+**Microsoft Entra

+Contact your Global Administrator to edit the user consent policy in the Microsoft Entra portal by following [these steps](https://learn.microsoft.com/entra/identity/enterprise-apps/configure-user-consent).

+ Title: "Billing information for Microsoft 365 for business in Italy"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Tier1

+- scotvorg

+- M365-subscription-management

+- Adm_O365

+search.appverid: MET150

+description: "Learn about information specifically for Microsoft 365 for business in Italy."

+- commerce_billing

+- admindeeplinkMAC

+monikerRange: 'o365-worldwide'

+# Billing information for Microsoft 365 for business in Italy

+## 1. Where can I get an invoice for my Microsoft 365 for business purchase?

+Your invoice is sent to the registered billing notification email address 24 hours after your purchase is confirmed. To download your invoice in the Microsoft 365 admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page.

+> [!IMPORTANT]

+> If you want the invoice to include your Codice Fiscale/Tax ID, you must add it before the purchase confirmation.

+## 2. How can I add my Codice Fiscale/Tax ID to the invoice I get for the purchase of Microsoft 365 for business?

+### During the purchase process (Checkout)

+During the checkout purchase process, when you get to step **4. Payment and billing**, select the box to enter a Codice Fiscale/Tax ID. This step is necessary so that you can see it reflected in your purchase invoice.

+### For your future purchases

+You can add or modify your Codice Fiscale/Tax ID so that the information is reflected in future Microsoft 365 for business purchases. To add or modify your Codice Fiscale/Tax ID, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2084771" target="_blank">Billing accounts</a> page.

+> [!NOTE]

+> If you're in a recurrent billing subscription, the addition or modification of the Codice Fiscale/Tax ID is reflected on the invoice of your next charge.

+#### Add your Codice Fiscale/Tax ID

+If your invoice number begins with "G," to ensure you can still receive invoices, update your Microsoft account to include your Codice Fiscale/Tax ID.

+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.

+2. In the navigation menu, select **Billing**, then select <a href="https://go.microsoft.com/fwlink/p/?linkid=2084771" target="_blank">**Billing accounts**</a>.

+3. Select the billing account you want to update.

+4. In the **Tax ID** section, select **Add tax ID**. If you already have a tax ID listed, such as a VAT ID, select **Add another tax ID**.

+5. In the **Codice Fiscale ID** field, add your ID, then select **Save**.

+## 3. Can I add or modify my Codice Fiscale/Tax ID to an invoice that was already generated?

+It's important that you add or modify your Codice Fiscale/Tax ID before you make your purchase. You can't add or modify the Codice Fiscale/Tax ID information after we generate your Microsoft 365 for business invoice.

+## 4. Why wasn't an e-invoice issued by Sistema di Interscambio (SDI)?

+If a Codice Fiscale/Tax ID isn't provided, e-invoices aren't issued by SDI per Italian e-invoicing regulations. For such scenarios, invoices issued by Microsoft are still available.

+## 5. What's the wire payment information for Italy?

+For details about making a payment, see [Payment information for Italy](/legal/pay/italy).

+## Related content

+[View your invoice in the Microsoft 365 admin center](view-your-bill-or-invoice.md) (article)\

+[Understand your invoice for your Microsoft MCA billing account](understand-your-invoice.md) (article)\

+[Understand your invoice for your Microsoft MOSA billing account](understand-your-invoice2.md) (article)

+ Title: "Manage self-service purchases and trials (for users)"

+description: "Users can learn how to manage their self-service purchases in the Microsoft 365 admin center."

+# Manage self-service purchases and trials (for users)

+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, then go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.

+## Buy more or reduce licenses

+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.

+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.

+2. Select the product for which you want to assign licenses.

+3. On the product details page, select **Assign licenses**.

+5. Select **Assign**, then select close the details pane.

+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.

+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.

+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2084771" target="_blank">Billing accounts</a> page.

+2. On the **Overview** tab, select a billing account.

+3. On the billing account details page, select the **Billing profile** tab. The tab lists all billing profiles associated with the selected billing account.

+4. Select a billing profile name to view the details page.

+5. In the **Invoice and billing notifications** section, under **Payment method**, choose one of the following options:

+6. In the details pane, enter the card details, then select **Save** or **Replace**.

+2. On the **Payment methods** page, select **Add a payment method**, then select **Add a payment method** from the drop-down list.

