-You can easily see how people in your business are using Microsoft 365 services. For example, you can identify who is using a service a lot and reaching quotas, or who may not need a Microsoft 365 license at all. Perpetual license model will not be included in the reports.

-2. Click the **View more** button from the at-a-glance activity card for a service (such as email or OneDrive) to see the report detail page. On that page, different reports for the service are provided in tabs.

-> When you move or copy documents that have version history, only the latest version is moved.

- > .uk domains require a different procedure. Contact Microsoft Support and request an **IPS Tag change** to match the registrar you want to manage your domain going forward. Once the tag changes, the domain immediately transfers to the new registrar. You will then need to work with the new registrar to complete the transfer, likely paying transfer fees and adding the transferred domain to your account with your new registrar.

- - Microsoft 365 admin center

-1. If you don't want users to have to change passwords, uncheck the box next to **Set passwords to never expire**.

-> Password expiration notifications are no longer supported in the Microsoft 365 admin center and the Office apps or Office web apps.

-|**Blogs** and **Community** <br/> |Visit Office Blogs, Microsoft Community, and Microsoft Tech Community to learn more details about changes in Microsoft 365 and share experiences with other users. <br/> |Visit [Office Blogs](https://www.microsoft.com/en-us/microsoft-365/blog/). Visit [Microsoft Community](https://answers.microsoft.com). Visit [Microsoft Tech Community](https://techcommunity.microsoft.com). <br/> |

-|Remove all assigned licenses <br/> |Another option is to remove any Microsoft 365 licenses assigned to the user. This prevents them from using applications and services like the Office suite, Office apps for the web, Yammer, and SharePoint Online. They can still sign in but canΓÇÖt use these services. <br/> |Use when you feel this user no longer needs access to specific features in Microsoft 365. <br/> <br> **Important:** When you remove a license, the user's mailbox will be deleted in 30 days.

-In this introductory course, you'll learn the six critical elements to drive adoption of your Microsoft cloud services to deliver value to your company. This course is applicable to any size company and uses Office 365 and Microsoft Teams as the example service to create real-world scenarios. For more information about training for adoption specialists, read [Use the Microsoft service adoption framework to drive adoption in your enterprise](/training/paths/m365-service-adoption).

-This setting controls whether users can give that consent to apps that use OpenID Connect and OAuth 2.0 for sign-in and requests to access data. An app can be created from within your own organization, or it can come from another Office 365 organization or a third-party.

-A user can give access only to apps they own that access their Office 365 information. They can't give an app access to any other user's information.

- When you're finished, you'll be ready to install Office apps and migrate your email and calendar items to Microsoft 365.

-|Step 5 | [Install Office apps and Microsoft Teams](../setup/install-applications.md).</br> All the people who have Microsoft 365 licenses should install the Office apps on their work devices.|

-1. Optionally, install Office apps, then select **Continue**.

-

-

-Multifactor authentication means you and your employees must provide more than one way to sign in to Microsoft 365 is one of the easiest ways to secure your business. Based on your understanding of [multifactor authentication (MFA) and its support in Microsoft 365](multi-factor-authentication-microsoft-365.md), it's time to set it up and roll it out to your organization.

-## Next steps

-You must set up Office apps on your devices so you can edit files that are stored on your team site from your tablet or phone. If you don't install the Office apps for your tablet or phone, you'll be able to view the files on your team site, but not edit them.

- - [Install and set up Office on an Android with Microsoft 365](https://support.microsoft.com/office/cafe9d6f-8b0c-4b03-b20a-12438a82a22d)

- - [Install and set up Office on an iPhone or iPad with Microsoft 365](https://support.microsoft.com/office/9df6d10c-7281-4671-8666-6ca8e339b628)

- - [Set up Office on Windows Phone with Microsoft 365](https://support.microsoft.com/office/2b7c1b51-a717-45d6-90c9-ee1c1c5ee0b7)

-description: "Now that you've set up Microsoft 365, learn how to install individual Office applications on your Mac, PC, or mobile devices."

-# Install Office applications

-Now that you've set up Microsoft 365, you can install individual Office applications on your Mac, PC, or mobile devices.

-## Watch: Install Office apps

-Microsoft Office apps can be found on your **Start** menu. If you don't see them, you can install them yourself.

-1. Go to office.com. You might need to sign in with your work account.

-2. Select **Install Office** > **Microsoft 365 apps** > **Run** , and then select **Yes**.

-3. The Office apps are installed. The process may take several minutes. When it completes, select **Close**.

-4. To install Microsoft Teams, go to the office.com page, and choose **Teams**.

-

-[Install Office applications](install-applications.md) (link page)\

-[Overview of the Microsoft 365 admin center](Overview of the Microsoft 365 admin center](../admin-overview/admin-center-overview.md) (video)

-### Add priority accounts from the Setup page

-Add priority accounts from the **Setup page**.

-1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a>.

-2. Go to **Setup** > **Organizational knowledge**, and choose **View** under **Monitor your most important accounts**.

-3. Select **Get Started** or **Manage**.

-4. On the **Add Priority accounts** page, in the search field, type the name or email address of the person you want to add to the priority accounts list. You can also set your email threshold for failed or delayed emails and get a weekly report of issues for priority accounts.

-5. Select the user and choose **Save**.

-## Watch: Where to store files in Office 365

-You can enable third-party storage for your users in Microsoft 365 so they can store and share documents using services like Dropbox in addition to OneDrive and team sites. This can be a great way to provide services that your users may already be using or prefer to use for business projects. If you don't want people in your organization using Office to open files in a third-party service, follow these steps to turn it off.

-3. On the **Services** tab, select **Office on the web**.

- - [Install and set up Office on an Android with Microsoft 365](https://support.microsoft.com/office/cafe9d6f-8b0c-4b03-b20a-12438a82a22d)

- - [Install and set up Office on an iPhone or iPad with Microsoft 365](https://support.microsoft.com/office/9df6d10c-7281-4671-8666-6ca8e339b628)

- - [Set up Office on Windows Phone with Microsoft 365](https://support.microsoft.com/office/2b7c1b51-a717-45d6-90c9-ee1c1c5ee0b7)

-description: "Install Office on an iPhone or an Android phone, and your work files in Office apps will be protected by Microsoft 365 for business."

-Follow the instructions in the tabs to install Office on an iPhone or an Android phone. After you follow these steps, your work files created in Office apps will be protected by Microsoft 365 for business.

-The example is for Outlook, but applies for any other Office apps you want to install also.

-Watch a short video on how to set up Office apps on iOS devices with Microsoft 365 for business.<br><br>

-Watch a video about installing Outlook and Office on Android devices.<br><br>

-# Set up Microsoft 365 Apps for business

-3. On the first page you will get the option to install Office apps on your computer. You can also do this later.

-3. On the next page you can add users and they will automatically get assigned the Microsoft Apps for business license. After you've added the users, you'll also get an option to share credentials with the new users you added. You can choose to print them out, email them, or download them.

-## Install Office

-Once you've created accounts for other people in your business, you and your team members will be able to install the full desktop version of Office (Word, Excel, Outlook, etc.). Each person can install Office on up to 5 PCs or Macs.

-Need more detailed steps or want to install the 64-bit version of Office? See [Step-by-step installation instructions](https://support.microsoft.com/office/4414eaaf-0478-48be-9c42-23adc4716658#BKMK_InstallSteps).

-Install Office on your mobile device, and set up Outlook to work with your new Microsoft mailbox. Everyone on your team will need to do this step. Each person can install the Office mobile apps on up to 5 phones and 5 tablets.

-Microsoft makes online file storage easy. To learn which storage locations are best for your business, see [Where you can store files in Office 365](https://support.microsoft.com/office/d18d21a0-1f9f-4f6c-ac45-d52afa0a4a2e).

-1. On your computer, use File Explorer to open OneDrive. Or, from [Office 365](https://www.office.com), open **OneDrive** from the app launcher.

-## Get started using Office

-To take a tour of Microsoft 365 and learn how to use all the Office mobile apps, see [Get started](../admin-overview/get-started-with-office-365.md).

-4. Follow the steps in the wizard to [Create DNS records at any DNS hosting provider for Office 365](/office365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider) that verifies you own the domain. If you know your domain host, see also [Add a domain to Microsoft 365](/microsoft-365/admin/setup/add-domain).

-1. The setup wizard typically detects your registrar and gives you a link to step-by-step instructions for updating your NS records at the registrar website. If it doesn't, [Change nameservers to set up Office 365 with any domain registrar](../get-help-with-domains/change-nameservers-at-any-domain-registrar.md).

-2. Follow the steps to buy a new domain and enter the domain name you want to use (like contoso.com). After you've completed buying your domain, you can [add users and licenses](../add-users/add-users.md) and install your Office apps in the admin center.

-2. On the **Install your Office apps** page, you can optionally install the apps on your own computer.

-4. Follow the steps to [Create DNS records at any DNS hosting provider for Office 365](/office365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider) that verifies you own the domain. If you know your domain host, see also [Add a domain to Microsoft 365](/microsoft-365/admin/setup/add-domain).

-1. The setup wizard typically detects your registrar and gives you a link to step-by-step instructions for updating your NS records at the registrar website. If it doesn't, [Change nameservers to set up Office 365 with any domain registrar](../get-help-with-domains/change-nameservers-at-any-domain-registrar.md).

- When the signup process is complete, you'll be directed to the admin center, where you'll follow a wizard to install Office apps, add your domain, add users, and assign licenses. After you complete the initial setup, you can use the **Setup** page in the admin center to continue setting up and configuring the services that come with your subscriptions.

-2. Follow the steps to buy a new domain and enter the domain name you want to use (like contoso.com). After you've completed buying your domain, you can [add users and licenses](../add-users/add-users.md) and install your Office apps in the admin center.

-After installing the Office apps, you&#39;ll want set up Outlook to start using email, calendar, and contacts. Here&#39;s how.

-### How do I help someone install Microsoft Office?

-Send them this article to help them install Office: [Download and install Microsoft 365 Office or Office 2019 on a PC or a MAC](https://support.microsoft.com/office/download-and-install-or-reinstall-microsoft-365-or-office-2019-on-a-pc-or-mac-4414eaaf-0478-48be-9c42-23adc4716658).

-> Once you attach a domain, and you and your users use business accounts to save data into the Microsoft cloud, you can conduct data subject requests on behalf of all users by following guidance in the [Office 365 Data Subject Requests for the GDPR and CCPA](/compliance/regulatory/gdpr-dsr-office365) topic.

-|Available apps and services|Use Word, Excel, PowerPoint, OneDrive, Teams, Access. This set of apps is best for very small businesses who don't need branded email immediately, or who already use branded email from a different provider and do not intend to switch to use Microsoft Exchange. You'll use Outlook with your existing email account (be it outlook.com, Hotmail, Yahoo, Gmail or other).|Use Word, Excel, PowerPoint, OneDrive, Teams, Access. Microsoft 365 Business Standard with Option 2 also lets you access a wide range of additional

-3. On the **Confirmation details** page, we'll give you some more info about your subscription. You can now go to the Microsoft 365 admin center to add users, install Office apps, invite your team to use Microsoft 365 and more. We'll also send you an email with set up steps for Microsoft 365 Business Standard.

