+| Level of protection | Description |
+|:|:|
+| **Standard protection** <br/>(*recommended for most businesses*) | Standard protection uses a baseline profile that's suitable for most users <br/><br/>It includes anti-spam, anti-malware, anti-phishing, spoof settings, impersonation settings, Safe Links, and Safe Attachments policies. |
+| **Strict protection** | Strict protection includes the same kinds of policies as standard protection, but with more stringent settings. If your business must meet additional security requirements or regulations, consider applying strict protection to your priority users or high value targets. |
+| **Built-in protection** | Protects against malicious links and attachments in email. Enabled and applied to all users by default. |
+
+You can specify the users, groups, and domains to receive preset policies, and you can define certain exceptions, but you cannot change preset policies themselves.
+
+You can also create your own security policies for custom settings to suit your company's needs.
++++
+<!--https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide
++ ## Raise the level of protection against malware in mail Your Office 365 or Microsoft 365 environment includes protection against malware, but you can increase this protection by blocking attachments with file types that are commonly used for malware. To bump up malware protection in email:
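Review bot: In the new "Start with Secure Score" section, "The goal is to always be aware of and try to improve your score" drops the caveat from the removed paragraph that the goal is not the maximum score but finding protections that do not negatively affect productivity. Keep that qualification so admins do not read the score as a target to maximize regardless of impact. Also, the "<!--" added just before "Raise the level of protection against malware in mail" hides that section with an HTML comment instead of deleting it; if preset security policies replace that guidance, delete the old text rather than leaving it in the source, and check that the table delimiter row "|:|:|" renders as a table.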
If you don't see the **Setup** page with cards in your tenant yet, see how to co
3. On the **Increase protection from advanced threats** page, choose **Get started**. 4. On the pane that opens, select the check boxes next to **Links and attachments in email**, **Scan files in SharePoint, OneDrive, and Teams**, and **Scan links in Office desktop and Office Online apps** under **Scan items for malicious content**.-
+
Under **Links and attachments in email**, Type in All Users, or the specific users whose email you want scanned. ![Select all check boxes in Increase protection from advanced threats.](../media/setatp.png)
To create a new policy targeted to all recipients in your domain:
For more information, see [Safe Links in Defender for Office 365](../security/office-365-security/safe-links.md).
+-->
+ ## Turn on the Unified Audit Log After you turn on the audit log search in the Security & Compliance Center, you can retain the admin and other user activity in the log and search it.
To change the sharing settings for OneDrive and SharePoint:
![Choose Specific people and set link expiration to 14 days.](../media/anyonelinks.png) + ## Activity alerts You can use activity alerts to track admin and user activities and detect malware and data loss prevention incidents in your organization. Your subscription includes a set of default policies, but you can also create custom ones. For more information, see [alert policies](../compliance/alert-policies.md). For example, if you store an important file in SharePoint that you don't want anyone to share externally, you can create a notification that alerts you if someone does share it.
You can prevent people in your organization from sharing their calendars, or you
![Screenshot of calendar free/busy sharing with anyone.](../media/sharefreebusy.png) If your users are allowed to share their calendars, see [these instructions](https://support.office.com/article/7ecef8ae-139c-40d9-bae2-a23977ee58d5) for how to share from Outlook on the web.+
compliance Device Onboarding Macos Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-macos-overview.md
MacOS devices can be onboarded into Microsoft 365 compliance solutions using eit
**Applies to:** -- [Microsoft 365 Endpoint data loss prevention (DLP)](./endpoint-dlp-learn-about.md)
+- [Endpoint data loss prevention (DLP)](./endpoint-dlp-learn-about.md)
- [Insider risk management](insider-risk-management.md#learn-about-insider-risk-management-in-microsoft-365) ## Before you begin Before you get started with Endpoint DLP on macOS devices (Catalina 10.15 or later), you should familiarize yourself with these articles: -- [Learn about Microsoft 365 Endpoint data loss prevention](endpoint-dlp-learn-about.md#learn-about-microsoft-365-endpoint-data-loss-prevention)
+- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md#learn-about-microsoft-365-endpoint-data-loss-prevention)
- [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md#get-started-with-endpoint-data-loss-prevention) If you are not familiar with DLP at all, you should familiarize yourself with these articles as well:
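Review bot: The renamed link "Learn about Endpoint data loss prevention" still targets the anchor `#learn-about-microsoft-365-endpoint-data-loss-prevention`. If the heading in endpoint-dlp-learn-about.md is being renamed in the same pass, this anchor stops resolving; confirm the target heading or drop the fragment and link to the article itself.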
When you want to onboard devices that haven't been onboarded yet, you'll downloa
> [!NOTE] > While it usually takes about 60 seconds for device onboarding to be enabled, please allow up to 30 minutes before engaging with Microsoft support.
-2. Open the Compliance Center settings page and choose **Onboard devices**.
-
- > [!div class="mx-imgBorder"]
- > ![enable device management.](../media/endpoint-dlp-learn-about-1-enable-device-management.png)
+2. Open the Compliance Center settings page and choose **Turn on macOS device monitoring**.
## Next steps
compliance Device Onboarding Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-overview.md
description: "Onboard Windows 10 and Windows 11 devices into Microsoft 365"
**Applies to:** -- [Microsoft 365 Endpoint data loss prevention (DLP)](./endpoint-dlp-learn-about.md)
+- [Endpoint data loss prevention (DLP)](./endpoint-dlp-learn-about.md)
- [Insider risk management](insider-risk-management.md#learn-about-insider-risk-management-in-microsoft-365)
-Microsoft 365 Endpoint data loss prevention (Endpoint DLP) and insider risk management require that Windows 10 Windows and Windows 11 devices be onboarded into the service so that they can send monitoring data to the services.
+Endpoint data loss prevention (Endpoint DLP) and insider risk management require that Windows 10 Windows and Windows 11 devices be onboarded into the service so that they can send monitoring data to the services.
-Microsoft 365 Endpoint DLP allows you to monitor Windows 10 or Windows 11 devices and detect when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they are used and protected properly, and to help prevent risky behavior that might compromise them. For more information about all of MicrosoftΓÇÖs DLP offerings, see [Learn about data loss prevention](dlp-learn-about-dlp.md). To learn more about Endpoint DLP, see [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md).
+Endpoint DLP allows you to monitor Windows 10 or Windows 11 devices and detect when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they are used and protected properly, and to help prevent risky behavior that might compromise them. For more information about all of MicrosoftΓÇÖs DLP offerings, see [Learn about data loss prevention](dlp-learn-about-dlp.md). To learn more about Endpoint DLP, see [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md).
Insider risk management uses the full breadth of service and 3rd-party indicators to help you quickly identify, triage, and act on risky user activity. By using logs from Microsoft 365 and Microsoft Graph, insider risk management allows you to define specific policies to identify risk indicators and to take action to mitigate these risks. For more information, see [Learn about insider risk management in Microsoft 365](insider-risk-management.md#learn-about-insider-risk-management-in-microsoft-365).
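Review bot: The added sentence "require that Windows 10 Windows and Windows 11 devices be onboarded" carries over the stray "Windows" from the removed line. Since the line is being rewritten anyway, make it "Windows 10 and Windows 11 devices". The same sentence uses "the service" and then "the services" for what looks like the same thing; pick one.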
In this deployment scenario, you'll onboard Windows 10 or Windows 11 devices tha
> [!NOTE] > While it usually takes about 60 seconds for device onboarding to be enabled, please allow up to 30 minutes before engaging with Microsoft support.
-2. Open the Compliance Center settings page and choose **Onboard devices**.
-
- > [!div class="mx-imgBorder"]
- > ![enable device management.](../media/endpoint-dlp-learn-about-1-enable-device-management.png)
+2. Open the Compliance Center settings page and choose **Turn on Windows device monitoring**.
3. Choose **Device management** to open the **Devices** list.
lighthouse M365 Lighthouse Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-troubleshoot.md
This article describes error messages and problems that you might encounter whil
**Cause:** Your customer tenants don't meet the following criteria:
- - Must have delegated (DAP) set up for the Managed Service Provider (MSP) to be able to manage the customer tenaant*
+ - Must have delegated (DAP) set up for the Managed Service Provider (MSP) to be able to manage the customer tenant*
- Must have at least one Microsoft 365 Business Premium, Microsoft 365 E3 license, or Windows 365 Business license - Must have no more than 1000 licensed users 
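Review bot: The corrected bullet still reads "Must have delegated (DAP) set up", which is missing the noun the acronym abbreviates; spell it out as "delegated admin privileges (DAP)" while the line is open. The trailing asterisk after "tenant" has no matching footnote in the visible lines, so either add the footnote text next to the list or remove the marker.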
lighthouse M365 Lighthouse Win365 Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-win365-page-overview.md
For more information about Windows 365, see [What is Windows 365?](/windows-365/
> [!IMPORTANT] > You must go to [MEM](https://go.microsoft.com/fwlink/p/?linkid=2150463) to provision Cloud PCs for each customer tenant before you can manage them in Lighthouse. You can't provision from within Lighthouse.
-Once you've provisioned Cloud PCs for your customer tenant, the Windows 365 card on the Microsoft 365 Home page provides a brief alert on the Cloud PCs in need of action, such as the number of Cloud PCs that failed to provision and on-premises network connection failures. To get a detailed status, select the button on the Windows 365 card (or select **Windows 365** in the left navigation pane) to open the Windows 365 page. From this page, you can get a status overview of the Cloud PCs assigned to your customer tenants, view a list of all the Cloud PCs you manage and the tenants they're assigned to, and view the on-premises network connections between your customer tenants and Azure Active Directory (Azure AD) and their status.
+Once you've provisioned Cloud PCs for your customer tenant, the Windows 365 card on the Microsoft 365 Home page provides a brief alert on the Cloud PCs in need of action, such as the number of Cloud PCs that failed to provision and Azure network connection failures. To get a detailed status, select the button on the Windows 365 card (or select **Windows 365** in the left navigation pane) to open the Windows 365 page. From this page, you can get a status overview of the Cloud PCs assigned to your customer tenants, view a list of all the Cloud PCs you manage and the tenants they're assigned to, and view the Azure network connections between your customer tenants and Azure Active Directory (Azure AD) and their status.
## Overview tab
-On the Overview tab, the colored count-annotation bar displays the total number of Cloud PCs or on-premises network connections across all your customer tenants that have the following statuses: Failed network connections, Not provisioned, Provisioning failed, and Deprovisioning soon.
+On the Overview tab, the colored count-annotation bar displays the total number of Cloud PCs or Azure network connections across all your customer tenants that have the following statuses: Failed network connections, Not provisioned, Provisioning failed, and Deprovisioning soon.
You can see a breakdown of Cloud PC statuses for each customer tenant in the list below the annotation bar. To see which tenants have Cloud PCs with a specific status, select that status from the count-annotation bar to filter the list. To see Cloud PC statuses for one or more specific customer tenants, use the **Tenants** dropdown menu to filter the list.
-To get detailed status information for a particular customer tenant, select a value under any of the status columns for that tenant. Depending on which column the value is in, the **On-premises network connections** or **All cloud PCs** tab will open and show more information.
+To get detailed status information for a particular customer tenant, select a value under any of the status columns for that tenant. Depending on which column the value is in, the **Azure network connections** or **All cloud PCs** tab will open and show more information.
The Overview tab also includes the following options:
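Review bot: In the added sentence about detailed status, the tab is written "**All cloud PCs**", but the section heading and the rest of the article use "All Cloud PCs". Match the UI label casing so readers can find the tab. Also check the first added paragraph: "Azure network connections between your customer tenants and Azure Active Directory (Azure AD)" was a plain find-and-replace of "on-premises network connections" and may no longer describe what the connection links.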
The Overview tab also includes the following options:
- **Export:** Select to export Cloud PC data to an Excel comma-separated values (.csv) file. - **Search:** Enter keywords to quickly locate a specific Cloud PC in the list. ## All Cloud PCs tab
The All Cloud PCs tab also includes the following options:
To see a complete list of Cloud PC provisioning statuses and what they mean, see [Device management overview for Cloud PCs](/windows-365/enterprise/device-management-overview#column-details) in the Windows 365 documentation library.
-## On-premises network connections tab
+## Azure network connections tab
-On the On-premises network connections tab, the colored count-annotation bar displays the total number of on-premises network connections across all your customer tenants that have the following statuses: Successful connections and Failed connections.
+On the Azure network connections tab, the colored count-annotation bar displays the total number of Azure network connections across all your customer tenants that have the following statuses: Successful connections and Failed connections.
-In the list below the count-annotation bar, you can view all on-premises network connections and their connection status.
+In the list below the count-annotation bar, you can view all Azure network connections and their connection status.
To see connections with a specific provisioning status, select that status from the count-annotation bar to filter the list. To see connection statuses for one or more specific customer tenants, use the **Tenants** dropdown menu to filter the list. If you need to take action or troubleshoot a connection in the list, select **View connection details in Microsoft Endpoint Manager**.
-The On-premises network connections tab also includes the following options:
+The Azure network connections tab also includes the following options:
- **Refresh:** Select to retrieve the most current connection data. - **Export:** Select to export connection data to an Excel comma-separated values (.csv) file. - **Search:** Enter keywords to quickly locate a specific connection. ## Related content
security High Risk Delivery Pool For Outbound Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/high-risk-delivery-pool-for-outbound-messages.md
ms.prod: m365-security
Email servers in the Microsoft 365 datacenters might be temporarily guilty of sending spam. For example, a malware or malicious spam attack in an on-premises email organization that sends outbound mail through Microsoft 365, or compromised Microsoft 365 accounts. Attackers also try to avoid detection by relaying messages through Microsoft 365 forwarding.
-These scenarios can result in the IP address of the affected Microsoft 365 datacenter servers appearing on third-party blocklists. Destination email organizations that use these blocklists will reject email from those messages sources.
+These scenarios can result in the IP address of the affected Microsoft 365 datacenter servers appearing on third-party blocklists. Destination email organizations that use these blocklists will reject email from those Microsoft 365 messages sources.
## High-risk delivery pool
-To prevent this, all outbound messages from Microsoft 365 datacenter servers that's determined to be spam or that exceeds the sending limits of [the service](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-across-office-365-options) or [outbound spam policies](configure-the-outbound-spam-policy.md) are sent through the _high-risk delivery pool_.
+
+To prevent our IP addresses from being blocked, all outbound messages from Microsoft 365 datacenter servers that are determined to be spam are sent through the _high-risk delivery pool_.
The high risk delivery pool is a separate IP address pool for outbound email that's only used to send "low quality" messages (for example, spam and [backscatter](backscatter-messages-and-eop.md). Using the high risk delivery pool helps prevent the normal IP address pool for outbound email from sending spam. The normal IP address pool for outbound email maintains the reputation sending "high quality" messages, which reduces the likelihood that these IP address will appear on IP blocklists.
For more information, see [Control outbound spam](outbound-spam-controls.md).
> [!NOTE] > Messages where the source email domain has no A record and no MX record defined in public DNS are always routed through the high-risk delivery pool, regardless of their spam or sending limit disposition.
+>
+> Messages that exceed the following limits are blocked, so they aren't sent through the high-risk delivery pool:
+>
+> - The [sending limits of the service](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-across-office-365-options).
+> - [Outbound spam policies](configure-the-outbound-spam-policy.md) where the senders are restricted from sending mail.
### Bounce messages
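Review bot: The lines added to the note say that messages exceeding the service sending limits or restricted by outbound spam policies are blocked and never reach the high-risk delivery pool, but the unchanged first sentence of the same note still says messages without A and MX records are routed there "regardless of their spam or sending limit disposition". Reword that sentence so it does not imply that sending limits affect pool routing. In the first added line, "those Microsoft 365 messages sources" should be "those Microsoft 365 message sources". The unchanged paragraph after the new intro has an unclosed parenthesis after the backscatter link.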
Possible causes for a surge in NDRs include:
All of these issues can result in a sudden increase in the number of NDRs being processed by the service. Many times, these NDRs appear to be spam to other email servers and services (also known as _[backscatter](backscatter-messages-and-eop.md)_). - ### Relay pool Messages that are forwarded or relayed via Microsoft 365 in certain scenarios will be sent using a special relay pool, because the destination should not consider Microsoft 365 as the actual sender. It's important for us to isolate this email traffic, because there are legitimate and invalid scenarios for auto forwarding or relaying email out of Microsoft 365. Similar to the high-risk delivery pool, a separate IP address pool is used for relayed mail. This address pool is not published because it can change often, and it's not part of published SPF record for Microsoft 365. Microsoft 365 needs to verify that the original sender is legitimate so we can confidently deliver the forwarded message.
-The forwarded/relayed message should meet one of the following criteria to avoid using the relay pool:
+The forwarded or relayed message should meet one of the following criteria to avoid using the relay pool:
- The outbound sender is in an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains). - SPF passes when the message comes to Microsoft 365. - DKIM on the sender domain passes when the message comes to Microsoft 365.
-
+ You can tell that a message was sent via the relay pool by looking at the outbound server IP (the relay pool will be in the 40.95.0.0/16 range), or by looking at the outbound server name (will have "rly" in the name). In cases where we can authenticate the sender, we use Sender Rewriting Scheme (SRS) to help the recipient email system know that the forwarded message is from a trusted source. You can read more about how that works and what you can do to help make sure the sending domain passes authentication in [Sender Rewriting Scheme (SRS) in Office 365](/office365/troubleshoot/antispam/sender-rewriting-scheme).
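Review bot: The touched paragraph tells readers to recognise relay pool traffic by the 40.95.0.0/16 range, while the paragraph just above says the relay pool addresses are not published because they can change often. State whether the range is stable enough for recipients to build allow or detection rules on, or present it only as a troubleshooting hint alongside the "rly" server name. Minor: "not part of published SPF record" needs "the".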
For DKIM to work, make sure you enable DKIM for sending domain. For example, fab
To add a custom domains follow the steps in [Add a domain to Microsoft 365](../../admin/setup/add-domain.md). If the MX record for your domain points to a third party service or an on-premises email server, you should use [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors). Enhanced Filtering ensures SPF validation is correct for inbound mail and will avoid sending email through the relay pool.-
security Permissions In The Security And Compliance Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center.md
To see how to grant access to the Security & Compliance Center, check out [Give
|||| |**Attack Simulation Administrators**|Don't use this role group in the Security & Compliance Center. Use the corresponding role in Azure AD.|Attack Simulator Admin| |**Attack Simulator Payload Authors**|Don't use this role group in the Security & Compliance Center. Use the corresponding role in Azure AD.|Attack Simulator Payload Author|
-|**Communication Compliance**|Provides permission to all the communication compliance roles: administrator, analyst, investigator, and viewer.|Case Management <p> Communication Compliance Admin <p> Communication Compliance Analysis <p> Communication Compliance Case Management <p> Communication Compliance Investigation <p> Communication Compliance Viewer <p> Data Classification Feedback Provider <p> Data Connector Admin <p> View-Only Case|
-|**Communication Compliance Administrators**|Administrators of communication compliance that can create/edit policies and define global settings.|Communication Compliance Admin <p> Communication Compliance Case Management <p> Data Connector Admin|
-|**Communication Compliance Analysts**|Analysts of communication compliance that can investigate policy matches, view message meta data, and take remediation actions.|Communication Compliance Analysis <p> Communication Compliance Case Management|
-|**Communication Compliance Investigators**|Analysts of communication compliance that can investigate policy matches, view message content, and take remediation actions.|Case Management <p> Communication Compliance Analysis <p> Communication Compliance Case Management <p> Communication Compliance Investigation <p> Data Classification Feedback Provider <p> View-Only Case|
-|**Communication Compliance Viewers**|Viewer of communication compliance that can access the available reports and widgets.|Communication Compliance Case Management <p> Communication Compliance Viewer|
-|**Compliance Administrator**<sup>1</sup>|Members can manage settings for device management, data loss prevention, reports, and preservation.|Case Management <p> Communication Compliance Admin <p> Communication Compliance Case Management <p> Compliance Administrator <p> Compliance Search <p> Data Classification Feedback Provider <p> Data Classification Feedback Reviewer <p> Data Connector Admin <p> Data Investigation Management <p> Device Management <p> Disposition Management <p> DLP Compliance Management <p> Hold <p> IB Compliance Management <p> Information Protection Admin <p> Information Protection Analyst <p> Information Protection Investigator <p> Information Protection Reader <p> Insider Risk Management Admin <p> Manage Alerts <p> Organization Configuration <p> RecordManagement <p> Retention Management <p> View-Only Audit Logs <p> View-Only Case <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|
-|**Compliance Data Administrator**|Members can manage settings for device management, data protection, data loss prevention, reports, and preservation.|Compliance Administrator <p> Compliance Search <p> Data Connector Admin <p> Device Management <p> Disposition Management <p> DLP Compliance Management <p> IB Compliance Management <p> Information Protection Admin <p> Information Protection Analyst <p> Information Protection Investigator <p> Information Protection Reader <p> Manage Alerts <p> Organization Configuration <p> RecordManagement <p> Retention Management <p> Sensitivity Label Administrator <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|
-|**Compliance Manager Administrators**|Manage template creation and modification.|Compliance Manager Administration <p> Compliance Manager Assessment <p> Compliance Manager Contribution <p> Compliance Manager Reader <p> Data Connector Admin|
-|**Compliance Manager Assessors**|Create assessments, implement improvement actions, and update test status for improvement actions.|Compliance Manager Assessment <p> Compliance Manager Contribution <p> Compliance Manager Reader <p> Data Connector Admin|
-|**Compliance Manager Contributors**|Create assessments and perform work to implement improvement actions.|Compliance Manager Contribution <p> Compliance Manager Reader <p> Data Connector Admin|
+|**Communication Compliance**|Provides permission to all the communication compliance roles: administrator, analyst, investigator, and viewer.|Case Management <p><p> Communication Compliance Admin <p> Communication Compliance Analysis <p> Communication Compliance Case Management <p> Communication Compliance Investigation <p> Communication Compliance Viewer <p> Data Classification Feedback Provider <p> Data Connector Admin <p> View-Only Case|
+|**Communication Compliance Administrators**|Administrators of communication compliance that can create/edit policies and define global settings.|Communication Compliance Admin <p><p> Communication Compliance Case Management <p> Data Connector Admin|
+|**Communication Compliance Analysts**|Analysts of communication compliance that can investigate policy matches, view message meta data, and take remediation actions.|Communication Compliance Analysis <p><p> Communication Compliance Case Management|
+|**Communication Compliance Investigators**|Analysts of communication compliance that can investigate policy matches, view message content, and take remediation actions.|Case Management <p><p> Communication Compliance Analysis <p> Communication Compliance Case Management <p> Communication Compliance Investigation <p> Data Classification Feedback Provider <p> View-Only Case|
+|**Communication Compliance Viewers**|Viewer of communication compliance that can access the available reports and widgets.|Communication Compliance Case Management <p><p> Communication Compliance Viewer|
+|**Compliance Administrator**<sup>1</sup>|Members can manage settings for device management, data loss prevention, reports, and preservation.|Case Management <p><p> Communication Compliance Admin <p> Communication Compliance Case Management <p> Compliance Administrator <p> Compliance Search <p> Data Classification Feedback Provider <p> Data Classification Feedback Reviewer <p> Data Connector Admin <p> Data Investigation Management <p> Device Management <p> Disposition Management <p> DLP Compliance Management <p> Hold <p> IB Compliance Management <p> Information Protection Admin <p> Information Protection Analyst <p> Information Protection Investigator <p> Information Protection Reader <p> Insider Risk Management Admin <p> Manage Alerts <p> Organization Configuration <p> RecordManagement <p> Retention Management <p> View-Only Audit Logs <p> View-Only Case <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|
+|**Compliance Data Administrator**|Members can manage settings for device management, data protection, data loss prevention, reports, and preservation.|Compliance Administrator <p><p> Compliance Search <p> Data Connector Admin <p> Device Management <p> Disposition Management <p> DLP Compliance Management <p> IB Compliance Management <p> Information Protection Admin <p> Information Protection Analyst <p> Information Protection Investigator <p> Information Protection Reader <p> Manage Alerts <p> Organization Configuration <p> RecordManagement <p> Retention Management <p> Sensitivity Label Administrator <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|
+|**Compliance Manager Administrators**|Manage template creation and modification.|Compliance Manager Administration <p><p> Compliance Manager Assessment <p> Compliance Manager Contribution <p> Compliance Manager Reader <p> Data Connector Admin|
+|**Compliance Manager Assessors**|Create assessments, implement improvement actions, and update test status for improvement actions.|Compliance Manager Assessment <p><p> Compliance Manager Contribution <p> Compliance Manager Reader <p> Data Connector Admin|
+|**Compliance Manager Contributors**|Create assessments and perform work to implement improvement actions.|Compliance Manager Contribution <p><p> Compliance Manager Reader <p> Data Connector Admin|
|**Compliance Manager Readers**|View all Compliance Manager content except for administrator functions.|Compliance Manager Reader| |**Content Explorer Content Viewer**|View the contents files in Content explorer.|Data Classification Content Viewer| |**Content Explorer List Viewer**|View all items in Content explorer in list format only.|Data Classification List Viewer|
-|**Data Investigator**|Perform searches on mailboxes, SharePoint Online sites, and OneDrive for Business locations.|Communication <p> Compliance Search <p> Custodian <p> Data Investigation Management <p> Export <p> Preview <p> Review <p> RMS Decrypt <p> Search And Purge|
-|**eDiscovery Manager**|Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in Advanced eDiscovery. <p> An eDiscovery Administrator is a member of the eDiscovery Manager role group who has been assigned additional permissions. In addition to the tasks that an eDiscovery Manager can perform, an eDiscovery Administrator can:<ul><li>View all eDiscovery cases in the organization.</li><li>Manage any eDiscovery case after they add themselves as a member of the case.</li></ul> <p> The primary difference between an eDiscovery Manager and an eDiscovery Administrator is that an eDiscovery Administrator can access all cases that are listed on the **eDiscovery cases** page in the Security & Compliance Center. An eDiscovery manager can only access the cases they created or cases they are a member of. For more information about making a user an eDiscovery Administrator, see [Assign eDiscovery permissions in the Security & Compliance Center](../../compliance/assign-ediscovery-permissions.md).|Case Management <p> Communication <p> Compliance Search <p> Custodian <p> Export <p> Hold <p> Preview <p> Review <p> RMS Decrypt|
-|**Global Reader**|Members have read-only access to reports, alerts, and can see all the configuration and settings.<p> The primary difference between Global Reader and Security Reader is that a Global Reader can access **configuration and settings**.|Security Reader <p> Sensitivity Label Reader <p> Service Assurance View <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|
-|**Information Protection**|Full control over all information protection features, including sensitivity labels and their policies, DLP, all classifier types, activity and content explorers, and all related reports.|Data Classification Content Viewer <p> Information Protection Admin <p> Information Protection Analyst <p> Information Protection Investigator <p> Information Protection Reader|
+|**Data Investigator**|Perform searches on mailboxes, SharePoint Online sites, and OneDrive for Business locations.|Communication <p><p> Compliance Search <p> Custodian <p> Data Investigation Management <p> Export <p> Preview <p> Review <p> RMS Decrypt <p> Search And Purge|
+|**eDiscovery Manager**|Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in Advanced eDiscovery. <p> An eDiscovery Administrator is a member of the eDiscovery Manager role group who has been assigned additional permissions. In addition to the tasks that an eDiscovery Manager can perform, an eDiscovery Administrator can:<ul><li>View all eDiscovery cases in the organization.</li><li>Manage any eDiscovery case after they add themselves as a member of the case.</li></ul> <p> The primary difference between an eDiscovery Manager and an eDiscovery Administrator is that an eDiscovery Administrator can access all cases that are listed on the **eDiscovery cases** page in the Security & Compliance Center. An eDiscovery manager can only access the cases they created or cases they are a member of. For more information about making a user an eDiscovery Administrator, see [Assign eDiscovery permissions in the Security & Compliance Center](../../compliance/assign-ediscovery-permissions.md).|Case Management <p><p> Communication <p> Compliance Search <p> Custodian <p> Export <p> Hold <p> Preview <p> Review <p> RMS Decrypt|
+|**Global Reader**|Members have read-only access to reports, alerts, and can see all the configuration and settings. <p> The primary difference between Global Reader and Security Reader is that a Global Reader can access **configuration and settings**.|Security Reader <p><p> Sensitivity Label Reader <p> Service Assurance View <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|
+|**Information Protection**|Full control over all information protection features, including sensitivity labels and their policies, DLP, all classifier types, activity and content explorers, and all related reports.|Data Classification Content Viewer <p><p> Information Protection Admin <p> Information Protection Analyst <p> Information Protection Investigator <p> Information Protection Reader|
|**Information Protection Admins**|Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies.|Information Protection Admin|
-|**Information Protection Analysts**|Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Data Classification List Viewer <p> Information Protection Analyst|
-|**Information Protection Investigators**|Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Data Classification Content Viewer <p> Information Protection Analyst <p> Information Protection Investigator|
+|**Information Protection Analysts**|Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Data Classification List Viewer <p><p> Information Protection Analyst|
+|**Information Protection Investigators**|Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Data Classification Content Viewer <p><p> Information Protection Analyst <p> Information Protection Investigator|
|**Information Protection Readers**|View-only access to reports for DLP polcies and sensitivity labels and their policies.|Information Protection Reader|
-|**Insider Risk Management**|Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users.|Case Management <p> Data Connector Admin <p> Insider Risk Management Admin <p> Insider Risk Management Analysis <p> Insider Risk Management Audit <p> Insider Risk Management Investigation <p> Insider Risk Management Sessions <p> View-Only Case|
-|**Insider Risk Management Admins**|Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can create, read, update, and delete insider risk management policies, global settings, and role group assignments.|Case Management <p> Data Connector Admin <p> Insider Risk Management Admin <p> View-Only Case|
-|**Insider Risk Management Analysts**|Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access all insider risk management alerts, cases, and notices templates. They cannot access the insider risk Content Explorer.|Case Management <p> Insider Risk Management Analysis <p> View-Only Case|
+|**Insider Risk Management**|Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users.|Case Management <p><p> Data Connector Admin <p> Insider Risk Management Admin <p> Insider Risk Management Analysis <p> Insider Risk Management Audit <p> Insider Risk Management Investigation <p> Insider Risk Management Sessions <p> View-Only Case|
+|**Insider Risk Management Admins**|Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can create, read, update, and delete insider risk management policies, global settings, and role group assignments.|Case Management <p><p> Data Connector Admin <p> Insider Risk Management Admin <p> View-Only Case|
+|**Insider Risk Management Analysts**|Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access all insider risk management alerts, cases, and notices templates. They cannot access the insider risk Content Explorer.|Case Management <p><p> Insider Risk Management Analysis <p> View-Only Case|
|**Insider Risk Management Auditors**|Use this group to assign permissions to users that will audit insider risk management activities. Users in this role group can access the insider risk audit log.|Insider Risk Management Audit|
-|**Insider Risk Management Investigators**|Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases.|Case Management <p> Insider Risk Management Investigation <p> View-Only Case|
+|**Insider Risk Management Investigators**|Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases.|Case Management <p><p> Insider Risk Management Investigation <p> View-Only Case|
|**Insider Risk Management Session Approvers**|Manage group modification requests for session recording.|Insider Risk Management Sessions|
-|**IRM Contributors**|This role group is visible, but is used by background services only.|Insider Risk Management Permanent contribution <p> Insider Risk Management Temporary contribution|
+|**IRM Contributors**|This role group is visible, but is used by background services only.|Insider Risk Management Permanent contribution <p><p> Insider Risk Management Temporary contribution|
|**Knowledge Administrators**|Configure knowledge, learning, assign trainings and other intelligent features.|Knowledge Admin| |**MailFlow Administrator**|Members can monitor and view mail flow insights and reports in the Security & Compliance Center. Global admins can add ordinary users to this group, but, if the user isn't a member of the Exchange Admin group, the user will not have access to Exchange admin-related tasks.|View-Only Recipients|
-|**Organization Management**<sup>1</sup>|Members can control permissions for accessing features in the Security & Compliance Center, and also manage settings for device management, data loss prevention, reports, and preservation. <p> Users who are not global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). <p> Global admins are automatically added as members of this role group, but you won't see them in the output of the [Get-RoleGroupMember](/powershell/module/exchange/get-rolegroupmember) cmdlet in [Security & Compliance Center PowerShell](/powershell/module/exchange/get-rolegroupmember).|Audit Logs <p> Case Management <p> Communication Compliance Admin <p> Communication Compliance Case Management <p> Compliance Administrator <p> Compliance Search <p> Data Connector Admin <p> Device Management <p> DLP Compliance Management <p> Hold <p> IB Compliance Management <p> Insider Risk Management Admin <p> Manage Alerts <p> Organization Configuration <p> Quarantine <p> RecordManagement <p> Retention Management <p> Role Management <p> Search And Purge <p> Security Administrator <p> Security Reader <p> Sensitivity Label Administrator <p> Sensitivity Label Reader <p> Service Assurance View <p> Tag Contributor <p> Tag Manager <p> Tag Reader <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Case <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|
-|**Privacy Management**|Manage access control for Priva in the Microsoft 365 compliance center.|Case Management <p> Data Classification Content Viewer <p> Data Classification List Viewer <p> Privacy Management Admin <p> Privacy Management Analysis <p> Privacy Management Investigation <p> Privacy Management Permanent contribution <p> Privacy Management Temporary contribution <p> Privacy Management Viewer <p> Subject Rights Request Admin <p> View-Only Case|
-|**Privacy Management Administrators**|Administrators of privacy management solution that can create/edit policies and define global settings.|Case Management <p> Privacy Management Admin <p> View-Only Case|
-|**Privacy Management Analysts**|Analysts of privacy management solution that can investigate policy matches, view messages meta data, and take remediation actions.|Case Management <p> Data Classification List Viewer <p> Privacy Management Analysis <p> View-Only Case|
-|**Privacy Management Contributors**|Manage contributor access for privacy management cases.|Privacy Management Permanent contribution <p> Privacy Management Temporary contribution|
-|**Privacy Management Investigators**|Investigators of privacy management solution that can investigate policy matches, view message content, and take remediation actions.|Case Management <p> Data Classification Content Viewer <p> Data Classification List Viewer <p> Privacy Management Investigation <p> View-Only Case|
-|**Privacy Management Viewers**|Viewer of privacy management solution that can access the available dashboards and widgets.|Data Classification List Viewer <p> Privacy Management Viewer|
+|**Organization Management**<sup>1</sup>|Members can control permissions for accessing features in the Security & Compliance Center, and also manage settings for device management, data loss prevention, reports, and preservation. <p> Users who are not global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). <p> Global admins are automatically added as members of this role group, but you won't see them in the output of the [Get-RoleGroupMember](/powershell/module/exchange/get-rolegroupmember) cmdlet in [Security & Compliance Center PowerShell](/powershell/module/exchange/get-rolegroupmember).|Audit Logs <p><p> Case Management <p> Communication Compliance Admin <p> Communication Compliance Case Management <p> Compliance Administrator <p> Compliance Search <p> Data Connector Admin <p> Device Management <p> DLP Compliance Management <p> Hold <p> IB Compliance Management <p> Insider Risk Management Admin <p> Manage Alerts <p> Organization Configuration <p> Quarantine <p> RecordManagement <p> Retention Management <p> Role Management <p> Search And Purge <p> Security Administrator <p> Security Reader <p> Sensitivity Label Administrator <p> Sensitivity Label Reader <p> Service Assurance View <p> Tag Contributor <p> Tag Manager <p> Tag Reader <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Case <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|
+|**Privacy Management**|Manage access control for Priva in the Microsoft 365 compliance center.|Case Management <p><p> Data Classification Content Viewer <p> Data Classification List Viewer <p> Privacy Management Admin <p> Privacy Management Analysis <p> Privacy Management Investigation <p> Privacy Management Permanent contribution <p> Privacy Management Temporary contribution <p> Privacy Management Viewer <p> Subject Rights Request Admin <p> View-Only Case|
+|**Privacy Management Administrators**|Administrators of privacy management solution that can create/edit policies and define global settings.|Case Management <p><p> Privacy Management Admin <p> View-Only Case|
+|**Privacy Management Analysts**|Analysts of privacy management solution that can investigate policy matches, view messages meta data, and take remediation actions.|Case Management <p><p> Data Classification List Viewer <p> Privacy Management Analysis <p> View-Only Case|
+|**Privacy Management Contributors**|Manage contributor access for privacy management cases.|Privacy Management Permanent contribution <p><p> Privacy Management Temporary contribution|
+|**Privacy Management Investigators**|Investigators of privacy management solution that can investigate policy matches, view message content, and take remediation actions.|Case Management <p><p> Data Classification Content Viewer <p> Data Classification List Viewer <p> Privacy Management Investigation <p> View-Only Case|
+|**Privacy Management Viewers**|Viewer of privacy management solution that can access the available dashboards and widgets.|Data Classification List Viewer <p><p> Privacy Management Viewer|
|**Quarantine Administrator**|Members can access all Quarantine actions. For more information, see [Manage quarantined messages and files as an admin in EOP](manage-quarantined-messages-and-files.md)|Quarantine|
-|**Records Management**|Members can configure all aspects of records management, including retention labels and disposition reviews.|Disposition Management <p> RecordManagement <p> Retention Management|
+|**Records Management**|Members can configure all aspects of records management, including retention labels and disposition reviews.|Disposition Management <p><p> RecordManagement <p> Retention Management|
|**Reviewer**|Members can access review sets in [Advanced eDiscovery](../../compliance/overview-ediscovery-20.md) cases. Members of this role group can see and open the list of cases on the **eDiscovery > Advanced** page in the Microsoft 365 compliance center that they're members of. After the user accesses an Advanced eDiscovery case, they can select **Review sets** to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Members of this role group can only access the data in a review set.|Review|
-|**Security Administrator**|Members have access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. <p> By default, this role group may not appear to have any members. However, the Security Administrator role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Azure Active Directory. <p> To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services. <p> This role group includes all of the read-only permissions of the Security reader role, plus a number of additional administrative permissions for the same
-|**Security Operator**|Members can manage security alerts, and also view reports and settings of security features.|Compliance Search <p> Manage Alerts <p> Security Reader <p> Tag Contributor <p> Tag Reader <p> Tenant AllowBlockList Manager <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts|
-|**Security Reader**|Members have read-only access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. <p> By default, this role group may not appear to have any members. However, the Security Reader role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Azure Active Directory. <p> To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services.|Security Reader <p> Sensitivity Label Reader <p> Tag Reader <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts|
+|**Security Administrator**|Members have access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. <p> By default, this role group may not appear to have any members. However, the Security Administrator role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Azure Active Directory. <p> To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services. <p> This role group includes all of the read-only permissions of the Security reader role, plus a number of additional administrative permissions for the same
+|**Security Operator**|Members can manage security alerts, and also view reports and settings of security features.|Compliance Search <p><p> Manage Alerts <p> Security Reader <p> Tag Contributor <p> Tag Reader <p> Tenant AllowBlockList Manager <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts|
+|**Security Reader**|Members have read-only access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. <p> By default, this role group may not appear to have any members. However, the Security Reader role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Azure Active Directory. <p> To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services.|Security Reader <p><p> Sensitivity Label Reader <p> Tag Reader <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts|
|**Service Assurance User**|Members can access the Service assurance section in the Security & Compliance Center. Service assurance provides reports and documents that describe Microsoft's security practices for customer data that's stored in Microsoft 365. It also provides independent third-party audit reports on Microsoft 365. For more information, see [Service assurance in the Security & Compliance Center](../../compliance/service-assurance.md).|Service Assurance View|
-|**Subject Rights Request Administrators**|Create subject rights requests.|Case Management <p> Subject Rights Request Admin <p> View-Only Case|
+|**Subject Rights Request Administrators**|Create subject rights requests.|Case Management <p><p> Subject Rights Request Admin <p> View-Only Case|
|**Supervisory Review**|Members can create and manage the policies that define which communications are subject to review in an organization. For more information, see [Configure communication compliance policies for your organization](../../compliance/communication-compliance-configure.md).|Supervisory Review Administrator| > [!NOTE]
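Review bot: The rewritten rows in this table double only the first separator in the roles column (for example `Case Management <p><p> Data Connector Admin`) and leave every later separator as a single `<p>`. Nothing in the visible lines explains the difference. If the doubled tag works around a rendering problem with the first entry, say so in the commit message. Otherwise use one separator form throughout, because the mixed form is easy to undo by accident in a later edit. Two items in text this change leaves untouched are worth fixing in the same pass. The **Information Protection Readers** context row still reads "DLP polcies". In the **Organization Management** row, the links labelled Get-RoleGroupMember and Security & Compliance Center PowerShell both point to `/powershell/module/exchange/get-rolegroupmember`. That row also states that global admins do not appear in the cmdlet's output, so anyone auditing membership of this role group will follow those links and the second one should lead to the right article.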
Note that the following roles aren't assigned to the Organization Management rol
|||| |**Attack Simulator Admin**|Don't use this role in the Security & Compliance Center. Use the corresponding role in Azure AD.|Attack Simulator Administrators| |**Attack Simulator Payload Author**|Don't use this role in the Security & Compliance Center. Use the corresponding role in Azure AD.|Attack Simulator Payload Authors|
-|**Audit Logs**|Turn on and configure auditing for the organization, view the organization's audit reports, and then export these reports to a file.|Organization Management <p> Security Administrator|
-|**Case Management**|Create, edit, delete, and control access to eDiscovery cases.|Communication Compliance <p> Communication Compliance Investigators <p> Compliance Administrator <p>eDiscovery Manager <p> Insider Risk Management <p> Insider Risk Management Admins <p> Insider Risk Management Analysts <p> Insider Risk Management Investigators <p> Organization Management <p> Privacy Management <p> Privacy Management Administrators <p> Privacy Management Analysts <p> Privacy Management Investigators <p> Subject Rights Request Administrators|
-|**Communication**|Manage all communications with the custodians identified in an Advanced eDiscovery case. Create hold notifications, hold reminders, and escalations to management. Track custodian acknowledgment of hold notifications and manage access to the custodian portal that is used by each custodian in a case to track communications for the cases where they were identified as a custodian.|Data Investigator <p> eDiscovery Manager|
-|**Communication Compliance Admin**|Used to manage policies in the Communication Compliance feature.|Communication Compliance <p> Communication Compliance Administrators <p> Compliance Administrator <p> Organization Management|
-|**Communication Compliance Analysis**|Used to perform investigation, remediation of the message violations in the Communication Compliance feature. Can only view message meta data.|Communication Compliance <p> Communication Compliance Analysts <p> Communication Compliance Investigators|
-|**Communication Compliance Case Management**|Used to access Communication Compliance cases.|Communication Compliance <p> Communication Compliance Administrators <p> Communication Compliance Analysts <p> Communication Compliance Investigators <p> Communication Compliance Viewers <p> Compliance Administrator <p> Organization Management|
-|**Communication Compliance Investigation**|Used to perform investigation, remediation, and review message violations in the Communication Compliance feature. Can view message meta data and message.|Communication Compliance <p> Communication Compliance Investigators|
-|**Communication Compliance Viewer**|Used to access reports and widgets in the Communication Compliance feature.|Communication Compliance <p> Communication Compliance Viewers|
-|**Compliance Administrator**|View and edit settings and reports for compliance features.|Compliance Administrator <p> Compliance Data Administrator <p> Organization Management|
+|**Audit Logs**|Turn on and configure auditing for the organization, view the organization's audit reports, and then export these reports to a file.|Organization Management <p><p> Security Administrator|
+|**Case Management**|Create, edit, delete, and control access to eDiscovery cases.|Communication Compliance <p><p> Communication Compliance Investigators <p> Compliance Administrator <p> eDiscovery Manager <p> Insider Risk Management <p> Insider Risk Management Admins <p> Insider Risk Management Analysts <p> Insider Risk Management Investigators <p> Organization Management <p> Privacy Management <p> Privacy Management Administrators <p> Privacy Management Analysts <p> Privacy Management Investigators <p> Subject Rights Request Administrators|
+|**Communication**|Manage all communications with the custodians identified in an Advanced eDiscovery case. Create hold notifications, hold reminders, and escalations to management. Track custodian acknowledgment of hold notifications and manage access to the custodian portal that is used by each custodian in a case to track communications for the cases where they were identified as a custodian.|Data Investigator <p><p> eDiscovery Manager|
+|**Communication Compliance Admin**|Used to manage policies in the Communication Compliance feature.|Communication Compliance <p><p> Communication Compliance Administrators <p> Compliance Administrator <p> Organization Management|
+|**Communication Compliance Analysis**|Used to perform investigation, remediation of the message violations in the Communication Compliance feature. Can only view message meta data.|Communication Compliance <p><p> Communication Compliance Analysts <p> Communication Compliance Investigators|
+|**Communication Compliance Case Management**|Used to access Communication Compliance cases.|Communication Compliance <p><p> Communication Compliance Administrators <p> Communication Compliance Analysts <p> Communication Compliance Investigators <p> Communication Compliance Viewers <p> Compliance Administrator <p> Organization Management|
+|**Communication Compliance Investigation**|Used to perform investigation, remediation, and review message violations in the Communication Compliance feature. Can view message meta data and message.|Communication Compliance <p><p> Communication Compliance Investigators|
+|**Communication Compliance Viewer**|Used to access reports and widgets in the Communication Compliance feature.|Communication Compliance <p><p> Communication Compliance Viewers|
+|**Compliance Administrator**|View and edit settings and reports for compliance features.|Compliance Administrator <p><p> Compliance Data Administrator <p> Organization Management|
|**Compliance Manager Administration**|Manage template creation and modification.|Compliance Manager Administrators|
-|**Compliance Manager Assessment**|Create assessments, implement improvement actions, and update test status for improvement actions.|Compliance Manager Administrators <p> Compliance Manager Assessors|
-|**Compliance Manager Contribution**|Create assessments and perform work to implement improvement actions.|Compliance Manager Administrators <p> Compliance Manager Assessors <p> Compliance Manager Contributors|
-|**Compliance Manager Reader**|View all Compliance Manager content except for administrator functions.|Compliance Manager Administrators <p> Compliance Manager Assessors <p> Compliance Manager Contributors <p> Compliance Manager Readers|
-|**Compliance Search**|Perform searches across mailboxes and get an estimate of the results.|Compliance Administrator <p> Compliance Data Administrator <p> Data Investigator <p> eDiscovery Manager <p> Organization Management <p> Security Operator|
-|**Custodian**|Identify and manage custodians for Advanced eDiscovery cases and use the information from Azure Active Directory and other sources to find data sources associated with custodians. Associate other data sources such as mailboxes, SharePoint sites, and Teams with custodians in a case. Place a legal hold on the data sources associated with custodians to preserve content in the context of a case.|Data Investigator <p> eDiscovery Manager|
-|**Data Classification Content Viewer**|View in-place rendering of files in Content explorer.|Content Explorer Content Viewer <p> Information Protection <p> Information Protection Investigators <p> Privacy Management <p> Privacy Management Investigators|
-|**Data Classification Feedback Provider**|Allows providing feedback to classifiers in content explorer.|Communication Compliance <p> Communication Compliance Investigators <p> Compliance Administrator|
+|**Compliance Manager Assessment**|Create assessments, implement improvement actions, and update test status for improvement actions.|Compliance Manager Administrators <p><p> Compliance Manager Assessors|
+|**Compliance Manager Contribution**|Create assessments and perform work to implement improvement actions.|Compliance Manager Administrators <p><p> Compliance Manager Assessors <p> Compliance Manager Contributors|
+|**Compliance Manager Reader**|View all Compliance Manager content except for administrator functions.|Compliance Manager Administrators <p><p> Compliance Manager Assessors <p> Compliance Manager Contributors <p> Compliance Manager Readers|
+|**Compliance Search**|Perform searches across mailboxes and get an estimate of the results.|Compliance Administrator <p><p> Compliance Data Administrator <p> Data Investigator <p> eDiscovery Manager <p> Organization Management <p> Security Operator|
+|**Custodian**|Identify and manage custodians for Advanced eDiscovery cases and use the information from Azure Active Directory and other sources to find data sources associated with custodians. Associate other data sources such as mailboxes, SharePoint sites, and Teams with custodians in a case. Place a legal hold on the data sources associated with custodians to preserve content in the context of a case.|Data Investigator <p><p> eDiscovery Manager|
+|**Data Classification Content Viewer**|View in-place rendering of files in Content explorer.|Content Explorer Content Viewer <p><p> Information Protection <p> Information Protection Investigators <p> Privacy Management <p> Privacy Management Investigators|
+|**Data Classification Feedback Provider**|Allows providing feedback to classifiers in content explorer.|Communication Compliance <p><p> Communication Compliance Investigators <p> Compliance Administrator|
|**Data Classification Feedback Reviewer**|Allows reviewing feedback from classifiers in feedback explorer.|Compliance Administrator|
-|**Data Classification List Viewer**|View the list of files in content explorer.|Content Explorer List Viewer <p> Information Protection Analysts <p> Privacy Management <p> Privacy Management Analysts <p> Privacy Management Investigators <p> Privacy Management Viewers|
-|**Data Connector Admin**|Create and manage connectors to import and archive non-Microsoft data in Microsoft 365.|Communication Compliance <p> Communication Compliance Administrators <p> Compliance Administrator <p> Compliance Data Administrator <p> Compliance Manager Administrators <p> Compliance Manager Assessors <p> Compliance Manager Contributors <p> Insider Risk Management <p> Insider Risk Management Admins <p> Organization Management|
-|**Data Investigation Management**|Create, edit, delete, and control access to data investigation.|Compliance Administrator <p> Data Investigator|
-|**Device Management**|View and edit settings and reports for device management features.|Compliance Administrator <p> Compliance Data Administrator <p> Organization Management <p> Security Administrator|
-|**Disposition Management**|Control permissions for accessing Manual Disposition in the Security & Compliance Center.|Compliance Administrator <p> Compliance Data Administrator <p> Records Management|
-|**DLP Compliance Management**|View and edit settings and reports for data loss prevention (DLP) policies.|Compliance Administrator <p> Compliance Data Administrator <p> Organization Management <p> Security Administrator|
-|**Export**|Export mailbox and site content that's returned from searches.|Data Investigator <p> eDiscovery Manager|
-|**Hold**|Place content in mailboxes, sites, and public folders on hold. When on hold, a copy of the content is stored in a secure location. Content owners will still be able to modify or delete the original content.|Compliance Administrator <p>eDiscovery Manager <p> Organization Management|
-|**IB Compliance Management**|View, create, remove, modify, and test Information Barrier policies.|Compliance Administrator <p> Compliance Data Administrator <p> Organization Management <p> Security Administrator|
-|**Information Protection Admin**| Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies.|Compliance Administrator <p> Compliance Data Administrator <p> Information Protection <p> Information Protection Admins|
-|**Information Protection Analyst**|Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Compliance Administrator <p> Compliance Data Administrator <p> Information Protection <p> Information Protection Analysts <p> Information Protection Investigators|
-|**Information Protection Investigator**|Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Compliance Administrator <p> Compliance Data Administrator <p> Information Protection <p> Information Protection Investigators|
-|**Information Protection Reader**|View-only access to reports for DLP policies and sensitivity labels and their policies.|Compliance Administrator <p> Compliance Data Administrator <p> Information Protection <p> Information Protection Readers|
-|**Insider Risk Management Admin**|Create, edit, delete, and control access to Insider Risk Management feature.|Compliance Administrator <p> Insider Risk Management <p> Insider Risk Management Admins <p> Organization Management|
-|**Insider Risk Management Analysis**|Access all insider risk management alerts, cases, and notices templates.|Insider Risk Management <p> Insider Risk Management Analysts|
-|**Insider Risk Management Audit**|Allow viewing Insider Risk audit trails.|Insider Risk Management <p> Insider Risk Management Auditors|
-|**Insider Risk Management Investigation**|Access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases.|Insider Risk Management <p> Insider Risk Management Investigators|
+|**Data Classification List Viewer**|View the list of files in content explorer.|Content Explorer List Viewer <p><p> Information Protection Analysts <p> Privacy Management <p> Privacy Management Analysts <p> Privacy Management Investigators <p> Privacy Management Viewers|
+|**Data Connector Admin**|Create and manage connectors to import and archive non-Microsoft data in Microsoft 365.|Communication Compliance <p><p> Communication Compliance Administrators <p> Compliance Administrator <p> Compliance Data Administrator <p> Compliance Manager Administrators <p> Compliance Manager Assessors <p> Compliance Manager Contributors <p> Insider Risk Management <p> Insider Risk Management Admins <p> Organization Management|
+|**Data Investigation Management**|Create, edit, delete, and control access to data investigation.|Compliance Administrator <p><p> Data Investigator|
+|**Device Management**|View and edit settings and reports for device management features.|Compliance Administrator <p><p> Compliance Data Administrator <p> Organization Management <p> Security Administrator|
+|**Disposition Management**|Control permissions for accessing Manual Disposition in the Security & Compliance Center.|Compliance Administrator <p><p> Compliance Data Administrator <p> Records Management|
+|**DLP Compliance Management**|View and edit settings and reports for data loss prevention (DLP) policies.|Compliance Administrator <p><p> Compliance Data Administrator <p> Organization Management <p> Security Administrator|
+|**Export**|Export mailbox and site content that's returned from searches.|Data Investigator <p><p> eDiscovery Manager|
+|**Hold**|Place content in mailboxes, sites, and public folders on hold. When on hold, a copy of the content is stored in a secure location. Content owners will still be able to modify or delete the original content.|Compliance Administrator <p><p> eDiscovery Manager <p> Organization Management|
+|**IB Compliance Management**|View, create, remove, modify, and test Information Barrier policies.|Compliance Administrator <p><p> Compliance Data Administrator <p> Organization Management <p> Security Administrator|
+|**Information Protection Admin**|Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies.|Compliance Administrator <p><p> Compliance Data Administrator <p> Information Protection <p> Information Protection Admins|
+|**Information Protection Analyst**|Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Compliance Administrator <p><p> Compliance Data Administrator <p> Information Protection <p> Information Protection Analysts <p> Information Protection Investigators|
+|**Information Protection Investigator**|Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Compliance Administrator <p><p> Compliance Data Administrator <p> Information Protection <p> Information Protection Investigators|
+|**Information Protection Reader**|View-only access to reports for DLP policies and sensitivity labels and their policies.|Compliance Administrator <p><p> Compliance Data Administrator <p> Information Protection <p> Information Protection Readers|
+|**Insider Risk Management Admin**|Create, edit, delete, and control access to Insider Risk Management feature.|Compliance Administrator <p><p> Insider Risk Management <p> Insider Risk Management Admins <p> Organization Management|
+|**Insider Risk Management Analysis**|Access all insider risk management alerts, cases, and notices templates.|Insider Risk Management <p><p> Insider Risk Management Analysts|
+|**Insider Risk Management Audit**|Allow viewing Insider Risk audit trails.|Insider Risk Management <p><p> Insider Risk Management Auditors|
+|**Insider Risk Management Investigation**|Access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases.|Insider Risk Management <p><p> Insider Risk Management Investigators|
|**Insider Risk Management Permanent contribution**|This role group is visible, but is used by background services only.|IRM Contributors|
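Review bot: The replacement rows in this block differ from the removed ones almost only by turning the first `<p>` in the role-group column into `<p><p>`, which relies on an empty, unclosed paragraph tag for spacing and may render differently from one Markdown renderer to another. If the goal is a gap after the first role group, a `<br>` or one consistent separator for every entry would be more predictable. The `Insider Risk Management Admin` row also still reads "control access to Insider Risk Management feature"; since the line is being touched anyway, change it to "the Insider Risk Management feature".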
-|**Insider Risk Management Sessions**|Allow managing group modification requests for session recording.|Insider Risk Management <p> Insider Risk Management Session Approvers|
+|**Insider Risk Management Sessions**|Allow managing group modification requests for session recording.|Insider Risk Management <p><p> Insider Risk Management Session Approvers|
|**Insider Risk Management Temporary contribution**|This role group is visible, but is used by background services only.|IRM Contributors| |**Knowledge Admin**|Configure knowledge, learning, assign trainings and other intelligent features.|Knowledge Administrators|
-|**Manage Alerts**|View and edit settings and reports for alerts.|Compliance Administrator <p> Compliance Data Administrator <p> Organization Management <p> Security Administrator <p> Security Operator|
-|**Organization Configuration**|Run, view, and export audit reports and manage compliance policies for DLP, devices, and preservation.|Compliance Administrator <p> Compliance Data Administrator <p> Organization Management|
-|**Preview**|View a list of items that are returned from content searches, and open each item from the list to view its contents.|Data Investigator <p> eDiscovery Manager|
-|**Privacy Management Admin**|Manage policies in Privacy Management and has access to all functionality of the solution.|Privacy Management <p> Privacy Management Administrators|
+|**Manage Alerts**|View and edit settings and reports for alerts.|Compliance Administrator <p><p> Compliance Data Administrator <p> Organization Management <p> Security Administrator <p> Security Operator|
+|**Organization Configuration**|Run, view, and export audit reports and manage compliance policies for DLP, devices, and preservation.|Compliance Administrator <p><p> Compliance Data Administrator <p> Organization Management|
+|**Preview**|View a list of items that are returned from content searches, and open each item from the list to view its contents.|Data Investigator <p><p> eDiscovery Manager|
+|**Privacy Management Admin**|Manage policies in Privacy Management and has access to all functionality of the solution.|Privacy Management <p><p> Privacy Management Administrators|
|**Privacy Management Analysis**|Perform investigation and remediation of the message violations in Privacy Management. Can only view messages metadata.|Privacy Management <p> Privacy Management Analysts|
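Review bot: The `Privacy Management Analysis` row is left with a single `<p>` after its first role group (`Privacy Management <p> Privacy Management Analysts`) while the neighbouring multi-group rows are all changed to `<p><p>`, so this one row will be spaced differently from the rest of the table. Apply the same separator here so the column is consistent.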
-|**Privacy Management Investigation**|Perform investigation, remediation, and review message violations in Privacy Management. Can view message metadata and the full message.|Privacy Management <p> Privacy Management Investigators|
-|**Privacy Management Permanent contribution**|Access Privacy Management cases as a permanent contributor.|Privacy Management <p> Privacy Management Contributors|
-|**Privacy Management Temporary contribution**|Access Privacy Management cases as a temporary contributor.|Privacy Management <p> Privacy Management Contributors|
-|**Privacy Management Viewer**|Access dashboards and widgets in Privacy Management.|Privacy Management <p> Privacy Management Viewers|
-|**Quarantine**|Allows viewing and releasing quarantined email.|Quarantine Administrator <p> Security Administrator <p> Organization Management|
-|**RecordManagement**|View and edit the configuration of the records management feature.|Compliance Administrator <p> Compliance Data Administrator <p> Organization Management <p> Records Management|
-|**Retention Management**|Manage retention policies, retention labels, and retention label policies.|Compliance Administrator <p> Compliance Data Administrator <p> Organization Management <p> Records Management|
-|**Review**|This role lets users access review sets in Advanced eDiscovery cases. Users who are assigned this role can see and open the list of cases on the **eDiscovery > Advanced** page in the Microsoft 365 compliance center that they're members of. After the user accesses an Advanced eDiscovery case, they can select **Review sets** to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Users with this role can only access the data in a review set.|Data Investigator <p> eDiscovery Manager <p> Reviewer|
-|**RMS Decrypt**|Decrypt RMS-protected content when exporting search results.|Data Investigator <p> eDiscovery Manager|
+|**Privacy Management Investigation**|Perform investigation, remediation, and review message violations in Privacy Management. Can view message metadata and the full message.|Privacy Management <p><p> Privacy Management Investigators|
+|**Privacy Management Permanent contribution**|Access Privacy Management cases as a permanent contributor.|Privacy Management <p><p> Privacy Management Contributors|
+|**Privacy Management Temporary contribution**|Access Privacy Management cases as a temporary contributor.|Privacy Management <p><p> Privacy Management Contributors|
+|**Privacy Management Viewer**|Access dashboards and widgets in Privacy Management.|Privacy Management <p><p> Privacy Management Viewers|
+|**Quarantine**|Allows viewing and releasing quarantined email.|Quarantine Administrator <p><p> Security Administrator <p> Organization Management|
+|**RecordManagement**|View and edit the configuration of the records management feature.|Compliance Administrator <p><p> Compliance Data Administrator <p> Organization Management <p> Records Management|
+|**Retention Management**|Manage retention policies, retention labels, and retention label policies.|Compliance Administrator <p><p> Compliance Data Administrator <p> Organization Management <p> Records Management|
+|**Review**|This role lets users access review sets in Advanced eDiscovery cases. Users who are assigned this role can see and open the list of cases on the **eDiscovery > Advanced** page in the Microsoft 365 compliance center that they're members of. After the user accesses an Advanced eDiscovery case, they can select **Review sets** to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Users with this role can only access the data in a review set.|Data Investigator <p><p> eDiscovery Manager <p> Reviewer|
+|**RMS Decrypt**|Decrypt RMS-protected content when exporting search results.|Data Investigator <p><p> eDiscovery Manager|
|**Role Management**|Manage role group membership and create or delete custom role groups.|Organization Management|
-|**Search And Purge**|Lets people bulk-remove data that matches the criteria of a content search.|Data Investigator <p> Organization Management|
-|**Security Administrator**|View and edit the configuration and reports for Security features.|Organization Management <p> Security Administrator|
-|**Security Reader**|View the configuration and reports for Security features.|Global Reader <p> Organization Management <p> Security Operator <p> Security Reader|
-|**Sensitivity Label Administrator**|View, create, modify, and remove sensitivity labels.|Compliance Data Administrator <p> Organization Management <p> Security Administrator|
-|**Sensitivity Label Reader**|View the configuration and usage of sensitivity labels.|Global Reader <p> Organization Management <p> Security Reader|
-|**Service Assurance View**|Download the available documents from the Service Assurance section. Content includes independent auditing, compliance documentation, and trust-related guidance for using Microsoft 365 features to manage regulatory compliance and security risks.|Global Reader <p> Organization Management <p> Service Assurance User|
+|**Search And Purge**|Lets people bulk-remove data that matches the criteria of a content search.|Data Investigator <p><p> Organization Management|
+|**Security Administrator**|View and edit the configuration and reports for Security features.|Organization Management <p><p> Security Administrator|
+|**Security Reader**|View the configuration and reports for Security features.|Global Reader <p><p> Organization Management <p> Security Operator <p> Security Reader|
+|**Sensitivity Label Administrator**|View, create, modify, and remove sensitivity labels.|Compliance Data Administrator <p><p> Organization Management <p> Security Administrator|
+|**Sensitivity Label Reader**|View the configuration and usage of sensitivity labels.|Global Reader <p><p> Organization Management <p> Security Reader|
+|**Service Assurance View**|Download the available documents from the Service Assurance section. Content includes independent auditing, compliance documentation, and trust-related guidance for using Microsoft 365 features to manage regulatory compliance and security risks.|Global Reader <p><p> Organization Management <p> Service Assurance User|
|**Supervisory Review Administrator**|Manage supervisory review policies, including which communications to review and who should do the review.|Supervisory Review|
-|**Tag Contributor**|View and update membership of existing user tags.|Organization Management <p> Security Administrator <p> Security Operator|
-|**Tag Manager**|View, update, create, and delete user tags.|Organization Management <p> Security Administrator|
+|**Tag Contributor**|View and update membership of existing user tags.|Organization Management <p><p> Security Administrator <p> Security Operator|
+|**Tag Manager**|View, update, create, and delete user tags.|Organization Management <p><p> Security Administrator|
|**Tag Reader**|Read-only access to existing user tags.|Security Reader| |**Tenant AllowBlockList Manager**|Manage tenant allow block list settings.|Security Operator|
-|**View-Only Audit Logs**|View and export audit reports. Because these reports might contain sensitive information, you should only assign this role to people with an explicit need to view this information.|Compliance Administrator <p> Compliance Data Administrator <p> Global Reader <p> Organization Management <p> Security Administrator <p> Security Operator|
-|**View-Only Case**||Communication Compliance <p> Communication Compliance Investigators <p> Compliance Administrator <p> Insider Risk Management <p> Insider Risk Management Admins <p> Insider Risk Management Analysts <p> Insider RiskManagement Investigators <p> Organization Management <p> Privacy Management <p> Privacy Management Administrators <p> Privacy Management Analysts <p> Privacy Management Investigators <p> Subject Rights Request Administrators|
-|**View-Only Device Management**|View the configuration and reports for the Device Management feature.|Compliance Administrator <p> Compliance Data Administrator <p> Global Reader <p> Organization Management <p> Security Administrator <p> Security Operator <p> Security Reader|
-|**View-Only DLP Compliance Management**|View the settings and reports for data loss prevention (DLP) policies.|Compliance Administrator <p> Compliance Data Administrator <p> Global Reader <p> Organization Management <p> Security Administrator <p> Security Operator <p> Security Reader|
-|**View-Only IB Compliance Management**|View the configuration and reports for the Information Barriers feature.|Compliance Administrator <p> Compliance Data Administrator <p> Global Reader <p> Organization Management <p> Security Administrator <p> Security Operator <p> Security Reader|
-|**View-Only Manage Alerts**|View the configuration and reports for the Manage Alerts feature.|Compliance Administrator <p> Compliance Data Administrator <p> Global Reader <p> Organization Management <p> Security Administrator <p> Security Operator <p> Security Reader|
-|**View-Only Recipients**|View information about users and groups.|Compliance Administrator <p> Compliance Data Administrator <p> Global Reader <p> MailFlow Administrator <p> Organization Management|
-|**View-Only Record Management**|View the configuration of the records management feature.|Compliance Administrator <p> Compliance Data Administrator <p> <p> Global Reader <p> Organization Management|
-|**View-Only Retention Management**|View the configuration of retention policies, retention labels, and retention label policies.|Compliance Administrator <p> Compliance Data Administrator <p> Global Administrator <p> Organization Management|
+|**View-Only Audit Logs**|View and export audit reports. Because these reports might contain sensitive information, you should only assign this role to people with an explicit need to view this information.|Compliance Administrator <p><p> Compliance Data Administrator <p> Global Reader <p> Organization Management <p> Security Administrator <p> Security Operator|
+|**View-Only Case**||Communication Compliance <p><p> Communication Compliance Investigators <p> Compliance Administrator <p> Insider Risk Management <p> Insider Risk Management Admins <p> Insider Risk Management Analysts <p> Insider RiskManagement Investigators <p> Organization Management <p> Privacy Management <p> Privacy Management Administrators <p> Privacy Management Analysts <p> Privacy Management Investigators <p> Subject Rights Request Administrators|
+|**View-Only Device Management**|View the configuration and reports for the Device Management feature.|Compliance Administrator <p><p> Compliance Data Administrator <p> Global Reader <p> Organization Management <p> Security Administrator <p> Security Operator <p> Security Reader|
+|**View-Only DLP Compliance Management**|View the settings and reports for data loss prevention (DLP) policies.|Compliance Administrator <p><p> Compliance Data Administrator <p> Global Reader <p> Organization Management <p> Security Administrator <p> Security Operator <p> Security Reader|
+|**View-Only IB Compliance Management**|View the configuration and reports for the Information Barriers feature.|Compliance Administrator <p><p> Compliance Data Administrator <p> Global Reader <p> Organization Management <p> Security Administrator <p> Security Operator <p> Security Reader|
+|**View-Only Manage Alerts**|View the configuration and reports for the Manage Alerts feature.|Compliance Administrator <p><p> Compliance Data Administrator <p> Global Reader <p> Organization Management <p> Security Administrator <p> Security Operator <p> Security Reader|
+|**View-Only Recipients**|View information about users and groups.|Compliance Administrator <p><p> Compliance Data Administrator <p> Global Reader <p> MailFlow Administrator <p> Organization Management|
+|**View-Only Record Management**|View the configuration of the records management feature.|Compliance Administrator <p><p> Compliance Data Administrator <p> <p> Global Reader <p> Organization Management|
+|**View-Only Retention Management**|View the configuration of retention policies, retention labels, and retention label policies.|Compliance Administrator <p><p> Compliance Data Administrator <p> Global Administrator <p> Organization Management|
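Review bot: The `View-Only Case` row is carried over with an empty description cell and the role group name `Insider RiskManagement Investigators` (missing space), so the rewrite keeps both defects. Add a description and correct the name to `Insider Risk Management Investigators`, as it is spelled in the Insider Risk Management Investigation row. `View-Only Record Management` also keeps a stray empty `<p> <p>` between Compliance Data Administrator and Global Reader, which should be collapsed to one separator. `View-Only Retention Management` lists Global Administrator where the other View-Only rows list Global Reader; please confirm that is intended.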