+3. In the **Add a payment method** pane, enter the information for the new payment method, then select **Save*.

+> [!NOTE]

+> It is generally recommended that traffic for Defender for Endpoint is not inspected by SSL inspection (TLS inspection). This applies to all supported operating systems (Windows, Linux, and MacOS).

+description: Use Microsoft Intune to deploy the configuration package on devices so that they're onboarded to the Defender for Endpoint service.

+For more information on using Defender for Endpoint CSP, see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).

+For more information on using Defender for Endpoint CSP, see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).

+ 2. In the navigation pane, select **Settings** \> **Endpoints** \> **Device management** \> **Offboarding**.

+ 3. Select Windows 10 or Windows 11 as the operating system.

+ 4. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.

+ 5. Click **Download package**, and save the .zip file.

+## Related articles

+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.

+2. Run the following cmdlet:

+If network protection fails to detect, make sure that the following prerequisites are enabled:

+2. [Behavior Monitoring is enabled](/microsoft-365/security/defender-endpoint/behavior-monitor)

+3. [Cloud Protection is enabled](/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus)

+4. [Cloud Protection network connectivity is functional](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus)

+## Related articles

+- The addition of a new log file - `microsoft_defender_scan_skip.log`. This will log the filenames that were skipped from various antivirus scans by Microsoft Defender for Endpoint due to any reason.

+ Title: Manage system extensions using Jamf

+description: Manage system extensions using Jamf for Microsoft Defender for Endpoint to work properly on macOS.

+# Manage system extensions using Jamf

+## Jamf

+### Jamf System Extensions Policy

+ :::image type="content" source="media/jamf-system-extensions-approval.png" alt-text="Approving system extensions in Jamf." lightbox="media/jamf-system-extensions-approval.png":::

+Add the following Jamf payload to grant Full Disk Access to the Microsoft Defender for Endpoint Security Extension. This policy is a prerequisite for running the extension on your device.

+> Jamf doesn't have built-in support for content filtering policies, which are a prerequisite for enabling the network extensions that Microsoft Defender for Endpoint on macOS installs on the device. Furthermore, Jamf sometimes changes the content of the policies being deployed. As such, the following steps provide a workaround that involves signing the configuration profile.

+4. Follow the instructions on [this page](https://learn.jamf.com/bundle/technical-articles/page/Welcome.html) to create a signing certificate using Jamf's built-in certificate authority.

+6. From the Jamf portal, navigate to **Configuration Profiles** and select the **Upload** button. Select **com.microsoft.network-extension.signed.mobileconfig** when prompted for the file.

+Threat actors can use compromised user accounts for several malicious purposes, including reading emails in a user's inbox, forwarding emails to external recipients, and sending phishing mails, among others. The targeted user might be unaware that their emails are being forwarded. This is a common tactic that attackers use when user accounts are compromised.

+Emails can be forwarded either manually or automatically using forwarding rules. Automatic forwarding can be implemented in multiple ways like Inbox Rules, Exchange Transport Rule (ETR), and SMTP Forwarding. While manual forwarding requires direct action from users, they might not be aware of all the autoforwarded emails. In Microsoft 365, an alert is raised when a user autoforwards an email to a potentially malicious email address.

+- You identify the alerts associated with autoforwarded emails as malicious (TP) or benign (FP) activities.

+ If malicious, you have [stop email autoforwarding](../office-365-security/outbound-spam-policies-external-email-forwarding.md) for the affected mailboxes.

+- You take the necessary action if emails were forwarded to a malicious email address.

+Some rules might move all the emails to another folder and mark them as "read", while some rules might move only mails that contain specific keywords in the email message or subject. For example, the inbox rule might be set to look for keywords like "invoice," "phish," "do not reply," "suspicious email," or "spam," among others, and move them to an external email account. Attackers might also use the compromised user mailbox to distribute spam, phishing emails, or malware.

+You can also analyze these other activities for the affected mailbox:

+ - Observe how many of the recent email sent by the sender are detected as phish, spam, or malware.

+- [Autoforwarded messages report in the EAC](/exchange/monitoring/mail-flow-reports/mfr-auto-forwarded-messages-report)

+Here's the workflow to identify suspicious email forwarding activities.

+ - What other details are available for this email? For example: subject, return path, and timestamp.

+- IdentityLogonEvents - Contains sign-in information for all users.

+Run this query to find out who else forwarded emails to these recipients (SRL/RL).