-If you previously used Simplified Sign Up mode to purchase a business subscription before October 2021 without adding a business domain you may need to accept new terms of service for uninterrupted service and usage of the Microsoft Office apps. You may be sent emails or you'll see in-app prompts when you sign in to Microsoft 365 admin Center.

-|Available apps and services|Sign in with your existing email account (Hotmail, Gmail, Yahoo) using the new Business Standard signup process. Microsoft Teams with cloud storage in OneDrive. Free web versions of Word, Excel, PowerPoint on Office.com to edit files shared in Teams. <br/><br/> **This set of apps is best for very small businesses who need to collaborate effectively over video meetings and chat**. |Microsoft Teams and OneDrive. Microsoft Exchange, SharePoint, Bookings, Planner and Lists. Premium Office web versions of Word, Excel, PowerPoint on Office.com. <br/><br/> **Microsoft 365 Business Basic also lets you access a wide range of web-based services**: <ul><li>New, branded business email accounts with Outlook, shared calendars within your business.</li><li>Bookings, appointment scheduling and Meeting recordings.</li><li>Shared document storage and SharePoint sites.</li><li> Microsoft Planner and Microsoft Lists.</li></ul> <br/> Microsoft 365 Business Basic offer additional services within Teams with Domain Account Sign-up: <ul><li>Meeting recordings and anonymous call access in Microsoft Teams.</li><li>Easier document sharing within your business.</li><li>Support for the compliance needs for your industry.</li><li>Access and control over your employees' use of services.</li><li>The widest range of integrations of non-Microsoft apps (e.g. Salesforce, Adobe) that work within Teams and Office.</li></ul>|

-Download and start using [Office apps for business](https://support.microsoft.com/office/install-office-apps-from-office-365-dcf2d841-dac7-455b-9a77-fc8f7ee92702).

-When using an upgraded Microsoft 365 Business account, your documents, email and data that you create within Microsoft Office (and within other apps in Microsoft 365 for business subscriptions) will be owned by the technical administrator in your organization. For example, the person who sent you the invitation email or your business owner.

-6. On the Welcome to Microsoft 365 page, you can download Office desktop and mobile apps, and set up OneDrive.

-Download and start using [Office apps for business](https://support.microsoft.com/office/install-office-apps-from-office-365-dcf2d841-dac7-455b-9a77-fc8f7ee92702).

-|Office <br/> |Any user who has activated their Microsoft 365 Pro Plus, Visio Pro or Project Pro subscription on at least one device. <br/> ||

-This summary lets you quickly understand usage patterns in Office and how and where your employees are collaborating.

-The activation and license page offers reports on Microsoft 365 activation; that is, how many users have downloaded and activated Office apps and how many licenses have been assigned by your organization. The month value towards the top refers to the current month, and the metrics reflect values aggregated from the beginning of the month to the current date.

-7. Select **Events on Office 365 calendar affect availability** if you want the free/busy information from staff membersΓÇÖ calendars to impact availability for bookings services through Bookings.

-Bookings with me is a feature of Outlook powered by Bookings. All data is stored within the Microsoft 365 platform and in Exchange. Bookings with me follows data storage policies set by Microsoft, which are the same policies that all Office apps follow. All customer data (including information provided by attendees when booking) is captured in Bookings and is stored within Exchange. For more information, check out [Privacy: It's all about you](https://www.microsoft.com/en-us/trust-center/privacy).

-To customize your booking page, sign in to [Office.com](https://office.com), and then go to **Bookings** \> **Booking page**. You can customize the booking page with the following options. Once you've setup up your Booking Page, you can publish it so people can start booking appointments with you.

-If your IT administrator has granted you [access to Bookings](/microsoft-365/bookings/turn-bookings-on-or-off), you can access the app via Office online.

-# Setup for Microsoft 365 Business for Campaigns

-2. In the browser, go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank"><https://admin.microsoft.com></a>.

-1. Go to <a href="https://office.com" target="_blank"><https://Office.com></a>.

-# Multi-factor authentication

-# Protect your administrator accounts in Microsoft 365 Business Premium

-Because admin accounts come with elevated privileges, they're valuable targets for hackers and cyber criminals. This article describes:

- 1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">Microsoft 365 admin center</a> and then choose **Users** \> **Active users** in the left nav.

-1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">Microsoft 365 admin center</a> and then choose **Users** \> **Active users** in the left nav.

-description: "Know what to watch for in email. Train your team to guard against malware, phishing, and other malicious cyberattacks, using the cybersecurity tools included with Microsoft 365 Business Premium."

-# Protect all email

-In this mission, you bump up your security defenses. You begin by enforcing multifactor authentication (MFA) requirements by using either security defaults or Conditional Access. You'll set up the different admin roles and specific levels of security for them. Admin account access is a high-value target for the enemy hackers, and protecting those accounts is critical because the access and control they provide can impact the entire system. And, you'll protect your email content and devices.

-Stay vigilant - the safety and reliability of the system relies upon you.

-Now that you have Microsoft 365 Business Premium, your first critical mission is to complete your initial setup process right away. Let's get you going!

-Once you've achieved this objective, proceed to [boost your security protection](m365bp-security-overview.md).

-| Operating systems (client) | **Windows**: Windows 11, Windows 10, Windows 8.1<br/>**macOS**: One of the three most recent versions of macOS

-The following details apply to working with your policies in the security center.

-### View existing device protection policies

-To view your existing device protection policies in the Microsoft 365 Defender portal:

-1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.

-1. In the navigation pane, choose **Device configuration**. Policies are organized by operating system (such as **Windows client**) and policy type (such as **Next-generation protection** and **Firewall**).

-1. Select an operating system tab (for example, **Windows clients**), and then review the list of policies under the **Next-generation protection** and **Firewall** categories.

-1. To view more details about a policy, select its name. A side pane will open that provides more information about that policy, such as which devices are protected by that policy.

-### Edit an existing device protection policy

-To edit a device policy:

-1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.

-1. In the navigation pane, choose **Device configuration**. Policies are organized by operating system (such as **Windows client**) and policy type (such as **Next-generation protection** and **Firewall**).

-1. Select an operating system tab (for example, **Windows clients**), and then review the list of policies under the **Next-generation protection** and **Firewall** categories.

-1. To edit a policy, select its name, and then choose **Edit**.

-1. On the **General information** tab, review the information. If necessary, you can edit the description. Then choose **Next**.

-1. On the **Device groups** tab, determine which device groups should receive this policy.

-1. On the **Configuration settings** tab, review the settings. If necessary, you can edit the settings for your policy. To get help with this task, see the following articles:

-1. On the **Review your policy** tab, review the general information, targeted devices, and configuration settings.

-### Create a new device protection policy

-To create a new device protection policy:

-1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.

-1. In the navigation pane, choose **Device configuration**. Policies are organized by operating system (such as **Windows client**) and policy type (such as **Next-generation protection** and **Firewall**).

-1. Select an operating system tab (for example, **Windows clients**), and then review the list of **Next-generation protection** policies.

-1. Under **Next-generation protection** or **Firewall**, select **+ Add**.

-1. On the **General information** tab, take the following steps:

-1. On the **Device groups** tab, either create a new device group, or use an existing group. Policies are assigned to devices through device groups. Here are some things to keep in mind:

-1. On the **Configuration settings** tab, specify the settings for your policy, and then choose **Next**. For more information about the individual settings, see [Understand next-generation configuration settings in Microsoft Defender for Business](../security/defender-business/mdb-next-gen-configuration-settings.md).

-1. On the **Review your policy** tab, review the general information, targeted devices, and configuration settings.

-Use the following information to create and manage device policies in Intune, done through Endpoint security in the Microsoft Intune admin center.

-### Create, duplicate and edit policies

-To create a policy in Intune

-1. Sign in to the Microsoft Intune admin center.

-1. Select **Endpoint security** and the type of policy you want to configure, and then select **Create Policy**.

-1. Choose from the following policy types:

- - Enter the following properties:

-1. Platform: Choose the platform for which you're creating the policy. The available options depend on the policy type you select.

-1. Profile: Choose from the available profiles for the platform you selected. For information about the profiles, see the dedicated section in this article for your chosen policy type.

-1. Select **Create**.

-1. On the Basics page, enter a name and description for the profile, then choose **Next**.

-1. On the Configuration settings page, expand each group of settings, and configure the settings you want to manage with this profile.

-1. When you're done configuring settings, select **Next**.

-1. On the Scope tags page, choose **Select scope tags** to open the **Select tags** pane to assign scope tags to the profile.

-1. Select **Next** to continue.

-1. On the **Assignments** page, select the groups that will receive this profile. For more information on assigning profiles, see Assign user and device profiles.

-1. Select **Next**.

-1. On the Review + create page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.

-To duplicate a policy in Intune:

-1. Sign in to the Microsoft Intune admin center.

-1. Select the policy that you want to copy. Next, select **Duplicate** or select the ellipsis **(...)** to the right of the policy and select **Duplicate**.

-1. Provide a New name for the policy, and then select **Save**.

-To edit a policy:

-1. Select the new policy, and then select **Properties**.

-1. Select **Settings** to expand a list of the configuration settings in the policy. You canΓÇÖt modify the settings from this view, but you can review how they're configured.

-1. To modify the policy, select **Edit** for each category where you want to make a change:

-1. After youΓÇÖve made changes, select **Save** to save your edits. Edits to one category must be saved before you can introduce edits to any additional categories.

-description: "Learn best pratices to protect your business from ransomware, phishing, and malicious URLs or attachments with Microsoft 365 for business."

-After a user connects their device to your organization by signing in with their work account to the device or to Office apps on the device, you can protect the device with the policies you set up. Connected devices are listed on the **Devices** page. If a device is lost or stolen, you can manage it from this page to remove any company data. You can also reset Windows 10 devices to their factory settings to wipe out any custom settings.

-Mobile application management lets you control your business data in your users' personal devices, such as iPhones and Androids, and their personal Windows computers. You can use application management policies to prevent your users from copying business data from Office apps to their personal apps. You can also remove all data from the Office apps on their personal devices. For more information, see [Choose the device management solution that's right for you](/mem/intune/fundamentals/what-is-device-management#choose-the-device-management-solution-thats-right-for-you) and [Set up and secure managed devices](/microsoft-365/business-premium/m365bp-protect-devices).

-2. In the upper right of the page, see the amount of storage used across all sites, and the total storage for your subscription. If your organization has configured Multi-Geo in Office 365, the bar also shows the amount of storage used across all geo locations.

- **For help with Microsoft 365 Family or Microsoft 365 Personal**, see [Using product keys with Office](https://support.microsoft.com/office/12a5763a-d45c-4685-8c95-a44500213759).

-# Manage Microsoft Teams auto-claim policies

-> Auto-claim policies are currently only available for Microsoft Teams. More products will be available to use in the future.

-> [!NOTE]

-> Currently, you can only create one auto-claim policy. The number of policies you can create will increase as more products are able to use this feature.

