Updates from: 03/27/2021 04:11:56
Category Microsoft Docs article Related commit history on GitHub Change details
admin Assign Licenses To Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/assign-licenses-to-users.md
f1.keywords:
-ms.audience: Admin
+audience: Admin
localization_priority: Priority - M365-subscription-management - Adm_TOC-- commerce
+- AdminSurgePortfolio
- TopSMBIssues - SaRA - okr_SMB-- AdminSurgePortfolio - manage_licenses
+- commerce
search.appverid: - MET150 description: "Learn how to assign licenses to users." Previously updated : 08/14/2020 # Assign licenses to users -
-> [!NOTE]
-> The admin center is changing. If your experience doesn't match the details presented here, see
-[About the new Microsoft 365 admin center](../microsoft-365-admin-center-preview.md?preserve-view=true&view=o365-21vianet).
--- You can assign licenses to users on either the **Active users** page, or on the **Licenses** page. The method you use depends on whether you want to assign product licenses to specific users or assign users licenses to a specific product.
+> [!NOTE]
+> As an admin, you can't assign or unassign licenses for a self-service purchase subscription bought by a user in your organization. You can [take over a self-service purchase subscription](../../commerce/subscriptions/manage-self-service-purchases-admins.md#take-over-a-self-service-purchase-subscription), and then assign or unassign licenses.
[Learn how to add a user and assign a license at the same time](../add-users/add-users.md).
You can assign licenses to users on either the **Active users** page, or on the
- To use group-based licensing, see [Assign licenses to users by group membership in Azure Active Directory](/azure/active-directory/users-groups-roles/licensing-groups-assign) - Some services, like Sway, are automatically assigned to users, and don't need to be assigned individually. - ## Use the Licenses page to assign licenses to users When you use the **Licenses** page to assign licenses, you assign licenses for a specific product to up to 20 users. On the **Licenses** page, you see a list of all the products that you have subscriptions for. You also see the total number of licenses for each product, how many licenses are assigned, and how many are available. + 1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.+++
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Billing** > **Licenses** page.
++
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Billing** > **Licenses** page.
++ 2. Select a product. 3. On the product details page, select **Assign licenses**. 4. In the **Assign licenses to users** pane, begin typing a name, and then choose it from the results to add it to the list. You can add up to 20 users at a time.
-5. Select **Turn apps and services on or off** to assign or remove access to specific items.
+4. Select **Turn apps and services on or off** to assign or remove access to specific items.
6. When you're finished, select **Assign**, then select **Close**. If there's a conflict, a message displays, tells you what the problem is, and tells you how to fix it. For example, if you selected licenses that contain conflicting services, the error message says to review the services included with each license and try again. ## Change the apps and services a user has access to + 1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.
-2. On the **Licenses** page, select the row for a specific user.
-3. In the right pane, select or deselect the apps and services that you want to give access to or remove access from.
-4. When you're finished, select **Save**, then select **Close**.
::: moniker-end +
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Billing** > **Licenses** page.
+++
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Billing** > **Licenses** page.
++
+2. On the **Licenses** page, select the row for a specific user.
+3. In the right pane, select or deselect the apps and services that you want to give access to or remove access from.
+4. When you're finished, select **Save**, then select **Close**.
## Use the Active users page to assign licenses
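Review bot: step numbering breaks in the Licenses-page procedure: `-5. Select **Turn apps and services on or off** to assign or remove access to specific items.` becomes `+4. Select **Turn apps and services on or off** ...`, but the unchanged step just before it is already `4. In the **Assign licenses to users** pane, begin typing a name` and the unchanged step after it is still `6. When you're finished, select **Assign**, then select **Close**.`, so the source now has two step 4s and no step 5. Keep the `5.` here; a renderer that re-sequences ordered lists would hide the problem in the output but not in the source.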
When you use the **Active users** page to assign licenses, you assign users lice
### Assign licenses to multiple users + 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-2. Select the circles next to the names of the users that you want to assign licenses to.
-3. At the top, select **More options (...)**, then select **Manage product licenses**.
-4. In the **Manage product licenses** pane, select **Add to existing product license assignments** \> **Next**.
-5. In the **Add to existing products** pane, switch the toggle to the **On** position for the license that you want the selected users to have.\
- By default, all services associated with those licenses are automatically assigned to the users. You can limit which services are available to the users. Switch the toggles to the **Off** position for the services that you don't want the users to have.
-6. At the bottom of the pane, select **Add** \> **Close**.
::: moniker-end ::: moniker range="o365-germany"
-## Assign licenses to multiple users
-
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-2. Select the boxes next to the names of the users that you want to assign licenses to.
-3. In the **Bulk actions** pane, select **Edit product licenses**.
-4. In the **Assign products** pane, select **Add to existing product license assignments** \> **Next**.
-5. Switch the toggle to the **On** position for the licenses that you want the selected users to have.\
- By default, all services associated with those licenses are automatically assigned to the users. You can limit which services are available to the users. Switch the toggles to the **Off** position for the services that you don't want the users to have.
-6. At the bottom of the **Add to existing products** pane, select **Add** \> **Close** \> **Close**.
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Billing** > **Active users** page.
::: moniker-end ::: moniker range="o365-21vianet"
-## Assign licenses to multiple users
-
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-2. Select the boxes next to the names of the users that you want to assign licenses to.
-3. In the **Bulk actions** pane, select **Edit product licenses**.
-4. In the **Assign products** pane, select **Add to existing product license assignments** \> **Next**.
-5. Switch the toggle to the **On** position for the licenses that you want the selected users to have.\
- By default, all services associated with those licenses are automatically assigned to the users. You can limit which services are available to the users. Switch the toggles to the **Off** position for the services that you don't want the users to have.
-6. At the bottom of the **Add to existing products** pane, select **Add** \> **Close** \> **Close**.
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Billing** > **Active users** page.
::: moniker-end
+2. Select the circles next to the names of the users that you want to assign licenses to.
+3. At the top, select **More options (...)**, then select **Manage product licenses**.
+4. In the **Manage product licenses** pane, select **Add to existing product license assignments** \> **Next**.
+5. In the **Add to existing products** pane, switch the toggle to the **On** position for the license that you want the selected users to have.\
+ By default, all services associated with those licenses are automatically assigned to the users. You can limit which services are available to the users. Switch the toggles to the **Off** position for the services that you don't want the users to have.
+6. At the bottom of the pane, select **Add** \> **Close**.
### Assign licenses to one user + 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-2. Select the row of the user that you want to assign a license to.
-3. In the right pane, select **Licenses and Apps**.
-4. Expand the **Licenses** section, select the boxes for the licenses that you want to assign, then select **Save changes**.
::: moniker-end ::: moniker range="o365-germany"
-## Assign licenses to one user
-
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-2. Select the box next to the name of the user that you want to assign a license to.
-3. In the right pane, in the **Product licenses** row, select **Edit**.
-4. In the **Product licenses** pane, switch the toggle to the **On** position for the license that you want to assign to this user.\
- By default, all services associated with that license are automatically assigned to the user. You can limit which services are available to the user. Switch the toggles to the **Off** position for the services that you don't want that user to have.
-5. At the bottom of the **Product licenses** pane, select **Save** \> **Close** \> **Close**.
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Billing** > **Active users** page.
::: moniker-end ::: moniker range="o365-21vianet"
-## Assign licenses to one user
-
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-2. Select the box next to the name of the user that you want to assign a license to.
-3. In the right pane, in the **Product licenses** row, select **Edit**.
-4. In the **Product licenses** pane, switch the toggle to the **On** position for the license that you want to assign to this user.\
- By default, all services associated with that license are automatically assigned to the user. You can limit which services are available to the user. Switch the toggles to the **Off** position for the services that you don't want that user to have.
-5. At the bottom of the **Product licenses** pane, select **Save** \> **Close** \> **Close**.
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Billing** > **Active users** page.
::: moniker-end
+2. Select the row of the user that you want to assign a license to.
+3. In the right pane, select **Licenses and Apps**.
+4. Expand the **Licenses** section, select the boxes for the licenses that you want to assign, then select **Save changes**.
+ ## Assign a license to a guest user You can invite guest users to collaborate with your organization in the Azure Active Directory admin center. To learn about guest users, see [What is guest user access in Azure Active Directory B2B?](/azure/active-directory/external-identities/what-is-b2b). If you don't have any guest users, see [Quickstart: Add guest users to your directory in the Azure portal](/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal).
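Review bot: the Germany and 21Vianet replacement first steps send admins to the wrong menu. All four added lines of the form `+1. In the <a ...>admin center</a>, go to the **Billing** > **Active users** page.` (two under `### Assign licenses to multiple users`, two under `### Assign licenses to one user`) should read `**Users** > **Active users**`: the lines they replace say `go to the **Users** \> <a ...>Active users</a> page`, and so does the worldwide step 1 that this hunk keeps; Billing is where the Licenses page lives, not Active users. Also worth a second look before merging: only step 1 stays moniker-specific after this change, and the shared steps (`Select the circles`, `More options (...)` > `Manage product licenses`, `Licenses and Apps` > `Save changes`) replace the removed Germany/21Vianet flows that went through `Bulk actions` > `Edit product licenses` and `Product licenses` > `Edit` with `Save` > `Close` > `Close`, so this is only right if those clouds now present the same UI as worldwide.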
admin Remove Licenses From Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/remove-licenses-from-users.md
f1.keywords:
-ms.audience: Admin
+audience: Admin
localization_priority: Normal - M365-subscription-management - Adm_TOC-- commerce - AdminSurgePortfolio - manage_licenses
+- okr_smb
+- commerce
search.appverid: - MET150 description: "Learn how to unassign licenses from user accounts."
Last updated 07/01/2020
# Unassign licenses from users -
-> [!NOTE]
-> The admin center is changing. If your experience doesn't match the details presented here, see
-[About the new Microsoft 365 admin center](../microsoft-365-admin-center-preview.md?preserve-view=true&view=o365-21vianet).
--- You can unassign licenses from users on either the **Active users** page, or on the **Licenses** page. The method you use depends on whether you want to unassign product licenses from specific users or unassign users licenses from a specific product.
+> [!NOTE]
+> As an admin, you can't assign or unassign licenses for a self-service purchase subscription bought by a user in your organization. You can [take over a self-service purchase subscription](../../commerce/subscriptions/manage-self-service-purchases-admins.md#take-over-a-self-service-purchase-subscription), and then assign or unassign licenses.
## Before you begin
You can unassign licenses from users on either the **Active users** page, or on
- You can [remove licenses from user accounts with Office 365 PowerShell](../../enterprise/remove-licenses-from-user-accounts-with-microsoft-365-powershell.md). - You can also [delete user accounts](../add-users/delete-a-user.md) that were assigned a license to make their license available to other users. When you delete a user account, their license is immediately available to assign to someone else. - ## Use the Licenses page to unassign licenses When you use the **Licenses** page to unassign licenses, you unassign licenses for a specific product for up to 20 users. + 1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.+++
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Billing** > **Licenses** page.
++
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Billing** > **Licenses** page.
++ 2. Select the product for which you want to unassign licenses. 3. Select the users for which you want to unassign licenses. 4. Select **Unassign licenses**. 5. In the **Unassign licenses** box, select **Unassign**. -- ## Use the Active users page to unassign licenses When you use the **Active users** page to unassign licenses, you unassign product licenses from users. ### Unassign licenses from one user
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-2. Select the row of the user that you want to unassign a license for.
-3. In the right pane, select **Licenses and Apps**.
-4. Expand the **Licenses** section, clear the boxes for the licenses that you want to unassign, then select **Save changes**.
+
+1. In the admin center, go to the **Users** > <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
::: moniker-end ::: moniker range="o365-germany"
-## Unassign licenses from one user
-
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-2. Pick the user that you want to unassign the license for.
-3. On the right, in the **Product licenses** row, select **Edit**.
-4. In the **Product licenses** pane, switch the toggle to the **Off** position for the license you want to unassign for the user. For example, if you switch off the Office 365 Enterprise E3 license, it unassigns that license and all services under that license for that user.
-5. At the bottom of the **Product licenses** pane, select **Save** \> **Close** \> **Close**.
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Billing** > **Active users** page.
::: moniker-end ::: moniker range="o365-21vianet"
-## Unassign licenses from one user
-
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-2. Pick the user that you want to unassign the license for.
-3. On the right, in the **Product licenses** row, select **Edit**.
-4. In the **Product licenses** pane, switch the toggle to the **Off** position for the license you want to unassign for the user. For example, if you switch off the Office 365 Enterprise E3 license, it unassigns that license and all services under that license for that user.
-5. At the bottom of the **Product licenses** pane, select **Save** \> **Close** \> **Close**.
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Billing** > **Active users** page.
::: moniker-end
+2. Select the row of the user that you want to unassign a license for.
+3. In the right pane, select **Licenses and Apps**.
+4. Expand the **Licenses** section, clear the boxes for the licenses that you want to unassign, then select **Save changes**.
+ ### Unassign licenses from multiple users
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-2. Select the circles next to the names of the users that you want to unassign licenses for.
-3. At the top, select **More options (...)**, then select **Manage product licenses**.
-4. In the **Manage product licenses** pane, select **Replace existing product license assignments** \> **Next**.
-5. At the bottom of the **Replace existing products** pane, select the **Remove all product licenses from the selected users** check box, then select **Replace** \> **Close**.
+
+1. In the admin center, go to the **Users** > <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
::: moniker-end ::: moniker range="o365-germany"
-## Unassign licenses from multiple users
-
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-2. Select the boxes next to the names of the users that you want to unassign all licenses for.
-3. In the **Bulk actions** pane, select **Edit product licenses**.
-4. In the **Replace existing products** pane, select **Replace existing product license assignments** \> **Next**.
-5. At the bottom of the **Replace existing products** pane, select the **Remove all product licenses from the selected users** check box, then select **Replace** \> **Close** \> **Close**.
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Billing** > **Active users** page.
::: moniker-end ::: moniker range="o365-21vianet"
-## Unassign licenses from multiple users
-
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-2. Select the boxes next to the names of the users that you want to unassign all licenses for.
-3. In the **Bulk actions** pane, select **Edit product licenses**.
-4. In the **Replace existing products** pane, select **Replace existing product license assignments** \> **Next**.
-5. At the bottom of the **Replace existing products** pane, select the **Remove all product licenses from the selected users** check box, then select **Replace** \> **Close** \> **Close**.
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Billing** > **Active users** page.
::: moniker-end
+2. Select the circles next to the names of the users that you want to unassign licenses for.
+3. At the top, select **More options (...)**, then select **Manage product licenses**.
+4. In the **Manage product licenses** pane, select **Replace existing product license assignments** \> **Next**.
+5. At the bottom of the **Replace existing products** pane, select the **Remove all product licenses from the selected users** check box, then select **Replace** \> **Close**.
+ ## What happens to a user's data when you remove their license? - When a license is removed from a user, data that is associated with that account is held for 30 days. After the 30-day grace period, the data is deleted and can't be recovered.
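Review bot: same wrong menu as in the Assign licenses article above: the four added Germany and 21Vianet lines `+1. In the <a ...>admin center</a>, go to the **Billing** > **Active users** page.` (under `### Unassign licenses from one user` and `### Unassign licenses from multiple users`) should say `**Users** > **Active users**`, as the removed lines and the kept worldwide step `+1. In the admin center, go to the **Users** > <a ...>Active users</a> page.` do. Two smaller points: the removed Germany/21Vianet step 4 was the only place that spelled out what unassigning does (`if you switch off the Office 365 Enterprise E3 license, it unassigns that license and all services under that license for that user`) and the shared replacement (`clear the boxes for the licenses that you want to unassign, then select **Save changes**`) loses it, so keep that sentence somewhere; and the multi-user procedure now ends at `Remove all product licenses from the selected users` > `Replace` while the only statement of the consequence (data held 30 days, then deleted and not recoverable) sits in the unchanged section further down, so a pointer to that section next to step 5 would help.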
admin Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/setup.md
description: "Learn how to set up your Microsoft Business Premium, Microsoft 365
See the following links to get your business or [nonprofit](https://go.microsoft.com/fwlink/p/?LinkId=627221) up and running with [Microsoft 365 Business Standard](https://go.microsoft.com/fwlink/p/?LinkId=627220), Microsoft 365 Business Basic, Microsoft 365 Apps for business, or Office 365 Education. Not a business? See [Set up for Microsoft 365 Family or Microsoft 365 Personal](https://support.microsoft.com/office/65415a24-3cbf-4f30-901d-9bf9eba7fce2).-- [Microsoft365.com/setup](https://micro-soft-365setup.com/) - [Set up Microsoft 365 Business Basic](setup-business-basic.md) - [Set up Microsoft Business Standard](setup-business-standard.md) - [Set up Microsoft 365 Business Premium](../../business/set-up.md)
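Review bot: the link text and target disagree in `[Microsoft365.com/setup](https://micro-soft-365setup.com/)`: the visible text names microsoft365.com, but the href goes to a different registrable domain, `micro-soft-365setup.com`. A reader who follows it lands somewhere other than where the text says, and a look-alike domain in official setup instructions is exactly the pattern phishing pages imitate; verify the intended destination and make the href and the text agree before this ships. The other three entries in the same list use relative `.md` links and need no change.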
campaigns Get Microsoft 365 Campaigns https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/campaigns/get-microsoft-365-campaigns.md
Title: "Get Microsoft 365 for Campaigns" f1.keywords: - NOCSH--++
-ms.audience: Admin
+audience: Admin
localization_priority: Normal
Anybody with Microsoft 365 Business Premium can use this guidance to configure e
- National or federal political campaigns in the United States and New Zealand - U.S. State-wide political campaigns (eg: campaigns seeking office for governor, state legislature, or attorney general)*
- *Due to local regulations, we are unable to offer M365 for Campaigns in the following states at this time: CO, DE, IL, OK, WI & WY. We encourage campaigns in those states to explore additional offerings at [Microsoft 365 for business](https://www.office.com/business).
+ *Due to local regulations, we are unable to offer Microsoft 365 for Campaigns in the following states at this time: CO, DE, IL, OK, WI & WY. We encourage campaigns in those states to explore additional offerings at [Microsoft 365 for business](https://www.office.com/business).
- State-level political parties in the United States
campaigns M365 Campaigns Conditional Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/campaigns/m365-campaigns-conditional-access.md
Title: "Set up conditional access policies"
+ Title: "Turn on security defaults"
f1.keywords: - NOCSH--++
-ms.audience: Admin
+audience: Admin
localization_priority: Normal
search.appverid:
- BCS160 - MET150 - MOE150
-description: "Learn how to require MFA and set up conditional access policies for Microsoft 365 for business."
+description: "Learn how security defaults can help protect your organization from identity-related attacks by providing preconfigured security settings."
-# Require multi-factor authentication and set up conditional access policies
+# Turn on security defaults
-You protect access to your data with multi-factor authentication and conditional access policies. These add substantial additional security. Microsoft provides a set of baseline conditional access policies that are recommended for all customers. Baseline policies are a set of predefined policies that help protect organizations against many common attacks. These common attacks can include password spray, replay, and phishing.
+Security defaults help protect your organization from identity-related attacks by providing preconfigured security settings that Microsoft manages on behalf of your organization. These settings include enabling multi-factor authentication (MFA) for all admins and user accounts. For most organizations, security defaults offer a good level of additional sign-in security.
-These policies require admins and users to enter a second form of authentication (called multi-factor authentication, or MFA) under certain conditions. For example, if a user in your organization tries to sign in to Microsoft 365 from a different country or from an unknown device, the sign-in might be considered risky. The user must provide an extra form of authentication (such as a fingerprint or a code) to prove their identity.
+For more information about security defaults and the policies they enforce, see [What are security defaults?](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults)
-Currently, the baseline policies include the following policies:
+If your subscription was created on or after October 22, 2019, security defaults might have been automatically enabled for you&mdash;you should check your settings to confirm.
-- Set up in Microsoft 365 admin center:
- - **Require MFA for admins**: Requires multi-factor authentication for the most privileged administrator roles, including global administrator.
- - **End-user protection**: Requires multi-factor authentication for users only when a sign-in is risky.
-- Set up in Azure Active Directory portal:
- - **Block legacy authentication**: Older client apps and some new apps don't use newer, more secure, authentication protocols. These older apps can bypass conditional access policies and gain unauthorized access to your environment. This policy blocks access from clients that don't support conditional access.
- - **Require MFA for Service Management**: Requires multi-factor authentication for access to management tools, including Azure portal (where you configure baseline policies).
+To enable security defaults in your Azure Active Directory (Azure AD) or to check to see if they're already enabled:
-We recommend that you enable all of these baseline policies. After these policies are enabled, admins and users will be prompted to register for Azure AD Multifactor Authentication.
+1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a> with Global admin credentials.
-For more information about these policies, see [What are baseline policies](/azure/active-directory/conditional-access/concept-baseline-protection)?
+2. In the left pane, select **Show All,** and then under **Admin centers**, select **Azure Active Directory**.
-## Require MFA
+3. In the left pane of the **Azure Active Directory admin center,** select **Azure Active Directory**.
-To require that all users sign in with a second form of ID:
+4. From the left menu of the Dashboard, in the **Manage** section, select **Properties**.
-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a> and choose **Setup**.
+ :::image type="content" source="../media/m365-campaigns-conditional-access/azure-ad-properties.png" alt-text="Screenshot of the Azure Active Directory admin center showing the location of the Properties menu item.":::
-2. On the Setup page, choose **View** in the **Make sign-in more secure** card.
+5. At the bottom of the **Properties** page, select **Manage Security defaults**.
- ![Make sign-in more secure card.](../media/setupmfa.png)
-3. On the Make sign-in more secure page, choose **Get started**.
+6. In the right pane, you'll see the **Enable Security defaults** setting. If **Yes** is selected, then security defaults are already enabled and no further action is required. If security defaults are not currently enabled, then select **Yes** to enable them, and then select **Save**.
-4. On the Strengthen sign-in security pane, select the check boxes next to **Require multi-factor authentication for admins** and **Require users to register for multi-factor authentication and block access if risk is detected**.
- Be sure to exclude the [emergency](m365-campaigns-protect-admin-accounts.md#create-an-emergency-admin-account) or "break-glass" admin account from the MFA requirement in the **Find users** box.
+> [!NOTE]
+> If you've been using Conditional Access policies, you'll need to turn them off before using security defaults.
+>
+> You can use either security defaults or Conditional Access policies, but you can't use both at the same time.
- ![Strengthen sing-in security page.](../media/requiremfa.png)
+## Consider using Conditional Access
-5. Choose **Create policy** on the bottom of the page.
+If your organization has complex security requirements or you need more granular control over your security policies, then you should consider using Conditional Access instead of security defaults to achieve a similar or higher security posture.
-## Set up baseline policies
+Conditional Access lets you create and define policies that react to sign-in events and request additional actions before a user is granted access to an application or service. Conditional Access policies can be granular and specific, empowering users to be productive wherever and whenever, but also protecting your organization.
-1. Go to the [Azure portal](https://portal.azure.com), and then navigate to **Azure Active Directory** \> **Security** \> **Conditional Access** to create a **new policy**.
+Security defaults are available to all customers, while Conditional Access requires a license for one of the following plans:
-See the following specific instructions for each policy: <br>
- - [Require MFA for admins](/azure/active-directory/conditional-access/howto-baseline-protect-administrators) <br>
- - [Require MFA for users](/azure/active-directory/conditional-access/howto-baseline-protect-end-users) <br>
- - [Block legacy authentication](/azure/active-directory/conditional-access/howto-baseline-protect-legacy-auth) <br>
- - [Require MFA for service management](/azure/active-directory/conditional-access/howto-baseline-protect-azure)
+- Azure Active Directory Premium P1 or P2
+- Microsoft 365 Business Premium
+- Microsoft 365 E3 or E5
+- Enterprise Mobility & Security E3 or E5
-> [!NOTE]
-> Preview policies no longer exist and users will need to create their own policies.
+If you want to use Conditional Access to configure policies equivalent to those enabled by security defaults, check out the following step-by-step guides:
+
+- [Require MFA for administrators](/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa)
+- [Require MFA for Azure management](/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management)
+- [Block legacy authentication](/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy)
+- [Require MFA for all users](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa)
+- [Require Azure AD MFA registration](/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy) - Requires Azure AD Identity Protection, which is part of Azure Active Directory Premium P2
-You can set up extra policies, such as requiring approved client apps. For more information, see the [Conditional Access documentation](/azure/active-directory/conditional-access/).
+To learn more about Conditional Access, see [What is Conditional Access?](/azure/active-directory/conditional-access/overview) For more information about creating Conditional Access policies, see [Create a Conditional Access policy](/azure/active-directory/authentication/tutorial-enable-azure-mfa#create-a-conditional-access-policy).
+
+> [!NOTE]
+> If you have a plan or license that provides Conditional Access but haven't yet created any Conditional Access policies, you're welcome to use security defaults. However, you'll need to turn off security defaults before you can use Conditional Access policies.
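Review bot: the rewrite drops the break-glass guidance without replacing it. The removed procedure told admins to `exclude the [emergency](m365-campaigns-protect-admin-accounts.md#create-an-emergency-admin-account) or "break-glass" admin account from the MFA requirement`; the new text says security defaults enable MFA `for all admins and user accounts` and offers no exclusion, so the emergency admin account that the linked page tells readers to create falls under the same requirement. Either state that plainly after step 6, or say that an excluded emergency account needs Conditional Access rather than security defaults (the `## Consider using Conditional Access` section is the natural place). Secondly, the mutual-exclusion rule is stated twice: the `> [!NOTE]` after step 6 (`You can use either security defaults or Conditional Access policies, but you can't use both at the same time.`) and the closing `> [!NOTE]` (`you'll need to turn off security defaults before you can use Conditional Access policies`) say the same thing; keep one. Minor: `**Show All,**` in step 2 puts the comma inside the bold.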
campaigns M365 Campaigns Increase Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/campaigns/m365-campaigns-increase-protection.md
Title: "Increase threat protection" f1.keywords: - NOCSH--++
-ms.audience: Admin
+audience: Admin
localization_priority: Normal
campaigns M365 Campaigns Multifactor Authenication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/campaigns/m365-campaigns-multifactor-authenication.md
Title: "Set up multifactor authentication" f1.keywords: - NOCSH--++
-ms.audience: Admin
+audience: Admin
localization_priority: Normal
campaigns M365 Campaigns Protect Admin Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/campaigns/m365-campaigns-protect-admin-accounts.md
Title: "Protect your administrator accounts" f1.keywords: - NOCSH--++
-ms.audience: Admin
+audience: Admin
localization_priority: Normal
Because admin accounts come with elevated privileges, they're valuable targets f
- How to set up an additional administrator account for emergencies. - How to protect these accounts.
-When you sign up for Microsoft 365 and enter your information, you automatically become the global admin. A global admin has the ultimate control of user accounts and all the other settings in the Microsoft admin center, but there are many different kinds of admin accounts with varying degrees of access. See [about admin roles](/office365/admin/add-users/about-admin-roles) for information about the different access levels for each kind of admin role.
+When you sign up for Microsoft 365 and enter your information, you automatically become the Global admin. A Global admin has the ultimate control of user accounts and all the other settings in the Microsoft admin center, but there are many different kinds of admin accounts with varying degrees of access. See [about admin roles](/office365/admin/add-users/about-admin-roles) for information about the different access levels for each kind of admin role.
## Create additional admin accounts Use admin accounts only for administration. Admins should have a separate user account for regular use of Office apps and only use their administrative account when necessary to manage accounts and devices, and while working on other admin functions. It's also a good idea to remove the Microsoft 365 license from the admin accounts so you don't have to pay for them.
-You'll want to set up at least one additional global admin account to give admin access to another trusted employee. You can also create separate admin accounts for user management (this role is called **User management administrator**). For more information, see [about admin roles](/office365/admin/add-users/about-admin-roles).
+You'll want to set up at least one additional Global admin account to give admin access to another trusted employee. You can also create separate admin accounts for user management (this role is called **User management administrator**). For more information, see [about admin roles](/office365/admin/add-users/about-admin-roles).
To create additional admin accounts:
To create additional admin accounts:
2. On the **Active users** page, select **Add a user** at the top of the page, and on the **New user** panel, enter the name and other information. 3. Expand the **Roles** section, and choose **Global administrator** to give this user global admin access. You can also choose **Customized administrator** and choose any of the roles that are displayed.
- Enter an alternate email in the **Alternative email address** text box. You can use this address to recover your password information if you get locked out. For global admins, a billing statement will also be sent to this address.
+ Enter an alternate email in the **Alternative email address** text box. You can use this address to recover your password information if you get locked out. For Global admins, a billing statement will also be sent to this address.
![Choose the administrator role](../media/adminroles.png)
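Review bot: the step on the alternative email address (the line "Enter an alternate email in the **Alternative email address** text box") only gains a capital letter in this hunk, yet it still tells the reader that this address can be used to recover the password of a Global admin account and receives billing statements without saying where that address should live. Suggest adding that it must be a mailbox the organization controls and that is itself protected with MFA, not a personal address, since by the line's own wording whoever reads that mailbox can recover the Global admin password.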
To create a new user account:
3. Expand the **Roles** section, and choose **User (no administrative access)**. 4. In the **Product licenses** section, move the selector for **Microsoft 365 Business** to **On**.
-## Register each of these accounts for multi-factor authentication
+## Turn on security defaults
-Make sure these accounts are using [multifactor authentication](m365-campaigns-multifactor-authenication.md).
+Security defaults help protect your organization from identity-related attacks by providing preconfigured security settings that Microsoft manages on behalf of your organization. These settings include enabling multi-factor authentication (MFA) for all admins and user accounts. For more information about security defaults and to learn how to enable them on, see [Turn on security defaults](m365-campaigns-conditional-access.md).
## Additional recommendations -- Be sure that admin accounts are also set up for multi-factor authentication. We'll show you how to do this in [Configure conditional access policies](m365-campaigns-conditional-access.md). - Before using admin accounts, close out all unrelated browser sessions and apps, including personal email accounts. You can also use in private, or incognito browser windows.-- After completing admin tasks, be sure to sign out of the browser session.
+- After completing admin tasks, be sure to sign out of the browser session.
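Review bot: replacing "Register each of these accounts for multi-factor authentication" with "Turn on security defaults" and deleting the bullet "Be sure that admin accounts are also set up for multi-factor authentication" leaves the page with no statement that admin accounts must have MFA regardless of how it is enforced; a tenant that has turned security defaults off in favor of Conditional Access (the route the companion conditional-access change describes) would read this page and find no MFA requirement for admins at all. Suggest keeping one sentence saying that every admin account must be covered by MFA, whether through security defaults or through a Conditional Access policy. Also, "to learn how to enable them on" should read "to learn how to turn them on".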
campaigns M365 Campaigns Protect Pcs Macs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/campaigns/m365-campaigns-protect-pcs-macs.md
Title: "Protect unmanaged Windows 10 PCs and Macs" f1.keywords: - NOCSH--++
-ms.audience: Admin
+audience: Admin
localization_priority: Normal
Windows Update downloads updates for Windows Security automatically to help keep
If you have an earlier version of Windows and are using Microsoft Security Essentials, it's a good idea to move to Windows Security. For more information, see [help protect my device with Windows Security](https://support.microsoft.com/help/17464/windows-10-help-protect-my-device-with-windows-security). **Turn on Windows Firewall**<p>
-You should always run Windows Firewall even if you have another firewall turned on. Turning off Windows Firewall might make your device (and your network, if you have one) more vulnerable to unauthorized access. See [Turn Windows Firewall on or off](https://support.microsoft.com/help/4028544/windows-10-turn-windows-defender-firewall-on-or-off) for instructions
+You should always run Windows Firewall even if you have another firewall turned on. Turning off Windows Firewall might make your device (and your network, if you have one) more vulnerable to unauthorized access. See [Turn Windows Firewall on or off](https://support.microsoft.com/help/4028544/windows-10-turn-windows-defender-firewall-on-or-off) for instructions.
## [Mac](#tab/Mac)
campaigns M365 Campaigns Sign In https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/campaigns/m365-campaigns-sign-in.md
Title: "Sign in to Microsoft 365" f1.keywords: - NOCSH--++
-ms.audience: Admin
+audience: Admin
localization_priority: Normal
If you signed up for Microsoft 365, you're the Microsoft 365 admin. Here's how t
Set up staff as described in [Add users](../admin/add-users/add-users.md?toc=%2fmicrosoft-365%2fcampaigns%2ftoc.json) You can also reset and resend passwords on the **Add users** page.
-All staff can sign in at <a href="https://office.com" target="_blank">https://Office.com</a>.
+All staff can sign in at <a href="https://office.com" target="_blank">https://Office.com</a>.
campaigns M365 Campaigns Sign Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/campaigns/m365-campaigns-sign-up.md
Title: "Sign up for Microsoft 365 for Campaigns" f1.keywords: - NOCSH--++
-ms.audience: Admin
+audience: Admin
localization_priority: Normal
After you have completed these steps, you're ready to [assign the new licenses](
- [Set up Microsoft 365](../business/set-up.md?toc=/microsoft-365/campaigns/toc.json) to complete your Microsoft 365 for Campaigns set up. - [Add users](../admin/add-users/add-users.md?toc=%2fmicrosoft-365%2fcampaigns%2ftoc.json) to your plan. Include the campaign candidate, all senior campaign staff, and anyone who will have access to sensitive campaign or party information.-- [Bump up protection for your campaign](m365-campaigns-security-overview.md)
+- [Bump up protection for your campaign](m365-campaigns-security-overview.md)
campaigns M365 Campaigns Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/campaigns/m365-campaigns-users.md
Title: "How these security recommendations affect your users" f1.keywords: - NOCSH--++
-ms.audience: Admin
+audience: Admin
localization_priority: Normal
campaigns Microsoft 365 Campaigns Setup Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/campaigns/microsoft-365-campaigns-setup-overview.md
Title: "Setup overview for Microsoft 365 Business Premium" f1.keywords: - NOCSH--++ Last updated 9/20/2018
-ms.audience: Admin
+audience: Admin
localization_priority: Normal
For key staff, we recommend that you use [managed devices](../business/set-up-wi
**If you need to contact support:**
-As a Microsoft 365 admin, you have access to our customer support team, **[Contact support for business products - Admin Help](../admin/contact-support-for-business-products.md)**
+As a Microsoft 365 admin, you have access to our customer support team, **[Contact support for business products - Admin Help](../admin/contact-support-for-business-products.md)**
commerce Manage Self Service Purchases Admins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-self-service-purchases-admins.md
localization_priority: Normal
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+
+- AdminSurgePortfolio
+- okr_smb
- commerce - search.appverid: - MET150 description: "Admins can learn how to manage self-service purchases made by users in their organization."
description: "Admins can learn how to manage self-service purchases made by user
# Manage self-service purchases (Admin) -
-> [!NOTE]
-> The admin center is changing. If your experience doesn't match the details presented here, see
-[About the new Microsoft 365 admin center](../../admin/microsoft-365-admin-center-preview.md?preserve-view=true&view=o365-21vianet).
-- As an admin, you can see self-service purchases made by people in your organization. You see the product name, purchaser name, subscriptions purchased, expiration date, purchase price, and assigned users for each self-service purchase. If required by your organization, you can turn off self-service purchasing on a per product basis via PowerShell. You have the same data management and access policies over products bought through self-service purchase or centrally. You can also control whether users in your organization can make self-service purchases. For more information, see [Use AllowSelfServicePurchase for the MSCommerce PowerShell module](allowselfservicepurchase-powershell.md). ## View self-service subscriptions + 1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.+++
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Billing** > **Your products** page.
+++
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Billing** > **Your products** page.
++ 2. On the **Products** tab, select the filter icon, then select **Self-service**. 3. To view more details about a subscription, choose one from the list. ## View who has licenses for a self-service purchase subscription
+> [!NOTE]
+> As an admin, you can't assign or unassign licenses for a self-service purchase subscription bought by a user in your organization. You can [take over a self-service purchase subscription](#take-over-a-self-service-purchase-subscription), and then assign or unassign licenses.
++ 1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.+++
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Billing** > **Licenses** page.
++
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Billing** > **Licenses** page.
++ 2. Select the filter icon, then choose **Self-service**. 3. Select a product to see licenses assigned to people. > [!NOTE]
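Review bot: the intro paragraph (the long line starting "-- As an admin, you can see self-service purchases") states twice that admins can restrict self-service purchasing, first as "you can turn off self-service purchasing on a per product basis via PowerShell" and again as "You can also control whether users in your organization can make self-service purchases"; merge these into one sentence that points at the AllowSelfServicePurchase article. The added note that admins cannot assign or unassign licenses on a self-service subscription until they take it over is the right thing to put here, since the steps below only show how to view those assignments.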
For more information, see [Use AllowSelfServicePurchase for the MSCommerce Power
You can assign existing licenses or purchase additional subscriptions through existing agreements for users assigned to self-service purchases. After you assign these centrally purchased licenses, you can request that purchasers cancel their existing subscriptions.
-1. In the admin center go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=868433" target="_blank">Purchase services</a> page.
+
+1. In the admin center go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=868433" target="_blank">Purchase services</a> page.
+++
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Billing** > **Purchase services** page.
+++
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Billing** > **Purchase services** page.
++ 2. Find and choose the product that you want to buy, then choose **Buy**. 3. Complete the remaining steps to complete your purchase. 4. Follow the steps in [View who has licenses for a self-service purchased subscription](#view-who-has-licenses-for-a-self-service-purchase-subscription) to export a list of users to reference in the next step.
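Review bot: step 4 ("Follow the steps in [View who has licenses for a self-service purchased subscription] ... to export a list of users") sends the reader to a section whose visible steps (filter on Self-service, select a product, see licenses assigned to people) contain no export action; either add the export step to that section or reword step 4 to say what the reader is actually expected to do there. Minor: the target heading reads "self-service purchase subscription" while the link text says "self-service purchased subscription".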
When you move users to a different subscription, the old subscription is automat
> [!NOTE] > You must have an available license for each user youΓÇÖre moving in the subscription that youΓÇÖre moving users to. + 1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.+++
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Billing** > **Your products** page.
+++
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Billing** > **Your products** page.
++ 2. On the **Products** tab, select the filter icon, then select **Self-service**. 3. Select the subscription that you want to take over. 4. On the subscription details page, in the **Subscriptions and settings** section, select **Take control of this subscription**.
When you move users to a different subscription, the old subscription is automat
When you choose to cancel a self-service purchase subscription, users with licenses lose access to the product. The user who originally bought the self-service purchase subscription receives an email that says the subscription was canceled. + 1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.+++
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Billing** > **Your products** page.
+++
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Billing** > **Your products** page.
++ 2. On the **Products** tab, select the filter icon, then select **Self-service**. 3. Select the subscription that you want to cancel. 4. On the subscription details page, in the **Subscriptions and settings** section, select **Take control of this subscription**.
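Review bot: step 4 of the cancel procedure ("select **Take control of this subscription**") is identical to step 4 of the take-over procedure above, so the cancel steps end without ever canceling anything; either the step is a copy-paste error or the steps that follow the take-over (the actual cancel action) were dropped. Since the lead-in says licensed users lose access and the purchaser is emailed when the subscription is canceled, the missing step matters; add the cancel action, or cross-reference the take-over steps and then state what to select to cancel.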
commerce Move Users Different Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/move-users-different-subscription.md
You must be a Global, License, or User admin to assign licenses. For more inform
1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page. 2. Select the circles next to the names of the users that you want to replace existing licenses for.
-3. At the top, select **More options (...)**, then select **Manage product licenses**.
-4. In the **Manage product licenses** pane, select **Replace existing product license assignments** \> **Next**.
-5. Switch the toggle to the **On** position for the licenses that you want to assign to these users.\
- You can limit which services are available to the users. Switch the toggles to the **Off** position for the services that you don't want those users to have. Any previous license assignments for the selected users are removed.
-6. At the bottom of the **Replace existing products** pane, select **Replace** \> **Close**.
+3. At the top, select **Manage product licenses**.
+4. In the **Manage product licenses** pane, select **Replace** and select the licenses that you would like to assign to the users.
+5. At the bottom, select **Save Changes** \> **Close**.
::: moniker-end
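Review bot: the rewritten steps 3 to 5 drop the sentence "Any previous license assignments for the selected users are removed" together with the note that individual services can be switched off before replacing; the first of these is the one warning a reader needs before selecting Replace, because the selected users lose whatever licenses and access they had. Suggest keeping that sentence under the new step 4, and keeping the per-service toggle note if the new pane still offers that option.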
If youΓÇÖre not going to [reassign the unused licenses to other users](../../man
[Remove licenses from your subscription](../licenses/buy-licenses.md) (article)\ [Change plans manually](change-plans-manually.md) (article)\ [Understand subscriptions and licenses in Microsoft 365 for business](../licenses/subscriptions-and-licenses.md) (article)\
-[Buy another Microsoft 365 for business subscription](../try-or-buy-microsoft-365.md) (article)
+[Buy another Microsoft 365 for business subscription](../try-or-buy-microsoft-365.md) (article)
+
compliance Add Your Organization Brand To Encrypted Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/add-your-organization-brand-to-encrypted-messages.md
To remove all modifications from the default template, including brand customiza
The following table describes the encryption customization option defaults.
- **To revert this feature of the encryption experience back to the default text and image**|**Use these commands**|
+ |To revert this feature of the encryption experience back to the default text and image|Use these commands|
|:--|:--|
- |Default text that comes with encrypted email messages <br/> The default text appears above the instructions for viewing encrypted messages|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -EmailText "<empty string>"` <br/> **Example:** <br/> `Set-OMEConfiguration -Identity "OME Configuration" -EmailText ""`|
+ |Default text that comes with encrypted email messages. The default text appears above the instructions for viewing encrypted messages|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -EmailText "<empty string>"` <br/> **Example:** <br/> `Set-OMEConfiguration -Identity "OME Configuration" -EmailText ""`|
|Disclaimer statement in the email that contains the encrypted message|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" DisclaimerText "<empty string>"` <br/> **Example:** <br/> `Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText ""`| |Text that appears at the top of the encrypted mail viewing portal|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -PortalText "<empty string>"` <br/> **Example reverting back to default:** <br/> `Set-OMEConfiguration -Identity "OME Configuration" -PortalText ""`| |Logo|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -Image <"$null">` <br/> **Example reverting back to default:** <br/> `Set-OMEConfiguration -Identity "OME configuration" -Image $null`| |Background color|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -BackgroundColor "$null">` <br/> **Example reverting back to default:** <br/> `Set-OMEConfiguration -Identity "OME configuration" -BackgroundColor $null`|
- |
## Remove a custom branding template (Advanced Message Encryption)
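Review bot: the hunk reworks the table header but leaves three defective command templates in the unchanged rows on the line that follows: the disclaimer row's template reads `DisclaimerText "<empty string>"` without the leading dash that its own example uses (`-DisclaimerText ""`), the logo row's template has `-Image <"$null">` while its example has `-Image $null`, and the background color row's template has `-BackgroundColor "$null">` with a stray closing bracket. Readers copy the template column, so make each template match its example: `-DisclaimerText "<empty string>"`, `-Image $null`, `-BackgroundColor $null`.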
compliance Customer Key Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-manage.md
The output from this cmdlet includes:
- **Rolling:** A key roll is in progress. If the key for the geo is rolling, you'll also be shown information on what percentage of sites have completed the key roll operation so that you can monitor progress.
-## Unassign a DEP from a mailbox
+## Roll back from Customer Key to Microsoft managed Keys
-You unassign a DEP from a mailbox using the Set-mailbox PowerShell cmdlet and setting the `DataEncryptionPolicy` to `$NULL`. Running this cmdlet unassigns the currently assigned DEP and reencrypts the mailbox using the DEP associated with default Microsoft managed keys. You can't unassign the DEP used by Microsoft managed keys. If you don't want to use Microsoft managed keys, you can assign another DEP to the mailbox.
+For Customer Key at the tenant level, you'll need to reach out to Microsoft with a request for ΓÇ£offboardingΓÇ¥ from Customer Key. The request will be handled by the On Call Engineering team.
+
+For Customer Key at the application level, you do this by unassigning a DEP from mailboxes using the Set-mailbox PowerShell cmdlet and setting the `DataEncryptionPolicy` to `$NULL`. Running this cmdlet unassigns the currently assigned DEP and reencrypts the mailbox using the DEP associated with default Microsoft managed keys. You can't unassign the DEP used by Microsoft managed keys. If you don't want to use Microsoft managed keys, you can assign another Customer Key DEP to the mailbox.
To unassign the DEP from a mailbox using the Set-Mailbox PowerShell cmdlet, complete these steps.
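Review bot: the new tenant-level paragraph ("reach out to Microsoft with a request for offboarding") does not say how to make that request, and "handled by the On Call Engineering team" is an internal detail that does not help the reader; state the channel (a support case, or the m365ck@microsoft.com address the tenant-level preview article uses for questions, if that is the intended route), what the request should contain, and whether the mailbox and Teams data is re-encrypted to Microsoft-managed keys as part of it, since that is exactly what the application-level paragraph below spells out for Set-Mailbox. Minor: `Set-mailbox` in the new paragraph should be `Set-Mailbox`, matching the line that follows.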
To unassign the DEP from a mailbox using the Set-Mailbox PowerShell cmdlet, comp
## Revoke your keys and start the data purge path process
-You control the revocation of all root keys including the availability key. Customer Key provides control of the exit planning aspect of the regulatory requirements for you. If you decide to revoke your keys to purge your data and exit the service, the service deletes the availability key once the data purge process completes.
+You control the revocation of all root keys including the availability key. Customer Key provides control of the exit planning aspect of the regulatory requirements for you. If you decide to revoke your keys to purge your data and exit the service, the service deletes the availability key once the data purge process completes. You can't perform a data purge for a tenant-level policy.
Microsoft 365 audits and validates the data purge path. For more information, see the SSAE 18 SOC 2 Report available on the [Service Trust Portal](https://servicetrust.microsoft.com/). In addition, Microsoft recommends the following documents:
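Review bot: the appended sentence "You can't perform a data purge for a tenant-level policy" contradicts the opening of the same paragraph ("You control the revocation of all root keys including the availability key ... exit planning") with no explanation; say what a tenant-level customer can do on exit instead (the offboarding request described above) and whether revoking the keys is still possible for tenant-level data, otherwise the reader is left believing the exit-planning control applies to them when it does not.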
compliance Customer Key Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-overview.md
Customer Key enhances the ability of your organization to meet the demands of co
## Customer Key encrypts data at rest in Office 365
-Using keys you provide, Customer Key encrypts:
+Using keys you provide, Customer Key at the application level encrypts:
- SharePoint Online, OneDrive for Business, and Teams files. - Files uploaded to OneDrive for Business.
compliance Customer Key Tenant Level https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-tenant-level.md
Title: "Customer Key for Microsoft 365 at the tenant level (public preview)"
Previously updated : 2/17/2021 Last updated : 3/26/2021 audience: ITPro
- M365-security-compliance - m365solution-mip - m365initiative-compliance
-description: "Learn how to set up Customer Key for all data within your Microsoft 365 tenant."
+description: "Learn how to set up Customer Key for your data within Microsoft 365 at the tenant level."
# Overview of Customer Key for Microsoft 365 at the tenant level (public preview)
-Using keys you provide, you can create a data encryption policy (DEP) and assign it to the tenant. The DEP encrypts data across the tenant for these workloads:
+Using keys you provide, you can create a data encryption policy (DEP) and assign it to the tenant. The tenant-wide DEP you create encrypts the following data:
- Teams chat messages (1:1 chats, group chats, meeting chats and channel conversations) - Teams media messages (images, code snippets, video messages, audio messages, wiki images)
Using keys you provide, you can create a data encryption policy (DEP) and assign
- Teams status messages - User and signal information for Exchange Online - Exchange Online mailboxes that aren't already encrypted Customer Key DEPs at the application level
+- MIP exact data match (EDM) data ΓÇô (data file schemas, rule packages, and the salts used to hash the sensitive data)
-For Microsoft Teams, Customer Key at the tenant level encrypts new data from the time the DEP is assigned to the tenant. Public preview does not support encrypting past data. For Exchange Online, Customer Key encrypts all existing and new data.
+For Microsoft Information Protection and Microsoft Teams, Customer Key at the tenant level encrypts new data from the time you assign the DEP to the tenant. Public preview doesn't support encrypting past data. For Exchange Online, Customer Key encrypts all existing and new data.
-You can create multiple DEPs per tenant but can only assign one DEP at any point in time. When you assign the DEP, encryption begins automatically but can take some time to complete depending on the size of your tenant.
+You can create multiple DEPs per tenant but can only assign one DEP at a time. When you assign the DEP, encryption begins automatically but takes some time to complete depending on the size of your tenant.
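Review bot: the new bullet on MIP exact data match rightly calls out that the salts used to hash sensitive data are covered, but the next line says that for MIP (and Teams) only data created after the DEP is assigned is encrypted; say what that means for EDM schemas, rule packages and salts uploaded before assignment (re-upload to bring them under Customer Key, or leave them as they are). Also, "User and signal information for Exchange Online" is undefined here; name what "signal information" covers or link to where it is defined.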
## Tenant level policies add broader control to Customer Key for Microsoft 365 If you already have Customer Key set up for Exchange Online and Sharepoint Online, here's how the new tenant-level public preview fits in.
-The tenant-level encryption policy you create encrypts all data for the Microsoft Teams and Exchange Online workloads in Microsoft 365. However, for Exchange Online, if you have already assigned Customer Key DEPs to individual mailboxes, the tenant-level policy won't override those DEPs. The tenant-level policy will only encrypt mailboxes that aren't assigned a mailbox level Customer Key DEP already.
+The tenant-level encryption policy you create encrypts all data for the Microsoft Teams and Exchange Online workloads in Microsoft 365. However, for Exchange Online, if you have already assigned Customer Key DEPs to individual mailboxes, the tenant-level policy won't override those DEPs. The tenant-level policy will only encrypt mailboxes that aren't assigned a mailbox level Customer Key DEP already. When you encrypt a user mailbox using a tenant level DEP, all its content gets encrypted. For information about what gets encrypted with a DEP at the application level, see [Service encryption with Customer Key](customer-key-overview.md).
-For example, Microsoft Teams files and some Teams call and meeting recordings that are saved in OneDrive for Business and SharePoint are encrypted by a SharePoint Online DEP. A single SharePoint Online DEP encrypts content within a single geo.
+## Data that isn't encrypted with Customer Key at the tenant level
+
+Customer Key doesn't encrypt the following types of data at the tenant level. Instead, Microsoft 365 uses other types of encryption to protect this data.
+
+- Exchange online mailboxes that you've already encrypted using a Customer Key DEP at the application level. Mailboxes that don't have a Customer Key DEP assigned to them will be encrypted using the tenant level DEP. This arrangement means that you may have some mailboxes encrypted with a tenant level DEP and some mailboxes encrypted with application level DEPs.
+- SharePoint and OneDrive for Business use Customer Key at the application level. A single DEP encrypts content in SharePoint for a single geo.
+- Microsoft Teams files and some Teams call and meeting recordings saved in OneDrive for Business and SharePoint are encrypted by a SharePoint Online DEP.
+
+Any workloads or scenarios that aren't currently supported by Customer Key for Microsoft 365.
+
+- Other Microsoft 365 workloads such as Yammer, Planner, and so on.
+- Teams Live Events and Q&A in Live Events. For Teams, this scenario is the only one that isn't encrypted by Customer Key at the tenant level.
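Review bot: the line "Any workloads or scenarios that aren't currently supported by Customer Key for Microsoft 365." is a sentence fragment introducing the second list; make it a lead-in ("Customer Key at the tenant level also doesn't cover workloads or scenarios it doesn't yet support:") or fold it into the paragraph above. In the first list, the Exchange Online bullet repeats the paragraph above (mailboxes with an application-level DEP keep it, the rest get the tenant DEP); keep one of the two. The Teams Live Events bullet says it is the only Teams scenario not covered; since this is the public preview article, say whether that is a preview limitation or a permanent one.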
## Set up Customer Key at the tenant level (public preview)
-These steps are similar but not identical to the steps for setting up Customer Key at the application level. You should only use this public preview with test data in test tenants. Do not use this release with production data or in your production environment. If you already have a production deployment of Customer Key, use these steps to set up Customer Key at the tenant level in a test environment. Once you have assigned a tenant level DEP to your tenant, you can start the validation process and reach out to m365ck@microsoft.com with any questions or concerns. You can also find documented validation steps in the public preview of [Validation Instructions for Data-at-rest Encryption for Microsoft 365](https://aka.ms/CustomerKey/PublicPreviewValidation).
+These steps are similar but not identical to the steps for setting up Customer Key at the application level. Only use this public preview with test data in test tenants. Don't use this release with production data or in your production environment. If you already have a production deployment of Customer Key, use these steps to set up Customer Key at the tenant level in a test environment. Once you've assigned a tenant level DEP to your tenant, you can start the validation process and contact m365ck@microsoft.com with any questions or concerns. You can also find documented validation steps in the public preview of [Validation Instructions for Data-at-rest Encryption for Microsoft 365](https://aka.ms/CustomerKey/PublicPreviewValidation).
You'll complete most of these tasks by remotely connecting to Azure PowerShell. For best results, use version 4.4.0 or later of Azure PowerShell.
-Before you get started, make sure of the following:
+Before you begin:
- You'll need to use a work or school account that has the compliance admin role to set up Customer Key at the tenant level.-- Ensure that you have the appropriate licensing for your organization. Use a paid, invoiced Azure Subscription using either an Enterprise Agreement or a Cloud Service Provider. Azure Subscriptions purchased using Pay As You Go plans or using a credit card aren't supported for Customer Key. Starting April 1, 2020, Customer Key in Office 365 is offered in Office 365 E5, M365 E5, M365 E5 Compliance, and M365 E5 Information Protection & Governance SKUs. Office 365 Advanced Compliance SKU is no longer available for procuring new licenses. Existing Office 365 Advanced Compliance licenses will continue to be supported. While the service can be enabled with a minimum of one license under the tenant having the appropriate license, you should still make sure all users that benefit from the service have appropriate licenses.
+- Ensure that you have the appropriate licensing for your organization. Use a paid, invoiced Azure Subscription using either an Enterprise Agreement or a Cloud Service Provider. Azure Subscriptions purchased using Pay As You Go plans or using a credit card aren't supported for Customer Key. Starting April 1, 2020, Customer Key in Office 365 is offered in Office 365 E5, Microsoft 365 E5, Microsoft 365 E5 Compliance, and Microsoft 365 E5 Information Protection & Governance SKUs. Office 365 Advanced Compliance SKU is no longer available for new licenses. Existing Office 365 Advanced Compliance licenses will continue to be supported. While the service can be enabled with a minimum of one appropriately licensed user under the tenant, you should still make sure all users that benefit from the service have appropriate licenses.
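Review bot: the warning "Only use this public preview with test data in test tenants" should say why, because the consequences are already visible on this page and in the companion customer-key-manage change: assigning a tenant-level DEP re-encrypts all existing Exchange Online data as soon as it is assigned, and leaving tenant-level Customer Key requires an offboarding request to Microsoft rather than an admin action. One sentence to that effect next to the warning would stop a reader from trying it in production. Minor: the licensing bullet lists the SKUs for Customer Key in general; say whether the tenant-level preview adds any licensing requirement or none.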
### Create two new Azure subscriptions
-Customer Key requires two keys for each data encryption policy (DEP). To achieve this, you must create two Azure subscriptions. As a best practice, Microsoft recommends that you have separate members of your organization configure one key in each subscription. Only use these Azure subscriptions to administer encryption keys for Microsoft 365. This protects your organization in case one of your operators accidentally, intentionally, or maliciously deletes or otherwise mismanages the keys for which they are responsible.
+Customer Key requires two keys for each data encryption policy (DEP). To create two keys, you must create two Azure subscriptions. As a best practice, Microsoft recommends that you have separate members of your organization configure one key in each subscription. Only use these Azure subscriptions to administer encryption keys for Microsoft 365. Following these guidelines helps protect your organization in case one of your operators accidentally, intentionally, or maliciously deletes or otherwise mismanages the keys for which they are responsible.
There is no practical limit to the number of Azure subscriptions that you can create for your organization. Following this best practice helps minimize the impact of human error while helping to manage the resources used by Customer Key. ### Register Azure subscriptions to use a mandatory retention period
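Review bot: "To create two keys, you must create two Azure subscriptions" presents the subscription count as something the key count forces, whereas the sentences that follow give the actual reason, separate members of the organization administering one key in each subscription so that a single operator cannot mismanage both. Suggest: "To keep the two keys under separate administrative control, create two Azure subscriptions, one for each key." The following context line also runs the heading "### Register Azure subscriptions to use a mandatory retention period" onto the end of the paragraph; it needs its own line to render.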
-The temporary or permanent loss of root encryption keys can be disruptive or even catastrophic to service operation and can result in data loss. For this reason, the resources used with Customer Key require strong protection. All the Azure resources that are used with Customer Key offer protection mechanisms beyond the default configuration. Azure subscriptions can be tagged or registered in a way that will prevent immediate and irrevocable cancellation. This is referred to as registering for a mandatory retention period. The steps required to register Azure subscriptions for a mandatory retention period require collaboration with the Microsoft. This process can take up to five business days. Previously, this was sometimes referred to as "Do Not Cancel".
+The temporary or permanent loss of root encryption keys can be disruptive or even catastrophic to service operation and can result in data loss. For this reason, the resources used with Customer Key require strong protection. All the Azure resources that are used with Customer Key offer protection mechanisms beyond the default configuration. Azure subscriptions can be tagged or registered in a way that will prevent immediate and irrevocable cancellation. This process is referred to as registering for a mandatory retention period. The steps required to register Azure subscriptions for a mandatory retention period require collaboration with the Microsoft. This process can take up to five business days. Previously, this process was sometimes referred to as "Do Not Cancel".
Before contacting the Microsoft 365 team, you must perform the following steps for each Azure subscription that you use with Customer Key. Ensure that you have the [Azure PowerShell Az](/powershell/azure/new-azureps-module-az) module installed before you start.
Before contacting the Microsoft 365 team, you must perform the following steps f
Register-AzProviderFeature -FeatureName mandatoryRetentionPeriodEnabled -ProviderNamespace Microsoft.Resources ```
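Review bot: "require collaboration with the Microsoft" is still missing its noun in the + line; the next paragraph names the party as "the Microsoft 365 team", so use that here. The paragraph also describes the protection only indirectly ("tagged or registered in a way that will prevent immediate and irrevocable cancellation"); tie it to the command shown below (Register-AzProviderFeature -FeatureName mandatoryRetentionPeriodEnabled) with a sentence saying that this registration is what places the subscription under the mandatory retention period, so readers see why the cmdlet is a prerequisite to emailing Microsoft.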
-3. Contact Microsoft to have the process finalized at [m365ck@microsoft.com](mailto:m365ck@microsoft.com). Include the following in your email:
+3. Contact Microsoft to have the process finalized at [m365ck@microsoft.com](mailto:m365ck@microsoft.com). Include the following content in your email:
**Subject**: Customer Key for \<*Your tenant's fully-qualified domain name*\>
When you create a key vault, you must choose a SKU: either Standard or Premium.
Use a common prefix for key vaults and include an abbreviation of the use and scope of the key vault and keys. For example, for the Contoso service where the vaults will be located in North America, a possible pair of names is Contoso-O365-NA-VaultA1 and Contoso-O365-NA-VaultA2. Vault names are globally unique strings within Azure, so you may need to try variations of your desired names in case the desired names are already claimed by other Azure customers. Once configured, vault names cannot be changed, so the best practice is to have a written plan for setup and use a second person to verify the plan is executed correctly.
-If possible, create your vaults in non-paired regions. Paired Azure regions provide high availability across service failure domains. Therefore, regional pairs can be thought of as each other's backup region. This means that an Azure resource that is placed in one region is automatically gaining fault tolerance through the paired region. For this reason, choosing regions for two vaults used in a data encryption policy where the regions are paired means that only a total of two regions of availability are in use. Most geographies only have two regions, so it's not yet possible to select non-paired regions. If possible, choose two non-paired regions for the two vaults used with a data encryption policy. This benefits from a total of four regions of availability. For more information, see [Business continuity and disaster recovery (BCDR): Azure Paired Regions](/azure/best-practices-availability-paired-regions) for a current list of regional pairs.
+If possible, create your vaults in non-paired regions. Paired Azure regions provide high availability across service failure domains. Therefore, regional pairs can be thought of as each other's backup region. An Azure resource that is placed in one region is automatically gaining fault tolerance through the paired region. Choosing regions for two vaults used in a data encryption policy where the regions are paired means that only a total of two regions of availability are in use. Most geographies only have two regions, so it's not yet possible to select non-paired regions. If possible, choose two non-paired regions for the two vaults used with a data encryption policy. This scenario benefits from a total of four regions of availability. For more information, see [Business continuity and disaster recovery (BCDR): Azure Paired Regions](/azure/best-practices-availability-paired-regions) for a current list of regional pairs.
### Assign permissions to each key vault
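Review bot: the paragraph opens with "If possible, create your vaults in non-paired regions", then says "Most geographies only have two regions, so it's not yet possible to select non-paired regions", then repeats "If possible, choose two non-paired regions"; the repetition and the unqualified "not yet possible" read as contradicting each other. Suggest one statement: "Where your geography offers more than two regions, place the two vaults of a data encryption policy in non-paired regions, so the policy benefits from four regions of availability instead of two." Also "is automatically gaining fault tolerance" should be "automatically gains fault tolerance".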
-For each key vault, you will need to define three separate sets of permissions for Customer Key, depending on your implementation. For example, you will need to define one set of permissions for each of the following:
+For each key vault, you'll need to define three separate sets of permissions for Customer Key, depending on your implementation. For example, you'll need to define one set of permissions for each of these:
- **Key vault administrators** that will perform day-to-day management of your key vault for your organization. These tasks include backup, create, get, import, list, and restore. > [!IMPORTANT] > The set of permissions assigned to key vault administrators does not include the permission to delete keys. This is intentional and an important practice. Deleting encryption keys is not typically done, since doing so permanently destroys data. As a best practice, do not grant this permission to key vault administrators by default. Instead, reserve this for key vault contributors and only assign it to an administrator on a short term basis once a clear understanding of the consequences is understood.
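Review bot: "three separate sets of permissions for Customer Key, depending on your implementation. For example, you'll need to define one set of permissions for each of these:" is internally inconsistent: the count is fixed at three, and the list that follows is the definition rather than an example. Suggest "For each key vault, define three sets of permissions, one for each of the following roles:" and drop both "depending on your implementation" and "For example".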
- To assign these permissions to a user in your organization, log in to your Azure subscription with Azure PowerShell. For instructions, see [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps).
+ To assign these permissions to a user in your organization, sign in to your Azure subscription with Azure PowerShell. For instructions, see [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps).
Run the Set-AzKeyVaultAccessPolicy cmdlet to assign the necessary permissions.
Add-AzKeyVaultKey -VaultName Contoso-O365EX-NA-VaultA1 -Name Contoso-O365EX-NA-V
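Review bot: the sign-in sentence and the "Run the Set-AzKeyVaultAccessPolicy cmdlet" instruction that follows never state which permissions to pass for the key vault administrator role described just above (backup, create, get, import, list, restore, and explicitly not delete). Since the IMPORTANT note makes withholding delete the whole point of that role, the Set-AzKeyVaultAccessPolicy example should show exactly that permission list, so a reader cannot copy a broader one by accident.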
### Check the recovery level of your keys
-Microsoft 365 requires that the Azure Key Vault subscription is set to Do Not Cancel and that the keys used by Customer Key have soft delete enabled. You can confirm this by looking at the recovery level on your keys.
+Microsoft 365 requires that the Azure Key Vault subscription is set to Do Not Cancel and that the keys used by Customer Key have soft delete enabled. You can confirm these settings by looking at the recovery level on your keys.
To check the recovery level of a key, in Azure PowerShell, run the Get-AzKeyVaultKey cmdlet as follows:
If the _Recovery Level_ property returns anything other than a value of **Recove
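Review bot: the + line still calls the subscription setting "Do Not Cancel", although the registration section above says that name is the previous one and the current term is registering for a mandatory retention period; use the current term here and in the recovery-level check so readers searching the page find a single name for one setting.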
### Back up Azure Key Vault
-Immediately following creation or any change to a key, perform a backup and store copies of the backup, both online and offline. Don't connect offline copies to any network. Instead, store them in a physical safe or commercial storage facility. At least one copy of the backup should be stored in a location that will be accessible if a disaster happens. The backup blobs are the sole means of restoring key material should a Key Vault key be permanently destroyed or otherwise rendered inoperable. Keys that are external to Azure Key Vault and were imported to Azure Key Vault do not qualify as a backup because the metadata necessary for Customer Key to use the key does not exist with the external key. Only a backup taken from Azure Key Vault can be used for restore operations with Customer Key. Therefore, it is essential that you make a backup of Azure Key Vault once a key is uploaded or created.
+Immediately following creation or any change to a key, back up the key and store copies of the backup, both online and offline. Don't connect offline copies to any network. Instead, store them in a physical safe or commercial storage facility. At least one copy of the backup should be stored in a location that will be accessible if a disaster happens. The backup blobs are the sole means of restoring key material should a Key Vault key be permanently destroyed or otherwise rendered inoperable. Keys that are external to Azure Key Vault and were imported to Azure Key Vault don't qualify as a backup because the metadata necessary for Customer Key to use the key doesn't exist with the external key. Only a backup taken from Azure Key Vault can be used for restore operations with Customer Key. So, it's essential that you make a backup of Azure Key Vault once a key is uploaded or created.
To create a backup of an Azure Key Vault key, run the [Backup-AzKeyVaultKey](/powershell/module/az.keyvault/backup-azkeyvaultkey) cmdlet as follows:
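Review bot: the paragraph says "Immediately following creation or any change to a key, back up the key" but then calls the result "a backup of Azure Key Vault" as if it were one vault-wide operation, while Backup-AzKeyVaultKey on the next line backs up a single key. State that the backup is per key, that it must be taken for the key in each of the two vaults of a data encryption policy (the setup section creates two keys per DEP), and that it must be repeated after every rotation, so the "sole means of restoring key material" claim is matched by a procedure that actually covers every key.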
Set-M365DataAtRestEncryptionPolicyAssignment -DataEncryptionPolicy "<Default_Pol
``` Description:
-This cmdlet is used for configuring default Data Encryption Policy. This policy will be used to then encrypt data across all support workloads.
+This cmdlet is used for configuring default Data Encryption Policy. This policy will be used to then encrypt data across all support workloads.
Example:
Parameters:
|-|-|| |-Identity|Specifies the data encryption policy that you want to modify.|N| |-Refresh|Use the Refresh switch to update the data encryption policy after you rotate any of the associated keys in the Azure Key Vault. You don't need to specify a value with this switch.|Y|
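Review bot: the - and + lines of the Description are identical, so this hunk changes whitespace only; while touching it, fix "across all support workloads" to "across all supported workloads" and "configuring default Data Encryption Policy" to "configuring the default data encryption policy". The parameter table's separator row "|-|-||" also has an empty third cell; use "|--|--|--|" so the Required column renders.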
-|-Enabled|The Enabled parameter enables or disable the data encryption policy. Before you disable a policy, you must unassign it from your tenant. Valid values are:</br > $true: The policy is enabled</br > $false: The policy is disabled.|Y|
+|-Enabled|The Enabled parameter enables or disables the data encryption policy. Before you disable a policy, you must unassign it from your tenant. Valid values are:</br > $true: The policy is enabled</br > $false: The policy is disabled.|Y|
|-Name|The Name parameter specifies the unique name for the data encryption policy.|Y| |-Description|The Description parameter specifies an optional description for the data encryption policy.|Y|
Get-M365DataAtRestEncryptionPolicyAssignment
Description: This cmdlet lists the policy thatΓÇÖs currently assigned to the tenant.
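Review bot: "</br >" in the -Enabled row is not a valid line-break tag and will be rendered literally by some Markdown pipelines; use "<br />" as the other tables on this page do. The cmdlet description two lines down also carries a mis-encoded apostrophe ("thatΓÇÖs"); replace it with "that's".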
-## Offboarding from Customer Key
+## Offboarding from Customer Key at the tenant level
-If you need to revert back to Microsoft-managed keys, you can. When you offboard, your data is re-encrypted using default encryption supported by each individual workload. For example, Exchange Online supports default encryption using Microsoft-managed keys.
+If you need to revert to Microsoft-managed keys, you can. When you offboard, your data is re-encrypted using default encryption supported by each individual workload. For example, Exchange Online supports default encryption using Microsoft-managed keys.
-If you decided to offboard your tenant from Customer Key at the tenant level, reach out to Microsoft with a request through email to "disable" the service for the tenant at [m365ck@microsoft.com](mailto:m365ck@microsoft.com).
+If you decide to offboard your tenant from Customer Key at the tenant level, email [m365ck@microsoft.com](mailto:m365ck@microsoft.com) with a request to "disable" the service for the tenant.
> [!IMPORTANT] > Offboarding is not the same as a data purge. A data purge permanently crypto-deletes your organization's data from Microsoft 365, offboarding does not. You can't perform a data purge for a tenant-level policy. For information about data purge path, see [Revoke your keys and start the data purge path process](customer-key-manage.md#revoke-your-keys-and-start-the-data-purge-path-process).
For information about the availability key, see [Learn about the availability ke
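Review bot: "If you need to revert to Microsoft-managed keys, you can." gives no ordering: the next sentence says data is re-encrypted with each workload's default encryption, but not whether the Customer Key policy must be unassigned first or whether the Azure Key Vault keys must stay available until that re-encryption completes. Since the IMPORTANT note distinguishes offboarding from a purge, a sentence on when the vault keys may safely be decommissioned would prevent an admin from removing keys too early. In the IMPORTANT note, "from Microsoft 365, offboarding does not" is a comma splice; use a semicolon, and "For information about data purge path" should read "the data purge path".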
## Key rotation
-For information about rotating or rolling keys used with Customer Key, see [Roll or rotate a Customer Key or an availability key](customer-key-availability-key-roll.md). When you update the DEP to use the new version of the keys, you'll run the Set-M365DataAtRestEncryptionPolicy cmdlet as described earlier in this article.
+For information about rotating or rolling keys that you use with Customer Key, see [Roll or rotate a Customer Key or an availability key](customer-key-availability-key-roll.md). When you update the DEP to use the new version of the keys, you'll run the Set-M365DataAtRestEncryptionPolicy cmdlet as described earlier in this article.
+
+## Known issues
+
+When you enable Customer Key at the tenant level, you can't create a new team in Microsoft Teams.
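Review bot: the new Known issues entry states the symptom (cannot create a new team) but not its scope or a path forward; say whether existing teams keep working, whether the limitation applies only while the tenant-level policy is assigned, and where to check for a fix, otherwise a reader cannot weigh it against enabling Customer Key. In the Key rotation paragraph, confirm the cmdlet name: the parameter table above documents -Refresh on Set-M365DataAtRestEncryptionPolicy, while the invocation shown earlier is Set-M365DataAtRestEncryptionPolicyAssignment; "as described earlier in this article" should point at the one that takes -Refresh.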
-## Related articles:
+## Related articles
- [Service encryption with Customer Key](customer-key-overview.md)
For information about rotating or rolling keys used with Customer Key, see [Roll
- [Learn about the availability key](customer-key-availability-key-understand.md) -- [Service Encryption](office-365-service-encryption.md)
+- [Service Encryption](office-365-service-encryption.md)
compliance Double Key Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/double-key-encryption.md
DKE tenant and key settings are located in the **appsettings.json** file.
"https://sts.windows.net/9c99431e-b513-44be-a7d9-e7b500002d4b/" ] ```
+> [!NOTE]
+> If you want to enable external B2B access to your key store, you will also need to include these external tenants as part of the valid issuers' list.
Locate the `JwtAudience`. Replace `<yourhostname>` with the hostname of the machine where the DKE service will run. For example:
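Review bot: the new NOTE tells admins to add external B2B tenants to the valid issuers' list but not what that grants. Every issuer URL added (the "https://sts.windows.net/<tenant-id>/" form shown above) makes the DKE service accept tokens issued by that tenant, so the note should say to add only the specific tenant IDs that need key access, to review the list periodically, and to keep the JwtAudience value configured in the next step set to this host so that a token from an allowed issuer is still bound to this DKE service.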
compliance Information Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-protection.md
For information about governing your data, see [Microsoft Information Governance
To understand your data landscape and identify important data across your hybrid environment, use the following capabilities: |Capability|What problems does it solve?|Get started|
-|:|:|:--|:--|
-|[Sensitive information types](sensitive-information-type-entity-definitions.md)| Identifies sensitive data by using built-in or custom regular expressions or a function. Corroborative evidence includes keywords, confidence levels, and proximity.| [Customize a built-in sensitive information type](customize-a-built-in-sensitive-information-type.md)|
+|:|:|:--|
+|[Sensitive information types](sensitive-information-type-learn-about.md)| Identifies sensitive data by using built-in or custom regular expressions or a function. Corroborative evidence includes keywords, confidence levels, and proximity.| [Customize a built-in sensitive information type](customize-a-built-in-sensitive-information-type.md)|
|[Trainable classifiers](classifier-learn-about.md)| Identifies sensitive data by using examples of the data you're interested in rather than identifying elements in the item (pattern matching). You can use built-in classifiers or train a classifier with your own content.| [Get started with trainable classifiers](classifier-get-started-with.md) | |[Data classification](data-classification-overview.md) | A graphical identification of items in your organization that have a sensitivity label, a retention label, or have been classified. You can also use this information to gain insights into the actions that your users are taking on these items. | [Get started with content explorer](data-classification-content-explorer.md)<br /><br /> [Get started with activity explorer](data-classification-activity-explorer.md) |
To understand your data landscape and identify important data across your hybrid
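Review bot: the new alignment row "|:|:|:--|" fixes the cell count (three columns, previously four) but ":" on its own is not a valid column alignment; use "|:--|:--|:--|" so the table renders. Also confirm that the retargeted link, sensitive-information-type-learn-about.md, exists in the repo, since the row's link text is unchanged.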
To apply flexible protection actions that include encryption, access restrictions, and visual markings, use the following capabilities: |Capability|What problems does it solve?|Get started|
-|:|:||:-|
+|:|:||
|[Sensitivity labels](sensitivity-labels.md)| A single solution across apps, services, and devices to label and protect your data as it travels inside and outside your organization. <br /><br />Example scenarios: <br /> [Manage sensitivity labels for Office apps](sensitivity-labels-office-apps.md)<br /> [Encrypt documents and emails](encryption-sensitivity-labels.md )<br /> [Apply and view labels in Power BI](/power-bi/admin/service-security-apply-data-sensitivity-labels) <br /><br /> For a comprehensive list of scenarios for sensitivity labels, see the Get started documentation.|[ Get started with sensitivity labels](get-started-with-sensitivity-labels.md) | |[Azure Information Protection unified labeling client](/azure/information-protection/rms-client/aip-clientv2)| For Windows computers, extends sensitivity labels for additional features and functionality that includes labeling and protecting all file types from File Explorer and PowerShell<br /><br /> Example additional features: [Custom configurations for the Azure Information Protection unified labeling client](/azure/information-protection/rms-client/clientv2-admin-guide-customizations)| [Azure Information Protection unified labeling client administrator guide](/azure/information-protection/rms-client/clientv2-admin-guide)| |[Double Key Encryption](double-key-encryption.md)| Under all circumstances, only your organization can ever decrypt protected content or for regulatory requirements, you must hold encryption keys within a geographical boundary. | [Deploy Double Key Encryption](double-key-encryption.md#deploy-dke)|
To help prevent accidental oversharing of sensitive information, use the followi
|Capability|What problems does it solve?|Get started|
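Review bot: the corrected alignment row "|:|:||" still contains an empty cell and two ":"-only cells, so the table will not render as intended; use "|:--|:--|:--|" to match the three header cells.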
-|:|:|:|:--|
-|[Data loss prevention (DLP)](data-loss-prevention-policies.md)| Helps prevent unintentional sharing of sensitive items. <br /><br />Example scenario: [Protect sensitive information in Microsoft Teams chat and channel messages](dlp-microsoft-teams.md) | [Get started with the default DLP policy](get-started-with-the-default-dlp-policy.md)|
-|[Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md)| Extends DLP capabilities to items that are used and shared on Windows 10 computers. | [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md)|
+|:|:|:|
+|[Data loss prevention (DLP)](data-loss-prevention-policies.md)| Helps prevent unintentional sharing of sensitive items. | [Get started with the default DLP policy](get-started-with-the-default-dlp-policy.md)|
+|[Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md)| Extends DLP capabilities to items that are used and shared on Windows 10 computers. | [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md)|
+|[Learn about the Microsoft Compliance Extension (preview)](dlp-chrome-learn-about.md) | Extends DLP capabilities to the Chrome browser | [Get started with the Microsoft Compliance Extension (preview)](dlp-chrome-get-started.md)|
+|[Learn about Microsoft 365 data loss prevention on-premises scanner (preview)](dlp-on-premises-scanner-learn.md)|Extends DLP monitoring of file activities and protective actions for those files to on-premises file shares and SharePoint folders and document libraries.|[Get started with Microsoft 365 data loss prevention on-premises scanner (preview)](dlp-on-premises-scanner-get-started.md)|
+|[Protect sensitive information in Microsoft Teams chat and channel messages](dlp-microsoft-teams.md) | Extends some DLP functionality to Teams chat and channel messages | [Learn about the default data loss prevention policy in Microsoft Teams (preview)](dlp-teams-default-policy.md)|
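Review bot: the alignment row "|:|:|:|" has the same problem as the other two tables in this file, no dashes; use "|:--|:--|:--|". Moving the Teams scenario out of the DLP row into its own row is an improvement, but "Extends some DLP functionality to Teams chat and channel messages" should say which functionality (or link to it), and that cell and "Extends DLP capabilities to the Chrome browser" lack the terminal period the other rows have.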
compliance Ome Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ome-faq.md
For more information about BYOK, see [Planning and implementing your Azure Infor
## Do OME and BYOK with Azure Information Protection change Microsoft's approach to third-party data requests such as subpoenas?
-No. OME and the option to provide and control your own encryption keys, called BYOK, from Azure Information Protection were not designed to respond to law enforcement subpoenas. OME, with BYOK for Azure Information Protection, was designed for compliance-focused customers. Microsoft takes third-party requests for customer data very seriously. As a cloud service provider, we always advocate for the privacy of customer data. In the event we get a subpoena, we always attempt to redirect the third party to the customer to obtain the information. (Please read Brad Smith's blog: [Protecting customer data from government snooping](https://blogs.microsoft.com/blog/2013/12/04/protecting-customer-data-from-government-snooping/)). We periodically publish detailed information of the request we receive. For more information regarding third-party data requests, see [Responding to government and law enforcement requests to access customer data](https://www.microsoft.com/trustcenter/privacy/govt-requests-for-data) on the Microsoft Trust Center. Also, see "Disclosure of Customer Data" in the [Online Services Terms (OST)](https://www.microsoft.com/Licensing/product-licensing/products.aspx).
+No. OME and the option to provide and control your own encryption keys, called BYOK, from Azure Information Protection were not designed to respond to law enforcement subpoenas. OME, with BYOK for Azure Information Protection, was designed for compliance-focused customers. Microsoft takes third-party requests for customer data seriously. As a cloud service provider, we always advocate for the privacy of customer data. In the event we get a subpoena, we always attempt to redirect the third party to the customer to obtain the information. (Read Brad Smith's blog: [Protecting customer data from government snooping](https://blogs.microsoft.com/blog/2013/12/04/protecting-customer-data-from-government-snooping/)). We periodically publish detailed information of the request we receive. For more information regarding third-party data requests, see [Responding to government and law enforcement requests to access customer data](https://www.microsoft.com/trustcenter/privacy/govt-requests-for-data) on the Microsoft Trust Center. Also, see "Disclosure of Customer Data" in the [Online Services Terms (OST)](https://www.microsoft.com/Licensing/product-licensing/products.aspx).
## How is this feature related to legacy Office 365 Message Encryption (OME) and Information Rights Management (IRM) features?
If a file format is supported, such as a Word, Excel, or PowerPoint file, the fi
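Review bot: in the + line, "We periodically publish detailed information of the request we receive" should read "detailed information about the requests we receive"; since this sentence is the reader's pointer to those reports, consider linking the published report directly rather than relying on the Trust Center link that follows.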
## Are PDF file attachments supported?
-The short answer is yes! PDF encryption allows you to protect sensitive PDF documents through secure communication or secure collaboration. When you send email, the Office 365 service encrypts PDF file attachments not the Outlook client.
+The short answer is yes! If enabled, PDF encryption allows you to protect sensitive PDF documents through secure communication or secure collaboration. When you send an email, the Office 365 service encrypts PDF file attachments. The Outlook client doesn't encrypt PDF file attachments.
-For Outlook on the web, Outlook for iOS, and Outlook for Android, you can encrypt PDFs you send without any additional steps. These clients natively support PDF encryption.
+For Outlook on the web, Outlook for iOS, and Outlook for Android, you can encrypt PDFs you send without any more steps. These clients natively support PDF encryption.
Outlook desktop does not natively support encryption of PDF file attachments. Instead, you'll need to set up Exchange mail flow rules or DLP to apply encryption to PDF attachments first. When you send mail from Outlook Desktop with a PDF attachment, the client sends the message with the attachment to the service first. When the service receives the file, the service applies the OME protection of the data loss prevention (DLP) policy or mail flow rule in Exchange Online. Next, Exchange Online sends the message with the protected PDF file attachment.
Yes. All encrypted email messages are discoverable by Microsoft 365 compliance f
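Review bot: "If enabled, PDF encryption allows ..." introduces a condition the answer never explains; the Outlook desktop paragraph two lines down says that mail flow rules or DLP apply the protection, so either drop "If enabled" or write "When a mail flow rule or DLP policy applies encryption,". Also "without any more steps" is awkward; the - line's "without any additional steps" reads better.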
## Can I remove encryption from email?
-Admins can set up a mail flow rule to remove encryption. You can't remove encryption using a mail flow rule from mail that is applied by another organization, unless the mail is enrypted using encrypt-only protection.
+Admins can set up a mail flow rule to remove encryption. You can't remove encryption using a mail flow rule from mail that is applied by another organization, unless the mail is encrypted using encrypt-only protection.
## Is delegated access supported?
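Review bot: the typo fix is right, but the sentence still has a misplaced modifier: "remove encryption using a mail flow rule from mail that is applied by another organization" attaches "applied by another organization" to the mail rather than to the encryption. Suggest: "You can't use a mail flow rule to remove encryption that another organization applied, unless that organization used encrypt-only protection."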
compliance Ome Version Comparison https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ome-version-comparison.md
This article is part of a larger series of articles about Office 365 Message Enc
## Overview of AD RMS deprecation in Exchange Online
-Exchange Online includes Information Rights Management (IRM) functionality that provides online and offline protection of email messages and attachments. By default, Exchange Online uses Azure Azure Information Protection. However, your organization may have configured Exchange Online IRM to use on-premises Active Directory Rights Management Service (AD RMS). AD RMS support in Exchange Online is retiring. Instead, Azure Information Protection will replace AD RMS entirely.
+Exchange Online includes Information Rights Management (IRM) functionality that provides online and offline protection of email messages and attachments. By default, Exchange Online uses Azure Information Protection. However, your organization may have configured Exchange Online IRM to use on-premises Active Directory Rights Management Service (AD RMS). AD RMS support in Exchange Online is retiring. Instead, Azure Information Protection will replace AD RMS entirely.
-Before you begin, review and assess the impact for your organization. If your organization is already using Azure Information Protection to encrypt email in Exchange Online, there is nothing for you to do. If you encrypt your email using Exchange mail flow rules, for example using Office 365 Message Encryption, you won't have to change your secure email. Otherwise, you'll need to prepare for AD RMS deprecation by switching to Azure Information Protection.
+To assess whether this deprecation impacts your organization, see [How to migrate AD RMS to Azure RMS in Exchange Online](https://support.microsoft.com/help/5001237). This article provides recommendations on migration options.
-### Prepare for AD RMS deprecation
-
-If you've already set up Azure Information Protection but you're not using it, enable the service using Exchange Online PowerShell. On your local computer, using a work or school account that has global administrator permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) in a Windows PowerShell window.
-
-To enable Azure Information Protection, use the Set-IrmConfiguration cmdlet by typing the following command.
-
-```powershell
-Set-IrmConfiguration -AzureRMSLicensingEnabled $true
-```
-
-If your organization has not yet set up Azure Information Protection, you'll need to migrate from AD RMS to Azure Information Protection. For instructions, see [Migrating from AD RMS to Azure Information Protection](/azure/information-protection/migrate-from-ad-rms-to-azure-rms).
-
-## Side-by-side comparison of features and capabilities
+## Side-by-side comparison of OME features and capabilities
| **Situation** | **Legacy OME** | **IRM in AD RMS** | **New OME capabilities** | |--|-|-|--|
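Review bot: the removed "Prepare for AD RMS deprecation" section carried the page's only actionable guidance for tenants that already have Azure Information Protection (the Set-IrmConfiguration -AzureRMSLicensingEnabled $true step) and the quick self-assessment (already using AIP: nothing to do; encrypting via mail flow rules: nothing to do; otherwise migrate); the replacement sentence defers everything to the support article. Keep at least the three-way self-assessment inline so a reader can tell whether the linked migration guidance applies to them before leaving the page.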
compliance Predictive Coding Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/predictive-coding-overview.md
+
+ Title: "Predictive coding module for Advanced eDiscovery (preview)"
+f1.keywords:
+- NOCSH
++++
+audience: Admin
++
+localization_priority: Normal
+search.appverid:
+- MET150
+
+description: "The new predictive coding module in Advanced eDiscovery uses machine learning to analyze documents in a review set to predictive which the documents that are relevant to your case or investigation."
+++
+# Predictive coding module for Advanced eDiscovery (preview)
+
+Using the new predictive coding module in Advanced eDiscovery, you can create and build a model to prioritize review of documents starting with the most relevant documents. To get started, you can create a model, label as few as 50 documents, and then filter documents by model prediction scores to review relevant non-relevant documents.
+
+HereΓÇÖs a quick overview of the workflow:
+
+1. Open the predictive coding module in a review set.
+
+ ![Click the Analyze dropdown list in a review to go to the Predictive coding module](..\media\PredictiveCoding1.png)
+
+2. On the **Predictive coding models** page, click **New model** to create a new predictive coding model.
+
+ ![Create a new model](..\media\PredictiveCoding2.png)
+
+3. Label at least 50 documents as **Relevant** or **Not relevant**. This labeling is used to train the system.
+
+ ![Label documents as relevant or not relevant to train the system](..\media\PredictiveCoding3.png)
+
+4. Apply the **Prediction score** filter for your model to the review set. To do this:
+
+ 1. In the review set, click **Filters**.
+ 2. In the **Filters** flyout page, expand the **Analytics/ML** section and then select **Prediction score** checkbox for the model you want to apply.
+ 3. In the **Prediction score** filter, specify a prediction score. The filter will display the documents in the review set that match the prediction score.
+
+ ![Specify a prediction score to filter documents](..\media\PredictiveCoding4.png)
+
+5. Monitor the performance, status, and stability of your model.
+
+ ![Monitor the performance, status, and stability of your model](..\media\PredictiveCoding5.png)
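Review bot: the description metadata has a grammar break, "to predictive which the documents that are relevant"; use "to predict which documents are relevant to your case or investigation". In the body, "review relevant non-relevant documents" is missing a conjunction ("relevant and non-relevant"), "HereΓÇÖs" is a mis-encoded apostrophe, and the image paths use backslashes ("..\media\PredictiveCoding1.png") where the image path later on this page uses forward slashes ("../media/..."); use forward slashes so the docs build resolves them.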
enterprise Microsoft 365 Vpn Implement Split Tunnel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel.md
Port 80 is only used for things like redirect to a port 443 session, no customer
### Does split-tunnel configuration work for Teams running in a browser?
-**No**, it does not. It works only on Microsoft Teams client version 1.3.00.13565 or greater. This version includes improvements in how the client detects available network paths.
+Yes it does, via supported browsers which are listed at https://docs.microsoft.com/en-us/microsoftteams/get-clients#web-client
## Related topics
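Review bot: The new answer drops the client-version requirement (Teams client 1.3.00.13565 or greater) without saying whether it still applies to the desktop client; if it does, keep that sentence next to the new browser statement so readers don't conclude the version no longer matters. Also write it as a Markdown link without the `en-us` locale segment, as the other docs.microsoft.com links on this page do, and add the comma: "Yes, it does, via the supported browsers listed at ...".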
Port 80 is only used for things like redirect to a port 443 session, no customer
[Assessing Office 365 network connectivity](assessing-network-connectivity.md)
-[Office 365 network and performance tuning](network-planning-and-performance.md)
+[Office 365 network and performance tuning](network-planning-and-performance.md)
enterprise Office 365 Network Mac Perf Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-overview.md
The details tab on the office location page shows the specific measurement resul
> [!div class="mx-imgBorder"] > ![Location-specific details](../media/m365-mac-perf/m365-mac-perf-locations-plan-details-all.png)
+## Sharing network assessment data with Microsoft
+
+By default, the network assessments for your organization and the network insights are shared with Microsoft employees. This does not include any personal data from your staff but only the specific network assessment metrics and network insights shown in the admin center for your office locations. It also does not include your office location names or street addresses so you would need to tell them the city and support ID of the office you want to discuss. If this is turned off, the Microsoft engineers that you are discussing your network connectivity with cannot view any of this information. Enabling this setting only shares future data starting the day after you enable it.
+ ## CSV Import for LAN subnet office locations For LAN subnet office identification, you need to add each location in advance. Instead of adding individual office locations in the **Locations** tab you can import them from a CSV file. You may be able to obtain this data from other places you have stored it such as the Call Quality Dashboard or Active Directory Sites and Services
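Review bot: The new "Sharing network assessment data with Microsoft" section never names the setting or says where to turn it on or off; "If this is turned off" and "Enabling this setting" need an explicit pointer to the toggle (its label and the admin center page it lives on) so an admin who wants to stop sharing can find it. Because this controls data sharing, also make "Microsoft employees" concrete in the first sentence (the later sentence implies the support engineers you are discussing connectivity with), rather than leaving it to be inferred.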
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
###### [Device control overview](mac-device-control-overview.md) ###### [JAMF examples](mac-device-control-jamf.md) ###### [Intune examples](mac-device-control-intune.md)
-##### [Schedule scans](mac-schedule-scan-atp.md)
+##### [Schedule scans](mac-schedule-scan.md)
#### [Troubleshoot]() ##### [Troubleshoot installation issues](mac-support-install.md)
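Review bot: The link target changes from mac-schedule-scan-atp.md to mac-schedule-scan.md, matching the new file added in this same change; make sure the old path is redirected so existing links and bookmarks to mac-schedule-scan-atp.md don't break.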
#### [General]() ##### [Verify data storage location and update data retention settings](data-retention-settings.md) ##### [Configure alert notifications](configure-email-notifications.md)
-##### [Configure advanced features](advanced-features.md
+##### [Configure advanced features](advanced-features.md)
#### [Permissions]() ##### [Use basic permissions to access the portal](basic-permissions.md)
##### [Attack surface reduction rules](troubleshoot-asr.md) # [Microsoft 365 Security](../index.yml)
-# [Microsoft 365 Defender](../defender/index.yml)
+# [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
# [Defender for Office 365](../office-365-security/overview.md)
security Advanced Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md
For more information about role assignments, see [Create and manage roles](user-
Enabling this feature allows you to run unsigned scripts in a live response session. +
+## Restrict correlation to within scoped device groups
+When this setting is turned on, alerts are correlated into separate incidents based on their scoped device group. By default, incident correlation happens across the entire tenant scope.
+
+>[!NOTE]
+>Changing this setting impacts future alert correlations only.
++ ## Autoresolve remediated alerts For tenants created on or after Windows 10, version 1809, the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature.
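Review bot: The new "Restrict correlation to within scoped device groups" section doesn't say what happens to an alert whose device belongs to more than one scoped device group, nor to incidents that already span groups when the setting is turned on; the note only says that future correlations are affected. State both so an analyst knows what to expect in the incident queue after flipping the setting.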
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
Perform the following steps to fulfill the onboarding requirements:
- In addition, for Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements: - Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) - Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)-
+
+ > [!NOTE]
+ > If you are managing your Windows Server 2008 R2 SP1 with SCCM, the SCCM client agent installs .Net Framework 4.5.2. So you don't need to install the .NET framework 4.5 (or later).
+
- For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). > [!NOTE]
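Review bot: The new note spells the product two ways in the same sentence pair (".Net Framework 4.5.2" and ".NET framework 4.5"); use ".NET Framework" in both. "SCCM" is also an abbreviation that isn't introduced in the surrounding text, which refers to "System Center Endpoint Protection"; spell out the product name on first use.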
security Custom Detection Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/custom-detection-rules.md
When saved, a new custom detection rule immediately runs and checks for matches
- **Every 3 hours**ΓÇöruns every 3 hours, checking data from the past 6 hours - **Every hour**ΓÇöruns hourly, checking data from the past 2 hours
-> [!IMPORTANT]
-> When changing a query that is already scheduled as a Custom Detection, it's next immediate execution will have a lookback window of 30 days, exactly as if a new query was being created.
-> Changes to a large number of queries, and with time filters higher than the default lookback duration for the selected frequency, might have an impact in the overall quota consumption of Advanced Hunting and resulting in exhausting the daily quota.
+When you edit a rule, it will run with the applied changes in the next run time scheduled according to the frequency you set.
+ > [!TIP] > Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored.
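Review bot: Removing the IMPORTANT block drops the warning that editing many scheduled queries with time filters longer than the lookback window can exhaust the daily Advanced Hunting quota. The replacement sentence ("When you edit a rule, it will run with the applied changes in the next run time...") describes timing only; if the 30-day lookback on edit no longer happens, say so explicitly, and keep the quota warning (or point to where it now lives), since that is the operational risk admins need to plan for.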
security Edr In Block Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md
To learn more, see [Get-MpComputerStatus](https://docs.microsoft.com/powershell/
3. In the list of results, in the **STATE** row, confirm that the service is running.
+### How much time does it take for EDR in block mode to be disabled?
+If you chose to disable EDR in block mode it can take up to 30 minutes for the system to disable this capability.
+ ## See also - [Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617)
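Review bot: In the new FAQ answer, "If you chose to disable" should be "If you choose to disable", with a comma after the clause: "If you choose to disable EDR in block mode, it can take up to 30 minutes for the system to disable this capability." Since the change isn't immediate, it's worth telling the reader how to confirm the new state after the wait, for example by pointing back at the Get-MpComputerStatus check referenced just above.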
security Gov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md
GCC | GCC High | DoD
Microsoft Defender for Endpoint Server GCC | Microsoft Defender for Endpoint Server for GCC High | Microsoft Defender for Endpoint Server for DOD Azure Defender for Servers | Azure Defender for Servers - Government | Azure Defender for Servers - Government
-<br>
+<br />
## Portal URLs The following are the Microsoft Defender for Endpoint portal URLs for US Government customers:
GCC | https://gcc.securitycenter.microsoft.us
GCC High | https://securitycenter.microsoft.us DoD | https://securitycenter.microsoft.us
-<br>
+<br />
## Endpoint versions
Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/45
Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) Windows 10, version 1803 (with [KB4598245](https://support.microsoft.com/help/4598245)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Windows 10, version 1709 | ![No](images/svg/check-no.svg)<br>Note: Won't be supported | ![Yes](images/svg/check-yes.svg) With [KB4499147](https://support.microsoft.com/help/4499147)<br>Note: [Deprecated](https://docs.microsoft.com/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade | ![No](images/svg/check-no.svg)<br>Note: Won't be supported
-Windows 10, version 1703 and earlier | ![No](images/svg/check-no.svg)<br>Note: Won't be supported | ![No](images/svg/check-no.svg)<br>Note: Won't be supported | ![No](images/svg/check-no.svg)<br>Note: Won't be supported
+Windows 10, version 1709 | ![No](images/svg/check-no.svg)<br />Note: Won't be supported | ![Yes](images/svg/check-yes.svg) With [KB4499147](https://support.microsoft.com/help/4499147)<br />Note: [Deprecated](https://docs.microsoft.com/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade | ![No](images/svg/check-no.svg)<br />Note: Won't be supported
+Windows 10, version 1703 and earlier | ![No](images/svg/check-no.svg)<br />Note: Won't be supported | ![No](images/svg/check-no.svg)<br />Note: Won't be supported | ![No](images/svg/check-no.svg)<br />Note: Won't be supported
Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) Windows Server 2016 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) Windows Server 2012 R2 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
Windows 8.1 Enterprise | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/ch
Windows 8 Pro | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) Windows 7 SP1 Enterprise | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) Windows 7 SP1 Pro | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Linux | ![No](images/svg/check-no.svg) Rolling out | ![No](images/svg/check-no.svg) Rolling out | ![No](images/svg/check-no.svg) Rolling out
-macOS | ![No](images/svg/check-no.svg) Rolling out | ![No](images/svg/check-no.svg) Rolling out | ![No](images/svg/check-no.svg) Rolling out
+Linux | ![Yes](images/svg/check-yes.svg) In preview<br />See note below | ![Yes](images/svg/check-yes.svg) In preview<br />See note below | ![Yes](images/svg/check-yes.svg) In preview<br />See note below
+macOS | ![Yes](images/svg/check-yes.svg) In preview<br />See note below | ![Yes](images/svg/check-yes.svg) In preview<br />See note below | ![Yes](images/svg/check-yes.svg) In preview<br />See note below
Android | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog iOS | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/check-no.svg) On engineering backlog
iOS | ![No](images/svg/check-no.svg) On engineering backlog | ![No](images/svg/c
> [!NOTE] > Trying to onboard Windows devices older than Windows 10 or Windows Server 2019 using [Microsoft Monitoring Agent](configure-server-endpoints.md#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)? You'll need to choose "Azure US Government" under "Azure Cloud" if using the [setup wizard](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard), or if using a [command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line) or a [script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation) - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1.
+> [!NOTE]
+> You'll need version 101.25.72 and above for Linux, and version 101.25.69 and above for macOS. During preview those versions are availble only in the "Insider Fast" channel. See [Configure the Linux software repository](linux-install-manually.md#configure-the-linux-software-repository) or [Set the channel name (macOS)](mac-updates.md#set-the-channel-name) for instructions.
+ ### OS versions when using Azure Defender for Servers The following OS versions are supported when using [Azure Defender for Servers](https://docs.microsoft.com/azure/security-center/security-center-wdatp):
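Review bot: In the new NOTE, "availble" should be "available". The Linux and macOS rows say "See note below", but two notes follow and the first one is about onboarding older Windows devices with the Microsoft Monitoring Agent; either place the version note directly under the table or reference it unambiguously (for example "see the note on Linux and macOS versions below").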
Windows Server 2016 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check
Windows Server 2012 R2 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) Windows Server 2008 R2 SP1 | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-<br>
+<br />
## Required connectivity settings If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list.
The following downloadable spreadsheet lists the services and their associated U
Spreadsheet of domains list | Description :--|:--
-![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)
+![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br /><br />[Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)
For more information, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).
You can find the Azure IP ranges in [Azure IP Ranges and Service Tags ΓÇô US Gov
> [!NOTE] > As a cloud-based solution, the IP address ranges can change. It's recommended you move to DNS-based rules.
-<br>
+<br />
## API
-Instead of the public URIs listed in our [API documentation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/apis-intro), you'll need to use the following URIs:
+Instead of the public URIs listed in our [API documentation](apis-intro.md), you'll need to use the following URIs:
Endpoint type | GCC | GCC High & DoD :|:|:
Login | `https://login.microsoftonline.com` | `https://login.microsoftonline.us`
Defender for Endpoint API | `https://api-gcc.securitycenter.microsoft.us` | `https://api-gov.securitycenter.microsoft.us` SIEM | `https://wdatp-alertexporter-us.gcc.securitycenter.windows.us` | `https://wdatp-alertexporter-us.securitycenter.windows.us`
-<br>
+<br />
## Feature parity with commercial Defender for Endpoint for US Government customers doesn't have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available we want to highlight.
Automated investigation and remediation: Response to Office 365 alerts | ![No](i
Email notifications | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) Evaluation lab | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) Management and APIs: Device health and compliance report | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
-Management and APIs: Integration with third-party products | ![No](images/svg/check-no.svg) Rolling out | ![No](images/svg/check-no.svg) Rolling out | ![No](images/svg/check-no.svg) Rolling out
+Management and APIs: Integration with third-party products | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
Management and APIs: Streaming API | ![Yes](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) In development | ![No](images/svg/check-no.svg) In development Management and APIs: Threat protection report | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) Threat & vulnerability management | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg) | ![Yes](images/svg/check-yes.svg)
security Ios Configure Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md
Defender for Endpoint for iOS enables admins to configure custom indicators on i
## Report unsafe site Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page if you want to report a website that could be a phishing site.+
+## Battery Consumption issues on iOS when Microsoft Defender for Endpoint is installed
+
+The battery usage by an app is computed by Apple based on a multitude of factors including CPU and Network usage. Microsoft Defender for Endpoint uses a local/loop-back VPN in the background to check web traffic for any malicious websites or connections. Network packets from any app go through this check and that causes the battery usage of Microsoft Defender for Endpoint to be computed inaccurately. This gives a false impression to the user. The actual battery consumption of Microsoft Defender for Endpoint is lesser than what is shown on the Battery Settings page on the device. This is based on conducted tests done on the Microsoft Defender for Endpoint app to understand battery consumption.
+
+Also the VPN used is a local VPN and unlike traditional VPNs, network traffic is not sent outside the device.
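Review bot: In the new battery section, "lesser than" should be "less than", and "This is based on conducted tests done on the ... app" reads better as "This is based on tests conducted on the ... app". The heading "Battery Consumption issues on iOS when Microsoft Defender for Endpoint is installed" should use sentence case like the page's other headings ("Report unsafe site"). The last paragraph carries the point users actually care about (the loopback VPN sends no traffic off the device); consider moving that sentence up next to the description of the local VPN rather than leaving it as a trailing afterthought.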
security Linux Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-resources.md
The following table lists commands for some of the most common scenarios. Run `m
|Group |Scenario |Command | |-|--|--| |Configuration |Turn on/off real-time protection |`mdatp config real-time-protection --value [enabled\|disabled]` |
+|Configuration |Turn on/off behavior monitoring |`mdatp config behavior-monitoring --value [enabled\|disabled]`
|Configuration |Turn on/off cloud protection |`mdatp config cloud --value [enabled\|disabled]` | |Configuration |Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled\|disabled]` | |Configuration |Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission [enabled\|disabled]` |
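Review bot: The new `behavior-monitoring` row is missing the closing ` |` cell delimiter that every other row in the table has; without it the last column can render truncated. Add ` |` after the closing backtick of `[enabled\|disabled]`.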
security Mac Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-exclusions.md
For more information on how to configure exclusions from JAMF, Intune, or anothe
Open the Defender for Endpoint application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot:
-![Manage exclusions screenshot](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-37-exclusions)
+![Manage exclusions screenshot](images/mdatp-37-exclusions.png)
Select the type of exclusion that you wish to add and follow the prompts.
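Review bot: The image path moves from `/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-37-exclusions` (a different docset) to the local `images/mdatp-37-exclusions.png`; confirm the file actually exists in this folder's images directory with that name and extension, or the build will flag a broken image. The same check applies to the other mdatp-* image moves in this change.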
security Mac Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md
Title: Manual deployment for Microsoft Defender ATP for macOS
-description: Install Microsoft Defender ATP for macOS manually, from the command line.
+ Title: Manual deployment for Microsoft Defender for Endpoint for macOS
+description: Install Microsoft Defender for Endpoint for macOS manually, from the command line.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150
To complete this process, you must have admin privileges on the device.
1. Navigate to the downloaded wdav.pkg in Finder and open it.
- ![App install screenshot1](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-28-appinstall)
+ ![App install screenshot1](images/mdatp-28-appinstall.png)
2. Select **Continue**, agree with the License terms, and enter the password when prompted.
- ![App install screenshot2](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-29-appinstalllogin)
+ ![App install screenshot2](images/mdatp-29-appinstalllogin.png)
> [!IMPORTANT] > You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed.
- ![App install screenshot3](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-30-systemextension)
+ ![App install screenshot3](images/mdatp-30-systemextension.png)
3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**:
- ![Security and privacy window screenshot](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-31-securityprivacysettings)
+ ![Security and privacy window screenshot](images/mdatp-31-securityprivacysettings.png)
The installation proceeds.
To complete this process, you must have admin privileges on the device.
2. Select **Continue**, agree with the License terms, and enter the password when prompted.
-3. At the end of the installation process, you will be promoted to approve the system extensions used by the product. Select **Open Security Preferences**.
+3. At the end of the installation process, you'll be promoted to approve the system extensions used by the product. Select **Open Security Preferences**.
![System extension approval](images/big-sur-install-2.png)
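Review bot: "you'll be promoted to approve the system extensions" keeps the typo from the old line; it should be "prompted".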
To complete this process, you must have admin privileges on the device.
1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the device where you deploy Microsoft Defender for Endpoint for macOS.
- The client device is not associated with orgId. Note that the *orgId* attribute is blank.
+ The client device isn't associated with orgId. Note that the *orgId* attribute is blank.
```bash mdatp health --field org_id
To complete this process, you must have admin privileges on the device.
After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
- ![Microsoft Defender icon in status bar screenshot](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon-bar)
+ ![Microsoft Defender icon in status bar screenshot](images/mdatp-icon-bar.png)
## How to Allow Full Disk Access
security Mac Install With Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md
Title: Intune-based deployment for Microsoft Defender ATP for Mac
+ Title: Intune-based deployment for Microsoft Defender for Endpoint for Mac
description: Install Microsoft Defender for Endpoint for Mac, using Microsoft Intune. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh
The following table summarizes the steps you would need to take to deploy and ma
| [Grant full disk access to Microsoft Defender for Endpoint](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc | | [Network Extension policy](#create-system-configuration-profiles-step-9) | MDATP_NetExt.xml | N/A | | [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
-| [Microsoft Defender for Endpoint configuration settings](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/mac-preferences#intune-profile-1)<br/><br/> **Note:** If you are planning to run a third-party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
+| [Microsoft Defender for Endpoint configuration settings](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/mac-preferences#intune-profile-1)<br/><br/> **Note:** If you're planning to run a third-party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
| [Configure Microsoft Defender for Endpoint and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-10) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray | ## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Securi
## Client device setup
-You do not need any special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
+You don't need any special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
1. Confirm device management.
+ ![Confirm device management screenshot](images/mdatp-3-confirmdevicemgmt.png)
+ Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
- ![Management profile screenshot](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-4-managementprofile)
+ ![Management profile screenshot](images/mdatp-4-managementprofile.png)
2. Select **Continue** and complete the enrollment.
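Review bot: In the new step text, "Your Management Profile would be displayed as **Verified**" should be "will be displayed" (or "is displayed"); "would" reads as conditional, and this is the expected result the reader is meant to verify.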
You do not need any special provisioning for a Mac device beyond a standard [Com
3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed: > [!div class="mx-imgBorder"]
- > ![Add Devices screenshot](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-5-alldevices)
+ > ![Add Devices screenshot](images/mdatp-5-alldevices.png)
## Approve System Extensions
To approve the system extensions:
4. Select **OK**.
- ![Import a configuration from a file for Custom Configuration Profile](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-6-systemconfigurationprofiles)
+ ![Import a configuration from a file for Custom Configuration Profile](images/mdatp-6-systemconfigurationprofiles.png)
5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
To approve the system extensions:
Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: > [!div class="mx-imgBorder"]
-> ![View of Device Status in Monitor](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-7-devicestatusblade.png)
+> ![View of Device Status in Monitor](images/mdatp-7-devicestatusblade.png)
## Publish application
Once the Intune changes are propagated to the enrolled devices, you can see them
> If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Microsoft Defender for Endpoint. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Microsoft Defender for Endpoint with *Ignore app version* set to **No**, please change it to **Yes**. If Microsoft Defender for Endpoint still cannot be installed on a client device, then uninstall Microsoft Defender for Endpoint and push the updated policy. > [!div class="mx-imgBorder"]
- > ![Display of App information in App add](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-8-intuneappinfo)
+ > ![Display of App information in App add](images/mdatp-8-intuneappinfo.png)
7. Select **OK** and **Add**. > [!div class="mx-imgBorder"]
- > ![Device status shown in Notifications window](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-9-intunepkginfo)
+ > ![Device status shown in Notifications window](images/mdatp-9-intunepkginfo.png)
8. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**. > [!div class="mx-imgBorder"]
- > ![Client apps screenshot](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-10-clientapps)
+ > ![Client apps screenshot](images/mdatp-10-clientapps.png)
9. Change **Assignment type** to **Required**. 10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. > [!div class="mx-imgBorder"]
- > ![Intune assignments info screenshot](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-11-assignments)
+ > ![Intune assignments info screenshot](images/mdatp-11-assignments.png)
11. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**: > [!div class="mx-imgBorder"]
- > ![Intune device status screenshot](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-12-deviceinstall)
+ > ![Intune device status screenshot](images/mdatp-12-deviceinstall.png)
## Verify client device state 1. After the configuration profiles are deployed to your devices, open **System Preferences** > **Profiles** on your Mac device.
- ![System Preferences screenshot](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-13-systempreferences)<br/>
- ![System Preferences Profiles screenshot](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-14-systempreferencesprofiles)
+ ![System Preferences screenshot](images/mdatp-13-systempreferences.png)<br/>
+ ![System Preferences Profiles screenshot](images/mdatp-14-systempreferencesprofiles.png)
2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune:
- ![Profiles screenshot](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-15-managementprofileconfig)
+ ![Profiles screenshot](images/mdatp-15-managementprofileconfig.png)
3. You should also see the Microsoft Defender icon in the top-right corner: > [!div class="mx-imgBorder"]
- > ![Microsoft Defender icon in status bar screenshot](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon-bar)
+ > ![Microsoft Defender icon in status bar screenshot](images/mdatp-icon-bar.png)
## Troubleshooting
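Review bot: the new relative paths (`images/mdatp-11-assignments.png` through `images/mdatp-icon-bar.png`) only resolve if those PNG files live in the `images` folder beside this article; the replaced links pointed into the `/windows/security/threat-protection/microsoft-defender-antivirus/images/` docset and carried no file extension, so confirm that all eight images are added in this same commit (or already exist in that folder), otherwise every screenshot in the install and verification steps renders as a broken image.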
security Mac Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-privacy.md
The following fields are collected:
#### Product and service performance data events
+**Unexpected application exit (crash)**
+
+Collects system information and the state of an application when an application unexpectedly exits.
+
+The following fields are collected:
+
+| Field | Description |
+| | -- |
+| v1_crash_count | Number of times V1 engine process crashed every hour on client machine |
+| v2_crash_count | Number of times V2 engine process crashed every hour on client machine |
+| EDR_crash_count | Number of times EDR process crashed every hour on client machine |
+ **Kernel extension statistics** The following fields are collected:
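Review bot: the separator row `| | -- |` has an empty first cell, so Markdown will not recognise the header row and the three `*_crash_count` rows render as plain text; use `| --- | --- |` (one dash group per column). The line `**Kernel extension statistics** The following fields are collected:` also appears to be run together; separate the bold entry heading from the sentence with a blank line, as the new `**Unexpected application exit (crash)**` entry above does.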
security Mac Schedule Scan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-schedule-scan.md
+
+ Title: How to schedule scans with MDATP for macOS
+description: Learn how to schedule an automatic scanning time for Microsoft Defender ATP in macOS to better protect your organization's assets.
+keywords: microsoft, defender, atp, mac, scans, antivirus
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
++
+# Schedule scans with Microsoft Defender for Endpoint for Mac
++
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+While you can start a threat scan at any time with Microsoft Defender for Endpoint, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week.
+
+## Schedule a scan with *launchd*
+
+You can create a scanning schedule using the *launchd* daemon on a macOS device.
+
+1. The following code shows the schema you need to use to schedule a scan. Open a text editor and use this example as a guide for your own scheduled scan file.
+
+ For more information on the *.plist* file format used here, see [About Information Property List Files](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/AboutInformationPropertyListFiles.html) at the official Apple developer website.
+
+ ```XML
+ <?xml version="1.0" encoding="UTF-8"?>
+ <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
+ "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+ <plist version="1.0">
+ <dict>
+ <key>Label</key>
+ <string>com.microsoft.wdav.schedquickscan</string>
+ <key>ProgramArguments</key>
+ <array>
+ <string>sh</string>
+ <string>-c</string>
+ <string>/usr/local/bin/mdatp scan quick</string>
+ </array>
+ <key>RunAtLoad</key>
+ <true/>
+ <key>StartCalendarInterval</key>
+ <dict>
+ <key>Day</key>
+ <integer>3</integer>
+ <key>Hour</key>
+ <integer>2</integer>
+ <key>Minute</key>
+ <integer>0</integer>
+ <key>Weekday</key>
+ <integer>5</integer>
+ </dict>
+ <key>WorkingDirectory</key>
+ <string>/usr/local/bin/</string>
+ </dict>
+ </plist>
+ ```
+
+2. Save the file as *com.microsoft.wdav.schedquickscan.plist*.
+
+ > [!TIP]
+ > To run a full scan instead of a quick scan, change line 12, `<string>/usr/local/bin/mdatp scan quick</string>`, to use the `full` option instead of `quick` (i.e. `<string>/usr/local/bin/mdatp scan full</string>`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*.
+
+3. Open **Terminal**.
+4. Enter the following commands to load your file:
+
+ ```bash
+ launchctl load /Library/LaunchDaemons/<your file name.plist>
+ launchctl start <your file name>
+ ```
+
+5. Your scheduled scan will run at the date, time, and frequency you defined in your p-list. In the example, the scan runs at 2:00 AM every Friday.
+
+ The `Weekday` value of `StartCalendarInterval` uses an integer to indicate the fifth day of the week, or Friday.
+
+ > [!IMPORTANT]
+ > Agents executed with *launchd* will not run at the scheduled time while the device is asleep. They will instead run once the device resumes from sleep mode.
+ >
+ > If the device is turned off, the scan will run at the next scheduled scan time.
+
+## Schedule a scan with Intune
+
+You can also schedule scans with Microsoft Intune. The [runMDATPQuickScan.sh](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP#runmdatpquickscansh) shell script available at [Scripts for Microsoft Defender for Endpoint](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP) will persist when the device resumes from sleep mode.
+
+See [Use shell scripts on macOS devices in Intune](https://docs.microsoft.com/mem/intune/apps/macos-shell-scripts) for more detailed instructions on how to use this script in your enterprise.
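Review bot: step 2 says to save the file but not where, while step 4 loads it from `/Library/LaunchDaemons/`; state the destination in step 2 and add that a plist in that directory must be owned by `root:wheel` with mode 644 and loaded with `sudo launchctl load ...`, because launchd refuses to load daemon plists that are writable by a non-root user. In the plist, `StartCalendarInterval` sets both `Day` (3, the day of the month) and `Weekday` (5, Friday), while step 5 says the scan runs at 2:00 AM every Friday; `Day` is not needed for that schedule and, depending on how launchd combines the two fields, may also fire the scan on the 3rd of each month, so drop the `Day` key. `RunAtLoad` set to `<true/>` additionally starts a quick scan immediately at every load and boot, which step 5 does not mention. Finally, `launchctl start <your file name>` takes the `Label` value (`com.microsoft.wdav.schedquickscan`), not the file name, so the placeholder should say so.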
security Mac Support Kext https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-kext.md
Title: Troubleshoot kernel extension issues in Microsoft Defender ATP for Mac
-description: Troubleshoot kernel extension-related issues in Microsoft Defender ATP for Mac.
+ Title: Troubleshoot kernel extension issues in Microsoft Defender for Endpoint for Mac
+description: Troubleshoot kernel extension-related issues in Microsoft Defender for Endpoint for Mac.
keywords: microsoft, defender, atp, mac, kernel, extension search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
This article provides information on how to troubleshoot issues with the kernel extension that is installed as part of Microsoft Defender for Endpoint for Mac.
-Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to be explicitly approved before they are allowed to run on the device.
+Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to be explicitly approved before they're allowed to run on the device.
-If you did not approve the kernel extension during the deployment/installation of Microsoft Defender for Endpoint for Mac, the application displays a banner prompting you to enable it:
+If you didn't approve the kernel extension during the deployment/installation of Microsoft Defender for Endpoint for Mac, the application displays a banner prompting you to enable it:
- ![RTP disabled screenshot](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-32-main-app-fix)
+ ![RTP disabled screenshot](images/mdatp-32-main-app-fix.png)
-You can also run ```mdatp health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device.
+You can also run ```mdatp health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension isn't approved to run on your device.
```bash mdatp health
If less than 30 minutes have passed since the product was installed, navigate to
If you don't see this prompt, it means that 30 or more minutes have passed, and the kernel extension still not been approved to run on your device:
-![Security and privacy window after prompt expired screenshot](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt)
+![Security and privacy window after prompt expired screenshot](images/mdatp-33-securityprivacysettings-noprompt.png)
In this case, you need to perform the following steps to trigger the approval flow again.
-1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension was not approved to run on the device. However, it will trigger the approval flow again.
+1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension wasn't approved to run on the device. However, it will trigger the approval flow again.
```bash sudo kextutil /Library/Extensions/wdavkext.kext
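Review bot: the context sentence `it means that 30 or more minutes have passed, and the kernel extension still not been approved to run on your device` is missing `has` (`has still not been approved`); since this commit already rewords the surrounding sentences for contractions, fix it in the same change.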
security Mac Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-perf.md
Title: Troubleshoot performance issues for Microsoft Defender ATP for Mac
-description: Troubleshoot performance issues in Microsoft Defender ATP for Mac.
+ Title: Troubleshoot performance issues for Microsoft Defender for Endpoint for Mac
+description: Troubleshoot performance issues in Microsoft Defender for Endpoint for Mac.
keywords: microsoft, defender, atp, mac, performance search.product: eADQiWindows 10XVcnh search.appverid: met150
This topic provides some general steps that can be used to narrow down performan
Real-time protection (RTP) is a feature of Microsoft Defender for Endpoint for Mac that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
-Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender for Endpoint for Mac. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender for Endpoint for Mac.
+Depending on the applications that you're running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender for Endpoint for Mac. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender for Endpoint for Mac.
The following steps can be used to troubleshoot and mitigate these issues:
The following steps can be used to troubleshoot and mitigate these issues:
- From the user interface. Open Microsoft Defender for Endpoint for Mac and navigate to **Manage settings**.
- ![Manage real-time protection screenshot](/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-36-rtp)
+ ![Manage real-time protection screenshot](images/mdatp-36-rtp.png)
- From the Terminal. For security purposes, this operation requires elevation.
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink)
There are some minimum requirements for onboarding devices to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service.
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink).
- > [!TIP] > - Learn about the latest enhancements in Defender for Endpoint: [Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced). > - Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
For a detailed comparison table of Windows 10 commercial edition comparison, see
Access to Defender for Endpoint is done through a browser, supporting the following browsers: - Microsoft Edge-- Internet Explorer version 11 - Google Chrome > [!NOTE]
Devices on your network must be running one of these editions.
The hardware requirements for Defender for Endpoint on devices are the same for the supported editions. > [!NOTE]
-> Machines running mobile versions of Windows (such as Windows CE and Windows 10 Mobile) are not supported.
+> Machines running mobile versions of Windows (such as Windows CE and Windows 10 Mobile) aren't supported.
> > Virtual Machines running Windows 10 Enterprise 2016 LTSB may encounter performance issues if run on non-Microsoft virtualization platforms. >
The hardware requirements for Defender for Endpoint on devices are the same for
### Other supported operating systems - Android
+- iOS
- Linux - macOS > [!NOTE]
-> You'll need to know the exact Linux distributions and versions of Android and macOS that are compatible with Defender for Endpoint for the integration to work.
+> You'll need to confirm the Linux distributions and versions of Android, iOS and macOS you've are compatible with Defender for Endpoint for the integration to work.
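Review bot: the rewritten note `versions of Android, iOS and macOS you've are compatible with Defender for Endpoint` is ungrammatical (`you've are`); something like `You'll need to confirm that the Linux distributions and the versions of Android, iOS, and macOS you have are compatible with Defender for Endpoint for the integration to work` reads correctly. Adding `iOS` to the list is fine, but the original wording `the exact Linux distributions and versions` was clearer and could be kept.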
By default, this service is enabled. It's good practice to check to ensure that
![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
-You'll need to set the service to automatically start if the **START_TYPE** is not set to **AUTO_START**.
+You'll need to set the service to automatically start if the **START_TYPE** isn't set to **AUTO_START**.
**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
You'll need to set the service to automatically start if the **START_TYPE** is n
#### Internet connectivity Internet connectivity on devices is required either directly or through proxy.
-The Defender for Endpoint sensor can utilize a daily average bandwidth of 5 MB to communicate with the Defender for Endpoint cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.
+The Defender for Endpoint sensor can use a daily average bandwidth of 5 MB to communicate with the Defender for Endpoint cloud service and report cyber data. One-off activities such as file uploads and investigation package collection aren't included in this daily average bandwidth.
For more information on additional proxy configuration settings, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).
The Defender for Endpoint agent depends on the ability of Microsoft Defender Ant
Configure Security intelligence updates on the Defender for Endpoint devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
-When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Defender for Endpoint service, Microsoft Defender Antivirus goes on passive mode.
+When Microsoft Defender Antivirus isn't the active antimalware in your organization and you use the Defender for Endpoint service, Microsoft Defender Antivirus goes on passive mode.
If your organization has turned off Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded must be excluded from this group policy.
-If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, Microsoft Defender Antivirus will either need to be configured to go on passive mode or uninstalled. The configuration is dependent on the server version. For more information, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus-compatibility.md).
+If you're onboarding servers and Microsoft Defender Antivirus isn't the active antimalware on your servers, Microsoft Defender Antivirus will either need to be configured to go on passive mode or uninstalled. The configuration is dependent on the server version. For more information, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus-compatibility.md).
> [!NOTE] > Your regular group policy doesn't apply to Tamper Protection, and changes to Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on.
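Review bot: the compatibility link `https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus-compatibility.md` carries a `.md` suffix on an absolute docs.microsoft.com URL, which published docs URLs do not have (compare the neighbouring `manage-updates-baselines-microsoft-defender-antivirus` link, which has none); since the contraction edit touches this line anyway, drop the `.md` and check that the path resolves.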
If you are onboarding servers and Microsoft Defender Antivirus is not the active
## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Defender for Endpoint agent will successfully onboard.
-If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Manager (current branch), you'll need to ensure that the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy).
+If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Manager (current branch), you'll need to ensure the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy).
## Related topics
security Partner Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-applications.md
Logo |Partner name | Description
![Image of Aruba ClearPass Policy Manager logo](images/aruba-logo.png) | [Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2127544) | Ensure Defender for Endpoint is installed and updated on each endpoint before allowing access to the network ![Image of Blue Hexagon for Network logo](images/bluehexagon-logo.png) | [Blue Hexagon for Network](https://go.microsoft.com/fwlink/?linkid=2104613) | Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection ![Image of CyberMDX logo](images/cybermdx-logo.png) | [CyberMDX](https://go.microsoft.com/fwlink/?linkid=2135620) | Cyber MDX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Defender for Endpoint environment
+![Image of HYAS Protect logo](images/hyas-logo.png) | [HYAS Protect](https://go.microsoft.com/fwlink/?linkid=2156763) | HYAS Protect utilizes authoritative knowledge of attacker infrastructure to proactively protect Microsoft Defender for Endpoint endpoints from cyberattacks
![Image of Vectra Network Detection and Response (NDR) logo](images/vectra-logo.png) |[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=866934)| Vectra applies AI & security research to detect and respond to cyber-attacks in real time
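Review bot: `threat prevention and repose` in the CyberMDX row above is a typo for `response`; worth fixing while this table is being edited.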
security Advanced Hunting Deviceevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceevents-table.md
ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - **Applies to:** - Microsoft 365 Defender -- The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from this table. >[!TIP]
For information on other tables in the advanced hunting schema, [see the advance
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to | | `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated ΓÇö use the SHA1 column when available. | | `MD5` | string | MD5 hash of the file that the recorded action was applied to |
+| `FileSize` | long | Size of the file in bytes |
| `AccountDomain` | string | Domain of the account | | `AccountName` | string | User name of the account | | `AccountSid` | string | Security Identifier (SID) of the account |
For information on other tables in the advanced hunting schema, [see the advance
| `LocalPort` | int | TCP port on the local machine used during communication | | `FileOriginUrl` | string | URL where the file was downloaded from | | `FileOriginIP` | string | IP address where the file was downloaded from |
-| `AdditionalFields` | string | Additional information about the event in JSON array format |
-| `InitiatingProcessFileSize` | long | Size of the file that ran the process responsible for the event |
-| `FileSize` | long | Size of the file in bytes |
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event | | `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated ΓÇö use the SHA1 column when available. |
+| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
+| `InitiatingProcessFileSize` | long | Size of the file that ran the process responsible for the event |
| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event | | `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event | | `InitiatingProcessAccountUpn` | string | User principal name (UPN) of the account that ran the process responsible for the event | | `InitiatingProcessAccountObjectId` | string | Azure AD object ID of the user account that ran the process responsible for the event |
+| `InitiatingProcessVersionInfoCompanyName` | string | Company name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoProductName` | string | Product name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoProductVersion` | string | Product version from the version information of the process (image file) responsible for the event |
+|` InitiatingProcessVersionInfoInternalFileName` | string | Internal file name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoOriginalFileName` | string | Original file name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoFileDescription` | string | Description from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
+| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
+| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+| `AdditionalFields` | string | Additional information about the event in JSON array format |
## Related topics - [Advanced hunting overview](advanced-hunting-overview.md)
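Review bot: in the `InitiatingProcessVersionInfoInternalFileName` row the opening backtick sits before the space (`|\` InitiatingProcessVersionInfoInternalFileName\``), so the rendered code span starts with a space and the cell is misaligned with the other rows; move the backtick after the space. The `InitiatingProcessFileSize` description added here (`Size of the file that ran the process responsible for the event`) also differs from the wording used for the same column in the DeviceFileEvents table in this commit (`Size of the process (image file) that initiated the event`); pick one phrasing for both tables.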
security Advanced Hunting Devicefileevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicefileevents-table.md
For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event | | `InitiatingProcessAccountUpn` | string | User principal name (UPN) of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountObjectId` | string | Azure AD object ID of the user account that ran the process responsible for the event |
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event | | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event | | `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated ΓÇö use the SHA1 column when available. | | `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event | | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
+| `InitiatingProcessFileSize` | long | Size of the process (image file) that initiated the event |
+| `InitiatingProcessVersionInfoCompanyName` | string | Company name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoProductName` | string | Product name from the version information of the process (image file) responsible for the event |
+|` InitiatingProcessVersionInfoProductVersion` | string | Product version from the version information of the process (image file) responsible for the event |
+|` InitiatingProcessVersionInfoInternalFileName` | string | Internal file name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoOriginalFileName` | string | Original file name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoFileDescription` | string | Description from the version information of the process (image file) responsible for the event |
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
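Review bot: the `InitiatingProcessVersionInfoProductVersion` and `InitiatingProcessVersionInfoInternalFileName` rows have the opening backtick before the space (`|\` InitiatingProcess...`), so the code span starts with a space and the column names render inconsistently with the rows around them; move the backtick after the space.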
For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event | | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started | | `RequestProtocol` | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS |
-| `ShareName` | string | Name of shared folder containing the file |
| `RequestSourceIP` | string | IPv4 or IPv6 address of the remote device that initiated the activity | | `RequestSourcePort` | string | Source port on the remote device that initiated the activity | | `RequestAccountName` | string | User name of account used to remotely initiate the activity | | `RequestAccountDomain` | string | Domain of the account used to remotely initiate the activity | | `RequestAccountSid` | string | Security Identifier (SID) of the account used to remotely initiate the activity |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-| `AdditionalFields` | string | Additional information about the entity or event |
+| `ShareName` | string | Name of shared folder containing the file |
| `InitiatingProcessFileSize` | long | Size of the file that ran the process responsible for the event | | `SensitivityLabel` | string | Label applied to an email, file, or other content to classify it for information protection | | `SensitivitySubLabel` | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently | | `IsAzureInfoProtectionApplied` | boolean | Indicates whether the file is encrypted by Azure Information Protection |-
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
+| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+| `AdditionalFields` | string | Additional information about the entity or event |
>[!NOTE] > File hash information will always be shown when it is available. However, there are several possible reasons why a SHA1, SHA256, or MD5 cannot be calculated. For instance, the file might be located in remote storage, locked by another process, compressed, or marked as virtual. In these scenarios, the file hash information appears empty.
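Review bot: `InitiatingProcessFileSize` is now listed twice in this table: the earlier hunk adds it after `InitiatingProcessFileName`, and the unchanged row `| InitiatingProcessFileSize | long | Size of the file that ran the process responsible for the event |` between `ShareName` and `SensitivityLabel` is still present; remove the older row so the column appears once, with a single description. The trailing `|-` on the `IsAzureInfoProtectionApplied` row also looks like a stray character or a lost line break; check the raw file.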
security Advanced Hunting Deviceimageloadevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceimageloadevents-table.md
For information on other tables in the advanced hunting schema, [see the advance
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to | | `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated ΓÇö use the SHA1 column when available. | | `MD5` | string | MD5 hash of the file that the recorded action was applied to |
+| `FileSize` | long | Size of the file in bytes |
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated ΓÇö use the SHA1 column when available. | | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event | | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
+| `InitiatingProcessFileSize` | long | Size of the file that ran the process responsible for the event |
+| `InitiatingProcessVersionInfoCompanyName` | string | Company name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoProductName` | string | Product name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoProductVersion`| string | Product version from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoInternalFileName` | string | Internal file name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoOriginalFileName` | string | Original file name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoFileDescription` | string | Description from the version information of the process (image file) responsible for the event |
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-| `InitiatingProcessFileSize` | long | Size of the file that ran the process responsible for the event |
-| `FileSize` | long | Size of the file in bytes |
## Related topics - [Advanced hunting overview](advanced-hunting-overview.md)
security Advanced Hunting Deviceinfo Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceinfo-table.md
For information on other tables in the advanced hunting schema, [see the advance
| `AadObjectId` | string | Unique identifier for the device in Azure AD | | `LoggedOnUsers` | string | List of all users that are logged on the machine at the time of the event in JSON array format | | `RegistryDeviceTag` | string | Machine tag added through the registry |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
-|`AdditionalFields` | string | Additional information about the event in JSON array format |
| `OSVersion` | string | Version of the operating system running on the machine | | `MachineGroup` | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
+|`AdditionalFields` | string | Additional information about the event in JSON array format |
The `DeviceInfo` table provides device information based on heartbeats, which are periodic reports or signals from a device. Every fifteen minutes, the device sends a partial heartbeat that contains frequently changing attributes like `LoggedOnUsers`. Once a day, a full heartbeat containing the device's attributes is sent.
security Advanced Hunting Devicelogonevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicelogonevents-table.md
For information on other tables in the advanced hunting schema, [see the advance
| `DeviceId` | string | Unique identifier for the machine in the service | | `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | | `ActionType` | string |Type of activity that triggered the event |
+| `LogonType` | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> |
| `AccountDomain` | string | Domain of the account | | `AccountName` | string | User name of the account | | `AccountSid` | string | Security Identifier (SID) of the account | | `Protocol` | string | Protocol used during the communication | | `FailureReason` | string | Information explaining why the recorded action failed |
-| `LogonType` | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> |
+| `IsLocalAdmin` | boolean | Boolean indicator of whether the user is a local administrator on the machine |
| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | | `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information | | `RemoteIP` | string | IP address that was being connected to | | `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | | `RemotePort` | int | TCP port on the remote device that was being connected to |
-| `AdditionalFields` | string | Additional information about the event in JSON array format |
-| `InitiatingProcessFileSize` | long | Size of the file that ran the process responsible for the event |
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
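Review bot: the new `IsLocalAdmin` row opens with "Boolean indicator of whether...", which repeats the data type column; the other boolean rows in this digest (`IsAzureInfoProtectionApplied`, `IsCompliant`, `IsApplicable`) use "Indicates whether ...", so "Indicates whether the user is a local administrator on the machine" would match. While this block is being touched, the unchanged `RemoteDeviceName` row says "fully-qualified domain name (FQDN)" whereas the `DeviceName` row a few lines up says "Fully qualified domain name (FQDN)"; pick one hyphenation.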
For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populatedΓÇöuse the SHA1 column when available | | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event | | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
+| `InitiatingProcessFileSize` | long | Size of the file that ran the process responsible for the event |
+| `InitiatingProcessVersionInfoCompanyName` | string | Company name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoProductName` | string | Product name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoProductVersion` | string | Product version from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoInternalFileName` | string | Internal file name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoOriginalFileName` | string | Original file name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoFileDescription` | string | Description from the version information of the process (image file) responsible for the event |
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-| `IsLocalAdmin` | boolean | Boolean indicator of whether the user is a local administrator on the machine |
+| `AdditionalFields` | string | Additional information about the event in JSON array format |
## Related topics - [Advanced hunting overview](advanced-hunting-overview.md)
security Advanced Hunting Devicenetworkevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table.md
For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event | | `InitiatingProcessFileName` | string | Name of the process that initiated the event | | `InitiatingProcessFileSize` | long | Size of the file that ran the process responsible for the event |
+| `InitiatingProcessVersionInfoCompanyName` | string | Company name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoProductName` | string | Product name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoProductVersion` | string | Product version from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoInternalFileName` | string | Internal file name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoOriginalFileName` | string | Original file name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoFileDescription` | string | Description from the version information of the process (image file) responsible for the event |
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event | | `InitiatingProcessAccountUpn` | string | User principal name (UPN) of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountObjectId` | string | Azure AD object ID of the user account that ran the process responsible for the event |
| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
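Review bot: the unchanged `InitiatingProcessTokenElevation` row that closes this hunk expands UAC as "User Access Control"; the Windows feature is User Account Control, so the description should read "User Account Control (UAC) privilege elevation". The added `InitiatingProcessAccountObjectId` row itself is consistent with the `InitiatingProcessAccountUpn` row directly above it.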
security Advanced Hunting Devicenetworkinfo Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicenetworkinfo-table.md
For information on other tables in the advanced hunting schema, [see the advance
| `Timestamp` | datetime | Date and time when the event was recorded | | `DeviceId` | string | Unique identifier for the machine in the service | | `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
| `NetworkAdapterName` | string | Name of the network adapter | | `MacAddress` | string | MAC address of the network adapter | | `NetworkAdapterType` | string | Network adapter type. For the possible values, refer to [this enumeration](/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) |
For information on other tables in the advanced hunting schema, [see the advance
| `IPv6Dhcp` | string | IPv6 address of DHCP server | | `DefaultGateways` | string | Default gateway addresses in JSON array format | | `IPAddresses` | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
## Related topics - [Advanced hunting overview](advanced-hunting-overview.md)
security Advanced Hunting Deviceprocessevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table.md
For information on other tables in the advanced hunting schema, [see the advance
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to | | `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated ΓÇö use the SHA1 column when available. | | `MD5` | string | MD5 hash of the file that the recorded action was applied to |
+| `FileSize` | long | Size of the file in bytes |
+| `ProcessVersionInfoCompanyName` | string | Company name from the version information of the newly created process |
+| `ProcessVersionInfoProductName` | string | Product name from the version information of the newly created process |
+| `ProcessVersionInfoProductVersion` | string | Product version from the version information of the newly created process |
+| `ProcessVersionInfoInternalFileName` | string | Internal file name from the version information of the newly created process |
+| `ProcessVersionInfoOriginalFileName` | string | Original file name from the version information of the newly created process |
+| `ProcessVersionInfoFileDescription` | string | Description from the version information of the newly created process |
| `ProcessId` | int | Process ID (PID) of the newly created process | | `ProcessCommandLine` | string | Command line used to create the new process | | `ProcessIntegrityLevel` | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
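Review bot: the unchanged `ProcessIntegrityLevel` row at the end of this hunk says "launched from an internet downloaded"; the same sentence in the DeviceNetworkEvents entry of this digest reads "launched from an internet download", which is the correct form. Since this hunk already rewrites the neighbouring rows, fix the typo here as well.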
For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event | | `InitiatingProcessFileName` | string | Name of the process that initiated the event | | `InitiatingProcessFileSize` | long | Size of the file that ran the process responsible for the event |
+| `InitiatingProcessVersionInfoCompanyName` | string | Company name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoProductName` | string | Product name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoProductVersion` | string | Product version from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoInternalFileName` | string | Internal file name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoOriginalFileName` | string | Original file name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoFileDescription` | string | Description from the version information of the process (image file) responsible for the event |
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event | | `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event | | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
+| `InitiatingProcessSignerType` | string | Type of file signer of the process (image file) that initiated the event |
+| `InitiatingProcessSignatureStatus` | string | Information about the signature status of the process (image file) that initiated the event |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | | `AdditionalFields` | string | Additional information about the event in JSON array format |
-| `FileSize` | long | Size of the file in bytes |
+ ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md)
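Review bot: the new `InitiatingProcessSignerType` and `InitiatingProcessSignatureStatus` rows do not say what values the columns can hold, so a reader writing a query has nothing concrete to filter on. The `SignatureState` row added to the FileProfile entry in this same digest shows the pattern to follow (each state listed with a one-line meaning), and the `LogonType` row in DeviceLogonEvents does the same; list the signer types and signature statuses the same way.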
security Advanced Hunting Deviceregistryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceregistryevents-table.md
For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event | | `InitiatingProcessFileName` | string | Name of the process that initiated the event | | `InitiatingProcessFileSize` | long | Size of the file that ran the process responsible for the event |
+| `InitiatingProcessVersionInfoCompanyName` | string | Company name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoProductName` | string | Product name from the version information of the process (image file) responsible for the event |
+|` InitiatingProcessVersionInfoProductVersion` | string | Product version from the version information of the process (image file) responsible for the event |
+|` InitiatingProcessVersionInfoInternalFileName` | string | Internal file name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoOriginalFileName` | string | Original file name from the version information of the process (image file) responsible for the event |
+| `InitiatingProcessVersionInfoFileDescription` | string | Description from the version information of the process (image file) responsible for the event |
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
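Review bot: the added `InitiatingProcessVersionInfoProductVersion` and `InitiatingProcessVersionInfoInternalFileName` rows put the opening backtick before the space, as in |` InitiatingProcessVersionInfoProductVersion`, so the rendered column name carries a leading space and a copy-paste into a query yields a wrong identifier. Write them as the other rows in the block do, with the backtick immediately before the name: | `InitiatingProcessVersionInfoProductVersion` | and | `InitiatingProcessVersionInfoInternalFileName` |. The same two rows are written correctly in the DeviceProcessEvents and DeviceNetworkEvents entries of this digest.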
security Advanced Hunting Devicetvmsecureconfigurationassessment Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
For information on other tables in the advanced hunting schema, see [the advance
| `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured | | `IsApplicable` | boolean | Indicates whether the configuration or policy applies to the device | | `Context` | string | Additional contextual information about the configuration or policy |
-| `IsExpectedUserImpactCompliant` | boolean | Indicates whether there will be user impact if the configuration or policy is applied |
+| `IsExpectedUserImpact` | boolean | Indicates whether there will be user impact if the configuration or policy is applied |
## Related topics
security Advanced Hunting Expert Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-expert-training.md
ms.technology: m365d
Boost your knowledge of advanced hunting quickly with _Tracking the adversary_, a webcast series for new security analysts and seasoned threat hunters. The series guides you through the basics all the way to creating your own sophisticated queries. Start with the first video on fundamentals or jump to more advanced videos that suit your level of experience. - | Title | Description | Watch | Queries | |--|--|--|--| | Episode 1: KQL fundamentals | This episode covers the basics of advanced hunting in Microsoft 365 Defender. Learn about available advanced hunting data and basic KQL syntax and operators. | [YouTube](https://youtu.be/0D9TkGjeJwM?t=351) (54:14) | [CSL file](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%201%20-%20KQL%20Fundamentals.csl) |
security Advanced Hunting Fileprofile Function https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-fileprofile-function.md
ms.technology: m365d
The `FileProfile()` function is an enrichment function in [advanced hunting](advanced-hunting-overview.md) that adds the following data to files found by the query. | Column | Data type | Description |
-||-|-|
-| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
-| SHA256 | string | SHA-256 of the file that the recorded action was applied to |
-| MD5 | string | MD5 hash of the file that the recorded action was applied to |
-| FileSize | int | Size of the file in bytes |
-| GlobalPrevalence | int | Number of instances of the entity observed by Microsoft globally |
-| GlobalFirstSeen | datetime | Date and time when the entity was first observed by Microsoft globally |
-| GlobalLastSeen | datetime | Date and time when the entity was last observed by Microsoft globally |
-| Signer | string | Information about the signer of the file |
-| Issuer | string | Information about the issuing certificate authority (CA) |
-| SignerHash | string | Unique hash value identifying the signer |
-| IsCertificateValid | boolean | Whether the certificate used to sign the file is valid |
-| IsRootSignerMicrosoft | boolean | Indicates whether the signer of the root certificate is Microsoft |
-| IsExecutable | boolean | Whether the file is a Portable Executable (PE) file |
-| ThreatName | string | Detection name for any malware or other threats found |
-| Publisher | string | Name of the organization that published the file |
-| SoftwareName | string | Name of the software product |
+|||-|
+| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
+| `SHA256` | string | SHA-256 of the file that the recorded action was applied to |
+| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
+| `FileSize` | int | Size of the file in bytes |
+| `GlobalPrevalence` | int | Number of instances of the entity observed by Microsoft globally |
+| `GlobalFirstSeen` | datetime | Date and time when the entity was first observed by Microsoft globally |
+| `GlobalLastSeen` | datetime | Date and time when the entity was last observed by Microsoft globally |
+| `Signer` | string | Information about the signer of the file |
+| `Issuer` | string | Information about the issuing certificate authority (CA) |
+| `SignerHash` | string | Unique hash value identifying the signer |
+| `IsCertificateValid` | boolean | Whether the certificate used to sign the file is valid |
+| `IsRootSignerMicrosoft` | boolean | Indicates whether the signer of the root certificate is Microsoft |
+| `SignatureState` | string | State of the file signature: SignedValid - the file is signed with a valid signature, SignedInvalid - the file is signed but the certificate is invalid, Unsigned - the file is not signed, Unknown - information about the file cannot be retrieved
+| `IsExecutable` | boolean | Whether the file is a Portable Executable (PE) file |
+| `ThreatName` | string | Detection name for any malware or other threats found |
+| `Publisher` | string | Name of the organization that published the file |
+| `SoftwareName` | string | Name of the software product |
## Syntax
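Review bot: the replacement table delimiter row `|||-|` has empty delimiter cells for the first two columns; several Markdown renderers will not accept that as a header separator, and the whole table then renders as plain text. Use `|--|--|--|`, the form the Expert Training entry on this page already uses. Two smaller points in the same block: the new `SignatureState` row is missing its closing `|`, and `FileSize` is typed `int` here while every other table in this digest types `FileSize` and `InitiatingProcessFileSize` as `long`; confirm which is right for the function output and make them agree.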
security Advanced Hunting Identitylogonevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table.md
For information on other tables in the advanced hunting schema, [see the advance
|-|--|-| | `Timestamp` | datetime | Date and time when the event was recorded | | `ActionType` | string | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details |
-| `LogonType` | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start |
| `Application` | string | Application that performed the recorded action |
+| `LogonType` | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start |
| `Protocol` | string | Network protocol used | | `FailureReason` | string | Information explaining why the recorded action failed | | `AccountName` | string | User name of the account |
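Review bot: the `LogonType` row being moved here is word for word the DeviceLogonEvents description (it refers to "the machine", the local keyboard and screen, and PsExec), while this table is IdentityLogonEvents. The move itself is fine, but since the row is being touched anyway, confirm that these five session types and their device-centric wording are what this table actually reports, or reword the descriptions for identity logons.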
security Custom Detection Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-detection-rules.md
With the query in the query editor, select **Create detection rule** and specify
- **Recommended actions**ΓÇöadditional actions that responders might take in response to an alert #### Rule frequency
-When you save or edit a new rule, it runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals, applying a lookback duration based on the frequency you choose:
+When you save a new rule, it runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals, applying a lookback duration based on the frequency you choose:
- **Every 24 hours**ΓÇöruns every 24 hours, checking data from the past 30 days - **Every 12 hours**ΓÇöruns every 12 hours, checking data from the past 24 hours - **Every 3 hours**ΓÇöruns every 3 hours, checking data from the past 6 hours - **Every hour**ΓÇöruns hourly, checking data from the past 2 hours
+When you edit a rule, it will run with the applied changes in the next run time scheduled according to the frequency you set.
+++ >[!TIP] > Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored.
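Review bot: the new sentence "it will run with the applied changes in the next run time scheduled according to the frequency you set" reads awkwardly; suggest "When you edit a rule, the changes take effect at the next scheduled run, according to the frequency you set." Also, the `+++` just before the TIP adds three blank lines where one separator line is enough.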
security Mtp Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/mtp-permissions.md
- Title: Manage access to Microsoft 365 Defender data in the Microsoft 365 security center
-description: Learn how to manage permissions to data in Microsoft 365 Defender
-keywords: access, permissions, MTP, Microsoft Threat Protection, M365, security, MCAS, MDATP, Cloud App Security, Microsoft Defender Advanced Threat Protection, scope, scoping, RBAC
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
- - NOCSH
-----
- - MOE150
- - MET150
--
-# Manage access to Microsoft 365 Defender with Azure Active Directory global roles
---
-**Applies to:**
-- Microsoft 365 Defender-
-There are two ways to manage access to Microsoft 365 Defender
-- **Global Azure Active Directory (Azure AD) roles**-- **Custom role access**-
-Accounts assigned the following **Global Azure AD roles** can access Microsoft 365 Defender functionality and data:
-- Global administrator-- Security administrator-- Security Operator-- Global Reader-- Security Reader-
-To review accounts with these roles, [view Permissions in the Microsoft 365 security center](https://security.microsoft.com/permissions).
-
-**Custom role** access is a new capability in Microsoft 365 Defender and allows you to manage access to specific data, tasks, and capabilities in Microsoft Defender 365. Custom roles offer more control than global Azure AD roles, providing users only the access they need with the least-permissive roles necessary. Custom roles can be created in addition to global Azure AD roles. [Learn more about custom roles](custom-roles.md).
-
->![NOTE]
->This article applies only to managing global Azure AD roles. For more information about using custom role-based access control, see [Custom roles for role-based access control](custom-roles.md)
-
-## Access to functionality
-Access to specific functionality is determined by your [Azure AD role](/azure/active-directory/users-groups-roles/directory-assign-admin-roles). Contact a global administrator if you need access to specific functionality that requires you or your user group be assigned a new role.
-
-### Approve pending automated tasks
-[Automated investigation and remediation](mtp-autoir-actions.md) can take action on emails, forwarding rules, files, persistence mechanisms, and other artifacts found during investigations. To approve or reject pending actions that require explicit approval, you must have certain roles assigned in Microsoft 365. To learn more, see [Action center permissions](mtp-action-center.md#required-permissions-for-action-center-tasks).
-
-## Access to data
-Access to Microsoft 365 Defender data can be controlled using the scope assigned to user groups in Microsoft Defender for Endpoint role-based access control (RBAC). If your access has not been scoped to a specific set of devices in the Defender for Endpoint, you will have full access to data in Microsoft 365 Defender. However, once your account is scoped, you will only see data about the devices in your scope.
-
-For example, if you belong to only one user group with a Microsoft Defender for Endpoint role and that user group has been given access to sales devices only, you will see only data about sales devices in Microsoft 365 Defender. [Learn more about RBAC settings in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/rbac)
-
-### Microsoft Cloud App Security access controls
-During the preview, Microsoft 365 Defender does not enforce access controls based on Cloud App Security settings. Access to Microsoft 365 Defender data is not affected by these settings.
-
-## Related topics
-- [Custom roles in role-based access control for Microsoft 365 Defender](custom-roles.md)-- [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles)-- [Microsoft Defender for Endpoint RBAC](/windows/security/threat-protection/microsoft-defender-atp/rbac)-- [Cloud App Security roles](/cloud-app-security/manage-admins)
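Review bot: This hunk removes the entire mtp-permissions.md article with no visible replacement or redirect entry, yet the content it drops is referenced by relative links elsewhere in the set (custom-roles.md, mtp-action-center.md, mtp-autoir-actions.md link back to it), so inbound links will 404 unless a redirect accompanies the removal; confirm one is added for the old path. Two statements in the removed text are security-relevant and should be shown to survive at the new location rather than silently disappear: the rule that an account not scoped to a device set in Defender for Endpoint RBAC gets full access to all Microsoft 365 Defender data ("If your access has not been scoped ... you will have full access"), which is the main least-privilege caveat an admin needs, and the preview caveat that Cloud App Security access controls are not enforced in Microsoft 365 Defender. If the article is merely being renamed, the broken note syntax ">![NOTE]" (should be "> [!NOTE]") and the list of Global Azure AD roles with admin-center access are worth carrying over with the syntax fixed.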