+Run this query to find out if there were any anomalous sign-in events from this user. For example: unknown IPs, new applications, uncommon countries/regions, multiple LogonFailed events.

+4. Check for other activities originated from impacted accounts, IP addresses, and suspicious senders.

+Threat actors can use compromised user accounts for many malicious purposes including reading emails in a user's inbox, creating inbox rules to forward emails to external accounts, deleting traces, and sending phishing mails. Malicious inbox rules are common during business email compromise (BEC) and phishing campaigns and it's important to monitor for them consistently.

+- You identify the alerts associated with inbox manipulation rules as malicious (TP) or benign (FP) activities.

+ If malicious, you remove malicious inbox manipulation rules.

+- You take the necessary action if emails were forwarded to a malicious email address.

+Attackers might set up email rules to hide incoming emails in the compromised user mailbox to obscure their malicious activities from the user. They might also set rules in the compromised user mailbox to delete emails, move the emails into another less noticeable folder (like RSS), or forward mails to an external account. Some rules might move all the emails to another folder and mark them as "read", while some rules might move only mails that contain specific keywords in the email message or subject.

+For example, the inbox rule might be set to look for keywords like "invoice," "phish," "do not reply," "suspicious email," or "spam," among others, and move them to an external email account. Attackers might also use the compromised user mailbox to distribute spam, phishing emails, or malware.

+Here's the workflow to identify suspicious inbox manipulation rule activities.

+ The attacker might apply the manipulation rule only to emails that contains certain words. You can find these keywords under certain attributes such as: "BodyContainsWords," "SubjectContainsWords," or "SubjectOrBodyContainsWords."

+ If there are filtering by keywords, then check whether the keywords seem suspicious to you (common scenarios are to filter emails related to the attacker activities, such as "phish," "spam," and "do not reply," among others).

+description: Learn about the common Microsoft Defender XDR REST API error codes.

+Error codes can be returned by an operation on any of the Microsoft Defender XDR APIs. Every error response contains an error message, which can help resolve the problem. The error message column in the table section provides some sample messages. The content of actual messages varies based on the factors that triggered the response. Variable content is indicated by angle brackets (`< >`) in the following table:

+| Error code | HTTP status code | Message |

+|--|--|--|

+| BadRequest | BadRequest (400) | General Bad Request error message. |

+| ODataError | BadRequest (400) | Invalid OData URI query \<the specific error is specified\>. |

+| InvalidInput | BadRequest (400) | Invalid input \<the invalid input\>. |

+| InvalidRequestBody | BadRequest (400) | Invalid request body. |

+| InvalidHashValue | BadRequest (400) | Hash value \<the invalid hash\> is invalid. |

+| InvalidDomainName | BadRequest (400) | Domain name \<the invalid domain\> is invalid. |

+| InvalidIpAddress | BadRequest (400) | IP address \<the invalid IP\> is invalid. |

+| InvalidUrl | BadRequest (400) | URL \<the invalid URL\> is invalid. |

+| MaximumBatchSizeExceeded | BadRequest (400) | Maximum batch size exceeded. Received: \<batch size received\>, allowed: {batch size allowed}. |

+| MissingRequiredParameter | BadRequest (400) | Parameter \<the missing parameter\> is missing. |

+| OsPlatformNotSupported | BadRequest (400) | OS Platform \<the client OS Platform\> isn't supported for this action. |

+| ClientVersionNotSupported | BadRequest (400) | \<The requested action\> is supported on client version \<supported client version\> and later. |

+| Unauthorized | Unauthorized (401) | Unauthorized <br /><br />*This error is usually caused by an invalid or expired authorization header.* |

+| Forbidden | Forbidden (403) | Forbidden <br /><br />*This error can occur with a valid token but insufficient permission for the action*. |

+| DisabledFeature | Forbidden (403) | Tenant feature isn't enabled. |

+| DisallowedOperation | Forbidden (403) | \<the disallowed operation and the reason\>. |

+| NotFound | Not Found (404) | General Not Found error message. |

+| ResourceNotFound | Not Found (404) | Resource \<the requested resource\> wasn't found. |

+| InternalServerError | Internal Server Error (500) | *If there's no error message, retry the operation. [Contact Microsoft](../../admin/get-help-support.md) if it doesn't get resolved*. |

+Each error response contains a unique ID parameter for tracking. The property name of this parameter is *target*. If you contact Microsoft about an error, attaching your tracking ID helps Microsoft find the root cause of the problem.