-If you have Microsoft 365 Apps for enterprise (device) or Microsoft 365 Apps for Education (device), you can assign licenses to devices by using Azure AD groups. When a device has a license, anyone who uses that device can use Microsoft 365 Apps for enterprise (previously named Office 365 ProPlus). For example, let's say you have 20 laptops and tablets that are used by people in your organization. When you assign a license to each device, each person who logs in to one of the devices uses Microsoft 365 Apps for enterprise without the need for their own license.

-If you have more than one subscription, you can assign licenses to different people for each subscription. For example, you can assign all of your users to all Microsoft 365 applications and services as part of a Microsoft 365 Business Standard subscription. You can also assign a subset of users to Visio Online through a separate Visio subscription.

-## How many devices can people install Office on?

-If your subscription includes any of the following products, each person can install Office on up to five PCs or Mac, five tablets, and five phones.

-|Microsoft 365 Apps for enterprise and Microsoft 365 Apps for business|The person can download Office apps on up to five Macs or PCs, five tablets, and five smartphones.|

- **For help with a Microsoft 365 Family or Microsoft 365 Personal product key**, see [Using product keys with Office](https://support.microsoft.com/office/12a5763a-d45c-4685-8c95-a44500213759).

-| "Sorry, this is an invalid product key. Try entering it again. If your product key is for Microsoft 365 Personal or Microsoft 365 Family, redeem it at office.com/setup." <br/><br/>If you're using Office 365 Solo in Japan: "Sorry, this is an invalid product key. Try entering it again. If your product key is for Office 365 Solo, redeem it at office.com/setup." | If you're setting up [Microsoft 365 Family or Personal](https://support.microsoft.com/office/28cbc8cf-1332-4f04-9123-9b660abb629e), you need to redeem your product key at [https://www.office.com/setup](https://www.office.com/setup). Otherwise, for business customers, carefully check the numbers and characters you're entering. |

- **For help with Microsoft 365 Home, or Personal**, see [Using product keys with Office](https://support.microsoft.com/office/12a5763a-d45c-4685-8c95-a44500213759).

-### Uninstall Office (optional)

-If you canceled your subscription, and didn't [move users to a different subscription](move-users-different-subscription.md) that includes Microsoft 365, Microsoft 365 runs in reduced functionality mode. When this happens, users can only read and print documents, and Microsoft 365 applications display [Unlicensed Product notifications](https://support.microsoft.com/office/0d23d3c0-c19c-4b2f-9845-5344fedc4380). To avoid any confusion, have your users [uninstall Office](https://support.microsoft.com/office/9dd49b83-264a-477a-8fcc-2fdf5dbf61d8) from their machines.

-| Users have normal access to Microsoft 365, files, and applications | Users have normal access to Microsoft 365, files, and applications | Users can't access Microsoft 365, files, or applications | Users can't access Microsoft 365, files, or applications |

-| Admins have normal access to Microsoft 365, data, and apps | Admins can access the admin center | Admins can access the admin center, but can't assign licenses to users | Admins can access the admin center to buy and manage other subscriptions |

-While a subscription is active, you and your users have normal access to your data, services like email and OneDrive for Business, and Office applications. As the admin, you'll receive a series of notifications via email and in the admin center as your subscription nears its expiration date.

-In this stage, users have normal access to the Microsoft 365 portal, Office applications, and services such as email and SharePoint Online.

-In this stage, your access decreases significantly. Your users can't sign in, or access services like email or SharePoint Online. Office applications eventually move into a read-only, reduced functionality mode and display [Unlicensed Product notifications](https://support.microsoft.com/office/0d23d3c0-c19c-4b2f-9845-5344fedc4380). You can still sign in and get to the admin center, but can't assign licenses to users. Your customer data, including all user data, email, and files on team sites, is available only to you and other admins.

-Admins and users no longer have access to the services or Office applications that came with the subscription. All customer dataΓÇöfrom user data to documents and emailΓÇöis permanently deleted and is unrecoverable.

-2. Open the Compliance Center settings page and choose **Turn on macOS device monitoring**.

-Device onboarding is shared across Microsoft 365 and Microsoft Defender for Endpoint (MDE). If you've already onboarded devices to MDE, they will appear in the managed devices list and no further steps are necessary to onboard those specific devices. Onboarding devices in Compliance center also onboards them into MDE.

-2. Antimalware Client Version is 4.18.2110 or newer. Check your current version by opening Windows Security app, select the Settings icon, and then select About. The version number is listed under Antimalware Client Version. Update to the latest Antimalware Client Version by installing Windows Update KB4052623.

-3. The following Windows Updates for Windows 10 are installed for devices that will be monitored.

-4. All devices must be one of these:

-5. A supported version of Microsoft Office is installed and up to date. For the most robust protection and user experience, ensure Microsoft 365 Apps version 16.0.14701.0 or newer is installed.

-6. If you have endpoints that use a device proxy to connect to the internet, follow the procedures in [Configure device proxy and internet connection settings for Information Protection](device-onboarding-configure-proxy.md#configure-device-proxy-and-internet-connection-settings-for-information-protection).

-2. Open the Compliance Center settings page and choose **Turn on Windows device monitoring**.

-# Get started with Microsoft Purview Firefox Extension (preview)

-# Learn about the Microsoft Purview Firefox Extension (preview)

-<!--## Create a DLP policy

-All DLP policies are created and maintained in the Microsoft Purview center. See, INSERT LINK TO ARTICLE THAT WILL START WALKING THEM THROUGH THE POLICY CREATION PROCEDURES for more information.-->

-### The priority by which rules are processed

-#### For endpoints

-Priority for rules on endpoints is also assigned according to the order in which it's created. That means, the rule created first has first priority, the rule created second has second priority, and so on.

-When a file on an endpoint matches multiple DLP policies, the first rule that's enabled with most restrictive enforcement on the [endpoint activities](endpoint-dlp-learn-about.md#endpoint-activities-you-can-monitor-and-take-action-on) is the one that gets enforced on the content. For example, if content matches all of the following rules, then rule 2 takes precedence over the other rules since it's the most restrictive.

-In the below example, Rule 1 takes precedence over the other matching rules since it's the most restrictive.

-All the other rules are evaluated but their actions aren't enforced. Audit logs will show the most restrictive rule applied on the file. If there's more than one rule that matches and they're equally restrictive, then policy and rule priority governs which rule would be applied on the file.

-description: "This article describes how to manage eDiscovery (Standard) cases. This includes closing a case, reopening a closed case, and deleting a case."

-# Close, reopen, and delete a eDiscovery (Standard) case

-This article describes how to close, reopen, and delete Microsoft Purview eDiscovery (Standard) cases in Microsoft 365.

-You have to be assigned the *RMS Decrypt* role to preview, review, and export files encrypted with Microsoft encryption technologies. You also have to be assigned this role to review and query encrypted files that are added to a review set in eDiscovery (Premium).

-This role is assigned by default to the eDiscovery Manager role group on the **Permissions** page in the Microsoft Purview compliance portal. For more information about the RMS Decrypt role, see [Assign eDiscovery permissions](ediscovery-assign-permissions.md#rms-decrypt).

-1. In Graph Explorer, run the following GET request to retrieve the ID for the collection that you created in Step 2, and contains the items you want to purge. Use the value `https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases('ediscoverySearchID')/searches` in the address bar of the request query, where *ediscoverySearchID* is the ID that you obtained in the previous procedure. Be sure to surround the ediscoverySearchID with parentheses and single quotation marks.

-1. In Graph Explorer, run the following POST request to purge the items returned by the collection that you created in Step 2. Use the value `https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases/('ediscoveryCaseID')/searches/('ediscoverySearchID')/purgeData` in the address bar of the request query, where *ediscoveryCaseID* and *ediscoverySearchID* are the IDs that you obtained in the previous procedures. Be sure to surround the ID values with parentheses and single quotation marks.

-> [!NOTE]

-> In Microsoft Purview, DLP policy evaluation of sensitive items occurs centrally, so there is no time lag for policies and policy updates to be distributed to individual devices. When a policy is updated in compliance center, it generally takes about an hour for those updates to be synchronized across the service. Once policy updates are synchronized, items on targeted devices are automatically re-evaluated the next time they are accessed or modified. (Preview) For Authorized Groups changes, the policy will need 24 hours to sync

-> [!NOTE]

-> If the **Always audit file activity for devices** setting is on, activities on any Word, PowerPoint, Excel, PDF, and .csv file are always audited even if the device is not targeted by any policy.

-> [!TIP]

-> To ensure activities are audited for all supported file types, create a [custom DLP policy](dlp-create-deploy-policy.md).

-However, if you choose the option to run a Power Automate flow, currently rolling out in preview, this label configuration supports custom actions such as:

-

-In Power Automate, you create an automated cloud flow from blank that uses the trigger **When the retention period expires**. Then, add one or more steps and specify the operations that run your choice of actions.

-## Limitations for this scenario

- 3. From the **Select a Power Automate flow** flyout pane, you'll see any automated cloud flows that you created (or somebody has shared with you) and that have the **When the retention period expires** trigger.

-Twelve digits

-Twelve letters and digits

-16 digits containing optional periods

-16 digits:

-eight digits

-eight digits

-No

-13 digits containing a hyphen

-Yes

- User Name,First Name,Last Name,Display Name,Job Title,Department,Office Number,Office Phone,Mobile Phone,Fax,Address,City,State or Province,ZIP or Postal Code,Country or Region

- chris@contoso.com,Chris,Green,Chris Green,IT Manager,Information Technology,123451,123-555-1211,123-555-6641,123-555-6700,1 Microsoft way,Redmond,Wa,98052,United States

- ben@contoso.com,Ben,Andrews,Ben Andrews,IT Manager,Information Technology,123452,123-555-1212,123-555-6642,123-555-6700,1 Microsoft way,Redmond,Wa,98052,United States

- david@contoso.com,David,Longmuir,David Longmuir,IT Manager,Information Technology,123453,123-555-1213,123-555-6643,123-555-6700,1 Microsoft way,Redmond,Wa,98052,United States

- cynthia@contoso.com,Cynthia,Carey,Cynthia Carey,IT Manager,Information Technology,123454,123-555-1214,123-555-6644,123-555-6700,1 Microsoft way,Redmond,Wa,98052,United States

- melissa@contoso.com,Melissa,MacBeth,Melissa MacBeth,IT Manager,Information Technology,123455,123-555-1215,123-555-6645,123-555-6700,1 Microsoft way,Redmond,Wa,98052,United States

-## Provide feedback

-Use this [form](https://aka.ms/MTOpeoplesearchpreviewfeedback) to provide feedback to the MTO people search team.

-## Frequently asked questions

-If you have questions regarding cross tenant synchronization, see [Cross Tenants Synchronization FAQs](/azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-overview#frequently-asked-questions)

-1. What are the license requirements for MTO people search?

-A: Cross-tenant Synchronization is a pre-requisite to Multi-tenant people search feature. The licensing requirements for cross tenant synchronization can be found here. [License requirements](/azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-overview#license-requirements)

-2. What is the sync schedule?

-A: The cross-tenant sync interval is currently fixed to start at 40-minute intervals. Sync duration varies based on the number of in-scope users. The initial sync cycle is likely to take significantly longer than the following incremental sync cycles.

-3. How long does it take to discover a synced user in M365 people search experiences?

-A: The synced users will be available in the global address list right away. However, it make take up to a day for the user to be discoverable in people search experiences in M365 applications.

-4. What attributes are synchronized from the home to the resource tenant?

-A: Cross-tenant synchronization will sync commonly used attributes on the user object in Azure AD, including (but not limited to) displayName, userPrincipalName, and directory extension attributes.

-Attributes including (but not limited to) managers, photos, custom security attributes, and user attributes outside of the directory can't be synchronized by cross-tenant synchronization.

-All synced attributes will be displayed on the people card if available. For more information on attribute syncing, see [this page.](/azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-overview#attributes)

-7. Is there a limit to how many tenants we can apply this to?

-A: No

-8. Is there a limit on the number of user objects that can be synced?

-A: No. However, it is important to note that if there are more users to be synced in a single job, it will take longer to complete. [How long will it take to provision users](/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user#how-long-will-it-take-to-provision-users)

-9. Can I sync users as guests rather than members?

-A: Yes. However, to enable M365 MTO people search and future MTO scenarios, we require you to sync users as members. Guests are intended for cross-company scenarios, whereas members are intended for tenants within the same company.

-## Week of February 13, 2023

-| Published On |Topic title | Change |

-|||--|

-| 2/14/2023 | [Microsoft 365 admin center - Overview](/microsoft-365/admin/admin-overview/admin-center-overview?view=o365-worldwide) | modified |

-| 2/14/2023 | [Operationalize attack surface reduction (ASR) rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize?view=o365-worldwide) | modified |

-| 2/14/2023 | [Limit guest sharing to specific organizations](/microsoft-365/solutions/limit-guest-sharing-to-specific-organization?view=o365-worldwide) | modified |

-| 2/13/2023 | [Virtual Appointments with Teams - Integration into Oracle Health EHR](/microsoft-365/frontline/ehr-admin-oracle-health?view=o365-worldwide) | renamed |

-| 2/13/2023 | [Learn about retention policies & labels to retain or delete](/microsoft-365/compliance/retention?view=o365-worldwide) | modified |

-| 2/14/2023 | [Manage protected devices with Microsoft 365 Business Premium](/microsoft-365/business/manage-protected-devices?view=o365-worldwide) | modified |

-| 2/14/2023 | [All credentials entity definition](/microsoft-365/compliance/sit-defn-all-creds?view=o365-worldwide) | modified |

-| 2/16/2023 | [Security defaults and Conditional Access](/microsoft-365/business-premium/m365bp-conditional-access?view=o365-worldwide) | modified |

-| 2/16/2023 | [Introduction to information management policies](/microsoft-365/compliance/intro-to-info-mgmt-policies?view=o365-worldwide) | modified |

-| 2/16/2023 | [Compare security features in Microsoft 365 plans for small and medium-sized businesses](/microsoft-365/security/defender-business/compare-mdb-m365-plans?view=o365-worldwide) | modified |

-| 2/16/2023 | [Get Microsoft Defender for Business](/microsoft-365/security/defender-business/get-defender-business?view=o365-worldwide) | modified |

-| 2/16/2023 | [Add users and assign licenses in Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-add-users?view=o365-worldwide) | modified |

-| 2/16/2023 | [View and edit your security settings in Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-configure-security-settings?view=o365-worldwide) | modified |

-| 2/16/2023 | [Understand next-generation protection configuration settings in Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-next-gen-configuration-settings?view=o365-worldwide) | modified |

-| 2/16/2023 | [Requirements for Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-requirements?view=o365-worldwide) | modified |

-| 2/16/2023 | [Set up and configure Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-setup-configuration?view=o365-worldwide) | modified |

-| 2/16/2023 | [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-worldwide) | modified |

-| 2/16/2023 | [Common Zero Trust identity and device access policies - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/identity-access-policies?view=o365-worldwide) | modified |

-| 2/15/2023 | [Connect your DNS records at IONOS by 1&1 to Microsoft 365](/microsoft-365/admin/dns/create-dns-records-at-1-1-internet?view=o365-worldwide) | modified |

-| 2/15/2023 | [Manage self-service purchases and trials (for admins)](/microsoft-365/commerce/subscriptions/manage-self-service-purchases-admins?view=o365-worldwide) | modified |

-| 2/16/2023 | [Comment and collaborate using annotations in Microsoft Syntex](/microsoft-365/syntex/annotations) | added |

-| 2/16/2023 | [Export documents from a review set in eDiscovery (Premium)](/microsoft-365/compliance/ediscovery-export-documents-from-review-set?view=o365-worldwide) | modified |

-| 2/16/2023 | [Integrate your SIEM tools with Microsoft 365 Defender](/microsoft-365/security/defender/configure-siem-defender?view=o365-worldwide) | modified |

-| 2/16/2023 | [Microsoft Syntex documentation # < 60 chars](/microsoft-365/syntex/index) | modified |

-| 2/16/2023 | [Onboard devices to Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-onboard-devices?view=o365-worldwide) | modified |

-| 2/16/2023 | [Cross-tenant mailbox migration](/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide) | modified |

-| 2/16/2023 | [What's new in Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-whatsnew?view=o365-worldwide) | modified |

-| 2/16/2023 | [Overview of Microsoft Syntex](/microsoft-365/syntex/syntex-overview) | modified |

-| 2/16/2023 | [Bookings with me](/microsoft-365/bookings/bookings-in-outlook?view=o365-worldwide) | modified |

-| 2/17/2023 | [Learn about data loss prevention](/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-worldwide) | modified |

-| 2/17/2023 | [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](/microsoft-365/security/office-365-security/skip-filtering-phishing-simulations-sec-ops-mailboxes?view=o365-worldwide) | modified |

-| 2/17/2023 | [Use network protection to help prevent Linux connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection-linux?view=o365-worldwide) | modified |

-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

-2. If the document is from a trusted location, the document is opened with the active content enabled. If the document is not from a trusted location, the evaluation continues.

-3. It is here the updated behavior takes effect:

- - Now, whether or not the user identified the document as a trusted document is not considered here (now at step 8).

-4. Cloud policies are checked to see if this type of active content is allowed or blocked. If the active content is not blocked, the evaluation continues to step 6.

-6. Group policies are checked to see if this type of active content is allowed or blocked. If the active content is not blocked, the evaluation continues to step 7.

-7. Local settings are checked to see if this type of active content is allowed or blocked. If the active content is blocked, the opening of the document is blocked with a notification in the trust bar. If the active content is not blocked, the evaluation continues.

-Trusted documents are Office documents that open without any security prompts for macros, ActiveX controls, and other types of active content in the document. Protected View or Application Guard is not used to open the document. When users open a Trusted Document, and all active content is enabled. Even if the document contains new active content or updates to existing active content, users won't receive security prompts the next time they open the document.

-|Add-ins & Extensibility|Excel|Do not show AutoRepublish warning alert|**Disabled**|No|

-|Jscript & VBScript|Outlook|Do not allow Outlook object model scripts to run for public folders|**Enabled**|No|

-|Jscript & VBScript|Outlook|Do not allow Outlook object model scripts to run for shared folders|**Enabled**|No|

-Here is an example of a request that adds a new scan.

-Here is an example of a request that deletes scans.

-Here is an example of a request that updates a scan.

-Microsoft Defender for Endpoint on Android, which already protects enterprise users on Mobile Device Management (MDM) scenarios, now extends support to Mobile App Management (MAM), for devices that are not enrolled using Intune mobile device management (MDM). It also extends this support to customers who use other enterprise mobility management solutions, while still using Intune for mobile application management (MAM). This capability allows you to manage and protect your organization's data within an application.

- c. If the connection is not turned on, select the toggle to turn it on and then select **Save Preferences**.

-3. Select **Download**. You will be redirected to the app store (Google play).

-5. Click **Continue > Launch**. The Microsoft Defender for Endpoint app onboarding/activation flow is initiated. Follow the steps to complete onboarding. You will automatically be redirected back to Managed app onboarding screen, which now indicates that the device is healthy.

-3. Add the key and value from the table below. Ensure that the **"DefenderMAMConfigs"** key is present in every policy that you create using Managed Apps route. For Managed Devices route, this key should not exist. When you are done, click **Next**.

-For users with key set as true, the users will be able to onboard the app without giving these permissions.

-2. Even if the user has skipped these permissions, the device will be able to onboard, and a heartbeat will be sent.

-3. Since permissions are disabled, Web protection will not be active. It will be partially active if one of the permissions is given.

-You do not have Microsoft 365 license assigned, or your organization does not have a license for Microsoft 365 Enterprise subscription.

-Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page if you want to report a website that could be a phishing site.

-for Android are not blocked on some Xiaomi devices. The following functionality doesn't work on these devices.

-Xiaomi changed the battery optimization permissions in Android 11. Defender for Endpoint is not allowed to configure this setting to ignore battery optimizations.

-If a user faces an issue which is not already addressed in the above sections or is unable to resolve using the listed steps, the user can provide **in-app feedback** along with **diagnostic data**. Our team can then investigate the logs to provide the right solution. Users can follow these steps to do the same:

-5. Provide details of the issue that you are facing and check "Send diagnostic data". We recommend checking "Include your email address" so that the team can reach back to you with a solution or a follow-up.

-1. In the left pane, there is a list of sample requests that you can use.

-description: Use Microsoft Defender for Endpoint Flow connector to create a flow that will be triggered any time a new event occurs on your tenant.

-> For more details about premium connectors licensing prerequisites, see [Licensing for premium connectors](/power-automate/triggers-introduction#licensing-for-premium-connectors).

-The following example demonstrates how to create a Flow that is triggered any time a new Alert occurs on your tenant. You'll be guided on defining what event starts the flow and what next action will be taken when that trigger occurs.

-3. Add a new step for emailing about the Alert and the Isolation. There are multiple email connectors that are very easy to use, such as Outlook or Gmail.

-### 05.25.2021

-Implementing attack surface reduction (ASR) rules moves the first test ring into an enabled, functional state.

-When you are confident that you have correctly configured the ASR rules for ring 1, you can widen the scope of your deployment to the next ring (ring n + 1).

-As you continue to expand your attack surface reduction rules deployment, you may find it necessary or beneficial to customize the attack surface reduction rules that you have enabled.

-You can choose to exclude files and folders from being evaluated by attack surface reduction rules. When excluded, the file won't be blocked from running even if an attack surface reduction rule detects that the file contains malicious behavior.

-The ransomware rule is designed to help enterprise customers reduce risks of ransomware attacks while ensuring business continuity. By default, the ransomware rule errors on the side of caution and protect against files that haven't yet attained sufficient reputation and trust. To reemphasize, the ransomware rule only triggers on files that have not gained enough positive reputation and prevalence, based on usage metrics of millions of our customers. Usually, the blocks are self resolved, because each file's "reputation and trust" values are incrementally upgraded as non-problematic usage increases.

-In cases in which blocks aren't self resolved in a timely manner, customers can - _at their own risk_ - make use of either the self-service mechanism or an Indicator of Compromise (IOC)-based "allow list" capability to unblock the files themselves.