+1. Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.

+| Permission type|Permission|Permission display name |

+||||

+|Application|Incident.Read.All|`Read all Incidents`|

+|Application|Incident.ReadWrite.All|`Read and write all Incidents`|

+|Delegated (work or school account)|Incident.Read|`Read Incidents`|

+|Delegated (work or school account)|Incident.ReadWrite|`Read and write Incidents`|

+> - The user needs to have at least the following role permission: `View Data`

+|Name|Type|Description|

+||||

+|Authorization|String|Bearer {token}. **Required**.|

+If successful, this method returns `200 OK`, and the incident entity in the response body.

+If incident with the specified ID wasn't found - 404 Not Found.

+description: Learn about the methods and properties of the Incidents resource type in Microsoft Defender XDR.

+An [incident](incidents-overview.md) is a collection of related alerts that help describe an attack. Events from different entities in your organization are aggregated automatically by Microsoft Defender XDR. You can use the incidents API to programmatically access your organization's incidents and related alerts.

+You can request up to 50 calls per minute or 1,500 calls per hour. Each method also has its own quotas. For more information on method-specific quotas, see the respective article for the method you want to use.

+A `429` HTTP response code indicates that you've reached a quota, either by number of requests sent, or by allotted running time. The response body includes the time until the quota you reached is reset.

+| Property | Type | Description |

+|-|-|-|

+| incidentId | long | Incident unique ID. |

+| redirectIncidentId | nullable long | The Incident ID the current Incident was merged to. |

+| incidentName | string | The name of the Incident. |

+| createdTime | DateTimeOffset | The date and time (in UTC) the Incident was created. |

+| lastUpdateTime | DateTimeOffset | The date and time (in UTC) the Incident was last updated. |

+| assignedTo | string | Owner of the Incident. |

+| severity | Enum | Severity of the Incident. Possible values are: `UnSpecified`, `Informational`, `Low`, `Medium`, and `High`. |

+| status | Enum | Specifies the current status of the incident. Possible values are: `Active`, `InProgress`, `Resolved`, and `Redirected`. |

+| classification | Enum | Specification of the incident. Possible values are: `TruePositive`, `Informational, expected activity`, and `FalsePositive`. |

+| determination | Enum | Specifies the determination of the incident. <p>Possible determination values for each classification are: <br><li> <b>True positive</b>: `Multistage attack` (MultiStagedAttack), `Malicious user activity` (MaliciousUserActivity), `Compromised account` (CompromisedUser) ΓÇô consider changing the enum name in public api accordingly, `Malware` (Malware), `Phishing` (Phishing), `Unwanted software` (UnwantedSoftware), and `Other` (Other). <li> <b>Informational, expected activity:</b> `Security test` (SecurityTesting), `Line-of-business application` (LineOfBusinessApplication), `Confirmed activity` (ConfirmedUserActivity) - consider changing the enum name in public api accordingly, and `Other` (Other). <li> <b>False positive:</b> `Not malicious` (Clean) - consider changing the enum name in public api accordingly, `Not enough data to validate` (InsufficientData), and `Other` (Other). |

+| tags | string list | List of Incident tags. |

+| comments | List of incident comments | Incident Comment object contains: comment string, createdBy string, and createTime date time. |

+| alerts | alert list | List of related alerts. See examples at [List incidents](api-list-incidents.md) API documentation. |

+> Around August 29, 2022, previously supported alert determination values (`Apt` and `SecurityPersonnel`) will be deprecated and no longer available via the API.

+category|Visual and numeric view of how far the attack has progressed along the kill chain. Aligned to the [MITRE ATT&CK&trade; framework](https://attack.mitre.org/).|Impact

+mitreTechniques|The attack techniques, as aligned with the [MITRE ATT&CK](https://attack.mitre.org/)&trade; framework.|\[\]

+Once you turn on chat on Teams, a new team named **Defender Experts team** is created and the Defender Experts Teams app is installed in it. Each incident that requires your attention is posted on this team's **Managed response** channel as a new post. To engage with our experts (for example, ask follow-up questions about the investigation summary or actions published by Defender Experts), use the **Reply** text bar to mention or tag *@Defender Experts* and type your message.