-An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource. However, you cannot limit an exclusion to a specific rule.

-An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.

-If you are encountering problems with rules detecting files that you believe should not be detected, [use audit mode to test the rule](evaluate-attack-surface-reduction.md).

-See the [attack surface reduction rules reference](attack-surface-reduction-rules-reference.md) topic for details on each rule.

-## Additional topics in this deployment collection

-Such software behaviors are sometimes seen in legitimate applications. However, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain software-based risky behaviors and help keep your organization safe.

-### Cases where warn mode is not supported

-Warn mode isn't supported for three attack surface reduction rules when you configure them in Microsoft Intune. (If you use Group Policy to configure your attack surface reduction rules, warn mode is supported.) The three rules that do not support warn mode when you configure them in Microsoft Intune are as follows:

-Here is an example query:

-Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Business are preconfigured and are not configurable. In Microsoft Defender for Endpoint, you can configure AIR to one of several levels of automation. Your automation level affects whether remediation actions following AIR investigations are taken automatically or only upon approval.

-|**Semi - require approval for non-temp folders remediation** <br> (also a type of *semi-automation*)|With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are *not* in temporary folders. <p> Temporary folders can include the following examples: <ul><li>`\users\*\appdata\local\temp\*`</li><li>`\documents and settings\*\local settings\temp\*`</li><li>`\documents and settings\*\local settings\temporary\*`</li><li>`\windows\temp\*`</li><li>`\users\*\downloads\*`</li><li>`\program files\`</li><li>`\program files (x86)\*`</li><li>`\documents and settings\*\users\*`</li></ul> <p> Remediation actions can be taken automatically on files or executables that are in temporary folders. <p> Pending actions for files or executables that are not in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab. <p> Actions that were taken on files or executables in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **History** tab.|

-|**No automated response** <br> (also referred to as *no automation*)|With no automation, automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as [protection from potentially unwanted applications](/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus), can be in effect, depending on how your antivirus and next-generation protection features are configured. <p> ***Using the *no automation* option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up your automation level to full automation (or at least semi-automation)](/microsoft-365/security/defender-endpoint/machine-groups).|

-1. You can update alerts that are available in the API. See [List Alerts](get-alerts.md) for more information.

-> - The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information)

-> - The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

-Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values.

-Here is an example of the request.

-Cancel an already launched machine action that is not yet in final state (completed, canceled, failed).

-If successful, this method returns 200, OK response code with a Machine Action entity. If machine action entity with the specified id was not found - 404 Not Found.

-Here is an example of the request.

-## Related topic

- 1. In the event Microsoft Defender Antivirus cannot make a clear determination, file metadata is sent to the cloud protection service. Often within milliseconds, the cloud protection service can determine based on the metadata as to whether the file is malicious or not a threat.

- - The cloud query of file metadata can be a result of behavior, mark of the web, or other characteristics where a clear verdict is not determined.

- - A small metadata payload is sent, with the goal of reaching a verdict of malware or not a threat. The metadata does not include personally identifiable information (PII). Information such as filenames, are hashed.

- - Can be synchronous or asynchronous. For synchronous, the file will not open until the cloud renders a verdict. For asynchronous, the file will open while cloud protection performs its analysis.

- 2. After examining the metadata, if Microsoft Defender Antivirus cloud protection cannot reach a conclusive verdict, it can request a sample of the file for further inspection. This request honors the settings configuration for sample submission:

- - If file is likely to contain PII, the user will get a request to allow file sample submission.

- - If configured, the user will always be prompted for consent before file submission

- - If configured, all samples will be sent automatically

- - "Do not send" is the equivalent to the "Disabled" setting in macOS policy

- 3. After metadata and/or files are submitted to cloud protection, you can use **samples**, **detonation**, or **big data analysis** machine-learning models to reach a verdict. Turning off cloud-delivered protection will limit analysis to only what the client can provide through local machine-learning models, and similar functions.

-There are two more scenarios where Defender for Endpoint might request a file sample that is not related to the cloud protection at Microsoft Defender Antivirus. These scenarios are described in the following table:

-|Manual file sample collection in the Microsoft 365 Defender portal | When onboarding devices to Defender for Endpoint, you can configure settings for [endpoint detection and response (EDR)](overview-endpoint-detection-response.md). For example, there is a setting to enable sample collections from the device, which can easily be confused with the sample submission settings described in this article. <br/><br/>The EDR setting controls file sample collection from devices when requested through the Microsoft 365 Defender portal, and is subject to the roles and permissions already established. This setting can allow or block file collection from the endpoint for features such as deep analysis in the Microsoft 365 Defender portal. If this setting is not configured, the default is to enable sample collection. <br/><br/>Learn about Defender for Endpoint configuration settings, see: [Onboarding tools and methods for Windows 10 devices in Defender for Endpoint](configure-endpoints.md) |

-\*|Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder)|`/var/\*/\*.log`|`/var/log/system.log`|`/var/log/nested/system.log`

- |For RHEL/Centos/Oracle 8.0-8.5|<https://packages.microsoft.com/config/rhel/8/prod.repo>|

- > :::image type="content" source="images/mdatp-6-systemconfigurationprofiles-2.png" alt-text="The custom configuration profile - assignment" lightbox="images/mdatp-6-systemconfigurationprofiles-2.png":::

- > [!div class="mx-imgBorder"]

- > :::image type="content" source="images/mdatp-6-systemconfigurationprofiles-3.png" alt-text="The completion of the custom configuration profile" lightbox="images/mdatp-6-systemconfigurationprofiles-3.png":::

-### February-2023 (Platform: 4.18.2302.x | Engine: 1.1.20100.6)

-During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsoft's managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version or an intermediate update (*).

-`"%programdata%\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe" -RevertPlatform`

-`"%programdata%\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe" -ResetPlatform`

-The hardware requirements for Defender for Endpoint on devices are the same for the supported editions.

-## Initiate live response Session

-To download the package (Zip file) and investigate the events that occurred on a device

-3. The zip file will download

-Alternate way:

-The package contains the following folders:

-> - Exclusion for Linux isolation is not supported.

-|[Device response capabilities: collect investigation package, run AV scan](respond-machine-alerts.md) |  |  |  ^{[[2](#fn2)][[3](#fn3)]} |  ^{[[2](#fn2)][[3](#fn3)]} |

-|[Device isolation](respond-machine-alerts.md) |  |  | ! |  ^{[[2](#fn2)][[3](#fn3)]} |

-|[Live Response](live-response.md) |  |  |  ^[[2](#fn2)] |  ^[[2](#fn2)] |

-|Disabled|Tamper protection is completely off (this is the default mode after installation)|

-|Audit|Tampering operations are logged, but not blocked|

-| `IsRootSignerMicrosoft` | `boolean` | Indicates whether the signer of the root certificate is Microsoft and the file is built-in to Windows OS |

-| `SignatureState` | `string` | State of the file signature: SignedValid - the file is signed with a valid signature, SignedInvalid - the file is signed but the certificate is invalid, Unsigned - the file is not signed, Unknown - information about the file cannot be retrieved

-| `IsClickedThrough` | `bool` | Indicates whether the user was able to click through to the original URL or was not allowed|

-## Related topics

-Suspicious inbox forwarding rules might be very difficult to detect because maintenance of inbox rules is common task done by users. Therefore, it's important to monitor the alerts.

-Here is the workflow to identify suspicious email forwarding rules.

-1. Search for other suspicious cloud activities that originated from the same IP in the tenant. For instance, suspicious activity might be multiple failed logins attempts.

- Validate that the sign in activity prior to the rule creation event is not suspicious (such as the common location, ISP, or user-agent).

-## Related topics

-If the device is enrolled in Microsoft Defender for Endpoint, you will also see a list of response actions (3). Response actions allow you to perform common security-related tasks.

-The sidebar lists the device's full name and exposure level. It also provides some important basic information in small subsections which can be toggled open or closed, such as:

-* **Tags** - Any Microsoft Defender for Endpoint, Microsoft Defender for Identity, or custom tags associated with the device. Tags from Microsoft Defender for Identity are not editable.

-* **Security info** - Open incidents and active alerts. Devices enrolled in Microsoft Defender for Endpoint will also display exposure level and risk level.

-* **Device details** - Domain, OS, timestamp for when the device was first seen, IP addresses, resources. Devices enrolled in Microsoft Defender for Endpoint also display health state. Devices enrolled in Microsoft Defender for Identity will display SAM name and a timestamp for when the device was first created.

-* **Manage tags** - Updates custom tags you have applied to this device.

-* **Restrict app execution** - Prevents applications that are not signed by Microsoft from running.

-Devices enrolled in Microsoft Defender for Endpoint will also display tabs that feature a timeline, a list of security recommendations, a software inventory, a list of discovered vulnerabilities, and missing KBs (security updates).

-If the device is enrolled in Microsoft Defender for Endpoint, you will also see the device's risk level and any available data on security assessments. The security assessments describe the device's exposure level, provide security recommendations, and list affected software and discovered vulnerabilities.

-You can customize the number of items displayed, as well as which columns are displayed for each item. The default behavior is to list thirty items per page.

-The columns in this tab include information on the severity of the threat that triggered the alert, as well as status, investigation state, and who the alert has been assigned to.

-The *impacted entities* column refers to the device (entity) whose profile you are currently viewing, plus any other devices in your network that are affected.

-Selecting an item from this list will open a flyout containing even more information about the selected alert.

-Selecting an item from this list will open a flyout displaying an Event entities graph, showing the parent and child processes involved in the event.

-The list can be filtered by the specific kind of event; for example, Registry events or Smart Screen Events.

-The list can also be exported to a CSV file, for download. Although the file is not limited by number of events, the maximum time range you can choose to export is seven days.

-The **Security recommendations** tab lists actions you can take to protect the device. Selecting an item on this list will open a flyout where you can get instructions on how to apply the recommendation.

-As with the previous tabs, the number of items displayed per page, as well as which columns are visible, can be customized.

-Selecting an item from this list opens a flyout containing more details about the selected software, as well as the path and timestamp for the last time the software was found.

-Selecting an item from this list will open a flyout that describes the CVE.

-The **Missing KBs** tab lists any Microsoft Updates that have yet to be applied to the device. The "KBs" in question are [Knowledge Base articles](https://support.microsoft.com/help/242450/how-to-query-the-microsoft-knowledge-base-by-using-keywords-and-query) which describe these updates; for example, [KB4551762](https://support.microsoft.com/help/4551762/windows-10-update-kb4551762).

-Selecting an item will open a flyout that links to the update.

- - If your public MX record currently resolves to a third-party or on-premises SMTP gateway then additional routing configurations may be required.

- - If your public MX record currently resolves to on-premises Exchange then you may still be in a hybrid model where some recipient mailbox have not yet been migrated to EXO.

- - If the domain type is set to **Authoritative** then it is assumed all recipient mailboxes for your organization currently reside in Exchange Online.

- - If the domain type is set to **InternalRelay** then you may still be in a hybrid model where some recipient mailboxes still reside on-premises.

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com> expand *Email & collaboration* \> select **Policies & rules** \> select **Threat policies** \> scroll down to the *Others* section, and then select **Evaluation mode**. Or, to go directly to the *Evaluation mode* page, use <https://security.microsoft.com/atpEvaluation>.

-Next, complete any additional configuration and expand your pilot groups until these have reached full production.

-Defender for Identity doesn't require any additional configuration. Just make sure you've purchased the necessary licenses and installed the sensor on all of your Active Directory domain controllers and Active Directory Federation Services (AD FS) servers.

-To promote Microsoft Defender for Endpoint evaluation environment from a pilot to production, simply onboard more endpoints to the service using any of the [supported tools and methods](../defender-endpoint/onboard-configure.md).

-Microsoft Defender for Cloud Apps doesn't require any additional configuration. Just make sure you've purchased the necessary licenses. If you've scoped the deployment to certain user groups, increase the scope of these groups until you reach production scale.

-Whatever the current maturity of your security operations, it is important for you to align with your Security Operations Center (SOC). While there is no single model that fits every organization, there are certain aspects that are more common than others.

-Usually, the SOC team's core function is to make sure all security devices such as firewalls, intrusion prevention systems, data loss prevention systems, vulnerability management systems, and identity systems are functioning correctly and being monitored. The SOC teams will work with the broader network operations such as identity, DevOps, cloud, application, data science, and other business teams to ensure the analysis of security information is centralized and secured. Additionally, the SOC team is responsible for maintaining logs of the data in useable and readable formats, which could include parsing and normalizing disparate formats.

-The recommended methods to deploy Microsoft 365 Defender in your Security Operations Center (SOC) will depend on the SOC team's current set of tools, processes, and skillsets. Maintaining cyber hygiene across platforms can be challenging because of the vast amount of data coming from dozens if not hundreds of security sources.

-Security tools are interrelated. Turning on one feature in a security technology or changing a process may in turn break another. For this reason, Microsoft recommends that your SOC team formalize a method for defining and prioritizing use cases. Use cases help define requirements and test processes for SOC operations across various teams. It creates a methodology for capturing metrics to determine if the right roles and mix of tasks are aligned to the right team with the right skillsets.

-Once the story board has been approved, the next step is to invoke the use case workflow. Here is an example process for an anti-phishing campaign.

-Here is an example high-level storyboard for the Microsoft Defender Vulnerability Management of assets.

-Here is an example process for threat and vulnerability scanning.

-After a use case has been approved and tested, gaps among your security teams should be identified, along with people, processes, and the Microsoft 365 Defender technologies involved. Microsoft 365 Defender technologies should be analyzed to determine if they are capable of achieving desired outcomes. These can be tracked via a checklist or a matrix.

-|Threat Intelligence and Analytics team|Data sources are properly feeding the threat intelligence engines.|Threat Intelligence Analyst/Engineer|Data feed requirements established, threat intelligence triggers from approved sources|Microsoft Defender for Identity, Microsoft Defender for Endpoint|Threat Intelligence team did not use automation script to link Microsoft 365 Defender API with threat intel engines|Add Microsoft 365 Defender as data sources to threat engines <p> Update use case run book|N|

-In these example use cases, the testing revealed several gaps in the SOC team's requirements that were established as baselines for the responsibilities of each team. The use case checklist can be as comprehensive as needed to ensure that the SOC team is prepared for the Microsoft 365 Defender integration with new or existing SOC requirements. Since this will be an iterative process, the use case development process and the use case output content will naturally serve to update and mature the SOC's runbooks with lessons learned.

-Maintenance of the SOC team runbooks and playbooks can be organized in a multitude of ways. Each SOC team may be responsible for their own, or there may be a single centralized version for all teams to share in a central repository. Runbook and playbook management for individual organizations is based on size, skillsets, roles, and segregation of duties. Once a runbook has been updated, the playbook update process should follow.

-Playbooks are the steps the SOC teams will need to follow when a real event occurs, based on the successful integration and test of the use case. Therefore, it is imperative that the SOC follows a formalized approach to incident response, such as the [NIST Incident Response Standard](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf) that has become one of the leading industry standards for incident response.

-One of the core foundations of an escalation playbook is to ensure there is little ambiguity as to what each SOC team is supposed to do before, during, and after an event or incident. Therefore, it is good practice to list out step by step instructions.

-* If you have online backups, consider disconnecting the backup system from the network until you are confident that the attack is contained, see [Backup and restore plan to protect against ransomware | Microsoft Docs](/security/compass/backup-plan-to-protect-against-ransomware).

-* If you are experiencing or expect an imminent and active ransomware deployment:

-* For the devices that are not yet isolated and are not part of the critical infrastructure:

- * Isolate compromised devices from the network but do not shut them off.

- * Pausing OneDrive sync will help protect your cloud data from being updated by potentially infected devices. For more information, see [How to Pause and Resume sync in OneDrive](https://support.microsoft.com/office/how-to-pause-and-resume-sync-in-onedrive-2152bfa4-a2a5-4d3a-ace8-92912fb4421e).

- * If IT staff identified the initial threatΓÇösuch as noticing backups being deleted, antivirus alerts, endpoint detection and response (EDR) alerts, or suspicious system changesΓÇöit is often possible to take quick decisive measures to thwart the attack, typically by the containment actions described in this article.

- * What system and security updates were not installed on devices on that date? This is important to understand what vulnerabilities might have been leveraged so they can be addressed on other devices.

-If you have offline backups, you can probably restore the data that has been encrypted after you have removed the ransomware payload (malware) from your environment and after you have verified that there's no unauthorized access in your Microsoft 365 tenant.

-* If a user account might have been created by an attacker, disable the account. Do not delete the account unless there are no plans to perform security forensics for the incident.

-* Do not forget to scan devices that synchronize data or the targets of mapped network drives.

-* After you have cleaned your computers and devices and recovered the data, you can re-enable Exchange ActiveSync and OneDrive sync that you previously disabled in step 3 of containment.

-Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside.

-Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, data which is associated to expired or terminated license will be erased from Microsoft's systems to make it unrecoverable, no later than 90 days from the associated contract termination or expiration.

-## March 2023

-|Maximum minutes of inactivity before password is required|15 minutes|

-For Exchange Online, you can use authentication policies to [disable Basic authentication](/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online), which forces all client access requests to use modern authentication.

- - *Quarantine details*: Contains quarantine-specific details. For more information, see [Manage quarantined messages](quarantine-admin-manage-messages-files.md#view-quarantined-message-details).

-After you have the message header information, find the **X-Forefront-Antispam-Report** header. There will be multiple field and value pairs in this header separated by semicolons (;). For example:

-|`IPV:NLI`|The IP address was not found on any IP reputation list.|

-|`SFTY`|The message was identified as phishing and will also be marked with one of the following values: <ul><li>9.19: Domain impersonation. The sending domain is attempting to [impersonate a protected domain](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). The safety tip for domain impersonation is added to the message (if it's enabled).</li><li>9.20: User impersonation. The sending user is attempting to impersonate a user in the recipient's organization, or [a protected user that's specified in an anti-phishing policy](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) in Microsoft Defender for Office 365. The safety tip for user impersonation is added to the message (if it's enabled).</li><li>9.25: First contact safety tip. This value _might_ be an indication of a suspicious or phishing message. For more information, see [First contact safety tip](anti-phishing-policies-about.md#first-contact-safety-tip).</li></ul>|

-|`action`|Indicates the action taken by the spam filter based on the results of the DMARC check. For example: <ul><li>**oreject** or **o.reject**: Stands for override reject. In this case Microsoft 365 uses this action when it receives a message that fails the DMARC check from a domain whose DMARC TXT record has a policy of p=reject. Instead of deleting or rejecting the message, Microsoft 365 marks the message as spam. For more information on why Microsoft 365 is configured this way, see [How Microsoft 365 handles inbound email that fails DMARC](email-authentication-dmarc-configure.md#how-microsoft-365-handles-inbound-email-that-fails-dmarc).</li><li>**pct.quarantine**: Indicates that a percentage less than 100% of messages that do not pass DMARC will be delivered anyway. This means that the message failed DMARC and the policy was set to quarantine, but the pct field was not set to 100% and the system randomly determined not to apply the DMARC action, as per the specified domain's policy.</li><li>**pct.reject**: Indicates that a percentage less than 100% of messages that do not pass DMARC will be delivered anyway. This means that the message failed DMARC and the policy was set to reject, but the pct field was not set to 100% and the system randomly determined not to apply the DMARC action, as per the specified domain's policy.</li><li>**permerror**: A permanent error occurred during DMARC evaluation, such as encountering an incorrectly formed DMARC TXT record in DNS. Attempting to resend this message isn't likely to end with a different result. Instead, you may need to contact the domain's owner in order to resolve the issue.</li><li>**temperror**: A temporary error occurred during DMARC evaluation. You may be able to request that the sender resend the message later in order to process the email properly.</li></ul>|

-|`dkim`|Describes the results of the DKIM check for the message. Possible values include: <ul><li>**pass**: Indicates the DKIM check for the message passed.</li><li>**fail (reason)**: Indicates the DKIM check for the message failed and why. For example, if the message was not signed or the signature was not verified.</li><li>**none**: Indicates that the message was not signed. This may or may not indicate that the domain has a DKIM record or the DKIM record does not evaluate to a result, only that this message was not signed.</li></ul>|

-|`reason`|The reason the composite authentication passed or failed. The value is a 3-digit code. For example: <ul><li>**000**: The message failed explicit authentication (`compauth=fail`). For example, the message received a DMARC fail with an action of quarantine or reject.</li><li>**001**: The message failed implicit authentication (`compauth=fail`). This means that the sending domain did not have email authentication records published, or if they did, they had a weaker failure policy (SPF soft fail or neutral, DMARC policy of `p=none`).</li><li>**002**: The organization has a policy for the sender/domain pair that is explicitly prohibited from sending spoofed email. This setting is manually set by an admin.</li><li>**010**: The message failed DMARC with an action of reject or quarantine, and the sending domain is one of your organization's accepted-domains (this is part of self-to-self, or intra-org, spoofing).</li><li>**1xx** or **7xx**: The message passed authentication (`compauth=pass`). The last two digits are internal codes used by Microsoft 365.</li><li>**2xx**: The message soft-passed implicit authentication (`compauth=softpass`). The last two digits are internal codes used by Microsoft 365.</li><li>**3xx**: The message was not checked for composite authentication (`compauth=none`).</li><li>**4xx** or **9xx**: The message bypassed composite authentication (`compauth=none`). The last two digits are internal codes used by Microsoft 365.</li><li>**6xx**: The message failed implicit email authentication, and the sending domain is one of your organization's accepted domains (this is part of self-to-self or intra-org spoofing).</li></ul>|

-|`spf`|Describes the results of the SPF check for the message. Possible values include: <ul><li>`pass (IP address)`: The SPF check for the message passed and includes the sender's IP address. The client is authorized to send or relay email on behalf of the sender's domain.</li><li>`fail (IP address)`: The SPF check for the message failed and includes the sender's IP address. This is sometimes called _hard fail_.</li><li>`softfail (reason)`: The SPF record designated the host as not being allowed to send, but is in transition.</li><li>`neutral`: The SPF record explicitly states that it does not assert whether the IP address is authorized to send.</li><li>`none`: The domain doesn't have an SPF record or the SPF record doesn't evaluate to a result.</li><li>`temperror`: A temporary error has occurred. For example, a DNS error. The same check later might succeed.</li><li>`permerror`: A permanent error has occurred. For example, the domain has a badly formatted SPF record.</li></ul>|

-For clarity, we'll use these specific group names throughout this article, but you're free to use your own naming convention.