+- Don't attach any attachments (for example, files for analysis) in the chat. For security reasons, Defender Experts won't be able to view the attachments. Instead, send them to appropriate submissions channels or provide links where they can be found in Microsoft Defender XDR portal.

+- Conversations in the Teams chat about an incident are also synchronized with the incident's **Chat** tab in the Microsoft Defender XDR portal so that you can see messages and updates about an investigation wherever you go.

+description: Learn how to create and manage custom detections rules based on advanced hunting queries.

+- **Frequency**ΓÇöinterval for running the query and taking action. [See more guidance in the rule frequency section](#rule-frequency)

+- **Continuous (NRT)**ΓÇöruns continuously, checking data from events as they're collected and processed in near real-time (NRT), see [Continuous (NRT) frequency](custom-detection-rules.md#continuous-nrt-frequency)

+- The query doesn't use joins, unions, or the `externaldata` operator.

+You can select only one column for each entity type (mailbox, user, or device). Columns that aren't returned by your query can't be selected.

+- When selected, the **Allow/Block** action can be applied to the file. Blocking files are only allowed if you have *Remediate* permissions for files and if the query results have identified a file ID, such as an SHA1. Once a file is blocked, other instances of the same file in all devices are also blocked. You can control which device group the blocking is applied to, but not specific devices.

+Both the `Disable user` and `Force password reset` options require the user SID, which are in the columns `AccountSid`, `InitiatingProcessAccountSid`, `RequestAccountSid`, and `OnPremSid`.

+Only data from devices in the scope will be queried. Also, actions are taken only on those devices.

+You can view the list of existing custom detection rules, check their previous runs, and review the alerts that were triggered. You can also run a rule on demand and modify it.

+description: Learn what's included in the Microsoft Defender XDR you evaluate, and se up your Microsoft Defender XDR trial lab or pilot environment by activating trial licenses. Start your XDR cyber security journey here and learn how to take that test to production.

+The steps in this series run end-to-end, from learning the concepts behind the Microsoft Defender XDR to building it, and into taking the evaluation environment live to production.

+There are two common ways to do this next step in evaluation. This series assumes you already have a production Microsoft 365 tenant and are activating Microsoft 365 E5 trial licenses to evaluate Microsoft Defender XDR in *the current environment*. An in-place evaluation will let you keep any security methods with the purchase of licenses after the evaluation period.

+The second is to [Set up your Microsoft Defender XDR trial lab environment](setup-m365deval.md) for evaluation. It might not have many real signals from the business while in testing.

+## You need to activate Microsoft 365 E5 trial licenses to evaluate Microsoft Defender XDR

+1. Sign in your existing Microsoft 365 tenant administration portal.

+5. Confirm your request and select **Try now** button.

+description: Use this article to promote your trial subscriptions of Defender for Identity, Defender for Office 365, Defender for Endpoint, and Defender for Cloud Apps to your live environment in Microsoft Defender XDR.

+Next, complete any other configuration and expand your pilot groups until these reach full production.

+Defender for Identity doesn't require any other configuration. Just make sure to purchase the necessary licenses and install the sensor on all of your Active Directory domain controllers and Active Directory Federation Services (AD FS) servers.

+After successfully evaluating or piloting Defender for Office 365, it can be promoted to your entire production environment.

+2. Rerun recommended baseline policy configurations (either Standard or Strict) against your production email domain or specific groups of users.

+3. Optionally create and configure any custom Defender for Office 365 policies against your production email domain or groups of users. However, remember that any assigned baseline policies will always take precedence over custom policies.

+Microsoft Defender for Cloud Apps doesn't require any other configuration. Just make sure to purchase the necessary licenses. If you've scoped the deployment to certain user groups, increase the scope of these groups until you reach production scale.

+ Title: FAQs related to Microsoft Defender Experts for XDR Managed response

+# Understanding Managed response

+The following section lists down questions you or your SOC team might have regarding [Managed response](managed-detection-and-response-xdr.md).

+|**What is Managed response?** | Microsoft Defender Experts for XDR offers **Managed response** where our experts manage the entire remediation process for incidents that require them. This process includes investigating the incident to identify the root cause, determining the required response actions, and taking those actions on your behalf.|

+|**What actions are in scope for Managed response?** | All actions found below are in scope for Managed response for any device and user that isn't excluded.<br><br>*For devices* *(Available now)*<ul><li>Isolate machine<br><li>Release machine from isolation<br><li>Stop and quarantine file<br><li>Restrict app execution<br><li>Remove app restriction</ul><br>*For users (Coming soon)*<ul><li>Force password reset<br><li>Disable user<br><li>Enable user<br><li>Soft delete emails </ul> |

+|**Can I customize the extent of Managed response?** | You can configure the extent to which our experts do Managed response actions on your behalf by excluding certain devices and users (individually or by groups) either during onboarding or later by modifying your service's settings. [Read more about excluding device groups](../defender/get-started-xdr.md#exclude-devices-from-remediation) |

+|**What support do Defender Experts offer for excluded assets?** | If our experts determine that you need to perform response actions on excluded devices or users, we notify you through various customizable methods and direct you to your Microsoft Defender XDR portal. From your portal, you can then view a detailed summary of our investigation process and the required response actions in the portal and perform these required actions directly. Similar capabilities are also available through Defender APIs, in case you prefer using a security information and event management (SIEM), IT service management (ITSM), or any other third-party tool. |

+|**How am I going to be informed about the response actions?** | Response actions that our experts have completed on your behalf and any pending ones that you need to perform on your excluded assets are displayed in the **Managed response** panel in your Defender portal's **Incidents** page. <br><br>In addition, you'll also receive an email containing a link to the incident and instructions to view the Managed response in the portal. Moreover, if you have integration with Microsoft Sentinel or APIs, you'll also be notified within those tools by looking for Defender Experts statuses. For more information, see [FAQs related to Microsoft Defender Experts for XDR incident notifications](../defender/faq-incident-notifications-xdr.md).|

+|**Can I customize Managed response based on actions?** | No. If you have devices or users that are considered high-value or sensitive, you can add them to your exclusion list. Our experts will NOT take any action on them and will only provide guidance if they're impacted by an incident.|

+- [Managed detection and response](managed-detection-and-response-xdr.md)

+- [FAQs related to Microsoft Defender Experts for XDR incident notifications](../defender/faq-incident-notifications-xdr.md)

+description: Provide product feedback on Microsoft Defender XDR.

+Your feedback helps us get better in protecting your environment from advanced attacks. Share your experience, impressions, and requests by providing feedback.

+Check out this video to see how to provide feedback.

+1. From any part of the Microsoft Defender portal, select **Give feedback**.

+Once our experts begin to perform comprehensive response work on your behalf, you'll start receiving [notifications about incidents](managed-detection-and-response-xdr.md#incident-updates) that require remediation steps and targeted recommendations on critical incidents. You can also [chat with our experts](communicate-defender-experts-xdr.md) or your SDMs regarding important queries and regular business and security posture reviews, and [view real-time reports](reports-xdr.md) on the number of incidents we've investigated and resolved on your behalf.

+description: Manage permissions and access to Microsoft Defender XDR Security portal experiences using unified role-based access control (RBAC).

+|Microsoft Defender for Office 365|Full support for all data and actions scenarios that are controlled by [Email & Collaboration roles](../office-365-security/mdo-portal-permissions.md) and scenarios controlled by [Exchange Online permissions](/exchange/permissions-exo/permissions-exo). </br></br> **Note:** <ul><li>The Microsoft Defender XDR RBAC model is initially available for organizations with Microsoft Defender for Office 365 Plan 2 licenses only. This capability isn't available to users on trial licenses.</li><li>Granular delegated admin privileges (GDAP) aren't supported.</li><li>Cmdlets in Exchange Online PowerShell and Security & Compliance PowerShell continue to use the old RBAC models and aren't affected by Microsoft Defender XDR Unified RBAC.</li><li>Azure B2B invited guests aren't supported by experiences that were previously under Exchange Online RBAC.</li></ul>|

+|Microsoft Defender for Identity|Full support for all identity data and actions. </br></br> **Note:** Defender for Identity experiences also adhere to permissions granted from [Microsoft Defender for Cloud Apps](https://security.microsoft.com/cloudapps/permissions/roles). For more information, see [Microsoft Defender for Identity role groups](https://go.microsoft.com/fwlink/?linkid=2202729).|

+ - Create a custom role that can grant access to security groups or individual users to manage roles and permissions in Microsoft Defender XDR unified RBAC. This removes the need for Microsoft Entra global roles to manage permissions. To do this, you need to assign the **Authorization** permission in Microsoft Defender XDR Unified RBAC. For details on how to assign the Authorization permission, see [Create a role to access and manage roles and permissions](../defender/create-custom-rbac-roles.md#create-a-role-to-access-and-manage-roles-and-permissions).