- So, instead of using preset security policies, you're going to manually create custom policies with settings that are very similar to, but in some cases are different than, the settings of Standard and Strict preset security policies.

-You can specify an Exchange Online mailbox to receive messages that users report as malicious or not malicious. For instructions, see [User reported settings](submissions-user-reported-messages-custom-mailbox.md). This mailbox can receive copies of messages that your users submitted to Microsoft, or the mailbox can intercept messages without reporting them to Microsoft (you're security team can manually analyze and submit the messages themselves). However, the interception approach does not allow the service to automatically tune and learn.

-Don't underestimate the importance of this step. Data from user reported messages will give you the feedback loop that you need to verify a good, consistent end-user experience before and after the migration. This feedback helps you to make informed policy configuration decisions, as well as provide data-backed reports to management that the migration went smoothly.

-Because your inbound email is routed through another protection service that sits in front of Microsoft 365, it's very likely that you already have a mail flow rule (also known as a transport rule) in Exchange Online that sets the spam confidence level (SCL) of all incoming mail to the value -1 (bypass spam filtering). Most third-party protection services encourage this SCL=-1 mail flow rule for Microsoft 365 customers who want to use their services.

- Before or during the cutover of your MX record to Microsoft 365, you'll disable this rule to turn on the full protection of the Microsoft 365 protection stack for all recipients in your organization.

- - **For cloud-based protection services**: You can use a header and header value that's unique to your organization. Messages that have the header are not scanned by Microsoft 365. Messages without the header are scanned by Microsoft 365

- - **For on-premises protection services or devices**: You can use source IP addresses. Messages from the source IP addresses are not scanned by Microsoft 365. Messages that aren't from the source IP addresses are scanned by Microsoft 365.

-Enhanced Filtering for Connectors is required by Defender for Office 365 to see where internet messages actually came from. Enhanced Filtering for Connectors greatly improves the accuracy of the Microsoft filtering stack (especially [spoof intelligence](anti-phishing-protection-spoofing-about.md), as well as post-breach capabilities in [Threat Explorer](threat-explorer-about.md) and [Automated Investigation & Response (AIR)](air-about-office.md).

-**Congratulations**! You have completed the **Setup** phase of your [migration to Microsoft Defender for Office 365](migrate-to-defender-for-office-365.md#the-migration-process)!

-The high risk delivery pool is a separate IP address pool for outbound email that's only used to send "low quality" messages (for example, spam and [backscatter](anti-spam-backscatter-about.md). Using the high risk delivery pool helps prevent the normal IP address pool for outbound email from sending spam. The normal IP address pool for outbound email maintains the reputation sending "high quality" messages, which reduces the likelihood that these IP address will appear on IP blocklists.

-The very real possibility that IP addresses in the high-risk delivery pool will be placed on IP blocklists remains, but this is by design. Delivery to the intended recipients isn't guaranteed, because many email organizations won't accept messages from the high risk delivery pool.

-Messages that are forwarded or relayed via Microsoft 365 in certain scenarios will be sent using a special relay pool, because the destination should not consider Microsoft 365 as the actual sender. It's important for us to isolate this email traffic, because there are legitimate and invalid scenarios for auto forwarding or relaying email out of Microsoft 365. Similar to the high-risk delivery pool, a separate IP address pool is used for relayed mail. This address pool is not published because it can change often, and it's not part of published SPF record for Microsoft 365.

-You can tell that a message was sent via the relay pool by looking at the outbound server IP (the relay pool will be in the 40.95.0.0/16 range), or by looking at the outbound server name (will have "rly" in the name).

-To add a custom domains follow the steps in [Add a domain to Microsoft 365](../../admin/setup/add-domain.md).

-The Microsoft Defender for Office 365 protection or filtering stack can be broken out into 4 phases, as in this article. Generally speaking, incoming mail passes through all of these phases before delivery, but the actual path email takes is subject to an organization's Defender for Office 365 configuration.

-Edge blocks are designed to be automatic. In the case of false positive, senders will be notified and told how to address their issue. Connectors from trusted partners with limited reputation can ensure deliverability, or temporary overrides can be put in place, when onboarding new endpoints.

-2. **IP reputation and throttling** will block messages being sent from known bad connecting IP addresses. If a specific IP sends many messages in a short period of time they will be throttled.

-3. **Domain reputation** will block any messages being sent from a known bad domain.

-4. Whenever Microsoft Defender for Office 365 detects a malicious attachment, the file's hash, and a hash of its active content, are added to Exchange Online Protection (EOP) reputation. **Attachment reputation blocking** will block that file across all Office 365, and on endpoints, through MSAV cloud calls.

-7. Microsoft uses a determination of reputation from URL sandboxing as well as URL reputation from third party feeds in **URL reputation blocking**, to block any message with a known malicious URL.

-1. **Safe Links** is Defender for Office 365's time-of-click protection. Every URL in every message is wrapped to point to Microsoft Safe Links servers. When a URL is clicked it is checked against the latest reputation, before the user is redirected to the target site. The URL is asynchronously sandboxed to update its reputation.

-# Manage quarantined messages and files as an admin in EOP

-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, quarantine holds potentially dangerous or unwanted messages. For more information, see [Quarantined email messages in EOP](quarantine-about.md).

-Admins in organizations with Microsoft Defender for Office 365 can also manage files that were quarantined by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md).

-#### View quarantined message details

-#### View quarantined file details

-## Use Exchange Online PowerShell or standalone EOP PowerShell to view and manage quarantined messages and files

-The cmdlets that you use to view and manage messages and files in quarantine are described in the following list:

-The experience for Threat Explorer and Real-time detections is updated to align with modern accessibility standards, and to optimize the workflow. For a short while, you will be able to toggle between the old experience and the new one.

-Threat Explorer and Real-time detections is divided into the following views:

- - If you are applying multiple filters, they are applied in 'AND' mode and you can use the advanced filter to change it to 'OR' mode.

- - Results grid shows the email results based on the filters you have applied.

- - Based on the configuration set in your tenant, data will be shown in UTC or local timezone, with the timezone information available in the first column.

-In addition to these features, you will also get updated experiences like *Top URLs*, *Top clicks*, *Top targeted users*, and *Email origin*. *Top URLs*, *Top clicks*, and *Top targeted users* can be further filtered based on the filter that you apply within Explorer.

-Remediation means taking a prescribed action against a threat. Malicious email sent to your organization can be cleaned up either by the system, through zero-hour auto purge (ZAP), or by security teams through remediation actions like *move to inbox*, *move to junk*, *move to deleted items*, *soft delete*, or *hard delete*. Microsoft Defender for Office 365 Plan 2/E5 enables security teams to remediate threats in email and collaboration functionality through manual and automated investigation.

- If remediations are stuck in the "In progress" state for a while, it's likely due to system delays. It could take up to a few hours to remediate. You might see variations in mail submission counts, as some of the emails may not have been included the query at the start of remediation due to system delays. It is a good idea to retry remediating in such cases.

- Admins can take actions on emails in quarantine if necessary, but those emails will expire out of quarantine if they're not manually purged. By default, emails quarantined because of malicious content aren't accessible by users, so security personnel don't have to take any action to get rid of threats in quarantine. If the emails are on-premises or external, the user can be contacted to address the suspicious email. Or the admins can use separate email server/security tools for removal. These emails can be identified by applying the *delivery location = on-prem* external filter in Explorer. For failed or dropped email, or email not accessible by users, there won't be any email to mitigate, since these mails don't reach the mailbox.

- - **Already in destination**: The desired action was already taken on the email OR the email already existed in the destination location. For example: An email was soft deleted by the admin through Explorer on day one. Then similar emails show up on day 2, which are again soft deleted by the admin. While selecting these emails, admin ends up picking some emails from day one that are already soft deleted. Now these emails will not be acted upon again, they will just show as "already in destination", since no action was taken on them as they existed in the destination location.

- - **New**: An *Already in destination* column has been added in the Action Log. This feature uses the latest delivery location in Threat Explorer to signal if the mail has already been remediated. *Already in destination* will help security teams understand the total number of messages that still need to be addressed.

-Actions can only be taken on messages in Inbox, Junk, Deleted, and Soft Deleted folders of Threat Explorer. Here's an example of how the new column works. A *soft delete action* takes place on the message present in the Inbox, then the message will be handled according to policies. The next time a soft delete is performed, this message will show under the column 'Already in destination' signaling it doesn't need to be addressed again.

-To keep you protected, Safe Documents sends files to the [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) cloud for analysis. Details on how Microsoft Defender for Endpoint handles your data can be found here: [Microsoft Defender for Endpoint data storage and privacy](/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy).

-Files sent by Safe Documents are not retained in Defender for Endpoint beyond the time needed for analysis (typically, less than 24 hours).

-|In Pat's organization, admins have created a Safe Links policy that applies Pat, but Safe Links protection for Office apps is turned off. Pat opens a Word document and clicks a URL in the file.|Pat is not protected by Safe Links. <p> Although Pat is included in an active Safe Links policy, Safe Links protection for Office apps is turned off in that policy, so the protection can't be applied.|

-After Safe Links rewrites a URL, the URL remains rewritten even if the message is _manually_ forwarded or replied to (both to internal and external recipients). Additional links that are added to the forwarded or replied-to message are not rewritten.

-After you turn on Safe Links protection for Microsoft Teams, URLs in Teams are checked against a list of known malicious links when the protected user clicks the link (time-of-click protection). URLs are not rewritten. If a link is found to be malicious, users will have the following experiences:

- - If Safe Links scanning is unable to complete, Safe Links protection does not trigger. In Office desktop clients, the user will be warned before they proceed to the destination website.

-Each Safe Links policy contains a **Do not rewrite the following URLs** list that you can use to specify URLs that are not rewritten by Safe Links scanning. In other words, the list allows users who are included in the policy to access the specified URLs that would otherwise be blocked by Safe Links. You can configure different lists in different Safe Links policies. Policy processing stops after the first (likely, the highest priority) policy is applied to the user. So, only one **Do not rewrite the following URLs** list is applied to a user who is included in multiple active Safe Links policies.

-The clicked URL was in an email message that has been identified as a phishing attack. As a result, all URLs in the email message are blocked. We recommend that you do not proceed to the site.

-The clicked URL points to a site that has been identified as malicious. We recommend that you do not proceed to the site.

-The clicked URL has been manually blocked by an admin in your organization (the **Block the following URLs** list in the global settings for Safe Links). The link was not scanned by Safe Links because it was manually blocked.

-There are several reasons why an admin would manually block specific URLs. If you think the site should not be blocked, contact your admin.