+- The Microsoft Defender XDR security solution continues to respect existing Microsoft Entra global roles when you activate the Microsoft Defender XDR Unified RBAC model for some or all of your workloads, that is, Global Admins retain assigned admin privileges.

+You must activate the workloads in Microsoft Defender XDR to use the Microsoft Defender XDR Unified RBAC model. Until activated, Microsoft Defender XDR continues to respect the existing RBAC models. For more information, see [Activate Microsoft Defender XDR Unified RBAC](activate-defender-rbac.md).

+When you activate some or all of your workloads to use the new permission model, the roles and permissions for these workloads are fully controlled by the Microsoft Defender XDR Unified RBAC model in the Microsoft Defender portal.

+ - [View, edit, and delete RBAC roles](edit-delete-rbac-roles.md)

+Watch the following video to see the preceding steps in action:

+description: Microsoft Defender XDR is a coordinated threat protection solution designed to protect devices, identity, data, and applications.

+- **Identities with Defender for Identity and Microsoft Entra ID Protection** - Microsoft Defender for Identity is a cloud-based security solution that uses your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Microsoft Entra ID Protection uses the learnings Microsoft acquired from their position in organizations with Microsoft Entra ID, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users.

+- Narrate the full story of the attack across product alerts, behaviors, and context for security teams by joining data on alerts, suspicious events and impacted assets to incidents.

+ For example, if a malicious file is detected on an endpoint protected by Defender for Endpoint, it instructs Defender for Office 365 to scan and remove the file from all e-mail messages. The file is blocked on sight by the entire Microsoft 365 security suite.

+appliesto:

+ - Microsoft Sentinel in the Microsoft Defender portal

+- ATT&CK-based evaluation of Microsoft Defender XDR - April 2022: [Microsoft Defender XDR demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK&reg; Evaluations]([Microsoft Security Blog: Microsoft Defender XDR demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK&reg; Evaluations](https://www.microsoft.com/en-us/security/blog/2022/04/05/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations/))

+description: Find solutions and workarounds to known Microsoft Defender XDR issues.

+If you don't see capabilities on the navigation pane such as the Incidents, Action center, or Hunting in your portal, you need to verify that your tenant has the appropriate licenses.

+If you have Microsoft Defender for Identity deployed in your environment but you're not seeing Defender for Identity alerts as part of Microsoft Defender XDR incidents, you need to ensure that the Microsoft Defender for Cloud Apps and Defender for Identity integration is enabled.

+A false positive is a file or URL that is detected as malicious but isn't a threat. You can create indicators and define exclusions to unblock and allow certain files/URLs. See [Address false positives/negatives in Defender for Endpoint](/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives).

+- (GA) Identity timeline is now generally available as part of the new Identity page in Microsoft Defender XDR. The updated User page has a new look, an expanded view of related assets and a new dedicated timeline tab. The timeline represents activities and alerts from the last 30 days. It unifies a user's identity entries across all available workloads: Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint. Using the timeline helps you easily focus on a user's activities (or activities performed on them) in specific timeframes.

+- The MAIL FROM address (also known as the `5321.MailFrom` address, P1 sender, or envelope sender) is the email address that's used in the SMTP transmission of the message. This email address is typically recorded in the **Return-Path** header field in the message header (although it's possible for the sender to designate a different **Return-Path** email address).

+- The From address (also known as the `5322.From` address or P2 sender) is the email address in the **From** header field, and is the sender's email address that's displayed in email clients. The From address is the focus of the requirements in this article.

+|**No From address**|When a message arrives at Microsoft 365 or Outlook.com without a From address, we try to assign the MAIL FROM address to the From address to ensure the message is deliverable. Currently, these messages are accepted by the service, even if the original From address is `From: <>`.|

+ - The value `ip4:` or `ip6:` to identify the type of IP address.

+ v=spf1 ip4:192.168.0.10 include:spf.protection.outlook.com -all

+ - _Read access for email and Teams message headers_: **Security operations/Raw data (email & collaboration)/Email & collaboration metadata (read)**.

+ - _Preview and download email messages_: **Security operations/Raw data (email & collaboration)/Email & collaboration content (read)**.

+ - _Remediate malicious email_: **Security operations/Security data/Email & collaboration advanced actions (manage)**.