-Because Microsoft wants to keep our customers secure by default, some tenants overrides are not applied for malware or high confidence phishing. These overrides include:

-Secure by default is not a setting that can be turned on or off, but is the way our filtering works out of the box to keep potentially dangerous or unwanted messages out of your mailboxes. Malware and high confidence phishing messages should be quarantined. By default, only admins can manage messages that are quarantined as malware or high confidence phishing, and they can also report false positives to Microsoft from there. For more information, see [Manage quarantined messages and files as an admin in EOP](quarantine-admin-manage-messages-files.md).

-You can also use authentication policies to [disable Basic authentication](/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online), which forces all client access requests to use modern authentication.

-Email abuse, junk email, and fraudulent emails (phishing) continue to burden the entire email ecosystem. To help maintain user trust in the use of email, Microsoft has put various policies and technologies in place to help protect our users. However, Microsoft understands that legitimate email should not be negatively affected. Therefore, we have established a suite of services to help senders improve their ability to deliver email to Microsoft 365 users by proactively managing their sending reputation.

-|[Anti-Spam IP Delist Portal](#anti-spam-ip-delist-portal)|A tool to submit IP delist request. Before submitting this request it is the sender's responsibility to ensure that any further mail originating from the IP in question is not abusive or malicious.|

-This is a self-service portal you can use to remove yourself from the Microsoft 365 blocked senders list. Use this portal if you are you getting an error message when you try to send an email to a recipient whose email address is in Microsoft 365 and you don't think you should be. For more information, see [Use the delist portal to remove yourself from the blocked senders list](use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis.md).

-This step-by-step guide will take you through assessing a change, and exporting the impacted emails for assessment. The procedure can be applied to many different changes, by altering the criteria (filters) you use in explorer.

-1. The chart should refresh, and if it now displays no data, this means we have not detected any threats on any of the mail previously shown, which indicates an override is not needed, as there is no detection to override.

-1. If there is data displayed when the data is sliced by **Detection technology**, this means removing the override *would* have impact on this sender / domain due to the protection stack taking action.

-1. You should investigate the mail further to assess if it is truly malicious and the entry can be removed, or if it is a *false positive* and should be remediated so it is no longer incorrectly detected as a threat (authentication is the biggest cause of false positives).

-By using preset security policies (*Standard* or *Strict*), you will always have Microsoft's *recommended, best practice, configuration* for your users.

-Our Strict preset security policy has more aggressive limits and settings for security controls that will result in more aggressive detections and will involve the admin in making decisions on which blocked emails are released to end users.

-1. Select **All Recipients** to apply Exchange Online Protection tenant wide, or select **Specific recipients** to manually add add users, groups, or domains you want to apply the protection policy to. Click the **Next** button.

-1. On the **Impersonation Protection** section, add email addresses & domains to protect from impersonation attacks, then add any trusted senders and domains you do not want the impersonation protection to apply to, then press **Next**.

-Attack simulation training lets you run benign attack simulations on your organization to assess your phishing risk and teach your users how to better avoid phish attacks. By following this guide, you will configure automated flows with specific techniques and payloads that run when the specified conditions are met, launching simulations against your organization.

-1. If you picked OAuth as a Payload, you'll need to enter the name, logo and scope (permissions) you'd like the app to have when it's used in a simulation. *Next*.

-5. If you have multiple policies, you will need to complete this step for each policy (excluding built-in, standard and strict preset policies).

-6. **Select** a policy, a flyout will appear on the left-hand side.

-Users can store their files in potentially unsupported 3rd party storage providers. If you do not use these providers, you can disable this setting to reduce data leakage risk.

-Applications are a very useful part of Microsoft teams, but it is recommended to maintain a list of allowed apps rather than allowing all apps by default.

-3. If you have custom permission policies, you will need to do these steps for each of them if appropriate, otherwise select **Global (Org-wide default)**.

- - Third-party apps ΓÇô set to **Allow specific apps and block all others** (if you already have 3rd party apps to then select for allowing) otherwise select **Block all apps**.

-6. You'll need to change this setting for each policy (if you have multiple).

-You can reduce the attack surface by ensuring people outside your organization cannot request access to control presenter's screens and require dial in and all external people to be authenticated & admitted from a meeting lobby.

-3. If you have assigned any custom or built-in policies to users, you will need to do these steps for each of them if appropriate, otherwise select **Global (Org-wide default)**.

-10. You'll need to change this setting for each policy.

-3. If you have assigned any custom or built-in policies to users, you will need to do these steps for each of them if appropriate, otherwise select **Global (Org-wide default)**.

-6. You'll need to change this setting for each policy.

-Historically, allow lists have told Exchange Online Protection to ignore the signals indicating an email is malicious. It is commonplace for vendors to request IPs, domains, and sender addresses be overridden unnecessarily. Attackers have been known to take advantage of this mistake and it is a pressing security loophole to have unnecessary allow list entries. This step-by-step guide will walk you through using advanced hunting to identify these misconfigured overrides and remove them, so you can increase your organization's security posture.

-3. Pressing the **NetworkMessageId** hyperlink for individual emails when shown in the results will load a flyout, allowing easy access to the email entity page, where the **analysis** tab will provide further details, such as the transport rule(s) which that email matched.

- - [Client Access Rules in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules)

-This article attempts to explain the common error messages tha you might receive as you try to [report emails, URLs, and email attachments to Microsoft](submissions-admin.md)

-If you encounter this error message, then either of the following conditions might have occured:

- - [Client Access Rules in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules)

-More recommendations specific to Teams deployment are included in this article to cover specific authentication circumstances, including for users outside your organization. You will need to follow this guidance for a complete security experience.

-Conditional Access policies only apply to guest access in Teams because there is a corresponding Azure AD B2B account.

-External access users have less access and functionality than an individual who's been added via guest access. For example, external access users can chat with your internal users with Teams but cannot access team channels, files, or other resources.

-External access does not use Azure AD B2B user accounts and therefore does not use Conditional Access policies.

-Teams and channels are two commonly used elements in Microsoft Teams, and there are policies you can put in place to control what users can and cannot do when using teams and channels. While you can create a global team, if your organization has 5000 users or less, you are likely to find it helpful to have smaller teams and channels for specific purposes, in-line with your organizational needs.

- - If the message was blocked by [domain or user impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) in Defender for Office 365, an allow entry is not created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains section** in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message.

- - If the message was not blocked due to filtering, no allow entries are created anywhere.

-By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and [remove them or automatically extend them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those entities will be delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire.

-If Microsoft has learned from the allow entry, the entry will be removed. You'll get an alert about the removal of the now unnecessary allow entry from the built-in [alert policy](../../compliance/alert-policies.md) named **Removed an entry in Tenant Allow/Block List**).

-By adding a trusted ARC sealer, Office 365 will validate and trust the authentication results that the sealer provides when delivering mail to your tenant in Office 365.

-Are you getting an error message when you try to send an email to a recipient whose email address is in Microsoft 365 (for example and address 5.7.511 Access denied)? If you think you should not be receiving the error message, you can use the delist portal to remove yourself from the blocked senders list.

-You will know you have been added to the list when you receive a response to a mail message that includes an error that looks something like this:

-> 550 5.7.606-649 Access denied, banned sending IP [_IP address_] (ex. 5.7.511 Access denied): To request removal from this list please visit <https://sender.office.com/> and follow the directions. For more information see [Email non-delivery reports in Exchange Online](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/non-delivery-reports-in-exchange-online).

- The portal sends an email to the email address that you supply. The email will look something like the following:

-description: Zero-hour auto purge (ZAP) retroactively moves delivered messages in an Exchange Online mailbox to the Junk Email folder or quarantine that are found to be spam, phishing, or that contain malware after delivery.

-# Zero-hour auto purge (ZAP) in Exchange Online

-In Microsoft 365 organizations with mailboxes in Exchange Online, zero-hour auto purge (ZAP) is an email protection feature that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes.

-## How ZAP works

-[Safe sender lists](create-safe-sender-lists-in-office-365.md), mail flow rules (also known as transport rules), Inbox rules, or additional filters take precedence over ZAP. Similar to what happens in mail flow, this means that even if the service determines the delivered message needs ZAP, the message is not acted on because of the safe senders configuration. This is another reason to be careful about configuring messages to bypass filtering.

-### Zero-hour auto purge (ZAP) considerations for Microsoft Defender for Office 365

-ZAP will not quarantine any message that's in the process of [Dynamic Delivery](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies) in Safe Attachments policy scanning. If a phishing or spam signal is received for messages in this state, and the filtering verdict in the anti-spam policy is set to take some action on the message (Move to Junk, Redirect, Delete, or Quarantine) then ZAP will default to a 'Move to Junk' action.

-## How to see if ZAP moved your message

-Zero-hour auto purge still works as long as the message has not been deleted, or as long as the same, or stronger, action has not already been applied. For example, if the anti-phishing policy is set to quarantine and message is already in the Junk Email, then ZAP will take action to quarantine the message.

-If you are a small or medium-size organization using one of Microsoft's business plans, see these resources instead:

-For customers using our enterprise plans, Microsoft recommends you complete the tasks listed in the following table that apply to your service plan. If, instead of purchasing a Microsoft 365 enterprise plan, you are combining subscriptions, note the following:

-Before you begin, check your [Microsoft 365 Secure Score](./defender/microsoft-secure-score.md) in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>. From a centralized dashboard, you can monitor and improve the security for your Microsoft 365 identities, data, apps, devices, and infrastructure. You are given points for configuring recommended security features, performing security-related tasks (such as viewing reports), or addressing recommendations with a third-party application or software. The recommended tasks in this article will raise your score.

-Applying these policies will take only a few minutes, but be prepared to support your users over the next several days.

-You'll need to work with your Exchange Online administrator and SharePoint Online administrator to configure Defender for Office 365 for these workloads:

-After you have configured one or more of your Defender for Office 365 services, turn on MTP. New features are added continually to MTP; consider opting in to receive preview features.

-If you are rapidly enabling the bulk of your employees to work from home, this sudden switch of connectivity patterns can have a significant impact on the corporate network infrastructure. Many networks were scaled and designed before cloud services were adopted. In many cases, networks are tolerant of remote workers, but were not designed to be used remotely by all users simultaneously.

-Training users can save your users and security operations team a lot of time and frustration. Savvy users are less likely to open attachments or click links in questionable email messages, and they are more likely to avoid suspicious websites.

-Congratulations! You have quickly implemented some of the most important security protections and your organization is much more secure. Now you're ready to go even further with threat protection capabilities (including Microsoft Defender for Endpoint), data classification and protection capabilities, and securing administrative accounts. For a deeper, methodical set of security recommendations for Microsoft 365, see [Microsoft 365 Security for Business Decision Makers (BDMs)](Microsoft-365-security-for-bdm.md).

-Next, create a conditional access policy that applies to that authentication context and that requires guests to agree to a terms of use as a condition of access.

-For more details about how default library labels work, see [Configure a default sensitivity label for a SharePoint document library](/microsoft-365/compliance/sensitivity-labels-sharepoint-default-label).

-A variation of the Highly sensitive option, [Teams with security isolation](secure-teams-security-isolation.md) uses a unique sensitivity label for one team, which provides additional security. You can use this label to encrypt files, and only members of that team will be able to read them.